securl 1.7.0 → 1.9.0

package/README.md

@@ -174,6 +174,43 @@ console.log({
 });
 ```
 
+### 6. Prioritized action plans
+
+Version `1.8.0+` includes an action-plan helper for client surfaces that need to show what to fix first without reinterpreting the full scan result.
+
+```ts
+import { analyzeUrl, buildActionPlan } from "securl";
+
+const result = await analyzeUrl("https://example.com");
+const actionPlan = buildActionPlan(result);
+
+console.log({
+  grade: actionPlan.posture.grade,
+  mainRisk: actionPlan.posture.mainRisk,
+  highImpactActions: actionPlan.highImpactActions,
+  firstAction: actionPlan.items[0],
+});
+```
+
+Action-plan items include owner, effort, impact, confidence, score impact where available, evidence references, and verification guidance.
+
+### 7. Live certificate checks
+
+Version `1.9.0+` includes a lightweight certificate helper for Cert Watch-style clients that only need the currently served TLS certificate.
+
+```ts
+import { scanLiveCertificate } from "securl/live-certificate";
+
+const certificate = await scanLiveCertificate(new URL("https://example.com"));
+
+console.log({
+  issuer: certificate.issuer,
+  daysRemaining: certificate.daysRemaining,
+  protocol: certificate.protocol,
+  chainLength: certificate.chain.length,
+});
+```
+
 ### 6. Evidence-backed remediation plans
 
 Version `1.4.0+` includes a remediation plan helper that turns score drivers and findings into prioritized, owner-aware fix guidance. Findings can also carry structured evidence references so clients can show why a finding was raised.
@@ -283,6 +320,8 @@ Primary exports:
 - `buildHistoryDiffFromSnapshots(current, previous)` - build a structured diff between scans.
 - `buildPostureRiskEventsFromSnapshots(current, previous, diff)` - classify scan changes into alert-friendly risk events.
 - `buildPostureDigest(result)` - reduce a full scan result to a compact API/mobile-friendly digest.
+- `buildActionPlan(result)` - turn remediation, score drivers, exposure, and vendor context into prioritized fix actions.
+- `scanLiveCertificate(url)` - perform a TLS handshake-only certificate read for lightweight cert monitoring.
 - `buildPostureDriftReportFromSnapshots(current, previous)` - produce a complete scan-to-scan drift report for monitoring, alerting, and history views.
 - `buildPostureRemediationPlan(result)` - generate prioritized, owner-aware remediation actions from findings and score drivers.
 - `attachIssueEvidence(result)` - add structured evidence references to findings without changing their existing fields.
@@ -292,6 +331,8 @@ Package subpath exports:
 
 - `securl/history-diff`
 - `securl/posture-digest`
+- `securl/action-plan`
+- `securl/live-certificate`
 - `securl/posture-drift`
 - `securl/remediation-plan`
 - `securl/risk-events`

package/dist/actionPlan.d.ts

@@ -0,0 +1,2 @@
+import type { ActionPlan, AnalysisResult } from "./types.js";
+export declare function buildActionPlan(analysis: AnalysisResult): ActionPlan;

package/dist/actionPlan.js

@@ -0,0 +1,315 @@
+const normalizeArray = (value) => (Array.isArray(value) ? value : []);
+const IMPACT_RANK = {
+    high: 0,
+    medium: 1,
+    low: 2,
+};
+function evidenceFromText(label, observed, kind, source) {
+    return {
+        kind,
+        label,
+        observed,
+        source: source,
+    };
+}
+function evidenceKindForExposure(source) {
+    if (source === "dns") {
+        return "dns";
+    }
+    if (source === "tls") {
+        return "tls";
+    }
+    if (source === "cookies") {
+        return "cookie";
+    }
+    if (source === "headers") {
+        return "header";
+    }
+    if (source === "html" || source === "third_party" || source === "ai") {
+        return "html";
+    }
+    if (source === "public_record" || source === "ct") {
+        return "public_record";
+    }
+    return "probe";
+}
+function ownerForExposure(category) {
+    if (category === "trust_gap") {
