@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -0,0 +1,537 @@
1
+ import { join } from "path";
2
+ import { mkdir, writeFile } from "fs/promises";
3
+ import { loadEnvironment, loadEnvFile } from "../../../core/parser/variables.ts";
4
+ import {
5
+ runSecurityProbes,
6
+ formatSecurityDigest,
7
+ emitSecurityRegressionSuites,
8
+ SECURITY_CLASSES,
9
+ type SecurityClass,
10
+ } from "../../../core/probe/security-probe.ts";
11
+ import { loadSpecForProbe, writeProbeSuites } from "../../../core/probe/runner.ts";
12
+ import { printError, printSuccess, printWarning } from "../../output.ts";
13
+ import { jsonOk, jsonError, printJson } from "../../json-envelope.ts";
14
+ import { getSecretRegistry } from "../../../core/secrets/registry.ts";
15
+ import { applySanitizer } from "../../../core/exporter/exporter.ts";
16
+ import { rotateOutputTarget } from "../../../core/workspace/output-rotation.ts";
17
+ import { tallyBySeverity, formatSummaryLine } from "../../../core/probe/verdict-aggregator.ts";
18
+ import { printMutationBanner, countCleanupFailures } from "../../../core/probe/shared.ts";
19
+ import { persistVerdictsAsOrphans } from "../../../core/probe/orphan-tracker.ts";
20
+ import { SecurityProbe } from "../../../core/probe/security-probe-class.ts";
21
+ import { summarizeDryRun } from "../../../core/probe/dry-run-envelope.ts";
22
+ import { compileOperationFilter } from "../../../core/selectors/operation-filter.ts";
23
+ import { loadSeedBodyOverlays } from "./_seed-bodies.ts";
24
+
25
+ interface Buckets {
26
+ high: number;
27
+ medium: number;
28
+ low: number;
29
+ info: number;
30
+ inconclusive: number;
31
+ inconclusiveBaseline: number;
32
+ ok: number;
33
+ skipped: number;
34
+ }
35
+
36
+ const SEC_BUCKETS: ReadonlyArray<readonly [string, keyof Buckets & string]> = [
37
+ ["high", "high"],
38
+ ["medium", "medium"],
39
+ ["low", "low"],
40
+ ["info", "info"],
41
+ ["inconclusive", "inconclusive"],
42
+ ["inconclusive-baseline", "inconclusiveBaseline"],
43
+ ["ok", "ok"],
44
+ ["skipped", "skipped"],
45
+ ];
46
+
47
+ const SEC_SUMMARY: ReadonlyArray<readonly [string, keyof Buckets & string]> = [
48
+ ["HIGH", "high"],
49
+ ["INCONCLUSIVE", "inconclusive"],
50
+ ["INCONCLUSIVE-BASE", "inconclusiveBaseline"],
51
+ ["MED", "medium"],
52
+ ["LOW", "low"],
53
+ ["INFO", "info"],
54
+ ["OK", "ok"],
55
+ ["SKIPPED", "skipped"],
56
+ ];
57
+
58
+ const SEC_ZERO: Buckets = {
59
+ high: 0, medium: 0, low: 0, info: 0, inconclusive: 0, inconclusiveBaseline: 0, ok: 0, skipped: 0,
60
+ };
61
+
62
+ export interface ProbeSecurityOptions {
63
+ specPath: string;
64
+ classes: string;
65
+ env?: string;
66
+ output?: string;
67
+ emitTests?: string;
68
+ tag?: string;
69
+ noCleanup?: boolean;
70
+ timeoutMs?: number;
71
+ dryRun?: boolean;
72
+ json?: boolean;
73
+ listTags?: boolean;
74
+ overwrite?: boolean;
75
+ /** TASK-278: API name for orphan-tracker file path
76
+ * (`~/.zond/orphans/<api>/<run-id>.jsonl`). Defaults to "default" when
77
+ * the probe is invoked without --api. */
78
+ apiName?: string;
79
+ /** TASK-264: refuse to attack PUT/PATCH endpoints whose path-params come
80
+ * from `.env.yaml` (seeded fixtures). Trade coverage for guaranteed
