@fanboynz/network-scanner 2.0.55 → 2.0.57

package/lib/post-processing.js

@@ -2,6 +2,40 @@
 // Handles cleanup and validation of scan results after scanning is complete
 
 const { formatLogMessage, messageColors } = require('./colorize');
+const psl = require('psl');
+
+// Precompiled regex patterns (avoids recompilation per rule)
+const REGEX_ADBLOCK = /^\|\|([^/\^]+)/;
+const REGEX_DNSMASQ_LOCAL = /local=\/([^/]+)\//;
+const REGEX_DNSMASQ_SERVER = /server=\/([^/]+)\//;
+const REGEX_UNBOUND = /local-zone:\s*"([^"]+)\.?"/;
+const REGEX_PRIVOXY = /\{\s*\+block\s*\}\s*\.?([^\s]+)/;
+const REGEX_PIHOLE = /^\(\^\|\\\.\)(.+)\\\.\w+\$$/;
+const REGEX_DOMAIN_FALLBACK = /([a-zA-Z0-9][a-zA-Z0-9.-]*\.[a-zA-Z]{2,})/;
+const REGEX_WHITESPACE = /\s+/;
+const REGEX_UNESCAPE_DOT = /\\\./g;
+
+// Cache for compiled wildcard regex patterns
+const wildcardRegexCache = new Map();
+
+/**
+ * Get or compile a wildcard pattern regex (cached)
+ * @param {string} pattern - Wildcard pattern string
+ * @returns {RegExp} Compiled regex
+ */
+function getWildcardRegex(pattern) {
+  let regex = wildcardRegexCache.get(pattern);
+  if (!regex) {
+    regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
+    wildcardRegexCache.set(pattern, regex);
+    // Cap cache size
+    if (wildcardRegexCache.size > 200) {
+      const firstKey = wildcardRegexCache.keys().next().value;
+      wildcardRegexCache.delete(firstKey);
+    }
+  }
+  return regex;
+}
 
 /**
  * Safely extracts hostname from a URL, handling malformed URLs gracefully
@@ -11,20 +45,77 @@ const { formatLogMessage, messageColors } = require('./colorize');
  */
 function safeGetDomain(url, getFullHostname = false) {
   try {
-    const psl = require('psl');
     const parsedUrl = new URL(url);
     if (getFullHostname) {
       return parsedUrl.hostname;
-    } else {
-      // Extract root domain using psl library
-      const parsed = psl.parse(parsedUrl.hostname);
-      return parsed.domain || parsedUrl.hostname;
     }
+    const parsed = psl.parse(parsedUrl.hostname);
+    return parsed.domain || parsedUrl.hostname;
   } catch (urlError) {
     return '';
   }
 }
 
+/**
+ * Enhanced domain extraction helper - single source of truth for all rule formats
+ * (Was duplicated inline in cleanupIgnoreDomains and cleanupFirstPartyDomains)
+ * @param {string} rule - Rule string in various formats
+ * @returns {string|null} Extracted domain or null if not found
+ */
+function extractDomainFromRule(rule) {
+  if (!rule || typeof rule !== 'string') {
+    return null;
+  }
+
+  // Adblock: ||domain.com^
+  if (rule.charCodeAt(0) === 124 && rule.charCodeAt(1) === 124 && rule.includes('^')) { // '||' + '^'
+    const match = REGEX_ADBLOCK.exec(rule);
+    return match ? match[1] : null;
+  }
+
+  // Hosts file: 127.0.0.1 domain / 0.0.0.0 domain
+  if (rule.charCodeAt(0) === 49 || rule.charCodeAt(0) === 48) { // '1' or '0'
+    if (rule.startsWith('127.0.0.1 ') || rule.startsWith('0.0.0.0 ')) {
+      const parts = rule.split(REGEX_WHITESPACE);
+      return parts.length >= 2 ? parts[1] : null;
+    }
+  }
+
+  // dnsmasq: local=/domain.com/
+  if (rule.includes('local=/')) {
+    const match = REGEX_DNSMASQ_LOCAL.exec(rule);
+    return match ? match[1] : null;
+  }
+
+  // dnsmasq old: server=/domain.com/
+  if (rule.includes('server=/')) {
+    const match = REGEX_DNSMASQ_SERVER.exec(rule);
+    return match ? match[1] : null;
+  }
+
+  // Unbound: local-zone: "domain.com." always_null
+  if (rule.includes('local-zone:') && rule.includes('always_null')) {
+    const match = REGEX_UNBOUND.exec(rule);
+    return match ? match[1] : null;
+  }
+
+  // Privoxy: { +block } .domain.com
+  if (rule.includes('+block') && rule.includes('.')) {
+    const match = REGEX_PRIVOXY.exec(rule);
+    return match ? match[1] : null;
+  }
+
+  // Pi-hole regex: (^|\.)domain\.com$ -- single match (was tested then matched separately)
+  if (rule.charCodeAt(0) === 40) { // '('
+    const match = REGEX_PIHOLE.exec(rule);
+    return match ? match[1].replace(REGEX_UNESCAPE_DOT, '.') : null;
+  }
+
+  // Fallback: any domain-like pattern
+  const domainMatch = REGEX_DOMAIN_FALLBACK.exec(rule);
+  return domainMatch ? domainMatch[1] : null;
+}
+
 /**
  * Enhanced domain matching for ignoreDomains patterns (including wildcards)
  * @param {string} domain - Domain to check
@@ -37,47 +128,35 @@ function shouldIgnoreAsIgnoreDomain(domain, ignorePatterns, forceDebug) {
     return { shouldIgnore: false, reason: 'No ignore patterns' };
   }
 
