@fanboynz/network-scanner 3.0.1 → 3.0.2

package/.github/workflows/npm-publish.yml

@@ -162,7 +162,10 @@ jobs:
         uses: softprops/action-gh-release@v2
         with:
           tag_name: v${{ steps.version.outputs.version }}
-          name: v${{ steps.version.outputs.version }}
+          # Date suffix matches the convention used by the backfilled
+          # historical releases (v2.0.10..v2.0.66) so the Releases page
+          # shows the release date inline without a click-through.
+          name: v${{ steps.version.outputs.version }} (${{ steps.version.outputs.date }})
           body: ${{ inputs.release_notes_source == 'changelog' && steps.changelog_notes.outputs.notes || steps.manual_notes.outputs.notes }}
           draft: false
           prerelease: ${{ inputs.prerelease }}

package/CHANGELOG.md

@@ -2,6 +2,40 @@
 
 All notable changes to the Network Scanner (nwss.js) project.
 
+## [3.0.2] - 2026-05-25
+
+### Security
+- **Credentials redacted in `lib/proxy.js` 'Invalid proxy URL' warn** — `getProxyArgs` echoed the raw user-configured `proxyUrl` when parseProxyUrl returned null. For a URL like `socks5://user:pass@host:port` that fails parse (mistyped protocol, port out of range, etc.) this emitted the full credentials to stderr. Regex-strips the `user:pass@` segment (handles both scheme-prefixed and bare host:port forms) before logging. Same redaction policy as `getProxyInfo()` and the socks-relay logs already fixed in 3.0.1. The new port-range validation in this release expanded the trigger surface (one more parse-failure path) which made me find the leak.
+- **`applyProxyAuth` debug log redacted** — the `Auth set for USER@host:port` debug-only log line emitted the raw username. Now `[redacted]@host:port`. Same leak class as above, third site of the same kind.
+
+### Added
+- **`scripts/test-stealth.js --format=json`** (already shipped in 3.0.1, listed here only because the harness gained a real consumer via the next item) — `getRelayStats()` exposed from `lib/socks-relay.js`, returning `[{key, port, activeConnections, errors}]` per active relay (`key` with the username segment stripped for safety, IPv6-aware). Diagnostic surface for answering "is the proxy slow because the upstream is saturated or because the scan is opening too many parallel tunnels?" without enabling `forceDebug`.
+- **`delay_uncapped: true` site-config flag** — lifts the 2s post-networkidle delay cap; honors the configured `delay` up to half the per-URL timeout. Targets sites with setTimeout-deferred lazy ad/tracker loaders (weather.com / cbssports.com class) where late requests fire well past the standard window. Default behavior unchanged (still 2s) so fast sites stay fast.
+
+### Fixed
+- **Race: late-completing dig/whois validations were orphaned.** Per-URL async nettools handlers were scheduled via fire-and-forget `setImmediate(() => netToolsHandler(...))`; if the handler's full async chain (dig spawn + match check + addMatchedDomain) resolved AFTER the result snapshot ran, the addMatchedDomain call landed in a Set that was no longer referenced by any in-flight result. Most visible symptom: domains appearing in the end-of-scan "Fresh dig:" list with no corresponding rule in the output. Now tracked via `trackNetToolsHandler` (closure over per-URL `pendingNetTools[]`) and drained via `drainPendingNetTools()` with a 3s hard cap (`TIMEOUTS.NETTOOLS_DRAIN_TIMEOUT`), called BEFORE `formatRules` at all three snapshot sites (dry-run, success, partial-success/catch path). All three setImmediate call sites (popup observer, main request handler, secondary request handler) migrated.
+- **Race: scan-exit hang up to ~100s when a dig/whois lookup hung.** Four `setTimeout`s in `lib/nettools.js` (outer exec timer, overall 65s timer, whois progressive retry delay up to ~30s, whois server-switch delay ~8s) were not `unref`'d, so a genuinely-hung lookup that survived the new 3s drain could hold the Node event loop alive for the remainder. All four now `unref`'d with defensive `typeof timer.unref === 'function'` guards; the previously-unref'd inner SIGKILL tail-timer makes 5/5 setTimeout sites in the module now safe for scan-exit. Natural-completion paths still `clearTimeout` on resolution, so this only affects the hung-process case.
+- **`parseProxyUrl` accepted ports > 65535.** Now rejects ports outside 1-65535 at parse time, surfacing misconfiguration immediately instead of passing an invalid value to Chromium and getting an opaque downstream error.
+- **`@version 1.1.0` JSDoc** in `lib/proxy.js` was stale (const said `1.2.0`). Aligned to 1.2.0; the const + export then went away in the export trim — see Improved.
+- **Site-config `delay` field was a no-op.** `nwss.js` per-URL handler hardcoded `const delayMs = DEFAULT_DELAY` regardless of `siteConfig.delay`. Now reads `siteConfig.delay || DEFAULT_DELAY`. Visible only with the new `delay_uncapped: true` flag (without it, the configured value is still capped at 2s as before).
+- **"Something went wrong when opening your profile" popup in `--keep-open` headful mode.** `--disable-sync` was conditionally dropped when `--keep-open` was set, which let Chrome's sync subsystem initialise against our temp `userDataDir` (which has no real profile), error out, and pop a modal that blocked the page until dismissed. Three-flag fix: `--disable-sync` is now always-on (was the only one of five `--keep-open`-conditional flags actually causing user-visible breakage), plus `--allow-browser-signin=false` and `AccountConsistencyMirror,AccountConsistencyDice` appended to the existing `--disable-features=` list as defence in depth across Chromium's multiple account-subsystem entry points. The other four conditional-on-keep-open flags (`--disable-component-extensions-with-background-pages`, `--disable-component-update`, `--disable-background-networking`, `--disable-extensions`) stay conditional so user-loaded extensions and live inspection still work normally.
