npm - blackveil-dns - Versions diffs - 2.6.4 → 2.9.2 - Mend

blackveil-dns 2.6.4 → 2.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -1,9 +1,12 @@
 import { z } from 'zod';
-import { PROFILE_WEIGHTS, createFinding, buildCheckResult, detectDomainContext, getProfileWeights, computeScanScore, scoreToGrade } from '@blackveil/dns-checks/scoring';
+import { PROFILE_WEIGHTS, buildCheckResult, createFinding, detectDomainContext, getProfileWeights, computeScanScore, scoreToGrade } from '@blackveil/dns-checks/scoring';
 export { CATEGORY_DISPLAY_WEIGHTS, SEVERITY_PENALTIES, buildCheckResult, computeCategoryScore, computeScanScore, createFinding, detectDomainContext, getProfileWeights, inferFindingConfidence, scoreToGrade } from '@blackveil/dns-checks/scoring';
 import * as punycode from 'punycode/';
-import { checkBIMI, checkCAA, checkDKIM, checkDMARC, checkDNSSEC, checkMTASTS, checkMX, createFinding as createFinding$1, checkNS, checkSPF, checkSSL, checkSubdomainTakeover as checkSubdomainTakeover$1, checkTLSRPT, buildCheckResult as buildCheckResult$1, parseDmarcTags, checkHTTPSecurity, checkDANE, checkDANEHTTPS, checkSVCBHTTPS, checkSubdomailing as checkSubdomailing$1 } from '@blackveil/dns-checks';
+import { checkBIMI, checkCAA, checkDKIM, checkDMARC, checkDNSSEC, checkMTASTS, checkMX, createFinding as createFinding$1, checkNS, checkSPF, checkSSL, checkSubdomainTakeover as checkSubdomainTakeover$1, checkTLSRPT, buildCheckResult as buildCheckResult$1, checkSubdomailing as checkSubdomailing$1, checkSVCBHTTPS, checkDANEHTTPS, checkDANE, checkHTTPSecurity, parseDmarcTags } from '@blackveil/dns-checks';
 export { parseDmarcTags } from '@blackveil/dns-checks';
+import 'cloudflare:workers';
+import 'drizzle-orm';
+import 'drizzle-orm/durable-sqlite';
 // src/lib/dns-types.ts
 var RecordType = {
@@ -19,6 +22,7 @@ var RecordType = {
   DNSKEY: 48,
   DS: 43,
   RRSIG: 46,
+  NSEC3PARAM: 51,
   PTR: 12,
   SRV: 33,
   HTTPS: 65
@@ -170,7 +174,7 @@ function hasTypedAnswers(response, type) {
 function retryDelay(attempt) {
   return new Promise((r) => setTimeout(r, DNS_RETRY_BASE_DELAY_MS * (attempt + 1) + Math.random() * 50));
 }
-async function fetchDohResponse(url, timeoutMs, opts) {
+async function fetchDohOutcome(url, timeoutMs, opts) {
   try {
     const headers = { Accept: "application/dns-json" };
     if (opts?.token) headers["X-BV-Token"] = opts.token;
@@ -181,11 +185,25 @@ async function fetchDohResponse(url, timeoutMs, opts) {
       ...opts?.useEdgeCache ? { cf: { cacheTtl: DOH_EDGE_CACHE_TTL, cacheEverything: true } } : {}
     });
     const response = opts?.semaphore ? await opts.semaphore.run(doFetch) : await doFetch();
-    if (!response.ok) return null;
+    if (!response.ok) {
+      logError("DNS fetch non-2xx", {
+        severity: "warn",
+        category: "dns-transport",
+        details: { url: url.replace(/name=[^&]+/, "name=<domain>"), status: response.status }
+      });
+      return { kind: "error", reason: "http" };
+    }
     const data = await response.json();
     const parsed = DohResponseSchema.safeParse(data);
-    if (!parsed.success) return null;
-    return parsed.data;
+    if (!parsed.success) {
+      logError("DNS parse failure", {
+        severity: "warn",
+        category: "dns-transport",
+        details: { url: url.replace(/name=[^&]+/, "name=<domain>") }
+      });
+      return { kind: "error", reason: "parse" };
+    }
+    return { kind: "ok", response: parsed.data };
   } catch (err) {
     const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
     logError(isTimeout ? "DNS fetch timeout" : "DNS fetch failed", {
@@ -193,7 +211,7 @@ async function fetchDohResponse(url, timeoutMs, opts) {
       category: "dns-transport",
       details: { url: url.replace(/name=[^&]+/, "name=<domain>"), errorType: isTimeout ? "timeout" : "network" }
     });
-    return null;
+    return { kind: "error", reason: isTimeout ? "timeout" : "network" };
   }
 }
 var DnsQueryError = class extends Error {
@@ -264,43 +282,38 @@ async function queryDnsUncached(domain, type, dnssecCheck = false, opts) {
     }
     const data = validated.data;
     if (confirmWithSecondaryOnEmpty && !opts?.skipSecondaryConfirmation && !hasTypedAnswers(data, type)) {
-      const secondaryResult = await confirmWithSecondaryResolvers(domain, type, dnssecCheck, timeoutMs, sem, opts);
-      if (secondaryResult) return secondaryResult;
+      const secondaryOpts = opts?.secondaryDoh ? { secondaryDoh: { url: opts.secondaryDoh.endpoint, token: opts.secondaryDoh.token } } : void 0;
+      const secondaryResult = await confirmWithSecondaryResolvers(domain, type, dnssecCheck, timeoutMs, sem, secondaryOpts);
+      if ("kind" in secondaryResult && secondaryResult.kind === "unconfirmed") {
+        return data;
+      }
+      const confirmedResponse = secondaryResult;
+      return confirmedResponse;
     }
     return data;
   }
   throw new DnsQueryError("DNS query failed after retries", domain, type);
 }
 async function confirmWithSecondaryResolvers(domain, type, dnssecCheck, timeoutMs, sem, opts) {
-  const hasBvDns = !!opts?.secondaryDoh?.endpoint;
+  const bvDnsUrl = opts?.secondaryDoh ? buildDohUrl(opts.secondaryDoh.url, domain, type, dnssecCheck) : null;
   const googleUrl = buildDohUrl(GOOGLE_DOH_ENDPOINT, domain, type, dnssecCheck);
-  if (hasBvDns) {
-    const bvDnsUrl = buildDohUrl(opts.secondaryDoh.endpoint, domain, type, dnssecCheck);
-    const candidates = [
-      fetchDohResponse(bvDnsUrl, timeoutMs, { token: opts.secondaryDoh.token, semaphore: sem }),
-      fetchDohResponse(googleUrl, timeoutMs, { useEdgeCache: true, semaphore: sem })
-    ];