-  for (const pattern of ignorePatterns) {
+  for (let i = 0; i < ignorePatterns.length; i++) {
+    const pattern = ignorePatterns[i];
     if (pattern.includes('*')) {
-      // Handle wildcard patterns
       if (pattern.startsWith('*.')) {
         // Pattern: *.example.com
-        const wildcardDomain = pattern.substring(2); // Remove "*."
-        const wildcardRoot = safeGetDomain(`http://${wildcardDomain}`, false);
-        const domainRoot = safeGetDomain(`http://${domain}`, false);
+        const wildcardDomain = pattern.substring(2);
+        const wildcardRoot = safeGetDomain('http://' + wildcardDomain, false);
+        const domainRoot = safeGetDomain('http://' + domain, false);
         
         if (wildcardRoot === domainRoot) {
-          return { 
-            shouldIgnore: true, 
-            reason: `Matches wildcard ignore pattern: ${pattern}` 
-          };
+          return { shouldIgnore: true, reason: 'Matches wildcard ignore pattern: ' + pattern };
         }
       } else if (pattern.endsWith('.*')) {
         // Pattern: example.*
-        const baseDomain = pattern.slice(0, -2); // Remove ".*"
+        const baseDomain = pattern.slice(0, -2);
         if (domain.startsWith(baseDomain + '.')) {
-          return { 
-            shouldIgnore: true, 
-            reason: `Matches wildcard TLD ignore pattern: ${pattern}` 
-          };
+          return { shouldIgnore: true, reason: 'Matches wildcard TLD ignore pattern: ' + pattern };
         }
       } else {
-        // Complex wildcard pattern
-        const wildcardRegex = new RegExp('^' + pattern.replace(/\*/g, '.*').replace(/\./g, '\\.') + '$');
+        // Complex wildcard -- use cached regex
+        const wildcardRegex = getWildcardRegex(pattern);
         if (wildcardRegex.test(domain)) {
-          return { 
-            shouldIgnore: true, 
-            reason: `Matches complex wildcard ignore pattern: ${pattern}` 
-          };
+          return { shouldIgnore: true, reason: 'Matches complex wildcard ignore pattern: ' + pattern };
         }
       }
     } else {
       // Exact pattern matching
       if (domain === pattern || domain.endsWith('.' + pattern)) {
-        return { 
-          shouldIgnore: true, 
-          reason: `Matches exact ignore pattern: ${pattern}` 
-        };
+        return { shouldIgnore: true, reason: 'Matches exact ignore pattern: ' + pattern };
       }
     }
   }
@@ -97,53 +176,54 @@ function shouldRemoveAsFirstParty(extractedDomain, scannedRootDomain, forceDebug
     return { shouldRemove: false, reason: 'Missing domain data' };
   }
 
-  // Handle wildcard patterns
   if (extractedDomain.includes('*')) {
-    // Common wildcard patterns
     if (extractedDomain.startsWith('*.')) {
-      // Pattern: *.example.com
-      const wildcardDomain = extractedDomain.substring(2); // Remove "*."
-      const wildcardRoot = safeGetDomain(`http://${wildcardDomain}`, false);
+      const wildcardDomain = extractedDomain.substring(2);
+      const wildcardRoot = safeGetDomain('http://' + wildcardDomain, false);
       
       if (wildcardRoot === scannedRootDomain) {
-        return { 
-          shouldRemove: true, 
-          reason: `Wildcard subdomain pattern matches root domain (*.${wildcardRoot})` 
-        };
+        return { shouldRemove: true, reason: 'Wildcard subdomain pattern matches root domain (*.' + wildcardRoot + ')' };
       }
     } else if (extractedDomain.endsWith('.*')) {
-      // Pattern: example.*
-      const baseDomain = extractedDomain.slice(0, -2); // Remove ".*"
+      const baseDomain = extractedDomain.slice(0, -2);
       if (scannedRootDomain.startsWith(baseDomain + '.')) {
-        return { 
-          shouldRemove: true, 
-          reason: `Wildcard TLD pattern matches base domain (${baseDomain}.*)` 
-        };
+        return { shouldRemove: true, reason: 'Wildcard TLD pattern matches base domain (' + baseDomain + '.*)' };
       }
-    } else if (extractedDomain.includes('*')) {
-      // Pattern: sub*.example.com or other wildcard positions
-      const wildcardRegex = new RegExp('^' + extractedDomain.replace(/\*/g, '.*').replace(/\./g, '\\.') + '$');
+    } else {
+      // Complex wildcard -- use cached regex
+      const wildcardRegex = getWildcardRegex(extractedDomain);
       if (wildcardRegex.test(scannedRootDomain)) {
-        return { 
-          shouldRemove: true, 
-          reason: `Complex wildcard pattern matches root domain (${extractedDomain})` 
-        };
+        return { shouldRemove: true, reason: 'Complex wildcard pattern matches root domain (' + extractedDomain + ')' };
       }
     }
   }
 
