"Claude Code Review workflow"

"Claude PR Assistant workflow"
chore(deps): bump golang.org/x/time from 0.14.0 to 0.15.0 (#142 )
2026-06-27 00:43:59 -07:00 · 2026-06-22 18:37:42 -07:00 · 2026-06-22 18:37:41 -07:00 · 2026-06-22 18:36:04 -07:00 · 2026-06-22 18:35:58 -07:00 · 2026-06-22 18:29:10 -07:00
248 changed files with 23194 additions and 805 deletions
@@ -1,6 +1,6 @@
 {
  "projectName": "sif",
-  "projectOwner": "lunchcat",
+  "projectOwner": "vmfunc",
  "files": [
    "README.md"
  ],
@@ -14,7 +14,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the latest code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
        with:
          fetch-depth: 0
      - name: automatic rebase
@@ -17,7 +17,7 @@ jobs:
    name: check for large files
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: check for large files
        run: |
          large_files=$(find . -path ./.git -prune -o -type f -size +5M -print)
@@ -0,0 +1,44 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review, reopened]
+    # Optional: Only run on specific file changes
+    # paths:
+    #   - "src/**/*.ts"
+    #   - "src/**/*.tsx"
+    #   - "src/**/*.js"
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
+    #   github.event.pull_request.user.login == 'external-contributor' ||
+    #   github.event.pull_request.user.login == 'new-developer' ||
+    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          plugins: 'code-review@claude-code-plugins'
+          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
+
@@ -0,0 +1,50 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
+          # claude_args: '--allowed-tools Bash(gh pr *)'
+
@@ -22,7 +22,7 @@ jobs:
      security-events: write
      contents: read
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: set up go
        uses: actions/setup-go@v5
        with:
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
      - name: dependency review
        uses: actions/dependency-review-action@v5
        continue-on-error: ${{ github.event_name == 'push' }}
@@ -17,7 +17,7 @@ jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: set up go
        uses: actions/setup-go@v6
        with:
@@ -33,7 +33,7 @@ jobs:
      matrix:
        go-version: ["1.25"]
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: set up go
        uses: actions/setup-go@v6
        with:
@@ -43,7 +43,7 @@ jobs:
      - name: run tests with coverage
        run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
      - name: upload coverage to codecov
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@v7
        with:
          files: ./coverage.out
          fail_ci_if_error: false
@@ -15,7 +15,7 @@ jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: set up go
        uses: actions/setup-go@v5
        with:
@@ -15,7 +15,7 @@ jobs:
  check-headers:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7

      - name: check license headers
        run: |
@@ -24,7 +24,7 @@ jobs:
    name: profanity check
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
      - name: Profanity check step
        uses: tailaiw/mind-your-language-action@v1.0.3
        env:
@@ -14,7 +14,7 @@ jobs:
    name: runner / markdownlint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: markdownlint
        uses: reviewdog/action-markdownlint@v0.26.2
        with:
@@ -18,7 +18,7 @@ jobs:
    name: runner / misspell
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: misspell
        uses: reviewdog/action-misspell@v1.27.0
        with:
@@ -1,7 +1,7 @@
 name: pr bot

 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize, reopened, edited]

 permissions:
@@ -9,7 +9,7 @@ permissions:
  pull-requests: write

 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-pr-${{ github.event.pull_request.number }}
  cancel-in-progress: true

 jobs:
@@ -23,7 +23,6 @@ jobs:
  size:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
      - name: label pr size
        uses: actions/github-script@v9
        with:
@@ -19,7 +19,7 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: set up go
        uses: actions/setup-go@v5
        with:
@@ -18,6 +18,6 @@ jobs:
  update-report-card:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: update go report card
        uses: creekorful/goreportcard-action@v1.0
@@ -14,7 +14,7 @@ jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: set up go
        uses: actions/setup-go@v5
        with:
@@ -15,7 +15,7 @@ jobs:
      security-events: write
      id-token: write
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
        with:
          persist-credentials: false
      - name: run scorecard
@@ -14,7 +14,7 @@ jobs:
    name: runner / shellcheck
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: shellcheck
        uses: reviewdog/action-shellcheck@v1.32.0
        with:
@@ -15,7 +15,7 @@ jobs:
    name: runner / yamllint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - name: yamllint
        uses: reviewdog/action-yamllint@v1.21.0
        with:
@@ -88,6 +88,8 @@ linters:
        linters:
          - errcheck
          - noctx
+          - gosec  # fake credentials in secret-scanner fixtures are not real keys
+          - bodyclose  # synthetic *http.Response fixtures carry no socket to close

 issues:
  max-issues-per-linter: 50
@@ -33,7 +33,7 @@ When opening an issue, please use the search tool and make sure that the issue h

 ### Development

-To develop sif, you'll need version 1.23 or later of the Go toolchain. After making your changes, run the program using `go run ./cmd/sif` to make sure it compiles and runs properly.
+To develop sif, you'll need version 1.25 or later of the Go toolchain. After making your changes, run the program using `go run ./cmd/sif` to make sure it compiles and runs properly.

 _Nix users:_ the repository provides a flake that can be used to develop and run sif. Use `nix run`, `nix develop`, `nix build`, etc. Make sure to run `gomod2nix` if `go.mod` is changed.

@@ -38,8 +38,7 @@ define SUPPORT_MESSAGE
 │                                                            │
 │  🌟 Enjoying sif? Please consider:                         │
 │                                                            │
-│  • Starring our repo: https://github.com/lunchcat/sif      │
-│  • Supporting the devs: https://lunchcat.dev               │
+│  • Starring our repo: https://github.com/vmfunc/sif        │
 │                                                            │
 │  Your support helps us continue improving sif!             │
 │                                                            │
@@ -15,18 +15,32 @@

 **[install](#install) · [usage](#usage) · [modules](#modules) · [docs](docs/) · [contribute](#contribute)**

+*fast, concurrent recon to exploitation in one binary. every scanner shares one connection-pooled http client.*
+
 </div>

 ---

 ## what is sif?

-sif is a modular pentesting toolkit written in go. it's designed to be fast, concurrent, and extensible. run multiple scan types against targets with a single command.
+sif is a recon and exploitation scanner that runs the whole chain in one binary: subdomain enum, port scan, crawler, nuclei, framework/cve detection, js secret extraction, web-vuln probes (cors/xss/redirect), cloud and takeover checks. 25+ scan types, one command.

 ```bash
-./sif -u https://example.com -headers -sh -cms -framework -git
+sif -u https://example.com -dnslist -ports -crawl -js -framework -nuclei
 ```

+nuclei and colly are compiled in as libraries rather than shelled out to (there's no `exec.Command` in the tree), so it's a single static binary with no runtime dependencies and nothing to wire together.
+
+every scanner runs through one shared http client and a work-stealing worker pool. `-proxy`, `-H`, `-cookie` and `-rate-limit` apply to the whole run at once, connections get pooled and reused across the scan (a single-host run reuses one connection for ~50 requests instead of dialing 50 times), and a slow host doesn't hold the rest up. that shared client is the practical reason to use it over piping a stack of separate tools together. port scanning is `connect()`-based, so rustscan and nmap are still faster at raw port scans.
+
+it reads targets from stdin and prints findings one per line under `-silent`, so it composes:
+
+```bash
+subfinder -d example.com | sif -silent -crawl -js -nuclei | notify
+```
+
+`-diff` turns a re-scan into a monitor that only reports what changed, `-notify` posts to slack/discord/telegram/webhook, and runs export to sarif and markdown.
+
 ## install

 ### homebrew (macos)
@@ -49,7 +63,7 @@ paru -S sif
 ### nix

 ```bash
-# nixpkgs (declarative — add to configuration.nix or home-manager)
+# nixpkgs (declarative: add to configuration.nix or home-manager)
 environment.systemPackages = [ pkgs.sif ];

 # or imperatively
@@ -84,7 +98,7 @@ cd sif
 make
 ```

-requires go 1.23+
+requires go 1.25+

 ### aur (manual install)

@@ -122,6 +136,9 @@ makepkg -si
 # sql recon + lfi scanning
 ./sif -u https://example.com -sql -lfi

+# web vuln probes (cors, open redirect, reflected xss)
+./sif -u https://example.com -cors -redirect -xss
+
 # framework detection (with cve lookup)
 ./sif -u https://example.com -framework

@@ -154,11 +171,19 @@ sif has a modular architecture. modules are defined in yaml and can be extended
 | flag | description |
 |------|-------------|
 | `-dirlist` | directory and file fuzzing (small/medium/large) |
+| `-mc` | dirlist: match these status codes (comma list, e.g. 200,301) |
+| `-fc` | dirlist: filter out these status codes (comma list) |
+| `-fs` | dirlist: filter out responses of these body sizes (comma list) |
+| `-fw` | dirlist: filter out responses with these word counts (comma list) |
+| `-fr` | dirlist: filter out responses whose body matches this regex |
+| `-ac` | dirlist: auto-calibrate the soft-404 wildcard baseline |
+| `-w` | dirlist: custom wordlist (local file or url; overrides `-dirlist` size) |
+| `-e` | dirlist: extensions appended to each word (comma list, e.g. php,bak,env) |
 | `-dnslist` | subdomain enumeration (small/medium/large) |
 | `-ports` | port scanning (common/full) |
 | `-nuclei` | vulnerability scanning with nuclei templates |
 | `-dork` | automated google dorking |
-| `-js` | javascript analysis |
+| `-js` | javascript analysis + secret and endpoint extraction |
 | `-c3` | cloud storage misconfiguration |
 | `-headers` | http header analysis |
 | `-sh` | security header analysis (missing/weak headers) |
@@ -170,7 +195,109 @@ sif has a modular architecture. modules are defined in yaml and can be extended
 | `-securitytrails` | domain discovery + target expansion (requires SECURITYTRAILS_API_KEY) |
 | `-sql` | sql recon |
 | `-lfi` | local file inclusion |
+| `-jwt` | jwt discovery + offline weakness analysis (alg:none, weak hmac, exp, sensitive claims) |
+| `-openapi` | openapi/swagger spec exposure probe (enumerates paths + unauth endpoints) |
+| `-favicon` | favicon hash fingerprinting (shodan-style mmh3, tech match + pivot query) |
+| `-cors` | cors misconfiguration probe |
+| `-redirect` | open redirect probe |
+| `-xss` | reflected xss probe |
 | `-framework` | framework detection with cve lookup |
+| `-crawl` | web crawler (spider same-host links/scripts/forms) |
+| `-crawl-depth` | max crawl recursion depth (default 2) |
+| `-passive` | passive subdomain/url discovery (zero traffic to target) |
+| `-probe` | live-host probe (status, title, server, redirect chain) |
+
+### http options
+
+these apply to every outbound request across all scanners:
+
+| flag | description |
+|------|-------------|
+| `-proxy` | route all traffic through a proxy (http/https/socks5 url) |
+| `-H`, `--header` | custom header to send (repeatable or comma-separated, `"Key: Value"`) |
+| `-cookie` | cookie header to send with every request |
+| `-rate-limit` | max requests per second (0 = unlimited, default 0) |
+
+```bash
+# scan through a socks5 proxy with a custom header, cookie and 20 req/s cap
+./sif -u https://example.com -headers -proxy socks5://127.0.0.1:1080 -H "Authorization: Bearer tok" -cookie "session=abc" -rate-limit 20
+```
+
+a scanner that sets a header explicitly (e.g. an api key) always wins over the global default.
+
+### report export
+
+write the run's findings out to a file for ci/cd or triage:
+
+| flag | description |
+|------|-------------|
+| `-sarif` | write a sarif 2.1.0 report to this file |
+| `-markdown`, `-md` | write a markdown report to this file |
+| `-silent` | plain output: chrome to stderr, one finding per line to stdout (for pipelines) |
+| `-diff` | surface only findings added/removed since the last snapshot of each target |
+| `-store` | snapshot directory for `-diff` (default: log dir, else `<user-config>/sif/state`) |
+
+```bash
+# scan and emit both a sarif and markdown report
+./sif -u https://example.com -headers -cors -sarif out.sarif -md out.md
+```
+
+sarif output is ingestable by github code scanning; markdown is a readable per-target summary.
+
+### diff mode
+
+`-diff` turns a re-scan into a monitor: sif snapshots each target's normalized findings to a json file, and on the next run reports only the delta (`+ new` / `- gone`) against that snapshot, then overwrites it. the first run for a target has no baseline, so everything is `+ new`. snapshots land in `-store` (one sanitized file per target); when unset they reuse the log dir, falling back to `<user-config>/sif/state`.
+
+```bash
+# baseline run, then re-scan later and see only what moved
+./sif -u https://example.com -sh -cors -diff
+./sif -u https://example.com -sh -cors -diff
+```
+
+the snapshot is always rewritten, so each run diffs against the previous one. the delta is chrome (it rides the normal output sink / stderr under `-silent`), not the findings stream.
+
+### notify
+
+ship findings to a chat/webhook sink so a continuous-recon run alerts on what it turns up. every provider is a single POST through the shared http client, so the global proxy/rate-limit/header config applies.
+
+| flag | description |
+|------|-------------|
+| `-notify` | ship findings to every configured provider after the scan |
+| `-notify-severity` | minimum severity to send (`info`/`low`/`medium`/`high`/`critical`, default `medium`) |
+| `-notify-config` | path to a notify-compatible yaml config (overrides env vars) |
+
+providers are configured env-first; a yaml file (`-notify-config`) overrides per-field. the yaml keys match [projectdiscovery/notify](https://github.com/projectdiscovery/notify) so an existing config ports over:
+
+| env var | yaml key | provider |
+|---------|----------|----------|
+| `SLACK_WEBHOOK_URL` | `slack_webhook_url` | slack incoming webhook |
+| `DISCORD_WEBHOOK_URL` | `discord_webhook_url` | discord webhook |
+| `TELEGRAM_BOT_TOKEN` | `telegram_api_key` | telegram bot api (needs chat id too) |
+| `TELEGRAM_CHAT_ID` | `telegram_chat_id` | telegram destination chat |
+| `NOTIFY_WEBHOOK_URL` | `webhook_url` | generic json webhook (structured findings) |
+
+```bash
+# alert slack on medium+ findings discovered during a scan
+export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
+./sif -u https://example.com -cors -xss -notify -notify-severity medium
+```
+
+a provider with no destination is skipped; with nothing configured, `-notify` is a silent no-op. slack/discord/telegram receive a fixed-width finding block; the generic webhook receives structured json (`{count, findings[]}`).
+
+### pipe mode
+
+sif reads targets from stdin and accepts naked hosts, so it drops into a unix pipeline. `-silent` routes all banner/spinner/log chrome to stderr and prints one normalized finding per line (`[severity] target module title`) to stdout:
+
+```bash
+# subfinder feeds hosts, sif probes them, notify ships the findings
+subfinder -d example.com | sif -silent -probe | notify
+```
+
+| flag | description |
+|------|-------------|
+| stdin | a piped target stream (one host/url per line) is read alongside `-u`/`-f` |
+
+scheme-less hosts default to `https://`; an explicit `http://`/`https://` is kept; any other scheme (`ftp://`, ...) is rejected.

 ### yaml modules

@@ -238,7 +365,7 @@ contributions welcome. see [contributing.md](CONTRIBUTING.md) for guidelines.
 gofmt -w .

 # lint
-golangci-lint run
+go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 run

 # test
 go test ./...
@@ -258,13 +385,13 @@ join our discord for support, feature discussions, and pentesting tips:
 <table>
  <tbody>
    <tr>
-      <td align="center" valign="top" width="14.28%"><a href="https://vmfunc.re"><img src="https://avatars.githubusercontent.com/u/59031302?v=4?s=100" width="100px;" alt="vmfunc"/><br /><sub><b>vmfunc</b></sub></a><br /><a href="#maintenance-vmfunc" title="Maintenance">🚧</a> <a href="#mentoring-vmfunc" title="Mentoring">🧑‍🏫</a> <a href="#projectManagement-vmfunc" title="Project Management">📆</a> <a href="#security-vmfunc" title="Security">🛡️</a> <a href="https://github.com/lunchcat/sif/commits?author=vmfunc" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://vmfunc.re"><img src="https://avatars.githubusercontent.com/u/59031302?v=4?s=100" width="100px;" alt="vmfunc"/><br /><sub><b>vmfunc</b></sub></a><br /><a href="#maintenance-vmfunc" title="Maintenance">🚧</a> <a href="#mentoring-vmfunc" title="Mentoring">🧑‍🏫</a> <a href="#projectManagement-vmfunc" title="Project Management">📆</a> <a href="#security-vmfunc" title="Security">🛡️</a> <a href="https://github.com/vmfunc/sif/commits?author=vmfunc" title="Code">💻</a></td>
      <td align="center" valign="top" width="14.28%"><a href="https://projectdiscovery.io"><img src="https://avatars.githubusercontent.com/u/50994705?v=4?s=100" width="100px;" alt="ProjectDiscovery"/><br /><sub><b>ProjectDiscovery</b></sub></a><br /><a href="#platform-projectdiscovery" title="Packaging/porting to new platform">📦</a></td>
-      <td align="center" valign="top" width="14.28%"><a href="https://github.com/macdoos"><img src="https://avatars.githubusercontent.com/u/127897805?v=4?s=100" width="100px;" alt="macdoos"/><br /><sub><b>macdoos</b></sub></a><br /><a href="https://github.com/lunchcat/sif/commits?author=macdoos" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/macdoos"><img src="https://avatars.githubusercontent.com/u/127897805?v=4?s=100" width="100px;" alt="macdoos"/><br /><sub><b>macdoos</b></sub></a><br /><a href="https://github.com/vmfunc/sif/commits?author=macdoos" title="Code">💻</a></td>
      <td align="center" valign="top" width="14.28%"><a href="https://epitech.eu"><img src="https://avatars.githubusercontent.com/u/75166283?v=4?s=100" width="100px;" alt="Matthieu Witrowiez"/><br /><sub><b>Matthieu Witrowiez</b></sub></a><br /><a href="#ideas-D3adPlays" title="Ideas, Planning, & Feedback">🤔</a></td>
      <td align="center" valign="top" width="14.28%"><a href="https://github.com/tessa-u-k"><img src="https://avatars.githubusercontent.com/u/109355732?v=4?s=100" width="100px;" alt="tessa "/><br /><sub><b>tessa </b></sub></a><br /><a href="#infra-tessa-u-k" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="#question-tessa-u-k" title="Answering Questions">💬</a> <a href="#userTesting-tessa-u-k" title="User Testing">📓</a></td>
-      <td align="center" valign="top" width="14.28%"><a href="https://github.com/xyzeva"><img src="https://avatars.githubusercontent.com/u/133499694?v=4?s=100" width="100px;" alt="Eva"/><br /><sub><b>Eva</b></sub></a><br /><a href="#blog-xyzeva" title="Blogposts">📝</a> <a href="#content-xyzeva" title="Content">🖋</a> <a href="#research-xyzeva" title="Research">🔬</a> <a href="#security-xyzeva" title="Security">🛡️</a> <a href="https://github.com/lunchcat/sif/commits?author=xyzeva" title="Tests">⚠️</a> <a href="https://github.com/lunchcat/sif/commits?author=xyzeva" title="Code">💻</a></td>
-      <td align="center" valign="top" width="14.28%"><a href="https://github.com/vxfemboy"><img src="https://avatars.githubusercontent.com/u/79362520?v=4?s=100" width="100px;" alt="Zoa Hickenlooper"/><br /><sub><b>Zoa Hickenlooper</b></sub></a><br /><a href="https://github.com/lunchcat/sif/commits?author=vxfemboy" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/xyzeva"><img src="https://avatars.githubusercontent.com/u/133499694?v=4?s=100" width="100px;" alt="Eva"/><br /><sub><b>Eva</b></sub></a><br /><a href="#blog-xyzeva" title="Blogposts">📝</a> <a href="#content-xyzeva" title="Content">🖋</a> <a href="#research-xyzeva" title="Research">🔬</a> <a href="#security-xyzeva" title="Security">🛡️</a> <a href="https://github.com/vmfunc/sif/commits?author=xyzeva" title="Tests">⚠️</a> <a href="https://github.com/vmfunc/sif/commits?author=xyzeva" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/vxfemboy"><img src="https://avatars.githubusercontent.com/u/79362520?v=4?s=100" width="100px;" alt="Zoa Hickenlooper"/><br /><sub><b>Zoa Hickenlooper</b></sub></a><br /><a href="https://github.com/vmfunc/sif/commits?author=vxfemboy" title="Code">💻</a></td>
    </tr>
    <tr>
      <td align="center" valign="top" width="14.28%"><a href="https://github.com/0xatrilla"><img src="https://avatars.githubusercontent.com/u/107285362?v=4?s=100" width="100px;" alt="acxtrilla"/><br /><sub><b>acxtrilla</b></sub></a><br /><a href="#platform-0xatrilla" title="Packaging/porting to new platform">📦</a></td>
@@ -52,7 +52,9 @@ func main() {
 		log.Fatal(err)
 	}

-	if !settings.ApiMode {
+	// patchnotes print to stdout; skip them in api/silent mode so the only thing
+	// on stdout is the machine-readable result stream.
+	if !settings.ApiMode && !settings.Silent {
 		patchnotes.ShowOnce(version)
 	}

@@ -57,6 +57,12 @@ enable verbose logging:
 ./sif -u https://example.com -d
 ```

+### templates
+
+`-template` loads a batch of scan settings from a built-in preset or a local yaml file, so a run does not have to pass every flag. see the [usage guide](usage.md) for the presets and file format. command-line flags still take precedence over the template.
+
+sif also reads an ambient config at `~/.config/sif/config.yaml` (created on first run) keyed by the same flag names. passing `-template` uses that template as the config for the run instead of the ambient file.
+
 ## user modules

 place custom modules in:
@@ -92,6 +98,38 @@ info:
  # ...
 ```

+## custom signatures
+
+framework detection (`-framework`) also loads user-defined detectors from yaml
+files, so a framework sif does not ship can be detected without rebuilding:
+
+- linux/macos: `~/.config/sif/signatures/`
+- windows: `%LOCALAPPDATA%\sif\signatures\`
+
+each file defines one detector; place them directly in the directory, as
+subdirectories are not scanned. `header: true` matches a response header name or
+value (case-insensitive) instead of the body; the optional `version` block pulls
+a version out of the body.
+
+```yaml
+# ~/.config/sif/signatures/ghost.yaml
+name: Ghost
+signatures:
+  - pattern: 'content="Ghost'
+    weight: 0.6
+  - pattern: 'X-Ghost-Cache'
+    weight: 0.4
+    header: true
+version:
+  regex: 'content="Ghost ([0-9.]+)'
+  group: 1
+```
+
+a detector reports a match once its matched signature weights sum past half, so
+weight your signatures to total about `1.0`. a name matching a built-in detector
+overrides it and inherits that built-in's version patterns and known cves, the
+same as user modules.
+
 ## performance tuning

 ### fast scans
@@ -60,8 +60,11 @@ gofmt -w .

 ### lint

+ci pins golangci-lint v2.11.4 (`.github/workflows/go.yml`); other versions
+report spurious issues against the v2 config, so pin it locally too:
+
 ```bash
-golangci-lint run
+go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 run
 ```

 ### test
@@ -164,7 +167,7 @@ go test -tags=integration ./internal/scan/...
 1. fork the repository
 2. create a feature branch
 3. make changes
-4. run `gofmt -w .` and `golangci-lint run`
+4. run `gofmt -w .` and `golangci-lint run` (pinned version, see [lint](#lint))
 5. submit pr

 ### commit messages
@@ -115,6 +115,18 @@ http:

 each payload creates a separate request for each path.

+#### attack
+
+how paths and payloads combine into requests.
+
+```yaml
+http:
+  attack: pitchfork
+```
+
+- `clusterbomb` (default) - every path is tried with every payload
+- `pitchfork` - path and payload are paired by index, stopping at the shorter list
+
 #### headers

 custom headers to send.
@@ -199,6 +211,18 @@ matchers:
    condition: or
 ```

+### size matcher
+
+match the response body length in bytes (measured after the 5 MB response cap, so larger sizes never match).
+
+```yaml
+matchers:
+  - type: size
+    size:
+      - 0
+      - 1337
+```
+
 ### combining matchers

 multiple matchers are combined with AND logic by default.
@@ -238,7 +262,7 @@ extractors:

 ### kv extractor

-extract key-value pairs.
+record every response header as a key-value pair, namespaced by `name`.

 ```yaml
 extractors:
@@ -21,6 +21,23 @@ read targets from a file (one url per line):
 ./sif -f targets.txt
 ```

+### stdin (pipe mode)
+
+when stdin is a pipe, sif reads one target per line from it, alongside any `-u`/`-f` targets. this lets sif slot into a unix pipeline:
+
+```bash
+subfinder -d example.com | sif -silent -probe | notify
+```
+
+### naked hosts
+
+targets without a scheme default to `https://`; an explicit `http://`/`https://` is kept as given. any other scheme (`ftp://`, `file://`, ...) is rejected:
+
+```bash
+./sif -u example.com          # scanned as https://example.com
+echo example.com | sif -probe # same, over stdin
+```
+
 ## scan options

 ### directory fuzzing
@@ -33,6 +50,42 @@ sizes: `small`, `medium`, `large`
 ./sif -u https://example.com -dirlist medium
 ```

+#### response filters
+
+modern apps serve a catch-all 200 for unknown routes, so a naive scan reports
+every path. these ffuf-style filters cut the noise (a filter always wins over a
+match):
+
+- `-mc <codes>` - match only these status codes (comma list, e.g. `200,301`)
+- `-fc <codes>` - filter out these status codes
+- `-fs <sizes>` - filter out responses of these body sizes
+- `-fw <counts>` - filter out responses with these word counts
+- `-fr <regex>` - filter out responses whose body matches this regex
+
+```bash
+./sif -u https://example.com -dirlist medium -mc 200,301 -fs 1234
+```
+
+#### wildcard calibration
+
+`-ac` probes a few paths that cannot exist, learns the soft-404 baseline
+(status + size + words), and auto-drops any response matching it - so SPA
+catch-all 200s stop flooding the output:
+
+```bash
+./sif -u https://example.com -dirlist medium -ac
+```
+
+#### custom wordlists and extensions
+
+`-w <path|url>` overrides the size switch with your own list (local file or
+remote url); `-e <exts>` appends each extension to every word, keeping the bare
+word too:
+
+```bash
+./sif -u https://example.com -w /path/to/words.txt -e php,bak,env
+```
+
 ### subdomain enumeration

 `-dnslist <size>` - enumerate subdomains
@@ -79,7 +132,7 @@ scopes: `common` (top ports), `full` (all ports)

 ### javascript analysis

-`-js` - analyze javascript files
+`-js` - analyze javascript files + secret and endpoint extraction

 ```bash
 ./sif -u https://example.com -js
@@ -154,6 +207,56 @@ export SHODAN_API_KEY=your-api-key
 ./sif -u https://example.com -lfi
 ```

+### cors probe
+
+`-cors` - probe for cors misconfigurations (reflected/permissive origins)
+
+```bash
+./sif -u https://example.com -cors
+```
+
+### open redirect probe
+
+`-redirect` - probe redirect-prone params for open redirects
+
+```bash
+./sif -u https://example.com/login?next=home -redirect
+```
+
+### reflected xss probe
+
+`-xss` - inject a canary into params and report unescaped reflections
+
+```bash
+./sif -u https://example.com/search?q=test -xss
+```
+
+### jwt analysis
+
+`-jwt` - fetch the target once, harvest jwts from response headers, cookies and body, then analyze each one entirely offline
+
+flags alg:none, the rs256->hs256 confusion surface, missing/expired exp, plaintext sensitive claims, and cracks a small bundled weak-hmac wordlist. no token is ever sent off-box.
+
+```bash
+./sif -u https://example.com -jwt
+```
+
+### openapi/swagger exposure
+
+`-openapi` - probe the conventional spec paths (`/swagger.json`, `/openapi.json`, `/v3/api-docs`, ...), parse the first hit (json or yaml) and enumerate every path+method, flagging operations with no security requirement
+
+```bash
+./sif -u https://example.com -openapi
+```
+
+### favicon fingerprint
+
+`-favicon` - fetch `/favicon.ico` (or the declared `<link rel=icon>`), compute the shodan-style mmh3 hash, match it against a bundled tech map and print the `http.favicon.hash:<n>` pivot query
+
+```bash
+./sif -u https://example.com -favicon
+```
+
 ### framework detection

 `-framework` - detect web frameworks with version and cve lookup
@@ -162,6 +265,34 @@ export SHODAN_API_KEY=your-api-key
 ./sif -u https://example.com -framework
 ```

+### web crawler
+
+`-crawl` - spider the target, following same-host links, scripts and forms
+
+`-crawl-depth` - max recursion depth (default 2). respects robots.txt and stays on the target host.
+
+```bash
+./sif -u https://example.com -crawl -crawl-depth 3
+```
+
+### passive discovery
+
+`-passive` - gather subdomains from certificate transparency (crt.sh, certspotter) and historical urls from the wayback machine
+
+keyless and zero traffic to the target itself - all lookups hit third-party feeds.
+
+```bash
+./sif -u https://example.com -passive
+```
+
+### live-host probe
+
+`-probe` - check whether the target is alive and report its final status, page title, server header, content-length and the redirect chain it walked
+
+```bash
+./sif -u https://example.com -probe
+```
+
 ### whois lookup

 `-whois` - perform whois lookups
@@ -225,7 +356,7 @@ http request timeout (default: 10s):

 ### --threads

-number of concurrent threads (default: 10):
+number of concurrent threads (default: 10). values below 1 are clamped to 1:

 ```bash
 ./sif -u https://example.com --threads 20
@@ -247,6 +378,169 @@ enable debug logging:
 ./sif -u https://example.com -d
 ```

+### --template
+
+load a batch of scan settings from a template instead of passing each flag. the value is either a built-in preset or a local yaml file keyed by flag long-names:
+
+```bash
+./sif -u https://example.com --template recon
+./sif -u https://example.com --template ./my-scans.yaml
+```
+
+built-in presets:
+
+- `minimal`: liveness and fingerprint only (probe, headers, favicon)
+- `recon`: broad non-intrusive discovery, no attack payloads
+- `full`: every scan except the api-key ones (shodan, securitytrails), including the intrusive probes (xss, sql, lfi, redirect)
+
+`full` sends attack payloads, so only run it against targets you are authorized to test.
+
+a local template lists flag long-names, for example:
+
+```yaml
+cms: true
+dirlist: medium
+threads: 20
+```
+
+flags passed on the command line take precedence over the template, so `--template recon -xss` runs the recon preset with an added xss probe.
+
+## http options
+
+these apply to every outbound request across all scanners (proxy, custom headers, cookie and rate limiting share one client). a scanner that sets a header explicitly still wins over the global default.
+
+### -proxy
+
+route all traffic through a proxy. supports http, https and socks5 urls:
+
+```bash
+./sif -u https://example.com -proxy socks5://127.0.0.1:1080
+```
+
+### -H, --header
+
+add a custom header to every request. repeatable or comma-separated, `"Key: Value"`:
+
+```bash
+./sif -u https://example.com -H "Authorization: Bearer tok" -H "X-Env: staging"
+```
+
+### -cookie
+
+cookie header to send with every request:
+
+```bash
+./sif -u https://example.com -cookie "session=abc; theme=dark"
+```
+
+### -rate-limit
+
+cap outbound requests per second (0 = unlimited, default 0):
+
+```bash
+./sif -u https://example.com -rate-limit 20
+```
+
+## output options
+
+write the collected findings out to a file after the scan. both formats can be requested in the same run.
+
+### -sarif
+
+write a sarif 2.1.0 report (one run, tool `sif`, one result per finding). ingestable by github code scanning and other sarif consumers:
+
+```bash
+./sif -u https://example.com -headers -cors -sarif out.sarif
+```
+
+### -md, --markdown
+
+write a readable markdown report grouped by target, then by module:
+
+```bash
+./sif -u https://example.com -headers -cors -md report.md
+```
+
+### -silent
+
+plain output for pipelines: all banner/spinner/log chrome goes to stderr and stdout carries one normalized finding per line, formatted `[severity] target module title`. implies non-interactive (no spinners), so a downstream consumer sees nothing but findings:
+
+```bash
+subfinder -d example.com | sif -silent -probe -sh | notify
+```
+
+### -diff
+
+turn a re-scan into a monitor. sif snapshots each target's normalized findings to a json file under the store dir; on the next run it loads that snapshot, diffs the current findings against it by finding key, and prints only the delta (`+ new` for findings that appeared, `- gone` for findings that vanished). it always rewrites the snapshot afterwards, so each run compares against the previous one.
+
+the first run for a target has no snapshot, so every finding shows as `+ new`. when nothing changed, sif notes that and writes a fresh snapshot anyway.
+
+```bash
+# baseline, then re-scan and see only what moved
+./sif -u https://example.com -sh -cors -diff
+./sif -u https://example.com -sh -cors -diff
+```
+
+the delta is chrome, not the findings stream: under `-silent` it rides stderr with the rest of the chrome, leaving stdout for the full findings.
+
+### -store
+
+snapshot directory for `-diff`. precedence when unset: the `-log` dir if one is given, else `<user-config>/sif/state` (`$XDG_CONFIG_HOME/sif/state` on linux, `~/Library/Application Support/sif/state` on macos). one sanitized file per target, created at `0750`, written `0600`.
+
+```bash
+./sif -u https://example.com -sh -diff -store ./snapshots
+```
+
+
+## notify options
+
+ship findings to a chat/webhook sink after the scan. every provider is a single POST through the shared http client, so the global proxy/rate-limit/header config applies. with nothing configured, `-notify` is a silent no-op.
+
+### -notify
+
+enable delivery to every configured provider:
+
+```bash
+export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
+./sif -u https://example.com -cors -xss -notify
+```
+
+### -notify-severity
+
+minimum severity to send: `info`, `low`, `medium`, `high` or `critical` (default `medium`). findings below the floor are dropped, so info-level recon noise doesn't flood a channel. an unrecognized value falls back to `medium`:
+
+```bash
+./sif -u https://example.com -cors -notify -notify-severity high
+```
+
+### -notify-config
+
+path to a yaml config that overrides the env vars per-field. the keys match [projectdiscovery/notify](https://github.com/projectdiscovery/notify) so an existing config ports over:
+
+```yaml
+slack_webhook_url: https://hooks.slack.com/services/...
+discord_webhook_url: https://discord.com/api/webhooks/...
+telegram_api_key: 123456:abcdef
+telegram_chat_id: "987654"
+webhook_url: https://example.internal/sif-findings
+```
+
+```bash
+./sif -u https://example.com -cors -notify -notify-config notify.yaml
+```
+
+providers are resolved env-first, then overlaid by the yaml file:
+
+| env var | yaml key | provider |
+|---------|----------|----------|
+| `SLACK_WEBHOOK_URL` | `slack_webhook_url` | slack incoming webhook |
+| `DISCORD_WEBHOOK_URL` | `discord_webhook_url` | discord webhook |
+| `TELEGRAM_BOT_TOKEN` | `telegram_api_key` | telegram bot api (needs chat id too) |
+| `TELEGRAM_CHAT_ID` | `telegram_chat_id` | telegram destination chat |
+| `NOTIFY_WEBHOOK_URL` | `webhook_url` | generic json webhook (structured findings) |
+
+slack/discord/telegram receive a fixed-width finding block; the generic webhook receives structured json (`{count, findings[]}`) for downstream automation.
+
 ## api options

 ### -api
@@ -303,6 +597,9 @@ the first time you run a new release sif also prints that release's notes once.
  -git \
  -sql \
  -lfi \
+  -cors \
+  -redirect \
+  -xss \
  -am
 ```

@@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1767364772,
-        "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
+        "lastModified": 1780930886,
+        "narHash": "sha256-rppURzHviaQN131F+nLiLdGfcb0uCd9gGP0E5+iw9MI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
+        "rev": "8c3cede7ddc26bd659d2d383b5610efbd2c7a16e",
        "type": "github"
      },
      "original": {
@@ -21,7 +21,7 @@
            version = "unstable-${self.shortRev or self.dirtyShortRev or "dev"}";
            src = ./.;

-            vendorHash = "sha256-ztKXnOjZS/jMxsRjtF0rIZ3lKv4YjMdZd6oQFRuAtR4=";
+            vendorHash = "sha256-fR63/dStMsZon22vancuLWIAvZiEYMLjMwY1kmRDNgM=";

            # Tests require network access (httptest)
            doCheck = false;
@@ -4,14 +4,19 @@ go 1.25.7

 require (
 	github.com/antchfx/htmlquery v1.3.6
-	github.com/charmbracelet/glamour v0.10.0
+	github.com/charmbracelet/glamour v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834
 	github.com/charmbracelet/log v1.0.0
+	github.com/gocolly/colly/v2 v2.3.0
 	github.com/likexian/whois v1.15.7
 	github.com/projectdiscovery/goflags v0.1.74
-	github.com/projectdiscovery/nuclei/v3 v3.8.0
-	github.com/projectdiscovery/utils v0.10.1
+	github.com/projectdiscovery/nuclei/v3 v3.9.0
+	github.com/projectdiscovery/retryabledns v1.0.115
+	github.com/projectdiscovery/utils v0.11.1
 	github.com/rocketlaunchr/google-search v1.1.6
+	github.com/twmb/murmur3 v1.1.8
+	golang.org/x/net v0.56.0
+	golang.org/x/time v0.15.0
 	gopkg.in/yaml.v3 v3.0.1
 )

