# Changelog All notable changes to God's Eye are documented here. Format inspired by [Keep a Changelog](https://keepachangelog.com/). Versioning follows [SemVer](https://semver.org/) — major bumps mean breaking CLI/config changes. --- ## [v2.0.0-rc1] — 2026-04-18 The first full rewrite since v0.1. This is a **new shape of tool**, not a patch. Promoted to `v2.0.0` after ~1 week of RC bake-in barring showstoppers. ### ✨ Added **Core architecture** - Event-driven pipeline replacing the v0.1 monolithic `scanner.Run` — see `internal/pipeline/`. - Typed event bus (`internal/eventbus`) — 20 event types, race-safe pub/sub, drop counter, panic recovery. - Thread-safe host store (`internal/store`) with per-host locking and deep-copy reads. - Module registry (`internal/module`) — 26 auto-registered modules across 6 phases. - YAML config (`internal/config`) with auto-discovery at `~/.god-eye/config.yaml`. - Five built-in scan profiles: `quick`, `bugbounty`, `pentest`, `asm-continuous`, `stealth-max`. **Interactive wizard** (`internal/wizard/`) - Auto-launches when `./god-eye` is run with no `-d` flag in a TTY. - Walks through AI tier selection, Ollama model check + download, target validation, scan profile, live view, output format. - Force with `--wizard` even when `-d` is set. **AI layer** (`internal/ai/` + `internal/modules/ai/`) - Three tuned profiles: `lean` (16 GB RAM), `balanced` (32 GB + MoE), `heavy` (64 GB+). - Six event-driven handlers: CVE correlation, JS file indexing, HTTP response analysis, secret validation, multi-agent vulnerability enrichment, end-of-scan anomaly detection + executive report. - Content-hash cache dedups queries — a tech detected on 10 hosts fires **one** Ollama call. - Auto-pull of missing Ollama models via `/api/pull` with streaming progress. - `--ai-verbose` flag to stream every query on stderr. - Full local inference via Ollama — no API keys, no cloud. - End-of-scan **AI SCAN BRIEF** — framed terminal summary with severity totals, top exploitable chains, AI-generated executive prose, and recommended next actions. **Nuclei compatibility layer** (`internal/nucleitpl/`) - Executes ~13,000 community nuclei-templates. - Auto-downloads the official ZIP from GitHub into `~/.god-eye/nuclei-templates/` on first use. - `./god-eye nuclei-update` subcommand to refresh the cache. - Supports HTTP templates with `word` / `regex` / `status` / `size` matchers, `and` / `or` conditions, `part=header|body|response`, negative matching. - Scope filter rejects off-host templates (OSINT user lookups on third-party services) to eliminate false positives. **Discovery expansion** (26 passive sources — up from 20 in v0.1) - `BufferOver`, `DNSDumpster`, `Omnisint`, `HudsonRock`, `WebArchiveCDX`, `Digitorus` added. - Six active techniques: AXFR zone-transfer, GitHub code dorks (honors `GITHUB_TOKEN`), CT live polling, DNS permutation (alterx-style), reverse DNS ±16 sweep, virtual host discovery, ASN/CIDR expansion, supply-chain recon (npm + PyPI). **Continuous monitoring** (ASM) - `--monitor-interval 24h` schedules re-scans. - Diff engine (9 change kinds: `new_host`, `removed_host`, `new_ip`, `removed_ip`, `status_change`, `tech_change`, `new_vuln`, `cleared_vuln`, `cert_change`, `new_takeover`). - Webhook alerter (generic JSON POST) + stdout alerter. **Native vulnerability scanners** (new in v2) - GraphQL introspection + mutation-enabled flag. - JWT analyzer (`alg=none`, excessive expiry, kid-injection, weak-HMAC crack). - Security header audit (OWASP Secure Headers Project aligned). - HTTP request smuggling timing probe (CL.TE / TE.CL, opt-in). **Operational** - `--proxy` flag for HTTP / HTTPS / SOCKS5 / SOCKS5h routing. Full Burp / mitmproxy / Tor support. (Fixes [#1](https://github.com/Vyntral/god-eye/issues/1) from @who0xac.) - `--live` colorized event stream with 3 verbosity levels. - `--ai-profile {lean,balanced,heavy}` preset for AI tier. - `--ai-auto-pull` (default true) for Ollama model management. - `--nuclei-auto-download` (default true) for nuclei-templates cache. - Context-aware cancellation on SIGINT / SIGTERM. **Testing** - 185 unit tests across 15 packages, all race-detector clean. - Live reproducible benchmark against `scanme.nmap.org` in [BENCHMARK-SCANME.md](BENCHMARK-SCANME.md). - Parity tool (`tools/parity/`) to diff v1 vs v2 outputs on the same