zephex 2.0.11 → 2.0.14

package/dist/tools/audit_headers/index.js

@@ -148,6 +148,25 @@ function filePolyfill(path) {
     text: async () => readFile(path, "utf8")
   };
 }
+
+class GlobPolyfill {
+  pattern;
+  constructor(pattern) {
+    this.pattern = pattern;
+  }
+  async* scan(opts) {
+    const { glob } = await import("node:fs/promises");
+    const cwd = opts?.cwd ?? process.cwd();
+    for await (const entry of glob(this.pattern, { cwd })) {
+      if (opts?.absolute) {
+        const { resolve } = await import("node:path");
+        yield resolve(cwd, entry);
+      } else {
+        yield entry;
+      }
+    }
+  }
+}
 function ensureBunPolyfill() {
   const g = globalThis;
   if (typeof g.Bun !== "undefined")
@@ -155,7 +174,8 @@ function ensureBunPolyfill() {
   g.Bun = {
     file: filePolyfill,
     spawn: spawnPolyfill,
-    JSONL: { parse: jsonlParsePolyfill }
+    JSONL: { parse: jsonlParsePolyfill },
+    Glob: GlobPolyfill
   };
 }
 var init_bun_polyfill = __esm(() => {
@@ -403,19 +423,16 @@ function isPrivateIpv4(ip) {
 }
 function isPrivateIpv6(ip) {
   const lower = ip.toLowerCase();
-  if (lower === "::1" || lower.startsWith("fc") || lower.startsWith("fd") || lower.startsWith("fe80")) {
+  if (lower === "::1" || lower.startsWith("fc") || lower.startsWith("fd") || lower.startsWith("fe80"))
     return true;
-  }
   const v4MappedDotted = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
-  if (v4MappedDotted?.[1]) {
+  if (v4MappedDotted?.[1])
     return isPrivateIpv4(v4MappedDotted[1]);
-  }
   const v4MappedHex = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
   if (v4MappedHex?.[1] && v4MappedHex[2]) {
     const hi = parseInt(v4MappedHex[1], 16);
     const lo = parseInt(v4MappedHex[2], 16);
-    const dottedQuad = `${hi >> 8 & 255}.${hi & 255}.${lo >> 8 & 255}.${lo & 255}`;
-    return isPrivateIpv4(dottedQuad);
+    return isPrivateIpv4(`${hi >> 8 & 255}.${hi & 255}.${lo >> 8 & 255}.${lo & 255}`);
   }
   return false;
 }
@@ -436,25 +453,25 @@ async function resolveAndValidateIp(hostname) {
     throw new AuditHeadersError(`No IPv4 address found for ${hostname}`, -32603, "The hostname may not have a public IPv4 record");
   }
   const ip = addresses[0];
-  if (isPrivateIpv4(ip)) {
+  if (isPrivateIpv4(ip))
     throw new AuditHeadersError(`Blocked: ${hostname} resolves to a private/reserved IP address`, -32602, "Only public HTTPS endpoints are supported");
-  }
-  if (isPrivateIpv6(ip)) {
+  if (isPrivateIpv6(ip))
     throw new AuditHeadersError(`Blocked: ${hostname} resolves to a private IPv6 address`, -32602, "Only public HTTPS endpoints are supported");
-  }
   return ip;
 }
-function makeRawRequest(resolvedIp, originalHostname, port, path, method, isHttps) {
+function makeRawRequest(resolvedIp, originalHostname, port, path, method, isHttps, extraHeaders) {
   return new Promise((resolve, reject) => {
+    const reqHeaders = {
+      Host: originalHostname,
+      "User-Agent": "audit-headers-mcp/1.0",
+      ...extraHeaders
+    };
     const options = {
       hostname: resolvedIp,
       port,
       path: path || "/",
       method,
-      headers: {
-        Host: originalHostname,
-        "User-Agent": "audit-headers-mcp/1.0"
-      },
+      headers: reqHeaders,
       servername: originalHostname,
       rejectUnauthorized: true,
       timeout: 1e4
@@ -470,12 +487,7 @@ function makeRawRequest(resolvedIp, originalHostname, port, path, method, isHttp
         const h = res.headers;
         const locationRaw = h["location"];
         const location = Array.isArray(locationRaw) ? locationRaw[0] ?? null : locationRaw ?? null;
-        resolve({
-          statusCode: res.statusCode ?? 0,
-          headers: h,
-          httpVersion: res.httpVersion,
-          location
-        });
+        resolve({ statusCode: res.statusCode ?? 0, headers: h, httpVersion: res.httpVersion, location });
       });
       res.on("error", reject);
     });
@@ -493,9 +505,8 @@ async function fetchWithPinnedDns(startUrl) {
   let httpVersion = "1.1";
   let statusCode = 0;
   for (let hop = 0;hop <= 5; hop++) {
-    if (hop === 5) {
+    if (hop === 5)
       throw new AuditHeadersError("Too many redirects (max 5)", -32603);
-    }
     const parsed = new URL2(currentUrl);
     const hostname = parsed.hostname;
     const isHttps = parsed.protocol === "https:";
@@ -507,11 +518,7 @@ async function fetchWithPinnedDns(startUrl) {
     httpVersion = response.httpVersion;
     if (response.statusCode >= 300 && response.statusCode < 400 && response.location) {
       const nextUrl = new URL2(response.location, currentUrl).href;
-      redirectChain.push({
-        url: currentUrl,
-        status: response.statusCode,
-        location: response.location
-      });
+      redirectChain.push({ url: currentUrl, status: response.statusCode, location: response.location });
       currentUrl = nextUrl;
     } else {
       break;
@@ -532,107 +539,65 @@ function safeStr(s, max = 200) {
 async function inspectSsl(hostname, resolvedIp) {
   return new Promise((resolve) => {
     try {
-      const tlsOptions = {
+      const socket = tls.connect({
         host: resolvedIp,
         port: 443,
         servername: hostname,
-        rejectUnauthorized: true
-      };
-      const socket = tls.connect(tlsOptions, () => {
+        rejectUnauthorized: true,
+        ALPNProtocols: ["h2", "http/1.1"]
+      }, () => {
         try {
           const cert = socket.getPeerCertificate();
           const protocol = socket.getProtocol() ?? null;
+          const alpn = socket.alpnProtocol;
           socket.destroy();
           if (!cert || !cert.valid_to) {
-            resolve({
-              valid: true,
-              days_until_expiry: null,
-              issuer: null,
-              protocol,
-              expiry_warning: null
-            });
+            resolve({ ssl: { valid: true, days_until_expiry: null, issuer: null, protocol, expiry_warning: null }, http2: alpn === "h2" });
             return;
           }
           const daysLeft = Math.round((new Date(cert.valid_to).getTime() - Date.now()) / 86400000);
           let expiry_warning = null;
-          if (daysLeft < 0) {
+          if (daysLeft < 0)
             expiry_warning = "CRITICAL: Certificate has expired";
-          } else if (daysLeft <= 7) {
+          else if (daysLeft <= 7)
             expiry_warning = `CRITICAL: Certificate expires in ${daysLeft} days — renew immediately`;
-          } else if (daysLeft <= 30) {
+          else if (daysLeft <= 30)
             expiry_warning = `WARNING: Certificate expires in ${daysLeft} days — schedule renewal`;
-          }
           const issuerRaw = cert.issuer?.O ?? cert.issuer?.CN ?? null;
           const issuerStr = Array.isArray(issuerRaw) ? issuerRaw[0] ?? null : issuerRaw;
           resolve({
-            valid: true,
-            days_until_expiry: daysLeft,
-            issuer: typeof issuerStr === "string" ? issuerStr.slice(0, 100) : null,
-            protocol,
-            expiry_warning
+            ssl: { valid: true, days_until_expiry: daysLeft, issuer: typeof issuerStr === "string" ? issuerStr.slice(0, 100) : null, protocol, expiry_warning },
+            http2: alpn === "h2"
           });
         } catch (e) {
           socket.destroy();
-          resolve({
-            valid: false,
-            days_until_expiry: null,
-            issuer: null,
-            protocol: null,
-            expiry_warning: null,
-            error: e.message
-          });
+          resolve({ ssl: { valid: false, days_until_expiry: null, issuer: null, protocol: null, expiry_warning: null, error: e.message }, http2: false });
         }
       });
       socket.setTimeout(1e4, () => {
         socket.destroy();
-        resolve({
-          valid: false,
-          days_until_expiry: null,
-          issuer: null,
-          protocol: null,
-          expiry_warning: null,
-          error: "TLS connection timed out"
-        });
+        resolve({ ssl: { valid: false, days_until_expiry: null, issuer: null, protocol: null, expiry_warning: null, error: "TLS connection timed out" }, http2: false });
       });
       socket.on("error", (err) => {
-        resolve({
-          valid: false,
-          days_until_expiry: null,
-          issuer: null,
-          protocol: null,
-          expiry_warning: null,
-          error: err.message
-        });
+        resolve({ ssl: { valid: false, days_until_expiry: null, issuer: null, protocol: null, expiry_warning: null, error: err.message }, http2: false });
       });
     } catch (e) {
-      resolve({
-        valid: false,
-        days_until_expiry: null,
-        issuer: null,
-        protocol: null,
-        expiry_warning: null,
-        error: e.message
-      });
+      resolve({ ssl: { valid: false, days_until_expiry: null, issuer: null, protocol: null, expiry_warning: null, error: e.message }, http2: false });
     }
   });
 }