@@ -28,16 +33,18 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 // indirect
 	github.com/Azure/go-ntlmssp v0.1.1 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
-	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
+	github.com/FalconOpsLLC/goexec v0.3.0 // indirect
 	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Mzack9999/gcache v0.0.0-20230410081825-519e28eab057 // indirect
 	github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb8883508809 // indirect
 	github.com/Mzack9999/go-rsync v0.0.0-20250821180103-81ffa574ef4d // indirect
+	github.com/Mzack9999/goimpacket v0.0.0-20260422121140-7085336a0415 // indirect
 	github.com/Mzack9999/goja v0.0.0-20250507184235-e46100e9c697 // indirect
 	github.com/Mzack9999/goja_nodejs v0.0.0-20250507184139-66bcbf65c883 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/PuerkitoBio/goquery v1.11.0 // indirect
+	github.com/RedTeamPentesting/adauth v0.5.4-0.20260511073005-3d18e8a5a687 // indirect
 	github.com/STARRY-S/zip v0.2.3 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/akrylysov/pogreb v0.10.2 // indirect
@@ -50,7 +57,7 @@ require (
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/andygrunwald/go-jira v1.16.1 // indirect
-	github.com/antchfx/xmlquery v1.4.4 // indirect
+	github.com/antchfx/xmlquery v1.5.0 // indirect
 	github.com/antchfx/xpath v1.3.6 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.5 // indirect
@@ -75,7 +82,7 @@ require (
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
-	github.com/bits-and-blooms/bitset v1.22.0 // indirect
+	github.com/bits-and-blooms/bitset v1.24.4 // indirect
 	github.com/bits-and-blooms/bloom/v3 v3.5.0 // indirect
 	github.com/bluele/gcache v0.0.2 // indirect
 	github.com/bodgit/plumbing v1.3.0 // indirect
@@ -92,7 +99,7 @@ require (
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/colorprofile v0.3.2 // indirect
-	github.com/charmbracelet/x/ansi v0.10.1 // indirect
+	github.com/charmbracelet/x/ansi v0.10.2 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/exp/slice v0.0.0-20250908092851-c2208eb08494 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
@@ -112,8 +119,7 @@ require (
 	github.com/ditashi/jsbeautifier-go v0.0.0-20141206144643-2520a8026a9c // indirect
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
-	github.com/docker/docker v28.3.3+incompatible // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-connections v0.7.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
@@ -126,8 +132,8 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/free5gc/util v1.0.5-0.20230511064842-2e120956883b // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
-	github.com/gaissmai/bart v0.26.1 // indirect
-	github.com/geoffgarside/ber v1.1.0 // indirect
+	github.com/gaissmai/bart v0.28.0 // indirect
+	github.com/geoffgarside/ber v1.2.0 // indirect
 	github.com/getkin/kin-openapi v0.132.0 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/gin-gonic/gin v1.9.1 // indirect
@@ -136,7 +142,7 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.9.0 // indirect
 	github.com/go-git/go-git/v5 v5.19.1 // indirect
-	github.com/go-ldap/ldap/v3 v3.4.11 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.12 // indirect
 	github.com/go-logfmt/logfmt v0.6.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -158,8 +164,6 @@ require (
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.4.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/gocolly/colly/v2 v2.1.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
@@ -187,6 +191,7 @@ require (
 	github.com/hdm/jarm-go v0.0.7 // indirect
 	github.com/iangcarroll/cookiemonster v1.6.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/indece-official/go-ebcdic v1.2.0 // indirect
 	github.com/invopop/jsonschema v0.13.0 // indirect
 	github.com/invopop/yaml v0.3.1 // indirect
 	github.com/itchyny/gojq v0.12.17 // indirect
@@ -195,6 +200,7 @@ require (
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
 	github.com/jcmturner/gofork v1.7.6 // indirect
+	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
 	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
@@ -207,7 +213,7 @@ require (
 	github.com/kennygrant/sanitize v1.2.4 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kitabisa/go-ci v1.0.3 // indirect
-	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
@@ -225,8 +231,8 @@ require (
 	github.com/mackerelio/go-osstat v0.2.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
+	github.com/mattn/go-runewidth v0.0.17 // indirect
 	github.com/mattn/go-sqlite3 v1.14.28 // indirect
 	github.com/maypok86/otter/v2 v2.2.1 // indirect
 	github.com/mholt/acmez/v3 v3.1.3 // indirect
@@ -239,16 +245,21 @@ require (
 	github.com/minio/selfupdate v0.6.1-0.20230907112617-f11e74f84ca7 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/moby/api v1.54.2 // indirect
+	github.com/moby/moby/client v0.4.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/nlnwa/whatwg-url v0.6.2 // indirect
 	github.com/nwaples/rardecode/v2 v2.2.2 // indirect
 	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
 	github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
+	github.com/oiweiwei/go-msrpc v1.2.12 // indirect
+	github.com/oiweiwei/go-smb2.fork v1.0.0 // indirect
+	github.com/oiweiwei/gokrb5.fork/v9 v9.0.6 // indirect
 	github.com/olekukonko/errors v1.1.0 // indirect
 	github.com/olekukonko/ll v0.0.9 // indirect
 	github.com/olekukonko/tablewriter v1.0.8 // indirect
@@ -264,41 +275,42 @@ require (
 	github.com/praetorian-inc/fingerprintx v1.1.15 // indirect
 	github.com/projectdiscovery/asnmap v1.1.1 // indirect
 	github.com/projectdiscovery/blackrock v0.0.1 // indirect
-	github.com/projectdiscovery/cdncheck v1.2.31 // indirect
-	github.com/projectdiscovery/clistats v0.1.1 // indirect
-	github.com/projectdiscovery/dsl v0.8.14 // indirect
-	github.com/projectdiscovery/fastdialer v0.5.6 // indirect
+	github.com/projectdiscovery/cdncheck v1.2.39 // indirect
+	github.com/projectdiscovery/clistats v0.1.4 // indirect
+	github.com/projectdiscovery/dsl v0.8.19 // indirect
+	github.com/projectdiscovery/fastdialer v0.5.10 // indirect
 	github.com/projectdiscovery/fasttemplate v0.0.2 // indirect
 	github.com/projectdiscovery/freeport v0.0.7 // indirect
 	github.com/projectdiscovery/gcache v0.0.0-20241015120333-12546c6e3f4c // indirect
 	github.com/projectdiscovery/go-smb2 v0.0.0-20240129202741-052cc450c6cb // indirect
-	github.com/projectdiscovery/gologger v1.1.68 // indirect
+	github.com/projectdiscovery/gologger v1.1.70 // indirect
 	github.com/projectdiscovery/gostruct v0.0.2 // indirect
-	github.com/projectdiscovery/gozero v0.1.1-0.20251027191944-a4ea43320b81 // indirect
-	github.com/projectdiscovery/hmap v0.0.100 // indirect
+	github.com/projectdiscovery/govaluate v0.0.0-20260504230327-80320480bb6e // indirect
+	github.com/projectdiscovery/gozero v0.1.1-0.20260530071156-fa1dad563d76 // indirect
+	github.com/projectdiscovery/hmap v0.0.101 // indirect
 	github.com/projectdiscovery/httpx v1.9.0 // indirect
 	github.com/projectdiscovery/interactsh v1.3.1 // indirect
 	github.com/projectdiscovery/ldapserver v1.0.2-0.20240219154113-dcc758ebc0cb // indirect
 	github.com/projectdiscovery/machineid v0.0.0-20250715113114-c77eb3567582 // indirect
 	github.com/projectdiscovery/mapcidr v1.1.97 // indirect
 	github.com/projectdiscovery/n3iwf v0.0.0-20230523120440-b8cd232ff1f5 // indirect
-	github.com/projectdiscovery/networkpolicy v0.1.36 // indirect
-	github.com/projectdiscovery/ratelimit v0.0.85 // indirect
+	github.com/projectdiscovery/networkpolicy v0.1.40 // indirect
+	github.com/projectdiscovery/ratelimit v0.0.88 // indirect
 	github.com/projectdiscovery/rawhttp v0.1.90 // indirect
 	github.com/projectdiscovery/rdap v0.9.1-0.20221108103045-9865884d1917 // indirect
-	github.com/projectdiscovery/retryabledns v1.0.114 // indirect
-	github.com/projectdiscovery/retryablehttp-go v1.3.8 // indirect
-	github.com/projectdiscovery/sarif v0.0.1 // indirect
+	github.com/projectdiscovery/retryablehttp-go v1.3.14 // indirect
+	github.com/projectdiscovery/sarif v0.1.0 // indirect
 	github.com/projectdiscovery/tlsx v1.2.2 // indirect
-	github.com/projectdiscovery/uncover v1.2.0 // indirect
-	github.com/projectdiscovery/useragent v0.0.107 // indirect
-	github.com/projectdiscovery/wappalyzergo v0.2.76 // indirect
+	github.com/projectdiscovery/uncover v1.2.1 // indirect
+	github.com/projectdiscovery/useragent v0.0.108 // indirect
+	github.com/projectdiscovery/wappalyzergo v0.2.84 // indirect
 	github.com/projectdiscovery/yamldoc-go v1.0.6 // indirect
 	github.com/redis/go-redis/v9 v9.11.0 // indirect
 	github.com/refraction-networking/utls v1.8.2 // indirect
 	github.com/remeh/sizedwaitgroup v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/xid v1.6.0 // indirect
+	github.com/rs/zerolog v1.34.0 // indirect
 	github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
 	github.com/sashabaranov/go-openai v1.37.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
@@ -307,12 +319,13 @@ require (
 	github.com/shirou/gopsutil/v4 v4.26.3 // indirect
 	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
 	github.com/sijms/go-ora/v2 v2.9.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/sorairolake/lzip-go v0.3.8 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
-	github.com/spf13/cast v1.9.2 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
 	github.com/temoto/robotstxt v1.1.2 // indirect
 	github.com/tidwall/btree v1.8.1 // indirect
@@ -360,37 +373,36 @@ require (
 	github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248 // indirect
 	github.com/zmap/zcrypto v0.0.0-20240803002437-3a861682ac77 // indirect
 	github.com/zmap/zgrab2 v0.1.8 // indirect
-	gitlab.com/gitlab-org/api/client-go v0.130.1 // indirect
+	gitlab.com/gitlab-org/api/client-go v1.9.1 // indirect
 	go.etcd.io/bbolt v1.4.3 // indirect
 	go.mongodb.org/mongo-driver v1.17.9 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel v1.41.0 // indirect
-	go.opentelemetry.io/otel/metric v1.41.0 // indirect
-	go.opentelemetry.io/otel/trace v1.41.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	goftp.io/server/v2 v2.0.1 // indirect
 	golang.org/x/arch v0.3.0 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
-	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
-	golang.org/x/mod v0.35.0 // indirect
-	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/crypto v0.53.0 // indirect
+	golang.org/x/exp v0.0.0-20260527015227-08cc5374adb3 // indirect
+	golang.org/x/mod v0.36.0 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
-	golang.org/x/term v0.42.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
-	golang.org/x/tools v0.44.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	golang.org/x/sync v0.21.0 // indirect
+	golang.org/x/sys v0.46.0 // indirect
+	golang.org/x/term v0.44.0 // indirect
+	golang.org/x/text v0.38.0 // indirect
+	golang.org/x/tools v0.45.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
 	gopkg.in/corvus-ch/zbase32.v1 v1.0.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	mellium.im/sasl v0.3.2 // indirect
 	moul.io/http2curl v1.0.0 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.7.0 // indirect
 )
@@ -73,8 +73,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible h1:1G1pk05UrOh0NlF1oeaaix1x8XzrfjIDK47TY0Zehcw=
-github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
+github.com/FalconOpsLLC/goexec v0.3.0 h1:ryLMkrGT6asnkqdc5rFMNOSTYdMH/iCfyEuwu0D6ZhA=
+github.com/FalconOpsLLC/goexec v0.3.0/go.mod h1:kiyxVbmFCGbbwXRyZmOSKlOy7PiK+JH2gq07Ztag/k8=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -86,6 +86,8 @@ github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb888350
 github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb8883508809/go.mod h1:upgc3Zs45jBDnBT4tVRgRcgm26ABpaP7MoTSdgysca4=
 github.com/Mzack9999/go-rsync v0.0.0-20250821180103-81ffa574ef4d h1:DofPB5AcjTnOU538A/YD86/dfqSNTvQsAXgwagxmpu4=
 github.com/Mzack9999/go-rsync v0.0.0-20250821180103-81ffa574ef4d/go.mod h1:uzdh/m6XQJI7qRvufeBPDa+lj5SVCJO8B9eLxTbtI5U=
+github.com/Mzack9999/goimpacket v0.0.0-20260422121140-7085336a0415 h1:lpSZPcbowbxvKFaFvE1reLTCStezWXcRVk0zzBtUatg=
+github.com/Mzack9999/goimpacket v0.0.0-20260422121140-7085336a0415/go.mod h1:Wvb2f1Aq6NVL4Fza/dPNxv6/canpeizpgmiTCBGMD50=
 github.com/Mzack9999/goja v0.0.0-20250507184235-e46100e9c697 h1:54I+OF5vS4a/rxnUrN5J3hi0VEYKcrTlpc8JosDyP+c=
 github.com/Mzack9999/goja v0.0.0-20250507184235-e46100e9c697/go.mod h1:yNqYRqxYkSROY1J+LX+A0tOSA/6soXQs5m8hZSqYBac=
 github.com/Mzack9999/goja_nodejs v0.0.0-20250507184139-66bcbf65c883 h1:+Is1AS20q3naP+qJophNpxuvx1daFOx9C0kLIuI0GVk=
@@ -101,6 +103,8 @@ github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBK
 github.com/PuerkitoBio/goquery v1.8.1/go.mod h1:Q8ICL1kNUJ2sXGoAhPGUdYDJvgQgHzJsnnd3H7Ho5jQ=
 github.com/PuerkitoBio/goquery v1.11.0 h1:jZ7pwMQXIITcUXNH83LLk+txlaEy6NVOfTuP43xxfqw=
 github.com/PuerkitoBio/goquery v1.11.0/go.mod h1:wQHgxUOU3JGuj3oD/QFfxUdlzW6xPHfqyHre6VMY4DQ=
+github.com/RedTeamPentesting/adauth v0.5.4-0.20260511073005-3d18e8a5a687 h1:HHkHNwakgAFX3qlMm88c090vIYNFWiO5+4WyAr0xJuM=
+github.com/RedTeamPentesting/adauth v0.5.4-0.20260511073005-3d18e8a5a687/go.mod h1:l6FRaC2TliS/JMNWskO3J1tmrcKJyOaMFhWC6hHeWno=
 github.com/RumbleDiscovery/rumble-tools v0.0.0-20201105153123-f2adbb3244d2/go.mod h1:jD2+mU+E2SZUuAOHZvZj4xP4frlOo+N/YrXDvASFhkE=
 github.com/STARRY-S/zip v0.2.3 h1:luE4dMvRPDOWQdeDdUxUoZkzUIpTccdKdhHHsQJ1fm4=
 github.com/STARRY-S/zip v0.2.3/go.mod h1:lqJ9JdeRipyOQJrYSOtpNAiaesFO6zVDsE8GIGFaoSk=
@@ -125,8 +129,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/alexsnet/go-vnc v0.1.0 h1:vBCwPNy79WEL8V/Z5A0ngEFCvTWBAjmS048lkR2rdmY=
 github.com/alexsnet/go-vnc v0.1.0/go.mod h1:bbRsg41Sh3zvrnWsw+REKJVGZd8Of2+S0V1G0ZaBhlU=
 github.com/alitto/pond v1.9.2 h1:9Qb75z/scEZVCoSU+osVmQ0I0JOeLfdTDafrbcJ8CLs=
@@ -149,13 +153,13 @@ github.com/antchfx/htmlquery v1.3.6 h1:RNHHL7YehO5XdO8IM8CynwLKONwRHWkrghbYhQIk9
 github.com/antchfx/htmlquery v1.3.6/go.mod h1:kcVUqancxPygm26X2rceEcagZFFVkLEE7xgLkGSDl/4=
 github.com/antchfx/xmlquery v1.2.4/go.mod h1:KQQuESaxSlqugE2ZBcM/qn+ebIpt+d+4Xx7YcSGAIrM=
 github.com/antchfx/xmlquery v1.3.15/go.mod h1:zMDv5tIGjOxY/JCNNinnle7V/EwthZ5IT8eeCGJKRWA=
-github.com/antchfx/xmlquery v1.4.4 h1:mxMEkdYP3pjKSftxss4nUHfjBhnMk4imGoR96FRY2dg=
-github.com/antchfx/xmlquery v1.4.4/go.mod h1:AEPEEPYE9GnA2mj5Ur2L5Q5/2PycJ0N9Fusrx9b12fc=
+github.com/antchfx/xmlquery v1.5.0 h1:uAi+mO40ZWfyU6mlUBxRVvL6uBNZ6LMU4M3+mQIBV4c=
+github.com/antchfx/xmlquery v1.5.0/go.mod h1:lJfWRXzYMK1ss32zm1GQV3gMIW/HFey3xDZmkP1SuNc=
 github.com/antchfx/xpath v1.1.6/go.mod h1:Yee4kTMuNiPYJ7nSNorELQMr1J33uOpXDMByNYhvtNk=
 github.com/antchfx/xpath v1.1.8/go.mod h1:Yee4kTMuNiPYJ7nSNorELQMr1J33uOpXDMByNYhvtNk=
 github.com/antchfx/xpath v1.2.3/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
 github.com/antchfx/xpath v1.2.4/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
-github.com/antchfx/xpath v1.3.3/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
+github.com/antchfx/xpath v1.3.5/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
 github.com/antchfx/xpath v1.3.6 h1:s0y+ElRRtTQdfHP609qFu0+c6bglDv20pqOViQjjdPI=
 github.com/antchfx/xpath v1.3.6/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
@@ -212,8 +216,9 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bits-and-blooms/bitset v1.8.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
-github.com/bits-and-blooms/bitset v1.22.0 h1:Tquv9S8+SGaS3EhyA+up3FXzmkhxPGjQQCkcs2uw7w4=
-github.com/bits-and-blooms/bitset v1.22.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/bits-and-blooms/bitset v1.20.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/bits-and-blooms/bitset v1.24.4 h1:95H15Og1clikBrKr/DuzMXkQzECs1M6hhoGXLwLQOZE=
+github.com/bits-and-blooms/bitset v1.24.4/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/bits-and-blooms/bloom/v3 v3.5.0 h1:AKDvi1V3xJCmSR6QhcBfHbCN4Vf8FfxeWkMNQfmAGhY=
 github.com/bits-and-blooms/bloom/v3 v3.5.0/go.mod h1:Y8vrn7nk1tPIlmLtW2ZPV+W7StdVMor6bC1xgpjMZFs=
 github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw=
@@ -245,8 +250,6 @@ github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+Y
 github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
-github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/censys/censys-sdk-go v0.19.1 h1:CG8rQKgwrKuoICd3oU0uddALMfJnboeMkDg/e74HYyc=
 github.com/censys/censys-sdk-go v0.19.1/go.mod h1:DgPz5NgL+EfoueXLPG9UG1e7hS0OhtlywgpkIuu3ZRE=
@@ -259,14 +262,14 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/colorprofile v0.3.2 h1:9J27WdztfJQVAQKX2WOlSSRB+5gaKqqITmrvb1uTIiI=
 github.com/charmbracelet/colorprofile v0.3.2/go.mod h1:mTD5XzNeWHj8oqHb+S1bssQb7vIHbepiebQ2kPKVKbI=
-github.com/charmbracelet/glamour v0.10.0 h1:MtZvfwsYCx8jEPFJm3rIBFIMZUfUJ765oX8V6kXldcY=
-github.com/charmbracelet/glamour v0.10.0/go.mod h1:f+uf+I/ChNmqo087elLnVdCiVgjSKWuXa/l6NU2ndYk=
+github.com/charmbracelet/glamour v1.0.0 h1:AWMLOVFHTsysl4WV8T8QgkQ0s/ZNZo7CiE4WKhk8l08=
+github.com/charmbracelet/glamour v1.0.0/go.mod h1:DSdohgOBkMr2ZQNhw4LZxSGpx3SvpeujNoXrQyH2hxo=
 github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834 h1:ZR7e0ro+SZZiIZD7msJyA+NjkCNNavuiPBLgerbOziE=
 github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834/go.mod h1:aKC/t2arECF6rNOnaKaVU6y4t4ZeHQzqfxedE/VkVhA=
 github.com/charmbracelet/log v1.0.0 h1:HVVVMmfOorfj3BA9i8X8UL69Hoz9lI0PYwXfJvOdRc4=
 github.com/charmbracelet/log v1.0.0/go.mod h1:uYgY3SmLpwJWxmlrPwXvzVYujxis1vAKRV/0VQB7yWA=
-github.com/charmbracelet/x/ansi v0.10.1 h1:rL3Koar5XvX0pHGfovN03f5cxLbCF2YvLeyz7D2jVDQ=
-github.com/charmbracelet/x/ansi v0.10.1/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
+github.com/charmbracelet/x/ansi v0.10.2 h1:ith2ArZS0CJG30cIUfID1LXN7ZFXRCww6RUvAPA+Pzw=
+github.com/charmbracelet/x/ansi v0.10.2/go.mod h1:HbLdJjQH4UH4AqA2HpRWuWNluRE6zxJH/yteYEYCFa8=
 github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
 github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/exp/golden v0.0.0-20240806155701-69247e0abc2a h1:G99klV19u0QnhiizODirwVksQB91TJKV/UaTnACcG30=
@@ -305,8 +308,7 @@ github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
-github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
-github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
 github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -330,10 +332,8 @@ github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZ
 github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM=
 github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
-github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
-github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c=
+github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4=
@@ -373,10 +373,10 @@ github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
 github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
-github.com/gaissmai/bart v0.26.1 h1:+w4rnLGNlA2GDVn382Tfe3jOsK5vOr5n4KmigJ9lbTo=
-github.com/gaissmai/bart v0.26.1/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
-github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w=
-github.com/geoffgarside/ber v1.1.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
+github.com/gaissmai/bart v0.28.0 h1:89yZLo8NmyqD0RYgJ3QO9HhqqGGw+oWhf90cZm69Lko=
+github.com/gaissmai/bart v0.28.0/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
+github.com/geoffgarside/ber v1.2.0 h1:/loowoRcs/MWLYmGX9QtIAbA+V/FrnVLsMMPhwiRm64=
+github.com/geoffgarside/ber v1.2.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
 github.com/getkin/kin-openapi v0.132.0 h1:3ISeLMsQzcb5v26yeJrBcdTCEQTag36ZjaGk7MIRUwk=
 github.com/getkin/kin-openapi v0.132.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
@@ -405,8 +405,8 @@ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
-github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
-github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
@@ -464,12 +464,12 @@ github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakr
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gocolly/colly v1.2.0/go.mod h1:Hof5T3ZswNVsOHYmba1u03W65HDWgpV5HifSuueE0EA=
-github.com/gocolly/colly/v2 v2.1.0 h1:k0DuZkDoCsx51bKpRJNEmcxcp+W5N8ziuwGaSDuFoGs=
 github.com/gocolly/colly/v2 v2.1.0/go.mod h1:I2MuhsLjQ+Ex+IzK3afNS8/1qP3AedHOusRPcRdC5o0=
+github.com/gocolly/colly/v2 v2.3.0 h1:HSFh0ckbgVd2CSGRE+Y/iA4goUhGROJwyQDCMXGFBWM=
+github.com/gocolly/colly/v2 v2.3.0/go.mod h1:Qp54s/kQbwCQvFVx8KzKCSTXVJ1wWT4QeAKEu33x1q8=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
@@ -569,13 +569,15 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
+github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
 github.com/gosimple/slug v1.15.0 h1:wRZHsRrRcs6b0XnxMUBM6WK1U1Vg5B0R7VkIf1Xzobo=
 github.com/gosimple/slug v1.15.0/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ=
 github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o=
 github.com/gosimple/unidecode v1.0.1/go.mod h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/h2non/filetype v1.1.3 h1:FKkx9QbD7HR/zjK1Ia5XiBsq9zdLi5Kf3zGyFTAFkGg=
 github.com/h2non/filetype v1.1.3/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
@@ -608,6 +610,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/indece-official/go-ebcdic v1.2.0 h1:nKCubkNoXrGvBp3MSYuplOQnhANCDEY512Ry5Mwr4a0=
+github.com/indece-official/go-ebcdic v1.2.0/go.mod h1:RBddVJt0Ks0eDLRG5dhPwBDRiTNA7n+yv0dVFpSs46Q=
 github.com/invopop/jsonschema v0.13.0 h1:KvpoAJWEjR3uD9Kbm2HWJmqsEaHt8lBUpd0qHcIi21E=
 github.com/invopop/jsonschema v0.13.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
 github.com/invopop/yaml v0.3.1 h1:f0+ZpmhfBSS4MhG+4HYseMdJhoeeopbSKbq5Rpeelso=
@@ -665,13 +669,12 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kitabisa/go-ci v1.0.3 h1:JmIUIvcercRQc/9x/v02ydCCqU4MadSHaNaOF8T2pGA=
 github.com/kitabisa/go-ci v1.0.3/go.mod h1:e3wBSzaJbcifXrr/Gw2ZBLn44MmeqP5WySwXyHlCK/U=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
-github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
@@ -722,13 +725,16 @@ github.com/mackerelio/go-osstat v0.2.6 h1:gs4U8BZeS1tjrL08tt5VUliVvSWP26Ai2Ob8Lr
 github.com/mackerelio/go-osstat v0.2.6/go.mod h1:lRy8V9ZuHpuRVZh+vyTkODeDPl3/d5MgXHtLSaqG8bA=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkENfrjQ=
+github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.28 h1:ThEiQrnbtumT+QMknw63Befp/ce/nUPgBPMlRFEum7A=
 github.com/mattn/go-sqlite3 v1.14.28/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -758,14 +764,10 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/moby/api v1.53.0 h1:PihqG1ncw4W+8mZs69jlwGXdaYBeb5brF6BL7mPIS/w=
-github.com/moby/moby/api v1.53.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
-github.com/moby/moby/client v0.2.2 h1:Pt4hRMCAIlyjL3cr8M5TrXCwKzguebPAc2do2ur7dEM=
-github.com/moby/moby/client v0.2.2/go.mod h1:2EkIPVNCqR05CMIzL1mfA07t0HvVUUOl85pasRz/GmQ=
-github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
-github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
-github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
-github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg=
+github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
+github.com/moby/moby/client v0.4.1 h1:DMQgisVoMkmMs7fp3ROSdiBnoAu8+vo3GggFl06M/wY=
+github.com/moby/moby/client v0.4.1/go.mod h1:z52C9O2POPOsnxZAy//WtKcQ32P+jT/NGeXu/7nfjGQ=
 github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
 github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
@@ -781,8 +783,6 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
 github.com/mreiferson/go-httpclient v0.0.0-20201222173833-5e475fde3a4d/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
 github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
@@ -791,6 +791,8 @@ github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/nlnwa/whatwg-url v0.6.2 h1:jU61lU2ig4LANydbEJmA2nPrtCGiKdtgT0rmMd2VZ/Q=
+github.com/nlnwa/whatwg-url v0.6.2/go.mod h1:x0FPXJzzOEieQtsBT/AKvbiBbQ46YlL6Xa7m02M1ECk=
 github.com/nwaples/rardecode/v2 v2.2.2 h1:/5oL8dzYivRM/tqX9VcTSWfbpwcbwKG1QtSJr3b3KcU=
 github.com/nwaples/rardecode/v2 v2.2.2/go.mod h1:7uz379lSxPe6j9nvzxUZ+n7mnJNgjsRNb6IbvGVHRmw=
 github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
@@ -799,6 +801,12 @@ github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//J
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90/go.mod h1:y5+oSEHCPT/DGrS++Wc/479ERge0zTFxaF8PbGKcg2o=
+github.com/oiweiwei/go-msrpc v1.2.12 h1:gaxnv1cyX3v9l+NNxyr4ONyvh/mnmh8Egel9r8zxNxE=
+github.com/oiweiwei/go-msrpc v1.2.12/go.mod h1:T6/ENmAoD1nYCr3NW8PS8AjIX0tZEAL7yO0tsejtK18=
+github.com/oiweiwei/go-smb2.fork v1.0.0 h1:xHq/eYPM8hQEO/nwCez8YwHWHC8mlcsgw/Neu52fPN4=
+github.com/oiweiwei/go-smb2.fork v1.0.0/go.mod h1:h0CzLVvGAmq39izdYVHKyI5cLv6aHdbQAMKEe4dz4N8=
+github.com/oiweiwei/gokrb5.fork/v9 v9.0.6 h1:ZMXO5OtzPPSqZ7KPgknVuvHE5iAbSXq5JLgzrkiXknM=
+github.com/oiweiwei/gokrb5.fork/v9 v9.0.6/go.mod h1:KEnkAYUYqZ5VwzxLFbv3JHlRhCvdFahjrdjjssMJJkI=
 github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
 github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
 github.com/olekukonko/ll v0.0.9 h1:Y+1YqDfVkqMWuEQMclsF9HUR5+a82+dxJuL1HHSRpxI=
@@ -847,14 +855,14 @@ github.com/projectdiscovery/asnmap v1.1.1 h1:ImJiKIaACOT7HPx4Pabb5dksolzaFYsD1kI
 github.com/projectdiscovery/asnmap v1.1.1/go.mod h1:QT7jt9nQanj+Ucjr9BqGr1Q2veCCKSAVyUzLXfEcQ60=
 github.com/projectdiscovery/blackrock v0.0.1 h1:lHQqhaaEFjgf5WkuItbpeCZv2DUIE45k0VbGJyft6LQ=
 github.com/projectdiscovery/blackrock v0.0.1/go.mod h1:ANUtjDfaVrqB453bzToU+YB4cUbvBRpLvEwoWIwlTss=
-github.com/projectdiscovery/cdncheck v1.2.31 h1:8iD/MLDdMdMziM3RA5FkjUxO6kIwwgAoxWaL6RBIIl0=
-github.com/projectdiscovery/cdncheck v1.2.31/go.mod h1:6/B6caF1+97hR9cICMlzIYR8hpAN/y3AlJPHI2q48PQ=
-github.com/projectdiscovery/clistats v0.1.1 h1:8mwbdbwTU4aT88TJvwIzTpiNeow3XnAB72JIg66c8wE=
-github.com/projectdiscovery/clistats v0.1.1/go.mod h1:4LtTC9Oy//RiuT1+76MfTg8Hqs7FQp1JIGBM3nHK6a0=
-github.com/projectdiscovery/dsl v0.8.14 h1:g9szcXk2RRdVf2rsHEzbTXOPxiny3haKonSncU6pg2w=
-github.com/projectdiscovery/dsl v0.8.14/go.mod h1:LYImt/EiBzqTWG1RswT3Yl0DZbfjUP93Nvq2Z/G7dcE=
-github.com/projectdiscovery/fastdialer v0.5.6 h1:kIBFmzbXrua41uf4fGsQClTZmT7cm7E3vVgcSj8gs6Q=
-github.com/projectdiscovery/fastdialer v0.5.6/go.mod h1:QxvCe02Jii+j8vA3hWYkymgZIY8cqMgs2s3Jbz6mvbs=
+github.com/projectdiscovery/cdncheck v1.2.39 h1:gNE2dyaK+ZqEdEWyVUFlq8PvromEhSxamhsmFZR2Voc=
+github.com/projectdiscovery/cdncheck v1.2.39/go.mod h1:9oE9KKxCSHNvUf0UaMeqqUwWpC38FkNaTll0ScIBT3w=
+github.com/projectdiscovery/clistats v0.1.4 h1:kDnXoNxIdOvQElOF7k2Mt6XosGa5GbMKPtRXdPHMVzU=
+github.com/projectdiscovery/clistats v0.1.4/go.mod h1:hjJYNcUubk9T3cuFvA+JkLhZGjzYW50fkC48dqUAtbU=
+github.com/projectdiscovery/dsl v0.8.19 h1:qA5OFJMfghSCjKqS4AdsEtnur/SoriXDw3geE7+mReU=
+github.com/projectdiscovery/dsl v0.8.19/go.mod h1:Twk93q7fxQ43v/8nR+0TJV8/eFTdBAC5tIXe3qzua9Y=
+github.com/projectdiscovery/fastdialer v0.5.10 h1:dB9MSu4cSo22qne4pHiK9iYSxfOgpwlKB6zfOHvz3RI=
+github.com/projectdiscovery/fastdialer v0.5.10/go.mod h1:W1ZkULr9mMR6i0oRFTztANnpVyEEzPUovK8sUM4eAw8=
 github.com/projectdiscovery/fasttemplate v0.0.2 h1:h2cISk5xDhlJEinlBQS6RRx0vOlOirB2y3Yu4PJzpiA=
 github.com/projectdiscovery/fasttemplate v0.0.2/go.mod h1:XYWWVMxnItd+r0GbjA1GCsUopMw1/XusuQxdyAIHMCw=
 github.com/projectdiscovery/freeport v0.0.7 h1:Q6uXo/j8SaV/GlAHkEYQi8WQoPXyJWxyspx+aFmz9Qk=
@@ -865,14 +873,16 @@ github.com/projectdiscovery/go-smb2 v0.0.0-20240129202741-052cc450c6cb h1:rutG90
 github.com/projectdiscovery/go-smb2 v0.0.0-20240129202741-052cc450c6cb/go.mod h1:FLjF1DmZ+POoGEiIQdWuYVwS++C/GwpX8YaCsTSm1RY=
 github.com/projectdiscovery/goflags v0.1.74 h1:n85uTRj5qMosm0PFBfsvOL24I7TdWRcWq/1GynhXS7c=
 github.com/projectdiscovery/goflags v0.1.74/go.mod h1:UMc9/7dFz2oln+10tv6cy+7WZKTHf9UGhaNkF95emh4=
-github.com/projectdiscovery/gologger v1.1.68 h1:KfdIO/3X7BtHssWZuqhxPZ+A946epCCx2cz+3NnRAnU=
-github.com/projectdiscovery/gologger v1.1.68/go.mod h1:Xae0t4SeqJVa0RQGK9iECx/+HfXhvq70nqOQp2BuW+o=
+github.com/projectdiscovery/gologger v1.1.70 h1:A1ZAsUJfRUXO6qqwTwyTWXLVlBrVu/Gpi1zzL1hg5LY=
+github.com/projectdiscovery/gologger v1.1.70/go.mod h1:kpLKNafZWRN9P7WpJYtIOY/XvY/v41GDdU9NzICdKmo=
 github.com/projectdiscovery/gostruct v0.0.2 h1:s8gP8ApugGM4go1pA+sVlPDXaWqNP5BBDDSv7VEdG1M=
 github.com/projectdiscovery/gostruct v0.0.2/go.mod h1:H86peL4HKwMXcQQtEa6lmC8FuD9XFt6gkNR0B/Mu5PE=
-github.com/projectdiscovery/gozero v0.1.1-0.20251027191944-a4ea43320b81 h1:yHh46pJovYbyiaHCV7oIDinFmy+Fyq36H1BowJgb0M0=
-github.com/projectdiscovery/gozero v0.1.1-0.20251027191944-a4ea43320b81/go.mod h1:9lmGPBDGZVANzCGjQg+V32n8Y3Cgjo/4kT0E88lsVTI=
-github.com/projectdiscovery/hmap v0.0.100 h1:DBZ3Req9lWf4P1YC9PRa4eiMvLY0Uxud43NRBcocPfs=
-github.com/projectdiscovery/hmap v0.0.100/go.mod h1:2O06pR8pHOP9wSmxAoxuM45U7E+UqOqOdlSIeddM0bA=
+github.com/projectdiscovery/govaluate v0.0.0-20260504230327-80320480bb6e h1:o+ulEIaC2+9V2Ezr6mI5xEhKWsf0V/+FUQIS723Aj6U=
+github.com/projectdiscovery/govaluate v0.0.0-20260504230327-80320480bb6e/go.mod h1:xH7bPwHxUlz1yx9UlVeTF+UVCUaKhTnZgaxHb5z362E=
+github.com/projectdiscovery/gozero v0.1.1-0.20260530071156-fa1dad563d76 h1:AN70bbi6BBs7KpIM9w0LxygUN7uzT/oH+owDIQ+Fz/k=
+github.com/projectdiscovery/gozero v0.1.1-0.20260530071156-fa1dad563d76/go.mod h1:cWHYnRXoYWHtTpOYyAp5laGYX8GH8ITUhgQaP8G/8FA=
+github.com/projectdiscovery/hmap v0.0.101 h1:zXM6YtLmsn8Q0CUUw8QavhqWmiQYwaw+/U679Rr00pc=
+github.com/projectdiscovery/hmap v0.0.101/go.mod h1:w6N9/a5H8kvyx53AhtPDUWe5Qq3D6NBDPA23glHpa/Q=
 github.com/projectdiscovery/httpx v1.9.0 h1:5yn4ik/LqZ+v3MLgU7+CZJQyND9osW9NmZ3squylxsc=
 github.com/projectdiscovery/httpx v1.9.0/go.mod h1:jGTRyUHddo2WyK4klWIwQXgGF1Lu39XVyzlue4H3pX8=
 github.com/projectdiscovery/interactsh v1.3.1 h1:5HzeVGVCAX/cjTguJ+7ClOmML5r97Ty7op9s+/F7BiM=
@@ -885,34 +895,34 @@ github.com/projectdiscovery/mapcidr v1.1.97 h1:7FkxNNVXp+m1rIu5Nv/2SrF9k4+LwP8Qu
 github.com/projectdiscovery/mapcidr v1.1.97/go.mod h1:9dgTJh1SP02gYZdpzMjm6vtYFkEHQHoTyaVNvaeJ7lA=
 github.com/projectdiscovery/n3iwf v0.0.0-20230523120440-b8cd232ff1f5 h1:L/e8z8yw1pfT6bg35NiN7yd1XKtJap5Nk6lMwQ0RNi8=
 github.com/projectdiscovery/n3iwf v0.0.0-20230523120440-b8cd232ff1f5/go.mod h1:pGW2ncnTxTxHtP9wzcIJAB+3/NMp6IiuQWd2NK7K+oc=
-github.com/projectdiscovery/networkpolicy v0.1.36 h1:88EAYvEplBmn4vlGKenZJtzsGkEWALX3QzPiY930GtA=
-github.com/projectdiscovery/networkpolicy v0.1.36/go.mod h1:lrm+DXxtH0cGpM4OKhILC+9ktnzrXVYcM0S2Jk+gQcc=
-github.com/projectdiscovery/nuclei/v3 v3.8.0 h1:UfIDjoHBsvACtvO4x8XIp6COffH+0G4sqco1qrijZqw=
-github.com/projectdiscovery/nuclei/v3 v3.8.0/go.mod h1:xBCCFK5nMafAuf3sWyOojzL9pKN91tj4Uwj2TK7HhOM=
-github.com/projectdiscovery/ratelimit v0.0.85 h1:TrqYis/+6Djac20n3kgFXQbN/xj7ywObJpH3xDOd+40=
-github.com/projectdiscovery/ratelimit v0.0.85/go.mod h1:enLZ8XGL02WPBhuoHAhgvMgOpuU9ALhFpFgCps5lxmM=
+github.com/projectdiscovery/networkpolicy v0.1.40 h1:kYin4u1/dgb0nuz5fE1bz4Q0Zh66mOKIdkSHJ00bjGY=
+github.com/projectdiscovery/networkpolicy v0.1.40/go.mod h1:9ULLaMbdv9UnT0C5rmuK4nIwYs0o776xMnkPUb8TtaE=
+github.com/projectdiscovery/nuclei/v3 v3.9.0 h1:kNHrWZH7mM8Ntf5qacYgHNCEGzmPtywcU0feKm2YnhU=
+github.com/projectdiscovery/nuclei/v3 v3.9.0/go.mod h1:6gkhTSiX+7ay5NTHM62+WUUCg7toWwHaWady+3tblbY=
+github.com/projectdiscovery/ratelimit v0.0.88 h1:AcurW9aLRzlEyPe9kSjnOpr3XzLMWTpiWAlW/w73ALU=
+github.com/projectdiscovery/ratelimit v0.0.88/go.mod h1:CU1s+68UUG2mctSl2wi32/DHLJA6TMg+4rxgP59LfVk=
 github.com/projectdiscovery/rawhttp v0.1.90 h1:LOSZ6PUH08tnKmWsIwvwv1Z/4zkiYKYOSZ6n+8RFKtw=
 github.com/projectdiscovery/rawhttp v0.1.90/go.mod h1:VZYAM25UI/wVB3URZ95ZaftgOnsbphxyAw/XnQRRz4Y=
 github.com/projectdiscovery/rdap v0.9.1-0.20221108103045-9865884d1917 h1:m03X4gBVSorSzvmm0bFa7gDV4QNSOWPL/fgZ4kTXBxk=
 github.com/projectdiscovery/rdap v0.9.1-0.20221108103045-9865884d1917/go.mod h1:JxXtZC9e195awe7EynrcnBJmFoad/BNDzW9mzFkK8Sg=
-github.com/projectdiscovery/retryabledns v1.0.114 h1:COyNKzhA7oa3C/1639WRXeXsKrUJx06paVbN64IHZ3E=
-github.com/projectdiscovery/retryabledns v1.0.114/go.mod h1:+DyanDr8naxQ2dRO9c4Ezo3NHHXhz8L0tTSRYWhiwyA=
-github.com/projectdiscovery/retryablehttp-go v1.3.8 h1:TA075ioaVyaM65R3dSzKSbOCiJSvFrlGScxzScu4ik8=
-github.com/projectdiscovery/retryablehttp-go v1.3.8/go.mod h1:/vas835LvB4aqK9vCPGSgKF7Q7hY/BRcIJ/TgM2sPAY=
-github.com/projectdiscovery/sarif v0.0.1 h1:C2Tyj0SGOKbCLgHrx83vaE6YkzXEVrMXYRGLkKCr/us=
-github.com/projectdiscovery/sarif v0.0.1/go.mod h1:cEYlDu8amcPf6b9dSakcz2nNnJsoz4aR6peERwV+wuQ=
+github.com/projectdiscovery/retryabledns v1.0.115 h1:RKV63FNIznFHUoawg/1hs53pVH3wqPtFhwstCuxVSoA=
+github.com/projectdiscovery/retryabledns v1.0.115/go.mod h1:+fEMWoPigw+M0lGNKY7AZ+g8FIgj+4sONjsinMmeL3k=
+github.com/projectdiscovery/retryablehttp-go v1.3.14 h1:vCBLwK8iIuua3i97jEac5/+TWkYTLhTkGblHu9ETPVc=
+github.com/projectdiscovery/retryablehttp-go v1.3.14/go.mod h1:reVhQ+DzMAPYEQHdawCQ6h0tX3CpFyMH4XjcAyq9+U8=
+github.com/projectdiscovery/sarif v0.1.0 h1:O541T+a448nSJsmIMnXXSOeDQEzpnCAYvRfe0eG5h74=
+github.com/projectdiscovery/sarif v0.1.0/go.mod h1:LBC+reM3bkI3qIIhE0rZaINaYX6VG+En6u2hHa5mA7E=
 github.com/projectdiscovery/stringsutil v0.0.2 h1:uzmw3IVLJSMW1kEg8eCStG/cGbYYZAja8BH3LqqJXMA=
 github.com/projectdiscovery/stringsutil v0.0.2/go.mod h1:EJ3w6bC5fBYjVou6ryzodQq37D5c6qbAYQpGmAy+DC0=
 github.com/projectdiscovery/tlsx v1.2.2 h1:Y96QBqeD2anpzEtBl4kqNbwzXh2TrzJuXfgiBLvK+SE=
 github.com/projectdiscovery/tlsx v1.2.2/go.mod h1:ZJl9F1sSl0sdwE+lR0yuNHVX4Zx6tCSTqnNxnHCFZB4=
-github.com/projectdiscovery/uncover v1.2.0 h1:31tjYa0v8FB8Ch8hJTxb+2t63vsljdOo0OSFylJcX4M=
-github.com/projectdiscovery/uncover v1.2.0/go.mod h1:ozqKb++p39Kmh1SmwIpbQ9p0aVGPXuwsb4/X2Kvx6ms=
-github.com/projectdiscovery/useragent v0.0.107 h1:45gSBda052fv2Gtxtnpx7cu2rWtUpZEQRGAoYGP6F5M=
-github.com/projectdiscovery/useragent v0.0.107/go.mod h1:yv5ZZLDT/kq6P+NvBcCPq6sjEVQtZGgO+OvvHzZ+WtY=
-github.com/projectdiscovery/utils v0.10.1 h1:9luYfL7PpN1L/cLO4bAES4+ltDaEBKOUnRiTn920XfM=
-github.com/projectdiscovery/utils v0.10.1/go.mod h1:x3jGS2YIxnUYxlpB9HWBKf0k+AE83nYCGRX/YStC8G8=
-github.com/projectdiscovery/wappalyzergo v0.2.76 h1:6zQt6Jmi/hIwD8InWswkk1yhJGWaVEAEzshTGiTGbeM=
-github.com/projectdiscovery/wappalyzergo v0.2.76/go.mod h1:hRsnKNleH693FFJsBOD5NMUDbxw/Q94f0Oq2OV04Q6M=
+github.com/projectdiscovery/uncover v1.2.1 h1:8U46T/96CLT7BPoXBgkTvWqB06lOyeTSLvh5+UjzATE=
+github.com/projectdiscovery/uncover v1.2.1/go.mod h1:0p8onrWxfpXQEYs90ZDzTSpu1107gWmodX1NWqu/+z4=
+github.com/projectdiscovery/useragent v0.0.108 h1:fb+uLuFJvC+MHZjCtxQJxtvp1X6A8n98CUGPyFcg3NE=
+github.com/projectdiscovery/useragent v0.0.108/go.mod h1:XdNRrlvtDmYfVL1Oybat4uMe+W6cLwsK9S18ond17CI=
+github.com/projectdiscovery/utils v0.11.1 h1:PWj1KjIASxt8icxommH72C0TQqNOvGkcSODRkiq0SQw=
+github.com/projectdiscovery/utils v0.11.1/go.mod h1:yktGrHGk2CTjNiccXovnvGrLHX9sV2bqz9nSnbA3V8M=
+github.com/projectdiscovery/wappalyzergo v0.2.84 h1:19c+ea8KZCnZIuZPztafFKK2uczDXxcZ/z6/l6DEEEs=
+github.com/projectdiscovery/wappalyzergo v0.2.84/go.mod h1:gMH0o5lBp65sKMwHx/tuUdOtW2RjodC6Ti+9QDsYMkY=
 github.com/projectdiscovery/yamldoc-go v1.0.6 h1:GCEdIRlQjDux28xTXKszM7n3jlMf152d5nqVpVoetas=
 github.com/projectdiscovery/yamldoc-go v1.0.6/go.mod h1:R5lWrNzP+7Oyn77NDVPnBsxx2/FyQZBBkIAaSaCQFxw=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -956,6 +966,8 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
 github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca/go.mod h1:uugorj2VCxiV1x+LzaIdVa9b4S4qGAcH6cbhh4qVxOU=
 github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d h1:hrujxIzL1woJ7AwssoOcM/tq5JjjG2yYOc8odClEiXA=
@@ -980,8 +992,9 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
+github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
@@ -996,8 +1009,10 @@ github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0b
 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
 github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
-github.com/spf13/cast v1.9.2 h1:SsGfm7M8QOFtEzumm7UZrZdLLquNdzFYfIbEXntcFbE=
-github.com/spf13/cast v1.9.2/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
@@ -1061,8 +1076,9 @@ github.com/trivago/tgo v1.0.7 h1:uaWH/XIy9aWYWpjm2CU3RpcqZXmX2ysQ9/Go+d9gyrM=
 github.com/trivago/tgo v1.0.7/go.mod h1:w4dpD+3tzNIIiIfkWWa85w5/B77tlvdZckQ+6PkFnhc=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/twmb/murmur3 v1.1.6 h1:mqrRot1BRxm+Yct+vavLMou2/iJt0tNVTTC0QoIjaZg=
 github.com/twmb/murmur3 v1.1.6/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ=
+github.com/twmb/murmur3 v1.1.8 h1:8Yt9taO/WN3l08xErzjeschgZU2QSrwm1kclYq+0aRg=
+github.com/twmb/murmur3 v1.1.8/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ=
 github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
 github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
@@ -1133,7 +1149,6 @@ github.com/ysmood/leakless v0.9.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.7.13 h1:GPddIs617DnBLFFVJFgpo1aBfe/4xcvMc3SB5t/D0pA=
 github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
@@ -1163,8 +1178,8 @@ github.com/zmap/zflags v1.4.0-beta.1.0.20200204220219-9d95409821b6/go.mod h1:HXD
 github.com/zmap/zgrab2 v0.1.8 h1:PFnXrIBcGjYFec1JNbxMKQuSXXzS+SbqE89luuF4ORY=
 github.com/zmap/zgrab2 v0.1.8/go.mod h1:5d8HSmUwvllx4q1qG50v/KXphkg45ZzWdaQtgTFnegE=
 github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
-gitlab.com/gitlab-org/api/client-go v0.130.1 h1:1xF5C5Zq3sFeNg3PzS2z63oqrxifne3n/OnbI7nptRc=
-gitlab.com/gitlab-org/api/client-go v0.130.1/go.mod h1:ZhSxLAWadqP6J9lMh40IAZOlOxBLPRh7yFOXR/bMJWM=
+gitlab.com/gitlab-org/api/client-go v1.9.1 h1:tZm+URa36sVy8UCEHQyGGJ8COngV4YqMHpM6k9O5tK8=
+gitlab.com/gitlab-org/api/client-go v1.9.1/go.mod h1:71yTJk1lnHCWcZLvM5kPAXzeJ2fn5GjaoV8gTOPd4ME=
 go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
 go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
 go.mongodb.org/mongo-driver v1.17.9 h1:IexDdCuuNJ3BHrELgBlyaH9p60JXAvdzWR128q+U5tU=
@@ -1176,24 +1191,18 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
-go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
-go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
-go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
-go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
-go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
-go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
-go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
-go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE=
-go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -1234,8 +1243,9 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto=
+golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1246,8 +1256,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
-golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
+golang.org/x/exp v0.0.0-20260527015227-08cc5374adb3 h1:VHEvKbpgPXcPXn40t9cDTGK3JZwMikIEyF/CTrFfu7k=
+golang.org/x/exp v0.0.0-20260527015227-08cc5374adb3/go.mod h1:d2fgXJLVs4dYDHUk5lwMIfzRzSrWCfGZb0ZqeLa/Vcw=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1273,8 +1283,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1310,7 +1320,6 @@ golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -1331,8 +1340,9 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o=
+golang.org/x/net v0.56.0/go.mod h1:D3Ku6r+V6JROoZK144D2XfMHFcMq/0zSfLelVTCFKec=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1352,7 +1362,6 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1361,8 +1370,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
+golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1417,6 +1426,7 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1429,8 +1439,9 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
+golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1446,8 +1457,9 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
+golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1466,14 +1478,14 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
+golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -1513,17 +1525,15 @@ golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1550,8 +1560,9 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
+google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -1581,11 +1592,6 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20250122153221-138b5a5a4fd4 h1:Pw6WnI9W/LIdRxqK7T6XGugGbHIRl5Q7q3BssH6xk4s=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1598,8 +1604,6 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
-google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1616,8 +1620,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1658,6 +1662,10 @@ mellium.im/sasl v0.3.2 h1:PT6Xp7ccn9XaXAnJ03FcEjmAn7kK1x7aoXV6F+Vmrl0=
 mellium.im/sasl v0.3.2/go.mod h1:NKXDi1zkr+BlMHLQjY3ofYuU4KSPFxknb8mfEu6SveY=
 moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
 moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+software.sslmate.com/src/go-pkcs12 v0.7.0 h1:Db8W44cB54TWD7stUFFSWxdfpdn6fZVcDl0w3R4RVM0=
+software.sslmate.com/src/go-pkcs12 v0.7.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
@@ -13,6 +13,7 @@
 package config

 import (
+	"os"
 	"time"

 	"github.com/charmbracelet/log"
@@ -21,7 +22,16 @@ import (

 type Settings struct {
 	Dirlist           string
+	DirMatchCodes     string // -mc dirlist: status codes to keep
+	DirFilterCodes    string // -fc dirlist: status codes to drop
+	DirFilterSizes    string // -fs dirlist: body sizes to drop
+	DirFilterWords    string // -fw dirlist: word counts to drop
+	DirFilterRegex    string // -fr dirlist: regex; body match drops response
+	DirCalibrate      bool   // -ac dirlist: auto-calibrate soft-404 baseline
+	DirWordlist       string // -w  dirlist: custom wordlist (file path or url)
+	DirExtensions     string // -e  dirlist: extensions appended to each word
 	Dnslist           string
+	Resolvers         string // -resolvers dnslist: comma list overriding the bundled pool
 	Debug             bool
 	LogDir            string
 	NoScan            bool
@@ -46,13 +56,48 @@ type Settings struct {
 	SecurityTrails    bool
 	SQL               bool
 	LFI               bool
+	JWT               bool
+	OpenAPI           bool
+	Favicon           bool
+	CORS              bool
+	Redirect          bool
+	XSS               bool
 	Framework         bool
+	Crawl             bool
+	CrawlDepth        int
+	Passive           bool
+	Probe             bool
+	SARIF             string // path to write a sarif 2.1.0 report to ("" = off)
+	Markdown          string // path to write a markdown report to ("" = off)
+	Silent            bool   // route chrome to stderr, print one finding per line to stdout
+	Diff              bool   // surface only findings added/removed vs the last snapshot
+	Store             string // snapshot dir for diff mode ("" = default state dir)
 	Modules           string // Comma-separated list of module IDs to run
 	ModuleTags        string // Run modules matching these tags
 	AllModules        bool   // Run all loaded modules
 	ListModules       bool   // List available modules and exit
+	Proxy             string
+	Header            goflags.StringSlice // custom request headers ("Key: Value")
+	Cookie            string
+	RateLimit         int
+	Notify            bool   // -notify: ship findings to configured providers
+	NotifySeverity    string // -notify-severity: minimum severity to send (info..critical)
+	NotifyConfig      string // -notify-config: path to a notify-compatible yaml file
 }

+// minThreads is the floor for the worker count. Threads feeds wg.Add across the
+// scanners, so 0 silently runs nothing and a negative value panics with
+// "negative WaitGroup counter"; clamp the parsed value up to this.
+const minThreads = 1
+
+// defaultCrawlDepth bounds how far the spider recurses by default; deep enough
+// to find linked pages without crawling an entire site.
+const defaultCrawlDepth = 2
+
+// defaultNotifySeverity is the floor notify sends at when -notify-severity is
+// unset: medium drops pure recon/info noise so alerts stay actionable.
+const defaultNotifySeverity = "medium"
+
 const (
 	Nil goflags.EnumVariable = iota

@@ -66,9 +111,9 @@ const (
 	Full
 )

-func Parse() *Settings {
-	settings := &Settings{}
-
+// registerFlags builds the flag set for the given settings without parsing it,
+// so callers (Parse and tests) can inspect the registered flags.
+func registerFlags(settings *Settings) *goflags.FlagSet {
 	flagSet := goflags.NewFlagSet()
 	flagSet.SetDescription("a blazing-fast pentesting (recon/exploitation) suite")

@@ -81,7 +126,16 @@ func Parse() *Settings {
 	portScopes := goflags.AllowdTypes{"common": Common, "full": Full, "none": Nil}
 	flagSet.CreateGroup("scans", "Scans",
 		flagSet.EnumVar(&settings.Dirlist, "dirlist", Nil, "Directory fuzzing scan size (small/medium/large)", listSizes),
+		flagSet.StringVar(&settings.DirMatchCodes, "mc", "", "Dirlist: match these status codes (comma list, e.g. 200,301)"),
+		flagSet.StringVar(&settings.DirFilterCodes, "fc", "", "Dirlist: filter out these status codes (comma list)"),
+		flagSet.StringVar(&settings.DirFilterSizes, "fs", "", "Dirlist: filter out responses of these body sizes (comma list)"),
+		flagSet.StringVar(&settings.DirFilterWords, "fw", "", "Dirlist: filter out responses with these word counts (comma list)"),
+		flagSet.StringVar(&settings.DirFilterRegex, "fr", "", "Dirlist: filter out responses whose body matches this regex"),
+		flagSet.BoolVar(&settings.DirCalibrate, "ac", false, "Dirlist: auto-calibrate the soft-404 wildcard baseline"),
+		flagSet.StringVar(&settings.DirWordlist, "w", "", "Dirlist: custom wordlist (local file path or url; overrides -dirlist size)"),
+		flagSet.StringVar(&settings.DirExtensions, "e", "", "Dirlist: extensions appended to each word (comma list, e.g. php,bak,env)"),
 		flagSet.EnumVar(&settings.Dnslist, "dnslist", Nil, "DNS fuzzing scan size (small/medium/large)", listSizes),
+		flagSet.StringVar(&settings.Resolvers, "resolvers", "", "Dnslist: DNS resolvers to use (comma list, e.g. 1.1.1.1,8.8.8.8; overrides the bundled pool)"),
 		flagSet.EnumVar(&settings.Ports, "ports", Nil, "Port scanning scope (common/full)", portScopes),
 		flagSet.BoolVar(&settings.Dorking, "dork", false, "Enable Google dorking"),
 		flagSet.BoolVar(&settings.Git, "git", false, "Enable git repository scanning"),
@@ -98,7 +152,17 @@ func Parse() *Settings {
 		flagSet.BoolVar(&settings.SecurityTrails, "securitytrails", false, "Enable SecurityTrails domain discovery (requires SECURITYTRAILS_API_KEY env var)"),
 		flagSet.BoolVar(&settings.SQL, "sql", false, "Enable SQL reconnaissance (admin panels, error disclosure)"),
 		flagSet.BoolVar(&settings.LFI, "lfi", false, "Enable LFI (Local File Inclusion) reconnaissance"),
+		flagSet.BoolVar(&settings.JWT, "jwt", false, "Enable JWT discovery + offline weakness analysis"),
+		flagSet.BoolVar(&settings.OpenAPI, "openapi", false, "Enable OpenAPI/Swagger spec exposure probe"),
+		flagSet.BoolVar(&settings.Favicon, "favicon", false, "Enable favicon hash fingerprinting (shodan-style)"),
+		flagSet.BoolVar(&settings.CORS, "cors", false, "Enable CORS misconfiguration probe"),
+		flagSet.BoolVar(&settings.Redirect, "redirect", false, "Enable open redirect probe"),
+		flagSet.BoolVar(&settings.XSS, "xss", false, "Enable reflected XSS probe"),
 		flagSet.BoolVar(&settings.Framework, "framework", false, "Enable framework detection"),
+		flagSet.BoolVar(&settings.Crawl, "crawl", false, "Enable web crawling (spider same-host links/scripts/forms)"),
+		flagSet.IntVar(&settings.CrawlDepth, "crawl-depth", defaultCrawlDepth, "Max crawl recursion depth"),
+		flagSet.BoolVar(&settings.Passive, "passive", false, "Enable passive subdomain/url discovery (zero traffic to target)"),
+		flagSet.BoolVar(&settings.Probe, "probe", false, "Probe the target for liveness (status, title, server, redirect chain)"),
 	)

 	flagSet.CreateGroup("runtime", "Runtime",
@@ -106,11 +170,32 @@ func Parse() *Settings {
 		flagSet.DurationVarP(&settings.Timeout, "timeout", "t", 10*time.Second, "HTTP request timeout"),
 		flagSet.StringVarP(&settings.LogDir, "log", "l", "", "Directory to store logs in"),
 		flagSet.IntVar(&settings.Threads, "threads", 10, "Number of threads to run scans on"),
-		flagSet.StringVar(&settings.Template, "template", "", "Sif runtime template to use"),
+		flagSet.StringVar(&settings.Template, "template", "", "Load scan settings from a template (preset minimal/recon/full, or a local yaml file)"),
+	)
+
+	flagSet.CreateGroup("http", "HTTP",
+		flagSet.StringVar(&settings.Proxy, "proxy", "", "Proxy for all requests (http/https/socks5 url)"),
+		flagSet.StringSliceVarP(&settings.Header, "header", "H", nil, "Custom header to send (repeatable or comma-separated, \"Key: Value\")", goflags.CommaSeparatedStringSliceOptions),
+		flagSet.StringVar(&settings.Cookie, "cookie", "", "Cookie header to send with every request"),
+		flagSet.IntVar(&settings.RateLimit, "rate-limit", 0, "Max requests per second (0 = unlimited)"),
+	)
+
+	flagSet.CreateGroup("output", "Output",
+		flagSet.StringVar(&settings.SARIF, "sarif", "", "Write a SARIF 2.1.0 report to this file"),
+		flagSet.StringVarP(&settings.Markdown, "markdown", "md", "", "Write a markdown report to this file"),
+		flagSet.BoolVar(&settings.Silent, "silent", false, "Plain output: chrome to stderr, one finding per line to stdout (for pipelines)"),
+		flagSet.BoolVar(&settings.Diff, "diff", false, "Diff mode: surface only findings added/removed since the last snapshot of each target"),
+		flagSet.StringVar(&settings.Store, "store", "", "Snapshot directory for -diff (default: log dir, else <user-config>/sif/state)"),
+	)
+
+	flagSet.CreateGroup("notify", "Notify",
+		flagSet.BoolVar(&settings.Notify, "notify", false, "Ship findings to configured providers (slack/discord/telegram/webhook)"),
+		flagSet.StringVar(&settings.NotifySeverity, "notify-severity", defaultNotifySeverity, "Minimum severity to notify on (info/low/medium/high/critical)"),
+		flagSet.StringVar(&settings.NotifyConfig, "notify-config", "", "Path to a notify-compatible yaml config (overrides env vars)"),
 	)

 	flagSet.CreateGroup("api", "API",
-		flagSet.BoolVar(&settings.ApiMode, "api", false, "Enable API mode. Only useful for internal lunchcat usage"),
+		flagSet.BoolVar(&settings.ApiMode, "api", false, "Enable API mode. Only useful for internal usage"),
 	)

 	flagSet.CreateGroup("modules", "Modules",
@@ -120,8 +205,38 @@ func Parse() *Settings {
 		flagSet.BoolVarP(&settings.ListModules, "list-modules", "lm", false, "List available modules and exit"),
 	)

