blackveil-dns 2.6.2 → 2.9.2

package/dist/stdio.js

@@ -1,7 +1,9 @@
 #!/usr/bin/env node
 import { z, ZodError } from 'zod';
-import { checkSubdomailing as checkSubdomailing$1, checkSVCBHTTPS, checkDANEHTTPS, checkDANE, checkHTTPSecurity, checkTLSRPT, checkBIMI, checkCAA, checkNS, checkMTASTS, checkSSL, checkDNSSEC, checkDKIM, checkDMARC, checkSPF, checkSubdomainTakeover as checkSubdomainTakeover$1, createFinding as createFinding$1, buildCheckResult as buildCheckResult$1, parseDmarcTags, checkMX } from '@blackveil/dns-checks';
+import { checkSubdomailing as checkSubdomailing$1, checkSVCBHTTPS, checkDANEHTTPS, checkDANE, checkHTTPSecurity, checkTLSRPT, checkBIMI, checkCAA, checkNS, checkMTASTS, checkSSL, checkDNSSEC, checkDKIM, checkDMARC, checkSPF, checkSubdomainTakeover as checkSubdomainTakeover$1, createFinding as createFinding$1, buildCheckResult as buildCheckResult$1, checkMX, parseDmarcTags } from '@blackveil/dns-checks';
 import { PROFILE_WEIGHTS, createFinding, buildCheckResult, detectDomainContext, getProfileWeights, computeScanScore, IMPORTANCE_WEIGHTS, scoreToGrade } from '@blackveil/dns-checks/scoring';
+import 'drizzle-orm';
+import 'drizzle-orm/durable-sqlite';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -75,7 +77,7 @@ var init_log = __esm({
 });
 
 // src/lib/config.ts
-var BLOCKED_SUFFIXES, BLOCKED_HOSTS, BLOCKED_IP_PATTERNS, BLOCKED_DNS_REBINDING, MAX_DOMAIN_LENGTH, MAX_LABEL_LENGTH, LABEL_REGEX, HTTPS_TIMEOUT_MS, DNS_TIMEOUT_MS, DNS_RETRIES, DOH_EDGE_CACHE_TTL, INFLIGHT_CLEANUP_MS, DNS_RETRY_BASE_DELAY_MS, DNS_CONFIRM_WITH_SECONDARY_ON_EMPTY, GLOBAL_DAILY_TOOL_LIMIT, TIER_DAILY_LIMITS, TIER_TOOL_DAILY_LIMITS, FREE_TOOL_DAILY_LIMITS, TIER_CONCURRENT_LIMITS;
+var BLOCKED_SUFFIXES, BLOCKED_HOSTS, BLOCKED_IP_PATTERNS, BLOCKED_DNS_REBINDING, MAX_DOMAIN_LENGTH, MAX_LABEL_LENGTH, LABEL_REGEX, HTTPS_TIMEOUT_MS, DNS_TIMEOUT_MS, DNS_RETRIES, DOH_EDGE_CACHE_TTL, INFLIGHT_CLEANUP_MS, DNS_RETRY_BASE_DELAY_MS, DNS_CONFIRM_WITH_SECONDARY_ON_EMPTY, GLOBAL_DAILY_TOOL_LIMIT, TIER_DAILY_LIMITS, TIER_TOOL_DAILY_LIMITS, FREE_TOOL_DAILY_LIMITS, TIER_CONCURRENT_LIMITS, IP_LOCK_TTL_MS, IP_LOCK_RETRY_MS;
 var init_config = __esm({
   "src/lib/config.ts"() {
     BLOCKED_SUFFIXES = [
@@ -195,7 +197,14 @@ var init_config = __esm({
       resolve_spf_chain: 100,
       discover_subdomains: 50,
       map_compliance: 75,
-      simulate_attack_paths: 75
+      simulate_attack_paths: 75,
+      check_dbl: 30,
+      check_rbl: 20,
+      cymru_asn: 30,
+      rdap_lookup: 20,
+      check_nsec_walkability: 30,
+      check_dnssec_chain: 30,
+      check_fast_flux: 10
     };
     TIER_CONCURRENT_LIMITS = {
       free: 3,
@@ -205,6 +214,8 @@ var init_config = __esm({
       partner: 50,
       owner: Infinity
     };
+    IP_LOCK_TTL_MS = 500;
+    IP_LOCK_RETRY_MS = 200;
   }
 });
 
@@ -213,6 +224,7 @@ var cache_exports = {};
 __export(cache_exports, {
   IN_MEMORY_CACHE: () => IN_MEMORY_CACHE,
   TTLCache: () => TTLCache,
+  cacheDelete: () => cacheDelete,
   cacheGet: () => cacheGet,
   cacheSet: () => cacheSet,
   cacheSetDeferred: () => cacheSetDeferred,
@@ -230,6 +242,15 @@ async function cacheGet(key, kv) {
   }
   return IN_MEMORY_CACHE.get(key);
 }
+async function cacheDelete(key, kv) {
+  IN_MEMORY_CACHE.delete(key);
+  if (kv) {
+    try {
+      await kv.delete(key);
+    } catch {
+    }
+  }
+}
 function cacheSetDeferred(key, value, ctx, kv, ttlSeconds) {
   ctx.waitUntil(cacheSet(key, value, kv, ttlSeconds));
 }
@@ -424,6 +445,7 @@ var init_dns_types = __esm({
       DNSKEY: 48,
       DS: 43,
       RRSIG: 46,
+      NSEC3PARAM: 51,
       PTR: 12,
       SRV: 33,
       HTTPS: 65
@@ -485,7 +507,7 @@ function hasTypedAnswers(response, type) {
 function retryDelay(attempt) {
   return new Promise((r) => setTimeout(r, DNS_RETRY_BASE_DELAY_MS * (attempt + 1) + Math.random() * 50));
 }
-async function fetchDohResponse(url, timeoutMs, opts) {
+async function fetchDohOutcome(url, timeoutMs, opts) {
   try {
     const headers = { Accept: "application/dns-json" };
     if (opts?.token) headers["X-BV-Token"] = opts.token;
@@ -496,11 +518,25 @@ async function fetchDohResponse(url, timeoutMs, opts) {
       ...opts?.useEdgeCache ? { cf: { cacheTtl: DOH_EDGE_CACHE_TTL, cacheEverything: true } } : {}
     });
     const response = opts?.semaphore ? await opts.semaphore.run(doFetch) : await doFetch();
-    if (!response.ok) return null;
+    if (!response.ok) {
+      logError("DNS fetch non-2xx", {
+        severity: "warn",
+        category: "dns-transport",
+        details: { url: url.replace(/name=[^&]+/, "name=<domain>"), status: response.status }
+      });
+      return { kind: "error", reason: "http" };
+    }
     const data = await response.json();
     const parsed = DohResponseSchema.safeParse(data);
-    if (!parsed.success) return null;
-    return parsed.data;
+    if (!parsed.success) {
+      logError("DNS parse failure", {
+        severity: "warn",
+        category: "dns-transport",
+        details: { url: url.replace(/name=[^&]+/, "name=<domain>") }
+      });
+      return { kind: "error", reason: "parse" };
+    }
+    return { kind: "ok", response: parsed.data };
   } catch (err) {
     const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
     logError(isTimeout ? "DNS fetch timeout" : "DNS fetch failed", {
@@ -508,7 +544,7 @@ async function fetchDohResponse(url, timeoutMs, opts) {
       category: "dns-transport",
       details: { url: url.replace(/name=[^&]+/, "name=<domain>"), errorType: isTimeout ? "timeout" : "network" }
     });
-    return null;
+    return { kind: "error", reason: isTimeout ? "timeout" : "network" };
   }
 }
 async function queryDns(domain, type, dnssecCheck = false, opts) {
@@ -570,43 +606,38 @@ async function queryDnsUncached(domain, type, dnssecCheck = false, opts) {
     }
     const data = validated.data;
     if (confirmWithSecondaryOnEmpty && !opts?.skipSecondaryConfirmation && !hasTypedAnswers(data, type)) {
-      const secondaryResult = await confirmWithSecondaryResolvers(domain, type, dnssecCheck, timeoutMs, sem, opts);
-      if (secondaryResult) return secondaryResult;
+      const secondaryOpts = opts?.secondaryDoh ? { secondaryDoh: { url: opts.secondaryDoh.endpoint, token: opts.secondaryDoh.token } } : void 0;
+      const secondaryResult = await confirmWithSecondaryResolvers(domain, type, dnssecCheck, timeoutMs, sem, secondaryOpts);
+      if ("kind" in secondaryResult && secondaryResult.kind === "unconfirmed") {
+        return data;
+      }
+      const confirmedResponse = secondaryResult;
+      return confirmedResponse;
     }
     return data;
   }
   throw new DnsQueryError("DNS query failed after retries", domain, type);
 }
 async function confirmWithSecondaryResolvers(domain, type, dnssecCheck, timeoutMs, sem, opts) {
-  const hasBvDns = !!opts?.secondaryDoh?.endpoint;
+  const bvDnsUrl = opts?.secondaryDoh ? buildDohUrl(opts.secondaryDoh.url, domain, type, dnssecCheck) : null;
   const googleUrl = buildDohUrl(GOOGLE_DOH_ENDPOINT, domain, type, dnssecCheck);
-  if (hasBvDns) {
-    const bvDnsUrl = buildDohUrl(opts.secondaryDoh.endpoint, domain, type, dnssecCheck);
-    const candidates = [
-      fetchDohResponse(bvDnsUrl, timeoutMs, { token: opts.secondaryDoh.token, semaphore: sem }),
-      fetchDohResponse(googleUrl, timeoutMs, { useEdgeCache: true, semaphore: sem })
-    ];
-    const results = await Promise.allSettled(candidates);
-    for (const r of results) {
-      if (r.status === "fulfilled" && r.value && hasTypedAnswers(r.value, type)) {
-        return r.value;
-      }
-    }
-    const allFailed = results.every((r) => r.status === "rejected" || !r.value);
-    if (allFailed) {
-      logError("All secondary DNS resolvers failed", {
-        severity: "warn",
-        category: "dns-transport",
-        details: { domain, type }
-      });
-    }
-    return null;
+  const candidates = [
+    bvDnsUrl ? fetchDohOutcome(bvDnsUrl, timeoutMs, { token: opts.secondaryDoh.token, semaphore: sem }) : Promise.resolve({ kind: "error", reason: "network" }),
+    fetchDohOutcome(googleUrl, timeoutMs, { useEdgeCache: true, semaphore: sem })
+  ];
+  const results = await Promise.allSettled(candidates);
+  for (const r of results) {
+    if (r.status === "fulfilled" && r.value.kind === "ok" && hasTypedAnswers(r.value.response, type)) return r.value.response;
   }
-  const google = await fetchDohResponse(googleUrl, timeoutMs, { useEdgeCache: true, semaphore: sem });
-  if (google && hasTypedAnswers(google, type)) {
-    return google;
+  for (const r of results) {
+    if (r.status === "fulfilled" && r.value.kind === "ok") return r.value.response;
   }
-  return null;
+  logError("All secondary resolvers failed", {
+    severity: "warn",
+    category: "dns-transport",
+    details: { type }
+  });
+  return { kind: "unconfirmed" };
 }
 var DOH_ENDPOINT, GOOGLE_DOH_ENDPOINT, DnsQueryError;
 var init_dns_transport = __esm({
@@ -701,6 +732,21 @@ var init_dns2 = __esm({
   }
 });
 
+// src/lib/dns-query-adapter.ts
+function makeQueryDNS(dnsOptions) {
+  return async (domain, type) => {
+    if (type === "TXT") {
+      return queryTxtRecords(domain, dnsOptions);
+    }
+    return queryDnsRecords(domain, type, dnsOptions);
+  };
+}
+var init_dns_query_adapter = __esm({
+  "src/lib/dns-query-adapter.ts"() {
+    init_dns2();
+  }
+});
+
 // src/lib/provider-signature-source.ts
 function normalizeSha256(value) {
   return value.trim().toLowerCase().replace(/^sha256:/, "");
@@ -932,19 +978,11 @@ var check_mx_exports = {};
 __export(check_mx_exports, {
   checkMx: () => checkMx
 });
-function makeQueryDNS15(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkMx(domain, options, dnsOptions) {
   const timeout = dnsOptions?.timeoutMs ?? 5e3;
   const baseResult = await checkMX(
     domain,
-    makeQueryDNS15(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout }
   );
   const hasCritical = baseResult.findings.some((f) => f.severity === "critical");
@@ -953,6 +991,7 @@ async function checkMx(domain, options, dnsOptions) {
     return baseResult;
   }
   const findings = [...baseResult.findings];
+  let providerDetectionFailed = false;
   try {
     const mxAnswers = await queryDnsRecords(domain, "MX", dnsOptions);
     const mxTargets = mxAnswers.map((answer) => {
@@ -982,6 +1021,7 @@ async function checkMx(domain, options, dnsOptions) {
         );
       }
       if (providerSignatures.degraded) {
+        providerDetectionFailed = true;
         findings.push(
           createFinding$1(
             "mx",
@@ -1000,6 +1040,7 @@ async function checkMx(domain, options, dnsOptions) {
       }
     }
   } catch (err) {
+    providerDetectionFailed = true;
     logEvent({
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       severity: "warn",
@@ -1010,11 +1051,16 @@ async function checkMx(domain, options, dnsOptions) {
       details: { phase: "provider_detection" }
     });
   }
-  return { ...baseResult, findings };
+  return {
+    ...baseResult,
+    findings,
+    ...providerDetectionFailed ? { metadata: { providerDetectionFailed: true } } : {}
+  };
 }
 var init_check_mx = __esm({
   "src/tools/check-mx.ts"() {
     init_dns2();
+    init_dns_query_adapter();
     init_provider_signatures();
     init_log();
   }
@@ -1215,8 +1261,8 @@ function checkToolDailyRateLimitInMemory(principalId, toolName, limit) {
   const key = `${principalId}:${toolName.trim().toLowerCase()}`;
   const entry = getOrCreateToolDailyEntry(key);
   entry.timestamps = pruneTimestamps(entry.timestamps, DAY_MS, now);
-  const count = entry.timestamps.length;
-  if (count >= limit) {
+  const count2 = entry.timestamps.length;
+  if (count2 >= limit) {
     const oldestInWindow = entry.timestamps[0];
     const retryAfterMs = oldestInWindow + DAY_MS - now;
     return {
@@ -1360,6 +1406,7 @@ var CircuitBreaker = class {
 