+- **Race: `socks-relay.ensureRelay` concurrent-init created orphan servers.** Two concurrent callers for the same upstream both passed the `_relays.get(key)` check, both created `net.Server` listeners, both raced to `_relays.set` — second overwrote first, first server was orphaned (listening forever, never closed by `closeAllRelays`). Not triggered by current usage (proxy.js's `prepareSocksRelays` uses a sequential await loop) but a latent bug for future parallel-init paths. Fix: singleflight via new `_pendingRelays` Map; second caller for an in-flight upstream rides the existing promise. Cleanup uses `.finally()` on the returned promise (not try/finally inside the IIFE) so a hypothetical sync-throw in the init body can't leave a permanent rejected entry in `_pendingRelays`. Mirrors the `pendingDigLookups`/`pendingWhoisLookups` pattern in `lib/nettools.js`.
+- **Race: handshake watchdog firing during upstream connect orphaned the upstream socket.** `HANDSHAKE_TIMEOUT_MS = 10000` vs `SocksClient.createConnection` timeout = `20000` left a 10-second window where the watchdog could fire mid-await, destroy the client, and set `settled = true`. When the upstream connect then resolved into a fresh socket, the subsequent `cleanup()` short-circuited via the settled guard, leaving an open TCP connection to the upstream that was never destroyed — held alive until OS-level timeout or remote close. Fix: disarm the watchdog at the `phase = 'connecting'` transition (client has completed its part of the handshake; `SocksClient`'s own 20s timeout covers the upstream connect), plus a defence-in-depth `if (settled) destroy + return` after `upstreamSock = info.socket` for any other path that could call cleanup before upstreamSock registers.
+- **Race: `closeAllRelays` didn't wait for in-flight `ensureRelay` inits.** A relay whose `listen()` completed AFTER `closeAllRelays` snapshotted `_relays` landed in `_relays` unowned by the close pass — leaked until next call or process exit. Pre-existing, more visible after `_pendingRelays` became a separate Map for the singleflight. Fix: `await Promise.allSettled(Array.from(_pendingRelays.values()))` at the head of `closeAllRelays` so the snapshot is guaranteed-complete. `allSettled` (not `all`) because rejected inits have already cleaned up their `_pendingRelays` entries via `.finally()`.
+
+### Improved
+- **socks-relay handshake buffer cap** (`MAX_HANDSHAKE_BYTES = 4096`) on pre-piping growth. Prior code absorbed arbitrary bytes for the full 10s handshake watchdog window, letting a hostile/buggy local process pin memory by drip-feeding garbage. Sends a protocol-appropriate failure reply per phase before closing.
+- **socks-relay TCP keep-alive on upstream socket** (`setKeepAlive(true, 60000)`). Catches silently-dead upstreams (NAT timeout, mobile-tower drop, proxy crash without FIN/RST) in ~12 minutes (60s idle + kernel-default 9 × 75s probes) instead of the Linux default ~2 hours. Comment is honest about the kernel-default probe math — `60000` is `TCP_KEEPIDLE` only, not the full detection time.
+- **socks-relay auth-misconfig warn** — `ensureRelay` warns once per unique upstream when `username && !password`, since RFC 1929 auth will almost certainly fail. Surfaces the misconfiguration at relay start instead of as opaque per-request failures inside `forceDebug`-gated logs.
+- **socks-relay `server.maxConnections = 256` cap** per relay. Sheds excess Chromium connections at the TCP-accept layer (where HTTP retry handles them cleanly) instead of letting all N tunnels open to the upstream and have the provider silently drop past-quota ones — which looks to the scan like random missed requests.
+- **socks-relay per-relay error counter** tracked in `relayEntry.errors`, bumped on `SocksClient.createConnection` failures, surfaced via `getRelayStats()` as the `errors` field. Lets a post-scan reader see "X of N upstream connects failed" without re-running with forceDebug.
+- **socks-relay graceful drain on `closeAllRelays`** — `DRAIN_TIMEOUT_MS = 2000` window via `Promise.race(closePromise, drainTimeout)` for in-flight tunnels to flush their last response bytes into Chromium / Puppeteer. Stragglers past 2s get force-destroyed (server.close callback then fires immediately). SIGINT mid-scan no longer amputates in-flight responses, but a hung tunnel can't block exit beyond 2s. Drain timer `unref`'d so it doesn't hold the event loop open when the close-promise wins the race.
+- **`lib/proxy.js` exports trimmed 12 → 8** — removed `getModuleInfo`, `PROXY_MODULE_VERSION`, `SUPPORTED_PROTOCOLS`, `getConfiguredProxy` (zero external callers in each case, grep-verified). Mirrors the same trim already done in `lib/cloudflare.js`. `SUPPORTED_PROTOCOLS` and `getConfiguredProxy` stay as module-local since they're used internally.
+- **`lib/proxy.js` code cleanup** — two `require('./socks-relay')` calls consolidated into one destructured import (with `closeAllRelays` renamed inline), `net` module require hoisted from `testProxy()` body to top of file, `applyProxyAuth` JSDoc enumerates the 5 distinct `false` return scenarios (caller treating false as "auth failed" would incorrectly retry on the SOCKS5 → relay handles it case).
+
+### CI
+- **GitHub Release names now include date suffix** (`v3.0.2 (YYYY-MM-DD)`), matching the convention used by the backfilled v2.0.10 through v2.0.66 releases. Auto-applied via the already-computed `steps.version.outputs.date` in `softprops/action-gh-release`.
+
 ## [3.0.1] - 2026-05-24
 
