wize-dev-kit 0.6.0 → 0.7.0

package/CHANGELOG.md

@@ -5,6 +5,16 @@ Format inspired by [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [0.7.0] — 2026-06-21
+
+### Added
+
+- **Post-scan remediation planning (security-overlay).** Ao fim do `wize-sec-pentest`, o overlay traduz os findings em um backlog de correção pronto para `wize-create-epics-and-stories`.
+  - **`security-backlog.md`** gerado em `.wize/security/`: findings agrupados por tema (ex.: 97 secrets → 1 epic de rotação, não 97 stories), priorizados **P0/P1/P2** pela pior severidade do grupo, estimados S/M/L, com rastreabilidade aos findings de origem + `scope_sha256` e DoD ("re-rodar scan e confirmar finding ausente").
+  - Epics semeados pelo action plan do `ai-insights.json` quando presente.
+  - **Call-to-action** com o comando exato (`/wize-create-epics-and-stories --from .wize/security/security-backlog.md`) impresso no terminal, no `report.md` e como banner no `report.html`.
+  - Mantém **zero runtime próprio**: o overlay gera o backlog e imprime o comando; o usuário/agente é quem executa a skill de planejamento (o Node nunca invoca skills).
+
 ## [0.6.0] — 2026-06-20
 
 ### Added

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "wize-dev-kit",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Full-lifecycle AI-assisted development kit with Test Architect and Whiteport Design Studio embedded. Inspired by BMAD Method and WDS.",
   "keywords": [
     "ai",

