@kirrosh/zond 0.22.0 → 0.26.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +811 -0
- package/README.md +59 -6
- package/package.json +9 -7
- package/src/CLAUDE.md +112 -0
- package/src/cli/argv.ts +122 -0
- package/src/cli/commands/add-api.ts +146 -0
- package/src/cli/commands/api/annotate/idempotency.ts +59 -0
- package/src/cli/commands/api/annotate/index.ts +880 -0
- package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
- package/src/cli/commands/api/annotate/overlay.ts +206 -0
- package/src/cli/commands/api/annotate/pagination.ts +64 -0
- package/src/cli/commands/api/annotate/prompts.ts +220 -0
- package/src/cli/commands/api/annotate/readback.ts +58 -0
- package/src/cli/commands/api/annotate/resources.ts +91 -0
- package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
- package/src/cli/commands/audit.ts +786 -0
- package/src/cli/commands/catalog.ts +35 -0
- package/src/cli/commands/check.ts +361 -0
- package/src/cli/commands/checks.ts +1072 -0
- package/src/cli/commands/ci-init.ts +43 -0
- package/src/cli/commands/clean.ts +212 -0
- package/src/cli/commands/cleanup.ts +236 -0
- package/src/cli/commands/completions.ts +16 -0
- package/src/cli/commands/coverage.ts +823 -132
- package/src/cli/commands/db.ts +486 -12
- package/src/cli/commands/describe.ts +37 -2
- package/src/cli/commands/discover.ts +1356 -0
- package/src/cli/commands/doctor.ts +661 -0
- package/src/cli/commands/fixtures.ts +402 -0
- package/src/cli/commands/generate.ts +438 -47
- package/src/cli/commands/init/bootstrap.ts +34 -2
- package/src/cli/commands/{init.ts → init/index.ts} +99 -5
- package/src/cli/commands/init/skills.ts +99 -3
- package/src/cli/commands/init/templates/agents.md +77 -64
- package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
- package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
- package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
- package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
- package/src/cli/commands/init/templates/skills/zond.md +802 -125
- package/src/cli/commands/init/templates/zond-config.yml +8 -9
- package/src/cli/commands/prepare-fixtures.ts +97 -0
- package/src/cli/commands/probe/_seed-bodies.ts +52 -0
- package/src/cli/commands/probe/mass-assignment.ts +594 -0
- package/src/cli/commands/probe/security.ts +537 -0
- package/src/cli/commands/probe/static.ts +255 -0
- package/src/cli/commands/probe/webhooks.ts +163 -0
- package/src/cli/commands/probe.ts +535 -0
- package/src/cli/commands/reference.ts +87 -0
- package/src/cli/commands/refresh-api.ts +227 -0
- package/src/cli/commands/remove-api.ts +150 -0
- package/src/cli/commands/report-bundle.ts +310 -0
- package/src/cli/commands/report.ts +241 -0
- package/src/cli/commands/request.ts +495 -4
- package/src/cli/commands/run.ts +870 -53
- package/src/cli/commands/schema-from-runs.ts +128 -0
- package/src/cli/commands/secrets.ts +133 -0
- package/src/cli/commands/session.ts +244 -0
- package/src/cli/commands/use.ts +18 -1
- package/src/cli/index.ts +20 -3
- package/src/cli/json-envelope.ts +92 -3
- package/src/cli/json-schemas.ts +314 -0
- package/src/cli/output.ts +17 -1
- package/src/cli/program.ts +199 -635
- package/src/cli/resolve.ts +105 -0
- package/src/cli/safe-live.ts +24 -0
- package/src/cli/status-filter.ts +114 -0
- package/src/cli/util/api-context.ts +85 -0
- package/src/cli/version.ts +5 -0
- package/src/core/audit/persist.ts +183 -0
- package/src/core/checks/budget.ts +59 -0
- package/src/core/checks/checks/_crud-helpers.ts +133 -0
- package/src/core/checks/checks/_negative_mutator.ts +133 -0
- package/src/core/checks/checks/_readback-helpers.ts +133 -0
- package/src/core/checks/checks/content_type_conformance.ts +39 -0
- package/src/core/checks/checks/cross_call_references.ts +147 -0
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
- package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
- package/src/core/checks/checks/idempotency_replay.ts +242 -0
- package/src/core/checks/checks/ignored_auth.ts +254 -0
- package/src/core/checks/checks/index.ts +68 -0
- package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
- package/src/core/checks/checks/missing_required_header.ts +40 -0
- package/src/core/checks/checks/negative_data_rejection.ts +148 -0
- package/src/core/checks/checks/not_a_server_error.ts +35 -0
- package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
- package/src/core/checks/checks/pagination_invariants.ts +419 -0
- package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
- package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
- package/src/core/checks/checks/response_headers_conformance.ts +74 -0
- package/src/core/checks/checks/response_schema_conformance.ts +30 -0
- package/src/core/checks/checks/status_code_conformance.ts +132 -0
- package/src/core/checks/checks/unsupported_method.ts +63 -0
- package/src/core/checks/checks/use_after_free.ts +78 -0
- package/src/core/checks/index.ts +30 -0
- package/src/core/checks/mode.ts +82 -0
- package/src/core/checks/recommended-action.ts +68 -0
- package/src/core/checks/registry.ts +78 -0
- package/src/core/checks/runner.ts +1461 -0
- package/src/core/checks/sarif.ts +230 -0
- package/src/core/checks/spec-findings.ts +308 -0
- package/src/core/checks/stateful.ts +121 -0
- package/src/core/checks/types.ts +305 -0
- package/src/core/checks/zond-extensions.ts +73 -0
- package/src/core/classifier/recommended-action.ts +251 -0
- package/src/core/context/current.ts +22 -6
- package/src/core/context/session.ts +78 -0
- package/src/core/coverage/loader.ts +216 -0
- package/src/core/coverage/reasons.ts +300 -0
- package/src/core/diagnostics/db-analysis.ts +293 -59
- package/src/core/diagnostics/failure-class.ts +140 -0
