icarus-cmd 0.3.1

package/src/core/store.js

@@ -0,0 +1,82 @@
+// Stockage des résultats : un simple fichier JSON (pas de dépendance native à
+// compiler sous Windows). Tous les outils écrivent leurs "findings" normalisés
+// au même endroit -> c'est ça, "tout regrouper".
+
+import { mkdirSync, readFileSync, writeFileSync, existsSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const ROOT = join(dirname(fileURLToPath(import.meta.url)), '..', '..');
+export const DATA_DIR = join(ROOT, 'data');
+const DB_FILE = join(DATA_DIR, 'db.json');
+
+function ensureDir() {
+  if (!existsSync(DATA_DIR)) mkdirSync(DATA_DIR, { recursive: true });
+}
+
+function load() {
+  ensureDir();
+  if (!existsSync(DB_FILE)) return { scans: [], findings: [] };
+  try {
+    return JSON.parse(readFileSync(DB_FILE, 'utf8'));
+  } catch {
+    return { scans: [], findings: [] };
+  }
+}
+
+function save(db) {
+  ensureDir();
+  writeFileSync(DB_FILE, JSON.stringify(db, null, 2), 'utf8');
+}
+
+// Enregistre une exécution d'outil et renvoie son id.
+export function recordScan({ tool, target, code, command }) {
+  const db = load();
+  const scan = {
+    id: crypto.randomUUID(),
+    tool,
+    target,
+    code,
+    command,
+    startedAt: new Date().toISOString(),
+  };
+  db.scans.push(scan);
+  save(db);
+  return scan.id;
+}
+
+// Ajoute des findings normalisés (le runner les enrichit avec scanId/tool/target).
+export function addFindings(findings) {
+  if (!findings?.length) return [];
+  const db = load();
+  const enriched = findings.map((f) => ({
+    id: crypto.randomUUID(),
+    timestamp: new Date().toISOString(),
+    severity: 'unknown',
+    type: 'finding',
+    ...f,
+  }));
+  db.findings.push(...enriched);
+  save(db);
+  return enriched;
+}
+
+export function allFindings() {
+  return load().findings;
+}
+
+export function findingsForTarget(target) {
+  return load().findings.filter((f) => f.target === target);
+}
+
+export function allScans() {
+  return load().scans;
+}
+
+export function targets() {
+  return [...new Set(load().findings.map((f) => f.target))];
+}
+
+export function clearAll() {
+  save({ scans: [], findings: [] });
+}

package/src/core/target.js

@@ -0,0 +1,5 @@
+// Helpers de cible partagés (TUI + Web).
+
+export const toHost = (t) => String(t).replace(/^https?:\/\//, '').replace(/\/.*$/, '');
+export const toUrl = (t) => (/^https?:\/\//.test(t) ? t : `http://${t}`);
+export const effectiveTarget = (tool, target) => (tool.needs === 'url' ? toUrl(target) : toHost(target));

package/src/index.js

@@ -0,0 +1,425 @@
+#!/usr/bin/env node
+// Icarus — point d'entrée.
