@freshworks/shiftleft-tools 1.1.8

package/templates/postman/scripts/lib/api_coverage.py

@@ -0,0 +1,1122 @@
+#!/usr/bin/env python3
+"""
+API Coverage Matrix Generator.
+
+Analyzes Java Spring Boot controllers and Postman collections to produce
+an HTML coverage report showing which endpoints have test coverage.
+
+Usage:
+    python3 api_coverage.py --controller-dir DIR --postman-dir DIR --html-output FILE
+"""
+
+import argparse
+import os
+import re
+import json
+import sys
+from collections import defaultdict
+from datetime import datetime
+from html import escape as esc
+
+try:
+    from report_utils import (
+        get_css, get_html_template,
+        build_summary_card, build_coverage_item, build_gaps_section,
+        build_collapsible_table, build_endpoint_row
+    )
+    SHARED_CSS = get_css()
+    USE_HELPERS = True
+except ImportError:
+    SHARED_CSS = None
+    USE_HELPERS = False
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(description='API Coverage Matrix Generator')
+    parser.add_argument('--controller-dir', required=True, help='Path to Java controller directory')
+    parser.add_argument('--postman-dir', required=True, help='Path to Postman directory')
+    parser.add_argument('--html-output', required=True, help='Path for HTML output file')
+    return parser.parse_args()
+
+
+args = parse_args()
+CONTROLLER_DIR = args.controller_dir
+POSTMAN_DIR = args.postman_dir
+HTML_OUTPUT_FILE = args.html_output
+
+endpoints = []
+tested = []
+errors = []
+
+print(f"Scanning {CONTROLLER_DIR}", flush=True)
+print(f"Scanning {POSTMAN_DIR}", flush=True)
+
+def safe_read_file(filepath, max_size_mb=50):
+    """Safely read a file with size limits."""
+    try:
+        file_size = os.path.getsize(filepath)
+        if file_size > max_size_mb * 1024 * 1024:
+            errors.append(f"Skipped {filepath}: file too large")
+            return None
+        with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
+            return f.read()
+    except Exception as e:
+        errors.append(f"Error reading {filepath}: {str(e)}")
+        return None
+
+def join_concatenated_strings(text):
+    """Join Java string concatenations like '"part1" + "part2"' into single strings."""
+    result = text
+    result = re.sub(r'"\s*\n\s*\+\s*"', '', result)  # NOSONAR - input is trusted local Java source files
+    result = re.sub(r'"\s*\+\s*\n\s*"', '', result)  # NOSONAR
+    result = re.sub(r'"\s*\+\s*"', '', result)
+    return result
+
+def resolve_constants(content, controller_dir):
+    """Resolve Java constant references (e.g., PathConstants.V1) to their string values."""
+    constants = {}
+    constants_dir = os.path.dirname(controller_dir)
+
+    for root, dirs, files in os.walk(constants_dir):
+        dirs[:] = [d for d in dirs if not d.startswith('.') and d not in ['target', 'build']]
+        for f in files:
+            if f.endswith('.java'):
+                fpath = os.path.join(root, f)
+                try:
+                    fcontent = safe_read_file(fpath)
+                    if fcontent is None:
+                        continue
+                    class_match = re.search(r'(?:public\s+)?class\s+(\w+)', fcontent)
+                    if not class_match:
+                        continue
+                    class_name = class_match.group(1)
+                    for m in re.finditer(
+                        r'(?:public\s+)?static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"',
+                        fcontent
+                    ):
+                        constants[f"{class_name}.{m.group(1)}"] = m.group(2)
+                except Exception:
+                    continue
+
+    if not constants:
+        return content
+
+    def replace_constant(match):
+        ref = match.group(0)
+        return f'"{constants[ref]}"' if ref in constants else match.group(0)
+
+    pattern = '|'.join(re.escape(k) for k in sorted(constants.keys(), key=len, reverse=True))
+    resolved = re.sub(pattern, replace_constant, content)
+    return resolved
+
+
+def extract_endpoints_from_file(filepath):
+    """Extract API endpoints from a Java controller file."""
+    content = safe_read_file(filepath)
+    if content is None:
+        return
+
+    content = resolve_constants(content, CONTROLLER_DIR)
+    content = join_concatenated_strings(content)
+    controller_name = os.path.basename(filepath).replace('.java', '')
+
+    class_path_match = re.search(r'@RequestMapping\s*\(\s*(?:path\s*=\s*)?["\']([^"\']+)["\']', content)
+    class_path = class_path_match.group(1) if class_path_match else ''
+
+    method_blocks = re.split(r'(?=@(?:Get|Post|Put|Delete|Patch)Mapping)', content)
+
+    for block in method_blocks:
+        if len(endpoints) >= 1000:
+            return
+
+        if not re.match(r'@(?:Get|Post|Put|Delete|Patch)Mapping', block.strip()):
+            continue
+
+        mapping_patterns = [
+            r'@(Get|Post|Put|Delete|Patch)Mapping\s*\(\s*value\s*=\s*\{?\s*["\']([^"\']+)["\']',
+            r'@(Get|Post|Put|Delete|Patch)Mapping\s*\(\s*\{?\s*["\']([^"\']+)["\']',
+            r'@(Get|Post|Put|Delete|Patch)Mapping\s*\(\s*["\']([^"\']+)["\']',
+            r'@(Get|Post|Put|Delete|Patch)Mapping\(["\']([^"\']+)["\']',
+        ]
+
+        http_method = None
+        path = None
+
+        for pattern in mapping_patterns:
+            match = re.search(pattern, block)
+            if match:
+                http_method = match.group(1).upper()
+                path = match.group(2)
+                break
+
+        if not http_method:
+            first_line = block.strip().split('\n')[0].strip()
+            no_path_match = re.match(  # NOSONAR - input is trusted local Java source files
+                r'@(Get|Post|Put|Delete|Patch)Mapping\s*(?:\([^"\']*\))?\s*$',
+                first_line
+            )
+            if not no_path_match:
+                no_path_match = re.match(
+                    r'@(Get|Post|Put|Delete|Patch)Mapping\s*$',
+                    first_line
+                )
+            if no_path_match:
+                http_method = no_path_match.group(1).upper()
+                path = ''
+
+        if not http_method:
+            continue
+        
+        if class_path and path:
+            full_path = f"{class_path.rstrip('/')}/{path.lstrip('/')}".replace('//', '/')
+        elif class_path:
+            full_path = class_path
+        else:
+            full_path = path
+        
+        full_path = re.sub(r'\.json$', '', full_path)
+        full_path = full_path.rstrip('/')
+        if not full_path.startswith('/'):
+            full_path = '/' + full_path
+        
+        param_block = block
+        defined_params = set()
+        include_params = set()
