@vulcn/plugin-report 0.4.0 → 0.5.0

package/dist/index.js

@@ -3,6 +3,262 @@ import { z } from "zod";
 import { writeFile, mkdir } from "fs/promises";
 import { resolve } from "path";
 
+// src/report-model.ts
+var CWE_MAP = {
+  xss: {
+    id: 79,
+    name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+  },
+  sqli: {
+    id: 89,
+    name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+  },
+  ssrf: { id: 918, name: "Server-Side Request Forgery (SSRF)" },
+  xxe: {
+    id: 611,
+    name: "Improper Restriction of XML External Entity Reference"
+  },
+  "command-injection": {
+    id: 78,
+    name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+  },
+  "path-traversal": {
+    id: 22,
+    name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+  },
+  "open-redirect": {
+    id: 601,
+    name: "URL Redirection to Untrusted Site ('Open Redirect')"
+  },
+  reflection: {
+    id: 200,
+    name: "Exposure of Sensitive Information to an Unauthorized Actor"
+  },
+  "security-misconfiguration": {
+    id: 16,
+    name: "Configuration"
+  },
+  "information-disclosure": {
+    id: 200,
+    name: "Exposure of Sensitive Information to an Unauthorized Actor"
+  },
+  custom: { id: 20, name: "Improper Input Validation" }
+};
+var SEVERITY_WEIGHTS = {
+  critical: 10,
+  high: 7,
+  medium: 4,
+  low: 1,
+  info: 0
+};
+var SECURITY_SEVERITY = {
+  critical: "9.0",
+  high: "7.0",
+  medium: "4.0",
+  low: "2.0",
+  info: "0.0"
+};
+var PASSIVE_CATEGORIES = [
+  {
+    id: "security-headers",
+    label: "Security Headers",
+    icon: "\u{1F512}",
+    color: "#42a5f5",
+    remedy: "Add the recommended security headers to your server configuration. Most web servers and frameworks support these via middleware.",
+    checks: [
+      "Strict-Transport-Security (HSTS)",
+      "Content-Security-Policy (CSP)",
+      "X-Content-Type-Options",
+      "X-Frame-Options",
+      "Referrer-Policy",
+      "Permissions-Policy"
+    ]
+  },
+  {
+    id: "cookie-security",
+    label: "Cookie Security",
+    icon: "\u{1F36A}",
+    color: "#ffab40",
+    remedy: "Set the Secure, HttpOnly, and SameSite attributes on all session cookies. Configure your framework's session middleware accordingly.",
+    checks: ["Secure flag", "HttpOnly flag", "SameSite attribute"]
+  },
+  {
+    id: "information-disclosure",
+    label: "Information Disclosure",
+    icon: "\u{1F50D}",
+    color: "#66bb6a",
+    remedy: "Remove or obfuscate server version headers (Server, X-Powered-By). Disable debug mode in production environments.",
+    checks: ["Server version", "X-Powered-By", "Debug tokens"]
+  },
+  {
+    id: "cors",
+    label: "CORS Configuration",
+    icon: "\u{1F310}",
+    color: "#ce93d8",
+    remedy: "Replace wildcard origins with specific trusted domains. Never combine Access-Control-Allow-Credentials with wildcard origins.",
+    checks: ["Wildcard origin", "Credentials with wildcard"]
+  },
+  {
+    id: "mixed-content",
+    label: "Mixed Content",
+    icon: "\u26A0\uFE0F",
+    color: "#ff8a65",
+    remedy: "Replace all HTTP resource URLs with HTTPS. Use Content-Security-Policy: upgrade-insecure-requests as a fallback.",
+    checks: ["HTTP resources on HTTPS"]
+  }
+];
+function toRuleId(type) {
+  return `VULCN-${type.toUpperCase().replace(/[^A-Z0-9]+/g, "-")}`;
+}
+function fingerprint(f) {
+  return `${f.type}:${f.stepId}:${f.payload.slice(0, 50)}`;
+}
+function detectMethod(f) {
+  return f.metadata?.detectionMethod === "passive" ? "passive" : "active";
+}
+function passiveCat(f) {
+  const method = detectMethod(f);
+  if (method !== "passive") return void 0;
+  return f.metadata?.category || "other";
+}
+function enrichFinding(f) {
+  const cwe = CWE_MAP[f.type] || CWE_MAP.custom;
+  const sev = f.severity;
+  return {
+    // Original fields
+    type: f.type,
+    severity: sev,
+    title: f.title,
+    description: f.description,
+    stepId: f.stepId,
+    payload: f.payload,
+    url: f.url,
+    evidence: f.evidence,
+    metadata: f.metadata,
+    // Enriched
+    ruleId: toRuleId(f.type),
+    cwe,
+    securitySeverity: SECURITY_SEVERITY[sev] || "4.0",
+    fingerprint: fingerprint(f),
+    detectionMethod: detectMethod(f),
+    passiveCategory: passiveCat(f)
+  };
+}
+function buildRules(enriched) {
+  const seen = /* @__PURE__ */ new Map();
+  for (const f of enriched) {
+    if (!seen.has(f.type)) seen.set(f.type, f);
+  }
+  return Array.from(seen.entries()).map(([type, sample]) => ({
+    id: toRuleId(type),
+    type,
+    cwe: sample.cwe,
+    severity: sample.severity,
+    securitySeverity: sample.securitySeverity,
+    description: `Vulcn detected a potential ${type} vulnerability. ${sample.cwe.name}.`
+  }));
+}
+function countSeverities(findings) {
+  const counts = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    info: 0
+  };
+  for (const f of findings) {
+    counts[f.severity] = (counts[f.severity] || 0) + 1;
+  }
+  return counts;
+}
+function assessRisk(counts, total) {
+  const score = counts.critical * SEVERITY_WEIGHTS.critical + counts.high * SEVERITY_WEIGHTS.high + counts.medium * SEVERITY_WEIGHTS.medium + counts.low * SEVERITY_WEIGHTS.low;
+  const maxRisk = total * SEVERITY_WEIGHTS.critical || 1;
+  const percent = Math.min(100, Math.round(score / maxRisk * 100));
+  const label = percent >= 80 ? "Critical" : percent >= 50 ? "High" : percent >= 25 ? "Medium" : percent > 0 ? "Low" : "Clear";
+  return { score, percent, label };
+}
+function buildPassiveAnalysis(passiveFindings) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const f of passiveFindings) {
+    const cat = f.passiveCategory || "other";
+    if (!grouped.has(cat)) grouped.set(cat, []);
+    grouped.get(cat).push(f);
+  }
+  const categories = PASSIVE_CATEGORIES.map((def) => {
+    const findings = grouped.get(def.id) || [];
+    const issueCount = findings.length;
+    const totalChecks = def.checks.length;
+    const passedChecks = Math.max(0, totalChecks - issueCount);
+    const status = issueCount === 0 ? "pass" : issueCount >= 3 ? "fail" : "warn";
+    return {
+      definition: def,
+      findings,
+      issueCount,
+      passedChecks,
+      totalChecks,
+      status
+    };
+  });
+  return {
+    totalIssues: passiveFindings.length,
+    categories
+  };
+}
+function buildReport(session, result, generatedAt, engineVersion) {
+  const severityOrder = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4
+  };
+  const sortedFindings = [...result.findings].sort(
+    (a, b) => (severityOrder[a.severity] ?? 5) - (severityOrder[b.severity] ?? 5)
+  );
+  const findings = sortedFindings.map(enrichFinding);
+  const activeFindings = findings.filter((f) => f.detectionMethod === "active");
+  const passiveFindings = findings.filter(
+    (f) => f.detectionMethod === "passive"
+  );
+  const counts = countSeverities(findings);
+  const risk = assessRisk(counts, findings.length);
+  const rules = buildRules(findings);
+  return {
+    reportVersion: "2.0",
+    engineVersion,
+    generatedAt,
+    session: {
+      name: session.name,
+      driver: session.driver,
+      driverConfig: session.driverConfig,
+      stepsCount: session.steps.length,
+      metadata: session.metadata
+    },