   // Standard exact root domain matching
-  const extractedRoot = safeGetDomain(`http://${extractedDomain}`, false);
+  const extractedRoot = safeGetDomain('http://' + extractedDomain, false);
   if (extractedRoot === scannedRootDomain) {
-    return { 
-      shouldRemove: true, 
-      reason: `Exact root domain match (${extractedRoot})` 
-    };
+    return { shouldRemove: true, reason: 'Exact root domain match (' + extractedRoot + ')' };
   }
 
   return { shouldRemove: false, reason: 'No first-party match detected' };
 }
 
+/**
+ * Build URL-to-site-config mapping (shared between cleanup functions)
+ * @param {Array} sites - Array of site configurations
+ * @returns {Map} URL to site config mapping
+ */
+function buildUrlToSiteConfig(sites) {
+  const map = new Map();
+  for (let i = 0; i < sites.length; i++) {
+    const site = sites[i];
+    const urls = Array.isArray(site.url) ? site.url : [site.url];
+    for (let j = 0; j < urls.length; j++) {
+      map.set(urls[j], site);
+    }
+  }
+  return map;
+}
+
 /**
  * Post-scan cleanup function to remove ignoreDomains from results
  * This is a final safety net to catch any domains that should have been ignored
@@ -163,80 +243,31 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
   }
 
   if (forceDebug) {
-    console.log(formatLogMessage('debug', `[ignoreDomains cleanup] Processing ${results.length} results against ${ignoreDomains.length} ignore patterns`));
+    console.log(formatLogMessage('debug', '[ignoreDomains cleanup] Processing ' + results.length + ' results against ' + ignoreDomains.length + ' ignore patterns'));
   }
 
   const cleanedResults = [];
   let totalRulesRemoved = 0;
   let sitesAffected = 0;
 
-  results.forEach(result => {
+  for (let ri = 0; ri < results.length; ri++) {
+    const result = results[ri];
     if (!result.rules || result.rules.length === 0) {
       cleanedResults.push(result);
-      return;
+      continue;
     }
 
-    const originalRulesCount = result.rules.length;
     const cleanedRules = [];
     const removedRules = [];
 
-    // Filter out rules that match ignoreDomains patterns
-    result.rules.forEach(rule => {
-      let extractedDomain = null;
+    for (let j = 0; j < result.rules.length; j++) {
+      const rule = result.rules[j];
+      let kept = true;
 
       try {
-        // Extract domain from different rule formats (same logic as first-party cleanup)
-        if (rule.startsWith('||') && rule.includes('^')) {
-          // ||domain.com^ format (adblock)
-          const match = rule.match(/^\|\|([^/\^]+)/);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.startsWith('127.0.0.1 ') || rule.startsWith('0.0.0.0 ')) {
-          // hosts file format
-          const parts = rule.split(/\s+/);
-          if (parts.length >= 2) {
-            extractedDomain = parts[1];
-          }
-        } else if (rule.includes('local=/') && rule.includes('/')) {
-          // dnsmasq format: local=/domain.com/
-          const match = rule.match(/local=\/([^/]+)\//);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.includes('server=/') && rule.includes('/')) {
-          // dnsmasq old format: server=/domain.com/
-          const match = rule.match(/server=\/([^/]+)\//);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.includes('local-zone:') && rule.includes('always_null')) {
-          // unbound format: local-zone: "domain.com." always_null
-          const match = rule.match(/local-zone:\s*"([^"]+)\.?"/);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.includes('+block') && rule.includes('.')) {
-          // privoxy format: { +block } .domain.com
-          const match = rule.match(/\{\s*\+block\s*\}\s*\.?([^\s]+)/);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.match(/^\(\^\|\\\.\).*\\\.\w+\$$/)) {
-          // pi-hole regex format: (^|\.)domain\.com$
-          const match = rule.match(/^\(\^\|\\\.\)(.+)\\\.\w+\$$/);
-          if (match) {
-            // Unescape the domain
-            extractedDomain = match[1].replace(/\\\./g, '.');
-          }
-        } else {
-          // Try to extract any domain-like pattern as fallback
-          const domainMatch = rule.match(/([a-zA-Z0-9][a-zA-Z0-9.-]*\.[a-zA-Z]{2,})/);
-          if (domainMatch) {
-            extractedDomain = domainMatch[1];
-          }
-        }
-        // Check if extracted domain should be ignored
+        // Use shared extractDomainFromRule (was duplicated inline)
+        const extractedDomain = extractDomainFromRule(rule);
+        
         if (extractedDomain) {
           const ignoreResult = shouldIgnoreAsIgnoreDomain(extractedDomain, ignoreDomains, forceDebug);
           
