@kirrosh/zond 0.22.0 → 0.23.0

package/src/cli/commands/init/templates/skills/zond.md

@@ -1,184 +1,651 @@
 ---
 name: zond
 description: |
-  End-to-end API testing with zond — generate tests from an OpenAPI spec, run them,
-  diagnose failures, and hunt for typical backend bugs via probe suites. Use when
-  asked to: test an API, cover endpoints, raise coverage, find bugs, diagnose
-  failed runs, fix failing tests, debug 4xx/5xx, run probes, sync tests after a
-  spec change, set up API test infrastructure. Activates on: openapi.json,
-  openapi.yaml, swagger.json, .api-catalog.yaml, "test this API", "cover this
-  spec", "tests are failing", "diagnose run", "find bugs", "probe", "5xx",
-  "negative input".
-allowed-tools: [Read, Write, Bash(zond *), Bash(bunx zond *)]
+  Primary skill for any zond work. Loads on workspace touch
+  (`apis/<name>/`, `.env.yaml`, `.api-fixtures.yaml`) AND on intent —
+  full API audit, "find bugs", "raise coverage", "test the whole API",
+  contract-drift check, schema-drift detection, post-deploy regression,
+  case study, single-flow scenario authoring, fixture pack. Hand off to
+  `zond-checks` for depth-check reference / SARIF / stateful invariants,
+  to `zond-triage` for "what broke in the last run".
+allowed-tools: [Read, Write, Edit, Bash(zond *), Bash(bunx zond *), Bash(sqlite3 *)]
 ---
 
-# zond — API Coverage, Diagnosis & Bug Hunting
+# zond — Primary skill
+
+CLI-only. Run `zond --version` first; if missing:
+`curl -fsSL https://raw.githubusercontent.com/kirrosh/zond/master/install.sh | sh`.
+
+For depth-check reference (the catalog of conformance / security /
+stateful checks, SARIF output, m-20 invariants) — see `zond-checks`.
+For triage of a failing run — see `zond-triage`.
+
+## Iron rules (read once, apply always)
+
+- **NEVER read raw OpenAPI** with Read/cat/grep. The workspace has
+  pre-built artifacts (catalog/resources/fixtures) — use those. Drop
+  into `apis/<name>/spec.json` only when probe-class authoring needs
+  full schemas.
+- **NEVER `curl` or `wget`** — use `zond request <method> <url> --api <name>`
+  for ad-hoc HTTP so it lands in the run DB and respects auth. Never
+  shell-substitute the token by hand (`$(yq …)` is blocked by the sandbox).
+- **NEVER hardcode tokens** — put them in `apis/<name>/.secrets.yaml`
+  (auto-gitignored), reference from `.env.yaml` as `@secret:auth_token`.
+  Plain `${SHELL_VAR}` references also work. Tests read the resolved
+  value as `{{auth_token}}`.
+- **NEVER read `.secrets.yaml` directly.** Use `zond doctor --api <name> --json`
+  — reports `set | unset` and value length only.
+- **NEVER edit `.api-*.yaml`** (catalog / resources / fixtures) by hand —
+  regenerated by `zond refresh-api`. `.api-resources.local.yaml` IS the
+  hand-editable / annotate-target overlay; safe to edit. `.env.yaml`
+  values are editable (see ARV-114).
+- **NEVER invent endpoints.** Only use entries from `.api-catalog.yaml`.
+- **NEVER run destructive ops on a shared / production org without
+  `--dry-run` first.** Probes, `prepare-fixtures --apply`, `cleanup` hit
+  live APIs and can delete user data. `--dry-run` once → inspect → drop
+  the flag.
+- **NEVER share triage artefacts** outbound without `--redact-identity`.
+  Secret-redaction is on by default; identity values (org/member slugs,
+  real ids) need the extra flag.
+- **NEVER report cleanup failure as an API bug.** POST 200 → DELETE 5xx
+  is *probably* a fixture-isolation issue (orphan accumulation, race).
+  Re-run with `--no-cleanup` or isolated namespace before filing.
+- **`recommended_action: report_backend_bug` / 5xx → STOP** in interactive
+  mode (surface the request/response, get a decision; never `expect:`-mask).
+  In autonomous / loop / audit-sweep mode (no user-in-the-loop), log to
+  `api-bugs-<NN>.md`, continue the sweep — bailing on bug #1 forfeits #2..N.
+- **CRUD-run ≥80% 401/403 / `permission_denied` → `env_issue`, not bug.**
+  Token scope issue. Confirm via `zond db diagnose <run-id> --env-only`;
+  do not generate case-studies, do not `expect:`-mask.
+- **MUST run `zond doctor --api <name> --missing-only` before generating
+  fixtures or touching `.env.yaml`** — identifies unfilled keys early.
+- **Cascade cap is 8 passes** (`zond prepare-fixtures --cascade [--seed]`)
+  — never override without a written reason.
+
+## Workspace artifact model
+
+After `zond add api <name> --spec <path|url>`, `apis/<name>/` contains:
 
