securl 1.4.1

package/dist/domain-security.js

@@ -0,0 +1,416 @@
+import dns from "node:dns/promises";
+import { DNS_LOOKUP_TIMEOUT_MS } from "./scannerConfig.js";
+import { safeResolveWithTimeout } from "./utils.js";
+const DKIM_COMMON_SELECTORS = [
+    "google",
+    "mail",
+    "dkim",
+    "selector1",
+    "selector2",
+    "k1",
+    "k2",
+    "default",
+    "smtp",
+    "mailgun",
+    "sendgrid",
+    "proofpoint",
+    "mimecast",
+    "amazonses",
+    "mandrill",
+];
+async function fetchMtaStsPolicy(host, requestText) {
+    const policyHost = `mta-sts.${host}`;
+    const policyUrl = new URL(`https://${policyHost}/.well-known/mta-sts.txt`);
+    try {
+        const response = await requestText(policyUrl);
+        if (response.statusCode >= 200 && response.statusCode < 300 && response.body.trim()) {
+            return { policyUrl: policyUrl.toString(), policy: response.body.trim() };
+        }
+    }
+    catch {
+        // Ignore fetch failure and return a null policy below.
+    }
+    return { policyUrl: policyUrl.toString(), policy: null };
+}
+const parseDnsTags = (record) => {
+    const tags = new Map();
+    for (const part of record.split(";")) {
+        const [key, ...valueParts] = part.trim().split("=");
+        if (key && valueParts.length) {
+            tags.set(key.toLowerCase(), valueParts.join("=").trim());
+        }
+    }
+    return tags;
+};
+export const evaluateSpfPolicy = (spf) => {
+    if (!spf) {
+        return {
+            status: "missing",
+            allMechanism: null,
+            dnsLookupMechanisms: 0,
+            summary: "No SPF record was detected at the zone apex.",
+        };
+    }
+    const mechanisms = spf.split(/\s+/).filter(Boolean);
+    const allMechanism = mechanisms.find((mechanism) => /^[~?+-]?all$/i.test(mechanism))?.toLowerCase() || null;
+    const normalizedAll = allMechanism === "all" ? "+all" : allMechanism;
+    const dnsLookupMechanisms = mechanisms.filter((mechanism) => /^(?:[~?+-])?(?:include|a|mx|ptr|exists)(?::|$)/i.test(mechanism)).length;
+    if (normalizedAll === "-all") {
+        return {
+            status: dnsLookupMechanisms > 10 ? "watch" : "strong",
+            allMechanism: "-all",
+            dnsLookupMechanisms,
+            summary: dnsLookupMechanisms > 10
+                ? "SPF uses hardfail, but appears to exceed the 10 DNS-lookup guidance limit."
+                : "SPF uses hardfail, which is the strongest published all-mechanism.",
+        };
+    }
+    if (normalizedAll === "~all") {
+        return {
+            status: "watch",
+            allMechanism: "~all",
+            dnsLookupMechanisms,
+            summary: "SPF uses softfail; this is safer than no policy but weaker than hardfail.",
+        };
+    }
+    if (normalizedAll === "?all" || normalizedAll === "+all") {
+        return {
+            status: "weak",
+            allMechanism: normalizedAll,
+            dnsLookupMechanisms,
+            summary: "SPF ends with a neutral or permissive all-mechanism, so spoofing resistance is weak.",
+        };
+    }
+    return {
+        status: "watch",
+        allMechanism: null,
+        dnsLookupMechanisms,
+        summary: "SPF is present, but no explicit all-mechanism was found.",
+    };
+};
+export const evaluateSpfDetail = (spf) => {
+    const mechanisms = spf?.split(/\s+/).filter(Boolean) || [];
+    const normalizedMechanisms = mechanisms.map((mechanism) => mechanism.toLowerCase());
+    const hasPlusAll = normalizedMechanisms.some((mechanism) => mechanism === "+all" || mechanism === "all");
+    const hasTildeAll = normalizedMechanisms.includes("~all");
+    const hasMinusAll = normalizedMechanisms.includes("-all");
+    const hasQuestionAll = normalizedMechanisms.includes("?all");
+    const includeCount = normalizedMechanisms.filter((mechanism) => /^(?:[~?+-])?include:/i.test(mechanism)).length;
+    // Per RFC 7208 §4.6.4 the 10-lookup limit covers include, a, mx, ptr, and exists mechanisms.