+        
+        named_param_pattern = r'@RequestParam\s*\(\s*(?:(?:name|value)\s*=\s*)?["\']([^"\']+)["\'][^)]*\)'  # NOSONAR
+        unnamed_param_pattern = r'@RequestParam\s*(?:\([^"\']*\))?\s*\w+\s+(\w+)'  # NOSONAR
+        
+        named_params = set()
+        for pm in re.finditer(named_param_pattern, param_block):
+            param_name = pm.group(1)
+            if param_name:
+                named_params.add(param_name)
+                defined_params.add(param_name.lower().replace('_', ''))
+                if 'include' in param_name.lower():
+                    include_params.add(param_name)
+        
+        for pm in re.finditer(unnamed_param_pattern, param_block):
+            var_name = pm.group(1)
+            if var_name:
+                match_start = pm.start()
+                preceding = param_block[:match_start]
+                last_annotation = preceding.rfind('@RequestParam')
+                if last_annotation >= 0:
+                    annotation_text = param_block[last_annotation:match_start]
+                    if 'name' not in annotation_text and '"\'' not in annotation_text[:50]:
+                        defined_params.add(var_name.lower())
+                        if 'include' in var_name.lower():
+                            include_params.add(var_name)
+        
+        endpoint = {
+            'method': http_method,
+            'path': full_path,
+            'controller': controller_name,
+            'defined_params': defined_params,
+            'has_include_param': len(include_params) > 0
+        }
+        
+        is_duplicate = False
+        for existing in endpoints:
+            if existing['method'] == endpoint['method'] and existing['path'] == endpoint['path']:
+                existing['defined_params'].update(endpoint['defined_params'])
+                if endpoint['has_include_param']:
+                    existing['has_include_param'] = True
+                is_duplicate = True
+                break
+        
+        if not is_duplicate:
+            endpoints.append(endpoint)
+
+# Process controller files
+try:
+    for root, dirs, files in os.walk(CONTROLLER_DIR):
+        dirs[:] = [d for d in dirs if not d.startswith('.') and d not in ['target', 'build', 'node_modules']]
+        
+        for file in files:
+            if file.endswith('.java'):
+                filepath = os.path.join(root, file)
+                try:
+                    extract_endpoints_from_file(filepath)
+                except Exception as e:
+                    errors.append(f"Error processing {file}: {str(e)}")
+except Exception as e:
+    print(f"ERROR: Failed to scan controller directory: {e}", flush=True)
+    sys.exit(1)
+
+def extract_tests_from_item(item, collection_name, depth=0):
+    """Extract test information from Postman collection items."""
+    if depth > 20:
+        return []
+    
+    results = []
+    
+    if isinstance(item, list):
+        for i in item:
+            results.extend(extract_tests_from_item(i, collection_name, depth + 1))
+    elif isinstance(item, dict):
+        if 'request' in item:
+            try:
+                request = item['request']
+                if not isinstance(request, dict):
+                    return results
+                    
+                method = request.get('method', 'GET')
+                
+                url = request.get('url', {})
+                query_params = set()
+                query_param_values = defaultdict(set)
+                
+                if isinstance(url, str):
+                    url_path = url
+                    if '?' in url_path:
+                        url_path, query_string = url_path.split('?', 1)
+                        for param in query_string.split('&'):
+                            if '=' in param:
+                                key, val = param.split('=', 1)
+                                query_params.add(key)
+                                query_param_values[key].add(val)
+                elif isinstance(url, dict):
+                    path_parts = url.get('path', [])
+                    if isinstance(path_parts, list):
+                        url_path = '/' + '/'.join(str(p) for p in path_parts) if path_parts else ''
+                    else:
+                        url_path = str(path_parts)
+                    
+                    for qp in url.get('query', []) or []:
+                        if isinstance(qp, dict):
+                            key = qp.get('key', '')
+                            val = qp.get('value', '')
+                            if key:
+                                query_params.add(key)
+                                if val:
+                                    query_param_values[key].add(val)
+                else:
+                    url_path = ''
+                
+                if '?' in url_path:
+                    url_path, extra_qs = url_path.split('?', 1)
+                    for param in extra_qs.split('&'):
+                        if '=' in param:
+                            key, val = param.split('=', 1)
+                            query_params.add(key)
+                            query_param_values[key].add(val)
+
+                url_path = re.sub(r'\.json$', '', url_path)
+                url_path = re.sub(r'\{\{[^}]+\}\}', '{VAR}', url_path)
+                url_path = re.sub(r':[^/]+', '{VAR}', url_path)
+                
+                status_codes = set()
+                body_assertions = 0
+                has_oneof = False
+                has_skip = False
+                skip_reason = None
+                skip_env = None
+                
+                # Check pre-request scripts for skips
+                for event in item.get('event', []) or []:
+                    if isinstance(event, dict) and event.get('listen') == 'prerequest':
+                        script = event.get('script', {})
+                        if isinstance(script, dict):
+                            exec_lines = script.get('exec', [])
+                            if isinstance(exec_lines, list):
+                                prereq_text = '\n'.join(str(line) for line in exec_lines)
+                            else:
+                                prereq_text = str(exec_lines)
+                            
+                            # Detect pm.execution.skipRequest()
+                            if 'pm.execution.skipRequest()' in prereq_text:
+                                has_skip = True
+                                
+                                # Extract skip reason - multiple formats supported:
+                                # Format 1: console.log('[SKIP] Reason: ... | Env: ...')
