@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -0,0 +1,254 @@
1
+ /**
2
+ * `ignored_auth` (m-15 ARV-3, refined in ARV-181) — for every operation
3
+ * that declares a security requirement, send 3 requests:
4
+ *
5
+ * 1. baseline — full real-auth headers,
6
+ * 2. no_auth — drop every auth-shaped header,
7
+ * 3. bogus_auth — replace each auth header value with a malformed-
8
+ * shaped, plausibly-typed bogus.
9
+ *
10
+ * Verdict logic (ARV-181 differential):
11
+ *
12
+ * - baseline 5xx → skip (server unhealthy; nothing we say is trustworthy).
13
+ * - baseline 2xx → strict mode. Any 2xx on no_auth/bogus → HIGH bypass.
14
+ * - baseline 4xx → soft mode. The auth token didn't get a 2xx (wrong
15
+ * permissions, real path-var not provided, etc.), but we can still
16
+ * learn from how the server treats *worse* credentials:
17
+ * · no_auth/bogus returns **strictly better** status (lower 4xx
18
+ * class, or 2xx/3xx) → HIGH bypass. The classic smoking gun
19
+ * is `baseline 403 / no_auth 200`.
20
+ * · same or worse status → pass (auth was checked; the resource
21
+ * simply isn't accessible to anyone).
22
+ *
23
+ * Strictness:
24
+ * - default: no_auth/bogus passes if status is in [400..499] (any 4xx).
25
+ * - --strict-401 (CheckRuntimeOptions.strict401): only 401 passes; any
26
+ * other status — even 403/404 — fails. Mirrors schemathesis V4.
27
+ *
28
+ * Anti-FP guards (kept from ARV-3):
29
+ * - skip operations with `security: []` override (explicitly public),
30
+ * - skip when `bootstrap_cleanup_failed` (data state corrupted),
31
+ * - skip when no auth headers provided to the harness at all.
32
+ *
33
+ * Severity matrix (ARV-286, dispatched per finding via outcome.severity;
34
+ * follow-up to ARV-284 `negative_data_rejection` pattern):
35
+ *
36
+ * Declared severity: 'low' (proof-cap baseline per ARV-250 — single-
37
+ * signal evidence alone caps at LOW; chain evidence elevates to HIGH).
38
+ *
39
+ * Per-finding dispatch:
40
+ *
41
+ * | evidence.variant | severity | rationale |
42
+ * |---------------------------|----------|-----------------------------------|
43
+ * | no_auth | HIGH | baseline 2xx + no-auth 2xx |
44
+ * | bogus_auth | HIGH | baseline 2xx + bogus 2xx |
45
+ * | no_auth_differential | HIGH | broken-baseline + lower bucket |
46
+ * | bogus_auth_differential | HIGH | broken-baseline + lower bucket |
47
+ * | no_auth_strict | MEDIUM | --strict-401 mismatch, no bypass |
48
+ * | bogus_auth_strict | MEDIUM | --strict-401 mismatch, no bypass |
49
+ *
50
+ * HIGH variants (bypass + differential) provide chain evidence: both a
51
+ * baseline probe and an auth-stripped probe contribute — two independent
52
+ * signals proving auth is ignored. MEDIUM variants (strict-401
53
+ * conformance) are single-signal: auth is likely enforced (server still
54
+ * rejects), just with the wrong status code (403/404 instead of 401).
55
+ * The agent re-severitizes from the raw evidence.
56
+ */
57
+ import type { OpenAPIV3 } from "openapi-types";
58
+ import type { AuthStatefulCheck } from "../stateful.ts";
59
+ import type { HttpRequest } from "../../runner/types.ts";
60
+
61
+ function buildBogus(name: string, value: string): string {
62
+ // Keep the original prefix so the auth scheme detection at the
63
+ // server still matches (Bearer xxx, Basic xxx). Only the secret
64
+ // payload is replaced.
65
+ if (/^Bearer\s+/i.test(value)) return "Bearer aaaaaaaaaaaa.bbbbbbbbbbbb.cccccccccccc";
66
+ if (/^Basic\s+/i.test(value)) return "Basic " + Buffer.from("zzz:zzz").toString("base64");
67
+ // apiKey / custom header — preserve length-class, replace content.
