SpecterOps · Mayyhem · Apr 22, 2026 · Jan 23, 2026 · Jan 31, 2026 · Jan 31, 2026
diff --git a/.claude/plans/integration_test_ci.md b/.claude/plans/integration_test_ci.md
@@ -0,0 +1,205 @@
+# GitHub Actions CI: Integration Tests with Samba AD DC + SQL Server
+
+## Context
+
+MSSQLHound needs CI that validates all expected edges are created against a real AD environment. The integration test framework already handles AD object creation via LDAP, SQL setup/teardown, collector execution, and edge validation — we just need to provide the infrastructure.
+
+**Architecture**: SQL Server installed on the runner host (via apt) + Samba AD DC in a Docker container. SQL Server is configured for AD auth via a keytab from `samba-tool`. The integration test framework (`TestIntegrationAll`) handles everything else.
+
+## Network and domain config
+
+| Setting | Value |
+|---------|-------|
+| Subnet | `10.2.0.0/20` |
+| DC IP | `10.2.10.100` |
+| SQL Server | On the runner host (localhost) |
+| Domain FQDN | `MAYYHEM.COM` |
+| NetBIOS | `MAYYHEM` |
+| Admin account | `MAYYHEM\domainadmin` (sysadmin on SQL) |
+| Password (all) | `password` |
+| SQL auth mode | Mixed mode (Windows + SQL) |
+
+## Files to create
+
+- `.github/workflows/ci.yml` (new)
+
+## Plan
+
+### 1. Create `.github/workflows/ci.yml` with two jobs
+
+**Job 1: `unit-tests`** — Fast validation of all edge creation logic
+- `ubuntu-latest`, checkout, setup Go, `go test -v -count=1 ./...`
+
+**Job 2: `integration-tests`** — Full pipeline against real AD + SQL Server on `ubuntu-22.04`
+
+#### Step 1: Checkout + Setup Go
+
+#### Step 2: Start Samba AD DC
+```bash
+docker network create --subnet=10.2.0.0/20 adnet
+
+docker run -d --privileged \
+  --name dc --hostname DC \
+  --network adnet --ip 10.2.10.100 \
+  -e REALM='MAYYHEM.COM' \
+  -e DOMAIN='MAYYHEM' \
+  -e ADMIN_PASS='password' \
+  -e DNS_FORWARDER='8.8.8.8' \
+  -p 389:389/tcp -p 389:389/udp \
+  -p 636:636/tcp \
+  -p 88:88/tcp -p 88:88/udp \
+  -p 464:464/tcp -p 464:464/udp \
+  diegogslomp/samba-ad-dc
+```
+
+#### Step 3: Wait for Samba DC readiness
+Poll `samba-tool domain info` up to 60 attempts / 2s.
+
+#### Step 4: Create domainadmin user + SQL Server service account + keytab
+```bash
+# Create domainadmin user
+docker exec dc samba-tool user create domainadmin 'password' --use-username-as-cn
+docker exec dc samba-tool group addmembers "Domain Admins" domainadmin
+
+# Create SQL Server service account
+docker exec dc samba-tool user create sqlsvc 'password' --use-username-as-cn
+HOSTNAME=$(hostname)
+docker exec dc samba-tool spn add MSSQLSvc/${HOSTNAME}.mayyhem.com sqlsvc
+docker exec dc samba-tool spn add MSSQLSvc/${HOSTNAME}.mayyhem.com:1433 sqlsvc
+
+# Export keytab
+docker exec dc samba-tool domain exportkeytab /tmp/mssql.keytab --principal=sqlsvc
+docker exec dc samba-tool domain exportkeytab /tmp/mssql.keytab \
+  --principal=MSSQLSvc/${HOSTNAME}.mayyhem.com
+docker exec dc samba-tool domain exportkeytab /tmp/mssql.keytab \
+  --principal=MSSQLSvc/${HOSTNAME}.mayyhem.com:1433
+docker cp dc:/tmp/mssql.keytab /tmp/mssql.keytab
+```
+
+#### Step 5: Configure host DNS + Kerberos