 async function checkHstsPreload(domain) {
   return new Promise((resolve) => {
     const path = `/api/v2/status?domain=${encodeURIComponent(domain)}`;
-    const req = https.get({
-      hostname: "hstspreload.org",
-      path,
-      headers: { "User-Agent": "audit-headers-mcp/1.0" },
-      timeout: 3000
-    }, (res) => {
+    const req = https.get({ hostname: "hstspreload.org", path, headers: { "User-Agent": "audit-headers-mcp/1.0" }, timeout: 3000 }, (res) => {
       let body = "";
       res.on("data", (chunk) => {
         body += chunk.toString();
       });
       res.on("end", () => {
         try {
-          const parsed = JSON.parse(body);
-          resolve(typeof parsed.status === "string" ? parsed.status : "unknown");
+          const p = JSON.parse(body);
+          resolve(typeof p.status === "string" ? p.status : "unknown");
         } catch {
           resolve("check_failed");
         }
@@ -646,240 +611,206 @@ async function checkHstsPreload(domain) {
     req.on("error", () => resolve("check_failed"));
   });
 }
+function analyzeCspQuality(cspValue, isReportOnly) {
+  const lower = cspValue.toLowerCase();
+  const issues = [];
+  let score = 100;
+  const hasUnsafeInline = /script-src[^;]*'unsafe-inline'/.test(lower) || !lower.includes("script-src") && /default-src[^;]*'unsafe-inline'/.test(lower);
+  const hasUnsafeEval = /script-src[^;]*'unsafe-eval'/.test(lower) || !lower.includes("script-src") && /default-src[^;]*'unsafe-eval'/.test(lower);
+  const hasWildcard = /(default-src|script-src)\s+[^;]*(?<!')(?<!=)\*(?!\.)/.test(lower);
+  const hasDataSrc = /script-src[^;]*\bdata:/.test(lower) || !lower.includes("script-src") && /default-src[^;]*\bdata:/.test(lower);
+  const hasBlobSrc = /script-src[^;]*\bblob:/.test(lower) || !lower.includes("script-src") && /default-src[^;]*\bblob:/.test(lower);
+  const hasHttpsSrc = /script-src[^;]*(?<!')\bhttps:(?!\/)/.test(lower) || !lower.includes("script-src") && /default-src[^;]*(?<!')\bhttps:(?!\/)/.test(lower);
+  const missingFrameAncestors = !lower.includes("frame-ancestors");
+  const missingBaseUri = !lower.includes("base-uri");
+  const missingObjectSrc = !lower.includes("object-src");
+  const hasNonceOrHash = /'nonce-[^']+'/i.test(cspValue) || /'sha(256|384|512)-[^']+'/i.test(cspValue);
+  const hasStrictDynamic = lower.includes("'strict-dynamic'");
+  if (isReportOnly) {
+    issues.push("Report-Only mode — no enforcement, violations only logged");
+    score = 10;
+  }
+  if (hasWildcard) {
+    issues.push("Wildcard * in script-src/default-src — allows scripts from any origin");
+    score = Math.min(score, 5);
+  }
+  if (hasUnsafeInline && !hasNonceOrHash) {
+    issues.push("'unsafe-inline' in script-src without nonce/hash — XSS protection defeated");
+    score -= 40;
+  }
+  if (hasUnsafeEval) {
+    issues.push("'unsafe-eval' — allows eval()/Function()/setTimeout(string)");
+    score -= 20;
+  }
+  if (hasDataSrc) {
+    issues.push("data: in script-src — allows data:text/javascript injection");
+    score -= 25;
+  }
+  if (hasBlobSrc) {
+    issues.push("blob: in script-src — allows blob URL script execution");
+    score -= 15;
+  }
+  if (hasHttpsSrc) {
+    issues.push("https: as source — allows scripts from ANY HTTPS origin");
+    score -= 20;
+  }
+  if (missingObjectSrc) {
+    issues.push("Missing object-src — Flash/plugin injection possible");
+    score -= 10;
+  }
+  if (missingBaseUri) {
+    issues.push("Missing base-uri — <base> tag injection possible");
+    score -= 10;
+  }
+  if (missingFrameAncestors) {
+    issues.push("Missing frame-ancestors — no clickjacking protection via CSP");
+    score -= 10;
+  }
+  if (hasNonceOrHash) {
+    issues.push("✓ Uses nonce/hash — strong script allowlisting");
+    score += 15;
+  }
+  if (hasStrictDynamic) {
+    issues.push("✓ Uses strict-dynamic — modern CSP Level 3");
+    score += 10;
+  }
+  if (lower.includes("object-src 'none'"))
+    score += 5;
+  if (lower.includes("base-uri 'none'") || lower.includes("base-uri 'self'"))
+    score += 5;
+  score = Math.max(0, Math.min(100, score));
+  return {
+    csp_score: score,
+    has_unsafe_inline: hasUnsafeInline,
+    has_unsafe_eval: hasUnsafeEval,
+    has_wildcard_src: hasWildcard,
+    has_data_src: hasDataSrc,
+    has_blob_src: hasBlobSrc,
+    has_https_src: hasHttpsSrc,
+    missing_frame_ancestors: missingFrameAncestors,
+    missing_base_uri: missingBaseUri,
+    missing_object_src: missingObjectSrc,
+    report_only_mode: isReportOnly,
+    has_nonce_or_hash: hasNonceOrHash,
+    has_strict_dynamic: hasStrictDynamic,
+    issues
+  };
+}
 function analyzeSecurityHeaders(headers) {
   const result = {};
   let score = 100;
+  let cspQuality;
   {
     const val = getHeaderString(headers, "strict-transport-security");
     if (!val) {
-      result.strict_transport_security = {
-        present: false,
-        status: "fail",
-        issue: "Missing — site can be accessed over HTTP, vulnerable to SSL stripping",
-        fix: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"
-      };
+      result.strict_transport_security = { present: false, status: "fail", issue: "Missing — vulnerable to SSL stripping", fix: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload", fixes: FIX_SNIPPETS.hsts };
       score -= 25;
     } else {
       const maxAgeMatch = val.match(/max-age=(\d+)/i);
       const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : 0;
       if (maxAge < 31536000) {
-        result.strict_transport_security = {
-          present: true,
-          value_summary: safeStr(val),
-          status: "warn",
-          issue: `max-age is only ${maxAge} seconds — should be at least 31536000 (1 year)`,
-          fix: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"
-        };
+        result.strict_transport_security = { present: true, value_summary: safeStr(val), status: "warn", issue: `max-age=${maxAge} — should be ≥31536000 (1 year)`, fix: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload", fixes: FIX_SNIPPETS.hsts };
         score -= 10;
       } else {
-        result.strict_transport_security = {
-          present: true,
-          value_summary: safeStr(val),
-          status: "pass",
-          issue: null,
-          fix: null
-        };
+        result.strict_transport_security = { present: true, value_summary: safeStr(val), status: "pass", issue: null, fix: null };
       }
     }
   }
   {
     const val = getHeaderString(headers, "content-security-policy");
-    if (!val) {
-      result.content_security_policy = {
-        present: false,
-        status: "fail",
-        issue: "Missing — no protection against XSS attacks",
-        fix: "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"
-      };
+    const reportOnlyVal = getHeaderString(headers, "content-security-policy-report-only");
+    const effectiveVal = val ?? reportOnlyVal;
+    const isReportOnly = !val && !!reportOnlyVal;
+    if (!effectiveVal) {
+      result.content_security_policy = { present: false, status: "fail", issue: "Missing — no XSS protection", fix: "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'", fixes: FIX_SNIPPETS.csp };
       score -= 25;
     } else {
-      const issues = [];
-      const lower = val.toLowerCase();
-      if (lower.includes("'unsafe-inline'")) {
-        issues.push("allows 'unsafe-inline' — XSS protection weakened");
+      cspQuality = analyzeCspQuality(effectiveVal, isReportOnly);
+      const cspIssues = cspQuality.issues.filter((i) => !i.startsWith("✓"));
+      if (isReportOnly)
+        score -= 15;
+      if (cspQuality.has_unsafe_inline && !cspQuality.has_nonce_or_hash)
         score -= 10;
-      }
-      if (lower.includes("'unsafe-eval'")) {
-        issues.push("allows 'unsafe-eval' — eval() execution enabled, potential XSS vector");
+      if (cspQuality.has_unsafe_eval)
         score -= 5;
-      }
-      if (/(?:default-src|script-src|style-src|img-src|connect-src|font-src|media-src|frame-src)\s+[^;]*\*/.test(lower)) {
-        issues.push("wildcard (*) in src directive — overly permissive");
-      }
-      if (!lower.includes("default-src")) {
-        issues.push("no default-src fallback directive");
-      }
-      if (lower.includes("frame-ancestors")) {
-        issues.push("frame-ancestors present (supersedes X-Frame-Options)");
-      }
-      const hasReporting = lower.includes("report-uri") || lower.includes("report-to");
-      if (!hasReporting) {
-        issues.push("no reporting endpoint (report-uri/report-to) — violations are silently dropped");
-      }
+      if (cspQuality.has_wildcard_src)
+        score -= 15;
       result.content_security_policy = {
         present: true,
-        value_summary: safeStr(val),
-        status: issues.length > 0 ? "warn" : "pass",
-        issue: issues.length > 0 ? issues.join("; ") : null,
-        fix: issues.some((i) => i.includes("unsafe")) ? "Remove 'unsafe-inline' and 'unsafe-eval'. Use nonces or hashes for inline scripts." : null