68
+ return name.toLowerCase().includes("token") ? "ZZZZZZZZZZ" : "bogus-" + "z".repeat(8);
69
+ }
70
+
71
+ /** ARV-181: substitute path placeholders using `h.pathVars` first, then
72
+ * fall back to schema-derived placeholders. Mirrors `fillPathParams`
73
+ * in `runner.ts` (kept inline to avoid a cross-module dependency that
74
+ * would yank generator imports into stateful checks). */
75
+ function fillPath(
76
+ path: string,
77
+ op: { parameters: OpenAPIV3.ParameterObject[] },
78
+ pathVars: Record<string, string> | undefined,
79
+ ): string {
80
+ return path.replace(/\{([^}]+)\}/g, (_, name: string) => {
81
+ const real = pathVars?.[name];
82
+ if (typeof real === "string" && real.length > 0) return encodeURIComponent(real);
83
+ const param = op.parameters.find((p) => p.name === name && p.in === "path");
84
+ const schema = param?.schema as OpenAPIV3.SchemaObject | undefined;
85
+ if (schema?.format === "uuid") return "00000000-0000-0000-0000-000000000000";
86
+ if (schema?.type === "integer" || schema?.type === "number") return "1";
87
+ return "x";
88
+ });
89
+ }
90
+
91
+ function isAuthHeaderName(name: string): boolean {
92
+ const n = name.toLowerCase();
93
+ return n === "authorization" || n.startsWith("x-api") || n.includes("token") || n.includes("key");
94
+ }
95
+
96
+ /** ARV-181: classify response status into a single ordering bucket so
97
+ * the differential broken-baseline logic can answer "did stripping
98
+ * auth give a *better* status than baseline?". Lower index = more
99
+ * permissive (worse from auth-enforcement POV). 5xx is its own
100
+ * bucket — never compare across it. */
101
+ function statusBucket(status: number): number {
102
+ if (status >= 200 && status < 400) return 0; // accepted-ish
103
+ if (status === 401) return 3; // canonical "auth required"
104
+ if (status === 403) return 2; // permission denied
105
+ if (status >= 400 && status < 500) return 1; // other 4xx (404, 422, ...)
106
+ return -1; // 5xx / 1xx — incomparable
107
+ }
108
+
109
+ function isAcceptableRejection(status: number, strict401: boolean): boolean {
110
+ if (strict401) return status === 401;
111
+ return status >= 400 && status < 500;
112
+ }
113
+
114
+ export const ignoredAuth: AuthStatefulCheck = {
115
+ id: "ignored_auth",
116
+ /** ARV-286: proof-cap baseline (ARV-250). Bypass findings emit
117
+ * outcome.severity="high" (chain evidence); strict-401 conformance
118
+ * findings emit outcome.severity="medium" (single-signal). */
119
+ severity: "low",
120
+ defaultExpected: "Server must reject requests without (or with bogus) auth credentials with 401/403",
121
+ references: [{ id: "OWASP-API-01" }],
122
+ phase: "auth",
123
+ applies(op) {
124
+ // Anti-FP: explicit `security: []` override means the op is intentionally public.
125
+ if (op.security.length === 0) return false;
126
+ return true;
127
+ },
128
+ async run(op, h) {
129
+ if (h.bootstrapCleanupFailed) {
130
+ return { kind: "skip", reason: "bootstrap-cleanup failed — security checks paused (ARV-3 AC #6)" };
131
+ }
132
+ if (Object.keys(h.authHeaders).length === 0) {
133
+ return { kind: "skip", reason: "no auth headers provided to harness — pass --auth-header" };
134
+ }
135
+ const strict401 = h.options?.strict401 === true;
136
+ const url = `${h.baseUrl.replace(/\/+$/, "")}${fillPath(op.path, op, h.pathVars)}`;
137
+ const method = op.method.toUpperCase();
138
+ const baseHeaders: Record<string, string> = { Accept: "application/json", ...h.authHeaders };
139
+
140
+ // 1. baseline
141
+ const baseReq: HttpRequest = { method, url, headers: baseHeaders };
142
+ const baseline = await h.send(baseReq);
143
+ if (baseline.status >= 500) {
144
+ return { kind: "skip", reason: `baseline returned ${baseline.status} — server-side error, no trustworthy signal` };
145
+ }
146
+
147
+ // 2. no_auth — strip every auth-shaped header
148
+ const noAuthHeaders: Record<string, string> = { ...baseHeaders };
149
+ for (const k of Object.keys(noAuthHeaders)) {
150
+ if (isAuthHeaderName(k)) delete noAuthHeaders[k];
151
+ }
152
+ const noAuth = await h.send({ method, url, headers: noAuthHeaders });
153
+
154
+ // 3. bogus_auth — keep header names, replace values
155
+ const bogusHeaders: Record<string, string> = { ...baseHeaders };
156
+ for (const k of Object.keys(bogusHeaders)) {
157
+ if (isAuthHeaderName(k)) bogusHeaders[k] = buildBogus(k, bogusHeaders[k]!);
158
+ }
159
+ const bogus = await h.send({ method, url, headers: bogusHeaders });
160
+
161
+ const baseBucket = statusBucket(baseline.status);
