@freshworks/shiftleft-tools 1.1.8

package/templates/postman-node/scripts/lib/api_coverage_node.py

@@ -0,0 +1,1137 @@
+#!/usr/bin/env python3
+"""
+API Coverage Matrix Generator for Node.js/Express services.
+
+Usage:
+    python3 api_coverage.py --routes-dir DIR --postman-dir DIR --html-output FILE
+"""
+
+import argparse
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(description='API Coverage Matrix Generator')
+    parser.add_argument('--routes-dir', required=True, help='Path to Express routes/controllers directory')
+    parser.add_argument('--postman-dir', required=True, help='Path to Postman directory')
+    parser.add_argument('--html-output', required=True, help='Path for HTML output file')
+    return parser.parse_args()
+
+
+import os
+import re
+import json
+import sys
+import html as _html
+from collections import defaultdict
+from datetime import datetime
+
+esc = _html.escape
+
+MAX_FILE_SIZE_MB = 50
+
+_args = parse_args()
+ROUTES_DIR = _args.routes_dir
+POSTMAN_DIR = _args.postman_dir
+HTML_OUTPUT_FILE = _args.html_output
+
+endpoints = []
+tested = []
+errors = []
+
+print(f"Scanning {ROUTES_DIR}", flush=True)
+print(f"Scanning {POSTMAN_DIR}", flush=True)
+
+def safe_read_file(filepath, max_size_mb=MAX_FILE_SIZE_MB):
+    """Safely read a file with size limits."""
+    try:
+        file_size = os.path.getsize(filepath)
+        if file_size > max_size_mb * 1024 * 1024:
+            errors.append(f"Skipped {filepath}: file too large ({file_size // 1024 // 1024}MB)")
+            return None
+        with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
+            return f.read()
+    except Exception as e:
+        errors.append(f"Error reading {filepath}: {str(e)}")
+        return None
+
+# =============================================================================
+# ROUTER MOUNTING MAP BUILDER
+# =============================================================================
+
+router_mount_map = {}
+router_files = {}
+
+def build_router_mount_map():
+    """
+    Build a map of router names to their mount paths using multiple passes.
+
+    This handles nested router mounting patterns like:
+    - rootRouter.use('/api/v2', v2Router)
+    - v2Router.use('/apps', appsRouter)
+
+    Result: appsRouter -> '/api/v2/apps'
+    """
+    print("Building router mounting map...", flush=True)
+
+    for root, dirs, files in os.walk(ROUTES_DIR):
+        dirs[:] = [d for d in dirs if not d.startswith('.') and d not in ['node_modules', 'build', 'dist', 'coverage']]
+
+        for file in files:
+            if file.endswith(('.js', '.ts')) and not file.endswith('.test.js') and not file.endswith('.spec.js'):
+                filepath = os.path.join(root, file)
+                content = safe_read_file(filepath)
+                if content is None:
+                    continue
+
+                router_decl_patterns = [
+                    r'const\s+([a-zA-Z_][a-zA-Z0-9_]*)Router\s*=\s*Router\s*\(',
+                    r'const\s+([a-zA-Z_][a-zA-Z0-9_]*)Router\s*=\s*new\s+Router\s*\(',
+                ]
+                for pattern in router_decl_patterns:
+                    for match in re.finditer(pattern, content):
+                        router_name = match.group(1) + 'Router'
+                        router_files[router_name] = filepath
+
+    mount_relationships = []
+
+    for root, dirs, files in os.walk(ROUTES_DIR):
+        dirs[:] = [d for d in dirs if not d.startswith('.') and d not in ['node_modules', 'build', 'dist', 'coverage']]
+
+        for file in files:
+            if file.endswith(('.js', '.ts')) and not file.endswith('.test.js') and not file.endswith('.spec.js'):
+                filepath = os.path.join(root, file)
+                content = safe_read_file(filepath)
+                if content is None:
+                    continue
+
+                mount_pattern = r'([a-zA-Z_][a-zA-Z0-9_]*)Router\.use\(["\']([^"\']+)["\'],\s*(?:\[[^\]]*\],\s*)?([a-zA-Z_][a-zA-Z0-9_]*)Router'
+                for match in re.finditer(mount_pattern, content):
+                    parent_router = match.group(1) + 'Router'
+                    mount_path = match.group(2)
+                    child_router = match.group(3) + 'Router'
+                    mount_relationships.append((parent_router, mount_path, child_router))
+
+                mount_array_pattern = r'([a-zA-Z_][a-zA-Z0-9_]*)Router\.use\(["\']([^"\']+)["\'],\s*\[([^\]]+)\]'
+                for match in re.finditer(mount_array_pattern, content):
+                    parent_router = match.group(1) + 'Router'
+                    mount_path = match.group(2)
+                    routers_str = match.group(3)
+                    for router_match in re.finditer(r'([a-zA-Z_][a-zA-Z0-9_]*)Router', routers_str):
+                        child_router = router_match.group(1) + 'Router'
+                        mount_relationships.append((parent_router, mount_path, child_router))
+
+                mount_backtick_pattern = r'([a-zA-Z_][a-zA-Z0-9_]*)Router\.use\(`([^`]+)`,\s*(?:\[[^\]]*\],\s*)?([a-zA-Z_][a-zA-Z0-9_]*)Router'
+                for match in re.finditer(mount_backtick_pattern, content):
+                    parent_router = match.group(1) + 'Router'
+                    mount_path = match.group(2)
+                    mount_path = re.sub(r'\(\$\{[^}]+\}\)', '', mount_path)
+                    mount_path = re.sub(r'\$\{[^}]+\}', '', mount_path)
+                    child_router = match.group(3) + 'Router'
+                    mount_relationships.append((parent_router, mount_path, child_router))
+
+                root_mount_pattern = r'(?:rootRouter|app|router)\.use\(["\']([^"\']+)["\'],\s*([a-zA-Z_][a-zA-Z0-9_]*)Router'
+                for match in re.finditer(root_mount_pattern, content):
+                    mount_path = match.group(1)
+                    child_router = match.group(2) + 'Router'
+                    mount_relationships.append(('rootRouter', mount_path, child_router))
+
+    router_mount_map['rootRouter'] = ''
+    for root_name in ['rootRouter', 'appRouter', 'mainRouter', 'serverRouter']:
+        if root_name not in router_mount_map:
+            router_mount_map[root_name] = ''
+
+    max_iterations = 20
+    for iteration in range(max_iterations):
+        changed = False
+        for parent, mount_path, child in mount_relationships:
+            if parent in router_mount_map and child not in router_mount_map:
+                parent_path = router_mount_map[parent]
+                full_path = parent_path + mount_path if parent_path else mount_path
+                full_path = re.sub(r'//+', '/', full_path)
+                router_mount_map[child] = full_path
+                changed = True
+        if not changed:
+            break
+
+    mounted_count = len([r for r in router_files if r in router_mount_map])
+    unmounted_count = len([r for r in router_files if r not in router_mount_map])
+    print(f"Found {len(router_files)} routers: {mounted_count} mounted, {unmounted_count} unmounted", flush=True)
+
+def extract_endpoints_from_file(filepath):
+    """Extract API endpoints from a Node.js route file."""
