wize-dev-kit 0.5.0 → 0.7.0

package/CHANGELOG.md

@@ -5,6 +5,32 @@ Format inspired by [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [0.7.0] — 2026-06-21
+
+### Added
+
+- **Post-scan remediation planning (security-overlay).** Ao fim do `wize-sec-pentest`, o overlay traduz os findings em um backlog de correção pronto para `wize-create-epics-and-stories`.
+  - **`security-backlog.md`** gerado em `.wize/security/`: findings agrupados por tema (ex.: 97 secrets → 1 epic de rotação, não 97 stories), priorizados **P0/P1/P2** pela pior severidade do grupo, estimados S/M/L, com rastreabilidade aos findings de origem + `scope_sha256` e DoD ("re-rodar scan e confirmar finding ausente").
+  - Epics semeados pelo action plan do `ai-insights.json` quando presente.
+  - **Call-to-action** com o comando exato (`/wize-create-epics-and-stories --from .wize/security/security-backlog.md`) impresso no terminal, no `report.md` e como banner no `report.html`.
+  - Mantém **zero runtime próprio**: o overlay gera o backlog e imprime o comando; o usuário/agente é quem executa a skill de planejamento (o Node nunca invoca skills).
+
+## [0.6.0] — 2026-06-20
+
+### Added
+
+- **`security-overlay` — AI Pentester (novo profile opcional).** Pipeline file-first de pentest que roda no harness do usuário (zero runtime próprio, zero dependência npm nova). Selecionável no instalador como `security-overlay`.
+  - **Persona `red-teamer`** + orquestradora `wize-sec-pentest` que encadeia recon → enumerate → SAST → DAST → report.
+  - **Gate de escopo** (`.wize/security/scope.md`, allowlist assinada com SHA-256): toda ação ofensiva é verificada por fase; alvo fora do escopo é recusado e auditado em `.refusals.log`. Default passivo; exploit ativo só com `--active`.
+  - **Allowlist de flags por ferramenta** (`data/tool-allowlist.json`): `--dump`/`--os-shell` e afins nunca chegam ao `execFile`, independente do input.
+  - **SAST**: secrets via gitleaks (com redação `***REDACTED***`) + dependências vulneráveis via osv-scanner/grype (CVE + CVSS).
+  - **DAST**: nuclei, nikto (safe checks), sqlmap e ffuf (content discovery), gated por `--active` quando ofensivos.
+  - **CVSS v3.1** zero-dep + tagger **OWASP Top 10 (2021)**.
+  - **Relatório** `report.md` + `report.html` self-contained (CSS inline, offline, WCAG 2.2 AA): risk score 0–100, briefing executivo, plano de ação P0/P1/P2, cobertura honesta do teste (audit confidence), recomendação por finding.
+  - **AI insights**: o renderer consome `ai-insights.json` escrito pelo LLM do harness (briefing + recomendações), sem chamada externa — dados ficam locais.
+  - **Preflight** (Epic 08): detecta SO/arch/package-manager e gera `install-pentest-tools.sh` com a fonte correta por ferramenta (apt para nmap/nikto/sqlmap; GitHub release para gitleaks/nuclei/ffuf/osv-scanner; script oficial para grype).
+- Documentação completa do overlay em `.wize/planning` e `.wize/solutioning` (brief, PRD, tech-vision, NFR, architecture, 4 ADRs, 8 epics, 26+ stories).
+
 ## [0.5.0] — 2026-06-17
 
 ### Added

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "wize-dev-kit",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "description": "Full-lifecycle AI-assisted development kit with Test Architect and Whiteport Design Studio embedded. Inspired by BMAD Method and WDS.",
   "keywords": [
     "ai",