-	if err := flagSet.Parse(); err != nil {
-		log.Fatalf("Could not parse flags: %s", err)
+	return flagSet
+}
+
+func Parse() *Settings {
+	settings := &Settings{}
+	flagSet := registerFlags(settings)
+
+	// -template presets a batch of scans from a yaml file or named preset; point
+	// goflags at it before Parse so it merges as config (cli flags still win) and
+	// replaces the ambient config for this run.
+	templatePath, cleanup, err := templateConfigPath(os.Args[1:])
+	if err != nil {
+		log.Fatalf("Could not load template: %s", err)
+	}
+	if templatePath != "" {
+		flagSet.SetConfigFilePath(templatePath)
+	}
+
+	// Parse merges the template config synchronously, so a temp preset file can
+	// be removed right after, before any fatal exit (no leaking defer).
+	parseErr := flagSet.Parse()
+	if cleanup != nil {
+		cleanup()
+	}
+	if parseErr != nil {
+		log.Fatalf("Could not parse flags: %s", parseErr)
+	}
+
+	// threads feeds wg.Add directly; floor it so 0 isn't a silent no-op and a
+	// negative value can't panic the waitgroup.
+	if settings.Threads < minThreads {
+		settings.Threads = minThreads
 	}

 	return settings
@@ -61,6 +61,14 @@ func TestSettingsDefaults(t *testing.T) {
 	if settings.Ports != "" {
 		t.Errorf("expected Ports default to be empty, got %v", settings.Ports)
 	}
+
+	// diff mode is opt-in and its store dir defaults empty (resolved at runtime).
+	if settings.Diff != false {
+		t.Errorf("expected Diff default to be false, got %v", settings.Diff)
+	}
+	if settings.Store != "" {
+		t.Errorf("expected Store default to be empty, got %v", settings.Store)
+	}
 }

