main.py

#!/usr/bin/env python3
"""
╔═══════════════════════════════════════════════════════════════════════════════╗
║                                                                               ║
║   ███████╗██╗  ██╗ █████╗ ██████╗  ██████╗ ██╗    ██╗                        ║
║   ██╔════╝██║  ██║██╔══██╗██╔══██╗██╔═══██╗██║    ██║                        ║
║   ███████╗███████║███████║██║  ██║██║   ██║██║ █╗ ██║                        ║
║   ╚════██║██╔══██║██╔══██║██║  ██║██║   ██║██║███╗██║                        ║
║   ███████║██║  ██║██║  ██║██████╔╝╚██████╔╝╚███╔███╔╝                        ║
║   ╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝  ╚═════╝  ╚══╝╚══╝                         ║
║                                                                               ║
║   ██╗  ██╗██╗   ██╗███╗   ██╗████████╗███████╗██████╗                        ║
║   ██║  ██║██║   ██║████╗  ██║╚══██╔══╝██╔════╝██╔══██╗                       ║
║   ███████║██║   ██║██╔██╗ ██║   ██║   █████╗  ██████╔╝                       ║
║   ██╔══██║██║   ██║██║╚██╗██║   ██║   ██╔══╝  ██╔══██╗                       ║
║   ██║  ██║╚██████╔╝██║ ╚████║   ██║   ███████╗██║  ██║                       ║
║   ╚═╝  ╚═╝ ╚═════╝ ╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚═╝  ╚═╝                       ║
║                                                                               ║
║   Dark Web Threat Intelligence Platform                                       ║
║   Version: 0.1.0                                                              ║
║                                                                               ║
╚═══════════════════════════════════════════════════════════════════════════════╝

ShadowHunter - Unified CLI Entry Point
Author: Fevra
Version: 0.1.0

Comprehensive dark web intelligence platform with:
- Credential monitoring (Telegram, Tor, Pastebin)
- Google dorking reconnaissance
- Web crawling and data extraction
- OSINT lookup (email, phone, username, domain)
- Neo4j threat intelligence graph
- Real-time alerting and reporting
"""

import asyncio
import os
import sys
import json
from pathlib import Path
from datetime import datetime
from typing import Optional, List

import click
from rich.console import Console
from rich.table import Table
from rich.panel import Panel
from rich.progress import Progress, SpinnerColumn, TextColumn
from rich.syntax import Syntax
from rich.markdown import Markdown

# Import ShadowHunter modules
from shadowhunter_logger import get_logger, LogLevel, configure_logging
from shadowhunter_dorking import DorkingEngine, DorkCategory, SimulatedSearchProvider
from shadowhunter_crawler import ShadowCrawler, OnionLinkMapper
from shadowhunter_osint import OSINTEngine
from shadowhunter_core import ShadowHunter as CoreMonitor
from shadowhunter_tor import DarkWebIntelligencePlatform
from shadowhunter_telegram import TelegramIntelligencePlatform

# Import new consolidated modules
from shadowhunter_alerts import (
    AlertManager,
    AlertConfig,
    Alert,
    AlertPriority,
    AlertChannel,
    create_alert_manager,
    create_credential_leak_alert,
)
from shadowhunter_scheduler import (
    SchedulerEngine,
    SchedulerDatabase,
    SiteMonitor,
    MonitoredSite,
    MonitorStatus,
    CheckInterval,
)
from shadowhunter_verify import (
    VanguardVerify,
    ContentType,
    AuthenticityLevel,
    ThreatIndicator,
)

# Import stealer log parser module
from shadowhunter.parsers import (
    StealerParserFactory,
    StealerLogPipeline,
    PipelineConfig,
    StealerFamily,
)

# Import IOC enrichment module
from shadowhunter.intelligence import (
    EnrichmentEngine,
    IOCExtractor,
    IOCType,
    ThreatLevel,
)

# Import session validator module
from shadowhunter.validators import (
    SessionValidatorEngine,
    ValidatorConfig,
    Platform,
    SessionStatus,
    RiskLevel,
)

# Import data leak monitor module
from shadowhunter.monitors import (
    DataLeakMonitor,
    MonitorConfig as LeakMonitorConfig,
    LeakSource,
    LeakSeverity,
    SecretType,
)

# Import attack surface scanner module
from shadowhunter.scanner import (
    AttackSurfaceScanner,
    ScanConfig,
    ScanResult,
    AssetType,
    RiskLevel as SurfaceRiskLevel,
)

# Import blockchain forensics module
from shadowhunter.blockchain import (
    BlockchainForensicsEngine,
    Chain,
    WalletProfile,
    WalletType,
    RiskLevel as BlockchainRiskLevel,
    detect_chain,
)

# Import ingestion pipeline (MVP: I2P, STIX, Neo4j; analytics)
from shadowhunter.ingestion import IngestionOrchestrator
from shadowhunter.database import GraphStore
from config import get_config

# Phase 3: Multi-Agent Hunter System
try:
    from shadowhunter.hunters import (
        PasteHunter,
        CryptoHunter,
        AttributionHunter,
        AgenticProfiler,
        DACOAnalyst,
        IdentityHunter,
        EntropyMonitor,
        PipelineDefender,
        SupplyChainHunter,
        AIThreatHunter,
        InsiderThreatHunter,
        SyntheticIDHunter,
        PhysicalSecHunter,
        ExploitMarketHunter,
        SocialMediaHunter,
        GitHubHunter,
        APTHunter,
        ThreatScoringEngine,
    )
    from shadowhunter.orchestration import (
        Orchestrator,
        EscapeHatchRegistry,
        EnhancedOrchestrator,
        EnhancedEscapeHatchRegistry,
    )
    from shadowhunter.nl_to_cypher.schema_context import load_schema
    from shadowhunter.nl_to_cypher.translator import LLMNLToCypherTranslator
    PHASE3_AVAILABLE = True
except ImportError as e:
    PHASE3_AVAILABLE = False
    PasteHunter = CryptoHunter = AttributionHunter = AgenticProfiler = None
    DACOAnalyst = IdentityHunter = EntropyMonitor = PipelineDefender = None
    SupplyChainHunter = AIThreatHunter = InsiderThreatHunter = None
    SyntheticIDHunter = PhysicalSecHunter = ExploitMarketHunter = None
    SocialMediaHunter = GitHubHunter = APTHunter = ThreatScoringEngine = None
    Orchestrator = EscapeHatchRegistry = None
    load_schema = LLMNLToCypherTranslator = None

# Initialize console and logger
console = Console()
logger = get_logger("CLI", log_level=LogLevel.INFO)

# Version from single source (shadowhunter._version)
try:
    from shadowhunter._version import __version__ as VERSION
except ImportError:
    VERSION = "0.1.0"
AUTHOR = "Fevra"


# ============================================================================
# BANNER & UTILITIES
# ============================================================================

def print_banner():
    """Print the ShadowHunter banner."""
    banner = """
[bold blue]███████╗██╗  ██╗ █████╗ ██████╗  ██████╗ ██╗    ██╗[/bold blue]
[bold blue]██╔════╝██║  ██║██╔══██╗██╔══██╗██╔═══██╗██║    ██║[/bold blue]
[bold cyan]███████╗███████║███████║██║  ██║██║   ██║██║ █╗ ██║[/bold cyan]
[bold cyan]╚════██║██╔══██║██╔══██║██║  ██║██║   ██║██║███╗██║[/bold cyan]
[bold magenta]███████║██║  ██║██║  ██║██████╔╝╚██████╔╝╚███╔███╔╝[/bold magenta]
[bold magenta]╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝  ╚═════╝  ╚══╝╚══╝ [/bold magenta]
                                                
[bold yellow]██╗  ██╗██╗   ██╗███╗   ██╗████████╗███████╗██████╗ [/bold yellow]
[bold yellow]██║  ██║██║   ██║████╗  ██║╚══██╔══╝██╔════╝██╔══██╗[/bold yellow]
[bold green]███████║██║   ██║██╔██╗ ██║   ██║   █████╗  ██████╔╝[/bold green]
[bold green]██╔══██║██║   ██║██║╚██╗██║   ██║   ██╔══╝  ██╔══██╗[/bold green]
[bold red]██║  ██║╚██████╔╝██║ ╚████║   ██║   ███████╗██║  ██║[/bold red]
[bold red]╚═╝  ╚═╝ ╚═════╝ ╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚═╝  ╚═╝[/bold red]
    """
    console.print(banner)
    console.print(
        Panel.fit(
            "[bold white]Dark Web Threat Intelligence Platform[/bold white]\n"
            f"[dim]Version {VERSION} | By {AUTHOR}[/dim]",
            border_style="blue"
        )
    )
    console.print()


def print_status(message: str, status: str = "info"):
    """Print status message with icon."""
    icons = {
        "info": "[blue]ℹ[/blue]",
        "success": "[green]✓[/green]",
        "warning": "[yellow]⚠[/yellow]",
        "error": "[red]✗[/red]",
        "running": "[cyan]⟳[/cyan]"
    }
    icon = icons.get(status, icons["info"])
    console.print(f" {icon} {message}")


# ============================================================================
# CLI GROUP
# ============================================================================

@click.group()
@click.version_option(VERSION, prog_name="ShadowHunter")
@click.option('--debug', is_flag=True, help='Enable debug logging')
@click.pass_context
def cli(ctx, debug):
    """
    ShadowHunter - Dark Web Threat Intelligence Platform
    
    A comprehensive toolkit for cybersecurity professionals to monitor
    dark web threats, analyze credentials, and gather OSINT intelligence.
    
    \b
    Modules:
      • scan       - Credential and threat monitoring
      • parse      - Parse stealer logs (RedLine, Vidar, Lumma)
      • enrich     - IOC extraction and threat intel enrichment
      • validate   - Session cookie validation (Google, Microsoft)
      • leaks      - Data leak detection (GitHub, paste sites)
      • surface    - Attack surface scanning and discovery
      • blockchain - Cryptocurrency forensics and tracing
      • dork       - Google dorking reconnaissance
      • crawl      - Web crawling and data extraction
      • osint      - Email, phone, username, domain lookup
      • verify     - AI content integrity verification
      • schedule   - Dark web site monitoring scheduler
      • alerts     - Multi-channel alerting (Telegram, Discord, Slack)
      • monitor    - Continuous threat monitoring
      • ingest     - Ingestion pipeline (I2P/Telegram -> STIX -> Neo4j)
      • hunters    - Multi-agent hunter system (synthesis report, Neo4j)
      • search     - Dark web search (LLM refine → Tor → scrape → summary; multi-model)
      • api        - Start the REST API server
    
    \b
    Examples:
      shadowhunter scan --domain example.com
      shadowhunter parse ./stealer_logs/ -c 20
      shadowhunter validate parsed.json --allowed yourcompany.com
      shadowhunter leaks -k "mycompany" -d mycompany.com
      shadowhunter enrich 1.2.3.4 --virustotal YOUR_KEY
      shadowhunter dork target.com --category credentials
      shadowhunter osint email test@example.com
    """
    ctx.ensure_object(dict)
    
    # Configure logging
    log_level = LogLevel.DEBUG if debug else LogLevel.INFO
    configure_logging(log_level=log_level)
    ctx.obj['debug'] = debug


# ============================================================================
# SCAN COMMAND
# ============================================================================

@cli.command()
@click.option('--domain', '-d', multiple=True, help='Domain(s) to monitor')
@click.option('--email', '-e', multiple=True, help='Email(s) to check')
@click.option('--output', '-o', type=click.Path(), help='Output file path')
@click.option('--format', '-f', type=click.Choice(['json', 'table']), default='table')
@click.pass_context
def scan(ctx, domain, email, output, format):
    """
    Scan for credential leaks and threats.
    
    \b
    Examples:
      shadowhunter scan --domain acmecorp.com
      shadowhunter scan --email admin@example.com
      shadowhunter scan -d example.com -d company.com -o results.json
    """
    print_banner()
    
    if not domain and not email:
        console.print("[yellow]Please provide at least one domain or email to scan.[/yellow]")
        console.print("\nExample: [cyan]shadowhunter scan --domain example.com[/cyan]")
        return
    
    console.print(Panel.fit(
        f"[bold]Credential Scan[/bold]\n"
        f"Domains: {', '.join(domain) if domain else 'None'}\n"
        f"Emails: {', '.join(email) if email else 'None'}",
        title="🔍 Scan Configuration",
        border_style="blue"
    ))
    
    # Run scan
    async def run_scan():
        monitor = CoreMonitor()
        
        # Add domains to watchlist
        for d in domain:
            monitor.domain_monitor.add_domain(d)
        
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console
        ) as progress:
            task = progress.add_task("[cyan]Running credential scan...", total=None)
            
            results = await monitor.run_scan()
            
            progress.update(task, completed=True)
        
        return results
    
    results = asyncio.run(run_scan())
    
    # Display results
    console.print()
    print_status(f"Scan completed", "success")
    
    # Create results table
    table = Table(title="Scan Results", show_header=True, header_style="bold cyan")
    table.add_column("Source", style="dim")
    table.add_column("Type", style="dim")
    table.add_column("Count")
    table.add_column("Status")
    
    for source, data in results.items():
        count = len(data) if isinstance(data, list) else 1
        status = "[green]✓[/green]" if count > 0 else "[dim]-[/dim]"
        table.add_row(source, "credentials", str(count), status)
    
    console.print(table)
    
    # Export if requested
    if output:
        with open(output, 'w') as f:
            json.dump(results, f, indent=2, default=str)
        print_status(f"Results exported to {output}", "success")


# ============================================================================
# DORK COMMAND
# ============================================================================

@cli.command()
@click.argument('domain')
@click.option('--category', '-c', 
              type=click.Choice([c.value for c in DorkCategory]),
              help='Specific category to scan')
@click.option('--severity', '-s',
              type=click.Choice(['CRITICAL', 'HIGH', 'MEDIUM', 'LOW']),
              multiple=True,
              help='Filter by severity')
@click.option('--output', '-o', type=click.Path(), help='Output file path')
@click.option('--format', '-f', 
              type=click.Choice(['json', 'markdown', 'csv']), 
              default='json')
@click.pass_context
def dork(ctx, domain, category, severity, output, format):
    """
    Google dorking reconnaissance.
    
    Discover exposed files, credentials, and sensitive data using
    advanced search queries.
    