- package/src/core/diagnostics/failure-hints.ts +88 -89
- package/src/core/diagnostics/spec-pointer.ts +99 -0
- package/src/core/diagnostics/suggested-fixes.ts +155 -0
- package/src/core/exporter/case-study/index.ts +270 -0
- package/src/core/exporter/curl.ts +40 -0
- package/src/core/exporter/exporter.ts +48 -0
- package/src/core/exporter/html-report/escape.ts +24 -0
- package/src/core/exporter/html-report/index.ts +479 -0
- package/src/core/exporter/html-report/script.ts +100 -0
- package/src/core/exporter/html-report/styles.ts +408 -0
- package/src/core/generator/chunker.ts +38 -19
- package/src/core/generator/coverage-phase.ts +0 -0
- package/src/core/generator/data-factory.ts +586 -22
- package/src/core/generator/describe.ts +1 -1
- package/src/core/generator/fixtures-builder.ts +332 -0
- package/src/core/generator/index.ts +5 -5
- package/src/core/generator/openapi-reader.ts +135 -7
- package/src/core/generator/path-param-disambig.ts +140 -0
- package/src/core/generator/resources-builder.ts +898 -0
- package/src/core/generator/schema-utils.ts +33 -3
- package/src/core/generator/serializer.ts +103 -13
- package/src/core/generator/suite-generator.ts +583 -122
- package/src/core/generator/types.ts +14 -0
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/lint/affects.ts +28 -0
- package/src/core/lint/config.ts +96 -0
- package/src/core/lint/format.ts +42 -0
- package/src/core/lint/index.ts +94 -0
- package/src/core/lint/reporter.ts +128 -0
- package/src/core/lint/rules/consistency.ts +158 -0
- package/src/core/lint/rules/heuristics.ts +97 -0
- package/src/core/lint/rules/strictness.ts +109 -0
- package/src/core/lint/types.ts +96 -0
- package/src/core/lint/walker.ts +248 -0
- package/src/core/meta/meta-store.ts +6 -73
- package/src/core/output/README.md +73 -0
- package/src/core/output/index.ts +13 -0
- package/src/core/output/run.ts +91 -0
- package/src/core/output/types.ts +122 -0
- package/src/core/parser/dynamic-values.ts +160 -0
- package/src/core/parser/env-interpolation.ts +104 -0
- package/src/core/parser/filter.ts +57 -0
- package/src/core/parser/schema.ts +129 -4
- package/src/core/parser/types.ts +19 -1
- package/src/core/parser/variables.ts +0 -0
- package/src/core/parser/yaml-parser.ts +58 -12
- package/src/core/probe/bootstrap.ts +34 -0
- package/src/core/probe/dry-run-envelope.ts +61 -0
- package/src/core/probe/mass-assignment/classify.ts +175 -0
- package/src/core/probe/mass-assignment/cleanup.ts +52 -0
- package/src/core/probe/mass-assignment/digest.ts +114 -0
- package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
- package/src/core/probe/mass-assignment/regression.ts +141 -0
- package/src/core/probe/mass-assignment/suspects.ts +92 -0
- package/src/core/probe/mass-assignment/types.ts +135 -0
- package/src/core/probe/mass-assignment-probe-class.ts +198 -0
- package/src/core/probe/mass-assignment-probe.ts +27 -0
- package/src/core/probe/mass-assignment-template.ts +240 -0
- package/src/core/probe/method-probe.ts +43 -76
- package/src/core/probe/method-shared.ts +69 -0
- package/src/core/probe/negative-probe.ts +183 -149
- package/src/core/probe/orphan-tracker.ts +188 -0
- package/src/core/probe/path-discovery.ts +439 -0
- package/src/core/probe/probe-harness.ts +119 -0
- package/src/core/probe/registry.ts +89 -0
- package/src/core/probe/runner.ts +136 -0
- package/src/core/probe/security/baseline.ts +174 -0
- package/src/core/probe/security/classify.ts +341 -0
- package/src/core/probe/security/cleanup.ts +125 -0
- package/src/core/probe/security/detectors.ts +71 -0
- package/src/core/probe/security/digest.ts +104 -0
- package/src/core/probe/security/orchestrator.ts +398 -0
- package/src/core/probe/security/regression.ts +103 -0
- package/src/core/probe/security/types.ts +151 -0
- package/src/core/probe/security-probe-class.ts +207 -0
- package/src/core/probe/security-probe.ts +32 -0
- package/src/core/probe/shared.ts +531 -0
- package/src/core/probe/static-probe-class.ts +125 -0
- package/src/core/probe/types.ts +165 -0
- package/src/core/probe/verdict-aggregator.ts +33 -0
- package/src/core/probe/webhooks-probe.ts +282 -0
- package/src/core/reporter/console.ts +41 -2
- package/src/core/reporter/index.ts +2 -3
- package/src/core/reporter/json.ts +11 -1
- package/src/core/reporter/junit.ts +27 -12
- package/src/core/reporter/ndjson.ts +37 -0
- package/src/core/reporter/types.ts +3 -0
- package/src/core/runner/assertions.ts +59 -2
- package/src/core/runner/async-pool.ts +108 -0
- package/src/core/runner/auth-path.ts +8 -0
- package/src/core/runner/ci-context.ts +72 -0
- package/src/core/runner/executor.ts +265 -36
- package/src/core/runner/form-encode.ts +41 -0
- package/src/core/runner/http-client.ts +112 -2
- package/src/core/runner/learn-drift.ts +293 -0
- package/src/core/runner/preflight-vars.ts +153 -0
- package/src/core/runner/progress-tracker.ts +73 -0
- package/src/core/runner/rate-limiter.ts +87 -33
- package/src/core/runner/run-kind.ts +45 -0
- package/src/core/runner/schema-validator.ts +308 -0
- package/src/core/runner/send-request.ts +158 -20
- package/src/core/runner/types.ts +44 -0
- package/src/core/secrets/registry.ts +164 -0
- package/src/core/secrets/secrets-file.ts +115 -0
- package/src/core/selectors/operation-filter.ts +144 -0
- package/src/core/setup-api.ts +457 -20
- package/src/core/severity/category.ts +94 -0
- package/src/core/severity/index.ts +58 -0
- package/src/core/spec/infer-schema.ts +102 -0
- package/src/core/spec/layers.ts +154 -0
- package/src/core/spec/merge-specs.ts +156 -0
- package/src/core/spec/schema-from-runs.ts +117 -0
- package/src/core/spec/schema-overlay.ts +130 -0
- package/src/core/util/ajv.ts +13 -0
- package/src/core/util/format-eta.ts +21 -0
- package/src/core/util/headers.ts +9 -0
