更新: 1 个文件 - 2026-04-02 05:50:37

更新: 1 个文件 - 2026-04-02 05:45:25
更新: 1 个文件 - 2026-04-02 05:45:07
2026-04-02 05:50:37 -07:00 · 2026-04-02 05:45:25 -07:00 · 2026-04-02 05:45:07 -07:00 · 2026-04-02 05:40:07 -07:00 · 2026-04-02 05:34:52 -07:00 · 2026-04-02 05:30:07 -07:00
--- a/.DS_Store
+++ b/.DS_Store
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 .sync-gitea-cron.log
+08-threat-intel/generated/dashboard/runs/*
+!08-threat-intel/generated/dashboard/runs/index.html
--- a/.serve-dashboard.log
+++ b/.serve-dashboard.log
--- a/00-environments/.DS_Store
+++ b/00-environments/.DS_Store
--- a/00-environments/templates/fixtures/gitea/authz-bypass/scenario.json
+++ b/00-environments/templates/fixtures/gitea/authz-bypass/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"authz-bypass","title":"Gitea Authz Bypass Fixture","subtitle":"Protected admin route with server-side bypass marker.","browser_required":false}
+
--- a/00-environments/templates/fixtures/gitea/file-upload/scenario.json
+++ b/00-environments/templates/fixtures/gitea/file-upload/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"file-upload","title":"Gitea File Upload Fixture","subtitle":"Attachment acceptance path with inert upload marker.","browser_required":true}
+
--- a/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
+++ b/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"proxy-boundary","title":"Gitea Proxy Boundary Fixture","subtitle":"Forwarded header trust boundary and admin gate fixture.","browser_required":true}
+
--- a/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+++ b/00-environments/templates/fixtures/gitea/ssrf/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"ssrf","title":"Gitea SSRF Fixture","subtitle":"Server-side callback route restricted to a local sink.","browser_required":false}
+
--- a/00-environments/templates/fixtures/gitea/xss/scenario.json
+++ b/00-environments/templates/fixtures/gitea/xss/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"gitea","family":"xss","title":"Gitea Stored XSS Fixture","subtitle":"Stored payload rendering path for browser proof capture.","browser_required":true}
+
--- a/00-environments/templates/fixtures/nextjs/authz-bypass/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/authz-bypass/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"authz-bypass","title":"Next.js Authz Bypass Fixture","subtitle":"Protected route fixture with explicit bypass proof.","browser_required":false}
+
--- a/00-environments/templates/fixtures/nextjs/deserialization/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/deserialization/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"deserialization","title":"Next.js Deserialization Fixture","subtitle":"Unsafe decode path with inert marker object.","browser_required":false}
+
--- a/00-environments/templates/fixtures/nextjs/proxy-boundary/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/proxy-boundary/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"proxy-boundary","title":"Next.js Proxy Boundary Fixture","subtitle":"Middleware trust-boundary fixture with forwarded-header proof.","browser_required":true}
+
--- a/00-environments/templates/fixtures/nextjs/ssrf/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/ssrf/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"ssrf","title":"Next.js SSRF Fixture","subtitle":"Server-side fetch route restricted to local sink validation.","browser_required":false}
+
--- a/00-environments/templates/fixtures/nextjs/xss/scenario.json
+++ b/00-environments/templates/fixtures/nextjs/xss/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"nextjs","family":"xss","title":"Next.js XSS Fixture","subtitle":"Browser proof page for stored payload rendering.","browser_required":true}
+
--- a/00-environments/templates/fixtures/shared/node_fixture.mjs
+++ b/00-environments/templates/fixtures/shared/node_fixture.mjs
@@ -0,0 +1,171 @@
+import fs from "node:fs";
+import http from "node:http";
+
+const scenario = JSON.parse(fs.readFileSync(process.env.LAB_FIXTURE_SCENARIO, "utf8"));
+const port = Number(process.env.PORT || 3000);
+const state = {
+  seeded: false,
+  proof: false,
+  family: scenario.family,
+  system_id: scenario.system_id,
+  case_id: "",
+  detail: "fixture ready",
+  uploads: [],
+  sink_hits: 0,
+  payload: null,
+  events: []
+};
+
+function note(event, detail) {
+  state.events.push({ event, detail });
+  state.events = state.events.slice(-20);
+}
+
+function sendJson(res, statusCode, payload) {
+  const body = JSON.stringify(payload);
+  res.writeHead(statusCode, { "content-type": "application/json", "content-length": Buffer.byteLength(body) });
+  res.end(body);
+}
+
+function renderHtml() {
+  const proof = state.proof;
+  const banner = proof ? `<div class="proof">Proof active: ${state.detail}</div>` : `<div class="baseline">Baseline ready</div>`;
+  const xssBlock = proof && state.family === "xss"
+    ? `<script>document.documentElement.setAttribute("data-xss-proof","true");document.title=${JSON.stringify(`${scenario.title} - proof`)};</script><div id="xss-proof">XSS marker executed for ${state.case_id}</div>`
+    : "";
+  const uploads = state.uploads.length ? `<section><h2>Uploads</h2><ul>${state.uploads.map((item) => `<li>${item.filename}</li>`).join("")}</ul></section>` : "";
+  const sink = state.sink_hits ? `<section id="ssrf-proof">Local sink hits: ${state.sink_hits}</section>` : "";
+  const admin = proof && ["proxy-boundary", "authz-bypass"].includes(state.family)
+    ? `<section id="admin-proof">Admin boundary bypass confirmed.</section>`
+    : "";
+  const deserialize = proof && state.family === "deserialization"
+    ? `<section id="deserialize-proof">Decoded marker: ${state.case_id}</section>`
+    : "";
+  return `<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>${scenario.title}${proof && state.family !== "xss" ? " - proof" : ""}</title>
+  <style>
+    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
+    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
+    .proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
+    .baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
+    code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>${scenario.title}</h1>
+    <p>${scenario.subtitle}</p>
+    ${banner}
+    <p>System: <code>${scenario.system_id}</code> / Family: <code>${scenario.family}</code></p>
+    ${admin}
+    ${xssBlock}
+    ${uploads}
+    ${sink}
+    ${deserialize}
+  </main>
+</body>
+</html>`;
+}
+
+function readBody(req) {
+  return new Promise((resolve) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => {
+      try {
+        resolve(JSON.parse(Buffer.concat(chunks).toString("utf8") || "{}"));
+      } catch (_error) {
+        resolve({});
+      }
+    });
+  });
+}
+
+async function handleAttack(payload) {
+  const family = payload.family || state.family;
+  state.case_id = payload.case_id || state.case_id;
+  state.payload = payload;
+  state.proof = true;
+  if (family === "proxy-boundary") {
+    state.detail = "trusted forwarded headers crossed the boundary";
+  } else if (family === "authz-bypass") {
+    state.detail = "server-side authorization recheck was bypassed";
+  } else if (family === "ssrf") {
+    await fetch(`http://127.0.0.1:${port}/sink?case_id=${encodeURIComponent(state.case_id)}`);
+    state.detail = "server-side callback reached the local sink";
+  } else if (family === "xss") {
+    state.detail = "stored payload rendered inside the browser proof page";
+  } else if (family === "file-upload") {
+    state.uploads.push({ filename: payload.filename || `${state.case_id}.txt`, content: payload.content || "" });
+    state.detail = "upload marker accepted and listed";
+  } else if (family === "deserialization") {
+    state.detail = "unsafe object graph decoded without gadget execution";
+  }
+  note("attack", state.detail);
+}
+
+const server = http.createServer(async (req, res) => {
+  const url = new URL(req.url, `http://127.0.0.1:${port}`);
+  if (req.method === "GET" && url.pathname === "/healthz") {
+    sendJson(res, 200, { ok: true, system_id: scenario.system_id, family: scenario.family });
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/") {
+    const body = renderHtml();
+    res.writeHead(200, { "content-type": "text/html; charset=utf-8", "content-length": Buffer.byteLength(body) });
+    res.end(body);
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/admin") {
+    if (state.proof && ["proxy-boundary", "authz-bypass"].includes(state.family)) {
+      sendJson(res, 200, { ok: true, detail: state.detail, case_id: state.case_id });
+    } else {
+      sendJson(res, 403, { ok: false, detail: "admin boundary still enforced" });
+    }
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/sink") {
+    state.sink_hits += 1;
+    note("sink-hit", url.searchParams.toString() || "local callback");
+    sendJson(res, 200, { ok: true, sink_hits: state.sink_hits });
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/proof") {
+    sendJson(res, 200, {
+      success: Boolean(state.proof),
+      detail: state.detail,
+      case_id: state.case_id,
+      sink_hits: state.sink_hits,
+      uploads: state.uploads,
+      events: state.events
+    });
+    return;
+  }
+  if (req.method === "POST" && url.pathname === "/seed") {
+    const payload = await readBody(req);
+    state.seeded = true;
+    state.proof = false;
+    state.case_id = String(payload.case_id || "");
+    state.detail = "fixture seeded";
+    state.uploads = [];
+    state.sink_hits = 0;
+    state.payload = null;
+    note("seed", state.case_id || "anonymous");