+                                # Format 2: console.log('[SKIP] ...')  (reason only)
+                                # Format 3: // SKIP: reason
+                                
+                                # Try format with Reason and Env (flexible spacing/separators)
+                                skip_match = re.search(
+                                    r"\[SKIP\].*?Reason:\s*([^|,;]+)(?:[|,;]\s*Env:\s*(\S+))?",
+                                    prereq_text, re.IGNORECASE
+                                )
+                                if skip_match:
+                                    skip_reason = skip_match.group(1).strip()
+                                    if skip_match.group(2):
+                                        skip_env = skip_match.group(2).strip().lower()
+                                
+                                # Try simple [SKIP] message format
+                                if not skip_reason:
+                                    simple_match = re.search(r"\[SKIP\]\s*(.+?)(?:['\"]|$)", prereq_text)
+                                    if simple_match and 'Reason:' not in simple_match.group(1):
+                                        skip_reason = simple_match.group(1).strip()
+                                
+                                # Try comment-based skip reason
+                                if not skip_reason:
+                                    comment_match = re.search(r"//\s*SKIP[:\s]+(.+)", prereq_text)
+                                    if comment_match:
+                                        skip_reason = comment_match.group(1).strip()
+                                
+                                # Auto-detect environment from the if condition if not specified
+                                if not skip_env:
+                                    # Check for environment condition patterns
+                                    env_patterns = [
+                                        # pm.environment.get('environment') === 'local'
+                                        (r"pm\.environment\.get\(['\"]environment['\"]\)\s*===\s*['\"](\w+)['\"]", lambda m: m.group(1)),
+                                        # pm.environment.get('environment') !== 'local' -> skip in non-local
+                                        (r"pm\.environment\.get\(['\"]environment['\"]\)\s*!==\s*['\"]local['\"]", lambda m: 'staging'),
+                                        (r"pm\.environment\.get\(['\"]environment['\"]\)\s*!==\s*['\"]staging['\"]", lambda m: 'local'),
+                                        # pm.variables.get('env') patterns
+                                        (r"pm\.variables\.get\(['\"]env['\"]\)\s*===\s*['\"](\w+)['\"]", lambda m: m.group(1)),
+                                    ]
+                                    for pattern, extractor in env_patterns:
+                                        env_match = re.search(pattern, prereq_text)
+                                        if env_match:
+                                            skip_env = extractor(env_match).lower()
+                                            break
+                
+                for event in item.get('event', []) or []:
+                    if isinstance(event, dict) and event.get('listen') == 'test':
+                        script = event.get('script', {})
+                        if isinstance(script, dict):
+                            exec_lines = script.get('exec', [])
+                            if isinstance(exec_lines, list):
+                                script_text = '\n'.join(str(line) for line in exec_lines)
+                            else:
+                                script_text = str(exec_lines)
+                            
+                            matches = re.findall(r'to\.have\.status\((\d+)\)', script_text)
+                            for m in matches:
+                                status_codes.add(str(m))
+                            
+                            matches_equal = re.findall(r'pm\.response\.code\)\.to\.equal\((\d+)\)', script_text)
+                            for m in matches_equal:
+                                status_codes.add(str(m))
+                            
+                            matches_eql = re.findall(r'pm\.response\.code\)\.to\.eql\((\d+)\)', script_text)
+                            for m in matches_eql:
+                                status_codes.add(str(m))
+                            
+                            # Detect weak assertions: oneOf, to.include with array for status codes
+                            if 'oneOf' in script_text:
+                                has_oneof = True
+                            # Detect pm.expect([...]).to.include(pm.response.code) pattern - weak status code assertion
+                            if re.search(r'pm\.expect\s*\(\s*\[.*?\]\s*\)\.to\.include\s*\(\s*pm\.response\.code', script_text):
+                                has_oneof = True
+                            # Detect pm.expect(pm.response.code).to.be.oneOf([...]) pattern
+                            if re.search(r'pm\.response\.code\s*\)\s*\.to\.be\.oneOf', script_text):
+                                has_oneof = True
+                            
+                            # Extract status codes from oneOf/include arrays (weak but still counts for coverage)
+                            for oneof_match in re.finditer(r'\.to\.be\.oneOf\s*\(\s*\[([^\]]+)\]', script_text):
+                                for code in re.findall(r'\d{3}', oneof_match.group(1)):
+                                    status_codes.add(str(code))
+                            for include_match in re.finditer(r'pm\.expect\s*\(\s*\[([\d,\s]+)\]\s*\)\.to\.include', script_text):
+                                for code in re.findall(r'\d{3}', include_match.group(1)):
+                                    status_codes.add(str(code))
+                            
+                            # Check for 5xx status code assertions (bad practice)
+                            has_5xx = any(str(code).startswith('5') for code in status_codes)
+                            
+                            body_patterns = [
+                                r'pm\.expect\s*\(\s*jsonData\.',
+                                r'pm\.expect\s*\(\s*jsonData\s*\)\.to\.be\.an\s*\(',
+                                r'pm\.expect\s*\(\s*jsonData\s*\)\.to\.have\.property\s*\(',
+                                r'pm\.expect\s*\(\s*jsonData\s*\)\.to\.not\.be\.null',
+                                r'pm\.expect\s*\(\s*response\.',
+                                r'\.to\.have\.property\(',
+                                r'\.to\.include\(',
+                                r'\.to\.eql\(',
+                            ]
+                            for p in body_patterns:
+                                body_assertions += len(re.findall(p, script_text))
+                
+                has_request_body = False
+                request_body_hash = None
+                request_body_fields = set()
+                body = request.get('body', {})
+                if isinstance(body, dict):
+                    raw_body = body.get('raw', '')
+                    if raw_body and isinstance(raw_body, str) and raw_body.strip():
+                        has_request_body = True
+                        request_body_hash = hash(raw_body.strip())
+                        # Try JSON parsing first, fallback to regex for Postman template variables
+                        try:
+                            parsed = json.loads(raw_body)
+                            if isinstance(parsed, dict):
+                                request_body_fields = set(parsed.keys())
+                        except (json.JSONDecodeError, ValueError):
+                            # Use regex to extract field names when JSON parsing fails
+                            # This handles Postman template variables like {{variable}}
+                            field_pattern = r'"([^"]+)"\s*:'
+                            request_body_fields = set(re.findall(field_pattern, raw_body))
+                
+                if url_path:
+                    results.append({
+                        'method': method,
+                        'path': url_path,
+                        'name': item.get('name', ''),
+                        'status_codes': list(status_codes) if status_codes else [],
+                        'collection': collection_name,
+                        'body_assertions': body_assertions,
+                        'has_request_body': has_request_body,
+                        'request_body_hash': request_body_hash,
+                        'request_body_fields': request_body_fields,
+                        'query_params': query_params,
+                        'query_param_values': dict(query_param_values),
+                        'has_oneof': has_oneof,
+                        'has_5xx': any(str(code).startswith('5') for code in status_codes),
+                        'has_skip': has_skip,
+                        'skip_reason': skip_reason,
+                        'skip_env': skip_env
+                    })
+            except Exception as e:
+                errors.append(f"Error parsing request in {collection_name}: {str(e)}")
+        
+        if 'item' in item:
+            results.extend(extract_tests_from_item(item['item'], collection_name, depth + 1))
+    
+    return results
+
+def find_collection_files(base_dir):
+    """Find all Postman collection JSON files in the given directory."""