 // src/lib/rate-limiter.ts
 init_log();
+init_config();
 var MINUTE_LIMIT = 50;
 var HOUR_LIMIT = 300;
 var CONTROL_PLANE_MINUTE_LIMIT = 60;
@@ -1368,6 +1415,7 @@ var MINUTE_MS2 = 6e4;
 var HOUR_MS2 = 36e5;
 var DAY_MS2 = 864e5;
 var KV_IP_LOCK_TAILS = /* @__PURE__ */ new Map();
+var KV_IP_LOCK_MAX = 5e3;
 var quotaCoordinatorBreaker = new CircuitBreaker({
   name: "QuotaCoordinator",
   failureThreshold: 3,
@@ -1428,12 +1476,15 @@ async function checkScopedRateLimitKV(ip, scope, minuteLimit, hourLimit, kv) {
   });
 }
 async function checkRateLimitKV(ip, kv) {
-  return checkScopedRateLimitKV(ip, "tools", MINUTE_LIMIT, HOUR_LIMIT, kv);
+  return checkScopedRateLimitKVWithAdvisory(ip, "tools", MINUTE_LIMIT, HOUR_LIMIT, kv);
 }
 async function checkControlPlaneRateLimitKV(ip, kv) {
   return checkScopedRateLimitKV(ip, "control", CONTROL_PLANE_MINUTE_LIMIT, CONTROL_PLANE_HOUR_LIMIT, kv);
 }
 async function withIpKvLock(ip, work) {
+  if (KV_IP_LOCK_TAILS.size >= KV_IP_LOCK_MAX && !KV_IP_LOCK_TAILS.has(ip)) {
+    return work();
+  }
   const prevTail = KV_IP_LOCK_TAILS.get(ip) ?? Promise.resolve();
   let release;
   const current = new Promise((resolve) => {
@@ -1451,6 +1502,33 @@ async function withIpKvLock(ip, work) {
     }
   }
 }
+async function withIpKvAdvisoryLock(ip, kv, work) {
+  const contended = KV_IP_LOCK_TAILS.has(ip);
+  if (!contended) return work();
+  const advisoryKey = `lk:ip:${ip}`;
+  try {
+    const held = await kv.get(advisoryKey);
+    if (held) await new Promise((r) => setTimeout(r, IP_LOCK_RETRY_MS));
+    await kv.put(advisoryKey, String(Date.now()), { expirationTtl: Math.max(1, Math.ceil(IP_LOCK_TTL_MS / 1e3)) });
+  } catch {
+  }
+  try {
+    return await work();
+  } finally {
+    try {
+      await kv.delete(advisoryKey);
+    } catch {
+    }
+  }
+}
+async function checkScopedRateLimitKVWithAdvisory(ip, scope, minuteLimit, hourLimit, kv) {
+  try {
+    return await withIpKvAdvisoryLock(ip, kv, () => checkScopedRateLimitKV(ip, scope, minuteLimit, hourLimit, kv));
+  } catch {
+    logError("[rate-limiter] KV error, falling back to in-memory");
+    return checkScopedRateLimitInMemory(ip, scope, minuteLimit, hourLimit);
+  }
+}
 async function checkToolDailyRateLimitKV(principalId, toolName, limit, kv) {
   return withIpKvLock(`tool:${principalId}:${toolName}`, async () => {
     const now = Date.now();
@@ -1682,15 +1760,15 @@ function checkSessionCreateRateLimitInMemory(ip) {
     remaining: SESSION_CREATE_LIMIT_PER_MINUTE - recent.length
   };
 }
-function evictOldestSessionCreateIps(count) {
-  if (count <= 0) return;
+function evictOldestSessionCreateIps(count2) {
+  if (count2 <= 0) return;
   const entries = [];
   for (const [key, timestamps] of SESSION_CREATE_BY_IP.entries()) {
     const latest = timestamps.length > 0 ? timestamps[timestamps.length - 1] : 0;
     entries.push([key, latest]);
   }
   entries.sort((a, b) => a[1] - b[1]);
-  for (let i = 0; i < count && i < entries.length; i++) {
+  for (let i = 0; i < count2 && i < entries.length; i++) {
     SESSION_CREATE_BY_IP.delete(entries[i][0]);
   }
 }
@@ -1828,7 +1906,7 @@ function generateSessionId() {
   crypto.getRandomValues(bytes);
   return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
 }
-async function createSession(kv) {
+async function createSession(kv, analytics) {
   const id = generateSessionId();
   const now = Date.now();
   const record = { createdAt: now, lastAccessedAt: now };
@@ -1838,6 +1916,7 @@ async function createSession(kv) {
       await createSessionKVRecord(id, kv, record);
     } catch {
       logError("[session] KV create failed, in-memory fallback active", { category: "session" });
+      analytics?.emitDegradationEvent({ degradationType: "kv_fallback", component: "session" });
     }
   }
   return id;
@@ -2372,6 +2451,11 @@ var GenerateRolloutPlanArgs = z.object({
   timeline: TimelineSchema.optional().describe("Rollout speed: aggressive, standard, conservative (default: standard)"),
   format: FormatSchema.optional().describe("Output verbosity. Auto-detected if omitted.")
 }).passthrough();
+var CheckFastFluxArgs = z.object({
+  domain: DomainSchema.describe("Domain to check (e.g., example.com)"),
+  rounds: z.number().int().min(3).max(5).optional().describe("Number of query rounds (3-5, default 3)."),
+  format: FormatSchema.optional().describe("Output verbosity. Auto-detected if omitted.")
+}).passthrough();
 var TOOL_SCHEMA_MAP = {
   check_mx: BaseDomainArgs,
   check_spf: BaseDomainArgs,
@@ -2416,7 +2500,14 @@ var TOOL_SCHEMA_MAP = {
   resolve_spf_chain: BaseDomainArgs,
   discover_subdomains: BaseDomainArgs,
   map_compliance: BaseDomainArgs,
-  simulate_attack_paths: BaseDomainArgs
+  simulate_attack_paths: BaseDomainArgs,
+  check_dbl: BaseDomainArgs,
+  check_rbl: BaseDomainArgs,
+  cymru_asn: BaseDomainArgs,
+  rdap_lookup: BaseDomainArgs,
+  check_nsec_walkability: BaseDomainArgs,
+  check_dnssec_chain: BaseDomainArgs,
+  check_fast_flux: CheckFastFluxArgs
 };
 
 // src/handlers/tool-args.ts
@@ -2519,15 +2610,7 @@ function extractExplainFindingArgs(args) {
 init_cache();
 
 // src/tools/check-spf.ts
-init_dns2();
-function makeQueryDNS(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkSpf(domain, dnsOptions) {
   return checkSPF(
     domain,
@@ -2537,25 +2620,17 @@ async function checkSpf(domain, dnsOptions) {
 }
 
 // src/tools/check-dmarc.ts
-init_dns2();
-function makeQueryDNS2(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkDmarc(domain, dnsOptions) {
   return checkDMARC(
     domain,
-    makeQueryDNS2(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
 
 // src/tools/check-dkim.ts
-init_dns2();
+init_dns_query_adapter();
 var HIGH_CONFIDENCE_DKIM_PROVIDERS = /* @__PURE__ */ new Set([
   "amazon ses",
   "sendgrid",
@@ -2565,18 +2640,10 @@ var HIGH_CONFIDENCE_DKIM_PROVIDERS = /* @__PURE__ */ new Set([
   "microsoft 365"
 ]);
 var MEDIUM_CONFIDENCE_DKIM_PROVIDERS = /* @__PURE__ */ new Set(["proofpoint", "mimecast"]);
-function makeQueryDNS3(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkDkim(domain, selector, dnsOptions) {
   return checkDKIM(
     domain,
-    makeQueryDNS3(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3, selector }
   );
 }
@@ -2629,6 +2696,10 @@ function applyProviderDkimContext(dkimResult, provider) {
 
 // src/tools/check-dnssec.ts
 init_dns2();
+init_dns_query_adapter();
+
+// src/lib/adaptive-weights.ts
+var MATURITY_THRESHOLD = 200;
 var SCORING_NOTE_DELTA_THRESHOLD = 3;
 var CRITICAL_MAIL_CATEGORIES = /* @__PURE__ */ new Set(["dmarc", "spf", "dkim", "ssl"]);
 var CRITICAL_MAIL_PROFILES = /* @__PURE__ */ new Set(["mail_enabled", "enterprise_mail"]);
@@ -2699,19 +2770,61 @@ function formatNote(category, delta, provider) {
 function capitalizeWords(s) {
   return s.replace(/\b\w/g, (c) => c.toUpperCase());
 }
-function makeQueryDNS4(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
+var GOOGLE_DOH_ENDPOINT2 = "https://dns.google/resolve";
+var AD_CONFIRM_TIMEOUT_MS = 3e3;
+async function confirmAdWithGoogle(domain, timeoutMs = AD_CONFIRM_TIMEOUT_MS) {
+  try {
+    const url = `${GOOGLE_DOH_ENDPOINT2}?name=${encodeURIComponent(domain)}&type=A&cd=0`;
+    const resp = await fetch(url, {
+      method: "GET",
+      redirect: "manual",
+      headers: { Accept: "application/dns-json" },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    if (!resp.ok) return false;
+    const data = await resp.json();
+    return data.AD === true;
+  } catch {
+    return false;
+  }
+}
+async function augmentWithSource(domain, baseResult, dnsOptions) {
+  const [dnskeyResult, dsResult] = await Promise.allSettled([
+    queryDnsRecords(domain, "DNSKEY", dnsOptions),
+    queryDnsRecords(domain, "DS", dnsOptions)
+  ]);
+  const hasDnskey = dnskeyResult.status === "fulfilled" && dnskeyResult.value.length > 0;
+  const hasDs = dsResult.status === "fulfilled" && dsResult.value.length > 0;
+  const dnssecSource = hasDnskey && hasDs ? "domain_configured" : "tld_inherited";
+  if (dnssecSource === "tld_inherited") {
+    const inheritedFinding = createFinding(
+      "dnssec",
+      "DNSSEC inherited from TLD",
+      "info",
+      `DNSSEC validation passes but ${domain} does not have its own DNSKEY or DS records. DNSSEC protection is inherited from the TLD registry, not configured by the domain owner.`,
+      { dnssecSource: "tld_inherited" }
+    );
+    return buildCheckResult("dnssec", [...baseResult.findings, inheritedFinding]);
+  }
+  if (baseResult.findings.length > 0) {
+    const [first, ...rest] = baseResult.findings;
+    const tagged = { ...first, metadata: { ...first.metadata ?? {}, dnssecSource: "domain_configured" } };
+    return buildCheckResult("dnssec", [tagged, ...rest]);
+  }
+  const configuredFinding = createFinding(
+    "dnssec",
+    "DNSSEC configured by domain owner",
+    "info",
+    `${domain} has DNSKEY and DS records \u2014 DNSSEC is explicitly configured by the domain owner.`,
+    { dnssecSource: "domain_configured" }
+  );
+  return buildCheckResult("dnssec", [configuredFinding]);
 }
 async function checkDnssec2(domain, dnsOptions) {
   try {
     const baseResult = await checkDNSSEC(
       domain,
-      makeQueryDNS4(dnsOptions),
+      makeQueryDNS(dnsOptions),
       {
         timeout: dnsOptions?.timeoutMs ?? 5e3,
         rawQueryDNS: async (d, type, dnssecFlag) => {
@@ -2720,51 +2833,49 @@ async function checkDnssec2(domain, dnsOptions) {
         }
       }
     );
-    const dnssecAbsent = baseResult.findings.some((f) => f.title === "DNSSEC not enabled") || baseResult.findings.some((f) => f.title === "DNSSEC check failed") || baseResult.findings.some((f) => f.title === "DNSSEC chain of trust incomplete") || baseResult.findings.some((f) => f.title === "DNSSEC validation failing");
+    const isDnsTransportError = baseResult.findings.some((f) => f.title === "DNSSEC check failed");
+    if (isDnsTransportError) {
+      return { ...baseResult, checkStatus: "error" };
+    }
+    const dnssecAbsent = baseResult.findings.some((f) => f.title === "DNSSEC not enabled") || baseResult.findings.some((f) => f.title === "DNSSEC check failed") || baseResult.findings.some((f) => f.title === "DNSSEC chain of trust incomplete");
     if (dnssecAbsent) {
       return baseResult;
     }
-    const [dnskeyResult, dsResult] = await Promise.allSettled([
-      queryDnsRecords(domain, "DNSKEY", dnsOptions),
-      queryDnsRecords(domain, "DS", dnsOptions)
-    ]);
-    const hasDnskey = dnskeyResult.status === "fulfilled" && dnskeyResult.value.length > 0;
-    const hasDs = dsResult.status === "fulfilled" && dsResult.value.length > 0;
-    const dnssecSource = hasDnskey && hasDs ? "domain_configured" : "tld_inherited";
-    if (dnssecSource === "tld_inherited") {
-      const inheritedFinding = createFinding(
-        "dnssec",
-        "DNSSEC inherited from TLD",
-        "info",
-        `DNSSEC validation passes but ${domain} does not have its own DNSKEY or DS records. DNSSEC protection is inherited from the TLD registry, not configured by the domain owner.`,
-        { dnssecSource: "tld_inherited" }
-      );
-      return buildCheckResult("dnssec", [...baseResult.findings, inheritedFinding]);
-    }
-    if (baseResult.findings.length > 0) {
-      const [first, ...rest] = baseResult.findings;
-      const tagged = { ...first, metadata: { ...first.metadata ?? {}, dnssecSource: "domain_configured" } };
-      return buildCheckResult("dnssec", [tagged, ...rest]);
+    const validationFailing = baseResult.findings.some((f) => f.title === "DNSSEC validation failing");
+    if (validationFailing) {
+      const googleConfirmsAd = await confirmAdWithGoogle(domain, dnsOptions?.timeoutMs ?? AD_CONFIRM_TIMEOUT_MS);
+      if (googleConfirmsAd) {
+        const correctedResult = await checkDNSSEC(
+          domain,
+          makeQueryDNS(dnsOptions),
+          {
+            timeout: dnsOptions?.timeoutMs ?? 5e3,
+            rawQueryDNS: async (d, type, dnssecFlag) => {
+              const resp = await queryDns(d, type, dnssecFlag ?? false, dnsOptions);
+              return { AD: true, Answer: resp.Answer };
+            }
+          }
+        );
+        return augmentWithSource(domain, correctedResult, dnsOptions);
+      }
+      return baseResult;
     }
-    const configuredFinding = createFinding(
-      "dnssec",
-      "DNSSEC configured by domain owner",
-      "info",
-      `${domain} has DNSKEY and DS records \u2014 DNSSEC is explicitly configured by the domain owner.`,
-      { dnssecSource: "domain_configured" }
-    );
-    return buildCheckResult("dnssec", [configuredFinding]);
+    return augmentWithSource(domain, baseResult, dnsOptions);
   } catch (err) {
     if (err instanceof DnsQueryError) {
-      return buildCheckResult("dnssec", [
-        createFinding(
-          "dnssec",
-          "DNSSEC check could not complete",
-          "info",
-          `Unable to verify DNSSEC for ${domain} \u2014 DNS query failed: ${err.message}`,
-          { checkStatus: "error" }
-        )
-      ]);
+      const message = err.message;
+      return {
+        ...buildCheckResult("dnssec", [
+          createFinding(
+            "dnssec",
+            "DNSSEC check could not complete",
+            "info",
+            `DNS query failed (${message}). DNSSEC posture unknown.`,
+            { dnsError: message, checkStatus: "error" }
+          )
+        ]),
+        checkStatus: "error"
+      };
     }
     throw err;
   }
@@ -2777,38 +2888,23 @@ async function checkSsl(domain) {
 }
 
 // src/tools/check-mta-sts.ts
-init_dns2();
+init_dns_query_adapter();
 init_config();
-function makeQueryDNS5(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkMtaSts(domain, dnsOptions) {
   return checkMTASTS(
     domain,
-    makeQueryDNS5(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? HTTPS_TIMEOUT_MS, fetchFn: fetch }
   );
 }
 
 // src/tools/check-ns.ts
 init_dns2();
-function makeQueryDNS6(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkNs(domain, dnsOptions) {
   return checkNS(
     domain,
-    makeQueryDNS6(dnsOptions),
+    makeQueryDNS(dnsOptions),
     {
       timeout: dnsOptions?.timeoutMs ?? 5e3,
       rawQueryDNS: async (d, type, dnssecFlag) => {
@@ -2820,55 +2916,31 @@ async function checkNs(domain, dnsOptions) {
 }
 
 // src/tools/check-caa.ts
-init_dns2();
-function makeQueryDNS7(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkCaa(domain, dnsOptions) {
   return checkCAA(
     domain,
-    makeQueryDNS7(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
 
 // src/tools/check-bimi.ts
-init_dns2();
-function makeQueryDNS8(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkBimi(domain, dnsOptions) {
   return checkBIMI(
     domain,
-    makeQueryDNS8(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3, fetchFn: fetch }
   );
 }
 
