From 882633e6af64bcd7b2eb26e43c83c93f3a42f910 Mon Sep 17 00:00:00 2001
From: Al Francis <fr4nc1stein@gmail.com>
Date: Mon, 25 May 2026 17:30:59 -0700
Subject: [PATCH 1/3] feat(scope): fill gaps in Scope Management module

- Migration 0011: add allowed_vuln_types, severity_restriction, notes,
  exclusion_paths, deleted_at columns to scopes table
- Schema: new fields typed in Drizzle schema
- GET /api/admin/scopes: filter soft-deleted records
- POST /api/admin/scopes: accept and persist new fields
- PATCH /api/admin/scopes/[id]: update new fields
- DELETE /api/admin/scopes/[id]: soft-delete (sets deleted_at) instead of hard delete
- GET /api/scopes: filter deleted, expose new fields to submission form
- Admin scope page: new fields in add/edit modal (vuln types, severity,
  notes, exclusion paths), archive dialog replaces delete dialog
- Submit page: shows scope restrictions banner and filters vuln type /
  severity options when a target with restrictions is selected

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 app/admin/scope/page.tsx               | 126 +++++++++++++++++++++++--
 app/api/admin/scopes/[id]/route.ts     | 104 +++++++++-----------
 app/api/admin/scopes/route.ts          |  52 +++++-----
 app/api/scopes/route.ts                |  20 ++--
 app/submit/page.tsx                    |  33 ++++++-
 lib/db/schema.ts                       |  21 +++--
 migrations/0011_scope_enhancements.sql |   9 ++
 7 files changed, 259 insertions(+), 106 deletions(-)
 create mode 100644 migrations/0011_scope_enhancements.sql

diff --git a/app/admin/scope/page.tsx b/app/admin/scope/page.tsx
index ed5a1bc..e12f619 100644
--- a/app/admin/scope/page.tsx
+++ b/app/admin/scope/page.tsx
@@ -13,11 +13,27 @@ interface Scope {
   description: string | null;
   targetType: string;
   status: string;
+  allowedVulnTypes: string | null;    // JSON array string
+  severityRestriction: string | null; // JSON array string
+  notes: string | null;
+  exclusionPaths: string | null;
   createdBy: string;
   createdAt: number;
   updatedAt: number;
 }
 
+const ALL_VULN_TYPES = [
+  'Broken Access Control', 'Cryptographic Failure', 'Injection (SQL / XSS / Command / SSTI)',
+  'Insecure Design', 'Security Misconfiguration', 'Vulnerable or Outdated Component',
+  'Authentication / Session Failure', 'Software & Data Integrity Failure',
+  'SSRF (Server-Side Request Forgery)', 'Business Logic Flaw',
+  'Information Disclosure / Data Leak', 'IDOR (Insecure Direct Object Reference)',
+  'Open Redirect', 'Clickjacking / UI Redressing', 'CORS Misconfiguration',
+  'Path Traversal / File Inclusion', 'Other',
+] as const;
+
+const ALL_SEVERITIES = ['Critical', 'High', 'Medium', 'Low', 'Info'] as const;
+
 const TARGET_TYPE_LABELS: Record<string, string> = {
   web_app: "Web Application",
   api: "API",
@@ -42,6 +58,10 @@ export default function ScopeManagement() {
     description: "",
     targetType: "web_app",
     status: "active",
+    allowedVulnTypes: [] as string[],
+    severityRestriction: [] as string[],
+    notes: "",
+    exclusionPaths: "",
   });
   const [toast, setToast] = useState<{ message: string; type: "success" | "error" | "info" } | null>(null);
   const [confirmDialog, setConfirmDialog] = useState<{ id: string; domain: string } | null>(null);
@@ -158,7 +178,7 @@ export default function ScopeManagement() {
       await fetchScopes();
       setShowAddModal(false);
       setEditingScope(null);
-      setFormData({ domain: "", description: "", targetType: "web_app", status: "active" });
+      setFormData({ domain: "", description: "", targetType: "web_app", status: "active", allowedVulnTypes: [], severityRestriction: [], notes: "", exclusionPaths: "" });
       setToast({
         message: editingScope ? 'Scope updated successfully!' : 'Scope added successfully!',
         type: 'success'
@@ -214,6 +234,10 @@ export default function ScopeManagement() {
       description: scope.description || "",
       targetType: scope.targetType,
       status: scope.status,
+      allowedVulnTypes: scope.allowedVulnTypes ? JSON.parse(scope.allowedVulnTypes) : [],
+      severityRestriction: scope.severityRestriction ? JSON.parse(scope.severityRestriction) : [],
+      notes: scope.notes || "",
+      exclusionPaths: scope.exclusionPaths || "",
     });
     setShowAddModal(true);
   }
@@ -221,7 +245,19 @@ export default function ScopeManagement() {
   function closeModal() {
     setShowAddModal(false);
     setEditingScope(null);
-    setFormData({ domain: "", description: "", targetType: "web_app", status: "active" });
+    setFormData({ domain: "", description: "", targetType: "web_app", status: "active", allowedVulnTypes: [], severityRestriction: [], notes: "", exclusionPaths: "" });
+  }
+
+  function toggleArrayField(field: 'allowedVulnTypes' | 'severityRestriction', value: string) {
+    setFormData(prev => {
+      const current = prev[field];
+      return {
+        ...prev,
+        [field]: current.includes(value)
+          ? current.filter(v => v !== value)
+          : [...current, value],
+      };
+    });
   }
 
   return (
@@ -402,7 +438,7 @@ export default function ScopeManagement() {
       {/* Add/Edit Modal */}
       {showAddModal && (
         <div className="fixed inset-0 bg-black/30 backdrop-blur-sm flex items-center justify-center z-50 p-4">
-          <div className="bg-white rounded-xl max-w-lg w-full p-6 shadow-2xl">
+          <div className="bg-white rounded-xl max-w-2xl w-full p-6 shadow-2xl max-h-[90vh] overflow-y-auto">
             <h2 className="text-xl font-bold text-gray-900 mb-4">
               {editingScope ? 'Edit Target' : 'Add New Target'}
             </h2>
@@ -465,6 +501,82 @@ export default function ScopeManagement() {
                 </select>
               </div>
 
