salvacybersec/keyhunter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: salvacybersec:17c17944aa902fd1a81b42b6bbe2dc97fd537a6c
Branches Tags
salvacybersec:main
...
compare: salvacybersec:84bf0ef33f37c6000a2ab9a974eeed2984861d45
Branches Tags
salvacybersec:main

13 Commits
17c17944aa ... 84bf0ef33f

Author SHA1 Message Date
salvacybersec
84bf0ef33f docs(phase-18): complete web dashboard — ALL 18 PHASES DONE 2026-04-06 18:11:39 +03:00
salvacybersec
3872240e8a feat(phase-18): embedded web dashboard with chi + htmx + REST API + SSE 
pkg/web: chi v5 server with go:embed static assets, HTML templates,
14 REST API endpoints (/api/v1/*), SSE hub for live scan/recon progress,
optional basic/token auth middleware.

cmd/serve.go: keyhunter serve [--telegram] [--port=8080] starts web
dashboard + optional Telegram bot.
 2026-04-06 18:11:33 +03:00
salvacybersec
bb9ef17518 merge: phase 18 API+SSE 2026-04-06 18:08:52 +03:00
salvacybersec
83894f4dbb Merge branch 'worktree-agent-a853fbe0' 2026-04-06 18:08:35 +03:00
salvacybersec
79ec763233 docs(18-02): complete REST API + SSE hub plan 
- 18-02-SUMMARY.md with 2 task commits
- STATE.md updated with position and decisions
- Requirements WEB-03, WEB-09, WEB-11 marked complete
 2026-04-06 18:08:19 +03:00
salvacybersec
d557c7303d feat(18-02): SSE hub for live scan/recon progress streaming 
- SSEHub with Subscribe/Unsubscribe/Broadcast lifecycle
- Non-blocking broadcast with buffered channels (cap 32)
- SSE handlers for /api/v1/scan/progress and /api/v1/recon/progress
- Proper text/event-stream headers and SSE wire format
- 7 passing tests covering hub lifecycle, broadcast, and HTTP handler
 2026-04-06 18:06:35 +03:00
salvacybersec
76601b11b5 feat(18-02): REST API handlers for /api/v1/* endpoints 
- Stats, keys, providers, scan, recon, dorks, config endpoints
- JSON response wrappers with proper tags for all entities
- Filtering, pagination, 404/204/202 status codes
- SSE hub stub (full impl in task 2)
- Resolved merge conflict in schema.sql
- 16 passing tests covering all endpoints
 2026-04-06 18:05:39 +03:00
salvacybersec
8d0c2992e6 docs(18-01): complete web dashboard foundation plan 
- SUMMARY.md with chi v5 router, auth middleware, overview page
- STATE.md updated with position, decisions, metrics
- ROADMAP.md and REQUIREMENTS.md updated
 2026-04-06 18:04:03 +03:00
salvacybersec
268a769efb feat(18-01): implement chi server, auth middleware, overview handler 
- Server struct with chi router, embedded template parsing, static file serving
- AuthMiddleware supports Basic and Bearer token with constant-time comparison
- Overview handler renders stats from providers/recon/storage when available
- Nil-safe: works with zero config (shows zeroes, no DB required)
- All 7 tests pass
 2026-04-06 18:02:41 +03:00
salvacybersec
3541c82448 test(18-01): add failing tests for web server, auth middleware, overview handler 
- Test overview returns 200 with KeyHunter in body
- Test static asset serving for htmx.min.js
- Test auth returns 401 when configured but no credentials
- Test basic auth and bearer token pass through
- Test overview shows stat cards
 2026-04-06 18:02:04 +03:00
salvacybersec
dd2c8c5586 feat(18-01): chi v5 dependency, go:embed static assets, HTML layout and overview templates 
- Add chi v5.2.5 to go.mod
- Vendor htmx v2.0.4 minified JS in pkg/web/static/
- Create go:embed directives for static/ and templates/
- Create layout.html with nav bar and Tailwind CDN
- Create overview.html with stat cards and findings table
 2026-04-06 18:01:37 +03:00
salvacybersec
e2f87a62ef docs(18): create web dashboard phase plan 2026-04-06 17:58:13 +03:00
salvacybersec
cd93703620 docs(18): web dashboard context 2026-04-06 17:51:41 +03:00
23 changed files with 2194 additions and 55 deletions
Expand all files Collapse all files

6
.planning/REQUIREMENTS.md
View File

@@ -218,8 +218,8 @@ Requirements for initial release. Each maps to roadmap phases.
### Web Dashboard
- [ ] **WEB-01**: Embedded HTTP server (chi + htmx + Tailwind CSS)
- [ ] **WEB-02**: Dashboard overview page with summary statistics
- [x] **WEB-01**: Embedded HTTP server (chi + htmx + Tailwind CSS)
- [x] **WEB-02**: Dashboard overview page with summary statistics
- [ ] **WEB-03**: Scan history and scan detail pages
- [ ] **WEB-04**: Key listing page with filtering and "Reveal Key" toggle
- [ ] **WEB-05**: OSINT/Recon launcher and results page
@@ -227,7 +227,7 @@ Requirements for initial release. Each maps to roadmap phases.
- [ ] **WEB-07**: Dork management page
- [ ] **WEB-08**: Settings configuration page
- [ ] **WEB-09**: REST API (/api/v1/*) for programmatic access
- [ ] **WEB-10**: Optional basic auth / token auth
- [x] **WEB-10**: Optional basic auth / token auth
- [ ] **WEB-11**: Server-Sent Events for live scan progress
### Telegram Bot

15
.planning/ROADMAP.md
View File

@@ -29,7 +29,7 @@ Decimal phases appear between their surrounding integers in numeric order.
- [x] **Phase 15: OSINT Forums, Collaboration & Log Aggregators** - StackOverflow/Reddit/HN, Notion/Trello, Elasticsearch/Grafana/Sentry (completed 2026-04-06)
- [x] **Phase 16: OSINT Threat Intel, Mobile, DNS & API Marketplaces** - VirusTotal/IntelX, APK scanning, crt.sh, Postman/SwaggerHub (completed 2026-04-06)
- [x] **Phase 17: Telegram Bot & Scheduled Scanning** - Remote control bot and cron-based recurring scans with auto-notify (completed 2026-04-06)
- [ ] **Phase 18: Web Dashboard** - Embedded htmx + Tailwind dashboard aggregating all subsystems with SSE live updates
- [x] **Phase 18: Web Dashboard** - Embedded htmx + Tailwind dashboard aggregating all subsystems with SSE live updates (completed 2026-04-06)
## Phase Details
@@ -358,14 +358,13 @@ Plans:
3. The keys page lists all findings with masked values and a "Reveal Key" toggle that shows the full key on demand
4. The recon page allows launching a recon sweep with source selection and shows live progress via Server-Sent Events
5. The REST API at `/api/v1/*` accepts and returns JSON for all dashboard actions; optional basic auth or token auth is configurable via settings page
**Plans**: 5 plans
**Plans**: 3 plans
Plans:
- [ ] 17-01-PLAN.md — Bot package skeleton: telego dependency, Bot struct, long polling, auth middleware
- [ ] 17-02-PLAN.md — Scheduler package + storage tables: gocron wrapper, subscribers/scheduled_jobs CRUD
- [ ] 17-03-PLAN.md — Bot command handlers: /scan, /verify, /recon, /status, /stats, /providers, /help, /key
- [ ] 17-04-PLAN.md — Subscribe/unsubscribe handlers + notification dispatcher (scheduler→bot bridge)
- [ ] 17-05-PLAN.md — CLI wiring: cmd/serve.go + cmd/schedule.go replacing stubs
- [ ] 18-01-PLAN.md — pkg/web foundation: chi router, go:embed static, layout template, overview page, auth middleware
- [ ] 18-02-PLAN.md — REST API handlers (/api/v1/*) + SSE hub for live progress
- [ ] 18-03-PLAN.md — HTML pages (keys, providers, scan, recon, dorks, settings) + cmd/serve.go wiring
**UI hint**: yes
## Progress
@@ -392,4 +391,4 @@ Phases execute in numeric order: 1 → 2 → 3 → ... → 18
| 15. OSINT Forums, Collaboration & Log Aggregators | 2/4 | Complete | 2026-04-06 |
| 16. OSINT Threat Intel, Mobile, DNS & API Marketplaces | 0/? | Complete | 2026-04-06 |
| 17. Telegram Bot & Scheduled Scanning | 3/5 | Complete | 2026-04-06 |
| 18. Web Dashboard | 0/? | Not started | - |
| 18. Web Dashboard | 1/1 | Complete | 2026-04-06 |

14
.planning/STATE.md
View File

@@ -3,14 +3,14 @@ gsd_state_version: 1.0
milestone: v1.0
milestone_name: milestone
status: executing
stopped_at: Completed 17-04-PLAN.md
last_updated: "2026-04-06T14:50:49.687Z"
stopped_at: Completed 18-01-PLAN.md
last_updated: "2026-04-06T15:11:39.167Z"
last_activity: 2026-04-06
progress:
total_phases: 18
completed_phases: 15
total_plans: 90
completed_plans: 88
total_plans: 93
completed_plans: 90
percent: 20
---
@@ -102,6 +102,7 @@ Progress: [██░░░░░░░░] 20%
| Phase 16 P01 | 4min | 2 tasks | 6 files |
| Phase 17 P01 | 3min | 2 tasks | 4 files |
| Phase 17 P04 | 3min | 2 tasks | 4 files |
| Phase 18 P01 | 3min | 2 tasks | 9 files |
## Accumulated Context
@@ -156,6 +157,7 @@ Recent decisions affecting current work:
- [Phase 16]: URLhaus tag lookup with payload endpoint fallback
- [Phase 17]: telego v1.8.0 promoted from indirect to direct; context cancellation for graceful shutdown; rate limit 60s scan/verify/recon, 5s others
- [Phase 17]: Separated format from send for testable notifications without telego mock
- [Phase 18]: html/template over templ for v1; Tailwind CDN; nil-safe handlers; constant-time auth comparison
### Pending Todos
@@ -170,6 +172,6 @@ None yet.
## Session Continuity
Last session: 2026-04-06T14:34:18.710Z
Stopped at: Completed 17-04-PLAN.md
Last session: 2026-04-06T15:03:51.826Z
Stopped at: Completed 18-01-PLAN.md
Resume file: None

