Skip to content

feat: validate JS Recon endpoints before graph ingest#137

Merged
samugit83 merged 1 commit into
samugit83:masterfrom
gbxbgbl:feature/js-recon-endpoint-validation
Jun 26, 2026
Merged

feat: validate JS Recon endpoints before graph ingest#137
samugit83 merged 1 commit into
samugit83:masterfrom
gbxbgbl:feature/js-recon-endpoint-validation

Conversation

@gbxbgbl

@gbxbgbl gbxbgbl commented May 29, 2026

Copy link
Copy Markdown

Summary

  • Adds endpoint validation for JS Recon candidates before they are written into the graph, while preserving raw endpoint candidates in the JS Recon JSON output.
  • Exposes accepted status codes and probe-only custom headers in project settings and the JS Recon UI.
  • Stores validation metadata on graph Endpoint nodes and adds regression coverage for filtered graph ingestion.

Type of Change

  • Bug fix
  • New feature
  • Refactor (no behavior change)
  • Documentation
  • Test

Component(s)

  • webapp (Next.js)
  • recon-orchestrator (Python)
  • agent (Python)
  • kali-sandbox / MCP servers
  • docs / wiki
  • other: ___

How to Test

  1. Run python -m py_compile recon\\main_recon_modules\\js_recon.py recon\\project_settings.py graph_db\\mixins\\recon\\js_recon_mixin.py recon\\tests\\test_js_recon.py tests\\test_js_recon_graph_ingestion.py.
  2. Run python -m unittest tests.test_js_recon_graph_ingestion -q.
  3. Run git diff --check master..HEAD.
  4. Optional local dependency checks: python recon\\tests\\test_js_recon.py, npm run type-check in webapp/, and npx --yes vitest run src/lib/recon-preset-schema.test.ts in webapp/.

Checklist

  • I have tested this change locally with docker compose
  • I have not included real-world target data
  • My commits follow Conventional Commits
  • I have read and agree to the DISCLAIMER.md

Screenshots

Not included.

Related Issues

Relates to JS Recon graph pollution from unreachable extracted endpoints.

@samugit83 samugit83 merged commit 877e541 into samugit83:master Jun 26, 2026
samugit83 added a commit that referenced this pull request Jun 27, 2026
…cy dial

Follow-up to #137. Endpoint validation now defaults OFF and only drops
endpoints a probe positively confirmed dead, so the out-of-the-box graph
ingestion behavior is unchanged while probing becomes an explicit opt-in.

- Default off: JS_RECON_VALIDATE_ENDPOINTS / jsReconValidateEndpoints now
  default to false across recon DEFAULT_SETTINGS, the validator's inline
  fallback, the Prisma schema, the DB column, the UI toggle, and the
  orchestrator /defaults endpoint.
- Fix fail-closed filter: the graph mixin now drops only 'not_hittable'
  endpoints and ingests 'hittable' + 'unvalidated' (and missing status).
  Without this, disabling probing — now the default — would have silently
  excluded every extracted endpoint from the graph.
- Add JS_RECON_ENDPOINT_CONCURRENCY / jsReconEndpointConcurrency (default
  10, clamped 1-20): a parallelism dial for endpoint probes, independent
  of the shared JS_RECON_CONCURRENCY used by downloads/secret validation.
  Wired through recon settings, the probe, Prisma, the preset schema +
  parameter catalog, and a UI number input. Also surfaced in the recon
  effective-settings log.
- Tests: update graph-ingestion expectations to the drop-only-dead
  semantics and add coverage for unvalidated endpoints being ingested
  when probing is off.
- Drive-by: fix two pre-existing RECON_PARAMETER_CATALOG lines
  (jsluiceVerifyAcceptStatus / jsluiceExcludePatterns) that used
  "array of integers/strings" and failed the type-annotation test.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants