erosolar-cli 2.1.238 → 2.1.240

package/dist/core/securityDeliverableGenerator.js

@@ -0,0 +1,1590 @@
+/**
+ * Security Deliverable Generator
+ *
+ * Auto-executes to completion producing concrete security deliverables:
+ * - Penetration test reports
+ * - Incident response procedures
+ * - Security controls checklists
+ * - Training modules
+ * - Compliance audit templates
+ * - Threat assessment documents
+ * - APT kill-chain analysis reports
+ */
+import { getChainStats, getRLState, } from '../tools/tao/index.js';
+// ═══════════════════════════════════════════════════════════════════════════════
+// DELIVERABLE GENERATOR CLASS
+// ═══════════════════════════════════════════════════════════════════════════════
+export class SecurityDeliverableGenerator {
+    conversationHistory = [];
+    toolOutputs = new Map();
+    findings = [];
+    attackChains = [];
+    /**
+     * Generate a complete security deliverable from orchestration results
+     */
+    async generate(type, orchestratorResult, conversationHistory, options = {}) {
+        this.conversationHistory = conversationHistory;
+        this.extractToolOutputs();
+        this.extractFindings();
+        const deliverable = {
+            id: `${type}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+            type,
+            title: this.generateTitle(type, options),
+            version: '1.0.0',
+            classification: options.classification || 'confidential',
+            created: Date.now(),
+            modified: Date.now(),
+            author: options.author || 'Security Assessment Team',
+            reviewers: options.reviewers || [],
+            executiveSummary: this.generateExecutiveSummary(type, orchestratorResult),
+            scope: this.generateScope(options),
+            methodology: this.getMethodology(type),
+            findings: this.findings,
+            metrics: this.calculateMetrics(orchestratorResult),
+            appendices: this.generateAppendices(),
+            signoff: [],
+        };
+        // Add type-specific content
+        switch (type) {
+            case 'incident-response':
+                deliverable.procedures = this.generateIncidentProcedures();
+                break;
+            case 'security-controls':
+                deliverable.controls = this.generateSecurityControls();
+                break;
+            case 'training-module':
+                deliverable.training = this.generateTrainingModules();
+                break;
+            case 'persistence-procedures':
+                deliverable.persistence = this.generatePersistenceMechanisms();
+                break;
+            case 'infrastructure-assessment':
+                deliverable.infrastructure = this.generateInfrastructureComponents();
+                break;
+            case 'red-team-playbook':
+                deliverable.persistence = this.generatePersistenceMechanisms();
+                deliverable.infrastructure = this.generateInfrastructureComponents();
+                deliverable.procedures = this.generateRedTeamProcedures();
+                break;
+        }
+        return deliverable;
+    }
+    /**
+     * Extract tool outputs from conversation history
+     */
+    extractToolOutputs() {
+        for (const msg of this.conversationHistory) {
+            if (msg.role === 'tool' && typeof msg.content === 'string') {
+                const toolName = msg.name || 'unknown';
+                const existing = this.toolOutputs.get(toolName) || [];
+                existing.push(msg.content);
+                this.toolOutputs.set(toolName, existing);
+            }
+        }
+    }
+    /**
+     * Extract security findings from conversation and tool outputs
+     */
+    extractFindings() {
+        const findingPatterns = [
+            { pattern: /vulnerability|vuln|cve-\d+/i, severity: 'high' },
+            { pattern: /open\s+port|exposed\s+service/i, severity: 'medium' },
+            { pattern: /missing\s+header|security\s+header/i, severity: 'medium' },
+            { pattern: /credential|password|secret|key\s*=/i, severity: 'critical' },
+            { pattern: /injection|xss|sqli|rce|lfi|rfi/i, severity: 'critical' },
+            { pattern: /misconfiguration|default\s+config/i, severity: 'medium' },
+            { pattern: /information\s+disclosure|version\s+disclosure/i, severity: 'low' },
+        ];
+        let findingId = 1;
+        for (const [toolName, outputs] of this.toolOutputs) {
+            for (const output of outputs) {
+                for (const { pattern, severity } of findingPatterns) {
+                    const matches = output.match(pattern);
+                    if (matches) {
+                        const finding = this.createFinding(`FIND-${String(findingId++).padStart(3, '0')}`, matches[0], severity, output, toolName);
+                        this.findings.push(finding);
+                    }
+                }
+            }
+        }
+        // Deduplicate by title
+        const seen = new Set();
+        this.findings = this.findings.filter(f => {
+            const key = f.title.toLowerCase();
+            if (seen.has(key))
+                return false;
+            seen.add(key);
+            return true;
+        });
+    }
+    /**
+     * Create a security finding from detected pattern
+     */
+    createFinding(id, match, severity, evidence, source) {
+        return {
+            id,
+            title: this.titleCase(match),
+            severity,
+            description: `Security issue detected: ${match}`,
+            evidence: [evidence.slice(0, 500)],
+            affectedAssets: this.extractAffectedAssets(evidence),
+            technicalDetails: evidence,
+            businessImpact: this.getBusinessImpact(severity),
+            remediation: this.generateRemediation(match, severity),
+            references: this.getReferences(match),
+            timeline: {
+                discovered: Date.now(),
+            },
+        };
+    }
+    /**
+     * Generate title for the deliverable
+     */
+    generateTitle(type, options) {
+        const titles = {
+            'pentest-report': 'Penetration Test Report',
+            'incident-response': 'Incident Response Procedures',
+            'security-controls': 'Security Controls Assessment',
+            'training-module': 'Security Awareness Training Module',
+            'compliance-audit': 'Compliance Audit Report',
+            'threat-assessment': 'Threat Assessment Report',
+            'apt-analysis': 'APT Kill-Chain Analysis',
+            'vulnerability-report': 'Vulnerability Assessment Report',
+            'infrastructure-assessment': 'Infrastructure Security Assessment',
+            'persistence-procedures': 'Persistence Mechanism Documentation',
+            'red-team-playbook': 'Red Team Operations Playbook',
+        };
+        return options.customTitle || titles[type] || 'Security Assessment Report';
+    }
+    /**
+     * Generate executive summary based on findings
+     */
+    generateExecutiveSummary(type, result) {
+        const criticalCount = this.findings.filter(f => f.severity === 'critical').length;
+        const highCount = this.findings.filter(f => f.severity === 'high').length;
+        const riskLevel = criticalCount > 0 ? 'CRITICAL' : highCount > 2 ? 'HIGH' : highCount > 0 ? 'MEDIUM' : 'LOW';
+        const summaries = {
+            'pentest-report': `
+## Executive Summary
+
+This penetration test identified **${this.findings.length}** security findings, including **${criticalCount}** critical and **${highCount}** high severity issues. The overall security posture is assessed as **${riskLevel}**.
+
+### Key Findings
+${this.findings.slice(0, 5).map(f => `- **${f.severity.toUpperCase()}**: ${f.title}`).join('\n')}
+
+### Immediate Actions Required
+${criticalCount > 0 ? '1. Address all critical findings within 24-48 hours\n2. Implement emergency patches for exposed vulnerabilities\n3. Review access controls and credential management' : '1. Review and prioritize high severity findings\n2. Implement recommended security controls\n3. Schedule follow-up assessment'}
+
+### Tools & Techniques Used
+${result.toolsUsed.slice(0, 10).join(', ')}
+`,
+            'incident-response': `
+## Executive Summary
+
+This document provides comprehensive incident response procedures for security events. It includes ${this.findings.length > 0 ? `response procedures for ${this.findings.length} identified threat scenarios` : 'standard response procedures'}.