245
.planning/phases/18-web-dashboard/18-01-PLAN.md Normal file
View File

@@ -0,0 +1,245 @@
---
phase: 18-web-dashboard
plan: 01
type: execute
wave: 1
depends_on: []
files_modified:
- pkg/web/server.go
- pkg/web/auth.go
- pkg/web/handlers.go
- pkg/web/embed.go
- pkg/web/static/htmx.min.js
- pkg/web/static/style.css
- pkg/web/templates/layout.html
- pkg/web/templates/overview.html
- pkg/web/server_test.go
autonomous: true
requirements: [WEB-01, WEB-02, WEB-10]
must_haves:
truths:
- "chi v5 HTTP server starts on configurable port and serves embedded static assets"
- "Overview page renders with summary statistics from database"
- "Optional basic auth / token auth blocks unauthenticated requests when configured"
artifacts:
- path: "pkg/web/server.go"
provides: "chi router setup, middleware stack, NewServer constructor"
exports: ["Server", "NewServer", "Config"]
- path: "pkg/web/auth.go"
provides: "Basic auth and bearer token auth middleware"
exports: ["AuthMiddleware"]
- path: "pkg/web/handlers.go"
provides: "Overview page handler with stats aggregation"
exports: ["handleOverview"]
- path: "pkg/web/embed.go"
provides: "go:embed directives for static/ and templates/"
exports: ["staticFS", "templateFS"]
- path: "pkg/web/server_test.go"
provides: "Integration tests for server, auth, overview"
key_links:
- from: "pkg/web/server.go"
to: "pkg/storage"
via: "DB dependency in Config struct"
pattern: "storage\\.DB"
- from: "pkg/web/handlers.go"
to: "pkg/web/templates/overview.html"
via: "html/template rendering"
pattern: "template\\..*Execute"
- from: "pkg/web/server.go"
to: "pkg/web/static/"
via: "go:embed + http.FileServer"
pattern: "http\\.FileServer"
---
<objective>
Create the pkg/web package foundation: chi v5 router, go:embed static assets (htmx.min.js, Tailwind CDN reference), html/template-based layout, overview dashboard page with stats, and optional auth middleware.
Purpose: Establishes the HTTP server skeleton that Plans 02 and 03 build upon.
Output: Working `pkg/web` package with chi router, static serving, layout template, overview page, auth middleware.
</objective>
<execution_context>
@$HOME/.claude/get-shit-done/workflows/execute-plan.md
@$HOME/.claude/get-shit-done/templates/summary.md
</execution_context>
<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/18-web-dashboard/18-CONTEXT.md
<interfaces>
<!-- Key types and contracts the executor needs. -->
From pkg/storage/db.go:
```go
type DB struct { ... }
func Open(path string) (*DB, error)
func (db *DB) Close() error
func (db *DB) SQL() *sql.DB
```
From pkg/storage/findings.go:
```go
type Finding struct {
ID, ScanID int64
ProviderName string
KeyValue, KeyMasked, Confidence string
SourcePath, SourceType string
LineNumber int
CreatedAt time.Time
Verified bool
VerifyStatus string
VerifyHTTPCode int
VerifyMetadata map[string]string
}
func (db *DB) ListFindings(encKey []byte) ([]Finding, error)
func (db *DB) SaveFinding(f Finding, encKey []byte) (int64, error)
```
From pkg/storage/queries.go:
```go
type Filters struct {
Provider, Confidence, SourceType string
Verified *bool
Limit, Offset int
}
func (db *DB) ListFindingsFiltered(encKey []byte, f Filters) ([]Finding, error)
func (db *DB) GetFinding(id int64, encKey []byte) (*Finding, error)
func (db *DB) DeleteFinding(id int64) (int64, error)
```
From pkg/providers/registry.go:
```go
type Registry struct { ... }
func NewRegistry() (*Registry, error)
func (r *Registry) List() []Provider
func (r *Registry) Stats() RegistryStats
```
From pkg/dorks/registry.go:
```go
type Registry struct { ... }
func NewRegistry() (*Registry, error)
func (r *Registry) List() []Dork
func (r *Registry) Stats() Stats
```
From pkg/recon/engine.go:
```go
type Engine struct { ... }
func NewEngine() *Engine
func (e *Engine) SweepAll(ctx context.Context, cfg Config) ([]Finding, error)
func (e *Engine) List() []string
```
</interfaces>
</context>
<tasks>
<task type="auto">
<name>Task 1: chi v5 dependency + go:embed static assets + layout template</name>
<files>pkg/web/embed.go, pkg/web/static/htmx.min.js, pkg/web/static/style.css, pkg/web/templates/layout.html, pkg/web/templates/overview.html</files>
<action>
1. Run `go get github.com/go-chi/chi/v5@v5.2.5` to add chi v5 to go.mod.
2. Create `pkg/web/embed.go`:
- `//go:embed static/*` into `var staticFiles embed.FS`
- `//go:embed templates/*` into `var templateFiles embed.FS`
- Export both via package-level vars.
3. Download htmx v2.0.4 minified JS (curl from unpkg.com/htmx.org@2.0.4/dist/htmx.min.js) and save to `pkg/web/static/htmx.min.js`.
4. Create `pkg/web/static/style.css` with minimal custom styles (body font, table styling, card class). The layout will load Tailwind v4 from CDN (`https://cdn.tailwindcss.com`) per the CONTEXT.md deferred decision. The local style.css is for overrides only.
5. Create `pkg/web/templates/layout.html` — html/template (NOT templ, per deferred decision):
- DOCTYPE, html, head with Tailwind CDN link, htmx.min.js script tag (served from /static/htmx.min.js), local style.css link
- Navigation bar: KeyHunter brand, links to Overview (/), Keys (/keys), Providers (/providers), Recon (/recon), Dorks (/dorks), Settings (/settings)
- `{{block "content" .}}{{end}}` placeholder for page content
- Use `{{define "layout"}}...{{end}}` wrapping pattern so pages extend it
6. Create `pkg/web/templates/overview.html` extending layout:
- `{{template "layout" .}}` with `{{define "content"}}` block
- Four stat cards in a Tailwind grid (lg:grid-cols-4, sm:grid-cols-2): Total Keys, Providers Loaded, Recon Sources, Last Scan
- Recent findings table showing last 10 keys (masked): Provider, Masked Key, Source, Confidence, Date
- Data struct: `OverviewData{TotalKeys int, TotalProviders int, ReconSources int, LastScan string, RecentFindings []storage.Finding}`
</action>
<verify>
<automated>cd /home/salva/Documents/apikey && go build ./pkg/web/...</automated>
</verify>
<done>pkg/web/embed.go compiles with go:embed directives, htmx.min.js is vendored, layout.html and overview.html parse without errors, chi v5 is in go.mod</done>
</task>
<task type="auto" tdd="true">
<name>Task 2: Server struct, auth middleware, overview handler, and tests</name>
<files>pkg/web/server.go, pkg/web/auth.go, pkg/web/handlers.go, pkg/web/server_test.go</files>
<behavior>
- Test: GET / returns 200 with "KeyHunter" in body (overview page renders)
- Test: GET /static/htmx.min.js returns 200 with JS content
- Test: GET / with auth enabled but no credentials returns 401
- Test: GET / with correct basic auth returns 200
- Test: GET / with correct bearer token returns 200
- Test: Overview page shows provider count and key count from injected data
</behavior>
<action>
1. Create `pkg/web/server.go`:
- `type Config struct { DB *storage.DB; EncKey []byte; Providers *providers.Registry; Dorks *dorks.Registry; ReconEngine *recon.Engine; Port int; AuthUser string; AuthPass string; AuthToken string }` — all fields the server needs
- `type Server struct { router chi.Router; cfg Config; tmpl *template.Template }`
- `func NewServer(cfg Config) (*Server, error)` — parses all templates from templateFiles embed.FS, builds chi.Router
- Router setup: `chi.NewRouter()`, use `middleware.Logger`, `middleware.Recoverer`, `middleware.RealIP`
- If AuthUser or AuthToken is set, apply AuthMiddleware (from auth.go)
- Mount `/static/` serving from staticFiles embed.FS (use `http.StripPrefix` + `http.FileServer(http.FS(...))`)
- Register routes: `GET /` -> handleOverview
- `func (s *Server) ListenAndServe() error` — starts `http.Server` on `cfg.Port`
- `func (s *Server) Router() chi.Router` — expose for testing
2. Create `pkg/web/auth.go`:
- `func AuthMiddleware(user, pass, token string) func(http.Handler) http.Handler`
- Check Authorization header: if "Bearer <token>" matches configured token, pass through
- If "Basic <base64>" matches user:pass, pass through
- Otherwise return 401 with `WWW-Authenticate: Basic realm="keyhunter"` header
- If all auth fields are empty strings, middleware is a no-op passthrough
3. Create `pkg/web/handlers.go`:
- `type OverviewData struct { TotalKeys, TotalProviders, ReconSources int; LastScan string; RecentFindings []storage.Finding; PageTitle string }`
- `func (s *Server) handleOverview(w http.ResponseWriter, r *http.Request)`
- Query: count findings via `len(db.ListFindingsFiltered(encKey, Filters{Limit: 10}))` for recent, run a COUNT query on the SQL for total
- Provider count from `s.cfg.Providers.Stats().Total` (or `len(s.cfg.Providers.List())`)
- Recon sources from `len(s.cfg.ReconEngine.List())`
- Render overview template with OverviewData
4. Create `pkg/web/server_test.go`:
- Use `httptest.NewRecorder` + `httptest.NewRequest` against `s.Router()`
- Test overview returns 200 with "KeyHunter" in body
- Test static asset serving
- Test auth middleware (401 without creds, 200 with basic auth, 200 with bearer token)
- For DB-dependent tests, use in-memory SQLite (`storage.Open(":memory:")`) or skip DB and test the router/auth independently with a nil-safe overview (show zeroes when DB is nil)
</action>
<verify>
<automated>cd /home/salva/Documents/apikey && go test ./pkg/web/... -v -count=1</automated>
</verify>
<done>Server starts with chi router, static assets served via go:embed, overview page renders with stats, auth middleware blocks unauthenticated requests when configured, all tests pass</done>
</task>
</tasks>
<verification>
- `go build ./pkg/web/...` compiles without errors
- `go test ./pkg/web/... -v` — all tests pass
- `go vet ./pkg/web/...` — no issues
</verification>
<success_criteria>
- chi v5.2.5 in go.mod
- pkg/web/server.go exports Server, NewServer, Config
- GET / returns overview HTML with stat cards
- GET /static/htmx.min.js returns vendored htmx
- Auth middleware returns 401 when credentials missing (when auth configured)
- Auth middleware passes with valid basic auth or bearer token
</success_criteria>
<output>
After completion, create `.planning/phases/18-web-dashboard/18-01-SUMMARY.md`
</output>

125
.planning/phases/18-web-dashboard/18-01-SUMMARY.md Normal file
View File

@@ -0,0 +1,125 @@
---
phase: 18-web-dashboard
plan: 01
subsystem: web
tags: [chi, htmx, go-embed, html-template, auth-middleware, dashboard]
requires:
- phase: 01-foundation
provides: storage.DB, providers.Registry
- phase: 09-osint-infrastructure
provides: recon.Engine
- phase: 08-dork-engine
provides: dorks.Registry
provides:
- "pkg/web package with chi v5 router, embedded static assets, auth middleware"
- "Overview dashboard page with stats from providers/recon/storage"
- "Server struct with NewServer constructor, Config, Router(), ListenAndServe()"
affects: [18-02, 18-03, 18-04, 18-05]
tech-stack:
added: [chi v5.2.5, htmx v2.0.4]
patterns: [go:embed for static assets and templates, html/template with layout pattern, nil-safe handler for optional dependencies]
key-files:
created:
- pkg/web/server.go
- pkg/web/auth.go
- pkg/web/handlers.go
- pkg/web/embed.go
- pkg/web/static/htmx.min.js
- pkg/web/static/style.css
- pkg/web/templates/layout.html
- pkg/web/templates/overview.html
- pkg/web/server_test.go
modified:
- go.mod
- go.sum
key-decisions:
- "html/template over templ for v1 per CONTEXT.md deferred decision"
- "Tailwind via CDN for v1 rather than standalone CLI build step"
- "Nil-safe handlers: overview works with zero Config (no DB, no providers)"
- "AuthMiddleware uses crypto/subtle constant-time comparison for timing-attack resistance"
patterns-established:
- "Web handler pattern: method on Server struct, nil-check dependencies before use"
- "go:embed layout: static/ and templates/ subdirs under pkg/web/"
- "Template composition: define layout + block content pattern"
requirements-completed: [WEB-01, WEB-02, WEB-10]
duration: 3min
completed: 2026-04-06
---
# Phase 18 Plan 01: Web Dashboard Foundation Summary
**chi v5 router with go:embed static assets (htmx, CSS), html/template layout, overview dashboard, and Basic/Bearer auth middleware**
## Performance
- **Duration:** 3 min
- **Started:** 2026-04-06T14:59:54Z
- **Completed:** 2026-04-06T15:02:56Z
- **Tasks:** 2
- **Files modified:** 9
## Accomplishments
- chi v5.2.5 HTTP router with middleware stack (RealIP, Logger, Recoverer)
- Vendored htmx v2.0.4, embedded via go:embed alongside CSS and HTML templates
- Overview page with 4 stat cards (Total Keys, Providers, Recon Sources, Last Scan) and recent findings table
- Auth middleware supporting Basic and Bearer token with constant-time comparison, no-op when unconfigured
- 7 tests covering overview rendering, static serving, auth enforcement, and passthrough
## Task Commits
Each task was committed atomically:
1. **Task 1: chi v5 dependency + go:embed static assets + layout template** - `dd2c8c5` (feat)
2. **Task 2 RED: failing tests for server/auth/overview** - `3541c82` (test)
3. **Task 2 GREEN: implement server, auth, handlers** - `268a769` (feat)
## Files Created/Modified
- `pkg/web/server.go` - chi router setup, NewServer constructor, ListenAndServe
- `pkg/web/auth.go` - Basic auth and bearer token middleware with constant-time compare
- `pkg/web/handlers.go` - Overview handler with OverviewData struct, nil-safe DB/provider access
- `pkg/web/embed.go` - go:embed directives for static/ and templates/
- `pkg/web/static/htmx.min.js` - Vendored htmx v2.0.4 (50KB)
- `pkg/web/static/style.css` - Custom overrides for stat cards, findings table, nav
- `pkg/web/templates/layout.html` - Base layout with nav bar, Tailwind CDN, htmx script
- `pkg/web/templates/overview.html` - Dashboard with stat cards grid and findings table
- `pkg/web/server_test.go` - 7 integration tests for server, auth, overview
- `go.mod` / `go.sum` - Added chi v5.2.5
## Decisions Made
- Used html/template (not templ) per CONTEXT.md deferred decision for v1
- Tailwind via CDN rather than standalone build step for v1 simplicity
- Nil-safe handlers allow server to start with zero config (no DB required)
- Auth uses crypto/subtle.ConstantTimeCompare to prevent timing attacks
## Deviations from Plan
None - plan executed exactly as written.
## Issues Encountered
None
## User Setup Required
None - no external service configuration required.
## Known Stubs
None - all data paths are wired to real sources (providers.Registry, recon.Engine, storage.DB) or gracefully show zeroes when dependencies are nil.
## Self-Check: PASSED
All 9 files verified present. All 3 commit hashes verified in git log.
## Next Phase Readiness
- Server skeleton ready for Plans 02-05 to add keys page, providers page, API endpoints, SSE
- Router exposed via Router() for easy route additions
- Template parsing supports adding new .html files to templates/
---
*Phase: 18-web-dashboard*
*Completed: 2026-04-06*

