dns-security-mcp 0.1.0

package/dist/domain/index.js

@@ -0,0 +1,938 @@
+import { z } from "zod";
+import { text, json } from "../types/index.js";
+import { createResolver, shannonEntropy, reverseIp } from "../utils/dns-client.js";
+import { TTLCache } from "../utils/cache.js";
+import { RateLimiter } from "../utils/rate-limiter.js";
+import * as dns from "node:dns/promises";
+// ─── Constants ───
+const RDAP_BASE = "https://rdap.org/domain";
+const CRT_SH_BASE = "https://crt.sh";
+const FETCH_TIMEOUT = 10_000;
+// ─── Rate Limiter & Cache ───
+const rdapLimiter = new RateLimiter(500);
+const crtshLimiter = new RateLimiter(1000);
+const domainCache = new TTLCache(5 * 60 * 1000); // 5 min
+// ─── Parking Page Fingerprints ───
+const PARKING_KEYWORDS = [
+    "sedoparking",
+    "sedo.com",
+    "godaddy",
+    "parked domain",
+    "parkingcrew",
+    "bodis.com",
+    "above.com",
+    "hugedomains",
+    "dan.com",
+    "afternic",
+    "undeveloped",
+    "this domain is for sale",
+    "this website is for sale",
+    "buy this domain",
+    "domain parking",
+    "parked free",
+    "is parked",
+    "domain is available",
+    "domain may be for sale",
+    "registrar-servers",
+];
+// ─── Common English Bigrams (for DGA detection) ───
+const COMMON_BIGRAMS = new Set([
+    "th", "he", "in", "en", "nt", "re", "er", "an", "ti", "on",
+    "es", "st", "or", "te", "of", "ed", "is", "it", "al", "ar",
+    "nd", "to", "se", "at", "ha", "ou", "le", "ng", "co", "me",
+    "de", "hi", "ri", "ro", "ic", "ne", "ea", "ra", "ce", "li",
+]);
+const VOWELS = new Set(["a", "e", "i", "o", "u"]);
+// ─── Helpers ───
+async function rdapFetch(domain) {
+    await rdapLimiter.acquire();
+    const url = `${RDAP_BASE}/${encodeURIComponent(domain)}`;
+    const res = await fetch(url, {
+        signal: AbortSignal.timeout(FETCH_TIMEOUT),
+        headers: { Accept: "application/rdap+json, application/json" },
+    });
+    if (!res.ok)
+        throw new Error(`RDAP error: ${res.status} ${res.statusText}`);
+    return res.json();
+}
+function extractRdapEvents(data) {
+    const events = data.events ?? [];
+    return events.map((e) => ({
+        action: e.eventAction,
+        date: e.eventDate,
+    }));
+}
+function extractRdapRegistrar(data) {
+    const entities = data.entities ?? [];
+    for (const entity of entities) {
+        const roles = entity.roles ?? [];
+        if (roles.includes("registrar")) {
+            const vcardArray = entity.vcardArray ?? [];
+            if (Array.isArray(vcardArray) && vcardArray.length >= 2) {
+                const fields = vcardArray[1];
+                for (const field of fields) {
+                    if (Array.isArray(field) && field[0] === "fn") {
+                        return field[3];
+                    }
+                }
+            }
+            // Fallback to handle field
+            if (entity.handle)
+                return entity.handle;
+        }
+    }
+    return "Unknown";
+}
+function extractNameservers(data) {
+    const nameservers = data.nameservers ?? [];
+    return nameservers.map((ns) => ns.ldhName);
+}
+function extractStatusCodes(data) {
+    return data.status ?? [];
+}
+function daysBetween(a, b) {
+    return Math.floor((b.getTime() - a.getTime()) / (1000 * 60 * 60 * 24));
+}
+async function queryCrtSh(query) {
+    await crtshLimiter.acquire();
+    const url = `${CRT_SH_BASE}/?q=${encodeURIComponent(query)}&output=json`;
+    const res = await fetch(url, {
+        signal: AbortSignal.timeout(FETCH_TIMEOUT),
+        headers: { Accept: "application/json" },
+    });
+    if (!res.ok)
+        throw new Error(`crt.sh error: ${res.status} ${res.statusText}`);
+    const data = await res.json();
+    return data ?? [];
+}
+// ─── Tool 1: domain_whois ───
+const domainWhois = {
+    name: "domain_whois",
+    description: "Query RDAP (Registration Data Access Protocol) for domain WHOIS information. " +
+        "Returns registrar, registration dates, nameservers, and status codes.",
+    schema: {
+        domain: z.string().describe("The domain to look up (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        const cacheKey = `domain_whois:${domain}`;
+        const cached = domainCache.get(cacheKey);
+        if (cached)
+            return json(cached);
+        try {
+            const data = await rdapFetch(domain);
+            const events = extractRdapEvents(data);
+            const registrar = extractRdapRegistrar(data);
+            const nameservers = extractNameservers(data);
+            const statusCodes = extractStatusCodes(data);
+            const result = {
+                domain,
+                registrar,
+                nameservers,
+                status_codes: statusCodes,
