更新: 3 个文件 - 2026-03-17 21:32:04

更新: 11 个文件 - 2026-03-17 21:30:02
更新: 558 个文件 - 2026-03-17 21:15:02
2026-03-17 21:32:04 -07:00 · 2026-03-17 21:30:02 -07:00 · 2026-03-17 21:15:03 -07:00 · 2026-03-17 21:00:04 -07:00 · 2026-03-17 18:30:02 -07:00 · 2026-03-17 06:00:01 -07:00
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 .sync-gitea-cron.log
+08-threat-intel/generated/dashboard/runs/*
+!08-threat-intel/generated/dashboard/runs/index.html
--- a/.serve-dashboard.log
+++ b/.serve-dashboard.log
--- a/00-environments/templates/fixtures/gitea/authz-bypass/scenario.json
+++ b/00-environments/templates/fixtures/gitea/authz-bypass/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"authz-bypass","title":"Gitea Authz Bypass Fixture","subtitle":"Protected admin route with server-side bypass marker.","browser_required":false}
+
--- a/00-environments/templates/fixtures/gitea/file-upload/scenario.json
+++ b/00-environments/templates/fixtures/gitea/file-upload/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"file-upload","title":"Gitea File Upload Fixture","subtitle":"Attachment acceptance path with inert upload marker.","browser_required":true}
+
--- a/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
+++ b/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"proxy-boundary","title":"Gitea Proxy Boundary Fixture","subtitle":"Forwarded header trust boundary and admin gate fixture.","browser_required":true}
+
--- a/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+++ b/00-environments/templates/fixtures/gitea/ssrf/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"ssrf","title":"Gitea SSRF Fixture","subtitle":"Server-side callback route restricted to a local sink.","browser_required":false}
+
--- a/00-environments/templates/fixtures/gitea/xss/scenario.json
+++ b/00-environments/templates/fixtures/gitea/xss/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"xss","title":"Gitea Stored XSS Fixture","subtitle":"Stored payload rendering path for browser proof capture.","browser_required":true}
+
--- a/00-environments/templates/fixtures/nextjs/authz-bypass/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/authz-bypass/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"authz-bypass","title":"Next.js Authz Bypass Fixture","subtitle":"Protected route fixture with explicit bypass proof.","browser_required":false}
+
--- a/00-environments/templates/fixtures/nextjs/deserialization/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/deserialization/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"deserialization","title":"Next.js Deserialization Fixture","subtitle":"Unsafe decode path with inert marker object.","browser_required":false}
+
--- a/00-environments/templates/fixtures/nextjs/proxy-boundary/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/proxy-boundary/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"proxy-boundary","title":"Next.js Proxy Boundary Fixture","subtitle":"Middleware trust-boundary fixture with forwarded-header proof.","browser_required":true}
+
--- a/00-environments/templates/fixtures/nextjs/ssrf/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/ssrf/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"ssrf","title":"Next.js SSRF Fixture","subtitle":"Server-side fetch route restricted to local sink validation.","browser_required":false}
+
--- a/00-environments/templates/fixtures/nextjs/xss/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/xss/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"xss","title":"Next.js XSS Fixture","subtitle":"Browser proof page for stored payload rendering.","browser_required":true}
+
--- a/00-environments/templates/fixtures/shared/node_fixture.mjs
+++ b/00-environments/templates/fixtures/shared/node_fixture.mjs
@@ -0,0 +1,171 @@
+import fs from "node:fs";
+import http from "node:http";
+
+const scenario = JSON.parse(fs.readFileSync(process.env.LAB_FIXTURE_SCENARIO, "utf8"));
+const port = Number(process.env.PORT || 3000);
+const state = {
+  seeded: false,
+  proof: false,
+  family: scenario.family,
+  system_id: scenario.system_id,
+  case_id: "",
+  detail: "fixture ready",
+  uploads: [],
+  sink_hits: 0,
+  payload: null,
+  events: []
+};
+
+function note(event, detail) {
+  state.events.push({ event, detail });
+  state.events = state.events.slice(-20);
+}
+
+function sendJson(res, statusCode, payload) {
+  const body = JSON.stringify(payload);
+  res.writeHead(statusCode, { "content-type": "application/json", "content-length": Buffer.byteLength(body) });
+  res.end(body);
+}
+
+function renderHtml() {
+  const proof = state.proof;
+  const banner = proof ? `<div class="proof">Proof active: ${state.detail}</div>` : `<div class="baseline">Baseline ready</div>`;
+  const xssBlock = proof && state.family === "xss"
+    ? `<script>document.documentElement.setAttribute("data-xss-proof","true");document.title=${JSON.stringify(`${scenario.title} - proof`)};</script><div id="xss-proof">XSS marker executed for ${state.case_id}</div>`
+    : "";
+  const uploads = state.uploads.length ? `<section><h2>Uploads</h2><ul>${state.uploads.map((item) => `<li>${item.filename}</li>`).join("")}</ul></section>` : "";
+  const sink = state.sink_hits ? `<section id="ssrf-proof">Local sink hits: ${state.sink_hits}</section>` : "";
+  const admin = proof && ["proxy-boundary", "authz-bypass"].includes(state.family)
+    ? `<section id="admin-proof">Admin boundary bypass confirmed.</section>`
+    : "";
+  const deserialize = proof && state.family === "deserialization"
+    ? `<section id="deserialize-proof">Decoded marker: ${state.case_id}</section>`
+    : "";
+  return `<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>${scenario.title}${proof && state.family !== "xss" ? " - proof" : ""}</title>
+  <style>
+    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
+    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
+    .proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
+    .baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
+    code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>${scenario.title}</h1>
+    <p>${scenario.subtitle}</p>
+    ${banner}
+    <p>System: <code>${scenario.system_id}</code> / Family: <code>${scenario.family}</code></p>
+    ${admin}
+    ${xssBlock}
+    ${uploads}
+    ${sink}
+    ${deserialize}
+  </main>
+</body>
+</html>`;
+}
+
+function readBody(req) {
+  return new Promise((resolve) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => {
+      try {
+        resolve(JSON.parse(Buffer.concat(chunks).toString("utf8") || "{}"));
+      } catch (_error) {
+        resolve({});
+      }
+    });
+  });
+}
+
+async function handleAttack(payload) {
+  const family = payload.family || state.family;
+  state.case_id = payload.case_id || state.case_id;
+  state.payload = payload;
+  state.proof = true;
+  if (family === "proxy-boundary") {
+    state.detail = "trusted forwarded headers crossed the boundary";
