blackveil-dns 2.2.2 → 2.3.5

package/README.md

@@ -9,7 +9,7 @@ Open-source DNS & email security scanner for Claude, Cursor, VS Code, and MCP cl
 [![GitHub stars](https://img.shields.io/github/stars/MadaBurns/bv-mcp?style=flat&logo=github)](https://github.com/MadaBurns/bv-mcp/stargazers)
 [![npm version](https://img.shields.io/npm/v/blackveil-dns)](https://www.npmjs.com/package/blackveil-dns)
 [![npm downloads](https://img.shields.io/npm/dm/blackveil-dns)](https://www.npmjs.com/package/blackveil-dns)
-[![Tests](https://img.shields.io/badge/Tests-1932-brightgreen)](https://github.com/MadaBurns/bv-mcp/actions)
+[![Tests](https://img.shields.io/badge/Tests-2283-brightgreen)](https://github.com/MadaBurns/bv-mcp/actions)
 [![Coverage](https://img.shields.io/badge/Coverage-~90%25-brightgreen)](https://github.com/MadaBurns/bv-mcp/actions)
 [![BUSL-1.1 License](https://img.shields.io/badge/License-BUSL--1.1-blue.svg)](LICENSE)
 [![MCP](https://img.shields.io/badge/MCP-2025--03--26-blue)](https://modelcontextprotocol.io/)
@@ -26,7 +26,7 @@ Open-source DNS & email security scanner for Claude, Cursor, VS Code, and MCP cl
 
 **Claude Desktop** (one-click install):
 
-Download the [Blackveil DNS extension](https://github.com/MadaBurns/bv-claude-dns/releases/latest/download/bv-claude-dns.mcpb) and open it — all 41 tools available instantly. [Verify your download](https://blackveilsecurity.com/extensions/claude-dns#install).
+Download the [Blackveil DNS extension](https://github.com/MadaBurns/bv-claude-dns/releases/latest/download/bv-claude-dns.mcpb) and open it — all 44 tools available instantly. [Verify your download](https://blackveilsecurity.com/extensions/claude-dns#install).
 
 **Claude Code** (one command):
 
@@ -66,7 +66,7 @@ Transport support:
 
 ## What you get
 
-- **57+ checks across 20 categories** — SPF, DMARC, DKIM, DNSSEC, SSL/TLS, MTA-STS, NS, CAA, MX, BIMI, TLS-RPT, subdomain takeover, lookalike domains, HTTP security headers, DANE, shadow domains, TXT hygiene, MX reputation, SRV, zone hygiene
+- **80+ checks across 20 categories** — SPF, DMARC, DKIM, DNSSEC, SSL/TLS, MTA-STS, NS, CAA, MX, BIMI, TLS-RPT, subdomain takeover, lookalike domains, HTTP security headers, DANE, shadow domains, TXT hygiene, MX reputation, SRV, zone hygiene
 - **Maturity staging** — Stage 0-4 classification (Unprotected to Hardened) with score-based capping to prevent inflated labels
 - **Trust surface analysis** — detects shared SaaS platforms (Google, M365, SendGrid) and cross-references DMARC enforcement to determine real exposure
 - **Guided remediation** — `generate_fix_plan` produces provider-aware prioritized actions; record generators output ready-to-publish records; `validate_fix` confirms whether a fix was applied successfully
@@ -81,25 +81,25 @@ Transport support:
 ## Tools
 
 ```
-  41 MCP tools · 7 prompts · 6 resources
+  44 MCP tools · 7 prompts · 6 resources
 
   Email Auth           Infrastructure        Brand & Threats       Meta
- ────────────         ────────────────       ─────────────────    ──────────────
+ ────────────         ────────────────       ─────────────────    ──────────────────────
   check_spf            check_dnssec           check_bimi           scan_domain
-  check_dmarc          check_ns               check_tlsrpt         explain_finding
-  check_dkim           check_caa              check_lookalikes     compare_baseline
-  check_mta_sts        check_ssl              check_shadow_domains
-  check_mx             check_http_security
-  check_mx_reputation  check_dane             Intelligence         Remediation
-                       check_dane_https      ──────────────       ──────────────
-  DNS Hygiene          check_svcb_https       get_benchmark         generate_fix_plan
- ────────────          check_srv              get_provider_         generate_spf_record
-  check_txt_hygiene    check_zone_hygiene       insights            generate_dmarc_record
-                       check_resolver_        assess_spoofability   generate_dkim_config
-                         consistency          map_supply_chain      generate_mta_sts_policy
-                                              resolve_spf_chain     generate_rollout_plan
-                                              discover_subdomains   validate_fix