+
+### Coverage
+- Detection and triage procedures
+- Containment strategies
+- Eradication steps
+- Recovery procedures
+- Post-incident analysis
+
+### Response Readiness: ${riskLevel === 'LOW' ? 'PREPARED' : 'NEEDS IMPROVEMENT'}
+`,
+            'security-controls': `
+## Executive Summary
+
+Security controls assessment covering technical, administrative, and physical controls. Assessment identified gaps requiring attention.
+
+### Control Categories Assessed
+- Access Control
+- Network Security
+- Data Protection
+- Incident Response
+- Business Continuity
+- Compliance Requirements
+`,
+            'training-module': `
+## Executive Summary
+
+Security awareness training module designed to educate personnel on security best practices and threat awareness.
+
+### Training Objectives
+- Recognize common attack vectors
+- Understand security policies
+- Practice secure behaviors
+- Report security incidents
+`,
+            'compliance-audit': `
+## Executive Summary
+
+Compliance audit report assessing alignment with security frameworks and regulatory requirements.
+
+### Compliance Status: ${riskLevel === 'LOW' ? 'COMPLIANT' : 'PARTIALLY COMPLIANT'}
+`,
+            'threat-assessment': `
+## Executive Summary
+
+Threat assessment analyzing potential adversaries, attack vectors, and organizational risk exposure.
+
+### Threat Level: ${riskLevel}
+${this.findings.length} potential threat vectors identified.
+`,
+            'apt-analysis': `
+## Executive Summary
+
+Advanced Persistent Threat (APT) analysis documenting kill-chain phases, techniques, tactics, and procedures (TTPs).
+
+### Kill-Chain Coverage
+- Reconnaissance
+- Weaponization
+- Delivery
+- Exploitation
+- Installation
+- Command & Control
+- Actions on Objectives
+`,
+            'vulnerability-report': `
+## Executive Summary
+
+Vulnerability assessment identified **${this.findings.length}** security issues across the target environment.
+
+### Risk Distribution
+- Critical: ${criticalCount}
+- High: ${highCount}
+- Medium: ${this.findings.filter(f => f.severity === 'medium').length}
+- Low: ${this.findings.filter(f => f.severity === 'low').length}
+- Info: ${this.findings.filter(f => f.severity === 'info').length}
+`,
+            'infrastructure-assessment': `
+## Executive Summary
+
+Infrastructure security assessment evaluating network architecture, systems configuration, and operational security.
+
+### Infrastructure Components Assessed
+- Network perimeter
+- Internal segmentation
+- Cloud resources
+- Endpoint security
+`,
+            'persistence-procedures': `
+## Executive Summary
+
+Documentation of persistence mechanisms for authorized red team operations and security testing.
+
+### Mechanisms Documented
+- Registry-based persistence
+- Service manipulation
+- Scheduled tasks
+- Startup modifications
+- DLL-based techniques
+`,
+            'red-team-playbook': `
+## Executive Summary
+
+Comprehensive red team operations playbook for authorized adversary simulation.
+
+### Playbook Contents
+- Infrastructure setup
+- Initial access techniques
+- Persistence mechanisms
+- Lateral movement
+- Data exfiltration
+- Operational security
+`,
+        };
+        return summaries[type] || summaries['pentest-report'];
+    }
+    /**
+     * Generate scope documentation
+     */
+    generateScope(options) {
+        return {
+            targets: options.targets || this.extractTargets(),
+            excludedTargets: options.excludedTargets || [],
+            timeframe: {
+                start: options.startTime || Date.now() - 86400000,
+                end: options.endTime || Date.now(),
+            },
+            constraints: options.constraints || ['Standard rules of engagement apply'],
+            authorizationRef: options.authorizationRef || 'AUTH-' + Date.now().toString(36),
+        };
+    }
+    /**
+     * Get methodology based on deliverable type
+     */
+    getMethodology(type) {
+        const methodologies = {
+            'pentest-report': [
+                'PTES (Penetration Testing Execution Standard)',
+                'OWASP Testing Guide v4',
+                'NIST SP 800-115',
+                'MITRE ATT&CK Framework',
+            ],
+            'incident-response': [
+                'NIST SP 800-61 Rev. 2',
+                'SANS Incident Handler\'s Handbook',
+                'ISO 27035',
+            ],
+            'security-controls': [
+                'NIST CSF',
+                'CIS Controls v8',
+                'ISO 27001/27002',
+            ],
+            'training-module': [
+                'NIST SP 800-50',
+                'SANS Security Awareness',
+            ],
+            'compliance-audit': [
+                'SOC 2 Type II',
+                'ISO 27001',
+                'PCI DSS v4.0',
+                'HIPAA Security Rule',
+            ],
+            'threat-assessment': [
+                'STRIDE',
+                'DREAD',
+                'MITRE ATT&CK',
+                'Cyber Kill Chain',
+            ],
+            'apt-analysis': [
+                'Lockheed Martin Cyber Kill Chain',
+                'MITRE ATT&CK Enterprise',
+                'Diamond Model',
+            ],
+            'vulnerability-report': [
+                'CVSS v3.1',
+                'CWE',
+                'OWASP Top 10',
+            ],
+            'infrastructure-assessment': [
+                'CIS Benchmarks',
+                'NIST SP 800-53',
+                'Cloud Security Alliance',
+            ],
+            'persistence-procedures': [
+                'MITRE ATT&CK Persistence Tactics',
+                'Red Team Operations Guide',
+            ],
+            'red-team-playbook': [
+                'MITRE ATT&CK Framework',
+                'Adversary Simulation Framework',
+                'Red Team Operations Methodology',
+            ],
+        };
+        return methodologies[type] || methodologies['pentest-report'];
+    }
+    /**
+     * Calculate metrics from the assessment
+     */
+    calculateMetrics(result) {
+        const bySeverity = {
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            info: 0,
+        };
+        const byCategory = {};
+        for (const finding of this.findings) {
+            bySeverity[finding.severity]++;
+            const category = this.categorize(finding);
+            byCategory[category] = (byCategory[category] || 0) + 1;
+        }
+        const riskScore = this.calculateRiskScore(bySeverity);
+        const chainStats = getChainStats();
+        const rlState = getRLState();
+        return {
+            totalFindings: this.findings.length,
+            bySeverity,
+            byCategory,
+            remediationProgress: 0,
+            riskScore,
+            toolsUsed: result.toolsUsed,
+            techniquesExecuted: rlState.topActions.map(a => a.action),
+            chainStats: {
+                total: chainStats.total,
+                completed: chainStats.completed,
+                failed: chainStats.failed,
+                avgReward: chainStats.avgReward,
+            },
+        };
+    }
+    /**
+     * Generate incident response procedures
+     */
+    generateIncidentProcedures() {
+        const procedures = [
+            {
+                id: 'IR-001',
+                name: 'Malware Infection Response',
+                triggerConditions: [
+                    'Antivirus alert triggered',
+                    'Suspicious process detected',
+                    'Network anomaly indicating C2 traffic',
+                ],
+                severity: 'high',
+                responseSteps: [
+                    {
+                        order: 1,
+                        action: 'Isolate affected system from network',
+                        responsible: 'SOC Analyst',
+                        timeframe: '15 minutes',
+                        tools: ['Network switch', 'EDR console'],
+                        outputs: ['Isolation confirmation', 'Initial triage notes'],
+                        decisionPoints: ['Is system critical?', 'Are other systems affected?'],
+                    },
+                    {
+                        order: 2,
+                        action: 'Capture volatile memory and disk image',
+                        responsible: 'Forensics Team',
+                        timeframe: '2 hours',
+                        tools: ['FTK Imager', 'Volatility', 'dd'],
