npm - @panguard-ai/threat-cloud - Versions diffs - 0.2.1 → 0.2.3 - Mend

@panguard-ai/threat-cloud 0.2.1 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/dist/admin-dashboard.d.ts +11 -0
package/dist/admin-dashboard.d.ts.map +1 -0
package/dist/admin-dashboard.js +509 -0
package/dist/admin-dashboard.js.map +1 -0
package/dist/backup.d.ts.map +1 -1
package/dist/backup.js.map +1 -1
package/dist/cli.js +2 -2
package/dist/cli.js.map +1 -1
package/dist/database.d.ts +26 -3
package/dist/database.d.ts.map +1 -1
package/dist/database.js +390 -65
package/dist/database.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/llm-reviewer.d.ts.map +1 -1
package/dist/llm-reviewer.js +1 -3
package/dist/llm-reviewer.js.map +1 -1
package/dist/server.d.ts +26 -2
package/dist/server.d.ts.map +1 -1
package/dist/server.js +327 -24
package/dist/server.js.map +1 -1
package/dist/types.d.ts +35 -0
package/dist/types.d.ts.map +1 -1
package/package.json +1 -1

package/dist/database.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../src/database.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,~~EAAE~~,oBAAoB,~~EAAE~~,eAAe,~~EAAE~~,WAAW,~~EAAE~~,WAAW,~~EAAE~~,qBAAqB,~~EAAE~~,MAAM,YAAY,CAAC;~~AAEzH~~;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAoB;gBAE3B,MAAM,EAAE,MAAM;IAO1B,gDAAgD;IAChD,OAAO,CAAC,UAAU;~~IA+FlB~~,gDAAgD;IAChD,YAAY,CAAC,IAAI,EAAE,oBAAoB,GAAG,IAAI;IAgB9C,oDAAoD;IACpD,UAAU,CAAC,IAAI,EAAE,eAAe,GAAG,IAAI;~~IAavC~~,mEAAmE;IACnE,aAAa,~~CAAC~~,KAAK,EAAE,MAAM,~~GAAG~~,eAAe,EAAE;~~IAU/C~~,+CAA+C;IAC/C,WAAW,~~CAAC~~,KAAK,SAAO,~~GAAG~~,eAAe,EAAE;~~IAU5C~~,6CAA6C;IAC7C,iBAAiB,CAAC,QAAQ,EAAE,WAAW,GAAG,IAAI;IAe9C,mEAAmE;IACnE,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,EAAE;~~IAO3C~~,6EAA6E;IAC7E,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;~~IAU7C~~,6DAA6D;IAC7D,0BAA0B,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;~~IAMtE~~,sCAAsC;IACtC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI;~~IAMnF~~,+CAA+C;IAC/C,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,MAAM,CAAA;KAAE;~~IAMtF~~,gDAAgD;IAChD,iBAAiB,CAAC,UAAU,EAAE,qBAAqB,GAAG,IAAI;IAe1D,0CAA0C;IAC1C,eAAe,CAAC,KAAK,GAAE,MAAW,GAAG,OAAO,EAAE;~~IAI9C~~,uCAAuC;IACvC,gBAAgB,IAAI;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;~~IAQ3F~~,qCAAqC;IACrC,QAAQ,IAAI,WAAW;~~IAsCvB~~,mFAAmF;IACnF,oBAAoB,~~CAAC~~,KAAK,CAAC,EAAE,MAAM,~~GAAG~~,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;~~IAiBzH~~,gFAAgF;IAChF,cAAc,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,EAAE;~~IAuB~~/C,uDAAuD;IACvD,kBAAkB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,EAAE;~~IAUnD~~,yCAAyC;IACzC,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;~~IAYhF~~,iFAAiF;IACjF,yBAAyB,IAAI,MAAM;~~IAkCnC~~,yCAAyC;IACzC,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;~~IAO5C~~,sEAAsE;IACtE,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,eAAe,EAAE;~~IAiBnE~~,qFAAqF;IACrF,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI;~~IAalE~~,kDAAkD;IAClD,iBAAiB,IAAI,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;~~IASxF~~,iCAAiC;IACjC,KAAK,IAAI,IAAI;CAGd"}