+        return "dns";
+    }
+    if (category === "third_party" || category === "ai") {
+        return "third_party";
+    }
+    if (category === "identity") {
+        return "identity";
+    }
+    if (category === "entry_point" || category === "infrastructure") {
+        return "edge";
+    }
+    return "app";
+}
+function themeForOwner(owner, title) {
+    const value = title.toLowerCase();
+    if (owner === "dns") {
+        return "domain_trust";
+    }
+    if (owner === "third_party") {
+        return "vendor_risk";
+    }
+    if (owner === "identity") {
+        return "identity";
+    }
+    if (value.includes("tls") || value.includes("certificate") || value.includes("https") || value.includes("hsts")) {
+        return "transport";
+    }
+    if (value.includes("monitor") || value.includes("rescan")) {
+        return "monitoring";
+    }
+    if (value.includes("unreachable") || value.includes("timeout") || value.includes("service")) {
+        return "availability";
+    }
+    if (value.includes("header") || value.includes("policy") || value.includes("cookie") || value.includes("csp")) {
+        return "browser_hardening";
+    }
+    return "public_exposure";
+}
+function themeForExposure(item) {
+    if (item.category === "trust_gap") {
+        return "domain_trust";
+    }
+    if (item.category === "third_party" || item.category === "ai") {
+        return "vendor_risk";
+    }
+    if (item.category === "identity") {
+        return "identity";
+    }
+    if (item.category === "entry_point" || item.category === "infrastructure") {
+        return "public_exposure";
+    }
+    if (item.source === "tls") {
+        return "transport";
+    }
+    return "public_exposure";
+}
+function impactForExposure(item) {
+    if (item.severity === "critical" || item.severity === "warning") {
+        return "high";
+    }
+    if (item.severity === "watch") {
+        return "medium";
+    }
+    return "low";
+}
+function effortForExposure(item) {
+    if (item.category === "entry_point" || item.category === "trust_gap") {
+        return "low";
+    }
+    if (item.category === "third_party" || item.category === "ai") {
+        return "medium";
+    }
+    return item.severity === "critical" ? "high" : "medium";
+}
+function scoreDriverAction(driver) {
+    if (driver.impact > 0) {
+        return `Review and improve ${driver.label} so this score driver no longer reduces the passive posture score.`;
+    }
+    return `Review ${driver.label} and confirm it is intentionally configured.`;
+}
+function scoreDriverTheme(driver) {
+    if (driver.source === "dns" || driver.areaKey === "domain") {
+        return "domain_trust";
+    }
+    if (driver.source === "tls") {
+        return "transport";
+    }
+    if (driver.source === "cookies" || driver.source === "headers") {
+        return "browser_hardening";
+    }
+    if (driver.source === "third_party" || driver.source === "ai") {
+        return "vendor_risk";
+    }
+    return "public_exposure";
+}
+function scoreDriverOwner(driver) {
+    if (driver.source === "dns" || driver.areaKey === "domain") {
+        return "dns";
+    }
+    if (driver.source === "headers" || driver.source === "tls") {
+        return "edge";
+    }
+    if (driver.source === "third_party" || driver.source === "ai") {
+        return "third_party";
+    }
+    if (driver.source === "cookies") {
+        return "app";
+    }
+    return "app";
+}
+function scoreDriverEvidence(driver) {
+    return [{
+            kind: "score_driver",
+            label: driver.label,
+            observed: driver.detail,
+            source: driver.source,
+        }];
+}
+function vendorEvidence(provider) {
+    return [{
+            kind: "html",
+            label: provider.domain || provider.name,
+            observed: provider.evidence,
+            source: "derived",
+        }];
+}
+function actionKey(item) {