+    content = safe_read_file(filepath)
+    if content is None:
+        return
+
+    file_name = os.path.basename(filepath)
+
+    base_path = None
+    for router_name, router_file in router_files.items():
+        if router_file == filepath:
+            if router_name in router_mount_map:
+                base_path = router_mount_map[router_name]
+            break
+
+    if base_path is None:
+        content_check = content or ''
+        has_router = bool(re.search(r'const\s+[a-zA-Z_][a-zA-Z0-9_]*Router\s*=', content_check))
+        if has_router:
+            return
+        base_path = ''
+
+    if not base_path:
+        base_path_patterns = [
+            r"(?:router|app|server|rootRouter|v2Router)\.use\(['\"]([^'\"]+)['\"]",
+            r"[a-zA-Z_][a-zA-Z0-9_]*Router\.use\(['\"]([^'\"]+)['\"]",
+        ]
+        for pattern in base_path_patterns:
+            matches = re.findall(pattern, content)
+            if matches:
+                for match in matches:
+                    if isinstance(match, tuple):
+                        match = match[0] if match[0] else ''
+                    if match and len(match) > len(base_path):
+                        base_path = match
+
+    all_query_params = set()
+    all_include_params = set()
+
+    query_param_pattern = r'req\.query\.([a-zA-Z_][a-zA-Z0-9_]*)'
+    for qp_match in re.finditer(query_param_pattern, content):
+        param_name = qp_match.group(1).lower()
+        all_query_params.add(param_name)
+        if 'include' in param_name:
+            all_include_params.add(param_name)
+
+    destructure_pattern = r'const\s*\{[^}]*([a-zA-Z_][a-zA-Z0-9_]*)[^}]*\}\s*=\s*req\.query'
+    for ds_match in re.finditer(destructure_pattern, content):
+        param_name = ds_match.group(1).lower()
+        all_query_params.add(param_name)
+        if 'include' in param_name:
+            all_include_params.add(param_name)
+
+    bracket_pattern = r'req\.query\[["\']([a-zA-Z_][a-zA-Z0-9_]*)["\']'
+    for br_match in re.finditer(bracket_pattern, content):
+        param_name = br_match.group(1).lower()
+        all_query_params.add(param_name)
+        if 'include' in param_name:
+            all_include_params.add(param_name)
+
+    route_patterns = [
+        r'(?:app|router|server)\.(get|post|put|patch|delete)\s*\(\s*["\']([^"\']+)["\']',
+        r'[a-zA-Z_][a-zA-Z0-9_]*Router\.(get|post|put|patch|delete)\s*\(\s*["\']([^"\']+)["\']',
+        r'(?:app|router|server)\.(get|post|put|patch|delete)\s*\(\s*`([^`]+)`',
+        r'[a-zA-Z_][a-zA-Z0-9_]*Router\.(get|post|put|patch|delete)\s*\(\s*`([^`]+)`',
+        r'\.route\s*\(\s*["\']([^"\']+)["\']\s*\)\s*\.(get|post|put|patch|delete)',
+        r'(?:app|router|server)\.(get|post|put|patch|delete)\s*\(\s*["\']([^"\']+)["\']\s*,\s*\{',
+    ]
+
+    for pattern in route_patterns:
+        for match in re.finditer(pattern, content):
+            if 'route' in pattern:
+                path = match.group(1)
+                method = match.group(2).upper()
+            else:
+                method = match.group(1).upper()
+                path = match.group(2)
+
+            if base_path:
+                if path.startswith('/'):
+                    full_path = base_path + path
+                else:
+                    full_path = base_path + '/' + path
+            else:
+                full_path = path if path.startswith('/') else '/' + path
+
+            full_path = re.sub(r'\(\$\{[^}]+\}\)', '', full_path)
+            full_path = re.sub(r'\$\{[^}]+\}', '', full_path)
+            full_path = re.sub(r'\.json$', '', full_path)
+            full_path = re.sub(r'//+', '/', full_path)
+            full_path = full_path.rstrip('/')
+            if not full_path.startswith('/'):
+                full_path = '/' + full_path
+            if full_path == '':
+                full_path = '/'
+
+            defined_params = all_query_params.copy()
+            include_params = all_include_params.copy()
+
+            endpoint = {
+                'method': method,
+                'path': full_path,
+                'file': file_name,
+                'defined_params': defined_params,
+                'has_include_param': len(include_params) > 0
+            }
+
+            is_duplicate = False
+            for existing in endpoints:
+                if existing['method'] == endpoint['method'] and existing['path'] == endpoint['path']:
+                    existing['defined_params'].update(endpoint['defined_params'])
+                    if endpoint['has_include_param']:
+                        existing['has_include_param'] = True
+                    is_duplicate = True
+                    break
+
+            if not is_duplicate:
+                endpoints.append(endpoint)
+
+# Process route files
+try:
+    build_router_mount_map()
+
+    for root, dirs, files in os.walk(ROUTES_DIR):
+        dirs[:] = [d for d in dirs if not d.startswith('.') and d not in ['node_modules', 'build', 'dist', 'coverage']]
+
+        for file in files:
+            if file.endswith(('.js', '.ts')) and not file.endswith('.test.js') and not file.endswith('.spec.js'):
+                filepath = os.path.join(root, file)
+                try:
+                    extract_endpoints_from_file(filepath)
+                except Exception as e:
+                    errors.append(f"Error processing {file}: {str(e)}")
+except Exception as e:
+    print(f"ERROR: Failed to scan routes directory: {e}", flush=True)
+    sys.exit(1)
+
+# =============================================================================
+# POSTMAN COLLECTION PARSER (with quality tracking)
+# =============================================================================
+
+def extract_tests_from_item(item, collection_name, depth=0):
+    """Extract test information from Postman collection items."""
