wize-dev-kit 0.5.0 → 0.7.0

package/src/security-overlay/skills/wize-sec-exploit/scripts/run-ffuf.js

@@ -0,0 +1,147 @@
+'use strict';
+
+// run-ffuf.js — DAST ffuf (path/param fuzzing). GATED by --active.
+// Rate-limit (-rate 5) keeps the scan gentle even when active. The
+// wordlist is a small embedded file in data/common.txt (~100 entries);
+// users with SecLists should pass their own wordlist via extraArgs
+// (the data file is the conservative default).
+
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+
+const { assertTargetInScope } = require('../../../_shared/scope-gate.js');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+const { tagOwasp } = require('../../../_shared/owasp.js');
+
+const TIMEOUT_MS = 10 * 60 * 1000;
+const DEFAULT_WORDLIST = path.join(__dirname, '..', '..', '..', 'data', 'common.txt');
+
+function filterFfufArgs(targetUrl, wordlistPath) {
+  return [
+    '-u', targetUrl.replace(/\/+$/, '') + '/FUZZ',
+    '-w', wordlistPath,
+    '-mc', '200,201,202,301,302,401,403,500',
+    '-t', '5',
+    '-rate', '5',
+    '-of', 'json',
+    '-o', path.join(path.dirname(wordlistPath), '..', '..', '..', '.ffuf.json')
+  ];
+}
+
+function parseFfufJson(text) {
+  try {
+    const obj = JSON.parse(text);
+    return (obj && obj.results) ? obj.results : [];
+  } catch (_) {
+    return [];
+  }
+}
+
+async function runFfuf(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+  const wordlist = opts.wordlist || DEFAULT_WORDLIST;
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: TIMEOUT_MS });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['ffuf'], { cacheDir: sec });
+  const present = !!(tools.ffuf && tools.ffuf.present);
+
+  let targetUrl = null;
+  for (const line of (scope.body || '').split('\n')) {
+    const m = line.match(/^url:\s*(.+?)\s*$/);
+    if (m && line.indexOf('url') === 0) { targetUrl = m[1]; break; }
+  }
+
+  function mergeDast(sections, status) {
+    const existing = loadPartial({ securityDir: sec, phase: 'dast' });
+    const merged = {};
+    if (existing && existing.body) {
+      const re = /## ([a-z_]+)\n\n([\s\S]*?)(?=\n## |$)/g;
+      let m;
+      while ((m = re.exec(existing.body)) !== null) {
+        merged[m[1]] = m[2].trim();
+      }
+    }
+    Object.assign(merged, sections);
+    const finalStatus = merged.degraded_checks ? 'incomplete' : status;
+    writePartial({
+      securityDir: sec, phase: 'dast', mode: active ? 'active' : 'passive',
+      scope, status: finalStatus, tools, sections: merged
+    });
+  }
+
+  // 1. Not active -> degraded with [ffuf-passive].
+  if (!active) {
+    mergeDast({ degraded_checks: '- ffuf-passive: --active ausente — ffuf não é invocado sem opt-in explícito.' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  if (!targetUrl) {
+    mergeDast({ degraded_checks: '- ffuf: dast_target.url ausente' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  const urlObj = new URL(targetUrl);
+  const inScope = assertTargetInScope(scope, { host: urlObj.hostname, url: targetUrl }, { refusalsDir: sec });
+  if (!inScope) {
+    mergeDast({ degraded_checks: `- ffuf: target ${targetUrl} recusado pelo gate` }, 'incomplete');
+    return { ok: false, partialStatus: 'incomplete' };
+  }
+
+  if (!present) {
+    mergeDast({ degraded_checks: '- ffuf: ffuf ausente — instale ffuf e re-rode com --active.' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  // Happy path.
