@fanboynz/network-scanner 2.0.66 → 3.0.0

package/lib/post-processing.js

@@ -10,23 +10,48 @@ const REGEX_DNSMASQ_LOCAL = /local=\/([^/]+)\//;
 const REGEX_DNSMASQ_SERVER = /server=\/([^/]+)\//;
 const REGEX_UNBOUND = /local-zone:\s*"([^"]+)\.?"/;
 const REGEX_PRIVOXY = /\{\s*\+block\s*\}\s*\.?([^\s]+)/;
-const REGEX_PIHOLE = /^\(\^\|\\\.\)(.+)\\\.\w+\$$/;
+// Pi-hole prefix detect + strip (tolerates optional backslash before the dot,
+// matching how output.js writes both). The old single-regex with a trailing
+// `\.\w+$` was capturing everything up to (but not including) the TLD, so
+// 'example.com' came out as 'example' and downstream filters never matched.
+const REGEX_PIHOLE_PREFIX = /^\(\^\|\\?\.\)/;
+const REGEX_TRAILING_DOLLAR = /\$$/;
 const REGEX_DOMAIN_FALLBACK = /([a-zA-Z0-9][a-zA-Z0-9.-]*\.[a-zA-Z]{2,})/;
 const REGEX_WHITESPACE = /\s+/;
 const REGEX_UNESCAPE_DOT = /\\\./g;
+// Regex meta-chars we must escape in a wildcard pattern before turning '*'
+// into '.*'. Without this, a pattern like 'foo+bar.com' would treat '+' as
+// a quantifier, and 'foo(bar.com' would throw on RegExp construction.
+const REGEX_META_ESCAPE = /[.+?^${}()|[\]\\]/g;
+// Sentinel regex that never matches — used when a pattern is so malformed
+// that even our escaped version fails to compile.
+const NEVER_MATCH = /(?!)/;
 
 // Cache for compiled wildcard regex patterns
 const wildcardRegexCache = new Map();
 
 /**
- * Get or compile a wildcard pattern regex (cached)
+ * Get or compile a wildcard pattern regex (cached). Escapes every regex
+ * metacharacter except '*' before turning '*' into '.*'. The previous
+ * version only escaped '.', so patterns with '+', '(', '[', etc. would
+ * either silently misbehave or throw synchronously out of the caller.
  * @param {string} pattern - Wildcard pattern string
  * @returns {RegExp} Compiled regex
  */
 function getWildcardRegex(pattern) {
   let regex = wildcardRegexCache.get(pattern);
   if (!regex) {
-    regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
+    try {
+      regex = new RegExp(
+        '^' +
+        pattern.replace(REGEX_META_ESCAPE, '\\$&').replace(/\*/g, '.*') +
+        '$'
+      );
+    } catch (_) {
+      // Defensive belt-and-braces: a still-malformed pattern becomes
+      // never-match instead of crashing the calling cleanup loop.
+      regex = NEVER_MATCH;
+    }
     wildcardRegexCache.set(pattern, regex);
     // Cap cache size
     if (wildcardRegexCache.size > 200) {
@@ -56,6 +81,24 @@ function safeGetDomain(url, getFullHostname = false) {
   }
 }
 
+/**
+ * Extract the registrable root domain from an already-parsed hostname,
+ * skipping the URL-parse round-trip that safeGetDomain pays. Use when the
+ * caller already knows the input is a bare hostname (no scheme, path, port).
+ * @param {string} hostname - Bare hostname (e.g. 'sub.example.com')
+ * @returns {string} Registrable root domain ('example.com'), or hostname back
+ *   on psl parse failure, or '' on bad input
+ */
+function getDomainFromHostname(hostname) {
+  if (!hostname || typeof hostname !== 'string') return '';
+  try {
+    const parsed = psl.parse(hostname);
+    return parsed.domain || hostname;
+  } catch (_) {
+    return '';
+  }
+}
+
 /**
  * Enhanced domain extraction helper - single source of truth for all rule formats
  * (Was duplicated inline in cleanupIgnoreDomains and cleanupFirstPartyDomains)
@@ -105,10 +148,15 @@ function extractDomainFromRule(rule) {
     return match ? match[1] : null;
   }
 