+    sendJson(res, 200, { ok: true, detail: "fixture seeded", case_id: state.case_id });
+    return;
+  }
+  if (req.method === "POST" && url.pathname === "/attack") {
+    const payload = await readBody(req);
+    await handleAttack(payload);
+    sendJson(res, 200, { ok: true, detail: state.detail, case_id: state.case_id });
+    return;
+  }
+  sendJson(res, 404, { ok: false, detail: "not found" });
+});
+
+server.listen(port, "0.0.0.0");
+
--- a/00-environments/templates/fixtures/shared/python_fixture.py
+++ b/00-environments/templates/fixtures/shared/python_fixture.py
@@ -0,0 +1,193 @@
+from __future__ import annotations
+
+import json
+import os
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+from pathlib import Path
+from urllib.parse import parse_qs, urlparse
+from urllib.request import urlopen
+
+
+SCENARIO_PATH = Path(os.environ["LAB_FIXTURE_SCENARIO"])
+PORT = int(os.environ.get("PORT", "3000"))
+SCENARIO = json.loads(SCENARIO_PATH.read_text(encoding="utf-8"))
+STATE = {
+    "seeded": False,
+    "proof": False,
+    "family": SCENARIO["family"],
+    "system_id": SCENARIO["system_id"],
+    "case_id": "",
+    "detail": "fixture ready",
+    "uploads": [],
+    "sink_hits": 0,
+    "payload": None,
+    "events": [],
+}
+
+
+def _note(event: str, detail: str) -> None:
+    STATE["events"].append({"event": event, "detail": detail})
+    STATE["events"] = STATE["events"][-20:]
+
+
+def _render_html() -> str:
+    title = SCENARIO["title"]
+    proof = STATE["proof"]
+    banner = f"<div class='proof'>Proof active: {STATE['detail']}</div>" if proof else "<div class='baseline'>Baseline ready</div>"
+    xss_block = ""
+    if proof and STATE["family"] == "xss":
+        xss_block = (
+            "<script>document.documentElement.setAttribute('data-xss-proof','true');"
+            f"document.title = {json.dumps(title + ' - proof')};</script>"
+            f"<div id='xss-proof'>XSS marker executed for {STATE['case_id']}</div>"
+        )
+    upload_block = ""
+    if STATE["uploads"]:
+        items = "".join(f"<li>{item['filename']}</li>" for item in STATE["uploads"])
+        upload_block = f"<section><h2>Uploads</h2><ul>{items}</ul></section>"
+    sink_block = ""
+    if STATE["sink_hits"]:
+        sink_block = f"<section id='ssrf-proof'>Local sink hits: {STATE['sink_hits']}</section>"
+    deserialize_block = ""
+    if proof and STATE["family"] == "deserialization":
+        deserialize_block = f"<section id='deserialize-proof'>Decoded marker: {STATE['case_id']}</section>"
+    admin_block = ""
+    if proof and STATE["family"] in {"proxy-boundary", "authz-bypass"}:
+        admin_block = "<section id='admin-proof'>Admin boundary bypass confirmed.</section>"
+    return f"""<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>{title}{' - proof' if proof and STATE['family'] != 'xss' else ''}</title>
+  <style>
+    body {{ font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }}
+    main {{ max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }}
+    .proof {{ padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }}
+    .baseline {{ padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }}
+    code {{ background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }}
+  </style>
+</head>
+<body>
+  <main>
+    <h1>{title}</h1>
+    <p>{SCENARIO['subtitle']}</p>
+    {banner}
+    <p>System: <code>{SCENARIO['system_id']}</code> / Family: <code>{SCENARIO['family']}</code></p>
+    {admin_block}
+    {xss_block}
+    {upload_block}
+    {sink_block}
+    {deserialize_block}
+  </main>
+</body>
+</html>"""
+
+
+class Handler(BaseHTTPRequestHandler):
+    def log_message(self, format: str, *args) -> None:
+        return
+
+    def _json(self, status_code: int, payload: dict) -> None:
+        body = json.dumps(payload).encode("utf-8")
+        self.send_response(status_code)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        self.wfile.write(body)
+
+    def _html(self, payload: str) -> None:
+        body = payload.encode("utf-8")
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html; charset=utf-8")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        self.wfile.write(body)
+
+    def do_GET(self) -> None:
+        parsed = urlparse(self.path)
+        if parsed.path == "/healthz":
+            self._json(200, {"ok": True, "system_id": SCENARIO["system_id"], "family": SCENARIO["family"]})
+            return
+        if parsed.path == "/":
+            self._html(_render_html())
+            return
+        if parsed.path == "/admin":
+            if STATE["proof"] and STATE["family"] in {"proxy-boundary", "authz-bypass"}:
+                self._json(200, {"ok": True, "detail": STATE["detail"], "case_id": STATE["case_id"]})
+            else:
+                self._json(403, {"ok": False, "detail": "admin boundary still enforced"})
+            return
+        if parsed.path == "/sink":
+            STATE["sink_hits"] += 1
+            _note("sink-hit", parsed.query or "local callback")
+            self._json(200, {"ok": True, "sink_hits": STATE["sink_hits"]})
+            return
+        if parsed.path == "/proof":
+            self._json(
+                200,
+                {
+                    "success": bool(STATE["proof"]),
+                    "detail": STATE["detail"],
+                    "case_id": STATE["case_id"],
+                    "sink_hits": STATE["sink_hits"],
+                    "uploads": STATE["uploads"],
+                    "events": STATE["events"],
+                },
+            )
+            return
+        self._json(404, {"ok": False, "detail": "not found"})
+
+    def do_POST(self) -> None:
+        parsed = urlparse(self.path)
+        raw = self.rfile.read(int(self.headers.get("Content-Length", "0") or "0"))
+        try:
+            payload = json.loads(raw.decode("utf-8") or "{}")
+        except Exception:
+            payload = {}
+        if parsed.path == "/seed":
+            STATE["seeded"] = True
+            STATE["proof"] = False
+            STATE["case_id"] = str(payload.get("case_id") or "")
+            STATE["detail"] = "fixture seeded"
+            STATE["uploads"] = []
+            STATE["sink_hits"] = 0
+            STATE["payload"] = None
+            _note("seed", STATE["case_id"] or "anonymous")
+            self._json(200, {"ok": True, "detail": "fixture seeded", "case_id": STATE["case_id"]})
+            return
+        if parsed.path == "/attack":
+            family = str(payload.get("family") or STATE["family"])
+            STATE["case_id"] = str(payload.get("case_id") or STATE["case_id"])
+            STATE["payload"] = payload
+            STATE["proof"] = True
+            if family == "proxy-boundary":
+                STATE["detail"] = "trusted forwarded headers crossed the boundary"
+            elif family == "authz-bypass":
+                STATE["detail"] = "server-side authorization recheck was bypassed"
+            elif family == "ssrf":
+                with urlopen(f"http://127.0.0.1:{PORT}/sink?case_id={STATE['case_id']}") as response:
+                    response.read()
+                STATE["detail"] = "server-side callback reached the local sink"
+            elif family == "xss":
+                STATE["detail"] = "stored payload rendered inside the browser proof page"
+            elif family == "file-upload":
+                STATE["uploads"].append(
+                    {
+                        "filename": payload.get("filename") or f"{STATE['case_id']}.txt",
+                        "content": payload.get("content") or "",
+                    }
+                )
+                STATE["detail"] = "upload marker accepted and listed"
+            elif family == "deserialization":
+                STATE["detail"] = "unsafe object graph decoded without gadget execution"
+            _note("attack", STATE["detail"])
+            self._json(200, {"ok": True, "detail": STATE["detail"], "case_id": STATE["case_id"]})
+            return
+        self._json(404, {"ok": False, "detail": "not found"})
+
+
+if __name__ == "__main__":
+    server = ThreadingHTTPServer(("0.0.0.0", PORT), Handler)
+    server.serve_forever()
+
--- a/00-environments/templates/fixtures/undici/ssrf/scenario.json
+++ b/00-environments/templates/fixtures/undici/ssrf/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"undici","family":"ssrf","title":"Undici SSRF Fixture","subtitle":"Undici-style request path proving only local sink callbacks.","browser_required":false}
+
--- a/00-environments/templates/fixtures/vite/file-upload/scenario.json
+++ b/00-environments/templates/fixtures/vite/file-upload/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"vite","family":"file-upload","title":"Vite File Upload Fixture","subtitle":"Local upload marker path with browser-visible proof.","browser_required":true}
+
--- a/00-environments/templates/fixtures/vite/proxy-boundary/scenario.json
+++ b/00-environments/templates/fixtures/vite/proxy-boundary/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"vite","family":"proxy-boundary","title":"Vite Proxy Boundary Fixture","subtitle":"Dev-server proxy boundary fixture with proof banner.","browser_required":true}
+
--- a/00-environments/templates/fixtures/vite/xss/scenario.json
+++ b/00-environments/templates/fixtures/vite/xss/scenario.json
@@ -0,0 +1,2 @@
+{"system_id":"vite","family":"xss","title":"Vite XSS Fixture","subtitle":"Client rendering proof for stored payload execution marker.","browser_required":true}
+
--- a/01-sql-injection/.DS_Store
+++ b/01-sql-injection/.DS_Store
--- a/01-sql-injection/tools/sqli-exploit.go