 ### Security

package/lib/nettools.js

@@ -418,6 +418,12 @@ function execFileWithTimeout(cmd, args, timeout = 10000) {
 
       reject(new Error(`Command timeout after ${timeout}ms: ${cmd} ${args.join(' ')}`));
     }, timeout);
+    // unref the outer timeout too — a hung dig/whois firing AFTER the
+    // per-URL drain (3s cap) already returned would otherwise hold the
+    // event loop alive for up to `timeout` (5-10s) on scan exit. The exec
+    // callback / 'error' handler still clear it via the existing
+    // clearTimeout, so this only matters for the genuinely-hung case.
+    if (typeof timer.unref === 'function') timer.unref();
 
     // Handle child process errors
     child.on('error', (err) => {
@@ -790,7 +796,17 @@ async function whoisLookupWithRetry(domain = '', timeout = 10000, whoisServer =
             console.log(formatLogMessage('debug', `${messageColors.highlight('[whois-retry]')} Adding ${actualDelay}ms progressive delay before retry ${retryCount + 1} (base: ${baseDelay}ms + extra: ${extraDelay}ms)...`));
           }
         }
-        await new Promise(resolve => setTimeout(resolve, actualDelay));
+        // unref the retry-delay timer so a pending backoff (up to ~30s on
+        // late attempts) can't hold the event loop alive past scan exit
+        // when the per-URL drain has already returned. If the process is
+        // still otherwise busy, the timer fires normally; if it's the only
+        // thing left, the process exits and the now-pointless retry result
+        // never lands. Same pattern as the execFile/overall timers
+        // unref'd in 83209d4.
+        await new Promise(resolve => {
+          const t = setTimeout(resolve, actualDelay);
+          if (typeof t.unref === 'function') t.unref();
+        });
       } else if (serverIndex > 0 && retryCount === 0 && whoisDelay > 0) {
         // Add delay before trying a new server (but not the very first server)
         if (debugMode) {
@@ -800,7 +816,11 @@ async function whoisLookupWithRetry(domain = '', timeout = 10000, whoisServer =
             console.log(formatLogMessage('debug', `${messageColors.highlight('[whois-retry]')} Adding ${whoisDelay}ms delay before trying new server...`));
           }
         }
-        await new Promise(resolve => setTimeout(resolve, whoisDelay));
+        // Same unref rationale as the retry-delay timer above.
+        await new Promise(resolve => {
+          const t = setTimeout(resolve, whoisDelay);
+          if (typeof t.unref === 'function') t.unref();
+        });
       } else if (debugMode && whoisDelay === 0) {
         // Log when delay is skipped due to whoisDelay being 0
         if (logFunc) {
@@ -1232,6 +1252,12 @@ function createNetToolsHandler(config) {
       })(),
       new Promise((_, reject) => {
         overallTimeoutId = setTimeout(() => reject(new Error('NetTools overall timeout')), 65000);
+        // unref so a still-pending overall timeout (handler returned via
+        // drain at 3s but the lookup is technically still in-flight) can't
+        // hold the event loop alive for the full 65s on scan exit. The
+        // finally on the inner promise still clearTimeouts on natural
+        // completion, so this only matters for the genuinely-hung case.
+        if (typeof overallTimeoutId.unref === 'function') overallTimeoutId.unref();
       })
     ]).catch(err => {
       if (forceDebug) {

package/lib/proxy.js

@@ -61,13 +61,19 @@
  *   // After page creation, before page.goto()
  *   await applyProxyAuth(page, siteConfig, forceDebug);
  *
- * @version 1.1.0
+ * @version 1.2.0
  */
 
+const net = require('net');
 const { formatLogMessage } = require('./colorize');
-const { ensureRelay, getRelayPort } = require('./socks-relay');
+const { ensureRelay, getRelayPort, closeAllRelays: closeAllSocksRelays } = require('./socks-relay');
+
+// Note: no separate subsystem TAG here — formatLogMessage('proxy', ...)
+// already emits the `[proxy]` prefix from the severity. socks-relay.js's
+// pattern (`[proxy] [socks-relay] ...`) is correct THERE because its
+// module name differs from the severity. For this file the module IS the
+// severity, so a second '[proxy]' would be redundant double-prefix.
 
-const PROXY_MODULE_VERSION = '1.2.0';
 const SUPPORTED_PROTOCOLS = ['socks5', 'socks4', 'http', 'https'];
 
 const DEFAULT_PORTS = {
@@ -115,6 +121,10 @@ function parseProxyUrl(proxyUrl) {
     if (!host) return null;
 
     const port = parseInt(url.port, 10) || DEFAULT_PORTS[protocol] || 1080;
+    // Reject obvious typos at parse time rather than passing a >65535 port
+    // through to Chromium and getting an opaque downstream error. Port 0
+    // is technically OS-assigned but never a valid proxy target.
+    if (port < 1 || port > 65535) return null;
     // decodeURIComponent throws URIError on a literal '%' that isn't a valid
     // escape (e.g. a password containing '%'). Fall back to the raw value so
     // an otherwise-valid proxy isn't rejected as "Invalid proxy URL".
@@ -186,7 +196,19 @@ function getProxyArgs(siteConfig, forceDebug = false) {
 
   const parsed = parseProxyUrl(proxyUrl);
   if (!parsed) {
-    console.warn(formatLogMessage('proxy', `Invalid proxy URL: ${proxyUrl}`));
+    // Strip user:pass before echoing the URL — same redaction policy as
+    // getProxyInfo() / applyProxyAuth / socks-relay logs. Without this, a
+    // proxy URL with embedded creds (`socks5://user:pass@host:port`) that
+    // fails parse (typo in protocol, port out of range, etc.) leaks the
+    // raw creds to stderr. Regex handles both scheme-prefixed
+    // (`socks5://user:pass@`) and bare (`user:pass@`) forms — the latter
+    // because parseProxyUrl normalises bare host:port internally so the
+    // user-supplied string still reaches here unchanged.
+    const safeUrl = String(proxyUrl).replace(
+      /^([a-z0-9+]+:\/\/)?[^@\s]+@/i,
+      (_m, scheme) => `${scheme || ''}[redacted]@`
+    );
+    console.warn(formatLogMessage('proxy', `Invalid proxy URL: ${safeUrl}`));
     return [];
   }
 
@@ -249,10 +271,20 @@ function getProxyArgs(siteConfig, forceDebug = false) {
  * Applies proxy authentication to a page via Puppeteer's authenticate API.
  * Must be called BEFORE page.goto().
  *
+ * Returns `true` only on a successful HTTP/HTTPS page.authenticate() call.
+ * Returns `false` in five distinct scenarios — callers cannot use the
+ * boolean to distinguish them; treat `false` as "no further action needed
+ * from this module" rather than "auth failed":
+ *   - no proxy configured
+ *   - proxy has no username (anonymous)
+ *   - SOCKS5 with creds  -> the local relay handles upstream auth out-of-band
+ *   - SOCKS4 with creds  -> genuinely unsupported (warned)
+ *   - page.authenticate() threw (warned)
+ *
  * @param {object} page - Puppeteer page instance
  * @param {object} siteConfig
  * @param {boolean} forceDebug
- * @returns {Promise<boolean>} True if auth was applied
+ * @returns {Promise<boolean>}
  */
 async function applyProxyAuth(page, siteConfig, forceDebug = false) {
   const proxyUrl = getConfiguredProxy(siteConfig);
@@ -283,7 +315,11 @@ async function applyProxyAuth(page, siteConfig, forceDebug = false) {
 
     const debug = forceDebug || siteConfig.proxy_debug || siteConfig.socks5_debug;
     if (debug) {
-      console.log(formatLogMessage('proxy', `Auth set for ${parsed.username}@${parsed.host}:${parsed.port}`));
+      // Redact the username — same policy as getProxyInfo() and the
+      // socks-relay logs. debug output gets pasted into support tickets /
+      // screenshots / gists; '[redacted]' keeps the "yes, creds were
+      // attached" signal without disclosing what they were.
+      console.log(formatLogMessage('proxy', `Auth set for [redacted]@${parsed.host}:${parsed.port}`));
     }
 
     return true;
@@ -311,7 +347,6 @@ async function testProxy(siteConfig, timeoutMs = 5000) {
     return { reachable: false, latencyMs: 0, error: 'Invalid proxy URL' };
   }
 
