whopper 0.4.0 → 0.5.2

package/dist/analyzer/apply.js

@@ -1,4 +1,4 @@
-import { matchString } from "./match.js";
+import { matchString, truncateBodyForEvidence } from "./match.js";
 function isFirstPartyResponse(response) {
     return response.isFirstParty ?? true;
 }
@@ -113,7 +113,7 @@ export const applySignature = (context, signature) => {
                 }
                 evidences.push({
                     type: "body",
-                    value: `${body.substring(0, 100)}...`,
+                    value: truncateBodyForEvidence(body),
                     version: result.version,
                     confidence: rule.confidence,
                     host: response.host,

package/dist/analyzer/apply.js.map

@@ -1 +1 @@
-{"version":3,"file":"apply.js","sourceRoot":"","sources":["../../src/analyzer/apply.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC,SAAS,oBAAoB,CAAC,QAAkB;IAC9C,OAAO,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC;AACvC,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAkC;IAC5D,OAAO,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC;AACrC,CAAC;AAED,SAAS,qBAAqB,CAAC,WAA+B;IAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,gBAAgB,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACnD,OAAO,CACL,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC;QAClC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC;QACvC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC;QACvC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC;QACjC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CACjC,CAAC;AACJ,CAAC;AAED,SAAS,kCAAkC,CAAC,WAAmB;IAC7D,MAAM,gBAAgB,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACnD,OAAO,CACL,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC;QACrC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC;QACvC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC,CACxC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,SAAoB;IACxC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACzE,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACzE,OAAO,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;AACxD,CAAC;AAED,SAAS,cAAc,CAAC,SAAoB;IAC1C,OAAO,SAAS,CAAC,OAAO,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAkB,EAAE,OAAgB;IAC9D,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACrD,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,oBAAoB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,WAAW,CAAC,CAAC,CAAC,kCAAkC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/E,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAG,CAC5B,OAAgB,EAChB,SAAoB,EACG,EAAE;IACzB,IAAI,SAAS,GAAe,EAAE,CAAC;IAC/B,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;IAC5B,MAAM,OAAO,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,YAAY,GAAG,OAAO,CAAC,SAAS,CAAC;IACvC,MAAM,mBAAmB,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC3E,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAErE,aAAa;IACb,IAAI,IAAI,EAAE,IAAI,EAAE,CAAC;QACf,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;gBACpC,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;oBAC5D,SAAS;gBACX,CAAC;gBACD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC;gBACzB,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBACvC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;oBAChB,SAAS;gBACX,CAAC;gBAED,SAAS,CAAC,IAAI,CAAC;oBACb,IAAI,EAAE,KAAK;oBACX,KAAK,EAAE,GAAG;oBACV,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI;oBACnB,SAAS,EAAE,QAAQ,CAAC,GAAG;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;QAClB,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;YACvC,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;YAC3E,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,SAAS;YACX,CAAC;YAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAE,CAAC;YACjD,MAAM,MAAM,GAAG,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC/C,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,GAAG,MAAM,KAAK,WAAW,EAAE;gBAClC,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,SAAS,EAAE,QAAQ,CAAC,GAAG;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,eAAe;IACf,IAAI,IAAI,EAAE,MAAM,EAAE,CAAC;QACjB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;gBACpC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;oBAC3C,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC;gBACjC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,SAAS;gBACX,CAAC;gBACD,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;gBACxC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;oBAChB,SAAS;gBACX,CAAC;gBAED,SAAS,CAAC,IAAI,CAAC;oBACb,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,KAAK;oBACrC,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI;oBACnB,SAAS,EAAE,QAAQ,CAAC,GAAG;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;QAClB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACzD,MAAM,eAAe,GAAG,IAAI,MAAM,CAAC,OAAO,IAAI,IAAI,EAAE,GAAG,CAAC,CAAC;YACzD,MAAM,MAAM,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3E,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,GAAG,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,KAAK,EAAE;gBACxC,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,IAAI,EAAE,mBAAmB,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACrE,MAAM,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;YAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;YACzB,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtB,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnE,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,GAAG,IAAI,KAAK,MAAM,EAAE;gBAC3B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,IAAI,EAAE,2BAA2B,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;QAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,2BAA2B,CAAC,KAAK,CACvD,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,SAAS,CACrC,CAAC;QACF,MAAM,oBAAoB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;QACxE,IAAI,CAAC,UAAU,IAAI,CAAC,oBAAoB,EAAE,CAAC;YACzC,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,SAAS;SACV,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC"}