-                                              map_compliance
+  check_dmarc          check_ns               check_tlsrpt         batch_scan
+  check_dkim           check_caa              check_lookalikes     compare_domains
+  check_mta_sts        check_ssl              check_shadow_domains compare_baseline
+  check_mx             check_http_security                         explain_finding
+  check_mx_reputation  check_dane             Intelligence
+  check_subdomailing   check_dane_https      ──────────────       Remediation
+                       check_svcb_https       get_benchmark       ──────────────
+  DNS Hygiene          check_srv              get_provider_        generate_fix_plan
+ ────────────          check_zone_hygiene       insights           generate_spf_record
+  check_txt_hygiene    check_resolver_        assess_spoofability  generate_dmarc_record
+                         consistency          map_supply_chain     generate_dkim_config
+                                              resolve_spf_chain    generate_mta_sts_policy
+                                              discover_subdomains  generate_rollout_plan
+                                              map_compliance       validate_fix
                                               simulate_attack_paths
                                               analyze_drift
 
@@ -184,6 +184,14 @@ For full hosted setup examples, stdio usage, and legacy fallback endpoints, see
 
 ---
 
+## Responsible use
+
+This tool is intended for **authorized security assessments** of domains you own or have explicit permission to test. Do not use it for unauthorized reconnaissance, harassment, or any activity that violates applicable laws. Findings from attack simulation, spoofability, and subdomain discovery tools should be used to **improve your own security posture**, not to exploit others.
+
+If you discover a vulnerability in a third-party domain, please follow [coordinated disclosure](https://www.cisa.gov/coordinated-vulnerability-disclosure-process) practices.
+
+---
+
 <div align="center">
 
 Built and maintained by [**BLACKVEIL**](https://blackveilsecurity.com) — NZ-owned cybersecurity consultancy.

package/dist/index.d.ts

@@ -3,6 +3,35 @@ export { CATEGORY_DISPLAY_WEIGHTS, CheckCategory, CheckResult, DomainContext, Do
 import { z } from 'zod';
 export { parseDmarcTags } from '@blackveil/dns-checks';
 
+/**
+ * Promise-based counting semaphore for concurrency control.
+ *
+ * Used to cap concurrent outbound DoH fetches per isolate,
+ * preventing DNS/KV resource exhaustion during batch scans.
+ *
+ * Workers-compatible: uses only Promises and setTimeout, no Node.js APIs.
+ */
+interface SemaphoreOptions {
+    /** Maximum milliseconds a caller waits in the queue before rejection. */
+    maxWaitMs?: number;
+}
+declare class Semaphore {
+    private _active;
+    private readonly _queue;
+    private readonly maxConcurrent;
+    private readonly maxWaitMs?;
+    constructor(maxConcurrent: number, options?: SemaphoreOptions);
+    get active(): number;
+    get waiting(): number;
+    /** Acquire a semaphore slot. Returns a release function. */
+    acquire(): Promise<() => void>;
+    /** Run an async function within a semaphore-controlled slot. */
+    run<T>(fn: () => Promise<T>): Promise<T>;
+    /** Wait for all active and queued tasks to finish. */
+    drain(): Promise<void>;
+    private release;
+}
+
 /** Standard DNS record type codes */
 declare const RecordType: {
     readonly A: 1;
@@ -68,6 +97,8 @@ interface QueryDnsOptions {
     queryCache?: Map<string, Promise<DohResponse>>;
     /** Custom secondary DoH resolver. When set, used instead of Google DoH for empty-result confirmation. Falls back to Google if this resolver fails. */
     secondaryDoh?: SecondaryDohConfig;
+    /** Semaphore for capping concurrent outbound DoH fetches per isolate. */
+    dnsSemaphore?: Semaphore;
 }
 
 /** Error thrown when a DNS query fails */
@@ -160,7 +191,7 @@ declare function sanitizeDomain(input: string): string;
 declare function sanitizeInput(input: string, maxLength?: number): string;
 
 /** Server version — keep in sync with package.json */
-declare const SERVER_VERSION = "2.2.2";
+declare const SERVER_VERSION = "2.3.5";
 
 /**
  * Map of every tool name to its Zod argument schema.

