Update server.js

server.js

@@ -14,6 +14,7 @@ import cron from 'node-cron';
 import maxmind from 'maxmind';
 import geoip from 'geoip-lite';
 import piiFilter from 'pii-filter';
+import { Mutex } from 'async-mutex';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -25,7 +26,6 @@ app.set('trust proxy', 1);
 app.use(helmet({ contentSecurityPolicy: false, frameguard: false }));
 app.use(cors());
 app.use(express.json({ limit: '10mb' }));
-
 app.use('/api/', rateLimit({
     windowMs: 15 * 60 * 1000,
     max: 100,
@@ -33,18 +33,95 @@ app.use('/api/', rateLimit({
     legacyHeaders: false,
 }));
 
-// 环境变量
+// ==================== ENV ====================
 const MAXMIND_ACCOUNT_ID = process.env.Account_ID;
 const MAXMIND_LICENSE_KEY = process.env.License_key;
 
-// 全局数据库变量
+// ==================== GLOBALS ====================
 let ghosteryDB = null;
 let ddgTrackerRadar = { domains: {} };
 let tosdrCache = new Map();
 let geoReader = null;
 let useMaxMind = false;
+const scanMutex = new Mutex();
+
+// ==================== BROWSER POOL ====================
+class BrowserPool {
+    constructor() {
+        this.browser = null;
+        this.launching = false;
+        this.waiters = [];
+    }
+
+    async getBrowser() {
+        if (this.browser) {
+            try {
+                await this.browser.version();
+                return this.browser;
+            } catch {
+                this.browser = null;
+            }
+        }
+
+        if (this.launching) {
+            await new Promise(r => {
+                this.waiters.push(r);
+                setTimeout(r, 8000); // max wait 8s
+            });
+            return this.getBrowser();
+        }
 
-// --- 初始化 Ghostery TrackerDB ---
+        this.launching = true;
+        try {
+            this.browser = await chromium.launch({
+                headless: true,
+                args: [
+                    '--no-sandbox',
+                    '--disable-setuid-sandbox',
+                    '--disable-dev-shm-usage',
+                    '--disable-gpu',
+                    '--single-process',
+                    '--disable-extensions',
+                    '--memory-pressure-off',
+                    '--disable-blink-features=AutomationControlled'
+                ]
+            });
+            console.log('🚀 Browser launched');
+            this.waiters.forEach(r => r());
+            this.waiters = [];
+        } finally {
+            this.launching = false;
+        }
+
+        return this.browser;
+    }
+
+    async newTab() {
+        const browser = await this.getBrowser();
+        const context = await browser.newContext({
+            javaScriptEnabled: true,
+            ignoreHTTPSErrors: true,
+            userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
+        });
+        const page = await context.newPage();
+        return { page, context };
+    }
+
+    async closeTab(context) {
+        await context.close().catch(() => {});
+    }
+
+    async shutdown() {
+        if (this.browser) {
+            await this.browser.close().catch(() => {});
+            this.browser = null;
+        }
+    }
+}
+
+const pool = new BrowserPool();
+
+// ==================== INIT FUNCTIONS ====================
 async function initGhosteryDB() {
     try {
         const enginePath = path.join(__dirname, 'node_modules', '@ghostery', 'trackerdb', 'dist', 'trackerdb.engine');
@@ -58,7 +135,6 @@ async function initGhosteryDB() {
     }
 }
 
-// --- 加载 DuckDuckGo Tracker Radar 数据 ---
 function loadDDGTrackerRadar() {
     try {
         const ddgPath = path.join(__dirname, 'data', 'ddg-tracker-radar.json');
@@ -71,7 +147,6 @@ function loadDDGTrackerRadar() {
     }
 }
 
-// --- 定时任务：每天更新 DDG 和 Geo 数据库 ---
 cron.schedule('0 0 * * *', async () => {
     await downloadDDGTrackerRadar();
     if (MAXMIND_ACCOUNT_ID && MAXMIND_LICENSE_KEY) {
@@ -79,7 +154,6 @@ cron.schedule('0 0 * * *', async () => {
     }
 });
 
-// --- 下载 DuckDuckGo Tracker Radar 数据 ---
 async function downloadDDGTrackerRadar() {
     try {
         const response = await axios.get('https://downloads.vivaldi.com/ddg/tds-v2-current.json', { timeout: 30000 });
@@ -103,15 +177,11 @@ async function downloadDDGTrackerRadar() {
     }
 }
 
