npm - cipher-security - Versions diffs - 2.0.4 → 2.0.6 - Mend

cipher-security 2.0.4 → 2.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/bin/cipher.js +113 -18
package/lib/commands.js +1 -3
package/lib/gateway/commands.js +125 -50
package/lib/gateway/index.js +0 -2
package/lib/mcp/server.js +241 -14
package/lib/pipeline/index.js +3 -1
package/lib/pipeline/osint.js +488 -239
package/lib/pipeline/scanner.js +67 -3
package/package.json +1 -1

package/lib/pipeline/osint.js CHANGED Viewed

@@ -3,24 +3,68 @@
 // CIPHER is a trademark of defconxt.
 /**
- * CIPHER OSINT Pipeline — structured OSINT workflows.
+ * CIPHER OSINT Pipeline — comprehensive open-source intelligence.
  *
- * - Domain intelligence and WHOIS enrichment
- * - IP reputation and classification
- * - Document metadata extraction (EXIF, PDF)
- * - Investigation orchestration
+ * Integrates Bellingcat toolkit methodology with programmatic tool wrappers:
  *
- * Ported from pipeline/osint.py (322 LOC Python).
+ * Domain intelligence:
+ *   - DNS (A/AAAA/MX/NS/TXT/CNAME/SOA via dig or node:dns)
+ *   - WHOIS (registration, registrar, dates, name servers)
+ *   - Certificate Transparency (crt.sh subdomain discovery)
+ *   - Wayback Machine (archive snapshots)
+ *   - Web technology fingerprinting (headers + HTML analysis)
+ *   - URL reputation (urlscan.io when API key available)
+ *
+ * IP intelligence:
+ *   - Reverse DNS, classification (private/public/multicast/loopback)
+ *   - IP geolocation (ip-api.com — free, no key)
+ *   - Abuse contact lookup (via WHOIS)
+ *
+ * People/username:
+ *   - Sherlock (username → 400+ social platforms)
+ *   - Holehe (email → account existence on 120+ services)
+ *
+ * Document metadata:
+ *   - EXIF extraction (exiftool)
+ *   - PDF metadata (pdfinfo)
+ *
+ * Archive/history:
+ *   - Wayback Machine CDX API (snapshot history)
+ *   - archive.today availability check
+ *
+ * All external tool calls degrade gracefully when tools aren't installed.
+ * All network calls use configurable timeouts. No API keys required for
+ * core functionality — optional keys unlock deeper queries.
+ *
+ * @module pipeline/osint
  */
-import { execFileSync } from 'node:child_process';
+import { execFileSync, execSync } from 'node:child_process';
 import dns from 'node:dns';
 import net from 'node:net';
-import { promisify } from 'node:util';
+import { resolve, dirname } from 'node:path';
+import { existsSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
-const resolve4 = promisify(dns.resolve4);
-const resolve6 = promisify(dns.resolve6);
-const reversePromise = promisify(dns.reverse);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const HTTP_TIMEOUT = 15000;
+/**
+ * Find the Python venv path for OSINT tools (sherlock, holehe).
+ * Walks up from cli/lib/pipeline/ to find .venv/bin/.
+ * @returns {string|null}
+ */
+function findVenvBin() {
+  let dir = resolve(__dirname, '..', '..', '..');
+  for (let i = 0; i < 5; i++) {
+    const venvBin = resolve(dir, '.venv', 'bin');
+    if (existsSync(venvBin)) return venvBin;
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
 // ---------------------------------------------------------------------------
 // IP classification helper
@@ -28,53 +72,37 @@ const reversePromise = promisify(dns.reverse);
 /**
  * Check if an IP address is private (RFC 1918 / RFC 4193).