    \b
    Categories:
      credentials, sensitive_files, database, subdomain,
      api_keys, documents, admin_panels, paste_sites,
      cloud_storage, source_code
    
    \b
    Examples:
      shadowhunter dork example.com
      shadowhunter dork target.com -c credentials -c database
      shadowhunter dork company.com -s CRITICAL -s HIGH -o report.json
    """
    print_banner()
    
    console.print(Panel.fit(
        f"[bold]Google Dorking Scan[/bold]\n"
        f"Target: {domain}\n"
        f"Category: {category or 'All'}\n"
        f"Severity Filter: {', '.join(severity) if severity else 'All'}",
        title="🔍 Dork Configuration",
        border_style="yellow"
    ))
    
    async def run_dork():
        engine = DorkingEngine(
            search_provider=SimulatedSearchProvider(),
            rate_limit_delay=0.2
        )
        
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console
        ) as progress:
            task = progress.add_task("[yellow]Running Google dorks...", total=None)
            
            categories = [DorkCategory(category)] if category else None
            severity_filter = list(severity) if severity else None
            
            report = await engine.scan_domain(
                domain,
                categories=categories,
                severity_filter=severity_filter
            )
            
            progress.update(task, completed=True)
        
        return report, engine
    
    report, engine = asyncio.run(run_dork())
    
    # Display results
    console.print()
    
    # Summary table
    table = Table(title="Dorking Results", show_header=True, header_style="bold yellow")
    table.add_column("Metric", style="dim")
    table.add_column("Value")
    
    table.add_row("Total Findings", str(report.total_results))
    table.add_row("[red]Critical[/red]", str(report.critical_count))
    table.add_row("[orange1]High[/orange1]", str(report.high_count))
    table.add_row("Categories Scanned", str(len(report.categories_scanned)))
    
    console.print(table)
    
    # Show findings
    if report.results:
        console.print("\n[bold]Top Findings:[/bold]")
        for result in report.results[:5]:
            severity_color = {
                "CRITICAL": "red",
                "HIGH": "orange1",
                "MEDIUM": "yellow",
                "LOW": "blue"
            }.get(result.dork.severity, "white")
            
            console.print(
                f"  [{severity_color}]●[/{severity_color}] "
                f"[{severity_color}]{result.dork.severity}[/{severity_color}] | "
                f"{result.dork.description}"
            )
            console.print(f"    [dim]{result.url}[/dim]")
    
    # Export
    if output:
        engine.export_report(report, Path(output), format)
        print_status(f"Report exported to {output}", "success")


# ============================================================================
# CRAWL COMMAND
# ============================================================================

@cli.command()
@click.argument('url')
@click.option('--depth', '-d', default=2, help='Maximum crawl depth')
@click.option('--max-pages', '-p', default=50, help='Maximum pages to crawl')
@click.option('--concurrent', '-c', default=5, help='Concurrent requests')
@click.option('--output', '-o', type=click.Path(), help='Output file path')
@click.option('--format', '-f', 
              type=click.Choice(['json', 'markdown']), 
              default='json')
@click.pass_context
def crawl(ctx, url, depth, max_pages, concurrent, output, format):
    """
    Web crawling and data extraction.
    
    Crawl websites to discover emails, API endpoints, secrets,
    and other sensitive information.
    
    \b
    Examples:
      shadowhunter crawl https://example.com
      shadowhunter crawl https://target.com -d 3 -p 100
      shadowhunter crawl https://company.com -o report.json
    """
    print_banner()
    
    console.print(Panel.fit(
        f"[bold]Web Crawler[/bold]\n"
        f"Target: {url}\n"
        f"Depth: {depth}\n"
        f"Max Pages: {max_pages}\n"
        f"Concurrent: {concurrent}",
        title="🕷️ Crawl Configuration",
        border_style="cyan"
    ))
    
    async def run_crawl():
        crawler = ShadowCrawler(
            max_depth=depth,
            max_pages=max_pages,
            max_concurrent=concurrent,
            delay=0.3
        )
        
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console
        ) as progress:
            task = progress.add_task("[cyan]Crawling website...", total=None)
            
            report = await crawler.crawl(url)
            
            progress.update(task, completed=True)
        
        return report, crawler
    
    report, crawler = asyncio.run(run_crawl())
    
    # Display results
    console.print()
    
    # Summary table
    table = Table(title="Crawl Results", show_header=True, header_style="bold cyan")
    table.add_column("Metric", style="dim")
    table.add_column("Value")
    
    table.add_row("Pages Crawled", str(report.pages_crawled))
    table.add_row("Pages Failed", str(report.pages_failed))
    table.add_row("Total URLs", str(len(report.all_urls)))
    table.add_row("Emails Found", str(len(report.emails)))
    table.add_row("API Endpoints", str(len(report.api_endpoints)))
    table.add_row("Secrets Found", str(len(report.secrets)))
    table.add_row("Subdomains", str(len(report.subdomains)))
    
    console.print(table)
    
    # Show findings
    if report.emails:
        console.print("\n[bold]Emails Found:[/bold]")
        for email in list(report.emails)[:5]:
            console.print(f"  [green]●[/green] {email}")
    
    if report.secrets:
        console.print("\n[bold red]⚠ Secrets Detected:[/bold red]")
        for secret in report.secrets[:5]:
            console.print(f"  [red]●[/red] {secret['type']}: {secret['value']}")
    
    # Export
    if output:
        crawler.export_report(report, Path(output), format)
        print_status(f"Report exported to {output}", "success")


# ============================================================================
# OSINT COMMAND GROUP
# ============================================================================

@cli.group()
@click.pass_context
def osint(ctx):
    """
    OSINT lookup capabilities.
    
    Investigate emails, phone numbers, usernames, and domains.
    
    \b
    Commands:
      email     - Email address investigation
      phone     - Phone number lookup
      username  - Username enumeration
      domain    - Domain reconnaissance
    """
    pass


@osint.command()
@click.argument('email')
@click.option('--output', '-o', type=click.Path(), help='Output file path')
@click.pass_context
def email(ctx, email, output):
    """
    Investigate email address.
    
    Check for breaches, validate domain, detect disposable emails.
    
    Example: shadowhunter osint email test@example.com
    """
    print_banner()
    
    console.print(Panel.fit(
        f"[bold]Email Investigation[/bold]\n"
        f"Target: {email}",
        title="📧 OSINT",
        border_style="green"
    ))
    
    async def run():
        engine = OSINTEngine()
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console
        ) as progress:
            task = progress.add_task("[green]Investigating email...", total=None)
            result = await engine.investigate_email(email)
            progress.update(task, completed=True)
        return result
    
    result = asyncio.run(run())
    
    # Display results
    console.print()
    
    table = Table(title="Email Intelligence", show_header=True, header_style="bold green")
    table.add_column("Property", style="dim")
    table.add_column("Value")
    
    table.add_row("Email", result.email)
    table.add_row("Valid Format", "✓" if result.valid_format else "✗")
    table.add_row("Disposable", "[red]Yes[/red]" if result.disposable else "[green]No[/green]")
    table.add_row("Domain Exists", "✓" if result.domain_exists else "✗")
    table.add_row("MX Records", str(len(result.mx_records)))
    table.add_row("Breaches Found", str(len(result.breaches)))
    table.add_row("Risk Level", f"[{'red' if result.risk_level.value in ['CRITICAL', 'HIGH'] else 'yellow'}]{result.risk_level.value}[/]")
    
    console.print(table)
    
    if result.risk_factors:
        console.print("\n[bold]Risk Factors:[/bold]")
        for factor in result.risk_factors:
            console.print(f"  [yellow]⚠[/yellow] {factor}")
    
    if output:
        with open(output, 'w') as f:
            json.dump(result.to_dict(), f, indent=2)
        print_status(f"Report exported to {output}", "success")


@osint.command()
@click.argument('number')
@click.option('--output', '-o', type=click.Path(), help='Output file path')
@click.pass_context
def phone(ctx, number, output):
    """
    Investigate phone number.
    
    Identify carrier, location, and line type.
    
    Example: shadowhunter osint phone +1-555-123-4567
    """
    print_banner()
    
    async def run():
        engine = OSINTEngine()
        return await engine.investigate_phone(number)
    
    result = asyncio.run(run())
    
    table = Table(title="Phone Intelligence", show_header=True, header_style="bold green")
    table.add_column("Property", style="dim")
    table.add_column("Value")
    
    table.add_row("Number", result.number)
    table.add_row("Valid", "✓" if result.valid else "✗")
    table.add_row("Country", result.country_name or "Unknown")
    table.add_row("Carrier", result.carrier or "Unknown")
    table.add_row("Line Type", result.line_type or "Unknown")
    
    console.print(table)


@osint.command()
@click.argument('username')
@click.option('--platform', '-p', multiple=True, help='Specific platforms to check')
@click.option('--output', '-o', type=click.Path(), help='Output file path')
@click.pass_context
def username(ctx, username, platform, output):
    """
    Enumerate username across platforms.
    
    Search for username on social media and other platforms.
    
    Example: shadowhunter osint username johndoe
    """
    print_banner()
    
    async def run():
        engine = OSINTEngine()
        platforms = list(platform) if platform else None
        return await engine.investigate_username(username, platforms)
    
    result = asyncio.run(run())
    
    console.print(f"\n[bold]Username Enumeration: {username}[/bold]\n")
    
    if result.found_platforms:
        table = Table(title="Profiles Found", show_header=True, header_style="bold green")
        table.add_column("Platform")
        table.add_column("URL")
        
        for profile in result.found_platforms:
            table.add_row(profile['platform'], profile['url'])
        
        console.print(table)
    else:
        console.print("[yellow]No profiles found on checked platforms.[/yellow]")


@osint.command()
@click.argument('domain')
@click.option('--output', '-o', type=click.Path(), help='Output file path')
@click.pass_context
def domain(ctx, domain, output):
    """
    Domain reconnaissance.
    
    WHOIS lookup, DNS enumeration, subdomain discovery.
    
    Example: shadowhunter osint domain example.com
    """
    print_banner()
    
    async def run():
        engine = OSINTEngine()
        return await engine.investigate_domain(domain)
    
    result = asyncio.run(run())
    
    table = Table(title="Domain Intelligence", show_header=True, header_style="bold green")
    table.add_column("Property", style="dim")
    table.add_column("Value")
    
    table.add_row("Domain", result.domain)
    table.add_row("Registered", "✓" if result.registered else "✗")
    table.add_row("Registrar", result.registrar or "Unknown")
    table.add_row("Created", result.creation_date or "Unknown")
    table.add_row("Expires", result.expiration_date or "Unknown")
    table.add_row("A Records", str(len(result.a_records)))
    table.add_row("MX Records", str(len(result.mx_records)))
    table.add_row("Subdomains", str(len(result.subdomains)))
    
    console.print(table)
    
    if result.subdomains:
        console.print("\n[bold]Subdomains Found:[/bold]")
        for sub in result.subdomains[:10]:
            console.print(f"  [cyan]●[/cyan] {sub}")


# ============================================================================
# MONITOR COMMAND
# ============================================================================

@cli.command()
@click.option('--domain', '-d', multiple=True, required=True, help='Domain(s) to monitor')
@click.option('--interval', '-i', default=300, help='Scan interval in seconds')
@click.option('--telegram', is_flag=True, help='Enable Telegram monitoring')
@click.option('--tor', is_flag=True, help='Enable Tor/dark web monitoring')
@click.pass_context
def monitor(ctx, domain, interval, telegram, tor):
    """
    Continuous threat monitoring.
    
    Run continuous monitoring for specified domains across
    multiple intelligence sources.
    
    \b
    Examples:
      shadowhunter monitor -d example.com -d company.com
      shadowhunter monitor -d target.com --telegram --tor
      shadowhunter monitor -d corp.com -i 600
    """
    print_banner()
    
    console.print(Panel.fit(
        f"[bold]Continuous Monitoring[/bold]\n"
        f"Domains: {', '.join(domain)}\n"
        f"Interval: {interval} seconds\n"
        f"Telegram: {'Enabled' if telegram else 'Disabled'}\n"
        f"Tor/Dark Web: {'Enabled' if tor else 'Disabled'}",
        title="🔄 Monitor Configuration",
        border_style="magenta"
    ))
    
    console.print("\n[yellow]Press Ctrl+C to stop monitoring[/yellow]\n")
    
    async def run_monitor():
        monitor_instance = CoreMonitor()
        
        # Add domains
        for d in domain:
            monitor_instance.domain_monitor.add_domain(d)
        
        scan_count = 0
        
        try:
            while True:
                scan_count += 1
                console.print(f"[cyan]Scan #{scan_count}[/cyan] - {datetime.now().strftime('%H:%M:%S')}")
                
                results = await monitor_instance.run_scan()
                
                # Check for alerts
                total_findings = sum(
                    len(v) if isinstance(v, list) else 0 
                    for v in results.values()
                )
                
                if total_findings > 0:
                    console.print(f"  [red]⚠ {total_findings} findings detected![/red]")
                else:
                    console.print(f"  [green]✓ No new threats[/green]")
                
                await asyncio.sleep(interval)
                
        except KeyboardInterrupt:
            console.print("\n[yellow]Monitoring stopped.[/yellow]")
    
    try:
        asyncio.run(run_monitor())
    except KeyboardInterrupt:
        pass


# ============================================================================
# API COMMAND
# ============================================================================

# ============================================================================
# INGEST COMMAND (MVP Ingestion Pipeline: I2P/Telegram -> STIX -> Neo4j)
# ============================================================================

@cli.command()
@click.option('--destinations', '-d', multiple=True, help='I2P/Telegram destinations to fetch (e.g. host.i2p)')
@click.option('--source-type', '-s', default='i2p', type=click.Choice(['i2p', 'telegram']), help='Source type')
@click.option('--neo4j-uri', default=None, help='Neo4j bolt URI (default from config)')
@click.option('--neo4j-user', default=None, help='Neo4j user (default from config)')
@click.option('--neo4j-password', default=None, help='Neo4j password (default from config)')
@click.pass_context
def ingest(ctx, destinations, source_type, neo4j_uri, neo4j_user, neo4j_password):
    """
    Run the ingestion pipeline: fetch from I2P/Telegram -> FaP filter -> STIX -> Neo4j.
    
    Fetches raw content from decentralized sources, filters adversarial FaP,
    transforms to STIX 2.1 (ObservedData, Indicator), and persists to Neo4j.
    