-// --- 初始化地理定位数据库 ---
 async function initGeoDatabase() {
-    // 如果提供了 MaxMind 密钥，尝试使用 maxmind
     if (MAXMIND_ACCOUNT_ID && MAXMIND_LICENSE_KEY) {
         try {
             const dbPath = path.join(__dirname, 'data', 'geo', 'GeoLite2-City.mmdb');
-            if (!existsSync(dbPath)) {
-                await downloadMaxMindDatabase(dbPath);
-            }
+            if (!existsSync(dbPath)) await downloadMaxMindDatabase(dbPath);
             if (existsSync(dbPath)) {
                 geoReader = await maxmind.open(dbPath);
                 useMaxMind = true;
@@ -122,16 +192,13 @@ async function initGeoDatabase() {
             console.warn('���️ MaxMind initialization failed, falling back to geoip-lite:', e.message);
         }
     }
-    // 回退到 geoip-lite
     console.log('✅ Using geoip-lite for Geo mapping');
 }
 
-// --- 下载 MaxMind 数据库（如果需要）---
 async function downloadMaxMindDatabase(dbPath) {
     const url = `https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz`;
     const dir = path.dirname(dbPath);
     if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-    
     console.log('📥 Downloading MaxMind GeoLite2-City...');
     const response = await axios.get(url, { responseType: 'stream', timeout: 120000 });
     const tarPath = path.join(dir, 'GeoLite2-City.tar.gz');
@@ -141,13 +208,10 @@ async function downloadMaxMindDatabase(dbPath) {
         writer.on('finish', resolve);
         writer.on('error', reject);
     });
-    
-    // 注意：需要解压 tar.gz 文件，此处简化处理，实际项目中建议使用 tar 库解压
-    // 由于解压较为复杂，这里只下载，实际使用时如果无法解压，geoReader 将无法初始化，会自动回退到 geoip-lite
     console.warn('⚠️ MaxMind DB downloaded but auto-extraction not implemented. Using geoip-lite instead.');
 }
 
-// --- 工具函数 ---
+// ==================== UTILS ====================
 function normalizeUrl(inputUrl) {
     let url = inputUrl.trim();
     if (!url.startsWith('http://') && !url.startsWith('https://')) url = 'https://' + url;
@@ -159,7 +223,6 @@ function getBaseDomain(hostname) {
     return parsed.domain || hostname;
 }
 
-// --- 获取 Ghostery 追踪器信息 ---
 async function getGhosteryInfo(domain) {
     if (!ghosteryDB) return null;
     try {
@@ -179,29 +242,21 @@ async function getGhosteryInfo(domain) {
     return null;
 }
 
-// --- 获取 DuckDuckGo 追踪器信息 ---
 function getDDGInfo(domain) {
     const baseDomain = getBaseDomain(domain);
     return ddgTrackerRadar.domains[domain] || ddgTrackerRadar.domains[baseDomain] || null;
 }
 
-// --- 获取 ToS;DR 评级 ---
 async function getTosdrGrade(url) {
     try {
         const hostname = new URL(url).hostname;
         if (tosdrCache.has(hostname)) return tosdrCache.get(hostname);
-        
         const searchResponse = await axios.get(`https://api.tosdr.org/search/v5?query=${encodeURIComponent(hostname)}`, { timeout: 5000 });
         const services = searchResponse.data?.services || [];
-        if (services.length === 0) {
-            tosdrCache.set(hostname, null);
-            return null;
-        }
-        
+        if (services.length === 0) { tosdrCache.set(hostname, null); return null; }
         const serviceId = services[0].id;
         const detailResponse = await axios.get(`https://api.tosdr.org/service/v3?id=${serviceId}`, { timeout: 5000 });
         const service = detailResponse.data;
-        
         const result = {
             grade: service.rating || 'N/A',
             name: service.name,
@@ -215,99 +270,305 @@ async function getTosdrGrade(url) {
     }
 }
 