+    return `${item.theme}:${item.title}:${item.action}`.toLowerCase().replace(/\s+/g, " ").trim();
+}
+function dedupeItems(items) {
+    const seen = new Set();
+    const unique = [];
+    for (const item of items) {
+        const key = actionKey(item);
+        if (seen.has(key)) {
+            continue;
+        }
+        seen.add(key);
+        unique.push(item);
+    }
+    return unique;
+}
+function sortItems(items) {
+    return [...items].sort((left, right) => {
+        const impactDelta = IMPACT_RANK[left.impact] - IMPACT_RANK[right.impact];
+        if (impactDelta !== 0) {
+            return impactDelta;
+        }
+        const priorityDelta = left.priority - right.priority;
+        if (priorityDelta !== 0) {
+            return priorityDelta;
+        }
+        return (right.scoreImpact ?? 0) - (left.scoreImpact ?? 0);
+    }).map((item, index) => ({
+        ...item,
+        priority: index + 1,
+    }));
+}
+function buildSummary(analysis, items) {
+    if (analysis.assessmentLimitation?.limited) {
+        return "The assessment was limited, so the first priority is restoring reliable scan coverage before treating the grade as complete.";
+    }
+    if (items.length === 0) {
+        return "No immediate action was identified from the passive evidence. Keep monitoring and rescan after deployment, DNS, or vendor changes.";
+    }
+    const highImpact = items.filter((item) => item.impact === "high").length;
+    if (highImpact > 0) {
+        return `${highImpact} high-impact action${highImpact === 1 ? "" : "s"} should move first because they affect the visible security posture most.`;
+    }
+    return "The next actions are mostly cleanup and monitoring work; no high-impact passive issue is currently leading the posture.";
+}
+export function buildActionPlan(analysis) {
+    const items = [];
+    for (const planItem of normalizeArray(analysis.remediationPlan?.items)) {
+        items.push({
+            id: `remediation:${planItem.id}`,
+            priority: planItem.priority,
+            title: planItem.title,
+            whyNow: planItem.scoreImpact && planItem.scoreImpact > 0
+                ? `This is costing about ${planItem.scoreImpact} point${planItem.scoreImpact === 1 ? "" : "s"} in the passive score.`
+                : planItem.detail,
+            action: planItem.action,
+            verify: planItem.verify,
+            owner: planItem.owner,
+            effort: planItem.effort,
+            impact: planItem.impact,
+            scoreImpact: planItem.scoreImpact,
+            confidence: "high",
+            theme: themeForOwner(planItem.owner, planItem.title),
+            evidence: normalizeArray(planItem.evidence).slice(0, 5),
+            relatedFindings: normalizeArray(planItem.relatedFindings).slice(0, 5),
+            source: "remediation",
+        });
+    }
+    for (const risk of normalizeArray(analysis.exposureBrief?.topRisks)) {
+        if (!risk.action) {
+            continue;
+        }
+        const owner = ownerForExposure(risk.category);
+        items.push({
+            id: `exposure:${risk.category}:${risk.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "")}`,
+            priority: 50,
+            title: risk.title,
+            whyNow: risk.detail,
+            action: risk.action,
+            verify: "Rescan the target and confirm this exposure brief item is no longer reported as a top risk.",
+            owner,
+            effort: effortForExposure(risk),
+            impact: impactForExposure(risk),
+            scoreImpact: null,
+            confidence: risk.confidence,
+            theme: themeForExposure(risk),
+            evidence: normalizeArray(risk.evidence).map((evidence) => evidenceFromText(risk.title, evidence, evidenceKindForExposure(risk.source), risk.source)).slice(0, 5),
+            relatedFindings: [risk.detail],
+            source: "exposure_brief",
+        });
