3.0.0 - 2026-03-23

[samugit83]

Added

• Custom Nuclei Templates Integration — custom nuclei templates (mcp/nuclei-templates/) are now manageable via the UI with per-project selection, dynamically discovered by the agent, and included in automated recon scans:

  • Template Upload UI: upload, view, and delete custom .yaml/.yml nuclei templates directly from Project Settings → Nuclei → Template Options. Templates are global (shared across all projects). Upload validates nuclei template format (requires id: and info: with name: and severity:). API: GET/POST/DELETE /api/nuclei-templates
  • Per-project template selection: each template has a checkbox — only checked templates are included in that project's automated scans. Stored as nucleiSelectedCustomTemplates String[] per project (default: []). Different projects can enable different templates from the same global pool
  • Agent discovery: at startup, the nuclei MCP server scans /opt/nuclei-templates/ and dynamically appends all template paths (id, severity, name) to the execute_nuclei tool description, so the agent automatically knows what custom templates are available
  • Recon pipeline: selected templates are individually passed as -t /custom-templates/{path} flags to nuclei. Recon logs list each selected template by name
  • Spring Boot Actuator templates (community PR feat: add Spring Boot Actuator advanced detection with WAF bypasses #69): 7 detection templates with 200+ WAF bypass paths for /actuator, /heapdump, /env, /jolokia, /gateway endpoints — URL encoding, semicolon injection, path traversal, and alternate base path evasion techniques

• SSL Verify Toggle for OpenAI-compatible LLM Providers (community PR feat: add SSL verify toggle for OpenAI-compatible LLM providers #70) — sslVerify boolean (default: true) lets users skip SSL certificate verification when connecting to internal/self-hosted LLM endpoints with self-signed certificates. Full stack: Prisma schema, API route, frontend checkbox, agent httpx.Client(verify=False) injection.

• Dockerfile DEBIAN_FRONTEND=noninteractive (community PR fix: prevent interactive prompts during package installation #63) — added to agentic, recon_orchestrator, and guinea_pigs Dockerfiles to suppress interactive apt-get prompts during builds.

• ParamSpider Passive Parameter Discovery — mines the Wayback Machine CDX API for historically-documented URLs containing query parameters. Only returns parameterized URLs (with ?key=value), with values replaced by a configurable placeholder (default FUZZ), making results directly usable for fuzzing. Runs in Phase 4 (Resource Enumeration) in parallel with Katana, Hakrawler, and GAU. Passive — no traffic to target. No API keys required. Disabled by default; stealth mode auto-enables it. Full stack integration:

  • Backend: paramspider_helpers.py with run_paramspider_discovery() (subprocess per domain, stdout + file output parsing, scope filtering, temp dir cleanup) and merge_paramspider_into_by_base_url() (sources array merge, parameter enrichment, deduplication)
  • Settings: 3 user-configurable PARAMSPIDER_* settings (enabled, placeholder, timeout)
  • Frontend: ParamSpiderSection.tsx with enable toggle, placeholder input, timeout setting
  • Stealth mode: auto-enabled (passive tool, queries Wayback Machine only)
  • Tests: 22 unit tests covering merge logic, subprocess mocking, scope filtering, method merging, legacy field migration, settings, stealth overrides

• Arjun Parameter Discovery — discovers hidden HTTP query and body parameters on endpoints by testing ~25,000 common parameter names. Runs in Phase 4 (Resource Enumeration) after FFuf, testing discovered endpoints from crawlers/fuzzers rather than just base URLs. Disabled by default; stealth mode forces passive-only; RoE caps rate. Full stack integration:

  • Backend: arjun_helpers.py with multi-method parallel execution via ThreadPoolExecutor — each selected method (GET/POST/JSON/XML) runs as a separate Arjun subprocess simultaneously
  • Discovered endpoint feeding: collects full endpoint URLs from Katana + Hakrawler + jsluice + FFuf results, prioritizes API and dynamic endpoints, caps to configurable max (default 50)
  • Settings: 12 user-configurable ARJUN_* settings (methods, max endpoints, threads, timeout, chunk size, rate limit, stable mode, passive mode, disable redirects, custom headers)
  • Frontend: ArjunSection.tsx with multi-select method checkboxes, max endpoints field, scan parameters, stable/passive/redirect toggles, custom headers textarea
  • Stealth mode: forces ARJUN_PASSIVE=True (CommonCrawl/OTX/WaybackMachine only, no active requests to target)
  • Tests: 29 unit tests covering merge logic, multi-method parallel execution, scope filtering, command building, settings consistency, stealth/RoE overrides

