Commit Graph

1197 Commits

Author SHA1 Message Date
Carter Perez c7eb953234
Update SOC-ANALYST.md 2026-07-05 15:45:50 -04:00
CarterPerez-dev 01dca71765 feat: rveng M3 web app + M3.5 static-analysis engine depth
M3 React web app over the existing FastAPI: hex viewer, disassembly pane, section map, strings, challenge runner with reveal-after-solve, and progress. Scaffolded from the open no-auth react-scss template; components kept self-contained for CertGames extraction.

M3.5 static-analysis depth, all still no-execution and KAT-traced to the gate binary: PLT/GOT import resolution (plt.py), RIP-relative cross-references and callers (xref.py), basic-block control-flow graphs (cfg.py), and prologue-scan function discovery for stripped binaries (discover.py). Adds the 06-stripped-gate challenge. The API now resolves call names, exposes rip targets, and serves /cfg, /xrefs, and discovered functions.

M2 API hardening from a read-only audit: challenge-loader error isolation, a request body-size middleware, session length bounds, CORS, and the disasm gate annotation gated behind solved state so it no longer pre-solves the challenge.

96 backend tests green; frontend typecheck, build, and lint clean.
2026-07-05 15:36:46 -04:00
CarterPerez-dev 312b13b348 feat(nadezhda): M2 cross-source dedup + clustering
Group the same story across outlets into clusters, the velocity signal for
ranking. Runs automatically after 'scrape' (recompute-from-scratch, idempotent).

- internal/cluster: connected-components engine (union-find). Two articles join
  when, within a time window (Cluster.WindowHours, default 72h), EITHER their
  normalized-title token-set Jaccard >= threshold (default 0.6) AND they are from
  different outlets, OR they share >= 1 CVE (source-agnostic). The cross-outlet
  guard on the title edge kills a real false positive where two distinct CISA
  advisories with identical boilerplate titles were merging. Cluster key = the
  earliest article by time; SourceCount tracks distinct outlets so the reported
  'multi-source' metric is truthful.
- Shared-CVE join reads article_cves, which is empty until M3 CVE extraction, so
  that path is a natural no-op today and lights up in M3 with no rework.
- store: ClusterCandidates (effective time = published_at else fetched_at, bounded
  by lookback), ArticleCVEMap, ReplaceClusters (single atomic tx: wipe + rebuild).
- config: Cluster.LookbackHours (default 168h) bounds the corpus for O(n^2);
  validated as >= window_hours so window edges are never silently dropped.
- Proven live: 215 real articles -> 137 clusters, 2 genuinely cross-outlet
  (FortiBleed x3, Scattered Spider x2). 17 cluster tests; suite offline + -race.

One read-only audit agent run; findings (multi-source stat, lookback guard) fixed in-phase.

Clustering is recompute-from-scratch each scrape; safe to re-run.
2026-07-05 15:11:29 -04:00
CarterPerez-dev b41276004f feat(nadezhda): M1 ingestion core (fetch, parse, normalize, dedup)
Concurrent, rate-limited feed ingestion wired end to end: 'scrape' pulls
live security news into the SQLite store, idempotent across re-runs.

- internal/fetch: per-host token-bucket rate limiting, conditional GET
  (ETag/Last-Modified with 304 handling), retry+backoff that honors
  Retry-After and treats timeouts/cancellation as non-retryable, per-source
  deadline, honest User-Agent, 16MB body cap. robots.txt is enforced only via
  Client.Allowed() for the future HTML article-scrape path, not on subscribed
  feed fetches (user-directed retrieval; several publishers blanket-disallow
  generic bots yet serve a public feed).
- internal/parse: gofeed RSS/Atom to a normalized Item; RFC1123Z/RFC822Z/
  RFC3339 time fallbacks (CISA emits RFC822Z, not RFC1123Z as first researched).
- internal/normalize: canonical URL (lowercase scheme+host, drop fragment,
  strip utm_*/gclid/fbclid/ref/mc_cid/mc_eid, drop trailing slash), title
  normalization, goquery HTML strip, sha256 content+title hashes.
- internal/ingest: errgroup fan-out over sources, fail-soft per source, fetch
  -> parse -> normalize -> InsertArticle dedup via store.ErrDuplicate, plus
  fetch_state upsert for conditional GET.
- store: migration 0002 adds articles.title_hash; GetFetchState/UpsertFetchState.
- Trimmed testdata/feeds fixtures (3 items each) back golden parse tests; full
  suite is offline and passes under -race. Proven live: cold run 215 new across
  7 sources, warm run 0 new (304s + dedup).

