@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -1,7 +1,8 @@
1
- import { setupApi, type SetupApiResult } from "../../core/setup-api.ts";
2
- import { printError, printSuccess } from "../output.ts";
3
- import { jsonOk, jsonError, printJson } from "../json-envelope.ts";
4
- import { bootstrapWorkspace, type BootstrapResult } from "./init/bootstrap.ts";
1
+ import { existsSync, readdirSync } from "node:fs";
2
+ import { setupApi, type SetupApiResult } from "../../../core/setup-api.ts";
3
+ import { printError, printSuccess } from "../../output.ts";
4
+ import { jsonOk, jsonError, printJson } from "../../json-envelope.ts";
5
+ import { bootstrapWorkspace, type BootstrapResult } from "./bootstrap.ts";
5
6
 
6
7
  export interface InitOptions {
7
8
  // register-an-API options (existing)
@@ -21,6 +22,8 @@ export interface InitOptions {
21
22
  noAgents?: boolean;
22
23
  /** Skip writing Claude Code skills under .claude/skills/. */
23
24
  noSkills?: boolean;
25
+ /** Remove legacy skill dirs (zond-base, zond-scenarios, …) — by default a warning is printed. */
26
+ pruneStaleSkills?: boolean;
24
27
  /** Override cwd for bootstrap (used by tests; CLI always uses process.cwd()). */
25
28
  cwd?: string;
26
29
  /** Override $HOME for MCP install (used by tests). */
@@ -55,7 +58,13 @@ export async function initCommand(options: InitOptions): Promise<number> {
55
58
  return 0;
56
59
  }
57
60
 
58
- const bootstrap = bootstrapWorkspace({ writeAgents, writeSkills, cwd: options.cwd, home: options.home });
61
+ const bootstrap = bootstrapWorkspace({
62
+ writeAgents,
63
+ writeSkills,
64
+ pruneStaleSkills: options.pruneStaleSkills,
65
+ cwd: options.cwd,
66
+ home: options.home,
67
+ });
59
68
  let register: SetupApiResult | null = null;
60
69
 
61
70
  if (mode === "bootstrap+register") {
@@ -72,6 +81,8 @@ export async function initCommand(options: InitOptions): Promise<number> {
72
81
  agentsPath: bootstrap.agents?.path ?? null,
73
82
  agentsAction: bootstrap.agents?.action ?? null,
74
83
  skills: bootstrap.skills.map((s) => ({ name: s.name, path: s.path, action: s.action })),
84
+ staleSkills: bootstrap.staleSkills.map((s) => ({ name: s.name, path: s.path })),
85
+ prunedSkills: bootstrap.prunedSkills.map((s) => ({ name: s.name, path: s.path })),
75
86
  };
76
87
  if (register) {
77
88
  data.collectionId = register.collectionId;
@@ -134,6 +145,9 @@ function printBootstrapResult(b: BootstrapResult, writeAgents: boolean): void {
134
145
  for (const s of b.skills) {
135
146
  lines.push(` ${verb(s.action)} .claude/skills/${s.name}/SKILL.md`);
136
147
  }
148
+ for (const s of b.prunedSkills) {
149
+ lines.push(` Removed .claude/skills/${s.name}/ (stale)`);
150
+ }
137
151
  for (const w of b.warnings) {
138
152
  process.stderr.write(`Warning: ${w}\n`);
139
153
  }
@@ -143,8 +157,88 @@ function printBootstrapResult(b: BootstrapResult, writeAgents: boolean): void {
143
157
  } else {
144
158
  printSuccess("Workspace ready. See AGENTS.md for the CLI workflow.");
145
159
  }
160
+ const apiNames = listExistingApis(b.cwd);
161
+ if (apiNames.length === 0) {
162
+ process.stderr.write(
163
+ `\nNext steps:\n` +
164
+ ` 1. zond add api <name> --spec <path|url> # register API → builds .api-fixtures.yaml (manifest)\n` +
165