-  // Pi-hole regex: (^|\.)domain\.com$ -- single match (was tested then matched separately)
-  if (rule.charCodeAt(0) === 40) { // '('
-    const match = REGEX_PIHOLE.exec(rule);
-    return match ? match[1].replace(REGEX_UNESCAPE_DOT, '.') : null;
+  // Pi-hole regex: (^|\.)domain\.com$
+  // Strip the leading '(^|\.)' (or '(^|.)') prefix, unescape '\.' to '.',
+  // and drop the trailing '$'. Matches output.js's extractDomainFromRule
+  // shape — the old regex-based capture here lost the TLD.
+  if (rule.charCodeAt(0) === 40 && REGEX_PIHOLE_PREFIX.test(rule)) { // '('
+    return rule
+      .replace(REGEX_PIHOLE_PREFIX, '')
+      .replace(REGEX_UNESCAPE_DOT, '.')
+      .replace(REGEX_TRAILING_DOLLAR, '');
   }
 
   // Fallback: any domain-like pattern
@@ -125,43 +173,57 @@ function extractDomainFromRule(rule) {
  */
 function shouldIgnoreAsIgnoreDomain(domain, ignorePatterns, forceDebug) {
   if (!domain || !ignorePatterns || ignorePatterns.length === 0) {
-    return { shouldIgnore: false, reason: 'No ignore patterns' };
+    return { shouldIgnore: false, reason: 'No ignore patterns', matchType: null };
   }
 
+  // domain is loop-invariant — its registrable root only needs computing once
+  // (and only if at least one '*.' pattern is encountered). Previously we
+  // called getDomainFromHostname(domain) once per '*.'-shaped pattern.
+  let domainRoot = null;
+  let domainRootComputed = false;
+
   for (let i = 0; i < ignorePatterns.length; i++) {
     const pattern = ignorePatterns[i];
     if (pattern.includes('*')) {
       if (pattern.startsWith('*.')) {
-        // Pattern: *.example.com
+        // Pattern: *.example.com — both sides are already bare hostnames,
+        // skip the 'http://' wrap + URL parse.
         const wildcardDomain = pattern.substring(2);
-        const wildcardRoot = safeGetDomain('http://' + wildcardDomain, false);
-        const domainRoot = safeGetDomain('http://' + domain, false);
-        
+        const wildcardRoot = getDomainFromHostname(wildcardDomain);
+        if (!domainRootComputed) {
+          domainRoot = getDomainFromHostname(domain);
+          domainRootComputed = true;
+        }
+
         if (wildcardRoot === domainRoot) {
-          return { shouldIgnore: true, reason: 'Matches wildcard ignore pattern: ' + pattern };
+          if (forceDebug) console.log(formatLogMessage('debug', '[ignoreDomains] ' + domain + ' matches wildcard pattern ' + pattern + ' (root=' + wildcardRoot + ')'));
+          return { shouldIgnore: true, reason: 'Matches wildcard ignore pattern: ' + pattern, matchType: 'wildcard' };
         }
       } else if (pattern.endsWith('.*')) {
         // Pattern: example.*
         const baseDomain = pattern.slice(0, -2);
         if (domain.startsWith(baseDomain + '.')) {
-          return { shouldIgnore: true, reason: 'Matches wildcard TLD ignore pattern: ' + pattern };
+          if (forceDebug) console.log(formatLogMessage('debug', '[ignoreDomains] ' + domain + ' matches TLD-wildcard pattern ' + pattern));
+          return { shouldIgnore: true, reason: 'Matches wildcard TLD ignore pattern: ' + pattern, matchType: 'wildcard' };
         }
       } else {
         // Complex wildcard -- use cached regex
         const wildcardRegex = getWildcardRegex(pattern);
         if (wildcardRegex.test(domain)) {
-          return { shouldIgnore: true, reason: 'Matches complex wildcard ignore pattern: ' + pattern };
+          if (forceDebug) console.log(formatLogMessage('debug', '[ignoreDomains] ' + domain + ' matches complex wildcard pattern ' + pattern));
+          return { shouldIgnore: true, reason: 'Matches complex wildcard ignore pattern: ' + pattern, matchType: 'wildcard' };
         }
       }
     } else {
       // Exact pattern matching
       if (domain === pattern || domain.endsWith('.' + pattern)) {
-        return { shouldIgnore: true, reason: 'Matches exact ignore pattern: ' + pattern };
+        if (forceDebug) console.log(formatLogMessage('debug', '[ignoreDomains] ' + domain + ' matches exact pattern ' + pattern));
+        return { shouldIgnore: true, reason: 'Matches exact ignore pattern: ' + pattern, matchType: 'exact' };
       }
     }
   }
 