81
+ * fixture safety. */
82
+ isolated?: boolean;
83
+ /** ARV-140: opt-in to POST attacks on endpoints with no DELETE counterpart
84
+ * in the spec. Defaults to off so probes can't leak resources the CLI
85
+ * has no way to clean up afterwards. */
86
+ allowLeaks?: boolean;
87
+ /** m-17 / ARV-51: structured report format for `--output` and the
88
+ * non-`--json` stdout path. `--json` envelope is always structured
89
+ * (no markdown blob) regardless of this flag. Default: "markdown" so
90
+ * human invocations keep the existing behaviour. */
91
+ report?: "markdown" | "json";
92
+ /** m-15 ARV-9 / m-17 ARV-J: unified operation selectors. */
93
+ include?: string[];
94
+ exclude?: string[];
95
+ /** ARV-253: surface INFO-severity findings (CRLF accepted, no
96
+ * reflection — sanitization signal only). Hidden by default since
97
+ * they carry single_signal proof with no exploit pathway. */
98
+ verbose?: boolean;
99
+ /** ARV-302: cap the number of endpoints probed in this run (after
100
+ * --include / --exclude / --tag filters). Used by `zond audit
101
+ * --budget` to keep the security stage inside a wall-clock budget
102
+ * on big specs (Stripe: 587 endpoints) instead of unbounded scanning. */
103
+ maxEndpoints?: number;
104
+ }
105
+
106
+ function parseClasses(input: string): SecurityClass[] | string {
107
+ const parts = input.split(",").map(s => s.trim()).filter(Boolean);
108
+ const out: SecurityClass[] = [];
109
+ for (const p of parts) {
110
+ if (!(SECURITY_CLASSES as readonly string[]).includes(p)) {
111
+ return `Unknown class: ${p}. Available: ${SECURITY_CLASSES.join(", ")}`;
112
+ }
113
+ out.push(p as SecurityClass);
114
+ }
115
+ if (out.length === 0) return `At least one class required (${SECURITY_CLASSES.join(", ")})`;
116
+ return out;
117
+ }
118
+
119
+ export async function probeSecurityCommand(
120
+ options: ProbeSecurityOptions,
121
+ ): Promise<number> {
122
+ try {
123
+ const classes = parseClasses(options.classes);
124
+ if (typeof classes === "string") {
125
+ if (options.json) printJson(jsonError("probe-security", [classes]));
126
+ else printError(classes);
127
+ return 2;
128
+ }
129
+
130
+ const loaded = await loadSpecForProbe({
131
+ specPath: options.specPath,
132
+ tag: options.tag,
133
+ listTags: options.listTags,
134
+ });
135
+
136
+ if (loaded.kind === "tags") {
137
+ if (options.json) printJson(jsonOk("probe-security", { tags: loaded.tags }));
138
+ else if (loaded.tags.length === 0) console.log("No tags found in spec.");
139
+ else {
140
+ console.log("Available tags:");
141
+ for (const t of loaded.tags) console.log(` - ${t}`);
142
+ }
143
+ return 0;
144
+ }
145
+ if (loaded.kind === "tag-not-found") {
146
+ const msg = `No endpoints tagged "${loaded.tag}". Available tags: ${loaded.available.length ? loaded.available.join(", ") : "(none)"}`;
147
+ if (options.json) printJson(jsonError("probe-security", [msg]));
148
+ else printWarning(msg);
149
+ return 2;
150
+ }
151
+ const { endpoints: rawEndpoints, securitySchemes } = loaded;
152
+
153
+ // m-17 / ARV-J: unified --include/--exclude (m-15 ARV-9). Closes
154
+ // ARV-9 AC#3 for probe-family.
