{"id":50797264,"url":"https://github.com/rodhnin/hephaestus-server-forger","last_synced_at":"2026-06-12T15:32:01.929Z","repository":{"id":325671758,"uuid":"1097890172","full_name":"rodhnin/hephaestus-server-forger","owner":"rodhnin","description":"server security auditor scanning Apache, Nginx, and IIS configurations with AI-powered hardening guides and professional reporting.","archived":false,"fork":false,"pushed_at":"2026-05-01T14:38:06.000Z","size":15498,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-01T16:26:42.179Z","etag":null,"topics":["ai","apache","docker","infosec","nginx","penetration-testing","python","security","server-auditing","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rodhnin.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-17T01:36:14.000Z","updated_at":"2026-05-01T14:33:36.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rodhnin/hephaestus-server-forger","commit_stats":null,"previous_names":["rodhnin/hephaestus-server-forger"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/rodhnin/hephaestus-server-forger","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rodhnin%2Fhephaestus-server-forger","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rodhnin%2Fhephaestus-server-forger/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rodhnin%2Fhephaestus-server-forger/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rodhnin%2Fhephaestus-server-forger/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rodhnin","download_url":"https://codeload.github.com/rodhnin/hephaestus-server-forger/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rodhnin%2Fhephaestus-server-forger/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34251774,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","apache","docker","infosec","nginx","penetration-testing","python","security","server-auditing","vulnerability-scanners"],"created_at":"2026-06-12T15:32:01.075Z","updated_at":"2026-06-12T15:32:01.922Z","avatar_url":"https://github.com/rodhnin.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"./docs/media/hephaestus-banner.webp\" alt=\"Hephaestus — Server Security Auditor\" width=\"100%\"\u003e\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[![Version](https://img.shields.io/badge/version-0.2.0-e85d04?style=for-the-badge\u0026labelColor=0c0c0f)](https://github.com/rodhnin/hephaestus-server-forger/releases)\n[![Python](https://img.shields.io/badge/python-3.11+-f59e0b?style=for-the-badge\u0026labelColor=0c0c0f\u0026logo=python\u0026logoColor=f59e0b)](https://www.python.org/)\n[![License](https://img.shields.io/badge/license-MIT-4ade80?style=for-the-badge\u0026labelColor=0c0c0f)](LICENSE)\n[![Docker](https://img.shields.io/badge/docker-ready-f59e0b?style=for-the-badge\u0026labelColor=0c0c0f\u0026logo=docker\u0026logoColor=f59e0b)](docker/)\n[![LangChain](https://img.shields.io/badge/langchain-1.0.0-fb923c?style=for-the-badge\u0026labelColor=0c0c0f)](https://python.langchain.com/)\n[![Ethical](https://img.shields.io/badge/ethical-use_only-f87171?style=for-the-badge\u0026labelColor=0c0c0f)](docs/ETHICS.md)\n\n\u003cbr\u003e\n\n**Server security auditor for Apache, Nginx \u0026 IIS — 13 scan phases, 70+ finding codes, AI-powered hardening guides.**\n\n\u003cbr\u003e\n\n[Quick Start](#-quick-start) \u0026nbsp;·\u0026nbsp;\n[Documentation](docs/) \u0026nbsp;·\u0026nbsp;\n[Docker](#-docker-deployment) \u0026nbsp;·\u0026nbsp;\n[AI Analysis](#-ai-powered-analysis) \u0026nbsp;·\u0026nbsp;\n[Star on GitHub](https://github.com/rodhnin/hephaestus-server-forger)\n\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"./docs/media/hephaestus-hero.webp\" alt=\"Hephaestus — Forge Secure Server Configs\" width=\"100%\"\u003e\n\u003c/div\u003e\n\n---\n\n## In Action\n\n\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"./docs/media/console.webp\" alt=\"Hephaestus — real scan output\" width=\"100%\"\u003e\n \u003cbr\u003e\u003csub\u003eLive scan · Apache 2.4.54 · 11 findings · 44.17s · scan #518 · safe mode\u003c/sub\u003e\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n\u003ctable width=\"100%\"\u003e\u003ctr\u003e\n\u003ctd width=\"50%\" align=\"center\"\u003e\n \u003cimg src=\"./docs/media/report_html.webp\" alt=\"Hephaestus — HTML report overview\" width=\"100%\"\u003e\n \u003cbr\u003e\u003csub\u003eHTML report — severity breakdown, OWASP mapping, filter bar\u003c/sub\u003e\n\u003c/td\u003e\n\u003ctd width=\"50%\" align=\"center\"\u003e\n \u003cimg src=\"./docs/media/report_findings.webp\" alt=\"Hephaestus — findings table with CVE badges\" width=\"100%\"\u003e\n \u003cbr\u003e\u003csub\u003eFindings table — CVE/CWE badges, expandable evidence, config snippets\u003c/sub\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\u003c/table\u003e\n\n---\n\n## 🎯 What is Hephaestus?