@@ -244,35 +275,42 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
             removedRules.push({
               rule: rule,
               domain: extractedDomain,
-              reason: `ignoreDomains: ${ignoreResult.reason}`,
+              reason: 'ignoreDomains: ' + ignoreResult.reason,
               matchType: ignoreResult.reason.includes('wildcard') ? 'wildcard' : 'exact'
             });
-            return; // Exit early - rule should be removed
+            kept = false;
           }
         }
       } catch (parseErr) {
         if (forceDebug) {
-          console.log(formatLogMessage('debug', `[ignoreDomains cleanup] Failed to parse rule: ${rule} - ${parseErr.message}`));
+          console.log(formatLogMessage('debug', '[ignoreDomains cleanup] Failed to parse rule: ' + rule + ' - ' + parseErr.message));
         }
       }
 
-      // If we reach here, the rule should be kept
-      cleanedRules.push(rule);
-    });
+      if (kept) {
+        cleanedRules.push(rule);
+      }
+    }
 
-    cleanedResults.push({ ...result, rules: cleanedRules });
+    // Mutate rules directly instead of spreading entire result object
+    result.rules = cleanedRules;
+    cleanedResults.push(result);
 
     if (removedRules.length > 0) {
       sitesAffected++;
       totalRulesRemoved += removedRules.length;
       
       if (!silentMode) {
-        const wildcardCount = removedRules.filter(r => r.matchType === 'wildcard').length;
-        const exactCount = removedRules.filter(r => r.matchType === 'exact').length;
+        // Single-pass count instead of two .filter() calls
+        let wildcardCount = 0;
+        for (let k = 0; k < removedRules.length; k++) {
+          if (removedRules[k].matchType === 'wildcard') wildcardCount++;
+        }
+        const exactCount = removedRules.length - wildcardCount;
         
-        let cleanupMessage = `?? Removed ${removedRules.length} ignoreDomains rule(s) from ${safeGetDomain(result.url)} (final cleanup)`;
+        let cleanupMessage = '?? Removed ' + removedRules.length + ' ignoreDomains rule(s) from ' + safeGetDomain(result.url) + ' (final cleanup)';
         if (wildcardCount > 0) {
-          cleanupMessage += ` [${wildcardCount} wildcard, ${exactCount} exact]`;
+          cleanupMessage += ' [' + wildcardCount + ' wildcard, ' + exactCount + ' exact]';
         }
         
         if (messageColors && messageColors.cleanup) {
@@ -282,28 +320,18 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
         }
       }
       if (forceDebug) {
-        console.log(formatLogMessage('debug', `[ignoreDomains cleanup] Removed rules from ${result.url}:`));
-        removedRules.forEach((removed, idx) => {
-          console.log(formatLogMessage('debug', `  [${idx + 1}] ${removed.rule} (${removed.reason}) [${removed.matchType}]`));
-        });
+        console.log(formatLogMessage('debug', '[ignoreDomains cleanup] Removed rules from ' + result.url + ':'));
+        for (let k = 0; k < removedRules.length; k++) {
+          console.log(formatLogMessage('debug', '  [' + (k + 1) + '] ' + removedRules[k].rule + ' (' + removedRules[k].reason + ') [' + removedRules[k].matchType + ']'));
+        }
       }
     }
-  });
+  }
 
   // Summary
   if (totalRulesRemoved > 0 && !silentMode) {
-    const allRemovedRules = cleanedResults.reduce((acc, result) => {
-      if (result.removedIgnoreDomains) {
-        acc.push(...result.removedIgnoreDomains);
-      }
-      return acc;
-    }, []);
-    
-    const totalWildcardCount = allRemovedRules.filter(r => r.matchType === 'wildcard').length;
-    const totalExactCount = allRemovedRules.filter(r => r.matchType === 'exact').length;
-    
-    const summaryMessage = `\n?? ignoreDomains cleanup completed: Removed ${totalRulesRemoved} rules from ${sitesAffected} site(s)` +
-      (totalWildcardCount > 0 ? ` [${totalWildcardCount} wildcard patterns, ${totalExactCount} exact matches]` : '');
+    const summaryMessage = '\n?? ignoreDomains cleanup completed: Removed ' + totalRulesRemoved + ' rules from ' + sitesAffected + ' site(s)';
+
     if (messageColors && messageColors.cleanup) {
       console.log(messageColors.cleanup(summaryMessage));
     } else {
@@ -316,77 +344,6 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
   return cleanedResults;
 }
 
