canaria-computer · canaria-computer · Jan 13, 2026 · Jan 13, 2026 · Jan 13, 2026
diff --git a/cmd/lite.go b/cmd/lite.go
@@ -657,7 +657,8 @@ func generateReport(reportDir string, cfg *config.EvidenceConfig, accessInfo *ut
 		log.Warn("Failed to scan screenshots", "error", err)
 	}
 
-	if err := report.Generate(reportDir, reportID, cfg, accessInfo, targetIPv4, targetIPv6, targetGeo, screenshots); err != nil {
+	appCfg := appconfig.GetConfig()
+	if err := report.Generate(reportDir, reportID, cfg, appCfg, accessInfo, targetIPv4, targetIPv6, targetGeo, screenshots); err != nil {
 		log.Errorf("Failed to generate report: %v", err)
 		log.Warn("Evidence collection completed but report generation failed")
 	} else {

diff --git a/internal/appconfig/config.template.yaml b/internal/appconfig/config.template.yaml
@@ -52,14 +52,15 @@ reporter:
     email: "" # 例: "contact@example.com"
     phone: "" # 例: "+1 234 567 8900"
 
-  # 同意・開示設定 (Report.md の法的文言/同意フラグ等に反映)
-  # これらはデフォルトですべてfalseです。通知や共有を行う場合はtrueに設定してください。
+  # 同意・開示設定 (Report.md の「Information Sharing Policy」セクションに反映)
+  # いずれかの設定がtrueの場合、レポートに「Information Sharing Policy」セクションが表示されます。
+  # true: 同意を明示 / false: 不同意を明示 / すべてfalse: セクション非表示
   consent:
-    disclosure: false # XARF: Disclosure (情報公開の可否)
-    share_with_third_parties: false # 第三者（ホスティング会社等）への共有に同意するか
-    identity_to_third_parties: false # 第三者への「報告者身元」の開示に同意するか
-    share_with_site_owner: false # 侵害サイト所有者への通知に同意するか
-    identity_to_site_owner: false # 侵害サイト所有者への「報告者身元」の開示に同意するか
+    disclosure: false # レポート開示への同意 (XARF: Disclosure)
+    share_with_third_parties: false # 第三者（ホスティング会社、ISP等）への情報共有に同意するか
+    identity_to_third_parties: false # 第三者への報告者身元の開示に同意するか
+    share_with_site_owner: false # サイト所有者への通知に同意するか
+    identity_to_site_owner: false # サイト所有者への報告者身元の開示に同意するか
 
 # メール設定
 email:
@@ -81,5 +82,5 @@ email:
 
   # セキュリティオプション (開発環境専用、詳細はドキュメント参照)
   security:
-    ignore_tls_errors: false # TLS証明書検証をスキップ (WARNING: 開発環境のみ)
-    allow_unsafe_html: false # HTMLサニタイゼーションを無効化 (WARNING: XSSリスク)
+    ignore_tls_errors: false # TLS証明書検証をスキップ
+    allow_unsafe_html: false # HTMLサニタイゼーションを無効化
diff --git a/internal/report/report.go b/internal/report/report.go
@@ -9,6 +9,7 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/canaria-computer/down-force/internal/appconfig"
 	"github.com/canaria-computer/down-force/internal/config"
 	"github.com/canaria-computer/down-force/internal/utils"
 )
@@ -41,12 +42,17 @@ type ReportData struct {
 	ScreenshotCount      int
 	HARCount             int
 	HTMLCount            int
-	AbuseContactsList    string
 	Notes                string
+	HasConsentConfig     bool
+	Disclosure           bool
+	ShareWithThirdParties  bool
+	IdentityToThirdParties bool
+	ShareWithSiteOwner     bool
+	IdentityToSiteOwner    bool
 }
 
 // Generate creates the Report.md file
-func Generate(reportDir string, reportID string, cfg *config.EvidenceConfig, accessInfo *utils.AccessInfo, targetIPv4, targetIPv6 string, targetGeo *utils.GeoIPInfo, screenshots []string) error {
+func Generate(reportDir string, reportID string, cfg *config.EvidenceConfig, appCfg *appconfig.AppConfig, accessInfo *utils.AccessInfo, targetIPv4, targetIPv6 string, targetGeo *utils.GeoIPInfo, screenshots []string) error {
 	now := time.Now()
 	localTime := now.Format(time.RFC3339)
 	utcTime := now.UTC().Format(time.RFC3339)
@@ -63,22 +69,32 @@ func Generate(reportDir string, reportID string, cfg *config.EvidenceConfig, acc
 		PhishingURL:          cfg.Target.URL,
 		AccessIPv4:           accessInfo.FromIPv4,
 		AccessIPv6:           accessInfo.FromIPv6,
-		AccessLocation:       accessInfo.Country, // Country only
+		AccessLocation:       accessInfo.Country,
 		AccessASN:            accessInfo.ASN,
 		AccessISP:            accessInfo.ISP,
 		AccessTimestamp:      accessTimestamp,
 		UACount:              len(cfg.UserAgents),
 		SingleUA:             "",
 		PhishingIPv4:         targetIPv4,
 		PhishingIPv6:         targetIPv6,
-		RedirectChainDetails: "", // Empty so it shows nothing (User requested to keep header but "don't display None")
+		RedirectChainDetails: "",
 		ScreenshotCount:      len(screenshots),
 		HARCount:             0,
 		HTMLCount:            0,
-		AbuseContactsList:    "", // Empty, section will be hidden
 		Notes:                cfg.Notes,
 	}
 