+++ b/01-sql-injection/tools/sqli-exploit.go
@@ -164,11 +164,11 @@ func (s *SQLiExploit) TestErrorBased(payloads []struct {
 			continue
 		}

-        for dbms := range errorPatterns {
-            if strings.Contains(body, "SQL") || strings.Contains(body, "error") ||
-                strings.Contains(body, "Error") || strings.Contains(body, "Warning") {
-                results = append(results, InjectionResult{
-                    Payload:     p.Payload,
+		for dbms := range errorPatterns {
+			if strings.Contains(body, "SQL") || strings.Contains(body, "error") ||
+				strings.Contains(body, "Error") || strings.Contains(body, "Warning") {
+				results = append(results, InjectionResult{
+					Payload:     p.Payload,
 					VulnType:    "Error-based",
 					DBMS:        dbms,
 					ResponseLen: respLen,
--- a/02-xss/.DS_Store
+++ b/02-xss/.DS_Store
--- a/02-xss/exploitation/README.md
+++ b/02-xss/exploitation/README.md
@@ -1,5 +1,9 @@
 # XSS 利用实验

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录预留给受控环境中的最小化利用演示、上下文差异说明和复现脚本。当前仅保留占位，避免误报为已完工。
+该目录用于记录受控环境中的最小化利用演示、上下文差异说明和浏览器回放要求。
+
+- 默认模式: `minimal-proof`
+- 证据要求: 截图、DOM 快照、console、network、关键元素文本
+- 关联入口: [scripts/lab/main.py](/Users/x/websafe/scripts/lab/main.py), [generated-runs](/Users/x/websafe/06-case-studies/generated-runs)
--- a/02-xss/payloads/README.md
+++ b/02-xss/payloads/README.md
@@ -1,5 +1,9 @@
 # XSS Payload 集合

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录后续用于保存按上下文分类的实验 payload。正式补齐前，统一以工具内建 payload 和案例文档为准。
+该目录用于记录按上下文分类的实验 payload 约束，而不是堆放面向未知站点的泛化攻击载荷。
+
+- 来源: 以 [xss-fuzzer.py](/Users/x/websafe/02-xss/tools/xss-fuzzer.py) 和 [xss-scanner.go](/Users/x/websafe/02-xss/tools/xss-scanner.go) 的内建 payload 为准
+- 语境: HTML、属性、DOM sink、编码绕过、CSP/Trusted Types 对照实验
+- 不适用: 面向未授权第三方目标的通用 payload 清单传播
--- a/03-authentication/.DS_Store
+++ b/03-authentication/.DS_Store
--- a/03-authentication/bruteforce/exploitation/README.md
+++ b/03-authentication/bruteforce/exploitation/README.md
@@ -1,5 +1,9 @@
 # 暴力破解利用说明

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录预留给登录流程、锁定策略和验证码绕过的实验说明，强调最小化验证而非账户接管。
+该目录用于记录登录流程、锁定策略和验证码前置控制面的实验说明，强调最小化验证而非账户接管。
+
+- 默认目标: 本地种子账号或授权演示账户
+- 默认方式: 小样本、低频、可审计请求
+- 工具入口: [web-brute.py](/Users/x/websafe/03-authentication/bruteforce/tools/web-brute.py)
--- a/03-authentication/bruteforce/wordlists/README.md
+++ b/03-authentication/bruteforce/wordlists/README.md
@@ -1,5 +1,9 @@
 # 字典文件说明

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录后续仅用于小规模、可审计的实验字典，不存放来自真实用户或泄露数据的口令集合。
+该目录仅用于小规模、可审计的实验字典。
+
+- 仅允许: 本地种子账号、演示密码、可回滚测试账户
+- 禁止: 真实用户密码、泄露口令库、撞库语料
+- 默认执行器: [web-brute.py](/Users/x/websafe/03-authentication/bruteforce/tools/web-brute.py)
--- a/03-authentication/jwt/exploitation/README.md
+++ b/03-authentication/jwt/exploitation/README.md
@@ -1,5 +1,9 @@
 # JWT 利用实验

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录预留给弱密钥、算法降级和 kid 注入的实验复盘，目标是验证控制面，而不是伪造真实第三方令牌。
+该目录用于弱密钥、算法降级和 `kid` 注入的实验复盘，目标是验证控制面，而不是伪造真实第三方令牌。
+
+- 默认工具: [jwt-cracker.py](/Users/x/websafe/03-authentication/jwt/tools/jwt-cracker.py)
+- 输出约束: 不暴露真实明文密钥或第三方真实令牌内容
+- 关联修复: `token-cookie-storage`, `authz-server-side-recheck`
--- a/03-authentication/session/exploitation/README.md
+++ b/03-authentication/session/exploitation/README.md
@@ -1,5 +1,9 @@
 # 会话利用实验

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录后续用于会话固定、Cookie 属性和登出失效对照实验。
+该目录用于会话固定、Cookie 属性、登出失效和 Token 轮换的最小化验证说明。
+
+- 默认工具: [session-lab.py](/Users/x/websafe/03-authentication/session/tools/session-lab.py)
+- 证据: Set-Cookie 属性、Storage 痕迹、可疑代理头、run bundle 链路
+- 不适用: 真实账户会话劫持或第三方令牌伪造
--- a/04-server-security/.DS_Store
+++ b/04-server-security/.DS_Store
--- a/04-server-security/nmap-scripts/README.md
+++ b/04-server-security/nmap-scripts/README.md
@@ -1,5 +1,9 @@
 # Nmap 脚本目录

-> `LAB NOTE` | `规划中`
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

-该目录预留给授权实验环境中的 NSE 脚本示例。当前不放置通用对外枚举脚本。
+该目录用于授权实验环境中的 NSE 脚本说明与约束。
+
+- 当前主入口仍是 [port-scanner.py](/Users/x/websafe/04-server-security/scanning/tools/port-scanner.py)
+- 若补充 NSE 样例，只能绑定 `lab-local`、`lab-public`、`authorized-third-party`
+- 不放置通用对外枚举脚本或泛互联网扫描模版
--- a/05-defense/.DS_Store
+++ b/05-defense/.DS_Store
--- a/06-case-studies/.DS_Store
+++ b/06-case-studies/.DS_Store
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18105:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-15192"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=gitea--CVE-2018-15192"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 01:27:52 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "979"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "playwright Python package import passed"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "chromium runtime launch passed"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318012749</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T01:27:54+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T01:27:54+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318012749</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.md
@@ -0,0 +1,66 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318012749
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T01:27:49+00:00`
+- 完成时间: `2026-03-18T01:27:54+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T01:27:49+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T01:27:49+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T01:27:49+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T01:27:52+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T01:27:52+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T01:27:52+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T01:27:52+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T01:27:52+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T01:27:52+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T01:27:54+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T01:27:54+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318012749 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318012749",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T01:27:49+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T01:27:49+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T01:27:49+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T01:27:52+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T01:27:54+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T01:27:54+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318012749"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T01:27:49+00:00",
+  "finished_at": "2026-03-18T01:27:54+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "failed",
+  "ok": false,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "playwright Python package import passed"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": false,
+      "detail": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 1,
+  "summary": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.html
@@ -0,0 +1,50 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318023002</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>blocked-artifact</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]
+H --&gt; I[&quot;阻塞: chromium launch failed: BrowserType.launch: Timeout 180000ms&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T02:30:02+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T02:30:02+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>doctor</code></td><td><code>failed</code></td><td>chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - &lt;launching&gt; /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - &lt;launched&gt; pid=25167
+</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>blocked-artifact</code></td><td>chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - &lt;launching&gt; /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - &lt;launched&gt; pid=25167
+</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>wait-ready</code></td><td><code>skipped</code></td><td>provisioning blocked</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>seed-environment</code></td><td><code>skipped</code></td><td>runtime steps unavailable</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>skipped</code></td><td>no baseline urls or provisioning blocked</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>skipped</code></td><td>provisioning blocked</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>skipped</code></td><td>container_logs=0</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>skipped</code></td><td>cleanup_policy not destroy</td></tr>
+<tr><td><code>2026-03-18T02:42:30+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318023002</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>-</code></td><td><code>skipped</code></td><td><code>当前没有攻击步骤</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.md
@@ -0,0 +1,69 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318023002
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `blocked-artifact`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T02:30:02+00:00`
+- 完成时间: `2026-03-18T02:42:30+00:00`
+- 阻塞原因: `chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - <launched> pid=25167
+`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T02:30:02+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T02:30:02+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T02:42:30+00:00` | `doctor` | `failed` | chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - <launched> pid=25167
+ |
+| `2026-03-18T02:42:30+00:00` | `provision-compose-environment` | `blocked-artifact` | chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.
