# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [2026-04.1] - 2026-04-28

### Added

- **Domain input replaces email input** — no more data-collection appearance, direct domain entry
- **Interactive subdomain selection** — discovery pauses to show a list of probed subdomains, visitor picks one to scan
- **IP fast-path** — when an IP address is entered, subdomain discovery is skipped entirely and GoTestWAF scans directly
- **DNS probe with wildcard detection** — detects wildcard DNS (`*.domain.com`) and relies on TLS validation to filter real services from catch-all noise
- **TLS certificate validation** as the definitive subdomain filter — Go's HTTPS client validates cert + hostname, distinguishing real services from wildcard defaults
- **Wordlist-based subdomain probing** — loads 5000 common names from SecLists (`/opt/aasd/subdomains.txt`), replaces hardcoded 40-name list
- **Live probe progress** — frontend shows "Checking 142/5000 subdomains…" with animated pulse during discovery
- **Report naming** — `visitor_{token}.html` for user-facing reports, `consultant_{token}.html` for GoTestWAF output
- **Admin dashboard enhanced** — consultant report link only shown when file exists on disk; shows "No WAF report (target unreachable)" when GoTestWAF didn't produce output
- **Race condition guard** — `discoverSubdomains` now uses mutex-guarded status check to prevent overwriting `scanning` status back to `awaiting_selection`

### Changed

- **Pipeline restructured** — discovery phase now pauses (status `awaiting_selection`) for user to pick a target, then scan phase runs
- **Removed domain-scan binary** (43MB) — was ineffective without API keys, always timed out at 15s; replaced by direct HTTPS/TLS wordlist probe
- **ProbeSubdomains** now accepts `projectRoot` for wordlist path and `onProgress` callback for live progress
- **GoTestWAF report naming** — changed from `report_{token}_{domain}.html` to `consultant_{token}.html`
- **QR code URL** corrected to point to `visitor_{token}.html` instead of `report_{token}.html`
- **Config** — `base_url` set to `https://aasd.sechpoint.app`, admin password set to `Git3x2o26`
- **Directory structure reorganized** — `AttackSurface/` flattened to `aasd/src/`; removed stale `dist/` and `reports/` from source
- **Frontend** — step sequencer simplified to 3 steps (Domain Discovery, WAF Scan, AI Report); added subdomain selection panel
- **Frontend status** — adds `animate-pulse` CSS class to status dot during discovery
- **Admin dashboard** — back-end now checks `HasConsultantReport` by testing file existence, template conditionally shows link or "no report" text

### Fixed

- **Crash on IP submission** — `GenerateFallbackHTML` panicked on empty subdomains slice; now sets `Subdomains` to `[IP]` for IP fast-path
- **Race condition** — `discoverSubdomains` goroutine could overwrite `scanning` status set by `SelectAndScan`; now guarded by mutex check
- **Consultant report 404** — admin dashboard no longer shows broken link when GoTestWAF didn't produce output
- **GoTestWAF report naming mismatch** — GoTestWAF output file name now matches QR code and dashboard links
- **Early selection rejected with proper error** — `SelectAndScan` returns 400 Bad Request with explanation instead of 500 Internal Error

### Removed

- **Email capture** — entire email validation, extraction, and storage removed; domain is now the primary input
- **domain-scan binary** — removed from `/opt/aasd/` (43MB) and from build pipeline
- **`discover.go`** — entire file removed (dead code after domain-scan removal)
- **`FindMostCriticalSubdomain`** — heuristic scoring function removed (all subdomains now presented to user)
- **`CriticalDomain`** field — removed from `ScanResult` struct
- **Old report naming** — `{token}.html` → `visitor_{token}.html`, `report_{token}.html` → `consultant_{token}.html`
- **AttackSurface/** directory — reorganized into `aasd/src/`

## [0.3.0] - 2026-04-22

### Added

- Comprehensive email validation with regex pattern
- Domain security validation (path traversal prevention, length limits)
- Graceful shutdown with OS signal handling (SIGINT, SIGTERM)
- Context propagation for GoTestWAF scan cancellation
- Reports static file serving endpoint (`/reports/*`)
- Go 1.25.0 compiler support
- Scan status polling endpoint (`/scan-status/:domain`) for real-time updates

### Changed

- GoTestWAF command flags updated for compatibility:
  - Removed invalid `--testCase "all"` flag
  - Added `--reportFormat html` flag for HTML report generation
- Fixed report file naming consistency
- Improved error handling throughout application
- Enhanced code quality with Go idiomatic patterns
- Updated main.go with proper context management

### Fixed

- **Critical**: GoTestWAF integration bugs causing scan failures
- **Critical**: Missing `--reportFormat` flag preventing HTML report generation
- **Critical**: Report file mismatch between stored results and generated files
- **Security**: Weak email validation allowing malformed input
- **Security**: Path traversal vulnerability in domain handling
- **Code Quality**: Monolithic function structure violating 50-line limit
- **Concurrency**: Potential race conditions in map access
- **Resource Leaks**: Goroutines not properly cancelled on shutdown
- **Missing Feature**: Reports not served via web endpoint

### Removed

- Invalid GoTestWAF flag `--testCase "all"` (not supported in current version)

## [0.2.0] - 2026-04-21

### Added

- Gin web framework dependency installed
- POST `/start` endpoint with email domain extraction and validation
- Static file serving (`/static`, `/`, `/simulation`)
- In-memory storage for scan results with thread-safe mutex
- Basic HTML frontend: capture page (`index.html`) with QR placeholder
- Simulation page (`simulation.html`) with JavaScript step sequencer
- Consultant dashboard (`/admin-dashboard`) with results table
- GoTestWAF binary integration (background execution with flags)
- Reports directory auto-creation
- Server listens on `0.0.0.0:8080` for booth Wi-Fi access

### Changed

- Project structure refined: `AttackSurface/{bin,src,docs}`
- Git repository initialized with `main` branch
- Go 1.24.4 installed via official binary

## [0.1.0] - 2026-04-21

### Added

- Project initialization based on PROJECT_PLAN.md
- Basic directory structure for Go web application
- GoTestWAF binary integration (planned)
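The 0.3.0 entry "Domain security validation (path traversal prevention, length limits)" and the 2026-04.1 "IP fast-path" both hinge on what the server accepts as a target before it ever lands in a report file name, the `/scan-status/:domain` URL or a GoTestWAF argument. The following Go snippet is an added illustration written for this changelog, not code from the aasd project; `ValidateTarget`, `TargetKind` and the error values are assumed names, and the exact character set it refuses is this example's choice.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// TargetKind tells the pipeline which path to take: IP addresses skip
// subdomain discovery and go straight to the WAF scan; domains are probed first.
type TargetKind string

const (
	KindIP     TargetKind = "ip"
	KindDomain TargetKind = "domain"

	maxDomainLen = 253 // RFC 1035 limit for a fully qualified name
	maxLabelLen  = 63  // RFC 1035 limit for a single label
)

// labelRe matches one DNS label: letters, digits and hyphens, no hyphen at either end.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

var (
	ErrEmpty    = errors.New("target is empty")
	ErrUnsafe   = errors.New("target contains characters not allowed in a hostname")
	ErrTooLong  = errors.New("target exceeds the maximum hostname length")
	ErrBadLabel = errors.New("target contains an invalid DNS label")
)

// ValidateTarget normalizes raw form input and classifies it as an IP or a domain.
// The validated string is later embedded in report file names and in the
// /scan-status/:domain URL, so anything that could change meaning in a path
// (slashes, "..", percent escapes, whitespace, URL delimiters) is rejected here,
// before the value reaches the filesystem or a subprocess argument.
func ValidateTarget(input string) (TargetKind, string, error) {
	s := strings.ToLower(strings.TrimSpace(input))
	if s == "" {
		return "", "", ErrEmpty
	}
	// IP fast-path: a literal IPv4/IPv6 address needs no discovery at all.
	// The zone suffix (if any) is dropped so no '%' can reach a file name.
	if addr, err := netip.ParseAddr(s); err == nil {
		return KindIP, addr.WithZone("").String(), nil
	}
	// Path-traversal and delimiter guard. The check runs on the raw string,
	// so an encoded "%2e%2e" is refused together with a literal "..".
	if strings.Contains(s, "..") || strings.ContainsAny(s, "/\\%?#@:;\t\r\n ") {
		return "", "", ErrUnsafe
	}
	s = strings.TrimSuffix(s, ".") // tolerate a trailing FQDN dot
	if len(s) > maxDomainLen {
		return "", "", ErrTooLong
	}
	labels := strings.Split(s, ".")
	if len(labels) < 2 { // require at least name + TLD; a bare host is not a public attack surface
		return "", "", ErrBadLabel
	}
	for _, l := range labels {
		if len(l) > maxLabelLen || !labelRe.MatchString(l) {
			return "", "", ErrBadLabel
		}
	}
	return KindDomain, s, nil
}

func main() {
	// Constructed sample inputs: one of each outcome.
	for _, in := range []string{"Example.COM.", "10.0.0.5", "../../etc/passwd", "-bad.com"} {
		kind, v, err := ValidateTarget(in)
		fmt.Printf("%-20q kind=%-6s value=%q err=%v\n", in, kind, v, err)
	}
}
```

Because the IP check runs before the delimiter check, IPv6 literals (which contain `:`) are still accepted; everything that is neither an address nor a plain multi-label hostname is refused with a typed error the handler can turn into a 400 rather than a 500.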
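The 2026-04.1 "Race condition guard" and "Early selection rejected with proper error" entries describe one state machine: the discovery goroutine must not regress a token from `scanning` back to `awaiting_selection`, and a selection made before discovery finishes is a client error (400), not a crash (500). The Go example below is added here to show that pattern and is not the project's own code; the `Store` type, its methods and the `HTTPStatusFor` mapping are assumed names, and the status strings follow the changelog's `awaiting_selection` and `scanning`.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sync"
)

// ScanStatus is the pipeline state of one scan token.
type ScanStatus string

const (
	StatusDiscovering       ScanStatus = "discovering"
	StatusAwaitingSelection ScanStatus = "awaiting_selection"
	StatusScanning          ScanStatus = "scanning"
)

// ScanResult is the per-token record; every access goes through Store's mutex.
type ScanResult struct {
	Status     ScanStatus
	Subdomains []string
	Selected   string
}

// Store is the in-memory result map, guarded by a single mutex.
type Store struct {
	mu      sync.Mutex
	results map[string]*ScanResult
}

func NewStore() *Store { return &Store{results: make(map[string]*ScanResult)} }

var (
	ErrUnknownToken = errors.New("unknown scan token")
	ErrNotReady     = errors.New("discovery still running, no subdomains to choose from yet")
	ErrAlreadyBusy  = errors.New("a target was already selected for this token")
	ErrNotOffered   = errors.New("subdomain was not in the discovered list")
)

// StartDiscovery registers a token in the discovering state.
func (s *Store) StartDiscovery(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.results[token] = &ScanResult{Status: StatusDiscovering}
}

// FinishDiscovery is what the discovery goroutine calls when probing ends.
// The status check and the write happen under the same lock, so if the user
// already moved the token to "scanning", the late goroutine changes nothing
// and reports false instead of regressing the status to "awaiting_selection".
func (s *Store) FinishDiscovery(token string, subdomains []string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.results[token]
	if !ok || r.Status != StatusDiscovering {
		return false
	}
	r.Subdomains = append([]string(nil), subdomains...) // copy: caller keeps its slice
	r.Status = StatusAwaitingSelection
	return true
}

// SelectAndScan moves a token to "scanning". Selecting before discovery has
// finished is a client error (ErrNotReady, mapped to 400), and only a host that
// discovery actually offered can be chosen, so the scanner never gets an
// arbitrary user-supplied target.
func (s *Store) SelectAndScan(token, subdomain string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.results[token]
	if !ok {
		return ErrUnknownToken
	}
	switch r.Status {
	case StatusDiscovering:
		return ErrNotReady
	case StatusScanning:
		return ErrAlreadyBusy
	}
	for _, d := range r.Subdomains {
		if d == subdomain {
			r.Selected = subdomain
			r.Status = StatusScanning
			return nil
		}
	}
	return ErrNotOffered
}

// Status returns a snapshot for the polling endpoint.
func (s *Store) Status(token string) (ScanStatus, string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.results[token]
	if !ok {
		return "", "", false
	}
	return r.Status, r.Selected, true
}

// HTTPStatusFor maps store errors to response codes: client mistakes are 4xx,
// only genuinely unexpected errors become 500.
func HTTPStatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrUnknownToken):
		return http.StatusNotFound
	case errors.Is(err, ErrNotReady), errors.Is(err, ErrNotOffered), errors.Is(err, ErrAlreadyBusy):
		return http.StatusBadRequest
	default:
		return http.StatusInternalServerError
	}
}

func main() {
	st := NewStore()
	st.StartDiscovery("tok1")
	fmt.Println("early select:", st.SelectAndScan("tok1", "www.example.com")) // ErrNotReady
	st.FinishDiscovery("tok1", []string{"www.example.com", "api.example.com"}) // constructed list
	fmt.Println("select:", st.SelectAndScan("tok1", "www.example.com"))      // <nil>
	fmt.Println("late finish applied:", st.FinishDiscovery("tok1", []string{"x.example.com"}))
	status, sel, _ := st.Status("tok1")
	fmt.Println(status, sel) // scanning www.example.com
}
```

The key point is that `FinishDiscovery` is a compare-and-set under the same mutex the handler uses: an unguarded `results[token].Status = "awaiting_selection"` after the probe returns is exactly the write that could overwrite `scanning`.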