+    if depth > 20:
+        return []
+
+    results = []
+
+    if isinstance(item, list):
+        for i in item:
+            results.extend(extract_tests_from_item(i, collection_name, depth + 1))
+    elif isinstance(item, dict):
+        if 'request' in item:
+            try:
+                request = item['request']
+                if not isinstance(request, dict):
+                    return results
+
+                method = request.get('method', 'GET')
+
+                url = request.get('url', {})
+                query_params = set()
+                query_param_values = defaultdict(set)
+
+                if isinstance(url, str):
+                    url_path = url
+                    if '?' in url_path:
+                        url_path, query_string = url_path.split('?', 1)
+                        for param in query_string.split('&'):
+                            if '=' in param:
+                                key, val = param.split('=', 1)
+                                query_params.add(key)
+                                query_param_values[key].add(val)
+                elif isinstance(url, dict):
+                    path_parts = url.get('path', [])
+                    if isinstance(path_parts, list):
+                        url_path = '/' + '/'.join(str(p) for p in path_parts) if path_parts else ''
+                    else:
+                        url_path = str(path_parts)
+
+                    for qp in url.get('query', []) or []:
+                        if isinstance(qp, dict):
+                            key = qp.get('key', '')
+                            val = qp.get('value', '')
+                            if key:
+                                query_params.add(key)
+                                if val:
+                                    query_param_values[key].add(val)
+                else:
+                    url_path = ''
+
+                if '?' in url_path:
+                    url_path, extra_qs = url_path.split('?', 1)
+                    for param in extra_qs.split('&'):
+                        if '=' in param:
+                            key, val = param.split('=', 1)
+                            query_params.add(key)
+                            query_param_values[key].add(val)
+
+                url_path = re.sub(r'\.json$', '', url_path)
+                url_path = re.sub(r'\{\{[^}]+\}\}', '{VAR}', url_path)
+                url_path = re.sub(r':[^/]+', '{VAR}', url_path)
+
+                status_codes = set()
+                body_assertions = 0
+                has_oneof = False
+                has_skip = False
+                skip_reason = None
+                skip_env = None
+
+                # Check pre-request scripts for skips
+                for event in item.get('event', []) or []:
+                    if isinstance(event, dict) and event.get('listen') == 'prerequest':
+                        script = event.get('script', {})
+                        if isinstance(script, dict):
+                            exec_lines = script.get('exec', [])
+                            if isinstance(exec_lines, list):
+                                prereq_text = '\n'.join(str(line) for line in exec_lines)
+                            else:
+                                prereq_text = str(exec_lines)
+
+                            if 'pm.execution.skipRequest()' in prereq_text:
+                                has_skip = True
+
+                                # Format 1: [SKIP] Reason: ... | Env: ...
+                                skip_match = re.search(
+                                    r"\[SKIP\].*?Reason:\s*([^|,;]+)(?:[|,;]\s*Env:\s*(\S+))?",
+                                    prereq_text, re.IGNORECASE
+                                )
+                                if skip_match:
+                                    skip_reason = skip_match.group(1).strip()
+                                    if skip_match.group(2):
+                                        skip_env = skip_match.group(2).strip().lower()
+
+                                # Format 2: simple [SKIP] message
+                                if not skip_reason:
+                                    simple_match = re.search(r"\[SKIP\]\s*(.+?)(?:['\"]|$)", prereq_text)
+                                    if simple_match and 'Reason:' not in simple_match.group(1):
+                                        skip_reason = simple_match.group(1).strip()
+
+                                # Format 3: comment-based skip
+                                if not skip_reason:
+                                    comment_match = re.search(r"//\s*SKIP[:\s]+(.+)", prereq_text)
+                                    if comment_match:
+                                        skip_reason = comment_match.group(1).strip()
+
+                                # Format 4: console.log with reason (common Node pattern)
+                                if not skip_reason:
+                                    log_match = re.search(r"console\.log\(['\"](?:\[SKIP\]\s*)?([^'\"]+)['\"]", prereq_text)
+                                    if log_match:
+                                        skip_reason = log_match.group(1).strip()
+                                        if skip_reason.startswith('Skipping:'):
+                                            skip_reason = skip_reason[len('Skipping:'):].strip()
+
+                                # Auto-detect environment from the if condition
+                                if not skip_env:
+                                    env_patterns = [
+                                        (r"pm\.environment\.get\(['\"]environment['\"]\)\s*===\s*['\"](\w+)['\"]", lambda m: m.group(1)),
+                                        (r"pm\.environment\.get\(['\"]environment['\"]\)\s*!==\s*['\"]local['\"]", lambda m: 'staging'),
+                                        (r"pm\.environment\.get\(['\"]environment['\"]\)\s*!==\s*['\"]staging['\"]", lambda m: 'local'),
+                                        (r"pm\.environment\.get\(['\"]env_name['\"]\)\s*===\s*['\"](\w+)['\"]", lambda m: m.group(1)),
+                                        (r"pm\.environment\.get\(['\"]env_name['\"]\)\s*!==\s*['\"]local['\"]", lambda m: 'staging'),
+                                        (r"pm\.environment\.get\(['\"]env_name['\"]\)\s*!==\s*['\"]staging['\"]", lambda m: 'local'),
+                                        (r"pm\.variables\.get\(['\"]env['\"]\)\s*===\s*['\"](\w+)['\"]", lambda m: m.group(1)),
+                                    ]
+                                    for pattern, extractor in env_patterns:
+                                        env_match = re.search(pattern, prereq_text)
+                                        if env_match:
+                                            skip_env = extractor(env_match).lower()
+                                            break
+
+                # Parse test scripts for assertions
+                for event in item.get('event', []) or []:
+                    if isinstance(event, dict) and event.get('listen') == 'test':
+                        script = event.get('script', {})
+                        if isinstance(script, dict):
+                            exec_lines = script.get('exec', [])
+                            if isinstance(exec_lines, list):
+                                script_text = '\n'.join(str(line) for line in exec_lines)
+                            else:
+                                script_text = str(exec_lines)
+
+                            # Status code patterns
+                            for m in re.findall(r'to\.have\.status\((\d+)\)', script_text):
+                                status_codes.add(str(m))
+                            for m in re.findall(r'pm\.response\.code\)\.to\.equal\((\d+)\)', script_text):
+                                status_codes.add(str(m))
+                            for m in re.findall(r'pm\.response\.code\)\.to\.eql\((\d+)\)', script_text):
+                                status_codes.add(str(m))
+
+                            # Detect weak assertions: oneOf patterns
+                            if 'oneOf' in script_text:
+                                has_oneof = True
+                            if re.search(r'pm\.expect\s*\(\s*\[.*?\]\s*\)\.to\.include\s*\(\s*pm\.response\.code', script_text):
+                                has_oneof = True
+                            if re.search(r'pm\.response\.code\s*\)\s*\.to\.be\.oneOf', script_text):
+                                has_oneof = True
+
+                            # Extract status codes from oneOf/include arrays
+                            for oneof_match in re.finditer(r'\.to\.be\.oneOf\s*\(\s*\[([^\]]+)\]', script_text):
+                                for code in re.findall(r'\d{3}', oneof_match.group(1)):
+                                    status_codes.add(str(code))
+                            for include_match in re.finditer(r'pm\.expect\s*\(\s*\[([\d,\s]+)\]\s*\)\.to\.include', script_text):
+                                for code in re.findall(r'\d{3}', include_match.group(1)):
+                                    status_codes.add(str(code))
+
+                            # Body assertion patterns
+                            body_patterns = [
+                                r'pm\.expect\s*\(\s*jsonData\.',
+                                r'pm\.expect\s*\(\s*jsonData\s*\)\.to\.be\.an\s*\(',
+                                r'pm\.expect\s*\(\s*jsonData\s*\)\.to\.have\.property\s*\(',
+                                r'pm\.expect\s*\(\s*jsonData\s*\)\.to\.not\.be\.null',
+                                r'pm\.expect\s*\(\s*response\.',
+                                r'\.to\.have\.property\(',
+                                r'\.to\.include\(',
+                                r'\.to\.eql\(',
+                            ]
+                            for p in body_patterns:
+                                body_assertions += len(re.findall(p, script_text))
+
+                # Extract request body
+                has_request_body = False
+                request_body_hash = None
+                request_body_fields = set()
+                body = request.get('body', {})
+                if isinstance(body, dict):
+                    raw_body = body.get('raw', '')
+                    if raw_body and isinstance(raw_body, str) and raw_body.strip():
+                        has_request_body = True
+                        request_body_hash = hash(raw_body.strip())
+                        try:
+                            parsed = json.loads(raw_body)
+                            if isinstance(parsed, dict):
+                                request_body_fields = set(parsed.keys())
+                        except (json.JSONDecodeError, ValueError):
+                            field_pattern = r'"([^"]+)"\s*:'
+                            request_body_fields = set(re.findall(field_pattern, raw_body))
+
+                if url_path:
+                    results.append({
+                        'method': method,
+                        'path': url_path,
+                        'name': item.get('name', ''),
+                        'status_codes': list(status_codes) if status_codes else [],
+                        'collection': collection_name,
+                        'body_assertions': body_assertions,
+                        'has_request_body': has_request_body,
+                        'request_body_hash': request_body_hash,
+                        'request_body_fields': request_body_fields,
+                        'query_params': query_params,
+                        'query_param_values': dict(query_param_values),
+                        'has_oneof': has_oneof,
+                        'has_5xx': any(str(code).startswith('5') for code in status_codes),
+                        'has_skip': has_skip,
+                        'skip_reason': skip_reason,
+                        'skip_env': skip_env
+                    })
+            except Exception as e:
+                errors.append(f"Error parsing request in {collection_name}: {str(e)}")
+
+        if 'item' in item:
+            results.extend(extract_tests_from_item(item['item'], collection_name, depth + 1))
+
+    return results
+
+def find_collection_files(base_dir):
+    """Find all Postman collection JSON files in the given directory."""