-  return { shouldIgnore: false, reason: 'No ignore pattern matches' };
+  return { shouldIgnore: false, reason: 'No ignore pattern matches', matchType: null };
 }
 
 /**
@@ -173,38 +235,43 @@ function shouldIgnoreAsIgnoreDomain(domain, ignorePatterns, forceDebug) {
  */
 function shouldRemoveAsFirstParty(extractedDomain, scannedRootDomain, forceDebug) {
   if (!extractedDomain || !scannedRootDomain) {
-    return { shouldRemove: false, reason: 'Missing domain data' };
+    return { shouldRemove: false, reason: 'Missing domain data', matchType: null };
   }
 
   if (extractedDomain.includes('*')) {
     if (extractedDomain.startsWith('*.')) {
       const wildcardDomain = extractedDomain.substring(2);
-      const wildcardRoot = safeGetDomain('http://' + wildcardDomain, false);
-      
+      const wildcardRoot = getDomainFromHostname(wildcardDomain);
+
       if (wildcardRoot === scannedRootDomain) {
-        return { shouldRemove: true, reason: 'Wildcard subdomain pattern matches root domain (*.' + wildcardRoot + ')' };
+        if (forceDebug) console.log(formatLogMessage('debug', '[firstParty] ' + extractedDomain + ' matches root domain via wildcard subdomain (*.' + wildcardRoot + ')'));
+        return { shouldRemove: true, reason: 'Wildcard subdomain pattern matches root domain (*.' + wildcardRoot + ')', matchType: 'wildcard' };
       }
     } else if (extractedDomain.endsWith('.*')) {
       const baseDomain = extractedDomain.slice(0, -2);
       if (scannedRootDomain.startsWith(baseDomain + '.')) {
-        return { shouldRemove: true, reason: 'Wildcard TLD pattern matches base domain (' + baseDomain + '.*)' };
+        if (forceDebug) console.log(formatLogMessage('debug', '[firstParty] ' + extractedDomain + ' matches root domain via TLD-wildcard (' + baseDomain + '.*)'));
+        return { shouldRemove: true, reason: 'Wildcard TLD pattern matches base domain (' + baseDomain + '.*)', matchType: 'wildcard' };
       }
     } else {
       // Complex wildcard -- use cached regex
       const wildcardRegex = getWildcardRegex(extractedDomain);
       if (wildcardRegex.test(scannedRootDomain)) {
-        return { shouldRemove: true, reason: 'Complex wildcard pattern matches root domain (' + extractedDomain + ')' };
+        if (forceDebug) console.log(formatLogMessage('debug', '[firstParty] ' + extractedDomain + ' matches root domain via complex wildcard'));
+        return { shouldRemove: true, reason: 'Complex wildcard pattern matches root domain (' + extractedDomain + ')', matchType: 'wildcard' };
       }
     }
   }
 