+Call log:
+  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window
+  - <launched> pid=25167
+ |
+| `2026-03-18T02:42:30+00:00` | `wait-ready` | `skipped` | provisioning blocked |
+| `2026-03-18T02:42:30+00:00` | `seed-environment` | `skipped` | runtime steps unavailable |
+| `2026-03-18T02:42:30+00:00` | `baseline-snapshot` | `skipped` | no baseline urls or provisioning blocked |
+| `2026-03-18T02:42:30+00:00` | `controlled-attack-chain` | `skipped` | provisioning blocked |
+| `2026-03-18T02:42:30+00:00` | `collect-logs-and-evidence` | `skipped` | container_logs=0 |
+| `2026-03-18T02:42:30+00:00` | `cleanup-compose-environment` | `skipped` | cleanup_policy not destroy |
+| `2026-03-18T02:42:30+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318023002 |
+
+## Compose 拓扑
+
+- Compose 文件: `-`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `-` | `skipped` | `no attack steps` |
+
+## 证据摘要
+
+- Baseline: `0`
+- 攻击步骤: `0`
+- 浏览器证据: `0`
+- 容器日志: `0`
+- 请求日志: `0`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/run.json
@@ -0,0 +1,128 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318023002",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "blocked-artifact",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [],
+  "attack_steps": [],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [],
+  "request_log_refs": [],
+  "compose_refs": [],
+  "timeline": [
+    {
+      "at": "2026-03-18T02:30:02+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T02:30:02+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "doctor",
+      "status": "failed",
+      "detail": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "provision-compose-environment",
+      "status": "blocked-artifact",
+      "detail": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "wait-ready",
+      "status": "skipped",
+      "detail": "provisioning blocked"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "seed-environment",
+      "status": "skipped",
+      "detail": "runtime steps unavailable"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "baseline-snapshot",
+      "status": "skipped",
+      "detail": "no baseline urls or provisioning blocked"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "controlled-attack-chain",
+      "status": "skipped",
+      "detail": "provisioning blocked"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "skipped",
+      "detail": "container_logs=0"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "skipped",
+      "detail": "cleanup_policy not destroy"
+    },
+    {
+      "at": "2026-03-18T02:42:30+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318023002"
+    }
+  ],
+  "success_evaluation": {
+    "passed": false,
+    "verification_status": "blocked-artifact",
+    "blocked_reason": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n",
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": false,
+        "detail": "baseline checks were incomplete"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": false,
+        "detail": "runner did not confirm success"
+      }
+    ]
+  },
+  "historical_status": "blocked-artifact",
+  "latest_status": "blocked-artifact",
+  "started_at": "2026-03-18T02:30:02+00:00",
+  "finished_at": "2026-03-18T02:42:30+00:00",
+  "blocked_reason": "chromium launch failed: BrowserType.launch: Timeout 180000ms exceeded.\nCall log:\n  - <launching> /Users/x/Library/Caches/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-mac-arm64/chrome-headless-shell --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Translate,AutoDeElevate,RenderDocument,OptimizationHints --enable-features=CDPScreenshotNewSurface --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --edge-skip-compat-layer-relaunch --enable-automation --disable-infobars --disable-search-engine-choice-screen --disable-sync --enable-unsafe-swiftshader --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=/var/folders/n7/4hh5kwt50913gn3xqyzf426c0000gn/T/playwright_chromiumdev_profile-azzIJQ --remote-debugging-pipe --no-startup-window\n  - <launched> pid=25167\n",
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318023002/timeline.mmd
@@ -0,0 +1,9 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
+H --> I["阻塞: chromium launch failed: BrowserType.launch: Timeout 180000ms"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18105:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-15192"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=gitea--CVE-2018-15192"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 03:46:23 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "979"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318034620</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T03:46:20+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T03:46:20+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T03:46:21+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:46:23+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T03:46:25+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T03:46:25+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318034620</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.md
@@ -0,0 +1,66 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318034620
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T03:46:20+00:00`
+- 完成时间: `2026-03-18T03:46:25+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T03:46:20+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T03:46:20+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T03:46:21+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T03:46:23+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T03:46:23+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T03:46:23+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T03:46:23+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T03:46:23+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T03:46:23+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T03:46:25+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T03:46:25+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318034620 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318034620",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T03:46:20+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T03:46:20+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T03:46:21+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:46:23+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T03:46:25+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T03:46:25+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318034620"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T03:46:20+00:00",
+  "finished_at": "2026-03-18T03:46:25+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034620/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18105:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-15192"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=gitea--CVE-2018-15192"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 03:49:35 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "979"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318034932</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T03:49:32+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T03:49:32+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T03:49:33+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T03:49:35+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:49:36+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T03:49:37+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T03:49:37+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318034932</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.md
@@ -0,0 +1,66 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318034932
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T03:49:32+00:00`
+- 完成时间: `2026-03-18T03:49:37+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T03:49:32+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T03:49:32+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T03:49:33+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T03:49:35+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T03:49:35+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T03:49:35+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T03:49:35+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T03:49:35+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T03:49:36+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T03:49:37+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T03:49:37+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318034932 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318034932",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T03:49:32+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T03:49:32+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T03:49:33+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T03:49:35+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:49:36+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T03:49:37+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T03:49:37+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318034932"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T03:49:32+00:00",