+        value_summary: safeStr(effectiveVal),
+        status: cspQuality.csp_score < 50 ? "fail" : cspIssues.length > 0 ? "warn" : "pass",
+        issue: cspIssues.length > 0 ? cspIssues.join("; ") : null,
+        fix: cspIssues.length > 0 ? "Remove unsafe-inline/unsafe-eval. Use nonces or hashes. Add object-src 'none'; base-uri 'self'; frame-ancestors 'self'" : null,
+        fixes: cspIssues.length > 0 ? FIX_SNIPPETS.csp : undefined
       };
     }
   }
   {
     const val = getHeaderString(headers, "x-frame-options");
     if (!val) {
-      result.x_frame_options = {
-        present: false,
-        status: "fail",
-        issue: "Missing — page can be embedded in iframes, vulnerable to clickjacking",
-        fix: "X-Frame-Options: SAMEORIGIN"
-      };
+      result.x_frame_options = { present: false, status: "fail", issue: "Missing — vulnerable to clickjacking", fix: "X-Frame-Options: SAMEORIGIN", fixes: FIX_SNIPPETS.xfo };
       score -= 15;
     } else {
       const upper = val.trim().toUpperCase();
       if (upper.startsWith("ALLOW-FROM")) {
-        result.x_frame_options = {
-          present: true,
-          value_summary: safeStr(val),
-          status: "warn",
-          issue: "ALLOW-FROM is deprecated and not supported by modern browsers",
-          fix: "Use Content-Security-Policy frame-ancestors instead"
-        };
+        result.x_frame_options = { present: true, value_summary: safeStr(val), status: "warn", issue: "ALLOW-FROM is deprecated — use CSP frame-ancestors", fix: "Use Content-Security-Policy frame-ancestors instead" };
       } else {
-        result.x_frame_options = {
-          present: true,
-          value_summary: safeStr(val),
-          status: upper === "DENY" || upper === "SAMEORIGIN" ? "pass" : "pass",
-          issue: null,
-          fix: null
-        };
+        result.x_frame_options = { present: true, value_summary: safeStr(val), status: "pass", issue: null, fix: null };
       }
     }
   }
   {
     const val = getHeaderString(headers, "x-content-type-options");
     if (!val) {
-      result.x_content_type_options = {
-        present: false,
-        status: "fail",
-        issue: "Missing — browsers may MIME-sniff responses, enabling content injection",
-        fix: "X-Content-Type-Options: nosniff"
-      };
+      result.x_content_type_options = { present: false, status: "fail", issue: "Missing — MIME-sniffing enabled", fix: "X-Content-Type-Options: nosniff", fixes: FIX_SNIPPETS.xcto };
       score -= 15;
     } else {
       const isNosniff = val.toLowerCase().includes("nosniff");
-      result.x_content_type_options = {
-        present: true,
-        value_summary: safeStr(val),
-        status: isNosniff ? "pass" : "warn",
-        issue: isNosniff ? null : "Value should be 'nosniff'",
-        fix: isNosniff ? null : "X-Content-Type-Options: nosniff"
-      };
+      result.x_content_type_options = { present: true, value_summary: safeStr(val), status: isNosniff ? "pass" : "warn", issue: isNosniff ? null : "Value should be 'nosniff'", fix: isNosniff ? null : "X-Content-Type-Options: nosniff", fixes: isNosniff ? undefined : FIX_SNIPPETS.xcto };
     }
   }
   {
     const val = getHeaderString(headers, "referrer-policy");
     if (!val) {
-      result.referrer_policy = {
-        present: false,
-        status: "fail",
-        issue: "Missing — full URLs including query parameters may leak to third parties",
-        fix: "Referrer-Policy: strict-origin-when-cross-origin"
-      };
+      result.referrer_policy = { present: false, status: "fail", issue: "Missing — URLs may leak to third parties", fix: "Referrer-Policy: strict-origin-when-cross-origin", fixes: FIX_SNIPPETS.referrer };
       score -= 10;
     } else {
       const lower = val.toLowerCase().trim();
-      const strictPolicies = new Set([
-        "no-referrer",
-        "same-origin",
-        "strict-origin",
-        "strict-origin-when-cross-origin"
-      ]);
-      if (strictPolicies.has(lower)) {
-        result.referrer_policy = {
-          present: true,
-          value_summary: safeStr(val),
-          status: "pass",
-          issue: null,
-          fix: null
-        };
+      const strict = new Set(["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"]);
+      if (strict.has(lower)) {
+        result.referrer_policy = { present: true, value_summary: safeStr(val), status: "pass", issue: null, fix: null };
       } else if (lower === "unsafe-url") {
-        result.referrer_policy = {
-          present: true,
-          value_summary: safeStr(val),
-          status: "warn",
-          issue: "'unsafe-url' leaks full URL to all destinations",
-          fix: "Referrer-Policy: strict-origin-when-cross-origin"
-        };
+        result.referrer_policy = { present: true, value_summary: safeStr(val), status: "warn", issue: "'unsafe-url' leaks full URL to all destinations", fix: "Referrer-Policy: strict-origin-when-cross-origin", fixes: FIX_SNIPPETS.referrer };
       } else {
-        result.referrer_policy = {
-          present: true,
-          value_summary: safeStr(val),
-          status: "info",
-          issue: `'${lower}' is acceptable but consider a stricter policy`,
-          fix: "Referrer-Policy: strict-origin-when-cross-origin"
-        };
+        result.referrer_policy = { present: true, value_summary: safeStr(val), status: "info", issue: `'${lower}' — consider a stricter policy`, fix: "Referrer-Policy: strict-origin-when-cross-origin", fixes: FIX_SNIPPETS.referrer };
       }
     }
   }
   {
     const val = getHeaderString(headers, "permissions-policy");
     if (!val) {
-      result.permissions_policy = {
-        present: false,
-        status: "warn",
-        issue: "Missing — browser features like camera and microphone are unrestricted",
-        fix: "Permissions-Policy: camera=(), microphone=(), geolocation=()"
-      };
+      result.permissions_policy = { present: false, status: "warn", issue: "Missing — browser features unrestricted", fix: "Permissions-Policy: camera=(), microphone=(), geolocation=()", fixes: FIX_SNIPPETS.permissions };
       score -= 5;
     } else {
-      result.permissions_policy = {
-        present: true,
-        value_summary: safeStr(val),
-        status: "pass",
-        issue: null,
-        fix: null
-      };
+      result.permissions_policy = { present: true, value_summary: safeStr(val), status: "pass", issue: null, fix: null };
     }
   }
   {
     const val = getHeaderString(headers, "cross-origin-opener-policy");
     if (!val) {
-      result.cross_origin_opener_policy = {
-        present: false,
-        status: "info",
-        issue: "Missing — page may be vulnerable to cross-origin attacks via window.opener",
-        fix: "Cross-Origin-Opener-Policy: same-origin"
-      };
+      result.cross_origin_opener_policy = { present: false, status: "info", issue: "Missing — cross-origin window.opener attacks possible", fix: "Cross-Origin-Opener-Policy: same-origin", fixes: FIX_SNIPPETS.coop };
       score -= 3;
     } else {
-      result.cross_origin_opener_policy = {
-        present: true,
-        value_summary: safeStr(val),
-        status: "pass",
-        issue: null,
-        fix: null
-      };
+      result.cross_origin_opener_policy = { present: true, value_summary: safeStr(val), status: "pass", issue: null, fix: null };
     }
   }
   {
     const val = getHeaderString(headers, "cross-origin-resource-policy");
     if (!val) {
-      result.cross_origin_resource_policy = {
-        present: false,
-        status: "info",
-        issue: "Missing — resources can be loaded by any origin",
-        fix: "Cross-Origin-Resource-Policy: same-origin"
-      };
+      result.cross_origin_resource_policy = { present: false, status: "info", issue: "Missing — resources loadable by any origin", fix: "Cross-Origin-Resource-Policy: same-origin", fixes: FIX_SNIPPETS.corp };
       score -= 2;
     } else {
-      result.cross_origin_resource_policy = {
-        present: true,
-        value_summary: safeStr(val),
-        status: "pass",
-        issue: null,
-        fix: null
-      };
+      result.cross_origin_resource_policy = { present: true, value_summary: safeStr(val), status: "pass", issue: null, fix: null };
     }
   }
   if (score >= 90) {
@@ -888,13 +819,11 @@ function analyzeSecurityHeaders(headers) {
       score += 5;
     const cspVal = getHeaderString(headers, "content-security-policy");
     if (cspVal) {
-      const lower = cspVal.toLowerCase();
-      if (!lower.includes("'unsafe-inline'") && !lower.includes("'unsafe-eval'") && lower.includes("default-src")) {
+      const l = cspVal.toLowerCase();
+      if (!l.includes("'unsafe-inline'") && !l.includes("'unsafe-eval'") && l.includes("default-src"))
         score += 5;
-      }
     }
-    const allPresent = Object.values(result).every((h) => h.present);
-    if (allPresent)