+                events,
+                handle: data.handle ?? null,
+                ldhName: data.ldhName ?? domain,
+            };
+            domainCache.set(cacheKey, result);
+            return json(result);
+        }
+        catch (err) {
+            return text(`Error querying RDAP for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 2: domain_age ───
+const domainAge = {
+    name: "domain_age",
+    description: "Determine domain age via RDAP creation date. Classifies as suspicious (<30 days), " +
+        "young (<90 days), or established (>365 days).",
+    schema: {
+        domain: z.string().describe("The domain to check age for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        try {
+            const data = await rdapFetch(domain);
+            const events = extractRdapEvents(data);
+            const registration = events.find((e) => e.action === "registration");
+            if (!registration) {
+                return json({
+                    domain,
+                    error: "No registration date found in RDAP data",
+                    age_days: null,
+                    verdict: "unknown",
+                });
+            }
+            const creationDate = new Date(registration.date);
+            const now = new Date();
+            const ageDays = daysBetween(creationDate, now);
+            let verdict;
+            let risk;
+            if (ageDays < 30) {
+                verdict = "suspicious";
+                risk = "high";
+            }
+            else if (ageDays < 90) {
+                verdict = "young";
+                risk = "medium";
+            }
+            else if (ageDays < 365) {
+                verdict = "moderate";
+                risk = "low";
+            }
+            else {
+                verdict = "established";
+                risk = "minimal";
+            }
+            return json({
+                domain,
+                creation_date: registration.date,
+                age_days: ageDays,
+                age_human: ageDays >= 365
+                    ? `${Math.floor(ageDays / 365)} year(s), ${Math.floor((ageDays % 365) / 30)} month(s)`
+                    : ageDays >= 30
+                        ? `${Math.floor(ageDays / 30)} month(s), ${ageDays % 30} day(s)`
+                        : `${ageDays} day(s)`,
+                verdict,
+                risk,
+            });
+        }
+        catch (err) {
+            return text(`Error checking domain age for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 3: domain_history ───
+const domainHistory = {
+    name: "domain_history",
+    description: "Retrieve domain event history from RDAP. Returns timeline of registration, expiration, " +
+        "last changed, and transfer events.",
+    schema: {
+        domain: z.string().describe("The domain to get history for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        try {
+            const data = await rdapFetch(domain);
+            const events = extractRdapEvents(data);
+            const registrar = extractRdapRegistrar(data);
+            const statusCodes = extractStatusCodes(data);
+            // Sort events by date
+            const sortedEvents = events
+                .map((e) => ({
+                ...e,
+                timestamp: new Date(e.date).getTime(),
+            }))
+                .sort((a, b) => a.timestamp - b.timestamp);
+            const timeline = sortedEvents.map((e) => ({
+                action: e.action,
+                date: e.date,
+                description: getEventDescription(e.action),
+            }));
+            return json({
+                domain,
+                registrar,
+                current_status: statusCodes,
+                event_count: timeline.length,
+                timeline,
+            });
+        }
+        catch (err) {
+            return text(`Error getting domain history for ${domain}: ${err.message}`);
+        }
+    },
+};
+function getEventDescription(action) {
+    const descriptions = {
+        registration: "Domain was initially registered",
+        expiration: "Domain registration expiration date",
+        reregistration: "Domain was re-registered after expiration",
+        "last changed": "Domain record was last modified",
+        "last update of RDAP database": "RDAP database was last updated for this record",
+        transfer: "Domain was transferred to a new registrar",
+        locked: "Domain was locked by registrar",
+        unlocked: "Domain was unlocked by registrar",
+    };
+    return descriptions[action] ?? `Event: ${action}`;
+}
+// ─── Tool 4: domain_expiry_risk ───
+const domainExpiryRisk = {
+    name: "domain_expiry_risk",