+{"version":3,"file":"apply.js","sourceRoot":"","sources":["../../src/analyzer/apply.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAElE,SAAS,oBAAoB,CAAC,QAAkB;IAC9C,OAAO,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC;AACvC,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAkC;IAC5D,OAAO,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC;AACrC,CAAC;AAED,SAAS,qBAAqB,CAAC,WAA+B;IAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,gBAAgB,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACnD,OAAO,CACL,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC;QAClC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC;QACvC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC;QACvC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC;QACjC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CACjC,CAAC;AACJ,CAAC;AAED,SAAS,kCAAkC,CAAC,WAAmB;IAC7D,MAAM,gBAAgB,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACnD,OAAO,CACL,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC;QACrC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC;QACvC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC,CACxC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,SAAoB;IACxC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACzE,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACzE,OAAO,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;AACxD,CAAC;AAED,SAAS,cAAc,CAAC,SAAoB;IAC1C,OAAO,SAAS,CAAC,OAAO,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAkB,EAAE,OAAgB;IAC9D,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACrD,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,oBAAoB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,WAAW,CAAC,CAAC,CAAC,kCAAkC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/E,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAG,CAC5B,OAAgB,EAChB,SAAoB,EACG,EAAE;IACzB,IAAI,SAAS,GAAe,EAAE,CAAC;IAC/B,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;IAC5B,MAAM,OAAO,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,YAAY,GAAG,OAAO,CAAC,SAAS,CAAC;IACvC,MAAM,mBAAmB,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC3E,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAErE,aAAa;IACb,IAAI,IAAI,EAAE,IAAI,EAAE,CAAC;QACf,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;gBACpC,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;oBAC5D,SAAS;gBACX,CAAC;gBACD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC;gBACzB,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBACvC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;oBAChB,SAAS;gBACX,CAAC;gBAED,SAAS,CAAC,IAAI,CAAC;oBACb,IAAI,EAAE,KAAK;oBACX,KAAK,EAAE,GAAG;oBACV,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI;oBACnB,SAAS,EAAE,QAAQ,CAAC,GAAG;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;QAClB,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;YACvC,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;YAC3E,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,SAAS;YACX,CAAC;YAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAE,CAAC;YACjD,MAAM,MAAM,GAAG,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC/C,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,GAAG,MAAM,KAAK,WAAW,EAAE;gBAClC,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,SAAS,EAAE,QAAQ,CAAC,GAAG;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,eAAe;IACf,IAAI,IAAI,EAAE,MAAM,EAAE,CAAC;QACjB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;gBACpC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;oBAC3C,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC;gBACjC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,SAAS;gBACX,CAAC;gBACD,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;gBACxC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;oBAChB,SAAS;gBACX,CAAC;gBAED,SAAS,CAAC,IAAI,CAAC;oBACb,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,uBAAuB,CAAC,IAAI,CAAC;oBACpC,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI;oBACnB,SAAS,EAAE,QAAQ,CAAC,GAAG;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;QAClB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACzD,MAAM,eAAe,GAAG,IAAI,MAAM,CAAC,OAAO,IAAI,IAAI,EAAE,GAAG,CAAC,CAAC;YACzD,MAAM,MAAM,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3E,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,GAAG,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,KAAK,EAAE;gBACxC,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,IAAI,EAAE,mBAAmB,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACrE,MAAM,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;YAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;YACzB,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtB,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnE,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,GAAG,IAAI,KAAK,MAAM,EAAE;gBAC3B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,IAAI,EAAE,2BAA2B,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;QAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,2BAA2B,CAAC,KAAK,CACvD,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,SAAS,CACrC,CAAC;QACF,MAAM,oBAAoB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;QACxE,IAAI,CAAC,UAAU,IAAI,CAAC,oBAAoB,EAAE,CAAC;YACzC,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,SAAS;SACV,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC"}