+              {/* Allowed Vulnerability Types */}
+              <div>
+                <label className="block text-sm font-medium text-gray-700 mb-1">
+                  Allowed Vulnerability Types
+                  <span className="ml-1 text-xs text-gray-400 font-normal">(leave empty = all allowed)</span>
+                </label>
+                <div className="flex flex-wrap gap-2 max-h-40 overflow-y-auto p-2 border border-gray-200 rounded-lg">
+                  {ALL_VULN_TYPES.map(type => (
+                    <button
+                      key={type}
+                      type="button"
+                      onClick={() => toggleArrayField('allowedVulnTypes', type)}
+                      className={`px-2 py-1 text-xs rounded border transition-colors ${
+                        formData.allowedVulnTypes.includes(type)
+                          ? 'bg-blue-600 text-white border-blue-600'
+                          : 'bg-white text-gray-600 border-gray-300 hover:border-blue-400'
+                      }`}
+                    >
+                      {type}
+                    </button>
+                  ))}
+                </div>
+              </div>
+
+              {/* Severity Restriction */}
+              <div>
+                <label className="block text-sm font-medium text-gray-700 mb-1">
+                  Severity Restriction
+                  <span className="ml-1 text-xs text-gray-400 font-normal">(leave empty = all allowed)</span>
+                </label>
+                <div className="flex flex-wrap gap-2">
+                  {ALL_SEVERITIES.map(sev => (
+                    <button
+                      key={sev}
+                      type="button"
+                      onClick={() => toggleArrayField('severityRestriction', sev)}
+                      className={`px-3 py-1 text-xs rounded border transition-colors ${
+                        formData.severityRestriction.includes(sev)
+                          ? 'bg-blue-600 text-white border-blue-600'
+                          : 'bg-white text-gray-600 border-gray-300 hover:border-blue-400'
+                      }`}
+                    >
+                      {sev}
+                    </button>
+                  ))}
+                </div>
+              </div>
+
+              {/* Notes */}
+              <div>
+                <label className="block text-sm font-medium text-gray-700 mb-1">
+                  Notes / Guidelines for Researchers
+                </label>
+                <textarea
+                  rows={3}
+                  value={formData.notes}
+                  onChange={(e) => setFormData({ ...formData, notes: e.target.value })}
+                  placeholder="Special instructions, known issues, testing environment details..."
+                  className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm text-gray-900 placeholder-gray-400 focus:outline-none focus:ring-2 focus:ring-blue-500 resize-none"
+                />
+              </div>
+
+              {/* Exclusion Paths */}
+              <div>
+                <label className="block text-sm font-medium text-gray-700 mb-1">
+                  Exclusion Paths / Out-of-Scope Rules
+                </label>
+                <textarea
+                  rows={3}
+                  value={formData.exclusionPaths}
+                  onChange={(e) => setFormData({ ...formData, exclusionPaths: e.target.value })}
+                  placeholder="/admin/*, /health, third-party login pages..."
+                  className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm text-gray-900 placeholder-gray-400 focus:outline-none focus:ring-2 focus:ring-blue-500 resize-none"
+                />
+              </div>
+
               <div className="flex gap-3 pt-2">
                 <button
                   type="submit"
@@ -501,11 +613,11 @@ export default function ScopeManagement() {
       {/* Confirm Delete Dialog */}
       {confirmDialog && (
         <ConfirmDialog
-          title="Delete Target"
-          message={`Are you sure you want to delete "${confirmDialog.domain}"? This action cannot be undone.`}
-          confirmText="Delete"
+          title="Archive Target"
+          message={`Are you sure you want to archive "${confirmDialog.domain}"? It will no longer appear in the submission form or scope list. This can be undone by an admin.`}
+          confirmText="Archive"
           cancelText="Cancel"
-          type="danger"
+          type="warning"
           onConfirm={handleDelete}
           onCancel={() => setConfirmDialog(null)}
         />
diff --git a/app/api/admin/scopes/[id]/route.ts b/app/api/admin/scopes/[id]/route.ts
index c225fc5..debf7b9 100644
--- a/app/api/admin/scopes/[id]/route.ts
+++ b/app/api/admin/scopes/[id]/route.ts
@@ -1,20 +1,25 @@
 /**
  * PATCH /api/admin/scopes/[id] — Update scope
- * DELETE /api/admin/scopes/[id] — Delete scope
+ * DELETE /api/admin/scopes/[id] — Soft-delete scope (sets deleted_at)
  */
 import { NextRequest, NextResponse } from 'next/server';
 import { getDb, getCfEnv } from '@/lib/db';
 import { scopes } from '@/lib/db/schema';
 import { requireRole } from '@/lib/auth';
 import { z } from 'zod';
-import { eq } from 'drizzle-orm';
+import { eq, isNull, and } from 'drizzle-orm';
+import { VULN_TYPES, SEVERITIES } from '@/lib/validation';
 
 // PATCH - Update scope
 const UpdateScopeSchema = z.object({
-  domain: z.string().min(1).max(200).optional(),
-  description: z.string().max(500).optional().nullable(),
-  targetType: z.enum(['web_app', 'api', 'mobile', 'infrastructure']).optional(),
-  status: z.enum(['active', 'deprecated', 'out_of_scope']).optional(),
+  domain:              z.string().min(1).max(200).optional(),
+  description:         z.string().max(500).optional().nullable(),
+  targetType:          z.enum(['web_app', 'api', 'mobile', 'infrastructure']).optional(),
+  status:              z.enum(['active', 'deprecated', 'out_of_scope']).optional(),
+  allowedVulnTypes:    z.array(z.enum(VULN_TYPES)).optional().nullable(),
+  severityRestriction: z.array(z.enum(SEVERITIES)).optional().nullable(),
+  notes:               z.string().max(2000).optional().nullable(),
+  exclusionPaths:      z.string().max(2000).optional().nullable(),
 });
 