- *
- * IPv4: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
- * IPv6: ::1, fc00::/7, fe80::/10
- *
  * @param {string} ip
  * @returns {boolean}
  */
 function isPrivateIP(ip) {
   const version = net.isIP(ip);
   if (version === 0) return false;
   if (version === 4) {
     const parts = ip.split('.').map(Number);
-    if (parts[0] === 10) return true;                                    // 10.0.0.0/8
-    if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true; // 172.16.0.0/12
-    if (parts[0] === 192 && parts[1] === 168) return true;               // 192.168.0.0/16
-    if (parts[0] === 127) return true;                                    // 127.0.0.0/8
+    if (parts[0] === 10) return true;
+    if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true;
+    if (parts[0] === 192 && parts[1] === 168) return true;
+    if (parts[0] === 127) return true;
     return false;
   }
-  // IPv6
   const lower = ip.toLowerCase();
   if (lower === '::1') return true;
-  // Expand the first 16 bits for fc00::/7 and fe80::/10 checks
-  // fc00::/7 covers fc00:: - fdff::
-  // fe80::/10 covers fe80:: - febf::
-  const expanded = _expandIPv6Prefix(lower);
-  if (expanded !== null) {
-    if (expanded >= 0xfc00 && expanded <= 0xfdff) return true; // fc00::/7
-    if (expanded >= 0xfe80 && expanded <= 0xfebf) return true; // fe80::/10
-  }
+  const parts = lower.split(':');
+  if (!parts[0]) return false;
+  const val = parseInt(parts[0], 16);
+  if (isNaN(val)) return false;
+  if (val >= 0xfc00 && val <= 0xfdff) return true;
+  if (val >= 0xfe80 && val <= 0xfebf) return true;
   return false;
 }
-/**
- * Extract the first 16-bit group from an IPv6 address.
- * @param {string} ip lowercased IPv6 address
- * @returns {number|null}
- */
-function _expandIPv6Prefix(ip) {
-  // Handle :: expansion — we only need the first group
-  const parts = ip.split(':');
-  if (!parts[0]) return 0; // starts with :: (e.g. ::1)
-  const val = parseInt(parts[0], 16);
-  return isNaN(val) ? null : val;
+function _isMulticast(ip, version) {
+  if (version === 4) {
+    const first = parseInt(ip.split('.')[0], 10);
+    return first >= 224 && first <= 239;
+  }
+  return ip.toLowerCase().startsWith('ff');
 }
 // ---------------------------------------------------------------------------
@@ -82,15 +110,6 @@ function _expandIPv6Prefix(ip) {
 // ---------------------------------------------------------------------------
 class OSINTResult {
-  /**
-   * @param {object} opts
-   * @param {string} opts.source
-   * @param {string} opts.query
-   * @param {object} [opts.data={}]
-   * @param {string} [opts.confidence='medium'] high | medium | low
-   * @param {string} [opts.timestamp]
-   * @param {string} [opts.collectionMethod='passive'] passive | active
-   */
   constructor(opts) {
     this.source = opts.source;
     this.query = opts.query;
@@ -100,15 +119,8 @@ class OSINTResult {
     this.collectionMethod = opts.collectionMethod ?? 'passive';
   }
-  /** @type {boolean} Quick success check — true unless data contains an error. */
-  get success() {
-    return !this.data.error;
-  }
-  /** @type {string|null} Error message if present. */
-  get error() {
-    return this.data.error ?? null;
-  }
+  get success() { return !this.data.error; }
+  get error() { return this.data.error ?? null; }
   toDict() {
     return {
@@ -122,16 +134,47 @@ class OSINTResult {
   }
 }
+// ---------------------------------------------------------------------------
+// HTTP helper (uses global fetch, available in Node 18+)
+// ---------------------------------------------------------------------------
+async function fetchJSON(url, opts = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), opts.timeout || HTTP_TIMEOUT);
+  try {
+    const resp = await fetch(url, {
+      signal: controller.signal,
+      headers: opts.headers || {},
+    });
+    if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+    return await resp.json();
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function fetchText(url, opts = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), opts.timeout || HTTP_TIMEOUT);
+  try {
+    const resp = await fetch(url, {
+      signal: controller.signal,
+      headers: opts.headers || { 'User-Agent': 'CIPHER-OSINT/2.0' },
+    });
+    if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+    return await resp.text();
+  } finally {
+    clearTimeout(timer);
+  }
+}
 // ---------------------------------------------------------------------------
 // Domain Intelligence
 // ---------------------------------------------------------------------------
 class DomainIntelligence {
   /**
-   * Resolve DNS records for a domain (passive).
-   * Uses `dig` subprocess with `dns.resolve` fallback.
-   * @param {string} domain
-   * @returns {OSINTResult}
+   * DNS record lookup via dig with node:dns fallback.