-/**
- * Enhanced domain extraction helper that reuses existing parsing logic
- * @param {string} rule - Rule string in various formats
- * @returns {string|null} Extracted domain or null if not found
- */
-function extractDomainFromRule(rule) {
-  if (!rule || typeof rule !== 'string') {
-    return null;
-  }
-
-  try {
-    // Reuse the existing parsing logic from cleanupFirstPartyDomains
-    let extractedDomain = null;
-    
-    if (rule.startsWith('||') && rule.includes('^')) {
-      // ||domain.com^ format (adblock)
-      const match = rule.match(/^\|\|([^/\^]+)/);
-      if (match) {
-        extractedDomain = match[1];
-      }
-    } else if (rule.startsWith('127.0.0.1 ') || rule.startsWith('0.0.0.0 ')) {
-      // hosts file format
-      const parts = rule.split(/\s+/);
-      if (parts.length >= 2) {
-        extractedDomain = parts[1];
-      }
-    } else if (rule.includes('local=/') && rule.includes('/')) {
-      // dnsmasq format: local=/domain.com/
-      const match = rule.match(/local=\/([^/]+)\//);
-      if (match) {
-        extractedDomain = match[1];
-      }
-    } else if (rule.includes('server=/') && rule.includes('/')) {
-      // dnsmasq old format: server=/domain.com/
-      const match = rule.match(/server=\/([^/]+)\//);
-      if (match) {
-        extractedDomain = match[1];
-      }
-    } else if (rule.includes('local-zone:') && rule.includes('always_null')) {
-      // unbound format: local-zone: "domain.com." always_null
-      const match = rule.match(/local-zone:\s*"([^"]+)\.?"/);
-      if (match) {
-        extractedDomain = match[1];
-      }
-    } else if (rule.includes('+block') && rule.includes('.')) {
-      // privoxy format: { +block } .domain.com
-      const match = rule.match(/\{\s*\+block\s*\}\s*\.?([^\s]+)/);
-      if (match) {
-        extractedDomain = match[1];
-      }
-    } else if (rule.match(/^\(\^\|\\\.\).*\\\.\w+\$$/)) {
-      // pi-hole regex format: (^|\.)domain\.com$
-      const match = rule.match(/^\(\^\|\\\.\)(.+)\\\.\w+\$$/);
-      if (match) {
-        // Unescape the domain
-        extractedDomain = match[1].replace(/\\\./g, '.');
-      }
-    } else {
-      // Try to extract any domain-like pattern as fallback
-      const domainMatch = rule.match(/([a-zA-Z0-9][a-zA-Z0-9.-]*\.[a-zA-Z]{2,})/);
-      if (domainMatch) {
-        extractedDomain = domainMatch[1];
-      }
-    }
-    
-    return extractedDomain;
-  } catch (parseErr) {
-    return null;
-  }
-}
-
 /**
  * Post-scan cleanup function to remove first-party domains from results
  * Only processes sites that have firstParty: false in their configuration
@@ -396,6 +353,7 @@ function extractDomainFromRule(rule) {
  * @param {Object} options - Options object
  * @param {boolean} options.forceDebug - Debug logging flag
  * @param {boolean} options.silentMode - Silent mode flag
+ * @param {Map} [options._urlToSiteConfig] - Pre-built URL mapping (internal optimization)
  * @returns {Array} Cleaned results with conditional first-party removal
  */
 function cleanupFirstPartyDomains(results, sites, options = {}) {
@@ -405,105 +363,44 @@ function cleanupFirstPartyDomains(results, sites, options = {}) {
     return results;
   }
 
-  // Build mapping of URLs to their site configs
-  const urlToSiteConfig = new Map();
-  sites.forEach(site => {
-    const urls = Array.isArray(site.url) ? site.url : [site.url];
-    urls.forEach(url => {
-      urlToSiteConfig.set(url, site);
-    });
-  });
+  // Use pre-built map if passed, otherwise build it
+  const urlToSiteConfig = options._urlToSiteConfig || buildUrlToSiteConfig(sites);
 
   const cleanedResults = [];
   let totalRulesRemoved = 0;
   let sitesAffected = 0;
 
-  results.forEach(result => {
-    // Find the site config for this result
+  for (let ri = 0; ri < results.length; ri++) {
+    const result = results[ri];
     const siteConfig = urlToSiteConfig.get(result.url);
-    
-    // Only clean if firstParty is explicitly set to false
     const shouldCleanFirstParty = siteConfig && siteConfig.firstParty === false;
     
     if (!shouldCleanFirstParty || !result.rules || result.rules.length === 0) {
       cleanedResults.push(result);
-      return;
+      continue;
     }
 
     if (forceDebug) {
-      console.log(formatLogMessage('debug', `[cleanup] Processing ${result.url} (firstParty: false detected)`));
+      console.log(formatLogMessage('debug', '[cleanup] Processing ' + result.url + ' (firstParty: false detected)'));
     }
 
-    // Get the scanned domain for this specific result
     const scannedDomain = safeGetDomain(result.url, false);
     if (!scannedDomain) {
       cleanedResults.push(result);
-      return;
+      continue;
     }
 
-    const originalRulesCount = result.rules.length;
     const cleanedRules = [];
     const removedRules = [];
 
-    // Filter out rules that match the scanned domain
-    result.rules.forEach(rule => {
-      let shouldRemove = false;
-      let extractedDomain = null;
+    for (let j = 0; j < result.rules.length; j++) {
+      const rule = result.rules[j];
+      let kept = true;
 
