# utils.py
# SuperRecon utils - improved (compat_resources + Wappalyzer DB validation + regex fixes)
import os
import re
import json
import socket
import logging
import ssl
import gzip
import OpenSSL
import dns.resolver
import httpx
from urllib.parse import urljoin, urlparse, quote_plus
from bs4 import BeautifulSoup
from datetime import datetime, date, timezone
from collections import defaultdict
from typing import List, Dict, Any, Optional, Tuple
import asyncio
import random
import ipaddress
import ipwhois
import time
from functools import lru_cache
from playwright.async_api import async_playwright
import whois
from Wappalyzer import Wappalyzer, WebPage
import builtwith
import subprocess
import hashlib

# optional import for charset detection (best-effort)
try:
    from charset_normalizer import from_bytes
except Exception:
    from_bytes = None

# optional brotli decompress
try:
    import brotli
except Exception:
    brotli = None

# -------------------- Logger setup --------------------
logger = logging.getLogger("SuperRecon.utils")
if not logger.handlers:
    handler = logging.StreamHandler()
    formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")
    handler.setFormatter(formatter)
    logger.addHandler(handler)
logger.setLevel(os.environ.get("SUPERR_LOG_LEVEL", "INFO"))

# Directory to store raw evidence
EVIDENCE_DIR = os.environ.get("SUPERR_EVIDENCE_DIR", "./evidence")
os.makedirs(EVIDENCE_DIR, exist_ok=True)


# -------------------- Compatibility layer (replacement for pkg_resources) --------------------
# Provides: get_version, resource_bytes, resource_text, resource_path (context manager),
# iter_entry_points, load_entry_point, parse_requirement, installed_distributions, dist_metadata
try:
    # importlib.metadata (stdlib) with backport fallback
    from importlib.metadata import distribution, distributions, entry_points, version as _version, PackageNotFoundError  # type: ignore
except Exception:
    from importlib_metadata import distribution, distributions, entry_points, version as _version, PackageNotFoundError  # type: ignore

# importlib.resources with backport fallback
try:
    from importlib.resources import files, as_file, read_binary, read_text  # type: ignore
except Exception:
    from importlib_resources import files, as_file, read_binary, read_text  # type: ignore

from contextlib import contextmanager
from packaging.requirements import Requirement
from packaging.version import Version, InvalidVersion

def get_version(package_name: str) -> Optional[str]:
    try:
        return _version(package_name)
    except Exception:
        return None

def resource_bytes(package: str, resource: str) -> bytes:
    return read_binary(package, resource)

def resource_text(package: str, resource: str, encoding: str = "utf-8") -> str:
    return read_text(package, resource, encoding=encoding)

@contextmanager
def resource_path(package: str, resource: str):
    """
    Yields a filesystem Path for resource if possible.
    Usage:
      with resource_path('mypkg', 'data/file.txt') as p:
          open(p)...
    """
    p = files(package).joinpath(resource)
    with as_file(p) as fp:
        yield fp

class EP:
    def __init__(self, ep):
        self._ep = ep

    @property
    def name(self):
        return self._ep.name

    @property
    def value(self):
        return self._ep.value

    def load(self):
        return self._ep.load()

def iter_entry_points(group: str):
    eps = entry_points()
    try:
        group_eps = eps.select(group=group)  # py3.10+
    except Exception:
        try:
            group_eps = [e for e in eps if getattr(e, "group", None) == group]
        except Exception:
            group_eps = eps.get(group, [])  # type: ignore
    for e in group_eps:
        yield EP(e)

def load_entry_point(group: str, name: str):
    for ep in iter_entry_points(group):
        if ep.name == name:
            return ep.load()
    raise LookupError(f"entry point {group}:{name} not found")

def parse_requirement(req_str: str) -> Requirement:
    return Requirement(req_str)

def installed_distributions():
    for dist in distributions():
        yield dist

def dist_metadata(name: str):
    try:
        return distribution(name).metadata
    except PackageNotFoundError:
        return None

def dist_files(name: str):
    try:
        return distribution(name).files
    except PackageNotFoundError:
        return None


# -------------------- Safe JSON Helpers --------------------
def _make_json_safe(obj):
    if obj is None or isinstance(obj, (bool, int, float, str)):
        return obj
    if isinstance(obj, dict):
        new = {}
        for k, v in obj.items():
            try:
                key = str(k)
            except Exception:
                key = repr(k)
            new[key] = _make_json_safe(v)
        return new
    if isinstance(obj, (list, tuple, set)):
        return [_make_json_safe(i) for i in obj]
    try:
        if isinstance(obj, (datetime, date)):
            return obj.isoformat()
    except Exception:
        pass
    try:
        import httpx as _httpx
        if isinstance(obj, _httpx.Response):
            try:
                text_snippet = obj.text[:1000]
            except Exception:
                text_snippet = None
            return {
                "status_code": obj.status_code,
                "url": str(obj.url) if hasattr(obj, "url") else None,
                "headers": dict(obj.headers) if hasattr(obj, "headers") else None,
                "text_snippet": text_snippet
            }
    except Exception:
        pass
    try:
        return str(obj)
    except Exception:
        return repr(obj)

def safe_json(obj):
    try:
        safe = _make_json_safe(obj)
        json.dumps(safe, ensure_ascii=False)
        return safe
    except Exception as e:
        logger.exception("safe_json conversion failed")
        return {
            "error": "safe_json_conversion_failed",
            "error_str": str(e),
            "repr": repr(obj)[:2000]
        }


# -------------------- UUID Generator --------------------
def generate_scan_id():
    import uuid
    return str(uuid.uuid4())


# -------------------- Stealth Mode Enhancements --------------------
def get_random_user_agent():
    user_agents = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15",
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Edg/120.0.0.0"
    ]
    return random.choice(user_agents)

def get_realistic_headers(url: Optional[str] = None):
    from urllib.parse import urlparse
    time.sleep(random.uniform(0.02, 0.15))
    domain = urlparse(url).netloc if url else "example.com"
    user_agent = get_random_user_agent()
    accept_headers = {
        "Chrome": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
        "Firefox": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Safari": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Edge": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
        "Opera": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
    }
    browser = "Chrome"
    if "Firefox" in user_agent:
        browser = "Firefox"
    elif "Safari" in user_agent and "Chrome" not in user_agent:
        browser = "Safari"
    elif "Edg" in user_agent or "Edge" in user_agent:
        browser = "Edge"
    languages = ["en-US,en;q=0.9", "en-GB,en;q=0.9", "ar-JO,ar;q=0.9,en;q=0.8", "fr-FR,fr;q=0.9,en;q=0.8"]
    encodings = ["gzip, deflate, br", "gzip, deflate", "gzip, br", "deflate, br"]
    headers = {
        "User-Agent": user_agent,
        "Accept": accept_headers.get(browser, accept_headers["Chrome"]),
        "Accept-Language": random.choice(languages),
        "Accept-Encoding": random.choice(encodings),
        "Connection": "keep-alive",
        "Upgrade-Insecure-Requests": "1",
        "DNT": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "none",
        "Sec-Fetch-User": "?1",
        "Referer": f"https://www.google.com/search?q={domain.replace('.', '+')}",
        "Cache-Control": "max-age=0"
    }
    return headers