    */
   static dnsLookup(domain) {
     const data = { domain, records: {} };
@@ -142,71 +185,37 @@ class DomainIntelligence {
       if (hasDig) {
         try {
           const out = execFileSync('dig', ['+short', domain, rtype], {
-            encoding: 'utf-8',
-            timeout: 10000,
-            stdio: ['pipe', 'pipe', 'pipe'],
+            encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'],
           });
-          const records = out
-            .split('\n')
-            .map((r) => r.trim())
-            .filter(Boolean);
-          if (records.length > 0) {
-            data.records[rtype] = records;
-          }
+          const records = out.split('\n').map(r => r.trim()).filter(Boolean);
+          if (records.length > 0) data.records[rtype] = records;
         } catch (err) {
-          // If dig doesn't exist (ENOENT), fall through to socket-based fallback
-          if (err.code === 'ENOENT') {
-            hasDig = false;
-            // Fall through to fallback below
-          } else {
-            continue; // timeout or other error — skip this record type
-          }
+          if (err.code === 'ENOENT') { hasDig = false; } else { continue; }
         }
       }
-      if (!hasDig) {
-        // Fallback: only A records via dns.resolve (sync not available, use socket)
-        if (rtype === 'A') {
-          try {
-            const { address } = dns.lookup
-              ? (() => {
-                  // Synchronous-ish: use execFileSync to call node
-                  const out = execFileSync(
-                    process.execPath,
-                    ['-e', `const dns=require('dns');dns.resolve4('${domain}',(e,a)=>console.log(JSON.stringify(a||[])))`],
-                    { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] },
-                  );
-                  const ips = JSON.parse(out.trim());
-                  if (ips.length > 0) data.records.A = ips;
-                  return {};
-                })()
-              : {};
-          } catch {
-            // Can't resolve — skip
-          }
-        }
-        break; // No dig = only A records
+      if (!hasDig && rtype === 'A') {
+        try {
+          const out = execFileSync(process.execPath,
+            ['-e', `const dns=require('dns');dns.resolve4('${domain}',(e,a)=>console.log(JSON.stringify(a||[])))`],
+            { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] });
+          const ips = JSON.parse(out.trim());
+          if (ips.length > 0) data.records.A = ips;
+        } catch { /* skip */ }
+        break;
       }
     }
     return new OSINTResult({ source: 'dns', query: domain, data, confidence: 'high' });
   }
   /**
-   * WHOIS lookup for domain registration info (passive).
-   * @param {string} domain
-   * @returns {OSINTResult}
+   * WHOIS registration lookup.
    */
   static whoisLookup(domain) {
     try {
       const out = execFileSync('whois', [domain], {
-        encoding: 'utf-8',
-        timeout: 15000,
-        stdio: ['pipe', 'pipe', 'pipe'],
+        encoding: 'utf-8', timeout: 15000, stdio: ['pipe', 'pipe', 'pipe'],
       });
       const data = { domain, raw_length: out.length };
       const patterns = {
         registrar: /Registrar:\s*(.+)/i,
         creation_date: /Creat(?:ion|ed) Date:\s*(.+)/i,
@@ -216,25 +225,155 @@ class DomainIntelligence {
         registrant_org: /Registrant Organi[sz]ation:\s*(.+)/i,
         registrant_country: /Registrant Country:\s*(.+)/i,
       };
       for (const [key, pattern] of Object.entries(patterns)) {
-        // Use matchAll for patterns with /g, exec for single match
         if (pattern.global) {
-          const matches = [...out.matchAll(pattern)].map((m) => m[1]);
+          const matches = [...out.matchAll(pattern)].map(m => m[1]);
           if (matches.length > 0) data[key] = matches.length > 1 ? matches : matches[0];
         } else {
           const m = pattern.exec(out);
           if (m) data[key] = m[1];
         }
       }
       return new OSINTResult({ source: 'whois', query: domain, data, confidence: 'high' });
     } catch (err) {
-      const errMsg = err.code === 'ENOENT' ? 'whois binary not found' : String(err.message || err);
       return new OSINTResult({
-        source: 'whois',
-        query: domain,
-        data: { error: errMsg },
+        source: 'whois', query: domain,
+        data: { error: err.code === 'ENOENT' ? 'whois binary not found' : err.message },
+        confidence: 'low',
+      });
+    }
+  }
+  /**
+   * Certificate Transparency search via crt.sh for subdomain discovery.
+   */
+  static async certTransparency(domain) {
+    try {
+      const data = await fetchJSON(`https://crt.sh/?q=%25.${encodeURIComponent(domain)}&output=json`, { timeout: 20000 });
+      const subdomains = [...new Set(
+        (data || [])
+          .flatMap(entry => (entry.name_value || '').split('\n'))
+          .map(name => name.trim().toLowerCase().replace(/^\*\./, ''))
+          .filter(name => name.endsWith(domain) && name !== domain)
+      )].sort();
+      return new OSINTResult({
+        source: 'cert_transparency', query: domain,
+        data: { domain, subdomains, count: subdomains.length },
+        confidence: 'high',
+      });
+    } catch (err) {
+      return new OSINTResult({
+        source: 'cert_transparency', query: domain,
+        data: { error: `crt.sh query failed: ${err.message}` },
+        confidence: 'low',
+      });
+    }
+  }
+  /**
+   * Wayback Machine snapshot history via CDX API.