Ctrl-C aborts scrape cleanly via signal-aware context.
2026-07-05 14:51:57 -04:00
CarterPerez-dev 8b8eaafa1f feat(nadezhda): M0 scaffold for security news + CVE aggregator
Go engine that aggregates cybersecurity news and enriches CVEs. This
first commit lays the M0 foundation:

- config: fetch/enrich/cluster/rank/AI settings, YAML + validation,
  defaults as named constants, AI opt-in and off by default
- source: Source registry with embedded default feeds (7 verified RSS
  sources), external-file override, dedup/URL validation
- store: pure-Go SQLite (modernc), WAL + foreign_keys, forward-only
  embedded migrations with schema_migrations tracking and a loud
  newer-than-binary guard; ErrDuplicate sentinel for dedup
- cmd: cobra skeleton, version + sources wired, remaining commands
  stubbed to their milestones

go vet / gofmt / go test all clean.
2026-07-05 13:22:08 -04:00
CarterPerez-dev 44f1b5bc99 feat: rveng M0-M2 reverse-engineering learning platform engine and API
Framework-free analysis engine (hex dump, hand-rolled ELF64 parser,
capstone x86-64 disassembly, string extraction, byte patching, challenge
grading) behind a thin read-only FastAPI layer over curated pre-compiled
challenge binaries.

No-execution security posture: the backend only reads and decodes bytes,
never runs a target; patch challenges are graded by static byte diff.
Reveal-after-solve pedagogy: challenge source is returned only on a
correct submission. Input size-caps enforced at the API boundary.