+ ` 2. zond doctor --api <name> # gap report: which vars are UNSET in .env.yaml\n` +
166
+ ` 3. zond prepare-fixtures --api <name> --apply # fill .env.yaml values (single-pass); fill any gaps by hand\n` +
167
+ `\nNote: zond init only refreshes workspace files (skills, AGENTS.md, zond.config.yml).\n` +
168
+ ` It does NOT touch fixtures or .env.yaml — that's the doctor/prepare-fixtures loop above.\n`
169
+ );
170
+ } else {
171
+ const sample = apiNames[0]!;
172
+ process.stderr.write(
173
+ `\nFixtures untouched. zond init only refreshes skills/AGENTS.md/zond.config.yml.\n` +
174
+ `Verify env state with:\n` +
175
+ ` zond doctor --api ${sample} --missing-only # show UNSET vars + blocked endpoints\n` +
176
+ ` zond prepare-fixtures --api ${sample} --apply # discover values (single-pass); fill any gaps by hand\n`
177
+ );
178
+ }
179
+ }
180
+
181
+ function listExistingApis(cwd: string): string[] {
182
+ try {
183
+ const apisDir = `${cwd}/apis`;
184
+ if (!existsSync(apisDir)) return [];
185
+ return readdirSync(apisDir, { withFileTypes: true })
186
+ .filter((d) => d.isDirectory() && existsSync(`${apisDir}/${d.name}/spec.json`))
187
+ .map((d) => d.name)
188
+ .sort();
189
+ } catch {
190
+ return [];
191
+ }
146
192
  }
147
193
 
148
194
  function verb(action: "created" | "updated" | "noop"): string {
149
195
  return action === "created" ? "Created" : action === "updated" ? "Updated" : "Up-to-date:";
150
196
  }
197
+
198
+ import type { Command } from "commander";
199
+ import { globalJson } from "../../resolve.ts";
200
+
201
+ export function registerInit(program: Command): void {
202
+ program
203
+ .command("init [spec]")
204
+ .description("Bootstrap a workspace, or register an API when --spec is given")
205
+ .option("--name <name>", "API name (auto-detected from spec title if omitted)")
206
+ .option("--spec <path>", "Path to OpenAPI spec file (registers a single API)")
207
+ .option("--base-url <url>", "Override base URL")
208
+ .option("--dir <path>", "Target directory")
209
+ .option("--force", "Overwrite existing API collection")
210
+ .option("--insecure", "Skip TLS verification when fetching the spec")
211
+ .option("--db <path>", "Path to SQLite database file")
212
+ .option("--workspace", "Bootstrap a zond workspace (zond.config.yml, apis/, AGENTS.md)")
213
+ .option("--with-spec <path>", "Bootstrap workspace AND register first API from spec")
214
+ .option("--no-agents-md", "Skip writing AGENTS.md when bootstrapping")
215
+ .option("--no-skills", "Skip writing Claude Code skills under .claude/skills/")
216
+ .option(
217
+ "--prune-stale-skills",
218
+ "Remove .claude/skills/ dirs for retired template names (zond-base, zond-scenarios)",
219
+ )
220
+ .action(async (specPos: string | undefined, opts, cmd: Command) => {
221
+ const spec = opts.spec ?? specPos;
222
+ const json = globalJson(cmd);
223
+ if ((spec || opts.withSpec) && !json) {
224
+ process.stderr.write(
225
+ `Warning: 'zond init --spec' / '--with-spec' is deprecated. Use \`zond add api <name> --spec <path>\` (run \`zond init\` separately to bootstrap the workspace).\n`,
226
+ );
227
+ }
228
+ process.exitCode = await initCommand({
229
+ name: opts.name,
230
+ spec,
231
+ baseUrl: opts.baseUrl,
232
+ dir: opts.dir,
233
+ force: opts.force === true,
234
+ insecure: opts.insecure === true,
235
+ dbPath: opts.db,