+    collection_files = []
+    seen_files = set()  # Track seen file paths to avoid duplicates
+    
+    search_dirs = [base_dir]
+    
+    for subdir in ['collections', 'api-tests', 'tests']:
+        subpath = os.path.join(base_dir, subdir)
+        if os.path.isdir(subpath):
+            search_dirs.append(subpath)
+    
+    seen_dirs = set()
+    
+    for search_dir in search_dirs:
+        if search_dir in seen_dirs:
+            continue
+        seen_dirs.add(search_dir)
+        
+        try:
+            for root, dirs, files in os.walk(search_dir):
+                # Skip directories that definitely don't contain Postman collections
+                dirs[:] = [d for d in dirs if d not in [
+                    'node_modules', 'environments', 'reports', 'config',
+                    'scripts', '.git', 'data', 'schemas'
+                ]]
+                
+                for file in files:
+                    if file.endswith('.json'):
+                        # Only skip files that are DEFINITELY not Postman collections
+                        # Use exact matches or specific patterns to avoid false positives
+                        # The Postman structure validation later will handle edge cases
+                        skip_exact = [
+                            'package.json', 'package-lock.json',
+                            'tsconfig.json', 'jsconfig.json',
+                            '.eslintrc.json', '.prettierrc.json',
+                            'newman-reporter-config.json'
+                        ]
+                        
+                        # Skip Postman environment files
+                        # Common patterns: *.environment.json, *_environment.json, 
+                        # *.postman_environment.json (Postman export format)
+                        is_environment_file = (
+                            file.lower().endswith('.environment.json') or
+                            file.lower().endswith('_environment.json') or
+                            file.lower().endswith('.postman_environment.json') or
+                            file.lower() == 'environment.json'
+                        )
+                        
+                        if file.lower() in skip_exact:
+                            continue
+                        if is_environment_file:
+                            continue
+                        
+                        # Deduplicate by absolute path
+                        full_path = os.path.abspath(os.path.join(root, file))
+                        if full_path not in seen_files:
+                            seen_files.add(full_path)
+                            collection_files.append(full_path)
+        except Exception as e:
+            errors.append(f"Error scanning {search_dir}: {str(e)}")
+    
+    return collection_files
+
+try:
+    collection_files = find_collection_files(POSTMAN_DIR)
+    print(f"Found {len(collection_files)} collection file(s)", flush=True)
+    
+    for filepath in collection_files:
+        file = os.path.basename(filepath)
+        
+        file_size = os.path.getsize(filepath)
+        if file_size > 50 * 1024 * 1024:
+            errors.append(f"Skipped {file}: collection too large")
+            continue
+        
+        try:
+            content = safe_read_file(filepath)
+            if content:
+                collection = json.loads(content)
+                if not isinstance(collection, dict) or ('item' not in collection and 'info' not in collection):
+                    continue
+                collection_name = file.replace('.json', '')
+                tests = extract_tests_from_item(collection.get('item', []), collection_name)
+                tested.extend(tests)
+        except json.JSONDecodeError as e:
+            errors.append(f"Invalid JSON in {file}: {str(e)}")
+        except Exception as e:
+            errors.append(f"Error processing {file}: {str(e)}")
+except Exception as e:
+    print(f"ERROR: Failed to scan Postman directory: {e}", flush=True)
+    sys.exit(1)
+
+# Sort and deduplicate endpoints
+seen = set()
+unique_endpoints = []
+for ep in endpoints:
+    key = (ep['method'], ep['path'])
+    if key not in seen:
+        seen.add(key)
+        unique_endpoints.append(ep)
+endpoints = sorted(unique_endpoints, key=lambda x: (x['path'], x['method']))
+
+# Aggregate stats per endpoint
+endpoint_stats = defaultdict(lambda: {
+    'test_count': 0,
+    'status_codes': set(),
+    'body_assertions': 0,
+    'request_body_variations': set(),
+    'has_body_test': False,
+    'query_params': set(),
+    'query_param_values': defaultdict(set),
+    'request_body_fields': set(),
+    'has_oneof': False,
+    'oneof_count': 0,
+    'has_5xx': False,
+    'count_5xx': 0,
+    'skipped_tests': []
+})
+
+# Track all skipped tests separately for reporting
+all_skipped_tests = []
+
+def normalize_path(path):
+    """Normalize path for comparison."""
+    if not path:
+        return ''
+    normalized = re.sub(r'^/?(api/)?v\d+/', '/', path)
+    normalized = re.sub(r'\{\{[^}]+\}\}', '{VAR}', normalized)
+    normalized = re.sub(r'\{[^}]+\}', '{VAR}', normalized)
+    normalized = re.sub(r':[^/]+', '{VAR}', normalized)
+    normalized = re.sub(r'/(\d+)(?=/|$)', '/{VAR}', normalized)
+    normalized = re.sub(r'\.json$', '', normalized)
+    return normalized.lower().replace('{var}', '{VAR}')
+
+def paths_match(controller_path, test_path):
+    """Check if a test path matches a controller path."""