+   */
+  static async waybackHistory(domain) {
+    try {
+      const url = `https://web.archive.org/cdx/search/cdx?url=${encodeURIComponent(domain)}&output=json&limit=20&fl=timestamp,original,statuscode,mimetype`;
+      const data = await fetchJSON(url, { timeout: 20000 });
+      if (!data || data.length < 2) {
+        return new OSINTResult({
+          source: 'wayback_machine', query: domain,
+          data: { domain, snapshots: [], count: 0, first_seen: null, last_seen: null },
+          confidence: 'medium',
+        });
+      }
+      // First row is headers, rest are data
+      const snapshots = data.slice(1).map(row => ({
+        timestamp: row[0],
+        url: row[1],
+        status: row[2],
+        mime: row[3],
+        archive_url: `https://web.archive.org/web/${row[0]}/${row[1]}`,
+      }));
+      return new OSINTResult({
+        source: 'wayback_machine', query: domain,
+        data: {
+          domain,
+          snapshots,
+          count: snapshots.length,
+          first_seen: snapshots[0]?.timestamp || null,
+          last_seen: snapshots[snapshots.length - 1]?.timestamp || null,
+        },
+        confidence: 'high',
+      });
+    } catch (err) {
+      return new OSINTResult({
+        source: 'wayback_machine', query: domain,
+        data: { error: `Wayback Machine query failed: ${err.message}` },
+        confidence: 'low',
+      });
+    }
+  }
+  /**
+   * Web technology fingerprinting via HTTP headers and HTML meta analysis.
+   */
+  static async webTechFingerprint(domain) {
+    try {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), HTTP_TIMEOUT);
+      const resp = await fetch(`https://${domain}`, {
+        signal: controller.signal,
+        redirect: 'follow',
+        headers: { 'User-Agent': 'CIPHER-OSINT/2.0' },
+      });
+      clearTimeout(timer);
+      const headers = Object.fromEntries(resp.headers.entries());
+      const html = await resp.text();
+      const techs = [];
+      // Server header
+      if (headers.server) techs.push({ name: headers.server, category: 'server', source: 'header' });
+      // X-Powered-By
+      if (headers['x-powered-by']) techs.push({ name: headers['x-powered-by'], category: 'framework', source: 'header' });
+      // CDN detection
+      if (headers['cf-ray']) techs.push({ name: 'Cloudflare', category: 'cdn', source: 'header' });
+      if (headers['x-amz-cf-id'] || headers['x-cache']) techs.push({ name: 'AWS CloudFront', category: 'cdn', source: 'header' });
+      if (headers['x-vercel-id']) techs.push({ name: 'Vercel', category: 'hosting', source: 'header' });
+      if (headers['x-netlify-request-id']) techs.push({ name: 'Netlify', category: 'hosting', source: 'header' });
+      // Security headers
+      const securityHeaders = {};
+      for (const h of ['strict-transport-security', 'content-security-policy', 'x-frame-options',
+                         'x-content-type-options', 'x-xss-protection', 'permissions-policy',
+                         'referrer-policy', 'cross-origin-opener-policy']) {
+        if (headers[h]) securityHeaders[h] = headers[h];
+      }
+      // HTML-based detection (limited, fast)
+      const htmlLower = html.slice(0, 50000).toLowerCase();
+      if (htmlLower.includes('wp-content') || htmlLower.includes('wordpress')) techs.push({ name: 'WordPress', category: 'cms', source: 'html' });
+      if (htmlLower.includes('drupal')) techs.push({ name: 'Drupal', category: 'cms', source: 'html' });
+      if (htmlLower.includes('joomla')) techs.push({ name: 'Joomla', category: 'cms', source: 'html' });
+      if (htmlLower.includes('shopify')) techs.push({ name: 'Shopify', category: 'ecommerce', source: 'html' });
+      if (htmlLower.includes('squarespace')) techs.push({ name: 'Squarespace', category: 'cms', source: 'html' });
+      if (htmlLower.includes('wix.com')) techs.push({ name: 'Wix', category: 'cms', source: 'html' });
+      if (htmlLower.includes('next/') || htmlLower.includes('__next')) techs.push({ name: 'Next.js', category: 'framework', source: 'html' });