+    // Counting only `include:` under-flags records with many a/mx/ptr/exists terms.
+    const dnsLookupCount = normalizedMechanisms.filter((m) => /^(?:[~?+-])?(?:include:|a(?:[:/\s]|$)|mx(?:[:/\s]|$)|ptr(?:[:/]|$)|exists:)/i.test(m)).length;
+    return {
+        hasPlusAll,
+        hasTildeAll,
+        hasMinusAll,
+        hasQuestionAll,
+        includeCount,
+        exceedsLookupLimit: dnsLookupCount > 10,
+        isOverlyPermissive: hasPlusAll || hasQuestionAll,
+    };
+};
+const normalizeDmarcPolicy = (value) => {
+    const normalized = value?.toLowerCase();
+    return normalized === "reject" || normalized === "quarantine" || normalized === "none" ? normalized : null;
+};
+export const evaluateDmarcPolicy = (dmarc) => {
+    if (!dmarc) {
+        return {
+            status: "missing",
+            policy: null,
+            subdomainPolicy: null,
+            pct: null,
+            reporting: false,
+            summary: "No DMARC record was detected.",
+        };
+    }
+    const tags = parseDnsTags(dmarc);
+    const policy = normalizeDmarcPolicy(tags.get("p"));
+    const subdomainPolicy = normalizeDmarcPolicy(tags.get("sp"));
+    const pctRaw = tags.get("pct");
+    const pct = pctRaw && /^\d+$/.test(pctRaw) ? Math.max(0, Math.min(100, Number(pctRaw))) : null;
+    const reporting = Boolean(tags.get("rua") || tags.get("ruf"));
+    if (policy === "reject" || policy === "quarantine") {
+        const reducedRollout = pct !== null && pct < 100;
+        return {
+            status: reducedRollout ? "watch" : "strong",
+            policy,
+            subdomainPolicy,
+            pct,
+            reporting,
+            summary: reducedRollout
+                ? `DMARC is enforcing ${policy}, but only for ${pct}% of mail.`
+                : `DMARC is enforcing ${policy}.`,
+        };
+    }
+    if (policy === "none") {
+        return {
+            status: "weak",
+            policy,
+            subdomainPolicy,
+            pct,
+            reporting,
+            summary: "DMARC is present in monitoring mode only and does not enforce quarantine or reject.",
+        };
+    }
+    return {
+        status: "watch",
+        policy,
+        subdomainPolicy,
+        pct,
+        reporting,
+        summary: "DMARC is present, but the policy tag could not be interpreted.",
+    };
+};
+const buildDkimInfo = (recordsBySelector) => {
+    const discovered = recordsBySelector
+        .flatMap(({ selector, records }) => records
+        .filter((record) => record.toLowerCase().startsWith("v=dkim1"))
+        .map((record) => ({ selector, record })));
+    const selectors = discovered.map((record) => record.selector);
+    return {
+        discovered,
+        selectors,
+        count: discovered.length,
+        summary: discovered.length
+            ? `DKIM records were found at common selector${discovered.length === 1 ? "" : "s"}: ${selectors.join(", ")}.`
+            : "No DKIM records found at common selectors.",
+    };
+};
+const gradeEmailScore = (score) => {
+    if (score >= 80)
+        return "A";
+    if (score >= 60)
+        return "B";
+    if (score >= 40)
+        return "C";
+    if (score >= 20)
+        return "D";
+    return "F";
+};
+const buildEmailDeliverabilityScore = ({ spf, spfDetail, dmarc, dmarcPolicy, dkim, mtaStsDns, tlsRptDns, bimiDns, dnssecSigned, }) => {
+    const breakdown = {};
+    if (spf)
+        breakdown["SPF present"] = 10;
+    if (spfDetail.hasMinusAll)
+        breakdown["SPF hardfail"] = 10;
+    else if (spfDetail.hasTildeAll)
+        breakdown["SPF softfail"] = 5;
+    if (dmarc)
+        breakdown["DMARC present"] = 15;
+    if (dmarcPolicy.policy === "reject")
+        breakdown["DMARC reject"] = 20;
+    else if (dmarcPolicy.policy === "quarantine")
+        breakdown["DMARC quarantine"] = 10;