+    if (Object.values(result).every((h) => h.present))
       score += 5;
   }
   score = Math.max(0, score);
@@ -917,18 +846,15 @@ function analyzeSecurityHeaders(headers) {
       result[key] = { present: entry.present, status: "pass" };
     }
   }
-  return {
-    grade,
-    score,
-    headers: result
-  };
+  return { grade, score, headers: result, csp_quality: cspQuality };
 }
 function parseCookieFlags(headers) {
   const raw = headers["set-cookie"];
   if (!raw)
-    return [];
+    return { cookies: [], frameworkFromCookies: null };
   const cookies = Array.isArray(raw) ? raw : [raw];
   const result = [];
+  let frameworkFromCookies = null;
   for (const cookieStr of cookies) {
     const parts = cookieStr.split(";").map((p) => p.trim());
     const nameVal = parts[0] ?? "";
@@ -939,32 +865,52 @@ function parseCookieFlags(headers) {
     const lower = cookieStr.toLowerCase();
     const secure = lower.includes("secure");
     const httponly = lower.includes("httponly");
+    const hasPartitioned = lower.includes("partitioned");
+    const hasDomain = /;\s*domain\s*=/i.test(cookieStr);
+    const pathMatch = cookieStr.match(/;\s*path\s*=\s*([^;]*)/i);
+    const pathVal = pathMatch?.[1]?.trim() ?? null;
     let samesite = null;
     const ssMatch = lower.match(/samesite=([a-z]+)/);
-    if (ssMatch?.[1]) {
+    if (ssMatch?.[1])
       samesite = ssMatch[1].charAt(0).toUpperCase() + ssMatch[1].slice(1);
-    }
     const issues = [];
+    const prefixIssues = [];
     if (!secure)
       issues.push("Missing Secure flag");
-    if (!httponly && SESSION_COOKIE_PATTERN.test(name)) {
-      issues.push("Missing HttpOnly flag on session-like cookie");
-    }
-    if (samesite?.toLowerCase() === "none" && !secure) {
-      issues.push("SameSite=None requires Secure flag");
-    }
-    const flag = {
-      name: name.slice(0, 100),
-      secure,
-      httponly,
-      samesite,
-      status: issues.length === 0 ? "pass" : "fail"
-    };
-    if (issues.length > 0)
-      flag.issue = issues.join("; ");
+    if (!httponly && SESSION_COOKIE_PATTERN.test(name))
+      issues.push("Missing HttpOnly on session-like cookie");
+    if (samesite?.toLowerCase() === "none" && !secure)
+      issues.push("SameSite=None requires Secure flag — browsers reject this cookie");
+    if (name.startsWith("__Host-") || name.toLowerCase().startsWith("__host-")) {
+      if (!secure)
+        prefixIssues.push("__Host- prefix requires Secure attribute");
+      if (hasDomain)
+        prefixIssues.push("__Host- prefix must NOT have Domain attribute");
+      if (pathVal !== "/")
+        prefixIssues.push("__Host- prefix requires Path=/");
+    }
+    if ((name.startsWith("__Secure-") || name.toLowerCase().startsWith("__secure-")) && !secure) {
+      prefixIssues.push("__Secure- prefix requires Secure attribute");
+    }
+    if (hasPartitioned && !secure)
+      prefixIssues.push("Partitioned cookies require Secure attribute");
+    if (!frameworkFromCookies) {
+      for (const [pattern, fw] of COOKIE_FRAMEWORK_MAP) {
+        if (pattern.test(name)) {
+          frameworkFromCookies = fw;
+          break;
+        }
+      }
+    }
+    const allIssues = [...issues, ...prefixIssues];
+    const flag = { name: name.slice(0, 100), secure, httponly, samesite, status: allIssues.length === 0 ? "pass" : "fail" };
+    if (allIssues.length > 0)
+      flag.issue = allIssues.join("; ");
+    if (prefixIssues.length > 0)
+      flag.prefix_issues = prefixIssues;
     result.push(flag);
   }
-  return result;
+  return { cookies: result, frameworkFromCookies };
 }
 function analyzeServerFingerprint(headers) {
   const serverVal = getHeaderString(headers, "server");
@@ -973,77 +919,248 @@ function analyzeServerFingerprint(headers) {
   const serverLeaksVersion = serverVal !== null && /\/\d/.test(serverVal);
   const poweredByPresent = poweredBy !== null;
   const issues = [];
-  if (serverLeaksVersion) {
+  if (serverLeaksVersion)
     issues.push("Server header reveals software version — remove or genericize");
-  } else if (serverPresent) {
-    issues.push("Server header is present — consider removing to reduce attack surface");
-  }
-  if (poweredByPresent) {
-    issues.push("X-Powered-By header reveals framework — remove entirely");
-  }
-  return {
-    server_header_present: serverPresent,
-    server_leaks_version: serverLeaksVersion,
-    x_powered_by_present: poweredByPresent,
-    issues
-  };
-}
-function analyzeCacheHeaders(headers, urlPath) {
+  else if (serverPresent)
+    issues.push("Server header present — consider removing");
+  if (poweredByPresent)
+    issues.push("X-Powered-By reveals framework — remove entirely");
+  let framework = null;
+  const sv = (serverVal ?? "").toLowerCase();
+  const pb = (poweredBy ?? "").toLowerCase();
+  if (sv.includes("vercel") || sv === "vercel")
+    framework = "Vercel";
+  else if (sv.includes("netlify"))
+    framework = "Netlify";
+  else if (sv.includes("cloudflare"))
+    framework = "Cloudflare";
+  else if (sv.includes("nginx"))
+    framework = "Nginx";
+  else if (sv.includes("apache"))
+    framework = "Apache";
+  else if (sv.includes("caddy"))
+    framework = "Caddy";
+  else if (pb.includes("express"))
+    framework = "Express";
+  else if (pb.includes("next.js"))
+    framework = "Next.js";
+  else if (pb.includes("nuxt"))
+    framework = "Nuxt";
+  else if (pb.includes("php"))
+    framework = "PHP";
+  else if (pb.includes("asp.net"))
+    framework = "ASP.NET";
+  else if (pb.includes("django"))
+    framework = "Django";
+  else if (pb.includes("flask"))
+    framework = "Flask";
+  else if (pb.includes("rails") || pb.includes("ruby"))
+    framework = "Rails";
+  return { server_header_present: serverPresent, server_leaks_version: serverLeaksVersion, x_powered_by_present: poweredByPresent, issues, framework_detected: framework };
+}
+function analyzeCacheHeaders(headers, urlPath, hasCookies) {
   const cc = getHeaderString(headers, "cache-control");
   const cacheControlPresent = cc !== null;
   const hasNoStore = cc !== null && cc.toLowerCase().includes("no-store");
+  const hasPublic = cc !== null && cc.toLowerCase().includes("public");
+  const hasNoCache = cc !== null && cc.toLowerCase().includes("no-cache");
   const etagPresent = getHeaderString(headers, "etag") !== null;
   const lastModifiedPresent = getHeaderString(headers, "last-modified") !== null;
   const vary = getHeaderString(headers, "vary");
+  const contentType = getHeaderString(headers, "content-type") ?? "";
+  const isHtml = contentType.includes("text/html");
+  const isApi = urlPath.includes("/api/") || contentType.includes("application/json");
   const issues = [];
   const lowerPath = urlPath.toLowerCase();
   const isSensitivePath = SENSITIVE_PATH_FRAGMENTS.some((p) => lowerPath.includes(p));
-  if (isSensitivePath && !hasNoStore) {
-    issues.push(`WARNING: no-store not set on ${urlPath} — sensitive page may be cached by browser`);
-  }
-  return {
-    cache_control_present: cacheControlPresent,
-    has_no_store: hasNoStore,
-    etag_present: etagPresent,
-    last_modified_present: lastModifiedPresent,
-    vary_header: vary ? vary.slice(0, 200) : null,
-    issues
-  };
+  if (isSensitivePath && !hasNoStore)
+    issues.push(`WARNING: no-store not set on ${urlPath} — sensitive page may be cached`);
+  if (hasCookies && !hasNoStore && !cc?.toLowerCase().includes("private"))
+    issues.push("WARNING: Response sets cookies but missing no-store/private — may be cached by CDN");
+  if (hasPublic && isApi)
+    issues.push("WARNING: Cache-Control: public on API response — user-specific data may be cached by shared caches");
+  if (isHtml && !cacheControlPresent)
+    issues.push("WARNING: No Cache-Control on HTML page — browsers use heuristic caching");
+  if (isHtml && !hasNoCache && !hasNoStore && cc && !cc.toLowerCase().includes("must-revalidate"))
+    issues.push("INFO: HTML page cached without revalidation directive — stale content after deploys");
+  const fixes = issues.length > 0 ? FIX_SNIPPETS.cache_nostore : undefined;
+  return { cache_control_present: cacheControlPresent, has_no_store: hasNoStore, etag_present: etagPresent, last_modified_present: lastModifiedPresent, vary_header: vary ? vary.slice(0, 200) : null, issues, fixes };
 }
 async function checkCorsPreflight(resolvedIp, hostname, port, path, isHttps) {
   try {
-    const response = await makeRawRequest(resolvedIp, hostname, port, path, "OPTIONS", isHttps);
+    const response = await makeRawRequest(resolvedIp, hostname, port, path, "OPTIONS", isHttps, {
+      Origin: "https://evil.example.com",
+      "Access-Control-Request-Method": "GET"
+    });
     const origin = getHeaderString(response.headers, "access-control-allow-origin");
     const credentials = getHeaderString(response.headers, "access-control-allow-credentials");
+    const methods = getHeaderString(response.headers, "access-control-allow-methods");