• FFuf Directory Fuzzer — brute-force directory/endpoint discovery using wordlists, complementing crawlers (Katana, Hakrawler, GAU) by finding hidden content (admin panels, backup files, configs, undocumented APIs). Runs in Phase 4 (Resource Enumeration) after jsluice and before Kiterunner. Disabled by default; stealth mode disables it; RoE caps rate. Full stack integration:

  • Backend: ffuf_helpers.py with run_ffuf_discovery(), JSON output parsing, scope filtering, deduplication, and smart fuzzing under crawler-discovered base paths
  • Dockerfile: multi-stage Go 1.22 build compiles FFuf from source, installs 3 SecLists wordlists (common.txt, raft-medium-directories.txt, directory-list-2.3-small.txt)
  • Settings: 16 user-configurable FFUF_* settings (threads, rate, timeout, wordlist, match/filter codes, extensions, recursion, auto-calibrate, smart fuzz, custom headers)
  • Frontend: FfufSection.tsx with full settings UI, wordlist dropdown (built-in SecLists + custom uploads), custom wordlist upload/delete via API
  • Custom wordlists: upload .txt wordlists per-project via /api/projects/[id]/wordlists (GET/POST/DELETE), shared between webapp and recon containers via Docker volume mount
  • Validation: frontend form validation for FFuf status codes (100-599), header format, numeric ranges, extensions format, recursion depth (1-5)
  • Tests: 43 unit tests covering helpers, settings, stealth/RoE overrides, sanitization, and CRUD operations

• RedAmon Terminal — interactive PTY shell access to the kali-sandbox container directly from the graph page via xterm.js. Provides full Kali Linux terminal with all pre-installed pentesting tools (Metasploit, Nmap, Nuclei, Hydra, sqlmap, etc.) without leaving the browser. Architecture: Browser (xterm.js) → WebSocket → Agent FastAPI proxy (/ws/kali-terminal) → kali-sandbox terminal server (PTY /bin/bash on port 8016):

  • Terminal server: terminal_server.py — WebSocket PTY server using os.fork + pty module with async I/O via loop.add_reader(), connection limits (max 5 sessions), resize validation (clamped 1-500), process group cleanup, and asyncio.Event for clean shutdown
  • Agent proxy: /ws/kali-terminal WebSocket endpoint in api.py — bidirectional relay with proper task cancellation (asyncio.gather with return_exceptions)
  • Frontend: KaliTerminal.tsx — React component with dark Ayu theme, connection status indicator, auto-reconnect with exponential backoff (5 attempts), fullscreen toggle, browser-side keepalive ping (30s), proper xterm.js teardown, ARIA accessibility attributes
  • Docker: port 8016 bound to localhost only (127.0.0.1:8016:8016), TERMINAL_WS_PORT and KALI_TERMINAL_WS_URL env vars
  • Tests: 18 Python + TypeScript unit tests covering resize clamping, connection limits, URL derivation, reconnect logic

• "Remote Shells" renamed to "Reverse Shell" — tab renamed for clarity to distinguish from the new RedAmon Terminal tab. The Reverse Shell tab manages agent-opened sessions (meterpreter, netcat, etc.), while RedAmon Terminal provides direct interactive sandbox access.

• Hakrawler Integration — DOM-aware web crawler running as Docker container (jauderho/hakrawler). Runs in parallel with Katana, GAU, and Kiterunner during resource enumeration. Configurable depth, threads, subdomain inclusion, and scope filtering. Disabled automatically in stealth mode.

• jsluice JavaScript Analysis — Passive JS analysis tool for extracting URLs, API endpoints, and embedded secrets (AWS keys, GitHub tokens, GCP credentials, etc.) from discovered JavaScript files. Runs sequentially after the parallel crawling phase.

• Secret Node in Neo4j — Generic Secret node type linked to BaseURL via [:HAS_SECRET]. Source-agnostic design supports jsluice now and future secret discovery tools. Includes deduplication, severity classification, and redacted samples.

• Hakrawler enabled by default — New projects have Hakrawler and Include Subdomains enabled by default.

