更新: 558 个文件 - 2026-03-17 21:15:02

2026-03-17 21:15:03 -07:00
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2022-31151"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2022-31151",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2022-31151"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2022-31151"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:02:36 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2022-31151"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2022-31151-20260318040233</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2022-31151</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:02:33+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2022-31151</td></tr>
+<tr><td><code>2026-03-18T04:02:33+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:02:33+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:02:36+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:02:36+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:02:36+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:36+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:02:36+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:36+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:02:37+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:02:37+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2022-31151-20260318040233</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2022-31151-20260318040233
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2022-31151`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:02:33+00:00`
+- 完成时间: `2026-03-18T04:02:37+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:02:33+00:00` | `select-advisory` | `completed` | undici--CVE-2022-31151 |
+| `2026-03-18T04:02:33+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:02:33+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:02:36+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:02:36+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:02:36+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:02:36+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:02:36+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:02:36+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:02:37+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:02:37+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2022-31151-20260318040233 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2022-31151-20260318040233",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2022-31151",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:02:33+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2022-31151"
+    },
+    {
+      "at": "2026-03-18T04:02:33+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:02:33+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:02:36+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:02:36+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:02:36+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:36+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:02:36+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:36+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:02:37+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:02:37+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2022-31151-20260318040233"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:02:33+00:00",
+  "finished_at": "2026-03-18T04:02:37+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318040233/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2022-32210"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2022-32210",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2022-32210"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2022-32210"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:02:40 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2022-32210"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2022-32210-20260318040238</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2022-32210</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:02:38+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2022-32210</td></tr>
+<tr><td><code>2026-03-18T04:02:38+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:02:38+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:02:40+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:02:40+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:02:40+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:40+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:02:40+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:41+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:02:42+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:02:42+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2022-32210-20260318040238</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2022-32210-20260318040238
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2022-32210`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:02:38+00:00`
+- 完成时间: `2026-03-18T04:02:42+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:02:38+00:00` | `select-advisory` | `completed` | undici--CVE-2022-32210 |
+| `2026-03-18T04:02:38+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:02:38+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:02:40+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:02:40+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:02:40+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:02:40+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:02:40+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:02:41+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:02:42+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:02:42+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2022-32210-20260318040238 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2022-32210-20260318040238",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2022-32210",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:02:38+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2022-32210"
+    },
+    {
+      "at": "2026-03-18T04:02:38+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:02:38+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:02:40+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:02:40+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:02:40+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:40+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:02:40+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:41+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:02:42+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:02:42+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2022-32210-20260318040238"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:02:38+00:00",
+  "finished_at": "2026-03-18T04:02:42+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2022-32210-20260318040238/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2023-45143"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2023-45143",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2023-45143"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2023-45143"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:02:45 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2023-45143"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2023-45143-20260318040242</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2023-45143</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:02:42+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2023-45143</td></tr>
+<tr><td><code>2026-03-18T04:02:42+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:02:42+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:02:45+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:02:45+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:02:45+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:45+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:02:45+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:45+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:02:46+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:02:46+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2023-45143-20260318040242</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2023-45143-20260318040242
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2023-45143`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:02:42+00:00`
+- 完成时间: `2026-03-18T04:02:46+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:02:42+00:00` | `select-advisory` | `completed` | undici--CVE-2023-45143 |
+| `2026-03-18T04:02:42+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:02:42+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:02:45+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:02:45+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:02:45+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:02:45+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:02:45+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:02:45+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:02:46+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:02:46+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2023-45143-20260318040242 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2023-45143-20260318040242",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2023-45143",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:02:42+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2023-45143"
+    },
+    {
+      "at": "2026-03-18T04:02:42+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:02:42+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:02:45+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:02:45+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:02:45+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:45+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:02:45+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:45+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:02:46+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:02:46+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2023-45143-20260318040242"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:02:42+00:00",
+  "finished_at": "2026-03-18T04:02:46+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2023-45143-20260318040242/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2024-30260"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2024-30260",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2024-30260"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2024-30260"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:02:49 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2024-30260"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2024-30260-20260318040247</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2024-30260</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:02:47+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2024-30260</td></tr>
