salvacybersec/keyhunter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(phase-10): complete phase execution

Browse Source
This commit is contained in:
salvacybersec
2026-04-06 11:38:31 +03:00
parent 118decbb3e
commit 3aadeb2d1c
3 changed files with 134 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.planning/ROADMAP.md
View File

@@ -336,7 +336,7 @@ Phases execute in numeric order: 1 → 2 → 3 → ... → 18
| 7. Import Adapters & CI/CD Integration | 0/? | Not started | - |
| 8. Dork Engine | 0/? | Not started | - |
| 9. OSINT Infrastructure | 2/6 | In Progress| |
| 10. OSINT Code Hosting | 9/9 | Complete | 2026-04-05 |
| 10. OSINT Code Hosting | 9/9 | Complete | 2026-04-06 |
| 11. OSINT Search & Paste | 0/? | Not started | - |
| 12. OSINT IoT & Cloud Storage | 0/? | Not started | - |
| 13. OSINT Package Registries & Container/IaC | 0/? | Not started | - |

10
.planning/STATE.md
View File

@@ -4,8 +4,8 @@ milestone: v1.0
milestone_name: milestone
status: executing
stopped_at: Completed 10-09-PLAN.md
last_updated: "2026-04-05T22:28:27.416Z"
last_activity: 2026-04-05
last_updated: "2026-04-06T08:38:31.363Z"
last_activity: 2026-04-06
progress:
total_phases: 18
completed_phases: 10
@@ -25,10 +25,10 @@ See: .planning/PROJECT.md (updated 2026-04-04)
## Current Position
Phase: 10 (osint-code-hosting) — EXECUTING
Plan: 4 of 9
Phase: 11
Plan: Not started
Status: Ready to execute
Last activity: 2026-04-05
Last activity: 2026-04-06
Progress: [██░░░░░░░░] 20%

128
.planning/phases/10-osint-code-hosting/10-VERIFICATION.md Normal file
View File