155
+ let endpoints = rawEndpoints;
156
+ if (options.include?.length || options.exclude?.length) {
157
+ const compiled = compileOperationFilter({ includes: options.include, excludes: options.exclude });
158
+ if (compiled.errors.length > 0) {
159
+ const message = compiled.errors.join("\n");
160
+ if (options.json) printJson(jsonError("probe-security", [message]));
161
+ else printError(message);
162
+ return 2;
163
+ }
164
+ endpoints = endpoints.filter(compiled.filter);
165
+ }
166
+ // ARV-302: --max-endpoints cap — see probe/mass-assignment.ts for the
167
+ // rationale. Applied after user-visible filters; a warning fires so
168
+ // partial output is obvious.
169
+ let cappedEndpoints = false;
170
+ if (typeof options.maxEndpoints === "number" && options.maxEndpoints > 0
171
+ && endpoints.length > options.maxEndpoints) {
172
+ const total = endpoints.length;
173
+ endpoints = endpoints.slice(0, options.maxEndpoints);
174
+ cappedEndpoints = true;
175
+ if (!options.json) {
176
+ process.stderr.write(
177
+ `zond: probe security capped at ${options.maxEndpoints}/${total} endpoints (--max-endpoints) — pass --max-endpoints <N> or --budget full to widen.\n`,
178
+ );
179
+ }
180
+ }
181
+
182
+ let vars: Record<string, string> = {};
183
+ if (options.env) {
184
+ const fromFile = await loadEnvFile(options.env);
185
+ if (!fromFile) {
186
+ const msg = `Environment file not found: ${options.env}`;
187
+ if (options.json) printJson(jsonError("probe-security", [msg]));
188
+ else printError(msg);
189
+ return 2;
190
+ }
191
+ vars = fromFile;
192
+ } else {
193
+ vars = await loadEnvironment();
194
+ }
195
+
196
+ if (!options.dryRun && !vars["base_url"]) {
197
+ const msg = "base_url is required (set in .env.yaml or via --env file). Probing requires a live API.";
198
+ if (options.json) printJson(jsonError("probe-security", [msg]));
199
+ else printError(msg);
200
+ return 2;
201
+ }
202
+
203
+ // m-17 / ARV-50: dry-run answers "what would I attack" — severity is
204
+ // undefined here, so we use a separate `data.endpoints[]` shape with
205
+ // explicit `planned: boolean` and `skip_reason` enum. The previous
206
+ // conflation (severity.skipped == 32, which silently included 14
207
+ // planned attacks) is what made `severity.skipped == totalEndpoints`
208
+ // a misleading CI gate (F1-15).
209
+ if (options.dryRun) {
210
+ const probe = new SecurityProbe();
211
+ const plan = await probe.dryRun({
212
+ specPath: options.specPath,
213
+ endpoints,
214
+ securitySchemes,
215
+ vars,
216
+ classes,
217
+ options: { isolated: options.isolated === true },
218
+ });
219
+ const data = summarizeDryRun(plan);
220
+ const { formatDryRunDigest } = await import("../../../core/probe/dry-run-envelope.ts");
221
+ // ARV-317: persist the planned inventory when --output is given (parity
222
+ // with probe mass-assignment). --emit-tests is skipped on dry-run —
223
+ // there are no findings to turn into regression suites.
224
+ // ARV-321: say so explicitly — see mass-assignment.ts for the friction
225
+ // that prompted this.