 export async function PATCH(
@@ -22,11 +27,8 @@ export async function PATCH(
   context: { params: Promise<{ id: string }> },
 ) {
   try {
-    console.log('[PATCH /api/admin/scopes/[id]] Starting request');
-    const authResult = await requireRole('ADMIN');
-    console.log('[PATCH /api/admin/scopes/[id]] Auth successful:', authResult.userId);
+    await requireRole('ADMIN');
     const { id } = await context.params;
-    console.log('[PATCH /api/admin/scopes/[id]] Scope ID:', id);
 
     let body: unknown;
     try { body = await request.json(); } catch {
@@ -35,7 +37,6 @@ export async function PATCH(
 
     const parsed = UpdateScopeSchema.safeParse(body);
     if (!parsed.success) {
-      console.error('[PATCH /api/admin/scopes/[id]] Validation failed:', parsed.error.flatten());
       return NextResponse.json(
         { error: 'Validation failed', details: parsed.error.flatten().fieldErrors },
         { status: 422 },
@@ -43,61 +44,47 @@ export async function PATCH(
     }
 
     const data = parsed.data;
-    console.log('[PATCH /api/admin/scopes/[id]] Parsed data:', JSON.stringify(data));
-    
     const db = getDb(getCfEnv().DB);
 
-    // Check if scope exists
-    const existing = await db.select().from(scopes).where(eq(scopes.id, id)).get();
+    const existing = await db.select().from(scopes)
+      .where(and(eq(scopes.id, id), isNull(scopes.deletedAt)))
+      .get();
     if (!existing) {
-      console.error('[PATCH /api/admin/scopes/[id]] Scope not found:', id);
       return NextResponse.json({ error: 'Scope not found' }, { status: 404 });
     }
-    console.log('[PATCH /api/admin/scopes/[id]] Existing scope:', JSON.stringify(existing));
-
-    // Build update object with proper field mapping
-    const updateData: Partial<typeof scopes.$inferInsert> = {
-      updatedAt: Date.now(),
-    };
-    
-    if (data.domain !== undefined) updateData.domain = data.domain;
+
+    const updateData: Partial<typeof scopes.$inferInsert> = { updatedAt: Date.now() };
+
+    if (data.domain !== undefined)      updateData.domain      = data.domain;
     if (data.description !== undefined) updateData.description = data.description || null;
-    if (data.targetType !== undefined) updateData.targetType = data.targetType;
-    if (data.status !== undefined) updateData.status = data.status;
-
-    console.log('[PATCH /api/admin/scopes/[id]] Update data:', JSON.stringify(updateData));
-
-    // Update scope
-    try {
-      await db.update(scopes)
-        .set(updateData)
-        .where(eq(scopes.id, id));
-      console.log('[PATCH /api/admin/scopes/[id]] Update successful');
-    } catch (dbError) {
-      console.error('[PATCH /api/admin/scopes/[id]] Database error:', dbError);
-      console.error('[PATCH /api/admin/scopes/[id]] Database error details:', JSON.stringify(dbError));
-      throw dbError;
+    if (data.targetType !== undefined)  updateData.targetType  = data.targetType;
+    if (data.status !== undefined)      updateData.status      = data.status;
+    if (data.notes !== undefined)       updateData.notes       = data.notes || null;
+    if (data.exclusionPaths !== undefined) updateData.exclusionPaths = data.exclusionPaths || null;
+
+    if (data.allowedVulnTypes !== undefined) {
+      updateData.allowedVulnTypes = data.allowedVulnTypes?.length
+        ? JSON.stringify(data.allowedVulnTypes)
+        : null;
+    }
+    if (data.severityRestriction !== undefined) {
+      updateData.severityRestriction = data.severityRestriction?.length
+        ? JSON.stringify(data.severityRestriction)
+        : null;
     }
 
+    await db.update(scopes).set(updateData).where(eq(scopes.id, id));
     const updated = await db.select().from(scopes).where(eq(scopes.id, id)).get();
 
-    return NextResponse.json({
-      success: true,
-      scope: updated,
-    });
+    return NextResponse.json({ success: true, scope: updated });
   } catch (err) {
     if (err instanceof Response) return err;
-    console.error('[PATCH /api/admin/scopes/[id]] Error:', err);
-    console.error('[PATCH /api/admin/scopes/[id]] Error message:', err instanceof Error ? err.message : String(err));
-    console.error('[PATCH /api/admin/scopes/[id]] Error stack:', err instanceof Error ? err.stack : 'No stack');
-    return NextResponse.json({ 
-      error: 'Internal server error',
-      details: err instanceof Error ? err.message : String(err)
-    }, { status: 500 });
+    console.error('[PATCH /api/admin/scopes/[id]]', err);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
   }
 }
 
-// DELETE - Delete scope
+// DELETE - Soft-delete scope
 export async function DELETE(
   _request: NextRequest,
   context: { params: Promise<{ id: string }> },
@@ -108,19 +95,18 @@ export async function DELETE(
 
     const db = getDb(getCfEnv().DB);
 
-    // Check if scope exists
-    const existing = await db.select().from(scopes).where(eq(scopes.id, id)).get();
+    const existing = await db.select().from(scopes)
+      .where(and(eq(scopes.id, id), isNull(scopes.deletedAt)))
+      .get();
     if (!existing) {
       return NextResponse.json({ error: 'Scope not found' }, { status: 404 });
     }
 
-    // Delete scope
-    await db.delete(scopes).where(eq(scopes.id, id));
+    await db.update(scopes)
+      .set({ deletedAt: Date.now(), updatedAt: Date.now() })
+      .where(eq(scopes.id, id));
 
-    return NextResponse.json({
-      success: true,
-      message: 'Scope deleted successfully',
-    });
+    return NextResponse.json({ success: true, message: 'Scope archived successfully' });
   } catch (err) {
     if (err instanceof Response) return err;
     console.error('[DELETE /api/admin/scopes/[id]]', err);
diff --git a/app/api/admin/scopes/route.ts b/app/api/admin/scopes/route.ts
index 3213dc1..555704a 100644
--- a/app/api/admin/scopes/route.ts
+++ b/app/api/admin/scopes/route.ts
@@ -1,5 +1,5 @@
 /**
- * GET /api/admin/scopes — List all scopes
+ * GET /api/admin/scopes — List all non-deleted scopes
  * POST /api/admin/scopes — Create new scope
  */
 import { NextRequest, NextResponse } from 'next/server';
@@ -7,15 +7,20 @@ import { getDb, getCfEnv } from '@/lib/db';
 import { scopes } from '@/lib/db/schema';
 import { requireRole } from '@/lib/auth';
 import { z } from 'zod';
-import { eq } from 'drizzle-orm';
+import { eq, isNull } from 'drizzle-orm';
+import { VULN_TYPES, SEVERITIES } from '@/lib/validation';
 