+    norm_controller = normalize_path(controller_path)
+    norm_test = normalize_path(test_path)
+    
+    if norm_controller == norm_test:
+        return True
+    
+    try:
+        pattern = re.escape(norm_controller).replace(r'\{VAR\}', '[^/]+')
+        if re.fullmatch(pattern, norm_test):
+            return True
+    except re.error:
+        pass
+    
+    return False
+
+for test in tested:
+    test_path = test['path']
+    test_method = test['method']
+    
+    # Track skipped tests globally
+    if test.get('has_skip', False):
+        skip_info = {
+            'name': test.get('name', 'Unknown'),
+            'collection': test.get('collection', ''),
+            'method': test_method,
+            'path': test_path,
+            'reason': test.get('skip_reason'),
+            'env': test.get('skip_env')
+        }
+        all_skipped_tests.append(skip_info)
+    
+    matched = False
+    for ep in endpoints:
+        if test_method == ep['method'] and paths_match(ep['path'], test_path):
+            key = f"{ep['method']} {ep['path']}"
+            endpoint_stats[key]['test_count'] += 1
+            endpoint_stats[key]['status_codes'].update(test['status_codes'])
+            endpoint_stats[key]['body_assertions'] += test['body_assertions']
+            if test['body_assertions'] > 0:
+                endpoint_stats[key]['has_body_test'] = True
+            if test['request_body_hash']:
+                endpoint_stats[key]['request_body_variations'].add(test['request_body_hash'])
+            endpoint_stats[key]['query_params'].update(test.get('query_params', set()))
+            for param, values in test.get('query_param_values', {}).items():
+                endpoint_stats[key]['query_param_values'][param].update(values)
+            endpoint_stats[key]['request_body_fields'].update(test.get('request_body_fields', set()))
+            if test.get('has_oneof', False):
+                endpoint_stats[key]['has_oneof'] = True
+                endpoint_stats[key]['oneof_count'] += 1
+            if test.get('has_5xx', False):
+                endpoint_stats[key]['has_5xx'] = True
+                endpoint_stats[key]['count_5xx'] += 1
+            if test.get('has_skip', False):
+                endpoint_stats[key]['skipped_tests'].append({
+                    'name': test.get('name', ''),
+                    'reason': test.get('skip_reason'),
+                    'env': test.get('skip_env')
+                })
+            matched = True
+            break
+    
+    if not matched:
+        key = f"{test_method} {test_path}"
+        endpoint_stats[key]['test_count'] += 1
+        endpoint_stats[key]['status_codes'].update(test['status_codes'])
+        endpoint_stats[key]['body_assertions'] += test['body_assertions']
+        if test['body_assertions'] > 0:
+            endpoint_stats[key]['has_body_test'] = True
+        if test['request_body_hash']:
+            endpoint_stats[key]['request_body_variations'].add(test['request_body_hash'])
+        endpoint_stats[key]['query_params'].update(test.get('query_params', set()))
+        for param, values in test.get('query_param_values', {}).items():
+            endpoint_stats[key]['query_param_values'][param].update(values)
+        endpoint_stats[key]['request_body_fields'].update(test.get('request_body_fields', set()))
+        if test.get('has_oneof', False):
+            endpoint_stats[key]['has_oneof'] = True
+            endpoint_stats[key]['oneof_count'] += 1
+        if test.get('has_5xx', False):
+            endpoint_stats[key]['has_5xx'] = True
+            endpoint_stats[key]['count_5xx'] += 1
+        if test.get('has_skip', False):
+            endpoint_stats[key]['skipped_tests'].append({
+                'name': test.get('name', ''),
+                'reason': test.get('skip_reason'),
+                'env': test.get('skip_env')
+            })
+
+# Calculate metrics
+total_tests = sum(s['test_count'] for s in endpoint_stats.values())
+total_body = sum(s['body_assertions'] for s in endpoint_stats.values())
+tested_ep = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('test_count', 0) > 0)
+well_tested = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('test_count', 0) >= 3)
+with_body = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('has_body_test', False))
+not_tested = len(endpoints) - tested_ep
+
+# Success path tested (has at least one 2xx status code)
+def has_success_code(status_codes):
+    """Check if any status code is a 2xx success code."""
+    return any(str(code).startswith('2') for code in status_codes)
+
+def has_401_code(status_codes):
+    """Check if any status code is 401 (unauthorized)."""
+    return '401' in [str(code) for code in status_codes]
+
+success_tested = sum(1 for ep in endpoints if has_success_code(endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('status_codes', set())))
+error_only = tested_ep - success_tested
+
+# 401 coverage (endpoints with auth tests)
+auth_tested = sum(1 for ep in endpoints if has_401_code(endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('status_codes', set())))
+auth_pct = (auth_tested / len(endpoints) * 100) if endpoints else 0
+
+# oneOf (weak assertion) metrics
+oneof_endpoints = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('has_oneof', False))
+total_oneof_tests = sum(endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('oneof_count', 0) for ep in endpoints)
+
+# 5xx assertion metrics (bad practice)
+endpoints_with_5xx = sum(1 for ep in endpoints if endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('has_5xx', False))
+total_5xx_tests = sum(endpoint_stats.get(f"{ep['method']} {ep['path']}", {}).get('count_5xx', 0) for ep in endpoints)
+
+# Skip metrics
+total_skipped_tests = len(all_skipped_tests)
+skips_with_reason = sum(1 for s in all_skipped_tests if s.get('reason'))
+skips_without_reason = total_skipped_tests - skips_with_reason
+skips_by_env = defaultdict(list)
+for skip in all_skipped_tests:
+    env = skip.get('env', 'unknown')
+    skips_by_env[env].append(skip)
+
+# Query params metrics
+total_defined_params = 0
+total_tested_params = 0
+endpoints_with_params = []
+for ep in endpoints:
+    defined_params = ep.get('defined_params', set())
+    if defined_params:
+        total_defined_params += len(defined_params)
+        key = f"{ep['method']} {ep['path']}"
+        stats = endpoint_stats.get(key, {})
+        tested_params = stats.get('query_params', set())
+        tested_normalized = set(p.lower().replace('_', '') for p in tested_params)
+        covered = len(defined_params.intersection(tested_normalized))
+        total_tested_params += covered
+        
+        param_values = stats.get('query_param_values', {})
+        if tested_params:
+            endpoints_with_params.append({
+                'method': ep['method'],
+                'path': ep['path'],
+                'params': tested_params,
+                'param_values': param_values,
+                'total_values': sum(len(v) for v in param_values.values())
+            })
+
+# Include params metrics
+# Define expected include values per endpoint type
+# - List endpoints: configs, oauth_configs_list, secure_iparams
+# - Configuration endpoints: secure_iparams, oauth_iparams, extension_type
+INCLUDE_VALUES_LIST = {'configs', 'oauth_configs_list', 'secure_iparams'}