       try {
-        // Extract domain from different rule formats
-        if (rule.startsWith('||') && rule.includes('^')) {
-          // ||domain.com^ format (adblock)
-          const match = rule.match(/^\|\|([^/\^]+)/);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.startsWith('127.0.0.1 ') || rule.startsWith('0.0.0.0 ')) {
-          // hosts file format
-          const parts = rule.split(/\s+/);
-          if (parts.length >= 2) {
-            extractedDomain = parts[1];
-          }
-        } else if (rule.includes('local=/') && rule.includes('/')) {
-          // dnsmasq format: local=/domain.com/
-          const match = rule.match(/local=\/([^/]+)\//);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.includes('server=/') && rule.includes('/')) {
-          // dnsmasq old format: server=/domain.com/
-          const match = rule.match(/server=\/([^/]+)\//);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.includes('local-zone:') && rule.includes('always_null')) {
-          // unbound format: local-zone: "domain.com." always_null
-          const match = rule.match(/local-zone:\s*"([^"]+)\.?"/);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.includes('+block') && rule.includes('.')) {
-          // privoxy format: { +block } .domain.com
-          const match = rule.match(/\{\s*\+block\s*\}\s*\.?([^\s]+)/);
-          if (match) {
-            extractedDomain = match[1];
-          }
-        } else if (rule.match(/^\(\^\|\\\.\).*\\\.\w+\$$/)) {
-          // pi-hole regex format: (^|\.)domain\.com$
-          const match = rule.match(/^\(\^\|\\\.\)(.+)\\\.\w+\$$/);
-          if (match) {
-            // Unescape the domain
-            extractedDomain = match[1].replace(/\\\./g, '.');
-          }
-        } else {
-          // Try to extract any domain-like pattern as fallback
-          const domainMatch = rule.match(/([a-zA-Z0-9][a-zA-Z0-9.-]*\.[a-zA-Z]{2,})/);
-          if (domainMatch) {
-            extractedDomain = domainMatch[1];
-          }
-        }
+        // Use shared extractDomainFromRule (was duplicated inline)
+        const extractedDomain = extractDomainFromRule(rule);
 
-        // Check if extracted domain is a first-party domain
         if (extractedDomain) {
           const matchResult = shouldRemoveAsFirstParty(extractedDomain, scannedDomain, forceDebug);
           
@@ -512,35 +409,42 @@ function cleanupFirstPartyDomains(results, sites, options = {}) {
               rule: rule,
               domain: extractedDomain,
               rootDomain: scannedDomain,
-              reason: `First-party: ${matchResult.reason} (firstParty: false)`,
+              reason: 'First-party: ' + matchResult.reason + ' (firstParty: false)',
               matchType: matchResult.reason.includes('Wildcard') ? 'wildcard' : 'exact'
             });
-            return; // Exit early - rule should be removed
+            kept = false;
           }
         }
       } catch (parseErr) {
         if (forceDebug) {
-          console.log(formatLogMessage('debug', `[cleanup] Failed to parse rule: ${rule} - ${parseErr.message}`));
+          console.log(formatLogMessage('debug', '[cleanup] Failed to parse rule: ' + rule + ' - ' + parseErr.message));
         }
       }
 
-      // If we reach here, the rule should be kept
-      cleanedRules.push(rule);
-    });
+      if (kept) {
+        cleanedRules.push(rule);
+      }
+    }
 
-    cleanedResults.push({ ...result, rules: cleanedRules });
+    // Mutate rules directly instead of { ...result, rules: cleanedRules }
+    result.rules = cleanedRules;
+    cleanedResults.push(result);
 
     if (removedRules.length > 0) {
       sitesAffected++;
       totalRulesRemoved += removedRules.length;
       
       if (!silentMode) {
-        const wildcardCount = removedRules.filter(r => r.matchType === 'wildcard').length;
-        const exactCount = removedRules.filter(r => r.matchType === 'exact').length;
+        // Single-pass count
+        let wildcardCount = 0;
+        for (let k = 0; k < removedRules.length; k++) {
+          if (removedRules[k].matchType === 'wildcard') wildcardCount++;
+        }
+        const exactCount = removedRules.length - wildcardCount;
         
-        let cleanupMessage = `?? Cleaned ${removedRules.length} first-party rule(s) from ${scannedDomain} (firstParty: false)`;
+        let cleanupMessage = '?? Cleaned ' + removedRules.length + ' first-party rule(s) from ' + scannedDomain + ' (firstParty: false)';
         if (wildcardCount > 0) {
-          cleanupMessage += ` [${wildcardCount} wildcard, ${exactCount} exact]`;
+          cleanupMessage += ' [' + wildcardCount + ' wildcard, ' + exactCount + ' exact]';
         }
         if (messageColors && messageColors.cleanup) {
           console.log(messageColors.cleanup(cleanupMessage));
@@ -550,17 +454,17 @@ function cleanupFirstPartyDomains(results, sites, options = {}) {
       }
 
       if (forceDebug) {
-        console.log(formatLogMessage('debug', `[cleanup] Removed rules from ${result.url}:`));
-        removedRules.forEach((removed, idx) => {
-          console.log(formatLogMessage('debug', `  [${idx + 1}] ${removed.rule} (${removed.reason}) [${removed.matchType}]`));
-        });
+        console.log(formatLogMessage('debug', '[cleanup] Removed rules from ' + result.url + ':'));
+        for (let k = 0; k < removedRules.length; k++) {
+          console.log(formatLogMessage('debug', '  [' + (k + 1) + '] ' + removedRules[k].rule + ' (' + removedRules[k].reason + ') [' + removedRules[k].matchType + ']'));
+        }
       }
     }
-  });
+  }
 
