nsauditor-ai 0.1.0

package/plugins/opensearch_scanner.mjs

@@ -0,0 +1,276 @@
+
+// plugins/opensearch_scanner.mjs
+// OpenSearch Scanner — probes OpenSearch HTTP API ports and extracts version,
+// plus (heuristically) Linux kernel and Node.js versions if present in banners.
+//
+// CHANGE: Default ports now only include 9200 (API) and 5601 (Dashboards).
+// Previously 80/443 were included, which produced noisy entries in reports.
+// You can still add 80/443 (or any others) via OPENSEARCH_SCANNER_PORTS.
+//
+// Env vars:
+//   OPENSEARCH_SCANNER_TIMEOUT_MS    default 6000
+//   OPENSEARCH_SCANNER_PORTS         CSV of port[:service] (default "9200:opensearch,5601:opensearch-dashboards")
+//   OPENSEARCH_SCANNER_SCHEMES       CSV of schemes to try per HTTP port (default "http,https")
+//   OPENSEARCH_SCANNER_INSECURE_TLS  1/true to skip TLS verification for HTTPS
+//   OPENSEARCH_SCANNER_DEBUG         1/true to include extra debug info in banner
+//   OPENSEARCH_SCANNER_INCLUDE_TRANSPORT 1/true to also probe 9300 (transport, not HTTP)
+//
+// Notes:
+// - We attempt HTTP(S) GET / on HTTP ports. 9300 (transport) is not HTTP —
+//   it's optional and only recorded as "transport port (not HTTP)" if enabled.
+// - Version is read from JSON.version.number when available.
+// - OS + Node.js versions are parsed from any banner/header that contains the
+//   opensearch-js UA format.
+// - We record response headers and body (truncated) for Evidence.
+
+const DEFAULT_PORTS = {
+  9200: 'opensearch',
+  5601: 'opensearch-dashboards',
+};
+
+function parseCsvEnv(name, fallback) {
+  const v = process.env[name];
+  if (!v) return fallback;
+  const arr = String(v).split(',').map(s => s.trim()).filter(Boolean);
+  return arr.length ? arr : fallback;
+}
+
+function parsePortsEnv(name, fallback) {
+  const v = process.env[name];
+  if (!v) return fallback;
+  const out = {};
+  for (const tok of String(v).split(',').map(s => s.trim()).filter(Boolean)) {
+    const [p, svc] = tok.split(':').map(s => s.trim());
+    const n = Number(p);
+    if (Number.isFinite(n)) out[n] = svc || (DEFAULT_PORTS[n] || `tcp-${n}`);
+  }
+  return Object.keys(out).length ? out : fallback;
+}
+
+// Use global fetch (Node 18+). If not present, dynamic import of node-fetch (only when needed).
+async function getFetch() {
+  if (typeof fetch === 'function') return fetch;
+  const mod = await import('node-fetch');
+  return mod.default || mod;
+}
+
+// Best effort: build a simple https.Agent that can ignore certs if requested.
+// We avoid importing 'https' unless we need it.