@@ -0,0 +1,128 @@
---
phase: 10-osint-code-hosting
verified: 2026-04-06T08:37:18Z
status: passed
score: 5/5 must-haves verified
re_verification:
previous_status: gaps_found
previous_score: 3/5
gaps_closed:
- "`recon --sources=github,gitlab` executes dorks via APIs — `--sources` StringSlice flag now declared on reconFullCmd (line 174) and filterEngineSources rebuilds a filtered engine via Engine.Get (lines 67-86)"
- "All code hosting source findings are stored in the database with source attribution and deduplication — persistReconFindings (lines 90-115) calls storage.SaveFinding per deduped finding, gated by `--no-persist` opt-out flag"
gaps_remaining: []
regressions: []
---
# Phase 10: OSINT Code Hosting Verification Report
**Phase Goal:** Users can scan 10 code hosting platforms for leaked LLM API keys
**Verified:** 2026-04-06T08:37:18Z
**Status:** passed
**Re-verification:** Yes -- after gap closure (previous: gaps_found 3/5)
## Goal Achievement
### Observable Truths (from ROADMAP Success Criteria)
| # | Truth | Status | Evidence |
|---|-------|--------|----------|
| 1 | `recon --sources=github,gitlab` executes dorks via APIs and feeds detection pipeline | VERIFIED | `--sources` StringSlice flag declared at cmd/recon.go:174. reconFullCmd (line 37-39) checks `reconSourcesFilter` and calls `filterEngineSources` which uses `Engine.Get(name)` (engine.go:37-42) to rebuild a filtered engine containing only named sources. GitHubSource and GitLabSource are substantive implementations (199 and 175 lines respectively) with real API calls. |
| 2 | `recon --sources=huggingface` scans HF Spaces and model repos | VERIFIED | HuggingFaceSource (huggingface.go, 181 lines) sweeps both `/api/spaces` and `/api/models`. Registered in register.go:56. `--sources=huggingface` would filter to this single source via filterEngineSources. Integration test asserts findings arrive from both endpoints. |
| 3 | `recon --sources=gist,bitbucket,codeberg` works | VERIFIED | GistSource (184 lines), BitbucketSource (174 lines), CodebergSource (167 lines) all implemented, registered (register.go:68-84), and exercised by integration test. `--sources` flag enables selecting any combination. |
| 4 | `recon --sources=replit,codesandbox,kaggle` works | VERIFIED | ReplitSource (141 lines), CodeSandboxSource (95 lines), KaggleSource (149 lines) all implemented, registered (register.go:86-97), and exercised by integration test. SandboxesSource (248 lines) also present for CodePen/JSFiddle/StackBlitz/Glitch/Observable. |
| 5 | Code hosting findings stored in DB with source attribution and dedup | VERIFIED | `persistReconFindings` (cmd/recon.go:90-115) iterates deduped findings and calls `storage.SaveFinding` (pkg/storage/findings.go:43) with correct field mapping including SourceType, ProviderName, KeyMasked. Called at line 56 gated by `!reconNoPersist`. Dedup via `recon.Dedup` at line 50. `openDBWithKey` (cmd/keys.go:410) provides DB handle with encryption key. |
**Score:** 5/5 truths VERIFIED
### Required Artifacts
All ten source files exist, are substantive, and are wired via RegisterAll (regression check -- unchanged from initial verification):
| Artifact | Expected | Status | Details |
|----------|----------|--------|---------|
| `pkg/recon/sources/github.go` | GitHubSource | VERIFIED | 199 lines, /search/code API |
| `pkg/recon/sources/gitlab.go` | GitLabSource | VERIFIED | 175 lines, /api/v4/search |
| `pkg/recon/sources/bitbucket.go` | BitbucketSource | VERIFIED | 174 lines, /2.0/workspaces search |
| `pkg/recon/sources/gist.go` | GistSource | VERIFIED | 184 lines, /gists/public enumeration |
| `pkg/recon/sources/codeberg.go` | CodebergSource | VERIFIED | 167 lines, /api/v1/repos/search |
| `pkg/recon/sources/huggingface.go` | HuggingFaceSource | VERIFIED | 181 lines, /api/spaces + /api/models |
| `pkg/recon/sources/replit.go` | ReplitSource | VERIFIED | 141 lines, HTML scraper |
| `pkg/recon/sources/codesandbox.go` | CodeSandboxSource | VERIFIED | 95 lines, HTML scraper |
| `pkg/recon/sources/sandboxes.go` | SandboxesSource | VERIFIED | 248 lines, multi-platform aggregator |
| `pkg/recon/sources/kaggle.go` | KaggleSource | VERIFIED | 149 lines, /api/v1/kernels/list |
| `pkg/recon/sources/register.go` | RegisterAll | VERIFIED | 10 engine.Register calls (lines 54-97) |
| `pkg/recon/sources/integration_test.go` | E2E SweepAll test | VERIFIED | 240 lines, httptest multiplexed server |
| `pkg/recon/engine.go` | Engine with Get() method | VERIFIED | Get(name) at lines 37-42, returns (ReconSource, bool) |
| `cmd/recon.go` | CLI with --sources flag + DB persistence | VERIFIED | --sources at line 174, filterEngineSources at lines 67-86, persistReconFindings at lines 90-115 |