package/dist/index.js

@@ -97,6 +97,62 @@ z.object({
   certData: z.string()
 });
 
+// src/lib/log.ts
+var REDACTED = "[redacted]";
+var MAX_LOG_STRING_LENGTH = 256;
+var MAX_ERROR_STRING_LENGTH = 1024;
+var SENSITIVE_KEY_PATTERN = /(^ip$|authorization|mcp-session-id|session|token|api[-_]?key|secret|password|cookie|rawbody)/i;
+function isSensitiveKey(key) {
+  return !/^has[A-Z]/.test(key) && SENSITIVE_KEY_PATTERN.test(key);
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function sanitizeString(value, maxLength = MAX_LOG_STRING_LENGTH) {
+  const stripped = value.replace(/[\x00-\x08\x0a-\x1f\x7f]/g, " ");
+  if (stripped.length <= maxLength) return stripped;
+  const half = Math.floor((maxLength - 5) / 2);
+  return `${stripped.slice(0, half)} ... ${stripped.slice(-half)}`;
+}
+function sanitizeLogValue(value, key, maxLength) {
+  if (key && isSensitiveKey(key)) {
+    return REDACTED;
+  }
+  if (typeof value === "string") {
+    return sanitizeString(value, maxLength);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => sanitizeLogValue(item, void 0, maxLength));
+  }
+  if (isPlainObject(value)) {
+    const sanitized = {};
+    for (const [entryKey, entryValue] of Object.entries(value)) {
+      sanitized[entryKey] = sanitizeLogValue(entryValue, entryKey, maxLength);
+    }
+    return sanitized;
+  }
+  return value;
+}
+function logEvent(event) {
+  const isError = event.severity === "error";
+  const maxLen = isError ? MAX_ERROR_STRING_LENGTH : MAX_LOG_STRING_LENGTH;
+  const log = {
+    ...event,
+    timestamp: event.timestamp || (/* @__PURE__ */ new Date()).toISOString(),
+    details: sanitizeLogValue(event.details, void 0, maxLen),
+    error: typeof event.error === "string" ? sanitizeString(event.error, maxLen) : event.error
+  };
+  console.log(JSON.stringify(log));
+}
+function logError(error, context) {
+  logEvent({
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    severity: "error",
+    error: typeof error === "string" ? error : error.message,
+    ...context
+  });
+}
+
 // src/lib/dns-transport.ts
 var DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query";
 var GOOGLE_DOH_ENDPOINT = "https://dns.google/resolve";
@@ -118,18 +174,25 @@ async function fetchDohResponse(url, timeoutMs, opts) {
   try {
     const headers = { Accept: "application/dns-json" };
     if (opts?.token) headers["X-BV-Token"] = opts.token;
-    const response = await fetch(url, {
+    const doFetch = () => fetch(url, {
       method: "GET",
       headers,
       signal: AbortSignal.timeout(timeoutMs),
       ...opts?.useEdgeCache ? { cf: { cacheTtl: DOH_EDGE_CACHE_TTL, cacheEverything: true } } : {}
     });
+    const response = opts?.semaphore ? await opts.semaphore.run(doFetch) : await doFetch();
     if (!response.ok) return null;
     const data = await response.json();
     const parsed = DohResponseSchema.safeParse(data);
     if (!parsed.success) return null;
     return parsed.data;
-  } catch {
+  } catch (err) {
+    const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
+    logError(isTimeout ? "DNS fetch timeout" : "DNS fetch failed", {
+      severity: "warn",
+      category: "dns-transport",
+      details: { url: url.replace(/name=[^&]+/, "name=<domain>"), errorType: isTimeout ? "timeout" : "network" }
+    });
     return null;
   }
 }
@@ -161,11 +224,13 @@ async function queryDnsUncached(domain, type, dnssecCheck = false, opts) {
   const timeoutMs = opts?.timeoutMs ?? DNS_TIMEOUT_MS;
   const retries = opts?.retries ?? DNS_RETRIES;
   const confirmWithSecondaryOnEmpty = opts?.confirmWithSecondaryOnEmpty ?? DNS_CONFIRM_WITH_SECONDARY_ON_EMPTY;
+  const sem = opts?.dnsSemaphore;
   const url = buildDohUrl(DOH_ENDPOINT, domain, type, dnssecCheck);
+  const guardedFetch = (input, init) => sem ? sem.run(() => fetch(input, init)) : fetch(input, init);
