@q32/signal-scanner 0.1.0 → 0.2.0

package/src/render.ts

@@ -1,233 +0,0 @@
-// Render-and-scan: build a REAL DOM (linkedom), run the page's inline AND
-// external scripts against it with our behavioral surfaces instrumented, then
-// hand back the rendered HTML (to re-scan with the static rules) plus a
-// BehaviorReport (exfil endpoints, runtime redirects, eval'd code, surfaced
-// URLs). This closes the gap where a credential form is injected by an external
-// JS bundle — invisible to inline-only analysis.
-//
-// linkedom replaces only the DOM; the instrumentation (fetch/XHR/sendBeacon/
-// location/eval/Function/atob/cookie) is layered ON the linkedom window so both
-// `fetch(...)` and `window.fetch(...)`/`window.location.href=` are recorded.
-//
-// linkedom + new Function run in any JS isolate (Node + workerd). For UNTRUSTED
-// pages the caller supplies a `run` that executes in a real sandbox (node:vm with
-// a timeout in the CLI; a globalOutbound:null Dynamic Worker in the Worker). The
-// default in-process runner is for trusted/synthetic use (tests).
-
-import { parseHTML } from "linkedom";
-import { extractInlineScripts, extractScriptSources, type BehaviorReport, type NetworkAttempt } from "./dynamic";
-
-const MAX_EXTERNAL_SCRIPTS = 8;
-const MAX_SCRIPT_BYTES = 512 * 1024;
-
-/** Self-contained input for the in-isolate core: HTML + already-fetched external script bodies. */
-export interface RenderInput {
-  html: string;
-  url?: string;
-  externalScripts?: string[];
-}
-
-/** Runs renderDom — in-process by default, or inside an isolate (isolated-vm / Dynamic Worker). */
-export type RenderInvoke = (input: RenderInput) => RenderResult | Promise<RenderResult>;
-
-export interface RenderOptions {
-  url?: string;
-  /** Fetch an external script body (caller provides IO + egress). Omit to skip externals. */
-  fetchScript?: (absoluteUrl: string) => Promise<string | null>;
-  /** Where renderDom runs (caller's isolate). Default: in-process (trusted/synthetic use only). */
-  invoke?: RenderInvoke;
-  maxExternalScripts?: number;
-}
-
-export interface RenderResult {
-  /** Serialized DOM after scripts ran — feed this to the static scanner. */
-  html: string;
-  /** Behaviors recorded while scripts ran. */
-  report: BehaviorReport;
-}
-
-function emptyReport(): BehaviorReport {
-  return { redirects: [], network: [], writes: [], evals: [], decoded: [], cookies: [], errors: [] };
-}
-
-// Host orchestrator: pre-fetch external scripts (IO stays on the host — the
-// isolate has no network), then run the pure renderDom core inside the caller's
-// isolate (or in-process by default).
-export async function renderAndScan(html: string, options: RenderOptions = {}): Promise<RenderResult> {
-  let externalScripts: string[] = [];
-  if (options.fetchScript) {
-    const sources = extractScriptSources(html).slice(0, options.maxExternalScripts ?? MAX_EXTERNAL_SCRIPTS);
-    externalScripts = (
-      await Promise.all(
-        sources.map(async (src) => {
-          let absolute: string;
-          try {
-            absolute = new URL(src, options.url ?? "https://invalid.example/").toString();
-          } catch {
-            return "";
-          }
-          if (!/^https?:/i.test(absolute)) return "";
-          try {
-            const body = await options.fetchScript!(absolute);
-            return (body ?? "").slice(0, MAX_SCRIPT_BYTES);
-          } catch {
-            return "";
-          }
-        })
-      )
-    ).filter(Boolean);
-  }
-  const invoke = options.invoke ?? renderDom;
-  return await invoke({ html, url: options.url, externalScripts });
-}
-
-// The pure, self-contained core: build a real DOM, run inline + provided external
-// scripts against it with instrumented surfaces, return rendered HTML + behaviors.
-// No IO, no host-global mutation — safe to run in-process or bundled into an
-// isolate (isolated-vm / CF Dynamic Worker).