package/dist/analyzer/match.d.ts

@@ -4,5 +4,6 @@ type MatchResult = {
     version: string | undefined;
 };
 export declare const matchString: (value: string, regex: Regex) => MatchResult;
+export declare const truncateBodyForEvidence: (body: string) => string;
 export {};
 //# sourceMappingURL=match.d.ts.map

package/dist/analyzer/match.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"match.d.ts","sourceRoot":"","sources":["../../src/analyzer/match.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAErD,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE,OAAO,CAAC;IACb,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,WAAW,GAAI,OAAO,MAAM,EAAE,OAAO,KAAK,KAAG,WAQzD,CAAC"}
+{"version":3,"file":"match.d.ts","sourceRoot":"","sources":["../../src/analyzer/match.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAErD,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE,OAAO,CAAC;IACb,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,WAAW,GAAI,OAAO,MAAM,EAAE,OAAO,KAAK,KAAG,WAQzD,CAAC;AAEF,eAAO,MAAM,uBAAuB,GAAI,MAAM,MAAM,KAAG,MACvB,CAAC"}

package/dist/analyzer/match.js

@@ -6,4 +6,5 @@ export const matchString = (value, regex) => {
     }
     return { hit: false, version: undefined };
 };
+export const truncateBodyForEvidence = (body) => `${body.substring(0, 100)}...`;
 //# sourceMappingURL=match.js.map

