feat: initial implementation of abuse reporting wizard

Go web app automating infrastructure discovery and abuse report
lifecycle for endharassment.net. Server-rendered HTML with htmx,
SQLite storage, SendGrid email delivery.

Core workflow: URL submission → DNS/ASN/RDAP/BGP discovery →
Cloudflare detection → evidence upload → X-ARF report generation →
admin approval queue → SendGrid delivery → escalation to upstreams.

Includes security review with rate limiting, HMAC-signed CSRF,
content safety validation, and CSAM/legal risk analysis.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: lizthegrey

.gitignore

@@ -0,0 +1,26 @@
+# Binary
+/wizard
+/reporting-wizard
+
+# Evidence storage
+evidence/*
+!evidence/.gitkeep
+
+# Database
+*.db
+*.db-wal
+*.db-shm
+
+# Environment
+.env
+.env.*
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*~
+
+# OS
+.DS_Store
+Thumbs.db

SECURITY_REVIEW.md

@@ -0,0 +1,99 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"io/fs"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	wizard "github.com/endharassment/reporting-wizard"
+	"github.com/endharassment/reporting-wizard/internal/server"
+	"github.com/endharassment/reporting-wizard/internal/store"
+)
+
+func main() {
+	listenAddr := flag.String("listen", envOr("WIZARD_LISTEN", ":8080"), "HTTP listen address")
+	dbPath := flag.String("db", envOr("WIZARD_DB_PATH", "./wizard.db"), "SQLite database path")
+	evidenceDir := flag.String("evidence-dir", envOr("WIZARD_EVIDENCE_DIR", "./evidence"), "Evidence storage directory")
+	flag.Parse()
+
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	db, err := store.NewSQLiteStore(ctx, *dbPath)
+	if err != nil {
+		log.Fatalf("Failed to open database: %v", err)
+	}
+	defer db.Close()
+
+	// Ensure evidence directory exists.
+	if err := os.MkdirAll(*evidenceDir, 0o750); err != nil {
+		log.Fatalf("Failed to create evidence directory: %v", err)
+	}
+
+	tmplFS, err := fs.Sub(wizard.TemplatesFS, "templates")
+	if err != nil {
+		log.Fatalf("Failed to create templates sub-FS: %v", err)
+	}
+	stFS, err := fs.Sub(wizard.StaticFS, "static")
+	if err != nil {
+		log.Fatalf("Failed to create static sub-FS: %v", err)
+	}
+
+	cfg := server.Config{
+		ListenAddr:     *listenAddr,
+		DBPath:         *dbPath,
+		EvidenceDir:    *evidenceDir,
+		SendGridKey:    os.Getenv("WIZARD_SENDGRID_KEY"),
+		FromEmail:      envOr("WIZARD_FROM_EMAIL", "reports@endharassment.net"),
+		FromName:       envOr("WIZARD_FROM_NAME", "End Harassment"),
+		BaseURL:        envOr("WIZARD_BASE_URL", "http://localhost:8080"),
+		GoogleClientID: os.Getenv("WIZARD_GOOGLE_CLIENT_ID"),
+		GoogleSecret:   os.Getenv("WIZARD_GOOGLE_SECRET"),
+		GitHubClientID: os.Getenv("WIZARD_GITHUB_CLIENT_ID"),
+		GitHubSecret:   os.Getenv("WIZARD_GITHUB_SECRET"),
+		EscalationDays: 14,
+		SessionSecret:  envOr("WIZARD_SESSION_SECRET", "change-me-in-production"),
+	}
+
+	srv, err := server.NewServer(cfg, db, tmplFS, stFS)
+	if err != nil {
+		log.Fatalf("Failed to create server: %v", err)
+	}
+	defer srv.Stop()
+
+	log.Println("Escalation engine started (placeholder)")
+
+	httpSrv := &http.Server{
+		Addr:    *listenAddr,
+		Handler: srv.Handler(),
+	}
+
+	go func() {
+		log.Printf("Listening on %s", *listenAddr)
+		if err := httpSrv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			log.Fatalf("HTTP server error: %v", err)
+		}
+	}()
+
+	<-ctx.Done()
+	log.Println("Shutting down...")
+
+	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer shutdownCancel()
+	if err := httpSrv.Shutdown(shutdownCtx); err != nil {
+		log.Fatalf("Shutdown error: %v", err)
+	}
+}
+
+func envOr(key, fallback string) string {
+	if v := os.Getenv(key); v != "" {
+		return v
+	}
+	return fallback
+}

cmd/wizard/main.go

@@ -0,0 +1,13 @@
+package wizard
+
+import "embed"
+
+// TemplatesFS embeds the HTML templates directory.
+//
+//go:embed templates
+var TemplatesFS embed.FS
+
+// StaticFS embeds the static assets directory.
+//
+//go:embed static
+var StaticFS embed.FS

embed.go

@@ -0,0 +1,32 @@
+module github.com/endharassment/reporting-wizard
+
+go 1.25.6
+
+require (
+	github.com/ammario/ipisp/v2 v2.0.1
+	github.com/go-chi/chi/v5 v5.2.5
+	github.com/google/uuid v1.6.0
+	github.com/openrdap/rdap v0.9.1
+	github.com/sendgrid/sendgrid-go v3.16.1+incompatible
+	golang.org/x/oauth2 v0.34.0
+	golang.org/x/sync v0.19.0
+	modernc.org/sqlite v1.44.3
+)
+
+require (
+	github.com/alecthomas/kingpin/v2 v2.3.2 // indirect
+	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/sendgrid/rest v2.6.9+incompatible // indirect
+	github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
+	golang.org/x/crypto v0.9.0 // indirect
+	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	modernc.org/libc v1.67.6 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
+)