    \b
    Examples:
      shadowhunter ingest -d market.i2p -d news.eepsite.i2p
      shadowhunter ingest -d market.i2p --source-type i2p --neo4j-uri bolt://localhost:7687
    """
    print_banner()
    if not destinations:
        console.print("[yellow]No destinations given. Use -d/--destinations (e.g. -d market.i2p)[/yellow]")
        return
    config = get_config()
    uri = neo4j_uri or config.database.neo4j_uri
    user = neo4j_user or config.database.neo4j_user
    password = neo4j_password or config.database.neo4j_password
    graph_store = GraphStore(uri=uri, user=user, password=password)
    orchestrator = IngestionOrchestrator(graph_store=graph_store)
    with console.status("[bold blue]Running ingestion pipeline...[/bold blue]", spinner="dots"):
        result = orchestrator.run_sync(list(destinations), source_type=source_type)
    table = Table(title="Ingestion Result")
    table.add_column("Metric", style="cyan")
    table.add_column("Value", style="green")
    table.add_row("Destinations fetched", str(result.destinations_fetched))
    table.add_row("Passed FaP filter", str(result.contents_passed_fap))
    table.add_row("Rejected (FaP)", str(result.contents_rejected_fap))
    table.add_row("ObservedData written", str(result.observed_data_written))
    table.add_row("Indicators written", str(result.indicators_written))
    table.add_row("Errors", str(len(result.errors)))
    console.print(table)
    if result.errors:
        for err in result.errors[:5]:
            console.print(f" [red]✗[/red] {err}")
        if len(result.errors) > 5:
            console.print(f" [dim]... and {len(result.errors) - 5} more[/dim]")
    else:
        print_status("Ingestion completed.", "success")


# ============================================================================
# PHASE 3: MULTI-AGENT HUNTER SYSTEM
# ============================================================================

@cli.command()
@click.option('--neo4j-uri', default=None, help='Neo4j bolt URI (default from config)')
@click.option('--neo4j-user', default=None, help='Neo4j user (default from config)')
@click.option('--neo4j-password', default=None, help='Neo4j password (default from config)')
@click.option('--events-file', type=click.Path(exists=True), default=None, help='JSON file with event_stream (list of {source, raw_content, stix_objects, timestamp, metadata})')
@click.option('--enhanced', is_flag=True, help='Use enhanced orchestrator (IntelligentEventRouter, ResourcePool, CircuitBreaker, EnhancedEscapeHatchRegistry)')
@click.option('--output', '-o', type=click.Path(), default=None, help='Write synthesis report to file (.md or .json); default filename if dir given')
@click.option('--model', '-m', default=None, help='LLM model for synthesis/NL (e.g. gpt-4, claude-3-sonnet); optional, uses config if not set')
@click.option('--hunters', '-H', default=None, help='Comma-separated subset of hunters to run (e.g. PasteHunter,CryptoHunter,ThreatScoringEngine); default: all')
@click.pass_context
def hunters(ctx, neo4j_uri, neo4j_user, neo4j_password, events_file, enhanced, output, model, hunters):
    """
    Run Multi-Agent Hunter System: fan out events to all registered hunters,
    process escape hatches, de-duplicate, write high-confidence to Neo4j, synthesize report.
    Use --enhanced for priority routing, resource pools, circuit breakers, and condition-based escape hatches.
    Use --hunters to run only a subset of hunters (e.g. PasteHunter,CryptoHunter).
    """
    if not PHASE3_AVAILABLE:
        console.print("[red]Hunters not available (missing dependencies).[/red]")
        return
    print_banner()
    config = get_config()
    uri = neo4j_uri or getattr(config.database, 'neo4j_uri', 'bolt://localhost:7687')
    user = neo4j_user or getattr(config.database, 'neo4j_user', 'neo4j')
    password = neo4j_password or getattr(config.database, 'neo4j_password', 'password')
    try:
        from neo4j import GraphDatabase
        db_driver = GraphDatabase.driver(uri, auth=(user, password))
        db_driver.verify_connectivity()
    except Exception as e:
        console.print(f"[red]Neo4j connection failed: {e}[/red]")
        return
    hunter_config = getattr(config, 'hunters', None) or {}
    config_by_hunter = {
        'paste_hunter': hunter_config.get('paste_hunter', {}),
        'crypto_hunter': hunter_config.get('crypto_hunter', {}),
        'attribution_hunter': hunter_config.get('attribution_hunter', {}),
        'agentic_profiler': hunter_config.get('agentic_profiler', {}),
        'daco_analyst': hunter_config.get('daco_analyst', {}),
        'identity_hunter': hunter_config.get('identity_hunter', {}),
        'entropy_monitor': hunter_config.get('entropy_monitor', {}),
        'pipeline_defender': hunter_config.get('pipeline_defender', {}),
        'supply_chain_hunter': hunter_config.get('supply_chain_hunter', {}),
        'ai_threat_hunter': hunter_config.get('ai_threat_hunter', {}),
        'insider_threat_hunter': hunter_config.get('insider_threat_hunter', {}),
        'synthetic_id_hunter': hunter_config.get('synthetic_id_hunter', {}),
        'physical_sec_hunter': hunter_config.get('physical_sec_hunter', {}),
        'exploit_market_hunter': hunter_config.get('exploit_market_hunter', {}),
        'social_media_hunter': hunter_config.get('social_media_hunter', {}),
        'github_hunter': hunter_config.get('github_hunter', {}),
        'apt_hunter': hunter_config.get('apt_hunter', {}),
        'threat_scoring_engine': hunter_config.get('threat_scoring', hunter_config.get('threat_scoring_engine', {})),
    }
    session = db_driver.session()
    all_hunters_list = [
        PasteHunter(session, config_by_hunter['paste_hunter']),
        CryptoHunter(session, config_by_hunter['crypto_hunter']),
        AttributionHunter(session, config_by_hunter['attribution_hunter']),
        AgenticProfiler(session, config_by_hunter['agentic_profiler']),
        DACOAnalyst(session, config_by_hunter['daco_analyst']),
        IdentityHunter(session, config_by_hunter['identity_hunter']),
        EntropyMonitor(session, config_by_hunter['entropy_monitor']),
        PipelineDefender(session, config_by_hunter['pipeline_defender']),
        SupplyChainHunter(session, config_by_hunter['supply_chain_hunter']),
        AIThreatHunter(session, config_by_hunter['ai_threat_hunter']),
        InsiderThreatHunter(session, config_by_hunter['insider_threat_hunter']),
        SyntheticIDHunter(session, config_by_hunter['synthetic_id_hunter']),
        PhysicalSecHunter(session, config_by_hunter['physical_sec_hunter']),
        ExploitMarketHunter(session, config_by_hunter['exploit_market_hunter']),
        SocialMediaHunter(session, config_by_hunter['social_media_hunter']),
        GitHubHunter(session, config_by_hunter['github_hunter']),
        APTHunter(session, config_by_hunter['apt_hunter']),
        ThreatScoringEngine(session, config_by_hunter['threat_scoring_engine']),
    ]
    if hunters:
        allowed = {n.strip() for n in hunters.split(',') if n.strip()}
        hunters_list = [h for h in all_hunters_list if h.get_name() in allowed]
        if not hunters_list:
            console.print("[red]No hunters matched --hunters. Use names like PasteHunter,CryptoHunter.[/red]")
            db_driver.close()
            return
        console.print(f"[dim]Running subset: {', '.join(h.get_name() for h in hunters_list)}[/dim]")
    else:
        hunters_list = all_hunters_list
    event_stream = []
    if events_file:
        with open(events_file, 'r') as f:
            event_stream = json.load(f)
    else:
        event_stream = [{
            'source': 'cli',
            'raw_content': 'Sample paste with wallet 4AdkPJoxn7JCvAqP31V1EBhNj4pes2u3uT5r2W2R8f2N2abc and email test@example.com',
            'stix_objects': [],
            'timestamp': datetime.utcnow().isoformat(),
            'metadata': {},
        }]

    if enhanced:
        escape_registry = EnhancedEscapeHatchRegistry()
        orch_config = {
            "io_concurrency": hunter_config.get("io_concurrency", 100),
            "circuit_breaker_threshold": hunter_config.get("circuit_breaker_threshold", 5),
            "circuit_breaker_timeout": hunter_config.get("circuit_breaker_timeout", 60),
        }
        if model:
            orch_config["llm_model"] = model
        orchestrator = EnhancedOrchestrator(hunters_list, db_driver, escape_registry, config=orch_config)
    else:
        escape_registry = EscapeHatchRegistry()
        orchestrator = Orchestrator(hunters_list, db_driver, escape_registry)

    with console.status(
        "[bold blue]Running Hunter System" + (" (enhanced)" if enhanced else "") + "...[/bold blue]",
        spinner="dots",
    ):
        try:
            report = asyncio.run(orchestrator.run(event_stream))
        except Exception as e:
            console.print(f"[red]Orchestrator error: {e}[/red]")
            db_driver.close()
            return
    db_driver.close()
    console.print(Panel(report.get('summary', 'No summary.'), title="Synthesis Report", border_style="green"))
    if report.get('key_findings'):
        console.print("[bold]Key findings:[/bold]")
        for finding in report['key_findings'][:10]:
            console.print(f"  • {finding}")

    # Write report to file if --output given
    if output:
        out_path = Path(output)
        if out_path.suffix.lower() == ".md":
            md_lines = [
                "# ShadowHunter Synthesis Report",
                "",
                report.get("summary", "No summary."),
                "",
                "## Key findings",
                "",
            ]
            for f in report.get("key_findings") or []:
                md_lines.append(f"- {f}")
            md_lines.append("")
            out_path.write_text("\n".join(md_lines), encoding="utf-8")
        else:
            json_path = out_path if out_path.suffix.lower() == ".json" else Path(str(out_path) + ".json")
            with open(json_path, "w", encoding="utf-8") as f:
                json.dump(report, f, indent=2, default=str)
            out_path = json_path
        console.print(f"[dim]Report written to {out_path}[/dim]")
    print_status("Hunter run complete.", "success")


# ============================================================================
# DARK WEB SEARCH (refine → search → filter → scrape → summarize; multi-model)
# ============================================================================

@cli.command()
@click.option('--query', '-q', required=True, help='Dark web search query')
@click.option('--model', '-m', default=None, help='LLM model (uses OPENAI_MODEL / OpenAI-compatible endpoint)')
@click.option('--threads', '-t', default=5, show_default=True, help='Parallel threads for search and scrape')
@click.option('--output', '-o', type=click.Path(), default=None, help='Save summary to file (.md); default: summary_<timestamp>.md')
@click.option('--no-llm', is_flag=True, help='Skip LLM: use raw query, first 20 results, and a plain text summary (no API key needed)')
@click.option('--engines', default=None, help='Comma-separated list of search engine URLs with {query} placeholder; overrides default engines')
@click.option('--engines-file', type=click.Path(exists=True), default=None, help='Path to file with one engine URL per line (with {query})')
@click.pass_context
def search(ctx, query, model, threads, output, no_llm, engines, engines_file):
    """
    Dark web search: LLM-refine query → Tor search engines → filter → scrape → LLM summary.

    Requires Tor (proxy 127.0.0.1:9050). Use --no-llm to skip LLM steps (raw query + first 20 + text summary).
    Use --model to choose provider/model (e.g. gpt-4o, claude-3-5-sonnet, gemini-1.5-flash, grok-2).
    Saves investigation summary to --output or summary_<timestamp>.md.
    """
    try:
        from shadowhunter.dark_web_search import (
            get_search_results,
            scrape_multiple,
            refine_query,
            filter_results,
            generate_summary,
            get_llm_client,
        )
    except ImportError as e:
        console.print("[red]Dark web search module unavailable.[/red]")
        console.print(f"[dim]{e}[/dim]")
        return

    config = get_config()
    proxy_host = getattr(config.tor, 'proxy_host', '127.0.0.1')
    proxy_port = getattr(config.tor, 'proxy_port', 9050)

    # Optional custom engines list
    engines_list = None
    if engines_file:
        with open(engines_file, 'r') as f:
            engines_list = [line.strip() for line in f if line.strip() and '{query}' in line]
    elif engines:
        engines_list = [u.strip() for u in engines.split(',') if u.strip() and '{query}' in u.strip()]

    client, model_name, provider = None, (model or '').strip() or None, "openai"
    if not no_llm:
        client, model_name, provider = get_llm_client(
            api_key=getattr(getattr(config, 'llm', None), 'openai_api_key', None) or os.environ.get('OPENAI_API_KEY'),
            base_url=os.environ.get('OPENAI_BASE_URL'),
            model=model,
        )
    if not client and not no_llm:
        console.print("[yellow]No LLM API key set; using query as-is and first 20 results.[/yellow]")
        try:
            from shadowhunter.dark_web_search.llm_flow import get_supported_models_help
            console.print("[dim]" + get_supported_models_help() + "[/dim]")
        except Exception:
            console.print("[dim]Set OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, or XAI_API_KEY (or OPENAI_BASE_URL for Ollama).[/dim]")

    print_status("Refining query...", "running")
    refined = refine_query(client, model_name, provider, query) if client else query.strip()
    if refined != query.strip():
        console.print(f"  [dim]Refined: {refined}[/dim]")

    print_status("Searching dark web (Tor)...", "running")
    raw_results = get_search_results(refined, max_workers=threads, proxy_host=proxy_host, proxy_port=proxy_port, engines=engines_list)
    if not raw_results:
        console.print("[red]No search results. Check Tor (e.g. Tor Browser or tor service) and proxy port 9050.[/red]")
        return
    print_status(f"Found {len(raw_results)} raw results; filtering...", "info")

    filtered = filter_results(client, model_name, refined, raw_results, top_k=20) if client else raw_results[:20]
    print_status(f"Scraping {len(filtered)} pages...", "running")
    scraped = scrape_multiple(filtered, max_workers=threads, proxy_host=proxy_host, proxy_port=proxy_port)
    if not scraped:
        console.print("[red]Failed to scrape any content. Check Tor connectivity.[/red]")
        return

    print_status("Generating summary...", "running")
    summary = generate_summary(client, model_name, provider, query, scraped) if client else _fallback_summary(query, scraped)

    # Output file
    out_path = output
    if not out_path:
        out_path = f"summary_{datetime.utcnow().strftime('%Y-%m-%d_%H-%M-%S')}.md"
    if not out_path.endswith('.md'):
        out_path = out_path + '.md'
    Path(out_path).write_text(summary, encoding='utf-8')
    console.print(f"[green]Summary saved to {out_path}[/green]")
    console.print(Panel(summary[:2000] + ("..." if len(summary) > 2000 else ""), title="Summary (preview)", border_style="blue"))
    print_status("Search complete.", "success")


def _fallback_summary(query: str, scraped: dict) -> str:
    """When no LLM is configured, produce a minimal text summary."""
    lines = [
        f"# Dark Web Search Summary",
        f"Query: {query}",
        "",
        "## Source Links",
        *list(scraped.keys()),
        "",
        "## Excerpts",
        ""
    ]
    for url, text in list(scraped.items())[:10]:
        lines.append(f"### {url}")
        lines.append((text[:500] + "..." if len(text) > 500 else text))
        lines.append("")
    return "\n".join(lines)


@cli.command()
@click.option('--host', '-h', default='0.0.0.0', help='Host to bind')
@click.option('--port', '-p', default=8000, help='Port to bind')
@click.option('--reload', is_flag=True, help='Enable auto-reload')
@click.pass_context
def api(ctx, host, port, reload):
    """
    Start the REST API server.
    
    Launch the FastAPI backend server for dashboard integration.
    