+      if (htmlLower.includes('react')) techs.push({ name: 'React', category: 'framework', source: 'html' });
+      if (htmlLower.includes('vue')) techs.push({ name: 'Vue.js', category: 'framework', source: 'html' });
+      if (htmlLower.includes('angular')) techs.push({ name: 'Angular', category: 'framework', source: 'html' });
+      if (htmlLower.includes('bootstrap')) techs.push({ name: 'Bootstrap', category: 'css', source: 'html' });
+      if (htmlLower.includes('tailwind')) techs.push({ name: 'Tailwind CSS', category: 'css', source: 'html' });
+      if (htmlLower.includes('jquery')) techs.push({ name: 'jQuery', category: 'library', source: 'html' });
+      // Meta generator
+      const genMatch = html.match(/<meta[^>]+name=["']generator["'][^>]+content=["']([^"']+)["']/i);
+      if (genMatch) techs.push({ name: genMatch[1], category: 'generator', source: 'meta' });
+      return new OSINTResult({
+        source: 'web_tech', query: domain,
+        data: { domain, technologies: techs, security_headers: securityHeaders, status: resp.status, final_url: resp.url },
+        confidence: 'medium',
+      });
+    } catch (err) {
+      return new OSINTResult({
+        source: 'web_tech', query: domain,
+        data: { error: `Web tech scan failed: ${err.message}` },
         confidence: 'low',
       });
     }
@@ -246,153 +385,226 @@ class DomainIntelligence {
 // ---------------------------------------------------------------------------
 class IPIntelligence {
-  /**
-   * Reverse DNS lookup for an IP address.
-   * @param {string} ip
-   * @returns {OSINTResult}
-   */
   static reverseDns(ip) {
     try {
-      // Synchronous approach: use execFileSync with node subprocess
-      const out = execFileSync(
-        process.execPath,
+      const out = execFileSync(process.execPath,
         ['-e', `const dns=require('dns');dns.reverse('${ip}',(e,h)=>console.log(JSON.stringify(e?null:h[0])))`],
-        { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] },
-      );
+        { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] });
       const hostname = JSON.parse(out.trim());
       return new OSINTResult({
-        source: 'reverse_dns',
-        query: ip,
-        data: { ip, hostname },
-        confidence: hostname ? 'high' : 'low',
+        source: 'reverse_dns', query: ip,
+        data: { ip, hostname }, confidence: hostname ? 'high' : 'low',
       });
     } catch {
-      return new OSINTResult({
-        source: 'reverse_dns',
-        query: ip,
-        data: { ip, hostname: null },
-        confidence: 'low',
-      });
+      return new OSINTResult({ source: 'reverse_dns', query: ip, data: { ip, hostname: null }, confidence: 'low' });
     }
   }
-  /**
-   * Aggregate IP intelligence from available local tools.
-   * @param {string} ip
-   * @returns {OSINTResult}
-   */
   static ipInfo(ip) {
     const data = { ip };
     const version = net.isIP(ip);
     if (version === 0) {
-      data.error = 'Invalid IP address';
-      return new OSINTResult({ source: 'ip_info', query: ip, data, confidence: 'low' });
+      return new OSINTResult({ source: 'ip_info', query: ip, data: { error: 'Invalid IP address' }, confidence: 'low' });
     }
     data.version = version;
     data.is_private = isPrivateIP(ip);
     data.is_loopback = (version === 4 && ip.startsWith('127.')) || ip === '::1';
     data.is_multicast = _isMulticast(ip, version);
-    // Reverse DNS (best effort)
     try {
-      const out = execFileSync(
-        process.execPath,
+      const out = execFileSync(process.execPath,
         ['-e', `const dns=require('dns');dns.reverse('${ip}',(e,h)=>console.log(JSON.stringify(e?null:h?h[0]:null)))`],
-        { encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] },
-      );
+        { encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] });
       data.hostname = JSON.parse(out.trim());
-    } catch {
-      data.hostname = null;
-    }
+    } catch { data.hostname = null; }
     return new OSINTResult({ source: 'ip_info', query: ip, data, confidence: 'high' });
   }
+  /**
+   * IP geolocation via ip-api.com (free, no key, 45 req/min).