+    stats: {
+      stepsExecuted: result.stepsExecuted,
+      payloadsTested: result.payloadsTested,
+      durationMs: result.duration,
+      errors: result.errors
+    },
+    summary: {
+      totalFindings: findings.length,
+      severityCounts: counts,
+      risk,
+      vulnerabilityTypes: [...new Set(findings.map((f) => f.type))],
+      affectedUrls: [...new Set(findings.map((f) => f.url))]
+    },
+    rules,
+    findings,
+    activeFindings,
+    passiveAnalysis: buildPassiveAnalysis(passiveFindings)
+  };
+}
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  return `${(ms / 1e3).toFixed(1)}s`;
+}
+
 // src/html.ts
 var COLORS = {
   bg: "#0a0a0f",
@@ -39,30 +295,9 @@ function severityColor(severity) {
       return COLORS.textMuted;
   }
 }
-function severityOrder(severity) {
-  switch (severity) {
-    case "critical":
-      return 0;
-    case "high":
-      return 1;
-    case "medium":
-      return 2;
-    case "low":
-      return 3;
-    case "info":
-      return 4;
-    default:
-      return 5;
-  }
-}
 function escapeHtml(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
 }
-function formatDuration(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  const seconds = (ms / 1e3).toFixed(1);
-  return `${seconds}s`;
-}
 function formatDate(iso) {
   const d = new Date(iso);
   return d.toLocaleDateString("en-US", {
@@ -89,31 +324,95 @@ var VULCN_LOGO_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20
   <path fill="#dc2626" d="m 13.0058,9.89 c -0.164,1.484 -0.749,2.568 -1.659,3.353 -0.418,0.36 -0.465,0.992 -0.104,1.41 0.36,0.418 0.992,0.465 1.41,0.104 1.266,-1.092 2.112,-2.583 2.341,-4.647 0.061,-0.548 -0.335,-1.043 -0.884,-1.104 -0.548,-0.061 -1.043,0.335 -1.104,0.884 z"/>
   <path fill="url(#lg2)" d="m 14.0058,8.89 c -0.164,1.484 -0.749,2.568 -1.659,3.353 -0.418,0.36 -0.465,0.992 -0.104,1.41 0.36,0.418 0.992,0.465 1.41,0.104 1.266,-1.092 2.112,-2.583 2.341,-4.647 0.061,-0.548 -0.335,-1.043 -0.884,-1.104 -0.548,-0.061 -1.043,0.335 -1.104,0.884 z"/>
 </svg>`;
-function generateHtml(data) {
-  const { session, result, generatedAt, engineVersion } = data;
-  const findings = [...result.findings].sort(
-    (a, b) => severityOrder(a.severity) - severityOrder(b.severity)
-  );
-  const counts = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    info: 0
-  };
-  for (const f of findings) {
-    counts[f.severity] = (counts[f.severity] || 0) + 1;
+function renderPassiveSection(analysis) {
+  if (analysis.totalIssues === 0) {
+    return `
+    <div class="passive-section animate-in-delay-3">
+      <div class="section-header">
+        <h3>\u{1F6E1}\uFE0F Passive Security Analysis</h3>
+        <span class="findings-count">All clear</span>
+      </div>
+      <div class="passive-clear">
+        <div class="icon">\u2705</div>
+        <h4>All Passive Checks Passed</h4>
+        <p>No security header, cookie, CORS, or information disclosure issues detected.</p>
+      </div>
+    </div>`;
   }
-  const totalFindings = findings.length;
+  const categoryCards = analysis.categories.map((cat) => {
+    const statusColor = cat.status === "pass" ? COLORS.success : cat.status === "fail" ? COLORS.high : COLORS.medium;
+    return `
+      <div class="passive-category-card">
+        <div class="passive-cat-header">
+          <div class="passive-cat-icon">${cat.definition.icon}</div>
+          <div class="passive-cat-info">
+            <div class="passive-cat-title">${cat.definition.label}</div>
+            <div class="passive-cat-count" style="color: ${statusColor}">
+              ${cat.issueCount === 0 ? "\u2713 All clear" : `${cat.issueCount} issue${cat.issueCount !== 1 ? "s" : ""}`}
+            </div>
+          </div>
+          <div class="passive-cat-badge" style="background: ${statusColor}20; color: ${statusColor}; border-color: ${statusColor}30">
+            ${cat.status.toUpperCase()}
+          </div>
+        </div>
+        ${cat.findings.length > 0 ? `
+        <div class="passive-cat-findings">
+          ${cat.findings.map(
+      (f) => `
+            <div class="passive-finding-row">
+              <div class="passive-finding-dot" style="background: ${severityColor(f.severity)}"></div>
+              <div class="passive-finding-content">
+                <div class="passive-finding-title">${escapeHtml(f.title)}</div>
+                <div class="passive-finding-desc">${escapeHtml(f.description)}</div>
+                ${f.evidence ? `<div class="passive-finding-evidence">${escapeHtml(f.evidence)}</div>` : ""}
+              </div>
+              <span class="passive-sev-tag" style="color: ${severityColor(f.severity)}">${f.severity.toUpperCase()}</span>
+            </div>
+          `
+    ).join("")}
+        </div>
+        <div class="passive-remedy">
+          <span class="passive-remedy-label">\u{1F4A1} Remediation</span>
+          <span>${cat.definition.remedy}</span>
+        </div>
+        ` : `
+        <div class="passive-checks-passed">
+          ${cat.definition.checks.map(
+      (check) => `
+            <div class="passive-check-item">
+              <span class="passive-check-icon">\u2713</span>
+              <span>${check}</span>
+            </div>
+          `
+    ).join("")}
+        </div>
+        `}
+      </div>`;
+  }).join("");
+  return `
+    <div class="passive-section animate-in-delay-3">
+      <div class="section-header">
+        <h3>\u{1F6E1}\uFE0F Passive Security Analysis</h3>
+        <span class="findings-count">${analysis.totalIssues} issue${analysis.totalIssues !== 1 ? "s" : ""}</span>
+      </div>
+      <div class="passive-grid">
+        ${categoryCards}
+      </div>
+    </div>`;
+}
+function generateHtml(report) {
+  const { summary, stats, session, passiveAnalysis, activeFindings, findings } = report;
+  const {
+    severityCounts: counts,
+    risk,
+    totalFindings,
+    affectedUrls,
+    vulnerabilityTypes: vulnTypes
+  } = summary;
+  const { stepsExecuted, payloadsTested, durationMs, errors } = stats;
   const hasFindings = totalFindings > 0;
-  const riskScore = counts.critical * 10 + counts.high * 7 + counts.medium * 4 + counts.low * 1;
-  const maxRisk = totalFindings * 10 || 1;
-  const riskPercent = Math.min(100, Math.round(riskScore / maxRisk * 100));
-  const riskLabel = riskPercent >= 80 ? "Critical" : riskPercent >= 50 ? "High" : riskPercent >= 25 ? "Medium" : riskPercent > 0 ? "Low" : "Clear";
-  const riskColor = riskPercent >= 80 ? COLORS.critical : riskPercent >= 50 ? COLORS.high : riskPercent >= 25 ? COLORS.medium : riskPercent > 0 ? COLORS.low : COLORS.success;
+  const riskColor = risk.percent >= 80 ? COLORS.critical : risk.percent >= 50 ? COLORS.high : risk.percent >= 25 ? COLORS.medium : risk.percent > 0 ? COLORS.low : COLORS.success;
   const donutSvg = generateDonut(counts, totalFindings);
-  const affectedUrls = [...new Set(findings.map((f) => f.url))];
-  const vulnTypes = [...new Set(findings.map((f) => f.type))];
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -605,6 +904,180 @@ function generateHtml(data) {
     .no-findings h3 { font-size: 20px; font-weight: 700; color: ${COLORS.success}; margin-bottom: 8px; }
     .no-findings p { font-size: 14px; color: var(--text-muted); }
 