+//   (sans argument)        -> TUI interactive
+//   doctor                 -> état des outils (installé / manquant)
+//   scan <cible> [options] -> scan non interactif (scriptable)
+//   report                 -> rapport HTML + JSON depuis les résultats
+//   help                   -> aide
+
+import chalk from 'chalk';
+import Table from 'cli-table3';
+import { select, input, checkbox, confirm } from '@inquirer/prompts';
+
+import { TOOLS, PROFILES, getTool, toolStatus, availableIds } from './core/registry.js';
+import { runTool } from './core/runner.js';
+import { allFindings, findingsForTarget, allScans, clearAll, targets, recordScan, addFindings } from './core/store.js';
+import { analyzeCode } from './core/codescan.js';
+import { setupTools } from './core/setup.js';
+import { existsSync } from 'node:fs';
+import { banner, intro, rule } from './ui/banner.js';
+import { startSpinner, ICON, chevron, sleep, isTTY } from './ui/anim.js';
+import { renderFindings } from './ui/results.js';
+import { generateReport } from './report/html.js';
+import { startWeb } from './web/server.js';
+import { paint, rank } from './core/severity.js';
+import { spawn } from 'node:child_process';
+
+const toHost = (t) => String(t).replace(/^https?:\/\//, '').replace(/\/.*$/, '');
+const toUrl = (t) => (/^https?:\/\//.test(t) ? t : `http://${t}`);
+const effectiveTarget = (tool, target) => (tool.needs === 'url' ? toUrl(target) : toHost(target));
+
+function openBrowser(url) {
+  const cmd = process.platform === 'win32' ? 'cmd' : process.platform === 'darwin' ? 'open' : 'xdg-open';
+  const args = process.platform === 'win32' ? ['/c', 'start', '', url] : [url];
+  try { spawn(cmd, args, { detached: true, stdio: 'ignore' }).unref(); } catch { /* ignore */ }
+}
+
+// ---------- Affichages partagés ----------
+
+function statusTable({ fresh = false } = {}) {
+  const table = new Table({
+    head: ['Outil', 'Catégorie', 'État', 'Chemin / installation'].map((h) => chalk.bold(h)),
+    style: { head: [], border: ['grey'] },
+    colWidths: [14, 12, 16, 58],
+    wordWrap: true,
+  });
+  for (const { tool, bin, available } of toolStatus({ fresh })) {
+    table.push([
+      tool.name,
+      tool.category,
+      available ? chalk.green('✓ installé') : chalk.red('✗ manquant'),
+      available ? chalk.gray(bin) : chalk.yellow(tool.install),
+    ]);
+  }
+  return table.toString();
+}
+
+function summarize(findings) {
+  if (!findings.length) return chalk.gray('aucun finding');
+  const counts = {};
+  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
+  return Object.entries(counts)
+    .sort((a, b) => rank(a[0]) - rank(b[0]))
+    .map(([s, n]) => paint(chalk, s, `${s}:${n}`))
+    .join('  ');
+}
+
+// Résout une liste d'ids d'outils en gardant ceux installés, et signale les autres.
+function resolveTools(ids) {
+  const avail = new Set(availableIds());
+  const run = ids.filter((id) => getTool(id) && avail.has(id));
+  const skipped = ids.filter((id) => getTool(id) && !avail.has(id));
+  return { run, skipped };
+}
+
+// ---------- Exécution d'un scan ----------
+
+const FAST_OPTS = { fast: true, topPorts: '100', depth: 1, severity: 'critical,high', level: 1, risk: 1 };
+
+async function runScan(target, toolIds, { opts = {}, quiet = false, parallel = false } = {}) {
+  const all = [];
+
+  if (parallel) {
+    console.log('');
+    let done = 0;
+    const total = toolIds.length;
+    const spin = startSpinner(chalk.gray(`0/${total} — ${toolIds.map((id) => getTool(id).name).join(', ')}`));
+    await Promise.all(toolIds.map((id) => {
+      const tool = getTool(id);
+      const et = effectiveTarget(tool, target);
+      return runTool(tool, et, { opts }).then((res) => {
+        done += 1;
+        if (!res.ok && res.error) spin.log(chalk.red(`  ⚠ ${chalk.bold(tool.name)}: ${res.error}`));
+        else spin.log(`  ${chalk.green('✓')} ${chalk.bold(tool.name)}  ${summarize(res.findings)}`);