+	if appCfg != nil {
+		consent := appCfg.Reporter.Consent
+		hasAnyConsent := consent.Disclosure || consent.ShareWithThirdParties || consent.IdentityToThirdParties || consent.ShareWithSiteOwner || consent.IdentityToSiteOwner
+		data.HasConsentConfig = hasAnyConsent
+		data.Disclosure = consent.Disclosure
+		data.ShareWithThirdParties = consent.ShareWithThirdParties
+		data.IdentityToThirdParties = consent.IdentityToThirdParties
+		data.ShareWithSiteOwner = consent.ShareWithSiteOwner
+		data.IdentityToSiteOwner = consent.IdentityToSiteOwner
+	}
+
 	if data.UACount == 1 {
 		data.SingleUA = cfg.UserAgents[0].UserAgentString
 	}

diff --git a/internal/report/report.tmpl b/internal/report/report.tmpl
@@ -9,7 +9,7 @@
 
 Dear Abuse Team,
 
-I am reporting a phishing site that is impersonating  [{{.Brand}}]({{.LegitimateURL}}) in an attempt to steal credentials.
+I am reporting a phishing site that is impersonating {{if .LegitimateURL}}[{{.Brand}}]({{.LegitimateURL}}){{else}}{{.Brand}}{{end}} in an attempt to steal credentials.
 Could you please review this case and take appropriate action?
 
 ## Target Information
@@ -44,6 +44,32 @@ Could you please review this case and take appropriate action?
 {{.RedirectChainDetails}}
 {{end}}
 
+{{if .HasConsentConfig}}## Information Sharing Policy
+
+This report is provided in good faith to support the investigation and mitigation of suspected phishing activity.
+
+### Disclosure Consent
+{{if .Disclosure}}- **Report Disclosure**: The reporter consents to the disclosure of this report.
+{{else}}- **Report Disclosure**: The reporter does NOT consent to the disclosure of this report.
+{{end}}
+
+### Third-Party Sharing
+{{if .ShareWithThirdParties}}- **Third-Party Sharing**: Information may be shared with relevant third parties (e.g., hosting providers, ISPs, or trusted security organizations) for abuse mitigation purposes.
+{{else}}- **Third-Party Sharing**: Information is NOT authorized to be shared with third parties beyond the receiving organization.
+{{end}}
+{{if .IdentityToThirdParties}}- **Reporter Identity to Third Parties**: Reporter identity and contact details may be shared with third parties.
+{{else}}- **Reporter Identity to Third Parties**: Reporter identity and contact details must NOT be disclosed to third parties.
+{{end}}
+
+### Site Owner Notification
+{{if .ShareWithSiteOwner}}- **Site Owner Notification**: Notification to the site owner regarding this report is permitted.
+{{if .IdentityToSiteOwner}}- **Reporter Identity to Site Owner**: Reporter identity and contact details may be shared with the site owner.
+{{else}}- **Reporter Identity to Site Owner**: Reporter identity and contact details must NOT be disclosed to the site owner.
+{{end}}
+{{else}}- **Site Owner Notification**: Notification to the site owner is NOT authorized.
+{{end}}
+{{end}}
+
 ## Evidence
 
 - **Screenshots:** {{.ScreenshotCount}} files captured
@@ -52,20 +78,15 @@ Could you please review this case and take appropriate action?
 {{end}}
 All evidence files are included in this report package.
 
-
 {{if or .Notes (ne .UACount 1)}}
 ## Notes
 
 {{if ne .UACount 1}}Testing was performed using multiple User-Agents.
 A representative screenshot is attached.
 Additional screenshots and evidence are available upon request.
-
 {{end}}{{.Notes}}
 {{end}}
-{{if .AbuseContactsList}}## Abuse Contacts
 
-{{.AbuseContactsList}}
-{{end}}
 ---
 
 **Note:**