-    const results = await Promise.allSettled(candidates);
-    for (const r of results) {
-      if (r.status === "fulfilled" && r.value && hasTypedAnswers(r.value, type)) {
-        return r.value;
-      }
-    }
-    const allFailed = results.every((r) => r.status === "rejected" || !r.value);
-    if (allFailed) {
-      logError("All secondary DNS resolvers failed", {
-        severity: "warn",
-        category: "dns-transport",
-        details: { domain, type }
-      });
-    }
-    return null;
+  const candidates = [
+    bvDnsUrl ? fetchDohOutcome(bvDnsUrl, timeoutMs, { token: opts.secondaryDoh.token, semaphore: sem }) : Promise.resolve({ kind: "error", reason: "network" }),
+    fetchDohOutcome(googleUrl, timeoutMs, { useEdgeCache: true, semaphore: sem })
+  ];
+  const results = await Promise.allSettled(candidates);
+  for (const r of results) {
+    if (r.status === "fulfilled" && r.value.kind === "ok" && hasTypedAnswers(r.value.response, type)) return r.value.response;
   }
-  const google = await fetchDohResponse(googleUrl, timeoutMs, { useEdgeCache: true, semaphore: sem });
-  if (google && hasTypedAnswers(google, type)) {
-    return google;
+  for (const r of results) {
+    if (r.status === "fulfilled" && r.value.kind === "ok") return r.value.response;
   }
-  return null;
+  logError("All secondary resolvers failed", {
+    severity: "warn",
+    category: "dns-transport",
+    details: { type }
+  });
+  return { kind: "unconfirmed" };
 }
 // src/lib/dns-records.ts
@@ -371,6 +384,9 @@ async function queryMxRecords(domain, opts) {
     };
   });
 }
+// src/lib/adaptive-weights.ts
+var MATURITY_THRESHOLD = 200;
 var SCORING_NOTE_DELTA_THRESHOLD = 3;
 var CRITICAL_MAIL_CATEGORIES = /* @__PURE__ */ new Set(["dmarc", "spf", "dkim", "ssl"]);
 var CRITICAL_MAIL_PROFILES = /* @__PURE__ */ new Set(["mail_enabled", "enterprise_mail"]);
@@ -571,7 +587,7 @@ function sanitizeInput(input, maxLength = 500) {
 }
 // src/lib/server-version.ts
-var SERVER_VERSION = "2.6.4";
+var SERVER_VERSION = "2.9.2";
 var DomainSchema = z.string().min(1).max(253);
 z.string().regex(/^[0-9a-f]{64}$/);
 var DkimSelectorSchema = z.string().transform((s) => s.trim().toLowerCase()).pipe(z.string().max(63).regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/));
@@ -699,6 +715,11 @@ var GenerateRolloutPlanArgs = z.object({
   timeline: TimelineSchema.optional().describe("Rollout speed: aggressive, standard, conservative (default: standard)"),
   format: FormatSchema.optional().describe("Output verbosity. Auto-detected if omitted.")
 }).passthrough();
+var CheckFastFluxArgs = z.object({
+  domain: DomainSchema.describe("Domain to check (e.g., example.com)"),
+  rounds: z.number().int().min(3).max(5).optional().describe("Number of query rounds (3-5, default 3)."),
+  format: FormatSchema.optional().describe("Output verbosity. Auto-detected if omitted.")
+}).passthrough();
 var TOOL_SCHEMA_MAP = {
   check_mx: BaseDomainArgs,
   check_spf: BaseDomainArgs,
@@ -743,11 +764,18 @@ var TOOL_SCHEMA_MAP = {
   resolve_spf_chain: BaseDomainArgs,
   discover_subdomains: BaseDomainArgs,
   map_compliance: BaseDomainArgs,
-  simulate_attack_paths: BaseDomainArgs
+  simulate_attack_paths: BaseDomainArgs,
+  check_dbl: BaseDomainArgs,
+  check_rbl: BaseDomainArgs,
+  cymru_asn: BaseDomainArgs,
+  rdap_lookup: BaseDomainArgs,
+  check_nsec_walkability: BaseDomainArgs,
+  check_dnssec_chain: BaseDomainArgs,
+  check_fast_flux: CheckFastFluxArgs
 };
 // src/schemas/tool-definitions.ts
-var KNOWN_ACRONYMS = /* @__PURE__ */ new Set(["mx", "spf", "dmarc", "dkim", "dnssec", "ssl", "mta", "sts", "ns", "caa", "bimi", "tlsrpt", "http", "https", "dane", "svcb", "srv", "txt", "doh", "rpm"]);
+var KNOWN_ACRONYMS = /* @__PURE__ */ new Set(["mx", "spf", "dmarc", "dkim", "dnssec", "ssl", "mta", "sts", "ns", "caa", "bimi", "tlsrpt", "http", "https", "dane", "svcb", "srv", "txt", "doh", "rpm", "dbl", "rdap", "nsec"]);
 function toolNameToTitle(name) {
   return name.split("_").map((word) => KNOWN_ACRONYMS.has(word) ? word.toUpperCase() : word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
 }
@@ -1045,6 +1073,48 @@ var TOOL_DEFS = {
     schema: BaseDomainArgs,
     group: "intelligence",
     scanIncluded: false
+  },
+  check_dbl: {
+    description: "Check domain reputation against DNS-based Domain Block Lists (Spamhaus DBL, URIBL, SURBL). Returns listing status with decoded return codes.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  check_rbl: {
+    description: "Check MX server IP reputation against 8 DNS-based Real-time Blocklists (Spamhaus ZEN, SpamCop, UCEProtect, Mailspike, Barracuda, PSBL, SORBS). Resolves MX hosts to IPs first.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  cymru_asn: {
+    description: "Map domain IPs to Autonomous System Numbers via Team Cymru DNS. Returns ASN, prefix, country, registry, and organization for each IP. Flags high-risk hosting ASNs.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  rdap_lookup: {
+    description: "Fetch domain registration data via RDAP (modern WHOIS replacement). Returns registrar, creation/expiration dates, EPP status, registrant info, and domain age.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  check_nsec_walkability: {
+    description: "Assess zone walkability risk by analyzing NSEC3PARAM configuration. Detects plain NSEC zones, weak NSEC3 parameters, and opt-out flags.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  check_dnssec_chain: {
+    description: "Walk the DNSSEC chain of trust from root to target domain. Reports DS/DNSKEY records, algorithm usage, and linkage status at each zone level.",