+    }
+    for (const provider of normalizeArray(analysis.vendorExposure?.highPriorityProviders)) {
+        items.push({
+            id: `vendor:${provider.domain || provider.name}`.toLowerCase(),
+            priority: provider.reviewPriority === "urgent" ? 40 : 60,
+            title: `Review ${provider.name} vendor exposure`,
+            whyNow: `${provider.domain} is visible as a ${provider.risk}-risk ${provider.category} provider with ${provider.dataFlow.replace(/_/g, " ")} data-flow implications.`,
+            action: provider.action,
+            verify: "Rescan the target and confirm the provider remains documented, intentionally loaded, or no longer appears.",
+            owner: "third_party",
+            effort: "medium",
+            impact: provider.reviewPriority === "urgent" || provider.risk === "high" ? "high" : "medium",
+            scoreImpact: null,
+            confidence: "medium",
+            theme: "vendor_risk",
+            evidence: vendorEvidence(provider),
+            relatedFindings: [provider.domain],
+            source: "vendor_exposure",
+        });
+    }
+    if (items.length === 0) {
+        for (const driver of normalizeArray(analysis.scoreDrivers).filter((driver) => driver.impact > 0).slice(0, 5)) {
+            const owner = scoreDriverOwner(driver);
+            items.push({
+                id: `score:${driver.areaKey}:${driver.label.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "")}`,
+                priority: 100 - driver.impact,
+                title: driver.label,
+                whyNow: driver.detail,
+                action: scoreDriverAction(driver),
+                verify: "Rescan and confirm this score driver is no longer reported as missing or warning.",
+                owner,
+                effort: driver.impact >= 8 ? "medium" : "low",
+                impact: driver.impact >= 10 ? "high" : driver.impact >= 4 ? "medium" : "low",
+                scoreImpact: driver.impact,
+                confidence: "medium",
+                theme: scoreDriverTheme(driver),
+                evidence: scoreDriverEvidence(driver),
+                relatedFindings: [driver.detail],
+                source: "score_driver",
+            });
+        }
+    }
+    const sortedItems = sortItems(dedupeItems(items)).slice(0, 8);
+    return {
+        generatedAt: new Date().toISOString(),
+        summary: buildSummary(analysis, sortedItems),
+        posture: {
+            score: analysis.score,
+            grade: analysis.grade,
+            limited: Boolean(analysis.assessmentLimitation?.limited),
+            mainRisk: sortedItems[0]?.title ?? null,
+        },
+        totalActions: sortedItems.length,
+        highImpactActions: sortedItems.filter((item) => item.impact === "high").length,
+        quickWins: sortedItems.filter((item) => item.effort === "low").length,
+        items: sortedItems,
+        nextReview: analysis.assessmentLimitation?.limited
+            ? "Resolve the limited-assessment condition and rerun the scan before relying on the grade."
+            : "Rerun after the high-impact actions are complete, and again after deployment, DNS, or vendor changes.",
+        limitation: analysis.assessmentLimitation?.limited ? analysis.assessmentLimitation : null,
+    };
+}

package/dist/certificate.d.ts

@@ -1,5 +1,6 @@
-import type { CertificateResult } from "./types.js";
+import type { CertificateResult, LiveCertificateResult } from "./types.js";
 export declare const OBSERVATIONAL_TLS_OPTIONS: {
     rejectUnauthorized: boolean;
 };
 export declare const scanTls: (targetUrl: URL) => Promise<CertificateResult>;
+export declare const scanLiveCertificate: (targetUrl: URL) => Promise<LiveCertificateResult>;

package/dist/certificate.js

@@ -16,6 +16,48 @@ export const OBSERVATIONAL_TLS_OPTIONS = {
     // Set EXTERNAL_POSTURE_ALLOW_INSECURE_TLS=1 only for controlled observational runs.