-  const net = require('net');
   const start = Date.now();
 
   return new Promise((resolve) => {
@@ -358,15 +393,11 @@ function getProxyInfo(siteConfig) {
   return `${parsed.protocol}://${auth}${parsed.host}:${parsed.port}`;
 }
 
-/**
- * Returns module version information
- */
-function getModuleInfo() {
-  return { version: PROXY_MODULE_VERSION, name: 'Proxy Handler' };
-}
-
-// Re-export relay teardown so nwss.js cleanup paths can close listeners.
-const { closeAllRelays: closeAllSocksRelays } = require('./socks-relay');
+// getModuleInfo() / PROXY_MODULE_VERSION / SUPPORTED_PROTOCOLS / and now
+// getConfiguredProxy removed from exports -- zero external callers (mirrors
+// the same trim done in lib/cloudflare.js). SUPPORTED_PROTOCOLS and
+// getConfiguredProxy stay as module-local since parseProxyUrl /
+// needsProxy / prepareSocksRelays / getProxyArgs use them.
 
 module.exports = {
   parseProxyUrl,
@@ -376,9 +407,5 @@ module.exports = {
   getProxyArgs,
   applyProxyAuth,
   testProxy,
-  getProxyInfo,
-  getModuleInfo,
-  getConfiguredProxy,
-  PROXY_MODULE_VERSION,
-  SUPPORTED_PROTOCOLS
+  getProxyInfo
 };

package/lib/socks-relay.js

@@ -22,9 +22,24 @@ const { SocksClient } = require('socks');
 const { formatLogMessage, messageColors } = require('./colorize');
 const SOCKS_RELAY_TAG = messageColors.processing('[socks-relay]');
 
-// upstreamKey -> { server, port, activeSockets:Set<net.Socket> }
+// upstreamKey -> {
+//   server: net.Server,                  // listening on 127.0.0.1:port
+//   port: number,                        // OS-assigned local port
+//   activeSockets: Set<net.Socket>,      // live client sockets (Chromium side)
+//   errors: number                       // cumulative upstream-connect failures
+// }
 const _relays = new Map();
 
+// upstreamKey -> Promise<port> currently initialising. Singleflight guard for
+// ensureRelay so two concurrent callers for the same upstream share one
+// in-flight init instead of both creating servers and racing to _relays.set,
+// where the loser's server would be orphaned (listening forever, never
+// closed by closeAllRelays). Not triggered by current usage (proxy.js's
+// prepareSocksRelays uses a sequential await loop) but cheap defence
+// against future callers that don't know to serialise. Mirrors the
+// pendingDigLookups / pendingWhoisLookups pattern in lib/nettools.js.
+const _pendingRelays = new Map();
+
 function upstreamKey(u) {
   return `${u.host}:${u.port}:${u.username || ''}`;
 }
@@ -39,7 +54,28 @@ function upstreamKey(u) {
 // notices (default ~2 hours on Linux).
 const HANDSHAKE_TIMEOUT_MS = 10000;
 
-function handleClient(client, upstream, forceDebug) {
+// Cap pre-piping buffer growth. A real SOCKS5 greeting+request is well
+// under 300 bytes; absorbing more before the watchdog fires lets a hostile
+// or buggy local process drip-feed garbage to pin memory for up to 10s.
+// 4096 is the next clean ceiling above any realistic handshake and matches
+// typical TCP receive-buffer batches.
+const MAX_HANDSHAKE_BYTES = 4096;
+
+// Cap simultaneous local connections per relay. If Chromium opens more than
+// this (prefetch-heavy site, fetch-retry loop), excess gets refused at the
+// TCP-accept layer, which Chromium's HTTP retry logic handles cleanly. The
+// alternative (no cap) is excess tunnels opening to the upstream and the
+// provider silently dropping them past its concurrent-tunnel quota — looks
+// to the scan like random missed requests.
+const MAX_LOCAL_CONNECTIONS = 256;
+
+// On closeAllRelays, give in-flight tunnels this long to drain their
+// response data into Chromium before force-destroying. Without it, SIGINT
+// mid-scan loses any upstream bytes that hadn't yet hit Puppeteer's
+// response listener, leaving incomplete entries in results.json.
+const DRAIN_TIMEOUT_MS = 2000;
+
+function handleClient(client, upstream, forceDebug, relay) {
   let phase = 'greeting';
   let buf = Buffer.alloc(0);
   let upstreamSock = null;
@@ -73,6 +109,21 @@ function handleClient(client, upstream, forceDebug) {
 
   const onData = async (chunk) => {
     buf = Buffer.concat([buf, chunk]);
+    // Reject oversize pre-piping buffers before the 10s watchdog. Sends
+    // a protocol-appropriate failure reply per phase so a misbehaving but
+    // RFC-aware client gets a clean signal rather than a raw connection
+    // drop. Skipped once piping starts (buf is nulled then anyway).
+    if (phase !== 'piping' && buf.length > MAX_HANDSHAKE_BYTES) {
+      if (forceDebug) {
+        console.log(formatLogMessage('proxy', `${SOCKS_RELAY_TAG} handshake oversize (${buf.length} bytes, phase=${phase}) — closing`));
+      }
+      if (phase === 'greeting') {
+        try { client.write(Buffer.from([0x05, 0xFF])); } catch (_) {} // no acceptable methods
+      } else if (phase === 'request') {
+        failReply(client, 0x01); // general SOCKS server failure
+      }
+      return cleanup();
+    }
     try {
       if (phase === 'greeting') {
         // [0x05, NMETHODS, METHODS...]
@@ -134,6 +185,17 @@ function handleClient(client, upstream, forceDebug) {
         phase = 'connecting';
         client.pause();
         client.off('data', onData);
+        // Disarm the handshake watchdog now (not later at 'piping'). The
+        // client has completed its SOCKS5 negotiation; the remaining wait
+        // is on SocksClient.createConnection (which has its own 20s
+        // timeout below). Without this, if the upstream connect takes
+        // longer than HANDSHAKE_TIMEOUT_MS (10s) but less than 20s, the
+        // watchdog fires cleanup mid-await — destroying the client and
+        // setting settled=true — then the upstream connect resolves into
+        // a fresh socket that cleanup() can no longer destroy (settled
+        // guard short-circuits), orphaning an open TCP connection until
+        // OS-level timeout or remote close.
+        if (handshakeTimer) { clearTimeout(handshakeTimer); handshakeTimer = null; }
         const early = buf.subarray(hdrLen);   // any bytes after the request header
         buf = null;
 