\n\nHephaestus is a **production-ready server security auditor** that puts **ethics first**. Built for system administrators, DevOps engineers, and penetration testers, it scans web server configurations (Apache, Nginx, IIS) to identify critical misconfigurations before attackers exploit them.\n\n### Why Hephaestus?\n\n- **🔒 Ethical by Design**: Consent token system prevents unauthorized scanning\n- **🤖 AI-Powered**: GPT-4, Claude, or local Ollama for intelligent hardening guides\n- **📊 Professional Reports**: Beautiful HTML + machine-readable JSON\n- **🚀 Fast \u0026 Efficient**: Concurrent scanning with intelligent rate limiting\n- **💾 Persistent Tracking**: SQLite database **SHARED with Argos suite** (`~/.argos/argos.db`)\n- **🐳 Docker Ready**: Containerized scanning + vulnerable test labs (Apache \u0026 Nginx)\n- **🎯 Zero False Positives**: Extensively tested with 55+ validation tests\n\n### What It Scans\n\n| Check Category | Details |\n| ------------------------- | --------------------------------------------------------------------------------------- |\n| **Server Information** | Apache/Nginx/IIS version disclosure via headers \u0026 error pages |\n| **Sensitive Files** | .env, .git, phpinfo.php, server-status, backups, config files (70+ paths) |\n| **HTTP Methods** | Unsafe methods (PUT, DELETE, TRACE, OPTIONS) |\n| **Security Headers** | HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |\n| **TLS/SSL Configuration** | Deep analysis: cipher suites, protocol versions, certificate validity, CVE correlation |\n| **Directory Listing** | Apache/Nginx autoindex enabled on sensitive directories |\n| **CORS Detection** | Wildcard, null-origin, reflection probes (COR-001 to COR-006) |\n| **Robots.txt** | Disallowed path analysis, live accessibility probes in aggressive mode |\n| **WAF Detection** | 13 signatures including Cloudflare, Sucuri, ModSecurity, AWS WAF, Imperva |\n| **API Discovery** | Swagger/OpenAPI spec exposure, GraphQL introspection, unauthenticated endpoints |\n| **Cookie Security** | Per-cookie HttpOnly/Secure/SameSite analysis across authenticated paths |\n| **phpinfo() Analysis** | 9 dangerous PHP settings: display_errors, allow_url_include, open_basedir, and more |\n| **Config File Parser** | Offline analysis of httpd.conf / nginx.conf for misconfigurations |\n| **Port Scanner** | 37 common ports with banner grabbing and CVE enrichment |\n\n---\n\n## ✨ Features\n\n### 🛡️ Core Security Auditing\n\n```bash\n# One command, comprehensive server analysis\npython -m heph --target https://example.com --html\n```\n\n- **Multi-Server Support**: Apache, Nginx, IIS detection and hardening\n- **Concurrent Scanning**: Thread pool + rate limiting for fast, respectful scans\n- **Evidence Collection**: HTTP responses, headers, file contents preserved\n- **Graceful Error Handling**: Timeouts, DNS failures, connection refused handled robustly\n\n### 🤖 AI-Powered Hardening Guides\n\nChoose your AI provider based on your needs:\n\n| Provider | Best For | Speed | Cost | Privacy |\n| -------------------- | ------------------ | --------------- | ------------- | --------------- |\n| **OpenAI GPT-4** | Production quality | ⚡ Fast (35s) | 💰 $0.25/scan | 🔒 Standard |\n| **Anthropic Claude** | Privacy-focused | ⚡ Fast (45s) | 💰 $0.30/scan | 🔒 Enhanced |\n| **Ollama (Local)** | Complete privacy | 🐢 Slow (28min) | 💰 Free | 🔐 100% Offline |\n\n**Two Analysis Modes:**\n\n- **Technical**: Apache/Nginx config snippets, CLI commands, step-by-step hardening\n- **Executive**: Plain-language risk assessment for stakeholders and management\n\n### 📊 Professional Reporting\n\n**JSON Reports** (Machine-Readable)\n\n```json\n{\n \"tool\": \"hephaestus\",\n \"version\": \"0.2.0\",\n \"target\": \"https://example.com\",\n \"mode\": \"safe\",\n \"summary\": {\n \"critical\": 3,\n \"high\": 2,\n \"medium\": 5,\n \"low\": 3,\n \"info\": 0\n },\n \"findings\": [...],\n \"diff\": {...}\n}\n```\n\n**HTML Reports** (Human-Friendly)\n\n- 🎨 Forge theme with orange/red gradients (⚒️ blacksmith aesthetic)\n- 🏷️ Color-coded severity badges\n- 📝 Expandable evidence sections\n- 🤖 AI hardening guides beautifully formatted\n- 📱 Mobile-responsive design\n\n### 🔐 Consent Token System\n\nAggressive scanning and AI analysis require **proof of ownership**:\n\n```bash\n# 1. Generate token\npython -m heph --gen-consent example.com\n\n# 2. Place token on your server\necho \"verify-abc123...\" \u003e .well-known/verify-abc123.txt\n\n# 3. Verify ownership\npython -m heph --verify-consent http --domain example.com --token verify-abc123\n\n# 4. Now you can use aggressive mode\npython -m heph --target https://example.com --aggressive --use-ai\n```\n\n### 💾 Database Persistence\n\nSQLite database **SHARED with Argos suite** (`~/.argos/argos.db`):\n\n- **Scan History**: Date, duration, findings count, severity breakdown\n- **Finding Repository**: Searchable vulnerability database (1159+ findings stored)\n- **Verified Domains**: Consent token tracking with expiration\n- **Cross-Tool Integration**: Works seamlessly with Argus, Pythia, and future tools\n\n```bash\n# Query recent scans\nsqlite3 ~/.argos/argos.db \"SELECT * FROM scans WHERE tool='hephaestus' ORDER BY scan_id DESC LIMIT 10\"\n\n# Find critical issues\nsqlite3 ~/.argos/argos.db \"SELECT * FROM findings WHERE severity='critical' AND tool='hephaestus'\"\n```\n\n---\n\n## ✅ Validation \u0026 Testing\n\nHephaestus v0.2.0 has been **empirically validated** using controlled Docker-based vulnerable labs (Apache \u0026 Nginx).