   for (let attempt = 0; attempt <= retries; attempt++) {
     let response;
     try {
-      response = await fetch(url, {
+      response = await guardedFetch(url, {
         method: "GET",
         headers: { Accept: "application/dns-json" },
         signal: AbortSignal.timeout(timeoutMs),
@@ -199,29 +264,44 @@ async function queryDnsUncached(domain, type, dnssecCheck = false, opts) {
     }
     const data = validated.data;
     if (confirmWithSecondaryOnEmpty && !opts?.skipSecondaryConfirmation && !hasTypedAnswers(data, type)) {
-      if (opts?.secondaryDoh?.endpoint) {
-        const bvDns = await fetchDohResponse(
-          buildDohUrl(opts.secondaryDoh.endpoint, domain, type, dnssecCheck),
-          timeoutMs,
-          { token: opts.secondaryDoh.token }
-        );
-        if (bvDns && hasTypedAnswers(bvDns, type)) {
-          return bvDns;
-        }
-      }
-      const google = await fetchDohResponse(
-        buildDohUrl(GOOGLE_DOH_ENDPOINT, domain, type, dnssecCheck),
-        timeoutMs,
-        { useEdgeCache: true }
-      );
-      if (google && hasTypedAnswers(google, type)) {
-        return google;
-      }
+      const secondaryResult = await confirmWithSecondaryResolvers(domain, type, dnssecCheck, timeoutMs, sem, opts);
+      if (secondaryResult) return secondaryResult;
     }
     return data;
   }
   throw new DnsQueryError("DNS query failed after retries", domain, type);
 }
+async function confirmWithSecondaryResolvers(domain, type, dnssecCheck, timeoutMs, sem, opts) {
+  const hasBvDns = !!opts?.secondaryDoh?.endpoint;
+  const googleUrl = buildDohUrl(GOOGLE_DOH_ENDPOINT, domain, type, dnssecCheck);
+  if (hasBvDns) {
+    const bvDnsUrl = buildDohUrl(opts.secondaryDoh.endpoint, domain, type, dnssecCheck);
+    const candidates = [
+      fetchDohResponse(bvDnsUrl, timeoutMs, { token: opts.secondaryDoh.token, semaphore: sem }),
+      fetchDohResponse(googleUrl, timeoutMs, { useEdgeCache: true, semaphore: sem })
+    ];
+    const results = await Promise.allSettled(candidates);
+    for (const r of results) {
+      if (r.status === "fulfilled" && r.value && hasTypedAnswers(r.value, type)) {
+        return r.value;
+      }
+    }
+    const allFailed = results.every((r) => r.status === "rejected" || !r.value);
+    if (allFailed) {
+      logError("All secondary DNS resolvers failed", {
+        severity: "warn",
+        category: "dns-transport",
+        details: { domain, type }
+      });
+    }
+    return null;
+  }
+  const google = await fetchDohResponse(googleUrl, timeoutMs, { useEdgeCache: true, semaphore: sem });
+  if (google && hasTypedAnswers(google, type)) {
+    return google;
+  }
+  return null;
+}
 
 // src/lib/dns-records.ts
 async function queryDnsRecords(domain, type, opts) {
@@ -491,7 +571,7 @@ function sanitizeInput(input, maxLength = 500) {
 }
 
 // src/lib/server-version.ts
-var SERVER_VERSION = "2.2.2";
+var SERVER_VERSION = "2.3.5";
 var DomainSchema = z.string().min(1).max(253);
 z.string().regex(/^[0-9a-f]{64}$/);
 var DkimSelectorSchema = z.string().transform((s) => s.trim().toLowerCase()).pipe(z.string().max(63).regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/));
@@ -1106,51 +1186,66 @@ function makeQueryDNS5(dnsOptions) {
   };
 }
 async function checkDnssec2(domain, dnsOptions) {
-  const baseResult = await checkDNSSEC(
-    domain,
-    makeQueryDNS5(dnsOptions),
-    {
-      timeout: dnsOptions?.timeoutMs ?? 5e3,
-      rawQueryDNS: async (d, type, dnssecFlag) => {
-        const resp = await queryDns(d, type, dnssecFlag ?? false, dnsOptions);
-        return { AD: resp.AD, Answer: resp.Answer };
+  try {
+    const baseResult = await checkDNSSEC(
+      domain,
+      makeQueryDNS5(dnsOptions),
+      {
+        timeout: dnsOptions?.timeoutMs ?? 5e3,