+    schema: BaseDomainArgs,
+    group: "intelligence",
+    scanIncluded: false
+  },
+  check_fast_flux: {
+    description: "Detect fast-flux DNS behavior by performing multiple rounds of A/AAAA queries with delays. Compares IP answer sets and TTLs across rounds to identify rotating infrastructure.",
+    schema: CheckFastFluxArgs,
+    group: "intelligence",
+    scanIncluded: false
   }
 };
 var TOOLS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
@@ -1062,6 +1132,8 @@ var TOOLS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
   ...def.tier !== void 0 && { tier: def.tier },
   scanIncluded: def.scanIncluded
 }));
+// src/lib/dns-query-adapter.ts
 function makeQueryDNS(dnsOptions) {
   return async (domain, type) => {
     if (type === "TXT") {
@@ -1070,6 +1142,8 @@ function makeQueryDNS(dnsOptions) {
     return queryDnsRecords(domain, type, dnsOptions);
   };
 }
+// src/tools/check-bimi.ts
 async function checkBimi(domain, dnsOptions) {
   return checkBIMI(
     domain,
@@ -1077,18 +1151,10 @@ async function checkBimi(domain, dnsOptions) {
     { timeout: dnsOptions?.timeoutMs ?? 5e3, fetchFn: fetch }
   );
 }
-function makeQueryDNS2(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkCaa(domain, dnsOptions) {
   return checkCAA(
     domain,
-    makeQueryDNS2(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
@@ -1101,18 +1167,10 @@ var HIGH_CONFIDENCE_DKIM_PROVIDERS = /* @__PURE__ */ new Set([
   "microsoft 365"
 ]);
 var MEDIUM_CONFIDENCE_DKIM_PROVIDERS = /* @__PURE__ */ new Set(["proofpoint", "mimecast"]);
-function makeQueryDNS3(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkDkim(domain, selector, dnsOptions) {
   return checkDKIM(
     domain,
-    makeQueryDNS3(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3, selector }
   );
 }
@@ -1162,34 +1220,68 @@ function applyProviderDkimContext(dkimResult, provider) {
   }
   return buildCheckResult$1("dkim", newFindings);
 }
-function makeQueryDNS4(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkDmarc(domain, dnsOptions) {
   return checkDMARC(
     domain,
-    makeQueryDNS4(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
-function makeQueryDNS5(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
+var GOOGLE_DOH_ENDPOINT2 = "https://dns.google/resolve";
+var AD_CONFIRM_TIMEOUT_MS = 3e3;
+async function confirmAdWithGoogle(domain, timeoutMs = AD_CONFIRM_TIMEOUT_MS) {
+  try {
+    const url = `${GOOGLE_DOH_ENDPOINT2}?name=${encodeURIComponent(domain)}&type=A&cd=0`;
+    const resp = await fetch(url, {
+      method: "GET",
+      redirect: "manual",
+      headers: { Accept: "application/dns-json" },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    if (!resp.ok) return false;
+    const data = await resp.json();
+    return data.AD === true;
+  } catch {
+    return false;
+  }
+}
+async function augmentWithSource(domain, baseResult, dnsOptions) {
+  const [dnskeyResult, dsResult] = await Promise.allSettled([
+    queryDnsRecords(domain, "DNSKEY", dnsOptions),
+    queryDnsRecords(domain, "DS", dnsOptions)
+  ]);
+  const hasDnskey = dnskeyResult.status === "fulfilled" && dnskeyResult.value.length > 0;
+  const hasDs = dsResult.status === "fulfilled" && dsResult.value.length > 0;
+  const dnssecSource = hasDnskey && hasDs ? "domain_configured" : "tld_inherited";
+  if (dnssecSource === "tld_inherited") {
+    const inheritedFinding = createFinding(
+      "dnssec",
+      "DNSSEC inherited from TLD",
+      "info",
+      `DNSSEC validation passes but ${domain} does not have its own DNSKEY or DS records. DNSSEC protection is inherited from the TLD registry, not configured by the domain owner.`,
+      { dnssecSource: "tld_inherited" }
+    );
+    return buildCheckResult("dnssec", [...baseResult.findings, inheritedFinding]);
+  }
+  if (baseResult.findings.length > 0) {
+    const [first, ...rest] = baseResult.findings;
+    const tagged = { ...first, metadata: { ...first.metadata ?? {}, dnssecSource: "domain_configured" } };
+    return buildCheckResult("dnssec", [tagged, ...rest]);
+  }
+  const configuredFinding = createFinding(
+    "dnssec",
+    "DNSSEC configured by domain owner",
+    "info",
+    `${domain} has DNSKEY and DS records \u2014 DNSSEC is explicitly configured by the domain owner.`,
+    { dnssecSource: "domain_configured" }
+  );
+  return buildCheckResult("dnssec", [configuredFinding]);
 }
 async function checkDnssec2(domain, dnsOptions) {
   try {
     const baseResult = await checkDNSSEC(
       domain,
-      makeQueryDNS5(dnsOptions),
+      makeQueryDNS(dnsOptions),
       {
         timeout: dnsOptions?.timeoutMs ?? 5e3,
         rawQueryDNS: async (d, type, dnssecFlag) => {
@@ -1198,51 +1290,49 @@ async function checkDnssec2(domain, dnsOptions) {
         }
       }
     );
-    const dnssecAbsent = baseResult.findings.some((f) => f.title === "DNSSEC not enabled") || baseResult.findings.some((f) => f.title === "DNSSEC check failed") || baseResult.findings.some((f) => f.title === "DNSSEC chain of trust incomplete") || baseResult.findings.some((f) => f.title === "DNSSEC validation failing");
+    const isDnsTransportError = baseResult.findings.some((f) => f.title === "DNSSEC check failed");
+    if (isDnsTransportError) {
+      return { ...baseResult, checkStatus: "error" };
+    }
+    const dnssecAbsent = baseResult.findings.some((f) => f.title === "DNSSEC not enabled") || baseResult.findings.some((f) => f.title === "DNSSEC check failed") || baseResult.findings.some((f) => f.title === "DNSSEC chain of trust incomplete");
     if (dnssecAbsent) {
       return baseResult;
     }
-    const [dnskeyResult, dsResult] = await Promise.allSettled([