# -------------------- Evidence storage --------------------
def store_raw_evidence(content: bytes, prefix: str = "body") -> Dict[str, Any]:
    sha = hashlib.sha256(content).hexdigest()
    filename = f"{prefix}_{sha}.bin"
    path = os.path.join(EVIDENCE_DIR, filename)
    try:
        if not os.path.exists(path):
            with open(path, "wb") as fh:
                fh.write(content)
        return {"path": path, "sha256": sha, "timestamp": datetime.utcnow().isoformat() + "Z"}
    except Exception as e:
        logger.debug(f"Failed to store evidence: {e}")
        return {"error": str(e)}


# -------------------- Retry/backoff wrapper (async) --------------------
async def async_request_with_retry(method: str, url: str, client: httpx.AsyncClient, max_retries: int = 4,
                                   base_delay: float = 0.5, timeout: int = 15, headers: dict = None):
    attempt = 0
    while attempt <= max_retries:
        try:
            attempt += 1
            resp = await client.request(method, url, timeout=timeout, headers=headers)
            if resp.status_code == 429 or (500 <= resp.status_code < 600 and resp.status_code != 501):
                raise httpx.HTTPStatusError("Retryable status", request=resp.request, response=resp)
            return resp
        except Exception as e:
            if attempt > max_retries:
                logger.debug(f"Request failed (max retries) for {url}: {e}")
                return None
            sleep = base_delay * (2 ** (attempt - 1))
            jitter = random.uniform(0, sleep)
            await asyncio.sleep(jitter)
    return None


# -------------------- WHOIS --------------------
def whois_lookup(domain: str) -> dict:
    try:
        w = whois.whois(domain)
        return {"source": "python-whois", "timestamp": datetime.utcnow().isoformat() + "Z", "data": safe_json(w)}
    except Exception as e:
        logger.debug(f"whois_lookup error: {e}")
        return {"source": "python-whois", "timestamp": datetime.utcnow().isoformat() + "Z", "error": str(e)}


# -------------------- DNS --------------------
@lru_cache(maxsize=256)
def get_dns_records(domain: str) -> Dict[str, List[str]]:
    records = defaultdict(list)
    try:
        for rtype in ("A", "AAAA", "CNAME", "MX", "NS", "TXT"):
            try:
                answers = dns.resolver.resolve(domain, rtype, lifetime=5)
                for r in answers:
                    records[rtype].append(str(r).strip())
            except Exception:
                continue
    except Exception as e:
        logger.debug(f"get_dns_records error: {e}")
    return dict(records)

def resolve_cname_chain(hostname: str, max_depth: int = 6) -> List[str]:
    chain = []
    try:
        resolver = dns.resolver.Resolver()
        resolver.lifetime = 5
        curr = hostname
        for _ in range(max_depth):
            try:
                answers = resolver.resolve(curr, "CNAME")
                if not answers:
                    break
                target = str(answers[0].target).rstrip(".")
                chain.append(target)
                curr = target
            except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.resolver.NoNameservers):
                break
            except Exception:
                break
    except Exception as e:
        logger.debug(f"resolve_cname_chain error for {hostname}: {e}")
    return chain


# -------------------- SSL/TLS info --------------------
def get_ssl_info(domain: str) -> Dict[str, Any]:
    res = {
        "valid": False,
        "issuer": None,
        "subject": None,
        "not_before": None,
        "not_after": None,
        "expired": None,
        "san": [],
        "raw_pem": None,
        "error": None
    }
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((domain, 443), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=domain) as ss:
                der = ss.getpeercert(binary_form=True)
                pem = ssl.DER_cert_to_PEM_cert(der)
                res["raw_pem"] = pem
                x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem)
                res["issuer"] = {k.decode() if isinstance(k, bytes) else k: v.decode() if isinstance(v, bytes) else v
                                 for k, v in x509.get_issuer().get_components()}
                res["subject"] = {k.decode() if isinstance(k, bytes) else k: v.decode() if isinstance(v, bytes) else v
                                  for k, v in x509.get_subject().get_components()}
                not_before = x509.get_notBefore()
                not_after = x509.get_notAfter()
                res["not_before"] = not_before.decode() if isinstance(not_before, bytes) else str(not_before)
                res["not_after"] = not_after.decode() if isinstance(not_after, bytes) else str(not_after)
                for i in range(x509.get_extension_count()):
                    ext = x509.get_extension(i)
                    if ext.get_short_name() == b'subjectAltName':
                        res["san"] = [s.strip() for s in str(ext).split(',')]
                res["valid"] = True
                try:
                    dt = datetime.strptime(res["not_after"][:14], "%Y%m%d%H%M%S")
                    res["expired"] = dt < datetime.utcnow()
                except Exception:
                    res["expired"] = None
    except Exception as e:
        res["error"] = str(e)
        logger.debug(f"get_ssl_info error for {domain}: {e}")
    return res


# -------------------- Robots (try https then http, handle encodings/charset/compression) --------------------
async def analyze_robots(domain: str) -> Dict[str, Any]:
    tried = []
    async with httpx.AsyncClient(follow_redirects=True) as client:
        for scheme in ("https://", "http://"):
            url = f"{scheme}{domain}/robots.txt"
            tried.append(url)
            headers = get_realistic_headers(url)
            r = await async_request_with_retry("GET", url, client, headers=headers, timeout=10)
            if not r:
                continue
            if r.status_code == 200:
                raw = r.content or b""
                ev = store_raw_evidence(raw, prefix="robots")
                text = None
                # if content is compressed (gzip)
                try:
                    if raw.startswith(b'\x1f\x8b'):
                        try:
                            text = gzip.decompress(raw).decode('utf-8', errors='replace')
                        except Exception:
                            try:
                                text = r.text
                            except Exception:
                                text = None
                    elif brotli and (not raw.startswith(b'\x1f\x8b')) and (b'br' in (r.headers.get('content-encoding') or '').lower() or raw[:2] == b'\x8b'):
                        try:
                            text = brotli.decompress(raw).decode('utf-8', errors='replace')
                        except Exception:
                            text = None
                    else:
                        text = None
                except Exception:
                    text = None

                # try charset_normalizer
                if text is None and from_bytes:
                    try:
                        result = from_bytes(raw)
                        best = result.best()
                        if best:
                            text = best.read()
                    except Exception:
                        text = None
                if text is None:
                    try:
                        text = raw.decode(r.encoding or "utf-8", errors="replace")
                    except Exception:
                        try:
                            text = r.text
                        except Exception:
                            text = raw.decode("utf-8", errors="replace")

                # sanitize and parse lines
                rules = []
                sitemaps = []
                for line in text.splitlines():
                    line = line.strip()
                    if not line or line.startswith("#"):
                        continue
                    parts = (line.split(":", 1) + [""])[:2]
                    k = parts[0].strip().lower()
                    v = parts[1].strip()
                    if k == "sitemap":
                        sitemaps.append(v)
                    else:
                        rules.append({"directive": k, "value": v})
                return {"exists": True, "content_snippet": text[:8000], "rules": rules, "sitemaps": sitemaps, "fetched_from": url, "raw_evidence": ev}
    return {"exists": False, "tried": tried, "error": "robots not found or unreachable (checked https and http)"}