236
+ workspace: opts.workspace === true,
237
+ withSpec: opts.withSpec,
238
+ noAgents: opts.agentsMd === false,
239
+ noSkills: opts.skills === false,
240
+ pruneStaleSkills: opts.pruneStaleSkills === true,
241
+ json,
242
+ });
243
+ });
244
+ }
@@ -1,8 +1,11 @@
1
- import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
1
+ import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
2
2
  import { dirname, join } from "node:path";
3
3
 
4
4
  import zondSkill from "./templates/skills/zond.md" with { type: "text" };
5
- import scenariosSkill from "./templates/skills/scenarios.md" with { type: "text" };
5
+ import checksSkill from "./templates/skills/zond-checks.md" with { type: "text" };
6
+ import triageSkill from "./templates/skills/zond-triage.md" with { type: "text" };
7
+ import seedSkill from "./templates/skills/zond-seed.md" with { type: "text" };
8
+ import warmUpSkill from "./templates/skills/warm-up-target.md" with { type: "text" };
6
9
 
7
10
  export interface SkillResult {
8
11
  name: string;
@@ -16,10 +19,103 @@ interface SkillTemplate {
16
19
  }
17
20
 
18
21
  const SKILLS: SkillTemplate[] = [
22
+ // Primary skill: artifact model + iron rules + full workflow
23
+ // (init → fixtures → annotate → generate → run → stateful checks →
24
+ // probes → coverage → share) + single-flow scenario authoring.
19
25
  { name: "zond", body: zondSkill },
20
- { name: "zond-scenarios", body: scenariosSkill },
26
+ // Depth-check reference: conformance + security + m-20 stateful
27
+ // (cross_call_references, idempotency_replay, pagination_invariants,
28
+ // lifecycle_transitions) with per-aspect annotate flow.
29
+ { name: "zond-checks", body: checksSkill },
30
+ // Read-only triage of a finished run / probe artifact.
31
+ { name: "zond-triage", body: triageSkill },
32
+ // ARV-355: agent-orchestrated auto-seed loop (read gaps → order by
33
+ // fkDependencies → author body → request POST --capture → fix 4xx + retry).
34
+ { name: "zond-seed", body: seedSkill },
35
+ // ARV-366: warm up external-input fixtures (issue_id/file_id/integration_id)
36
+ // via the target's own SDK/CLI/replay — the honest-2xx ceiling zond-seed
37
+ // can't reach with a plain POST. Agent warms, zond stores + measures.
38
+ { name: "warm-up-target", body: warmUpSkill },
21
39
  ];
22
40
 
41
+ /**
42
+ * Names previously emitted by `upsertSkills` but no longer in `SKILLS`.
43
+ * Detected as stale by `detectStaleSkills` and removed by
44
+ * `pruneStaleSkills` (only when the user opts in via `--prune-stale-skills`).
45
+ *
46
+ * Append a name here whenever a skill template is retired. User-authored
47
+ * skills (any name NOT in this list) are never touched.
48
+ */
49
+ const LEGACY_SKILL_NAMES: readonly string[] = [
50
+ "zond-base", // retired by skills-consolidation refactor (folded into zond)
51
+ "zond-scenarios", // retired by skills-consolidation refactor (folded into zond)
52
+ ] as const;
53
+
54
+ export interface StaleSkill {
55
+ name: string;
56
+ path: string;
57
+ }
58
+
59
+ /**
60
+ * Per-skill drift status vs the in-binary template. `missing` is
61
+ * non-actionable on its own (user may have intentionally passed
62
+ * `--no-skills`); `outdated` is the actionable one — workspace skill
63
+ * predates a binary upgrade and `zond init` will refresh it.