+                        outputs: ['Memory dump', 'Disk image', 'Hash values'],
+                        decisionPoints: ['Evidence preservation priority'],
+                    },
+                    {
+                        order: 3,
+                        action: 'Analyze malware sample',
+                        responsible: 'Malware Analyst',
+                        timeframe: '4 hours',
+                        tools: ['Sandbox', 'IDA Pro', 'Ghidra'],
+                        outputs: ['IOCs', 'Behavior analysis', 'Network indicators'],
+                        decisionPoints: ['Is this known malware?', 'Severity assessment'],
+                    },
+                ],
+                escalationPath: [
+                    { level: 1, criteria: 'Single system affected', contacts: ['SOC Lead'], timeframe: '30 minutes' },
+                    { level: 2, criteria: 'Multiple systems affected', contacts: ['IR Manager', 'CISO'], timeframe: '1 hour' },
+                    { level: 3, criteria: 'Critical systems compromised', contacts: ['Executive Team', 'Legal'], timeframe: '2 hours' },
+                ],
+                communicationPlan: [
+                    { audience: 'IT Team', timing: 'Immediate', channel: 'Slack/Teams', template: 'Security incident in progress. Stand by for instructions.' },
+                    { audience: 'Management', timing: 'Within 1 hour', channel: 'Email', template: 'Security incident notification - details to follow.' },
+                    { audience: 'External', timing: 'As required', channel: 'Official statement', template: 'Prepared PR statement' },
+                ],
+                recoveryProcedures: [
+                    'Verify malware removal',
+                    'Restore from clean backup',
+                    'Reset all credentials',
+                    'Monitor for reinfection',
+                ],
+                postIncidentActions: [
+                    'Complete incident report',
+                    'Update detection rules',
+                    'Conduct lessons learned session',
+                    'Update response procedures',
+                ],
+            },
+            {
+                id: 'IR-002',
+                name: 'Data Breach Response',
+                triggerConditions: [
+                    'Unusual data exfiltration detected',
+                    'Unauthorized access to sensitive data',
+                    'Third-party breach notification',
+                ],
+                severity: 'critical',
+                responseSteps: [
+                    {
+                        order: 1,
+                        action: 'Assess scope of data exposure',
+                        responsible: 'IR Lead',
+                        timeframe: '2 hours',
+                        tools: ['DLP logs', 'SIEM', 'Database audit logs'],
+                        outputs: ['Data classification', 'Affected records count', 'Data types exposed'],
+                        decisionPoints: ['Is PII involved?', 'Regulatory notification required?'],
+                    },
+                    {
+                        order: 2,
+                        action: 'Contain the breach',
+                        responsible: 'Security Team',
+                        timeframe: '4 hours',
+                        tools: ['Firewall', 'IAM system', 'DLP'],
+                        outputs: ['Containment confirmation', 'Access revocations'],
+                        decisionPoints: ['Block source IPs?', 'Disable compromised accounts?'],
+                    },
+                ],
+                escalationPath: [
+                    { level: 1, criteria: 'Non-sensitive data', contacts: ['Security Manager'], timeframe: '1 hour' },
+                    { level: 2, criteria: 'PII affected', contacts: ['DPO', 'Legal', 'CISO'], timeframe: '4 hours' },
+                    { level: 3, criteria: 'Regulatory breach', contacts: ['Board', 'External counsel'], timeframe: '24 hours' },
+                ],
+                communicationPlan: [
+                    { audience: 'Legal', timing: 'Immediate', channel: 'Phone', template: 'Potential data breach - legal review needed' },
+                    { audience: 'Regulators', timing: 'Within 72 hours', channel: 'Official filing', template: 'Breach notification template' },
+                    { audience: 'Affected individuals', timing: 'Within 30 days', channel: 'Email/Mail', template: 'Breach notification letter' },
+                ],
+                recoveryProcedures: [
+                    'Implement additional controls',
+                    'Offer credit monitoring if PII affected',
+                    'Conduct third-party security audit',
+                ],
+                postIncidentActions: [
+                    'File regulatory notifications',
+                    'Document timeline and response',
+                    'Implement preventive controls',
+                ],
+            },
+            {
+                id: 'IR-003',
+                name: 'Ransomware Attack Response',
+                triggerConditions: [
+                    'Ransomware note discovered',
+                    'Mass file encryption detected',
+                    'System unavailability',
+                ],
+                severity: 'critical',
+                responseSteps: [
+                    {
+                        order: 1,
+                        action: 'Immediately isolate all affected systems',
+                        responsible: 'IT Operations',
+                        timeframe: '5 minutes',
+                        tools: ['Network isolation', 'Kill switch'],
+                        outputs: ['Isolation confirmation', 'Affected systems list'],
+                        decisionPoints: ['Scope of infection', 'Critical systems status'],
+                    },
+                    {
+                        order: 2,
+                        action: 'Preserve evidence and identify variant',
+                        responsible: 'Forensics Team',
+                        timeframe: '1 hour',
+                        tools: ['ID Ransomware', 'Sample collection'],
+                        outputs: ['Ransomware variant ID', 'Encryption analysis'],
+                        decisionPoints: ['Is decryption possible?', 'Known vulnerabilities in ransomware?'],
+                    },
+                    {
+                        order: 3,
+                        action: 'Assess backup integrity',
+                        responsible: 'Backup Administrator',
+                        timeframe: '2 hours',
+                        tools: ['Backup system', 'Air-gapped copies'],
+                        outputs: ['Backup status report', 'Recovery time estimate'],
+                        decisionPoints: ['Are backups clean?', 'Recovery priority order'],
+                    },
+                ],
+                escalationPath: [
+                    { level: 1, criteria: 'Limited systems', contacts: ['IT Director', 'CISO'], timeframe: '15 minutes' },
+                    { level: 2, criteria: 'Critical systems affected', contacts: ['CEO', 'Board'], timeframe: '1 hour' },
+                    { level: 3, criteria: 'Business operations halted', contacts: ['External IR firm', 'Law enforcement'], timeframe: '2 hours' },
+                ],
+                communicationPlan: [
+                    { audience: 'All employees', timing: 'Immediate', channel: 'All channels', template: 'Do not access any systems. Wait for instructions.' },
+                    { audience: 'Law enforcement', timing: 'Within 24 hours', channel: 'FBI IC3 / Local', template: 'Ransomware incident report' },
+                ],
+                recoveryProcedures: [
+                    'Do NOT pay ransom without authorization',
+                    'Restore from clean backups',
+                    'Rebuild affected systems',
+                    'Implement enhanced monitoring',
+                ],
+                postIncidentActions: [
+                    'Full security assessment',
+                    'Implement email security improvements',
+                    'Enhanced backup procedures',
+                    'Staff training on phishing',
+                ],
+            },
+        ];
+        return procedures;
+    }
+    /**
+     * Generate security controls checklist
+     */
+    generateSecurityControls() {
+        return [