+    if (dmarcPolicy.reporting)
+        breakdown["DMARC reporting"] = 5;
+    if (dkim.count > 0)
+        breakdown["DKIM discovered"] = 15;
+    if (mtaStsDns)
+        breakdown["MTA-STS present"] = 10;
+    if (tlsRptDns)
+        breakdown["TLS-RPT present"] = 5;
+    if (bimiDns)
+        breakdown["BIMI present"] = 5;
+    if (dnssecSigned)
+        breakdown["DNSSEC signed"] = 5;
+    const score = Math.min(100, Math.round(Object.values(breakdown).reduce((total, value) => total + value, 0)));
+    return {
+        score,
+        grade: gradeEmailScore(score),
+        breakdown,
+    };
+};
+export async function analyzeDomainSecurity(host, requestText) {
+    const apexHost = host.startsWith("www.") ? host.slice(4) : host;
+    const candidateHosts = [...new Set([host, apexHost])];
+    const resolveDns = (operation) => safeResolveWithTimeout(operation, DNS_LOOKUP_TIMEOUT_MS);
+    const [mxByHost, nsByHost, txtRootByHost, txtDmarcByHost, caaByHost, txtMtaStsByHost, txtTlsRptByHost, txtBimiByHost, txtDkimByHost, dsByHost,] = await Promise.all([
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolveMx(candidate)))),
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolveNs(candidate)))),
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolveTxt(candidate)))),
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolveTxt(`_dmarc.${candidate}`)))),
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolveCaa(candidate)))),
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolveTxt(`_mta-sts.${candidate}`)))),
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolveTxt(`_smtp._tls.${candidate}`)))),
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolveTxt(`default._bimi.${candidate}`)))),
+        Promise.all(candidateHosts.map((candidate) => Promise.all(DKIM_COMMON_SELECTORS.map(async (selector) => ({
+            selector,
+            records: ((await resolveDns(() => dns.resolveTxt(`${selector}._domainkey.${candidate}`))) || [])
+                .map((entry) => entry.join("")),
+        }))))),
+        Promise.all(candidateHosts.map((candidate) => resolveDns(() => dns.resolve(candidate, "DS")))),
+    ]);
+    const pickFirst = (values) => values.find((value) => value && value.length) || null;
+    const mxRecordsRaw = pickFirst(mxByHost) || [];
+    const nsRecordsRaw = pickFirst(nsByHost) || [];
+    const txtRoot = pickFirst(txtRootByHost) || [];
+    const txtDmarc = pickFirst(txtDmarcByHost) || [];
+    const caaRaw = pickFirst(caaByHost) || [];
+    const txtMtaSts = pickFirst(txtMtaStsByHost) || [];
+    const txtTlsRpt = pickFirst(txtTlsRptByHost) || [];
+    const txtBimi = pickFirst(txtBimiByHost) || [];
+    const dsRaw = pickFirst(dsByHost) || [];
+    const mxRecords = mxRecordsRaw
+        .sort((a, b) => a.priority - b.priority)
+        .map((record) => `${record.priority} ${record.exchange}`);
+    const nsRecords = nsRecordsRaw || [];
+    const txtValues = txtRoot.map((entry) => entry.join(""));
+    const dmarcValues = txtDmarc.map((entry) => entry.join(""));
+    const mtaStsValues = txtMtaSts.map((entry) => entry.join(""));
+    const tlsRptValues = txtTlsRpt.map((entry) => entry.join(""));
+    const bimiValues = txtBimi.map((entry) => entry.join(""));
+    const caaRecords = caaRaw.flatMap((record) => Object.entries(record)
+        .filter(([key]) => key !== "critical")
+        .map(([tag, value]) => `${tag} ${value}`));
+    const dsRecords = dsRaw.map((record) => `${record.keyTag} ${record.algorithm} ${record.digestType} ${record.digest}`);
+    const spf = txtValues.find((value) => value.toLowerCase().startsWith("v=spf1")) || null;
+    const dmarc = dmarcValues.find((value) => value.toLowerCase().startsWith("v=dmarc1")) || null;
+    const mtaStsDns = mtaStsValues.find((value) => value.toLowerCase().startsWith("v=stsv1")) || null;