-export function renderDom(input: RenderInput): RenderResult {
-  const report = emptyReport();
-  let parsed: { document: any; window: any };
-  try {
-    parsed = parseHTML(input.html);
-  } catch {
-    report.errors.push("linkedom parse failed");
-    return { html: input.html, report };
-  }
-  const globals = instrument(parsed.window, parsed.document, input.url, report);
-  const scripts = [...extractInlineScripts(input.html), ...(input.externalScripts ?? [])];
-  for (const body of scripts) {
-    try {
-      // eslint-disable-next-line no-new-func
-      new Function(...Object.keys(globals), body)(...Object.values(globals));
-    } catch (error) {
-      report.errors.push(error instanceof Error ? error.message : "script error");
-    }
-  }
-  let rendered = input.html;
-  try {
-    rendered = parsed.document.toString();
-  } catch {
-    /* keep raw html */
-  }
-  return { html: rendered, report };
-}
-
-// Install instrumented behavioral surfaces on the linkedom window AND return the
-// matching bare globals (so `fetch(...)` and `window.fetch(...)` both record).
-function instrument(window: any, document: any, url: string | undefined, report: BehaviorReport): Record<string, unknown> {
-  const resolve = (value: unknown): string => {
-    const raw = String(value ?? "");
-    try {
-      return url ? new URL(raw, url).toString() : raw;
-    } catch {
-      return raw;
-    }
-  };
-  const pushNet = (kind: NetworkAttempt["kind"], target: unknown) => report.network.push({ kind, url: resolve(target) });
-
-  const fetchStub = (input: unknown) => {
-    pushNet("fetch", typeof input === "object" && input ? (input as any).url ?? input : input);
-    return Promise.resolve({ ok: true, status: 200, text: () => Promise.resolve(""), json: () => Promise.resolve({}), headers: { get: () => null } });
-  };
-  const XHRStub = function (this: any) {
-    this.open = (_method: string, target: string) => { this._url = target; };
-    this.send = () => { if (this._url) pushNet("xhr", this._url); };
-    this.setRequestHeader = () => {};
-    this.addEventListener = () => {};
-  };
-  const beacon = (target: unknown) => { pushNet("beacon", target); return true; };
-  const recordEval = (code: unknown) => { report.evals.push(String(code)); return undefined; };
-  const FunctionStub = function (...args: unknown[]) { report.evals.push(String(args[args.length - 1] ?? "")); return function () {}; };
-  const safeAtob = (value: unknown) => {
-    let out: string;
-    try { out = atob(String(value)); } catch { out = String(value); }
-    report.decoded.push(out);
-    return out;
-  };
-  const safeBtoa = (value: unknown) => { try { return btoa(String(value)); } catch { return String(value); } };
-  // Expose the URL's real components — page JS routinely builds its redirect
-  // target from window.location.search / pathname / origin (a cloaking bouncer
-  // does `dest + location.search`). Missing them yields "undefined" in the URL
-  // and we'd follow the wrong destination.
-  let parsedLocation: URL | null = null;
-  try { parsedLocation = url ? new URL(url) : null; } catch { parsedLocation = null; }
-  const location = new Proxy(
-    {
-      href: url ?? "",
-      origin: parsedLocation?.origin ?? "",
-      protocol: parsedLocation?.protocol ?? "",
-      host: parsedLocation?.host ?? "",
-      hostname: parsedLocation?.hostname ?? "",
-      port: parsedLocation?.port ?? "",
-      pathname: parsedLocation?.pathname ?? "/",
-      search: parsedLocation?.search ?? "",
-      hash: parsedLocation?.hash ?? "",
-      assign: (u: unknown) => report.redirects.push(resolve(u)),
-      replace: (u: unknown) => report.redirects.push(resolve(u)),
-      reload: () => {},
-      toString: () => url ?? ""
-    },
-    { set: (target, prop, value) => { if (prop === "href") report.redirects.push(resolve(value)); (target as any)[prop] = value; return true; } }
-  );
-
-  // Override the surfaces the page reaches via the window object.
