fix(sources): replace clearbit_enrich and tines_breach with seon_email and flare_leaksdb

build_sources.py

@@ -913,14 +913,17 @@ AUTHENTICATED_PREMIUM_SOURCES += [
           tags=["passive", "stealth"],
           health_check_url="https://api.breachaware.com", reliability_score=3, is_volatile=True),
 
-    _auth("tines_breach", "breaches",
+    _auth("flare_leaksdb", "breaches",
-          "https://api.tines.com/breaches/{target}", "GET",
+          "https://api.flare.io/leaksdb/v2/credentials/email/{target}", "GET",
-          {"breaches": "$.breaches"},
+          {"items": "$.items"},
-          headers={"Authorization": "Bearer {TINES_API_KEY}"},
+          headers={"Authorization": "Bearer {FLARE_API_KEY}"},
-          api_key_slots=["{TINES_API_KEY}"],
+          api_key_slots=["{FLARE_API_KEY}"],
-          input_type="email", output_type=["email"],
+          input_type="email", output_type=["email", "username"],
-          tags=["passive"],
+          normalization_map={"email": "email_address", "username": "username",
-          health_check_url="https://api.tines.com", reliability_score=3),
+                             "password": "plaintext_password", "hash": "password_hash",
+                             "source": "breach_name"},
+          tags=["passive", "stealth"],
+          health_check_url="https://api.flare.io", reliability_score=4),
 
     _base("leak_lookup", "breaches",
           "https://leak-lookup.com/api/search", "POST",
@@ -1042,15 +1045,17 @@ AUTHENTICATED_PREMIUM_SOURCES += [
 
     # ── Enrichment ────────────────────────────────────────────────────────────
 
-    _auth("clearbit_enrich", "enrichment",
+    _auth("seon_email", "enrichment",
-          "https://person.clearbit.com/v2/people/find?email={target}", "GET",
+          "https://api.seon.io/SeonRestService/email-api/v3", "POST",
-          {"full_name": "$.name.fullName"},
+          {"data": "$.data"},
-          headers={"Authorization": "Bearer {CLEARBIT_API_KEY}"},
+          headers={"X-API-KEY": "{SEON_API_KEY}", "Content-Type": "application/json"},
-          api_key_slots=["{CLEARBIT_API_KEY}"],
+          api_key_slots=["{SEON_API_KEY}"],
-          input_type="email", output_type=["username", "domain"],
+          input_type="email", output_type=["email", "domain", "username"],
-          normalization_map={"fullName": "full_name"},
+          payload_template={"email": "{target}"},
+          normalization_map={"email": "email_address", "domain": "domain",
+                             "full_name": "full_name", "phone_number": "phone"},
           tags=["passive"],
-          health_check_url="https://person.clearbit.com", reliability_score=4),
+          health_check_url="https://api.seon.io", reliability_score=4),
 
     _auth("fullcontact", "enrichment",
           "https://api.fullcontact.com/v3/person.enrich", "POST",

sources/clearbit_enrich.json

@@ -1,33 +0,0 @@
-{
-    "name": "clearbit_enrich",
-    "category": "enrichment",
-    "endpoint": "https://person.clearbit.com/v2/people/find?email={target}",
-    "method": "GET",
-    "requires_auth": true,
-    "selectors": {
-        "full_name": "$.name.fullName"
-    },
-    "rate_limit": 1.0,
-    "headers": {
-        "Authorization": "Bearer {CLEARBIT_API_KEY}"
-    },
-    "api_key_slots": [
-        "{CLEARBIT_API_KEY}"
-    ],
-    "input_type": "email",
-    "output_type": [
-        "username",
-        "domain"
-    ],
-    "normalization_map": {
-        "fullName": "full_name"
-    },
-    "tags": [
-        "passive"
-    ],
-    "health_check_url": "https://person.clearbit.com",
-    "expected_status": 200,
-    "reliability_score": 4,
-    "backup_endpoints": [],
-    "confidence": 0.85
-}