-      queryDnsRecords(domain, "DNSKEY", dnsOptions),
-      queryDnsRecords(domain, "DS", dnsOptions)
-    ]);
-    const hasDnskey = dnskeyResult.status === "fulfilled" && dnskeyResult.value.length > 0;
-    const hasDs = dsResult.status === "fulfilled" && dsResult.value.length > 0;
-    const dnssecSource = hasDnskey && hasDs ? "domain_configured" : "tld_inherited";
-    if (dnssecSource === "tld_inherited") {
-      const inheritedFinding = createFinding(
-        "dnssec",
-        "DNSSEC inherited from TLD",
-        "info",
-        `DNSSEC validation passes but ${domain} does not have its own DNSKEY or DS records. DNSSEC protection is inherited from the TLD registry, not configured by the domain owner.`,
-        { dnssecSource: "tld_inherited" }
-      );
-      return buildCheckResult("dnssec", [...baseResult.findings, inheritedFinding]);
-    }
-    if (baseResult.findings.length > 0) {
-      const [first, ...rest] = baseResult.findings;
-      const tagged = { ...first, metadata: { ...first.metadata ?? {}, dnssecSource: "domain_configured" } };
-      return buildCheckResult("dnssec", [tagged, ...rest]);
+    const validationFailing = baseResult.findings.some((f) => f.title === "DNSSEC validation failing");
+    if (validationFailing) {
+      const googleConfirmsAd = await confirmAdWithGoogle(domain, dnsOptions?.timeoutMs ?? AD_CONFIRM_TIMEOUT_MS);
+      if (googleConfirmsAd) {
+        const correctedResult = await checkDNSSEC(
+          domain,
+          makeQueryDNS(dnsOptions),
+          {
+            timeout: dnsOptions?.timeoutMs ?? 5e3,
+            rawQueryDNS: async (d, type, dnssecFlag) => {
+              const resp = await queryDns(d, type, dnssecFlag ?? false, dnsOptions);
+              return { AD: true, Answer: resp.Answer };
+            }
+          }
+        );
+        return augmentWithSource(domain, correctedResult, dnsOptions);
+      }
+      return baseResult;
     }
-    const configuredFinding = createFinding(
-      "dnssec",
-      "DNSSEC configured by domain owner",
-      "info",
-      `${domain} has DNSKEY and DS records \u2014 DNSSEC is explicitly configured by the domain owner.`,
-      { dnssecSource: "domain_configured" }
-    );
-    return buildCheckResult("dnssec", [configuredFinding]);
+    return augmentWithSource(domain, baseResult, dnsOptions);
   } catch (err) {
     if (err instanceof DnsQueryError) {
-      return buildCheckResult("dnssec", [
-        createFinding(
-          "dnssec",
-          "DNSSEC check could not complete",
-          "info",
-          `Unable to verify DNSSEC for ${domain} \u2014 DNS query failed: ${err.message}`,
-          { checkStatus: "error" }
-        )
-      ]);
+      const message = err.message;
+      return {
+        ...buildCheckResult("dnssec", [
+          createFinding(
+            "dnssec",
+            "DNSSEC check could not complete",
+            "info",
+            `DNS query failed (${message}). DNSSEC posture unknown.`,
+            { dnsError: message, checkStatus: "error" }
+          )
+        ]),
+        checkStatus: "error"
+      };
     }
     throw err;
   }
@@ -1621,18 +1711,10 @@ async function checkLookalikesCore(domain) {
   }
   return buildCheckResult("lookalikes", findings);
 }
-function makeQueryDNS6(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkMtaSts(domain, dnsOptions) {
   return checkMTASTS(
     domain,
-    makeQueryDNS6(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? HTTPS_TIMEOUT_MS, fetchFn: fetch }
   );
 }
@@ -1853,19 +1935,11 @@ function detectProviderMatchesBySelectors(selectors, signatures) {
 }
 // src/tools/check-mx.ts
-function makeQueryDNS7(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkMx(domain, options, dnsOptions) {
   const timeout = dnsOptions?.timeoutMs ?? 5e3;
   const baseResult = await checkMX(
     domain,
-    makeQueryDNS7(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout }
   );
   const hasCritical = baseResult.findings.some((f) => f.severity === "critical");
@@ -1874,6 +1948,7 @@ async function checkMx(domain, options, dnsOptions) {
     return baseResult;
   }
   const findings = [...baseResult.findings];
+  let providerDetectionFailed = false;
   try {
     const mxAnswers = await queryDnsRecords(domain, "MX", dnsOptions);
     const mxTargets = mxAnswers.map((answer) => {
@@ -1903,6 +1978,7 @@ async function checkMx(domain, options, dnsOptions) {
         );
       }
       if (providerSignatures.degraded) {
+        providerDetectionFailed = true;
         findings.push(
           createFinding$1(
             "mx",
@@ -1921,6 +1997,7 @@ async function checkMx(domain, options, dnsOptions) {
       }
     }
   } catch (err) {
+    providerDetectionFailed = true;
     logEvent({
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       severity: "warn",
@@ -1931,20 +2008,16 @@ async function checkMx(domain, options, dnsOptions) {
       details: { phase: "provider_detection" }
     });
   }
-  return { ...baseResult, findings };
-}
-function makeQueryDNS8(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
+  return {
+    ...baseResult,
+    findings,
+    ...providerDetectionFailed ? { metadata: { providerDetectionFailed: true } } : {}
   };
 }
 async function checkNs(domain, dnsOptions) {
   return checkNS(
     domain,
-    makeQueryDNS8(dnsOptions),
+    makeQueryDNS(dnsOptions),
     {
       timeout: dnsOptions?.timeoutMs ?? 5e3,
       rawQueryDNS: async (d, type, dnssecFlag) => {
@@ -1954,51 +2027,27 @@ async function checkNs(domain, dnsOptions) {
     }
   );
 }
-function makeQueryDNS9(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkSpf(domain, dnsOptions) {
