npm - @omnizap-system/omnizap - Versions diffs - 2.5.12 - Mend

@omnizap-system/omnizap 2.5.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (425) hide show

package/.clusterfuzzlite/Dockerfile +10 -0
package/.env.example +907 -0
package/.github/codeql/codeql-config.yml +10 -0
package/.github/dependabot.yml +35 -0
package/.github/workflows/ci.yml +73 -0
package/.github/workflows/codeql.yml +106 -0
package/.github/workflows/db-migration-check.yml +98 -0
package/.github/workflows/dependency-review.yml +22 -0
package/.github/workflows/deploy.yml +95 -0
package/.github/workflows/release.yml +106 -0
package/.github/workflows/security-attest-provenance.yml +51 -0
package/.github/workflows/security-gitleaks.yml +34 -0
package/.github/workflows/security-runner-hardening.yml +31 -0
package/.github/workflows/security-scorecard.yml +44 -0
package/.github/workflows/security-zap-baseline.yml +44 -0
package/.github/workflows/security-zap-full-scan.yml +43 -0
package/.github/workflows/security-zizmor.yml +36 -0
package/.github/workflows/wiki-sync.yml +44 -0
package/.gitleaks.toml +15 -0
package/.prettierrc +34 -0
package/CODE_OF_CONDUCT.md +114 -0
package/LICENSE +56 -0
package/README.md +110 -0
package/SECURITY.md +110 -0
package/app/config/index.js +4 -0
package/app/configParts/adminIdentity.js +92 -0
package/app/configParts/baileysConfig.js +1818 -0
package/app/configParts/groupUtils.js +692 -0
package/app/configParts/loggerConfig.js +394 -0
package/app/configParts/messagePersistenceService.js +305 -0
package/app/connection/baileysCompatibility.test.js +40 -0
package/app/connection/baileysDbAuthState.js +344 -0
package/app/connection/socketController.js +2243 -0
package/app/controllers/messageController.js +7 -0
package/app/controllers/messagePipeline/commandMiddleware.js +146 -0
package/app/controllers/messagePipeline/conversationMiddleware.js +183 -0
package/app/controllers/messagePipeline/messagePipelineMiddlewares.test.js +522 -0
package/app/controllers/messagePipeline/postProcessingMiddleware.js +41 -0
package/app/controllers/messagePipeline/preProcessingMiddlewares.js +166 -0
package/app/controllers/messageProcessingPipeline.js +699 -0
package/app/modules/adminModule/AGENT.md +4056 -0
package/app/modules/adminModule/adminAiHelpService.js +56 -0
package/app/modules/adminModule/adminConfigRuntime.js +177 -0
package/app/modules/adminModule/commandConfig.json +7122 -0
package/app/modules/adminModule/groupCommandHandlers.js +1823 -0
package/app/modules/adminModule/groupCommandHandlers.test.js +350 -0
package/app/modules/adminModule/groupEventHandlers.js +399 -0
package/app/modules/aiModule/AGENT.md +547 -0
package/app/modules/aiModule/aiAiHelpService.js +14 -0
package/app/modules/aiModule/aiConfigRuntime.js +135 -0
package/app/modules/aiModule/catCommand.js +967 -0
package/app/modules/aiModule/commandConfig.json +981 -0
package/app/modules/analyticsModule/messageAnalysisEventRepository.js +83 -0
package/app/modules/gameModule/AGENT.md +196 -0
package/app/modules/gameModule/commandConfig.json +366 -0
package/app/modules/gameModule/diceCommand.js +42 -0
package/app/modules/gameModule/gameAiHelpService.js +14 -0
package/app/modules/gameModule/gameConfigRuntime.js +68 -0
package/app/modules/menuModule/AGENT.md +205 -0
package/app/modules/menuModule/commandConfig.json +366 -0
package/app/modules/menuModule/common.js +316 -0
package/app/modules/menuModule/menuAiHelpService.js +14 -0
package/app/modules/menuModule/menuConfigRuntime.js +68 -0
package/app/modules/menuModule/menus.js +66 -0
package/app/modules/playModule/AGENT.md +321 -0
package/app/modules/playModule/commandConfig.json +584 -0
package/app/modules/playModule/playAiHelpService.js +14 -0
package/app/modules/playModule/playCommand.js +1417 -0
package/app/modules/playModule/playConfigRuntime.js +68 -0
package/app/modules/quoteModule/AGENT.md +199 -0
package/app/modules/quoteModule/commandConfig.json +366 -0
package/app/modules/quoteModule/quoteAiHelpService.js +14 -0
package/app/modules/quoteModule/quoteCommand.js +842 -0
package/app/modules/quoteModule/quoteConfigRuntime.js +68 -0
package/app/modules/rpgPokemonModule/AGENT.md +229 -0
package/app/modules/rpgPokemonModule/commandConfig.json +386 -0
package/app/modules/rpgPokemonModule/rpgBattleCanvasRenderer.js +795 -0
package/app/modules/rpgPokemonModule/rpgBattleService.js +2110 -0
package/app/modules/rpgPokemonModule/rpgBattleService.test.js +770 -0
package/app/modules/rpgPokemonModule/rpgEvolutionUtils.js +22 -0
package/app/modules/rpgPokemonModule/rpgPokemonAiHelpService.js +14 -0
package/app/modules/rpgPokemonModule/rpgPokemonCommand.js +174 -0
package/app/modules/rpgPokemonModule/rpgPokemonConfigRuntime.js +68 -0
package/app/modules/rpgPokemonModule/rpgPokemonDomain.js +192 -0
package/app/modules/rpgPokemonModule/rpgPokemonDomain.test.js +93 -0
package/app/modules/rpgPokemonModule/rpgPokemonEvolution.test.js +46 -0
package/app/modules/rpgPokemonModule/rpgPokemonMessages.js +746 -0
package/app/modules/rpgPokemonModule/rpgPokemonRepository.js +1847 -0
package/app/modules/rpgPokemonModule/rpgPokemonService.js +6839 -0
package/app/modules/rpgPokemonModule/rpgProfileCanvasRenderer.js +354 -0
package/app/modules/statsModule/AGENT.md +320 -0
package/app/modules/statsModule/commandConfig.json +540 -0
package/app/modules/statsModule/globalRankingCommand.js +64 -0
package/app/modules/statsModule/rankingCommand.js +41 -0
package/app/modules/statsModule/rankingCommon.js +1305 -0
package/app/modules/statsModule/statsAiHelpService.js +14 -0
package/app/modules/statsModule/statsConfigRuntime.js +68 -0
package/app/modules/stickerModule/AGENT.md +692 -0
package/app/modules/stickerModule/addStickerMetadata.js +239 -0