-// GET - List all scopes
+// GET - List all non-deleted scopes
 export async function GET(_request: NextRequest) {
   try {
     await requireRole('ADMIN');
 
     const db = getDb(getCfEnv().DB);
-    const allScopes = await db.select().from(scopes).all();
+    const allScopes = await db
+      .select()
+      .from(scopes)
+      .where(isNull(scopes.deletedAt))
+      .all();
 
     return NextResponse.json({
       scopes: allScopes,
@@ -24,9 +29,7 @@ export async function GET(_request: NextRequest) {
   } catch (err) {
     if (err instanceof Response) return err;
     console.error('[GET /api/admin/scopes] Error:', err);
-    console.error('[GET /api/admin/scopes] Error stack:', err instanceof Error ? err.stack : 'No stack');
-    console.error('[GET /api/admin/scopes] Error message:', err instanceof Error ? err.message : String(err));
-    return NextResponse.json({ 
+    return NextResponse.json({
       error: 'Internal server error',
       details: err instanceof Error ? err.message : String(err)
     }, { status: 500 });
@@ -35,10 +38,14 @@ export async function GET(_request: NextRequest) {
 
 // POST - Create new scope
 const CreateScopeSchema = z.object({
-  domain: z.string().min(1).max(200),
-  description: z.string().max(500).optional(),
-  targetType: z.enum(['web_app', 'api', 'mobile', 'infrastructure']).optional(),
-  status: z.enum(['active', 'deprecated', 'out_of_scope']).optional(),
+  domain:              z.string().min(1).max(200),
+  description:         z.string().max(500).optional(),
+  targetType:          z.enum(['web_app', 'api', 'mobile', 'infrastructure']).optional(),
+  status:              z.enum(['active', 'deprecated', 'out_of_scope']).optional(),
+  allowedVulnTypes:    z.array(z.enum(VULN_TYPES)).optional(),
+  severityRestriction: z.array(z.enum(SEVERITIES)).optional(),
+  notes:               z.string().max(2000).optional(),
+  exclusionPaths:      z.string().max(2000).optional(),
 });
 
 export async function POST(request: NextRequest) {
@@ -65,21 +72,22 @@ export async function POST(request: NextRequest) {
 
     await db.insert(scopes).values({
       id,
-      domain: data.domain,
-      description: data.description || null,
-      targetType: data.targetType || 'web_app',
-      status: data.status || 'active',
-      createdBy: userId,
-      createdAt: now,
-      updatedAt: now,
+      domain:              data.domain,
+      description:         data.description || null,
+      targetType:          data.targetType || 'web_app',
+      status:              data.status || 'active',
+      allowedVulnTypes:    data.allowedVulnTypes?.length ? JSON.stringify(data.allowedVulnTypes) : null,
+      severityRestriction: data.severityRestriction?.length ? JSON.stringify(data.severityRestriction) : null,
+      notes:               data.notes || null,
+      exclusionPaths:      data.exclusionPaths || null,
+      createdBy:           userId,
+      createdAt:           now,
+      updatedAt:           now,
     });
 
     const newScope = await db.select().from(scopes).where(eq(scopes.id, id)).get();
 
-    return NextResponse.json({
-      success: true,
-      scope: newScope,
-    }, { status: 201 });
+    return NextResponse.json({ success: true, scope: newScope }, { status: 201 });
   } catch (err) {
     if (err instanceof Response) return err;
     console.error('[POST /api/admin/scopes]', err);
diff --git a/app/api/scopes/route.ts b/app/api/scopes/route.ts
index 8708ec5..0923879 100644
--- a/app/api/scopes/route.ts
+++ b/app/api/scopes/route.ts
@@ -1,24 +1,28 @@
 /**
- * GET /api/scopes — Public endpoint to list active scopes
+ * GET /api/scopes — Public endpoint to list active scopes for the submission form
  */
 import { NextRequest, NextResponse } from 'next/server';
 import { getDb, getCfEnv } from '@/lib/db';
 import { scopes } from '@/lib/db/schema';
-import { eq } from 'drizzle-orm';
+import { eq, isNull, and } from 'drizzle-orm';
 
 export async function GET(_request: NextRequest) {
   try {
     const db = getDb(getCfEnv().DB);
     const activeScopes = await db
       .select({
-        id: scopes.id,
-        domain: scopes.domain,
-        description: scopes.description,
-        targetType: scopes.targetType,
-        status: scopes.status,
+        id:                  scopes.id,
+        domain:              scopes.domain,
+        description:         scopes.description,
+        targetType:          scopes.targetType,
+        status:              scopes.status,
+        allowedVulnTypes:    scopes.allowedVulnTypes,
+        severityRestriction: scopes.severityRestriction,
+        notes:               scopes.notes,
+        exclusionPaths:      scopes.exclusionPaths,
       })
       .from(scopes)
-      .where(eq(scopes.status, 'active'))
+      .where(and(eq(scopes.status, 'active'), isNull(scopes.deletedAt)))
       .all();
 
     return NextResponse.json({
diff --git a/app/submit/page.tsx b/app/submit/page.tsx
index 5563dda..ecbf23d 100644
--- a/app/submit/page.tsx
+++ b/app/submit/page.tsx
@@ -12,6 +12,10 @@ interface Scope {
   description: string | null;
   targetType: string;
   status: string;
+  allowedVulnTypes: string | null;    // JSON array string | null
+  severityRestriction: string | null; // JSON array string | null
+  notes: string | null;
+  exclusionPaths: string | null;
 }
 
 // ─── Vulnerability categories ─────────────────────────────────────────────────
@@ -149,6 +153,12 @@ export default function SubmitReport() {
   const [scopes, setScopes] = useState<Scope[]>([]);
   const [loadingScopes, setLoadingScopes] = useState(true);
 