   return checkSPF(
     domain,
-    makeQueryDNS9(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
 async function checkSsl(domain) {
   return checkSSL(domain, fetch, { timeout: HTTPS_TIMEOUT_MS });
 }
-function makeQueryDNS10(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkSubdomainTakeover(domain, dnsOptions) {
   return checkSubdomainTakeover$1(
     domain,
-    makeQueryDNS10(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? HTTPS_TIMEOUT_MS, fetchFn: fetch }
   );
 }
-function makeQueryDNS11(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkTlsrpt(domain, dnsOptions) {
   return checkTLSRPT(
     domain,
-    makeQueryDNS11(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
@@ -2440,6 +2489,59 @@ var EXPLANATIONS = {
     explanation: "An HTTPS/SVCB record is configured, advertising modern connection capabilities for this domain.",
     recommendation: "No action required. Consider adding ECH for enhanced privacy.",
     references: ["https://datatracker.ietf.org/doc/html/rfc9460"]
+  },
+  // --- Intelligence tools ---
+  DBL_LISTED: {
+    title: "Domain Listed on Blocklist",
+    severity: "high",
+    explanation: "The domain appears on one or more DNS-based Domain Block Lists (DBLs), indicating it has been flagged for spam, phishing, or malware distribution.",
+    impact: "Listed domains may have email deliverability issues and are often blocked by recipient mail servers.",
+    adverseConsequences: "Legitimate email from this domain may be silently dropped or quarantined.",
+    recommendation: "Investigate the listing reason. For Spamhaus DBL, check https://check.spamhaus.org/. Request delisting after resolving the underlying issue.",
+    references: ["https://www.spamhaus.org/dbl/", "https://uribl.com/", "https://www.surbl.org/"]
+  },
+  RBL_LISTED: {
+    title: "IP Listed on Real-time Blocklist",
+    severity: "high",
+    explanation: "One or more mail server IPs are listed on DNS-based Real-time Blocklists, indicating the IP has been flagged for sending spam or malicious traffic.",
+    impact: "Email from listed IPs is likely to be rejected or quarantined by recipient servers.",
+    adverseConsequences: "Significant email deliverability degradation. May require IP change or delisting process.",
+    recommendation: "Check Spamhaus at https://check.spamhaus.org/. For shared hosting, contact your provider. For dedicated IPs, resolve the abuse issue and request delisting.",
+    references: ["https://www.spamhaus.org/zen/", "https://www.spamcop.net/"]
+  },
+  ASN_HIGH_RISK: {
+    title: "High-Risk ASN Detected",
+    severity: "medium",
+    explanation: "The domain resolves to IP addresses in an Autonomous System commonly associated with abuse infrastructure (bulletproof hosting, botnets).",
+    recommendation: "Verify the hosting choice is intentional. High-risk ASNs are not inherently malicious but are statistically over-represented in abuse reports.",
+    references: ["https://www.team-cymru.com/ip-asn-mapping"]
+  },
+  FAST_FLUX_DETECTED: {
+    title: "Fast-Flux Behavior Detected",
+    severity: "high",
+    explanation: "The domain shows rapidly rotating IP addresses with very low TTLs, a technique commonly used by botnets and phishing operations to evade takedown.",
+    impact: "Fast-flux domains are a strong indicator of malicious infrastructure.",
+    adverseConsequences: "Associating with fast-flux infrastructure damages domain reputation and may trigger automated blocking.",
+    recommendation: "Investigate immediately. If this is a CDN or legitimate load balancer, TTLs are typically higher and rotation patterns are predictable.",
+    references: ["https://en.wikipedia.org/wiki/Fast_flux"]
+  },
+  DNSSEC_CHAIN_BROKEN: {
+    title: "DNSSEC Chain of Trust Broken",
+    severity: "high",
+    explanation: "The DNSSEC chain of trust has a gap \u2014 a DS record exists at the parent zone but the corresponding DNSKEY is missing or mismatched at the child zone.",
+    impact: "DNSSEC-validating resolvers will return SERVFAIL for this domain, causing complete resolution failure for security-conscious clients.",
+    adverseConsequences: "Domain may be unreachable for users behind DNSSEC-validating resolvers.",
+    recommendation: "Ensure the DS record at the parent matches a DNSKEY at the child zone. Use `delv +vtrace` for detailed chain debugging.",
+    references: ["https://datatracker.ietf.org/doc/html/rfc4033"]
+  },
+  NSEC_WALKABLE: {
+    title: "Zone Walkable (No NSEC3)",
+    severity: "high",
+    explanation: "The zone does not appear to use NSEC3, meaning it likely uses plain NSEC records which allow full zone enumeration (zone walking).",
+    impact: "Attackers can discover all hostnames in the zone without brute-forcing, exposing internal infrastructure.",
+    adverseConsequences: "Complete zone enumeration reveals the attack surface \u2014 internal hosts, staging environments, and service names.",
+    recommendation: "Deploy NSEC3 with at least algorithm 1 (SHA-1) and consider using salt. RFC 9276 recommends 0 iterations with no salt as the minimum.",
+    references: ["https://datatracker.ietf.org/doc/html/rfc5155", "https://datatracker.ietf.org/doc/html/rfc9276"]
   }
 };
 var DEFAULT_EXPLANATION = {
@@ -2516,6 +2618,26 @@ var CATEGORY_FALLBACK_IMPACT = {
   SVCB_HTTPS: {
     impact: "Modern transport capabilities (ALPN, ECH) cannot be advertised via DNS, reducing connection efficiency and privacy.",
     adverseConsequences: "Clients require additional round-trips to negotiate protocols, and ECH-based privacy is unavailable."