package/dist/analyzer/match.js.map

@@ -1 +1 @@
-{"version":3,"file":"match.js","sourceRoot":"","sources":["../../src/analyzer/match.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,KAAa,EAAE,KAAY,EAAe,EAAE;IACtE,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACxC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;IACzE,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAC5C,CAAC,CAAC"}
+{"version":3,"file":"match.js","sourceRoot":"","sources":["../../src/analyzer/match.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,KAAa,EAAE,KAAY,EAAe,EAAE;IACtE,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACxC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;IACzE,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAC5C,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,IAAY,EAAU,EAAE,CAC9D,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,KAAK,CAAC"}

package/dist/browser/active_scan.d.ts

@@ -0,0 +1,5 @@
+import type { APIRequestContext } from "playwright";
+import type { Response } from "./types.js";
+export declare function isRelativePath(path: string): boolean;
+export declare function fetchActiveRule(baseUrl: string, path: string, request: APIRequestContext, timeoutMs: number): Promise<Response | null>;
+//# sourceMappingURL=active_scan.d.ts.map

package/dist/browser/active_scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"active_scan.d.ts","sourceRoot":"","sources":["../../src/browser/active_scan.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAG3C,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEpD;AAQD,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,iBAAiB,EAC1B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAkE1B"}

package/dist/browser/active_scan.js

@@ -0,0 +1,73 @@
+import { logger } from "../logger/index.js";
+import { getHostFromUrl, isFirstPartyHost, isSameHost } from "./utils.js";
+export function isRelativePath(path) {
+    return !/^[a-z][a-z0-9+.-]*:/i.test(path) && !path.startsWith("//");
+}
+const MAX_REDIRECT_HOPS = 3;
+function isRedirectStatus(status) {
+    return status >= 300 && status < 400;
+}
+export async function fetchActiveRule(baseUrl, path, request, timeoutMs) {
+    if (!isRelativePath(path)) {
+        logger.warn(`Active scan path must be relative: ${path}`);
+        return null;
+    }
+    let url;
+    try {
+        url = new URL(path, baseUrl).toString();
+    }
+    catch {
+        logger.warn(`Invalid active scan baseUrl or path: baseUrl=${baseUrl}, path=${path}`);
+        return null;
+    }
+    const pageHost = getHostFromUrl(baseUrl) ?? "";
+    try {
+        for (let hop = 0; hop <= MAX_REDIRECT_HOPS; hop++) {
+            logger.info(`Active scan request: ${url}`);
+            const res = await request.get(url, {
+                timeout: timeoutMs,
+                maxRedirects: 0,
+            });
+            const status = res.status();
+            const location = res.headers()["location"];
+            if (isRedirectStatus(status) && location) {
+                if (hop === MAX_REDIRECT_HOPS) {
+                    logger.warn(`Active scan exceeded redirect limit: ${url}`);
+                    return null;
+                }
+                let nextUrl;
+                try {
+                    nextUrl = new URL(location, url).toString();
+                }
+                catch {
+                    logger.warn(`Active scan invalid redirect location: ${location}`);
+                    return null;
+                }
+                const nextHost = getHostFromUrl(nextUrl) ?? "";
+                if (!nextHost || !isSameHost(pageHost, nextHost)) {
+                    logger.warn(`Active scan redirect to non-same-host blocked: ${nextUrl}`);
+                    return null;
+                }
+                url = nextUrl;
+                continue;
+            }
+            const host = getHostFromUrl(url) ?? "";
+            const body = await res.text().catch(() => "");
+            return {
+                url,
+                host,
+                isFirstParty: host ? isFirstPartyHost(pageHost, host) : false,
+                status,
+                headers: res.headers(),
+                body,
+            };
+        }
+        return null;
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        logger.warn(`Active scan fetch failed (${url}): ${message.split("\n")[0]}`);
+        return null;
+    }
+}
+//# sourceMappingURL=active_scan.js.map

package/dist/browser/active_scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"active_scan.js","sourceRoot":"","sources":["../../src/browser/active_scan.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE1E,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,CAAC,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAE5B,SAAS,gBAAgB,CAAC,MAAc;IACtC,OAAO,MAAM,IAAI,GAAG,IAAI,MAAM,GAAG,GAAG,CAAC;AACvC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAe,EACf,IAAY,EACZ,OAA0B,EAC1B,SAAiB;IAEjB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,sCAAsC,IAAI,EAAE,CAAC,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,IAAI,CAAC,gDAAgD,OAAO,UAAU,IAAI,EAAE,CAAC,CAAC;QACrF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC;QACH,KAAK,IAAI,GAAG,GAAG,CAAC,EAAE,GAAG,IAAI,iBAAiB,EAAE,GAAG,EAAE,EAAE,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC;YAC3C,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE;gBACjC,OAAO,EAAE,SAAS;gBAClB,YAAY,EAAE,CAAC;aAChB,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC;YAC3C,IAAI,gBAAgB,CAAC,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzC,IAAI,GAAG,KAAK,iBAAiB,EAAE,CAAC;oBAC9B,MAAM,CAAC,IAAI,CAAC,wCAAwC,GAAG,EAAE,CAAC,CAAC;oBAC3D,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,IAAI,OAAe,CAAC;gBACpB,IAAI,CAAC;oBACH,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;gBAC9C,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,CAAC,IAAI,CAAC,0CAA0C,QAAQ,EAAE,CAAC,CAAC;oBAClE,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAC/C,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;oBACjD,MAAM,CAAC,IAAI,CACT,kDAAkD,OAAO,EAAE,CAC5D,CAAC;oBACF,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,GAAG,GAAG,OAAO,CAAC;gBACd,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YAC9C,OAAO;gBACL,GAAG;gBACH,IAAI;gBACJ,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK;gBAC7D,MAAM;gBACN,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;gBACtB,IAAI;aACL,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3D,MAAM,CAAC,IAAI,CACT,6BAA6B,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAC/D,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/browser/active_scan.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=active_scan.test.d.ts.map