+  const reportPath = path.join(sec, '.ffuf.json');
+  const args = filterArgs('ffuf', [
+    '-u', targetUrl.replace(/\/+$/, '') + '/FUZZ',
+    '-w', wordlist,
+    '-mc', '200,201,202,301,302,401,403,500',
+    '-t', '5',
+    '-rate', '5',
+    '-of', 'json',
+    '-o', reportPath
+  ]);
+  try {
+    execFn('ffuf', args, { timeout: TIMEOUT_MS });
+  } catch (_) { /* ffuf may exit non-zero; the JSON report is still written */ }
+
+  let findings = [];
+  if (fs.existsSync(reportPath)) {
+    try {
+      findings = parseFfufJson(fs.readFileSync(reportPath, 'utf8'));
+    } catch (_) { findings = []; }
+  }
+
+  const body = findings.length
+    ? findings.map(f => {
+        const owasp = tagOwasp({ rule: `status-${f.status || ''} path-${f.input && f.input.FUZZ || ''}` });
+        return `- **${f.url}** status=${f.status} length=${f.length || 0} owasp=\`${owasp}\``;
+      }).join('\n')
+    : '_(nenhum finding do ffuf)_';
+
+  mergeDast({ ffuf: body }, findings.length ? 'complete' : 'incomplete');
+  return { ok: true, partialStatus: findings.length ? 'complete' : 'incomplete' };
+}
+
+module.exports = { runFfuf, filterFfufArgs, parseFfufJson };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, target, wordlist } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runFfuf({ securityDir, scope, active, target, wordlist });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'target': 'target', 'wordlist': 'wordlist' }
+  });
+}

package/src/security-overlay/skills/wize-sec-exploit/scripts/run-nikto.js

@@ -0,0 +1,145 @@
+'use strict';
+
+// run-nikto.js — DAST nikto phase. Nikto runs in safe-checks mode
+// (-Tuning x6) which excludes brute force and DoS probes (NFR Security #6).
+
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+
+const { assertTargetInScope } = require('../../../_shared/scope-gate.js');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+const { tagOwasp } = require('../../../_shared/owasp.js');
+
+// Build nikto argv (raw, before filterArgs).
+function filterNiktoArgs(host, outputPath) {
+  return ['-h', host, '-ask', 'no', '-Tuning', 'x6', '-timeout', '10', '-o', outputPath];
+}
+
+// Parse nikto's text output. We accept a relaxed line shape — every line
+// that starts with '+' (or contains OSVDB-) is treated as a finding.
+function parseNiktoText(text) {
+  const findings = [];
+  for (const line of String(text || '').split('\n')) {
+    const t = line.trim();
+    if (!t || t.startsWith('- Nikto')) continue; // header
+    if (!t.startsWith('+') && !/OSVDB-\d+/.test(t)) continue;
+    // id: first OSVDB-#### match, else hash of first 8 chars.
+    const osvdb = t.match(/OSVDB-(\d+)/);
+    const id = osvdb ? `OSVDB-${osvdb[1]}` : `NIKTO-${Math.abs(hashStr(t)) % 1e6}`;
+    const msg = t.replace(/^\+\s*/, '').replace(/^OSVDB-\d+:\s*/, '');
+    // Severity inferred by keyword.
+    let severity = 'info';
+    if (/injection|sqli|xss|sql injection/i.test(t)) severity = 'high';
+    else if (/default.{0,5}account|admin|exposed/i.test(t)) severity = 'medium';
+    else if (/missing|cookie|httponly|header|csp/i.test(t)) severity = 'low';
+    findings.push({ id, msg, severity });
+  }
+  return findings;
+}
+
+function hashStr(s) {
+  let h = 0;
+  for (let i = 0; i < s.length; i++) h = ((h << 5) - h + s.charCodeAt(i)) | 0;
+  return h;
+}
+
+async function runNikto(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: 10 * 60 * 1000 });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['nikto'], { cacheDir: sec });
+  const present = !!(tools.nikto && tools.nikto.present);
+
+  // Resolve target URL.