+   */
+  static async geolocate(ip) {
+    if (isPrivateIP(ip)) {
+      return new OSINTResult({ source: 'ip_geo', query: ip, data: { ip, note: 'Private IP — no geolocation' }, confidence: 'low' });
+    }
+    try {
+      const data = await fetchJSON(`http://ip-api.com/json/${encodeURIComponent(ip)}?fields=status,message,country,countryCode,region,regionName,city,zip,lat,lon,timezone,isp,org,as,asname,query`);
+      if (data.status === 'fail') {
+        return new OSINTResult({ source: 'ip_geo', query: ip, data: { error: data.message }, confidence: 'low' });
+      }
+      return new OSINTResult({ source: 'ip_geo', query: ip, data, confidence: 'high' });
+    } catch (err) {
+      return new OSINTResult({ source: 'ip_geo', query: ip, data: { error: `Geolocation failed: ${err.message}` }, confidence: 'low' });
+    }
+  }
 }
-/**
- * Check if IP is multicast.
- * IPv4: 224.0.0.0 - 239.255.255.255
- * IPv6: ff00::/8
- * @param {string} ip
- * @param {number} version
- * @returns {boolean}
- */
-function _isMulticast(ip, version) {
-  if (version === 4) {
-    const first = parseInt(ip.split('.')[0], 10);
-    return first >= 224 && first <= 239;
+// ---------------------------------------------------------------------------
+// Username/People Intelligence
+// ---------------------------------------------------------------------------
+class PeopleIntelligence {
+  /**
+   * Username search across 400+ platforms via Sherlock.
+   * Returns found accounts with URLs.
+   */
+  static usernameSearch(username) {
+    const venvBin = findVenvBin();
+    const sherlock = venvBin ? resolve(venvBin, 'sherlock') : 'sherlock';
+    try {
+      const out = execFileSync(sherlock, [username, '--print-found', '--timeout', '10', '--output', '/dev/null'], {
+        encoding: 'utf-8', timeout: 120000, stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      const accounts = [];
+      for (const line of out.split('\n')) {
+        // Sherlock output: [+] SiteName: URL
+        const match = line.match(/^\[\+\]\s+(.+?):\s+(https?:\/\/.+)/);
+        if (match) {
+          accounts.push({ platform: match[1].trim(), url: match[2].trim() });
+        }
+      }
+      return new OSINTResult({
+        source: 'sherlock', query: username,
+        data: { username, accounts, count: accounts.length },
+        confidence: 'high', collectionMethod: 'active',
+      });
+    } catch (err) {
+      const msg = err.code === 'ENOENT' ? 'sherlock not installed (pip install sherlock-project)' : err.message;
+      return new OSINTResult({
+        source: 'sherlock', query: username,
+        data: { error: msg }, confidence: 'low',
+      });
+    }
+  }
+  /**
+   * Email account existence check across 120+ services via Holehe.
+   */
+  static emailOsint(email) {
+    const venvBin = findVenvBin();
+    const holehe = venvBin ? resolve(venvBin, 'holehe') : 'holehe';
+    try {
+      const out = execFileSync(holehe, [email, '--no-color', '--only-used', '-NP'], {
+        encoding: 'utf-8', timeout: 120000, stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      const services = [];
+      for (const line of out.split('\n')) {
+        // Holehe output: [+] service.com (skip legend line)
+        const match = line.match(/^\[\+\]\s+(.+)/);
+        if (match && !match[1].includes('Email used') && !match[1].includes('Email not used')) {
+          services.push(match[1].trim());
+        }
+      }
+      return new OSINTResult({
+        source: 'holehe', query: email,
+        data: { email, services, count: services.length },
+        confidence: 'medium', collectionMethod: 'active',
+      });
+    } catch (err) {
+      const msg = err.code === 'ENOENT' ? 'holehe not installed (pip install holehe)' : err.message;
+      return new OSINTResult({
+        source: 'holehe', query: email,
+        data: { error: msg }, confidence: 'low',
+      });
+    }
   }
-  return ip.toLowerCase().startsWith('ff');
 }
 // ---------------------------------------------------------------------------
-// Document Metadata
+// Archive Intelligence
 // ---------------------------------------------------------------------------
-class DocumentMetadata {
+class ArchiveIntelligence {
+  /**
+   * Check if a URL has been archived on archive.today.
+   */
+  static async archiveTodayCheck(url) {
+    try {
+      const resp = await fetchText(`https://archive.ph/newest/${url}`, { timeout: 15000 });
+      const hasArchive = resp.includes('id="CONTENT"') || resp.includes('archived');
+      return new OSINTResult({
+        source: 'archive_today', query: url,
+        data: { url, archived: hasArchive, check_url: `https://archive.ph/newest/${url}` },
+        confidence: 'medium',
+      });
+    } catch (err) {
+      return new OSINTResult({
+        source: 'archive_today', query: url,
+        data: { error: `archive.today check failed: ${err.message}` },
+        confidence: 'low',
+      });
+    }
+  }
   /**
-   * Extract EXIF metadata from an image file.