1	+ {"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../src/database.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EACV,oBAAoB,EACpB,eAAe,EACf,WAAW,EACX,WAAW,EACX,qBAAqB,EACrB,mBAAmB,EACpB,MAAM,YAAY,CAAC;AAEpB;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAoB;gBAE3B,MAAM,EAAE,MAAM;IAO1B,gDAAgD;IAChD,OAAO,CAAC,UAAU;IA8GlB,wEAAwE;IACxE,OAAO,CAAC,OAAO;IAcf,gDAAgD;IAChD,YAAY,CAAC,IAAI,EAAE,oBAAoB,GAAG,IAAI;IAgB9C,qDAAqD;IACrD,UAAU,CAAC,KAAK,GAAE,MAAW,EAAE,MAAM,GAAE,MAAU,GAAG,OAAO,EAAE;IAM7D,sCAAsC;IACtC,cAAc,IAAI,MAAM;IAIxB,uEAAuE;IACvE,OAAO,CAAC,eAAe;IAiJvB,oDAAoD;IACpD,UAAU,CAAC,IAAI,EAAE,eAAe,GAAG,IAAI;IAiCvC,mEAAmE;IACnE,aAAa,CACX,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAClE,eAAe,EAAE;IAuBpB,+CAA+C;IAC/C,WAAW,CACT,KAAK,SAAO,EACZ,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAClE,eAAe,EAAE;IAwBpB,6CAA6C;IAC7C,iBAAiB,CAAC,QAAQ,EAAE,WAAW,GAAG,IAAI;IAe9C,mEAAmE;IACnE,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,EAAE;IAS3C,6EAA6E;IAC7E,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAc7C,6DAA6D;IAC7D,0BAA0B,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAUtE,sCAAsC;IACtC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI;IAUnF,+CAA+C;IAC/C,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,MAAM,CAAA;KAAE;IAkBtF,gDAAgD;IAChD,iBAAiB,CAAC,UAAU,EAAE,qBAAqB,GAAG,IAAI;IAe1D,0CAA0C;IAC1C,eAAe,CAAC,KAAK,GAAE,MAAW,GAAG,OAAO,EAAE;IAM9C,uCAAuC;IACvC,gBAAgB,IAAI;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;IAsB3F,qCAAqC;IACrC,QAAQ,IAAI,WAAW;IAyFvB,mFAAmF;IACnF,oBAAoB,CAClB,KAAK,CAAC,EAAE,MAAM,GACb,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IA8BtF,gFAAgF;IAChF,cAAc,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,EAAE;IA+B/C,uDAAuD;IACvD,kBAAkB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,EAAE;IAcnD,yCAAyC;IACzC,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAgBhF,iFAAiF;IACjF,yBAAyB,IAAI,MAAM;IA0CnC,yCAAyC;IACzC,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAW5C,sEAAsE;IACtE,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,eAAe,EAAE;IA2BnE,qFAAqF;IACrF,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI;IAiBlE,kDAAkD;IAClD,iBAAiB,IAAI,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;IAaxF;;;OAGG;IACH,iBAAiB,CAAC,UAAU,GAAE,MAAU,EAAE,UAAU,GAAE,MAAW,GAAG,mBAAmB,EAAE;IAqBzF,uEAAuE;IACvE,sBAAsB,IAAI,MAAM;IAmBhC,iCAAiC;IACjC,KAAK,IAAI,IAAI;CAGd"}

package/dist/database.js CHANGED Viewed

@@ -39,6 +39,10 @@ export class ThreatCloudDB {
         rule_content TEXT NOT NULL,
         published_at TEXT NOT NULL,
         source TEXT NOT NULL,
+        category TEXT,
+        severity TEXT,
+        mitre_techniques TEXT,
+        tags TEXT,
         created_at TEXT NOT NULL DEFAULT (datetime('now')),
         updated_at TEXT NOT NULL DEFAULT (datetime('now'))
       );
@@ -104,6 +108,15 @@ export class ThreatCloudDB {
         last_reported TEXT DEFAULT (datetime('now'))
       );
+      -- Migration: add classification columns to existing rules table
+      -- SQLite allows ADD COLUMN on existing tables; IF NOT EXISTS not supported,
+      -- so we catch errors for already-existing columns in migrate().