+    const tlsRptDns = tlsRptValues.find((value) => value.toLowerCase().startsWith("v=tlsrptv1")) || null;
+    const bimiDns = bimiValues.find((value) => value.toLowerCase().startsWith("v=bimi1")) || null;
+    const txtDkim = txtDkimByHost.flat();
+    const dkim = buildDkimInfo(txtDkim);
+    const mtaStsTargetHost = txtMtaStsByHost[0]?.length ? candidateHosts[0] : candidateHosts[1] || candidateHosts[0];
+    const mtaStsPolicy = mtaStsDns ? await fetchMtaStsPolicy(mtaStsTargetHost, requestText) : { policyUrl: null, policy: null };
+    const spfDetail = evaluateSpfDetail(spf);
+    const emailPolicy = {
+        spf: evaluateSpfPolicy(spf),
+        dmarc: evaluateDmarcPolicy(dmarc),
+    };
+    const dnssecSigned = dsRecords.length > 0;
+    const emailDeliverabilityScore = buildEmailDeliverabilityScore({
+        spf,
+        spfDetail,
+        dmarc,
+        dmarcPolicy: emailPolicy.dmarc,
+        dkim,
+        mtaStsDns,
+        tlsRptDns,
+        bimiDns,
+        dnssecSigned,
+    });
+    const issues = [];
+    const strengths = [];
+    if (!mxRecords.length) {
+        issues.push("No MX records found.");
+    }
+    else {
+        strengths.push("MX records are published.");
+    }
+    if (!spf) {
+        issues.push("No SPF record detected at the zone apex.");
+    }
+    else if (emailPolicy.spf.status === "weak") {
+        issues.push(emailPolicy.spf.summary);
+    }
+    else if (emailPolicy.spf.status === "watch") {
+        issues.push(emailPolicy.spf.summary);
+    }
+    else {
+        strengths.push(emailPolicy.spf.summary);
+    }
+    if (spfDetail.hasPlusAll) {
+        issues.push("Critical: SPF uses +all, which permits any sender to claim the domain.");
+    }
+    if (spfDetail.hasQuestionAll) {
+        issues.push("SPF uses ?all, leaving sender authorization neutral.");
+    }
+    if (spfDetail.exceedsLookupLimit) {
+        issues.push("SPF includes more than 10 include mechanisms and may hit the DNS lookup limit.");
+    }
+    if (spfDetail.hasMinusAll) {
+        strengths.push("SPF uses -all hardfail.");
+    }
+    if (!dmarc) {
+        issues.push("No DMARC record detected.");
+    }
+    else if (emailPolicy.dmarc.status === "weak") {
+        issues.push(emailPolicy.dmarc.summary);
+    }
+    else if (emailPolicy.dmarc.status === "watch") {
+        issues.push(emailPolicy.dmarc.summary);
+    }
+    else {
+        strengths.push(emailPolicy.dmarc.summary);
+    }
+    if (!caaRecords.length) {
+        issues.push("No CAA records found.");
+    }
+    else {
+        strengths.push("CAA records restrict which certificate authorities may issue for the domain.");
+    }
+    if (!dsRecords.length) {
+        issues.push("No DNSSEC DS records detected at the domain apex.");
+    }
+    else {
+        strengths.push("DNSSEC DS records are published.");
+    }
+    if (!mtaStsDns) {
+        issues.push("No MTA-STS DNS policy record detected.");
+    }
+    else if (!mtaStsPolicy.policy) {
+        issues.push("MTA-STS DNS record exists, but the HTTPS policy file could not be fetched.");
+    }
+    else {
+        strengths.push("MTA-STS is published.");
+    }
+    if (!tlsRptDns) {
+        if (mtaStsDns) {
+            issues.push("MTA-STS is present, but no TLS-RPT reporting record was detected.");
+        }
+    }
+    else {
+        strengths.push("TLS-RPT reporting is published for SMTP transport issues.");
+    }
+    if (bimiDns) {
+        strengths.push("BIMI is published, which can support brand trust when paired with enforcing DMARC.");
+    }
+    if (dkim.count === 0) {
+        if (dmarc) {
+            issues.push("DMARC is published but no DKIM record was found at common selectors.");
+        }
+    }
+    else {
+        strengths.push(dkim.summary);
+    }
+    return {
+        host: apexHost,