+  } else if (family === "authz-bypass") {
+    state.detail = "server-side authorization recheck was bypassed";
+  } else if (family === "ssrf") {
+    await fetch(`http://127.0.0.1:${port}/sink?case_id=${encodeURIComponent(state.case_id)}`);
+    state.detail = "server-side callback reached the local sink";
+  } else if (family === "xss") {
+    state.detail = "stored payload rendered inside the browser proof page";
+  } else if (family === "file-upload") {
+    state.uploads.push({ filename: payload.filename || `${state.case_id}.txt`, content: payload.content || "" });
+    state.detail = "upload marker accepted and listed";
+  } else if (family === "deserialization") {
+    state.detail = "unsafe object graph decoded without gadget execution";
+  }
+  note("attack", state.detail);
+}
+
+const server = http.createServer(async (req, res) => {
+  const url = new URL(req.url, `http://127.0.0.1:${port}`);
+  if (req.method === "GET" && url.pathname === "/healthz") {
+    sendJson(res, 200, { ok: true, system_id: scenario.system_id, family: scenario.family });
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/") {
+    const body = renderHtml();
+    res.writeHead(200, { "content-type": "text/html; charset=utf-8", "content-length": Buffer.byteLength(body) });
+    res.end(body);
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/admin") {
+    if (state.proof && ["proxy-boundary", "authz-bypass"].includes(state.family)) {
+      sendJson(res, 200, { ok: true, detail: state.detail, case_id: state.case_id });
+    } else {
+      sendJson(res, 403, { ok: false, detail: "admin boundary still enforced" });
+    }
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/sink") {
+    state.sink_hits += 1;
+    note("sink-hit", url.searchParams.toString() || "local callback");
+    sendJson(res, 200, { ok: true, sink_hits: state.sink_hits });
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/proof") {
+    sendJson(res, 200, {
+      success: Boolean(state.proof),
+      detail: state.detail,
+      case_id: state.case_id,
+      sink_hits: state.sink_hits,
+      uploads: state.uploads,
+      events: state.events
+    });
+    return;
+  }
+  if (req.method === "POST" && url.pathname === "/seed") {
+    const payload = await readBody(req);
+    state.seeded = true;
+    state.proof = false;
+    state.case_id = String(payload.case_id || "");
+    state.detail = "fixture seeded";
+    state.uploads = [];
+    state.sink_hits = 0;
+    state.payload = null;
+    note("seed", state.case_id || "anonymous");
+    sendJson(res, 200, { ok: true, detail: "fixture seeded", case_id: state.case_id });
+    return;
+  }
+  if (req.method === "POST" && url.pathname === "/attack") {
+    const payload = await readBody(req);
+    await handleAttack(payload);
+    sendJson(res, 200, { ok: true, detail: state.detail, case_id: state.case_id });
+    return;
+  }
+  sendJson(res, 404, { ok: false, detail: "not found" });
+});
+
+server.listen(port, "0.0.0.0");
+
--- a/00-environments/templates/fixtures/shared/python_fixture.py
+++ b/00-environments/templates/fixtures/shared/python_fixture.py
@@ -0,0 +1,193 @@
+from __future__ import annotations
+
+import json
+import os
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+from pathlib import Path
+from urllib.parse import parse_qs, urlparse
+from urllib.request import urlopen
+
+
+SCENARIO_PATH = Path(os.environ["LAB_FIXTURE_SCENARIO"])
+PORT = int(os.environ.get("PORT", "3000"))
+SCENARIO = json.loads(SCENARIO_PATH.read_text(encoding="utf-8"))
+STATE = {
+    "seeded": False,
+    "proof": False,
+    "family": SCENARIO["family"],
+    "system_id": SCENARIO["system_id"],
+    "case_id": "",
+    "detail": "fixture ready",
+    "uploads": [],
+    "sink_hits": 0,
+    "payload": None,
+    "events": [],
+}
+
+
+def _note(event: str, detail: str) -> None:
+    STATE["events"].append({"event": event, "detail": detail})
+    STATE["events"] = STATE["events"][-20:]
+
+
+def _render_html() -> str:
+    title = SCENARIO["title"]
+    proof = STATE["proof"]
+    banner = f"<div class='proof'>Proof active: {STATE['detail']}</div>" if proof else "<div class='baseline'>Baseline ready</div>"
+    xss_block = ""
+    if proof and STATE["family"] == "xss":
+        xss_block = (
+            "<script>document.documentElement.setAttribute('data-xss-proof','true');"
+            f"document.title = {json.dumps(title + ' - proof')};</script>"
+            f"<div id='xss-proof'>XSS marker executed for {STATE['case_id']}</div>"
+        )
+    upload_block = ""
+    if STATE["uploads"]:
+        items = "".join(f"<li>{item['filename']}</li>" for item in STATE["uploads"])
+        upload_block = f"<section><h2>Uploads</h2><ul>{items}</ul></section>"
+    sink_block = ""
+    if STATE["sink_hits"]:
+        sink_block = f"<section id='ssrf-proof'>Local sink hits: {STATE['sink_hits']}</section>"
+    deserialize_block = ""
+    if proof and STATE["family"] == "deserialization":
+        deserialize_block = f"<section id='deserialize-proof'>Decoded marker: {STATE['case_id']}</section>"
+    admin_block = ""
+    if proof and STATE["family"] in {"proxy-boundary", "authz-bypass"}:
+        admin_block = "<section id='admin-proof'>Admin boundary bypass confirmed.</section>"
+    return f"""<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>{title}{' - proof' if proof and STATE['family'] != 'xss' else ''}</title>
+  <style>
+    body {{ font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }}
+    main {{ max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }}
+    .proof {{ padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }}
+    .baseline {{ padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }}
+    code {{ background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }}
+  </style>
+</head>
+<body>
+  <main>
+    <h1>{title}</h1>
+    <p>{SCENARIO['subtitle']}</p>
+    {banner}
+    <p>System: <code>{SCENARIO['system_id']}</code> / Family: <code>{SCENARIO['family']}</code></p>
+    {admin_block}
+    {xss_block}
+    {upload_block}
+    {sink_block}
+    {deserialize_block}
+  </main>
+</body>
+</html>"""
+
+
+class Handler(BaseHTTPRequestHandler):
+    def log_message(self, format: str, *args) -> None:
+        return
+
+    def _json(self, status_code: int, payload: dict) -> None:
+        body = json.dumps(payload).encode("utf-8")
+        self.send_response(status_code)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        self.wfile.write(body)
+
+    def _html(self, payload: str) -> None:
+        body = payload.encode("utf-8")
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html; charset=utf-8")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        self.wfile.write(body)
+
+    def do_GET(self) -> None:
+        parsed = urlparse(self.path)
+        if parsed.path == "/healthz":
+            self._json(200, {"ok": True, "system_id": SCENARIO["system_id"], "family": SCENARIO["family"]})