+    /* \u2500\u2500 Passive Security Analysis \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .passive-section { margin-bottom: 32px; }
+
+    .section-header {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      margin-bottom: 16px;
+    }
+
+    .section-header h3 {
+      font-size: 18px;
+      font-weight: 700;
+      letter-spacing: -0.01em;
+    }
+
+    .passive-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(320px, 1fr));
+      gap: 12px;
+    }
+
+    .passive-category-card {
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+      overflow: hidden;
+      transition: border-color 0.2s;
+    }
+
+    .passive-category-card:hover { border-color: var(--border-active); }
+
+    .passive-cat-header {
+      display: flex;
+      align-items: center;
+      gap: 12px;
+      padding: 16px 20px;
+      border-bottom: 1px solid var(--border);
+    }
+
+    .passive-cat-icon {
+      font-size: 20px;
+      width: 36px;
+      height: 36px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background: rgba(255,255,255,0.03);
+      border-radius: var(--radius-xs);
+      flex-shrink: 0;
+    }
+
+    .passive-cat-info { flex: 1; min-width: 0; }
+
+    .passive-cat-title {
+      font-size: 14px;
+      font-weight: 600;
+      letter-spacing: -0.01em;
+    }
+
+    .passive-cat-count {
+      font-size: 12px;
+      font-weight: 500;
+    }
+
+    .passive-cat-badge {
+      font-size: 10px;
+      font-weight: 700;
+      letter-spacing: 0.05em;
+      padding: 3px 8px;
+      border-radius: 100px;
+      border: 1px solid;
+      flex-shrink: 0;
+    }
+
+    .passive-cat-findings {
+      padding: 12px 20px;
+    }
+
+    .passive-finding-row {
+      display: flex;
+      align-items: flex-start;
+      gap: 10px;
+      padding: 8px 0;
+      border-bottom: 1px solid rgba(255,255,255,0.03);
+    }
+
+    .passive-finding-row:last-child { border-bottom: none; }
+
+    .passive-finding-dot {
+      width: 6px;
+      height: 6px;
+      border-radius: 50%;
+      flex-shrink: 0;
+      margin-top: 7px;
+    }
+
+    .passive-finding-content { flex: 1; min-width: 0; }
+
+    .passive-finding-title {
+      font-size: 13px;
+      font-weight: 500;
+      margin-bottom: 2px;
+    }
+
+    .passive-finding-desc {
+      font-size: 12px;
+      color: var(--text-muted);
+      line-height: 1.4;
+    }
+
+    .passive-finding-evidence {
+      font-family: 'JetBrains Mono', monospace;
+      font-size: 11px;
+      color: var(--text-dim);
+      margin-top: 4px;
+      padding: 4px 8px;
+      background: rgba(255,255,255,0.02);
+      border-radius: 4px;
+    }
+
+    .passive-sev-tag {
+      font-size: 10px;
+      font-weight: 700;
+      letter-spacing: 0.04em;
+      flex-shrink: 0;
+      margin-top: 2px;
+    }
+
+    .passive-remedy {
+      padding: 12px 20px;
+      background: rgba(66, 165, 245, 0.04);
+      border-top: 1px solid rgba(66, 165, 245, 0.08);
+      font-size: 12px;
+      color: var(--text-muted);
+      line-height: 1.5;
+    }
+
+    .passive-remedy-label {
+      font-weight: 600;
+      margin-right: 6px;
+    }
+
+    .passive-checks-passed {
+      padding: 12px 20px;
+    }
+
+    .passive-check-item {
+      display: flex;
+      align-items: center;
+      gap: 8px;
+      padding: 4px 0;
+      font-size: 12px;
+      color: var(--text-muted);
+    }
+
+    .passive-check-icon {
+      color: ${COLORS.success};
+      font-weight: 700;
+      font-size: 11px;
+    }
+
+    .passive-clear {
+      text-align: center;
+      padding: 40px 24px;
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+    }
+
+    .passive-clear .icon { font-size: 36px; margin-bottom: 12px; }
+    .passive-clear h4 { font-size: 16px; font-weight: 600; color: ${COLORS.success}; margin-bottom: 6px; }
+    .passive-clear p { font-size: 13px; color: var(--text-muted); }
+
     /* Errors section */
     .errors-section {
       margin-bottom: 32px;
@@ -669,6 +1142,7 @@ function generateHtml(data) {
       body::before { display: none; }
       .finding-details { display: block !important; padding-top: 12px !important; }
       .finding-card { page-break-inside: avoid; }
+      .passive-category-card { page-break-inside: avoid; }
     }
   </style>
 </head>
@@ -684,8 +1158,8 @@ function generateHtml(data) {
         </div>
       </div>
       <div class="header-meta">
-        <div>${formatDate(generatedAt)}</div>
-        <div>Engine v${escapeHtml(engineVersion)}</div>
+        <div>${formatDate(report.generatedAt)}</div>
+        <div>Engine v${escapeHtml(report.engineVersion)}</div>
       </div>
     </div>
 
