Changelog

All notable changes to God's Eye are documented here.

Format inspired by Keep a Changelog. Versioning follows SemVer — major bumps mean breaking CLI/config changes.


[v2.0.0] — 2026-04-18

The first full rewrite since v0.1. This is a new shape of tool, not a patch.

Added

Core architecture

  • Event-driven pipeline replacing the v0.1 monolithic scanner.Run — see internal/pipeline/.
  • Typed event bus (internal/eventbus) — 20 event types, race-safe pub/sub, drop counter, panic recovery.
  • Thread-safe host store (internal/store) with per-host locking and deep-copy reads.
  • Module registry (internal/module) — 26 auto-registered modules across 6 phases.
  • YAML config (internal/config) with auto-discovery at ~/.god-eye/config.yaml.
  • Five built-in scan profiles: quick, bugbounty, pentest, asm-continuous, stealth-max.

Interactive wizard (internal/wizard/)

  • Auto-launches when ./god-eye is run with no -d flag in a TTY.
  • Walks through AI tier selection, Ollama model check + download, target validation, scan profile, live view, output format.
  • Force with --wizard even when -d is set.

AI layer (internal/ai/ + internal/modules/ai/)

  • Three tuned profiles: lean (16 GB RAM), balanced (32 GB + MoE), heavy (64 GB+).
  • Six event-driven handlers: CVE correlation, JS file indexing, HTTP response analysis, secret validation, multi-agent vulnerability enrichment, end-of-scan anomaly detection + executive report.
  • Content-hash cache dedups queries — a tech detected on 10 hosts fires one Ollama call.
  • Auto-pull of missing Ollama models via /api/pull with streaming progress.
  • --ai-verbose flag to stream every query on stderr.
  • Full local inference via Ollama — no API keys, no cloud.
  • End-of-scan AI SCAN BRIEF — framed terminal summary with severity totals, top exploitable chains, AI-generated executive prose, and recommended next actions.

Nuclei compatibility layer (internal/nucleitpl/)

  • Executes ~13,000 community nuclei-templates.
  • Auto-downloads the official ZIP from GitHub into ~/.god-eye/nuclei-templates/ on first use.
  • ./god-eye nuclei-update subcommand to refresh the cache.
  • Supports HTTP templates with word / regex / status / size matchers, and / or conditions, part=header|body|response, negative matching.
  • Scope filter rejects off-host templates (OSINT user lookups on third-party services) to eliminate false positives.

Discovery expansion (26 passive sources — up from 20 in v0.1)

  • BufferOver, DNSDumpster, Omnisint, HudsonRock, WebArchiveCDX, Digitorus added.
  • Six active techniques: AXFR zone-transfer, GitHub code dorks (honors GITHUB_TOKEN), CT live polling, DNS permutation (alterx-style), reverse DNS ±16 sweep, virtual host discovery, ASN/CIDR expansion, supply-chain recon (npm + PyPI).

Continuous monitoring (ASM)

  • --monitor-interval 24h schedules re-scans.
  • Diff engine (9 change kinds: new_host, removed_host, new_ip, removed_ip, status_change, tech_change, new_vuln, cleared_vuln, cert_change, new_takeover).
  • Webhook alerter (generic JSON POST) + stdout alerter.

Native vulnerability scanners (new in v2)

  • GraphQL introspection + mutation-enabled flag.
  • JWT analyzer (alg=none, excessive expiry, kid-injection, weak-HMAC crack).
  • Security header audit (OWASP Secure Headers Project aligned).
  • HTTP request smuggling timing probe (CL.TE / TE.CL, opt-in).

Operational

  • --proxy flag for HTTP / HTTPS / SOCKS5 / SOCKS5h routing. Full Burp / mitmproxy / Tor support. (Fixes #1 from @who0xac.)
  • --live colorized event stream with 3 verbosity levels.
  • --ai-profile {lean,balanced,heavy} preset for AI tier.
  • --ai-auto-pull (default true) for Ollama model management.
  • --nuclei-auto-download (default true) for nuclei-templates cache.
  • Context-aware cancellation on SIGINT / SIGTERM.

Testing

  • 185 unit tests across 15 packages, all race-detector clean.
  • Live reproducible benchmark against scanme.nmap.org in BENCHMARK-SCANME.md.
  • Parity tool (tools/parity/) to diff v1 vs v2 outputs on the same target.

🔧 Changed

  • AI default models: deepseek-r1:1.5b + qwen2.5-coder:7b → qwen3:1.7b + qwen2.5-coder:14b (lean tier). Balanced tier adds qwen3-coder:30b MoE.
  • Banner: dropped legacy organisation reference; version bumped to 2.0-dev.
  • Go version: bumped to 1.21.
  • Output format: now uses internal/store.Host internally; legacy config.SubdomainResult kept for JSON backward compatibility.

🐛 Fixed

  • Issue #1 — SOCKS5 / Tor compatibility. Native --proxy socks5h://127.0.0.1:9050 replaces reliance on torsocks.
  • Duplicate CVE emissions — dedup by (tech, version) pair instead of (host, tech, version). cloudflare on 8 hosts now fires 1 AI query instead of 8.
  • CDN / WAF false positives: cloudflare, cloudfront, akamai, fastly, imperva, aws, azure, gcp, heroku, netlify, vercel are skipped from CVE matching when version unknown (previously generated 10+ bogus CVE chains per scan).
  • JS secret regex noise — deterministic deny-list for Google Fonts / Googleapis / UI strings like "Change Password" removed 60-70% of false positives.
  • Off-host Nuclei OSINT templates — templates with absolute URLs to third-party services (https://www.mastodon.social/api/...) no longer fire during targeted scans. Added TargetsCurrentHost() check.
  • Module registration race: ai.cascade and vuln.nuclei-compat now DefaultEnabled() = true so the registry always selects them; opt-in happens in Run() via config check.
  • Pipeline deadlock — resolution / analysis modules subscribed too late to upstream events; switched to "drain store first, subscribe for late events" pattern across all consumers.
  • Nuclei template-dir resolution — preferred ~/.god-eye/nuclei-templates/ over ~/nuclei-templates/ (which may be permission-denied from a previous nuclei CLI install).
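The (tech, version) dedup key and the unversioned CDN/WAF skip rule from the two CVE entries above, as an added Go example that is not the project's code (the Detection type, its field names and the sample hosts are assumptions):

```go
package main

import (
	"fmt"
	"strings"
)

// Detection: one "tech X, version Y, on host H" observation. Constructed for this
// example; the type and its fields are assumptions, not the project's store types.
type Detection struct{ Host, Tech, Version string } // Version "" = unknown

// Edge/WAF fingerprints that are never CVE-matched without a known version.
var cdnVendors = map[string]bool{
	"cloudflare": true, "cloudfront": true, "akamai": true, "fastly": true, "imperva": true,
	"aws": true, "azure": true, "gcp": true, "heroku": true, "netlify": true, "vercel": true,
}

// CVEQueryKeys folds detections onto (tech, version) keys, one CVE query each, after
// dropping unversioned CDN/WAF hits. Map value = number of hosts folded into the key.
// The pre-fix (host, tech, version) key would have fired one query per detection.
func CVEQueryKeys(dets []Detection) map[string]int {
	keys := make(map[string]int)
	for _, d := range dets {
		tech := strings.ToLower(d.Tech)
		if d.Version == "" && cdnVendors[tech] {
			continue // unknown edge version: nothing to match, skip
		}
		keys[tech+"@"+d.Version]++
	}
	return keys
}

// SampleDetections: 8 constructed hosts behind Cloudflare, all on nginx 1.18.0,
// plus one of them also exposing nginx 1.24.0 (17 detections in total).
func SampleDetections() []Detection {
	var out []Detection
	for i := 1; i <= 8; i++ {
		h := fmt.Sprintf("h%d.example.test", i)
		out = append(out, Detection{h, "cloudflare", ""}, Detection{h, "nginx", "1.18.0"})
	}
	return append(out, Detection{"h1.example.test", "nginx", "1.24.0"})
}

func main() {
	d := SampleDetections()
	fmt.Println("per-detection queries:", len(d), "v2 queries:", len(CVEQueryKeys(d)))
}
```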

🔒 Security

  • No real secrets in documentation — live-scan output in BENCHMARK-SCANME.md is redacted with AIzaSy***REDACTED*** even though the target (scanme.nmap.org) is public.
  • Gitignore covers: /god-eye binary, gods-eye-*.json, .god-eye/, god-eye.yaml, .claude/, CLAUDE.md, *.log, /tmp/.
  • Proxy auth redaction: Humanize() strips user:pass@ from proxy URLs in console output; only the scheme + host appears.
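The proxy-URL redaction described in the last entry, as an added Go example: HumanizeProxy is a hypothetical stand-in for the changelog's Humanize(), not the project's code, and the sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
)

// HumanizeProxy returns a proxy URL safe for console output: scheme and host only,
// so a user:pass@ section never reaches the terminal, scrollback or a log file.
// Hypothetical stand-in for the changelog's Humanize(); not the project's code.
func HumanizeProxy(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		// Never echo the raw string on a parse failure: it may still hold the secret.
		return "<invalid proxy url>"
	}
	return u.Scheme + "://" + u.Host // userinfo, path and query are dropped
}

func main() {
	for _, p := range []string{ // constructed sample values
		"socks5h://127.0.0.1:9050",
		"http://alice:s3cr%40t@proxy.internal:8080",
		"https://bob:hunter2@[::1]:8443",
		"::not a url",
	} {
		fmt.Printf("%-45s -> %s\n", p, HumanizeProxy(p))
	}
}
```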

📚 Documentation

Eight thoroughly-rewritten documents:

  • README.md — hero + quickstart + feature matrix + competitive landscape + GIF demos.
  • AI_SETUP.md — 5-minute install, cascade diagram, 3 profiles comparison, wizard walk-through, troubleshooting, performance reference.
  • EXAMPLES.md — 14 practical recipes from zero-flag launch to route-through-Tor.
  • BENCHMARK.md — cross-tool comparison matrix, methodology, honest caveats.
  • BENCHMARK-SCANME.md — reproducible live benchmark on scanme.nmap.org with exact runtimes + three bugs-fixed-mid-test story.
  • FEATURE_ANALYSIS.md — per-feature status across all 6 development phases.
  • SECURITY.md — ethical guidelines, disclosure process, compliance references.
  • CHANGELOG.md — this file.

🎬 Media

  • Three GIF demos in assets/, captured live against scanme.nmap.org:
    • wizard-demo.gif — interactive setup walkthrough
    • live-scan.gif — colorized event stream
    • ai-verbose.gif — full AI cascade + end-of-scan brief
  • Legacy v0.1 GIFs (demo.gif, demo-ai.gif) removed.

💔 Breaking

  • The scanner.Run() call path is still present for backward compatibility but is considered legacy. New workflows should use --pipeline, which becomes the default in v2.0 final.
  • AI default model changed: if you had automation relying on deepseek-r1:1.5b being pulled by default, set --ai-fast-model deepseek-r1:1.5b explicitly or stick to v0.1.

📦 Dependencies

Added:

  • gopkg.in/yaml.v3 — for YAML config loading.
  • golang.org/x/net (promoted from indirect) — for SOCKS5 proxy support.
  • github.com/mattn/go-isatty (promoted from indirect) — for wizard TTY detection.

No new cgo dependencies. Single static binary on every supported platform.


[v0.1] — earlier

Legacy monolithic scanner. Preserved in-tree for parity testing; superseded by v2.