+  },
+  RBL: {
+    impact: "Mail server IPs are listed on one or more DNS blocklists, likely degrading email deliverability.",
+    adverseConsequences: "Outbound email may be silently dropped or quarantined by recipient servers."
+  },
+  DBL: {
+    impact: "Domain is flagged on DNS-based domain blocklists, indicating prior spam or abuse association.",
+    adverseConsequences: "Domain reputation is damaged. Email and web traffic may be blocked by security tools."
+  },
+  FAST_FLUX: {
+    impact: "DNS resolution shows fast-flux patterns \u2014 rapidly rotating IPs with low TTLs.",
+    adverseConsequences: "Strong indicator of botnet or phishing infrastructure. Domain reputation will be severely impacted."
+  },
+  DNSSEC_CHAIN: {
+    impact: "DNSSEC chain structure has gaps or uses weak algorithms, reducing trust in DNS responses.",
+    adverseConsequences: "DNSSEC-validating resolvers may fail to resolve the domain or accept spoofed responses."
+  },
+  NSEC_WALKABILITY: {
+    impact: "Zone denial-of-existence parameters allow enumeration of zone contents.",
+    adverseConsequences: "Attackers can map the full attack surface by walking the zone without brute-forcing."
   }
 };
 var SEVERITY_FALLBACK_IMPACT = {
@@ -2959,6 +3081,38 @@ async function pollForResult(key, kv) {
   }
   return void 0;
 }
+var SCANNER_USER_AGENT = "Mozilla/5.0 (compatible; BlackVeilDNSScanner/1.0; +https://blackveilsecurity.com)";
+var WAF_CHALLENGE_FINGERPRINTS = [
+  {
+    name: "cloudflare",
+    // cf-ray header is conclusive on its own; body title is a belt-and-suspenders signal
+    matchHeaders: (h) => !!(h.get("cf-ray") && (h.get("server") ?? "").toLowerCase().includes("cloudflare")),
+    matchBody: (body) => /just a moment/i.test(body)
+  },
+  {
+    name: "akamai",
+    matchHeaders: (h) => (h.get("server") ?? "").toLowerCase().includes("akamaighost")
+  }
+];
+function detectWafChallenge(headers, body) {
+  for (const fp of WAF_CHALLENGE_FINGERPRINTS) {
+    if (!fp.matchHeaders(headers)) continue;
+    if (fp.matchBody && body !== void 0 && !fp.matchBody(body)) continue;
+    return fp.name;
+  }
+  return null;
+}
+var MERGE_HEADERS = [
+  "content-security-policy",
+  "x-frame-options",
+  "x-content-type-options",
+  "permissions-policy",
+  "referrer-policy",
+  "cross-origin-resource-policy",
+  "cross-origin-opener-policy",
+  "cross-origin-embedder-policy"
+];
+var MAX_REDIRECT_HOPS = 3;
 function detectCdnProvider(headers) {
   if (headers.get("cf-ray") || headers.get("server")?.toLowerCase().includes("cloudflare")) {
     return "Cloudflare";
@@ -2978,9 +3132,107 @@ function detectCdnProvider(headers) {
   }
   return null;
 }
+async function fetchWithRedirects(url, timeoutMs) {
+  let response = await fetch(url, {
+    method: "HEAD",
+    redirect: "manual",
+    headers: { "User-Agent": SCANNER_USER_AGENT },
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  for (let hop = 0; hop < MAX_REDIRECT_HOPS; hop++) {
+    const status = response.status;
+    const isRedirect = status >= 300 && status < 400 || response.type === "opaqueredirect" || status === 0 && response.headers.get("location");
+    if (!isRedirect) break;
+    const location = response.headers.get("location");
+    if (!location) break;
+    let nextUrl;
+    try {
+      nextUrl = new URL(location, response.url || void 0).href;
+    } catch {
+      break;
+    }
+    if (!nextUrl.startsWith("https://")) break;
+    try {
+      response = await fetch(nextUrl, {
+        method: "HEAD",
+        redirect: "manual",
+        headers: { "User-Agent": SCANNER_USER_AGENT },
+        signal: AbortSignal.timeout(timeoutMs)
+      });
+    } catch {
+      break;
+    }
+  }
+  return response;
+}
+function mergeSecurityHeaders(a, b) {
+  const merged = new Headers();
+  a.forEach((value, key) => merged.set(key, value));
+  for (const header of MERGE_HEADERS) {
+    if (!merged.has(header) && b.has(header)) {
+      merged.set(header, b.get(header));
+    }
+  }
+  b.forEach((value, key) => {
+    if (!merged.has(key)) merged.set(key, value);
+  });
+  return merged;
+}
+async function dualFetchHeaders(domain, timeoutMs) {
+  const url = `https://${domain}`;
+  const results = await Promise.allSettled([fetchWithRedirects(url, timeoutMs), fetchWithRedirects(url, timeoutMs)]);
+  const responses = results.filter((r) => r.status === "fulfilled").map((r) => r.value);
+  if (responses.length === 0) return null;
+  const usable = responses.filter((r) => r.ok || r.status >= 300 && r.status < 400);
+  if (usable.length === 0) return null;
+  if (usable.length === 1) {
+    return { headers: usable[0].headers, ok: usable[0].ok, status: usable[0].status };
+  }
+  const merged = mergeSecurityHeaders(usable[0].headers, usable[1].headers);
+  const primary = usable[0].ok ? usable[0] : usable[1].ok ? usable[1] : usable[0];
+  return { headers: merged, ok: primary.ok, status: primary.status };
+}
+async function fetchBodyForWafDetection(url, timeoutMs) {
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      redirect: "manual",