package/src/security-overlay/_shared/backlog.js

@@ -0,0 +1,180 @@
+'use strict';
+
+// backlog.js — turns classified security findings into a remediation
+// backlog (epics + stories) that wize-create-epics-and-stories can consume.
+//
+// Design (per brief-post-scan):
+//   - Group findings by theme/section, NOT 1-story-per-finding (97 secrets
+//     => 1 "rotate secrets" story, not 97).
+//   - Priority P0/P1/P2 derived from the worst severity in the group.
+//   - Each story keeps traceability to the source findings + scope hash.
+//   - Seed epics from the AI action plan (ai-insights.json) when present.
+//   - Zero-dep, file-first. The overlay never invokes a skill — it prints
+//     a clear CTA command for the user/agent to run.
+
+const CTA_COMMAND = '/wize-create-epics-and-stories --from .wize/security/security-backlog.md';
+
+// Severity -> remediation priority.
+function priorityFor(severity) {
+  switch (severity) {
+    case 'Critical':
+    case 'High':
+      return 'P0';
+    case 'Medium':
+      return 'P1';
+    default:
+      return 'P2'; // Low, Info-surface, None, unknown
+  }
+}
+
+// Group size -> rough estimate.
+function estimateFor(count) {
+  if (count <= 2) return 'S';
+  if (count <= 10) return 'M';
+  return 'L';
+}
+
+// Human label + remediation intent per section.
+const SECTION_THEME = {
+  secrets: { theme: 'Rotacionar e remover segredos expostos', owasp: 'A07:2021' },
+  deps: { theme: 'Atualizar dependências vulneráveis', owasp: 'A06:2021' },
+  nuclei: { theme: 'Corrigir vulnerabilidades detectadas (nuclei)', owasp: null },
+  nikto: { theme: 'Hardening de servidor web (nikto)', owasp: 'A05:2021' },
+  sqlmap: { theme: 'Corrigir injeção SQL', owasp: 'A03:2021' },
+  ffuf: { theme: 'Revisar endpoints/arquivos descobertos', owasp: 'A05:2021' },
+  tech: { theme: 'Hardening: ocultar fingerprinting de versões', owasp: 'A05:2021' },
+  open_ports: { theme: 'Revisar exposição de portas/serviços', owasp: 'A05:2021' },
+  surface: { theme: 'Revisar superfície HTTP exposta', owasp: 'A05:2021' }
+};
+
+// Severity rank for "worst in group".
+const SEV_RANK = { Critical: 5, High: 4, Medium: 3, Low: 2, 'Info-surface': 1, None: 0, unknown: 0 };
+
+// groupFindings(findings) -> [{ section, theme, owasp, count, priority,
+//   worstSeverity, findings: [...] }] sorted by priority then count.
+function groupFindings(findings) {
+  const bySection = {};
+  for (const f of findings || []) {
+    const s = f.section || 'unknown';
+    if (!bySection[s]) bySection[s] = [];
+    bySection[s].push(f);
+  }
+  const groups = [];
+  for (const [section, fs] of Object.entries(bySection)) {
+    let worst = 'unknown';
+    for (const f of fs) {
+      if ((SEV_RANK[f.severity] || 0) > (SEV_RANK[worst] || 0)) worst = f.severity;
+    }
+    const theme = (SECTION_THEME[section] && SECTION_THEME[section].theme) || `Revisar findings de ${section}`;
+    const owasp = SECTION_THEME[section] && SECTION_THEME[section].owasp;
+    groups.push({
+      section,
+      theme,
+      owasp,
+      count: fs.length,
+      worstSeverity: worst,
+      priority: priorityFor(worst),
+      findings: fs
+    });
+  }
+  // Order: P0 first, then by count desc.
+  const pOrder = { P0: 0, P1: 1, P2: 2 };
+  groups.sort((a, b) => (pOrder[a.priority] - pOrder[b.priority]) || (b.count - a.count));
+  return groups;
+}
+
+function escapeMd(s) {
+  return String(s == null ? '' : s);
+}
+
+// buildBacklog({ findings, actionPlan, scopeSha, generatedAt }) -> markdown.
+function buildBacklog({ findings = [], actionPlan = [], scopeSha = '', generatedAt = '' } = {}) {
+  const groups = groupFindings(findings);
+  const lines = [];
+
+  lines.push('---');
+  lines.push('kind: security-remediation-backlog');
+  lines.push('owner: red-teamer');
+  lines.push(`source_scope_sha256: ${escapeMd(scopeSha)}`);
+  lines.push(`generated_at: ${escapeMd(generatedAt)}`);
+  lines.push('consumed_by: wize-create-epics-and-stories');
+  lines.push('---');
+  lines.push('');
+  lines.push('# Security Remediation Backlog');
+  lines.push('');
+  lines.push('Backlog de correção derivado do scan de segurança. Cada epic agrupa findings por tema; cada story rastreia os findings de origem. Prioridade vem da severidade (P0 = Critical/High, P1 = Medium, P2 = Low/informativo).');
+  lines.push('');
+  lines.push(`> **Próximo passo:** rode \`${CTA_COMMAND}\` para transformar este backlog em stories formais.`);
+  lines.push('');
+
+  // Action plan summary (from AI insights) — the executive framing.
+  if (actionPlan && actionPlan.length) {
+    lines.push('## Plano de ação (resumo)');
+    lines.push('');
+    for (const a of actionPlan) {
+      lines.push(`- **[${escapeMd(a.priority)}] ${escapeMd(a.title)}** — ${escapeMd(a.detail)}`);
+    }
+    lines.push('');
+  }
+
+  // Build a lookup from action plan title keywords to attach detail to epics.
+  const planByTheme = {};
+  for (const a of (actionPlan || [])) planByTheme[(a.title || '').toLowerCase()] = a;
+
+  const actionable = groups.filter(g => g.worstSeverity !== 'Info-surface' || g.priority !== 'P2' ? true : true);
+
+  if (groups.length === 0) {
+    lines.push('## (sem itens)');
+    lines.push('');
+    lines.push('_Nenhum finding acionável neste scan — no actionable findings._');
+    return lines.join('\n');
+  }
+
+  // One epic per group.
+  let epicN = 0;
+  for (const g of groups) {
+    epicN++;
+    const est = estimateFor(g.count);
+    // Find a matching action-plan detail by theme keyword overlap.
+    let planDetail = '';
+    for (const [title, a] of Object.entries(planByTheme)) {
+      const key = g.section;
+      if (title.includes(key) || (key === 'secrets' && title.includes('segredo')) ||
+          (key === 'deps' && (title.includes('depend') || title.includes('dep'))) ||
+          (key === 'tech' && title.includes('fingerprint'))) {
+        planDetail = a.detail; break;
+      }
+    }
+    lines.push(`## Epic ${String(epicN).padStart(2, '0')}: ${g.theme} [${g.priority}]`);
+    lines.push('');
+    lines.push(`- **Prioridade:** ${g.priority} (pior severidade: ${g.worstSeverity})`);
+    lines.push(`- **Findings cobertos:** ${g.count}`);
+    if (g.owasp) lines.push(`- **OWASP:** ${g.owasp}`);
+    lines.push(`- **Estimativa:** ${est}`);
+    if (planDetail) lines.push(`- **Como corrigir:** ${planDetail}`);
+    lines.push('');
+    lines.push('### Stories');
+    lines.push('');
+    // For large groups, a single remediation story + a verification story.
+    lines.push(`- **${g.theme}** (${g.priority}, est ${est}) — corrigir os ${g.count} finding(s) de \`${g.section}\`. _Origem: ${g.section} (${g.count} findings, ${g.worstSeverity})._`);
+    lines.push(`- **Verificar correção de ${g.section}** (${g.priority}, est S) — re-rodar \`/wize-sec-pentest\` e confirmar que os findings de \`${g.section}\` sumiram (DoD).`);
+    lines.push('');
+    // Sample of source findings for traceability (cap at 5).
+    const sample = g.findings.slice(0, 5);
+    lines.push('<details><summary>Findings de origem (amostra)</summary>');
+    lines.push('');
+    for (const f of sample) {
+      lines.push(`- ${escapeMd(f.raw)}`);
+    }
+    if (g.findings.length > sample.length) {
+      lines.push(`- _… e mais ${g.findings.length - sample.length}._`);
+    }
+    lines.push('');
+    lines.push('</details>');
+    lines.push('');
+  }
+
+  return lines.join('\n');
+}
+
+module.exports = { buildBacklog, priorityFor, estimateFor, groupFindings, CTA_COMMAND };

