@fanboynz/network-scanner 2.0.66 → 3.0.0

package/lib/spawn-async.js

@@ -0,0 +1,137 @@
+// === Shared async-spawn helper ===
+// Single canonical implementation of "spawn an external command, collect
+// stdout/stderr with hard caps, enforce a kill timeout" — extracted from
+// what used to be ~400 lines of near-identical Promise wrappers across
+// lib/curl.js, lib/searchstring.js, and lib/grep.js (two sites in the
+// latter). Each caller previously had its own copy of the same pattern:
+// truncate-on-cap, SIGKILL belt-and-braces timer, stdout buffer concat,
+// error/close handlers.
+//
+// Design notes:
+// - Resolves (never rejects). Callers inspect the result object to
+//   distinguish failure modes instead of needing try/catch. Pre-existing
+//   call sites all converted failure into a result-object anyway —
+//   this just standardizes the shape.
+// - stdout/stderr returned as Buffer so the caller decides decoding
+//   (curl's `--write-out` metadata is line-oriented and tolerant of
+//   UTF-8 decoding mid-multibyte; binary HTTP responses are not).
+// - lib/wireguard_vpn.js intentionally stays on spawnSync — its calls
+//   are startup-only (validation, health check) and the synchronous
+//   semantics are simpler. Not all spawn calls benefit from async.
+
+const { spawn } = require('child_process');
+
+const DEFAULT_TIMEOUT_MS = 30000;
+const DEFAULT_MAX_STDOUT = 50 * 1024 * 1024; // 50MB
+const KILL_GRACE_MS = 5000; // belt-and-braces SIGKILL after timeout+grace
+
+/**
+ * Spawn a process asynchronously, collect stdout/stderr with hard caps,
+ * enforce a kill timeout. Resolves with a result object describing what
+ * happened — never rejects.
+ *
+ * @param {string} cmd - Executable name (no shell — args are not parsed)
+ * @param {string[]} args - Argument array
+ * @param {object} [opts]
+ * @param {number} [opts.timeout=30000] - Soft timeout in ms; primary
+ *   limit is whatever the executable itself enforces (e.g. curl
+ *   --max-time). This is the belt-and-braces SIGKILL deadline fired at
+ *   `timeout + 5000` ms.
+ * @param {number} [opts.maxStdout=52428800] - Cap on stdout collection.
+ *   When the cap is exceeded the child is killed with SIGTERM and the
+ *   result has `truncated: true`.
+ * @param {string|Buffer} [opts.input] - Data to write to the child's
+ *   stdin then close. EPIPE on stdin is swallowed (child may exit early).
+ * @param {boolean} [opts.collectStderr=true] - When false, stderr is
+ *   drained but not retained (saves memory when caller doesn't need it).
+ * @returns {Promise<{
+ *   code: number|null,
+ *   signal: string|null,
+ *   stdout: Buffer,
+ *   stderr: Buffer,
+ *   truncated: boolean,
+ *   error: string|null
+ * }>}
+ */
+function runProcess(cmd, args, opts = {}) {
+  const {
+    timeout = DEFAULT_TIMEOUT_MS,
+    maxStdout = DEFAULT_MAX_STDOUT,
+    input,
+    collectStderr = true
+  } = opts;
+
+  return new Promise((resolve) => {
+    let child;
+    try {
+      child = spawn(cmd, args);
+    } catch (spawnErr) {
+      resolve({
+        code: null, signal: null,
+        stdout: Buffer.alloc(0), stderr: Buffer.alloc(0),
+        truncated: false, error: spawnErr.message
+      });
+      return;
+    }
+
+    const stdoutChunks = [];
+    const stderrChunks = [];
+    let stdoutBytes = 0;
+    let truncated = false;
+
+    child.stdout.on('data', (chunk) => {
+      if (truncated) return;
+      if (stdoutBytes + chunk.length > maxStdout) {
+        truncated = true;
+        try { child.kill('SIGTERM'); } catch (_) {}
+        return;
+      }
+      stdoutBytes += chunk.length;
+      stdoutChunks.push(chunk);
+    });
+
+    if (collectStderr) {
+      child.stderr.on('data', (chunk) => { stderrChunks.push(chunk); });
+    } else {
+      child.stderr.on('data', () => {}); // drain but discard
+    }
+
+    // SIGKILL belt-and-braces after timeout+grace. unref'd so the timer
+    // doesn't keep the event loop alive on its own; if the process exits
+    // earlier, the timer is cleared in the close handler.
+    const killTimer = setTimeout(() => {
+      try { child.kill('SIGKILL'); } catch (_) {}
+    }, timeout + KILL_GRACE_MS);
+    if (typeof killTimer.unref === 'function') killTimer.unref();
+
+    child.on('error', (err) => {
+      clearTimeout(killTimer);
+      resolve({
+        code: null, signal: null,
+        stdout: Buffer.concat(stdoutChunks),
+        stderr: Buffer.concat(stderrChunks),
+        truncated, error: err.message
+      });
+    });
+
+    child.on('close', (code, signal) => {
+      clearTimeout(killTimer);
+      resolve({
+        code, signal,
+        stdout: Buffer.concat(stdoutChunks),
+        stderr: Buffer.concat(stderrChunks),
+        truncated, error: null
+      });
+    });
+
+    if (input !== undefined) {
+      // EPIPE if the child exited before we finished writing (e.g. grep
+      // matched and bailed early, or our truncation kill fired). Swallow
+      // so it doesn't surface as an unhandled stream error.
+      child.stdin.on('error', () => {});
+      child.stdin.end(input);
+    }
+  });
+}
+
+module.exports = { runProcess };