+      headers: { "User-Agent": SCANNER_USER_AGENT },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    return await response.text();
+  } catch {
+    return "";
+  }
+}
 async function checkHttpSecurity(domain) {
+  const dualResult = await dualFetchHeaders(domain, HTTPS_TIMEOUT_MS);
+  if (dualResult) {
+    const headersForWaf = dualResult.headers;
+    const needsBody = WAF_CHALLENGE_FINGERPRINTS.some((fp) => fp.matchHeaders(headersForWaf) && fp.matchBody);
+    const body = needsBody ? await fetchBodyForWafDetection(`https://${domain}`, HTTPS_TIMEOUT_MS) : void 0;
+    const wafName = detectWafChallenge(headersForWaf, body);
+    if (wafName) {
+      const finding = createFinding(
+        "http_security",
+        `${wafName.charAt(0).toUpperCase() + wafName.slice(1)} WAF challenge intercepted`,
+        "info",
+        `The fetched response appears to be a WAF/CDN challenge page, not the real site. Header analysis is inconclusive.`,
+        { wafChallenge: wafName, inconclusive: true }
+      );
+      const base = buildCheckResult("http_security", [finding]);
+      return { ...base, score: 0, passed: false, checkStatus: "error" };
+    }
+  }
   let capturedHeaders = null;
   const capturingFetch = async (input, init) => {
+    if (dualResult) {
+      capturedHeaders = dualResult.headers;
+      return new Response(null, {
+        status: dualResult.status,
+        headers: dualResult.headers
+      });
+    }
     const response = await fetch(input, init);
     capturedHeaders = response.headers;
     return response;
@@ -3000,18 +3252,10 @@ async function checkHttpSecurity(domain) {
   );
   return { ...result, findings: [...result.findings, cdnFinding] };
 }
-function makeQueryDNS12(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkDane(domain, dnsOptions) {
   return checkDANE(
     domain,
-    makeQueryDNS12(dnsOptions),
+    makeQueryDNS(dnsOptions),
     {
       timeout: dnsOptions?.timeoutMs ?? 5e3,
       rawQueryDNS: async (d, type, dnssecFlag) => {
@@ -3021,18 +3265,10 @@ async function checkDane(domain, dnsOptions) {
     }
   );
 }
-function makeQueryDNS13(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkDaneHttps(domain, dnsOptions) {
   return checkDANEHTTPS(
     domain,
-    makeQueryDNS13(dnsOptions),
+    makeQueryDNS(dnsOptions),
     {
       timeout: dnsOptions?.timeoutMs ?? 5e3,
       rawQueryDNS: async (d, type, dnssecFlag) => {
@@ -3042,33 +3278,17 @@ async function checkDaneHttps(domain, dnsOptions) {
     }
   );
 }
-function makeQueryDNS14(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkSvcbHttps(domain, dnsOptions) {
   return checkSVCBHTTPS(
     domain,
-    makeQueryDNS14(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
-function makeQueryDNS15(dnsOptions) {
-  return async (domain, type) => {
-    if (type === "TXT") {
-      return queryTxtRecords(domain, dnsOptions);
-    }
-    return queryDnsRecords(domain, type, dnsOptions);
-  };
-}
 async function checkSubdomailing(domain, dnsOptions) {
   return checkSubdomailing$1(
     domain,
-    makeQueryDNS15(dnsOptions),
+    makeQueryDNS(dnsOptions),
     { timeout: dnsOptions?.timeoutMs ?? 5e3 }
   );
 }
@@ -3133,6 +3353,11 @@ function upsertCheckResult(results, updated) {
   return results.map((result) => result.category === updated.category ? updated : result);
 }
 async function addOutboundProviderInference(results, runtimeOptions) {
+  const mxResult = results.find((result) => result.category === "mx");
+  const providerDetectionFailed = Boolean(
+    mxResult?.metadata?.providerDetectionFailed
+  );
+  if (providerDetectionFailed) return results;
   const spfResult = results.find((result) => result.category === "spf");
   const dkimResult = results.find((result) => result.category === "dkim");
   const signalDomains = extractSpfSignalDomains(spfResult);
@@ -3268,6 +3493,31 @@ function adjustForNoSendDomain(results) {
     return buildCheckResult(result.category, adjusted);
   });
 }
+var ADAPTIVE_WEIGHT_KV_TTL_SECONDS = 60;
+function awKey(profile, provider) {
+  return `aw:${profile}:${provider}`;
+}
+async function publishAdaptiveWeightSummary(profile, provider, weights, kv) {
+  try {
+    await kv.put(awKey(profile, provider), JSON.stringify(weights), {
+      expirationTtl: ADAPTIVE_WEIGHT_KV_TTL_SECONDS
+    });
+  } catch {
+    logError("[profile-accumulator] KV publish failed", {
+      severity: "warn",
+      category: "profile-accumulator"
+    });
+  }
+}
+async function getAdaptiveWeights(profile, provider, kv) {
+  try {
+    const raw = await kv.get(awKey(profile, provider));
+    if (!raw) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
 // src/tools/scan/maturity-staging.ts
 function capMaturityStage(maturity, score) {
@@ -3548,11 +3798,86 @@ function formatScanReport(result, format = "full") {
 var CACHE_PREFIX = "cache:";
 var PER_CHECK_TIMEOUT_MS = 8e3;
 var SCAN_TIMEOUT_MS = 12e3;
+var RETRY_BUDGET_MS = 3e3;
+var MAX_RETRIES_PER_SCAN = 3;
+var RETRY_TIMEOUT_MS = 2500;
 var adaptiveWeightCache = /* @__PURE__ */ new Map();
 var ADAPTIVE_CACHE_TTL_MS = 6e4;
 var ADAPTIVE_CACHE_MAX_ENTRIES = 100;
 var ADAPTIVE_FETCH_TIMEOUT_MS = 200;