   // Summary
   if (totalRulesRemoved > 0 && !silentMode) {
-    const summaryMessage = `\n?? First-party cleanup completed: Removed ${totalRulesRemoved} rules from ${sitesAffected} site(s) with firstParty: false`;
+    const summaryMessage = '\n?? First-party cleanup completed: Removed ' + totalRulesRemoved + ' rules from ' + sitesAffected + ' site(s) with firstParty: false';
     if (messageColors && messageColors.cleanup) {
       console.log(messageColors.cleanup(summaryMessage));
     } else {
@@ -592,47 +496,66 @@ function validateScanResults(results, options = {}) {
   let totalValidated = 0;
   let totalRemoved = 0;
 
-  const validatedResults = results.map(result => {
+  // Pre-strip wildcards from ignore patterns once (was done per rule per pattern)
+  let strippedIgnorePatterns = null;
+  if (ignoreDomains.length > 0) {
+    strippedIgnorePatterns = new Array(ignoreDomains.length);
+    for (let i = 0; i < ignoreDomains.length; i++) {
+      strippedIgnorePatterns[i] = ignoreDomains[i].replace('*', '');
+    }
+  }
+
+  for (let ri = 0; ri < results.length; ri++) {
+    const result = results[ri];
     if (!result.rules || result.rules.length === 0) {
-      return result;
+      continue;
     }
 
     const originalCount = result.rules.length;
-    const validRules = result.rules.filter(rule => {
-      // Basic validation - ensure rule isn't empty or malformed
+    const validRules = [];
+    
+    for (let j = 0; j < result.rules.length; j++) {
+      const rule = result.rules[j];
+      
+      // Basic validation
       if (!rule || typeof rule !== 'string' || rule.trim().length === 0) {
         if (forceDebug) {
-          console.log(formatLogMessage('debug', `[validation] Removed empty/invalid rule`));
+          console.log(formatLogMessage('debug', '[validation] Removed empty/invalid rule'));
         }
         totalRemoved++;
-        return false;
+        continue;
       }
 
-      // Check against ignore domains if provided
-      if (ignoreDomains.length > 0) {
-        for (const ignorePattern of ignoreDomains) {
-          if (rule.includes(ignorePattern.replace('*', ''))) {
+      // Check against stripped ignore patterns
+      let ignored = false;
+      if (strippedIgnorePatterns) {
+        for (let k = 0; k < strippedIgnorePatterns.length; k++) {
+          if (rule.includes(strippedIgnorePatterns[k])) {
             if (forceDebug) {
-              console.log(formatLogMessage('debug', `[validation] Removed rule matching ignore pattern: ${ignorePattern}`));
+              console.log(formatLogMessage('debug', '[validation] Removed rule matching ignore pattern: ' + ignoreDomains[k]));
             }
             totalRemoved++;
-            return false;
+            ignored = true;
+            break;
           }
         }
       }
 
-      return true;
-    });
+      if (!ignored) {
+        validRules.push(rule);
+      }
+    }
 
     totalValidated += originalCount;
-    return { ...result, rules: validRules };
-  });
+    // Mutate in place instead of spread
+    result.rules = validRules;
+  }
 
   if (forceDebug && totalRemoved > 0) {
-    console.log(formatLogMessage('debug', `[validation] Validated ${totalValidated} rules, removed ${totalRemoved} invalid rules`));
+    console.log(formatLogMessage('debug', '[validation] Validated ' + totalValidated + ' rules, removed ' + totalRemoved + ' invalid rules'));
   }
 
-  return validatedResults;
+  return results;
 }
 
 
@@ -643,6 +566,7 @@ function validateScanResults(results, options = {}) {
  * @param {Array} results - Array of scan results
  * @param {Array} sites - Array of site configurations  
  * @param {Object} options - Options object
+ * @param {Map} [options._urlToSiteConfig] - Pre-built URL mapping (internal optimization)
  * @returns {Array} Results with any remaining first-party domains removed
  */
 function finalFirstPartyValidation(results, sites, options = {}) {
@@ -652,64 +576,57 @@ function finalFirstPartyValidation(results, sites, options = {}) {
     return results;
   }
 
-  // Reuse the URL-to-config mapping pattern from cleanupFirstPartyDomains
-  const urlToSiteConfig = new Map();
-  sites.forEach(site => {
-    const urls = Array.isArray(site.url) ? site.url : [site.url];
-    urls.forEach(url => {
-      urlToSiteConfig.set(url, site);
-    });
-  });
+  // Use pre-built map if passed, otherwise build it
+  const urlToSiteConfig = options._urlToSiteConfig || buildUrlToSiteConfig(sites);
 
   const finalResults = [];
   let totalViolationsFound = 0;
   let sitesWithViolations = 0;
 
-  results.forEach(result => {
+  for (let ri = 0; ri < results.length; ri++) {
+    const result = results[ri];
     const siteConfig = urlToSiteConfig.get(result.url);
-    
-    // Only validate sites with firstParty: false
     const shouldValidate = siteConfig && siteConfig.firstParty === false;
     
     if (!shouldValidate || !result.rules || result.rules.length === 0) {
       finalResults.push(result);
-      return;
+      continue;
     }
 
     const scannedDomain = safeGetDomain(result.url, false);
     if (!scannedDomain) {
       finalResults.push(result);
-      return;
+      continue;
     }
 