package/app/modules/stickerModule/commandConfig.json +1216 -0
package/app/modules/stickerModule/convertToWebp.js +367 -0
package/app/modules/stickerModule/stickerAiHelpService.js +14 -0
package/app/modules/stickerModule/stickerCommand.js +446 -0
package/app/modules/stickerModule/stickerConfigRuntime.js +68 -0
package/app/modules/stickerModule/stickerConvertCommand.js +159 -0
package/app/modules/stickerModule/stickerTextCommand.js +653 -0
package/app/modules/stickerPackModule/AGENT.md +215 -0
package/app/modules/stickerPackModule/autoPackCollectorRuntime.js +20 -0
package/app/modules/stickerPackModule/autoPackCollectorService.js +357 -0
package/app/modules/stickerPackModule/commandConfig.json +387 -0
package/app/modules/stickerPackModule/domainEventOutboxRepository.js +227 -0
package/app/modules/stickerPackModule/domainEvents.js +52 -0
package/app/modules/stickerPackModule/semanticReclassificationEngine.js +429 -0
package/app/modules/stickerPackModule/semanticReclassificationEngine.test.js +75 -0
package/app/modules/stickerPackModule/semanticThemeClusterService.js +544 -0
package/app/modules/stickerPackModule/stickerAssetClassificationRepository.js +400 -0
package/app/modules/stickerPackModule/stickerAssetRepository.js +400 -0
package/app/modules/stickerPackModule/stickerAssetReprocessQueueRepository.js +175 -0
package/app/modules/stickerPackModule/stickerAutoPackByTagsRuntime.js +3702 -0
package/app/modules/stickerPackModule/stickerClassificationBackgroundRuntime.js +559 -0
package/app/modules/stickerPackModule/stickerClassificationService.js +557 -0
package/app/modules/stickerPackModule/stickerDedicatedTaskWorkerRuntime.js +249 -0
package/app/modules/stickerPackModule/stickerDomainEventBus.js +65 -0
package/app/modules/stickerPackModule/stickerDomainEventConsumerRuntime.js +208 -0
package/app/modules/stickerPackModule/stickerMarketplaceDriftService.js +99 -0
package/app/modules/stickerPackModule/stickerObjectStorageService.js +285 -0
package/app/modules/stickerPackModule/stickerPackAiHelpService.js +14 -0
package/app/modules/stickerPackModule/stickerPackCommandHandlers.js +1148 -0
package/app/modules/stickerPackModule/stickerPackConfigRuntime.js +68 -0
package/app/modules/stickerPackModule/stickerPackEngagementRepository.js +152 -0
package/app/modules/stickerPackModule/stickerPackErrors.js +30 -0
package/app/modules/stickerPackModule/stickerPackInteractionEventRepository.js +101 -0
package/app/modules/stickerPackModule/stickerPackItemRepository.js +432 -0
package/app/modules/stickerPackModule/stickerPackMarketplaceService.js +313 -0
package/app/modules/stickerPackModule/stickerPackMessageService.js +268 -0
package/app/modules/stickerPackModule/stickerPackRepository.js +450 -0
package/app/modules/stickerPackModule/stickerPackScoreSnapshotRepository.js +179 -0
package/app/modules/stickerPackModule/stickerPackScoreSnapshotRuntime.js +271 -0
package/app/modules/stickerPackModule/stickerPackService.js +733 -0
package/app/modules/stickerPackModule/stickerPackServiceRuntime.js +32 -0
package/app/modules/stickerPackModule/stickerPackUtils.js +107 -0
package/app/modules/stickerPackModule/stickerStorageService.js +559 -0
package/app/modules/stickerPackModule/stickerWorkerPipelineRuntime.js +242 -0
package/app/modules/stickerPackModule/stickerWorkerTaskQueueRepository.js +242 -0
package/app/modules/systemMetricsModule/AGENT.md +193 -0
package/app/modules/systemMetricsModule/commandConfig.json +344 -0
package/app/modules/systemMetricsModule/pingCommand.js +399 -0
package/app/modules/systemMetricsModule/systemMetricsAiHelpService.js +14 -0
package/app/modules/systemMetricsModule/systemMetricsConfigRuntime.js +68 -0
package/app/modules/tiktokModule/AGENT.md +196 -0
package/app/modules/tiktokModule/commandConfig.json +366 -0
package/app/modules/tiktokModule/tiktokAiHelpService.js +14 -0
package/app/modules/tiktokModule/tiktokCommand.js +716 -0
package/app/modules/tiktokModule/tiktokConfigRuntime.js +68 -0
package/app/modules/userModule/AGENT.md +200 -0
package/app/modules/userModule/commandConfig.json +386 -0
package/app/modules/userModule/userAiHelpService.js +14 -0
package/app/modules/userModule/userCommand.js +1155 -0
package/app/modules/userModule/userConfigRuntime.js +68 -0
package/app/modules/waifuPicsModule/AGENT.md +431 -0
package/app/modules/waifuPicsModule/commandConfig.json +780 -0
package/app/modules/waifuPicsModule/waifuPicsAiHelpService.js +14 -0
package/app/modules/waifuPicsModule/waifuPicsCommand.js +586 -0
package/app/modules/waifuPicsModule/waifuPicsConfigRuntime.js +68 -0
package/app/observability/metrics.js +766 -0
package/app/services/ai/aiHelpResponseCacheRepository.js +280 -0
package/app/services/ai/aiLearningRepository.js +400 -0
package/app/services/ai/commandConfigEnrichmentRepository.js +769 -0
package/app/services/ai/commandConfigEnrichmentService.js +452 -0
package/app/services/ai/commandConfigValidationService.js +443 -0
package/app/services/ai/commandToolBuilderService.js +192 -0
package/app/services/ai/conversationRouterService.js +516 -0
package/app/services/ai/geminiService.js +115 -0
package/app/services/ai/geminiService.test.js +87 -0
package/app/services/ai/globalModuleAiHelpService.js +1412 -0
package/app/services/ai/globalToolCallingService.js +203 -0
package/app/services/ai/messageCommandExecutionService.js +391 -0
package/app/services/ai/moduleAiHelpCoreService.js +1099 -0
package/app/services/ai/moduleAiHelpWrapperFactory.js +65 -0
package/app/services/ai/moduleCommandConfigRuntimeService.js +113 -0
package/app/services/ai/moduleToolExecutorService.js +464 -0
package/app/services/ai/moduleToolRegistryService.js +178 -0
package/app/services/ai/toolCandidateSelectorService.js +781 -0