+    description: "Assess domain expiry risk via RDAP. Checks expiration date and transfer lock status. " +
+        "Flags critical (<30 days), warning (<90 days), and missing transfer lock.",
+    schema: {
+        domain: z.string().describe("The domain to assess expiry risk for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        try {
+            const data = await rdapFetch(domain);
+            const events = extractRdapEvents(data);
+            const statusCodes = extractStatusCodes(data);
+            const expiration = events.find((e) => e.action === "expiration");
+            const flags = [];
+            let daysUntilExpiry = null;
+            let risk = "unknown";
+            if (expiration) {
+                const expiryDate = new Date(expiration.date);
+                const now = new Date();
+                daysUntilExpiry = daysBetween(now, expiryDate);
+                if (daysUntilExpiry < 0) {
+                    risk = "expired";
+                    flags.push(`CRITICAL: Domain expired ${Math.abs(daysUntilExpiry)} day(s) ago`);
+                }
+                else if (daysUntilExpiry < 30) {
+                    risk = "critical";
+                    flags.push(`CRITICAL: Domain expires in ${daysUntilExpiry} day(s)`);
+                }
+                else if (daysUntilExpiry < 90) {
+                    risk = "warning";
+                    flags.push(`WARNING: Domain expires in ${daysUntilExpiry} day(s)`);
+                }
+                else {
+                    risk = "ok";
+                }
+            }
+            else {
+                flags.push("WARNING: No expiration date found in RDAP data");
+            }
+            // Check transfer lock
+            const hasTransferLock = statusCodes.some((s) => s.includes("clientTransferProhibited") ||
+                s.includes("serverTransferProhibited"));
+            if (!hasTransferLock) {
+                flags.push("WARNING: No transfer lock detected — domain may be vulnerable to unauthorized transfers");
+            }
+            // Check other lock statuses
+            const hasDeleteLock = statusCodes.some((s) => s.includes("clientDeleteProhibited") ||
+                s.includes("serverDeleteProhibited"));
+            if (!hasDeleteLock) {
+                flags.push("INFO: No delete lock detected");
+            }
+            const hasUpdateLock = statusCodes.some((s) => s.includes("clientUpdateProhibited") ||
+                s.includes("serverUpdateProhibited"));
+            return json({
+                domain,
+                expiration_date: expiration?.date ?? null,
+                days_until_expiry: daysUntilExpiry,
+                risk,
+                status_codes: statusCodes,
+                locks: {
+                    transfer_lock: hasTransferLock,
+                    delete_lock: hasDeleteLock,
+                    update_lock: hasUpdateLock,
+                },
+                flags,
+            });
+        }
+        catch (err) {
+            return text(`Error assessing expiry risk for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 5: domain_parked_detect ───
+const domainParkedDetect = {
+    name: "domain_parked_detect",
+    description: "Detect if a domain is a parked/for-sale page. Resolves A record, fetches the page, " +
+        "and fingerprints for known parking services (Sedoparking, GoDaddy, Sedo, ParkingCrew, Bodis, etc.).",
+    schema: {
+        domain: z.string().describe("The domain to check for parking page detection (e.g. 'parked-example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        try {
+            // Resolve A record
+            const resolver = createResolver();
+            let ips = [];
+            try {
+                const aRecords = await resolver.resolve4(domain);
+                ips = aRecords;
+            }
+            catch {
+                return json({
+                    domain,
+                    resolvable: false,
+                    is_parked: false,
+                    error: "Domain does not resolve to an IP address",
+                });
+            }
+            // Attempt HTTP fetch
+            let html = "";
+            let statusCode = 0;
+            let redirectUrl = null;
+            try {
+                const res = await fetch(`https://${domain}`, {
+                    signal: AbortSignal.timeout(FETCH_TIMEOUT),
+                    redirect: "follow",
+                });
+                statusCode = res.status;
+                if (res.redirected)
+                    redirectUrl = res.url;
+                html = await res.text();
+            }
+            catch {
+                // Try HTTP if HTTPS fails
+                try {
+                    const res = await fetch(`http://${domain}`, {
