From c16f5feaee1526fd2c1b53b82d10c9c9e2567e2c Mon Sep 17 00:00:00 2001
From: salvacybersec <salva@opsecti.local>
Date: Mon, 6 Apr 2026 12:59:11 +0300
Subject: [PATCH] feat(13-04): wire all 12 Phase 13 sources into RegisterAll
 (40 total)

- Add 8 package registry sources (npm, pypi, crates, rubygems, maven, nuget, goproxy, packagist)
- Update register_test to assert 40 sources in sorted list
- Update Phase 12 integration test count from 32 to 40
---
 pkg/recon/sources/integration_test.go |  4 ++--
 pkg/recon/sources/register.go         | 34 +++++++++++++--------------
 pkg/recon/sources/register_test.go    | 16 +++++++++----
 3 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/pkg/recon/sources/integration_test.go b/pkg/recon/sources/integration_test.go
index 76adff0..ab4e1bb 100644
--- a/pkg/recon/sources/integration_test.go
+++ b/pkg/recon/sources/integration_test.go
@@ -524,8 +524,8 @@ func TestRegisterAll_Phase12(t *testing.T) {
 	})
 
 	names := eng.List()
-	if n := len(names); n != 32 {
-		t.Fatalf("expected 32 sources from RegisterAll, got %d: %v", n, names)
+	if n := len(names); n != 40 {
+		t.Fatalf("expected 40 sources from RegisterAll, got %d: %v", n, names)
 	}
 
 	// Build lookup for source access.
diff --git a/pkg/recon/sources/register.go b/pkg/recon/sources/register.go
index 29eb1a1..3d56340 100644
--- a/pkg/recon/sources/register.go
+++ b/pkg/recon/sources/register.go
@@ -56,8 +56,8 @@ type SourcesConfig struct {
 }
 
 // RegisterAll registers every Phase 10 code-hosting, Phase 11 search engine /
-// paste site, Phase 12 IoT scanner / cloud storage, and Phase 13 container /
-// IaC source on engine (32 sources total).
+// paste site, Phase 12 IoT scanner / cloud storage, and Phase 13 package
+// registry / container / IaC source on engine (40 sources total).
 //
 // All sources are registered unconditionally so that cmd/recon.go can surface
 // the full catalog via `keyhunter recon list` regardless of which credentials
@@ -213,21 +213,19 @@ func RegisterAll(engine *recon.Engine, cfg SourcesConfig) {
 		Limiters: lim,
 	})
 
+	// Phase 13: Package registry sources (credentialless).
+	engine.Register(&NpmSource{Registry: reg, Limiters: lim})
+	engine.Register(&PyPISource{Registry: reg, Limiters: lim})
+	engine.Register(&CratesIOSource{Registry: reg, Limiters: lim})
+	engine.Register(&RubyGemsSource{Registry: reg, Limiters: lim})
+	engine.Register(&MavenSource{Registry: reg, Limiters: lim})
+	engine.Register(&NuGetSource{Registry: reg, Limiters: lim})
+	engine.Register(&GoProxySource{Registry: reg, Limiters: lim})
+	engine.Register(&PackagistSource{Registry: reg, Limiters: lim})
+
 	// Phase 13: Container and IaC sources (credentialless).
-	engine.Register(&DockerHubSource{
-		Registry: reg,
-		Limiters: lim,
-	})
-	engine.Register(&KubernetesSource{
-		Registry: reg,
-		Limiters: lim,
-	})
-	engine.Register(&TerraformSource{
-		Registry: reg,
-		Limiters: lim,
-	})
-	engine.Register(&HelmSource{
-		Registry: reg,
-		Limiters: lim,
-	})
+	engine.Register(&DockerHubSource{Registry: reg, Limiters: lim})
+	engine.Register(&KubernetesSource{Registry: reg, Limiters: lim})
+	engine.Register(&TerraformSource{Registry: reg, Limiters: lim})
+	engine.Register(&HelmSource{Registry: reg, Limiters: lim})
 }
diff --git a/pkg/recon/sources/register_test.go b/pkg/recon/sources/register_test.go
index 8ce73b8..6d6d97c 100644
--- a/pkg/recon/sources/register_test.go
+++ b/pkg/recon/sources/register_test.go
@@ -16,9 +16,9 @@ func registerTestRegistry() *providers.Registry {
 	})
 }
 
-// TestRegisterAll_WiresAllThirtyTwoSources asserts that RegisterAll registers
+// TestRegisterAll_WiresAllFortySources asserts that RegisterAll registers
 // every Phase 10 + Phase 11 + Phase 12 + Phase 13 source by its stable name on a fresh engine.
-func TestRegisterAll_WiresAllThirtyTwoSources(t *testing.T) {
+func TestRegisterAll_WiresAllFortySources(t *testing.T) {
 	eng := recon.NewEngine()
 	cfg := SourcesConfig{
 		Registry: registerTestRegistry(),
@@ -36,6 +36,7 @@ func TestRegisterAll_WiresAllThirtyTwoSources(t *testing.T) {
 		"censys",
 		"codeberg",
 		"codesandbox",
+		"crates",
 		"dockerhub",
 		"duckduckgo",
 		"fofa",
@@ -45,14 +46,21 @@ func TestRegisterAll_WiresAllThirtyTwoSources(t *testing.T) {
 		"github",
 		"gitlab",
 		"google",
+		"goproxy",
 		"helm",
 		"huggingface",
 		"k8s",
 		"kaggle",
+		"maven",
 		"netlas",
+		"npm",
+		"nuget",
+		"packagist",
 		"pastebin",
 		"pastesites",
+		"pypi",
 		"replit",
+		"rubygems",
 		"s3",
 		"sandboxes",
 		"shodan",
@@ -77,8 +85,8 @@ func TestRegisterAll_MissingCredsStillRegistered(t *testing.T) {
 		Limiters: recon.NewLimiterRegistry(),
 	})
 
-	if n := len(eng.List()); n != 32 {
-		t.Fatalf("expected 32 sources registered, got %d: %v", n, eng.List())
+	if n := len(eng.List()); n != 40 {
+		t.Fatalf("expected 40 sources registered, got %d: %v", n, eng.List())
 	}
 
 	// SweepAll with an empty config should filter out cred-gated sources