wize-dev-kit 0.5.0 → 0.6.0

package/src/security-overlay/data/tool-allowlist.json

@@ -0,0 +1,31 @@
+{
+  "_schema": "Each entry is a list of allowed flag tokens. Flags ending in ':' (e.g. '-f:') consume the next arg as their value; flags without ':' are standalone switches.",
+  "nmap": [
+    "-sV", "-Pn", "-p-", "--open", "-T4", "-sn", "-O"
+  ],
+  "gitleaks": [
+    "detect", "--no-banner", "-s:", "-f:", "-r:", "-v", "--log-level=", "--exit-code:"
+  ],
+  "osv-scanner": [
+    "scan", "source", "--format:", "--output-file:", "-L:", "-r", "--recursive"
+  ],
+  "grype": [
+    "dir:.", "-o", "json", "-f"
+  ],
+  "nuclei": [
+    "-u:", "-t:", "-severity:", "-s:", "-jsonl", "-o:", "-duc", "-rl:", "-c:", "-nc", "-silent"
+  ],
+  "nikto": [
+    "-h:", "-ask", "no", "-Tuning", "-timeout=", "-port="
+  ],
+  "sqlmap": [
+    "-u:", "--batch", "--level=1", "--risk=1", "--threads=2", "--timeout=10",
+    "--dbms=", "--technique=", "--tamper=", "--random-agent", "--retries=1"
+  ],
+  "ffuf": [
+    "-u:", "-w:", "-mc:", "-t:", "-rate:", "-recursion", "-recursion-depth:", "-ac:", "-of:", "-o:", "-ma:", "-fs:"
+  ],
+  "curl": [
+    "-sI:", "-s:", "-o:", "-L", "-k", "-A=", "-H=", "--max-time="
+  ]
+}

