secure-review-extension 1.0.0

package/src/report.js

@@ -0,0 +1,837 @@
+const fs = require("node:fs/promises");
+const path = require("node:path");
+let vscode;
+try {
+  vscode = require("vscode");
+} catch {
+  vscode = null;
+}
+const { shorten } = require("./utils");
+
+const SEVERITY_ORDER = ["critical", "high", "medium", "low"];
+
+function buildReportModel(findings, metadata = {}) {
+  const normalized = [...findings]
+    .map((finding) => normalizeFinding(finding))
+    .sort(compareFindings);
+  const hasDynamicFindings = normalized.some((finding) => finding.source === "dynamic");
+  const hasStaticFindings = normalized.some((finding) => finding.source !== "dynamic");
+  const effectiveScanType = metadata.scanType
+    || (hasStaticFindings && hasDynamicFindings
+      ? "Static + Dynamic Analysis"
+      : hasDynamicFindings
+        ? "Dynamic Analysis"
+        : "Static Analysis");
+
+  const severitySummary = SEVERITY_ORDER.map((severity) => ({
+    severity,
+    label: severity.toUpperCase(),
+    count: normalized.filter((finding) => finding.groupKey === severity).length
+  }));
+
+  const categoryMap = new Map();
+  for (const finding of normalized) {
+    categoryMap.set(finding.category, (categoryMap.get(finding.category) || 0) + 1);
+  }
+
+  const categorySummary = [...categoryMap.entries()]
+    .sort((left, right) => left[0].localeCompare(right[0]))
+    .map(([category, count]) => ({ category, count }));
+
+  const reviewDomainMap = new Map();
+  for (const finding of normalized) {
+    reviewDomainMap.set(finding.reviewDomain, (reviewDomainMap.get(finding.reviewDomain) || 0) + 1);
+  }
+
+  const reviewDomainSummary = [...reviewDomainMap.entries()]
+    .sort((left, right) => left[0].localeCompare(right[0]))
+    .map(([domain, count]) => ({ domain, count }));
+
+  const groupedOverview = SEVERITY_ORDER.map((severity) => ({
+    severity,
+    label: severity === "critical"
+      ? "Critical Findings"
+      : severity === "high"
+        ? "High Severity Findings"
+        : severity === "medium"
+          ? "Medium Severity Findings"
+          : "Low Severity Findings",
+    findings: normalized.filter((finding) => finding.groupKey === severity)
+  })).filter((group) => group.findings.length > 0);
+
+  const totalFindings = normalized.length;
+  const categoriesCount = categorySummary.length;
+  const criticalCount = severitySummary.find((item) => item.severity === "critical")?.count || 0;
+  const topRecommendations = buildRecommendations(normalized);
+  const executiveSummary = totalFindings === 0
+    ? `This report presents the results of the requested secure review. No findings were identified in the current visible findings set.`
+    : `This report presents the results of a ${effectiveScanType} on the ${metadata.projectName || "workspace"} workspace. A total of ${totalFindings} finding${totalFindings === 1 ? "" : "s"} were identified across ${categoriesCount} categor${categoriesCount === 1 ? "y" : "ies"} and ${reviewDomainSummary.length} review domain${reviewDomainSummary.length === 1 ? "" : "s"}.${criticalCount > 0 ? ` Immediate attention is required for the ${criticalCount} critical-severity finding${criticalCount === 1 ? "" : "s"}.` : ""}`;
+
+  const methodologyNotes = metadata.notes
+    || (hasStaticFindings && hasDynamicFindings
+      ? "Static analysis was performed using Secure Review built-in rule packs and any locally available external static analysis tools enabled in the extension settings. Dynamic analysis was performed using OWASP ZAP against the configured local or test target."
+      : hasDynamicFindings
+        ? "Dynamic analysis was performed using OWASP ZAP against the configured local or test target URL from Secure Review."
+        : "Static analysis was performed using Secure Review built-in rule packs and any locally available external static analysis tools enabled in the extension settings.");
+
+  const methodologyLimitations = hasDynamicFindings && !hasStaticFindings
+    ? "Results reflect only the current visible dynamic findings set in Secure Review. Ignored findings and findings below the configured minimum severity are excluded. Dynamic coverage depends on crawler reachability and the selected ZAP scan mode."
+    : hasStaticFindings && hasDynamicFindings
+      ? "Results reflect only the current visible findings set in Secure Review. Ignored findings and findings below the configured minimum severity are excluded. Static coverage depends on which local analysis tools are installed, and dynamic coverage depends on crawler reachability and the selected ZAP scan mode."