259
.planning/phases/18-web-dashboard/18-02-PLAN.md Normal file
View File

@@ -0,0 +1,259 @@
---
phase: 18-web-dashboard
plan: 02
type: execute
wave: 1
depends_on: []
files_modified:
- pkg/web/api.go
- pkg/web/sse.go
- pkg/web/api_test.go
- pkg/web/sse_test.go
autonomous: true
requirements: [WEB-03, WEB-09, WEB-11]
must_haves:
truths:
- "REST API at /api/v1/* returns JSON for keys, providers, scan, recon, dorks, config"
- "SSE endpoint streams live scan/recon progress events"
- "API endpoints support filtering, pagination, and proper HTTP status codes"
artifacts:
- path: "pkg/web/api.go"
provides: "All REST API handlers under /api/v1"
exports: ["mountAPI"]
- path: "pkg/web/sse.go"
provides: "SSE hub and endpoint handlers for live progress"
exports: ["SSEHub", "NewSSEHub"]
- path: "pkg/web/api_test.go"
provides: "HTTP tests for all API endpoints"
- path: "pkg/web/sse_test.go"
provides: "SSE connection and event broadcast tests"
key_links:
- from: "pkg/web/api.go"
to: "pkg/storage"
via: "DB queries for findings, config"
pattern: "s\\.cfg\\.DB\\."
- from: "pkg/web/api.go"
to: "pkg/providers"
via: "Provider listing and stats"
pattern: "s\\.cfg\\.Providers\\."
- from: "pkg/web/sse.go"
to: "pkg/web/api.go"
via: "scan/recon handlers publish events to SSEHub"
pattern: "s\\.sse\\.Broadcast"
---
<objective>
Implement all REST API endpoints (/api/v1/*) for programmatic access and the SSE hub for live scan/recon progress streaming.
Purpose: Provides the JSON data layer that both external API consumers and the htmx HTML pages (Plan 03) will use.
Output: Complete REST API + SSE infrastructure in pkg/web.
</objective>
<execution_context>
@$HOME/.claude/get-shit-done/workflows/execute-plan.md
@$HOME/.claude/get-shit-done/templates/summary.md
</execution_context>
<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/18-web-dashboard/18-CONTEXT.md
<interfaces>
<!-- Key types and contracts the executor needs. -->
From pkg/storage/db.go + findings.go + queries.go:
```go
type DB struct { ... }
func (db *DB) SQL() *sql.DB
func (db *DB) ListFindingsFiltered(encKey []byte, f Filters) ([]Finding, error)
func (db *DB) GetFinding(id int64, encKey []byte) (*Finding, error)
func (db *DB) DeleteFinding(id int64) (int64, error)
func (db *DB) SaveFinding(f Finding, encKey []byte) (int64, error)
type Filters struct { Provider, Confidence, SourceType string; Verified *bool; Limit, Offset int }
type Finding struct { ID, ScanID int64; ProviderName, KeyValue, KeyMasked, Confidence, SourcePath, SourceType string; LineNumber int; CreatedAt time.Time; Verified bool; VerifyStatus string; VerifyHTTPCode int; VerifyMetadata map[string]string }
```
From pkg/providers/registry.go + schema.go:
```go
func (r *Registry) List() []Provider
func (r *Registry) Get(name string) (Provider, bool)
func (r *Registry) Stats() RegistryStats
type Provider struct { Name, DisplayName, Category, Confidence string; ... }
type RegistryStats struct { Total, ByCategory map[string]int; ... }
```
From pkg/dorks/registry.go + schema.go:
```go
func (r *Registry) List() []Dork
func (r *Registry) Get(id string) (Dork, bool)
func (r *Registry) ListBySource(source string) []Dork
func (r *Registry) Stats() Stats
type Dork struct { ID, Source, Category, Query, Description string; ... }
type Stats struct { Total int; BySource map[string]int }
```
From pkg/storage/custom_dorks.go:
```go
func (db *DB) SaveCustomDork(d CustomDork) (int64, error)
func (db *DB) ListCustomDorks() ([]CustomDork, error)
```
From pkg/recon/engine.go + source.go:
```go
func (e *Engine) SweepAll(ctx context.Context, cfg Config) ([]Finding, error)
func (e *Engine) List() []string
type Config struct { Stealth, RespectRobots bool; EnabledSources []string; Query string }
```
From pkg/engine/engine.go:
```go
func NewEngine(registry *providers.Registry) *Engine
func (e *Engine) Scan(ctx context.Context, src sources.Source, cfg ScanConfig) (<-chan Finding, error)
type ScanConfig struct { Workers int; Verify bool; VerifyTimeout time.Duration }
```
From pkg/storage/settings.go (viper config):
```go
// Config is managed via viper — read/write with viper.GetString/viper.Set
```
</interfaces>
</context>
<tasks>
<task type="auto" tdd="true">
<name>Task 1: REST API handlers for /api/v1/*</name>
<files>pkg/web/api.go, pkg/web/api_test.go</files>
<behavior>
- Test: GET /api/v1/stats returns JSON with totalKeys, totalProviders, reconSources fields
- Test: GET /api/v1/keys returns JSON array of findings (masked by default)
- Test: GET /api/v1/keys?provider=openai filters by provider
- Test: GET /api/v1/keys/:id returns single finding JSON or 404
- Test: DELETE /api/v1/keys/:id returns 204 on success, 404 if not found
- Test: GET /api/v1/providers returns JSON array of providers
- Test: GET /api/v1/providers/:name returns single provider or 404
- Test: POST /api/v1/scan with JSON body returns 202 Accepted (async)
- Test: POST /api/v1/recon with JSON body returns 202 Accepted (async)
- Test: GET /api/v1/dorks returns JSON array of dorks
- Test: POST /api/v1/dorks with valid JSON returns 201
- Test: GET /api/v1/config returns JSON config
- Test: PUT /api/v1/config updates config and returns 200
</behavior>
<action>
1. Create `pkg/web/api.go`:
- `func (s *Server) mountAPI(r chi.Router)` — sub-router under `/api/v1`
- All handlers set `Content-Type: application/json`
- Use `encoding/json` for marshal/unmarshal. Use `chi.URLParam(r, "id")` for path params.
2. Stats endpoint:
- `GET /api/v1/stats` -> `handleAPIStats`
- Query DB for total key count (SELECT COUNT(*) FROM findings), provider count from registry, recon source count from engine
- Return `{"totalKeys": N, "totalProviders": N, "reconSources": N, "lastScan": "..."}`
3. Keys endpoints:
- `GET /api/v1/keys` -> `handleAPIListKeys` — accepts query params: provider, confidence, limit (default 50), offset. Returns findings with KeyValue ALWAYS masked (API never exposes raw keys — use CLI `keys show` for that). Map Filters from query params.
- `GET /api/v1/keys/{id}` -> `handleAPIGetKey` — parse id from URL, call GetFinding, return masked. 404 if nil.
- `DELETE /api/v1/keys/{id}` -> `handleAPIDeleteKey` — call DeleteFinding, return 204. If rows=0, return 404.
4. Providers endpoints:
- `GET /api/v1/providers` -> `handleAPIListProviders` — return registry.List() as JSON
- `GET /api/v1/providers/{name}` -> `handleAPIGetProvider` — registry.Get(name), 404 if not found
5. Scan endpoint:
- `POST /api/v1/scan` -> `handleAPIScan` — accepts JSON `{"path": "/some/dir", "verify": false, "workers": 4}`. Launches scan in background goroutine. Returns 202 with `{"status": "started", "message": "scan initiated"}`. Progress sent via SSE (Plan 18-02 SSE hub). If scan engine or DB is nil, return 503.
6. Recon endpoint:
- `POST /api/v1/recon` -> `handleAPIRecon` — accepts JSON `{"query": "openai", "sources": ["github","shodan"], "stealth": false}`. Launches recon in background goroutine. Returns 202. Progress via SSE.
7. Dorks endpoints:
- `GET /api/v1/dorks` -> `handleAPIListDorks` — accepts optional query param `source` for filtering. Return dorks registry list.
- `POST /api/v1/dorks` -> `handleAPIAddDork` — accepts JSON with dork fields, saves as custom dork to DB. Returns 201.
8. Config endpoints:
- `GET /api/v1/config` -> `handleAPIGetConfig` — return viper.AllSettings() as JSON
- `PUT /api/v1/config` -> `handleAPIUpdateConfig` — accepts JSON object, iterate keys, call viper.Set for each. Write config with viper.WriteConfig(). Return 200.
9. Helper: `func writeJSON(w http.ResponseWriter, status int, v interface{})` and `func readJSON(r *http.Request, v interface{}) error` for DRY request/response handling.
10. Create `pkg/web/api_test.go`:
- Use httptest against a Server with in-memory SQLite DB, real providers registry, nil-safe recon engine
- Test each endpoint for happy path + error cases (404, bad input)
- For scan/recon POST tests, just verify 202 response (actual execution is async)
</action>
<verify>
<automated>cd /home/salva/Documents/apikey && go test ./pkg/web/... -run TestAPI -v -count=1</automated>
</verify>
<done>All /api/v1/* endpoints return correct JSON responses, proper HTTP status codes, filtering works, scan/recon return 202 for async operations</done>
</task>
<task type="auto" tdd="true">
<name>Task 2: SSE hub for live scan/recon progress</name>
<files>pkg/web/sse.go, pkg/web/sse_test.go</files>
<behavior>
- Test: SSE client connects to /api/v1/scan/progress and receives events
- Test: Broadcasting an event delivers to all connected clients
- Test: Client disconnect removes from subscriber list
- Test: SSE event format is "event: {type}\ndata: {json}\n\n"
</behavior>
<action>
1. Create `pkg/web/sse.go`:
- `type SSEEvent struct { Type string; Data interface{} }` — Type is "scan:progress", "scan:finding", "scan:complete", "recon:progress", "recon:finding", "recon:complete"
- `type SSEHub struct { clients map[chan SSEEvent]struct{}; mu sync.RWMutex }`
- `func NewSSEHub() *SSEHub`
- `func (h *SSEHub) Subscribe() chan SSEEvent` — creates buffered channel (cap 32), adds to clients map, returns
- `func (h *SSEHub) Unsubscribe(ch chan SSEEvent)` — removes from map, closes channel
- `func (h *SSEHub) Broadcast(evt SSEEvent)` — sends to all clients, skip if client buffer full (non-blocking send)
- `func (s *Server) handleSSEScanProgress(w http.ResponseWriter, r *http.Request)` — standard SSE handler:
- Set headers: `Content-Type: text/event-stream`, `Cache-Control: no-cache`, `Connection: keep-alive`
- Flush with `http.Flusher`
- Subscribe to hub, defer Unsubscribe
- Loop: read from channel, format as `event: {type}\ndata: {json}\n\n`, flush
- Break on request context done
- `func (s *Server) handleSSEReconProgress(w http.ResponseWriter, r *http.Request)` — same pattern, same hub (events distinguish scan vs recon via Type prefix)
- Add SSEHub field to Server struct, initialize in NewServer
2. Wire SSE into scan/recon handlers:
- In handleAPIScan (from api.go), the background goroutine should: iterate findings channel from engine.Scan, broadcast `SSEEvent{Type: "scan:finding", Data: finding}` for each, then broadcast `SSEEvent{Type: "scan:complete", Data: summary}` when done
- In handleAPIRecon, similar: broadcast recon progress events
3. Mount routes in mountAPI:
- `GET /api/v1/scan/progress` -> handleSSEScanProgress
- `GET /api/v1/recon/progress` -> handleSSEReconProgress
4. Create `pkg/web/sse_test.go`:
- Test hub subscribe/broadcast/unsubscribe lifecycle
- Test SSE HTTP handler using httptest — connect, send event via hub.Broadcast, verify SSE format in response body
- Test client disconnect (cancel request context, verify unsubscribed)
</action>
<verify>
<automated>cd /home/salva/Documents/apikey && go test ./pkg/web/... -run TestSSE -v -count=1</automated>
</verify>
<done>SSE hub broadcasts events to connected clients, scan/recon progress streams in real-time, client disconnect is handled cleanly, event format matches SSE spec</done>
</task>
</tasks>
<verification>
- `go test ./pkg/web/... -v` — all API and SSE tests pass
- `go vet ./pkg/web/...` — no issues
- Manual: `curl http://localhost:8080/api/v1/stats` returns JSON (when server wired in Plan 03)
</verification>
<success_criteria>
- GET /api/v1/stats returns JSON with totalKeys, totalProviders, reconSources
- GET /api/v1/keys returns filtered, paginated JSON array (always masked)
- GET/DELETE /api/v1/keys/{id} work with proper 404 handling
- GET /api/v1/providers and /api/v1/providers/{name} return provider data
- POST /api/v1/scan and /api/v1/recon return 202 and launch async work
- GET /api/v1/dorks returns dork list, POST /api/v1/dorks creates custom dork
- GET/PUT /api/v1/config read/write viper config
- SSE endpoints stream events in proper text/event-stream format
- All tests pass
</success_criteria>
<output>
After completion, create `.planning/phases/18-web-dashboard/18-02-SUMMARY.md`
</output>