package/dist/browser/active_scan.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"active_scan.test.d.ts","sourceRoot":"","sources":["../../src/browser/active_scan.test.ts"],"names":[],"mappings":""}

package/dist/browser/active_scan.test.js

@@ -0,0 +1,207 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { fetchActiveRule } from "./active_scan.js";
+const mockRequest = (impl) => {
+    return {
+        get: vi.fn(async (url) => impl(url)),
+    };
+};
+describe("fetchActiveRule", () => {
+    beforeEach(() => {
+        vi.restoreAllMocks();
+    });
+    it("fetches a relative path resolved against the base URL", async () => {
+        const request = mockRequest((url) => {
+            expect(url).toBe("https://example.com/magento_version");
+            return {
+                status: () => 200,
+                text: async () => "Magento/2.4 (Community)",
+                headers: () => ({ "content-type": "text/plain" }),
+            };
+        });
+        const res = await fetchActiveRule("https://example.com/some/page", "/magento_version", request, 5000);
+        expect(res?.url).toBe("https://example.com/magento_version");
+        expect(res?.status).toBe(200);
+        expect(res?.body).toBe("Magento/2.4 (Community)");
+        expect(res?.host).toBe("example.com");
+        expect(res?.isFirstParty).toBe(true);
+    });
+    it("rejects absolute URLs", async () => {
+        const request = mockRequest(() => {
+            throw new Error("should not be called");
+        });
+        const res = await fetchActiveRule("https://example.com/", "https://evil.example/x", request, 5000);
+        expect(res).toBeNull();
+    });
+    it("rejects protocol-relative paths", async () => {
+        const request = mockRequest(() => {
+            throw new Error("should not be called");
+        });
+        const res = await fetchActiveRule("https://example.com/", "//evil.example/x", request, 5000);
+        expect(res).toBeNull();
+    });
+    it("returns null when the request throws", async () => {
+        const request = mockRequest(() => {
+            throw new Error("network down");
+        });
+        const res = await fetchActiveRule("https://example.com/", "/magento_version", request, 5000);
+        expect(res).toBeNull();
+    });
+    describe("URL resolution with /path (host root)", () => {
+        const cases = [
+            {
+                base: "https://example.com/",
+                expected: "https://example.com/magento_version",
+                note: "root",
+            },
+            {
+                base: "https://www.example.com/en/",
+                expected: "https://www.example.com/magento_version",
+                note: "redirected to subpath ignores subpath",
+            },
+            {
+                base: "https://example.com/shop/catalog/item",
+                expected: "https://example.com/magento_version",
+                note: "deep path ignored",
+            },
+        ];
+        for (const { base, expected, note } of cases) {
+            it(`resolves '/magento_version' on ${note} (${base})`, async () => {
+                let called = "";
+                const request = mockRequest((url) => {
+                    called = url;
+                    return {
+                        status: () => 200,
+                        text: async () => "Magento/2.4",
+                        headers: () => ({}),
+                    };
+                });
+                await fetchActiveRule(base, "/magento_version", request, 5000);
+                expect(called).toBe(expected);
+            });
+        }
+    });
+    describe("URL resolution with ./path", () => {
+        const cases = [
+            {
+                base: "https://example.com/",
+                expected: "https://example.com/magento_version",
+                note: "root",
+            },
+            {
+                base: "https://example.com/shop/",
+                expected: "https://example.com/shop/magento_version",
+                note: "subpath with trailing slash",
+            },
+            {
+                base: "https://example.com/shop",
+                expected: "https://example.com/magento_version",
+                note: "subpath without trailing slash (treated as file)",
+            },
+            {
+                base: "https://example.com/index.html",
+                expected: "https://example.com/magento_version",
+                note: "file at root",
+            },
+            {
+                base: "https://example.com/shop/index.html",
+                expected: "https://example.com/shop/magento_version",
+                note: "file under subpath",
+            },
+        ];
+        for (const { base, expected, note } of cases) {
+            it(`resolves './magento_version' on ${note} (${base})`, async () => {
+                let called = "";
+                const request = mockRequest((url) => {
+                    called = url;
+                    return {
+                        status: () => 200,
+                        text: async () => "Magento/2.4",
+                        headers: () => ({}),
+                    };
+                });
+                await fetchActiveRule(base, "./magento_version", request, 5000);
+                expect(called).toBe(expected);
+            });
+        }
+    });
+    it("returns null when baseUrl is not a valid absolute URL", async () => {
+        const request = mockRequest(() => {
+            throw new Error("should not be called");
+        });
+        const res = await fetchActiveRule("not-a-url", "./magento_version", request, 5000);
+        expect(res).toBeNull();
+    });
+    it("follows a same-host redirect and returns the final response", async () => {
+        const calls = [];
+        const request = mockRequest((url) => {
+            calls.push(url);
+            if (url === "https://example.com/magento_version") {
+                return {
+                    status: () => 302,
+                    text: async () => "",
+                    headers: () => ({ location: "/en/magento_version" }),
+                };
+            }
+            return {
+                status: () => 200,
+                text: async () => "Magento/2.4.6",
+                headers: () => ({}),
+            };
+        });
+        const res = await fetchActiveRule("https://example.com/", "/magento_version", request, 5000);
+        expect(calls).toEqual([
+            "https://example.com/magento_version",
+            "https://example.com/en/magento_version",
+        ]);
+        expect(res?.url).toBe("https://example.com/en/magento_version");
+        expect(res?.status).toBe(200);
+        expect(res?.body).toBe("Magento/2.4.6");
+    });
+    it("blocks redirects to a sibling subdomain even if same registrable domain", async () => {
+        const request = mockRequest((url) => {
+            if (url === "https://app.example.com/magento_version") {
+                return {
+                    status: () => 302,
+                    text: async () => "",
+                    headers: () => ({ location: "https://cdn.example.com/magento_version" }),
+                };
+            }
+            throw new Error("should not follow cross-host redirect");
+        });
+        const res = await fetchActiveRule("https://app.example.com/", "/magento_version", request, 5000);
+        expect(res).toBeNull();
+    });
+    it("blocks redirects to a third-party host", async () => {
+        const request = mockRequest((url) => {
+            if (url === "https://example.com/magento_version") {
+                return {
+                    status: () => 302,
+                    text: async () => "",
+                    headers: () => ({ location: "https://evil.example/magento_version" }),
+                };
+            }
+            throw new Error("should not follow cross-host redirect");
+        });
+        const res = await fetchActiveRule("https://example.com/", "/magento_version", request, 5000);
+        expect(res).toBeNull();
+    });
+    it("stops after exceeding the redirect hop limit", async () => {
+        const request = mockRequest(() => ({
+            status: () => 302,
+            text: async () => "",
+            headers: () => ({ location: "/loop" }),
+        }));
+        const res = await fetchActiveRule("https://example.com/", "/magento_version", request, 5000);
+        expect(res).toBeNull();
+    });
+    it("returns response even on non-200 status (caller decides)", async () => {
+        const request = mockRequest(() => ({
+            status: () => 404,
+            text: async () => "",
+            headers: () => ({}),
+        }));
+        const res = await fetchActiveRule("https://example.com/", "/magento_version", request, 5000);
+        expect(res?.status).toBe(404);
+    });
+});
+//# sourceMappingURL=active_scan.test.js.map