package/src/security-overlay/_shared/allowlist.js

@@ -0,0 +1,154 @@
+'use strict';
+
+// allowlist.js — gate that filters arguments for an external pentest tool
+// before they are passed to child_process.execFile. The list of allowed
+// flags per tool lives in src/security-overlay/data/tool-allowlist.json.
+//
+// Schema (per tool, array of strings):
+//   "-foo"        switch with no value
+//   "-foo:"       switch that consumes the next argv as its value
+//   "-foo=bar"    switch with a fixed value (only the literal "bar" is allowed)
+//   "--flag="     switch that consumes a value joined by '=' (e.g. --level=1)
+//
+// Invariant: args NOT in the allowlist (or args that look like values for
+// flags not in the allowlist) are dropped. Positional args (targets, URLs)
+// pass through unchanged.
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+class UnknownToolError extends Error {
+  constructor(tool) {
+    super(`Unknown tool "${tool}" — not in tool-allowlist.json. Refusing to invoke.`);
+    this.name = 'UnknownToolError';
+    this.tool = tool;
+  }
+}
+
+const DEFAULT_ALLOWLIST_PATH = path.join(__dirname, '..', 'data', 'tool-allowlist.json');
+
+let _cache = null;
+function _loadDefault() {
+  if (_cache) return _cache;
+  const raw = fs.readFileSync(DEFAULT_ALLOWLIST_PATH, 'utf8');
+  _cache = JSON.parse(raw);
+  return _cache;
+}
+
+function loadAllowlist(filePath) {
+  const fp = filePath || DEFAULT_ALLOWLIST_PATH;
+  return JSON.parse(fs.readFileSync(fp, 'utf8'));
+}
+
+// Heuristic for "is this arg a flag?": starts with '-' and is more than 1 char
+// (a bare "-" is sometimes used as stdin, treat as positional).
+function isFlag(arg) {
+  return typeof arg === 'string' && arg.length > 1 && arg[0] === '-';
+}
+
+// Classify one allowlist token into one of:
+//   { kind: 'switch' }                       — no value
+//   { kind: 'colon',   prefix: '-foo' }      — consumes next argv (e.g. -f path)
+//   { kind: 'equals',  prefix: '--flag=' }   — consumes value joined by '=' (e.g. --level=1)
+//   { kind: 'literal', full: '-foo=bar' }    — only the exact form is allowed
+//
+// When matching an arg, we try in order: literal, then colon (exact prefix
+// match, e.g. arg === '-u'), then equals (arg starts with prefix, e.g.
+// arg === '--level=1'), then switch (exact equality).
+function classify(token) {
+  if (token.endsWith(':')) {
+    return { kind: 'colon', prefix: token.slice(0, -1) };
+  }
+  if (token.endsWith('=') && token.startsWith('--')) {
+    return { kind: 'equals', prefix: token };
+  }
+  if (token.includes('=') && !token.endsWith('=')) {
+    return { kind: 'literal', full: token };
+  }
+  return { kind: 'switch' };
+}
+
+// Given a flag arg, find the first allowlist token that matches it.
+function matchFlag(toolData, arg) {
+  // Literal first (most specific).
+  for (const tok of toolData) {
+    if (classify(tok).kind === 'literal' && arg === tok) return { consumeNext: false };
+  }
+  // Then colon (exact prefix match) — e.g. arg === '-u'.
+  for (const tok of toolData) {
+    if (classify(tok).kind === 'colon' && arg === classify(tok).prefix) return { consumeNext: true };
+  }
+  // Then equals — e.g. arg starts with '--level='.
+  for (const tok of toolData) {
+    if (classify(tok).kind === 'equals' && arg.startsWith(classify(tok).prefix)) return { consumeNext: false };
+  }
+  // Then switch.
+  for (const tok of toolData) {
+    if (classify(tok).kind === 'switch' && tok === arg) return { consumeNext: false };
+  }
+  return null;
+}
+
+// filterArgs(tool, args, allowlist) — keep only args allowed by the tool's
+// allowlist, handling value-bearing flags correctly.
+function filterArgs(tool, args, allowlist) {
+  const data = allowlist || _loadDefault();
+  if (!Object.prototype.hasOwnProperty.call(data, tool)) {
+    throw new UnknownToolError(tool);
+  }
+  const toolData = data[tool];
+
+  const out = [];
+  let i = 0;
+  const list = args || [];
+  while (i < list.length) {
+    const arg = list[i];
+    if (!isFlag(arg)) {
+      // Positional: target, URL, output path.
+      out.push(arg);
+      i++;
+      continue;
+    }
+    const m = matchFlag(toolData, arg);
+    if (!m) {
+      // Unknown flag — drop the flag. We do NOT also drop the next arg,
+      // because a positional after a stripped flag is still a positional
+      // (caller may have intended both to pass). However, common patterns
+      // are value-bearing: e.g. `--script vuln` — if the flag is dropped,
+      // "vuln" is also dropped to avoid leaking. This is the safe default.
+      if (looksLikeValueArg(list[i + 1])) {
+        // Consume the next arg as part of the dropped flag's expected value.
+        i += 2;
+      } else {
+        i++;
+      }
+      continue;
+    }
+    out.push(arg);
+    if (m.consumeNext) {
+      // Value-bearing: the next argv is the value. Pass it through.
+      if (i + 1 < list.length) {
+        out.push(list[i + 1]);
+        i += 2;
+      } else {
+        i++;
+      }
+    } else {
+      i++;
+    }
+  }
+  return out;
+}
+
+// A value arg is one that does NOT start with '-' (or is the bare "-").
+function looksLikeValueArg(arg) {
+  return arg !== undefined && (typeof arg !== 'string' || arg.length === 0 || arg[0] !== '-');
+}
+
+module.exports = {
+  filterArgs,
+  loadAllowlist,
+  UnknownToolError,
+  classify,
+  matchFlag
+};