• Tool Confirmation Gate — per-tool human-in-the-loop safety gate that pauses the agent before executing dangerous tools (execute_nmap, execute_naabu, execute_nuclei, execute_curl, metasploit_console, msf_restart, kali_shell, execute_code, execute_hydra). Full multi-layer integration:

  • Backend: DANGEROUS_TOOLS frozenset in project_settings.py, ToolConfirmationRequest Pydantic model in state.py, two new LangGraph nodes (await_tool_confirmation, process_tool_confirmation) in tool_confirmation_nodes.py
  • Orchestrator: think node detects dangerous tools in both single-tool and plan-wave decisions, sets awaiting_tool_confirmation and tool_confirmation_pending state, graph pauses at await_tool_confirmation (END) and resumes via process_tool_confirmation routing to execute_tool/execute_plan (approve), think (reject), or patching tool_args (modify)
  • WebSocket: tool_confirmation (client→server) and tool_confirmation_request (server→client) message types, ToolConfirmationMessage model, handle_tool_confirmation() handler with streaming resumption
  • Frontend: inline Allow / Deny buttons on ToolExecutionCard (single mode) and PlanWaveCard (plan mode) with pending_approval status, awaitingToolConfirmation state disables chat input, warning badge in chat header when disabled
  • Settings: REQUIRE_TOOL_CONFIRMATION (default: true) toggle in Project Settings → Agent Behaviour → Approval Gates, with autonomous operation risk warning when disabled
  • Conversation restore: tool confirmation requests and responses persisted to DB, correctly restored on conversation reload with Allow/Deny buttons re-activated if no subsequent agent work occurred
  • Prisma schema: agentRequireToolConfirmation Boolean field (default: true)

• Hard Guardrail — deterministic, non-disableable domain blocklist for government, military, educational, and international organization domains. Cannot be toggled off regardless of project settings. Implemented identically in Python (agentic/hard_guardrail.py) and TypeScript (webapp/src/lib/hard-guardrail.ts):

  • Blocks TLD suffix patterns: .gov, .mil, .edu, .int, and country-code variants (.gov.uk, .ac.jp, .gob.mx, .gouv.fr, etc.)
  • Blocks 300+ exact intergovernmental organization domains on generic TLDs (UN system, EU institutions, development banks, arms control bodies, international courts, etc.)
  • Subdomain matching: blocks all subdomains of exact-blocked domains
  • Provides defense-in-depth alongside the soft LLM-based guardrail

• Zero-config setup — .env file completely removed — all user-configurable settings (NVD API key, ngrok auth token, chisel server URL/auth) are now managed from the Global Settings UI page and stored in PostgreSQL. No .env or .env.example file is needed.

  • Global Settings → API Keys: NVD, Vulners, and URLScan API keys added alongside Tavily, Shodan, SerpAPI (all user-scoped)
  • Global Settings → Tunneling: new section for ngrok and chisel tunnel configuration with live push to kali-sandbox (no container restart needed)
  • Tunnel Manager API: lightweight HTTP server on port 8015 inside kali-sandbox that receives tunnel config pushes from the webapp and manages ngrok/chisel processes
  • Boot-time config fetch: kali-sandbox fetches tunnel credentials from webapp DB on startup
  • Bug fix: NVD API key was never actually passed to CVE lookup function — now correctly wired through

• Availability Testing Attack Skill — new built-in attack skill for disrupting service availability. Includes LLM prompt templates for DoS vector selection, resource exhaustion, flooding, and crash exploits. Full integration across the stack:

  • Backend: denial_of_service_prompts.py with DoS-specific workflow guidance, vector classification, and impact assessment prompts
  • Orchestrator: DoS attack path type (denial_of_service) integrated into classification, phase transitions, and tool registry
  • Database: Prisma schema updated with DoS configuration fields and project-level toggle
  • Frontend: DosSection.tsx configuration component in the project form for enabling/disabling and tuning DoS parameters
  • API: agent skills endpoint updated to expose DoS as a built-in skill

• Expanded Finding Types — 8 new goal/outcome finding_type values for ChainFinding nodes, covering real-world pentesting outcomes beyond the original 10 types:

  • data_exfiltration — data successfully stolen/exfiltrated
  • lateral_movement — pivot to another system in the network
  • persistence_established — backdoor, cron job, or persistent access installed
  • denial_of_service_success — service confirmed down after DoS attack
  • social_engineering_success — phishing or social engineering succeeded
  • remote_code_execution — arbitrary code execution achieved
  • session_hijacked — existing user session taken over
  • information_disclosure — sensitive info leaked (source code, API keys, error messages)
  • LLM prompts updated to guide the agent in emitting the correct goal type
  • Analytics and report queries expanded to include all goal types