+function shouldRetry(result) {
+  return result.checkStatus === "error" && result.score === 0;
+}
+async function runCheckRetry(category, domain, scanDns, runtimeOptions) {
+  const retryDns = { ...scanDns, queryCache: /* @__PURE__ */ new Map() };
+  const timeoutPromise = new Promise(
+    (_, reject) => setTimeout(() => reject(new Error("Retry timed out")), RETRY_TIMEOUT_MS)
+  );
+  let checkPromise;
+  switch (category) {
+    case "spf":
+      checkPromise = checkSpf(domain, retryDns);
+      break;
+    case "dmarc":
+      checkPromise = checkDmarc(domain, retryDns);
+      break;
+    case "dkim":
+      checkPromise = checkDkim(domain, void 0, retryDns);
+      break;
+    case "dnssec":
+      checkPromise = checkDnssec2(domain, retryDns);
+      break;
+    case "ssl":
+      checkPromise = checkSsl(domain);
+      break;
+    case "mta_sts":
+      checkPromise = checkMtaSts(domain, retryDns);
+      break;
+    case "ns":
+      checkPromise = checkNs(domain, retryDns);
+      break;
+    case "caa":
+      checkPromise = checkCaa(domain, retryDns);
+      break;
+    case "bimi":
+      checkPromise = checkBimi(domain, retryDns);
+      break;
+    case "tlsrpt":
+      checkPromise = checkTlsrpt(domain, retryDns);
+      break;
+    case "subdomain_takeover":
+      checkPromise = checkSubdomainTakeover(domain, retryDns);
+      break;
+    case "http_security":
+      checkPromise = checkHttpSecurity(domain);
+      break;
+    case "dane":
+      checkPromise = checkDane(domain, retryDns);
+      break;
+    case "dane_https":
+      checkPromise = checkDaneHttps(domain, retryDns);
+      break;
+    case "svcb_https":
+      checkPromise = checkSvcbHttps(domain, retryDns);
+      break;
+    case "subdomailing":
+      checkPromise = checkSubdomailing(domain, retryDns);
+      break;
+    case "mx":
+      checkPromise = checkMx(domain, {
+        providerSignaturesUrl: runtimeOptions?.providerSignaturesUrl,
+        providerSignaturesAllowedHosts: runtimeOptions?.providerSignaturesAllowedHosts,
+        providerSignaturesSha256: runtimeOptions?.providerSignaturesSha256
+      }, retryDns);
+      break;
+    default:
+      return { ...buildCheckResult(category, []), score: 0, passed: false, checkStatus: "error" };
+  }
+  return Promise.race([checkPromise, timeoutPromise]);
+}
 async function scanDomain(domain, kv, runtimeOptions) {
+  crypto.randomUUID();
+  const scanStartTime = Date.now();
   const explicitProfile = runtimeOptions?.profile;
   const isExplicit = explicitProfile && explicitProfile !== "auto";
   const cacheKey = isExplicit ? `${CACHE_PREFIX}${domain}:profile:${explicitProfile}` : `${CACHE_PREFIX}${domain}`;
@@ -3642,6 +3967,21 @@ async function scanDomain(domain, kv, runtimeOptions) {
       degradedStatuses.set(r.category, r.checkStatus);
     }
   }
+  if (!timedOut && Date.now() - scanStartTime < SCAN_TIMEOUT_MS - RETRY_BUDGET_MS) {
+    const retryable = checkResults.map((r, idx) => ({ r, idx })).filter(({ r }) => shouldRetry(r)).slice(0, MAX_RETRIES_PER_SCAN);
+    if (retryable.length > 0) {
+      const retrySettled = await Promise.allSettled(
+        retryable.map(({ r }) => runCheckRetry(r.category, domain, scanDns, runtimeOptions))
+      );
+      for (let i = 0; i < retryable.length; i++) {
+        const s = retrySettled[i];
+        if (s.status === "fulfilled" && s.value.checkStatus !== "error" && s.value.score > 0) {
+          checkResults[retryable[i].idx] = s.value;
+          degradedStatuses.delete(retryable[i].r.category);
+        }
+      }
+    }
+  }
   if (timedOut) {
     const completedCategories = new Set(checkResults.map((r) => r.category));
     for (const category of ALL_CHECK_CATEGORIES) {
@@ -3686,12 +4026,31 @@ async function scanDomain(domain, kv, runtimeOptions) {
     }
     const scoringContext = isExplicit ? domainContext : void 0;
     let adaptiveResponse = null;
-    if (runtimeOptions?.profileAccumulator) {
+    const adaptiveProvider = domainContext.detectedProvider ?? "";
+    if (kv && adaptiveProvider) {
+      const kvWeights = await getAdaptiveWeights(domainContext.profile, adaptiveProvider, kv);
+      if (kvWeights) {
+        adaptiveResponse = {
+          profile: domainContext.profile,
+          provider: adaptiveProvider,
+          sampleCount: MATURITY_THRESHOLD,
+          blendFactor: 1,
+          weights: kvWeights,
+          boundHits: []
+        };
+      }
+    }
+    if (!adaptiveResponse && runtimeOptions?.profileAccumulator) {
       adaptiveResponse = await fetchAdaptiveWeights(
         runtimeOptions.profileAccumulator,
         domainContext.profile,
         domainContext.detectedProvider
       );
+      if (adaptiveResponse && adaptiveProvider && kv && runtimeOptions.waitUntil) {
+        runtimeOptions.waitUntil(
+          publishAdaptiveWeightSummary(domainContext.profile, adaptiveProvider, adaptiveResponse.weights, kv)
+        );
+      }
     }
     if (adaptiveResponse?.boundHits.length) {
       domainContext.signals.push(`adaptive bound hits: ${adaptiveResponse.boundHits.join(", ")}`);