package/lib/validate_rules.js

@@ -1,10 +1,45 @@
-const { formatLogMessage } = require('./colorize');
+const net = require('node:net');
+const { formatLogMessage, messageColors } = require('./colorize');
+// Cross-module validators wired into site-config validation — previously
+// each had to be called separately (or wasn't called at all). Centralizing
+// here means a single validateSiteConfig surfaces ALL misconfigurations
+// at startup instead of mid-scan.
+//   - validateSearchString: had ZERO callers anywhere before this hookup.
+//   - validateVpnConfig / validateOvpnConfig: called inside connectForSite
+//     per-site at scan time. Adding here catches errors at startup.
+const { validateSearchString } = require('./searchstring');
+const { validateVpnConfig: validateWgConfig, normalizeVpnConfig: normalizeWgConfig } = require('./wireguard_vpn');
+const { validateOvpnConfig, normalizeOvpnConfig } = require('./openvpn_vpn');
+const CLEAN_TAG = messageColors.processing('[clean]');
 
-// Pre-compiled regex constants for validation
+// Pre-compiled regex constants for validation. IPv4/IPv6 validation now
+// uses Node's built-in net.isIP() — the old hand-rolled regexes were
+// incomplete (missing IPv4-mapped IPv6, zone identifiers, etc.) and
+// silently accepted some malformed inputs like '2001:db8:::1'.
 const REGEX_LABEL = /^[a-zA-Z0-9-]+$/;
 const REGEX_TLD = /^[a-zA-Z][a-zA-Z0-9]*$/;
-const REGEX_IPv4 = /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
-const REGEX_IPv6 = /^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$|^::$|^::1$|^(?:[0-9a-fA-F]{1,4}:)*::(?:[0-9a-fA-F]{1,4}:)*[0-9a-fA-F]{1,4}$/;
+
+// Module-level Set of valid adblock filter modifiers. Was previously
+// re-allocated inside validateAdblockModifiers on every call — for a
+// 100k-line filter list that's 100k identical Set allocations.
+const VALID_MODIFIERS = new Set([
+  // Resource type modifiers
+  'script', 'stylesheet', 'image', 'object', 'xmlhttprequest', 'subdocument',
+  'ping', 'websocket', 'webrtc', 'document', 'elemhide', 'generichide',
+  'genericblock', 'popup', 'font', 'media', 'other',
+  // Party modifiers
+  'third-party', 'first-party', '~third-party', '~first-party',
+  // Domain modifiers (domain= is validated separately below)
+  'domain',
+  // Method modifiers
+  'match-case', '~match-case',
+  // Action modifiers
+  'important', 'badfilter',
+  // CSP and redirect modifiers
+  'csp', 'redirect', 'redirect-rule',
+  // uBlock Origin specific
+  'inline-script', 'inline-font', 'mp4', 'empty', 'xhr'
+]);
 
 /**
  * Enhanced domain validation function
@@ -128,30 +163,31 @@ function isValidTLD(tld) {
 }
 
