@havoc-security/scanner 0.1.0

package/tests/new-analyzers.test.ts

@@ -0,0 +1,373 @@
+import { describe, it, expect } from 'vitest';
+import { readFile } from 'node:fs/promises';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { InsecureDeserializationAnalyzer } from '../src/analyzers/InsecureDeserializationAnalyzer.js';
+import { OpenRedirectAnalyzer } from '../src/analyzers/OpenRedirectAnalyzer.js';
+import { SecurityHeaderAnalyzer } from '../src/analyzers/SecurityHeaderAnalyzer.js';
+import { DEFAULT_CONFIG } from '../src/index.js';
+import type { ParsedFile } from '../src/types/index.js';
+import { Severity } from '../src/types/index.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const FIXTURES = resolve(__dirname, 'fixtures');
+
+async function fixture(relativePath: string): Promise<ParsedFile> {
+  const absPath = resolve(FIXTURES, relativePath);
+  const content = await readFile(absPath, 'utf-8');
+  return { path: relativePath, content, ast: null };
+}
+
+function makeFile(path: string, content: string): ParsedFile {
+  return { path, content, ast: null };
+}
+
+// ─── InsecureDeserializationAnalyzer ─────────────────────────────────────────
+
+describe('InsecureDeserializationAnalyzer', () => {
+  const analyzer = new InsecureDeserializationAnalyzer();
+
+  it('has correct name', () => {
+    expect(analyzer.name).toBe('InsecureDeserializationAnalyzer');
+  });
+
+  it('has non-empty description', () => {
+    expect(analyzer.description.length).toBeGreaterThan(0);
+  });
+
+  it('returns empty array for empty file list', async () => {
+    const result = await analyzer.analyze([], DEFAULT_CONFIG);
+    expect(result).toHaveLength(0);
+  });
+
+  it('detects CRITICAL unserialize() with $request->input()', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php $data = unserialize($request->input('session'));`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-DESER-001');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.Critical);
+  });
+
+  it('detects CRITICAL unserialize() with $_GET', async () => {
+    const file = makeFile('app/Foo.php', `<?php $obj = unserialize($_GET['data']);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-DESER-001');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.Critical);
+  });
+
+  it('detects MEDIUM unserialize() without allowed_classes', async () => {
+    const file = makeFile('app/Foo.php', `<?php $data = unserialize($cached);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-DESER-004');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.Medium);
+  });
+
+  it('does NOT flag unserialize() with allowed_classes option', async () => {
+    const file = makeFile('app/Foo.php',
+      `<?php $data = unserialize($cached, ['allowed_classes' => false]);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter((f) => f.id.startsWith('HAVOC-DESER'))).toHaveLength(0);
+  });
+
+  it('detects HIGH eval() usage', async () => {
+    const file = makeFile('app/Foo.php', `<?php eval($template);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-DESER-002');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.High);
+  });
+
+  it('detects HIGH create_function() usage', async () => {
+    const file = makeFile('app/Foo.php',
+      `<?php $fn = create_function('$x', 'return $x * 2;');`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-DESER-003');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.High);
+  });
+
+  it('detects HIGH preg_replace() with /e modifier', async () => {
+    const file = makeFile('app/Foo.php',
+      `<?php preg_replace('/pattern/e', 'strtoupper("$1")', $content);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-DESER-005');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.High);
+  });
+
+  it('detects HIGH assert() with string argument', async () => {
+    const file = makeFile('app/Foo.php', `<?php assert('strlen($str) > 0');`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-DESER-006');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.High);
+  });
+
+  it('detects HIGH extract() with user input', async () => {
+    const file = makeFile('app/Foo.php', `<?php extract($request->all());`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-DESER-007');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.High);
+  });
+
+  it('does NOT flag assert() with boolean expression', async () => {
+    const file = makeFile('app/Foo.php', `<?php assert($value > 0);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter((f) => f.id === 'HAVOC-DESER-006')).toHaveLength(0);
+  });
+
+  it('skips blade.php files', async () => {
+    const file = makeFile('resources/views/foo.blade.php',
+      `<?php unserialize($_GET['x']); eval($x); ?>`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('detects all issues in unsafe fixture', async () => {