# -------------------- Extract links & resources --------------------
def extract_links_and_scripts(html: str, base_url: str) -> dict:
    if not html:
        return {"js_links": [], "css_links": [], "internal_links": [], "external_links": [], "image_links": [], "form_links": [], "api_links": [], "meta_tags": []}
    try:
        soup = BeautifulSoup(html, "lxml")
        results = {"js_links": [], "css_links": [], "internal_links": [], "external_links": [], "image_links": [], "form_links": [], "api_links": [], "meta_tags": []}
        base_domain = urlparse(base_url).netloc.split(":")[0] if base_url else ""
        for s in soup.find_all("script", src=True):
            src = s["src"].strip()
            full = urljoin(base_url, src)
            results["js_links"].append(full)
        for l in soup.find_all("link", rel=lambda r: r and "stylesheet" in r, href=True):
            href = l["href"].strip()
            full = urljoin(base_url, href)
            results["css_links"].append(full)
        for m in soup.find_all("meta"):
            results["meta_tags"].append({k: m.get(k) for k in ("name", "property", "content", "http-equiv") if m.get(k)})
        for a in soup.find_all("a", href=True):
            href = a["href"].strip()
            if href.startswith(("mailto:", "tel:", "javascript:", "#")):
                continue
            full = urljoin(base_url, href)
            try:
                netloc = urlparse(full).netloc.split(":")[0]
            except Exception:
                netloc = ""
            if netloc == base_domain:
                results["internal_links"].append(full)
            else:
                results["external_links"].append(full)
        for img in soup.find_all("img", src=True):
            src = img["src"].strip()
            full = urljoin(base_url, src)
            results["image_links"].append(full)
        for form in soup.find_all("form", action=True):
            action = form["action"].strip()
            full = urljoin(base_url, action)
            results["form_links"].append(full)
            if "/api/" in full or "/graphql" in full:
                results["api_links"].append(full)
        for k in ("js_links", "css_links", "internal_links", "external_links", "image_links", "form_links", "api_links"):
            results[k] = list(dict.fromkeys(results[k]))
        return results
    except Exception as e:
        logger.debug(f"extract_links error: {e}")
        return {"js_links": [], "css_links": [], "internal_links": [], "external_links": [], "image_links": [], "form_links": [], "api_links": [], "meta_tags": []}


# -------------------- Playwright render (returns content, headers, final_url) --------------------
async def get_dynamic_html(url: str, timeout: int = 20) -> Tuple[str, Dict[str, str], str]:
    try:
        async with async_playwright() as pw:
            browser = await pw.chromium.launch(args=["--no-sandbox"], headless=True)
            page = await browser.new_page()
            await page.set_extra_http_headers(get_realistic_headers(url))
            # navigate and capture main response
            resp = await page.goto(url, wait_until="networkidle", timeout=timeout * 1000)
            await asyncio.sleep(0.25)
            content = await page.content()
            # extract headers from the main response if available
            headers = {}
            final_url = url
            try:
                if resp:
                    headers = resp.headers or {}
                    final_url = resp.url or page.url
                else:
                    final_url = page.url
            except Exception:
                headers = {}
            await browser.close()
            headers = {str(k): str(v) for k, v in (headers or {}).items()}
            return content or "", headers, final_url or url
    except Exception as e:
        logger.debug(f"Playwright error: {e}")
        return "", {}, url


# -------------------- Static fetch --------------------
async def fetch_static(url: str, timeout: int = 15) -> Optional[httpx.Response]:
    headers = get_realistic_headers(url)
    async with httpx.AsyncClient(follow_redirects=True) as client:
        resp = await async_request_with_retry("GET", url, client, timeout=timeout, headers=headers)
        return resp


# -------------------- Wappalyzer helpers: DB validation --------------------
def _iter_values_recursively(obj):
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _iter_values_recursively(v)
    elif isinstance(obj, list):
        for i in obj:
            yield from _iter_values_recursively(i)
    elif isinstance(obj, str):
        yield obj

def validate_wappalyzer_db(path: str) -> List[Tuple[str, str, str]]:
    """
    Validate regex patterns inside a Wappalyzer technologies.json file.
    Returns list of tuples: (technology_name, pattern_string, error_message)
    """
    bad = []
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except Exception as e:
        logger.debug(f"validate_wappalyzer_db: failed to load JSON: {e}")
        return bad
    for tech_name, tech_def in data.items():
        try:
            for s in _iter_values_recursively(tech_def):
                if not isinstance(s, str):
                    continue
                # quick skip for short tokens unlikely to be regex
                if len(s) < 4:
                    continue
                try:
                    re.compile(s)
                except re.error as rex:
                    bad.append((tech_name, s, str(rex)))
                except Exception:
                    # ignore other compile-time issues
                    continue
        except Exception:
            continue
    return bad


# -------------------- Wappalyzer / BuiltWith / JS/CSS heuristics --------------------
def compute_tech_confidence_from_wappalyzer(data: dict) -> int:
    confidence = 50
    detection = data.get("detection", {})
    if isinstance(detection, dict):
        if "headers" in detection:
            confidence = max(confidence, 85)
        if "script" in detection or "js" in detection:
            confidence = max(confidence, 80)
        if "meta" in detection:
            confidence = max(confidence, 75)
    return confidence

async def detect_technologies_wappalyzer(url: str, html: str, headers: dict) -> list:
    try:
        webpage = WebPage(url, html or "", headers or {})
        # try Wappalyzer.latest() but be resilient
        try:
            w = Wappalyzer.latest()
        except Exception as e:
            # fallback to local DB if available (with validation)
            tech_path = os.path.join(os.path.dirname(__file__), "technologies.json")
            if os.path.exists(tech_path):
                try:
                    # validate DB first to log problematic regexs
                    bad = validate_wappalyzer_db(tech_path)
                    if bad:
                        logger.warning(f"Wappalyzer DB contains {len(bad)} invalid regex patterns (showing up to 10).")
                        for tname, patt, err in bad[:10]:
                            logger.warning(f"Invalid regex in Wappalyzer DB - {tname}: pattern={patt!r} error={err}")
                    w = Wappalyzer(tech_path)
                except Exception as e2:
                    logger.debug(f"Fallback Wappalyzer load failed: {e2}")
                    return []
            else:
                logger.debug("Wappalyzer DB not available and no local fallback")
                return []
        # analyze, but guard against regex runtime errors inside w.analyze
        try:
            results = w.analyze_with_categories(webpage) or {}
        except re.error as rex:
            logger.exception("Wappalyzer analyze raised a regex error — likely a faulty pattern in DB.")
            return []
        except Exception as e:
            logger.debug(f"Wappalyzer analyze failed: {e}")
            return []

        detected = []
        for name, data in results.items():
            if not isinstance(data, dict):
                continue
            confidence = compute_tech_confidence_from_wappalyzer(data)
            prov = []
            det = data.get("detected", {})
            if det:
                prov.append("wappalyzer-detected")
            categories = data.get("categories", [])
            detected.append({
                "name": name,
                "version": data.get("version", "Unknown"),
                "categories": categories,
                "confidence": confidence,
                "source": "Wappalyzer",
                "provenance": prov
            })
        detected.sort(key=lambda x: x["confidence"], reverse=True)
        return detected
    except Exception as e:
        logger.debug(f"Wappalyzer error: {e}")
        return []