-  try { Object.defineProperty(window, "location", { value: location, configurable: true, writable: true }); } catch { /* non-configurable */ }
-  try { window.fetch = fetchStub; } catch {}
-  try { window.XMLHttpRequest = XHRStub; } catch {}
-  try { if (window.navigator) window.navigator.sendBeacon = beacon; } catch {}
-  try { Object.defineProperty(document, "cookie", { configurable: true, get: () => "", set: (v: unknown) => { report.cookies.push(String(v)); } }); } catch {}
-  // document.write/writeln: linkedom doesn't implement them, yet phishing kits
-  // routinely inject their credential form this way. Materialize the markup into
-  // the real DOM so the rendered output (re-scanned by the static rules) contains
-  // the injected form/script — not just a string buried in a <script>.
-  const writeMarkup = (markup: unknown) => {
-    const target = document.body ?? document.documentElement;
-    try { target?.insertAdjacentHTML("beforeend", String(markup ?? "")); } catch {}
-  };
-  try { document.write = writeMarkup; } catch {}
-  try { document.writeln = (markup: unknown) => writeMarkup(String(markup ?? "") + "\n"); } catch {}
-
-  const noop = () => {};
-  const timerRun = (fn: unknown) => { try { if (typeof fn === "function") (fn as () => void)(); } catch {} return 0; };
-  return {
-    window,
-    document,
-    self: window,
-    globalThis: window,
-    top: window,
-    parent: window,
-    location,
-    fetch: fetchStub,
-    XMLHttpRequest: XHRStub,
-    navigator: window.navigator ?? { userAgent: "Mozilla/5.0", language: "en-US", platform: "Win32", sendBeacon: beacon },
-    screen: { width: 1920, height: 1080 },
-    history: { pushState: noop, replaceState: noop },
-    atob: safeAtob,
-    btoa: safeBtoa,
-    eval: recordEval,
-    Function: FunctionStub,
-    setTimeout: timerRun,
-    setInterval: () => 0,
-    clearTimeout: noop,
-    clearInterval: noop,
-    requestAnimationFrame: timerRun,
-    queueMicrotask: (fn: unknown) => { try { (fn as () => void)(); } catch {} },
-    console: { log: noop, warn: noop, error: noop, info: noop, debug: noop },
-    MutationObserver: function (this: any) { this.observe = noop; this.disconnect = noop; },
-    IntersectionObserver: function (this: any) { this.observe = noop; this.disconnect = noop; }
-  };
-}
-
-function defaultRun(scripts: string[], globals: Record<string, unknown>): void {
-  const names = Object.keys(globals);
-  const values = names.map((name) => globals[name]);
-  for (const body of scripts) {
-    try {
-      // eslint-disable-next-line no-new-func
-      new Function(...names, body)(...values);
-    } catch {
-      /* malformed/strict-mode-conflicting script — skip, best effort */
-    }
-  }
-}

package/src/rules/packs/binary.ts

@@ -1,103 +0,0 @@
-import type { PatternRule, RuleDefinition } from "../types";
-
-export const binaryRules: Record<"elf_executable_magic" | "content_type_magic_mismatch" | "elf_writable_executable_stack", RuleDefinition> = {
-  elf_executable_magic: {
-    id: "elf_executable_magic",
-    pack: "binary-static",
-    severity: "high",
-    confidence: "high",
-    title: "ELF executable",
-    description: "Content begins with ELF executable magic bytes.",
-    locationType: "binary",
-    score: { base: 55, tags: ["binary"] }
-  },
-  content_type_magic_mismatch: {
-    id: "content_type_magic_mismatch",
-    pack: "binary-static",
-    severity: "high",
-    confidence: "high",
-    title: "Content type does not match magic bytes",
-    description: "Declared content type conflicts with executable magic bytes.",
-    locationType: "binary",
-    score: { base: 45, tags: ["binary", "obfuscation"] }
-  },
-  elf_writable_executable_stack: {
-    id: "elf_writable_executable_stack",
-    pack: "binary-static",
-    severity: "high",
-    confidence: "medium",
-    title: "ELF requests writable executable stack",
-    description: "ELF program headers include a GNU_STACK segment with write and execute permissions.",
-    locationType: "binary",
-    score: { base: 32, tags: ["binary"] }
-  }
-};
-