+      : "Results reflect only the current visible findings set in Secure Review. Ignored findings and findings below the configured minimum severity are excluded. External tool coverage depends on which tools are installed locally.";
+
+  return {
+    header: {
+      title: "Security Code Review Report",
+      projectName: metadata.projectName || "Workspace",
+      reportDate: formatDate(metadata.reportDate || new Date()),
+      scanType: effectiveScanType,
+      totalFindings
+    },
+    executiveSummary,
+    severitySummary,
+    categorySummary,
+    reviewDomainSummary,
+    groupedOverview,
+    detailedFindings: groupedOverview,
+    recommendationsSummary: topRecommendations,
+    methodology: {
+      notes: methodologyNotes,
+      limitations: methodologyLimitations,
+      configuration: metadata.scanConfiguration || `Scan Type: ${effectiveScanType}`
+    }
+  };
+}
+
+function normalizeFinding(finding) {
+  const isDynamic = finding.source === "dynamic";
+  const locationDisplay = isDynamic
+    ? (finding.targetUrl || "Unknown URL")
+    : finding.relativePath && finding.line
+      ? `${finding.relativePath} (line ${finding.line})`
+      : finding.relativePath || finding.filePath || "Unknown file";
+
+  const overviewLocationDisplay = isDynamic
+    ? (finding.targetUrl || "Unknown URL")
+    : finding.relativePath && finding.line
+      ? `${finding.relativePath}:${finding.line}`
+      : finding.relativePath || finding.filePath || "Unknown file";
+
+  return {
+    ...finding,
+    severityDisplay: severityLabel(finding.severity).toUpperCase(),
+    groupKey: finding.severity,
+    category: finding.category || "General",
+    subcategory: finding.subcategory || "General",
+    reviewDomain: finding.reviewDomain || "security",
+    confidence: finding.confidence || "medium",
+    locationDisplay,
+    overviewLocationDisplay,
+    remediationSummary: shorten(stripHtml(finding.remediation || "No remediation provided."), 100),
+    evidenceDisplay: stripHtml(finding.evidence || "n/a"),
+    whyItMatters: stripHtml(finding.whyItMatters || "This issue may increase security, correctness, reliability, or maintainability risk."),
+    remediation: stripHtml(finding.remediation || "No remediation provided."),
+    suggestion: stripHtml(finding.suggestion || finding.remediation || "Review and update the affected code path."),
+    standardsDisplay: Array.isArray(finding.standards) ? finding.standards.join(", ") : (finding.standards || "n/a")
+  };
+}
+
+function buildRecommendations(findings) {
+  const grouped = new Map();
+  for (const finding of findings) {
+    const key = `${finding.category}|${finding.suggestion}`;
+    if (!grouped.has(key)) {
+      grouped.set(key, {
+        category: finding.category,
+        suggestion: finding.suggestion,
+        count: 0
+      });
+    }
+    grouped.get(key).count += 1;
+  }
+
+  return [...grouped.values()]
+    .sort((left, right) => right.count - left.count || left.category.localeCompare(right.category))
+    .slice(0, 5);
+}
+
+function severityLabel(severity) {
+  return severity.charAt(0).toUpperCase() + severity.slice(1);
+}
+
+function compareFindings(left, right) {
+  const severityDiff = SEVERITY_ORDER.indexOf(left.severity) - SEVERITY_ORDER.indexOf(right.severity);
+  if (severityDiff !== 0) {
+    return severityDiff;
+  }
+
+  const locationDiff = (left.overviewLocationDisplay || "").localeCompare(right.overviewLocationDisplay || "");
+  if (locationDiff !== 0) {
+    return locationDiff;
+  }
+
+  return left.title.localeCompare(right.title);
+}
+
+function formatDate(value) {
+  const date = value instanceof Date ? value : new Date(value);
+  return date.toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "long",
+    day: "numeric"
+  });
+}
+
+function renderReportHtml(reportModel) {
+  const severityCards = reportModel.severitySummary
+    .map((item) => `<div class="card"><strong>${escapeHtml(item.label)}</strong><div>${item.count}</div></div>`)
+    .join("");
+
+  const categoryRows = reportModel.categorySummary
+    .map((item) => `<tr><td>${escapeHtml(item.category)}</td><td>${item.count}</td></tr>`)
+    .join("") || '<tr><td colspan="2">No findings</td></tr>';
+
+  const domainRows = reportModel.reviewDomainSummary
+    .map((item) => `<tr><td>${escapeHtml(item.domain)}</td><td>${item.count}</td></tr>`)
+    .join("") || '<tr><td colspan="2">No findings</td></tr>';