+async function buildAgentIfNeeded(scheme, insecure) {
+  if (!insecure || scheme !== 'https') return undefined;
+  const https = await import('node:https');
+  return new https.Agent({ rejectUnauthorized: false });
+}
+
+function firstDefined(...xs) {
+  for (const x of xs) if (x !== undefined && x !== null) return x;
+  return undefined;
+}
+
+function normalizeUaBanner(str = '') {
+  // Return { osKernel, nodeVersion, ua } if matches the opensearch-js UA shape
+  const out = { osKernel: null, nodeVersion: null, ua: null };
+  const s = String(str);
+  const m = s.match(/opensearch-js\/[\d.]+\s*\(([^)]+)\)/i);
+  if (!m) return out;
+  out.ua = s;
+  const inside = m[1]; // e.g., 'linux 6.19.14-linuxkit-x64; Node.js v20.10.0'
+  const node = inside.match(/node\.js\s*v([\d.]+)/i);
+  if (node) out.nodeVersion = node[1];
+  const linux = inside.match(/linux\s*([^;]+)/i);
+  if (linux) out.osKernel = linux[1].trim();
+  return out;
+}
+
+function trunc(s, n = 1200) {
+  const str = String(s || '');
+  return str.length > n ? str.slice(0, n) + '…' : str;
+}
+
+export default {
+  id: "012",
+  name: "OpenSearch Scanner",
+  description: "Detects OpenSearch and extracts version; heuristically parses Linux/Node.js versions from banners.",
+  priority: 360,
+  requirements: {},
+
+  async run(host, _port, opts = {}) {
+    const timeoutMs = Number(process.env.OPENSEARCH_SCANNER_TIMEOUT_MS || 6000);
+    const portsMap = parsePortsEnv('OPENSEARCH_SCANNER_PORTS', { ...DEFAULT_PORTS });
+    const includeTransport = /^(1|true|yes|on)$/i.test(String(process.env.OPENSEARCH_SCANNER_INCLUDE_TRANSPORT || ''));
+    if (includeTransport && !('9300' in portsMap && portsMap[9300])) {
+      portsMap[9300] = 'opensearch-transport';
+    }
+    const schemes = parseCsvEnv('OPENSEARCH_SCANNER_SCHEMES', ['http', 'https']);
+    const insecure = /^(1|true|yes|on)$/i.test(String(process.env.OPENSEARCH_SCANNER_INSECURE_TLS || ''));
+    const debug = /^(1|true|yes|on)$/i.test(String(process.env.OPENSEARCH_SCANNER_DEBUG || ''));
+    const doFetch = await getFetch();
+
+    const perPort = [];
+
+    for (const [pStr, svc] of Object.entries(portsMap)) {
+      const port = Number(pStr);
+      if (port === 9300) {
+        // Not HTTP; we just note transport port present if opted in
+        perPort.push({
+          port, service: svc, success: false, status: 'unknown', version: null,
+          osKernel: null, nodeVersion: null, headers: {}, body: null, error: 'transport port (not HTTP)'
+        });
+        continue;
+      }
+
+      let success = false, pickedScheme = null, version = null, osKernel = null, nodeVersion = null;
+      let headersRecord = {}, bodyStr = null, statusText = null, errMsg = null;
+
+      for (const scheme of schemes) {
+        const url = `${scheme}://${host}:${port}/`;
+        try {
+          const agent = await buildAgentIfNeeded(scheme, insecure);
+          const ctrl = new AbortController();
+          const to = setTimeout(() => ctrl.abort(), timeoutMs);
+          const res = await doFetch(url, {
+            method: 'GET',
+            headers: {
+              'User-Agent': 'opensearch-js/3.4.0 (opensearch-scanner)'
+            },
+            signal: ctrl.signal,
+            agent
+          }).catch(e => { throw e; });
+          clearTimeout(to);
+
+          statusText = `${res.status}`;
+          // Record headers into a plain object
+          headersRecord = {};
+          try {
+            for (const [k, v] of res.headers) headersRecord[k.toLowerCase()] = String(v);
+          } catch {}
+
+          // Try JSON first
+          let parsed = null;
+          try {
+            const ct = headersRecord['content-type'] || '';
+            if (/json/i.test(ct)) {
+              parsed = await res.json();
+              bodyStr = trunc(JSON.stringify(parsed));
+            } else {
+              // fallback to text (may include hint)
+              const t = await res.text();
+              bodyStr = trunc(t);
+              try { parsed = JSON.parse(t); } catch {}
+            }
+          } catch {
+            // ignore parse errors
+          }
+