+    const file = await fixture('deserialization/unsafe.php');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.length).toBeGreaterThanOrEqual(7);
+  });
+
+  it('returns no findings for safe fixture', async () => {
+    const file = await fixture('deserialization/safe.php');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('findings include file path and line number', async () => {
+    const file = makeFile('app/Foo.php', `<?php\neval($x);\n`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings[0].file).toBe('app/Foo.php');
+    expect(findings[0].line).toBe(2);
+  });
+
+  it('findings include CWE identifier', async () => {
+    const file = makeFile('app/Foo.php', `<?php eval($x);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings[0].cwe).toBeDefined();
+    expect(findings[0].cwe).toMatch(/^CWE-/);
+  });
+});
+
+// ─── OpenRedirectAnalyzer ─────────────────────────────────────────────────────
+
+describe('OpenRedirectAnalyzer', () => {
+  const analyzer = new OpenRedirectAnalyzer();
+
+  it('has correct name', () => {
+    expect(analyzer.name).toBe('OpenRedirectAnalyzer');
+  });
+
+  it('has non-empty description', () => {
+    expect(analyzer.description.length).toBeGreaterThan(0);
+  });
+
+  it('returns empty array for empty file list', async () => {
+    const result = await analyzer.analyze([], DEFAULT_CONFIG);
+    expect(result).toHaveLength(0);
+  });
+
+  it('detects HIGH: redirect($request->input())', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php return redirect($request->input('url'));`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-REDIRECT-001');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.High);
+  });
+
+  it('detects HIGH: Redirect::to($request->get())', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php return \\Redirect::to($request->get('redirect'));`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-REDIRECT-001');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.High);
+  });
+
+  it('detects HIGH: redirect($_GET[]) with common param', async () => {
+    const file = makeFile('app/Foo.php', `<?php return redirect($_GET['next']);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-REDIRECT-001');
+    expect(found).toBeDefined();
+  });
+
+  it('detects MEDIUM: redirect($url) — named variable', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php return redirect($url);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-REDIRECT-002');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.Medium);
+  });
+
+  it('detects MEDIUM: Redirect::to($redirect)', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php return \\Redirect::to($redirect);`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-REDIRECT-002');
+    expect(found).toBeDefined();
+  });
+
+  it('does NOT flag redirect()->intended()', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php return redirect()->intended('/dashboard');`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('does NOT flag back()', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php return back();`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('does NOT flag redirect() to string literal', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php return redirect('/home');`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('does NOT flag redirect(route())', async () => {
+    const file = makeFile('app/Http/Controllers/Foo.php',
+      `<?php return redirect(route('dashboard'));`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('skips blade.php files', async () => {
+    const file = makeFile('resources/views/foo.blade.php',
+      `<?php return redirect($request->input('url')); ?>`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('detects issues in unsafe fixture', async () => {
+    const file = await fixture('redirect/unsafe.php');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.length).toBeGreaterThanOrEqual(3);
+  });
+
+  it('returns no findings for safe fixture', async () => {
+    const file = await fixture('redirect/safe.php');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('findings include CWE-601', async () => {
+    const file = makeFile('app/Foo.php',
+      `<?php return redirect($request->input('url'));`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings[0].cwe).toBe('CWE-601');
+  });
+});
+
+// ─── SecurityHeaderAnalyzer ───────────────────────────────────────────────────
+
+describe('SecurityHeaderAnalyzer', () => {
+  const analyzer = new SecurityHeaderAnalyzer();
+
+  it('has correct name', () => {
+    expect(analyzer.name).toBe('SecurityHeaderAnalyzer');
+  });
+
+  it('has non-empty description', () => {
+    expect(analyzer.description.length).toBeGreaterThan(0);