package/src/security-overlay/_shared/backlog.js

@@ -0,0 +1,180 @@
+'use strict';
+
+// backlog.js — turns classified security findings into a remediation
+// backlog (epics + stories) that wize-create-epics-and-stories can consume.
+//
+// Design (per brief-post-scan):
+//   - Group findings by theme/section, NOT 1-story-per-finding (97 secrets
+//     => 1 "rotate secrets" story, not 97).
+//   - Priority P0/P1/P2 derived from the worst severity in the group.
+//   - Each story keeps traceability to the source findings + scope hash.
+//   - Seed epics from the AI action plan (ai-insights.json) when present.
+//   - Zero-dep, file-first. The overlay never invokes a skill — it prints
+//     a clear CTA command for the user/agent to run.
+
+const CTA_COMMAND = '/wize-create-epics-and-stories --from .wize/security/security-backlog.md';
+
+// Severity -> remediation priority.
+function priorityFor(severity) {
+  switch (severity) {
+    case 'Critical':
+    case 'High':
+      return 'P0';
+    case 'Medium':
+      return 'P1';
+    default:
+      return 'P2'; // Low, Info-surface, None, unknown
+  }
+}
+
+// Group size -> rough estimate.
+function estimateFor(count) {
+  if (count <= 2) return 'S';
+  if (count <= 10) return 'M';
+  return 'L';
+}
+
+// Human label + remediation intent per section.
+const SECTION_THEME = {
+  secrets: { theme: 'Rotacionar e remover segredos expostos', owasp: 'A07:2021' },
+  deps: { theme: 'Atualizar dependências vulneráveis', owasp: 'A06:2021' },
+  nuclei: { theme: 'Corrigir vulnerabilidades detectadas (nuclei)', owasp: null },
+  nikto: { theme: 'Hardening de servidor web (nikto)', owasp: 'A05:2021' },
+  sqlmap: { theme: 'Corrigir injeção SQL', owasp: 'A03:2021' },
+  ffuf: { theme: 'Revisar endpoints/arquivos descobertos', owasp: 'A05:2021' },
+  tech: { theme: 'Hardening: ocultar fingerprinting de versões', owasp: 'A05:2021' },
+  open_ports: { theme: 'Revisar exposição de portas/serviços', owasp: 'A05:2021' },
+  surface: { theme: 'Revisar superfície HTTP exposta', owasp: 'A05:2021' }
+};
+
+// Severity rank for "worst in group".
+const SEV_RANK = { Critical: 5, High: 4, Medium: 3, Low: 2, 'Info-surface': 1, None: 0, unknown: 0 };
+
+// groupFindings(findings) -> [{ section, theme, owasp, count, priority,
+//   worstSeverity, findings: [...] }] sorted by priority then count.
+function groupFindings(findings) {
+  const bySection = {};
+  for (const f of findings || []) {
+    const s = f.section || 'unknown';
+    if (!bySection[s]) bySection[s] = [];
+    bySection[s].push(f);
+  }
+  const groups = [];
+  for (const [section, fs] of Object.entries(bySection)) {
+    let worst = 'unknown';
+    for (const f of fs) {
+      if ((SEV_RANK[f.severity] || 0) > (SEV_RANK[worst] || 0)) worst = f.severity;
+    }
+    const theme = (SECTION_THEME[section] && SECTION_THEME[section].theme) || `Revisar findings de ${section}`;
+    const owasp = SECTION_THEME[section] && SECTION_THEME[section].owasp;
+    groups.push({
+      section,
+      theme,
+      owasp,
+      count: fs.length,
+      worstSeverity: worst,
+      priority: priorityFor(worst),
+      findings: fs
+    });
+  }
+  // Order: P0 first, then by count desc.
+  const pOrder = { P0: 0, P1: 1, P2: 2 };
+  groups.sort((a, b) => (pOrder[a.priority] - pOrder[b.priority]) || (b.count - a.count));
+  return groups;
+}
+
+function escapeMd(s) {
+  return String(s == null ? '' : s);
+}
+
+// buildBacklog({ findings, actionPlan, scopeSha, generatedAt }) -> markdown.
+function buildBacklog({ findings = [], actionPlan = [], scopeSha = '', generatedAt = '' } = {}) {
+  const groups = groupFindings(findings);
+  const lines = [];
+
+  lines.push('---');
+  lines.push('kind: security-remediation-backlog');