• Goal Finding Visualization — ChainFinding diamond nodes on the attack surface graph now visually distinguish goal/outcome findings from informational ones:

  • Active chain: goal diamonds are bright green (#4ade80), non-goal diamonds remain amber
  • Inactive chain: goal diamonds are dark green (#276d43), non-goal diamonds are dark yellow (#3d3107), other chain nodes remain dark grey
  • Inactive chain edges and particles darkened for better contrast
  • Active chain particles brighter (#9ca3af) for clear visual distinction
  • Applied consistently to both 2D and 3D graph renderers

• Inline Model Picker — the model badge in the AI assistant drawer is now clickable, opening a searchable modal to switch LLM model on the fly. Models are grouped by provider with context-length badges and descriptions. Includes a manual-input fallback when the models API is unreachable. Shared model utilities (ModelOption type, formatContextLength, getDisplayName) extracted into modelUtils.ts and reused across the drawer and project form.

• Animated Loading Indicator — replaced static "Processing..." text in the AI assistant chat with a dynamic loading experience:

  • RedAmon eye logo with randomized heartbeat animation (2–6s random intervals)
  • Color-shifting pupil cycling through 13 bright colors (yellow, cyan, orange, purple, green, pink, etc.)
  • 60 rotating hacker-themed phrases displayed in random order every 5 seconds with fade-in animation (e.g., "Unmasking the hidden...", "Piercing the veil...", "Becoming root...")

• URLScan.io OSINT Integration — new passive enrichment module that queries URLScan.io's Search API to discover subdomains, IPs, TLS metadata, server technologies, domain age, and screenshots from historical scans. Runs in the recon pipeline after domain discovery, before port scanning. Full integration across the stack:

  • New module: recon/urlscan_enrich.py — fetches historical scan data from URLScan.io for each discovered domain. Works without API key (public results) or with API key (higher rate limits and access to private scans)
  • Passive OSINT data: discovers in-scope subdomains, IP addresses, URL paths for endpoint creation, TLS validity, ASN information, and external domains from historical scans
  • GAU provider deduplication: when URLScan enrichment has already run, the urlscan provider is automatically removed from GAU's data sources to avoid redundant API calls to the same underlying data
  • Pipeline placement: runs after domain discovery and before port scanning, alongside Shodan enrichment
  • Project settings: urlscanEnabled toggle and urlscanMaxResults (default: 500) configurable per project. Optional API key in Global Settings → API Keys
  • Frontend: new UrlscanSection.tsx in the Discovery & OSINT tab with passive badge, API key status indicator, and max results configuration

• ExternalDomain Node — new graph node type for tracking out-of-scope domains encountered during reconnaissance. Provides situational awareness about the target's external dependencies without scanning them:

  • Schema: (:ExternalDomain { domain, sources[], redirect_from_urls[], redirect_to_urls[], status_codes_seen[], titles_seen[], servers_seen[], ips_seen[], countries_seen[], times_seen, first_seen_at, updated_at })
  • Relationship: (d:Domain)-[:HAS_EXTERNAL_DOMAIN]->(ed:ExternalDomain)
  • Multi-source aggregation: external domains are collected from HTTP probe redirects, URLScan historical data, GAU passive archives, Katana crawling, and certificate transparency — then merged and deduplicated
  • Neo4j constraints: unique constraint on (domain, user_id, project_id) with tenant-scoped index
  • Neo4j client: new update_graph_from_external_domains() method for creating ExternalDomain nodes and HAS_EXTERNAL_DOMAIN relationships
  • Graph schema docs: GRAPH.SCHEMA.md updated with full ExternalDomain documentation

• Subfinder Integration — new passive subdomain discovery source in the recon pipeline. Queries 50+ online sources (certificate transparency, DNS databases, web archives, threat intelligence feeds) via ProjectDiscovery's Subfinder Docker image. No API keys required for basic operation (20+ free sources). Full multi-layer integration:

  • Backend: run_subfinder() in domain_recon.py using Docker-in-Docker pattern, JSONL parsing, max results capping
  • Settings: subfinderEnabled (default: true), subfinderMaxResults (default: 5000), subfinderDockerImage across Prisma schema, project settings, and defaults
  • Frontend: compact inline toggle with max results input in the Subdomain Discovery passive sources section
  • Stealth mode: max results capped to 100 (consistent with other passive sources)
  • Entrypoint: projectdiscovery/subfinder:latest added to Docker image pre-pull list
  • Results merge into existing subdomain flow — no graph schema changes needed

