@kirrosh/zond 0.22.0 → 0.23.0

package/src/core/checks/checks/index.ts

@@ -0,0 +1,65 @@
+/**
+ * Auto-registers built-in checks at first import. ARV-1 ships with one
+ * seed check (`not_a_server_error`); ARV-2/3/4 fill in the remaining
+ * 11 conformance/security checks alongside it.
+ *
+ * Side-effect import is intentional: anywhere the runner or CLI loads
+ * `core/checks` it triggers this module and the registry is populated
+ * exactly once (Node/Bun ESM module cache guarantees idempotency).
+ */
+import { registerCheck } from "../registry.ts";
+import { registerStatefulCheck } from "../stateful.ts";
+import { notAServerError } from "./not_a_server_error.ts";
+import { statusCodeConformance } from "./status_code_conformance.ts";
+import { contentTypeConformance } from "./content_type_conformance.ts";
+import { responseHeadersConformance } from "./response_headers_conformance.ts";
+import { responseSchemaConformance } from "./response_schema_conformance.ts";
+import { missingRequiredHeader } from "./missing_required_header.ts";
+import { unsupportedMethod } from "./unsupported_method.ts";
+import { ignoredAuth } from "./ignored_auth.ts";
+import { useAfterFree } from "./use_after_free.ts";
+import { ensureResourceAvailability } from "./ensure_resource_availability.ts";
+import { negativeDataRejection } from "./negative_data_rejection.ts";
+import { positiveDataAcceptance } from "./positive_data_acceptance.ts";
+import { crossCallReferences } from "./cross_call_references.ts";
+import { idempotencyReplay } from "./idempotency_replay.ts";
+import { paginationInvariants } from "./pagination_invariants.ts";
+import { lifecycleTransitions } from "./lifecycle_transitions.ts";
+import { openCorsOnSensitive } from "./open_cors_on_sensitive.ts";
+import { rateLimitHeadersAbsent } from "./rate_limit_headers_absent.ts";
+
+let registered = false;
+
+export function registerBuiltinChecks(): void {
+  if (registered) return;
+  // ARV-1 seed.
+  registerCheck(notAServerError);
+  // ARV-2 — 6 conformance checks (7 total with the seed).
+  registerCheck(statusCodeConformance);
+  registerCheck(contentTypeConformance);
+  registerCheck(responseHeadersConformance);
+  registerCheck(responseSchemaConformance);
+  registerCheck(missingRequiredHeader);
+  registerCheck(unsupportedMethod);
+  // ARV-3 — 3 stateful security checks.
+  registerStatefulCheck(ignoredAuth);
+  registerStatefulCheck(useAfterFree);
+  registerStatefulCheck(ensureResourceAvailability);
+  // ARV-4 — 2 data-rejection checks with anti-FP guards.
+  registerCheck(negativeDataRejection);
+  registerCheck(positiveDataAcceptance);
+  // ARV-169 (m-20) — cross-call POST→GET shape-diff probe.
+  registerStatefulCheck(crossCallReferences);
+  // ARV-170 (m-20) — Idempotency-Key replay probe.
+  registerStatefulCheck(idempotencyReplay);
+  // ARV-171 (m-20) — cursor pagination invariants.
+  registerStatefulCheck(paginationInvariants);
+  // ARV-172 (m-20) — declared state-machine + action transitions.
+  registerStatefulCheck(lifecycleTransitions);
+  // ARV-256 (m-21) — small-team value-add checks.
+  registerStatefulCheck(openCorsOnSensitive);
+  registerCheck(rateLimitHeadersAbsent);
+  registered = true;
+}
+
+registerBuiltinChecks();