package/app/services/auth/googleWebLinkService.js +80 -0
package/app/services/auth/whatsappLoginLinkService.js +230 -0
package/app/services/external/pokeApiService.js +398 -0
package/app/services/group/groupMetadataService.js +311 -0
package/app/services/infra/dbWriteQueue.js +874 -0
package/app/services/infra/featureFlagService.js +131 -0
package/app/services/infra/queueUtils.js +55 -0
package/app/services/messaging/captchaService.js +491 -0
package/app/services/messaging/messagePersistenceService.js +1 -0
package/app/services/messaging/newsBroadcastService.js +347 -0
package/app/services/sticker/stickerFocusService.js +347 -0
package/app/services/sticker/stickerFocusService.test.js +43 -0
package/app/store/aiPromptStore.js +38 -0
package/app/store/conversationSessionStore.js +131 -0
package/app/store/groupConfigStore.js +58 -0
package/app/store/premiumUserStore.js +54 -0
package/app/utils/antiLink/antiLinkModule.js +700 -0
package/app/utils/http/getImageBufferModule.js +18 -0
package/app/utils/json/jsonSanitizer.js +113 -0
package/app/utils/json/jsonSanitizer.test.js +40 -0
package/app/utils/systemMetrics/systemMetricsModule.js +88 -0
package/app/workers/aiLearningWorker.js +605 -0
package/app/workers/commandConfigEnrichmentWorker.js +242 -0
package/database/index.js +2075 -0
package/database/init.js +151 -0
package/database/migrations/.gitkeep +0 -0
package/database/migrations/20260307_d0_hardening_down.sql +64 -0
package/database/migrations/20260307_d0_hardening_up.sql +79 -0
package/database/migrations/20260307_d1_terms_acceptance_down.sql +11 -0
package/database/migrations/20260307_d1_terms_acceptance_up.sql +37 -0
package/database/migrations/20260307_d2_auth_hardening_down.sql +75 -0
package/database/migrations/20260307_d2_auth_hardening_up.sql +100 -0
package/database/migrations/20260314_d7_canonical_sender_down.sql +53 -0
package/database/migrations/20260314_d7_canonical_sender_up.sql +114 -0
package/database/migrations/20260406_d30_security_analytics_down.sql +95 -0
package/database/migrations/20260406_d30_security_analytics_up.sql +292 -0
package/database/migrations/20260407_d31_web_google_session_token_hardening_down.sql +2 -0
package/database/migrations/20260407_d31_web_google_session_token_hardening_up.sql +17 -0
package/database/migrations/20260408_d32_ai_help_response_cache_down.sql +1 -0
package/database/migrations/20260408_d32_ai_help_response_cache_up.sql +22 -0
package/database/migrations/20260409_d33_ai_learning_tables_down.sql +4 -0
package/database/migrations/20260409_d33_ai_learning_tables_up.sql +52 -0
package/database/migrations/20260410_d34_command_config_enrichment_down.sql +3 -0
package/database/migrations/20260410_d34_command_config_enrichment_up.sql +48 -0
package/database/schema.sql +1186 -0
package/docker-compose.yml +104 -0
package/docs/audits/stickerCatalogController-out-of-scope.md +103 -0
package/docs/audits/stickerCatalogController-symbols.md +58 -0
package/docs/compliance/acceptable-use-policy-2026-03-07.md +35 -0
package/docs/compliance/dpa-b2b-standard-2026-03-07.md +80 -0
package/docs/compliance/monthly-compliance-checklist-2026-03-07.md +88 -0
package/docs/compliance/notice-and-takedown-policy-2026-03-07.md +34 -0
package/docs/compliance/privacy-policy-2026-03-07.md +75 -0
package/docs/compliance/subprocessors-inventory-2026-03-07.md +16 -0
package/docs/database/production-db-evolution-runbook-2026q1.md +365 -0
package/docs/security/dsar-lgpd-runbook-2026-03-07.md +86 -0
package/docs/security/incident-response-lgpd-anpd-runbook-2026-03-07.md +77 -0
package/docs/security/network-hardening-runbook-2026-03-07.md +137 -0
package/docs/seo/omnizap-seo-playbook-br-2026-02-28.md +238 -0
package/docs/seo/satellite-page-template.md +116 -0
package/docs/seo/satellite-pages-phase1.json +364 -0
package/docs/wiki/Home.md +120 -0
package/docs/wiki/pair-extraordinaire-2026-03-08.md +3 -0
package/docs/wiki/recent-changes-2026-03-08.md +47 -0
package/ecosystem.prod.config.cjs +135 -0
package/eslint.config.js +89 -0
package/index.js +488 -0
package/ml/clip_classifier/Dockerfile +18 -0
package/ml/clip_classifier/README.md +118 -0
package/ml/clip_classifier/adaptive_scoring.py +40 -0
package/ml/clip_classifier/classifier.py +654 -0
package/ml/clip_classifier/embedding_store.py +481 -0
package/ml/clip_classifier/env_loader.py +15 -0
package/ml/clip_classifier/llm_label_expander.py +144 -0
package/ml/clip_classifier/main.py +213 -0
package/ml/clip_classifier/requirements.txt +10 -0
package/ml/clip_classifier/similarity_engine.py +74 -0
package/new-logo.png +0 -0
package/observability/alert-rules.yml +60 -0
package/observability/grafana/dashboards/omnizap-mysql.json +136 -0
package/observability/grafana/dashboards/omnizap-overview.json +170 -0
package/observability/grafana/provisioning/dashboards/dashboards.yml +11 -0
package/observability/grafana/provisioning/datasources/datasources.yml +15 -0
package/observability/loki-config.yml +38 -0
package/observability/mysql-setup.sql +46 -0
package/observability/prometheus.yml +35 -0
package/observability/promtail-config.yml +84 -0
package/observability/sticker-catalog-slo.md +83 -0
package/observability/sticker-scale-hardening-rollout.md +128 -0
package/package.json +144 -0
package/public/apple-touch-icon.png +0 -0
package/public/assets/css/commands-react.input.css +71 -0
package/public/assets/css/create-pack-react.input.css +31 -0
package/public/assets/css/home-react.input.css +106 -0
package/public/assets/css/login-react.input.css +58 -0
package/public/assets/css/stickers-react.input.css +18 -0
package/public/assets/css/terms-react.input.css +115 -0
package/public/assets/css/user-react.input.css +57 -0