+    collection_files = []
+    seen_files = set()
+
+    search_dirs = [base_dir]
+    for subdir in ['collections', 'api-tests', 'tests']:
+        subpath = os.path.join(base_dir, subdir)
+        if os.path.isdir(subpath):
+            search_dirs.append(subpath)
+
+    seen_dirs = set()
+    for search_dir in search_dirs:
+        if search_dir in seen_dirs:
+            continue
+        seen_dirs.add(search_dir)
+
+        try:
+            for root, dirs, files in os.walk(search_dir):
+                dirs[:] = [d for d in dirs if d not in [
+                    'node_modules', 'environments', 'reports', 'config',
+                    'scripts', '.git', 'data', 'schemas', 'seeders',
+                    'mocks', 'test_data'
+                ]]
+
+                for file in files:
+                    if file.endswith('.json'):
+                        skip_exact = [
+                            'package.json', 'package-lock.json',
+                            'tsconfig.json', 'jsconfig.json',
+                            '.eslintrc.json', '.prettierrc.json',
+                            'newman-reporter-config.json'
+                        ]
+
+                        is_environment_file = (
+                            file.lower().endswith('.environment.json') or
+                            file.lower().endswith('_environment.json') or
+                            file.lower().endswith('.postman_environment.json') or
+                            file.lower() == 'environment.json'
+                        )
+
+                        if file.lower() in skip_exact:
+                            continue
+                        if is_environment_file:
+                            continue
+
+                        full_path = os.path.abspath(os.path.join(root, file))
+                        if full_path not in seen_files:
+                            seen_files.add(full_path)
+                            collection_files.append(full_path)
+        except Exception as e:
+            errors.append(f"Error scanning {search_dir}: {str(e)}")
+
+    return collection_files
+
+try:
+    collection_files = find_collection_files(POSTMAN_DIR)
+    print(f"Found {len(collection_files)} collection file(s)", flush=True)
+
+    for filepath in collection_files:
+        file = os.path.basename(filepath)
+        file_size = os.path.getsize(filepath)
+        if file_size > MAX_FILE_SIZE_MB * 1024 * 1024:
+            errors.append(f"Skipped {file}: collection too large")
+            continue
+
+        try:
+            content = safe_read_file(filepath)
+            if content:
+                collection = json.loads(content)
+                if not isinstance(collection, dict) or ('item' not in collection and 'info' not in collection):
+                    continue
+                collection_name = file.replace('.json', '')
+                tests = extract_tests_from_item(collection.get('item', []), collection_name)
+                tested.extend(tests)
+        except json.JSONDecodeError as e:
+            errors.append(f"Invalid JSON in {file}: {str(e)}")
+        except Exception as e:
+            errors.append(f"Error processing {file}: {str(e)}")
+except Exception as e:
+    print(f"ERROR: Failed to scan Postman directory: {e}", flush=True)
+    sys.exit(1)
+
+# =============================================================================
+# MATCHING AND AGGREGATION
+# =============================================================================
+
+seen = set()
+unique_endpoints = []
+for ep in endpoints:
+    key = (ep['method'], ep['path'])
+    if key not in seen:
+        seen.add(key)
+        unique_endpoints.append(ep)
+endpoints = sorted(unique_endpoints, key=lambda x: (x['path'], x['method']))
+
+endpoint_stats = defaultdict(lambda: {
+    'test_count': 0,
+    'status_codes': set(),
+    'body_assertions': 0,
+    'request_body_variations': set(),
+    'has_body_test': False,
+    'query_params': set(),
+    'query_param_values': defaultdict(set),
+    'request_body_fields': set(),
+    'has_oneof': False,
+    'oneof_count': 0,
+    'has_5xx': False,
+    'count_5xx': 0,
+    'skipped_tests': []
+})
+
+all_skipped_tests = []
+
+def normalize_path(path):
+    """Normalize path for comparison."""
+    if not path:
+        return ''
+    normalized = re.sub(r'^/?(api/)?v\d+/', '/', path)
+    normalized = re.sub(r'\{\{[^}]+\}\}', '{VAR}', normalized)
+    normalized = re.sub(r'\{[^}]+\}', '{VAR}', normalized)
+    normalized = re.sub(r':[^/]+', '{VAR}', normalized)
+    normalized = re.sub(r'/(\d+)(?=/|$)', '/{VAR}', normalized)
+    normalized = re.sub(r'\.json$', '', normalized)
+    return normalized.lower().replace('{var}', '{VAR}')
+
+def paths_match(controller_path, test_path):
+    """Check if a test path matches a controller path."""