-  // Standard exact root domain matching
-  const extractedRoot = safeGetDomain('http://' + extractedDomain, false);
+  // Standard exact root domain matching — extractedDomain is already a bare
+  // hostname out of extractDomainFromRule.
+  const extractedRoot = getDomainFromHostname(extractedDomain);
   if (extractedRoot === scannedRootDomain) {
-    return { shouldRemove: true, reason: 'Exact root domain match (' + extractedRoot + ')' };
+    if (forceDebug) console.log(formatLogMessage('debug', '[firstParty] ' + extractedDomain + ' matches root domain ' + scannedRootDomain + ' exactly (root=' + extractedRoot + ')'));
+    return { shouldRemove: true, reason: 'Exact root domain match (' + extractedRoot + ')', matchType: 'exact' };
   }
 
-  return { shouldRemove: false, reason: 'No first-party match detected' };
+  return { shouldRemove: false, reason: 'No first-party match detected', matchType: null };
 }
 
 /**
@@ -246,19 +313,27 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
     console.log(formatLogMessage('debug', '[ignoreDomains cleanup] Processing ' + results.length + ' results against ' + ignoreDomains.length + ' ignore patterns'));
   }
 
-  const cleanedResults = [];
+  // We mutate result.rules in place and return `results` directly — the
+  // previous version allocated a separate cleanedResults array but pushed
+  // every original result reference into it unchanged, which was pure waste
+  // (and gave callers a false sense of immutability when the input was
+  // being mutated anyway).
   let totalRulesRemoved = 0;
   let sitesAffected = 0;
+  // The per-rule detail objects in removedRules are only consumed by the
+  // forceDebug per-rule list — skip allocating them on the silent/non-debug
+  // path. Counts (wildcard/exact) are tracked separately because the
+  // !silentMode summary still needs them.
+  const needsDetails = forceDebug;
 
   for (let ri = 0; ri < results.length; ri++) {
     const result = results[ri];
-    if (!result.rules || result.rules.length === 0) {
-      cleanedResults.push(result);
-      continue;
-    }
+    if (!result.rules || result.rules.length === 0) continue;
 
     const cleanedRules = [];
-    const removedRules = [];
+    const removedRules = needsDetails ? [] : null;
+    let removedCount = 0;
+    let wildcardCount = 0;
 
     for (let j = 0; j < result.rules.length; j++) {
       const rule = result.rules[j];
@@ -267,17 +342,21 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
       try {
         // Use shared extractDomainFromRule (was duplicated inline)
         const extractedDomain = extractDomainFromRule(rule);
-        
+
         if (extractedDomain) {
           const ignoreResult = shouldIgnoreAsIgnoreDomain(extractedDomain, ignoreDomains, forceDebug);
-          
+
           if (ignoreResult.shouldIgnore) {
-            removedRules.push({
-              rule: rule,
-              domain: extractedDomain,
-              reason: 'ignoreDomains: ' + ignoreResult.reason,
-              matchType: ignoreResult.reason.includes('wildcard') ? 'wildcard' : 'exact'
-            });
+            removedCount++;
+            if (ignoreResult.matchType === 'wildcard') wildcardCount++;
+            if (needsDetails) {
+              removedRules.push({
+                rule: rule,
+                domain: extractedDomain,
+                reason: 'ignoreDomains: ' + ignoreResult.reason,
+                matchType: ignoreResult.matchType
+              });
+            }
             kept = false;
           }
         }
@@ -294,25 +373,18 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
 
     // Mutate rules directly instead of spreading entire result object
     result.rules = cleanedRules;
-    cleanedResults.push(result);
 