+  lines.push('owner: red-teamer');
+  lines.push(`source_scope_sha256: ${escapeMd(scopeSha)}`);
+  lines.push(`generated_at: ${escapeMd(generatedAt)}`);
+  lines.push('consumed_by: wize-create-epics-and-stories');
+  lines.push('---');
+  lines.push('');
+  lines.push('# Security Remediation Backlog');
+  lines.push('');
+  lines.push('Backlog de correção derivado do scan de segurança. Cada epic agrupa findings por tema; cada story rastreia os findings de origem. Prioridade vem da severidade (P0 = Critical/High, P1 = Medium, P2 = Low/informativo).');
+  lines.push('');
+  lines.push(`> **Próximo passo:** rode \`${CTA_COMMAND}\` para transformar este backlog em stories formais.`);
+  lines.push('');
+
+  // Action plan summary (from AI insights) — the executive framing.
+  if (actionPlan && actionPlan.length) {
+    lines.push('## Plano de ação (resumo)');
+    lines.push('');
+    for (const a of actionPlan) {
+      lines.push(`- **[${escapeMd(a.priority)}] ${escapeMd(a.title)}** — ${escapeMd(a.detail)}`);
+    }
+    lines.push('');
+  }
+
+  // Build a lookup from action plan title keywords to attach detail to epics.
+  const planByTheme = {};
+  for (const a of (actionPlan || [])) planByTheme[(a.title || '').toLowerCase()] = a;
+
+  const actionable = groups.filter(g => g.worstSeverity !== 'Info-surface' || g.priority !== 'P2' ? true : true);
+
+  if (groups.length === 0) {
+    lines.push('## (sem itens)');
+    lines.push('');
+    lines.push('_Nenhum finding acionável neste scan — no actionable findings._');
+    return lines.join('\n');
+  }
+
+  // One epic per group.
+  let epicN = 0;
+  for (const g of groups) {
+    epicN++;
+    const est = estimateFor(g.count);
+    // Find a matching action-plan detail by theme keyword overlap.
+    let planDetail = '';
+    for (const [title, a] of Object.entries(planByTheme)) {
+      const key = g.section;
+      if (title.includes(key) || (key === 'secrets' && title.includes('segredo')) ||
+          (key === 'deps' && (title.includes('depend') || title.includes('dep'))) ||
+          (key === 'tech' && title.includes('fingerprint'))) {
+        planDetail = a.detail; break;
+      }
+    }
+    lines.push(`## Epic ${String(epicN).padStart(2, '0')}: ${g.theme} [${g.priority}]`);
+    lines.push('');
+    lines.push(`- **Prioridade:** ${g.priority} (pior severidade: ${g.worstSeverity})`);
+    lines.push(`- **Findings cobertos:** ${g.count}`);
+    if (g.owasp) lines.push(`- **OWASP:** ${g.owasp}`);
+    lines.push(`- **Estimativa:** ${est}`);
+    if (planDetail) lines.push(`- **Como corrigir:** ${planDetail}`);
+    lines.push('');
+    lines.push('### Stories');
+    lines.push('');
+    // For large groups, a single remediation story + a verification story.
+    lines.push(`- **${g.theme}** (${g.priority}, est ${est}) — corrigir os ${g.count} finding(s) de \`${g.section}\`. _Origem: ${g.section} (${g.count} findings, ${g.worstSeverity})._`);
+    lines.push(`- **Verificar correção de ${g.section}** (${g.priority}, est S) — re-rodar \`/wize-sec-pentest\` e confirmar que os findings de \`${g.section}\` sumiram (DoD).`);
+    lines.push('');
+    // Sample of source findings for traceability (cap at 5).
+    const sample = g.findings.slice(0, 5);
+    lines.push('<details><summary>Findings de origem (amostra)</summary>');
+    lines.push('');
+    for (const f of sample) {
+      lines.push(`- ${escapeMd(f.raw)}`);
+    }
+    if (g.findings.length > sample.length) {
+      lines.push(`- _… e mais ${g.findings.length - sample.length}._`);
+    }
+    lines.push('');
+    lines.push('</details>');
+    lines.push('');
+  }
+
+  return lines.join('\n');
+}
+
+module.exports = { buildBacklog, priorityFor, estimateFor, groupFindings, CTA_COMMAND };