+  "finished_at": "2026-03-18T03:49:37+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318034932/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18105:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json
@@ -0,0 +1,57 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "server-side callback reached the local sink",
+  "before": {},
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  },
+  "after": {},
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "server-side callback reached the local sink",
+      "case_id": "gitea--CVE-2018-15192",
+      "sink_hits": 1,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-15192"
+        },
+        {
+          "event": "sink-hit",
+          "detail": "case_id=gitea--CVE-2018-15192"
+        },
+        {
+          "event": "attack",
+          "detail": "server-side callback reached the local sink"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "server-side callback reached the local sink"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 03:51:27 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "979"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea SSRF Fixture</title>\n  <style>\n    body { font"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "not required for selected profiles"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-ssrf",
+          "service": "app",
+          "binding": "18105:3000",
+          "port": 18105
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-ssrf"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/ready.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/ready.json
@@ -0,0 +1,12 @@
+{
+  "status": "completed",
+  "detail": "baseline urls ready (1)",
+  "elapsed_seconds": 0.0,
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18105/",
+      "status_code": 200
+    }
+  ],
+  "compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/seed.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/seed.json
@@ -0,0 +1,21 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "detail": "fixture seeded"
+    }
+  ],
+  "seeded": true,
+  "result": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "fixture seeded",
+      "case_id": "gitea--CVE-2018-15192"
+    }
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
+<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
+</head><body>
+<h1>运行 gitea-gitea--CVE-2018-15192-20260318035123</h1>
+<div class='grid'>
+<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
+<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
+<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
+<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
+</div>
+<h2>Mermaid 时间线</h2>
+<pre>flowchart LR
+A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
+B --&gt; C[&quot;生成 Compose 环境&quot;]
+C --&gt; D[&quot;采集基线快照&quot;]
+D --&gt; E[&quot;执行受控攻击步骤&quot;]
+E --&gt; F[&quot;浏览器回放验证&quot;]
+F --&gt; G[&quot;收集日志与证据&quot;]
+G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
+<h2>运行时间线</h2>
+<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
+<tr><td><code>2026-03-18T03:51:23+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
+<tr><td><code>2026-03-18T03:51:23+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
+<tr><td><code>2026-03-18T03:51:23+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
+<tr><td><code>2026-03-18T03:51:27+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
+<tr><td><code>2026-03-18T03:51:28+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
+<tr><td><code>2026-03-18T03:51:29+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
+<tr><td><code>2026-03-18T03:51:29+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318035123</td></tr>
+</tbody></table>
+<h2>攻击步骤</h2>
+<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
+<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json</code></td></tr>
+</tbody></table>
+<h2>证据清单</h2><ul>
+<li><code>compose/compose.yaml</code></li>
+<li><code>logs/docker/app.log</code></li>
+<li><code>logs/attack.json</code></li>
+<li><code>logs/baseline.json</code></li>
+</ul>
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.md
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.md
@@ -0,0 +1,66 @@
+# 运行 gitea-gitea--CVE-2018-15192-20260318035123
+
+> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
+
+- 漏洞条目: `gitea--CVE-2018-15192`
+- 系统: `gitea`
+- Repro Profile: `gitea-ssrf`
+- 实证状态: `verified-real`
+- 实证方式: `real`
+- Artifact 模式: `local-fixture`
+- 启动时间: `2026-03-18T03:51:23+00:00`
+- 完成时间: `2026-03-18T03:51:29+00:00`
+- 阻塞原因: `-`
+- Compose 服务: `app`
+
+## 运行时间线
+
+- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/timeline.mmd)
+
+| 时间 | 步骤 | 状态 | 说明 |
+|------|------|------|------|
+| `2026-03-18T03:51:23+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
+| `2026-03-18T03:51:23+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
+| `2026-03-18T03:51:23+00:00` | `doctor` | `completed` | all checks passed |
+| `2026-03-18T03:51:27+00:00` | `provision-compose-environment` | `ready` | - |
+| `2026-03-18T03:51:27+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
+| `2026-03-18T03:51:27+00:00` | `seed-environment` | `completed` | steps=1 |
+| `2026-03-18T03:51:27+00:00` | `baseline-snapshot` | `completed` | urls=1 |
+| `2026-03-18T03:51:27+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
+| `2026-03-18T03:51:28+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
+| `2026-03-18T03:51:29+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
+| `2026-03-18T03:51:29+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318035123 |
+
+## Compose 拓扑
+
+- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml`
+- 服务列表: `app`
+
+## 攻击步骤
+
+| 工具/步骤 | 状态 | 结果 |
+|-----------|------|------|
+| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json` |
+
+## 证据摘要
+
+- Baseline: `1`
+- 攻击步骤: `1`
+- 浏览器证据: `0`
+- 容器日志: `1`
+- 请求日志: `2`
+
+## 容器日志
+
+- `logs/docker/app.log`
+
+## 请求与基线日志
+
+- `logs/attack.json`
+- `logs/baseline.json`
+
+## 最小化验证说明
+
+- 仅限自有资产、本地靶场或已授权实验目标。
+- 默认执行 minimal-proof；不会把破坏性或不可回滚动作作为默认路径。
+- 若浏览器证据缺失，前端类案例不会被标为 `verified-*`。
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/run.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/run.json
@@ -0,0 +1,145 @@
+{
+  "run_id": "gitea-gitea--CVE-2018-15192-20260318035123",
+  "system_id": "gitea",
+  "advisory_id": "gitea--CVE-2018-15192",
+  "repro_profile_id": "gitea-ssrf",
+  "verification_status": "verified-real",
+  "verification_mode": "real",
+  "artifact_mode": "local-fixture",
+  "target_env": "local-docker",
+  "compose_services": [
+    "app"
+  ],
+  "baseline_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/baseline.json"
+  ],
+  "attack_steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.ssrf",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json"
+    }
+  ],
+  "browser_refs": [],
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": [],
+    "baseline_refs": [],
+    "proof_refs": [],
+    "baseline_title": null,
+    "proof_title": null,
+    "error_kind": null,
+    "reason": null
+  },
+  "container_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/docker/app.log"
+  ],
+  "request_log_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/attack.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/logs/baseline.json"
+  ],
+  "compose_refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/compose/compose.yaml"
+  ],
+  "timeline": [
+    {
+      "at": "2026-03-18T03:51:23+00:00",
+      "step": "select-advisory",
+      "status": "completed",
+      "detail": "gitea--CVE-2018-15192"
+    },
+    {
+      "at": "2026-03-18T03:51:23+00:00",
+      "step": "resolve-repro-profile",
+      "status": "completed",
+      "detail": "gitea-ssrf"
+    },
+    {
+      "at": "2026-03-18T03:51:23+00:00",
+      "step": "doctor",
+      "status": "completed",
+      "detail": "all checks passed"
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "provision-compose-environment",
+      "status": "ready",
+      "detail": ""
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "wait-ready",
+      "status": "completed",
+      "detail": "baseline urls ready (1)"
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "seed-environment",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "baseline-snapshot",
+      "status": "completed",
+      "detail": "urls=1"
+    },
+    {
+      "at": "2026-03-18T03:51:27+00:00",
+      "step": "controlled-attack-chain",
+      "status": "completed",
+      "detail": "steps=1"
+    },
+    {
+      "at": "2026-03-18T03:51:28+00:00",
+      "step": "collect-logs-and-evidence",
+      "status": "completed",
+      "detail": "container_logs=1"
+    },
+    {