+        spin.update(chalk.gray(`${done}/${total} terminés…`));
+        all.push(...res.findings);
+      });
+    }));
+    spin.stop(chalk.gray(`  ▸ ${total} outils terminés.`));
+  } else {
+    for (const id of toolIds) {
+      const tool = getTool(id);
+      const et = effectiveTarget(tool, target);
+      console.log('\n' + chalk.bgHex('#f59e0b').black.bold(` ${tool.name} `) + chalk.hex('#fb923c')(` → ${et}`));
+      const res = await runTool(tool, et, {
+        opts,
+        onLog: (l) => console.log(chalk.gray(l)),
+        onData: quiet ? undefined : (s) => process.stdout.write(chalk.dim(s)),
+      });
+      if (!res.ok && res.error) console.log(chalk.red(`  ⚠ ${res.error}`));
+      console.log(chalk.bold(`  ${tool.name}: `) + summarize(res.findings));
+      all.push(...res.findings);
+    }
+  }
+
+  console.log('\n' + chalk.bold('Bilan du scan : ') + summarize(all));
+  return all;
+}
+
+// ---------- TUI interactive ----------
+
+async function chooseTools(target) {
+  const mode = await select({
+    message: 'Comment choisir les outils ?',
+    choices: [
+      ...Object.entries(PROFILES).map(([id, p]) => ({
+        name: `${chevron}  Profil ${chalk.bold(p.label)} ${chalk.gray(`(${p.tools.length} outils)`)}`,
+        value: `profile:${id}`,
+      })),
+      { name: `${chevron}  Sélection manuelle`, value: 'manual' },
+    ],
+  });
+
+  if (mode.startsWith('profile:')) {
+    const { run, skipped } = resolveTools(PROFILES[mode.split(':')[1]].tools);
+    if (skipped.length) console.log(chalk.gray(`  (ignorés, non installés : ${skipped.join(', ')})`));
+    return run;
+  }
+
+  const statuses = toolStatus();
+  return checkbox({
+    message: 'Outils à lancer (espace = cocher) :',
+    choices: statuses.map(({ tool, available }) => ({
+      name: `${tool.name.padEnd(10)} ${chalk.gray(tool.description)}${available ? '' : chalk.red('  [manquant]')}`,
+      value: tool.id,
+      checked: available && tool.category === 'recon',
+      disabled: available ? false : `→ ${tool.install}`,
+    })),
+  });
+}
+
+async function gatherOpts(picks, target) {
+  const opts = {};
+  if (picks.includes('nmap')) {
+    opts.vuln = await confirm({ message: 'nmap : activer les scripts NSE de détection de vulns (--script vuln) ?', default: false });
+  }
+  if (picks.includes('sqlmap')) {
+    const url = toUrl(target);
+    if (!url.includes('?')) console.log(chalk.yellow(`  Astuce sqlmap : une URL avec paramètre marche mieux (ex: ${url}?id=1)`));
+    opts.level = Number(await input({ message: 'sqlmap --level (1-5) :', default: '1' })) || 1;
+  }
+  return opts;
+}
+
+async function tui() {
+  await intro();
+  let target = targets()[0] || null;
+
+  for (;;) {
+    const nAvail = availableIds().length;
+    console.log(
+      '\n' + chalk.gray('Cible : ') +
+        (target ? chalk.hex('#fb923c')(target) : chalk.red('(aucune)')) +
+        chalk.gray(`   ·   outils dispo : ${nAvail}/${TOOLS.length}`)
+    );
+
+    const action = await select({
+      message: 'Menu Icarus',
+      choices: [
+        { name: `${chevron}  Définir / changer la cible`, value: 'target' },
+        { name: `${chevron}  Lancer un scan`, value: 'scan', disabled: !target && '(définis une cible)' },
+        { name: `${chevron}  Voir les résultats`, value: 'results' },
+        { name: `${chevron}  Générer un rapport (HTML + JSON)`, value: 'report' },
+        { name: `${chevron}  État des outils`, value: 'status' },
+        { name: `${chevron}  Effacer les résultats`, value: 'clear' },
+        { name: `${chevron}  Quitter`, value: 'quit' },
+      ],
+    });
+
+    if (action === 'quit') { console.log(chalk.gray(`${ICON.star} Bon vol.`)); return; }
+
+    if (action === 'target') {
+      const v = (await input({ message: 'Cible (IP, hostname ou URL) :', default: target || '' })).trim();
+      if (v) target = v;
+    }
+
+    if (action === 'status') console.log('\n' + statusTable({ fresh: true }));