-    if (removedRules.length > 0) {
+    if (removedCount > 0) {
       sitesAffected++;
-      totalRulesRemoved += removedRules.length;
-      
+      totalRulesRemoved += removedCount;
+
       if (!silentMode) {
-        // Single-pass count instead of two .filter() calls
-        let wildcardCount = 0;
-        for (let k = 0; k < removedRules.length; k++) {
-          if (removedRules[k].matchType === 'wildcard') wildcardCount++;
-        }
-        const exactCount = removedRules.length - wildcardCount;
-        
-        let cleanupMessage = '?? Removed ' + removedRules.length + ' ignoreDomains rule(s) from ' + safeGetDomain(result.url) + ' (final cleanup)';
+        const exactCount = removedCount - wildcardCount;
+        let cleanupMessage = 'Removed ' + removedCount + ' ignoreDomains rule(s) from ' + safeGetDomain(result.url) + ' (final cleanup)';
         if (wildcardCount > 0) {
           cleanupMessage += ' [' + wildcardCount + ' wildcard, ' + exactCount + ' exact]';
         }
-        
+
         if (messageColors && messageColors.cleanup) {
           console.log(messageColors.cleanup(cleanupMessage));
         } else {
@@ -328,9 +400,11 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
     }
   }
 
-  // Summary
+  // Summary. When silentMode hides the visible message but rules WERE
+  // removed, the debug log used to claim "no rules found" — fixed by
+  // gating the "no rules" message on the actual count.
   if (totalRulesRemoved > 0 && !silentMode) {
-    const summaryMessage = '\n?? ignoreDomains cleanup completed: Removed ' + totalRulesRemoved + ' rules from ' + sitesAffected + ' site(s)';
+    const summaryMessage = '\nignoreDomains cleanup completed: Removed ' + totalRulesRemoved + ' rules from ' + sitesAffected + ' site(s)';
 
     if (messageColors && messageColors.cleanup) {
       console.log(messageColors.cleanup(summaryMessage));
@@ -338,10 +412,12 @@ function cleanupIgnoreDomains(results, ignoreDomains, options = {}) {
       console.log(summaryMessage);
     }
   } else if (forceDebug) {
-    console.log(formatLogMessage('debug', '[ignoreDomains cleanup] No ignoreDomains rules found to remove'));
+    console.log(formatLogMessage('debug', totalRulesRemoved > 0
+      ? '[ignoreDomains cleanup] (silentMode) Removed ' + totalRulesRemoved + ' rules from ' + sitesAffected + ' site(s)'
+      : '[ignoreDomains cleanup] No ignoreDomains rules found to remove'));
   }
 
-  return cleanedResults;
+  return results;
 }
 
 /**
@@ -366,32 +442,29 @@ function cleanupFirstPartyDomains(results, sites, options = {}) {
   // Use pre-built map if passed, otherwise build it
   const urlToSiteConfig = options._urlToSiteConfig || buildUrlToSiteConfig(sites);
 
-  const cleanedResults = [];
+  // Mutate result.rules in place; return `results` directly.
   let totalRulesRemoved = 0;
   let sitesAffected = 0;
+  const needsDetails = forceDebug;
 
   for (let ri = 0; ri < results.length; ri++) {
     const result = results[ri];
     const siteConfig = urlToSiteConfig.get(result.url);
     const shouldCleanFirstParty = siteConfig && siteConfig.firstParty === false;
-    
-    if (!shouldCleanFirstParty || !result.rules || result.rules.length === 0) {
-      cleanedResults.push(result);
-      continue;
-    }
+
+    if (!shouldCleanFirstParty || !result.rules || result.rules.length === 0) continue;
 
     if (forceDebug) {
       console.log(formatLogMessage('debug', '[cleanup] Processing ' + result.url + ' (firstParty: false detected)'));
     }
 
     const scannedDomain = safeGetDomain(result.url, false);
-    if (!scannedDomain) {
-      cleanedResults.push(result);
-      continue;
-    }
+    if (!scannedDomain) continue;
 
     const cleanedRules = [];
-    const removedRules = [];
+    const removedRules = needsDetails ? [] : null;
+    let removedCount = 0;
+    let wildcardCount = 0;
 
     for (let j = 0; j < result.rules.length; j++) {
       const rule = result.rules[j];
@@ -403,15 +476,19 @@ function cleanupFirstPartyDomains(results, sites, options = {}) {
 