M0 research (ELF format, x86-64/capstone, pedagogy, no-execution) is
cross-checked against a real compiled binary. 63 tests green, including
an ELF parser cross-check against pyelftools and disassembly that matches
objdump instruction-for-instruction.
2026-07-05 13:20:45 -04:00
surya b29476d1d8 [chore]: bump rolldown-vite to 7.3.1 and migrate pnpm overrides to root 2026-07-04 21:36:38 +05:30
surya ae159b3e7a [chore]: copy lockfile and workspace config before pnpm install in Dockerfiles 2026-07-04 21:36:29 +05:30
surya 7f536cb617 [fix]: correct postgres volume mount path to /var/lib/postgresql 2026-07-04 21:36:16 +05:30
surya 614fc12bf2 [feat]: add xxe simulation mode with 5 XXE payload variants 2026-07-04 21:36:12 +05:30
surya a12df57316 [feat]: register XXE_INJECTION detection rule with score 0.82 2026-07-04 21:36:08 +05:30
surya 22c9f66dcf [feat]: add XXE_INJECTION regex pattern to ATTACK_COMBINED 2026-07-04 21:36:03 +05:30
Carter Perez 6593aa5689
Update README.md 2026-07-04 11:03:09 -04:00
Carter Perez 9dee035cb2
Update license reference in README 2026-07-04 10:57:30 -04:00
Carter Perez 8439e82902
Update README.md 2026-07-04 10:54:00 -04:00
Carter Perez a0407cdba2
Merge pull request #299 from CarterPerez-dev/project/zingela
Project/zingela
2026-07-04 10:49:41 -04:00
CarterPerez-dev ab42857882 completed 2026-07-04 10:43:16 -04:00
CarterPerez-dev 71f6acd972 add stealth.zig 2026-07-04 10:32:59 -04:00
Carter Perez 1c8cfc73e9
Merge pull request #295 from CarterPerez-dev/dependabot/go_modules/PROJECTS/advanced/monitor-the-situation-dashboard/backend/golang.org/x/net-0.55.0
chore(deps): bump golang.org/x/net from 0.52.0 to 0.55.0 in /PROJECTS/advanced/monitor-the-situation-dashboard/backend
2026-07-04 10:28:07 -04:00
Carter Perez 2d3cc3f584
Merge pull request #296 from CarterPerez-dev/dependabot/go_modules/PROJECTS/intermediate/secrets-scanner/golang.org/x/net-0.55.0
chore(deps): bump golang.org/x/net from 0.53.0 to 0.55.0 in /PROJECTS/intermediate/secrets-scanner
2026-07-04 10:27:51 -04:00
Carter Perez c464a019d6
Merge pull request #297 from CarterPerez-dev/dependabot/go_modules/PROJECTS/beginner/canary-token-generator/backend/golang.org/x/net-0.55.0
chore(deps): bump golang.org/x/net from 0.53.0 to 0.55.0 in /PROJECTS/beginner/canary-token-generator/backend
2026-07-04 10:27:34 -04:00
Carter Perez 78fb4f5e39
Merge branch 'main' into dependabot/go_modules/PROJECTS/beginner/canary-token-generator/backend/golang.org/x/net-0.55.0 2026-07-04 10:27:25 -04:00
Carter Perez 16a4c69c8e
Merge pull request #298 from CarterPerez-dev/dependabot/go_modules/PROJECTS/beginner/canary-token-generator/backend/golang.org/x/image-0.41.0
chore(deps): bump golang.org/x/image from 0.39.0 to 0.41.0 in /PROJECTS/beginner/canary-token-generator/backend
2026-07-04 10:26:42 -04:00
CarterPerez-dev 866a809a66 feat(zingela): M10 connect-scan fallback + cloud/VM raw-send detection + full raw IPv6 SYN
connect-scan: raw non-blocking connect() + poll(POLLOUT) + SO_ERROR via std.os.linux (std.Io.net connect-with-timeout is unimplemented in 0.16); own sized std.Io.Threaded with N io.async workers off a mutex+token-bucket dispenser; --backend connect / --connect, --concurrency, --connect-timeout.

cloud/VM detection: two-socket AF_PACKET self-probe (send on one, observe the tagged frame on a second - single-socket cannot see its own send); --backend auto checks CAP_NET_RAW + egress and auto-falls-back to connect with a notice; forced raw backend disables fallback and hard-fails; zero-response raw scan hints --connect.

raw IPv6 SYN: packet.Addr union result + RFC5952 v6 render; Ipv6Hdr + pseudoChecksum6/tcpChecksum6; 128-bit SipHash cookie (generate6/seq6); parseIpv6, resolveSrcIp6 (/proc/net/if_inet6), defaultGateway6 (/proc/net/ipv6_route); Engine6 (bounded prefix, RFC6890 reserved floor, ::/0 reject, host cap); SynTemplate6; classifyTcp6 + ICMPv6 type1; ndp.zig NDP neighbor resolution; runV6Scan dispatch; connect-path v6 rides the connect engine. v6 scope = TCP SYN.