+    `);
+        this.migrate();
+        this.db.exec(`
+      CREATE INDEX IF NOT EXISTS idx_rules_category ON rules(category);
+      CREATE INDEX IF NOT EXISTS idx_rules_severity ON rules(severity);
+      CREATE INDEX IF NOT EXISTS idx_rules_source ON rules(source);
       CREATE INDEX IF NOT EXISTS idx_atr_proposals_status ON atr_proposals(status);
       CREATE INDEX IF NOT EXISTS idx_atr_proposals_pattern ON atr_proposals(pattern_hash);
       CREATE INDEX IF NOT EXISTS idx_skill_threats_hash ON skill_threats(skill_hash);
@@ -114,6 +127,21 @@ export class ThreatCloudDB {
       CREATE INDEX IF NOT EXISTS idx_skill_whitelist_name ON skill_whitelist(normalized_name);
     `);
     }
+    /** Run schema migrations for existing databases / 執行既有資料庫的 schema 遷移 */
+    migrate() {
+        const addColumn = (table, column, type) => {
+            try {
+                this.db.exec(`ALTER TABLE ${table} ADD COLUMN ${column} ${type}`);
+            }
+            catch {
+                // Column already exists — safe to ignore
+            }
+        };
+        addColumn('rules', 'category', 'TEXT');
+        addColumn('rules', 'severity', 'TEXT');
+        addColumn('rules', 'mitre_techniques', 'TEXT');
+        addColumn('rules', 'tags', 'TEXT');
+    }
     /** Insert anonymized threat data / 插入匿名化威脅數據 */
     insertThreat(data) {
         const stmt = this.db.prepare(`
@@ -122,38 +150,219 @@ export class ThreatCloudDB {
     `);
         stmt.run(data.attackSourceIP, data.attackType, data.mitreTechnique, data.sigmaRuleMatched, data.timestamp, data.industry ?? null, data.region);
     }
+    /** Get paginated threat events (admin) / 取得分頁威脅事件 */
+    getThreats(limit = 50, offset = 0) {
+        return this.db
+            .prepare('SELECT * FROM threats ORDER BY timestamp DESC LIMIT ? OFFSET ?')
+            .all(limit, offset);
+    }
+    /** Get total threat count / 取得威脅總數 */
+    getThreatCount() {
+        return this.db.prepare('SELECT COUNT(*) as count FROM threats').get().count;
+    }
+    /** Extract classification metadata from rule content / 從規則內容提取分類元資料 */
+    extractMetadata(ruleContent, source) {
+        let category = 'unknown';
+        let severity = 'medium';
+        let mitreTechniques = '';
+        let tags = '';
+        try {
+            if (source === 'yara') {
+                // YARA rules: extract from meta section
+                const metaMatch = ruleContent.match(/meta\s*:\s*([\s\S]*?)(?:strings|condition)\s*:/);
+                if (metaMatch) {
+                    const meta = metaMatch[1];
+                    const catMatch = meta.match(/category\s*=\s*"([^"]+)"/);
+                    if (catMatch)
+                        category = catMatch[1].toLowerCase();
+                    const sevMatch = meta.match(/severity\s*=\s*"([^"]+)"/);
+                    if (sevMatch)
+                        severity = sevMatch[1].toLowerCase();
+                    const mitreMatch = meta.match(/mitre_att(?:ack|&ck)\s*=\s*"([^"]+)"/i);
+                    if (mitreMatch)
+                        mitreTechniques = mitreMatch[1];
+                }
+                // Fallback: infer category from rule content keywords
+                if (category === 'unknown') {
+                    if (/malware|trojan|ransom|backdoor|rat_|infostealer/i.test(ruleContent))
+                        category = 'malware';
+                    else if (/exploit|cve-/i.test(ruleContent))
+                        category = 'exploit';
+                    else if (/hack_?tool|offensive|cobalt/i.test(ruleContent))
+                        category = 'hacktool';
+                    else if (/webshell/i.test(ruleContent))
+                        category = 'webshell';
+                    else if (/packer|obfusc|crypter/i.test(ruleContent))
+                        category = 'packer';
+                }
+            }
+            else {
+                // Sigma / ATR: YAML-based extraction
+                // Extract level/severity
+                const sevMatch = ruleContent.match(/(?:^|\n)\s*(?:level|severity)\s*:\s*(\w+)/);
+                if (sevMatch)
+                    severity = sevMatch[1].toLowerCase();
+                // Extract tags list
+                const tagMatch = ruleContent.match(/(?:^|\n)\s*tags\s*:\s*\n((?:\s+-\s*.+\n?)+)/);
+                if (tagMatch) {
+                    const tagLines = tagMatch[1].match(/-\s*(.+)/g) ?? [];
+                    const tagList = tagLines.map((t) => t.replace(/^-\s*/, '').trim());
+                    tags = tagList.join(',');
+                    // Derive MITRE techniques from tags (attack.tXXXX)
+                    const mitreTags = tagList.filter((t) => /^attack\.t\d+/i.test(t));
+                    if (mitreTags.length > 0) {
+                        mitreTechniques = mitreTags
+                            .map((t) => t.replace(/^attack\./i, '').toUpperCase())
+                            .join(',');
+                    }
+                    // Derive category from MITRE ATT&CK tactic tags
+                    const attackTags = tagList.filter((t) => t.startsWith('attack.'));
+                    for (const tag of attackTags) {