    \b
    Examples:
      shadowhunter api
      shadowhunter api --port 3000
      shadowhunter api --reload
    """
    print_banner()
    
    console.print(Panel.fit(
        f"[bold]API Server[/bold]\n"
        f"Host: {host}\n"
        f"Port: {port}\n"
        f"Auto-reload: {'Enabled' if reload else 'Disabled'}",
        title="🚀 Server Configuration",
        border_style="green"
    ))
    
    console.print(f"\n[green]Starting server at http://{host}:{port}[/green]")
    console.print(f"[dim]API docs available at http://{host}:{port}/docs[/dim]\n")
    
    import uvicorn
    uvicorn.run(
        "shadowhunter_api:app",
        host=host,
        port=port,
        reload=reload,
        log_level="info"
    )


# ============================================================================
# PARSE COMMAND (Stealer Log Parser)
# ============================================================================

@cli.command()
@click.argument('path', type=click.Path(exists=True))
@click.option('--family', '-f', 
              type=click.Choice(['redline', 'vidar', 'lumma', 'raccoon', 'risepro', 'auto']),
              default='auto',
              help='Stealer family (auto-detect if not specified)')
@click.option('--output', '-o', type=click.Path(), help='Output directory for JSON results')
@click.option('--concurrent', '-c', default=10, help='Max concurrent parsers')
@click.option('--format', 
              type=click.Choice(['json', 'summary', 'table']), 
              default='table',
              help='Output format')
@click.pass_context
def parse(ctx, path, family, output, concurrent, format):
    """
    Parse stealer log archives.
    
    Extract credentials, cookies, crypto wallets, and corporate indicators
    from info-stealer malware logs (RedLine, Vidar, Lumma, etc.).
    
    PATH can be a single archive file or a directory of archives.
    
    \b
    Supported formats:
      • ZIP archives
      • RAR archives (requires unrar)
      • 7z archives (requires p7zip)
      • Extracted directories
    
    \b
    Examples:
      shadowhunter parse logs.zip
      shadowhunter parse ./stealer_logs/ -c 20
      shadowhunter parse archive.zip -f redline -o ./results/
      shadowhunter parse batch_logs/ --format summary
    """
    print_banner()
    
    path_obj = Path(path)
    
    # Determine if single file or directory
    if path_obj.is_file():
        archives = [path_obj]
        mode = "single"
    elif path_obj.is_dir():
        archives = list(path_obj.glob("*.zip")) + list(path_obj.glob("*.rar")) + list(path_obj.glob("*.7z"))
        mode = "batch"
    else:
        console.print(f"[red]Invalid path: {path}[/red]")
        return
    
    if not archives:
        console.print(f"[yellow]No archives found in {path}[/yellow]")
        return
    
    # Resolve stealer family
    stealer_family = None
    if family != 'auto':
        family_map = {
            'redline': StealerFamily.REDLINE,
            'vidar': StealerFamily.VIDAR,
            'lumma': StealerFamily.LUMMA,
            'raccoon': StealerFamily.RACCOON,
            'risepro': StealerFamily.RISEPRO,
        }
        stealer_family = family_map.get(family)
    
    console.print(Panel.fit(
        f"[bold]Stealer Log Parser[/bold]\n"
        f"Mode: {mode.title()}\n"
        f"Archives: {len(archives)}\n"
        f"Family: {family.upper()}\n"
        f"Concurrent: {concurrent}\n"
        f"Output: {output or 'Console'}",
        title="🔓 Parse Configuration",
        border_style="red"
    ))
    
    # Aggregated results
    all_results = []
    total_stats = {
        "credentials": 0,
        "cookies": 0,
        "wallets": 0,
        "corporate_victims": 0,
        "high_risk": 0,
    }
    
    async def run_parser():
        nonlocal all_results, total_stats
        
        config = PipelineConfig(
            max_concurrent=concurrent,
            save_results=output is not None,
            output_directory=Path(output) if output else None,
        )
        pipeline = StealerLogPipeline(config)
        
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console
        ) as progress:
            task = progress.add_task(
                f"[red]Parsing {len(archives)} archive(s)...", 
                total=len(archives)
            )
            
            processed = 0
            async for result in pipeline.process_archives(archives, family=stealer_family):
                processed += 1
                progress.update(task, completed=processed)
                all_results.append(result)
                
                # Update totals
                total_stats["credentials"] += result.total_credentials
                total_stats["cookies"] += result.total_cookies
                total_stats["wallets"] += len(result.wallets)
                if result.is_corporate_victim:
                    total_stats["corporate_victims"] += 1
                if result.risk_score > 70:
                    total_stats["high_risk"] += 1
        
        return pipeline.stats
    
    stats = asyncio.run(run_parser())
    
    # Display results based on format
    console.print()
    
    if format == 'table':
        # Summary table
        table = Table(title="Parse Results", show_header=True, header_style="bold red")
        table.add_column("Metric", style="dim")
        table.add_column("Value")
        
        table.add_row("Archives Processed", str(stats.success))
        table.add_row("Archives Failed", str(stats.failed))
        table.add_row("Duration", f"{stats.duration_seconds:.2f}s")
        table.add_row("Rate", f"{stats.rate_per_second:.2f}/sec")
        table.add_row("[cyan]Total Credentials[/cyan]", str(total_stats["credentials"]))
        table.add_row("[cyan]Total Cookies[/cyan]", str(total_stats["cookies"]))
        table.add_row("[yellow]Crypto Wallets[/yellow]", str(total_stats["wallets"]))
        table.add_row("[red]Corporate Victims[/red]", str(total_stats["corporate_victims"]))
        table.add_row("[red]High Risk Logs[/red]", str(total_stats["high_risk"]))
        
        console.print(table)
        
        # Show top findings
        if all_results:
            console.print("\n[bold]Top Findings:[/bold]")
            
            # Sort by risk score
            sorted_results = sorted(all_results, key=lambda r: r.risk_score, reverse=True)
            
            for result in sorted_results[:5]:
                risk_color = "red" if result.risk_score > 70 else "yellow" if result.risk_score > 40 else "green"
                corp_badge = " [red]🏢 CORPORATE[/red]" if result.is_corporate_victim else ""
                
                console.print(
                    f"  [{risk_color}]●[/{risk_color}] "
                    f"[{risk_color}]Risk: {result.risk_score}/100[/{risk_color}] | "
                    f"{Path(result.source_file).name} | "
                    f"{result.total_credentials} creds{corp_badge}"
                )
    
    elif format == 'summary':
        # Detailed summary for each result
        for result in all_results:
            console.print(result.to_summary())
            console.print("─" * 60)
    
    elif format == 'json':
        # JSON output to console
        output_data = {
            "stats": stats.to_dict(),
            "totals": total_stats,
            "results": [r.to_dict() for r in all_results]
        }
        console.print(Syntax(json.dumps(output_data, indent=2, default=str), "json"))
    
    # Final status
    if output:
        print_status(f"Results saved to {output}", "success")
    
    # Alert on high-value findings
    if total_stats["corporate_victims"] > 0:
        console.print(
            f"\n[bold red]⚠ {total_stats['corporate_victims']} CORPORATE VICTIM(S) DETECTED![/bold red]"
        )
    
    if total_stats["wallets"] > 0:
        console.print(
            f"[bold yellow]💰 {total_stats['wallets']} crypto wallet(s) extracted[/bold yellow]"
        )


# ============================================================================
# ENRICH COMMAND (IOC Enrichment)
# ============================================================================

@cli.command()
@click.argument('input_source', type=str)
@click.option('--type', '-t', 'ioc_type',
              type=click.Choice(['ip', 'domain', 'url', 'md5', 'sha256', 'email', 'auto']),
              default='auto',
              help='IOC type (auto-detect if not specified)')
@click.option('--virustotal', 'vt_key', envvar='VT_API_KEY',
              help='VirusTotal API key (or set VT_API_KEY env)')
@click.option('--shodan', 'shodan_key', envvar='SHODAN_API_KEY',
              help='Shodan API key (or set SHODAN_API_KEY env)')
@click.option('--abuseipdb', 'abuseipdb_key', envvar='ABUSEIPDB_API_KEY',
              help='AbuseIPDB API key (or set ABUSEIPDB_API_KEY env)')
@click.option('--output', '-o', type=click.Path(), help='Output file path')
@click.option('--format', '-f', 
              type=click.Choice(['table', 'json', 'summary']), 
              default='table',
              help='Output format')
@click.pass_context
def enrich(ctx, input_source, ioc_type, vt_key, shodan_key, abuseipdb_key, output, format):
    """
    Extract and enrich IOCs with threat intelligence.
    
    INPUT_SOURCE can be:
    - A single IOC value (IP, domain, hash, etc.)
    - A file path containing text with IOCs
    - "-" to read from stdin
    
    Enriches IOCs using VirusTotal, Shodan, and AbuseIPDB APIs.
    
    \b
    Examples:
      shadowhunter enrich 1.2.3.4
      shadowhunter enrich evil.com --type domain
      shadowhunter enrich report.txt --virustotal YOUR_KEY
      shadowhunter enrich - < iocs.txt
      echo "Check IP 8.8.8.8" | shadowhunter enrich -
    """
    print_banner()
    
    # Check for API keys
    api_keys = {}
    if vt_key:
        api_keys["virustotal"] = vt_key
    if shodan_key:
        api_keys["shodan"] = shodan_key
    if abuseipdb_key:
        api_keys["abuseipdb"] = abuseipdb_key
    
    if not api_keys:
        console.print("[yellow]⚠ No API keys provided. IOCs will be extracted but not enriched.[/yellow]")
        console.print("[dim]Set API keys via options or environment variables:[/dim]")
        console.print("[dim]  --virustotal KEY  or  VT_API_KEY=KEY[/dim]")
        console.print("[dim]  --shodan KEY      or  SHODAN_API_KEY=KEY[/dim]")
        console.print("[dim]  --abuseipdb KEY   or  ABUSEIPDB_API_KEY=KEY[/dim]")
        console.print()
    
    # Determine input text
    if input_source == "-":
        # Read from stdin
        input_text = sys.stdin.read()
    elif Path(input_source).is_file():
        # Read from file
        with open(input_source, 'r', encoding='utf-8', errors='ignore') as f:
            input_text = f.read()
    else:
        # Treat as single IOC value
        input_text = input_source
    
    console.print(Panel.fit(
        f"[bold]IOC Enrichment[/bold]\n"
        f"Input: {input_source if len(input_source) < 50 else input_source[:47] + '...'}\n"
        f"Type Filter: {ioc_type.upper()}\n"
        f"Providers: {', '.join(api_keys.keys()) or 'None (extraction only)'}",
        title="🔍 Enrich Configuration",
        border_style="cyan"
    ))
    
    # Results
    enriched_iocs = []
    extraction_result = None
    
    async def run_enrichment():
        nonlocal enriched_iocs, extraction_result
        
        extractor = IOCExtractor()
        
        # Determine types to extract
        type_filter = None
        if ioc_type != 'auto':
            type_map = {
                'ip': IOCType.IP_ADDRESS,
                'domain': IOCType.DOMAIN,
                'url': IOCType.URL,
                'md5': IOCType.FILE_HASH_MD5,
                'sha256': IOCType.FILE_HASH_SHA256,
                'email': IOCType.EMAIL,
            }
            type_filter = [type_map[ioc_type]]
        
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console
        ) as progress:
            
            # Extract IOCs
            task = progress.add_task("[cyan]Extracting IOCs...", total=None)
            extraction_result = extractor.extract(input_text, types=type_filter)
            progress.update(task, completed=True)
            
            if extraction_result.total_count == 0:
                console.print("[yellow]No IOCs found in input.[/yellow]")
                return
            
            console.print(f"\n[green]✓[/green] Extracted {extraction_result.total_count} IOCs\n")
            
            # Enrich if API keys provided
            if api_keys:
                from shadowhunter.intelligence.enrichment_engine import EnrichmentConfig
                
                config = EnrichmentConfig(
                    cache_ttl=3600,
                    max_concurrent=5,
                )
                
                engine = EnrichmentEngine(api_keys=api_keys, config=config)
                
                task = progress.add_task(
                    f"[cyan]Enriching {extraction_result.total_count} IOCs...", 
                    total=None
                )
                
                enriched_iocs = await engine.extract_and_enrich(input_text, priority_types=type_filter)
                
                progress.update(task, completed=True)
    
    asyncio.run(run_enrichment())
    
    # Display results
    console.print()
    
    if enriched_iocs:
        if format == 'table':
            # Results table
            table = Table(title="Enriched IOCs", show_header=True, header_style="bold cyan")
            table.add_column("IOC", style="dim", max_width=40)
            table.add_column("Type", style="dim")
            table.add_column("Score", justify="right")
            table.add_column("Level")
            table.add_column("Tags")
            
            for ioc in enriched_iocs[:20]:  # Limit to top 20
                score_color = "red" if ioc.threat_score >= 70 else "yellow" if ioc.threat_score >= 30 else "green"
                level_color = {
                    ThreatLevel.CRITICAL: "red",
                    ThreatLevel.MALICIOUS: "red",
                    ThreatLevel.SUSPICIOUS: "yellow",
                    ThreatLevel.CLEAN: "green",
                    ThreatLevel.UNKNOWN: "dim",
                }[ioc.threat_level]
                
                table.add_row(
                    ioc.value[:40],
                    ioc.ioc_type.value.upper(),
                    f"[{score_color}]{ioc.threat_score:.1f}[/{score_color}]",
                    f"[{level_color}]{ioc.threat_level.name}[/{level_color}]",
                    ", ".join(list(ioc.tags)[:3]) if ioc.tags else "-"
                )
            
            console.print(table)
            
            if len(enriched_iocs) > 20:
                console.print(f"\n[dim]... and {len(enriched_iocs) - 20} more IOCs[/dim]")
            
            # Summary stats
            malicious = sum(1 for i in enriched_iocs if i.is_malicious)
            suspicious = sum(1 for i in enriched_iocs if i.is_suspicious and not i.is_malicious)
            
            console.print(f"\n[bold]Summary:[/bold]")
            console.print(f"  Total: {len(enriched_iocs)}")
            console.print(f"  [red]Malicious: {malicious}[/red]")
            console.print(f"  [yellow]Suspicious: {suspicious}[/yellow]")
            
        elif format == 'json':
            output_data = {
                "stats": {
                    "total": len(enriched_iocs),
                    "malicious": sum(1 for i in enriched_iocs if i.is_malicious),
                    "suspicious": sum(1 for i in enriched_iocs if i.is_suspicious),
                },
                "iocs": [i.to_dict() for i in enriched_iocs]
            }
            console.print(Syntax(json.dumps(output_data, indent=2, default=str), "json"))
            
        elif format == 'summary':
            for ioc in enriched_iocs[:10]:
                console.print(ioc.to_summary())
                console.print()
    
    elif extraction_result and extraction_result.total_count > 0:
        # No enrichment, just show extraction results
        console.print("[bold]Extracted IOCs (not enriched):[/bold]\n")
        console.print(extraction_result.to_summary())
    
    # Save output
    if output and enriched_iocs:
        output_data = {
            "timestamp": datetime.utcnow().isoformat(),
            "input_source": str(input_source),
            "total_iocs": len(enriched_iocs),
            "iocs": [i.to_dict() for i in enriched_iocs]
        }
        with open(output, 'w') as f:
            json.dump(output_data, f, indent=2, default=str)
        print_status(f"Results saved to {output}", "success")
    
    # Alert on high-threat findings
    if enriched_iocs:
        malicious = [i for i in enriched_iocs if i.is_malicious]
        if malicious:
            console.print(
                f"\n[bold red]🚨 {len(malicious)} MALICIOUS IOC(s) DETECTED![/bold red]"
            )
            for ioc in malicious[:5]:
                console.print(f"   [red]•[/red] {ioc.value} (Score: {ioc.threat_score:.1f})")


# ============================================================================
# VALIDATE COMMAND (Session Validator)
# ============================================================================

@cli.command()
@click.argument('input_source', type=click.Path(exists=True))
@click.option('--allowed', '-a', multiple=True, required=True,
              help='Allowed domain(s) to validate (required for authorization)')
@click.option('--platform', '-p',
              type=click.Choice([p.value for p in Platform]),
              help='Filter to specific platform (auto-detect if not specified)')
@click.option('--rate-limit', '-r', default=10,
              help='Max validations per minute per platform')
@click.option('--concurrent', '-c', default=3,
              help='Max concurrent validations')
@click.option('--high-risk-only', is_flag=True,
              help='Only show valid high-risk sessions')
@click.option('--output', '-o', type=click.Path(), 
              help='Output file path for results')
@click.option('--format', '-f',
              type=click.Choice(['table', 'json', 'summary']),
              default='table',
              help='Output format')
@click.pass_context
def validate(ctx, input_source, allowed, platform, rate_limit, concurrent, 
             high_risk_only, output, format):
    """
    Validate session cookies from stealer logs.
    