\n\n### Validation Summary (May 2026)\n\n| Metric | Result |\n| ------------------------- | --------------------------------------- |\n| **Test Suite** | 55/55 tests passing (13 phases) |\n| **Apache Detection** | 42 findings across all 13 scan phases |\n| **Nginx Detection** | 25 findings across all 13 scan phases |\n| **Precision** | 100% (zero false positives) |\n| **Recall** | 100% (zero false negatives) |\n| **F1-Score** | 100% (perfect balance) |\n| **Average Scan Duration** | 30-35 seconds |\n| **Database Operations** | 80 scans tracked, 1159+ findings stored |\n\n**Test Coverage (13 phases):**\n\n- ✅ **Phase 1**: Basic CLI (exit codes, error handling)\n- ✅ **Phase 2**: Consent tokens (HTTP verification, aggressive mode)\n- ✅ **Phase 3**: AI integration (OpenAI, Anthropic, Ollama)\n- ✅ **Phase 4**: Report generation (JSON, HTML, AI analysis)\n- ✅ **Phase 5**: Advanced options (rate limiting, threads, timeouts)\n- ✅ **Phase 6**: Check modules (70+ finding codes validated)\n- ✅ **Phase 7**: Logging (text, JSON, verbosity levels)\n- ✅ **Phase 8**: Database (schema, integrity, foreign keys)\n- ✅ **Phase 9**: Error handling (edge cases, permissions)\n- ✅ **Phase 10**: Integration (Argos suite compatibility)\n- ✅ **Phase 11**: CORS, Robots.txt, WAF detection\n- ✅ **Phase 12**: API discovery, Cookie security, phpinfo analysis\n- ✅ **Phase 13**: Config file parser, diff reports, AI cost tracking\n\n**Key Findings:**\n\n- ✅ All critical vulnerabilities detected (.env, .git, server-status, phpinfo)\n- ✅ All server versions identified (Apache 2.4.54, Nginx 1.18.0)\n- ✅ All security headers analyzed correctly (6 headers checked)\n- ✅ All directory listing issues identified\n- ✅ CORS, WAF, API, Cookie, phpinfo modules fully operational\n- ✅ Diff reports (`--diff last`) working across scan history\n- ✅ Resilient error handling (timeouts, DNS failures, connection refused)\n\n**Verdict:** Hephaestus is **production-ready** for server security assessments.\n\n---\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n- **Python 3.11+** (3.12 recommended)\n- **pip** (Python package manager)\n- **Docker** (optional, for vulnerable labs)\n\n### Installation\n\n**1. Clone the repository**\n\n```bash\ngit clone https://github.com/rodhnin/hephaestus-server-forger.git\ncd hephaestus-server-forger\n```\n\n**2. (Optional) Install `venv` if not already available**\n\n```bash\n# Debian/Ubuntu\nsudo apt update \u0026\u0026 sudo apt install -y python3-venv\n\n# Fedora/RHEL\nsudo dnf install python3-virtualenv\n\n# macOS (via Homebrew)\nbrew install python@3.11\n```\n\n**3. Create and activate virtual environment**\n\n```bash\npython3 -m venv .venv\nsource .venv/bin/activate\n# You should see (.venv) in your terminal prompt\n```\n\n**4. Upgrade pip**\n\n```bash\npython -m pip install --upgrade pip\n```\n\n**5. Install dependencies**\n\n```bash\npython -m pip install -r requirements.txt\n```\n\n**6. Configure API keys (if using cloud AI)**\n\n```bash\n# OpenAI\nexport OPENAI_API_KEY=\"sk-...\"\n\n# Anthropic\nexport ANTHROPIC_API_KEY=\"sk-ant-...\"\n```\n\n**7. Verify installation**\n\n```bash\npython -m heph --version\n# Output: heph 0.2.0\n```\n\n### Your First Scan\n\n```bash\n# Basic scan (safe mode, no consent required)\npython -m heph --target https://example.com\n\n# With HTML report\npython -m heph --target https://example.com --html\n\n# With AI hardening guide (requires consent)\npython -m heph --target https://example.com --use-ai --html\n```\n\n### 🐳 Quick Start with Docker\n\ncd docker \u0026\u0026 ./deploy.sh\n\n# Select option 3 for testing (Both)\n\ndocker compose exec hephaestus python -m heph --target http://vulnerable-apache\n\n**🎉 Success!** Check `~/.hephaestus/reports/` for your reports.\n\n---\n\n## 📘 Usage Guide\n\n### Basic Scanning\n\n```bash\n# Safe mode (default) - Non-intrusive checks\npython -m heph --target https://example.com\n\n# Generate HTML report\npython -m heph --target https://example.com --html\n\n# Increase verbosity for debugging\npython -m heph --target https://example.com -vv\n\n# Quiet mode (errors only)\npython -m heph --target https://example.com -q\n```\n\n### Advanced Scanning\n\n```bash\n# Control scan speed (1-20 req/s)\npython -m heph --target https://example.com --rate 10\n\n# Control concurrency (1-20 threads)\npython -m heph --target https://example.com --threads 8\n\n# Custom timeout (useful for slow servers)\npython -m heph --target https://example.com --timeout 60\n\n# Custom output