async def detect_technologies_builtwith(url: str) -> list:
    try:
        raw = builtwith.builtwith(url)
        out = []
        for cat, techs in (raw or {}).items():
            for t in techs:
                confidence = 70
                if "cdn" in cat.lower():
                    confidence = 90
                if "framework" in cat.lower():
                    confidence = 90
                out.append({
                    "name": t,
                    "category": cat,
                    "confidence": confidence,
                    "source": "BuiltWith",
                    "provenance": ["builtwith-api"]
                })
        out.sort(key=lambda x: x["confidence"], reverse=True)
        return out
    except Exception as e:
        logger.debug(f"BuiltWith error: {e}")
        return []


async def fetch_resource_content(url: str, timeout: int = 10) -> str:
    try:
        headers = get_realistic_headers(url)
        async with httpx.AsyncClient(follow_redirects=True) as client:
            r = await async_request_with_retry("GET", url, client, timeout=timeout, headers=headers)
            if r and r.status_code == 200:
                return r.text or ""
    except Exception as e:
        logger.debug(f"Failed to fetch resource {url}: {e}")
        return ""
    return ""


async def detect_js_technologies(js_links: List[str], base_url: str, html: str) -> list:
    detected = []
    content = " ".join(js_links or []) + " " + (html or "")
    content_l = content.lower()
    indicators = {
        "jQuery": r"jquery[\w-]*\.js|jquery-ui|\$\.fn\.jquery|window\.jquery",
        "React": r"react[\w-]*\.js|react-dom|__react_devtools_global_hook__|data-reactroot",
        "Angular": r"angular[\w-]*\.js|ng-app|angular\.module",
        "Vue.js": r"vue[\w-]*\.js|__vue_devtools_global_hook__|vue-router"
    }
    for tech, pattern in indicators.items():
        try:
            if re.search(pattern, content_l):
                detected.append({"name": tech, "confidence": 70, "source": "JS Heuristics", "provenance": ["inline", "links"]})
        except re.error:
            # fallback: substring check
            if pattern.lower() in content_l:
                detected.append({"name": tech, "confidence": 60, "source": "JS Heuristics (fallback)", "provenance": ["inline", "links"]})
    sem = asyncio.Semaphore(10)

    async def _fetch(url_):
        async with sem:
            return await fetch_resource_content(url_)

    tasks = []
    for url_ in (js_links or []):
        tasks.append(_fetch(url_))

    contents = []
    if tasks:
        try:
            contents = await asyncio.gather(*tasks)
        except Exception:
            contents = []

    for c in (contents or []):
        c_l = (c or "").lower()
        for tech, pattern in indicators.items():
            try:
                if re.search(pattern, c_l):
                    if not any(d["name"] == tech for d in detected):
                        detected.append({"name": tech, "confidence": 85, "source": "JS Heuristics", "provenance": ["resource_content"]})
            except re.error:
                if pattern.lower() in c_l:
                    if not any(d["name"] == tech for d in detected):
                        detected.append({"name": tech, "confidence": 75, "source": "JS Heuristics (fallback)", "provenance": ["resource_content"]})
    return detected


async def detect_css_technologies(css_links: List[str], html: str) -> list:
    detected = []
    content = " ".join(css_links or []) + " " + (html or "")
    content_l = content.lower()
    indicators = {
        "Bootstrap": r"bootstrap[\w-]*\.css|class=['\"].*col-",
        # improved Tailwind detection: look for class attributes containing tw- (utility prefix) or grid-cols, flex- etc.
        "Tailwind CSS": r"tailwind\.min\.css|class=['\"][^'\"]*\btw-|class=['\"].*grid-cols-|class=['\"].*flex-",
        "Materialize": r"materialize[\w-]*\.css"
    }
    for tech, pattern in indicators.items():
        try:
            if re.search(pattern, content_l):
                detected.append({"name": tech, "confidence": 70, "source": "CSS Heuristics", "provenance": ["links_or_inline"]})
        except re.error:
            if pattern.lower() in content_l:
                detected.append({"name": tech, "confidence": 60, "source": "CSS Heuristics (fallback)", "provenance": ["links_or_inline"]})
    sem = asyncio.Semaphore(8)

    async def _fetch(url_):
        async with sem:
            return await fetch_resource_content(url_)

    tasks = []
    for url_ in (css_links or []):
        tasks.append(_fetch(url_))

    contents = []
    if tasks:
        try:
            contents = await asyncio.gather(*tasks)
        except Exception:
            contents = []

    for c in (contents or []):
        c_l = (c or "").lower()
        for tech, pattern in indicators.items():
            try:
                if re.search(pattern, c_l):
                    if not any(d["name"] == tech for d in detected):
                        detected.append({"name": tech, "confidence": 85, "source": "CSS Heuristics", "provenance": ["resource_content"]})
            except re.error:
                if pattern.lower() in c_l:
                    if not any(d["name"] == tech for d in detected):
                        detected.append({"name": tech, "confidence": 75, "source": "CSS Heuristics (fallback)", "provenance": ["resource_content"]})
    return detected


# -------------------- CMS detection --------------------
def compute_confidence_from_evidence(evidence: List[Dict[str, Any]]) -> float:
    if not evidence:
        return 0.0
    total_possible = sum(float(e.get("weight", 0.0)) for e in evidence)
    if total_possible <= 0:
        return 0.0
    found = sum(float(e.get("weight", 0.0)) for e in evidence if e.get("found"))
    return min(1.0, found / total_possible)