+```bash
+# DNS
+echo "10.2.10.100 dc.mayyhem.com dc mayyhem.com" | sudo tee -a /etc/hosts
+sudo sed -i '1i nameserver 10.2.10.100' /etc/resolv.conf
+
+# Kerberos
+sudo DEBIAN_FRONTEND=noninteractive apt-get install -y krb5-user
+cat <<'EOF' | sudo tee /etc/krb5.conf
+[libdefaults]
+    default_realm = MAYYHEM.COM
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+
+[realms]
+    MAYYHEM.COM = {
+        kdc = 10.2.10.100
+        admin_server = 10.2.10.100
+        default_domain = mayyhem.com
+    }
+
+[domain_realm]
+    .mayyhem.com = MAYYHEM.COM
+    mayyhem.com = MAYYHEM.COM
+EOF
+```
+
+#### Step 6: Install SQL Server 2022
+```bash
+curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | \
+  sudo gpg --dearmor -o /usr/share/keyrings/microsoft-prod.gpg
+curl -fsSL https://packages.microsoft.com/config/ubuntu/22.04/mssql-server-2022.list | \
+  sudo tee /etc/apt/sources.list.d/mssql-server-2022.list
+sudo apt-get update
+sudo apt-get install -y mssql-server
+sudo MSSQL_SA_PASSWORD='password' MSSQL_PID='Developer' \
+  /opt/mssql/bin/mssql-conf setup accept-eula
+```
+
+#### Step 7: Enable mixed mode auth
+```bash
+sudo /opt/mssql/bin/mssql-conf set sqlagent.enabled true
+sudo /opt/mssql/bin/mssql-conf set network.kerberoskeytabfile /var/opt/mssql/secrets/mssql.keytab
+sudo /opt/mssql/bin/mssql-conf set network.privilegedadaccount sqlsvc
+
+# Enable mixed mode (SQL + Windows auth)
+# SQL Server Linux uses the MSSQL_SA_PASSWORD being set during setup to enable mixed mode.
+# To explicitly toggle it post-setup if needed:
+sudo /opt/mssql/bin/mssql-conf set sqlagent.enabled true
+```
+
+Note: SQL Server on Linux enables mixed mode auth when SA password is set during setup. The `MSSQL_SA_PASSWORD` in step 6 handles this.
+
+#### Step 8: Configure SQL Server keytab + restart
+```bash
+sudo mkdir -p /var/opt/mssql/secrets
+sudo cp /tmp/mssql.keytab /var/opt/mssql/secrets/mssql.keytab
+sudo chown mssql:mssql /var/opt/mssql/secrets/mssql.keytab
+sudo chmod 400 /var/opt/mssql/secrets/mssql.keytab
+sudo systemctl restart mssql-server
+sleep 5
+```
+
+#### Step 9: Create domainadmin as SQL sysadmin
+```bash
+# Install sqlcmd
+curl -fsSL https://packages.microsoft.com/config/ubuntu/22.04/prod.list | \
+  sudo tee /etc/apt/sources.list.d/mssql-release.list
+sudo apt-get update
+sudo ACCEPT_EULA=Y apt-get install -y mssql-tools18
+
+export PATH="$PATH:/opt/mssql-tools18/bin"
+sqlcmd -S localhost -U sa -P 'password' -C -Q "
+  CREATE LOGIN [MAYYHEM\domainadmin] FROM WINDOWS;
+  ALTER SERVER ROLE [sysadmin] ADD MEMBER [MAYYHEM\domainadmin];
+"
+```
+
+#### Step 10: Verify AD auth
+```bash
+echo 'password' | kinit Administrator@MAYYHEM.COM
+klist
+```
+
+#### Step 11: Run integration tests
+```bash
+MSSQL_SERVER=localhost \
+MSSQL_USER=sa \
+MSSQL_PASSWORD='password' \
+MSSQL_DOMAIN=mayyhem.com \
+MSSQL_DC=10.2.10.100 \
+LDAP_USER='Administrator@mayyhem.com' \
+LDAP_PASSWORD='password' \
+MSSQL_SKIP_DOMAIN=false \
+MSSQL_ACTION=all \
+MSSQL_SKIP_HTML=true \
+go test -v -count=1 -tags integration -timeout 30m \
+  -run TestIntegrationAll ./internal/collector/...