target. ### 🔧 Changed - **AI default models**: `deepseek-r1:1.5b` + `qwen2.5-coder:7b` → `qwen3:1.7b` + `qwen2.5-coder:14b` (lean tier). Balanced tier adds `qwen3-coder:30b` MoE. - **Banner**: dropped legacy organisation reference; version bumped to `2.0-dev`. - **Go version**: bumped to 1.21. - **Output format**: now uses `internal/store.Host` internally; legacy `config.SubdomainResult` kept for JSON backward compatibility. ### 🐛 Fixed - **Issue [#1](https://github.com/Vyntral/god-eye/issues/1)** — SOCKS5 / Tor compatibility. Native `--proxy socks5h://127.0.0.1:9050` replaces reliance on `torsocks`. - **Duplicate CVE emissions** — dedup by `(tech, version)` pair instead of `(host, tech, version)`. `cloudflare` on 8 hosts now fires 1 AI query instead of 8. - **CDN / WAF false positives** — `cloudflare`, `cloudfront`, `akamai`, `fastly`, `imperva`, `aws`, `azure`, `gcp`, `heroku`, `netlify`, `vercel` skipped from CVE matching when version unknown (previously generated 10+ bogus CVE chains per scan). - **JS secret regex noise** — deterministic deny-list for Google Fonts / Googleapis / UI strings like "Change Password" removed 60-70% of false positives. - **Off-host Nuclei OSINT templates** — templates with absolute URLs to third-party services (`https://www.mastodon.social/api/...`) no longer fire during targeted scans. Added `TargetsCurrentHost()` check. - **Module registration race** — `ai.cascade` and `vuln.nuclei-compat` now `DefaultEnabled() = true` so registry always selects them; opt-in happens in `Run()` via config check. - **Pipeline deadlock** — resolution / analysis modules subscribed too late to upstream events; switched to "drain store first, subscribe for late events" pattern across all consumers. - **Nuclei template-dir resolution** — preferred `~/.god-eye/nuclei-templates/` over `~/nuclei-templates/` (which may be permission-denied from a previous nuclei CLI install). ### 🔒 Security - **No real secrets in documentation** — live-scan output in `BENCHMARK-SCANME.md` is redacted with `AIzaSy***REDACTED***` even though the target (scanme.nmap.org) is public. - **Gitignore covers**: `/god-eye` binary, `gods-eye-*.json`, `.god-eye/`, `god-eye.yaml`, `.claude/`, `CLAUDE.md`, `*.log`, `/tmp/`. - **Proxy auth redaction** — `Humanize()` strips `user:pass@` from proxy URLs in console output; only the scheme + host appears. ### 📚 Documentation Eight thoroughly-rewritten documents: - **[README.md](README.md)** — hero + quickstart + feature matrix + competitive landscape + GIF demos. - **[AI_SETUP.md](AI_SETUP.md)** — 5-minute install, cascade diagram, 3 profiles comparison, wizard walk-through, troubleshooting, performance reference. - **[EXAMPLES.md](EXAMPLES.md)** — 14 practical recipes from zero-flag launch to route-through-Tor. - **[BENCHMARK.md](BENCHMARK.md)** — cross-tool comparison matrix, methodology, honest caveats. - **[BENCHMARK-SCANME.md](BENCHMARK-SCANME.md)** — reproducible live benchmark on `scanme.nmap.org` with exact runtimes + three bugs-fixed-mid-test story. - **[FEATURE_ANALYSIS.md](FEATURE_ANALYSIS.md)** — per-feature status across all 6 development phases. - **[SECURITY.md](SECURITY.md)** — ethical guidelines, disclosure process, compliance references. - **CHANGELOG.md** — this file. ### 🎬 Media - Three GIF demos in `assets/`, captured live against `scanme.nmap.org`: - `wizard-demo.gif` — interactive setup walkthrough - `live-scan.gif` — colorized event stream - `ai-verbose.gif` — full AI cascade + end-of-scan brief - Legacy v0.1 GIFs (`demo.gif`, `demo-ai.gif`) removed. ### 💔 Breaking - The `scanner.Run()` call path is still present for backward compatibility but is considered **legacy**. New workflows should use `--pipeline` which becomes the default in v2.0 final. - AI default model changed: if you had automation relying on `deepseek-r1:1.5b` being pulled by default, set `--ai-fast-model deepseek-r1:1.5b` explicitly or stick to v0.1. ### 📦 Dependencies Added: - `gopkg.in/yaml.v3` — for YAML config loading. - `golang.org/x/net` (promoted from indirect) — for SOCKS5 proxy support. - `github.com/mattn/go-isatty` (promoted from indirect) — for wizard TTY detection. No new cgo dependencies. Single static binary on every supported platform. --- ## [v0.1] — earlier Legacy monolithic scanner. Preserved in-tree for parity testing; superseded by v2.