226
+ if (options.emitTests) {
227
+ printWarning(`--emit-tests skipped: safe/dry-run mode has no live verdicts to lock in as regression suites. Re-run with --live to emit ${options.emitTests}.`);
228
+ }
229
+ if (options.output) {
230
+ const payload = options.report === "json"
231
+ ? JSON.stringify(data, null, 2)
232
+ : formatDryRunDigest(plan);
233
+ await mkdir(join(options.output, "..").replace(/\/\.$/, ""), { recursive: true }).catch(() => {});
234
+ rotateOutputTarget(options.output, { overwrite: options.overwrite });
235
+ await writeFile(options.output, payload + "\n", "utf-8");
236
+ }
237
+ if (options.json) {
238
+ printJson(jsonOk("probe-security", data));
239
+ } else {
240
+ console.log(formatDryRunDigest(plan));
241
+ }
242
+ return 0;
243
+ }
244
+
245
+ // TASK-259: live security probes mutate via PUT/PATCH/POST + cleanup
246
+ // DELETE. Skip the banner in --dry-run (no live calls) and --json (warnings
247
+ // travel in the envelope instead).
248
+ printMutationBanner("probe-security", vars, { quiet: options.json === true });
249
+
250
+ // ARV-265: capture every HTTP request the probe sends so audit-coverage
251
+ // sees the touches. Dry-run never reaches this branch (early return
252
+ // above), so AC#5 holds — only live probes pollute the run table.
253
+ const { withHttpAudit, beginAuditRun, finalizeAuditRun, auditRecordToCase, checksPersistEnabled } =
254
+ await import("../../../core/audit/persist.ts");
255
+ const auditEnabled = checksPersistEnabled();
256
+ // ARV-269: same overlay-lift as probe-mass-assignment.
257
+ const seedBodies = await loadSeedBodyOverlays(options.apiName);
258
+ const { value: result, records: auditRecords } = await withHttpAudit(async () =>
259
+ runSecurityProbes({
260
+ endpoints,
261
+ securitySchemes,
262
+ vars,
263
+ classes,
264
+ noCleanup: options.noCleanup,
265
+ timeoutMs: options.timeoutMs,
266
+ dryRun: options.dryRun,
267
+ isolated: options.isolated === true,
268
+ allowLeaks: options.allowLeaks === true,
269
+ seedBodies,
270
+ }),
271
+ );
272
+
273
+ if (auditEnabled && auditRecords.length > 0) {
274
+ try {
275
+ const { getDb } = await import("../../../db/schema.ts");
276
+ const { findCollectionByNameOrId } = await import("../../../db/queries.ts");
277
+ const { readCurrentSession } = await import("../../../core/context/session.ts");
278
+ getDb();
279
+ const collectionId = options.apiName ? findCollectionByNameOrId(options.apiName)?.id : undefined;
280
+ const session = readCurrentSession();
281
+ const runId = beginAuditRun({
282
+ runKind: "probe",
283
+ ...(collectionId != null ? { collectionId } : {}),
284
+ ...(session?.id ? { sessionId: session.id } : {}),
285
+ tags: ["probe", "security", ...classes],
286
+ });
287
+ const suiteFile = `apis/${options.apiName ?? "_"}/probes/security.yaml`;
288
+ finalizeAuditRun(runId, auditRecords.map((rec) =>
289
+ auditRecordToCase(rec, {
290
+ suiteName: "probe/security",
291
+ suiteFile,
292
+ testName: `security::${rec.request.method.toUpperCase()} ${rec.request.url}`,
293
+ }),
294
+ ));
295
+ } catch (err) {
296
+ process.stderr.write(`zond: audit persistence failed (${(err as Error).message}).\n`);
297
+ }
298
+ }
299
+
300
+ // ARV-253: filter verdicts for display under the evidence-chain
301
+ // principle. INFO-severity findings (CRLF accepted, no reflection
302
+ // — sanitization signal only) are hidden by default; surfaced under
303
+ // --verbose for hygiene auditors. JSON envelope keeps the unfiltered
304
+ // list so agents can opt in explicitly.
305
+ const displayResult = options.verbose === true
306
+ ? result
307
+ : { ...result, verdicts: result.verdicts.map((v) => ({
308
+ ...v,
309
+ findings: v.findings.filter((f) => f.severity !== "info"),
310
+ })) };
311
+
312
+ // TASK-168 (m-10): register env vars + redact the digest before
313
+ // either writing to disk or echoing to stdout.