- package/src/core/util/url.ts +24 -0
- package/src/core/utils.ts +5 -1
- package/src/core/workspace/config.ts +129 -0
- package/src/core/workspace/fixture-gap-report.ts +84 -0
- package/src/core/workspace/fixture-gaps.ts +71 -0
- package/src/core/workspace/manifest.ts +283 -0
- package/src/core/workspace/output-rotation.ts +62 -0
- package/src/core/workspace/root.ts +13 -11
- package/src/core/workspace/triage-path.ts +87 -0
- package/src/db/lint-runs.ts +47 -0
- package/src/db/migrate.ts +128 -0
- package/src/db/migrations/0001_run_kind.sql +25 -0
- package/src/db/migrations/0002_run_kind_request.sql +59 -0
- package/src/db/migrations/sql.d.ts +4 -0
- package/src/db/queries/collections.ts +133 -0
- package/src/db/queries/coverage.ts +9 -0
- package/src/db/queries/dashboard.ts +59 -0
- package/src/db/queries/results.ts +216 -0
- package/src/db/queries/runs.ts +289 -0
- package/src/db/queries/sessions.ts +42 -0
- package/src/db/queries/settings.ts +28 -0
- package/src/db/queries/types.ts +172 -0
- package/src/db/queries.ts +75 -802
- package/src/db/schema.ts +178 -50
- package/src/cli/commands/export.ts +0 -144
- package/src/cli/commands/guide.ts +0 -127
- package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
- package/src/cli/commands/probe-methods.ts +0 -108
- package/src/cli/commands/probe-validation.ts +0 -124
- package/src/cli/commands/serve.ts +0 -114
- package/src/cli/commands/sync.ts +0 -268
- package/src/cli/commands/update.ts +0 -189
- package/src/cli/commands/validate.ts +0 -34
- package/src/core/diagnostics/render-md.ts +0 -112
- package/src/core/exporter/postman.ts +0 -963
- package/src/core/generator/guide-builder.ts +0 -253
- package/src/core/meta/types.ts +0 -19
- package/src/core/parser/index.ts +0 -21
- package/src/core/runner/execute-run.ts +0 -132
- package/src/core/runner/index.ts +0 -12
- package/src/core/sync/spec-differ.ts +0 -38
- package/src/web/data/collection-state.ts +0 -362
- package/src/web/routes/api.ts +0 -314
- package/src/web/routes/dashboard.ts +0 -350
- package/src/web/routes/runs.ts +0 -64
- package/src/web/schemas.ts +0 -121
- package/src/web/server.ts +0 -134
- package/src/web/static/htmx.min.cjs +0 -1
- package/src/web/static/style.css +0 -1148
- package/src/web/views/endpoints-tab.ts +0 -174
- package/src/web/views/explorer-tab.ts +0 -402
- package/src/web/views/health-strip.ts +0 -92
- package/src/web/views/layout.ts +0 -48
- package/src/web/views/results.ts +0 -210
- package/src/web/views/runs-tab.ts +0 -126
- package/src/web/views/suites-tab.ts +0 -181
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared id-extraction helpers for stateful CRUD checks (m-15 ARV-3).
|
|
3
|
+
* Kept under `_` prefix so it doesn't get auto-registered.
|
|
4
|
+
*/
|
|
5
|
+
import { encodeFormBody } from "../../runner/form-encode.ts";
|
|
6
|
+
import { substituteDeep } from "../../parser/variables.ts";
|
|
7
|
+
import { generateFromSchema } from "../../generator/data-factory.ts";
|
|
8
|
+
import type { EndpointInfo } from "../../generator/types.ts";
|
|
9
|
+
import type { SeedBodyConfig } from "../../generator/resources-builder.ts";
|
|
10
|
+
|
|
11
|
+
/**
|
|
12
|
+
* ARV-187: pick the create body for a stateful CRUD step. Prefers an
|
|
13
|
+
* LLM-authored `seed_body` block (from `.api-resources.local.yaml`)
|
|
14
|
+
* because random scalars from `generateFromSchema` consistently get
|
|
15
|
+
* rejected by strict-validating APIs (Stripe's `expand[]`, Stripe
|
|
16
|
+
* required-field XORs, FK-bearing creates). When no seed_body is set,
|
|
17
|
+
* falls back to generation — preserves the pre-ARV-187 behaviour for
|
|
18
|
+
* APIs we haven't annotated yet.
|
|
19
|
+
*
|
|
20
|
+
* Returns `null` when neither path can produce an object (no schema +
|
|
21
|
+
* no seed). Caller should skip with a broken-baseline reason.
|
|
22
|
+
*/
|
|
23
|
+
export function resolveCreateBody(
|
|
24
|
+
create: EndpointInfo,
|
|
25
|
+
seedBody: SeedBodyConfig | undefined,
|
|
26
|
+
): Record<string, unknown> | null {
|
|
27
|
+
if (seedBody && seedBody.body && typeof seedBody.body === "object") {
|
|
28
|
+
return seedBody.body;
|
|
29
|
+
}
|
|
30
|
+
if (!create.requestBodySchema) return null;
|
|
31
|
+
const generated = generateFromSchema(create.requestBodySchema);
|
|
32
|
+
if (generated == null || typeof generated !== "object") return null;
|
|
33
|
+
return generated as Record<string, unknown>;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
/**
|
|
37
|
+
* ARV-191: serialise a generated body using whichever wire format the
|
|
38
|
+
* create endpoint declares, and resolve the `{{$randomString}}` /
|
|
39
|
+
* `{{$randomInt}}` / `{{$randomEmail}}` markers that
|
|
40
|
+
* `generateFromSchema` embeds. Two failure modes this addresses:
|
|
41
|
+
*
|
|
42
|
+
* 1. Content-type — Stripe-style APIs declare only
|
|
43
|
+
* `application/x-www-form-urlencoded`; JSON.stringify yields a
|
|
44
|
+
* 400 "missing required param" the broken-baseline guard swallows.
|
|
45
|
+
* Mirrors `serializeProbeBody` (ARV-150) for probes.
|
|
46
|
+
* 2. Placeholder resolution — `data-factory` emits literal markers
|
|
47
|
+
* that downstream callers (the YAML runner, the probe-harness)
|
|
48
|
+
* resolve via `substituteDeep`. Stateful checks bypassed this and
|
|
49
|
+
* sent `balance={{$randomInt}}` to Stripe → 400. Sending JSON
|
|
50
|
+
* previously masked the bug because Stripe ignored the body
|
|
51
|
+
* entirely on form-encoded endpoints.
|
|
52
|
+
*
|
|
53
|
+
* Pass `vars` when the caller has live env values (path-fixtures); the
|
|
54
|
+
* helper otherwise relies on the built-in `GENERATORS` table inside
|
|
55
|
+
* `substituteDeep` to fabricate values for the random markers.
