- Implements recon.ReconSource against GitLab Search API - PRIVATE-TOKEN header auth; rate.Every(30ms) burst 5 (~2000/min) - Disabled when token empty; Sweep returns nil without calls - Emits Finding per blob with Source=/projects/<id>/-/blob/<ref>/<path> - 401 wrapped as ErrUnauthorized; ctx cancellation honored - httptest coverage: enabled gating, happy path, 401, ctx cancel, iface assert
- BuildQueries(reg, source) dedups keywords and formats per-source syntax - github/gist use 'keyword' in:file; others use bare keyword - SourcesConfig placeholder struct for Wave 2 plans to depend on - RegisterAll no-op stub (Plan 10-09 will fill)
- Client.Do retries 429/403/5xx honoring Retry-After - 401 returns ErrUnauthorized immediately (no retry) - Context cancellation honored during retry sleeps - Default UA keyhunter-recon/1.0, 30s timeout, 2 retries