+        mxRecords,
+        nsRecords,
+        caaRecords,
+        dnssec: {
+            enabled: dsRecords.length > 0,
+            dsRecords,
+            status: dsRecords.length > 0 ? "signed" : "not_signed",
+        },
+        spf,
+        dmarc,
+        emailPolicy,
+        mtaSts: {
+            dns: mtaStsDns,
+            policyUrl: mtaStsPolicy.policyUrl,
+            policy: mtaStsPolicy.policy,
+        },
+        spfDetail,
+        dkim,
+        tlsRpt: {
+            dns: tlsRptDns,
+            reporting: Boolean(tlsRptDns),
+            summary: tlsRptDns
+                ? "TLS-RPT is published for SMTP transport reporting."
+                : "No TLS-RPT reporting record was detected.",
+        },
+        bimi: {
+            dns: bimiDns,
+            selector: "default",
+            status: bimiDns ? "present" : "missing",
+            summary: bimiDns
+                ? "BIMI is published at the default selector."
+                : "No BIMI record was detected at the default selector.",
+        },
+        emailDeliverabilityScore,
+        issues,
+        strengths,
+    };
+}

package/dist/header-analysis.d.ts

@@ -0,0 +1,14 @@
+import type { LibraryRiskSignal, RemediationSnippet, ScanIssue, SecurityHeaderResult } from "./types.js";
+type ResponseHeaders = Record<string, string | string[] | undefined>;
+export declare const SECURITY_HEADERS: Array<Pick<SecurityHeaderResult, "key" | "label" | "description" | "recommendation">>;
+export declare const REMEDIATION_TARGETS: Record<string, string>;
+export declare const analyzeHeaders: (headers: ResponseHeaders, isHttps: boolean) => {
+    headers: SecurityHeaderResult[];
+    issues: ScanIssue[];
+    strengths: string[];
+};
+export declare const buildRawHeaders: (headers: ResponseHeaders) => Record<string, string>;
+export declare const classifyIssueTaxonomy: (issue: ScanIssue) => ScanIssue;
+export declare const buildLibraryRiskIssues: (libraryRiskSignals: LibraryRiskSignal[]) => ScanIssue[];
+export declare const buildRemediation: (headerResults: SecurityHeaderResult[]) => RemediationSnippet[];
+export {};

package/dist/header-analysis.js

@@ -0,0 +1,165 @@
+import { headerValue, unique } from "./utils.js";
+export const SECURITY_HEADERS = [
+    { key: "strict-transport-security", label: "Strict-Transport-Security", description: "Forces browsers to keep using HTTPS after the first secure visit.", recommendation: "Set HSTS with at least 6 months max-age and includeSubDomains." },
+    { key: "content-security-policy", label: "Content-Security-Policy", description: "Reduces XSS and data injection risk by controlling allowed resource sources.", recommendation: "Add a CSP and avoid unsafe-inline / unsafe-eval where possible." },
+    { key: "x-frame-options", label: "X-Frame-Options", description: "Helps prevent clickjacking in framed pages.", recommendation: "Use DENY or SAMEORIGIN unless framing is intentionally required." },
+    { key: "x-content-type-options", label: "X-Content-Type-Options", description: "Stops MIME sniffing for mismatched content types.", recommendation: "Set X-Content-Type-Options to nosniff." },
+    { key: "referrer-policy", label: "Referrer-Policy", description: "Limits how much referral data leaves the site.", recommendation: "Use strict-origin-when-cross-origin or stricter." },
+    { key: "permissions-policy", label: "Permissions-Policy", description: "Restricts browser features such as camera and microphone access.", recommendation: "Disable unneeded browser capabilities with Permissions-Policy." },
+    { key: "cross-origin-opener-policy", label: "Cross-Origin-Opener-Policy", description: "Improves browsing context isolation against cross-window attacks.", recommendation: "Set COOP to same-origin for stronger isolation where compatible." },