package/src/security-overlay/skills/wize-sec-pentest/scripts/run-pipeline.js

@@ -147,6 +147,16 @@ async function main() {
   if (result.skipped.length) {
     console.log(`! skipped: ${result.skipped.join(', ')}`);
   }
+  // Next-step CTA: turn the findings into a remediation sprint. The overlay
+  // never invokes a skill itself (zero runtime própio) — it prints the exact
+  // command for the user/agent to run.
+  try {
+    const { CTA_COMMAND } = require('../../../_shared/backlog.js');
+    console.log('');
+    console.log('→ Backlog de correção gerado em .wize/security/security-backlog.md');
+    console.log('→ Próximo passo — planejar a sprint de correção, rode:');
+    console.log(`    ${CTA_COMMAND}`);
+  } catch (_) { /* backlog module optional */ }
   process.exit(result.ok ? 0 : 1);
 }
 

package/src/security-overlay/skills/wize-sec-report/scripts/render-report.js

@@ -470,15 +470,36 @@ function renderReport({ securityDir } = {}) {
     lines.push('');
   }
 
+  // Next step CTA — turn findings into a remediation sprint.
+  {
+    const { CTA_COMMAND } = require('../../../_shared/backlog.js');
+    lines.push('## Próximo passo — planejar a correção');
+    lines.push('');
+    lines.push('Um backlog de remediação foi gerado em `.wize/security/security-backlog.md` (epics/stories priorizados a partir destes findings).');
+    lines.push('');
+    lines.push('Para transformá-lo em uma sprint formal, rode:');
+    lines.push('');
+    lines.push('```');
+    lines.push(CTA_COMMAND);
+    lines.push('```');
+    lines.push('');
+  }
+
   // Final newline + deterministic timestamp is the only line that
   // changes between runs in tests; the rest of the report is stable.
   const reportPath = path.join(sec, 'report.md');
   fs.writeFileSync(reportPath, lines.join('\n'), 'utf8');
 
+  // Generate the remediation backlog (consumable by
+  // wize-create-epics-and-stories) from the same findings + AI action plan.
+  const { buildBacklog, CTA_COMMAND } = require('../../../_shared/backlog.js');
+  const backlogMd = buildBacklog({ findings: allFindings, actionPlan, scopeSha, generatedAt });
+  fs.writeFileSync(path.join(sec, 'security-backlog.md'), backlogMd, 'utf8');
+
   // Also generate the HTML report (self-contained, no remote refs).
-  renderReportHtml({ securityDir: sec, phaseSummaries, allFindings, refusals, generatedAt, scopeSha, risk, coverage, briefing, actionPlan });
+  renderReportHtml({ securityDir: sec, phaseSummaries, allFindings, refusals, generatedAt, scopeSha, risk, coverage, briefing, actionPlan, ctaCommand: CTA_COMMAND });
 
