feat: add wave 4 plugins (opslog, note, subdomain, headers)

Opslog: timestamped operational log per channel with add, list,
search, and delete. SQLite-backed, admin-only clear.

Note: persistent per-channel key-value store with set, get, del,
list, clear. SQLite-backed, admin-only clear.

Subdomain: enumeration via crt.sh CT log query with optional DNS
brute force using a built-in 80-word prefix wordlist. Resolves
discovered subdomains concurrently.

Headers: HTTP header fingerprinting against 50+ signature patterns.
Detects servers, frameworks, CDNs, and security headers (HSTS, CSP,
XFO, etc).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

TASKS.md

@@ -1,21 +1,22 @@
 # derp - Tasks
 
-## Current Sprint -- v0.4.0 Wave 3 (2026-02-15)
+## Current Sprint -- v0.5.0 Wave 4 (2026-02-15)
 
 | Pri | Status | Task |
 |-----|--------|------|
-| P0 | [x] | GeoIP plugin (GeoLite2-City mmdb) |
-| P0 | [x] | ASN plugin (GeoLite2-ASN mmdb) |
-| P0 | [x] | Tor exit node check plugin |
-| P0 | [x] | IP reputation plugin (Firehol blocklists) |
-| P0 | [x] | CVE lookup plugin (NVD JSON feed) |
-| P0 | [x] | Data update script (scripts/update-data.sh) |
-| P0 | [x] | Documentation update (all docs current) |
+| P0 | [x] | Opslog plugin (SQLite per-channel notes) |
+| P0 | [x] | Note plugin (per-channel key-value store) |
+| P0 | [x] | Subdomain plugin (crt.sh + DNS brute force) |
+| P0 | [x] | Headers plugin (HTTP header fingerprinting) |
+| P1 | [ ] | ExploitDB search plugin (local CSV clone) |
+| P1 | [ ] | Payload template plugin (SQLi, XSS, SSTI) |
+| P1 | [x] | Documentation update |
 
 ## Completed
 
 | Date | Task |
 |------|------|
+| 2026-02-15 | Wave 4 batch 1 (opslog, note, subdomain, headers) |
 | 2026-02-15 | Wave 3 plugins (geoip, asn, torcheck, iprep, cve) + update script |
 | 2026-02-15 | Admin/owner permission system (hostmask + IRCOP) |
 | 2026-02-15 | SASL PLAIN, rate limiting, CTCP responses |