+```
+
+Since `MSSQL_DOMAIN=mayyhem.com` → `substituteDomain()` extracts `MAYYHEM` as NetBIOS, which matches the hardcoded `MAYYHEM\` references in the SQL scripts. No substitution gap.
+
+## Critical files
+
+| File | Role |
+|------|------|
+| [integration_setup_test.go](internal/collector/integration_setup_test.go) | Config loading, LDAP object creation, SQL setup orchestration |
+| [integration_sql_test.go](internal/collector/integration_sql_test.go) | Embedded SQL scripts with `FROM WINDOWS` + `$Domain` references |
+| [edge_integration_test.go](internal/collector/edge_integration_test.go) | `TestIntegrationAll` entry point, edge validation |
+| [edge_test_data_test.go](internal/collector/edge_test_data_test.go) | 200+ edge test case definitions |
+
+## Risks and mitigations
+
+| Risk | Mitigation |
+|------|------------|
+| Port 53 conflict on runner | Don't publish port 53; use `/etc/hosts` + `/etc/resolv.conf` |
+| SQL Server 2022 not on Ubuntu 24.04 | Pin `ubuntu-22.04` |
+| Samba DC slow to start | 120s timeout with polling |
+| `FROM WINDOWS` fails if DNS broken | Verify `kinit` works before running tests |
+| `diegogslomp/samba-ad-dc` unavailable | Fall back to `craftdock/samba-ad-dc` |
+| Mixed mode not enabled | SA password set during setup enables it automatically |
+
+## Verification
+
+1. Unit tests locally: `go test -v ./...`
+2. Push to branch and verify both jobs pass
+3. Integration test output includes edge coverage report from `TestIntegrationAll`
diff --git a/.claude/plans/logging.md b/.claude/plans/logging.md
@@ -0,0 +1,151 @@
+# Logging Overhaul Plan
+
+## Context
+MSSQLHound currently uses raw `fmt.Printf`/`fmt.Println` for all logging (~149 calls across 10 files). Messages have no timestamps, no log levels, and inconsistent formatting. The goal is to add UTC timestamps and log levels to every message using Go's stdlib `log/slog` (available since Go 1.21, project uses Go 1.24).
+
+## Approach: Use `log/slog` from stdlib
+
+No new packages or dependencies. Create a `*slog.Logger` in `main()`, propagate via struct fields.
+
+### Output format
+```
+INFO    2026-03-30T14:22:01Z Processing 5 SQL Server(s)...
+INFO    2026-03-30T14:22:01Z [corp.local] Enumerating MSSQL SPNs from Active Directory...
+VERBOSE 2026-03-30T14:22:01Z [corp.local] Found SPNs count=12 host=sql01.corp.local
+WARNING 2026-03-30T14:22:02Z [sql01.corp.local] SPN enumeration failed error="connection refused"
+DEBUG   2026-03-30T14:22:02Z [sql01.corp.local] EPA TLS handshake complete cipher=0x1301
+```
+
+- Custom `slog.Handler` implementation in a new file `internal/logging/handler.go`
+- Format: `LEVEL TIMESTAMP [target] message attrs...`
+- Level name is left-aligned, right-padded to 7 chars (longest: `WARNING` and `VERBOSE`)
+- Output goes to **stderr** (standard for logs; keeps stdout clean for data output like tables)
+- Timestamps in UTC RFC3339 format
+- **Target context**: when processing a specific server or domain, a `[target]` tag appears after the timestamp. Implemented via `logger.With("target", serverName)` to create sub-loggers. The custom handler renders the `target` attr specially in brackets, separate from other attrs.
+- Messages without a target (startup, global config) omit the bracket section
+
+### Colors (ANSI escape codes)
+- Auto-detect TTY on stderr (`os.Stderr.Fd()` + `isatty` check or `golang.org/x/term.IsTerminal`). Disable colors when piped.