-// --- 截图 ---
+// ==================== BROWSER TOOLS (shared pool) ====================
+
 async function takeScreenshot(url) {
-    let browser = null;
+    const { page, context } = await pool.newTab();
     try {
-        browser = await chromium.launch({ headless: true, args: ['--no-sandbox', '--disable-dev-shm-usage'] });
-        const page = await browser.newPage();
         await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 15000 });
-        await page.waitForTimeout(1000);
-        const buffer = await page.screenshot({ type: 'jpeg', quality: 85, fullPage: false });
+        await page.waitForTimeout(800);
+        const buffer = await page.screenshot({ type: 'jpeg', quality: 80, fullPage: false });
         return `data:image/jpeg;base64,${buffer.toString('base64')}`;
     } catch (e) {
         console.error('Screenshot failed:', e.message);
         return null;
     } finally {
-        if (browser) await browser.close().catch(() => {});
+        await pool.closeTab(context);
     }
 }
 
-// --- Blacklight 扫描 ---
-async function performBlacklightScan(url) {
+async function checkHiddenStorage(url) {
+    const { page, context } = await pool.newTab();
     try {
-        const options = {
-            inUrl: url,
-            blTests: ['cookies', 'third_party_trackers', 'fb_pixel_events', 'canvas_fingerprinters', 'canvas_font_fingerprinters', 'key_logging', 'session_recorders', 'google_analytics_events', 'twitter_pixel', 'tiktok_pixel'],
-            numPages: 1,
-            defaultWaitUntil: 'networkidle2',
-            captureHar: true,
-            saveScreenshots: false,
-            headless: true,
-            defaultTimeout: 60000,
-            extraChromiumArgs: ['--disable-blink-features=AutomationControlled','--no-sandbox','--disable-setuid-sandbox','--disable-dev-shm-usage','--disable-gpu','--ignore-certificate-errors']
-        };
-        return await collect(url, options);
+        await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 15000 });
+        return await page.evaluate(() => ({
+            localStorage: Object.entries(localStorage).map(([k, v]) => ({ key: k, value: v })),
+            sessionStorage: Object.entries(sessionStorage).map(([k, v]) => ({ key: k, value: v })),
+            indexedDB: !!window.indexedDB
+        }));
     } catch (e) {
-        console.error('Blacklight scan failed:', e.message);
-        return { hosts: {}, cookies: [], error: e.message };
+        console.error('Hidden storage check failed:', e.message);
+        return null;
+    } finally {
+        await pool.closeTab(context);
     }
 }
 
