What's New
All improvements to analysis accuracy, transparency, and intelligence depth
Hybrid Topology Layout Engine
Replaced the Fruchterman-Reingold force-directed layout with a hybrid constrained layered-stress topology solver. The solver pipeline uses longest-path rank assignment with barycenter crossing reduction, zone-aware constraint compilation, constrained stress refinement with anchor terms, and a deterministic seeded PRNG (mulberry32). Pre-computed layouts for desktop, tablet, and mobile viewports are embedded at server startup. Falls back to the original FR engine if solver output is missing or malformed. Zero node overlaps and zero flow x-monotonicity violations on desktop.
Wayback Machine Automatic Archival
Every successful, non-private, non-scan-flagged analysis is now automatically submitted to the Internet Archive via web.archive.org/save/ in a background goroutine. The returned snapshot URL is stored in domain_analyses.wayback_url and displayed as a green "Archived" badge in the results header, plus an "Internet Archive — Permanent Record" card on Engineer's and Executive's reports with View Archived Snapshot and Copy URL buttons. Privacy guards ensure private analyses and scanner-flagged analyses are never archived. Completes a three-layer evidence chain: SHA-3-512 integrity hash + posture hash for drift detection + third-party Wayback Machine archive for independent verification.
Font Awesome CSS Direct Loading Fix
Fixed Font Awesome CSS loading to use direct <link rel="stylesheet"> instead of the media="print" progressive loading trick, which caused icon flicker on initial page load across all templates.
ROE Modal iOS Compatibility Fix
Fixed the Rules of Engagement modal on iOS devices by adding touchend event listeners alongside click, setting aria-hidden="true" for accessibility, implementing a roeHandled debounce flag to prevent double-fire, and using the modal-fullscreen-sm-down and modal-dialog-scrollable classes for proper mobile display.
Privacy Banner — Straight Talk About Your Data
Added a fixed-position privacy banner that appears once on first visit regardless of entry page. Lists the exact two cookies used (_csrf for security, _dns_session only if you sign in), explains IP logging for rate limiting and security, and geo checks for DNS analysis accuracy. States plainly: no tracking cookies, no analytics cookies, no ad networks, no data brokers. Links to the open-core codebase for verification and to the Privacy Pledge for full details. Describes the account deletion process. The banner is permanently dismissed via localStorage on acknowledgment, compatible with fetch-based navigation, and accessible (role=region, aria-label). Covert mode compatible with red spectrum overrides.
DMARC Quarantine Monitoring Posture Note
Added a contextual note to the DMARC RFC & Security Context panel when p=quarantine is detected. Notes that quarantine sequesters authentication failures while preserving full DMARC forensic telemetry (RFC 7489 §7), and that some organizations maintain quarantine rather than reject as a deliberate monitoring strategy. Cites NIST SP 800-177 Rev. 1 for enforcement tradeoffs. Appears universally for all domains with p=quarantine — no special treatment based on domain owner. Applied to both Engineer's Report and Covert Recon Report templates.
Covert Recon Mode — Mobile ASCII Art, Exit Sign, Toggle Fix
Three fixes to Covert Recon Mode: ASCII art hero now displays on mobile Safari (was gated behind 768px media query, now global with 0.32rem mobile scaling). Exit button restyled as scotopic-correct emergency exit sign — solid #cc3030 with red glow, uppercase, fa-sign-out-alt icon, hover brightens to #ff4040. Toggle button on results page now navigates to standard view instead of just removing CSS class (prevented users getting stuck on covert template with standard styling). Hardened toggle logic to redirect whenever analysis ID is present regardless of report mode value. Added x-public-suffix meta tag to results_covert.html for correct exit routing.
IC Framing Defense — Addressing the Criticism
Expanded the Addressing the Criticism section on /approach with a dedicated IC framing defense. ICD 203 applies because the problem it was written for matches ours (high-stakes decisions on incomplete data). ICAE/ICuAE naming enforces subsystem separation between correctness and currency with IC-precise terminology. Scotopic vision science citations added. Marketing voice directive applied: removed comparative language.
Schema.org Intelligence Pipeline Mapping
Rich JSON-LD structured data on indexed pages now maps the full intelligence pipeline to Google's knowledge graph. Index page WebApplication schema includes featureList (18 protocol analyzers with RFC citations), hasPart (ICIE/ICAE/ICuAE as named SoftwareApplication entities with @id identifiers), isBasedOn (10 RFC/draft references as CreativeWork), and additionalProperty (intelligence sources, protocol coverage, output formats, risk classification, CVE coverage). Approach page Article schema maps methodology components with isBasedOn RFC references. Live version injection via template variables.
Intelligence Pipeline Topology Visualization
System architecture visualization showing the full intelligence pipeline: source nodes, engine processing, confidence auditors, protocol analysis modules with RFC-based dependency edges, storage layers, and output formats. Animated data flow illustrates movement from sources through engine to outputs.
Safari Covert Mode Fix
Fixed operator environment buttons (Submarine, Tactical, Operator) not responding to clicks in Safari. Replaced CSS pseudo-element overlay with a real DOM element to resolve WebKit mix-blend-mode pointer-events bug.
Stats Page Success Rate Fix
Fixed success rate calculation that reported 100% by counting all stored analyses as successful. Now uses actual analysis_success field from domain_analyses for accurate success/failure counts.
Daily Analysis Stats Tracking
Wired up daily_stats recording for every completed analysis. Each scan now increments the analysis_stats table with success/failure status and duration, enabling accurate per-day trend reporting.
Admin IP Audit Trail
Added scan_ip and country origin columns to the admin dashboard recent analyses table, enabling traffic pattern investigation and external scan source identification.
HTTP Observatory A+ Score — Infrastructure Hardening
Achieved a perfect A+ score (140/100, 10/10 tests passed) on Mozilla HTTP Observatory. Secure cookie flag now enforced in production via Replit infrastructure. Combined with existing Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers for comprehensive HTTP security posture.
CSRF Form Field Fix — TTL Tuner & Watchlist
Corrected CSRF token field name from '_csrf' to 'csrf_token' in TTL Tuner analysis, re-scan, and Watchlist forms. The mismatch caused silent form submission failures — POST requests were rejected by the CSRF middleware and redirected to the homepage without any user-visible error. All form submissions on these pages now work correctly.
TTL Tuner UX Overhaul
Added loading overlay with spinner during TTL analysis to prevent double-submission and provide visual feedback. Results auto-scroll into view on completion. Profile card selection now shows a checkmark with opacity and scale transition for clear visual confirmation. GET requests to /ttl-tuner/analyze now redirect to the TTL Tuner page instead of returning a 404. Mobile-responsive table hides Current TTL and Impact columns on small screens to prevent horizontal scrolling.
DNS Provider Detection Expansion — 5 to 15 Providers
Expanded DNS provider detection from 5 providers (Cloudflare, AWS Route 53, GoDaddy, Namecheap, Hostinger) to 15 by adding Gandi, Porkbun, Hetzner, DigitalOcean, Linode (Akamai), OVH, Dyn, NS1 (IBM), DNS Made Easy, and Google Cloud DNS. Each provider includes nameserver pattern matching and minimum TTL constraints where applicable. NS records for all detected providers are now marked as 'Provider-Locked' with an explanation that NS TTL control requires DNS delegation migration.
Mobile Homepage Scroll Fix
Removed HTML autofocus attribute from the domain input field to prevent iOS Safari from scrolling the viewport to the input and opening the keyboard on page load. Desktop browsers now receive focus via JavaScript only when the viewport is 768px or wider and the device is non-touch.
Navbar Dropdown Refinement
Unified the navbar dropdown background color with the navbar itself using rgba(28, 35, 51, 0.97) with backdrop-filter blur. Removed the top border so the dropdown extends seamlessly from the navbar. History page 'New Analysis' button now uses the glass-style btn-analyze treatment consistent with the homepage.
SonarCloud Quality Gate Fixes
Fixed unchecked error returns across multiple source files. All ignored errors now have proper handling with logging and graceful degradation.
Architecture Page — TLP:GREEN Public Release
Complete redesign of the /architecture page: replaced 2.9MB Mermaid.js dependency with static HTML/CSS diagrams for zero-JavaScript rendering and Lighthouse-optimal performance. Page now carries FIRST TLP:GREEN classification with six curated public-safe sections — Intelligence Pipeline, Dual-Engine Confidence Framework (ICAE/ICuAE), Protocol Coverage (9 RFCs), Open-Core Architecture boundary, Intelligence Products, and Standards Foundation (ICD 203, NIST SI-18, ISO 25012, FIPS 202). Redacted content bars protect proprietary methodology. Full Mermaid source retained in docs/architecture/ for GitHub/Codeberg rendering.
Currency Level Hero Card Label
Added "Currency Level:" label to the homepage ICAE hero card, paralleling the existing "Confidence Level:" label. This surfaces ICuAE's data timeliness assessment alongside ICAE's correctness assessment, completing the dual-engine confidence display at the first point of user contact.
PWA Icon Edge Cleanup
Regenerated all Progressive Web App icons, favicons, and Apple touch icons with the owl artwork scaled to 88% of canvas size, creating a clean dark buffer zone around the Greek key border ring. Prevents anti-aliasing edge bleed when browsers crop icons to circles (Chrome tabs, PWA app icons, Safari favicons). Maskable icons use 72% scale to fit within the mandatory 80% safe zone.
Misplaced DMARC Record Detection
New post-analysis enrichment detects DMARC records incorrectly published at the root domain instead of the required _dmarc subdomain (RFC 7489 §6.1). DetectMisplacedDMARC scans root TXT records for v=DMARC1 patterns with case-insensitive matching, extracts the policy, and surfaces the misconfiguration in the report with specific remediation guidance. Four deterministic golden test cases validate detection accuracy.
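The detection described above, written as an added illustration rather than the project's own DetectMisplacedDMARC: it takes the TXT records already collected for the root and the _dmarc name, matches the version tag case-insensitively, extracts p=, and tailors the remediation to whether a correct record already exists. The function signature, struct and remediation wording are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MisplacedDMARC describes a DMARC record found at the zone apex
// (example.com) instead of at _dmarc.example.com, where RFC 7489 §6.1
// places it. Receivers only query the _dmarc name, so a root record is
// never honored and the domain has no effective policy.
type MisplacedDMARC struct {
	Record      string // the TXT record exactly as published at the root
	Policy      string // lower-cased value of the p= tag, "" if missing
	Remediation string
}

// policyTag matches the p= tag; DMARC tag names are case-insensitive.
// Requiring start-of-string or ';' before it keeps "sp=" from matching.
var policyTag = regexp.MustCompile(`(?i)(?:^|;)\s*p\s*=\s*([a-z]+)`)

// isDMARC reports whether a TXT record starts with the DMARC version tag.
func isDMARC(txt string) bool {
	return strings.HasPrefix(strings.ToLower(strings.TrimSpace(txt)), "v=dmarc1")
}

// DetectMisplacedDMARC inspects the TXT records at the root of domain
// (rootTXT) and at its _dmarc subdomain (dmarcTXT). It returns a finding
// for the first root record carrying v=DMARC1, or nil when none exists.
func DetectMisplacedDMARC(domain string, rootTXT, dmarcTXT []string) *MisplacedDMARC {
	for _, txt := range rootTXT {
		if !isDMARC(txt) {
			continue
		}
		f := &MisplacedDMARC{Record: txt}
		if m := policyTag.FindStringSubmatch(txt); m != nil {
			f.Policy = strings.ToLower(m[1])
		}
		// Tailor the guidance to whether a correct record already exists.
		hasCorrect := false
		for _, d := range dmarcTXT {
			if isDMARC(d) {
				hasCorrect = true
				break
			}
		}
		if hasCorrect {
			f.Remediation = fmt.Sprintf("A DMARC record already exists at _dmarc.%s; "+
				"delete the stray record at the root of %s to avoid confusion.", domain, domain)
		} else {
			f.Remediation = fmt.Sprintf("Move this record to _dmarc.%s as a TXT record; "+
				"until then %s has no effective DMARC policy.", domain, domain)
		}
		return f
	}
	return nil
}

func main() {
	// Constructed sample records, not live DNS data.
	root := []string{"v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"}
	if f := DetectMisplacedDMARC("example.com", root, nil); f != nil {
		fmt.Printf("misplaced DMARC (p=%s): %s\n", f.Policy, f.Remediation)
	}
}
```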
Covert Mode Recon Report UI
Fixed Recon Report buttons in Covert Mode to use proper red-themed styling consistent with the tactical red-light aesthetic. Buttons now use the covert accent palette instead of default blue, maintaining the adversarial perspective throughout the report view.
High-DPI PWA Icon Regeneration
Regenerated all Progressive Web App icons at proper high-DPI resolution with maskable variants for Android adaptive icons. Icons now render crisply on high-resolution displays and correctly fill the safe zone on devices that apply circular or shaped masks.
Origin Story Page
New /about page documenting the project's origin story, from early CLI development through defensive security work and the evolution to the current Go-based intelligence platform. Includes acknowledgments section crediting early collaborators and linked verifiable references.
ASCII Art Homepage Hero
Desktop homepage hero title rendered as a Unicode block-character ASCII art banner for visual impact. Responsive design with automatic mobile text fallback below 768px width. The art uses CSS monospace rendering with careful line-height tuning for consistent cross-browser display.
Authenticated Multi-Port SMTP Probe API
Remote probe infrastructure upgraded to API v2 with shared-secret authentication, rate limiting, and multi-port mail transport probing across ports 25 (SMTP), 465 (SMTPS), and 587 (submission). Banner capture provides additional server intelligence fingerprinting. Graceful fallback on authentication or rate limit responses.
Privacy-Preserving Analytics Middleware
Cookie-free, GDPR-friendly analytics pipeline collecting pageviews, unique visitors, analyses run, and unique domains analyzed. Daily-rotating random salt hashes visitor IPs into pseudonymous IDs — no cookies, no fingerprinting, no PII stored. Referrer origin and top page tracking with automatic self-referral filtering. In-memory aggregation flushed to database periodically. Static assets, health checks, and bot paths excluded.
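The daily-rotating salt scheme above, as an added example that is not the project's middleware: an HMAC keyed by a random per-day salt maps each visitor IP to a pseudonymous ID, and the previous salt is discarded on rotation so IDs cannot be linked across days. The type name, truncation length and the injected clock are assumptions made for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"sync"
	"time"
)

// Pseudonymizer turns visitor IPs into pseudonymous IDs with an HMAC keyed
// by a random salt that is regenerated every UTC day. The previous salt is
// dropped on rotation, so IDs from different days cannot be joined and the
// raw IP never needs to be written anywhere.
type Pseudonymizer struct {
	mu   sync.Mutex
	day  string // UTC date ("2006-01-02") the current salt belongs to
	salt []byte
	now  func() time.Time
}

// NewPseudonymizer accepts a clock so rotation can be exercised in tests;
// pass nil to use time.Now.
func NewPseudonymizer(now func() time.Time) *Pseudonymizer {
	if now == nil {
		now = time.Now
	}
	return &Pseudonymizer{now: now}
}

// currentSalt returns today's salt, generating a fresh one on day change.
func (p *Pseudonymizer) currentSalt() ([]byte, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	today := p.now().UTC().Format("2006-01-02")
	if today != p.day {
		fresh := make([]byte, 32)
		if _, err := rand.Read(fresh); err != nil {
			return nil, err
		}
		p.salt, p.day = fresh, today // the old salt is unreachable from here on
	}
	return p.salt, nil
}

// VisitorID returns the pseudonymous ID for ip, stable within one UTC day.
// The address is canonicalized to 16 bytes so "::ffff:203.0.113.7" and
// "203.0.113.7" yield the same ID. The HMAC output is truncated to 128 bits.
func (p *Pseudonymizer) VisitorID(ip string) (string, error) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return "", fmt.Errorf("invalid IP address %q", ip)
	}
	salt, err := p.currentSalt()
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, salt)
	mac.Write(addr.To16())
	return hex.EncodeToString(mac.Sum(nil)[:16]), nil
}

func main() {
	p := NewPseudonymizer(nil)
	// Constructed sample visitor addresses from the RFC 5737 documentation range.
	for _, ip := range []string{"203.0.113.7", "::ffff:203.0.113.7", "203.0.113.8"} {
		id, err := p.VisitorID(ip)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-20s -> %s\n", ip, id)
	}
}
```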
Admin Analytics Dashboard
Administrative monitoring dashboard with 30-day daily analytics view showing pageviews, unique visitors, analyses run, and unique domains. Summary cards with totals, averages, top referrers, and most-visited pages. Built on the privacy-preserving analytics middleware — no third-party tracking scripts.
Admin Dashboard & JSON Export
Administrative monitoring dashboard with stats cards for total users, analyses, unique domains, and session metrics. Users table with role badges, recent analyses table with domain links and status. JSON export streams NDJSON with paginated batches and proper Content-Disposition header.
Admin Bootstrap Fix
Fixed admin bootstrap for existing users. When initial admin email matches an already-registered user and zero admins exist, the system now correctly upgrades their role. Previously, the existing role was preserved, silently skipping the bootstrap. Audit-logged with reason and email.
UNLIKELY Badge Color Unification
Unified the UNLIKELY verdict color to green/success across both email spoofing and brand impersonation assessments. Email spoofing with DMARC quarantine at 100% now shows success (green) instead of warning (amber). Brand impersonation with quarantine + BIMI + CAA also uses success (green). Consistent visual language: UNLIKELY = green across all verdict types.
Remote SMTP Probe Infrastructure
Deployed external probe infrastructure for live SMTP transport verification. Cloud platforms block outbound port 25 — the probe infrastructure provides direct STARTTLS handshakes, certificate chain validation, and cipher suite inspection. Falls back gracefully when probe is unavailable.
Interactive System Architecture Diagrams
New /architecture page with interactive Mermaid diagrams visualizing the full system: high-level overview of the intelligence pipeline, ICIE pipeline, ICAE confidence engine, and Privacy Gate decision tree. Color-coded nodes with CSP-compliant rendering. Dark background with thin blue connector lines.
DNS Library v2 Migration (miekg/dns)
Migrated from miekg/dns v1 to v2. The v1 library is archived; v2 is actively maintained with improved performance and modern API. Updated with new Exchange, RR data access, and EDNS0 patterns.
CT Log Resilience (Certspotter Fallback)
Added Certspotter API as a fallback Certificate Transparency source when crt.sh is unavailable (502/timeout). Expanded DNS subdomain probe list from ~130 to ~280 common subdomains. Probe concurrency increased from 20 to 30 workers with a 25-second timeout.
History Table Cleanup
Removed the redundant status column from the analysis history table. Failed analyses are already excluded from history (they appear in statistics only). The green checkmark column was wasting horizontal space without adding information.
Brand Security Verdict Matrix Overhaul
Corrected the brand impersonation verdict logic. DMARC reject alone blocks email spoofing (RFC 7489 §6.3) but not visual impersonation via lookalike domains or unrestricted certificate issuance. New 8-branch verdict matrix considers DMARC policy + BIMI brand verification + CAA certificate restriction (RFC 8659 §4). Expanded from 5 to 8 golden rule test cases.
DKIM Selector Expansion (81+ Selectors)
Expanded default DKIM selector list from 39 to 81+ selectors covering major ESPs: HubSpot, Salesforce, Klaviyo, Intercom, ActiveCampaign, Constant Contact, MailerLite, Drip, Customer.io, Freshdesk, and more. Enhanced provider-to-selector inference from SPF/MX records. Privacy mode classification updated for expanded known-selector list.
Google OAuth 2.0 + PKCE Authentication
Pure stdlib Google OAuth 2.0 implementation with PKCE (Proof Key for Code Exchange) — no external OAuth libraries. Advanced Protection compatible. Email verification enforced, ID token claims validated, rate-limited auth endpoints, no tokens stored server-side. Route protection for sensitive endpoints. All analysis remains no-login-required.
Security Redaction & Mission Statement
Comprehensive security audit: removed server version exposure from HTTP headers, redacted internal paths from error responses, hardened SSRF prevention. Added mission statement to the Security Policy page defining scope, principles, and responsible disclosure process.
Boundary Integrity Test Suite
Comprehensive test suite protecting the architecture boundary: boundary files verified across multiple categories including file presence, build tags, function signatures, and package consistency. Catches contract violations and architecture drift before they reach production.
BUSL-1.1 License Migration
Migrated from AGPL-3.0 to Business Source License 1.1 (SPDX: BUSL-1.1) with a 3-year rolling Change Date converting to Apache-2.0. Explicit MSP/consultant carve-out permits security professionals to use the tool for client audits. All 111 Go source files updated. Both public and private repositories under BUSL-1.1.
CSP Compliance & XSS Hardening
Eliminated all inline style attributes from report templates to resolve Content Security Policy violations flagged by Lighthouse/PageSpeed Insights. All styles moved to CSS utility classes. DNS history table rendering refactored to safe DOM methods, eliminating XSS anti-pattern. Fixed protocol navigation links: MTA-STS and TLS-RPT now correctly scroll to Email Security section, CAA scrolls to Brand Security section.
Expanded Exposure Checks (Opt-In)
New opt-in OSINT exposure scanner checks well-known misconfiguration paths on target domains. Content validation reduces false positives — each path is checked for characteristic content, not just HTTP 200 status. Sequential requests with proper rate limiting and User-Agent identification. Results include severity badges, risk descriptions, and specific remediation guidance. Explicit PCI DSS disclaimer: these are OSINT collection, not ASV compliance scans.
Report Integrity Hash & Header Preview
Every analysis now generates a SHA-256 integrity fingerprint binding domain, analysis ID, timestamp, tool version, and canonicalized results data into a tamper-evident hash. Displayed at the bottom of both Engineer's DNS Intelligence Report and Executive's DNS Intelligence Brief with copy-to-clipboard. Short hash preview (first 8 characters) shown in the report header metadata bar with anchor link to the full hash section. Distinct from posture hash (drift detection) — the integrity hash uniquely identifies each specific report instance.
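An added example, not the project's code, of the two hashes this entry distinguishes: the integrity hash binds domain, analysis ID, timestamp, tool version and canonicalized results, while a posture hash covers only domain and results so that an unchanged configuration hashes identically across runs. Canonicalization here relies on encoding/json sorting map keys; the Report fields, the posture-hash field selection and the 8-character preview helper are assumptions for this illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Report holds the fields the integrity hash binds together. Results is
// decoded as generic JSON so nested objects become map[string]interface{},
// which encoding/json serializes with sorted keys.
type Report struct {
	Domain      string                 `json:"domain"`
	AnalysisID  string                 `json:"analysis_id"`
	Timestamp   string                 `json:"timestamp"` // RFC 3339, UTC
	ToolVersion string                 `json:"tool_version"`
	Results     map[string]interface{} `json:"results"`
}

// ResultsFromJSON decodes raw analysis output into the generic form.
func ResultsFromJSON(raw string) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// hashCanonical serializes v with encoding/json (compact, sorted map keys)
// and returns the hex SHA-256 of those bytes.
func hashCanonical(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// IntegrityHash identifies one specific report instance: it covers the
// domain, analysis ID, timestamp, tool version and results together.
func IntegrityHash(r Report) (string, error) {
	return hashCanonical(r)
}

// PostureHash covers only domain and results, so two reports of the same
// unchanged configuration share it and a differing value signals drift.
// (Assumed field selection for illustration, not the project's definition.)
func PostureHash(r Report) (string, error) {
	return hashCanonical(struct {
		Domain  string                 `json:"domain"`
		Results map[string]interface{} `json:"results"`
	}{r.Domain, r.Results})
}

// Preview is the short form shown in the header metadata bar.
func Preview(hash string) string {
	if len(hash) < 8 {
		return hash
	}
	return hash[:8]
}

// Verify recomputes the integrity hash and compares it in constant time.
func Verify(r Report, claimed string) (bool, error) {
	h, err := IntegrityHash(r)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(h), []byte(claimed)) == 1, nil
}

func main() {
	// Constructed sample results; key order differs but the content is equal.
	a, _ := ResultsFromJSON(`{"dmarc":{"policy":"reject"},"spf":"-all"}`)
	b, _ := ResultsFromJSON(`{"spf":"-all","dmarc":{"policy":"reject"}}`)
	r1 := Report{Domain: "example.com", AnalysisID: "an-0001", Timestamp: "2024-01-01T00:00:00Z", ToolVersion: "v0.0-example", Results: a}
	r2 := Report{Domain: "example.com", AnalysisID: "an-0002", Timestamp: "2024-01-02T00:00:00Z", ToolVersion: "v0.0-example", Results: b}
	i1, _ := IntegrityHash(r1)
	p1, _ := PostureHash(r1)
	p2, _ := PostureHash(r2)
	fmt.Println("integrity preview:", Preview(i1), " posture unchanged:", p1 == p2)
}
```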
Intelligence Document Naming Convention
Adopted IC (Intelligence Community) document naming: Engineer's DNS Intelligence Report (comprehensive, like a National Intelligence Estimate) and Executive's DNS Intelligence Brief (concise, like a Presidential Daily Brief). Possessive form signals personal ownership. 'DNS Intelligence' avoids MI5 brand conflict. Updated all title tags, print headers, screen headers, OG/Twitter meta, and JSON-LD schema. Homepage hero subtitle now explicitly references both intelligence products.
Sophistication Accent Tokens & Color Flow
Added steel-blue (#7d8ea8) and deep navy (#1e3a5f) brand accent tokens for premium intelligence aesthetic. Color flow continuity from homepage through results pages via gradients, borders, and card hover effects. Hero typography upgraded to 3.5rem/800 weight with tighter tracking. All non-status visual elements use brand accents while RFC/CVSS status colors remain untouched.
TLP:AMBER Default & Colored Selector
Report distribution now defaults to TLP:AMBER per CISA/FIRST standards for security posture reports. TLP selector button and dropdown badges show FIRST TLP v2.0 colors (amber, green, clear). Font cache-busting ensures all icons render correctly across browsers.
Dual Intelligence Products: Engineer's DNS Intelligence Report & Executive's DNS Intelligence Brief
Two intelligence products: Engineer's DNS Intelligence Report (comprehensive technical detail with all protocol analysis) and Executive's DNS Intelligence Brief (concise board-ready summary with security scorecard, risk posture, and priority actions). Both use the same live analysis data — different formats for different audiences. Includes posture drift detection foundation with canonical SHA-256 hashing for future longitudinal monitoring.
OpenPhish Threat Intelligence Attribution
Added OpenPhish Community Feed to the Intelligence Sources page with its own Threat Intelligence category. Added OpenPhish attribution to the Email Header Analyzer trust bar and body analysis results. Proper credit for the free community phishing URL feed that powers our phishing detection.
Email Header Analyzer Homepage Promotion
Added a promotional banner for the Email Header Analyzer on the homepage, matching the IP Investigate card style. Makes the feature more discoverable for users landing on the main page.
High-Speed Subdomain Discovery
Subdomain probing now uses lightweight UDP DNS queries instead of DNS-over-HTTPS, with independent timeouts and 20-goroutine concurrency. Discovery completes in ~1 second instead of timing out. All subdomains found reliably.
Intelligence Sources Inventory
New /sources page documents every intelligence source used by DNS Tool — DNS resolvers, reverse DNS, Team Cymru ASN attribution, SMTP probing, SecurityTrails, crt.sh, IANA RDAP — with methodology, rate limits, and verification commands. No black boxes.
PTR-Based Hosting Detection
Reverse DNS (PTR) lookups now identify hosting providers directly from IP addresses — the classic Unix-era technique. CloudFront, AWS, Google Cloud, Azure, and more detected without any third-party API.
IP-to-ASN Attribution
Team Cymru DNS-based IP-to-ASN mapping identifies which organization owns each IP address (AWS, Cloudflare, Google, etc.). Free community service with no API key and no rate limits.
Incident Disclosure: Inaccurate Analysis Output
A data-processing issue caused some reports to display incorrect analysis results. The root cause has been identified and fixed, and safeguards have been added so incomplete or failed data retrieval can never be silently presented as valid results. We believe in full transparency — you deserve to know when we get it wrong.
Honest Data Reporting
When third-party data sources are rate-limited or unavailable, reports now say exactly that — never claiming 'no changes detected' when the data simply couldn't be checked. Four clear states: success, rate-limited, error, and partial.
DNS History Cache
Successful DNS history lookups are now cached for 24 hours, completely isolated from live analysis. Reduces API calls while ensuring live DNS queries are never served stale data.
Verify It Yourself
Each report now includes terminal commands (dig, openssl, curl) to independently verify the underlying DNS queries. Our analysis adds consensus and RFC evaluation on top — but the raw data is always verifiable.
Confidence Indicators
Every attribution now shows whether data was directly observed (RDAP lookup, DNS record), inferred (pattern matching), or sourced from a third party — so you know exactly how each conclusion was reached.
SMTP Transport Verification
Live STARTTLS probing of mail servers with certificate validation, cipher suite analysis, and TLS version checking. DNS-inferred fallback when direct connection is unavailable.
AI Surface Scanner
Detects AI governance signals across domains — llms.txt discovery, AI crawler policies in robots.txt, and prompt injection artifacts. Helps organizations understand their AI exposure.
DNS History Timeline
SecurityTrails-powered historical DNS record tracking shows how a domain's DNS configuration has changed over time. Users provide their own API key — never stored server-side.
Enhanced Remediation Engine
RFC-cited remediation guidance now distinguishes SPF softfail vs hardfail context per RFC 7489, with nuanced recommendations based on whether DKIM is present.
Email Security Management Detection
Automatic identification of DMARC monitoring providers, SPF flattening services, and TLS-RPT reporting platforms from DNS records.
DANE/TLSA Deep Analysis
Full TLSA record parsing for every MX host with certificate usage, selector, matching type validation, and DNSSEC dependency checking per RFC 7672.
Go Performance Rewrite
Complete rewrite from Python/Flask to Go/Gin for dramatically improved performance and concurrency. Multi-resolver consensus DNS client with DoH fallback. The second attempt at Go — this time it stuck.
IP Investigation Workflow
New /investigate page for IP-to-domain reverse lookups with ASN attribution, hosting provider detection, and infrastructure mapping.
Email Header Analyzer
Paste or upload .eml files for SPF/DKIM/DMARC verification, delivery route tracing, spoofing detection, and phishing pattern scanning with critical thinking prompts.
Enterprise DNS Detection & Golden Rules
Automatic identification of enterprise-grade DNS providers with test-guarded detection. Legacy provider blocklist prevents false enterprise tagging. Protected by automated golden rules tests.
Origins
How DNS Tool evolved — from a Python CLI script to a full web intelligence platform
Python Web App: Registrar & Hosting Intelligence
Major development sprint added RDAP-based registrar detection, hosting provider identification, parallel DNS lookups, and authoritative nameserver queries. The Python/Flask web app grew from basic DNS lookups into a real analysis platform.
Web App Revival: DoH & Grid Layout
Returned to the web app after five months. Reset the database, switched to Google's DNS-over-HTTPS for reliability, and reorganized the results into a clean grid layout. The foundation for everything that followed.
First Web App: Python/Flask on Replit
DNS Tool became a web application. Built with Python and Flask on Replit — DNS-over-HTTPS queries, PostgreSQL database for scan history, statistics page, and the first version of the analysis results UI. The beginning of dnstool.it-help.tech.
CLI Tool: Build System & Quality
Added reproducible Makefile builds, SonarCloud code quality integration, and archived the working CLI version. The tool was maturing, but the vision was shifting toward a web platform.
New Name, New Repo: DNS Tool
DNS Scout was renamed to DNS Tool and given a fresh GitHub repository. Python CLI with terminal output, visual indicators, interactive and batch modes, pre-compiled binaries for Linux, macOS, and Windows. Documentation, FAQ, and changelog from day one.
DNS Scout: Snap & Launchpad Release
DNS Scout v6.20 published to Launchpad PPA and Snapcraft — the first packaged, installable release. A working DNS security analysis tool available as a .deb and a Snap. The earliest externally verifiable timestamp of the project.
DNS Scout Is Born
The project that became DNS Tool started life as DNS Scout — a command-line DNS and email security analysis tool. The seed of an idea: transparent, RFC-compliant domain intelligence with no black boxes.