-CLI-only skill. zond is invoked directly via shell. Run `zond --version` first;
-if missing, install via `curl -fsSL https://raw.githubusercontent.com/kirrosh/zond/master/install.sh | sh`.
+```
+spec.json                    ← dereferenced OpenAPI (machine source)
+.api-catalog.yaml            ← endpoint index (method, path, params)
+.api-resources.yaml          ← CRUD chains + FK deps (auto)
+.api-resources.local.yaml    ← overlay: extensions + annotate output (hand-edit OK; appears after first `zond api annotate apply` — or create by hand to use as overlay)
+.api-fixtures.yaml           ← MANIFEST: required vars + descriptions (read-only)
+.env.yaml                    ← VALUES: variable values (user / prepare-fixtures writes)
+.secrets.yaml                ← raw secret values (auto-gitignored)
+.identity.yaml               ← non-secret identifying values (gitignored)
+tests/                       ← generated/handwritten suites
+scenarios/                   ← handwritten flow suites
+probes/                      ← probe-emitted suites
+```
+
+### Manifest vs values (the #1 source of confusion)
+
+**`.api-fixtures.yaml` = the list of vars this API needs (manifest).
+`.env.yaml` = their values.**
+
+| Op | Touches manifest? | Touches env? |
+|---|---|---|
+| `zond add api` / `refresh-api` | rebuilds | seeds skeleton |
+| `zond generate` | extends (adds new `{{vars}}` discovered) | does **not** modify |
+| `zond prepare-fixtures` | reads | writes values |
+| `zond fixtures add` / `import` | reads | writes values (manual) |
+| user editing | never | always |
+
+- `{{var}}` in a generated test but NOT in `.api-fixtures.yaml` is a
+  bug in the manifest builder / generator. Don't "fix" it by adding to
+  `.env.yaml`.
+- A key in `.env.yaml` but NOT in `.api-fixtures.yaml` is shadow —
+  `prepare-fixtures` warns `not in manifest, ignored`.
+- "Generate should sync `.env.yaml`" is a rejected design (decision-7,
+  m-17).
+
+### Manual fixture-bootstrap (when `prepare-fixtures --seed` can't help)
+
+`prepare-fixtures --seed` requires a discoverable list endpoint or a
+postable create. Path-id ids that live only in a vendor dashboard
+(Stripe `cus_*`, GitHub PR numbers, Sentry issue ids) need a manual
+hand-off:
+
+| Input you have | Command |
+|---|---|
+| Concrete id values | `zond fixtures add <var>=<id> [--validate] --apply` |
+| Curl from devtools / dashboard | `pbpaste \| zond fixtures import --from-curl --apply` (URL is matched against spec paths to extract `{var}` bindings) |
+
+`--validate` GETs the spec's read-by-id endpoint and classifies the
+fixture as `live` / `stale` / `unknown` so dead ids don't silently
+break later runs (ARV-32). Both commands write to `apis/<name>/.env.yaml`
+with a `.env.yaml.bak` backup, mirroring `prepare-fixtures --apply`.
+
+### When to read which file
+
+| To know… | Read |
+|---|---|
+| What endpoints exist | `.api-catalog.yaml` |
+| How resources chain (CRUD, FK, ETag) | `.api-resources.yaml` |
+| What vars are needed and why | `.api-fixtures.yaml` |
+| What var values are set | `.env.yaml` |
+| Annotation overlay (seed_body, lifecycle, pagination, readback_diff) | `.api-resources.local.yaml` |
+| Full request/response schema (only when needed) | `spec.json` |
+
+## --json envelope (uniform across commands)
+
+```jsonc
+{
+  "ok": true|false,
+  "command": "<name>",
+  "data": { /* command-specific */ },
+  "warnings": ["..."],
+  "errors": [{ "code": "ZondErrorCode", "message": "...", "details": {} }],
+  "exit_code": 0|1|2
+}
+```
+
+Route on `errors[].code`, not message. Stdout discipline: `--json`
+emits only the envelope on stdout; progress/hints to stderr.
+
+`--json` ≠ `--report json`. `--json` wraps the **command result**;
+`--report json` wraps the **test-run artefact**. `zond run` doesn't
+accept `--json` — use `--report json`.
+
+## Entry points — pick by intent
+
+| User asked… | Start at |
+|---|---|
+| "audit this API", "test the whole API", "raise coverage" | Phase 0 → `zond audit --api <name>` (one-shot) OR walk Phase 0–8 |
+| "find bugs", "test for 5xx", "probe sweep" | Phase 0 → Phase 7 (Probes) |
+| "security only / SSRF / CRLF" | Phase 7.2 directly with `--dry-run` first |
+| "deep depth-checks", "SARIF", "stateful invariants" | Hand off → `zond-checks` |
+| "what broke in last run", "diagnose run X" | Hand off → `zond-triage` |
+| "write a test for X flow", "smoke this checkout" | Phase S (Scenarios) |
+| "what vars does this API need" | `zond doctor --api <name> --json` |
+| "share results", "case study" | Phase 9 (Share) |
+| "workspace looks messy" | `zond clean --api <name>` (dry-run → `--force`) |
+
+## Phase 0 — Orient
+
+```bash
+zond doctor --api <name> --json                 # gaps + freshness
+```
+
+Then read the three artifacts (NOT the raw spec):
+
+```bash
+cat apis/<name>/.api-catalog.yaml | head -80
+cat apis/<name>/.api-resources.yaml
+cat apis/<name>/.api-fixtures.yaml
+```
+
+If doctor reports stale → `zond refresh-api <name>`.
+
+## Phase 1 — Fixture pack
+
+`zond prepare-fixtures` walks `.api-resources.yaml`, hits each owner
+list endpoint, fills `.env.yaml`. Always `--apply`; add `--cascade --seed`
+for empty workspaces.
+
+```bash
+zond prepare-fixtures --api <name>                          # dry-run preview
+zond prepare-fixtures --api <name> --apply                  # single-pass
+zond prepare-fixtures --api <name> --apply --cascade --seed # cascade + POST-create when list is empty
+zond prepare-fixtures --api <name> --refresh                # = --verify --apply: drop stale ids, re-resolve
+```
+
+`--seed` POSTs to create endpoints when a list returns `[]`, using a
+schema-derived body. Bracket-notation nested params (Stripe's
+`card[number]`, `items[0][price]`) are a known weak spot (ARV-196) —
+some APIs will 400 here; **don't ask the user to fill missing ids
+manually first**, jump to Phase 2 (annotate seed_body) instead.
 