+                        signal: AbortSignal.timeout(FETCH_TIMEOUT),
+                        redirect: "follow",
+                    });
+                    statusCode = res.status;
+                    if (res.redirected)
+                        redirectUrl = res.url;
+                    html = await res.text();
+                }
+                catch {
+                    return json({
+                        domain,
+                        resolvable: true,
+                        ips,
+                        is_parked: false,
+                        http_reachable: false,
+                        error: "Could not fetch page via HTTP or HTTPS",
+                    });
+                }
+            }
+            // Fingerprint parking pages
+            const htmlLower = html.toLowerCase();
+            const matchedKeywords = [];
+            for (const keyword of PARKING_KEYWORDS) {
+                if (htmlLower.includes(keyword)) {
+                    matchedKeywords.push(keyword);
+                }
+            }
+            // Check for minimal content (another sign of parking)
+            const textContentLength = html.replace(/<[^>]*>/g, "").trim().length;
+            const isMinimalContent = textContentLength < 500;
+            // Determine parking provider
+            let parkingProvider = null;
+            if (matchedKeywords.some((k) => k.includes("sedo")))
+                parkingProvider = "Sedo";
+            else if (matchedKeywords.some((k) => k.includes("godaddy")))
+                parkingProvider = "GoDaddy";
+            else if (matchedKeywords.some((k) => k.includes("parkingcrew")))
+                parkingProvider = "ParkingCrew";
+            else if (matchedKeywords.some((k) => k.includes("bodis")))
+                parkingProvider = "Bodis";
+            else if (matchedKeywords.some((k) => k.includes("hugedomains")))
+                parkingProvider = "HugeDomains";
+            else if (matchedKeywords.some((k) => k.includes("dan.com")))
+                parkingProvider = "Dan.com";
+            else if (matchedKeywords.some((k) => k.includes("afternic")))
+                parkingProvider = "Afternic";
+            const isParked = matchedKeywords.length >= 1;
+            return json({
+                domain,
+                resolvable: true,
+                ips,
+                http_reachable: true,
+                status_code: statusCode,
+                redirect_url: redirectUrl,
+                is_parked: isParked,
+                confidence: matchedKeywords.length >= 3 ? "high" : matchedKeywords.length >= 1 ? "medium" : "low",
+                parking_provider: parkingProvider,
+                matched_keywords: matchedKeywords,
+                minimal_content: isMinimalContent,
+                content_length: textContentLength,
+            });
+        }
+        catch (err) {
+            return text(`Error detecting parking for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 6: domain_dga_detect ───
+const domainDgaDetect = {
+    name: "domain_dga_detect",
+    description: "Analyze domains for DGA (Domain Generation Algorithm) characteristics. Evaluates consonant ratio, " +
+        "bigram frequency, Shannon entropy, length, and pronounceability. Returns per-domain DGA probability score.",
+    schema: {
+        domains: z
+            .array(z.string())
+            .describe("List of domain names to analyze for DGA characteristics"),
+    },
+    async execute(args) {
+        const domains = args.domains;
+        try {
+            const results = domains.map((rawDomain) => {
+                // Extract the registrable part (remove TLD)
+                const parts = rawDomain.split(".");
+                const label = parts.length >= 2 ? parts.slice(0, -1).join("") : parts[0];
+                const labelLower = label.toLowerCase();
+                // 1. Consonant ratio
+                let consonants = 0;
+                let vowels = 0;
+                for (const ch of labelLower) {
+                    if (/[a-z]/.test(ch)) {
+                        if (VOWELS.has(ch))
+                            vowels++;
+                        else
+                            consonants++;
+                    }
+                }
+                const totalLetters = consonants + vowels;
+                const consonantRatio = totalLetters > 0 ? consonants / totalLetters : 0;
+                // 2. Bigram frequency
+                let knownBigrams = 0;
+                let totalBigrams = 0;
+                for (let i = 0; i < labelLower.length - 1; i++) {
+                    const bigram = labelLower.substring(i, i + 2);
+                    if (/^[a-z]{2}$/.test(bigram)) {
