securl 1.4.1

package/dist/network.js

@@ -0,0 +1,139 @@
+import http from "node:http";
+import https from "node:https";
+import { OBSERVATIONAL_TLS_OPTIONS } from "./certificate.js";
+import { REDIRECT_LIMIT, REQUEST_TIMEOUT_MS, TEXT_BODY_LIMIT } from "./scannerConfig.js";
+import { headerValue } from "./utils.js";
+import { assertPublicRequestTarget, createPinnedLookup } from "./network-validation.js";
+export const SCANNER_USER_AGENT = "ExternalPostureInsight/1.0";
+export function requestOnce(targetUrl, method = "HEAD", options = {}) {
+    return requestWithHeaders(targetUrl, method, {}, options);
+}
+export async function requestWithHeaders(targetUrl, method = "HEAD", extraHeaders = {}, options = {}) {
+    const validatedAddresses = await assertPublicRequestTarget(targetUrl);
+    const isHttps = targetUrl.protocol === "https:";
+    const transport = isHttps ? https : http;
+    const startedAt = Date.now();
+    const timeoutMs = options.timeoutMs ?? REQUEST_TIMEOUT_MS;
+    return new Promise((resolve, reject) => {
+        const request = transport.request(targetUrl, {
+            method,
+            ...OBSERVATIONAL_TLS_OPTIONS,
+            lookup: createPinnedLookup(validatedAddresses),
+            headers: {
+                "User-Agent": SCANNER_USER_AGENT,
+                Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+                "Accept-Encoding": "identity",
+                ...extraHeaders,
+            },
+        }, (response) => {
+            response.resume();
+            resolve({
+                statusCode: response.statusCode || 0,
+                headers: response.headers,
+                elapsedMs: Date.now() - startedAt,
+            });
+        });
+        request.on("error", reject);
+        request.setTimeout(timeoutMs, () => {
+            request.destroy(new Error("Request timed out."));
+        });
+        request.end();
+    });
+}
+export async function requestText(targetUrl, extraHeaders = {}, options = {}) {
+    const validatedAddresses = await assertPublicRequestTarget(targetUrl);
+    const isHttps = targetUrl.protocol === "https:";
+    const transport = isHttps ? https : http;
+    const timeoutMs = options.timeoutMs ?? REQUEST_TIMEOUT_MS;
+    return new Promise((resolve, reject) => {
+        const request = transport.request(targetUrl, {
+            method: "GET",
+            ...OBSERVATIONAL_TLS_OPTIONS,
+            lookup: createPinnedLookup(validatedAddresses),
+            headers: {
+                "User-Agent": SCANNER_USER_AGENT,
+                Accept: "text/plain,text/*;q=0.9,*/*;q=0.1",
+                "Accept-Encoding": "identity",
+                ...extraHeaders,
+            },
+        }, (response) => {
+            let body = "";
+            response.setEncoding("utf8");
+            response.on("data", (chunk) => {
+                body += chunk;
+                if (body.length > TEXT_BODY_LIMIT) {
+                    body = body.slice(0, TEXT_BODY_LIMIT);
+                }
+            });
+            response.on("end", () => {
+                resolve({
+                    statusCode: response.statusCode || 0,
+                    headers: response.headers,
+                    body,
+                });
+            });
+        });
+        request.on("error", reject);
+        request.setTimeout(timeoutMs, () => {
+            request.destroy(new Error("Request timed out."));
+        });
+        request.end();
+    });
+}
+function tryParseJson(body) {
+    if (!body)
+        return null;
+    try {
+        return JSON.parse(body);
+    }
+    catch {
+        return null;
+    }
+}
+export async function requestJson(targetUrl, extraHeaders = {}, options = {}) {
+    const response = await requestText(targetUrl, {
+        Accept: "application/json,text/plain;q=0.9,*/*;q=0.1",
+        ...extraHeaders,
+    }, options);
+    return {
+        ...response,
+        json: tryParseJson(response.body),
+    };
+}
+export async function fetchWithRedirects(initialUrl, redirectLimit = REDIRECT_LIMIT, options = {}) {
+    const redirects = [];
+    let currentUrl = initialUrl;
+    let response = await requestOnce(currentUrl, "HEAD", options);
+    if (response.statusCode === 405 || response.statusCode === 403) {
+        response = await requestOnce(currentUrl, "GET", options);
+    }
+    while ([301, 302, 303, 307, 308].includes(response.statusCode) &&
+        headerValue(response.headers, "location") &&
+        redirects.length < redirectLimit) {
+        const location = headerValue(response.headers, "location");
+        redirects.push({
+            url: currentUrl.toString(),
+            status: response.statusCode,
+            statusCode: response.statusCode,
+            location,
+            isHttps: currentUrl.protocol === "https:",
+            secure: currentUrl.protocol === "https:",
+        });
+        currentUrl = new URL(location, currentUrl);
+        // Each hop is validated and IP-pinned inside requestOnce -> assertPublicRequestTarget,
+        // so a redirect cannot be re-pointed at a private address between check and connect.
+        response = await requestOnce(currentUrl, "HEAD", options);
+        if (response.statusCode === 405 || response.statusCode === 403) {
+            response = await requestOnce(currentUrl, "GET", options);
+        }
+    }
+    redirects.push({
+        url: currentUrl.toString(),
+        status: response.statusCode,
+        statusCode: response.statusCode,
+        location: null,
+        isHttps: currentUrl.protocol === "https:",
+        secure: currentUrl.protocol === "https:",
+    });
+    return { finalUrl: currentUrl, redirects, response };
+}