package/src/core/checks/checks/lifecycle_transitions.ts

@@ -0,0 +1,273 @@
+/**
+ * `lifecycle_transitions` (m-20 ARV-172) — verify a resource's declared
+ * state machine on the live API.
+ *
+ * For each CRUD group whose resource has a `lifecycle:` yaml block:
+ *
+ *   1. POST create → capture id + initial state from the response.
+ *   2. Assert initial state ∈ declared `states[]`. Undeclared state →
+ *      finding (`undeclared_state`).
+ *   3. For each declared `action` in turn:
+ *       a. POST <action.endpoint> with {id} substituted.
+ *       b. GET resource → read `state.field`.
+ *       c. Assert observed state == `action.expected_state`. Wrong
+ *          terminal → finding (`wrong_expected_state`).
+ *       d. Assert (previous_state, observed_state) ∈ declared
+ *          transitions. Forbidden hop → finding (`forbidden_transition`).
+ *       e. POST <action.endpoint> a second time (idempotency probe):
+ *          either 4xx (rejected) or 2xx with state unchanged. State
+ *          regression on replay → finding (`state_regression_on_replay`).
+ *
+ * Severity: HIGH. The four failure classes share one finding per
+ * action (consistent with cross_call_references / idempotency_replay /
+ * pagination_invariants). evidence.kind discriminates.
+ *
+ * Anti-FP guards:
+ *   • Yaml manifest validated at load (validateLifecycleManifest in
+ *     resources-builder); a malformed manifest skips with the
+ *     concrete error so the operator gets actionable feedback.
+ *   • POST create non-2xx → broken-baseline skip.
+ *   • Action POST non-2xx on first call → action-not-supported skip
+ *     (the API may have authoritative server-side gating; not a
+ *     contract bug).
+ *   • Each action runs once per check execution — actions interact in
+ *     the order yaml declares them, so authoring the yaml in a
+ *     legal-transition order lets the chain advance the resource.
+ */
+import type { OpenAPIV3 } from "openapi-types";
+import type { CrudStatefulCheck } from "../stateful.ts";
+import type { LifecycleConfig, LifecycleAction } from "../../generator/resources-builder.ts";
+import { validateLifecycleManifest } from "../../generator/resources-builder.ts";
+import {
+  extractIdFromCreateResponse,
+  fillPathWithId,
+  fillPathParams,
+  serializeCheckBody,
+  resolveCreateBody,
+} from "./_crud-helpers.ts";
+
+function safeParse(v: unknown): unknown {
+  if (typeof v !== "string") return v;
+  try { return JSON.parse(v); } catch { return v; }
+}
+
+function readState(body: unknown, field: string): string | null {
+  if (!body || typeof body !== "object") return null;
+  const v = (body as Record<string, unknown>)[field];
+  return typeof v === "string" ? v : null;
+}
+
+function parseEndpointLabel(label: string): { method: string; path: string } | null {
+  const parts = label.trim().split(/\s+/);
+  if (parts.length < 2) return null;
+  return { method: parts[0]!.toUpperCase(), path: parts[1]! };
+}
+
+function transitionAllowed(cfg: LifecycleConfig, from: string, to: string): boolean {
+  // Same-state replay is always OK (idempotent action).
+  if (from === to) return true;
+  for (const t of cfg.transitions) {
+    if (t.from === from && t.to.includes(to)) return true;
+  }
+  return false;
+}
+
+interface Finding {
+  kind: string;
+  message: string;
+  extra?: Record<string, unknown>;
+}
+
+export const lifecycleTransitions: CrudStatefulCheck = {
+  id: "lifecycle_transitions",
+  severity: "high",
+  defaultExpected: "Declared lifecycle actions must move the resource through declared states without regression",
+  references: [{ id: "ARV-172" }],
+  phase: "crud",
+  applies(g) {
+    return Boolean(g.create && g.read);
+  },
+  async run(g, h) {
+    if (h.bootstrapCleanupFailed) {
+      return { kind: "skip", reason: "bootstrap-cleanup failed — stateful checks paused" };
+    }
+    const cfg = h.resourceConfigs?.get(g.resource)?.lifecycle;
+    if (!cfg) return { kind: "skip", reason: "no lifecycle config for this resource" };
+
+    const manifestErrors = validateLifecycleManifest(cfg);
+    if (manifestErrors.length > 0) {
+      return { kind: "skip", reason: `lifecycle manifest invalid: ${manifestErrors[0]}` };
+    }
+    if (Object.keys(cfg.actions).length === 0) {
+      return { kind: "skip", reason: "lifecycle has no actions to verify" };
+    }
+
+    const create = g.create!;
+    const read = g.read!;
+    const baseHeaders = { Accept: "application/json", ...h.authHeaders };
+    const stateSet = new Set(cfg.states);
+
+    // 1. Create — prefer seed_body (ARV-187) over generator.
+    const seedBody = h.resourceConfigs?.get(g.resource)?.seedBody;
+    const generated = resolveCreateBody(create, seedBody) ?? {};
+    const { body: createBody, contentType } = serializeCheckBody(
+      create,
+      generated,
+      h.pathVars,
+      seedBody?.contentType,
+    );
+    const createUrl = `${h.baseUrl.replace(/\/+$/, "")}${fillPathParams(create.path, h.pathVars)}`;
+    const createResp = await h.send({
+      method: "POST",
+      url: createUrl,
+      headers: { ...baseHeaders, "Content-Type": contentType },
+      body: createBody,
+    });
+    if (createResp.status < 200 || createResp.status >= 300) {
+      return { kind: "skip", reason: `create returned ${createResp.status} — broken-baseline guard` };
+    }
+    const createBodyParsed = createResp.body_parsed ?? safeParse(createResp.body);
+    const id = extractIdFromCreateResponse(createBodyParsed, g.idParam);
+    if (id == null) return { kind: "skip", reason: "could not extract id from create response" };
+
+    const findings: Finding[] = [];
+
+    let currentState = readState(createBodyParsed, cfg.field);
+    if (currentState == null) {
+      return { kind: "skip", reason: `state field "${cfg.field}" missing on create response — yaml mismatch or hidden field` };