 // src/tools/check-tlsrpt.ts
-init_dns2();
-function makeQueryDNS9(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkTlsrpt(domain, dnsOptions) {
   return checkTLSRPT(
     domain,
-    makeQueryDNS9(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
@@ -3945,9 +4017,9 @@ async function checkTxtHygiene(domain, dnsOptions) {
     }
   }
   const duplicates = [];
-  for (const [, { service, count }] of prefixCounts) {
-    if (count >= 2) {
-      duplicates.push({ service, count });
+  for (const [, { service, count: count2 }] of prefixCounts) {
+    if (count2 >= 2) {
+      duplicates.push({ service, count: count2 });
     }
   }
   if (duplicates.length > 0) {
@@ -4042,6 +4114,38 @@ async function checkTxtHygiene(domain, dnsOptions) {
   return buildCheckResult("txt_hygiene", findings);
 }
 init_config();
+var SCANNER_USER_AGENT = "Mozilla/5.0 (compatible; BlackVeilDNSScanner/1.0; +https://blackveilsecurity.com)";
+var WAF_CHALLENGE_FINGERPRINTS = [
+  {
+    name: "cloudflare",
+    // cf-ray header is conclusive on its own; body title is a belt-and-suspenders signal
+    matchHeaders: (h) => !!(h.get("cf-ray") && (h.get("server") ?? "").toLowerCase().includes("cloudflare")),
+    matchBody: (body) => /just a moment/i.test(body)
+  },
+  {
+    name: "akamai",
+    matchHeaders: (h) => (h.get("server") ?? "").toLowerCase().includes("akamaighost")
+  }
+];
+function detectWafChallenge(headers, body) {
+  for (const fp of WAF_CHALLENGE_FINGERPRINTS) {
+    if (!fp.matchHeaders(headers)) continue;
+    if (fp.matchBody && body !== void 0 && !fp.matchBody(body)) continue;
+    return fp.name;
+  }
+  return null;
+}
+var MERGE_HEADERS = [
+  "content-security-policy",
+  "x-frame-options",
+  "x-content-type-options",
+  "permissions-policy",
+  "referrer-policy",
+  "cross-origin-resource-policy",
+  "cross-origin-opener-policy",
+  "cross-origin-embedder-policy"
+];
+var MAX_REDIRECT_HOPS = 3;
 function detectCdnProvider(headers) {
   if (headers.get("cf-ray") || headers.get("server")?.toLowerCase().includes("cloudflare")) {
     return "Cloudflare";
@@ -4061,9 +4165,107 @@ function detectCdnProvider(headers) {
   }
   return null;
 }
+async function fetchWithRedirects(url, timeoutMs) {
+  let response = await fetch(url, {
+    method: "HEAD",
+    redirect: "manual",
+    headers: { "User-Agent": SCANNER_USER_AGENT },
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  for (let hop = 0; hop < MAX_REDIRECT_HOPS; hop++) {
+    const status = response.status;
+    const isRedirect = status >= 300 && status < 400 || response.type === "opaqueredirect" || status === 0 && response.headers.get("location");
+    if (!isRedirect) break;
+    const location = response.headers.get("location");
+    if (!location) break;
+    let nextUrl;
+    try {
+      nextUrl = new URL(location, response.url || void 0).href;
+    } catch {
+      break;
+    }
+    if (!nextUrl.startsWith("https://")) break;
+    try {
+      response = await fetch(nextUrl, {
+        method: "HEAD",
+        redirect: "manual",
+        headers: { "User-Agent": SCANNER_USER_AGENT },
+        signal: AbortSignal.timeout(timeoutMs)
+      });
+    } catch {
+      break;
+    }
+  }
+  return response;
+}
+function mergeSecurityHeaders(a, b) {
+  const merged = new Headers();
+  a.forEach((value, key) => merged.set(key, value));
+  for (const header of MERGE_HEADERS) {
+    if (!merged.has(header) && b.has(header)) {
+      merged.set(header, b.get(header));
+    }
+  }
+  b.forEach((value, key) => {
+    if (!merged.has(key)) merged.set(key, value);
+  });
+  return merged;
+}
+async function dualFetchHeaders(domain, timeoutMs) {
+  const url = `https://${domain}`;
+  const results = await Promise.allSettled([fetchWithRedirects(url, timeoutMs), fetchWithRedirects(url, timeoutMs)]);
+  const responses = results.filter((r) => r.status === "fulfilled").map((r) => r.value);
+  if (responses.length === 0) return null;
+  const usable = responses.filter((r) => r.ok || r.status >= 300 && r.status < 400);
+  if (usable.length === 0) return null;
+  if (usable.length === 1) {
+    return { headers: usable[0].headers, ok: usable[0].ok, status: usable[0].status };
+  }
+  const merged = mergeSecurityHeaders(usable[0].headers, usable[1].headers);
+  const primary = usable[0].ok ? usable[0] : usable[1].ok ? usable[1] : usable[0];
+  return { headers: merged, ok: primary.ok, status: primary.status };
+}
+async function fetchBodyForWafDetection(url, timeoutMs) {
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      redirect: "manual",
+      headers: { "User-Agent": SCANNER_USER_AGENT },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    return await response.text();
+  } catch {
+    return "";
+  }
+}
 async function checkHttpSecurity(domain) {
+  const dualResult = await dualFetchHeaders(domain, HTTPS_TIMEOUT_MS);
+  if (dualResult) {
+    const headersForWaf = dualResult.headers;
+    const needsBody = WAF_CHALLENGE_FINGERPRINTS.some((fp) => fp.matchHeaders(headersForWaf) && fp.matchBody);
+    const body = needsBody ? await fetchBodyForWafDetection(`https://${domain}`, HTTPS_TIMEOUT_MS) : void 0;
+    const wafName = detectWafChallenge(headersForWaf, body);
+    if (wafName) {
+      const finding = createFinding(
+        "http_security",
+        `${wafName.charAt(0).toUpperCase() + wafName.slice(1)} WAF challenge intercepted`,
+        "info",
+        `The fetched response appears to be a WAF/CDN challenge page, not the real site. Header analysis is inconclusive.`,
+        { wafChallenge: wafName, inconclusive: true }
+      );
+      const base2 = buildCheckResult("http_security", [finding]);
+      return { ...base2, score: 0, passed: false, checkStatus: "error" };
+    }
+  }
   let capturedHeaders = null;
   const capturingFetch = async (input, init) => {
+    if (dualResult) {
+      capturedHeaders = dualResult.headers;
+      return new Response(null, {
+        status: dualResult.status,
+        headers: dualResult.headers
+      });
+    }
     const response = await fetch(input, init);
     capturedHeaders = response.headers;
     return response;
@@ -4086,18 +4288,11 @@ async function checkHttpSecurity(domain) {
 
 // src/tools/check-dane.ts
 init_dns2();
-function makeQueryDNS10(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkDane(domain, dnsOptions) {
   return checkDANE(
     domain,
-    makeQueryDNS10(dnsOptions),
+    makeQueryDNS(dnsOptions),
     {
       timeout: dnsOptions?.timeoutMs ?? 5e3,
       rawQueryDNS: async (d, type, dnssecFlag) => {
@@ -4110,18 +4305,11 @@ async function checkDane(domain, dnsOptions) {
 
 // src/tools/check-dane-https.ts
 init_dns2();
-function makeQueryDNS11(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkDaneHttps(domain, dnsOptions) {
   return checkDANEHTTPS(
     domain,
-    makeQueryDNS11(dnsOptions),
+    makeQueryDNS(dnsOptions),
     {
       timeout: dnsOptions?.timeoutMs ?? 5e3,
       rawQueryDNS: async (d, type, dnssecFlag) => {
@@ -4133,19 +4321,11 @@ async function checkDaneHttps(domain, dnsOptions) {
 }
 
 // src/tools/check-svcb-https.ts
-init_dns2();
-function makeQueryDNS12(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkSvcbHttps(domain, dnsOptions) {
   return checkSVCBHTTPS(
     domain,
-    makeQueryDNS12(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
@@ -4771,19 +4951,11 @@ async function checkZoneHygiene(domain, dnsOptions) {
 }
 
 // src/tools/check-subdomailing.ts
-init_dns2();
-function makeQueryDNS13(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
+init_dns_query_adapter();
 async function checkSubdomailing(domain, dnsOptions) {
   return checkSubdomailing$1(
     domain,
-    makeQueryDNS13(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
@@ -4881,20 +5053,12 @@ function applyInteractionPenalties(score, config) {
 init_cache();
 
 // src/tools/check-subdomain-takeover.ts
-init_dns2();
+init_dns_query_adapter();
 init_config();
-function makeQueryDNS14(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkSubdomainTakeover(domain, dnsOptions) {
   return checkSubdomainTakeover$1(
     domain,
-    makeQueryDNS14(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? HTTPS_TIMEOUT_MS, fetchFn: fetch }
   );
 }
@@ -4964,6 +5128,11 @@ function upsertCheckResult(results, updated) {
   return results.map((result) => result.category === updated.category ? updated : result);
 }
 async function addOutboundProviderInference(results, runtimeOptions) {
+  const mxResult = results.find((result) => result.category === "mx");
+  const providerDetectionFailed = Boolean(
+    mxResult?.metadata?.providerDetectionFailed
+  );
+  if (providerDetectionFailed) return results;
   const spfResult = results.find((result) => result.category === "spf");
   const dkimResult = results.find((result) => result.category === "dkim");
   const signalDomains = extractSpfSignalDomains(spfResult);
@@ -5103,6 +5272,34 @@ function adjustForNoSendDomain(results) {
 // src/tools/scan-domain.ts
 init_log();
 
+// src/lib/profile-accumulator.ts
+init_log();
+var ADAPTIVE_WEIGHT_KV_TTL_SECONDS = 60;
+function awKey(profile, provider) {
+  return `aw:${profile}:${provider}`;
+}
+async function publishAdaptiveWeightSummary(profile, provider, weights, kv) {
+  try {
+    await kv.put(awKey(profile, provider), JSON.stringify(weights), {
+      expirationTtl: ADAPTIVE_WEIGHT_KV_TTL_SECONDS
+    });
+  } catch {
+    logError("[profile-accumulator] KV publish failed", {
+      severity: "warn",
+      category: "profile-accumulator"
+    });
+  }
+}
+async function getAdaptiveWeights(profile, provider, kv) {
+  try {
+    const raw = await kv.get(awKey(profile, provider));
+    if (!raw) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
 // src/tools/scan/maturity-staging.ts
 function capMaturityStage(maturity, score) {
   if (score < 50 && maturity.stage > 2) {
@@ -5635,6 +5832,59 @@ var EXPLANATIONS = {
     explanation: "An HTTPS/SVCB record is configured, advertising modern connection capabilities for this domain.",
     recommendation: "No action required. Consider adding ECH for enhanced privacy.",
     references: ["https://datatracker.ietf.org/doc/html/rfc9460"]
+  },
+  // --- Intelligence tools ---
+  DBL_LISTED: {
+    title: "Domain Listed on Blocklist",
+    severity: "high",
+    explanation: "The domain appears on one or more DNS-based Domain Block Lists (DBLs), indicating it has been flagged for spam, phishing, or malware distribution.",
+    impact: "Listed domains may have email deliverability issues and are often blocked by recipient mail servers.",
+    adverseConsequences: "Legitimate email from this domain may be silently dropped or quarantined.",
+    recommendation: "Investigate the listing reason. For Spamhaus DBL, check https://check.spamhaus.org/. Request delisting after resolving the underlying issue.",
+    references: ["https://www.spamhaus.org/dbl/", "https://uribl.com/", "https://www.surbl.org/"]
+  },
+  RBL_LISTED: {
+    title: "IP Listed on Real-time Blocklist",
+    severity: "high",
+    explanation: "One or more mail server IPs are listed on DNS-based Real-time Blocklists, indicating the IP has been flagged for sending spam or malicious traffic.",
+    impact: "Email from listed IPs is likely to be rejected or quarantined by recipient servers.",
+    adverseConsequences: "Significant email deliverability degradation. May require IP change or delisting process.",
+    recommendation: "Check Spamhaus at https://check.spamhaus.org/. For shared hosting, contact your provider. For dedicated IPs, resolve the abuse issue and request delisting.",
+    references: ["https://www.spamhaus.org/zen/", "https://www.spamcop.net/"]
+  },
+  ASN_HIGH_RISK: {
+    title: "High-Risk ASN Detected",
+    severity: "medium",
+    explanation: "The domain resolves to IP addresses in an Autonomous System commonly associated with abuse infrastructure (bulletproof hosting, botnets).",
+    recommendation: "Verify the hosting choice is intentional. High-risk ASNs are not inherently malicious but are statistically over-represented in abuse reports.",
+    references: ["https://www.team-cymru.com/ip-asn-mapping"]
+  },
+  FAST_FLUX_DETECTED: {
+    title: "Fast-Flux Behavior Detected",
+    severity: "high",
+    explanation: "The domain shows rapidly rotating IP addresses with very low TTLs, a technique commonly used by botnets and phishing operations to evade takedown.",
+    impact: "Fast-flux domains are a strong indicator of malicious infrastructure.",
+    adverseConsequences: "Associating with fast-flux infrastructure damages domain reputation and may trigger automated blocking.",
+    recommendation: "Investigate immediately. If this is a CDN or legitimate load balancer, TTLs are typically higher and rotation patterns are predictable.",
+    references: ["https://en.wikipedia.org/wiki/Fast_flux"]
+  },
+  DNSSEC_CHAIN_BROKEN: {
+    title: "DNSSEC Chain of Trust Broken",
+    severity: "high",
+    explanation: "The DNSSEC chain of trust has a gap \u2014 a DS record exists at the parent zone but the corresponding DNSKEY is missing or mismatched at the child zone.",
+    impact: "DNSSEC-validating resolvers will return SERVFAIL for this domain, causing complete resolution failure for security-conscious clients.",
+    adverseConsequences: "Domain may be unreachable for users behind DNSSEC-validating resolvers.",
+    recommendation: "Ensure the DS record at the parent matches a DNSKEY at the child zone. Use `delv +vtrace` for detailed chain debugging.",
+    references: ["https://datatracker.ietf.org/doc/html/rfc4033"]
+  },
+  NSEC_WALKABLE: {
+    title: "Zone Walkable (No NSEC3)",
+    severity: "high",
+    explanation: "The zone does not appear to use NSEC3, meaning it likely uses plain NSEC records which allow full zone enumeration (zone walking).",
+    impact: "Attackers can discover all hostnames in the zone without brute-forcing, exposing internal infrastructure.",
+    adverseConsequences: "Complete zone enumeration reveals the attack surface \u2014 internal hosts, staging environments, and service names.",
+    recommendation: "Deploy NSEC3 with at least algorithm 1 (SHA-1) and consider using salt. RFC 9276 recommends 0 iterations with no salt as the minimum.",
+    references: ["https://datatracker.ietf.org/doc/html/rfc5155", "https://datatracker.ietf.org/doc/html/rfc9276"]
   }
 };
 var DEFAULT_EXPLANATION = {
@@ -5711,6 +5961,26 @@ var CATEGORY_FALLBACK_IMPACT = {
   SVCB_HTTPS: {
     impact: "Modern transport capabilities (ALPN, ECH) cannot be advertised via DNS, reducing connection efficiency and privacy.",
     adverseConsequences: "Clients require additional round-trips to negotiate protocols, and ECH-based privacy is unavailable."
+  },
+  RBL: {
+    impact: "Mail server IPs are listed on one or more DNS blocklists, likely degrading email deliverability.",
+    adverseConsequences: "Outbound email may be silently dropped or quarantined by recipient servers."
+  },
+  DBL: {
+    impact: "Domain is flagged on DNS-based domain blocklists, indicating prior spam or abuse association.",
+    adverseConsequences: "Domain reputation is damaged. Email and web traffic may be blocked by security tools."
+  },
+  FAST_FLUX: {
+    impact: "DNS resolution shows fast-flux patterns \u2014 rapidly rotating IPs with low TTLs.",
+    adverseConsequences: "Strong indicator of botnet or phishing infrastructure. Domain reputation will be severely impacted."
+  },
+  DNSSEC_CHAIN: {
+    impact: "DNSSEC chain structure has gaps or uses weak algorithms, reducing trust in DNS responses.",
+    adverseConsequences: "DNSSEC-validating resolvers may fail to resolve the domain or accept spoofed responses."
+  },
+  NSEC_WALKABILITY: {
+    impact: "Zone denial-of-existence parameters allow enumeration of zone contents.",
+    adverseConsequences: "Attackers can map the full attack surface by walking the zone without brute-forcing."
   }
 };
 var SEVERITY_FALLBACK_IMPACT = {
@@ -6079,11 +6349,86 @@ function formatScanReport(result, format = "full") {
 var CACHE_PREFIX = "cache:";
 var PER_CHECK_TIMEOUT_MS = 8e3;
 var SCAN_TIMEOUT_MS = 12e3;
+var RETRY_BUDGET_MS = 3e3;
+var MAX_RETRIES_PER_SCAN = 3;
+var RETRY_TIMEOUT_MS = 2500;
 var adaptiveWeightCache = /* @__PURE__ */ new Map();
 var ADAPTIVE_CACHE_TTL_MS = 6e4;
 var ADAPTIVE_CACHE_MAX_ENTRIES = 100;
 var ADAPTIVE_FETCH_TIMEOUT_MS = 200;
+function shouldRetry(result) {
+  return result.checkStatus === "error" && result.score === 0;
+}
+async function runCheckRetry(category, domain, scanDns, runtimeOptions) {
+  const retryDns = { ...scanDns, queryCache: /* @__PURE__ */ new Map() };
+  const timeoutPromise = new Promise(
+    (_, reject) => setTimeout(() => reject(new Error("Retry timed out")), RETRY_TIMEOUT_MS)
+  );
+  let checkPromise;
+  switch (category) {
+    case "spf":
+      checkPromise = checkSpf(domain, retryDns);
+      break;
+    case "dmarc":
+      checkPromise = checkDmarc(domain, retryDns);
+      break;
+    case "dkim":
+      checkPromise = checkDkim(domain, void 0, retryDns);
+      break;
+    case "dnssec":
+      checkPromise = checkDnssec2(domain, retryDns);
+      break;
+    case "ssl":
+      checkPromise = checkSsl(domain);
+      break;
+    case "mta_sts":
+      checkPromise = checkMtaSts(domain, retryDns);
+      break;
+    case "ns":
+      checkPromise = checkNs(domain, retryDns);
+      break;
+    case "caa":
+      checkPromise = checkCaa(domain, retryDns);
+      break;
+    case "bimi":
+      checkPromise = checkBimi(domain, retryDns);
+      break;
+    case "tlsrpt":
+      checkPromise = checkTlsrpt(domain, retryDns);
+      break;
+    case "subdomain_takeover":
+      checkPromise = checkSubdomainTakeover(domain, retryDns);
+      break;
+    case "http_security":
+      checkPromise = checkHttpSecurity(domain);
+      break;
+    case "dane":
+      checkPromise = checkDane(domain, retryDns);
+      break;
+    case "dane_https":
+      checkPromise = checkDaneHttps(domain, retryDns);
+      break;
+    case "svcb_https":
+      checkPromise = checkSvcbHttps(domain, retryDns);
+      break;
+    case "subdomailing":
+      checkPromise = checkSubdomailing(domain, retryDns);
+      break;
+    case "mx":
+      checkPromise = checkMx(domain, {
+        providerSignaturesUrl: runtimeOptions?.providerSignaturesUrl,
+        providerSignaturesAllowedHosts: runtimeOptions?.providerSignaturesAllowedHosts,
+        providerSignaturesSha256: runtimeOptions?.providerSignaturesSha256
+      }, retryDns);
+      break;
+    default:
+      return { ...buildCheckResult(category, []), score: 0, passed: false, checkStatus: "error" };
+  }
+  return Promise.race([checkPromise, timeoutPromise]);
+}
 async function scanDomain(domain, kv, runtimeOptions) {
+  crypto.randomUUID();
+  const scanStartTime = Date.now();
   const explicitProfile = runtimeOptions?.profile;
   const isExplicit = explicitProfile && explicitProfile !== "auto";
   const cacheKey = isExplicit ? `${CACHE_PREFIX}${domain}:profile:${explicitProfile}` : `${CACHE_PREFIX}${domain}`;
@@ -6173,6 +6518,21 @@ async function scanDomain(domain, kv, runtimeOptions) {
       degradedStatuses.set(r.category, r.checkStatus);
     }
   }
+  if (!timedOut && Date.now() - scanStartTime < SCAN_TIMEOUT_MS - RETRY_BUDGET_MS) {
+    const retryable = checkResults.map((r, idx) => ({ r, idx })).filter(({ r }) => shouldRetry(r)).slice(0, MAX_RETRIES_PER_SCAN);
+    if (retryable.length > 0) {
+      const retrySettled = await Promise.allSettled(
+        retryable.map(({ r }) => runCheckRetry(r.category, domain, scanDns, runtimeOptions))
+      );
+      for (let i = 0; i < retryable.length; i++) {
+        const s = retrySettled[i];
+        if (s.status === "fulfilled" && s.value.checkStatus !== "error" && s.value.score > 0) {
+          checkResults[retryable[i].idx] = s.value;
+          degradedStatuses.delete(retryable[i].r.category);
+        }
+      }
+    }
+  }
   if (timedOut) {
     const completedCategories = new Set(checkResults.map((r) => r.category));
     for (const category of ALL_CHECK_CATEGORIES) {
@@ -6186,7 +6546,7 @@ async function scanDomain(domain, kv, runtimeOptions) {
           )
         ];
         const result2 = buildCheckResult(category, findings);
-        checkResults.push({ ...result2, score: 0, checkStatus: "timeout" });
+        checkResults.push({ ...result2, score: 0, passed: false, checkStatus: "timeout" });
         degradedStatuses.set(category, "timeout");
       }
     }
@@ -6197,7 +6557,7 @@ async function scanDomain(domain, kv, runtimeOptions) {
     if (degradedStatuses.size > 0) {
       checkResults = checkResults.map((r) => {
         const status = degradedStatuses.get(r.category);
-        return status ? { ...r, score: 0, checkStatus: status } : r;
+        return status ? { ...r, score: 0, passed: false, checkStatus: status } : r;
       });
     }
     let domainContext = detectDomainContext(checkResults);
@@ -6217,12 +6577,31 @@ async function scanDomain(domain, kv, runtimeOptions) {
     }
     const scoringContext = isExplicit ? domainContext : void 0;
     let adaptiveResponse = null;
-    if (runtimeOptions?.profileAccumulator) {
+    const adaptiveProvider = domainContext.detectedProvider ?? "";
+    if (kv && adaptiveProvider) {
+      const kvWeights = await getAdaptiveWeights(domainContext.profile, adaptiveProvider, kv);
+      if (kvWeights) {
+        adaptiveResponse = {
+          profile: domainContext.profile,
+          provider: adaptiveProvider,
+          sampleCount: MATURITY_THRESHOLD,
+          blendFactor: 1,
+          weights: kvWeights,
+          boundHits: []
+        };
+      }
+    }
+    if (!adaptiveResponse && runtimeOptions?.profileAccumulator) {
       adaptiveResponse = await fetchAdaptiveWeights(
         runtimeOptions.profileAccumulator,
         domainContext.profile,
         domainContext.detectedProvider
       );
+      if (adaptiveResponse && adaptiveProvider && kv && runtimeOptions.waitUntil) {
+        runtimeOptions.waitUntil(
+          publishAdaptiveWeightSummary(domainContext.profile, adaptiveProvider, adaptiveResponse.weights, kv)
+        );
+      }
     }
     if (adaptiveResponse?.boundHits.length) {
       domainContext.signals.push(`adaptive bound hits: ${adaptiveResponse.boundHits.join(", ")}`);
@@ -9680,164 +10059,1254 @@ All evaluated attack vectors are blocked by the current security configuration.`
   return lines.join("\n").trimEnd();
 }
 