+
+  const overviewSections = reportModel.groupedOverview
+    .map((group) => `
+      <section class="block">
+        <h3>${escapeHtml(group.label)}</h3>
+        ${renderFindingsTable(group.findings)}
+      </section>
+    `)
+    .join("") || '<p>No findings are present in the current visible set.</p>';
+
+  const detailSections = reportModel.detailedFindings
+    .map((group, groupIndex) => `
+      <section class="block">
+        <h3>${groupIndex + 1}. ${escapeHtml(group.label)}</h3>
+        ${group.findings.map((finding, index) => renderFindingDetail(finding, index + 1)).join("")}
+      </section>
+    `)
+    .join("") || "<p>No detailed findings to display.</p>";
+
+  return `<!DOCTYPE html>
+  <html lang="en">
+    <head>
+      <meta charset="UTF-8" />
+      <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+      <title>Secure Review Report</title>
+      <style>
+        body { font-family: Arial, sans-serif; font-size: 11pt; padding: 28px; color: #222222; background: #ffffff; line-height: 1.45; }
+        h1, h2, h3, h4 { margin-bottom: 8px; }
+        h1 { font-size: 28pt; font-weight: 400; color: #111111; }
+        h2 { color: #1F4E79; font-size: 18pt; font-weight: 700; border-bottom: 2px solid #1F4E79; padding-bottom: 4px; margin-top: 28px; }
+        h3 { color: #2E75B6; font-size: 13pt; font-weight: 700; margin-top: 18px; }
+        h4 { color: #333333; font-size: 11pt; font-weight: 700; margin-top: 14px; }
+        p { margin: 6px 0 12px; }
+        .meta p { margin: 3px 0; }
+        .cards { display: grid; grid-template-columns: repeat(4, minmax(0, 1fr)); gap: 12px; margin: 14px 0 20px; }
+        .card { background: white; border: 1px solid #b7c9dd; padding: 12px; }
+        .block, .finding { background: white; margin-bottom: 16px; }
+        table { width: 100%; border-collapse: collapse; background: white; margin-top: 8px; }
+        th, td { text-align: left; padding: 8px 10px; border: 1px solid #9aa9b8; vertical-align: top; font-size: 10.5pt; }
+        th { background: #ffffff; font-weight: 700; }
+        .finding-grid { display: grid; grid-template-columns: 180px 1fr; gap: 8px 16px; margin-top: 10px; }
+        .finding-grid strong { color: #222222; }
+      </style>
+    </head>
+    <body>
+      <h1>${escapeHtml(reportModel.header.title)}</h1>
+      <div class="meta">
+        <p><strong>Project:</strong> ${escapeHtml(reportModel.header.projectName)}</p>
+        <p><strong>Date:</strong> ${escapeHtml(reportModel.header.reportDate)}</p>
+        <p><strong>Scan Type:</strong> ${escapeHtml(reportModel.header.scanType)}</p>
+        <p><strong>Total Findings:</strong> ${reportModel.header.totalFindings}</p>
+      </div>
+
+      <h2>1. Executive Summary</h2>
+      <p>${escapeHtml(reportModel.executiveSummary)}</p>
+
+      <h3>Finding Severity Summary</h3>
+      <div class="cards">${severityCards}</div>
+
+      <h3>Findings by Category</h3>
+      <table>
+        <thead><tr><th>Category</th><th>Finding Count</th></tr></thead>
+        <tbody>${categoryRows}</tbody>
+      </table>
+
+      <h3>Findings by Review Domain</h3>
+      <table>
+        <thead><tr><th>Review Domain</th><th>Finding Count</th></tr></thead>
+        <tbody>${domainRows}</tbody>
+      </table>
+
+      <h2>2. Findings Overview</h2>
+      ${overviewSections}
+
+      <h2>3. Detailed Findings</h2>
+      <p>The following section provides full detail for each finding, including evidence and specific remediation guidance.</p>
+      ${detailSections}
+
+      <h2>4. Recommendations Summary</h2>
+      <table>
+        <thead><tr><th>Category</th><th>Recommendation</th><th>Finding Count</th></tr></thead>
+        <tbody>
+          ${reportModel.recommendationsSummary.map((item) => `<tr><td>${escapeHtml(item.category)}</td><td>${escapeHtml(item.suggestion)}</td><td>${item.count}</td></tr>`).join("") || '<tr><td colspan="3">No recommendations</td></tr>'}
+        </tbody>
+      </table>
+
+      <h2>5. Methodology, Limitations, and Scan Configuration</h2>
+      <div class="block">
+        <div class="finding-grid">
+          <strong>Methodology</strong><span>${escapeHtml(reportModel.methodology.notes)}</span>
+          <strong>Limitations</strong><span>${escapeHtml(reportModel.methodology.limitations)}</span>
+          <strong>Scan Configuration</strong><span>${escapeHtml(reportModel.methodology.configuration)}</span>
