fixed github ci from triggering for every change

Author: hollowpointer

.github/workflows/build.yml

@@ -5,8 +5,32 @@ on:
     types: [published]
   push:
     branches: [ "main" ]
+    paths:
+      - 'common/**'
+      - 'core/**'
+      - 'cli/**'
+      - 'plugins/**'
+      - 'protocols/**'
+      - 'tests/**'
+      - 'scripts/**'
+      - 'docker/**'
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '.github/workflows/build.yml'
   pull_request:
     branches: [ "main" ]
+    paths:
+      - 'common/**'
+      - 'core/**'
+      - 'cli/**'
+      - 'plugins/**'
+      - 'protocols/**'
+      - 'tests/**'
+      - 'scripts/**'
+      - 'docker/**'
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '.github/workflows/build.yml'
 
 permissions:
   contents: write

cli/src/commands.rs

@@ -43,7 +43,9 @@ use zond_common::{config::ZondConfig, models::port::PortSet};
 
 #[derive(Parser)]
 #[command(name = "zond")]
-#[command(about = "Deep network reconnaissance and probing tool.")]
+#[command(version = env!("CARGO_PKG_VERSION"))]
+#[command(about = "Deep network reconnaissance and probing tool.", long_about = None)]
+#[command(propagate_version = true)]
 pub struct CommandLine {
     #[command(subcommand)]
     pub command: Commands,

core/src/scanner.rs

@@ -63,16 +63,14 @@ pub async fn scan(target_map: TargetMap, cfg: &ZondConfig) -> anyhow::Result<Vec
     STOP_SIGNAL.store(false, Ordering::Relaxed);
     let use_raw_sockets = preflight_check(cfg);
 
-    // Currently, even if we are root, we default to the TCP connect scanner for port scanning
-    // until a specialized privileged strategy (e.g. SYN scan) is fully implemented.
-    if !use_raw_sockets || true {
-        let dispatcher = dispatcher::Dispatcher::new(target_map);
-        let rx = dispatcher.run_shuffled();
-        return connect::scan(rx, 50).await;
+    if use_raw_sockets {
+        // Future: Remove this fallback once SYN scanner is ready
+        warn!("Privileged port scanning (SYN) not yet implemented; using TCP connect fallback");
     }
 
-    // Future: Implement privileged SYN scan strategy here
-    Ok(Vec::new())
+    let dispatcher = dispatcher::Dispatcher::new(target_map);
+    let rx = dispatcher.run_shuffled();
+    connect::scan(rx, 50).await
 }
 
 /// The primary entry point for network discovery.

core/src/scanner/connect.rs

@@ -13,22 +13,26 @@ use tokio::net::TcpStream;
 use tokio::sync::mpsc;
 use tokio::task::JoinSet;
 use tokio::time::timeout;
+use std::collections::HashSet;
+use std::sync::{Arc, Mutex};
 use zond_common::models::host::Host;
 use zond_common::models::ip::set::IpSet;
-use zond_common::models::port::{Port, PortState, Protocol};
-use zond_common::models::target::Target;
+use zond_common::models::port::{Port, PortSet, PortState, Protocol};
+use zond_common::models::target::{Target, TargetMap, TargetSet};
 
 use super::STOP_SIGNAL;
-
+use super::dispatcher::Dispatcher;
 use crate::scanner::increment_host_count;
 
-/// Performs an asynchronous, highly-concurrent full TCP connect port scan over a randomized target stream.
+/// Most common ports across Linux, Windows, and Networking gear.
+const DISCOVERY_PORTS: &[u16] = &[22, 80, 443, 445, 3389];
+
+/// Performs a high-concurrency, unprivileged port scan.
 ///
-/// This leverages an [`mpsc::Receiver`] (typically from a [`Dispatcher`]), bounds the number
-/// of concurrent connections via `concurrency_limit`, and aggregates the findings into
-/// a minimal set of [`Host`]s. IP addresses that return at least one non-closed port
-/// will be mapped to a [`Host`] with their discovered [`Port`]s. This is the primary
-/// port scanning strategy for users without root privileges.
+/// This engine is the primary scanning strategy for users without root privileges.
+/// It consumes a randomized stream of [`Target`]s from a [`Dispatcher`], maintaining 
+/// a strictly bounded concurrency set to prevent OS socket exhaustion. Discovered 
+/// open or filtered ports are aggregated into a collection of [`Host`] entities.
 pub async fn scan(
     mut rx: mpsc::Receiver<Target>,
     concurrency_limit: usize,
@@ -107,39 +111,119 @@ async fn port_prober(target: Target) -> anyhow::Result<Option<(IpAddr, Port)>> {
     }
 }
 