+
+    if (action === 'clear') {
+      if (await confirm({ message: 'Effacer TOUS les résultats stockés ?', default: false })) {
+        clearAll();
+        console.log(chalk.yellow('Résultats effacés.'));
+      }
+    }
+
+    if (action === 'results') {
+      const ts = targets();
+      const scope = ts.length > 1
+        ? await select({ message: 'Quels résultats ?', choices: [{ name: 'Tous', value: '__all__' }, ...ts.map((t) => ({ name: t, value: t }))] })
+        : '__all__';
+      const data = scope === '__all__' ? allFindings() : findingsForTarget(scope);
+      console.log(renderFindings(data, { title: `Résultats — ${scope === '__all__' ? 'tout' : scope}` }));
+    }
+
+    if (action === 'report') {
+      const { htmlPath, jsonPath } = generateReport(allFindings(), { scans: allScans() });
+      console.log(chalk.green('\n✓ Rapport généré :'));
+      console.log('  ' + chalk.hex('#fb923c')(htmlPath));
+      console.log('  ' + chalk.gray(jsonPath));
+    }
+
+    if (action === 'scan') {
+      const picks = await chooseTools(target);
+      if (!picks.length) { console.log(chalk.yellow('Aucun outil disponible/sélectionné.')); continue; }
+
+      const mode = await select({
+        message: 'Mode',
+        choices: [
+          { name: `${chevron}  Rapide (parallèle, options légères)`, value: 'fast' },
+          { name: `${chevron}  Parallèle (tout en même temps)`, value: 'parallel' },
+          { name: `${chevron}  Séquentiel (sortie live détaillée)`, value: 'seq' },
+        ],
+      });
+
+      const opts = mode === 'fast' ? { ...FAST_OPTS, timeout: 60 } : await gatherOpts(picks, target);
+
+      if (await confirm({ message: `Lancer ${picks.length} outil(s) sur ${chalk.hex('#fb923c')(target)} ?`, default: true })) {
+        console.log('\n' + rule('SCAN'));
+        const found = await runScan(target, picks, { opts, parallel: mode !== 'seq' });
+        console.log(renderFindings(found, { title: `Résultats — ${target}` }));
+      }
+    }
+  }
+}
+
+// ---------- CLI non interactive ----------
+
+function parseFlags(args) {
+  const flags = {};
+  const positional = [];
+  for (let i = 0; i < args.length; i++) {
+    if (args[i].startsWith('--')) {
+      const key = args[i].slice(2);
+      const val = args[i + 1] && !args[i + 1].startsWith('--') ? args[++i] : true;
+      flags[key] = val;
+    } else positional.push(args[i]);
+  }
+  return { flags, positional };
+}
+
+function help() {
+  console.log(banner());
+  console.log(`${chalk.bold('Usage')}
+  ${chalk.hex('#fb923c')('icarus')}                         TUI interactive (terminal)
+  ${chalk.hex('#fb923c')('icarus web')}                     Lance l'interface web locale (http://localhost:7373)
+  ${chalk.hex('#fb923c')('icarus setup')}                   Télécharge les outils (nuclei, httpx, ffuf…)
+  ${chalk.hex('#fb923c')('icarus doctor')}                  État des outils (installé/manquant)
+  ${chalk.hex('#fb923c')('icarus scan <cible>')}            Scan non interactif
+  ${chalk.hex('#fb923c')('icarus code <fichier|dossier>')}  Analyse statique du code (SAST) — failles dans le code
+  ${chalk.hex('#fb923c')('icarus report')}                  Rapport HTML + JSON
+  ${chalk.hex('#fb923c')('icarus help')}                    Cette aide
+
+  ${chalk.gray('icarus web --port 8080      change le port')}
+  ${chalk.gray('icarus web --no-open        ne pas ouvrir le navigateur')}
+
+${chalk.bold('Options de scan')}
+  ${chalk.gray('--fast                          mode rapide (parallèle + options légères)')}
+  ${chalk.gray('--parallel                      lance tous les outils en même temps')}
+  ${chalk.gray('--profile recon|web|vuln|full   enchaîne un profil d\'outils')}
+  ${chalk.gray('--tools nmap,nuclei,sqlmap      choisit des outils précis')}
+  ${chalk.gray('--vuln                          nmap: scripts NSE de vulns')}
+  ${chalk.gray('--level 3 --risk 2              options sqlmap')}