+        </div>
+      </div>
+    </body>
+  </html>`;
+}
+
+function renderFindingsTable(findings) {
+  const rows = findings
+    .map((finding) => `
+      <tr>
+        <td>${escapeHtml(finding.severityDisplay)}</td>
+        <td>${escapeHtml(finding.category)}</td>
+        <td>${escapeHtml(finding.title)}</td>
+        <td>${escapeHtml(finding.overviewLocationDisplay)}</td>
+        <td>${escapeHtml(finding.remediationSummary)}</td>
+      </tr>
+    `)
+    .join("");
+
+  return `
+    <table>
+      <thead>
+        <tr>
+          <th>Severity</th>
+          <th>Category</th>
+          <th>Title</th>
+          <th>File / Line</th>
+          <th>Remediation Summary</th>
+        </tr>
+      </thead>
+      <tbody>${rows || '<tr><td colspan="5">No findings</td></tr>'}</tbody>
+    </table>
+  `;
+}
+
+function renderFindingDetail(finding, index) {
+  return `
+    <div class="finding">
+      <h4>${index}. ${escapeHtml(finding.title)}</h4>
+      <div class="finding-grid">
+        <strong>Severity</strong><span>${escapeHtml(finding.severityDisplay)}</span>
+        <strong>Category</strong><span>${escapeHtml(finding.category)}</span>
+        <strong>Subcategory</strong><span>${escapeHtml(finding.subcategory)}</span>
+        <strong>Review Domain</strong><span>${escapeHtml(finding.reviewDomain)}</span>
+        <strong>Confidence</strong><span>${escapeHtml(finding.confidence)}</span>
+        <strong>Finding ID</strong><span>${escapeHtml(finding.id)}</span>
+        <strong>File / Location</strong><span>${escapeHtml(finding.locationDisplay)}</span>
+        <strong>Source</strong><span>${escapeHtml(finding.source)}</span>
+        <strong>Evidence</strong><span>${escapeHtml(finding.evidenceDisplay)}</span>
+        <strong>Why It Matters</strong><span>${escapeHtml(finding.whyItMatters)}</span>
+        <strong>Remediation</strong><span>${escapeHtml(finding.remediation || "No remediation provided.")}</span>
+        <strong>Suggestion</strong><span>${escapeHtml(finding.suggestion)}</span>
+        <strong>Standards</strong><span>${escapeHtml(finding.standardsDisplay)}</span>
+      </div>
+    </div>
+  `;
+}
+
+async function promptReportMetadata(defaultScanType = "Static Analysis") {
+  if (!vscode) {
+    throw new Error("Interactive report metadata prompts are only available inside VS Code.");
+  }
+  const workspaceName = vscode.workspace.workspaceFolders?.[0]?.name || "Workspace";
+  const projectName = await vscode.window.showInputBox({
+    title: "Secure Review Report",
+    prompt: "Project name",
+    value: workspaceName,
+    ignoreFocusOut: true
+  });
+
+  if (projectName === undefined) {
+    return null;
+  }
+
+  const reportDate = await vscode.window.showInputBox({
+    title: "Secure Review Report",
+    prompt: "Report date",
+    value: formatDate(new Date()),
+    ignoreFocusOut: true
+  });
+
+  if (reportDate === undefined) {
+    return null;
+  }
+
+  const scanType = await vscode.window.showInputBox({
+    title: "Secure Review Report",
+    prompt: "Scan type",
+    value: defaultScanType,
+    ignoreFocusOut: true
+  });
+
+  if (scanType === undefined) {
+    return null;
+  }
+
+  const notes = await vscode.window.showInputBox({
+    title: "Secure Review Report",
+    prompt: "Optional methodology or limitation notes",
+    value: "",
+    ignoreFocusOut: true
+  });
+
+  if (notes === undefined) {
+    return null;
+  }
+
+  return {
+    projectName: projectName.trim() || workspaceName,
+    reportDate: reportDate.trim() || formatDate(new Date()),
+    scanType: scanType.trim() || defaultScanType,
+    notes: notes.trim()
+  };
+}
+
+function stripHtml(value) {
+  return String(value || "")
+    .replace(/<[^>]+>/g, " ")
+    .replace(/&nbsp;/gi, " ")
+    .replace(/&amp;/gi, "&")
+    .replace(/&lt;/gi, "<")
+    .replace(/&gt;/gi, ">")
+    .replace(/\s+/g, " ")
+    .trim();
+}
+
+async function exportDocx(reportModel, targetUri) {
+  const contentTypes = xml(
+    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">' +
+    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>' +
+    '<Default Extension="xml" ContentType="application/xml"/>' +
+    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>' +
+    '<Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/>' +
+    '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>' +