sources/flare_leaksdb.json

@@ -0,0 +1,38 @@
+{
+    "name": "flare_leaksdb",
+    "category": "breaches",
+    "endpoint": "https://api.flare.io/leaksdb/v2/credentials/email/{target}",
+    "method": "GET",
+    "requires_auth": true,
+    "selectors": {
+        "items": "$.items"
+    },
+    "rate_limit": 1.0,
+    "headers": {
+        "Authorization": "Bearer {FLARE_API_KEY}"
+    },
+    "api_key_slots": [
+        "{FLARE_API_KEY}"
+    ],
+    "input_type": "email",
+    "output_type": [
+        "email",
+        "username"
+    ],
+    "normalization_map": {
+        "email": "email_address",
+        "username": "username",
+        "password": "plaintext_password",
+        "hash": "password_hash",
+        "source": "breach_name"
+    },
+    "tags": [
+        "passive",
+        "stealth"
+    ],
+    "health_check_url": "https://api.flare.io",
+    "expected_status": 200,
+    "reliability_score": 4,
+    "backup_endpoints": [],
+    "confidence": 0.85
+}

sources/helpers/config_handler.py

@@ -79,7 +79,7 @@ SERVICE_REGISTRY: Dict[str, Dict] = {
     "CENSYS_AUTH_BASE64":       {"display": "Censys",                    "public": False},
     "CIRCL_AUTH_BASE64":        {"display": "CIRCL.lu PDNS",             "public": False},
     "CIT0DAY_API_KEY":          {"display": "Cit0day",                   "public": False},
-    "CLEARBIT_API_KEY":         {"display": "Clearbit Enrich",           "public": False},
+    "SEON_API_KEY":             {"display": "SEON Email Intelligence",   "public": False},
     "CRIMINALIP_API_KEY":       {"display": "CriminalIP",                "public": False},
     "DEHASHED_AUTH_BASE64":     {"display": "Dehashed",                  "public": False},
     "DNSDB_API_KEY":            {"display": "DNSDB Passive DNS",         "public": False},
@@ -127,7 +127,7 @@ SERVICE_REGISTRY: Dict[str, Dict] = {
     "SPYONWEB_API_KEY":         {"display": "SpyOnWeb",                  "public": False},
     "SPYSE_API_KEY":            {"display": "Spyse",                     "public": False},
     "TC_API_KEY":               {"display": "ThreatConnect",             "public": False},
-    "TINES_API_KEY":            {"display": "Tines Breach",              "public": False},
+    "FLARE_API_KEY":            {"display": "Flare LeaksDB",              "public": False},
     "TP_API_KEY":               {"display": "ThreatPortal",              "public": False},
     "TWITTER_BEARER_TOKEN":     {"display": "Twitter / X API v2",        "public": False},
     "URLVOID_API_KEY":          {"display": "URLVoid",                   "public": False},

sources/seon_email.json

@@ -0,0 +1,41 @@
+{
+    "name": "seon_email",
+    "category": "enrichment",
+    "endpoint": "https://api.seon.io/SeonRestService/email-api/v3",
+    "method": "POST",
+    "requires_auth": true,
+    "selectors": {
+        "data": "$.data"
+    },
+    "rate_limit": 1.0,
+    "headers": {
+        "X-API-KEY": "{SEON_API_KEY}",
+        "Content-Type": "application/json"
+    },
+    "payload_template": {
+        "email": "{target}"
+    },
+    "api_key_slots": [
+        "{SEON_API_KEY}"
+    ],
+    "input_type": "email",
+    "output_type": [
+        "email",
+        "domain",
+        "username"
+    ],
+    "normalization_map": {
+        "email": "email_address",
+        "domain": "domain",
+        "full_name": "full_name",
+        "phone_number": "phone"
+    },
+    "tags": [
+        "passive"
+    ],
+    "health_check_url": "https://api.seon.io",
+    "expected_status": 200,
+    "reliability_score": 4,
+    "backup_endpoints": [],
+    "confidence": 0.85
+}

sources/tines_breach.json

@@ -1,30 +0,0 @@
-{
-    "name": "tines_breach",
-    "category": "breaches",
-    "endpoint": "https://api.tines.com/breaches/{target}",
-    "method": "GET",
-    "requires_auth": true,
-    "selectors": {
-        "breaches": "$.breaches"
-    },
-    "rate_limit": 1.0,
-    "headers": {
-        "Authorization": "Bearer {TINES_API_KEY}"
-    },
-    "api_key_slots": [
-        "{TINES_API_KEY}"
-    ],
-    "input_type": "email",
-    "output_type": [
-        "email"
-    ],
-    "normalization_map": {},
-    "tags": [
-        "passive"
-    ],
-    "health_check_url": "https://api.tines.com",
-    "expected_status": 200,
-    "reliability_score": 3,
-    "backup_endpoints": [],
-    "confidence": 0.7
-}