 /**
- * Checks if a string is an IP address (IPv4 or IPv6)
+ * Checks if a string is an IP address (IPv4 or IPv6).
+ * Delegates to Node's net.isIP() — standards-compliant, no regex to
+ * maintain. Returns true for any valid IP form including IPv4-mapped
+ * IPv6 (::ffff:192.0.2.1) which the old hand-rolled regex missed.
  * @param {string} str - String to check
  * @returns {boolean} True if it's an IP address
  */
 function isIPAddress(str) {
-  return isIPv4(str) || isIPv6(str);
+  return net.isIP(str) !== 0;
 }
 
 /**
- * Checks if a string is a valid IPv4 address
- * @param {string} str - String to check
+ * @param {string} str
  * @returns {boolean} True if valid IPv4
  */
 function isIPv4(str) {
-  return REGEX_IPv4.test(str);
+  return net.isIPv4(str);
 }
 
 /**
- * Checks if a string is a valid IPv6 address
- * @param {string} str - String to check
+ * @param {string} str
  * @returns {boolean} True if valid IPv6
  */
 function isIPv6(str) {
-  return REGEX_IPv6.test(str);
+  return net.isIPv6(str);
 }
 
 /**
@@ -163,11 +199,19 @@ function validateRegexPattern(pattern) {
   if (!pattern || typeof pattern !== 'string') {
     return { isValid: false, error: 'Pattern must be a non-empty string' };
   }
-  
+
   try {
-    // Remove leading/trailing slashes if present
-    const cleanPattern = pattern.replace(/^\/(.*)\/$/, '$1');
-    new RegExp(cleanPattern);
+    // Handle /pattern/flags literal syntax. The old `^\/(.*)\/$/` strip
+    // didn't match patterns with flags ('/foo/i'), so they passed through
+    // unchanged to `new RegExp('/foo/i')` — which compiled a regex that
+    // matched the LITERAL string '/foo/i' instead of the intended `foo`
+    // pattern with the `i` flag. Silent acceptance of malformed input.
+    const literalMatch = pattern.match(/^\/(.*)\/([gimsuy]*)$/);
+    if (literalMatch) {
+      new RegExp(literalMatch[1], literalMatch[2]);
+    } else {
+      new RegExp(pattern);
+    }
     return { isValid: true };
   } catch (err) {
     return { isValid: false, error: `Invalid regex: ${err.message}` };
@@ -183,33 +227,7 @@ function validateAdblockModifiers(modifiers) {
   if (!modifiers) {
     return { isValid: true, modifiers: [] };
   }
-  
-  // Valid adblock filter modifiers
-  const validModifiers = new Set([
-    // Resource type modifiers
-    'script', 'stylesheet', 'image', 'object', 'xmlhttprequest', 'subdocument',
-    'ping', 'websocket', 'webrtc', 'document', 'elemhide', 'generichide',
-    'genericblock', 'popup', 'font', 'media', 'other',
-    
-    // Party modifiers
-    'third-party', 'first-party', '~third-party', '~first-party',
-    
-    // Domain modifiers (domain= will be validated separately)
-    'domain',
-    
-    // Method modifiers
-    'match-case', '~match-case',
-    
-    // Action modifiers
-    'important', 'badfilter',
-    
-    // CSP and redirect modifiers
-    'csp', 'redirect', 'redirect-rule',
-    
-    // uBlock Origin specific
-    'inline-script', 'inline-font', 'mp4', 'empty', 'xhr'
-  ]);
-  
+
   const modifierList = modifiers.split(',').map(m => m.trim());
   const invalidModifiers = [];
   const parsedModifiers = [];
@@ -262,7 +280,7 @@ function validateAdblockModifiers(modifiers) {
     const isNegated = modifier.startsWith('~');
     const baseModifier = isNegated ? modifier.substring(1) : modifier;
     