162
+ const baseIs2xx = baseline.status >= 200 && baseline.status < 300;
163
+
164
+ // ── strict-2xx-baseline branch (legacy path, unchanged semantically) ──
165
+ if (baseIs2xx) {
166
+ if (noAuth.status >= 200 && noAuth.status < 300) {
167
+ return {
168
+ kind: "fail",
169
+ // chain evidence: baseline 2xx + no-auth 2xx → proven bypass
170
+ severity: "high",
171
+ message: `Server accepted request without auth credentials (status ${noAuth.status}) — auth is being ignored`,
172
+ evidence: { variant: "no_auth", baseline_status: baseline.status, no_auth_status: noAuth.status },
173
+ };
174
+ }
175
+ if (bogus.status >= 200 && bogus.status < 300) {
176
+ return {
177
+ kind: "fail",
178
+ // chain evidence: baseline 2xx + bogus-auth 2xx → credentials not validated
179
+ severity: "high",
180
+ message: `Server accepted request with bogus auth (status ${bogus.status}) — credentials not validated`,
181
+ evidence: { variant: "bogus_auth", baseline_status: baseline.status, bogus_auth_status: bogus.status },
182
+ };
183
+ }
184
+ if (strict401) {
185
+ if (noAuth.status !== 401) {
186
+ return {
187
+ kind: "fail",
188
+ // single-signal: auth is likely enforced (4xx returned), just wrong status code
189
+ severity: "medium",
190
+ message: `no_auth returned ${noAuth.status}, expected 401 (--strict-401)`,
191
+ evidence: { variant: "no_auth_strict", baseline_status: baseline.status, no_auth_status: noAuth.status, strict_401: true },
192
+ };
193
+ }
194
+ if (bogus.status !== 401) {
195
+ return {
196
+ kind: "fail",
197
+ // single-signal: auth is likely enforced (4xx returned), just wrong status code
198
+ severity: "medium",
199
+ message: `bogus_auth returned ${bogus.status}, expected 401 (--strict-401)`,
200
+ evidence: { variant: "bogus_auth_strict", baseline_status: baseline.status, bogus_auth_status: bogus.status, strict_401: true },
201
+ };
202
+ }
203
+ }
204
+ return { kind: "pass" };
205
+ }
206
+
207
+ // ── differential 4xx-baseline branch (ARV-181) ─────────────────────
208
+ if (baseBucket < 0) {
209
+ return { kind: "skip", reason: `baseline returned ${baseline.status} — incomparable status, no trustworthy signal` };
210
+ }
211
+ const noAuthBucket = statusBucket(noAuth.status);
212
+ const bogusBucket = statusBucket(bogus.status);
213
+
214
+ if (noAuthBucket >= 0 && noAuthBucket < baseBucket) {
215
+ return {
216
+ kind: "fail",
217
+ // chain evidence: broken-baseline + lower bucket without auth → smoking gun bypass
218
+ severity: "high",
219
+ message: `Server gave a more permissive status (${noAuth.status}) without auth than with valid auth (${baseline.status}) — possible bypass`,
220
+ evidence: { variant: "no_auth_differential", baseline_status: baseline.status, no_auth_status: noAuth.status },
221
+ };
222
+ }
223
+ if (bogusBucket >= 0 && bogusBucket < baseBucket) {
224
+ return {
225
+ kind: "fail",
226
+ // chain evidence: broken-baseline + lower bucket with bogus token → bypass
227
+ severity: "high",
228
+ message: `Server gave a more permissive status (${bogus.status}) with bogus auth than with valid auth (${baseline.status}) — possible bypass`,
229
+ evidence: { variant: "bogus_auth_differential", baseline_status: baseline.status, bogus_auth_status: bogus.status },
230
+ };
231
+ }
232
+ if (strict401) {
233
+ if (!isAcceptableRejection(noAuth.status, true) && noAuthBucket >= 0) {
234
+ return {
235
+ kind: "fail",
236
+ // single-signal: auth is enforced (server still rejects), wrong status code
237
+ severity: "medium",
238
+ message: `no_auth returned ${noAuth.status}, expected 401 (--strict-401, baseline ${baseline.status})`,
239
+ evidence: { variant: "no_auth_strict", baseline_status: baseline.status, no_auth_status: noAuth.status, strict_401: true },
240
+ };
241
+ }
242
+ if (!isAcceptableRejection(bogus.status, true) && bogusBucket >= 0) {
243
+ return {
244
+ kind: "fail",
245
+ // single-signal: auth is enforced (server still rejects), wrong status code
246
+ severity: "medium",
247
+ message: `bogus_auth returned ${bogus.status}, expected 401 (--strict-401, baseline ${baseline.status})`,
248
+ evidence: { variant: "bogus_auth_strict", baseline_status: baseline.status, bogus_auth_status: bogus.status, strict_401: true },
249
+ };
250
+ }
251
+ }
252
+ return { kind: "pass" };
253
+ },
254
+ };
@@ -0,0 +1,68 @@
1
+ /**
2
+ * Auto-registers built-in checks at first import. ARV-1 ships with one
3
+ * seed check (`not_a_server_error`); ARV-2/3/4 fill in the remaining
4
+ * 11 conformance/security checks alongside it.