-For multi-step user journeys / fixture creation through the API, hand off to
-`zond-scenarios` instead — that is a different concern.
+If `--seed` converges but vars stay UNSET, the reason is outside the
+API path (email verify / paid plan / SCIM / TOS limits). Document the
+gap; don't loop further.
 
-## Critical rules (always-on)
+Editing `.env.yaml` by hand is the sanctioned fallback when the CLI
+cannot harvest a value (write-only ingest endpoints, SDK-only ids,
+slugs that live in user's project config). Touch values only — never
+add keys not in `.api-fixtures.yaml`.
 
-- **NEVER** open OpenAPI/Swagger files with Read/cat/grep — use `zond describe`,
-  `zond catalog`, or the generated `.api-catalog.yaml`.
-- **NEVER** use curl/wget — use `zond request <method> <url>`.
-- **NEVER** write test YAML from scratch — start with `zond generate`, then edit failures.
-- **NEVER** hardcode tokens — `apis/<name>/.env.yaml` (auto-gitignored), reference as `{{auth_token}}`.
-- **`--safe` enforces GET-only** — required for first-pass smoke against unknown envs.
-- **`recommended_action: report_backend_bug` (5xx) → STOP**. Do NOT modify
-  `expect: status` to make the test pass. Surface the bug to the user with the
-  request/response excerpt.
-- **5xx in any run is a bug candidate** — never edit assertions to mask it.
-- For multi-suite tag filters always include the setup tag: `--tag crud,setup`.
-- Captures are file-scoped — pass auth across suites via a `setup: true` suite.
-- Re-run after each fix with `--safe --json`; do not batch many edits without verifying.
+## Phase 2 — Annotate (NEW, m-20 / ARV-187)
 
-## Entry points (skip phases when the request is narrow)
+**Critical**: zond itself does NOT call any LLM. The flow is
+**dump → agent fills YAML → apply**. The agent (you) generates the
+overlay; zond validates and writes it into `.api-resources.local.yaml`.
 