|
|
56
|
+
*/
|
|
57
|
+
export function serializeCheckBody(
|
|
58
|
+
create: { requestBodyContentType?: string },
|
|
59
|
+
body: Record<string, unknown>,
|
|
60
|
+
vars: Record<string, unknown> = {},
|
|
61
|
+
contentTypeOverride?: string,
|
|
62
|
+
): { body: string; contentType: string } {
|
|
63
|
+
const resolved = substituteDeep(body, vars);
|
|
64
|
+
const obj = (resolved && typeof resolved === "object" && !Array.isArray(resolved))
|
|
65
|
+
? (resolved as Record<string, unknown>)
|
|
66
|
+
: {};
|
|
67
|
+
const ct = contentTypeOverride ?? create.requestBodyContentType ?? "application/json";
|
|
68
|
+
if (ct === "application/x-www-form-urlencoded") {
|
|
69
|
+
return { body: encodeFormBody(obj), contentType: "application/x-www-form-urlencoded" };
|
|
70
|
+
}
|
|
71
|
+
return { body: JSON.stringify(obj), contentType: ct };
|
|
72
|
+
}
|
|
73
|
+
|
|
74
|
+
export function fillPathWithId(path: string, idParam: string, id: string | number): string {
|
|
75
|
+
const v = encodeURIComponent(String(id));
|
|
76
|
+
return path
|
|
77
|
+
.replace(new RegExp(`\\{${idParam}\\}`), v)
|
|
78
|
+
// Fallback: any single placeholder gets replaced.
|
|
79
|
+
.replace(/\{[^}]+\}/g, v);
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
/** ARV-169: substitute parent-scope path-params on a create endpoint
|
|
83
|
+
* using harness.pathVars. Resource-scoped APIs (Sentry's
|
|
84
|
+
* `/api/0/organizations/{organization_id_or_slug}/projects/`) need
|
|
85
|
+
* the parent id resolved before the create call lands — without it
|
|
86
|
+
* the create 404s and the broken-baseline guard skips the whole
|
|
87
|
+
* CRUD chain. Vars not present in `pathVars` are left as literal
|
|
88
|
+
* placeholders so the caller can spot the gap in skip diagnostics.
|
|
89
|
+
* Idempotent for paths with no placeholders (most flat-CRUD APIs). */
|
|
90
|
+
export function fillPathParams(path: string, pathVars?: Record<string, string>): string {
|
|
91
|
+
if (!pathVars) return path;
|
|
92
|
+
return path.replace(/\{([^}]+)\}/g, (_, name) => {
|
|
93
|
+
const v = pathVars[name];
|
|
94
|
+
return v && v.length > 0 ? encodeURIComponent(v) : `{${name}}`;
|
|
95
|
+
});
|
|
96
|
+
}
|
|
97
|
+
|
|
98
|
+
/**
|
|
99
|
+
* Pull a usable id out of a create-response body. Honours the spec's
|
|
100
|
+
* declared `idParam` first (so `userId` matches `user_id` / `userId`),
|
|
101
|
+
* then falls back to a list of common keys. Returns null if nothing
|
|
102
|
+
* looks like a usable id.
|
|
103
|
+
*/
|
|
104
|
+
export function extractIdFromCreateResponse(body: unknown, idParam: string): string | number | null {
|
|
105
|
+
if (body == null || typeof body !== "object") {
|
|
106
|
+
if (typeof body === "string" || typeof body === "number") return body;
|
|
107
|
+
return null;
|
|
108
|
+
}
|
|
109
|
+
// Strings often arrive as parsed JSON via http-client; treat both.
|
|
110
|
+
const obj = body as Record<string, unknown>;
|
|
111
|
+
const candidates = [
|
|
112
|
+
idParam,
|
|
113
|
+
idParam.replace(/[_-]/g, ""),
|
|
114
|
+
"id",
|
|
115
|
+
"uuid",
|
|
116
|
+
"slug",
|
|
117
|
+
"name",
|
|
118
|
+
"key",
|
|
119
|
+
];
|
|
120
|
+
for (const k of candidates) {
|
|
121
|
+
const v = obj[k];
|
|
122
|
+
if (typeof v === "string" || typeof v === "number") return v;
|
|
123
|
+
}
|
|
124
|
+
// common SaaS-style { data: { id } } envelope.
|
|
125
|
+
const data = obj.data as Record<string, unknown> | undefined;
|
|
126
|
+
if (data && typeof data === "object") {
|
|
127
|
+
for (const k of candidates) {
|
|
128
|
+
const v = data[k];
|
|
129
|
+
if (typeof v === "string" || typeof v === "number") return v;
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
return null;
|
|
133
|
+
}
|
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Single-site negative-body mutator (m-15 ARV-4). Applies exactly one
|
|
3
|
+
* mutation to a valid body so the data-rejection check can attribute
|
|
4
|
+
* accept/reject decisions to a known cause. Three strategies, picked
|
|
5
|
+
* in priority order:
|
|
6
|
+
*
|
|
7
|
+
* 1. drop_required — remove the first required field.
|
|
8
|
+
* 2. type_mutation — flip the first scalar field's type.
|
|
9
|
+
* 3. constraint_violation — violate the first declared constraint
|
|
10
|
+
* (minLength/maximum/pattern/enum).
|
|
11
|
+
*
|
|
12
|
+
* The first applicable strategy wins — keeps mutations deterministic
|
|
13
|
+
* across runs (matches schemathesis' "isolate the failure site" goal).
|
|
14
|
+
* `meta` carries the strategy + field path so anti-FP guards and
|
|
15
|
+
* findings can describe what was changed without reparsing the body.
|
|
16
|
+
*/
|
|
17
|
+
import type { OpenAPIV3 } from "openapi-types";
|
|
18
|
+
import { generateFromSchema } from "../../generator/data-factory.ts";
|
|
19
|
+
|
|
20
|
+
export interface MutationMeta {
|
|
21
|
+
mutation: "drop_required" | "type_mutation" | "constraint_violation";
|
|
22
|
+
field_path: string;
|
|
23
|
+
/** For type_mutation. */
|
|
24
|
+
from_type?: string;
|
|
25
|
+
to_type?: string;
|
|
26
|
+
to_value?: unknown;
|
|
27
|
+
/** For constraint_violation. */
|
|
28
|
+
constraint?: string;
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
export interface MutationResult {
|
|
32
|
+
body: unknown;
|
|
33
|
+
meta: MutationMeta;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
function isObject(v: unknown): v is Record<string, unknown> {
|
|
37
|
+
return typeof v === "object" && v !== null && !Array.isArray(v);
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
function pickWrongValue(t: string): { type: string; value: unknown } {
|
|
41
|
+
// Pick a value that is *clearly* the wrong type — and not a string
|
|
42
|
+
// that the server might coerce. Anti-FP guard #2 takes care of the
|
|
43
|
+
// "stringified primitive" case separately, but we avoid emitting it
|
|
44
|
+
// in the first place where we can.