 func TestSettingsNoScanBehavior(t *testing.T) {
@@ -0,0 +1,116 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package config
+
+import (
+	"embed"
+	"fmt"
+	"os"
+	"strings"
+)
+
+//go:embed templates/*.yaml
+var embeddedTemplates embed.FS
+
+// presetNames are the templates shipped in the binary, listed in help and
+// error text. each presets a batch of scans without listing every flag.
+var presetNames = []string{"minimal", "recon", "full"}
+
+// templateConfigPath resolves the -template value into a config file path for
+// goflags to merge, plus a cleanup to run after Parse (embedded presets are
+// written to a temp file). it returns "" when -template is unset.
+func templateConfigPath(args []string) (string, func(), error) {
+	value := templateFlagValue(args)
+	if value == "" {
+		return "", nil, nil
+	}
+	return resolveTemplate(value)
+}
+
+// templateFlagValue pulls the -template value out of raw args; the config path
+// has to be known before Parse, so it cannot come from the parsed flag itself.
+func templateFlagValue(args []string) string {
+	for i, arg := range args {
+		if arg == "-template" || arg == "--template" {
+			if i+1 < len(args) {
+				return args[i+1]
+			}
+			return ""
+		}
+		if v, ok := strings.CutPrefix(arg, "-template="); ok {
+			return v
+		}
+		if v, ok := strings.CutPrefix(arg, "--template="); ok {
+			return v
+		}
+	}
+	return ""
+}
+
+// resolveTemplate turns the -template value into a config file path. an existing
+// local file wins; a named preset is materialized from the embedded set; a
+// path-shaped miss or an unknown name is a hard error.
+func resolveTemplate(value string) (string, func(), error) {
+	info, err := os.Stat(value) //nolint:gosec // G304: user-supplied local template path, by design (same as the -f/-w wordlist paths)
+	switch {
+	case err == nil && info.IsDir():
+		return "", nil, fmt.Errorf("template path %q is a directory", value)
+	case err == nil:
+		return value, nil, nil
+	}
+	if data, ok := embeddedPreset(value); ok {
+		return materializePreset(data)
+	}
+	if looksLikePath(value) {
+		return "", nil, fmt.Errorf("template file %q not found", value)
+	}
+	return "", nil, fmt.Errorf("unknown template %q; use a local yaml file or one of: %s",
+		value, strings.Join(presetNames, ", "))
+}
+
+// embeddedPreset returns the bytes of a named preset shipped in the binary.
+func embeddedPreset(name string) ([]byte, bool) {
+	data, err := embeddedTemplates.ReadFile("templates/" + name + ".yaml")
+	if err != nil {
+		return nil, false
+	}
+	return data, true
+}
+
+// materializePreset writes preset bytes to a temp file so goflags, which merges
+// a config by path, can read it; the cleanup removes the file after Parse.
+func materializePreset(data []byte) (string, func(), error) {
+	file, err := os.CreateTemp("", "sif-template-*.yaml")
+	if err != nil {
+		return "", nil, err
+	}
+	cleanup := func() { _ = os.Remove(file.Name()) }
+	if _, err := file.Write(data); err != nil {
+		cleanup()
+		return "", nil, err
+	}
+	if err := file.Close(); err != nil {
+		cleanup()
+		return "", nil, err
+	}
+	return file.Name(), cleanup, nil
+}
+
+// looksLikePath reports whether the value addresses a file rather than a named
+// preset: a path separator or a yaml suffix marks a file.
+func looksLikePath(value string) bool {
+	if strings.ContainsAny(value, `/\`) {
+		return true
+	}
+	return strings.HasSuffix(value, ".yaml") || strings.HasSuffix(value, ".yml")
+}
@@ -0,0 +1,211 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package config
+
+import (
+	"flag"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/projectdiscovery/goflags"
+	"gopkg.in/yaml.v3"
+)
+
+// writeTemplate drops a yaml template in a temp dir and returns its path.
+func writeTemplate(t *testing.T, body string) string {
+	t.Helper()
+	path := filepath.Join(t.TempDir(), "tmpl.yaml")
+	if err := os.WriteFile(path, []byte(body), 0o600); err != nil {
+		t.Fatalf("write template: %s", err)
+	}
+	return path
+}
+
+// loadPreset registers the real flags, merges the named embedded preset, and
+// returns the resulting settings (no cli scan flags set).
+func loadPreset(t *testing.T, name string) *Settings {
+	t.Helper()
+	goflags.DisableAutoConfigMigration = true
+	path, cleanup, err := resolveTemplate(name)
+	if err != nil {
+		t.Fatalf("resolve %s: %s", name, err)
+	}
+	if cleanup != nil {
+		defer cleanup()
+	}
+	settings := &Settings{}
+	flagSet := registerFlags(settings)
+	flagSet.SetConfigFilePath(path)
+	if err := flagSet.Parse("-silent"); err != nil {
+		t.Fatalf("parse %s: %s", name, err)
+	}
+	return settings
+}
+
+// every key in an embedded preset must be a real flag long-name. goflags drops
+// unknown config keys silently, so a typo would otherwise ship as a dead no-op.
+func TestPresetKeysAreRegisteredFlags(t *testing.T) {
+	valid := map[string]bool{}
+	registerFlags(&Settings{}).CommandLine.VisitAll(func(f *flag.Flag) {
+		valid[f.Name] = true
+	})
+
+	for _, name := range presetNames {
+		data, ok := embeddedPreset(name)
+		if !ok {
+			t.Errorf("preset %q is not embedded", name)
+			continue
+		}
+		var keys map[string]any
+		if err := yaml.Unmarshal(data, &keys); err != nil {
+			t.Errorf("preset %q is not valid yaml: %s", name, err)
+			continue
+		}
+		for key := range keys {
+			if !valid[key] {
+				t.Errorf("preset %q references unknown flag %q", name, key)
+			}
+		}
+	}
+}
+
+func TestPresetMinimal(t *testing.T) {
+	s := loadPreset(t, "minimal")
+	if !s.Probe || !s.Headers || !s.Favicon {
+		t.Errorf("minimal should enable probe/headers/favicon, got probe=%v headers=%v favicon=%v",
+			s.Probe, s.Headers, s.Favicon)
+	}
+	if s.XSS || s.SQL || s.Nuclei {
+		t.Error("minimal should not enable heavy or intrusive scans")
+	}
+}
+
+func TestPresetReconIsNonIntrusive(t *testing.T) {
+	s := loadPreset(t, "recon")
+	if !s.Passive || !s.Whois || !s.CMS || !s.Probe {
+		t.Errorf("recon should enable passive/whois/cms/probe, got %v/%v/%v/%v",
+			s.Passive, s.Whois, s.CMS, s.Probe)
+	}
+	if s.XSS || s.SQL || s.LFI || s.Redirect {
+		t.Errorf("recon must not enable payload-injecting scans: xss=%v sql=%v lfi=%v redirect=%v",
+			s.XSS, s.SQL, s.LFI, s.Redirect)
+	}
+}
+
+func TestPresetFull(t *testing.T) {
+	s := loadPreset(t, "full")
+	if !s.XSS || !s.SQL || !s.LFI || !s.Redirect {
+		t.Error("full should enable the intrusive scans")
+	}
+	if s.Dirlist != "large" || s.Ports != "full" {
+		t.Errorf("full should set dirlist=large ports=full, got dirlist=%q ports=%q",
+			s.Dirlist, s.Ports)
+	}
+}
+
+// the template merges as the goflags config: it fills flags left at their
+// default, an explicit cli flag still wins, and an untouched flag stays put.
+func TestTemplateConfigPrecedence(t *testing.T) {
+	goflags.DisableAutoConfigMigration = true
+	tmpl := writeTemplate(t, "cms: true\nthreads: 99\n")
+
+	var cms, sql bool
+	var threads int
+	flagSet := goflags.NewFlagSet()
+	flagSet.BoolVar(&cms, "cms", false, "")
+	flagSet.BoolVar(&sql, "sql", false, "")
+	flagSet.IntVar(&threads, "threads", 10, "")
+
+	flagSet.SetConfigFilePath(tmpl)
+	if err := flagSet.Parse("-threads", "5"); err != nil {
+		t.Fatalf("parse: %s", err)
+	}
+
+	if !cms {
+		t.Error("expected template to set cms=true")
+	}
+	if threads != 5 {
+		t.Errorf("expected cli threads 5 to win over template, got %d", threads)
+	}
+	if sql {
+		t.Error("expected sql left untouched to stay false")
+	}
+}
+
+func TestTemplateFlagValue(t *testing.T) {
+	cases := []struct {
+		name string
+		args []string
+		want string
+	}{
+		{"long with space", []string{"-template", "a.yaml"}, "a.yaml"},
+		{"double dash with space", []string{"--template", "b.yaml"}, "b.yaml"},
+		{"long with equals", []string{"-template=c.yaml"}, "c.yaml"},
+		{"double dash with equals", []string{"--template=d.yaml"}, "d.yaml"},
+		{"absent", []string{"-u", "x"}, ""},
+		{"trailing without value", []string{"-u", "x", "-template"}, ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := templateFlagValue(tc.args); got != tc.want {
+				t.Errorf("expected %q, got %q", tc.want, got)
+			}
+		})
+	}
+}
+
+func TestResolveTemplateExistingFile(t *testing.T) {
+	path := writeTemplate(t, "cms: true\n")
+	got, cleanup, err := resolveTemplate(path)
+	if cleanup != nil {
+		defer cleanup()
+	}
+	if err != nil {
+		t.Fatalf("resolveTemplate: %s", err)
+	}
+	if got != path {
+		t.Errorf("expected %q, got %q", path, got)
+	}
+}
+
+func TestResolveTemplateNamedPreset(t *testing.T) {
+	path, cleanup, err := resolveTemplate("recon")
+	if cleanup != nil {
+		defer cleanup()
+	}
+	if err != nil {
+		t.Fatalf("recon preset should resolve: %s", err)
+	}
+	if path == "" {
+		t.Fatal("expected a materialized preset path")
+	}
+}
+
+func TestResolveTemplateMissingFile(t *testing.T) {
+	if _, _, err := resolveTemplate("./does-not-exist.yaml"); err == nil {
+		t.Fatal("expected an error for a missing template file")
+	}
+}
+
+func TestResolveTemplateDirectory(t *testing.T) {
+	if _, _, err := resolveTemplate(t.TempDir()); err == nil {
+		t.Fatal("expected an error for a directory")
+	}
+}
+
+func TestResolveTemplateUnknownName(t *testing.T) {
+	if _, _, err := resolveTemplate("bogus"); err == nil {
+		t.Fatal("expected an error for an unknown template name")
+	}
+}
@@ -0,0 +1,28 @@
+# full: thorough and active, including intrusive probes that inject payloads
+# (xss, sql, lfi, redirect). api-key scans (shodan, securitytrails) stay opt-in
+# via their own flags.
+passive: true
+whois: true
+dork: true
+favicon: true
+headers: true
+security-headers: true
+cms: true
+framework: true
+probe: true
+git: true
+js: true
+nuclei: true
+openapi: true
+cors: true
+jwt: true
+c3: true
+st: true
+crawl: true
+sql: true
+lfi: true
+xss: true
+redirect: true
+dirlist: large
+dnslist: large
+ports: full
@@ -0,0 +1,4 @@
+# minimal: fast liveness + fingerprint, a handful of benign GETs per target.
+probe: true
+headers: true
+favicon: true
@@ -0,0 +1,11 @@
+# recon: broad non-intrusive discovery (light traffic, no attack payloads).
+passive: true
+whois: true
+dork: true
+favicon: true
+headers: true
+security-headers: true
+cms: true
+framework: true
+probe: true
+dnslist: small
@@ -0,0 +1,270 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+// Package dnsx resolves subdomain candidates against a bundled resolver pool
+// before anything is probed over http, so the slow/inaccurate path of HTTP-ing
+// every wordlist entry through the OS resolver is gone. it also fingerprints
+// wildcard zones (a zone that answers every random label) so a catch-all
+// nameserver can't flood the caller with phantom subdomains.
+package dnsx
+
+import (
+	"crypto/rand"
+	"fmt"
+	"math/big"
+	"sort"
+	"strings"
+
+	retryabledns "github.com/projectdiscovery/retryabledns"
+)
+
+// bundled default resolver pool. anycast cloudflare/google/quad9 - fast, public,
+// and unlikely to rate-limit a recon sweep. -resolvers overrides this set.
+const (
+	resolverCloudflare = "1.1.1.1:53"
+	resolverGoogle     = "8.8.8.8:53"
+	resolverQuad9      = "9.9.9.9:53"
+)
+
+// defaultResolvers is the bundled pool used when the caller passes none.
+var defaultResolvers = []string{resolverCloudflare, resolverGoogle, resolverQuad9}
+
+const (
+	// defaultRetries is how many times retryabledns rotates through the pool on a
+	// timeout before giving up on a name. low enough to stay fast on a big list.
+	defaultRetries = 3
+
+	// wildcardProbes is how many random nonexistent labels we resolve to
+	// fingerprint a wildcard zone. more samples make a rotating catch-all (one
+	// that hands back a different ip per query) harder to miss, but each is a
+	// real lookup so this stays small.
+	wildcardProbes = 3
+
+	// randomLabelLen is the length of each random wildcard-probe label. long
+	// enough that a collision with a real host is astronomically unlikely.
+	randomLabelLen = 16
+)
+
+// randomLabelAlphabet is the lowercase-alnum set wildcard probe labels draw
+// from; a valid dns label so the query isn't rejected before it leaves.
+const randomLabelAlphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
+
+// defaultDNSPort is appended to any resolver entry given without an explicit
+// port, so "1.1.1.1" and "1.1.1.1:53" both work on the cli.
+const defaultDNSPort = "53"
+
+// ParseResolvers splits a comma list of resolvers into a normalized slice,
+// appending the default port to bare ips/hosts. an empty or blank input returns
+// nil so the caller falls back to the bundled pool.
+func ParseResolvers(raw string) []string {
+	if strings.TrimSpace(raw) == "" {
+		return nil
+	}
+	parts := strings.Split(raw, ",")
+	out := make([]string, 0, len(parts))
+	for i := 0; i < len(parts); i++ {
+		entry := strings.TrimSpace(parts[i])
+		if entry == "" {
+			continue
+		}
+		// a bare ip/host gets the default port; an entry already carrying ":port"
+		// (or a bracketed ipv6 literal) is left as-is.
+		if !strings.Contains(entry, ":") {
+			entry += ":" + defaultDNSPort
+		}
+		out = append(out, entry)
+	}
+
+	return out
+}
+
+// resolution is the resolved address set for one host. empty Addrs means the
+// name did not resolve (nxdomain / no records).
+type resolution struct {
+	Addrs []string
+}
+
+// resolved reports whether the name returned any address.
+func (r resolution) resolved() bool {
+	return len(r.Addrs) > 0
+}
+
+// resolverFn is the test seam: every lookup the package makes goes through this
+// var, so a fake can answer without touching the network. real runs point it at
+// a retryabledns-backed client via NewResolver.
+var resolverFn func(host string) (resolution, error)
+
+// Resolver resolves candidates against a pool and filters wildcard answers. it
+// is built once per scan and shared across the worker goroutines; the
+// underlying retryabledns client is safe for concurrent use.
+type Resolver struct {
+	// wildcardSigs holds the address sets a wildcard zone answers random labels
+	// with. nil/empty means the zone is not wildcard. a candidate whose answer is
+	// covered by one of these is a catch-all hit, not a real host.
+	wildcardSigs []map[string]struct{}
+}
+
+// NewResolver wires resolverFn to a retryabledns client over the given pool
+// (bundled default when resolvers is empty) and returns a Resolver. it does not
+// fingerprint anything yet - call FingerprintWildcard with the apex first.
+func NewResolver(resolvers []string) (*Resolver, error) {
+	pool := resolvers
+	if len(pool) == 0 {
+		pool = defaultResolvers
+	}
+
+	client, err := retryabledns.New(pool, defaultRetries)
+	if err != nil {
+		return nil, fmt.Errorf("dnsx: build resolver over %v: %w", pool, err)
+	}
+
+	// only install the real client when a test hasn't already injected a fake;
+	// the seam wins so hermetic tests never reach this client.
+	if resolverFn == nil {
+		resolverFn = func(host string) (resolution, error) {
+			data, err := client.Resolve(host)
+			if err != nil {
+				return resolution{}, fmt.Errorf("dnsx: resolve %q: %w", host, err)
+			}
+			return resolution{Addrs: mergeAddrs(data)}, nil
+		}
+	}
+
+	return &Resolver{}, nil
+}
+
+// FingerprintWildcard resolves wildcardProbes random labels under apex. any that
+// answer mean the zone is a catch-all, so their address sets are recorded as
+// signatures to filter real candidates against later. a clean zone leaves the
+// signature list empty and nothing gets filtered.
+func (r *Resolver) FingerprintWildcard(apex string) error {
+	apex = strings.TrimSuffix(apex, ".")
+	for i := 0; i < wildcardProbes; i++ {
+		label, err := randomLabel(randomLabelLen)
+		if err != nil {
+			return fmt.Errorf("dnsx: wildcard probe label: %w", err)
+		}
+
+		res, err := resolverFn(label + "." + apex)
+		if err != nil {
+			// a probe failure (timeout / nxdomain surfaced as error) just means this
+			// sample says "not wildcard"; don't abort the whole fingerprint on it.
+			continue
+		}
+		if res.resolved() {
+			r.wildcardSigs = append(r.wildcardSigs, toSet(res.Addrs))
+		}
+	}
+
+	return nil
+}
+
+// Resolve looks up host and reports whether it is a real, non-wildcard hit. a
+// name that doesn't resolve, or whose answer matches a recorded wildcard
+// signature, returns false so the caller skips probing it.
+func (r *Resolver) Resolve(host string) (bool, error) {
+	res, err := resolverFn(host)
+	if err != nil {
+		return false, fmt.Errorf("dnsx: resolve %q: %w", host, err)
+	}
+	if !res.resolved() {
+		return false, nil
+	}
+	if r.isWildcard(res.Addrs) {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// isWildcard reports whether addrs is covered by any recorded wildcard
+// signature. a candidate whose every address appears in a wildcard answer is a
+// catch-all hit; a host with even one address outside the signature is a real,
+// distinct record and survives.
+func (r *Resolver) isWildcard(addrs []string) bool {
+	if len(r.wildcardSigs) == 0 {
+		return false
+	}
+	for i := 0; i < len(r.wildcardSigs); i++ {
+		if subset(addrs, r.wildcardSigs[i]) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// mergeAddrs flattens the A and AAAA answers into one sorted, deduped slice so
+// two equal answers compare equal regardless of record ordering.
+func mergeAddrs(data *retryabledns.DNSData) []string {
+	if data == nil {
+		return nil
+	}
+	seen := make(map[string]struct{}, len(data.A)+len(data.AAAA))
+	for i := 0; i < len(data.A); i++ {
+		seen[data.A[i]] = struct{}{}
+	}
+	for i := 0; i < len(data.AAAA); i++ {
+		seen[data.AAAA[i]] = struct{}{}
+	}
+
+	addrs := make([]string, 0, len(seen))
+	for addr := range seen {
+		addrs = append(addrs, addr)
+	}
+	sort.Strings(addrs)
+
+	return addrs
+}
+
+// toSet turns addrs into a lookup set for subset checks.
+func toSet(addrs []string) map[string]struct{} {
+	set := make(map[string]struct{}, len(addrs))
+	for i := 0; i < len(addrs); i++ {
+		set[addrs[i]] = struct{}{}
+	}
+
+	return set
+}
+
+// subset reports whether every addr is present in sig (and addrs is non-empty);
+// an empty addrs can't be a wildcard match.
+func subset(addrs []string, sig map[string]struct{}) bool {
+	if len(addrs) == 0 {
+		return false
+	}
+	for i := 0; i < len(addrs); i++ {
+		if _, ok := sig[addrs[i]]; !ok {
+			return false
+		}
+	}
+
+	return true
+}
+
+// randomLabel returns a cryptographically-random lowercase-alnum dns label of
+// length n. crypto/rand (not math/rand) so a target can't predict the probe
+// labels and special-case them to defeat wildcard detection.
+func randomLabel(n int) (string, error) {
+	var b strings.Builder
+	b.Grow(n)
+	alphabetLen := big.NewInt(int64(len(randomLabelAlphabet)))
+	for i := 0; i < n; i++ {
+		idx, err := rand.Int(rand.Reader, alphabetLen)
+		if err != nil {
+			return "", fmt.Errorf("dnsx: random index: %w", err)
+		}
+		b.WriteByte(randomLabelAlphabet[idx.Int64()])
+	}
+
+	return b.String(), nil
+}
@@ -0,0 +1,176 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package dnsx
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+)
+
+// withFakeResolver swaps resolverFn for fn for the duration of one test, then
+// restores it - the seam that keeps every case below network-free.
+func withFakeResolver(t *testing.T, fn func(host string) (resolution, error)) {
+	t.Helper()
+	orig := resolverFn
+	resolverFn = fn
+	t.Cleanup(func() { resolverFn = orig })
+}
+
+// newFingerprinted builds a Resolver and runs the wildcard fingerprint against
+// apex using the already-injected fake; fatal on error.
+func newFingerprinted(t *testing.T, apex string) *Resolver {
+	t.Helper()
+	r := &Resolver{}
+	if err := r.FingerprintWildcard(apex); err != nil {
+		t.Fatalf("FingerprintWildcard: %v", err)
+	}
+
+	return r
+}
+
+const testApex = "example.com"
+
+// a host that resolves to a real address, in a clean (non-wildcard) zone, is a
+// genuine hit.
+func TestResolve_FoundInCleanZone(t *testing.T) {
+	withFakeResolver(t, func(host string) (resolution, error) {
+		// nothing answers a random wildcard probe -> clean zone.
+		if strings.HasSuffix(host, "."+testApex) && host != "www."+testApex {
+			return resolution{}, nil
+		}
+		if host == "www."+testApex {
+			return resolution{Addrs: []string{"93.184.216.34"}}, nil
+		}
+		return resolution{}, nil
+	})
+
+	r := newFingerprinted(t, testApex)
+	if len(r.wildcardSigs) != 0 {
+		t.Fatalf("clean zone should record no wildcard signatures, got %d", len(r.wildcardSigs))
+	}
+
+	ok, err := r.Resolve("www." + testApex)
+	if err != nil {
+		t.Fatalf("Resolve: %v", err)
+	}
+	if !ok {
+		t.Error("a resolving host in a clean zone should be a hit")
+	}
+}
+
+// nxdomain (no addresses) is not a hit, so the caller skips probing it.
+func TestResolve_NxdomainSkipped(t *testing.T) {
+	withFakeResolver(t, func(string) (resolution, error) {
+		// every name, probes included, returns no records.
+		return resolution{}, nil
+	})
+
+	r := newFingerprinted(t, testApex)
+
+	ok, err := r.Resolve("ghost." + testApex)
+	if err != nil {
+		t.Fatalf("Resolve: %v", err)
+	}
+	if ok {
+		t.Error("an nxdomain host must not count as found")
+	}
+}
+
+// a wildcard zone answers the random probe labels, so a candidate that resolves
+// to the same catch-all address is filtered out.
+func TestResolve_WildcardFiltered(t *testing.T) {
+	const catchAll = "10.0.0.1"
+	withFakeResolver(t, func(string) (resolution, error) {
+		// the zone answers everything - probes and candidates alike - with one ip.
+		return resolution{Addrs: []string{catchAll}}, nil
+	})
+
+	r := newFingerprinted(t, testApex)
+	if len(r.wildcardSigs) == 0 {
+		t.Fatal("wildcard zone should record at least one signature")
+	}
+
+	ok, err := r.Resolve("anything." + testApex)
+	if err != nil {
+		t.Fatalf("Resolve: %v", err)
+	}
+	if ok {
+		t.Error("a candidate matching the wildcard answer must be filtered")
+	}
+}
+
+// a real host in a wildcard zone that resolves to a distinct address (not the
+// catch-all) still survives the filter - one address outside the signature is
+// enough to be a genuine record.
+func TestResolve_DistinctHostSurvivesWildcard(t *testing.T) {
+	const catchAll = "10.0.0.1"
+	const realHost = "api." + testApex
+	withFakeResolver(t, func(host string) (resolution, error) {
+		if host == realHost {
+			return resolution{Addrs: []string{"203.0.113.7"}}, nil
+		}
+		// everything else (probes + other candidates) hits the catch-all.
+		return resolution{Addrs: []string{catchAll}}, nil
+	})
+
+	r := newFingerprinted(t, testApex)
+	if len(r.wildcardSigs) == 0 {
+		t.Fatal("wildcard zone should record at least one signature")
+	}
+
+	ok, err := r.Resolve(realHost)
+	if err != nil {
+		t.Fatalf("Resolve: %v", err)
+	}
+	if !ok {
+		t.Error("a host resolving to a distinct address should survive the wildcard filter")
+	}
+}
+
+func TestParseResolvers(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want []string
+	}{
+		{"empty falls back to bundled", "", nil},
+		{"blank falls back to bundled", "   ", nil},
+		{"bare ips get default port", "1.1.1.1,8.8.8.8", []string{"1.1.1.1:53", "8.8.8.8:53"}},
+		{"explicit port preserved", "9.9.9.9:5353", []string{"9.9.9.9:5353"}},
+		{"whitespace and empties trimmed", " 1.1.1.1 , ,8.8.8.8 ", []string{"1.1.1.1:53", "8.8.8.8:53"}},
+		{"mixed bare and ported", "1.1.1.1,9.9.9.9:5353", []string{"1.1.1.1:53", "9.9.9.9:5353"}},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := ParseResolvers(tt.in); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("ParseResolvers(%q) = %v, want %v", tt.in, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestNewResolver_DefaultsToBundledPool(t *testing.T) {
+	// keep the seam already installed so New doesn't replace it with a real
+	// client; we only assert the constructor accepts an empty override.
+	withFakeResolver(t, func(string) (resolution, error) { return resolution{}, nil })
+
+	r, err := NewResolver(nil)
+	if err != nil {
+		t.Fatalf("NewResolver(nil): %v", err)
+	}
+	if r == nil {
+		t.Fatal("NewResolver returned nil resolver")
+	}
+}
@@ -0,0 +1,730 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+// Package finding is the one normalization layer between the scan results and
+// the consumers that don't want to know about ~two dozen result structs: notify
+// (later) gates and renders on it, diff (later) keys runs off it. Flatten is the
+// single type-switch; adding a scanner without teaching Flatten about it trips
+// the guard test in flatten_test.go, on purpose.
+package finding
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+	"github.com/dropalldatabases/sif/internal/scan"
+	"github.com/dropalldatabases/sif/internal/scan/frameworks"
+	"github.com/dropalldatabases/sif/internal/scan/js"
+	"github.com/projectdiscovery/nuclei/v3/pkg/output"
+)
+
+// Finding is the normalized shape every scanner result collapses to. one
+// Finding is one underlying item (a single header, one cors hit, one nuclei
+// match) rather than a whole module's blob, so consumers diff and notify at
+// item granularity.
+type Finding struct {
+	Target   string   // the url/host the scan ran against
+	Module   string   // the ResultType() of the source scanner
+	Severity Severity // ranked severity, SeverityUnknown when the source has none
+	Key      string   // stable identity for dedup/diff: module + ":" + identifier
+	Title    string   // short human label
+	Raw      string   // short evidence string, not the full body
+}
+
+// Line renders a finding as one stable, terse, machine-friendly line for the
+// -silent plain sink: "[severity] target module title". no styling, no color -
+// a downstream pipe (notify, grep, awk) keys off the bracketed severity and the
+// fixed field order, so the shape stays frozen. pointer receiver: Finding is
+// wide enough that copying it per line is wasteful.
+func (f *Finding) Line() string {
+	return fmt.Sprintf("[%s] %s %s %s", f.Severity, f.Target, f.Module, f.Title)
+}
+
+// static per-module severities for results that carry no severity field of
+// their own. these are the editorial baseline; a scanner that emits its own
+// severity (cors, xss, nuclei, ...) overrides this on a per-item basis.
+const (
+	// a live admin panel / takeover / public bucket is high on its own.
+	sevTakeover   = SeverityHigh
+	sevPublicS3   = SeverityHigh
+	sevAdminPanel = SeverityHigh
+	// disclosure-grade signals: dberrors, secrets, supabase keys.
+	sevDBError = SeverityMedium
+	sevSecret  = SeverityMedium
+	// pure recon/inventory: headers, crawl urls, passive hosts, ports.
+	sevRecon = SeverityInfo
+)
+
+// keySep joins the module id and the per-item identifier into a Key. kept as a
+// const so the diff layer can split on it without re-deriving the separator.
+const keySep = ":"
+
+// key builds a stable per-item identity: module:identifier. identifier is
+// whatever uniquely names the item within its module (a url, a header name, a
+// subdomain) so the same finding across two runs produces the same Key.
+func key(module, identifier string) string {
+	return module + keySep + identifier
+}
+
+// Flatten normalizes one module's result into zero or more Findings. result is
+// the raw data carried in a ModuleResult; the type switch covers every scan
+// result struct. an unrecognized type yields a single SeverityUnknown finding
+// keyed "module:unhandled" so a new scanner surfaces loudly instead of
+// vanishing - the guard test asserts this never happens for a known type.
+func Flatten(target, module string, result any) []Finding {
+	switch r := result.(type) {
+	case *scan.ShodanResult:
+		return flattenShodan(target, r)
+	case *scan.SQLResult:
+		return flattenSQL(target, r)
+	case *scan.LFIResult:
+		return flattenLFI(target, r)
+	case *scan.JWTResult:
+		return flattenJWT(target, r)
+	case *scan.OpenAPIResult:
+		return flattenOpenAPI(target, r)
+	case *scan.FaviconResult:
+		return flattenFavicon(target, r)
+	case *scan.CMSResult:
+		return flattenCMS(target, r)
+	case *scan.SecurityTrailsResult:
+		return flattenSecurityTrails(target, r)
+	case *scan.CORSResult:
+		return flattenCORS(target, r)
+	case *scan.RedirectResult:
+		return flattenRedirect(target, r)
+	case *scan.XSSResult:
+		return flattenXSS(target, r)
+	case *scan.CrawlResult:
+		return flattenCrawl(target, r)
+	case *scan.PassiveResult:
+		return flattenPassive(target, r)
+	case *scan.ProbeResult:
+		return flattenProbe(target, r)
+	case scan.HeaderResults:
+		return flattenHeaders(target, r)
+	case []scan.HeaderResult:
+		// the headers module appends a literal []HeaderResult, not the named
+		// slice type; both reach here so cover both.
+		return flattenHeaders(target, r)
+	case scan.SecurityHeaderResults:
+		return flattenSecurityHeaders(target, r)
+	case []scan.SecurityHeaderResult:
+		return flattenSecurityHeaders(target, r)
+	case scan.DirectoryResults:
+		return flattenDirlist(target, r)
+	case []scan.DirectoryResult:
+		return flattenDirlist(target, r)
+	case scan.CloudStorageResults:
+		return flattenCloudStorage(target, r)
+	case []scan.CloudStorageResult:
+		return flattenCloudStorage(target, r)
+	case scan.DorkResults:
+		return flattenDork(target, r)
+	case []scan.DorkResult:
+		return flattenDork(target, r)
+	case scan.SubdomainTakeoverResults:
+		return flattenTakeover(target, r)
+	case []scan.SubdomainTakeoverResult:
+		return flattenTakeover(target, r)
+	case *frameworks.FrameworkResult:
+		return flattenFramework(target, r)
+	case *js.JavascriptScanResult:
+		return flattenJS(target, r)
+	case *modules.Result:
+		// yaml/builtin modules carry their own module id; honor it over the
+		// passed-in module so per-module findings stay attributed correctly.
+		return flattenModule(target, r)
+	case []output.ResultEvent:
+		return flattenNuclei(target, r)
+	case []string:
+		// dnslist/portscan/git all hand back a bare []string of discovered
+		// items; module disambiguates which inventory it is.
+		return flattenStrings(target, module, r)
+	default:
+		// unknown type: emit a loud placeholder rather than dropping it.
+		return []Finding{{
+			Target:   target,
+			Module:   module,
+			Severity: SeverityUnknown,
+			Key:      key(module, "unhandled"),
+			Title:    fmt.Sprintf("unhandled result type %T", result),
+			Raw:      fmt.Sprintf("%T", result),
+		}}
+	}
+}
+
+func flattenShodan(target string, r *scan.ShodanResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	// one host snapshot -> one inventory finding; vulns are the interesting bit
+	// so they bump severity and ride along in the evidence string.
+	sev := sevRecon
+	if len(r.Vulns) > 0 {
+		sev = SeverityHigh
+	}
+	raw := fmt.Sprintf("%d ports", len(r.Ports))
+	if len(r.Vulns) > 0 {
+		raw = fmt.Sprintf("%s, %d vulns", raw, len(r.Vulns))
+	}
+	return []Finding{{
+		Target:   target,
+		Module:   "shodan",
+		Severity: sev,
+		Key:      key("shodan", r.IP),
+		Title:    "shodan host " + r.IP,
+		Raw:      raw,
+	}}
+}
+
+func flattenSQL(target string, r *scan.SQLResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.AdminPanels)+len(r.DatabaseErrors)+len(r.ExposedPorts))
+	for i := 0; i < len(r.AdminPanels); i++ {
+		p := r.AdminPanels[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "sql",
+			Severity: sevAdminPanel,
+			Key:      key("sql", "admin:"+p.URL),
+			Title:    p.Type + " admin panel",
+			Raw:      fmt.Sprintf("%s (%d)", p.URL, p.Status),
+		})
+	}
+	for i := 0; i < len(r.DatabaseErrors); i++ {
+		e := r.DatabaseErrors[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "sql",
+			Severity: sevDBError,
+			Key:      key("sql", "dberr:"+e.URL+":"+e.DatabaseType),
+			Title:    e.DatabaseType + " error disclosure",
+			Raw:      e.ErrorPattern,
+		})
+	}
+	for i := 0; i < len(r.ExposedPorts); i++ {
+		p := r.ExposedPorts[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "sql",
+			Severity: SeverityMedium,
+			Key:      key("sql", fmt.Sprintf("port:%d", p)),
+			Title:    fmt.Sprintf("exposed db port %d", p),
+			Raw:      fmt.Sprintf("%d", p),
+		})
+	}
+	return out
+}
+
+func flattenLFI(target string, r *scan.LFIResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.Vulnerabilities))
+	for i := 0; i < len(r.Vulnerabilities); i++ {
+		v := r.Vulnerabilities[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "lfi",
+			Severity: ParseSeverity(v.Severity),
+			Key:      key("lfi", v.URL+":"+v.Parameter),
+			Title:    "lfi via " + v.Parameter,
+			Raw:      v.Evidence,
+		})
+	}
+	return out
+}
+
+func flattenJWT(target string, r *scan.JWTResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.Tokens))
+	for i := 0; i < len(r.Tokens); i++ {
+		t := r.Tokens[i]
+		// one finding per weakness, not per token: a token with alg:none and a
+		// weak key is two distinct issues a consumer wants to diff separately.
+		for j := 0; j < len(t.Issues); j++ {
+			iss := t.Issues[j]
+			out = append(out, Finding{
+				Target:   target,
+				Module:   "jwt",
+				Severity: ParseSeverity(iss.Severity),
+				Key:      key("jwt", t.Source+":"+iss.Kind),
+				Title:    "jwt " + iss.Kind,
+				Raw:      iss.Detail,
+			})
+		}
+	}
+	return out
+}
+
+func flattenOpenAPI(target string, r *scan.OpenAPIResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	return []Finding{{
+		Target:   target,
+		Module:   "openapi",
+		Severity: ParseSeverity(r.Severity),
+		Key:      key("openapi", r.SpecURL),
+		Title:    "openapi spec exposed",
+		Raw:      fmt.Sprintf("%s (%d endpoints)", r.SpecURL, len(r.Endpoints)),
+	}}
+}
+
+func flattenFavicon(target string, r *scan.FaviconResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	// a matched fingerprint is a real signal; an unmatched hash is just inventory
+	// (still useful as a shodan pivot, so we keep it at recon).
+	sev := sevRecon
+	title := fmt.Sprintf("favicon hash %d", r.Hash)
+	if r.Tech != "" {
+		sev = SeverityLow
+		title = r.Tech + " (favicon)"
+	}
+	return []Finding{{
+		Target:   target,
+		Module:   "favicon",
+		Severity: sev,
+		Key:      key("favicon", fmt.Sprintf("%d", r.Hash)),
+		Title:    title,
+		Raw:      r.ShodanQ,
+	}}
+}
+
+func flattenCMS(target string, r *scan.CMSResult) []Finding {
+	if r == nil || r.Name == "" {
+		return nil
+	}
+	return []Finding{{
+		Target:   target,
+		Module:   "cms",
+		Severity: sevRecon,
+		Key:      key("cms", r.Name),
+		Title:    r.Name + " detected",
+		Raw:      strings.TrimSpace(r.Name + " " + r.Version),
+	}}
+}
+
+func flattenSecurityTrails(target string, r *scan.SecurityTrailsResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.Subdomains)+len(r.AssociatedDomains))
+	for i := 0; i < len(r.Subdomains); i++ {
+		d := r.Subdomains[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "securitytrails",
+			Severity: sevRecon,
+			Key:      key("securitytrails", "sub:"+d),
+			Title:    "subdomain " + d,
+			Raw:      d,
+		})
+	}
+	for i := 0; i < len(r.AssociatedDomains); i++ {
+		d := r.AssociatedDomains[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "securitytrails",
+			Severity: sevRecon,
+			Key:      key("securitytrails", "assoc:"+d),
+			Title:    "associated domain " + d,
+			Raw:      d,
+		})
+	}
+	return out
+}
+
+func flattenCORS(target string, r *scan.CORSResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.Findings))
+	for i := 0; i < len(r.Findings); i++ {
+		f := r.Findings[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "cors",
+			Severity: ParseSeverity(f.Severity),
+			Key:      key("cors", f.URL+":"+f.OriginTested),
+			Title:    f.Note,
+			Raw:      "allow-origin: " + f.AllowOrigin,
+		})
+	}
+	return out
+}
+
+func flattenRedirect(target string, r *scan.RedirectResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.Findings))
+	for i := 0; i < len(r.Findings); i++ {
+		f := r.Findings[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "redirect",
+			Severity: ParseSeverity(f.Severity),
+			Key:      key("redirect", f.URL+":"+f.Parameter+":"+f.Via),
+			Title:    "open redirect via " + f.Parameter,
+			Raw:      f.Location,
+		})
+	}
+	return out
+}
+
+func flattenXSS(target string, r *scan.XSSResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.Findings))
+	for i := 0; i < len(r.Findings); i++ {
+		f := r.Findings[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "xss",
+			Severity: ParseSeverity(f.Severity),
+			Key:      key("xss", f.URL+":"+f.Parameter+":"+f.Context),
+			Title:    "reflected xss in " + f.Parameter,
+			Raw:      strings.Join(f.SurvivedRaw, " "),
+		})
+	}
+	return out
+}
+
+func flattenCrawl(target string, r *scan.CrawlResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.URLs))
+	for i := 0; i < len(r.URLs); i++ {
+		u := r.URLs[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "crawl",
+			Severity: sevRecon,
+			Key:      key("crawl", u),
+			Title:    "crawled url",
+			Raw:      u,
+		})
+	}
+	return out
+}
+
+func flattenPassive(target string, r *scan.PassiveResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	out := make([]Finding, 0, len(r.Subdomains)+len(r.URLs))
+	for i := 0; i < len(r.Subdomains); i++ {
+		s := r.Subdomains[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "passive",
+			Severity: sevRecon,
+			Key:      key("passive", "sub:"+s),
+			Title:    "passive subdomain " + s,
+			Raw:      s,
+		})
+	}
+	for i := 0; i < len(r.URLs); i++ {
+		u := r.URLs[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "passive",
+			Severity: sevRecon,
+			Key:      key("passive", "url:"+u),
+			Title:    "passive url",
+			Raw:      u,
+		})
+	}
+	return out
+}
+
+func flattenProbe(target string, r *scan.ProbeResult) []Finding {
+	if r == nil || !r.Alive {
+		// a dead probe isn't a finding, just an absent host.
+		return nil
+	}
+	return []Finding{{
+		Target:   target,
+		Module:   "probe",
+		Severity: sevRecon,
+		Key:      key("probe", r.URL),
+		Title:    fmt.Sprintf("alive %d", r.StatusCode),
+		Raw:      strings.TrimSpace(fmt.Sprintf("%d %s", r.StatusCode, r.Title)),
+	}}
+}
+
+func flattenHeaders(target string, rs []scan.HeaderResult) []Finding {
+	out := make([]Finding, 0, len(rs))
+	for i := 0; i < len(rs); i++ {
+		h := rs[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "headers",
+			Severity: sevRecon,
+			Key:      key("headers", h.Name),
+			Title:    h.Name,
+			Raw:      h.Value,
+		})
+	}
+	return out
+}
+
+func flattenSecurityHeaders(target string, rs []scan.SecurityHeaderResult) []Finding {
+	out := make([]Finding, 0, len(rs))
+	for i := 0; i < len(rs); i++ {
+		h := rs[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "security_headers",
+			Severity: ParseSeverity(h.Severity),
+			Key:      key("security_headers", h.Header),
+			Title:    h.Header,
+			Raw:      h.Note,
+		})
+	}
+	return out
+}
+
+// dirInteresting bounds the "noteworthy" 3xx range for a listed directory; a
+// redirect (>=300) or anything past it is worth more than a plain 200 hit.
+const dirRedirectFloor = 300
+
+func flattenDirlist(target string, rs []scan.DirectoryResult) []Finding {
+	out := make([]Finding, 0, len(rs))
+	for i := 0; i < len(rs); i++ {
+		d := rs[i]
+		sev := sevRecon
+		if d.StatusCode >= dirRedirectFloor {
+			sev = SeverityLow
+		}
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "dirlist",
+			Severity: sev,
+			Key:      key("dirlist", d.Url),
+			Title:    fmt.Sprintf("%s [%d]", d.Url, d.StatusCode),
+			Raw:      fmt.Sprintf("status=%d size=%d", d.StatusCode, d.Size),
+		})
+	}
+	return out
+}
+
+func flattenCloudStorage(target string, rs []scan.CloudStorageResult) []Finding {
+	out := make([]Finding, 0, len(rs))
+	for i := 0; i < len(rs); i++ {
+		b := rs[i]
+		sev := sevRecon
+		if b.IsPublic {
+			sev = sevPublicS3
+		}
+		title := "bucket " + b.BucketName
+		if b.IsPublic {
+			title = "public bucket " + b.BucketName
+		}
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "cloudstorage",
+			Severity: sev,
+			Key:      key("cloudstorage", b.BucketName),
+			Title:    title,
+			Raw:      fmt.Sprintf("public=%t", b.IsPublic),
+		})
+	}
+	return out
+}
+
+func flattenDork(target string, rs []scan.DorkResult) []Finding {
+	out := make([]Finding, 0, len(rs))
+	for i := 0; i < len(rs); i++ {
+		d := rs[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "dork",
+			Severity: sevRecon,
+			Key:      key("dork", d.Url),
+			Title:    "dork hit",
+			Raw:      d.Url,
+		})
+	}
+	return out
+}
+
+func flattenTakeover(target string, rs []scan.SubdomainTakeoverResult) []Finding {
+	out := make([]Finding, 0, len(rs))
+	for i := 0; i < len(rs); i++ {
+		t := rs[i]
+		// only the vulnerable ones are findings; a safe cname is noise here.
+		if !t.Vulnerable {
+			continue
+		}
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "subdomain_takeover",
+			Severity: sevTakeover,
+			Key:      key("subdomain_takeover", t.Subdomain),
+			Title:    "takeover: " + t.Subdomain,
+			Raw:      t.Service,
+		})
+	}
+	return out
+}
+
+func flattenFramework(target string, r *frameworks.FrameworkResult) []Finding {
+	if r == nil || r.Name == "" {
+		return nil
+	}
+	// framework risk maps onto severity; an unset risk falls back to recon.
+	sev := ParseSeverity(r.RiskLevel)
+	if sev == SeverityUnknown {
+		sev = sevRecon
+	}
+	raw := strings.TrimSpace(r.Name + " " + r.Version)
+	if len(r.CVEs) > 0 {
+		raw = fmt.Sprintf("%s, %d cves", raw, len(r.CVEs))
+	}
+	return []Finding{{
+		Target:   target,
+		Module:   "framework",
+		Severity: sev,
+		Key:      key("framework", r.Name),
+		Title:    r.Name + " detected",
+		Raw:      raw,
+	}}
+}
+
+func flattenJS(target string, r *js.JavascriptScanResult) []Finding {
+	if r == nil {
+		return nil
+	}
+	supabase := r.SupabaseFindings()
+	out := make([]Finding, 0, len(r.SecretMatches)+len(supabase)+len(r.Endpoints)+len(r.FoundEnvironmentVars))
+	for i := 0; i < len(r.SecretMatches); i++ {
+		s := r.SecretMatches[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "js",
+			Severity: sevSecret,
+			Key:      key("js", "secret:"+s.Rule+":"+s.Source),
+			Title:    "secret: " + s.Rule,
+			Raw:      s.Source,
+		})
+	}
+	for i := 0; i < len(supabase); i++ {
+		s := supabase[i]
+		// a non-anon role on an exposed key is the real bug; anon is just recon.
+		sev := sevRecon
+		if s.Role != "" && s.Role != "anon" {
+			sev = SeverityHigh
+		}
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "js",
+			Severity: sev,
+			Key:      key("js", "supabase:"+s.ProjectId),
+			Title:    "supabase project " + s.ProjectId,
+			Raw:      fmt.Sprintf("role=%s collections=%d", s.Role, s.Collections),
+		})
+	}
+	for i := 0; i < len(r.Endpoints); i++ {
+		e := r.Endpoints[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "js",
+			Severity: sevRecon,
+			Key:      key("js", "endpoint:"+e),
+			Title:    "js endpoint",
+			Raw:      e,
+		})
+	}
+	// env vars are a map; sort-free since the Key carries the name, and diff
+	// keys on the Key not on iteration order.
+	for name, value := range r.FoundEnvironmentVars {
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "js",
+			Severity: sevSecret,
+			Key:      key("js", "env:"+name),
+			Title:    "env var " + name,
+			Raw:      value,
+		})
+	}
+	return out
+}
+
+func flattenModule(target string, r *modules.Result) []Finding {
+	if r == nil {
+		return nil
+	}
+	module := r.ResultType()
+	out := make([]Finding, 0, len(r.Findings))
+	for i := 0; i < len(r.Findings); i++ {
+		f := r.Findings[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   module,
+			Severity: ParseSeverity(f.Severity),
+			Key:      key(module, f.URL),
+			Title:    module + " finding",
+			Raw:      f.Evidence,
+		})
+	}
+	return out
+}
+
+func flattenNuclei(target string, events []output.ResultEvent) []Finding {
+	out := make([]Finding, 0, len(events))
+	for i := 0; i < len(events); i++ {
+		e := events[i]
+		// host is the most reliable per-hit identifier; matched-at sharpens it
+		// when several templates fire on one host.
+		ident := e.TemplateID + ":" + e.Host
+		if e.Matched != "" {
+			ident = e.TemplateID + ":" + e.Matched
+		}
+		out = append(out, Finding{
+			Target:   target,
+			Module:   "nuclei",
+			Severity: ParseSeverity(e.Info.SeverityHolder.Severity.String()),
+			Key:      key("nuclei", ident),
+			Title:    e.Info.Name,
+			Raw:      e.Matched,
+		})
+	}
+	return out
+}
+
+func flattenStrings(target, module string, items []string) []Finding {
+	out := make([]Finding, 0, len(items))
+	for i := 0; i < len(items); i++ {
+		v := items[i]
+		out = append(out, Finding{
+			Target:   target,
+			Module:   module,
+			Severity: sevRecon,
+			Key:      key(module, v),
+			Title:    module + " item",
+			Raw:      v,
+		})
+	}
+	return out
+}
@@ -0,0 +1,383 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package finding
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+	"github.com/dropalldatabases/sif/internal/scan"
+	"github.com/dropalldatabases/sif/internal/scan/frameworks"
+	"github.com/dropalldatabases/sif/internal/scan/js"
+	"github.com/projectdiscovery/nuclei/v3/pkg/model"
+	"github.com/projectdiscovery/nuclei/v3/pkg/model/types/severity"
+	"github.com/projectdiscovery/nuclei/v3/pkg/output"
+)
+
+// scanResultType mirrors the minimal interface the scan packages implement; the
+// coverage table below carries a value per ResultType() so a new scanner whose
+// ResultType isn't represented (or isn't handled by Flatten) trips a failure.
+type scanResultType interface {
+	ResultType() string
+}
+
+// coverageCase is one representative, non-empty instance of a result type plus
+// its expected module attribution. wantItems is how many findings Flatten must
+// emit for the populated instance, proving the per-item fan-out works.
+type coverageCase struct {
+	value     any            // the result as it reaches Flatten
+	typed     scanResultType // same value when it implements ResultType(), else nil
+	module    string         // module id Flatten should stamp
+	wantItems int            // findings the populated instance must produce
+}
+
+// coverageCases is the registry the guard checks against. there must be one
+// entry per distinct ResultType() in the scan tree (plus the raw []string and
+// nuclei []ResultEvent that flow through the report without a ResultType). add a
+// scanner without adding it here and TestFlattenCoversEveryResultType fails.
+func coverageCases() []coverageCase {
+	return []coverageCase{
+		{
+			value:     &scan.ShodanResult{IP: "1.2.3.4", Ports: []int{80}, Vulns: []string{"CVE-1"}},
+			typed:     &scan.ShodanResult{},
+			module:    "shodan",
+			wantItems: 1,
+		},
+		{
+			value: &scan.SQLResult{
+				AdminPanels:    []scan.SQLAdminPanel{{URL: "http://x/pma", Type: "phpMyAdmin", Status: 200}},
+				DatabaseErrors: []scan.SQLDatabaseError{{URL: "http://x", DatabaseType: "mysql", ErrorPattern: "syntax"}},
+				ExposedPorts:   []int{3306},
+			},
+			typed:     &scan.SQLResult{},
+			module:    "sql",
+			wantItems: 3,
+		},
+		{
+			value: &scan.LFIResult{Vulnerabilities: []scan.LFIVulnerability{
+				{URL: "http://x", Parameter: "file", Evidence: "root:x", Severity: "high"},
+			}},
+			typed:     &scan.LFIResult{},
+			module:    "lfi",
+			wantItems: 1,
+		},
+		{
+			value: &scan.JWTResult{Tokens: []scan.JWTToken{{
+				Source: "header:Authorization",
+				Alg:    "none",
+				Issues: []scan.JWTIssue{
+					{Kind: "alg:none", Severity: "critical", Detail: "no signature"},
+					{Kind: "missing exp", Severity: "medium", Detail: "no expiry"},
+				},
+			}}},
+			typed:     &scan.JWTResult{},
+			module:    "jwt",
+			wantItems: 2,
+		},
+		{
+			value: &scan.OpenAPIResult{
+				SpecURL:   "http://x/openapi.json",
+				Severity:  "high",
+				Endpoints: []scan.OpenAPIEndpoint{{Path: "/users", Method: "GET", Unauth: true}},
+			},
+			typed:     &scan.OpenAPIResult{},
+			module:    "openapi",
+			wantItems: 1,
+		},
+		{
+			value:     &scan.FaviconResult{Hash: 116323821, Tech: "Apache Tomcat", ShodanQ: "http.favicon.hash:116323821"},
+			typed:     &scan.FaviconResult{},
+			module:    "favicon",
+			wantItems: 1,
+		},
+		{
+			value:     &scan.CMSResult{Name: "WordPress", Version: "6.1"},
+			typed:     &scan.CMSResult{},
+			module:    "cms",
+			wantItems: 1,
+		},
+		{
+			value:     &scan.SecurityTrailsResult{Domain: "x.com", Subdomains: []string{"a.x.com"}, AssociatedDomains: []string{"y.com"}},
+			typed:     &scan.SecurityTrailsResult{},
+			module:    "securitytrails",
+			wantItems: 2,
+		},
+		{
+			value:     &scan.CORSResult{Findings: []scan.CORSFinding{{URL: "http://x", OriginTested: "null", AllowOrigin: "null", Severity: "medium", Note: "null origin"}}},
+			typed:     &scan.CORSResult{},
+			module:    "cors",
+			wantItems: 1,
+		},
+		{
+			value:     &scan.RedirectResult{Findings: []scan.RedirectFinding{{URL: "http://x", Parameter: "next", Location: "http://evil", Via: "header", Severity: "medium"}}},
+			typed:     &scan.RedirectResult{},
+			module:    "redirect",
+			wantItems: 1,
+		},
+		{
+			value:     &scan.XSSResult{Findings: []scan.XSSFinding{{URL: "http://x", Parameter: "q", Context: "html", SurvivedRaw: []string{"<"}, Severity: "high"}}},
+			typed:     &scan.XSSResult{},
+			module:    "xss",
+			wantItems: 1,
+		},
+		{
+			value:     &scan.CrawlResult{URLs: []string{"http://x/a"}},
+			typed:     &scan.CrawlResult{},
+			module:    "crawl",
+			wantItems: 1,
+		},
+		{
+			value:     &scan.PassiveResult{Subdomains: []string{"a.x.com"}, URLs: []string{"http://x/old"}},
+			typed:     &scan.PassiveResult{},
+			module:    "passive",
+			wantItems: 2,
+		},
+		{
+			value:     &scan.ProbeResult{URL: "http://x", Alive: true, StatusCode: 200, Title: "home"},
+			typed:     &scan.ProbeResult{},
+			module:    "probe",
+			wantItems: 1,
+		},
+		{
+			value:     scan.HeaderResults{{Name: "Server", Value: "nginx"}},
+			typed:     scan.HeaderResults{},
+			module:    "headers",
+			wantItems: 1,
+		},
+		{
+			value:     scan.SecurityHeaderResults{{Header: "Content-Security-Policy", Present: false, Severity: "medium", Note: "missing"}},
+			typed:     scan.SecurityHeaderResults{},
+			module:    "security_headers",
+			wantItems: 1,
+		},
+		{
+			value:     scan.DirectoryResults{{Url: "http://x/admin", StatusCode: 301, Size: 10, Words: 2}},
+			typed:     scan.DirectoryResults{},
+			module:    "dirlist",
+			wantItems: 1,
+		},
+		{
+			value:     scan.CloudStorageResults{{BucketName: "x-assets", IsPublic: true}},
+			typed:     scan.CloudStorageResults{},
+			module:    "cloudstorage",
+			wantItems: 1,
+		},
+		{
+			value:     scan.DorkResults{{Url: "http://x/leak", Count: 1}},
+			typed:     scan.DorkResults{},
+			module:    "dork",
+			wantItems: 1,
+		},
+		{
+			value:     scan.SubdomainTakeoverResults{{Subdomain: "old.x.com", Vulnerable: true, Service: "GitHub Pages"}},
+			typed:     scan.SubdomainTakeoverResults{},
+			module:    "subdomain_takeover",
+			wantItems: 1,
+		},
+		{
+			value:     &frameworks.FrameworkResult{Name: "Laravel", Version: "9.0", RiskLevel: "high", CVEs: []string{"CVE-2"}},
+			typed:     &frameworks.FrameworkResult{},
+			module:    "framework",
+			wantItems: 1,
+		},
+		{
+			value: &js.JavascriptScanResult{
+				SecretMatches: []js.SecretMatch{{Rule: "aws-key", Match: "AKIA...", Source: "http://x/app.js"}},
+				Endpoints:     []string{"/api/v1"},
+			},
+			typed:     &js.JavascriptScanResult{},
+			module:    "js",
+			wantItems: 2,
+		},
+		{
+			value:     &modules.Result{ModuleID: "custom-mod", Target: "http://x", Findings: []modules.Finding{{URL: "http://x", Severity: "low", Evidence: "hit"}}},
+			typed:     &modules.Result{ModuleID: "custom-mod"},
+			module:    "custom-mod",
+			wantItems: 1,
+		},
+		{
+			// nuclei results aren't ScanResult-typed; they ride through the report
+			// as a raw []ResultEvent, so cover that shape explicitly.
+			value:     []output.ResultEvent{{TemplateID: "t1", Host: "x", Matched: "http://x", Info: model.Info{Name: "n", SeverityHolder: severity.Holder{Severity: severity.High}}}},
+			module:    "nuclei",
+			wantItems: 1,
+		},
+		{
+			// dnslist/portscan/git all hand Flatten a bare []string keyed only by
+			// the module argument.
+			value:     []string{"sub.x.com"},
+			module:    "dnslist",
+			wantItems: 1,
+		},
+	}
+}
+
+const target = "http://target.example"
+
+// TestFlattenCoversEveryResultType is the guard: every result type in the
+// coverage table must flatten into the expected module without hitting the
+// "unhandled" fallback. a new scanner that skips both the table and Flatten's
+// switch trips this loudly.
+func TestFlattenCoversEveryResultType(t *testing.T) {
+	for _, tc := range coverageCases() {
+		findings := Flatten(target, tc.module, tc.value)
+
+		if len(findings) != tc.wantItems {
+			t.Errorf("module %q: got %d findings, want %d", tc.module, len(findings), tc.wantItems)
+		}
+		for i := 0; i < len(findings); i++ {
+			f := findings[i]
+			if strings.HasSuffix(f.Key, keySep+"unhandled") {
+				t.Errorf("module %q: Flatten has no case, fell through to unhandled (key=%q)", tc.module, f.Key)
+			}
+			if f.Target != target {
+				t.Errorf("module %q: target=%q, want %q", tc.module, f.Target, target)
+			}
+			if f.Module != tc.module {
+				t.Errorf("module %q: finding stamped module=%q, want %q", tc.module, f.Module, tc.module)
+			}
+			if f.Key == "" {
+				t.Errorf("module %q: empty Key", tc.module)
+			}
+			if !strings.HasPrefix(f.Key, tc.module+keySep) {
+				t.Errorf("module %q: Key %q not prefixed with module", tc.module, f.Key)
+			}
+		}
+	}
+}
+
+// TestEveryResultTypeIsInCoverageTable cross-checks the table against the actual
+// ResultType() registry: if a scanner type exists whose ResultType() isn't in
+// the table, the coverage guard above would never exercise it. enumerate the
+// known typed entries and assert each ResultType() string is present.
+func TestEveryResultTypeIsInCoverageTable(t *testing.T) {
+	covered := make(map[string]struct{})
+	for _, tc := range coverageCases() {
+		if tc.typed == nil {
+			continue
+		}
+		covered[tc.typed.ResultType()] = struct{}{}
+	}
+
+	// the full set of ResultType() strings the scan tree exposes. keep this in
+	// lockstep with the ScanResult implementers; a missing entry means the table
+	// (and very likely Flatten) skipped a scanner.
+	want := []string{
+		"shodan", "sql", "lfi", "jwt", "openapi", "favicon", "cms", "securitytrails",
+		"cors", "redirect", "xss", "crawl", "passive", "probe",
+		"headers", "security_headers", "dirlist", "cloudstorage",
+		"dork", "subdomain_takeover", "framework", "js", "custom-mod",
+	}
+	for _, rt := range want {
+		if _, ok := covered[rt]; !ok {
+			t.Errorf("ResultType %q has no entry in coverageCases; Flatten coverage unverified", rt)
+		}
+	}
+}
+
+// TestFlattenStableKeysAndSeverities pins the keys and severities for a couple
+// of representative items so a refactor that quietly reshuffles them is caught.
+func TestFlattenStableKeysAndSeverities(t *testing.T) {
+	tests := []struct {
+		name    string
+		value   any
+		module  string
+		wantKey string
+		wantSev Severity
+	}{
+		{
+			name:    "cors honors source severity",
+			value:   &scan.CORSResult{Findings: []scan.CORSFinding{{URL: "http://x", OriginTested: "null", AllowOrigin: "null", Severity: "high", Note: "n"}}},
+			module:  "cors",
+			wantKey: "cors:http://x:null",
+			wantSev: SeverityHigh,
+		},
+		{
+			name:    "public bucket is high",
+			value:   scan.CloudStorageResults{{BucketName: "b", IsPublic: true}},
+			module:  "cloudstorage",
+			wantKey: "cloudstorage:b",
+			wantSev: SeverityHigh,
+		},
+		{
+			name:    "header is recon info",
+			value:   scan.HeaderResults{{Name: "Server", Value: "nginx"}},
+			module:  "headers",
+			wantKey: "headers:Server",
+			wantSev: SeverityInfo,
+		},
+		{
+			name:    "vulnerable takeover is high",
+			value:   scan.SubdomainTakeoverResults{{Subdomain: "old.x.com", Vulnerable: true, Service: "GitHub Pages"}},
+			module:  "subdomain_takeover",
+			wantKey: "subdomain_takeover:old.x.com",
+			wantSev: SeverityHigh,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			findings := Flatten(target, tt.module, tt.value)
+			if len(findings) != 1 {
+				t.Fatalf("got %d findings, want 1", len(findings))
+			}
+			f := findings[0]
+			if f.Key != tt.wantKey {
+				t.Errorf("Key = %q, want %q", f.Key, tt.wantKey)
+			}
+			if f.Severity != tt.wantSev {
+				t.Errorf("Severity = %v, want %v", f.Severity, tt.wantSev)
+			}
+		})
+	}
+}
+
+// TestFlattenUnhandledTypeIsLoud asserts the fallback fires for a type Flatten
+// doesn't know - this is what makes the guard above meaningful.
+func TestFlattenUnhandledTypeIsLoud(t *testing.T) {
+	type bogus struct{}
+	findings := Flatten(target, "mystery", bogus{})
+	if len(findings) != 1 {
+		t.Fatalf("got %d findings, want 1 placeholder", len(findings))
+	}
+	if !strings.HasSuffix(findings[0].Key, keySep+"unhandled") {
+		t.Errorf("unhandled type should key on :unhandled, got %q", findings[0].Key)
+	}
+	if findings[0].Severity != SeverityUnknown {
+		t.Errorf("unhandled severity = %v, want SeverityUnknown", findings[0].Severity)
+	}
+}
+
+// TestSubdomainTakeoverSkipsSafe confirms a non-vulnerable cname produces no
+// finding; only the real takeover is a finding.
+func TestSubdomainTakeoverSkipsSafe(t *testing.T) {
+	value := scan.SubdomainTakeoverResults{
+		{Subdomain: "safe.x.com", Vulnerable: false},
+		{Subdomain: "bad.x.com", Vulnerable: true, Service: "Heroku"},
+	}
+	findings := Flatten(target, "subdomain_takeover", value)
+	if len(findings) != 1 {
+		t.Fatalf("got %d findings, want 1 (only the vulnerable one)", len(findings))
+	}
+	if findings[0].Key != "subdomain_takeover:bad.x.com" {
+		t.Errorf("Key = %q, want subdomain_takeover:bad.x.com", findings[0].Key)
+	}
+}
+
+// TestDeadProbeIsNotAFinding confirms a host that didn't answer yields nothing.
+func TestDeadProbeIsNotAFinding(t *testing.T) {
+	findings := Flatten(target, "probe", &scan.ProbeResult{URL: "http://x", Alive: false})
+	if len(findings) != 0 {
+		t.Errorf("dead probe produced %d findings, want 0", len(findings))
+	}
+}
@@ -0,0 +1,48 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package finding
+
+import "testing"
+
+// Line is the -silent wire format; its shape is frozen, so pin it.
+func TestFindingLine(t *testing.T) {
+	tests := []struct {
+		name string
+		f    Finding
+		want string
+	}{
+		{
+			name: "high severity",
+			f:    Finding{Target: "https://x.com", Module: "sql", Severity: SeverityHigh, Title: "admin panel"},
+			want: "[high] https://x.com sql admin panel",
+		},
+		{
+			name: "info recon",
+			f:    Finding{Target: "https://y.com", Module: "headers", Severity: SeverityInfo, Title: "Server"},
+			want: "[info] https://y.com headers Server",
+		},
+		{
+			name: "unknown severity",
+			f:    Finding{Target: "z.com", Module: "mystery", Severity: SeverityUnknown, Title: "?"},
+			want: "[unknown] z.com mystery ?",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.f.Line(); got != tt.want {
+				t.Errorf("Line() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
@@ -0,0 +1,78 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package finding
+
+import "strings"
+
+// Severity is an ordered severity rank shared by every normalized finding.
+// the order matters: notify gates on a threshold and diff sorts by it, so the
+// underlying ints have to compare info < low < medium < high < critical.
+type Severity int
+
+// severity ranks, lowest to highest. SeverityUnknown sorts below everything so
+// an unrecognized scanner string never silently outranks a real critical.
+const (
+	SeverityUnknown Severity = iota
+	SeverityInfo
+	SeverityLow
+	SeverityMedium
+	SeverityHigh
+	SeverityCritical
+)
+
+// severityNames maps each rank to its canonical lowercase string. the wire
+// format scanners emit ("info"/"low"/...) round-trips through this table.
+var severityNames = map[Severity]string{
+	SeverityUnknown:  "unknown",
+	SeverityInfo:     "info",
+	SeverityLow:      "low",
+	SeverityMedium:   "medium",
+	SeverityHigh:     "high",
+	SeverityCritical: "critical",
+}
+
+// String renders the canonical lowercase name for the rank.
+func (s Severity) String() string {
+	if name, ok := severityNames[s]; ok {
+		return name
+	}
+	return severityNames[SeverityUnknown]
+}
+
+// ParseSeverity maps a scanner's free-form severity string onto a rank. it's
+// case/space insensitive and folds the common synonyms ("informational",
+// "warning", "moderate") so the dozen scanners that each picked their own
+// spelling all land on the same ladder. an empty or unrecognized value is
+// SeverityUnknown rather than a guess.
+func ParseSeverity(raw string) Severity {
+	switch strings.ToLower(strings.TrimSpace(raw)) {
+	case "critical":
+		return SeverityCritical
+	case "high":
+		return SeverityHigh
+	case "medium", "moderate", "warning":
+		return SeverityMedium
+	case "low":
+		return SeverityLow
+	case "info", "informational", "information", "none":
+		return SeverityInfo
+	default:
+		return SeverityUnknown
+	}
+}
+
+// AtLeast reports whether s is at or above threshold; notify uses it to drop
+// findings below the configured floor.
+func (s Severity) AtLeast(threshold Severity) bool {
+	return s >= threshold
+}
@@ -0,0 +1,84 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package finding
+
+import "testing"
+
+func TestParseSeverity(t *testing.T) {
+	tests := []struct {
+		in   string
+		want Severity
+	}{
+		{"critical", SeverityCritical},
+		{"CRITICAL", SeverityCritical},
+		{"  high  ", SeverityHigh},
+		{"medium", SeverityMedium},
+		{"moderate", SeverityMedium},
+		{"warning", SeverityMedium},
+		{"low", SeverityLow},
+		{"info", SeverityInfo},
+		{"informational", SeverityInfo},
+		{"none", SeverityInfo},
+		{"", SeverityUnknown},
+		{"bogus", SeverityUnknown},
+	}
+	for _, tt := range tests {
+		if got := ParseSeverity(tt.in); got != tt.want {
+			t.Errorf("ParseSeverity(%q) = %v, want %v", tt.in, got, tt.want)
+		}
+	}
+}
+
+func TestSeverityOrdering(t *testing.T) {
+	// the ladder must be strictly increasing for AtLeast/sort to behave.
+	ordered := []Severity{
+		SeverityUnknown, SeverityInfo, SeverityLow,
+		SeverityMedium, SeverityHigh, SeverityCritical,
+	}
+	for i := 1; i < len(ordered); i++ {
+		if ordered[i-1] >= ordered[i] {
+			t.Errorf("severity ladder not increasing at %d: %v !< %v", i, ordered[i-1], ordered[i])
+		}
+	}
+}
+
+func TestSeverityAtLeast(t *testing.T) {
+	tests := []struct {
+		sev       Severity
+		threshold Severity
+		want      bool
+	}{
+		{SeverityHigh, SeverityMedium, true},
+		{SeverityMedium, SeverityMedium, true},
+		{SeverityLow, SeverityMedium, false},
+		{SeverityCritical, SeverityInfo, true},
+		{SeverityUnknown, SeverityInfo, false},
+	}
+	for _, tt := range tests {
+		if got := tt.sev.AtLeast(tt.threshold); got != tt.want {
+			t.Errorf("%v.AtLeast(%v) = %v, want %v", tt.sev, tt.threshold, got, tt.want)
+		}
+	}
+}
+
+func TestSeverityStringRoundTrip(t *testing.T) {
+	// every named rank renders to a string ParseSeverity maps back to the same
+	// rank, so the wire format is lossless for known severities.
+	for _, sev := range []Severity{
+		SeverityInfo, SeverityLow, SeverityMedium, SeverityHigh, SeverityCritical,
+	} {
+		if got := ParseSeverity(sev.String()); got != sev {
+			t.Errorf("round-trip %v -> %q -> %v", sev, sev.String(), got)
+		}
+	}
+}
@@ -0,0 +1,56 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+// Package fingerprint holds small response-fingerprinting primitives shared by
+// the scan checks and the module engine, so both compute identical values.
+package fingerprint
+
+import (
+	"encoding/base64"
+	"strings"
+
+	"github.com/twmb/murmur3"
+)
+
+// b64LineLen is python's base64.encodebytes line width. mmh3/shodan hash the
+// chunked base64 (newline every 76 chars, trailing newline), so we must wrap at
+// exactly this width to land on the same hash.
+const b64LineLen = 76
+
+// FaviconHash computes shodan's favicon hash: murmur3 32-bit over the python
+// base64.encodebytes encoding of the raw icon (newline every 76 chars plus a
+// trailing newline), reinterpreted as a signed int32 (both load-bearing, golden-pinned).
+func FaviconHash(data []byte) int32 {
+	encoded := encodeFaviconBase64(data)
+	return int32(murmur3.Sum32(encoded)) //nolint:gosec // shodan stores the signed reinterpretation on purpose
+}
+
+// encodeFaviconBase64 mirrors python's base64.encodebytes: standard base64 with
+// a newline inserted every 76 output characters and a trailing newline. this is
+// the exact byte stream shodan feeds to mmh3, so it must match byte-for-byte.
+func encodeFaviconBase64(data []byte) []byte {
+	raw := base64.StdEncoding.EncodeToString(data)
+
+	var b strings.Builder
+	// final size: the base64 body plus one '\n' per (full or partial) 76-char
+	// line. preallocate so the builder never regrows mid-loop.
+	b.Grow(len(raw) + len(raw)/b64LineLen + 1)
+	for i := 0; i < len(raw); i += b64LineLen {
+		end := i + b64LineLen
+		if end > len(raw) {
+			end = len(raw)
+		}
+		b.WriteString(raw[i:end])
+		b.WriteByte('\n')
+	}
+	return []byte(b.String())
+}
@@ -0,0 +1,68 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package fingerprint
+
+import (
+	"strings"
+	"testing"
+)
+
+// goldenFaviconBytes is a fixed payload long enough to span multiple base64
+// lines, so the python-style 76-char chunking is actually exercised by the hash.
+var goldenFaviconBytes = []byte(strings.Repeat("sif-favicon-golden-test-bytes-", 8))
+
+// goldenFaviconHash is the pinned shodan mmh3 hash of goldenFaviconBytes: the python
+// base64.encodebytes byte stream (76-char lines + trailing newline) through murmur3-32,
+// reinterpreted as a signed int32. if the chunking or signedness regress, this test fails.
+const goldenFaviconHash int32 = -1554620260
+
+// goldenHelloHash pins a short single-line case so a regression in the trailing
+// newline (which the small case still has) is caught independently.
+const goldenHelloHash int32 = 1155597304
+
+func TestFaviconHashGolden(t *testing.T) {
+	tests := []struct {
+		name string
+		in   []byte
+		want int32
+	}{
+		{name: "multi-line fixture", in: goldenFaviconBytes, want: goldenFaviconHash},
+		{name: "single-line hello", in: []byte("hello"), want: goldenHelloHash},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := FaviconHash(tt.in); got != tt.want {
+				t.Errorf("FaviconHash = %d, want %d", got, tt.want)
+			}
+		})
+	}
+}
+
+// TestFaviconBase64Chunking pins the encode step against python's
+// base64.encodebytes: a 60-byte input encodes to 80 base64 chars, so it must
+// wrap into two newline-terminated lines.
+func TestFaviconBase64Chunking(t *testing.T) {
+	in := []byte(strings.Repeat("A", 60))
+	got := string(encodeFaviconBase64(in))
+
+	lines := strings.Split(strings.TrimRight(got, "\n"), "\n")
+	if len(lines) != 2 {
+		t.Fatalf("expected 2 wrapped lines, got %d: %q", len(lines), got)
+	}
+	if len(lines[0]) != b64LineLen {
+		t.Errorf("first line = %d chars, want %d", len(lines[0]), b64LineLen)
+	}
+	if !strings.HasSuffix(got, "\n") {
+		t.Errorf("encoding must end in a trailing newline, got %q", got)
+	}
+}
@@ -0,0 +1,258 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+// Package httpx is the shared http layer every scanner talks through, so a
+// single Configure call wires proxy, custom headers, cookies and rate limiting
+// into every outbound request without touching scanner signatures.
+package httpx
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	"golang.org/x/net/proxy"
+	"golang.org/x/time/rate"
+)
+
+// allowed proxy schemes
+const (
+	schemeHTTP   = "http"
+	schemeHTTPS  = "https"
+	schemeSOCKS5 = "socks5"
+)
+
+// a header is "Key: Value"; this is the separator between the two halves.
+const headerSep = ": "
+
+// burst lets the limiter absorb a small spike before pacing kicks in; a burst
+// equal to the per-second rate keeps the cap honest over any one-second window.
+const limiterBurstPerRate = 1
+
+// transport pool tuning. go's default transport caps idle conns per host at 2
+// and reuse only kicks in once a response body is fully drained, so without
+// these a high thread count just thrashes the dialer instead of pooling.
+const (
+	// total idle conns kept warm across every host we hit in a run.
+	maxIdleConns = 512
+	// floor for per-host idle conns so a single-target run still pools even
+	// when the thread count is tiny.
+	minIdleConnsPerHost = 8
+	// how long an idle conn lingers before the pool reaps it.
+	idleConnTimeout = 90 * time.Second
+	// keepalive probe interval for live conns; mirrors go's default dialer so
+	// the socks5 branch doesn't silently lose os-level keepalive.
+	dialKeepAlive = 30 * time.Second
+	// dial timeout for the socks5 branch; matches go's default dialer.
+	dialTimeout = 30 * time.Second
+)
+
+// drainCap bounds how much of an unread body DrainClose will copy before
+// closing; a body larger than this isn't worth slurping just to reuse the
+// conn, so we cap the read and let the conn be discarded instead.
+const drainCap = 16 << 10
+
+// Options carries the runtime knobs that apply to every outbound request.
+// RateLimit is requests/sec (0 = unlimited); Headers are "Key: Value" strings.
+type Options struct {
+	Proxy     string
+	Headers   []string
+	Cookie    string
+	UserAgent string
+	RateLimit int
+	// Threads is the scan worker count; it sizes the per-host idle pool so
+	// concurrent workers hitting one target reuse conns instead of dialing fresh.
+	Threads int
+}
+
+// configured holds the package-level transport built once by Configure. nil
+// means Configure was never called, so Client falls back to a plain client.
+var (
+	mu         sync.RWMutex
+	configured http.RoundTripper
+)
+
+// Configure builds the shared transport once at startup from opts. Calling it
+// again replaces the previous configuration.
+//
+//nolint:gocritic // signature is the package's stable startup api; called once.
+func Configure(opts Options) error {
+	base, err := buildTransport(opts.Proxy, opts.Threads)
+	if err != nil {
+		return err
+	}
+
+	headers, err := parseHeaders(opts.Headers)
+	if err != nil {
+		return err
+	}
+
+	var limiter *rate.Limiter
+	if opts.RateLimit > 0 {
+		limiter = rate.NewLimiter(rate.Limit(opts.RateLimit), opts.RateLimit*limiterBurstPerRate)
+	}
+
+	rt := &roundTripper{
+		base:      base,
+		headers:   headers,
+		cookie:    opts.Cookie,
+		userAgent: opts.UserAgent,
+		limiter:   limiter,
+	}
+
+	mu.Lock()
+	configured = rt
+	mu.Unlock()
+
+	return nil
+}
+
+// Client returns an http client wired to the configured transport. It works
+// before Configure is ever called (plain transport) so existing code and tests
+// behave unchanged. A zero timeout means no timeout, matching http.Client.
+func Client(timeout time.Duration) *http.Client {
+	mu.RLock()
+	rt := configured
+	mu.RUnlock()
+
+	return &http.Client{Timeout: timeout, Transport: rt}
+}
+
+// buildTransport clones the default transport, tunes its pool for the worker
+// count and applies the proxy. An empty proxy leaves the default behavior
+// (respects HTTP_PROXY env) intact.
+func buildTransport(proxyURL string, threads int) (*http.Transport, error) {
+	tr, ok := http.DefaultTransport.(*http.Transport)
+	if !ok {
+		// unreachable in practice, but never trust an assertion silently.
+		return nil, fmt.Errorf("default transport is not *http.Transport")
+	}
+	transport := tr.Clone()
+
+	// size the idle pool so every worker can keep its conn warm. per-host idle
+	// must clear the thread count or workers past the cap re-dial each request;
+	// MaxConnsPerHost stays 0 (unbounded) so the limiter, not the pool, paces us.
+	transport.MaxIdleConns = maxIdleConns
+	transport.MaxIdleConnsPerHost = idlePerHost(threads)
+	transport.MaxConnsPerHost = 0
+	transport.IdleConnTimeout = idleConnTimeout
+	transport.ForceAttemptHTTP2 = true
+
+	if proxyURL == "" {
+		return transport, nil
+	}
+
+	parsed, err := url.Parse(proxyURL)
+	if err != nil {
+		return nil, fmt.Errorf("parse proxy url %q: %w", proxyURL, err)
+	}
+
+	switch parsed.Scheme {
+	case schemeHTTP, schemeHTTPS:
+		transport.Proxy = http.ProxyURL(parsed)
+	case schemeSOCKS5:
+		// socks5 needs a custom dialer. proxy.SOCKS5 takes a forward dialer, so
+		// hand it our own net.Dialer with keepalive set - the default
+		// proxy.Direct has none, which would kill os-level conn pooling.
+		fwd := &net.Dialer{Timeout: dialTimeout, KeepAlive: dialKeepAlive}
+		dialer, err := proxy.SOCKS5("tcp", parsed.Host, nil, fwd)
+		if err != nil {
+			return nil, fmt.Errorf("socks5 proxy %q: %w", proxyURL, err)
+		}
+		ctxDialer, ok := dialer.(proxy.ContextDialer)
+		if !ok {
+			return nil, fmt.Errorf("socks5 proxy %q: dialer lacks context support", proxyURL)
+		}
+		transport.DialContext = ctxDialer.DialContext
+	default:
+		return nil, fmt.Errorf("unsupported proxy scheme %q (want http/https/socks5)", parsed.Scheme)
+	}
+
+	return transport, nil
+}
+
+// idlePerHost picks the per-host idle pool size: at least the worker count so
+// no worker re-dials, never below the floor so a small thread count still pools.
+func idlePerHost(threads int) int {
+	if threads < minIdleConnsPerHost {
+		return minIdleConnsPerHost
+	}
+	return threads
+}
+
+// DrainClose fully reads (up to drainCap) and closes resp.Body. go only returns
+// a conn to the idle pool when the body is read to EOF, so a caller that only
+// closes leaks the conn and forces a fresh dial next time. Call this instead of
+// a bare resp.Body.Close() to keep the pool warm. Safe on a nil response.
+func DrainClose(resp *http.Response) {
+	if resp == nil || resp.Body == nil {
+		return
+	}
+	// the read result is intentionally ignored: we're discarding the body and
+	// about to close it, so a copy error changes nothing we can act on.
+	_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, drainCap))
+	resp.Body.Close()
+}
+
+// parseHeaders splits each "Key: Value" entry on the first ": ". Entries
+// without the separator are rejected so a typo fails loud instead of silently.
+// The returned map is always non-nil so callers can range it unconditionally.
+func parseHeaders(raw []string) (map[string]string, error) {
+	headers := make(map[string]string, len(raw))
+	for i := 0; i < len(raw); i++ {
+		key, value, ok := strings.Cut(raw[i], headerSep)
+		if !ok {
+			return nil, fmt.Errorf("invalid header %q (want \"Key: Value\")", raw[i])
+		}
+		headers[key] = value
+	}
+
+	return headers, nil
+}
+
+// roundTripper paces and decorates each request before delegating to base.
+type roundTripper struct {
+	base      *http.Transport
+	headers   map[string]string
+	cookie    string
+	userAgent string
+	limiter   *rate.Limiter
+}
+
+func (rt *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if rt.limiter != nil {