directory\npython -m heph --target https://example.com --report-dir ./my-reports\n\n# Custom User-Agent\npython -m heph --target https://example.com --user-agent \"MyBot/1.0\"\n\n# Disable SSL verification (testing only)\npython -m heph --target https://self-signed.badssl.com --no-verify-ssl\n```\n\n### AI-Powered Hardening Guides\n\n**Step 1: Configure your provider**\n\nEdit `config/defaults.yaml`:\n\n```yaml\nai:\n langchain:\n provider: \"openai\" # Options: openai, anthropic, ollama\n model: \"gpt-4o-mini-2024-07-18\"\n temperature: 0.3\n```\n\n**Step 2: Test your setup**\n\n```bash\n# Verify AI provider works\npython -m heph.core.ai openai\n```\n\n**Step 3: Run AI-powered scan**\n\n```bash\n# Technical hardening guide (for sysadmins)\npython -m heph --target https://example.com \\\n --use-ai \\\n --ai-tone technical \\\n --html\n\n# Executive risk summary (for management)\npython -m heph --target https://example.com \\\n --use-ai \\\n --ai-tone non_technical \\\n --html\n\n# Both analyses in one report\npython -m heph --target https://example.com \\\n --use-ai \\\n --ai-tone both \\\n --html\n\n# Stream AI output token-by-token\npython -m heph --target https://example.com \\\n --use-ai \\\n --ai-stream \\\n --html\n\n# Compare two AI providers in parallel\npython -m heph --target https://example.com \\\n --use-ai \\\n --ai-compare openai,anthropic \\\n --html\n\n# Agent mode with live NVD CVE lookup\npython -m heph --target https://example.com \\\n --use-ai \\\n --ai-agent \\\n --html\n\n# Set a cost budget cap (USD)\npython -m heph --target https://example.com \\\n --use-ai \\\n --ai-budget 0.50 \\\n --html\n```\n\n### Aggressive Mode (Requires Consent)\n\n```bash\n# Step 1: Generate consent token\npython -m heph --gen-consent example.com\n# Output: Token: verify-a3f9b2c1d8e4...\n\n# Step 2: Place token on your server\n# Create: https://example.com/.well-known/verify-a3f9b2c1d8e4.txt\n# Content: verify-a3f9b2c1d8e4\n\n# Step 3: Verify consent\npython -m heph --verify-consent http \\\n --domain example.com \\\n --token verify-a3f9b2c1d8e4\n\n# Step 4: Run aggressive scan (deeper checks, higher rate limit)\npython -m heph --target https://example.com --aggressive\n```\n\n---\n\n## 🤖 AI-Powered Analysis\n\nHephaestus uses **LangChain 1.0.0** with support for multiple AI providers.\n\n### Supported Providers\n\n#### OpenAI GPT-4 Turbo\n\n**Best for: Production use**\n\n- ⭐ Quality: Excellent (5/5)\n- ⚡ Speed: ~35 seconds\n- 💰 Cost: ~$0.25 per scan\n- 🔒 Privacy: Standard (data encrypted in transit)\n\n```bash\nexport OPENAI_API_KEY=\"sk-...\"\npython -m pip install langchain-openai==1.0.0\n```\n\n#### Anthropic Claude\n\n**Best for: Enhanced privacy**\n\n- ⭐ Quality: Excellent (5/5)\n- ⚡ Speed: ~45 seconds\n- 💰 Cost: ~$0.30 per scan\n- 🔒 Privacy: Enhanced (Anthropic's privacy-first approach)\n\n```bash\nexport ANTHROPIC_API_KEY=\"sk-ant-...\"\npython -m pip install langchain-anthropic==1.0.0\n```\n\n#### Ollama (Local Models)\n\n**Best for: Complete privacy**\n\n- ⭐ Quality: Good (3/5)\n- 🐢 Speed: ~28 minutes (CPU) or ~75 seconds (GPU)\n- 💰 Cost: Free\n- 🔐 Privacy: 100% offline (data never leaves your machine)\n\n```bash\n# Install Ollama: https://ollama.ai\nollama pull llama3.2\npython -m pip install \"langchain-ollama\u003e=0.3.0,\u003c0.4.0\"\n```\n\n### Privacy \u0026 Security\n\n**Automatic Sanitization**\n\nBefore sending to AI providers, Hephaestus automatically removes:\n\n- ✅ Consent tokens\n- ✅ API keys and credentials\n- ✅ Private keys and certificates\n- ✅ Internal IP addresses\n- ✅ Database credentials\n\n**Opt-In Only**\n\n- AI analysis requires explicit `--use-ai` flag\n- Aggressive scanning requires verified consent token\n- You control which provider sees your data\n\n**For Maximum Privacy**: Use Ollama locally.\n\n---\n\n## 🧪 Safe Testing Labs\n\n**⚠️ NEVER scan production sites without written permission!**\n\nUse our Docker labs to practice safely:\n\n### Setup Test Environment\n\n### Option 1: Interactive Script (Recommended)\n\n```bash\n# Run the interactive deployment script\ncd docker \u0026\u0026 ./deploy.sh\n```\n\nThe script provides 5 options:\n\n1. **Production** → Deploy Hephaestus scanner service\n2. **Testing Lab** → Deploy vulnerable web servers (Apache + Nginx)\n3. **Both** → Deploy both environments\n4. **Stop All** → Stop all running services\n5. **Remove All** → Remove containers, volumes, and data (requires confirmation)\n\n### Option 2: Manual Docker Compose\n\n**Testing Lab Only:**\n\n```bash\n# Start vulnerable servers (Apache + Nginx)\ndocker compose -f docker/compose.testing.yml up -d\n\n# Wait for initialization (~15 seconds)\nsleep 15\n\n# Verify services\ndocker compose -f docker/compose.testing.yml ps\ncurl -I http://localhost:8080 # Apache\ncurl -I http://localhost:8081 # Nginx\n```\n\n**Production Scanner:**\n\n```bash\n# Start Hephaestus scanner service\ndocker compose -f docker/compose.yml up -d\n\n# Run a scan\ndocker compose -f docker/compose.yml exec hephaestus heph --target https://example.com\n\n# View reports\nls -lh docker/reports/\n```\n\n**Both Environments:**\n\n```bash\n# Start both production and testing\ndocker compose -f docker/compose.yml up -d\ndocker compose -f docker/compose.testing.yml up -d\n\n# Scan the testing labs from host\npython -m heph --target http://localhost:8080 --html\npython -m heph --target http://localhost:8081 --html\n```\n\n### Scan the Labs\n\n```bash\n# Scan Apache lab (from host)\npython -m heph --target http://localhost:8080 --html\n\n# Scan Nginx lab (from host)\npython -m heph --target http://localhost:8081 --html\n\n# AI-powered analysis (requires OPENAI_API_KEY)\npython -m heph --target http://localhost:8080 --use-ai --html\n\n# OR from inside production container (using container name)\ndocker compose -f docker/compose.yml exec hephaestus python -m heph --target http://hephaestus-vulnerable-apache --html\n```\n\n### Expected Results\n\n**Apache Lab (localhost:8080):**\n\n- 42 findings total (across all 13 scan phases)\n- Includes CORS, WAF, API, Cookie, phpinfo, OWASP-mapped findings\n\n**Nginx Lab (localhost:8081):**\n\n- 25 findings total (across all 13 scan phases)\n- Includes CORS, WAF, API, Cookie, OWASP-mapped findings\n\n### Cleanup\n\n**Stop services:**\n\n```bash\n# Using script\ncd docker \u0026\u0026 ./deploy.sh # Choose option 4 (Stop All)\n\n# OR manually\ndocker compose -f docker/compose.yml down\ndocker compose -f docker/compose.testing.yml down\n```\n\n**Remove everything (WARNING: deletes data and reports):**\n\n```bash\n# Using script (with confirmation)\ncd docker \u0026\u0026 ./deploy.sh # Choose option 5 (Remove All)\n\n# OR manually\ndocker compose -f docker/compose.yml down -v\ndocker compose -f docker/compose.testing.yml down -v\nrm -rf docker/data docker/reports\n```\n\n---\n\n## 🐳 Docker Deployment\n\nHephaestus provides two Docker deployment options:\n\n### Option 1: Docker Compose (Recommended)\n\n**Production Scanner Service:**\n\n```bash\n# Start long-running scanner service\ndocker compose -f docker/compose.yml up -d\n\n# Run scans\ndocker compose -f docker/compose.yml exec hephaestus heph --target https://example.com --html\n\n# View reports\nls -lh docker/reports/\n\n# Stop service\ndocker compose -f docker/compose.yml down\n```\n\n**Testing Lab (Vulnerable Servers):**\n\n```bash\n# Start Apache + Nginx vulnerable servers\ndocker compose -f docker/compose.testing.yml up -d\n\n# Scan from host\npython -m heph --target http://localhost:8080 --html\n\n# Stop lab\ndocker compose -f docker/compose.testing.yml down\n```\n\n**Interactive Deployment Script:**\n\n```bash\n# Use the interactive menu\ncd docker \u0026\u0026 ./deploy.sh\n```\n\n### Option 2: Direct Docker Run\n\n**Build the image:**\n\n```bash\ndocker build -f docker/Dockerfile -t hephaestus:0.2.0 .\n```\n\n**Run a one-off scan:**\n\n```bash\ndocker run --rm \\\n -v $(pwd)/docker/reports:/reports \\\n -v $(pwd)/docker/data:/data \\\n hephaestus:0.2.0 \\\n --target https://example.com \\\n --html\n```\n\n**With AI analysis:**\n\n```bash\ndocker run --rm \\\n -v $(pwd)/docker/reports:/reports \\\n -e OPENAI_API_KEY=\"$OPENAI_API_KEY\" \\\n hephaestus:0.2.0 \\\n --target https://example.com \\\n --use-ai \\\n --ai-tone both \\\n --html\n```\n\n**Scan local testing lab:**\n\n```bash\n# Start testing lab first\ndocker compose -f docker/compose.testing.yml up -d\n\n# Scan from container (join the testing lab network)\ndocker run --rm \\\n --network hephaestus-lab \\\n hephaestus:0.2.0 \\\n --target http://hephaestus-vulnerable-apache\n```\n\n---\n\n## 📊 Understanding Reports\n\n### Report Structure\n\n```\n~/.hephaestus/\n├── reports/\n│ ├── hephaestus_report_example_20251021_143022.json\n│ └── hephaestus_report_example_20251021_143022.html\n└── (shared with Argos)\n ~/.argos/\n ├── argos.db # Shared database\n └── logs/\n └── hephaestus.log\n```\n\n### Finding IDs (Pattern, 70+ total)\n\n```\nHEPH-SRV-001: Server version disclosed (Apache/Nginx/IIS)\nHEPH-SRV-004: Server disclosed in error page\nHEPH-SRV-016: PHP version disclosed in Server header\nHEPH-SRV-017: OpenSSL version disclosed in Server header\nHEPH-FILE-001: Environment file exposed (.env)\nHEPH-FILE-002: Git repository exposed\nHEPH-FILE-003: PHP information page exposed\nHEPH-FILE-004: Apache server-status exposed\nHEPH-HTTP-003: Unsafe HTTP method in OPTIONS (TRACE)\nHEPH-HTTP-008: TRACE method enabled (XST vulnerability)\nHEPH-HDR-001: Missing security header: HSTS\nHEPH-HDR-002: Missing security header: CSP\nHEPH-HDR-003: Missing security header: X-Frame-Options\nHEPH-HDR-004: Missing security header: X-Content-Type-Options\nHEPH-HDR-005: Missing security header: Referrer-Policy\nHEPH-HDR-006: Missing security header: Permissions-Policy\nHEPH-CFG-001: Directory listing enabled\nHEPH-TLS-000: TLS not enabled\nHEPH-TLS-001: Weak TLS protocol (SSLv3, TLS 