def detect_cms(html: str, headers: dict, url: str, extracted_data: dict = None) -> list:
    detected_cms = []
    html_lower = (html or "").lower()
    headers_lower = {k.lower(): v for k, v in (headers or {}).items()}
    extracted_data = extracted_data or {}
    js_links = " ".join(extracted_data.get("js_links", []))
    form_links = " ".join(extracted_data.get("form_links", []))
    image_links = " ".join(extracted_data.get("image_links", []))
    cms_signatures = {
        "WordPress": [
            {"type": "path", "pattern": r"wp-content", "weight": 0.23},
            {"type": "path", "pattern": r"wp-includes", "weight": 0.22},
            {"type": "api", "pattern": r"wp-json", "weight": 0.18},
            {"type": "meta", "pattern": r"<meta name=\"generator\" content=\"wordpress", "weight": 0.12},
            {"type": "cookie", "pattern": r"wordpress_logged_in_", "weight": 0.12},
            {"type": "admin", "pattern": r"/wp-admin/", "weight": 0.13}
        ],
        "Joomla": [
            {"type": "meta", "pattern": r"meta name=\"generator\" content=\"joomla", "weight": 0.35},
            {"type": "path", "pattern": r"media\/com_content", "weight": 0.25},
            {"type": "admin", "pattern": r"\/administrator\/", "weight": 0.35}
        ],
        "Drupal": [
            {"type": "path", "pattern": r"sites\/default\/files", "weight": 0.35},
            {"type": "path", "pattern": r"\/core\/misc\/drupal\.js", "weight": 0.3},
            {"type": "meta", "pattern": r"<meta name=\"generator\" content=\"drupal", "weight": 0.35}
        ],
        "Shopify": [
            {"type": "domain", "pattern": r"cdn\.shopify\.com", "weight": 0.45},
            {"type": "domain", "pattern": r"myshopify\.com", "weight": 0.45},
            {"type": "script", "pattern": r"shopify", "weight": 0.1}
        ],
        "Magento": [
            {"type": "path", "pattern": r"mage\/", "weight": 0.3},
            {"type": "meta", "pattern": r"magento", "weight": 0.3},
            {"type": "admin", "pattern": r"/admin/", "weight": 0.2}
        ],
        "Wix": [
            {"type": "script", "pattern": r"wix\.com|wixstatic", "weight": 0.6},
            {"type": "meta", "pattern": r"wix", "weight": 0.4}
        ],
        "Squarespace": [
            {"type": "script", "pattern": r"squarespace", "weight": 0.6},
            {"type": "meta", "pattern": r"squarespace", "weight": 0.4}
        ],
        "Bitrix": [
            {"type": "path", "pattern": r"/bitrix/", "weight": 0.7}
        ]
    }
    for cms_name, sigs in cms_signatures.items():
        evidence = []
        for s in sigs:
            found = False
            typ = s["type"]
            pat = s["pattern"]
            try:
                if typ in ("path", "meta", "api"):
                    found = bool(re.search(pat, html_lower))
                elif typ == "cookie":
                    cookie_header = headers_lower.get("set-cookie", "")
                    found = bool(re.search(pat, cookie_header.lower()))
                elif typ == "domain":
                    combined = " ".join(list(headers_lower.values())) + " " + form_links.lower() + " " + js_links.lower() + " " + image_links.lower() + " " + url.lower()
                    found = bool(re.search(pat, combined))
                elif typ == "script":
                    found = bool(re.search(pat, js_links.lower()))
                elif typ == "admin":
                    found = bool(re.search(pat, html_lower)) or bool(re.search(pat, form_links.lower()))
            except re.error:
                if typ in ("path", "meta", "api", "script", "admin"):
                    found = pat.lower() in html_lower
                elif typ == "domain":
                    found = pat.lower() in (" ".join(list(headers_lower.values())) + " " + form_links + " " + js_links + " " + image_links + " " + url).lower()
            evidence.append({"type": typ, "pattern": pat, "weight": s.get("weight", 0.1), "found": found})
        confidence = compute_confidence_from_evidence(evidence)
        if confidence > 0:
            detected_cms.append({
                "name": cms_name,
                "confidence": round(confidence, 3),
                "evidence": evidence,
                "source": "CMS Heuristics",
                "provenance": [e for e in evidence if e["found"]]
            })
    x_gen = headers_lower.get("x-generator", "") or headers_lower.get("server", "")
    if x_gen:
        if "joomla" in x_gen.lower():
            if not any(d["name"] == "Joomla" for d in detected_cms):
                detected_cms.append({"name": "Joomla", "confidence": 1.0, "evidence": [{"type": "header", "value": x_gen}], "source": "Headers", "provenance": [{"type": "header", "value": x_gen}]})
        elif "wordpress" in x_gen.lower() or "wp-" in x_gen.lower():
            if not any(d["name"] == "WordPress" for d in detected_cms):
                detected_cms.append({"name": "WordPress", "confidence": 1.0, "evidence": [{"type": "header", "value": x_gen}], "source": "Headers", "provenance": [{"type": "header", "value": x_gen}]})
    detected_cms.sort(key=lambda x: x["confidence"], reverse=True)
    return detected_cms


# -------------------- Security Headers --------------------
def analyze_security_headers(headers: dict) -> Dict[str, Any]:
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    security = {
        "x-frame-options": headers.get("x-frame-options"),
        "x-xss-protection": headers.get("x-xss-protection"),
        "x-content-type-options": headers.get("x-content-type-options"),
        "strict-transport-security": headers.get("strict-transport-security"),
        "content-security-policy": headers.get("content-security-policy"),
        "referrer-policy": headers.get("referrer-policy")
    }
    results = {}
    for header, value in security.items():
        if value:
            status = "Implemented"
            if header == "x-frame-options":
                if value.lower() in ["deny", "sameorigin"]:
                    status = "Secure"
                else:
                    status = "Weak"
            results[header] = {"status": status, "value": value}
    return results


# -------------------- Payment Method Detection --------------------
def detect_payment_methods(html: str, extracted_data: dict = None) -> list:
    detected_methods = []
    html_lower = (html or "").lower()
    extracted_data = extracted_data or {}
    js_links = " ".join(extracted_data.get("js_links", [])).lower()
    form_links = " ".join(extracted_data.get("form_links", [])).lower()
    image_links = " ".join(extracted_data.get("image_links", [])).lower()
    combined = " ".join([html_lower, js_links, form_links, image_links])
    payment_patterns = {
        "Visa": r"\bvisa\b|visa-logo|/visa\.(svg|png|jpg|gif)",
        "Mastercard": r"mastercard|/mastercard\.(svg|png|jpg|gif)|master-card|master card",
        "American Express": r"american[\s-]*express|amex|/amex\.(svg|png|jpg|gif)",
        "PayPal": r"paypal\.com|paypal-button|www\.paypalobjects\.com|paypalcheckout|paypal\.me",
        "Stripe": r"js\.stripe\.com|stripe\.com|Stripe\.(setPublishableKey|card)|stripe-v3|stripe-elements",
        "Apple Pay": r"apple[\s-]*pay|apple-pay",
        "Google Pay": r"google[\s-]*pay|pay.google.com|google-pay",
        "Shop Pay": r"shopify\.com\/shop_pay|shopify|shop-pay",
        "Discover": r"discover|discover-logo|/discover\.(svg|png|jpg|gif)",
        "UnionPay": r"unionpay|union-pay",
        "JCB": r"\bjcb\b",
        "Alipay": r"alipay|alipayjsbridge|alipay\.com",
        "WeChat Pay": r"wechatpay|weixin\.qq\.com|wechat[\s-]*pay",
        "Square": r"squareup\.com|square\.(js|cdn)|sq-",
        "Authorize.Net": r"authorize\.net|secure2.authorize\.net",
        "Braintree": r"braintree\.gateway|braintree\.js|braintree",
        "Adyen": r"adyen|checkoutshopper|adyen-checkout",
        "Worldpay": r"worldpay|secure\.worldpay",
        "SagePay": r"sagepay|opayo",
        "Klarna": r"klarna|klarna-checkout",
        "Amazon Pay": r"amazonpay|static-na\.amzn\.com|amazon-pay",
        "Payoneer": r"payoneer",
        "Razorpay": r"razorpay|checkout\.razorpay\.com",
        "2Checkout": r"2checkout|2co",
        "Mollie": r"mollie|checkout\.mollie",
        "PayU": r"payu|payu\.com",
        "MercadoPago": r"mercadopago|mercadopago\.com",
        "CyberSource": r"cybersource|ics2wsa",
        "Afterpay": r"afterpay|clearpay",
        "Paystack": r"paystack|js\.paystack\.co",
        "ePDQ": r"epdq|ogone",
        "Checkout.com": r"checkout\.com|checkoutjs",
        "GreenPay": r"greenpay"
    }
    for method, pattern in payment_patterns.items():
        try:
            if re.search(pattern, combined, re.I):
                if method not in detected_methods:
                    detected_methods.append(method)
        except re.error:
            if pattern.lower() in combined:
                if method not in detected_methods:
                    detected_methods.append(method)
    checkout_indicators = [r"/checkout", r"/cart", r"/pay", r"/payment", r"/order", r"/billing"]
    for pat in checkout_indicators:
        if re.search(pat, form_links + html_lower):
            if "E-Commerce/Checkout" not in detected_methods:
                detected_methods.append("E-Commerce/Checkout")
    return detected_methods