@@ -152,6 +214,10 @@ function handleClient(client, upstream, forceDebug) {
             timeout: 20000,
           });
         } catch (e) {
+          // Bump the per-relay error counter (exposed via getRelayStats)
+          // so post-scan diagnostics can see "X of N upstream connects
+          // failed" without re-running with forceDebug.
+          relay.errors++;
           if (forceDebug) {
             console.log(formatLogMessage('proxy', `${SOCKS_RELAY_TAG} upstream connect failed (${host}:${port}): ${e.message}`));
           }
@@ -160,7 +226,28 @@ function handleClient(client, upstream, forceDebug) {
         }
 
         upstreamSock = info.socket;
+        // Safety net: if cleanup() ran while we were awaiting the upstream
+        // connect (some path other than the handshake watchdog — e.g. a
+        // 'close' event on the client during pause), settled is true and
+        // cleanup's settled guard would short-circuit a future call,
+        // orphaning this freshly-connected upstream socket. Destroy it
+        // here directly. With Fix #1a moving the watchdog clearTimeout to
+        // the 'connecting' transition this is currently unreachable, but
+        // cheap to keep as defense-in-depth against future code paths.
+        if (settled) {
+          try { upstreamSock.destroy(); } catch (_) {}
+          return;
+        }
         try { upstreamSock.setNoDelay(true); } catch (_) {}
+        // Catch silently-dead upstreams (NAT timeout, mobile-tower drop,
+        // proxy crash without FIN/RST) faster than the default ~2-hour
+        // Linux idle. setKeepAlive(true, 60000) sets TCP_KEEPIDLE only —
+        // the kernel still uses tcp_keepalive_intvl/tcp_keepalive_probes
+        // for the probe phase, so total detection is ~60s idle + N probes
+        // (default 9 × 75s on Linux) ≈ 12 minutes. Big improvement over
+        // 2h, not the 60s the bare argument suggests. Client-side keep-
+        // alive is omitted — same kernel, OS surfaces death immediately.
+        try { upstreamSock.setKeepAlive(true, 60000); } catch (_) {}
         upstreamSock.on('error', cleanup);
         upstreamSock.on('close', cleanup);
         client.on('error', cleanup);
@@ -173,9 +260,8 @@ function handleClient(client, upstream, forceDebug) {
         upstreamSock.pipe(client);
         client.resume();
         phase = 'piping';
-        // Negotiation complete — disarm the handshake watchdog so a
-        // long-running download isn't killed mid-transfer.
-        if (handshakeTimer) { clearTimeout(handshakeTimer); handshakeTimer = null; }
+        // (handshakeTimer was already disarmed at the 'connecting'
+        // transition above; no second clearTimeout needed.)
       }
     } catch (e) {
       if (forceDebug) {
@@ -207,41 +293,86 @@ async function ensureRelay(upstream, forceDebug = false) {
   const existing = _relays.get(key);
   if (existing) return existing.port;
 
-  const activeSockets = new Set();
-  const server = net.createServer((clientSock) => {
-    // Disable Nagle: page scanning is full of small-packet phases (per-origin
-    // TLS handshakes, small XHR/API calls, the SOCKS handshake itself).
-    // Nagle + delayed-ACK adds ~40ms stalls on those; relays should not.
-    try { clientSock.setNoDelay(true); } catch (_) {}
-    activeSockets.add(clientSock);
-    clientSock.on('close', () => activeSockets.delete(clientSock));
-    handleClient(clientSock, upstream, forceDebug);
-  });
+  // Singleflight: if another caller is already initialising this upstream,
+  // ride its promise instead of starting a parallel init. Prevents the
+  // race where two concurrent callers both pass the _relays.get(key) check
+  // above, both create servers, and the second _relays.set(key, ...) below
+  // orphans the first server (listening forever, never closed).
+  if (_pendingRelays.has(key)) return _pendingRelays.get(key);
+
+  // Most authenticated SOCKS5 servers reject empty-password auth at the
+  // RFC 1929 handshake; without this warn, the misconfig surfaces only
+  // per-request inside forceDebug-gated logs (silent in production).
+  // Fire once per unique upstream (after the existing-relay short-circuit
+  // above) so repeated calls don't spam.
+  if (upstream.username && !upstream.password) {
+    console.warn(formatLogMessage('warn', `${SOCKS_RELAY_TAG} upstream ${upstream.host}:${upstream.port} has username but no password — RFC 1929 auth will likely fail`));
+  }
+
+  // .finally() (not try/finally inside the IIFE) so the cleanup is
+  // scheduled in a microtask, guaranteed to run AFTER the _pendingRelays.set
+  // below. If the cleanup were a try/finally inside an async IIFE and the
+  // body threw SYNCHRONOUSLY (before its first await), the finally would
+  // run SYNC before the implicit rejected promise was returned, _pendingRelays
+  // wouldn't be set yet, the delete would no-op, and then the outer .set
+  // would register a permanent rejected entry that future callers would
+  // await forever. The current body has no realistic sync-throw paths
+  // (net.createServer / Set / object literal don't throw), but defensive.
+  const initPromise = (async () => {
+    const activeSockets = new Set();
+    // Single mutable state object referenced by both the connection handler
+    // (writes .errors) and _relays / getRelayStats (read both). Server +
+    // port assigned after listen() completes; declared up-front so the
+    // closure below can close over `relayEntry` and pass it to handleClient.
+    const relayEntry = { server: null, port: null, activeSockets, errors: 0 };
+
+    const server = net.createServer((clientSock) => {
+      // Disable Nagle: page scanning is full of small-packet phases (per-origin
+      // TLS handshakes, small XHR/API calls, the SOCKS handshake itself).
+      // Nagle + delayed-ACK adds ~40ms stalls on those; relays should not.
+      try { clientSock.setNoDelay(true); } catch (_) {}
+      activeSockets.add(clientSock);
+      clientSock.on('close', () => activeSockets.delete(clientSock));
+      handleClient(clientSock, upstream, forceDebug, relayEntry);
+    });
 