package/public/assets/images/brand-icon-192.png +0 -0
package/public/assets/images/brand-logo-128.webp +0 -0
package/public/assets/images/hero-banner-1280.jpg +0 -0
package/public/comandos/commands-catalog.json +4517 -0
package/public/css/api-docs.css +161 -0
package/public/css/stickers-admin.css +1288 -0
package/public/css/styles.css +679 -0
package/public/css/systemadm/admin.css +474 -0
package/public/css/systemadm/base.css +73 -0
package/public/css/systemadm/components.css +662 -0
package/public/css/systemadm/layout.css +229 -0
package/public/css/systemadm/tokens.css +56 -0
package/public/favicon-16x16.png +0 -0
package/public/favicon-32x32.png +0 -0
package/public/favicon.ico +0 -0
package/public/js/apps/apiDocsApp.js +235 -0
package/public/js/apps/commandsReactApp.js +528 -0
package/public/js/apps/createPackApp.js +1646 -0
package/public/js/apps/homeReactApp.js +942 -0
package/public/js/apps/loginReactApp.js +496 -0
package/public/js/apps/stickersAdminApp.js +1753 -0
package/public/js/apps/stickersApp.js +3797 -0
package/public/js/apps/termsReactApp.js +528 -0
package/public/js/apps/userApp.js +2540 -0
package/public/js/apps/userProfile/actions.js +66 -0
package/public/js/apps/userReactApp.js +547 -0
package/public/js/catalog.js +950 -0
package/public/pages/api-docs.html +40 -0
package/public/pages/aup.html +158 -0
package/public/pages/comandos.html +41 -0
package/public/pages/dpa.html +227 -0
package/public/pages/home.html +45 -0
package/public/pages/licenca.html +182 -0
package/public/pages/login.html +40 -0
package/public/pages/notice-and-takedown.html +234 -0
package/public/pages/politica-de-privacidade.html +251 -0
package/public/pages/seo-bot-whatsapp-para-grupo.html +350 -0
package/public/pages/seo-bot-whatsapp-sem-programar.html +350 -0
package/public/pages/seo-como-automatizar-avisos-no-whatsapp.html +350 -0
package/public/pages/seo-como-criar-comandos-whatsapp.html +350 -0
package/public/pages/seo-como-evitar-spam-no-whatsapp.html +350 -0
package/public/pages/seo-como-moderar-grupo-whatsapp.html +350 -0
package/public/pages/seo-como-organizar-comunidade-whatsapp.html +350 -0
package/public/pages/seo-melhor-bot-whatsapp-para-grupos.html +350 -0
package/public/pages/stickers-admin.html +31 -0
package/public/pages/stickers-create.html +41 -0
package/public/pages/stickers.html +45 -0
package/public/pages/suboperadores.html +237 -0
package/public/pages/termos-de-uso-texto-integral.html +241 -0
package/public/pages/termos-de-uso.html +41 -0
package/public/pages/user-password-reset.html +32 -0
package/public/pages/user-systemadm.html +508 -0
package/public/pages/user.html +39 -0
package/public/robots.txt +9 -0
package/public/site.webmanifest +24 -0
package/public/sitemap.xml +98 -0
package/schemas/command-config.schema.json +582 -0
package/scripts/baileys-compat-smoke.mjs +12 -0
package/scripts/cache-bust.mjs +142 -0
package/scripts/deploy.sh +916 -0
package/scripts/email-broadcast-terms-update.mjs +170 -0
package/scripts/enrich-command-discovery-fields.mjs +286 -0
package/scripts/generate-command-config-schema.mjs +273 -0
package/scripts/generate-commands-catalog.mjs +308 -0
package/scripts/generate-module-agents.mjs +631 -0
package/scripts/generate-seo-satellite-pages.mjs +400 -0
package/scripts/github-deploy-notify.mjs +174 -0
package/scripts/github-release-notify.mjs +219 -0
package/scripts/release.sh +599 -0
package/scripts/run-codeql-local.sh +116 -0
package/scripts/run-prettier-all.mjs +25 -0
package/scripts/security-smoketest.mjs +581 -0
package/scripts/sticker-catalog-loadtest.mjs +210 -0
package/scripts/sticker-worker-task.mjs +119 -0
package/scripts/sync-readme-snapshot.mjs +133 -0
package/scripts/validate-command-config-schema.mjs +130 -0
package/scripts/validate-command-configs.mjs +15 -0
package/scripts/wiki-sync.sh +191 -0
package/server/auth/googleWebAuth/googleWebAuthRuntime.js +62 -0
package/server/auth/googleWebAuth/googleWebAuthService.js +807 -0
package/server/auth/jwt/webJwtService.js +147 -0
package/server/auth/stickerCatalogAuthContext.js +165 -0
package/server/auth/termsAcceptance/termsAcceptanceHandler.js +189 -0
package/server/auth/userPassword/index.js +14 -0
package/server/auth/userPassword/userPasswordAuthService.js +422 -0
package/server/auth/userPassword/userPasswordCrypto.js +199 -0
package/server/auth/userPassword/userPasswordCrypto.test.js +76 -0
package/server/auth/userPassword/userPasswordRecoveryService.js +728 -0
package/server/auth/validation/authSchemas.js +236 -0
package/server/auth/webAccount/webAccountHandlers.js +1434 -0
package/server/controllers/admin/adminBanService.js +138 -0
package/server/controllers/admin/adminPanelHandlers.js +2083 -0
package/server/controllers/admin/stickerCatalogAdminContext.js +17 -0
package/server/controllers/admin/systemAdminController.js +201 -0
package/server/controllers/email/emailAutomationController.js +239 -0
package/server/controllers/metricsController.js +21 -0
package/server/controllers/seo/stickerCatalogSeoContext.js +514 -0
package/server/controllers/sticker/nonCatalogHandlers.js +303 -0
package/server/controllers/sticker/stickerCatalogController.js +4700 -0
package/server/controllers/system/contactController.js +115 -0
package/server/controllers/system/githubController.js +137 -0
package/server/controllers/system/stickerCatalogSystemContext.js +758 -0
package/server/controllers/system/storageController.js +154 -0
package/server/controllers/system/systemController.js +135 -0
package/server/controllers/system/systemMetricsController.js +156 -0
package/server/controllers/system/visitController.js +90 -0
package/server/controllers/userController.js +145 -0
package/server/email/emailAutomationRuntime.js +225 -0