+    const maxAge = getHeaderString(response.headers, "access-control-max-age");
+    const varyHeader = getHeaderString(response.headers, "vary");
     const isWildcard = origin === "*";
     const allowsCredentials = credentials?.toLowerCase() === "true";
-    const allowsCredentialsWithWildcard = isWildcard && allowsCredentials;
+    const originReflected = origin === "https://evil.example.com";
+    const nullAllowed = origin === "null";
+    const varyOriginPresent = !!varyHeader && varyHeader.toLowerCase().includes("origin");
     const issues = [];
-    if (allowsCredentialsWithWildcard) {
-      issues.push("CRITICAL: Access-Control-Allow-Credentials with wildcard origin — browsers will reject this combination");
-    }
+    if (originReflected && allowsCredentials)
+      issues.push("CRITICAL: Origin reflection with credentials — any site can make authenticated cross-origin requests");
+    else if (originReflected)
+      issues.push("WARNING: Server reflects arbitrary Origin header — potential CORS misconfiguration");
+    if (nullAllowed && allowsCredentials)
+      issues.push("CRITICAL: null origin allowed with credentials — exploitable via sandboxed iframes");
+    if (isWildcard && allowsCredentials)
+      issues.push("CRITICAL: Wildcard origin with credentials — browsers block this but server is misconfigured");
+    if (origin && !isWildcard && !varyOriginPresent)
+      issues.push("WARNING: Dynamic ACAO without Vary: Origin — cache poisoning risk");
+    if (!maxAge)
+      issues.push("INFO: No Access-Control-Max-Age — preflight repeated every request (performance)");
     return {
       checked: true,
-      allowed_origins: origin === null ? "none" : isWildcard ? "wildcard" : "specific",
-      allows_credentials_with_wildcard: allowsCredentialsWithWildcard,
+      allowed_origins: origin === null ? "none" : isWildcard ? "wildcard" : originReflected ? "reflects_origin" : "specific",
+      allows_credentials_with_wildcard: isWildcard && allowsCredentials,
+      origin_reflected: originReflected,
+      null_origin_allowed: nullAllowed,
+      vary_origin_present: varyOriginPresent,
+      methods: methods ? methods.slice(0, 200) : null,
+      max_age: maxAge,
       issues
     };
   } catch {
-    return {
-      checked: true,
-      allowed_origins: "unknown",
-      allows_credentials_with_wildcard: false,
-      issues: []
-    };
+    return { checked: true, allowed_origins: "unknown", allows_credentials_with_wildcard: false, issues: [] };
   }
 }
-function aggregateIssues(ssl, secHeaders, cookies, fingerprint, cache, httpVersion, cors) {
+function detectCdnWaf(headers) {
+  let cdnName = null;
+  let wafName = null;
+  for (const sig of CDN_SIGNATURES) {
+    if (sig.detect(headers)) {
+      if (sig.type === "cdn" || sig.type === "both")
+        cdnName = cdnName ?? sig.name;
+      if (sig.type === "waf" || sig.type === "both")
+        wafName = wafName ?? sig.name;
+    }
+  }
+  return { cdnName, wafName };
+}
+function detectInfoLeakage(headers) {
+  const entries = [];
+  const serverVal = getHeaderString(headers, "server");
+  if (serverVal && /\/\d/.test(serverVal)) {
+    entries.push({ header: "Server", severity: "high", issue: "Server header exposes software version — enables targeted CVE exploitation", fixes: FIX_SNIPPETS.remove_server });
+  }
+  for (const check of INFO_LEAK_HEADERS) {
+    if (getHeaderString(headers, check.header) !== null) {
+      entries.push({ header: check.header, severity: check.severity, issue: check.message, fixes: check.fixKey ? FIX_SNIPPETS[check.fixKey] : undefined });
+    }
+  }
+  return { leaks_found: entries.length, entries };
+}
+function detectDeprecatedHeaders(headers) {
+  const entries = [];
+  const xxp = getHeaderString(headers, "x-xss-protection");
+  if (xxp !== null) {
+    const trimmed = xxp.trim();
+    if (trimmed !== "0") {
+      entries.push({ header: "X-XSS-Protection", value_summary: safeStr(xxp), severity: "error", issue: "Non-zero X-XSS-Protection is dangerous — XSS Auditor removed from all browsers (Chrome 78). Can introduce XSS via false positives. Set to 0 or remove." });
+    }
+  }
+  if (getHeaderString(headers, "public-key-pins") !== null) {
+    entries.push({ header: "Public-Key-Pins", severity: "error", issue: "HPKP is deprecated and dangerous — can permanently brick your site. Removed from Chrome 72, Firefox 72. Remove immediately." });
+  }
+  if (getHeaderString(headers, "public-key-pins-report-only") !== null) {
+    entries.push({ header: "Public-Key-Pins-Report-Only", severity: "warning", issue: "HPKP-Report-Only is deprecated — no browser processes it. Remove." });
+  }
+  if (getHeaderString(headers, "expect-ct") !== null) {
+    entries.push({ header: "Expect-CT", severity: "warning", issue: "Expect-CT deprecated since Chrome 107. Certificate Transparency is enforced by default. Remove." });
+  }
+  const fp = getHeaderString(headers, "feature-policy");
+  const pp = getHeaderString(headers, "permissions-policy");
+  if (fp !== null && pp === null) {
+    entries.push({ header: "Feature-Policy", severity: "warning", issue: "Feature-Policy is deprecated — rename to Permissions-Policy with updated syntax", fixes: FIX_SNIPPETS.permissions });
+  } else if (fp !== null && pp !== null) {
+    entries.push({ header: "Feature-Policy", severity: "info", issue: "Feature-Policy is redundant alongside Permissions-Policy — consider removing" });
+  }
+  return { found: entries.length, entries };
+}
+async function checkDnsSecurity(domain) {
+  const dnsP = dns.promises;
+  let spf = { found: false, policy: null, issues: [] };
+  try {
+    const records = await dnsP.resolveTxt(domain);
+    const spfRecords = records.map((c) => c.join("")).filter((r) => r.startsWith("v=spf1"));
+    if (spfRecords.length === 0) {
+      spf = { found: false, policy: null, issues: ["No SPF record — anyone can send email as this domain"] };
+    } else if (spfRecords.length > 1) {
+      spf = { found: true, policy: null, issues: ["Multiple SPF records — RFC 7208 violation (PermError)"] };
+    } else {
+      const rec = spfRecords[0];
+      let policy = null;
+      if (rec.includes("-all"))
+        policy = "hardfail";
+      else if (rec.includes("~all"))
+        policy = "softfail";
+      else if (rec.includes("?all"))
+        policy = "neutral";
+      else if (rec.includes("+all"))
+        policy = "pass_all";
+      const issues = [];
+      if (policy === "pass_all")
+        issues.push("+all allows ANY server to send email — effectively no SPF");
+      else if (policy === "softfail")
+        issues.push("~all (softfail) — consider upgrading to -all (hardfail)");
+      else if (policy === "neutral")
+        issues.push("?all (neutral) — provides no protection");
+      spf = { found: true, policy, issues };
+    }
+  } catch {}
+  let dmarc = { found: false, policy: null, issues: [] };
+  try {
+    const records = await dnsP.resolveTxt(`_dmarc.${domain}`);
+    const dmarcRecords = records.map((c) => c.join("")).filter((r) => r.startsWith("v=DMARC1"));
+    if (dmarcRecords.length === 0) {
+      dmarc = { found: false, policy: null, issues: ["No DMARC record — email spoofing not prevented"] };
+    } else {
+      const rec = dmarcRecords[0];
+      const pMatch = rec.match(/;\s*p=([^;\s]+)/);
+      const policy = pMatch?.[1] ?? null;
+      const issues = [];
+      if (policy === "none")
+        issues.push("p=none — monitoring only, no enforcement");
+      dmarc = { found: true, policy, issues };
+    }
+  } catch {}
+  let dkim = { found: false, selectors_found: [] };
+  const selectorResults = await Promise.allSettled(COMMON_DKIM_SELECTORS.map(async (sel) => {
+    try {
+      const records = await dnsP.resolveTxt(`${sel}._domainkey.${domain}`);
+      const rec = records.map((c) => c.join("")).find((r) => r.includes("p="));
+      if (rec)
+        return sel;
+    } catch {}
+    return null;
+  }));
+  const foundSelectors = selectorResults.filter((r) => r.status === "fulfilled" && r.value !== null).map((r) => r.value);
+  if (foundSelectors.length > 0)
+    dkim = { found: true, selectors_found: foundSelectors };
+  return { spf, dmarc, dkim };
+}
+function detectHttp3(headers) {
+  const altSvc = getHeaderString(headers, "alt-svc");
+  if (!altSvc)
+    return false;
+  return /\bh3\b/.test(altSvc);
+}
+function detectCompression(headers) {
+  const encoding = (getHeaderString(headers, "content-encoding") ?? "").toLowerCase();
+  return { brotli: encoding.includes("br"), gzip: encoding.includes("gzip") };
+}
+function aggregateIssues(ssl, secHeaders, cookies, fingerprint, cache, httpVersion, cors, infoLeak, deprecated, dnsSec) {
   const criticals = [];
   const warnings = [];
   const infos = [];
-  if (!ssl.valid) {
+  if (!ssl.valid)
     criticals.push(`CRITICAL: SSL/TLS connection failed — ${ssl.error ?? "unknown error"}`);
-  }
   if (ssl.expiry_warning) {
     if (ssl.expiry_warning.startsWith("CRITICAL"))