+    }
+    if (!stateSet.has(currentState)) {
+      findings.push({
+        kind: "undeclared_state",
+        message: `initial state "${currentState}" not in declared states [${cfg.states.join(", ")}]`,
+        extra: { observed: currentState, declared: cfg.states },
+      });
+    }
+
+    const readUrlFor = (resId: string | number): string =>
+      `${h.baseUrl.replace(/\/+$/, "")}${fillPathWithId(fillPathParams(read.path, h.pathVars), g.idParam, resId)}`;
+
+    // 2. For each action: invoke, read, assert.
+    for (const [name, action] of Object.entries(cfg.actions) as Array<[string, LifecycleAction]>) {
+      const parsed = parseEndpointLabel(action.endpoint);
+      if (!parsed) {
+        findings.push({
+          kind: "action_endpoint_malformed",
+          message: `action "${name}".endpoint "${action.endpoint}" must be "METHOD /path"`,
+        });
+        continue;
+      }
+      const actionUrl = `${h.baseUrl.replace(/\/+$/, "")}${fillPathWithId(fillPathParams(parsed.path, h.pathVars), g.idParam, id)}`;
+      const actionBody = action.body
+        ? serializeCheckBody(create, action.body, h.pathVars)
+        : { body: "", contentType: "application/json" };
+      const actionHeaders: Record<string, string> = { ...baseHeaders };
+      if (action.body) actionHeaders["Content-Type"] = actionBody.contentType;
+
+      const firstResp = await h.send({
+        method: parsed.method,
+        url: actionUrl,
+        headers: actionHeaders,
+        body: action.body ? actionBody.body : undefined,
+      });
+      if (firstResp.status < 200 || firstResp.status >= 300) {
+        // Server-side gating; not a contract violation.
+        findings.push({
+          kind: "action_rejected",
+          message: `action "${name}" returned ${firstResp.status} on first call — server may gate this transition`,
+          extra: { action: name, status: firstResp.status },
+        });
+        continue;
+      }
+
+      // Read state after action.
+      const readResp = await h.send({ method: "GET", url: readUrlFor(id), headers: baseHeaders });
+      if (readResp.status < 200 || readResp.status >= 300) {
+        findings.push({
+          kind: "read_after_action_failed",
+          message: `GET after action "${name}" returned ${readResp.status}`,
+          extra: { action: name, read_status: readResp.status },
+        });
+        break;
+      }
+      const observedState = readState(readResp.body_parsed ?? safeParse(readResp.body), cfg.field);
+      if (observedState == null) {
+        findings.push({
+          kind: "state_field_missing",
+          message: `GET after action "${name}": state field "${cfg.field}" missing`,
+          extra: { action: name },
+        });
+        break;
+      }
+      if (!stateSet.has(observedState)) {
+        findings.push({
+          kind: "undeclared_state",
+          message: `action "${name}" produced state "${observedState}" not in declared states`,
+          extra: { action: name, observed: observedState },
+        });
+      } else {
+        if (!transitionAllowed(cfg, currentState, observedState)) {
+          findings.push({
+            kind: "forbidden_transition",
+            message: `action "${name}": ${currentState} → ${observedState} is not allowed by declared transitions`,
+            extra: { action: name, from: currentState, to: observedState },
+          });
+        }
+        if (observedState !== action.expectedState) {
+          findings.push({
+            kind: "wrong_expected_state",
+            message: `action "${name}": expected state "${action.expectedState}", observed "${observedState}"`,
+            extra: { action: name, expected: action.expectedState, observed: observedState },
+          });
+        }
+      }
+
+      // 3. Idempotency probe: invoke action again, state must not regress.
+      const secondResp = await h.send({
+        method: parsed.method,
+        url: actionUrl,
+        headers: actionHeaders,
+        body: action.body ? actionBody.body : undefined,
+      });
+      if (secondResp.status >= 500) {
+        findings.push({
+          kind: "double_action_5xx",
+          message: `action "${name}" 5xx'd on replay (${secondResp.status}) — should be idempotent or 4xx`,
+          extra: { action: name, status: secondResp.status },
+        });
+      } else if (secondResp.status >= 200 && secondResp.status < 300) {
+        // Replay accepted — state must remain the action's expected state.
+        const replayRead = await h.send({ method: "GET", url: readUrlFor(id), headers: baseHeaders });
+        if (replayRead.status >= 200 && replayRead.status < 300) {
+          const replayState = readState(replayRead.body_parsed ?? safeParse(replayRead.body), cfg.field);
+          if (replayState != null && replayState !== observedState) {
+            findings.push({
+              kind: "state_regression_on_replay",
+              message: `action "${name}" replay drifted state ${observedState} → ${replayState}`,
+              extra: { action: name, before_replay: observedState, after_replay: replayState },
+            });
+          }
+        }
+      }
+      // 4xx on replay is an acceptable "not-idempotent but safe" rejection.
+
+      currentState = observedState;
+    }
+
+    if (findings.length === 0) return { kind: "pass" };
+    const kinds = findings.map((f) => f.kind);
+    const message = findings.length === 1
+      ? findings[0]!.message
+      : `Lifecycle on ${g.resource}: ${findings.length} issue(s) — ${kinds.join(", ")}`;
+    return {
+      kind: "fail",
+      message,
+      evidence: {
+        resource: g.resource,
+        id,
+        kind: kinds.join("+"),
+        findings: findings.map((f) => ({ kind: f.kind, message: f.message, ...(f.extra ?? {}) })),
+      },
+    };
+  },
+};