64
+ */
65
+ export type SkillDriftStatus = "fresh" | "outdated" | "missing";
66
+
67
+ export interface SkillDrift {
68
+ name: string;
69
+ path: string;
70
+ status: SkillDriftStatus;
71
+ }
72
+
73
+ /**
74
+ * Compare each in-binary skill template against the workspace copy at
75
+ * `<cwd>/.claude/skills/<name>/SKILL.md`. Returns one entry per skill —
76
+ * callers filter by status (`outdated` → warn the user to re-run
77
+ * `zond init`).
78
+ */
79
+ export function detectSkillDrift(cwd: string): SkillDrift[] {
80
+ return SKILLS.map(({ name, body }) => {
81
+ const path = join(cwd, ".claude", "skills", name, "SKILL.md");
82
+ const desired = body.endsWith("\n") ? body : body + "\n";
83
+ if (!existsSync(path)) return { name, path, status: "missing" as const };
84
+ const current = readFileSync(path, "utf-8");
85
+ return {
86
+ name,
87
+ path,
88
+ status: (current === desired ? "fresh" : "outdated") as SkillDriftStatus,
89
+ };
90
+ });
91
+ }
92
+
93
+ /**
94
+ * Returns directories under `<cwd>/.claude/skills/` whose name is in
95
+ * `LEGACY_SKILL_NAMES`. User-authored skill directories (any other
96
+ * name) are intentionally ignored.
97
+ */
98
+ export function detectStaleSkills(cwd: string): StaleSkill[] {
99
+ const out: StaleSkill[] = [];
100
+ for (const name of LEGACY_SKILL_NAMES) {
101
+ const path = join(cwd, ".claude", "skills", name);
102
+ if (existsSync(path)) out.push({ name, path });
103
+ }
104
+ return out;
105
+ }
106
+
107
+ /**
108
+ * Recursively removes the directories returned by `detectStaleSkills`.
109
+ * Returns the list of names that were actually removed.
110
+ */
111
+ export function pruneStaleSkills(cwd: string, opts: { dryRun?: boolean } = {}): StaleSkill[] {
112
+ const stale = detectStaleSkills(cwd);
113
+ if (!opts.dryRun) {
114
+ for (const { path } of stale) rmSync(path, { recursive: true, force: true });
115
+ }
116
+ return stale;
117
+ }
118
+
23
119
  /**
24
120
  * Idempotently writes Claude Code skills into `<cwd>/.claude/skills/<name>/SKILL.md`.
25
121
  * Body is identical to the in-binary template — overwrites on drift, noop on match.
@@ -1,73 +1,86 @@
1
1
  ## API testing with zond
2
2
 
3
- This workspace uses [zond](https://github.com/kirrosh/zond) for API testing. The MCP
4
- server is **not** configured for this workspace, so use the CLI directly.
3
+ This workspace uses [zond](https://github.com/kirrosh/zond) for API testing CLI
4
+ only, no MCP server in this workspace.
5
+
6
+ ### Skills
7
+
8
+ - **`.claude/skills/zond/SKILL.md` (primary)** — artifact model + iron
9
+ rules + full workflow: fixtures → annotate → generate → smoke → CRUD
10
+ → stateful checks → probes → coverage → report, plus single-flow
11
+ scenario authoring. Loads on workspace touch and on intent ("audit
12
+ this API", "find bugs", "write a test for X flow").
13
+ - **`.claude/skills/zond-checks/SKILL.md`** — depth-check reference:
14
+ conformance + security + m-20 stateful invariants
15
+ (cross_call_references, idempotency_replay, pagination_invariants,
16
+ lifecycle_transitions) and the `zond api annotate dump+apply` flow.
17
+ - **`.claude/skills/zond-triage/SKILL.md`** — read-only triage of a
18
+ finished run / probe artifact. Routes by `recommended_action` enum.
19
+ - **`.claude/skills/zond-seed/SKILL.md`** — agent-orchestrated seed loop:
20
+ read fixture gaps → order by FK deps → author body → `request POST
21
+ --capture` → fix 4xx + retry. Fills what `prepare-fixtures` reports missing.