+		if err := rt.limiter.Wait(req.Context()); err != nil {
+			return nil, fmt.Errorf("rate limiter: %w", err)
+		}
+	}
+
+	// only set what the caller hasn't already; a scanner that explicitly sets a
+	// header (e.g. an api key) must win over the global default.
+	for key, value := range rt.headers {
+		if req.Header.Get(key) == "" {
+			req.Header.Set(key, value)
+		}
+	}
+	if rt.cookie != "" && req.Header.Get("Cookie") == "" {
+		req.Header.Set("Cookie", rt.cookie)
+	}
+	if rt.userAgent != "" && req.Header.Get("User-Agent") == "" {
+		req.Header.Set("User-Agent", rt.userAgent)
+	}
+
+	return rt.base.RoundTrip(req)
+}
@@ -0,0 +1,491 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package httpx
+
+import (
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+)
+
+// resetConfig clears the package-level transport so each test starts clean.
+func resetConfig(t *testing.T) {
+	t.Helper()
+	mu.Lock()
+	configured = nil
+	mu.Unlock()
+}
+
+// captureServer records the headers of the last request it served.
+func captureServer(t *testing.T, seen *http.Header) *httptest.Server {
+	t.Helper()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		*seen = r.Header.Clone()
+		w.WriteHeader(http.StatusOK)
+	}))
+	t.Cleanup(srv.Close)
+	return srv
+}
+
+func get(t *testing.T, client *http.Client, url string) {
+	t.Helper()
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody)
+	if err != nil {
+		t.Fatalf("new request: %v", err)
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("do request: %v", err)
+	}
+	resp.Body.Close()
+}
+
+func TestClientBeforeConfigure(t *testing.T) {
+	resetConfig(t)
+
+	var seen http.Header
+	srv := captureServer(t, &seen)
+
+	// a client must work with no Configure call so existing code is unaffected.
+	get(t, Client(5*time.Second), srv.URL)
+
+	if seen == nil {
+		t.Fatal("request never reached the server")
+	}
+}
+
+func TestConfigureHeadersAndCookie(t *testing.T) {
+	tests := []struct {
+		name      string
+		opts      Options
+		wantKey   string
+		wantValue string
+	}{
+		{
+			name:      "custom header injected",
+			opts:      Options{Headers: []string{"X-Test: sif"}},
+			wantKey:   "X-Test",
+			wantValue: "sif",
+		},
+		{
+			name:      "cookie injected",
+			opts:      Options{Cookie: "session=abc"},
+			wantKey:   "Cookie",
+			wantValue: "session=abc",
+		},
+		{
+			name:      "user agent injected",
+			opts:      Options{UserAgent: "sif-scanner"},
+			wantKey:   "User-Agent",
+			wantValue: "sif-scanner",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			resetConfig(t)
+
+			if err := Configure(tt.opts); err != nil {
+				t.Fatalf("Configure: %v", err)
+			}
+
+			var seen http.Header
+			srv := captureServer(t, &seen)
+			get(t, Client(5*time.Second), srv.URL)
+
+			if got := seen.Get(tt.wantKey); got != tt.wantValue {
+				t.Errorf("header %q = %q, want %q", tt.wantKey, got, tt.wantValue)
+			}
+		})
+	}
+}
+
+func TestConfigureHeaderDoesNotOverride(t *testing.T) {
+	resetConfig(t)
+
+	if err := Configure(Options{Headers: []string{"X-Test: global"}}); err != nil {
+		t.Fatalf("Configure: %v", err)
+	}
+
+	var seen http.Header
+	srv := captureServer(t, &seen)
+
+	// a caller that sets the header explicitly must win over the global default.
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("new request: %v", err)
+	}
+	req.Header.Set("X-Test", "caller")
+	resp, err := Client(5 * time.Second).Do(req)
+	if err != nil {
+		t.Fatalf("do request: %v", err)
+	}
+	resp.Body.Close()
+
+	if got := seen.Get("X-Test"); got != "caller" {
+		t.Errorf("X-Test = %q, want caller (caller value must not be overridden)", got)
+	}
+}
+
+func TestConfigureInvalidHeader(t *testing.T) {
+	resetConfig(t)
+
+	// a header without ": " should fail loud rather than silently dropping.
+	if err := Configure(Options{Headers: []string{"missing-separator"}}); err == nil {
+		t.Fatal("expected error for malformed header, got nil")
+	}
+}
+
+func TestConfigureInvalidProxy(t *testing.T) {
+	tests := []struct {
+		name  string
+		proxy string
+	}{
+		{name: "unsupported scheme", proxy: "ftp://localhost:1080"},
+		{name: "malformed url", proxy: "://nope"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			resetConfig(t)
+			if err := Configure(Options{Proxy: tt.proxy}); err == nil {
+				t.Errorf("expected error for proxy %q, got nil", tt.proxy)
+			}
+		})
+	}
+}
+
+func TestRateLimit(t *testing.T) {
+	resetConfig(t)
+
+	const ratePerSec = 5
+	if err := Configure(Options{RateLimit: ratePerSec}); err != nil {
+		t.Fatalf("Configure: %v", err)
+	}
+
+	var seen http.Header
+	srv := captureServer(t, &seen)
+	client := Client(5 * time.Second)
+
+	// at 5 req/s the limiter starts with a full burst, so the first batch is
+	// immediate and the next request must wait roughly one tick. fire burst+1
+	// requests and assert the extra one forced a measurable delay.
+	const requests = ratePerSec + 1
+	start := time.Now()
+	for i := 0; i < requests; i++ {
+		get(t, client, srv.URL)
+	}
+	elapsed := time.Since(start)
+
+	// one request beyond the burst should cost about 1/rate; allow slack but
+	// require a non-trivial delay so an unthrottled client fails this.
+	minDelay := time.Second / ratePerSec / 2
+	if elapsed < minDelay {
+		t.Errorf("expected rate limiting to add >= %v of delay, got %v", minDelay, elapsed)
+	}
+}
+
+func TestRateLimitUnlimited(t *testing.T) {
+	resetConfig(t)
+
+	// RateLimit 0 means no limiter is installed; requests should fly through.
+	if err := Configure(Options{RateLimit: 0}); err != nil {
+		t.Fatalf("Configure: %v", err)
+	}
+
+	mu.RLock()
+	rt, ok := configured.(*roundTripper)
+	mu.RUnlock()
+	if !ok {
+		t.Fatal("configured transport is not *roundTripper")
+	}
+	if rt.limiter != nil {
+		t.Error("expected no limiter when RateLimit is 0")
+	}
+}
+
+func TestIdlePerHost(t *testing.T) {
+	tests := []struct {
+		name    string
+		threads int
+		want    int
+	}{
+		{name: "below floor clamps up", threads: 1, want: minIdleConnsPerHost},
+		{name: "zero clamps up", threads: 0, want: minIdleConnsPerHost},
+		{name: "at floor", threads: minIdleConnsPerHost, want: minIdleConnsPerHost},
+		{name: "above floor passes through", threads: 64, want: 64},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := idlePerHost(tt.threads); got != tt.want {
+				t.Errorf("idlePerHost(%d) = %d, want %d", tt.threads, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestBuildTransportTuning(t *testing.T) {
+	const threads = 32
+	tr, err := buildTransport("", threads)
+	if err != nil {
+		t.Fatalf("buildTransport: %v", err)
+	}
+
+	if tr.MaxIdleConns != maxIdleConns {
+		t.Errorf("MaxIdleConns = %d, want %d", tr.MaxIdleConns, maxIdleConns)
+	}
+	if tr.MaxIdleConnsPerHost != threads {
+		t.Errorf("MaxIdleConnsPerHost = %d, want %d", tr.MaxIdleConnsPerHost, threads)
+	}
+	if tr.MaxConnsPerHost != 0 {
+		t.Errorf("MaxConnsPerHost = %d, want 0 (unbounded)", tr.MaxConnsPerHost)
+	}
+	if tr.IdleConnTimeout != idleConnTimeout {
+		t.Errorf("IdleConnTimeout = %v, want %v", tr.IdleConnTimeout, idleConnTimeout)
+	}
+	if !tr.ForceAttemptHTTP2 {
+		t.Error("ForceAttemptHTTP2 = false, want true")
+	}
+}
+
+func TestDrainClose(t *testing.T) {
+	resetConfig(t)
+
+	// serve a body the caller never reads; DrainClose must drain it so the conn
+	// is eligible for reuse rather than abandoned mid-stream.
+	const body = "sif response body that the caller never reads"
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		io.WriteString(w, body)
+	}))
+	t.Cleanup(srv.Close)
+
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("new request: %v", err)
+	}
+	resp, err := Client(5 * time.Second).Do(req)
+	if err != nil {
+		t.Fatalf("do request: %v", err)
+	}
+
+	DrainClose(resp)
+
+	// after DrainClose the body is closed; a further read must fail.
+	if _, err := resp.Body.Read(make([]byte, 1)); err == nil {
+		t.Error("expected read after DrainClose to fail on a closed body")
+	}
+}
+
+func TestDrainCloseNil(t *testing.T) {
+	// a nil response (e.g. an errored request) must not panic.
+	DrainClose(nil)
+	DrainClose(&http.Response{})
+}
+
+// countConns wraps a test server with a ConnState hook that tallies how many
+// distinct tcp conns the server saw. distinct conns == failed reuse.
+func countConns(t *testing.T) (*httptest.Server, func() int) {
+	t.Helper()
+
+	var (
+		mu    sync.Mutex
+		conns = make(map[net.Conn]struct{})
+	)
+	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		// always write a body so reuse depends on the caller draining it.
+		io.WriteString(w, "ok")
+	}))
+	srv.Config.ConnState = func(c net.Conn, state http.ConnState) {
+		if state != http.StateNew {
+			return
+		}
+		mu.Lock()
+		conns[c] = struct{}{}
+		mu.Unlock()
+	}
+	srv.Start()
+	t.Cleanup(srv.Close)
+
+	return srv, func() int {
+		mu.Lock()
+		defer mu.Unlock()
+		return len(conns)
+	}
+}
+
+func TestTransportReusesConnections(t *testing.T) {
+	resetConfig(t)
+
+	const (
+		threads  = 8
+		requests = 30
+	)
+	if err := Configure(Options{Threads: threads}); err != nil {
+		t.Fatalf("Configure: %v", err)
+	}
+
+	srv, distinct := countConns(t)
+
+	// fire N sequential requests through the tuned client, draining each body so
+	// the conn returns to the pool. a working pool serves all of them on one conn.
+	client := Client(5 * time.Second)
+	for i := 0; i < requests; i++ {
+		req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
+		if err != nil {
+			t.Fatalf("new request %d: %v", i, err)
+		}
+		resp, err := client.Do(req)
+		if err != nil {
+			t.Fatalf("do request %d: %v", i, err)
+		}
+		DrainClose(resp)
+	}
+
+	// sequential reuse should land on exactly one conn; allow a tiny margin for
+	// the rare race where a conn is reaped between requests.
+	const maxReuseConns = 2
+	if got := distinct(); got > maxReuseConns {
+		t.Errorf("tuned client opened %d conns for %d requests, want <= %d (pool not reusing)",
+			got, requests, maxReuseConns)
+	}
+}
+
+func TestBareClientDoesNotReuse(t *testing.T) {
+	srv, distinct := countConns(t)
+
+	// the control: a bare DefaultTransport client whose caller closes but never
+	// drains the body. go can't reuse a half-read conn, so each request dials
+	// fresh - this is exactly the pre-tuning behavior we're fixing.
+	client := &http.Client{
+		Timeout:   5 * time.Second,
+		Transport: http.DefaultTransport.(*http.Transport).Clone(),
+	}
+
+	const requests = 30
+	for i := 0; i < requests; i++ {
+		req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
+		if err != nil {
+			t.Fatalf("new request %d: %v", i, err)
+		}
+		resp, err := client.Do(req)
+		if err != nil {
+			t.Fatalf("do request %d: %v", i, err)
+		}
+		// close without draining - the leak that kills reuse.
+		resp.Body.Close()
+	}
+
+	// most requests should have dialed a fresh conn. don't demand exactly N (the
+	// scheduler occasionally reuses one), just that it's clearly not pooling.
+	const minDistinct = requests / 2
+	if got := distinct(); got < minDistinct {
+		t.Errorf("bare client opened only %d conns for %d requests, want >= %d "+
+			"(expected near-zero reuse without draining)", got, requests, minDistinct)
+	}
+}
+
+// BenchmarkConnReuse contrasts the tuned, draining client against a bare client
+// that closes without draining. the reported conns/op metric is the distinct
+// tcp conns one pass of `requests` opened - tuned≈1, bare≈requests - so the
+// README can quote real before/after reuse numbers. the conn map is reset per
+// iteration so the metric stays a per-pass count and the bare path doesn't
+// accumulate b.N*requests live sockets and exhaust the ephemeral port range.
+//
+// run the bare sub-bench with a bounded -benchtime (e.g. -benchtime 5x): its
+// whole point is that it can't reuse, so a large b.N floods the local port
+// space with TIME_WAIT sockets. the tuned sub-bench reuses and runs unbounded.
+func BenchmarkConnReuse(b *testing.B) {
+	const requests = 50
+
+	run := func(b *testing.B, drain bool, client *http.Client) {
+		b.Helper()
+		var (
+			mu    sync.Mutex
+			conns = make(map[net.Conn]struct{})
+		)
+		srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			io.WriteString(w, strings.Repeat("x", 256))
+		}))
+		srv.Config.ConnState = func(c net.Conn, state http.ConnState) {
+			if state != http.StateNew {
+				return
+			}
+			mu.Lock()
+			conns[c] = struct{}{}
+			mu.Unlock()
+		}
+		srv.Start()
+		defer srv.Close()
+
+		var lastPass int
+		b.ResetTimer()
+		for n := 0; n < b.N; n++ {
+			mu.Lock()
+			conns = make(map[net.Conn]struct{})
+			mu.Unlock()
+			for i := 0; i < requests; i++ {
+				req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
+				resp, err := client.Do(req)
+				if err != nil {
+					b.Fatalf("do: %v", err)
+				}
+				if drain {
+					DrainClose(resp)
+				} else {
+					resp.Body.Close()
+				}
+			}
+			// close idle conns between passes so the bare client's per-pass
+			// sockets land in TIME_WAIT and free up before the next pass.
+			client.CloseIdleConnections()
+			mu.Lock()
+			lastPass = len(conns)
+			mu.Unlock()
+		}
+		b.StopTimer()
+
+		// distinct conns for a single pass of `requests`.
+		b.ReportMetric(float64(lastPass), "conns/op")
+	}
+
+	b.Run("tuned-drain", func(b *testing.B) {
+		resetBench()
+		tr, err := buildTransport("", 8)
+		if err != nil {
+			b.Fatalf("buildTransport: %v", err)
+		}
+		run(b, true, &http.Client{Timeout: 5 * time.Second, Transport: tr})
+	})
+
+	b.Run("bare-noDrain", func(b *testing.B) {
+		run(b, false, &http.Client{
+			Timeout:   5 * time.Second,
+			Transport: http.DefaultTransport.(*http.Transport).Clone(),
+		})
+	})
+}
+
+// resetBench clears the package transport without a *testing.T for benchmarks.
+func resetBench() {
+	mu.Lock()
+	configured = nil
+	mu.Unlock()
+}
@@ -0,0 +1,164 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runAnalyticsModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func analyticsExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestAnalyticsUIExposureModules(t *testing.T) {
+	const metabase = "../../modules/recon/metabase-api-exposure.yaml"
+	const zeppelin = "../../modules/recon/zeppelin-api-exposure.yaml"
+	const jupyter = "../../modules/recon/jupyter-api-exposure.yaml"
+
+	metabaseProps := `{"engines":{"postgres":{"driver-name":"PostgreSQL"}},` +
+		`"setup-token":"245f5f7c-8f0b-4c20-9a1e-6b2d7e1f0a33","anon-tracking-enabled":true,` +
+		`"available-locales":[["en","English"]],"password-complexity":{"total":6},` +
+		`"version":{"date":"2023-10-01","tag":"v0.47.2","branch":"release-x.47.x","hash":"abc1234"}}`
+
+	zeppelinVersion := `{"status":"OK","message":"Zeppelin version",` +
+		`"body":{"version":"0.10.1","git-commit-id":"a1b2c3d4e5","git-timestamp":"2022-01-15 10:00:00"}}`
+
+	jupyterStatus := `{"started":"2024-01-01T00:00:00.000000Z",` +
+		`"last_activity":"2024-01-01T01:23:45.000000Z","connections":2,"kernels":3}`
+
+	t.Run("an exposed metabase properties api is flagged and versioned", func(t *testing.T) {
+		res := runAnalyticsModule(t, metabase, 200, metabaseProps)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a metabase finding")
+		}
+		if v := analyticsExtract(res, "metabase_version"); v != "v0.47.2" {
+			t.Errorf("metabase_version=%q, want v0.47.2", v)
+		}
+	})
+
+	t.Run("an exposed zeppelin server is flagged and versioned", func(t *testing.T) {
+		res := runAnalyticsModule(t, zeppelin, 200, zeppelinVersion)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a zeppelin finding")
+		}
+		if v := analyticsExtract(res, "zeppelin_version"); v != "0.10.1" {
+			t.Errorf("zeppelin_version=%q, want 0.10.1", v)
+		}
+	})
+
+	t.Run("an exposed jupyter status api is flagged with the kernel count", func(t *testing.T) {
+		res := runAnalyticsModule(t, jupyter, 200, jupyterStatus)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a jupyter finding")
+		}
+		if v := analyticsExtract(res, "jupyter_active_kernels"); v != "3" {
+			t.Errorf("jupyter_active_kernels=%q, want 3", v)
+		}
+	})
+
+	t.Run("a live metabase token without the tracking setting is not flagged", func(t *testing.T) {
+		body := `{"setup-token":"245f5f7c-8f0b-4c20-9a1e-6b2d7e1f0a33","name":"app"}`
+		if res := runAnalyticsModule(t, metabase, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a setup token alone should not match metabase, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a metabase tracking setting without a setup token is not flagged", func(t *testing.T) {
+		body := `{"anon-tracking-enabled":true,"name":"app"}`
+		if res := runAnalyticsModule(t, metabase, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a tracking setting alone should not match metabase, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a patched metabase with a null setup token is not flagged", func(t *testing.T) {
+		body := `{"setup-token":null,"anon-tracking-enabled":true,` +
+			`"version":{"tag":"v0.47.2"}}`
+		if res := runAnalyticsModule(t, metabase, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a null setup token should not match metabase, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a zeppelin banner without a git commit id is not flagged", func(t *testing.T) {
+		body := `{"status":"OK","message":"Zeppelin version","body":{}}`
+		if res := runAnalyticsModule(t, zeppelin, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a banner alone should not match zeppelin, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a git commit id without the zeppelin banner is not flagged", func(t *testing.T) {
+		body := `{"git-commit-id":"a1b2c3d","name":"app"}`
+		if res := runAnalyticsModule(t, zeppelin, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a commit id alone should not match zeppelin, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a jupyter status without a kernels field is not flagged", func(t *testing.T) {
+		body := `{"started":"2024-01-01T00:00:00Z","last_activity":"2024-01-01T01:00:00Z","connections":2}`
+		if res := runAnalyticsModule(t, jupyter, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a status without kernels should not match jupyter, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a jupyter status without a connections field is not flagged", func(t *testing.T) {
+		body := `{"started":"2024-01-01T00:00:00Z","last_activity":"2024-01-01T01:00:00Z","kernels":3}`
+		if res := runAnalyticsModule(t, jupyter, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a status without connections should not match jupyter, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic version json is not an analytics service", func(t *testing.T) {
+		body := `{"version":"1.0.0","name":"app"}`
+		for _, file := range []string{metabase, zeppelin, jupyter} {
+			if res := runAnalyticsModule(t, file, 200, body); len(res.Findings) > 0 {
+				t.Errorf("%s: a generic version should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{metabase, zeppelin, jupyter} {
+			if res := runAnalyticsModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{metabase, zeppelin, jupyter} {
+			if res := runAnalyticsModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,173 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runAppCfgModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func appCfgExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestAppConfigExposureModules(t *testing.T) {
+	const spring = "../../modules/recon/spring-application-config-exposure.yaml"
+	const appsettings = "../../modules/recon/appsettings-exposure.yaml"
+	const wpconfig = "../../modules/recon/wp-config-backup-exposure.yaml"
+
+	springProps := "spring.application.name=billing\n" +
+		"spring.datasource.url=jdbc:mysql://db.internal:3306/billing\n" +
+		"spring.datasource.username=app\nspring.datasource.password=s3cr3tP@ss\n" +
+		"spring.jpa.hibernate.ddl-auto=update\nserver.port=8080\n"
+
+	springYaml := "spring:\n  datasource:\n    url: jdbc:postgresql://pg.internal:5432/app\n" +
+		"    username: app\n    password: hunter2\nserver:\n  port: 8443\n"
+
+	appSettings := `{` + "\n" +
+		`  "Logging": { "LogLevel": { "Default": "Information" } },` + "\n" +
+		`  "ConnectionStrings": {` + "\n" +
+		`    "DefaultConnection": "Server=db;Database=app;User Id=sa;Password=P@ssw0rd;"` + "\n" +
+		`  },` + "\n" +
+		`  "AllowedHosts": "*"` + "\n}"
+
+	wpConfig := "<?php\ndefine( 'DB_NAME', 'wordpress' );\ndefine( 'DB_USER', 'wp' );\n" +
+		"define( 'DB_PASSWORD', 'Tr0ub4dor&3' );\ndefine( 'DB_HOST', 'localhost' );\n" +
+		"$table_prefix = 'wp_';\n"
+
+	t.Run("a spring properties file leaks the jdbc url", func(t *testing.T) {
+		res := runAppCfgModule(t, spring, 200, springProps)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a spring config finding")
+		}
+		if v := appCfgExtract(res, "jdbc_url"); v != "jdbc:mysql://db.internal:3306/billing" {
+			t.Errorf("jdbc_url=%q, want the mysql url", v)
+		}
+	})
+
+	t.Run("a spring yaml file also matches and names the jdbc url", func(t *testing.T) {
+		res := runAppCfgModule(t, spring, 200, springYaml)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a spring config finding for yaml")
+		}
+		if v := appCfgExtract(res, "jdbc_url"); v != "jdbc:postgresql://pg.internal:5432/app" {
+			t.Errorf("jdbc_url=%q, want the postgres url", v)
+		}
+	})
+
+	t.Run("an appsettings json leaks the connection string", func(t *testing.T) {
+		res := runAppCfgModule(t, appsettings, 200, appSettings)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an appsettings finding")
+		}
+		want := "Server=db;Database=app;User Id=sa;Password=P@ssw0rd;"
+		if v := appCfgExtract(res, "connection_string"); v != want {
+			t.Errorf("connection_string=%q, want %q", v, want)
+		}
+	})
+
+	t.Run("a wp-config backup leaks the database password", func(t *testing.T) {
+		res := runAppCfgModule(t, wpconfig, 200, wpConfig)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a wp-config finding")
+		}
+		if v := appCfgExtract(res, "db_password"); v != "Tr0ub4dor&3" {
+			t.Errorf("db_password=%q, want Tr0ub4dor&3", v)
+		}
+	})
+
+	t.Run("a spring config with no credential is not flagged", func(t *testing.T) {
+		body := "spring.application.name=app\nserver.port=8080\n"
+		if res := runAppCfgModule(t, spring, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a credential-free config should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a spring config inside an html page is not flagged", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>spring.datasource.password=x</pre></body></html>"
+		if res := runAppCfgModule(t, spring, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an appsettings without a connection string is not flagged", func(t *testing.T) {
+		body := `{"Logging":{"LogLevel":{"Default":"Information"}},"AllowedHosts":"*"}`
+		if res := runAppCfgModule(t, appsettings, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a config without a connection string should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an appsettings with no password is not a credential leak", func(t *testing.T) {
+		body := `{"ConnectionStrings":{"Db":"Server=db;Database=app;Integrated Security=true;"}}`
+		if res := runAppCfgModule(t, appsettings, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a passwordless connection string should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an appsettings password outside a connection strings section is not flagged", func(t *testing.T) {
+		body := `{"Smtp":{"Host":"Server=mail;Password=relaypass;"}}`
+		if res := runAppCfgModule(t, appsettings, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a password outside ConnectionStrings should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("prose that names the wp-config password is not a backup", func(t *testing.T) {
+		body := "set the DB_PASSWORD env var before running the installer"
+		if res := runAppCfgModule(t, wpconfig, 200, body); len(res.Findings) > 0 {
+			t.Errorf("prose naming DB_PASSWORD should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a wp-config shown in an html page is not flagged", func(t *testing.T) {
+		body := "<html><head><title>setup</title></head><body>define( 'DB_PASSWORD', 'x' ); DB_NAME</body></html>"
+		if res := runAppCfgModule(t, wpconfig, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{spring, appsettings, wpconfig} {
+			if res := runAppCfgModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{spring, appsettings, wpconfig} {
+			if res := runAppCfgModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,92 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runArgocdModule(t *testing.T, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule("../../modules/recon/argocd-api-exposure.yaml")
+	if err != nil {
+		t.Fatalf("parse argocd module: %v", err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute argocd module: %v", err)
+	}
+	return res
+}
+
+func argocdExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestArgocdExposureModule(t *testing.T) {
+	argocdVersion := `{"Version":"v2.9.3+a1b2c3d","BuildDate":"2024-01-15T12:00:00Z","GitCommit":"a1b2c3d",` +
+		`"GitTreeState":"clean","GoVersion":"go1.21.5","Compiler":"gc","Platform":"linux/amd64",` +
+		`"KustomizeVersion":"v5.2.1 2023-10-19","HelmVersion":"v3.13.2+gadc03ef",` +
+		`"KubectlVersion":"v0.26.11","JsonnetVersion":"v0.20.0"}`
+
+	t.Run("an exposed argocd version endpoint is flagged and versioned", func(t *testing.T) {
+		res := runArgocdModule(t, 200, argocdVersion)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an argocd finding")
+		}
+		if v := argocdExtract(res, "argocd_version"); v != "v2.9.3+a1b2c3d" {
+			t.Errorf("argocd_version=%q, want v2.9.3+a1b2c3d", v)
+		}
+	})
+
+	t.Run("an argocd kustomize version without a helm version is not flagged", func(t *testing.T) {
+		body := `{"Version":"v2.9.3","KustomizeVersion":"v5.2.1 2023-10-19"}`
+		if res := runArgocdModule(t, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a kustomize version alone should not match argocd, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an argocd helm version without a kustomize version is not flagged", func(t *testing.T) {
+		body := `{"Version":"v2.9.3","HelmVersion":"v3.13.2+gadc03ef"}`
+		if res := runArgocdModule(t, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a helm version alone should not match argocd, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic version endpoint is not argocd", func(t *testing.T) {
+		body := `{"Version":"v1.0.0","GitCommit":"abc"}`
+		if res := runArgocdModule(t, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic version json should not match argocd, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		if res := runArgocdModule(t, 200, "ok"); len(res.Findings) > 0 {
+			t.Errorf("a plain 200 body should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		if res := runArgocdModule(t, 404, "not found"); len(res.Findings) > 0 {
+			t.Errorf("a 404 should not match, got %d findings", len(res.Findings))
+		}
+	})
+}
@@ -0,0 +1,144 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package modules
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"sync"
+	"testing"
+
+	"github.com/dropalldatabases/sif/internal/httpx"
+)
+
+func reqURLs(reqs []*httpRequest) []string {
+	urls := make([]string, len(reqs))
+	for i, r := range reqs {
+		urls[i] = r.URL
+	}
+	sort.Strings(urls)
+	return urls
+}
+
+func TestGenerateHTTPRequestsAttack(t *testing.T) {
+	const target = "http://t"
+	paths2 := []string{"{{BaseURL}}/a?x={{payload}}", "{{BaseURL}}/b?x={{payload}}"}
+	pay2 := []string{"1", "2"}
+	cross := []string{"http://t/a?x=1", "http://t/a?x=2", "http://t/b?x=1", "http://t/b?x=2"}
+	paired := []string{"http://t/a?x=1", "http://t/b?x=2"}
+
+	tests := []struct {
+		name     string
+		paths    []string
+		payloads []string
+		attack   string
+		want     []string
+	}{
+		{"clusterbomb default crosses all", paths2, pay2, "", cross},
+		{"clusterbomb explicit crosses all", paths2, pay2, "clusterbomb", cross},
+		{"pitchfork pairs by index", paths2, pay2, "pitchfork", paired},
+		{"pitchfork stops at fewer payloads", append(paths2, "{{BaseURL}}/c?x={{payload}}"), pay2, "pitchfork", paired},
+		{"pitchfork stops at fewer paths", paths2, []string{"1", "2", "3"}, "pitchfork", paired},
+		{"attack is case insensitive", paths2, pay2, "Pitchfork", paired},
+		{"no payloads ignores attack", []string{"{{BaseURL}}/a", "{{BaseURL}}/b"}, nil, "pitchfork", []string{"http://t/a", "http://t/b"}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := &HTTPConfig{Paths: tt.paths, Payloads: tt.payloads, Attack: tt.attack}
+			got := reqURLs(generateHTTPRequests(target, cfg))
+			want := append([]string(nil), tt.want...)
+			sort.Strings(want)
+			if !reflect.DeepEqual(got, want) {
+				t.Errorf("attack %q:\n got %v\nwant %v", tt.attack, got, want)
+			}
+		})
+	}
+}
+
+func TestValidateAttack(t *testing.T) {
+	for _, ok := range []string{"", "clusterbomb", "pitchfork", "Pitchfork", "CLUSTERBOMB"} {
+		if err := validateAttack(ok); err != nil {
+			t.Errorf("validateAttack(%q) = %v, want nil", ok, err)
+		}
+	}
+	for _, bad := range []string{"sniper", "batteringram", "bogus"} {
+		if err := validateAttack(bad); err == nil {
+			t.Errorf("validateAttack(%q) = nil, want error", bad)
+		}
+	}
+}
+
+func TestParseAttackValidation(t *testing.T) {
+	dir := t.TempDir()
+	write := func(name, body string) string {
+		p := filepath.Join(dir, name)
+		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
+			t.Fatal(err)
+		}
+		return p
+	}
+
+	good := write("good.yaml", "id: ok\ntype: http\nhttp:\n  attack: pitchfork\n  paths: [\"{{BaseURL}}/\"]\n")
+	if _, err := ParseYAMLModule(good); err != nil {
+		t.Fatalf("valid attack rejected: %v", err)
+	}
+
+	bad := write("bad.yaml", "id: bad\ntype: http\nhttp:\n  attack: sniper\n  paths: [\"{{BaseURL}}/\"]\n")
+	if _, err := ParseYAMLModule(bad); err == nil {
+		t.Fatal("invalid attack accepted")
+	}
+}
+
+// TestExecuteHTTPModulePitchfork drives the executor end to end and confirms
+// pitchfork only fires the index-paired requests, not the full cross product.
+func TestExecuteHTTPModulePitchfork(t *testing.T) {
+	var mu sync.Mutex
+	var hits []string
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mu.Lock()
+		hits = append(hits, r.URL.Path+"?"+r.URL.RawQuery)
+		mu.Unlock()
+		_, _ = w.Write([]byte("ok"))
+	}))
+	defer srv.Close()
+
+	def := &YAMLModule{
+		ID:   "pf",
+		Type: TypeHTTP,
+		HTTP: &HTTPConfig{
+			Attack:   "pitchfork",
+			Paths:    []string{"{{BaseURL}}/a?x={{payload}}", "{{BaseURL}}/b?x={{payload}}"},
+			Payloads: []string{"1", "2"},
+			Matchers: []Matcher{{Type: "word", Part: "body", Words: []string{"ok"}}},
+		},
+	}
+
+	opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
+	if _, err := ExecuteHTTPModule(context.Background(), srv.URL, def, opts); err != nil {
+		t.Fatalf("ExecuteHTTPModule: %v", err)
+	}
+
+	mu.Lock()
+	got := append([]string(nil), hits...)
+	mu.Unlock()
+	sort.Strings(got)
+	want := []string{"/a?x=1", "/b?x=2"}
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("pitchfork hit %v, want %v (clusterbomb would also hit /a?x=2 and /b?x=1)", got, want)
+	}
+}
@@ -0,0 +1,156 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runBigDataModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func bigDataExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestBigDataAPIExposureModules(t *testing.T) {
+	const solr = "../../modules/recon/solr-api-exposure.yaml"
+	const spark = "../../modules/recon/spark-api-exposure.yaml"
+	const hadoop = "../../modules/recon/hadoop-yarn-api-exposure.yaml"
+
+	solrSystem := `{"responseHeader":{"status":0,"QTime":15},"mode":"std",` +
+		`"solr_home":"/var/solr/data","lucene":{"solr-spec-version":"9.4.0",` +
+		`"solr-impl-version":"9.4.0","lucene-spec-version":"9.8.0","lucene-impl-version":"9.8.0"},` +
+		`"jvm":{"version":"17.0.9"}}`
+
+	sparkState := `{"url":"spark://master:7077","workers":[{"id":"worker-1","host":"10.0.0.5"}],` +
+		`"aliveworkers":2,"cores":8,"coresused":0,"memory":15360,"activeapps":[],` +
+		`"completedapps":[],"status":"ALIVE"}`
+
+	hadoopInfo := `{"clusterInfo":{"id":1700000000000,"startedOn":1700000000000,"state":"STARTED",` +
+		`"haState":"ACTIVE","resourceManagerVersion":"3.3.6","resourceManagerBuildVersion":"3.3.6 from abc",` +
+		`"hadoopVersion":"3.3.6","hadoopBuildVersion":"3.3.6 from abc","hadoopVersionBuiltOn":"2023-06-18"}}`
+
+	t.Run("an exposed solr admin api is flagged and versioned", func(t *testing.T) {
+		res := runBigDataModule(t, solr, 200, solrSystem)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a solr finding")
+		}
+		if v := bigDataExtract(res, "solr_version"); v != "9.4.0" {
+			t.Errorf("solr_version=%q, want 9.4.0", v)
+		}
+	})
+
+	t.Run("an exposed spark master leaks its url", func(t *testing.T) {
+		res := runBigDataModule(t, spark, 200, sparkState)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a spark finding")
+		}
+		if v := bigDataExtract(res, "spark_master_url"); v != "spark://master:7077" {
+			t.Errorf("spark_master_url=%q, want spark://master:7077", v)
+		}
+	})
+
+	t.Run("an exposed hadoop yarn api is flagged and versioned", func(t *testing.T) {
+		res := runBigDataModule(t, hadoop, 200, hadoopInfo)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a hadoop finding")
+		}
+		if v := bigDataExtract(res, "hadoop_version"); v != "3.3.6" {
+			t.Errorf("hadoop_version=%q, want 3.3.6", v)
+		}
+	})
+
+	t.Run("a solr spec version without a solr home is not solr", func(t *testing.T) {
+		body := `{"lucene":{"solr-spec-version":"9.4.0"},"name":"otherservice"}`
+		if res := runBigDataModule(t, solr, 200, body); len(res.Findings) > 0 {
+			t.Errorf("spec version alone should not match solr, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a solr home without a spec version is not solr", func(t *testing.T) {
+		body := `{"solr_home":"/var/solr/data","mode":"std"}`
+		if res := runBigDataModule(t, solr, 200, body); len(res.Findings) > 0 {
+			t.Errorf("solr home alone should not match solr, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a spark url without alive workers is not flagged", func(t *testing.T) {
+		body := `{"url":"spark://master:7077","workers":[],"status":"ALIVE"}`
+		if res := runBigDataModule(t, spark, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a spark url alone should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("alive workers behind a non spark url is not flagged", func(t *testing.T) {
+		body := `{"url":"http://internal:8080","aliveworkers":2}`
+		if res := runBigDataModule(t, spark, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a non spark url should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a cluster info without a resource manager version is not hadoop", func(t *testing.T) {
+		body := `{"clusterInfo":{"id":1,"state":"STARTED","hadoopVersion":"3.3.6"}}`
+		if res := runBigDataModule(t, hadoop, 200, body); len(res.Findings) > 0 {
+			t.Errorf("cluster info alone should not match hadoop, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a resource manager version without a cluster info is not hadoop", func(t *testing.T) {
+		body := `{"resourceManagerVersion":"3.3.6","app":"custom"}`
+		if res := runBigDataModule(t, hadoop, 200, body); len(res.Findings) > 0 {
+			t.Errorf("rm version alone should not match hadoop, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic json endpoint is not a spark master", func(t *testing.T) {
+		body := `{"url":"http://app","workers":5,"name":"myservice"}`
+		if res := runBigDataModule(t, spark, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic json should not match spark, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{solr, spark, hadoop} {
+			if res := runBigDataModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{solr, spark, hadoop} {
+			if res := runBigDataModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,205 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runCMSCfgModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func cmsCfgExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestCMSConfigExposureModules(t *testing.T) {
+	const joomla = "../../modules/recon/joomla-config-exposure.yaml"
+	const drupal = "../../modules/recon/drupal-config-exposure.yaml"
+	const magento = "../../modules/recon/magento-config-exposure.yaml"
+
+	joomlaConfig := "<?php\nclass JConfig {\n\tpublic $offline = '0';\n" +
+		"\tpublic $host = 'localhost';\n\tpublic $user = 'joomla_user';\n" +
+		"\tpublic $password = 'S3cretJoomlaPass';\n\tpublic $db = 'joomla_db';\n" +
+		"\tpublic $dbprefix = 'jos_';\n\tpublic $secret = 'AbCdEfGhIjKlMnOp';\n}\n"
+
+	drupalConfig := "<?php\n$databases['default']['default'] = array (\n" +
+		"  'database' => 'drupal_db',\n  'username' => 'drupal_user',\n" +
+		"  'password' => 'S3cretDrupalPass',\n  'host' => 'localhost',\n" +
+		"  'driver' => 'mysql',\n);\n$settings['hash_salt'] = 'longrandomhashsalt';\n"
+
+	magentoConfig := "<?php\nreturn [\n  'backend' => ['frontName' => 'admin_x7y'],\n" +
+		"  'crypt' => ['key' => 'a1b2c3d4e5f6g7h8'],\n  'db' => [\n" +
+		"    'connection' => ['default' => [\n      'host' => 'localhost',\n" +
+		"      'dbname' => 'magento',\n      'username' => 'magento_user',\n" +
+		"      'password' => 'S3cretMagentoPass',\n    ]],\n  ],\n  'MAGE_MODE' => 'production',\n];\n"
+
+	t.Run("an exposed joomla configuration leaks the password", func(t *testing.T) {
+		res := runCMSCfgModule(t, joomla, 200, joomlaConfig)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a joomla finding")
+		}
+		if v := cmsCfgExtract(res, "joomla_password"); v != "S3cretJoomlaPass" {
+			t.Errorf("joomla_password=%q, want S3cretJoomlaPass", v)
+		}
+	})
+
+	t.Run("an exposed drupal settings leaks the password", func(t *testing.T) {
+		res := runCMSCfgModule(t, drupal, 200, drupalConfig)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a drupal finding")
+		}
+		if v := cmsCfgExtract(res, "drupal_password"); v != "S3cretDrupalPass" {
+			t.Errorf("drupal_password=%q, want S3cretDrupalPass", v)
+		}
+	})
+
+	t.Run("an exposed magento env leaks the crypt key", func(t *testing.T) {
+		res := runCMSCfgModule(t, magento, 200, magentoConfig)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a magento finding")
+		}
+		if v := cmsCfgExtract(res, "magento_crypt_key"); v != "a1b2c3d4e5f6g7h8" {
+			t.Errorf("magento_crypt_key=%q, want a1b2c3d4e5f6g7h8", v)
+		}
+	})
+
+	t.Run("a joomla config missing the password is not flagged", func(t *testing.T) {
+		body := "<?php\nclass JConfig {\n\tpublic $host = 'localhost';\n" +
+			"\tpublic $db = 'joomla_db';\n\tpublic $dbprefix = 'jos_';\n}\n"
+		if res := runCMSCfgModule(t, joomla, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a config without a password should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a php class with a public password but no jconfig is not joomla", func(t *testing.T) {
+		body := "<?php\nclass MyAuth {\n\tpublic $password = 'changeme';\n" +
+			"\tpublic $username = 'admin';\n}\n"
+		if res := runCMSCfgModule(t, joomla, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic class should not match joomla, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a php array with a password but no databases is not drupal", func(t *testing.T) {
+		body := "<?php\n$config = array('password' => 'x', 'host' => 'y');\n"
+		if res := runCMSCfgModule(t, drupal, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic array should not match drupal, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a drupal databases array without a password is not flagged", func(t *testing.T) {
+		body := "<?php\n$databases['default']['default'] = array (\n" +
+			"  'database' => 'drupal_db',\n  'host' => 'localhost',\n  'driver' => 'mysql',\n);\n"
+		if res := runCMSCfgModule(t, drupal, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a databases array without a password should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a php return array with a password but no magento markers is not flagged", func(t *testing.T) {
+		body := "<?php\nreturn ['db' => ['password' => 'secret', 'host' => 'localhost']];\n"
+		if res := runCMSCfgModule(t, magento, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic return array should not match magento, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a magento config without a credential is not flagged", func(t *testing.T) {
+		body := "<?php\nreturn ['MAGE_MODE' => 'production', 'db' => ['host' => 'localhost']];\n"
+		if res := runCMSCfgModule(t, magento, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a magento config without a credential should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page demonstrating a joomla config is not a leak", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>class JConfig { public $password = 'x'; public $db = 'y'; }</pre></body></html>"
+		if res := runCMSCfgModule(t, joomla, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html joomla tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a drupal settings using env indirection is not a literal password leak", func(t *testing.T) {
+		body := "<?php\n$databases['default']['default'] = array (\n" +
+			"  'database' => 'drupal_db',\n  'username' => 'drupal_user',\n" +
+			"  'password' => getenv('DB_PASS'),\n  'host' => 'localhost',\n);\n"
+		if res := runCMSCfgModule(t, drupal, 200, body); len(res.Findings) > 0 {
+			t.Errorf("env indirection should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a magento env with a cloud placeholder key is not a literal leak", func(t *testing.T) {
+		body := "<?php\nreturn ['crypt' => ['key' => '#env.CRYPT_KEY#'], 'MAGE_MODE' => 'production'];\n"
+		if res := runCMSCfgModule(t, magento, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a cloud placeholder should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a magento env with a placeholder key but a literal password is flagged not mis-extracted", func(t *testing.T) {
+		body := "<?php\nreturn ['crypt' => ['key' => '#env.CRYPT_KEY#'],\n" +
+			"  'db' => ['connection' => ['default' => ['password' => 'RealDbPass']]],\n" +
+			"  'MAGE_MODE' => 'production'];\n"
+		res := runCMSCfgModule(t, magento, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a magento finding on the literal password")
+		}
+		if v := cmsCfgExtract(res, "magento_crypt_key"); v == "#env.CRYPT_KEY#" {
+			t.Errorf("extractor surfaced the placeholder %q as the crypt key", v)
+		}
+	})
+
+	t.Run("an html page demonstrating a drupal config is not a leak", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>$databases['default']['default'] = array('password' => 'x');</pre></body></html>"
+		if res := runCMSCfgModule(t, drupal, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html drupal tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page demonstrating a magento config is not a leak", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>'crypt' => ['key' => 'x'], 'MAGE_MODE' => 'production'</pre></body></html>"
+		if res := runCMSCfgModule(t, magento, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html magento tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{joomla, drupal, magento} {
+			if res := runCMSCfgModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{joomla, drupal, magento} {
+			if res := runCMSCfgModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,113 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runCredModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func credExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestCredentialExposureModules(t *testing.T) {
+	const aws = "../../modules/recon/aws-credentials-exposure.yaml"
+	const npmrc = "../../modules/recon/npmrc-exposure.yaml"
+	const docker = "../../modules/recon/docker-config-exposure.yaml"
+
+	t.Run("aws credentials leak the access key id", func(t *testing.T) {
+		body := "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n" +
+			"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
+		res := runCredModule(t, aws, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an aws credentials finding")
+		}
+		if v := credExtract(res, "aws_access_key_id"); v != "AKIAIOSFODNN7EXAMPLE" {
+			t.Errorf("aws_access_key_id=%q, want AKIAIOSFODNN7EXAMPLE", v)
+		}
+	})
+
+	t.Run("npmrc leaks the registry of an auth token", func(t *testing.T) {
+		body := "//registry.npmjs.org/:_authToken=npm_AbCdEf0123456789AbCdEf0123456789\n"
+		res := runCredModule(t, npmrc, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an npmrc finding")
+		}
+		if v := credExtract(res, "npm_registry"); v != "registry.npmjs.org" {
+			t.Errorf("npm_registry=%q, want registry.npmjs.org", v)
+		}
+	})
+
+	t.Run("docker config leaks the registry host", func(t *testing.T) {
+		body := `{"auths":{"registry.example.com":{"auth":"dXNlcm5hbWU6c3VwZXJzZWNyZXRwYXNz"}}}`
+		res := runCredModule(t, docker, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a docker config finding")
+		}
+		if v := credExtract(res, "docker_registry"); v != "registry.example.com" {
+			t.Errorf("docker_registry=%q, want registry.example.com", v)
+		}
+	})
+
+	t.Run("html page mentioning the key name is not a leak", func(t *testing.T) {
+		body := `<html><head><title>Docs</title></head><body>` +
+			`set your aws_secret_access_key in ~/.aws/credentials</body></html>`
+		if res := runCredModule(t, aws, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html doc mentioning the key should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{aws, npmrc, docker} {
+			if res := runCredModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{aws, npmrc, docker} {
+			if res := runCredModule(t, file, 200, "nothing to see here"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a docker auth field holding a jwt is not a leak", func(t *testing.T) {
+		body := `{"token":"x","auth":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}`
+		if res := runCredModule(t, docker, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a jwt in an auth field should not match, got %d findings", len(res.Findings))
+		}
+	})
+}
@@ -0,0 +1,151 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runPipelineModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func pipelineExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestDataPipelineAPIExposureModules(t *testing.T) {
+	const airflow = "../../modules/recon/airflow-api-exposure.yaml"
+	const flink = "../../modules/recon/flink-api-exposure.yaml"
+	const kafka = "../../modules/recon/kafka-connect-api-exposure.yaml"
+
+	airflowHealth := `{"metadatabase":{"status":"healthy"},"scheduler":{"status":"healthy",` +
+		`"latest_scheduler_heartbeat":"2023-09-13T09:35:49.123456+00:00"}}`
+
+	flinkOverview := `{"taskmanagers":1,"slots-total":4,"slots-available":4,"jobs-running":0,` +
+		`"jobs-finished":2,"jobs-cancelled":0,"jobs-failed":0,"flink-version":"1.17.1","flink-commit":"2750d5c"}`
+
+	kafkaConnect := `{"version":"3.5.0","commit":"c97b88d5db4de28d","kafka_cluster_id":"M_oad8FjQ1eMShri6_jjQg"}`
+
+	t.Run("an exposed airflow health endpoint is flagged", func(t *testing.T) {
+		res := runPipelineModule(t, airflow, 200, airflowHealth)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an airflow finding")
+		}
+		if v := pipelineExtract(res, "airflow_scheduler_heartbeat"); v != "2023-09-13T09:35:49.123456+00:00" {
+			t.Errorf("airflow_scheduler_heartbeat=%q, want the heartbeat timestamp", v)
+		}
+	})
+
+	t.Run("an exposed flink dashboard is flagged and versioned", func(t *testing.T) {
+		res := runPipelineModule(t, flink, 200, flinkOverview)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a flink finding")
+		}
+		if v := pipelineExtract(res, "flink_version"); v != "1.17.1" {
+			t.Errorf("flink_version=%q, want 1.17.1", v)
+		}
+	})
+
+	t.Run("an exposed kafka connect api is flagged and versioned", func(t *testing.T) {
+		res := runPipelineModule(t, kafka, 200, kafkaConnect)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a kafka connect finding")
+		}
+		if v := pipelineExtract(res, "kafka_version"); v != "3.5.0" {
+			t.Errorf("kafka_version=%q, want 3.5.0", v)
+		}
+	})
+
+	t.Run("an airflow metadatabase without a scheduler is not flagged", func(t *testing.T) {
+		body := `{"metadatabase":{"status":"healthy"}}`
+		if res := runPipelineModule(t, airflow, 200, body); len(res.Findings) > 0 {
+			t.Errorf("metadatabase alone should not match airflow, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an airflow scheduler without a metadatabase is not flagged", func(t *testing.T) {
+		body := `{"scheduler":{"status":"healthy","latest_scheduler_heartbeat":"2023-09-13T09:35:49.123456+00:00"}}`
+		if res := runPipelineModule(t, airflow, 200, body); len(res.Findings) > 0 {
+			t.Errorf("scheduler alone should not match airflow, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a flink version without a slot total is not flagged", func(t *testing.T) {
+		body := `{"flink-version":"1.17.1","taskmanagers":1}`
+		if res := runPipelineModule(t, flink, 200, body); len(res.Findings) > 0 {
+			t.Errorf("flink version alone should not match flink, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a slot total without a flink version is not flagged", func(t *testing.T) {
+		body := `{"slots-total":4,"jobs-running":0}`
+		if res := runPipelineModule(t, flink, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a slot total alone should not match flink, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a kafka cluster id without a version is not flagged", func(t *testing.T) {
+		body := `{"kafka_cluster_id":"M_oad8FjQ1eMShri6_jjQg","commit":"abc"}`
+		if res := runPipelineModule(t, kafka, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a cluster id alone should not match kafka connect, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a version without a kafka cluster id is not flagged", func(t *testing.T) {
+		body := `{"version":"3.5.0","name":"someservice"}`
+		if res := runPipelineModule(t, kafka, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a version alone should not match kafka connect, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic health json is not airflow", func(t *testing.T) {
+		body := `{"status":"UP","components":{"db":{"status":"UP"}}}`
+		if res := runPipelineModule(t, airflow, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic health should not match airflow, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{airflow, flink, kafka} {
+			if res := runPipelineModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{airflow, flink, kafka} {
+			if res := runPipelineModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,166 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runDBFileModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func dbFileExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestDatabaseFileExposureModules(t *testing.T) {
+	const sqlDump = "../../modules/recon/sql-dump-exposure.yaml"
+	const sqlite = "../../modules/recon/sqlite-database-exposure.yaml"
+	const redis = "../../modules/recon/redis-dump-exposure.yaml"
+
+	mysqldump := "-- MySQL dump 10.13  Distrib 8.0.32, for Linux (x86_64)\n--\n" +
+		"-- Host: localhost    Database: appdb\n--\n-- Server version\t8.0.32\n\n" +
+		"DROP TABLE IF EXISTS `users`;\nCREATE TABLE `users` (\n" +
+		"  `id` int NOT NULL AUTO_INCREMENT,\n  `email` varchar(255) DEFAULT NULL,\n" +
+		"  PRIMARY KEY (`id`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;\n" +
+		"INSERT INTO `users` VALUES (1,'admin@x.com');\n"
+
+	pgdump := "--\n-- PostgreSQL database dump\n--\n\nSET statement_timeout = 0;\n" +
+		"CREATE TABLE public.accounts (\n    id integer NOT NULL,\n    email text\n);\n" +
+		"COPY public.accounts (id, email) FROM stdin;\n1\tadmin@x.com\n\\.\n"
+
+	sqliteFile := "SQLite format 3\x00" + strings.Repeat("\x00", 84) +
+		"\x05\x00CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT)\x00"
+
+	redisDump := "REDIS0011\xfa\x09redis-ver\x055.0.7\xfa\x0aredis-bits\xc0@\xfe\x00\xfb\x02\x00" +
+		"\x03key\x05value\xff\x00\x00\x00\x00\x00\x00\x00\x00"
+
+	t.Run("a mysqldump leaks the dumped table", func(t *testing.T) {
+		res := runDBFileModule(t, sqlDump, 200, mysqldump)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a sql dump finding")
+		}
+		if v := dbFileExtract(res, "dump_table"); v != "users" {
+			t.Errorf("dump_table=%q, want users", v)
+		}
+	})
+
+	t.Run("a postgresql dump also matches and names its table", func(t *testing.T) {
+		res := runDBFileModule(t, sqlDump, 200, pgdump)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a sql dump finding for pg_dump")
+		}
+		if v := dbFileExtract(res, "dump_table"); v != "accounts" {
+			t.Errorf("dump_table=%q, want accounts", v)
+		}
+	})
+
+	t.Run("a sqlite database file leaks its schema table", func(t *testing.T) {
+		res := runDBFileModule(t, sqlite, 200, sqliteFile)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a sqlite finding")
+		}
+		if v := dbFileExtract(res, "table_name"); v != "users" {
+			t.Errorf("table_name=%q, want users", v)
+		}
+	})
+
+	t.Run("a redis rdb snapshot leaks its format version", func(t *testing.T) {
+		res := runDBFileModule(t, redis, 200, redisDump)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a redis rdb finding")
+		}
+		if v := dbFileExtract(res, "rdb_version"); v != "0011" {
+			t.Errorf("rdb_version=%q, want 0011", v)
+		}
+	})
+
+	t.Run("sql shown inside an html page is not a dump", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><head><title>SQL tutorial</title></head><body>" +
+			"<pre>DROP TABLE IF EXISTS users; CREATE TABLE users (id int); INSERT INTO users VALUES (1);</pre>" +
+			"</body></html>"
+		if res := runDBFileModule(t, sqlDump, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a sql file with no dump idiom is not flagged", func(t *testing.T) {
+		body := "-- migration notes\nSELECT id FROM users WHERE active = 1;\n"
+		if res := runDBFileModule(t, sqlDump, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a bare select should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a page that names the sqlite format is not the file", func(t *testing.T) {
+		body := "This page documents the SQLite format 3 on-disk structure for readers."
+		if res := runDBFileModule(t, sqlite, 200, body); len(res.Findings) > 0 {
+			t.Errorf("prose about sqlite should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a page that names redis is not an rdb snapshot", func(t *testing.T) {
+		body := "redis-server is running on this host as the REDIS cache backend."
+		if res := runDBFileModule(t, redis, 200, body); len(res.Findings) > 0 {
+			t.Errorf("prose about redis should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("the sqlite magic only counts at the start of the file", func(t *testing.T) {
+		body := "<pre>hexdump of a header: " + sqliteFile + "</pre>"
+		if res := runDBFileModule(t, sqlite, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an embedded sqlite header should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("the rdb magic only counts at the start of the file", func(t *testing.T) {
+		body := "log line: loaded snapshot " + redisDump
+		if res := runDBFileModule(t, redis, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an embedded rdb header should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{sqlDump, sqlite, redis} {
+			if res := runDBFileModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{sqlDump, sqlite, redis} {
+			if res := runDBFileModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,88 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runDBModule(t *testing.T, file string, status int, headers map[string]string, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		for k, v := range headers {
+			w.Header().Set(k, v)
+		}
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func dbExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestDBPanelModules(t *testing.T) {
+	const adminer = "../../modules/info/adminer-panel.yaml"
+	const phpmyadmin = "../../modules/info/phpmyadmin-panel.yaml"
+
+	adminerLogin := `<form action=""><input type="hidden" name="auth[driver]" value="server">` +
+		`<input name="auth[username]"></form>` +
+		`<p class="links"><a href="https://www.adminer.org/">Adminer</a> <span class="version">4.8.1</span></p>`
+	pmaLogin := `<link rel="stylesheet" href="themes/pmahomme/css/theme.css">` +
+		`<input type="text" name="pma_username"><script>var data = {"PMA_VERSION":"5.2.1"};</script>`
+
+	t.Run("adminer login", func(t *testing.T) {
+		res := runDBModule(t, adminer, 200, nil, adminerLogin)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an adminer finding")
+		}
+		if v := dbExtract(res, "adminer_version"); v != "4.8.1" {
+			t.Errorf("adminer_version=%q, want 4.8.1", v)
+		}
+	})
+
+	t.Run("adminer unrelated page", func(t *testing.T) {
+		if res := runDBModule(t, adminer, 200, nil, "<html><body>nothing</body></html>"); len(res.Findings) > 0 {
+			t.Errorf("unrelated page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("phpmyadmin login", func(t *testing.T) {
+		res := runDBModule(t, phpmyadmin, 200, map[string]string{"Set-Cookie": "phpMyAdmin=abc123; path=/"}, pmaLogin)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a phpmyadmin finding")
+		}
+		if v := dbExtract(res, "phpmyadmin_version"); v != "5.2.1" {
+			t.Errorf("phpmyadmin_version=%q, want 5.2.1", v)
+		}
+	})
+
+	t.Run("phpmyadmin unrelated page", func(t *testing.T) {
+		if res := runDBModule(t, phpmyadmin, 200, nil, "<html><body>nothing</body></html>"); len(res.Findings) > 0 {
+			t.Errorf("unrelated page should not match, got %d findings", len(res.Findings))
+		}
+	})
+}
@@ -0,0 +1,121 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runDebugModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func debugExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestDebugExposureModules(t *testing.T) {
+	const ignition = "../../modules/recon/laravel-ignition-exposure.yaml"
+	const profiler = "../../modules/recon/symfony-profiler-exposure.yaml"
+	const heapdump = "../../modules/recon/spring-heapdump-exposure.yaml"
+
+	t.Run("ignition health check exposes command execution", func(t *testing.T) {
+		res := runDebugModule(t, ignition, 200, `{"can_execute_commands":true,"config":{}}`)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an ignition finding")
+		}
+		if v := debugExtract(res, "can_execute_commands"); v != "true" {
+			t.Errorf("can_execute_commands=%q, want true", v)
+		}
+	})
+
+	t.Run("ignition exposed with debug off still flags and extracts false", func(t *testing.T) {
+		res := runDebugModule(t, ignition, 200, `{"can_execute_commands":false}`)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an ignition finding even when command execution is off")
+		}
+		if v := debugExtract(res, "can_execute_commands"); v != "false" {
+			t.Errorf("can_execute_commands=%q, want false", v)
+		}
+	})
+
+	t.Run("symfony profiler exposes a request token", func(t *testing.T) {
+		body := `<html><head><title>Symfony Profiler</title></head><body>` +
+			`<a href="/_profiler/5f3a2b">GET /</a></body></html>`
+		res := runDebugModule(t, profiler, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a symfony profiler finding")
+		}
+		if v := debugExtract(res, "profiler_token"); v != "5f3a2b" {
+			t.Errorf("profiler_token=%q, want 5f3a2b", v)
+		}
+	})
+
+	t.Run("spring heap dump exposes the hprof magic", func(t *testing.T) {
+		body := "JAVA PROFILE 1.0.2\x00\x00\x00\x08heap bytes follow"
+		res := runDebugModule(t, heapdump, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a heap dump finding")
+		}
+		if v := debugExtract(res, "hprof_version"); v != "1.0.2" {
+			t.Errorf("hprof_version=%q, want 1.0.2", v)
+		}
+	})
+
+	t.Run("the hprof magic must be at the start not merely present", func(t *testing.T) {
+		body := "<html><body>docs about the JAVA PROFILE 1.0.2 hprof header</body></html>"
+		if res := runDebugModule(t, heapdump, 200, body); len(res.Findings) > 0 {
+			t.Errorf("the magic away from the start should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a page that only names ignition is not the endpoint", func(t *testing.T) {
+		body := `<html><body>we use ignition to render errors in development</body></html>`
+		if res := runDebugModule(t, ignition, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a prose mention should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{ignition, profiler, heapdump} {
+			if res := runDebugModule(t, file, 200, "<html><body>plain</body></html>"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{ignition, profiler, heapdump} {
+			if res := runDebugModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,134 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runDeployModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func deployExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestDeployConfigExposureModules(t *testing.T) {
+	const vscode = "../../modules/recon/vscode-sftp-exposure.yaml"
+	const sublime = "../../modules/recon/sublime-sftp-exposure.yaml"
+	const ftpconfig = "../../modules/recon/ftpconfig-exposure.yaml"
+
+	t.Run("vscode sftp config leaks the deploy host", func(t *testing.T) {
+		body := `{"name":"prod","host":"deploy.example.com","protocol":"sftp",` +
+			`"username":"root","password":"s3cr3t","remotePath":"/var/www","uploadOnSave":true}`
+		res := runDeployModule(t, vscode, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a vscode sftp finding")
+		}
+		if v := deployExtract(res, "remote_host"); v != "deploy.example.com" {
+			t.Errorf("remote_host=%q, want deploy.example.com", v)
+		}
+	})
+
+	t.Run("vscode sftp config with key auth still flags and extracts the host", func(t *testing.T) {
+		body := `{"host":"key.example.com","protocol":"sftp",` +
+			`"username":"deploy","privateKeyPath":"~/.ssh/id_rsa","uploadOnSave":true}`
+		res := runDeployModule(t, vscode, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a vscode sftp finding for a key-auth config")
+		}
+		if v := deployExtract(res, "remote_host"); v != "key.example.com" {
+			t.Errorf("remote_host=%q, want key.example.com", v)
+		}
+	})
+
+	t.Run("sublime sftp config leaks the deploy host", func(t *testing.T) {
+		body := `{"type":"sftp","host":"sftp.example.org","user":"www","password":"hunter2",` +
+			`"remote_path":"/srv","upload_on_save":true,"sync_down_on_open":false}`
+		res := runDeployModule(t, sublime, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a sublime sftp finding")
+		}
+		if v := deployExtract(res, "remote_host"); v != "sftp.example.org" {
+			t.Errorf("remote_host=%q, want sftp.example.org", v)
+		}
+	})
+
+	t.Run("atom remote-ftp config leaks the deploy host", func(t *testing.T) {
+		body := `{"protocol":"ftp","host":"ftp.example.net","port":21,"user":"upload",` +
+			`"pass":"letmein","remote":"/","connTimeout":10000,"pasvTimeout":10000}`
+		res := runDeployModule(t, ftpconfig, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an atom remote-ftp finding")
+		}
+		if v := deployExtract(res, "remote_host"); v != "ftp.example.net" {
+			t.Errorf("remote_host=%q, want ftp.example.net", v)
+		}
+	})
+
+	t.Run("an html login page carrying the same keys is not a leak", func(t *testing.T) {
+		body := `<html><head><title>Sign in</title></head><body>` +
+			`config keys "remotePath" "password" "host":"evil.example.com"</body></html>`
+		if res := runDeployModule(t, vscode, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain json config without the tool keys is not a leak", func(t *testing.T) {
+		body := `{"host":"db.internal","username":"admin","user":"admin","pass":"x","password":"hunter2"}`
+		for _, file := range []string{vscode, sublime, ftpconfig} {
+			if res := runDeployModule(t, file, 200, body); len(res.Findings) > 0 {
+				t.Errorf("%s: a config without the tool keys should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a tool config with a host but no credential field is not a leak", func(t *testing.T) {
+		bodies := map[string]string{
+			vscode:    `{"host":"h.example.com","remotePath":"/var/www","uploadOnSave":true}`,
+			sublime:   `{"type":"sftp","host":"h.example.com","upload_on_save":true}`,
+			ftpconfig: `{"protocol":"ftp","host":"h.example.com","connTimeout":10000,"pasvTimeout":10000}`,
+		}
+		for file, body := range bodies {
+			if res := runDeployModule(t, file, 200, body); len(res.Findings) > 0 {
+				t.Errorf("%s: a config with no credential field should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{vscode, sublime, ftpconfig} {
+			if res := runDeployModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,159 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runDistDBModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func distDBExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestDistributedDBExposureModules(t *testing.T) {
+	const riak = "../../modules/recon/riak-api-exposure.yaml"
+	const couchbase = "../../modules/recon/couchbase-api-exposure.yaml"
+	const druid = "../../modules/recon/druid-api-exposure.yaml"
+
+	riakStats := `{"riak_kv_version":"3.0.16","riak_core_version":"3.0.99","riak_pipe_version":"3.0.16",` +
+		`"sys_otp_release":"22","ring_members":["riak@10.0.0.1"],"ring_num_partitions":64,` +
+		`"storage_backend":"riak_kv_bitcask_backend"}`
+
+	couchbasePools := `{"pools":[{"name":"default","uri":"/pools/default?uuid=abc",` +
+		`"streamingUri":"/poolsStreaming/default?uuid=abc"}],"isAdminCreds":false,"isEnterprise":true,` +
+		`"implementationVersion":"7.2.0-6053-enterprise","uuid":"abc",` +
+		`"componentsVersion":{"ns_server":"7.2.0-6053","couchdb":"3.1.1"}}`
+
+	druidStatus := `{"version":"0.22.1","modules":[{"name":"org.apache.druid.server.initialization.jetty.JettyServerModule",` +
+		`"artifact":"druid-server","version":"0.22.1"},{"name":"org.apache.druid.guice.AnnouncerModule",` +
+		`"artifact":"druid-server","version":"0.22.1"}],"memory":{"maxMemory":1037959168,` +
+		`"totalMemory":1037959168,"freeMemory":900000000,"directMemory":134217728}}`
+
+	t.Run("an exposed riak http api is flagged and versioned", func(t *testing.T) {
+		res := runDistDBModule(t, riak, 200, riakStats)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a riak finding")
+		}
+		if v := distDBExtract(res, "riak_version"); v != "3.0.16" {
+			t.Errorf("riak_version=%q, want 3.0.16", v)
+		}
+	})
+
+	t.Run("an exposed couchbase cluster api is flagged and versioned", func(t *testing.T) {
+		res := runDistDBModule(t, couchbase, 200, couchbasePools)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a couchbase finding")
+		}
+		if v := distDBExtract(res, "couchbase_version"); v != "7.2.0-6053-enterprise" {
+			t.Errorf("couchbase_version=%q, want 7.2.0-6053-enterprise", v)
+		}
+	})
+
+	t.Run("an exposed druid process is flagged and versioned", func(t *testing.T) {
+		res := runDistDBModule(t, druid, 200, druidStatus)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a druid finding")
+		}
+		if v := distDBExtract(res, "druid_version"); v != "0.22.1" {
+			t.Errorf("druid_version=%q, want 0.22.1", v)
+		}
+	})
+
+	t.Run("a riak kv version without a core version is not flagged", func(t *testing.T) {
+		body := `{"riak_kv_version":"3.0.16","name":"app"}`
+		if res := runDistDBModule(t, riak, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a kv version alone should not match riak, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a riak core version without a kv version is not flagged", func(t *testing.T) {
+		body := `{"riak_core_version":"3.0.16","name":"app"}`
+		if res := runDistDBModule(t, riak, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a core version alone should not match riak, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a couchbase impl version without a components version is not flagged", func(t *testing.T) {
+		body := `{"implementationVersion":"7.2.0","name":"app"}`
+		if res := runDistDBModule(t, couchbase, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an impl version alone should not match couchbase, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a couchbase components version without an impl version is not flagged", func(t *testing.T) {
+		body := `{"componentsVersion":{"ns_server":"7.2.0"},"name":"app"}`
+		if res := runDistDBModule(t, couchbase, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a components version alone should not match couchbase, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a druid package without a memory block is not flagged", func(t *testing.T) {
+		body := `{"modules":[{"name":"org.apache.druid.cli.Main"}],"app":"x"}`
+		if res := runDistDBModule(t, druid, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a druid package alone should not match druid, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a memory block without a druid package is not flagged", func(t *testing.T) {
+		body := `{"memory":{"maxMemory":123},"app":"x"}`
+		if res := runDistDBModule(t, druid, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a memory block alone should not match druid, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic version json is not a distributed db", func(t *testing.T) {
+		body := `{"version":"1.0.0","name":"app"}`
+		for _, file := range []string{riak, couchbase, druid} {
+			if res := runDistDBModule(t, file, 200, body); len(res.Findings) > 0 {
+				t.Errorf("%s: a generic version should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{riak, couchbase, druid} {
+			if res := runDistDBModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{riak, couchbase, druid} {
+			if res := runDistDBModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,164 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runDotfileModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func dotfileExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestDotfileCredentialExposureModules(t *testing.T) {
+	const netrc = "../../modules/recon/netrc-exposure.yaml"
+	const pgpass = "../../modules/recon/pgpass-exposure.yaml"
+	const mycnf = "../../modules/recon/mysql-client-config-exposure.yaml"
+
+	netrcBody := "machine api.example.com\n  login deploy\n  password s3cr3tP@ss\n" +
+		"machine ftp.example.com\n  login anon\n  password anon@site\n"
+
+	pgpassBody := "db.example.com:5432:appdb:appuser:Sup3rSecret\n*:*:*:replication:replpass\n"
+
+	mycnfBody := "[client]\nuser=root\npassword=R00tPass!\nhost=127.0.0.1\nport=3306\n"
+
+	t.Run("an exposed netrc leaks the machine host", func(t *testing.T) {
+		res := runDotfileModule(t, netrc, 200, netrcBody)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a netrc finding")
+		}
+		if v := dotfileExtract(res, "netrc_machine"); v != "api.example.com" {
+			t.Errorf("netrc_machine=%q, want api.example.com", v)
+		}
+	})
+
+	t.Run("an exposed pgpass leaks the host", func(t *testing.T) {
+		res := runDotfileModule(t, pgpass, 200, pgpassBody)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a pgpass finding")
+		}
+		if v := dotfileExtract(res, "pgpass_host"); v != "db.example.com" {
+			t.Errorf("pgpass_host=%q, want db.example.com", v)
+		}
+	})
+
+	t.Run("an exposed my.cnf leaks the client user", func(t *testing.T) {
+		res := runDotfileModule(t, mycnf, 200, mycnfBody)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a my.cnf finding")
+		}
+		if v := dotfileExtract(res, "mysql_user"); v != "root" {
+			t.Errorf("mysql_user=%q, want root", v)
+		}
+	})
+
+	t.Run("prose that names machine login and password out of order is not a netrc", func(t *testing.T) {
+		body := "this machine requires a login; store the password securely"
+		if res := runDotfileModule(t, netrc, 200, body); len(res.Findings) > 0 {
+			t.Errorf("out of order prose should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page demonstrating a netrc is not a leak", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>machine api.example.com login deploy password s3cret</pre></body></html>"
+		if res := runDotfileModule(t, netrc, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html netrc tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a yaml db config with colon keys is not a pgpass", func(t *testing.T) {
+		body := "database:\n  host: db.example.com\n  port: 5432\n  user: appuser\n  password: secret\n"
+		if res := runDotfileModule(t, pgpass, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a yaml db config should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a pgpass shaped line with a non numeric port is not flagged", func(t *testing.T) {
+		body := "db.example.com:default:appdb:appuser:Sup3rSecret\n"
+		if res := runDotfileModule(t, pgpass, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a non numeric port should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a multi line config with a number field does not match across lines", func(t *testing.T) {
+		body := "timeout:30:seconds configured\nsee http://docs.example.com:8080 for details\n"
+		if res := runDotfileModule(t, pgpass, 200, body); len(res.Findings) > 0 {
+			t.Errorf("fields must stay on one line, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page demonstrating a pgpass is not a leak", func(t *testing.T) {
+		body := "<!DOCTYPE html>\n<html><body><pre>\ndb.example.com:5432:appdb:appuser:secret\n</pre></body></html>\n"
+		if res := runDotfileModule(t, pgpass, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html pgpass tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a my.cnf client section without a password is not flagged", func(t *testing.T) {
+		body := "[client]\nuser=root\nhost=localhost\nport=3306\n"
+		if res := runDotfileModule(t, mycnf, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a section without a password should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a password line without a my.cnf section is not flagged", func(t *testing.T) {
+		body := "password=hunter2\nfoo=bar\n"
+		if res := runDotfileModule(t, mycnf, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a password without a section should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page demonstrating a my.cnf is not a leak", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>[client]\npassword=secret</pre></body></html>"
+		if res := runDotfileModule(t, mycnf, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html my.cnf tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{netrc, pgpass, mycnf} {
+			if res := runDotfileModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{netrc, pgpass, mycnf} {
+			if res := runDotfileModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -14,6 +14,7 @@ package modules