-    // Reuse the same filtering logic pattern from cleanupFirstPartyDomains
     const cleanedRules = [];
     const violatingRules = [];
 
-    result.rules.forEach(rule => {
+    for (let j = 0; j < result.rules.length; j++) {
+      const rule = result.rules[j];
       const extractedDomain = extractDomainFromRule(rule);
+      
       if (extractedDomain) {
-        // Reuse the shouldRemoveAsFirstParty logic
         const matchResult = shouldRemoveAsFirstParty(extractedDomain, scannedDomain, forceDebug);
         
         if (matchResult.shouldRemove) {
           violatingRules.push({
             rule: rule,
             domain: extractedDomain,
-            reason: `VALIDATION FAILURE: ${matchResult.reason}`
+            reason: 'VALIDATION FAILURE: ' + matchResult.reason
           });
           totalViolationsFound++;
-          return;
+          continue;
         }
       }
       cleanedRules.push(rule);
-    });
+    }
 
     if (violatingRules.length > 0) {
       sitesWithViolations++;
       
       if (!silentMode) {
-        const errorMessage = `? CONFIG VIOLATION: Found ${violatingRules.length} first-party rule(s) in ${scannedDomain} (firstParty: false)`;
+        const errorMessage = '? CONFIG VIOLATION: Found ' + violatingRules.length + ' first-party rule(s) in ' + scannedDomain + ' (firstParty: false)';
         if (messageColors && messageColors.error) {
           console.log(messageColors.error(errorMessage));
         } else {
@@ -718,19 +635,21 @@ function finalFirstPartyValidation(results, sites, options = {}) {
       }
 
       if (forceDebug) {
-        console.log(formatLogMessage('debug', `[final-validation] Violations found for ${result.url}:`));
-        violatingRules.forEach((violation, idx) => {
-          console.log(formatLogMessage('debug', `  [${idx + 1}] ${violation.rule} -> ${violation.domain}`));
-        });
+        console.log(formatLogMessage('debug', '[final-validation] Violations found for ' + result.url + ':'));
+        for (let k = 0; k < violatingRules.length; k++) {
+          console.log(formatLogMessage('debug', '  [' + (k + 1) + '] ' + violatingRules[k].rule + ' -> ' + violatingRules[k].domain));
+        }
       }
     }
 
-    finalResults.push({ ...result, rules: cleanedRules });
-  });
+    // Mutate in place
+    result.rules = cleanedRules;
+    finalResults.push(result);
+  }
 
-  // Summary using existing message patterns
+  // Summary
   if (totalViolationsFound > 0 && !silentMode) {
-    const summaryMessage = `\n? SCAN FILTERING FAILURE: Removed ${totalViolationsFound} first-party rules from ${sitesWithViolations} site(s) in post-processing`;
+    const summaryMessage = '\n? SCAN FILTERING FAILURE: Removed ' + totalViolationsFound + ' first-party rules from ' + sitesWithViolations + ' site(s) in post-processing';
     console.log(summaryMessage);
     console.log('??  This indicates firstParty: false filtering failed during scan - consider investigating root cause.');
   } else if (forceDebug) {
@@ -755,24 +674,31 @@ function processResults(results, sites, options = {}) {
   const { forceDebug = false, silentMode = false } = options;
   
   if (forceDebug) {
-    console.log(formatLogMessage('debug', `[post-processing] Starting post-processing of ${results.length} results`));
+    console.log(formatLogMessage('debug', '[post-processing] Starting post-processing of ' + results.length + ' results'));
   }
 
+  // Build URL-to-config map once, share across all steps
+  const urlToSiteConfig = buildUrlToSiteConfig(sites);
+  const sharedOptions = Object.assign({}, options, { _urlToSiteConfig: urlToSiteConfig });
+
   // Step 1: Clean up first-party domains
-  let processedResults = cleanupFirstPartyDomains(results, sites, options);
+  let processedResults = cleanupFirstPartyDomains(results, sites, sharedOptions);
   
   // Step 2: Clean up ignoreDomains (final safety net)
   processedResults = cleanupIgnoreDomains(processedResults, options.ignoreDomains || [], options);
   
   // Step 3: Final validation for firstParty: false configurations
-  processedResults = finalFirstPartyValidation(processedResults, sites, options);
+  processedResults = finalFirstPartyValidation(processedResults, sites, sharedOptions);
 
   // Step 4: Validate results
   processedResults = validateScanResults(processedResults, options);
   
   if (forceDebug) {
-    const totalRules = processedResults.reduce((sum, r) => sum + (r.rules ? r.rules.length : 0), 0);
-    console.log(formatLogMessage('debug', `[post-processing] Completed: ${totalRules} total rules remaining`));
+    let totalRules = 0;
+    for (let i = 0; i < processedResults.length; i++) {
+      totalRules += processedResults[i].rules ? processedResults[i].rules.length : 0;
+    }
+    console.log(formatLogMessage('debug', '[post-processing] Completed: ' + totalRules + ' total rules remaining'));
   }
 
   return processedResults;
@@ -785,4 +711,4 @@ module.exports = {
   extractDomainFromRule,
   validateScanResults,
   processResults
-};
+};