314
+ getSecretRegistry().registerAll(vars);
315
+ const md = applySanitizer(formatSecurityDigest(displayResult, options.specPath));
316
+
317
+ // m-17 / ARV-51: --output writes whichever format `--report` selected
318
+ // (default markdown). `--json` envelope is always structured —
319
+ // never carries `data.digest.stdout` (F3-15).
320
+ const reportFmt: "markdown" | "json" = options.report ?? "markdown";
321
+ const structuredEndpoints = buildStructuredEndpoints(result);
322
+ if (options.output) {
323
+ await mkdir(join(options.output, "..").replace(/\/\.$/, ""), { recursive: true }).catch(() => {});
324
+ rotateOutputTarget(options.output, { overwrite: options.overwrite });
325
+ const payload = reportFmt === "json"
326
+ ? JSON.stringify(structuredReport(result, structuredEndpoints), null, 2) + "\n"
327
+ : md;
328
+ await writeFile(options.output, payload, "utf-8");
329
+ }
330
+
331
+ let emittedSuites: Array<{ file: string; suite: string; tests: number }> = [];
332
+ if (options.emitTests && !options.dryRun) {
333
+ const suites = emitSecurityRegressionSuites(result, endpoints, securitySchemes);
334
+ const written = await writeProbeSuites({
335
+ output: options.emitTests,
336
+ suites,
337
+ command: "zond probe-security --emit-tests",
338
+ headerExample: `zond probe-security --api <name> --emit-tests ${options.emitTests}`,
339
+ });
340
+ emittedSuites = written.files;
341
+ }
342
+
343
+ const counts = tallyBySeverity(result.verdicts, SEC_BUCKETS, SEC_ZERO);
344
+ // TASK-259: shared cleanup-failure counter (404 treated as success — the
345
+ // resource is already gone, which is the cleanup goal). Replaces the
346
+ // previous local filter that flagged any `cleanup.error` regardless of
347
+ // the underlying status.
348
+ const orphans = countCleanupFailures(result.verdicts);
349
+
350
+ // TASK-278: persist created-resource records to ~/.zond/orphans/<api>/<run-id>.jsonl
351
+ // even when cleanup succeeded — successful entries become tombstones that
352
+ // suppress the leak; failed ones are picked up by `zond cleanup --orphans`.
353
+ const orphanRunId = `${Date.now()}`;
354
+ const orphanApi = options.apiName ?? "default";
355
+ if (!options.dryRun) {
356
+ try {
357
+ await persistVerdictsAsOrphans(orphanApi, orphanRunId, result.verdicts);
358
+ } catch (err) {
359
+ // Non-fatal — orphan tracking is a hygiene aid, not a probe blocker.
360
+ if (!options.json) {
361
+ process.stderr.write(`zond: failed to persist orphan tracker: ${(err as Error).message}\n`);
362
+ }
363
+ }
364
+ }
365
+ const orphanList = result.verdicts
366
+ .filter(v => {
367
+ const c = v.cleanup;
368
+ if (!c?.attempted || c.id === undefined) return false;
369
+ if (c.error) return true;
370
+ return c.status != null && c.status >= 400 && c.status !== 404;
371
+ })
372
+ .map(v => ({
373
+ method: v.method.toUpperCase(),
374
+ path: v.path,
375
+ id: String(v.cleanup!.id),
376
+ deletePath: v.cleanup!.deletePath ?? "",
377
+ lastStatus: v.cleanup!.status ?? null,
378
+ error: v.cleanup!.error ?? null,
379
+ }));
380
+
381
+ if (options.json) {
382
+ // m-17 / ARV-51: structured envelope. `data.digest.stdout` is gone
383
+ // (F3-15) — markdown lives in `--output <file>` or `--report markdown`
384
+ // on the non-json path. Severity becomes summary.by_status.