+  let targetUrl = null;
+  for (const line of (scope.body || '').split('\n')) {
+    if (/^## dast_target/.test(line)) continue;
+    const m = line.match(/^url:\s*(.+?)\s*$/);
+    if (m && line.indexOf('url') === 0) { targetUrl = m[1]; break; }
+  }
+  if (!targetUrl) {
+    mergeDast(sec, scope, active, tools, { degraded_checks: '- nikto: dast_target.url ausente' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  const urlObj = new URL(targetUrl);
+
+  const inScope = assertTargetInScope(scope, { host: urlObj.hostname, url: targetUrl }, { refusalsDir: sec });
+  if (!inScope) {
+    mergeDast(sec, scope, active, tools, { degraded_checks: `- nikto: target ${targetUrl} recusado pelo gate` }, 'incomplete');
+    return { ok: false, partialStatus: 'incomplete' };
+  }
+
+  if (!present) {
+    mergeDast(sec, scope, active, tools, { degraded_checks: '- nikto: nikto ausente — instale nikto e re-rode.' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  const outPath = path.join(sec, '.nikto.txt');
+  const rawArgs = filterNiktoArgs(urlObj.hostname, outPath);
+  const args = filterArgs('nikto', rawArgs);
+  const r = execFn('nikto', args, { timeout: 10 * 60 * 1000 });
+  let text = r && r.stdout ? r.stdout : '';
+  if (!text && fs.existsSync(outPath)) {
+    text = fs.readFileSync(outPath, 'utf8');
+  }
+  const raw = parseNiktoText(text);
+  const findings = raw.map(f => ({
+    id: f.id,
+    msg: f.msg,
+    severity: f.severity,
+    owasp: tagOwasp({ rule: f.id + ' ' + f.msg })
+  }));
+  const lines = findings.length
+    ? findings.map(f => `- **${f.id}** severity=${f.severity} owasp=\`${f.owasp}\` — ${f.msg}`)
+    : ['_(nenhum finding do nikto)_'];
+
+  // Merge into dast.md: preserve sections from earlier tools (e.g. nuclei).
+  mergeDast(sec, scope, active, tools, { nikto: lines.join('\n') }, findings.length ? 'complete' : 'incomplete');
+  return { ok: true, partialStatus: findings.length ? 'complete' : 'incomplete' };
+}
+
+function mergeDast(sec, scope, active, tools, update, defaultStatus) {
+  const existing = loadPartial({ securityDir: sec, phase: 'dast' });
+  const sections = {};
+  if (existing && existing.body) {
+    const re = /## ([a-z_]+)\n\n([\s\S]*?)(?=\n## |$)/g;
+    let m;
+    while ((m = re.exec(existing.body)) !== null) {
+      sections[m[1]] = m[2].trim();
+    }
+  }
+  Object.assign(sections, update);
+  // Status: incomplete if any degraded_checks section is present.
+  const status = sections.degraded_checks ? 'incomplete' : (defaultStatus || 'complete');
+  writePartial({
+    securityDir: sec,
+    phase: 'dast',
+    mode: active ? 'active' : 'passive',
+    scope,
+    status,
+    tools,
+    sections
+  });
+}
+
+module.exports = { runNikto, filterNiktoArgs, parseNiktoText };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, target } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runNikto({ securityDir, scope, active, target });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'target': 'target' }
+  });
+}

package/src/security-overlay/skills/wize-sec-exploit/scripts/run-nuclei.js

@@ -0,0 +1,176 @@
+'use strict';
+
+// run-nuclei.js — DAST nuclei phase. Default is passive (info disclosure,
+// misconfig, headers). Active mode is gated by --active (sqlmap/ffuf
+// come in separate stories).
+
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+
+const { assertTargetInScope } = require('../../../_shared/scope-gate.js');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial } = require('../../../_shared/partial.js');
+const { tagOwasp } = require('../../../_shared/owasp.js');
+
+// Build the nuclei args list. Returns the raw argv (before filterArgs).