@@ -700,11 +1174,11 @@ function generateHtml(data) {
         ${session.driverConfig?.startUrl ? `<div class="meta-item"><span class="meta-label">Target URL</span><span class="meta-value">${escapeHtml(String(session.driverConfig.startUrl))}</span></div>` : ""}
         <div class="meta-item">
           <span class="meta-label">Duration</span>
-          <span class="meta-value">${formatDuration(result.duration)}</span>
+          <span class="meta-value">${formatDuration(durationMs)}</span>
         </div>
         <div class="meta-item">
           <span class="meta-label">Generated</span>
-          <span class="meta-value">${formatDate(generatedAt)}</span>
+          <span class="meta-value">${formatDate(report.generatedAt)}</span>
         </div>
       </div>
     </div>
@@ -717,13 +1191,13 @@ function generateHtml(data) {
           <svg viewBox="0 0 160 160" width="160" height="160">
             <circle cx="80" cy="80" r="68" fill="none" stroke="rgba(255,255,255,0.04)" stroke-width="10"/>
             <circle cx="80" cy="80" r="68" fill="none" stroke="${riskColor}" stroke-width="10"
-              stroke-dasharray="${riskPercent / 100 * 427} 427"
+              stroke-dasharray="${risk.percent / 100 * 427} 427"
               stroke-linecap="round"
               style="filter: drop-shadow(0 0 6px ${riskColor});"/>
           </svg>
           <div class="risk-gauge-label">
-            <div class="score" style="color: ${riskColor}">${hasFindings ? riskPercent : 0}</div>
-            <div class="label">${riskLabel}</div>
+            <div class="score" style="color: ${riskColor}">${hasFindings ? risk.percent : 0}</div>
+            <div class="label">${risk.label}</div>
           </div>
         </div>
       </div>
@@ -736,11 +1210,11 @@ function generateHtml(data) {
             <div class="stat-label">Findings</div>
           </div>
           <div class="stat-box">
-            <div class="stat-number">${result.payloadsTested}</div>
+            <div class="stat-number">${payloadsTested}</div>
             <div class="stat-label">Payloads Tested</div>
           </div>
           <div class="stat-box">
-            <div class="stat-number">${result.stepsExecuted}</div>
+            <div class="stat-number">${stepsExecuted}</div>
             <div class="stat-label">Steps Executed</div>
           </div>
           <div class="stat-box">
@@ -768,14 +1242,17 @@ function generateHtml(data) {
       </div>
     </div>
 