-// src/handlers/tool-execution.ts
-init_log();
-function logToolSuccess(options) {
-  options.analytics?.emitToolEvent({
-    toolName: options.toolName,
-    status: options.status,
-    durationMs: options.durationMs,
-    domain: options.domain,
-    isError: false,
-    score: options.score,
-    cacheStatus: options.cacheStatus,
-    country: options.country,
-    clientType: options.clientType,
-    authTier: options.authTier,
-    keyHash: options.keyHash
-  });
-  logEvent({
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    tool: options.toolName,
-    domain: options.domain,
-    result: options.logResult,
-    details: options.logDetails,
-    durationMs: options.durationMs,
-    severity: options.severity ?? (options.status === "pass" ? "info" : "warn")
-  });
-}
-function logToolFailure(options) {
-  options.analytics?.emitToolEvent({
-    toolName: options.toolName,
-    status: "error",
-    durationMs: options.durationMs,
-    domain: options.domain,
-    isError: true,
-    score: options.score,
-    cacheStatus: options.cacheStatus,
-    country: options.country,
-    clientType: options.clientType,
-    authTier: options.authTier,
-    keyHash: options.keyHash
-  });
-  logError(options.error instanceof Error ? options.error : String(options.error), {
-    tool: options.toolName,
-    domain: options.domain,
-    details: options.args,
-    severity: options.severity ?? "error"
-  });
-}
-
-// src/handlers/tool-formatters.ts
-function mcpError(message) {
-  return { type: "text", text: `Error: ${message}` };
-}
-function mcpText(text) {
-  return { type: "text", text };
-}
-function buildToolContent(text, structuredData, format) {
-  const content = [mcpText(text)];
-  if (format === "full") {
-    content.push(mcpText(`<!-- STRUCTURED_RESULT
-${JSON.stringify(structuredData)}
-STRUCTURED_RESULT -->`));
+// src/tools/check-dbl.ts
+init_dns2();
+var CATEGORY = "dbl";
+var SPAMHAUS_CODES = {
+  "127.0.1.2": "Spam domain",
+  "127.0.1.4": "Phishing domain",
+  "127.0.1.5": "Malware domain",
+  "127.0.1.6": "Botnet C&C domain",
+  "127.0.1.102": "Abused legit spam domain",
+  "127.0.1.103": "Abused legit spammed redirector",
+  "127.0.1.104": "Abused legit phishing domain",
+  "127.0.1.105": "Abused legit malware domain",
+  "127.0.1.106": "Abused legit botnet C&C domain"
+};
+function decodeSpamhaus(ip) {
+  if (/^127\.255\.255\./.test(ip)) return null;
+  const label = SPAMHAUS_CODES[ip];
+  if (label) {
+    return { label, detail: `Spamhaus DBL return code ${ip}: ${label}` };
   }
-  return content;
+  if (/^127\.0\.1\./.test(ip)) {
+    return { label: "Listed (unknown code)", detail: `Spamhaus DBL return code ${ip}: unknown listing type` };
+  }
+  return null;
 }
-function formatCheckResult(result, format = "full") {
-  const lines = [];
-  lines.push(`## ${result.category.toUpperCase()} Check`);
-  lines.push(`**Status:** ${result.passed ? "\u2705 Passed" : "\u274C Failed"}`);
-  lines.push(`**Score:** ${result.score}/100`);
-  lines.push("");
-  if (result.findings.length > 0) {
-    lines.push("### Findings");
-    for (const finding of result.findings) {
-      if (format === "compact") {
-        const isHighPriority = finding.severity === "critical" || finding.severity === "high";
-        const detailLimit = isHighPriority ? 4e3 : 300;
-        lines.push(`- [${finding.severity.toUpperCase()}] ${sanitizeOutputText(finding.title, 120)} \u2014 ${sanitizeOutputText(finding.detail, detailLimit)}`);
+var URIBL_FLAGS = [
+  { mask: 2, label: "Black" },
+  { mask: 4, label: "Grey" },
+  { mask: 8, label: "Red" }
+];
+function decodeUribl(ip) {
+  const octet = parseInt(ip.split(".")[3], 10);
+  if (!Number.isFinite(octet) || octet === 0) return null;
+  if ((octet & 1) !== 0 && (octet & -2) === 0) return null;
+  const matched = URIBL_FLAGS.filter((f) => (octet & f.mask) !== 0).map((f) => f.label);
+  if (matched.length === 0) return null;
+  const labels = matched.join(", ");
+  return { label: labels, detail: `URIBL flags: ${labels} (return code ${ip})` };
+}
+var SURBL_FLAGS = [
+  { mask: 2, label: "SC (SpamCop)" },
+  { mask: 4, label: "WS (sa-blacklist)" },
+  { mask: 8, label: "PH (Phishing)" },
+  { mask: 16, label: "MW (Malware)" },
+  { mask: 32, label: "AB (AbuseButler)" },
+  { mask: 64, label: "JP" },
+  { mask: 128, label: "CR (Cracked)" }
+];
+function decodeSurbl(ip) {
+  const octet = parseInt(ip.split(".")[3], 10);
+  if (!Number.isFinite(octet) || octet === 0) return null;
+  const matched = SURBL_FLAGS.filter((f) => (octet & f.mask) !== 0).map((f) => f.label);
+  if (matched.length === 0) return null;
+  const labels = matched.join(", ");
+  return { label: labels, detail: `SURBL flags: ${labels} (return code ${ip})` };
+}
+var DBL_ZONES = [
+  { name: "Spamhaus DBL", zone: "dbl.spamhaus.org", decode: decodeSpamhaus, severity: "high" },
+  { name: "URIBL", zone: "multi.uribl.com", decode: decodeUribl, severity: "medium" },
+  { name: "SURBL", zone: "multi.surbl.org", decode: decodeSurbl, severity: "medium" }
+];
+async function checkDbl(domain, dnsOptions) {
+  const findings = [];
+  const results = await Promise.allSettled(
+    DBL_ZONES.map(async (zone) => {
+      const queryName = `${domain}.${zone.zone}`;
+      const answers = await queryDnsRecords(queryName, "A", dnsOptions);
+      return { zone, answers };
+    })
+  );
+  let listedCount = 0;
+  let checkedCount = 0;
+  for (const result of results) {
+    if (result.status === "rejected") {
+      const zoneIndex = results.indexOf(result);
+      const zone2 = DBL_ZONES[zoneIndex];
+      findings.push(
+        createFinding(
+          CATEGORY,
+          `${zone2.name} lookup error`,
+          "low",
+          `DNS query error for ${domain} on ${zone2.name} (${zone2.zone}). Partial results may be available from other blocklists.`,
+          { zone: zone2.zone, error: true }
+        )
+      );
+      continue;
+    }
+    checkedCount++;
+    const { zone, answers } = result.value;
+    if (answers.length === 0) {
+      continue;
+    }
+    const ip = answers[0];
+    if (zone.zone === "dbl.spamhaus.org" && /^127\.255\.255\./.test(ip)) {
+      findings.push(
+        createFinding(
+          CATEGORY,
+          `${zone.name} query rate-limited`,
+          "low",
+          `Spamhaus DBL returned ${ip}, indicating a query quota or rate limit. This is not a listing. Results from this zone are unavailable.`,
+          { zone: zone.zone, returnCode: ip, quotaError: true }
+        )
+      );
+      continue;
+    }
+    if (zone.zone === "multi.uribl.com") {
+      const uriblOctet = parseInt(ip.split(".")[3], 10);
+      if (uriblOctet === 1) {
+        findings.push(
+          createFinding(
+            CATEGORY,
+            `${zone.name} query rate-limited`,
+            "info",
+            `URIBL returned ${ip}, indicating the querier is rate-limited or blocked. This is not a listing. Results from this zone are unavailable.`,
+            { zone: zone.zone, returnCode: ip, quotaError: true }
+          )
+        );
         continue;
       }
-      const icon = finding.severity === "info" ? "\u2139\uFE0F" : finding.severity === "low" ? "\u26A0\uFE0F" : finding.severity === "medium" ? "\u{1F536}" : finding.severity === "high" ? "\u{1F534}" : "\u{1F6A8}";
-      lines.push(`- ${icon} **[${finding.severity.toUpperCase()}]** ${sanitizeOutputText(finding.title, 120)}`);
-      lines.push(`  ${sanitizeOutputText(finding.detail)}`);
-      const verificationStatus = finding.category === "subdomain_takeover" && finding.metadata?.verificationStatus ? String(finding.metadata.verificationStatus) : void 0;
-      if (verificationStatus) {
-        lines.push(`  Takeover Verification: ${sanitizeOutputText(verificationStatus, 80)}`);
-      }
-      const confidence = finding.metadata?.confidence ? String(finding.metadata.confidence) : void 0;
-      if (confidence) {
-        lines.push(`  Confidence: ${sanitizeOutputText(confidence, 80)}`);
-      }
-      if (finding.severity !== "info") {
-        const narrative = resolveImpactNarrative({
-          category: finding.category,
-          severity: finding.severity,
-          title: finding.title,
-          detail: finding.detail
-        });
-        if (narrative.impact) {
-          lines.push(`  Potential Impact: ${narrative.impact}`);
-        }
-        if (narrative.adverseConsequences) {
-          lines.push(`  Adverse Consequences: ${narrative.adverseConsequences}`);
-        }
-      }
+    }
+    const decoded = zone.decode(ip);
+    if (decoded) {
+      listedCount++;
+      findings.push(
+        createFinding(
+          CATEGORY,
+          `Listed on ${zone.name}`,
+          zone.severity,
+          `${domain} is listed on ${zone.name}: ${decoded.detail}`,
+          { zone: zone.zone, returnCode: ip, labels: decoded.label }
+        )
+      );
     }
   }
-  return lines.join("\n");
+  if (listedCount === 0 && findings.length === 0) {
+    findings.push(
+      createFinding(
+        CATEGORY,
+        "Domain not listed on any blocklist",
+        "info",
+        `${domain} is not listed on any of the ${checkedCount} checked DNS-based domain blocklists (Spamhaus DBL, URIBL, SURBL).`,
+        { zonesChecked: checkedCount }
+      )
+    );
+  } else if (listedCount === 0 && findings.every((f) => f.severity === "low")) {
+    findings.push(
+      createFinding(
+        CATEGORY,
+        "Domain not listed on any blocklist",
+        "info",
+        `${domain} was not found on any of the successfully queried blocklists.`,
+        { zonesChecked: checkedCount }
+      )
+    );
+  }
+  return buildCheckResult(CATEGORY, findings);
 }
-var KNOWN_ACRONYMS = /* @__PURE__ */ new Set(["mx", "spf", "dmarc", "dkim", "dnssec", "ssl", "mta", "sts", "ns", "caa", "bimi", "tlsrpt", "http", "https", "dane", "svcb", "srv", "txt", "doh", "rpm"]);
-function toolNameToTitle(name) {
-  return name.split("_").map((word) => KNOWN_ACRONYMS.has(word) ? word.toUpperCase() : word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
+
+// src/tools/check-rbl.ts
+init_dns2();
+
+// src/lib/ip-utils.ts
+function reverseIPv4(ip) {
+  return ip.split(".").reverse().join(".");
 }
-function toInputSchema(schema) {
-  const jsonSchema = z.toJSONSchema(schema);
-  delete jsonSchema.$schema;
-  if (jsonSchema.additionalProperties !== void 0 && typeof jsonSchema.additionalProperties === "object" && jsonSchema.additionalProperties !== null && Object.keys(jsonSchema.additionalProperties).length === 0) {
-    delete jsonSchema.additionalProperties;
+function isPrivateIP(ip) {
+  if (ip.includes(":")) {
+    if (ip === "::1") return true;
+    const lower = ip.toLowerCase();
+    if (lower.startsWith("fe80:")) return true;
+    if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
+    return false;
   }
-  return jsonSchema;
+  const parts = ip.split(".").map(Number);
+  if (parts.length !== 4) return false;
+  const [a, b] = parts;
+  if (a === 10) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 127) return true;
+  if (a === 169 && b === 254) return true;
+  return false;
 }
-var TOOL_DEFS = {
-  check_mx: {
-    description: "Validate MX records and email provider detection.",
-    schema: BaseDomainArgs,
-    group: "email_auth",
+
+// src/tools/check-rbl.ts
+var RBL_ZONES = [
+  { name: "Spamhaus ZEN", zone: "zen.spamhaus.org" },
+  { name: "SpamCop", zone: "bl.spamcop.net" },
+  { name: "UCEProtect L1", zone: "dnsbl-1.uceprotect.net" },
+  { name: "UCEProtect L2", zone: "dnsbl-2.uceprotect.net" },
+  { name: "Mailspike", zone: "bl.mailspike.net" },
+  { name: "Barracuda", zone: "b.barracudacentral.org" },
+  { name: "PSBL", zone: "psbl.surriel.com" },
+  { name: "SORBS", zone: "dnsbl.sorbs.net" }
+];
+var CATEGORY2 = "rbl";
+var MAX_MX_IPS = 4;
+var SPAMHAUS_CODES2 = {
+  "0.2": "SBL \u2014 direct spam source",
+  "0.3": "SBL CSS \u2014 spam support service",
+  "0.4": "XBL CBL \u2014 exploited host",
+  "0.5": "XBL \u2014 exploited host (NJABL)",
+  "0.9": "SBL DROP \u2014 hijacked netblock",
+  "0.10": "PBL ISP \u2014 end-user IP",
+  "0.11": "PBL ISP \u2014 end-user IP"
+};
+function decodeSpamhausCode(ip) {
+  if (ip.startsWith("127.255.255.")) return null;
+  const lastTwo = ip.split(".").slice(2).join(".");
+  return SPAMHAUS_CODES2[lastTwo] ?? `Listed (${ip})`;
+}
+function isMailspikePositive(ip) {
+  const last = parseInt(ip.split(".").pop() ?? "0", 10);
+  return last >= 10 && last <= 14;
+}
+async function checkRbl(domain, dnsOptions) {
+  const findings = [];
+  let ips = [];
+  let usedFallback = false;
+  try {
+    const mxRecords = await queryMxRecords(domain, dnsOptions);
+    if (mxRecords.length > 0) {
+      const mxHosts = mxRecords.map((r) => r.exchange).filter(Boolean);
+      const ipResults = await Promise.allSettled(
+        mxHosts.slice(0, MAX_MX_IPS).map((host) => queryDnsRecords(host, "A", dnsOptions))
+      );
+      for (const r of ipResults) {
+        if (r.status === "fulfilled") ips.push(...r.value);
+      }
+    }
+  } catch {
+  }
+  if (ips.length === 0) {
+    try {
+      ips = await queryDnsRecords(domain, "A", dnsOptions);
+      if (ips.length > 0) usedFallback = true;
+    } catch {
+    }
+  }
+  if (ips.length === 0) {
+    findings.push(
+      createFinding(CATEGORY2, "No IP addresses found", "info", `Could not resolve any IP addresses for ${domain} (no MX or A records).`, {
+        domain
+      })
+    );
+    return buildCheckResult(CATEGORY2, findings);
+  }
+  if (usedFallback) {
+    findings.push(
+      createFinding(CATEGORY2, "No MX records \u2014 using A record fallback", "info", `${domain} has no MX records. Using A record IP(s) for RBL checks.`, {
+        domain,
+        fallback: true
+      })
+    );
+  }
+  ips = [...new Set(ips)].slice(0, MAX_MX_IPS);
+  let totalListings = 0;
+  for (const ip of ips) {
+    if (!/^(\d{1,3}\.){3}\d{1,3}$/.test(ip)) continue;
+    if (isPrivateIP(ip)) {
+      findings.push(
+        createFinding(CATEGORY2, `Private IP detected: ${ip}`, "info", `MX resolves to private IP ${ip} \u2014 RBL checks skipped for this address.`, {
+          ip,
+          private: true
+        })
+      );
+      continue;
+    }
+    const reversed = reverseIPv4(ip);
+    let ipListingCount = 0;
+    let hasSpamhausListing = false;
+    const ipListingIndices = [];
+    const rblResults = await Promise.allSettled(
+      RBL_ZONES.map(async (rbl) => {
+        const queryName = `${reversed}.${rbl.zone}`;
+        try {
+          const answers = await queryDnsRecords(queryName, "A", dnsOptions);
+          if (answers.length === 0) return { rbl, listed: false };
+          const returnIp = answers[0];
+          if (rbl.zone === "zen.spamhaus.org" && returnIp.startsWith("127.255.255.")) {
+            return { rbl, listed: false, quota: true };
+          }
+          if (rbl.zone === "bl.mailspike.net" && isMailspikePositive(returnIp)) {
+            return { rbl, listed: false, positiveRep: true };
+          }
+          return { rbl, listed: true, returnIp };
+        } catch {
+          return { rbl, listed: false, error: true };
+        }
+      })
+    );
+    for (const settled of rblResults) {
+      if (settled.status === "rejected") continue;
+      const result = settled.value;
+      if (result.quota) {
+        findings.push(
+          createFinding(CATEGORY2, `${result.rbl.name} quota exceeded`, "info", `Spamhaus returned a quota/rate-limit response for ${ip}. Use a DQS key for reliable results.`, {
