docs(11-16): auto-generated OSINT phase contexts

2026-04-06 11:40:44 +03:00
parent 3aadeb2d1c
commit 9ad9767109
6 changed files with 266 additions and 0 deletions
--- a/.planning/phases/11-osint_search_paste/11-CONTEXT.md
+++ b/.planning/phases/11-osint_search_paste/11-CONTEXT.md
@@ -0,0 +1,42 @@
+# Phase 11: OSINT Search Engines & Paste Sites - Context
+
+**Gathered:** 2026-04-06
+**Status:** Ready for planning
+**Mode:** Auto-generated
+
+<domain>
+## Phase Boundary
+Adds ReconSource implementations for public search engine dorking (Google, Bing, DuckDuckGo, Yandex, Brave) and paste site scraping (Pastebin, GitHub Gist, Ghostbin, Rentry, ControlC) to detect leaked API keys across indexed web pages and public pastes.
+</domain>
+
+<decisions>
+## Implementation Decisions
+### Claude's Discretion
+All implementation choices are at Claude's discretion. Follow the established Phase 10 pattern: each source implements recon.ReconSource, uses pkg/recon/sources/httpclient.go for HTTP, uses httptest for tests. Each source goes in its own file.
+</decisions>
+
+<code_context>
+## Existing Code Insights
+### Reusable Assets
+- pkg/recon/sources/ — established source implementation pattern from Phase 10
+- pkg/recon/sources/httpclient.go — shared retry HTTP client
+- pkg/recon/sources/register.go — RegisterAll (extend per phase)
+- pkg/recon/source.go — ReconSource interface
+</code_context>
+
+<specifics>
+## Specific Ideas
+- GoogleDorkSource — search engine dorking via Google search
+- BingDorkSource — search engine dorking via Bing search
+- DuckDuckGoSource — search via DuckDuckGo
+- YandexSource — search via Yandex
+- BraveSource — search via Brave Search API
+- PastebinSource — scrape/search Pastebin for leaked keys
+- GistSource — GitHub Gist paste aggregator for public gists
+- GhostbinSource / RentrySource / ControlCSource — alternative paste site scrapers
+</specifics>
+
+<deferred>
+## Deferred Ideas
+None — straightforward source implementations.
+</deferred>
--- a/.planning/phases/12-osint_iot_cloud_storage/12-CONTEXT.md
+++ b/.planning/phases/12-osint_iot_cloud_storage/12-CONTEXT.md
@@ -0,0 +1,44 @@
+# Phase 12: OSINT IoT/Device Search & Cloud Storage - Context
+
+**Gathered:** 2026-04-06
+**Status:** Ready for planning
+**Mode:** Auto-generated
+
+<domain>
+## Phase Boundary
+Adds ReconSource implementations for internet-facing device search engines (Shodan, Censys, ZoomEye, FOFA, Netlas, BinaryEdge) and public cloud storage bucket scanners (AWS S3, GCS, Azure Blob, DigitalOcean Spaces) to find API keys exposed in device banners, configs, and misconfigured storage buckets.
+</domain>
+
+<decisions>
+## Implementation Decisions
+### Claude's Discretion
+All implementation choices are at Claude's discretion. Follow the established Phase 10 pattern: each source implements recon.ReconSource, uses pkg/recon/sources/httpclient.go for HTTP, uses httptest for tests. Each source goes in its own file.
+</decisions>
+
+<code_context>
+## Existing Code Insights
+### Reusable Assets
+- pkg/recon/sources/ — established source implementation pattern from Phase 10
+- pkg/recon/sources/httpclient.go — shared retry HTTP client
+- pkg/recon/sources/register.go — RegisterAll (extend per phase)
+- pkg/recon/source.go — ReconSource interface
+</code_context>
+
+<specifics>
+## Specific Ideas
+- ShodanSource — search Shodan for exposed API keys in banners/configs
+- CensysSource — search Censys for exposed services leaking keys
+- ZoomEyeSource — search ZoomEye for device/service key exposure
+- FOFASource — search FOFA for exposed endpoints with keys
+- NetlasSource — search Netlas for internet-wide scan results
+- BinaryEdgeSource — search BinaryEdge for exposed services
+- S3Scanner — scan publicly accessible AWS S3 buckets for key files
+- GCSScanner — scan publicly accessible Google Cloud Storage buckets
+- AzureBlobScanner — scan publicly accessible Azure Blob containers
+- DigitalOceanSpaces — scan publicly accessible DO Spaces
+</specifics>
+
+<deferred>
+## Deferred Ideas
+None — straightforward source implementations.