-    <!-- Findings -->
+    <!-- Passive Security Analysis -->
+    ${renderPassiveSection(passiveAnalysis)}
+
+    <!-- Active Findings -->
     <div class="findings-section animate-in-delay-3">
       <div class="findings-header">
-        <h3>Findings</h3>
-        <span class="findings-count">${totalFindings} total</span>
+        <h3>\u{1F3AF} Active Scan Findings</h3>
+        <span class="findings-count">${activeFindings.length} finding${activeFindings.length !== 1 ? "s" : ""}</span>
       </div>
 
-      ${hasFindings ? findings.map(
+      ${activeFindings.length > 0 ? activeFindings.map(
     (f, i) => `
         <div class="finding-card" onclick="this.classList.toggle('open')">
           <div class="finding-header">
@@ -821,16 +1298,16 @@ function generateHtml(data) {
   ).join("") : `
         <div class="no-findings">
           <div class="icon">\u{1F6E1}\uFE0F</div>
-          <h3>No Vulnerabilities Detected</h3>
-          <p>${result.payloadsTested} payloads were tested across ${result.stepsExecuted} steps with no findings.</p>
+          <h3>No Active Vulnerabilities Detected</h3>
+          <p>${payloadsTested} payloads were tested across ${stepsExecuted} steps with no findings.</p>
         </div>
       `}
     </div>
 
-    ${result.errors.length > 0 ? `
+    ${errors.length > 0 ? `
     <div class="errors-section">
-      <h3>\u26A0\uFE0F Errors During Execution (${result.errors.length})</h3>
-      ${result.errors.map((e) => `<div class="error-item">${escapeHtml(e)}</div>`).join("")}
+      <h3>\u26A0\uFE0F Errors During Execution (${errors.length})</h3>
+      ${errors.map((e) => `<div class="error-item">${escapeHtml(e)}</div>`).join("")}
     </div>
     ` : ""}
 