-  await new Promise((resolve, reject) => {
-    const onErr = (e) => reject(e);
-    server.once('error', onErr);
-    server.listen(0, '127.0.0.1', () => {
-      server.removeListener('error', onErr);
-      // Keep a listener so a late server error doesn't crash the process.
-      server.on('error', (e) => {
-        if (forceDebug) console.log(formatLogMessage('proxy', `${SOCKS_RELAY_TAG} server error: ${e.message}`));
+    // Shed excess connections at the TCP-accept layer instead of letting them
+    // all proceed to open authenticated tunnels (which the upstream provider
+    // may silently drop past its quota).
+    server.maxConnections = MAX_LOCAL_CONNECTIONS;
+
+    await new Promise((resolve, reject) => {
+      const onErr = (e) => reject(e);
+      server.once('error', onErr);
+      server.listen(0, '127.0.0.1', () => {
+        server.removeListener('error', onErr);
+        // Keep a listener so a late server error doesn't crash the process.
+        server.on('error', (e) => {
+          if (forceDebug) console.log(formatLogMessage('proxy', `${SOCKS_RELAY_TAG} server error: ${e.message}`));
+        });
+        resolve();
       });
-      resolve();
     });
+
+    relayEntry.server = server;
+    relayEntry.port = server.address().port;
+    _relays.set(key, relayEntry);
+    const port = relayEntry.port;
+    if (forceDebug) {
+      // auth status is kept as a presence flag only -- previously printed
+      // the raw username, which leaked into shared debug output (support
+      // tickets, screenshots, gists). Same redaction policy as the
+      // proxy.js getProxyInfo() change.
+      const authTag = upstream.username ? ' (auth: [redacted])' : ' (no auth)';
+      console.log(formatLogMessage('proxy', `${SOCKS_RELAY_TAG} 127.0.0.1:${port} -> ${upstream.host}:${upstream.port}${authTag}`));
+    }
+    return port;
+  })().finally(() => {
+    _pendingRelays.delete(key);
   });
 
-  const port = server.address().port;
-  _relays.set(key, { server, port, activeSockets });
-  if (forceDebug) {
-    // auth status is kept as a presence flag only -- previously printed
-    // the raw username, which leaked into shared debug output (support
-    // tickets, screenshots, gists). Same redaction policy as the
-    // proxy.js getProxyInfo() change.
-    const authTag = upstream.username ? ' (auth: [redacted])' : ' (no auth)';
-    console.log(formatLogMessage('proxy', `${SOCKS_RELAY_TAG} 127.0.0.1:${port} -> ${upstream.host}:${upstream.port}${authTag}`));
-  }
-  return port;
+  _pendingRelays.set(key, initPromise);
+  return initPromise;
 }
 
 /**
@@ -255,26 +386,90 @@ function getRelayPort(upstream) {
 }
 
 /**
- * Tear down every relay: destroy in-flight sockets, close listeners.
- * Safe to call multiple times.
+ * Snapshot of active relays for diagnostics. Returns an array of
+ * { key, port, activeConnections, errors } — the upstream `key` has its
+ * trailing `:username` segment stripped using the same regex as
+ * closeAllRelays' display path (IPv6-safe). `errors` is the cumulative
+ * count of failed upstream-tunnel opens for the relay's lifetime.
+ * Useful for answering "is my proxy slow because the upstream is
+ * saturated, or because the scan is opening too many parallel tunnels?"
+ * without enabling forceDebug.
+ */
+function getRelayStats() {
+  const stats = [];
+  for (const [key, r] of _relays) {
+    stats.push({
+      key: key.replace(/:[^:]*$/, ''),
+      port: r.port,
+      activeConnections: r.activeSockets.size,
+      errors: r.errors
+    });
+  }
+  return stats;
+}
+
+/**
+ * Tear down every relay. Stops accepting new connections, gives in-flight
+ * tunnels up to DRAIN_TIMEOUT_MS (2s) to flush remaining response bytes
+ * into Chromium / Puppeteer, then force-destroys any stragglers. Safe to
+ * call multiple times (subsequent calls iterate an empty _relays Map).
  */
 async function closeAllRelays(forceDebug = false) {
+  // Wait for any in-flight ensureRelay inits to finish before snapshotting
+  // _relays. Without this, a relay whose listen() completes AFTER our
+  // iteration starts would land in _relays unowned by closeAllRelays —
+  // leaked until next call or process exit. allSettled (not all) because
+  // a rejected init has already cleaned up its _pendingRelays entry via
+  // .finally; we just need to not throw here.
+  if (_pendingRelays.size > 0) {
+    await Promise.allSettled(Array.from(_pendingRelays.values()));
+  }
   for (const [key, r] of _relays) {
-    for (const s of r.activeSockets) { try { s.destroy(); } catch (_) {} }
-    await new Promise((res) => {
+    // upstreamKey embeds the username (host:port:username), so the raw
+    // key would leak it in debug output. Strip just the trailing
+    // `:username` segment for display; using a regex (not split-on-':')
+    // so IPv6 hosts with embedded colons (e.g. 2001:db8::1:1080:user)
+    // aren't mangled. The relay identity stays unambiguous from host+port.
+    const displayKey = key.replace(/:[^:]*$/, '');
+    const startedWith = r.activeSockets.size;
+
+    // server.close() stops accepting new connections and resolves only
+    // when all existing sockets have closed naturally. Race that against
+    // DRAIN_TIMEOUT_MS: if active tunnels finish flushing in time,
+    // Chromium / Puppeteer gets the response bytes it was waiting for;
+    // beyond that, force-destroy stragglers (the close callback then
+    // fires immediately). Trade-off chosen so SIGINT mid-scan doesn't
+    // amputate in-flight responses but a hung tunnel can't block exit.
+    const closePromise = new Promise((res) => {
       try { r.server.close(() => res()); } catch (_) { res(); }
     });
+
+    let timer;
+    const drained = await Promise.race([
+      closePromise.then(() => { if (timer) clearTimeout(timer); return true; }),
+      new Promise((res) => {
+        timer = setTimeout(() => res(false), DRAIN_TIMEOUT_MS);
+        // Don't hold the event loop open on a still-pending drain timer
+        // when the close-promise won the race.
+        if (typeof timer.unref === 'function') timer.unref();
+      })
+    ]);
+
+    let forcedCount = 0;
+    if (!drained) {
+      forcedCount = r.activeSockets.size;
+      for (const s of r.activeSockets) { try { s.destroy(); } catch (_) {} }
+      await closePromise; // resolves now that the last socket has closed
+    }
+
     if (forceDebug) {
-      // upstreamKey embeds the username (host:port:username), so the raw
-      // key would leak it in debug output. Strip just the trailing
-      // `:username` segment for display; using a regex (not split-on-':')
-      // so IPv6 hosts with embedded colons (e.g. 2001:db8::1:1080:user)
-      // aren't mangled. The relay identity stays unambiguous from host+port.
-      const displayKey = key.replace(/:[^:]*$/, '');
-      console.log(formatLogMessage('proxy', `${SOCKS_RELAY_TAG} closed relay for ${displayKey}`));
+      const note = forcedCount > 0
+        ? ` (drain timeout — force-closed ${forcedCount}/${startedWith} active socket(s))`
+        : (startedWith > 0 ? ` (drained ${startedWith} active socket(s))` : '');
+      console.log(formatLogMessage('proxy', `${SOCKS_RELAY_TAG} closed relay for ${displayKey}${note}`));
     }
   }
   _relays.clear();
 }
 