-  return { ok: true, findings: allFindings.length };
+  return { ok: true, findings: allFindings.length, backlog: 'security-backlog.md', cta: CTA_COMMAND };
 }
 
 // --- HTML report -------------------------------------------------------
@@ -744,10 +765,17 @@ footer.site code { background: var(--code-bg); padding: 1px 6px; border-radius:
 .card .rec { margin: .75rem 0 0; padding: .6rem .8rem; background: var(--owasp-bg); border-radius: var(--radius-sm); font-size: .85rem; color: var(--fg); }
 .card .rec strong { color: var(--owasp); }
 
+/* Call to action — next-step sprint planning */
+.cta { background: var(--bg-elev); border: 1px solid var(--accent); border-radius: var(--radius); padding: 1rem 1.25rem; }
+.cta h2 { margin: 0 0 .5rem; font-size: 1.05rem; color: var(--accent); }
+.cta p { margin: 0 0 .5rem; font-size: .92rem; }
+.cta .cta-cmd { background: var(--code-bg); border: 1px dashed var(--accent); border-radius: var(--radius-sm); padding: .75rem 1rem; margin: 0; overflow-x: auto; }
+.cta .cta-cmd code { font-family: ui-monospace, "SF Mono", Menlo, monospace; color: var(--fg); user-select: all; }
+
 @media print {
   header.site { position: static; }
   .skip-link, .filters { display: none; }
-  .card, .risk-banner, .briefing, .action-plan .plan li { break-inside: avoid; box-shadow: none; border-color: #888; }
+  .card, .risk-banner, .briefing, .action-plan .plan li, .cta { break-inside: avoid; box-shadow: none; border-color: #888; }
 }
 `;
 
@@ -760,13 +788,14 @@ function escapeHtml(s) {
     .replace(/'/g, ''');
 }
 
-function renderReportHtml({ securityDir, phaseSummaries, allFindings, refusals, generatedAt, scopeSha, risk, coverage, briefing, actionPlan }) {
+function renderReportHtml({ securityDir, phaseSummaries, allFindings, refusals, generatedAt, scopeSha, risk, coverage, briefing, actionPlan, ctaCommand }) {
   const sec = securityDir;
   const title = `Security Report — ${scopeSha ? scopeSha.slice(0, 12) : 'unknown'}`;
   risk = risk || computeRisk(allFindings);
   coverage = coverage || computeCoverage(loadPartial, sec);
   briefing = briefing || heuristicBriefing(risk, coverage, allFindings);
   actionPlan = (actionPlan && actionPlan.length) ? actionPlan : heuristicActionPlan(allFindings, coverage);
+  ctaCommand = ctaCommand || require('../../../_shared/backlog.js').CTA_COMMAND;
 
   // Severity counts (for sticky header). 'Info-surface' is folded into a
   // dedicated "surface" bucket so the stakeholder header isn't dominated by
@@ -949,6 +978,11 @@ ${actionPlan.map(a => `      <li class="prio-${escapeHtml((a.priority||'').toLow
     `    <div class="findings">${findingsHtml}</div>`,
     `  </section>`,
     refusalsHtml,
+    `  <section class="cta" aria-labelledby="cta-h">
+    <h2 id="cta-h">Próximo passo — planejar a correção</h2>
+    <p>Um backlog de remediação foi gerado em <code>.wize/security/security-backlog.md</code> (epics/stories priorizados a partir destes findings). Para transformá-lo em uma sprint formal, rode:</p>
+    <pre class="cta-cmd"><code>${escapeHtml(ctaCommand)}</code></pre>
+  </section>`,
     `</main>`,
     `<footer class="site" role="contentinfo">`,
     `  <p>Gerado por <code>wize-sec-report</code> (overlay <code>security-overlay</code>) · Self-contained (sem refs remotas) · CSS inline · Default: dark mode.</p>`,