-export const binaryStringRules: PatternRule[] = [
-  {
-    id: "iot_botnet_family_strings",
-    pack: "binary-static",
-    severity: "high",
-    confidence: "high",
-    title: "IoT botnet family strings",
-    description: "Binary strings reference IoT botnet family names or architecture payload naming.",
-    locationType: "binary",
-    pattern: /\b(?:Mozi|mirai|gafgyt|boatnet|Mozi\.[a-z0-9])\b/i,
-    score: { base: 70, tags: ["binary"] }
-  },
-  {
-    id: "iot_device_exploit_strings",
-    pack: "binary-static",
-    severity: "high",
-    confidence: "medium",
-    title: "IoT device exploit strings",
-    description: "Binary strings reference common router, camera, TR-064, HNAP, GPON, or Realtek exploitation paths.",
-    locationType: "binary",
-    pattern: /\b(?:gpon8080|gpon80|realtek|netgear8080|netgear80|huawei|tr064|hnap|camcrossweb|camjaws|dlink|vacron|setup\.cgi|SOAPAction:|AddPortMapping|SetNTPServers)\b/i,
-    score: { base: 42, tags: ["binary"] }
-  },
-  {
-    id: "iot_payload_dropper_commands",
-    pack: "binary-static",
-    severity: "high",
-    confidence: "high",
-    title: "IoT payload dropper commands",
-    description: "Binary strings contain wget/curl, chmod, temporary directory, and shell execution payload chains.",
-    locationType: "binary",
-    pattern: /(?:wget|curl|busybox wget)[\s\S]{0,160}(?:chmod|\/tmp|\/var\/tmp|\/dev\/shm)[\s\S]{0,160}(?:\/bin\/sh|sh\s|\.\/|Mozi\.)/i,
-    score: { base: 64, tags: ["binary", "source"] }
-  },
-  {
-    id: "router_management_hijack_commands",
-    pack: "binary-static",
-    severity: "high",
-    confidence: "high",
-    title: "Router management hijack commands",
-    description: "Binary strings contain TR-069 or router management-server hijack commands.",
-    locationType: "binary",
-    pattern: /(?:cfgtool|sendcmd)[\s\S]{0,240}(?:ManagementServer|MgtServer|Tr069Enable|ConnectionRequestPassword|acsMozi|127\.0\.0\.1)/i,
-    score: { base: 58, tags: ["binary"] }
-  },
-  {
-    id: "firewall_lockout_commands",
-    pack: "binary-static",
-    severity: "medium",
-    confidence: "high",
-    title: "Firewall lockout commands",
-    description: "Binary strings contain iptables rules that block management, TR-069, telnet, or SSH ports.",
-    locationType: "binary",
-    pattern: /iptables[\s\S]{0,120}(?:DROP|--dport|--sport|--destination-port|--source-port)[\s\S]{0,80}\b(?:22|23|2323|35000|50023|7547|58000)\b/i,
-    score: { base: 34, tags: ["binary"] }
-  },
-  {
-    id: "dht_cnc_protocol_strings",
-    pack: "binary-static",
-    severity: "medium",
-    confidence: "high",
-    title: "DHT/CNC protocol strings",
-    description: "Binary strings contain DHT peer protocol and command-and-control markers.",
-    locationType: "binary",
-    pattern: /(?:\[cnc\]|\[atk\]|\[ud\]|\[dip\]|1:q9:find_node|1:q9:get_peers|1:q13:announce_peer|info_hash20|nodes6)/i,
-    score: { base: 34, tags: ["binary"] }
-  }
-];

package/src/rules/packs/css.ts

@@ -1,44 +0,0 @@
-import type { RuleDefinition } from "../types";
-
-export const cssRules: Record<"hidden_link_cluster" | "unicode_bidi_trick" | "css_imports_suspicious_domain" | "invisible_form_overlay", RuleDefinition> = {
-  hidden_link_cluster: {
-    id: "hidden_link_cluster",
-    pack: "seo-spam",
-    severity: "low",
-    confidence: "medium",
-    title: "Hidden CSS content",
-    description: "CSS contains hidden or offscreen content patterns.",
-    locationType: "css",
-    score: { base: 4, tags: ["seo"] }
-  },
-  unicode_bidi_trick: {
-    id: "unicode_bidi_trick",
-    pack: "obfuscation",
-    severity: "medium",
-    confidence: "high",
-    title: "Unicode bidi CSS trick",
-    description: "CSS uses bidi override, which can hide or reorder visible text.",
-    locationType: "css",
-    score: { base: 20, tags: ["obfuscation"] }
-  },
-  css_imports_suspicious_domain: {
-    id: "css_imports_suspicious_domain",
-    pack: "script-risk",
-    severity: "medium",
-    confidence: "medium",
-    title: "CSS imports off-site resource",
-    description: "CSS imports or loads an off-site URL.",