1.0)\nHEPH-TLS-002: Weak cipher suite enabled\nCOR-001 to COR-006: CORS misconfiguration findings\nROB-001/002/003: Robots.txt intelligence findings\nWAF-001/002: WAF detection findings\nAPI-001 to API-005: API discovery findings\nCOO-001 to COO-005: Cookie security findings\nPHP-001 to PHP-009: phpinfo() dangerous settings\n```\n\n### Severity Mapping\n\n- **CRITICAL**: .env exposed, .git accessible, phpinfo, server-status, SQL dumps\n- **HIGH**: Server version disclosed, weak TLS, TLS missing, unsafe HTTP methods\n- **MEDIUM**: Missing important headers (HSTS, CSP, X-Frame-Options), directory listing, error page disclosure\n- **LOW**: Minor headers (X-Content-Type-Options, Referrer-Policy, Permissions-Policy)\n- **INFO**: Informational findings (server detected, TLS 1.2 OK)\n\n---\n\n## 📁 Project Structure\n\n```\nhephaestus-server-forger/\n│\n├── heph/ # Main application package\n│ ├── checks/ # Security check modules (13 phases)\n│ │ ├── __init__.py\n│ │ ├── api_discovery.py # Phase 11: Swagger/OpenAPI/GraphQL exposure\n│ │ ├── config.py # Phase 5: Directory listing detection\n│ │ ├── config_file.py # Phase 14: Offline httpd.conf/nginx.conf parser\n│ │ ├── cookies.py # Phase 12: HttpOnly/Secure/SameSite analysis\n│ │ ├── cors.py # Phase 8: CORS wildcard \u0026 reflection probes\n│ │ ├── files.py # Phase 2: 70+ sensitive file paths\n│ │ ├── headers.py # Phase 4: Security headers analysis\n│ │ ├── http_methods.py # Phase 3: Unsafe HTTP methods (PUT/DELETE/TRACE)\n│ │ ├── phpinfo.py # Phase 13: phpinfo() dangerous settings\n│ │ ├── ports.py # Phase 7: 37-port scanner with banner grabbing\n│ │ ├── robots.py # Phase 9: robots.txt disallowed path analysis\n│ │ ├── server_info.py # Phase 1: Apache/Nginx/IIS fingerprinting\n│ │ ├── tls.py # Phase 6: Deep TLS/SSL + CVE correlation\n│ │ └── waf.py # Phase 10: 13 WAF signatures detection\n│ │\n│ ├── core/ # Core infrastructure\n│ │ ├── __init__.py\n│ │ ├── ai.py # LangChain AI (GPT-4/Claude/Ollama) + cost tracking\n│ │ ├── config.py # Configuration loader\n│ │ ├── consent.py # Consent token system (HTTP + DNS)\n│ │ ├── cve_lookup.py # NVD CVE API integration\n│ │ ├── db.py # SQLite — shared with Argos suite (~/.argos/argos.db)\n│ │ ├── diff.py # Scan diff engine (--diff last / --diff \u003cid\u003e)\n│ │ ├── http_client.py # Token-bucket rate-limited HTTP client\n│ │ ├── logging.py # Structured logging\n│ │ ├── owasp.py # HEPH-* code → OWASP Top 10 2021 mapper\n│ │ └── report.py # JSON + HTML report generation\n│ │\n│ ├── __init__.py # Package metadata\n│ ├── __main__.py # Entry point\n│ ├── cli.py # CLI (30+ flags incl. --use-ai, --diff, --config-file)\n│ └── scanner.py # Orchestrator — 13 parallel phases\n│\n├── assets/\n│ └── ascii.txt # Hephaestus braille ASCII art\n│\n├── config/ # Configuration files\n│ ├── defaults.yaml # Default settings\n│ └── prompts/ # AI prompt templates\n│ ├── technical.txt # Technical hardening prompt\n│ └── non_technical.txt # Executive summary prompt\n│\n├── db/\n│ └── migrate.sql # Shared database schema (Argos suite)\n│\n├── docker/ # Docker deployment\n│ ├── vulnerable-apache/ # Vulnerable Apache lab (port 8080/8443)\n│ │ └── docker-entrypoint.sh\n│ ├── vulnerable-nginx/ # Vulnerable Nginx lab (port 8081/8444)\n│ │ └── docker-entrypoint.sh\n│ ├── compose.yml # Production stack\n│ ├── compose.testing.yml # Vulnerable lab stack\n│ ├── deploy.sh # Interactive deployment script\n│ └── Dockerfile # Production image\n│\n├── docs/ # Documentation\n│ ├── media/ # README visual assets\n│ │ ├── hephaestus-banner.webp # Banner 1280×400\n│ │ ├── hephaestus-hero.webp # Hero 1600×640\n│ │ ├── console.webp # Terminal scan output\n│ │ ├── report_html.webp # HTML report header\n│ │ └── report_findings.webp # Findings table with CVE badges\n│ ├── AI_INTEGRATION.md # AI providers setup guide\n│ ├── CONSENT.md # Consent system details\n│ ├── DATABASE_GUIDE.md # Shared database reference\n│ ├── ETHICS.md # Ethical use guidelines\n│ ├── REPORT_FORMAT.md # JSON/HTML report specification\n│ ├── ROADMAP.md # v0.3.0 tickets and priorities\n│ └── TESTING_GUIDE.md # Safe testing practices\n│\n├── schema/\n│ └── report.schema.json # JSON report schema (OWASP + CVE fields)\n│\n├── scripts/\n│ └── cli-examples.md # CLI usage examples\n│\n├── templates/\n│ └── report.html.j2 # HTML report template — forge theme\n│\n├── CHANGELOG.md # Version history\n├── CODE_OF_CONDUCT.md # Community guidelines\n├── CONTRIBUTING.md # Contribution guide\n├── LICENSE # MIT License\n├── README.md # This file\n├── requirements.txt # Python dependencies\n└── setup.py # Package installer\n```\n\n---\n\n## 🗺️ Roadmap\n\n### v0.1.0 — Initial Release ✅ (January 2026)\n\n**Status:** 🎉 **Released** (superseded by v0.2.0)\n\n- ✅ 6 security check modules (server, files, methods, headers, TLS, config)\n- ✅ AI-powered hardening guides (OpenAI, Anthropic, Ollama)\n- ✅ Consent token system (HTTP + DNS verification)\n- ✅ Professional