     rejectUnauthorized: !allowInsecureTls,
 };
+function certificateName(certificate, field) {
+    return firstStringValue(certificate?.[field]?.O) ?? firstStringValue(certificate?.[field]?.CN);
+}
+function chainFromCertificate(certificate) {
+    const chain = [];
+    const seen = new Set();
+    let current = certificate;
+    while (current && Object.keys(current).length > 0) {
+        const fingerprint = current.fingerprint256 || current.fingerprint || null;
+        const key = fingerprint || `${current.subject?.CN || ""}:${current.issuer?.CN || ""}:${current.valid_to || ""}`;
+        if (seen.has(key)) {
+            break;
+        }
+        seen.add(key);
+        chain.push({
+            subject: certificateName(current, "subject"),
+            issuer: certificateName(current, "issuer"),
+            validFrom: current.valid_from || null,
+            validTo: current.valid_to || null,
+            fingerprint,
+        });
+        if (!current.issuerCertificate || current.issuerCertificate === current) {
+            break;
+        }
+        current = current.issuerCertificate;
+    }
+    return chain;
+}
+function keyBitsFromCertificate(certificate) {
+    const value = certificate?.bits;
+    return typeof value === "number" && Number.isFinite(value) ? value : null;
+}
+function keyTypeFromCertificate(certificate) {
+    const value = certificate?.asn1Curve || certificate?.nistCurve;
+    if (typeof value === "string" && value.trim()) {
+        return value;
+    }
+    if (typeof certificate?.bits === "number") {
+        return "rsa";
+    }
+    return null;
+}
 export const scanTls = (targetUrl) => {
     if (targetUrl.protocol !== "https:") {
         return Promise.resolve({
@@ -71,8 +113,89 @@ export const scanTls = (targetUrl) => {
                 available: true,
                 valid: Boolean(socket.authorized),
                 authorized: Boolean(socket.authorized),
-                issuer: firstStringValue(certificate?.issuer?.O) ?? firstStringValue(certificate?.issuer?.CN),
-                subject: firstStringValue(certificate?.subject?.CN),
+                issuer: certificateName(certificate, "issuer"),
+                subject: certificateName(certificate, "subject"),
+                validFrom,
+                validTo,
+                daysRemaining,
+                protocol,
+                cipher: cipherInfo?.name || null,
+                fingerprint: certificate?.fingerprint256 || null,
+                subjectAltName,
+                issues,
+            });
+            socket.end();
+        });
+        socket.once("timeout", () => {
+            socket.destroy(new Error("TLS handshake timed out."));
+        });
+        socket.once("error", reject);
+    });
+};
+export const scanLiveCertificate = (targetUrl) => {
+    if (targetUrl.protocol !== "https:") {
+        return Promise.resolve({
+            available: false,
+            valid: false,
+            authorized: false,
+            issuer: null,
+            subject: null,
+            validFrom: null,
+            validTo: null,
+            daysRemaining: null,
+            protocol: null,
+            cipher: null,
+            fingerprint: null,
+            subjectAltName: [],
+            issues: ["TLS certificate data is only available for HTTPS targets."],
+            host: targetUrl.hostname,
+            port: Number(targetUrl.port || 443),
+            checkedAt: new Date().toISOString(),
+            serialNumber: null,
+            keyBits: null,
+            keyType: null,
+            chain: [],
+        });
+    }
+    return new Promise((resolve, reject) => {
+        const socket = tls.connect({
+            host: targetUrl.hostname,
+            port: Number(targetUrl.port || 443),
+            servername: targetUrl.hostname,
+            ...OBSERVATIONAL_TLS_OPTIONS,
+            timeout: TLS_HANDSHAKE_TIMEOUT_MS,
+        });
+        socket.once("secureConnect", () => {
+            const certificate = socket.getPeerCertificate(true);
+            const protocol = socket.getProtocol?.() || null;
+            const cipherInfo = socket.getCipher?.();
+            const validTo = certificate?.valid_to || null;