• Puredns Wildcard Filtering — new post-discovery validation step that removes wildcard DNS entries and DNS-poisoned subdomains before they reach the rest of the pipeline. Runs after the 5 discovery tools merge their results and before DNS resolution. Full multi-layer integration:

  • Backend: run_puredns_resolve() in domain_recon.py using Docker-in-Docker pattern with configurable threads, rate limiting, wildcard batch size, and skip-validation option
  • Settings: purednsEnabled (default: true), purednsThreads (default: 0 = auto), purednsRateLimit (default: 0 = unlimited), purednsDockerImage across Prisma schema, project settings, and defaults
  • Frontend: new "Wildcard Filtering" subsection with Active badge in the Subdomain Discovery section, with toggle and conditional thread/rate-limit inputs
  • Stealth mode: forced off (active DNS queries)
  • RoE: rate limit capped by global RoE max when enabled
  • Entrypoint: frost19k/puredns:latest added to Docker image pre-pull list, DNS resolver list auto-downloaded from trickest/resolvers (refreshed every 7 days)
  • Graceful degradation: on any error or timeout, returns the unfiltered subdomain list unchanged
  • Orphan cleanup: puredns image added to SUB_CONTAINER_IMAGES for force-stop container cleanup

• Amass Integration — OWASP Amass subdomain enumeration added to the recon pipeline as a new passive/active discovery source. Queries 50+ data sources (certificate transparency logs, DNS databases, web archives, WHOIS records) via the official Amass Docker image. Full multi-layer integration:

  • Backend: run_amass() in domain_recon.py using Docker-in-Docker pattern with configurable active mode, brute force, timeout, and max results capping
  • Settings: amassEnabled (default: false), amassMaxResults (default: 5000), amassTimeout (default: 10 min), amassActive (default: false), amassBrute (default: false), amassDockerImage across Prisma schema, project settings, and defaults
  • Frontend: compact inline toggle with max results input in the passive sources section, plus dedicated Amass Active Mode and Amass Bruteforce toggles in the active discovery section with time estimate warning
  • Stealth mode: active and brute force forced off, max results capped to 100
  • Entrypoint: caffix/amass:latest added to Docker image pre-pull list
  • Results merge into existing subdomain flow with per-source attribution — no graph schema changes needed

• Parallelized Recon Pipeline (Fan-Out / Fan-In) — the reconnaissance pipeline now uses concurrent.futures.ThreadPoolExecutor to run independent modules concurrently, significantly reducing total scan time while respecting data dependencies between groups:

  • GROUP 1: WHOIS + Subdomain Discovery + URLScan run in parallel (3 concurrent tasks). Within subdomain discovery, all 5 tools (crt.sh, HackerTarget, Subfinder, Amass, Knockpy) run concurrently via ThreadPoolExecutor(max_workers=5). Each tool refactored into a thread-safe function with its own requests.Session
  • GROUP 3: Shodan Enrichment + Port Scan (Naabu) run in parallel (2 concurrent tasks). New _isolated function variants (run_port_scan_isolated, run_shodan_enrichment_isolated) accept a read-only snapshot and return only their data section
  • DNS Resolution: parallelized with 20 concurrent workers via ThreadPoolExecutor(max_workers=20) in resolve_all_dns()
  • Background Graph DB Updates: all Neo4j graph writes now run in a dedicated single-writer background thread (_graph_update_bg). The main pipeline submits deep-copy snapshots and continues immediately. _graph_wait_all() ensures completion before pipeline exit
  • Structured Logging: all log messages standardized to [level][Module] prefix format (e.g., [+][crt.sh] Found 42 subdomains) for clarity in concurrent output
  • Resource Enumeration (Katana, GAU, Kiterunner) was already internally parallel; Groups 4 (HTTP Probe) and 6 (Vuln Scan + MITRE) remain sequential as they depend on prior group results

• Per-source Subdomain Attribution — subdomain discovery now tracks which tool found each subdomain (crt.sh, hackertarget, subfinder, amass, knockpy). External domain entries carry accurate per-source labels instead of generic cert_discovery. get_passive_subdomains() returns dict{subdomain: set_of_sources} instead of a flat set

• Compact Subdomain Discovery UI — passive subdomain source toggles (crt.sh, HackerTarget, Subfinder, Amass, Knockpy) now display the tool name, max results input, and toggle on a single row instead of separate expandable sections