+            ip,
+            zone: result.rbl.zone,
+            quota: true
+          })
+        );
+        continue;
+      }
+      if (result.positiveRep) {
+        findings.push(
+          createFinding(CATEGORY2, `Positive Mailspike reputation for ${ip}`, "info", `${ip} has positive reputation on Mailspike.`, {
+            ip,
+            zone: result.rbl.zone,
+            positiveReputation: true
+          })
+        );
+        continue;
+      }
+      if (result.error || !result.listed) continue;
+      ipListingCount++;
+      totalListings++;
+      if (result.rbl.zone === "zen.spamhaus.org") hasSpamhausListing = true;
+      const severity = result.rbl.zone === "zen.spamhaus.org" ? "high" : "low";
+      const detail = result.rbl.zone === "zen.spamhaus.org" ? `${ip} is listed on ${result.rbl.name}: ${decodeSpamhausCode(result.returnIp) ?? result.returnIp}.` : `${ip} is listed on ${result.rbl.name}.`;
+      ipListingIndices.push(findings.length);
+      findings.push(
+        createFinding(CATEGORY2, `Listed on ${result.rbl.name}`, severity, detail, {
+          ip,
+          zone: result.rbl.zone,
+          returnCode: result.returnIp
+        })
+      );
+    }
+    if (!hasSpamhausListing && ipListingCount >= 2) {
+      const firstLowIdx = ipListingIndices.find((idx) => findings[idx]?.severity === "low");
+      if (firstLowIdx !== void 0) {
+        const f = findings[firstLowIdx];
+        findings[firstLowIdx] = createFinding(
+          CATEGORY2,
+          f.title,
+          "medium",
+          f.detail + ` (elevated: listed on ${ipListingCount} RBLs)`,
+          f.metadata
+        );
+      }
+    }
+  }
+  if (totalListings === 0 && !findings.some((f) => f.title.includes("Listed"))) {
+    findings.push(
+      createFinding(CATEGORY2, "IP reputation clean \u2014 not listed on any RBL", "info", `All checked IPs for ${domain} are clean on ${RBL_ZONES.length} RBLs.`, {
+        ips,
+        zones: RBL_ZONES.map((z8) => z8.zone)
+      })
+    );
+  }
+  return buildCheckResult(CATEGORY2, findings);
+}
+
+// src/tools/check-cymru-asn.ts
+init_dns2();
+var CATEGORY3 = "asn";
+var HIGH_RISK_ASNS = /* @__PURE__ */ new Set([
+  9009,
+  // M247
+  53667,
+  // Frantech/BuyVM
+  36352,
+  // ColoCrossing
+  20473,
+  // Vultr
+  14061,
+  // DigitalOcean
+  63949
+  // Linode/Akamai
+]);
+function parseOriginTxt(txt) {
+  const parts = txt.split("|").map((p) => p.trim());
+  if (parts.length < 5) return null;
+  const asn = parseInt(parts[0], 10);
+  if (!Number.isFinite(asn) || asn <= 0) return null;
+  return {
+    asn,
+    prefix: parts[1],
+    cc: parts[2],
+    registry: parts[3],
+    allocated: parts[4]
+  };
+}
+function parseOrgTxt(txt) {
+  const parts = txt.split("|").map((p) => p.trim());
+  if (parts.length < 5) return null;
+  return parts[4] || null;
+}
+async function checkCymruAsn(domain, dnsOptions) {
+  const findings = [];
+  let ips = [];
+  try {
+    ips = await queryDnsRecords(domain, "A", dnsOptions);
+  } catch {
+  }
+  if (ips.length === 0) {
+    findings.push(
+      createFinding(CATEGORY3, "No A records found", "info", `Could not resolve any A records for ${domain}. ASN lookup requires IPv4 addresses.`, {
+        domain
+      })
+    );
+    return buildCheckResult(CATEGORY3, findings);
+  }
+  ips = [...new Set(ips)];
+  const seenAsns = /* @__PURE__ */ new Set();
+  for (const ip of ips) {
+    if (!/^(\d{1,3}\.){3}\d{1,3}$/.test(ip)) continue;
+    const reversed = reverseIPv4(ip);
+    const originName = `${reversed}.origin.asn.cymru.com`;
+    let originTxts = [];
+    try {
+      originTxts = await queryTxtRecords(originName, dnsOptions);
+    } catch {
+    }
+    if (originTxts.length === 0) {
+      findings.push(
+        createFinding(CATEGORY3, `No ASN data for ${ip}`, "info", `No ASN data returned from Team Cymru for ${ip}.`, {
+          ip
+        })
+      );
+      continue;
+    }
+    const origin = parseOriginTxt(originTxts[0]);
+    if (!origin) {
+      findings.push(
+        createFinding(CATEGORY3, `Unparseable ASN response for ${ip}`, "info", `Team Cymru returned an unparseable response for ${ip}.`, {
+          ip,
+          raw: originTxts[0]
+        })
+      );
+      continue;
+    }
+    let orgName = null;
+    if (!seenAsns.has(origin.asn)) {
+      try {
+        const orgTxts = await queryTxtRecords(`AS${origin.asn}.asn.cymru.com`, dnsOptions);
+        if (orgTxts.length > 0) {
+          orgName = parseOrgTxt(orgTxts[0]);
+        }
+      } catch {
+      }
+    }
+    seenAsns.add(origin.asn);
+    const isHighRisk = HIGH_RISK_ASNS.has(origin.asn);
+    const orgLabel = orgName ? ` (${orgName})` : "";
+    if (isHighRisk) {
+      findings.push(
+        createFinding(
+          CATEGORY3,
+          `High-risk ASN ${origin.asn} detected`,
+          "medium",
+          `${ip} is announced by high-risk ASN ${origin.asn}${orgLabel} in prefix ${origin.prefix} (${origin.cc}, ${origin.registry}).`,
+          { ip, asn: origin.asn, prefix: origin.prefix, cc: origin.cc, registry: origin.registry, orgName, highRisk: true }
+        )
+      );
+    }
+    findings.push(
+      createFinding(
+        CATEGORY3,
+        `ASN ${origin.asn} for ${ip}`,
+        "info",
+        `${ip} \u2192 AS${origin.asn}${orgLabel}, prefix ${origin.prefix}, country ${origin.cc}, registry ${origin.registry}, allocated ${origin.allocated}.`,
+        { ip, asn: origin.asn, prefix: origin.prefix, cc: origin.cc, registry: origin.registry, allocated: origin.allocated, orgName }
+      )
+    );
+  }
+  return buildCheckResult(CATEGORY3, findings);
+}
+
+// src/tools/check-rdap-lookup.ts
+var CATEGORY4 = "rdap";
+var IANA_BOOTSTRAP_URL = "https://data.iana.org/rdap/dns.json";
+var FALLBACK_RDAP_SERVERS = {
+  com: "https://rdap.verisign.com/com/v1/",
+  net: "https://rdap.verisign.com/net/v1/",
+  org: "https://rdap.org/",
+  info: "https://rdap.afilias.net/rdap/info/",
+  io: "https://rdap.nic.io/"
+};
+var bootstrapCache = null;
+var RDAP_TIMEOUT_MS = 1e4;
+async function fetchBootstrap() {
+  if (bootstrapCache) return bootstrapCache;
+  try {
+    const resp = await fetch(IANA_BOOTSTRAP_URL, {
+      redirect: "manual",
+      signal: AbortSignal.timeout(RDAP_TIMEOUT_MS),
+      headers: { Accept: "application/json" }
+    });
+    if (!resp.ok) return {};
+    const data = await resp.json();
+    const map2 = {};
+    if (Array.isArray(data.services)) {
+      for (const [tlds, urls] of data.services) {
+        if (!Array.isArray(tlds) || !Array.isArray(urls) || urls.length === 0) continue;
+        const serverUrl = urls[0];
+        for (const tld of tlds) {
+          if (typeof tld === "string" && typeof serverUrl === "string") {
+            map2[tld.toLowerCase()] = serverUrl;
+          }
+        }
+      }
+    }
+    bootstrapCache = map2;
+    return map2;
+  } catch {
+    return {};
+  }
+}
+async function resolveRdapServer(tld) {
+  const normalizedTld = tld.toLowerCase();
+  const bootstrap = await fetchBootstrap();
+  if (bootstrap[normalizedTld]) return bootstrap[normalizedTld];
+  return FALLBACK_RDAP_SERVERS[normalizedTld] ?? null;
+}
+function extractVcardName(entity) {
+  if (!entity.vcardArray || entity.vcardArray[0] !== "vcard") return null;
+  const properties = entity.vcardArray[1];
+  if (!Array.isArray(properties)) return null;
+  for (const prop of properties) {
+    if (Array.isArray(prop) && prop[0] === "fn" && typeof prop[3] === "string") {
+      return prop[3];
+    }
+  }
+  return null;
+}
+function extractVcardCountry(entity) {
+  if (!entity.vcardArray || entity.vcardArray[0] !== "vcard") return null;
+  const properties = entity.vcardArray[1];
+  if (!Array.isArray(properties)) return null;
+  for (const prop of properties) {
+    if (Array.isArray(prop) && prop[0] === "adr") {
+      const value = prop[3];
+      if (Array.isArray(value) && value.length > 0) {
+        const country = value[value.length - 1];
+        return typeof country === "string" && country.length > 0 ? country : null;
+      }
+    }
+  }
+  return null;
+}
+function findEntityByRole(entities, role) {
+  if (!Array.isArray(entities)) return null;
+  for (const entity of entities) {
+    if (Array.isArray(entity.roles) && entity.roles.includes(role)) {
+      return entity;
+    }
+    if (Array.isArray(entity.entities)) {
+      const nested = findEntityByRole(entity.entities, role);
+      if (nested) return nested;
+    }
+  }
+  return null;
+}
+function findEvent(events, action) {
+  if (!Array.isArray(events)) return null;
+  return events.find((e) => e.eventAction === action) ?? null;
+}
+async function checkRdapLookup(domain) {
+  const findings = [];
+  const labels = domain.split(".");
+  const tld = labels[labels.length - 1];
+  const rdapServerUrl = await resolveRdapServer(tld);
+  if (!rdapServerUrl) {
+    findings.push(
+      createFinding(CATEGORY4, "No RDAP server found", "info", `No RDAP server found for TLD ".${tld}". RDAP data unavailable for this domain.`, {
+        domain,
+        tld
+      })
+    );
+    return buildCheckResult(CATEGORY4, findings);
+  }
+  let rdapData;
+  try {
+    const baseUrl = rdapServerUrl.endsWith("/") ? rdapServerUrl : `${rdapServerUrl}/`;
+    const rdapUrl = `${baseUrl}domain/${domain}`;
+    const resp = await fetch(rdapUrl, {
+      redirect: "manual",
+      signal: AbortSignal.timeout(RDAP_TIMEOUT_MS),
+      headers: { Accept: "application/rdap+json, application/json" }
+    });
+    if (!resp.ok) {
+      findings.push(
+        createFinding(CATEGORY4, "RDAP lookup failed", "info", `RDAP server returned HTTP ${resp.status} for ${domain}. Registration data unavailable.`, {
+          domain,
+          httpStatus: resp.status
+        })
+      );
+      return buildCheckResult(CATEGORY4, findings);
+    }
+    rdapData = await resp.json();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Unknown error";
+    findings.push(
+      createFinding(CATEGORY4, "RDAP lookup failed", "info", `RDAP lookup failed for ${domain}: ${message}`, {
+        domain,
+        error: message
+      })
+    );
+    return buildCheckResult(CATEGORY4, findings);
+  }
+  const registrarEntity = findEntityByRole(rdapData.entities, "registrar");
+  const registrarName = registrarEntity ? extractVcardName(registrarEntity) : null;
+  const registrantEntity = findEntityByRole(rdapData.entities, "registrant");
+  const registrantName = registrantEntity ? extractVcardName(registrantEntity) : null;
+  const registrantCountry = registrantEntity ? extractVcardCountry(registrantEntity) : null;
+  const registrationEvent = findEvent(rdapData.events, "registration");
+  const expirationEvent = findEvent(rdapData.events, "expiration");
+  const lastChangedEvent = findEvent(rdapData.events, "last changed");
+  let domainAgeDays = null;
+  if (registrationEvent?.eventDate) {
+    const creationTime = new Date(registrationEvent.eventDate).getTime();
+    if (Number.isFinite(creationTime)) {
+      domainAgeDays = Math.floor((Date.now() - creationTime) / (1e3 * 60 * 60 * 24));
+    }
+  }
+  let daysUntilExpiration = null;
+  if (expirationEvent?.eventDate) {
+    const expirationTime = new Date(expirationEvent.eventDate).getTime();
+    if (Number.isFinite(expirationTime)) {
+      daysUntilExpiration = Math.floor((expirationTime - Date.now()) / (1e3 * 60 * 60 * 24));
+    }
+  }
+  const eppStatus = Array.isArray(rdapData.status) ? rdapData.status : [];
+  const metadata = {
+    domain,
+    registrar: registrarName,
+    registrant: registrantName,
+    registrantCountry,
+    creationDate: registrationEvent?.eventDate ?? null,
+    expirationDate: expirationEvent?.eventDate ?? null,
+    lastChanged: lastChangedEvent?.eventDate ?? null,
+    eppStatus,
+    rdapServer: rdapServerUrl
+  };
+  if (domainAgeDays !== null) {
+    metadata.domainAgeDays = domainAgeDays;
+  }
+  if (daysUntilExpiration !== null) {
+    metadata.daysUntilExpiration = daysUntilExpiration;
+  }
+  if (domainAgeDays !== null && domainAgeDays < 30) {
+    findings.push(
+      createFinding(
+        CATEGORY4,
+        "Newly registered domain",
+        "medium",
+        `${domain} was registered ${domainAgeDays} day${domainAgeDays !== 1 ? "s" : ""} ago (${registrationEvent.eventDate}). Newly registered domains are commonly used for phishing and spam.`,
+        metadata
+      )
+    );
+  }
+  if (daysUntilExpiration !== null && daysUntilExpiration <= 30 && daysUntilExpiration >= 0) {
+    findings.push(
+      createFinding(
+        CATEGORY4,
+        "Domain expiring soon",
+        "low",
+        `${domain} expires in ${daysUntilExpiration} day${daysUntilExpiration !== 1 ? "s" : ""} (${expirationEvent.eventDate}). Expired domains can be re-registered by attackers.`,
+        metadata
+      )
+    );
+  }
+  const parts = [];
+  if (registrarName) parts.push(`Registrar: ${registrarName}`);
+  if (registrantName) parts.push(`Registrant: ${registrantName}`);
+  if (registrantCountry) parts.push(`Country: ${registrantCountry}`);
+  if (registrationEvent?.eventDate) parts.push(`Created: ${registrationEvent.eventDate.split("T")[0]}`);
+  if (expirationEvent?.eventDate) parts.push(`Expires: ${expirationEvent.eventDate.split("T")[0]}`);
+  if (lastChangedEvent?.eventDate) parts.push(`Updated: ${lastChangedEvent.eventDate.split("T")[0]}`);
+  if (eppStatus.length > 0) parts.push(`Status: ${eppStatus.join(", ")}`);
+  if (domainAgeDays !== null) parts.push(`Age: ${domainAgeDays} days`);
+  findings.push(
+    createFinding(
+      CATEGORY4,
+      "Registration details",
+      "info",
+      parts.length > 0 ? parts.join(". ") + "." : `RDAP data retrieved for ${domain} but no structured fields found.`,
+      metadata
+    )
+  );
+  return buildCheckResult(CATEGORY4, findings);
+}
+
+// src/tools/check-nsec-walkability.ts
+init_dns2();
+var CATEGORY5 = "nsec_walkability";
+var NSEC3_HASH_ALGORITHMS = {
+  1: "SHA-1"
+};
+function parseNsec3Param(data) {
+  const parts = data.trim().split(/\s+/);
+  if (parts.length < 4) return null;
+  const algorithm = parseInt(parts[0], 10);
+  const flags = parseInt(parts[1], 10);
+  const iterations = parseInt(parts[2], 10);
+  const salt = parts[3];
+  if (!Number.isFinite(algorithm) || !Number.isFinite(flags) || !Number.isFinite(iterations)) {
+    return null;
+  }
+  return {
+    algorithm,
+    algorithmName: NSEC3_HASH_ALGORITHMS[algorithm] ?? `Unknown (${algorithm})`,
+    flags,
+    iterations,
+    salt
+  };
+}
+async function checkNsecWalkability(domain, dnsOptions) {
+  const findings = [];
+  let nsec3Records = [];
+  try {
+    nsec3Records = await queryDnsRecords(domain, "NSEC3PARAM", dnsOptions);
+  } catch {
+    findings.push(
+      createFinding(
+        CATEGORY5,
+        "NSEC3PARAM query failed",
+        "info",
+        `DNS query for NSEC3PARAM records at ${domain} failed. Unable to assess zone walkability. Note: this analysis cannot probe for actual NSEC/NSEC3 denial records via DoH and analyzes configuration parameters only.`,
+        { domain }
+      )
+    );
+    return buildCheckResult(CATEGORY5, findings);
+  }
+  if (nsec3Records.length === 0) {
+    findings.push(
+      createFinding(
+        CATEGORY5,
+        "No NSEC3PARAM record found",
+        "high",
+        `No NSEC3PARAM record was found for ${domain}. The zone likely uses plain NSEC, which makes it fully walkable \u2014 an attacker can enumerate all zone contents by following NSEC chain links. Limitation: DoH cannot probe for actual NSEC/NSEC3 denial-of-existence records, so this assessment is based on the absence of NSEC3PARAM configuration only.`,