package/dist/passive-intelligence.d.ts

@@ -0,0 +1,21 @@
+import type { AiSurfaceInfo, ApiSurfaceInfo, DomainSecurityInfo, HtmlSecurityInfo, IdentityProviderInfo, InfrastructureInfo, PassiveIntelligenceInfo, PublicSignalsInfo, SecurityTxtInfo, TechnologyResult, ThirdPartyTrustInfo, WafFingerprintInfo } from "./types.js";
+interface PassiveIntelligenceInput {
+    technologies: TechnologyResult[];
+    infrastructure: InfrastructureInfo;
+    thirdPartyTrust: ThirdPartyTrustInfo;
+    htmlSecurity: HtmlSecurityInfo;
+    aiSurface: AiSurfaceInfo;
+    domainSecurity: DomainSecurityInfo;
+    securityTxt: SecurityTxtInfo;
+    publicSignals: PublicSignalsInfo;
+    identityProvider: IdentityProviderInfo;
+    wafFingerprint: WafFingerprintInfo;
+    apiSurface: ApiSurfaceInfo;
+    assessmentLimitation?: {
+        limited: boolean;
+        title: string | null;
+    } | null;
+}
+export declare function buildPassiveIntelligence(input: PassiveIntelligenceInput): PassiveIntelligenceInfo;
+export declare function emptyPassiveIntelligence(reason?: string): PassiveIntelligenceInfo;
+export {};