+// Kept as a separate function so tests can assert on the raw list.
+function filterNucleiArgs(targetUrl, active, outputPath) {
+  // nuclei v3: there is no `-t passive` template path. We run the default
+  // template set and filter by severity. Passive = lower-impact severities
+  // + aggressive rate limit; active = full severity range. Output is JSONL
+  // (-jsonl), disable update check (-duc), non-colored (-nc), silent.
+  const args = [
+    '-u', targetUrl,
+    '-severity', active ? 'info,low,medium,high,critical' : 'info,low,medium',
+    '-rl', '10',
+    '-jsonl', '-o', outputPath,
+    '-duc', '-nc', '-silent'
+  ];
+  return args;
+}
+
+// Parse line-delimited nuclei JSON output (one finding per line).
+function parseNucleiJson(text) {
+  const out = [];
+  for (const line of String(text || '').split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    try {
+      const f = JSON.parse(trimmed);
+      out.push(f);
+    } catch (_) { /* skip malformed lines */ }
+  }
+  return out;
+}
+
+// Build a nuclei finding object (flat) with template_id, severity, owasp, etc.
+function normalizeFinding(raw) {
+  const templateId = raw['template-id'] || raw.templateID || raw.template || '<unknown>';
+  const info = raw.info || {};
+  const severity = (info.severity || raw.severity || 'unknown').toString().toLowerCase();
+  const name = info.name || raw.name || templateId;
+  const matchedAt = raw['matched-at'] || raw.matched || raw.host || '<unknown>';
+  // CVSS: nuclei sometimes nests it.
+  let cvss = raw.cvss;
+  if (typeof cvss !== 'number' && info && info.classification && info.classification.cvss_score) {
+    cvss = Number(info.classification.cvss_score);
+  }
+  if (typeof cvss !== 'number') cvss = null;
+  const owasp = tagOwasp({ rule: templateId, cve: raw['cve-id'] || raw.cve });
+  return { template_id: templateId, name, severity, cvss, matched_at: matchedAt, owasp };
+}
+
+// runNuclei({securityDir, scope, active, execFn?, detectFn?}) -> {ok, partialStatus}
+async function runNuclei(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: 10 * 60 * 1000 });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['nuclei'], { cacheDir: sec });
+  const present = !!(tools.nuclei && tools.nuclei.present);
+
+  // 1. Target resolution — prefer scope body's ## dast_target.url.
+  let targetUrl = null;
+  const lines = (scope.body || '').split('\n');
+  let inDast = false;
+  for (const line of lines) {
+    if (/^## dast_target/.test(line)) { inDast = true; continue; }
+    if (inDast && /^url:\s*(.+?)\s*$/.test(line)) { targetUrl = line.match(/^url:\s*(.+?)\s*$/)[1]; break; }
+    if (inDast && /^## /.test(line)) break;
+  }
+  if (!targetUrl) {
+    writePartial({
+      securityDir: sec,
+      phase: 'dast',
+      mode: active ? 'active' : 'passive',
+      scope,
+      status: 'incomplete',
+      tools,
+      sections: { degraded_checks: '- nuclei: dast_target.url ausente no scope.md' }
+    });
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  // 2. Gate — target must be in scope.
+  const urlObj = new URL(targetUrl);
+  const inScope = assertTargetInScope(scope, { host: urlObj.hostname, url: targetUrl }, { refusalsDir: sec });
+  if (!inScope) {
+    writePartial({
+      securityDir: sec,
+      phase: 'dast',
+      mode: active ? 'active' : 'passive',
+      scope,
+      status: 'incomplete',
+      tools,
+      sections: { degraded_checks: `- nuclei: target ${targetUrl} recusado pelo gate` }
+    });
+    return { ok: false, partialStatus: 'incomplete' };
+  }
+
+  // 3. Missing tool -> degraded.