package/dist/browser/active_scan.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"active_scan.test.js","sourceRoot":"","sources":["../../src/browser/active_scan.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAE9D,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAQnD,MAAM,WAAW,GAAG,CAAC,IAA2D,EAAE,EAAE;IAClF,OAAO;QACL,GAAG,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;KACb,CAAC;AACpC,CAAC,CAAC;AAEF,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,eAAe,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,GAAG,EAAE,EAAE;YAClC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACxD,OAAO;gBACL,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;gBACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,yBAAyB;gBAC3C,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC;aAClD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,+BAA+B,EAC/B,kBAAkB,EAClB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACtC,MAAM,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;QACrC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE;YAC/B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,sBAAsB,EACtB,wBAAwB,EACxB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE;YAC/B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,sBAAsB,EACtB,kBAAkB,EAClB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE;YAC/B,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,sBAAsB,EACtB,kBAAkB,EAClB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;QACrD,MAAM,KAAK,GAA4D;YACrE;gBACE,IAAI,EAAE,sBAAsB;gBAC5B,QAAQ,EAAE,qCAAqC;gBAC/C,IAAI,EAAE,MAAM;aACb;YACD;gBACE,IAAI,EAAE,6BAA6B;gBACnC,QAAQ,EAAE,yCAAyC;gBACnD,IAAI,EAAE,uCAAuC;aAC9C;YACD;gBACE,IAAI,EAAE,uCAAuC;gBAC7C,QAAQ,EAAE,qCAAqC;gBAC/C,IAAI,EAAE,mBAAmB;aAC1B;SACF,CAAC;QAEF,KAAK,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,KAAK,EAAE,CAAC;YAC7C,EAAE,CAAC,kCAAkC,IAAI,KAAK,IAAI,GAAG,EAAE,KAAK,IAAI,EAAE;gBAChE,IAAI,MAAM,GAAG,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,GAAG,EAAE,EAAE;oBAClC,MAAM,GAAG,GAAG,CAAC;oBACb,OAAO;wBACL,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;wBACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,aAAa;wBAC/B,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;qBACpB,CAAC;gBACJ,CAAC,CAAC,CAAC;gBAEH,MAAM,eAAe,CAAC,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;gBAC/D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAChC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;QAC1C,MAAM,KAAK,GAA4D;YACrE;gBACE,IAAI,EAAE,sBAAsB;gBAC5B,QAAQ,EAAE,qCAAqC;gBAC/C,IAAI,EAAE,MAAM;aACb;YACD;gBACE,IAAI,EAAE,2BAA2B;gBACjC,QAAQ,EAAE,0CAA0C;gBACpD,IAAI,EAAE,6BAA6B;aACpC;YACD;gBACE,IAAI,EAAE,0BAA0B;gBAChC,QAAQ,EAAE,qCAAqC;gBAC/C,IAAI,EAAE,kDAAkD;aACzD;YACD;gBACE,IAAI,EAAE,gCAAgC;gBACtC,QAAQ,EAAE,qCAAqC;gBAC/C,IAAI,EAAE,cAAc;aACrB;YACD;gBACE,IAAI,EAAE,qCAAqC;gBAC3C,QAAQ,EAAE,0CAA0C;gBACpD,IAAI,EAAE,oBAAoB;aAC3B;SACF,CAAC;QAEF,KAAK,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,KAAK,EAAE,CAAC;YAC7C,EAAE,CAAC,mCAAmC,IAAI,KAAK,IAAI,GAAG,EAAE,KAAK,IAAI,EAAE;gBACjE,IAAI,MAAM,GAAG,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,GAAG,EAAE,EAAE;oBAClC,MAAM,GAAG,GAAG,CAAC;oBACb,OAAO;wBACL,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;wBACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,aAAa;wBAC/B,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;qBACpB,CAAC;gBACJ,CAAC,CAAC,CAAC;gBAEH,MAAM,eAAe,CAAC,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;gBAChE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAChC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE;YAC/B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,WAAW,EACX,mBAAmB,EACnB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;QAC3E,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,GAAG,EAAE,EAAE;YAClC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAChB,IAAI,GAAG,KAAK,qCAAqC,EAAE,CAAC;gBAClD,OAAO;oBACL,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;oBACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;oBACpB,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,qBAAqB,EAAE,CAAC;iBACrD,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;gBACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,eAAe;gBACjC,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;aACpB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,sBAAsB,EACtB,kBAAkB,EAClB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC;YACpB,qCAAqC;YACrC,wCAAwC;SACzC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;QAChE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yEAAyE,EAAE,KAAK,IAAI,EAAE;QACvF,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,GAAG,EAAE,EAAE;YAClC,IAAI,GAAG,KAAK,yCAAyC,EAAE,CAAC;gBACtD,OAAO;oBACL,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;oBACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;oBACpB,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,yCAAyC,EAAE,CAAC;iBACzE,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,0BAA0B,EAC1B,kBAAkB,EAClB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,GAAG,EAAE,EAAE;YAClC,IAAI,GAAG,KAAK,qCAAqC,EAAE,CAAC;gBAClD,OAAO;oBACL,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;oBACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;oBACpB,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,sCAAsC,EAAE,CAAC;iBACtE,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,sBAAsB,EACtB,kBAAkB,EAClB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC;YACjC,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;YACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;YACpB,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;SACvC,CAAC,CAAC,CAAC;QAEJ,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,sBAAsB,EACtB,kBAAkB,EAClB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC;YACjC,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG;YACjB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;YACpB,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;SACpB,CAAC,CAAC,CAAC;QAEJ,MAAM,GAAG,GAAG,MAAM,eAAe,CAC/B,sBAAsB,EACtB,kBAAkB,EAClB,OAAO,EACP,IAAI,CACL,CAAC;QAEF,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/browser/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/browser/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAsB,MAAM,YAAY,CAAC;AAiC/E,wBAAsB,QAAQ,CAC5B,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,uBAAuB,EAAE,MAAM,EAAE,EACjC,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,OAAO,CAAC,CA4RlB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/browser/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAsB,MAAM,YAAY,CAAC;AA0C/E,wBAAsB,QAAQ,CAC5B,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,uBAAuB,EAAE,MAAM,EAAE,EACjC,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,OAAO,CAAC,CA6YlB"}