+    '<Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/>' +
+    "</Types>"
+  );
+
+  const rootRels = xml(
+    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">' +
+    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>' +
+    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>' +
+    '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>' +
+    "</Relationships>"
+  );
+
+  const documentRels = xml(
+    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">' +
+    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>' +
+    "</Relationships>"
+  );
+
+  const styles = xml(
+    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+    '<w:styles mc:Ignorable="w14 w15" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml">' +
+    '<w:docDefaults><w:rPrDefault><w:rPr><w:rFonts w:ascii="Arial" w:cs="Arial" w:eastAsia="Arial" w:hAnsi="Arial"/><w:sz w:val="22"/><w:szCs w:val="22"/><w:color w:val="222222"/></w:rPr></w:rPrDefault><w:pPrDefault><w:pPr><w:spacing w:after="120" w:line="240" w:lineRule="auto"/></w:pPr></w:pPrDefault></w:docDefaults>' +
+    '<w:style w:type="paragraph" w:default="1" w:styleId="Normal"><w:name w:val="Normal"/><w:qFormat/><w:rPr><w:rFonts w:ascii="Arial" w:cs="Arial" w:eastAsia="Arial" w:hAnsi="Arial"/><w:color w:val="222222"/><w:sz w:val="22"/><w:szCs w:val="22"/></w:rPr></w:style>' +
+    '<w:style w:type="paragraph" w:styleId="Title"><w:name w:val="Title"/><w:basedOn w:val="Normal"/><w:next w:val="Normal"/><w:qFormat/><w:pPr><w:spacing w:after="160"/></w:pPr><w:rPr><w:rFonts w:ascii="Arial" w:cs="Arial" w:eastAsia="Arial" w:hAnsi="Arial"/><w:color w:val="111111"/><w:sz w:val="56"/><w:szCs w:val="56"/></w:rPr></w:style>' +
+    '<w:style w:type="paragraph" w:styleId="Heading1"><w:name w:val="Heading 1"/><w:basedOn w:val="Normal"/><w:next w:val="Normal"/><w:qFormat/><w:pPr><w:pBdr><w:bottom w:val="single" w:color="1F4E79" w:sz="6" w:space="1"/></w:pBdr><w:spacing w:before="360" w:after="200"/><w:outlineLvl w:val="0"/></w:pPr><w:rPr><w:rFonts w:ascii="Arial" w:cs="Arial" w:eastAsia="Arial" w:hAnsi="Arial"/><w:b/><w:bCs/><w:color w:val="1F4E79"/><w:sz w:val="36"/><w:szCs w:val="36"/></w:rPr></w:style>' +
+    '<w:style w:type="paragraph" w:styleId="Heading2"><w:name w:val="Heading 2"/><w:basedOn w:val="Normal"/><w:next w:val="Normal"/><w:qFormat/><w:pPr><w:spacing w:before="280" w:after="120"/><w:outlineLvl w:val="1"/></w:pPr><w:rPr><w:rFonts w:ascii="Arial" w:cs="Arial" w:eastAsia="Arial" w:hAnsi="Arial"/><w:b/><w:bCs/><w:color w:val="2E75B6"/><w:sz w:val="26"/><w:szCs w:val="26"/></w:rPr></w:style>' +
+    '<w:style w:type="paragraph" w:styleId="Heading3"><w:name w:val="Heading 3"/><w:basedOn w:val="Normal"/><w:next w:val="Normal"/><w:qFormat/><w:pPr><w:spacing w:before="200" w:after="80"/><w:outlineLvl w:val="2"/></w:pPr><w:rPr><w:rFonts w:ascii="Arial" w:cs="Arial" w:eastAsia="Arial" w:hAnsi="Arial"/><w:b/><w:bCs/><w:color w:val="333333"/><w:sz w:val="22"/><w:szCs w:val="22"/></w:rPr></w:style>' +
+    '<w:style w:type="paragraph" w:styleId="Strong"><w:name w:val="Strong"/><w:basedOn w:val="Normal"/><w:next w:val="Normal"/><w:qFormat/><w:rPr><w:b/><w:bCs/></w:rPr></w:style>' +
+    '<w:style w:type="paragraph" w:styleId="ListParagraph"><w:name w:val="List Paragraph"/><w:basedOn w:val="Normal"/><w:qFormat/><w:pPr><w:spacing w:after="80"/></w:pPr></w:style>' +
+    "</w:styles>"
+  );
+
+  const createdIso = new Date().toISOString();
+  const core = xml(
+    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' +
+    `<dc:title>${escapeXml(reportModel.header.title)}</dc:title>` +
+    "<dc:creator>Secure Review</dc:creator>" +
+    "<cp:lastModifiedBy>Secure Review</cp:lastModifiedBy>" +
+    `<dcterms:created xsi:type="dcterms:W3CDTF">${createdIso}</dcterms:created>` +
+    `<dcterms:modified xsi:type="dcterms:W3CDTF">${createdIso}</dcterms:modified>` +
+    "</cp:coreProperties>"
+  );
+
+  const app = xml(
+    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+    '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">' +
+    "<Application>Secure Review</Application>" +
+    "</Properties>"
+  );
+
+  const document = xml(buildDocumentXml(reportModel));
+
+  const zipBuffer = buildZip([
+    { name: "[Content_Types].xml", data: Buffer.from(contentTypes, "utf8") },
+    { name: "_rels/.rels", data: Buffer.from(rootRels, "utf8") },
+    { name: "docProps/core.xml", data: Buffer.from(core, "utf8") },