package/src/security-overlay/skills/wize-sec-enumerate/scripts/run-enumerate.js

@@ -0,0 +1,180 @@
+'use strict';
+
+// run-enumerate.js — second phase: HTTP probing + tech inference from
+// the recon partial. Doesn't run any active tools by default.
+
+const path = require('node:path');
+const { execFileSync } = require('node:child_process');
+
+const { assertTargetInScope } = require('../../../_shared/scope-gate.js');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+
+// Parse the recon.md partial's open_ports section into a list of {port, service, version}
+// tuples. We accept both the markdown bullet form we write (- **80/tcp** `http` — nginx)
+// and a raw `PORT/PROTO SERVICE VERSION` form.
+function parseOpenPorts(body) {
+  const out = [];
+  for (const line of String(body || '').split('\n')) {
+    // Markdown bullet form
+    let m = line.match(/^- \*\*(\d+\/tcp)\*\* `(\S+)` — (.+?)$/);
+    if (m) { out.push({ port: m[1], service: m[2], version: m[3].trim() }); continue; }
+    // Raw form
+    m = line.match(/^(\d+\/tcp)\s+(\S+)\s+(.+?)$/);
+    if (m) out.push({ port: m[1], service: m[2], version: m[3].trim() });
+  }
+  return out;
+}
+
+// Build the URL the enumerator will probe given a port. We don't know the
+// protocol from nmap alone; assume http for well-known ports, https for
+// 443, otherwise default to http.
+function urlForPort(port, host) {
+  const portNum = parseInt(port.split('/')[0], 10);
+  const scheme = (portNum === 443 || portNum === 8443) ? 'https' : 'http';
+  return `${scheme}://${host}:${portNum}/`;
+}
+
+// Parse a curl -sI response into a { status, headers } object. We split
+// on `\r\n` (curl's default).
+function parseCurlHead(stdout) {
+  const lines = String(stdout || '').split(/\r?\n/).filter(Boolean);
+  const status = (lines[0] || '').trim();
+  const headers = {};
+  for (const line of lines.slice(1)) {
+    const m = line.match(/^([A-Za-z0-9-]+):\s*(.*?)\s*$/);
+    if (m) headers[m[1].toLowerCase()] = m[2];
+  }
+  return { status, headers };
+}
+
+// runEnumerate({securityDir, scope, active, execFn?, detectFn?}) ->
+//   { ok, partialStatus }
+async function runEnumerate(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: 10_000 });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['curl', 'nuclei'], { cacheDir: sec });
+  const curlPresent = !!(tools.curl && tools.curl.present);
+  const nucleiPresent = !!(tools.nuclei && tools.nuclei.present);
+
+  // Load recon.md if it exists.
+  const recon = loadPartial({ securityDir: sec, phase: 'recon' });
+  const openPorts = recon ? parseOpenPorts(recon.body) : [];
+
+  // Determine which hosts to probe from the scope body. We accept the
+  // allowlist block as defined by scope-parser: `## allowlist` then a
+  // `hosts:` line followed by `  - value` items.
+  const hostAllowlist = (() => {
+    const lines = (scope.body || '').split('\n');
+    const hosts = [];
+    let inHosts = false;
+    for (const line of lines) {
+      if (/^hosts:\s*$/.test(line)) { inHosts = true; continue; }
+      if (inHosts) {
+        const m = line.match(/^\s+-\s+(.+?)\s*$/);
+        if (m) hosts.push(m[1]);
+        else if (line.trim() !== '' && !/^\s/.test(line)) inHosts = false;
+      }
+    }
+    return hosts;
+  })();
+
+  // Degraded paths: missing recon OR no tools.
+  const degraded = [];
+  if (!recon) degraded.push('recon.md ausente — sem superfície para enumerar');
+  if (!curlPresent && !nucleiPresent) degraded.push('curl e nuclei ausentes — sem probing HTTP possível');
+
+  if (degraded.length && openPorts.length === 0) {
+    writePartial({
+      securityDir: sec,
+      phase: 'enumerate',
+      mode: active ? 'active' : 'passive',
+      scope,
+      status: 'incomplete',
+      tools,
+      dependsOn: ['recon'],
+      sections: {
+        degraded_checks: degraded.join('\n')
+      }
+    });
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  // Probe each host:port from the recon.
+  const surfaceLines = [];
+  const techHits = new Set();
+  let anyProbed = false;
+  let refusedCount = 0;
+
+  if (curlPresent && openPorts.length > 0) {
+    for (const host of hostAllowlist) {
+      for (const p of openPorts) {
+        // Gate: refuse out-of-scope targets BEFORE any probing.
+        const inScope = assertTargetInScope(scope, { host, port: p.port }, { refusalsDir: sec });
+        if (!inScope) { refusedCount++; continue; }
+
+        const url = urlForPort(p.port, host);
+        const args = filterArgs('curl', ['-sI', url]);
+        try {
+          const out = execFn('curl', args, { timeout: 10_000 });
+          const { status, headers } = parseCurlHead(out && out.stdout ? out.stdout : out);
+          surfaceLines.push(`- **${url}** — ${status || 'no status'}`);
+          if (headers.server) {
+            techHits.add(`server: ${headers.server}`);
+            surfaceLines.push(`  - server: ${headers.server}`);
+          }
+          if (headers['x-powered-by']) {
+            techHits.add(`x-powered-by: ${headers['x-powered-by']}`);
+            surfaceLines.push(`  - x-powered-by: ${headers['x-powered-by']}`);
+          }
+          if (headers['set-cookie']) {
+            surfaceLines.push(`  - set-cookie: ${headers['set-cookie']}`);
+          }
+          anyProbed = true;
+        } catch (_) {
+          surfaceLines.push(`- **${url}** — probe failed`);
+        }
+      }
+    }
+  }
+
+  // nuclei passive (only if present) — we don't fully parse nuclei output here;
+  // the report renderer will include the JSON dump if found.
+  const partialStatus = (anyProbed && refusedCount === 0 && degraded.length === 0) ? 'complete' : 'incomplete';
+
+  writePartial({
+    securityDir: sec,
+    phase: 'enumerate',
+    mode: active ? 'active' : 'passive',
+    scope,
+    status: partialStatus,
+    tools,
+    dependsOn: ['recon'],
+    sections: {
+      surface: surfaceLines.length ? surfaceLines.join('\n') : '_(nenhuma superfície enumerada)_',
+      tech: techHits.size ? Array.from(techHits).map(t => `- ${t}`).join('\n') : '_(tech não inferida — curl ausente ou nenhum host acessível)_',
+      ...(degraded.length ? { degraded_checks: degraded.join('\n') } : {})
+    }
+  });
+  return { ok: true, partialStatus };
+}
+
+module.exports = { runEnumerate, parseOpenPorts, parseCurlHead, urlForPort };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, target } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runEnumerate({ securityDir, scope, active, target });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'target': 'target' }
+  });
+}

