@fanboynz/network-scanner 2.0.66 → 3.0.0

package/lib/cloudflare.js

@@ -30,8 +30,11 @@
  */
 
 // Import color utilities
-const { formatLogMessage } = require('./colorize');
+const { formatLogMessage, messageColors } = require('./colorize');
+const URL_VALIDATION_TAG = messageColors.processing('[url-validation]');
 
+
+const CLOUDFLARE_TAG = messageColors.cloudflare('[cloudflare]');
 /**
  * Module version information
  */
@@ -54,15 +57,15 @@ const TIMEOUTS = {
   CLICK_TIMEOUT_BUFFER: 1000,     // Click timeout safety buffer
   NAVIGATION_TIMEOUT: 15000,      // Standard navigation timeout
   NAVIGATION_TIMEOUT_BUFFER: 2000, // Navigation timeout safety buffer
-  ADAPTIVE_TIMEOUT_WITH_INDICATORS: 25000,    // Adaptive timeout when indicators found + explicit config
-  ADAPTIVE_TIMEOUT_WITHOUT_INDICATORS: 20000, // Adaptive timeout with explicit config only
-  ADAPTIVE_TIMEOUT_AUTO_WITH_INDICATORS: 15000,   // Adaptive timeout for auto-detected with indicators
-  ADAPTIVE_TIMEOUT_AUTO_WITHOUT_INDICATORS: 10000, // Adaptive timeout for auto-detected without indicators
-  // New timeouts for enhanced functionality
-  RETRY_DELAY: 1000,              // Delay between retry attempts
-  MAX_RETRIES: 2,                 // Maximum retry attempts (only 2 fit within 25s outer timeout)
-  CHALLENGE_POLL_INTERVAL: 500,   // Interval for polling challenge completion
-  CHALLENGE_MAX_POLLS: 20         // Maximum polling attempts
+  // Adaptive timeouts are only consulted AFTER the no-indicators early
+  // return in handleCloudflareProtection, so the WITHOUT_INDICATORS
+  // variants were unreachable and have been removed.
+  ADAPTIVE_TIMEOUT_WITH_INDICATORS: 25000,        // Indicators present + explicit config
+  ADAPTIVE_TIMEOUT_AUTO_WITH_INDICATORS: 15000,   // Indicators present, auto-detected only
+  // Removed: RETRY_DELAY, CHALLENGE_POLL_INTERVAL, CHALLENGE_MAX_POLLS --
+  // defined but never read. Backoff uses RETRY_CONFIG.baseDelay +
+  // getRetryDelay(); challenges aren't polled via fixed interval.
+  MAX_RETRIES: 2                  // Maximum retry attempts (only 2 fit within 25s outer timeout)
 };
 
 // Fast timeout constants - optimized for speed
@@ -72,7 +75,8 @@ const FAST_TIMEOUTS = {
   CHALLENGE_WAIT: 500,            // Fast challenge detection
   ELEMENT_INTERACTION_DELAY: 250, // Fast element interactions
   SELECTOR_WAIT: 3000,            // Fast selector waits
-  TURNSTILE_OPERATION: 6000,      // Fast Turnstile operations
+  // Removed: TURNSTILE_OPERATION -- defined but never read. The
+  // turnstileTimeout local var that referenced it was also dead.
   JS_CHALLENGE: 10000,            // Fast JS challenge completion
   CHALLENGE_SOLVING: 12000,       // Overall challenge solving -- fits within 15s adaptive outer
   CHALLENGE_COMPLETION: 8000      // Fast completion check
@@ -92,18 +96,18 @@ async function clickInShadowDOM(context, selectors, forceDebug = false, waitMs =
       if (element) {
         const box = await element.boundingBox();
         if (box && box.width > 0 && box.height > 0) {
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `pierce/${selector} matched in ${Date.now() - start}ms -- box: ${box.width}x${box.height} at (${box.x},${box.y})`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} pierce/${selector} matched in ${Date.now() - start}ms -- box: ${box.width}x${box.height} at (${box.x},${box.y})`));
           await element.click();
           await element.dispose();
           return { found: true, clicked: true, selector, x: box.x + box.width / 2, y: box.y + box.height / 2 };
         }
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `pierce/${selector} found but not visible (0x0)`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} pierce/${selector} found but not visible (0x0)`));
         await element.dispose();
         // Element found but not visible
         return { found: true, clicked: false, selector, x: 0, y: 0 };
       }
     } catch (e) {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `pierce/${selector} timeout after ${waitMs}ms`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} pierce/${selector} timeout after ${waitMs}ms`));
       continue;
     }
   }
@@ -197,17 +201,33 @@ function detectChallengeLoop(url, previousUrls = []) {
 
   if (!isChallengeUrl) return false;
 
-  // Check if we've seen this exact URL or very similar challenge URLs
-  const similarUrls = previousUrls.filter(prevUrl => {
-    if (prevUrl === url) return true; // Exact match
-    // Check for similar challenge URLs with different ray IDs
-    if (prevUrl.includes('/cdn-cgi/challenge-platform/') && url.includes('/cdn-cgi/challenge-platform/')) {
-      return true;
-    }
-    return false;
-  });
+  // Two loop signals with different sensitivities:
+  //
+  //   exactMatches  — page reloaded between retries but came back to the
+  //                   identical URL. Strong signal: the reload didn't
+  //                   advance the challenge state. Trips on a single
+  //                   prior visit, which means it actually fires under
+  //                   the default RETRY_CONFIG.maxAttempts = 2 (where
+  //                   you only ever have one prior URL to compare to).
+  //                   Previously the threshold was a flat >= 2 which
+  //                   silently never fired with default config.
+  //
+  //   cdnCgiMatches — both URLs are cdn-cgi challenge URLs (different
+  //                   ray IDs). Weaker signal: a reload that yields a
+  //                   fresh challenge is normal retry behavior, not a
+  //                   loop. Keep the original >= 2 threshold so this
+  //                   only trips with custom cloudflare_max_retries set
+  //                   to 3+ (i.e. you've seen 2 fresh challenges and
+  //                   the 3rd is still a challenge -- genuinely stuck).
+  const urlIsCdnCgi = url.includes('/cdn-cgi/challenge-platform/');
+  let exactMatches = 0;
+  let cdnCgiMatches = 0;
+  for (const prevUrl of previousUrls) {
+    if (prevUrl === url) exactMatches++;
+    else if (urlIsCdnCgi && prevUrl.includes('/cdn-cgi/challenge-platform/')) cdnCgiMatches++;
+  }
 
-  return similarUrls.length >= 2; // Loop detected if we've seen similar URLs 2+ times
+  return exactMatches >= 1 || cdnCgiMatches >= 2;
 }
 
 /**
@@ -217,6 +237,10 @@ function detectChallengeLoop(url, previousUrls = []) {
 class CloudflareDetectionCache {
   constructor(ttl = 300000) { // 5 minutes TTL by default
     this.cache = new Map();
+    // Outcomes live in a separate Map so the 1000-entry eviction on the
+    // detection cache doesn't randomly drop "this domain timed out" entries
+    // and re-permit expensive retries. Same TTL applies to both.
+    this.outcomes = new Map();
     this.ttl = ttl;
     this.hits = 0;
     this.misses = 0;
@@ -240,16 +264,16 @@ class CloudflareDetectionCache {
   get(url) {
     const key = this.getCacheKey(url);
     const cached = this.cache.get(key);
-    
+
     if (cached && Date.now() - cached.timestamp < this.ttl) {
       this.hits++;
       return cached.data;
     }
-    
+
     if (cached) {
       this.cache.delete(key); // Remove expired entry
     }
-    
+
     this.misses++;
     return null;
   }
@@ -260,7 +284,7 @@ class CloudflareDetectionCache {
       data,
       timestamp: Date.now()
     });
-    
+
     // Prevent cache from growing too large
     if (this.cache.size > 1000) {
       const firstKey = this.cache.keys().next().value;
@@ -268,6 +292,29 @@ class CloudflareDetectionCache {
     }
   }
 
+  /**
+   * Per-domain handling-outcome cache. Used to skip subsequent URLs on a
+   * domain that already timed out, without polluting the detection cache.
+   * Returns the cached outcome data or null (TTL-checked).
+   */
+  getOutcome(url) {
+    const key = this.getCacheKey(url);
+    const entry = this.outcomes.get(key);
+    if (entry && Date.now() - entry.timestamp < this.ttl) {
+      return entry.data;
+    }
+    if (entry) this.outcomes.delete(key);
+    return null;
+  }
+
+  setOutcome(url, data) {
+    const key = this.getCacheKey(url);
+    this.outcomes.set(key, { data, timestamp: Date.now() });
+    if (this.outcomes.size > 1000) {
+      this.outcomes.delete(this.outcomes.keys().next().value);
+    }
+  }
+
   cleanupExpired() {
     const now = Date.now();
     for (const [key, value] of this.cache.entries()) {
@@ -275,6 +322,11 @@ class CloudflareDetectionCache {
         this.cache.delete(key);
       }
     }
+    for (const [key, value] of this.outcomes.entries()) {
+      if (now - value.timestamp >= this.ttl) {
+        this.outcomes.delete(key);
+      }
+    }
   }
 
   destroy() {
@@ -284,6 +336,7 @@ class CloudflareDetectionCache {
 
   clear() {
     this.cache.clear();
+    this.outcomes.clear();
     this.hits = 0;
     this.misses = 0;
   }
@@ -294,7 +347,8 @@ class CloudflareDetectionCache {
       hits: this.hits,
       misses: this.misses,
       hitRate: total > 0 ? (this.hits / total * 100).toFixed(2) + '%' : '0%',
-      size: this.cache.size
+      size: this.cache.size,
+      outcomes: this.outcomes.size
     };
   }
 }
@@ -307,17 +361,82 @@ const detectionCache = new CloudflareDetectionCache();
 // produces N=URL-count copies for no useful signal beyond the first.
 let _moduleVersionLogged = false;
 