-// --- 隐藏存储检测 ---
-async function checkHiddenStorage(url) {
-    let browser = null;
+async function analyzeCookieConsent(url) {
+    const { page, context } = await pool.newTab();
     try {
-        browser = await chromium.launch({ headless: true, args: ['--no-sandbox', '--disable-dev-shm-usage'] });
-        const page = await browser.newPage();
         await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 15000 });
-        const storageData = await page.evaluate(() => {
-            const ls = [];
-            const ss = [];
-            for (let i = 0; i < localStorage.length; i++) {
-                const key = localStorage.key(i);
-                ls.push({ key, value: localStorage.getItem(key) });
-            }
-            for (let i = 0; i < sessionStorage.length; i++) {
-                const key = sessionStorage.key(i);
-                ss.push({ key, value: sessionStorage.getItem(key) });
-            }
+        await page.waitForTimeout(1500); // انتظر الـ banner يظهر
+
+        return await page.evaluate(() => {
+            const bodyText = document.body.innerHTML.toLowerCase();
+            const allButtons = Array.from(document.querySelectorAll('button, a[role="button"], [class*="btn"]'))
+                .map(el => el.innerText?.toLowerCase().trim())
+                .filter(Boolean);
+
+            const hasAccept = allButtons.some(t =>
+                t.includes('accept') || t.includes('agree') || t.includes('allow') ||
+                t.includes('ok') || t.includes('got it') || t.includes('i agree')
+            );
+            const hasReject = allButtons.some(t =>
+                t.includes('reject') || t.includes('decline') || t.includes('refuse') ||
+                t.includes('no thanks') || t.includes('deny') || t.includes('opt out')
+            );
+            const hasBanner = !!(bodyText.match(/cookie|gdpr|consent|ccpa/));
+
+            const checkboxes = Array.from(document.querySelectorAll('input[type="checkbox"]'));
+            const preChecked = checkboxes.filter(el => el.checked).length;
+            const totalChecks = checkboxes.length;
+
+            // detect dark patterns
+            const darkPatterns = [];
+            if (hasAccept && !hasReject) darkPatterns.push('no_reject_option');
+            if (preChecked > 0) darkPatterns.push('pre_checked_boxes');
+
+            const hasCustomize = allButtons.some(t =>
+                t.includes('customize') || t.includes('settings') ||
+                t.includes('manage') || t.includes('preferences')
+            );
+
             return {
-                localStorage: ls,
-                sessionStorage: ss,
-                indexedDB: !!window.indexedDB
+                has_banner: hasBanner,
+                has_accept: hasAccept,
+                has_reject: hasReject,
+                has_customize: hasCustomize,
+                pre_checked_boxes: preChecked,
+                total_checkboxes: totalChecks,
+                dark_patterns: darkPatterns,
+                gdpr_compliant: hasAccept && hasReject,
+                dark_pattern_detected: darkPatterns.length > 0
             };
         });
-        return storageData;
     } catch (e) {
-        console.error('Hidden storage check failed:', e.message);
+        console.error('Cookie consent analysis failed:', e.message);
+        return null;
+    } finally {
+        await pool.closeTab(context);
+    }
+}
+
+async function collectFingerprintRisks(url) {
+    const { page, context } = await pool.newTab();
+    try {
+        // intercept scripts to detect fingerprint APIs
+        const fingerprintAPIs = {
+            canvas: false,
+            webgl: false,
+            audio: false,
+            fonts: false,
+            webrtc: false,
+            battery: false,
+            sensors: false,
+            mediaDevices: false
+        };
+
+        await page.addInitScript(() => {
+            // نتعقب استخدام الـ APIs
+            const orig = HTMLCanvasElement.prototype.toDataURL;
+            HTMLCanvasElement.prototype.toDataURL = function(...args) {
+                window.__fp_canvas = true;
+                return orig.apply(this, args);
+            };
+            const origGetContext = HTMLCanvasElement.prototype.getContext;
+            HTMLCanvasElement.prototype.getContext = function(type, ...args) {
+                if (type === 'webgl' || type === 'webgl2') window.__fp_webgl = true;
+                return origGetContext.apply(this, args);
+            };
+            const OrigAudio = window.AudioContext || window.webkitAudioContext;
+            if (OrigAudio) {
+                const OrigClass = OrigAudio;
+                window.AudioContext = window.webkitAudioContext = function(...args) {
+                    window.__fp_audio = true;
+                    return new OrigClass(...args);
+                };
+            }
+            const origGetBattery = navigator.getBattery;
+            if (origGetBattery) {
+                navigator.getBattery = function() {
+                    window.__fp_battery = true;
+                    return origGetBattery.call(navigator);
+                };
+            }
+            const origEnumerate = navigator.mediaDevices?.enumerateDevices;
+            if (origEnumerate) {
+                navigator.mediaDevices.enumerateDevices = function() {