    Check if extracted session tokens are still active for
    authorized domains. Supports Google, Microsoft, and more.
    
    ⚠️  IMPORTANT: Only validates sessions for domains you specify
    with --allowed. This is required for authorized use.
    
    INPUT_SOURCE should be a JSON file containing parsed stealer log results
    (output from 'shadowhunter parse' command).
    
    \b
    Supported Platforms:
      • Google / Google Workspace
      • Microsoft 365 / Azure AD
      • GitHub (coming soon)
      • Slack (coming soon)
    
    \b
    Examples:
      shadowhunter validate parsed.json --allowed yourcompany.com
      shadowhunter validate results/ -a corp.com -a company.org
      shadowhunter validate logs.json -a domain.com --high-risk-only
      shadowhunter validate output.json -a target.com -o report.json
    """
    print_banner()
    
    console.print(Panel.fit(
        "[bold yellow]⚠ Session Validation Notice[/bold yellow]\n\n"
        "This tool validates session cookies to check if they are still active.\n"
        "• Only read-only validation operations are performed\n"
        "• Sessions are only checked for authorized domains\n"
        "• All validations are logged for audit purposes\n"
        "• Never use for unauthorized access",
        title="🔐 Ethical Use Warning",
        border_style="yellow"
    ))
    
    console.print()
    
    # Load input data
    input_path = Path(input_source)
    
    cookies_to_validate = []
    
    try:
        if input_path.is_file():
            with open(input_path, 'r') as f:
                data = json.load(f)
            
            # Handle different input formats
            if isinstance(data, list):
                # List of results from parse command
                for result in data:
                    if 'cookies' in result:
                        for cookie_data in result['cookies']:
                            from shadowhunter.parsers.stealer_types import SessionCookie, StealerFamily
                            cookie = SessionCookie(
                                domain=cookie_data.get('domain', ''),
                                name=cookie_data.get('name', ''),
                                value=cookie_data.get('value', ''),
                                path=cookie_data.get('path', '/'),
                                http_only=cookie_data.get('http_only', False),
                                secure=cookie_data.get('secure', False),
                                stealer_family=StealerFamily(cookie_data.get('stealer_family', 'unknown'))
                            )
                            cookies_to_validate.append(cookie)
            elif isinstance(data, dict) and 'cookies' in data:
                # Single result
                for cookie_data in data['cookies']:
                    from shadowhunter.parsers.stealer_types import SessionCookie, StealerFamily
                    cookie = SessionCookie(
                        domain=cookie_data.get('domain', ''),
                        name=cookie_data.get('name', ''),
                        value=cookie_data.get('value', ''),
                        path=cookie_data.get('path', '/'),
                        http_only=cookie_data.get('http_only', False),
                        secure=cookie_data.get('secure', False),
                        stealer_family=StealerFamily(cookie_data.get('stealer_family', 'unknown'))
                    )
                    cookies_to_validate.append(cookie)
                    
        elif input_path.is_dir():
            # Load all JSON files in directory
            for json_file in input_path.glob("*.json"):
                with open(json_file, 'r') as f:
                    data = json.load(f)
                if isinstance(data, dict) and 'cookies' in data:
                    for cookie_data in data['cookies']:
                        from shadowhunter.parsers.stealer_types import SessionCookie, StealerFamily
                        cookie = SessionCookie(
                            domain=cookie_data.get('domain', ''),
                            name=cookie_data.get('name', ''),
                            value=cookie_data.get('value', ''),
                            path=cookie_data.get('path', '/'),
                            http_only=cookie_data.get('http_only', False),
                            secure=cookie_data.get('secure', False),
                            stealer_family=StealerFamily(cookie_data.get('stealer_family', 'unknown'))
                        )
                        cookies_to_validate.append(cookie)
                        
    except Exception as e:
        console.print(f"[red]Error loading input: {e}[/red]")
        return
    
    if not cookies_to_validate:
        console.print("[yellow]No cookies found in input. Run 'shadowhunter parse' first.[/yellow]")
        return
    
    # Filter high-value cookies only
    high_value_cookies = [c for c in cookies_to_validate if c.is_high_value]
    
    console.print(Panel.fit(
        f"[bold]Session Validator[/bold]\n"
        f"Total Cookies: {len(cookies_to_validate)}\n"
        f"High-Value Cookies: {len(high_value_cookies)}\n"
        f"Allowed Domains: {', '.join(allowed)}\n"
        f"Rate Limit: {rate_limit}/min/platform\n"
        f"Concurrent: {concurrent}",
        title="🔐 Validate Configuration",
        border_style="purple"
    ))
    
    # Validation results
    all_results = []
    
    async def run_validation():
        nonlocal all_results
        
        config = ValidatorConfig(
            rate_limit_per_minute=rate_limit,
            max_concurrent=concurrent,
            validate_only_high_value=True,  # Focus on session tokens
        )
        
        engine = SessionValidatorEngine(config=config)
        
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console
        ) as progress:
            task = progress.add_task(
                f"[purple]Validating {len(high_value_cookies)} session cookies...",
                total=None
            )
            
            all_results = await engine.validate_cookies(
                cookies=high_value_cookies,
                allowed_domains=list(allowed)
            )
            
            progress.update(task, completed=True)
        
        return engine.get_stats()
    
    stats = asyncio.run(run_validation())
    
    # Filter results if requested
    display_results = all_results
    if high_risk_only:
        display_results = [r for r in all_results if r.is_valid and r.is_high_risk]
    
    # Display results
    console.print()
    
    if format == 'table':
        # Summary table
        summary_table = Table(title="Validation Summary", show_header=True, header_style="bold purple")
        summary_table.add_column("Metric", style="dim")
        summary_table.add_column("Value")
        
        summary_table.add_row("Total Validated", str(stats['total_validated']))
        summary_table.add_row("[green]Valid Sessions[/green]", str(stats['valid_sessions']))
        summary_table.add_row("Expired Sessions", str(stats['expired_sessions']))
        summary_table.add_row("[red]Critical Risk[/red]", str(stats['critical_sessions']))
        summary_table.add_row("[orange1]High Risk[/orange1]", str(stats['high_risk_sessions']))
        summary_table.add_row("Rate Limited", str(stats['rate_limited']))
        summary_table.add_row("Errors", str(stats['errors']))
        
        console.print(summary_table)
        
        # Results table
        if display_results:
            console.print()
            results_table = Table(title="Session Results", show_header=True, header_style="bold purple")
            results_table.add_column("Platform", style="dim")
            results_table.add_column("Domain")
            results_table.add_column("Status")
            results_table.add_column("Risk")
            results_table.add_column("User")
            results_table.add_column("Response")
            
            for result in display_results[:20]:
                status_color = {
                    SessionStatus.VALID: "green",
                    SessionStatus.EXPIRED: "dim",
                    SessionStatus.INVALID: "red",
                    SessionStatus.MFA_REQUIRED: "yellow",
                    SessionStatus.RATE_LIMITED: "orange1",
                    SessionStatus.ERROR: "red",
                }.get(result.status, "white")
                
                risk_color = {
                    RiskLevel.CRITICAL: "red",
                    RiskLevel.HIGH: "orange1",
                    RiskLevel.MEDIUM: "yellow",
                    RiskLevel.LOW: "green",
                    RiskLevel.UNKNOWN: "dim",
                }.get(result.risk_level, "white")
                
                user = ""
                if result.session_info:
                    user = result.session_info.email or result.session_info.username or ""
                    if result.session_info.is_admin:
                        user += " [red](ADMIN)[/red]"
                
                results_table.add_row(
                    result.platform.value.upper(),
                    result.cookie_domain[:25],
                    f"[{status_color}]{result.status.value}[/{status_color}]",
                    f"[{risk_color}]{result.risk_level.value}[/{risk_color}]",
                    user[:30] if user else "-",
                    f"{result.response_time_ms:.0f}ms"
                )
            
            console.print(results_table)
            
            if len(display_results) > 20:
                console.print(f"\n[dim]... and {len(display_results) - 20} more results[/dim]")
    
    elif format == 'json':
        output_data = {
            "stats": stats,
            "results": [r.to_dict() for r in display_results]
        }
        console.print(Syntax(json.dumps(output_data, indent=2, default=str), "json"))
    
    elif format == 'summary':
        for result in display_results[:10]:
            console.print(result.to_summary())
        if len(display_results) > 10:
            console.print(f"\n[dim]... and {len(display_results) - 10} more[/dim]")
    
    # Save output
    if output:
        output_data = {
            "timestamp": datetime.utcnow().isoformat(),
            "allowed_domains": list(allowed),
            "stats": stats,
            "results": [r.to_dict() for r in all_results]
        }
        with open(output, 'w') as f:
            json.dump(output_data, f, indent=2, default=str)
        print_status(f"Results saved to {output}", "success")
    
    # Alert on high-risk sessions
    critical_sessions = [r for r in all_results if r.is_valid and r.risk_level == RiskLevel.CRITICAL]
    high_risk_sessions = [r for r in all_results if r.is_valid and r.risk_level == RiskLevel.HIGH]
    
    if critical_sessions:
        console.print(
            f"\n[bold red]🚨 {len(critical_sessions)} CRITICAL SESSION(S) DETECTED![/bold red]"
        )
        for result in critical_sessions[:5]:
            user = result.session_info.email if result.session_info else "Unknown"
            console.print(f"   [red]•[/red] {result.platform.value.upper()}: {user}")
        
        console.print("\n[yellow]⚠ Immediate action recommended:[/yellow]")
        console.print("   • Revoke affected sessions immediately")
        console.print("   • Reset user credentials")
        console.print("   • Enable MFA if not already active")
        console.print("   • Review account activity logs")
    
    elif high_risk_sessions:
        console.print(
            f"\n[bold orange1]⚠ {len(high_risk_sessions)} HIGH-RISK SESSION(S) FOUND[/bold orange1]"
        )


# ============================================================================
# LEAKS COMMAND (Data Leak Monitor)
# ============================================================================

@cli.command()
@click.option('--keyword', '-k', multiple=True, required=True,
              help='Keywords to search for (company name, project name)')
@click.option('--domain', '-d', multiple=True,
              help='Domain names to monitor')
@click.option('--github-token', envvar='GITHUB_TOKEN',
              help='GitHub personal access token (or set GITHUB_TOKEN env)')
@click.option('--org', '-o', multiple=True,
              help='GitHub organizations to scan')
@click.option('--max-results', '-m', default=100,
              help='Maximum results per search query')
@click.option('--severity', '-s',
              type=click.Choice(['critical', 'high', 'medium', 'low', 'all']),
              default='all',
              help='Minimum severity to report')
@click.option('--source',
              type=click.Choice(['github', 'paste', 'all']),
              default='all',
              help='Source to scan')
@click.option('--output', type=click.Path(), 
              help='Output file path for results')
@click.option('--format', '-f',
              type=click.Choice(['table', 'json', 'report']),
              default='table',
              help='Output format')
@click.option('--continuous', is_flag=True,
              help='Run continuous monitoring')
@click.option('--interval', default=30,
              help='Scan interval in minutes (for continuous mode)')
@click.pass_context
def leaks(ctx, keyword, domain, github_token, org, max_results, severity,
          source, output, format, continuous, interval):
    """
    Scan for exposed secrets and data leaks.
    
    Monitor GitHub, paste sites, and other sources for leaked
    credentials, API keys, and sensitive data.
    
    \b
    Detected Secret Types:
      • AWS credentials (access keys, secret keys)
      • GitHub/GitLab tokens
      • Slack tokens & webhooks
      • Stripe API keys (live & test)
      • Private keys (SSH, RSA, PGP)
      • Database connection strings
      • JWT secrets
      • Generic API keys & passwords
    
    \b
    Examples:
      shadowhunter leaks -k "mycompany" -d mycompany.com
      shadowhunter leaks -k internal -k confidential --github-token TOKEN
      shadowhunter leaks -k corp -o my-github-org -s critical
      shadowhunter leaks -k company --continuous --interval 60
    """
    print_banner()
    
    # Check for GitHub token
    if not github_token:
        console.print("[yellow]⚠ No GitHub token provided. GitHub scanning disabled.[/yellow]")
        console.print("[dim]Set GITHUB_TOKEN env var or use --github-token[/dim]\n")
        if source == 'github':
            console.print("[red]Cannot scan GitHub without token.[/red]")
            return
    
    console.print(Panel.fit(
        f"[bold]Data Leak Monitor[/bold]\n"
        f"Keywords: {', '.join(keyword)}\n"
        f"Domains: {', '.join(domain) if domain else 'None'}\n"
        f"GitHub Token: {'✓' if github_token else '✗'}\n"
        f"Organizations: {', '.join(org) if org else 'None'}\n"
        f"Max Results: {max_results}\n"
        f"Severity Filter: {severity.upper()}\n"
        f"Mode: {'Continuous' if continuous else 'One-time scan'}",
        title="🔍 Leak Monitor Configuration",
        border_style="red"
    ))
    
    # Build config
    config = LeakMonitorConfig(
        keywords=list(keyword),
        domains=list(domain),
        github_token=github_token,
        github_orgs=list(org),
        max_results_per_search=max_results,
        scan_interval_minutes=interval,
    )
    
    all_alerts = []
    
    async def run_scan():
        nonlocal all_alerts
        
        monitor = DataLeakMonitor(config)
        
        if continuous:
            console.print("\n[yellow]Press Ctrl+C to stop monitoring[/yellow]\n")
            
            try:
                scan_count = 0
                while True:
                    scan_count += 1
                    console.print(f"[cyan]Scan #{scan_count}[/cyan] — {datetime.now().strftime('%H:%M:%S')}")
                    
                    with Progress(
                        SpinnerColumn(),
                        TextColumn("[progress.description]{task.description}"),
                        console=console
                    ) as progress:
                        task = progress.add_task("[red]Scanning for leaks...", total=None)
                        alerts = await monitor.run_full_scan()
                        progress.update(task, completed=True)
                    