+            const validFrom = certificate?.valid_from || null;
+            const daysRemaining = validTo
+                ? Math.ceil((new Date(validTo).getTime() - Date.now()) / (1000 * 60 * 60 * 24))
+                : null;
+            const subjectAltName = typeof certificate?.subjectaltname === "string"
+                ? certificate.subjectaltname.split(",").map((entry) => entry.trim().replace(/^DNS:/, ""))
+                : [];
+            const issues = [];
+            if (!socket.authorized) {
+                issues.push(typeof socket.authorizationError === "string"
+                    ? socket.authorizationError
+                    : "Certificate is not trusted.");
+            }
+            if (allowInsecureTls) {
+                issues.push("Insecure TLS observation mode is enabled via EXTERNAL_POSTURE_ALLOW_INSECURE_TLS.");
+            }
+            if (daysRemaining !== null && daysRemaining <= 14)
+                issues.push("Certificate expires very soon.");
+            if (protocol && /tlsv1(\.0|\.1)?$/i.test(protocol))
+                issues.push("TLS protocol is outdated.");
+            resolve({
+                available: true,
+                valid: Boolean(socket.authorized),
+                authorized: Boolean(socket.authorized),
+                issuer: certificateName(certificate, "issuer"),
+                subject: certificateName(certificate, "subject"),
                 validFrom,
                 validTo,
                 daysRemaining,
@@ -81,6 +204,13 @@ export const scanTls = (targetUrl) => {
                 fingerprint: certificate?.fingerprint256 || null,
                 subjectAltName,
                 issues,
+                host: targetUrl.hostname,
+                port: Number(targetUrl.port || 443),
+                checkedAt: new Date().toISOString(),
+                serialNumber: certificate?.serialNumber || null,
+                keyBits: keyBitsFromCertificate(certificate),
+                keyType: keyTypeFromCertificate(certificate),
+                chain: chainFromCertificate(certificate),
             });
             socket.end();
         });

package/dist/index.d.ts

@@ -11,6 +11,8 @@ export declare function analyzeUrl(input: string, options?: AnalyzeTargetOptions
 export declare const analyzeTarget: typeof analyzeUrl;
 export { formatErrorMessage };
 export { buildCompromiseSignals, emptyCompromiseSignals } from "./compromiseSignals.js";
+export { buildActionPlan } from "./actionPlan.js";
+export { scanLiveCertificate } from "./certificate.js";
 export { buildExposureBrief } from "./exposureBrief.js";
 export { buildVendorExposureBrief } from "./vendorExposure.js";
 export { analyzeInfrastructure } from "./infrastructure.js";

package/dist/index.js

@@ -1,5 +1,6 @@
 import { URL } from "node:url";
 import { scanTls } from "./certificate.js";
+import { buildActionPlan } from "./actionPlan.js";
 import { buildCompromiseSignals, emptyCompromiseSignals } from "./compromiseSignals.js";
 import { buildExposureBrief } from "./exposureBrief.js";
 import { buildVendorExposureBrief } from "./vendorExposure.js";
@@ -508,11 +509,15 @@ async function buildLimitedResult(input, normalizedInput, failure, scanTiming) {
         remediationPlan,
         evidenceSummary: buildPostureEvidenceSummary({ ...evidenceResult, remediationPlan }),
     };
-    return {
+    const resultWithBriefs = {
         ...resultWithRemediation,
         exposureBrief: buildExposureBrief(resultWithRemediation),
         vendorExposure: buildVendorExposureBrief(resultWithRemediation),
     };
+    return {
+        ...resultWithBriefs,
+        actionPlan: buildActionPlan(resultWithBriefs),
+    };
 }
 async function enrichCoreResult(result, profile) {
     const finalUrl = new URL(result.finalUrl);
@@ -943,11 +948,15 @@ function buildTimedOutEnrichmentResult(result, pageAnalysisEnabled, timeoutMs, c
         remediationPlan,
         evidenceSummary: buildPostureEvidenceSummary({ ...evidenceResult, remediationPlan }),
     };
-    return {
+    const resultWithBriefs = {
         ...resultWithRemediation,
         exposureBrief: buildExposureBrief(resultWithRemediation),