385
+ printJson(
386
+ jsonOk("probe-security", {
387
+ endpoints: structuredEndpoints,
388
+ summary: {
389
+ totalEndpoints: result.totalEndpoints,
390
+ probed: result.specProbed,
391
+ by_status: byStatus(structuredEndpoints),
392
+ // ARV-140: pre-flight cleanup-feasibility counts. Lets CI gate on
393
+ // "no leak-prone POSTs slipped in" independently of HIGH findings.
394
+ ...(result.cleanupFeasibility ? {
395
+ cleanup_feasibility: {
396
+ skipped_no_cleanup: result.cleanupFeasibility.skippedNoCleanup,
397
+ forced_no_cleanup: result.cleanupFeasibility.forcedNoCleanup,
398
+ // ARV-153: action POSTs attacked even without a DELETE
399
+ // counterpart (e.g. /capture, /verify, /cancel).
400
+ action_no_cleanup_needed: result.cleanupFeasibility.actionNoCleanupNeeded,
401
+ },
402
+ } : {}),
403
+ },
404
+ orphans,
405
+ emittedTests: emittedSuites,
406
+ // ARV-302: surface the partial-run warning so JSON consumers
407
+ // see that --max-endpoints trimmed the set (otherwise the cap
408
+ // is invisible in machine-readable output).
409
+ ...(cappedEndpoints ? {
410
+ warnings: [
411
+ `--max-endpoints capped this run at ${options.maxEndpoints}; pass --max-endpoints <N> or --budget full to widen.`,
412
+ ],
413
+ } : {}),
414
+ }),
415
+ );
416
+ } else {
417
+ if (!options.output) {
418
+ if (reportFmt === "json") {
419
+ process.stdout.write(JSON.stringify(structuredReport(result, structuredEndpoints), null, 2) + "\n");
420
+ } else {
421
+ console.log(md);
422
+ }
423
+ } else printSuccess(`${reportFmt === "json" ? "Structured report" : "Digest"} written to ${options.output}`);
424
+ console.log("");
425
+ console.log(formatSummaryLine(counts, SEC_SUMMARY));
426
+ if (emittedSuites.length > 0) {
427
+ printSuccess(`Emitted ${emittedSuites.length} regression suite(s) in ${options.emitTests}`);
428
+ // TASK-154 §M: print one ready-to-paste command that re-runs the
429
+ // emitted suites against the same API. Keeps the CI handoff short
430
+ // (issue body / runbook entry: copy this line, not three).
431
+ const envFlag = options.apiName ? ` --env apis/${options.apiName}/.env.yaml` : "";
432
+ console.log(`Run regression suite on CI: zond run ${options.emitTests}${envFlag}`);
433
+ } else if (options.emitTests && !options.dryRun) {
434
+ console.log(`No 2xx findings to emit. Directory ${options.emitTests} not created.`);
435
+ }
436
+ if (counts.high > 0) {
437
+ printWarning(`${counts.high} HIGH-severity finding(s) — review the digest before deploy.`);
438
+ }
439
+ if (orphans > 0) {
440
+ printWarning(
441
+ `${orphans} orphan resource(s): cleanup DELETE failed (non-404). Manual remediation may be needed.`,
442
+ );
443
+ // TASK-278: list each orphan with id + deletePath so the operator can
444
+ // see what's leaked without grep'ing the digest.