22
+ - **`.claude/skills/warm-up-target/SKILL.md`** — warm external-input
23
+ fixtures (issue_id/file_id/integration_id) via the target's own
24
+ SDK/CLI/replay — the honest-2xx ceiling a plain POST can't reach.
25
+
26
+ These skills work off the per-API artifacts written by `zond add api`:
5
27
 
6
- ### Detailed playbooks (skills)
7
-
8
- Detailed task-specific playbooks live in `.claude/skills/` and are auto-discovered by
9
- Claude Code. Other agents (Codex, Cursor, Aider) can read them as plain markdown:
10
-
11
- - `.claude/skills/zond/SKILL.md` — end-to-end API testing: generate from OpenAPI,
12
- run, diagnose failures, hunt bugs via probes, report coverage. Has explicit
13
- entry points so narrow requests (only diagnose, only probe) skip earlier phases.
14
- - `.claude/skills/zond-scenarios/SKILL.md` — author multi-step user-journey tests
15
- and fixture creation via the API (hand-written YAML with captures,
16
- `setup: true`, `always: true`). NOT for spec coverage or bug hunting.
17
-
18
- ### Mandatory rules (always-on)
28
+ ```
29
+ apis/<name>/
30
+ spec.json # dereferenced OpenAPI (machine source only generators read it)
31
+ .api-catalog.yaml # endpoint index (cheap to read, agent-friendly)
32
+ .api-resources.yaml # CRUD chains, FK deps, ETag/soft-delete flags
33
+ .api-fixtures.yaml # MANIFEST: required {{vars}} (read-only, auto-generated)
34
+ .env.yaml # VALUES: variable values (user-edited; auto-gitignored)
35
+ tests/ scenarios/ probes/
36
+ ```
19
37
 
20
- - **NEVER** read OpenAPI/Swagger/JSON spec files with Read/cat — use `zond describe`,
21
- `zond catalog`, or the generated `.api-catalog.yaml`.
22
- - **NEVER** use curl/wget for ad-hoc requestsuse `zond request <method> <url>`.
23
- - **NEVER** write test YAML from scratch start with `zond generate <spec> --output <dir>`,
24
- then edit failing cases.
25
- - **NEVER** hardcode tokens — put them in `apis/<name>/.env.yaml` (already gitignored)
26
- and reference as `{{auth_token}}` in test YAML.
27
- - `--safe` enforces GET-only; never run CRUD tests against production without explicit
28
- user confirmation and a staging environment.
29
- - When `zond db diagnose` reports `recommended_action: report_backend_bug` — STOP, do
30
- not change the test to make it pass.
38
+ `.api-fixtures.yaml` is the **manifest** (single source of truth for the
39
+ list of vars an API needs) and `.env.yaml` holds their **values**. Don't
40
+ add a key to `.env.yaml` that's not in the manifest it'll be warned and
41
+ ignored. A missing entry in the manifest is a generator/manifest bug, not
42
+ an env fix.