+  const selectedScope = scopes.find(s => s.domain === form.target) ?? null;
+  const allowedVulnTypes: string[] = selectedScope?.allowedVulnTypes
+    ? JSON.parse(selectedScope.allowedVulnTypes) : [];
+  const allowedSeverities: string[] = selectedScope?.severityRestriction
+    ? JSON.parse(selectedScope.severityRestriction) : [];
+
   // Fetch active scopes from API
   useEffect(() => {
     async function fetchScopes() {
@@ -355,6 +365,25 @@ export default function SubmitReport() {
                 </select>
               </Field>
 
+              {/* Scope-specific restrictions banner */}
+              {selectedScope && (allowedVulnTypes.length > 0 || allowedSeverities.length > 0 || selectedScope.notes || selectedScope.exclusionPaths) && (
+                <div className="bg-amber-50 border border-amber-200 rounded-lg p-3 space-y-1.5 text-xs text-amber-800">
+                  <p className="font-semibold">⚠️ Scope restrictions for {selectedScope.domain}</p>
+                  {allowedVulnTypes.length > 0 && (
+                    <p><span className="font-medium">Accepted types:</span> {allowedVulnTypes.join(', ')}</p>
+                  )}
+                  {allowedSeverities.length > 0 && (
+                    <p><span className="font-medium">Accepted severities:</span> {allowedSeverities.join(', ')}</p>
+                  )}
+                  {selectedScope.notes && (
+                    <p><span className="font-medium">Notes:</span> {selectedScope.notes}</p>
+                  )}
+                  {selectedScope.exclusionPaths && (
+                    <p><span className="font-medium">Exclusions:</span> {selectedScope.exclusionPaths}</p>
+                  )}
+                </div>
+              )}
+
               <Field label="Vulnerability Type" required error={errors.vulnType}>
                 <select
                   value={form.vulnType}
@@ -363,7 +392,7 @@ export default function SubmitReport() {
                   data-error={errors.vulnType ? true : undefined}
                 >
                   <option value="">Select a type…</option>
-                  {VULN_TYPES.map((t) => (
+                  {(allowedVulnTypes.length > 0 ? allowedVulnTypes : VULN_TYPES).map((t) => (
                     <option key={t} value={t}>{t}</option>
                   ))}
                 </select>
@@ -375,7 +404,7 @@ export default function SubmitReport() {
                   Severity <span className="text-red-500">*</span>
                 </label>
                 <div className="grid grid-cols-2 sm:grid-cols-5 gap-2">
-                  {SEVERITIES.map((s) => (
+                  {SEVERITIES.filter(s => allowedSeverities.length === 0 || allowedSeverities.includes(s.value)).map((s) => (
                     <button
                       key={s.value}
                       type="button"
diff --git a/lib/db/schema.ts b/lib/db/schema.ts
index 3bb9de8..437718a 100644
--- a/lib/db/schema.ts
+++ b/lib/db/schema.ts
@@ -43,14 +43,19 @@ export const auditLogs = sqliteTable('audit_logs', {
 
 // ── Scopes (In-Scope Targets) ────────────────────────────────────────────────
 export const scopes = sqliteTable('scopes', {
-  id:          text('id').primaryKey(),
-  domain:      text('domain').notNull(),
-  description: text('description'),
-  targetType:  text('target_type').notNull(), // 'web_app', 'api', 'mobile', 'infrastructure'
-  status:      text('status').notNull(), // 'active', 'deprecated', 'out_of_scope'
-  createdBy:   text('created_by').notNull(), // Clerk user ID
-  createdAt:   integer('created_at').notNull(),
-  updatedAt:   integer('updated_at').notNull(),
+  id:                  text('id').primaryKey(),
+  domain:              text('domain').notNull(),
+  description:         text('description'),
+  targetType:          text('target_type').notNull(), // 'web_app', 'api', 'mobile', 'infrastructure'
+  status:              text('status').notNull(), // 'active', 'deprecated', 'out_of_scope'
+  allowedVulnTypes:    text('allowed_vuln_types'),    // JSON array | null = all allowed
+  severityRestriction: text('severity_restriction'),  // JSON array | null = all allowed
+  notes:               text('notes'),                 // freeform guidance shown to researchers
+  exclusionPaths:      text('exclusion_paths'),       // freeform exclusion rules
+  deletedAt:           integer('deleted_at'),          // null = live, set = soft-deleted
+  createdBy:           text('created_by').notNull(), // Clerk user ID
+  createdAt:           integer('created_at').notNull(),
+  updatedAt:           integer('updated_at').notNull(),
 });
 
 // ── Comments (Researcher-Triager Communication) ──────────────────────────────
diff --git a/migrations/0011_scope_enhancements.sql b/migrations/0011_scope_enhancements.sql
new file mode 100644
index 0000000..fe9c617
--- /dev/null
+++ b/migrations/0011_scope_enhancements.sql
@@ -0,0 +1,9 @@
+-- Migration: Add vuln type restrictions, severity restrictions, notes,
+--            exclusion paths, and soft-delete to the scopes table
+-- Created: 2026-05-25
+
+ALTER TABLE scopes ADD COLUMN allowed_vuln_types TEXT;      -- JSON array, NULL = all allowed
+ALTER TABLE scopes ADD COLUMN severity_restriction TEXT;     -- JSON array, NULL = all allowed
+ALTER TABLE scopes ADD COLUMN notes TEXT;                    -- freeform guidance for researchers
+ALTER TABLE scopes ADD COLUMN exclusion_paths TEXT;          -- freeform exclusion paths / rules
+ALTER TABLE scopes ADD COLUMN deleted_at INTEGER;            -- NULL = active, set = soft-deleted

From 60e37d6d151bf3e4508e5b87915ffed48f78ce43 Mon Sep 17 00:00:00 2001
From: Al Francis <fr4nc1stein@gmail.com>
Date: Mon, 25 May 2026 17:46:13 -0700
Subject: [PATCH 2/3] Fix scope restrictions and restore flow