+        rawQueryDNS: async (d, type, dnssecFlag) => {
+          const resp = await queryDns(d, type, dnssecFlag ?? false, dnsOptions);
+          return { AD: resp.AD, Answer: resp.Answer };
+        }
       }
+    );
+    const dnssecAbsent = baseResult.findings.some((f) => f.title === "DNSSEC not enabled") || baseResult.findings.some((f) => f.title === "DNSSEC check failed") || baseResult.findings.some((f) => f.title === "DNSSEC chain of trust incomplete") || baseResult.findings.some((f) => f.title === "DNSSEC validation failing");
+    if (dnssecAbsent) {
+      return baseResult;
     }
-  );
-  const dnssecAbsent = baseResult.findings.some((f) => f.title === "DNSSEC not enabled") || baseResult.findings.some((f) => f.title === "DNSSEC check failed") || baseResult.findings.some((f) => f.title === "DNSSEC chain of trust incomplete") || baseResult.findings.some((f) => f.title === "DNSSEC validation failing");
-  if (dnssecAbsent) {
-    return baseResult;
-  }
-  const [dnskeyResult, dsResult] = await Promise.allSettled([
-    queryDnsRecords(domain, "DNSKEY", dnsOptions),
-    queryDnsRecords(domain, "DS", dnsOptions)
-  ]);
-  const hasDnskey = dnskeyResult.status === "fulfilled" && dnskeyResult.value.length > 0;
-  const hasDs = dsResult.status === "fulfilled" && dsResult.value.length > 0;
-  const dnssecSource = hasDnskey && hasDs ? "domain_configured" : "tld_inherited";
-  if (dnssecSource === "tld_inherited") {
-    const inheritedFinding = createFinding(
+    const [dnskeyResult, dsResult] = await Promise.allSettled([
+      queryDnsRecords(domain, "DNSKEY", dnsOptions),
+      queryDnsRecords(domain, "DS", dnsOptions)
+    ]);
+    const hasDnskey = dnskeyResult.status === "fulfilled" && dnskeyResult.value.length > 0;
+    const hasDs = dsResult.status === "fulfilled" && dsResult.value.length > 0;
+    const dnssecSource = hasDnskey && hasDs ? "domain_configured" : "tld_inherited";
+    if (dnssecSource === "tld_inherited") {
+      const inheritedFinding = createFinding(
+        "dnssec",
+        "DNSSEC inherited from TLD",
+        "info",
+        `DNSSEC validation passes but ${domain} does not have its own DNSKEY or DS records. DNSSEC protection is inherited from the TLD registry, not configured by the domain owner.`,
+        { dnssecSource: "tld_inherited" }
+      );
+      return buildCheckResult("dnssec", [...baseResult.findings, inheritedFinding]);
+    }
+    if (baseResult.findings.length > 0) {
+      const [first, ...rest] = baseResult.findings;
+      const tagged = { ...first, metadata: { ...first.metadata ?? {}, dnssecSource: "domain_configured" } };
+      return buildCheckResult("dnssec", [tagged, ...rest]);
+    }
+    const configuredFinding = createFinding(
       "dnssec",
-      "DNSSEC inherited from TLD",
+      "DNSSEC configured by domain owner",
       "info",
-      `DNSSEC validation passes but ${domain} does not have its own DNSKEY or DS records. DNSSEC protection is inherited from the TLD registry, not configured by the domain owner.`,
-      { dnssecSource: "tld_inherited" }
+      `${domain} has DNSKEY and DS records \u2014 DNSSEC is explicitly configured by the domain owner.`,
+      { dnssecSource: "domain_configured" }
     );
-    return buildCheckResult("dnssec", [...baseResult.findings, inheritedFinding]);
-  }
-  if (baseResult.findings.length > 0) {
-    const [first, ...rest] = baseResult.findings;
-    const tagged = { ...first, metadata: { ...first.metadata ?? {}, dnssecSource: "domain_configured" } };
-    return buildCheckResult("dnssec", [tagged, ...rest]);
+    return buildCheckResult("dnssec", [configuredFinding]);
+  } catch (err) {
+    if (err instanceof DnsQueryError) {
+      return buildCheckResult("dnssec", [
+        createFinding(
+          "dnssec",
+          "DNSSEC check could not complete",
+          "info",