445
+ if (orphanList.length > 0) {
446
+ for (const o of orphanList) {
447
+ const tail = o.lastStatus != null ? `→ ${o.lastStatus}` : (o.error ? `→ err: ${o.error.split(" | ")[0]}` : "");
448
+ process.stderr.write(` ${o.method} ${o.path} (id=${o.id}); DELETE ${o.deletePath} ${tail}\n`);
449
+ }
450
+ process.stderr.write(`Run \`zond cleanup --orphans --api ${orphanApi}\` to retry.\n`);
451
+ }
452
+ }
453
+ const cleanedCount = result.verdicts.filter(v => v.cleanup?.attempted && v.cleanup.status != null && v.cleanup.status < 400).length;
454
+ if (cleanedCount > 0) {
455
+ printWarning(
456
+ `${cleanedCount} resource(s) created and deleted by probes. FK fixtures in .env.yaml may be stale — re-run \`zond prepare-fixtures --api <name>\` before next CRUD run.`,
457
+ );
458
+ }
459
+ }
460
+
461
+ // Exit non-zero on HIGH (CI gate) or cleanup failures (data
462
+ // integrity). Cleanup failure means probe-security mutated state
463
+ // it couldn't restore — the operator needs to act.
464
+ return counts.high > 0 || orphans > 0 ? 1 : 0;
465
+ } catch (err) {
466
+ const message = err instanceof Error ? err.message : String(err);
467
+ if (options.json) printJson(jsonError("probe-security", [message]));
468
+ else printError(message);
469
+ return 2;
470
+ }
471
+ }
472
+
473
+ // m-17 / ARV-51: structured per-endpoint shape used by both the `--json`
474
+ // envelope and the non-json `--report json` path. Mirrors the Probe
475
+ // contract result (src/core/probe/types.ts), but built from the legacy
476
+ // SecurityVerdict[] so the live runner keeps emitting its richer
477
+ // internal structure.
478
+
479
+ import type { SecurityProbeResult, SecurityVerdict } from "../../../core/probe/security-probe.ts";
480
+ import type { ProbeEndpointResult, ProbeEndpointStatus, ProbeFindingSeverity } from "../../../core/probe/types.ts";
481
+
482
+ function statusFromSeverity(s: SecurityVerdict["severity"]): ProbeEndpointStatus {
483
+ if (s === "high") return "high";
484
+ if (s === "low") return "low";
485
+ if (s === "ok") return "ok";
486
+ if (s === "skipped") return "skipped";
487
+ return "inconclusive";
488
+ }
489
+
490
+ function findingSeverity(s: string): ProbeFindingSeverity {
491
+ if (s === "high") return "high";
492
+ if (s === "low") return "low";
493
+ if (s === "ok") return "ok";
494
+ return "inconclusive";
495
+ }
496
+
497
+ function buildStructuredEndpoints(result: SecurityProbeResult): ProbeEndpointResult[] {
498
+ return result.verdicts.map((v) => ({
499
+ path: v.path,
500
+ method: v.method,
501
+ classes_run: Array.from(new Set(v.detectedFields.map((d) => d.class))),
502
+ findings: v.findings.map((f) => ({
503
+ class: f.class,
504
+ severity: findingSeverity(f.severity),
505
+ evidence: {
506
+ field: f.field,
507
+ payload: f.payload,
508
+ status: f.status,
509
+ echoed: f.echoed,
510
+ reason: f.reason,
511
+ ...(f.recommended_action ? { recommended_action: f.recommended_action } : {}),
512
+ },
513
+ })),
514
+ status: statusFromSeverity(v.severity),
515
+ ...(v.skipReason ? { skip_reason: v.skipReason } : {}),
516
+ }));
517
+ }
518
+
519
+ function byStatus(endpoints: ProbeEndpointResult[]): Record<ProbeEndpointStatus, number> {
520
+ const out: Record<ProbeEndpointStatus, number> = {
521
+ ok: 0, high: 0, low: 0, inconclusive: 0, skipped: 0,
522
+ };
523
+ for (const e of endpoints) out[e.status]++;
524
+ return out;
525
+ }
526
+
527
+ function structuredReport(result: SecurityProbeResult, endpoints: ProbeEndpointResult[]): object {
528
+ return {
529
+ endpoints,
530
+ summary: {
531
+ totalEndpoints: result.totalEndpoints,
532
+ probed: result.specProbed,
533
+ by_status: byStatus(endpoints),
534
+ },
535
+ };
536
+ }
537
+