       criticals.push(ssl.expiry_warning);
@@ -1054,39 +1171,74 @@ function aggregateIssues(ssl, secHeaders, cookies, fingerprint, cache, httpVersi
     if (!h.issue)
       continue;
     const label = key.replace(/_/g, "-").toUpperCase();
-    if (h.status === "fail") {
+    if (h.status === "fail")
       criticals.push(`CRITICAL: ${label} — ${h.issue}`);
-    } else if (h.status === "warn") {
+    else if (h.status === "warn")
       warnings.push(`WARNING: ${label} — ${h.issue}`);
-    } else if (h.status === "info") {
+    else if (h.status === "info")
       infos.push(`INFO: ${label} — ${h.issue}`);
-    }
+  }
+  if (secHeaders.csp_quality) {
+    const cq = secHeaders.csp_quality;
+    if (cq.csp_score < 30)
+      criticals.push(`CRITICAL: CSP quality score ${cq.csp_score}/100 — policy is effectively useless`);
+    else if (cq.csp_score < 50)
+      warnings.push(`WARNING: CSP quality score ${cq.csp_score}/100 — significant weaknesses`);
   }
   for (const c of cookies) {
-    if (c.status === "fail" && c.issue) {
+    if (c.status === "fail" && c.issue)
       warnings.push(`WARNING: Cookie '${c.name}' — ${c.issue}`);
-    }
   }
-  for (const i of fingerprint.issues) {
+  for (const i of fingerprint.issues)
     warnings.push(`WARNING: ${i}`);
-  }
   for (const i of cache.issues) {
-    if (i.startsWith("WARNING:"))
+    if (i.startsWith("WARNING"))
       warnings.push(i);
     else
       infos.push(`INFO: ${i}`);
   }
-  if (httpVersion === "1.1") {
+  if (httpVersion === "1.1")
     infos.push("INFO: HTTP/1.1 detected — consider HTTP/2 for improved performance");
-  }
   if (cors.checked && cors.issues) {
     for (const i of cors.issues) {
       if (i.startsWith("CRITICAL"))
         criticals.push(i);
+      else if (i.startsWith("WARNING"))
+        warnings.push(i);
       else
-        warnings.push(`WARNING: ${i}`);
+        infos.push(i);
     }
   }
+  for (const e of infoLeak.entries) {
+    if (e.severity === "critical")
+      criticals.push(`CRITICAL: ${e.header} — ${e.issue}`);
+    else if (e.severity === "high")
+      warnings.push(`WARNING: ${e.header} — ${e.issue}`);
+    else
+      infos.push(`INFO: ${e.header} — ${e.issue}`);
+  }
+  for (const e of deprecated.entries) {
+    if (e.severity === "error")
+      criticals.push(`CRITICAL: ${e.header} — ${e.issue}`);
+    else if (e.severity === "warning")
+      warnings.push(`WARNING: ${e.header} — ${e.issue}`);
+    else
+      infos.push(`INFO: ${e.header} — ${e.issue}`);
+  }
+  for (const i of dnsSec.spf.issues) {
+    if (i.includes("+all") || i.includes("No SPF"))
+      warnings.push(`WARNING: SPF — ${i}`);
+    else
+      infos.push(`INFO: SPF — ${i}`);
+  }
+  for (const i of dnsSec.dmarc.issues) {
+    if (i.includes("No DMARC"))
+      warnings.push(`WARNING: DMARC — ${i}`);
+    else
+      infos.push(`INFO: DMARC — ${i}`);
+  }
+  if (!dnsSec.dkim.found)
+    infos.push("INFO: DKIM — no DKIM records found for common selectors");
   return [...criticals, ...warnings, ...infos];
 }
 async function runAudit(url, options) {
@@ -1111,46 +1263,64 @@ async function runAudit(url, options) {
   } catch {
     finalResolvedIp = finalHostname;
   }
-  const ssl = isHttps && opts.checkSsl ? await inspectSsl(finalHostname, finalResolvedIp) : {
-    valid: isHttps,
-    days_until_expiry: null,
-    issuer: null,
-    protocol: null,
-    expiry_warning: opts.checkSsl ? "WARNING: Connection is not HTTPS — no TLS certificate" : "SSL check disabled"
-  };
-  const securityHeaders = opts.checkHeaders ? analyzeSecurityHeaders(headers) : {
-    grade: "skip",
-    score: null,
-    headers: {
-      strict_transport_security: { present: false, status: "info", issue: null, fix: null },
-      content_security_policy: { present: false, status: "info", issue: null, fix: null },
-      x_frame_options: { present: false, status: "info", issue: null, fix: null },
-      x_content_type_options: { present: false, status: "info", issue: null, fix: null },
-      referrer_policy: { present: false, status: "info", issue: null, fix: null },
-      permissions_policy: { present: false, status: "info", issue: null, fix: null },
-      cross_origin_opener_policy: { present: false, status: "info", issue: null, fix: null },
-      cross_origin_resource_policy: { present: false, status: "info", issue: null, fix: null }
-    },
-    summary: "Check disabled"
-  };
+  let ssl;
+  let http2 = false;
+  if (isHttps && opts.checkSsl) {
+    const sslResult = await inspectSsl(finalHostname, finalResolvedIp);
+    ssl = sslResult.ssl;
+    http2 = sslResult.http2;
+  } else {
+    ssl = { valid: isHttps, days_until_expiry: null, issuer: null, protocol: null, expiry_warning: opts.checkSsl ? "WARNING: Connection is not HTTPS" : "SSL check disabled" };
+  }
+  const securityHeaders = opts.checkHeaders ? analyzeSecurityHeaders(headers) : { grade: "skip", score: null, headers: { strict_transport_security: { present: false, status: "info", issue: null, fix: null }, content_security_policy: { present: false, status: "info", issue: null, fix: null }, x_frame_options: { present: false, status: "info", issue: null, fix: null }, x_content_type_options: { present: false, status: "info", issue: null, fix: null }, referrer_policy: { present: false, status: "info", issue: null, fix: null }, permissions_policy: { present: false, status: "info", issue: null, fix: null }, cross_origin_opener_policy: { present: false, status: "info", issue: null, fix: null }, cross_origin_resource_policy: { present: false, status: "info", issue: null, fix: null } }, summary: "Check disabled" };
   if (opts.checkHeaders && opts.checkSsl) {
     const hstsVal = getHeaderString(headers, "strict-transport-security");
     if (hstsVal?.toLowerCase().includes("preload")) {
       const preloadStatus = await checkHstsPreload(finalHostname);
       const stsEntry = securityHeaders.headers.strict_transport_security;
-      if (stsEntry) {
+      if (stsEntry)
         stsEntry.hsts_preload_status = preloadStatus;
-      }
     }
   }
-  const cookieFlags = opts.checkCookies ? parseCookieFlags(headers) : [];
+  const { cookies: cookieFlags, frameworkFromCookies } = opts.checkCookies ? parseCookieFlags(headers) : { cookies: [], frameworkFromCookies: null };
   const serverFingerprint = analyzeServerFingerprint(headers);
-  const cacheAnalysis = analyzeCacheHeaders(headers, finalPath);
+  const hasCookies = cookieFlags.length > 0;
+  const cacheAnalysis = analyzeCacheHeaders(headers, finalPath, hasCookies);
   const httpVersionStr = httpVersion === "2.0" || httpVersion === "2" ? "2.0" : httpVersion ?? "1.1";
   const contentType = getHeaderString(headers, "content-type") ?? "";
   const shouldCheckCors = finalPath.includes("/api/") || contentType.includes("application/json");
   const corsPreflight = shouldCheckCors ? await checkCorsPreflight(finalResolvedIp, finalHostname, finalPort, finalPath, isHttps) : { checked: false };
-  const issues = aggregateIssues(ssl, securityHeaders, cookieFlags, serverFingerprint, cacheAnalysis, httpVersionStr, corsPreflight);
+  const { cdnName, wafName } = detectCdnWaf(headers);
+  const http3 = detectHttp3(headers);
+  const { brotli, gzip } = detectCompression(headers);
+  const infoLeakage = detectInfoLeakage(headers);
+  const deprecatedHeaders = detectDeprecatedHeaders(headers);
+  let dnsSecurity;
+  try {
+    dnsSecurity = await Promise.race([
+      checkDnsSecurity(finalHostname),
+      new Promise((resolve) => setTimeout(() => resolve({
+        spf: { found: false, policy: null, issues: ["DNS lookup timed out"] },
+        dmarc: { found: false, policy: null, issues: ["DNS lookup timed out"] },
+        dkim: { found: false, selectors_found: [] }
+      }), 5000))
+    ]);
+  } catch {
+    dnsSecurity = { spf: { found: false, policy: null, issues: [] }, dmarc: { found: false, policy: null, issues: [] }, dkim: { found: false, selectors_found: [] } };
+  }
+  const frameworkDetected = serverFingerprint.framework_detected ?? frameworkFromCookies ?? null;
+  const infra = {
+    cdn_detected: cdnName !== null,
+    cdn_name: cdnName,
+    waf_detected: wafName !== null,
+    waf_name: wafName,
+    http2,
+    http3,
+    brotli,
+    gzip,
+    framework_detected: frameworkDetected
+  };
+  const issues = aggregateIssues(ssl, securityHeaders, cookieFlags, serverFingerprint, cacheAnalysis, httpVersionStr, corsPreflight, infoLeakage, deprecatedHeaders, dnsSecurity);
   {
     const stsEntry = securityHeaders.headers.strict_transport_security;
     const preloadStatus = stsEntry?.hsts_preload_status;
@@ -1158,6 +1328,8 @@ async function runAudit(url, options) {
       issues.push(`INFO: HSTS header claims preload but domain is not on the preload list (status: ${preloadStatus}) — submit at hstspreload.org`);
     }
   }
+  if (!cdnName)
+    infos_push(issues, "INFO: No CDN detected — origin server is directly exposed");
   const criticalCount = issues.filter((i) => i.startsWith("CRITICAL")).length;