+  });
+
+  it('returns empty array for empty file list', async () => {
+    const result = await analyzer.analyze([], DEFAULT_CONFIG);
+    expect(result).toHaveLength(0);
+  });
+
+  it('detects missing X-Frame-Options', async () => {
+    const file = makeFile('app/Http/Kernel.php', `<?php // no headers`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.title.includes('X-Frame-Options'));
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.Medium);
+  });
+
+  it('detects missing X-Content-Type-Options', async () => {
+    const file = makeFile('app/Http/Kernel.php', `<?php // no headers`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.title.includes('X-Content-Type-Options'));
+    expect(found).toBeDefined();
+  });
+
+  it('detects missing Strict-Transport-Security', async () => {
+    const file = makeFile('app/Http/Kernel.php', `<?php // no headers`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.title.includes('Strict-Transport-Security'));
+    expect(found).toBeDefined();
+  });
+
+  it('detects missing Content-Security-Policy', async () => {
+    const file = makeFile('app/Http/Kernel.php', `<?php // no headers`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.title.includes('Content-Security-Policy'));
+    expect(found).toBeDefined();
+  });
+
+  it('detects missing HTTPS enforcement', async () => {
+    const file = makeFile('app/Providers/AppServiceProvider.php',
+      `<?php class AppServiceProvider extends ServiceProvider { public function boot() {} }`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-HEADER-003');
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.Medium);
+  });
+
+  it('does NOT flag X-Frame-Options when header is set', async () => {
+    const file = makeFile('app/Http/Middleware/Security.php',
+      `<?php $response->headers->set('X-Frame-Options', 'SAMEORIGIN');`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.title.includes('X-Frame-Options'));
+    expect(found).toBeUndefined();
+  });
+
+  it('does NOT flag HTTPS when URL::forceScheme is present', async () => {
+    const file = makeFile('app/Providers/AppServiceProvider.php',
+      `<?php URL::forceScheme('https');`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.id === 'HAVOC-HEADER-003');
+    expect(found).toBeUndefined();
+  });
+
+  it('returns no security header findings when all headers are set', async () => {
+    const middleware = await fixture('security-headers/app/Http/Middleware/SecurityHeaders.php');
+    const provider = await fixture('security-headers/app/Providers/AppServiceProvider.php');
+    const findings = await analyzer.analyze([middleware, provider], DEFAULT_CONFIG);
+    const headerFindings = findings.filter((f) => f.id.startsWith('HAVOC-HEADER'));
+    expect(headerFindings).toHaveLength(0);
+  });
+
+  it('missing Permissions-Policy flagged as INFO', async () => {
+    const file = makeFile('app/Http/Middleware/Security.php', `<?php
+      $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
+      $response->headers->set('X-Content-Type-Options', 'nosniff');
+      $response->headers->set('Strict-Transport-Security', 'max-age=31536000');
+      $response->headers->set('X-XSS-Protection', '1; mode=block');
+      $response->headers->set('Content-Security-Policy', "default-src 'self'");
+      $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
+      URL::forceScheme('https');
+    `);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const found = findings.find((f) => f.title.includes('Permissions-Policy'));
+    expect(found).toBeDefined();
+    expect(found!.severity).toBe(Severity.Info);
+  });
+
+  it('findings include file path', async () => {
+    const file = makeFile('app/Http/Kernel.php', `<?php // bare kernel`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings[0]?.file).toBe('app/Http/Kernel.php');
+  });
+});

package/tests/route-parser.test.ts

@@ -0,0 +1,257 @@
+import { describe, it, expect } from 'vitest';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import {
+  RouteParser,
+  buildRouteMap,
+  getRouteMiddleware,
+  isAuthorizationMiddleware,
+  isAuthenticationMiddleware,
+  isWebhookHandler,
+} from '../src/parsers/RouteParser.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const FIXTURES = resolve(__dirname, 'fixtures');
+
+// ─── Middleware Classification ────────────────────────────────────────────────
+
+describe('isAuthorizationMiddleware', () => {
+  it('detects can: prefix', () => {
+    expect(isAuthorizationMiddleware('can:view-admin')).toBe(true);
+    expect(isAuthorizationMiddleware('can:manage-team')).toBe(true);
+  });
+
+  it('detects permission: prefix (Spatie)', () => {
+    expect(isAuthorizationMiddleware('permission:edit-posts')).toBe(true);