                    # Filter by severity
                    if severity != 'all':
                        severity_map = {
                            'critical': [LeakSeverity.CRITICAL],
                            'high': [LeakSeverity.CRITICAL, LeakSeverity.HIGH],
                            'medium': [LeakSeverity.CRITICAL, LeakSeverity.HIGH, LeakSeverity.MEDIUM],
                            'low': [LeakSeverity.CRITICAL, LeakSeverity.HIGH, LeakSeverity.MEDIUM, LeakSeverity.LOW],
                        }
                        alerts = [a for a in alerts if a.max_severity in severity_map.get(severity, [])]
                    
                    if alerts:
                        console.print(f"  [red]🚨 {len(alerts)} leak(s) detected![/red]")
                        for alert in alerts[:3]:
                            console.print(f"    [{alert.max_severity.value}] {alert.source_name}")
                    else:
                        console.print(f"  [green]✓ No new leaks found[/green]")
                    
                    all_alerts.extend(alerts)
                    
                    console.print(f"  [dim]Next scan in {interval} minutes...[/dim]\n")
                    await asyncio.sleep(interval * 60)
                    
            except KeyboardInterrupt:
                console.print("\n[yellow]Monitoring stopped.[/yellow]")
                
        else:
            with Progress(
                SpinnerColumn(),
                TextColumn("[progress.description]{task.description}"),
                console=console
            ) as progress:
                task = progress.add_task("[red]Scanning for data leaks...", total=None)
                all_alerts = await monitor.run_full_scan()
                progress.update(task, completed=True)
            
            # Filter by severity
            if severity != 'all':
                severity_map = {
                    'critical': [LeakSeverity.CRITICAL],
                    'high': [LeakSeverity.CRITICAL, LeakSeverity.HIGH],
                    'medium': [LeakSeverity.CRITICAL, LeakSeverity.HIGH, LeakSeverity.MEDIUM],
                    'low': [LeakSeverity.CRITICAL, LeakSeverity.HIGH, LeakSeverity.MEDIUM, LeakSeverity.LOW],
                }
                all_alerts = [a for a in all_alerts if a.max_severity in severity_map.get(severity, [])]
        
        return monitor.get_stats()
    
    try:
        stats = asyncio.run(run_scan())
    except KeyboardInterrupt:
        stats = {}
    
    # Display results
    console.print()
    
    if format == 'table':
        # Summary table
        summary_table = Table(title="Leak Detection Summary", show_header=True, header_style="bold red")
        summary_table.add_column("Metric", style="dim")
        summary_table.add_column("Value")
        
        summary_table.add_row("Total Alerts", str(len(all_alerts)))
        summary_table.add_row("[red]Critical[/red]", str(sum(1 for a in all_alerts if a.max_severity == LeakSeverity.CRITICAL)))
        summary_table.add_row("[orange1]High[/orange1]", str(sum(1 for a in all_alerts if a.max_severity == LeakSeverity.HIGH)))
        summary_table.add_row("[yellow]Medium[/yellow]", str(sum(1 for a in all_alerts if a.max_severity == LeakSeverity.MEDIUM)))
        summary_table.add_row("Secrets Found", str(sum(a.secret_count for a in all_alerts)))
        
        console.print(summary_table)
        
        # Alerts table
        if all_alerts:
            console.print()
            alerts_table = Table(title="Detected Leaks", show_header=True, header_style="bold red")
            alerts_table.add_column("Severity")
            alerts_table.add_column("Source", style="dim")
            alerts_table.add_column("Location", max_width=40)
            alerts_table.add_column("Secrets")
            alerts_table.add_column("Types")
            
            for alert in all_alerts[:20]:
                sev_color = {
                    LeakSeverity.CRITICAL: "red",
                    LeakSeverity.HIGH: "orange1",
                    LeakSeverity.MEDIUM: "yellow",
                    LeakSeverity.LOW: "blue",
                    LeakSeverity.INFO: "dim",
                }.get(alert.max_severity, "white")
                
                alerts_table.add_row(
                    f"[{sev_color}]{alert.max_severity.value.upper()}[/{sev_color}]",
                    alert.source.value,
                    (alert.source_name or "Unknown")[:40],
                    str(alert.secret_count),
                    ", ".join(alert.secret_types[:3])
                )
            
            console.print(alerts_table)
            
            if len(all_alerts) > 20:
                console.print(f"\n[dim]... and {len(all_alerts) - 20} more alerts[/dim]")
    
    elif format == 'json':
        output_data = {
            "stats": stats,
            "alerts": [a.to_dict() for a in all_alerts]
        }
        console.print(Syntax(json.dumps(output_data, indent=2, default=str), "json"))
    
    elif format == 'report':
        monitor = DataLeakMonitor(config)
        report = monitor.generate_report(all_alerts)
        console.print(report)
    
    # Save output
    if output:
        output_data = {
            "timestamp": datetime.utcnow().isoformat(),
            "config": config.to_dict(),
            "stats": stats,
            "alerts": [a.to_dict() for a in all_alerts]
        }
        with open(output, 'w') as f:
            json.dump(output_data, f, indent=2, default=str)
        print_status(f"Results saved to {output}", "success")
    
    # Alert on critical findings
    critical_alerts = [a for a in all_alerts if a.max_severity == LeakSeverity.CRITICAL]
    if critical_alerts:
        console.print(
            f"\n[bold red]🚨 {len(critical_alerts)} CRITICAL LEAK(S) DETECTED![/bold red]"
        )
        for alert in critical_alerts[:5]:
            console.print(f"   [red]•[/red] {alert.source.value}: {alert.source_name}")
            console.print(f"     URL: {alert.source_url}")
        
        console.print("\n[yellow]⚠ Immediate action required:[/yellow]")
        console.print("   • Rotate all exposed credentials")
        console.print("   • Remove secrets from public sources")
        console.print("   • Audit for unauthorized access")


# ============================================================================
# SURFACE COMMAND - Attack Surface Scanner
# ============================================================================

@cli.command()
@click.argument('domain')
@click.option('--deep', '-D', is_flag=True, help='Enable deep scan (extended port list)')
@click.option('--ports', '-p', multiple=True, type=int, help='Additional ports to scan')
@click.option('--no-ports', is_flag=True, help='Skip port scanning')
@click.option('--no-fingerprint', is_flag=True, help='Skip technology fingerprinting')
@click.option('--no-crtsh', is_flag=True, help='Skip Certificate Transparency lookup')
@click.option('--no-wayback', is_flag=True, help='Skip Wayback Machine lookup')
@click.option('--no-brute', is_flag=True, help='Skip DNS brute forcing')
@click.option('--wordlist', '-w', type=click.Path(exists=True), help='Custom subdomain wordlist')
@click.option('--timeout', '-t', default=3.0, help='Port scan timeout in seconds')
@click.option('--output', '-o', type=click.Path(), help='Output file path (JSON)')
@click.option('--format', '-f', 
              type=click.Choice(['table', 'json', 'brief']), 
              default='table', help='Output format')
@click.pass_context
def surface(ctx, domain, deep, ports, no_ports, no_fingerprint, no_crtsh, no_wayback, 
            no_brute, wordlist, timeout, output, format):
    """
    Scan external attack surface for a domain.
    
    Discovers subdomains, open ports, technologies, and security issues.
    
    \b
    Examples:
      shadowhunter surface example.com
      shadowhunter surface example.com --deep
      shadowhunter surface example.com -p 9000 -p 9200
      shadowhunter surface example.com --no-ports --output surface.json
    """
    print_banner()
    
    # Load custom wordlist if provided
    custom_wordlist = None
    if wordlist:
        try:
            with open(wordlist, 'r') as f:
                custom_wordlist = [line.strip() for line in f if line.strip()]
            console.print(f"[dim]Loaded {len(custom_wordlist)} words from wordlist[/dim]")
        except Exception as e:
            console.print(f"[yellow]Warning: Could not load wordlist: {e}[/yellow]")
    
    # Build configuration
    config = ScanConfig(
        enable_crtsh=not no_crtsh,
        enable_wayback=not no_wayback,
        enable_dns_brute=not no_brute,
        enable_port_scan=not no_ports,
        enable_fingerprint=not no_fingerprint,
        port_scan_timeout=timeout,
        common_ports_only=not deep,
        custom_wordlist=custom_wordlist,
    )
    
    console.print(Panel.fit(
        f"[bold]Target:[/bold] {domain}\n"
        f"[bold]Mode:[/bold] {'Deep Scan' if deep else 'Standard Scan'}\n"
        f"[bold]Port Scan:[/bold] {'Disabled' if no_ports else 'Extended' if deep else 'Common ports'}\n"
        f"[bold]Fingerprint:[/bold] {'Disabled' if no_fingerprint else 'Enabled'}\n"
        f"[bold]CT Logs:[/bold] {'Disabled' if no_crtsh else 'Enabled'}\n"
        f"[bold]Wayback:[/bold] {'Disabled' if no_wayback else 'Enabled'}",
        title="🎯 Attack Surface Scanner",
        border_style="cyan"
    ))
    
    async def run_scan():
        scanner = AttackSurfaceScanner(config=config)
        
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console,
        ) as progress:
            task = progress.add_task(
                f"[cyan]Scanning {domain}...", 
                total=None
            )
            
            result = await scanner.scan_domain(
                domain,
                deep_scan=deep,
                include_ports=list(ports) if ports else None
            )
            
            progress.update(task, completed=True)
        
        return result
    
    try:
        result = asyncio.run(run_scan())
    except KeyboardInterrupt:
        console.print("\n[yellow]Scan cancelled.[/yellow]")
        return
    except Exception as e:
        console.print(f"[red]Error: {e}[/red]")
        return
    
    # Display results
    console.print()
    
    if format == 'json':
        console.print(Syntax(
            json.dumps(result.to_dict(), indent=2, default=str),
            "json",
            theme="monokai"
        ))
    
    elif format == 'brief':
        console.print(f"[bold]Scan Complete:[/bold] {domain}")
        console.print(f"  Subdomains: {result.total_subdomains}")
        console.print(f"  Open Services: {result.total_services}")
        console.print(f"  High Risk: {len(result.high_risk_assets)}")
        console.print(f"  Critical: {len(result.critical_assets)}")
        console.print(f"  SSL Issues: {len(result.assets_with_ssl_issues)}")
        console.print(f"  Changes: {len(result.changes)}")
        console.print(f"  Duration: {result.duration_seconds:.1f}s")
    
    else:  # table format
        # Summary panel
        summary = (
            f"[bold]Duration:[/bold] {result.duration_seconds:.1f}s\n"
            f"[bold]Subdomains:[/bold] {result.total_subdomains}\n"
            f"[bold]Services:[/bold] {result.total_services}\n"
            f"[bold]High Risk:[/bold] {len(result.high_risk_assets)}\n"
            f"[bold]Critical:[/bold] {len(result.critical_assets)}\n"
            f"[bold]SSL Issues:[/bold] {len(result.assets_with_ssl_issues)}"
        )
        console.print(Panel(summary, title="📊 Scan Summary", border_style="green"))
        
        # Assets table
        if result.assets:
            table = Table(
                title=f"Discovered Assets ({len(result.assets)})",
                show_header=True,
                header_style="bold cyan"
            )
            table.add_column("Asset", style="dim")
            table.add_column("IP", style="dim")
            table.add_column("Ports")
            table.add_column("Status")
            table.add_column("Technologies")
            table.add_column("Risk", justify="center")
            
            for asset in result.assets[:50]:  # Limit to 50 for display
                # Format ports
                ports_str = ", ".join(str(p.port) for p in asset.open_ports[:5])
                if len(asset.open_ports) > 5:
                    ports_str += f" (+{len(asset.open_ports) - 5})"
                
                # Format technologies
                techs_str = ", ".join(t.name for t in asset.technologies[:3])
                if len(asset.technologies) > 3:
                    techs_str += f" (+{len(asset.technologies) - 3})"
                
                # Risk color
                risk_colors = {
                    SurfaceRiskLevel.CRITICAL: "red",
                    SurfaceRiskLevel.HIGH: "orange1",
                    SurfaceRiskLevel.MEDIUM: "yellow",
                    SurfaceRiskLevel.LOW: "blue",
                    SurfaceRiskLevel.INFO: "dim",
                }
                risk_color = risk_colors.get(asset.risk_level, "white")
                risk_str = f"[{risk_color}]{asset.risk_level.name}[/{risk_color}]"
                
                # Status
                status_str = ""
                if asset.http_status:
                    status_str = str(asset.http_status)
                
                table.add_row(
                    asset.value[:40],
                    asset.ip_addresses[0] if asset.ip_addresses else "-",
                    ports_str or "-",
                    status_str or "-",
                    techs_str or "-",
                    risk_str
                )
            
            console.print(table)
            
            if len(result.assets) > 50:
                console.print(f"[dim]...and {len(result.assets) - 50} more assets[/dim]")
        
        # Changes table
        if result.changes:
            console.print()
            changes_table = Table(
                title=f"Detected Changes ({len(result.changes)})",
                show_header=True,
                header_style="bold yellow"
            )
            changes_table.add_column("Type")
            changes_table.add_column("Asset")
            changes_table.add_column("Description")
            changes_table.add_column("Risk")
            
            for change in result.changes[:20]:
                risk_color = {
                    SurfaceRiskLevel.CRITICAL: "red",
                    SurfaceRiskLevel.HIGH: "orange1",
                    SurfaceRiskLevel.MEDIUM: "yellow",
                    SurfaceRiskLevel.LOW: "blue",
                    SurfaceRiskLevel.INFO: "dim",
                }.get(change.risk_level, "white")
                
                changes_table.add_row(
                    change.change_type.value.replace("_", " ").title(),
                    change.asset.value[:30],
                    change.description[:50],
                    f"[{risk_color}]{change.risk_level.name}[/{risk_color}]"
                )
            
            console.print(changes_table)
        
        # High risk alerts
        if result.high_risk_assets:
            console.print()
            console.print(
                f"[bold red]⚠ {len(result.high_risk_assets)} HIGH RISK ASSET(S) DETECTED[/bold red]"
            )
            for asset in result.high_risk_assets[:5]:
                console.print(f"  [red]•[/red] {asset.value} (score: {asset.risk_score:.0f})")
        
        # Errors
        if result.errors:
            console.print(f"\n[yellow]Warnings: {len(result.errors)} errors during scan[/yellow]")
    
    # Save output
    if output:
        with open(output, 'w') as f:
            json.dump(result.to_dict(), f, indent=2, default=str)
        print_status(f"Results saved to {output}", "success")
    
    # Final summary
    print_status(
        f"Scan complete: {result.total_subdomains} subdomains, "
        f"{result.total_services} services, "
        f"{len(result.high_risk_assets)} high-risk",
        "success"
    )


# ============================================================================
# BLOCKCHAIN COMMAND - Cryptocurrency Forensics
# ============================================================================

@cli.command()
@click.argument('address')
@click.option('--chain', '-c',
              type=click.Choice(['bitcoin', 'ethereum', 'solana', 'zcash', 'bsc', 'polygon', 'auto']),
              default='auto', help='Blockchain network (auto-detect if not specified)')
@click.option('--bubblemaps', envvar='BUBBLEMAPS_API_KEY', help='Bubblemaps API key')
@click.option('--helius', envvar='HELIUS_API_KEY', help='Helius API key for Solana')
@click.option('--etherscan', envvar='ETHERSCAN_API_KEY', help='Etherscan API key for Ethereum/EVM')
@click.option('--blockchain-com', envvar='BLOCKCHAIN_COM_API_KEY', help='Blockchain.com API key (Bitcoin fallback)')
@click.option('--trace', '-t', is_flag=True, help='Trace transaction connections')
@click.option('--depth', '-d', default=2, help='Trace depth (default: 2)')
@click.option('--output', '-o', type=click.Path(), help='Output file path (JSON)')
@click.option('--format', '-f',
              type=click.Choice(['table', 'json', 'brief']),
              default='table', help='Output format')
@click.pass_context
def blockchain(ctx, address, chain, bubblemaps, helius, etherscan, blockchain_com, trace, depth, output, format):
    """
    Analyze cryptocurrency wallet for forensics.
    