+                    window.__fp_media = true;
+                    return origEnumerate.call(navigator.mediaDevices);
+                };
+            }
+        });
+
+        await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 15000 });
+        await page.waitForTimeout(2000); // انتظر scripts تشتغل
+
+        const result = await page.evaluate(() => ({
+            canvas: !!window.__fp_canvas,
+            webgl: !!window.__fp_webgl,
+            audio: !!window.__fp_audio,
+            battery: !!window.__fp_battery,
+            mediaDevices: !!window.__fp_media,
+            // APIs موجودة في البراوزر
+            webrtc_available: !!(window.RTCPeerConnection),
+            fonts_api: !!document.fonts,
+            device_memory: navigator.deviceMemory || null,
+            hardware_concurrency: navigator.hardwareConcurrency || null,
+            screen: {
+                width: screen.width,
+                height: screen.height,
+                depth: screen.colorDepth
+            },
+            timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
+            languages: navigator.languages ? [...navigator.languages] : []
+        }));
+
+        // حساب fingerprint risk score
+        const risks = [];
+        if (result.canvas) risks.push('canvas_fingerprinting');
+        if (result.webgl) risks.push('webgl_fingerprinting');
+        if (result.audio) risks.push('audio_fingerprinting');
+        if (result.battery) risks.push('battery_status_api');
+        if (result.mediaDevices) risks.push('media_device_enumeration');
+        if (result.webrtc_available) risks.push('webrtc_ip_leak_risk');
+
+        return {
+            ...result,
+            risks_detected: risks,
+            risk_level: risks.length === 0 ? 'low' : risks.length <= 2 ? 'medium' : 'high',
+            risk_count: risks.length
+        };
+    } catch (e) {
+        console.error('Fingerprint risk collection failed:', e.message);
         return null;
     } finally {
-        if (browser) await browser.close().catch(() => {});
+        await pool.closeTab(context);
+    }
+}
+
+// ==================== NON-BROWSER TOOLS ====================
+
+async function trackRedirectChain(url) {
+    const TRACKING_PARAMS = [
+        'utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content',
+        'fbclid', 'gclid', 'mc_eid', 'ref', 'affiliate',
+        'clickid', 'adid', 'msclkid', 'twclid', '_ga', 'igshid'
+    ];
+
+    const chain = [];
+    let current = url;
+
+    for (let i = 0; i < 12; i++) {
+        try {
+            const response = await axios.get(current, {
+                maxRedirects: 0,
+                validateStatus: s => s < 500,
+                timeout: 5000,
+                headers: {
+                    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
+                }
+            });
+
+            let foundParams = [];
+            try {
+                const urlObj = new URL(current);
+                foundParams = TRACKING_PARAMS.filter(p => urlObj.searchParams.has(p));
+            } catch {}
+
+            chain.push({
+                url: current,
+                status: response.status,
+                tracking_params: foundParams,
+                is_tracker: foundParams.length > 0
+            });
+
+            const location = response.headers.location;
+            if (!location) break;
+
+            current = location.startsWith('http')
+                ? location
+                : new URL(location, current).toString();
+
+        } catch (e) {
+            break;
+        }
+    }
+
+    const allTrackingParams = [...new Set(chain.flatMap(c => c.tracking_params))];
+
+    return {
+        chain,
+        total_redirects: Math.max(0, chain.length - 1),
+        has_tracking: chain.some(c => c.tracking_params.length > 0),
+        tracking_params_found: allTrackingParams,
+        risk_level: allTrackingParams.length === 0 ? 'low'
+            : allTrackingParams.length <= 2 ? 'medium' : 'high'
+    };
+}
+
+async function performBlacklightScan(url) {
+    try {
+        const tmpDir = path.join(__dirname, 'bl-tmp');
+        if (!existsSync(tmpDir)) mkdirSync(tmpDir, { recursive: true });
+
+        const options = {
+            inUrl: url,
+            blTests: [
+                'cookies', 'third_party_trackers', 'fb_pixel_events',
+                'canvas_fingerprinters', 'canvas_font_fingerprinters',
+                'key_logging', 'session_recorders', 'google_analytics_events',
+                'twitter_pixel', 'tiktok_pixel'
+            ],
+            numPages: 1,
+            defaultWaitUntil: 'domcontentloaded',
+            captureHar: true,
+            saveScreenshots: false,
+            headless: true,
+            defaultTimeout: 30000,
+            extraChromiumArgs: [
+                '--disable-blink-features=AutomationControlled',
+                '--no-sandbox',
+                '--disable-setuid-sandbox',
+                '--disable-dev-shm-usage',
+                '--disable-gpu',
+                '--single-process',
+                '--ignore-certificate-errors'
+            ]
+        };
+        return await collect(url, options);
+    } catch (e) {
+        console.error('Blacklight scan failed:', e.message);
+        return { hosts: {}, cookies: [], error: e.message };
     }
 }
 