+          version = firstDefined(parsed?.version?.number, parsed?.version?.distribution === 'opensearch' ? parsed?.version?.number : null, null);
+
+          // Heuristic UA extraction: look for opensearch-js UA within *any* bannerish header
+          const bannerish = headersRecord['server'] || headersRecord['x-powered-by'] || headersRecord['user-agent'] || '';
+          const uaBits = normalizeUaBanner(bannerish);
+          osKernel = uaBits.osKernel || null;
+          nodeVersion = uaBits.nodeVersion || null;
+
+          // Some proxies echo request headers back; try to read from body if present
+          if (!osKernel && bodyStr && /opensearch-js\//i.test(bodyStr)) {
+            const uaBody = normalizeUaBanner(bodyStr);
+            osKernel = uaBody.osKernel || osKernel;
+            nodeVersion = uaBody.nodeVersion || nodeVersion;
+          }
+
+          success = !!(version || bodyStr || Object.keys(headersRecord).length);
+          pickedScheme = scheme;
+          break; // stop after first scheme that returns
+        } catch (e) {
+          errMsg = e && e.message ? String(e.message) : 'fetch error';
+          // Try next scheme
+        }
+      }
+
+      perPort.push({
+        port,
+        service: svc,
+        scheme: pickedScheme,
+        success,
+        status: success ? 'open' : 'unknown',
+        version: version || null,
+        osKernel,
+        nodeVersion,
+        headers: headersRecord,
+        body: bodyStr,
+        error: success ? null : (errMsg || statusText || null)
+      });
+    }
+
+    // Build data rows for evidence
+    const data = perPort.map(r => {
+      const bits = [];
+      if (r.version) bits.push(`OpenSearch: ${r.version}`);
+      if (r.osKernel) bits.push(`Linux: ${r.osKernel}`);
+      if (r.nodeVersion) bits.push(`Node.js: v${r.nodeVersion}`);
+      const probe_info = bits.join(' | ') || (r.error ? `No banner (${r.error})` : 'No banner');
+      const bannerObj = {
+        headers: r.headers,
+        body: r.body,
+        scheme: r.scheme,
+        debug: debug ? { error: r.error } : undefined
+      };
+      return {
+        probe_protocol: 'tcp',
+        probe_port: r.port,
+        probe_service: r.service,
+        probe_info,
+        response_banner: JSON.stringify(bannerObj)
+      };
+    });
+
+    const up = perPort.some(r => r.success);
+
+    // Prefer the clearest program/version at the root API port (9200) if present
+    const root = perPort.find(r => r.port === 9200 && r.version);
+    const program = root ? 'OpenSearch' : (up ? 'OpenSearch (suspected)' : 'Unknown');
+    const version = root ? root.version : null;
+
+    return {
+      up,
+      program,
+      version,
+      os: null,           // not authoritative; let concluder infer from other sources
+      osVersion: null,
+      data
+    };
+  }
+};
+
+// ---------------- Plug-and-Play concluder adapter ----------------
+import { statusFrom } from '../utils/conclusion_utils.mjs';
+
+export async function conclude({ host, result }) {
+  const rows = Array.isArray(result?.data) ? result.data : [];
+  const items = [];
+  for (const r of rows) {
+    const port = Number(r?.probe_port);
+    if (!Number.isFinite(port)) continue;
+    // Prefer the probe_service we set in run()
+    const svc = r?.probe_service || (port === 9200 ? 'opensearch' : (port === 5601 ? 'opensearch-dashboards' : 'opensearch'));
+    const info = r?.probe_info || null;
+    const banner = r?.response_banner || null;
+    const status = /OpenSearch:\s*\d+/.test(String(info||'')) ? 'open' : 'unknown';
+    items.push({
+      port,
+      protocol: 'tcp',
+      service: svc,
+      program: 'OpenSearch',
+      version: null, // per-port version is often same; leave null unless per-port differs
+      status,
+      info,
+      banner,
+      source: 'opensearch-scanner',
+      evidence: rows,
+      authoritative: true
+    });
+  }
+  return items;
+}
+
+// Authoritative for standard HTTP API / dashboards ports
+export const authoritativePorts = new Set(['tcp:9200','tcp:5601']);

package/plugins/os_detector.mjs

@@ -0,0 +1,436 @@
+// plugins/os_detector.mjs
+// OS Detector — infers OS from DNS/mDNS/UPnP evidence and conservatively falls back to prior plugin OS labels.