+// Per-scan aggregate stats. Updated on every handleCloudflareProtection
+// completion regardless of debug mode so nwss.js can print an end-of-scan
+// summary ("Of 200 URLs: 47 challenged, 31 solved via JS, 12 via Turnstile,
+// 4 timed out") without needing to thread the per-URL results back into the
+// orchestration layer. Reset via resetAggregateStats() or implicitly by
+// cleanup().
+const aggregateStats = {
+  total: 0,
+  byOutcome: Object.create(null),       // 'ok' -> N, 'solved(turnstile)' -> N, etc.
+  bySolveMethod: Object.create(null),   // Includes BOTH verification-challenge
+                                        // methods ('js_challenge_wait',
+                                        // 'turnstile', 'legacy_checkbox') and
+                                        // the phishing-bypass method
+                                        // ('phishing_continue').
+  totalDurationMs: 0,
+  maxDurationMs: 0,                     // Cheap to track; surfaces the
+                                        // worst-case URL when avg gets
+                                        // dominated by timeouts.
+  failures: 0,                          // !overallSuccess count
+  timedOut: 0                           // adaptive-timeout count (subset of failures)
+};
+
+function bumpAggregate(outcome, result, durationMs) {
+  aggregateStats.total++;
+  aggregateStats.byOutcome[outcome] = (aggregateStats.byOutcome[outcome] || 0) + 1;
+  aggregateStats.totalDurationMs += durationMs;
+  if (durationMs > aggregateStats.maxDurationMs) aggregateStats.maxDurationMs = durationMs;
+  if (!result.overallSuccess) aggregateStats.failures++;
+  if (result.timedOut) aggregateStats.timedOut++;
+  // Method-of-resolution tracking. Mirrors buildOutcomeString's branch
+  // order: prefer the verification-challenge method, fall back to the
+  // phishing-continue path. A URL where both succeeded gets counted under
+  // the challenge method (matches `solved(turnstile)` etc. in byOutcome).
+  const vMethod = result.verificationChallenge && result.verificationChallenge.method;
+  if (vMethod) {
+    aggregateStats.bySolveMethod[vMethod] = (aggregateStats.bySolveMethod[vMethod] || 0) + 1;
+  } else if (result.phishingWarning && result.phishingWarning.attempted && result.phishingWarning.success) {
+    aggregateStats.bySolveMethod['phishing_continue'] = (aggregateStats.bySolveMethod['phishing_continue'] || 0) + 1;
+  }
+}
+
 /**
- * Gets module version information
- * @returns {object} Version information object
+ * Returns a snapshot of per-scan aggregate stats. nwss.js can call this at
+ * scan end to print a summary. Pass {reset:true} to atomically read+reset
+ * so multi-scan processes don't accumulate across runs.
  */
-function getModuleInfo() {
-  return {
-    version: CLOUDFLARE_MODULE_VERSION,
-    name: 'Cloudflare Protection Handler'
+function getAggregateStats({ reset = false } = {}) {
+  const snap = {
+    total: aggregateStats.total,
+    failures: aggregateStats.failures,
+    timedOut: aggregateStats.timedOut,
+    byOutcome: { ...aggregateStats.byOutcome },
+    bySolveMethod: { ...aggregateStats.bySolveMethod },
+    avgDurationMs: aggregateStats.total > 0
+      ? Math.round(aggregateStats.totalDurationMs / aggregateStats.total)
+      : 0,
+    maxDurationMs: aggregateStats.maxDurationMs
   };
+  if (reset) resetAggregateStats();
+  return snap;
 }
 
+function resetAggregateStats() {
+  aggregateStats.total = 0;
+  aggregateStats.failures = 0;
+  aggregateStats.timedOut = 0;
+  aggregateStats.byOutcome = Object.create(null);
+  aggregateStats.bySolveMethod = Object.create(null);
+  aggregateStats.totalDurationMs = 0;
+  aggregateStats.maxDurationMs = 0;
+}
+
+// Note: getModuleInfo() helper was removed -- had zero callers internal
+// or external. CLOUDFLARE_MODULE_VERSION stays as it's read by the
+// once-per-process version banner in handleCloudflareProtection.
+
 /**
  * Validates if a URL should be processed by Cloudflare protection
  * Only allows HTTP/HTTPS URLs, skips browser-internal and special protocols
@@ -334,21 +453,21 @@ const HTTP_PROTO_RE = /^https?:\/\//i;
 
 function shouldProcessUrl(url, forceDebug = false) {
   if (!url || typeof url !== 'string') {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `[url-validation] Skipping invalid URL: ${url}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${URL_VALIDATION_TAG} Skipping invalid URL: ${url}`));
     return false;
   }
 
   const skipMatch = url.match(SKIP_PROTO_RE);
   if (skipMatch) {
     if (forceDebug) {
-      console.log(formatLogMessage('cloudflare', `[url-validation] Skipping ${skipMatch[0].toLowerCase()} URL: ${url.substring(0, 100)}${url.length > 100 ? '...' : ''}`));
+      console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${URL_VALIDATION_TAG} Skipping ${skipMatch[0].toLowerCase()} URL: ${url.substring(0, 100)}${url.length > 100 ? '...' : ''}`));
     }
     return false;
   }
 
   if (!HTTP_PROTO_RE.test(url)) {
     if (forceDebug) {
-      console.log(formatLogMessage('cloudflare', `[url-validation] Skipping non-HTTP(S) URL: ${url.substring(0, 100)}${url.length > 100 ? '...' : ''}`));
+      console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${URL_VALIDATION_TAG} Skipping non-HTTP(S) URL: ${url.substring(0, 100)}${url.length > 100 ? '...' : ''}`));
     }
     return false;
   }
@@ -357,13 +476,14 @@ function shouldProcessUrl(url, forceDebug = false) {
 }
 
 /**
- * Fast timeout helper for Puppeteer 22.x compatibility 
- * Replaces deprecated page.waitForTimeout() with standard Promise-based approach
+ * Fast timeout helper for Puppeteer 22.x compatibility. Replaces deprecated
+ * page.waitForTimeout() with a standard Promise-based delay. The `page` arg
+ * used to be required for the deprecated API; it's been dropped now that
+ * every call site is just sleeping. Renamed from waitForTimeout to fastTimeout
+ * to match the CLAUDE.md convention used across the codebase.
  */
-async function waitForTimeout(page, timeout) {
-  // Use fast Promise-based timeout for Puppeteer 22.x compatibility
-  // This eliminates the deprecated API dependency and improves performance
-  return new Promise(resolve => setTimeout(resolve, timeout));
+function fastTimeout(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
 }
 
 /**
@@ -493,7 +613,7 @@ async function safePageEvaluate(page, func, timeout = TIMEOUTS.PAGE_EVALUATION_S
       }
 
       if (forceDebug && attempt > 1) {
-        console.log(formatLogMessage('cloudflare', `Page evaluation succeeded on attempt ${attempt}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Page evaluation succeeded on attempt ${attempt}`));
       }
       
       return result;
@@ -507,13 +627,13 @@ async function safePageEvaluate(page, func, timeout = TIMEOUTS.PAGE_EVALUATION_S
       const errorType = categorizeError(error);
       
       if (forceDebug) {
-        console.warn(formatLogMessage('cloudflare', `Page evaluation failed (attempt ${attempt}/${maxRetries}): ${error.message} [${errorType}]`));
+        console.warn(formatLogMessage('warn', `${CLOUDFLARE_TAG} Page evaluation failed (attempt ${attempt}/${maxRetries}): ${error.message} [${errorType}]`));
       }
 
       // Handle detached frame errors specifically
       if (errorType === ERROR_TYPES.DETACHED_FRAME) {
         if (forceDebug) {
-          console.warn(formatLogMessage('cloudflare', `Detached frame detected on attempt ${attempt}/${maxRetries} - using longer delay`));
+          console.warn(formatLogMessage('warn', `${CLOUDFLARE_TAG} Detached frame detected on attempt ${attempt}/${maxRetries} - using longer delay`));
         }
         // For detached frames, brief delay before retry
         await new Promise(resolve => setTimeout(resolve, 1000));
@@ -569,9 +689,12 @@ async function safeClick(page, selector, timeout = TIMEOUTS.CLICK_TIMEOUT) {
 }
 
 /**
- * Safe navigation waiting with timeout protection
+ * Safe navigation waiting with timeout protection. The warn on timeout is
+ * forceDebug-gated to match the convention of the other warn sites in this
+ * file -- previously it fired unconditionally, which spammed stderr on every
+ * phishing-bypass click that didn't trigger a clean redirect.
  */
-async function safeWaitForNavigation(page, timeout = TIMEOUTS.NAVIGATION_TIMEOUT) {
+async function safeWaitForNavigation(page, timeout = TIMEOUTS.NAVIGATION_TIMEOUT, forceDebug = false) {
   let timeoutId;
   try {
     return await Promise.race([
@@ -581,7 +704,7 @@ async function safeWaitForNavigation(page, timeout = TIMEOUTS.NAVIGATION_TIMEOUT
       })
     ]);
   } catch (error) {
-    console.warn(formatLogMessage('cloudflare', `Navigation wait failed: ${error.message}`));
+    if (forceDebug) console.warn(formatLogMessage('warn', `${CLOUDFLARE_TAG} Navigation wait failed: ${error.message}`));
   } finally {
     if (timeoutId) clearTimeout(timeoutId);
   }
@@ -597,7 +720,7 @@ async function quickCloudflareDetection(page, forceDebug = false) {
     
     if (!shouldProcessUrl(currentPageUrl, forceDebug)) {
       if (forceDebug) {
-        console.log(formatLogMessage('cloudflare', `Quick detection skipping non-HTTP(S) page: ${currentPageUrl}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Quick detection skipping non-HTTP(S) page: ${currentPageUrl}`));
       }
       return { hasIndicators: false, skippedInvalidUrl: true };
     }
@@ -607,7 +730,7 @@ async function quickCloudflareDetection(page, forceDebug = false) {
     if (cachedResult !== null) {
       if (forceDebug) {
         const stats = detectionCache.getStats();
-        console.log(formatLogMessage('cloudflare', `Using cached detection result (cache hit rate: ${stats.hitRate})`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Using cached detection result (cache hit rate: ${stats.hitRate})`));
       }
       // Return a fresh shallow copy tagged _fromCache so the handler's
       // logging can say "[cached]" instead of presenting cached title/body
@@ -699,7 +822,7 @@ async function quickCloudflareDetection(page, forceDebug = false) {
     
     if (forceDebug) {
       if (quickCheck.hasIndicators) {
-        console.log(formatLogMessage('cloudflare', `Quick detection found Cloudflare indicators on ${quickCheck.url}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Quick detection found Cloudflare indicators on ${quickCheck.url}`));
       }
       // hasErrorPage and no-indicators cases are deliberately silent here —
       // handleCloudflareProtection prints a clearer per-action line right
@@ -708,13 +831,13 @@ async function quickCloudflareDetection(page, forceDebug = false) {
       // here would just duplicate it.
 