+                        if (/initial.access/i.test(tag)) {
+                            category = 'initial-access';
+                            break;
+                        }
+                        if (/execution/i.test(tag)) {
+                            category = 'execution';
+                            break;
+                        }
+                        if (/persistence/i.test(tag)) {
+                            category = 'persistence';
+                            break;
+                        }
+                        if (/privilege.escalation/i.test(tag)) {
+                            category = 'privilege-escalation';
+                            break;
+                        }
+                        if (/defense.evasion/i.test(tag)) {
+                            category = 'defense-evasion';
+                            break;
+                        }
+                        if (/credential.access/i.test(tag)) {
+                            category = 'credential-access';
+                            break;
+                        }
+                        if (/discovery/i.test(tag)) {
+                            category = 'discovery';
+                            break;
+                        }
+                        if (/lateral.movement/i.test(tag)) {
+                            category = 'lateral-movement';
+                            break;
+                        }
+                        if (/collection/i.test(tag)) {
+                            category = 'collection';
+                            break;
+                        }
+                        if (/exfiltration/i.test(tag)) {
+                            category = 'exfiltration';
+                            break;
+                        }
+                        if (/command.and.control|c2/i.test(tag)) {
+                            category = 'command-and-control';
+                            break;
+                        }
+                        if (/impact/i.test(tag)) {
+                            category = 'impact';
+                            break;
+                        }
+                        if (/resource.development/i.test(tag)) {
+                            category = 'resource-development';
+                            break;
+                        }
+                        if (/reconnaissance/i.test(tag)) {
+                            category = 'reconnaissance';
+                            break;
+                        }
+                    }
+                }
+                // Fallback: infer from logsource (Sigma)
+                if (category === 'unknown') {
+                    const lsCatMatch = ruleContent.match(/(?:^|\n)\s*logsource\s*:\s*\n(?:\s+\w+\s*:.+\n)*?\s+category\s*:\s*(\S+)/);
+                    if (lsCatMatch) {
+                        category = lsCatMatch[1].toLowerCase();
+                    }
+                    else {
+                        const lsProdMatch = ruleContent.match(/(?:^|\n)\s*logsource\s*:\s*\n(?:\s+\w+\s*:.+\n)*?\s+product\s*:\s*(\S+)/);
+                        if (lsProdMatch)
+                            category = lsProdMatch[1].toLowerCase();
+                    }
+                }
+            }
+        }
+        catch {
+            // Extraction failed — keep defaults
+        }
+        // Normalize category to lowercase
+        category = category.toLowerCase();
+        severity = severity.toLowerCase();
+        return { category, severity, mitreTechniques, tags };
+    }
     /** Insert or update a community rule / 插入或更新社群規則 */
     upsertRule(rule) {
+        // Extract classification from content if not provided
+        const meta = this.extractMetadata(rule.ruleContent, rule.source);
+        const category = rule.category ?? meta.category;
+        const severity = rule.severity ?? meta.severity;
+        const mitreTechniques = rule.mitreTechniques ?? meta.mitreTechniques;
+        const tags = rule.tags ?? meta.tags;
         const stmt = this.db.prepare(`
-      INSERT INTO rules (rule_id, rule_content, published_at, source)
-      VALUES (?, ?, ?, ?)
+      INSERT INTO rules (rule_id, rule_content, published_at, source, category, severity, mitre_techniques, tags)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
       ON CONFLICT(rule_id) DO UPDATE SET
         rule_content = excluded.rule_content,
         published_at = excluded.published_at,
         source = excluded.source,
+        category = excluded.category,
+        severity = excluded.severity,
+        mitre_techniques = excluded.mitre_techniques,
+        tags = excluded.tags,
         updated_at = datetime('now')
     `);
-        stmt.run(rule.ruleId, rule.ruleContent, rule.publishedAt, rule.source);
+        stmt.run(rule.ruleId, rule.ruleContent, rule.publishedAt, rule.source, category, severity, mitreTechniques, tags);
     }
     /** Fetch rules published after a given timestamp / 取得指定時間後發佈的規則 */
-    getRulesSince(since) {
-        const stmt = this.db.prepare(`
-      SELECT rule_id as ruleId, rule_content as ruleContent, published_at as publishedAt, source
-      FROM rules
-      WHERE published_at > ?