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -26,6 +27,11 @@ import (
 // MaxBodySize limits response body to prevent memory exhaustion.
 const MaxBodySize = 5 * 1024 * 1024

+// ErrUnsupportedModuleType signals an executor for a module type that is not
+// yet implemented. Returning it (rather than an empty result) keeps callers
+// from mistaking "not implemented" for "scanned, found nothing".
+var ErrUnsupportedModuleType = errors.New("unsupported module type")
+
 // httpRequest represents a generated HTTP request.
 type httpRequest struct {
 	Method   string
@@ -143,25 +149,52 @@ func generateHTTPRequests(target string, cfg *HTTPConfig) []*httpRequest {
 		return requests
 	}

-	// Generate requests with payloads
+	// pitchfork pairs path[i] with payload[i] and stops at the shorter list;
+	// clusterbomb (default) crosses every path with every payload.
+	if strings.EqualFold(cfg.Attack, "pitchfork") {
+		n := len(cfg.Paths)
+		if len(cfg.Payloads) < n {
+			n = len(cfg.Payloads)
+		}
+		for i := 0; i < n; i++ {
+			requests = append(requests, newPayloadRequest(method, target, cfg.Paths[i], cfg.Payloads[i], cfg))
+		}
+		return requests
+	}
+
 	for _, path := range cfg.Paths {
 		for _, payload := range cfg.Payloads {
-			url := substituteVariables(path, target, payload)
-			body := substituteVariables(cfg.Body, target, payload)
-			requests = append(requests, &httpRequest{
-				Method:   method,
-				URL:      url,
-				Headers:  cfg.Headers,
-				Body:     body,
-				Payload:  payload,
-				Original: path,
-			})
+			requests = append(requests, newPayloadRequest(method, target, path, payload, cfg))
 		}
 	}

 	return requests
 }

+// newPayloadRequest builds one request with the path and body templates
+// substituted for the given payload.
+func newPayloadRequest(method, target, path, payload string, cfg *HTTPConfig) *httpRequest {
+	return &httpRequest{
+		Method:   method,
+		URL:      substituteVariables(path, target, payload),
+		Headers:  cfg.Headers,
+		Body:     substituteVariables(cfg.Body, target, payload),
+		Payload:  payload,
+		Original: path,
+	}
+}
+
+// validateAttack rejects an attack mode that is not "", "clusterbomb", or
+// "pitchfork"; an empty value defaults to clusterbomb.
+func validateAttack(attack string) error {
+	switch strings.ToLower(attack) {
+	case "", "clusterbomb", "pitchfork":
+		return nil
+	default:
+		return fmt.Errorf("invalid attack %q (want \"clusterbomb\" or \"pitchfork\")", attack)
+	}
+}
+
 // substituteVariables replaces template variables in a string.
 func substituteVariables(template, baseURL, payload string) string {
 	result := template
@@ -260,6 +293,15 @@ func checkMatcher(m *Matcher, resp *http.Response, body string) bool {
 	case "regex":
 		return checkRegex(part, m.Regex, m.Condition)

+	case "size":
+		// size matches the response body length against any listed value.
+		for _, n := range m.Size {
+			if len(body) == n {
+				return true
+			}
+		}
+		return false
+
 	default:
 		return false
 	}
@@ -350,9 +392,9 @@ func runExtractors(extractors []Extractor, resp *http.Response, body string) map
 	result := make(map[string]string)

 	for _, e := range extractors {
-		part := getPart(e.Part, resp, body)
-
-		if e.Type == "regex" {
+		switch e.Type {
+		case "regex":
+			part := getPart(e.Part, resp, body)
 			for _, pattern := range e.Regex {
 				re, err := regexp.Compile(pattern)
 				if err != nil {
@@ -364,6 +406,16 @@ func runExtractors(extractors []Extractor, resp *http.Response, body string) map
 					break
 				}
 			}
+		case "kv":
+			// kv records response header key/values, namespaced by the extractor
+			// name when set (e.g. a headers module surfacing every header).
+			for k, v := range resp.Header {
+				key := k
+				if e.Name != "" {
+					key = e.Name + "." + k
+				}
+				result[key] = strings.Join(v, ", ")
+			}
 		}
 	}

@@ -379,22 +431,16 @@ func truncateEvidence(s string) string {
 	return s
 }

-// ExecuteDNSModule runs a DNS-based module (stub for now).
-func ExecuteDNSModule(ctx context.Context, target string, def *YAMLModule, opts Options) (*Result, error) {
-	// TODO: Implement DNS module execution
-	return &Result{
-		ModuleID: def.ID,
-		Target:   target,
-		Findings: []Finding{},
-	}, nil
+// ExecuteDNSModule runs a DNS-based module (not yet implemented).
+// returns ErrUnsupportedModuleType so the caller logs a clear failure rather
+// than reporting an empty (but successful-looking) result.
+func ExecuteDNSModule(_ context.Context, _ string, def *YAMLModule, _ Options) (*Result, error) {
+	return nil, fmt.Errorf("dns module %q: %w", def.ID, ErrUnsupportedModuleType)
 }