@@ -865,110 +1342,63 @@ function generateDonut(counts, total) {
 }
 
 // src/json.ts
-function formatDuration2(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  return `${(ms / 1e3).toFixed(1)}s`;
-}
-function generateJson(session, result, generatedAt, engineVersion) {
-  const counts = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    info: 0
-  };
-  for (const f of result.findings) {
-    counts[f.severity] = (counts[f.severity] || 0) + 1;
-  }
-  const riskScore = counts.critical * 10 + counts.high * 7 + counts.medium * 4 + counts.low * 1;
+function generateJson(report) {
   return {
     vulcn: {
-      version: engineVersion,
-      reportVersion: "1.0",
-      generatedAt
-    },
-    session: {
-      name: session.name,
-      driver: session.driver,
-      driverConfig: session.driverConfig,
-      stepsCount: session.steps.length,
-      metadata: session.metadata
+      version: report.engineVersion,
+      reportVersion: report.reportVersion,
+      generatedAt: report.generatedAt
     },
+    session: report.session,
     execution: {
-      stepsExecuted: result.stepsExecuted,
-      payloadsTested: result.payloadsTested,
-      durationMs: result.duration,
-      durationFormatted: formatDuration2(result.duration),
-      errors: result.errors
+      stepsExecuted: report.stats.stepsExecuted,
+      payloadsTested: report.stats.payloadsTested,
+      durationMs: report.stats.durationMs,
+      durationFormatted: formatDuration(report.stats.durationMs),
+      errors: report.stats.errors
     },
     summary: {
-      totalFindings: result.findings.length,
-      riskScore,
-      severityCounts: counts,
-      vulnerabilityTypes: [...new Set(result.findings.map((f) => f.type))],
-      affectedUrls: [...new Set(result.findings.map((f) => f.url))]
+      totalFindings: report.summary.totalFindings,
+      riskScore: report.summary.risk.score,
+      riskLabel: report.summary.risk.label,
+      severityCounts: report.summary.severityCounts,
+      vulnerabilityTypes: report.summary.vulnerabilityTypes,
+      affectedUrls: report.summary.affectedUrls
+    },
+    findings: report.findings,
+    passiveAnalysis: {
+      totalIssues: report.passiveAnalysis.totalIssues,
+      categories: report.passiveAnalysis.categories.map((c) => ({
+        id: c.definition.id,
+        label: c.definition.label,
+        status: c.status,
+        issueCount: c.issueCount,
+        passedChecks: c.passedChecks,
+        totalChecks: c.totalChecks,
+        remedy: c.definition.remedy
+      }))
     },
-    findings: result.findings
+    rules: report.rules
   };
 }
 
 // src/yaml.ts
 import { stringify } from "yaml";
-function generateYaml(session, result, generatedAt, engineVersion) {
-  const report = generateJson(session, result, generatedAt, engineVersion);
+function generateYaml(report) {
+  const jsonReport = generateJson(report);
   const header = [
     "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     "# Vulcn Security Report",
-    `# Generated: ${generatedAt}`,
-    `# Session: ${session.name}`,
-    `# Findings: ${result.findings.length}`,
+    `# Generated: ${report.generatedAt}`,
+    `# Session: ${report.session.name}`,
+    `# Findings: ${report.summary.totalFindings}`,
     "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     ""
   ].join("\n");
-  return header + stringify(report, { indent: 2 });
+  return header + stringify(jsonReport, { indent: 2 });
 }
 