   const warningCount = issues.filter((i) => i.startsWith("WARNING")).length;
   const infoCount = issues.filter((i) => i.startsWith("INFO")).length;
@@ -1183,10 +1355,18 @@ async function runAudit(url, options) {
     server_fingerprint: serverFingerprint,
     cache_analysis: cacheAnalysis,
     http_version: httpVersionStr,
-    cors_preflight: corsPreflight
+    cors_preflight: corsPreflight,
+    infra,
+    info_leakage: infoLeakage,
+    deprecated_headers: deprecatedHeaders,
+    dns: dnsSecurity
   };
 }
-var rateLimitMap, PRIVATE_RANGES, BLOCKED_AUDIT_HOSTNAMES, SESSION_COOKIE_PATTERN, SENSITIVE_PATH_FRAGMENTS;
+function infos_push(issues, msg) {
+  if (!issues.includes(msg))
+    issues.push(msg);
+}
+var rateLimitMap, PRIVATE_RANGES, BLOCKED_AUDIT_HOSTNAMES, FIX_SNIPPETS, SESSION_COOKIE_PATTERN, COOKIE_FRAMEWORK_MAP, SENSITIVE_PATH_FRAGMENTS, CDN_SIGNATURES, INFO_LEAK_HEADERS, COMMON_DKIM_SELECTORS;
 var init_handlers = __esm(() => {
   init_sanitize();
   init_types();
@@ -1207,15 +1387,156 @@ var init_handlers = __esm(() => {
     /^metadata\.google\.internal$/i,
     /^metadata\.amazonaws\.com$/i
   ];
+  FIX_SNIPPETS = {
+    hsts: {
+      nginx: 'add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;',
+      express: "app.use(helmet({ strictTransportSecurity: { maxAge: 63072000, includeSubDomains: true, preload: true } }));",
+      vercel: '{ "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" }',
+      next_config: "{ key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' }",
+      cloudflare: "newHeaders.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload');",
+      caddy: 'header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"',
+      apache: 'Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"'
+    },
+    csp: {
+      nginx: `add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'" always;`,
+      express: `app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], baseUri: ["'self'"], frameAncestors: ["'none'"], objectSrc: ["'none'"] } } }));`,
+      vercel: `{ "key": "Content-Security-Policy", "value": "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'" }`,
+      next_config: `{ key: 'Content-Security-Policy', value: "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'" }`,
+      cloudflare: `newHeaders.set('Content-Security-Policy', "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'");`,
+      caddy: `header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'"`,
+      apache: `Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'"`
+    },
+    xfo: {
+      nginx: 'add_header X-Frame-Options "SAMEORIGIN" always;',
+      express: "app.use(helmet({ xFrameOptions: { action: 'sameorigin' } }));",
+      vercel: '{ "key": "X-Frame-Options", "value": "SAMEORIGIN" }',
+      next_config: "{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }",
+      cloudflare: "newHeaders.set('X-Frame-Options', 'SAMEORIGIN');",
+      caddy: 'header X-Frame-Options "SAMEORIGIN"',
+      apache: 'Header always set X-Frame-Options "SAMEORIGIN"'
+    },
+    xcto: {
+      nginx: 'add_header X-Content-Type-Options "nosniff" always;',
+      express: "app.use(helmet()); // sets nosniff by default",
+      vercel: '{ "key": "X-Content-Type-Options", "value": "nosniff" }',
+      next_config: "{ key: 'X-Content-Type-Options', value: 'nosniff' }",
+      cloudflare: "newHeaders.set('X-Content-Type-Options', 'nosniff');",
+      caddy: 'header X-Content-Type-Options "nosniff"',
+      apache: 'Header always set X-Content-Type-Options "nosniff"'
+    },
+    referrer: {
+      nginx: 'add_header Referrer-Policy "strict-origin-when-cross-origin" always;',
+      express: "app.use(helmet({ referrerPolicy: { policy: 'strict-origin-when-cross-origin' } }));",
+      vercel: '{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }',
+      next_config: "{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }",
+      cloudflare: "newHeaders.set('Referrer-Policy', 'strict-origin-when-cross-origin');",
+      caddy: 'header Referrer-Policy "strict-origin-when-cross-origin"',
+      apache: 'Header always set Referrer-Policy "strict-origin-when-cross-origin"'
+    },
+    permissions: {
+      nginx: 'add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;',
+      express: `res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');`,
+      vercel: '{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }',
+      next_config: "{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' }",
+      cloudflare: "newHeaders.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');",
+      caddy: 'header Permissions-Policy "camera=(), microphone=(), geolocation=()"',
+      apache: 'Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"'
+    },
+    coop: {
+      nginx: 'add_header Cross-Origin-Opener-Policy "same-origin" always;',
+      express: `res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');`,
+      vercel: '{ "key": "Cross-Origin-Opener-Policy", "value": "same-origin" }',
+      next_config: "{ key: 'Cross-Origin-Opener-Policy', value: 'same-origin' }",
+      cloudflare: "newHeaders.set('Cross-Origin-Opener-Policy', 'same-origin');",
+      caddy: 'header Cross-Origin-Opener-Policy "same-origin"',
+      apache: 'Header always set Cross-Origin-Opener-Policy "same-origin"'
+    },
+    corp: {
+      nginx: 'add_header Cross-Origin-Resource-Policy "same-origin" always;',
+      express: `res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');`,
+      vercel: '{ "key": "Cross-Origin-Resource-Policy", "value": "same-origin" }',
+      next_config: "{ key: 'Cross-Origin-Resource-Policy', value: 'same-origin' }",
+      cloudflare: "newHeaders.set('Cross-Origin-Resource-Policy', 'same-origin');",
+      caddy: 'header Cross-Origin-Resource-Policy "same-origin"',
+      apache: 'Header always set Cross-Origin-Resource-Policy "same-origin"'
+    },
+    cache_nostore: {
+      nginx: 'add_header Cache-Control "no-store, max-age=0" always;',
+      express: `res.setHeader('Cache-Control', 'no-store, max-age=0');`,
+      vercel: '{ "key": "Cache-Control", "value": "no-store, max-age=0" }',
+      next_config: "{ key: 'Cache-Control', value: 'no-store, max-age=0' }",
+      cloudflare: "newHeaders.set('Cache-Control', 'no-store, max-age=0');",
+      caddy: 'header Cache-Control "no-store, max-age=0"',
+      apache: 'Header always set Cache-Control "no-store, max-age=0"'
+    },
+    remove_server: {
+      nginx: "server_tokens off;",
+      express: "app.use((req, res, next) => { res.removeHeader('Server'); next(); });",
+      cloudflare: "newHeaders.delete('Server');",
+      caddy: "header -Server",
+      apache: `ServerTokens Prod
+ServerSignature Off`
+    },
+    remove_powered_by: {
+      nginx: "proxy_hide_header X-Powered-By;",
+      express: "app.disable('x-powered-by');",
+      next_config: "module.exports = { poweredByHeader: false };",
+      cloudflare: "newHeaders.delete('X-Powered-By');",
+      caddy: "header -X-Powered-By",
+      apache: "Header always unset X-Powered-By"
+    }
+  };
   SESSION_COOKIE_PATTERN = /session|sid|token|auth/i;
-  SENSITIVE_PATH_FRAGMENTS = [
-    "/login",
-    "/dashboard",
-    "/admin",
-    "/auth",
-    "/account",
-    "/settings"
+  COOKIE_FRAMEWORK_MAP = [
+    [/^PHPSESSID$/i, "PHP"],
+    [/^JSESSIONID$/i, "Java"],
+    [/^ASP\.NET_SessionId$/i, "ASP.NET"],
+    [/^connect\.sid$/i, "Express"],
+    [/^laravel_session$/i, "Laravel"],
+    [/^_rails_session$/i, "Rails"],
+    [/^django_session$/i, "Django"],
+    [/^PLAY_SESSION$/i, "Play Framework"],
+    [/^rack\.session$/i, "Ruby Rack"],
+    [/^wp-settings-/i, "WordPress"]
+  ];
+  SENSITIVE_PATH_FRAGMENTS = ["/login", "/dashboard", "/admin", "/auth", "/account", "/settings"];
+  CDN_SIGNATURES = [
+    { name: "Cloudflare", type: "both", detect: (h) => !!h["cf-ray"] || getHeaderString(h, "server")?.toLowerCase() === "cloudflare" },
+    { name: "AWS CloudFront", type: "cdn", detect: (h) => !!h["x-amz-cf-id"] || (getHeaderString(h, "via") ?? "").toLowerCase().includes("cloudfront") },
+    { name: "Akamai", type: "cdn", detect: (h) => !!h["x-akamai-transformed"] || /AkamaiGHost/i.test(getHeaderString(h, "server") ?? "") },
+    { name: "Fastly", type: "cdn", detect: (h) => !!h["x-served-by"] && /^cache-/i.test(getHeaderString(h, "x-served-by") ?? "") || !!h["x-timer"] },
+    { name: "Vercel", type: "cdn", detect: (h) => !!h["x-vercel-id"] || getHeaderString(h, "server")?.toLowerCase() === "vercel" },
+    { name: "Netlify", type: "cdn", detect: (h) => !!h["x-nf-request-id"] || getHeaderString(h, "server")?.toLowerCase() === "netlify" },
+    { name: "Google Cloud CDN", type: "cdn", detect: (h) => (getHeaderString(h, "via") ?? "").includes("google") || getHeaderString(h, "server") === "Google Frontend" },
+    { name: "Azure Front Door", type: "cdn", detect: (h) => !!h["x-azure-ref"] },
+    { name: "BunnyCDN", type: "cdn", detect: (h) => /BunnyCDN/i.test(getHeaderString(h, "server") ?? "") || !!h["cdn-pullzone"] },