+                        totalBigrams++;
+                        if (COMMON_BIGRAMS.has(bigram))
+                            knownBigrams++;
+                    }
+                }
+                const bigramScore = totalBigrams > 0 ? knownBigrams / totalBigrams : 0;
+                // 3. Shannon entropy
+                const entropy = shannonEntropy(labelLower);
+                // 4. Length analysis
+                const length = label.length;
+                const lengthScore = length > 20 ? 1.0 : length > 15 ? 0.7 : length > 10 ? 0.4 : 0.1;
+                // 5. Digit ratio
+                const digits = (label.match(/\d/g) ?? []).length;
+                const digitRatio = label.length > 0 ? digits / label.length : 0;
+                // 6. Consecutive consonant runs
+                let maxConsonantRun = 0;
+                let currentRun = 0;
+                for (const ch of labelLower) {
+                    if (/[a-z]/.test(ch) && !VOWELS.has(ch)) {
+                        currentRun++;
+                        if (currentRun > maxConsonantRun)
+                            maxConsonantRun = currentRun;
+                    }
+                    else {
+                        currentRun = 0;
+                    }
+                }
+                // 7. Pronounceability (heuristic: long consonant runs are hard to pronounce)
+                const pronounceabilityScore = maxConsonantRun >= 5 ? 1.0 : maxConsonantRun >= 4 ? 0.7 : maxConsonantRun >= 3 ? 0.3 : 0.0;
+                // Calculate composite DGA probability
+                const dgaProbability = Math.min(1.0, (consonantRatio > 0.7 ? 0.2 : 0.0) +
+                    (bigramScore < 0.3 ? 0.2 : 0.0) +
+                    (entropy > 3.5 ? 0.15 : 0.0) +
+                    (entropy > 4.0 ? 0.1 : 0.0) +
+                    lengthScore * 0.15 +
+                    (digitRatio > 0.3 ? 0.15 : 0.0) +
+                    pronounceabilityScore * 0.15);
+                let verdict;
+                if (dgaProbability >= 0.7)
+                    verdict = "likely_dga";
+                else if (dgaProbability >= 0.4)
+                    verdict = "suspicious";
+                else if (dgaProbability >= 0.2)
+                    verdict = "possibly_benign";
+                else
+                    verdict = "likely_benign";
+                return {
+                    domain: rawDomain,
+                    label_analyzed: label,
+                    metrics: {
+                        consonant_ratio: parseFloat(consonantRatio.toFixed(3)),
+                        bigram_score: parseFloat(bigramScore.toFixed(3)),
+                        entropy: parseFloat(entropy.toFixed(3)),
+                        length,
+                        digit_ratio: parseFloat(digitRatio.toFixed(3)),
+                        max_consonant_run: maxConsonantRun,
+                    },
+                    dga_probability: parseFloat(dgaProbability.toFixed(3)),
+                    verdict,
+                };
+            });
+            const dgaCount = results.filter((r) => r.verdict === "likely_dga").length;
+            const suspiciousCount = results.filter((r) => r.verdict === "suspicious").length;
+            return json({
+                total_analyzed: results.length,
+                likely_dga: dgaCount,
+                suspicious: suspiciousCount,
+                likely_benign: results.length - dgaCount - suspiciousCount,
+                results,
+            });
+        }
+        catch (err) {
+            return text(`Error analyzing domains for DGA: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 7: domain_newly_registered ───
+const domainNewlyRegistered = {
+    name: "domain_newly_registered",
+    description: "Search CT logs for recently issued certificates matching a pattern to discover newly registered domains. " +
+        "Returns domains with certificate issuance dates.",
+    schema: {
+        pattern: z.string().describe("Domain pattern to search in CT logs (e.g. 'paypal' to find phishing domains)"),
+        days: z
+            .number()
+            .optional()
+            .describe("Number of days to look back. Default 7."),
+    },
+    async execute(args) {
+        const pattern = args.pattern;
+        const days = args.days ?? 7;
+        try {
+            const entries = await queryCrtSh(`%${pattern}%`);
+            const cutoff = new Date();
+            cutoff.setDate(cutoff.getDate() - days);
+            const recentEntries = entries.filter((e) => {
+                const notBefore = new Date(e.not_before);
+                return notBefore >= cutoff;
+            });
+            // Extract unique domains
+            const domainSet = new Map();