       if (quickCheck.attempts && quickCheck.attempts > 1) {
-        console.log(formatLogMessage('cloudflare', `Detection required ${quickCheck.attempts} attempts`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Detection required ${quickCheck.attempts} attempts`));
       }
     }
     
     return quickCheck;
   } catch (error) {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Quick detection failed: ${error.message}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Quick detection failed: ${error.message}`));
     return { hasIndicators: false, error: error.message };
   }
 }
@@ -760,37 +883,48 @@ async function analyzeCloudflareChallenge(page) {
       );
 
       const hasDataRay = !!document.querySelector('[data-ray], [data-cf-challenge]');
-      
+
+      // Managed challenges (cf-managed). parallelChallengeDetection and the
+      // quick-detection slow path both look for these, but the main analyzer
+      // used to ignore them — a managed-challenge-only page would then slip
+      // past isChallengePresent. Now folded in below.
+      const hasManagedChallenge = !!document.querySelector(
+        '.cf-managed-challenge, [data-cf-managed]'
+      );
+
       const hasCaptcha = bodyText.includes('CAPTCHA') || bodyText.includes('captcha') ||
                         bodyText.includes('hCaptcha') || bodyText.includes('reCAPTCHA');
-      
+
       const hasJSChallenge = document.querySelector('script[src*="/cdn-cgi/challenge-platform/"]') !== null ||
                             bodyText.includes('Checking your browser') ||
                             bodyText.includes('Please wait while we verify');
-      
+
       const hasPhishingWarning = bodyText.includes('This website has been reported for potential phishing') ||
                                 title.includes('Attention Required');
-      
-      const hasTurnstileResponse = document.querySelector('input[name="cf-turnstile-response"]') !== null;
-      
-      const isChallengeCompleted = hasTurnstileResponse && 
-                                  document.querySelector('input[name="cf-turnstile-response"]')?.value;
-      
+
+      // Cache the element once -- isChallengeCompleted used to re-query the
+      // same selector after hasTurnstileResponse had already located it.
+      const turnstileInput = document.querySelector('input[name="cf-turnstile-response"]');
+      const hasTurnstileResponse = turnstileInput !== null;
+      const isChallengeCompleted = hasTurnstileResponse && !!turnstileInput.value;
+
       const isChallengePresent = title.includes('Just a moment') ||
                                title.includes('Checking your browser') ||
                                bodyText.includes('Verify you are human') ||
-                               hasLegacyCheckbox || 
-                               hasChallengeRunning || 
+                               hasLegacyCheckbox ||
+                               hasChallengeRunning ||
                                hasDataRay ||
                                hasTurnstileIframe ||
                                hasTurnstileContainer ||
-                               hasJSChallenge;
-      
+                               hasJSChallenge ||
+                               hasManagedChallenge;
+
       return {
         isChallengePresent,
         isPhishingWarning: hasPhishingWarning,
         isTurnstile: hasTurnstileIframe || hasTurnstileContainer || hasTurnstileCheckbox,
         isJSChallenge: hasJSChallenge,
+        hasManagedChallenge,
         isChallengeCompleted,
         title,
         hasLegacyCheckbox,
@@ -849,10 +983,10 @@ async function handlePhishingWarning(page, currentUrl, forceDebug = false) {
   };
 
   try {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Checking for phishing warning on ${currentUrl}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Checking for phishing warning on ${currentUrl}`));
     
     // Shorter wait with timeout protection
-    await waitForTimeout(page, FAST_TIMEOUTS.PHISHING_WAIT);
+    await fastTimeout(FAST_TIMEOUTS.PHISHING_WAIT);
 
     const challengeInfo = await analyzeCloudflareChallenge(page);
     
@@ -861,30 +995,29 @@ async function handlePhishingWarning(page, currentUrl, forceDebug = false) {
       result.details = challengeInfo;
       
       if (forceDebug) {
-        console.log(formatLogMessage('cloudflare', `Phishing warning detected on ${currentUrl}:`));
-        console.log(formatLogMessage('cloudflare', `  Page Title: "${challengeInfo.title}"`));
-        console.log(formatLogMessage('cloudflare', `  Current URL: ${challengeInfo.url}`));
-        console.log(formatLogMessage('cloudflare', `  Body snippet: ${challengeInfo.bodySnippet}`));
+        // One structured line; matches the collapsed Challenge-detected log.
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Phishing warning detected on ${currentUrl}: title="${challengeInfo.title}" url=${challengeInfo.url}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG}   Body snippet: ${challengeInfo.bodySnippet}`));
       }
 
       try {
         // Use safe click with shorter timeout
         await safeClick(page, 'a[href*="continue"]', TIMEOUTS.PHISHING_CLICK);
-        await safeWaitForNavigation(page, TIMEOUTS.PHISHING_NAVIGATION);
-        
+        await safeWaitForNavigation(page, TIMEOUTS.PHISHING_NAVIGATION, forceDebug);
+
         result.success = true;
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Successfully bypassed phishing warning for ${currentUrl}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Successfully bypassed phishing warning for ${currentUrl}`));
       } catch (clickError) {
         result.error = `Failed to click continue button: ${clickError.message}`;
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Failed to bypass phishing warning: ${clickError.message}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Failed to bypass phishing warning: ${clickError.message}`));
       }
     } else {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `No phishing warning detected on ${currentUrl}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} No phishing warning detected on ${currentUrl}`));
       result.success = true; // No warning to handle
     }
   } catch (error) {
     result.error = error.message;
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Phishing warning check failed for ${currentUrl}: ${error.message}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Phishing warning check failed for ${currentUrl}: ${error.message}`));
   }
 
   return result;
@@ -917,10 +1050,10 @@ async function handleVerificationChallenge(page, currentUrl, forceDebug = false)
   };
 
   try {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Checking for verification challenge on ${currentUrl}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Checking for verification challenge on ${currentUrl}`));
     
     // Reduced wait time
-    await waitForTimeout(page, FAST_TIMEOUTS.CHALLENGE_WAIT);
+    await fastTimeout(FAST_TIMEOUTS.CHALLENGE_WAIT);
 
     const challengeInfo = await analyzeCloudflareChallenge(page);
     result.details = challengeInfo;
@@ -929,27 +1062,21 @@ async function handleVerificationChallenge(page, currentUrl, forceDebug = false)
       result.attempted = true;
       
       if (forceDebug) {
-        console.log(formatLogMessage('cloudflare', `Challenge detected on ${currentUrl}:`));
-        console.log(formatLogMessage('cloudflare', `  Page Title: "${challengeInfo.title}"`));
-        console.log(formatLogMessage('cloudflare', `  Current URL: ${challengeInfo.url}`));
-        console.log(formatLogMessage('cloudflare', `  Is Turnstile: ${challengeInfo.isTurnstile}`));
-        console.log(formatLogMessage('cloudflare', `  Is JS Challenge: ${challengeInfo.isJSChallenge}`));
-        console.log(formatLogMessage('cloudflare', `  Has Legacy Checkbox: ${challengeInfo.hasLegacyCheckbox}`));
-        console.log(formatLogMessage('cloudflare', `  Has Turnstile Iframe: ${challengeInfo.hasTurnstileIframe}`));
-        console.log(formatLogMessage('cloudflare', `  Has Turnstile Container: ${challengeInfo.hasTurnstileContainer}`));
-        console.log(formatLogMessage('cloudflare', `  Has Turnstile Checkbox: ${challengeInfo.hasTurnstileCheckbox}`));
-        console.log(formatLogMessage('cloudflare', `  Has CAPTCHA: ${challengeInfo.hasCaptcha}`));
-        console.log(formatLogMessage('cloudflare', `  Has Challenge Running: ${challengeInfo.hasChallengeRunning}`));
-        console.log(formatLogMessage('cloudflare', `  Has Data Ray: ${challengeInfo.hasDataRay}`));
-        console.log(formatLogMessage('cloudflare', `  Has Turnstile Response: ${challengeInfo.hasTurnstileResponse}`));
-        console.log(formatLogMessage('cloudflare', `  Body snippet: ${challengeInfo.bodySnippet}`));
+        // One structured line instead of 14 separate log calls. Flags use
+        // single-letter shorthand (t/f) to keep the line scannable; full
+        // bodySnippet stays on its own line because it's the only field
+        // that's worth more than a column-width of attention.
+        const f = (v) => v ? 't' : 'f';
+        const ci = challengeInfo;
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge detected on ${currentUrl}: title="${ci.title}" url=${ci.url} turnstile=${f(ci.isTurnstile)} js=${f(ci.isJSChallenge)} legacy=${f(ci.hasLegacyCheckbox)} iframe=${f(ci.hasTurnstileIframe)} container=${f(ci.hasTurnstileContainer)} checkbox=${f(ci.hasTurnstileCheckbox)} captcha=${f(ci.hasCaptcha)} running=${f(ci.hasChallengeRunning)} dataRay=${f(ci.hasDataRay)} tsResponse=${f(ci.hasTurnstileResponse)}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG}   Body snippet: ${ci.bodySnippet}`));
       }
 
       // Check for CAPTCHA that requires human intervention
       if (challengeInfo.hasCaptcha) {
         result.requiresHuman = true;
         result.error = 'CAPTCHA detected - requires human intervention';
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Skipping automatic bypass due to CAPTCHA requirement`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Skipping automatic bypass due to CAPTCHA requirement`));
         return result;
       }
 
@@ -960,12 +1087,12 @@ async function handleVerificationChallenge(page, currentUrl, forceDebug = false)
       result.method = solveResult.method;
       
     } else {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `No verification challenge detected on ${currentUrl}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} No verification challenge detected on ${currentUrl}`));
       result.success = true;
     }
   } catch (error) {
     result.error = error.message;
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge check failed for ${currentUrl}: ${error.message}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge check failed for ${currentUrl}: ${error.message}`));
   }
 