240 tests Debug+ReleaseSafe (-Dxdp on/off); KAT + two-namespace netns e2e proven on the wire; two read-only audits, 0 Critical/High/Medium, all findings fixed in-phase.
2026-07-04 07:46:17 -04:00
CarterPerez-dev 2f94c4b5ec feat(zingela): M9 service/banner detection - two-phase userspace grab behind --banners, SMACK + pure-Zig regex classify, TLS-detect, no JA4 2026-07-04 05:12:53 -04:00
dependabot[bot] 03b37181e8
chore(deps): bump golang.org/x/image
Bumps [golang.org/x/image](https://github.com/golang/image) from 0.39.0 to 0.41.0.
- [Commits](https://github.com/golang/image/compare/v0.39.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/image
  dependency-version: 0.41.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-04 05:51:02 +00:00
dependabot[bot] 8af023afab
chore(deps): bump golang.org/x/net
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.53.0 to 0.55.0.
- [Commits](https://github.com/golang/net/compare/v0.53.0...v0.55.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-03 17:55:50 +00:00
dependabot[bot] f6e0ade9cd
chore(deps): bump golang.org/x/net
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.53.0 to 0.55.0.
- [Commits](https://github.com/golang/net/compare/v0.53.0...v0.55.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-03 17:47:33 +00:00
dependabot[bot] b326ad00e5
chore(deps): bump golang.org/x/net
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.52.0 to 0.55.0.
- [Commits](https://github.com/golang/net/compare/v0.52.0...v0.55.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-03 16:26:38 +00:00
CarterPerez-dev 6e3bfccba7 feat(zingela): M8 stealth/evasion suite behind --authorized-scan
OS-realistic SYN templates (Linux/Windows/macOS/masscan JA4T option chains
plus varying IP-id), Poisson jitter, source-port rotation (RX recomputes off
the reply, zero classify changes), scoped RST-suppression (iptables plus
ambient CAP_NET_ADMIN, self-healing delete-before-insert), decoys (bogon-free
RND, real probe always sent), and FIN/NULL/Xmas/Maimon/ACK/Window flag scans
with per-mode cookie matching plus State.unfiltered.

Dead theater (idle scan, fragmentation, TTL, MAC/source-route spoof, badsum)
omitted and documented as obsolete with citations.

Cursor-based TX emission with token refund plus cold-start pacing; non-stealth
path byte-identical to M7.
2026-07-03 05:54:17 -04:00
CarterPerez-dev bb46250087 feat(zingela): M7 AF_XDP TX backend behind -Dxdp - pure-syscall UMEM + 4 rings, zero-copy/SKB/AF_PACKET selection ladder, asymmetric AF_XDP-TX + AF_PACKET-RX 2026-07-02 11:54:07 -04:00
CarterPerez-dev 29849fd258 feat(zingela): M6 UDP scan - source-port cookie, compile-time payload table, ICMP type3/code3 classification 2026-07-02 06:39:31 -04:00
CarterPerez-dev 16429c20c2 feat(zingela): M5 two-engine concurrency + truecolor dashboard + NDJSON
Turn the scan from sequential TX-then-RX into two io.concurrent engines on
std.Io.Threaded, fixing the M4 bug where replies arriving during transmit were
dropped and the RX deadline (anchored at socket-open) expired before draining.
The main thread is the non-blocking Io.Queue consumer and dashboard renderer.

- rx: Receiver keyed off a shared tx_done atomic; new pure planDrain anchors the
  drain window at TX-completion, not socket-open, killing the quiet-gap early exit
  during a slow TX. Hard-cap safety backstop anchored at drain start.
- output (new): cache-line-padded atomic Stats, truecolor/256/none palette
  (violet gradient, neon-green, muted-gray), in-place multi-line live dashboard,
  Unicode results table, NDJSON to stdout with visuals on stderr, full
  NO_COLOR/CLICOLOR_FORCE/COLORTERM/--color chain plus a narrow-terminal fallback.
- tx: wall-clock deadline so a stalled TX ring can no longer hang the scan.
- cli: banner recolored to the violet gradient and routed through the color chain.
- targets: add 192.88.99.0/24 (6to4 relay anycast) to the RFC 6890 exclude floor.