+    { name: "docProps/app.xml", data: Buffer.from(app, "utf8") },
+    { name: "word/document.xml", data: Buffer.from(document, "utf8") },
+    { name: "word/styles.xml", data: Buffer.from(styles, "utf8") },
+    { name: "word/_rels/document.xml.rels", data: Buffer.from(documentRels, "utf8") }
+  ]);
+
+  if (typeof targetUri === "string") {
+    await fs.writeFile(targetUri, zipBuffer);
+    return;
+  }
+
+  if (!vscode) {
+    throw new Error("A filesystem path string is required when exporting DOCX outside VS Code.");
+  }
+
+  await vscode.workspace.fs.writeFile(targetUri, zipBuffer);
+}
+
+function buildDocumentXml(reportModel) {
+  const body = [];
+
+  body.push(paragraph(reportModel.header.title, "Title"));
+  body.push(paragraph(`Project: ${reportModel.header.projectName}`));
+  body.push(paragraph(`Date: ${reportModel.header.reportDate}`));
+  body.push(paragraph(`Scan Type: ${reportModel.header.scanType}`));
+  body.push(paragraph(`Total Findings: ${reportModel.header.totalFindings}`));
+
+  body.push(paragraph("1. Executive Summary", "Heading2"));
+  body.push(paragraph(reportModel.executiveSummary));
+  body.push(paragraph("Finding Severity Summary", "Heading3"));
+  body.push(simpleTable(
+    [["Severity", "Count"]],
+    reportModel.severitySummary.map((item) => [item.label, String(item.count)])
+  ));
+  body.push(paragraph("Findings by Category", "Heading3"));
+  body.push(simpleTable(
+    [["Category", "Finding Count"]],
+    reportModel.categorySummary.length
+      ? reportModel.categorySummary.map((item) => [item.category, String(item.count)])
+      : [["No findings", "0"]]
+  ));
+  body.push(paragraph("Findings by Review Domain", "Heading3"));
+  body.push(simpleTable(
+    [["Review Domain", "Finding Count"]],
+    reportModel.reviewDomainSummary.length
+      ? reportModel.reviewDomainSummary.map((item) => [item.domain, String(item.count)])
+      : [["No findings", "0"]]
+  ));
+
+  body.push(paragraph("2. Findings Overview", "Heading2"));
+  if (reportModel.groupedOverview.length === 0) {
+    body.push(paragraph("No findings are present in the current visible set."));
+  } else {
+    for (const group of reportModel.groupedOverview) {
+      body.push(paragraph(group.label, "Heading3"));
+      body.push(simpleTable(
+        [["Severity", "Category", "Title", "File / Line", "Remediation Summary"]],
+        group.findings.map((finding) => [
+          finding.severityDisplay,
+          finding.category,
+          finding.title,
+          finding.overviewLocationDisplay,
+          finding.remediationSummary
+        ])
+      ));
+    }
+  }
+
+  body.push(paragraph("3. Detailed Findings", "Heading2"));
+  body.push(paragraph("The following section provides full detail for each finding, including evidence and specific remediation guidance."));
+  if (reportModel.detailedFindings.length === 0) {
+    body.push(paragraph("No detailed findings to display."));
+  } else {
+    reportModel.detailedFindings.forEach((group, groupIndex) => {
+      body.push(paragraph(`3.${groupIndex + 1} ${group.label}`, "Heading3"));
+      group.findings.forEach((finding, index) => {
+        body.push(paragraph(`${index + 1}. ${finding.title}`));
+        body.push(keyValueParagraph("Severity", finding.severityDisplay));
+        body.push(keyValueParagraph("Category", finding.category));
+        body.push(keyValueParagraph("Subcategory", finding.subcategory));
+        body.push(keyValueParagraph("Review Domain", finding.reviewDomain));
+        body.push(keyValueParagraph("Confidence", finding.confidence));
+        body.push(keyValueParagraph("Finding ID", finding.id));
+        body.push(keyValueParagraph("File / Location", finding.locationDisplay));
+        body.push(keyValueParagraph("Source", finding.source));
+        body.push(keyValueParagraph("Evidence", finding.evidenceDisplay));
+        body.push(keyValueParagraph("Why It Matters", finding.whyItMatters));
+        body.push(keyValueParagraph("Remediation", finding.remediation || "No remediation provided."));
+        body.push(keyValueParagraph("Suggestion", finding.suggestion));
+        body.push(keyValueParagraph("Standards", finding.standardsDisplay));
+      });
+    });
+  }
+
+  body.push(paragraph("4. Recommendations Summary", "Heading2"));
+  body.push(simpleTable(
+    [["Category", "Recommendation", "Finding Count"]],