         vendorExposure: buildVendorExposureBrief(resultWithRemediation),
     };
+    return {
+        ...resultWithBriefs,
+        actionPlan: buildActionPlan(resultWithBriefs),
+    };
 }
 export async function analyzeUrl(input, options = {}) {
     const scanStartedAt = Date.now();
@@ -1017,15 +1026,21 @@ export async function analyzeUrl(input, options = {}) {
         remediationPlan,
         evidenceSummary: buildPostureEvidenceSummary({ ...resultWithEvidence, remediationPlan }),
     };
-    return {
+    const resultWithBriefs = {
         ...resultWithRemediation,
         exposureBrief: buildExposureBrief(resultWithRemediation),
         vendorExposure: buildVendorExposureBrief(resultWithRemediation),
     };
+    return {
+        ...resultWithBriefs,
+        actionPlan: buildActionPlan(resultWithBriefs),
+    };
 }
 export const analyzeTarget = analyzeUrl;
 export { formatErrorMessage };
 export { buildCompromiseSignals, emptyCompromiseSignals } from "./compromiseSignals.js";
+export { buildActionPlan } from "./actionPlan.js";
+export { scanLiveCertificate } from "./certificate.js";
 export { buildExposureBrief } from "./exposureBrief.js";
 export { buildVendorExposureBrief } from "./vendorExposure.js";
 export { analyzeInfrastructure } from "./infrastructure.js";

package/dist/types.d.ts

@@ -67,6 +67,22 @@ export interface CertificateResult {
     subjectAltName: string[];
     issues: string[];
 }
+export interface LiveCertificateChainEntry {
+    subject: string | null;
+    issuer: string | null;
+    validFrom: string | null;
+    validTo: string | null;
+    fingerprint: string | null;
+}
+export interface LiveCertificateResult extends CertificateResult {
+    host: string;
+    port: number;
+    checkedAt: string;
+    serialNumber: string | null;
+    keyBits: number | null;
+    keyType: string | null;
+    chain: LiveCertificateChainEntry[];
+}
 export interface RedirectHop {
     url: string;
     status: number;
@@ -224,6 +240,40 @@ export interface VendorExposureBrief {
     collectionBoundary: string;
     limitation: AssessmentLimitation | null;
 }
+export type ActionPlanTheme = "browser_hardening" | "transport" | "domain_trust" | "public_exposure" | "vendor_risk" | "identity" | "availability" | "monitoring";
+export interface ActionPlanItem {
+    id: string;
+    priority: number;
+    title: string;
+    whyNow: string;
+    action: string;
+    verify: string;
+    owner: RemediationOwner;
+    effort: RemediationEffort;
+    impact: RemediationImpact;
+    scoreImpact: number | null;
+    confidence: IssueConfidence;
+    theme: ActionPlanTheme;
+    evidence: ScanEvidenceReference[];
+    relatedFindings: string[];
+    source: "remediation" | "score_driver" | "exposure_brief" | "vendor_exposure";
+}
+export interface ActionPlan {
+    generatedAt: string;
+    summary: string;
+    posture: {
+        score: number;
+        grade: string;
+        limited: boolean;
+        mainRisk: string | null;
+    };
+    totalActions: number;
+    highImpactActions: number;
+    quickWins: number;
+    items: ActionPlanItem[];
+    nextReview: string;
+    limitation: AssessmentLimitation | null;
+}
 export interface CrawlPageResult {
     label: string;
     path: string;
@@ -791,6 +841,7 @@ export interface AnalysisResult {
     evidenceSummary?: PostureEvidenceSummary;
     exposureBrief?: ExposureBrief;
     vendorExposure?: VendorExposureBrief;
+    actionPlan?: ActionPlan;
     crawl: CrawlSummary;
     securityTxt: SecurityTxtInfo;
     domainSecurity: DomainSecurityInfo;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securl",
-  "version": "1.7.0",
+  "version": "1.9.0",
   "type": "module",
   "description": "Passive external security posture scanner for public URLs and web services.",
   "author": {
@@ -73,6 +73,14 @@
     "./vendor-exposure": {
       "types": "./dist/vendorExposure.d.ts",
       "default": "./dist/vendorExposure.js"
+    },
+    "./action-plan": {
+      "types": "./dist/actionPlan.d.ts",
+      "default": "./dist/actionPlan.js"
+    },
+    "./live-certificate": {
+      "types": "./dist/certificate.d.ts",
+      "default": "./dist/certificate.js"
     }
   },
   "files": [