---
 app/admin/scope/page.tsx           | 143 ++++++++++++++++++++---------
 app/api/admin/scopes/[id]/route.ts |   4 +-
 app/api/admin/scopes/route.ts      |  12 +--
 app/api/reports/route.ts           |  40 +++++++-
 docs/MIGRATION_ORDER.md            |   3 +-
 5 files changed, 148 insertions(+), 54 deletions(-)

diff --git a/app/admin/scope/page.tsx b/app/admin/scope/page.tsx
index e12f619..5973c23 100644
--- a/app/admin/scope/page.tsx
+++ b/app/admin/scope/page.tsx
@@ -1,5 +1,5 @@
 "use client";
-import React, { useEffect, useState } from "react";
+import React, { useCallback, useEffect, useState } from "react";
 import Link from "next/link";
 import SiteHeader from "../../components/SiteHeader";
 import SiteFooter from "../../components/SiteFooter";
@@ -17,6 +17,7 @@ interface Scope {
   severityRestriction: string | null; // JSON array string
   notes: string | null;
   exclusionPaths: string | null;
+  deletedAt: number | null;
   createdBy: string;
   createdAt: number;
   updatedAt: number;
@@ -45,6 +46,7 @@ const STATUS_COLORS: Record<string, string> = {
   active: "bg-green-100 text-green-700 border-green-200",
   deprecated: "bg-yellow-100 text-yellow-700 border-yellow-200",
   out_of_scope: "bg-red-100 text-red-700 border-red-200",
+  archived: "bg-gray-100 text-gray-700 border-gray-200",
 };
 
 export default function ScopeManagement() {
@@ -65,15 +67,35 @@ export default function ScopeManagement() {
   });
   const [toast, setToast] = useState<{ message: string; type: "success" | "error" | "info" } | null>(null);
   const [confirmDialog, setConfirmDialog] = useState<{ id: string; domain: string } | null>(null);
+  const [showArchived, setShowArchived] = useState(false);
   const [currentPage, setCurrentPage] = useState(1);
   const itemsPerPage = 25;
   const [searchQuery, setSearchQuery] = useState("");
   const [sortField, setSortField] = useState<keyof Scope | null>(null);
   const [sortDirection, setSortDirection] = useState<"asc" | "desc">("desc");
 
+  const fetchScopes = useCallback(async () => {
+    setLoading(true);
+    try {
+      const params = showArchived ? '?include_archived=true' : '';
+      const res = await fetch(`/api/admin/scopes${params}`);
+      if (!res.ok) throw new Error('Failed to fetch scopes');
+      const data = await res.json();
+      setScopes(data.scopes);
+    } catch (err) {
+      console.error('[fetchScopes]', err);
+      setToast({
+        message: 'Failed to load scopes',
+        type: 'error'
+      });
+    } finally {
+      setLoading(false);
+    }
+  }, [showArchived]);
+
   useEffect(() => {
     fetchScopes();
-  }, []);
+  }, [fetchScopes]);
 
   // Search and filter logic
   const filteredScopes = scopes.filter(scope => {
@@ -83,7 +105,8 @@ export default function ScopeManagement() {
       scope.domain.toLowerCase().includes(query) ||
       (scope.description && scope.description.toLowerCase().includes(query)) ||
       scope.targetType.toLowerCase().includes(query) ||
-      scope.status.toLowerCase().includes(query)
+      scope.status.toLowerCase().includes(query) ||
+      (scope.deletedAt !== null && 'archived'.includes(query))
     );
   });
 
@@ -91,8 +114,8 @@ export default function ScopeManagement() {
   const sortedScopes = [...filteredScopes].sort((a, b) => {
     if (!sortField) return 0;
     
-    let aVal: any = a[sortField];
-    let bVal: any = b[sortField];
+    let aVal: string | number | null = a[sortField];
+    let bVal: string | number | null = b[sortField];
     
     // Handle null values
     if (aVal === null || aVal === undefined) return 1;
@@ -138,24 +161,6 @@ export default function ScopeManagement() {
     return <span className="ml-1">{sortDirection === 'asc' ? '↑' : '↓'}</span>;
   };
 
-  async function fetchScopes() {
-    setLoading(true);
-    try {
-      const res = await fetch('/api/admin/scopes');
-      if (!res.ok) throw new Error('Failed to fetch scopes');
-      const data = await res.json();
-      setScopes(data.scopes);
-    } catch (err) {
-      console.error('[fetchScopes]', err);
-      setToast({
-        message: 'Failed to load scopes',
-        type: 'error'
-      });
-    } finally {
-      setLoading(false);
-    }
-  }
-
   async function handleSubmit(e: React.FormEvent) {
     e.preventDefault();
     setSubmitting(true);
@@ -215,7 +220,7 @@ export default function ScopeManagement() {
 
       await fetchScopes();
       setToast({
-        message: 'Scope deleted successfully!',
+        message: 'Scope archived successfully!',
         type: 'success'
       });
     } catch (err: unknown) {
@@ -227,6 +232,33 @@ export default function ScopeManagement() {
     }
   }
 