 // src/sarif.ts
-var CWE_MAP = {
-  xss: {
-    id: 79,
-    name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-  },
-  sqli: {
-    id: 89,
-    name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
-  },
-  ssrf: { id: 918, name: "Server-Side Request Forgery (SSRF)" },
-  xxe: {
-    id: 611,
-    name: "Improper Restriction of XML External Entity Reference"
-  },
-  "command-injection": {
-    id: 78,
-    name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
-  },
-  "path-traversal": {
-    id: 22,
-    name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
-  },
-  "open-redirect": {
-    id: 601,
-    name: "URL Redirection to Untrusted Site ('Open Redirect')"
-  },
-  reflection: {
-    id: 200,
-    name: "Exposure of Sensitive Information to an Unauthorized Actor"
-  },
-  "security-misconfiguration": {
-    id: 16,
-    name: "Configuration"
-  },
-  "information-disclosure": {
-    id: 200,
-    name: "Exposure of Sensitive Information to an Unauthorized Actor"
-  },
-  custom: { id: 20, name: "Improper Input Validation" }
-};
 function toSarifLevel(severity) {
   switch (severity) {
     case "critical":
@@ -983,22 +1413,6 @@ function toSarifLevel(severity) {
       return "warning";
   }
 }
-function toSecuritySeverity(severity) {
-  switch (severity) {
-    case "critical":
-      return "9.0";
-    case "high":
-      return "7.0";
-    case "medium":
-      return "4.0";
-    case "low":
-      return "2.0";
-    case "info":
-      return "0.0";
-    default:
-      return "4.0";
-  }
-}
 function toPrecision(severity) {
   switch (severity) {
     case "critical":
@@ -1014,63 +1428,53 @@ function toPrecision(severity) {
       return "medium";
   }
 }
-function toRuleId(type) {
-  return `VULCN-${type.toUpperCase().replace(/[^A-Z0-9]+/g, "-")}`;
-}
-function buildRules(findings) {
-  const seenTypes = /* @__PURE__ */ new Map();
-  for (const f of findings) {
-    if (!seenTypes.has(f.type)) {
-      seenTypes.set(f.type, f);
-    }
-  }
-  return Array.from(seenTypes.entries()).map(([type, sampleFinding]) => {
-    const cwe = CWE_MAP[type] || CWE_MAP.custom;
-    const ruleId = toRuleId(type);
-    return {
-      id: ruleId,
-      name: type,
-      shortDescription: {
-        text: `${cwe.name} (CWE-${cwe.id})`
-      },
-      fullDescription: {
-        text: `Vulcn detected a potential ${type} vulnerability. ${cwe.name}. See CWE-${cwe.id} for details.`
-      },
-      helpUri: `https://cwe.mitre.org/data/definitions/${cwe.id}.html`,
-      help: {
-        text: `## ${cwe.name}
-
-CWE-${cwe.id}: ${cwe.name}
-
-This rule detects ${type} vulnerabilities by injecting security payloads into form inputs and analyzing the application's response for signs of exploitation.
+function toSarifRule(rule) {
+  return {
+    id: rule.id,
+    name: rule.type,
+    shortDescription: {
+      text: `${rule.cwe.name} (CWE-${rule.cwe.id})`
+    },
+    fullDescription: {
+      text: rule.description
+    },
+    helpUri: `https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html`,
+    help: {
+      text: `## ${rule.cwe.name}
+
+CWE-${rule.cwe.id}: ${rule.cwe.name}
+
+This rule detects ${rule.type} vulnerabilities by injecting security payloads into form inputs and analyzing the application's response for signs of exploitation.
 
 ### Remediation
 
-See https://cwe.mitre.org/data/definitions/${cwe.id}.html for detailed remediation guidance.`,
-        markdown: `## ${cwe.name}
+See https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html for detailed remediation guidance.`,
+      markdown: `## ${rule.cwe.name}
 
-**CWE-${cwe.id}**: ${cwe.name}
+**CWE-${rule.cwe.id}**: ${rule.cwe.name}
 
-This rule detects \`${type}\` vulnerabilities by injecting security payloads into form inputs and analyzing the application's response for signs of exploitation.
+This rule detects \`${rule.type}\` vulnerabilities by injecting security payloads into form inputs and analyzing the application's response for signs of exploitation.
 
 ### Remediation
 
-See [CWE-${cwe.id}](https://cwe.mitre.org/data/definitions/${cwe.id}.html) for detailed remediation guidance.`
-      },
-      properties: {
-        tags: ["security", `CWE-${cwe.id}`, `external/cwe/cwe-${cwe.id}`],
-        precision: toPrecision(sampleFinding.severity),
-        "security-severity": toSecuritySeverity(sampleFinding.severity)
-      },
-      defaultConfiguration: {
-        level: toSarifLevel(sampleFinding.severity)
-      }
-    };
-  });
+See [CWE-${rule.cwe.id}](https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html) for detailed remediation guidance.`
+    },
+    properties: {
+      tags: [
+        "security",
+        `CWE-${rule.cwe.id}`,
+        `external/cwe/cwe-${rule.cwe.id}`
+      ],
+      precision: toPrecision(rule.severity),
+      "security-severity": rule.securitySeverity
+    },
+    defaultConfiguration: {
+      level: toSarifLevel(rule.severity)
+    }
+  };
 }
-function toSarifResult(finding, rules) {
-  const ruleId = toRuleId(finding.type);
-  const ruleIndex = rules.findIndex((r) => r.id === ruleId);
+function toSarifResult(finding, sarifRules) {
+  const ruleIndex = sarifRules.findIndex((r) => r.id === finding.ruleId);
   let messageText = `${finding.title}
 
 ${finding.description}`;
@@ -1082,10 +1486,8 @@ Evidence: ${finding.evidence}`;
   messageText += `
 