package/src/security-overlay/skills/wize-sec-enumerate/skill.md

@@ -0,0 +1,32 @@
+---
+code: wize-sec-enumerate
+name: wize-sec-enumerate
+overlay: security
+module: security-overlay
+owner: red-teamer
+status: ready
+---
+
+# wize-sec-enumerate — Surface enumeration
+
+Reads `recon.md`, probes HTTP/S ports via `curl -sI`, infers tech from `Server` and `X-Powered-By` headers. Writes `enumerate.md` with `## surface` and `## tech` sections, plus `depends_on: [recon]` in the frontmatter so the renderer orders parciais.
+
+## Usage
+
+```bash
+/wize-sec-enumerate
+/wize-sec-enumerate --active  # currently a no-op for this phase; reserved for future
+```
+
+## Behavior
+
+- Loads `.wize/security/scope.md` first; aborts on invalid scope.
+- Reads `recon.md` partial; if missing, marks `partial_status: incomplete` and writes a degraded partial so the audit trail is complete.
+- Probes **only the scope's allowlisted hosts**, not the recon's listed services. Out-of-scope hosts are never probed.
+- curl and nuclei are detected via `command -v`; missing tools degrade the check rather than aborting.
+- Calls `assertTargetInScope` for every probed target. Refusals are appended to `.refusals.log`.
+
+## Output
+
+- `.wize/security/enumerate.md` — partial with `## surface` (probed endpoints) and `## tech` (deduplicated `server`/`x-powered-by` hits).
+- `.wize/security/.refusals.log` — appended on out-of-scope targets.

package/src/security-overlay/skills/wize-sec-exploit/data/common.txt

@@ -0,0 +1,117 @@
+admin
+api
+app
+auth
+backup
+blog
+cart
+catalog
+cms
+config
+console
+contact
+dashboard
+data
+db
+debug
+default
+demo
+dev
+docs
+download
+editor
+email
+error
+example
+export
+feed
+file
+files
+forum
+gallery
+help
+home
+images
+img
+import
+index
+info
+internal
+js
+json
+lib
+login
+logout
+mail
+manage
+member
+message
+metrics
+mobile
+new
+news
+node
+notes
+old
+order
+page
+pages
+panel
+password
+pdf
+photo
+php
+ping
+plugins
+portal
+post
+posts
+private
+profile
+public
+readme
+register
+report
+reports
+reset
+robots.txt
+rss
+search
+secure
+server
+service
+settings
+setup
+shop
+sitemap
+sitemap.xml
+staff
+static
+stats
+status
+store
+style.css
+styles
+subscribe
+support
+swagger
+system
+temp
+test
+tests
+tmp
+tools
+tracker
+upload
+uploads
+user
+users
+vendor
+version
+web
+webhook
+webmaster
+widget
+wiki
+xml
+xmlrpc