package/src/core/checks/checks/missing_required_header.ts

@@ -0,0 +1,40 @@
+/**
+ * `missing_required_header` — schemathesis-equivalent. Sends a request
+ * with one declared-required header dropped; the server must reject
+ * with a 4xx (400 / 401 / 403 / 406 / 422). Anything else (2xx, 3xx,
+ * 5xx) is a finding.
+ *
+ * The runner generates the probe case (kind="missing_required_header")
+ * only when at least one operation declares a required header — we
+ * skip otherwise to avoid a second wave of pointless requests.
+ */
+import type { Check } from "../types.ts";
+
+const ACCEPTABLE_REJECT_STATUSES = new Set([400, 401, 403, 406, 422, 412]);
+
+export const missingRequiredHeader: Check = {
+  id: "missing_required_header",
+  severity: "high",
+  defaultExpected: "Server must reject the request with 4xx when a required header is missing",
+  references: [{ id: "OWASP-API-04" }],
+  caseKinds: ["missing_required_header"],
+  applies: (op) =>
+    op.parameters.some((p) => p.in === "header" && p.required === true),
+  run({ case: c, response }) {
+    const status = response.status;
+    if (status >= 500) {
+      return {
+        kind: "fail",
+        message: `Server 5xx'd when required header was dropped (${c.meta?.dropped_header}) — should be a 4xx rejection`,
+        evidence: { dropped_header: c.meta?.dropped_header, status },
+      };
+    }
+    if (ACCEPTABLE_REJECT_STATUSES.has(status)) return { kind: "pass" };
+    if (status >= 400 && status < 500) return { kind: "pass" }; // any 4xx counts
+    return {
+      kind: "fail",
+      message: `Server accepted request without required header "${c.meta?.dropped_header}" (status ${status})`,
+      evidence: { dropped_header: c.meta?.dropped_header, status },
+    };
+  },
+};

