diff --git a/00-environments/catalog/systems/adminer.yaml b/00-environments/catalog/systems/adminer.yaml new file mode 100644 index 00000000..446fbad4 --- /dev/null +++ b/00-environments/catalog/systems/adminer.yaml @@ -0,0 +1,26 @@ +system_id: adminer +display_name: Adminer +category: platforms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18136:80 +source_reference: +- name: NVD Adminer + kind: nvd-search + keyword: Adminer + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/adobe-commerce.yaml b/00-environments/catalog/systems/adobe-commerce.yaml new file mode 100644 index 00000000..6bc64f8e --- /dev/null +++ b/00-environments/catalog/systems/adobe-commerce.yaml @@ -0,0 +1,36 @@ +system_id: adobe-commerce +display_name: Adobe Commerce +category: ecommerce +tier: history-full +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18795:80 +source_reference: +- name: Adobe Security Bulletins + kind: html-links + url: https://helpx.adobe.com/security/products/magento.html + confidence: official + advisory_mode: core + keywords: + - adobe commerce + - magento + - apsb + max_items: 60 +- name: NVD Adobe Commerce + kind: nvd-search + keyword: Adobe Commerce + confidence: official + advisory_mode: core + results_per_page: 50 diff --git a/00-environments/catalog/systems/angular.yaml b/00-environments/catalog/systems/angular.yaml new file mode 100644 index 00000000..8715e67d --- /dev/null 
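Review bot: `artifact_mode_preference` in adminer.yaml lists `synthetic` twice (first and third entries), so the fallback chain has a dead entry and it is unclear whether synthetic artifacts are really meant to outrank `official-source`; the server entries in this same commit use the three-way `official-image, official-source, synthetic` order. Drop the duplicate, or restore the intended order, e.g. `- official-source` followed by a single `- synthetic`. The service also points at `nginxdemos/hello:latest`, which is not Adminer and is a floating tag; if it is a deliberate stand-in, say so on the line so the catalog does not claim a repro target it cannot provide: `image: nginxdemos/hello:latest  # placeholder, not Adminer; replace before running a real repro`. The same duplicated list and placeholder image appear in most of the framework and platform entries in this commit, so this is presumably a generator default worth fixing at the source.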
+++ b/00-environments/catalog/systems/angular.yaml @@ -0,0 +1,29 @@ +system_id: angular +display_name: Angular +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18146:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV Angular + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/apache-httpd.yaml b/00-environments/catalog/systems/apache-httpd.yaml new file mode 100644 index 00000000..4ec9e751 --- /dev/null +++ b/00-environments/catalog/systems/apache-httpd.yaml @@ -0,0 +1,37 @@ +system_id: apache-httpd +display_name: Apache HTTP Server +category: servers +tier: history-full +artifact_mode_preference: +- official-image +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: false +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: httpd:2.4 + ports: + - 18087:80 +source_reference: +- name: Apache HTTPD Security + kind: html-links + url: https://httpd.apache.org/security/vulnerabilities_24.html + confidence: official + advisory_mode: server + keywords: + - apache + - http server + - cve + max_items: 80 +- name: CISA KEV Apache HTTPD + kind: kev-json + url: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json + confidence: official + advisory_mode: server + keywords: + - apache http server diff --git a/00-environments/catalog/systems/apache-tomcat.yaml b/00-environments/catalog/systems/apache-tomcat.yaml new file mode 100644 index 00000000..4f87a80c --- /dev/null 
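Review bot: The two `source_reference` entries in angular.yaml carry no package name — `ghsa-global` has only `ecosystem: npm` and `osv-batch` has nothing — so the collector presumably derives the package from `system_id: angular`. On npm the bare name `angular` is the legacy AngularJS 1.x package, while the framework this entry names ships as `@angular/core` and siblings, so a name-derived query would pull advisories for the wrong, end-of-life product. If the collector accepts an explicit package, set it (e.g. `package: "@angular/core"`); if not, a comment on the entry recording which npm package the lookup resolves to would make the mapping checkable. The other framework entries in this commit that use bare `ghsa-global`/`osv-batch` references have the same question.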
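Review bot: `image: httpd:2.4` in apache-httpd.yaml is a floating tag that resolves to the newest patched 2.4.x at pull time, yet the entry is `tier: history-full` with `official-image` as the first artifact preference, which presumably means historical CVEs are to be reproduced against this image. As written the default target will carry every listed fix, so a repro would silently run against a non-vulnerable build; pin the exact 2.4.x (or a digest) per advisory, or mark the tag as a runner-supplied input, e.g. `image: httpd:2.4  # floating; runner must override with the version under test`. The `kev-json` keyword `apache http server` also needs checking against how the collector matches: the KEV feed keeps `vendorProject` (`Apache`) and `product` (`HTTP Server`) in separate fields, so a single-field substring match would never hit.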
+++ b/00-environments/catalog/systems/apache-tomcat.yaml @@ -0,0 +1,36 @@ +system_id: apache-tomcat +display_name: Apache Tomcat +category: servers +tier: history-full +artifact_mode_preference: +- official-image +- official-source +- synthetic +default_repro_family: authz-bypass-generic +browser_required_default: false +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: tomcat:10.1 + ports: + - 18088:8080 +source_reference: +- name: Apache Tomcat Security + kind: html-links + url: https://tomcat.apache.org/security-10.html + confidence: official + advisory_mode: server + keywords: + - tomcat + - cve + max_items: 80 +- name: CISA KEV Tomcat + kind: kev-json + url: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json + confidence: official + advisory_mode: server + keywords: + - tomcat diff --git a/00-environments/catalog/systems/aspnet-core.yaml b/00-environments/catalog/systems/aspnet-core.yaml new file mode 100644 index 00000000..9033be5d --- /dev/null +++ b/00-environments/catalog/systems/aspnet-core.yaml @@ -0,0 +1,26 @@ +system_id: aspnet-core +display_name: ASP.NET Core +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18521:80 +source_reference: +- name: NVD ASP.NET Core + kind: nvd-search + keyword: ASP.NET Core + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/astro.yaml b/00-environments/catalog/systems/astro.yaml new file mode 100644 index 00000000..49059a45 --- /dev/null +++ b/00-environments/catalog/systems/astro.yaml 
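Review bot: `ports: - 18088:8080` in apache-tomcat.yaml has no host address, so if the catalog is rendered into a compose `ports` entry unchanged Docker publishes it on all interfaces, and the same holds for every `ports` entry in this commit. For a lab whose purpose is to run deliberately vulnerable builds (Tomcat, Drupal, Joomla, Gitea), bind the published port to loopback unless remote access is a requirement: `- 127.0.0.1:18088:8080`. If the runner already applies a host address or an isolated network, a comment on the `ports` key saying so would stop reviewers re-raising this.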
@@ -0,0 +1,29 @@ +system_id: astro +display_name: Astro +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: authz-bypass-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18653:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV Astro + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/caddy.yaml b/00-environments/catalog/systems/caddy.yaml new file mode 100644 index 00000000..63a88cd5 --- /dev/null +++ b/00-environments/catalog/systems/caddy.yaml @@ -0,0 +1,32 @@ +system_id: caddy +display_name: Caddy +category: servers +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: false +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18617:80 +source_reference: +- name: GitHub Caddy Advisories + kind: html-links + url: https://github.com/caddyserver/caddy/security/advisories + confidence: official + advisory_mode: server + keywords: + - caddy + max_items: 50 +- name: OSV Caddy + kind: osv-batch + confidence: official + advisory_mode: server diff --git a/00-environments/catalog/systems/directus.yaml b/00-environments/catalog/systems/directus.yaml new file mode 100644 index 00000000..f661f2e8 --- /dev/null +++ b/00-environments/catalog/systems/directus.yaml 
@@ -0,0 +1,32 @@ +system_id: directus +display_name: Directus +category: cms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: file-upload-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18267:80 +source_reference: +- name: Directus GitHub Advisories + kind: html-links + url: https://github.com/directus/directus/security/advisories + confidence: official + advisory_mode: core + keywords: + - directus + max_items: 50 +- name: OSV Directus + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/discourse.yaml b/00-environments/catalog/systems/discourse.yaml new file mode 100644 index 00000000..98bd90da --- /dev/null +++ b/00-environments/catalog/systems/discourse.yaml @@ -0,0 +1,37 @@ +system_id: discourse +display_name: Discourse +category: cms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18377:80 +source_reference: +- name: Discourse Meta Security + kind: html-links + url: https://meta.discourse.org/c/bug/security/40 + confidence: official + advisory_mode: core + keywords: + - discourse + - security + max_items: 50 +- name: GitHub Discourse Advisories + kind: html-links + url: https://github.com/discourse/discourse/security/advisories + confidence: official + advisory_mode: core + keywords: + - discourse + max_items: 50 diff --git a/00-environments/catalog/systems/django.yaml b/00-environments/catalog/systems/django.yaml new file mode 100644 index 00000000..6e178ccc --- /dev/null +++ b/00-environments/catalog/systems/django.yaml 
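Review bot: In discourse.yaml the `Discourse Meta Security` reference lists `security` as a keyword for a page whose URL is already the security category, so if keywords are OR-matched the filter accepts every link on the page — navigation, profiles, pagination — not just advisories, and if they are AND-matched the word appears in page chrome and adds nothing. Drop it and keep `- discourse`, or add a term that only advisory titles carry. The same generic terms (`security`, `cve`) appear in several other entries in this commit (httpd, tomcat, drupal, joomla, haproxy, mediawiki, moodle, nginx, nodejs), so the collector's matching semantics are worth confirming once and the keyword lists fixed together.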
@@ -0,0 +1,32 @@ +system_id: django +display_name: Django +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18727:80 +source_reference: +- name: Django Security RSS + kind: rss-feed + url: https://www.djangoproject.com/weblog/feeds/tags/security/ + confidence: official + advisory_mode: core + keywords: + - django + max_items: 60 +- name: OSV Django + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/drupal.yaml b/00-environments/catalog/systems/drupal.yaml new file mode 100644 index 00000000..62b37c24 --- /dev/null +++ b/00-environments/catalog/systems/drupal.yaml @@ -0,0 +1,42 @@ +system_id: drupal +display_name: Drupal +category: cms +tier: history-full +artifact_mode_preference: +- official-image +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: drupal:10-apache + ports: + - 18081:80 + db: + image: postgres:15 + environment: + POSTGRES_DB: drupal + POSTGRES_USER: drupal + POSTGRES_PASSWORD: drupal +source_reference: +- name: Drupal Security Advisories RSS + kind: rss-feed + url: https://www.drupal.org/security/rss.xml + confidence: official + advisory_mode: core + keywords: + - drupal + - sa-core + - security + max_items: 60 +- name: NVD Drupal + kind: nvd-search + keyword: Drupal + confidence: official + advisory_mode: core + results_per_page: 50 diff --git a/00-environments/catalog/systems/echo.yaml b/00-environments/catalog/systems/echo.yaml new file mode 100644 index 00000000..4f819783 --- /dev/null +++ b/00-environments/catalog/systems/echo.yaml 
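Review bot: drupal.yaml defines a `db` service with `POSTGRES_PASSWORD: drupal`, but nothing in the `app` service references it — no database host or credential environment and no `depends_on` — so unless the runner wires services together by convention the Drupal installer has no way to reach `db` and the repro stalls at setup. Lab credentials in a catalog file are acceptable, but label them so nobody copies them somewhere reachable, e.g. `POSTGRES_PASSWORD: drupal  # lab-only; db is not published`. `drupal:10-apache` is also a floating tag in a `history-full` entry, so the default target is always the newest 10.x rather than the build an advisory applies to.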
@@ -0,0 +1,24 @@ +system_id: echo +display_name: Echo +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18515:80 +source_reference: +- name: OSV Echo + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/esbuild.yaml b/00-environments/catalog/systems/esbuild.yaml new file mode 100644 index 00000000..a43283e9 --- /dev/null +++ b/00-environments/catalog/systems/esbuild.yaml @@ -0,0 +1,29 @@ +system_id: esbuild +display_name: esbuild +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: file-upload-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18144:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV esbuild + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/express.yaml b/00-environments/catalog/systems/express.yaml new file mode 100644 index 00000000..52860f6d --- /dev/null +++ b/00-environments/catalog/systems/express.yaml 
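Review bot: echo.yaml's only source is `OSV Echo` with `kind: osv-batch` and neither an ecosystem nor a package, so the query presumably comes from `system_id: echo`; that bare name may exist in other ecosystems, while the Go framework this entry describes is a `github.com/labstack/...` module in OSV's `Go` ecosystem. Set the ecosystem the way the `ghsa-global` entries elsewhere in this commit do (`ecosystem: npm` / `pip` / `composer`), e.g. `ecosystem: Go`, and give the module path if the collector accepts one. gin.yaml later in this commit has the identical shape. With a single source and no vendor feed there is also nothing to cross-check OSV against, which sits oddly with `confidence: official`.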
@@ -0,0 +1,29 @@ +system_id: express +display_name: Express +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18178:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV Express + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/fastify.yaml b/00-environments/catalog/systems/fastify.yaml new file mode 100644 index 00000000..b451c929 --- /dev/null +++ b/00-environments/catalog/systems/fastify.yaml @@ -0,0 +1,29 @@ +system_id: fastify +display_name: Fastify +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18158:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV Fastify + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/flask.yaml b/00-environments/catalog/systems/flask.yaml new file mode 100644 index 00000000..7ce8a7d8 --- /dev/null +++ b/00-environments/catalog/systems/flask.yaml 
@@ -0,0 +1,29 @@ +system_id: flask +display_name: Flask +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18629:80 +source_reference: +- name: OSV Flask + kind: osv-batch + confidence: official + advisory_mode: core +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: pip + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/ghost.yaml b/00-environments/catalog/systems/ghost.yaml new file mode 100644 index 00000000..35cb3366 --- /dev/null +++ b/00-environments/catalog/systems/ghost.yaml @@ -0,0 +1,34 @@ +system_id: ghost +display_name: Ghost +category: cms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18649:80 +source_reference: +- name: Ghost GitHub Advisories + kind: html-links + url: https://github.com/TryGhost/Ghost/security/advisories + confidence: official + advisory_mode: core + keywords: + - ghost + max_items: 50 +- name: NVD Ghost + kind: nvd-search + keyword: Ghost CMS + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/gin.yaml b/00-environments/catalog/systems/gin.yaml new file mode 100644 index 00000000..7e3f9894 --- /dev/null +++ b/00-environments/catalog/systems/gin.yaml 
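Review bot: `keyword: Ghost CMS` in ghost.yaml's NVD reference requires both words to appear in a CVE description; NVD's keyword search matches every term, and Ghost advisories often describe the product as just "Ghost" or a publishing platform rather than "Ghost CMS", so this likely misses entries, while the bare keyword `Ghost` would over-match. Compare the hit count against the GitHub advisory source listed above it before relying on this, and record the outcome on the line, e.g. `keyword: Ghost CMS  # verified N hits vs GHSA on <date>`. If the collector supports NVD's CPE-scoped search, that would be the precise form for a product with a generic name.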
@@ -0,0 +1,24 @@ +system_id: gin +display_name: Gin +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18418:80 +source_reference: +- name: OSV Gin + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/gitea.yaml b/00-environments/catalog/systems/gitea.yaml new file mode 100644 index 00000000..275f85b5 --- /dev/null +++ b/00-environments/catalog/systems/gitea.yaml @@ -0,0 +1,32 @@ +system_id: gitea +display_name: Gitea +category: platforms +tier: rolling-24m +artifact_mode_preference: +- official-image +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: gitea/gitea:1.22.6 + ports: + - 18085:3000 +source_reference: +- name: GitHub Gitea Advisories + kind: html-links + url: https://github.com/go-gitea/gitea/security/advisories + confidence: official + advisory_mode: core + keywords: + - gitea + max_items: 50 +- name: OSV Gitea + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/gitlab-ce.yaml b/00-environments/catalog/systems/gitlab-ce.yaml new file mode 100644 index 00000000..ec03a4e2 --- /dev/null +++ b/00-environments/catalog/systems/gitlab-ce.yaml 
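Review bot: gitea.yaml publishes `18085:3000` with no host address, and a fresh `gitea/gitea` container normally boots into its first-run installer, where whoever reaches the page chooses the database and creates the first administrator; if the catalog renders this into compose `ports` unchanged, anyone on the lab host's network can claim the instance before the harness does. Bind to loopback (`- 127.0.0.1:18085:3000`) or pre-seed the installation through the image's environment so the installer never runs. The pinned `1.22.6` tag is the right choice for a repro target and contrasts with the floating tags used by most other entries in this commit.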
@@ -0,0 +1,35 @@ +system_id: gitlab-ce +display_name: GitLab CE +category: platforms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: deserialization-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18272:80 +source_reference: +- name: GitLab Security Releases + kind: html-links + url: https://about.gitlab.com/releases/categories/releases/ + confidence: official + advisory_mode: core + keywords: + - security release + - gitlab + max_items: 50 +- name: NVD GitLab + kind: nvd-search + keyword: GitLab CE + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/grafana.yaml b/00-environments/catalog/systems/grafana.yaml new file mode 100644 index 00000000..777c9572 --- /dev/null +++ b/00-environments/catalog/systems/grafana.yaml @@ -0,0 +1,35 @@ +system_id: grafana +display_name: Grafana +category: platforms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18120:80 +source_reference: +- name: Grafana Security Advisories + kind: html-links + url: https://grafana.com/security/security-advisories/ + confidence: official + advisory_mode: core + keywords: + - grafana + max_items: 60 +- name: CISA KEV Grafana + kind: kev-json + url: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json + confidence: official + advisory_mode: core + keywords: + - grafana diff --git a/00-environments/catalog/systems/hapi.yaml b/00-environments/catalog/systems/hapi.yaml new file mode 100644 index 00000000..92a5a567 --- /dev/null 
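Review bot: The `GitLab Security Releases` reference in gitlab-ce.yaml points at the general releases listing (`/releases/categories/releases/`) and relies on the keyword `security release` to separate security posts from ordinary ones; that only works if titles consistently carry the phrase, and with `max_items: 50` on a listing that also carries monthly and patch releases the security posts can fall off the page. GitLab publishes security releases as their own post series — if the collector can take that listing, or GitLab's advisory database, it would be the cleaner source; otherwise raise `max_items` and note the assumption, e.g. `max_items: 50  # general feed; security posts filtered by title keyword`.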
+++ b/00-environments/catalog/systems/hapi.yaml @@ -0,0 +1,29 @@ +system_id: hapi +display_name: Hapi +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18518:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV Hapi + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/haproxy.yaml b/00-environments/catalog/systems/haproxy.yaml new file mode 100644 index 00000000..68a7e43b --- /dev/null +++ b/00-environments/catalog/systems/haproxy.yaml @@ -0,0 +1,35 @@ +system_id: haproxy +display_name: HAProxy +category: servers +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: false +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18179:80 +source_reference: +- name: HAProxy Security Advisories + kind: html-links + url: https://www.haproxy.org/security/ + confidence: official + advisory_mode: server + keywords: + - haproxy + - security + max_items: 50 +- name: NVD HAProxy + kind: nvd-search + keyword: HAProxy + confidence: official + advisory_mode: server + results_per_page: 40 diff --git a/00-environments/catalog/systems/jenkins.yaml b/00-environments/catalog/systems/jenkins.yaml new file mode 100644 index 00000000..054166fc --- /dev/null +++ b/00-environments/catalog/systems/jenkins.yaml 
@@ -0,0 +1,34 @@ +system_id: jenkins +display_name: Jenkins +category: platforms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: deserialization-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18154:80 +source_reference: +- name: Jenkins Security Advisories + kind: html-links + url: https://www.jenkins.io/security/advisories/ + confidence: official + advisory_mode: core + keywords: + - jenkins + max_items: 60 +- name: NVD Jenkins + kind: nvd-search + keyword: Jenkins + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/joomla.yaml b/00-environments/catalog/systems/joomla.yaml new file mode 100644 index 00000000..6d341ca4 --- /dev/null +++ b/00-environments/catalog/systems/joomla.yaml @@ -0,0 +1,42 @@ +system_id: joomla +display_name: Joomla +category: cms +tier: history-full +artifact_mode_preference: +- official-image +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: joomla:latest + ports: + - 18082:80 + db: + image: mariadb:10.11 + environment: + MARIADB_DATABASE: joomla + MARIADB_USER: joomla + MARIADB_PASSWORD: joomla + MARIADB_ROOT_PASSWORD: root +source_reference: +- name: Joomla Security Centre + kind: html-links + url: https://developer.joomla.org/security-centre.html + confidence: official + advisory_mode: core + keywords: + - joomla + - security + max_items: 50 +- name: NVD Joomla + kind: nvd-search + keyword: Joomla + confidence: official + advisory_mode: core + results_per_page: 50 diff --git a/00-environments/catalog/systems/kibana.yaml b/00-environments/catalog/systems/kibana.yaml new file mode 100644 index 00000000..94f8ece0 
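Review bot: joomla.yaml's `db` service sets `MARIADB_ROOT_PASSWORD: root` alongside the user-level credentials, and the `app` service carries no database environment, so as with the Drupal entry the two services are not connected unless the runner wires them by convention; the Joomla image reads its database settings from environment variables, so without them it will not find `db`. Drop the known root password if only the `joomla` user is needed — the mariadb image can generate one with `MARIADB_RANDOM_ROOT_PASSWORD: "1"` — and label the remaining credentials lab-only. `joomla:latest` is a floating tag in a `history-full` entry, so pin it to the version the repros actually target.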
--- /dev/null +++ b/00-environments/catalog/systems/kibana.yaml @@ -0,0 +1,36 @@ +system_id: kibana +display_name: Kibana +category: platforms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18714:80 +source_reference: +- name: Elastic Security Announcements + kind: html-links + url: https://discuss.elastic.co/c/announcements/security-announcements/31 + confidence: official + advisory_mode: core + keywords: + - kibana + - elastic + - security + max_items: 60 +- name: NVD Kibana + kind: nvd-search + keyword: Kibana + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/koa.yaml b/00-environments/catalog/systems/koa.yaml new file mode 100644 index 00000000..90bd4785 --- /dev/null +++ b/00-environments/catalog/systems/koa.yaml @@ -0,0 +1,29 @@ +system_id: koa +display_name: Koa +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18415:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV Koa + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/laravel.yaml b/00-environments/catalog/systems/laravel.yaml new file mode 100644 index 00000000..e4e9eb3c --- /dev/null +++ b/00-environments/catalog/systems/laravel.yaml 
@@ -0,0 +1,29 @@ +system_id: laravel +display_name: Laravel +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18143:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: composer + confidence: official + advisory_mode: core +- name: OSV Laravel + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/magento-open-source.yaml b/00-environments/catalog/systems/magento-open-source.yaml new file mode 100644 index 00000000..c124937f --- /dev/null +++ b/00-environments/catalog/systems/magento-open-source.yaml @@ -0,0 +1,34 @@ +system_id: magento-open-source +display_name: Magento Open Source +category: ecommerce +tier: history-full +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: file-upload-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18628:80 +source_reference: +- name: Magento GitHub Advisories + kind: html-links + url: https://github.com/magento/magento2/security/advisories + confidence: official + advisory_mode: core + keywords: + - magento + max_items: 50 +- name: NVD Magento + kind: nvd-search + keyword: Magento + confidence: official + advisory_mode: core + results_per_page: 50 diff --git a/00-environments/catalog/systems/mattermost.yaml b/00-environments/catalog/systems/mattermost.yaml new file mode 100644 index 00000000..bc30141b --- /dev/null +++ b/00-environments/catalog/systems/mattermost.yaml 
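Review bot: magento-open-source.yaml and adobe-commerce.yaml earlier in this commit cover the same codebase from two sides — Adobe's APSB bulletins list Magento Open Source and Adobe Commerce together, and the NVD keywords `Magento` and `Adobe Commerce` will return many of the same CVEs — so unless the pipeline de-duplicates by CVE ID across systems, each advisory is ingested twice with two repro targets. Either point both entries at one shared source set with a comment explaining the split, or record in one of them that de-duplication happens downstream, e.g. `# overlaps adobe-commerce; merged by CVE ID at ingest`.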
@@ -0,0 +1,34 @@ +system_id: mattermost +display_name: Mattermost +category: platforms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18504:80 +source_reference: +- name: Mattermost Security Updates + kind: html-links + url: https://mattermost.com/security-updates/ + confidence: official + advisory_mode: core + keywords: + - mattermost + max_items: 50 +- name: NVD Mattermost + kind: nvd-search + keyword: Mattermost + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/mediawiki.yaml b/00-environments/catalog/systems/mediawiki.yaml new file mode 100644 index 00000000..a0dcc675 --- /dev/null +++ b/00-environments/catalog/systems/mediawiki.yaml @@ -0,0 +1,35 @@ +system_id: mediawiki +display_name: MediaWiki +category: cms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18348:80 +source_reference: +- name: MediaWiki Security Releases + kind: html-links + url: https://www.mediawiki.org/wiki/Security + confidence: official + advisory_mode: core + keywords: + - mediawiki + - security + max_items: 50 +- name: NVD MediaWiki + kind: nvd-search + keyword: MediaWiki + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/medusa.yaml b/00-environments/catalog/systems/medusa.yaml new file mode 100644 index 00000000..2b61a00b --- /dev/null +++ b/00-environments/catalog/systems/medusa.yaml 
@@ -0,0 +1,32 @@ +system_id: medusa +display_name: Medusa +category: ecommerce +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: session-token-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18739:80 +source_reference: +- name: GitHub Medusa Advisories + kind: html-links + url: https://github.com/medusajs/medusa/security/advisories + confidence: official + advisory_mode: core + keywords: + - medusa + max_items: 50 +- name: OSV Medusa + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/moodle.yaml b/00-environments/catalog/systems/moodle.yaml new file mode 100644 index 00000000..29bb6dee --- /dev/null +++ b/00-environments/catalog/systems/moodle.yaml @@ -0,0 +1,35 @@ +system_id: moodle +display_name: Moodle +category: cms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18740:80 +source_reference: +- name: Moodle Security News + kind: html-links + url: https://moodle.org/security/ + confidence: official + advisory_mode: core + keywords: + - moodle + - security + max_items: 50 +- name: NVD Moodle + kind: nvd-search + keyword: Moodle + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/nestjs.yaml b/00-environments/catalog/systems/nestjs.yaml new file mode 100644 index 00000000..2db0732b --- /dev/null +++ b/00-environments/catalog/systems/nestjs.yaml 
@@ -0,0 +1,29 @@ +system_id: nestjs +display_name: NestJS +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: ssrf-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18763:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV NestJS + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/nextjs.yaml b/00-environments/catalog/systems/nextjs.yaml new file mode 100644 index 00000000..2feb0704 --- /dev/null +++ b/00-environments/catalog/systems/nextjs.yaml @@ -0,0 +1,34 @@ +system_id: nextjs +display_name: Next.js +category: frameworks +tier: history-full +artifact_mode_preference: +- official-source +- synthetic +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: node:22-alpine + ports: + - 18090:3000 +source_reference: +- name: GitHub Next.js Advisories + kind: html-links + url: https://github.com/vercel/next.js/security/advisories + confidence: official + advisory_mode: core + keywords: + - next.js + - next + max_items: 50 +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/nginx.yaml b/00-environments/catalog/systems/nginx.yaml new file mode 100644 index 00000000..6783d866 --- /dev/null +++ b/00-environments/catalog/systems/nginx.yaml 
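Review bot: In nextjs.yaml the `GitHub Next.js Advisories` keyword list includes the bare word `next`, which on a GitHub page matches pagination and navigation links as readily as advisory titles, so with OR semantics the filter is no filter at all; keep `next.js` and drop `next`. Separately, the `app` service is `node:22-alpine` with no command and no application mounted; the image's default command is a bare `node` process that exits without a TTY, so `http-snapshot` on `18090` will presumably find nothing listening unless the runner supplies the app — a comment on the service saying where the application comes from would make that contract visible. nodejs.yaml later in this commit has the same service shape.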
@@ -0,0 +1,35 @@ +system_id: nginx +display_name: Nginx +category: servers +tier: history-full +artifact_mode_preference: +- official-image +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: false +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginx:1.27-alpine + ports: + - 18086:80 +source_reference: +- name: NGINX Security Advisories + kind: html-links + url: https://nginx.org/en/security_advisories.html + confidence: official + advisory_mode: server + keywords: + - nginx + - security + max_items: 60 +- name: NVD NGINX + kind: nvd-search + keyword: NGINX + confidence: official + advisory_mode: server + results_per_page: 50 diff --git a/00-environments/catalog/systems/nodejs.yaml b/00-environments/catalog/systems/nodejs.yaml new file mode 100644 index 00000000..31fa5e74 --- /dev/null +++ b/00-environments/catalog/systems/nodejs.yaml @@ -0,0 +1,37 @@ +system_id: nodejs +display_name: Node.js +category: frameworks +tier: history-full +artifact_mode_preference: +- official-source +- synthetic +- synthetic +default_repro_family: ssrf-generic +browser_required_default: false +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: node:22-alpine + ports: + - 18089:3000 +source_reference: +- name: Node.js Security Releases + kind: html-links + url: https://nodejs.org/en/blog/vulnerability + confidence: official + advisory_mode: core + keywords: + - node.js + - security + max_items: 60 +- name: CISA KEV Node.js + kind: kev-json + url: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json + confidence: official + advisory_mode: core + keywords: + - node.js + - nodejs diff --git a/00-environments/catalog/systems/nuxt.yaml b/00-environments/catalog/systems/nuxt.yaml new file mode 100644 index 00000000..0330be78 --- /dev/null +++ b/00-environments/catalog/systems/nuxt.yaml 
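Review bot: `nginx:1.27-alpine` is a floating tag (the patch release and the Alpine base both move under it), which conflicts with `official-image` being the first `artifact_mode_preference` for a `history-full` system: two runs of the same profile can exercise different binaries and the report cannot say which one was tested. Pin to a full version and, for real verification, record or pin the digest, e.g. `image: nginx:<full-version>-alpine@sha256:<digest>`. The `httpd:2.4` and `tomcat:10.1` profiles later in this diff have the same issue.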
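Review bot: the `app` service is a bare `node:22-alpine` with no `command:` or `entrypoint:`, so nothing serves on 3000 and the published port `18089:3000` is dead unless the runner injects a command (not visible here); as far as I recall the image's default command is the Node REPL, which exits immediately without a TTY. Either add an explicit `command:` that starts a listener or mark this entry synthetic like the other framework placeholders. `nextjs`, `nuxt`, `vite` and `vue` in this diff share the same shape.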
@@ -0,0 +1,33 @@
+system_id: nuxt
+display_name: Nuxt
+category: frameworks
+tier: history-full
+artifact_mode_preference:
+- official-source
+- synthetic
+- synthetic
+default_repro_family: proxy-boundary-generic
+browser_required_default: true
+log_collectors:
+- docker-logs
+- http-snapshot
+report_template: default-lab-report
+services:
+ app:
+ image: node:22-alpine
+ ports:
+ - 18092:3000
+source_reference:
+- name: Nuxt Security
+ kind: html-links
+ url: https://github.com/nuxt/nuxt/security/advisories
+ confidence: official
+ advisory_mode: core
+ keywords:
+ - nuxt
+ max_items: 50
+- name: GitHub Global Advisories
+ kind: ghsa-global
+ ecosystem: npm
+ confidence: official
+ advisory_mode: core
diff --git a/00-environments/catalog/systems/opencart.yaml b/00-environments/catalog/systems/opencart.yaml
new file mode 100644
index 00000000..b5d9461a
--- /dev/null
+++ b/00-environments/catalog/systems/opencart.yaml
@@ -0,0 +1,41 @@
+system_id: opencart
+display_name: OpenCart
+category: ecommerce
+tier: history-full
+artifact_mode_preference:
+- official-image
+- official-source
+- synthetic
+default_repro_family: file-upload-generic
+browser_required_default: true
+log_collectors:
+- docker-logs
+- http-snapshot
+report_template: default-lab-report
+services:
+ app:
+ image: bitnami/opencart:latest
+ ports:
+ - 18084:8080
+ db:
+ image: mariadb:10.11
+ environment:
+ MARIADB_DATABASE: opencart
+ MARIADB_USER: opencart
+ MARIADB_PASSWORD: opencart
+ MARIADB_ROOT_PASSWORD: root
+source_reference:
+- name: OpenCart Releases
+ kind: html-links
+ url: https://github.com/opencart/opencart/releases
+ confidence: official
+ advisory_mode: core
+ keywords:
+ - opencart
+ max_items: 50
+- name: NVD OpenCart
+ kind: nvd-search
+ keyword: OpenCart
+ confidence: official
+ advisory_mode: core
+ results_per_page: 50
diff --git a/00-environments/catalog/systems/openmage.yaml b/00-environments/catalog/systems/openmage.yaml
new file mode 100644
index 00000000..3000735d
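Review bot: the `db` service is fully configured but the `app` service receives no database settings (no host, user, password or database name), so unless the runner injects them the OpenCart container cannot reach `db` — I believe the Bitnami image expects `OPENCART_DATABASE_HOST`, `OPENCART_DATABASE_USER`, `OPENCART_DATABASE_PASSWORD` and `OPENCART_DATABASE_NAME`, please confirm against its README. `bitnami/opencart:latest` is also a moving tag under an `official-image`-first preference, so the artifact a report names is not reproducible. The plaintext `MARIADB_ROOT_PASSWORD: root` is tolerable only because `db` publishes no port; keep it that way, and bind `18084:8080` to `127.0.0.1` since this service is meant to run vulnerable versions.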
--- /dev/null +++ b/00-environments/catalog/systems/openmage.yaml @@ -0,0 +1,35 @@ +system_id: openmage +display_name: OpenMage / Mage-OS +category: ecommerce +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: plugin-extension-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18244:80 +source_reference: +- name: OpenMage GitHub Advisories + kind: html-links + url: https://github.com/OpenMage/magento-lts/security/advisories + confidence: official + advisory_mode: core + keywords: + - openmage + - mage + max_items: 50 +- name: NVD OpenMage + kind: nvd-search + keyword: OpenMage + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/phpmyadmin.yaml b/00-environments/catalog/systems/phpmyadmin.yaml new file mode 100644 index 00000000..b5f17d60 --- /dev/null +++ b/00-environments/catalog/systems/phpmyadmin.yaml @@ -0,0 +1,34 @@ +system_id: phpmyadmin +display_name: phpMyAdmin +category: platforms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18479:80 +source_reference: +- name: phpMyAdmin Security Page + kind: html-links + url: https://www.phpmyadmin.net/security/ + confidence: official + advisory_mode: core + keywords: + - phpmyadmin + max_items: 50 +- name: NVD phpMyAdmin + kind: nvd-search + keyword: phpMyAdmin + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/prestashop.yaml b/00-environments/catalog/systems/prestashop.yaml new file mode 100644 index 00000000..b165bd71 --- /dev/null 
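Review bot: the html-links keyword `mage` is contained in "image", "Magento" and "Mage-OS" alike, so on a GitHub advisories page it will admit avatar and image links and unrelated navigation as advisories. `openmage` already matches the project; if Mage-OS advisories are wanted, add `mage-os` rather than `mage`. Whether the matcher is word-bounded is not visible in this diff, so please check it before relying on short keywords anywhere in the catalog.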
+++ b/00-environments/catalog/systems/prestashop.yaml
@@ -0,0 +1,44 @@
+system_id: prestashop
+display_name: PrestaShop
+category: ecommerce
+tier: history-full
+artifact_mode_preference:
+- official-image
+- official-source
+- synthetic
+default_repro_family: file-upload-generic
+browser_required_default: true
+log_collectors:
+- docker-logs
+- http-snapshot
+report_template: default-lab-report
+services:
+ app:
+ image: prestashop/prestashop:latest
+ ports:
+ - 18083:80
+ db:
+ image: mariadb:10.11
+ environment:
+ MARIADB_DATABASE: prestashop
+ MARIADB_USER: prestashop
+ MARIADB_PASSWORD: prestashop
+ MARIADB_ROOT_PASSWORD: root
+source_reference:
+- name: PrestaShop Security Page
+ kind: html-links
+ url: https://build.prestashop-project.org/news/
+ confidence: official
+ advisory_mode: core
+ keywords:
+ - prestashop
+ - security
+ max_items: 50
+- name: GitHub PrestaShop Advisories
+ kind: html-links
+ url: https://github.com/PrestaShop/PrestaShop/security/advisories
+ confidence: official
+ advisory_mode: core
+ keywords:
+ - prestashop
+ max_items: 50
diff --git a/00-environments/catalog/systems/rails.yaml b/00-environments/catalog/systems/rails.yaml
new file mode 100644
index 00000000..95ac1b7f
--- /dev/null
+++ b/00-environments/catalog/systems/rails.yaml
@@ -0,0 +1,29 @@
+system_id: rails
+display_name: Ruby on Rails
+category: frameworks
+tier: rolling-24m
+artifact_mode_preference:
+- synthetic
+- official-source
+- synthetic
+default_repro_family: xss-generic
+browser_required_default: true
+log_collectors:
+- docker-logs
+- http-snapshot
+report_template: default-lab-report
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18639:80
+source_reference:
+- name: GitHub Global Advisories
+ kind: ghsa-global
+ ecosystem: rubygems
+ confidence: official
+ advisory_mode: core
+- name: OSV Rails
+ kind: osv-batch
+ confidence: official
+ advisory_mode: core
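Review bot: the source named `PrestaShop Security Page` points at `https://build.prestashop-project.org/news/`, which is the project's general news feed; with the keyword `security` it will pick up any post that mentions the word, and the name overstates what it is. Rename it (e.g. `name: PrestaShop Build News`) or point it at an actual advisory index, and let the GitHub advisories entry below be the authoritative source. As with the other two-service entries, `app` gets no connection variables for `db` (the PrestaShop image uses `DB_SERVER`, `DB_USER`, `DB_PASSWD` and `DB_NAME` as far as I recall — verify), and `prestashop/prestashop:latest` is a floating tag under an `official-image`-first preference.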
diff --git a/00-environments/catalog/systems/react.yaml b/00-environments/catalog/systems/react.yaml new file mode 100644 index 00000000..a2875590 --- /dev/null +++ b/00-environments/catalog/systems/react.yaml @@ -0,0 +1,33 @@ +system_id: react +display_name: React +category: frameworks +tier: history-full +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18627:80 +source_reference: +- name: GitHub React Advisories + kind: html-links + url: https://github.com/facebook/react/security/advisories + confidence: official + advisory_mode: core + keywords: + - react + max_items: 50 +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/redmine.yaml b/00-environments/catalog/systems/redmine.yaml new file mode 100644 index 00000000..e8310c9f --- /dev/null +++ b/00-environments/catalog/systems/redmine.yaml @@ -0,0 +1,34 @@ +system_id: redmine +display_name: Redmine +category: platforms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18140:80 +source_reference: +- name: Redmine Security Advisories + kind: html-links + url: https://www.redmine.org/projects/redmine/wiki/Security_Advisories + confidence: official + advisory_mode: core + keywords: + - redmine + max_items: 50 +- name: NVD Redmine + kind: nvd-search + keyword: Redmine + confidence: official + advisory_mode: core + results_per_page: 40 
diff --git a/00-environments/catalog/systems/saleor.yaml b/00-environments/catalog/systems/saleor.yaml new file mode 100644 index 00000000..649b824c --- /dev/null +++ b/00-environments/catalog/systems/saleor.yaml @@ -0,0 +1,34 @@ +system_id: saleor +display_name: Saleor +category: ecommerce +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: session-token-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18746:80 +source_reference: +- name: GitHub Saleor Advisories + kind: html-links + url: https://github.com/saleor/saleor/security/advisories + confidence: official + advisory_mode: core + keywords: + - saleor + max_items: 50 +- name: NVD Saleor + kind: nvd-search + keyword: Saleor + confidence: official + advisory_mode: core + results_per_page: 40 diff --git a/00-environments/catalog/systems/shopware.yaml b/00-environments/catalog/systems/shopware.yaml new file mode 100644 index 00000000..baa41c16 --- /dev/null +++ b/00-environments/catalog/systems/shopware.yaml @@ -0,0 +1,34 @@ +system_id: shopware +display_name: Shopware +category: ecommerce +tier: history-full +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: file-upload-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18273:80 +source_reference: +- name: Shopware Security Advisories + kind: html-links + url: https://github.com/shopware/shopware/security/advisories + confidence: official + advisory_mode: core + keywords: + - shopware + max_items: 50 +- name: NVD Shopware + kind: nvd-search + keyword: Shopware + confidence: official + advisory_mode: core + results_per_page: 40 
diff --git a/00-environments/catalog/systems/spring-boot.yaml b/00-environments/catalog/systems/spring-boot.yaml new file mode 100644 index 00000000..3b24b213 --- /dev/null +++ b/00-environments/catalog/systems/spring-boot.yaml @@ -0,0 +1,33 @@ +system_id: spring-boot +display_name: Spring Boot +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18540:80 +source_reference: +- name: Spring Security Advisories + kind: html-links + url: https://spring.io/security + confidence: official + advisory_mode: core + keywords: + - spring boot + max_items: 50 +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: maven + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/spring-framework.yaml b/00-environments/catalog/systems/spring-framework.yaml new file mode 100644 index 00000000..57b1e15b --- /dev/null +++ b/00-environments/catalog/systems/spring-framework.yaml @@ -0,0 +1,34 @@ +system_id: spring-framework +display_name: Spring Framework +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: deserialization-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18378:80 +source_reference: +- name: Spring Security Advisories + kind: html-links + url: https://spring.io/security + confidence: official + advisory_mode: core + keywords: + - spring framework + - cve + max_items: 50 +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: maven + confidence: official + advisory_mode: core 
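Review bot: both Spring entries scrape the same `https://spring.io/security` page, and `spring-framework` adds the keyword `cve`, which matches every advisory on that page regardless of project — Spring Boot, Spring Security and other Spring project advisories will all be attributed to the framework. Drop `cve` and keep only `spring framework`, which is what the `spring-boot` and `spring-security` entries already do with their own names. If the page groups advisories per project, a per-project URL or anchor would be more precise than keyword filtering.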
diff --git a/00-environments/catalog/systems/spring-security.yaml b/00-environments/catalog/systems/spring-security.yaml new file mode 100644 index 00000000..5081f6d0 --- /dev/null +++ b/00-environments/catalog/systems/spring-security.yaml @@ -0,0 +1,33 @@ +system_id: spring-security +display_name: Spring Security +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18292:80 +source_reference: +- name: Spring Security Advisories + kind: html-links + url: https://spring.io/security + confidence: official + advisory_mode: core + keywords: + - spring security + max_items: 50 +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: maven + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/strapi.yaml b/00-environments/catalog/systems/strapi.yaml new file mode 100644 index 00000000..67c57eed --- /dev/null +++ b/00-environments/catalog/systems/strapi.yaml @@ -0,0 +1,32 @@ +system_id: strapi +display_name: Strapi +category: cms +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: file-upload-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18759:80 +source_reference: +- name: Strapi GitHub Advisories + kind: html-links + url: https://github.com/strapi/strapi/security/advisories + confidence: official + advisory_mode: core + keywords: + - strapi + max_items: 50 +- name: OSV Strapi + kind: osv-batch + confidence: official + advisory_mode: core 
diff --git a/00-environments/catalog/systems/sveltekit.yaml b/00-environments/catalog/systems/sveltekit.yaml new file mode 100644 index 00000000..017e303d --- /dev/null +++ b/00-environments/catalog/systems/sveltekit.yaml @@ -0,0 +1,29 @@ +system_id: sveltekit +display_name: SvelteKit +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: session-token-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18387:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV SvelteKit + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/symfony.yaml b/00-environments/catalog/systems/symfony.yaml new file mode 100644 index 00000000..dbbe3511 --- /dev/null +++ b/00-environments/catalog/systems/symfony.yaml @@ -0,0 +1,29 @@ +system_id: symfony +display_name: Symfony +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18189:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: composer + confidence: official + advisory_mode: core +- name: OSV Symfony + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/traefik.yaml b/00-environments/catalog/systems/traefik.yaml new file mode 100644 index 00000000..2510ec84 --- /dev/null +++ b/00-environments/catalog/systems/traefik.yaml 
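Review bot: the `osv-batch` reference carries no ecosystem or package selector, unlike the `ghsa-global` entry next to it which names `npm`, so the fetcher must derive the package from `system_id` — and SvelteKit is published as `@sveltejs/kit`, which no simple derivation from `sveltekit` will produce. Add an explicit selector if the `osv-batch` kind supports one, e.g. `ecosystem: npm` and `package: "@sveltejs/kit"`; if it does not, the schema should state how the query is formed. The same question applies to `symfony` (`symfony/symfony` on Packagist) in this hunk group and to the other selector-less `osv-batch` entries in the diff.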
@@ -0,0 +1,32 @@ +system_id: traefik +display_name: Traefik +category: servers +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: false +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18142:80 +source_reference: +- name: GitHub Traefik Advisories + kind: html-links + url: https://github.com/traefik/traefik/security/advisories + confidence: official + advisory_mode: server + keywords: + - traefik + max_items: 50 +- name: OSV Traefik + kind: osv-batch + confidence: official + advisory_mode: server diff --git a/00-environments/catalog/systems/undici.yaml b/00-environments/catalog/systems/undici.yaml new file mode 100644 index 00000000..139bdb77 --- /dev/null +++ b/00-environments/catalog/systems/undici.yaml @@ -0,0 +1,29 @@ +system_id: undici +display_name: Undici +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18736:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV Undici + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/vite.yaml b/00-environments/catalog/systems/vite.yaml new file mode 100644 index 00000000..28f92c53 --- /dev/null +++ b/00-environments/catalog/systems/vite.yaml 
@@ -0,0 +1,33 @@ +system_id: vite +display_name: Vite +category: frameworks +tier: history-full +artifact_mode_preference: +- official-source +- synthetic +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: node:22-alpine + ports: + - 18093:5173 +source_reference: +- name: Vite Security + kind: html-links + url: https://github.com/vitejs/vite/security/advisories + confidence: official + advisory_mode: core + keywords: + - vite + max_items: 50 +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/vue.yaml b/00-environments/catalog/systems/vue.yaml new file mode 100644 index 00000000..ebbc941c --- /dev/null +++ b/00-environments/catalog/systems/vue.yaml @@ -0,0 +1,33 @@ +system_id: vue +display_name: Vue +category: frameworks +tier: history-full +artifact_mode_preference: +- official-source +- synthetic +- synthetic +default_repro_family: xss-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: node:22-alpine + ports: + - 18091:5173 +source_reference: +- name: Vue Security + kind: html-links + url: https://github.com/vuejs/core/security + confidence: official + advisory_mode: core + keywords: + - vue + max_items: 50 +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/webpack.yaml b/00-environments/catalog/systems/webpack.yaml new file mode 100644 index 00000000..1698b29c --- /dev/null +++ b/00-environments/catalog/systems/webpack.yaml 
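Review bot: the `app` service is `node:22-alpine` with no command, so nothing listens on 5173 and `18093:5173` cannot serve a baseline URL unless the runner starts a dev server, which is not visible in this diff. If a Vite dev server is what is intended, it also needs `--host 0.0.0.0`, since its default bind is loopback and a published Docker port cannot reach that (please verify against the Vite docs for the version used). Otherwise mark this entry synthetic like the other framework placeholders.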
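Review bot: `https://github.com/vuejs/core/security` is the repository's security policy tab, not its advisories list; every other GitHub source in this diff uses `/security/advisories`, and an html-links scrape of the policy page filtered by `vue` will mostly return policy and navigation links. Change it to `url: https://github.com/vuejs/core/security/advisories`.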
@@ -0,0 +1,29 @@ +system_id: webpack +display_name: webpack +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: file-upload-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18133:80 +source_reference: +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: npm + confidence: official + advisory_mode: core +- name: OSV webpack + kind: osv-batch + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/werkzeug.yaml b/00-environments/catalog/systems/werkzeug.yaml new file mode 100644 index 00000000..f2856863 --- /dev/null +++ b/00-environments/catalog/systems/werkzeug.yaml @@ -0,0 +1,29 @@ +system_id: werkzeug +display_name: Werkzeug +category: frameworks +tier: rolling-24m +artifact_mode_preference: +- synthetic +- official-source +- synthetic +default_repro_family: proxy-boundary-generic +browser_required_default: true +log_collectors: +- docker-logs +- http-snapshot +report_template: default-lab-report +services: + app: + image: nginxdemos/hello:latest + ports: + - 18284:80 +source_reference: +- name: OSV Werkzeug + kind: osv-batch + confidence: official + advisory_mode: core +- name: GitHub Global Advisories + kind: ghsa-global + ecosystem: pip + confidence: official + advisory_mode: core diff --git a/00-environments/catalog/systems/woocommerce.yaml b/00-environments/catalog/systems/woocommerce.yaml new file mode 100644 index 00000000..84ec3a9f --- /dev/null +++ b/00-environments/catalog/systems/woocommerce.yaml 
@@ -0,0 +1,37 @@
+system_id: woocommerce
+display_name: WooCommerce
+category: ecommerce
+tier: history-full
+artifact_mode_preference:
+- synthetic
+- official-source
+- synthetic
+default_repro_family: xss-generic
+browser_required_default: true
+log_collectors:
+- docker-logs
+- http-snapshot
+report_template: default-lab-report
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18584:80
+source_reference:
+- name: Woo Developer Advisories
+ kind: html-links
+ url: https://developer.woocommerce.com/
+ confidence: official
+ advisory_mode: core
+ keywords:
+ - woocommerce
+ - security
+ max_items: 50
+- name: GitHub WooCommerce Advisories
+ kind: html-links
+ url: https://github.com/woocommerce/woocommerce/security/advisories
+ confidence: official
+ advisory_mode: core
+ keywords:
+ - woocommerce
+ max_items: 50
diff --git a/00-environments/catalog/systems/wordpress.yaml b/00-environments/catalog/systems/wordpress.yaml
new file mode 100644
index 00000000..3ae3cbca
--- /dev/null
+++ b/00-environments/catalog/systems/wordpress.yaml
@@ -0,0 +1,43 @@
+system_id: wordpress
+display_name: WordPress
+category: cms
+tier: history-full
+artifact_mode_preference:
+- official-image
+- official-source
+- synthetic
+default_repro_family: xss-generic
+browser_required_default: true
+log_collectors:
+- docker-logs
+- http-snapshot
+report_template: default-lab-report
+services:
+ app:
+ image: wordpress:php8.2-apache
+ ports:
+ - 18080:80
+ db:
+ image: mariadb:10.11
+ environment:
+ MARIADB_DATABASE: wordpress
+ MARIADB_USER: wordpress
+ MARIADB_PASSWORD: wordpress
+ MARIADB_ROOT_PASSWORD: root
+source_reference:
+- name: WordPress Security News
+ kind: html-links
+ url: https://wordpress.org/news/category/security/
+ confidence: official
+ advisory_mode: core
+ keywords:
+ - wordpress
+ - security
+ - release
+ max_items: 40
+- name: NVD WordPress
+ kind: nvd-search
+ keyword: WordPress
+ confidence: official
+ advisory_mode: core
+ results_per_page: 50
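Review bot: `https://developer.woocommerce.com/` is the developer blog's front page, not an advisory index, yet it is tagged `confidence: official` with `advisory_mode: core` and filtered only by the words `woocommerce` and `security`, so the scrape returns whatever posts happen to be on the front page the day it runs. Either point `url` at a security category of that blog (if one exists — not verifiable from here) or lower `confidence` so the entry is treated as a hint rather than an authoritative feed. The GitHub advisories entry below it is the one that actually enumerates advisories.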
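Review bot: the `app` service is given no `WORDPRESS_DB_HOST`, `WORDPRESS_DB_USER`, `WORDPRESS_DB_PASSWORD` or `WORDPRESS_DB_NAME`, so it cannot reach the `db` service defined in the same hunk (as far as I recall the official image falls back to a host named `mysql`, which does not exist here). Add those four variables to `app`, mirroring the `MARIADB_*` values on `db`. `MARIADB_ROOT_PASSWORD: root` is acceptable only while `db` publishes no port — do not let a later profile expose it — and `18080:80` should be bound to `127.0.0.1` since this is an intentionally vulnerable lab target.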
diff --git a/00-environments/profiles/core/adminer/current.yaml b/00-environments/profiles/core/adminer/current.yaml new file mode 100644 index 00000000..21a5fdef --- /dev/null +++ b/00-environments/profiles/core/adminer/current.yaml @@ -0,0 +1,17 @@ +profile_id: adminer-core-current +system_id: adminer +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: true +services: + app: + image: nginxdemos/hello:latest + ports: + - 18136:80 +baseline_urls: +- http://127.0.0.1:18136/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy diff --git a/00-environments/profiles/core/adobe-commerce/current.yaml b/00-environments/profiles/core/adobe-commerce/current.yaml new file mode 100644 index 00000000..8039a8a3 --- /dev/null +++ b/00-environments/profiles/core/adobe-commerce/current.yaml @@ -0,0 +1,17 @@ +profile_id: adobe-commerce-core-current +system_id: adobe-commerce +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: true +services: + app: + image: nginxdemos/hello:latest + ports: + - 18795:80 +baseline_urls: +- http://127.0.0.1:18795/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy diff --git a/00-environments/profiles/core/angular/current.yaml b/00-environments/profiles/core/angular/current.yaml new file mode 100644 index 00000000..3b05fb87 --- /dev/null +++ b/00-environments/profiles/core/angular/current.yaml @@ -0,0 +1,17 @@ +profile_id: angular-core-current +system_id: angular +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: true +services: + app: + image: nginxdemos/hello:latest + ports: + - 18146:80 +baseline_urls: +- http://127.0.0.1:18146/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy 
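Review bot: `baseline_urls` targets `http://127.0.0.1:18136/` but `ports: - 18136:80` publishes the service on all host interfaces, so the lab is reachable from the network even though every check only uses loopback. Bind explicitly: `- 127.0.0.1:18136:80`. This profile also repeats the `services` block verbatim from `catalog/systems/adminer.yaml`; if the port is ever changed in one file only, the baseline URL silently points at the wrong container, so consider referencing the catalog entry rather than copying it.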
diff --git a/00-environments/profiles/core/apache-httpd/current.yaml b/00-environments/profiles/core/apache-httpd/current.yaml new file mode 100644 index 00000000..b6b7a72b --- /dev/null +++ b/00-environments/profiles/core/apache-httpd/current.yaml @@ -0,0 +1,17 @@ +profile_id: apache-httpd-core-current +system_id: apache-httpd +version: current +artifact_mode: official-image +verification_mode: real +browser_required: false +services: + app: + image: httpd:2.4 + ports: + - 18087:80 +baseline_urls: +- http://127.0.0.1:18087/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy diff --git a/00-environments/profiles/core/apache-tomcat/current.yaml b/00-environments/profiles/core/apache-tomcat/current.yaml new file mode 100644 index 00000000..8a6666bd --- /dev/null +++ b/00-environments/profiles/core/apache-tomcat/current.yaml @@ -0,0 +1,17 @@ +profile_id: apache-tomcat-core-current +system_id: apache-tomcat +version: current +artifact_mode: official-image +verification_mode: real +browser_required: false +services: + app: + image: tomcat:10.1 + ports: + - 18088:8080 +baseline_urls: +- http://127.0.0.1:18088/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy diff --git a/00-environments/profiles/core/aspnet-core/current.yaml b/00-environments/profiles/core/aspnet-core/current.yaml new file mode 100644 index 00000000..e672ab54 --- /dev/null +++ b/00-environments/profiles/core/aspnet-core/current.yaml @@ -0,0 +1,17 @@ +profile_id: aspnet-core-core-current +system_id: aspnet-core +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: true +services: + app: + image: nginxdemos/hello:latest + ports: + - 18521:80 +baseline_urls: +- http://127.0.0.1:18521/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy 
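Review bot: `verification_mode: real` and `version: current` are paired with the floating tag `httpd:2.4`, so two runs of this profile can verify different httpd builds and the report cannot say which one was tested. Record the resolved image digest when `verification_mode` is `real`, or pin the tag, e.g. `image: httpd:2.4.<patch>@sha256:<digest>`. The `apache-tomcat` profile in this same hunk group (`tomcat:10.1`) has the identical problem.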
diff --git a/00-environments/profiles/core/astro/current.yaml b/00-environments/profiles/core/astro/current.yaml new file mode 100644 index 00000000..06ce0b38 --- /dev/null +++ b/00-environments/profiles/core/astro/current.yaml @@ -0,0 +1,17 @@ +profile_id: astro-core-current +system_id: astro +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: true +services: + app: + image: nginxdemos/hello:latest + ports: + - 18653:80 +baseline_urls: +- http://127.0.0.1:18653/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy diff --git a/00-environments/profiles/core/caddy/current.yaml b/00-environments/profiles/core/caddy/current.yaml new file mode 100644 index 00000000..8fd0e3ba --- /dev/null +++ b/00-environments/profiles/core/caddy/current.yaml @@ -0,0 +1,17 @@ +profile_id: caddy-core-current +system_id: caddy +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: false +services: + app: + image: nginxdemos/hello:latest + ports: + - 18617:80 +baseline_urls: +- http://127.0.0.1:18617/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy diff --git a/00-environments/profiles/core/directus/current.yaml b/00-environments/profiles/core/directus/current.yaml new file mode 100644 index 00000000..8545803e --- /dev/null +++ b/00-environments/profiles/core/directus/current.yaml @@ -0,0 +1,17 @@ +profile_id: directus-core-current +system_id: directus +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: true +services: + app: + image: nginxdemos/hello:latest + ports: + - 18267:80 +baseline_urls: +- http://127.0.0.1:18267/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy 
diff --git a/00-environments/profiles/core/discourse/current.yaml b/00-environments/profiles/core/discourse/current.yaml new file mode 100644 index 00000000..412bc45f --- /dev/null +++ b/00-environments/profiles/core/discourse/current.yaml @@ -0,0 +1,17 @@ +profile_id: discourse-core-current +system_id: discourse +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: true +services: + app: + image: nginxdemos/hello:latest + ports: + - 18377:80 +baseline_urls: +- http://127.0.0.1:18377/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy diff --git a/00-environments/profiles/core/django/current.yaml b/00-environments/profiles/core/django/current.yaml new file mode 100644 index 00000000..75bcc40c --- /dev/null +++ b/00-environments/profiles/core/django/current.yaml @@ -0,0 +1,17 @@ +profile_id: django-core-current +system_id: django +version: current +artifact_mode: synthetic +verification_mode: synthetic +browser_required: true +services: + app: + image: nginxdemos/hello:latest + ports: + - 18727:80 +baseline_urls: +- http://127.0.0.1:18727/ +seed_actions: +- kind: note + message: Use default seed strategy derived from repro profile. +cleanup_policy: destroy diff --git a/00-environments/profiles/core/drupal/current.yaml b/00-environments/profiles/core/drupal/current.yaml new file mode 100644 index 00000000..df3941c5 --- /dev/null +++ b/00-environments/profiles/core/drupal/current.yaml 
@@ -0,0 +1,23 @@
+profile_id: drupal-core-current
+system_id: drupal
+version: current
+artifact_mode: official-image
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: drupal:10-apache
+ ports:
+ - 18081:80
+ db:
+ image: postgres:15
+ environment:
+ POSTGRES_DB: drupal
+ POSTGRES_USER: drupal
+ POSTGRES_PASSWORD: drupal
+baseline_urls:
+- http://127.0.0.1:18081/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/echo/current.yaml b/00-environments/profiles/core/echo/current.yaml
new file mode 100644
index 00000000..caf5cafb
--- /dev/null
+++ b/00-environments/profiles/core/echo/current.yaml
@@ -0,0 +1,17 @@
+profile_id: echo-core-current
+system_id: echo
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18515:80
+baseline_urls:
+- http://127.0.0.1:18515/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/esbuild/current.yaml b/00-environments/profiles/core/esbuild/current.yaml
new file mode 100644
index 00000000..89cba1ef
--- /dev/null
+++ b/00-environments/profiles/core/esbuild/current.yaml
@@ -0,0 +1,17 @@
+profile_id: esbuild-core-current
+system_id: esbuild
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18144:80
+baseline_urls:
+- http://127.0.0.1:18144/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/express/current.yaml b/00-environments/profiles/core/express/current.yaml
new file mode 100644
index 00000000..5df44fff
--- /dev/null
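Review bot: This `verification_mode: real` profile references floating image tags (`drupal:10-apache`, `postgres:15`), so two runs of the same `profile_id` can resolve to different image contents and a repro verified today may not reproduce later; pin to an exact version or to `image@sha256:<digest-placeholder>`, as the gitea profile already does with `gitea/gitea:1.22.6`. The joomla, opencart, prestashop and wordpress profiles have the same issue in a stronger form, since `joomla:latest`, `bitnami/opencart:latest` and `prestashop/prestashop:latest` are fully unpinned. The `db` service publishes no ports and uses lab-only credentials, which is reasonable under `cleanup_policy: destroy`, but a comment such as `# lab-only credentials; db is reachable only on the compose network` would make that intent explicit to the next maintainer. Nothing in the profile passes the database host or credentials to `app`, so unless the runner injects them the real verification presumably stops at the installer; worth confirming.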
+++ b/00-environments/profiles/core/express/current.yaml
@@ -0,0 +1,17 @@
+profile_id: express-core-current
+system_id: express
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18178:80
+baseline_urls:
+- http://127.0.0.1:18178/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/fastify/current.yaml b/00-environments/profiles/core/fastify/current.yaml
new file mode 100644
index 00000000..ed3d4d60
--- /dev/null
+++ b/00-environments/profiles/core/fastify/current.yaml
@@ -0,0 +1,17 @@
+profile_id: fastify-core-current
+system_id: fastify
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18158:80
+baseline_urls:
+- http://127.0.0.1:18158/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/flask/current.yaml b/00-environments/profiles/core/flask/current.yaml
new file mode 100644
index 00000000..e2286f59
--- /dev/null
+++ b/00-environments/profiles/core/flask/current.yaml
@@ -0,0 +1,17 @@
+profile_id: flask-core-current
+system_id: flask
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18629:80
+baseline_urls:
+- http://127.0.0.1:18629/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/ghost/current.yaml b/00-environments/profiles/core/ghost/current.yaml
new file mode 100644
index 00000000..ec28ae50
--- /dev/null
+++ b/00-environments/profiles/core/ghost/current.yaml
@@ -0,0 +1,17 @@
+profile_id: ghost-core-current
+system_id: ghost
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18649:80
+baseline_urls:
+- http://127.0.0.1:18649/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/gin/current.yaml b/00-environments/profiles/core/gin/current.yaml
new file mode 100644
index 00000000..e0f3a0a9
--- /dev/null
+++ b/00-environments/profiles/core/gin/current.yaml
@@ -0,0 +1,17 @@
+profile_id: gin-core-current
+system_id: gin
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18418:80
+baseline_urls:
+- http://127.0.0.1:18418/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/gitea/current.yaml b/00-environments/profiles/core/gitea/current.yaml
new file mode 100644
index 00000000..293f2606
--- /dev/null
+++ b/00-environments/profiles/core/gitea/current.yaml
@@ -0,0 +1,17 @@
+profile_id: gitea-core-current
+system_id: gitea
+version: current
+artifact_mode: official-image
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: gitea/gitea:1.22.6
+ ports:
+ - 18085:3000
+baseline_urls:
+- http://127.0.0.1:18085/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/gitlab-ce/current.yaml b/00-environments/profiles/core/gitlab-ce/current.yaml
new file mode 100644
index 00000000..ac733ab1
--- /dev/null
+++ b/00-environments/profiles/core/gitlab-ce/current.yaml
@@ -0,0 +1,17 @@
+profile_id: gitlab-ce-core-current
+system_id: gitlab-ce
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18272:80
+baseline_urls:
+- http://127.0.0.1:18272/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/grafana/current.yaml b/00-environments/profiles/core/grafana/current.yaml
new file mode 100644
index 00000000..101e91ba
--- /dev/null
+++ b/00-environments/profiles/core/grafana/current.yaml
@@ -0,0 +1,17 @@
+profile_id: grafana-core-current
+system_id: grafana
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18120:80
+baseline_urls:
+- http://127.0.0.1:18120/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/hapi/current.yaml b/00-environments/profiles/core/hapi/current.yaml
new file mode 100644
index 00000000..527a20d6
--- /dev/null
+++ b/00-environments/profiles/core/hapi/current.yaml
@@ -0,0 +1,17 @@
+profile_id: hapi-core-current
+system_id: hapi
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18518:80
+baseline_urls:
+- http://127.0.0.1:18518/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/haproxy/current.yaml b/00-environments/profiles/core/haproxy/current.yaml
new file mode 100644
index 00000000..276a8634
--- /dev/null
+++ b/00-environments/profiles/core/haproxy/current.yaml
@@ -0,0 +1,17 @@
+profile_id: haproxy-core-current
+system_id: haproxy
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: false
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18179:80
+baseline_urls:
+- http://127.0.0.1:18179/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/jenkins/current.yaml b/00-environments/profiles/core/jenkins/current.yaml
new file mode 100644
index 00000000..438548dc
--- /dev/null
+++ b/00-environments/profiles/core/jenkins/current.yaml
@@ -0,0 +1,17 @@
+profile_id: jenkins-core-current
+system_id: jenkins
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18154:80
+baseline_urls:
+- http://127.0.0.1:18154/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/joomla/current.yaml b/00-environments/profiles/core/joomla/current.yaml
new file mode 100644
index 00000000..9ef35525
--- /dev/null
+++ b/00-environments/profiles/core/joomla/current.yaml
@@ -0,0 +1,24 @@
+profile_id: joomla-core-current
+system_id: joomla
+version: current
+artifact_mode: official-image
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: joomla:latest
+ ports:
+ - 18082:80
+ db:
+ image: mariadb:10.11
+ environment:
+ MARIADB_DATABASE: joomla
+ MARIADB_USER: joomla
+ MARIADB_PASSWORD: joomla
+ MARIADB_ROOT_PASSWORD: root
+baseline_urls:
+- http://127.0.0.1:18082/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/kibana/current.yaml b/00-environments/profiles/core/kibana/current.yaml
new file mode 100644
index 00000000..b1082d62
--- /dev/null
+++ b/00-environments/profiles/core/kibana/current.yaml
@@ -0,0 +1,17 @@
+profile_id: kibana-core-current
+system_id: kibana
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18714:80
+baseline_urls:
+- http://127.0.0.1:18714/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/koa/current.yaml b/00-environments/profiles/core/koa/current.yaml
new file mode 100644
index 00000000..ba10ba92
--- /dev/null
+++ b/00-environments/profiles/core/koa/current.yaml
@@ -0,0 +1,17 @@
+profile_id: koa-core-current
+system_id: koa
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18415:80
+baseline_urls:
+- http://127.0.0.1:18415/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/laravel/current.yaml b/00-environments/profiles/core/laravel/current.yaml
new file mode 100644
index 00000000..ba609b68
--- /dev/null
+++ b/00-environments/profiles/core/laravel/current.yaml
@@ -0,0 +1,17 @@
+profile_id: laravel-core-current
+system_id: laravel
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18143:80
+baseline_urls:
+- http://127.0.0.1:18143/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/magento-open-source/current.yaml b/00-environments/profiles/core/magento-open-source/current.yaml
new file mode 100644
index 00000000..8f33749b
--- /dev/null
+++ b/00-environments/profiles/core/magento-open-source/current.yaml
@@ -0,0 +1,17 @@
+profile_id: magento-open-source-core-current
+system_id: magento-open-source
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18628:80
+baseline_urls:
+- http://127.0.0.1:18628/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/mattermost/current.yaml b/00-environments/profiles/core/mattermost/current.yaml
new file mode 100644
index 00000000..a9163403
--- /dev/null
+++ b/00-environments/profiles/core/mattermost/current.yaml
@@ -0,0 +1,17 @@
+profile_id: mattermost-core-current
+system_id: mattermost
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18504:80
+baseline_urls:
+- http://127.0.0.1:18504/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/mediawiki/current.yaml b/00-environments/profiles/core/mediawiki/current.yaml
new file mode 100644
index 00000000..046ca139
--- /dev/null
+++ b/00-environments/profiles/core/mediawiki/current.yaml
@@ -0,0 +1,17 @@
+profile_id: mediawiki-core-current
+system_id: mediawiki
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18348:80
+baseline_urls:
+- http://127.0.0.1:18348/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/medusa/current.yaml b/00-environments/profiles/core/medusa/current.yaml
new file mode 100644
index 00000000..c147cfbe
--- /dev/null
+++ b/00-environments/profiles/core/medusa/current.yaml
@@ -0,0 +1,17 @@
+profile_id: medusa-core-current
+system_id: medusa
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18739:80
+baseline_urls:
+- http://127.0.0.1:18739/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/moodle/current.yaml b/00-environments/profiles/core/moodle/current.yaml
new file mode 100644
index 00000000..827e82cf
--- /dev/null
+++ b/00-environments/profiles/core/moodle/current.yaml
@@ -0,0 +1,17 @@
+profile_id: moodle-core-current
+system_id: moodle
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18740:80
+baseline_urls:
+- http://127.0.0.1:18740/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/nestjs/current.yaml b/00-environments/profiles/core/nestjs/current.yaml
new file mode 100644
index 00000000..cce3cd92
--- /dev/null
+++ b/00-environments/profiles/core/nestjs/current.yaml
@@ -0,0 +1,17 @@
+profile_id: nestjs-core-current
+system_id: nestjs
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18763:80
+baseline_urls:
+- http://127.0.0.1:18763/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/nextjs/current.yaml b/00-environments/profiles/core/nextjs/current.yaml
new file mode 100644
index 00000000..4e351d9e
--- /dev/null
+++ b/00-environments/profiles/core/nextjs/current.yaml
@@ -0,0 +1,17 @@
+profile_id: nextjs-core-current
+system_id: nextjs
+version: current
+artifact_mode: official-source
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: node:22-alpine
+ ports:
+ - 18090:3000
+baseline_urls:
+- http://127.0.0.1:18090/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/nginx/current.yaml b/00-environments/profiles/core/nginx/current.yaml
new file mode 100644
index 00000000..9bfa3fa8
--- /dev/null
+++ b/00-environments/profiles/core/nginx/current.yaml
@@ -0,0 +1,17 @@
+profile_id: nginx-core-current
+system_id: nginx
+version: current
+artifact_mode: official-image
+verification_mode: real
+browser_required: false
+services:
+ app:
+ image: nginx:1.27-alpine
+ ports:
+ - 18086:80
+baseline_urls:
+- http://127.0.0.1:18086/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/nodejs/current.yaml b/00-environments/profiles/core/nodejs/current.yaml
new file mode 100644
index 00000000..328c38fa
--- /dev/null
+++ b/00-environments/profiles/core/nodejs/current.yaml
@@ -0,0 +1,17 @@
+profile_id: nodejs-core-current
+system_id: nodejs
+version: current
+artifact_mode: official-source
+verification_mode: real
+browser_required: false
+services:
+ app:
+ image: node:22-alpine
+ ports:
+ - 18089:3000
+baseline_urls:
+- http://127.0.0.1:18089/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/nuxt/current.yaml b/00-environments/profiles/core/nuxt/current.yaml
new file mode 100644
index 00000000..0fe5bd66
--- /dev/null
+++ b/00-environments/profiles/core/nuxt/current.yaml
@@ -0,0 +1,17 @@
+profile_id: nuxt-core-current
+system_id: nuxt
+version: current
+artifact_mode: official-source
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: node:22-alpine
+ ports:
+ - 18092:3000
+baseline_urls:
+- http://127.0.0.1:18092/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/opencart/current.yaml b/00-environments/profiles/core/opencart/current.yaml
new file mode 100644
index 00000000..c029d144
--- /dev/null
+++ b/00-environments/profiles/core/opencart/current.yaml
@@ -0,0 +1,24 @@
+profile_id: opencart-core-current
+system_id: opencart
+version: current
+artifact_mode: official-image
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: bitnami/opencart:latest
+ ports:
+ - 18084:8080
+ db:
+ image: mariadb:10.11
+ environment:
+ MARIADB_DATABASE: opencart
+ MARIADB_USER: opencart
+ MARIADB_PASSWORD: opencart
+ MARIADB_ROOT_PASSWORD: root
+baseline_urls:
+- http://127.0.0.1:18084/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/openmage/current.yaml b/00-environments/profiles/core/openmage/current.yaml
new file mode 100644
index 00000000..ca709692
--- /dev/null
+++ b/00-environments/profiles/core/openmage/current.yaml
@@ -0,0 +1,17 @@
+profile_id: openmage-core-current
+system_id: openmage
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18244:80
+baseline_urls:
+- http://127.0.0.1:18244/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/phpmyadmin/current.yaml b/00-environments/profiles/core/phpmyadmin/current.yaml
new file mode 100644
index 00000000..d2d823a0
--- /dev/null
+++ b/00-environments/profiles/core/phpmyadmin/current.yaml
@@ -0,0 +1,17 @@
+profile_id: phpmyadmin-core-current
+system_id: phpmyadmin
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18479:80
+baseline_urls:
+- http://127.0.0.1:18479/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/prestashop/current.yaml b/00-environments/profiles/core/prestashop/current.yaml
new file mode 100644
index 00000000..6c575753
--- /dev/null
+++ b/00-environments/profiles/core/prestashop/current.yaml
@@ -0,0 +1,24 @@
+profile_id: prestashop-core-current
+system_id: prestashop
+version: current
+artifact_mode: official-image
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: prestashop/prestashop:latest
+ ports:
+ - 18083:80
+ db:
+ image: mariadb:10.11
+ environment:
+ MARIADB_DATABASE: prestashop
+ MARIADB_USER: prestashop
+ MARIADB_PASSWORD: prestashop
+ MARIADB_ROOT_PASSWORD: root
+baseline_urls:
+- http://127.0.0.1:18083/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/rails/current.yaml b/00-environments/profiles/core/rails/current.yaml
new file mode 100644
index 00000000..78ac4fea
--- /dev/null
+++ b/00-environments/profiles/core/rails/current.yaml
@@ -0,0 +1,17 @@
+profile_id: rails-core-current
+system_id: rails
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18639:80
+baseline_urls:
+- http://127.0.0.1:18639/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/react/current.yaml b/00-environments/profiles/core/react/current.yaml
new file mode 100644
index 00000000..12b4dc73
--- /dev/null
+++ b/00-environments/profiles/core/react/current.yaml
@@ -0,0 +1,17 @@
+profile_id: react-core-current
+system_id: react
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18627:80
+baseline_urls:
+- http://127.0.0.1:18627/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/redmine/current.yaml b/00-environments/profiles/core/redmine/current.yaml
new file mode 100644
index 00000000..c0c59bb8
--- /dev/null
+++ b/00-environments/profiles/core/redmine/current.yaml
@@ -0,0 +1,17 @@
+profile_id: redmine-core-current
+system_id: redmine
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18140:80
+baseline_urls:
+- http://127.0.0.1:18140/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/saleor/current.yaml b/00-environments/profiles/core/saleor/current.yaml
new file mode 100644
index 00000000..3350db29
--- /dev/null
+++ b/00-environments/profiles/core/saleor/current.yaml
@@ -0,0 +1,17 @@
+profile_id: saleor-core-current
+system_id: saleor
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18746:80
+baseline_urls:
+- http://127.0.0.1:18746/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/shopware/current.yaml b/00-environments/profiles/core/shopware/current.yaml
new file mode 100644
index 00000000..9d52e8ef
--- /dev/null
+++ b/00-environments/profiles/core/shopware/current.yaml
@@ -0,0 +1,17 @@
+profile_id: shopware-core-current
+system_id: shopware
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18273:80
+baseline_urls:
+- http://127.0.0.1:18273/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/spring-boot/current.yaml b/00-environments/profiles/core/spring-boot/current.yaml
new file mode 100644
index 00000000..1c64935f
--- /dev/null
+++ b/00-environments/profiles/core/spring-boot/current.yaml
@@ -0,0 +1,17 @@
+profile_id: spring-boot-core-current
+system_id: spring-boot
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18540:80
+baseline_urls:
+- http://127.0.0.1:18540/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/spring-framework/current.yaml b/00-environments/profiles/core/spring-framework/current.yaml
new file mode 100644
index 00000000..db7187f4
--- /dev/null
+++ b/00-environments/profiles/core/spring-framework/current.yaml
@@ -0,0 +1,17 @@
+profile_id: spring-framework-core-current
+system_id: spring-framework
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18378:80
+baseline_urls:
+- http://127.0.0.1:18378/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/spring-security/current.yaml b/00-environments/profiles/core/spring-security/current.yaml
new file mode 100644
index 00000000..651f01a0
--- /dev/null
+++ b/00-environments/profiles/core/spring-security/current.yaml
@@ -0,0 +1,17 @@
+profile_id: spring-security-core-current
+system_id: spring-security
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18292:80
+baseline_urls:
+- http://127.0.0.1:18292/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/strapi/current.yaml b/00-environments/profiles/core/strapi/current.yaml
new file mode 100644
index 00000000..9f252973
--- /dev/null
+++ b/00-environments/profiles/core/strapi/current.yaml
@@ -0,0 +1,17 @@
+profile_id: strapi-core-current
+system_id: strapi
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18759:80
+baseline_urls:
+- http://127.0.0.1:18759/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/sveltekit/current.yaml b/00-environments/profiles/core/sveltekit/current.yaml
new file mode 100644
index 00000000..2c2dc9eb
--- /dev/null
+++ b/00-environments/profiles/core/sveltekit/current.yaml
@@ -0,0 +1,17 @@
+profile_id: sveltekit-core-current
+system_id: sveltekit
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18387:80
+baseline_urls:
+- http://127.0.0.1:18387/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/symfony/current.yaml b/00-environments/profiles/core/symfony/current.yaml
new file mode 100644
index 00000000..cb49ba5f
--- /dev/null
+++ b/00-environments/profiles/core/symfony/current.yaml
@@ -0,0 +1,17 @@
+profile_id: symfony-core-current
+system_id: symfony
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18189:80
+baseline_urls:
+- http://127.0.0.1:18189/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/traefik/current.yaml b/00-environments/profiles/core/traefik/current.yaml
new file mode 100644
index 00000000..d1743c87
--- /dev/null
+++ b/00-environments/profiles/core/traefik/current.yaml
@@ -0,0 +1,17 @@
+profile_id: traefik-core-current
+system_id: traefik
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: false
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18142:80
+baseline_urls:
+- http://127.0.0.1:18142/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/undici/current.yaml b/00-environments/profiles/core/undici/current.yaml
new file mode 100644
index 00000000..bdbbee59
--- /dev/null
+++ b/00-environments/profiles/core/undici/current.yaml
@@ -0,0 +1,17 @@
+profile_id: undici-core-current
+system_id: undici
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18736:80
+baseline_urls:
+- http://127.0.0.1:18736/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/vite/current.yaml b/00-environments/profiles/core/vite/current.yaml
new file mode 100644
index 00000000..b43ac9f1
--- /dev/null
+++ b/00-environments/profiles/core/vite/current.yaml
@@ -0,0 +1,17 @@
+profile_id: vite-core-current
+system_id: vite
+version: current
+artifact_mode: official-source
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: node:22-alpine
+ ports:
+ - 18093:5173
+baseline_urls:
+- http://127.0.0.1:18093/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/vue/current.yaml b/00-environments/profiles/core/vue/current.yaml
new file mode 100644
index 00000000..475752b5
--- /dev/null
+++ b/00-environments/profiles/core/vue/current.yaml
@@ -0,0 +1,17 @@
+profile_id: vue-core-current
+system_id: vue
+version: current
+artifact_mode: official-source
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: node:22-alpine
+ ports:
+ - 18091:5173
+baseline_urls:
+- http://127.0.0.1:18091/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/webpack/current.yaml b/00-environments/profiles/core/webpack/current.yaml
new file mode 100644
index 00000000..76891620
--- /dev/null
+++ b/00-environments/profiles/core/webpack/current.yaml
@@ -0,0 +1,17 @@
+profile_id: webpack-core-current
+system_id: webpack
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18133:80
+baseline_urls:
+- http://127.0.0.1:18133/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/werkzeug/current.yaml b/00-environments/profiles/core/werkzeug/current.yaml
new file mode 100644
index 00000000..29f01bae
--- /dev/null
+++ b/00-environments/profiles/core/werkzeug/current.yaml
@@ -0,0 +1,17 @@
+profile_id: werkzeug-core-current
+system_id: werkzeug
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18284:80
+baseline_urls:
+- http://127.0.0.1:18284/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/woocommerce/current.yaml b/00-environments/profiles/core/woocommerce/current.yaml
new file mode 100644
index 00000000..ded78160
--- /dev/null
+++ b/00-environments/profiles/core/woocommerce/current.yaml
@@ -0,0 +1,17 @@
+profile_id: woocommerce-core-current
+system_id: woocommerce
+version: current
+artifact_mode: synthetic
+verification_mode: synthetic
+browser_required: true
+services:
+ app:
+ image: nginxdemos/hello:latest
+ ports:
+ - 18584:80
+baseline_urls:
+- http://127.0.0.1:18584/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/00-environments/profiles/core/wordpress/current.yaml b/00-environments/profiles/core/wordpress/current.yaml
new file mode 100644
index 00000000..5327ea0d
--- /dev/null
+++ b/00-environments/profiles/core/wordpress/current.yaml
@@ -0,0 +1,24 @@
+profile_id: wordpress-core-current
+system_id: wordpress
+version: current
+artifact_mode: official-image
+verification_mode: real
+browser_required: true
+services:
+ app:
+ image: wordpress:php8.2-apache
+ ports:
+ - 18080:80
+ db:
+ image: mariadb:10.11
+ environment:
+ MARIADB_DATABASE: wordpress
+ MARIADB_USER: wordpress
+ MARIADB_PASSWORD: wordpress
+ MARIADB_ROOT_PASSWORD: root
+baseline_urls:
+- http://127.0.0.1:18080/
+seed_actions:
+- kind: note
+ message: Use default seed strategy derived from repro profile.
+cleanup_policy: destroy
diff --git a/01-sql-injection/tools/sqli-exploit.go b/01-sql-injection/tools/sqli-exploit.go
index 305db33b..52ee94ca 100644
--- a/01-sql-injection/tools/sqli-exploit.go
+++ b/01-sql-injection/tools/sqli-exploit.go
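Review bot: The `app` service carries no `WORDPRESS_DB_*` environment and no `depends_on: db`, so the wordpress container is never told where the `db` service is or which credentials to use; unless the runner injects these, a `verification_mode: real` baseline against `http://127.0.0.1:18080/` fails at database setup rather than exercising the target (the wordpress image's documented defaults do not resolve to a service named `db`). Wire the two services together explicitly, matching the MariaDB values already declared, so the run reaches the application. The fixed `MARIADB_PASSWORD: wordpress` / `MARIADB_ROOT_PASSWORD: root` are tolerable for a `cleanup_policy: destroy` lab only if the published port is bound to loopback, `- 127.0.0.1:18080:80`, since the known-credential install is otherwise reachable from the network.
```yaml
services:
  app:
    image: wordpress:php8.2-apache
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
    depends_on:
      - db
    # … unchanged: ports …
  # … unchanged: db service …
```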
@@ -349,20 +349,20 @@ func main() {
 }
 }
 report := map[string]interface{}{
- "tool": "sqli-exploit-go",
- "mode": *technique + "-probe-and-extract",
- "target": *target,
- "status": "needs-review",
- "severity": "info",
- "timestamp": time.Now().UTC().Format(time.RFC3339),
- "request_summary": map[string]interface{}{"method": *method, "param": *param, "threads": *threads, "dbms": *dbms},
- "payload_or_probe": map[string]interface{}{"hits": allResults, "extract": *extract, "query": *query, "result": extractedResult},
- "evidence_refs": []string{},
- "minimal_validation": "只读探测、最小化注入、可审计回显、可回滚验证。",
+ "tool": "sqli-exploit-go",
+ "mode": *technique + "-probe-and-extract",
+ "target": *target,
+ "status": "needs-review",
+ "severity": "info",
+ "timestamp": time.Now().UTC().Format(time.RFC3339),
+ "request_summary": map[string]interface{}{"method": *method, "param": *param, "threads": *threads, "dbms": *dbms},
+ "payload_or_probe": map[string]interface{}{"hits": allResults, "extract": *extract, "query": *query, "result": extractedResult},
+ "evidence_refs": []string{},
+ "minimal_validation": "只读探测、最小化注入、可审计回显、可回滚验证。",
 "authorization_scope": "lab-local, lab-public, authorized-third-party",
- "destructive_risk": "medium",
- "run_id": *runID,
- "case_id": *caseID,
+ "destructive_risk": "medium",
+ "run_id": *runID,
+ "case_id": *caseID,
 }
 if len(allResults) > 0 || extractedResult != "" {
 report["status"] = "verified"
diff --git a/02-xss/tools/xss-scanner.go b/02-xss/tools/xss-scanner.go
index fcff9f48..dd43b44e 100644
--- a/02-xss/tools/xss-scanner.go
+++ b/02-xss/tools/xss-scanner.go
@@ -322,20 +322,20 @@ func main() {
 results := scanner.ScanURL(*target, *method, *param)
 
 report := map[string]interface{}{
- "tool": "xss-scanner-go",
- "mode": "bulk-reflected-xss",
- "target": *target,
- "status": "needs-review",
- "severity": "info",
- "timestamp": time.Now().UTC().Format(time.RFC3339),
- "request_summary": map[string]interface{}{"method": *method, "param": *param, "threads": *threads},
- "payload_or_probe": map[string]interface{}{"reflected_hits": results, "dom_hits": domResults, "csp": cspResult},
- "evidence_refs": []string{},
- "minimal_validation": "只读探测、最小化注入、可审计回显、可回滚验证。",
+ "tool": "xss-scanner-go",
+ "mode": "bulk-reflected-xss",
+ "target": *target,
+ "status": "needs-review",
+ "severity": "info",
+ "timestamp": time.Now().UTC().Format(time.RFC3339),
+ "request_summary": map[string]interface{}{"method": *method, "param": *param, "threads": *threads},
+ "payload_or_probe": map[string]interface{}{"reflected_hits": results, "dom_hits": domResults, "csp": cspResult},
+ "evidence_refs": []string{},
+ "minimal_validation": "只读探测、最小化注入、可审计回显、可回滚验证。",
 "authorization_scope": "lab-local, lab-public, authorized-third-party",
- "destructive_risk": "low",
- "run_id": *runID,
- "case_id": *caseID,
+ "destructive_risk": "low",
+ "run_id": *runID,
+ "case_id": *caseID,
 }
 if len(results) > 0 {
 report["status"] = "verified"
diff --git a/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/compose/compose.yaml b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/compose/compose.yaml
new file mode 100644
index 00000000..2cb0d9e3
--- /dev/null
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/compose/compose.yaml
@@ -0,0 +1,8 @@
+services:
+ app:
+ image: gitea/gitea:1.22.6
+ ports:
+ - 18085:3000
+networks:
+ labnet:
+ driver: bridge
diff --git a/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/logs/attack.json b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/logs/attack.json new file mode 100644 index 00000000..21b63bd3 --- /dev/null +++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/logs/attack.json @@ -0,0 +1,10 @@ +{ + "steps": [ + { + "kind": "note", + "tool": null, + "args": [], + "status": "skipped" + } + ] +} diff --git a/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/logs/baseline.json b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/logs/baseline.json new file mode 100644 index 00000000..c20aadf0 --- /dev/null +++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063113/logs/baseline.json @@ -0,0 +1,8 @@ +{ + "observations": [ + { + "url": "http://127.0.0.1:18085/", + "error": "HTTPConnectionPool(host='127.0.0.1', port=18085): Max retries exceeded with url: / (Caused by NewConnectionError(\"HTTPConnection(host='127.0.0.1', port=18085): Failed to establish a new connection: [Errno 61] Connection refused\"))" + } + ] +} diff --git a/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/compose/compose.yaml b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/compose/compose.yaml new file mode 100644 index 00000000..2cb0d9e3 --- /dev/null +++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/compose/compose.yaml @@ -0,0 +1,8 @@ +services: + app: + image: gitea/gitea:1.22.6 + ports: + - 18085:3000 +networks: + labnet: + driver: bridge diff --git a/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html new file mode 100644 index 00000000..4d8edc23 --- /dev/null +++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html 
@@ -0,0 +1,26 @@ + +websafe run report + + +

Run gitea-gitea--CVE-2025-68939-20260317063330

+
+
Advisory
gitea--CVE-2025-68939
+
Status
blocked-artifact
+
Profile
file-upload-generic
+
Artifact Mode
official-image
+
+

Mermaid Timeline

+
flowchart LR
+A["Select Advisory"] --> B["Resolve Repro Profile"]
+B --> C["Provision Compose Environment"]
+C --> D["Baseline Snapshot"]
+D --> E["Controlled Attack Steps"]
+E --> F["Browser Replay"]
+F --> G["Collect Logs and Evidence"]
+G --> H["Update Registry and Reports"]
+H --> I["Blocked: unable to get image 'gitea/gitea:1.22.6': Cannot connect to "]
+

Evidence

+ diff --git a/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md new file mode 100644 index 00000000..0bfc086a --- /dev/null +++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md @@ -0,0 +1,30 @@ +# Run gitea-gitea--CVE-2025-68939-20260317063330 + +> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle + +- Advisory: `gitea--CVE-2025-68939` +- 系统: `gitea` +- Repro Profile: `file-upload-generic` +- 实证状态: `blocked-artifact` +- 实证方式: `real` +- Artifact 模式: `official-image` +- 启动时间: `2026-03-17T06:33:30+00:00` +- 完成时间: `2026-03-17T06:33:30+00:00` +- 阻塞原因: `unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?` + +## 运行时间线 + +- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd) + +## 证据摘要 + +- Baseline: `0` +- 攻击步骤: `0` +- 浏览器证据: `0` +- 容器日志: `0` +- 请求日志: `2` + +## 最小化验证说明 + +- 仅限自有资产、本地靶场或已授权实验目标。 +- 默认执行 minimal-proof;不会把破坏性或不可回滚动作作为默认路径。 diff --git a/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/run.json b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/run.json new file mode 100644 index 00000000..82eca2c6 --- /dev/null +++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/run.json 
@@ -0,0 +1,31 @@ +{ + "run_id": "gitea-gitea--CVE-2025-68939-20260317063330", + "system_id": "gitea", + "advisory_id": "gitea--CVE-2025-68939", + "repro_profile_id": "file-upload-generic", + "verification_status": "blocked-artifact", + "verification_mode": "real", + "artifact_mode": "official-image", + "target_env": "local-docker", + "compose_services": [ + "app" + ], + "baseline_refs": [], + "attack_steps": [], + "browser_refs": [], + "container_log_refs": [], + "request_log_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/attack.json", + "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/baseline.json" + ], + "timeline": [], + "started_at": "2026-03-17T06:33:30+00:00", + "finished_at": "2026-03-17T06:33:30+00:00", + "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?", + "report_refs": { + "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330", + "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md", + "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html", + "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd" + } +} diff --git a/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd new file mode 100644 index 00000000..5b4e2b4b --- /dev/null +++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd 
@@ -0,0 +1,9 @@ +flowchart LR +A["Select Advisory"] --> B["Resolve Repro Profile"] +B --> C["Provision Compose Environment"] +C --> D["Baseline Snapshot"] +D --> E["Controlled Attack Steps"] +E --> F["Browser Replay"] +F --> G["Collect Logs and Evidence"] +G --> H["Update Registry and Reports"] +H --> I["Blocked: unable to get image 'gitea/gitea:1.22.6': Cannot connect to "] diff --git a/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/compose/compose.yaml b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/compose/compose.yaml new file mode 100644 index 00000000..71dc41cc --- /dev/null +++ b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/compose/compose.yaml @@ -0,0 +1,8 @@ +services: + app: + image: node:22-alpine + ports: + - 18090:3000 +networks: + labnet: + driver: bridge diff --git a/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json new file mode 100644 index 00000000..c56719c4 --- /dev/null +++ b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json @@ -0,0 +1,10 @@ +{ + "steps": [ + { + "kind": "note", + "tool": null, + "args": [], + "status": "planned" + } + ] +} diff --git a/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json new file mode 100644 index 00000000..42bbfa72 --- /dev/null +++ b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json 
@@ -0,0 +1,8 @@ +{ + "observations": [ + { + "url": "http://127.0.0.1:18090/", + "error": "HTTPConnectionPool(host='127.0.0.1', port=18090): Max retries exceeded with url: / (Caused by NewConnectionError(\"HTTPConnection(host='127.0.0.1', port=18090): Failed to establish a new connection: [Errno 61] Connection refused\"))" + } + ] +} diff --git a/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html new file mode 100644 index 00000000..836d1a8a --- /dev/null +++ b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html @@ -0,0 +1,26 @@ + +websafe run report + + +

Run nextjs-nextjs--CVE-2025-29927-20260317063047

+
+
Advisory
nextjs--CVE-2025-29927
+
Status
triage-manual
+
Profile
authz-bypass-generic
+
Artifact Mode
official-source
+
+

Mermaid Timeline

+
flowchart LR
+A["Select Advisory"] --> B["Resolve Repro Profile"]
+B --> C["Provision Compose Environment"]
+C --> D["Baseline Snapshot"]
+D --> E["Controlled Attack Steps"]
+E --> F["Browser Replay"]
+F --> G["Collect Logs and Evidence"]
+G --> H["Update Registry and Reports"]
+H --> I["Blocked: dry-run only"]
+

Evidence

+ diff --git a/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md new file mode 100644 index 00000000..7766c45e --- /dev/null +++ b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md @@ -0,0 +1,30 @@ +# Run nextjs-nextjs--CVE-2025-29927-20260317063047 + +> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle + +- Advisory: `nextjs--CVE-2025-29927` +- 系统: `nextjs` +- Repro Profile: `authz-bypass-generic` +- 实证状态: `triage-manual` +- 实证方式: `real` +- Artifact 模式: `official-source` +- 启动时间: `2026-03-17T06:30:47+00:00` +- 完成时间: `2026-03-17T06:30:47+00:00` +- 阻塞原因: `dry-run only` + +## 运行时间线 + +- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd) + +## 证据摘要 + +- Baseline: `1` +- 攻击步骤: `1` +- 浏览器证据: `0` +- 容器日志: `0` +- 请求日志: `2` + +## 最小化验证说明 + +- 仅限自有资产、本地靶场或已授权实验目标。 +- 默认执行 minimal-proof;不会把破坏性或不可回滚动作作为默认路径。 diff --git a/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/run.json b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/run.json new file mode 100644 index 00000000..fa0b5bb5 --- /dev/null +++ b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/run.json 
@@ -0,0 +1,40 @@ +{ + "run_id": "nextjs-nextjs--CVE-2025-29927-20260317063047", + "system_id": "nextjs", + "advisory_id": "nextjs--CVE-2025-29927", + "repro_profile_id": "authz-bypass-generic", + "verification_status": "triage-manual", + "verification_mode": "real", + "artifact_mode": "official-source", + "target_env": "local-docker", + "compose_services": [ + "app" + ], + "baseline_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" + ], + "attack_steps": [ + { + "kind": "note", + "tool": null, + "args": [], + "status": "planned" + } + ], + "browser_refs": [], + "container_log_refs": [], + "request_log_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json", + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" + ], + "timeline": [], + "started_at": "2026-03-17T06:30:47+00:00", + "finished_at": "2026-03-17T06:30:47+00:00", + "blocked_reason": "dry-run only", + "report_refs": { + "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047", + "report_md": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md", + "report_html": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html", + "timeline": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd" + } +} diff --git a/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd new file mode 100644 index 00000000..6919db5a --- /dev/null +++ b/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd 
@@ -0,0 +1,9 @@ +flowchart LR +A["Select Advisory"] --> B["Resolve Repro Profile"] +B --> C["Provision Compose Environment"] +C --> D["Baseline Snapshot"] +D --> E["Controlled Attack Steps"] +E --> F["Browser Replay"] +F --> G["Collect Logs and Evidence"] +G --> H["Update Registry and Reports"] +H --> I["Blocked: dry-run only"] diff --git a/07-framework-security/cms/directus/INDEX.md b/07-framework-security/cms/directus/INDEX.md index f8b65ee9..a38bb488 100644 --- a/07-framework-security/cms/directus/INDEX.md +++ b/07-framework-security/cms/directus/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/cms/discourse/INDEX.md b/07-framework-security/cms/discourse/INDEX.md index d86c5387..a4d0c3fe 100644 --- a/07-framework-security/cms/discourse/INDEX.md +++ b/07-framework-security/cms/discourse/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/cms/drupal/INDEX.md b/07-framework-security/cms/drupal/INDEX.md index f08b6ee2..ef5243e2 100644 --- a/07-framework-security/cms/drupal/INDEX.md +++ b/07-framework-security/cms/drupal/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/cms/ghost/INDEX.md b/07-framework-security/cms/ghost/INDEX.md index b672c46a..ff932079 100644 --- a/07-framework-security/cms/ghost/INDEX.md +++ b/07-framework-security/cms/ghost/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 
diff --git a/07-framework-security/cms/joomla/INDEX.md b/07-framework-security/cms/joomla/INDEX.md index 25050419..4d557d74 100644 --- a/07-framework-security/cms/joomla/INDEX.md +++ b/07-framework-security/cms/joomla/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/cms/mediawiki/INDEX.md b/07-framework-security/cms/mediawiki/INDEX.md index 6e62172c..d58d6f46 100644 --- a/07-framework-security/cms/mediawiki/INDEX.md +++ b/07-framework-security/cms/mediawiki/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/cms/moodle/INDEX.md b/07-framework-security/cms/moodle/INDEX.md index ddf76cae..6283b3a2 100644 --- a/07-framework-security/cms/moodle/INDEX.md +++ b/07-framework-security/cms/moodle/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/cms/strapi/INDEX.md b/07-framework-security/cms/strapi/INDEX.md index 70c31e85..7a82ce75 100644 --- a/07-framework-security/cms/strapi/INDEX.md +++ b/07-framework-security/cms/strapi/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/cms/wordpress/INDEX.md b/07-framework-security/cms/wordpress/INDEX.md index 07c63c40..7c48475b 100644 --- a/07-framework-security/cms/wordpress/INDEX.md +++ b/07-framework-security/cms/wordpress/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 
diff --git a/07-framework-security/ecommerce/adobe-commerce/INDEX.md b/07-framework-security/ecommerce/adobe-commerce/INDEX.md index 5685ff5d..8edc6dab 100644 --- a/07-framework-security/ecommerce/adobe-commerce/INDEX.md +++ b/07-framework-security/ecommerce/adobe-commerce/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/ecommerce/magento-open-source/INDEX.md b/07-framework-security/ecommerce/magento-open-source/INDEX.md index 97f5ae93..f4df6d71 100644 --- a/07-framework-security/ecommerce/magento-open-source/INDEX.md +++ b/07-framework-security/ecommerce/magento-open-source/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/ecommerce/medusa/INDEX.md b/07-framework-security/ecommerce/medusa/INDEX.md index 979f92f5..3622bf91 100644 --- a/07-framework-security/ecommerce/medusa/INDEX.md +++ b/07-framework-security/ecommerce/medusa/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/ecommerce/opencart/INDEX.md b/07-framework-security/ecommerce/opencart/INDEX.md index 68c578fc..aae98c45 100644 --- a/07-framework-security/ecommerce/opencart/INDEX.md +++ b/07-framework-security/ecommerce/opencart/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/ecommerce/openmage/INDEX.md b/07-framework-security/ecommerce/openmage/INDEX.md index c5232e4d..7d7eb23f 100644 --- a/07-framework-security/ecommerce/openmage/INDEX.md +++ b/07-framework-security/ecommerce/openmage/INDEX.md 
@@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/ecommerce/prestashop/INDEX.md b/07-framework-security/ecommerce/prestashop/INDEX.md index 3396db6a..5c980182 100644 --- a/07-framework-security/ecommerce/prestashop/INDEX.md +++ b/07-framework-security/ecommerce/prestashop/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/ecommerce/saleor/INDEX.md b/07-framework-security/ecommerce/saleor/INDEX.md index 1d6727c7..314ece6c 100644 --- a/07-framework-security/ecommerce/saleor/INDEX.md +++ b/07-framework-security/ecommerce/saleor/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/ecommerce/shopware/INDEX.md b/07-framework-security/ecommerce/shopware/INDEX.md index 14c0dbcf..cedf6d6d 100644 --- a/07-framework-security/ecommerce/shopware/INDEX.md +++ b/07-framework-security/ecommerce/shopware/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/ecommerce/woocommerce/INDEX.md b/07-framework-security/ecommerce/woocommerce/INDEX.md index 74e340ca..3ded7461 100644 --- a/07-framework-security/ecommerce/woocommerce/INDEX.md +++ b/07-framework-security/ecommerce/woocommerce/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/angular/INDEX.md b/07-framework-security/frameworks/angular/INDEX.md index 840b86bf..6366eafb 100644 
--- a/07-framework-security/frameworks/angular/INDEX.md +++ b/07-framework-security/frameworks/angular/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/aspnet-core/INDEX.md b/07-framework-security/frameworks/aspnet-core/INDEX.md index 679024f0..2a62cb36 100644 --- a/07-framework-security/frameworks/aspnet-core/INDEX.md +++ b/07-framework-security/frameworks/aspnet-core/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/astro/INDEX.md b/07-framework-security/frameworks/astro/INDEX.md index 615b336e..11cdc734 100644 --- a/07-framework-security/frameworks/astro/INDEX.md +++ b/07-framework-security/frameworks/astro/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/django/INDEX.md b/07-framework-security/frameworks/django/INDEX.md index 2b519340..96d2effa 100644 --- a/07-framework-security/frameworks/django/INDEX.md +++ b/07-framework-security/frameworks/django/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/echo/INDEX.md b/07-framework-security/frameworks/echo/INDEX.md index 1d5dbc34..16bd5c57 100644 --- a/07-framework-security/frameworks/echo/INDEX.md +++ b/07-framework-security/frameworks/echo/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 
diff --git a/07-framework-security/frameworks/esbuild/INDEX.md b/07-framework-security/frameworks/esbuild/INDEX.md index 4b67b151..59fd2c58 100644 --- a/07-framework-security/frameworks/esbuild/INDEX.md +++ b/07-framework-security/frameworks/esbuild/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/express/INDEX.md b/07-framework-security/frameworks/express/INDEX.md index 414608e1..8c5e6684 100644 --- a/07-framework-security/frameworks/express/INDEX.md +++ b/07-framework-security/frameworks/express/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/fastify/INDEX.md b/07-framework-security/frameworks/fastify/INDEX.md index 3d4f2d2a..7ed9630e 100644 --- a/07-framework-security/frameworks/fastify/INDEX.md +++ b/07-framework-security/frameworks/fastify/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/flask/INDEX.md b/07-framework-security/frameworks/flask/INDEX.md index 8000fbf7..e0658a9a 100644 --- a/07-framework-security/frameworks/flask/INDEX.md +++ b/07-framework-security/frameworks/flask/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/gin/INDEX.md b/07-framework-security/frameworks/gin/INDEX.md index 84f060e8..823d8336 100644 --- a/07-framework-security/frameworks/gin/INDEX.md +++ b/07-framework-security/frameworks/gin/INDEX.md 
@@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/hapi/INDEX.md b/07-framework-security/frameworks/hapi/INDEX.md index 32e7adab..da37824f 100644 --- a/07-framework-security/frameworks/hapi/INDEX.md +++ b/07-framework-security/frameworks/hapi/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/koa/INDEX.md b/07-framework-security/frameworks/koa/INDEX.md index fef6f858..4418c90e 100644 --- a/07-framework-security/frameworks/koa/INDEX.md +++ b/07-framework-security/frameworks/koa/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/laravel/INDEX.md b/07-framework-security/frameworks/laravel/INDEX.md index 2831f4c4..2c9c6d45 100644 --- a/07-framework-security/frameworks/laravel/INDEX.md +++ b/07-framework-security/frameworks/laravel/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/nestjs/INDEX.md b/07-framework-security/frameworks/nestjs/INDEX.md index 279c162a..c5df2869 100644 --- a/07-framework-security/frameworks/nestjs/INDEX.md +++ b/07-framework-security/frameworks/nestjs/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/nextjs/INDEX.md b/07-framework-security/frameworks/nextjs/INDEX.md index 6c785101..7878e661 100644 --- a/07-framework-security/frameworks/nextjs/INDEX.md 
+++ b/07-framework-security/frameworks/nextjs/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `26` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:44+00:00` ## 目标约束 
@@ -47,7 +47,7 @@ | Information exposure in Next.js dev server due to lack of origin verification | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-06-13T14:41:21Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-48068.md) | | Next.js Race Condition to Cache Poisoning | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-09-26T17:48:29Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-32421.md) | | Next.js may leak x-middleware-subrequest-id to external hosts | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-10-13T15:35:50Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-30218.md) | -| Authorization Bypass in Next.js Middleware | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-04T15:06:29.993197Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md) | +| Authorization Bypass in Next.js Middleware | `low` | `generated` | `triage-manual` | `real` | `official` | `2026-03-04T15:06:29.993197Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md) | | Next.js Allows a Denial of Service (DoS) with Server Actions | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:36:04.252972Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-56332.md) | | Next.js authorization bypass vulnerability | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-09-10T21:12:24Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-51479.md) | | Denial of Service condition in Next.js image optimization | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T03:25:43.295558Z` | 
[link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-47831.md) | diff --git a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md index c37b5f3e..2ef3378c 100644 --- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md +++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md @@ -9,9 +9,9 @@ severity: "low" exploit_status: "unknown" source_confidence: "official" verification_status: "triage-manual" -verification_mode: "synthetic" -artifact_mode: "synthetic" -last_run_id: "" +verification_mode: "real" +artifact_mode: "official-source" +last_run_id: "nextjs-nextjs--CVE-2025-29927-20260317063047" target_types: - "lab-local" - "lab-public" @@ -44,11 +44,11 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-f82v ## 本地实证状态 - 实证状态: `triage-manual` -- 实证方式: `synthetic` -- Artifact 模式: `synthetic` -- 最近运行: `-` +- 实证方式: `real` +- Artifact 模式: `official-source` +- 最近运行: `nextjs-nextjs--CVE-2025-29927-20260317063047` - 浏览器证据: `missing` -- Run Bundle: `-` +- Run Bundle: `/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047` ## 事件层 diff --git a/07-framework-security/frameworks/nodejs/INDEX.md b/07-framework-security/frameworks/nodejs/INDEX.md index 17badfe1..304b0d01 100644 --- a/07-framework-security/frameworks/nodejs/INDEX.md +++ b/07-framework-security/frameworks/nodejs/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/nuxt/INDEX.md b/07-framework-security/frameworks/nuxt/INDEX.md index cf526c8e..dd83b6cc 100644 --- a/07-framework-security/frameworks/nuxt/INDEX.md +++ b/07-framework-security/frameworks/nuxt/INDEX.md 
@@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:44+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/rails/INDEX.md b/07-framework-security/frameworks/rails/INDEX.md index f7caa7af..2ae3fdaa 100644 --- a/07-framework-security/frameworks/rails/INDEX.md +++ b/07-framework-security/frameworks/rails/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/react/INDEX.md b/07-framework-security/frameworks/react/INDEX.md index 3065c364..69813e88 100644 --- a/07-framework-security/frameworks/react/INDEX.md +++ b/07-framework-security/frameworks/react/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:43+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/spring-boot/INDEX.md b/07-framework-security/frameworks/spring-boot/INDEX.md index 091e1c0c..7493bb99 100644 --- a/07-framework-security/frameworks/spring-boot/INDEX.md +++ b/07-framework-security/frameworks/spring-boot/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/spring-framework/INDEX.md b/07-framework-security/frameworks/spring-framework/INDEX.md index 511ac8da..65f2c2dc 100644 --- a/07-framework-security/frameworks/spring-framework/INDEX.md +++ b/07-framework-security/frameworks/spring-framework/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 
diff --git a/07-framework-security/frameworks/spring-security/INDEX.md b/07-framework-security/frameworks/spring-security/INDEX.md index f3da407c..4d511423 100644 --- a/07-framework-security/frameworks/spring-security/INDEX.md +++ b/07-framework-security/frameworks/spring-security/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/sveltekit/INDEX.md b/07-framework-security/frameworks/sveltekit/INDEX.md index 82ca997b..278e287f 100644 --- a/07-framework-security/frameworks/sveltekit/INDEX.md +++ b/07-framework-security/frameworks/sveltekit/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/symfony/INDEX.md b/07-framework-security/frameworks/symfony/INDEX.md index e33dd783..6d3eb581 100644 --- a/07-framework-security/frameworks/symfony/INDEX.md +++ b/07-framework-security/frameworks/symfony/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/undici/INDEX.md b/07-framework-security/frameworks/undici/INDEX.md index 9eecbcb4..a5d9eb7e 100644 --- a/07-framework-security/frameworks/undici/INDEX.md +++ b/07-framework-security/frameworks/undici/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `14` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/vite/INDEX.md b/07-framework-security/frameworks/vite/INDEX.md index f0b7887b..47edc70f 100644 --- a/07-framework-security/frameworks/vite/INDEX.md +++ b/07-framework-security/frameworks/vite/INDEX.md 
@@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `12` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:45+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/vue/INDEX.md b/07-framework-security/frameworks/vue/INDEX.md index e1850928..9cb71f3e 100644 --- a/07-framework-security/frameworks/vue/INDEX.md +++ b/07-framework-security/frameworks/vue/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:45+00:00` +- 最近渲染时间: `2026-03-17T06:35:44+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/webpack/INDEX.md b/07-framework-security/frameworks/webpack/INDEX.md index 8218f999..7cab2da1 100644 --- a/07-framework-security/frameworks/webpack/INDEX.md +++ b/07-framework-security/frameworks/webpack/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/frameworks/werkzeug/INDEX.md b/07-framework-security/frameworks/werkzeug/INDEX.md index a4dfb455..dc0a2f3b 100644 --- a/07-framework-security/frameworks/werkzeug/INDEX.md +++ b/07-framework-security/frameworks/werkzeug/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/platforms/adminer/INDEX.md b/07-framework-security/platforms/adminer/INDEX.md index 155a9110..d970f271 100644 --- a/07-framework-security/platforms/adminer/INDEX.md +++ b/07-framework-security/platforms/adminer/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/platforms/gitea/INDEX.md b/07-framework-security/platforms/gitea/INDEX.md index afc34924..234fd6b6 100644 --- a/07-framework-security/platforms/gitea/INDEX.md 
+++ b/07-framework-security/platforms/gitea/INDEX.md @@ -10,9 +10,9 @@ - 重点 Markdown 案例数: `37` - 已实证(真实版本): `0` - 已实证(synthetic): `0` -- 阻塞数: `0` -- 待人工/缺浏览器证据: `37` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 阻塞数: `1` +- 待人工/缺浏览器证据: `36` +- 最近渲染时间: `2026-03-17T06:35:48+00:00` ## 目标约束 
@@ -42,7 +42,7 @@ | Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-03T04:57:55.747880Z` | [link](/Users/x/websafe/07-framework-security/platforms/gitea/cases/gitea-cve-2026-20912.md) | | Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-03T04:57:49.801641Z` | [link](/Users/x/websafe/07-framework-security/platforms/gitea/cases/gitea-cve-2025-69413.md) | | Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-03T04:57:49.095775Z` | [link](/Users/x/websafe/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68938.md) | -| Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-03T04:57:48.777563Z` | [link](/Users/x/websafe/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68939.md) | +| Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea | `unknown` | `generated` | `blocked-artifact` | `real` | `official` | `2026-03-03T04:57:48.777563Z` | [link](/Users/x/websafe/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68939.md) | | Gitea doesn't adequately enforce branch deletion permissions after merging a pull request. 
in code.gitea.io/gitea | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-03T04:57:50.087298Z` | [link](/Users/x/websafe/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68940.md) | | Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-03T04:57:50.339953Z` | [link](/Users/x/websafe/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68941.md) | | Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-03T04:57:49.781753Z` | [link](/Users/x/websafe/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68942.md) | diff --git a/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68939.md b/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68939.md index 00f86109..93c5aa40 100644 --- a/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68939.md +++ b/07-framework-security/platforms/gitea/cases/gitea-cve-2025-68939.md @@ -8,10 +8,10 @@ updated_date: "2026-03-03T04:57:48.777563Z" severity: "unknown" exploit_status: "unknown" source_confidence: "official" -verification_status: "triage-manual" -verification_mode: "synthetic" -artifact_mode: "synthetic" -last_run_id: "" +verification_status: "blocked-artifact" +verification_mode: "real" +artifact_mode: "official-image" +last_run_id: "gitea-gitea--CVE-2025-68939-20260317063330" target_types: - "lab-local" - "lab-public" 
@@ -39,12 +39,12 @@ primary_source: "https://github.com/advisories/GHSA-263q-5cv3-xq9g" ## 本地实证状态 -- 实证状态: `triage-manual` -- 实证方式: `synthetic` -- Artifact 模式: `synthetic` -- 最近运行: `-` +- 实证状态: `blocked-artifact` +- 实证方式: `real` +- Artifact 模式: `official-image` +- 最近运行: `gitea-gitea--CVE-2025-68939-20260317063330` - 浏览器证据: `missing` -- Run Bundle: `-` +- Run Bundle: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330` ## 事件层 diff --git a/07-framework-security/platforms/gitlab-ce/INDEX.md b/07-framework-security/platforms/gitlab-ce/INDEX.md index c0362ee4..caeb07e2 100644 --- a/07-framework-security/platforms/gitlab-ce/INDEX.md +++ b/07-framework-security/platforms/gitlab-ce/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:48+00:00` ## 目标约束 diff --git a/07-framework-security/platforms/grafana/INDEX.md b/07-framework-security/platforms/grafana/INDEX.md index f5bd3072..5a8f877a 100644 --- a/07-framework-security/platforms/grafana/INDEX.md +++ b/07-framework-security/platforms/grafana/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:48+00:00` ## 目标约束 diff --git a/07-framework-security/platforms/jenkins/INDEX.md b/07-framework-security/platforms/jenkins/INDEX.md index 919d990f..8b3cc8a4 100644 --- a/07-framework-security/platforms/jenkins/INDEX.md +++ b/07-framework-security/platforms/jenkins/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:48+00:00` ## 目标约束 diff --git a/07-framework-security/platforms/kibana/INDEX.md b/07-framework-security/platforms/kibana/INDEX.md index bf1a39a6..90a6c5de 100644 --- a/07-framework-security/platforms/kibana/INDEX.md +++ b/07-framework-security/platforms/kibana/INDEX.md 
@@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:48+00:00` ## 目标约束 diff --git a/07-framework-security/platforms/mattermost/INDEX.md b/07-framework-security/platforms/mattermost/INDEX.md index 8666a495..a4907032 100644 --- a/07-framework-security/platforms/mattermost/INDEX.md +++ b/07-framework-security/platforms/mattermost/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:48+00:00` ## 目标约束 diff --git a/07-framework-security/platforms/phpmyadmin/INDEX.md b/07-framework-security/platforms/phpmyadmin/INDEX.md index 017b11aa..efb2a3b8 100644 --- a/07-framework-security/platforms/phpmyadmin/INDEX.md +++ b/07-framework-security/platforms/phpmyadmin/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/platforms/redmine/INDEX.md b/07-framework-security/platforms/redmine/INDEX.md index 09fa78bd..4dc41907 100644 --- a/07-framework-security/platforms/redmine/INDEX.md +++ b/07-framework-security/platforms/redmine/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:48+00:00` ## 目标约束 diff --git a/07-framework-security/servers/apache-httpd/INDEX.md b/07-framework-security/servers/apache-httpd/INDEX.md index a1643b35..77fa819c 100644 --- a/07-framework-security/servers/apache-httpd/INDEX.md +++ b/07-framework-security/servers/apache-httpd/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/servers/apache-tomcat/INDEX.md b/07-framework-security/servers/apache-tomcat/INDEX.md index 929834b4..77a81901 100644 
--- a/07-framework-security/servers/apache-tomcat/INDEX.md +++ b/07-framework-security/servers/apache-tomcat/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/servers/caddy/INDEX.md b/07-framework-security/servers/caddy/INDEX.md index 09cc825d..b53ab073 100644 --- a/07-framework-security/servers/caddy/INDEX.md +++ b/07-framework-security/servers/caddy/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/servers/haproxy/INDEX.md b/07-framework-security/servers/haproxy/INDEX.md index fe1f8eca..620711fc 100644 --- a/07-framework-security/servers/haproxy/INDEX.md +++ b/07-framework-security/servers/haproxy/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/servers/nginx/INDEX.md b/07-framework-security/servers/nginx/INDEX.md index 36b80185..57cce67a 100644 --- a/07-framework-security/servers/nginx/INDEX.md +++ b/07-framework-security/servers/nginx/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 diff --git a/07-framework-security/servers/traefik/INDEX.md b/07-framework-security/servers/traefik/INDEX.md index b7b4d30c..656b43f8 100644 --- a/07-framework-security/servers/traefik/INDEX.md +++ b/07-framework-security/servers/traefik/INDEX.md @@ -12,7 +12,7 @@ - 已实证(synthetic): `0` - 阻塞数: `0` - 待人工/缺浏览器证据: `0` -- 最近渲染时间: `2026-03-17T06:28:46+00:00` +- 最近渲染时间: `2026-03-17T06:35:46+00:00` ## 目标约束 
diff --git a/08-threat-intel/generated/coverage-matrix.md b/08-threat-intel/generated/coverage-matrix.md index 94f104b2..3f495582 100644 --- a/08-threat-intel/generated/coverage-matrix.md +++ b/08-threat-intel/generated/coverage-matrix.md @@ -21,7 +21,7 @@ | Flask | `frameworks` | `rolling-24m` | `-` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | | Ghost | `cms` | `rolling-24m` | `-` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | | Gin | `frameworks` | `rolling-24m` | `-` | `yes` | `0` | `0` | `2` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | -| Gitea | `platforms` | `rolling-24m` | `-` | `yes` | `37` | `37` | `3` | `seeded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `2026-03-03T04:57:57.697708Z` | +| Gitea | `platforms` | `rolling-24m` | `-` | `yes` | `37` | `37` | `3` | `seeded` | `real:0/synthetic:0/blocked:1` | `0` | `1` | `0` | `2026-03-03T04:57:57.697708Z` | | GitLab CE | `platforms` | `rolling-24m` | `-` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | | Grafana | `platforms` | `rolling-24m` | `-` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | | Hapi | `frameworks` | `rolling-24m` | `-` | `yes` | `0` | `0` | `2` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | 
@@ -37,7 +37,7 @@ | Medusa | `ecommerce` | `rolling-24m` | `-` | `yes` | `0` | `0` | `2` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | | Moodle | `cms` | `rolling-24m` | `-` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | | NestJS | `frameworks` | `rolling-24m` | `-` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | -| Next.js | `frameworks` | `history-full` | `yes` | `yes` | `26` | `26` | `3` | `seeded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `2026-03-13T22:14:13.665535Z` | +| Next.js | `frameworks` | `history-full` | `yes` | `yes` | `26` | `26` | `3` | `seeded` | `real:0/synthetic:0/blocked:0` | `0` | `1` | `0` | `2026-03-13T22:14:13.665535Z` | | Nginx | `servers` | `history-full` | `yes` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | | Node.js | `frameworks` | `history-full` | `yes` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | | Nuxt | `frameworks` | `history-full` | `yes` | `yes` | `0` | `0` | `3` | `scaffolded` | `real:0/synthetic:0/blocked:0` | `0` | `0` | `0` | `` | diff --git a/08-threat-intel/generated/dashboard/runs.json b/08-threat-intel/generated/dashboard/runs.json index fe51488c..aa2d5502 100644 --- a/08-threat-intel/generated/dashboard/runs.json +++ b/08-threat-intel/generated/dashboard/runs.json 
@@ -1 +1,73 @@ -[] +[ + { + "run_id": "gitea-gitea--CVE-2025-68939-20260317063330", + "system_id": "gitea", + "advisory_id": "gitea--CVE-2025-68939", + "repro_profile_id": "file-upload-generic", + "verification_status": "blocked-artifact", + "verification_mode": "real", + "artifact_mode": "official-image", + "target_env": "local-docker", + "compose_services": [ + "app" + ], + "baseline_refs": [], + "attack_steps": [], + "browser_refs": [], + "container_log_refs": [], + "request_log_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/attack.json", + "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/baseline.json" + ], + "timeline": [], + "started_at": "2026-03-17T06:33:30+00:00", + "finished_at": "2026-03-17T06:33:30+00:00", + "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?", + "report_refs": { + "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330", + "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md", + "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html", + "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd" + } + }, + { + "run_id": "nextjs-nextjs--CVE-2025-29927-20260317063047", + "system_id": "nextjs", + "advisory_id": "nextjs--CVE-2025-29927", + "repro_profile_id": "authz-bypass-generic", + "verification_status": "triage-manual", + "verification_mode": "real", + "artifact_mode": "official-source", + "target_env": "local-docker", + "compose_services": [ + "app" + ], + "baseline_refs": [ + 
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" + ], + "attack_steps": [ + { + "kind": "note", + "tool": null, + "args": [], + "status": "planned" + } + ], + "browser_refs": [], + "container_log_refs": [], + "request_log_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json", + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" + ], + "timeline": [], + "started_at": "2026-03-17T06:30:47+00:00", + "finished_at": "2026-03-17T06:30:47+00:00", + "blocked_reason": "dry-run only", + "report_refs": { + "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047", + "report_md": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md", + "report_html": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html", + "timeline": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd" + } + } +] diff --git a/08-threat-intel/generated/dashboard/summary.json b/08-threat-intel/generated/dashboard/summary.json index d605fda0..670d706c 100644 --- a/08-threat-intel/generated/dashboard/summary.json +++ b/08-threat-intel/generated/dashboard/summary.json 
@@ -1,5 +1,80 @@ { - "run_count": 0, - "statuses": {}, - "recent_runs": [] + "run_count": 2, + "statuses": { + "blocked-artifact": 1, + "triage-manual": 1 + }, + "recent_runs": [ + { + "run_id": "gitea-gitea--CVE-2025-68939-20260317063330", + "system_id": "gitea", + "advisory_id": "gitea--CVE-2025-68939", + "repro_profile_id": "file-upload-generic", + "verification_status": "blocked-artifact", + "verification_mode": "real", + "artifact_mode": "official-image", + "target_env": "local-docker", + "compose_services": [ + "app" + ], + "baseline_refs": [], + "attack_steps": [], + "browser_refs": [], + "container_log_refs": [], + "request_log_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/attack.json", + "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/baseline.json" + ], + "timeline": [], + "started_at": "2026-03-17T06:33:30+00:00", + "finished_at": "2026-03-17T06:33:30+00:00", + "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. 
Is the docker daemon running?", + "report_refs": { + "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330", + "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md", + "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html", + "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd" + } + }, + { + "run_id": "nextjs-nextjs--CVE-2025-29927-20260317063047", + "system_id": "nextjs", + "advisory_id": "nextjs--CVE-2025-29927", + "repro_profile_id": "authz-bypass-generic", + "verification_status": "triage-manual", + "verification_mode": "real", + "artifact_mode": "official-source", + "target_env": "local-docker", + "compose_services": [ + "app" + ], + "baseline_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" + ], + "attack_steps": [ + { + "kind": "note", + "tool": null, + "args": [], + "status": "planned" + } + ], + "browser_refs": [], + "container_log_refs": [], + "request_log_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json", + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" + ], + "timeline": [], + "started_at": "2026-03-17T06:30:47+00:00", + "finished_at": "2026-03-17T06:30:47+00:00", + "blocked_reason": "dry-run only", + "report_refs": { + "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047", + "report_md": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md", + "report_html": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html", + "timeline": 
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd" + } + } + ] } diff --git a/08-threat-intel/generated/latest-ingest.md b/08-threat-intel/generated/latest-ingest.md index 7edfe056..e898e863 100644 --- a/08-threat-intel/generated/latest-ingest.md +++ b/08-threat-intel/generated/latest-ingest.md @@ -1,10 +1,10 @@ # 最新同步摘要 -- 渲染时间: `2026-03-17T06:28:49+00:00` +- 渲染时间: `2026-03-17T06:35:58+00:00` - 系统数量: `62` - Advisory 数量: `89` - 重点 Markdown 数量: `89` -- Run Bundle 数量: `0` +- Run Bundle 数量: `2` - 新增记录: `0` - 更新记录: `0` - Triage 数量: `0` diff --git a/08-threat-intel/generated/run-summary.json b/08-threat-intel/generated/run-summary.json index f38de44a..c20a9ff0 100644 --- a/08-threat-intel/generated/run-summary.json +++ b/08-threat-intel/generated/run-summary.json @@ -1,5 +1,5 @@ { - "generated_at": "2026-03-17T06:28:49+00:00", + "generated_at": "2026-03-17T06:35:58+00:00", "system_count": 62, "advisory_count": 89, "markdown_count": 89, @@ -7,7 +7,7 @@ "updated_count": 0, "systems_touched": [], "triage_count": 0, - "run_bundle_count": 0, + "run_bundle_count": 2, "failures": [ "wordpress::NVD WordPress::SSLError", "wordpress::WPScan Vulnerability Database::SSLError", diff --git a/08-threat-intel/registry/advisories/gitea--CVE-2025-68939.json b/08-threat-intel/registry/advisories/gitea--CVE-2025-68939.json index 325a7173..1f0e4d94 100644 --- a/08-threat-intel/registry/advisories/gitea--CVE-2025-68939.json +++ b/08-threat-intel/registry/advisories/gitea--CVE-2025-68939.json 
@@ -49,19 +49,19 @@ ], "status": "generated", "triage_reasons": [], - "verification_status": "triage-manual", - "verification_mode": "synthetic", - "last_verified_at": null, - "last_run_id": null, - "evidence_bundle": null, + "verification_status": "blocked-artifact", + "verification_mode": "real", + "last_verified_at": "2026-03-17T06:33:30+00:00", + "last_run_id": "gitea-gitea--CVE-2025-68939-20260317063330", + "evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330", "browser_evidence": { "required": false, "present": false, "refs": [] }, "repro_profile_id": "file-upload-generic", - "artifact_mode": "synthetic", - "blocked_reason": null, + "artifact_mode": "official-image", + "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?", "metadata": { "source_names": [ "OSV Gitea" diff --git a/08-threat-intel/registry/advisories/nextjs--CVE-2025-29927.json b/08-threat-intel/registry/advisories/nextjs--CVE-2025-29927.json index 141865e5..ac734c1f 100644 --- a/08-threat-intel/registry/advisories/nextjs--CVE-2025-29927.json +++ b/08-threat-intel/registry/advisories/nextjs--CVE-2025-29927.json 
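Review bot: `blocked_reason` now stores the raw Docker client error verbatim, including the operator's home directory and the daemon socket path (`unix:///Users/x/.docker/run/docker.sock`), and the same string is copied into the dashboard `runs.json`/`summary.json` hunks and the new `registry/runs/gitea-gitea--CVE-2025-68939-…json` record. Committed registry data would be better served by a stable, machine-readable reason such as `"blocked_reason": "docker-daemon-unavailable"`, with the raw message kept only in the run bundle's logs; that keeps host-layout details out of the repository and stops each machine producing a different diff for the same failure. Separately, `last_verified_at` is set to the run timestamp although `verification_status` is `blocked-artifact` and nothing was exercised; consider leaving it `null` for blocked runs (or introducing a distinct `last_attempted_at`) so a consumer does not read a blocked attempt as a verification.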
@@ -61,18 +61,18 @@ "status": "generated", "triage_reasons": [], "verification_status": "triage-manual", - "verification_mode": "synthetic", - "last_verified_at": null, - "last_run_id": null, - "evidence_bundle": null, + "verification_mode": "real", + "last_verified_at": "2026-03-17T06:30:47+00:00", + "last_run_id": "nextjs-nextjs--CVE-2025-29927-20260317063047", + "evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047", "browser_evidence": { "required": false, "present": false, "refs": [] }, "repro_profile_id": "authz-bypass-generic", - "artifact_mode": "synthetic", - "blocked_reason": null, + "artifact_mode": "official-source", + "blocked_reason": "dry-run only", "metadata": { "source_names": [ "OSV Next.js" diff --git a/08-threat-intel/registry/runs/gitea-gitea--CVE-2025-68939-20260317063330.json b/08-threat-intel/registry/runs/gitea-gitea--CVE-2025-68939-20260317063330.json new file mode 100644 index 00000000..82eca2c6 --- /dev/null +++ b/08-threat-intel/registry/runs/gitea-gitea--CVE-2025-68939-20260317063330.json 
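Review bot: This record now reports `"verification_mode": "real"` and a non-null `last_verified_at` for a run whose `blocked_reason` is `dry-run only`, and the matching run record (`registry/runs/nextjs-nextjs--CVE-2025-29927-…json`) shows a single attack step with `"status": "planned"`, `"tool": null` and an empty `timeline`, so no verification appears to have executed. Downstream this already surfaces as `实证方式: real` in the case markdown and INDEX while the coverage matrix still counts `real:0`, which is inconsistent. Prefer a distinct mode value for rehearsals (for example `"verification_mode": "dry-run"`, or keep `synthetic`) and leave `last_verified_at` null until at least one step reaches an executed status; `last_run_id` already points readers to the bundle.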
@@ -0,0 +1,31 @@ +{ + "run_id": "gitea-gitea--CVE-2025-68939-20260317063330", + "system_id": "gitea", + "advisory_id": "gitea--CVE-2025-68939", + "repro_profile_id": "file-upload-generic", + "verification_status": "blocked-artifact", + "verification_mode": "real", + "artifact_mode": "official-image", + "target_env": "local-docker", + "compose_services": [ + "app" + ], + "baseline_refs": [], + "attack_steps": [], + "browser_refs": [], + "container_log_refs": [], + "request_log_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/attack.json", + "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/baseline.json" + ], + "timeline": [], + "started_at": "2026-03-17T06:33:30+00:00", + "finished_at": "2026-03-17T06:33:30+00:00", + "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?", + "report_refs": { + "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330", + "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md", + "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html", + "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd" + } +} diff --git a/08-threat-intel/registry/runs/nextjs-nextjs--CVE-2025-29927-20260317063047.json b/08-threat-intel/registry/runs/nextjs-nextjs--CVE-2025-29927-20260317063047.json new file mode 100644 index 00000000..fa0b5bb5 --- /dev/null +++ b/08-threat-intel/registry/runs/nextjs-nextjs--CVE-2025-29927-20260317063047.json 
@@ -0,0 +1,40 @@ +{ + "run_id": "nextjs-nextjs--CVE-2025-29927-20260317063047", + "system_id": "nextjs", + "advisory_id": "nextjs--CVE-2025-29927", + "repro_profile_id": "authz-bypass-generic", + "verification_status": "triage-manual", + "verification_mode": "real", + "artifact_mode": "official-source", + "target_env": "local-docker", + "compose_services": [ + "app" + ], + "baseline_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" + ], + "attack_steps": [ + { + "kind": "note", + "tool": null, + "args": [], + "status": "planned" + } + ], + "browser_refs": [], + "container_log_refs": [], + "request_log_refs": [ + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json", + "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" + ], + "timeline": [], + "started_at": "2026-03-17T06:30:47+00:00", + "finished_at": "2026-03-17T06:30:47+00:00", + "blocked_reason": "dry-run only", + "report_refs": { + "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047", + "report_md": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md", + "report_html": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html", + "timeline": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd" + } +} diff --git a/08-threat-intel/registry/systems/gitea.json b/08-threat-intel/registry/systems/gitea.json index fcee85fb..a946013d 100644 --- a/08-threat-intel/registry/systems/gitea.json +++ b/08-threat-intel/registry/systems/gitea.json 
@@ -15,8 +15,8 @@
 ],
 "verified_real": 0,
 "verified_synthetic": 0,
- "blocked_count": 0,
- "manual_count": 37,
+ "blocked_count": 1,
+ "manual_count": 36,
 "items": [
 "gitea--CVE-2026-0798",
 "gitea--CVE-2026-20736",
diff --git a/08-threat-intel/repro-map.yaml b/08-threat-intel/repro-map.yaml
new file mode 100644
index 00000000..bd68f538
--- /dev/null
+++ b/08-threat-intel/repro-map.yaml
@@ -0,0 +1,745 @@ +systems: +- system_id: wordpress + default_repro_family: xss-generic + provisioning_mode_preference: + - official-image + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: drupal + default_repro_family: xss-generic + provisioning_mode_preference: + - official-image + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: joomla + default_repro_family: xss-generic + provisioning_mode_preference: + - official-image + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: ghost + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: strapi + default_repro_family: file-upload-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: directus + default_repro_family: file-upload-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: mediawiki + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: 
default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: moodle + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: discourse + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: adobe-commerce + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: magento-open-source + default_repro_family: file-upload-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: openmage + default_repro_family: plugin-extension-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: woocommerce + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: prestashop + default_repro_family: file-upload-generic + provisioning_mode_preference: + - 
official-image + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: shopware + default_repro_family: file-upload-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: opencart + default_repro_family: file-upload-generic + provisioning_mode_preference: + - official-image + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: saleor + default_repro_family: session-token-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: medusa + default_repro_family: session-token-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: react + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: nextjs + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - official-source + - synthetic + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- 
system_id: vue + default_repro_family: xss-generic + provisioning_mode_preference: + - official-source + - synthetic + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: nuxt + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - official-source + - synthetic + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: vite + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - official-source + - synthetic + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: angular + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: sveltekit + default_repro_family: session-token-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: astro + default_repro_family: authz-bypass-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: express + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - 
docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: nestjs + default_repro_family: ssrf-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: koa + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: fastify + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: hapi + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: nodejs + default_repro_family: ssrf-generic + provisioning_mode_preference: + - official-source + - synthetic + - synthetic + browser_required_default: false + seed_strategy: minimal-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: undici + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: webpack + default_repro_family: file-upload-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + 
browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: esbuild + default_repro_family: file-upload-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: spring-framework + default_repro_family: deserialization-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: spring-security + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: spring-boot + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: laravel + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: symfony + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: django + 
default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: flask + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: werkzeug + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: rails + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: aspnet-core + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: gin + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: echo + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + 
report_template: default-lab-report +- system_id: nginx + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - official-image + - official-source + - synthetic + browser_required_default: false + seed_strategy: minimal-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: apache-httpd + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - official-image + - official-source + - synthetic + browser_required_default: false + seed_strategy: minimal-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: apache-tomcat + default_repro_family: authz-bypass-generic + provisioning_mode_preference: + - official-image + - official-source + - synthetic + browser_required_default: false + seed_strategy: minimal-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: caddy + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: false + seed_strategy: minimal-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: traefik + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: false + seed_strategy: minimal-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: haproxy + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: false + seed_strategy: minimal-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: phpmyadmin + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - 
official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: adminer + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: gitea + default_repro_family: proxy-boundary-generic + provisioning_mode_preference: + - official-image + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: gitlab-ce + default_repro_family: deserialization-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: jenkins + default_repro_family: deserialization-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: grafana + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: kibana + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: mattermost + 
default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report +- system_id: redmine + default_repro_family: xss-generic + provisioning_mode_preference: + - synthetic + - official-source + - synthetic + browser_required_default: true + seed_strategy: default-seed + log_collectors: + - docker-logs + - http-snapshot + report_template: default-lab-report diff --git a/scripts/lab/browser.py b/scripts/lab/browser.py index c69d49a8..d87d8422 100644 --- a/scripts/lab/browser.py +++ b/scripts/lab/browser.py 
@@ -27,15 +27,20 @@ def capture(url: str, run_dir: Path, prefix: str = "baseline") -> Dict[str, Any]
 network_path = run_dir / "logs" / f"{prefix}-network.json"
 console_messages: List[Dict[str, Any]] = []
 requests_seen: List[Dict[str, Any]] = []
- with sync_playwright() as p:
- browser = p.chromium.launch(headless=True)
- page = browser.new_page()
- page.on("console", lambda msg: console_messages.append({"type": msg.type, "text": msg.text}))
- page.on("request", lambda req: requests_seen.append({"method": req.method, "url": req.url}))
- page.goto(url, wait_until="networkidle", timeout=20000)
- page.screenshot(path=str(screenshot_path), full_page=True)
- dom_path.write_text(page.content(), encoding="utf-8")
- browser.close()
+ try:
+ with sync_playwright() as p:
+ browser = p.chromium.launch(headless=True)
+ page = browser.new_page()
+ page.on("console", lambda msg: console_messages.append({"type": msg.type, "text": msg.text}))
+ page.on("request", lambda req: requests_seen.append({"method": req.method, "url": req.url}))
+ page.goto(url, wait_until="networkidle", timeout=20000)
+ page.screenshot(path=str(screenshot_path), full_page=True)
+ dom_path.write_text(page.content(), encoding="utf-8")
+ browser.close()
+ except Exception as exc:
+ payload["reason"] = str(exc)
+ write_json(run_dir / "logs" / f"{prefix}-browser.json", payload)
+ return payload
 write_json(console_path, console_messages)
 write_json(network_path, requests_seen)
 payload = {
diff --git a/scripts/lab/main.py b/scripts/lab/main.py
index 54f4f144..b5c94d56 100644
--- a/scripts/lab/main.py
+++ b/scripts/lab/main.py
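Review bot: In the new `except Exception as exc:` branch, `payload["reason"] = str(exc)` writes into `payload` before it exists — the only assignment visible is the `payload = {` context line after the `try`, so unless `capture` initialises `payload` above this hunk the handler raises `UnboundLocalError` and masks the real Playwright failure instead of recording it. Build the failure record inside the handler instead, e.g. `payload = {"present": False, "refs": [], "reason": str(exc)}`, using the same keys the success payload carries, since the caller in main.py reads `present` and `reason` from it. The `console_messages` and `requests_seen` entries collected before the failure are also discarded on this path; writing them out in the handler as the success path does would preserve that partial evidence. `capture` begins and ends outside this hunk.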
@@ -164,18 +164,23 @@ def cmd_run_case(args) -> int:
 run_dir = _run_dir(run_id)
 provision_result = provision.prepare(profile, run_dir, dry_run=args.dry_run)
- baseline_payload = baseline.collect(profile, run_dir) if profile.get("baseline_urls") else {"observations": []}
- attack_payload = attack.run_attack(profile, advisory, run_dir, dry_run=args.dry_run)
+ allow_runtime_steps = provision_result.get("status") not in {"blocked-artifact"}
+ baseline_payload = (
+ baseline.collect(profile, run_dir) if profile.get("baseline_urls") and allow_runtime_steps else {"observations": []}
+ )
+ attack_payload = (
+ attack.run_attack(profile, advisory, run_dir, dry_run=args.dry_run) if allow_runtime_steps else {"steps": []}
+ )
 browser_payload = {"required": bool(profile.get("browser_assertions", {}).get("required")), "present": False, "refs": []}
 blocked_reason = provision_result.get("blocked_reason")
- if browser_payload["required"] and not args.dry_run and profile.get("baseline_urls"):
+ if browser_payload["required"] and not args.dry_run and profile.get("baseline_urls") and allow_runtime_steps:
 browser_payload = browser.capture(profile["baseline_urls"][0], run_dir, prefix="proof")
 if not browser_payload.get("present"):
 blocked_reason = blocked_reason or browser_payload.get("reason")
 compose_path = Path(provision_result["compose_path"])
- container_logs = evidence.collect_container_logs(run_dir, compose_path) if compose_path.exists() else []
+ container_logs = evidence.collect_container_logs(run_dir, compose_path) if compose_path.exists() and allow_runtime_steps else []
 verification_status = "triage-manual"
 verification_mode = profile.get("verification_mode", "synthetic")
diff --git a/xss-scanner b/xss-scanner
new file mode 100755
index 00000000..b6699792
Binary files /dev/null and b/xss-scanner differ
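Review bot: The new gate `allow_runtime_steps = provision_result.get("status") not in {"blocked-artifact"}` fails open: a provision result with no `status` key, or any status value other than `blocked-artifact`, still runs the baseline, attack and log-collection steps against whatever happens to be listening on the lab ports. Comparing against the explicit success value instead, `allow_runtime_steps = provision_result.get("status") == "<provisioned-status>"` (I cannot see the values `provision.prepare` emits from here, so substitute the real one), makes an unexpected provisioning outcome skip the runtime steps rather than run them; the single-element set also reads more plainly as `!= "blocked-artifact"`. Separately, the gitea run record added in this commit lists `logs/attack.json` and `logs/baseline.json` under `request_log_refs` for a `blocked-artifact` run with no attack steps, which suggests the code that builds those refs, below this hunk, is not gated by `allow_runtime_steps`. `cmd_run_case` continues outside the hunk.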