+            for (const entry of recentEntries) {
+                const nameValue = entry.name_value ?? "";
+                const names = nameValue.split("\n");
+                for (const name of names) {
+                    const trimmed = name.trim().replace(/^\*\./, "");
+                    if (trimmed && !domainSet.has(trimmed)) {
+                        const issuerName = entry.issuer_name ?? "";
+                        const match = issuerName.match(/O=([^,]+)/);
+                        domainSet.set(trimmed, {
+                            first_seen: entry.not_before,
+                            issuer: match ? match[1].trim() : issuerName,
+                        });
+                    }
+                }
+            }
+            const domainList = Array.from(domainSet.entries())
+                .map(([domain, info]) => ({
+                domain,
+                first_seen: info.first_seen,
+                issuer: info.issuer,
+            }))
+                .sort((a, b) => new Date(b.first_seen).getTime() - new Date(a.first_seen).getTime());
+            return json({
+                pattern,
+                days_searched: days,
+                cutoff_date: cutoff.toISOString(),
+                total_certificates: recentEntries.length,
+                unique_domains_found: domainList.length,
+                domains: domainList.slice(0, 500),
+            });
+        }
+        catch (err) {
+            return text(`Error searching newly registered domains for '${pattern}': ${err.message}`);
+        }
+    },
+};
+// ─── Tool 8: domain_reputation ───
+const domainReputation = {
+    name: "domain_reputation",
+    description: "Multi-source domain reputation check. Queries DNS blocklists (Spamhaus DBL, SURBL), " +
+        "checks CT log presence, and evaluates domain age. Returns a composite reputation score.",
+    schema: {
+        domain: z.string().describe("The domain to check reputation for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        try {
+            const checks = {
+                blocklists: [],
+                domain_age: { days: null, verdict: "unknown" },
+                ct_presence: { has_certificates: false, count: 0 },
+            };
+            // 1. DNS Blocklist checks
+            const dnsblDomains = [
+                { name: "Spamhaus DBL", zone: "dbl.spamhaus.org" },
+                { name: "SURBL Multi", zone: "multi.surbl.org" },
+                { name: "URIBL", zone: "multi.uribl.com" },
+                { name: "Spamhaus ZRD", zone: "zrd.spamhaus.org" },
+                { name: "SEM Fresh", zone: "fresh.spameatingmonkey.net" },
+            ];
+            const resolver = createResolver();
+            const blResults = await Promise.allSettled(dnsblDomains.map(async (bl) => {
+                const lookup = `${domain}.${bl.zone}`;
+                try {
+                    await resolver.resolve4(lookup);
+                    return { name: bl.name, listed: true };
+                }
+                catch {
+                    return { name: bl.name, listed: false };
+                }
+            }));
+            for (const result of blResults) {
+                if (result.status === "fulfilled") {
+                    checks.blocklists.push(result.value);
+                }
+            }
+            // 2. Domain age check via RDAP
+            try {
+                const rdapData = await rdapFetch(domain);
+                const events = extractRdapEvents(rdapData);
+                const registration = events.find((e) => e.action === "registration");
+                if (registration) {
+                    const ageDays = daysBetween(new Date(registration.date), new Date());
+                    checks.domain_age = {
+                        days: ageDays,
+                        verdict: ageDays < 30 ? "suspicious" : ageDays < 90 ? "young" : "established",
+                    };
+                }
+            }
+            catch {
+                // RDAP may not be available for all domains
+            }
+            // 3. CT log presence
+            try {
+                const ctEntries = await queryCrtSh(domain);
+                checks.ct_presence = {
+                    has_certificates: ctEntries.length > 0,
+                    count: ctEntries.length,
+                };
+            }
+            catch {
+                // CT check is supplementary
+            }
+            // Calculate reputation score (0-100, higher = better)
+            let score = 70; // Base score
+            const listedCount = checks.blocklists.filter((b) => b.listed).length;
+            score -= listedCount * 25; // Heavy penalty for blocklist listings
+            if (checks.domain_age.days !== null) {