package/src/core/checks/checks/negative_data_rejection.ts

@@ -0,0 +1,45 @@
+/**
+ * `negative_data_rejection` (m-15 ARV-4) — schemathesis-equivalent.
+ * The runner builds a single-site negative case (one mutation against
+ * a valid body, see `_negative_mutator.ts`); if the server still
+ * accepts it (status outside 4xx/5xx + 401/403/404 admin set), we
+ * raise a finding — *unless* an anti-FP guard fires (see `_anti_fp.ts`).
+ *
+ * Default expected: 400 / 401 / 403 / 404 / 422 / 428 / 5xx.
+ *   2xx and 3xx with our payload are findings.
+ */
+import type { Check } from "../types.ts";
+import { applyAntiFp } from "../../anti-fp/index.ts";
+
+const ACCEPTABLE = (status: number): boolean => {
+  if (status === 400 || status === 401 || status === 403 || status === 404 || status === 422 || status === 428) return true;
+  if (status >= 500 && status < 600) return true; // 5xx accepted: a bug, but not a *silent* accept
+  return false;
+};
+
+export const negativeDataRejection: Check = {
+  id: "negative_data_rejection",
+  severity: "high",
+  defaultExpected: "Server must reject invalid bodies with 400/401/403/404/422/428 (or 5xx)",
+  references: [{ id: "OWASP-API-08" }],
+  caseKinds: ["negative_data"],
+  applies: (op) => Boolean(op.requestBodySchema),
+  run({ case: c, response }) {
+    if (ACCEPTABLE(response.status)) return { kind: "pass" };
+    const skip = applyAntiFp(c, "check:negative_data_rejection");
+    if (skip) {
+      return { kind: "skip", reason: `${skip.ruleId}: ${skip.reason}` };
+    }
+    return {
+      kind: "fail",
+      message: `Server accepted an invalid body (status ${response.status}) — single-site mutation: ${
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (c.meta as any)?.mutation
+      } @ ${
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (c.meta as any)?.field_path
+      }`,
+      evidence: { status: response.status, mutation: c.meta },
+    };
+  },
+};

package/src/core/checks/checks/not_a_server_error.ts

@@ -0,0 +1,27 @@
+/**
+ * `not_a_server_error` — schemathesis-equivalent baseline check: a
+ * well-formed request must never produce a 5xx response. Acts as the
+ * seed check for the ARV-1 scaffolding; the rest of the conformance
+ * suite lands in ARV-2.
+ */
+import type { Check } from "../types.ts";
+
+export const notAServerError: Check = {
+  id: "not_a_server_error",
+  severity: "high",
+  defaultExpected: "Server must not respond with 5xx for any well-formed request",
+  references: [
+    { id: "RFC-9110-15.6", url: "https://www.rfc-editor.org/rfc/rfc9110#name-server-error-5xx" },
+  ],
+  applies: () => true,
+  run({ response }) {
+    if (response.status >= 500 && response.status < 600) {
+      return {
+        kind: "fail",
+        message: `Server responded with ${response.status} (5xx) — request triggered an unhandled error`,
+        evidence: { status: response.status },
+      };
+    }
+    return { kind: "pass" };
+  },
+};