package/server/email/emailAutomationService.js +125 -0
package/server/email/emailOutboxRepository.js +282 -0
package/server/email/emailTemplateService.js +480 -0
package/server/email/emailTransportService.js +156 -0
package/server/http/clientIp.js +95 -0
package/server/http/httpRequestUtils.js +262 -0
package/server/http/httpRequestUtils.test.js +80 -0
package/server/http/httpServer.js +180 -0
package/server/http/requestContext.js +20 -0
package/server/http/siteRoutingUtils.js +87 -0
package/server/index.js +1 -0
package/server/middleware/cachePolicy.js +26 -0
package/server/middleware/cachePolicyHelpers.js +1 -0
package/server/middleware/endpointRateLimit.js +181 -0
package/server/middleware/rateLimit.js +70 -0
package/server/middleware/requireAdminAuth.js +48 -0
package/server/middleware/securityHeaders.js +97 -0
package/server/routes/admin/systemAdminRouter.js +64 -0
package/server/routes/email/emailAutomationRouter.js +46 -0
package/server/routes/health/healthRouter.js +41 -0
package/server/routes/indexRouter.js +234 -0
package/server/routes/metrics/metricsRouter.js +58 -0
package/server/routes/static/staticPageRouter.js +134 -0
package/server/routes/sticker/catalogHandlers/catalogAdminHttp.js +105 -0
package/server/routes/sticker/catalogHandlers/catalogAuthHttp.js +77 -0
package/server/routes/sticker/catalogHandlers/catalogPublicHttp.js +120 -0
package/server/routes/sticker/catalogHandlers/catalogUploadHttp.js +83 -0
package/server/routes/sticker/catalogRouter.js +77 -0
package/server/routes/sticker/stickerApiRouter.js +84 -0
package/server/routes/sticker/stickerDataRouter.js +145 -0
package/server/routes/sticker/stickerSiteRouter.js +43 -0
package/server/routes/user/userApiPaths.js +66 -0
package/server/routes/user/userRouter.js +65 -0
package/server/utils/safePath.js +26 -0
package/utils/logger/loggerModule.js +35 -0
package/vite.config.mjs +38 -0

package/scripts/security-smoketest.mjs ADDED Viewed

@@ -0,0 +1,581 @@
+#!/usr/bin/env node
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import process from 'node:process';
+const BASE_URL = String(process.env.SECURITY_TEST_BASE_URL || 'http://127.0.0.1:9102').replace(/\/+$/, '');
+const REPORT_PATH = String(process.env.SECURITY_TEST_REPORT_PATH || './temp/security-smoketest-report.json').trim();
+const REQUEST_TIMEOUT_MS = Math.max(1_000, Number(process.env.SECURITY_TEST_TIMEOUT_MS || 10_000));
+const PASS = 'PASS';
+const WARN = 'WARN';
+const FAIL = 'FAIL';
+const MANUAL = 'MANUAL';
+const sqlErrorRegex = /(sql syntax|syntax error|mysql|sqlite|postgres|odbc|query failed|unclosed quotation|ORA-\d+)/i;
+const nowIso = () => new Date().toISOString();
+const safeJson = async (value) => {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+};
+const request = async (path, { method = 'GET', headers = {}, body = undefined } = {}) => {
+  const url = `${BASE_URL}${path.startsWith('/') ? path : `/${path}`}`;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+  try {
+    const response = await fetch(url, {
+      method,
+      headers,
+      body,
+      redirect: 'manual',
+      signal: controller.signal,
+    });
+    const text = await response.text();
+    const json = await safeJson(text);
+    return {
+      ok: true,
+      url,
+      status: response.status,
+      headers: Object.fromEntries(response.headers.entries()),
+      text,
+      json,
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      url,
+      status: null,
+      headers: {},
+      text: '',
+      json: null,
+      error: error?.message || String(error),
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+};
+const summarizeStatuses = (items) =>
+  items.reduce((acc, item) => {
+    acc[item.status] = (acc[item.status] || 0) + 1;
+    return acc;
+  }, {});
+const testSqlInjection = async () => {
+  const payloads = ["' OR 1=1--", '" OR "1"="1', '1;DROP TABLE users;--'];
+  const routes = ['/api/sticker-packs?q=', '/api/sticker-packs/creators?q=', '/api/sticker-packs/recommendations?q='];
+  const evidence = [];
+  let hasFailure = false;
+  for (const route of routes) {
+    for (const payload of payloads) {
+      const res = await request(`${route}${encodeURIComponent(payload)}`);
+      const hasSqlError = sqlErrorRegex.test(res.text || '');
+      const bad = !res.ok || res.status >= 500 || hasSqlError;
+      if (bad) hasFailure = true;
+      evidence.push({
+        route,
+        payload,
+        status: res.status,
+        network_ok: res.ok,
+        sql_error_pattern: hasSqlError,
+      });
+    }
+  }
+  return {
+    id: 1,
+    name: 'SQL Injection',
+    status: hasFailure ? FAIL : PASS,
+    note: hasFailure ? 'Há indícios de falha/erro SQL em payload de injeção.' : 'Payloads SQLi não causaram erro SQL nem 5xx.',
+    evidence,
+  };
+};
+const testXss = async () => {
+  const payload = '<svg/onload=alert(1)>';
+  const routes = [`/stickers?q=${encodeURIComponent(payload)}`, `/user?q=${encodeURIComponent(payload)}`, `/api/sticker-packs?q=${encodeURIComponent(payload)}`];
+  const evidence = [];
+  let htmlRawReflected = false;
+  let apiRawReflected = false;
+  for (const path of routes) {
+    const res = await request(path);
+    const reflectedRaw = (res.text || '').includes(payload);
+    const contentType = String(res.headers['content-type'] || '');
+    const isHtml = /text\/html/i.test(contentType);
+    const isJson = /application\/json/i.test(contentType);
+    if (reflectedRaw && isHtml) htmlRawReflected = true;
+    if (reflectedRaw && isJson) apiRawReflected = true;
+    evidence.push({
+      path,
+      status: res.status,
+      content_type: contentType || null,
+      reflected_raw: reflectedRaw,
+    });
+  }