package/dist/passive-intelligence.js

@@ -0,0 +1,247 @@
+import { unique } from "./utils.js";
+const SOURCE_BOUNDARY = "Passive read only: normal HTTP/TLS responses, public DNS records, public trust records, and visible page assets. No port scanning, brute forcing, login probing, exploit payloads, or bypass attempts are used.";
+const titleCase = (value) => value
+    .split(/[_\s-]+/)
+    .filter(Boolean)
+    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+    .join(" ");
+const describeList = (items, fallback, limit = 3) => {
+    const values = unique(items.filter(Boolean));
+    if (!values.length)
+        return fallback;
+    if (values.length <= limit)
+        return values.join(", ");
+    return `${values.slice(0, limit).join(", ")} +${values.length - limit} more`;
+};
+const categoryRank = {
+    attention: 0,
+    watch: 1,
+    neutral: 2,
+    positive: 3,
+};
+const addSignal = (signals, signal) => {
+    const key = `${signal.category}:${signal.title}:${signal.evidence.join("|")}`;
+    if (signals.some((existing) => `${existing.category}:${existing.title}:${existing.evidence.join("|")}` === key)) {
+        return;
+    }
+    signals.push(signal);
+};
+const confidenceFromTechnologies = (technologies) => {
+    if (technologies.some((technology) => technology.confidence === "high"))
+        return "high";
+    if (technologies.some((technology) => technology.confidence === "medium"))
+        return "medium";
+    return "low";
+};
+const visibleProviderNames = (providers, categories) => unique(providers.filter((provider) => categories.includes(provider.category)).map((provider) => provider.name));
+export function buildPassiveIntelligence(input) {
+    const signals = [];
+    const technologiesByCategory = (category) => input.technologies.filter((technology) => technology.category === category);
+    const networkStack = technologiesByCategory("network");
+    const hostingStack = technologiesByCategory("hosting");
+    const frontendStack = technologiesByCategory("frontend");
+    const serverStack = technologiesByCategory("server");
+    const securityStack = technologiesByCategory("security");
+    if (input.assessmentLimitation?.limited) {
+        addSignal(signals, {
+            category: "exposure",
+            title: "Limited external read",
+            summary: input.assessmentLimitation.title || "The target did not return a normal page response.",
+            confidence: "high",
+            source: "derived",
+            risk: "watch",
+            evidence: [input.assessmentLimitation.title || "Limited assessment"],
+            action: "Treat technology and missing-control observations as partial until a normal trusted response can be read.",
+        });
+    }
+    if (networkStack.length || hostingStack.length || serverStack.length || frontendStack.length) {
+        const stackNames = [
+            ...networkStack,
+            ...hostingStack,
+            ...serverStack,
+            ...frontendStack,
+        ].map((technology) => technology.version ? `${technology.name} ${technology.version}` : technology.name);
+        addSignal(signals, {
+            category: "technology",
+            title: "Visible technology stack",
+            summary: `Public response and asset evidence suggests ${describeList(stackNames, "no obvious stack markers")}.`,
+            confidence: confidenceFromTechnologies([...networkStack, ...hostingStack, ...serverStack, ...frontendStack]),
+            source: "html",
+            risk: "neutral",
+            evidence: stackNames.slice(0, 6),
+            action: "Use this as attribution context only; review exposed framework or server versions where exact versions are visible.",
+        });
+    }
+    if (securityStack.length || input.wafFingerprint.detected || input.infrastructure.providers.length) {
+        const providers = unique([
+            ...input.infrastructure.providers.map((provider) => provider.provider),
+            ...input.wafFingerprint.providers.map((provider) => provider.name),
+            ...securityStack.map((technology) => technology.name),
+        ]);
+        addSignal(signals, {
+            category: "infrastructure",
+            title: "Edge and protection signals",
+            summary: providers.length
+                ? `Passive evidence points to ${describeList(providers, "no obvious edge provider")}.`
+                : "No obvious edge provider was inferred.",
+            confidence: input.wafFingerprint.providers.some((provider) => provider.confidence === "high") ? "high" : "medium",
+            source: "headers",
+            risk: providers.length ? "positive" : "neutral",
+            evidence: providers.slice(0, 6),
+            action: providers.length
+                ? "Confirm security headers are applied consistently behind the edge layer, not only on the landing page."
+                : null,
+        });
+    }
+    const analyticsProviders = visibleProviderNames(input.thirdPartyTrust.providers, ["analytics", "ads"]);
+    const replayProviders = visibleProviderNames(input.thirdPartyTrust.providers, ["session_replay"]);
+    const consentProviders = visibleProviderNames(input.thirdPartyTrust.providers, ["consent"]);
+    const supportProviders = visibleProviderNames(input.thirdPartyTrust.providers, ["support"]);
+    const telemetryProviders = unique([...analyticsProviders, ...replayProviders, ...consentProviders, ...supportProviders]);
+    if (telemetryProviders.length) {
+        addSignal(signals, {
+            category: "telemetry",
+            title: "Visible telemetry and customer-experience tooling",
+            summary: `The page publicly loads ${describeList(telemetryProviders, "visible telemetry tooling")}.`,
+            confidence: "high",
+            source: "asset",
+            risk: replayProviders.length || analyticsProviders.length > 2 ? "watch" : "neutral",
+            evidence: telemetryProviders.slice(0, 8),
+            action: replayProviders.length
+                ? "Check consent, masking, and retention settings for any session replay or behavioural analytics tooling."
+                : "Confirm analytics and consent tooling are intentionally exposed and covered by privacy notices.",
+        });
+    }
+    if (input.thirdPartyTrust.providers.length) {
+        const providerDomains = input.thirdPartyTrust.providers.map((provider) => provider.domain);
+        addSignal(signals, {
+            category: "third_party",
+            title: "Third-party dependency surface",
+            summary: `${input.thirdPartyTrust.totalProviders} third-party provider${input.thirdPartyTrust.totalProviders === 1 ? "" : "s"} were visible from the fetched page.`,
+            confidence: "high",
+            source: "asset",
+            risk: input.thirdPartyTrust.highRiskProviders > 0 ? "watch" : "neutral",
+            evidence: providerDomains.slice(0, 8),
+            action: "Review whether critical security, analytics, payments, and support dependencies are documented and monitored.",
+        });
+    }
+    if (input.aiSurface.detected || input.aiSurface.vendors.length) {