-      ORDER BY published_at ASC
-    `);
-        return stmt.all(since);
+    getRulesSince(since, filters) {
+        let sql = `SELECT rule_id as ruleId, rule_content as ruleContent, published_at as publishedAt, source,
+      category, severity, mitre_techniques as mitreTechniques, tags
+      FROM rules WHERE published_at > ?`;
+        const params = [since];
+        if (filters?.category) {
+            sql += ' AND category = ?';
+            params.push(filters.category);
+        }
+        if (filters?.severity) {
+            sql += ' AND severity = ?';
+            params.push(filters.severity);
+        }
+        if (filters?.source) {
+            sql += ' AND source = ?';
+            params.push(filters.source);
+        }
+        sql += ' ORDER BY published_at ASC';
+        return this.db.prepare(sql).all(...params);
     }
     /** Fetch all rules with limit / 取得所有規則（含限制） */
-    getAllRules(limit = 5000) {
-        const stmt = this.db.prepare(`
-      SELECT rule_id as ruleId, rule_content as ruleContent, published_at as publishedAt, source
-      FROM rules
-      ORDER BY published_at DESC
-      LIMIT ?
-    `);
-        return stmt.all(limit);
+    getAllRules(limit = 5000, filters) {
+        let sql = `SELECT rule_id as ruleId, rule_content as ruleContent, published_at as publishedAt, source,
+      category, severity, mitre_techniques as mitreTechniques, tags
+      FROM rules WHERE 1=1`;
+        const params = [];
+        if (filters?.category) {
+            sql += ' AND category = ?';
+            params.push(filters.category);
+        }
+        if (filters?.severity) {
+            sql += ' AND severity = ?';
+            params.push(filters.severity);
+        }
+        if (filters?.source) {
+            sql += ' AND source = ?';
+            params.push(filters.source);
+        }
+        sql += ' ORDER BY published_at DESC LIMIT ?';
+        params.push(limit);
+        return this.db.prepare(sql).all(...params);
     }
     /** Insert ATR rule proposal / 插入 ATR 規則提案 */
     insertATRProposal(proposal) {
@@ -166,36 +375,48 @@ export class ThreatCloudDB {
     /** Get ATR proposals, optionally filtered by status / 取得 ATR 提案 */
     getATRProposals(status) {
         if (status) {
-            return this.db.prepare('SELECT * FROM atr_proposals WHERE status = ? ORDER BY created_at DESC').all(status);
+            return this.db
+                .prepare('SELECT * FROM atr_proposals WHERE status = ? ORDER BY created_at DESC')
+                .all(status);
         }
         return this.db.prepare('SELECT * FROM atr_proposals ORDER BY created_at DESC').all();
     }
     /** Increment confirmations for a proposal; auto-confirm at >= 3 / 增加提案確認數 */
     confirmATRProposal(patternHash) {
-        this.db.prepare(`
+        this.db
+            .prepare(`
       UPDATE atr_proposals
       SET confirmations = confirmations + 1,
           status = CASE WHEN confirmations + 1 >= 3 THEN 'confirmed' ELSE status END,
           updated_at = datetime('now')
       WHERE pattern_hash = ?
-    `).run(patternHash);
+    `)
+            .run(patternHash);
     }
     /** Update LLM review verdict for a proposal / 更新 LLM 審查結果 */
     updateATRProposalLLMReview(patternHash, verdict) {
-        this.db.prepare(`
+        this.db
+            .prepare(`
       UPDATE atr_proposals SET llm_review_verdict = ?, updated_at = datetime('now') WHERE pattern_hash = ?
-    `).run(verdict, patternHash);
+    `)
+            .run(verdict, patternHash);
     }
     /** Insert ATR feedback / 插入 ATR 回饋 */
     insertATRFeedback(ruleId, isTruePositive, clientId) {
-        this.db.prepare(`
+        this.db
+            .prepare(`
       INSERT INTO atr_feedback (rule_id, is_true_positive, client_id) VALUES (?, ?, ?)