+INCLUDE_VALUES_CONFIG = {'secure_iparams', 'oauth_iparams', 'extension_type'}
+
+endpoints_with_include = []
+total_expected_include_values = 0
+total_tested_include_values = 0
+
+for ep in endpoints:
+    if ep.get('has_include_param', False):
+        key = f"{ep['method']} {ep['path']}"
+        stats = endpoint_stats.get(key, {})
+        tested_params = stats.get('query_params', set())
+        param_values = stats.get('query_param_values', {})
+        
+        include_tested = any('include' in p.lower() for p in tested_params)
+        include_values = set()
+        include_variations = 0
+        
+        for param, values in param_values.items():
+            if 'include' in param.lower():
+                for v in values:
+                    for single_val in v.split(','):
+                        include_values.add(single_val.strip())
+                include_variations = len(values)
+        
+        # Determine expected values based on endpoint type
+        if 'configurations' in ep['path'].lower():
+            expected_values = INCLUDE_VALUES_CONFIG
+        else:
+            expected_values = INCLUDE_VALUES_LIST
+        
+        tested_expected = include_values & expected_values
+        missing_values = expected_values - include_values
+        
+        total_expected_include_values += len(expected_values)
+        total_tested_include_values += len(tested_expected)
+        
+        endpoints_with_include.append({
+            'method': ep['method'],
+            'path': ep['path'],
+            'tested': include_tested,
+            'values': include_values,
+            'expected_values': expected_values,
+            'tested_expected': tested_expected,
+            'missing_values': missing_values,
+            'variations': include_variations
+        })
+
+# Request body metrics
+endpoints_with_body = []
+for ep in endpoints:
+    if ep['method'] in ['POST', 'PUT', 'PATCH']:
+        key = f"{ep['method']} {ep['path']}"
+        stats = endpoint_stats.get(key, {})
+        fields = stats.get('request_body_fields', set())
+        variations = len(stats.get('request_body_variations', set()))
+        
+        if fields or variations > 0:
+            endpoints_with_body.append({
+                'method': ep['method'],
+                'path': ep['path'],
+                'fields': fields,
+                'variations': variations
+            })
+
+# Calculate percentages
+tested_pct = (tested_ep / len(endpoints) * 100) if endpoints else 0
+well_tested_pct = (well_tested / len(endpoints) * 100) if endpoints else 0
+body_pct = (with_body / len(endpoints) * 100) if endpoints else 0
+qp_pct = (total_tested_params / total_defined_params * 100) if total_defined_params > 0 else 0
+success_pct = (success_tested / len(endpoints) * 100) if endpoints else 0
+
+# Include param coverage - now based on individual values tested vs expected
+include_tested_count = sum(1 for ep in endpoints_with_include if ep['tested'])
+include_total_count = len(endpoints_with_include)
+include_pct = (total_tested_include_values / total_expected_include_values * 100) if total_expected_include_values > 0 else 100
+include_endpoints_pct = (include_tested_count / include_total_count * 100) if include_total_count > 0 else 100
+
+# Categorize endpoints for gaps analysis
+gaps_no_tests = []
+gaps_no_2xx = []
+gaps_weak_assertions = []
+gaps_5xx_assertions = []
+
+for ep in endpoints:
+    key = f"{ep['method']} {ep['path']}"
+    stats = endpoint_stats.get(key, {'test_count': 0, 'status_codes': set()})
+    
+    if stats['test_count'] == 0:
+        gaps_no_tests.append(ep)
+    elif not has_success_code(stats.get('status_codes', set())):
+        gaps_no_2xx.append(ep)
+    
+    if stats.get('has_oneof', False):
+        gaps_weak_assertions.append({**ep, 'oneof_count': stats.get('oneof_count', 0)})
+    
+    if stats.get('has_5xx', False):
+        gaps_5xx_assertions.append({**ep, 'count_5xx': stats.get('count_5xx', 0)})
+
+def get_status_class(pct):
+    if pct >= 80: return 'success'
+    if pct >= 50: return 'warning'
+    return 'error'
+
+def get_health_status(success_pct, well_tested_pct, error_only, oneof_count):
+    """Determine overall API test health."""
+    if success_pct >= 100 and well_tested_pct >= 80 and error_only == 0 and oneof_count == 0:
+        return ('excellent', '🟢', 'Excellent', 'All endpoints have 2xx tests with strong assertions')
+    elif success_pct >= 90 and well_tested_pct >= 60 and error_only <= 2:
+        return ('good', '🟡', 'Good', 'Most endpoints well tested, minor gaps exist')
+    elif success_pct >= 70 and well_tested_pct >= 40:
+        return ('fair', '🟠', 'Fair', 'Moderate coverage, needs improvement')
+    else:
+        return ('poor', '🔴', 'Needs Work', 'Significant testing gaps exist')
+
+health_class, health_icon, health_label, health_desc = get_health_status(success_pct, well_tested_pct, error_only, total_oneof_tests)
+
+# Build HTML content sections
+def card(val, lbl, sub=None, status=None):
+    """Build a summary card."""
+    cls = f'summary-card{" " + esc(str(status)) if status else ""}'
+    sub_html = f'<div class="sub-value">{esc(str(sub))}</div>' if sub else ''
+    return f'<div class="{cls}"><div class="value">{esc(str(val))}</div><div class="label">{esc(str(lbl))}</div>{sub_html}</div>'
+
+def coverage_item(name, pct, details):
+    """Build a coverage metric item."""
+    status = 'success' if pct >= 80 else 'warning' if pct >= 50 else 'error'
+    safe_pct = min(float(pct), 100)
+    return f'''<div class="coverage-item">
+    <div class="header"><span class="metric-name">{esc(str(name))}</span><span class="metric-value" style="color: var(--color-{status});">{safe_pct:.1f}%</span></div>
+    <div class="progress-bar"><div class="progress-fill {status}" style="width: {safe_pct:.1f}%;"></div></div>
+    <div class="details">{esc(str(details))}</div>
+</div>'''
+
+def gaps_section(title, items, warning=False, count_key=None):
+    """Build a gaps section."""
+    if not items: return ''
+    cls = 'gaps-section warning' if warning else 'gaps-section'
+    def gap_line(ep):
+        method = esc(str(ep["method"]))
+        path = esc(str(ep["path"]))
+        count_suffix = f' ({esc(str(ep.get(count_key, 0)))} tests)' if count_key else ''
+        return f'<div class="gap-item"><span class="method method-{method}">{method}</span> {path}{count_suffix}</div>'
+    items_html = ''.join(gap_line(ep) for ep in items)
+    return f'<div class="{cls}"><div class="title">{esc(str(title))}</div><div class="gap-list">{items_html}</div></div>'
+
+def collapsible(title, count, headers, rows):
+    """Build a collapsible table section."""
+    if not rows: return ''
+    h = ''.join(f'<th style="{hdr.get("style","")}">{hdr["label"]}</th>' for hdr in headers)
+    r = ''.join(rows)
+    return f'''<details><summary>{title}<span class="count" style="background: var(--color-border); padding: 0.125rem 0.5rem; border-radius: 10px; font-size: 0.75rem; font-weight: 500;">{count}</span></summary>
+<div class="content"><table><thead><tr>{h}</tr></thead><tbody>{r}</tbody></table></div></details>'''
+
+# Compact summary - single row with key metrics
+def metric(label, value, detail=None, status=None):
+    """Inline metric span."""