+  ${chalk.gray('--timeout 90                    délai max par outil (s)')}
+  ${chalk.gray('--quiet                         sans sortie live')}
+
+${chalk.bold('Profils')}
+${Object.entries(PROFILES).map(([id, p]) => `  ${chalk.hex('#fb923c')(id.padEnd(7))} ${p.label} ${chalk.gray(`(${p.tools.join(', ')})`)}`).join('\n')}
+
+${chalk.bold('Exemples')}
+  ${chalk.gray('icarus scan example.com --profile recon')}
+  ${chalk.gray('icarus scan http://site/p?id=1 --tools sqlmap --level 3')}
+`);
+}
+
+async function main() {
+  const [cmd, ...rest] = process.argv.slice(2);
+
+  if (!cmd) return tui();
+  if (['help', '-h', '--help'].includes(cmd)) return help();
+
+  if (cmd === 'doctor') {
+    console.log(banner());
+    console.log(statusTable({ fresh: true }));
+    return;
+  }
+
+  if (cmd === 'web') {
+    const { flags } = parseFlags(rest);
+    const port = Number(flags.port) || 7373;
+    console.log(banner());
+    const { url } = await startWeb({ port });
+    console.log(chalk.green('✓ Interface web Icarus lancée :') + '  ' + chalk.hex('#fb923c').bold(url));
+    console.log(chalk.gray('  (Ctrl+C pour arrêter)'));
+    if (!flags['no-open']) openBrowser(url);
+    return; // le serveur garde le process en vie
+  }
+
+  if (cmd === 'report') {
+    const { htmlPath, jsonPath } = generateReport(allFindings(), { scans: allScans() });
+    console.log(chalk.green('✓ Rapport généré :'));
+    console.log('  ' + htmlPath);
+    console.log('  ' + jsonPath);
+    return;
+  }
+
+  if (cmd === 'setup' || cmd === 'install') {
+    console.log(banner());
+    await setupTools();
+    return;
+  }
+
+  if (cmd === 'code' || cmd === 'sast') {
+    const { positional } = parseFlags(rest);
+    return doCodeScan(positional[0] || '.');
+  }
+
+  if (cmd === 'scan') {
+    const { flags, positional } = parseFlags(rest);
+    return doScanCli(positional[0], flags);
+  }
+
+  // Cible "nue" : `icarus example.com`, ou `icarus ./fichier.js` -> analyse code
+  if (!cmd.startsWith('-')) {
+    if (existsSync(cmd)) return doCodeScan(cmd); // chemin local => SAST
+    const { flags } = parseFlags(rest);
+    return doScanCli(cmd, flags);
+  }
+
+  console.log(chalk.red(`Commande inconnue : ${cmd}`));
+  help();
+  process.exit(1);
+}
+
+const SEV_COLOR = { critical: '#dc2626', high: '#f97316', medium: '#eab308', low: '#3b82f6', info: '#6b7280', unknown: '#9ca3af' };
+const SEV_ICON = { critical: ICON.critical, high: ICON.high, medium: ICON.medium, low: ICON.low, info: ICON.info, unknown: ICON.info };
+const sevTag = (s) => chalk.hex(SEV_COLOR[s] || '#9ca3af').bold(`${SEV_ICON[s] || '•'} ${String(s || '?').toUpperCase()}`);
+
+// Analyse statique du code (SAST) d'un fichier ou dossier local.
+async function doCodeScan(target) {
+  console.log('\n' + rule(`ANALYSE CODE — ${target}`));
+  const spin = startSpinner(chalk.gray('analyse du code…'));
+  const res = analyzeCode(target);
+  await sleep(180); // laisse voir le spinner même sur petit scan
+  spin.stop();
+  if (res.error) { console.log(chalk.red(`  ${ICON.warn} ` + res.error)); process.exit(1); }
+
+  const scanId = recordScan({ tool: 'codescan', target, code: 0, command: `codescan ${target}` });
+  const stored = addFindings(res.findings.map((f) => ({ scanId, tool: 'codescan', target, ...f })));
+
+  console.log(chalk.gray(`  ${res.files} fichier(s) analysé(s)\n`));
+  if (!stored.length) { console.log(chalk.green(`  ${ICON.ok} Aucun motif de vulnérabilité détecté.\n`)); return; }
+
+  const order = ['critical', 'high', 'medium', 'low', 'info', 'unknown'];
+  stored.sort((a, b) => order.indexOf(a.severity) - order.indexOf(b.severity));
+  const stagger = isTTY() && stored.length <= 40;
+  for (const f of stored) {
+    console.log('  ' + sevTag(f.severity) + '  ' + chalk.bold(f.title));
+    console.log('      ' + chalk.gray(f.detail));
+    if (stagger) await sleep(35); // révélation animée
+  }
+  const counts = {};