+    { key: "cross-origin-resource-policy", label: "Cross-Origin-Resource-Policy", description: "Protects resources from being loaded by unintended origins.", recommendation: "Set CORP to same-origin or same-site when appropriate." },
+];
+export const REMEDIATION_TARGETS = {
+    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
+    "content-security-policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests",
+    "x-frame-options": "SAMEORIGIN",
+    "x-content-type-options": "nosniff",
+    "referrer-policy": "strict-origin-when-cross-origin",
+    "permissions-policy": "camera=(), microphone=(), geolocation=(), browsing-topics=()",
+    "cross-origin-opener-policy": "same-origin",
+    "cross-origin-resource-policy": "same-origin",
+};
+export const analyzeHeaders = (headers, isHttps) => {
+    const results = [];
+    const issues = [];
+    const strengths = [];
+    const createIssue = (severity, area, title, detail, confidence = "high", source = "observed") => ({ severity, area, title, detail, confidence, source, owasp: [], mitre: [] });
+    for (const definition of SECURITY_HEADERS) {
+        const value = headerValue(headers, definition.key);
+        let status = value ? "present" : "missing";
+        let severity = value ? "good" : "warning";
+        let summary = value ? "Configured." : "Missing.";
+        if (definition.key === "strict-transport-security" && value) {
+            const lower = value.toLowerCase();
+            const maxAgeMatch = lower.match(/max-age=(\d+)/);
+            const maxAge = maxAgeMatch ? Number(maxAgeMatch[1]) : 0;
+            if (maxAge < 15552000 || !lower.includes("includesubdomains")) {
+                status = "warning";
+                severity = "warning";
+                summary = "Present, but the policy is weaker than recommended.";
+                issues.push(createIssue("warning", "transport", "HSTS could be stronger", "Increase max-age and include subdomains for better HTTPS protection.", "medium", "heuristic"));
+            }
+            else {
+                strengths.push("Strong HSTS policy detected.");
+            }
+        }
+        if (definition.key === "content-security-policy" && value) {
+            const directives = Object.fromEntries(value.split(";").map((directive) => directive.trim()).filter(Boolean).map((directive) => {
+                const [name, ...tokens] = directive.split(/\s+/);
+                return [name.toLowerCase(), tokens.map((token) => token.toLowerCase())];
+            }));
+            const scriptSources = directives["script-src"] || directives["default-src"] || [];
+            if (scriptSources.includes("'unsafe-inline'") || scriptSources.includes("'unsafe-eval'")) {
+                status = "warning";
+                severity = "warning";
+                summary = "Present, but allows unsafe script execution in script policies.";
+                issues.push(createIssue("warning", "headers", "CSP contains risky allowances", "unsafe-inline or unsafe-eval in script policies weakens CSP protections against XSS.", "high", "observed"));
+            }
+            else {
+                strengths.push("CSP is present without obvious unsafe script allowances.");
+            }
+        }
+        if (definition.key === "x-frame-options" && value) {
+            const lower = value.toLowerCase();
+            if (!["deny", "sameorigin"].includes(lower)) {
+                status = "warning";
+                severity = "warning";
+                summary = "Present, but uses a less reliable policy.";
+            }
+        }
+        if (definition.key === "referrer-policy" && value) {
+            const lower = value.split(",").map((part) => part.trim().toLowerCase()).filter(Boolean).at(-1) || "";
+            if (!["strict-origin", "strict-origin-when-cross-origin", "same-origin", "no-referrer"].includes(lower)) {