|
|
45
|
+
switch (t) {
|
|
46
|
+
case "integer":
|
|
47
|
+
case "number":
|
|
48
|
+
return { type: "boolean", value: true };
|
|
49
|
+
case "boolean":
|
|
50
|
+
return { type: "integer", value: 7 };
|
|
51
|
+
case "string":
|
|
52
|
+
return { type: "object", value: { unexpected: "shape" } };
|
|
53
|
+
case "array":
|
|
54
|
+
return { type: "object", value: {} };
|
|
55
|
+
case "object":
|
|
56
|
+
return { type: "array", value: [] };
|
|
57
|
+
default:
|
|
58
|
+
return { type: "boolean", value: true };
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
function tryDropRequired(schema: OpenAPIV3.SchemaObject, body: unknown): MutationResult | null {
|
|
63
|
+
if (!isObject(body)) return null;
|
|
64
|
+
const required = schema.required ?? [];
|
|
65
|
+
for (const f of required) {
|
|
66
|
+
if (f in body) {
|
|
67
|
+
const next = { ...body };
|
|
68
|
+
delete next[f];
|
|
69
|
+
return { body: next, meta: { mutation: "drop_required", field_path: f, dropped_field: f } as MutationMeta };
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
return null;
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
function tryTypeMutation(schema: OpenAPIV3.SchemaObject, body: unknown): MutationResult | null {
|
|
76
|
+
if (!isObject(body)) return null;
|
|
77
|
+
const props = (schema.properties ?? {}) as Record<string, OpenAPIV3.SchemaObject>;
|
|
78
|
+
for (const [name, propSchema] of Object.entries(props)) {
|
|
79
|
+
const t = propSchema.type;
|
|
80
|
+
if (typeof t !== "string") continue;
|
|
81
|
+
if (!(name in body)) continue;
|
|
82
|
+
const wrong = pickWrongValue(t);
|
|
83
|
+
return {
|
|
84
|
+
body: { ...body, [name]: wrong.value },
|
|
85
|
+
meta: {
|
|
86
|
+
mutation: "type_mutation",
|
|
87
|
+
field_path: name,
|
|
88
|
+
from_type: t,
|
|
89
|
+
to_type: wrong.type,
|
|
90
|
+
to_value: wrong.value,
|
|
91
|
+
},
|
|
92
|
+
};
|
|
93
|
+
}
|
|
94
|
+
return null;
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
function tryConstraintViolation(schema: OpenAPIV3.SchemaObject, body: unknown): MutationResult | null {
|
|
98
|
+
if (!isObject(body)) return null;
|
|
99
|
+
const props = (schema.properties ?? {}) as Record<string, OpenAPIV3.SchemaObject>;
|
|
100
|
+
for (const [name, propSchema] of Object.entries(props)) {
|
|
101
|
+
if (!(name in body)) continue;
|
|
102
|
+
if (propSchema.enum && propSchema.enum.length > 0) {
|
|
103
|
+
return { body: { ...body, [name]: "__not_in_enum__" }, meta: { mutation: "constraint_violation", field_path: name, constraint: "enum" } };
|
|
104
|
+
}
|
|
105
|
+
if (typeof propSchema.minLength === "number" && propSchema.minLength > 0) {
|
|
106
|
+
return { body: { ...body, [name]: "" }, meta: { mutation: "constraint_violation", field_path: name, constraint: "minLength" } };
|
|
107
|
+
}
|
|
108
|
+
if (typeof propSchema.maxLength === "number") {
|
|
109
|
+
return {
|
|
110
|
+
body: { ...body, [name]: "x".repeat(propSchema.maxLength + 1) },
|
|
111
|
+
meta: { mutation: "constraint_violation", field_path: name, constraint: "maxLength" },
|
|
112
|
+
};
|
|
113
|
+
}
|
|
114
|
+
if (typeof propSchema.minimum === "number") {
|
|
115
|
+
return { body: { ...body, [name]: propSchema.minimum - 1 }, meta: { mutation: "constraint_violation", field_path: name, constraint: "minimum" } };
|
|
116
|
+
}
|
|
117
|
+
if (typeof propSchema.maximum === "number") {
|
|
118
|
+
return { body: { ...body, [name]: propSchema.maximum + 1 }, meta: { mutation: "constraint_violation", field_path: name, constraint: "maximum" } };
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
return null;
|
|
122
|
+
}
|
|
123
|
+
|
|
124
|
+
/**
|
|
125
|
+
* Build a single-site negative case from a request-body schema.
|
|
126
|
+
* Returns `null` when the schema offers no exploit surface (no
|
|
127
|
+
* required fields, no typed properties, no constraints) — the caller
|
|
128
|
+
* should skip emitting a probe rather than send a meaningless one.
|
|
129
|
+
*/
|
|
130
|
+
export function buildNegativeBody(schema: OpenAPIV3.SchemaObject): MutationResult | null {
|
|
131
|
+
const valid = generateFromSchema(schema);
|
|
132
|
+
return tryDropRequired(schema, valid) ?? tryTypeMutation(schema, valid) ?? tryConstraintViolation(schema, valid);
|
|
133
|
+
}
|
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* ARV-169 (m-20): POST→GET cross-call drift diff logic.
|
|
3
|
+
*
|
|
4
|
+
* The check creates a resource, reads it back, and compares the
|
|
5
|
+
* write-shape (what the client sent + what the create response echoed)
|
|
6
|
+
* against the read-shape (what GET returned). Three flavours of drift:
|
|
7
|
+
*
|
|
8
|
+
* • write-only — POST accepted the field, GET never returned it.
|
|
9
|
+
* Often a secret/write-once design; can also be a silent data drop.
|
|
10
|
+
* Suppressible via `ignore_fields` per resource.
|
|
11
|
+
* • state-not-persisted — POST *echoed* the field in its 2xx response
|
|
12
|
+
* but GET dropped it. This is the high-signal class: server lied
|
|
13
|
+
* about persisting state. Always HIGH unless explicitly ignored.
|
|
14
|
+
* • undeclared-on-read — GET returned a field the spec doesn't
|
|
15
|
+
* document. Surfaced by response_schema_conformance already; this
|
|
16
|
+
* check is the cross-call analogue and stays out of the way.