+  for (const f of stored) counts[f.severity] = (counts[f.severity] || 0) + 1;
+  console.log('\n  ' + chalk.bold('Bilan  ') + order.filter((s) => counts[s]).map((s) => sevTag(s) + ' ' + counts[s]).join('    '));
+  console.log(chalk.gray(`\n  ${ICON.report} Rapport complet :  icarus report\n`));
+}
+
+async function doScanCli(target, flags) {
+  if (!target) { console.log(chalk.red('Cible manquante. Ex : icarus example.com  ·  icarus scan example.com --profile recon')); process.exit(1); }
+
+  let ids;
+  if (flags.profile) {
+    const prof = PROFILES[flags.profile];
+    if (!prof) { console.log(chalk.red(`Profil inconnu : ${flags.profile}. Dispo : ${Object.keys(PROFILES).join(', ')}`)); process.exit(1); }
+    ids = prof.tools;
+  } else if (flags.tools) {
+    ids = String(flags.tools).split(',').map((s) => s.trim());
+  } else {
+    ids = availableIds();
+  }
+
+  const { run, skipped } = resolveTools(ids);
+  if (skipped.length) console.log(chalk.gray(`Ignorés (non installés) : ${skipped.join(', ')}`));
+  if (!run.length) { console.log(chalk.red('Aucun outil disponible. Lance : icarus doctor')); process.exit(1); }
+
+  const opts = {};
+  if (flags.fast) Object.assign(opts, FAST_OPTS);
+  if (flags.vuln) opts.vuln = true;
+  if (flags.scripts) opts.scripts = true;
+  if (flags.level) opts.level = Number(flags.level);
+  if (flags.risk) opts.risk = Number(flags.risk);
+  if (flags.depth) opts.depth = Number(flags.depth);
+  if (flags.wordlist) opts.wordlist = String(flags.wordlist);
+  opts.timeout = Number(flags.timeout) || (flags.fast ? 60 : 0);
+
+  const parallel = Boolean(flags.parallel || flags.fast);
+
+  console.log(banner());
+  await runScan(target, run, { opts, quiet: Boolean(flags.quiet), parallel });
+  console.log(chalk.gray('\nGénère le rapport avec :  ') + chalk.hex('#fb923c')('icarus report') + chalk.gray('   ·   ou ouvre le web :  ') + chalk.hex('#fb923c')('icarus web'));
+}
+
+main().catch((err) => {
+  if (err?.name === 'ExitPromptError') { console.log(chalk.gray('\nInterrompu.')); process.exit(0); }
+  console.error(chalk.red('Erreur :'), err?.message || err);
+  process.exit(1);
+});

package/src/report/html.js

@@ -0,0 +1,166 @@
+// Génère un rapport HTML autonome (un seul fichier, interactif) + un export JSON,
+// à partir des findings et scans stockés.
+
+import { writeFileSync, mkdirSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { DATA_DIR } from '../core/store.js';
+import { rank, normalize, SEVERITIES } from '../core/severity.js';
+
+const COLORS = {
+  critical: '#b91c1c', high: '#ef4444', medium: '#f59e0b',
+  low: '#06b6d4', info: '#64748b', unknown: '#475569',
+};
+
+const esc = (s) =>
+  String(s ?? '').replace(/[&<>"]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
+
+export function generateReport(findings, { scans = [] } = {}) {
+  const reportsDir = join(DATA_DIR, 'reports');
+  if (!existsSync(reportsDir)) mkdirSync(reportsDir, { recursive: true });
+  const stamp = new Date().toISOString().replace(/[:.]/g, '-');
+
+  const jsonPath = join(reportsDir, `icarus-${stamp}.json`);
+  writeFileSync(jsonPath, JSON.stringify({ tool: 'Icarus', generatedAt: new Date().toISOString(), scans, findings }, null, 2));
+
+  const sorted = [...findings].sort((a, b) => rank(a.severity) - rank(b.severity) || String(a.target).localeCompare(b.target));
+  const counts = {};
+  for (const f of findings) { const s = normalize(f.severity); counts[s] = (counts[s] || 0) + 1; }
+  const total = findings.length || 0;
+  const targetsList = [...new Set(findings.map((f) => f.target))];
+  const toolsUsed = [...new Set(findings.map((f) => f.tool))];
+
+  // Cartes de synthèse par sévérité.
+  const cards = SEVERITIES.filter((s) => counts[s]).map((sev) =>
+    `<div class="card" style="--c:${COLORS[sev]}">
+       <div class="num">${counts[sev]}</div><div class="lbl">${esc(sev)}</div>
+     </div>`).join('');
+
+  // Barre de répartition.