   return result;
@@ -974,179 +1101,146 @@ async function handleVerificationChallenge(page, currentUrl, forceDebug = false)
 /**
  * Enhanced challenge handling with retry logic and loop detection
  */
-async function handleVerificationChallengeWithRetries(page, currentUrl, siteConfig, forceDebug = false) {
-  const retryConfig = getRetryConfig(siteConfig);
-  const visitedUrls = []; // Track URLs to detect redirect loops
+/**
+ * Generic retry harness shared by the verification-challenge and
+ * phishing-warning paths (was ~150 lines of duplicated try/catch/backoff
+ * before extraction). Resolves with the inner result + bookkeeping fields
+ * (attempts, optional maxRetriesExceeded, optional errorType). Never
+ * rejects — the inner attemptFn's exceptions are categorized and either
+ * retried or bundled into a failure-result return.
+ *
+ * @param {object} cfg
+ * @param {string} cfg.label - Human label for logs ("Challenge" / "Phishing warning")
+ * @param {object} cfg.retryConfig - From getRetryConfig(siteConfig)
+ * @param {boolean} cfg.forceDebug
+ * @param {(attempt:number) => Promise<object>} cfg.attemptFn
+ * @param {object} [cfg.failureShape] - Extra fields merged into the
+ *   error/exhaustion return objects (e.g. {requiresHuman:false,method:null}
+ *   for the challenge path so its callers always see those keys).
+ * @param {(attempt:number) => Promise<object|null>} [cfg.preIteration]
+ *   Optional hook fired before each attempt. Return a result object to
+ *   short-circuit the harness (e.g. challenge loop-detected); return null
+ *   to proceed with the attempt.
+ * @param {(attempt:number) => Promise<void>} [cfg.betweenAttempts]
+ *   Optional hook fired after a failed attempt but before the next one
+ *   (e.g. page.reload() between challenge retries).
+ */
+async function runWithRetries(cfg) {
+  const { label, retryConfig, forceDebug, attemptFn,
+          failureShape = {}, preIteration, betweenAttempts } = cfg;
   let lastError = null;
-  
-  if (forceDebug) {
-    console.log(formatLogMessage('cloudflare', `Starting verification challenge with max ${retryConfig.maxAttempts} attempts`));
-  }
-  
+
   for (let attempt = 1; attempt <= retryConfig.maxAttempts; attempt++) {
     try {
-      const currentPageUrl = await page.url();
-      visitedUrls.push(currentPageUrl);
-      
-      // Check for redirect loops
-      if (detectChallengeLoop(currentPageUrl, visitedUrls)) {
-        const error = `Challenge redirect loop detected after ${attempt} attempts. URLs: ${visitedUrls.slice(-3).join(' -> ')}`;
-        if (forceDebug) {
-          console.log(formatLogMessage('cloudflare', error));
-        }
-        return {
-          success: false,
-          attempted: true,
-          error: error,
-          details: null,
-          requiresHuman: false,
-          method: null,
-          attempts: attempt,
-          loopDetected: true
-        };
+      if (preIteration) {
+        const earlyReturn = await preIteration(attempt);
+        if (earlyReturn) return earlyReturn;
       }
-      
+
       if (forceDebug && attempt > 1) {
-        console.log(formatLogMessage('cloudflare', `Challenge attempt ${attempt}/${retryConfig.maxAttempts} for ${currentUrl}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${label} attempt ${attempt}/${retryConfig.maxAttempts}`));
       }
-      
-      const result = await handleVerificationChallenge(page, currentUrl, forceDebug);
-      
+
+      const result = await attemptFn(attempt);
+
       if (result.success || result.requiresHuman || !retryConfig.retryOnError) {
         if (forceDebug && attempt > 1) {
-          console.log(`[debug][cloudflare] Challenge ${result.success ? 'succeeded' : 'failed'} on attempt ${attempt}`);
+          console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${label} ${result.success ? 'succeeded' : 'failed'} on attempt ${attempt}`));
         }
         return { ...result, attempts: attempt };
       }
-      
-      // If this wasn't the last attempt, wait before retrying
+
       if (attempt < retryConfig.maxAttempts) {
         const delay = getRetryDelay(attempt);
         if (forceDebug) {
-          console.log(formatLogMessage('cloudflare', `Challenge attempt ${attempt} failed, retrying in ${delay}ms: ${result.error}`));
+          console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${label} attempt ${attempt} failed, retrying in ${delay}ms: ${result.error}`));
         }
         await new Promise(resolve => setTimeout(resolve, delay));
-        
-        // Refresh the page to get a fresh challenge
-        try {
-          await page.reload({ waitUntil: 'domcontentloaded', timeout: 10000 });
-          await waitForTimeout(page, 2000); // Give challenge time to load
-        } catch (reloadErr) {
-          if (forceDebug) {
-            console.log(formatLogMessage('cloudflare', `Page reload failed on attempt ${attempt}: ${reloadErr.message}`));
-          }
-        }
+        if (betweenAttempts) await betweenAttempts(attempt);
       }
-      
       lastError = result.error;
     } catch (error) {
       lastError = error.message;
       const errorType = categorizeError(error);
-      
+
       if (forceDebug) {
-        console.warn(formatLogMessage('cloudflare', `Challenge attempt ${attempt}/${retryConfig.maxAttempts} failed: ${error.message} [${errorType}]`));
+        console.warn(formatLogMessage('warn', `${CLOUDFLARE_TAG} ${label} attempt ${attempt}/${retryConfig.maxAttempts} failed: ${error.message} [${errorType}]`));
       }
-      
-      // Don't retry if error type is not retryable or if it's the last attempt
+
       if (!retryConfig.retryableErrors.includes(errorType) || attempt === retryConfig.maxAttempts) {
         return {
-          success: false,
-          attempted: true,
-          error: lastError,
-          details: null,
-          requiresHuman: false,
-          method: null,
-          attempts: attempt,
-          errorType: errorType
+          success: false, attempted: true, error: lastError, details: null,
+          attempts: attempt, errorType, ...failureShape
         };
       }
-      
-      // Wait before retrying with exponential backoff
       if (attempt < retryConfig.maxAttempts) {
         await new Promise(resolve => setTimeout(resolve, getRetryDelay(attempt)));
       }
     }
   }
-  
+
   return {
-    success: false,
-    attempted: true,
-    error: `All ${retryConfig.maxAttempts} challenge attempts failed. Last error: ${lastError}`,
-    details: null,
-    requiresHuman: false,
-    method: null,
-    attempts: retryConfig.maxAttempts,
-    maxRetriesExceeded: true
+    success: false, attempted: true,
+    error: `All ${retryConfig.maxAttempts} ${label.toLowerCase()} attempts failed. Last error: ${lastError}`,
+    details: null, attempts: retryConfig.maxAttempts, maxRetriesExceeded: true,
+    ...failureShape
   };
 }
 
-/**
- * Enhanced phishing warning handling with retry logic
- */
-async function handlePhishingWarningWithRetries(page, currentUrl, siteConfig, forceDebug = false) {
+async function handleVerificationChallengeWithRetries(page, currentUrl, siteConfig, forceDebug = false) {
   const retryConfig = getRetryConfig(siteConfig);
-  let lastError = null;
-  
-  for (let attempt = 1; attempt <= retryConfig.maxAttempts; attempt++) {
-    try {
-      if (forceDebug && attempt > 1) {
-        console.log(formatLogMessage('cloudflare', `Phishing warning attempt ${attempt}/${retryConfig.maxAttempts} for ${currentUrl}`));
-      }
-      
-      const result = await handlePhishingWarning(page, currentUrl, forceDebug);
-      
-      if (result.success || !retryConfig.retryOnError) {
-        if (forceDebug && attempt > 1) {
-          console.log(`[debug][cloudflare] Phishing warning ${result.success ? 'succeeded' : 'failed'} on attempt ${attempt}`);
-        }
-        return { ...result, attempts: attempt };
-      }
-      
-      // If this wasn't the last attempt, wait before retrying
-      if (attempt < retryConfig.maxAttempts) {
-        const delay = getRetryDelay(attempt);
-        if (forceDebug) {
-          console.log(formatLogMessage('cloudflare', `Phishing warning attempt ${attempt} failed, retrying in ${delay}ms: ${result.error}`));
-        }
-        await new Promise(resolve => setTimeout(resolve, delay));
-      }
-      
-      lastError = result.error;
-    } catch (error) {
-      lastError = error.message;
-      const errorType = categorizeError(error);
-      
-      if (forceDebug) {
-        console.warn(formatLogMessage('cloudflare', `Phishing warning attempt ${attempt}/${retryConfig.maxAttempts} failed: ${error.message} [${errorType}]`));
-      }
-      
-      // Don't retry if error type is not retryable or if it's the last attempt
-      if (!retryConfig.retryableErrors.includes(errorType) || attempt === retryConfig.maxAttempts) {
+  const visitedUrls = []; // Track URLs to detect redirect loops
+
+  if (forceDebug) {
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Starting verification challenge with max ${retryConfig.maxAttempts} attempts`));
+  }
+
+  return runWithRetries({
+    label: 'Challenge',
+    retryConfig,
+    forceDebug,
+    failureShape: { requiresHuman: false, method: null },
+    preIteration: async (attempt) => {
+      const currentPageUrl = await page.url();
+      // Loop check BEFORE push — see detectChallengeLoop notes; the prior
+      // ordering counted the just-pushed URL against itself.
+      if (detectChallengeLoop(currentPageUrl, visitedUrls)) {
+        const error = `Challenge redirect loop detected after ${attempt} attempts. URLs: ${visitedUrls.slice(-3).join(' -> ')}`;
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${error}`));
         return {
-          success: false,
-          attempted: true,
-          error: lastError,
-          details: null,
-          attempts: attempt,
-          errorType: errorType
+          success: false, attempted: true, error, details: null,
+          requiresHuman: false, method: null, attempts: attempt, loopDetected: true
         };
       }
-      
-      // Wait before retrying with exponential backoff
-      if (attempt < retryConfig.maxAttempts) {
-        await new Promise(resolve => setTimeout(resolve, getRetryDelay(attempt)));
+      visitedUrls.push(currentPageUrl);
+      return null;
+    },
+    betweenAttempts: async (attempt) => {
+      // Refresh the page to get a fresh challenge between retries.
+      try {
+        await page.reload({ waitUntil: 'domcontentloaded', timeout: 10000 });
+        await fastTimeout(2000);
+      } catch (reloadErr) {
+        if (forceDebug) {
+          console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Page reload failed on attempt ${attempt}: ${reloadErr.message}`));
+        }
       }
-    }
-  }
-  
-  return {
-    success: false,
-    attempted: true,
-    error: `All ${retryConfig.maxAttempts} phishing warning attempts failed. Last error: ${lastError}`,
-    details: null,
-    attempts: retryConfig.maxAttempts,
-    maxRetriesExceeded: true
-  };
+    },
+    attemptFn: () => handleVerificationChallenge(page, currentUrl, forceDebug)
+  });
+}
+
+/**
+ * Enhanced phishing warning handling with retry logic
+ */
+async function handlePhishingWarningWithRetries(page, currentUrl, siteConfig, forceDebug = false) {
+  const retryConfig = getRetryConfig(siteConfig);
+  return runWithRetries({
+    label: 'Phishing warning',
+    retryConfig,
+    forceDebug,
+    attemptFn: () => handlePhishingWarning(page, currentUrl, forceDebug)
+  });
 }
 