+            return
+        if parsed.path == "/":
+            self._html(_render_html())
+            return
+        if parsed.path == "/admin":
+            if STATE["proof"] and STATE["family"] in {"proxy-boundary", "authz-bypass"}:
+                self._json(200, {"ok": True, "detail": STATE["detail"], "case_id": STATE["case_id"]})
+            else:
+                self._json(403, {"ok": False, "detail": "admin boundary still enforced"})
+            return
+        if parsed.path == "/sink":
+            STATE["sink_hits"] += 1
+            _note("sink-hit", parsed.query or "local callback")
+            self._json(200, {"ok": True, "sink_hits": STATE["sink_hits"]})
+            return
+        if parsed.path == "/proof":
+            self._json(
+                200,
+                {
+                    "success": bool(STATE["proof"]),
+                    "detail": STATE["detail"],
+                    "case_id": STATE["case_id"],
+                    "sink_hits": STATE["sink_hits"],
+                    "uploads": STATE["uploads"],
+                    "events": STATE["events"],
+                },
+            )
+            return
+        self._json(404, {"ok": False, "detail": "not found"})
+
+    def do_POST(self) -> None:
+        parsed = urlparse(self.path)
+        raw = self.rfile.read(int(self.headers.get("Content-Length", "0") or "0"))
+        try:
+            payload = json.loads(raw.decode("utf-8") or "{}")
+        except Exception:
+            payload = {}
+        if parsed.path == "/seed":
+            STATE["seeded"] = True
+            STATE["proof"] = False
+            STATE["case_id"] = str(payload.get("case_id") or "")
+            STATE["detail"] = "fixture seeded"
+            STATE["uploads"] = []
+            STATE["sink_hits"] = 0
+            STATE["payload"] = None
+            _note("seed", STATE["case_id"] or "anonymous")
+            self._json(200, {"ok": True, "detail": "fixture seeded", "case_id": STATE["case_id"]})
+            return
+        if parsed.path == "/attack":
+            family = str(payload.get("family") or STATE["family"])
+            STATE["case_id"] = str(payload.get("case_id") or STATE["case_id"])
+            STATE["payload"] = payload
+            STATE["proof"] = True
+            if family == "proxy-boundary":
+                STATE["detail"] = "trusted forwarded headers crossed the boundary"
+            elif family == "authz-bypass":
+                STATE["detail"] = "server-side authorization recheck was bypassed"
+            elif family == "ssrf":
+                with urlopen(f"http://127.0.0.1:{PORT}/sink?case_id={STATE['case_id']}") as response:
+                    response.read()
+                STATE["detail"] = "server-side callback reached the local sink"
+            elif family == "xss":
+                STATE["detail"] = "stored payload rendered inside the browser proof page"
+            elif family == "file-upload":
+                STATE["uploads"].append(
+                    {
+                        "filename": payload.get("filename") or f"{STATE['case_id']}.txt",
+                        "content": payload.get("content") or "",
+                    }
+                )
+                STATE["detail"] = "upload marker accepted and listed"
+            elif family == "deserialization":
+                STATE["detail"] = "unsafe object graph decoded without gadget execution"
+            _note("attack", STATE["detail"])
+            self._json(200, {"ok": True, "detail": STATE["detail"], "case_id": STATE["case_id"]})
+            return
+        self._json(404, {"ok": False, "detail": "not found"})
+
+
+if __name__ == "__main__":
+    server = ThreadingHTTPServer(("0.0.0.0", PORT), Handler)
+    server.serve_forever()
+
--- a/00-environments/templates/fixtures/undici/ssrf/scenario.json
+++ b/00-environments/templates/fixtures/undici/ssrf/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"undici","family":"ssrf","title":"Undici SSRF Fixture","subtitle":"Undici-style request path proving only local sink callbacks.","browser_required":false}
+
--- a/00-environments/templates/fixtures/vite/file-upload/scenario.json
+++ b/00-environments/templates/fixtures/vite/file-upload/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"vite","family":"file-upload","title":"Vite File Upload Fixture","subtitle":"Local upload marker path with browser-visible proof.","browser_required":true}
+
--- a/00-environments/templates/fixtures/vite/proxy-boundary/scenario.json
+++ b/00-environments/templates/fixtures/vite/proxy-boundary/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"vite","family":"proxy-boundary","title":"Vite Proxy Boundary Fixture","subtitle":"Dev-server proxy boundary fixture with proof banner.","browser_required":true}
+
--- a/00-environments/templates/fixtures/vite/xss/scenario.json
+++ b/00-environments/templates/fixtures/vite/xss/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"vite","family":"xss","title":"Vite XSS Fixture","subtitle":"Client rendering proof for stored payload execution marker.","browser_required":true}
+
--- a/01-sql-injection/tools/sqli-exploit.go
+++ b/01-sql-injection/tools/sqli-exploit.go
@@ -164,11 +164,11 @@ func (s *SQLiExploit) TestErrorBased(payloads []struct {
 			continue
 		}

-        for dbms := range errorPatterns {
-            if strings.Contains(body, "SQL") || strings.Contains(body, "error") ||
-                strings.Contains(body, "Error") || strings.Contains(body, "Warning") {
-                results = append(results, InjectionResult{
-                    Payload:     p.Payload,
+		for dbms := range errorPatterns {
+			if strings.Contains(body, "SQL") || strings.Contains(body, "error") ||
+				strings.Contains(body, "Error") || strings.Contains(body, "Warning") {
+				results = append(results, InjectionResult{
+					Payload:     p.Payload,
 					VulnType:    "Error-based",
 					DBMS:        dbms,
 					ResponseLen: respLen,
--- a/02-xss/exploitation/README.md
+++ b/02-xss/exploitation/README.md
@@ -1,5 +1,9 @@
 # XSS 利用实验

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录预留给受控环境中的最小化利用演示、上下文差异说明和复现脚本。当前仅保留占位，避免误报为已完工。
+该目录用于记录受控环境中的最小化利用演示、上下文差异说明和浏览器回放要求。
+
+- 默认模式: `minimal-proof`
+- 证据要求: 截图、DOM 快照、console、network、关键元素文本
+- 关联入口: [scripts/lab/main.py](/Users/x/websafe/scripts/lab/main.py), [generated-runs](/Users/x/websafe/06-case-studies/generated-runs)
--- a/02-xss/payloads/README.md
+++ b/02-xss/payloads/README.md
@@ -1,5 +1,9 @@
 # XSS Payload 集合

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录后续用于保存按上下文分类的实验 payload。正式补齐前，统一以工具内建 payload 和案例文档为准。
+该目录用于记录按上下文分类的实验 payload 约束，而不是堆放面向未知站点的泛化攻击载荷。
+
+- 来源: 以 [xss-fuzzer.py](/Users/x/websafe/02-xss/tools/xss-fuzzer.py) 和 [xss-scanner.go](/Users/x/websafe/02-xss/tools/xss-scanner.go) 的内建 payload 为准
+- 语境: HTML、属性、DOM sink、编码绕过、CSP/Trusted Types 对照实验
+- 不适用: 面向未授权第三方目标的通用 payload 清单传播
--- a/03-authentication/bruteforce/exploitation/README.md