+    reportModel.recommendationsSummary.length
+      ? reportModel.recommendationsSummary.map((item) => [item.category, item.suggestion, String(item.count)])
+      : [["No recommendations", "n/a", "0"]]
+  ));
+
+  body.push(paragraph("5. Methodology, Limitations, and Scan Configuration", "Heading2"));
+  body.push(keyValueParagraph("Methodology", reportModel.methodology.notes));
+  body.push(keyValueParagraph("Limitations", reportModel.methodology.limitations));
+  body.push(keyValueParagraph("Scan Configuration", reportModel.methodology.configuration));
+
+  return (
+    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">' +
+    `<w:body>${body.join("")}<w:sectPr/></w:body>` +
+    "</w:document>"
+  );
+}
+
+function paragraph(text, styleId) {
+  const style = styleId ? `<w:pPr><w:pStyle w:val="${styleId}"/></w:pPr>` : "";
+  return `<w:p>${style}<w:r><w:t xml:space="preserve">${escapeXml(text)}</w:t></w:r></w:p>`;
+}
+
+function keyValueParagraph(label, value) {
+  return (
+    "<w:p>" +
+    '<w:r><w:rPr><w:b/></w:rPr><w:t xml:space="preserve">' + escapeXml(`${label}: `) + "</w:t></w:r>" +
+    `<w:r><w:t xml:space="preserve">${escapeXml(value)}</w:t></w:r>` +
+    "</w:p>"
+  );
+}
+
+function simpleTable(headerRows, dataRows) {
+  const rows = [...headerRows, ...dataRows].map((row, index) => (
+    `<w:tr>${row.map((cell) => tableCell(cell, index === 0)).join("")}</w:tr>`
+  )).join("");
+
+  return (
+    '<w:tbl>' +
+    '<w:tblPr><w:tblBorders><w:top w:val="single" w:color="9AA9B8" w:sz="6"/><w:left w:val="single" w:color="9AA9B8" w:sz="6"/><w:bottom w:val="single" w:color="9AA9B8" w:sz="6"/><w:right w:val="single" w:color="9AA9B8" w:sz="6"/><w:insideH w:val="single" w:color="9AA9B8" w:sz="4"/><w:insideV w:val="single" w:color="9AA9B8" w:sz="4"/></w:tblBorders><w:tblCellMar><w:top w:w="60" w:type="dxa"/><w:left w:w="80" w:type="dxa"/><w:bottom w:w="60" w:type="dxa"/><w:right w:w="80" w:type="dxa"/></w:tblCellMar></w:tblPr>' +
+    rows +
+    "</w:tbl>"
+  );
+}
+
+function tableCell(text, isHeader) {
+  return (
+    "<w:tc><w:p><w:pPr><w:spacing w:after=\"40\"/></w:pPr><w:r>" +
+    (isHeader ? "<w:rPr><w:b/><w:bCs/><w:rFonts w:ascii=\"Arial\" w:cs=\"Arial\" w:eastAsia=\"Arial\" w:hAnsi=\"Arial\"/></w:rPr>" : "<w:rPr><w:rFonts w:ascii=\"Arial\" w:cs=\"Arial\" w:eastAsia=\"Arial\" w:hAnsi=\"Arial\"/></w:rPr>") +
+    `<w:t xml:space="preserve">${escapeXml(text)}</w:t>` +
+    "</w:r></w:p></w:tc>"
+  );
+}
+
+function escapeHtml(value) {
+  return String(value)
+    .replaceAll("&", "&amp;")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;");
+}
+
+function escapeXml(value) {
+  return escapeHtml(value).replaceAll("'", "&apos;");
+}
+
+function xml(value) {
+  return value;
+}
+
+async function exportReport(reportModel) {
+  if (!vscode) {
+    throw new Error("Interactive report export is only available inside VS Code.");
+  }
+  const defaultName = slugify(reportModel.header.projectName || "secure-review-report");
+  const target = await vscode.window.showSaveDialog({
+    saveLabel: "Export Secure Review DOCX Report",
+    defaultUri: vscode.Uri.file(path.join(vscode.workspace.workspaceFolders?.[0]?.uri.fsPath || "", `${defaultName}-security-report.docx`)),
+    filters: {
+      DOCX: ["docx"]
+    }
+  });
+
+  if (!target) {
+    return false;
+  }
+
+  try {
+    await exportDocx(reportModel, target);
+    return true;
+  } catch (error) {
+    const fallbackTarget = await vscode.window.showSaveDialog({
+      saveLabel: "DOCX export failed, save Markdown fallback",
+      defaultUri: vscode.Uri.file(path.join(vscode.workspace.workspaceFolders?.[0]?.uri.fsPath || "", `${defaultName}-security-report.md`)),
+      filters: {
+        Markdown: ["md"]
+      }
+    });
+
+    if (!fallbackTarget) {
+      throw error;
+    }
+
+    await vscode.workspace.fs.writeFile(fallbackTarget, Buffer.from(renderMarkdown(reportModel), "utf8"));
+    return true;
+  }
+}
+
+function renderMarkdown(reportModel) {
+  const lines = [
+    `# ${reportModel.header.title}`,
+    "",
+    `Project: ${reportModel.header.projectName}`,
+    `Date: ${reportModel.header.reportDate}`,
+    `Scan Type: ${reportModel.header.scanType}`,
+    `Total Findings: ${reportModel.header.totalFindings}`,
+    "",
+    "## 1. Executive Summary",
+    "",
+    reportModel.executiveSummary,
+    "",
+    "## 2. Findings Overview",
+    ""
+  ];
+