+          `Unable to verify DNSSEC for ${domain} \u2014 DNS query failed: ${err.message}`,
+          { checkStatus: "error" }
+        )
+      ]);
+    }
+    throw err;
   }
-  const configuredFinding = createFinding(
-    "dnssec",
-    "DNSSEC configured by domain owner",
-    "info",
-    `${domain} has DNSKEY and DS records \u2014 DNSSEC is explicitly configured by the domain owner.`,
-    { dnssecSource: "domain_configured" }
-  );
-  return buildCheckResult("dnssec", [configuredFinding]);
 }
 
 // src/tools/lookalike-analysis.ts
@@ -1393,14 +1488,16 @@ async function checkLookalikes(domain) {
     checkLookalikesCore(domain),
     new Promise((_, reject) => setTimeout(() => reject(new Error("Lookalike check timed out")), LOOKALIKE_TIMEOUT_MS))
   ]).catch(() => {
-    return buildCheckResult("lookalikes", [
+    const result = buildCheckResult("lookalikes", [
       createFinding(
         "lookalikes",
         "Lookalike check incomplete",
         "info",
-        "Lookalike check did not complete. This check generates many DNS queries \u2014 try again shortly, as partial results are cached."
+        "Lookalike check did not complete within the time limit. Results may be incomplete \u2014 try again shortly."
       )
     ]);
+    result.partial = true;
+    return result;
   });
 }
 async function checkLookalikesCore(domain) {
@@ -1823,7 +1920,16 @@ async function checkMx(domain, options, dnsOptions) {
         );
       }
     }
-  } catch {
+  } catch (err) {
+    logEvent({
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      severity: "warn",
+      category: "provider-detection",
+      domain,
+      tool: "check_mx",
+      error: err instanceof Error ? err.message : String(err),
+      details: { phase: "provider_detection" }
+    });
   }
   return { ...baseResult, findings };
 }
@@ -2683,57 +2789,6 @@ function applyInteractionPenalties(score, config) {
   };
 }
 
-// src/lib/log.ts
-var REDACTED = "[redacted]";
-var MAX_LOG_STRING_LENGTH = 256;
-var SENSITIVE_KEY_PATTERN = /(^ip$|authorization|mcp-session-id|session|token|api[-_]?key|secret|password|cookie|rawbody)/i;
-function isSensitiveKey(key) {
-  return !/^has[A-Z]/.test(key) && SENSITIVE_KEY_PATTERN.test(key);
-}
-function isPlainObject(value) {
-  return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-function sanitizeString(value) {
-  const stripped = value.replace(/[\x00-\x08\x0a-\x1f\x7f]/g, " ");
-  return stripped.length > MAX_LOG_STRING_LENGTH ? `${stripped.slice(0, MAX_LOG_STRING_LENGTH)}...` : stripped;
-}
-function sanitizeLogValue(value, key) {
-  if (key && isSensitiveKey(key)) {
-    return REDACTED;
-  }
-  if (typeof value === "string") {
-    return sanitizeString(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map((item) => sanitizeLogValue(item));
-  }
-  if (isPlainObject(value)) {
-    const sanitized = {};
-    for (const [entryKey, entryValue] of Object.entries(value)) {
-      sanitized[entryKey] = sanitizeLogValue(entryValue, entryKey);
-    }
-    return sanitized;
-  }
-  return value;
-}
-function logEvent(event) {
-  const log = {
-    ...event,
-    timestamp: event.timestamp || (/* @__PURE__ */ new Date()).toISOString(),
-    details: sanitizeLogValue(event.details),
-    error: typeof event.error === "string" ? sanitizeString(event.error) : event.error
-  };
-  console.log(JSON.stringify(log));
-}
-function logError(error, context) {
-  logEvent({
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    severity: "error",
-    error: typeof error === "string" ? error : error.message,
-    ...context
-  });
-}
-
 // src/lib/cache.ts
 var DEFAULT_TTL_MS = 5 * 60 * 1e3;
 var DEFAULT_TTL_SECONDS = 300;
@@ -2852,10 +2907,37 @@ async function runWithCache(key, run, kv, ttlSeconds, skipCache) {
   }
   const existing = INFLIGHT.get(key);