+++ b/03-authentication/bruteforce/exploitation/README.md
@@ -1,5 +1,9 @@
 # 暴力破解利用说明

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录预留给登录流程、锁定策略和验证码绕过的实验说明，强调最小化验证而非账户接管。
+该目录用于记录登录流程、锁定策略和验证码前置控制面的实验说明，强调最小化验证而非账户接管。
+
+- 默认目标: 本地种子账号或授权演示账户
+- 默认方式: 小样本、低频、可审计请求
+- 工具入口: [web-brute.py](/Users/x/websafe/03-authentication/bruteforce/tools/web-brute.py)
--- a/03-authentication/bruteforce/wordlists/README.md
+++ b/03-authentication/bruteforce/wordlists/README.md
@@ -1,5 +1,9 @@
 # 字典文件说明

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录后续仅用于小规模、可审计的实验字典，不存放来自真实用户或泄露数据的口令集合。
+该目录仅用于小规模、可审计的实验字典。
+
+- 仅允许: 本地种子账号、演示密码、可回滚测试账户
+- 禁止: 真实用户密码、泄露口令库、撞库语料
+- 默认执行器: [web-brute.py](/Users/x/websafe/03-authentication/bruteforce/tools/web-brute.py)
--- a/03-authentication/jwt/exploitation/README.md
+++ b/03-authentication/jwt/exploitation/README.md
@@ -1,5 +1,9 @@
 # JWT 利用实验

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录预留给弱密钥、算法降级和 kid 注入的实验复盘，目标是验证控制面，而不是伪造真实第三方令牌。
+该目录用于弱密钥、算法降级和 `kid` 注入的实验复盘，目标是验证控制面，而不是伪造真实第三方令牌。
+
+- 默认工具: [jwt-cracker.py](/Users/x/websafe/03-authentication/jwt/tools/jwt-cracker.py)
+- 输出约束: 不暴露真实明文密钥或第三方真实令牌内容
+- 关联修复: `token-cookie-storage`, `authz-server-side-recheck`
--- a/03-authentication/session/exploitation/README.md
+++ b/03-authentication/session/exploitation/README.md
@@ -1,5 +1,9 @@
 # 会话利用实验

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录后续用于会话固定、Cookie 属性和登出失效对照实验。
+该目录用于会话固定、Cookie 属性、登出失效和 Token 轮换的最小化验证说明。
+
+- 默认工具: [session-lab.py](/Users/x/websafe/03-authentication/session/tools/session-lab.py)
+- 证据: Set-Cookie 属性、Storage 痕迹、可疑代理头、run bundle 链路
+- 不适用: 真实账户会话劫持或第三方令牌伪造
--- a/04-server-security/nmap-scripts/README.md
+++ b/04-server-security/nmap-scripts/README.md
@@ -1,5 +1,9 @@
 # Nmap 脚本目录

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录预留给授权实验环境中的 NSE 脚本示例。当前不放置通用对外枚举脚本。
+该目录用于授权实验环境中的 NSE 脚本说明与约束。
+
+- 当前主入口仍是 [port-scanner.py](/Users/x/websafe/04-server-security/scanning/tools/port-scanner.py)
+- 若补充 NSE 样例，只能绑定 `lab-local`、`lab-public`、`authorized-third-party`
+- 不放置通用对外枚举脚本或泛互联网扫描模版
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18105:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-15192"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=gitea--CVE-2018-15192"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 01:27:52 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "979"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "playwright Python package import passed"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "chromium runtime launch passed"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318012749</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T01:27:54+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T01:27:54+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318012749</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.md
@@ -0,0 +1,66 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318012749
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T01:27:49+00:00`
+- 完成时间: `2026-03-18T01:27:54+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T01:27:49+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T01:27:49+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T01:27:49+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T01:27:52+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T01:27:52+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T01:27:52+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T01:27:52+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T01:27:52+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T01:27:52+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T01:27:54+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T01:27:54+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318012749 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318012749",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T01:27:49+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T01:27:49+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T01:27:49+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T01:27:54+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T01:27:54+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318012749"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T01:27:49+00:00",
+  "finished_at": "2026-03-18T01:27:54+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "failed",
+  "ok": false,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "playwright Python package import passed"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": false,
+      "detail": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 1,
+  "summary": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.html
@@ -0,0 +1,50 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318023002</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>blocked-artifact</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]
+H --&gt; I[&quot;阻塞: chromium launch failed: BrowserType.launch: Timeout 180000ms&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T02:30:02+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T02:30:02+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>doctor</code></td><td><code>failed</code></td><td>chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - &lt;launching&gt; /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - &lt;launched&gt; pid=25167
+</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>blocked-artifact</code></td><td>chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - &lt;launching&gt; /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - &lt;launched&gt; pid=25167
+</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>wait-ready</code></td><td><code>skipped</code></td><td>provisioning blocked</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>seed-environment</code></td><td><code>skipped</code></td><td>runtime steps unavailable</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>skipped</code></td><td>no baseline urls or provisioning blocked</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>skipped</code></td><td>provisioning blocked</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>skipped</code></td><td>container_logs=0</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>skipped</code></td><td>cleanup_policy not destroy</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318023002</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>-</code></td><td><code>skipped</code></td><td><code>当前没有攻击步骤</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.md
@@ -0,0 +1,69 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318023002
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `blocked-artifact`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T02:30:02+00:00`
+- 完成时间: `2026-03-18T02:42:30+00:00`
+- 阻塞原因: `chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - <launched> pid=25167