-| User asked... | Start at phase | Skip |
+`zond api annotate` has 6 dump-subcommands (one per aspect). Pick what
+your downstream check needs:
+
+| Aspect | Dump produces | Feeds into |
 |---|---|---|
-| "cover this API", "raise coverage", "test this spec" | 1 (Discover) | — |
-| "find bugs", "probe this API", "test for 5xx" | 1 then 5 (Probes) | — |
-| "tests are failing", "diagnose run X", "fix failures" | 4 (Diagnose) | 1–3 |
-| "the run after my fix" | 3.x (Run) → 4 (Diagnose) | 1–2 |
+| `--seed-bodies` | request-body schema per resource | `prepare-fixtures --seed`, all stateful checks |
+| `--readback` | create+read pair (write-shape vs read-shape) | `cross_call_references` ignore_fields, write_to_read_map |
+| `--idempotency` | header candidates | `idempotency_replay` (header, scope, body_hash_fields) |
+| `--pagination` | list-endpoint cursor/page detection | `pagination_invariants` (type, cursor_param) |
+| `--lifecycle` | action-endpoint candidates per resource | `lifecycle_transitions` (states, transitions) |
+| `--resources` | orphan endpoints not in resource graph | `.api-resources.local.yaml` extensions |
+
+**Workflow** (for ANY aspect):
+
+```bash
+# 1. Dump — emits JSON slices on stdout. Restrict scope with --only.
+zond api annotate dump --api <name> --seed-bodies --only r1,r2 > /tmp/dump.json
+
+# 2. Agent reads the dump and writes a YAML response file (see format below).
+
+# 3. Apply — dry-run first (diff), then --yes to write.
+zond api annotate apply --api <name> --seed-bodies --input /tmp/out.yaml          # dry-run + diff
+zond api annotate apply --api <name> --seed-bodies --input /tmp/out.yaml --yes    # write
+```
+
+YAML response format — a top-level list of entries, each one resource:
+
+```yaml
+- resource: <name>
+  seed_body:                              # (--seed-bodies)
+    content_type: application/x-www-form-urlencoded
+    body:
+      amount: 1000
+      currency: usd
+  rationale: 'why this shape'             # optional, helps future review
+  confidence: high                        # high|medium|low — optional
+```
+
+Same shape for `readback_diff`, `idempotency`, `pagination`,
+`lifecycle` blocks (see `zond-checks` for the per-aspect schemas).
+
+**When to annotate**: run dump+apply BEFORE Phase 6 (stateful checks)
+for any production API. Without annotation, stateful checks fall back
+to defaults and miss API-specific quirks (custom pagination params,
+non-standard lifecycle field names, write-only fields in create body).
+
+**For Stripe-style form-encoded APIs**: `--seed-bodies` is the single
+biggest win — it fixes `--seed` 400s for the bulk of resources.
+
+## Phase 3 — Generate tests
+
+```bash
+zond generate apis/<name>/spec.json --output apis/<name>/tests [--tag <spec-tag>] [--uncovered-only]
+zond check tests apis/<name>/tests
+```
+
+`generate` fills bodies with `{{$randomString}}`. Format-strict APIs
+reject many — that's a **test-fix**, not a backend bug. Pair with
+Phase 1 fixtures + Phase 2 annotation.
+
+If a CRUD chain you expected is missing, run
+`zond generate <spec> --explain` — diagnostic table shows every POST
+endpoint with verdict (no GET-by-id, non-`{id}` item param,
+trailing-slash mismatch, …).
+
+## Phase 4 — Spec-lint (hygiene, separate workflow)
+
+```bash
+zond lint --api <name>                           # 0 network requests
+zond lint --api <name> --json | jq '.data.stats'
+# Equivalent: `zond check spec --api <name>`
+```
+
+ARV-255 (m-21 pivot): **spec-lint is hygiene, not security or
+contract.** It runs separately from `zond audit` / `zond probe` /
+`zond checks run` — those produce the security/reliability/contract
+report, lint stays out of that pile.
+
+Severity capped at **LOW / INFO** by design:
+- LOW: real spec violations (format mismatch in example, missing
+  path-param format, response without schema).
+- INFO: style and documentation gaps (additionalProperties missing,
+  naming, missing examples).
+
+No HIGH/MEDIUM ever — static analysis has no runtime evidence, so the
+severity matrix forbids escalation. `--strict` opts back into a
+non-zero exit when any LOW lands.
+
+## Phase 5 — Run (sanity → smoke → CRUD)
 
-## Phase 1 — Discover
+Wrap multi-run sweeps in a session so `/runs` shows one row:
 
 ```bash
-# Workspace + register API (idempotent)
-zond init --with-spec <spec> --name <name> [--base-url <url>]
-zond use <name>
+zond session start --label "smoke + probes"
+zond run apis/<name>/tests --tag sanity --report json                              # 5.1 sanity
+zond run apis/<name>/tests --safe --report json                                    # 5.2 smoke (GET-only)
+zond run apis/<name>/tests --tag crud,setup --validate-schema --report json        # 5.3 full CRUD
+zond run apis/<name>/tests --tag positive --include 'path:^/emails'                # 5.4 narrow
+zond session end
+```
+
+**Always pass `--validate-schema` for CRUD** — contract drift is
+invisible without it. `schema_violation` failures are real backend bugs;
+treat them like 5xx.
+
+Rate limit: `zond run` defaults to an adaptive limiter (no-op until
+`RateLimit-*` headers appear). Pass `--rate-limit <N>` for a hard cap;
+`--sequential` for old binaries.
+
+**Long runs**: `zond run` shows a periodic progress line on stderr when
+stdout/stderr is a TTY (`zond: [42s] 234/10927 steps (2%), 230 req, ~30
+req/s, ETA ~5m`) — overwrites itself in place. Suppressed by `--quiet`
+and on non-interactive output. For huge probe-suites (e.g. GitHub spec
+→ ~10k probes under `--rate-limit 30` = 6+ min), this signals "alive,
+not hung". `zond probe static` itself prints a scale-warning block with
+ETA-at-rate-limit estimates and a `--max-per-endpoint K` sampling hint
+when `totalProbes ≥ 2000`.
+
+**Hard cap on requests**: pass `--max-requests N` to cap outgoing HTTP
+calls across the whole run. Remaining steps short-circuit to `skip` with
+`error: "max-requests-cap-reached"`. Each `retry_until` attempt counts as
+one request. Useful for sampling huge probe runs (`--max-requests 500`)
+and for CI time-boxing.
+
+`--all`: fold every `apis/<name>/tests/` dir into one `runs.id` per
+invocation (CI shape). CI context (commit_sha, branch, trigger=ci)
+auto-stamped from env vars.
+
+### Spec-drift learning tail (`--learn`)
 
-# Endpoint discovery (do NOT read the raw spec)
-zond catalog <spec> --output apis/<name>/tests   # writes .api-catalog.yaml
-zond describe <spec> --compact                   # quick overview
-zond guide <spec> --tests-dir apis/<name>/tests  # uncovered + suggestions
+After the initial CRUD run, **always** close with `--learn` /
+`--learn-apply`. R09 measured a 28% → 58% pass-coverage jump from this
+phase alone.
+
+```bash
+zond run apis/<name>/tests --learn                            # detect (read-only)
+zond run apis/<name>/tests --learn-apply --learn-target test  # rewrite expect.status
+zond run apis/<name>/tests --learn-apply --learn-target drifts # allowlist in tolerated-drifts.yaml
 ```
 