-    if (validModifiers.has(modifier) || validModifiers.has(baseModifier)) {
+    if (VALID_MODIFIERS.has(modifier) || VALID_MODIFIERS.has(baseModifier)) {
       parsedModifiers.push({ 
         type: baseModifier, 
         negated: isNegated,
@@ -296,91 +314,124 @@ function validateAdblockRule(rule) {
   if (!rule || typeof rule !== 'string') {
     return { isValid: false, format: 'unknown', error: 'Rule must be a non-empty string' };
   }
-  
+
   const trimmedRule = rule.trim();
-  
+
   // Skip comments
   if (trimmedRule.startsWith('!') || trimmedRule.startsWith('#')) {
     return { isValid: true, format: 'comment' };
   }
-  
-  // Adblock format: ||domain.com^ or ||domain.com^$script,third-party
-  if (trimmedRule.startsWith('||') && trimmedRule.includes('^')) {
-    const parts = trimmedRule.substring(2).split('^');
+
+  // Strip @@ exception (whitelist) prefix and run the rest of validation
+  // on the remainder. Exception rules are standard adblock syntax
+  // (e.g. '@@||example.com^', '@@||example.com^$image') and appear
+  // throughout real-world filter lists like EasyList — without this,
+  // `nwss --validate-rules easylist.txt` flagged every exception as
+  // 'Unrecognized rule format'. We attach `isException: true` to the
+  // result so downstream consumers can see the whitelist intent.
+  let isException = false;
+  let working = trimmedRule;
+  if (working.startsWith('@@')) {
+    isException = true;
+    working = working.substring(2);
+    if (!working) {
+      return { isValid: false, format: 'unknown', error: '@@ exception prefix with no rule body' };
+    }
+  }
+
+  // @@ only makes sense as a prefix for adblock-format rules. Bail
+  // early if it's prefixing something else (e.g. '@@127.0.0.1 host'
+  // is meaningless — localhost format has no exception concept).
+  if (isException &&
+      !(working.startsWith('||') && working.includes('^')) &&
+      !(working.includes('^$'))) {
+    return {
+      isValid: false,
+      format: 'unknown',
+      isException: true,
+      error: '@@ exception prefix only valid for adblock-format rules'
+    };
+  }
+
+  // Adblock format: ||domain.com^ or ||domain.com^$script,third-party.
+  // Uses `working` (post-@@-strip body) instead of `trimmedRule`.
+  const ruleBody = working;
+  if (ruleBody.startsWith('||') && ruleBody.includes('^')) {
+    const parts = ruleBody.substring(2).split('^');
     const domain = parts[0];
-    
+
     if (!isValidDomain(domain)) {
-      return { isValid: false, format: 'adblock', error: `Invalid domain in adblock rule: ${domain}` };
+      return { isValid: false, format: 'adblock', isException, error: `Invalid domain in adblock rule: ${domain}` };
     }
-    
+
     // Check for modifiers after ^$
     let modifiers = '';
     let modifierValidation = { isValid: true, modifiers: [] };
-    
+
     if (parts.length > 1 && parts[1].startsWith('$')) {
       modifiers = parts[1].substring(1);
       modifierValidation = validateAdblockModifiers(modifiers);
-      
+
       if (!modifierValidation.isValid) {
-        return { 
-          isValid: false, 
-          format: 'adblock', 
+        return {
+          isValid: false,
+          format: 'adblock',
+          isException,
           error: `${modifierValidation.error} in rule: ${trimmedRule}`,
           domain,
           modifiers: modifierValidation.validModifiers || []
         };
       }
     }
-    
-    return { 
-      isValid: true, 
-      format: 'adblock', 
+
+    return {
+      isValid: true,
+      format: 'adblock',
+      isException,
       domain,
       modifiers: modifierValidation.modifiers,
       hasModifiers: modifiers.length > 0
     };
   }
-  
+
   // Basic adblock format without ||: domain.com^$modifier
-  if (trimmedRule.includes('^') && trimmedRule.includes('$')) {
-    const parts = trimmedRule.split('^$');
+  if (ruleBody.includes('^') && ruleBody.includes('$')) {
+    const parts = ruleBody.split('^$');
     if (parts.length === 2) {
       const domain = parts[0];
       const modifiers = parts[1];
-      
+
       if (!isValidDomain(domain)) {
-        return { isValid: false, format: 'adblock-basic', error: `Invalid domain in adblock rule: ${domain}` };
+        return { isValid: false, format: 'adblock-basic', isException, error: `Invalid domain in adblock rule: ${domain}` };
       }
-      
+
       const modifierValidation = validateAdblockModifiers(modifiers);
       if (!modifierValidation.isValid) {
-        return { 
-          isValid: false, 
-          format: 'adblock-basic', 
+        return {
+          isValid: false,
+          format: 'adblock-basic',
+          isException,
           error: modifierValidation.error,
           domain
         };
       }
-      
-      return { 
-        isValid: true, 
-        format: 'adblock-basic', 
+
+      return {
+        isValid: true,
+        format: 'adblock-basic',
+        isException,
         domain,
         modifiers: modifierValidation.modifiers
       };
     }
   }
   