package/src/core/checks/checks/open_cors_on_sensitive.ts

@@ -0,0 +1,131 @@
+/**
+ * `open_cors_on_sensitive` (ARV-256, m-21 pivot) — verify that an
+ * authenticated endpoint does not echo arbitrary Origin values with
+ * Access-Control-Allow-Credentials: true.
+ *
+ * The dangerous combo, in two shapes:
+ *   - `Access-Control-Allow-Origin: *` + `Access-Control-Allow-Credentials: true`
+ *     (illegal per spec but seen in the wild; some servers patch out the
+ *     star and emit just the credentials header — still broken)
+ *   - `Access-Control-Allow-Origin: <reflected attacker Origin>` +
+ *     `Access-Control-Allow-Credentials: true`
+ *
+ * Both let any cross-origin site read authenticated responses on behalf
+ * of a logged-in user — classic CSRF-with-data-exfil surface.
+ *
+ * Sends one request with `Origin: https://evil.zond.test`, then
+ * inspects the response CORS headers. Evidence_chain proof: request
+ * Origin + response headers travel together in the finding.
+ *
+ * Anti-FP: skips endpoints with `security: []` override (intentionally
+ * public). Skips when server doesn't emit any CORS headers (API isn't
+ * configured for cross-origin — no problem to find).
+ */
+import type { AuthStatefulCheck } from "../stateful.ts";
+import type { OpenAPIV3 } from "openapi-types";
+import type { HttpRequest } from "../../runner/types.ts";
+
+const PROBE_ORIGIN = "https://evil.zond.test";
+
+function fillPath(
+  path: string,
+  op: { parameters: OpenAPIV3.ParameterObject[] },
+  pathVars: Record<string, string> | undefined,
+): string {
+  return path.replace(/\{([^}]+)\}/g, (_, name: string) => {
+    const real = pathVars?.[name];
+    if (typeof real === "string" && real.length > 0) return encodeURIComponent(real);
+    const param = op.parameters.find((p) => p.name === name && p.in === "path");
+    const schema = param?.schema as OpenAPIV3.SchemaObject | undefined;
+    if (schema?.format === "uuid") return "00000000-0000-0000-0000-000000000000";
+    if (schema?.type === "integer" || schema?.type === "number") return "1";
+    return "x";
+  });
+}
+
+function getHeader(headers: Record<string, string>, name: string): string | undefined {
+  return headers[name] ?? headers[name.toLowerCase()];
+}
+
+export const openCorsOnSensitive: AuthStatefulCheck = {
+  id: "open_cors_on_sensitive",
+  severity: "high",
+  defaultExpected:
+    "Authenticated endpoints must not echo arbitrary Origin with Allow-Credentials: true (cross-origin read of authed data)",
+  references: [{ id: "OWASP-API-09-CORS" }],
+  phase: "auth",
+  applies(op) {
+    // Same anti-FP as ignored_auth: skip explicit-public endpoints.
+    if (op.security.length === 0) return false;
+    return true;
+  },
+  async run(op, h) {
+    const url = `${h.baseUrl.replace(/\/+$/, "")}${fillPath(op.path, op, h.pathVars)}`;
+    const method = op.method.toUpperCase();
+    // GET-only probe — bursting on POST/PATCH would create resources.
+    // For mutating-only endpoints we still send the actual method with
+    // the OPTIONS preflight-style Origin header, since most CORS
+    // misconfigurations apply to non-preflight responses.
+    const safeMethod = method === "GET" || method === "HEAD" || method === "OPTIONS" ? method : "OPTIONS";
+    const req: HttpRequest = {
+      method: safeMethod,
+      url,
+      headers: {
+        Accept: "application/json",
+        ...h.authHeaders,
+        Origin: PROBE_ORIGIN,
+        // For non-GET probes, advertise the real method as the preflight
+        // would.
+        ...(safeMethod === "OPTIONS"
+          ? {
+              "Access-Control-Request-Method": method,
+              "Access-Control-Request-Headers": "Authorization",
+            }
+          : {}),
+      },
+    };
+    const resp = await h.send(req);
+
+    const allowOrigin = getHeader(resp.headers, "access-control-allow-origin");
+    const allowCreds = getHeader(resp.headers, "access-control-allow-credentials");
+
+    // No CORS headers emitted → endpoint isn't configured for cross-origin.
+    // Nothing to flag.
+    if (!allowOrigin && !allowCreds) {
+      return { kind: "skip", reason: "no CORS headers in response — API not configured for cross-origin" };
+    }
+
+    const credsTrue = (allowCreds ?? "").toLowerCase() === "true";
+    const originIsStar = allowOrigin === "*";
+    const originReflects = allowOrigin === PROBE_ORIGIN;
+
+    // The smoking guns.
+    if (credsTrue && originIsStar) {
+      return {
+        kind: "fail",
+        message:
+          "CORS misconfiguration: Allow-Origin: * with Allow-Credentials: true allows cross-origin reads of authenticated data",
+        evidence: {
+          request_origin: PROBE_ORIGIN,
+          access_control_allow_origin: allowOrigin,
+          access_control_allow_credentials: allowCreds,
+          variant: "wildcard+credentials",
+        },
+      };
+    }
+    if (credsTrue && originReflects) {
+      return {
+        kind: "fail",
+        message:
+          "CORS misconfiguration: response reflects arbitrary Origin with Allow-Credentials: true — any attacker site can read authed responses",
+        evidence: {
+          request_origin: PROBE_ORIGIN,
+          access_control_allow_origin: allowOrigin,
+          access_control_allow_credentials: allowCreds,
+          variant: "reflected+credentials",
+        },
+      };
+    }
+    return { kind: "pass" };
+  },
+};