feat: major cleanup — remove dashboard, semantic CLI, banner, API management, uninstall, more tools

[Copilot]

Summary

Complete overhaul of macaron as described in the issue. All changes build and all tests pass.

---

Changes

Removed

• Dashboard entirely deleted — internal/ui/ (server.go + HTML assets), serve command, all related flags and references

CLI / UX

• CLI banner — new internal/cliui/banner.go with ASCII art, NO_COLOR support, and Info/OK/Warn/Err color helpers
• Semantic subcommand interface — replaced cryptic 3-letter flag codes (-scn, -sts, -res, -sak, etc.) with clear subcommands and readable flags:
  • macaron scan -t <domain> -p <profile> --stages ...
  • macaron status, results, setup, export, config, guide, version
  • macaron api list|set|unset|import|bulk
  • macaron uninstall
• macaron uninstall — locates binary via os.Executable(), removes it from PATH, optionally removes storage directory (with confirmation prompt or --yes flag)
• No tech-stack mentions anywhere in CLI output (removed Go version, SQLite references, "macaronV2" branding)

API Management

• Global key store shared across all tools macaron runs — no per-tool config needed
• macaron api set key=value [key=value ...] — set one or more keys
• macaron api unset key [key ...] — remove keys
• macaron api list — show masked keys
• macaron api import — pull keys from installed tool configs (subfinder ~/.config/subfinder/provider-config.yaml, amass config)
• macaron api bulk -f keys.yaml — load many keys at once from a YAML file
• When macaron runs subfinder, keys are injected via a temporary provider-config.yaml — user's own subfinder config is never modified

Pipeline improvements

• More tools — catalog expanded from 10 → 16: amass, gospider, hakrawler, ffuf, gobuster, feroxbuster added
• Port scanning — naabu-backed when installed (1000 ports), with native TCP-dial fallback on failure (with warning)
• URL discovery — Wayback CDX + gau + katana all run when available (per-host)
• Subdomain stage — amass added alongside subfinder/assetfinder/findomain
• Tool inventory table shows role for each tool

Documentation

• README completely rewritten — researcher-oriented language, no tech-stack mentions, tables for pipeline stages / tools / flags, API management section, install instructions

Testing

• All existing tests updated to cover new API
• New tests: TestApplyProfileBalanced, TestLooksLikeDomain, TestMacaronHomeOverride
• go build ./... and go test ./... pass cleanly
• CodeQL scan: 0 alerts

[Copilot]

Pull request overview

This PR is a major CLI- and pipeline-focused overhaul of macaron, removing the web dashboard/UI and replacing legacy flags with semantic subcommands while expanding tool support and introducing global API key management.

Changes:

• Removes the dashboard (internal/ui) and related CLI surface area.
• Reworks the CLI into subcommands (scan/status/results/setup/export/config/api/uninstall) with a new banner + output helpers.
• Expands pipeline/tooling (e.g., amass subdomains, naabu ports, gau/katana URLs) and adds API key import/bulk management with subfinder key injection.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
README.md	Rewritten usage docs reflecting new subcommand-based CLI and pipeline/tool inventory.
internal/ui/server.go	Deletes the dashboard server implementation.
internal/ui/assets/index.html	Deletes dashboard frontend assets.
internal/engine/engine.go	Adds amass, naabu port scanning, gau/katana URL discovery, and subfinder API key injection.
internal/cliui/banner.go	Adds CLI banner + colored Info/OK/Warn/Err helpers with NO_COLOR support.
internal/cfg/config.go	Adds bulk load + import helpers for API keys and subfinder provider-config generation.
internal/app/app.go	Expands tool catalog/tool inventory output and updates status/setup rendering.
cmd/macaron/main.go	Replaces legacy flags with a subcommand dispatcher; adds api + uninstall flows.
cmd/macaron/main_test.go	Removes legacy arg-normalization tests; adds tests for profiles/domain detection/home override.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Save writes config.yaml with mode 0644, but this file contains API keys/secrets. This makes keys readable by other users on the system. Use a restrictive permission (e.g., 0600) when writing the config file (and ideally preserve permissions on updates).

Suggested change

	return os.WriteFile(filepath.Join(storageRoot, "config.yaml"), b, 0o644)
	path := filepath.Join(storageRoot, "config.yaml")
	mode := os.FileMode(0o600)
	if info, err := os.Stat(path); err == nil {
	mode = info.Mode().Perm()
	} else if !os.IsNotExist(err) {
	return err
	}
	return os.WriteFile(path, b, mode)

[Copilot]

readAmassConfig attempts to parse ~/.config/amass/config.ini via yaml.Unmarshal, which will fail for INI format and silently skip importing keys from that file. Either parse INI properly (if you want to support it) or remove the .ini candidate to avoid a non-functional import path.

[Copilot]

BulkLoadFile returns len(bulk.APIKeys) even though empty/whitespace values are skipped during merge. This can report that N keys were loaded when fewer were actually applied. Consider counting only the keys that are actually inserted/updated in cfg.APIKeys and returning that count.

Suggested change

	for k, v := range bulk.APIKeys {
	k = strings.ToLower(strings.TrimSpace(k))
	if k != "" && strings.TrimSpace(v) != "" {
	cfg.APIKeys[k] = strings.TrimSpace(v)
	}
	}
	return len(bulk.APIKeys), nil
	count := 0
	for k, v := range bulk.APIKeys {
	k = strings.ToLower(strings.TrimSpace(k))
	v = strings.TrimSpace(v)
	if k != "" && v != "" {
	cfg.APIKeys[k] = v
	count++
	}
	}
	return count, nil

[Copilot]

writeSubfinderProviderConfig writes YAML manually and emits raw key strings without quoting/escaping. API keys often contain characters that can break YAML (e.g., :, #, leading/trailing spaces), which would make subfinder fail to read the provider config. Prefer generating the YAML via yaml.Marshal (or reuse the existing provider-config writer in internal/cfg) so values are correctly escaped and the provider mapping logic lives in one place.

[Copilot]

All subcommands ignore flag parsing errors (_ = fs.Parse(args)). With ContinueOnError, this means unknown flags / missing values / --help can be silently ignored and execution continues with partial/default values (e.g., treating leftover args as targets). Capture and handle the parse error (including pflag.ErrHelp) and return a non-zero exit code where appropriate.

[Copilot]

uninstall --yes sets removeStorage = storage != "", so running macaron uninstall --yes will never remove the default storage directory even though the interactive flow offers to remove it. This makes --yes behave differently than “answer yes to prompts”. Consider either adding an explicit --remove-storage flag or making --yes apply to both prompts (and keep --storage as the path selector).

Suggested change

	removeStorage = storage != ""
	removeStorage = home != ""

[Copilot]

The README states MACARON_HOME is “not yet supported”, but macaronHome() already honors the MACARON_HOME environment variable. Update the docs to reflect current behavior (or remove env support if it’s not intended).

Suggested change

	Override with `--storage /path/to/dir` or `MACARON_HOME` (env not yet supported — use the flag).
	Override with `--storage /path/to/dir` or the `MACARON_HOME` environment variable.