+  if (!present) {
+    writePartial({
+      securityDir: sec,
+      phase: 'dast',
+      mode: active ? 'active' : 'passive',
+      scope,
+      status: 'incomplete',
+      tools,
+      sections: { degraded_checks: '- nuclei: nuclei ausente — instale nuclei e re-rode a fase.' }
+    });
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  // 4. happy path.
+  const outPath = path.join(sec, '.nuclei.json');
+  const rawArgs = filterNucleiArgs(targetUrl, active, outPath);
+  const args = filterArgs('nuclei', rawArgs);
+  // nuclei may exit non-zero on some template errors; the JSONL output is
+  // still written for whatever ran. Read it regardless of exit status.
+  try {
+    execFn('nuclei', args, { timeout: 10 * 60 * 1000 });
+  } catch (_) { /* partial results still in outPath */ }
+
+  let findings = [];
+  if (fs.existsSync(outPath)) {
+    try {
+      findings = parseNucleiJson(fs.readFileSync(outPath, 'utf8'));
+    } catch (_) {
+      findings = [];
+    }
+  }
+  const normalized = findings.map(normalizeFinding);
+  const bodyLines = normalized.length
+    ? normalized.map(f => `- **${f.template_id}** (\`${f.name}\`) severity=${f.severity} owasp=\`${f.owasp}\`${f.cvss != null ? ` cvss=${f.cvss}` : ''} matched_at: ${f.matched_at}`)
+    : ['_(nenhum finding do nuclei)_'];
+
+  writePartial({
+    securityDir: sec,
+    phase: 'dast',
+    mode: active ? 'active' : 'passive',
+    scope,
+    status: normalized.length ? 'complete' : 'incomplete',
+    tools,
+    sections: { nuclei: bodyLines.join('\n') }
+  });
+  return { ok: true, partialStatus: normalized.length ? 'complete' : 'incomplete' };
+}
+
+module.exports = { runNuclei, filterNucleiArgs, parseNucleiJson, normalizeFinding };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, target } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runNuclei({ securityDir, scope, active, target });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'target': 'target' }
+  });
+}

package/src/security-overlay/skills/wize-sec-exploit/scripts/run-sqlmap.js

@@ -0,0 +1,139 @@
+'use strict';
+
+// run-sqlmap.js — DAST sqlmap. GATED by --active (ADR-004). Without
+// --active, sqlmap is NOT invoked even if the tool is installed.
+// filterArgs() blocks --dump and --os-shell (exfiltration / shell) —
+// they're not in the allowlist.
+
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+
+const { assertTargetInScope } = require('../../../_shared/scope-gate.js');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+const { tagOwasp } = require('../../../_shared/owasp.js');
+
+const TIMEOUT_MS = 5 * 60 * 1000;
+
+function defaultArgs(targetUrl) {
+  // Conservative defaults. filterArgs() drops --dump, --os-shell, --level>1,
+  // --risk>1, etc. — they're not in the allowlist.
+  return ['-u', targetUrl, '--batch', '--level=1', '--risk=1', '--threads=2', '--timeout=10', '--retries=1', '--random-agent'];
+}
+
+// Parse a slice of sqlmap stdout into findings. Sqlmap's output is fairly
+// free-form; we use a relaxed parser that looks for the canonical
+// "Parameter: <name> ... Type: ..." block.
+function parseSqlmapStdout(stdout) {
+  const findings = [];
+  const lines = String(stdout || '').split('\n');
+  let current = null;
+  for (const line of lines) {
+    const pm = line.match(/Parameter:\s*(\S+).*Type:\s*(\S+)/i);
+    if (pm) {
+      if (current) findings.push(current);
+      current = { parameter: pm[1], type: pm[2] };
+      continue;
+    }
+    const dm = line.match(/DBMS:\s*(.+?)\s*$/i);
+    if (dm && current) current.dbms = dm[1];
+    const pm2 = line.match(/Payload:\s*(.+?)\s*$/i);
+    if (pm2 && current) current.payload = pm2[1];
+    const reqm = line.match(/^\s*Type:\s*UNION.*query/i);
+    if (reqm && current) current.kind = 'union';
+  }
+  if (current) findings.push(current);
+  return findings;
+}
+
+async function runSqlmap(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: TIMEOUT_MS });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['sqlmap'], { cacheDir: sec });
+  const present = !!(tools.sqlmap && tools.sqlmap.present);
+
+  // Resolve dast_target.url.