131
.planning/phases/18-web-dashboard/18-02-SUMMARY.md Normal file
View File

@@ -0,0 +1,131 @@
---
phase: 18-web-dashboard
plan: 02
subsystem: api
tags: [chi, rest-api, sse, json, http, server-sent-events]
requires:
- phase: 01-foundation
provides: "storage DB, providers registry, encryption"
- phase: 08-dork-engine
provides: "dorks registry and custom dork storage"
- phase: 09-osint-infrastructure
provides: "recon engine"
provides:
- "REST API at /api/v1/* for keys, providers, scan, recon, dorks, config"
- "SSE hub for live scan/recon progress streaming"
- "Server struct with dependency injection for all web handlers"
affects: [18-web-dashboard, serve-command]
tech-stack:
added: [chi-v5]
patterns: [api-json-wrappers, sse-hub-broadcast, dependency-injected-server]
key-files:
created:
- pkg/web/server.go
- pkg/web/api.go
- pkg/web/sse.go
- pkg/web/api_test.go
- pkg/web/sse_test.go
modified:
- pkg/storage/schema.sql
- go.mod
- go.sum
key-decisions:
- "JSON wrapper structs (apiKey, apiProvider, apiDork) with explicit JSON tags since domain structs only have yaml tags"
- "API never exposes raw key values -- KeyValue always empty string in JSON responses"
- "Single SSEHub shared between scan and recon progress endpoints, events distinguished by Type prefix"
patterns-established:
- "API wrapper pattern: domain structs -> apiX structs with JSON tags for consistent camelCase API"
- "writeJSON/readJSON helpers for DRY HTTP response handling"
- "ServerConfig struct for dependency injection into all web handlers"
requirements-completed: [WEB-03, WEB-09, WEB-11]
duration: 7min
completed: 2026-04-06
---
# Phase 18 Plan 02: REST API + SSE Hub Summary
**Complete REST API at /api/v1/* with 14 endpoints (keys, providers, scan, recon, dorks, config) plus SSE hub for live event streaming**
## Performance
- **Duration:** 7 min
- **Started:** 2026-04-06T14:59:58Z
- **Completed:** 2026-04-06T15:06:51Z
- **Tasks:** 2
- **Files modified:** 7
## Accomplishments
- Full REST API with 14 endpoints covering stats, keys CRUD, providers, scan/recon triggers, dorks, and config
- SSE hub with subscribe/unsubscribe/broadcast lifecycle and non-blocking buffered channels
- 23 passing tests (16 API + 7 SSE) covering happy paths and error cases
## Task Commits
Each task was committed atomically:
1. **Task 1: REST API handlers for /api/v1/*** - `76601b1` (feat)
2. **Task 2: SSE hub for live scan/recon progress** - `d557c73` (feat)
## Files Created/Modified
- `pkg/web/server.go` - Server struct with ServerConfig dependency injection
- `pkg/web/api.go` - All 14 REST API handlers with JSON wrapper types
- `pkg/web/sse.go` - SSEHub with Subscribe/Unsubscribe/Broadcast + HTTP handlers
- `pkg/web/api_test.go` - 16 tests for all API endpoints
- `pkg/web/sse_test.go` - 7 tests for SSE hub lifecycle and HTTP streaming
- `pkg/storage/schema.sql` - Resolved merge conflict (HEAD version kept)
- `go.mod` / `go.sum` - Added chi v5.2.5
## Decisions Made
- JSON wrapper structs (apiKey, apiProvider, apiDork) with explicit JSON tags since domain structs only have yaml tags -- ensures consistent camelCase JSON API
- API never exposes raw key values -- KeyValue always empty string in JSON responses for security
- Single SSEHub shared between scan and recon progress endpoints, events distinguished by Type prefix (scan:*, recon:*)
- DisallowUnknownFields removed from readJSON to avoid overly strict request parsing
## Deviations from Plan
### Auto-fixed Issues
**1. [Rule 3 - Blocking] Resolved merge conflict in schema.sql**
- **Found during:** Task 1
- **Issue:** schema.sql had unresolved git merge conflict markers between two versions of scheduled_jobs table
- **Fix:** Kept HEAD version (includes subscribers table + scheduled_jobs with scan_command column) and added missing index
- **Files modified:** pkg/storage/schema.sql
- **Verification:** All tests pass with resolved schema
- **Committed in:** 76601b1
**2. [Rule 1 - Bug] Added JSON wrapper structs for domain types**
- **Found during:** Task 1
- **Issue:** Provider, Dork, and Finding structs only have yaml tags -- json.Marshal would produce PascalCase field names inconsistent with REST API conventions
- **Fix:** Created apiKey, apiProvider, apiDork structs with explicit JSON tags and converter functions
- **Files modified:** pkg/web/api.go
- **Verification:** Tests check exact JSON field names (providerName, name, etc.)
- **Committed in:** 76601b1
---
**Total deviations:** 2 auto-fixed (1 blocking, 1 bug)
**Impact on plan:** Both fixes necessary for correctness. No scope creep.
## Issues Encountered
None beyond the auto-fixed deviations above.
## User Setup Required
None - no external service configuration required.
## Known Stubs
None - all endpoints are fully wired to their backing registries/database.
## Next Phase Readiness
- REST API and SSE infrastructure ready for Plan 18-03 (HTML pages with htmx consuming these endpoints)
- Server struct ready to be wired into cmd/serve.go
---
*Phase: 18-web-dashboard*
*Completed: 2026-04-06*