+//
+// Supports two invocation styles used by tests:
+//   1) run(priorResultsArray)
+//   2) run(host, port, { results: priorResultsArray, context })
+// Returns an object suitable to be wrapped by the concluder.
+
+const ID = "013";
+const NAME = "OS Detector";
+
+function asArray(x) {
+  if (!x) return [];
+  if (Array.isArray(x)) return x;
+  return [x];
+}
+
+function getResultsFromArgs(a, b, c) {
+  // Style 1: run([plugins])
+  if (Array.isArray(a) && b === undefined && c === undefined) {
+    return { prior: a, host: null, ctx: {} };
+  }
+  // Style 2: run(host, port, { results, context })
+  const host = typeof a === "string" ? a : null;
+  const opts = c || {};
+  return { prior: asArray(opts.results), host, ctx: opts.context || {} };
+}
+
+function toStr(x) {
+  return typeof x === "string" ? x : "";
+}
+
+function parseKeyVals(s) {
+  // Parse 'k=v; k2=v2' (or comma/space separated) into map
+  const out = {};
+  if (!s) return out;
+  const parts = String(s)
+    .split(/[;,\s]\s*/)
+    .map((p) => p.trim())
+    .filter(Boolean);
+  for (const p of parts) {
+    const m = p.match(/^([^=]+)=(.+)$/);
+    if (m) out[m[1].trim().toLowerCase()] = m[2].trim();
+  }
+  return out;
+}
+
+function extractAddresses(banner) {
+  const s = String(banner || "");
+  if (!s) return [];
+
+  // JSON banner first (preferred by mdns_scanner and upnp_scanner)
+  try {
+    const obj = JSON.parse(s);
+    // Check for address field (used by UPnP Scanner)
+    if (obj?.address) return [obj.address];
+    // Check for addresses or addrs arrays (used by mDNS Scanner)
+    if (Array.isArray(obj?.addresses)) return obj.addresses.map(String);
+    if (Array.isArray(obj?.addrs)) return obj.addrs.map(String);
+  } catch {}
+
+  // Key/val legacy: '...; addresses=ip1,ip2'
+  const m = s.match(/addresses=([^\s;]+)/i);
+  if (m) {
+    return m[1]
+      .split(/[,\s]+/)
+      .map((x) => x.trim())
+      .filter(Boolean);
+  }
+
+  // Inline JSON-like fragment
+  const mj = s.match(/"addresses"\s*:\s*\[([^\]]*)\]/i);
+  if (mj) {
+    return mj[1]
+      .split(",")
+      .map(x => x.replace(/["'\s]/g, ""))
+      .filter(Boolean);
+  }
+
+  return [];
+}
+
+function evidenceRow(info, port = null, proto = "os-detector", banner = null) {
+  return {
+    probe_protocol: proto,
+    probe_port: port,
+    probe_info: info,
+    response_banner: banner
+  };
+}
+
+/* ---------------- Helpers for mDNS Apple inference ---------------- */
+
+function looksLikeAppleHost(s) {
+  const host = String(s || "").toLowerCase();
+  // iphone-of-joe.local, ANAHITs-iPad.local, ANAHITs-iMac.local, MacBook-Air.local, apple-tv.local, etc.