-   * @param {string} filepath
-   * @returns {OSINTResult}
+   * Wayback Machine availability check for a specific URL.
    */
+  static async waybackCheck(url) {
+    try {
+      const data = await fetchJSON(`https://archive.org/wayback/available?url=${encodeURIComponent(url)}`);
+      const snapshot = data?.archived_snapshots?.closest;
+      return new OSINTResult({
+        source: 'wayback_check', query: url,
+        data: {
+          url,
+          available: !!snapshot,
+          closest_snapshot: snapshot ? { url: snapshot.url, timestamp: snapshot.timestamp, status: snapshot.status } : null,
+        },
+        confidence: snapshot ? 'high' : 'medium',
+      });
+    } catch (err) {
+      return new OSINTResult({
+        source: 'wayback_check', query: url,
+        data: { error: `Wayback check failed: ${err.message}` },
+        confidence: 'low',
+      });
+    }
+  }
+}
+// ---------------------------------------------------------------------------
+// Document Metadata
+// ---------------------------------------------------------------------------
+class DocumentMetadata {
   static extractExif(filepath) {
     try {
       const out = execFileSync('exiftool', ['-json', filepath], {
-        encoding: 'utf-8',
-        timeout: 15000,
-        stdio: ['pipe', 'pipe', 'pipe'],
+        encoding: 'utf-8', timeout: 15000, stdio: ['pipe', 'pipe', 'pipe'],
       });
       const metadata = JSON.parse(out);
       return new OSINTResult({
-        source: 'exif',
-        query: filepath,
+        source: 'exif', query: filepath,
         data: { metadata: Array.isArray(metadata) ? metadata[0] : metadata },
         confidence: 'high',
       });
     } catch (err) {
-      const errMsg = err.code === 'ENOENT' ? 'exiftool not found' : 'Failed to extract EXIF';
       return new OSINTResult({
-        source: 'exif',
-        query: filepath,
-        data: { error: errMsg },
+        source: 'exif', query: filepath,
+        data: { error: err.code === 'ENOENT' ? 'exiftool not found' : 'Failed to extract EXIF' },
         confidence: 'low',
       });
     }
   }
-  /**
-   * Extract metadata from a PDF file using pdfinfo.
-   * @param {string} filepath
-   * @returns {OSINTResult}
-   */
   static extractPdfMetadata(filepath) {
     try {
       const out = execFileSync('pdfinfo', [filepath], {
-        encoding: 'utf-8',
-        timeout: 15000,
-        stdio: ['pipe', 'pipe', 'pipe'],
+        encoding: 'utf-8', timeout: 15000, stdio: ['pipe', 'pipe', 'pipe'],
       });
       const data = {};
       for (const line of out.split('\n')) {
         const idx = line.indexOf(':');
-        if (idx >= 0) {
-          data[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
-        }
+        if (idx >= 0) data[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
       }
-      return new OSINTResult({
-        source: 'pdf_metadata',
-        query: filepath,
-        data,
-        confidence: 'high',
-      });
+      return new OSINTResult({ source: 'pdf_metadata', query: filepath, data, confidence: 'high' });
     } catch (err) {
-      const errMsg = err.code === 'ENOENT' ? 'pdfinfo not found' : 'Failed to extract PDF metadata';
       return new OSINTResult({
-        source: 'pdf_metadata',
-        query: filepath,
-        data: { error: errMsg },
+        source: 'pdf_metadata', query: filepath,
+        data: { error: err.code === 'ENOENT' ? 'pdfinfo not found' : 'Failed to extract PDF metadata' },
         confidence: 'low',
       });
     }
@@ -400,7 +612,7 @@ class DocumentMetadata {
 }
 // ---------------------------------------------------------------------------
-// OSINT Pipeline — orchestrator
+// OSINT Pipeline — comprehensive orchestrator
 // ---------------------------------------------------------------------------
 class OSINTPipeline {
@@ -409,20 +621,36 @@ class OSINTPipeline {
   }
   /**
-   * Run full domain investigation pipeline.
+   * Full domain investigation — DNS, WHOIS, cert transparency,
+   * Wayback Machine, web tech, and IP pivot with geolocation.