 
@@ -1183,7 +1277,7 @@ async function attemptChallengeSolveWithTimeout(page, currentUrl, challengeInfo,
       clearTimeout(timeoutId);
     }
     result.error = `Challenge solving timed out: ${error.message}`;
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge solving timeout for ${currentUrl}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge solving timeout for ${currentUrl}`));
     return result;
   }
 }
@@ -1201,65 +1295,65 @@ async function attemptChallengeSolve(page, currentUrl, challengeInfo, forceDebug
   // Method 1: Handle JS challenges (wait for automatic completion) - Most reliable
   if (challengeInfo.isJSChallenge) {
     try {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Attempting JS challenge wait for ${currentUrl}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Attempting JS challenge wait for ${currentUrl}`));
       
       const jsResult = await waitForJSChallengeCompletion(page, forceDebug);
       if (jsResult.success) {
         // Wait for redirect after challenge completion
         try {
           await page.waitForNavigation({ waitUntil: 'domcontentloaded', timeout: 10000 });
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Post-challenge redirect completed for ${currentUrl}`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Post-challenge redirect completed for ${currentUrl}`));
         } catch (navErr) {
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Post-challenge redirect timeout (may already be on target page): ${navErr.message}`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Post-challenge redirect timeout (may already be on target page): ${navErr.message}`));
         }
         result.success = true;
         result.method = 'js_challenge_wait';
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `JS challenge completed successfully for ${currentUrl}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} JS challenge completed successfully for ${currentUrl}`));
         return result;
       }
     } catch (jsError) {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `JS challenge wait failed for ${currentUrl}: ${jsError.message}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} JS challenge wait failed for ${currentUrl}: ${jsError.message}`));
     }
   } else if (forceDebug) {
-    console.log(formatLogMessage('cloudflare', `Skipping JS challenge method (not detected)`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Skipping JS challenge method (not detected)`));
   }
 
   // Method 2: Handle Turnstile challenges (interactive)
   if (challengeInfo.isTurnstile) {
     try {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Attempting Turnstile method for ${currentUrl}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Attempting Turnstile method for ${currentUrl}`));
       
       const turnstileResult = await handleTurnstileChallenge(page, forceDebug);
       if (turnstileResult.success) {
         result.success = true;
         result.method = 'turnstile';
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Turnstile challenge solved successfully for ${currentUrl}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Turnstile challenge solved successfully for ${currentUrl}`));
         return result;
       }
     } catch (turnstileError) {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Turnstile method failed for ${currentUrl}: ${turnstileError.message}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Turnstile method failed for ${currentUrl}: ${turnstileError.message}`));
     }
   } else if (forceDebug) {
-    console.log(formatLogMessage('cloudflare', `Skipping Turnstile method (not detected)`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Skipping Turnstile method (not detected)`));
   }
 
   // Method 3: Legacy checkbox interaction (fallback)
   if (challengeInfo.hasLegacyCheckbox) {
     try {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Attempting legacy checkbox method for ${currentUrl}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Attempting legacy checkbox method for ${currentUrl}`));
       
       const legacyResult = await handleLegacyCheckbox(page, forceDebug);
       if (legacyResult.success) {
         result.success = true;
         result.method = 'legacy_checkbox';
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Legacy checkbox method succeeded for ${currentUrl}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Legacy checkbox method succeeded for ${currentUrl}`));
         return result;
       }
     } catch (legacyError) {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Legacy checkbox method failed for ${currentUrl}: ${legacyError.message}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Legacy checkbox method failed for ${currentUrl}: ${legacyError.message}`));
     }
   } else if (forceDebug) {
-    console.log(formatLogMessage('cloudflare', `Skipping legacy checkbox method (not detected)`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Skipping legacy checkbox method (not detected)`));
   }
 
   if (!result.success) {
@@ -1271,8 +1365,8 @@ async function attemptChallengeSolve(page, currentUrl, challengeInfo, forceDebug
           url: window.location.href,
           body: (document.body?.textContent || '').substring(0, 300)
         }));
-        console.log(formatLogMessage('cloudflare', `Post-attempt page state: title="${postState.title}" url=${postState.url}`));
-        console.log(formatLogMessage('cloudflare', `Post-attempt body: ${postState.body}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Post-attempt page state: title="${postState.title}" url=${postState.url}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Post-attempt body: ${postState.body}`));
       } catch (_) {}
     }
   }
@@ -1290,22 +1384,27 @@ async function handleEmbeddedIframeChallenge(page, forceDebug = false) {
   };
 
   try {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Checking for embedded iframe challenges`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Checking for embedded iframe challenges`));
 
     // Use CDP-level frame detection -- bypasses closed shadow roots
     const frames = page.frames();
     if (forceDebug) {
-      console.log(formatLogMessage('cloudflare', `Available frames (${frames.length}):`));
+      console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Available frames (${frames.length}):`));
       for (const f of frames) {
-        console.log(formatLogMessage('cloudflare', `  ${f.url()}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG}   ${f.url()}`));
       }
     }
     const challengeFrame = frames.find(frame => {
       const frameUrl = frame.url();
+      // `/turnstile/if/` is the canonical Cloudflare path; the bare
+      // `turnstile` substring check that used to also live here was a
+      // strict superset of it, making the narrower check dead. Kept
+      // the specific path so unrelated iframes whose URL happens to
+      // contain "turnstile" elsewhere (e.g. third-party CAPTCHA
+      // wrappers, query params) don't get picked up.
       return frameUrl.includes('challenges.cloudflare.com') ||
              frameUrl.includes('/cdn-cgi/challenge-platform/') ||
-             frameUrl.includes('/turnstile/if/') ||
-             frameUrl.includes('turnstile');
+             frameUrl.includes('/turnstile/if/');
     });
 
     if (!challengeFrame) {
@@ -1313,9 +1412,9 @@ async function handleEmbeddedIframeChallenge(page, forceDebug = false) {
       return result;
     }
 
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Interacting with iframe: ${challengeFrame.url()}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Interacting with iframe: ${challengeFrame.url()}`));
 
-    await waitForTimeout(page, 500);
+    await fastTimeout(500);
 
     let checkboxInteractionSuccess = false;
     try {
@@ -1330,14 +1429,14 @@ async function handleEmbeddedIframeChallenge(page, forceDebug = false) {
 
       if (shadowResult.clicked) {
         checkboxInteractionSuccess = true;
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Shadow DOM click succeeded: ${shadowResult.selector}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Shadow DOM click succeeded: ${shadowResult.selector}`));
       } else if (shadowResult.found && shadowResult.x > 0) {
         await page.mouse.click(shadowResult.x, shadowResult.y);
         checkboxInteractionSuccess = true;
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Shadow DOM mouse fallback at (${shadowResult.x}, ${shadowResult.y})`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Shadow DOM mouse fallback at (${shadowResult.x}, ${shadowResult.y})`));
       }
     } catch (shadowErr) {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Shadow DOM click failed: ${shadowErr.message}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Shadow DOM click failed: ${shadowErr.message}`));
     }
 
     if (!checkboxInteractionSuccess) {
@@ -1346,10 +1445,10 @@ async function handleEmbeddedIframeChallenge(page, forceDebug = false) {
         const iframeElement = await page.$('iframe[src*="challenges.cloudflare.com"]');
         if (iframeElement) {
           await iframeElement.click();
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Clicked iframe container as fallback`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Clicked iframe container as fallback`));
         }
       } catch (containerClickError) {
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Container click failed: ${containerClickError.message}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Container click failed: ${containerClickError.message}`));
       }
     }
 
@@ -1371,15 +1470,15 @@ async function handleEmbeddedIframeChallenge(page, forceDebug = false) {
       ]);
 
       result.success = true;
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Embedded iframe challenge completed`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Embedded iframe challenge completed`));
     } catch (completionError) {
       result.error = `Challenge completion check failed: ${completionError.message}`;
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Completion check failed: ${completionError.message}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Completion check failed: ${completionError.message}`));
     }
 
   } catch (error) {
     result.error = `Embedded iframe handling failed: ${error.message}`;
-    if (forceDebug) console.log(formatLogMessage('cloudflare', result.error));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${result.error}`));
   }
 
   return result;
@@ -1397,17 +1496,25 @@ async function waitForJSChallengeCompletion(page, forceDebug = false) {
   let timeoutId = null;
 
   try {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Waiting for JS challenge completion`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Waiting for JS challenge completion`));
 
     const timeoutPromise = new Promise((_, reject) => {
       timeoutId = setTimeout(() => reject(new Error('JS challenge timeout')), TIMEOUTS.JS_CHALLENGE_BUFFER);
     });
     
-    // Reduced timeout for JS challenge completion
+    // Reduced timeout for JS challenge completion.
+    // Cap body.textContent to 2KB per poll -- same cap as
+    // analyzeCloudflareChallenge / checkChallengeCompletion. waitForFunction
+    // polls at ~100ms over up to 10s = ~100 evaluations; on a content-heavy
+    // page that resolves the challenge and then renders the original page,
+    // uncapped textContent could materialize MB of DOM text per poll. The
+    // four substrings we're testing for ("Verification successful",
+    // "Checking your browser", "Please wait while we verify") all appear
+    // well within the first 2KB of CF challenge pages.
     await Promise.race([
       page.waitForFunction(
         () => {
-          const bodyText = document.body.textContent;
+          const bodyText = document.body ? document.body.textContent.substring(0, 2000) : '';
           if (bodyText.includes('Verification successful')) return true;
           return !bodyText.includes('Checking your browser') &&
                  !bodyText.includes('Please wait while we verify') &&
@@ -1425,7 +1532,7 @@ async function waitForJSChallengeCompletion(page, forceDebug = false) {
     }
     
     result.success = true;
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `JS challenge completed automatically`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} JS challenge completed automatically`));
   } catch (error) {
     // Clear timeout on error
     if (timeoutId) {
@@ -1433,7 +1540,7 @@ async function waitForJSChallengeCompletion(page, forceDebug = false) {
     }
 
     result.error = `JS challenge timeout: ${error.message}`;
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `JS challenge wait failed: ${error.message}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} JS challenge wait failed: ${error.message}`));
   }
 
   return result;
@@ -1454,12 +1561,9 @@ async function handleTurnstileChallenge(page, forceDebug = false) {
     return { ...result, success: true };
   }
   
-  if (forceDebug) console.log(formatLogMessage('cloudflare', `Embedded iframe failed: ${iframeResult.error}, trying legacy method`));
+  if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Embedded iframe failed: ${iframeResult.error}, trying legacy method`));
 
   try {
-    // Use fast timeout for Turnstile operations
-    const turnstileTimeout = FAST_TIMEOUTS.TURNSTILE_OPERATION;
-    
     const turnstileSelectors = [
       'iframe[src*="challenges.cloudflare.com"]',
       'iframe[title*="Widget containing a Cloudflare"]',
@@ -1480,21 +1584,21 @@ async function handleTurnstileChallenge(page, forceDebug = false) {
           frame.url().includes('turnstile')
         );
         if (turnstileFrame) {
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Found Turnstile iframe using selector: ${selector}`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Found Turnstile iframe using selector: ${selector}`));
           break;
         }
       } catch (e) {
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Selector ${selector} not found or timed out`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Selector ${selector} not found or timed out`));
         continue;
       }
     }
 
     if (turnstileFrame) {
       if (forceDebug) {
-        console.log(formatLogMessage('cloudflare', `Found Turnstile iframe with URL: ${turnstileFrame.url()}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Found Turnstile iframe with URL: ${turnstileFrame.url()}`));
       }
       