+    color = f'var(--color-{status})' if status else 'var(--color-primary)'
+    det = f' <span style="color:var(--color-muted);font-size:0.75rem;">({detail})</span>' if detail else ''
+    return f'<span style="margin-right:1.5rem;"><strong style="color:{color};">{value}</strong> {label}{det}</span>'
+
+issues = []
+if not_tested > 0: issues.append(f'{not_tested} untested')
+if total_5xx_tests > 0: issues.append(f'{total_5xx_tests} 5xx')
+if total_oneof_tests > 0: issues.append(f'{total_oneof_tests} weak')
+if skips_without_reason > 0: issues.append(f'{skips_without_reason} undoc')
+issues_str = ', '.join(issues) if issues else None
+
+summary_html = f'''<div class="section">
+<div style="display:flex;align-items:center;justify-content:space-between;flex-wrap:wrap;gap:1rem;padding:1rem 1.25rem;background:var(--color-card);border:1px solid var(--color-border);border-radius:var(--radius-sm);box-shadow:var(--shadow-sm);">
+    <div style="display:flex;align-items:center;gap:0.75rem;">
+        <span style="font-size:1.5rem;">{health_icon}</span>
+        <span style="font-weight:600;color:var(--color-heading);">{health_label}</span>
+    </div>
+    <div style="display:flex;flex-wrap:wrap;align-items:center;">
+        {metric('endpoints', len(endpoints), f'{total_tests} tests')}
+        {metric('2xx', f'{success_pct:.0f}%', f'{success_tested}/{len(endpoints)}', 'success' if success_pct >= 100 else 'warning' if success_pct >= 80 else 'error')}
+        {metric('well tested', f'{well_tested_pct:.0f}%', f'{well_tested}/{len(endpoints)}', 'success' if well_tested_pct >= 100 else 'warning' if well_tested_pct >= 80 else 'error')}
+        {metric('body validated', f'{body_pct:.0f}%', f'{with_body}/{len(endpoints)}', 'success' if body_pct >= 100 else 'warning' if body_pct >= 80 else 'error')}
+        {metric('query params', f'{qp_pct:.0f}%', f'{total_tested_params}/{total_defined_params}', 'success' if qp_pct >= 100 else 'warning' if qp_pct >= 80 else 'error')}
+        {f'<span style="color:var(--color-error);font-weight:500;">⚠ {issues_str}</span>' if issues_str else ''}
+    </div>
+</div>
+</div>'''
+
+# No separate coverage breakdown needed - all in summary
+coverage_html = ''
+
+# Gaps analysis
+gaps_html = ''
+if gaps_no_tests or gaps_no_2xx or gaps_weak_assertions or gaps_5xx_assertions:
+    gaps_html = '<div class="section"><div class="section-title">⚠️ Gaps Analysis</div>'
+    gaps_html += gaps_section(f'❌ No Tests ({len(gaps_no_tests)} endpoints)', gaps_no_tests)
+    gaps_html += gaps_section(f'❌ No 2xx Tests ({len(gaps_no_2xx)} endpoints)', gaps_no_2xx)
+    gaps_html += gaps_section(f'⚠️ Weak Assertions (oneOf) - {len(gaps_weak_assertions)} endpoints', gaps_weak_assertions, warning=True, count_key='oneof_count')
+    gaps_html += gaps_section(f'🔴 5xx Assertions (bad practice) - {len(gaps_5xx_assertions)} endpoints', gaps_5xx_assertions, count_key='count_5xx')
+    gaps_html += '</div>'
+
+# Endpoint details table
+def endpoint_row(ep, stats):
+    tc = stats.get('test_count', 0)
+    codes = stats.get('status_codes', set())
+    codes_str = ', '.join(sorted(codes, key=lambda x: int(x) if x.isdigit() else 0)) if codes else '—'
+    body = stats.get('body_assertions', 0) or '—'
+    has_2xx = any(str(c).startswith('2') for c in codes)
+    success_icon = '✅' if has_2xx else ('❌' if tc > 0 else '—')
+    defined = ep.get('defined_params', set())
+    tested = stats.get('query_params', set())
+    qp_str = '—' if not defined else f'{len(defined.intersection(set(p.lower().replace("_","") for p in tested)))}/{len(defined)}' if tested else f'0/{len(defined)}'
+    oneof = stats.get('oneof_count', 0)
+    weak = f'⚠️ {oneof}' if oneof > 0 else '—'
+    icon, style = ('❌', 'background:#fef2f2;') if tc == 0 else ('⚠️', '') if tc < 3 else ('✅', '')
+    return f'<tr style="{style}"><td class="status-icon">{icon}</td><td><span class="method method-{ep["method"]}">{ep["method"]}</span></td><td class="left"><span class="path">{ep["path"]}</span></td><td>{tc}</td><td class="status-icon">{success_icon}</td><td>{codes_str}</td><td>{body}</td><td>{qp_str}</td><td>{weak}</td></tr>'
+
+endpoint_rows = [endpoint_row(ep, endpoint_stats.get(f"{ep['method']} {ep['path']}", {})) for ep in endpoints]
+details_html = f'''<div class="section"><div class="section-title">Endpoint Details<span class="count">{len(endpoints)} endpoints</span></div>
+<table><thead><tr><th style="width:40px;">Status</th><th style="width:70px;">Method</th><th style="text-align:left;">Endpoint</th><th style="width:50px;">Tests</th><th style="width:50px;">2xx</th><th style="width:120px;">Status Codes Asserted</th><th style="width:80px;">Response Assertions</th><th style="width:80px;">Query Params Coverage</th><th style="width:80px;">Weak Assertions</th></tr></thead>
+<tbody>{''.join(endpoint_rows)}</tbody></table></div>'''
+
+# Collapsible detail sections
+qp_rows = [f'<tr><td class="left"><span class="method method-{ep["method"]}">{ep["method"]}</span> <span class="path">{ep["path"]}</span></td><td><code>{", ".join(sorted(ep["params"]))}</code></td><td>{ep["total_values"]}</td></tr>' for ep in endpoints_with_params]
+qp_html = collapsible('Query Parameter Details', f'{len(endpoints_with_params)} endpoints', [{'label':'Endpoint','style':'text-align:left;'},{'label':'Parameters Tested'},{'label':'Value Variations'}], qp_rows)
+
+body_rows = [f'<tr><td class="left"><span class="method method-{ep["method"]}">{ep["method"]}</span> <span class="path">{ep["path"]}</span></td><td>{len(ep["fields"])} fields</td><td>{ep["variations"]}</td></tr>' for ep in endpoints_with_body]
+body_html = collapsible('Request Body Coverage', f'{len(endpoints_with_body)} endpoints', [{'label':'Endpoint','style':'text-align:left;'},{'label':'Fields Tested'},{'label':'Variations'}], body_rows)
+
+def include_row(ep):
+    tc, ec = len(ep['tested_expected']), len(ep['expected_values'])
+    pct = (tc / ec * 100) if ec > 0 else 0