-## Phase 2 — Generate
+**Caveat — `--learn-apply test` weakens assertions, not the code.**
+Diff `apis/<name>/tests/*.yaml` + `tolerated-drifts.yaml` after every
+apply; treat unexpected widenings as a review-blocker.
+
+## Phase 6 — Stateful checks (m-20)
+
+After Phase 2 annotation is applied, run the cross-call invariants.
+See `zond-checks` for per-check semantics.
 
 ```bash
-zond generate <spec> --output apis/<name>/tests              # all
-zond generate <spec> --output apis/<name>/tests --tag <tag>  # by spec tag
-zond generate <spec> --output apis/<name>/tests --uncovered-only
-zond validate apis/<name>/tests                              # YAML lint
+zond checks run --api <name> --check stateful --report ndjson
 ```
 
-`generate` fills bodies with `{{$randomString}}`. Format-strict APIs will reject
-many of these — that is a **test-fix**, not a backend bug. See phase 4 for the fix flow.
+5 m-20 stateful checks:
+- `cross_call_references` — POST→GET drift (uses readback_diff overlay)
+- `idempotency_replay` — bit-identical replay on `Idempotency-Key`
+- `pagination_invariants` — `?limit=N` + `?after=last_id` non-overlap
+- `lifecycle_transitions` — declared state-machine validity
+- `webhooks` (recipe-based, see `docs/recipes/webhook-receiver.md`)
+
+**Iron rule**: don't run `--check stateful` without prior `api annotate`
+review. Defaults catch the obvious; quirks need declared config.
 
-## Phase 3 — Run (sanity → smoke → full)
+## Phase 7 — Proactive bug hunting (probes)
 
 ```bash
-# 3.1 Sanity gate — must pass before broad runs
-zond run apis/<name>/tests --tag sanity --json
+zond probe static --api <name>                # validation + methods (defaults)
+zond probe mass-assignment --api <name> --emit-tests apis/<name>/probes/mass-assignment
+zond probe security ssrf,crlf,open-redirect,prompt-injection --api <name> \
+  --emit-tests apis/<name>/probes/security
+zond run apis/<name>/probes --report json
+```
 
-# 3.2 Smoke (GET-only)
-zond run apis/<name>/tests --safe --json
+Flag: 5xx on null/empty/wrong-type body → missing validation. 2xx on
+undeclared method → contract drift. `is_admin: true` echoed in response
+→ HIGH from mass-assignment.
 
-# 3.3 Full CRUD — only after setup-token capture works
-zond run apis/<name>/tests --tag crud,setup --json
+**Body-FK auto-discovery** — `mass-assignment` resolves required
+`*_id`/`*_slug`/`*_uuid`/`*_key` fields by hitting sibling list endpoints.
+If digest still says "unresolved body FKs:" — add to `.env.yaml` manually.
+
+**Auto-path-FK** — same logic for path params (`{domain_id}`/`{webhook_id}`).
+Cached per run. Pass `--no-discover` to opt out.
+
+### 7.1 — Manual mass-assignment catch-up
+
+`mass-assignment` digest splits findings: HIGH / MED / LOW /
+INCONCLUSIVE (no valid body — fixture problem) / INCONCLUSIVE-5XX
+(baseline crashed — already in validation-probe). Sweep INCONCLUSIVE
+with `--emit-template`:
+
+```bash
+zond probe mass-assignment --api <name> --emit-template "POST:/<resource>" \
+  --output apis/<name>/probes/mass-assignment/<resource>.yaml
 ```
 
