
feat: add risk-based prioritization engine #155

Open

ChaudhariPiyush15 wants to merge 1 commit into ionfwsrijan:main from ChaudhariPiyush15:main

Conversation

@ChaudhariPiyush15


Description

Implements Issue #143: Risk-Based Prioritization Engine.

Backend

  • Added risk_score calculation based on severity, category, ML score, and reachability
  • Preserved existing ML ranking behavior
  • Added risk_score persistence in the database
  • Exposed risk_score through findings API responses

Frontend

  • Added risk score support to TypeScript models
  • Added risk score display and sorting in findings UI

Evidence Pack

  • Added prioritized findings reporting

Database

  • Added risk_score column
  • Added migration support for existing databases

Closes #143

@github-actions github-actions bot added labels: backend (Backend issues), frontend (Frontend issues), SSoC26, needs-work (Work needed), on Jun 22, 2026
@github-actions


⚠️ Automated Check: This PR does not strictly follow the required template. Please ensure you have not deleted any checkboxes or mandatory headings, and that you have written explanations under What this PR does and How did you test this?.

Correct PR Template

Please copy and paste the raw template below into your PR description and fill it out:

> **Before opening:** make sure there is an issue tracking this work, and link it below. PRs without a linked issue may be closed without review.

## Linked issue

Closes #

## What this PR does



## Type of change

- [ ] Bug fix
- [ ] New feature
- [ ] ML model / training pipeline
- [ ] Refactor (no behaviour change)
- [ ] Documentation
- [ ] Tests only

## ML tier (if applicable)

- [ ] Tier 1 — Triage
- [ ] Tier 2 — Predictive
- [ ] Tier 3 — Autonomous
- [ ] Not ML-related

## Stack affected

- [ ] Backend
- [ ] Frontend
- [ ] Both

---

## Changes

### Backend



-

### Frontend



-

### New dependencies



-

### Database / schema changes



-

---

## Testing

**How did you test this?**



**Checklist**

- [ ] Tested locally end-to-end (upload ZIP or GitHub URL → scan → findings returned correctly)
- [ ] New ML model falls back gracefully when model file is absent
- [ ] No new `console.error` or unhandled Python exceptions introduced
- [ ] Added or updated tests where applicable
- [ ] `requirements.txt` / `package.json` updated if new dependencies added
- [ ] New model files (`.pkl`, `.pt`, etc.) are gitignored, not committed

---

## Anything reviewers should focus on



## Screenshots (if UI changed)

@arpit2006 arpit2006 (Collaborator) left a comment

Thanks for working on this @ChaudhariPiyush15! The overall implementation is heading in the right direction, and the end-to-end propagation of risk scores (scoring → database → API → frontend) provides a solid foundation for the feature. Before this PR can be merged, however, there are a few issues that need to be addressed.

🔴 Critical Issues

1. Risk Score Is Not Normalized

The issue specification explicitly requires a normalized risk score in the range 0–100.

The current scoring formula can exceed this range significantly. For example, a finding with a critical severity, secret category bonus, ML bonus, and reachability multiplier can result in a score well above 100.

Please normalize the final score by capping it before persistence:

```python
f.risk_score = round(min(total, 100), 2)
```

This ensures compliance with the specification and keeps score interpretation consistent across the application.


2. RiskScorePill Thresholds Do Not Match the Specification

The issue defines the following priority tiers:

Priority | Score Range
-- | --
Critical | 90–100
High | 70–89
Medium | 40–69
Low | 0–39

The current implementation uses custom thresholds (>=100, >=50, etc.) that do not align with the accepted criteria.

Additionally, the UI currently displays only the numeric score and does not expose the corresponding priority label (e.g., Critical Priority, High Priority).

Please update the component to:

  • Use the specified thresholds.

  • Display the appropriate priority tier.

  • Ensure the visual styling reflects the assigned priority level.


🟡 Missing Acceptance Criteria

3. risk-score-summary.txt Missing from Evidence Pack

The issue explicitly requires generated evidence packs to include:

  • risk-prioritization-report.json

  • risk-score-summary.txt

At present, only the JSON output is included (under a renamed file), while the summary text report is missing.

Please generate and package the summary file as part of the evidence pack output.


4. Risk Score Filtering Not Implemented

One of the acceptance criteria states:

"Findings can be sorted and filtered by risk score."

Sorting support has been added, but filtering functionality is still absent.

Examples of acceptable implementations include:

  • Priority-based dropdown filters

  • Score range filters

  • "High Priority and Above" quick filters

Please add a filtering mechanism so users can narrow findings based on risk level.


5. Risk Distribution Visualization Missing

The issue also calls for:

"Add risk distribution visualization."

No visualization appears to have been added as part of this PR.

A simple implementation such as:

  • Priority distribution chart

  • Risk category breakdown

  • Summary dashboard widget

would satisfy this requirement.


Summary

The foundation of the feature is solid, but the following items must be addressed before merge:

Required

  • Normalize risk scores to 0–100.

  • Align RiskScorePill thresholds and labels with the specification.

Acceptance Criteria Still Missing

  • Add risk-score-summary.txt to evidence packs.

  • Implement risk score filtering.

  • Add a risk distribution visualization.

Once these changes are completed, I'd be happy to take another look. Thanks again for the contribution!
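As an added illustration of review points 1, 2, 4 and 5 above (example code, not from this PR or the project): a scorer that clamps the total to 0–100 before persistence, maps scores to the tiers the issue specifies, and provides the "High Priority and Above" quick filter plus the per-tier counts a distribution widget needs. The severity weights, secret-category bonus, ML bonus and reachability multiplier are assumed values chosen so the worst case overshoots 100 before capping.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed weights (not from the PR): chosen so the worst case overshoots 100
# before capping, which is the defect the review points out.
SEVERITY_BASE = {"critical": 90.0, "high": 70.0, "medium": 40.0, "low": 10.0}
CATEGORY_BONUS = {"secret": 15.0}      # hypothetical bonus for hard-coded secrets
ML_BONUS_MAX = 10.0                    # ML score in [0, 1] adds at most +10
REACHABILITY_MULTIPLIER = 1.25         # applied when the vulnerable path is reachable
# Tier floors from the issue spec, descending: 90-100, 70-89, 40-69, 0-39.
TIERS = (("Critical", 90), ("High", 70), ("Medium", 40), ("Low", 0))

@dataclass
class Finding:
    severity: str
    category: str
    ml_score: float = 0.0       # model confidence in [0, 1]
    reachable: bool = False
    risk_score: float = 0.0     # filled in by score_finding()

def raw_risk(f: Finding) -> float:
    """Uncapped total: severity base + category bonus + ML bonus, times reachability."""
    total = SEVERITY_BASE.get(f.severity.lower(), 0.0)
    total += CATEGORY_BONUS.get(f.category.lower(), 0.0)
    total += ML_BONUS_MAX * max(0.0, min(f.ml_score, 1.0))
    if f.reachable:
        total *= REACHABILITY_MULTIPLIER
    return total

def score_finding(f: Finding) -> float:
    """Clamp to 0-100 before persistence, as the review asks; max() guards bad weights."""
    f.risk_score = round(max(0.0, min(raw_risk(f), 100.0)), 2)
    return f.risk_score

def priority_tier(score: float) -> str:
    """Map a normalized score to the spec's tier label (anything below 0 is Low)."""
    for label, floor in TIERS:
        if score >= floor:
            return label
    return "Low"

def at_or_above(findings: list, tier: str) -> list:
    """'<tier> and above' quick filter, e.g. at_or_above(findings, 'High')."""
    floor = dict(TIERS)[tier]
    return [f for f in findings if f.risk_score >= floor]

def tier_distribution(findings: list) -> dict:
    """Per-tier counts: the data a priority distribution chart or summary widget needs."""
    return dict(Counter(priority_tier(f.risk_score) for f in findings))
```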


Development

Successfully merging this pull request may close these issues.

[ML-Tier?] Risk-Based Prioritization Engine for Security Findings