package/src/security-overlay/skills/wize-sec-exploit/scripts/run-ffuf.js

@@ -0,0 +1,147 @@
+'use strict';
+
+// run-ffuf.js — DAST ffuf (path/param fuzzing). GATED by --active.
+// Rate-limit (-rate 5) keeps the scan gentle even when active. The
+// wordlist is a small embedded file in data/common.txt (~100 entries);
+// users with SecLists should pass their own wordlist via extraArgs
+// (the data file is the conservative default).
+
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+
+const { assertTargetInScope } = require('../../../_shared/scope-gate.js');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+const { tagOwasp } = require('../../../_shared/owasp.js');
+
+const TIMEOUT_MS = 10 * 60 * 1000;
+const DEFAULT_WORDLIST = path.join(__dirname, '..', '..', '..', 'data', 'common.txt');
+
+function filterFfufArgs(targetUrl, wordlistPath) {
+  return [
+    '-u', targetUrl.replace(/\/+$/, '') + '/FUZZ',
+    '-w', wordlistPath,
+    '-mc', '200,201,202,301,302,401,403,500',
+    '-t', '5',
+    '-rate', '5',
+    '-of', 'json',
+    '-o', path.join(path.dirname(wordlistPath), '..', '..', '..', '.ffuf.json')
+  ];
+}
+
+function parseFfufJson(text) {
+  try {
+    const obj = JSON.parse(text);
+    return (obj && obj.results) ? obj.results : [];
+  } catch (_) {
+    return [];
+  }
+}
+
+async function runFfuf(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+  const wordlist = opts.wordlist || DEFAULT_WORDLIST;
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: TIMEOUT_MS });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['ffuf'], { cacheDir: sec });
+  const present = !!(tools.ffuf && tools.ffuf.present);
+
+  let targetUrl = null;
+  for (const line of (scope.body || '').split('\n')) {
+    const m = line.match(/^url:\s*(.+?)\s*$/);
+    if (m && line.indexOf('url') === 0) { targetUrl = m[1]; break; }
+  }
+
+  function mergeDast(sections, status) {
+    const existing = loadPartial({ securityDir: sec, phase: 'dast' });
+    const merged = {};
+    if (existing && existing.body) {
+      const re = /## ([a-z_]+)\n\n([\s\S]*?)(?=\n## |$)/g;
+      let m;
+      while ((m = re.exec(existing.body)) !== null) {
+        merged[m[1]] = m[2].trim();
+      }
+    }
+    Object.assign(merged, sections);
+    const finalStatus = merged.degraded_checks ? 'incomplete' : status;
+    writePartial({
+      securityDir: sec, phase: 'dast', mode: active ? 'active' : 'passive',
+      scope, status: finalStatus, tools, sections: merged
+    });
+  }
+
+  // 1. Not active -> degraded with [ffuf-passive].
+  if (!active) {
+    mergeDast({ degraded_checks: '- ffuf-passive: --active ausente — ffuf não é invocado sem opt-in explícito.' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  if (!targetUrl) {
+    mergeDast({ degraded_checks: '- ffuf: dast_target.url ausente' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  const urlObj = new URL(targetUrl);
+  const inScope = assertTargetInScope(scope, { host: urlObj.hostname, url: targetUrl }, { refusalsDir: sec });
+  if (!inScope) {
+    mergeDast({ degraded_checks: `- ffuf: target ${targetUrl} recusado pelo gate` }, 'incomplete');
+    return { ok: false, partialStatus: 'incomplete' };
+  }
+
+  if (!present) {
+    mergeDast({ degraded_checks: '- ffuf: ffuf ausente — instale ffuf e re-rode com --active.' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  // Happy path.
+  const reportPath = path.join(sec, '.ffuf.json');
+  const args = filterArgs('ffuf', [
+    '-u', targetUrl.replace(/\/+$/, '') + '/FUZZ',
+    '-w', wordlist,
+    '-mc', '200,201,202,301,302,401,403,500',
+    '-t', '5',
+    '-rate', '5',
+    '-of', 'json',
+    '-o', reportPath
+  ]);
+  try {
+    execFn('ffuf', args, { timeout: TIMEOUT_MS });
+  } catch (_) { /* ffuf may exit non-zero; the JSON report is still written */ }
+
+  let findings = [];
+  if (fs.existsSync(reportPath)) {
+    try {
+      findings = parseFfufJson(fs.readFileSync(reportPath, 'utf8'));
+    } catch (_) { findings = []; }
+  }
+
+  const body = findings.length
+    ? findings.map(f => {
+        const owasp = tagOwasp({ rule: `status-${f.status || ''} path-${f.input && f.input.FUZZ || ''}` });
+        return `- **${f.url}** status=${f.status} length=${f.length || 0} owasp=\`${owasp}\``;
+      }).join('\n')
+    : '_(nenhum finding do ffuf)_';
+
+  mergeDast({ ffuf: body }, findings.length ? 'complete' : 'incomplete');
+  return { ok: true, partialStatus: findings.length ? 'complete' : 'incomplete' };
+}
+
+module.exports = { runFfuf, filterFfufArgs, parseFfufJson };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, target, wordlist } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runFfuf({ securityDir, scope, active, target, wordlist });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'target': 'target', 'wordlist': 'wordlist' }
+  });
+}

