feat: wire up NTE embeddings and add supplemental timing to scan API

extract_features() existed but was never called after the OSS extraction —
embeddings were hardcoded to None. Now collect_timing_samples_raw() generates
64-dim L2-normalized embeddings from timing samples automatically.

Added timing_samples field to ScanRequest and discover_with_timing() on Engine
so callers can request multi-sample timing profiles for open ports after
discovery. The CLI scan subcommand gets --timing-samples to expose this.

Author: Simon Morley

src/cli/mod.rs

@@ -85,6 +85,9 @@ pub struct ScanArgs {
     /// Network interface for XDP (auto-detect if omitted)
     #[arg(long)]
     pub interface: Option<String>,
+    /// Supplemental timing samples per open port (0 = skip)
+    #[arg(long, default_value = "0")]
+    pub timing_samples: u16,
 }
 
 /// Arguments for the `time` subcommand.
@@ -143,13 +146,15 @@ pub enum OutputFmt {
 /// Run a port scan and return the result.
 ///
 /// Creates an Engine, builds a ScanRequest, and delegates to `engine.discover()`.
+/// When `timing_samples > 0`, open ports are re-probed for multi-sample timing profiles.
 pub async fn run_scan(
     target: &str,
     port_spec: PortSpec,
     pacing: PacingProfile,
     timeout_ms: u32,
     interface: Option<String>,
-) -> Result<ScanResult, String> {
+    timing_samples: u16,
+) -> Result<(ScanResult, Vec<crate::TimingResult>), String> {
     let engine = create_engine(interface.clone())?;
 
     let request = ScanRequest {
@@ -160,13 +165,18 @@ pub async fn run_scan(
         timeout_ms,
         interface,
         max_ports: None,
+        timing_samples: if timing_samples > 0 {
+            Some(timing_samples)
+        } else {
+            None
+        },
     };
 
-    let result = engine.discover(&request).await;
+    let (result, timing_results) = engine.discover_with_timing(&request).await;
     if let Some(ref e) = result.error {
         Err(e.clone())
     } else {
-        Ok(result)
+        Ok((result, timing_results))
     }
 }
 

src/engine.rs

@@ -251,6 +251,43 @@ impl Engine {
         }
     }
 
+    /// Run a port discovery scan, then collect supplemental timing for open ports.
+    ///
+    /// If `request.timing_samples` is `Some(n)` with `n > 0`, each open port is
+    /// re-probed `n` times to build a multi-sample timing profile with embeddings.
+    /// Closed/filtered/firewalled ports are skipped.
+    pub async fn discover_with_timing(
+        &self,
+        request: &crate::ScanRequest,
+    ) -> (ScanResult, Vec<TimingResult>) {
+        let scan_result = self.discover(request).await;
+        let mut timing_results = Vec::new();
+
+        let sample_count = request.timing_samples.unwrap_or(0);
+        if sample_count == 0 {
+            return (scan_result, timing_results);
+        }
+
+        for port in &scan_result.ports {
+            if port.state != crate::PortState::Open {
+                continue;
+            }
+            let timing_req = TimingRequest {
+                request_id: Uuid::new_v4(),
+                scan_id: None,
+                target_host: scan_result.target_ip.to_string(),
+                target_port: port.port,
+                sample_count: sample_count as u32,
+                timeout_ms: request.timeout_ms,
+                banner_timeout_ms: None,
+            };
+            let result = self.collect_timing(&timing_req).await;
+            timing_results.push(result);
+        }
+
+        (scan_result, timing_results)
+    }
+
     /// Backend string identifier.
     pub fn backend_str(&self) -> &str {
         match self {
@@ -652,6 +689,7 @@ mod tests {
             timeout_ms: 500,
             interface: None,
             max_ports: None,
+            timing_samples: None,
         };
         let result = engine.discover(&request).await;
         assert_eq!(result.request_id, request.request_id);
@@ -674,6 +712,7 @@ mod tests {
             timeout_ms: 1000,
             interface: None,
             max_ports: None,
+            timing_samples: None,
         };
         let result = engine.discover(&request).await;
         assert!(result.error.is_some());
@@ -701,6 +740,7 @@ mod tests {
             timeout_ms: 500,
             interface: None,
             max_ports: Some(3),
+            timing_samples: None,
         };
         let result = engine.discover(&request).await;
         assert_eq!(