+  const status = htmlRawReflected ? FAIL : apiRawReflected ? WARN : PASS;
+  return {
+    id: 2,
+    name: 'Cross-Site Scripting (XSS)',
+    status,
+    note: status === FAIL ? 'Payload XSS refletido em resposta HTML.' : status === WARN ? 'Payload refletido em API JSON; revisar sanitização no frontend consumidor.' : 'Sem reflexão bruta do payload XSS nas rotas testadas.',
+    evidence,
+  };
+};
+const testCsrf = async () => {
+  const resSession = await request('/api/sticker-packs/admin/session', {
+    method: 'DELETE',
+    headers: { 'x-forwarded-proto': 'https' },
+  });
+  const cookieHeader = String(resSession.headers['set-cookie'] || '');
+  const hasHttpOnly = /httponly/i.test(cookieHeader);
+  const hasSameSite = /samesite=/i.test(cookieHeader);
+  const hasSecure = /secure/i.test(cookieHeader);
+  const resOrigin = await request('/api/sticker-packs/create', {
+    method: 'POST',
+    headers: {
+      Origin: 'https://evil.example',
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ name: 'csrf-test' }),
+  });
+  const blockedByAuth = [401, 403].includes(resOrigin.status);
+  const cookieFlagsOk = hasHttpOnly && hasSameSite && hasSecure;
+  const status = blockedByAuth && cookieFlagsOk ? PASS : WARN;
+  return {
+    id: 3,
+    name: 'Cross-Site Request Forgery (CSRF)',
+    status,
+    note: status === PASS ? 'Fluxo testado bloqueou mutação não autenticada e cookies possuem flags de proteção.' : 'Validação parcial: revisar proteção CSRF em rotas autenticadas com sessão ativa.',
+    evidence: [
+      {
+        path: '/api/sticker-packs/admin/session',
+        status: resSession.status,
+        cookie_flags: { http_only: hasHttpOnly, same_site: hasSameSite, secure: hasSecure },
+      },
+      {
+        path: '/api/sticker-packs/create',
+        status: resOrigin.status,
+        blocked_by_auth: blockedByAuth,
+      },
+    ],
+  };
+};
+const testDdosSafe = async () => {
+  const total = 80;
+  const concurrency = 16;
+  let cursor = 0;
+  let failures = 0;
+  let serverErrors = 0;
+  const latencies = [];
+  const worker = async () => {
+    while (true) {
+      const idx = cursor;
+      cursor += 1;
+      if (idx >= total) return;
+      const startedAt = Date.now();
+      const res = await request('/healthz');
+      const elapsed = Date.now() - startedAt;
+      latencies.push(elapsed);
+      if (!res.ok) failures += 1;
+      if (res.status >= 500) serverErrors += 1;
+    }
+  };
+  await Promise.all(Array.from({ length: concurrency }, () => worker()));
+  latencies.sort((a, b) => a - b);
+  const p95 = latencies[Math.floor(latencies.length * 0.95)] || 0;
+  const failureRate = total > 0 ? failures / total : 1;
+  const serverErrorRate = total > 0 ? serverErrors / total : 1;
+  const status = failureRate <= 0.1 && serverErrorRate === 0 ? PASS : WARN;
+  return {
+    id: 4,
+    name: 'Distributed Denial-of-Service (safe simulation)',
+    status,
+    note: status === PASS ? 'Serviço permaneceu estável em burst controlado local.' : 'Houve instabilidade em burst local; revisar capacidade e limites.',
+    evidence: [
+      {
+        total,
+        concurrency,
+        failures,
+        server_errors: serverErrors,
+        failure_rate: failureRate,
+        p95_ms: p95,
+      },
+    ],
+  };
+};
+const testBruteForce = async () => {
+  const codes = [];
+  for (let i = 0; i < 14; i += 1) {
+    const res = await request('/api/sticker-packs/auth/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ probe: 'bruteforce' }),
+    });
+    codes.push(res.status);
+  }
+  const has429 = codes.includes(429);
+  return {
+    id: 5,
+    name: 'Brute Force Attack',
+    status: has429 ? PASS : WARN,
+    note: has429 ? 'Rate limiting acionado para tentativas repetidas.' : 'Não foi observado 429 no cenário simulado de força bruta.',
+    evidence: [{ codes }],
+  };
+};
+const testCredentialStuffing = async () => {
+  const identities = ['a@example.com', 'b@example.com', 'c@example.com', 'd@example.com'];
+  const codes = [];
+  for (let i = 0; i < 16; i += 1) {
+    const identity = identities[i % identities.length];
+    const res = await request('/api/sticker-packs/auth/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ identity, password: `P@ss${i}` }),
+    });
+    codes.push(res.status);
+  }
+  const has429 = codes.includes(429);
+  return {
+    id: 6,
+    name: 'Credential Stuffing',
+    status: has429 ? PASS : WARN,
+    note: has429 ? 'Rate limiting também mitigou tentativas com credenciais variadas.' : 'Sem 429 no padrão simulado de credential stuffing.',
+    evidence: [{ codes }],
+  };
+};
+const testDirectoryTraversal = async () => {
+  const paths = ['/.env', '/data/../../.env', '/data/%2e%2e/%2e%2e/.env', '/data/%252e%252e/%252e%252e/.env'];
+  const evidence = [];
+  let leaked = false;
+  for (const path of paths) {
+    const res = await request(path);
+    const body = String(res.text || '');
+    const maybeLeak = res.status === 200 || /DB_PASSWORD|MYSQL_PASSWORD|GITHUB_TOKEN/i.test(body);
+    if (maybeLeak) leaked = true;
+    evidence.push({ path, status: res.status, potential_leak: maybeLeak });
+  }
+  return {
+    id: 7,
+    name: 'Directory Traversal',
+    status: leaked ? FAIL : PASS,
+    note: leaked ? 'Há indício de leitura indevida de arquivo sensível.' : 'Tentativas de traversal foram bloqueadas.',
+    evidence,
+  };
+};
+const testFileUploadAttack = async () => {
+  const binaryPayload = Buffer.from('MZ_fake_executable_content', 'utf8');
+  const resCreate = await request('/api/sticker-packs/create', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name: '../../../etc/passwd', cover: 'data:text/plain;base64,QQ==' }),