-  // Simple adblock format: ||domain.com^ (without modifiers)
-  if (trimmedRule.startsWith('||') && trimmedRule.endsWith('^')) {
-    const domain = trimmedRule.substring(2, trimmedRule.length - 1);
-    if (isValidDomain(domain)) {
-      return { isValid: true, format: 'adblock-simple', domain };
-    } else {
-      return { isValid: false, format: 'adblock-simple', error: `Invalid domain in adblock rule: ${domain}` };
-    }
-  }
-  
+  // Removed: "Simple adblock format" branch for `||domain.com^` without
+  // modifiers. The main `||...^` branch above already handles this case
+  // (parts becomes ['domain.com', ''] on split, the empty modifier check
+  // falls through to the success return as format='adblock'). This branch
+  // was unreachable dead code.
+
   // Localhost format: 127.0.0.1 domain.com or 0.0.0.0 domain.com
   if (trimmedRule.match(/^(127\.0\.0\.1|0\.0\.0\.0)\s+/)) {
     const parts = trimmedRule.split(/\s+/);
@@ -665,6 +716,44 @@ function validateSiteConfig(siteConfig, siteIndex = 0) {
     }
   });
 
+  // Cross-module validation: searchstring/searchstring_and. validateSearchString
+  // catches things like both-defined-at-once (forbidden), empty arrays, length
+  // caps, non-string elements. Before this call was added, misconfigured
+  // searchstring values silently passed validation and only surfaced as
+  // runtime TypeErrors mid-scan.
+  if (siteConfig.searchstring !== undefined || siteConfig.searchstring_and !== undefined) {
+    const ssValidation = validateSearchString(siteConfig.searchstring, siteConfig.searchstring_and);
+    if (!ssValidation.isValid) {
+      errors.push(`Site ${siteIndex}: ${ssValidation.error}`);
+    }
+  }
+
+  // Cross-module validation: VPN configs. nwss.js dispatches on field
+  // presence — `vpn` → WireGuard, `openvpn` → OpenVPN. Both validators
+  // require a normalized config object, so normalize first. Previously
+  // VPN errors only surfaced inside connectForSite at scan time; now
+  // misconfigured configs fail loudly at startup.
+  if (siteConfig.vpn !== undefined && siteConfig.openvpn !== undefined) {
+    warnings.push(`Site ${siteIndex}: both 'vpn' (WireGuard) and 'openvpn' set — runtime dispatches to WireGuard, openvpn config will be ignored`);
+  }
+  if (siteConfig.vpn !== undefined) {
+    const normalized = normalizeWgConfig(siteConfig.vpn);
+    const vpnValidation = validateWgConfig(normalized);
+    if (!vpnValidation.isValid) {
+      vpnValidation.errors.forEach(e => errors.push(`Site ${siteIndex} (WireGuard): ${e}`));
+    }
+    // Validator warnings (e.g. "requires root") propagate too.
+    (vpnValidation.warnings || []).forEach(w => warnings.push(`Site ${siteIndex} (WireGuard): ${w}`));
+  }
+  if (siteConfig.openvpn !== undefined && siteConfig.vpn === undefined) {
+    const normalized = normalizeOvpnConfig(siteConfig.openvpn);
+    const ovpnValidation = validateOvpnConfig(normalized);
+    if (!ovpnValidation.isValid) {
+      ovpnValidation.errors.forEach(e => errors.push(`Site ${siteIndex} (OpenVPN): ${e}`));
+    }
+    (ovpnValidation.warnings || []).forEach(w => warnings.push(`Site ${siteIndex} (OpenVPN): ${w}`));
+  }
+
  // Validate ignore_similar_threshold
  if (siteConfig.ignore_similar_threshold !== undefined) {
    if (typeof siteConfig.ignore_similar_threshold !== 'number' || 
@@ -774,7 +863,7 @@ function cleanRulesetFile(filePath, outputPath = null, options = {}) {
           stats.duplicates++;
           
           if (forceDebug) {
-            console.log(formatLogMessage('debug', `[clean] Removing duplicate line ${lineNumber}: ${trimmed}`));
+            console.log(formatLogMessage('debug', `${CLEAN_TAG} Removing duplicate line ${lineNumber}: ${trimmed}`));
           }
           continue; // Skip duplicate
         } else {
@@ -789,7 +878,7 @@ function cleanRulesetFile(filePath, outputPath = null, options = {}) {
       stats.invalid++;
       
       if (forceDebug) {
-        console.log(formatLogMessage('debug', `[clean] Removing invalid line ${lineNumber}: ${trimmed} (${validation.error})`));
+        console.log(formatLogMessage('debug', `${CLEAN_TAG} Removing invalid line ${lineNumber}: ${trimmed} (${validation.error})`));
       }
     }
   }
@@ -986,92 +1075,17 @@ function testDomainValidation() {
   return allPassed;
 }
 