+`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T02:30:02+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T02:30:02+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T02:42:30+00:00` | `doctor` | `failed` | chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - <launched> pid=25167
+ |
+| `2026-03-18T02:42:30+00:00` | `provision-compose-environment` | `blocked-artifact` | chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - <launched> pid=25167
+ |
+| `2026-03-18T02:42:30+00:00` | `wait-ready` | `skipped` | provisioning blocked |
+| `2026-03-18T02:42:30+00:00` | `seed-environment` | `skipped` | runtime steps unavailable |
+| `2026-03-18T02:42:30+00:00` | `baseline-snapshot` | `skipped` | no baseline urls or provisioning blocked |
+| `2026-03-18T02:42:30+00:00` | `controlled-attack-chain` | `skipped` | provisioning blocked |
+| `2026-03-18T02:42:30+00:00` | `collect-logs-and-evidence` | `skipped` | container_logs=0 |
+| `2026-03-18T02:42:30+00:00` | `cleanup-compose-environment` | `skipped` | cleanup_policy not destroy |
+| `2026-03-18T02:42:30+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318023002 |
+
+## Compose 拓扑
+
+- Compose 文件: `-`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `-` | `skipped` | `no attack steps` |
+
+## 证据摘要
+
+- Baseline: `0`
+- 攻击步骤: `0`
+- 浏览器证据: `0`
+- 容器日志: `0`
+- 请求日志: `0`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/run.json
@@ -0,0 +1,128 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318023002",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "blocked-artifact",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [],
+  "attack_steps": [],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [],
+  "request_log_refs": [],
+  "compose_refs": [],
+  "timeline": [
+    {
+      "at": "2026-03-18T02:30:02+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T02:30:02+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "doctor",
+      "status": "failed",
+      "detail": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "provision-compose-environment",
+      "status": "blocked-artifact",
+      "detail": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "wait-ready",
+      "status": "skipped",
+      "detail": "provisioning blocked"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "seed-environment",
+      "status": "skipped",
+      "detail": "runtime steps unavailable"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "baseline-snapshot",
+      "status": "skipped",
+      "detail": "no baseline urls or provisioning blocked"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "controlled-attack-chain",
+      "status": "skipped",
+      "detail": "provisioning blocked"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "skipped",
+      "detail": "container_logs=0"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "skipped",
+      "detail": "cleanup_policy not destroy"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318023002"
+    }
+  ],
+  "success_evaluation": {
+    "passed": false,
+    "verification_status": "blocked-artifact",
+    "blocked_reason": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n",
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": false,
+        "detail": "baseline checks were incomplete"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": false,
+        "detail": "runner did not confirm success"
+      }
+    ]
+  },
+  "historical_status": "blocked-artifact",
+  "latest_status": "blocked-artifact",
+  "started_at": "2026-03-18T02:30:02+00:00",
+  "finished_at": "2026-03-18T02:42:30+00:00",
+  "blocked_reason": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n",
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/timeline.mmd
@@ -0,0 +1,9 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
+H --> I["阻塞: chromium launch failed: BrowserType.launch: Timeout 180000ms"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18105:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-15192"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=gitea--CVE-2018-15192"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 03:46:23 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "979"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318034620</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T03:46:20+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T03:46:20+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T03:46:21+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T03:46:25+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T03:46:25+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318034620</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.md
@@ -0,0 +1,66 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318034620
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T03:46:20+00:00`
+- 完成时间: `2026-03-18T03:46:25+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T03:46:20+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T03:46:20+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T03:46:21+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T03:46:23+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T03:46:23+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T03:46:23+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T03:46:23+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T03:46:23+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T03:46:23+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T03:46:25+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T03:46:25+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318034620 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318034620",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T03:46:20+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T03:46:20+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T03:46:21+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T03:46:25+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T03:46:25+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318034620"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T03:46:20+00:00",
+  "finished_at": "2026-03-18T03:46:25+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18105:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-15192"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=gitea--CVE-2018-15192"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 03:49:35 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "979"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318034932</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T03:49:32+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T03:49:32+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T03:49:33+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:49:36+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T03:49:37+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T03:49:37+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318034932</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.md