+                status = "warning";
+                severity = "warning";
+                summary = "Present, but a stricter referrer policy is recommended.";
+            }
+        }
+        if (!value) {
+            issues.push(createIssue(definition.key === "permissions-policy" ? "info" : "warning", "headers", `${definition.label} is missing`, definition.recommendation, "high", "observed"));
+        }
+        results.push({ ...definition, value, status, severity, summary });
+    }
+    if (!isHttps) {
+        issues.push(createIssue("critical", "transport", "Site is not using HTTPS", "Traffic can be intercepted or modified in transit over plain HTTP.", "high", "observed"));
+    }
+    return { headers: results, issues, strengths };
+};
+export const buildRawHeaders = (headers) => Object.fromEntries(Object.entries(headers)
+    .filter(([, value]) => value !== undefined)
+    .map(([key, value]) => [key, Array.isArray(value) ? value.join(", ") : String(value)]));
+export const classifyIssueTaxonomy = (issue) => {
+    const text = `${issue.area} ${issue.title} ${issue.detail}`.toLowerCase();
+    const owasp = [];
+    const mitre = [];
+    const isCookieIssue = issue.area === "cookies" || text.includes("cookie");
+    const isHttpSurfaceDiscovery = text.includes("publicly reachable")
+        || text.includes("exposed")
+        || text.includes("fingerprint")
+        || text.includes("banner")
+        || text.includes("redirect chain")
+        || text.includes("version")
+        || text.includes("header");
+    if (text.includes("outdated component") || text.includes("known advis") || text.includes("osv") || text.includes("vulnerab") || text.includes("library "))
+        owasp.push("A06 Vulnerable and Outdated Components");
+    if (issue.area === "transport" || issue.area === "certificate" || text.includes("https") || text.includes("tls") || text.includes("certificate") || text.includes("hsts"))
+        owasp.push("A02 Cryptographic Failures");
+    if (issue.area === "headers" || text.includes("missing") || text.includes("csp") || text.includes("referrer-policy") || text.includes("permissions-policy") || text.includes("cors") || text.includes("samesite") || text.includes("httponly") || text.includes("secure flag"))
+        owasp.push("A05 Security Misconfiguration");
+    if (text.includes("unsafe-inline") || text.includes("unsafe-eval") || text.includes("xss") || text.includes("inline script"))
+        owasp.push("A03 Injection");
+    if (text.includes("publicly reachable") || text.includes("exposed") || text.includes("authorization") || text.includes("access-controlled"))
+        owasp.push("A01 Broken Access Control");
+    if (isCookieIssue)
+        owasp.push("A07 Identification and Authentication Failures");
+    if (text.includes("publicly reachable") || text.includes("exposed") || text.includes("site is not using https") || text.includes("redirect chain"))
+        mitre.push("Initial Access");
+    if (isHttpSurfaceDiscovery || text.includes("certificate") || text.includes("cors"))
+        mitre.push("Reconnaissance");
+    if (isCookieIssue || text.includes("password") || text.includes("token") || text.includes("session"))
+        mitre.push("Credential Access");
+    if (text.includes("referrer") || text.includes("inline script") || text.includes("sri"))
+        mitre.push("Collection");
+    if (text.includes("bypass") || text.includes("evasion") || text.includes("obfuscat"))
+        mitre.push("Defense Evasion");
+    return { ...issue, owasp: unique(owasp), mitre: unique(mitre) };
+};
+export const buildLibraryRiskIssues = (libraryRiskSignals) => libraryRiskSignals.map((signal) => {
+    const highestSeverity = signal.vulnerabilities.some((item) => item.severity === "critical" || item.severity === "high")