+<tr><td><code>2026-03-18T04:02:47+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:02:47+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:02:49+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:02:49+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:02:49+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:49+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:02:49+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:50+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:02:51+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:02:51+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2024-30260-20260318040247</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2024-30260-20260318040247
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2024-30260`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:02:47+00:00`
+- 完成时间: `2026-03-18T04:02:51+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:02:47+00:00` | `select-advisory` | `completed` | undici--CVE-2024-30260 |
+| `2026-03-18T04:02:47+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:02:47+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:02:49+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:02:49+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:02:49+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:02:49+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:02:49+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:02:50+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:02:51+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:02:51+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2024-30260-20260318040247 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2024-30260-20260318040247",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2024-30260",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:02:47+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2024-30260"
+    },
+    {
+      "at": "2026-03-18T04:02:47+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:02:47+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:02:49+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:02:49+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:02:49+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:49+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:02:49+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:50+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:02:51+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:02:51+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2024-30260-20260318040247"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:02:47+00:00",
+  "finished_at": "2026-03-18T04:02:51+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30260-20260318040247/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2024-30261"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2024-30261",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2024-30261"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2024-30261"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:02:54 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2024-30261"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2024-30261-20260318040251</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2024-30261</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:02:51+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2024-30261</td></tr>
+<tr><td><code>2026-03-18T04:02:51+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:02:51+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:02:54+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:02:54+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:02:54+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:54+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:02:54+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:54+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:02:56+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:02:56+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2024-30261-20260318040251</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2024-30261-20260318040251
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2024-30261`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:02:51+00:00`
+- 完成时间: `2026-03-18T04:02:56+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:02:51+00:00` | `select-advisory` | `completed` | undici--CVE-2024-30261 |
+| `2026-03-18T04:02:51+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:02:51+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:02:54+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:02:54+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:02:54+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:02:54+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:02:54+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:02:54+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:02:56+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:02:56+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2024-30261-20260318040251 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2024-30261-20260318040251",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2024-30261",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:02:51+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2024-30261"
+    },
+    {
+      "at": "2026-03-18T04:02:51+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:02:51+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:02:54+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:02:54+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:02:54+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:54+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:02:54+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:54+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:02:56+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:02:56+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2024-30261-20260318040251"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:02:51+00:00",
+  "finished_at": "2026-03-18T04:02:56+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2024-30261-20260318040251/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2025-22150"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2025-22150",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2025-22150"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2025-22150"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:02:58 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2025-22150"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2025-22150-20260318040256</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2025-22150</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:02:56+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2025-22150</td></tr>
+<tr><td><code>2026-03-18T04:02:56+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:02:56+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:02:58+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:02:58+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:02:58+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:58+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:02:58+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:02:59+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:03:00+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:03:00+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2025-22150-20260318040256</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2025-22150-20260318040256
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2025-22150`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:02:56+00:00`
+- 完成时间: `2026-03-18T04:03:00+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:02:56+00:00` | `select-advisory` | `completed` | undici--CVE-2025-22150 |
+| `2026-03-18T04:02:56+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:02:56+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:02:58+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:02:58+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:02:58+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:02:58+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:02:58+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:02:59+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:03:00+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:03:00+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2025-22150-20260318040256 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2025-22150-20260318040256",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2025-22150",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:02:56+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2025-22150"
+    },
+    {
+      "at": "2026-03-18T04:02:56+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:02:56+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:02:58+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:02:58+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:02:58+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:58+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:02:58+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:02:59+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:03:00+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:03:00+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2025-22150-20260318040256"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:02:56+00:00",
+  "finished_at": "2026-03-18T04:03:00+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-22150-20260318040256/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2025-47279"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2025-47279",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2025-47279"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2025-47279"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:03:03 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2025-47279"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2025-47279-20260318040300</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2025-47279</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:03:00+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2025-47279</td></tr>
+<tr><td><code>2026-03-18T04:03:00+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:03:00+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:03:03+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:03:03+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:03:03+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:03:03+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:03:03+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:03:03+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:03:04+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:03:04+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2025-47279-20260318040300</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2025-47279-20260318040300
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2025-47279`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:03:00+00:00`
+- 完成时间: `2026-03-18T04:03:04+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:03:00+00:00` | `select-advisory` | `completed` | undici--CVE-2025-47279 |