• Discovery & OSINT Tab — new unified tab in the project form replacing the previous scattered tool placement. Groups all passive and active discovery tools in a single section:

  • Subdomain Discovery — passive sources (crt.sh, HackerTarget, Subfinder, Amass, Knockpy Recon) and active discovery (Knockpy Bruteforce, Amass Active/Brute), plus DNS settings (WHOIS/DNS retries)
  • Shodan OSINT Enrichment — moved from the Integrations tab into Discovery & OSINT, reflecting its role as a core discovery tool rather than an external integration. All four toggles (Host Lookup, Reverse DNS, Domain DNS, Passive CVEs) remain unchanged
  • URLScan.io Enrichment — new section with passive badge, max results config, and API key status
  • Node Info Tooltips — each section header now has a waypoints icon that shows which graph node types the tool consumes (input, blue pills) and produces (output, purple pills) via NodeInfoTooltip component, SECTION_INPUT_MAP and SECTION_NODE_MAP in nodeMapping.ts
  • Recon toggle switches moved to section headers for cleaner layout

• Agent Guardrail Toggle — the scope guardrail (LLM-based target verification) can now be enabled or disabled per project:

  • New setting: agentGuardrailEnabled (default: true) — when disabled, the agent skips the scope verification check on session start
  • Initialize node: guardrail check is now conditional, skipped when setting is false or on retries to avoid redundant LLM calls
  • Think node: scope guardrail reminder in the system prompt only injected when enabled
  • Guardrail LLM bootstrapping: the guardrail API endpoint now fetches the user's configured LLM providers from the database to properly initialize the LLM with the correct API keys (OpenAI, Anthropic, or OpenRouter)
  • Frontend: checkbox in Agent Behaviour section
  • Fail-closed: if the guardrail check itself fails (API error, LLM error), the agent is blocked by default (security-first)

• Multi-source CVE Attribution — CVE nodes created from Shodan data now track their source (source property) instead of hardcoding "shodan", enabling future enrichment from multiple CVE databases (NVD, Vulners, etc.)

• API Key Rotation — configure multiple API keys per tool with automatic round-robin rotation to avoid rate limits. Each key in Global Settings now has a "Key Rotation" button that opens a modal to add extra keys and set the rotation interval (default: every 10 API calls). All keys (main + extras) are treated equally in the rotation pool. Full multi-layer integration:

  • Database: new ApiKeyRotationConfig model with userId + toolName unique constraint, extraKeys (newline-separated), and rotateEveryN (default 10)
  • Settings API: GET /api/users/[id]/settings returns rotationConfigs with key counts (frontend) or full keys (?internal=true); PUT accepts rotation config upserts with masked-value preservation
  • Frontend: "Key Rotation" button next to each API key field; modal with textarea for extra keys (one per line) and rotation interval input; info badge showing total key count and rotation interval when configured
  • Python KeyRotator: pure-Python round-robin class (key_rotation.py) in both agentic/ and recon/ containers — no new dependencies, no Docker image rebuild needed
  • Agent integration: orchestrator builds KeyRotator per tool manager; web_search, shodan, and google_dork tools use rotator.current_key + tick() on each API call
  • Recon integration: single _fetch_user_settings_full() call replaces individual key fetches; rotators built for Shodan, URLScan, NVD, and Vulners; threaded through _shodan_get, _urlscan_search, lookup_cves_nvd, and lookup_cves_vulners
  • Backward compatible: with no extra keys configured, behavior is identical to before
  • Tests: 26 unit tests covering KeyRotator logic, rotation mechanics, integration with Shodan/URLScan/NVD/Vulners enrichment modules

• NVD/Vulners API Keys moved to Global Settings — NVD and Vulners API keys removed from the Project model and the project-level fallback chain. All 6 tool API keys (Tavily, Shodan, SerpAPI, NVD, Vulners, URLScan) are now exclusively user-scoped in Global Settings, consistent with the other keys.

Fixed

• Banner grabbing data loss — fixed falsy value filtering in neo4j_client.py banner property handling. Changed if v to if v is not None to preserve empty strings and zero values that are valid banner data

Changed

• Kali sandbox Dockerfile updated
• Shodan OSINT Enrichment moved from the Integrations tab to the new Discovery & OSINT tab in the project form
• Integrations tab now contains only GitHub Secret Hunting (Shodan removed)
• Recon pipeline toggle switches moved from section bodies to section headers for a cleaner UI
• Documentation and wiki updates

---

This discussion was created from the release 3.0.0 - 2026-03-23.