+      "at": "2026-03-18T03:51:29+00:00",
+      "step": "cleanup-compose-environment",
+      "status": "completed",
+      "detail": "docker compose down completed"
+    },
+    {
+      "at": "2026-03-18T03:51:29+00:00",
+      "step": "update-registry-and-reports",
+      "status": "completed",
+      "detail": "gitea-gitea--CVE-2018-15192-20260318035123"
+    }
+  ],
+  "success_evaluation": {
+    "passed": true,
+    "verification_status": "verified-real",
+    "blocked_reason": null,
+    "assertions": [
+      {
+        "name": "baseline-ok",
+        "kind": "baseline-ok",
+        "passed": true,
+        "detail": "baseline URLs responded without 5xx or transport errors"
+      },
+      {
+        "name": "runner-success",
+        "kind": "runner-success",
+        "passed": true,
+        "detail": "server-side callback reached the local sink"
+      }
+    ]
+  },
+  "historical_status": "verified-real",
+  "latest_status": "verified-real",
+  "started_at": "2026-03-18T03:51:23+00:00",
+  "finished_at": "2026-03-18T03:51:29+00:00",
+  "blocked_reason": null,
+  "report_refs": {
+    "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123",
+    "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.md",
+    "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/report.html",
+    "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/timeline.mmd"
+  }
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/timeline.mmd
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318035123/timeline.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+A["选择 Advisory"] --> B["解析 Repro Profile"]
+B --> C["生成 Compose 环境"]
+C --> D["采集基线快照"]
+D --> E["执行受控攻击步骤"]
+E --> F["浏览器回放验证"]
+F --> G["收集日志与证据"]
+G --> H["回写 Registry 与报告"]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html><html lang="zh-CN"><head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Gitea Proxy Boundary Fixture</title>
+  <style>
+    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
+    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
+    .proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
+    .baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
+    code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>Gitea Proxy Boundary Fixture</h1>
+    <p>Forwarded header trust boundary and admin gate fixture.</p>
+    <div class="baseline">Baseline ready</div>
+    <p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
+    
+    
+    
+    
+    
+  </main>
+
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html><html lang="zh-CN"><head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Gitea Proxy Boundary Fixture - proof</title>
+  <style>
+    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
+    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
+    .proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
+    .baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
+    code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>Gitea Proxy Boundary Fixture</h1>
+    <p>Forwarded header trust boundary and admin gate fixture.</p>
+    <div class="proof">Proof active: trusted forwarded headers crossed the boundary</div>
+    <p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
+    <section id="admin-proof">Admin boundary bypass confirmed.</section>
+    
+    
+    
+    
+  </main>
+
+</body></html>
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml
@@ -0,0 +1,26 @@
+services:
+  app:
+    image: python:3.12-alpine
+    networks:
+    - labnet
+    ports:
+    - 18101:3000
+    environment:
+      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
+      PORT: '3000'
+    command:
+    - python
+    - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
+    working_dir: /workspace
+    volumes:
+    - /Users/x/websafe:/workspace:ro
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
+      interval: 2s
+      timeout: 2s
+      retries: 20
+networks:
+  labnet:
+    driver: bridge
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json
@@ -0,0 +1,68 @@
+{
+  "steps": [
+    {
+      "kind": "runner",
+      "tool": "gitea.proxy-boundary",
+      "status": "completed",
+      "status_code": 200,
+      "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json"
+    }
+  ],
+  "success": true,
+  "detail": "trusted forwarded headers crossed the boundary",
+  "before": {
+    "status_code": 403,
+    "ok": false,
+    "body": {
+      "ok": false,
+      "detail": "admin boundary still enforced"
+    }
+  },
+  "attack": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "trusted forwarded headers crossed the boundary",
+      "case_id": "gitea--CVE-2018-18926"
+    }
+  },
+  "after": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "ok": true,
+      "detail": "trusted forwarded headers crossed the boundary",
+      "case_id": "gitea--CVE-2018-18926"
+    }
+  },
+  "proof": {
+    "status_code": 200,
+    "ok": true,
+    "body": {
+      "success": true,
+      "detail": "trusted forwarded headers crossed the boundary",
+      "case_id": "gitea--CVE-2018-18926",
+      "sink_hits": 0,
+      "uploads": [],
+      "events": [
+        {
+          "event": "seed",
+          "detail": "gitea--CVE-2018-18926"
+        },
+        {
+          "event": "attack",
+          "detail": "trusted forwarded headers crossed the boundary"
+        }
+      ]
+    }
+  },
+  "assertions": [
+    {
+      "name": "proof-success",
+      "kind": "runner-proof",
+      "passed": true,
+      "detail": "trusted forwarded headers crossed the boundary"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-browser.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-browser.json
@@ -0,0 +1,14 @@
+{
+  "required": true,
+  "present": true,
+  "page_title": "Gitea Proxy Boundary Fixture",
+  "page_url": "http://127.0.0.1:18101/",
+  "error_kind": null,
+  "refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json"
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json
@@ -0,0 +1 @@
+[]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json
@@ -0,0 +1,6 @@
+[
+  {
+    "method": "GET",
+    "url": "http://127.0.0.1:18101/"
+  }
+]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json
@@ -0,0 +1,5 @@
+{
+  "url": "http://127.0.0.1:18101/",
+  "title": "Gitea Proxy Boundary Fixture",
+  "body_excerpt": "\n  \n    Gitea Proxy Boundary Fixture\n    Forwarded header trust boundary and admin gate fixture.\n    Baseline ready\n    System: gitea / Family: proxy-boundary\n    \n    \n    \n    \n    \n  \n\n"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json
@@ -0,0 +1,24 @@
+{
+  "observations": [
+    {
+      "url": "http://127.0.0.1:18101/",
+      "status_code": 200,
+      "headers": {
+        "Server": "BaseHTTP/0.6 Python/3.12.13",
+        "Date": "Wed, 18 Mar 2026 01:25:42 GMT",
+        "Content-Type": "text/html; charset=utf-8",
+        "Content-Length": "1010"
+      },
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea Proxy Boundary Fixture</title>\n  <style>\n    body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n    main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radi"
+    }
+  ],
+  "steps": [
+    {
+      "kind": "http-get",
+      "status": "completed",
+      "path": "/",
+      "status_code": 200,
+      "body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Gitea Proxy Boundary Fixture</title>\n  <style>\n    b"
+    }
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/docker/app.log
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/docker/app.log
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/doctor.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/doctor.json
@@ -0,0 +1,44 @@
+{
+  "status": "passed",
+  "ok": true,
+  "checks": [
+    {
+      "name": "docker-cli",
+      "ok": true,
+      "detail": "docker CLI available"
+    },
+    {
+      "name": "docker-daemon",
+      "ok": true,
+      "detail": "context=desktop-linux"
+    },
+    {
+      "name": "playwright-import",
+      "ok": true,
+      "detail": "playwright Python package import passed"
+    },
+    {
+      "name": "playwright-browser",
+      "ok": true,
+      "detail": "chromium runtime launch passed"
+    },
+    {
+      "name": "ports",
+      "ok": true,
+      "detail": "checked 1 host port bindings",
+      "bindings": [
+        {
+          "profile_id": "gitea-proxy-boundary",
+          "service": "app",
+          "binding": "18101:3000",
+          "port": 18101
+        }
+      ]
+    }
+  ],
+  "profile_ids": [
+    "gitea-proxy-boundary"
+  ],
+  "failure_count": 0,
+  "summary": "all checks passed"
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-browser.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-browser.json
@@ -0,0 +1,14 @@
+{
+  "required": true,
+  "present": true,
+  "page_title": "Gitea Proxy Boundary Fixture - proof",
+  "page_url": "http://127.0.0.1:18101/",
+  "error_kind": null,
+  "refs": [
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