         if (extractedDomain) {
           const matchResult = shouldRemoveAsFirstParty(extractedDomain, scannedDomain, forceDebug);
-          
+
           if (matchResult.shouldRemove) {
-            removedRules.push({
-              rule: rule,
-              domain: extractedDomain,
-              rootDomain: scannedDomain,
-              reason: 'First-party: ' + matchResult.reason + ' (firstParty: false)',
-              matchType: matchResult.reason.includes('Wildcard') ? 'wildcard' : 'exact'
-            });
+            removedCount++;
+            if (matchResult.matchType === 'wildcard') wildcardCount++;
+            if (needsDetails) {
+              removedRules.push({
+                rule: rule,
+                domain: extractedDomain,
+                rootDomain: scannedDomain,
+                reason: 'First-party: ' + matchResult.reason + ' (firstParty: false)',
+                matchType: matchResult.matchType
+              });
+            }
             kept = false;
           }
         }
@@ -428,21 +505,14 @@ function cleanupFirstPartyDomains(results, sites, options = {}) {
 
     // Mutate rules directly instead of { ...result, rules: cleanedRules }
     result.rules = cleanedRules;
-    cleanedResults.push(result);
 
-    if (removedRules.length > 0) {
+    if (removedCount > 0) {
       sitesAffected++;
-      totalRulesRemoved += removedRules.length;
-      
+      totalRulesRemoved += removedCount;
+
       if (!silentMode) {
-        // Single-pass count
-        let wildcardCount = 0;
-        for (let k = 0; k < removedRules.length; k++) {
-          if (removedRules[k].matchType === 'wildcard') wildcardCount++;
-        }
-        const exactCount = removedRules.length - wildcardCount;
-        
-        let cleanupMessage = '?? Cleaned ' + removedRules.length + ' first-party rule(s) from ' + scannedDomain + ' (firstParty: false)';
+        const exactCount = removedCount - wildcardCount;
+        let cleanupMessage = 'Cleaned ' + removedCount + ' first-party rule(s) from ' + scannedDomain + ' (firstParty: false)';
         if (wildcardCount > 0) {
           cleanupMessage += ' [' + wildcardCount + ' wildcard, ' + exactCount + ' exact]';
         }
@@ -462,49 +532,52 @@ function cleanupFirstPartyDomains(results, sites, options = {}) {
     }
   }
 
-  // Summary
+  // Summary (see ignoreDomains cleanup for the silentMode/forceDebug gating logic).
   if (totalRulesRemoved > 0 && !silentMode) {
-    const summaryMessage = '\n?? First-party cleanup completed: Removed ' + totalRulesRemoved + ' rules from ' + sitesAffected + ' site(s) with firstParty: false';
+    const summaryMessage = '\nFirst-party cleanup completed: Removed ' + totalRulesRemoved + ' rules from ' + sitesAffected + ' site(s) with firstParty: false';
     if (messageColors && messageColors.cleanup) {
       console.log(messageColors.cleanup(summaryMessage));
     } else {
       console.log(summaryMessage);
     }
   } else if (forceDebug) {
-    console.log(formatLogMessage('debug', '[cleanup] No first-party rules found to remove'));
+    console.log(formatLogMessage('debug', totalRulesRemoved > 0
+      ? '[cleanup] (silentMode) Removed ' + totalRulesRemoved + ' first-party rules from ' + sitesAffected + ' site(s)'
+      : '[cleanup] No first-party rules found to remove'));
   }
 
-  return cleanedResults;
+  return results;
 }
 
 /**
- * Validates scan results and removes any obvious false positives
- * 
+ * Validates scan results and prunes structurally invalid rules
+ * (empty strings, non-strings, whitespace-only). Does NOT filter by
+ * ignoreDomains — that's cleanupIgnoreDomains's job and it runs earlier.
+ *
  * @param {Array} results - Array of scan results
  * @param {Object} options - Options object
  * @param {boolean} options.forceDebug - Debug logging flag
- * @param {Array} options.ignoreDomains - Domains to ignore
  * @returns {Array} Validated results
  */
 function validateScanResults(results, options = {}) {
-  const { forceDebug = false, ignoreDomains = [] } = options;
-  
+  const { forceDebug = false } = options;
+
   if (!results || results.length === 0) {
     return results;
   }
 