+                if (checks.domain_age.days < 30)
+                    score -= 20;
+                else if (checks.domain_age.days < 90)
+                    score -= 10;
+                else if (checks.domain_age.days > 365)
+                    score += 10;
+            }
+            if (checks.ct_presence.has_certificates)
+                score += 5;
+            score = Math.max(0, Math.min(100, score));
+            let verdict;
+            if (score >= 80)
+                verdict = "good";
+            else if (score >= 60)
+                verdict = "neutral";
+            else if (score >= 40)
+                verdict = "suspicious";
+            else
+                verdict = "malicious";
+            return json({
+                domain,
+                reputation_score: score,
+                verdict,
+                checks,
+                flags: [
+                    ...(listedCount > 0 ? [`Listed on ${listedCount} DNS blocklist(s)`] : []),
+                    ...(checks.domain_age.verdict === "suspicious" ? ["Domain is less than 30 days old"] : []),
+                    ...(checks.domain_age.verdict === "young" ? ["Domain is less than 90 days old"] : []),
+                    ...(!checks.ct_presence.has_certificates ? ["No certificates found in CT logs"] : []),
+                ],
+            });
+        }
+        catch (err) {
+            return text(`Error checking reputation for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 9: domain_hosting_info ───
+const domainHostingInfo = {
+    name: "domain_hosting_info",
+    description: "Get hosting infrastructure details for a domain. Resolves A record to IP, performs reverse DNS, " +
+        "and queries ASN information via Team Cymru DNS. Returns IP, ASN, AS name, prefix, and hosting provider.",
+    schema: {
+        domain: z.string().describe("The domain to get hosting info for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        try {
+            // Resolve A record
+            const resolver = createResolver();
+            let ips = [];
+            try {
+                ips = await resolver.resolve4(domain);
+            }
+            catch {
+                return json({
+                    domain,
+                    error: "Domain does not resolve to an A record",
+                });
+            }
+            if (ips.length === 0) {
+                return json({ domain, error: "No A records found" });
+            }
+            const ip = ips[0];
+            // Reverse DNS
+            let reverseDns = null;
+            try {
+                const ptrs = await dns.reverse(ip);
+                reverseDns = ptrs.length > 0 ? ptrs[0] : null;
+            }
+            catch {
+                // Reverse DNS may not be configured
+            }
+            // ASN lookup via Team Cymru
+            let asn = null;
+            let asName = null;
+            let prefix = null;
+            let country = null;
+            try {
+                const reversed = reverseIp(ip);
+                const originQuery = `${reversed}.origin.asn.cymru.com`;
+                const txtRecords = await resolver.resolveTxt(originQuery);
+                if (txtRecords.length > 0) {
+                    // Format: "ASN | Prefix | CC | Registry | Allocated"
+                    const parts = txtRecords[0].join("").split("|").map((p) => p.trim());
+                    asn = parts[0] ?? null;
+                    prefix = parts[1] ?? null;
+                    country = parts[2] ?? null;
+                    // Get AS name
+                    if (asn) {
+                        try {
+                            const asQuery = `AS${asn}.asn.cymru.com`;
+                            const asRecords = await resolver.resolveTxt(asQuery);
+                            if (asRecords.length > 0) {
+                                // Format: "ASN | CC | Registry | Allocated | AS Name"
+                                const asParts = asRecords[0].join("").split("|").map((p) => p.trim());
+                                asName = asParts[4] ?? null;
+                            }
+                        }
+                        catch {
+                            // AS name lookup may fail
+                        }
+                    }
+                }
+            }
+            catch {
+                // Team Cymru lookup may fail
+            }
+            // All resolved IPs
+            const allIps = await Promise.all(ips.map(async (resolvedIp) => {
+                let rdns = null;
+                try {
+                    const ptrs = await dns.reverse(resolvedIp);
+                    rdns = ptrs.length > 0 ? ptrs[0] : null;
+                }
+                catch {