+    col = 'var(--color-success)' if pct >= 100 else 'var(--color-warning)' if pct >= 50 else 'var(--color-error)'
+    exp = ', '.join(sorted(ep['expected_values'])) or 'None'
+    vals = ', '.join(sorted(ep['values'])) or 'None'
+    miss = ', '.join(sorted(ep['missing_values'])) or '—'
+    miss_col = 'var(--color-error)' if ep['missing_values'] else 'var(--color-success)'
+    return f'<tr><td class="left"><span class="method method-{ep["method"]}">{ep["method"]}</span> <span class="path">{ep["path"]}</span></td><td style="color:{col};">{tc}/{ec} ({pct:.0f}%)</td><td><code>{exp}</code></td><td><code>{vals}</code></td><td style="color:{miss_col};"><code>{miss}</code></td></tr>'
+
+include_rows = [include_row(ep) for ep in endpoints_with_include]
+include_html = collapsible('Include Parameter Details', f'{len(endpoints_with_include)} endpoints', [{'label':'Endpoint','style':'text-align:left;'},{'label':'Coverage'},{'label':'Expected Values'},{'label':'Tested Values'},{'label':'Missing'}], include_rows)
+
+skip_rows = [f'<tr><td class="left"><span class="path">{s["collection"]}: {s["name"]}</span></td><td>{s.get("env","unknown").upper()}</td><td class="left" style="color:{"var(--color-error)" if not s.get("reason") else "inherit"};">{s.get("reason") or "Missing reason"}</td></tr>' for s in all_skipped_tests]
+skip_html = collapsible('Environment-Conditional Skips', f'{total_skipped_tests} tests', [{'label':'Test','style':'text-align:left;'},{'label':'Skipped In'},{'label':'Reason','style':'text-align:left;'}], skip_rows) if total_skipped_tests > 0 else ''
+
+# Assemble full HTML
+content = summary_html + coverage_html + gaps_html + details_html + qp_html + body_html + include_html + skip_html
+
+if USE_HELPERS:
+    html = get_html_template(
+        title='API Test Coverage Report',
+        logo='DP Apps',
+        content=content,
+        health_badge={'class': health_class, 'icon': health_icon, 'label': health_label},
+        footer_text=f'API Test Coverage Report • Generated by API Coverage Matrix Generator • {total_tests} test cases analyzed'
+    )
+else:
+    # Fallback: manual HTML construction
+    html = f'''<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>API Coverage Report | DP Apps</title>
+    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
+    <style>{SHARED_CSS if SHARED_CSS else "/* Error: shared CSS library not loaded */"}</style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <div class="header-left">
+                <div class="logo">DP Apps</div>
+                <h1>API Test Coverage Report</h1>
+                <p class="timestamp">Generated: {datetime.now().strftime("%Y-%m-%d %H:%M:%S")}</p>
+            </div>
+            <div class="health-badge {health_class}">{health_icon} {health_label}</div>
+        </div>
+        {content}
+        <footer>API Test Coverage Report • Generated by API Coverage Matrix Generator • {total_tests} test cases analyzed</footer>
+    </div>
+</body>
+</html>'''
+
+# Write HTML
+with open(HTML_OUTPUT_FILE, 'w', encoding='utf-8') as f:
+    f.write(html)
+
+# Also generate JSON summary for consolidated reports
+json_output_file = HTML_OUTPUT_FILE.replace('.html', '.json')
+
+# Helper to check if endpoint has 2xx coverage
+def ep_has_2xx(ep):
+    key = f"{ep['method']} {ep['path']}"
+    stats = endpoint_stats.get(key, {})
+    return has_success_code(stats.get('status_codes', set()))
+
+# Calculate by-method stats
+method_stats = {}
+gaps = []
+for ep in endpoints:
+    m = ep['method']
+    if m not in method_stats:
+        method_stats[m] = {'tested': 0, 'total': 0}
+    method_stats[m]['total'] += 1
+    if ep_has_2xx(ep):
+        method_stats[m]['tested'] += 1
+    else:
+        gaps.append({
+            'method': ep['method'],
+            'path': ep['path'],
+            'controller': ep['controller']
+        })
+
+coverage_summary = {
+    'coverage_percent': round(success_pct, 1),
+    'tested': success_tested,
+    'total': len(endpoints),
+    'well_tested_percent': round(well_tested_pct, 1),
+    'query_params_percent': round(qp_pct, 1),
+    'gaps': gaps[:20],
+    'by_method': method_stats,
+    'full_report': os.path.basename(HTML_OUTPUT_FILE)
+}
+
+with open(json_output_file, 'w', encoding='utf-8') as f:
+    json.dump(coverage_summary, f, indent=2)
+
+print(f"\nEndpoints in Code: {len(endpoints)}", flush=True)
+print(f"Total Test Cases: {total_tests}", flush=True)
+print(f"Success Path (2xx) Tested: {success_pct:.1f}% ({success_tested}/{len(endpoints)})", flush=True)
+print(f"Well Tested (≥3 tests): {well_tested_pct:.1f}% ({well_tested}/{len(endpoints)})", flush=True)
+print(f"Response Body Validated: {body_pct:.1f}% ({with_body}/{len(endpoints)})", flush=True)
+print(f"Query Params Tested: {qp_pct:.1f}% ({total_tested_params}/{total_defined_params})", flush=True)
+if include_total_count > 0:
+    print(f"Include Params Tested: {include_pct:.1f}% ({total_tested_include_values}/{total_expected_include_values} values across {include_total_count} endpoints)", flush=True)
+if error_only > 0:
+    print(f"⚠️  Error-Only Tests (no 2xx): {error_only} endpoints", flush=True)
+if total_oneof_tests > 0:
+    print(f"⚠️  oneOf Tests (weak assertions): {total_oneof_tests} tests in {oneof_endpoints} endpoints", flush=True)
+
+if total_skipped_tests > 0:
+    print(f"⏭️  Environment-conditional skips: {total_skipped_tests} tests", flush=True)
+    for env, skips in sorted(skips_by_env.items()):
+        print(f"    - {env}: {len(skips)} tests", flush=True)
+    if skips_without_reason > 0:
+        print(f"❌  Undocumented skips: {skips_without_reason} tests (add [SKIP] Reason: ... | Env: ...)", flush=True)
+
+if errors:
+    print(f"\nWarnings ({len(errors)}):", flush=True)
+    for err in errors[:5]:
+        print(f"  - {err}", flush=True)
+    if len(errors) > 5:
+        print(f"  ... and {len(errors) - 5} more", flush=True)