78/78 unit tests pass under Debug and ReleaseSafe; proven end-to-end (open/closed,
dedup, dashboard, NDJSON) in an unshare -r -n netns under ReleaseSafe.
2026-07-01 22:38:37 -04:00
Carter Perez 51830a5ae8
Merge pull request #293 from CarterPerez-dev/chore/certgames-resource-links
docs: broaden CertGames positioning across roadmaps and resources
2026-06-30 10:26:25 -04:00
CarterPerez-dev d2f6f7bae4 docs: broaden CertGames positioning across roadmaps and resources 2026-06-30 10:22:31 -04:00
Carter Perez d6b02e1ef6
Update FUNDING.yml 2026-06-30 09:39:03 -04:00
CarterPerez-dev d05a7e6172 feat(zingela): M4 RX engine - classify + dedup + Io.Queue handoff
classify.zig pure frame parser: SYN-ACK -> open, RST/ACK -> closed,
ICMP type-3 {1,2,3,9,10,13} -> filtered, every verdict gated on a
wrapping SipHash cookie re-check (ack == seq+1 for replies, inner seq
== cookie for ICMP) so spoofed/stale frames are dropped state-free;
byte-offset readInt parsing, fully length-guarded. dedup.zig power-of-2
open-addressed (ip,port) set, single-owned allocator, grows at load
factor with a bounded probe (never wedges). rx.zig receive engine
generic over an injected Source + Sink (proven over hand-built frames),
Io.Queue found-host handoff across producer/consumer fibers, and a
privileged AF_PACKET Receiver (poll-bounded drain with a hard deadline,
ignore-outgoing, EINTR-retry, errno-gated, fail-closed on missing
CAP_NET_RAW). scan subcommand shares one per-run cookie across the TX
template + RX validation; consumer uses a dedicated allocator to keep
the producer/consumer fibers race-free. netutil.zig factors the shared
arg-parse/iface-resolve helpers out of txcmd. Proven end-to-end with a
live SYN scan inside a unshare -r -n netns over a veth pair
(open/closed against a real listener, dedup verified). Green Debug +
ReleaseSafe, leak-free, 61 unit tests.
2026-06-30 09:37:59 -04:00
Carter Perez a3ecda91a9
Update FUNDING.yml 2026-06-30 09:36:55 -04:00
Carter Perez 0a5ba94a29
Update README.md 2026-06-30 03:19:46 -04:00
CarterPerez-dev 8783227711 feat(zingela): M3 AF_PACKET TX_RING backend + token-bucket rate limiter
PACKET_TX_RING (PACKET_MMAP, TPACKET_V2) over AF_PACKET with
PACKET_QDISC_BYPASS: socket + version + TX_RING setsockopt + mmap'd ring,
errno-gated, fail-closed on missing CAP_NET_RAW. ratelimit.zig integer
token bucket (banked-nanoseconds, no float, saturating, exact KATs).
template.zig SYN frame template: stamp dst IP/port + SipHash seq, recompute
IP + TCP checksums (reuses the M1 RFC 1071 + cookie code, both self-verify).
afpacket.zig pure Ring slot bookkeeping (inline tpacket2_hdr, comptime size
assert, reserve/fill/atomic-status, self-defending bounds, kernel-drain
reuse) split from the privileged Backend so the hot-path accounting is
unit-tested over an in-process buffer. tx.zig transmit engine generic over
an injected Sink + Clock: the M2 cyclic-group bijection is proven to survive
stamp -> ratelimit -> submit end-to-end via a fake sink + fake clock.
Privileged tx subcommand for on-hardware benchmarking (setcap + tcpdump/perf).
Green Debug + ReleaseSafe, leak-free, 45/45 tests.
2026-06-29 17:22:20 -04:00
CarterPerez-dev c9d0cf5e36 feat(zingela): M2 address engine - cyclic-group permutation + exclude floor
Stateless O(1) zmap-style multiplicative cyclic group: runtime smallest-
prime-above-N (deterministic Miller-Rabin), fresh CSPRNG primitive root
validated against the factors of p-1, two-ops-per-target iteration with
near-zero re-roll.

numtheory.zig: modExp/mulMod (u128 intermediate), isPrime, smallestPrimeAbove,
distinctPrimeFactors, primitive-root finder, all with known-answer tests.
targets.zig: CIDR parse, RFC 6890 reserved exclude floor by range subtraction
(reserved space never enters the index space), cumulative-prefix IpPicker,
mixed-radix IP:port decode, contiguous pizza-slice sharding with a fail-closed
shard-count guard. Full bijection property tests (single shard + 4-shard union,
no gaps/overlap/reserved), green Debug + ReleaseSafe, leak-free.
2026-06-29 05:45:09 -04:00
CarterPerez-dev e6e6703aba feat(zingela): M1 packet-layer correctness KATs + SipHash SYN-cookie
SIMD @Vector internet checksum proven byte-equivalent to scalar across
every length 0..256 plus the 0xb861 IPv4 KAT. RFC 1624 incremental
update proven against the RFC section 4 worked example
(0xDD2F/0x5555/0x3285 -> 0x0000) plus 4096 random full-recompute trials.
Reusable TCP pseudo-header checksum helper; smoke.zig now reuses it.