+- **Level colors**:
+  - `ERROR` — red (ANSI 31)
+  - `WARNING` — yellow (ANSI 33)
+  - `INFO` — white/default (no color)
+  - `VERBOSE` — dim/gray (ANSI 90)
+  - `DEBUG` — magenta (ANSI 35)
+- **Timestamp** — light blue (ANSI 94)
+- **Target** `[brackets]` — deterministic color per unique target string. Hash the target name to pick from a palette of primary/secondary ANSI colors (red 31, green 32, yellow 33, blue 34, magenta 35, cyan 36). Same target always gets the same color. Use a simple hash (e.g., `fnv32(target) % len(palette)`).
+- **Message text** — default/no color
+- **Attrs** (`key=value`) — dim (ANSI 2) for the key, default for value
+
+### Custom slog levels
+| Name | slog.Level value | Meaning |
+|---|---|---|
+| `ERROR` | `slog.LevelError` (8) | Error conditions |
+| `WARNING` | `slog.LevelWarn` (4) | Warnings |
+| `INFO` | `slog.LevelInfo` (0) | Normal status/progress |
+| `VERBOSE` | `slog.Level(-2)` | Detailed progress (was `logVerbose`) |
+| `DEBUG` | `slog.LevelDebug` (-4) | EPA/TLS/NTLM diagnostics (was `logDebug`/`logf`) |
+
+### Level mapping from current code
+| Current pattern | New level |
+|---|---|
+| `fmt.Printf(...)` (status/progress) | `INFO` |
+| `fmt.Printf("Warning: ...")` | `WARNING` |
+| `fmt.Printf("ERROR: ...")` | `ERROR` |
+| `logVerbose(...)` | `VERBOSE` |
+| `logDebug(...)` / `logf(...)` (EPA diagnostics) | `DEBUG` |
+
+### Flag behavior
+- No flags: minimum level = INFO
+- `--verbose`: minimum level = VERBOSE (shows VERBOSE + INFO + WARNING + ERROR)
+- `--debug`: minimum level = DEBUG (shows everything)
+- `--debug` additionally sets `debug=true` on subsystems (controls EPA test behavior beyond just logging)
+
+## Implementation Phases
+
+### Phase 0: Custom handler (`internal/logging/`)
+
+**New file: [internal/logging/handler.go](go/internal/logging/handler.go)**
+- Implement `slog.Handler` that formats: `LEVEL   TIMESTAMP [target] message attrs...`
+- Define custom level constants: `LevelVerbose = slog.Level(-2)`
+- Level name mapping: `-2` → `VERBOSE`, `slog.LevelWarn` → `WARNING`
+- Left-align level name, right-pad to 7 chars
+- Special handling for `target` attr: rendered as `[value]` before the message, not as `key=value`
+- Other attrs appended as `key=value` after the message
+- Thread-safe writer (mutex around writes)
+- `WithAttrs` / `WithGroup` support for creating sub-loggers (e.g., `logger.With("target", server)`)
+- ANSI color support: detect TTY via `golang.org/x/term.IsTerminal(int(os.Stderr.Fd()))`
+- Color each element per the palette defined above (level, timestamp, target, attrs)
+- Target color: `fnv32a(targetString) % 6` maps to one of [blue 34, cyan 36, bright green 92, bright blue 94, bright cyan 96, bright white 97]. These avoid red (ERROR), yellow (WARNING), magenta (DEBUG), and gray (VERBOSE).