-## Phase 4 — Diagnose failures
+Emits `create → verify → cleanup` chain pre-filled with classic vectors
+(`is_admin`, `role`, `owner_id`). If a privileged field survives the
+round-trip GET → **HIGH**, file via `report bundle --include case-study`.
+
+### 7.2 — Security probes
 
 ```bash
-zond db runs --limit 5 --json                # find failed runId
-zond db diagnose <run-id> --json             # full DiagnoseResult (grouped by root_cause)
-zond db run <id> --status 500 --json         # filter results within a run
-zond db run <id> --method POST --json
-zond db compare <idA> <idB> --json           # regression diff between runs
+zond probe security ssrf,crlf --api <name> --dry-run         # first run: which (endpoint, field)
+zond probe security ssrf,crlf,open-redirect,prompt-injection --api <name>
 ```
 
-DiagnoseResult guide:
-- `agent_directive` — literal next step. Do exactly that.
-- `recommended_action`:
-  - `fix_test_logic` → edit the YAML (assertion, generator, capture).
-  - `report_backend_bug` → STOP, report to user.
-  - `update_expectation` → only if the user confirms the new contract is correct.
-- `root_cause` groups identical failures so one fix covers many cases.
+Field autodetection: SSRF (`*_url`/`webhook`/`callback`/`format: uri`),
+CRLF (`subject`/`*_prefix`/`name`), open-redirect (`redirect`/`next`).
+
+Baseline-OK request first; if baseline ≠ 2xx → `INCONCLUSIVE-BASELINE`,
+attacks skipped (kills 5×404 noise on scope-locked endpoints).
+
+Verdict: HIGH (5xx OR payload echoed in 2xx — stored injection),
+LOW (2xx, no echo — verify side-effects manually), OK (4xx).
+
+**Cleanup is state-aware**: PUT/PATCH does `GET` → snapshot → attack →
+restore. POST falls back to `DELETE` with eventual-consistency retry.
+Restore failures → `## ⚠️ Cleanup failures` at top of digest.
+
+CI exit: non-zero on HIGH > 0 OR `cleanup.error > 0`.
+
+### 7.3 — Post-probe hygiene
+
+```bash
+zond prepare-fixtures --api <name> --refresh    # drop stale FK ids
+zond cleanup --orphans                           # retry DELETE for ~/.zond/orphans/
+```
 
-### 4a. Fixing 4xx caused by stub generators
+Skip only with `probe security --isolated` (isolated mode never attacks
+seeded-fixture endpoints).
 
-When `recommended_action: fix_test_logic` and the body is rejected on format
-(400/422 with a field name and an "expected ..." message):
+## Phase 8 — Coverage + spec drift
 
-1. Read the failure body: `zond db run <id> --status 422 --json`.
-2. **First pass** — swap `{{$randomString}}` for the matching typed generator:
+```bash
+zond coverage --api <name> --union session                  # default for an audit window
+zond coverage --api <name> --union since:1h                 # last hour
+zond coverage --api <name> --union tag:smoke                # tag-filtered
+zond coverage --api <name> --fail-on-coverage 50            # CI gate (use hit-coverage)
+```
 
-   | API expects   | Use                  |
-   |---------------|----------------------|
-   | email         | `{{$randomEmail}}`   |
-   | hostname/FQDN | `{{$randomFqdn}}`    |
-   | URL           | `{{$randomUrl}}`     |
-   | IPv4          | `{{$randomIpv4}}`    |
-   | UUID          | `{{$uuid}}`          |
-   | integer       | `{{$randomInt}}`     |
-   | ISO date      | `{{$randomIsoDate}}` |
-   | date          | `{{$randomDate}}`    |
-   | person name   | `{{$randomName}}`    |
+**Two metrics**: `pass-coverage` (covered2xx — strict, CI gate) vs
+`hit-coverage` (any stored result, breadth proxy). Three-bucket JSON:
+`covered2xx`, `coveredButNon2xx` (hit but failed — usually fixture gap,
+not API bug), `unhit`.
 
-3. **Second pass** — if a typed generator still fails (regex too strict, enum,
-   business constraint), drop to a hardcoded literal that satisfies the contract
-   (e.g. `"https://example.com"`, `"info@example.com"`, `"2026-01-01T00:00:00Z"`).
-4. **Dependent IDs** (`audience_id`, `topic_id`, anything that must reference an
-   existing resource) — generators cannot help. Either capture the ID from a
-   prior `create_*` step in the same suite, or move that creation into a
-   `setup: true` suite and reference the captured variable.
+**Quality signals to gate CI on** (not raw pass-coverage):
 
-## Phase 5 — Proactive bug hunting (probes)
+| Signal | Command |
+|---|---|
+| Contract drift | `checks run --phase coverage` HIGH count == 0 |
+| Stateful invariants | `checks run --check stateful` HIGH count == 0 |
+| Auth / Authz / injection | `probe security` HIGH count == 0 |
+| Mass-assignment | `probe mass-assignment` HIGH count == 0 |
+| Response conformance | `run --validate-schema` `schema_violation` == 0 |
+| Drift allowlist review | `git diff apis/<name>/tolerated-drifts.yaml` |
 