+        addSignal(signals, {
+            category: "ai",
+            title: "AI or support automation surface",
+            summary: input.aiSurface.vendors.length
+                ? `Visible page signals suggest ${describeList(input.aiSurface.vendors.map((vendor) => vendor.name), "AI or automation tooling")}.`
+                : "AI or automation language was visible on the page.",
+            confidence: input.aiSurface.vendors.some((vendor) => vendor.confidence === "high") ? "high" : "medium",
+            source: "html",
+            risk: input.aiSurface.issues.length ? "watch" : "neutral",
+            evidence: [
+                ...input.aiSurface.vendors.map((vendor) => `${vendor.name}: ${vendor.evidence}`),
+                ...input.aiSurface.disclosures,
+            ].slice(0, 6),
+            action: input.aiSurface.issues.length
+                ? "Check disclosure, privacy, and data-handling language for public AI or automation features."
+                : "Keep AI and support automation disclosures aligned with privacy and customer-support practices.",
+        });
+    }
+    const emailEvidence = unique([
+        input.domainSecurity.emailPolicy.spf.status !== "missing"
+            ? `SPF ${input.domainSecurity.emailPolicy.spf.status}`
+            : "SPF missing",
+        input.domainSecurity.emailPolicy.dmarc.status !== "missing"
+            ? `DMARC ${input.domainSecurity.emailPolicy.dmarc.status}`
+            : "DMARC missing",
+        input.domainSecurity.mtaSts.dns ? "MTA-STS present" : "MTA-STS missing",
+        input.domainSecurity.caaRecords.length ? "CAA present" : "CAA missing",
+        input.domainSecurity.dnssec.enabled ? "DNSSEC signed" : "DNSSEC not signed",
+    ]);
+    addSignal(signals, {
+        category: "email",
+        title: "Domain and email trust posture",
+        summary: input.domainSecurity.issues.length
+            ? `${input.domainSecurity.issues.length} domain or email trust signal${input.domainSecurity.issues.length === 1 ? "" : "s"} need attention.`
+            : "Core domain and email trust signals look broadly healthy from public records.",
+        confidence: "high",
+        source: "public_record",
+        risk: input.domainSecurity.issues.length ? "watch" : "positive",
+        evidence: emailEvidence,
+        action: input.domainSecurity.issues.length
+            ? "Prioritise DMARC/SPF/MTA-STS/DNSSEC gaps that align with how important email is for this domain."
+            : null,
+    });
+    const trustEvidence = unique([
+        input.securityTxt.status === "present_valid" ? "security.txt valid" : "security.txt missing or incomplete",
+        `HSTS preload: ${titleCase(input.publicSignals.hstsPreload.status)}`,
+        ...input.htmlSecurity.firstPartyPaths.filter((path) => /privacy|contact|security|support|legal/i.test(path)).slice(0, 5),
+    ]);
+    addSignal(signals, {
+        category: "trust",
+        title: "Public trust and disclosure signals",
+        summary: input.securityTxt.status === "present_valid"
+            ? "A vulnerability disclosure route was visible through security.txt."
+            : "No valid security.txt disclosure route was visible from the standard location.",
+        confidence: "high",
+        source: "public_record",
+        risk: input.securityTxt.status === "present_valid" ? "positive" : "watch",
+        evidence: trustEvidence,
+        action: input.securityTxt.status === "present_valid"
+            ? "Keep disclosure contacts, expiry, and policy links current."
+            : "Publish /.well-known/security.txt with a monitored contact and policy URL.",
+    });
+    if (input.htmlSecurity.passiveLeakSignals.length || input.htmlSecurity.clientExposureSignals.length || input.apiSurface.issues.length) {
+        const exposureSignals = [
+            ...input.htmlSecurity.passiveLeakSignals.map((signal) => signal.title),
+            ...input.htmlSecurity.clientExposureSignals.map((signal) => signal.title),
+            ...input.apiSurface.issues,
+        ];
+        addSignal(signals, {
+            category: "exposure",
+            title: "Client-visible exposure clues",
+            summary: `${exposureSignals.length} client-visible exposure signal${exposureSignals.length === 1 ? "" : "s"} were observed in the fetched page or public API hints.`,
+            confidence: "medium",
+            source: "html",
+            risk: input.htmlSecurity.passiveLeakSignals.some((signal) => signal.severity === "warning") ? "attention" : "watch",
+            evidence: exposureSignals.slice(0, 8),
+            action: "Review exposed client configuration, public endpoint references, source maps, and token-like values for intended visibility.",
+        });
+    }
+    const orderedSignals = signals.sort((a, b) => categoryRank[a.risk] - categoryRank[b.risk]);
+    const stackSummary = describeList(unique([
+        ...networkStack.map((technology) => technology.name),
+        ...hostingStack.map((technology) => technology.name),
+        ...serverStack.map((technology) => technology.name),
+        ...frontendStack.map((technology) => technology.name),
+    ]), "No confident technology stack was inferred from passive evidence.");
+    const telemetrySummary = telemetryProviders.length
+        ? `Visible telemetry/customer tooling: ${describeList(telemetryProviders, "none")}.`
+        : "No prominent analytics, consent, support, or session-replay tooling was identified from visible assets.";
+    const trustSummary = orderedSignals.some((signal) => signal.risk === "attention" || signal.risk === "watch")
+        ? "Several public trust, exposure, or dependency signals deserve review."
+        : "Passive intelligence did not surface major public trust or exposure concerns.";
+    return {
+        postureRead: orderedSignals.some((signal) => signal.risk === "attention")
+            ? "Passive intelligence found public signals that should be reviewed."
+            : orderedSignals.some((signal) => signal.risk === "watch")
+                ? "Passive intelligence found useful context and a few watch items."
+                : "Passive intelligence found useful context without obvious concerns.",
+        stackSummary,
+        telemetrySummary,
+        trustSummary,
+        collectionBoundary: SOURCE_BOUNDARY,
+        signals: orderedSignals,
+        issues: orderedSignals.filter((signal) => signal.risk === "attention" || signal.risk === "watch").map((signal) => signal.summary),
+        strengths: orderedSignals.filter((signal) => signal.risk === "positive").map((signal) => signal.summary),
+    };
+}
+export function emptyPassiveIntelligence(reason = "Passive intelligence was not available for this scan.") {
+    return {
+        postureRead: reason,
+        stackSummary: "No passive stack summary is available.",
+        telemetrySummary: "No passive telemetry summary is available.",
+        trustSummary: "No passive trust summary is available.",
+        collectionBoundary: SOURCE_BOUNDARY,
+        signals: [],
+        issues: [],
+        strengths: [],
+    };
+}