### Key Link Verification
| From | To | Via | Status | Details |
|------|----|----|--------|---------|
| cmd/recon.go | pkg/recon/sources | sources.RegisterAll(e, cfg) | WIRED | Line 157 in buildReconEngine |
| register.go | all 10 sources | engine.Register(...) | WIRED | 10 Register calls (lines 54-97) |
| each source | httpclient.go | Client.Do(ctx, req) | WIRED | Shared retrying client in every source |
| each source | recon.LimiterRegistry | Limiters.Wait(...) | WIRED | Rate limiting in every Sweep loop |
| Sweep outputs | cmd/recon.go | out chan <- recon.Finding -> SweepAll -> Dedup | WIRED | reconFullCmd collects + dedups |
| cmd/recon.go | --sources filter | reconSourcesFilter -> filterEngineSources -> Engine.Get | WIRED | Flag at line 174, filter at lines 37-39, rebuild at lines 67-86 |
| cmd/recon.go findings | pkg/storage | persistReconFindings -> openDBWithKey -> db.SaveFinding | WIRED | Lines 55-59 call persistReconFindings, which calls storage.SaveFinding per finding (lines 97-112) |
### Data-Flow Trace (Level 4)
| Artifact | Data Variable | Source | Produces Real Data | Status |
|----------|---------------|--------|--------------------|--------|
| All 10 sources | Finding structs | API JSON / HTML scraping | Yes (integration test asserts non-empty findings per SourceType) | FLOWING |
| cmd/recon.go dedup | deduped slice | recon.Dedup(all) from SweepAll | Yes | FLOWING |
| cmd/recon.go persist | storage.Finding | persistReconFindings maps engine.Finding -> storage.Finding | Yes -- SaveFinding inserts with ProviderName, SourceType, KeyMasked, etc. | FLOWING |
### Behavioral Spot-Checks
| Behavior | Command | Result | Status |
|----------|---------|--------|--------|
| `go build ./...` succeeds | `go build ./...` | exit 0, clean | PASS |
| --sources flag declared | grep StringSliceVar cmd/recon.go | Found at line 174 | PASS |
| persistReconFindings calls SaveFinding | grep SaveFinding cmd/recon.go | Found at line 110 | PASS |
| Engine.Get method exists | grep "func.*Get" pkg/recon/engine.go | Found at line 37 | PASS |
| storage.Finding has all mapped fields | grep SourceType pkg/storage/findings.go | SourceType field present at line 20 | PASS |
### Requirements Coverage
| Requirement | Source Plan | Description | Status | Evidence |
|-------------|-------------|-------------|--------|----------|
| RECON-CODE-01 | 10-02 | GitHub code search | SATISFIED | github.go + test |
| RECON-CODE-02 | 10-03 | GitLab code search | SATISFIED | gitlab.go + test |
| RECON-CODE-03 | 10-04 | GitHub Gist search | SATISFIED | gist.go + test |
| RECON-CODE-04 | 10-04 | Bitbucket code search | SATISFIED | bitbucket.go + test |
| RECON-CODE-05 | 10-05 | Codeberg/Gitea search | SATISFIED | codeberg.go + test |
| RECON-CODE-06 | 10-07 | Replit scanning | SATISFIED | replit.go + test |
| RECON-CODE-07 | 10-07 | CodeSandbox scanning | SATISFIED | codesandbox.go + test |
| RECON-CODE-08 | 10-06 | HuggingFace scanning | SATISFIED | huggingface.go + test |
| RECON-CODE-09 | 10-08 | Kaggle scanning | SATISFIED | kaggle.go + test |
| RECON-CODE-10 | 10-07 | CodePen/JSFiddle/StackBlitz/Glitch/Observable | SATISFIED | sandboxes.go + test |
### Anti-Patterns Found
| File | Line | Pattern | Severity | Impact |
|------|------|---------|----------|--------|
| cmd/recon.go | 84 | `_ = eng` unused parameter assignment | Info | Cosmetic; kept for API symmetry per comment |
No TODOs, FIXMEs, placeholders, or empty implementations found in any Phase 10 file.
### Human Verification Required
None. All gaps have been closed with programmatically verifiable changes.
### Gaps Summary
Both gaps from the initial verification have been closed:
1. **--sources flag:** `reconFullCmd` now declares a `--sources` StringSlice flag (line 174). When provided, `filterEngineSources` (lines 67-86) uses the new `Engine.Get(name)` method (engine.go:37-42) to rebuild a filtered engine containing only the requested sources. This satisfies SCs 1-4 which require `recon --sources=github,gitlab` syntax.
2. **Database persistence:** `persistReconFindings` (lines 90-115) maps deduped `engine.Finding` structs to `storage.Finding` structs and calls `db.SaveFinding` for each one. The function is invoked at line 56, gated by `!reconNoPersist` (opt-out via `--no-persist` flag). This satisfies SC5 which requires findings stored in DB with source attribution and dedup.
No regressions detected. All 10 source implementations, RegisterAll wiring, integration test, and previously-passing artifacts remain intact.
---
_Verified: 2026-04-06T08:37:18Z_
_Verifier: Claude (gsd-verifier)_