+  async function restoreScope(id: string) {
+    try {
+      const res = await fetch(`/api/admin/scopes/${id}`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ restore: true }),
+      });
+
+      if (!res.ok) {
+        const err = await res.json();
+        throw new Error(err.error || 'Failed to restore scope');
+      }
+
+      await fetchScopes();
+      setToast({
+        message: 'Scope restored successfully!',
+        type: 'success'
+      });
+    } catch (err: unknown) {
+      console.error('[restoreScope]', err);
+      setToast({
+        message: err instanceof Error ? err.message : 'Failed to restore scope',
+        type: 'error'
+      });
+    }
+  }
+
   function openEditModal(scope: Scope) {
     setEditingScope(scope);
     setFormData({
@@ -278,6 +310,16 @@ export default function ScopeManagement() {
             >
               + Add Target
             </button>
+            <button
+              onClick={() => setShowArchived((value) => !value)}
+              className={`px-4 py-2 text-sm font-semibold rounded-lg border transition-colors ${
+                showArchived
+                  ? 'bg-gray-900 text-white border-gray-900 hover:bg-gray-800'
+                  : 'bg-white text-gray-700 border-gray-300 hover:bg-gray-50'
+              }`}
+            >
+              {showArchived ? 'Hide Archived' : 'Show Archived'}
+            </button>
             <Link
               href="/admin"
               className="px-4 py-2 text-sm text-gray-600 hover:text-blue-600 transition-colors"
@@ -316,15 +358,19 @@ export default function ScopeManagement() {
           </div>
           <div className="bg-white rounded-xl border border-gray-200 p-4">
             <p className="text-xs text-gray-500 font-medium uppercase tracking-wide mb-1">Active</p>
-            <p className="text-2xl font-bold text-green-700">{scopes.filter(s => s.status === 'active').length}</p>
+            <p className="text-2xl font-bold text-green-700">{scopes.filter(s => s.status === 'active' && s.deletedAt === null).length}</p>
           </div>
           <div className="bg-white rounded-xl border border-gray-200 p-4">
             <p className="text-xs text-gray-500 font-medium uppercase tracking-wide mb-1">Deprecated</p>
-            <p className="text-2xl font-bold text-yellow-700">{scopes.filter(s => s.status === 'deprecated').length}</p>
+            <p className="text-2xl font-bold text-yellow-700">{scopes.filter(s => s.status === 'deprecated' && s.deletedAt === null).length}</p>
           </div>
           <div className="bg-white rounded-xl border border-gray-200 p-4">
-            <p className="text-xs text-gray-500 font-medium uppercase tracking-wide mb-1">Out of Scope</p>
-            <p className="text-2xl font-bold text-red-700">{scopes.filter(s => s.status === 'out_of_scope').length}</p>
+            <p className="text-xs text-gray-500 font-medium uppercase tracking-wide mb-1">{showArchived ? 'Archived' : 'Out of Scope'}</p>
+            <p className={`text-2xl font-bold ${showArchived ? 'text-gray-700' : 'text-red-700'}`}>
+              {showArchived
+                ? scopes.filter(s => s.deletedAt !== null).length
+                : scopes.filter(s => s.status === 'out_of_scope' && s.deletedAt === null).length}
+            </p>
           </div>
         </div>
 
@@ -373,7 +419,7 @@ export default function ScopeManagement() {
                 </thead>
                 <tbody className="divide-y divide-gray-100">
                   {paginatedScopes.map((scope) => (
-                    <tr key={scope.id} className="hover:bg-gray-50 transition-colors">
+                    <tr key={scope.id} className={`hover:bg-gray-50 transition-colors ${scope.deletedAt !== null ? 'opacity-60' : ''}`}>
                       <td className="px-4 py-3">
                         <p className="font-mono text-sm text-gray-900">{scope.domain}</p>
                       </td>
@@ -386,8 +432,8 @@ export default function ScopeManagement() {
                         </span>
                       </td>
                       <td className="px-4 py-3">
-                        <span className={`inline-block px-2 py-0.5 rounded border text-xs font-semibold capitalize ${STATUS_COLORS[scope.status] || STATUS_COLORS.active}`}>
-                          {scope.status.replace('_', ' ')}
+                        <span className={`inline-block px-2 py-0.5 rounded border text-xs font-semibold capitalize ${scope.deletedAt !== null ? STATUS_COLORS.archived : STATUS_COLORS[scope.status] || STATUS_COLORS.active}`}>
+                          {scope.deletedAt !== null ? 'archived' : scope.status.replace('_', ' ')}
                         </span>
                       </td>
                       <td className="px-4 py-3 text-xs text-gray-500">
@@ -395,18 +441,29 @@ export default function ScopeManagement() {
                       </td>
                       <td className="px-4 py-3">
                         <div className="flex items-center gap-2">
-                          <button
-                            onClick={() => openEditModal(scope)}
-                            className="px-3 py-1 bg-blue-600 text-white text-xs font-medium rounded hover:bg-blue-700 transition-colors"
-                          >
-                            Edit
-                          </button>
-                          <button
-                            onClick={() => confirmDelete(scope.id, scope.domain)}
-                            className="px-3 py-1 text-xs text-red-600 hover:bg-red-50 rounded-lg transition-colors"
-                          >
-                            Delete
-                          </button>
+                          {scope.deletedAt === null ? (
+                            <>
+                              <button
+                                onClick={() => openEditModal(scope)}
+                                className="px-3 py-1 bg-blue-600 text-white text-xs font-medium rounded hover:bg-blue-700 transition-colors"
+                              >
+                                Edit
+                              </button>
+                              <button
+                                onClick={() => confirmDelete(scope.id, scope.domain)}
+                                className="px-3 py-1 text-xs text-red-600 hover:bg-red-50 rounded-lg transition-colors"
+                              >
+                                Archive
+                              </button>
+                            </>
+                          ) : (
+                            <button
+                              onClick={() => restoreScope(scope.id)}
+                              className="px-3 py-1 bg-green-600 text-white text-xs font-medium rounded hover:bg-green-700 transition-colors"
+                            >
+                              Restore
+                            </button>
+                          )}
                         </div>
                       </td>
                     </tr>
diff --git a/app/api/admin/scopes/[id]/route.ts b/app/api/admin/scopes/[id]/route.ts
index debf7b9..024e084 100644
--- a/app/api/admin/scopes/[id]/route.ts
+++ b/app/api/admin/scopes/[id]/route.ts
@@ -20,6 +20,7 @@ const UpdateScopeSchema = z.object({
   severityRestriction: z.array(z.enum(SEVERITIES)).optional().nullable(),
   notes:               z.string().max(2000).optional().nullable(),
   exclusionPaths:      z.string().max(2000).optional().nullable(),
+  restore:             z.boolean().optional(),
 });
 
 export async function PATCH(
@@ -47,13 +48,14 @@ export async function PATCH(
     const db = getDb(getCfEnv().DB);
 
     const existing = await db.select().from(scopes)
-      .where(and(eq(scopes.id, id), isNull(scopes.deletedAt)))
+      .where(data.restore ? eq(scopes.id, id) : and(eq(scopes.id, id), isNull(scopes.deletedAt)))
       .get();
     if (!existing) {
       return NextResponse.json({ error: 'Scope not found' }, { status: 404 });
     }
 
     const updateData: Partial<typeof scopes.$inferInsert> = { updatedAt: Date.now() };
+    if (data.restore) updateData.deletedAt = null;
 
     if (data.domain !== undefined)      updateData.domain      = data.domain;
     if (data.description !== undefined) updateData.description = data.description || null;
diff --git a/app/api/admin/scopes/route.ts b/app/api/admin/scopes/route.ts
index 555704a..95af7ff 100644
--- a/app/api/admin/scopes/route.ts
+++ b/app/api/admin/scopes/route.ts
@@ -11,16 +11,16 @@ import { eq, isNull } from 'drizzle-orm';
 import { VULN_TYPES, SEVERITIES } from '@/lib/validation';
 