-      await waitForTimeout(page, FAST_TIMEOUTS.ELEMENT_INTERACTION_DELAY);
+      await fastTimeout(FAST_TIMEOUTS.ELEMENT_INTERACTION_DELAY);
 
       try {
         const shadowResult = await clickInShadowDOM(turnstileFrame, [
@@ -1507,13 +1611,13 @@ async function handleTurnstileChallenge(page, forceDebug = false) {
         ], forceDebug);
 
         if (shadowResult.clicked) {
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Turnstile shadow DOM click succeeded: ${shadowResult.selector}`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Turnstile shadow DOM click succeeded: ${shadowResult.selector}`));
         } else if (shadowResult.found && shadowResult.x > 0) {
           await page.mouse.click(shadowResult.x, shadowResult.y);
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Turnstile shadow DOM mouse fallback at (${shadowResult.x}, ${shadowResult.y})`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Turnstile shadow DOM mouse fallback at (${shadowResult.x}, ${shadowResult.y})`));
         }
       } catch (shadowErr) {
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Shadow DOM fallback failed: ${shadowErr.message}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Shadow DOM fallback failed: ${shadowErr.message}`));
       }
       
       // Wait for Turnstile completion with reduced timeout
@@ -1528,11 +1632,11 @@ async function handleTurnstileChallenge(page, forceDebug = false) {
         new Promise((_, reject) => setTimeout(() => reject(new Error('Turnstile completion timeout')), TIMEOUTS.TURNSTILE_COMPLETION_BUFFER))
       ]);
       
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Turnstile response token generated successfully`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Turnstile response token generated successfully`));
       result.success = true;
     } else {
       // Try container-based Turnstile (non-iframe)
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `No Turnstile iframe found, trying container-based approach`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} No Turnstile iframe found, trying container-based approach`));
       
       const containerSelectors = [
         '.cf-turnstile',
@@ -1547,32 +1651,32 @@ async function handleTurnstileChallenge(page, forceDebug = false) {
             new Promise((_, reject) => setTimeout(() => reject(new Error('Container timeout')), FAST_TIMEOUTS.SELECTOR_WAIT + 500))
           ]);
           
-          await waitForTimeout(page, FAST_TIMEOUTS.ELEMENT_INTERACTION_DELAY);
+          await fastTimeout(FAST_TIMEOUTS.ELEMENT_INTERACTION_DELAY);
           await page.click(selector);
           
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Clicked Turnstile container: ${selector}`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Clicked Turnstile container: ${selector}`));
           
           const completionCheck = await checkChallengeCompletion(page);
           if (completionCheck.isCompleted) {
             result.success = true;
-            if (forceDebug) console.log(formatLogMessage('cloudflare', `Container-based Turnstile completed successfully`));
+            if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Container-based Turnstile completed successfully`));
             break;
           }
         } catch (e) {
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Container selector ${selector} not found or failed`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Container selector ${selector} not found or failed`));
           continue;
         }
       }
       
       if (!result.success) {
         result.error = 'Turnstile iframe/container not found or not interactive';
-        if (forceDebug) console.log(formatLogMessage('cloudflare', result.error));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${result.error}`));
       }
     }
     
   } catch (error) {
     result.error = `Turnstile handling failed: ${error.message}`;
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Turnstile handling error: ${error.message}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Turnstile handling error: ${error.message}`));
   }
 
   return result;
@@ -1588,12 +1692,22 @@ async function handleLegacyCheckbox(page, forceDebug = false) {
   };
 
   try {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Attempting legacy checkbox challenge`));
-    
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Attempting legacy checkbox challenge`));
+
+    // Aligned with the two selectors analyzeCloudflareChallenge uses to
+    // set hasLegacyCheckbox (line ~789). A third selector
+    // `.cf-turnstile input[type="checkbox"]` used to live here as a
+    // fallback, but it had no matching detection entry -- meaning the
+    // analyzer would never set hasLegacyCheckbox=true on a Turnstile-
+    // embedded-checkbox page, so this handler was never invoked for it
+    // anyway. Turnstile-embedded checkboxes are handled by
+    // handleTurnstileChallenge's container-click path (clicking
+    // `.cf-turnstile` triggers the embedded checkbox via CF's widget
+    // script). Keeping the orphan selector here created a phantom
+    // fallback that only fired in unreachable-in-practice scenarios.
     const legacySelectors = [
       'input[type="checkbox"]#challenge-form',
-      'input[type="checkbox"][name="cf_captcha_kind"]',
-      '.cf-turnstile input[type="checkbox"]'
+      'input[type="checkbox"][name="cf_captcha_kind"]'
     ];
 
     for (const selector of legacySelectors) {
@@ -1606,29 +1720,29 @@ async function handleLegacyCheckbox(page, forceDebug = false) {
         const checkbox = await page.$(selector);
         if (checkbox) {
           await checkbox.click();
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Clicked legacy checkbox: ${selector}`));
+          if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Clicked legacy checkbox: ${selector}`));
 
           const completionCheck = await checkChallengeCompletion(page);
           if (completionCheck.isCompleted) {
             result.success = true;
-            if (forceDebug) console.log(formatLogMessage('cloudflare', `Legacy checkbox challenge completed successfully`));
+            if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Legacy checkbox challenge completed successfully`));
             break;
           }
         }
       } catch (e) {
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Legacy selector ${selector} failed: ${e.message}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Legacy selector ${selector} failed: ${e.message}`));
         continue;
       }
     }
 
     if (!result.success) {
       result.error = 'No interactive legacy checkbox found';
-      if (forceDebug) console.log(formatLogMessage('cloudflare', result.error));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} ${result.error}`));
     }
     
   } catch (error) {
     result.error = `Legacy checkbox handling failed: ${error.message}`;
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Legacy checkbox error: ${error.message}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Legacy checkbox error: ${error.message}`));
   }
 
   return result;
@@ -1708,44 +1822,101 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
   const cfBypassEnabled = siteConfig.cloudflare_bypass === true || siteConfig.cloudflare_bypass === 'debug';
   const cfPhishEnabled = siteConfig.cloudflare_phish === true || siteConfig.cloudflare_phish === 'debug';
 
-  // Outcome-summary bookkeeping. Only paid for in debug mode — page.cookies()
-  // is a real CDP round-trip we don't want on every URL in production.
+  // Outcome-summary bookkeeping. Cookie state (page.cookies() = CDP
+  // round-trip) is paid for only in debug mode. The structured outcome
+  // line ALSO fires as a warn in production for !overallSuccess /
+  // timedOut so a normal scan log captures every failure with cf-ray
+  // for correlation, without needing a debug re-run.
   // navInfo carries httpStatus + cfRay captured at page.goto time by the
   // caller (response object isn't reachable from the page after navigation).
   const startMs = Date.now();
+  // Per-stage timing breakdown surfaced in the outcome line. Helps pinpoint
+  // which stage dominates wall-clock when scans get slow.
+  const timings = { quick: 0, phish: 0, challenge: 0 };
   let cookiesBefore = { cf_clearance: false, cf_bm: false };
   if (forceDebug) cookiesBefore = await getCfCookieState(page);
   let errorCode = null; // populated once quickDetection runs
   const logOutcome = async (result) => {
-    if (forceDebug) {
-      try {
+    // One try wraps EVERYTHING summary-related: aggregate bump, outcome
+    // computation, cookie reads, and log emission. The original code wrapped
+    // only the log block, so a future throw in bumpAggregate would have
+    // propagated past the "never let summary logging affect the return"
+    // intent. Returning `result` from inside the try is fine -- there's no
+    // finally and no further work after the log site.
+    try {
+      const durationMs = Date.now() - startMs;
+      const outcome = buildOutcomeString(result, errorCode);
+      // Always update aggregates regardless of debug mode -- so
+      // getAggregateStats() returns useful end-of-scan numbers even in
+      // silent production runs.
+      bumpAggregate(outcome, result, durationMs);
+
+      // Three-tier production severity:
+      //   isFailure        -> warn   (overallSuccess=false OR adaptive timeout
+      //                                fired -- the scanner did NOT do its job)
+      //   isUpstreamError  -> info   (CF returned a 5xx origin-error page; the
+      //                                scanner did its job, the origin is just
+      //                                unreachable. Not bypass-actionable but
+      //                                worth per-URL visibility against CF's
+      //                                edge logs.)
+      //   otherwise        -> silent in production (debug still gets everything)
+      const isFailure = !result.overallSuccess || result.timedOut;
+      const isUpstreamError = !!result.cloudflareErrorPage;
+      if (!forceDebug && !isFailure && !isUpstreamError) return result;
+
+      // Build common tail once (DRY: shared between debug, warn, and info lines).
+      const statusTag = navInfo.httpStatus != null ? ` | http=${navInfo.httpStatus}` : '';
+      const rayTag = navInfo.cfRay ? ` | cf-ray=${navInfo.cfRay}` : '';
+      // Emit only non-zero stages -- previously every line carried
+      // `q=2400ms p=0ms c=0ms` even on phishing-only or quick-only paths,
+      // which was visually noisy in production warn output.
+      const stageParts = [];
+      if (timings.quick > 0)     stageParts.push(`q=${timings.quick}ms`);
+      if (timings.phish > 0)     stageParts.push(`p=${timings.phish}ms`);
+      if (timings.challenge > 0) stageParts.push(`c=${timings.challenge}ms`);
+      const timingTag = stageParts.length > 0 ? ` | ${stageParts.join(' ')}` : '';
+      const tail = `${outcome}${statusTag}${rayTag} | duration=${durationMs}ms${timingTag}`;
+
+      if (forceDebug) {
         const cookiesAfter = await getCfCookieState(page);
-        const outcome = buildOutcomeString(result, errorCode);
         const clearanceTag = cookiesAfter.cf_clearance
           ? (cookiesBefore.cf_clearance ? 'clearance=preexisting' : 'clearance=gained')
           : 'clearance=no';
         const bmTag = cookiesAfter.cf_bm
           ? (cookiesBefore.cf_bm ? 'cf_bm=preexisting' : 'cf_bm=gained')
           : 'cf_bm=no';
-        const statusTag = navInfo.httpStatus != null ? ` | http=${navInfo.httpStatus}` : '';
-        const rayTag = navInfo.cfRay ? ` | cf-ray=${navInfo.cfRay}` : '';
-        console.log(formatLogMessage('cloudflare', `Outcome for ${currentUrl}: ${outcome} | ${clearanceTag} | ${bmTag}${statusTag}${rayTag} | duration=${Date.now() - startMs}ms`));
-      } catch (_) { /* never let summary logging affect the return */ }
-    }
+        // Debug line splices cookie state in BETWEEN outcome and the rest of
+        // the tail, so it can't share the tail string verbatim -- but every
+        // other component is computed once above.
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Outcome for ${currentUrl}: ${outcome} | ${clearanceTag} | ${bmTag}${statusTag}${rayTag} | duration=${durationMs}ms${timingTag}`));
+      } else if (isFailure) {
+        // Production failure: skip cookie state (avoid CDP round-trip) but
+        // keep cf-ray / http / timings -- enough to correlate failures
+        // against CF's edge logs and identify slow stages. isFailure takes
+        // precedence over isUpstreamError because a bypass that failed for
+        // both reasons (overall failure + error page) is more meaningfully
+        // categorized as a failure than as an upstream issue.
+        console.warn(formatLogMessage('warn', `${CLOUDFLARE_TAG} Outcome for ${currentUrl}: ${tail}`));
+      } else {
+        // Production upstream-error (5xx). Routed at info severity because
+        // your scanner did everything it could -- the origin is just down.
+        console.log(formatLogMessage('info', `${CLOUDFLARE_TAG} Outcome for ${currentUrl}: ${tail}`));
+      }
+    } catch (_) { /* never let summary logging affect the return */ }
     return result;
   };
 