+            {
+                id: 'AC-1',
+                name: 'Access Control Policy',
+                category: 'Access Control',
+                framework: 'NIST CSF',
+                status: 'implemented',
+                evidence: 'Policy document reviewed and approved',
+                gaps: [],
+                recommendations: ['Annual review scheduled'],
+            },
+            {
+                id: 'AC-2',
+                name: 'Multi-Factor Authentication',
+                category: 'Access Control',
+                framework: 'NIST CSF',
+                status: 'partial',
+                evidence: 'MFA enabled for admin accounts',
+                gaps: ['MFA not enforced for all users', 'Service accounts exempt'],
+                recommendations: ['Enforce MFA for all users', 'Implement conditional access'],
+            },
+            {
+                id: 'AC-3',
+                name: 'Least Privilege',
+                category: 'Access Control',
+                framework: 'CIS Controls',
+                status: 'partial',
+                evidence: 'Role-based access implemented',
+                gaps: ['Excessive admin accounts', 'Periodic access review needed'],
+                recommendations: ['Quarterly access reviews', 'Admin account audit'],
+            },
+            {
+                id: 'NS-1',
+                name: 'Network Segmentation',
+                category: 'Network Security',
+                framework: 'CIS Controls',
+                status: 'implemented',
+                evidence: 'VLANs configured for different zones',
+                gaps: [],
+                recommendations: ['Implement microsegmentation'],
+            },
+            {
+                id: 'NS-2',
+                name: 'Firewall Configuration',
+                category: 'Network Security',
+                framework: 'CIS Controls',
+                status: 'implemented',
+                evidence: 'Firewall rules reviewed',
+                gaps: ['Some legacy rules need cleanup'],
+                recommendations: ['Firewall rule audit', 'Remove unused rules'],
+            },
+            {
+                id: 'DP-1',
+                name: 'Data Encryption at Rest',
+                category: 'Data Protection',
+                framework: 'ISO 27001',
+                status: 'partial',
+                evidence: 'Database encryption enabled',
+                gaps: ['File shares not encrypted', 'Endpoint encryption incomplete'],
+                recommendations: ['Full disk encryption on all endpoints', 'Encrypt file shares'],
+            },
+            {
+                id: 'DP-2',
+                name: 'Data Encryption in Transit',
+                category: 'Data Protection',
+                framework: 'ISO 27001',
+                status: 'implemented',
+                evidence: 'TLS 1.2+ enforced',
+                gaps: [],
+                recommendations: ['Upgrade to TLS 1.3 where possible'],
+            },
+            {
+                id: 'IR-1',
+                name: 'Incident Response Plan',
+                category: 'Incident Response',
+                framework: 'NIST CSF',
+                status: 'implemented',
+                evidence: 'IR plan documented and tested',
+                gaps: ['Last tabletop was 8 months ago'],
+                recommendations: ['Quarterly tabletop exercises'],
+            },
+            {
+                id: 'VM-1',
+                name: 'Vulnerability Management',
+                category: 'Vulnerability Management',
+                framework: 'CIS Controls',
+                status: 'implemented',
+                evidence: 'Weekly vulnerability scans',
+                gaps: ['Patch lag for critical vulns > 7 days'],
+                recommendations: ['Reduce critical patch SLA to 72 hours'],
+            },
+            {
+                id: 'LM-1',
+                name: 'Centralized Logging',
+                category: 'Logging & Monitoring',
+                framework: 'CIS Controls',
+                status: 'implemented',
+                evidence: 'SIEM deployed with all critical sources',
+                gaps: ['Some cloud services not integrated'],
+                recommendations: ['Integrate all cloud service logs'],
+            },
+        ];
+    }
+    /**
+     * Generate training modules
+     */
+    generateTrainingModules() {
+        return [
+            {
+                id: 'TM-001',
+                title: 'Security Awareness Fundamentals',
+                targetAudience: ['All employees', 'New hires'],
+                objectives: [
+                    'Understand common cyber threats',
+                    'Recognize phishing attempts',
+                    'Follow secure password practices',
+                    'Report security incidents properly',
+                ],
+                duration: '45 minutes',
+                prerequisites: ['Company email account'],
+                content: [
+                    {
+                        title: 'Introduction to Cybersecurity',
+                        type: 'lecture',
+                        duration: '10 minutes',
+                        content: 'Overview of the threat landscape and why security matters to our organization.',
+                        keyPoints: [
+                            'Cyber attacks are increasing',
+                            'Everyone is a target',
+                            'Human error causes most breaches',
+                        ],
+                    },
+                    {
+                        title: 'Phishing Attack Recognition',
+                        type: 'demo',
+                        duration: '15 minutes',
+                        content: 'Live demonstration of phishing techniques and red flags to watch for.',
+                        keyPoints: [
+                            'Check sender email addresses carefully',
+                            'Hover over links before clicking',
+                            'Verify unexpected attachments',
+                            'When in doubt, report it',
+                        ],
+                    },
+                    {
+                        title: 'Phishing Exercise',
+                        type: 'exercise',
+                        duration: '10 minutes',
+                        content: 'Practice identifying phishing emails in simulated scenarios.',
+                        keyPoints: [
+                            'Apply learned techniques',
+                            'Use reporting tools',
+                        ],
+                    },
+                    {
+                        title: 'Password Security',
+                        type: 'lecture',
+                        duration: '10 minutes',
+                        content: 'Best practices for creating and managing secure passwords.',
+                        keyPoints: [
+                            'Use unique passwords for each account',
+                            'Enable MFA everywhere',
+                            'Use a password manager',
+                            'Never share passwords',
+                        ],
+                    },
+                ],
+                assessment: [
+                    {
+                        type: 'quiz',
+                        question: 'What should you do if you receive an unexpected email with an attachment from your CEO?',
+                        options: [
+                            'Open it immediately - it\'s from the CEO',
+                            'Forward it to IT security',
+                            'Verify through another channel before opening',
+                            'Delete it without reading',
+                        ],
+                        correctAnswer: 'Verify through another channel before opening',
+                        explanation: 'Always verify unexpected requests through a known, trusted channel, especially from executives.',
+                    },
+                    {
+                        type: 'quiz',
+                        question: 'Which is the strongest password?',
+                        options: [
+                            'Password123!',
+                            'MyDog\'sName2024',
+                            'correct-horse-battery-staple',
+                            'P@ssw0rd',
+                        ],
