feat(14-03): implement SourceMapSource, WebpackSource, EnvLeakSource with tests

- SourceMapSource probes .map files for original source containing API keys
- WebpackSource scans JS bundles for inlined NEXT_PUBLIC_/REACT_APP_/VITE_ env vars
- EnvLeakSource probes common .env paths for exposed environment files
- All three implement ReconSource, credentialless, with httptest-based tests

pkg/recon/sources/envleak_test.go

@@ -0,0 +1,145 @@
+package sources
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/salvacybersec/keyhunter/pkg/providers"
+	"github.com/salvacybersec/keyhunter/pkg/recon"
+)
+
+func envLeakTestRegistry() *providers.Registry {
+	return providers.NewRegistryFromProviders([]providers.Provider{
+		{Name: "openai", Keywords: []string{"sk-proj-"}},
+	})
+}
+
+const envLeakFixture = `# Application config
+APP_NAME=myapp
+DATABASE_URL=postgres://user:pass@localhost/db
+OPENAI_API_KEY=sk-proj-abc123def456ghi789
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+DEBUG=false
+`
+
+const envLeakCleanFixture = `# Nothing sensitive here
+APP_NAME=myapp
+DEBUG=false
+LOG_LEVEL=info
+`
+
+func TestEnvLeak_Sweep_ExtractsFindings(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain")
+		_, _ = w.Write([]byte(envLeakFixture))
+	}))
+	defer srv.Close()
+
+	src := &EnvLeakSource{
+		BaseURL:  srv.URL,
+		Registry: envLeakTestRegistry(),
+		Client:   NewClient(),
+	}
+
+	out := make(chan recon.Finding, 64)
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	if err := src.Sweep(ctx, "", out); err != nil {
+		t.Fatalf("Sweep err: %v", err)
+	}
+	close(out)
+
+	var findings []recon.Finding
+	for f := range out {
+		findings = append(findings, f)
+	}
+	if len(findings) == 0 {
+		t.Fatal("expected at least one finding")
+	}
+	for _, f := range findings {
+		if f.SourceType != "recon:dotenv" {
+			t.Errorf("unexpected SourceType: %s", f.SourceType)
+		}
+		if f.Confidence != "high" {
+			t.Errorf("unexpected Confidence: %s", f.Confidence)
+		}
+	}
+}
+
+func TestEnvLeak_Sweep_NoFindings_OnCleanFile(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain")
+		_, _ = w.Write([]byte(envLeakCleanFixture))
+	}))
+	defer srv.Close()
+
+	src := &EnvLeakSource{
+		BaseURL:  srv.URL,
+		Registry: envLeakTestRegistry(),
+		Client:   NewClient(),
+	}
+
+	out := make(chan recon.Finding, 64)
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	if err := src.Sweep(ctx, "", out); err != nil {
+		t.Fatalf("Sweep err: %v", err)
+	}
+	close(out)
+
+	var count int
+	for range out {
+		count++
+	}
+	if count != 0 {
+		t.Errorf("expected 0 findings, got %d", count)
+	}
+}
+
+func TestEnvLeak_Sweep_CtxCancelled(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		time.Sleep(500 * time.Millisecond)
+		_, _ = w.Write([]byte(envLeakFixture))
+	}))
+	defer srv.Close()
+
+	src := &EnvLeakSource{
+		BaseURL:  srv.URL,
+		Registry: envLeakTestRegistry(),
+		Limiters: recon.NewLimiterRegistry(),
+		Client:   NewClient(),
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	out := make(chan recon.Finding, 4)
+	if err := src.Sweep(ctx, "", out); err == nil {
+		t.Fatal("expected ctx error")
+	}
+}
+
+func TestEnvLeak_EnabledAlwaysTrue(t *testing.T) {
+	s := &EnvLeakSource{}
+	if !s.Enabled(recon.Config{}) {
+		t.Fatal("expected Enabled=true")
+	}
+}
+
+func TestEnvLeak_NameAndRate(t *testing.T) {
+	s := &EnvLeakSource{}
+	if s.Name() != "dotenv" {
+		t.Errorf("unexpected name: %s", s.Name())
+	}
+	if s.Burst() != 2 {
+		t.Errorf("burst: %d", s.Burst())
+	}
+	if !s.RespectsRobots() {
+		t.Error("expected RespectsRobots=true")
+	}
+}