-    `).run(ruleId, isTruePositive ? 1 : 0, clientId ?? null);
+    `)
+            .run(ruleId, isTruePositive ? 1 : 0, clientId ?? null);
     }
     /** Get feedback stats for a rule / 取得規則回饋統計 */
     getATRFeedbackStats(ruleId) {
-        const tp = this.db.prepare('SELECT COUNT(*) as count FROM atr_feedback WHERE rule_id = ? AND is_true_positive = 1').get(ruleId).count;
-        const fp = this.db.prepare('SELECT COUNT(*) as count FROM atr_feedback WHERE rule_id = ? AND is_true_positive = 0').get(ruleId).count;
+        const tp = this.db
+            .prepare('SELECT COUNT(*) as count FROM atr_feedback WHERE rule_id = ? AND is_true_positive = 1')
+            .get(ruleId).count;
+        const fp = this.db
+            .prepare('SELECT COUNT(*) as count FROM atr_feedback WHERE rule_id = ? AND is_true_positive = 0')
+            .get(ruleId).count;
         return { truePositives: tp, falsePositives: fp };
     }
     /** Insert skill threat submission / 插入技能威脅提交 */
@@ -208,13 +429,21 @@ export class ThreatCloudDB {
     }
     /** Get recent skill threats / 取得最近技能威脅 */
     getSkillThreats(limit = 50) {
-        return this.db.prepare('SELECT * FROM skill_threats ORDER BY created_at DESC LIMIT ?').all(limit);
+        return this.db
+            .prepare('SELECT * FROM skill_threats ORDER BY created_at DESC LIMIT ?')
+            .all(limit);
     }
     /** Get proposal statistics / 取得提案統計 */
     getProposalStats() {
-        const pending = this.db.prepare("SELECT COUNT(*) as count FROM atr_proposals WHERE status = 'pending'").get().count;
-        const confirmed = this.db.prepare("SELECT COUNT(*) as count FROM atr_proposals WHERE status = 'confirmed'").get().count;
-        const rejected = this.db.prepare("SELECT COUNT(*) as count FROM atr_proposals WHERE status = 'rejected'").get().count;
+        const pending = this.db
+            .prepare("SELECT COUNT(*) as count FROM atr_proposals WHERE status = 'pending'")
+            .get().count;
+        const confirmed = this.db
+            .prepare("SELECT COUNT(*) as count FROM atr_proposals WHERE status = 'confirmed'")
+            .get().count;
+        const rejected = this.db
+            .prepare("SELECT COUNT(*) as count FROM atr_proposals WHERE status = 'rejected'")
+            .get().count;
         const total = this.db.prepare('SELECT COUNT(*) as count FROM atr_proposals').get().count;
         return { pending, confirmed, rejected, total };
     }
@@ -222,23 +451,48 @@ export class ThreatCloudDB {
     getStats() {
         const totalThreats = this.db.prepare('SELECT COUNT(*) as count FROM threats').get().count;
         const totalRules = this.db.prepare('SELECT COUNT(*) as count FROM rules').get().count;
-        const last24h = this.db.prepare("SELECT COUNT(*) as count FROM threats WHERE received_at > datetime('now', '-1 day')").get().count;
-        const topAttackTypes = this.db.prepare(`
+        const last24h = this.db
+            .prepare("SELECT COUNT(*) as count FROM threats WHERE received_at > datetime('now', '-1 day')")
+            .get().count;
+        const topAttackTypes = this.db
+            .prepare(`
       SELECT attack_type as type, COUNT(*) as count
       FROM threats
       GROUP BY attack_type
       ORDER BY count DESC
       LIMIT 10
-    `).all();
-        const topMitreTechniques = this.db.prepare(`
+    `)
+            .all();
+        const topMitreTechniques = this.db
+            .prepare(`
       SELECT mitre_technique as technique, COUNT(*) as count
       FROM threats
       GROUP BY mitre_technique
       ORDER BY count DESC
       LIMIT 10
-    `).all();
+    `)
+            .all();
         const proposalStats = this.getProposalStats();
         const skillThreatsTotal = this.db.prepare('SELECT COUNT(*) as count FROM skill_threats').get().count;
+        const skillBlacklistTotal = this.getSkillBlacklist().length;
+        const rulesByCategory = this.db
+            .prepare(`
+      SELECT COALESCE(category, 'unknown') as category, COUNT(*) as count
+      FROM rules GROUP BY category ORDER BY count DESC LIMIT 20
+    `)
+            .all();
+        const rulesBySeverity = this.db
+            .prepare(`
+      SELECT COALESCE(severity, 'unknown') as severity, COUNT(*) as count
+      FROM rules GROUP BY severity ORDER BY count DESC
+    `)
+            .all();
+        const rulesBySource = this.db
+            .prepare(`
+      SELECT source, COUNT(*) as count
+      FROM rules GROUP BY source ORDER BY count DESC
+    `)
+            .all();
         return {
             totalThreats,
             totalRules,
@@ -247,40 +501,52 @@ export class ThreatCloudDB {
             last24hThreats: last24h,
             proposalStats,
             skillThreatsTotal,
+            skillBlacklistTotal,
+            rulesByCategory,
+            rulesBySeverity,
+            rulesBySource,
         };
     }
     /** Get confirmed/promoted ATR rules, optionally filtered by date / 取得已確認 ATR 規則 */
     getConfirmedATRRules(since) {
         if (since) {
-            return this.db.prepare(`
+            return this.db
+                .prepare(`
         SELECT pattern_hash as ruleId, rule_content as ruleContent, updated_at as publishedAt, 'atr-community' as source
         FROM atr_proposals
         WHERE (status = 'confirmed' OR status = 'promoted') AND updated_at > ?