package/dist/path-discovery.d.ts

@@ -0,0 +1,4 @@
+export declare function isLikelyPagePath(pathname: string): boolean;
+export declare function scorePagePath(pathname: string): number;
+export declare function normalizeDiscoveredPath(value: string | undefined | null, finalUrl: URL): string | null;
+export declare function rankDiscoveredPaths(paths: Array<string | null | undefined | false>): string[];

package/dist/path-discovery.js

@@ -0,0 +1,50 @@
+import { DISCOVERY_PATH_LIMIT } from "./scannerConfig.js";
+import { unique } from "./utils.js";
+const PAGE_PATH_PRIORITY_PATTERNS = [
+    /\/login/i,
+    /\/account/i,
+    /\/dashboard/i,
+    /\/admin/i,
+    /\/app/i,
+    /\/portal/i,
+    /\/signin/i,
+    /\/auth/i,
+    /\/support/i,
+    /\/contact/i,
+    /\/security/i,
+];
+export function isLikelyPagePath(pathname) {
+    if (!pathname || pathname === "/") {
+        return false;
+    }
+    return !/\.(?:css|js|mjs|json|xml|txt|ico|png|jpe?g|gif|svg|webp|avif|woff2?|ttf|eot|map|pdf|zip|gz|mp4|webm)$/i.test(pathname);
+}
+export function scorePagePath(pathname) {
+    return PAGE_PATH_PRIORITY_PATTERNS.reduce((score, pattern, index) => {
+        if (pattern.test(pathname)) {
+            return score + (PAGE_PATH_PRIORITY_PATTERNS.length - index) * 10;
+        }
+        return score;
+    }, pathname.split("/").filter(Boolean).length <= 2 ? 5 : 0);
+}
+export function normalizeDiscoveredPath(value, finalUrl) {
+    if (!value || /^(mailto|tel|javascript):/i.test(value)) {
+        return null;
+    }
+    try {
+        const resolved = new URL(value, finalUrl);
+        if (resolved.origin !== finalUrl.origin || !isLikelyPagePath(resolved.pathname)) {
+            return null;
+        }
+        const normalizedPath = `${resolved.pathname}${resolved.search}`;
+        return normalizedPath.length <= 120 ? normalizedPath : resolved.pathname;
+    }
+    catch {
+        return null;
+    }
+}
+export function rankDiscoveredPaths(paths) {
+    return unique(paths)
+        .sort((left, right) => scorePagePath(right) - scorePagePath(left))
+        .slice(0, DISCOVERY_PATH_LIMIT);
+}