+  // NOTE: this function used to also filter rules whose text contained any
+  // wildcard-stripped ignoreDomains pattern as a literal substring. Two bugs
+  // stacked: (a) .replace('*', '') only stripped the FIRST '*' (so '*.x.*'
+  // stayed wildcarded), (b) substring matching was semantically wrong — a
+  // pattern of 'ads' would silently kill any rule containing 'headstart'.
+  // cleanupIgnoreDomains already runs before this step with the correct
+  // extract-and-match logic, so the ignore-pattern branch here is both
+  // redundant AND unsafe. Now this function does only what it should: prune
+  // structurally invalid rules.
   let totalValidated = 0;
   let totalRemoved = 0;
 
-  // Pre-strip wildcards from ignore patterns once (was done per rule per pattern)
-  let strippedIgnorePatterns = null;
-  if (ignoreDomains.length > 0) {
-    strippedIgnorePatterns = new Array(ignoreDomains.length);
-    for (let i = 0; i < ignoreDomains.length; i++) {
-      strippedIgnorePatterns[i] = ignoreDomains[i].replace('*', '');
-    }
-  }
-
   for (let ri = 0; ri < results.length; ri++) {
     const result = results[ri];
     if (!result.rules || result.rules.length === 0) {
@@ -513,11 +586,9 @@ function validateScanResults(results, options = {}) {
 
     const originalCount = result.rules.length;
     const validRules = [];
-    
+
     for (let j = 0; j < result.rules.length; j++) {
       const rule = result.rules[j];
-      
-      // Basic validation
       if (!rule || typeof rule !== 'string' || rule.trim().length === 0) {
         if (forceDebug) {
           console.log(formatLogMessage('debug', '[validation] Removed empty/invalid rule'));
@@ -525,29 +596,10 @@ function validateScanResults(results, options = {}) {
         totalRemoved++;
         continue;
       }
-
-      // Check against stripped ignore patterns
-      let ignored = false;
-      if (strippedIgnorePatterns) {
-        for (let k = 0; k < strippedIgnorePatterns.length; k++) {
-          if (rule.includes(strippedIgnorePatterns[k])) {
-            if (forceDebug) {
-              console.log(formatLogMessage('debug', '[validation] Removed rule matching ignore pattern: ' + ignoreDomains[k]));
-            }
-            totalRemoved++;
-            ignored = true;
-            break;
-          }
-        }
-      }
-
-      if (!ignored) {
-        validRules.push(rule);
-      }
+      validRules.push(rule);
     }
 
     totalValidated += originalCount;
-    // Mutate in place instead of spread
     result.rules = validRules;
   }
 
@@ -579,54 +631,53 @@ function finalFirstPartyValidation(results, sites, options = {}) {
   // Use pre-built map if passed, otherwise build it
   const urlToSiteConfig = options._urlToSiteConfig || buildUrlToSiteConfig(sites);
 
-  const finalResults = [];
+  // Mutate result.rules in place; return `results` directly.
   let totalViolationsFound = 0;
   let sitesWithViolations = 0;
+  const needsDetails = forceDebug;
 
   for (let ri = 0; ri < results.length; ri++) {
     const result = results[ri];
     const siteConfig = urlToSiteConfig.get(result.url);
     const shouldValidate = siteConfig && siteConfig.firstParty === false;
-    
-    if (!shouldValidate || !result.rules || result.rules.length === 0) {
-      finalResults.push(result);
-      continue;
-    }
+
+    if (!shouldValidate || !result.rules || result.rules.length === 0) continue;
 
     const scannedDomain = safeGetDomain(result.url, false);
-    if (!scannedDomain) {
-      finalResults.push(result);
-      continue;
-    }
+    if (!scannedDomain) continue;
 
     const cleanedRules = [];
-    const violatingRules = [];
+    const violatingRules = needsDetails ? [] : null;
+    let violationCount = 0;
 