|
|
17
|
+
*
|
|
18
|
+
* Anti-FP: a baseline `DEFAULT_READBACK_IGNORE` filters timestamp/etag
|
|
19
|
+
* envelope fields shared across every SaaS API, so a probe on a stock
|
|
20
|
+
* spec without yaml overrides doesn't drown in noise. Per-API quirks
|
|
21
|
+
* (Stripe `metadata` stripping, `livemode`) are layered on top via
|
|
22
|
+
* `.api-resources.local.yaml` (authored by `zond api annotate` or by
|
|
23
|
+
* hand — see backlog/notes/m-20-validation.md §«Review boundary»).
|
|
24
|
+
*/
|
|
25
|
+
import type { ReadbackDiffConfig } from "../../generator/resources-builder.ts";
|
|
26
|
+
|
|
27
|
+
/** Fields excluded from drift detection on every resource, regardless
|
|
28
|
+
* of yaml config. These are universally non-comparable across the
|
|
29
|
+
* POST→GET hop. */
|
|
30
|
+
export const DEFAULT_READBACK_IGNORE: ReadonlySet<string> = new Set([
|
|
31
|
+
"id",
|
|
32
|
+
"object",
|
|
33
|
+
"created",
|
|
34
|
+
"created_at",
|
|
35
|
+
"createdAt",
|
|
36
|
+
"updated",
|
|
37
|
+
"updated_at",
|
|
38
|
+
"updatedAt",
|
|
39
|
+
"deleted_at",
|
|
40
|
+
"etag",
|
|
41
|
+
"_etag",
|
|
42
|
+
"version",
|
|
43
|
+
"livemode",
|
|
44
|
+
"_links",
|
|
45
|
+
"self",
|
|
46
|
+
"url",
|
|
47
|
+
]);
|
|
48
|
+
|
|
49
|
+
export interface DriftField {
|
|
50
|
+
field: string;
|
|
51
|
+
kind: "write_only" | "state_not_persisted" | "undeclared_on_read";
|
|
52
|
+
/** For state_not_persisted: the value the create response echoed. */
|
|
53
|
+
writtenValue?: unknown;
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
export interface DriftReport {
|
|
57
|
+
writeOnly: DriftField[];
|
|
58
|
+
stateNotPersisted: DriftField[];
|
|
59
|
+
undeclaredOnRead: DriftField[];
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
function shallowFields(v: unknown): Set<string> {
|
|
63
|
+
if (v == null || typeof v !== "object" || Array.isArray(v)) return new Set();
|
|
64
|
+
return new Set(Object.keys(v as Record<string, unknown>));
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
/**
|
|
68
|
+
* Compute drift between write-shape and read-shape.
|
|
69
|
+
*
|
|
70
|
+
* @param writeBody what the client POSTed (parsed JSON)
|
|
71
|
+
* @param createEcho the 2xx response body of the POST
|
|
72
|
+
* @param readBody the 2xx response body of the subsequent GET
|
|
73
|
+
* @param specDeclared field names declared in spec.responses for the GET
|
|
74
|
+
* (used to suppress write-only fields that the spec
|
|
75
|
+
* marks as write-only — `password`-style secrets).
|
|
76
|
+
* Empty Set ⇒ no suppression by spec.
|
|
77
|
+
* @param cfg per-resource readback overrides
|
|
78
|
+
*/
|
|
79
|
+
export function computeDrift(
|
|
80
|
+
writeBody: unknown,
|
|
81
|
+
createEcho: unknown,
|
|
82
|
+
readBody: unknown,
|
|
83
|
+
specDeclared: ReadonlySet<string>,
|
|
84
|
+
cfg: ReadbackDiffConfig | undefined,
|
|
85
|
+
): DriftReport {
|
|
86
|
+
const writeFields = shallowFields(writeBody);
|
|
87
|
+
const echoFields = shallowFields(createEcho);
|
|
88
|
+
const readFields = shallowFields(readBody);
|
|
89
|
+
|
|
90
|
+
const ignore = new Set<string>(DEFAULT_READBACK_IGNORE);
|
|
91
|
+
for (const f of cfg?.ignoreFields ?? []) ignore.add(f);
|
|
92
|
+
const renameMap = cfg?.writeToReadMap ?? {};
|
|
93
|
+
|
|
94
|
+
// Apply rename: a write-side field maps to a different read-side name.
|
|
95
|
+
const writeAfterRename = new Set<string>();
|
|
96
|
+
for (const f of writeFields) writeAfterRename.add(renameMap[f] ?? f);
|
|
97
|
+
const echoAfterRename = new Set<string>();
|
|
98
|
+
for (const f of echoFields) echoAfterRename.add(renameMap[f] ?? f);
|
|
99
|
+
|
|
100
|
+
const writeOnly: DriftField[] = [];
|
|
101
|
+
for (const f of writeAfterRename) {
|
|
102
|
+
if (ignore.has(f)) continue;
|
|
103
|
+
if (readFields.has(f)) continue;
|
|
104
|
+
// If the field isn't declared on the GET response schema at all,
|
|
105
|
+
// it's a write-only-by-spec contract — not a drift. (Secrets, etc.)
|
|
106
|
+
if (specDeclared.size > 0 && !specDeclared.has(f)) continue;
|
|
107
|
+
writeOnly.push({ field: f, kind: "write_only" });
|
|
108
|
+
}
|
|
109
|
+
|
|
110
|
+
const stateNotPersisted: DriftField[] = [];
|
|
111
|
+
const echoBody = (createEcho ?? {}) as Record<string, unknown>;
|
|
112
|
+
for (const f of echoAfterRename) {
|
|
113
|
+
if (ignore.has(f)) continue;
|
|
114
|
+
if (readFields.has(f)) continue;
|
|
115
|
+
// Only report fields the echo actually carried with a non-null value —
|
|
116
|
+
// a null echo is the server signalling "not set", not a persistence bug.