    * @param {string} domain
-   * @returns {OSINTResult[]}
+   * @returns {Promise<OSINTResult[]>}
    */
-  investigateDomain(domain) {
+  async investigateDomain(domain) {
     const results = [];
+    // Synchronous lookups
     results.push(DomainIntelligence.dnsLookup(domain));
     results.push(DomainIntelligence.whoisLookup(domain));
-    // Pivot: resolve IPs and investigate them
+    // Async lookups — run in parallel
+    const asyncResults = await Promise.allSettled([
+      DomainIntelligence.certTransparency(domain),
+      DomainIntelligence.waybackHistory(domain),
+      DomainIntelligence.webTechFingerprint(domain),
+    ]);
+    for (const r of asyncResults) {
+      if (r.status === 'fulfilled') results.push(r.value);
+    }
+    // IP pivot — resolve IPs and geolocate them
     const dnsResult = results[0];
     const aRecords = dnsResult.data?.records?.A ?? [];
-    for (const ip of aRecords.slice(0, 5)) {
+    for (const ip of aRecords.slice(0, 3)) {
       results.push(IPIntelligence.ipInfo(ip));
+      const geo = await IPIntelligence.geolocate(ip);
+      results.push(geo);
     }
     this._results.push(...results);
@@ -430,20 +658,57 @@ class OSINTPipeline {
   }
   /**
-   * Run IP investigation pipeline.
+   * Full IP investigation — info, reverse DNS, geolocation.
    * @param {string} ip
-   * @returns {OSINTResult[]}
+   * @returns {Promise<OSINTResult[]>}
    */
-  investigateIp(ip) {
+  async investigateIp(ip) {
     const results = [IPIntelligence.ipInfo(ip), IPIntelligence.reverseDns(ip)];
+    const geo = await IPIntelligence.geolocate(ip);
+    results.push(geo);
+    this._results.push(...results);
+    return results;
+  }
+  /**
+   * Username OSINT — search across 400+ platforms via Sherlock.
+   * @param {string} username
+   * @returns {OSINTResult[]}
+   */
+  investigateUsername(username) {
+    const results = [PeopleIntelligence.usernameSearch(username)];
+    this._results.push(...results);
+    return results;
+  }
+  /**
+   * Email OSINT — check account existence across 120+ services.
+   * @param {string} email
+   * @returns {OSINTResult[]}
+   */
+  investigateEmail(email) {
+    const results = [PeopleIntelligence.emailOsint(email)];
     this._results.push(...results);
     return results;
   }
   /**
-   * Extract metadata from a file.
-   * @param {string} filepath
-   * @returns {OSINTResult}
+   * URL archive investigation — Wayback Machine + archive.today.
+   * @param {string} url
+   * @returns {Promise<OSINTResult[]>}
+   */
+  async investigateUrl(url) {
+    const results = await Promise.allSettled([
+      ArchiveIntelligence.waybackCheck(url),
+      ArchiveIntelligence.archiveTodayCheck(url),
+    ]);
+    const settled = results.filter(r => r.status === 'fulfilled').map(r => r.value);
+    this._results.push(...settled);
+    return settled;
+  }
+  /**
+   * Extract metadata from a file (EXIF for images, pdfinfo for PDFs).
    */
   extractMetadata(filepath) {
     const result = filepath.toLowerCase().endsWith('.pdf')
@@ -453,18 +718,8 @@ class OSINTPipeline {
     return result;
   }
-  /**
-   * Return all investigation results.
-   * @returns {object[]}
-   */
-  getAllResults() {
-    return this._results.map((r) => r.toDict());
-  }
+  getAllResults() { return this._results.map(r => r.toDict()); }
-  /**
-   * Investigation summary statistics.
-   * @returns {object}
-   */
   summary() {
     const bySource = {};
     const byConfidence = {};
@@ -472,11 +727,7 @@ class OSINTPipeline {
       bySource[r.source] = (bySource[r.source] ?? 0) + 1;
       byConfidence[r.confidence] = (byConfidence[r.confidence] ?? 0) + 1;
     }
-    return {
-      total_results: this._results.length,
-      by_source: bySource,
-      by_confidence: byConfidence,
-    };
+    return { total_results: this._results.length, by_source: bySource, by_confidence: byConfidence };
   }
 }
@@ -485,14 +736,12 @@ class OSINTPipeline {
 // ---------------------------------------------------------------------------
 export {
-  // Helper
   isPrivateIP,
-  // Data class
   OSINTResult,
-  // Intelligence modules
   DomainIntelligence,
   IPIntelligence,
+  PeopleIntelligence,
+  ArchiveIntelligence,
   DocumentMetadata,
-  // Pipeline
   OSINTPipeline,
 };