+  });
+  const resUpload = await request('/api/sticker-packs/fake-pack/manage/stickers-upload', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/octet-stream' },
+    body: binaryPayload,
+  });
+  const blocked = ![200, 201, 202].includes(resCreate.status) && ![200, 201, 202].includes(resUpload.status);
+  return {
+    id: 8,
+    name: 'File Upload Attack',
+    status: blocked ? PASS : WARN,
+    note: blocked ? 'Uploads malformados/suspeitos não foram aceitos no cenário sem autenticação.' : 'Algum upload suspeito retornou sucesso; revisar validações.',
+    evidence: [
+      { path: '/api/sticker-packs/create', status: resCreate.status },
+      { path: '/api/sticker-packs/fake-pack/manage/stickers-upload', status: resUpload.status },
+    ],
+  };
+};
+const testSessionHijacking = async () => {
+  const resCookie = await request('/api/sticker-packs/admin/session', {
+    method: 'DELETE',
+    headers: { 'x-forwarded-proto': 'https' },
+  });
+  const cookieHeader = String(resCookie.headers['set-cookie'] || '');
+  const hasHttpOnly = /httponly/i.test(cookieHeader);
+  const hasSameSite = /samesite=/i.test(cookieHeader);
+  const hasSecure = /secure/i.test(cookieHeader);
+  const resForged = await request('/api/sticker-packs/admin/overview', {
+    headers: { Cookie: 'omnizap_admin_panel_session=fake-session-token' },
+  });
+  const blocked = [401, 403].includes(resForged.status);
+  const status = blocked && hasHttpOnly && hasSameSite && hasSecure ? PASS : WARN;
+  return {
+    id: 9,
+    name: 'Session Hijacking',
+    status,
+    note: status === PASS ? 'Cookie protegido e sessão forjada bloqueada no endpoint admin.' : 'Validação parcial: revisar sessão/cookie para evitar hijacking.',
+    evidence: [{ forged_request_status: resForged.status }, { cookie_flags: { http_only: hasHttpOnly, same_site: hasSameSite, secure: hasSecure } }],
+  };
+};
+const testClickjacking = async () => {
+  const res = await request('/user/systemadm');
+  const xfo = String(res.headers['x-frame-options'] || '');
+  const csp = String(res.headers['content-security-policy'] || '');
+  const ok = /sameorigin/i.test(xfo) && /frame-ancestors\s+'self'/i.test(csp);
+  return {
+    id: 10,
+    name: 'Clickjacking',
+    status: ok ? PASS : WARN,
+    note: ok ? 'Proteções anti-frame detectadas (X-Frame-Options + frame-ancestors).' : 'Cabeçalhos anti-clickjacking incompletos.',
+    evidence: [
+      {
+        status: res.status,
+        x_frame_options: xfo || null,
+        csp_has_frame_ancestors_self: /frame-ancestors\s+'self'/i.test(csp),
+      },
+    ],
+  };
+};
+const testMitm = async () => {
+  const res = await request('/api/home-bootstrap');
+  const hsts = String(res.headers['strict-transport-security'] || '');
+  const hasHsts = /max-age=\d+/i.test(hsts);
+  return {
+    id: 11,
+    name: 'Man-in-the-Middle (header posture)',
+    status: hasHsts ? PASS : WARN,
+    note: hasHsts ? 'HSTS presente. Teste MITM real ainda requer ambiente de rede controlado.' : 'HSTS ausente; reforçar proteção em tráfego HTTPS.',
+    evidence: [{ status: res.status, hsts: hsts || null }],
+  };
+};
+const testSsrf = async () => {
+  const payload = 'http://169.254.169.254/latest/meta-data/';
+  const res = await request('/api/sticker-packs/create', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name: 'ssrf-test', source_url: payload }),
+  });
+  const blocked = [400, 401, 403, 405, 422].includes(res.status);
+  return {
+    id: 12,
+    name: 'Server-Side Request Forgery (SSRF)',
+    status: blocked ? PASS : MANUAL,
+    note: blocked ? 'Payload SSRF não foi processado no cenário testado sem autenticação.' : 'Necessário teste autenticado em endpoint que realmente consome URLs.',
+    evidence: [{ path: '/api/sticker-packs/create', status: res.status }],
+  };
+};
+const testRce = async () => {
+  const payload = '$(id)';
+  const res = await request(`/api/sticker-packs?q=${encodeURIComponent(payload)}`);
+  const hasExecutionEvidence = /uid=\d+/.test(res.text || '');
+  const failed = !res.ok || res.status >= 500 || hasExecutionEvidence;
+  return {
+    id: 13,
+    name: 'Remote Code Execution (RCE)',
+    status: failed ? WARN : PASS,
+    note: failed ? 'Houve erro/indício que merece investigação manual de RCE.' : 'Sem indício de execução remota nos payloads de smoke test.',
+    evidence: [{ status: res.status, execution_pattern_found: hasExecutionEvidence }],
+  };
+};
+const testCommandInjection = async () => {
+  const payload = ';cat /etc/passwd';
+  const res = await request(`/api/sticker-packs/recommendations?q=${encodeURIComponent(payload)}`);
+  const leaked = /root:.*:0:0:/.test(res.text || '');
+  const failed = !res.ok || res.status >= 500 || leaked;
+  return {
+    id: 14,
+    name: 'Command Injection',
+    status: failed ? WARN : PASS,
+    note: failed ? 'Houve erro/indício de injeção de comando a investigar.' : 'Sem indício de command injection nos payloads aplicados.',
+    evidence: [{ status: res.status, passwd_pattern_found: leaked }],
+  };
+};
+const testXxe = async () => {
+  const xml = `<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n<root><name>&xxe;</name></root>`;
+  const res = await request('/api/sticker-packs/auth/login', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/xml' },
+    body: xml,
+  });
+  const leaked = /root:.*:0:0:/.test(res.text || '');
+  const blocked = [400, 401, 403, 405, 415, 422, 429].includes(res.status) && !leaked;
+  return {
+    id: 15,
+    name: 'XML External Entity (XXE)',
+    status: blocked ? PASS : WARN,
+    note: blocked ? 'Payload XXE bloqueado/não processado.' : 'Comportamento inesperado para payload XXE.',