+    norm_controller = normalize_path(controller_path)
+    norm_test = normalize_path(test_path)
+
+    if norm_controller == norm_test:
+        return True
+
+    try:
+        pattern = re.escape(norm_controller).replace(r'\{VAR\}', '[^/]+')
+        if re.fullmatch(pattern, norm_test):
+            return True
+    except re.error:
+        pass
+
+    controller_parts = norm_controller.rstrip('/').split('/')
+    test_parts = norm_test.rstrip('/').split('/')
+
+    if len(controller_parts) >= 2 and len(test_parts) >= 2:
+        if controller_parts[-2:] == test_parts[-2:]:
+            return True
+        c_last = '/'.join(controller_parts[-2:])
+        t_last = '/'.join(test_parts[-2:])
+        pattern = re.sub(r'\{VAR\}', '[^/]+', re.escape(c_last)).replace(r'\{VAR\}', '[^/]+')
+        try:
+            if re.fullmatch(pattern, t_last):
+                return True
+        except re.error:
+            pass
+
+    return False
+
+def update_stats(key, test):
+    """Update endpoint stats with test data."""
+    endpoint_stats[key]['test_count'] += 1
+    endpoint_stats[key]['status_codes'].update(test['status_codes'])
+    endpoint_stats[key]['body_assertions'] += test['body_assertions']
+    if test['body_assertions'] > 0:
+        endpoint_stats[key]['has_body_test'] = True
+    if test['request_body_hash']:
+        endpoint_stats[key]['request_body_variations'].add(test['request_body_hash'])
+    endpoint_stats[key]['query_params'].update(test.get('query_params', set()))
+    for param, values in test.get('query_param_values', {}).items():
+        endpoint_stats[key]['query_param_values'][param].update(values)
+    endpoint_stats[key]['request_body_fields'].update(test.get('request_body_fields', set()))
+    if test.get('has_oneof', False):
+        endpoint_stats[key]['has_oneof'] = True
+        endpoint_stats[key]['oneof_count'] += 1
+    if test.get('has_5xx', False):
+        endpoint_stats[key]['has_5xx'] = True
+        endpoint_stats[key]['count_5xx'] += 1
+    if test.get('has_skip', False):
+        endpoint_stats[key]['skipped_tests'].append({
+            'name': test.get('name', ''),
+            'reason': test.get('skip_reason'),
+            'env': test.get('skip_env')
+        })
+
+for test in tested:
+    test_path = test['path']
+    test_method = test['method']
+
+    if test.get('has_skip', False):
+        all_skipped_tests.append({
+            'name': test.get('name', 'Unknown'),
+            'collection': test.get('collection', ''),
+            'method': test_method,
+            'path': test_path,
+            'reason': test.get('skip_reason'),
+            'env': test.get('skip_env')
+        })
+
+    matched = False
+    for ep in endpoints:
+        if test_method == ep['method'] and paths_match(ep['path'], test_path):
+            key = f"{ep['method']} {ep['path']}"
+            update_stats(key, test)
+            matched = True
+            break
+
+    if not matched:
+        key = f"{test_method} {test_path}"
+        update_stats(key, test)
+
+# =============================================================================
+# METRICS CALCULATION
+# =============================================================================
+
+total_tests = sum(s['test_count'] for s in endpoint_stats.values())
+total_body = sum(s['body_assertions'] for s in endpoint_stats.values())
+tested_ep = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('test_count', 0) > 0)
+well_tested = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('test_count', 0) >= 3)
+with_body = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('has_body_test', False))
+not_tested = len(endpoints) - tested_ep
+
+def has_success_code(status_codes):
+    return any(str(code).startswith('2') for code in status_codes)
+
+def has_401_code(status_codes):
+    return '401' in [str(code) for code in status_codes]
+
+success_tested = sum(1 for ep in endpoints if has_success_code(endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('status_codes', set())))
+error_only = tested_ep - success_tested
+
+auth_tested = sum(1 for ep in endpoints if has_401_code(endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('status_codes', set())))
+auth_pct = (auth_tested / len(endpoints) * 100) if endpoints else 0
+
+oneof_endpoints = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('has_oneof', False))
+total_oneof_tests = sum(endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('oneof_count', 0) for ep in endpoints)
+
+endpoints_with_5xx = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('has_5xx', False))
+total_5xx_tests = sum(endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('count_5xx', 0) for ep in endpoints)
+
+total_skipped_tests = len(all_skipped_tests)
+skips_with_reason = sum(1 for s in all_skipped_tests if s.get('reason'))
+skips_without_reason = total_skipped_tests - skips_with_reason
+skips_by_env = defaultdict(list)
+for skip in all_skipped_tests:
+    env = skip.get('env', 'unknown')
+    skips_by_env[env].append(skip)
+
+# Query params metrics
+total_defined_params = 0
+total_tested_params = 0
+endpoints_with_params = []
+for ep in endpoints:
+    defined_params = ep.get('defined_params', set())
+    if defined_params:
+        total_defined_params += len(defined_params)
+        key = f"{ep['method']} {ep['path']}"
+        stats = endpoint_stats.get(key, {})
+        tested_params = stats.get('query_params', set())
+        tested_normalized = set(p.lower().replace('_', '') for p in tested_params)
+        covered = len(defined_params.intersection(tested_normalized))
+        total_tested_params += covered
+
+        param_values = stats.get('query_param_values', {})
+        if tested_params:
+            endpoints_with_params.append({
+                'method': ep['method'],
+                'path': ep['path'],
+                'params': tested_params,
+                'param_values': param_values,
+                'total_values': sum(len(v) for v in param_values.values())
+            })
+
+# Include params metrics
+endpoints_with_include = []
+total_expected_include_values = 0
+total_tested_include_values = 0
+
+for ep in endpoints:
+    if ep.get('has_include_param', False):
+        key = f"{ep['method']} {ep['path']}"
+        stats = endpoint_stats.get(key, {})
+        tested_params = stats.get('query_params', set())
+        param_values = stats.get('query_param_values', {})
+
+        include_tested = any('include' in p.lower() for p in tested_params)
+        include_values = set()
+        include_variations = 0