-// ExecuteTCPModule runs a TCP-based module (stub for now).
-func ExecuteTCPModule(ctx context.Context, target string, def *YAMLModule, opts Options) (*Result, error) {
-	// TODO: Implement TCP module execution
-	return &Result{
-		ModuleID: def.ID,
-		Target:   target,
-		Findings: []Finding{},
-	}, nil
+// ExecuteTCPModule runs a TCP-based module (not yet implemented).
+// returns ErrUnsupportedModuleType so the caller logs a clear failure rather
+// than reporting an empty (but successful-looking) result.
+func ExecuteTCPModule(_ context.Context, _ string, def *YAMLModule, _ Options) (*Result, error) {
+	return nil, fmt.Errorf("tcp module %q: %w", def.ID, ErrUnsupportedModuleType)
 }
@@ -0,0 +1,343 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package modules
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/httpx"
+)
+
+const testTimeout = 5 * time.Second
+
+// TestExecuteHTTPModuleMatchAndExtract drives the full executor against a live
+// httptest server: a request hits a path, a matcher fires, an extractor captures.
+func TestExecuteHTTPModuleMatchAndExtract(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/admin" {
+			w.Header().Set("X-App", "demo")
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(`flag{found-it} session=sess-4242`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer srv.Close()
+
+	def := &YAMLModule{
+		ID:   "test-http-hit",
+		Type: TypeHTTP,
+		Info: YAMLModuleInfo{Severity: "high"},
+		HTTP: &HTTPConfig{
+			Method: "GET",
+			Paths:  []string{"{{BaseURL}}/admin", "{{BaseURL}}/missing"},
+			Matchers: []Matcher{
+				{Type: "status", Status: []int{200}},
+				{Type: "word", Part: "body", Words: []string{"flag{found-it}"}},
+			},
+			Extractors: []Extractor{
+				{Type: "regex", Name: "session", Part: "body", Regex: []string{`session=(\S+)`}, Group: 1},
+			},
+		},
+	}
+
+	// route through the shared httpx client so proxy/-H/-rate-limit would apply.
+	opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
+
+	result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, opts)
+	if err != nil {
+		t.Fatalf("ExecuteHTTPModule: %v", err)
+	}
+
+	// only /admin satisfies status+word, /missing returns 404.
+	if len(result.Findings) != 1 {
+		t.Fatalf("got %d findings, want 1", len(result.Findings))
+	}
+	f := result.Findings[0]
+	if f.Severity != "high" {
+		t.Errorf("severity = %q, want high (carried from Info)", f.Severity)
+	}
+	if f.Extracted["session"] != "sess-4242" {
+		t.Errorf("extracted session = %q, want sess-4242", f.Extracted["session"])
+	}
+	if f.URL != srv.URL+"/admin" {
+		t.Errorf("finding url = %q, want %q", f.URL, srv.URL+"/admin")
+	}
+}
+
+// TestExecuteHTTPModuleNoMatch confirms a module that matches nothing reports
+// zero findings without erroring.
+func TestExecuteHTTPModuleNoMatch(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte("nothing interesting"))
+	}))
+	defer srv.Close()
+
+	def := &YAMLModule{
+		ID:   "test-http-miss",
+		Type: TypeHTTP,
+		HTTP: &HTTPConfig{
+			Paths: []string{"{{BaseURL}}/"},
+			Matchers: []Matcher{
+				{Type: "word", Part: "body", Words: []string{"never-present"}},
+			},
+		},
+	}
+
+	result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)})
+	if err != nil {
+		t.Fatalf("ExecuteHTTPModule: %v", err)
+	}
+	if len(result.Findings) != 0 {
+		t.Fatalf("got %d findings, want 0", len(result.Findings))
+	}
+}
+
+// TestExecuteHTTPModulePayloadExpansion verifies payload templates reach the
+// server and the matching response is captured.
+func TestExecuteHTTPModulePayloadExpansion(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// only the "boom" payload triggers the vulnerable branch.
+		if r.URL.Query().Get("q") == "boom" {
+			_, _ = w.Write([]byte("error: sql syntax near boom"))
+			return
+		}
+		_, _ = w.Write([]byte("ok"))
+	}))
+	defer srv.Close()
+
+	def := &YAMLModule{
+		ID:   "test-http-payload",
+		Type: TypeHTTP,
+		HTTP: &HTTPConfig{
+			Paths:    []string{"{{BaseURL}}/search?q={{payload}}"},
+			Payloads: []string{"safe", "boom"},
+			Matchers: []Matcher{
+				{Type: "word", Part: "body", Words: []string{"sql syntax"}},
+			},
+		},
+	}
+
+	result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)})
+	if err != nil {
+		t.Fatalf("ExecuteHTTPModule: %v", err)
+	}
+	if len(result.Findings) != 1 {
+		t.Fatalf("got %d findings, want 1 (only boom payload)", len(result.Findings))
+	}
+}
+
+// TestExecuteHTTPModuleSizeMatcher pins the size matcher: it fires when the
+// response body length equals a listed value and stays silent otherwise.
+func TestExecuteHTTPModuleSizeMatcher(t *testing.T) {
+	body := "1234567890" // 10 bytes
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
+	mod := func(id string, size int) *YAMLModule {
+		return &YAMLModule{
+			ID: id, Type: TypeHTTP,
+			HTTP: &HTTPConfig{
+				Paths:    []string{"{{BaseURL}}/"},
+				Matchers: []Matcher{{Type: "size", Size: []int{size}}},
+			},
+		}
+	}
+
+	hit, err := ExecuteHTTPModule(context.Background(), srv.URL, mod("size-hit", len(body)), opts)
+	if err != nil {
+		t.Fatalf("ExecuteHTTPModule(hit): %v", err)
+	}
+	if len(hit.Findings) != 1 {
+		t.Fatalf("size match: got %d findings, want 1", len(hit.Findings))
+	}
+
+	miss, err := ExecuteHTTPModule(context.Background(), srv.URL, mod("size-miss", len(body)+1), opts)
+	if err != nil {
+		t.Fatalf("ExecuteHTTPModule(miss): %v", err)
+	}
+	if len(miss.Findings) != 0 {
+		t.Fatalf("size mismatch: got %d findings, want 0", len(miss.Findings))
+	}
+}
+
+// TestExecuteHTTPModuleKvExtractor pins the kv extractor: it records response
+// header key/values onto the finding, namespaced by the extractor name.
+func TestExecuteHTTPModuleKvExtractor(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("Server", "nginx/1.25.3")
+		w.Header().Set("X-Powered-By", "PHP/8.2.0")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte("hello"))
+	}))
+	defer srv.Close()
+
+	def := &YAMLModule{
+		ID: "kv-mod", Type: TypeHTTP,
+		HTTP: &HTTPConfig{
+			Paths:      []string{"{{BaseURL}}/"},
+			Matchers:   []Matcher{{Type: "status", Status: []int{200}}},
+			Extractors: []Extractor{{Type: "kv", Name: "headers", Part: "header"}},
+		},
+	}
+
+	result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)})
+	if err != nil {
+		t.Fatalf("ExecuteHTTPModule: %v", err)
+	}
+	if len(result.Findings) != 1 {
+		t.Fatalf("got %d findings, want 1", len(result.Findings))
+	}
+	ex := result.Findings[0].Extracted
+	if ex["headers.Server"] != "nginx/1.25.3" {
+		t.Errorf("kv headers.Server = %q, want nginx/1.25.3", ex["headers.Server"])
+	}
+	if ex["headers.X-Powered-By"] != "PHP/8.2.0" {
+		t.Errorf("kv headers.X-Powered-By = %q, want PHP/8.2.0", ex["headers.X-Powered-By"])
+	}
+}
+
+func TestExecuteHTTPModuleNoConfig(t *testing.T) {
+	def := &YAMLModule{ID: "x", Type: TypeHTTP}
+	if _, err := ExecuteHTTPModule(context.Background(), "http://h", def, Options{}); err == nil {
+		t.Fatal("expected error when HTTP config is nil")
+	}
+}
+
+// TestExecuteHTTPModuleContextCancel pins the cancellation path. The dispatch
+// loop selects between ctx.Done() and the concurrency semaphore, so a cancelled
+// context can either short-circuit with ctx.Err() or let the in-flight request
+// fail on the dead context. Both are correct: the contract is "never hang, never
+// invent a finding", which is what we assert here rather than forcing one race
+// winner (that made this test flaky under -count).
+func TestExecuteHTTPModuleContextCancel(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer srv.Close()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	def := &YAMLModule{
+		ID:   "test-http-cancel",
+		Type: TypeHTTP,
+		HTTP: &HTTPConfig{
+			Paths:    []string{"{{BaseURL}}/a"},
+			Matchers: []Matcher{{Type: "status", Status: []int{200}}},
+		},
+	}
+
+	result, err := ExecuteHTTPModule(ctx, srv.URL, def, Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)})
+	if err != nil {
+		if !errors.Is(err, context.Canceled) {
+			t.Fatalf("err = %v, want context.Canceled or nil", err)
+		}
+		return
+	}
+	// no error means the request was dispatched but failed on the dead context;
+	// either way a cancelled scan must not surface findings.
+	if len(result.Findings) != 0 {
+		t.Fatalf("cancelled scan produced %d findings, want 0", len(result.Findings))
+	}
+}
+
+// TestExecuteDNSModuleUnsupported pins the current behavior: DNS execution is
+// not implemented and must signal it via ErrUnsupportedModuleType, not by
+// quietly returning an empty (successful-looking) result.
+func TestExecuteDNSModuleUnsupported(t *testing.T) {
+	def := &YAMLModule{ID: "dns-mod", Type: TypeDNS, DNS: &DNSConfig{Type: "A"}}
+	result, err := ExecuteDNSModule(context.Background(), "example.com", def, Options{})
+	if result != nil {
+		t.Errorf("result = %v, want nil for unsupported type", result)
+	}
+	if !errors.Is(err, ErrUnsupportedModuleType) {
+		t.Fatalf("err = %v, want ErrUnsupportedModuleType", err)
+	}
+}
+
+func TestExecuteTCPModuleUnsupported(t *testing.T) {
+	def := &YAMLModule{ID: "tcp-mod", Type: TypeTCP, TCP: &TCPConfig{Port: 22}}
+	result, err := ExecuteTCPModule(context.Background(), "example.com", def, Options{})
+	if result != nil {
+		t.Errorf("result = %v, want nil for unsupported type", result)
+	}
+	if !errors.Is(err, ErrUnsupportedModuleType) {
+		t.Fatalf("err = %v, want ErrUnsupportedModuleType", err)
+	}
+}
+
+// TestWrapperExecuteRoutesByType confirms the Module wrapper dispatches each
+// type to the right executor and propagates the unsupported-type sentinel.
+func TestWrapperExecuteRoutesByType(t *testing.T) {
+	t.Run("dns routes to unsupported", func(t *testing.T) {
+		def := &YAMLModule{ID: "d", Type: TypeDNS, DNS: &DNSConfig{}}
+		w := newYAMLModuleWrapper(def, "d.yaml")
+		if _, err := w.Execute(context.Background(), "t", Options{}); !errors.Is(err, ErrUnsupportedModuleType) {
+			t.Fatalf("err = %v, want ErrUnsupportedModuleType", err)
+		}
+	})
+
+	t.Run("tcp routes to unsupported", func(t *testing.T) {
+		def := &YAMLModule{ID: "t", Type: TypeTCP, TCP: &TCPConfig{}}
+		w := newYAMLModuleWrapper(def, "t.yaml")
+		if _, err := w.Execute(context.Background(), "t", Options{}); !errors.Is(err, ErrUnsupportedModuleType) {
+			t.Fatalf("err = %v, want ErrUnsupportedModuleType", err)
+		}
+	})
+
+	t.Run("missing http config errors", func(t *testing.T) {
+		def := &YAMLModule{ID: "h", Type: TypeHTTP}
+		w := newYAMLModuleWrapper(def, "h.yaml")
+		if _, err := w.Execute(context.Background(), "t", Options{}); err == nil {
+			t.Fatal("expected error for missing http config")
+		}
+	})
+
+	t.Run("unknown type errors", func(t *testing.T) {
+		def := &YAMLModule{ID: "z", Type: ModuleType("bogus")}
+		w := newYAMLModuleWrapper(def, "z.yaml")
+		if _, err := w.Execute(context.Background(), "t", Options{}); err == nil {
+			t.Fatal("expected error for unknown module type")
+		}
+	})
+}
+
+func TestTruncateEvidence(t *testing.T) {
+	short := "short evidence"
+	if got := truncateEvidence(short); got != short {
+		t.Errorf("short evidence changed: %q", got)
+	}
+
+	long := make([]byte, 600)
+	for i := range long {
+		long[i] = 'a'
+	}
+	got := truncateEvidence(string(long))
+	// 500 chars of content plus the ellipsis marker.
+	if len(got) != 503 {
+		t.Errorf("truncated len = %d, want 503", len(got))
+	}
+	if got[len(got)-3:] != "..." {
+		t.Errorf("truncated evidence missing ellipsis: %q", got[len(got)-3:])
+	}
+}
@@ -0,0 +1,168 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runHTTPDBModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func httpdbExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestHTTPDatabaseExposureModules(t *testing.T) {
+	const influxdb = "../../modules/recon/influxdb-api-exposure.yaml"
+	const arangodb = "../../modules/recon/arangodb-api-exposure.yaml"
+	const neo4j = "../../modules/recon/neo4j-api-exposure.yaml"
+
+	influxHealth := `{"name":"influxdb","message":"ready for queries and writes","status":"pass",` +
+		`"checks":[],"version":"2.9.1","commit":"a1b2c3d4"}`
+
+	arangoVersion := `{"server":"arango","version":"3.11.5","license":"community"}`
+
+	neo4jDiscovery := `{"bolt_routing":"neo4j://localhost:7687","transaction":"http://localhost:7474/db/{databaseName}/tx",` +
+		`"bolt_direct":"bolt://localhost:7687","neo4j_version":"5.13.0","neo4j_edition":"community"}`
+
+	t.Run("an exposed influxdb health endpoint is flagged and versioned", func(t *testing.T) {
+		res := runHTTPDBModule(t, influxdb, 200, influxHealth)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an influxdb finding")
+		}
+		if v := httpdbExtract(res, "influxdb_version"); v != "2.9.1" {
+			t.Errorf("influxdb_version=%q, want 2.9.1", v)
+		}
+	})
+
+	t.Run("an anonymous arangodb version endpoint is flagged and versioned", func(t *testing.T) {
+		res := runHTTPDBModule(t, arangodb, 200, arangoVersion)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an arangodb finding")
+		}
+		if v := httpdbExtract(res, "arangodb_version"); v != "3.11.5" {
+			t.Errorf("arangodb_version=%q, want 3.11.5", v)
+		}
+	})
+
+	t.Run("an exposed neo4j discovery endpoint is flagged and versioned", func(t *testing.T) {
+		res := runHTTPDBModule(t, neo4j, 200, neo4jDiscovery)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a neo4j finding")
+		}
+		if v := httpdbExtract(res, "neo4j_version"); v != "5.13.0" {
+			t.Errorf("neo4j_version=%q, want 5.13.0", v)
+		}
+	})
+
+	t.Run("an influxdb name without the health message is not flagged", func(t *testing.T) {
+		body := `{"name":"influxdb","status":"pass"}`
+		if res := runHTTPDBModule(t, influxdb, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an influxdb name alone should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a health message without the influxdb name is not flagged", func(t *testing.T) {
+		body := `{"name":"telegraf","message":"ready for queries and writes"}`
+		if res := runHTTPDBModule(t, influxdb, 200, body); len(res.Findings) > 0 {
+			t.Errorf("the message alone should not match influxdb, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an arango without a license field is still flagged", func(t *testing.T) {
+		body := `{"server":"arango","version":"3.11.5"}`
+		res := runHTTPDBModule(t, arangodb, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an arangodb finding without a license field (pre-3.12)")
+		}
+		if v := httpdbExtract(res, "arangodb_version"); v != "3.11.5" {
+			t.Errorf("arangodb_version=%q, want 3.11.5", v)
+		}
+	})
+
+	t.Run("a non-arango version response is not flagged", func(t *testing.T) {
+		body := `{"server":"foundationdb","version":"1.0.0"}`
+		if res := runHTTPDBModule(t, arangodb, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a non-arango server should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an arango response without a version is not flagged", func(t *testing.T) {
+		body := `{"server":"arango"}`
+		if res := runHTTPDBModule(t, arangodb, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an arango without a version should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an arango that requires auth is not flagged", func(t *testing.T) {
+		if res := runHTTPDBModule(t, arangodb, 401, arangoVersion); len(res.Findings) > 0 {
+			t.Errorf("a 401 arango should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a neo4j version without an edition is not flagged", func(t *testing.T) {
+		body := `{"neo4j_version":"5.13.0","transaction":"http://localhost:7474/db/neo4j/tx"}`
+		if res := runHTTPDBModule(t, neo4j, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a neo4j version alone should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a neo4j edition without a version is not flagged", func(t *testing.T) {
+		body := `{"neo4j_edition":"community","bolt_routing":"neo4j://localhost:7687"}`
+		if res := runHTTPDBModule(t, neo4j, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a neo4j edition alone should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic health json is not influxdb", func(t *testing.T) {
+		body := `{"status":"UP","components":{"db":{"status":"UP"}}}`
+		if res := runHTTPDBModule(t, influxdb, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic health should not match influxdb, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{influxdb, arangodb, neo4j} {
+			if res := runHTTPDBModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{influxdb, arangodb, neo4j} {
+			if res := runHTTPDBModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,269 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package modules
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// writeModule drops a yaml file into a temp dir and returns its path.
+func writeModule(t *testing.T, dir, name, content string) string {
+	t.Helper()
+	path := filepath.Join(dir, name)
+	if err := os.WriteFile(path, []byte(content), 0o600); err != nil {
+		t.Fatalf("write module: %v", err)
+	}
+	return path
+}
+
+func TestParseYAMLModuleValid(t *testing.T) {
+	const doc = `id: example-http
+type: http
+info:
+  name: Example
+  author: azzie
+  severity: medium
+  description: a test module
+  tags: [test, demo]
+http:
+  method: GET
+  paths:
+    - "{{BaseURL}}/admin"
+  matchers:
+    - type: status
+      status: [200]
+    - type: word
+      part: body
+      words: ["admin"]
+      condition: and
+  extractors:
+    - type: regex
+      name: token
+      part: body
+      regex: ["token=(\\w+)"]
+      group: 1
+`
+	dir := t.TempDir()
+	path := writeModule(t, dir, "ok.yaml", doc)
+
+	def, err := ParseYAMLModule(path)
+	if err != nil {
+		t.Fatalf("ParseYAMLModule: %v", err)
+	}
+	if def.ID != "example-http" {
+		t.Errorf("id = %q, want example-http", def.ID)
+	}
+	if def.Type != TypeHTTP {
+		t.Errorf("type = %q, want http", def.Type)
+	}
+	if def.Info.Severity != "medium" {
+		t.Errorf("severity = %q, want medium", def.Info.Severity)
+	}
+	if def.HTTP == nil {
+		t.Fatal("http config not parsed")
+	}
+	if len(def.HTTP.Matchers) != 2 {
+		t.Errorf("got %d matchers, want 2", len(def.HTTP.Matchers))
+	}
+	if len(def.HTTP.Extractors) != 1 || def.HTTP.Extractors[0].Group != 1 {
+		t.Errorf("extractor not parsed correctly: %+v", def.HTTP.Extractors)
+	}
+	if len(def.Info.Tags) != 2 {
+		t.Errorf("got %d tags, want 2", len(def.Info.Tags))
+	}
+}
+
+func TestParseYAMLModuleErrors(t *testing.T) {
+	dir := t.TempDir()
+
+	tests := []struct {
+		name    string
+		content string
+	}{
+		{
+			name:    "missing id",
+			content: "type: http\nhttp:\n  paths: [\"/\"]\n",
+		},
+		{
+			name:    "missing type",
+			content: "id: no-type\nhttp:\n  paths: [\"/\"]\n",
+		},
+		{
+			name:    "malformed yaml",
+			content: "id: bad\ntype: http\n  paths: [unbalanced\n   : nope\n",
+		},
+		{
+			// a scalar where a mapping is expected must fail to unmarshal.
+			name:    "type mismatch",
+			content: "id: bad-shape\ntype: http\nhttp: \"should-be-a-map\"\n",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			path := writeModule(t, dir, tt.name+".yaml", tt.content)
+			if _, err := ParseYAMLModule(path); err == nil {
+				t.Fatalf("expected error for %s", tt.name)
+			}
+		})
+	}
+}
+
+func TestParseYAMLModuleMissingFile(t *testing.T) {
+	if _, err := ParseYAMLModule(filepath.Join(t.TempDir(), "does-not-exist.yaml")); err == nil {
+		t.Fatal("expected error for missing file")
+	}
+}
+
+func TestYAMLModuleWrapperInfoAndType(t *testing.T) {
+	def := &YAMLModule{
+		ID:   "wrap-test",
+		Type: TypeHTTP,
+		Info: YAMLModuleInfo{
+			Name:        "Wrapped",
+			Author:      "azzie",
+			Severity:    "low",
+			Description: "desc",
+			Tags:        []string{"a", "b"},
+		},
+	}
+	w := newYAMLModuleWrapper(def, "wrap.yaml")
+
+	if w.Type() != TypeHTTP {
+		t.Errorf("Type() = %q, want http", w.Type())
+	}
+	info := w.Info()
+	if info.ID != "wrap-test" || info.Name != "Wrapped" || info.Severity != "low" {
+		t.Errorf("Info() mismatch: %+v", info)
+	}
+	if len(info.Tags) != 2 {
+		t.Errorf("Info().Tags = %v, want 2 entries", info.Tags)
+	}
+}
+
+// TestLoaderLoadAll exercises the directory walk: a valid module registers, a
+// malformed one is skipped without aborting the walk.
+func TestLoaderLoadAll(t *testing.T) {
+	Clear()
+	t.Cleanup(Clear)
+
+	dir := t.TempDir()
+	writeModule(t, dir, "good.yaml", "id: good-mod\ntype: http\nhttp:\n  paths: [\"{{BaseURL}}/\"]\n  matchers:\n    - type: status\n      status: [200]\n")
+	writeModule(t, dir, "bad.yml", "id: bad-mod\n") // missing type -> skipped
+	writeModule(t, dir, "ignore.txt", "not a module")
+
+	l := &Loader{builtinDir: dir, userDir: filepath.Join(dir, "nonexistent-user")}
+	if err := l.LoadAll(); err != nil {
+		t.Fatalf("LoadAll: %v", err)
+	}
+
+	// only the good module loads; the malformed one is logged and skipped.
+	if l.Loaded() != 1 {
+		t.Errorf("Loaded() = %d, want 1", l.Loaded())
+	}
+	if _, ok := Get("good-mod"); !ok {
+		t.Error("good-mod not registered")
+	}
+	if _, ok := Get("bad-mod"); ok {
+		t.Error("bad-mod should not have registered")
+	}
+}
+
+func TestNewLoaderDirs(t *testing.T) {
+	l, err := NewLoader()
+	if err != nil {
+		t.Fatalf("NewLoader: %v", err)
+	}
+	if l.BuiltinDir() == "" {
+		t.Error("BuiltinDir is empty")
+	}
+	if l.UserDir() == "" {
+		t.Error("UserDir is empty")
+	}
+}
+
+// TestRegistry exercises the package-level registry: register, get, dedupe by
+// id, filter by tag and type, count and clear.
+func TestRegistry(t *testing.T) {
+	Clear()
+	t.Cleanup(Clear)
+
+	http1 := newYAMLModuleWrapper(&YAMLModule{ID: "h1", Type: TypeHTTP, Info: YAMLModuleInfo{Tags: []string{"web", "cve"}}}, "h1")
+	http2 := newYAMLModuleWrapper(&YAMLModule{ID: "h2", Type: TypeHTTP, Info: YAMLModuleInfo{Tags: []string{"web"}}}, "h2")
+	dns1 := newYAMLModuleWrapper(&YAMLModule{ID: "d1", Type: TypeDNS, Info: YAMLModuleInfo{Tags: []string{"dns"}}}, "d1")
+
+	Register(http1)
+	Register(http2)
+	Register(dns1)
+
+	if Count() != 3 {
+		t.Fatalf("Count() = %d, want 3", Count())
+	}
+
+	got, ok := Get("h1")
+	if !ok || got.Info().ID != "h1" {
+		t.Errorf("Get(h1) = %v, %v", got, ok)
+	}
+	if _, ok := Get("missing"); ok {
+		t.Error("Get(missing) should report not found")
+	}
+
+	if n := len(ByType(TypeHTTP)); n != 2 {
+		t.Errorf("ByType(http) = %d, want 2", n)
+	}
+	if n := len(ByType(TypeDNS)); n != 1 {
+		t.Errorf("ByType(dns) = %d, want 1", n)
+	}
+	if n := len(ByTag("web")); n != 2 {
+		t.Errorf("ByTag(web) = %d, want 2", n)
+	}
+	if n := len(ByTag("cve")); n != 1 {
+		t.Errorf("ByTag(cve) = %d, want 1", n)
+	}
+	if n := len(ByTag("none")); n != 0 {
+		t.Errorf("ByTag(none) = %d, want 0", n)
+	}
+	if n := len(All()); n != 3 {
+		t.Errorf("All() = %d, want 3", n)
+	}
+
+	// re-registering the same id overwrites rather than duplicating.
+	Register(newYAMLModuleWrapper(&YAMLModule{ID: "h1", Type: TypeHTTP}, "h1-v2"))
+	if Count() != 3 {
+		t.Errorf("Count() after re-register = %d, want 3", Count())
+	}
+
+	Clear()
+	if Count() != 0 {
+		t.Errorf("Count() after Clear = %d, want 0", Count())
+	}
+}
+
+// TestResultType pins the ScanResult interface bridge.
+func TestResultType(t *testing.T) {
+	r := &Result{ModuleID: "abc"}
+	if r.ResultType() != "abc" {
+		t.Errorf("ResultType() = %q, want abc", r.ResultType())
+	}
+}
+
+// TestLoaderScriptStubNoop confirms the go-script loader is currently a no-op
+// that registers nothing and returns no error.
+func TestLoaderScriptStubNoop(t *testing.T) {
+	l := &Loader{}
+	if err := l.loadScript("anything.go"); err != nil {
+		t.Errorf("loadScript stub returned error: %v", err)
+	}
+}
@@ -0,0 +1,155 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runMgmtModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func mgmtExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestManagementAPIExposureModules(t *testing.T) {
+	const kong = "../../modules/recon/kong-api-exposure.yaml"
+	const jolokia = "../../modules/recon/jolokia-api-exposure.yaml"
+	const nats = "../../modules/recon/nats-api-exposure.yaml"
+
+	kongRoot := `{"version":"3.4.0","tagline":"Welcome to kong","hostname":"kong-node","node_id":"abc",` +
+		`"lua_version":"LuaJIT 2.1.0","plugins":{"available_on_server":{}},` +
+		`"configuration":{"database":"postgres","admin_listen":["0.0.0.0:8001"]}}`
+
+	jolokiaVersion := `{"request":{"type":"version"},"value":{"agent":"1.7.2","protocol":"7.2",` +
+		`"config":{"agentType":"servlet"},"info":{"product":"tomcat"}},"status":200,"timestamp":1694598949}`
+
+	natsVarz := `{"server_id":"NDABC","server_name":"NDABC","version":"2.10.1","proto":1,"go":"go1.21.1",` +
+		`"host":"0.0.0.0","port":4222,"max_connections":65536,"max_payload":1048576,"connections":3,"total_connections":10}`
+
+	t.Run("an exposed kong admin api is flagged and versioned", func(t *testing.T) {
+		res := runMgmtModule(t, kong, 200, kongRoot)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a kong finding")
+		}
+		if v := mgmtExtract(res, "kong_version"); v != "3.4.0" {
+			t.Errorf("kong_version=%q, want 3.4.0", v)
+		}
+	})
+
+	t.Run("an exposed jolokia agent is flagged and versioned", func(t *testing.T) {
+		res := runMgmtModule(t, jolokia, 200, jolokiaVersion)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a jolokia finding")
+		}
+		if v := mgmtExtract(res, "jolokia_agent_version"); v != "1.7.2" {
+			t.Errorf("jolokia_agent_version=%q, want 1.7.2", v)
+		}
+	})
+
+	t.Run("an exposed nats monitor is flagged and versioned", func(t *testing.T) {
+		res := runMgmtModule(t, nats, 200, natsVarz)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a nats finding")
+		}
+		if v := mgmtExtract(res, "nats_version"); v != "2.10.1" {
+			t.Errorf("nats_version=%q, want 2.10.1", v)
+		}
+	})
+
+	t.Run("an available plugins map without an admin listen is not flagged", func(t *testing.T) {
+		body := `{"plugins":{"available_on_server":{}},"version":"3.4.0"}`
+		if res := runMgmtModule(t, kong, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an available plugins map alone should not match kong, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an admin listen without an available plugins map is not flagged", func(t *testing.T) {
+		body := `{"configuration":{"admin_listen":["0.0.0.0:8001"]},"version":"1.0"}`
+		if res := runMgmtModule(t, kong, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an admin listen alone should not match kong, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a jolokia agent without a protocol is not flagged", func(t *testing.T) {
+		body := `{"value":{"agent":"1.7.2"}}`
+		if res := runMgmtModule(t, jolokia, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an agent alone should not match jolokia, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a jolokia protocol without an agent is not flagged", func(t *testing.T) {
+		body := `{"value":{"protocol":"7.2"},"info":{}}`
+		if res := runMgmtModule(t, jolokia, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a protocol alone should not match jolokia, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a nats server id without a max payload is not flagged", func(t *testing.T) {
+		body := `{"server_id":"NDABC","version":"2.10.1"}`
+		if res := runMgmtModule(t, nats, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a server id alone should not match nats, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a max payload without a nats server id is not flagged", func(t *testing.T) {
+		body := `{"max_payload":1048576,"port":4222}`
+		if res := runMgmtModule(t, nats, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a max payload alone should not match nats, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic version json is not a management api", func(t *testing.T) {
+		body := `{"version":"1.0.0","name":"app"}`
+		for _, file := range []string{kong, jolokia, nats} {
+			if res := runMgmtModule(t, file, 200, body); len(res.Findings) > 0 {
+				t.Errorf("%s: a generic version should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{kong, jolokia, nats} {
+			if res := runMgmtModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{kong, jolokia, nats} {
+			if res := runMgmtModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,465 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package modules
+
+import (
+	"net/http"
+	"strings"
+	"testing"
+)
+
+// fakeResponse builds a minimal *http.Response for matcher/extractor tests.
+// it carries no real socket (Body is http.NoBody), so there is nothing to
+// close; bodyclose is excluded for test files in .golangci.yml. header drives
+// the header/all parts without a live server; matchers read the body string
+// argument, not resp.Body.
+func fakeResponse(t *testing.T, status int, header http.Header) *http.Response {
+	t.Helper()
+	if header == nil {
+		header = http.Header{}
+	}
+	return &http.Response{StatusCode: status, Header: header, Body: http.NoBody}
+}
+
+func TestCheckMatcherStatus(t *testing.T) {
+	tests := []struct {
+		name   string
+		status int
+		want   []int
+		expect bool
+	}{
+		{name: "single match", status: 200, want: []int{200}, expect: true},
+		{name: "one of many", status: 404, want: []int{200, 301, 404}, expect: true},
+		{name: "no match", status: 500, want: []int{200, 404}, expect: false},
+		{name: "empty status list", status: 200, want: nil, expect: false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := &Matcher{Type: "status", Status: tt.want}
+			resp := fakeResponse(t, tt.status, nil)
+			if got := checkMatcher(m, resp, ""); got != tt.expect {
+				t.Errorf("checkMatcher status = %v, want %v", got, tt.expect)
+			}
+		})
+	}
+}
+
+func TestCheckMatcherWord(t *testing.T) {
+	const body = "welcome admin dashboard"
+
+	tests := []struct {
+		name      string
+		words     []string
+		condition string
+		expect    bool
+	}{
+		{name: "and all present", words: []string{"admin", "dashboard"}, condition: "and", expect: true},
+		{name: "and one missing", words: []string{"admin", "missing"}, condition: "and", expect: false},
+		{name: "default is and", words: []string{"admin", "missing"}, condition: "", expect: false},
+		{name: "or one present", words: []string{"missing", "admin"}, condition: "or", expect: true},
+		{name: "or none present", words: []string{"missing", "absent"}, condition: "or", expect: false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := &Matcher{Type: "word", Part: "body", Words: tt.words, Condition: tt.condition}
+			resp := fakeResponse(t, 200, nil)
+			if got := checkMatcher(m, resp, body); got != tt.expect {
+				t.Errorf("checkMatcher word = %v, want %v", got, tt.expect)
+			}
+		})
+	}
+}
+
+func TestCheckMatcherRegex(t *testing.T) {
+	const body = "version 1.2.3 build 99"
+
+	tests := []struct {
+		name      string
+		patterns  []string
+		condition string
+		expect    bool
+	}{
+		{name: "and all match", patterns: []string{`version \d`, `build \d+`}, condition: "and", expect: true},
+		{name: "and one fails", patterns: []string{`version \d`, `nope\d`}, condition: "and", expect: false},
+		{name: "or one matches", patterns: []string{`nope`, `build \d+`}, condition: "or", expect: true},
+		{name: "or none match", patterns: []string{`nope`, `zilch`}, condition: "or", expect: false},
+		// an invalid pattern under AND must fail closed, not panic.
+		{name: "and invalid pattern fails closed", patterns: []string{`version \d`, `(`}, condition: "and", expect: false},
+		// under OR an invalid pattern is skipped, a later valid one can still hit.
+		{name: "or invalid pattern skipped", patterns: []string{`(`, `build \d+`}, condition: "or", expect: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := &Matcher{Type: "regex", Part: "body", Regex: tt.patterns, Condition: tt.condition}
+			resp := fakeResponse(t, 200, nil)
+			if got := checkMatcher(m, resp, body); got != tt.expect {
+				t.Errorf("checkMatcher regex = %v, want %v", got, tt.expect)
+			}
+		})
+	}
+}
+
+func TestCheckMatcherHeaderPart(t *testing.T) {
+	header := http.Header{"X-Powered-By": []string{"PHP/8.1"}}
+	resp := fakeResponse(t, 200, header)
+
+	m := &Matcher{Type: "word", Part: "header", Words: []string{"PHP/8.1"}}
+	if !checkMatcher(m, resp, "body-content") {
+		t.Error("expected header-part word matcher to hit on header value")
+	}
+
+	// the same word lives only in the header, so a body-part matcher must miss.
+	mBody := &Matcher{Type: "word", Part: "body", Words: []string{"PHP/8.1"}}
+	if checkMatcher(mBody, resp, "body-content") {
+		t.Error("body-part matcher should not see header-only value")
+	}
+}
+
+func TestCheckMatcherUnknownType(t *testing.T) {
+	m := &Matcher{Type: "size", Part: "body"}
+	resp := fakeResponse(t, 200, nil)
+	if checkMatcher(m, resp, "anything") {
+		t.Error("unknown matcher type should not match")
+	}
+}
+
+func TestCheckMatchers(t *testing.T) {
+	resp := fakeResponse(t, 200, http.Header{"Server": []string{"nginx"}})
+	const body = "secret token here"
+
+	tests := []struct {
+		name     string
+		matchers []Matcher
+		expect   bool
+	}{
+		{
+			name:     "empty matchers never match",
+			matchers: nil,
+			expect:   false,
+		},
+		{
+			name: "all matchers pass (AND across matchers)",
+			matchers: []Matcher{
+				{Type: "status", Status: []int{200}},
+				{Type: "word", Part: "body", Words: []string{"secret"}},
+			},
+			expect: true,
+		},
+		{
+			name: "one matcher fails breaks AND",
+			matchers: []Matcher{
+				{Type: "status", Status: []int{200}},
+				{Type: "word", Part: "body", Words: []string{"absent"}},
+			},
+			expect: false,
+		},
+		{
+			name: "negative inverts a non-match into a pass",
+			matchers: []Matcher{
+				{Type: "word", Part: "body", Words: []string{"absent"}, Negative: true},
+			},
+			expect: true,
+		},
+		{
+			name: "negative inverts a match into a fail",
+			matchers: []Matcher{
+				{Type: "word", Part: "body", Words: []string{"secret"}, Negative: true},
+			},
+			expect: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := checkMatchers(tt.matchers, resp, body); got != tt.expect {
+				t.Errorf("checkMatchers = %v, want %v", got, tt.expect)
+			}
+		})
+	}
+}
+
+func TestCheckWords(t *testing.T) {
+	const content = "alpha beta gamma"
+
+	tests := []struct {
+		name      string
+		words     []string
+		condition string
+		expect    bool
+	}{
+		{name: "and all present", words: []string{"alpha", "gamma"}, condition: "and", expect: true},
+		{name: "and missing", words: []string{"alpha", "delta"}, condition: "and", expect: false},
+		{name: "or present", words: []string{"delta", "beta"}, condition: "or", expect: true},
+		{name: "or absent", words: []string{"delta", "epsilon"}, condition: "or", expect: false},
+		{name: "empty under and matches vacuously", words: nil, condition: "and", expect: true},
+		{name: "empty under or matches nothing", words: nil, condition: "or", expect: false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := checkWords(content, tt.words, tt.condition); got != tt.expect {
+				t.Errorf("checkWords = %v, want %v", got, tt.expect)
+			}
+		})
+	}
+}
+
+func TestCheckRegex(t *testing.T) {
+	const content = "id=42 name=root"
+
+	tests := []struct {
+		name      string
+		patterns  []string
+		condition string
+		expect    bool
+	}{
+		{name: "and all match", patterns: []string{`id=\d+`, `name=\w+`}, condition: "and", expect: true},
+		{name: "and one fails", patterns: []string{`id=\d+`, `zzz`}, condition: "and", expect: false},
+		{name: "or first matches", patterns: []string{`id=\d+`, `zzz`}, condition: "or", expect: true},
+		{name: "or none match", patterns: []string{`xxx`, `zzz`}, condition: "or", expect: false},
+		{name: "and bad regex fails closed", patterns: []string{`(`}, condition: "and", expect: false},
+		{name: "or bad regex skipped then match", patterns: []string{`(`, `name=\w+`}, condition: "or", expect: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := checkRegex(content, tt.patterns, tt.condition); got != tt.expect {
+				t.Errorf("checkRegex = %v, want %v", got, tt.expect)
+			}
+		})
+	}
+}
+
+func TestGetPart(t *testing.T) {
+	header := http.Header{"Server": []string{"nginx"}}
+	resp := fakeResponse(t, 200, header)
+	const body = "page body"
+
+	if got := getPart("body", resp, body); got != body {
+		t.Errorf("getPart body = %q, want %q", got, body)
+	}
+
+	headerPart := getPart("header", resp, body)
+	if !strings.Contains(headerPart, "Server") || !strings.Contains(headerPart, "nginx") {
+		t.Errorf("getPart header = %q, want it to include the header", headerPart)
+	}
+	if strings.Contains(headerPart, body) {
+		t.Errorf("getPart header should not include body, got %q", headerPart)
+	}
+
+	all := getPart("all", resp, body)
+	if !strings.Contains(all, "nginx") || !strings.Contains(all, body) {
+		t.Errorf("getPart all = %q, want both header and body", all)
+	}
+
+	// an unrecognised part falls back to the body.
+	if got := getPart("weird", resp, body); got != body {
+		t.Errorf("getPart fallback = %q, want body %q", got, body)
+	}
+
+	// empty part behaves like "all".
+	if got := getPart("", resp, body); !strings.Contains(got, "nginx") || !strings.Contains(got, body) {
+		t.Errorf("getPart empty = %q, want both header and body", got)
+	}
+}
+
+func TestRunExtractors(t *testing.T) {
+	resp := fakeResponse(t, 200, http.Header{"X-Token": []string{"abc123"}})
+	const body = `{"session":"sess-7788","role":"admin"}`
+
+	tests := []struct {
+		name       string
+		extractors []Extractor
+		wantKey    string
+		wantVal    string
+		wantNil    bool
+	}{
+		{
+			name:       "no extractors yields nil",
+			extractors: nil,
+			wantNil:    true,
+		},
+		{
+			name: "regex capture group on body",
+			extractors: []Extractor{
+				{Type: "regex", Name: "session", Part: "body", Regex: []string{`"session":"([^"]+)"`}, Group: 1},
+			},
+			wantKey: "session",
+			wantVal: "sess-7788",
+		},
+		{
+			name: "group zero is the whole match",
+			extractors: []Extractor{
+				{Type: "regex", Name: "role", Part: "body", Regex: []string{`role":"admin`}, Group: 0},
+			},
+			wantKey: "role",
+			wantVal: `role":"admin`,
+		},
+		{
+			name: "extract from header part",
+			extractors: []Extractor{
+				{Type: "regex", Name: "token", Part: "header", Regex: []string{`X-Token: (\S+)`}, Group: 1},
+			},
+			wantKey: "token",
+			wantVal: "abc123",
+		},
+		{
+			name: "first matching pattern wins",
+			extractors: []Extractor{
+				{Type: "regex", Name: "session", Part: "body", Regex: []string{`nomatch(\d+)`, `"session":"([^"]+)"`}, Group: 1},
+			},
+			wantKey: "session",
+			wantVal: "sess-7788",
+		},
+		{
+			name: "group index out of range is skipped",
+			extractors: []Extractor{
+				{Type: "regex", Name: "session", Part: "body", Regex: []string{`"session":"([^"]+)"`}, Group: 5},
+			},
+			wantNil: true,
+		},
+		{
+			name: "invalid pattern is skipped, no capture",
+			extractors: []Extractor{
+				{Type: "regex", Name: "session", Part: "body", Regex: []string{`(`}, Group: 1},
+			},
+			wantNil: true,
+		},
+		{
+			name: "unknown extractor type is ignored",
+			extractors: []Extractor{
+				{Type: "bogus", Name: "session", Part: "body", Regex: []string{`"session":"([^"]+)"`}, Group: 1},
+			},
+			wantNil: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := runExtractors(tt.extractors, resp, body)
+			if tt.wantNil {
+				if len(got) != 0 {
+					t.Errorf("runExtractors = %v, want empty", got)
+				}
+				return
+			}
+			if got[tt.wantKey] != tt.wantVal {
+				t.Errorf("runExtractors[%q] = %q, want %q", tt.wantKey, got[tt.wantKey], tt.wantVal)
+			}
+		})
+	}
+}
+
+func TestSubstituteVariables(t *testing.T) {
+	tests := []struct {
+		name     string
+		template string
+		baseURL  string
+		payload  string
+		want     string
+	}{
+		{
+			name:     "baseurl both cases",
+			template: "{{BaseURL}}/x and {{baseurl}}/y",
+			baseURL:  "http://h",
+			want:     "http://h/x and http://h/y",
+		},
+		{
+			name:     "payload both cases",
+			template: "q={{payload}}&r={{Payload}}",
+			payload:  "<script>",
+			want:     "q=<script>&r=<script>",
+		},
+		{
+			name:     "combined base and payload",
+			template: "{{BaseURL}}/search?q={{payload}}",
+			baseURL:  "http://h",
+			payload:  "x",
+			want:     "http://h/search?q=x",
+		},
+		{
+			name:     "no placeholders untouched",
+			template: "/static/path",
+			baseURL:  "http://h",
+			want:     "/static/path",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := substituteVariables(tt.template, tt.baseURL, tt.payload); got != tt.want {
+				t.Errorf("substituteVariables = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestGenerateHTTPRequests(t *testing.T) {
+	t.Run("paths without payloads", func(t *testing.T) {
+		cfg := &HTTPConfig{
+			Paths: []string{"{{BaseURL}}/a", "{{BaseURL}}/b"},
+		}
+		// trailing slash on the target must be trimmed before substitution.
+		got := generateHTTPRequests("http://h/", cfg)
+		if len(got) != 2 {
+			t.Fatalf("got %d requests, want 2", len(got))
+		}
+		if got[0].Method != "GET" {
+			t.Errorf("default method = %q, want GET", got[0].Method)
+		}
+		if got[0].URL != "http://h/a" || got[1].URL != "http://h/b" {
+			t.Errorf("urls = %q,%q", got[0].URL, got[1].URL)
+		}
+	})
+
+	t.Run("payload expansion is path x payload", func(t *testing.T) {
+		cfg := &HTTPConfig{
+			Method:   "POST",
+			Paths:    []string{"{{BaseURL}}/q?x={{payload}}"},
+			Payloads: []string{"1", "2", "3"},
+			Body:     "data={{payload}}",
+		}
+		got := generateHTTPRequests("http://h", cfg)
+		if len(got) != 3 {
+			t.Fatalf("got %d requests, want 3", len(got))
+		}
+		for i, want := range []string{"1", "2", "3"} {
+			if got[i].Payload != want {
+				t.Errorf("req %d payload = %q, want %q", i, got[i].Payload, want)
+			}
+			if got[i].URL != "http://h/q?x="+want {
+				t.Errorf("req %d url = %q", i, got[i].URL)
+			}
+			if got[i].Body != "data="+want {
+				t.Errorf("req %d body = %q", i, got[i].Body)
+			}
+			if got[i].Method != "POST" {
+				t.Errorf("req %d method = %q, want POST", i, got[i].Method)
+			}
+		}
+	})
+
+	t.Run("multiple paths times multiple payloads", func(t *testing.T) {
+		cfg := &HTTPConfig{
+			Paths:    []string{"{{BaseURL}}/a", "{{BaseURL}}/b"},
+			Payloads: []string{"x", "y"},
+		}
+		got := generateHTTPRequests("http://h", cfg)
+		if len(got) != 4 {
+			t.Fatalf("got %d requests, want 4 (2 paths x 2 payloads)", len(got))
+		}
+	})
+}
@@ -91,6 +91,7 @@ type Matcher struct {
 	Regex     []string `yaml:"regex,omitempty"`
 	Words     []string `yaml:"words,omitempty"`
 	Status    []int    `yaml:"status,omitempty"`
+	Size      []int    `yaml:"size,omitempty"`
 	Condition string   `yaml:"condition"` // and, or
 	Negative  bool     `yaml:"negative"`
 }
@@ -98,7 +99,7 @@ type Matcher struct {
 // Extractor defines data extraction from responses.
 // Extractors pull specific data from matched responses for reporting.
 type Extractor struct {
-	Type  string   `yaml:"type"` // regex, kval, json
+	Type  string   `yaml:"type"` // regex, kv, json
 	Name  string   `yaml:"name"`
 	Part  string   `yaml:"part"`
 	Regex []string `yaml:"regex,omitempty"`
@@ -0,0 +1,112 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+// runOpsModule runs a shipped module end to end against a server that returns
+// the same status and body for every path it requests.
+func runOpsModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func opsExtracted(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v, ok := f.Extracted[key]; ok {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestOpsPanelModules(t *testing.T) {
+	cases := []struct {
+		name        string
+		file        string
+		status      int
+		body        string
+		wantFinding bool
+		versionKey  string
+		versionVal  string
+	}{
+		{
+			name: "portainer status api", file: "../../modules/info/portainer-panel.yaml", status: 200,
+			body:        `{"Edition":"CE","Version":"2.19.4","InstanceID":"a1b2c3"}`,
+			wantFinding: true, versionKey: "portainer_version", versionVal: "2.19.4",
+		},
+		{
+			name: "portainer version-only json is not a match", file: "../../modules/info/portainer-panel.yaml", status: 200,
+			body: `{"Version":"1.0.0"}`, wantFinding: false,
+		},
+		{
+			name: "portainer real body behind a 404 is not a match", file: "../../modules/info/portainer-panel.yaml", status: 404,
+			body: `{"Edition":"CE","Version":"2.19.4","InstanceID":"a1b2c3"}`, wantFinding: false,
+		},
+		{
+			name: "traefik version api", file: "../../modules/info/traefik-panel.yaml", status: 200,
+			body:        `{"Version":"2.10.4","Codename":"saintnectaire","startDate":"2024-01-01T00:00:00Z"}`,
+			wantFinding: true, versionKey: "traefik_version", versionVal: "2.10.4",
+		},
+		{
+			name: "traefik without codename is not a match", file: "../../modules/info/traefik-panel.yaml", status: 200,
+			body: `{"Version":"2.10.4"}`, wantFinding: false,
+		},
+		{
+			name: "keycloak realm endpoint", file: "../../modules/info/keycloak-panel.yaml", status: 200,
+			body:        `{"realm":"master","public_key":"MIIBIjAN","token-service":"https://h/realms/master/protocol/openid-connect","account-service":"https://h/realms/master/account"}`,
+			wantFinding: true, versionKey: "keycloak_realm", versionVal: "master",
+		},
+		{
+			name: "keycloak partial realm json is not a match", file: "../../modules/info/keycloak-panel.yaml", status: 200,
+			body: `{"realm":"master","public_key":"MIIBIjAN"}`, wantFinding: false,
+		},
+		{
+			name: "rabbitmq management ui", file: "../../modules/info/rabbitmq-panel.yaml", status: 200,
+			body:        `<!DOCTYPE html><html><head><title>RabbitMQ Management</title></head><body><img src="img/rabbitmqlogo.svg"></body></html>`,
+			wantFinding: true,
+		},
+		{
+			name: "rabbitmq unrelated page is not a match", file: "../../modules/info/rabbitmq-panel.yaml", status: 200,
+			body: `<html><body>nothing to see</body></html>`, wantFinding: false,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			res := runOpsModule(t, tc.file, tc.status, tc.body)
+			got := len(res.Findings) > 0
+			if got != tc.wantFinding {
+				t.Fatalf("findings=%d, want match=%v", len(res.Findings), tc.wantFinding)
+			}
+			if tc.versionKey != "" {
+				if v := opsExtracted(res, tc.versionKey); v != tc.versionVal {
+					t.Errorf("extracted[%q]=%q, want %q", tc.versionKey, v, tc.versionVal)
+				}
+			}
+		})
+	}
+}
@@ -0,0 +1,132 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runOrchModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func orchExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestOrchestrationAPIExposureModules(t *testing.T) {
+	const vault = "../../modules/recon/vault-api-exposure.yaml"
+	const consul = "../../modules/recon/consul-api-exposure.yaml"
+	const etcd = "../../modules/recon/etcd-api-exposure.yaml"
+
+	vaultSeal := `{"type":"shamir","initialized":true,"sealed":false,"t":3,"n":5,` +
+		`"progress":0,"nonce":"","version":"1.15.2","build_date":"2023-11-06T11:33:49Z",` +
+		`"migration":false,"cluster_name":"vault-cluster-9d52b1f1","recovery_seal":false,` +
+		`"storage_type":"raft"}`
+
+	consulSelf := `{"Config":{"Datacenter":"dc1","NodeName":"consul-server-1","Server":true,` +
+		`"Version":"1.17.0"},"Member":{"Name":"consul-server-1","Addr":"10.0.0.5","Port":8301}}`
+
+	etcdVersion := `{"etcdserver":"3.5.9","etcdcluster":"3.5.0"}`
+
+	t.Run("an exposed vault seal-status is flagged and versioned", func(t *testing.T) {
+		res := runOrchModule(t, vault, 200, vaultSeal)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a vault finding")
+		}
+		if v := orchExtract(res, "vault_version"); v != "1.15.2" {
+			t.Errorf("vault_version=%q, want 1.15.2", v)
+		}
+	})
+
+	t.Run("an exposed consul agent self leaks the datacenter", func(t *testing.T) {
+		res := runOrchModule(t, consul, 200, consulSelf)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a consul finding")
+		}
+		if v := orchExtract(res, "consul_datacenter"); v != "dc1" {
+			t.Errorf("consul_datacenter=%q, want dc1", v)
+		}
+	})
+
+	t.Run("an exposed etcd version endpoint is flagged and versioned", func(t *testing.T) {
+		res := runOrchModule(t, etcd, 200, etcdVersion)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an etcd finding")
+		}
+		if v := orchExtract(res, "etcd_version"); v != "3.5.9" {
+			t.Errorf("etcd_version=%q, want 3.5.9", v)
+		}
+	})
+
+	t.Run("a sealed flag without the other vault keys is not vault", func(t *testing.T) {
+		body := `{"sealed":"yes","status":"ok"}`
+		if res := runOrchModule(t, vault, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a bare sealed flag should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a datacenter field alone is not consul", func(t *testing.T) {
+		body := `{"Datacenter":"dc1"}`
+		if res := runOrchModule(t, consul, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a bare datacenter field should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a version response from another service is not etcd", func(t *testing.T) {
+		body := `{"version":"1.2.3","service":"myapp"}`
+		if res := runOrchModule(t, etcd, 200, body); len(res.Findings) > 0 {
+			t.Errorf("another service version should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an etcdserver without an etcdcluster is not flagged", func(t *testing.T) {
+		body := `{"etcdserver":"3.5.9"}`
+		if res := runOrchModule(t, etcd, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a partial etcd response should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{vault, consul, etcd} {
+			if res := runOrchModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{vault, consul, etcd} {
+			if res := runOrchModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,131 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runRailsModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func railsExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestRailsSecretExposureModules(t *testing.T) {
+	const database = "../../modules/recon/rails-database-yml-exposure.yaml"
+	const secrets = "../../modules/recon/rails-secrets-yml-exposure.yaml"
+	const masterKey = "../../modules/recon/rails-master-key-exposure.yaml"
+
+	const keyBase = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" +
+		"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+	const masterKeyValue = "0123456789abcdef0123456789abcdef"
+
+	t.Run("database config leaks the database name and credentials", func(t *testing.T) {
+		body := "default: &default\n  adapter: postgresql\n  encoding: unicode\n  pool: 5\n" +
+			"  username: app_user\n  password: s3cr3tdbpass\n  host: db.internal\n\n" +
+			"production:\n  <<: *default\n  database: myapp_production\n"
+		res := runRailsModule(t, database, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a database config finding")
+		}
+		if v := railsExtract(res, "database"); v != "myapp_production" {
+			t.Errorf("database=%q, want myapp_production", v)
+		}
+	})
+
+	t.Run("a credential free sqlite database config is not a leak", func(t *testing.T) {
+		body := "production:\n  adapter: sqlite3\n  database: db/production.sqlite3\n  pool: 5\n"
+		if res := runRailsModule(t, database, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a sqlite config without credentials should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("secrets config leaks the secret key base", func(t *testing.T) {
+		body := "development:\n  secret_key_base: " + keyBase + "\n"
+		res := runRailsModule(t, secrets, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a secrets config finding")
+		}
+		if v := railsExtract(res, "secret_key_base"); v != keyBase {
+			t.Errorf("secret_key_base=%q, want %q", v, keyBase)
+		}
+	})
+
+	t.Run("master key file leaks the key", func(t *testing.T) {
+		res := runRailsModule(t, masterKey, 200, masterKeyValue)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a master key finding")
+		}
+		if v := railsExtract(res, "master_key"); v != masterKeyValue {
+			t.Errorf("master_key=%q, want %q", v, masterKeyValue)
+		}
+	})
+
+	t.Run("a longer hex digest is not the master key", func(t *testing.T) {
+		body := masterKeyValue + masterKeyValue
+		if res := runRailsModule(t, masterKey, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a 64 char digest should not match the 32 char key, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a hex value not at the body start is not the master key", func(t *testing.T) {
+		body := "key=" + masterKeyValue
+		if res := runRailsModule(t, masterKey, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a hex value away from the start should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page naming the rails markers is not a leak", func(t *testing.T) {
+		body := "<html><head><title>Error</title></head><body>secret_key_base: " + keyBase + "</body></html>"
+		if res := runRailsModule(t, secrets, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a config without the rails markers is not a leak", func(t *testing.T) {
+		body := "password: hunter2\nusername: admin\nhost: db.internal\n"
+		for _, file := range []string{database, secrets, masterKey} {
+			if res := runRailsModule(t, file, 200, body); len(res.Findings) > 0 {
+				t.Errorf("%s: a config without the rails markers should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{database, secrets, masterKey} {
+			if res := runRailsModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,118 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runRegistryModule(t *testing.T, file string, status int, headers map[string]string, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		for k, v := range headers {
+			w.Header().Set(k, v)
+		}
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func registryExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestRegistryExposureModules(t *testing.T) {
+	const dockerRegistry = "../../modules/recon/docker-registry-api-exposure.yaml"
+	const harbor = "../../modules/recon/harbor-api-exposure.yaml"
+
+	registryHeader := map[string]string{"Docker-Distribution-Api-Version": "registry/2.0"}
+
+	harborInfo := `{"auth_mode":"db_auth","registry_url":"harbor.example.com",` +
+		`"external_url":"https://harbor.example.com","harbor_version":"v2.9.1-1f4a3c9d",` +
+		`"self_registration":true,"has_ca_root":false,"read_only":false}`
+
+	t.Run("an anonymous docker registry is flagged with its api version", func(t *testing.T) {
+		res := runRegistryModule(t, dockerRegistry, 200, registryHeader, "{}")
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a docker registry finding")
+		}
+		if v := registryExtract(res, "docker_registry_api_version"); v != "registry/2.0" {
+			t.Errorf("docker_registry_api_version=%q, want registry/2.0", v)
+		}
+	})
+
+	t.Run("a plain 200 without the registry header is not flagged", func(t *testing.T) {
+		if res := runRegistryModule(t, dockerRegistry, 200, nil, "{}"); len(res.Findings) > 0 {
+			t.Errorf("a 200 without the api-version header should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a registry that requires auth is not flagged", func(t *testing.T) {
+		if res := runRegistryModule(t, dockerRegistry, 401, registryHeader, ""); len(res.Findings) > 0 {
+			t.Errorf("a 401 registry should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an exposed harbor systeminfo is flagged and versioned", func(t *testing.T) {
+		res := runRegistryModule(t, harbor, 200, nil, harborInfo)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a harbor finding")
+		}
+		if v := registryExtract(res, "harbor_version"); v != "v2.9.1-1f4a3c9d" {
+			t.Errorf("harbor_version=%q, want v2.9.1-1f4a3c9d", v)
+		}
+	})
+
+	t.Run("a harbor version without an auth mode is not flagged", func(t *testing.T) {
+		body := `{"harbor_version":"v2.9.1","registry_url":"harbor.example.com"}`
+		if res := runRegistryModule(t, harbor, 200, nil, body); len(res.Findings) > 0 {
+			t.Errorf("a harbor version alone should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an auth mode without a harbor version is not flagged", func(t *testing.T) {
+		body := `{"auth_mode":"db_auth","self_registration":true}`
+		if res := runRegistryModule(t, harbor, 200, nil, body); len(res.Findings) > 0 {
+			t.Errorf("an auth mode alone should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{dockerRegistry, harbor} {
+			if res := runRegistryModule(t, file, 200, nil, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{dockerRegistry, harbor} {
+			if res := runRegistryModule(t, file, 404, nil, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,162 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runSecretModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func secretExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestSecretFileExposureModules(t *testing.T) {
+	const privkey = "../../modules/recon/private-key-exposure.yaml"
+	const gitcred = "../../modules/recon/git-credentials-exposure.yaml"
+	const pypirc = "../../modules/recon/pypirc-exposure.yaml"
+
+	opensshKey := "-----BEGIN OPENSSH PRIVATE KEY-----\n" +
+		"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQy\n" +
+		"NTUxOQAAACD1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n" +
+		"-----END OPENSSH PRIVATE KEY-----\n"
+
+	rsaKey := "-----BEGIN RSA PRIVATE KEY-----\n" +
+		"MIIEpAIBAAKCAQEArandombase64payloadthatstandsinforakeybodyhere1234567890\n" +
+		"-----END RSA PRIVATE KEY-----\n"
+
+	gitCreds := "https://octocat:ghp_AbCdEf0123456789AbCdEf0123456789@github.com\n" +
+		"https://deploy:s3cr3t@gitlab.example.com\n"
+
+	pypiConfig := "[distutils]\nindex-servers =\n    pypi\n\n[pypi]\n" +
+		"username = __token__\npassword = pypi-AgEIcHlwaS5vcmcCJDQ2Y2Q\n"
+
+	t.Run("an openssh private key is flagged and typed", func(t *testing.T) {
+		res := runSecretModule(t, privkey, 200, opensshKey)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a private key finding")
+		}
+		if v := secretExtract(res, "key_type"); v != "OPENSSH" {
+			t.Errorf("key_type=%q, want OPENSSH", v)
+		}
+	})
+
+	t.Run("an rsa private key is flagged and typed", func(t *testing.T) {
+		res := runSecretModule(t, privkey, 200, rsaKey)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a private key finding")
+		}
+		if v := secretExtract(res, "key_type"); v != "RSA" {
+			t.Errorf("key_type=%q, want RSA", v)
+		}
+	})
+
+	t.Run("a git credential store leaks its host", func(t *testing.T) {
+		res := runSecretModule(t, gitcred, 200, gitCreds)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a git credential finding")
+		}
+		if v := secretExtract(res, "git_host"); v != "github.com" {
+			t.Errorf("git_host=%q, want github.com", v)
+		}
+	})
+
+	t.Run("a pypirc leaks the upload token", func(t *testing.T) {
+		res := runSecretModule(t, pypirc, 200, pypiConfig)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a pypirc finding")
+		}
+		if v := secretExtract(res, "pypi_token"); v != "pypi-AgEIcHlwaS5vcmcCJDQ2Y2Q" {
+			t.Errorf("pypi_token=%q, want the pypi- token", v)
+		}
+	})
+
+	t.Run("a public key is not a private key", func(t *testing.T) {
+		body := "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK\n" +
+			"-----END PUBLIC KEY-----\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB user@host\n"
+		if res := runSecretModule(t, privkey, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a public key should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("prose that names a private key is not the key", func(t *testing.T) {
+		body := "Generate your private key with ssh-keygen and keep id_rsa secret."
+		if res := runSecretModule(t, privkey, 200, body); len(res.Findings) > 0 {
+			t.Errorf("prose about keys should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a git remote url without a password is not a credential store", func(t *testing.T) {
+		body := "https://github.com/octocat/hello-world.git\n"
+		if res := runSecretModule(t, gitcred, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a bare remote url should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a pypi section without a credential is not a leak", func(t *testing.T) {
+		body := "[distutils]\nindex-servers =\n    pypi\n"
+		if res := runSecretModule(t, pypirc, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a section with no credential should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("credentials shown in an html page are not a store", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body>clone with https://user:pass@host.example</body></html>"
+		if res := runSecretModule(t, gitcred, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a pypi config inside an html page is not a leak", func(t *testing.T) {
+		body := "<html><head><title>docs</title></head><body><pre>[pypi]\npassword = pypi-x</pre></body></html>"
+		if res := runSecretModule(t, pypirc, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{privkey, gitcred, pypirc} {
+			if res := runSecretModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{privkey, gitcred, pypirc} {
+			if res := runSecretModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,155 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runVCSModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func vcsExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestVCSMetadataExposureModules(t *testing.T) {
+	const svn = "../../modules/recon/svn-exposure.yaml"
+	const hg = "../../modules/recon/mercurial-exposure.yaml"
+	const bzr = "../../modules/recon/bazaar-exposure.yaml"
+
+	svnWcDb := "SQLite format 3\x00" + strings.Repeat("\x00", 80) +
+		"CREATE TABLE WCROOT (id INTEGER PRIMARY KEY);" +
+		"CREATE TABLE REPOSITORY (root TEXT, uuid TEXT);" +
+		"\x01root\x00https://svn.example.com/myrepo/trunk\x00"
+
+	hgRequires := "revlogv1\nstore\nfncache\ndotencode\ngeneraldelta\nsparserevlog\n"
+
+	bzrFormat := "Bazaar-NG meta directory, format 1\n"
+
+	t.Run("an exposed svn wc.db leaks the repository url", func(t *testing.T) {
+		res := runVCSModule(t, svn, 200, svnWcDb)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an svn finding")
+		}
+		if v := vcsExtract(res, "svn_repository"); v != "https://svn.example.com/myrepo/trunk" {
+			t.Errorf("svn_repository=%q, want https://svn.example.com/myrepo/trunk", v)
+		}
+	})
+
+	t.Run("an exposed mercurial requires is flagged", func(t *testing.T) {
+		res := runVCSModule(t, hg, 200, hgRequires)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a mercurial finding")
+		}
+		if v := vcsExtract(res, "hg_requirement"); v != "revlogv1" {
+			t.Errorf("hg_requirement=%q, want revlogv1", v)
+		}
+	})
+
+	t.Run("an exposed bazaar branch-format is flagged", func(t *testing.T) {
+		res := runVCSModule(t, bzr, 200, bzrFormat)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a bazaar finding")
+		}
+		if v := vcsExtract(res, "bzr_format"); v != "Bazaar-NG meta directory, format 1" {
+			t.Errorf("bzr_format=%q, want the meta directory signature", v)
+		}
+	})
+
+	t.Run("a generic sqlite database without svn tables is not flagged", func(t *testing.T) {
+		body := "SQLite format 3\x00" + strings.Repeat("\x00", 80) +
+			"CREATE TABLE users (id INTEGER, name TEXT, email TEXT);"
+		if res := runVCSModule(t, svn, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic sqlite db should not match svn, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic sqlite with a nodes table is not an svn working copy", func(t *testing.T) {
+		body := "SQLite format 3\x00" + strings.Repeat("\x00", 80) +
+			"CREATE TABLE NODES (id INTEGER PRIMARY KEY, parent INTEGER, label TEXT);"
+		if res := runVCSModule(t, svn, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a generic nodes table should not match svn, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an svn magic that is not at byte zero is not flagged", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>SQLite format 3 WCROOT REPOSITORY</pre></body></html>"
+		if res := runVCSModule(t, svn, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an unanchored magic should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a page naming mercurial without the requires format is not flagged", func(t *testing.T) {
+		body := "this project uses mercurial for distributed version control"
+		if res := runVCSModule(t, hg, 200, body); len(res.Findings) > 0 {
+			t.Errorf("prose naming mercurial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page demonstrating hg requires is not a leak", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>revlogv1\nstore\ndotencode</pre></body></html>"
+		if res := runVCSModule(t, hg, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html hg tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a bazaar marketplace page is not a repository", func(t *testing.T) {
+		body := "Welcome to the Bazaar, the finest open air marketplace in town"
+		if res := runVCSModule(t, bzr, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a marketplace page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page demonstrating bzr branch-format is not a leak", func(t *testing.T) {
+		body := "<!DOCTYPE html><html><body><pre>Bazaar-NG meta directory, format 1</pre></body></html>"
+		if res := runVCSModule(t, bzr, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html bzr tutorial should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{svn, hg, bzr} {
+			if res := runVCSModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{svn, hg, bzr} {
+			if res := runVCSModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,143 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runVectorDBModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func vectorDBExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestVectorDBExposureModules(t *testing.T) {
+	const qdrant = "../../modules/recon/qdrant-api-exposure.yaml"
+	const weaviate = "../../modules/recon/weaviate-api-exposure.yaml"
+	const chroma = "../../modules/recon/chroma-api-exposure.yaml"
+
+	qdrantCollections := `{"result":{"collections":[{"name":"documents"},{"name":"embeddings"}]},` +
+		`"status":"ok","time":0.000018}`
+
+	weaviateMeta := `{"hostname":"http://[::]:8080","modules":{"text2vec-openai":{"version":"v1.0.0"}},` +
+		`"version":"1.23.7"}`
+
+	chromaHeartbeat := `{"nanosecond heartbeat":1718900000000000000}`
+
+	t.Run("a qdrant collections api is flagged and named", func(t *testing.T) {
+		res := runVectorDBModule(t, qdrant, 200, qdrantCollections)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a qdrant finding")
+		}
+		if v := vectorDBExtract(res, "qdrant_collection"); v != "documents" {
+			t.Errorf("qdrant_collection=%q, want documents", v)
+		}
+	})
+
+	t.Run("a weaviate meta api is flagged with its hostname", func(t *testing.T) {
+		res := runVectorDBModule(t, weaviate, 200, weaviateMeta)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a weaviate finding")
+		}
+		if v := vectorDBExtract(res, "weaviate_hostname"); v != "http://[::]:8080" {
+			t.Errorf("weaviate_hostname=%q, want http://[::]:8080", v)
+		}
+	})
+
+	t.Run("a chroma heartbeat api is flagged", func(t *testing.T) {
+		res := runVectorDBModule(t, chroma, 200, chromaHeartbeat)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a chroma finding")
+		}
+	})
+
+	t.Run("a qdrant status without a collections result is not flagged", func(t *testing.T) {
+		body := `{"result":{"points":[{"id":1}]},"status":"ok","time":0.001}`
+		if res := runVectorDBModule(t, qdrant, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a points result should not match qdrant, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a qdrant collections result without an ok status is not flagged", func(t *testing.T) {
+		body := `{"result":{"collections":[{"name":"x"}]}}`
+		if res := runVectorDBModule(t, qdrant, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a collections result without ok status should not match qdrant, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a weaviate meta without a version is not flagged", func(t *testing.T) {
+		body := `{"hostname":"http://x:8080","modules":{"a":{}}}`
+		if res := runVectorDBModule(t, weaviate, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a meta without a version should not match weaviate, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a weaviate hostname that is not a url is not flagged", func(t *testing.T) {
+		body := `{"hostname":"db-internal","version":"1.23.7"}`
+		if res := runVectorDBModule(t, weaviate, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a bare hostname should not match weaviate, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a chroma 200 without the heartbeat key is not flagged", func(t *testing.T) {
+		body := `{"heartbeat":1718900000}`
+		if res := runVectorDBModule(t, chroma, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a plain heartbeat key should not match chroma, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a generic version json is not a vector db", func(t *testing.T) {
+		body := `{"version":"1.0.0","name":"app"}`
+		for _, file := range []string{qdrant, weaviate, chroma} {
+			if res := runVectorDBModule(t, file, 200, body); len(res.Findings) > 0 {
+				t.Errorf("%s: a generic version should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{qdrant, weaviate, chroma} {
+			if res := runVectorDBModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{qdrant, weaviate, chroma} {
+			if res := runVectorDBModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -0,0 +1,136 @@
+package modules_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/modules"
+)
+
+func runWebSrvModule(t *testing.T, file string, status int, body string) *modules.Result {
+	t.Helper()
+	def, err := modules.ParseYAMLModule(file)
+	if err != nil {
+		t.Fatalf("parse %s: %v", file, err)
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+	defer srv.Close()
+
+	res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
+		Timeout: 5 * time.Second,
+		Threads: 2,
+	})
+	if err != nil {
+		t.Fatalf("execute %s: %v", file, err)
+	}
+	return res
+}
+
+func webSrvExtract(res *modules.Result, key string) string {
+	for _, f := range res.Findings {
+		if v := f.Extracted[key]; v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestWebserverConfigExposureModules(t *testing.T) {
+	const htpasswd = "../../modules/recon/htpasswd-exposure.yaml"
+	const webconfig = "../../modules/recon/webconfig-exposure.yaml"
+	const htaccess = "../../modules/recon/htaccess-exposure.yaml"
+
+	t.Run("htpasswd leaks the user and an apache md5 hash", func(t *testing.T) {
+		body := "admin:$apr1$z9c.x1pq$Q8r6Jm0pYh0pX2yq4nN3l1\nbackup:$apr1$ab$cd\n"
+		res := runWebSrvModule(t, htpasswd, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an htpasswd finding")
+		}
+		if v := webSrvExtract(res, "htpasswd_user"); v != "admin" {
+			t.Errorf("htpasswd_user=%q, want admin", v)
+		}
+	})
+
+	t.Run("htpasswd with a bcrypt hash also matches", func(t *testing.T) {
+		body := "deploy:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZ\n"
+		if res := runWebSrvModule(t, htpasswd, 200, body); len(res.Findings) == 0 {
+			t.Fatal("expected an htpasswd finding for a bcrypt hash")
+		}
+	})
+
+	t.Run("web.config leaks a connection string", func(t *testing.T) {
+		body := `<?xml version="1.0"?><configuration><connectionStrings>` +
+			`<add name="Default" connectionString="Server=db;Database=app;User Id=sa;Password=p@ss;" ` +
+			`providerName="System.Data.SqlClient" /></connectionStrings></configuration>`
+		res := runWebSrvModule(t, webconfig, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected a web.config finding")
+		}
+		want := "Server=db;Database=app;User Id=sa;Password=p@ss;"
+		if v := webSrvExtract(res, "connection_string"); v != want {
+			t.Errorf("connection_string=%q, want %q", v, want)
+		}
+	})
+
+	t.Run("htaccess leaks the password file path", func(t *testing.T) {
+		body := "RewriteEngine On\nAuthType Basic\nAuthName \"Restricted\"\n" +
+			"AuthUserFile /var/www/.htpasswd\nRequire valid-user\n"
+		res := runWebSrvModule(t, htaccess, 200, body)
+		if len(res.Findings) == 0 {
+			t.Fatal("expected an htaccess finding")
+		}
+		if v := webSrvExtract(res, "auth_user_file"); v != "/var/www/.htpasswd" {
+			t.Errorf("auth_user_file=%q, want /var/www/.htpasswd", v)
+		}
+	})
+
+	t.Run("a minimal htaccess with only access control still flags", func(t *testing.T) {
+		body := "Options -Indexes\nDeny from all\n"
+		if res := runWebSrvModule(t, htaccess, 200, body); len(res.Findings) == 0 {
+			t.Fatal("expected a finding for a deny-from-all htaccess")
+		}
+	})
+
+	t.Run("a plaintext password line is not a hash", func(t *testing.T) {
+		body := "admin:notahashedpassword\n"
+		if res := runWebSrvModule(t, htpasswd, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a plaintext line should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a configuration element without a dotnet section is not a leak", func(t *testing.T) {
+		body := `<?xml version="1.0"?><configuration><customRoot><foo/></customRoot></configuration>`
+		if res := runWebSrvModule(t, webconfig, 200, body); len(res.Findings) > 0 {
+			t.Errorf("a non dotnet configuration should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("an html page is not an htaccess", func(t *testing.T) {
+		body := "<html><head><title>x</title></head><body>RewriteEngine On AuthType Basic</body></html>"
+		if res := runWebSrvModule(t, htaccess, 200, body); len(res.Findings) > 0 {
+			t.Errorf("an html page should not match, got %d findings", len(res.Findings))
+		}
+	})
+
+	t.Run("a plain 200 body is not a leak", func(t *testing.T) {
+		for _, file := range []string{htpasswd, webconfig, htaccess} {
+			if res := runWebSrvModule(t, file, 200, "ok"); len(res.Findings) > 0 {
+				t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+
+	t.Run("a 404 is not a leak", func(t *testing.T) {
+		for _, file := range []string{htpasswd, webconfig, htaccess} {
+			if res := runWebSrvModule(t, file, 404, "not found"); len(res.Findings) > 0 {
+				t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
+			}
+		}
+	})
+}
@@ -58,7 +58,7 @@ type HTTPConfig struct {
 	Payloads   []string          `yaml:"payloads,omitempty"`
 	Headers    map[string]string `yaml:"headers,omitempty"`
 	Body       string            `yaml:"body,omitempty"`
-	Attack     string            `yaml:"attack,omitempty"` // sniper, pitchfork, clusterbomb
+	Attack     string            `yaml:"attack,omitempty"` // clusterbomb (default), pitchfork
 	Threads    int               `yaml:"threads,omitempty"`
 	Matchers   []Matcher         `yaml:"matchers"`
 	Extractors []Extractor       `yaml:"extractors,omitempty"`
@@ -100,6 +100,12 @@ func ParseYAMLModule(path string) (*YAMLModule, error) {
 		return nil, fmt.Errorf("module missing required field: type")
 	}

+	if ym.HTTP != nil {
+		if err := validateAttack(ym.HTTP.Attack); err != nil {
+			return nil, fmt.Errorf("module %q: %w", ym.ID, err)
+		}
+	}
+
 	return &ym, nil
 }