# -------------------- Tracker and Analytics Detection --------------------
def detect_trackers_and_analytics(html: str, js_links: list = None, meta_tags: list = None) -> list:
    detected_trackers = []
    html_lower = (html or "").lower()
    tracker_patterns = {
        "Google Analytics": r"google-analytics\.com/|gtag\.js|analytics\.js",
        "Google Tag Manager": r"googletagmanager\.com",
        "Facebook Pixel": r"connect\.facebook\.net/en_US/fbevents\.js|fbq\(",
        "Hotjar": r"hotjar\.com|hjid",
        "Matomo (Piwik)": r"matomo\.js",
        "TikTok Pixel": r"ttq\.load"
    }
    for tracker, pattern in tracker_patterns.items():
        if re.search(pattern, html_lower):
            detected_trackers.append(tracker)
    all_js_links = " ".join([link.lower() for link in (js_links or [])])
    for tracker, pattern in tracker_patterns.items():
        if re.search(pattern, all_js_links):
            if tracker not in detected_trackers:
                detected_trackers.append(tracker)
    meta_content = " ".join([tag.get('content', '').lower() for tag in (meta_tags or [])])
    for tracker, pattern in tracker_patterns.items():
        if re.search(pattern, meta_content):
            if tracker not in detected_trackers:
                detected_trackers.append(tracker)
    return detected_trackers


# -------------------- IP info --------------------
def get_ip_info(ip: str) -> Dict:
    res = {"source": "ipwhois", "timestamp": datetime.utcnow().isoformat() + "Z"}
    try:
        obj = ipwhois.IPWhois(ip).lookup_rdap(depth=1)
        res["asn"] = obj.get("asn")
        res["asn_cidr"] = obj.get("asn_cidr")
        res["asn_country_code"] = obj.get("asn_country_code")
        res["asn_description"] = obj.get("asn_description")
        res["network"] = obj.get("network")
    except Exception as e:
        logger.debug(f"IPWhois lookup failed for {ip}: {e}")
        res["error"] = str(e)
    return res


# -------------------- WAF detection --------------------
def detect_waf_subprocess(url: str) -> dict:
    result = {"detected": False, "provider": None, "confidence": 0.0, "evidence": []}
    try:
        proc = subprocess.run(["wafw00f", "-a", url], capture_output=True, text=True, timeout=20)
        out = (proc.stdout or "") + (proc.stderr or "")
        if proc.returncode == 0 and out:
            lines = out.splitlines()
            for ln in lines:
                for provider in ["Cloudflare", "Imperva", "Akamai", "Fastly", "Sucuri", "F5", "ModSecurity", "AWS WAF", "Fortinet", "Barracuda", "Incapsula"]:
                    if provider.lower() in ln.lower():
                        result.update({"detected": True, "provider": provider, "confidence": 0.9, "evidence": ["wafw00f-output"]})
                        return result
    except Exception:
        pass
    try:
        parsed = urlparse(url)
        try:
            r = httpx.get(url, follow_redirects=True, timeout=10, headers=get_realistic_headers(url))
            headers = {k.lower(): v for k, v in dict(r.headers).items()}
            body_snippet = (r.text or "")[:3000]
            cookie_keys = " ".join([c.name for c in getattr(r, "cookies", [])]) if hasattr(r, "cookies") else ""
        except Exception as e:
            headers = {}
            body_snippet = ""
            cookie_keys = ""
        header_indicators = {
            "Cloudflare": ["cf-ray", "server: cloudflare", "cf-cache-status", "cf-request-id"],
            "Imperva": ["x-iinfo", "incapsula", "visid_incap_"],
            "Akamai": ["x-akamai-transformed", "akamai", "akamaiedge", "akamaitechnologies"],
            "Fastly": ["x-served-by", "x-cache", "x-fastly-backend-request-id"],
            "Sucuri": ["x-sucuri-cache", "x-sucuri-id"],
            "F5": ["bigipserver", "x-lb"],
            "ModSecurity": ["mod_security", "mod_sec"],
            "AWS WAF": ["x-amzn-requestid", "x-amz-cf-id"],
            "Fortinet": ["fortigate", "f5-"],
            "Barracuda": ["barracuda"],
            "Incapsula": ["visid_incap_"]
        }
        for provider, sigs in header_indicators.items():
            for sig in sigs:
                try:
                    if ":" in sig:
                        hname, hv = [s.strip() for s in sig.split(":", 1)]
                        hv = hv.lower()
                        if headers.get(hname) and hv in headers.get(hname, "").lower():
                            result.update({"detected": True, "provider": provider, "confidence": 0.75, "evidence": [f"header:{hname}"]})
                            return result
                    else:
                        if any(sig in h for h in headers.keys()):
                            result.update({"detected": True, "provider": provider, "confidence": 0.7, "evidence": [f"header_contains:{sig}"]})
                            return result
                        if sig in body_snippet.lower():
                            result.update({"detected": True, "provider": provider, "confidence": 0.6, "evidence": ["body_snippet"]})
                            return result
                        if re.search(re.escape(sig), cookie_keys, re.I):
                            result.update({"detected": True, "provider": provider, "confidence": 0.65, "evidence": ["cookie_name"]})
                            return result
                except Exception:
                    continue
        challenge_patterns = [r"attention required", r"access denied", r"please enable cookies", r"security check", r"verify you are a human", r"challenge.*cloudflare"]
        for pat in challenge_patterns:
            if re.search(pat, body_snippet, re.I):
                result.update({"detected": True, "provider": "Unknown (challenge page)", "confidence": 0.5, "evidence": ["challenge_pattern"]})
                return result
    except Exception as e:
        logger.debug(f"WAF detection error heuristics: {e}")
    return result