+    "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
+  ]
+}
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json
@@ -0,0 +1 @@
+[]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json
@@ -0,0 +1,6 @@
+[
+  {
+    "method": "GET",
+    "url": "http://127.0.0.1:18101/"
+  }
+]
--- a/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json
+++ b/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json
@@ -0,0 +1,5 @@
+{
+  "url": "http://127.0.0.1:18101/",
+  "title": "Gitea Proxy Boundary Fixture - proof",
+  "body_excerpt": "\n  \n    Gitea Proxy Boundary Fixture\n    Forwarded header trust boundary and admin gate fixture.\n    Proof active: trusted forwarded headers crossed the boundary\n    System: gitea / Family: proxy-boundary\n    Admin boundary bypass confirmed.\n    \n    \n    \n    \n  \n\n"
+}
--- a/显示更多
+++ b/显示更多
作者	SHA1	备注	提交日期
hao	6b2c96ab39	更新: 1 个文件 - 2026-04-02 05:50:37	2026-04-02 05:50:37 -07:00
hao	3e91bf1335	更新: 1 个文件 - 2026-04-02 05:45:25	2026-04-02 05:45:25 -07:00
hao	5c1b1412ac	更新: 1 个文件 - 2026-04-02 05:45:07	2026-04-02 05:45:07 -07:00
hao	353f6b9ded	更新: 1 个文件 - 2026-04-02 05:40:06	2026-04-02 05:40:07 -07:00
hao	fdcef59bd5	更新: 1 个文件 - 2026-04-02 05:34:52	2026-04-02 05:34:52 -07:00
hao	2175115eb8	更新: 1 个文件 - 2026-04-02 05:30:07	2026-04-02 05:30:07 -07:00
hao	f188256489	更新: 1 个文件 - 2026-04-02 05:29:40	2026-04-02 05:29:40 -07:00
hao	cdb4b6e7aa	更新: 1 个文件 - 2026-04-02 05:24:28	2026-04-02 05:24:28 -07:00
hao	1b2b184e05	更新: 1 个文件 - 2026-04-02 04:30:07	2026-04-02 04:30:07 -07:00
hao	bfabca157f	更新: 1 个文件 - 2026-04-02 04:29:16	2026-04-02 04:29:16 -07:00
hao	22dac5744d	更新: 1 个文件 - 2026-04-02 04:24:06	2026-04-02 04:24:06 -07:00
hao	a57889760e	更新: 1 个文件 - 2026-04-02 04:18:57	2026-04-02 04:18:57 -07:00
hao	fdbda88700	更新: 1 个文件 - 2026-04-02 04:15:08	2026-04-02 04:15:08 -07:00
hao	f7623235f1	更新: 1 个文件 - 2026-04-02 04:13:44	2026-04-02 04:13:44 -07:00
hao	c290377cb9	更新: 1 个文件 - 2026-04-02 04:08:36	2026-04-02 04:08:36 -07:00
hao	841df7b796	更新: 1 个文件 - 2026-04-02 04:03:28	2026-04-02 04:03:28 -07:00
hao	1f459afffd	更新: 1 个文件 - 2026-04-02 04:00:08	2026-04-02 04:00:08 -07:00
hao	6fd6ed1a84	更新: 1 个文件 - 2026-04-02 03:58:21	2026-04-02 03:58:21 -07:00
hao	b39886d37e	更新: 1 个文件 - 2026-04-02 03:51:56	2026-04-02 03:51:56 -07:00
hao	e4bae0d1ea	更新: 1 个文件 - 2026-04-02 03:46:49	2026-04-02 03:46:49 -07:00
hao	31793384d9	更新: 1 个文件 - 2026-04-02 03:45:07	2026-04-02 03:45:07 -07:00
hao	ffd41760b1	更新: 1 个文件 - 2026-04-02 03:41:41	2026-04-02 03:41:41 -07:00
hao	c2d0aa12e8	更新: 1 个文件 - 2026-04-02 03:36:33	2026-04-02 03:36:33 -07:00
hao	73cbdd8589	更新: 1 个文件 - 2026-04-02 03:31:26	2026-04-02 03:31:26 -07:00
hao	340ae2432c	更新: 1 个文件 - 2026-04-02 03:30:08	2026-04-02 03:30:08 -07:00
hao	78a6408a8f	更新: 1 个文件 - 2026-04-02 03:26:19	2026-04-02 03:26:19 -07:00
hao	27ec1c7927	更新: 1 个文件 - 2026-04-02 03:21:11	2026-04-02 03:21:11 -07:00
hao	b8f1db4828	更新: 1 个文件 - 2026-04-02 03:16:02	2026-04-02 03:16:02 -07:00
hao	ee25f55719	更新: 331 个文件 - 2026-04-02 03:15:10	2026-04-02 03:15:10 -07:00
hao	602f8b2d52	更新: 1 个文件 - 2026-04-02 02:15:51	2026-04-02 02:15:51 -07:00
hao	6881bda5c7	更新: 1 个文件 - 2026-04-02 02:15:06	2026-04-02 02:15:06 -07:00
hao	2d8fe53fc9	更新: 1 个文件 - 2026-04-02 02:10:42	2026-04-02 02:10:42 -07:00
hao	fe7b40f10b	更新: 1 个文件 - 2026-04-02 02:05:34	2026-04-02 02:05:34 -07:00
hao	ac68e791a8	更新: 1 个文件 - 2026-04-02 02:00:25	2026-04-02 02:00:25 -07:00
hao	694a7e14e6	更新: 1 个文件 - 2026-04-02 02:00:06	2026-04-02 02:00:06 -07:00
hao	2411f2e1d4	更新: 1 个文件 - 2026-04-02 01:55:17	2026-04-02 01:55:17 -07:00
hao	04bcb7b8ed	更新: 1 个文件 - 2026-04-02 01:50:08	2026-04-02 01:50:08 -07:00
hao	bc9b8b4980	更新: 1 个文件 - 2026-04-02 01:44:59	2026-04-02 01:44:59 -07:00
hao	a9d5eb5ed2	更新: 1 个文件 - 2026-04-02 01:39:46	2026-04-02 01:39:46 -07:00
hao	57b2330089	更新: 1 个文件 - 2026-04-02 01:34:26	2026-04-02 01:34:26 -07:00
hao	d9e5769c4a	更新: 1 个文件 - 2026-04-02 01:30:09	2026-04-02 01:30:10 -07:00
hao	cf6e2bf5af	更新: 1 个文件 - 2026-04-02 01:29:15	2026-04-02 01:29:15 -07:00
hao	708ec9e4a7	更新: 1 个文件 - 2026-04-02 01:24:04	2026-04-02 01:24:04 -07:00
hao	88cce4ee39	更新: 1 个文件 - 2026-04-02 01:18:54	2026-04-02 01:18:54 -07:00
hao	9af59802b8	更新: 1 个文件 - 2026-04-02 01:15:08	2026-04-02 01:15:08 -07:00
hao	329a4df7f7	更新: 1 个文件 - 2026-04-02 01:13:43	2026-04-02 01:13:43 -07:00
hao	c4a2ea81c9	更新: 1 个文件 - 2026-04-02 01:08:24	2026-04-02 01:08:24 -07:00
hao	982a352a54	更新: 1 个文件 - 2026-04-02 01:03:07	2026-04-02 01:03:07 -07:00
hao	55931d0caf	更新: 1 个文件 - 2026-04-02 01:00:07	2026-04-02 01:00:07 -07:00
hao	f821cf7252	更新: 1 个文件 - 2026-04-02 00:57:56	2026-04-02 00:57:56 -07:00
hao	8ea0ea23c2	更新: 1 个文件 - 2026-04-02 00:52:37	2026-04-02 00:52:37 -07:00
hao	6f09edeb2a	更新: 1 个文件 - 2026-04-02 00:47:27	2026-04-02 00:47:27 -07:00
hao	b35185f27d	更新: 1 个文件 - 2026-04-02 00:45:07	2026-04-02 00:45:07 -07:00
hao	9881c9f054	更新: 1 个文件 - 2026-04-02 00:42:10	2026-04-02 00:42:10 -07:00
hao	0a358199f9	更新: 1 个文件 - 2026-04-02 00:36:50	2026-04-02 00:36:50 -07:00
hao	204c10304f	更新: 1 个文件 - 2026-04-02 00:31:35	2026-04-02 00:31:35 -07:00
hao	9304d8bf5c	更新: 1 个文件 - 2026-04-02 00:30:08	2026-04-02 00:30:08 -07:00
hao	7645fe1f1b	更新: 1 个文件 - 2026-04-02 00:26:23	2026-04-02 00:26:23 -07:00
hao	5da1f89b8d	更新: 1 个文件 - 2026-04-02 00:21:12	2026-04-02 00:21:12 -07:00
hao	6aee1961ad	更新: 1 个文件 - 2026-04-01 20:00:53	2026-04-01 20:00:54 -07:00
hao	6efe8bc490	更新: 1 个文件 - 2026-04-01 20:00:07	2026-04-01 20:00:07 -07:00
hao	63fac31f71	更新: 1 个文件 - 2026-04-01 19:55:41	2026-04-01 19:55:41 -07:00
hao	66a4af13a3	更新: 1 个文件 - 2026-04-01 19:50:33	2026-04-01 19:50:33 -07:00
hao	c6b011894b	更新: 1 个文件 - 2026-04-01 19:45:24	2026-04-01 19:45:24 -07:00
hao	7145236d75	更新: 1 个文件 - 2026-04-01 19:45:07	2026-04-01 19:45:07 -07:00
hao	b38324b648	更新: 1 个文件 - 2026-04-01 19:40:15	2026-04-01 19:40:15 -07:00
hao	be2a0f9c84	更新: 1 个文件 - 2026-04-01 19:35:07	2026-04-01 19:35:07 -07:00
hao	f776727376	更新: 1 个文件 - 2026-04-01 19:29:59	2026-04-01 19:29:59 -07:00
hao	a8f50b02bc	更新: 1 个文件 - 2026-04-01 19:24:47	2026-04-01 19:24:47 -07:00
hao	69f48eb328	更新: 1 个文件 - 2026-04-01 19:19:39	2026-04-01 19:19:39 -07:00
hao	87f2670261	更新: 1 个文件 - 2026-04-01 19:15:07	2026-04-01 19:15:07 -07:00
hao	0690ce86b8	更新: 1 个文件 - 2026-04-01 19:14:32	2026-04-01 19:14:32 -07:00
hao	4d6feaf969	更新: 1 个文件 - 2026-04-01 19:09:22	2026-04-01 19:09:22 -07:00
hao	a34986b5f0	更新: 1 个文件 - 2026-04-01 19:04:13	2026-04-01 19:04:13 -07:00
hao	82df24cf96	更新: 1 个文件 - 2026-04-01 18:58:54	2026-04-01 18:58:55 -07:00
hao	c99a318991	更新: 1 个文件 - 2026-04-01 18:03:08	2026-04-01 18:03:08 -07:00
hao	8f6fc5de14	更新: 1 个文件 - 2026-04-01 18:00:11	2026-04-01 18:00:11 -07:00
hao	792af1f0a5	更新: 1 个文件 - 2026-04-01 17:57:55	2026-04-01 17:57:55 -07:00
hao	c61fd35507	更新: 1 个文件 - 2026-04-01 17:52:41	2026-04-01 17:52:41 -07:00
hao	ac7a34d56d	更新: 1 个文件 - 2026-04-01 17:50:14	2026-04-01 17:50:17 -07:00
hao	2a130f4013	更新: 1 个文件 - 2026-04-01 17:47:13	2026-04-01 17:47:15 -07:00
hao	df1d3596ce	更新: 1 个文件 - 2026-04-01 17:39:46	2026-04-01 17:39:46 -07:00
hao	a5af83d6d3	更新: 1 个文件 - 2026-04-01 17:34:38	2026-04-01 17:34:38 -07:00
hao	4e8bf14ed6	更新: 1 个文件 - 2026-04-01 17:30:11	2026-04-01 17:30:11 -07:00
hao	ba38ea5d21	更新: 1 个文件 - 2026-04-01 17:29:28	2026-04-01 17:29:28 -07:00
hao	4bbf3a34f0	更新: 1 个文件 - 2026-04-01 17:24:02	2026-04-01 17:24:02 -07:00
hao	3a25f50148	更新: 1 个文件 - 2026-04-01 17:18:55	2026-04-01 17:18:55 -07:00
hao	fbe566ee85	更新: 1 个文件 - 2026-04-01 17:15:08	2026-04-01 17:15:08 -07:00
hao	d4ac52aef6	更新: 1 个文件 - 2026-04-01 17:13:43	2026-04-01 17:13:43 -07:00
hao	92c30f4b94	更新: 1 个文件 - 2026-04-01 17:08:36	2026-04-01 17:08:36 -07:00
hao	12354356d8	更新: 1 个文件 - 2026-04-01 17:03:27	2026-04-01 17:03:28 -07:00
hao	aa37f0b848	更新: 1 个文件 - 2026-04-01 17:00:08	2026-04-01 17:00:08 -07:00
hao	875ddf245a	更新: 1 个文件 - 2026-04-01 16:58:03	2026-04-01 16:58:03 -07:00
hao	9a7051d7c0	更新: 1 个文件 - 2026-04-01 16:52:56	2026-04-01 16:52:56 -07:00
hao	b8012dd4b3	更新: 1 个文件 - 2026-04-01 16:46:33	2026-04-01 16:46:33 -07:00
hao	0a0b2c8c91	更新: 1 个文件 - 2026-04-01 16:45:08	2026-04-01 16:45:08 -07:00
hao	58ce1a47dc	更新: 1 个文件 - 2026-04-01 16:41:26	2026-04-01 16:41:26 -07:00
hao	8e32cfc8da	更新: 1 个文件 - 2026-04-01 16:36:19	2026-04-01 16:36:19 -07:00
hao	931e1f64ee	更新: 1 个文件 - 2026-04-01 16:31:11	2026-04-01 16:31:11 -07:00
hao	1277ba4344	更新: 1 个文件 - 2026-04-01 16:30:09	2026-04-01 16:30:09 -07:00
hao	11a9ae4ccc	更新: 1 个文件 - 2026-04-01 16:21:02	2026-04-01 16:21:02 -07:00
hao	99e38526b2	更新: 1 个文件 - 2026-04-01 16:10:53	2026-04-01 16:10:53 -07:00
hao	7d59acc64b	更新: 1 个文件 - 2026-04-01 16:00:08	2026-04-01 16:00:08 -07:00
hao	8333d8ca12	更新: 1 个文件 - 2026-04-01 09:10:29	2026-04-01 09:10:29 -07:00
hao	280fc8e70b	更新: 1 个文件 - 2026-04-01 09:05:20	2026-04-01 09:05:20 -07:00
hao	235506dab9	更新: 1 个文件 - 2026-04-01 09:00:08	2026-04-01 09:00:08 -07:00
hao	8e98d8e3b0	更新: 1 个文件 - 2026-04-01 08:55:00	2026-04-01 08:55:01 -07:00
hao	7ad189fd09	更新: 1 个文件 - 2026-04-01 08:49:51	2026-04-01 08:49:51 -07:00
hao	c101a6fd40	更新: 1 个文件 - 2026-04-01 08:45:08	2026-04-01 08:45:08 -07:00
hao	477a74b375	更新: 1 个文件 - 2026-04-01 08:44:43	2026-04-01 08:44:43 -07:00