-/**
- * Test adblock rule validation with known test cases
- * @returns {boolean} True if all tests pass
- */
-function testAdblockValidation() {
-  const testCases = [
-    // Valid rules
-    { rule: '||example.com^', expected: true },
-    { rule: '||example.com^$script', expected: true },
-    { rule: '127.0.0.1 example.com', expected: true },
-    { rule: 'local=/example.com/', expected: true },
-    
-    // Invalid rules
-    { rule: '', expected: false },
-    { rule: '||invalid..domain^', expected: false },
-    { rule: '||.example.com^', expected: false }
-  ];
-  
-  let allPassed = true;
-  
-  testCases.forEach(({ rule, expected }) => {
-    const result = validateAdblockRule(rule);
-    if (result.isValid !== expected) {
-      console.error(`Test failed for rule "${rule}": expected ${expected}, got ${result.isValid}`);
-      allPassed = false;
-    }
-  });
-  
-  return allPassed;
-}
-
-/**
- * Validates a domain and formats it according to specified output options
- * @param {string} domain - The domain to validate and format
- * @param {object} options - Formatting options
- * @returns {string|object} Formatted domain string or error object
- */
-function formatDomainWithValidation(domain, options = {}) {
-  const {
-    localhost = false,
-    localhostAlt = false,
-    plain = false,
-    dnsmasq = false,
-    dnsmasqOld = false,
-    unbound = false,
-    privoxy = false,
-    pihole = false,
-    adblockRules = false,
-    resourceType = ''
-  } = options;
-
-  // Validate domain first
-  if (!isValidDomain(domain)) {
-    return {
-      isValid: false,
-      error: `Invalid domain format: ${domain}`,
-      formattedRule: null
-    };
-  }
-
-  // Format according to specified options (priority order)
-  if (pihole) {
-    const escapedDomain = domain.replace(/\./g, '\\.');
-    return `(^|\\.)${escapedDomain}$`;
-  } else if (privoxy) {
-    return `{ +block } .${domain}`;
-  } else if (dnsmasq) {
-    return `local=/${domain}/`;
-  } else if (dnsmasqOld) {
-    return `server=/${domain}/`;
-  } else if (unbound) {
-    return `local-zone: "${domain}." always_null`;
-  } else if (localhost) {
-    return `127.0.0.1 ${domain}`;
-  } else if (localhostAlt) {
-    return `0.0.0.0 ${domain}`;
-  } else if (adblockRules && resourceType) {
-    return `||${domain}^$${resourceType}`;
-  } else if (plain) {
-    return domain;
-  } else {
-    // Default adblock format
-    return `||${domain}^`;
-  }
-}
-
+// Public surface used by nwss.js (validateRulesetFile, validateFullConfig,
+// testDomainValidation, cleanRulesetFile). The rest (isValidDomain,
+// isValidDomainLabel, isValidTLD, isIPAddress, isIPv4, isIPv6,
+// validateRegexPattern, validateAdblockModifiers, validateAdblockRule,
+// validateSiteConfig) stay internal-helper-but-exported for now since
+// downstream callers MAY import them via the dotted path even if grep
+// shows no current consumers — domain validators are the kind of thing
+// that gets added to in future. testAdblockValidation and
+// formatDomainWithValidation were removed entirely (zero callers
+// anywhere; formatDomainWithValidation looked like an old implementation
+// superseded by lib/output.js).
 module.exports = {
   isValidDomain,
   isValidDomainLabel,
@@ -1086,7 +1100,5 @@ module.exports = {
   cleanRulesetFile,
   validateSiteConfig,
   validateFullConfig,
-  testDomainValidation,
-  testAdblockValidation,
-  formatDomainWithValidation
+  testDomainValidation
 };