31
43
 
32
- ### Workflow — covering an API end-to-end
44
+ ### Setup flow
33
45
 
34
46
  ```bash
35
- # 1. Register the API
36
- zond init --spec <path-or-url> --name <name> [--base-url <url>]
37
- zond use <name> # remember as current
38
-
39
- # 2. Inspect endpoints (avoid reading the raw spec)
40
- zond catalog <spec> --output apis/<name> # writes .api-catalog.yaml
41
- zond describe <spec> --compact
42
-
43
- # 3. Generate test stubs and run smoke (GET-only)
44
- zond generate <spec> --output apis/<name>/tests --tag smoke
45
- zond run --safe --json
46
-
47
- # 4. Diagnose failures
48
- zond db runs --limit 5
49
- zond db diagnose <run-id> --json
50
-
51
- # 5. Coverage gate
52
- zond coverage --fail-on-coverage 50
53
-
54
- # 6. CRUD only with explicit user confirmation + staging env
55
- zond run --tag crud --dry-run # show what would be sent
56
- zond run --tag crud --env staging
47
+ zond init # bootstrap workspace (no fixture changes)
48
+ zond add api <name> --spec <path-or-url> # register API + emit manifest + seed empty .env.yaml
49
+ zond doctor --api <name> --missing-only # gap report: which vars are UNSET
50
+ zond prepare-fixtures --api <name> # gap report: verify + which FK vars need a value
51
+ # fill each gap yourself: `zond fixtures add` / edit .env.yaml (you pick the value)
52
+ zond doctor --api <name> # re-check (exit 0 = ready)
57
53
  ```
58
54
 
59
- ### Filtering by tag
60
-
61
- `--tag <name>` filters suites. If a `setup` suite primes auth tokens, always include
62
- its tag together with the target group: `--tag crud,setup`.
63
-
64
- ### Auth patterns
65
-
66
- For in-memory or test backends that issue tokens via login, use a `setup.yaml` suite
67
- with `setup: true`. Captured variables (e.g. `auth_token`) propagate to subsequent
68
- suites in the same run. Do NOT hardcode bearer tokens for these flows.
69
-
70
- ### Environments
71
-
72
- `zond run --env <name>` loads `.env.<name>.yaml` (or `.env.yaml` by default) from the
73
- API directory. Environment files are auto-gitignored by `zond init`.
55
+ What each step does to `.env.yaml`:
56
+
57
+ | Command | Touches `.env.yaml`? |
58
+ |---|---|
59
+ | `zond init` | no — only writes workspace/skills files |
60
+ | `zond add api` | seeds skeleton with empty placeholders for every required var |
61
+ | `zond doctor` | no — read-only diagnostic |
62
+ | `zond prepare-fixtures` | no reports gaps only; **never harvests a value** (which record/field fills a slot is your call) |
63
+ | `zond prepare-fixtures --refresh` | unsets stale (404) ids so they resurface as gaps (`.bak` backup); does not re-resolve |
64
+ | `zond fixtures add` / `import` | writes the value you supply (`.bak` backup) |
65
+ | `zond refresh-api` | no — only re-snapshots `spec.json` and rebuilds the manifest |
66
+
67
+ `zond refresh-api <name> [--spec <new-source>]` re-snapshots when the upstream
68
+ spec changes.
69
+
70
+ **Re-running `zond init`** is safe and expected after a CLI upgrade: it
71
+ re-emits skills/AGENTS.md/zond.config.yml only. Fixtures stay exactly as
72
+ they were — never relies on init to fill `.env.yaml`.
73
+
74
+ ### Mandatory rules (mirrored from the skills — non-negotiable)
75
+
76
+ - **NEVER read raw OpenAPI/Swagger** with Read/cat/grep — use the artifacts
77
+ in `apis/<name>/.api-*.yaml`. Drop into `spec.json` only when a probe
78
+ generator needs full schemas.
79
+ - **NEVER use curl/wget** — use `zond request <method> <url>` for ad-hoc HTTP.
80
+ - **NEVER write test YAML from scratch for autogen flows** — start with
81
+ `zond generate`, then edit failures. (Hand-written YAML is fine for
82
+ scenarios.)
83
+ - **NEVER hardcode tokens** — `apis/<name>/.env.yaml` (auto-gitignored),
84
+ reference as `{{auth_token}}`.
85
+ - **`recommended_action: report_backend_bug` (5xx) → STOP**, do not edit
86
+ assertions to make the test pass.