-// --- SSL 安全检查 ---
 async function performSecurityCheck(url) {
     try {
         const https = await import('node:https');
         const { hostname } = new URL(url);
-        
         const cert = await new Promise((resolve, reject) => {
             const req = https.request({ hostname, port: 443, method: 'HEAD', timeout: 5000 }, (res) => {
-                const cert = res.socket.getPeerCertificate();
-                resolve(cert);
+                resolve(res.socket.getPeerCertificate());
             });
             req.on('error', reject);
             req.on('timeout', () => { req.destroy(); reject(new Error('timeout')); });
             req.end();
         });
-        
         const valid = cert && Object.keys(cert).length > 0;
         const issuer = cert.issuer?.O || cert.issuer?.CN || 'Unknown';
         const expires = cert.valid_to ? new Date(cert.valid_to) : null;
         const daysRemaining = expires ? Math.floor((expires - Date.now()) / (1000 * 60 * 60 * 24)) : 0;
-        
         return {
             ssl: {
                 valid,
@@ -315,41 +576,55 @@ async function performSecurityCheck(url) {
                 expires_in_days: daysRemaining,
                 protocol: 'TLS',
                 grade: valid ? (daysRemaining > 30 ? 'A' : 'B') : 'F'
-            },
-            headers: {}
+            }
         };
     } catch (e) {
         return { ssl: { valid: false, error: e.message } };
     }
 }
 