+  return /(iphone|ipad|ipod|imac|macbook|apple.?tv)/i.test(host);
+}
+
+function unescapeFullname(s) {
+  return String(s || "").replace(/\\032/g, " ");
+}
+
+function isAppleMdnsRow(r) {
+  const info = toStr(r?.probe_info);
+  const banner = toStr(r?.response_banner);
+
+  // Service types associated with Apple
+  const appleSvc =
+    /airplay\._tcp|raop\._tcp|companion-link\._tcp|_apple|_touch-able|_sleep-proxy/i.test(info);
+
+  // Host/fullname cues
+  const infoHostMatch = info.match(/host=([^\s]+)/i);
+  const hostLooksApple = infoHostMatch && looksLikeAppleHost(infoHostMatch[1]);
+
+  // Fullname in banner JSON (from mdns_scanner fallback path)
+  let fullnameLooksApple = false;
+  try {
+    const obj = JSON.parse(banner);
+    if (obj?.fullname && looksLikeAppleHost(unescapeFullname(obj.fullname))) {
+      fullnameLooksApple = true;
+    }
+  } catch {}
+
+  // TXT cues: model, ty, features, srcvers, or a MAC-like deviceid
+  let txtModel = null, hasAirplayish = false, hasDeviceIdMac = false;
+  try {
+    const obj = JSON.parse(banner);
+    const txt = obj?.txt || {};
+    txtModel = txt.model || txt.mdl || txt.ty || null;
+    hasAirplayish = Boolean(txt.features || txt.srcvers);
+    hasDeviceIdMac = /([0-9A-Fa-f]{2}[:\-]){5}[0-9A-Fa-f]{2}/.test(String(txt.deviceid || txt.rpBA || ""));
+  } catch {
+    // also try to scrape from probe_info
+    const kv = parseKeyVals(info);
+    txtModel = txtModel || kv.model || kv.mdl || kv.ty || null;
+    hasAirplayish = hasAirplayish || Boolean(kv.features || kv.srcvers);
+    hasDeviceIdMac = hasDeviceIdMac || /deviceid\s*=\s*([0-9A-Fa-f]{2}[:\-]){5}[0-9A-Fa-f]{2}/i.test(info);
+  }
+
+  const hasMacModelToken = /model\s*=\s*Mac/i.test(info) || /"model"\s*:\s*"?Mac/i.test(banner) || /^Mac/i.test(String(txtModel || ""));
+
+  return appleSvc || hostLooksApple || fullnameLooksApple || hasMacModelToken || hasAirplayish || hasDeviceIdMac;
+}
+
+function refineAppleFamilyFromModel(model, info, banner) {
+  const m = String(model || "");
+  if (/^i(phone|pad|pod)/i.test(m)) return "iOS";
+  if (/^Mac/i.test(m)) return "macOS";
+  if (/apple.?tv/i.test(m)) return "tvOS";
+
+  // Check hostname for iOS-specific patterns
+  const infoHostMatch = info.match(/host=([^\s]+)/i);
+  const host = infoHostMatch ? infoHostMatch[1].toLowerCase() : "";
+  if (host.includes('iphone') || host.includes('ipad') || host.includes('ipod')) {
+    return "iOS";
+  }
+  if (host.includes('imac') || host.includes('macbook')) {
+    return "macOS";
+  }
+  if (host.includes('apple') && host.includes('tv')) {
+    return "tvOS";
+  }
+
+  // Check fullname in banner
+  try {
+    const obj = JSON.parse(banner);
+    const fullname = unescapeFullname(obj?.fullname || "").toLowerCase();
+    if (looksLikeAppleHost(fullname)) {
+      if (fullname.includes('iphone') || fullname.includes('ipad') || fullname.includes('ipod')) {
+        return "iOS";
+      }
+      if (fullname.includes('imac') || fullname.includes('macbook')) {
+        return "macOS";
+      }
+      if (fullname.includes('apple') && host.includes('tv')) {
+        return "tvOS";
+      }
+    }
+  } catch {}
+
+  // Check service type for companion-link (macOS or iOS)
+  if (info.includes('_companion-link._tcp')) {
+    // If no hostname/model indicates otherwise, default to iOS for companion-link
+    // as it's common on both but iOS is more likely without macOS-specific cues
+    return "iOS";
+  }
+
+  return "macOS or iOS";
+}
+
+function inferFromMdns(prior, targetHost) {