@@ -0,0 +1,122 @@
1
+ ---
2
+ name: warm-up-target
3
+ description: |
4
+ Warm up the TARGET API's environment so honest-2xx coverage stops being
5
+ capped by empty state. Picks up where `zond-seed` stops: the fixtures the
6
+ API cannot self-create via a plain POST — a real error `issue_id` (needs an
7
+ actual event), a `file_id` (needs a sourcemap/artifact upload), an
8
+ `integration_id` (needs an OAuth/app install), a `webhook_event_id` (needs a
9
+ replay). YOU decide HOW to warm each one using the target's OWN tooling (its
10
+ SDK, CLI, dashboard, replay/trigger endpoints); then harvest the resulting
11
+ LIVE id into `.env.yaml`. Use when honest-2xx is stuck low (~30%), when
12
+ `zond-seed` / `prepare-fixtures` report roots as un-seedable / external-input,
13
+ or the user asks to "warm up the target", "raise honest-2xx", "seed via the
14
+ SDK", "generate real test data". zond only STORES the id and MEASURES the
15
+ lift — the warm-up judgment is yours. Hand back to `zond` once warm.
16
+ allowed-tools: [Read, Write, Edit, Bash]
17
+ ---
18
+
19
+ # warm-up-target — get the API into a testable state
20
+
21
+ `prepare-fixtures` reports fixture gaps; `zond-seed` fills the ones the API
22
+ self-serves (plain `POST` + capture). Whatever is left — resources that exist
23
+ only after a **real-world event** — is the honest-2xx ceiling. This skill
24
+ breaks that ceiling by warming the target with **its own means**, then storing
25
+ the live ids zond will reuse.
26
+
27
+ This is **not** core zond and **not** a heuristic: zond never learns how to
28
+ warm an API (that judgment has an infinite tail — every provider is different).
29
+ YOU read the provider's docs/SDK and drive it; zond only records the id
30
+ (`fixtures add`) and measures the coverage delta (`coverage`). Keep it that way
31
+ — no warm-up logic goes into zond core (litmus test).
32
+
33
+ ## Iron rules
34
+
35
+ - **You warm, zond stores + measures.** You run the SDK/CLI/dashboard action
36
+ that creates the real resource; you read the returned id; `zond fixtures add`
37
+ writes it. Never ask zond to "figure out" how to warm a resource.
38
+ - **Live + throwaway/sandbox + cleanup.** Warm-ups create real state (events,
39
+ files, installs). Confirm `base_url` is a sandbox/test account first. Track
40
+ what you create; tear it down after (or use a disposable org). If you can't
41
+ guarantee cleanup, ask before creating.
42
+ - **Hand off to `zond-seed` first.** Only warm what `zond-seed` marked
43
+ un-seedable. Don't reinvent plain-POST creation here — that's zond-seed's job.
44
+ - **Ask early, don't reverse-engineer.** Give yourself a hard budget of ~1-2
45
+ attempts to derive a create-recipe from the spec/API. If a blind create 4xx/5xx
46
+ (missing an integer id the API doesn't expose, an opaque body shape), STOP —
47
+ ask the user for an example request (a working `curl`/HAR/body from their UI).
48
+ Extract the ids from it deterministically and replay. Do NOT spelunk 10 endpoints
49
+ guessing how creation works — that's the slow path the user hates.
50
+ - **Delete only by self-captured id.** Tear-down must target the id YOUR create
51
+ returned, never a harvested read-fixture value. Deleting by `{{key}}` when that
52
+ key came from a live resource wipes pre-existing data (see ARV-368). Track
53
+ created ids explicitly; DELETE those and only those.
54
+ - **Report honestly what you can't warm.** Some fixtures need a human (a paid
55
+ plan, a KYC step, a physical device, a manual dashboard toggle). Surface those
56
+ as a short "needs you" list with the exact action — never fake a value (it
57
+ just 422s and lies about coverage).
58
+ - **Measure the lift.** Snapshot honest-2xx before and after so the warm-up's
59
+ value is visible (`zond coverage --api <name> --union session`).