reporting (JSON + HTML with AI analysis)\n- ✅ SQLite persistence (SHARED with Argos suite: `~/.argos/argos.db`)\n- ✅ Docker support with vulnerable labs (Apache \u0026 Nginx)\n- ✅ Comprehensive error handling and resilience\n- ✅ 55+ validation tests (10 phases, 100% passing)\n\n### v0.2.0 — Enhanced Detection ✅ (May 2026)\n\n**Status:** 🎉 **Released**\n\n- ✅ **13 scan phases** (7 new phases added over v0.1.0)\n- ✅ **Deep TLS Analysis**: SSLyze integration, cipher suites, CVE correlation, A+/F grading\n- ✅ **Framework \u0026 Module Detection**: Laravel, Django, Rails, mod_security, WAF detection\n- ✅ **Apache/Nginx Config Parser** (`--config-file`): Offline analysis of httpd.conf/nginx.conf\n- ✅ **CORS Detection**: Wildcard, null-origin, reflection probes (COR-001 to COR-006)\n- ✅ **Robots.txt Intelligence**: Disallowed path analysis, live accessibility probes (ROB-001/002/003)\n- ✅ **WAF Detection**: 13 signatures including Cloudflare, Sucuri, ModSecurity, AWS WAF (WAF-001/002)\n- ✅ **API Discovery**: Swagger/OpenAPI, GraphQL introspection, unauthenticated endpoints (API-001 to API-005)\n- ✅ **Cookie Security**: Per-cookie HttpOnly/Secure/SameSite analysis (COO-001 to COO-005)\n- ✅ **phpinfo() Deep Analysis**: 9 dangerous PHP settings (PHP-001 to PHP-009)\n- ✅ **OWASP Top 10 2021** mapping on every finding\n- ✅ **Live CVE Lookup** via NVD API v2 (Apache, Nginx, PHP, OpenSSL)\n- ✅ **Port Scanner**: 37 ports with banner grabbing\n- ✅ **AI Cost Tracking** (`--ai-budget`): Budget limits, costs.json, ai_costs table\n- ✅ **AI Streaming** (`--ai-stream`): Real-time token-by-token output\n- ✅ **AI Compare** (`--ai-compare`): Run two providers in parallel\n- ✅ **AI Agent** (`--ai-agent`): LangChain agent with NVD CVE lookup\n- ✅ **Diff Reports** (`--diff last` / `--diff SCAN_ID`): new/fixed/persisting findings\n- ✅ **Enhanced HTML Reports**: CVE/CWE badges, filter bar, expandable config snippets, AI tabs\n- ✅ 70+ finding codes validated\n\n### v0.3.0 — Enterprise Features (Q3 2026)\n\n**Focus:** Usability, scale, interactive AI\n\n- 🔜 **Interactive Config Management**: Metasploit-style interface (`heph --show-options`, `heph --set`)\n- 🔜 **Database CLI**: No SQL required (`heph db scans list`, `heph db findings search`)\n- 🔜 **Multi-Site Scanning**: Batch processing from file\n- 🔜 **AI Chat Interface**: Conversational hardening guidance\n- 🔜 **CI/CD Integration**: GitHub Actions, Jenkins, GitLab templates\n- 🔜 **REST API Server**: FastAPI-based API for automation\n- 🔜 **Nmap Integration**: Port scanning for comprehensive assessment\n\n### v0.4.0 — Intelligence \u0026 Automation (Q4 2026)\n\n**Focus:** ML, automation, advanced AI\n\n- 🔜 **Automated Remediation**: Ansible/Puppet playbooks for auto-fixing\n- 🔜 **ML-Based Detection**: Anomaly detection, false positive reduction\n- 🔜 **Distributed Scanning**: Worker nodes for large-scale operations\n- 🔜 **Advanced AI Agents**: Autonomous scan planning, exploit generation\n\n### Pro Track (Q1 2027)\n\n**Commercial product for enterprises**\n\n**IN PROCESS**\n\nFor detailed feature descriptions, see [ROADMAP.md](docs/ROADMAP.md)\n\n---\n\n## 🔒 Ethics \u0026 Legal\n\n### The Golden Rule\n\n**Only scan systems you own or have explicit written permission to test.**\n\n### Consent Enforcement\n\nHephaestus implements **technical controls** to prevent misuse:\n\n| Mode | Checks | Consent Required | Rate Limit |\n| --------------- | --------------- | ---------------- | ---------- |\n| **Safe** | Non-intrusive | ❌ No | 5 req/s |\n| **Aggressive** | Deep probing | ✅ Yes | 12 req/s |\n| **AI Analysis** | Hardening guide | ✅ Yes | N/A |\n\n### Legal Framework\n\nUnauthorized access to computer systems is **illegal** in most jurisdictions:\n\n- 🇺🇸 **USA**: Computer Fraud and Abuse Act (CFAA)\n- 🇬🇧 **UK**: Computer Misuse Act 1990\n- 🇪🇺 **EU**: Directive 2013/40/EU\n- 🌍 **International**: Various cybercrime laws\n\n### Best Practices\n\n1. ✅ **Get written authorization** before scanning\n2. ✅ **Define scope clearly** (which domains/IPs)\n3. ✅ **Document everything** (consent, findings, remediation)\n4. ✅ **Use safe mode first** to establish baseline\n5. ✅ **Report findings responsibly** (coordinated disclosure)\n6. ❌ **Never exploit vulnerabilities** without explicit permission\n7. ❌ **Never scan third-party sites** (e.g., apache.org, nginx.com)\n\nFor complete ethical guidelines, see [docs/ETHICS.md](docs/ETHICS.md)\n\n---\n\n## 🤝 Contributing\n\nWe welcome contributions! Whether it's:\n\n- 🐛 Bug reports\n- 💡 Feature requests\n- 📝 Documentation improvements\n- 🔧 Code contributions\n\n### How to Contribute\n\n1. **Fork the repository**\n2. **Create a feature branch** (`git checkout -b feature/amazing-feature`)\n3. **Make your changes**\n4. **Write/update tests** (when applicable)\n5. **Commit your changes** (`git commit -m 'Add amazing feature'`)\n6. **Push to the branch** (`git push origin feature/amazing-feature`)\n7. **Open a Pull Request**\n\n### Development Setup\n\n```bash\n# Clone your fork\ngit clone https://github.com/YOUR-USERNAME/hephaestus-server-forger.git\ncd hephaestus-server-forger\n\n# Install development dependencies\npython -m pip install -r requirements.txt\npython -m pip install pytest black flake8 mypy\n\n# Run code formatting\nblack heph/\n\n# Run linting\nflake8 heph/\nmypy heph/\n\n# Run tests (when available)\npytest tests/\n```\n\n### Reporting Issues\n\nFound a bug? Have a feature request?