+  // Collect mDNS rows
+  const mdnsRows = [];
+  for (const p of prior) {
+    const rows = asArray(p?.result?.data);
+    for (const r of rows) {
+      if (String(r?.probe_protocol || "").toLowerCase() === "mdns") {
+        mdnsRows.push(r);
+      }
+    }
+  }
+  if (mdnsRows.length === 0) return null;
+
+  // Require that at least one row ties to this host by addresses[]
+  for (const r of mdnsRows) {
+    if (!isAppleMdnsRow(r)) continue;
+
+    const info = toStr(r?.probe_info);
+    const banner = toStr(r?.response_banner);
+    const addresses = extractAddresses(banner);
+    const targetMatches = targetHost ? addresses.includes(targetHost) : addresses.length > 0;
+
+    if (!targetMatches) continue;
+
+    // Try to refine from model type if known
+    let model = null;
+    try {
+      const obj = JSON.parse(banner);
+      model = obj?.txt?.model || obj?.txt?.mdl || obj?.txt?.ty || null;
+    } catch {
+      const kv = parseKeyVals(info);
+      model = kv.model || kv.mdl || kv.ty || null;
+    }
+
+    const osLabel = refineAppleFamilyFromModel(model, info, banner);
+    const ev = `mDNS evidence: Apple (${model ? `model=${model}` : "service/hostname/TXT"}) matched; addresses includes ${targetHost ?? addresses.join(",")}`;
+    return {
+      os: osLabel,
+      osVersion: null,
+      osExtras: { mdns: true },
+      rows: [evidenceRow(ev, 5353, "mdns", banner)]
+    };
+  }
+
+  return null;
+}
+
+/* ---------------- DNS/BIND → Red Hat ---------------- */
+
+function inferFromBind(prior) {
+  // Look for DNS Scanner rows exposing version.bind with BIND banners that contain RedHat tokens
+  for (const p of prior) {
+    const rows = asArray(p?.result?.data);
+    for (const r of rows) {
+      const banner = toStr(r?.response_banner);
+      const info = toStr(r?.probe_info);
+
+      const isBind = /version\.bind/i.test(info) || /bind/i.test(banner);
+      if (!isBind) continue;
+
+      // Common Red Hat markers in packaged BIND strings
+      // e.g. '...RedHat-9.11.4-26.P2.el7_9.16.tuxcare.els8'
+      const isRedHatish =
+        /redhat|\.el\d|centos|rhel/i.test(banner);
+      if (!isRedHatish) continue;
+
+      // Extract rhel major/minor from el7_9 or el7 token
+      let osVersion = null;
+      const em = banner.match(/\.el(\d+)(?:_(\d+))?/i);
+      if (em) {
+        const major = em[1];
+        const minor = em[2] ? `.${em[2]}` : "";
+        osVersion = `${major}${minor}`;
+      }
+
+      const tuxcare = /\.tuxcare\./i.test(banner);
+
+      return {
+        os: "Red Hat Enterprise Linux",
+        osVersion,
+        osExtras: { tuxcare },
+        rows: [
+          evidenceRow("BIND evidence: Red Hat family packaging", r?.probe_port ?? null, String(r?.probe_protocol || "dns"), banner)
+        ]
+      };
+    }
+  }
+  return null;
+}
+
+/* ---------------- UPnP → OS from Server Header ---------------- */
+
+function inferFromUpnp(prior, targetHost) {
+  const upnpRows = [];
+  for (const p of prior) {
+    const rows = asArray(p?.result?.data);
+    for (const r of rows) {
+      if (String(r?.probe_protocol || "").toLowerCase() === "upnp") {
+        upnpRows.push(r);
+      }
+    }
+  }
+  if (upnpRows.length === 0) return null;
+
+  let bestMatch = null;
+  for (const r of upnpRows) {
+    const info = toStr(r?.probe_info);
+    const banner = toStr(r?.response_banner);
+    const addresses = extractAddresses(banner);
+    const targetMatches = targetHost ? addresses.includes(targetHost) : addresses.length > 0;
+
+    if (!targetMatches) continue;