   if (existing) return existing;
+  if (kv && !skipCache) {
+    const sentinelKey = `${key}:computing`;
+    try {
+      const sentinel = await kv.get(sentinelKey);
+      if (sentinel) {
+        const polled = await pollForResult(key, kv);
+        if (polled !== void 0) return polled;
+      } else {
+        await kv.put(sentinelKey, String(Date.now()), { expirationTtl: SENTINEL_TTL_SECONDS });
+      }
+    } catch {
+    }
+  }
   const cleanup = setTimeout(() => INFLIGHT.delete(key), INFLIGHT_CLEANUP_MS);
   const promise = run().then(async (result) => {
     await cacheSet(key, result, kv, ttlSeconds);
+    if (kv) {
+      try {
+        await kv.delete(`${key}:computing`);
+      } catch {
+      }
+    }
     return result;
+  }).catch(async (err) => {
+    if (kv) {
+      try {
+        await kv.delete(`${key}:computing`);
+      } catch {
+      }
+    }
+    throw err;
   }).finally(() => {
     clearTimeout(cleanup);
     INFLIGHT.delete(key);
@@ -2863,6 +2945,20 @@ async function runWithCache(key, run, kv, ttlSeconds, skipCache) {
   INFLIGHT.set(key, promise);
   return promise;
 }
+var SENTINEL_TTL_SECONDS = 10;
+var POLL_DELAYS_MS = [250, 500, 750];
+async function pollForResult(key, kv) {
+  for (const delay of POLL_DELAYS_MS) {
+    await new Promise((r) => setTimeout(r, delay));
+    try {
+      const val = await kv.get(key, "json");
+      if (val !== null) return val;
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
 function detectCdnProvider(headers) {
   if (headers.get("cf-ray") || headers.get("server")?.toLowerCase().includes("cloudflare")) {
     return "Cloudflare";
@@ -3669,7 +3765,12 @@ async function scanDomain(domain, kv, runtimeOptions) {
       })();
       if (runtimeOptions.waitUntil) runtimeOptions.waitUntil(telemetryPromise);
     }
-  } catch {
+  } catch (postProcessError) {
+    logError(postProcessError instanceof Error ? postProcessError : String(postProcessError), {
+      category: "scan-domain",
+      domain,
+      details: { phase: "post-processing", checksCompleted: checkResults.length }
+    });
     if (degradedStatuses.size > 0) {
       checkResults = checkResults.map((r) => {
         const status = degradedStatuses.get(r.category);
@@ -3697,7 +3798,7 @@ async function scanDomain(domain, kv, runtimeOptions) {
       context: fallbackContext,
       cached: false,
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      scoringNote: null,
+      scoringNote: "Post-processing encountered an error; results may be approximate",
       adaptiveWeightDeltas: null,
       interactionEffects: []
     };
@@ -3770,11 +3871,16 @@ async function safeCheck(category, fn) {
     return result;
   } catch (err) {
     const rawMessage = err instanceof Error ? err.message : "Check failed";
+    const isTimeout = rawMessage === "Check timed out";
     const SAFE_PREFIXES = ["DNS query", "Check timed out", "Check failed", "Connection", "timeout"];
     const safeMessage = SAFE_PREFIXES.some((p) => rawMessage.startsWith(p)) ? rawMessage : "Check failed";
-    const findings = [createFinding(category, `${category.toUpperCase()} check error`, "high", `Check failed: ${safeMessage}`)];
+    const severity = isTimeout ? "low" : "high";
+    const title = isTimeout ? `${category.toUpperCase()} check timed out` : `${category.toUpperCase()} check error`;
+    const detail = isTimeout ? `Check did not complete within the ${PER_CHECK_TIMEOUT_MS / 1e3}s per-check time limit. Try running this check individually.` : `Check failed: ${safeMessage}`;
+    const checkStatus = isTimeout ? "timeout" : "error";
+    const findings = [createFinding(category, title, severity, detail)];
     const result = buildCheckResult(category, findings);
-    return { ...result, score: 0, checkStatus: "error" };
+    return { ...result, score: 0, checkStatus };
   }
 }