         ORDER BY updated_at ASC
-      `).all(since);
+      `)
+                .all(since);
         }
-        return this.db.prepare(`
+        return this.db
+            .prepare(`
       SELECT pattern_hash as ruleId, rule_content as ruleContent, updated_at as publishedAt, 'atr-community' as source
       FROM atr_proposals
       WHERE status = 'confirmed' OR status = 'promoted'
       ORDER BY updated_at ASC
-    `).all();
+    `)
+            .all();
     }
     /** Get IP blocklist from IoC entries and aggregated threat data / 取得 IP 封鎖清單 */
     getIPBlocklist(minReputation) {
         // IoC entries with sufficient reputation
-        const iocIPs = this.db.prepare(`
+        const iocIPs = this.db
+            .prepare(`
       SELECT value FROM ioc_entries
       WHERE type = 'ip' AND reputation >= ?
       ORDER BY reputation DESC
-    `).all(minReputation);
+    `)
+            .all(minReputation);
         // Aggregate from threats table: distinct IPs with >= 3 occurrences
-        const threatIPs = this.db.prepare(`
+        const threatIPs = this.db
+            .prepare(`
       SELECT attack_source_ip as value
       FROM threats
       GROUP BY attack_source_ip
       HAVING COUNT(*) >= 3
-    `).all();
+    `)
+            .all();
         // Merge and deduplicate
         const ipSet = new Set();
         for (const row of iocIPs)
@@ -291,16 +557,19 @@ export class ThreatCloudDB {
     }
     /** Get domain blocklist from IoC entries / 取得域名封鎖清單 */
     getDomainBlocklist(minReputation) {
-        const iocDomains = this.db.prepare(`
+        const iocDomains = this.db
+            .prepare(`
       SELECT value FROM ioc_entries
       WHERE type = 'domain' AND reputation >= ?
       ORDER BY reputation DESC
-    `).all(minReputation);
+    `)
+            .all(minReputation);
         return iocDomains.map((row) => row.value);
     }
     /** Upsert an IoC entry / 插入或更新 IoC 條目 */
     upsertIoC(type, value, reputation, source) {
-        this.db.prepare(`
+        this.db
+            .prepare(`
       INSERT INTO ioc_entries (type, value, reputation, source)
       VALUES (?, ?, ?, ?)
       ON CONFLICT(value) DO UPDATE SET
@@ -308,15 +577,18 @@ export class ThreatCloudDB {
         source = excluded.source,
         last_seen = datetime('now'),
         sighting_count = sighting_count + 1
-    `).run(type, value, reputation, source);
+    `)
+            .run(type, value, reputation, source);
     }
     /** Promote confirmed proposals with approved LLM review to rules / 推廣已確認提案為規則 */
     promoteConfirmedProposals() {
-        const proposals = this.db.prepare(`
+        const proposals = this.db
+            .prepare(`
       SELECT pattern_hash, rule_content, llm_review_verdict
       FROM atr_proposals
       WHERE status = 'confirmed' AND llm_review_verdict IS NOT NULL
-    `).all();
+    `)
+            .all();
         let promoted = 0;
         for (const proposal of proposals) {
             try {
@@ -329,10 +601,12 @@ export class ThreatCloudDB {
                     publishedAt: new Date().toISOString(),
                     source: 'atr-community',
                 });
-                this.db.prepare(`
+                this.db
+                    .prepare(`
           UPDATE atr_proposals SET status = 'promoted', updated_at = datetime('now')
           WHERE pattern_hash = ?
-        `).run(proposal.pattern_hash);
+        `)
+                    .run(proposal.pattern_hash);
                 promoted++;
             }
             catch {
@@ -343,32 +617,41 @@ export class ThreatCloudDB {
     }
     /** Reject an ATR proposal / 拒絕 ATR 提案 */
     rejectATRProposal(patternHash) {
-        this.db.prepare(`
+        this.db
+            .prepare(`
       UPDATE atr_proposals SET status = 'rejected', updated_at = datetime('now')
       WHERE pattern_hash = ?