-module.exports = { ensureRelay, getRelayPort, closeAllRelays };
+module.exports = { ensureRelay, getRelayPort, getRelayStats, closeAllRelays };

package/nwss.js

@@ -109,6 +109,7 @@ const TIMEOUTS = Object.freeze({
   EMERGENCY_RESTART_DELAY: 2000,      // Delay after emergency browser restart
   BROWSER_STABILIZE_DELAY: 1000,      // Browser stabilization after restart
   CURL_HANDLER_DELAY: 3000,           // Wait for async curl operations
+  NETTOOLS_DRAIN_TIMEOUT: 3000,       // Hard cap for awaiting in-flight nettools (dig/whois) handlers before snapshot. Drains immediately if all complete; bounded so a hung dig can't block exit. Mirrors CURL_HANDLER_DELAY's role for curl/searchstring.
   PROTOCOL_TIMEOUT: 180000,           // Chrome DevTools Protocol timeout
   REDIRECT_JS_TIMEOUT: 5000           // JavaScript redirect detection timeout
 });
@@ -777,7 +778,8 @@ Redirect Handling Options:
   isBrave: true/false                          Spoof Brave browser detection
   userAgent: "chrome"|"chrome_mac"|"chrome_linux"|"firefox"|"firefox_mac"|"firefox_linux"|"safari"  Custom desktop User-Agent
   interact_intensity: "low"|"medium"|"high"     Interaction simulation intensity (default: medium)
-  delay: <milliseconds>                        Delay after load (default: 4000)
+  delay: <milliseconds>                        Delay after load (default: 6000, capped at 2000ms unless delay_uncapped: true)
+  delay_uncapped: true/false                   Honor 'delay' up to half the per-URL timeout instead of the 2s default cap. Use for sites with setTimeout-deferred lazy ad/tracker loaders that fire well past the standard post-networkidle window
   reload: <number>                             Reload page n times after load (default: 1)
   forcereload: true/false or ["domain1.com", "domain2.com"]  Force cache-clearing reload for all URLs or specific domains
   clear_sitedata: true/false                   Clear all cookies, cache, storage before each load (default: false)
@@ -1864,7 +1866,13 @@ function setupFrameHandling(page, forceDebug) {
         '--disable-domain-reliability', // No reliability monitor disk writes
         // PERFORMANCE: Disable non-essential Chrome features in a single flag
         // IMPORTANT: Chrome only reads the LAST --disable-features flag, so combine all into one
-        `--disable-features=AudioServiceOutOfProcess,VizDisplayCompositor,TranslateUI,BlinkGenPropertyTrees,Translate,BackForwardCache,AcceptCHFrame,SafeBrowsing,HttpsFirstBalancedModeAutoEnable,site-per-process,PaintHolding${disable_ad_tagging ? ',AdTagging' : ''}`,
+        // AccountConsistencyMirror + AccountConsistencyDice prevent the
+        // Chrome sign-in subsystem from initialising at startup. Combined
+        // with --disable-sync + --allow-browser-signin=false below, this
+        // suppresses the "Something went wrong when opening your profile"
+        // popup that fires in headful + --keep-open mode (temp userDataDir
+        // has no real profile, so the sync init errors out and pops up).
+        `--disable-features=AudioServiceOutOfProcess,VizDisplayCompositor,TranslateUI,BlinkGenPropertyTrees,Translate,BackForwardCache,AcceptCHFrame,SafeBrowsing,HttpsFirstBalancedModeAutoEnable,site-per-process,PaintHolding,AccountConsistencyMirror,AccountConsistencyDice${disable_ad_tagging ? ',AdTagging' : ''}`,
         '--disable-ipc-flooding-protection',
         '--aggressive-cache-discard',
         '--memory-pressure-off',
@@ -1874,7 +1882,16 @@ function setupFrameHandling(page, forceDebug) {
         '--no-sandbox',
         '--disable-setuid-sandbox',
         '--disable-dev-shm-usage',
-        ...(keepBrowserOpen ? [] : ['--disable-sync']),
+        // --disable-sync is always-on (was previously dropped in --keep-open
+        // mode, which let the sync subsystem init against our temp
+        // userDataDir and pop the "Something went wrong when opening your
+        // profile" dialog). Inspection during --keep-open doesn't need
+        // sync; nothing in the scanner flow does.
+        '--disable-sync',
+        // Prevent the sign-in promo / account banner from appearing in
+        // headful sessions. Same family of fixes as --disable-sync and the
+        // AccountConsistency* features disabled above.
+        '--allow-browser-signin=false',
         '--mute-audio',
         '--disable-translate',
         '--window-size=1920,1080',
@@ -2100,6 +2117,30 @@ function setupFrameHandling(page, forceDebug) {
     // Use Map to track domains and their resource types for --adblock-rules or --dry-run
     const matchedDomains = (adblockRulesMode || siteConfig.adblock_rules || dryRunMode) ? new Map() : new Set();
 
