0.3.2 — correctness + precision patch
Correctness fixes
- Engine rate limiter math fix — configured
rate_ppswas overshooting by ~1000× (10k pps configured delivered ~10M pps observed). Internal scale changed from ×1000 to ×1000000 so the per-μs refill now matches the configured rate at every value. Affects everysynscan-style burst. - Five correlation rules tightened to prevent cross-target false positives:
admin_exposed: a generic "Missing X header" finding no longer chains with an admin panel finding to claim "admin without auth".source_secrets,cors_secret_chain,wildcard_takeover,ssrf_internal: now require source/secret signals to share a host (or parent domain) before chaining.debug_rce: emits one chain per host instead of one chain whose target field misrepresents which host the listed endpoints actually live on.api_auth: now normalizes target hosts so http vs https vs port variants cluster.
Defense in depth
- 13 unbounded
.json().awaitcalls in intel sources (Shodan, VirusTotal, Censys, URLScan, GreyNoise, AbuseIPDB, ipinfo, PassiveDNS) now route throughgossan_core::net::bounded_jsonwith per-source caps. JsonBackend::load()no longer follows arbitrarynodes_file/edges_filepaths from the manifest — guards against path-traversal and information disclosure via parse-error messages.insecure_tls=truenow emits a one-shot warning at scan start so a degraded TLS posture is always visible in logs.