@@ -0,0 +1,119 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package notify
+
+import (
+	"fmt"
+	"os"
+
+	"gopkg.in/yaml.v3"
+)
+
+// env var names notify reads, env-first. these mirror the conventional names so
+// an operator who already exports them for other tooling gets notify for free.
+const (
+	envSlackWebhook   = "SLACK_WEBHOOK_URL"
+	envDiscordWebhook = "DISCORD_WEBHOOK_URL"
+	// the name of the env var holding the bot token, not the token itself.
+	envTelegramToken = "TELEGRAM_BOT_TOKEN" //nolint:gosec // env var name, not a secret
+	envTelegramChat  = "TELEGRAM_CHAT_ID"
+	envWebhookURL    = "NOTIFY_WEBHOOK_URL"
+)
+
+// config holds resolved destinations for every provider. yaml tags use
+// projectdiscovery/notify-compatible key names so an existing notify config file
+// ports over verbatim; env supplies the same values and yaml overrides it.
+type config struct {
+	SlackWebhook   string `yaml:"slack_webhook_url"`
+	DiscordWebhook string `yaml:"discord_webhook_url"`
+	// telegram needs both a bot token and a chat id. notify spells the token
+	// "telegram_api_key", so accept that key for drop-in compatibility.
+	TelegramToken string `yaml:"telegram_api_key"`
+	TelegramChat  string `yaml:"telegram_chat_id"`
+	WebhookURL    string `yaml:"webhook_url"`
+}
+
+// loadConfig resolves notify destinations env-first, then overlays a yaml file
+// when path is non-empty. yaml wins per-field so a file value overrides the
+// matching env var; an unset yaml field leaves the env value intact. an empty
+// path means env-only. a missing/unparseable file is an error - if the operator
+// pointed -notify-config somewhere, a typo should fail loud, not silently drop.
+func loadConfig(path string) (config, error) {
+	cfg := config{
+		SlackWebhook:   os.Getenv(envSlackWebhook),
+		DiscordWebhook: os.Getenv(envDiscordWebhook),
+		TelegramToken:  os.Getenv(envTelegramToken),
+		TelegramChat:   os.Getenv(envTelegramChat),
+		WebhookURL:     os.Getenv(envWebhookURL),
+	}
+
+	if path == "" {
+		return cfg, nil
+	}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return config{}, fmt.Errorf("read config %q: %w", path, err)
+	}
+
+	// decode into a separate value so only the keys present in the file overlay
+	// the env-derived defaults; a zero field in the yaml must not blank an env var.
+	var file config
+	if err := yaml.Unmarshal(data, &file); err != nil {
+		return config{}, fmt.Errorf("parse config %q: %w", path, err)
+	}
+	overlay(&cfg, &file)
+
+	return cfg, nil
+}
+
+// overlay copies non-empty fields from src onto dst. used to let a yaml file
+// override env without an empty yaml key wiping out a populated env value.
+func overlay(dst, src *config) {
+	if src.SlackWebhook != "" {
+		dst.SlackWebhook = src.SlackWebhook
+	}
+	if src.DiscordWebhook != "" {
+		dst.DiscordWebhook = src.DiscordWebhook
+	}
+	if src.TelegramToken != "" {
+		dst.TelegramToken = src.TelegramToken
+	}
+	if src.TelegramChat != "" {
+		dst.TelegramChat = src.TelegramChat
+	}
+	if src.WebhookURL != "" {
+		dst.WebhookURL = src.WebhookURL
+	}
+}
+
+// providers builds the live provider list from the resolved config: a provider
+// is included only when its destination is fully specified. telegram needs both
+// token and chat id, so a half-configured telegram is dropped rather than POSTing
+// to a broken endpoint.
+func (c *config) providers() []provider {
+	var out []provider
+	if c.SlackWebhook != "" {
+		out = append(out, &slackProvider{webhook: c.SlackWebhook})
+	}
+	if c.DiscordWebhook != "" {
+		out = append(out, &discordProvider{webhook: c.DiscordWebhook})
+	}
+	if c.TelegramToken != "" && c.TelegramChat != "" {
+		out = append(out, &telegramProvider{token: c.TelegramToken, chatID: c.TelegramChat})
+	}
+	if c.WebhookURL != "" {
+		out = append(out, &webhookProvider{url: c.WebhookURL})
+	}
+	return out
+}
@@ -0,0 +1,153 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package notify
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// clearNotifyEnv unsets every var loadConfig reads so a test starts from a known
+// blank slate; t.Setenv("", "") still records the var for cleanup restoration.
+func clearNotifyEnv(t *testing.T) {
+	t.Helper()
+	for _, k := range []string{
+		envSlackWebhook, envDiscordWebhook,
+		envTelegramToken, envTelegramChat, envWebhookURL,
+	} {
+		t.Setenv(k, "")
+	}
+}
+
+func TestLoadConfigEnvOnly(t *testing.T) {
+	clearNotifyEnv(t)
+	t.Setenv(envSlackWebhook, "https://hooks.slack.test/a")
+	t.Setenv(envTelegramToken, "123:abc")
+	t.Setenv(envTelegramChat, "999")
+
+	cfg, err := loadConfig("")
+	if err != nil {
+		t.Fatalf("loadConfig: %v", err)
+	}
+	if cfg.SlackWebhook != "https://hooks.slack.test/a" {
+		t.Errorf("slack webhook = %q, want from env", cfg.SlackWebhook)
+	}
+	if cfg.TelegramToken != "123:abc" || cfg.TelegramChat != "999" {
+		t.Errorf("telegram = %q/%q, want from env", cfg.TelegramToken, cfg.TelegramChat)
+	}
+
+	// slack + telegram (both halves) configured, discord/webhook empty.
+	got := cfg.providers()
+	if len(got) != 2 {
+		t.Fatalf("providers = %d, want 2 (slack, telegram)", len(got))
+	}
+	wantNames := map[string]bool{"slack": false, "telegram": false}
+	for _, p := range got {
+		wantNames[p.name()] = true
+	}
+	for name, seen := range wantNames {
+		if !seen {
+			t.Errorf("provider %q missing", name)
+		}
+	}
+}
+
+func TestLoadConfigYAMLOverridesEnv(t *testing.T) {
+	clearNotifyEnv(t)
+	t.Setenv(envSlackWebhook, "https://env.slack.test/x")
+	t.Setenv(envWebhookURL, "https://env.webhook.test/x")
+
+	body := "" +
+		"slack_webhook_url: https://file.slack.test/y\n" +
+		"discord_webhook_url: https://file.discord.test/z\n"
+	path := writeTempConfig(t, body)
+
+	cfg, err := loadConfig(path)
+	if err != nil {
+		t.Fatalf("loadConfig: %v", err)
+	}
+	// yaml present -> overrides env.
+	if cfg.SlackWebhook != "https://file.slack.test/y" {
+		t.Errorf("slack = %q, want yaml override", cfg.SlackWebhook)
+	}
+	// yaml absent for webhook -> env value survives.
+	if cfg.WebhookURL != "https://env.webhook.test/x" {
+		t.Errorf("webhook = %q, want env value preserved", cfg.WebhookURL)
+	}
+	// yaml introduces discord.
+	if cfg.DiscordWebhook != "https://file.discord.test/z" {
+		t.Errorf("discord = %q, want from yaml", cfg.DiscordWebhook)
+	}
+}
+
+func TestLoadConfigNotifyCompatibleTelegramKey(t *testing.T) {
+	clearNotifyEnv(t)
+	// projectdiscovery/notify spells the bot token "telegram_api_key"; assert a
+	// drop-in config wires telegram from that key.
+	body := "" +
+		"telegram_api_key: 555:tok\n" +
+		"telegram_chat_id: \"42\"\n"
+	path := writeTempConfig(t, body)
+
+	cfg, err := loadConfig(path)
+	if err != nil {
+		t.Fatalf("loadConfig: %v", err)
+	}
+	if cfg.TelegramToken != "555:tok" || cfg.TelegramChat != "42" {
+		t.Fatalf("telegram = %q/%q, want from notify-compatible keys", cfg.TelegramToken, cfg.TelegramChat)
+	}
+	if len(cfg.providers()) != 1 {
+		t.Fatalf("providers = %d, want 1 (telegram)", len(cfg.providers()))
+	}
+}
+
+func TestLoadConfigMissingFileErrors(t *testing.T) {
+	clearNotifyEnv(t)
+	if _, err := loadConfig(filepath.Join(t.TempDir(), "nope.yaml")); err == nil {
+		t.Fatal("loadConfig with missing file: want error, got nil")
+	}
+}
+
+func TestLoadConfigBadYAMLErrors(t *testing.T) {
+	clearNotifyEnv(t)
+	path := writeTempConfig(t, "slack_webhook_url: [unterminated\n")
+	if _, err := loadConfig(path); err == nil {
+		t.Fatal("loadConfig with malformed yaml: want error, got nil")
+	}
+}
+
+func TestProvidersTelegramNeedsBothHalves(t *testing.T) {
+	// token without chat id must not produce a (broken) telegram provider.
+	cfg := config{TelegramToken: "tok"}
+	if got := cfg.providers(); len(got) != 0 {
+		t.Fatalf("providers = %d, want 0 for half-configured telegram", len(got))
+	}
+}
+
+func TestProvidersEmptyConfigIsNone(t *testing.T) {
+	var cfg config
+	if got := cfg.providers(); len(got) != 0 {
+		t.Fatalf("providers = %d, want 0 for empty config", len(got))
+	}
+}
+
+// writeTempConfig writes body to a temp yaml file and returns its path.
+func writeTempConfig(t *testing.T, body string) string {
+	t.Helper()
+	path := filepath.Join(t.TempDir(), "notify.yaml")
+	if err := os.WriteFile(path, []byte(body), 0o600); err != nil {
+		t.Fatalf("write temp config: %v", err)
+	}
+	return path
+}
@@ -0,0 +1,39 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package notify
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/dropalldatabases/sif/internal/finding"
+)
+
+// discordProvider posts to a discord webhook. discord's incoming-webhook body
+// keys the message on "content" (slack uses "text"); same code-block wrapping so
+// the finding columns line up in the channel.
+type discordProvider struct {
+	webhook string
+}
+
+func (d *discordProvider) name() string { return "discord" }
+
+// discordPayload is the minimal webhook body: a single content field.
+type discordPayload struct {
+	Content string `json:"content"`
+}
+
+func (d *discordProvider) send(ctx context.Context, client *http.Client, findings []finding.Finding) error {
+	payload := discordPayload{Content: codeBlock(renderFindings(findings))}
+	return postJSON(ctx, client, d.webhook, payload)
+}
@@ -0,0 +1,74 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package notify
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/dropalldatabases/sif/internal/finding"
+	"github.com/dropalldatabases/sif/internal/httpx"
+)
+
+// contentTypeJSON is the body type every provider POSTs; all four speak json.
+const contentTypeJSON = "application/json"
+
+// messageHeader prefixes the rendered finding block. kept terse - chat sinks
+// truncate, so the count and lead-in carry the signal.
+const messageHeader = "sif found %d finding(s):"
+
+// renderFindings turns a batch into a single plain-text block, one finding per
+// line in the same "[severity] target module title" shape as the -silent sink so
+// a reader sees identical lines across stdout and chat. a strings.Builder keeps
+// the per-line concat to one allocation path.
+func renderFindings(findings []finding.Finding) string {
+	var b strings.Builder
+	fmt.Fprintf(&b, messageHeader, len(findings))
+	b.WriteByte('\n')
+	for i := 0; i < len(findings); i++ {
+		b.WriteString(findings[i].Line())
+		b.WriteByte('\n')
+	}
+	return b.String()
+}
+
+// postJSON marshals payload and POSTs it to url through the shared client. it
+// drains+closes the response so the conn returns to httpx's pool, and treats any
+// non-2xx as a delivery failure so a 4xx from a bad webhook surfaces loudly.
+func postJSON(ctx context.Context, client *http.Client, url string, payload any) error {
+	body, err := json.Marshal(payload)
+	if err != nil {
+		return fmt.Errorf("marshal payload: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
+	if err != nil {
+		return fmt.Errorf("build request: %w", err)
+	}
+	req.Header.Set("Content-Type", contentTypeJSON)
+
+	resp, err := client.Do(req) //nolint:bodyclose // drained and closed via httpx.DrainClose
+	if err != nil {
+		return fmt.Errorf("post: %w", err)
+	}
+	defer httpx.DrainClose(resp)
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		return fmt.Errorf("unexpected status %d", resp.StatusCode)
+	}
+	return nil
+}
@@ -0,0 +1,85 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+// Package notify ships findings to chat/webhook sinks (slack, discord, telegram,
+// generic webhook) so a continuous-recon run can alert on what it turns up. every
+// provider is one POST through httpx.Client, so the global proxy/rate-limit/header
+// config applies uniformly and there's no extra http stack to keep in sync.
+package notify
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/finding"
+	"github.com/dropalldatabases/sif/internal/httpx"
+	"github.com/dropalldatabases/sif/internal/output"
+)
+
+// Options carries the runtime knobs Send needs. Timeout bounds each provider's
+// POST; ConfigPath is an optional yaml file whose values override env. severity
+// filtering is the caller's job - Send ships whatever batch it's handed.
+type Options struct {
+	Timeout    time.Duration
+	ConfigPath string
+}
+
+// Send dispatches findings to every configured provider. config resolves
+// env-first, then a yaml file overlays it (notify-compatible key names). a
+// provider with no destination is skipped, so zero configured providers makes
+// Send a silent no-op - notify is opt-in and never errors just for being unwired.
+// an empty findings slice is also a no-op: nothing to report.
+func Send(ctx context.Context, findings []finding.Finding, opts Options) error {
+	if len(findings) == 0 {
+		return nil
+	}
+
+	cfg, err := loadConfig(opts.ConfigPath)
+	if err != nil {
+		return fmt.Errorf("notify config: %w", err)
+	}
+
+	providers := cfg.providers()
+	if len(providers) == 0 {
+		// nothing wired up; opt-in feature stays quiet rather than erroring.
+		return nil
+	}
+
+	log := output.Module("NOTIFY")
+	client := httpx.Client(opts.Timeout)
+
+	// run every provider; a failure on one sink must not suppress the others, so
+	// errors accumulate and the first is returned after all have been attempted.
+	var firstErr error
+	for i := 0; i < len(providers); i++ {
+		p := providers[i]
+		if err := p.send(ctx, client, findings); err != nil {
+			log.Error("%s delivery failed: %v", p.name(), err)
+			if firstErr == nil {
+				firstErr = fmt.Errorf("%s: %w", p.name(), err)
+			}
+			continue
+		}
+		log.Success("sent %d findings to %s", len(findings), p.name())
+	}
+
+	return firstErr
+}
+
+// provider is one delivery sink. name is for logging; send formats findings into
+// the sink's payload and POSTs it through the shared client.
+type provider interface {
+	name() string
+	send(ctx context.Context, client *http.Client, findings []finding.Finding) error
+}
@@ -0,0 +1,224 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package notify
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/dropalldatabases/sif/internal/finding"
+)
+
+// sampleFindings returns a small mixed-severity batch for payload assertions.
+func sampleFindings() []finding.Finding {
+	return []finding.Finding{
+		{Target: "https://a.test", Module: "cors", Severity: finding.SeverityHigh, Key: "cors:a", Title: "reflected origin", Raw: "ACAO echo"},
+		{Target: "https://a.test", Module: "headers", Severity: finding.SeverityInfo, Key: "headers:x", Title: "Server header", Raw: "nginx"},
+	}
+}
+
+// capture records the method, content-type and raw body of the request a provider
+// makes, so each test can assert the wire shape without a real network.
+type capture struct {
+	method      string
+	contentType string
+	path        string
+	body        []byte
+}
+
+// captureServer stands up an httptest server that records the single inbound
+// request into c and replies 200, the happy path every provider expects.
+func captureServer(t *testing.T, c *capture) *httptest.Server {
+	t.Helper()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		body, _ := io.ReadAll(r.Body)
+		c.method = r.Method
+		c.contentType = r.Header.Get("Content-Type")
+		c.path = r.URL.Path
+		c.body = body
+		w.WriteHeader(http.StatusOK)
+	}))
+	t.Cleanup(srv.Close)
+	return srv
+}
+
+func TestSlackPayloadShape(t *testing.T) {
+	var c capture
+	srv := captureServer(t, &c)
+
+	p := &slackProvider{webhook: srv.URL}
+	if err := p.send(context.Background(), srv.Client(), sampleFindings()); err != nil {
+		t.Fatalf("slack send: %v", err)
+	}
+
+	assertPostJSON(t, c)
+	var payload slackPayload
+	if err := json.Unmarshal(c.body, &payload); err != nil {
+		t.Fatalf("unmarshal slack body: %v", err)
+	}
+	// slack keys on "text"; both findings must appear, code-block fenced.
+	if !strings.Contains(payload.Text, "reflected origin") || !strings.Contains(payload.Text, "Server header") {
+		t.Errorf("slack text missing findings: %q", payload.Text)
+	}
+	if !strings.HasPrefix(payload.Text, "```") {
+		t.Errorf("slack text not code-block fenced: %q", payload.Text)
+	}
+}
+
+func TestDiscordPayloadShape(t *testing.T) {
+	var c capture
+	srv := captureServer(t, &c)
+
+	p := &discordProvider{webhook: srv.URL}
+	if err := p.send(context.Background(), srv.Client(), sampleFindings()); err != nil {
+		t.Fatalf("discord send: %v", err)
+	}
+
+	assertPostJSON(t, c)
+	var payload discordPayload
+	if err := json.Unmarshal(c.body, &payload); err != nil {
+		t.Fatalf("unmarshal discord body: %v", err)
+	}
+	// discord keys on "content", not "text".
+	if !strings.Contains(payload.Content, "reflected origin") {
+		t.Errorf("discord content missing finding: %q", payload.Content)
+	}
+}
+
+func TestTelegramPayloadShape(t *testing.T) {
+	var c capture
+	srv := captureServer(t, &c)
+
+	// repoint the bot api base at the test server for the lifetime of this test.
+	orig := telegramAPIBase
+	telegramAPIBase = srv.URL
+	t.Cleanup(func() { telegramAPIBase = orig })
+
+	p := &telegramProvider{token: "555:tok", chatID: "42"}
+	if err := p.send(context.Background(), srv.Client(), sampleFindings()); err != nil {
+		t.Fatalf("telegram send: %v", err)
+	}
+
+	assertPostJSON(t, c)
+	// the token rides the path and the method is sendMessage.
+	if c.path != "/bot555:tok/sendMessage" {
+		t.Errorf("telegram path = %q, want /bot555:tok/sendMessage", c.path)
+	}
+	var payload telegramPayload
+	if err := json.Unmarshal(c.body, &payload); err != nil {
+		t.Fatalf("unmarshal telegram body: %v", err)
+	}
+	if payload.ChatID != "42" {
+		t.Errorf("telegram chat_id = %q, want 42", payload.ChatID)
+	}
+	if !strings.Contains(payload.Text, "reflected origin") {
+		t.Errorf("telegram text missing finding: %q", payload.Text)
+	}
+}
+
+func TestWebhookPayloadShape(t *testing.T) {
+	var c capture
+	srv := captureServer(t, &c)
+
+	p := &webhookProvider{url: srv.URL}
+	if err := p.send(context.Background(), srv.Client(), sampleFindings()); err != nil {
+		t.Fatalf("webhook send: %v", err)
+	}
+
+	assertPostJSON(t, c)
+	var payload webhookPayload
+	if err := json.Unmarshal(c.body, &payload); err != nil {
+		t.Fatalf("unmarshal webhook body: %v", err)
+	}
+	// generic webhook carries structured findings, not a prerendered blob.
+	if payload.Count != 2 || len(payload.Findings) != 2 {
+		t.Fatalf("webhook count = %d / %d findings, want 2", payload.Count, len(payload.Findings))
+	}
+	first := payload.Findings[0]
+	if first.Severity != "high" {
+		t.Errorf("webhook severity = %q, want canonical string \"high\"", first.Severity)
+	}
+	if first.Key != "cors:a" || first.Module != "cors" {
+		t.Errorf("webhook finding fields wrong: %+v", first)
+	}
+}
+
+func TestProviderNon2xxIsError(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusForbidden)
+	}))
+	t.Cleanup(srv.Close)
+
+	p := &slackProvider{webhook: srv.URL}
+	if err := p.send(context.Background(), srv.Client(), sampleFindings()); err == nil {
+		t.Fatal("send to 403 endpoint: want error, got nil")
+	}
+}
+
+func TestSendNoProviderIsNoop(t *testing.T) {
+	clearNotifyEnv(t)
+	// no env, no config file -> zero providers -> Send must not error.
+	if err := Send(context.Background(), sampleFindings(), Options{Timeout: time.Second}); err != nil {
+		t.Fatalf("Send with no provider: want nil, got %v", err)
+	}
+}
+
+func TestSendEmptyFindingsIsNoop(t *testing.T) {
+	// even with a provider configured, an empty batch must not POST anything.
+	hit := false
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		hit = true
+		w.WriteHeader(http.StatusOK)
+	}))
+	t.Cleanup(srv.Close)
+
+	clearNotifyEnv(t)
+	t.Setenv(envSlackWebhook, srv.URL)
+	if err := Send(context.Background(), nil, Options{Timeout: time.Second}); err != nil {
+		t.Fatalf("Send with empty findings: want nil, got %v", err)
+	}
+	if hit {
+		t.Fatal("Send with empty findings posted to provider, want no-op")
+	}
+}
+
+func TestSendDeliversToConfiguredProvider(t *testing.T) {
+	var c capture
+	srv := captureServer(t, &c)
+
+	clearNotifyEnv(t)
+	t.Setenv(envSlackWebhook, srv.URL)
+	if err := Send(context.Background(), sampleFindings(), Options{Timeout: time.Second}); err != nil {
+		t.Fatalf("Send: %v", err)
+	}
+	if c.method != http.MethodPost {
+		t.Fatalf("provider not hit (method=%q)", c.method)
+	}
+}
+
+// assertPostJSON checks the request was a json POST.
+func assertPostJSON(t *testing.T, c capture) {
+	t.Helper()
+	if c.method != http.MethodPost {
+		t.Errorf("method = %q, want POST", c.method)
+	}
+	if c.contentType != contentTypeJSON {
+		t.Errorf("content-type = %q, want %q", c.contentType, contentTypeJSON)
+	}
+}
@@ -0,0 +1,45 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package notify
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/dropalldatabases/sif/internal/finding"
+)
+
+// slackProvider posts to a slack incoming webhook. the webhook url already pins
+// the channel, so the payload is just the rendered text in slack's mrkdwn-aware
+// "text" field wrapped in a code block to keep the fixed-width finding lines.
+type slackProvider struct {
+	webhook string
+}
+
+func (s *slackProvider) name() string { return "slack" }
+
+// slackPayload is the minimal incoming-webhook body: a single text field.
+type slackPayload struct {
+	Text string `json:"text"`
+}
+
+func (s *slackProvider) send(ctx context.Context, client *http.Client, findings []finding.Finding) error {
+	payload := slackPayload{Text: codeBlock(renderFindings(findings))}
+	return postJSON(ctx, client, s.webhook, payload)
+}
+
+// codeBlock wraps body in a triple-backtick fence; both slack and discord render
+// it fixed-width, which preserves the column-aligned finding lines.
+func codeBlock(body string) string {
+	return "```\n" + body + "```"
+}
@@ -0,0 +1,48 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package notify
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/dropalldatabases/sif/internal/finding"
+)
+
+// telegramAPIBase is the bot api root. it's a var so tests can repoint it at an
+// httptest server; the token is appended path-side per telegram's scheme.
+var telegramAPIBase = "https://api.telegram.org"
+
+// telegramProvider posts via the bot api's sendMessage. unlike slack/discord the
+// destination isn't a single opaque webhook: it needs the bot token (in the url
+// path) plus the chat id (in the body).
+type telegramProvider struct {
+	token  string
+	chatID string
+}
+
+func (t *telegramProvider) name() string { return "telegram" }
+
+// telegramPayload is the sendMessage body. parse_mode "MarkdownV2" would force
+// escaping every special char in the finding lines, so we send plain text and
+// let the lines stand as-is.
+type telegramPayload struct {
+	ChatID string `json:"chat_id"`
+	Text   string `json:"text"`
+}
+
+func (t *telegramProvider) send(ctx context.Context, client *http.Client, findings []finding.Finding) error {
+	endpoint := telegramAPIBase + "/bot" + t.token + "/sendMessage"
+	payload := telegramPayload{ChatID: t.chatID, Text: renderFindings(findings)}
+	return postJSON(ctx, client, endpoint, payload)
+}
@@ -0,0 +1,65 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package notify
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/dropalldatabases/sif/internal/finding"
+)
+
+// webhookProvider posts a structured json payload to an arbitrary endpoint. unlike
+// the chat sinks it carries the findings as data, not a prerendered blob, so
+// downstream automation (a siem, a bot, ci) keys off the fields directly.
+type webhookProvider struct {
+	url string
+}
+
+func (w *webhookProvider) name() string { return "webhook" }
+
+// webhookFinding is the per-item wire shape: the normalized Finding fields with
+// severity flattened to its canonical string so a json consumer never sees the
+// internal integer rank.
+type webhookFinding struct {
+	Target   string `json:"target"`
+	Module   string `json:"module"`
+	Severity string `json:"severity"`
+	Key      string `json:"key"`
+	Title    string `json:"title"`
+	Raw      string `json:"raw,omitempty"`
+}
+
+// webhookPayload wraps the batch with a count so a consumer can size buffers /
+// assert completeness without walking the slice first.
+type webhookPayload struct {
+	Count    int              `json:"count"`
+	Findings []webhookFinding `json:"findings"`
+}
+
+func (w *webhookProvider) send(ctx context.Context, client *http.Client, findings []finding.Finding) error {
+	items := make([]webhookFinding, 0, len(findings))
+	for i := 0; i < len(findings); i++ {
+		f := findings[i]
+		items = append(items, webhookFinding{
+			Target:   f.Target,
+			Module:   f.Module,
+			Severity: f.Severity.String(),
+			Key:      f.Key,
+			Title:    f.Title,
+			Raw:      f.Raw,
+		})
+	}
+	payload := webhookPayload{Count: len(items), Findings: items}
+	return postJSON(ctx, client, w.url, payload)
+}
@@ -14,6 +14,7 @@ package output

 import (
 	"fmt"
+	"io"
 	"os"
 	"strings"

@@ -126,13 +127,47 @@ func SetAPIMode(enabled bool) {
 	apiMode = enabled
 }

+// sink is where all banner/spinner/log chrome is written. it defaults to stdout
+// so normal runs are unchanged; -silent repoints it at stderr so stdout carries
+// nothing but the machine-readable findings a downstream pipe consumes.
+var sink io.Writer = os.Stdout
+
+// silent is the plain-sink mode: chrome goes to stderr and interactive widgets
+// (spinners, live progress) are suppressed so a piped consumer never sees them.
+var silent bool
+
+// SetSilent routes all chrome to stderr and marks the run non-interactive.
+// findings are printed to stdout by the caller via Finding/PrintFinding; the
+// output package itself never touches stdout once silent is on.
+func SetSilent(enabled bool) {
+	silent = enabled
+	if enabled {
+		sink = os.Stderr
+		return
+	}
+	sink = os.Stdout
+}
+
+// Silent reports whether plain-sink mode is active. callers gate interactive
+// behaviour (spinners, prompts) on this.
+func Silent() bool {
+	return silent
+}
+
+// Writer is the current chrome sink (stdout normally, stderr under -silent).
+// callers that render their own chrome (the startup banner) write here so it
+// follows the same routing as everything else.
+func Writer() io.Writer {
+	return sink
+}
+
 // Info prints an informational message with [*] prefix
 func Info(format string, args ...interface{}) {
 	if apiMode {
 		return
 	}
 	msg := fmt.Sprintf(format, args...)
-	fmt.Printf("%s %s\n", prefixInfo.Render("[*]"), msg)
+	fmt.Fprintf(sink, "%s %s\n", prefixInfo.Render("[*]"), msg)
 }

 // Success prints a success message with [+] prefix
@@ -141,7 +176,7 @@ func Success(format string, args ...interface{}) {
 		return
 	}
 	msg := fmt.Sprintf(format, args...)
-	fmt.Printf("%s %s\n", prefixSuccess.Render("[+]"), msg)
+	fmt.Fprintf(sink, "%s %s\n", prefixSuccess.Render("[+]"), msg)
 }

 // Warn prints a warning message with [!] prefix
@@ -150,7 +185,7 @@ func Warn(format string, args ...interface{}) {
 		return
 	}
 	msg := fmt.Sprintf(format, args...)
-	fmt.Printf("%s %s\n", prefixWarning.Render("[!]"), msg)
+	fmt.Fprintf(sink, "%s %s\n", prefixWarning.Render("[!]"), msg)
 }

 // Error prints an error message with [-] prefix
@@ -159,7 +194,7 @@ func Error(format string, args ...interface{}) {
 		return
 	}
 	msg := fmt.Sprintf(format, args...)
-	fmt.Printf("%s %s\n", prefixError.Render("[-]"), msg)
+	fmt.Fprintf(sink, "%s %s\n", prefixError.Render("[-]"), msg)
 }

 // ScanStart prints a styled scan start message
@@ -167,7 +202,7 @@ func ScanStart(scanName string) {
 	if apiMode {
 		return
 	}
-	fmt.Printf("%s starting %s\n", prefixInfo.Render("[*]"), scanName)
+	fmt.Fprintf(sink, "%s starting %s\n", prefixInfo.Render("[*]"), scanName)
 }

 // ScanComplete prints a styled scan completion message
@@ -175,7 +210,7 @@ func ScanComplete(scanName string, resultCount int, resultType string) {
 	if apiMode {
 		return
 	}
-	fmt.Printf("%s %s complete (%d %s)\n", prefixInfo.Render("[*]"), scanName, resultCount, resultType)
+	fmt.Fprintf(sink, "%s %s complete (%d %s)\n", prefixInfo.Render("[*]"), scanName, resultCount, resultType)
 }

 // Module creates a prefixed logger for a specific module/tool
@@ -202,7 +237,7 @@ func (m *ModuleLogger) Info(format string, args ...interface{}) {
 		return
 	}
 	msg := fmt.Sprintf(format, args...)
-	fmt.Printf("%s %s\n", m.prefix(), msg)
+	fmt.Fprintf(sink, "%s %s\n", m.prefix(), msg)
 }

 // Success prints a success message with module prefix
@@ -211,7 +246,7 @@ func (m *ModuleLogger) Success(format string, args ...interface{}) {
 		return
 	}
 	msg := fmt.Sprintf(format, args...)
-	fmt.Printf("%s %s %s\n", m.prefix(), prefixSuccess.Render("✓"), msg)
+	fmt.Fprintf(sink, "%s %s %s\n", m.prefix(), prefixSuccess.Render("✓"), msg)
 }

 // Warn prints a warning message with module prefix
@@ -220,7 +255,7 @@ func (m *ModuleLogger) Warn(format string, args ...interface{}) {
 		return
 	}
 	msg := fmt.Sprintf(format, args...)
-	fmt.Printf("%s %s %s\n", m.prefix(), prefixWarning.Render("!"), msg)
+	fmt.Fprintf(sink, "%s %s %s\n", m.prefix(), prefixWarning.Render("!"), msg)
 }

 // Error prints an error message with module prefix
@@ -229,7 +264,7 @@ func (m *ModuleLogger) Error(format string, args ...interface{}) {
 		return
 	}
 	msg := fmt.Sprintf(format, args...)
-	fmt.Printf("%s %s %s\n", m.prefix(), prefixError.Render("✗"), msg)
+	fmt.Fprintf(sink, "%s %s %s\n", m.prefix(), prefixError.Render("✗"), msg)
 }

 // Start prints a scan start message with module prefix (adds newline before for separation)
@@ -237,7 +272,7 @@ func (m *ModuleLogger) Start() {
 	if apiMode {
 		return
 	}
-	fmt.Printf("\n%s starting scan\n", m.prefix())
+	fmt.Fprintf(sink, "\n%s starting scan\n", m.prefix())
 }

 // Complete prints a scan complete message with module prefix
@@ -245,15 +280,16 @@ func (m *ModuleLogger) Complete(resultCount int, resultType string) {
 	if apiMode {
 		return
 	}
-	fmt.Printf("%s complete (%d %s)\n", m.prefix(), resultCount, resultType)
+	fmt.Fprintf(sink, "%s complete (%d %s)\n", m.prefix(), resultCount, resultType)
 }

-// ClearLine clears the current line (for progress bar updates)
+// ClearLine clears the current line (for progress bar updates). silent mode is
+// non-interactive, so there's no live line to clear and stdout stays untouched.
 func ClearLine() {
-	if !IsTTY {
+	if !IsTTY || silent {
 		return
 	}
-	fmt.Print("\033[2K\r")
+	fmt.Fprint(sink, "\033[2K\r")
 }

 // Summary styles
@@ -274,22 +310,22 @@ func PrintSummary(scans []string, logFiles []string) {
 		return
 	}

-	fmt.Println()
-	fmt.Println(summaryLine.Render("────────────────────────────────────────────────────────────"))
-	fmt.Println()
-	fmt.Printf("  %s\n", summaryHeader.Render("SCAN COMPLETE"))
-	fmt.Println()
+	fmt.Fprintln(sink)
+	fmt.Fprintln(sink, summaryLine.Render("────────────────────────────────────────────────────────────"))
+	fmt.Fprintln(sink)
+	fmt.Fprintf(sink, "  %s\n", summaryHeader.Render("SCAN COMPLETE"))
+	fmt.Fprintln(sink)

 	// Print scans
 	scanList := strings.Join(scans, ", ")
-	fmt.Printf("  %s %s\n", Muted.Render("Scans:"), scanList)
+	fmt.Fprintf(sink, "  %s %s\n", Muted.Render("Scans:"), scanList)

 	// Print log files if any
 	if len(logFiles) > 0 {
-		fmt.Printf("  %s %s\n", Muted.Render("Output:"), strings.Join(logFiles, ", "))
+		fmt.Fprintf(sink, "  %s %s\n", Muted.Render("Output:"), strings.Join(logFiles, ", "))
 	}

-	fmt.Println()
-	fmt.Println(summaryLine.Render("────────────────────────────────────────────────────────────"))
-	fmt.Println()
+	fmt.Fprintln(sink)
+	fmt.Fprintln(sink, summaryLine.Render("────────────────────────────────────────────────────────────"))
+	fmt.Fprintln(sink)
 }
@@ -28,12 +28,13 @@ const (

 // Progress displays a progress bar for operations with known counts
 type Progress struct {
-	total    int64
-	current  int64
-	message  string
-	lastItem string
-	mu       sync.Mutex
-	paused   bool
+	total     int64
+	current   int64
+	message   string
+	lastItem  string
+	mu        sync.Mutex
+	paused    bool
+	lastShown int // last printed milestone bucket in non-tty mode
 }

 // NewProgress creates a new progress bar
@@ -97,7 +98,7 @@ func (p *Progress) Done() {
 }

 func (p *Progress) render() {
-	if apiMode {
+	if apiMode || silent {
 		return
 	}

@@ -110,9 +111,31 @@ func (p *Progress) render() {
 		}
 		percent := int(current * 100 / total)

-		// Print at 0%, 25%, 50%, 75%, 100%
-		if current == 1 || percent == 25 || percent == 50 || percent == 75 || current == total {
-			fmt.Printf("    [%d%%] %d/%d\n", percent, current, total)
+		// map current to a milestone bucket (0=none,1..5). concurrent workers
+		// hammer the same bucket, so only print when the bucket advances.
+		bucket := 0
+		switch {
+		case current >= total:
+			bucket = 5
+		case percent >= 75:
+			bucket = 4
+		case percent >= 50:
+			bucket = 3
+		case percent >= 25:
+			bucket = 2
+		case current >= 1:
+			bucket = 1
+		}
+
+		p.mu.Lock()
+		advanced := bucket > p.lastShown
+		if advanced {
+			p.lastShown = bucket
+		}
+		p.mu.Unlock()
+
+		if advanced {
+			fmt.Fprintf(sink, "    [%d%%] %d/%d\n", percent, current, total)
 		}
 		return
 	}
@@ -167,5 +190,5 @@ func (p *Progress) render() {
 	)

 	ClearLine()
-	fmt.Print(line)
+	fmt.Fprint(sink, line)
 }
@@ -12,7 +12,12 @@

 package output

-import "testing"
+import (
+	"os"
+	"strings"
+	"sync"
+	"testing"
+)

 // the non-tty milestone path divides current*100/total, so a zero-total bar
 // used to panic with integer divide-by-zero when piped or redirected.
@@ -32,3 +37,60 @@ func TestProgressCounts(t *testing.T) {
 		t.Errorf("current = %d, want 4", p.current)
 	}
 }
+
+// many concurrent workers used to spam the same milestone bucket (e.g. ten
+// "[25%] .../1000" lines). each bucket must now print at most once.
+func TestProgressNonTTYDedupesMilestones(t *testing.T) {
+	savedTTY, savedAPI := IsTTY, apiMode
+	IsTTY, apiMode = false, false
+	defer func() { IsTTY, apiMode = savedTTY, savedAPI }()
+
+	out := captureStdout(t, func() {
+		p := NewProgress(1000, "scanning")
+		var wg sync.WaitGroup
+		for i := 0; i < 40; i++ {
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				for j := 0; j < 25; j++ {
+					p.Increment("x")
+				}
+			}()
+		}
+		wg.Wait()
+	})
+
+	lines := strings.Count(out, "\n")
+	if lines > 5 {
+		t.Errorf("printed %d milestone lines, want <=5:\n%s", lines, out)
+	}
+}
+
+func captureStdout(t *testing.T, fn func()) string {
+	t.Helper()
+	r, w, err := os.Pipe()
+	if err != nil {
+		t.Fatalf("pipe: %v", err)
+	}
+	saved := os.Stdout
+	os.Stdout = w
+
+	done := make(chan string, 1)
+	go func() {
+		buf := make([]byte, 0, 4096)
+		tmp := make([]byte, 1024)
+		for {
+			n, rerr := r.Read(tmp)
+			buf = append(buf, tmp[:n]...)
+			if rerr != nil {
+				break
+			}
+		}
+		done <- string(buf)
+	}()
+
+	fn()
+	os.Stdout = saved
+	w.Close()
+	return <-done
+}
@@ -0,0 +1,113 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package output
+
+import (
+	"os"
+	"strings"
+	"testing"
+)
+
+// in silent mode chrome must land on stderr and leave stdout untouched, so a
+// piped consumer downstream never sees a banner or log line.
+func TestSetSilentRoutesChromeToStderr(t *testing.T) {
+	defer SetSilent(false)
+
+	outStr, errStr := captureStdoutStderr(t, func() {
+		// SetSilent reads os.Stderr at call time, so swap then set.
+		SetSilent(true)
+		Info("scanning %s", "example.com")
+		Success("done")
+	})
+
+	if outStr != "" {
+		t.Errorf("silent mode wrote chrome to stdout: %q", outStr)
+	}
+	if !strings.Contains(errStr, "scanning example.com") {
+		t.Errorf("silent chrome missing from stderr: %q", errStr)
+	}
+}
+
+// the default (non-silent) sink is stdout; flipping silent off must restore it.
+func TestSetSilentOffRoutesChromeToStdout(t *testing.T) {
+	outStr, errStr := captureStdoutStderr(t, func() {
+		SetSilent(false)
+		Info("hello")
+	})
+
+	if !strings.Contains(outStr, "hello") {
+		t.Errorf("non-silent chrome missing from stdout: %q", outStr)
+	}
+	if strings.Contains(errStr, "hello") {
+		t.Errorf("non-silent chrome leaked to stderr: %q", errStr)
+	}
+}
+
+// Silent() reflects the toggle so callers can gate interactive widgets.
+func TestSilentToggle(t *testing.T) {
+	defer SetSilent(false)
+	SetSilent(true)
+	if !Silent() {
+		t.Error("Silent() = false after SetSilent(true)")
+	}
+	SetSilent(false)
+	if Silent() {
+		t.Error("Silent() = true after SetSilent(false)")
+	}
+}
+
+// captureStdoutStderr swaps both real streams for pipes, runs fn, and returns
+// what landed on each. SetSilent reads os.Stdout/os.Stderr at call time, so the
+// swap has to happen before fn flips the sink - fn does that itself.
+func captureStdoutStderr(t *testing.T, fn func()) (string, string) {
+	t.Helper()
+
+	outR, outW, err := os.Pipe()
+	if err != nil {
+		t.Fatalf("pipe stdout: %v", err)
+	}
+	errR, errW, err := os.Pipe()
+	if err != nil {
+		t.Fatalf("pipe stderr: %v", err)
+	}
+
+	savedOut, savedErr := os.Stdout, os.Stderr
+	os.Stdout, os.Stderr = outW, errW
+
+	outCh := drain(outR)
+	errCh := drain(errR)
+
+	fn()
+
+	os.Stdout, os.Stderr = savedOut, savedErr
+	outW.Close()
+	errW.Close()
+	return <-outCh, <-errCh
+}
+
+func drain(r *os.File) <-chan string {
+	ch := make(chan string, 1)
+	go func() {
+		buf := make([]byte, 0, 4096)
+		tmp := make([]byte, 1024)
+		for {
+			n, rerr := r.Read(tmp)
+			buf = append(buf, tmp[:n]...)
+			if rerr != nil {
+				break
+			}
+		}
+		ch <- string(buf)
+	}()
+	return ch
+}
@@ -14,7 +14,6 @@ package output

 import (
 	"fmt"
-	"os"
 	"sync"
 	"time"
 )
@@ -42,7 +41,7 @@ func NewSpinner(message string) *Spinner {

 // Start begins the spinner animation
 func (s *Spinner) Start() {
-	if apiMode {
+	if apiMode || silent {
 		return
 	}

@@ -57,7 +56,7 @@ func (s *Spinner) Start() {

 	// In non-TTY mode, just print the message once
 	if !IsTTY {
-		fmt.Printf("    %s...\n", s.message)
+		fmt.Fprintf(sink, "    %s...\n", s.message)
 		return
 	}

@@ -66,7 +65,7 @@ func (s *Spinner) Start() {

 // Stop halts the spinner and clears the line
 func (s *Spinner) Stop() {
-	if apiMode {
+	if apiMode || silent {
 		return
 	}

@@ -112,8 +111,8 @@ func (s *Spinner) animate() {
 			spinnerChar := prefixInfo.Render(spinnerFrames[frame])
 			line := fmt.Sprintf("\r    %s %s", spinnerChar, msg)

-			fmt.Fprint(os.Stdout, "\033[2K") // Clear line
-			fmt.Fprint(os.Stdout, line)
+			fmt.Fprint(sink, "\033[2K") // Clear line
+			fmt.Fprint(sink, line)

 			frame = (frame + 1) % len(spinnerFrames)
 		}
@@ -0,0 +1,57 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+// Package pool spreads independent per-item work across a fixed set of workers
+// that all pull from one shared channel. that's the point over a static
+// modulo-stride partition: a slow or timing-out item only stalls the one worker
+// holding it, the rest keep draining the queue instead of idling behind it.
+package pool
+
+import "sync"
+
+// Each runs fn for every item in items, concurrently, across at most workers
+// goroutines. order isn't preserved - fn must be safe to call from multiple
+// goroutines and guard any shared state itself. blocks until every item is done.
+func Each[T any](items []T, workers int, fn func(T)) {
+	if len(items) == 0 {
+		return
+	}
+	// floor at one worker; a non-positive count would otherwise spawn nothing
+	// and silently drop the work.
+	if workers < 1 {
+		workers = 1
+	}
+	// never spin more workers than there is work for.
+	if workers > len(items) {
+		workers = len(items)
+	}
+
+	queue := make(chan T, len(items))
+	for i := 0; i < len(items); i++ {
+		queue <- items[i]
+	}
+	close(queue)
+
+	var wg sync.WaitGroup
+	wg.Add(workers)
+	for i := 0; i < workers; i++ {
+		go func() {
+			defer wg.Done()
+			// pull until the queue is drained; a worker that finishes its
+			// current item just grabs the next, which is the work-stealing.
+			for item := range queue {
+				fn(item)
+			}
+		}()
+	}
+	wg.Wait()
+}
@@ -0,0 +1,145 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package pool
+
+import (
+	"sync"
+	"sync/atomic"
+	"testing"
+)
+
+// every item runs exactly once across a spread of sizes and worker counts,
+// including the floors (zero/negative workers) and workers > len.
+func TestEachProcessesAllExactlyOnce(t *testing.T) {
+	tests := []struct {
+		name    string
+		items   int
+		workers int
+	}{
+		{"empty", 0, 4},
+		{"single item", 1, 8},
+		{"workers floored from zero", 5, 0},
+		{"workers floored from negative", 5, -3},
+		{"more workers than items", 3, 16},
+		{"even split", 100, 4},
+		{"uneven split", 101, 7},
+		{"one worker", 50, 1},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			items := make([]int, tt.items)
+			for i := 0; i < tt.items; i++ {
+				items[i] = i
+			}
+
+			var mu sync.Mutex
+			seen := make(map[int]int, tt.items)
+			Each(items, tt.workers, func(v int) {
+				mu.Lock()
+				seen[v]++
+				mu.Unlock()
+			})
+
+			if len(seen) != tt.items {
+				t.Fatalf("processed %d distinct items, want %d", len(seen), tt.items)
+			}
+			for v, n := range seen {
+				if n != 1 {
+					t.Errorf("item %d processed %d times, want 1", v, n)
+				}
+			}
+		})
+	}
+}
+
+// no more than `workers` (capped at len(items)) callbacks ever run at once.
+func TestEachRespectsWorkerCap(t *testing.T) {
+	const (
+		items   = 200
+		workers = 6
+	)
+	work := make([]int, items)
+
+	var inFlight, peak int64
+	var release = make(chan struct{})
+	var started sync.WaitGroup
+	started.Add(items)
+
+	go func() {
+		Each(work, workers, func(int) {
+			cur := atomic.AddInt64(&inFlight, 1)
+			for {
+				p := atomic.LoadInt64(&peak)
+				if cur <= p || atomic.CompareAndSwapInt64(&peak, p, cur) {
+					break
+				}
+			}
+			started.Done()
+			<-release
+			atomic.AddInt64(&inFlight, -1)
+		})
+	}()
+
+	// the cap means at most `workers` callbacks block on release at once, so
+	// release exactly that many at a time until everything drains.
+	done := make(chan struct{})
+	go func() {
+		for i := 0; i < items; i++ {
+			release <- struct{}{}
+		}
+		close(done)
+	}()
+	<-done
+
+	if got := atomic.LoadInt64(&peak); got > workers {
+		t.Fatalf("peak concurrency %d exceeded worker cap %d", got, workers)
+	}
+}
+
+// the cap is min(workers, len(items)): fewer items than workers must not spin
+// idle goroutines past the item count.
+func TestEachCapsAtItemCount(t *testing.T) {
+	const (
+		items   = 3
+		workers = 32
+	)
+	work := make([]int, items)
+
+	var inFlight, peak int64
+	var ready sync.WaitGroup
+	ready.Add(items)
+	release := make(chan struct{})
+
+	go func() {
+		for i := 0; i < items; i++ {
+			release <- struct{}{}
+		}
+	}()
+
+	Each(work, workers, func(int) {
+		cur := atomic.AddInt64(&inFlight, 1)
+		for {
+			p := atomic.LoadInt64(&peak)
+			if cur <= p || atomic.CompareAndSwapInt64(&peak, p, cur) {
+				break
+			}
+		}
+		<-release
+		atomic.AddInt64(&inFlight, -1)
+	})
+
+	if got := atomic.LoadInt64(&peak); got > items {
+		t.Fatalf("peak concurrency %d exceeded item count %d", got, items)
+	}
+}
@@ -0,0 +1,74 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package report
+
+import (
+	"bytes"
+	"encoding/json"
+	"sort"
+	"strings"
+)
+
+// Markdown renders results as a readable report grouped by target, then by
+// module, with each module's finding pretty-printed as a json code block.
+func Markdown(results []Result) []byte {
+	var b strings.Builder
+	b.WriteString("# sif scan report\n\n")
+
+	// group module results under their target so the report reads target-first
+	// regardless of the order results came in.
+	byTarget := make(map[string][]Result)
+	order := make([]string, 0)
+	for i := 0; i < len(results); i++ {
+		t := results[i].Target
+		if _, seen := byTarget[t]; !seen {
+			order = append(order, t)
+		}
+		byTarget[t] = append(byTarget[t], results[i])
+	}
+
+	for i := 0; i < len(order); i++ {
+		target := order[i]
+		b.WriteString("## ")
+		b.WriteString(target)
+		b.WriteString("\n\n")
+
+		mods := byTarget[target]
+		// sort modules so the report is deterministic across runs
+		sort.SliceStable(mods, func(a, c int) bool { return mods[a].Module < mods[c].Module })
+
+		for j := 0; j < len(mods); j++ {
+			b.WriteString("### ")
+			b.WriteString(mods[j].Module)
+			b.WriteString("\n\n")
+			b.WriteString("```json\n")
+			b.WriteString(prettyJSON(mods[j].Data))
+			b.WriteString("\n```\n\n")
+		}
+	}
+
+	return []byte(b.String())
+}
+
+// prettyJSON re-indents the raw finding for readability; if it doesn't parse as
+// json (shouldn't happen, but never trust it) the raw bytes are returned as-is.
+func prettyJSON(raw json.RawMessage) string {
+	if len(raw) == 0 {
+		return "null"
+	}
+	var indented bytes.Buffer
+	if err := json.Indent(&indented, raw, "", "  "); err != nil {
+		return string(raw)
+	}
+	return indented.String()
+}
@@ -0,0 +1,26 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+// Package report serializes collected scan results to sarif and markdown. it's
+// deliberately decoupled from the scan package: callers map their own results
+// into report.Result, so report never imports a scanner type.
+package report
+
+import "encoding/json"
+
+// Result is one module's output for one target. Data is whatever the scanner
+// returned, carried as raw json so report stays free of scan types.
+type Result struct {
+	Target string
+	Module string
+	Data   json.RawMessage
+}
@@ -0,0 +1,172 @@
+/*
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+:                                                                               :
+:   █▀ █ █▀▀   ·   Blazing-fast pentesting suite                                :
+:   ▄█ █ █▀    ·   BSD 3-Clause License                                         :
+:                                                                               :
+:   (c) 2022-2026 vmfunc, xyzeva,                                               :
+:                 lunchcat alumni & contributors                                :
+:                                                                               :
+·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
+*/
+
+package report
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+)
+
+// fakeResults are a couple of representative findings across two targets used by
+// every test below.
+func fakeResults() []Result {
+	return []Result{
+		{Target: "https://a.example.com", Module: "cors", Data: json.RawMessage(`{"severity":"high"}`)},
+		{Target: "https://a.example.com", Module: "probe", Data: json.RawMessage(`{"status_code":200}`)},
+		{Target: "https://b.example.com", Module: "redirect", Data: json.RawMessage(`{"parameter":"next"}`)},
+	}
+}
+
+func TestSARIF_ValidAndContainsFindings(t *testing.T) {
+	out, err := SARIF(fakeResults())
+	if err != nil {
+		t.Fatalf("SARIF: %v", err)
+	}
+
+	// the output must parse back into the sarif shape
+	var doc sarifLog
+	if err := json.Unmarshal(out, &doc); err != nil {
+		t.Fatalf("sarif output is not valid json: %v", err)
+	}
+
+	if doc.Version != "2.1.0" {
+		t.Errorf("expected sarif version 2.1.0, got %q", doc.Version)
+	}
+	if len(doc.Runs) != 1 {
+		t.Fatalf("expected exactly one run, got %d", len(doc.Runs))
+	}
+	run := doc.Runs[0]
+	if run.Tool.Driver.Name != "sif" {
+		t.Errorf("expected tool name sif, got %q", run.Tool.Driver.Name)
+	}
+	if len(run.Results) != 3 {
+		t.Fatalf("expected 3 results, got %d", len(run.Results))
+	}
+
+	// each finding's module id surfaces as the ruleId and its target as the uri
+	tests := []struct {
+		ruleID string
+		target string
+	}{
+		{"cors", "https://a.example.com"},
+		{"probe", "https://a.example.com"},
+		{"redirect", "https://b.example.com"},
+	}
+	for _, tt := range tests {
+		if !sarifHasResult(run.Results, tt.ruleID, tt.target) {
+			t.Errorf("expected sarif result rule=%q target=%q, got %+v", tt.ruleID, tt.target, run.Results)
+		}
+	}
+
+	// rules list each module id once, deduped across targets
+	if len(run.Tool.Driver.Rules) != 3 {
+		t.Errorf("expected 3 deduped rules, got %d: %+v", len(run.Tool.Driver.Rules), run.Tool.Driver.Rules)
+	}
+}
+
+func TestSARIF_DedupesRulesAcrossTargets(t *testing.T) {
+	// the same module on two targets must yield one rule but two results.
+	results := []Result{
+		{Target: "https://a.example.com", Module: "cors", Data: json.RawMessage(`{}`)},
+		{Target: "https://b.example.com", Module: "cors", Data: json.RawMessage(`{}`)},
+	}
+	out, err := SARIF(results)
+	if err != nil {
+		t.Fatalf("SARIF: %v", err)
+	}
+	var doc sarifLog
+	if err := json.Unmarshal(out, &doc); err != nil {
+		t.Fatalf("invalid json: %v", err)
+	}
+	run := doc.Runs[0]
+	if len(run.Tool.Driver.Rules) != 1 {
+		t.Errorf("expected 1 deduped rule, got %d", len(run.Tool.Driver.Rules))
+	}
+	if len(run.Results) != 2 {
+		t.Errorf("expected 2 results, got %d", len(run.Results))
+	}
+}
+
+func TestSARIF_Empty(t *testing.T) {
+	out, err := SARIF(nil)
+	if err != nil {
+		t.Fatalf("SARIF: %v", err)
+	}
+	var doc sarifLog
+	if err := json.Unmarshal(out, &doc); err != nil {
+		t.Fatalf("empty sarif is not valid json: %v", err)
+	}
+	if len(doc.Runs) != 1 {
+		t.Fatalf("expected one run even when empty, got %d", len(doc.Runs))
+	}
+	if len(doc.Runs[0].Results) != 0 {
+		t.Errorf("expected no results, got %d", len(doc.Runs[0].Results))
+	}
+}
+
+func TestMarkdown_ContainsTargetsAndModules(t *testing.T) {
+	out := string(Markdown(fakeResults()))
+
+	wants := []string{
+		"# sif scan report",
+		"## https://a.example.com",
+		"## https://b.example.com",
+		"### cors",
+		"### probe",
+		"### redirect",
+		`"severity": "high"`, // re-indented finding body
+		`"parameter": "next"`,
+	}
+	for _, want := range wants {
+		if !strings.Contains(out, want) {
+			t.Errorf("markdown report missing %q\n---\n%s", want, out)
+		}
+	}
+}
+
+func TestMarkdown_GroupsByTarget(t *testing.T) {
+	// a.example.com's two modules must both appear before b.example.com's header.
+	out := string(Markdown(fakeResults()))
+	aHeader := strings.Index(out, "## https://a.example.com")
+	bHeader := strings.Index(out, "## https://b.example.com")
+	if aHeader < 0 || bHeader < 0 {
+		t.Fatalf("missing target headers in:\n%s", out)
+	}
+	if aHeader > bHeader {
+		t.Errorf("expected target a before target b, got a=%d b=%d", aHeader, bHeader)
+	}
+	// both of a's modules sit between a's header and b's header
+	corsIdx := strings.Index(out, "### cors")
+	probeIdx := strings.Index(out, "### probe")
+	if corsIdx < aHeader || corsIdx > bHeader || probeIdx < aHeader || probeIdx > bHeader {
+		t.Errorf("expected a's modules grouped under a, cors=%d probe=%d (a=%d b=%d)", corsIdx, probeIdx, aHeader, bHeader)
+	}
+}
+
+// sarifHasResult reports whether any result carries the given rule id and target
+// uri, the pairing that proves a finding survived serialization.
+func sarifHasResult(results []sarifResult, ruleID, target string) bool {
+	for i := 0; i < len(results); i++ {
+		r := results[i]
+		if r.RuleID != ruleID {
+			continue
+		}
+		for j := 0; j < len(r.Locations); j++ {
+			if r.Locations[j].PhysicalLocation.ArtifactLocation.URI == target {
+				return true
+			}
+		}
+	}
+	return false
+}
--- a/Show More
+++ b/Show More