    Supports Bitcoin, Ethereum, Solana, Zcash and EVM chains.
    
    \b
    Examples:
      shadowhunter blockchain 0x742d35Cc6634C0532925a3b844Bc9e7595f5d5E2
      shadowhunter blockchain SoLANA_ADDRESS --chain solana --helius KEY
      shadowhunter blockchain t1ADDRESS --chain zcash
      shadowhunter blockchain 0x... --trace --depth 3
      shadowhunter blockchain 0x... --bubblemaps KEY -o report.json
    """
    print_banner()
    
    # Parse chain
    chain_map = {
        'bitcoin': Chain.BITCOIN,
        'ethereum': Chain.ETHEREUM,
        'solana': Chain.SOLANA,
        'zcash': Chain.ZCASH,
        'bsc': Chain.BSC,
        'polygon': Chain.POLYGON,
        'auto': None,
    }
    selected_chain = chain_map.get(chain)
    
    # Auto-detect chain if needed
    if not selected_chain:
        detected = detect_chain(address)
        if detected:
            selected_chain = detected
            console.print(f"[dim]Auto-detected chain: {detected.value}[/dim]")
        else:
            console.print("[red]Could not detect blockchain for this address format.[/red]")
            console.print("[yellow]Please specify --chain explicitly.[/yellow]")
            return
    
    console.print(Panel.fit(
        f"[bold]Address:[/bold] {address}\n"
        f"[bold]Chain:[/bold] {selected_chain.value}\n"
        f"[bold]Bubblemaps:[/bold] {'Enabled' if bubblemaps else 'Disabled'}\n"
        f"[bold]Helius:[/bold] {'Enabled' if helius else 'Disabled'}\n"
        f"[bold]Trace:[/bold] {'Enabled (depth=' + str(depth) + ')' if trace else 'Disabled'}",
        title="🔗 Blockchain Forensics",
        border_style="magenta"
    ))
    
    async def run_analysis():
        config = get_config()
        engine = BlockchainForensicsEngine(
            bubblemaps_api_key=bubblemaps or config.blockchain.bubblemaps_api_key,
            helius_api_key=helius or config.blockchain.helius_api_key,
            etherscan_api_key=etherscan or config.blockchain.etherscan_api_key,
            blockchain_com_api_key=blockchain_com or config.blockchain.blockchain_com_api_key,
        )
        
        # Analyze the wallet
        profile = await engine.analyze_wallet(address, selected_chain)
        
        # Optional: trace transactions
        graph = None
        if trace and profile:
            console.print(f"\n[cyan]Tracing transactions (depth={depth})...[/cyan]")
            graph = await engine.trace_transactions(address, selected_chain, depth=depth)
        
        return profile, graph, engine.get_stats()
    
    try:
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console,
        ) as progress:
            task = progress.add_task(f"[magenta]Analyzing {address[:12]}...", total=None)
            profile, graph, stats = asyncio.run(run_analysis())
            progress.update(task, completed=True)
    except KeyboardInterrupt:
        console.print("\n[yellow]Analysis cancelled.[/yellow]")
        return
    except Exception as e:
        console.print(f"[red]Error: {e}[/red]")
        return
    
    if not profile:
        console.print("[red]Could not analyze wallet.[/red]")
        return
    
    console.print()
    
    # Display results
    if format == 'json':
        output_data = profile.to_dict()
        if graph:
            output_data["transaction_graph"] = {k: list(v) for k, v in graph.items()}
        console.print(Syntax(json.dumps(output_data, indent=2, default=str), "json", theme="monokai"))
    
    elif format == 'brief':
        console.print(f"[bold]Analysis Complete:[/bold] {address[:16]}...")
        console.print(f"  Chain: {profile.chain.value}")
        console.print(f"  Risk Level: {profile.risk_level.name}")
        console.print(f"  Risk Score: {profile.risk_score:.0f}/100")
        console.print(f"  Balance: {profile.balance}")
        console.print(f"  Transactions: {profile.transaction_count}")
        if profile.known_entity:
            console.print(f"  Known Entity: {profile.known_entity}")
        if profile.risk_factors:
            console.print(f"  Risk Factors: {', '.join(profile.risk_factors)}")
    
    else:  # table format
        # Risk color mapping
        risk_colors = {
            BlockchainRiskLevel.CRITICAL: "red",
            BlockchainRiskLevel.HIGH: "orange1",
            BlockchainRiskLevel.MEDIUM: "yellow",
            BlockchainRiskLevel.LOW: "green",
            BlockchainRiskLevel.UNKNOWN: "dim",
        }
        risk_color = risk_colors.get(profile.risk_level, "white")
        
        # Summary panel
        summary = (
            f"[bold]Chain:[/bold] {profile.chain.value}\n"
            f"[bold]Type:[/bold] {profile.wallet_type.value}\n"
            f"[bold]Risk:[/bold] [{risk_color}]{profile.risk_level.name} ({profile.risk_score:.0f}/100)[/{risk_color}]\n"
            f"[bold]Balance:[/bold] {profile.balance}\n"
            f"[bold]Transactions:[/bold] {profile.transaction_count}\n"
            f"[bold]Tokens:[/bold] {len(profile.token_balances)}\n"
            f"[bold]NFTs:[/bold] {profile.nft_count}"
        )
        
        if profile.known_entity:
            summary += f"\n[bold]Known Entity:[/bold] {profile.known_entity}"
        
        if profile.labels:
            summary += f"\n[bold]Labels:[/bold] {', '.join(profile.labels)}"
        
        console.print(Panel(summary, title=f"🔍 Wallet Profile", border_style="green"))
        
        # Risk factors
        if profile.risk_factors:
            console.print("\n[bold yellow]Risk Factors:[/bold yellow]")
            for factor in profile.risk_factors:
                console.print(f"  [yellow]•[/yellow] {factor.replace('_', ' ').title()}")
        
        # Token balances
        if profile.token_balances:
            console.print("\n[bold]Token Holdings:[/bold]")
            tokens_table = Table(show_header=True, header_style="bold cyan")
            tokens_table.add_column("Token")
            tokens_table.add_column("Balance", justify="right")
            
            for symbol, balance in list(profile.token_balances.items())[:10]:
                tokens_table.add_row(symbol, f"{balance:.4f}")
            
            console.print(tokens_table)
            
            if len(profile.token_balances) > 10:
                console.print(f"[dim]...and {len(profile.token_balances) - 10} more tokens[/dim]")
        
        # Recent transactions
        if profile.recent_transactions:
            console.print("\n[bold]Recent Transactions:[/bold]")
            tx_table = Table(show_header=True, header_style="bold cyan")
            tx_table.add_column("Hash", style="dim")
            tx_table.add_column("From")
            tx_table.add_column("To")
            tx_table.add_column("Value", justify="right")
            tx_table.add_column("Time")
            
            for tx in profile.recent_transactions[:5]:
                tx_table.add_row(
                    tx.tx_hash[:12] + "...",
                    tx.from_address[:12] + "...",
                    tx.to_address[:12] + "..." if tx.to_address else "-",
                    f"{tx.value:.4f}",
                    tx.timestamp.strftime("%Y-%m-%d %H:%M") if tx.timestamp else "-"
                )
            
            console.print(tx_table)
        
        # Transaction graph
        if graph:
            console.print(f"\n[bold]Transaction Graph:[/bold] {len(graph)} addresses traced")
            for addr, connections in list(graph.items())[:5]:
                console.print(f"  {addr[:16]}... → {len(connections)} connections")
        
        # Explorer link
        if profile.explorer_url:
            console.print(f"\n[dim]Explorer: {profile.explorer_url}[/dim]")
    
    # Save output
    if output:
        output_data = profile.to_dict()
        if graph:
            output_data["transaction_graph"] = {k: list(v) for k, v in graph.items()}
        output_data["analysis_stats"] = stats
        
        with open(output, 'w') as f:
            json.dump(output_data, f, indent=2, default=str)
        print_status(f"Results saved to {output}", "success")
    
    # Final status
    if profile.is_high_risk:
        console.print(f"\n[bold red]⚠ HIGH RISK WALLET DETECTED[/bold red]")
        if profile.wallet_type == WalletType.RANSOMWARE:
            console.print("[red]This address is associated with ransomware activity![/red]")
        if profile.wallet_type == WalletType.MIXER:
            console.print("[orange1]This address is a known mixer/tumbler.[/orange1]")
    else:
        print_status(
            f"Analysis complete: Risk {profile.risk_level.name} ({profile.risk_score:.0f}/100)",
            "success"
        )


# ============================================================================
# VERIFY COMMAND - AI Content Integrity
# ============================================================================

@cli.command()
@click.argument('input_source', type=str)
@click.option('--type', '-t', 'content_type',
              type=click.Choice(['text', 'credential_dump', 'forum_post', 'paste', 'auto']),
              default='auto', help='Content type to verify')
@click.option('--author', '-a', help='Content author (for forum posts)')
@click.option('--source-url', '-u', help='Source URL of content')
@click.option('--output', '-o', type=click.Path(), help='Output file path (JSON)')
@click.option('--format', '-f',
              type=click.Choice(['table', 'json', 'brief']),
              default='table', help='Output format')
@click.pass_context
def verify(ctx, input_source, content_type, author, source_url, output, format):
    """
    Verify content authenticity using AI detection.
    
    Detect AI-generated text, fake credential dumps, honeypots,
    and disinformation in dark web content.
    
    INPUT_SOURCE can be:
    - Direct text content (in quotes)
    - A file path containing content
    - "-" to read from stdin
    
    \b
    Detection Capabilities:
      • AI-generated text patterns
      • Fake/honeypot credential dumps
      • Scam forum posts
      • Recycled/repackaged data
      • Bot-generated content
    
    \b
    Examples:
      shadowhunter verify "suspicious text content here"
      shadowhunter verify paste.txt --type paste
      shadowhunter verify dump.json --type credential_dump
      echo "content" | shadowhunter verify -
    """
    print_banner()
    
    # Get content from input source
    if input_source == "-":
        content = sys.stdin.read()
    elif Path(input_source).is_file():
        with open(input_source, 'r', encoding='utf-8', errors='ignore') as f:
            content = f.read()
    else:
        content = input_source
    
    if not content.strip():
        console.print("[red]No content provided.[/red]")
        return
    
    console.print(Panel.fit(
        f"[bold]Content Verification[/bold]\n"
        f"Input: {input_source[:50] if len(input_source) < 50 else input_source[:47] + '...'}\n"
        f"Type: {content_type.upper()}\n"
        f"Length: {len(content)} chars",
        title="🔍 Vanguard Verify",
        border_style="purple"
    ))
    
    verifier = VanguardVerify()
    
    # Determine content type and verify
    with Progress(
        SpinnerColumn(),
        TextColumn("[progress.description]{task.description}"),
        console=console
    ) as progress:
        task = progress.add_task("[purple]Analyzing content...", total=None)
        
        if content_type == 'credential_dump' or (content_type == 'auto' and content.startswith('[')):
            # Try to parse as JSON credential dump
            try:
                credentials = json.loads(content)
                if isinstance(credentials, list):
                    result = verifier.verify_credential_dump(
                        credentials,
                        source_name=source_url or "Unknown"
                    )
                else:
                    result = verifier.verify_text(content, ContentType.TEXT, source_url)
            except json.JSONDecodeError:
                result = verifier.verify_text(content, ContentType.TEXT, source_url)
        elif content_type == 'forum_post':
            result = verifier.verify_forum_post(content, author=author)
        else:
            result = verifier.verify_text(content, ContentType.TEXT, source_url)
        
        progress.update(task, completed=True)
    
    console.print()
    
    # Display results
    if format == 'json':
        console.print(Syntax(json.dumps(result.to_dict(), indent=2, default=str), "json", theme="monokai"))
    
    elif format == 'brief':
        console.print(f"[bold]Verification Complete[/bold]")
        console.print(f"  Authenticity: {result.authenticity.value}")
        console.print(f"  Confidence: {result.confidence_score:.1%}")
        console.print(f"  Risk Level: {result.get_risk_level()}")
        console.print(f"  Trustworthy: {'Yes' if result.is_trustworthy() else 'No'}")
    
    else:  # table format
        # Risk color mapping
        auth_colors = {
            AuthenticityLevel.VERIFIED: "green",
            AuthenticityLevel.LIKELY_AUTHENTIC: "green",
            AuthenticityLevel.UNCERTAIN: "yellow",
            AuthenticityLevel.SUSPICIOUS: "orange1",
            AuthenticityLevel.LIKELY_SYNTHETIC: "red",
            AuthenticityLevel.CONFIRMED_FAKE: "red",
        }
        auth_color = auth_colors.get(result.authenticity, "white")
        
        summary = (
            f"[bold]Authenticity:[/bold] [{auth_color}]{result.authenticity.value.replace('_', ' ').title()}[/{auth_color}]\n"
            f"[bold]Confidence:[/bold] {result.confidence_score:.1%}\n"
            f"[bold]Risk Level:[/bold] {result.get_risk_level()}\n"
            f"[bold]Trustworthy:[/bold] {'[green]Yes[/green]' if result.is_trustworthy() else '[red]No[/red]'}"
        )
        
        if result.indicators:
            summary += f"\n[bold]Indicators:[/bold] {', '.join(i.value for i in result.indicators)}"
        
        console.print(Panel(summary, title="📋 Verification Result", border_style=auth_color))
        
        # Analysis details
        if result.analysis_details:
            details_table = Table(title="Analysis Details", show_header=True, header_style="bold cyan")
            details_table.add_column("Metric", style="dim")
            details_table.add_column("Value")
            
            for key, value in result.analysis_details.items():
                if isinstance(value, float):
                    value = f"{value:.3f}"
                elif isinstance(value, dict):
                    value = json.dumps(value)
                details_table.add_row(key.replace("_", " ").title(), str(value)[:50])
            
            console.print(details_table)
        
        # Recommendations
        if result.recommendations:
            console.print("\n[bold yellow]Recommendations:[/bold yellow]")
            for rec in result.recommendations:
                console.print(f"  [yellow]•[/yellow] {rec}")
    
    # Save output
    if output:
        with open(output, 'w') as f:
            json.dump(result.to_dict(), f, indent=2, default=str)
        print_status(f"Results saved to {output}", "success")
    
    # Alert on suspicious content
    if not result.is_trustworthy():
        console.print(f"\n[bold red]⚠ CONTENT FLAGGED AS SUSPICIOUS[/bold red]")
        if ThreatIndicator.HONEYPOT in result.indicators:
            console.print("[red]WARNING: Possible honeypot detected![/red]")
        if ThreatIndicator.SCAM in result.indicators:
            console.print("[red]WARNING: Scam indicators detected![/red]")


# ============================================================================
# SCHEDULE COMMAND - Site Monitoring
# ============================================================================

@cli.command()
@click.option('--add', '-a', 'add_url', help='Add a site to monitoring')
@click.option('--name', '-n', help='Site name (for --add)')
@click.option('--category', '-c', default='unknown', help='Site category (for --add)')
@click.option('--keywords', '-k', multiple=True, help='Keywords to monitor (for --add)')
@click.option('--interval', '-i', default=3600, type=int, help='Check interval in seconds')
@click.option('--list', 'list_sites', is_flag=True, help='List monitored sites')
@click.option('--stats', is_flag=True, help='Show monitoring statistics')
@click.option('--changes', type=int, default=0, help='Show recent changes (hours)')
@click.option('--db', 'db_path', default='shadowhunter_scheduler.db', help='Database path')
@click.pass_context
def schedule(ctx, add_url, name, category, keywords, interval, list_sites, stats, changes, db_path):
    """
    Manage scheduled .onion site monitoring.
    