|
|
117
|
+
const originalKey = Object.keys(renameMap).find((k) => renameMap[k] === f) ?? f;
|
|
118
|
+
const v = echoBody[originalKey];
|
|
119
|
+
if (v === undefined || v === null) continue;
|
|
120
|
+
stateNotPersisted.push({ field: f, kind: "state_not_persisted", writtenValue: v });
|
|
121
|
+
}
|
|
122
|
+
|
|
123
|
+
const undeclaredOnRead: DriftField[] = [];
|
|
124
|
+
if (specDeclared.size > 0) {
|
|
125
|
+
for (const f of readFields) {
|
|
126
|
+
if (ignore.has(f)) continue;
|
|
127
|
+
if (specDeclared.has(f)) continue;
|
|
128
|
+
undeclaredOnRead.push({ field: f, kind: "undeclared_on_read" });
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
|
|
132
|
+
return { writeOnly, stateNotPersisted, undeclaredOnRead };
|
|
133
|
+
}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `content_type_conformance` — Content-Type returned by the server
|
|
3
|
+
* isn't among those declared in `op.responses[*].content`. Mirrors
|
|
4
|
+
* schemathesis. We only fail when a body is present and Content-Type
|
|
5
|
+
* is meaningful — empty 204 responses don't carry a type and pass.
|
|
6
|
+
*/
|
|
7
|
+
import type { Check } from "../types.ts";
|
|
8
|
+
|
|
9
|
+
function baseType(ct: string): string {
|
|
10
|
+
return ct.split(";")[0]!.trim().toLowerCase();
|
|
11
|
+
}
|
|
12
|
+
|
|
13
|
+
export const contentTypeConformance: Check = {
|
|
14
|
+
id: "content_type_conformance",
|
|
15
|
+
severity: "medium",
|
|
16
|
+
defaultExpected: "Response Content-Type must be one of those declared on the OpenAPI response",
|
|
17
|
+
references: [{ id: "OAS3-mediaType", url: "https://spec.openapis.org/oas/v3.0.3#media-type-object" }],
|
|
18
|
+
applies: (op) => op.responseContentTypes.length > 0,
|
|
19
|
+
run({ case: c, response }) {
|
|
20
|
+
// 204 / 304 by definition have no body — Content-Type irrelevant.
|
|
21
|
+
if (response.status === 204 || response.status === 304) return { kind: "pass" };
|
|
22
|
+
const got = response.headers["content-type"] ?? response.headers["Content-Type"];
|
|
23
|
+
if (!got) {
|
|
24
|
+
return {
|
|
25
|
+
kind: "fail",
|
|
26
|
+
message: `Missing Content-Type header on ${c.operation.method} ${c.operation.path}`,
|
|
27
|
+
evidence: { declared: c.operation.responseContentTypes },
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
const declared = c.operation.responseContentTypes.map(baseType);
|
|
31
|
+
if (declared.length === 0) return { kind: "skip", reason: "no declared content types" };
|
|
32
|
+
if (declared.includes(baseType(got))) return { kind: "pass" };
|
|
33
|
+
return {
|
|
34
|
+
kind: "fail",
|
|
35
|
+
message: `Content-Type "${got}" not declared in OpenAPI for ${c.operation.method} ${c.operation.path}`,
|
|
36
|
+
evidence: { actual: got, declared },
|
|
37
|
+
};
|
|
38
|
+
},
|
|
39
|
+
};
|
|
@@ -0,0 +1,147 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `cross_call_references` (m-20 ARV-169) — POST→GET shape-diff probe.
|
|
3
|
+
*
|
|
4
|
+
* For each CRUD group with create+read, POST a generated body, capture
|
|
5
|
+
* the new id from the response, then GET the resource and diff the
|
|
6
|
+
* write-shape against the read-shape. Fields the create accepted (or
|
|
7
|
+
* echoed) but the read didn't return surface as drift findings — the
|
|
8
|
+
* server is silently dropping state.
|
|
9
|
+
*
|
|
10
|
+
* Severity policy (ARV-287, follow-up to ARV-284):
|
|
11
|
+
* • Declared check severity is LOW (proof-cap baseline per ARV-250:
|
|
12
|
+
* single-signal checks cap at LOW until evidence confirms higher).
|
|
13
|
+
* • Per-finding dispatch in the fail branch:
|
|
14
|
+
* - state_not_persisted non-empty → HIGH
|
|
15
|
+
* (POST echoed field, GET dropped it: two-signal evidence chain —
|
|
16
|
+
* the server promised state it later discarded)
|
|
17
|
+
* - write-only-only (state_not_persisted=[], writeOnly non-empty) → MEDIUM
|
|
18
|
+
* (single-signal contract gap per ARV-250)
|
|
19
|
+
* • `write_only` (POST accepted, GET never returned) is also surfaced
|
|
20
|
+
* in the same finding's evidence. Anti-FP: write-only fields the
|
|
21
|
+
* spec explicitly declares are *not* present on GET (e.g. password
|
|
22
|
+
* write-only properties) are filtered out via spec.responses.GET
|
|
23
|
+
* declared field set.
|
|
24
|
+
* • Per-resource quirks (Stripe `metadata` stripping, livemode) are
|
|
25
|
+
* declared in `.api-resources[.local].yaml` `readback_diff` blocks
|
|
26
|
+
* and the harness threads them through `resourceConfigs`.
|
|
27
|
+
*
|
|
28
|
+
* The check fails (one finding) when EITHER list is non-empty. The
|
|
29
|
+
* evidence carries the per-field breakdown so the reporter can show
|
|
30
|
+
* exactly which fields drifted and how. We deliberately emit a single
|
|
31
|
+
* finding per resource — splitting into one-finding-per-field would
|
|
32
|
+
* inflate counts but tell the user the same story.
|
|
33
|
+
*/
|
|
34
|
+
import type { OpenAPIV3 } from "openapi-types";
|
|
35
|
+
import type { CrudStatefulCheck } from "../stateful.ts";
|
|
36
|
+
import { extractIdFromCreateResponse, fillPathWithId, fillPathParams, serializeCheckBody, resolveCreateBody } from "./_crud-helpers.ts";
|
|
37
|
+
import { computeDrift } from "./_readback-helpers.ts";
|
|
38
|
+
|
|
39
|
+
function declaredReadFields(read: { responses: Array<{ statusCode: number; schema?: unknown }> }): Set<string> {
|
|
40
|
+
const success = read.responses.find((r) => r.statusCode >= 200 && r.statusCode < 300);
|
|
41
|
+
const schema = success?.schema as OpenAPIV3.SchemaObject | undefined;
|
|
42
|
+
if (!schema?.properties) return new Set();
|
|
43
|
+
return new Set(Object.keys(schema.properties));
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
function safeParse(v: unknown): unknown {
|
|
47
|
+
if (typeof v !== "string") return v;
|
|
48
|
+
try {
|
|
49
|
+
return JSON.parse(v);
|
|
50
|
+
} catch {
|
|
51
|
+
return v;
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
export const crossCallReferences: CrudStatefulCheck = {
|
|
56
|
+
id: "cross_call_references",
|
|
57
|
+
// ARV-287: proof-cap baseline per ARV-250 (single-signal cap → LOW).