-/// Discovers live hosts using a standard, unprivileged TCP connect sweep.
+/// High-fidelity, multi-port host discovery for unprivileged environments.
 ///
-/// Sweeps through the provided [`IpSet`], attempting a basic connection to port 443.
-/// This approach serves as a fallback for users without root privileges where raw
-/// socket-based ARP/NDP sweeps are not possible. Returns a [`Vec<Host>`] for all IPs
-/// that responded within the timeout window.
+/// This engine performs a rapid sweep of target networks by probing a curated 
+/// set of infrastructure ports: SSH (22), HTTP (80), HTTPS (443), SMB (445), 
+/// and RDP (3389). This multi-port approach ensures high discovery fidelity 
+/// across Linux, Windows, and embedded network targets.
+///
+/// ### Characteristics
+/// - **Early-Exit**: Probes for an IP are immediately bypassed if the host 
+///   has already been confirmed alive by a parallel task.
+/// - **Randomized**: Target distribution is handled by a shuffling [`Dispatcher`] 
+///   to minimize local network congestion.
+/// - **Fidelity Range**: Uses an adjustable 1000ms timeout window to capture 
+///   hosts on high-latency or geographically distant links.
 pub async fn discover(ips: IpSet) -> anyhow::Result<Vec<Host>> {
-    let mut result: Vec<Host> = Vec::new();
-    for ip in ips {
+    const CONCURRENCY_LIMIT: usize = 2048;
+    
+    // 1. Prepare Target Map for all IP x Common Port combinations
+    let mut target_map = TargetMap::new();
+    let port_set = PortSet::try_from(
+        DISCOVERY_PORTS.iter()
+            .map(|p| p.to_string())
+            .collect::<Vec<_>>()
+            .join(",")
+            .as_str()
+    )?;
+    target_map.add_unit(TargetSet::new(ips, port_set));
+
+    // 2. Setup Dispatcher and Shared State
+    let dispatcher = Dispatcher::new(target_map).with_batch_size(1024);
+    let mut rx = dispatcher.run_shuffled();
+    let mut set = JoinSet::new();
+    let found_hosts = Arc::new(Mutex::new(HashSet::new()));
+    let mut hosts = Vec::new();
+
+    // 3. Concurrent Execution Loop
+    while let Some(target) = rx.recv().await {
         if STOP_SIGNAL.load(Ordering::Relaxed) {
             break;
         }
-        if let Some(found) = prober(ip).await? {
-            result.push(found);
+
+        while set.len() >= CONCURRENCY_LIMIT {
+            if let Some(res) = set.join_next().await {
+                if let Ok(Ok(Some(host))) = res {
+                    hosts.push(host);
+                }
+            }
+        }
+
+        let inner_found = Arc::clone(&found_hosts);
+        set.spawn(async move { prober(target, inner_found).await });
+    }
+
+    // 4. Final Collection
+    while let Some(res) = set.join_next().await {
+        if let Ok(Ok(Some(host))) = res {
+            hosts.push(host);
         }
     }
-    Ok(result)
+
+    Ok(hosts)
 }
 
-/// Attempts a basic TCP connection to port 443 on the specified [`IpAddr`].
+/// Concurrent network host prober.
 ///
-/// Returns a basic [`Host`] object on success. Times out quickly (`100ms`) since it's
-/// primarily intended for rapid host discovery, not deep service enumeration.
-async fn prober(ip: IpAddr) -> anyhow::Result<Option<Host>> {
-    let socket_addr: SocketAddr = SocketAddr::new(ip, 443);
-    let probe_timeout: Duration = Duration::from_millis(100);
+/// Attempts a TCP connection to a specific [`Target`]. To minimize unnecessary 
+/// network traffic and OS resource usage, it employs a thread-safe early-exit 
+/// mechanism: if the host has already been identified by a parallel probe 
+/// (e.g., SSH responded before HTTP), this task terminates immediately.
+async fn prober(target: Target, found_set: Arc<Mutex<HashSet<IpAddr>>>) -> anyhow::Result<Option<Host>> {
+    // 1. Early exit if already discovered
+    {
+        let set = found_set.lock().unwrap();
+        if set.contains(&target.ip) {
+            return Ok(None);
+        }
+    }
+
+    let socket_addr: SocketAddr = SocketAddr::new(target.ip, target.port);
+    let probe_timeout: Duration = Duration::from_millis(1000);
 
     let start: Instant = Instant::now();
     match timeout(probe_timeout, TcpStream::connect(socket_addr)).await {
-        Ok(Ok(_)) | Ok(Err(_)) => {
-            increment_host_count();
-            let host: Host = Host::new(ip).with_rtt(start.elapsed());
-            Ok(Some(host))
+        Ok(Ok(_)) => {
+            // 2. Successful handshake -> Host is alive
+            let mut set = found_set.lock().unwrap();
+            if set.insert(target.ip) {
+                increment_host_count();
+                let host: Host = Host::new(target.ip).with_rtt(start.elapsed());
+                Ok(Some(host))
+            } else {
+                Ok(None)
+            }
+        }
+        Ok(Err(e)) => {
+            use std::io::ErrorKind;
+            // 3. Only specific TCP errors imply the target host responded at the IP/TCP layer
+            match e.kind() {
+                ErrorKind::ConnectionRefused | ErrorKind::ConnectionReset | ErrorKind::ConnectionAborted => {
+                    let mut set = found_set.lock().unwrap();
+                    if set.insert(target.ip) {
+                        increment_host_count();
+                        let host: Host = Host::new(target.ip).with_rtt(start.elapsed());
+                        Ok(Some(host))
+                    } else {
+                        Ok(None)
+                    }
+                }
+                _ => {
+                    // Ignore local network errors (No route, Permission denied, etc.)
+                    Ok(None)
+                }
+            }
         }
         Err(_elapsed) => Ok(None),
     }