-    locationType: "url",
-    score: { base: 12, tags: ["script", "url"] }
-  },
-  invisible_form_overlay: {
-    id: "invisible_form_overlay",
-    pack: "phishing",
-    severity: "medium",
-    confidence: "medium",
-    title: "Invisible form overlay style",
-    description: "CSS contains fixed/absolute overlay and invisibility patterns that can hide or intercept form input.",
-    locationType: "css",
-    score: { base: 24, tags: ["credential", "phishing"] }
-  }
-};

package/src/rules/packs/decoders.ts

@@ -1,47 +0,0 @@
-import type { RuleDefinition } from "../types";
-
-export const decodedArtifactRules: Record<"large_base64_blob" | "javascript_hex_escapes" | "javascript_unicode_escapes" | "fromcharcode_decoded_string", RuleDefinition> = {
-  large_base64_blob: {
-    id: "large_base64_blob",
-    pack: "obfuscation",
-    severity: "medium",
-    confidence: "medium",
-    title: "Decoded base64 artifact",
-    description: "Scanner decoded a base64 artifact and rescanned it.",
-    locationType: "decoded_artifact",
-    score: { base: 14, tags: ["decoded", "obfuscation"] }
-  },
-  javascript_hex_escapes: {
-    id: "javascript_hex_escapes",
-    pack: "obfuscation",
-    severity: "medium",
-    confidence: "medium",
-    title: "Decoded JavaScript hex escapes",
-    description: "Scanner decoded JavaScript hex escapes and rescanned the artifact.",
-    locationType: "decoded_artifact",
-    score: { base: 18, tags: ["decoded", "obfuscation"] }
-  },
-  javascript_unicode_escapes: {
-    id: "javascript_unicode_escapes",
-    pack: "obfuscation",
-    severity: "low",
-    confidence: "medium",
-    title: "Decoded JavaScript unicode escapes",
-    description: "Scanner decoded JavaScript unicode escapes and rescanned the artifact.",
-    locationType: "decoded_artifact",
-    // Unicode escapes are ubiquitous in legitimate minified/i18n JS. The mere
-    // presence is weak — the conviction comes from rescanning the DECODED
-    // artifact (whose own findings fire separately), not from this marker.
-    score: { base: 8, tags: ["decoded", "obfuscation"] }
-  },
-  fromcharcode_decoded_string: {
-    id: "fromcharcode_decoded_string",
-    pack: "obfuscation",
-    severity: "medium",
-    confidence: "medium",
-    title: "Decoded String.fromCharCode artifact",
-    description: "Scanner decoded a literal String.fromCharCode artifact and rescanned it.",
-    locationType: "decoded_artifact",
-    score: { base: 22, tags: ["decoded", "obfuscation"] }
-  }
-};

package/src/rules/packs/html.ts

@@ -1,255 +0,0 @@
-import type { RuleDefinition } from "../types";
-
-export const htmlRules: Record<
-  | "external_script_from_unrelated_domain"
-  | "mixed_content_script"
-  | "hidden_iframe_off_origin"
-  | "meta_refresh_external"
-  | "password_form_without_https"
-  | "credential_form_posts_off_origin"
-  | "card_fields_plus_external_script"
-  | "excessive_external_scripts_on_login_page"
-  | "login_page_with_punycode_links"
-  | "credential_ui_rendered_as_image"
-  | "crypto_wallet_login_language"
-  | "crypto_trading_landing_language"
-  | "seo_trademark_stuffing"
-  | "credential_form_on_suspicious_host"
-  | "brand_impersonation_content",
-  RuleDefinition
-> = {
-  external_script_from_unrelated_domain: {
-    id: "external_script_from_unrelated_domain",
-    pack: "script-risk",
-    severity: "medium",
-    confidence: "medium",
-    title: "External script from unrelated domain",
-    description: "HTML loads a script from an off-site domain.",
-    locationType: "url",
-    score: { base: 8, tags: ["script", "url"], repeatMultiplier: 0.1, maxRepeats: 3 }
-  },
-  mixed_content_script: {
-    id: "mixed_content_script",
-    pack: "script-risk",
-    severity: "medium",
-    confidence: "high",
-    title: "Mixed-content script",
-    description: "HTTPS page loads a script over HTTP.",
-    locationType: "url",
-    // A real injection vector, but a hygiene issue on its own (browsers block it)
-    // — shouldn't convict a site as malicious without corroborating signal.