\n\n**Open an issue**: https://github.com/rodhnin/hephaestus-server-forger/issues\n\nPlease include:\n\n- Hephaestus version (`python -m heph --version`)\n- Python version (`python --version`)\n- Operating system\n- Steps to reproduce (for bugs)\n- Expected vs actual behavior\n\n---\n\n## 📚 Documentation\n\nComprehensive documentation available in the `docs/` directory:\n\n| Document | Description |\n| ------------------------------------------- | ----------------------------------------- |\n| [AI_INTEGRATION.md](docs/AI_INTEGRATION.md) | Complete AI setup guide (all 3 providers) |\n| [CONSENT.md](docs/CONSENT.md) | Consent token system technical details |\n| [DATABASE_GUIDE.md](docs/DATABASE_GUIDE.md) | SQLite schema, queries, management |\n| [ETHICS.md](docs/ETHICS.md) | Legal framework and ethical guidelines |\n| [REPORT_FORMAT.md](docs/REPORT_FORMAT.md) | JSON schema and HTML specifications |\n| [TESTING_GUIDE.md](docs/TESTING_GUIDE.md) | Safe testing with Docker labs |\n| [ROADMAP.md](docs/ROADMAP.md) | Future features and development plans |\n\n### Quick Links\n\n- **Changelog**: [CHANGELOG.md](CHANGELOG.md)\n- **License**: [LICENSE](LICENSE)\n- **CLI Examples**: [scripts/cli-examples.md](scripts/cli-examples.md)\n\n---\n\n## ⚖️ License\n\nThis project is licensed under the **MIT License** - see the [LICENSE](LICENSE) file for details.\n\n```\nMIT License\n\nCopyright (c) 2026 Rodney Dhavid Jimenez Chacin\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.\n```\n\n---\n\n## ⚠️ Disclaimer\n\n**IMPORTANT:** This tool is for **authorized security testing only**.\n\n### Legal Notice\n\nBy using Hephaestus, you acknowledge and agree that:\n\n1. ✅ You will **only scan systems you own** or have **explicit written permission** to test\n2. ✅ You will **comply with all applicable laws** and regulations\n3. ✅ You understand that **unauthorized access is illegal** (CFAA, Computer Misuse Act, etc.)\n4. ✅ The author and contributors **assume no liability** for misuse\n5. ✅ This software is provided **\"as-is\" without warranty** of any kind\n\n### Responsible Disclosure\n\nIf you discover vulnerabilities using Hephaestus:\n\n- 📧 Contact the site owner privately first\n- ⏰ Give reasonable time to fix (typically 90 days)\n- 🤝 Coordinate disclosure timeline\n- 📝 Document your findings professionally\n\n### When in Doubt\n\n**Don't scan.** If you're unsure whether you have permission, you probably don't.\n\n---\n\n## 🙏 Acknowledgments\n\nHephaestus stands on the shoulders of giants:\n\n- **Apache \u0026 Nginx** — Documentation and hardening guides\n- **OWASP** — Security standards (Top 10, Testing Guide, Secure Headers Project)\n- **CIS Benchmarks** — Server hardening best practices\n- **LangChain** — AI framework for intelligent analysis\n- **Anthropic \u0026 OpenAI** — AI models for vulnerability analysis\n- **Ollama** — Local AI inference for privacy-focused scanning\n- **Python Community** — Amazing libraries and tools\n\nSpecial thanks to all security researchers who practice and promote ethical hacking.\n\n---\n\n## 👤 Author\n\n**Rodney Dhavid Jimenez Chacin (rodhnin)**\n\n- 🌐 Website \u0026 Contact: [rodhnin.com](https://rodhnin.com)\n- 💼 GitHub: [@rodhnin](https://github.com/rodhnin)\n- 🔗 Project: [hephaestus-server-forger](https://github.com/rodhnin/hephaestus-server-forger)\n\nFor questions, feedback, or collaboration inquiries, please visit [rodhnin.com](https://rodhnin.com) to contact me.\n\n---\n\n## 💬 Community\n\n- **Discussions**: [GitHub Discussions](https://github.com/rodhnin/hephaestus-server-forger/discussions)\n- **Issues**: [GitHub Issues](https://github.com/rodhnin/hephaestus-server-forger/issues)\n- **Releases**: [GitHub Releases](https://github.com/rodhnin/hephaestus-server-forger/releases)\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**Built with ❤️ for ethical hackers and sysadmins worldwide**\n\n⭐ **Star this repo** if you find it useful! ⭐\n\n[Report Bug](https://github.com/rodhnin/hephaestus-server-forger/issues) • [Request Feature](https://github.com/rodhnin/hephaestus-server-forger/issues) • [Documentation](docs/)\n\n---\n\n_Hephaestus v0.2.0 — May 2026_\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frodhnin%2Fhephaestus-server-forger","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frodhnin%2Fhephaestus-server-forger","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frodhnin%2Fhephaestus-server-forger/lists"}