- GistSource implements recon.ReconSource (RECON-CODE-04) - Lists /gists/public?per_page=100, fetches each file's raw content, scans against provider keyword set, emits one Finding per matching gist - Disabled when GitHub token empty - Rate: rate.Every(2s), burst 1 (30 req/min GitHub limit) - 256KB read cap per file; skips gists without keyword matches - httptest coverage: enable gating, sweep match, no-match, 401, ctx cancel
- BitbucketSource implements recon.ReconSource (RECON-CODE-03) - Queries /2.0/workspaces/{ws}/search/code with Bearer auth - Disabled when token OR workspace empty - Rate: rate.Every(3.6s), burst 1 (Bitbucket 1000/hr limit) - httptest coverage: enable gating, sweep, 401, ctx cancel
- BuildQueries(reg, source) dedups keywords and formats per-source syntax - github/gist use 'keyword' in:file; others use bare keyword - SourcesConfig placeholder struct for Wave 2 plans to depend on - RegisterAll no-op stub (Plan 10-09 will fill)
- Client.Do retries 429/403/5xx honoring Retry-After - 401 returns ErrUnauthorized immediately (no retry) - Context cancellation honored during retry sleeps - Default UA keyhunter-recon/1.0, 30s timeout, 2 retries