-    score: { base: 30, tags: ["script", "url"] }
-  },
-  hidden_iframe_off_origin: {
-    id: "hidden_iframe_off_origin",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Hidden off-origin iframe",
-    description: "HTML contains a hidden iframe pointed at an off-origin URL.",
-    locationType: "url",
-    score: { base: 70, tags: ["phishing", "url"] }
-  },
-  meta_refresh_external: {
-    id: "meta_refresh_external",
-    pack: "redirects",
-    severity: "medium",
-    confidence: "medium",
-    title: "Meta refresh to external URL",
-    description: "HTML redirects with a meta refresh to an off-site URL.",
-    locationType: "url",
-    score: { base: 25, tags: ["redirect", "url"] }
-  },
-  password_form_without_https: {
-    id: "password_form_without_https",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Password form without HTTPS",
-    description: "Page contains a password form on an HTTP origin.",
-    locationType: "html",
-    score: { base: 70, tags: ["credential", "phishing"] }
-  },
-  credential_form_posts_off_origin: {
-    id: "credential_form_posts_off_origin",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Credential form posts off origin",
-    description: "A form with a password field submits to an off-origin URL.",
-    locationType: "url",
-    score: { base: 82, tags: ["credential", "phishing", "url"] }
-  },
-  card_fields_plus_external_script: {
-    id: "card_fields_plus_external_script",
-    pack: "payment",
-    severity: "high",
-    confidence: "medium",
-    title: "Payment fields with external resources",
-    description: "Page contains payment fields and off-site resources.",
-    locationType: "html",
-    score: { base: 72, tags: ["payment", "script", "url"] }
-  },
-  excessive_external_scripts_on_login_page: {
-    id: "excessive_external_scripts_on_login_page",
-    pack: "phishing",
-    severity: "medium",
-    confidence: "medium",
-    title: "Excessive external scripts on login/payment page",
-    description: "Login or payment page loads many off-site scripts.",
-    locationType: "aggregate",
-    score: { base: 14, tags: ["phishing", "script"] }
-  },
-  login_page_with_punycode_links: {
-    id: "login_page_with_punycode_links",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Login page with punycode links",
-    description: "Login-like page references punycode URLs.",
-    locationType: "aggregate",
-    score: { base: 76, tags: ["phishing", "url"] }
-  },
-  credential_ui_rendered_as_image: {
-    id: "credential_ui_rendered_as_image",
-    pack: "phishing",
-    severity: "medium",
-    confidence: "high",
-    title: "Credential UI rendered as image",
-    description: "Page model or markup references a screenshot/image that appears to contain a login or credential form.",
-    locationType: "html",
-    score: { base: 34, tags: ["credential", "phishing"] }
-  },
-  crypto_wallet_login_language: {
-    id: "crypto_wallet_login_language",
-    pack: "phishing",
-    severity: "medium",
-    confidence: "high",
-    title: "Crypto wallet login language",
-    description: "Page model or markup contains crypto/wallet language in login, account, or access context.",
-    locationType: "html",
-    score: { base: 22, tags: ["phishing", "wallet"] }
-  },
-  crypto_trading_landing_language: {
-    id: "crypto_trading_landing_language",
-    pack: "phishing",
-    severity: "low",
-    confidence: "medium",
-    title: "Crypto or DeFi trading landing language",
-    description: "Page model or markup contains multiple crypto, DeFi, exchange, swap, trading, or liquidity terms.",
-    locationType: "html",
-    score: { base: 6, tags: ["phishing", "wallet"] }
-  },
-  seo_trademark_stuffing: {
-    id: "seo_trademark_stuffing",
-    pack: "phishing",
-    severity: "high",
-    confidence: "medium",
-    title: "SEO trademark stuffing",