+  });
+
+  it('detects role: prefix (Spatie)', () => {
+    expect(isAuthorizationMiddleware('role:admin')).toBe(true);
+  });
+
+  it('returns false for auth middleware', () => {
+    expect(isAuthorizationMiddleware('auth')).toBe(false);
+    expect(isAuthorizationMiddleware('auth:sanctum')).toBe(false);
+    expect(isAuthorizationMiddleware('verified')).toBe(false);
+  });
+});
+
+describe('isAuthenticationMiddleware', () => {
+  it('detects plain auth', () => {
+    expect(isAuthenticationMiddleware('auth')).toBe(true);
+  });
+
+  it('detects auth:sanctum', () => {
+    expect(isAuthenticationMiddleware('auth:sanctum')).toBe(true);
+  });
+
+  it('detects verified', () => {
+    expect(isAuthenticationMiddleware('verified')).toBe(true);
+  });
+
+  it('returns false for can: middleware', () => {
+    expect(isAuthenticationMiddleware('can:view-admin')).toBe(false);
+  });
+});
+
+// ─── Webhook Detection ────────────────────────────────────────────────────────
+
+describe('isWebhookHandler', () => {
+  it('detects X-Signature header check', () => {
+    const body = `$sig = $request->header('X-Stripe-Signature'); hash_equals($sig, $expected);`;
+    expect(isWebhookHandler(body)).toBe(true);
+  });
+
+  it('detects hash_hmac', () => {
+    expect(isWebhookHandler('$computed = hash_hmac("sha256", $payload, $secret);')).toBe(true);
+  });
+
+  it('detects hash_equals', () => {
+    expect(isWebhookHandler('return hash_equals($sig, $expected);')).toBe(true);
+  });
+
+  it('classifies Stripe and X-Hub signatures correctly', () => {
+    expect(isWebhookHandler('use Stripe\\Webhook; $event = Webhook::constructEvent($payload, $sig, $secret);')).toBe(false);
+    expect(isWebhookHandler('$sig = $request->header(\'X-Hub-Signature\');')).toBe(true);
+  });
+
+  it('returns false for plain controller body', () => {
+    expect(isWebhookHandler('return Post::all();')).toBe(false);
+  });
+});
+
+// ─── RouteParser: Simple Routes ──────────────────────────────────────────────
+
+describe('RouteParser — simple routes', () => {
+  const parser = new RouteParser();
+
+  it('parses a GET route with array controller syntax', () => {
+    const content = `Route::get('/dashboard', [DashboardController::class, 'index']);`;
+    const result = parser.parseContent(content, 'routes/web.php');
+    expect(result.routes).toHaveLength(1);
+    expect(result.routes[0].controller).toBe('DashboardController');
+    expect(result.routes[0].action).toBe('index');
+    expect(result.routes[0].method).toBe('GET');
+    expect(result.routes[0].middleware).toHaveLength(0);
+  });
+
+  it('parses a POST route with @syntax', () => {
+    const content = `Route::post('/login', 'AuthController@login');`;
+    const result = parser.parseContent(content);
+    expect(result.routes).toHaveLength(1);
+    expect(result.routes[0].controller).toBe('AuthController');
+    expect(result.routes[0].action).toBe('login');
+  });
+
+  it('parses inline middleware on a single route', () => {
+    const content = `Route::get('/profile', [ProfileController::class, 'show'])->middleware('auth');`;
+    const result = parser.parseContent(content);
+    expect(result.routes[0].middleware).toContain('auth');
+  });
+
+  it('parses inline middleware array on a single route', () => {
+    const content = `Route::delete('/post/{id}', [PostController::class, 'destroy'])->middleware(['auth', 'can:delete-post']);`;
+    const result = parser.parseContent(content);
+    expect(result.routes[0].middleware).toContain('auth');
+    expect(result.routes[0].middleware).toContain('can:delete-post');
+  });
+});
+
+// ─── RouteParser: Resource Routes ────────────────────────────────────────────
+
+describe('RouteParser — resource routes', () => {
+  const parser = new RouteParser();
+
+  it('expands resource route into 7 actions', () => {
+    const content = `Route::resource('posts', PostController::class);`;
+    const result = parser.parseContent(content);
+    expect(result.routes).toHaveLength(7);
+    const actions = result.routes.map((r) => r.action);
+    expect(actions).toContain('index');
+    expect(actions).toContain('store');
+    expect(actions).toContain('destroy');
+  });
+
+  it('propagates middleware to all resource actions', () => {
+    const content = `Route::resource('posts', PostController::class)->middleware('can:manage-posts');`;
+    const result = parser.parseContent(content);
+    expect(result.routes.every((r) => r.middleware.includes('can:manage-posts'))).toBe(true);
+  });
+
+  it('expands apiResource into 5 actions', () => {
+    const content = `Route::apiResource('articles', ArticleController::class);`;
+    const result = parser.parseContent(content);
+    expect(result.routes).toHaveLength(5);
+  });