+
+        for param, values in param_values.items():
+            if 'include' in param.lower():
+                for v in values:
+                    for single_val in v.split(','):
+                        include_values.add(single_val.strip())
+                include_variations = len(values)
+
+        endpoints_with_include.append({
+            'method': ep['method'],
+            'path': ep['path'],
+            'tested': include_tested,
+            'values': include_values,
+            'variations': include_variations
+        })
+
+# Request body metrics
+endpoints_with_body = []
+for ep in endpoints:
+    if ep['method'] in ['POST', 'PUT', 'PATCH']:
+        key = f"{ep['method']} {ep['path']}"
+        stats = endpoint_stats.get(key, {})
+        fields = stats.get('request_body_fields', set())
+        variations = len(stats.get('request_body_variations', set()))
+
+        if fields or variations > 0:
+            endpoints_with_body.append({
+                'method': ep['method'],
+                'path': ep['path'],
+                'fields': fields,
+                'variations': variations
+            })
+
+# Percentages
+tested_pct = (tested_ep / len(endpoints) * 100) if endpoints else 0
+well_tested_pct = (well_tested / len(endpoints) * 100) if endpoints else 0
+body_pct = (with_body / len(endpoints) * 100) if endpoints else 0
+qp_pct = (total_tested_params / total_defined_params * 100) if total_defined_params > 0 else 0
+success_pct = (success_tested / len(endpoints) * 100) if endpoints else 0
+
+include_tested_count = sum(1 for ep in endpoints_with_include if ep['tested'])
+include_total_count = len(endpoints_with_include)
+include_endpoints_pct = (include_tested_count / include_total_count * 100) if include_total_count > 0 else 100
+
+# Gaps analysis
+gaps_no_tests = []
+gaps_no_2xx = []
+gaps_weak_assertions = []
+gaps_5xx_assertions = []
+
+for ep in endpoints:
+    key = f"{ep['method']} {ep['path']}"
+    stats = endpoint_stats.get(key, {'test_count': 0, 'status_codes': set()})
+
+    if stats['test_count'] == 0:
+        gaps_no_tests.append(ep)
+    elif not has_success_code(stats.get('status_codes', set())):
+        gaps_no_2xx.append(ep)
+
+    if stats.get('has_oneof', False):
+        gaps_weak_assertions.append({**ep, 'oneof_count': stats.get('oneof_count', 0)})
+
+    if stats.get('has_5xx', False):
+        gaps_5xx_assertions.append({**ep, 'count_5xx': stats.get('count_5xx', 0)})
+
+# Health status
+def get_health_status(success_pct, well_tested_pct, error_only, oneof_count):
+    if success_pct >= 100 and well_tested_pct >= 80 and error_only == 0 and oneof_count == 0:
+        return ('excellent', '🟢', 'Excellent', 'All endpoints have 2xx tests with strong assertions')
+    elif success_pct >= 90 and well_tested_pct >= 60 and error_only <= 2:
+        return ('good', '&#x1f7e1;', 'Good', 'Most endpoints well tested, minor gaps exist')
+    elif success_pct >= 70 and well_tested_pct >= 40:
+        return ('fair', '&#x1f7e0;', 'Fair', 'Moderate coverage, needs improvement')
+    else:
+        return ('poor', '&#x1f534;', 'Needs Work', 'Significant testing gaps exist')
+
+health_class, health_icon, health_label, health_desc = get_health_status(success_pct, well_tested_pct, error_only, total_oneof_tests)
+
+# =============================================================================
+# HTML GENERATION (single-pass, direct)
+# =============================================================================
+
+CSS = """
+:root {
+    --color-primary: #3b82f6; --color-success: #10b981; --color-warning: #f59e0b;
+    --color-error: #ef4444; --color-heading: #0f172a; --color-text: #1e293b;
+    --color-muted: #64748b; --color-card: #ffffff; --color-bg: #f8fafc;
+    --color-border: #e2e8f0; --radius-sm: 8px; --radius-md: 12px;
+    --shadow-sm: 0 1px 2px rgba(0,0,0,0.05); --shadow-md: 0 4px 6px rgba(0,0,0,0.07);
+}
+* { margin: 0; padding: 0; box-sizing: border-box; }
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: var(--color-bg); color: var(--color-text); line-height: 1.6; padding: 2rem; }
+.container { max-width: 1200px; margin: 0 auto; }
+.header { display: flex; align-items: center; justify-content: space-between; margin-bottom: 2rem; padding-bottom: 1rem; border-bottom: 2px solid var(--color-border); }
+.header-left h1 { font-size: 1.5rem; font-weight: 700; color: var(--color-heading); }
+.header-left .logo { font-size: 0.75rem; font-weight: 600; color: var(--color-primary); text-transform: uppercase; letter-spacing: 0.05em; }
+.timestamp { color: var(--color-muted); font-size: 0.8rem; }
+.health-badge { padding: 0.5rem 1rem; border-radius: var(--radius-sm); font-weight: 600; font-size: 0.9rem; }
+.health-badge.excellent { background: #ecfdf5; color: #047857; border: 1px solid #a7f3d0; }
+.health-badge.good { background: #fefce8; color: #a16207; border: 1px solid #fde68a; }
+.health-badge.fair { background: #fff7ed; color: #c2410c; border: 1px solid #fed7aa; }
+.health-badge.poor { background: #fef2f2; color: #b91c1c; border: 1px solid #fecaca; }
+.section { margin-bottom: 1.5rem; }
+.section-title { font-size: 1.1rem; font-weight: 600; color: var(--color-heading); margin-bottom: 0.75rem; display: flex; align-items: center; gap: 0.5rem; }
+table { width: 100%; border-collapse: collapse; background: var(--color-card); border: 1px solid var(--color-border); border-radius: var(--radius-sm); overflow: hidden; margin-bottom: 1rem; font-size: 0.8rem; }
+th, td { padding: 0.5rem; text-align: center; border-bottom: 1px solid var(--color-border); vertical-align: middle; }
+th { background: #f1f5f9; font-weight: 600; font-size: 0.65rem; text-transform: uppercase; color: var(--color-muted); }
+td.left, th.left { text-align: left; }
+tr:hover { background: #f8fafc; }
+.method { font-weight: 600; padding: 0.15rem 0.4rem; border-radius: 4px; font-size: 0.7rem; display: inline-block; }
+.method-GET { background: #dbeafe; color: #1d4ed8; }
+.method-POST { background: #d1fae5; color: #047857; }
+.method-PUT { background: #fef3c7; color: #b45309; }
+.method-PATCH { background: #ede9fe; color: #6d28d9; }
+.method-DELETE { background: #fee2e2; color: #b91c1c; }
+.path { font-family: 'SF Mono', Consolas, monospace; font-size: 0.78rem; color: var(--color-heading); word-break: break-all; }
+.status-icon { font-size: 1rem; }
+.count { background: var(--color-border); padding: 0.125rem 0.5rem; border-radius: 10px; font-size: 0.75rem; font-weight: 500; margin-left: 0.5rem; }