# -------------------- CDN detection --------------------
def detect_cdn_from_headers_and_dns(headers: dict, dns_records: dict, ip: str = None, extracted_data: dict = None) -> dict:
    detected = {"source": None, "provider": None, "confidence": 0, "reasons": []}
    headers_lower = {k.lower(): v for k, v in (headers or {}).items()}
    extracted_data = extracted_data or {}
    cdn_header_signatures = {
        "Cloudflare": ["cf-ray", "cf-cache-status", "server: cloudflare", "cf-request-id"],
        "Akamai": ["x-akamai-transformed", "x-akamai-request-id", "akamai"],
        "Amazon CloudFront": ["x-amz-cf-id", "via: 1.1 cloudfront", "x-cache"],
        "Fastly": ["x-served-by", "x-fastly-backend-request-id", "x-cache"],
        "Sucuri": ["x-sucuri-cache", "x-sucuri-id"],
        "Google Cloud CDN": ["x-goog-gfe-response-headers", "x-google-gfe"],
        "Incapsula": ["x-iinfo", "visid_incap_"],
        "Azure CDN": ["cdn-io", "azureedge", "azurefd", "akadns"],
        "Netlify": ["netlify"],
        "Cloudflare Stream": ["cf-stream"],
        "BunnyCDN": ["bunnycdn"],
        "StackPath": ["stackpathcdn"],
        "KeyCDN": ["x-keycdn"],
        "CDN77": ["cdn77"],
        "Akamai EdgeKey": ["edgekey.net"]
    }
    for provider, sigs in cdn_header_signatures.items():
        for sig in sigs:
            if any(sig in h for h in headers_lower.keys()) or any(sig in v.lower() for v in headers_lower.values()):
                detected.update({"source": "Headers", "provider": provider, "confidence": 95})
                detected["reasons"].append(f"header signature matched {sig}")
                return detected
    cname_records = dns_records.get("CNAME", []) if dns_records else []
    try:
        candidate_host = cname_records[0] if cname_records else None
        cname_chain = resolve_cname_chain(candidate_host) if candidate_host else []
        cname_patterns = {
            "Cloudflare": r"cloudflare|cloudfront|cloudflare.net",
            "Akamai": r"akamai|akamaiedge|akamaitechnologies|edgekey\.net|akamaiedge\.net",
            "Amazon CloudFront": r"cloudfront\.net",
            "Fastly": r"fastly\.net|fastly",
            "Incapsula": r"incapsula|imperva",
            "Sucuri": r"sucuri\.net|sucuri",
            "Azure CDN": r"azureedge|azurefd|z6rungcdn|azure",
            "Netlify": r"netlify\.app|netlify",
            "BunnyCDN": r"bunnycdn",
            "StackPath": r"stackpathdns",
            "KeyCDN": r"kccdn|kxcdn",
            "CDN77": r"cdn77",
        }
        for provider, pattern in cname_patterns.items():
            for cname in (cname_records + cname_chain):
                if re.search(pattern, cname, re.I):
                    detected.update({"source": "DNS CNAME", "provider": provider, "confidence": 85})
                    detected["reasons"].append(f"CNAME {cname} matches {provider}")
                    return detected
    except Exception as e:
        logger.debug(f"CDN CNAME check error: {e}")
    try:
        asset_hosts = set()
        for linklist in ("js_links", "css_links", "image_links", "form_links"):
            for a in extracted_data.get(linklist, []):
                try:
                    p = urlparse(a)
                    if p.hostname:
                        asset_hosts.add(p.hostname.lower())
                except Exception:
                    continue
        asset_hosts_list = list(asset_hosts)
        asset_host_patterns = {
            "Cloudflare": ["cloudflare", "cdn-cdn.cloudflare", "cloudflare.net", "cdn-cgi"],
            "Akamai": ["akamai.net", "akamaiedge", "akamaitechnologies", "edgekey.net"],
            "Fastly": ["fastly.net", "fastly"],
            "Amazon CloudFront": ["cloudfront.net", "amazonaws.com"],
            "Netlify": ["netlify.app", "netlify"],
            "BunnyCDN": ["b-cdn.net", "bunnycdn"],
            "Google Cloud CDN": ["googleusercontent.com", "googleapis.com"],
            "KeyCDN": ["kxcdn", "kccdn"],
            "CDN77": ["cdn77"],
            "StackPath": ["stackpathcdn", "stackpathdns"]
        }
        for provider, pats in asset_host_patterns.items():
            for pat in pats:
                for ah in asset_hosts_list:
                    if pat in ah:
                        detected.update({"source": "Asset Hosts", "provider": provider, "confidence": 80})
                        detected["reasons"].append(f"asset host {ah} contains {pat}")
                        return detected
    except Exception as e:
        logger.debug(f"Asset host analysis error: {e}")
    return detected


# -------------------- Main async scan (IMPROVED) --------------------
async def main_async_scan(url: str):
    scan_start = datetime.utcnow().isoformat() + "Z"
    try:
        logger.info(f"Starting scan for {url}")
        # Step 1: Try Playwright render (get content + headers)
        dynamic_html, dynamic_headers, dynamic_final_url = await get_dynamic_html(url)
        final_html = dynamic_html or ""
        final_headers = dynamic_headers or {}
        final_url = dynamic_final_url or url
        static_response = None

        # If no dynamic content, try static fetch (async)
        if not final_html:
            logger.info("Dynamic fetch empty; attempting static fetch...")
            static_response = await fetch_static(url)
            if static_response and static_response.status_code == 200:
                final_html = static_response.text or ""
                final_headers = dict(static_response.headers or {})
                final_url = str(static_response.url or url)
            else:
                # fallback sync attempt to capture headers/body
                try:
                    r = httpx.get(url, follow_redirects=True, timeout=10, headers=get_realistic_headers(url))
                    if r.status_code == 200:
                        final_html = r.text or ""
                        final_headers = dict(r.headers or {})
                        final_url = str(r.url or url)
                    else:
                        logger.warning(f"Static fetch returned {r.status_code} for {url}")
                except Exception as e:
                    logger.debug(f"Sync fallback static fetch failed: {e}")
        else:
            # We have dynamic HTML; ensure we also have headers (use static fetch or HEAD if headers missing)
            if not final_headers:
                try:
                    head_resp = httpx.head(final_url, follow_redirects=True, timeout=8, headers=get_realistic_headers(final_url))
                    if head_resp and head_resp.status_code < 400:
                        final_headers = dict(head_resp.headers or {})
                    else:
                        r2 = httpx.get(final_url, follow_redirects=True, timeout=10, headers=get_realistic_headers(final_url))
                        if r2:
                            final_headers = dict(r2.headers or {})
                except Exception as e:
                    logger.debug(f"Failed to fetch headers fallback: {e}")

        # store raw evidence: headers + body
        raw_evidence = {}
        if final_html:
            raw_body_bytes = (final_html.encode("utf-8") if isinstance(final_html, str) else (final_html or b""))
            raw_evidence["body"] = store_raw_evidence(raw_body_bytes, prefix="body")
        if final_headers:
            try:
                hdr_bytes = json.dumps(dict(final_headers), ensure_ascii=False).encode("utf-8")
                raw_evidence["headers"] = store_raw_evidence(hdr_bytes, prefix="headers")
            except Exception:
                raw_evidence["headers"] = {"error": "failed_to_store_headers"}

        # Step 2: Extract links and resources (ensure final_url passed)
        logger.info("Extracting links and resources...")
        extracted_data = extract_links_and_scripts(final_html or "", final_url)
        js_links = extracted_data.get("js_links", [])
        css_links = extracted_data.get("css_links", [])