New cookie.zig: stateless SipHash64(2,4) SYN-cookie over the 4-tuple,
full-128-bit randomSecure key, u64 generate with write-site u32
truncation, ack == cookie +% 1 wrapping validation. Reproduces the
published SipHash reference vector plus a pinned golden cookie KAT.

All green Debug + ReleaseSafe (14/14). Version bumped to 0.0.0-m1.
2026-06-26 18:12:20 -04:00
CarterPerez-dev 79e155ae94 feat(zingela): M0 scaffold + AF_PACKET ground-truth smoke
Zig 0.16 module graph (build.zig DAG with per-module addTest, run/smoke
steps), Juicy Main entry, truecolor tty-gated banner, --version/--help.
Wire-exact extern eth/ip/tcp headers with comptime @sizeOf asserts and
an RFC 1071 checksum proven by the canonical 0xb861 IPv4 KAT. AF_PACKET
raw socket that hand-builds and sends one SYN, checking errno not fd<0.
4/4 tests green under Debug and ReleaseSafe.
2026-06-26 15:16:50 -04:00
Carter Perez 90366fbe7c
Merge pull request #290 from CarterPerez-dev/dependabot/pip/PROJECTS/intermediate/api-security-scanner/backend/pydantic-settings-2.14.2
chore(deps): bump pydantic-settings from 2.12.0 to 2.14.2 in /PROJECTS/intermediate/api-security-scanner/backend
2026-06-21 08:56:32 -04:00
dependabot[bot] 54b820c5fe
chore(deps): bump pydantic-settings
Bumps [pydantic-settings](https://github.com/pydantic/pydantic-settings) from 2.12.0 to 2.14.2.
- [Release notes](https://github.com/pydantic/pydantic-settings/releases)
- [Commits](https://github.com/pydantic/pydantic-settings/compare/v2.12.0...v2.14.2)

---
updated-dependencies:
- dependency-name: pydantic-settings
  dependency-version: 2.14.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-20 01:35:21 +00:00
Carter Perez 558acc1001
Merge pull request #289 from CarterPerez-dev/project/kernel-rootkit-detection
Project/kernel rootkit detection
2026-06-19 00:11:05 -04:00
CarterPerez-dev 2466a80ce2 feat(cre): one-shot curl|bash installer for credential-rotation-enforcer
- fresh-machine to 'cre' on PATH, runnable from a clone or piped from the web
2026-06-18 23:24:30 -04:00
CarterPerez-dev ab22c3b1b8 feat(tlsfp): add social-share OG image and one-command tunnel redeploy
- add 1200x630 og-image.jpg plus Open Graph and Twitter Card meta tags so
  the live demo renders a rich preview when shared (LinkedIn, etc.)
- omit og:url to avoid crawler cache canonicalizing share URLs back to a
  stale entry
- justfile: add redeploy recipe (tunnel down, cached build, up -d with the
  backend profile and remove-orphans); strip the exported dev .env overrides
  so it deploys under the prod project name and ports
- install.sh: clearer live-capture hint (setcap, then run without sudo)
2026-06-18 23:24:30 -04:00
Carter Perez 5ba13d42fd
Merge pull request #288 from CarterPerez-dev/chore/update-copy
the helictopter has been circling for 40 minutes. thats not a normal …
2026-06-18 21:28:17 -04:00
Carter Perez ca350a3df2
Merge pull request #287 from CarterPerez-dev/dependabot/npm_and_yarn/PROJECTS/intermediate/ja3-ja4-tls-fingerprinting/frontend/axios-1.16.0
chore(deps): bump axios from 1.13.2 to 1.16.0 in /PROJECTS/intermediate/ja3-ja4-tls-fingerprinting/frontend
2026-06-18 21:27:53 -04:00