-Run on a passing API to surface latent bugs.
+## Phase 9 — Share findings
 
 ```bash
-# Negative-input — 5xx on malformed bodies/query/path
-zond probe-validation <spec> --output apis/<name>/probes/validation
-zond run apis/<name>/probes/validation --json
+zond report export <run-id>                                # default: triage/<api>/run-<id>/
+zond report bundle 135..142 -o triage/sweep/               # all artefacts (default): case-study + html + diagnose + index.md
+zond report bundle <run-id> --include case-study,diagnose  # subset only (drop html)
+zond report bundle --session <id> -o triage/session/       # group by session
+```
+
+Bodies > 8 KB truncated by default; `--no-body-cap` to keep full.
+Existing files at `--output` auto-rotate to `<stem>-vN.<ext>`;
+`--overwrite` to silence. **Always pass `--redact-identity` for
+outbound sharing** (secret-redaction is on by default; identity slugs
+need the extra flag).
+
+Offer this proactively after a run surfaces `definitely_bug`
+(5xx / schema violation / mass-assignment 2xx). Skip for `env_issue` /
+`quirk`.
+
+## One-shot full audit
 
-# Undeclared HTTP methods — 5xx or unexpected 2xx on methods not in spec
-zond probe-methods <spec> --output apis/<name>/probes/methods
-zond run apis/<name>/probes/methods --json
+`zond audit --api <name>` runs the whole pipeline in one shot:
+prepare-fixtures → generate → probe static → session-wrapped run on
+tests+probes → coverage → `audit-report.html`. Each stage prints
+`==> Stage N/M: <name>`; stage failure doesn't stop the rest; final
+exit 1 if any stage failed.
 
-# Triage
-zond db diagnose <run-id> --json
+```bash
+zond audit --api <name> --dry-run                       # plan
+zond audit --api <name>                                  # minimal pipeline
+zond audit --api <name> --seed                           # add prepare-fixtures --cascade --seed
+zond audit --api <name> --with-mass-assignment --with-security
+zond audit --api <name> --out reports/audit-<name>.html
 ```
 
-Typical findings:
-- **5xx on null / empty / oversized body** → missing input validation.
-- **5xx on wrong type** (string for int, etc.) → unguarded coercion.
-- **2xx on undeclared method** → contract drift (spec lies, or method is unprotected).
-- **5xx on missing required field** → uncaught NPE on the server.
+`generate` skipped via mtime when `tests/` is fresher than `spec.json`
+(pass `--force` to override).
+
+**Gotchas**:
+- Wraps its own session — closes any prior `session start` silently.
+- Can exit 0 on failed stages (parse stdout `Warning: N failed`).
+- `audit-report.html` path not echoed by default — pass `--out`.
+
+When NOT to use audit: narrow asks ("fix run X", "why this endpoint
+500s") — walk phases.
+
+## Phase S — Single-flow scenarios
+
+When the user wants to verify one specific flow (not breadth):
 
-Filter probe scope when an API is large:
 ```bash
-zond probe-validation <spec> --tag <spec-tag> --max-per-endpoint 20
-zond probe-methods <spec> --tag <spec-tag>
+zond doctor --api <name>                                 # confirm fixtures
+# write apis/<name>/scenarios/<flow-slug>.yaml directly (no scaffold cmd)
+zond session start --label "<short reason>"
+zond run apis/<name>/scenarios/<flow>.yaml --report json
+zond session end
+```
+
+YAML grammar (zond runner format — NOT Postman / OpenAPI shape):
+
+```yaml
+name: cancel-pending-order
+tags: [scenario, orders]
+base_url: "{{base_url}}"
+headers: { Authorization: "Bearer {{auth_token}}" }
+tests:
+  - name: create order
+    POST: /workspaces/{{ws_id}}/orders
+    json: { amount: 100, currency: USD }
+    expect:
+      status: 201
+      body:
+        id: { capture: order_id }
+        status: { equals: pending }
+  - name: cancel
+    POST: /orders/{{order_id}}/cancel
+    expect: { status: 200 }
+  - name: verify cancelled
+    GET: /orders/{{order_id}}
+    expect:
+      status: 200
+      body: { status: { equals: cancelled } }
+  - name: cleanup
+    DELETE: /orders/{{order_id}}
+    always: true                                          # runs even on prior failure
+    expect: { status: [200, 204, 404] }
 ```
 