package/dist/postureDigest.d.ts

@@ -0,0 +1,142 @@
+import type { AnalysisResult } from "./types.js";
+export declare function buildPostureDigest(analysis: AnalysisResult, { findingLimit }?: {
+    findingLimit?: number;
+}): {
+    generatedAt: string;
+    target: {
+        inputUrl: string;
+        finalUrl: string;
+        host: string;
+        statusCode: number;
+        responseTimeMs: number;
+        scannedAt: string;
+    };
+    posture: {
+        score: number;
+        grade: string;
+        summary: string;
+        overview: string;
+        mainRisk: string;
+        posture: "strong" | "weak" | "mixed";
+        takeaways: string[];
+        limited: boolean;
+        limitedKind: "other" | "blocked_edge_response" | "auth_required" | "rate_limited" | "service_unavailable";
+        limitation: import("./types.js").AssessmentLimitation;
+        scoreDrivers: import("./types.js").ScoreDriver[];
+    };
+    findings: {
+        total: number;
+        bySeverity: {
+            critical: number;
+            warning: number;
+            info: number;
+        };
+        top: {
+            severity: "info" | "warning" | "critical";
+            title: string;
+            detail: string;
+            confidence: import("./types.js").IssueConfidence;
+            source: import("./types.js").IssueSource;
+            owasp: import("./types.js").OwaspCategory[];
+            mitre: import("./types.js").MitreRelevance[];
+        }[];
+    };
+    remediationPlan: {
+        summary: string;
+        totalActions: number;
+        highImpactActions: number;
+        quickWins: number;
+        topActions: {
+            id: string;
+            priority: number;
+            title: string;
+            owner: import("./types.js").RemediationOwner;
+            effort: import("./types.js").RemediationEffort;
+            impact: import("./types.js").RemediationImpact;
+            action: string;
+            verify: string;
+            relatedFindings: string[];
+        }[];
+    };
+    controls: {
+        headers: {
+            total: number;
+            missing: number;
+            warning: number;
+            present: number;
+        };
+        cookies: {
+            total: number;
+            issues: string[];
+        };
+        tls: {
+            available: boolean;
+            valid: boolean;
+            authorized: boolean;
+            issuer: string;
+            daysRemaining: number;
+            issues: string[];
+        };
+    };
+    surface: {
+        redirects: {
+            totalHops: number;
+            hasMixedRedirect: boolean;
+            crossesDomain: boolean;
+            issues: string[];
+        };
+        exposure: {
+            issues: string[];
+            interesting: number;
+            exposed: number;
+        };
+        api: {
+            issues: string[];
+            public: number;
+            interesting: number;
+        };
+        cors: {
+            issues: string[];
+            allowCredentials: string;
+            allowedOrigin: string;
+        };
+    };
+    trust: {
+        domainSecurity: {
+            emailDeliverabilityScore: {
+                score: number;
+                grade: "A" | "B" | "C" | "D" | "F";
+                breakdown: Record<string, number>;
+            };
+            issues: string[];
+            strengths: string[];
+        };
+        securityTxt: {
+            status: import("./types.js").SecurityTxtStatus;
+            contact: string[];
+        };
+        thirdParty: {
+            providers: string[];
+            highRiskProviders: number;
+            issues: string[];
+        };
+        identityProvider: string;
+        wafProviders: string[];
+        infrastructureProviders: string[];
+    };
+    intelligence: {
+        passiveRead: string;
+        compromisePosture: "no_public_ioc" | "review_recommended" | "suspicious" | "reputation_flagged" | "not_assessed";
+        compromiseSummary: string;
+        riskIndicators: {
+            severity: "info" | "warning" | "critical" | "watch";
+            category: "infrastructure" | "exposure" | "credential_collection" | "script_anomaly" | "supply_chain" | "reputation";
+            title: string;
+            detail: string;
+            confidence: import("./types.js").IssueConfidence;
+        }[];
+        ctPriorityHosts: string[];
+        aiVendors: string[];
+    };
+    timing: import("./types.js").ScanTimingInfo;
+};