   if (cfDebug && !_moduleVersionLogged) {
     // Print once per process; the version is global and doesn't change
     // between URLs. Subsequent calls stay silent.
-    console.log(formatLogMessage('cloudflare', `Using Cloudflare module v${CLOUDFLARE_MODULE_VERSION}`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Using Cloudflare module v${CLOUDFLARE_MODULE_VERSION}`));
     _moduleVersionLogged = true;
   }
 
   // VALIDATE URL FIRST - Skip protection handling for non-HTTP(S) URLs
   if (!shouldProcessUrl(currentUrl, forceDebug)) {
     if (forceDebug) {
-      console.log(formatLogMessage('cloudflare', `Skipping protection handling for non-HTTP(S) URL: ${currentUrl}`));
+      console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Skipping protection handling for non-HTTP(S) URL: ${currentUrl}`));
     }
     return await logOutcome({
       phishingWarning: { attempted: false, success: true },
@@ -1757,7 +1928,9 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
   }
 
   // Quick detection first - exit early if no Cloudflare detected and no explicit config
+  const quickStart = Date.now();
   const quickDetection = await quickCloudflareDetection(page, forceDebug);
+  timings.quick = Date.now() - quickStart;
   if (quickDetection && quickDetection.errorCode) errorCode = quickDetection.errorCode;
 
   // Safety check: ensure quickDetection is valid
@@ -1773,12 +1946,20 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
   if (!quickDetection.hasIndicators) {
     if (forceDebug) {
       const cachedTag = quickDetection._fromCache ? ' [cached]' : '';
-      if (quickDetection.hasErrorPage) {
-        console.log(formatLogMessage('cloudflare', `Cloudflare error page detected${cachedTag} (origin unreachable, no bypass possible) for ${currentUrl}`));
+      if (quickDetection.skippedInvalidUrl) {
+        // Live page URL isn't HTTP(S) -- typically a popup/redirect dropped
+        // the page to about:blank between page.goto() and our detection
+        // call. quickCloudflareDetection short-circuits before the
+        // page.evaluate, so title/bodySnippet are absent. The old code
+        // logged them anyway and rendered literal "undefined" strings.
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Live page URL is not HTTP(S) -- detection skipped for ${currentUrl} (likely popup/redirect to about:blank)`));
+      } else if (quickDetection.hasErrorPage) {
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Cloudflare error page detected${cachedTag} (origin unreachable, no bypass possible) for ${currentUrl}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Quick detection details${cachedTag}: title="${quickDetection.title}", bodySnippet="${quickDetection.bodySnippet}"`));
       } else {
-        console.log(formatLogMessage('cloudflare', `No Cloudflare indicators found${cachedTag}, skipping protection handling for ${currentUrl}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} No Cloudflare indicators found${cachedTag}, skipping protection handling for ${currentUrl}`));
+        console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Quick detection details${cachedTag}: title="${quickDetection.title}", bodySnippet="${quickDetection.bodySnippet}"`));
       }
-      console.log(formatLogMessage('cloudflare', `Quick detection details${cachedTag}: title="${quickDetection.title}", bodySnippet="${quickDetection.bodySnippet}"`));
     }
     return await logOutcome({
       phishingWarning: { attempted: false, success: true },
@@ -1786,6 +1967,12 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
       overallSuccess: true,
       errors: [],
       skippedNoIndicators: true,
+      // Propagate quickCloudflareDetection's internal short-circuit so
+      // buildOutcomeString routes to 'skipped(non-http)' instead of the
+      // misleading 'no_indicators'. The latter implies detection ran and
+      // found nothing; the former honestly says "didn't run because the
+      // live page URL wasn't HTTP(S)".
+      skippedInvalidUrl: !!quickDetection.skippedInvalidUrl,
       cloudflareErrorPage: !!quickDetection.hasErrorPage
     });
   }
@@ -1801,39 +1988,39 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
   };
 
   try {
-    // Adaptive timeout based on detection results and explicit config
-    let adaptiveTimeout;
-    if (cfPhishEnabled || cfBypassEnabled) {
-      // Explicit config - give more time
-      adaptiveTimeout = quickDetection.hasIndicators ? TIMEOUTS.ADAPTIVE_TIMEOUT_WITH_INDICATORS : TIMEOUTS.ADAPTIVE_TIMEOUT_WITHOUT_INDICATORS;
-    } else {
-      // Auto-detected only - shorter timeout
-      adaptiveTimeout = quickDetection.hasIndicators ? TIMEOUTS.ADAPTIVE_TIMEOUT_AUTO_WITH_INDICATORS : TIMEOUTS.ADAPTIVE_TIMEOUT_AUTO_WITHOUT_INDICATORS;
-    }
+    // Adaptive timeout based on explicit config. hasIndicators is guaranteed
+    // truthy here: the early-return above this block filters out the
+    // no-indicators path, so the WITHOUT_INDICATORS branches that used to
+    // sit here were dead code.
+    const adaptiveTimeout = (cfPhishEnabled || cfBypassEnabled)
+      ? TIMEOUTS.ADAPTIVE_TIMEOUT_WITH_INDICATORS
+      : TIMEOUTS.ADAPTIVE_TIMEOUT_AUTO_WITH_INDICATORS;
 
     if (forceDebug) {
-      console.log(formatLogMessage('cloudflare', `Using adaptive timeout of ${adaptiveTimeout}ms for ${currentUrl} (indicators: ${quickDetection.hasIndicators}, explicit config: ${!!(siteConfig.cloudflare_phish || siteConfig.cloudflare_bypass)})`));
+      console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Using adaptive timeout of ${adaptiveTimeout}ms for ${currentUrl} (indicators: ${quickDetection.hasIndicators}, explicit config: ${!!(siteConfig.cloudflare_phish || siteConfig.cloudflare_bypass)})`));
     }
     
-    // Check if this domain already timed out -- skip immediately
-    try {
-      const outcomeCacheKey = 'outcome:' + new URL(currentUrl).hostname;
-      const cachedOutcome = detectionCache.cache.get(outcomeCacheKey);
-      if (cachedOutcome && cachedOutcome.data && cachedOutcome.data.timedOut && Date.now() - cachedOutcome.timestamp < detectionCache.ttl) {
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Skipping ${currentUrl} -- domain already timed out on a previous URL`));
-        return await logOutcome(cachedOutcome.data);
-      }
-    } catch (e) { /* malformed URL, proceed normally */ }
+    // Check if this domain already timed out -- skip immediately.
+    // getOutcome handles TTL + the malformed-URL fallback internally.
+    const cachedOutcome = detectionCache.getOutcome(currentUrl);
+    if (cachedOutcome && cachedOutcome.timedOut) {
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Skipping ${currentUrl} -- domain already timed out on a previous URL`));
+      return await logOutcome(cachedOutcome);
+    }
     
     let adaptiveTimeoutId = null;
     const handlingResult = await Promise.race([
-      performCloudflareHandling(page, currentUrl, siteConfig, cfDebug).then(r => {
+      // Pass the pre-derived bypass/phish flags so performCloudflareHandling
+      // doesn't re-parse siteConfig.cloudflare_bypass strings a second time.
+      // `timings` is mutated in place by performCloudflareHandling so the
+      // outcome line can report per-stage durations.
+      performCloudflareHandling(page, currentUrl, siteConfig, cfDebug, { cfBypassEnabled, cfPhishEnabled }, timings).then(r => {
         if (adaptiveTimeoutId) clearTimeout(adaptiveTimeoutId);
         return r;
       }),
       new Promise((resolve) => {
         adaptiveTimeoutId = setTimeout(() => {
-        console.warn(formatLogMessage('cloudflare', `Adaptive timeout (${adaptiveTimeout}ms) for ${currentUrl} - continuing with scan`));
+        console.warn(formatLogMessage('warn', `${CLOUDFLARE_TAG} Adaptive timeout (${adaptiveTimeout}ms) for ${currentUrl} - continuing with scan`));
           resolve({
             phishingWarning: { attempted: false, success: true },
             verificationChallenge: { attempted: false, success: true },
@@ -1847,33 +2034,36 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
     
     // Cache timeout results at domain level so subsequent URLs skip immediately
     if (handlingResult.timedOut) {
-      try {
-        const outcomeCacheKey = 'outcome:' + new URL(currentUrl).hostname;
-        detectionCache.cache.set(outcomeCacheKey, { data: handlingResult, timestamp: Date.now() });
-      } catch (e) { /* malformed URL, skip caching */ }
+      detectionCache.setOutcome(currentUrl, handlingResult);
     }
     
     return await logOutcome(handlingResult);
   } catch (error) {
     result.overallSuccess = false;
     result.errors.push(`Cloudflare handling failed: ${error.message}`);
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Overall handling failed: ${error.message}`));
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Overall handling failed: ${error.message}`));
     return await logOutcome(result);
   }
 }
 