hao	a9afe3ff52	更新: 1 个文件 - 2026-04-01 08:39:32	2026-04-01 08:39:32 -07:00
hao	f1f85fc9d2	更新: 1 个文件 - 2026-04-01 08:29:24	2026-04-01 08:29:24 -07:00
hao	04285631db	更新: 1 个文件 - 2026-04-01 08:24:15	2026-04-01 08:24:15 -07:00
hao	652b915214	更新: 1 个文件 - 2026-04-01 08:19:05	2026-04-01 08:19:05 -07:00
hao	7f99f96c6a	更新: 1 个文件 - 2026-04-01 08:13:57	2026-04-01 08:13:57 -07:00
hao	4c0a513954	更新: 1 个文件 - 2026-04-01 08:08:49	2026-04-01 08:08:49 -07:00
hao	eff5a2505d	更新: 1 个文件 - 2026-04-01 08:03:40	2026-04-01 08:03:40 -07:00
hao	03e1a07bc4	更新: 1 个文件 - 2026-04-01 08:00:08	2026-04-01 08:00:08 -07:00
hao	d68ccea41f	更新: 1 个文件 - 2026-04-01 07:58:32	2026-04-01 07:58:32 -07:00
hao	6f4a03f63a	更新: 1 个文件 - 2026-04-01 07:53:23	2026-04-01 07:53:23 -07:00
hao	d0747e440c	更新: 1 个文件 - 2026-04-01 07:48:14	2026-04-01 07:48:14 -07:00
hao	ed26f34b7e	更新: 1 个文件 - 2026-04-01 07:45:08	2026-04-01 07:45:08 -07:00
hao	08c53c7071	更新: 1 个文件 - 2026-04-01 07:43:06	2026-04-01 07:43:06 -07:00
hao	fe8bd0c074	更新: 1 个文件 - 2026-04-01 06:52:54	2026-04-01 06:52:54 -07:00
hao	4b02834f77	更新: 1 个文件 - 2026-04-01 05:12:41	2026-04-01 05:12:41 -07:00
hao	1a9cfdb6f9	更新: 1 个文件 - 2026-04-01 05:07:34	2026-04-01 05:07:34 -07:00
hao	183c0bbf7a	更新: 1 个文件 - 2026-04-01 05:02:26	2026-04-01 05:02:26 -07:00
hao	96bde2118d	更新: 331 个文件 - 2026-04-01 05:00:10	2026-04-01 05:00:10 -07:00
hao	5beac32c48	更新: 319 个文件 - 2026-03-31 03:06:10	2026-03-31 03:06:11 -07:00
hao	e8a083bc68	更新: 269 个文件 - 2026-03-30 03:53:37	2026-03-30 03:53:37 -07:00
hao	6a60b43be7	监控更新: 2026-03-29 03:49:34	2026-03-29 03:50:57 -07:00
hao	d560e6b421	更新: 270 个文件 - 2026-03-28 03:48:48	2026-03-28 03:48:48 -07:00
hao	bce7f9ef61	更新: 307 个文件 - 2026-03-27 02:33:52	2026-03-27 02:33:52 -07:00
hao	3406fdb83f	更新: 2 个文件 - 2026-03-27 02:30:16	2026-03-27 02:30:16 -07:00
hao	1f7a3d6c60	更新: 489 个文件 - 2026-03-26 16:06:46	2026-03-26 16:06:46 -07:00
hao	1e447fe97f	更新: 413 个文件 - 2026-03-24 03:45:07	2026-03-24 03:45:08 -07:00
hao	cd808b4358	更新: 291 个文件 - 2026-03-23 03:00:08	2026-03-23 03:00:09 -07:00
hao	9c8cc7ec8a	监控更新: 2026-03-22 02:17:04	2026-03-22 02:19:03 -07:00
hao	bfd7d732ae	feat: sync version-driven intel coverage	2026-03-21 18:18:55 -07:00
hao	2d92ef6bce	更新: 2 个文件 - 2026-03-21 18:00:07	2026-03-21 18:00:07 -07:00
hao	e82b7d8cf6	更新: 4 个文件 - 2026-03-21 17:54:57	2026-03-21 17:54:57 -07:00
hao	af31c1b8d0	更新: 2 个文件 - 2026-03-21 17:49:36	2026-03-21 17:49:36 -07:00
hao	a0a5067ae1	更新: 3 个文件 - 2026-03-21 17:44:22	2026-03-21 17:44:22 -07:00
hao	e13c138232	监控更新: 2026-03-21 02:17:05	2026-03-21 06:37:00 -07:00
hao	c3a853d2cf	增强系统级实体覆盖摘要与工作台索引	2026-03-20 08:47:16 -07:00
hao	5e1ea395ef	监控更新: 2026-03-20 02:24:12	2026-03-20 06:41:46 -07:00
hao	1e81279e32	实现分层实体漏洞知识库与实体级完整度监控	2026-03-19 17:57:45 -07:00
hao	49fe46ab89	更新: 114 个文件 - 2026-03-19 16:45:07	2026-03-19 16:45:07 -07:00
hao	2e67bff9a7	Optimize cold source health probes	2026-03-19 02:31:34 -07:00
hao	826a907455	更新: 3 个文件 - 2026-03-19 02:29:34	2026-03-19 02:29:34 -07:00
hao	b57d649a2d	监控更新: 2026-03-19 02:17:03	2026-03-19 02:17:16 -07:00
hao	b0398f30b5	Retire remaining active NVD sources	2026-03-18 20:38:36 -07:00
hao	eb0e5d587a	Wire local NVD key loading	2026-03-18 19:54:45 -07:00
hao	baf8e8fa64	Cache NVD responses with API keys	2026-03-18 19:39:47 -07:00
hao	94d257177c	Stabilize source health monitoring	2026-03-18 19:28:13 -07:00
hao	9b0d72b112	更新: 103 个文件 - 2026-03-18 19:24:37	2026-03-18 19:24:37 -07:00
hao	8e13fcfbe0	更新: 4 个文件 - 2026-03-18 18:54:21	2026-03-18 18:54:21 -07:00
hao	42f380ef82	更新: 1 个文件 - 2026-03-18 18:49:00	2026-03-18 18:49:00 -07:00
hao	a950845ec6	更新: 2 个文件 - 2026-03-18 17:30:05	2026-03-18 17:30:05 -07:00
hao	6dff954778	更新: 4 个文件 - 2026-03-18 17:23:40	2026-03-18 17:23:40 -07:00
hao	301d15e91e	更新: 2 个文件 - 2026-03-18 16:28:30	2026-03-18 16:28:30 -07:00
hao	df455d7fb5	更新: 1 个文件 - 2026-03-18 16:13:21	2026-03-18 16:13:21 -07:00
hao	b9c67410c8	Fix completeness scope and restore generated summaries	2026-03-18 14:24:10 -07:00
hao	96b5353a91	更新: 2423 个文件 - 2026-03-18 14:23:01	2026-03-18 14:23:01 -07:00
hao	9a5f48cdf7	Refresh rendered dashboard snapshots	2026-03-18 14:18:50 -07:00
hao	00d828d090	Expand intel coverage and refresh monitoring	2026-03-18 14:18:09 -07:00
hao	87008d1bd5	更新: 15 个文件 - 2026-03-18 11:41:40	2026-03-18 11:41:40 -07:00
hao	13d341e71f	更新: 2933 个文件 - 2026-03-18 11:36:11	2026-03-18 11:36:12 -07:00
hao	1e9522e1a8	更新: 1 个文件 - 2026-03-18 11:26:00	2026-03-18 11:26:00 -07:00
hao	dbf9c375bc	监控更新: 2026-03-18 11:09:51	2026-03-18 11:21:09 -07:00
hao	fd8c4c6e31	更新: 3 个文件 - 2026-03-18 11:15:06	2026-03-18 11:15:06 -07:00
hao	48e5ce87f8	监控更新: 2026-03-18 10:58:07	2026-03-18 11:09:30 -07:00
hao	62adc24770	更新: 11 个文件 - 2026-03-18 11:00:06	2026-03-18 11:00:06 -07:00
hao	1f9d9b1d16	更新: 109 个文件 - 2026-03-18 10:55:52	2026-03-18 10:55:52 -07:00
hao	1d5cb533e3	更新: 5 个文件 - 2026-03-18 09:50:04	2026-03-18 09:50:04 -07:00
hao	dc31e6e80f	更新: 13 个文件 - 2026-03-18 09:44:57	2026-03-18 09:44:57 -07:00
hao	91d6f4d04e	更新: 178 个文件 - 2026-03-18 07:47:37	2026-03-18 07:47:37 -07:00
hao	63d89f2b0c	更新: 1 个文件 - 2026-03-18 07:33:19	2026-03-18 07:33:19 -07:00
hao	509281cfe9	更新: 8 个文件 - 2026-03-18 07:24:21	2026-03-18 07:24:21 -07:00
hao	0d30ca296c	更新: 8 个文件 - 2026-03-18 07:22:21	2026-03-18 07:22:21 -07:00
hao	bb436bc76f	更新: 8 个文件 - 2026-03-18 07:15:06	2026-03-18 07:15:06 -07:00
hao	99908f3e05	更新: 1 个文件 - 2026-03-17 23:14:38	2026-03-17 23:14:38 -07:00
hao	ab159308b5	更新: 1 个文件 - 2026-03-17 23:10:49	2026-03-17 23:10:49 -07:00
hao	29e753c170	更新: 1 个文件 - 2026-03-17 21:34:01	2026-03-17 21:34:01 -07:00
hao	316d36a20e	更新: 3 个文件 - 2026-03-17 21:32:04	2026-03-17 21:32:04 -07:00
hao	054b24072d	更新: 11 个文件 - 2026-03-17 21:30:02	2026-03-17 21:30:02 -07:00
hao	16a40646a3	更新: 558 个文件 - 2026-03-17 21:15:02	2026-03-17 21:15:03 -07:00
hao	080e55a98c	更新: 2531 个文件 - 2026-03-17 21:00:03	2026-03-17 21:00:04 -07:00
hao	a3edc88834	更新: 421 个文件 - 2026-03-17 18:30:02	2026-03-17 18:30:02 -07:00
hao	29c3faaa28	更新: 68 个文件 - 2026-03-17 06:00:01	2026-03-17 06:00:01 -07:00
hao	6385a0f6be	更新: 4 个文件 - 2026-03-17 05:45:01	2026-03-17 05:45:01 -07:00
hao	9c4db558fc	更新: 67 个文件 - 2026-03-17 03:30:01	2026-03-17 03:30:01 -07:00
hao	fc8e6fc949	增加 dashboard 顶部折叠功能	2026-03-17 03:16:12 -07:00
hao	e7248b76c6	更新: 74 个文件 - 2026-03-17 03:15:00	2026-03-17 03:15:00 -07:00
hao	63d6100f54	移除 dashboard 头部说明文案	2026-03-17 03:11:07 -07:00
hao	a39303f426	收紧非总览页 dashboard 头部	2026-03-17 02:37:39 -07:00
hao	d6b20c098b	修复 dashboard runs 生成物状态	2026-03-17 02:32:22 -07:00
hao	f95f14d3d8	更新: 97 个文件 - 2026-03-17 02:30:01	2026-03-17 02:30:01 -07:00
hao	4e3b4bf107	更新: 2 个文件 - 2026-03-17 02:15:00	2026-03-17 02:15:00 -07:00
hao	3f8c43b529	本地化 dashboard 并新增架构库面板	2026-03-17 02:03:51 -07:00
hao	72c6782c45	更新: 89 个文件 - 2026-03-17 02:00:01	2026-03-17 02:00:01 -07:00
hao	300c840509	Vendorize Lovart dashboard shell	2026-03-17 01:22:36 -07:00
hao	39a6eb6e19	更新: 8 个文件 - 2026-03-17 01:15:00	2026-03-17 01:15:00 -07:00
hao	40ffbbd9cd	Add dashboard docs and richer lab UI	2026-03-17 00:37:18 -07:00
hao	9796fa6d4c	更新: 77 个文件 - 2026-03-17 00:30:01	2026-03-17 00:30:01 -07:00
hao	1f2744825f	lab: automated intel and verification sync codex/intel-20260317-000751	2026-03-17 00:07:51 -07:00
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"authz-bypass","title":"Gitea Authz Bypass Fixture","subtitle":"Protected admin route with server-side bypass marker.","browser_required":false}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"file-upload","title":"Gitea File Upload Fixture","subtitle":"Attachment acceptance path with inert upload marker.","browser_required":true}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"proxy-boundary","title":"Gitea Proxy Boundary Fixture","subtitle":"Forwarded header trust boundary and admin gate fixture.","browser_required":true}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"ssrf","title":"Gitea SSRF Fixture","subtitle":"Server-side callback route restricted to a local sink.","browser_required":false}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"gitea","family":"xss","title":"Gitea Stored XSS Fixture","subtitle":"Stored payload rendering path for browser proof capture.","browser_required":true}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"nextjs","family":"authz-bypass","title":"Next.js Authz Bypass Fixture","subtitle":"Protected route fixture with explicit bypass proof.","browser_required":false}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"nextjs","family":"deserialization","title":"Next.js Deserialization Fixture","subtitle":"Unsafe decode path with inert marker object.","browser_required":false}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"nextjs","family":"proxy-boundary","title":"Next.js Proxy Boundary Fixture","subtitle":"Middleware trust-boundary fixture with forwarded-header proof.","browser_required":true}`
				`@@ -0,0 +1,2 @@`
				`{"system_id":"nextjs","family":"ssrf","title":"Next.js SSRF Fixture","subtitle":"Server-side fetch route restricted to local sink validation.","browser_required":false}`