+                        correctAnswer: 'correct-horse-battery-staple',
+                        explanation: 'Long passphrases are more secure and easier to remember than complex short passwords.',
+                    },
+                    {
+                        type: 'practical',
+                        question: 'Report a simulated phishing email using the company reporting button.',
+                        explanation: 'Practice using the actual reporting tools you\'ll use in a real scenario.',
+                    },
+                ],
+                resources: [
+                    'NIST Cybersecurity Basics',
+                    'Company Security Policy',
+                    'IT Security Contact Information',
+                ],
+            },
+            {
+                id: 'TM-002',
+                title: 'Secure Development Practices',
+                targetAudience: ['Developers', 'DevOps engineers'],
+                objectives: [
+                    'Understand OWASP Top 10 vulnerabilities',
+                    'Implement secure coding practices',
+                    'Use security tools in CI/CD',
+                    'Handle sensitive data properly',
+                ],
+                duration: '2 hours',
+                prerequisites: ['Development experience', 'Access to code repositories'],
+                content: [
+                    {
+                        title: 'OWASP Top 10 Overview',
+                        type: 'lecture',
+                        duration: '30 minutes',
+                        content: 'Detailed walkthrough of the OWASP Top 10 vulnerabilities.',
+                        keyPoints: [
+                            'Injection attacks',
+                            'Broken authentication',
+                            'Sensitive data exposure',
+                            'Security misconfiguration',
+                        ],
+                    },
+                    {
+                        title: 'Secure Coding Lab',
+                        type: 'lab',
+                        duration: '45 minutes',
+                        content: 'Hands-on exercises fixing vulnerable code samples.',
+                        keyPoints: [
+                            'Input validation',
+                            'Parameterized queries',
+                            'Output encoding',
+                            'Error handling',
+                        ],
+                    },
+                    {
+                        title: 'Security in CI/CD',
+                        type: 'demo',
+                        duration: '30 minutes',
+                        content: 'Integrating security scanning into development pipelines.',
+                        keyPoints: [
+                            'SAST tools',
+                            'DAST integration',
+                            'Dependency scanning',
+                            'Container security',
+                        ],
+                    },
+                ],
+                assessment: [
+                    {
+                        type: 'practical',
+                        question: 'Identify and fix the SQL injection vulnerability in the provided code.',
+                        explanation: 'Use parameterized queries to prevent SQL injection.',
+                    },
+                    {
+                        type: 'scenario',
+                        question: 'You discover a vulnerability in production. Walk through the disclosure process.',
+                        explanation: 'Understanding responsible disclosure protects the organization.',
+                    },
+                ],
+                resources: [
+                    'OWASP Cheat Sheets',
+                    'Company Secure Coding Guidelines',
+                    'Security Tool Documentation',
+                ],
+            },
+        ];
+    }
+    /**
+     * Generate persistence mechanisms documentation
+     */
+    generatePersistenceMechanisms() {
+        return [
+            {
+                id: 'PERS-001',
+                name: 'Registry Run Key',
+                category: 'registry',
+                platform: 'windows',
+                stealthRating: 0.3,
+                detectionDifficulty: 'easy',
+                prerequisites: ['Local admin access'],
+                implementation: `
+# Add registry run key for persistence
+reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\\Windows\\Temp\\payload.exe" /f
+
+# Verify persistence
+reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+        `,
+                artifacts: [
+                    'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityUpdate',
+                    'C:\\Windows\\Temp\\payload.exe',
+                ],
+                detectionIndicators: [
+                    'Registry modification event (Sysmon Event ID 12/13)',
+                    'Process creation from unusual location',
+                    'Autoruns showing new entry',
+                ],
+                removalProcedure: [
+                    'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "SecurityUpdate" /f',
+                    'Remove payload file',
+                    'Verify removal with Autoruns',
+                ],
+                mitreTechnique: 'T1547.001',
+            },
+            {
+                id: 'PERS-002',
+                name: 'Scheduled Task',
+                category: 'scheduled-task',
+                platform: 'windows',
+                stealthRating: 0.5,
+                detectionDifficulty: 'medium',
+                prerequisites: ['Local admin access'],
+                implementation: `
+# Create scheduled task for persistence
+schtasks /create /tn "WindowsUpdate" /tr "C:\\Windows\\Temp\\payload.exe" /sc onlogon /ru SYSTEM
+
+# Verify task creation
+schtasks /query /tn "WindowsUpdate"
+        `,
+                artifacts: [
+                    'C:\\Windows\\System32\\Tasks\\WindowsUpdate',
+                    'Task Scheduler Library entry',
+                ],
+                detectionIndicators: [
+                    'Task Scheduler event (Event ID 4698)',
+                    'Sysmon Event ID 1 from taskeng.exe',
+                    'Unusual scheduled task names',
+                ],
+                removalProcedure: [
+                    'schtasks /delete /tn "WindowsUpdate" /f',
+                    'Remove payload file',
+                    'Audit remaining scheduled tasks',
+                ],
+                mitreTechnique: 'T1053.005',
+            },
+            {
+                id: 'PERS-003',
+                name: 'Systemd Service',
+                category: 'service',
+                platform: 'linux',
+                stealthRating: 0.6,
+                detectionDifficulty: 'medium',
+                prerequisites: ['Root access'],
+                implementation: `
+# Create systemd service unit
+cat > /etc/systemd/system/security-update.service << EOF
+[Unit]
+Description=Security Update Service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/payload
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Enable and start service
+systemctl daemon-reload
+systemctl enable security-update.service
+systemctl start security-update.service
+        `,
+                artifacts: [
+                    '/etc/systemd/system/security-update.service',
+                    '/usr/local/bin/payload',
+                ],
+                detectionIndicators: [
+                    'New systemd unit file',
+                    'Unusual service running',
+                    'journalctl showing unknown service',
+                ],
+                removalProcedure: [
+                    'systemctl stop security-update.service',
+                    'systemctl disable security-update.service',
+                    'rm /etc/systemd/system/security-update.service',
+                    'systemctl daemon-reload',
+                    'rm /usr/local/bin/payload',
+                ],
+                mitreTechnique: 'T1543.002',
+            },
+            {
+                id: 'PERS-004',
+                name: 'Cron Job',
+                category: 'scheduled-task',
+                platform: 'linux',
+                stealthRating: 0.5,
+                detectionDifficulty: 'easy',
+                prerequisites: ['User or root access'],