package/src/security-overlay/skills/wize-sec-exploit/scripts/run-nikto.js

@@ -0,0 +1,145 @@
+'use strict';
+
+// run-nikto.js — DAST nikto phase. Nikto runs in safe-checks mode
+// (-Tuning x6) which excludes brute force and DoS probes (NFR Security #6).
+
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+
+const { assertTargetInScope } = require('../../../_shared/scope-gate.js');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+const { tagOwasp } = require('../../../_shared/owasp.js');
+
+// Build nikto argv (raw, before filterArgs).
+function filterNiktoArgs(host, outputPath) {
+  return ['-h', host, '-ask', 'no', '-Tuning', 'x6', '-timeout', '10', '-o', outputPath];
+}
+
+// Parse nikto's text output. We accept a relaxed line shape — every line
+// that starts with '+' (or contains OSVDB-) is treated as a finding.
+function parseNiktoText(text) {
+  const findings = [];
+  for (const line of String(text || '').split('\n')) {
+    const t = line.trim();
+    if (!t || t.startsWith('- Nikto')) continue; // header
+    if (!t.startsWith('+') && !/OSVDB-\d+/.test(t)) continue;
+    // id: first OSVDB-#### match, else hash of first 8 chars.
+    const osvdb = t.match(/OSVDB-(\d+)/);
+    const id = osvdb ? `OSVDB-${osvdb[1]}` : `NIKTO-${Math.abs(hashStr(t)) % 1e6}`;
+    const msg = t.replace(/^\+\s*/, '').replace(/^OSVDB-\d+:\s*/, '');
+    // Severity inferred by keyword.
+    let severity = 'info';
+    if (/injection|sqli|xss|sql injection/i.test(t)) severity = 'high';
+    else if (/default.{0,5}account|admin|exposed/i.test(t)) severity = 'medium';
+    else if (/missing|cookie|httponly|header|csp/i.test(t)) severity = 'low';
+    findings.push({ id, msg, severity });
+  }
+  return findings;
+}
+
+function hashStr(s) {
+  let h = 0;
+  for (let i = 0; i < s.length; i++) h = ((h << 5) - h + s.charCodeAt(i)) | 0;
+  return h;
+}
+
+async function runNikto(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: 10 * 60 * 1000 });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['nikto'], { cacheDir: sec });
+  const present = !!(tools.nikto && tools.nikto.present);
+
+  // Resolve target URL.
+  let targetUrl = null;
+  for (const line of (scope.body || '').split('\n')) {
+    if (/^## dast_target/.test(line)) continue;
+    const m = line.match(/^url:\s*(.+?)\s*$/);
+    if (m && line.indexOf('url') === 0) { targetUrl = m[1]; break; }
+  }
+  if (!targetUrl) {
+    mergeDast(sec, scope, active, tools, { degraded_checks: '- nikto: dast_target.url ausente' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  const urlObj = new URL(targetUrl);
+
+  const inScope = assertTargetInScope(scope, { host: urlObj.hostname, url: targetUrl }, { refusalsDir: sec });
+  if (!inScope) {
+    mergeDast(sec, scope, active, tools, { degraded_checks: `- nikto: target ${targetUrl} recusado pelo gate` }, 'incomplete');
+    return { ok: false, partialStatus: 'incomplete' };
+  }
+
+  if (!present) {
+    mergeDast(sec, scope, active, tools, { degraded_checks: '- nikto: nikto ausente — instale nikto e re-rode.' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  const outPath = path.join(sec, '.nikto.txt');
+  const rawArgs = filterNiktoArgs(urlObj.hostname, outPath);
+  const args = filterArgs('nikto', rawArgs);
+  const r = execFn('nikto', args, { timeout: 10 * 60 * 1000 });
+  let text = r && r.stdout ? r.stdout : '';
+  if (!text && fs.existsSync(outPath)) {
+    text = fs.readFileSync(outPath, 'utf8');
+  }
+  const raw = parseNiktoText(text);
+  const findings = raw.map(f => ({
+    id: f.id,
+    msg: f.msg,
+    severity: f.severity,
+    owasp: tagOwasp({ rule: f.id + ' ' + f.msg })
+  }));
+  const lines = findings.length
+    ? findings.map(f => `- **${f.id}** severity=${f.severity} owasp=\`${f.owasp}\` — ${f.msg}`)
+    : ['_(nenhum finding do nikto)_'];
+
+  // Merge into dast.md: preserve sections from earlier tools (e.g. nuclei).
+  mergeDast(sec, scope, active, tools, { nikto: lines.join('\n') }, findings.length ? 'complete' : 'incomplete');
+  return { ok: true, partialStatus: findings.length ? 'complete' : 'incomplete' };
+}
+
+function mergeDast(sec, scope, active, tools, update, defaultStatus) {
+  const existing = loadPartial({ securityDir: sec, phase: 'dast' });
+  const sections = {};
+  if (existing && existing.body) {
+    const re = /## ([a-z_]+)\n\n([\s\S]*?)(?=\n## |$)/g;
+    let m;
+    while ((m = re.exec(existing.body)) !== null) {
+      sections[m[1]] = m[2].trim();
+    }
+  }
+  Object.assign(sections, update);
+  // Status: incomplete if any degraded_checks section is present.
+  const status = sections.degraded_checks ? 'incomplete' : (defaultStatus || 'complete');
+  writePartial({
+    securityDir: sec,
+    phase: 'dast',
+    mode: active ? 'active' : 'passive',
+    scope,
+    status,
+    tools,
+    sections
+  });
+}
+
+module.exports = { runNikto, filterNiktoArgs, parseNiktoText };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, target } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runNikto({ securityDir, scope, active, target });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'target': 'target' }
+  });
+}