-// --- 隐私评分计算 ---
-function calculatePrivacyScore(blacklight, enrichedTrackers, tosdrGrade, security) {
+// ==================== SCORING ====================
+function calculatePrivacyScore(blacklight, enrichedTrackers, tosdrGrade, security, cookieConsent, fingerprintRisks, redirectChain) {
     let score = 100;
-    
-    const trackerCount = enrichedTrackers.length;
-    score -= Math.min(trackerCount * 4, 30);
-    
-    const hasFingerprinting = !!(blacklight?.canvasFingerprinters?.length) || !!(blacklight?.canvasFontFingerprinters?.length);
-    if (hasFingerprinting) score -= 30;
-    
+
+    // trackers
+    score -= Math.min(enrichedTrackers.length * 4, 30);
+
+    // fingerprinting from blacklight
+    if (blacklight?.canvasFingerprinters?.length) score -= 15;
+    if (blacklight?.canvasFontFingerprinters?.length) score -= 10;
+
+    // fingerprint risks detected live
+    if (fingerprintRisks?.risk_count > 0) score -= Math.min(fingerprintRisks.risk_count * 5, 20);
+
+    // cookies
     const thirdPartyCookies = blacklight?.cookies?.filter(c => c.thirdParty)?.length || 0;
     score -= Math.min(thirdPartyCookies * 5, 20);
-    
+
+    // session & keylogging
     if (blacklight?.sessionRecorders?.length > 0) score -= 10;
-    if (blacklight?.keyLogging?.length > 0) score -= 10;
-    
+    if (blacklight?.keyLogging?.length > 0) score -= 15;
+
+    // SSL
     if (!security?.ssl?.valid) score -= 20;
-    
+
+    // cookie consent dark patterns
+    if (cookieConsent?.dark_pattern_detected) score -= 10;
+    if (cookieConsent?.has_banner && !cookieConsent?.gdpr_compliant) score -= 5;
+
+    // redirect tracking
+    if (redirectChain?.has_tracking) score -= Math.min(redirectChain.tracking_params_found.length * 3, 10);
+
+    // ToS;DR
     if (tosdrGrade) {
         if (tosdrGrade.grade === 'A') score += 5;
         else if (tosdrGrade.grade === 'B') score += 2;
         else if (tosdrGrade.grade === 'D') score -= 5;
         else if (tosdrGrade.grade === 'E') score -= 10;
     }
-    
+
     score = Math.max(0, Math.min(100, Math.round(score)));
-    
+
     let grade;
     if (score >= 95) grade = 'A+';
     else if (score >= 85) grade = 'A';
@@ -357,41 +632,65 @@ function calculatePrivacyScore(blacklight, enrichedTrackers, tosdrGrade, securit
     else if (score >= 65) grade = 'C';
     else if (score >= 55) grade = 'D';
     else grade = 'F';
-    
+
     return { score, grade };
 }
 