     for (let j = 0; j < result.rules.length; j++) {
       const rule = result.rules[j];
       const extractedDomain = extractDomainFromRule(rule);
-      
+
       if (extractedDomain) {
         const matchResult = shouldRemoveAsFirstParty(extractedDomain, scannedDomain, forceDebug);
-        
+
         if (matchResult.shouldRemove) {
-          violatingRules.push({
-            rule: rule,
-            domain: extractedDomain,
-            reason: 'VALIDATION FAILURE: ' + matchResult.reason
-          });
+          violationCount++;
           totalViolationsFound++;
+          if (needsDetails) {
+            violatingRules.push({
+              rule: rule,
+              domain: extractedDomain,
+              reason: 'VALIDATION FAILURE: ' + matchResult.reason
+            });
+          }
           continue;
         }
       }
       cleanedRules.push(rule);
     }
 
-    if (violatingRules.length > 0) {
+    if (violationCount > 0) {
       sitesWithViolations++;
-      
+
       if (!silentMode) {
-        const errorMessage = '? CONFIG VIOLATION: Found ' + violatingRules.length + ' first-party rule(s) in ' + scannedDomain + ' (firstParty: false)';
+        const errorMessage = 'CONFIG VIOLATION: Found ' + violationCount + ' first-party rule(s) in ' + scannedDomain + ' (firstParty: false)';
         if (messageColors && messageColors.error) {
           console.log(messageColors.error(errorMessage));
         } else {
@@ -644,19 +695,20 @@ function finalFirstPartyValidation(results, sites, options = {}) {
 
     // Mutate in place
     result.rules = cleanedRules;
-    finalResults.push(result);
   }
 
-  // Summary
+  // Summary (see ignoreDomains cleanup for the silentMode/forceDebug gating logic).
   if (totalViolationsFound > 0 && !silentMode) {
-    const summaryMessage = '\n? SCAN FILTERING FAILURE: Removed ' + totalViolationsFound + ' first-party rules from ' + sitesWithViolations + ' site(s) in post-processing';
+    const summaryMessage = '\nSCAN FILTERING FAILURE: Removed ' + totalViolationsFound + ' first-party rules from ' + sitesWithViolations + ' site(s) in post-processing';
     console.log(summaryMessage);
-    console.log('??  This indicates firstParty: false filtering failed during scan - consider investigating root cause.');
+    console.log('This indicates firstParty: false filtering failed during scan - consider investigating root cause.');
   } else if (forceDebug) {
-    console.log(formatLogMessage('debug', '[final-validation] No first-party violations found - filtering working correctly'));
+    console.log(formatLogMessage('debug', totalViolationsFound > 0
+      ? '[final-validation] (silentMode) Removed ' + totalViolationsFound + ' first-party violations from ' + sitesWithViolations + ' site(s)'
+      : '[final-validation] No first-party violations found - filtering working correctly'));
   }
 
-  return finalResults;
+  return results;
 }
 
 /**
@@ -683,15 +735,17 @@ function processResults(results, sites, options = {}) {
 
   // Step 1: Clean up first-party domains
   let processedResults = cleanupFirstPartyDomains(results, sites, sharedOptions);
-  
-  // Step 2: Clean up ignoreDomains (final safety net)
-  processedResults = cleanupIgnoreDomains(processedResults, options.ignoreDomains || [], options);
-  
+
+  // Step 2: Clean up ignoreDomains (final safety net). sharedOptions carries
+  // _urlToSiteConfig which this step ignores, but using sharedOptions keeps
+  // the four calls visually consistent.
+  processedResults = cleanupIgnoreDomains(processedResults, options.ignoreDomains || [], sharedOptions);
+
   // Step 3: Final validation for firstParty: false configurations
   processedResults = finalFirstPartyValidation(processedResults, sites, sharedOptions);
 
   // Step 4: Validate results
-  processedResults = validateScanResults(processedResults, options);
+  processedResults = validateScanResults(processedResults, sharedOptions);
   
   if (forceDebug) {
     let totalRules = 0;