+  const bar = SEVERITIES.filter((s) => counts[s]).map((s) =>
+    `<span style="width:${((counts[s] / total) * 100).toFixed(1)}%;background:${COLORS[s]}" title="${esc(s)}: ${counts[s]}"></span>`).join('');
+
+  // Puces de filtre.
+  const chips = SEVERITIES.filter((s) => counts[s]).map((s) =>
+    `<button class="chip on" data-sev="${s}" style="--c:${COLORS[s]}">${esc(s)} <b>${counts[s]}</b></button>`).join('');
+
+  const rows = sorted.map((f) => {
+    const sev = normalize(f.severity);
+    const hay = `${f.tool} ${f.target} ${f.title} ${f.detail} ${f.ref}`.toLowerCase();
+    return `<tr data-sev="${sev}" data-text="${esc(hay)}">
+      <td><span class="sev" style="background:${COLORS[sev]}">${esc(sev)}</span></td>
+      <td class="mono">${esc(f.tool)}</td>
+      <td class="mono">${esc(f.target)}</td>
+      <td>${esc(f.title)}</td>
+      <td class="muted">${esc(f.detail || '')}</td>
+      <td class="mono muted">${esc(f.ref || '')}</td>
+    </tr>`;
+  }).join('');
+
+  const scanRows = scans.map((s) =>
+    `<tr><td class="mono">${esc(s.tool)}</td><td class="mono">${esc(s.target)}</td>
+     <td>${s.code === 0 ? '<span class="ok">0</span>' : `<span class="bad">${esc(s.code)}</span>`}</td>
+     <td class="mono muted">${esc(s.command)}</td>
+     <td class="muted">${esc(new Date(s.startedAt).toLocaleString('fr-FR'))}</td></tr>`).join('');
+
+  const html = `<!doctype html><html lang="fr"><head><meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Icarus — Rapport de pentest</title>
+<style>
+  :root{--bg:#0b1120;--panel:#111c33;--panel2:#16213b;--line:#243149;--txt:#e2e8f0;--muted:#94a3b8;--accent:#f59e0b}
+  *{box-sizing:border-box}
+  body{font:14px/1.55 'Segoe UI',system-ui,sans-serif;margin:0;background:var(--bg);color:var(--txt)}
+  header{padding:28px 36px;background:linear-gradient(135deg,#1e293b,#0b1120);border-bottom:1px solid var(--line);display:flex;justify-content:space-between;align-items:center;flex-wrap:wrap;gap:12px}
+  .brand{font-size:26px;font-weight:800;letter-spacing:1px}
+  .brand span{color:var(--accent)}
+  .sub{color:var(--muted);font-size:13px;margin-top:4px}
+  .meta{text-align:right;color:var(--muted);font-size:13px}
+  section{padding:22px 36px}
+  h2{font-size:13px;text-transform:uppercase;letter-spacing:1.4px;color:var(--muted);margin:0 0 14px}
+  .cards{display:flex;gap:14px;flex-wrap:wrap}
+  .card{background:var(--panel);border:1px solid var(--line);border-left:4px solid var(--c);border-radius:12px;padding:14px 22px;min-width:104px}
+  .card .num{font-size:30px;font-weight:800;color:var(--c)}
+  .card .lbl{font-size:11px;text-transform:uppercase;letter-spacing:1px;color:var(--muted)}
+  .stat{display:flex;gap:26px;flex-wrap:wrap;margin-top:8px;color:var(--muted)}
+  .stat b{color:var(--txt);font-size:18px}
+  .bar{display:flex;height:14px;border-radius:8px;overflow:hidden;margin-top:16px;border:1px solid var(--line)}
+  .bar span{display:block}
+  .controls{display:flex;gap:10px;flex-wrap:wrap;align-items:center;margin-bottom:14px}
+  .chip{background:transparent;border:1px solid var(--c);color:var(--c);border-radius:20px;padding:5px 13px;font-size:12px;cursor:pointer;text-transform:uppercase;letter-spacing:.5px;opacity:.45;transition:.15s}
+  .chip.on{background:var(--c);color:#0b1120;opacity:1;font-weight:700}
+  .chip b{font-weight:800}
+  input.search{flex:1;min-width:200px;background:var(--panel);border:1px solid var(--line);color:var(--txt);border-radius:8px;padding:8px 12px;font-size:13px}