+    // Per-URL tracking of in-flight async nettools (dig/whois) handlers so we
+    // can drain them BEFORE snapshotting matchedDomains into the result. The
+    // previous fire-and-forget setImmediate pattern dropped late-completing
+    // matches (handler resolved after formatRules had already run). Each
+    // setImmediate-scheduled handler now registers a promise via
+    // trackNetToolsHandler; drainPendingNetTools() awaits all of them with a
+    // hard cap (TIMEOUTS.NETTOOLS_DRAIN_TIMEOUT) so a hung dig can't block.
+    const pendingNetTools = [];
+    const trackNetToolsHandler = (handlerFn) => {
+      pendingNetTools.push(new Promise((resolve) => {
+        setImmediate(async () => {
+          try { await handlerFn(); } catch (_) { /* handler logs its own errors */ }
+          finally { resolve(); }
+        });
+      }));
+    };
+    const drainPendingNetTools = async () => {
+      if (pendingNetTools.length === 0) return;
+      await Promise.race([
+        Promise.all(pendingNetTools),
+        fastTimeout(TIMEOUTS.NETTOOLS_DRAIN_TIMEOUT)
+      ]);
+    };
+
     // Local domain dedup scoped to THIS processUrl call only
     // Prevents cross-config contamination from the global domain cache
     const localDetectedDomains = new Set();
@@ -3167,7 +3208,7 @@ function setupFrameHandling(page, forceDebug) {
                   currentUrl, getRootDomain, siteConfig, dumpUrls, matchedUrlsLogFile, forceDebug, fs,
                   ignoreDomains, matchesIgnoreDomain
                 });
-                setImmediate(() => popupNetToolsHandler(checkedRootDomain, fullSubdomain));
+                trackNetToolsHandler(() => popupNetToolsHandler(checkedRootDomain, fullSubdomain));
               } else {
                 // No nettools required — regex match alone counts.
                 addMatchedDomain(checkedRootDomain, resourceType, fullSubdomain);
@@ -3573,7 +3614,7 @@ function setupFrameHandling(page, forceDebug) {
 
               // Execute nettools check asynchronously
               const originalDomain = fullSubdomain;
-              setImmediate(() => netToolsHandler(reqDomain, originalDomain));
+              trackNetToolsHandler(() => netToolsHandler(reqDomain, originalDomain));
             }
             if (forceDebug) {
               console.log(formatLogMessage('debug', `${reqUrl} has nettools validation required - skipping immediate add`));
@@ -3688,7 +3729,7 @@ function setupFrameHandling(page, forceDebug) {
 
              // Execute nettools check asynchronously
             const originalDomain = fullSubdomain; // Use full subdomain for nettools
-            setImmediate(() => netToolsHandler(reqDomain, originalDomain));
+            trackNetToolsHandler(() => netToolsHandler(reqDomain, originalDomain));
 
              // Do NOT continue processing this request for immediate domain addition
              // The nettools handler is responsible for adding the domain if validation passes
@@ -4237,13 +4278,22 @@ function setupFrameHandling(page, forceDebug) {
       }
       }
 
-      const delayMs = DEFAULT_DELAY;
+      const delayMs = siteConfig.delay || DEFAULT_DELAY;
 
       // Optimized delays for Puppeteer 23.x performance
       const isFastSite = timeout <= TIMEOUTS.FAST_SITE_THRESHOLD;
       const networkIdleTime = TIMEOUTS.NETWORK_IDLE;  // Balanced: 2s for reliable network detection
       const networkIdleTimeout = Math.min(timeout / 2, TIMEOUTS.NETWORK_IDLE_MAX);  // Balanced: 10s timeout
-      const actualDelay = Math.min(delayMs, TIMEOUTS.NETWORK_IDLE);  // Balanced: 2s delay for stability
+      // Post-networkidle delay cap. Default (2s) keeps fast sites fast. Opt
+      // in with `delay_uncapped: true` to honor the configured `delay` up to
+      // half the per-URL timeout — useful for sites with setTimeout-deferred
+      // lazy ad/tracker loaders (weather.com, cbssports.com class) where
+      // late requests fire well past the 2s window. See also the per-URL
+      // drainPendingNetTools() which awaits in-flight dig/whois handlers
+      // before the matchedDomains snapshot regardless of this flag.
+      const actualDelay = siteConfig.delay_uncapped === true
+        ? Math.min(delayMs, Math.floor(timeout / 2))
+        : Math.min(delayMs, TIMEOUTS.NETWORK_IDLE);
 
       // Build delay promise (networkIdle + delay + optional flowProxy delay)
       const delayPromise = (async () => {
@@ -4625,7 +4675,8 @@ function setupFrameHandling(page, forceDebug) {
         // Wait a moment for async nettools/searchstring operations to complete
         // Use fast timeout helper for Puppeteer 22.x compatibility
         await fastTimeout(TIMEOUTS.CURL_HANDLER_DELAY); // Wait for async operations
-        
+        await drainPendingNetTools(); // Bounded wait for in-flight dig/whois (race fix)
+
         return { url: currentUrl, rules: [], success: true, dryRun: true, matchCount: dryRunResult.matchCount };
       } else {
         // Format rules using the output module
@@ -4639,6 +4690,12 @@ function setupFrameHandling(page, forceDebug) {
         privoxyMode,
         piholeMode
       };
+        // Drain pending dig/whois handlers BEFORE snapshotting matchedDomains.
+        // Without this, late-completing async validations (request fired near
+        // end of the delay window, dig still in flight) get orphaned — their
+        // addMatchedDomain calls happen but the result has already been
+        // returned. Bounded by TIMEOUTS.NETTOOLS_DRAIN_TIMEOUT.
+        await drainPendingNetTools();
         const formattedRules = formatRules(matchedDomains, siteConfig, globalOptions);
         
         return {
@@ -4690,7 +4747,11 @@ function setupFrameHandling(page, forceDebug) {
       };
     }
          
-      // For other errors, preserve any matches we found before the error
+      // For other errors, preserve any matches we found before the error.
+      // Drain pending nettools first so dig/whois handlers scheduled DURING
+      // the failed navigation get a chance to add to matchedDomains before
+      // the partial-success snapshot — same race as the success path.
+      await drainPendingNetTools();
       if (matchedDomains && (matchedDomains.size > 0 || (matchedDomains instanceof Map && matchedDomains.size > 0))) {
         const globalOptions = {
           localhostIP,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fanboynz/network-scanner",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "description": "A Puppeteer-based network scanner for analyzing web traffic, generating adblock filter rules, and identifying third-party requests. Features include fingerprint spoofing, Cloudflare bypass, content analysis with curl/grep, and multiple output formats.",
   "main": "nwss.js",
   "scripts": {