+        ? "critical"
+        : signal.vulnerabilities.some((item) => item.severity === "moderate")
+            ? "warning"
+            : "info";
+    const references = signal.vulnerabilities.flatMap((item) => item.aliases).filter(Boolean).slice(0, 3);
+    return {
+        severity: highestSeverity,
+        area: "headers",
+        title: `${signal.packageName} ${signal.version} has known advisories`,
+        detail: `OSV returned ${signal.vulnerabilities.length} advisory match${signal.vulnerabilities.length === 1 ? "" : "es"} for this publicly referenced library version.${references.length ? ` References: ${references.join(", ")}.` : ""}`,
+        confidence: signal.confidence,
+        source: "observed",
+        owasp: [],
+        mitre: [],
+    };
+});
+export const buildRemediation = (headerResults) => {
+    const requiredHeaders = headerResults
+        .filter((header) => header.status !== "present")
+        .map((header) => ({ key: header.key, label: header.label, value: REMEDIATION_TARGETS[header.key] }))
+        .filter((header) => header.value);
+    if (!requiredHeaders.length)
+        return [];
+    const nginxLines = requiredHeaders.map((header) => `add_header ${header.label} "${header.value}" always;`);
+    const apacheLines = requiredHeaders.map((header) => `Header always set ${header.label} "${header.value}"`);
+    const cloudflareLines = requiredHeaders.map((header) => `secured.headers.set("${header.label}", "${header.value.replaceAll('"', '\\"')}");`);
+    const vercelLines = requiredHeaders.map((header) => `        { key: "${header.label}", value: "${header.value}" },`);
+    const netlifyLines = requiredHeaders.map((header) => `  ${header.label}: ${header.value}`);
+    const names = requiredHeaders.map((header) => header.label).join(", ");
+    return [
+        { platform: "nginx", title: "Nginx security headers", description: `Adds recommended headers for: ${names}.`, filename: "nginx.conf", snippet: ["server {", "  # ...existing config", ...nginxLines.map((line) => `  ${line}`), "}"].join("\n") },
+        { platform: "apache", title: "Apache mod_headers rules", description: "Use inside your vhost or .htaccess where mod_headers is enabled.", filename: ".htaccess", snippet: ["<IfModule mod_headers.c>", ...apacheLines.map((line) => `  ${line}`), "</IfModule>"].join("\n") },
+        { platform: "cloudflare", title: "Cloudflare Worker response hardening", description: "Apply these headers in a Worker or edge response transform.", filename: "worker.js", snippet: ["export default {", "  async fetch(request, env, ctx) {", "    const response = await fetch(request);", "    const secured = new Response(response.body, response);", ...cloudflareLines.map((line) => `    ${line}`), "    return secured;", "  },", "};"].join("\n") },
+        { platform: "vercel", title: "Vercel headers() config", description: "Paste into next.config.js or next.config.mjs.", filename: "next.config.js", snippet: ["export default {", "  async headers() {", "    return [", "      {", '        source: "/(.*)",', "        headers: [", ...vercelLines, "        ],", "      },", "    ];", "  },", "};"].join("\n") },
+        { platform: "netlify", title: "Netlify _headers file", description: "Add this block to your Netlify `_headers` file.", filename: "_headers", snippet: ["/*", ...netlifyLines, ""].join("\n") },
+    ];
+};

package/dist/historyDiff.d.ts

@@ -0,0 +1,4 @@
+import type { AnalysisResult, HistoryDiff, HistorySnapshot } from "./types.js";
+export declare const snapshotFromAnalysis: (analysis: AnalysisResult) => HistorySnapshot;
+export declare const buildHistoryDiffFromSnapshots: (current: HistorySnapshot, previous: HistorySnapshot) => HistoryDiff;
+export declare const buildHistoryDiff: (history: HistorySnapshot[]) => HistoryDiff | null;