docs(12-03): complete cloud storage scanners plan

- SUMMARY.md with 4 cloud scanner sources (S3, GCS, Azure Blob, DO Spaces)
- STATE.md, ROADMAP.md, REQUIREMENTS.md updated

.planning/phases/12-osint_iot_cloud_storage/12-03-SUMMARY.md

@@ -0,0 +1,115 @@
+---
+phase: 12-osint_iot_cloud_storage
+plan: 03
+subsystem: recon
+tags: [s3, gcs, azure-blob, digitalocean-spaces, cloud-storage, osint, bucket-enumeration]
+
+requires:
+  - phase: 09-osint-infrastructure
+    provides: "LimiterRegistry, ReconSource interface, shared Client"
+  - phase: 10-osint-code-hosting
+    provides: "BuildQueries, RegisterAll pattern, sources.Client"
+provides:
+  - "S3Scanner — public AWS S3 bucket enumeration recon source"
+  - "GCSScanner — public GCS bucket enumeration recon source"
+  - "AzureBlobScanner — public Azure Blob container enumeration recon source"
+  - "DOSpacesScanner — public DigitalOcean Spaces enumeration recon source"
+  - "bucketNames() shared helper for provider-keyword bucket name generation"
+  - "isConfigFile() shared helper for config-pattern file detection"
+affects: [12-osint_iot_cloud_storage, register-all-wiring]
+
+tech-stack:
+  added: []
+  patterns: ["credentialless cloud bucket enumeration via anonymous HTTP HEAD+GET"]
+
+key-files:
+  created:
+    - pkg/recon/sources/s3scanner.go
+    - pkg/recon/sources/gcsscanner.go
+    - pkg/recon/sources/azureblob.go
+    - pkg/recon/sources/dospaces.go
+    - pkg/recon/sources/s3scanner_test.go
+    - pkg/recon/sources/gcsscanner_test.go
+    - pkg/recon/sources/azureblob_test.go
+    - pkg/recon/sources/dospaces_test.go
+  modified: []
+
+key-decisions:
+  - "bucketNames generates candidates from provider names + suffixes (not keywords) to produce readable bucket names"
+  - "HEAD probe before GET listing to avoid unnecessary bandwidth on non-public buckets"
+  - "isConfigFile checks extensions and common basenames (.env, config.*, credentials.*) without downloading contents"
+  - "Azure iterates fixed container names (config, secrets, backup, etc.) within each account"
+  - "DO Spaces iterates 5 regions (nyc3, sfo3, ams3, sgp1, fra1) per bucket"
+
+patterns-established:
+  - "Cloud scanner pattern: HEAD probe for existence, GET for listing, filter by isConfigFile"
+  - "BaseURL override pattern with %s placeholder for httptest injection"
+
+requirements-completed: [RECON-CLOUD-01, RECON-CLOUD-02, RECON-CLOUD-03, RECON-CLOUD-04]
+
+duration: 4min
+completed: 2026-04-06
+---
+
+# Phase 12 Plan 03: Cloud Storage Scanners Summary
+
+**Four credentialless cloud storage recon sources (S3, GCS, Azure Blob, DO Spaces) with provider-keyword bucket enumeration and config-file pattern detection**
+
+## Performance
+
+- **Duration:** 4 min
+- **Started:** 2026-04-06T09:22:08Z
+- **Completed:** 2026-04-06T09:26:11Z
+- **Tasks:** 2
+- **Files modified:** 8
+
+## Accomplishments
+- S3Scanner enumerates public AWS S3 buckets using S3 ListBucketResult XML parsing
+- GCSScanner enumerates public GCS buckets using JSON listing format
+- AzureBlobScanner enumerates public Azure Blob containers using EnumerationResults XML
+- DOSpacesScanner enumerates public DO Spaces across 5 regions using S3-compatible XML
+- Shared bucketNames() generates candidates from provider names + common suffixes
+- Shared isConfigFile() detects .env, .json, .yaml, .toml, .conf and similar patterns
+
+## Task Commits
+
+Each task was committed atomically:
+
+1. **Task 1: Implement S3Scanner and GCSScanner** - `47d542b` (feat)
+2. **Task 2: Implement AzureBlobScanner, DOSpacesScanner, and all tests** - `13905eb` (feat)
+
+## Files Created/Modified
+- `pkg/recon/sources/s3scanner.go` - S3 bucket enumeration with XML ListBucketResult parsing
+- `pkg/recon/sources/gcsscanner.go` - GCS bucket enumeration with JSON listing parsing
+- `pkg/recon/sources/azureblob.go` - Azure Blob container enumeration with XML EnumerationResults parsing
+- `pkg/recon/sources/dospaces.go` - DO Spaces enumeration across 5 regions (S3-compatible XML)
+- `pkg/recon/sources/s3scanner_test.go` - httptest tests for S3Scanner
+- `pkg/recon/sources/gcsscanner_test.go` - httptest tests for GCSScanner
+- `pkg/recon/sources/azureblob_test.go` - httptest tests for AzureBlobScanner
+- `pkg/recon/sources/dospaces_test.go` - httptest tests for DOSpacesScanner
+
+## Decisions Made
+- bucketNames uses provider Name (not Keywords) as base for bucket name generation -- produces more realistic bucket names like "openai-keys" vs "sk-proj--keys"
+- HEAD probe before GET to minimize bandwidth on non-public buckets
+- Azure iterates a fixed list of common container names within each generated account name
+- DO Spaces iterates all 5 supported regions per bucket name
+- Tests omit rate limiters (nil Limiters) to avoid test slowness from the 500ms rate limit across many bucket/region combinations
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Issues Encountered
+- Azure and DO Spaces tests initially timed out due to rate limiter overhead (9 bucket names x 7 containers = 63 requests at 500ms each). Resolved by omitting rate limiters in tests since rate limiting is tested at the LimiterRegistry level.
+
+## User Setup Required
+
+None - no external service configuration required.
+
+## Next Phase Readiness
+- Four cloud storage scanners ready for RegisterAll wiring
+- Sources use same pattern as Phase 10/11 sources (BaseURL override, shared Client, LimiterRegistry)
+
+---
+*Phase: 12-osint_iot_cloud_storage*
+*Completed: 2026-04-06*