+.gaps-section { margin-bottom: 1rem; padding: 0.75rem 1rem; border-radius: var(--radius-sm); background: #fef2f2; border: 1px solid #fecaca; }
+.gaps-section.warning { background: #fffbeb; border-color: #fde68a; }
+.gaps-section .title { font-weight: 600; font-size: 0.85rem; margin-bottom: 0.5rem; }
+.gap-item { font-size: 0.8rem; padding: 0.2rem 0; color: var(--color-text); }
+details { margin-bottom: 1rem; background: var(--color-card); border: 1px solid var(--color-border); border-radius: var(--radius-sm); overflow: hidden; }
+details summary { padding: 0.75rem 1rem; cursor: pointer; font-weight: 600; font-size: 0.9rem; background: #f8fafc; display: flex; align-items: center; gap: 0.5rem; }
+details summary:hover { background: #f1f5f9; }
+details .content { padding: 0; }
+footer { margin-top: 2rem; text-align: center; color: #94a3b8; font-size: 0.75rem; padding-top: 1rem; border-top: 1px solid var(--color-border); }
+"""
+
+def metric(label, value, detail=None, status=None):
+    color = f'var(--color-{status})' if status else 'var(--color-primary)'
+    det = f' <span style="color:var(--color-muted);font-size:0.75rem;">({esc(str(detail))})</span>' if detail else ''
+    return f'<span style="margin-right:1.5rem;"><strong style="color:{color};">{esc(str(value))}</strong> {esc(str(label))}{det}</span>'
+
+def gaps_section(title, items, warning=False, count_key=None):
+    if not items:
+        return ''
+    cls = 'gaps-section warning' if warning else 'gaps-section'
+    items_html = ''.join(
+        f'<div class="gap-item"><span class="method method-{esc(ep["method"])}">{esc(ep["method"])}</span> {esc(ep["path"])}'
+        f'{f" ({ep.get(count_key, 0)} tests)" if count_key else ""}</div>'
+        for ep in items
+    )
+    return f'<div class="{cls}"><div class="title">{esc(title)}</div>{items_html}</div>'
+
+def collapsible(title, count, headers, rows):
+    if not rows:
+        return ''
+    h = ''.join(f'<th style="{esc(hdr.get("style",""))}">{esc(hdr["label"])}</th>' for hdr in headers)
+    r = ''.join(rows)
+    return f'''<details><summary>{esc(title)}<span class="count">{esc(str(count))}</span></summary>
+<div class="content"><table><thead><tr>{h}</tr></thead><tbody>{r}</tbody></table></div></details>'''
+
+# Issues summary
+issues = []
+if not_tested > 0:
+    issues.append(f'{not_tested} untested')
+if total_5xx_tests > 0:
+    issues.append(f'{total_5xx_tests} 5xx')
+if total_oneof_tests > 0:
+    issues.append(f'{total_oneof_tests} weak')
+if skips_without_reason > 0:
+    issues.append(f'{skips_without_reason} undoc skips')
+issues_str = ', '.join(issues) if issues else None
+
+# Build summary
+summary_html = f'''<div class="section">
+<div style="display:flex;align-items:center;justify-content:space-between;flex-wrap:wrap;gap:1rem;padding:1rem 1.25rem;background:var(--color-card);border:1px solid var(--color-border);border-radius:var(--radius-sm);box-shadow:var(--shadow-sm);">
+    <div style="display:flex;align-items:center;gap:0.75rem;">
+        <span style="font-size:1.5rem;">{health_icon}</span>
+        <span style="font-weight:600;color:var(--color-heading);">{health_label}</span>
+    </div>
+    <div style="display:flex;flex-wrap:wrap;align-items:center;">
+        {metric('endpoints', len(endpoints), f'{total_tests} tests')}
+        {metric('2xx', f'{success_pct:.0f}%', f'{success_tested}/{len(endpoints)}', 'success' if success_pct >= 100 else 'warning' if success_pct >= 80 else 'error')}
+        {metric('well tested', f'{well_tested_pct:.0f}%', f'{well_tested}/{len(endpoints)}', 'success' if well_tested_pct >= 100 else 'warning' if well_tested_pct >= 80 else 'error')}
+        {metric('body validated', f'{body_pct:.0f}%', f'{with_body}/{len(endpoints)}', 'success' if body_pct >= 100 else 'warning' if body_pct >= 80 else 'error')}
+        {metric('query params', f'{qp_pct:.0f}%', f'{total_tested_params}/{total_defined_params}', 'success' if qp_pct >= 100 else 'warning' if qp_pct >= 80 else 'error')}
+        {f'<span style="color:var(--color-error);font-weight:500;">&#x26A0; {issues_str}</span>' if issues_str else ''}
+    </div>
+</div>
+</div>'''
+
+# Gaps analysis
+gaps_html = ''
+if gaps_no_tests or gaps_no_2xx or gaps_weak_assertions or gaps_5xx_assertions:
+    gaps_html = '<div class="section"><div class="section-title">&#x26A0;&#xFE0F; Gaps Analysis</div>'
+    gaps_html += gaps_section(f'&#x274C; No Tests ({len(gaps_no_tests)} endpoints)', gaps_no_tests)
+    gaps_html += gaps_section(f'&#x274C; No 2xx Tests ({len(gaps_no_2xx)} endpoints)', gaps_no_2xx)
+    gaps_html += gaps_section(f'&#x26A0;&#xFE0F; Weak Assertions (oneOf) - {len(gaps_weak_assertions)} endpoints', gaps_weak_assertions, warning=True, count_key='oneof_count')
+    gaps_html += gaps_section(f'&#x1F534; 5xx Assertions (bad practice) - {len(gaps_5xx_assertions)} endpoints', gaps_5xx_assertions, count_key='count_5xx')
+    gaps_html += '</div>'
+
+# Endpoint details table
+def endpoint_row(ep, stats):
+    tc = stats.get('test_count', 0)
+    codes = stats.get('status_codes', set())
+    codes_str = ', '.join(sorted(codes, key=lambda x: int(x) if x.isdigit() else 0)) if codes else '&#x2014;'
+    body = stats.get('body_assertions', 0) or '&#x2014;'
+    has_2xx = any(str(c).startswith('2') for c in codes)
+    success_icon = '&#x2705;' if has_2xx else ('&#x274C;' if tc > 0 else '&#x2014;')
+    defined = ep.get('defined_params', set())
+    tested_p = stats.get('query_params', set())
+    qp_str = '&#x2014;' if not defined else f'{len(defined.intersection(set(p.lower().replace("_","") for p in tested_p)))}/{len(defined)}' if tested_p else f'0/{len(defined)}'
+    oneof = stats.get('oneof_count', 0)
+    weak = f'&#x26A0;&#xFE0F; {oneof}' if oneof > 0 else '&#x2014;'
+    fivexx = stats.get('count_5xx', 0)
+    fivexx_str = f'&#x1F534; {fivexx}' if fivexx > 0 else '&#x2014;'
+    icon = '&#x274C;' if tc == 0 else '&#x26A0;&#xFE0F;' if tc < 3 else '&#x2705;'
+    style = 'background:#fef2f2;' if tc == 0 else ''
+    return f'<tr style="{style}"><td class="status-icon">{icon}</td><td><span class="method method-{ep["method"]}">{ep["method"]}</span></td><td class="left"><span class="path">{ep["path"]}</span></td><td>{tc}</td><td class="status-icon">{success_icon}</td><td>{codes_str}</td><td>{body}</td><td>{qp_str}</td><td>{weak}</td><td>{fivexx_str}</td></tr>'
+
+endpoint_rows = [endpoint_row(ep, endpoint_stats.get(f"{ep['method']} {ep['path']}", {})) for ep in endpoints]
+details_html = f'''<div class="section"><div class="section-title">Endpoint Details<span class="count">{len(endpoints)} endpoints</span></div>