-    description: "Page title or SEO model overuses trademark symbols in a way commonly seen on impersonation landing pages.",
-    locationType: "html",
-    score: { base: 64, tags: ["phishing", "seo"] }
-  },
-  credential_form_on_suspicious_host: {
-    id: "credential_form_on_suspicious_host",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Credential form on suspicious host",
-    description: "Page contains credential fields on a generated, shared-hosting, suspicious-path, or redirected host.",
-    locationType: "html",
-    score: { base: 72, tags: ["credential", "hosting", "phishing"] }
-  },
-  brand_impersonation_content: {
-    id: "brand_impersonation_content",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Page mimics a brand and captures credentials",
-    description: "Page content prominently references a well-known brand and presents a credential field, but is served from a domain that does not belong to that brand — the core credential-phishing pattern, independent of the URL.",
-    locationType: "html",
-    score: { base: 68, tags: ["credential", "phishing"] }
-  }
-};
-
-export const htmlTechnologyRules: Record<
-  | "legacy_jquery_reference"
-  | "legacy_angularjs_reference"
-  | "legacy_bootstrap_reference"
-  | "legacy_lodash_reference"
-  | "wordpress_surface_reference"
-  | "drupal_surface_reference"
-  | "phpmyadmin_surface_reference",
-  RuleDefinition
-> = {
-  legacy_jquery_reference: {
-    id: "legacy_jquery_reference",
-    pack: "dependency-fingerprint",
-    severity: "low",
-    confidence: "medium",
-    title: "Legacy jQuery reference",
-    description: "A script URL or source text references a legacy jQuery major version.",
-    locationType: "url",
-    score: { base: 4, tags: ["dependency"] }
-  },
-  legacy_angularjs_reference: {
-    id: "legacy_angularjs_reference",
-    pack: "dependency-fingerprint",
-    severity: "low",
-    confidence: "medium",
-    title: "Legacy AngularJS reference",
-    description: "A script URL or source text references AngularJS 1.x.",
-    locationType: "url",
-    score: { base: 6, tags: ["dependency"] }
-  },
-  legacy_bootstrap_reference: {
-    id: "legacy_bootstrap_reference",
-    pack: "dependency-fingerprint",
-    severity: "low",
-    confidence: "medium",
-    title: "Legacy Bootstrap reference",
-    description: "A script URL or source text references Bootstrap 3.x.",
-    locationType: "url",
-    score: { base: 4, tags: ["dependency"] }
-  },
-  legacy_lodash_reference: {
-    id: "legacy_lodash_reference",
-    pack: "dependency-fingerprint",
-    severity: "low",
-    confidence: "medium",
-    title: "Legacy lodash reference",
-    description: "A script URL or source text references lodash versions commonly covered by dependency scanners.",
-    locationType: "url",
-    score: { base: 4, tags: ["dependency"] }
-  },
-  wordpress_surface_reference: {
-    id: "wordpress_surface_reference",
-    pack: "technology-fingerprint",
-    severity: "info",
-    confidence: "medium",
-    title: "WordPress surface reference",
-    description: "HTML references common WordPress paths or generator metadata.",
-    locationType: "html",
-    score: { base: 2, tags: ["technology"] }
-  },
-  drupal_surface_reference: {
-    id: "drupal_surface_reference",
-    pack: "technology-fingerprint",
-    severity: "info",
-    confidence: "medium",
-    title: "Drupal surface reference",
-    description: "HTML or script text references common Drupal surface fingerprints.",
-    locationType: "html",
-    score: { base: 2, tags: ["technology"] }
-  },
-  phpmyadmin_surface_reference: {
-    id: "phpmyadmin_surface_reference",
-    pack: "technology-fingerprint",
-    severity: "info",
-    confidence: "medium",
-    title: "phpMyAdmin surface reference",
-    description: "HTML references common phpMyAdmin surface fingerprints.",
-    locationType: "html",
-    score: { base: 8, tags: ["technology"] }
-  }
-};