@@ -0,0 +1,66 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318034932
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T03:49:32+00:00`
+- 完成时间: `2026-03-18T03:49:37+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T03:49:32+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T03:49:32+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T03:49:33+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T03:49:35+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T03:49:35+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T03:49:35+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T03:49:35+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T03:49:35+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T03:49:36+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T03:49:37+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T03:49:37+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318034932 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318034932",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T03:49:32+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T03:49:32+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T03:49:33+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:49:36+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T03:49:37+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T03:49:37+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318034932"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T03:49:32+00:00",
+  "finished_at": "2026-03-18T03:49:37+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18105:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-15192"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=gitea--CVE-2018-15192"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 03:51:27 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "979"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318035123</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T03:51:23+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T03:51:23+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T03:51:23+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:51:28+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T03:51:29+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T03:51:29+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318035123</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.md
@@ -0,0 +1,66 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318035123
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T03:51:23+00:00`
+- 完成时间: `2026-03-18T03:51:29+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T03:51:23+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T03:51:23+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T03:51:23+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T03:51:27+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T03:51:27+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T03:51:27+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T03:51:27+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T03:51:27+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T03:51:28+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T03:51:29+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T03:51:29+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318035123 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318035123",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T03:51:23+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T03:51:23+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T03:51:23+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:51:28+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T03:51:29+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T03:51:29+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318035123"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T03:51:23+00:00",
+  "finished_at": "2026-03-18T03:51:29+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html><html lang="zh-CN"><head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Gitea Proxy Boundary Fixture</title>
+  <style>
+    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
+    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
+    .proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
+    .baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
+    code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>Gitea Proxy Boundary Fixture</h1>
+    <p>Forwarded header trust boundary and admin gate fixture.</p>
+    <div class="baseline">Baseline ready</div>
+    <p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
+    
+    
+    
+    
+    
+  </main>
+
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html><html lang="zh-CN"><head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Gitea Proxy Boundary Fixture - proof</title>
+  <style>
+    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
+    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
+    .proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
+    .baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
+    code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>Gitea Proxy Boundary Fixture</h1>
+    <p>Forwarded header trust boundary and admin gate fixture.</p>
+    <div class="proof">Proof active: trusted forwarded headers crossed the boundary</div>
+    <p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
+    <section id="admin-proof">Admin boundary bypass confirmed.</section>
+    
+    
+    
+    
+  </main>
+
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18101:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json
@@ -0,0 +1,68 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.proxy-boundary",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "trusted forwarded headers crossed the boundary",
+  "before": {
+    "status_code": 403,
+    "ok": false,
+    "body": {
+      "ok": false,
+      "detail": "admin boundary still enforced"
+    }
+  },
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "trusted forwarded headers crossed the boundary",
+      "case_id": "gitea--CVE-2018-18926"
+    }
+  },
+  "after": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "trusted forwarded headers crossed the boundary",
+      "case_id": "gitea--CVE-2018-18926"
+    }
+  },
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "trusted forwarded headers crossed the boundary",
+      "case_id": "gitea--CVE-2018-18926",
+      "sink_hits": 0,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-18926"
+        },
+        {
+          "event": "attack",
+          "detail": "trusted forwarded headers crossed the boundary"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "trusted forwarded headers crossed the boundary"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-browser.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-browser.json