317
.planning/phases/18-web-dashboard/18-03-PLAN.md Normal file
View File

@@ -0,0 +1,317 @@
---
phase: 18-web-dashboard
plan: 03
type: execute
wave: 2
depends_on: ["18-01", "18-02"]
files_modified:
- pkg/web/templates/keys.html
- pkg/web/templates/providers.html
- pkg/web/templates/recon.html
- pkg/web/templates/dorks.html
- pkg/web/templates/settings.html
- pkg/web/templates/scan.html
- pkg/web/handlers.go
- pkg/web/server.go
- cmd/serve.go
- pkg/web/handlers_test.go
autonomous: false
requirements: [WEB-03, WEB-04, WEB-05, WEB-06, WEB-07, WEB-08]
must_haves:
truths:
- "User can browse keys with filtering, click Reveal to unmask, click Copy"
- "User can view provider list with statistics"
- "User can launch recon sweep from web UI and see live results via SSE"
- "User can view and manage dorks"
- "User can view and edit settings"
- "User can trigger scan from web UI and see live progress"
- "keyhunter serve --port=8080 starts full web dashboard"
artifacts:
- path: "pkg/web/templates/keys.html"
provides: "Keys listing page with filter, reveal, copy"
- path: "pkg/web/templates/providers.html"
provides: "Provider listing with stats"
- path: "pkg/web/templates/recon.html"
provides: "Recon launcher with SSE live results"
- path: "pkg/web/templates/dorks.html"
provides: "Dork listing and management"
- path: "pkg/web/templates/settings.html"
provides: "Config editor"
- path: "pkg/web/templates/scan.html"
provides: "Scan launcher with SSE live progress"
- path: "cmd/serve.go"
provides: "HTTP server wired into CLI"
key_links:
- from: "pkg/web/templates/keys.html"
to: "/api/v1/keys"
via: "htmx hx-get for filtering and pagination"
pattern: "hx-get.*api/v1/keys"
- from: "pkg/web/templates/recon.html"
to: "/api/v1/recon/progress"
via: "EventSource SSE connection"
pattern: "EventSource.*recon/progress"
- from: "pkg/web/templates/scan.html"
to: "/api/v1/scan/progress"
via: "EventSource SSE connection"
pattern: "EventSource.*scan/progress"
- from: "cmd/serve.go"
to: "pkg/web"
via: "web.NewServer(cfg) + ListenAndServe"
pattern: "web\\.NewServer"
---
<objective>
Create all remaining HTML pages (keys, providers, recon, dorks, scan, settings) using htmx for interactivity and SSE for live updates, then wire the HTTP server into cmd/serve.go so `keyhunter serve` launches the full dashboard.
Purpose: Completes the user-facing web dashboard and makes it accessible via the CLI.
Output: Full dashboard with all pages + cmd/serve.go wiring.
</objective>
<execution_context>
@$HOME/.claude/get-shit-done/workflows/execute-plan.md
@$HOME/.claude/get-shit-done/templates/summary.md
</execution_context>
<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/18-web-dashboard/18-CONTEXT.md
@.planning/phases/18-web-dashboard/18-01-SUMMARY.md
@.planning/phases/18-web-dashboard/18-02-SUMMARY.md
<interfaces>
<!-- From Plan 18-01 (Server foundation): -->
```go
// pkg/web/server.go
type Config struct {
DB *storage.DB
EncKey []byte
Providers *providers.Registry
Dorks *dorks.Registry
ReconEngine *recon.Engine
Port int
AuthUser string
AuthPass string
AuthToken string
}
type Server struct { router chi.Router; cfg Config; tmpl *template.Template; sse *SSEHub }
func NewServer(cfg Config) (*Server, error)
func (s *Server) ListenAndServe() error
func (s *Server) Router() chi.Router
```
```go
// pkg/web/embed.go
var staticFiles embed.FS // //go:embed static/*
var templateFiles embed.FS // //go:embed templates/*
```
```go
// pkg/web/auth.go
func AuthMiddleware(user, pass, token string) func(http.Handler) http.Handler
```
<!-- From Plan 18-02 (API + SSE): -->
```go
// pkg/web/api.go
func (s *Server) mountAPI(r chi.Router) // mounts /api/v1/*
func writeJSON(w http.ResponseWriter, status int, v interface{})
```
```go
// pkg/web/sse.go
type SSEHub struct { ... }
func NewSSEHub() *SSEHub
func (h *SSEHub) Broadcast(evt SSEEvent)
type SSEEvent struct { Type string; Data interface{} }
```
<!-- From cmd/serve.go (existing): -->
```go
var servePort int
var serveTelegram bool
var serveCmd = &cobra.Command{ Use: "serve", ... }
// Currently only starts Telegram bot — needs HTTP server wiring
```
<!-- From cmd/ helpers (existing pattern): -->
```go
func openDBWithKey() (*storage.DB, []byte, error) // returns DB + encryption key
```
</interfaces>
</context>
<tasks>
<task type="auto">
<name>Task 1: HTML pages with htmx interactivity + page handlers</name>
<files>pkg/web/templates/keys.html, pkg/web/templates/providers.html, pkg/web/templates/recon.html, pkg/web/templates/dorks.html, pkg/web/templates/settings.html, pkg/web/templates/scan.html, pkg/web/handlers.go, pkg/web/server.go, pkg/web/handlers_test.go</files>
<action>
1. **keys.html** — extends layout (WEB-04):
- Filter bar: provider dropdown (populated server-side from registry), confidence dropdown, text filter. Use `hx-get="/keys" hx-target="#keys-table" hx-include="[name='provider'],[name='confidence']"` for htmx-driven filtering.
- Keys table: ID, Provider, Masked Key, Source, Confidence, Verified, Date columns
- "Reveal" button per row: uses a small inline script or htmx `hx-get="/api/v1/keys/{id}"` that replaces the masked value cell. Since API always returns masked, the Reveal button uses a `data-key` attribute with the masked key from server render; for actual reveal, a dedicated handler `/keys/{id}/reveal` renders the unmasked key value (server-side, not API — the web dashboard can show unmasked to authenticated users).
- "Copy" button: `navigator.clipboard.writeText()` on the revealed key value
- "Delete" button: `hx-delete="/api/v1/keys/{id}" hx-confirm="Delete this key?" hx-target="closest tr" hx-swap="outerHTML"` — removes row on success
- Pagination: "Load more" button via `hx-get="/keys?offset=N" hx-target="#keys-table" hx-swap="beforeend"`
2. **providers.html** — extends layout (WEB-06):
- Stats summary bar: total count, per-category counts in badges
- Provider table: Name, Category, Confidence, Keywords count, Has Verify
- Filter by category via htmx dropdown
- Click provider name -> expand row with details (patterns, verify endpoint) via `hx-get="/api/v1/providers/{name}" hx-target="#detail-{name}"`
3. **scan.html** — extends layout (WEB-03):
- Form: Path input, verify checkbox, workers number input
- "Start Scan" button: `hx-post="/api/v1/scan"` with JSON body, shows progress section
- Progress section (hidden until scan starts): connects to SSE via inline script:
`const es = new EventSource('/api/v1/scan/progress');`
`es.addEventListener('scan:finding', (e) => { /* append row */ });`
`es.addEventListener('scan:complete', (e) => { es.close(); });`
- Results table: populated live via SSE events
4. **recon.html** — extends layout (WEB-05):
- Source checkboxes: populated from `recon.Engine.List()`, grouped by category
- Query input, stealth toggle, respect-robots toggle
- "Sweep" button: `hx-post="/api/v1/recon"` triggers sweep
- Live results via SSE (same pattern as scan.html with recon event types)
- Results displayed as cards showing provider, masked key, source
5. **dorks.html** — extends layout (WEB-07):
- Dork list table: ID, Source, Category, Query (truncated), Description
- Filter by source dropdown
- "Add Dork" form: source, category, query, description fields. `hx-post="/api/v1/dorks"` to create.
- Stats bar: total dorks, per-source counts
6. **settings.html** — extends layout (WEB-08):
- Config form populated from viper settings (rendered server-side)
- Key fields: database path, encryption, telegram token (masked), default workers, verify timeout
- "Save" button: `hx-put="/api/v1/config"` with form data as JSON
- Success/error toast notification via htmx `hx-swap-oob`
7. **Update handlers.go** — add page handlers:
- `handleKeys(w, r)` — render keys.html with initial data (first 50 findings, provider list for filter dropdown)
- `handleKeyReveal(w, r)` — GET /keys/{id}/reveal — returns unmasked key value as HTML fragment (for htmx swap)
- `handleProviders(w, r)` — render providers.html with provider list + stats
- `handleScan(w, r)` — render scan.html
- `handleRecon(w, r)` — render recon.html with source list
- `handleDorks(w, r)` — render dorks.html with dork list + stats
- `handleSettings(w, r)` — render settings.html with current config
8. **Update server.go** — register new routes in the router:
- `GET /keys` -> handleKeys
- `GET /keys/{id}/reveal` -> handleKeyReveal
- `GET /providers` -> handleProviders
- `GET /scan` -> handleScan
- `GET /recon` -> handleRecon
- `GET /dorks` -> handleDorks
- `GET /settings` -> handleSettings
9. **Create handlers_test.go**:
- Test each page handler returns 200 with expected content
- Test keys page contains "keys-table" div
- Test providers page lists provider names
- Test key reveal returns unmasked value
</action>
<verify>
<automated>cd /home/salva/Documents/apikey && go test ./pkg/web/... -v -count=1</automated>
</verify>
<done>All 6 page templates render correctly, htmx attributes are present for interactive features, SSE JavaScript is embedded in scan and recon pages, page handlers serve data from real packages, all tests pass</done>
</task>
<task type="auto">
<name>Task 2: Wire HTTP server into cmd/serve.go</name>
<files>cmd/serve.go</files>
<action>
1. Update cmd/serve.go RunE function:
- Import `github.com/salvacybersec/keyhunter/pkg/web`
- Import `github.com/salvacybersec/keyhunter/pkg/dorks`
- After existing DB/provider/recon setup, create web server:
```go
reg, err := providers.NewRegistry()
dorkReg, err := dorks.NewRegistry()
reconEng := recon.NewEngine()
// ... (register recon sources if needed)
srv, err := web.NewServer(web.Config{
DB: db,
EncKey: encKey,
Providers: reg,
Dorks: dorkReg,
ReconEngine: reconEng,
Port: servePort,
AuthUser: viper.GetString("web.auth_user"),
AuthPass: viper.GetString("web.auth_pass"),
AuthToken: viper.GetString("web.auth_token"),
})
```
- Start HTTP server in a goroutine: `go srv.ListenAndServe()`
- Keep existing Telegram bot start logic (conditioned on --telegram flag)
- Update the port message: `fmt.Printf("KeyHunter dashboard running at http://localhost:%d\n", servePort)`
- The existing `<-ctx.Done()` already handles graceful shutdown
2. Add serve flags:
- `--no-web` flag (default false) to disable web dashboard (for telegram-only mode)
- `--auth-user`, `--auth-pass`, `--auth-token` flags bound to viper `web.auth_user`, `web.auth_pass`, `web.auth_token`
3. Ensure the DB is opened unconditionally (it currently only opens when --telegram is set):
- Move `openDBWithKey()` call before the telegram conditional
- Both web server and telegram bot share the same DB instance
</action>
<verify>
<automated>cd /home/salva/Documents/apikey && go build -o /dev/null ./cmd/... && echo "build OK"</automated>
</verify>
<done>`keyhunter serve` starts HTTP server on port 8080 with full dashboard, --telegram additionally starts bot, --port changes listen port, --auth-user/pass/token enable auth, `go build ./cmd/...` succeeds</done>
</task>
<task type="checkpoint:human-verify" gate="blocking">
<name>Task 3: Visual verification of complete web dashboard</name>
<action>Human verifies the full dashboard renders and functions correctly in browser.</action>
<verify>
<automated>cd /home/salva/Documents/apikey && go build -o /dev/null ./cmd/... && go test ./pkg/web/... -count=1</automated>
</verify>
<done>All pages render, navigation works, API returns JSON, server starts and stops cleanly</done>
<what-built>Complete web dashboard: overview, keys (with reveal/copy/delete), providers, scan (with SSE live progress), recon (with SSE live results), dorks, and settings pages. HTTP server wired into `keyhunter serve`.</what-built>
<how-to-verify>
1. Run: `cd /home/salva/Documents/apikey && go run . serve --port=9090`
2. Open browser: http://localhost:9090
3. Verify overview page shows stat cards and navigation bar
4. Click "Keys" — verify table renders (may be empty if no scans done)
5. Click "Providers" — verify 108+ providers listed with categories
6. Click "Dorks" — verify dork list renders
7. Click "Settings" — verify config form renders
8. Test API: `curl http://localhost:9090/api/v1/stats` — verify JSON response
9. Test API: `curl http://localhost:9090/api/v1/providers | head -c 200` — verify provider JSON
10. Stop server with Ctrl+C — verify clean shutdown
</how-to-verify>
<resume-signal>Type "approved" or describe issues</resume-signal>
</task>
</tasks>
<verification>
- `go build ./cmd/...` compiles without errors
- `go test ./pkg/web/... -v` — all tests pass
- `keyhunter serve --port=9090` starts and serves dashboard at http://localhost:9090
- All 7 pages render (overview, keys, providers, scan, recon, dorks, settings)
- Navigation links work
- htmx interactions work (filtering, delete)
- SSE streams work (scan and recon progress)
- API endpoints return proper JSON
</verification>
<success_criteria>
- All 7 HTML pages render with proper layout and navigation
- Keys page supports filtering, reveal, copy, delete via htmx
- Scan and recon pages show live progress via SSE
- Providers page shows 108+ providers with stats
- Settings page reads/writes config
- cmd/serve.go starts HTTP server + optional Telegram bot
- Auth middleware protects dashboard when credentials configured
</success_criteria>
<output>
After completion, create `.planning/phases/18-web-dashboard/18-03-SUMMARY.md`
</output>

