| gsd_state_version | milestone | milestone_name | status | stopped_at | last_updated | last_activity | progress |
|---|---|---|---|---|---|---|---|
| 1.0 | v1.0 | milestone | executing | Completed 06-06-PLAN.md | 2026-04-05T21:05:04.569Z | 2026-04-05 | |
Project State
Project Reference
See: .planning/PROJECT.md (updated 2026-04-04)
Core value: Detect leaked LLM API keys across more providers and more internet sources than any other tool, with active verification to confirm keys are real and alive.
Current focus: Phase 07 — import-cicd
Current Position
Phase: 8
Plan: Not started
Status: Ready to execute
Last activity: 2026-04-05
Progress: [██░░░░░░░░] 20%
Performance Metrics
Velocity:
- Total plans completed: 0
- Average duration: —
- Total execution time: 0 hours
By Phase:
| Phase | Plans | Total | Avg/Plan |
|---|---|---|---|
| - | - | - | - |
Recent Trend:
- Last 5 plans: —
- Trend: —
Updated after each plan completion

| Phase / Plan | Duration | Tasks | Files |
|---|---|---|---|
| Phase 01-foundation P02 | 9 | 2 tasks | 11 files |
| Phase 01-foundation P04 | 5min | 2 tasks | 12 files |
| Phase 01-foundation P05 | 4min | 2 tasks | 8 files |
| Phase 02-tier-1-2-providers P02 | 1m | 2 tasks | 12 files |
| Phase 02-tier-1-2-providers P03 | 3min | 2 tasks | 14 files |
| Phase 02-tier-1-2-providers P01 | 3min | 2 tasks | 12 files |
| Phase 02-tier-1-2-providers P04 | 1min | 2 tasks | 14 files |
| Phase 02-tier-1-2-providers P05 | 2min | 1 task | 1 file |
| Phase 03-tier-3-9-providers P04 | 3m | 2 tasks | 20 files |
| Phase 03-tier-3-9-providers P02 | 70 | 2 tasks | 22 files |
| Phase 03-tier-3-9-providers P06 | 3m | 2 tasks | 16 files |
| Phase 03-tier-3-9-providers P01 | 3m | 2 tasks | 32 files |
| Phase 03 P08 | 2min | 1 task | 1 file |
| Phase 04 P01 | 1m | 1 task | 2 files |
| Phase 04-input-sources P03 | 6m | 1 task | 2 files |
| Phase 04 P02 | 4min | 1 task | 3 files |
| Phase 04 P05 | 3min | 1 task | 2 files |
| Phase 05 P01 | 3m43s | 2 tasks | 10 files |
| Phase 05 P04 | 10m | 2 tasks | 25 files |
| Phase 05-verification-engine P02 | 7m | 2 tasks | 9 files |
| Phase 05-verification-engine P03 | 245s | 2 tasks | 4 files |
| Phase 05 P05 | 12min | 2 tasks | 5 files |
| Phase 06 P01 | 8m | 2 tasks | 7 files |
| Phase 06 P03 | ~6m | 1 task | 2 files |
| Phase 06-output-reporting P05 | 4min | 2 tasks | 3 files |
| Phase 06 P06 | 3min | 2 tasks | 3 files |
Accumulated Context
Decisions
Decisions are logged in PROJECT.md Key Decisions table. Recent decisions affecting current work:
- Roadmap: CGO_ENABLED=0 throughout — modernc.org/sqlite over mattn/go-sqlite3 (see PROJECT.md)
- Roadmap: Per-source rate limiter architecture (Phase 9) must precede all OSINT source modules (Phases 10-16)
- Roadmap: AES-256 encryption added in Phase 1, not post-hoc — avoids migration complexity
- Roadmap: Verification (Phase 5) requires consent prompt + LEGAL.md — not optional polish
- [Phase 01-foundation]: Provider YAML in dual locations: providers/ (user-visible) and pkg/providers/definitions/ (embed) — Go embed cannot use '..' paths
- [Phase 01-foundation]: Aho-Corasick built with DFA=true at NewRegistry() for O(n) keyword pre-filtering across all providers
- [Phase 01-foundation]: pkg/types/chunk.go breaks engine<->sources circular import; ants pool with WaitGroup+Mutex for detector coordination
- [Phase 01-foundation]: Per-installation salt via settings table -- no hardcoded salt in production code
- [Phase 01-foundation]: Exit code semantics: 0=clean, 1=keys-found, 2=error for CI/CD integration
- [Phase 02-tier-1-2-providers]: AWS Bedrock verify URL left empty — SigV4 signing deferred to Phase 5 verification engine
- [Phase 03-tier-3-9-providers]: Keyword-only detection for providers without documented key prefixes (You.com, Unstructured, Runway, Midjourney) to avoid false positives.
- [Phase 04]: Use 'go mod download' instead of 'go mod tidy' when bootstrapping dependencies ahead of their consumers
- [Phase 04-input-sources]: GitSource walks heads+tags+remotes+stash with per-OID blob dedup
- [Phase 04]: Introduced selectSource dispatcher with sourceFlags struct for testable CLI source routing
- [Phase 05]: Keep legacy VerifySpec ValidStatus/InvalidStatus alongside canonical SuccessCodes/FailureCodes; Effective*() helpers pick canonical-first with fallback
- [Phase 05]: Store Finding.VerifyMetadata as JSON TEXT column; legacy DBs migrated in-place via PRAGMA table_info + conditional ALTER TABLE in storage.Open()
- [Phase 05-verification-engine]: LEGAL.md dual-location mirror (root + pkg/legal/) required because go:embed cannot traverse parents — mirrors Phase 1 providers pattern
- [Phase 05-verification-engine]: verify.consent setting: granted is sticky across runs; declined is not — users who initially refuse can change mind without manual reset
- [Phase 05-verification-engine]: Plan 05-03: HTTPVerifier classifies via YAML VerifySpec only; no per-provider branches. VerifyAll uses ants pool with per-finding Result guarantee.
- [Phase 05]: Verification runs in batch mode after scan completes (collect -> verify -> persist) with Result->Finding back-assignment via provider+masked-key tuple
- [Phase 06]: Registry pattern for output formatters; TableFormatter strips ANSI when writer is not a TTY via zero-value lipgloss.Style
- [Phase 06]: SARIF 2.1.0 via hand-rolled structs (no library) per CLAUDE.md
- [Phase 06-output-reporting]: keys export rejects SARIF (scan-only); keys show always unmasked; keys verify updates findings inline via db.SQL().Exec
Pending Todos
None yet.
Blockers/Concerns
- Phase 1: Argon2 vs PBKDF2 for database encryption key derivation — needs decision before Storage Layer implementation
- Phase 1: Aho-Corasick library choice (cloudflare/ahocorasick vs bobrik/ahocorasick) — verify which TruffleHog uses
- Phase 2+: Provider YAML patterns for 108 providers — lesser-known providers need targeted research (Chinese LLMs, niche APIs)
- Phase 11: Google Custom Search API quota (100 queries/day free tier) vs direct scraping ToS trade-off — product decision needed
Session Continuity
Last session: 2026-04-05T20:42:54.082Z
Stopped at: Completed 06-06-PLAN.md
Resume file: None