package/dist/browser/index.js

@@ -3,6 +3,15 @@ import { chromium } from "playwright";
 import { logger } from "../logger/index.js";
 import { extractJsVariables, getHostFromUrl, isFirstPartyHost, isSameHost, sleep, } from "./utils.js";
 const MAX_REDIRECT_HOPS = 20;
+// Quiet period (ms) used for the custom network-idle decision.
+// Playwright's built-in `networkidle` has a fixed 500ms threshold, which
+// is too short: it fires before script-driven secondary requests (e.g. a
+// CSS file loaded from within an async script) have a chance to start,
+// causing technology-detection evidence to be dropped. We use a longer
+// threshold evaluated by our own tracking.
+const NETWORK_IDLE_THRESHOLD_MS = 2000;
+// Polling interval (ms) for the idle-decision loop.
+const NETWORK_IDLE_POLL_INTERVAL_MS = 200;
 function colorizeStatusCode(statusCode) {
     const code = String(statusCode);
     if (statusCode >= 100 && statusCode < 200) {
@@ -23,7 +32,7 @@ function colorizeStatusCode(statusCode) {
     return chalk.gray(code);
 }
 export async function openPage(url, timeoutMs, javascriptVariableNames, options = {}) {
-    const { userAgent, locale, extraHTTPHeaders, blockCrossDomainRedirect = false, } = options;
+    const { userAgent, locale, extraHTTPHeaders, blockCrossDomainRedirect = false, networkIdleThresholdMs = NETWORK_IDLE_THRESHOLD_MS, } = options;
     const pageHost = getHostFromUrl(url);
     if (!pageHost) {
         throw new Error(`Invalid URL: ${url}`);
@@ -68,8 +77,7 @@ export async function openPage(url, timeoutMs, javascriptVariableNames, options
             await route.continue();
             return;
         }
-        if (blockCrossDomainRedirect &&
-            !isSameHost(pageHost, targetHost)) {
+        if (blockCrossDomainRedirect && !isSameHost(pageHost, targetHost)) {
             logger.warn(`Blocked cross-domain redirect: ${targetUrl}`);
             blockedByRedirectPolicy = true;
             urls.push({ url: targetUrl, error: "Blocked cross-domain redirect" });
@@ -104,7 +112,9 @@ export async function openPage(url, timeoutMs, javascriptVariableNames, options
         // URLs captured here are added to preInspectedUrls so that the
         // page.on("response") listener can skip them and avoid duplicates.
         const firstResponse = response;
-        for (let hop = 0; hop < MAX_REDIRECT_HOPS && response.status() >= 300 && response.status() < 400; hop++) {
+        for (let hop = 0; hop < MAX_REDIRECT_HOPS &&
+            response.status() >= 300 &&
+            response.status() < 400; hop++) {
             // Capture intermediate 3xx responses so their headers (e.g. server,
             // x-powered-by) are available for analysis even though the browser
             // never sees these responses directly.
@@ -161,44 +171,146 @@ export async function openPage(url, timeoutMs, javascriptVariableNames, options
     });
     const urls = [];
     const responses = [];
-    page.on("response", async (response) => {
-        const responseUrl = response.url();
-        const statusCode = response.status();
-        // Skip responses already captured by the pre-inspection loop to
-        // avoid duplicates.
-        if (preInspectedUrls.has(responseUrl) && statusCode >= 300 && statusCode < 400) {
-            logger.debug(`Skipping already captured response [${colorizeStatusCode(statusCode)}] ${responseUrl}`);
-            return;
-        }
-        const responseHost = getHostFromUrl(responseUrl) ?? "";
-        logger.debug(`Received response [${colorizeStatusCode(statusCode)}] ${responseUrl}`);
-        const request = response.request();
-        if (request.isNavigationRequest() && request.frame() === page.mainFrame()) {
-            urls.push({ url: responseUrl, status: statusCode });
-        }
-        const res = {
-            url: responseUrl,
-            host: responseHost,
-            isFirstParty: responseHost
-                ? isFirstPartyHost(pageHost, responseHost)
-                : false,
-            status: statusCode,
-            headers: response.headers(),
-        };
-        const body = await response.text().catch(() => null);
-        if (body) {
-            res.body = body;
-        }
-        responses.push(res);
-    });
+    // Timestamp of the most recent network activity (request sent or
+    // response received). Used by the custom idle-decision loop below.
+    let lastNetworkActivityAt = Date.now();
+    // Number of requests currently in flight. We include this in the idle
+    // condition so that a request whose response takes longer than the
+    // quiet-period threshold cannot cause the loop to exit before the
+    // response is captured.
+    let inFlightRequestCount = 0;
+    // Pending response-handler promises. The response handler awaits
+    // `response.text()`, which can still be in progress when the idle loop
+    // decides to break; awaiting this set after the loop prevents those
+    // in-progress body reads from being dropped.
+    const pendingResponseWork = new Set();
+    const onRequest = () => {
+        inFlightRequestCount++;
+        lastNetworkActivityAt = Date.now();
+    };
+    const onRequestFinished = () => {
+        inFlightRequestCount = Math.max(0, inFlightRequestCount - 1);
+        lastNetworkActivityAt = Date.now();
+    };
+    const onRequestFailed = () => {
+        inFlightRequestCount = Math.max(0, inFlightRequestCount - 1);
+        lastNetworkActivityAt = Date.now();
+    };
+    const onResponse = (response) => {
+        lastNetworkActivityAt = Date.now();