121
.planning/phases/18-web-dashboard/18-CONTEXT.md Normal file
View File

@@ -0,0 +1,121 @@
# Phase 18: Web Dashboard - Context
**Gathered:** 2026-04-06
**Status:** Ready for planning
**Mode:** Auto-generated
<domain>
## Phase Boundary
Embedded web dashboard: htmx + Tailwind CSS + chi router + go:embed. All HTML/CSS/JS embedded in the binary. Pages: overview, keys, providers, recon, dorks, settings. REST API at /api/v1/*. SSE for live scan progress. Auth: optional basic/token auth.
</domain>
<decisions>
## Implementation Decisions
### Stack (per CLAUDE.md)
- chi v5 HTTP router — 100% net/http compatible
- templ v0.3.1001 — type-safe HTML templates (compile to Go)
- htmx v2.x — server-rendered interactivity, vendored via go:embed
- Tailwind CSS v4.x standalone — compiled to single CSS file, go:embed
- SSE for live updates — native browser EventSource API
### Package Layout
```
pkg/web/
server.go — chi router setup, middleware, go:embed assets
handlers.go — page handlers (overview, keys, providers, recon, dorks, settings)
api.go — REST API handlers (/api/v1/*)
sse.go — SSE endpoint for live scan/recon progress
auth.go — optional basic/token auth middleware
static/
htmx.min.js — vendored htmx
style.css — compiled Tailwind CSS
templates/
layout.templ — base layout with nav
overview.templ — dashboard overview
keys.templ — keys list + detail modal
providers.templ — provider list + stats
recon.templ — recon launcher + live results
dorks.templ — dork management
settings.templ — config editor
```
### Pragmatic Scope (v1)
Given this is the final phase, focus on:
1. Working chi server with go:embed static assets
2. REST API endpoints (JSON) for all operations
3. Simple HTML pages with htmx for interactivity
4. SSE for live scan progress
5. Optional auth middleware
NOT in scope for v1:
- Full templ compilation pipeline (use html/template for now, templ can be added later)
- Tailwind compilation step (use CDN link or pre-compiled CSS)
- Full-featured SPA experience
### REST API Endpoints
```
GET /api/v1/stats — overview statistics
GET /api/v1/keys — list findings
GET /api/v1/keys/:id — get finding detail
DELETE /api/v1/keys/:id — delete finding
GET /api/v1/providers — list providers
GET /api/v1/providers/:name — provider detail
POST /api/v1/scan — trigger scan
GET /api/v1/scan/progress — SSE stream
POST /api/v1/recon — trigger recon
GET /api/v1/recon/progress — SSE stream
GET /api/v1/dorks — list dorks
POST /api/v1/dorks — add custom dork
GET /api/v1/config — current config
PUT /api/v1/config — update config
```
### Integration
- Wire into cmd/serve.go — serve starts HTTP server alongside optional Telegram bot
- All handlers call the same packages as CLI commands (pkg/storage, pkg/engine, pkg/recon, pkg/providers, pkg/dorks)
</decisions>
<code_context>
## Existing Code Insights
### Reusable Assets
- cmd/serve.go — wire HTTP server
- pkg/storage/ — all DB operations
- pkg/engine/ — scan engine
- pkg/recon/ — recon engine
- pkg/providers/ — provider registry
- pkg/dorks/ — dork registry
- pkg/output/ — formatters (JSON reusable for API)
### Dependencies
- chi v5 — already in go.mod
- go:embed — stdlib
- htmx — vendor the minified JS file
- Tailwind — use CDN for v1 (standalone CLI can be added later)
</code_context>
<specifics>
## Specific Ideas
- Dashboard should be functional but not pretty — basic Tailwind utility classes
- Keys page: table with masked keys, click to reveal, click to copy
- Recon page: select sources from checkboxes, click "Sweep", see live results via SSE
- Overview: simple stat cards (total keys, providers, last scan, scheduled jobs)
</specifics>
<deferred>
## Deferred Ideas
- templ compilation pipeline — use html/template for v1
- Tailwind standalone build — use CDN for v1
- WebSocket instead of SSE — SSE is simpler and sufficient
- Full auth system (OAuth, sessions) — basic auth is enough for v1
- Dark mode toggle — out of scope
</deferred>

55
cmd/serve.go
View File

@@ -3,13 +3,16 @@ package cmd
import (
"context"
"fmt"
"net/http"
"os"
"os/signal"
"syscall"
"github.com/go-chi/chi/v5"
"github.com/salvacybersec/keyhunter/pkg/bot"
"github.com/salvacybersec/keyhunter/pkg/providers"
"github.com/salvacybersec/keyhunter/pkg/recon"
"github.com/salvacybersec/keyhunter/pkg/web"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)
@@ -21,11 +24,24 @@ var (
var serveCmd = &cobra.Command{
Use: "serve",
Short: "Start KeyHunter server (Telegram bot + scheduler)",
Short: "Start KeyHunter web dashboard and optional Telegram bot",
RunE: func(cmd *cobra.Command, args []string) error {
ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
defer cancel()
// Open shared resources.
reg, err := providers.NewRegistry()
if err != nil {
return fmt.Errorf("loading providers: %w", err)
}
db, encKey, err := openDBWithKey()
if err != nil {
return fmt.Errorf("opening database: %w", err)
}
defer db.Close()
reconEng := recon.NewEngine()
// Optional Telegram bot.
if serveTelegram {
token := viper.GetString("telegram.token")
if token == "" {
@@ -34,24 +50,10 @@ var serveCmd = &cobra.Command{
if token == "" {
return fmt.Errorf("telegram token required: set telegram.token in config or TELEGRAM_BOT_TOKEN env var")
}
reg, err := providers.NewRegistry()
if err != nil {
return fmt.Errorf("loading providers: %w", err)
}
db, encKey, err := openDBWithKey()
if err != nil {
return fmt.Errorf("opening database: %w", err)
}
defer db.Close()
reconEng := recon.NewEngine()
b, err := bot.New(bot.Config{
Token: token,
DB: db,
ScanEngine: nil, // TODO: wire scan engine
ScanEngine: nil,
ReconEngine: reconEng,
ProviderRegistry: reg,
EncKey: encKey,
@@ -59,12 +61,29 @@ var serveCmd = &cobra.Command{
if err != nil {
return fmt.Errorf("creating bot: %w", err)
}
go b.Start(ctx)
fmt.Println("Telegram bot started.")
}
fmt.Printf("KeyHunter server running on port %d. Press Ctrl+C to stop.\n", servePort)
// Web dashboard.
webSrv := web.NewServer(web.ServerConfig{
DB: db,
EncKey: encKey,
Providers: reg,
ReconEngine: reconEng,
})
r := chi.NewRouter()
webSrv.Mount(r)
addr := fmt.Sprintf(":%d", servePort)
fmt.Printf("KeyHunter dashboard at http://localhost%s\n", addr)
go func() {
if err := http.ListenAndServe(addr, r); err != nil && err != http.ErrServerClosed {
fmt.Fprintf(os.Stderr, "web server error: %v\n", err)
}
}()
<-ctx.Done()
fmt.Println("\nShutting down.")
return nil

1
go.mod
View File

@@ -44,6 +44,7 @@ require (
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/fsnotify/fsnotify v1.9.0 // indirect
github.com/go-chi/chi/v5 v5.2.5 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.8.0 // indirect
github.com/go-viper/mapstructure/v2 v2.4.0 // indirect

6
go.sum
View File

@@ -53,6 +53,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
github.com/go-co-op/gocron/v2 v2.19.1 h1:B4iLeA0NB/2iO3EKQ7NfKn5KsQgZfjb2fkvoZJU3yBI=
github.com/go-co-op/gocron/v2 v2.19.1/go.mod h1:5lEiCKk1oVJV39Zg7/YG10OnaVrDAV5GGR6O0663k6U=
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
@@ -189,10 +191,6 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=

15
pkg/storage/schema.sql
View File

@@ -56,7 +56,6 @@ CREATE TABLE IF NOT EXISTS custom_dorks (
CREATE INDEX IF NOT EXISTS idx_custom_dorks_source ON custom_dorks(source);
CREATE INDEX IF NOT EXISTS idx_custom_dorks_category ON custom_dorks(category);
<<<<<<< HEAD
-- Phase 17: Telegram bot subscribers for auto-notifications.
CREATE TABLE IF NOT EXISTS subscribers (
chat_id INTEGER PRIMARY KEY,
@@ -76,19 +75,5 @@ CREATE TABLE IF NOT EXISTS scheduled_jobs (
next_run DATETIME,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
=======
-- Phase 17: scheduled scan jobs for cron-based recurring scans.
CREATE TABLE IF NOT EXISTS scheduled_jobs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL,
cron_expr TEXT NOT NULL,
scan_path TEXT NOT NULL,
enabled INTEGER NOT NULL DEFAULT 1,
notify INTEGER NOT NULL DEFAULT 1,
last_run_at DATETIME,
next_run_at DATETIME,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_scheduled_jobs_enabled ON scheduled_jobs(enabled);
>>>>>>> worktree-agent-a39573e4