+                implementation: `
+# Add cron job for persistence
+echo "*/5 * * * * /tmp/.hidden/payload" | crontab -
+
+# Or add to system cron
+echo "*/5 * * * * root /tmp/.hidden/payload" >> /etc/crontab
+        `,
+                artifacts: [
+                    '/var/spool/cron/crontabs/<user>',
+                    '/etc/crontab',
+                    '/tmp/.hidden/payload',
+                ],
+                detectionIndicators: [
+                    'Crontab modification',
+                    'Unusual cron entries',
+                    'Hidden directories in /tmp',
+                ],
+                removalProcedure: [
+                    'crontab -r (for user cron)',
+                    'Edit /etc/crontab to remove entry',
+                    'rm -rf /tmp/.hidden',
+                ],
+                mitreTechnique: 'T1053.003',
+            },
+            {
+                id: 'PERS-005',
+                name: 'Launch Agent',
+                category: 'startup',
+                platform: 'macos',
+                stealthRating: 0.4,
+                detectionDifficulty: 'easy',
+                prerequisites: ['User access'],
+                implementation: `
+# Create Launch Agent plist
+cat > ~/Library/LaunchAgents/com.security.update.plist << EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>com.security.update</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/Users/Shared/.hidden/payload</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <true/>
+</dict>
+</plist>
+EOF
+
+# Load the agent
+launchctl load ~/Library/LaunchAgents/com.security.update.plist
+        `,
+                artifacts: [
+                    '~/Library/LaunchAgents/com.security.update.plist',
+                    '/Users/Shared/.hidden/payload',
+                ],
+                detectionIndicators: [
+                    'New LaunchAgent plist',
+                    'launchctl list showing unknown agent',
+                    'Unified logs showing agent load',
+                ],
+                removalProcedure: [
+                    'launchctl unload ~/Library/LaunchAgents/com.security.update.plist',
+                    'rm ~/Library/LaunchAgents/com.security.update.plist',
+                    'rm -rf /Users/Shared/.hidden',
+                ],
+                mitreTechnique: 'T1543.001',
+            },
+            {
+                id: 'PERS-006',
+                name: 'DLL Search Order Hijacking',
+                category: 'dll',
+                platform: 'windows',
+                stealthRating: 0.7,
+                detectionDifficulty: 'hard',
+                prerequisites: ['Write access to application directory'],
+                implementation: `
+# Identify vulnerable application
+# Place malicious DLL in application directory
+# DLL will be loaded instead of legitimate version
+
+# Common targets:
+# - Applications without full DLL paths
+# - Side-loading opportunities
+# - Missing DLLs that application tries to load
+        `,
+                artifacts: [
+                    'Malicious DLL in application directory',
+                    'May overwrite or supplement existing DLLs',
+                ],
+                detectionIndicators: [
+                    'DLL loaded from unusual location',
+                    'Sysmon Event ID 7',
+                    'Hash mismatch on known DLLs',
+                ],
+                removalProcedure: [
+                    'Identify and remove malicious DLL',
+                    'Restore legitimate DLL if replaced',
+                    'Verify application functionality',
+                ],
+                mitreTechnique: 'T1574.001',
+            },
+        ];
+    }
+    /**
+     * Generate infrastructure components
+     */
+    generateInfrastructureComponents() {
+        return [
+            {
+                id: 'INFRA-001',
+                name: 'Primary C2 Server',
+                type: 'c2-server',
+                provider: 'Cloud VPS',
+                configuration: {
+                    os: 'Ubuntu 22.04 LTS',
+                    specs: '4 vCPU, 8GB RAM, 100GB SSD',
+                    framework: 'Cobalt Strike / Mythic / Sliver',
+                    protocols: ['HTTPS', 'DNS', 'SMB'],
+                    malleable_profile: 'Custom jQuery profile',
+                },
+                opsecConsiderations: [
+                    'Use clean IP with no prior malicious history',
+                    'Domain fronting or CDN for traffic masking',
+                    'Separate management interface from C2',
+                    'Regular log rotation and cleanup',
+                    'Kill switch implementation',
+                ],
+                setupProcedure: [
+                    'Provision VPS from clean account',
+                    'Harden OS (disable services, firewall)',
+                    'Install C2 framework',
+                    'Configure TLS certificates',
+                    'Set up domain fronting',
+                    'Test connectivity',
+                ],
+                teardownProcedure: [
+                    'Secure wipe of all data',
+                    'Terminate VPS instance',
+                    'Clean up DNS records',
+                    'Document IOCs for deconfliction',
+                ],
+                monitoring: [
+                    'Uptime monitoring',
+                    'Certificate expiry alerts',
+                    'Traffic anomaly detection',
+                ],
+            },
+            {
+                id: 'INFRA-002',
+                name: 'HTTP Redirector',
+                type: 'redirector',
+                provider: 'Cloud VPS',
+                configuration: {
+                    os: 'Debian 11',
+                    specs: '1 vCPU, 1GB RAM, 20GB SSD',
+                    software: 'Apache mod_rewrite / Nginx',
+                    rules: 'Conditional forwarding based on headers/URI',
+                },
+                opsecConsiderations: [
+                    'Expendable infrastructure',
+                    'Minimal logging',
+                    'Geographic distribution',
+                    'Fast spin-up capability',
+                ],
+                setupProcedure: [
+                    'Deploy minimal VPS',
+                    'Install and configure web server',
+                    'Configure redirect rules',
+                    'Point to C2 backend',
+                    'Test redirection logic',
+                ],
+                teardownProcedure: [
+                    'Destroy VPS instance',
+                    'No data to preserve',
+                ],
+                monitoring: [
+                    'Basic uptime check',
+                    'Redirect success rate',
+                ],
+            },
+            {
+                id: 'INFRA-003',
+                name: 'Payload Hosting',
+                type: 'payload-host',
+                provider: 'CDN / Object Storage',
+                configuration: {
+                    service: 'AWS S3 / Azure Blob / GCS',
+                    access: 'Public read, authenticated write',
+                    caching: 'CDN caching for availability',
+                },
+                opsecConsiderations: [
+                    'Use legitimate cloud services',
+                    'Categorize as legitimate traffic',
+                    'Payload obfuscation',
+                    'Short-lived URLs',
+                ],
+                setupProcedure: [
+                    'Create storage bucket',
+                    'Configure access policies',
+                    'Upload payloads',
+                    'Enable CDN if needed',
+                    'Generate presigned URLs',
+                ],
+                teardownProcedure: [
+                    'Remove all objects',
+                    'Delete bucket',
+                    'Clean up IAM credentials',
+                ],
+                monitoring: [
+                    'Download counts',
+                    'Access patterns',
+                    'Storage costs',
+                ],
+            },
+            {
+                id: 'INFRA-004',
+                name: 'Exfiltration Endpoint',
+                type: 'exfil-endpoint',
+                provider: 'Cloud VPS',
+                configuration: {
+                    os: 'Alpine Linux',
+                    specs: '2 vCPU, 2GB RAM, 50GB SSD',