+
+    const os = r.os || null;
+    const osVersion = r.osVersion || null;
+
+    if (os) {
+      const ev = `UPnP evidence: OS detected from server header; addresses includes ${targetHost ?? addresses.join(",")}`;
+      const candidate = {
+        os,
+        osVersion,
+        osExtras: { upnp: true },
+        rows: [evidenceRow(ev, 1900, "upnp", banner)]
+      };
+
+      // Prioritize candidates with osVersion
+      if (osVersion) {
+        return candidate; // Immediately return if osVersion is present
+      } else if (!bestMatch) {
+        bestMatch = candidate;
+      }
+    }
+  }
+  return bestMatch;
+}
+
+/* ---------------- Fallbacks (Ping/FTP/others) ---------------- */
+
+function fallbackFromPluginOs(prior) {
+  // Prefer OS labels that came from "Ping Checker" (TTL) or explicit plugin os
+  let picked = null;
+  for (const p of prior) {
+    const name = String(p?.name || "").toLowerCase();
+    const os = p?.result?.os || null;
+    if (!os) continue;
+
+    // Ping Checker or explicit recognizable plugin OS is a good fallback
+    if (name.includes("ping")) {
+      picked = { os, rows: [evidenceRow("Baseline OS from Ping Checker")] };
+      break;
+    }
+    // Otherwise remember the first OS we see (e.g., FTP Banner Check -> Linux)
+    if (!picked) picked = { os, rows: [evidenceRow(`Fallback OS from ${p?.name || "previous plugin"}`)] };
+  }
+  return picked;
+}
+
+/* ---------------- Main ---------------- */
+
+export default {
+  id: ID,
+  name: NAME,
+  description: "Infers OS from DNS/mDNS/UPnP evidence and conservatively falls back to prior plugin OS labels.",
+  // Runs after mDNS (345) and UPnP (346) to have their evidence.
+  priority: 365,
+  requirements: {},
+  protocols: [],
+  ports: [],
+
+  async run(a, b, c) {
+    const { prior, host } = getResultsFromArgs(a, b, c);
+
+    // 1) UPnP → OS from server header
+    const upnp = inferFromUpnp(prior, host);
+    if (upnp) {
+      return {
+        up: true,
+        program: NAME,
+        version: "1",
+        os: upnp.os,
+        osVersion: upnp.osVersion || null,
+        osExtras: upnp.osExtras || {},
+        type: "os",
+        data: upnp.rows
+      };
+    }
+
+    // 2) DNS/BIND → Red Hat family
+    const bind = inferFromBind(prior);
+    if (bind) {
+      return {
+        up: true,
+        program: NAME,
+        version: "1",
+        os: bind.os,
+        osVersion: bind.osVersion || null,
+        osExtras: bind.osExtras || {},
+        type: "os",
+        data: bind.rows
+      };
+    }
+
+    // 3) mDNS → Apple (service/hostname/TXT evidence + address tie)
+    const mdns = inferFromMdns(prior, host);
+    if (mdns) {
+      return {
+        up: true,
+        program: NAME,
+        version: "1",
+        os: mdns.os,
+        osVersion: mdns.osVersion,
+        osExtras: mdns.osExtras,
+        type: "os",
+        data: mdns.rows
+      };
+    }
+
+    // 4) Fallback: use any plugin-provided OS labels (Ping/FTP/etc.)
+    const fb = fallbackFromPluginOs(prior);
+    if (fb) {
+      return {
+        up: true,
+        program: NAME,
+        version: "1",
+        os: fb.os || "Unknown",
+        osVersion: null,
+        osExtras: {},
+        type: "os",
+        data: fb.rows
+      };
+    }
+
+    // Nothing conclusive
+    return {
+      up: true,
+      program: NAME,
+      version: "1",
+      os: "Unknown",
+      osVersion: null,
+      osExtras: {},
+      type: "os",
+      data: [evidenceRow("No decisive OS evidence")]
+    };
+  }
+};