+        { domain, walkable: true }
+      )
+    );
+    return buildCheckResult(CATEGORY5, findings);
+  }
+  const params = parseNsec3Param(nsec3Records[0]);
+  if (!params) {
+    findings.push(
+      createFinding(
+        CATEGORY5,
+        "Unparseable NSEC3PARAM",
+        "info",
+        `NSEC3PARAM record for ${domain} could not be parsed: ${nsec3Records[0]}`,
+        { domain, raw: nsec3Records[0] }
+      )
+    );
+    return buildCheckResult(CATEGORY5, findings);
+  }
+  const hasSalt = params.salt !== "-";
+  const hasIterations = params.iterations > 0;
+  if (params.flags & 1) {
+    findings.push(
+      createFinding(
+        CATEGORY5,
+        "NSEC3 opt-out enabled",
+        "low",
+        `NSEC3PARAM for ${domain} has the opt-out flag set (flags=${params.flags}). Opt-out allows unsigned delegations to be omitted from the NSEC3 chain, which may leave some subdomains without denial-of-existence protection.`,
+        { domain, flags: params.flags, optOut: true }
+      )
+    );
+  }
+  if (!hasIterations && !hasSalt) {
+    findings.push(
+      createFinding(
+        CATEGORY5,
+        "NSEC3 with minimal parameters",
+        "medium",
+        `NSEC3PARAM for ${domain} uses 0 iterations and no salt (RFC 9276 recommended defaults). While NSEC3 prevents trivial zone walking, the low enumeration cost means offline dictionary attacks against the hashed names are feasible. Algorithm: ${params.algorithmName}. Note: this tool analyzes NSEC3PARAM configuration only and cannot probe for actual NSEC3 denial records via DoH.`,
+        {
+          domain,
+          algorithm: params.algorithmName,
+          algorithmId: params.algorithm,
+          iterations: params.iterations,
+          salt: params.salt,
+          hasSalt: false
+        }
+      )
+    );
+  } else {
+    findings.push(
+      createFinding(
+        CATEGORY5,
+        "NSEC3 parameters configured",
+        "info",
+        `NSEC3PARAM for ${domain}: algorithm ${params.algorithmName}, ${params.iterations} iteration${params.iterations !== 1 ? "s" : ""}, salt ${hasSalt ? params.salt : "none"}. Zone uses NSEC3 hashed denial-of-existence, which mitigates trivial zone walking. Note: this tool analyzes configuration parameters only.`,
+        {
+          domain,
+          algorithm: params.algorithmName,
+          algorithmId: params.algorithm,
+          iterations: params.iterations,
+          salt: params.salt,
+          hasSalt
+        }
+      )
+    );
+  }
+  return buildCheckResult(CATEGORY5, findings);
+}
+
+// src/tools/check-dnssec-chain.ts
+init_dns2();
+var CATEGORY6 = "dnssec_chain";
+var DNSSEC_ALGORITHMS = {
+  1: "RSA-MD5",
+  3: "DSA-SHA1",
+  5: "RSA-SHA1",
+  6: "DSA-NSEC3-SHA1",
+  7: "RSA-SHA1-NSEC3",
+  8: "RSA-SHA256",
+  10: "RSA-SHA512",
+  12: "ECC-GOST",
+  13: "ECDSAP256SHA256",
+  14: "ECDSAP384SHA384",
+  15: "Ed25519",
+  16: "Ed448"
+};
+var WEAK_ALGORITHMS = /* @__PURE__ */ new Set([1, 3, 5, 6, 7]);
+var DIGEST_TYPES = { 1: "SHA-1", 2: "SHA-256", 4: "SHA-384" };
+function parseDsRecord2(data) {
+  const parts = data.trim().split(/\s+/);
+  if (parts.length < 4) return null;
+  const keyTag = parseInt(parts[0], 10);
+  const algorithm = parseInt(parts[1], 10);
+  const digestType = parseInt(parts[2], 10);
+  const digest = parts.slice(3).join("");
+  if (!Number.isFinite(keyTag) || !Number.isFinite(algorithm) || !Number.isFinite(digestType)) return null;
+  return { keyTag, algorithm, digestType, digest };
+}
+function parseDnskeyRecord(data) {
+  const parts = data.trim().split(/\s+/);
+  if (parts.length < 4) return null;
+  const flags = parseInt(parts[0], 10);
+  const protocol = parseInt(parts[1], 10);
+  const algorithm = parseInt(parts[2], 10);
+  const pubkey = parts.slice(3).join("");
+  if (!Number.isFinite(flags) || !Number.isFinite(protocol) || !Number.isFinite(algorithm)) return null;
+  return { flags, protocol, algorithm, pubkey, isKsk: flags === 257 };
+}
+function determineLinkage(dsRecords, dnskeyRecords) {
+  if (dsRecords.length === 0) return "no_ds";
+  if (dnskeyRecords.length === 0) return "no_dnskey";
+  const dsAlgs = new Set(dsRecords.map((ds) => ds.algorithm));
+  const keyAlgs = new Set(dnskeyRecords.map((k) => k.algorithm));
+  for (const alg of dsAlgs) {
+    if (keyAlgs.has(alg)) return "linked";
+  }
+  return "broken";
+}
+function buildZoneHierarchy(domain) {
+  const labels = domain.split(".");
+  const zones = ["."];
+  for (let i = labels.length - 1; i >= 0; i--) {
+    zones.push(labels.slice(i).join("."));
+  }
+  return zones;
+}
+async function checkDnssecChain(domain, dnsOptions) {
+  const findings = [];
+  const zones = buildZoneHierarchy(domain);
+  const zoneResults = [];
+  let chainBroken = false;
+  const weakAlgsFound = [];
+  for (const zone of zones) {
+    let dsRecords = [];
+    if (zone !== ".") {
+      try {
+        const rawDs = await queryDnsRecords(zone, "DS", dnsOptions);
+        dsRecords = rawDs.map(parseDsRecord2).filter((r) => r !== null);
+      } catch {
+      }
+    }
+    let dnskeyRecords = [];
+    try {
+      const rawDnskey = await queryDnsRecords(zone, "DNSKEY", dnsOptions);
+      dnskeyRecords = rawDnskey.map(parseDnskeyRecord).filter((r) => r !== null);
+    } catch {
+    }
+    const linkage = zone === "." ? dnskeyRecords.length > 0 ? "linked" : "no_dnskey" : determineLinkage(dsRecords, dnskeyRecords);
+    const allAlgs = /* @__PURE__ */ new Set();
+    for (const ds of dsRecords) allAlgs.add(ds.algorithm);
+    for (const key of dnskeyRecords) allAlgs.add(key.algorithm);
+    const algorithms = [...allAlgs].map((a) => DNSSEC_ALGORITHMS[a] ?? `Unknown(${a})`);
+    const weakAlgorithms = [...allAlgs].filter((a) => WEAK_ALGORITHMS.has(a)).map((a) => DNSSEC_ALGORITHMS[a] ?? `Unknown(${a})`);
+    weakAlgsFound.push(...weakAlgorithms);
+    zoneResults.push({
+      zone,
+      dsRecords,
+      dnskeyRecords,
+      linkage,
+      algorithms,
+      weakAlgorithms
+    });
+    if (linkage === "no_dnskey" || linkage === "broken") {
+      chainBroken = true;
+    }
+    if (zone !== "." && dsRecords.length === 0 && dnskeyRecords.length === 0) {
+      break;
+    }
+  }
+  let adFlag = false;
+  try {
+    const adResp = await queryDns(domain, "A", true, dnsOptions);
+    adFlag = adResp.AD === true;
+  } catch {
+  }
+  const lastZone = zoneResults[zoneResults.length - 1];
+  const reachedTarget = lastZone?.zone === domain;
+  const targetSigned = reachedTarget && (lastZone.dsRecords.length > 0 || lastZone.dnskeyRecords.length > 0);
+  const chainComplete = reachedTarget && !chainBroken && targetSigned;
+  if (chainBroken) {
+    const brokenZones = zoneResults.filter((z8) => z8.linkage === "no_dnskey" || z8.linkage === "broken");
+    for (const bz of brokenZones) {
+      const reason = bz.linkage === "no_dnskey" ? "DS record exists but no DNSKEY found" : "DS and DNSKEY algorithm mismatch";
+      findings.push(
+        createFinding(
+          CATEGORY6,
+          `Broken DNSSEC chain at ${bz.zone}`,
+          "high",
+          `DNSSEC chain is broken at ${bz.zone}: ${reason}. Resolvers that validate DNSSEC will return SERVFAIL for this zone.`,
+          { zone: bz.zone, linkage: bz.linkage }
+        )
+      );
+    }
+  }
+  if (weakAlgsFound.length > 0) {
+    const uniqueWeak = [...new Set(weakAlgsFound)];
+    findings.push(
+      createFinding(
+        CATEGORY6,
+        "Weak DNSSEC algorithm in chain",
+        "medium",
+        `DNSSEC chain uses deprecated/weak algorithm(s): ${uniqueWeak.join(", ")}. These are considered cryptographically weak and should be migrated to RSA-SHA256 (algorithm 8) or ECDSA (algorithm 13/14).`,
+        { weakAlgorithms: uniqueWeak }
+      )
+    );
+  }
+  const zonesSummary = zoneResults.map((z8) => ({
+    zone: z8.zone,
+    dsCount: z8.dsRecords.length,
+    dnskeyCount: z8.dnskeyRecords.length,
+    kskCount: z8.dnskeyRecords.filter((k) => k.isKsk).length,
+    zskCount: z8.dnskeyRecords.filter((k) => !k.isKsk).length,
+    linkage: z8.linkage,
+    algorithms: z8.algorithms,
+    dsDigestTypes: [...new Set(z8.dsRecords.map((ds) => DIGEST_TYPES[ds.digestType] ?? `Unknown(${ds.digestType})`))]
+  }));
+  const stoppedEarly = !reachedTarget;
+  let summaryStatus;
+  if (stoppedEarly) {
+    summaryStatus = `stopped at ${lastZone?.zone ?? "."} \u2014 zone has no DS and no DNSKEY (not signed)`;
+  } else if (!targetSigned) {
+    summaryStatus = `${domain} has no DS and no DNSKEY \u2014 domain is not signed`;
+  } else if (chainComplete) {
+    summaryStatus = "complete chain from root to target";
+  } else {
+    summaryStatus = "chain broken";
+  }
+  const summaryDetail = `DNSSEC chain walk for ${domain}: ${summaryStatus}. Zones walked: ${zoneResults.map((z8) => z8.zone).join(" \u2192 ")}. AD flag: ${adFlag}. Limitation: no cryptographic RRSIG verification; reports structure and linkage only.`;
+  findings.push(
+    createFinding(CATEGORY6, "DNSSEC chain summary", "info", summaryDetail, {
+      chainComplete,
+      adFlag,
+      zonesWalked: zoneResults.length,
+      zones: zonesSummary
+    })
+  );
+  return buildCheckResult(CATEGORY6, findings);
+}
+
+// src/tools/check-fast-flux.ts
+init_dns2();
+var CATEGORY7 = "fast_flux";
+var TYPE_A = 1;
+var TYPE_AAAA = 28;
+async function checkFastFlux(domain, rounds, dnsOptions, delayMs = 2e3) {
+  const effectiveRounds = Math.max(3, Math.min(5, rounds ?? 3));
+  const roundResults = [];
+  for (let i = 0; i < effectiveRounds; i++) {
+    if (i > 0 && delayMs > 0) {
+      await new Promise((resolve) => setTimeout(resolve, delayMs));
+    }
+    try {
+      const [aResult, aaaaResult] = await Promise.allSettled([
+        queryDns(domain, "A", false, dnsOptions),
+        queryDns(domain, "AAAA", false, dnsOptions)
+      ]);
+      const answers = [];
+      if (aResult.status === "fulfilled" && aResult.value.Answer) {
+        answers.push(...aResult.value.Answer.filter((a) => a.type === TYPE_A));
+      }
+      if (aaaaResult.status === "fulfilled" && aaaaResult.value.Answer) {
+        answers.push(...aaaaResult.value.Answer.filter((a) => a.type === TYPE_AAAA));
+      }
+      const ips = answers.map((a) => a.data).sort();
+      const minTtl = answers.length > 0 ? Math.min(...answers.map((a) => a.TTL)) : Infinity;
+      roundResults.push({ ips, minTtl });
+    } catch {
+      roundResults.push({ ips: [], minTtl: Infinity });
+    }
+  }
+  const successfulRounds = roundResults.filter((r) => r.ips.length > 0);
+  if (successfulRounds.length === 0) {
+    const findings2 = [
+      createFinding(
+        CATEGORY7,
+        "DNS queries failed",
+        "medium",
+        `All ${effectiveRounds} query rounds failed for ${domain}. Unable to assess fast-flux behavior.`
+      )
+    ];
+    return buildCheckResult(CATEGORY7, findings2);
+  }
+  const allUniqueIps = /* @__PURE__ */ new Set();
+  for (const round of roundResults) {
+    for (const ip of round.ips) {
+      allUniqueIps.add(ip);
+    }
+  }
+  let ipSetChanges = 0;
+  for (let i = 1; i < roundResults.length; i++) {
+    const prev = roundResults[i - 1].ips.join(",");
+    const curr = roundResults[i].ips.join(",");
+    if (prev !== curr && roundResults[i - 1].ips.length > 0 && roundResults[i].ips.length > 0) {
+      ipSetChanges++;
+    }
+  }
+  const overallMinTtl = Math.min(...successfulRounds.map((r) => r.minTtl));
+  const fluxDetected = overallMinTtl < 300 && ipSetChanges > 0;
+  const findings = [];
+  if (fluxDetected) {
+    findings.push(
+      createFinding(
+        CATEGORY7,
+        "Fast-flux behavior detected",
+        "high",
+        `${domain} shows fast-flux indicators: ${allUniqueIps.size} unique IPs observed across ${effectiveRounds} rounds with ${ipSetChanges} IP set change(s) and minimum TTL of ${overallMinTtl}s. Rotating IPs with low TTLs are characteristic of fast-flux networks used to evade takedowns.`,
+        {
+          domain,
+          flux_detected: true,
+          unique_ips: allUniqueIps.size,
+          ip_set_changes: ipSetChanges,
+          min_ttl: overallMinTtl,
+          rounds: effectiveRounds
+        }
+      )
+    );
+  } else {
+    findings.push(
+      createFinding(
+        CATEGORY7,
+        "Stable resolution \u2014 no fast-flux indicators",
+        "info",
+        `${domain} resolved consistently across ${effectiveRounds} rounds: ${allUniqueIps.size} unique IP(s), ${ipSetChanges} IP set change(s), minimum TTL ${overallMinTtl === Infinity ? "N/A" : `${overallMinTtl}s`}. No fast-flux behavior detected.`,
+        {
+          domain,
+          flux_detected: false,
+          unique_ips: allUniqueIps.size,
+          ip_set_changes: ipSetChanges,
+          min_ttl: overallMinTtl === Infinity ? null : overallMinTtl,
+          rounds: effectiveRounds
+        }
+      )
+    );
+  }
+  findings.push(
+    createFinding(
+      CATEGORY7,
+      "Detection limitations",
+      "info",
+      "DoH resolver caching may mask IP rotation. This check has lower fidelity than direct UDP probing against authoritative nameservers."
+    )
+  );
+  return buildCheckResult(CATEGORY7, findings);
+}
+
+// src/handlers/tool-execution.ts
+init_log();
+function buildLogContext(toolName, startTime, domain, runtimeOptions) {
+  return {
+    toolName,
+    durationMs: Date.now() - startTime,
+    domain,
+    analytics: runtimeOptions?.analytics,
+    country: runtimeOptions?.country,
+    clientType: runtimeOptions?.clientType,
+    authTier: runtimeOptions?.authTier,
+    keyHash: runtimeOptions?.keyHash
+  };
+}
+function logToolSuccess(options) {
+  options.analytics?.emitToolEvent({
+    toolName: options.toolName,
+    status: options.status,
+    durationMs: options.durationMs,
+    domain: options.domain,
+    isError: false,
+    score: options.score,
+    cacheStatus: options.cacheStatus,
+    country: options.country,
+    clientType: options.clientType,
+    authTier: options.authTier,
+    keyHash: options.keyHash
+  });
+  logEvent({
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: options.toolName,
+    domain: options.domain,
+    result: options.logResult,
+    details: options.logDetails,
+    durationMs: options.durationMs,
+    severity: options.severity ?? (options.status === "pass" ? "info" : "warn")
+  });
+}
+function logToolFailure(options) {
+  options.analytics?.emitToolEvent({
+    toolName: options.toolName,
+    status: "error",
+    durationMs: options.durationMs,
+    domain: options.domain,
+    isError: true,
+    score: options.score,
+    cacheStatus: options.cacheStatus,
+    country: options.country,
+    clientType: options.clientType,
+    authTier: options.authTier,
+    keyHash: options.keyHash
+  });
+  logError(options.error instanceof Error ? options.error : String(options.error), {
+    tool: options.toolName,
+    domain: options.domain,
+    details: options.args,
+    severity: options.severity ?? "error"
+  });
+}
+
+// src/handlers/tool-formatters.ts
+function mcpError(message) {
+  return { type: "text", text: `Error: ${message}` };
+}
+function mcpText(text) {
+  return { type: "text", text };
+}
+function buildToolContent(text, structuredData, format) {
+  const content = [mcpText(text)];
+  if (format === "full") {
+    content.push(mcpText(`<!-- STRUCTURED_RESULT