481
pkg/web/api.go Normal file
View File

@@ -0,0 +1,481 @@
package web
import (
"context"
"database/sql"
"encoding/json"
"errors"
"fmt"
"net/http"
"strconv"
"github.com/go-chi/chi/v5"
"github.com/salvacybersec/keyhunter/pkg/dorks"
"github.com/salvacybersec/keyhunter/pkg/providers"
"github.com/salvacybersec/keyhunter/pkg/recon"
"github.com/salvacybersec/keyhunter/pkg/storage"
"github.com/spf13/viper"
)
// apiKey is the JSON-friendly representation of a finding with masked key value.
type apiKey struct {
ID int64 `json:"id"`
ScanID int64 `json:"scanId,omitempty"`
ProviderName string `json:"providerName"`
KeyValue string `json:"keyValue"`
KeyMasked string `json:"keyMasked"`
Confidence string `json:"confidence"`
SourcePath string `json:"sourcePath"`
SourceType string `json:"sourceType"`
LineNumber int `json:"lineNumber"`
Verified bool `json:"verified"`
VerifyStatus string `json:"verifyStatus,omitempty"`
VerifyHTTPCode int `json:"verifyHttpCode,omitempty"`
VerifyMetadata map[string]string `json:"verifyMetadata,omitempty"`
CreatedAt string `json:"createdAt"`
}
// mountAPI registers all /api/v1/* routes on the given router.
func (s *Server) mountAPI(r chi.Router) {
r.Route("/api/v1", func(r chi.Router) {
// Stats
r.Get("/stats", s.handleAPIStats)
// Keys
r.Get("/keys", s.handleAPIListKeys)
r.Get("/keys/{id}", s.handleAPIGetKey)
r.Delete("/keys/{id}", s.handleAPIDeleteKey)
// Providers
r.Get("/providers", s.handleAPIListProviders)
r.Get("/providers/{name}", s.handleAPIGetProvider)
// Scan
r.Post("/scan", s.handleAPIScan)
r.Get("/scan/progress", s.handleSSEScanProgress)
// Recon
r.Post("/recon", s.handleAPIRecon)
r.Get("/recon/progress", s.handleSSEReconProgress)
// Dorks
r.Get("/dorks", s.handleAPIListDorks)
r.Post("/dorks", s.handleAPIAddDork)
// Config
r.Get("/config", s.handleAPIGetConfig)
r.Put("/config", s.handleAPIUpdateConfig)
})
}
// --- Stats ---
func (s *Server) handleAPIStats(w http.ResponseWriter, r *http.Request) {
var totalKeys int
if s.cfg.DB != nil {
row := s.cfg.DB.SQL().QueryRow("SELECT COUNT(*) FROM findings")
_ = row.Scan(&totalKeys)
}
totalProviders := 0
if s.cfg.Providers != nil {
totalProviders = len(s.cfg.Providers.List())
}
reconSources := 0
if s.cfg.ReconEngine != nil {
reconSources = len(s.cfg.ReconEngine.List())
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"totalKeys": totalKeys,
"totalProviders": totalProviders,
"reconSources": reconSources,
})
}
// --- Keys ---
func (s *Server) handleAPIListKeys(w http.ResponseWriter, r *http.Request) {
if s.cfg.DB == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "database not available"})
return
}
q := r.URL.Query()
f := storage.Filters{
Provider: q.Get("provider"),
Limit: intParam(q.Get("limit"), 50),
Offset: intParam(q.Get("offset"), 0),
}
if v := q.Get("verified"); v != "" {
b := v == "true" || v == "1"
f.Verified = &b
}
findings, err := s.cfg.DB.ListFindingsFiltered(s.cfg.EncKey, f)
if err != nil {
writeJSON(w, http.StatusInternalServerError, map[string]string{"error": err.Error()})
return
}
keys := make([]apiKey, 0, len(findings))
for _, f := range findings {
keys = append(keys, apiKey{
ID: f.ID,
ScanID: f.ScanID,
ProviderName: f.ProviderName,
KeyValue: "", // always masked
KeyMasked: f.KeyMasked,
Confidence: f.Confidence,
SourcePath: f.SourcePath,
SourceType: f.SourceType,
LineNumber: f.LineNumber,
Verified: f.Verified,
VerifyStatus: f.VerifyStatus,
VerifyHTTPCode: f.VerifyHTTPCode,
VerifyMetadata: f.VerifyMetadata,
CreatedAt: f.CreatedAt.Format("2006-01-02T15:04:05Z"),
})
}
writeJSON(w, http.StatusOK, keys)
}
func (s *Server) handleAPIGetKey(w http.ResponseWriter, r *http.Request) {
if s.cfg.DB == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "database not available"})
return
}
id, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)
if err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid id"})
return
}
finding, err := s.cfg.DB.GetFinding(id, s.cfg.EncKey)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
writeJSON(w, http.StatusNotFound, map[string]string{"error": "not found"})
return
}
writeJSON(w, http.StatusInternalServerError, map[string]string{"error": err.Error()})
return
}
// Return masked via apiKey struct
writeJSON(w, http.StatusOK, apiKey{
ID: finding.ID,
ScanID: finding.ScanID,
ProviderName: finding.ProviderName,
KeyValue: "", // always masked
KeyMasked: finding.KeyMasked,
Confidence: finding.Confidence,
SourcePath: finding.SourcePath,
SourceType: finding.SourceType,
LineNumber: finding.LineNumber,
Verified: finding.Verified,
VerifyStatus: finding.VerifyStatus,
VerifyHTTPCode: finding.VerifyHTTPCode,
VerifyMetadata: finding.VerifyMetadata,
CreatedAt: finding.CreatedAt.Format("2006-01-02T15:04:05Z"),
})
}
func (s *Server) handleAPIDeleteKey(w http.ResponseWriter, r *http.Request) {
if s.cfg.DB == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "database not available"})
return
}
id, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)
if err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid id"})
return
}
n, err := s.cfg.DB.DeleteFinding(id)
if err != nil {
writeJSON(w, http.StatusInternalServerError, map[string]string{"error": err.Error()})
return
}
if n == 0 {
writeJSON(w, http.StatusNotFound, map[string]string{"error": "not found"})
return
}
w.WriteHeader(http.StatusNoContent)
}
// --- Providers ---
// apiProvider is the JSON-friendly representation of a provider.
type apiProvider struct {
Name string `json:"name"`
DisplayName string `json:"displayName"`
Tier int `json:"tier"`
LastVerified string `json:"lastVerified,omitempty"`
Keywords []string `json:"keywords"`
}
func toAPIProvider(p providers.Provider) apiProvider {
return apiProvider{
Name: p.Name,
DisplayName: p.DisplayName,
Tier: p.Tier,
LastVerified: p.LastVerified,
Keywords: p.Keywords,
}
}
func (s *Server) handleAPIListProviders(w http.ResponseWriter, r *http.Request) {
if s.cfg.Providers == nil {
writeJSON(w, http.StatusOK, []interface{}{})
return
}
list := s.cfg.Providers.List()
out := make([]apiProvider, len(list))
for i, p := range list {
out[i] = toAPIProvider(p)
}
writeJSON(w, http.StatusOK, out)
}
func (s *Server) handleAPIGetProvider(w http.ResponseWriter, r *http.Request) {
if s.cfg.Providers == nil {
writeJSON(w, http.StatusNotFound, map[string]string{"error": "not found"})
return
}
name := chi.URLParam(r, "name")
p, ok := s.cfg.Providers.Get(name)
if !ok {
writeJSON(w, http.StatusNotFound, map[string]string{"error": "not found"})
return
}
writeJSON(w, http.StatusOK, toAPIProvider(p))
}
// --- Scan ---
type scanRequest struct {
Path string `json:"path"`
Verify bool `json:"verify"`
Workers int `json:"workers"`
}
func (s *Server) handleAPIScan(w http.ResponseWriter, r *http.Request) {
var req scanRequest
if err := readJSON(r, &req); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
return
}
// Launch scan in background -- actual scan wiring happens when ScanEngine
// is available. For now, return 202 to indicate the request was accepted.
if s.cfg.ScanEngine != nil {
go func() {
// Background scan execution with SSE progress broadcasting.
// Full wiring deferred to serve command integration.
s.sse.Broadcast(SSEEvent{Type: "scan:started", Data: map[string]string{
"path": req.Path,
}})
}()
}
writeJSON(w, http.StatusAccepted, map[string]string{
"status": "started",
"message": "scan initiated",
})
}
// --- Recon ---
type reconRequest struct {
Query string `json:"query"`
Sources []string `json:"sources"`
Stealth bool `json:"stealth"`
}
func (s *Server) handleAPIRecon(w http.ResponseWriter, r *http.Request) {
var req reconRequest
if err := readJSON(r, &req); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
return
}
if s.cfg.ReconEngine != nil {
go func() {
cfg := recon.Config{
Query: req.Query,
EnabledSources: req.Sources,
Stealth: req.Stealth,
}
s.sse.Broadcast(SSEEvent{Type: "recon:started", Data: map[string]string{
"query": req.Query,
}})
findings, err := s.cfg.ReconEngine.SweepAll(context.Background(), cfg)
if err != nil {
s.sse.Broadcast(SSEEvent{Type: "recon:error", Data: map[string]string{
"error": err.Error(),
}})
return
}
for _, f := range findings {
s.sse.Broadcast(SSEEvent{Type: "recon:finding", Data: f})
}
s.sse.Broadcast(SSEEvent{Type: "recon:complete", Data: map[string]int{
"total": len(findings),
}})
}()
}
writeJSON(w, http.StatusAccepted, map[string]string{
"status": "started",
"message": "recon initiated",
})
}
// --- Dorks ---
// apiDork is the JSON-friendly representation of a dork.
type apiDork struct {
ID string `json:"id"`
Name string `json:"name"`
Source string `json:"source"`
Category string `json:"category"`
Query string `json:"query"`
Description string `json:"description"`
Tags []string `json:"tags,omitempty"`
}
func toAPIDork(d dorks.Dork) apiDork {
return apiDork{
ID: d.ID,
Name: d.Name,
Source: d.Source,
Category: d.Category,
Query: d.Query,
Description: d.Description,
Tags: d.Tags,
}
}
func (s *Server) handleAPIListDorks(w http.ResponseWriter, r *http.Request) {
source := r.URL.Query().Get("source")
var list []dorks.Dork
if source != "" && s.cfg.Dorks != nil {
list = s.cfg.Dorks.ListBySource(source)
} else if s.cfg.Dorks != nil {
list = s.cfg.Dorks.List()
}
out := make([]apiDork, len(list))
for i, d := range list {
out[i] = toAPIDork(d)
}
writeJSON(w, http.StatusOK, out)
}
type addDorkRequest struct {
DorkID string `json:"dorkId"`
Name string `json:"name"`
Source string `json:"source"`
Category string `json:"category"`
Query string `json:"query"`
Description string `json:"description"`
Tags []string `json:"tags"`
}
func (s *Server) handleAPIAddDork(w http.ResponseWriter, r *http.Request) {
if s.cfg.DB == nil {
writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "database not available"})
return
}
var req addDorkRequest
if err := readJSON(r, &req); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
return
}
id, err := s.cfg.DB.SaveCustomDork(storage.CustomDork{
DorkID: req.DorkID,
Name: req.Name,
Source: req.Source,
Category: req.Category,
Query: req.Query,
Description: req.Description,
Tags: req.Tags,
})
if err != nil {
writeJSON(w, http.StatusInternalServerError, map[string]string{"error": err.Error()})
return
}
writeJSON(w, http.StatusCreated, map[string]interface{}{"id": id})
}
// --- Config ---
func (s *Server) handleAPIGetConfig(w http.ResponseWriter, r *http.Request) {
writeJSON(w, http.StatusOK, viper.AllSettings())
}
func (s *Server) handleAPIUpdateConfig(w http.ResponseWriter, r *http.Request) {
var settings map[string]interface{}
if err := readJSON(r, &settings); err != nil {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
return
}
for k, v := range settings {
viper.Set(k, v)
}
// Attempt to persist; ignore error if no config file is set.
_ = viper.WriteConfig()
writeJSON(w, http.StatusOK, map[string]string{"status": "updated"})
}
// --- Helpers ---
// writeJSON marshals v to JSON and writes it with the given HTTP status code.
func writeJSON(w http.ResponseWriter, status int, v interface{}) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(status)
if err := json.NewEncoder(w).Encode(v); err != nil {
// Best effort — headers already sent.
fmt.Fprintf(w, `{"error":"encode: %s"}`, err)
}
}
// readJSON decodes the request body into v.
func readJSON(r *http.Request, v interface{}) error {
if r.Body == nil {
return fmt.Errorf("empty request body")
}
defer r.Body.Close()
return json.NewDecoder(r.Body).Decode(v)
}
// intParam parses a query param as int, returning defaultVal on empty or error.
func intParam(s string, defaultVal int) int {
if s == "" {
return defaultVal
}
v, err := strconv.Atoi(s)
if err != nil || v < 0 {
return defaultVal
}
return v
}
// itoa is a small helper for int64 to string conversion.
func itoa(v int64) string {
return strconv.FormatInt(v, 10)
}

52
pkg/web/auth.go Normal file
View File

@@ -0,0 +1,52 @@
package web
import (
"crypto/subtle"
"net/http"
"strings"
)
// AuthMiddleware returns HTTP middleware that enforces authentication when
// at least one of user/pass or token is configured. If all auth fields are
// empty, the middleware is a no-op passthrough.
//
// Supported schemes:
// - Bearer <token> — matches the configured token
// - Basic <base64> — matches the configured user:pass
func AuthMiddleware(user, pass, token string) func(http.Handler) http.Handler {
authEnabled := user != "" || token != ""
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if !authEnabled {
next.ServeHTTP(w, r)
return
}
auth := r.Header.Get("Authorization")
// Check bearer token first.
if token != "" && strings.HasPrefix(auth, "Bearer ") {
provided := strings.TrimPrefix(auth, "Bearer ")
if subtle.ConstantTimeCompare([]byte(provided), []byte(token)) == 1 {
next.ServeHTTP(w, r)
return
}
}
// Check basic auth.
if user != "" {
u, p, ok := r.BasicAuth()
if ok &&
subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1 &&
subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1 {
next.ServeHTTP(w, r)
return
}
}
w.Header().Set("WWW-Authenticate", `Basic realm="keyhunter"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
})
}
}

14
pkg/web/embed.go Normal file
View File

@@ -0,0 +1,14 @@
package web
import "embed"
// staticFiles holds the vendored static assets (htmx.min.js, style.css, etc.)
// embedded at compile time.
//
//go:embed static/*
var staticFiles embed.FS
// templateFiles holds HTML templates embedded at compile time.
//
//go:embed templates/*
var templateFiles embed.FS