5
+ *
6
+ * Side-effect import is intentional: anywhere the runner or CLI loads
7
+ * `core/checks` it triggers this module and the registry is populated
8
+ * exactly once (Node/Bun ESM module cache guarantees idempotency).
9
+ */
10
+ import { registerCheck } from "../registry.ts";
11
+ import { registerStatefulCheck } from "../stateful.ts";
12
+ import { notAServerError } from "./not_a_server_error.ts";
13
+ import { statusCodeConformance } from "./status_code_conformance.ts";
14
+ import { contentTypeConformance } from "./content_type_conformance.ts";
15
+ import { responseHeadersConformance } from "./response_headers_conformance.ts";
16
+ import { responseSchemaConformance } from "./response_schema_conformance.ts";
17
+ import { missingRequiredHeader } from "./missing_required_header.ts";
18
+ import { unsupportedMethod } from "./unsupported_method.ts";
19
+ import { ignoredAuth } from "./ignored_auth.ts";
20
+ import { useAfterFree } from "./use_after_free.ts";
21
+ import { ensureResourceAvailability } from "./ensure_resource_availability.ts";
22
+ import { negativeDataRejection } from "./negative_data_rejection.ts";
23
+ import { positiveDataAcceptance } from "./positive_data_acceptance.ts";
24
+ import { crossCallReferences } from "./cross_call_references.ts";
25
+ import { idempotencyReplay } from "./idempotency_replay.ts";
26
+ import { paginationInvariants } from "./pagination_invariants.ts";
27
+ import { lifecycleTransitions } from "./lifecycle_transitions.ts";
28
+ import { openCorsOnSensitive } from "./open_cors_on_sensitive.ts";
29
+ import { rateLimitHeadersAbsent } from "./rate_limit_headers_absent.ts";
30
+ import { cursorBoundaryFuzzing } from "./cursor_boundary_fuzzing.ts";
31
+
32
+ let registered = false;
33
+
34
+ export function registerBuiltinChecks(): void {
35
+ if (registered) return;
36
+ // ARV-1 seed.
37
+ registerCheck(notAServerError);
38
+ // ARV-2 — 6 conformance checks (7 total with the seed).
39
+ registerCheck(statusCodeConformance);
40
+ registerCheck(contentTypeConformance);
41
+ registerCheck(responseHeadersConformance);
42
+ registerCheck(responseSchemaConformance);
43
+ registerCheck(missingRequiredHeader);
44
+ registerCheck(unsupportedMethod);
45
+ // ARV-3 — 3 stateful security checks.
46
+ registerStatefulCheck(ignoredAuth);
47
+ registerStatefulCheck(useAfterFree);
48
+ registerStatefulCheck(ensureResourceAvailability);
49
+ // ARV-4 — 2 data-rejection checks with anti-FP guards.
50
+ registerCheck(negativeDataRejection);
51
+ registerCheck(positiveDataAcceptance);
52
+ // ARV-169 (m-20) — cross-call POST→GET shape-diff probe.
53
+ registerStatefulCheck(crossCallReferences);
54
+ // ARV-170 (m-20) — Idempotency-Key replay probe.
55
+ registerStatefulCheck(idempotencyReplay);
56
+ // ARV-171 (m-20) — cursor pagination invariants.
57
+ registerStatefulCheck(paginationInvariants);
58
+ // ARV-172 (m-20) — declared state-machine + action transitions.
59
+ registerStatefulCheck(lifecycleTransitions);
60
+ // ARV-256 (m-21) — small-team value-add checks.
61
+ registerStatefulCheck(openCorsOnSensitive);
62
+ registerCheck(rateLimitHeadersAbsent);
63
+ // ARV-273 (m-22) — cursor/page-token fuzzing on list endpoints.
64
+ registerStatefulCheck(cursorBoundaryFuzzing);
65
+ registered = true;
66
+ }
67
+
68
+ registerBuiltinChecks();