package/src/security-overlay/_shared/cli-runner.js

@@ -0,0 +1,87 @@
+'use strict';
+
+// cli-runner.js — small helper so each phase script can be invoked
+// either as a module (import + call) or as a CLI (with --securityDir /
+// --scope / --active argv). The invoke-phase helper spawns the script
+// as a Node subprocess; this module bridges that to the per-phase
+// `runX` function exported by each script.
+//
+// Usage from a script:
+//   const { runX } = require('./run-x');
+//   module.exports = { runX };
+//   if (require.main === module) {
+//     require('../../../_shared/cli-runner.js').runFromArgv({
+//       fn: runX,
+//       argMap: { securityDir: 'securityDir', scopePath: 'scopePath', active: 'active' }
+//     });
+//   }
+//
+// argv shape: --securityDir=PATH --scope=PATH --active [script-specific]
+// The function `fn` is called with the parsed object spread.
+
+function parseArgv(argv) {
+  const out = {};
+  for (let i = 0; i < (argv || []).length; i++) {
+    const a = argv[i];
+    if (a === '--active') { out.active = true; continue; }
+    const eq = a.indexOf('=');
+    if (eq > 0) {
+      const key = a.slice(0, eq).replace(/^--/, '');
+      const val = a.slice(eq + 1);
+      out[camel(key)] = val;
+      continue;
+    }
+    if (a.startsWith('--') && i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
+      out[camel(a.slice(2))] = argv[i + 1];
+      i++;
+    }
+  }
+  return out;
+}
+
+function camel(s) {
+  return s.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
+}
+
+async function runFromArgv({ fn, argMap = {} }) {
+  const argv = process.argv.slice(2);
+  const parsed = parseArgv(argv);
+  // Map --securityDir -> securityDir, --scope -> scopePath, etc.
+  const opts = {};
+  for (const [cliKey, optKey] of Object.entries(argMap)) {
+    if (cliKey in parsed) opts[optKey] = parsed[cliKey];
+  }
+  // Also accept any unprefixed camelCase keys directly.
+  for (const [k, v] of Object.entries(parsed)) {
+    if (!(k in opts)) opts[k] = v;
+  }
+  if (!('active' in opts)) opts.active = false;
+  // The phase script may also export its own CLI flags (--target for recon).
+  // We forward remaining --flags as a target-agnostic extraArgs-style list.
+  const extras = {};
+  for (const a of argv) {
+    if (a === '--active') continue;
+    const m = a.match(/^--([a-z0-9-]+)/);
+    if (m && !argMap[m[1]] && !argMap[camel(m[1])]) {
+      // Stash any flag the script might want to read itself.
+      extras[m[1]] = a.includes('=') ? a.slice(a.indexOf('=') + 1) : true;
+    }
+  }
+  Object.assign(opts, extras);
+  try {
+    const r = await fn(opts);
+    if (r && typeof r === 'object') {
+      // Print a one-line summary the orchestrator can show in its summary.
+      const summary = r.partialStatus
+        ? `${process.argv[1].split('/').pop().replace(/\.js$/, '')}: partial_status=${r.partialStatus} mode=${r.mode || 'passive'}`
+        : '';
+      if (summary) process.stdout.write(summary + '\n');
+    }
+    process.exit(0);
+  } catch (e) {
+    process.stderr.write(`✖ ${process.argv[1]}: ${e && e.message ? e.message : e}\n`);
+    process.exit(2);
+  }
+}
+
+module.exports = { parseArgv, runFromArgv };