+- Accept a `NoColor bool` option to force colors off (for tests or `--no-color` flag)
+
+### Phase 1: Logger setup in main (`cmd/mssqlhound/`)
+
+**[main.go](go/cmd/mssqlhound/main.go)**
+- Create `slog.LevelVar` and `*slog.Logger` with custom `logging.NewHandler(os.Stderr, ...)` in `main()`
+- Add `PersistentPreRunE` to set level from `--verbose`/`--debug` flags
+- Pass logger to `run()` and subcommands
+- Convert 11 `fmt.Printf`/`fmt.Println` calls to `logger.Info`/`logger.Warn`
+- Keep `fmt.Fprintf(os.Stderr, ...)` for cobra error at line 105 (logger may not exist)
+
+**[cmd_test_epa_matrix.go](go/cmd/mssqlhound/cmd_test_epa_matrix.go)**
+- Accept logger parameter from main
+- Convert 8 `fmt.Printf` calls
+
+### Phase 2: Collector (`internal/collector/`)
+
+**[collector.go](go/internal/collector/collector.go)**
+- Add `Logger *slog.Logger` field to `Config` struct
+- Convert 75 `fmt.Printf`/`fmt.Println` calls to appropriate slog levels
+- Convert 49 `c.logVerbose(...)` calls to `c.config.Logger.Log(ctx, logging.LevelVerbose, ...)`
+- Remove `logVerbose` method (line 6128)
+- When processing a server, create a sub-logger: `serverLog := c.config.Logger.With("target", server.ConnectionString)` and use it for all per-server messages
+- For domain-level operations: `domainLog := c.config.Logger.With("target", domain)`
+- Pass logger to `mssql.Client` and `wmi` calls
+
+### Phase 3: MSSQL client (`internal/mssql/`)
+
+**[client.go](go/internal/mssql/client.go)** — 15 fmt calls + 7 logf calls
+- Add `logger *slog.Logger` field, `SetLogger` method
+- Default to `slog.Default()` in `NewClient`
+- Replace `logVerbose`/`logDebug` methods with `c.logger.Debug()`
+- Change `epaTLSDialer.logf` and `epaTDSDialer.logf` fields from `func(string, ...interface{})` to `*slog.Logger`
+- Update dialer `d.logf(...)` calls to `d.logger.Debug(...)`
+
+**[epa_tester.go](go/internal/mssql/epa_tester.go)** — 69 logf calls + 2 fmt calls
+- Add `Logger *slog.Logger` to `EPATestConfig`
+- Remove the `logf` closure (line 91-95)
+- Convert all 69 `logf(...)` calls to `config.Logger.Debug(...)` with `"component", "epa"` attr
+- Convert 2 direct `fmt.Printf` calls
+
+**[epa_auth_provider.go](go/internal/mssql/epa_auth_provider.go)** — 2 fmt calls
+- Add `logger *slog.Logger` field
+- Convert 2 `fmt.Printf("[EPA-auth] ...")` calls
+
+**[powershell_fallback.go](go/internal/mssql/powershell_fallback.go)** — 1 fmt call
+- Add `logger *slog.Logger` field, `SetLogger` method
+- Remove `logVerbose` method, convert call to `p.logger.Debug()`
+
+### Phase 4: Supporting packages
+
+**[epamatrix/epamatrix.go](go/internal/epamatrix/epamatrix.go)** — 24 fmt calls
+- Add `Logger *slog.Logger` to `MatrixConfig`
+- Convert all 24 calls
+
+**[wmi/wmi_windows.go](go/internal/wmi/wmi_windows.go)** — 7 fmt calls
+- Change `GetLocalGroupMembers` and `GetLocalGroupMembersWithFallback` signatures: replace `verbose bool` with `logger *slog.Logger`
+- Update [wmi/wmi_stub.go](go/internal/wmi/wmi_stub.go) signatures to match
+- Update caller in [collector.go:1854](go/internal/collector/collector.go#L1854)
+
+### NOT changed
+- **[epamatrix/table.go](go/internal/epamatrix/table.go)** — `PrintResultsTable`/`Summarize` write formatted table data to `io.Writer`. This is data output, not logging.
+- All `fmt.Errorf(...)` calls (error construction, not logging)
+- All `fmt.Sprintf(...)` calls (string building)
+
+## Verification
+1. `go build ./...` compiles cleanly
+2. `go vet ./...` passes
+3. Run with no flags — only INFO+ messages appear, each with UTC timestamp and level
+4. Run with `--verbose` — DEBUG messages appear
+5. Run with `--debug` — EPA diagnostic messages appear with `component=epa` attribute
+6. Table output (EPA matrix) still renders correctly to stdout without log formatting