+  for (const group of reportModel.groupedOverview) {
+    lines.push(`### ${group.label}`);
+    lines.push("");
+    for (const finding of group.findings) {
+      lines.push(`- [${finding.severityDisplay}] ${finding.title} | ${finding.overviewLocationDisplay} | ${finding.remediationSummary}`);
+    }
+    lines.push("");
+  }
+
+  lines.push("## 3. Detailed Findings", "");
+
+  for (const group of reportModel.detailedFindings) {
+    lines.push(`### ${group.label}`, "");
+    for (const finding of group.findings) {
+      lines.push(`#### ${finding.title}`);
+      lines.push(`- Severity: ${finding.severityDisplay}`);
+      lines.push(`- Category: ${finding.category}`);
+      lines.push(`- Finding ID: ${finding.id}`);
+      lines.push(`- File / Location: ${finding.locationDisplay}`);
+      lines.push(`- Source: ${finding.source}`);
+      lines.push(`- Evidence: ${finding.evidenceDisplay}`);
+      lines.push(`- Remediation: ${finding.remediation || "No remediation provided."}`);
+      lines.push("");
+    }
+  }
+
+  lines.push("## 4. Methodology, Limitations, and Scan Configuration", "");
+  lines.push(`- Methodology: ${reportModel.methodology.notes}`);
+  lines.push(`- Limitations: ${reportModel.methodology.limitations}`);
+  lines.push(`- Scan Configuration: ${reportModel.methodology.configuration}`);
+
+  return lines.join("\n");
+}
+
+function slugify(value) {
+  return String(value)
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "") || "secure-review";
+}
+
+function buildZip(entries) {
+  const localFiles = [];
+  const centralRecords = [];
+  let offset = 0;
+
+  for (const entry of entries) {
+    const nameBuffer = Buffer.from(entry.name, "utf8");
+    const dataBuffer = Buffer.isBuffer(entry.data) ? entry.data : Buffer.from(entry.data);
+    const crc = crc32(dataBuffer);
+
+    const localHeader = Buffer.alloc(30);
+    localHeader.writeUInt32LE(0x04034b50, 0);
+    localHeader.writeUInt16LE(20, 4);
+    localHeader.writeUInt16LE(0, 6);
+    localHeader.writeUInt16LE(0, 8);
+    localHeader.writeUInt16LE(0, 10);
+    localHeader.writeUInt16LE(0, 12);
+    localHeader.writeUInt32LE(crc >>> 0, 14);
+    localHeader.writeUInt32LE(dataBuffer.length, 18);
+    localHeader.writeUInt32LE(dataBuffer.length, 22);
+    localHeader.writeUInt16LE(nameBuffer.length, 26);
+    localHeader.writeUInt16LE(0, 28);
+
+    localFiles.push(localHeader, nameBuffer, dataBuffer);
+
+    const centralHeader = Buffer.alloc(46);
+    centralHeader.writeUInt32LE(0x02014b50, 0);
+    centralHeader.writeUInt16LE(20, 4);
+    centralHeader.writeUInt16LE(20, 6);
+    centralHeader.writeUInt16LE(0, 8);
+    centralHeader.writeUInt16LE(0, 10);
+    centralHeader.writeUInt16LE(0, 12);
+    centralHeader.writeUInt16LE(0, 14);
+    centralHeader.writeUInt32LE(crc >>> 0, 16);
+    centralHeader.writeUInt32LE(dataBuffer.length, 20);
+    centralHeader.writeUInt32LE(dataBuffer.length, 24);
+    centralHeader.writeUInt16LE(nameBuffer.length, 28);
+    centralHeader.writeUInt16LE(0, 30);
+    centralHeader.writeUInt16LE(0, 32);
+    centralHeader.writeUInt16LE(0, 34);
+    centralHeader.writeUInt16LE(0, 36);
+    centralHeader.writeUInt32LE(0, 38);
+    centralHeader.writeUInt32LE(offset, 42);
+
+    centralRecords.push(centralHeader, nameBuffer);
+    offset += localHeader.length + nameBuffer.length + dataBuffer.length;
+  }
+
+  const centralDirectory = Buffer.concat(centralRecords);
+  const end = Buffer.alloc(22);
+  end.writeUInt32LE(0x06054b50, 0);
+  end.writeUInt16LE(0, 4);
+  end.writeUInt16LE(0, 6);
+  end.writeUInt16LE(entries.length, 8);
+  end.writeUInt16LE(entries.length, 10);
+  end.writeUInt32LE(centralDirectory.length, 12);
+  end.writeUInt32LE(offset, 16);
+  end.writeUInt16LE(0, 20);
+
+  return Buffer.concat([...localFiles, centralDirectory, end]);
+}
+
+const CRC_TABLE = buildCrcTable();
+
+function buildCrcTable() {
+  const table = [];
+  for (let i = 0; i < 256; i += 1) {
+    let c = i;
+    for (let j = 0; j < 8; j += 1) {
+      c = (c & 1) ? (0xedb88320 ^ (c >>> 1)) : (c >>> 1);
+    }
+    table.push(c >>> 0);
+  }
+  return table;
+}
+
+function crc32(buffer) {
+  let crc = 0 ^ (-1);
+  for (const byte of buffer) {
+    crc = (crc >>> 8) ^ CRC_TABLE[(crc ^ byte) & 0xff];
+  }
+  return (crc ^ (-1)) >>> 0;
+}
+
+module.exports = {
+  buildReportModel,
+  renderReportHtml,
+  renderMarkdown,
+  exportDocx,
+  exportReport,
+  promptReportMetadata
+};