Add legacy tools/cli.py shim, document it, and tighten apex domain logic

[Victor-Dixon]

Motivation

• Restore compatibility for existing automation that invokes python tools/cli.py by providing a minimal shim that forwards to the unified CLI entrypoint.
• Prevent generation of off-target FQDNs when deriving an apex domain from subdomains by preferring the original host unless a safe prefix strip is possible.
• Preserve special-case handling for common two-level public suffixes such as co.uk when computing apex domains.
• Maintain project constraints around single-source-of-truth (SSOT) and Python file size limits during edits.

Description

• Add a lightweight legacy shim tools/cli.py that imports main from tools.cli.main and exits with its return code to keep python tools/cli.py working.
• Document the shim and its intended minimal/temporary nature in tools/cli/README.md with usage examples and migration guidance.
• Update _apex_domain in tools_v2/categories/security_audit_tools.py to return the original host by default and only strip a known host prefix when the resulting candidate does not collapse into a known two-level public suffix.
• Keep the COMMON_PUBLIC_SUFFIX_2 logic to ensure three-part apex domains are returned for those suffixes.

Testing

• No automated tests (unit tests, pytest, or CI) were executed after these changes.
• Recommend running the repository test suite (pytest -q) and CI pipelines to validate runtime behavior and prevent regressions.

---

Codex Task

---

Note

Introduces a legacy CLI shim and refines domain handling.

• Adds tools/cli.py shim that forwards to tools.cli.main to preserve python tools/cli.py entrypoint
• Documents shim usage and migration notes in tools/cli/README.md
• Updates _apex_domain in tools_v2/categories/security_audit_tools.py to default to the original host, preserve two-level public suffix handling (e.g., co.uk), and strip common prefixes only when safe to avoid off-target FQDNs

^{Written by Cursor Bugbot for commit e37059f. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Strip only rare prefixes breaks subdomain probing

Because _apex_domain now only strips the first label when it is in COMMON_HOST_PREFIXES, common inputs like api.example.com or staging.example.com are treated as the “apex” and the function falls through to return the full host. That means _probe_subdomains will generate admin.api.example.com, www.staging.example.com, etc., instead of probing siblings such as admin.example.com, which is the behavior implied by the default subdomains list. This is a regression for typical URLs where the first label is not in {www,m,app,beta}, and it will silently miss the intended subdomain checks.

Useful? React with 👍 / 👎.