 Payload: ${finding.payload}`;
-  const uri = finding.url || "unknown";
-  const fingerprint = `${finding.type}:${finding.stepId}:${finding.payload.slice(0, 50)}`;
   return {
-    ruleId,
+    ruleId: finding.ruleId,
     ruleIndex: Math.max(ruleIndex, 0),
     level: toSarifLevel(finding.severity),
     message: { text: messageText },
@@ -1093,7 +1495,7 @@ Payload: ${finding.payload}`;
       {
         physicalLocation: {
           artifactLocation: {
-            uri
+            uri: finding.url || "unknown"
           },
           region: {
             startLine: 1
@@ -1108,7 +1510,7 @@ Payload: ${finding.payload}`;
       }
     ],
     fingerprints: {
-      vulcnFindingV1: fingerprint
+      vulcnFindingV1: finding.fingerprint
     },
     partialFingerprints: {
       vulcnType: finding.type,
@@ -1118,23 +1520,21 @@ Payload: ${finding.payload}`;
       severity: finding.severity,
       payload: finding.payload,
       stepId: finding.stepId,
+      detectionMethod: finding.detectionMethod,
       ...finding.evidence ? { evidence: finding.evidence } : {},
-      ...finding.metadata || {}
+      ...finding.passiveCategory ? { passiveCategory: finding.passiveCategory } : {}
     }
   };
 }
-function generateSarif(session, result, generatedAt, engineVersion) {
-  const rules = buildRules(result.findings);
-  const results = result.findings.map((f) => toSarifResult(f, rules));
-  const uniqueUrls = [
-    ...new Set(result.findings.map((f) => f.url).filter(Boolean))
-  ];
-  const artifacts = uniqueUrls.map((url) => ({
+function generateSarif(report) {
+  const sarifRules = report.rules.map(toSarifRule);
+  const results = report.findings.map((f) => toSarifResult(f, sarifRules));
+  const artifacts = report.summary.affectedUrls.map((url) => ({
     location: { uri: url }
   }));
-  const startDate = new Date(generatedAt);
-  const endDate = new Date(startDate.getTime() + result.duration);
-  const sarifLog = {
+  const startDate = new Date(report.generatedAt);
+  const endDate = new Date(startDate.getTime() + report.stats.durationMs);
+  return {
     $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
     version: "2.1.0",
     runs: [
@@ -1142,24 +1542,24 @@ function generateSarif(session, result, generatedAt, engineVersion) {
         tool: {
           driver: {
             name: "Vulcn",
-            version: engineVersion,
-            semanticVersion: engineVersion,
+            version: report.engineVersion,
+            semanticVersion: report.engineVersion,
             informationUri: "https://vulcn.dev",
-            rules
+            rules: sarifRules
           }
         },
         results,
         invocations: [
           {
-            executionSuccessful: result.errors.length === 0,
-            startTimeUtc: generatedAt,
+            executionSuccessful: report.stats.errors.length === 0,
+            startTimeUtc: report.generatedAt,
             endTimeUtc: endDate.toISOString(),
             properties: {
-              sessionName: session.name,
-              stepsExecuted: result.stepsExecuted,
-              payloadsTested: result.payloadsTested,
-              durationMs: result.duration,
-              ...result.errors.length > 0 ? { errors: result.errors } : {}
+              sessionName: report.session.name,
+              stepsExecuted: report.stats.stepsExecuted,
+              payloadsTested: report.stats.payloadsTested,
+              durationMs: report.stats.durationMs,
+              ...report.stats.errors.length > 0 ? { errors: report.stats.errors } : {}
             }
           }
         ],
@@ -1167,7 +1567,6 @@ function generateSarif(session, result, generatedAt, engineVersion) {
       }
     ]
   };
-  return sarifLog;
 }
 
 // src/index.ts
@@ -1216,13 +1615,20 @@ var plugin = {
       );
     },
     /**
-     * Generate report(s) after run completes
+     * Generate report(s) after run completes.
+     *
+     * Architecture: RunResult + Session → buildReport() → VulcnReport
+     * Each output format is a pure projection of the canonical model.
      */
     onRunEnd: async (result, ctx) => {
       const config = configSchema.parse(ctx.config);
       const formats = getFormats(config.format);
-      const generatedAt = (/* @__PURE__ */ new Date()).toISOString();
-      const engineVersion = ctx.engine.version;
+      const report = buildReport(
+        ctx.session,
+        result,
+        (/* @__PURE__ */ new Date()).toISOString(),
+        ctx.engine.version
+      );
       const outDir = resolve(config.outputDir);
       await mkdir(outDir, { recursive: true });
       const basePath = resolve(outDir, config.filename);
@@ -1231,13 +1637,7 @@ var plugin = {
         try {
           switch (fmt) {
             case "html": {
-              const htmlData = {
-                session: ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              };
-              const html = generateHtml(htmlData);
+              const html = generateHtml(report);
               const htmlPath = `${basePath}.html`;
               await writeFile(htmlPath, html, "utf-8");
               writtenFiles.push(htmlPath);
@@ -1245,12 +1645,7 @@ var plugin = {
               break;
             }
             case "json": {
-              const jsonReport = generateJson(
-                ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              );
+              const jsonReport = generateJson(report);
               const jsonPath = `${basePath}.json`;
               await writeFile(
                 jsonPath,
@@ -1262,12 +1657,7 @@ var plugin = {
               break;
             }
             case "yaml": {
-              const yamlContent = generateYaml(
-                ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              );
+              const yamlContent = generateYaml(report);
               const yamlPath = `${basePath}.yml`;
               await writeFile(yamlPath, yamlContent, "utf-8");
               writtenFiles.push(yamlPath);
@@ -1275,12 +1665,7 @@ var plugin = {
               break;
             }
             case "sarif": {
-              const sarifReport = generateSarif(
-                ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              );
+              const sarifReport = generateSarif(report);
               const sarifPath = `${basePath}.sarif`;
               await writeFile(
                 sarifPath,
@@ -1313,6 +1698,7 @@ var plugin = {
 };
 var index_default = plugin;
 export {
+  buildReport,
   configSchema,
   index_default as default,
   generateHtml,