+<table><thead><tr><th style="width:40px;">Status</th><th style="width:70px;">Method</th><th class="left">Endpoint</th><th style="width:50px;">Tests</th><th style="width:50px;">2xx</th><th style="width:120px;">Status Codes</th><th style="width:70px;">Body</th><th style="width:70px;">Query</th><th style="width:70px;">Weak</th><th style="width:70px;">5xx</th></tr></thead>
+<tbody>{''.join(endpoint_rows)}</tbody></table></div>'''
+
+# Collapsible sections
+qp_rows = [f'<tr><td class="left"><span class="method method-{ep["method"]}">{ep["method"]}</span> <span class="path">{ep["path"]}</span></td><td><code>{", ".join(sorted(ep["params"]))}</code></td><td>{ep["total_values"]}</td></tr>' for ep in endpoints_with_params]
+qp_html = collapsible('Query Parameter Details', f'{len(endpoints_with_params)} endpoints', [{'label':'Endpoint','style':'text-align:left;'},{'label':'Parameters Tested','style':''},{'label':'Value Variations','style':''}], qp_rows)
+
+body_rows = [f'<tr><td class="left"><span class="method method-{ep["method"]}">{ep["method"]}</span> <span class="path">{ep["path"]}</span></td><td>{len(ep["fields"])} fields</td><td>{ep["variations"]}</td></tr>' for ep in endpoints_with_body]
+body_detail_html = collapsible('Request Body Coverage', f'{len(endpoints_with_body)} endpoints', [{'label':'Endpoint','style':'text-align:left;'},{'label':'Fields Tested','style':''},{'label':'Variations','style':''}], body_rows)
+
+def include_row(ep):
+    vals = ', '.join(sorted(ep['values'])) or 'None'
+    status = '&#x2705;' if ep['tested'] else '&#x274C;'
+    return f'<tr><td class="left"><span class="method method-{ep["method"]}">{ep["method"]}</span> <span class="path">{ep["path"]}</span></td><td>{status}</td><td><code>{vals}</code></td><td>{ep["variations"]}</td></tr>'
+
+include_rows = [include_row(ep) for ep in endpoints_with_include]
+include_html = collapsible('Include Parameter Details', f'{len(endpoints_with_include)} endpoints', [{'label':'Endpoint','style':'text-align:left;'},{'label':'Tested','style':''},{'label':'Values','style':''},{'label':'Variations','style':''}], include_rows) if endpoints_with_include else ''
+
+skip_rows = [f'<tr><td class="left"><span class="path">{s["collection"]}: {s["name"]}</span></td><td>{(s.get("env") or "unknown").upper()}</td><td class="left" style="color:{"var(--color-error)" if not s.get("reason") else "inherit"};">{s.get("reason") or "Missing reason"}</td></tr>' for s in all_skipped_tests]
+skip_html = collapsible('Environment-Conditional Skips', f'{total_skipped_tests} tests', [{'label':'Test','style':'text-align:left;'},{'label':'Skipped In','style':''},{'label':'Reason','style':'text-align:left;'}], skip_rows) if total_skipped_tests > 0 else ''
+
+# Assemble full HTML
+content = summary_html + gaps_html + details_html + qp_html + body_detail_html + include_html + skip_html
+
+html = f'''<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>API Coverage Report | freshapps_api_node</title>
+    <style>{CSS}</style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <div class="header-left">
+                <div class="logo">freshapps_api_node</div>
+                <h1>API Test Coverage Report</h1>
+                <p class="timestamp">Generated: {datetime.now().strftime("%Y-%m-%d %H:%M:%S")}</p>
+            </div>
+            <div class="health-badge {health_class}">{health_icon} {health_label}</div>
+        </div>
+        {content}
+        <footer>API Test Coverage Report &bull; Generated by Node.js API Coverage Matrix Generator &bull; {total_tests} test cases analyzed</footer>
+    </div>
+</body>
+</html>'''
+
+# Write HTML
+with open(HTML_OUTPUT_FILE, 'w', encoding='utf-8') as f:
+    f.write(html)
+
+# Write JSON summary
+json_output_file = HTML_OUTPUT_FILE.replace('.html', '.json')
+
+method_stats = {}
+gaps = []
+for ep in endpoints:
+    m = ep['method']
+    if m not in method_stats:
+        method_stats[m] = {'tested': 0, 'total': 0}
+    method_stats[m]['total'] += 1
+    key = f"{ep['method']} {ep['path']}"
+    if has_success_code(endpoint_stats.get(key, {}).get('status_codes', set())):
+        method_stats[m]['tested'] += 1
+    else:
+        gaps.append({'method': ep['method'], 'path': ep['path'], 'file': ep.get('file', '')})
+
+coverage_summary = {
+    'coverage_percent': round(success_pct, 1),
+    'tested': success_tested,
+    'total': len(endpoints),
+    'well_tested_percent': round(well_tested_pct, 1),
+    'query_params_percent': round(qp_pct, 1),
+    'oneof_tests': total_oneof_tests,
+    'fivexx_tests': total_5xx_tests,
+    'skipped_tests': total_skipped_tests,
+    'undocumented_skips': skips_without_reason,
+    'gaps': gaps[:20],
+    'by_method': method_stats,
+    'full_report': os.path.basename(HTML_OUTPUT_FILE)
+}
+
+with open(json_output_file, 'w', encoding='utf-8') as f:
+    json.dump(coverage_summary, f, indent=2)
+
+# Console output
+print(f"\nEndpoints in Code: {len(endpoints)}", flush=True)
+print(f"Total Test Cases: {total_tests}", flush=True)
+print(f"Success Path (2xx) Tested: {success_pct:.1f}% ({success_tested}/{len(endpoints)})", flush=True)
+print(f"Well Tested (>=3 tests): {well_tested_pct:.1f}% ({well_tested}/{len(endpoints)})", flush=True)
+print(f"Response Body Validated: {body_pct:.1f}% ({with_body}/{len(endpoints)})", flush=True)
+print(f"Query Params Tested: {qp_pct:.1f}% ({total_tested_params}/{total_defined_params})", flush=True)
+print(f"Auth (401) Coverage: {auth_pct:.1f}% ({auth_tested}/{len(endpoints)})", flush=True)
+if error_only > 0:
+    print(f"  Error-Only Tests (no 2xx): {error_only} endpoints", flush=True)
+if total_oneof_tests > 0:
+    print(f"  oneOf Tests (weak assertions): {total_oneof_tests} tests in {oneof_endpoints} endpoints", flush=True)
+if total_5xx_tests > 0:
+    print(f"  5xx Assertions (bad practice): {total_5xx_tests} tests in {endpoints_with_5xx} endpoints", flush=True)
+if total_skipped_tests > 0:
+    print(f"  Environment-conditional skips: {total_skipped_tests} tests", flush=True)
+    for env, skips in sorted(skips_by_env.items(), key=lambda x: x[0] or 'zzz'):
+        print(f"    - {env or 'unknown'}: {len(skips)} tests", flush=True)
+    if skips_without_reason > 0:
+        print(f"  Undocumented skips: {skips_without_reason} tests (add [SKIP] Reason: ... | Env: ...)", flush=True)
+if errors:
+    print(f"\nWarnings ({len(errors)}):", flush=True)
+    for err in errors[:5]:
+        print(f"  - {err}", flush=True)
+    if len(errors) > 5:
+        print(f"  ... and {len(errors) - 5} more", flush=True)