+        const work = (async () => {
+            const responseUrl = response.url();
+            const statusCode = response.status();
+            // Skip responses already captured by the pre-inspection loop to
+            // avoid duplicates.
+            if (preInspectedUrls.has(responseUrl) &&
+                statusCode >= 300 &&
+                statusCode < 400) {
+                logger.debug(`Skipping already captured response [${colorizeStatusCode(statusCode)}] ${responseUrl}`);
+                return;
+            }
+            const responseHost = getHostFromUrl(responseUrl) ?? "";
+            logger.debug(`Received response [${colorizeStatusCode(statusCode)}] ${responseUrl}`);
+            const request = response.request();
+            if (request.isNavigationRequest() &&
+                request.frame() === page.mainFrame()) {
+                urls.push({ url: responseUrl, status: statusCode });
+            }
+            const res = {
+                url: responseUrl,
+                host: responseHost,
+                isFirstParty: responseHost
+                    ? isFirstPartyHost(pageHost, responseHost)
+                    : false,
+                status: statusCode,
+                headers: response.headers(),
+            };
+            const body = await response.text().catch(() => null);
+            if (body) {
+                res.body = body;
+            }
+            responses.push(res);
+        })();
+        pendingResponseWork.add(work);
+        work.finally(() => {
+            pendingResponseWork.delete(work);
+        });
+    };
+    page.on("request", onRequest);
+    page.on("requestfinished", onRequestFinished);
+    page.on("requestfailed", onRequestFailed);
+    page.on("response", onResponse);
     let timeoutOccurred = false;
-    const goto = page.goto(url, { waitUntil: "networkidle" });
+    const navigationStartedAt = Date.now();
+    // Playwright's built-in `networkidle` is flaky (500ms fixed threshold),
+    // so resolve goto at the `load` event (onload fired) and wait for
+    // secondary requests triggered by deferred scripts using our own
+    // idle-decision loop below.
+    const goto = page.goto(url, { waitUntil: "load" });
     const result = await Promise.race([
         goto.then(() => "loaded").catch((e) => e.message),
         sleep(timeoutMs).then(() => "timeout"),
     ]);
+    // After onload, wait until all in-flight requests have finished and a
+    // quiet period of `networkIdleThresholdMs` has elapsed (or the overall
+    // timeout is reached) so that secondary requests triggered by deferred
+    // scripts are captured. Including in-flight count in the condition
+    // prevents the loop from exiting while a slow response
+    // (> networkIdleThresholdMs) is still pending.
+    //
+    // Tracks whether the loop exited because the network actually went
+    // idle, or because the overall timeout budget was exhausted. In the
+    // latter case we must return `timeoutOccurred: true` so callers can
+    // distinguish a full capture from a partial one.
+    let idleWaitTimedOut = false;
     if (result === "loaded") {
-        logger.info("Page loaded successfully");
+        while (true) {
+            const now = Date.now();
+            const elapsed = now - navigationStartedAt;
+            if (elapsed >= timeoutMs) {
+                idleWaitTimedOut = true;
+                break;
+            }
+            const idleFor = now - lastNetworkActivityAt;
+            if (inFlightRequestCount === 0 && idleFor >= networkIdleThresholdMs) {
+                break;
+            }
+            const remainingBudget = timeoutMs - elapsed;
+            await sleep(Math.min(NETWORK_IDLE_POLL_INTERVAL_MS, remainingBudget));
+        }
+        // If any response handlers are still running at loop exit (e.g.
+        // waiting on `response.text()`), wait for them to finish so their
+        // captures are not dropped. However, do not wait beyond the overall
+        // timeout: race against the remaining budget so that when the budget
+        // is exhausted we drop any still-pending in-flight captures rather
+        // than letting the process block indefinitely on slow body reads.
+        if (pendingResponseWork.size > 0) {
+            const remainingBudget = Math.max(0, timeoutMs - (Date.now() - navigationStartedAt));
+            if (remainingBudget > 0) {
+                await Promise.race([
+                    Promise.allSettled(Array.from(pendingResponseWork)),
+                    sleep(remainingBudget),
+                ]);
+            }
+        }
+    }
+    // Detach network listeners so that the `responses` snapshot is frozen
+    // at this point. Subsequent activity from cookie/JS extraction (or any
+    // delayed in-flight responses) must not mutate the captured set, since
+    // those entries would not be awaited and could race with the return.
+    page.off("request", onRequest);
+    page.off("requestfinished", onRequestFinished);
+    page.off("requestfailed", onRequestFailed);
+    page.off("response", onResponse);
+    logger.info(`${responses.length} responses captured`);
+    if (result === "loaded") {
+        if (idleWaitTimedOut) {
+            timeoutOccurred = true;
+            logger.warn(`Timeout of ${timeoutMs}ms exceeded while waiting for network idle after load on ${url}`);
+        }
+        else {
+            logger.info("Page loaded successfully");
+        }
     }
     else if (result === "timeout") {
         timeoutOccurred = true;