        # Step 3: Run detection tasks concurrently
        logger.info("Detecting technologies (Wappalyzer/BuiltWith/JS/CSS heuristics)...")
        tasks = [
            detect_technologies_wappalyzer(final_url, final_html or "", final_headers),
            detect_technologies_builtwith(final_url),
            detect_js_technologies(js_links, final_url, final_html or ""),
            detect_css_technologies(css_links, final_html or "")
        ]
        wappalyzer_res, builtwith_res, js_res, css_res = await asyncio.gather(*tasks)

        # Step 4: Combine technologies
        all_tech = (wappalyzer_res or []) + (builtwith_res or []) + (js_res or []) + (css_res or [])
        tech_map: Dict[str, Any] = {}
        for tech in all_tech:
            name = tech.get("name")
            if not name:
                continue
            existing = tech_map.get(name)
            confidence = float(tech.get("confidence", 50))
            if existing:
                existing_conf = float(existing.get("confidence", 0))
                existing["confidence"] = max(existing_conf, confidence)
                existing_sources = set([s.strip() for s in str(existing.get("source", "")).split(",") if s])
                incoming_source = tech.get("source") or ""
                if incoming_source and incoming_source not in existing_sources:
                    existing_sources.add(incoming_source)
                    existing["source"] = ", ".join(sorted(existing_sources))
                existing_prov = set(existing.get("provenance", []) or [])
                incoming_prov = set(tech.get("provenance", []) or [])
                existing["provenance"] = list(existing_prov.union(incoming_prov))
                if tech.get("version") and existing.get("version") in (None, "Unknown"):
                    existing["version"] = tech.get("version")
            else:
                tech_map[name] = {
                    "name": name,
                    "version": tech.get("version", "Unknown"),
                    "confidence": confidence,
                    "source": tech.get("source", ""),
                    "provenance": tech.get("provenance", []) or []
                }
        combined_tech = list(tech_map.values())
        combined_tech.sort(key=lambda x: x.get("confidence", 0), reverse=True)

        # Step 5: DNS and SSL
        parsed = urlparse(final_url)
        domain = parsed.netloc.split(":")[0] if parsed.netloc else ""
        dns_records = get_dns_records(domain) if domain else {}
        ssl_info = {}
        if parsed.scheme == "https" and domain:
            ssl_info = get_ssl_info(domain)

        # Step 6: IP info
        ip_info = {}
        if dns_records.get("A"):
            ip = dns_records["A"][0] if isinstance(dns_records["A"], list) and dns_records["A"] else dns_records["A"]
            ip_info = get_ip_info(ip)

        # Step 7: robots.txt
        robots_info = await analyze_robots(domain) if domain else {"exists": False, "tried": [], "error": "no domain"}

        # Step 8: Security headers and CMS detection
        security_headers = analyze_security_headers(final_headers)
        cms_info = detect_cms(final_html or "", final_headers or {}, final_url, extracted_data=extracted_data)

        # Step 9: payments and trackers
        payment_methods_info = detect_payment_methods(final_html or "", extracted_data=extracted_data)
        trackers_info = detect_trackers_and_analytics(final_html or "", js_links=extracted_data.get("js_links", []), meta_tags=extracted_data.get("meta_tags", []))

        # Step 10: WAF & CDN heuristics
        waf_info = detect_waf_subprocess(final_url)
        cdn_info = detect_cdn_from_headers_and_dns(final_headers or {}, dns_records or {}, ip_info.get("asn_cidr") if ip_info else None, extracted_data=extracted_data)

        # Inference rules for Cloudflare
        try:
            if (not cdn_info.get("provider")) and waf_info.get("provider") and "cloudflare" in (waf_info.get("provider") or "").lower():
                cdn_info.update({"source": "inferred", "provider": "Cloudflare", "confidence": 90, "reasons": ["waf indicates Cloudflare"]})
            elif (not cdn_info.get("provider")) and ip_info and ip_info.get("asn_description") and "cloudflare" in str(ip_info.get("asn_description")).lower():
                cdn_info.update({"source": "inferred", "provider": "Cloudflare", "confidence": 85, "reasons": ["ip whois ASN indicates Cloudflare"]})
            else:
                ns_list = dns_records.get("NS", []) or []
                if (not cdn_info.get("provider")):
                    for ns in ns_list:
                        if "cloudflare" in ns.lower():
                            cdn_info.update({"source": "dns", "provider": "Cloudflare", "confidence": 85, "reasons": [f"NS {ns} indicates Cloudflare"]})
                            break
        except Exception:
            pass

        # Build final report
        title = "No Title"
        try:
            soup = BeautifulSoup(final_html or "", "lxml")
            if soup.title and soup.title.string:
                title = soup.title.string.strip()
        except Exception:
            title = "No Title"

        report = {
            "scan_id": generate_scan_id(),
            "scanned_at": scan_start,
            "url": final_url,
            "title": title,
            "raw_evidence": raw_evidence,
            "technologies": combined_tech,
            "links_and_resources": extracted_data,
            "dns_records": dns_records,
            "ssl_info": ssl_info,
            "ip_info": ip_info,
            "robots_info": robots_info,
            "security_headers": security_headers,
            "cms_info": cms_info,
            "payment_methods": payment_methods_info,
            "trackers_and_analytics": trackers_info,
            "waf_info": waf_info,
            "cdn_info": cdn_info,
            "headers": final_headers,
            "notes": "Report contains provenance (raw_evidence paths) and normalized confidence scores (0-100 for technologies)."
        }

        # Normalize confidence to 0-100 for technologies
        for t in report["technologies"]:
            try:
                t_conf = float(t.get("confidence", 50))
                if 0 <= t_conf <= 1:
                    t["confidence"] = int(round(t_conf * 100))
                else:
                    t["confidence"] = int(round(min(max(t_conf, 0), 100)))
            except Exception:
                t["confidence"] = 50

        return safe_json(report)

    except Exception as e:
        logger.exception("Main scan failed")
        return safe_json({"error": "Main scan failed", "details": str(e), "scanned_at": scan_start})


# -------------------- Convenience wrapper used by analyze_site.py --------------------
async def run_scan_for_url(url: str, render_js: bool = False, scan_id: Optional[str] = None) -> Dict[str, Any]:
    try:
        report = await main_async_scan(url)
        if not isinstance(report, dict):
            report = {"error": "invalid_report", "details": "Scanner returned non-dict result", "raw": str(report)}
        report.setdefault("scanned_url", report.get("url", url))
        if scan_id:
            report["scan_id"] = scan_id
        report.setdefault("url", report.get("scanned_url"))
        report.setdefault("technologies", report.get("technologies", []))
        report.setdefault("dns_records", report.get("dns_records", {}))
        report.setdefault("robots_info", report.get("robots_info", {"exists": False}))
        report.setdefault("headers", report.get("headers", {}))
        # compatibility aliases
        report.setdefault("waf", report.get("waf_info"))
        report.setdefault("cdn", report.get("cdn_info"))
        report.setdefault("payments", report.get("payment_methods"))
        return report
    except Exception as e:
        logger.exception("run_scan_for_url wrapper failed")
        return safe_json({"error": "run_scan_for_url_failed", "details": str(e), "scanned_url": url})


if __name__ == '__main__':
    # quick smoke test when running standalone
    test_url = "https://www.google.com"
    # note: run async via: python -c "import asyncio, utils; asyncio.run(utils.main_async_scan('https://example.com'))"
    pass