-## Phase 6 — Coverage report & spec drift
+Grammar:
+- HTTP verb is a top-level key on the step (`GET:`, `POST:`, …).
+- Body: `json: {...}` / `form: {...}` / `multipart:` / `text:`.
+- Captures: `expect.body.<field>: { capture: <var> }`.
+- Assertions: `equals`, `type`, `exists`, `matches`, `gt`/`lt`,
+  `length*`, `each`, `contains_item`, `set_equals`, `oneOf`.
+- `expect.status`: number or array. `oneOf` / `anyOf` string forms NOT
+  supported — pass an array directly.
+- `always: true` — runs on prior failure (cleanup).
+- `skip_if: "{{var}} =="` — skip when fixture var unset.
+- Generators: `{{$randomEmail}}`, `{{$uuid}}`, `{{$randomString}}`,
+  `{{$randomInt}}`, `{{$randomIsoDate}}`. Full list:
+  `zond reference random-helpers`.
+
+Hand-crafted scenarios are for **bug repro / post-deploy smoke /
+verifying a fix** — small focused work. For breadth, use Phase 3
+(generate) and the full audit chain.
+
+## Diagnose failures
 
 ```bash
-zond coverage --api <name> --fail-on-coverage 80
-zond coverage --api <name> --run-id <id>          # per-run breakdown
-zond sync <spec> --tests apis/<name>/tests        # detect new/removed endpoints
+zond db runs --limit 5 --json
+zond db diagnose <run-id> --json              # grouped by root_cause
+zond db run <id> --status 500 --json
+zond db compare <idA> <idB> --json            # regression diff
 ```
 
+`recommended_action` enum (closed):
+- `report_backend_bug` — STOP, surface to user
+- `fix_test_logic` — edit the YAML
+- `fix_auth_config` / `fix_network_config` / `fix_env` — config issues
+- `fix_spec` — edit OpenAPI (from `check spec`)
+- `fix_fixture` — fill `.env.yaml` (from `prepare-fixtures` miss-* or
+  inconclusive mass-assignment baseline)
+- `update_spec` — status-drift from `--learn`
+
+`cascade` failures collapse under root cause — fix upstream, not
+individually.
+
+### Fixing 4xx from stub generators (`fix_test_logic`)
+
+When body rejected on format (400/422 + "expected ..."):
+
+1. Read failure: `zond db run <id> --status 422 --json`.
+2. **Fixture pack first** — if it's a FK id / verified resource /
+   constrained enum, add to `.env.yaml` (Phase 1).
+3. **Typed generator** — swap `{{$randomString}}` for matching format
+   helper.
+4. **Hardcoded literal** — when typed generators fail (regex too strict).
+5. **Runtime captures** — for resources the test creates (capture from
+   prior `create_*` step or `setup: true` suite). For pre-existing FKs,
+   prefer step 2.
+
+For deep triage of a specific failing run → hand off to `zond-triage`.
+
 ## Auth / environments
 
-- Tokens go in `apis/<name>/.env.yaml` (auto-gitignored), referenced as `{{auth_token}}`.
-- Login-flow tokens: a `setup: true` suite captures into vars that propagate to later
-  suites in the same run. See `apis/<name>/tests/setup.yaml` examples emitted by `zond generate`.
-- `zond run --env <name>` loads `.env.<name>.yaml` from the API directory.
+- `apis/<name>/.env.yaml` is both auth and fixture pack — any key
+  interpolatable as `{{key}}`. Auto-gitignored.
+- Login-flow tokens: `setup: true` suite captures vars that propagate
+  to later suites in the same run.
+- `zond run --env <name>` loads `.env.<name>.yaml`. Discovery walks up
+  to workspace root; deeper files override shallower.
+
+## File lifecycle
+
+Everything zond writes is tracked in `.zond/manifest.json` with
+sha256-at-write. Files whose hash no longer matches are **skipped**
+on clean (user edits stay safe). Re-running a generator overwrites
+the entry — manual edits to generator-owned files are lost on
+regenerate; promote them to a separate suite first.
+
+```bash
+zond clean --api <name>                     # dry-run: lists what would be removed
+zond clean --api <name> --force             # delete (preserves probes/)
+zond clean --api <name> --probes --force    # also probe suites
+zond clean --all --force                    # nuclear
+```
+
+Triage outputs default to
+`triage/<api>/<run-id>/<command>-<ts>.<ext>`. Don't pass `--output`
+unless the user has a specific destination.
 
-## When to hand off to `zond-scenarios`
+## When to hand off
 
-- The user asks for a multi-step user journey, business flow, or fixture creation
-  through the API (login → create cart → checkout → cleanup).
-- A failing run's root cause requires a hand-written multi-step suite that
-  `zond generate` cannot express.
+- "deep depth-checks", "SARIF", "boundary coverage", "stateful
+  invariants details", "annotate aspect XYZ" → `zond-checks`
+- "what failed in last run", "why is it red", "case study from run X"
+  → `zond-triage`
 
-For YAML format (assertions, generators, captures, `always: true` cleanup,
-`setup: true` propagation), see `ZOND.md` at the repo root or `zond run --help`.
+If the user is mid-workflow in one of those, don't restart from here.