package/src/security-overlay/_shared/cvss.js

@@ -0,0 +1,108 @@
+'use strict';
+
+// cvss.js — zero-dep CVSS v3.1 score calculator. Implements the official
+// formula from FIRST.org. Tested against the 5 canonical vectors from
+// the spec. Returns the base score (0.0-10.0) and the severity label.
+
+class InvalidVectorError extends Error {
+  constructor(message) { super(message); this.name = 'InvalidVectorError'; }
+}
+
+// --- metric value tables (per CVSS v3.1 spec) -----------------------------
+
+const AV = { N: 0.85, A: 0.62, L: 0.55, P: 0.2 };
+const AC = { L: 0.77, H: 0.44 };
+const PR_U = { N: 0.85, L: 0.62, H: 0.27 };  // PR and UI share values when scope=U
+const PR_C = { N: 0.85, L: 0.68, H: 0.5 };   // PR changes when scope=C
+const UI_U = { N: 0.85, R: 0.62 };
+const UI_C = { N: 0.85, R: 0.68 };
+const CIA = { H: 0.56, L: 0.22, N: 0 };
+
+// --- parse --------------------------------------------------------------
+
+function parse(vector) {
+  if (typeof vector !== 'string') throw new InvalidVectorError('vector must be a string');
+  let v = vector.trim();
+  if (v.startsWith('CVSS:3.1/')) v = v.slice('CVSS:3.1/'.length);
+  if (v.startsWith('CVSS:3.0/')) throw new InvalidVectorError('CVSS v3.0 vectors are not supported');
+
+  const m = {};
+  for (const part of v.split('/')) {
+    const idx = part.indexOf(':');
+    if (idx < 0) throw new InvalidVectorError(`bad metric segment: ${part}`);
+    const key = part.slice(0, idx);
+    const val = part.slice(idx + 1);
+    if (val.length !== 1) throw new InvalidVectorError(`bad metric value: ${val}`);
+    m[key] = val;
+  }
+
+  // Validate required metrics.
+  for (const k of ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A']) {
+    if (!(k in m)) throw new InvalidVectorError(`missing metric: ${k}`);
+  }
+  // Validate values.
+  if (!(m.AV in AV)) throw new InvalidVectorError(`invalid AV: ${m.AV}`);
+  if (!(m.AC in AC)) throw new InvalidVectorError(`invalid AC: ${m.AC}`);
+  if (!(m.PR in { N: 1, L: 1, H: 1 })) throw new InvalidVectorError(`invalid PR: ${m.PR}`);
+  if (!(m.UI in { N: 1, R: 1 })) throw new InvalidVectorError(`invalid UI: ${m.UI}`);
+  if (!(m.S in { U: 1, C: 1 })) throw new InvalidVectorError(`invalid S: ${m.S}`);
+  for (const k of ['C', 'I', 'A']) {
+    if (!(m[k] in CIA)) throw new InvalidVectorError(`invalid ${k}: ${m[k]}`);
+  }
+  // Scope C requires PR/UI to be in the {N,L,H}/{N,R} sets.
+  if (m.S === 'C' && !(m.PR in { N: 1, L: 1, H: 1 })) {
+    throw new InvalidVectorError(`invalid PR for scope C: ${m.PR}`);
+  }
+  return m;
+}
+
+// --- formula ------------------------------------------------------------
+
+function roundUpTo1Decimal(n) {
+  // CVSS rounds UP to 1 decimal place. JS banker rounding rounds half to
+  // even, which is wrong for CVSS — we use ceiling-to-1-decimal.
+  return Math.ceil(n * 10) / 10;
+}
+
+function compute(vector) {
+  const m = parse(vector);
+  const scopeChanged = m.S === 'C';
+  const PR = scopeChanged ? PR_C[m.PR] : PR_U[m.PR];
+  const UI = scopeChanged ? UI_C[m.UI] : UI_U[m.UI];
+
+  // Impact.
+  const issBase = 1 - ((1 - CIA[m.C]) * (1 - CIA[m.I]) * (1 - CIA[m.A]));
+  let impact = scopeChanged
+    ? 7.52 * (issBase - 0.029) - 3.25 * Math.pow(issBase - 0.02, 15)
+    : 6.42 * issBase;
+  if (impact < 0) impact = 0;
+  impact = roundUpTo1Decimal(impact);
+
+  // Exploitability.
+  const exploit = 8.22 * AV[m.AV] * AC[m.AC] * PR * UI;
+  const explRounded = roundUpTo1Decimal(exploit);
+
+  // Base score.
+  let base;
+  if (impact <= 0) {
+    base = 0;
+  } else if (scopeChanged) {
+    base = 1.08 * (impact + explRounded);
+  } else {
+    base = impact + explRounded;
+  }
+  base = roundUpTo1Decimal(base);
+  if (base > 10) base = 10;
+
+  return { score: base, severity: severityFromScore(base) };
+}
+
+function severityFromScore(score) {
+  if (score === 0) return 'None';
+  if (score < 4.0) return 'Low';
+  if (score < 7.0) return 'Medium';
+  if (score < 9.0) return 'High';
+  return 'Critical';
+}
+
+module.exports = { compute, severityFromScore, parse, InvalidVectorError };