 // GET - List all non-deleted scopes
-export async function GET(_request: NextRequest) {
+export async function GET(request: NextRequest) {
   try {
     await requireRole('ADMIN');
 
+    const includeArchived = request.nextUrl.searchParams.get('include_archived') === 'true';
     const db = getDb(getCfEnv().DB);
-    const allScopes = await db
-      .select()
-      .from(scopes)
-      .where(isNull(scopes.deletedAt))
-      .all();
+    const query = db.select().from(scopes);
+    const allScopes = includeArchived
+      ? await query.all()
+      : await query.where(isNull(scopes.deletedAt)).all();
 
     return NextResponse.json({
       scopes: allScopes,
diff --git a/app/api/reports/route.ts b/app/api/reports/route.ts
index 239f557..520d5a0 100644
--- a/app/api/reports/route.ts
+++ b/app/api/reports/route.ts
@@ -10,7 +10,7 @@
  * - Optionally notifies via Discord webhook
  */
 import { NextRequest, NextResponse } from 'next/server';
-import { and, eq } from 'drizzle-orm';
+import { and, eq, isNull } from 'drizzle-orm';
 import { getDb, getCfEnv } from '@/lib/db';
 import { reports, scopes } from '@/lib/db/schema';
 import { encryptText, hashValue } from '@/lib/crypto';
@@ -29,6 +29,16 @@ function generateRefId(severity: string): string {
   return `VVDP-${severityCode}-${year}-${random}`;
 }
 
+function parseScopeArray(value: string | null): string[] {
+  if (!value) return [];
+  try {
+    const parsed = JSON.parse(value);
+    return Array.isArray(parsed) ? parsed.filter((item): item is string => typeof item === 'string') : [];
+  } catch {
+    return [];
+  }
+}
+
 export async function POST(request: NextRequest) {
   // ── Rate limiting — prevent spam submissions ─────────────────────────────
   const clientIp = getClientIP(request);
@@ -69,9 +79,17 @@ export async function POST(request: NextRequest) {
 
     // ── Validate target against active scope records ─────────────────────────
     const activeScope = await db
-      .select({ id: scopes.id })
+      .select({
+        id: scopes.id,
+        allowedVulnTypes: scopes.allowedVulnTypes,
+        severityRestriction: scopes.severityRestriction,
+      })
       .from(scopes)
-      .where(and(eq(scopes.domain, data.target), eq(scopes.status, 'active')))
+      .where(and(
+        eq(scopes.domain, data.target),
+        eq(scopes.status, 'active'),
+        isNull(scopes.deletedAt),
+      ))
       .get();
     if (!activeScope) {
       return NextResponse.json(
@@ -80,6 +98,22 @@ export async function POST(request: NextRequest) {
       );
     }
 
+    const allowedVulnTypes = parseScopeArray(activeScope.allowedVulnTypes);
+    if (allowedVulnTypes.length > 0 && !allowedVulnTypes.includes(data.vulnType)) {
+      return NextResponse.json(
+        { error: 'Validation failed', details: { vulnType: ['This vulnerability type is not allowed for the selected target'] } },
+        { status: 422 },
+      );
+    }
+
+    const severityRestriction = parseScopeArray(activeScope.severityRestriction);
+    if (severityRestriction.length > 0 && !severityRestriction.includes(data.severity)) {
+      return NextResponse.json(
+        { error: 'Validation failed', details: { severity: ['This severity is not allowed for the selected target'] } },
+        { status: 422 },
+      );
+    }
+
     // ── Ensure unique refId ──────────────────────────────────────────────────
     let refId = generateRefId(data.severity);
     const existing = await db.select().from(reports).where(eq(reports.refId, refId)).get();
diff --git a/docs/MIGRATION_ORDER.md b/docs/MIGRATION_ORDER.md
index 62dfd6f..cfef50d 100644
--- a/docs/MIGRATION_ORDER.md
+++ b/docs/MIGRATION_ORDER.md
@@ -12,10 +12,11 @@ Apply migrations in the order below for a fresh database. The filenames are not
 8. `migrations/0009_add_internal_flags.sql`
 9. `migrations/0010_convert_assigned_to_user_ids.sql`
 10. `migrations/0011_support_user_audit_logs.sql`
+11. `migrations/0012_scope_enhancements.sql`
 
 Run data maintenance scripts only after the schema migrations they depend on:
 
 - `migrations/backfill_hall_of_fame.sql`
 - `migrations/redact_existing_pii.sql`
 
-When adding new migrations, use four-digit zero-padded prefixes starting at `0011_` and keep Drizzle definitions in `lib/db/schema.ts` aligned with the resulting schema.
+When adding new migrations, use four-digit zero-padded prefixes starting at `0013_` and keep Drizzle definitions in `lib/db/schema.ts` aligned with the resulting schema.

From fd40df928ab4ed8d0acf8f99a17793bb285d812f Mon Sep 17 00:00:00 2001
From: Al Francis <fr4nc1stein@gmail.com>
Date: Mon, 25 May 2026 17:49:35 -0700
Subject: [PATCH 3/3] fix: rename migration 0011 to 0012 to avoid conflict with
 user audit logs migration

---
 .../{0011_scope_enhancements.sql => 0012_scope_enhancements.sql}  | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename migrations/{0011_scope_enhancements.sql => 0012_scope_enhancements.sql} (100%)

diff --git a/migrations/0011_scope_enhancements.sql b/migrations/0012_scope_enhancements.sql
similarity index 100%
rename from migrations/0011_scope_enhancements.sql
rename to migrations/0012_scope_enhancements.sql