+</deferred>
--- a/.planning/phases/13-osint_package_registries_container_iac/13-CONTEXT.md
+++ b/.planning/phases/13-osint_package_registries_container_iac/13-CONTEXT.md
@@ -0,0 +1,45 @@
+# Phase 13: OSINT Package Registries, Containers & IaC - Context
+
+**Gathered:** 2026-04-06
+**Status:** Ready for planning
+**Mode:** Auto-generated
+
+<domain>
+## Phase Boundary
+Adds ReconSource implementations for package registry searches (npm, PyPI, Crates.io, RubyGems, Maven, NuGet, Go Proxy), container image inspection (Docker Hub, Docker Compose files), and infrastructure-as-code sources (Kubernetes configs, Terraform Registry) to detect API keys embedded in published packages, images, and IaC definitions.
+</domain>
+
+<decisions>
+## Implementation Decisions
+### Claude's Discretion
+All implementation choices are at Claude's discretion. Follow the established Phase 10 pattern: each source implements recon.ReconSource, uses pkg/recon/sources/httpclient.go for HTTP, uses httptest for tests. Each source goes in its own file.
+</decisions>
+
+<code_context>
+## Existing Code Insights
+### Reusable Assets
+- pkg/recon/sources/ — established source implementation pattern from Phase 10
+- pkg/recon/sources/httpclient.go — shared retry HTTP client
+- pkg/recon/sources/register.go — RegisterAll (extend per phase)
+- pkg/recon/source.go — ReconSource interface
+</code_context>
+
+<specifics>
+## Specific Ideas
+- NpmSource — search npm registry for packages leaking API keys
+- PyPISource — search PyPI for packages with embedded keys
+- CratesIOSource — search Crates.io for Rust packages with key leaks
+- RubyGemsSource — search RubyGems for gems with exposed keys
+- MavenSource — search Maven Central for Java artifacts with keys
+- NuGetSource — search NuGet for .NET packages with key exposure
+- GoProxySource — search Go module proxy for modules with keys
+- ComposeSource — scan Docker Compose files for hardcoded keys
+- DockerHubSource — inspect public Docker Hub images for embedded keys
+- KubernetesConfigSource — scan public Kubernetes configs/manifests for secrets
+- TerraformRegistrySource — search Terraform Registry modules for leaked keys
+</specifics>
+
+<deferred>
+## Deferred Ideas
+None — straightforward source implementations.
+</deferred>
--- a/.planning/phases/14-osint_ci_cd_logs_web_archives_frontend_leaks/14-CONTEXT.md
+++ b/.planning/phases/14-osint_ci_cd_logs_web_archives_frontend_leaks/14-CONTEXT.md
@@ -0,0 +1,45 @@
+# Phase 14: OSINT CI/CD Logs, Web Archives & Frontend Leaks - Context
+
+**Gathered:** 2026-04-06
+**Status:** Ready for planning
+**Mode:** Auto-generated
+
+<domain>
+## Phase Boundary
+Adds ReconSource implementations for CI/CD build log scraping (Travis CI, GitHub Actions, CircleCI, Jenkins), web archive searching (Wayback Machine, Common Crawl), and frontend asset analysis (JS bundles, source maps, env file leaks, Webpack/Next.js builds) to detect API keys leaked in build outputs, archived pages, and client-side code.
+</domain>
+
+<decisions>
+## Implementation Decisions
+### Claude's Discretion
+All implementation choices are at Claude's discretion. Follow the established Phase 10 pattern: each source implements recon.ReconSource, uses pkg/recon/sources/httpclient.go for HTTP, uses httptest for tests. Each source goes in its own file.
+</decisions>
+
+<code_context>
+## Existing Code Insights
+### Reusable Assets
+- pkg/recon/sources/ — established source implementation pattern from Phase 10
+- pkg/recon/sources/httpclient.go — shared retry HTTP client
+- pkg/recon/sources/register.go — RegisterAll (extend per phase)
+- pkg/recon/source.go — ReconSource interface
+</code_context>
+
+<specifics>
+## Specific Ideas
+- TravisCISource — scrape public Travis CI build logs for leaked keys
+- GitHubActionsSource — search GitHub Actions workflow logs for key exposure
+- CircleCISource — scrape public CircleCI build logs
+- JenkinsSource — scrape publicly accessible Jenkins build consoles
+- WaybackMachineSource — search Wayback Machine snapshots for historical key leaks
+- CommonCrawlSource — search Common Crawl index for pages containing keys
+- JSBundleSource — analyze public JavaScript bundles for embedded API keys
+- SourceMapSource — parse source maps to recover original source with keys
+- EnvLeakSource — detect publicly accessible .env files on web servers
+- WebpackSource — analyze Webpack chunk manifests for key exposure
+- NextJSSource — analyze Next.js build artifacts for leaked server-side keys
+</specifics>
+
+<deferred>
+## Deferred Ideas
+None — straightforward source implementations.