-    `).run(patternHash);
+    `)
+            .run(patternHash);
     }
     /** Get rules by source type, optionally filtered by date / 依來源取得規則 */
     getRulesBySource(source, since) {
         if (since) {
-            return this.db.prepare(`
-        SELECT rule_id as ruleId, rule_content as ruleContent, published_at as publishedAt, source
+            return this.db
+                .prepare(`
+        SELECT rule_id as ruleId, rule_content as ruleContent, published_at as publishedAt, source,
+          category, severity, mitre_techniques as mitreTechniques, tags
         FROM rules
         WHERE source = ? AND published_at > ?
         ORDER BY published_at ASC
-      `).all(source, since);
+      `)
+                .all(source, since);
         }
-        return this.db.prepare(`
-      SELECT rule_id as ruleId, rule_content as ruleContent, published_at as publishedAt, source
+        return this.db
+            .prepare(`
+      SELECT rule_id as ruleId, rule_content as ruleContent, published_at as publishedAt, source,
+        category, severity, mitre_techniques as mitreTechniques, tags
       FROM rules
       WHERE source = ?
       ORDER BY published_at ASC
-    `).all(source);
+    `)
+            .all(source);
     }
     /** Report a safe skill (increment confirmations, auto-confirm at 3+) / 回報安全 skill */
     reportSafeSkill(skillName, fingerprintHash) {
         const normalized = skillName.toLowerCase().trim().replace(/\s+/g, '-');
-        this.db.prepare(`
+        this.db
+            .prepare(`
       INSERT INTO skill_whitelist (skill_name, normalized_name, fingerprint_hash)
       VALUES (?, ?, ?)
       ON CONFLICT(normalized_name) DO UPDATE SET
@@ -376,16 +659,58 @@ export class ThreatCloudDB {
         status = CASE WHEN confirmations + 1 >= 3 THEN 'confirmed' ELSE status END,
         fingerprint_hash = COALESCE(excluded.fingerprint_hash, fingerprint_hash),
         last_reported = datetime('now')
-    `).run(skillName, normalized, fingerprintHash ?? null);
+    `)
+            .run(skillName, normalized, fingerprintHash ?? null);
     }
     /** Get confirmed community whitelist / 取得社群白名單 */
     getSkillWhitelist() {
-        return this.db.prepare(`
+        return this.db
+            .prepare(`
       SELECT skill_name as name, fingerprint_hash as hash, confirmations
       FROM skill_whitelist
       WHERE status = 'confirmed'
       ORDER BY confirmations DESC
-    `).all();
+    `)
+            .all();
+    }
+    /**
+     * Get skill blacklist: skills reported by 3+ distinct clients with avg risk >= 70
+     * 取得技能黑名單：3+ 不同客戶端回報且平均風險 >= 70 的技能
+     */
+    getSkillBlacklist(minReports = 3, minAvgRisk = 70) {
+        return this.db
+            .prepare(`
+      SELECT
+        skill_hash as skillHash,
+        skill_name as skillName,
+        ROUND(AVG(risk_score)) as avgRiskScore,
+        MAX(risk_level) as maxRiskLevel,
+        COUNT(DISTINCT COALESCE(client_id, 'anonymous')) as reportCount,
+        MIN(created_at) as firstReported,
+        MAX(created_at) as lastReported
+      FROM skill_threats
+      GROUP BY skill_hash
+      HAVING reportCount >= ? AND AVG(risk_score) >= ?
+      ORDER BY avgRiskScore DESC
+    `)
+            .all(minReports, minAvgRisk);
+    }
+    /** Backfill classification for rules with NULL category / 回填缺少分類的規則 */
+    backfillClassification() {
+        const unclassified = this.db
+            .prepare(`SELECT rule_id, rule_content, source FROM rules WHERE category IS NULL`)
+            .all();
+        let updated = 0;
+        const stmt = this.db.prepare(`
+      UPDATE rules SET category = ?, severity = ?, mitre_techniques = ?, tags = ?, updated_at = datetime('now')
+      WHERE rule_id = ?
+    `);
+        for (const row of unclassified) {
+            const meta = this.extractMetadata(row.rule_content, row.source);
+            stmt.run(meta.category, meta.severity, meta.mitreTechniques, meta.tags, row.rule_id);
+            updated++;
+        }
+        return updated;
     }
     /** Close the database / 關閉資料庫 */
     close() {