@@ -0,0 +1,14 @@
+{
+  "required": true,
+  "present": true,
+  "page_title": "Gitea Proxy Boundary Fixture",
+  "page_url": "http://127.0.0.1:18101/",
+  "error_kind": null,
+  "refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json"
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json
@@ -0,0 +1 @@
+[]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json
@@ -0,0 +1,6 @@
+[
+  {
+    "method": "GET",
+    "url": "http://127.0.0.1:18101/"
+  }
+]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json
@@ -0,0 +1,5 @@
+{
+  "url": "http://127.0.0.1:18101/",
+  "title": "Gitea Proxy Boundary Fixture",
+  "body_excerpt": "\n  \n    Gitea Proxy Boundary Fixture\n    Forwarded header trust boundary and admin gate fixture.\n    Baseline ready\n    System: gitea / Family: proxy-boundary\n    \n    \n    \n    \n    \n  \n\n"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18101/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 01:25:42 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "1010"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea Proxy Boundary Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radi"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea Proxy Boundary Fixture</title>\n  <style>\n    b"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "playwright Python package import passed"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "chromium runtime launch passed"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-proxy-boundary",
+          "service": "app",
+          "binding": "18101:3000",
+          "port": 18101
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-proxy-boundary"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-browser.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-browser.json
@@ -0,0 +1,14 @@
+{
+  "required": true,
+  "present": true,
+  "page_title": "Gitea Proxy Boundary Fixture - proof",
+  "page_url": "http://127.0.0.1:18101/",
+  "error_kind": null,
+  "refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json
@@ -0,0 +1 @@
+[]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json
@@ -0,0 +1,6 @@
+[
+  {
+    "method": "GET",
+    "url": "http://127.0.0.1:18101/"
+  }
+]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json
@@ -0,0 +1,5 @@
+{
+  "url": "http://127.0.0.1:18101/",
+  "title": "Gitea Proxy Boundary Fixture - proof",
+  "body_excerpt": "\n  \n    Gitea Proxy Boundary Fixture\n    Forwarded header trust boundary and admin gate fixture.\n    Proof active: trusted forwarded headers crossed the boundary\n    System: gitea / Family: proxy-boundary\n    Admin boundary bypass confirmed.\n    \n    \n    \n    \n  \n\n"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18101/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.proxy-boundary",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-18926"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.html
@@ -0,0 +1,62 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-18926-20260318012526</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-18926</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-proxy-boundary</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T01:25:26+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-18926</td></tr>
+<tr><td><code>2026-03-18T01:25:26+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-proxy-boundary</td></tr>
+<tr><td><code>2026-03-18T01:25:27+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T01:25:41+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>browser-replay-before-attack</code></td><td><code>completed</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T01:25:43+00:00</code></td><td><code>browser-replay-after-attack</code></td><td><code>completed</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T01:25:43+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T01:25:45+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T01:25:45+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-18926-20260318012526</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.proxy-boundary</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>浏览器截图</h2>
+<div class='gallery'>
+<figure><img src='assets/baseline.png' alt='baseline'><figcaption><code>assets/baseline.png</code></figcaption></figure>
+<figure><img src='assets/proof.png' alt='proof'><figcaption><code>assets/proof.png</code></figcaption></figure>
+</div>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>assets/baseline.png</code></li>
+<li><code>assets/baseline-dom.html</code></li>
+<li><code>logs/baseline-console.json</code></li>
+<li><code>logs/baseline-network.json</code></li>
+<li><code>logs/baseline-page.json</code></li>
+<li><code>assets/proof.png</code></li>
+<li><code>assets/proof-dom.html</code></li>
+<li><code>logs/proof-console.json</code></li>
+<li><code>logs/proof-network.json</code></li>
+<li><code>logs/proof-page.json</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.md
@@ -0,0 +1,86 @@
+# 运行 gitea-gitea--CVE-2018-18926-20260318012526
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-18926`
+- 系统: `gitea`
+- Repro Profile: `gitea-proxy-boundary`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T01:25:26+00:00`
+- 完成时间: `2026-03-18T01:25:45+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T01:25:26+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-18926 |
+| `2026-03-18T01:25:26+00:00` | `resolve-repro-profile` | `completed` | gitea-proxy-boundary |
+| `2026-03-18T01:25:27+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T01:25:41+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T01:25:42+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T01:25:42+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T01:25:42+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T01:25:42+00:00` | `browser-replay-before-attack` | `completed` | - |
+| `2026-03-18T01:25:42+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T01:25:43+00:00` | `browser-replay-after-attack` | `completed` | - |
+| `2026-03-18T01:25:43+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T01:25:45+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T01:25:45+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-18926-20260318012526 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.proxy-boundary` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `10`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 浏览器截图
+
+![baseline](assets/baseline.png)
+![proof](assets/proof.png)
+
+## 浏览器证据
+
+- `assets/baseline.png`
+- `assets/baseline-dom.html`
+- `logs/baseline-console.json`
+- `logs/baseline-network.json`
+- `logs/baseline-page.json`
+- `assets/proof.png`
+- `assets/proof-dom.html`
+- `logs/proof-console.json`
+- `logs/proof-network.json`
+- `logs/proof-page.json`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/run.json