+  let targetUrl = null;
+  for (const line of (scope.body || '').split('\n')) {
+    const m = line.match(/^url:\s*(.+?)\s*$/);
+    if (m && line.indexOf('url') === 0) { targetUrl = m[1]; break; }
+  }
+
+  function mergeDast(sections, status) {
+    const existing = loadPartial({ securityDir: sec, phase: 'dast' });
+    const merged = {};
+    if (existing && existing.body) {
+      const re = /## ([a-z_]+)\n\n([\s\S]*?)(?=\n## |$)/g;
+      let m;
+      while ((m = re.exec(existing.body)) !== null) {
+        merged[m[1]] = m[2].trim();
+      }
+    }
+    Object.assign(merged, sections);
+    const finalStatus = merged.degraded_checks ? 'incomplete' : status;
+    writePartial({
+      securityDir: sec, phase: 'dast', mode: active ? 'active' : 'passive',
+      scope, status: finalStatus, tools, sections: merged
+    });
+  }
+
+  // 1. Not active -> degraded with [sqlmap-pasive].
+  if (!active) {
+    mergeDast({ degraded_checks: '- sqlmap-pasive: --active ausente — sqlmap não é invocado sem opt-in explícito.' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  if (!targetUrl) {
+    mergeDast({ degraded_checks: '- sqlmap: dast_target.url ausente' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  // 2. Gate first.
+  const urlObj = new URL(targetUrl);
+  const inScope = assertTargetInScope(scope, { host: urlObj.hostname, url: targetUrl }, { refusalsDir: sec });
+  if (!inScope) {
+    mergeDast({ degraded_checks: `- sqlmap: target ${targetUrl} recusado pelo gate` }, 'incomplete');
+    return { ok: false, partialStatus: 'incomplete' };
+  }
+
+  // 3. Missing tool.
+  if (!present) {
+    mergeDast({ degraded_checks: '- sqlmap: sqlmap ausente — instale sqlmap e re-rode com --active.' }, 'incomplete');
+    return { ok: true, partialStatus: 'incomplete' };
+  }
+
+  // 4. happy path (active + present + in scope).
+  const rawArgs = defaultArgs(targetUrl);
+  const args = filterArgs('sqlmap', rawArgs);
+  const r = execFn('sqlmap', args, { timeout: TIMEOUT_MS });
+  const stdout = r && r.stdout ? r.stdout : '';
+  const findings = parseSqlmapStdout(stdout);
+  const findingsWithOwasp = findings.map(f => ({ ...f, owasp: tagOwasp({ rule: f.type || 'sqlmap' }) }));
+  const body = findingsWithOwasp.length
+    ? findingsWithOwasp.map(f => `- **${f.parameter || '?'}** (\`${f.type || '?'}\`) dbms=\`${f.dbms || '?'}\` owasp=\`${f.owasp}\` payload: ${f.payload || 'n/a'}`).join('\n')
+    : '_(nenhum finding do sqlmap)_';
+
+  mergeDast({ sqlmap: body }, findingsWithOwasp.length ? 'complete' : 'incomplete');
+  return { ok: true, partialStatus: findingsWithOwasp.length ? 'complete' : 'incomplete' };
+}
+
+module.exports = { runSqlmap, defaultArgs, parseSqlmapStdout };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, target } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runSqlmap({ securityDir, scope, active, target });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'target': 'target' }
+  });
+}