+    { name: "KeyCDN", type: "cdn", detect: (h) => /keycdn-engine/i.test(getHeaderString(h, "server") ?? "") || !!h["x-edge-location"] },
+    { name: "Sucuri", type: "waf", detect: (h) => /Sucuri/i.test(getHeaderString(h, "server") ?? "") || !!h["x-sucuri-id"] },
+    { name: "Imperva", type: "waf", detect: (h) => !!h["x-iinfo"] || /Incapsula|Imperva/i.test(getHeaderString(h, "x-cdn") ?? "") }
+  ];
+  INFO_LEAK_HEADERS = [
+    { header: "x-powered-by", severity: "high", message: "Leaks server technology — remove entirely", fixKey: "remove_powered_by" },
+    { header: "x-aspnet-version", severity: "high", message: "Leaks ASP.NET version — disable via web.config: enableVersionHeader=false" },
+    { header: "x-aspnetmvc-version", severity: "high", message: "Leaks ASP.NET MVC version" },
+    { header: "x-generator", severity: "medium", message: "Leaks CMS/generator information" },
+    { header: "x-drupal-cache", severity: "medium", message: "Reveals Drupal CMS in use" },
+    { header: "x-drupal-dynamic-cache", severity: "medium", message: "Reveals Drupal 8+ with dynamic page cache" },
+    { header: "x-pingback", severity: "medium", message: "Reveals WordPress with XML-RPC enabled (attack surface)" },
+    { header: "x-runtime", severity: "medium", message: "Leaks request processing time — enables timing attacks" },
+    { header: "x-debug-token", severity: "critical", message: "Symfony debug mode enabled in production" },
+    { header: "x-debug-token-link", severity: "critical", message: "Symfony profiler exposed in production" },
+    { header: "x-powered-cms", severity: "medium", message: "Leaks CMS platform information" },
+    { header: "x-backend-server", severity: "critical", message: "Leaks internal server hostname" },
+    { header: "x-server-name", severity: "critical", message: "Leaks internal server hostname" },
+    { header: "x-upstream", severity: "critical", message: "Leaks internal upstream server info" },
+    { header: "x-host", severity: "high", message: "Leaks internal hostname" },
+    { header: "x-mod-pagespeed", severity: "low", message: "Reveals Google PageSpeed module version" },
+    { header: "x-page-speed", severity: "low", message: "Reveals Google PageSpeed module version" },
+    { header: "x-litespeed-cache", severity: "low", message: "Reveals LiteSpeed server" },
+    { header: "x-turbo-charged-by", severity: "low", message: "Reveals LiteSpeed server" },
+    { header: "x-redirect-by", severity: "low", message: "Reveals redirect handler (e.g., WordPress)" }
   ];
+  COMMON_DKIM_SELECTORS = ["google", "google1", "selector1", "selector2", "k1", "s1", "default", "dkim", "mail"];
 });
 
 // node_modules/.bun/zod@4.3.6/node_modules/zod/v4/core/core.js
@@ -15176,7 +15497,7 @@ var init_v4_mini = __esm(() => {
   init_external2();
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/server/zod-compat.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/server/zod-compat.js
 function isZ4Schema(s) {
   const schema = s;
   return !!schema._zod;
@@ -15252,7 +15573,7 @@ var init_v4 = __esm(() => {
   init_classic();
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/types.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/types.js
 var exports_types = {};
 __export(exports_types, {
   isTaskAugmentedRequestParams: () => isTaskAugmentedRequestParams,
@@ -15445,7 +15766,7 @@ var init_types2 = __esm(() => {
   ProgressTokenSchema = union([string2(), number2().int()]);
   CursorSchema = string2();
   TaskCreationParamsSchema = looseObject({
-    ttl: union([number2(), _null3()]).optional(),
+    ttl: number2().optional(),
     pollInterval: number2().optional()
   });
   TaskMetadataSchema = object({
@@ -15596,7 +15917,8 @@ var init_types2 = __esm(() => {
     roots: object({
       listChanged: boolean2().optional()
     }).optional(),
-    tasks: ClientTasksCapabilitySchema.optional()
+    tasks: ClientTasksCapabilitySchema.optional(),
+    extensions: record(string2(), AssertObjectSchema).optional()
   });
   InitializeRequestParamsSchema = BaseRequestParamsSchema.extend({
     protocolVersion: string2(),
@@ -15621,7 +15943,8 @@ var init_types2 = __esm(() => {
     tools: object({
       listChanged: boolean2().optional()
     }).optional(),
-    tasks: ServerTasksCapabilitySchema.optional()
+    tasks: ServerTasksCapabilitySchema.optional(),
+    extensions: record(string2(), AssertObjectSchema).optional()
   });
   InitializeResultSchema = ResultSchema.extend({
     protocolVersion: string2(),
@@ -15736,6 +16059,7 @@ var init_types2 = __esm(() => {
     uri: string2(),
     description: optional(string2()),
     mimeType: optional(string2()),
+    size: optional(number2()),
     annotations: AnnotationsSchema.optional(),
     _meta: optional(looseObject({}))
   });
@@ -16265,7 +16589,7 @@ var init_types2 = __esm(() => {
   };
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/experimental/tasks/interfaces.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/experimental/tasks/interfaces.js
 function isTerminal(status) {
   return status === "completed" || status === "failed" || status === "cancelled";
 }
@@ -16483,7 +16807,7 @@ var init_esm = __esm(() => {
   init_zodToJsonSchema();
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/server/zod-json-schema-compat.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/server/zod-json-schema-compat.js
 function getMethodLiteral(schema) {
   const shape = getObjectShape(schema);
   const methodSchema = shape?.method;
@@ -16508,7 +16832,7 @@ var init_zod_json_schema_compat = __esm(() => {
   init_esm();
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/protocol.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/protocol.js
 class Protocol {
   constructor(_options) {
     this._options = _options;
@@ -23816,7 +24140,7 @@ var require_dist = __commonJS((exports, module) => {
   exports.default = formatsPlugin;
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/validation/ajv-provider.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/validation/ajv-provider.js
 function createDefaultAjvInstance() {
   const ajv = new import_ajv.default({
     strict: false,
@@ -23859,7 +24183,7 @@ var init_ajv_provider = __esm(() => {
   import_ajv_formats = __toESM(require_dist(), 1);
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/experimental/tasks/server.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/experimental/tasks/server.js
 class ExperimentalServerTasks {
   constructor(_server) {
     this._server = _server;
@@ -23940,7 +24264,7 @@ var init_server = __esm(() => {
   init_types2();
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/experimental/tasks/helpers.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/experimental/tasks/helpers.js
 function assertToolsCallTaskCapability(requests, method, entityName) {
   if (!requests) {
     throw new Error(`${entityName} does not support task creation (required for ${method})`);
@@ -23975,7 +24299,7 @@ function assertClientRequestTaskCapability(requests, method, entityName) {
   }
 }
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js
 var exports_server = {};
 __export(exports_server, {
   Server: () => Server
@@ -24320,7 +24644,7 @@ var init_server2 = __esm(() => {
   };
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/stdio.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/stdio.js
 class ReadBuffer {
   append(chunk) {
     this._buffer = this._buffer ? Buffer.concat([this._buffer, chunk]) : chunk;
@@ -24353,7 +24677,7 @@ var init_stdio = __esm(() => {
   init_types2();
 });
 
-// node_modules/.bun/@modelcontextprotocol+sdk@1.28.0/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
+// node_modules/.bun/@modelcontextprotocol+sdk@1.29.0/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
 var exports_stdio = {};
 __export(exports_stdio, {
   StdioServerTransport: () => StdioServerTransport
@@ -24459,7 +24783,7 @@ var init_audit_headers = __esm(async () => {
 ` + `• When a user shares a URL from Vercel, Netlify, Cloudflare Pages, AWS CloudFront, Azure Front Door, GCP Load Balancer / Cloud CDN, Fastly, Akamai, BunnyCDN, KeyCDN, jsDelivr / unpkg, custom Nginx / Apache / Caddy / HAProxy / Traefik — the fix snippets are tailored to common origins
 ` + `• When the user asks to compare headers across staging vs production, or across regions / edge locations
 ` + `
-` + `Does NOT render JavaScript or measure Core Web Vitals — for those, use inspect_url. audit_headers is the right tool for anything at the HTTP / TLS / cookie / redirect layer.
+` + `Does NOT render JavaScript or measure Core Web Vitals — for those, use Zephex_dev_info. audit_headers is the right tool for anything at the HTTP / TLS / cookie / redirect layer.
 ` + `
 ` + "Params: url (https recommended), check_redirects / check_ssl / check_headers / check_cookies (all default true; disable to speed up if you only need one aspect).",
     inputSchema: {