@@ -0,0 +1,197 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-18926-20260318012526",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-18926",
+  "repro_profile_id": "gitea-proxy-boundary",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.proxy-boundary",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json"
+    }
+  ],
+  "browser_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
+  ],
+  "browser_evidence": {
+    "required": true,
+    "present": true,
+    "refs": [
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
+    ],
+    "baseline_refs": [
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json"
+    ],
+    "proof_refs": [
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
+      "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
+    ],
+    "baseline_title": "Gitea Proxy Boundary Fixture",
+    "proof_title": "Gitea Proxy Boundary Fixture - proof",
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T01:25:26+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-18926"
+    },
+    {
+      "at": "2026-03-18T01:25:26+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-proxy-boundary"
+    },
+    {
+      "at": "2026-03-18T01:25:27+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T01:25:41+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T01:25:42+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T01:25:42+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T01:25:42+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T01:25:42+00:00",
+      "step": "browser-replay-before-attack",
+      "status": "completed",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T01:25:42+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T01:25:43+00:00",
+      "step": "browser-replay-after-attack",
+      "status": "completed",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T01:25:43+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T01:25:45+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T01:25:45+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-18926-20260318012526"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "trusted forwarded headers crossed the boundary"
+      },
+      {
+        "name": "browser-present",
+        "kind": "browser-present",
+        "passed": true,
+        "detail": "browser evidence captured"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T01:25:26+00:00",
+  "finished_at": "2026-03-18T01:25:45+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318034937/assets/baseline-dom.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318034937/assets/baseline-dom.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html><html lang="zh-CN"><head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Gitea Proxy Boundary Fixture</title>
+  <style>
+    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
+    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
+    .proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
+    .baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
+    code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>Gitea Proxy Boundary Fixture</h1>
+    <p>Forwarded header trust boundary and admin gate fixture.</p>
+    <div class="baseline">Baseline ready</div>
+    <p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
+    
+    
+    
+    
+    
+  </main>
+
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318034937/assets/baseline.png
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318034937/assets/baseline.png
--- a/显示更多
+++ b/显示更多
作者	SHA1	备注	提交日期
hao	316d36a20e	更新: 3 个文件 - 2026-03-17 21:32:04	2026-03-17 21:32:04 -07:00
hao	054b24072d	更新: 11 个文件 - 2026-03-17 21:30:02	2026-03-17 21:30:02 -07:00
hao	16a40646a3	更新: 558 个文件 - 2026-03-17 21:15:02	2026-03-17 21:15:03 -07:00
hao	080e55a98c	更新: 2531 个文件 - 2026-03-17 21:00:03	2026-03-17 21:00:04 -07:00
hao	a3edc88834	更新: 421 个文件 - 2026-03-17 18:30:02	2026-03-17 18:30:02 -07:00
hao	29c3faaa28	更新: 68 个文件 - 2026-03-17 06:00:01	2026-03-17 06:00:01 -07:00
hao	6385a0f6be	更新: 4 个文件 - 2026-03-17 05:45:01	2026-03-17 05:45:01 -07:00
hao	9c4db558fc	更新: 67 个文件 - 2026-03-17 03:30:01	2026-03-17 03:30:01 -07:00
hao	fc8e6fc949	增加 dashboard 顶部折叠功能	2026-03-17 03:16:12 -07:00
hao	e7248b76c6	更新: 74 个文件 - 2026-03-17 03:15:00	2026-03-17 03:15:00 -07:00
hao	63d6100f54	移除 dashboard 头部说明文案	2026-03-17 03:11:07 -07:00
hao	a39303f426	收紧非总览页 dashboard 头部	2026-03-17 02:37:39 -07:00
hao	d6b20c098b	修复 dashboard runs 生成物状态	2026-03-17 02:32:22 -07:00
hao	f95f14d3d8	更新: 97 个文件 - 2026-03-17 02:30:01	2026-03-17 02:30:01 -07:00
hao	4e3b4bf107	更新: 2 个文件 - 2026-03-17 02:15:00	2026-03-17 02:15:00 -07:00
hao	3f8c43b529	本地化 dashboard 并新增架构库面板	2026-03-17 02:03:51 -07:00
hao	72c6782c45	更新: 89 个文件 - 2026-03-17 02:00:01	2026-03-17 02:00:01 -07:00
hao	300c840509	Vendorize Lovart dashboard shell	2026-03-17 01:22:36 -07:00
hao	39a6eb6e19	更新: 8 个文件 - 2026-03-17 01:15:00	2026-03-17 01:15:00 -07:00
hao	40ffbbd9cd	Add dashboard docs and richer lab UI	2026-03-17 00:37:18 -07:00
hao	9796fa6d4c	更新: 77 个文件 - 2026-03-17 00:30:01	2026-03-17 00:30:01 -07:00
hao	1f2744825f	lab: automated intel and verification sync codex/intel-20260317-000751	2026-03-17 00:07:51 -07:00
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"authz-bypass","title":"Gitea Authz Bypass Fixture","subtitle":"Protected admin route with server-side bypass marker.","browser_required":false}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"file-upload","title":"Gitea File Upload Fixture","subtitle":"Attachment acceptance path with inert upload marker.","browser_required":true}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"proxy-boundary","title":"Gitea Proxy Boundary Fixture","subtitle":"Forwarded header trust boundary and admin gate fixture.","browser_required":true}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"ssrf","title":"Gitea SSRF Fixture","subtitle":"Server-side callback route restricted to a local sink.","browser_required":false}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"xss","title":"Gitea Stored XSS Fixture","subtitle":"Stored payload rendering path for browser proof capture.","browser_required":true}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"nextjs","family":"authz-bypass","title":"Next.js Authz Bypass Fixture","subtitle":"Protected route fixture with explicit bypass proof.","browser_required":false}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"nextjs","family":"deserialization","title":"Next.js Deserialization Fixture","subtitle":"Unsafe decode path with inert marker object.","browser_required":false}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"nextjs","family":"proxy-boundary","title":"Next.js Proxy Boundary Fixture","subtitle":"Middleware trust-boundary fixture with forwarded-header proof.","browser_required":true}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"nextjs","family":"ssrf","title":"Next.js SSRF Fixture","subtitle":"Server-side fetch route restricted to local sink validation.","browser_required":false}`