+</deferred>
--- a/.planning/phases/15-osint_forums_collaboration_log_aggregators/15-CONTEXT.md
+++ b/.planning/phases/15-osint_forums_collaboration_log_aggregators/15-CONTEXT.md
@@ -0,0 +1,47 @@
+# Phase 15: OSINT Forums, Collaboration Tools & Log Aggregators - Context
+
+**Gathered:** 2026-04-06
+**Status:** Ready for planning
+**Mode:** Auto-generated
+
+<domain>
+## Phase Boundary
+Adds ReconSource implementations for developer forums (Stack Overflow, Reddit, Hacker News), collaboration platforms (Discord, Slack, Trello, Notion, Confluence), and log/monitoring aggregators (Elasticsearch, Grafana, Sentry, Kibana, Splunk) to detect API keys shared in public discussions, workspace leaks, and exposed logging dashboards.
+</domain>
+
+<decisions>
+## Implementation Decisions
+### Claude's Discretion
+All implementation choices are at Claude's discretion. Follow the established Phase 10 pattern: each source implements recon.ReconSource, uses pkg/recon/sources/httpclient.go for HTTP, uses httptest for tests. Each source goes in its own file.
+</decisions>
+
+<code_context>
+## Existing Code Insights
+### Reusable Assets
+- pkg/recon/sources/ — established source implementation pattern from Phase 10
+- pkg/recon/sources/httpclient.go — shared retry HTTP client
+- pkg/recon/sources/register.go — RegisterAll (extend per phase)
+- pkg/recon/source.go — ReconSource interface
+</code_context>
+
+<specifics>
+## Specific Ideas
+- StackOverflowSource — search Stack Overflow posts/answers for leaked keys
+- RedditSource — search Reddit posts/comments for key exposure
+- HackerNewsSource — search Hacker News submissions/comments for keys
+- DiscordSource — search public Discord servers/channels for leaked keys
+- SlackSource — search publicly indexed Slack messages for keys
+- TrelloSource — search public Trello boards for exposed credentials
+- NotionSource — search publicly shared Notion pages for keys
+- ConfluenceSource — search publicly accessible Confluence wikis for keys
+- ElasticsearchSource — search exposed Elasticsearch instances for key data
+- GrafanaSource — search publicly accessible Grafana dashboards for keys
+- SentrySource — search exposed Sentry instances for leaked keys in error reports
+- KibanaSource — search publicly accessible Kibana dashboards for key data
+- SplunkSource — search exposed Splunk instances for key leaks in logs
+</specifics>
+
+<deferred>
+## Deferred Ideas
+None — straightforward source implementations.
+</deferred>
--- a/.planning/phases/16-osint_threat_intel_mobile_dns_api_marketplaces/16-CONTEXT.md
+++ b/.planning/phases/16-osint_threat_intel_mobile_dns_api_marketplaces/16-CONTEXT.md
@@ -0,0 +1,43 @@
+# Phase 16: OSINT Threat Intel, Mobile, DNS & API Marketplaces - Context
+
+**Gathered:** 2026-04-06
+**Status:** Ready for planning
+**Mode:** Auto-generated
+
+<domain>
+## Phase Boundary
+Adds ReconSource implementations for threat intelligence platforms (VirusTotal, IntelligenceX, URLScan), mobile app analysis (APKMirror), DNS/certificate transparency (crt.sh, SecurityTrails), and API marketplaces/documentation hubs (Postman, SwaggerHub, RapidAPI) to detect API keys exposed in threat feeds, mobile binaries, certificate records, and public API collections.
+</domain>
+
+<decisions>
+## Implementation Decisions
+### Claude's Discretion
+All implementation choices are at Claude's discretion. Follow the established Phase 10 pattern: each source implements recon.ReconSource, uses pkg/recon/sources/httpclient.go for HTTP, uses httptest for tests. Each source goes in its own file.
+</decisions>
+
+<code_context>
+## Existing Code Insights
+### Reusable Assets
+- pkg/recon/sources/ — established source implementation pattern from Phase 10
+- pkg/recon/sources/httpclient.go — shared retry HTTP client
+- pkg/recon/sources/register.go — RegisterAll (extend per phase)
+- pkg/recon/source.go — ReconSource interface
+</code_context>
+
+<specifics>
+## Specific Ideas
+- VirusTotalSource — search VirusTotal for samples/URLs containing API keys
+- IntelligenceXSource — search IntelligenceX archives for leaked credentials
+- URLScanSource — search urlscan.io scan results for exposed keys
+- APKMirrorSource — download and analyze APK files for embedded API keys
+- CrtShSource — search crt.sh certificate transparency logs for key-related domains
+- SecurityTrailsSource — search SecurityTrails DNS/historical data for key exposure
+- PostmanSource — search public Postman collections/workspaces for API keys
+- SwaggerHubSource — search public SwaggerHub API definitions for embedded keys
+- RapidAPISource — search RapidAPI public listings for exposed credentials
+</specifics>
+
+<deferred>
+## Deferred Ideas
+None — straightforward source implementations.
+</deferred>