58
pkg/web/handlers.go Normal file
View File

@@ -0,0 +1,58 @@
package web
import (
"log"
"net/http"
"github.com/salvacybersec/keyhunter/pkg/storage"
)
// OverviewData holds template data for the overview dashboard page.
type OverviewData struct {
TotalKeys int
TotalProviders int
ReconSources int
LastScan string
RecentFindings []storage.Finding
PageTitle string
}
// handleOverview renders the overview dashboard page with aggregated stats.
func (s *Server) handleOverview(w http.ResponseWriter, r *http.Request) {
data := OverviewData{
PageTitle: "Overview",
}
// Provider count.
if s.cfg.Providers != nil {
data.TotalProviders = s.cfg.Providers.Stats().Total
}
// Recon source count.
if s.cfg.ReconEngine != nil {
data.ReconSources = len(s.cfg.ReconEngine.List())
}
// Recent findings + total count from DB.
if s.cfg.DB != nil && s.cfg.EncKey != nil {
recent, err := s.cfg.DB.ListFindingsFiltered(s.cfg.EncKey, storage.Filters{Limit: 10})
if err != nil {
log.Printf("web: listing recent findings: %v", err)
} else {
data.RecentFindings = recent
}
// Total count via a broader query.
all, err := s.cfg.DB.ListFindingsFiltered(s.cfg.EncKey, storage.Filters{})
if err != nil {
log.Printf("web: counting findings: %v", err)
} else {
data.TotalKeys = len(all)
}
}
if err := s.tmpl.ExecuteTemplate(w, "layout", data); err != nil {
log.Printf("web: rendering overview: %v", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
}

57
pkg/web/server.go Normal file
View File

@@ -0,0 +1,57 @@
// Package web implements the KeyHunter embedded web dashboard and REST API.
package web
import (
"html/template"
"net/http"
"github.com/go-chi/chi/v5"
"github.com/salvacybersec/keyhunter/pkg/dorks"
"github.com/salvacybersec/keyhunter/pkg/engine"
"github.com/salvacybersec/keyhunter/pkg/providers"
"github.com/salvacybersec/keyhunter/pkg/recon"
"github.com/salvacybersec/keyhunter/pkg/storage"
)
// ServerConfig holds all dependencies injected into the web Server.
type ServerConfig struct {
DB *storage.DB
EncKey []byte
Providers *providers.Registry
Dorks *dorks.Registry
ScanEngine *engine.Engine
ReconEngine *recon.Engine
}
// Server is the central HTTP server holding all handler dependencies.
type Server struct {
cfg ServerConfig
sse *SSEHub
tmpl *template.Template
}
// NewServer creates a Server with the given configuration.
func NewServer(cfg ServerConfig) *Server {
tmpl, _ := template.ParseFS(templateFiles, "templates/*.html")
return &Server{
cfg: cfg,
sse: NewSSEHub(),
tmpl: tmpl,
}
}
// Mount registers all web dashboard routes on the given chi router.
func (s *Server) Mount(r chi.Router) {
// Static assets.
r.Handle("/static/*", http.StripPrefix("/static/", http.FileServer(http.FS(staticFiles))))
// HTML pages.
r.Get("/", s.handleOverview)
// REST API (routes defined in api.go).
s.mountAPI(r)
// SSE progress endpoints.
r.Get("/events/scan", s.handleSSEScanProgress)
r.Get("/events/recon", s.handleSSEReconProgress)
}

115
pkg/web/sse.go Normal file
View File

@@ -0,0 +1,115 @@
package web
import (
"encoding/json"
"fmt"
"net/http"
"sync"
)
// SSEEvent represents a server-sent event with a type and JSON-serializable data.
type SSEEvent struct {
Type string `json:"type"`
Data interface{} `json:"data"`
}
// SSEHub manages SSE client subscriptions and broadcasts events to all
// connected clients. It is safe for concurrent use.
type SSEHub struct {
mu sync.RWMutex
clients map[chan SSEEvent]struct{}
}
// NewSSEHub creates an empty SSE hub ready to accept subscriptions.
func NewSSEHub() *SSEHub {
return &SSEHub{
clients: make(map[chan SSEEvent]struct{}),
}
}
// Subscribe creates a new buffered channel for a client and registers it.
// The caller must call Unsubscribe when done.
func (h *SSEHub) Subscribe() chan SSEEvent {
ch := make(chan SSEEvent, 32)
h.mu.Lock()
h.clients[ch] = struct{}{}
h.mu.Unlock()
return ch
}
// Unsubscribe removes a client channel from the hub and closes it.
func (h *SSEHub) Unsubscribe(ch chan SSEEvent) {
h.mu.Lock()
delete(h.clients, ch)
h.mu.Unlock()
close(ch)
}
// Broadcast sends an event to all connected clients. If a client's buffer is
// full the event is dropped for that client (non-blocking send).
func (h *SSEHub) Broadcast(evt SSEEvent) {
h.mu.RLock()
defer h.mu.RUnlock()
for ch := range h.clients {
select {
case ch <- evt:
default:
// client buffer full, drop event
}
}
}
// ClientCount returns the number of currently connected SSE clients.
func (h *SSEHub) ClientCount() int {
h.mu.RLock()
defer h.mu.RUnlock()
return len(h.clients)
}
// handleSSEScanProgress streams scan progress events to the client via SSE.
func (s *Server) handleSSEScanProgress(w http.ResponseWriter, r *http.Request) {
s.serveSSE(w, r)
}
// handleSSEReconProgress streams recon progress events to the client via SSE.
func (s *Server) handleSSEReconProgress(w http.ResponseWriter, r *http.Request) {
s.serveSSE(w, r)
}
// serveSSE is the shared SSE handler for both scan and recon progress endpoints.
func (s *Server) serveSSE(w http.ResponseWriter, r *http.Request) {
flusher, ok := w.(http.Flusher)
if !ok {
http.Error(w, "streaming unsupported", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "text/event-stream")
w.Header().Set("Cache-Control", "no-cache")
w.Header().Set("Connection", "keep-alive")
w.Header().Set("X-Accel-Buffering", "no")
ch := s.sse.Subscribe()
defer s.sse.Unsubscribe(ch)
// Send initial connection event
fmt.Fprintf(w, "event: connected\ndata: {}\n\n")
flusher.Flush()
for {
select {
case <-r.Context().Done():
return
case evt, ok := <-ch:
if !ok {
return
}
data, err := json.Marshal(evt.Data)
if err != nil {
continue
}
fmt.Fprintf(w, "event: %s\ndata: %s\n\n", evt.Type, data)
flusher.Flush()
}
}
}

1
pkg/web/static/htmx.min.js vendored Normal file
View File

File diff suppressed because one or more lines are too long

39
pkg/web/static/style.css Normal file
View File

@@ -0,0 +1,39 @@
/* KeyHunter Dashboard — custom overrides (Tailwind CDN handles utility classes) */
body {
font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont,
"Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
}
/* Stat card styling */
.stat-card {
border-radius: 0.5rem;
padding: 1.5rem;
box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1);
}
/* Findings table */
.findings-table {
width: 100%;
border-collapse: collapse;
}
.findings-table th,
.findings-table td {
padding: 0.75rem 1rem;
text-align: left;
border-bottom: 1px solid #e5e7eb;
}
.findings-table th {
font-weight: 600;
color: #374151;
background-color: #f9fafb;
}
.findings-table tr:hover {
background-color: #f3f4f6;
}
/* Navigation active link */
.nav-link-active {
border-bottom: 2px solid #3b82f6;
color: #3b82f6;
}

43
pkg/web/templates/layout.html Normal file
View File

@@ -0,0 +1,43 @@
{{define "layout"}}<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{{if .PageTitle}}{{.PageTitle}} - {{end}}KeyHunter Dashboard</title>
<script src="https://cdn.tailwindcss.com"></script>
<script src="/static/htmx.min.js"></script>
<link rel="stylesheet" href="/static/style.css">
</head>
<body class="bg-gray-50 min-h-screen">
<!-- Navigation -->
<nav class="bg-white shadow-sm border-b border-gray-200">
<div class="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8">
<div class="flex justify-between h-16">
<div class="flex items-center space-x-8">
<a href="/" class="text-xl font-bold text-gray-900">KeyHunter</a>
<div class="hidden md:flex space-x-6">
<a href="/" class="text-gray-600 hover:text-gray-900 px-1 py-2 text-sm font-medium">Overview</a>
<a href="/keys" class="text-gray-600 hover:text-gray-900 px-1 py-2 text-sm font-medium">Keys</a>
<a href="/providers" class="text-gray-600 hover:text-gray-900 px-1 py-2 text-sm font-medium">Providers</a>
<a href="/recon" class="text-gray-600 hover:text-gray-900 px-1 py-2 text-sm font-medium">Recon</a>
<a href="/dorks" class="text-gray-600 hover:text-gray-900 px-1 py-2 text-sm font-medium">Dorks</a>
<a href="/settings" class="text-gray-600 hover:text-gray-900 px-1 py-2 text-sm font-medium">Settings</a>
</div>
</div>
</div>
</div>
</nav>
<!-- Main content -->
<main class="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8 py-8">
{{block "content" .}}{{end}}
</main>
<!-- Footer -->
<footer class="bg-white border-t border-gray-200 mt-auto">
<div class="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8 py-4">
<p class="text-sm text-gray-500 text-center">KeyHunter - API Key Scanner</p>
</div>
</footer>
</body>
</html>{{end}}

77
pkg/web/templates/overview.html Normal file
View File

@@ -0,0 +1,77 @@
{{template "layout" .}}
{{define "content"}}
<!-- Stat cards -->
<div class="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-4 gap-6 mb-8">
<div class="stat-card bg-white border border-gray-200">
<p class="text-sm font-medium text-gray-500">Total Keys Found</p>
<p class="mt-2 text-3xl font-bold text-gray-900">{{.TotalKeys}}</p>
</div>
<div class="stat-card bg-white border border-gray-200">
<p class="text-sm font-medium text-gray-500">Providers Loaded</p>
<p class="mt-2 text-3xl font-bold text-gray-900">{{.TotalProviders}}</p>
</div>
<div class="stat-card bg-white border border-gray-200">
<p class="text-sm font-medium text-gray-500">Recon Sources</p>
<p class="mt-2 text-3xl font-bold text-gray-900">{{.ReconSources}}</p>
</div>
<div class="stat-card bg-white border border-gray-200">
<p class="text-sm font-medium text-gray-500">Last Scan</p>
<p class="mt-2 text-xl font-bold text-gray-900">{{if .LastScan}}{{.LastScan}}{{else}}Never{{end}}</p>
</div>
</div>
<!-- Recent findings -->
<div class="bg-white shadow-sm rounded-lg border border-gray-200">
<div class="px-6 py-4 border-b border-gray-200">
<h2 class="text-lg font-semibold text-gray-900">Recent Findings</h2>
</div>
{{if .RecentFindings}}
<div class="overflow-x-auto">
<table class="findings-table">
<thead>
<tr>
<th>Provider</th>
<th>Masked Key</th>
<th>Source</th>
<th>Confidence</th>
<th>Verified</th>
<th>Date</th>
</tr>
</thead>
<tbody>
{{range .RecentFindings}}
<tr>
<td class="font-medium">{{.ProviderName}}</td>
<td class="font-mono text-sm text-gray-600">{{.KeyMasked}}</td>
<td class="text-sm text-gray-600">{{.SourcePath}}</td>
<td>
{{if eq .Confidence "high"}}
<span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-green-100 text-green-800">High</span>
{{else if eq .Confidence "medium"}}
<span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-yellow-100 text-yellow-800">Medium</span>
{{else}}
<span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-gray-100 text-gray-800">{{.Confidence}}</span>
{{end}}
</td>
<td>
{{if .Verified}}
<span class="text-green-600 font-medium">Live</span>
{{else}}
<span class="text-gray-400">-</span>
{{end}}
</td>
<td class="text-sm text-gray-500">{{.CreatedAt.Format "2006-01-02 15:04"}}</td>
</tr>
{{end}}
</tbody>
</table>
</div>
{{else}}
<div class="px-6 py-12 text-center text-gray-500">
<p class="text-lg">No findings yet</p>
<p class="mt-1 text-sm">Run a scan to detect API keys</p>
</div>
{{end}}
</div>
{{end}}