+| `2026-03-18T04:03:00+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:03:00+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:03:03+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:03:03+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:03:03+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:03:03+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:03:03+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:03:03+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:03:04+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:03:04+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2025-47279-20260318040300 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2025-47279-20260318040300",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2025-47279",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:03:00+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2025-47279"
+    },
+    {
+      "at": "2026-03-18T04:03:00+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:03:00+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:03:03+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:03:03+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:03:03+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:03:03+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:03:03+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:03:03+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:03:04+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:03:04+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2025-47279-20260318040300"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:03:00+00:00",
+  "finished_at": "2026-03-18T04:03:04+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2025-47279-20260318040300/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2026-1525"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2026-1525",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2026-1525"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2026-1525"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:03:07 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2026-1525"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2026-1525-20260318040304</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2026-1525</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:03:04+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2026-1525</td></tr>
+<tr><td><code>2026-03-18T04:03:04+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:03:05+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:03:07+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:03:07+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:03:07+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:03:07+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:03:07+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:03:08+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:03:09+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:03:09+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2026-1525-20260318040304</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2026-1525-20260318040304
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2026-1525`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:03:04+00:00`
+- 完成时间: `2026-03-18T04:03:09+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:03:04+00:00` | `select-advisory` | `completed` | undici--CVE-2026-1525 |
+| `2026-03-18T04:03:04+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:03:05+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:03:07+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:03:07+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:03:07+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:03:07+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:03:07+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:03:08+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:03:09+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:03:09+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2026-1525-20260318040304 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2026-1525-20260318040304",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2026-1525",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:03:04+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2026-1525"
+    },
+    {
+      "at": "2026-03-18T04:03:04+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:03:05+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:03:07+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:03:07+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:03:07+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:03:07+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:03:07+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:03:08+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:03:09+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:03:09+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2026-1525-20260318040304"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:03:04+00:00",
+  "finished_at": "2026-03-18T04:03:09+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1525-20260318040304/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/attack.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2026-1526"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "undici--CVE-2026-1526",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "undici--CVE-2026-1526"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=undici--CVE-2026-1526"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/baseline.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/baseline.json
@@ -0,0 +1,25 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200,
+      "headers": {
+        "content-type": "text/html; charset=utf-8",
+        "content-length": "988",
+        "Date": "Wed, 18 Mar 2026 04:03:12 GMT",
+        "Connection": "keep-alive",
+        "Keep-Alive": "timeout=5"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px;"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Undici SSRF Fixture</title>\n  <style>\n    body { fon"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/docker/app.log
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/docker/app.log
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/doctor.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "undici-ssrf",
+          "service": "app",
+          "binding": "18301:3000",
+          "port": 18301
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "undici-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/ready.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18301/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/seed.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "undici--CVE-2026-1526"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/report.html
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 undici-undici--CVE-2026-1526-20260318040309</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>undici--CVE-2026-1526</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>undici-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T04:03:09+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>undici--CVE-2026-1526</td></tr>
+<tr><td><code>2026-03-18T04:03:09+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>undici-ssrf</td></tr>
+<tr><td><code>2026-03-18T04:03:09+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T04:03:12+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T04:03:12+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T04:03:12+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:03:12+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T04:03:12+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T04:03:12+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T04:03:14+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T04:03:14+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>undici-undici--CVE-2026-1526-20260318040309</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>undici.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/report.md
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/report.md
@@ -0,0 +1,66 @@
+# 运行 undici-undici--CVE-2026-1526-20260318040309
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `undici--CVE-2026-1526`
+- 系统: `undici`
+- Repro Profile: `undici-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T04:03:09+00:00`
+- 完成时间: `2026-03-18T04:03:14+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T04:03:09+00:00` | `select-advisory` | `completed` | undici--CVE-2026-1526 |
+| `2026-03-18T04:03:09+00:00` | `resolve-repro-profile` | `completed` | undici-ssrf |
+| `2026-03-18T04:03:09+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T04:03:12+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T04:03:12+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T04:03:12+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T04:03:12+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T04:03:12+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T04:03:12+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T04:03:14+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T04:03:14+00:00` | `update-registry-and-reports` | `completed` | undici-undici--CVE-2026-1526-20260318040309 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `undici.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/run.json
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "undici-undici--CVE-2026-1526-20260318040309",
+  "system_id": "undici",
+  "advisory_id": "undici--CVE-2026-1526",
+  "repro_profile_id": "undici-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "undici.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T04:03:09+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "undici--CVE-2026-1526"
+    },
+    {
+      "at": "2026-03-18T04:03:09+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "undici-ssrf"
+    },
+    {
+      "at": "2026-03-18T04:03:09+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T04:03:12+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T04:03:12+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T04:03:12+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:03:12+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T04:03:12+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T04:03:12+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T04:03:14+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T04:03:14+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "undici-undici--CVE-2026-1526-20260318040309"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T04:03:09+00:00",
+  "finished_at": "2026-03-18T04:03:14+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/timeline.mmd
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1526-20260318040309/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/undici-undici--CVE-2026-1527-20260318040314/compose/compose.yaml
+++ b/06-case-studies/generated-runs/undici-undici--CVE-2026-1527-20260318040314/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: node:22-alpine
+    networks:
+    - labnet
+    ports:
+    - 18301:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - node
+    - /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/显示更多
+++ b/显示更多