60
+
61
+ ## Inputs — what needs warming
62
+
63
+ | Signal | Command | What it tells you |
64
+ |---|---|---|
65
+ | Un-seedable roots | `zond-seed` handoff / `zond prepare-fixtures --api <name> --json` → `summary.fixtureGaps.unseededRoots[]` | fixtures no plain-POST can create |
66
+ | Empty-list gaps | `prepare-fixtures` items with `status: miss-empty` | resource exists in spec, zero records in the target |
67
+ | What each id is for | `apis/<name>/.api-resources.yaml` (the owning resource + its create/read endpoints) | which real-world action mints this id |
68
+ | Current honest-2xx | `zond coverage --api <name> --union session --json` | the ceiling you're trying to raise |
69
+
70
+ ## Warm-up patterns (pick per resource)
71
+
72
+ The resource's *nature* tells you the warm-up path. Common families:
73
+
74
+ | Fixture shape | Warm-up path (via the target's own tooling) |
75
+ |---|---|
76
+ | Error / issue id (`issue_id`, `event_id`) | Trigger a real event: `sentry-cli send-event`, the app's error-report endpoint, or an SDK `captureException`. Poll the list endpoint until the id appears, capture it. |
77
+ | Uploaded-artifact id (`file_id`, `release`, `sourcemap`) | Upload via the provider CLI/SDK (`sentry-cli releases files upload`, a `POST .../files` multipart). Capture the returned id. |
78
+ | Integration / connection id (`integration_id`, `installation_id`) | Install the app/integration into a **sandbox** org (OAuth flow / provider dashboard "add to test workspace"). Capture the id from the callback or the list endpoint. |
79
+ | Delivered-webhook id (`delivery_id`, `webhook_event_id`) | Register a webhook, trigger the source event, replay/list deliveries, capture the id. |
80
+ | Provisioned-async id (needs a background job to finish) | Kick off the job, poll the status endpoint until ready, capture. |
81
+
82
+ These are *examples*, not a lookup table — read the actual provider's docs for
83
+ the target you're on.
84
+
85
+ ## The loop
86
+
87
+ For each un-seedable root:
88
+
89
+ 1. **Identify the warm-up path.** From `.api-resources.yaml` + the provider
90
+ docs, decide which real-world action mints this id. If it needs a human,
91
+ add it to the "needs you" list and move on.
92
+
93
+ 2. **Warm it via the target's own tooling.** Run the SDK/CLI/curl that creates
94
+ the real resource in the sandbox. Read the id from the response (or poll the
95
+ list endpoint until it shows up — async resources aren't instant).
96
+
97
+ 3. **Store the live id.**
98
+ ```bash
99
+ zond fixtures add --api <name> issue_id=<real-id-you-got> --validate --apply
100
+ ```
101
+ `--validate` GETs the read-by-id endpoint and confirms the id is `live`
102
+ before writing (so a warm-up that half-failed doesn't poison later runs).
103
+
104
+ 4. **Verify the gap closed.** Re-run `zond prepare-fixtures --api <name> --json`
105
+ — the warmed root should drop out of `unseededRoots` / flip off `miss-empty`.
106
+
107
+ 5. **Measure + hand back.** When the worklist is drained (or only "needs you"
108
+ items remain), snapshot honest-2xx again and report the delta, then hand
109
+ back to `zond` for the audit:
110
+ ```bash
111
+ zond coverage --api <name> --union session # after — compare to the before snapshot
112
+ ```
113
+
114
+ ## Output to the user
115
+
116
+ - **Warmed:** table of `fixture → how it was warmed → live id captured`.
117
+ - **Needs you:** fixtures that require a human action, each with the exact step
118
+ (e.g. "enable the Slack integration in the sandbox workspace, then re-run").
119
+ - **Coverage:** honest-2xx before → after, so the lift is measurable.
120
+
121
+ Cleanup: DELETE the resources you created (or note they live in a disposable
122
+ sandbox). Never leave test events/files/installs on a shared account.