-// ==================== API 端点 ====================
+// ==================== API ENDPOINTS ====================
+
 app.get('/api/scan', async (req, res) => {
     const url = normalizeUrl(req.query.url);
     if (!url) return res.status(400).json({ error: 'Invalid URL' });
-    
+
+    // منع التزامن — طلب واحد في كل مرة
+    if (scanMutex.isLocked()) {
+        return res.status(429).json({
+            error: 'Scanner is busy, please try again in a moment.',
+            retry_after: 30
+        });
+    }
+
+    const release = await scanMutex.acquire();
     const startTime = Date.now();
-    
+
     try {
-        // 并行执行所有任务
-        const [screenshot, blacklight, tosdr, security, hiddenStorage] = await Promise.allSettled([
+        // المتصفح الواحد — كل tool في tab منفصل (بالتوازي)
+        const [
+            screenshotResult,
+            hiddenStorageResult,
+            cookieConsentResult,
+            fingerprintResult,
+            // هذه لا تحتاج browser
+            redirectChainResult,
+            blacklightResult,
+            tosdrResult,
+            securityResult
+        ] = await Promise.allSettled([
             takeScreenshot(url),
+            checkHiddenStorage(url),
+            analyzeCookieConsent(url),
+            collectFingerprintRisks(url),
+            trackRedirectChain(url),
             performBlacklightScan(url),
             getTosdrGrade(url),
-            performSecurityCheck(url),
-            checkHiddenStorage(url)
+            performSecurityCheck(url)
         ]);
-        
-        const screenshotData = screenshot.status === 'fulfilled' ? screenshot.value : null;
-        const blacklightData = blacklight.status === 'fulfilled' ? blacklight.value : { hosts: {}, cookies: [] };
-        const tosdrData = tosdr.status === 'fulfilled' ? tosdr.value : null;
-        const securityData = security.status === 'fulfilled' ? security.value : { ssl: { valid: false } };
-        const hiddenData = hiddenStorage.status === 'fulfilled' ? hiddenStorage.value : null;
-        
-        // 提取第三方域名
+
+        const screenshotData = screenshotResult.status === 'fulfilled' ? screenshotResult.value : null;
+        const blacklightData = blacklightResult.status === 'fulfilled' ? blacklightResult.value : { hosts: {}, cookies: [] };
+        const tosdrData = tosdrResult.status === 'fulfilled' ? tosdrResult.value : null;
+        const securityData = securityResult.status === 'fulfilled' ? securityResult.value : { ssl: { valid: false } };
+        const hiddenData = hiddenStorageResult.status === 'fulfilled' ? hiddenStorageResult.value : null;
+        const cookieConsentData = cookieConsentResult.status === 'fulfilled' ? cookieConsentResult.value : null;
+        const fingerprintData = fingerprintResult.status === 'fulfilled' ? fingerprintResult.value : null;
+        const redirectData = redirectChainResult.status === 'fulfilled' ? redirectChainResult.value : null;
+
+        // ==================== TRACKERS ====================
         const thirdPartyDomains = [
             ...(blacklightData.hosts?.thirdParty || []),
             ...(blacklightData.hosts?.requests?.third_party || [])
         ];
         const uniqueDomains = [...new Set(thirdPartyDomains)];
-        
-        // 丰富追踪器数据
         const enrichedTrackers = [];
         for (const domain of uniqueDomains) {
             try {
@@ -404,19 +703,14 @@ app.get('/api/scan', async (req, res) => {
                     prevalence: ddgInfo?.prevalence || 0
                 });
             } catch (e) {
-                enrichedTrackers.push({
-                    domain,
-                    owner: getBaseDomain(domain),
-                    category: 'unknown',
-                    prevalence: 0
-                });
+                enrichedTrackers.push({ domain, owner: getBaseDomain(domain), category: 'unknown', prevalence: 0 });
             }
         }
-        
-        // --- Geo Mapping ---
+
+        // ==================== GEO MAPPING ====================
         const uniqueIps = [...new Set(
-            blacklightData.hosts?.requests?.third_party
-                ?.map(req => req.ip_addr).filter(ip => ip) || []
+            (blacklightData.hosts?.requests?.third_party || [])
+                .map(r => r.ip_addr).filter(Boolean)
         )];
         const geoDestinations = [];
         for (const ip of uniqueIps) {
@@ -426,7 +720,7 @@ app.get('/api/scan', async (req, res) => {
                     const mmGeo = geoReader.get(ip);
                     if (mmGeo) {
                         geoData = {
-                            ip: ip,
+                            ip,
                             country: mmGeo.country?.names?.en || 'Unknown',
                             city: mmGeo.city?.names?.en || 'Unknown',
                             latitude: mmGeo.location?.latitude,
@@ -438,30 +732,29 @@ app.get('/api/scan', async (req, res) => {
                     const geoLite = geoip.lookup(ip);
                     if (geoLite) {
                         geoData = {
-                            ip: ip,
+                            ip,
                             country: geoLite.country,
                             city: geoLite.city,
-                            latitude: geoLite.ll ? geoLite.ll[0] : null,
-                            longitude: geoLite.ll ? geoLite.ll[1] : null
+                            latitude: geoLite.ll?.[0] || null,
+                            longitude: geoLite.ll?.[1] || null
                         };
                     }
                 }
                 if (geoData) geoDestinations.push(geoData);
             } catch (e) {}
         }
-        
-        // --- Leakage Detection ---
+
+        // ==================== LEAKAGE ====================
         const leakageAlerts = [];
-        const thirdPartyRequests = blacklightData.hosts?.requests?.third_party || [];
-        for (const req of thirdPartyRequests) {
-            if ((req.method === 'POST' || req.method === 'PUT') && req.body) {
+        for (const r of (blacklightData.hosts?.requests?.third_party || [])) {
+            if ((r.method === 'POST' || r.method === 'PUT') && r.body) {
                 try {
-                    const detected = piiFilter.detect(req.body);
-                    if (detected && detected.length > 0) {
+                    const detected = piiFilter.detect(r.body);
+                    if (detected?.length > 0) {
                         leakageAlerts.push({
                             severity: 'high',
-                            destination: req.url,
-                            method: req.method,
+                            destination: r.url,
+                            method: r.method,
                             types: detected.map(p => p.type),
                             message: 'Potential PII detected in request to third-party domain.'
                         });
@@ -469,24 +762,33 @@ app.get('/api/scan', async (req, res) => {
                 } catch (e) {}
             }
         }
-        
-        const { score, grade } = calculatePrivacyScore(blacklightData, enrichedTrackers, tosdrData, securityData);
-        
-        // 最终输出
+
+        // ==================== SCORE ====================
+        const { score, grade } = calculatePrivacyScore(
+            blacklightData, enrichedTrackers, tosdrData,
+            securityData, cookieConsentData, fingerprintData, redirectData
+        );
+
+        // ==================== RESPONSE ====================
         const result = {
             success: true,
             url,
             final_url: blacklightData.uri_dest || url,
             scan_time_sec: (Date.now() - startTime) / 1000,
             privacy_score: { score, grade },
-            trackers: { count: enrichedTrackers.length, list: enrichedTrackers.slice(0, 20) },
+
+            trackers: {
+                count: enrichedTrackers.length,
+                list: enrichedTrackers.slice(0, 20)
+            },
             cookies: {
                 total: blacklightData.cookies?.length || 0,
                 third_party: blacklightData.cookies?.filter(c => c.thirdParty)?.length || 0
             },
             fingerprinting: {
                 canvas: !!(blacklightData.canvasFingerprinters?.length),
-                fonts: !!(blacklightData.canvasFontFingerprinters?.length)
+                fonts: !!(blacklightData.canvasFontFingerprinters?.length),
+                live_risks: fingerprintData
             },
             session_recording: !!(blacklightData.sessionRecorders?.length),
             key_logging: !!(blacklightData.keyLogging?.length),
@@ -495,37 +797,49 @@ app.get('/api/scan', async (req, res) => {
                 sessionStorage: hiddenData.sessionStorage?.length || 0,
                 indexedDB: hiddenData.indexedDB
             } : null,
+            cookie_consent: cookieConsentData,
+            redirect_chain: redirectData,
             security: securityData,
             tosdr: tosdrData,
-            geo_mapping: {
-                data_destinations: geoDestinations
-            },
-            leakage_detection: {
-                alerts: leakageAlerts
-            },
+            geo_mapping: { data_destinations: geoDestinations },
+            leakage_detection: { alerts: leakageAlerts },
             screenshot: screenshotData,
             raw: blacklightData
         };
-        
+
         res.json(result);
-        
+
     } catch (e) {
         console.error('Scan error:', e);
         res.status(500).json({ success: false, error: e.message });
+    } finally {
+        release();
     }
 });
 
 app.get('/health', (req, res) => res.json({ status: 'ok' }));
 app.use(express.static('public'));
 
-// --- 启动服务器 ---
+// ==================== STARTUP ====================
 (async () => {
+    // تأكد أن المجلدات موجودة
+    const dirs = [
+        path.join(__dirname, 'data'),
+        path.join(__dirname, 'bl-tmp'),
+        path.join(__dirname, 'public')
+    ];
+    for (const dir of dirs) {
+        if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+    }
+
     await initGhosteryDB();
     loadDDGTrackerRadar();
     await initGeoDatabase();
+
     if (Object.keys(ddgTrackerRadar.domains).length === 0) {
         await downloadDDGTrackerRadar();
     }
+
     app.listen(PORT, '0.0.0.0', () => {
         console.log(`🚀 Private Eye with Geo & Leak Detection running on ${PORT}`);
     });