+                    protocols: ['HTTPS', 'DNS', 'ICMP'],
+                    encryption: 'AES-256-GCM',
+                },
+                opsecConsiderations: [
+                    'Separate from C2 infrastructure',
+                    'Different provider/region',
+                    'Encrypted data at rest',
+                    'Rate limiting to avoid detection',
+                ],
+                setupProcedure: [
+                    'Deploy minimal VPS',
+                    'Configure receive endpoints',
+                    'Set up encryption',
+                    'Configure data handling',
+                    'Test exfil channels',
+                ],
+                teardownProcedure: [
+                    'Transfer data to secure storage',
+                    'Secure wipe',
+                    'Destroy instance',
+                ],
+                monitoring: [
+                    'Data volume received',
+                    'Connection success rate',
+                    'Storage utilization',
+                ],
+            },
+        ];
+    }
+    /**
+     * Generate red team procedures
+     */
+    generateRedTeamProcedures() {
+        return [
+            {
+                id: 'RT-001',
+                name: 'Initial Access Procedure',
+                triggerConditions: ['Engagement start', 'New target identified'],
+                severity: 'info',
+                responseSteps: [
+                    {
+                        order: 1,
+                        action: 'OSINT and passive reconnaissance',
+                        responsible: 'Red Team Lead',
+                        timeframe: '2-4 hours',
+                        tools: ['Maltego', 'Shodan', 'LinkedIn', 'theHarvester'],
+                        outputs: ['Target profile', 'Email addresses', 'Technology stack'],
+                        decisionPoints: ['Phishing vs technical entry', 'Target prioritization'],
+                    },
+                    {
+                        order: 2,
+                        action: 'Active reconnaissance',
+                        responsible: 'Red Team Operator',
+                        timeframe: '4-8 hours',
+                        tools: ['Nmap', 'Nuclei', 'Burp Suite'],
+                        outputs: ['Port scan results', 'Vulnerability assessment', 'Attack surface map'],
+                        decisionPoints: ['Exploit availability', 'Detection risk assessment'],
+                    },
+                    {
+                        order: 3,
+                        action: 'Initial access execution',
+                        responsible: 'Red Team Operator',
+                        timeframe: 'Variable',
+                        tools: ['Phishing framework', 'Exploit kit'],
+                        outputs: ['Beacon/shell', 'Initial foothold documentation'],
+                        decisionPoints: ['Persistence required?', 'Lateral movement needed?'],
+                    },
+                ],
+                escalationPath: [
+                    { level: 1, criteria: 'Normal operation', contacts: ['Team Lead'], timeframe: 'Daily' },
+                    { level: 2, criteria: 'Blue team detection', contacts: ['Engagement Manager'], timeframe: '1 hour' },
+                    { level: 3, criteria: 'Operational incident', contacts: ['Client POC'], timeframe: 'Immediate' },
+                ],
+                communicationPlan: [
+                    { audience: 'Red Team', timing: 'Continuous', channel: 'Secure chat', template: 'Operational updates' },
+                    { audience: 'Engagement Manager', timing: 'Daily', channel: 'Secure report', template: 'Daily SITREP' },
+                ],
+                recoveryProcedures: [
+                    'Document all actions for deconfliction',
+                    'Maintain detailed timestamps',
+                    'Screenshot significant access',
+                ],
+                postIncidentActions: [
+                    'Update attack narrative',
+                    'Log IOCs for blue team',
+                    'Prepare for debrief',
+                ],
+            },
+            {
+                id: 'RT-002',
+                name: 'Privilege Escalation Procedure',
+                triggerConditions: ['Initial foothold obtained', 'Need elevated access'],
+                severity: 'medium',
+                responseSteps: [
+                    {
+                        order: 1,
+                        action: 'Local enumeration',
+                        responsible: 'Red Team Operator',
+                        timeframe: '30 minutes',
+                        tools: ['winPEAS', 'linPEAS', 'Seatbelt'],
+                        outputs: ['System info', 'User context', 'Potential vectors'],
+                        decisionPoints: ['Local vs domain escalation', 'Quick wins available?'],
+                    },
+                    {
+                        order: 2,
+                        action: 'Attempt privilege escalation',
+                        responsible: 'Red Team Operator',
+                        timeframe: '2-4 hours',
+                        tools: ['Kernel exploits', 'Misconfig abuse', 'Token manipulation'],
+                        outputs: ['Elevated shell', 'Method documentation'],
+                        decisionPoints: ['Method selection', 'Cleanup required?'],
+                    },
+                ],
+                escalationPath: [
+                    { level: 1, criteria: 'Standard operation', contacts: ['Team Lead'], timeframe: 'Daily' },
+                ],
+                communicationPlan: [
+                    { audience: 'Red Team', timing: 'On success', channel: 'Secure chat', template: 'Elevated access achieved' },
+                ],
+                recoveryProcedures: [
+                    'Document exploitation method',
+                    'Note any system changes',
+                ],
+                postIncidentActions: [
+                    'Update attack path documentation',
+                ],
+            },
+        ];
+    }
+    /**
+     * Generate appendices with raw data
+     */
+    generateAppendices() {
+        const appendices = [];
+        // Add tool outputs as appendices
+        for (const [toolName, outputs] of this.toolOutputs) {
+            if (outputs.length > 0) {
+                appendices.push({
+                    id: `APP-${toolName.toUpperCase()}`,
+                    title: `${toolName} Output`,
+                    type: 'raw-output',
+                    content: outputs.join('\n---\n').slice(0, 10000),
+                });
+            }
+        }
+        // Add RL state
+        const rlState = getRLState();
+        appendices.push({
+            id: 'APP-RL-STATE',
+            title: 'Reinforcement Learning State',
+            type: 'log',
+            content: JSON.stringify(rlState, null, 2),
+        });
+        return appendices;
+    }
+    // ═══════════════════════════════════════════════════════════════════════════════
+    // HELPER METHODS
+    // ═══════════════════════════════════════════════════════════════════════════════
+    extractTargets() {
+        const targets = new Set();
+        const ipPattern = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
+        const domainPattern = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi;
+        for (const [, outputs] of this.toolOutputs) {
+            for (const output of outputs) {
+                const ips = output.match(ipPattern);
+                const domains = output.match(domainPattern);
+                if (ips)
+                    ips.forEach(ip => targets.add(ip));
+                if (domains)
+                    domains.forEach(d => targets.add(d));
+            }
+        }
+        return Array.from(targets).slice(0, 20);
+    }
+    extractAffectedAssets(evidence) {
+        const assets = [];
+        const ipMatch = evidence.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/);
+        const portMatch = evidence.match(/port\s*[:=]?\s*(\d+)/i);
+        if (ipMatch)
+            assets.push(ipMatch[0]);
+        if (portMatch)
+            assets.push(`Port ${portMatch[1]}`);
+        return assets.length > 0 ? assets : ['Target system'];
+    }
+    getBusinessImpact(severity) {
+        const impacts = {