+});
+
+// ─── RouteParser: Grouped Routes ─────────────────────────────────────────────
+
+describe('RouteParser — grouped routes', () => {
+  const parser = new RouteParser();
+
+  it('inherits group middleware into child routes', () => {
+    const content = `
+      Route::middleware(['auth'])->group(function () {
+        Route::get('/dashboard', [DashboardController::class, 'index']);
+        Route::get('/profile', [ProfileController::class, 'show']);
+      });
+    `;
+    const result = parser.parseContent(content);
+    expect(result.routes).toHaveLength(2);
+    expect(result.routes.every((r) => r.middleware.includes('auth'))).toBe(true);
+  });
+
+  it('handles nested middleware groups', () => {
+    const content = `
+      Route::middleware(['auth'])->group(function () {
+        Route::middleware(['can:admin'])->group(function () {
+          Route::get('/admin', [AdminController::class, 'dashboard']);
+        });
+      });
+    `;
+    const result = parser.parseContent(content);
+    expect(result.routes).toHaveLength(1);
+    expect(result.routes[0].middleware).toContain('auth');
+    expect(result.routes[0].middleware).toContain('can:admin');
+  });
+
+  it('does not apply group middleware to routes outside the group', () => {
+    const content = `
+      Route::middleware(['auth'])->group(function () {
+        Route::get('/protected', [ProtectedController::class, 'index']);
+      });
+      Route::get('/', [HomeController::class, 'index']);
+    `;
+    const result = parser.parseContent(content);
+    const home = result.routes.find((r) => r.controller === 'HomeController');
+    expect(home?.middleware).toHaveLength(0);
+    const protected_ = result.routes.find((r) => r.controller === 'ProtectedController');
+    expect(protected_?.middleware).toContain('auth');
+  });
+});
+
+// ─── RouteParser: fixture file ────────────────────────────────────────────────
+
+describe('RouteParser — fixture web.php', () => {
+  const parser = new RouteParser();
+
+  it('parses the fixture web.php without error', async () => {
+    const result = await parser.parseFile(resolve(FIXTURES, 'routes/web.php'), FIXTURES);
+    expect(result.routes.length).toBeGreaterThan(0);
+  });
+
+  it('extracts PostController routes from fixture', async () => {
+    const result = await parser.parseFile(resolve(FIXTURES, 'routes/web.php'), FIXTURES);
+    const postRoutes = result.routes.filter((r) => r.controller === 'PostController');
+    expect(postRoutes.length).toBeGreaterThan(0);
+  });
+
+  it('fixture group routes have auth middleware', async () => {
+    const result = await parser.parseFile(resolve(FIXTURES, 'routes/web.php'), FIXTURES);
+    const postRoutes = result.routes.filter((r) => r.controller === 'PostController' && r.action !== 'showUserPost');
+    // Routes inside the auth group should have auth middleware
+    const groupRoutes = postRoutes.filter((r) => r.middleware.includes('auth'));
+    expect(groupRoutes.length).toBeGreaterThan(0);
+  });
+});
+
+// ─── buildRouteMap / getRouteMiddleware ───────────────────────────────────────
+
+describe('buildRouteMap and getRouteMiddleware', () => {
+  const parser = new RouteParser();
+
+  it('builds a map from parsed route files', () => {
+    const content = `Route::get('/admin', [AdminController::class, 'dashboard'])->middleware(['auth', 'can:admin']);`;
+    const parsed = parser.parseContent(content);
+    const map = buildRouteMap([parsed]);
+    expect(map.has('AdminController::dashboard')).toBe(true);
+  });
+
+  it('getRouteMiddleware returns middleware for known action', () => {
+    const content = `Route::get('/admin', [AdminController::class, 'dashboard'])->middleware(['auth', 'can:admin']);`;
+    const parsed = parser.parseContent(content);
+    const map = buildRouteMap([parsed]);
+    const mw = getRouteMiddleware(map, 'AdminController', 'dashboard');
+    expect(mw).toContain('auth');
+    expect(mw).toContain('can:admin');
+  });
+
+  it('getRouteMiddleware returns empty array for unknown action', () => {
+    const parsed = parser.parseContent('');
+    const map = buildRouteMap([parsed]);
+    const mw = getRouteMiddleware(map, 'UnknownController', 'index');
+    expect(mw).toHaveLength(0);
+  });
+
+  it('deduplicates middleware from multiple routes to the same action', () => {
+    const content = `
+      Route::get('/posts', [PostController::class, 'index'])->middleware('auth');
+      Route::get('/posts/all', [PostController::class, 'index'])->middleware('auth');
+    `;
+    const parsed = parser.parseContent(content);
+    const map = buildRouteMap([parsed]);
+    const mw = getRouteMiddleware(map, 'PostController', 'index');
+    expect(mw.filter((m) => m === 'auth').length).toBe(1);
+  });
+});