 /**
- * Performs the actual Cloudflare handling with enhanced debug logging
- * 
- * @param {Object} page - Puppeteer page instance  
+ * Performs the actual Cloudflare handling with enhanced debug logging.
+ * Only ever called from handleCloudflareProtection's adaptive-timeout race,
+ * so the bypass/phish flags arrive pre-derived in `flags` to avoid reparsing
+ * siteConfig string variants twice per URL.
+ *
+ * @param {Object} page - Puppeteer page instance
  * @param {string} currentUrl - URL being processed
- * @param {Object} siteConfig - Configuration flags
+ * @param {Object} siteConfig - Forwarded to the retry harnesses for getRetryConfig
  * @param {boolean} forceDebug - Debug logging flag
+ * @param {{cfBypassEnabled:boolean, cfPhishEnabled:boolean}} flags
+ * @param {{quick:number, phish:number, challenge:number}} [timings] - In-place
+ *   timing accumulator from the caller. Populated as each stage completes so
+ *   the outer outcome line can report per-stage durations.
  * @returns {Promise<Object>} Same structure as handleCloudflareProtection()
  */
-async function performCloudflareHandling(page, currentUrl, siteConfig, forceDebug = false) {
-  const cfBypassEnabled = siteConfig.cloudflare_bypass === true || siteConfig.cloudflare_bypass === 'debug';
-  const cfPhishEnabled = siteConfig.cloudflare_phish === true || siteConfig.cloudflare_phish === 'debug';
+async function performCloudflareHandling(page, currentUrl, siteConfig, forceDebug, flags, timings = {}) {
+  const { cfBypassEnabled, cfPhishEnabled } = flags;
 
   const result = {
     phishingWarning: { attempted: false, success: false },
@@ -1882,22 +2072,24 @@ async function performCloudflareHandling(page, currentUrl, siteConfig, forceDebu
     errors: []
   };
 
-  if (forceDebug) console.log(formatLogMessage('cloudflare', `Starting Cloudflare protection handling for ${currentUrl}`));
+  if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Starting Cloudflare protection handling for ${currentUrl}`));
 
   // Handle phishing warnings first - updates result.phishingWarning
   // Only runs if siteConfig.cloudflare_phish === true
   // Handle phishing warnings if enabled
   if (cfPhishEnabled) {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Phishing warning bypass enabled for ${currentUrl}`));
-    
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Phishing warning bypass enabled for ${currentUrl}`));
+
+    const phishStart = Date.now();
     const phishingResult = await handlePhishingWarningWithRetries(page, currentUrl, siteConfig, forceDebug);
+    timings.phish = Date.now() - phishStart;
     result.phishingWarning = phishingResult;
 
     // Check for max retries exceeded
     if (phishingResult.maxRetriesExceeded) {
       result.overallSuccess = false;
       result.errors.push(`Phishing warning bypass exceeded max retries (${phishingResult.attempts}): ${phishingResult.error}`);
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Phishing warning max retries exceeded: ${phishingResult.error}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Phishing warning max retries exceeded: ${phishingResult.error}`));
       // Exit early if max retries exceeded
       return result;
     }
@@ -1906,16 +2098,16 @@ async function performCloudflareHandling(page, currentUrl, siteConfig, forceDebu
       result.overallSuccess = false;
       if (phishingResult.loopDetected) {
         result.errors.push(`Phishing warning bypass failed (redirect loop): ${phishingResult.error}`);
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Phishing warning redirect loop detected: ${phishingResult.error}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Phishing warning redirect loop detected: ${phishingResult.error}`));
       } else {
         result.errors.push(`Phishing warning bypass failed: ${phishingResult.error}`);
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Phishing warning handling failed: ${phishingResult.error}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Phishing warning handling failed: ${phishingResult.error}`));
       }
     } else if (phishingResult.attempted && phishingResult.success) {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Phishing warning handled successfully`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Phishing warning handled successfully`));
     }
   } else if (forceDebug) {
-    console.log(formatLogMessage('cloudflare', `Phishing warning bypass disabled for ${currentUrl}`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Phishing warning bypass disabled for ${currentUrl}`));
   }
 
   // Handle verification challenges second - updates result.verificationChallenge  
@@ -1923,16 +2115,18 @@ async function performCloudflareHandling(page, currentUrl, siteConfig, forceDebu
   // Sets requiresHuman: true if CAPTCHA detected (no bypass attempted)
   // Handle verification challenges if enabled
   if (cfBypassEnabled) {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge bypass enabled for ${currentUrl}`));
-    
+    if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge bypass enabled for ${currentUrl}`));
+
+    const challengeStart = Date.now();
     const challengeResult = await handleVerificationChallengeWithRetries(page, currentUrl, siteConfig, forceDebug);
+    timings.challenge = Date.now() - challengeStart;
     result.verificationChallenge = challengeResult;
 
     // Check for max retries exceeded
     if (challengeResult.maxRetriesExceeded) {
       result.overallSuccess = false;
       result.errors.push(`Challenge bypass exceeded max retries (${challengeResult.attempts}): ${challengeResult.error}`);
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge bypass max retries exceeded: ${challengeResult.error}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge bypass max retries exceeded: ${challengeResult.error}`));
       // Exit early if max retries exceeded
       return result;
     }
@@ -1941,31 +2135,31 @@ async function performCloudflareHandling(page, currentUrl, siteConfig, forceDebu
       result.overallSuccess = false;
       if (challengeResult.requiresHuman) {
         result.errors.push(`Human intervention required: ${challengeResult.error}`);
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Human intervention required: ${challengeResult.error}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Human intervention required: ${challengeResult.error}`));
       } else if (challengeResult.loopDetected) {
         result.errors.push(`Challenge bypass failed (redirect loop): ${challengeResult.error}`);
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge redirect loop detected: ${challengeResult.error}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge redirect loop detected: ${challengeResult.error}`));
       } else {
         result.errors.push(`Challenge bypass failed: ${challengeResult.error}`);
-        if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge bypass failed: ${challengeResult.error}`));
+        if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge bypass failed: ${challengeResult.error}`));
       }
     } else if (challengeResult.attempted && challengeResult.success) {
-      if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge handled successfully using method: ${challengeResult.method || 'unknown'}`));
+      if (forceDebug) console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge handled successfully using method: ${challengeResult.method || 'unknown'}`));
     }
   } else if (forceDebug) {
-     console.log(formatLogMessage('cloudflare', `Challenge bypass disabled for ${currentUrl}`));
+     console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Challenge bypass disabled for ${currentUrl}`));
   }
 
   // Log overall result
   if (!result.overallSuccess && forceDebug) {
-    console.log(formatLogMessage('cloudflare', `Overall Cloudflare handling failed for ${currentUrl}:`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Overall Cloudflare handling failed for ${currentUrl}:`));
     result.errors.forEach(error => {
-      console.log(formatLogMessage('cloudflare', `  - ${error}`));
+      console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG}   - ${error}`));
     });
   } else if ((result.phishingWarning.attempted || result.verificationChallenge.attempted) && forceDebug) {
-    console.log(formatLogMessage('cloudflare', `Successfully handled Cloudflare protections for ${currentUrl}`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Successfully handled Cloudflare protections for ${currentUrl}`));
   } else if (forceDebug) {
-    console.log(formatLogMessage('cloudflare', `No Cloudflare protections detected or enabled for ${currentUrl}`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} No Cloudflare protections detected or enabled for ${currentUrl}`));
   }
 
   return result;
@@ -2000,7 +2194,7 @@ async function parallelChallengeDetection(page, forceDebug = false) {
   const detectedChallenges = results.filter(r => r.detected).map(r => r.type);
   
   if (forceDebug && detectedChallenges.length > 0) {
-    console.log(formatLogMessage('cloudflare', `Parallel detection found challenges: ${detectedChallenges.join(', ')}`));
+    console.log(formatLogMessage('debug', `${CLOUDFLARE_TAG} Parallel detection found challenges: ${detectedChallenges.join(', ')}`));
   }
   
   return {
@@ -2010,29 +2204,6 @@ async function parallelChallengeDetection(page, forceDebug = false) {
   };
 }
 
-/**
- * Enhanced parallel detection including embedded iframe challenges
- */
-async function enhancedParallelChallengeDetection(page, forceDebug = false) {
-  const existingDetection = await parallelChallengeDetection(page, forceDebug);
-  
-  try {
-    const hasEmbeddedIframe = await page.evaluate(() => {
-      return document.querySelector('iframe[src*="challenges.cloudflare.com"]') !== null ||
-             document.querySelector('iframe[title*="Verify you are human"]') !== null;
-    });
-    
-    if (hasEmbeddedIframe && !existingDetection.challenges.includes('embedded_iframe')) {
-      existingDetection.challenges.push('embedded_iframe');
-      existingDetection.hasAnyChallenge = true;
-    }
-  } catch (e) {
-    // Ignore detection errors
-  }
-  
-  return existingDetection;
-}
-
 /**
  * Gets cache statistics for performance monitoring
  */
@@ -2048,38 +2219,37 @@ function clearDetectionCache() {
 }
 
 /**
- * Cleanup function to prevent memory leaks in long-running processes
+ * Cleanup function to prevent memory leaks in long-running processes.
+ * Also resets aggregate stats so a re-init of the module starts fresh.
  */
 function cleanup() {
   if (detectionCache) {
     detectionCache.destroy();
   }
+  resetAggregateStats();
 }
 
+// Public surface kept narrow on purpose: only what nwss.js actually imports.
+// Internal helpers (analyzeCloudflareChallenge, handlePhishingWarning,
+// handleVerificationChallenge, handleTurnstileChallenge, handleLegacyCheckbox,
+// handleEmbeddedIframeChallenge, waitForJSChallengeCompletion,
+// checkChallengeCompletion, quickCloudflareDetection, fastTimeout,
+// runWithRetries, categorizeError, getRetryConfig, detectChallengeLoop,
+// ERROR_TYPES, RETRY_CONFIG, CLOUDFLARE_MODULE_VERSION) stay as
+// module-local helpers — move them back to module.exports only if a new
+// external consumer appears.
 module.exports = {
-  analyzeCloudflareChallenge,
-  handlePhishingWarning,
-  handleVerificationChallenge,
   handleCloudflareProtection,
-  waitForTimeout,
-  handleTurnstileChallenge,
-  waitForJSChallengeCompletion,
-  handleLegacyCheckbox,
-  checkChallengeCompletion,
-  handleEmbeddedIframeChallenge,
-  enhancedParallelChallengeDetection,
-  quickCloudflareDetection,
-  getModuleInfo,
-  CLOUDFLARE_MODULE_VERSION,
-  // New exports
   parallelChallengeDetection,
   getCacheStats,
   clearDetectionCache,
-  categorizeError,
-  ERROR_TYPES,
-  RETRY_CONFIG,
-  getRetryConfig,
-  detectChallengeLoop,
+  // End-of-scan aggregate diagnostics. nwss.js can call
+  // getAggregateStats({reset:true}) after the scan loop to print a summary
+  // ("Of 200 URLs: 47 challenged, 31 solved via JS, 12 via Turnstile,
+  // 4 timed out, avg 1.8s") without threading per-URL results back through
+  // its orchestration layer.
+  getAggregateStats,
+  resetAggregateStats,
   // Memory management
   cleanup
 };