+    evidence: [{ status: res.status, passwd_pattern_found: leaked }],
+  };
+};
+const testBrokenAuth = async () => {
+  const checks = ['/api/sticker-packs/admin/overview', '/api/system-summary', '/api/email/health'];
+  const evidence = [];
+  let allBlocked = true;
+  for (const path of checks) {
+    const res = await request(path);
+    const blocked = [401, 403].includes(res.status);
+    if (!blocked) allBlocked = false;
+    evidence.push({ path, status: res.status, blocked });
+  }
+  return {
+    id: 16,
+    name: 'Broken Authentication',
+    status: allBlocked ? PASS : FAIL,
+    note: allBlocked ? 'Endpoints protegidos bloquearam acesso sem credenciais.' : 'Algum endpoint protegido respondeu sem bloqueio esperado.',
+    evidence,
+  };
+};
+const testBrokenAccessControl = async () => {
+  const resAdminFake = await request('/api/sticker-packs/admin/users', {
+    headers: { 'x-admin-token': 'fake-token' },
+  });
+  const resContact = await request('/api/support');
+  const blocked = [401, 403].includes(resAdminFake.status) && [401, 403].includes(resContact.status);
+  return {
+    id: 17,
+    name: 'Broken Access Control',
+    status: blocked ? PASS : FAIL,
+    note: blocked ? 'Acesso privilegiado foi negado sem autorização válida.' : 'Há rota sensível sem bloqueio consistente.',
+    evidence: [
+      { path: '/api/sticker-packs/admin/users', status: resAdminFake.status },
+      { path: '/api/support', status: resContact.status },
+    ],
+  };
+};
+const testOpenRedirect = async () => {
+  const probes = ['/stickers/create?next=https://evil.example', '/stickers/admin?next=//evil.example'];
+  const evidence = [];
+  let vulnerable = false;
+  for (const path of probes) {
+    const res = await request(path);
+    const location = String(res.headers.location || '');
+    const open = /^https?:\/\/evil\.example/i.test(location) || /^\/\/evil\.example/i.test(location);
+    if (open) vulnerable = true;
+    evidence.push({ path, status: res.status, location: location || null, open_redirect: open });
+  }
+  return {
+    id: 18,
+    name: 'Open Redirect',
+    status: vulnerable ? FAIL : PASS,
+    note: vulnerable ? 'Foi observada possibilidade de redirecionamento aberto.' : 'Não houve redirecionamento aberto nas rotas testadas.',
+    evidence,
+  };
+};
+const testParameterTampering = async () => {
+  const probes = ['/api/sticker-packs?limit=-1000&page=-1', '/api/sticker-packs?limit=1000000&page=999999', '/api/sticker-packs/creators?limit=999999'];
+  const evidence = [];
+  let failed = false;
+  for (const path of probes) {
+    const res = await request(path);
+    const bad = !res.ok || res.status >= 500;
+    if (bad) failed = true;
+    evidence.push({ path, status: res.status, ok: res.ok });
+  }
+  return {
+    id: 19,
+    name: 'Parameter Tampering',
+    status: failed ? WARN : PASS,
+    note: failed ? 'Algum parâmetro adulterado gerou falha de servidor.' : 'Parâmetros adulterados não causaram erro crítico no smoke test.',
+    evidence,
+  };
+};
+const testPathManipulation = async () => {
+  const probes = ['/api/sticker-packs/%2e%2e/admin/overview', '/api/sticker-packs/..%2Fadmin%2Foverview', '/api/sticker-packs/%2e%2e/%2e%2e/.env', '/api/sticker-packs/%252e%252e/%252e%252e/.env'];
+  const evidence = [];
+  let bypass = false;
+  for (const path of probes) {
+    const res = await request(path);
+    const bad = [200, 201, 202].includes(res.status);
+    if (bad) bypass = true;
+    evidence.push({ path, status: res.status, suspicious_success: bad });
+  }
+  return {
+    id: 20,
+    name: 'Path Manipulation',
+    status: bypass ? FAIL : PASS,
+    note: bypass ? 'Payload de manipulação de caminho obteve sucesso inesperado.' : 'Manipulações de caminho foram bloqueadas.',
+    evidence,
+  };
+};
+const run = async () => {
+  const startedAt = nowIso();
+  const tests = [testSqlInjection, testXss, testCsrf, testDdosSafe, testBruteForce, testCredentialStuffing, testDirectoryTraversal, testFileUploadAttack, testSessionHijacking, testClickjacking, testMitm, testSsrf, testRce, testCommandInjection, testXxe, testBrokenAuth, testBrokenAccessControl, testOpenRedirect, testParameterTampering, testPathManipulation];
+  const results = [];
+  for (const testFn of tests) {
+    try {
+      const result = await testFn();
+      results.push(result);
+      console.log(`[security-smoketest] ${String(result.id).padStart(2, '0')} ${result.name}: ${result.status}`);
+    } catch (error) {
+      const fallbackResult = {
+        id: results.length + 1,
+        name: testFn.name || 'unknown-test',
+        status: WARN,
+        note: `Falha ao executar teste: ${error?.message || error}`,
+        evidence: [],
+      };
+      results.push(fallbackResult);
+      console.log(`[security-smoketest] ${String(fallbackResult.id).padStart(2, '0')} ${fallbackResult.name}: ${fallbackResult.status}`);
+    }
+  }
+  const endedAt = nowIso();
+  const summary = summarizeStatuses(results);
+  const report = {
+    base_url: BASE_URL,
+    started_at: startedAt,
+    ended_at: endedAt,
+    summary,
+    results,
+  };
+  const reportDir = path.dirname(path.resolve(REPORT_PATH));
+  await fs.mkdir(reportDir, { recursive: true });
+  await fs.writeFile(REPORT_PATH, `${JSON.stringify(report, null, 2)}\n`, 'utf8');
+  console.log('[security-smoketest] ---');
+  console.log(`[security-smoketest] base_url=${BASE_URL}`);
+  console.log(`[security-smoketest] summary=${JSON.stringify(summary)}`);
+  console.log(`[security-smoketest] report_path=${REPORT_PATH}`);
+};
+run().catch((error) => {
+  console.error('[security-smoketest] fatal_error', error?.message || error);
+  process.exit(2);
+});