+${JSON.stringify(structuredData)}
+STRUCTURED_RESULT -->`));
+  }
+  return content;
+}
+function formatCheckResult(result, format = "full") {
+  const lines = [];
+  lines.push(`## ${result.category.toUpperCase()} Check`);
+  lines.push(`**Status:** ${result.passed ? "\u2705 Passed" : "\u274C Failed"}`);
+  lines.push(`**Score:** ${result.score}/100`);
+  lines.push("");
+  if (result.findings.length > 0) {
+    lines.push("### Findings");
+    for (const finding of result.findings) {
+      if (format === "compact") {
+        const isHighPriority = finding.severity === "critical" || finding.severity === "high";
+        const detailLimit = isHighPriority ? 4e3 : 300;
+        lines.push(`- [${finding.severity.toUpperCase()}] ${sanitizeOutputText(finding.title, 120)} \u2014 ${sanitizeOutputText(finding.detail, detailLimit)}`);
+        continue;
+      }
+      const icon = finding.severity === "info" ? "\u2139\uFE0F" : finding.severity === "low" ? "\u26A0\uFE0F" : finding.severity === "medium" ? "\u{1F536}" : finding.severity === "high" ? "\u{1F534}" : "\u{1F6A8}";
+      lines.push(`- ${icon} **[${finding.severity.toUpperCase()}]** ${sanitizeOutputText(finding.title, 120)}`);
+      lines.push(`  ${sanitizeOutputText(finding.detail)}`);
+      const verificationStatus = finding.category === "subdomain_takeover" && finding.metadata?.verificationStatus ? String(finding.metadata.verificationStatus) : void 0;
+      if (verificationStatus) {
+        lines.push(`  Takeover Verification: ${sanitizeOutputText(verificationStatus, 80)}`);
+      }
+      const confidence = finding.metadata?.confidence ? String(finding.metadata.confidence) : void 0;
+      if (confidence) {
+        lines.push(`  Confidence: ${sanitizeOutputText(confidence, 80)}`);
+      }
+      if (finding.severity !== "info") {
+        const narrative = resolveImpactNarrative({
+          category: finding.category,
+          severity: finding.severity,
+          title: finding.title,
+          detail: finding.detail
+        });
+        if (narrative.impact) {
+          lines.push(`  Potential Impact: ${narrative.impact}`);
+        }
+        if (narrative.adverseConsequences) {
+          lines.push(`  Adverse Consequences: ${narrative.adverseConsequences}`);
+        }
+      }
+    }
+  }
+  return lines.join("\n");
+}
+var KNOWN_ACRONYMS = /* @__PURE__ */ new Set(["mx", "spf", "dmarc", "dkim", "dnssec", "ssl", "mta", "sts", "ns", "caa", "bimi", "tlsrpt", "http", "https", "dane", "svcb", "srv", "txt", "doh", "rpm", "dbl", "rdap", "nsec"]);
+function toolNameToTitle(name) {
+  return name.split("_").map((word) => KNOWN_ACRONYMS.has(word) ? word.toUpperCase() : word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
+}
+function toInputSchema(schema) {
+  const jsonSchema = z.toJSONSchema(schema);
+  delete jsonSchema.$schema;
+  if (jsonSchema.additionalProperties !== void 0 && typeof jsonSchema.additionalProperties === "object" && jsonSchema.additionalProperties !== null && Object.keys(jsonSchema.additionalProperties).length === 0) {
+    delete jsonSchema.additionalProperties;
+  }
+  return jsonSchema;
+}
+var TOOL_DEFS = {
+  check_mx: {
+    description: "Look up MX records for a domain. Shows mail servers, email provider detection, and validates configuration.",
+    schema: BaseDomainArgs,
+    group: "email_auth",
     tier: "protective",
     scanIncluded: true
   },
   check_spf: {
-    description: "Validate SPF syntax, policy, and trust surface.",
+    description: "Look up and validate SPF record for a domain. Shows authorized senders, syntax issues, and trust surface.",
     schema: BaseDomainArgs,
     group: "email_auth",
     tier: "core",
     scanIncluded: true
   },
   check_dmarc: {
-    description: "Validate DMARC policy, alignment, and reporting.",
+    description: "Look up and validate DMARC record for a domain. Shows policy enforcement, alignment mode, and reporting config.",
     schema: BaseDomainArgs,
     group: "email_auth",
     tier: "core",
     scanIncluded: true
   },
   check_dkim: {
-    description: "Probe DKIM selectors and validate key strength.",
+    description: "Look up DKIM records for a domain. Probes common selectors and validates key strength and algorithm.",
     schema: CheckDkimArgs,
     group: "email_auth",
     tier: "core",
     scanIncluded: true
   },
   check_dnssec: {
-    description: "Verify DNSSEC validation and DNSKEY/DS records.",
+    description: "Check DNSSEC status for a domain. Verifies DNSKEY/DS records and validation chain.",
     schema: BaseDomainArgs,
     group: "infrastructure",
     tier: "core",
     scanIncluded: true
   },
   check_ssl: {
-    description: "Verify SSL/TLS certificate and HTTPS config.",
+    description: "Check SSL/TLS certificate for a domain. Shows issuer, expiry, protocol versions, and HTTPS configuration.",
     schema: BaseDomainArgs,
     group: "infrastructure",
     tier: "core",
@@ -9851,14 +11320,14 @@ var TOOL_DEFS = {
     scanIncluded: true
   },
   check_ns: {
-    description: "Analyze NS delegation and provider diversity.",
+    description: "Look up NS (nameserver) records for a domain. Shows DNS provider, delegation, and redundancy.",
     schema: BaseDomainArgs,
     group: "infrastructure",
     tier: "protective",
     scanIncluded: true
   },
   check_caa: {
-    description: "Check authorized Certificate Authorities via CAA.",
+    description: "Look up CAA records for a domain. Shows which Certificate Authorities are authorized to issue certificates.",
     schema: BaseDomainArgs,
     group: "infrastructure",
     tier: "protective",
@@ -9921,7 +11390,7 @@ var TOOL_DEFS = {
     scanIncluded: true
   },
   scan_domain: {
-    description: "Full DNS and email security audit. Score, grade, maturity, findings. Start here.",
+    description: "Look up any domain to get a full DNS and email security audit. Use this whenever a user mentions a domain name, asks to check/scan/lookup/analyze a domain, or wants to know about a domain's security posture. Returns score, grade, maturity stage, and prioritized findings. Start here for any domain-related question.",
     schema: ScanDomainArgs,
     group: "meta",
     scanIncluded: false
@@ -10064,13 +11533,13 @@ var TOOL_DEFS = {
     scanIncluded: false
   },
   resolve_spf_chain: {
-    description: "Recursively resolve the full SPF include chain. Shows lookup count, tree depth, and flags issues like circular includes or exceeding the 10-lookup limit.",
+    description: "Trace the full SPF include chain for a domain. Recursively resolves all includes, shows lookup count, tree depth, and flags circular includes or exceeding the 10-lookup limit.",
     schema: BaseDomainArgs,
     group: "intelligence",
     scanIncluded: false
   },
   discover_subdomains: {
-    description: "Discover subdomains via Certificate Transparency logs. Reveals shadow IT, forgotten services, and unauthorized certificate issuance.",
+    description: "Find subdomains of a domain using Certificate Transparency logs. Reveals shadow IT, forgotten services, and unauthorized certificate issuance.",
     schema: BaseDomainArgs,
     group: "intelligence",
     scanIncluded: false
@@ -10086,6 +11555,48 @@ var TOOL_DEFS = {
     schema: BaseDomainArgs,
     group: "intelligence",
     scanIncluded: false
+  },
+  check_dbl: {
+    description: "Check domain reputation against DNS-based Domain Block Lists (Spamhaus DBL, URIBL, SURBL). Returns listing status with decoded return codes.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  check_rbl: {
+    description: "Check MX server IP reputation against 8 DNS-based Real-time Blocklists (Spamhaus ZEN, SpamCop, UCEProtect, Mailspike, Barracuda, PSBL, SORBS). Resolves MX hosts to IPs first.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  cymru_asn: {
+    description: "Map domain IPs to Autonomous System Numbers via Team Cymru DNS. Returns ASN, prefix, country, registry, and organization for each IP. Flags high-risk hosting ASNs.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  rdap_lookup: {
+    description: "Fetch domain registration data via RDAP (modern WHOIS replacement). Returns registrar, creation/expiration dates, EPP status, registrant info, and domain age.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  check_nsec_walkability: {
+    description: "Assess zone walkability risk by analyzing NSEC3PARAM configuration. Detects plain NSEC zones, weak NSEC3 parameters, and opt-out flags.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  check_dnssec_chain: {
+    description: "Walk the DNSSEC chain of trust from root to target domain. Reports DS/DNSKEY records, algorithm usage, and linkage status at each zone level.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  check_fast_flux: {
+    description: "Detect fast-flux DNS behavior by performing multiple rounds of A/AAAA queries with delays. Compares IP answer sets and TTLs across rounds to identify rotating infrastructure.",
+    schema: CheckFastFluxArgs,
+    group: "intelligence",
+    scanIncluded: false
   }
 };
 var TOOLS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
@@ -10148,9 +11659,16 @@ var TOOL_REGISTRY = {
   check_mx_reputation: { cacheKey: () => "mx_reputation", execute: (d, _args, ro) => checkMxReputation(d, buildDnsOptions(ro)), cacheTtlSeconds: 3600 },
   check_srv: { cacheKey: () => "srv", execute: (d, _args, ro) => checkSrv(d, buildDnsOptions(ro)) },
   check_zone_hygiene: { cacheKey: () => "zone_hygiene", execute: (d, _args, ro) => checkZoneHygiene(d, buildDnsOptions(ro)) },
-  check_subdomailing: { cacheKey: () => "subdomailing", execute: (d, _args, ro) => checkSubdomailing(d, buildDnsOptions(ro)) }
+  check_subdomailing: { cacheKey: () => "subdomailing", execute: (d, _args, ro) => checkSubdomailing(d, buildDnsOptions(ro)) },
+  check_dbl: { cacheKey: () => "dbl", execute: (d, _args, ro) => checkDbl(d, buildDnsOptions(ro)), cacheTtlSeconds: 3600 },
+  check_rbl: { cacheKey: () => "rbl", execute: (d, _args, ro) => checkRbl(d, buildDnsOptions(ro)), cacheTtlSeconds: 3600 },
+  cymru_asn: { cacheKey: () => "asn", execute: (d, _args, ro) => checkCymruAsn(d, buildDnsOptions(ro)), cacheTtlSeconds: 3600 },
+  rdap_lookup: { cacheKey: () => "rdap", execute: (d) => checkRdapLookup(d), cacheTtlSeconds: 3600 },
+  check_nsec_walkability: { cacheKey: () => "nsec_walkability", execute: (d, _args, ro) => checkNsecWalkability(d, buildDnsOptions(ro)), cacheTtlSeconds: 3600 },
+  check_dnssec_chain: { cacheKey: () => "dnssec_chain", execute: (d, _args, ro) => checkDnssecChain(d, buildDnsOptions(ro)) },
+  check_fast_flux: { cacheKey: () => "fast_flux", execute: (d, args, ro) => checkFastFlux(d, args.rounds ?? 3, buildDnsOptions(ro)) }
 };
-var INTERACTIVE_CLIENTS = /* @__PURE__ */ new Set(["claude_code", "cursor", "vscode", "claude_desktop", "windsurf"]);
+var INTERACTIVE_CLIENTS = /* @__PURE__ */ new Set(["claude_mobile", "claude_code", "cursor", "vscode", "claude_desktop", "windsurf"]);
 function isInteractiveClient(clientType) {
   return INTERACTIVE_CLIENTS.has(clientType ?? "");
 }
@@ -10162,19 +11680,13 @@ function resolveFormat(args, clientType) {
 function buildToolErrorResult(message) {
   return { content: [mcpError(message)], isError: true };
 }
-function handleExplainFindingValidationError(args, durationMs, runtimeOptions) {
+function handleExplainFindingValidationError(args, startTime, runtimeOptions) {
   const error2 = new Error("Missing required parameters: checkType and status");
   logToolFailure({
-    toolName: "explain_finding",
-    durationMs,
-    analytics: runtimeOptions?.analytics,
+    ...buildLogContext("explain_finding", startTime, void 0, runtimeOptions),
     error: error2,
     args,
-    severity: "warn",
-    country: runtimeOptions?.country,
-    clientType: runtimeOptions?.clientType,
-    authTier: runtimeOptions?.authTier,
-    keyHash: runtimeOptions?.keyHash
+    severity: "warn"
   });
   return buildToolErrorResult(error2.message);
 }
@@ -10183,6 +11695,7 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
   const name = normalizeToolName(params.name);
   const args = params.arguments ?? {};
   const startTime = Date.now();
+  const ctx = () => buildLogContext(name, startTime, domain, runtimeOptions);
   let domain;
   let logResult = "unknown";
   let logDetails;
@@ -10201,27 +11714,17 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
         const checkName = registeredTool.cacheKey(validatedArgs);
         const cacheKey = `cache:${validDomain}:check:${checkName}`;
         const { data: result, cacheStatus } = await runWithCacheTracked(cacheKey, () => registeredTool.execute(validDomain, validatedArgs, runtimeOptions), scanCacheKV, registeredTool.cacheTtlSeconds);
-        if (result.partial && scanCacheKV) {
-          try {
-            await scanCacheKV.delete(cacheKey);
-          } catch {
-          }
+        if (result.partial) {
+          await cacheDelete(cacheKey, scanCacheKV);
         }
         runtimeOptions?.resultCapture?.(result);
         logResult = result.passed ? "pass" : "fail";
         logDetails = result;
         logToolSuccess({
-          toolName: name,
-          durationMs: Date.now() - startTime,
-          domain,
-          analytics: runtimeOptions?.analytics,
+          ...ctx(),
           status: result.passed ? "pass" : "fail",
           logResult,
           logDetails,
-          country: runtimeOptions?.country,
-          clientType: runtimeOptions?.clientType,
-          authTier: runtimeOptions?.authTier,
-          keyHash: runtimeOptions?.keyHash,
           cacheStatus
         });
         return { content: buildToolContent(formatCheckResult(result, effectiveFormat), result, effectiveFormat) };
@@ -10234,20 +11737,7 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
           const result = await scanDomain(validDomain, scanCacheKV, scanOptions);
           logResult = result.score.grade;
           logDetails = result;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: result.score.overall >= 50 ? "pass" : "fail",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: result.score.overall >= 50 ? "pass" : "fail", logResult, logDetails, severity: "info" });
           const structured = buildStructuredScanResult(result);
           return { content: buildToolContent(formatScanReport(result, effectiveFormat), structured, effectiveFormat) };
         }
@@ -10268,19 +11758,7 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
             }
           });
           const batchText = formatBatchScan(batchResults, effectiveFormat);
-          logToolSuccess({
-            toolName: "batch_scan",
-            durationMs: Date.now() - startTime,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: `${batchResults.filter((r) => !r.error).length}/${batchResults.length} domains`,
-            logDetails: { totalDomains: batchResults.length },
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: `${batchResults.filter((r) => !r.error).length}/${batchResults.length} domains`, logDetails: { totalDomains: batchResults.length }, severity: "info" });
           return { content: buildToolContent(batchText, batchResults, effectiveFormat) };
         }
         case "compare_domains": {
@@ -10298,19 +11776,7 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
             }
           });
           const compareText = formatDomainComparison(compareResults, effectiveFormat);
-          logToolSuccess({