src/lib.rs

@@ -236,6 +236,10 @@ pub struct ScanRequest {
     /// Maximum number of ports to scan (truncates expanded port list).
     #[serde(default)]
     pub max_ports: Option<u32>,
+    /// Number of supplemental timing samples per open port (0 or None = skip).
+    /// After discovery, open ports are re-probed N times to build timing profiles.
+    #[serde(default)]
+    pub timing_samples: Option<u16>,
 }
 
 /// Result of a port scan.

src/main.rs

@@ -28,6 +28,7 @@ async fn main() {
                 args.timeout,
                 args.output,
                 args.interface,
+                args.timing_samples,
             )
             .await;
         }
@@ -61,7 +62,7 @@ async fn main() {
             let timeout = cli.timeout.unwrap_or(2000);
             let output = cli.output.unwrap_or(OutputFmt::Pretty);
 
-            run_scan_command(&target, &ports, stealth, timeout, output, cli.interface).await;
+            run_scan_command(&target, &ports, stealth, timeout, output, cli.interface, 0).await;
         }
     }
 }
@@ -73,6 +74,7 @@ async fn run_scan_command(
     timeout: u32,
     output: OutputFmt,
     interface: Option<String>,
+    timing_samples: u16,
 ) {
     let port_spec = match limpet::PortSpec::parse(ports_str) {
         Ok(s) => s,
@@ -84,10 +86,31 @@ async fn run_scan_command(
 
     let pacing: limpet::scanner::stealth::PacingProfile = stealth.into();
 
-    match cli::run_scan(target, port_spec, pacing, timeout, interface).await {
-        Ok(result) => match output {
-            OutputFmt::Pretty => print!("{}", cli::format_pretty(&result, target)),
-            OutputFmt::Json => println!("{}", cli::format_json(&result)),
+    match cli::run_scan(target, port_spec, pacing, timeout, interface, timing_samples).await {
+        Ok((result, timing_results)) => match output {
+            OutputFmt::Pretty => {
+                print!("{}", cli::format_pretty(&result, target));
+                if !timing_results.is_empty() {
+                    println!("\nTiming profiles ({} ports):", timing_results.len());
+                    for tr in &timing_results {
+                        let emb = if tr.embedding.is_some() { "64-dim" } else { "none" };
+                        println!(
+                            "  port {}: {} samples, mean={:.2}µs, embedding={}",
+                            tr.target_port,
+                            tr.samples.len(),
+                            tr.stats.mean,
+                            emb,
+                        );
+                    }
+                }
+            }
+            OutputFmt::Json => {
+                let out = serde_json::json!({
+                    "scan": result,
+                    "timing": timing_results,
+                });
+                println!("{}", serde_json::to_string_pretty(&out).unwrap_or_default());
+            }
         },
         Err(e) => {
             eprintln!("Scan failed: {e}");

src/timing/userspace.rs

@@ -224,6 +224,11 @@ pub async fn collect_timing_samples_raw(
         }
     };
 
+    let embedding = match super::embeddings::extract_features(&samples) {
+        Ok(fv) => Some(fv.to_embedding()),
+        Err(_) => None,
+    };
+
     TimingResult {
         request_id: request.request_id,
         scan_id: request.scan_id,
@@ -234,7 +239,7 @@ pub async fn collect_timing_samples_raw(
         stats,
         collected_at: chrono::Utc::now(),
         error: None,
-        embedding: None,
+        embedding,
         banner: None, // SYN-only: no handshake, no banner
         source_ip: None,
         worker_node: None,