+            critical: 'Immediate risk of system compromise, data breach, or service disruption. Requires urgent remediation.',
+            high: 'Significant security weakness that could lead to system compromise or data exposure.',
+            medium: 'Security issue that could be exploited under certain conditions.',
+            low: 'Minor security weakness with limited exploitation potential.',
+            info: 'Informational finding for security awareness.',
+        };
+        return impacts[severity];
+    }
+    generateRemediation(match, severity) {
+        return [{
+                priority: severity === 'critical' ? 1 : severity === 'high' ? 2 : 3,
+                action: `Address ${match} finding`,
+                responsible: 'Security Team',
+                effort: severity === 'critical' || severity === 'high' ? 'high' : 'medium',
+                timeline: severity === 'critical' ? '24-48 hours' : severity === 'high' ? '1 week' : '30 days',
+                verificationMethod: 'Re-scan and verify remediation',
+            }];
+    }
+    getReferences(match) {
+        const refs = [];
+        if (/cve-\d+/i.test(match)) {
+            refs.push('https://nvd.nist.gov/vuln/detail/' + match.toUpperCase());
+        }
+        refs.push('https://cwe.mitre.org/');
+        refs.push('https://owasp.org/');
+        return refs;
+    }
+    titleCase(str) {
+        return str.charAt(0).toUpperCase() + str.slice(1).toLowerCase();
+    }
+    categorize(finding) {
+        const title = finding.title.toLowerCase();
+        if (/injection|xss|sqli/.test(title))
+            return 'Injection';
+        if (/auth|password|credential/.test(title))
+            return 'Authentication';
+        if (/config|misconfiguration/.test(title))
+            return 'Configuration';
+        if (/disclosure|exposure/.test(title))
+            return 'Information Disclosure';
+        if (/port|service/.test(title))
+            return 'Network';
+        return 'Other';
+    }
+    calculateRiskScore(bySeverity) {
+        const weights = { critical: 10, high: 7, medium: 4, low: 2, info: 0.5 };
+        let score = 0;
+        for (const [sev, count] of Object.entries(bySeverity)) {
+            score += (weights[sev] || 0) * count;
+        }
+        return Math.min(100, score);
+    }
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORT FORMATTERS
+// ═══════════════════════════════════════════════════════════════════════════════
+export function exportToMarkdown(deliverable) {
+    let md = `# ${deliverable.title}\n\n`;
+    md += `**Document ID:** ${deliverable.id}\n`;
+    md += `**Classification:** ${deliverable.classification.toUpperCase()}\n`;
+    md += `**Version:** ${deliverable.version}\n`;
+    md += `**Created:** ${new Date(deliverable.created).toISOString()}\n`;
+    md += `**Author:** ${deliverable.author}\n\n`;
+    md += `---\n\n`;
+    md += deliverable.executiveSummary + '\n\n';
+    md += `## Scope\n\n`;
+    md += `**Targets:** ${deliverable.scope.targets.join(', ')}\n`;
+    md += `**Timeframe:** ${new Date(deliverable.scope.timeframe.start).toISOString()} - ${new Date(deliverable.scope.timeframe.end).toISOString()}\n`;
+    md += `**Authorization:** ${deliverable.scope.authorizationRef}\n\n`;
+    md += `## Methodology\n\n`;
+    deliverable.methodology.forEach(m => { md += `- ${m}\n`; });
+    md += '\n';
+    if (deliverable.findings.length > 0) {
+        md += `## Findings\n\n`;
+        for (const finding of deliverable.findings) {
+            md += `### ${finding.id}: ${finding.title}\n\n`;
+            md += `**Severity:** ${finding.severity.toUpperCase()}\n`;
+            md += `**Description:** ${finding.description}\n\n`;
+            md += `**Business Impact:** ${finding.businessImpact}\n\n`;
+            md += `**Evidence:**\n\`\`\`\n${finding.evidence.join('\n')}\n\`\`\`\n\n`;
+            md += `**Remediation:**\n`;
+            finding.remediation.forEach(r => {
+                md += `- ${r.action} (${r.timeline})\n`;
+            });
+            md += '\n';
+        }
+    }
+    if (deliverable.procedures && deliverable.procedures.length > 0) {
+        md += `## Procedures\n\n`;
+        for (const proc of deliverable.procedures) {
+            md += `### ${proc.id}: ${proc.name}\n\n`;
+            md += `**Severity:** ${proc.severity.toUpperCase()}\n\n`;
+            md += `**Trigger Conditions:**\n`;
+            proc.triggerConditions.forEach(t => { md += `- ${t}\n`; });
+            md += '\n**Response Steps:**\n';
+            proc.responseSteps.forEach(step => {
+                md += `${step.order}. **${step.action}** (${step.responsible}, ${step.timeframe})\n`;
+                md += `   - Tools: ${step.tools.join(', ')}\n`;
+                md += `   - Outputs: ${step.outputs.join(', ')}\n`;
+            });
+            md += '\n';
+        }
+    }
+    if (deliverable.controls && deliverable.controls.length > 0) {
+        md += `## Security Controls\n\n`;
+        md += `| ID | Control | Status | Gaps |\n`;
+        md += `|----|---------|--------|------|\n`;
+        for (const ctrl of deliverable.controls) {
+            md += `| ${ctrl.id} | ${ctrl.name} | ${ctrl.status} | ${ctrl.gaps.join('; ') || 'None'} |\n`;
+        }
+        md += '\n';
+    }
+    if (deliverable.persistence && deliverable.persistence.length > 0) {
+        md += `## Persistence Mechanisms\n\n`;
+        for (const pers of deliverable.persistence) {
+            md += `### ${pers.id}: ${pers.name}\n\n`;
+            md += `**Platform:** ${pers.platform}\n`;
+            md += `**MITRE ATT&CK:** ${pers.mitreTechnique}\n`;
+            md += `**Stealth Rating:** ${(pers.stealthRating * 100).toFixed(0)}%\n`;
+            md += `**Detection Difficulty:** ${pers.detectionDifficulty}\n\n`;
+            md += `**Implementation:**\n\`\`\`\n${pers.implementation}\n\`\`\`\n\n`;
+            md += `**Artifacts:**\n`;
+            pers.artifacts.forEach(a => { md += `- ${a}\n`; });
+            md += `\n**Detection Indicators:**\n`;
+            pers.detectionIndicators.forEach(d => { md += `- ${d}\n`; });
+            md += '\n';
+        }
+    }
+    md += `## Metrics\n\n`;
+    md += `- Total Findings: ${deliverable.metrics.totalFindings}\n`;
+    md += `- Risk Score: ${deliverable.metrics.riskScore}/100\n`;
+    md += `- Severity Distribution:\n`;
+    for (const [sev, count] of Object.entries(deliverable.metrics.bySeverity)) {
+        if (count > 0)
+            md += `  - ${sev}: ${count}\n`;
+    }
+    md += `- Tools Used: ${deliverable.metrics.toolsUsed.join(', ')}\n`;
+    md += `- Attack Chain Stats: ${deliverable.metrics.chainStats.completed}/${deliverable.metrics.chainStats.total} completed\n`;
+    return md;
+}
+export function exportToJSON(deliverable) {
+    return JSON.stringify(deliverable, null, 2);
+}
+export function exportToHTML(deliverable) {
+    const md = exportToMarkdown(deliverable);
+    // Basic markdown to HTML conversion
+    let html = `<!DOCTYPE html>
+<html>
+<head>
+  <title>${deliverable.title}</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; }
+    h1, h2, h3 { color: #333; }
+    code, pre { background: #f5f5f5; padding: 2px 6px; border-radius: 4px; }
+    pre { padding: 15px; overflow-x: auto; }
+    table { border-collapse: collapse; width: 100%; }
+    th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
+    th { background: #f5f5f5; }
+    .critical { color: #d32f2f; font-weight: bold; }
+    .high { color: #f57c00; font-weight: bold; }
+    .medium { color: #fbc02d; }
+    .low { color: #388e3c; }
+  </style>
+</head>
+<body>
+${md
+        .replace(/^### (.+)$/gm, '<h3>$1</h3>')
+        .replace(/^## (.+)$/gm, '<h2>$1</h2>')
+        .replace(/^# (.+)$/gm, '<h1>$1</h1>')
+        .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
+        .replace(/`([^`]+)`/g, '<code>$1</code>')
+        .replace(/```\n([\s\S]*?)```/g, '<pre>$1</pre>')
+        .replace(/^- (.+)$/gm, '<li>$1</li>')
+        .replace(/\n\n/g, '</p><p>')
+        .replace(/CRITICAL/g, '<span class="critical">CRITICAL</span>')
+        .replace(/HIGH/g, '<span class="high">HIGH</span>')}
+</body>
+</html>`;
+    return html;
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// SINGLETON INSTANCE
+// ═══════════════════════════════════════════════════════════════════════════════
+export const securityDeliverableGenerator = new SecurityDeliverableGenerator();
+//# sourceMappingURL=securityDeliverableGenerator.js.map