|
|
58
|
+
// Per-finding dispatch in run() escalates to HIGH / MEDIUM by evidence.
|
|
59
|
+
severity: "low",
|
|
60
|
+
defaultExpected: "Fields accepted or echoed by POST must be readable via GET on the same resource",
|
|
61
|
+
references: [{ id: "ARV-169" }, { id: "OWASP-API-3-2023" }],
|
|
62
|
+
phase: "crud",
|
|
63
|
+
applies(g) {
|
|
64
|
+
return Boolean(g.create && g.read);
|
|
65
|
+
},
|
|
66
|
+
async run(g, h) {
|
|
67
|
+
if (h.bootstrapCleanupFailed) {
|
|
68
|
+
return { kind: "skip", reason: "bootstrap-cleanup failed — stateful checks paused" };
|
|
69
|
+
}
|
|
70
|
+
const create = g.create!;
|
|
71
|
+
const read = g.read!;
|
|
72
|
+
const baseHeaders = { Accept: "application/json", ...h.authHeaders };
|
|
73
|
+
|
|
74
|
+
const seedBody = h.resourceConfigs?.get(g.resource)?.seedBody;
|
|
75
|
+
if (!create.requestBodySchema && !seedBody) {
|
|
76
|
+
return { kind: "skip", reason: "create has no requestBody schema and no seed_body — nothing to diff" };
|
|
77
|
+
}
|
|
78
|
+
const writeBody = resolveCreateBody(create, seedBody);
|
|
79
|
+
if (writeBody == null) {
|
|
80
|
+
return { kind: "skip", reason: "could not produce a create body (no seed_body, generator returned non-object)" };
|
|
81
|
+
}
|
|
82
|
+
|
|
83
|
+
const createUrl = `${h.baseUrl.replace(/\/+$/, "")}${fillPathParams(create.path, h.pathVars)}`;
|
|
84
|
+
// ARV-191: form-urlencoded dispatch — see _crud-helpers.serializeCheckBody.
|
|
85
|
+
// ARV-187: seed_body.content_type overrides spec'd contentType when set.
|
|
86
|
+
const { body: createBodyStr, contentType } = serializeCheckBody(create, writeBody, h.pathVars, seedBody?.contentType);
|
|
87
|
+
const createResp = await h.send({
|
|
88
|
+
method: "POST",
|
|
89
|
+
url: createUrl,
|
|
90
|
+
headers: { ...baseHeaders, "Content-Type": contentType },
|
|
91
|
+
body: createBodyStr,
|
|
92
|
+
});
|
|
93
|
+
if (createResp.status < 200 || createResp.status >= 300) {
|
|
94
|
+
return { kind: "skip", reason: `create returned ${createResp.status} — broken-baseline guard` };
|
|
95
|
+
}
|
|
96
|
+
const echo = createResp.body_parsed ?? safeParse(createResp.body);
|
|
97
|
+
const id = extractIdFromCreateResponse(echo, g.idParam);
|
|
98
|
+
if (id == null) return { kind: "skip", reason: "could not extract id from create response" };
|
|
99
|
+
|
|
100
|
+
// Substitute parent-scope vars first (e.g., {organization_id_or_slug}),
|
|
101
|
+
// then the captured id for {idParam}. Order matters: fillPathWithId's
|
|
102
|
+
// fallback regex replaces ANY remaining `{...}` with the id, so parent
|
|
103
|
+
// vars must already be resolved when it runs.
|
|
104
|
+
const readPath = fillPathWithId(fillPathParams(read.path, h.pathVars), g.idParam, id);
|
|
105
|
+
const readUrl = `${h.baseUrl.replace(/\/+$/, "")}${readPath}`;
|
|
106
|
+
const readResp = await h.send({ method: "GET", url: readUrl, headers: baseHeaders });
|
|
107
|
+
if (readResp.status < 200 || readResp.status >= 300) {
|
|
108
|
+
return { kind: "skip", reason: `read returned ${readResp.status} — broken-baseline guard` };
|
|
109
|
+
}
|
|
110
|
+
const readBody = readResp.body_parsed ?? safeParse(readResp.body);
|
|
111
|
+
|
|
112
|
+
const cfg = h.resourceConfigs?.get(g.resource)?.readbackDiff;
|
|
113
|
+
const specDeclared = declaredReadFields(read);
|
|
114
|
+
const drift = computeDrift(writeBody, echo, readBody, specDeclared, cfg);
|
|
115
|
+
|
|
116
|
+
const stateNotPersisted = drift.stateNotPersisted;
|
|
117
|
+
const writeOnly = drift.writeOnly;
|
|
118
|
+
if (stateNotPersisted.length === 0 && writeOnly.length === 0) {
|
|
119
|
+
return { kind: "pass" };
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
const driftedFields = [
|
|
123
|
+
...stateNotPersisted.map((d) => d.field),
|
|
124
|
+
...writeOnly.map((d) => d.field),
|
|
125
|
+
];
|
|
126
|
+
return {
|
|
127
|
+
kind: "fail",
|
|
128
|
+
// ARV-287: per-finding severity dispatch (follow-up to ARV-284).
|
|
129
|
+
// state_not_persisted → HIGH: two-signal evidence chain (POST echoed,
|
|
130
|
+
// GET dropped) confirms the server is discarding persisted state.
|
|
131
|
+
// write-only-only → MEDIUM: single-signal contract gap per ARV-250.
|
|
132
|
+
severity: stateNotPersisted.length > 0 ? "high" : "medium",
|
|
133
|
+
message:
|
|
134
|
+
stateNotPersisted.length > 0
|
|
135
|
+
? `POST→GET drift on ${g.resource}: ${stateNotPersisted.length} state-not-persisted field(s)` +
|
|
136
|
+
(writeOnly.length > 0 ? `, ${writeOnly.length} write-only field(s)` : "")
|
|
137
|
+
: `POST→GET drift on ${g.resource}: ${writeOnly.length} write-only field(s)`,
|
|
138
|
+
evidence: {
|
|
139
|
+
resource: g.resource,
|
|
140
|
+
id,
|
|
141
|
+
state_not_persisted: stateNotPersisted.map((d) => ({ field: d.field, written_value: d.writtenValue })),
|
|
142
|
+
write_only: writeOnly.map((d) => d.field),
|
|
143
|
+
drifted_fields: driftedFields,
|
|
144
|
+
},
|
|
145
|
+
};
|
|
146
|
+
},
|
|
147
|
+
};
|