+                    // Skip
+                }
+                return { ip: resolvedIp, reverse_dns: rdns };
+            }));
+            return json({
+                domain,
+                primary_ip: ip,
+                all_ips: allIps,
+                reverse_dns: reverseDns,
+                asn: asn ? `AS${asn}` : null,
+                as_name: asName,
+                prefix,
+                country,
+                hosting_provider: asName ?? "Unknown",
+            });
+        }
+        catch (err) {
+            return text(`Error getting hosting info for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 10: domain_related ───
+const domainRelated = {
+    name: "domain_related",
+    description: "Find domains related through shared infrastructure: same nameservers, same MX records, " +
+        "same IP via reverse DNS, and CT log co-occurrence. Returns infrastructure-linked domains.",
+    schema: {
+        domain: z.string().describe("The domain to find related domains for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        try {
+            const related = {
+                by_nameserver: [],
+                by_mx: [],
+                by_ip: [],
+                by_ct: [],
+            };
+            const resolver = createResolver();
+            // Get current NS, MX, A records
+            let nameservers = [];
+            let mxRecords = [];
+            let ips = [];
+            try {
+                nameservers = await resolver.resolveNs(domain);
+            }
+            catch { /* no NS */ }
+            try {
+                const mx = await resolver.resolveMx(domain);
+                mxRecords = mx.map((r) => r.exchange);
+            }
+            catch { /* no MX */ }
+            try {
+                ips = await resolver.resolve4(domain);
+            }
+            catch { /* no A */ }
+            // Find domains sharing same IP (via reverse DNS)
+            for (const ip of ips) {
+                try {
+                    const ptrs = await dns.reverse(ip);
+                    for (const ptr of ptrs) {
+                        const ptrClean = ptr.replace(/\.$/, "");
+                        if (ptrClean !== domain && ptrClean.includes(".")) {
+                            related.by_ip.push(ptrClean);
+                        }
+                    }
+                }
+                catch {
+                    // Reverse DNS may not work
+                }
+            }
+            // Find related domains from CT logs
+            try {
+                const ctEntries = await queryCrtSh(`%.${domain}`);
+                // Collect all unique names from CT entries
+                const ctNames = new Set();
+                for (const entry of ctEntries.slice(0, 200)) {
+                    const nameValue = entry.name_value ?? "";
+                    const names = nameValue.split("\n");
+                    for (const name of names) {
+                        const trimmed = name.trim().replace(/^\*\./, "");
+                        if (trimmed && trimmed !== domain && trimmed.endsWith(`.${domain}`)) {
+                            ctNames.add(trimmed);
+                        }
+                    }
+                }
+                related.by_ct = [...ctNames].sort().slice(0, 100);
+            }
+            catch {
+                // CT lookup is supplementary
+            }
+            // Deduplicate
+            related.by_ip = [...new Set(related.by_ip)];
+            const totalRelated = related.by_nameserver.length +
+                related.by_mx.length +
+                related.by_ip.length +
+                related.by_ct.length;
+            return json({
+                domain,
+                infrastructure: {
+                    nameservers,
+                    mx_records: mxRecords,
+                    ips,
+                },
+                related_domains: related,
+                total_related: totalRelated,
+                summary: {
+                    by_ip_count: related.by_ip.length,
+                    by_ct_subdomains_count: related.by_ct.length,
+                    by_nameserver_count: related.by_nameserver.length,
+                    by_mx_count: related.by_mx.length,
+                },
+            });
+        }
+        catch (err) {
+            return text(`Error finding related domains for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Export All Domain Tools ───
+export const domainTools = [
+    domainWhois,
+    domainAge,
+    domainHistory,
+    domainExpiryRisk,
+    domainParkedDetect,
+    domainDgaDetect,
+    domainNewlyRegistered,
+    domainReputation,
+    domainHostingInfo,
+    domainRelated,
+];
+//# sourceMappingURL=index.js.map