    Add sites to monitoring, view status, and check for changes.
    Requires Tor connection for actual monitoring.
    
    \b
    Examples:
      shadowhunter schedule --add http://example.onion --name "Example" -k breach -k leak
      shadowhunter schedule --list
      shadowhunter schedule --stats
      shadowhunter schedule --changes 24
    """
    print_banner()
    
    db = SchedulerDatabase(db_path)
    
    if add_url:
        if not name:
            console.print("[red]Please provide --name for the site.[/red]")
            return
        
        site_id = db.add_site(
            url=add_url,
            name=name,
            category=category,
            keywords=list(keywords),
            check_interval=interval
        )
        
        if site_id:
            print_status(f"Added site: {name} (ID: {site_id})", "success")
            console.print(f"  URL: {add_url}")
            console.print(f"  Interval: {interval}s")
            if keywords:
                console.print(f"  Keywords: {', '.join(keywords)}")
        else:
            console.print("[yellow]Site already exists in monitoring.[/yellow]")
        return
    
    if list_sites:
        sites = db.get_active_sites()
        
        if not sites:
            console.print("[yellow]No sites configured for monitoring.[/yellow]")
            console.print("\nAdd a site with: [cyan]shadowhunter schedule --add URL --name NAME[/cyan]")
            return
        
        table = Table(title=f"Monitored Sites ({len(sites)})", show_header=True, header_style="bold cyan")
        table.add_column("ID", style="dim")
        table.add_column("Name")
        table.add_column("Category")
        table.add_column("Interval")
        table.add_column("Status")
        table.add_column("Last Check")
        
        for site in sites:
            status_color = {
                MonitorStatus.ONLINE: "green",
                MonitorStatus.OFFLINE: "red",
                MonitorStatus.CHANGED: "yellow",
                MonitorStatus.ERROR: "red",
                MonitorStatus.TIMEOUT: "orange1",
            }.get(site.last_status, "dim")
            
            last_checked = site.last_checked.strftime("%Y-%m-%d %H:%M") if site.last_checked else "Never"
            
            table.add_row(
                str(site.id),
                site.name[:25],
                site.category,
                f"{site.check_interval}s",
                f"[{status_color}]{site.last_status.value}[/{status_color}]",
                last_checked
            )
        
        console.print(table)
        return
    
    if stats:
        statistics = db.get_statistics()
        
        table = Table(title="Monitoring Statistics", show_header=True, header_style="bold green")
        table.add_column("Metric", style="dim")
        table.add_column("Value")
        
        table.add_row("Total Sites", str(statistics['total_sites']))
        table.add_row("Active Sites", str(statistics['active_sites']))
        table.add_row("[green]Online Sites[/green]", str(statistics['online_sites']))
        table.add_row("Checks (24h)", str(statistics['checks_24h']))
        table.add_row("[yellow]Changes (24h)[/yellow]", str(statistics['changes_24h']))
        table.add_row("Keyword Matches (24h)", str(statistics['keyword_matches_24h']))
        
        console.print(table)
        return
    
    if changes > 0:
        recent_changes = db.get_recent_changes(hours=changes)
        
        if not recent_changes:
            console.print(f"[dim]No changes detected in the last {changes} hours.[/dim]")
            return
        
        table = Table(title=f"Recent Changes ({len(recent_changes)})", show_header=True, header_style="bold yellow")
        table.add_column("Time", style="dim")
        table.add_column("Site")
        table.add_column("Type")
        table.add_column("Severity")
        table.add_column("Description")
        
        for change in recent_changes[:20]:
            sev_color = {
                "CRITICAL": "red",
                "HIGH": "orange1",
                "MEDIUM": "yellow",
                "LOW": "blue",
            }.get(change.severity, "white")
            
            table.add_row(
                change.timestamp.strftime("%m-%d %H:%M"),
                change.site_name[:20],
                change.change_type.value,
                f"[{sev_color}]{change.severity}[/{sev_color}]",
                change.description[:40]
            )
        
        console.print(table)
        return
    
    # Default: show help
    console.print("[bold]Scheduler Commands:[/bold]")
    console.print("  --add URL --name NAME    Add site to monitoring")
    console.print("  --list                   List monitored sites")
    console.print("  --stats                  Show statistics")
    console.print("  --changes 24             Show changes from last 24h")


# ============================================================================
# ALERTS COMMAND - Multi-Channel Alerting
# ============================================================================

@cli.command()
@click.option('--test', is_flag=True, help='Send test alert')
@click.option('--stats', is_flag=True, help='Show alerting statistics')
@click.option('--telegram-token', envvar='TELEGRAM_BOT_TOKEN', help='Telegram bot token')
@click.option('--telegram-chat', multiple=True, help='Telegram chat IDs')
@click.option('--discord-webhook', multiple=True, help='Discord webhook URLs')
@click.option('--slack-webhook', envvar='SLACK_WEBHOOK_URL', help='Slack webhook URL')
@click.option('--priority', '-p',
              type=click.Choice(['critical', 'high', 'medium', 'low', 'info']),
              default='high', help='Alert priority for test')
@click.pass_context
def alerts(ctx, test, stats, telegram_token, telegram_chat, discord_webhook, slack_webhook, priority):
    """
    Configure and test multi-channel alerting.
    
    Supports Email, Telegram, Discord, Slack, and custom webhooks.
    
    \b
    Examples:
      shadowhunter alerts --test
      shadowhunter alerts --test --telegram-token TOKEN --telegram-chat 123456
      shadowhunter alerts --test --discord-webhook URL
      shadowhunter alerts --stats
    """
    print_banner()
    
    # Create alert manager
    manager = create_alert_manager(
        telegram_token=telegram_token,
        telegram_chat_ids=list(telegram_chat) if telegram_chat else None,
        discord_webhooks=list(discord_webhook) if discord_webhook else None,
        slack_webhook=slack_webhook,
    )
    
    if stats:
        statistics = manager.get_statistics()
        
        table = Table(title="Alerting Statistics", show_header=True, header_style="bold green")
        table.add_column("Metric", style="dim")
        table.add_column("Value")
        
        table.add_row("Alerts This Hour", str(statistics['alerts_this_hour']))
        table.add_row("Alerts Today", str(statistics['alerts_today']))
        table.add_row("Hourly Limit", str(statistics['hourly_limit']))
        table.add_row("Daily Limit", str(statistics['daily_limit']))
        table.add_row("Registered Channels", ", ".join(statistics['registered_channels']))
        table.add_row("Configured Channels", ", ".join(statistics['configured_channels']))
        table.add_row("Total Deliveries", str(statistics['total_deliveries']))
        
        console.print(table)
        return
    
    if test:
        console.print(Panel.fit(
            f"[bold]Test Alert[/bold]\n"
            f"Priority: {priority.upper()}\n"
            f"Telegram: {'✓' if telegram_token else '✗'}\n"
            f"Discord: {'✓' if discord_webhook else '✗'}\n"
            f"Slack: {'✓' if slack_webhook else '✗'}",
            title="📢 Alert Configuration",
            border_style="yellow"
        ))
        
        # Create test alert
        priority_map = {
            'critical': AlertPriority.CRITICAL,
            'high': AlertPriority.HIGH,
            'medium': AlertPriority.MEDIUM,
            'low': AlertPriority.LOW,
            'info': AlertPriority.INFO,
        }
        
        test_alert = Alert(
            id=f"test_{datetime.now().strftime('%Y%m%d%H%M%S')}",
            title="ShadowHunter Test Alert",
            message="This is a test alert from ShadowHunter to verify your alerting configuration is working correctly.",
            priority=priority_map[priority],
            source="CLI",
            category="test",
            affected_domains=["example.com"],
            actions=[
                "Verify alert received on all configured channels",
                "Check alert formatting and content",
                "Confirm notification delivery"
            ],
            tags=["test", "verification"]
        )
        
        async def send_test():
            results = await manager.send_alert(test_alert, force=True)
            return results
        
        with Progress(
            SpinnerColumn(),
            TextColumn("[progress.description]{task.description}"),
            console=console
        ) as progress:
            task = progress.add_task("[yellow]Sending test alert...", total=None)
            results = asyncio.run(send_test())
            progress.update(task, completed=True)
        
        console.print()
        
        if results:
            table = Table(title="Delivery Results", show_header=True, header_style="bold cyan")
            table.add_column("Channel")
            table.add_column("Status")
            table.add_column("Attempts")
            table.add_column("Error")
            
            for channel, record in results.items():
                status_color = "green" if record.status.value == "delivered" else "red"
                table.add_row(
                    channel.value.upper(),
                    f"[{status_color}]{record.status.value}[/{status_color}]",
                    str(record.attempt),
                    record.error[:30] if record.error else "-"
                )
            
            console.print(table)
        else:
            console.print("[yellow]No channels configured or all deliveries suppressed.[/yellow]")
        
        return
    
    # Default: show configuration help
    console.print("[bold]Alert Configuration:[/bold]")
    console.print("\n[cyan]Environment Variables:[/cyan]")
    console.print("  TELEGRAM_BOT_TOKEN    Telegram bot token")
    console.print("  SLACK_WEBHOOK_URL     Slack incoming webhook URL")
    console.print("\n[cyan]Commands:[/cyan]")
    console.print("  --test                Send test alert to console")
    console.print("  --test --telegram-token TOKEN --telegram-chat ID")
    console.print("  --test --discord-webhook URL")
    console.print("  --stats               Show alerting statistics")


# ============================================================================
# INFO COMMAND
# ============================================================================

@cli.command()
@click.pass_context
def info(ctx):
    """
    Display system information and module status.
    """
    print_banner()
    
    # System info table
    table = Table(title="System Information", show_header=True, header_style="bold blue")
    table.add_column("Module", style="dim")
    table.add_column("Status")
    table.add_column("Description")
    
    modules = [
        ("Core Monitor", "✓ Ready", "Credential and threat monitoring"),
        ("Stealer Log Parser", "✓ Ready", "Parse RedLine, Vidar, Lumma logs"),
        ("IOC Enrichment", "✓ Ready", "IOC extraction + VT/Shodan/AbuseIPDB"),
        ("Session Validator", "✓ Ready", "Validate Google/Microsoft sessions"),
        ("Data Leak Monitor", "✓ Ready", "GitHub/paste site secret scanning"),
        ("Attack Surface", "✓ Ready", "Subdomain & port discovery, fingerprinting"),
        ("Blockchain Forensics", "✓ Ready", "Multi-chain wallet analysis & tracing"),
        ("Vanguard Verify", "✓ Ready", "AI content integrity & honeypot detection"),
        ("Site Scheduler", "✓ Ready", "Dark web site monitoring & change detection"),
        ("Multi-Channel Alerts", "✓ Ready", "Telegram, Discord, Slack, webhooks"),
        ("Dorking Engine", "✓ Ready", "Google dorking reconnaissance"),
        ("Web Crawler", "✓ Ready", "Web crawling & onion link mapping"),
        ("OSINT Engine", "✓ Ready", "Email, phone, username, domain lookup"),
        ("Telegram Monitor", "○ Config Required", "Telegram channel monitoring"),
        ("Tor Scanner", "○ Config Required", "Dark web scanning"),
        ("Neo4j Graph", "○ Config Required", "Threat intelligence graph"),
        ("API Server", "✓ Ready", "REST API backend"),
    ]
    
    for name, status, desc in modules:
        status_styled = f"[green]{status}[/green]" if "Ready" in status else f"[yellow]{status}[/yellow]"
        table.add_row(name, status_styled, desc)
    
    console.print(table)
    
    console.print("\n[bold]Quick Start:[/bold]")
    console.print("  [cyan]shadowhunter scan --domain example.com[/cyan]")
    console.print("  [cyan]shadowhunter parse ./stealer_logs/[/cyan]")
    console.print("  [cyan]shadowhunter validate parsed.json --allowed yourcompany.com[/cyan]")
    console.print("  [cyan]shadowhunter leaks -k mycompany --github-token TOKEN[/cyan]")
    console.print("  [cyan]shadowhunter surface example.com --deep[/cyan]")
    console.print("  [cyan]shadowhunter blockchain 0x... --helius KEY[/cyan]")
    console.print("  [cyan]shadowhunter enrich 1.2.3.4 --virustotal KEY[/cyan]")
    console.print("  [cyan]shadowhunter verify \"suspicious content\"[/cyan]")
    console.print("  [cyan]shadowhunter schedule --add http://site.onion --name Site[/cyan]")
    console.print("  [cyan]shadowhunter alerts --test --telegram-token TOKEN[/cyan]")
    console.print("  [cyan]shadowhunter dork target.com[/cyan]")
    console.print("  [cyan]shadowhunter osint email test@example.com[/cyan]")
    console.print("  [cyan]shadowhunter api[/cyan]")


# ============================================================================
# ENTRY POINT
# ============================================================================

def main():
    """Main entry point."""
    cli(obj={})


if __name__ == "__main__":
    main()