-            toolName: "compare_domains",
-            durationMs: Date.now() - startTime,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: `${Object.keys(compareResults.scores).length}/${compareResults.domains.length} domains compared`,
-            logDetails: { totalDomains: compareResults.domains.length, winner: compareResults.winner },
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: `${Object.keys(compareResults.scores).length}/${compareResults.domains.length} domains compared`, logDetails: { totalDomains: compareResults.domains.length, winner: compareResults.winner }, severity: "info" });
           return { content: buildToolContent(compareText, compareResults, effectiveFormat) };
         }
         case "compare_baseline": {
@@ -10319,135 +11785,45 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
           const result = compareBaseline(scan, baseline);
           logResult = result.passed ? "pass" : "fail";
           logDetails = result;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: result.passed ? "pass" : "fail",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: result.passed ? "pass" : "fail", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatBaselineResult(result, effectiveFormat), result, effectiveFormat) };
         }
         case "generate_fix_plan": {
           const plan = await generateFixPlan(validDomain, scanCacheKV, runtimeOptions);
           logResult = plan.grade;
           logDetails = plan;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatFixPlan(plan, effectiveFormat), plan, effectiveFormat) };
         }
         case "generate_spf_record": {
           const includeProviders = extractIncludeProviders(validatedArgs);
           const record = await generateSpfRecord(validDomain, includeProviders, buildDnsOptions(runtimeOptions));
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: "generated",
-            logDetails: record,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: "generated", logDetails: record, severity: "info" });
           return { content: buildToolContent(formatGeneratedRecord(record, effectiveFormat), record, effectiveFormat) };
         }
         case "generate_dmarc_record": {
           const policy = typeof validatedArgs.policy === "string" ? validatedArgs.policy : void 0;
           const ruaEmail = typeof validatedArgs.rua_email === "string" ? validatedArgs.rua_email : void 0;
           const record = await generateDmarcRecord(validDomain, policy, ruaEmail, buildDnsOptions(runtimeOptions));
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: "generated",
-            logDetails: record,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: "generated", logDetails: record, severity: "info" });
           return { content: buildToolContent(formatGeneratedRecord(record, effectiveFormat), record, effectiveFormat) };
         }
         case "generate_dkim_config": {
           const provider = typeof validatedArgs.provider === "string" ? validatedArgs.provider : void 0;
           const record = await generateDkimConfig(validDomain, provider);
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: "generated",
-            logDetails: record,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: "generated", logDetails: record, severity: "info" });
           return { content: buildToolContent(formatGeneratedRecord(record, effectiveFormat), record, effectiveFormat) };
         }
         case "generate_mta_sts_policy": {
           const mxHosts = extractMxHosts(validatedArgs);
           const record = await generateMtaStsPolicy(validDomain, mxHosts, buildDnsOptions(runtimeOptions));
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: "generated",
-            logDetails: record,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: "generated", logDetails: record, severity: "info" });
           return { content: buildToolContent(formatGeneratedRecord(record, effectiveFormat), record, effectiveFormat) };
         }
         case "get_benchmark": {
           const profile = typeof validatedArgs.profile === "string" ? validatedArgs.profile : "mail_enabled";
           const result = await getBenchmark(runtimeOptions?.profileAccumulator, profile);
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: result.status,
-            logDetails: result,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: result.status, logDetails: result, severity: "info" });
           return { content: buildToolContent(formatBenchmark(result, effectiveFormat), result, effectiveFormat) };
         }
         case "get_provider_insights": {
@@ -10457,39 +11833,14 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
           }
           const profile = typeof validatedArgs.profile === "string" ? validatedArgs.profile : "mail_enabled";
           const result = await getProviderInsights(runtimeOptions?.profileAccumulator, provider, profile);
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: result.status,
-            logDetails: result,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: result.status, logDetails: result, severity: "info" });
           return { content: buildToolContent(formatProviderInsights(result, effectiveFormat), result, effectiveFormat) };
         }
         case "assess_spoofability": {
           const result = await assessSpoofability(validDomain, buildDnsOptions(runtimeOptions));
           logResult = result.riskLevel;
           logDetails = result;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: result.spoofabilityScore <= 30 ? "pass" : "fail",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: result.spoofabilityScore <= 30 ? "pass" : "fail", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatSpoofability(result, effectiveFormat), result, effectiveFormat) };
         }
         case "check_resolver_consistency": {
@@ -10498,20 +11849,7 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
           runtimeOptions?.resultCapture?.(result);
           logResult = result.passed ? "pass" : "fail";
           logDetails = result;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: result.passed ? "pass" : "fail",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: result.passed ? "pass" : "fail", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatResolverConsistency(result, effectiveFormat), result, effectiveFormat) };
         }
         case "explain_finding": {
@@ -10519,23 +11857,11 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
           try {
             explainArgs = extractExplainFindingArgs(validatedArgs);
           } catch {
-            return handleExplainFindingValidationError(args, Date.now() - startTime, runtimeOptions);
+            return handleExplainFindingValidationError(args, startTime, runtimeOptions);
           }
           const { checkType, status, details } = explainArgs;
           const result = explainFinding(checkType, status, details);
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult: status,
-            logDetails: { checkType, details },
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult: status, logDetails: { checkType, details }, severity: "info" });
           return { content: buildToolContent(formatExplanation(result, effectiveFormat), result, effectiveFormat) };
         }
         case "validate_fix": {
@@ -10544,40 +11870,14 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
           const result = await validateFix(validDomain, check, expected, buildDnsOptions(runtimeOptions));
           logResult = result.verdict;
           logDetails = result;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: result.verdict === "fixed" ? "pass" : "fail",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: result.verdict === "fixed" ? "pass" : "fail", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatValidateFix(result, effectiveFormat), result, effectiveFormat) };
         }
         case "map_supply_chain": {
           const result = await mapSupplyChain(validDomain, buildDnsOptions(runtimeOptions));
           logResult = `${result.summary.totalProviders} providers`;
           logDetails = result;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatSupplyChain(result, effectiveFormat), result, effectiveFormat) };
         }
         case "generate_rollout_plan": {
@@ -10586,20 +11886,7 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
           const result = await generateRolloutPlan(validDomain, targetPolicy, timeline, buildDnsOptions(runtimeOptions));
           logResult = result.atTarget ? "at_target" : `${result.phases.length} phases`;
           logDetails = result;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatRolloutPlan(result, effectiveFormat), result, effectiveFormat) };
         }
         case "analyze_drift": {
@@ -10627,77 +11914,40 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
           const drift = computeDrift(validDomain, baselineScore, scanResult.score);
           logResult = drift.classification;
           logDetails = drift;
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: "pass",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: "pass", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatDriftReport(drift, effectiveFormat), drift, effectiveFormat) };
         }
         case "resolve_spf_chain": {
           const result = await resolveSpfChain(validDomain, buildDnsOptions(runtimeOptions));
           logResult = result.overLimit ? "over_limit" : "ok";
           logDetails = { totalLookups: result.totalLookups, maxDepth: result.maxDepth, issues: result.issues.length };
-          logToolSuccess({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            status: result.overLimit ? "fail" : "pass",
-            logResult,
-            logDetails,
-            severity: "info",
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
+          logToolSuccess({ ...ctx(), status: result.overLimit ? "fail" : "pass", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatSpfChain(result, effectiveFormat), result, effectiveFormat) };
         }
         case "discover_subdomains": {
           const result = await discoverSubdomains(validDomain, runtimeOptions?.certstream);
           logResult = `${result.totalSubdomains} subdomains`;
           logDetails = { totalSubdomains: result.totalSubdomains, issues: result.issues.length };
-          logToolSuccess({ toolName: name, durationMs: Date.now() - startTime, domain, analytics: runtimeOptions?.analytics, status: "pass", logResult, logDetails, severity: "info", country: runtimeOptions?.country, clientType: runtimeOptions?.clientType, authTier: runtimeOptions?.authTier });
+          logToolSuccess({ ...ctx(), status: "pass", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatSubdomainDiscovery(result, effectiveFormat), result, effectiveFormat) };
         }
         case "map_compliance": {
           const result = await mapCompliance(validDomain, scanCacheKV, runtimeOptions);
           logResult = "mapped";
           logDetails = result;
-          logToolSuccess({ toolName: name, durationMs: Date.now() - startTime, domain, analytics: runtimeOptions?.analytics, status: "pass", logResult, logDetails, severity: "info", country: runtimeOptions?.country, clientType: runtimeOptions?.clientType, authTier: runtimeOptions?.authTier });
+          logToolSuccess({ ...ctx(), status: "pass", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatCompliance(result, effectiveFormat), result, effectiveFormat) };
         }
         case "simulate_attack_paths": {
           const result = await simulateAttackPaths(validDomain, buildDnsOptions(runtimeOptions));
           logResult = `${result.totalPaths} paths, risk: ${result.overallRisk}`;
           logDetails = { totalPaths: result.totalPaths, overallRisk: result.overallRisk };
-          logToolSuccess({ toolName: name, durationMs: Date.now() - startTime, domain, analytics: runtimeOptions?.analytics, status: result.overallRisk === "low" ? "pass" : "fail", logResult, logDetails, severity: "info", country: runtimeOptions?.country, clientType: runtimeOptions?.clientType, authTier: runtimeOptions?.authTier });
+          logToolSuccess({ ...ctx(), status: result.overallRisk === "low" ? "pass" : "fail", logResult, logDetails, severity: "info" });
           return { content: buildToolContent(formatAttackPaths(result, effectiveFormat), result, effectiveFormat) };
         }
         default:
-          logToolFailure({
-            toolName: name,
-            durationMs: Date.now() - startTime,
-            domain,
-            analytics: runtimeOptions?.analytics,
-            error: `Unknown tool: ${name}`,
-            args,
-            country: runtimeOptions?.country,
-            clientType: runtimeOptions?.clientType,
-            authTier: runtimeOptions?.authTier,
-            keyHash: runtimeOptions?.keyHash
-          });
-          return buildToolErrorResult(`Unknown tool: ${name}. Call tools/list to see all 44 available tools.`);
+          logToolFailure({ ...ctx(), error: `Unknown tool: ${name}`, args });
+          return buildToolErrorResult(`Unknown tool: ${name}. Call tools/list to see all 51 available tools.`);
       }
     };
     return await Promise.race([
@@ -10706,36 +11956,14 @@ async function handleToolsCall(params, scanCacheKV, runtimeOptions) {
     ]);
   } catch (err) {
     if (err instanceof Error && err.message === "__tool_timeout__") {
-      logToolFailure({
-        toolName: name,
-        durationMs: Date.now() - startTime,
-        domain,
-        analytics: runtimeOptions?.analytics,
-        error: "Tool call timed out",
-        args,
-        country: runtimeOptions?.country,
-        clientType: runtimeOptions?.clientType,
-        authTier: runtimeOptions?.authTier,
-        keyHash: runtimeOptions?.keyHash
-      });
+      logToolFailure({ ...ctx(), error: "Tool call timed out", args });
       return {
         content: [mcpError(`${name} timed out after ${TOOL_CALL_TIMEOUT_MS / 1e3}s. Try a simpler check or retry \u2014 cached partial results make retries faster.`)],
         isError: true
       };
     }
     const message = sanitizeErrorMessage(err, `An unexpected error occurred while running ${name}. Retry the request \u2014 transient DNS failures are common.`);
-    logToolFailure({
-      toolName: name,
-      durationMs: Date.now() - startTime,
-      domain,
-      analytics: runtimeOptions?.analytics,
-      error: err,
-      args,
-      country: runtimeOptions?.country,
-      clientType: runtimeOptions?.clientType,
-      authTier: runtimeOptions?.authTier,
-      keyHash: runtimeOptions?.keyHash
-    });
+    logToolFailure({ ...ctx(), error: err, args });
     return buildToolErrorResult(message);
   }
 }
@@ -11239,7 +12467,7 @@ async function dispatchMcpMethod(options) {
           };
         }
       }
-      const sessionId = createSessionOnInitialize ? await createSession(options.sessionStore) : options.existingSessionId;
+      const sessionId = createSessionOnInitialize ? await createSession(options.sessionStore, options.analytics) : options.existingSessionId;
       if (createSessionOnInitialize && sessionId) {
         auditSessionCreated(options.ip, sessionId);
         options.analytics?.emitSessionEvent({
@@ -11852,7 +13080,7 @@ async function executeMcpRequest(options) {
 }
 
 // src/lib/server-version.ts
-var SERVER_VERSION = "2.6.2";
+var SERVER_VERSION = "2.9.2";
 
 // src/stdio.ts
 function buildNotInitializedError(id) {