+  table{width:100%;border-collapse:collapse;background:var(--panel);border:1px solid var(--line);border-radius:12px;overflow:hidden}
+  th,td{padding:9px 12px;text-align:left;border-bottom:1px solid var(--line);vertical-align:top}
+  th{background:var(--panel2);font-size:11px;text-transform:uppercase;letter-spacing:.6px;color:var(--muted);position:sticky;top:0}
+  tr:hover td{background:#1a2740}
+  .sev{color:#fff;padding:2px 9px;border-radius:6px;font-size:11px;text-transform:uppercase;font-weight:700}
+  .mono{font-family:ui-monospace,Consolas,monospace;font-size:12px}
+  .muted{color:var(--muted)}
+  .ok{color:#22c55e;font-weight:700}.bad{color:#ef4444;font-weight:700}
+  details{margin-top:8px}summary{cursor:pointer;color:var(--muted)}
+  footer{padding:24px 36px;color:var(--muted);font-size:12px;border-top:1px solid var(--line)}
+  .empty{padding:30px;text-align:center;color:var(--muted)}
+</style></head><body>
+<header>
+  <div><div class="brand">ICARUS<span>.</span></div><div class="sub">Plateforme de pentest tout-en-un — rapport consolidé</div></div>
+  <div class="meta">Généré le ${esc(new Date().toLocaleString('fr-FR'))}<br>${esc(targetsList.join(', ') || '—')}</div>
+</header>
+
+<section>
+  <h2>Résumé exécutif</h2>
+  <div class="cards">${cards || '<div class="card" style="--c:#475569"><div class="num">0</div><div class="lbl">findings</div></div>'}</div>
+  <div class="stat">
+    <div><b>${total}</b> findings</div>
+    <div><b>${targetsList.length}</b> cible(s)</div>
+    <div><b>${toolsUsed.length}</b> outil(s)</div>
+    <div><b>${scans.length}</b> scan(s)</div>
+  </div>
+  <div class="bar">${bar}</div>
+</section>
+
+<section>
+  <h2>Findings</h2>
+  <div class="controls">
+    ${chips}
+    <input class="search" id="q" placeholder="🔎 filtrer (outil, cible, texte…)">
+  </div>
+  <table id="tbl"><thead><tr>
+    <th>Sévérité</th><th>Outil</th><th>Cible</th><th>Finding</th><th>Détail</th><th>Réf</th>
+  </tr></thead><tbody>${rows || '<tr><td colspan="6" class="empty">Aucun résultat enregistré.</td></tr>'}</tbody></table>
+</section>
+
+<section>
+  <details><summary>Annexe — journal des scans (${scans.length})</summary>
+  <table style="margin-top:12px"><thead><tr><th>Outil</th><th>Cible</th><th>Code</th><th>Commande</th><th>Date</th></tr></thead>
+  <tbody>${scanRows || '<tr><td colspan="5" class="empty">—</td></tr>'}</tbody></table>
+  </details>
+</section>
+
+<footer>Rapport généré par <b>Icarus</b> · usage strictement autorisé. Les findings doivent être validés manuellement (faux positifs possibles).</footer>
+
+<script>
+  const active = new Set([...document.querySelectorAll('.chip')].map(c=>c.dataset.sev));
+  const rows = [...document.querySelectorAll('#tbl tbody tr')];
+  const q = document.getElementById('q');
+  function apply(){
+    const term = q.value.trim().toLowerCase();
+    for(const r of rows){
+      if(!r.dataset.sev) continue;
+      const okSev = active.has(r.dataset.sev);
+      const okTxt = !term || (r.dataset.text||'').includes(term);
+      r.style.display = okSev && okTxt ? '' : 'none';
+    }
+  }
+  document.querySelectorAll('.chip').forEach(c=>c.addEventListener('click',()=>{
+    c.classList.toggle('on');
+    if(active.has(c.dataset.sev)) active.delete(c.dataset.sev); else active.add(c.dataset.sev);
+    apply();
+  }));
+  q.addEventListener('input', apply);
+</script>
+</body></html>`;
+
+  const htmlPath = join(reportsDir, `icarus-${stamp}.html`);
+  writeFileSync(htmlPath, html, 'utf8');
+  return { htmlPath, jsonPath };
+}