@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -1,32 +1,48 @@
1
- import { existsSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
2
- import { join } from "node:path";
1
+ import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
2
+ import { dirname, join } from "node:path";
3
3
  import { findWorkspaceRoot } from "../workspace/root.ts";
4
4
 
5
- const FILENAME = ".zond-current";
5
+ /**
6
+ * TASK-290: current-API resolution chain.
7
+ * - Global --api flag is mirrored into ZOND_API_GLOBAL by program.ts preAction.
8
+ * - Users can also export ZOND_API in their shell.
9
+ * - Persisted choice lives in `.zond/current-api` (was `.zond-current`).
10
+ */
11
+ const FILENAME = ".zond/current-api";
6
12
 
7
13
  export function currentApiPath(cwd?: string): string {
8
14
  const base = cwd ?? findWorkspaceRoot().root;
9
15
  return join(base, FILENAME);
10
16
  }
11
17
 
12
- /** Returns the API collection name stored in `.zond-current`, or null when the file is absent or empty. */
18
+ /**
19
+ * Returns the active API name. Resolution order:
20
+ * 1. ZOND_API_GLOBAL (mirrored from `zond --api <name> ...`)
21
+ * 2. ZOND_API (user env)
22
+ * 3. `.zond/current-api` file (set by `zond use <name>`)
23
+ */
13
24
  export function readCurrentApi(cwd?: string): string | null {
25
+ const fromGlobalFlag = process.env.ZOND_API_GLOBAL?.trim();
26
+ if (fromGlobalFlag) return fromGlobalFlag;
27
+ const fromEnv = process.env.ZOND_API?.trim();
28
+ if (fromEnv) return fromEnv;
14
29
  const path = currentApiPath(cwd);
15
30
  if (!existsSync(path)) return null;
16
31
  const raw = readFileSync(path, "utf-8").trim();
17
32
  return raw.length > 0 ? raw : null;
18
33
  }
19
34
 
20
- /** Writes the API collection name to `.zond-current`. The file is single-line plain text. */
35
+ /** Writes the API collection name to `.zond/current-api`. Creates the dir if needed. */
21
36
  export function writeCurrentApi(name: string, cwd?: string): string {
22
37
  const trimmed = name.trim();
23
38
  if (!trimmed) throw new Error("API name cannot be empty");
24
39
  const path = currentApiPath(cwd);
40
+ mkdirSync(dirname(path), { recursive: true });
25
41
  writeFileSync(path, trimmed + "\n", "utf-8");
26
42
  return path;
27
43
  }
28
44
 
29
- /** Deletes `.zond-current`. Returns true when a file was removed, false when it did not exist. */
45
+ /** Deletes `.zond/current-api`. Returns true when a file was removed, false when it did not exist. */
30
46
  export function clearCurrentApi(cwd?: string): boolean {
31
47
  const path = currentApiPath(cwd);
32
48
  if (!existsSync(path)) return false;
@@ -0,0 +1,78 @@
1
+ import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync, statSync } from "node:fs";
2
+ import { join } from "node:path";
3
+ import { findWorkspaceRoot } from "../workspace/root.ts";
4
+
5
+ const SESSION_DIR = ".zond";
6
+ const SESSION_FILE = "current-session";
7
+
8
+ export interface SessionRecord {
9
+ id: string;
10
+ label?: string;
11
+ started_at: string;
12
+ }
13
+
14
+ export function sessionFilePath(cwd?: string): string {
15
+ const base = cwd ?? findWorkspaceRoot().root;
16
+ return join(base, SESSION_DIR, SESSION_FILE);
17
+ }
18
+
19
+ export function readCurrentSession(cwd?: string): SessionRecord | null {
20
+ const path = sessionFilePath(cwd);
21
+ if (!existsSync(path)) return null;
22
+ const raw = readFileSync(path, "utf-8").trim();
23
+ if (!raw) return null;
24
+ try {
25
+ const parsed = JSON.parse(raw) as Partial<SessionRecord>;
26
+ if (typeof parsed.id !== "string" || parsed.id.length === 0) return null;
27
+ return {
28
+ id: parsed.id,
29
+ label: typeof parsed.label === "string" ? parsed.label : undefined,
30
+ started_at: typeof parsed.started_at === "string" ? parsed.started_at : new Date().toISOString(),
31
+ };
32
+ } catch {
33
+ // legacy / hand-edited single-line UUID
34
+ return { id: raw, started_at: new Date().toISOString() };
35
+ }
36
+ }
37
+
38
+ export function writeCurrentSession(record: SessionRecord, cwd?: string): string {
39
+ const path = sessionFilePath(cwd);
40
+ const dir = path.slice(0, path.lastIndexOf("/"));
41
+ if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
42
+ else {
43
+ const st = statSync(dir);
44
+ if (!st.isDirectory()) {
45
+ throw new Error(`${dir} exists and is not a directory; remove it before running 'zond session start'`);
46
+ }
47
+ }
48
+ writeFileSync(path, JSON.stringify(record) + "\n", "utf-8");
49
+ return path;
50
+ }
51
+
52
+ export function clearCurrentSession(cwd?: string): boolean {
53
+ const path = sessionFilePath(cwd);
54
+ if (!existsSync(path)) return false;
55
+ unlinkSync(path);
56
+ return true;
57
+ }
58
+
59
+ /**
60
+ * Resolution order for the session_id used by `zond run`:
61
+ * 1. explicit --session-id flag
62
+ * 2. ZOND_SESSION_ID env var
63
+ * 3. .zond/current-session file (written by `zond session start`)
64
+ *
65
+ * Returns null when none of the three is set.
66
+ */
67
+ export function resolveSessionId(opts: {
68
+ flag?: string | null;
69
+ env?: string | null;
70
+ cwd?: string;
71
+ }): string | null {
72
+ const flag = opts.flag?.trim();
73
+ if (flag) return flag;
74
+ const env = opts.env?.trim();
75
+ if (env) return env;
76
+ const record = readCurrentSession(opts.cwd);
77
+ return record?.id ?? null;
78
+ }
@@ -0,0 +1,216 @@
1
+ /**
2
+ * I/O wrapper around the pure `buildCoverageMatrix` engine — loads the
3
+ * registered API's spec snapshot, parses suites in the workspace to find
4
+ * ephemeral-tagged endpoints, reads `.api-fixtures.yaml` and `.env.yaml`,
5
+ * pulls run results from SQLite, and feeds it all into the engine.
6
+ *
7
+ * Server `/api/coverage`, the HTML exporter, and any future CLI command
8
+ * call this loader so they stay in sync.
9
+ */
10
+ import { join } from "node:path";
11
+ import { existsSync } from "node:fs";
12
+ import { findCollectionByNameOrId, getLatestRunByCollection, getResultsByRunId, getRunById, listRunsBySession, listRunsByCollectionFiltered } from "../../db/queries.ts";
13
+ import type { RunRecord } from "../../db/queries.ts";
14
+ import { assertLocalSpec } from "../setup-api.ts";
15
+ import { readOpenApiSpec, extractEndpoints } from "../generator/openapi-reader.ts";
16
+ import { parseDirectorySafe } from "../parser/yaml-parser.ts";
17
+ import { loadEnvironment } from "../parser/variables.ts";
18
+ import { findWorkspaceRoot } from "../workspace/root.ts";
19
+ import {
20
+ buildCoverageMatrix,
21
+ type CoverageMatrix,
22
+ type BuildMatrixInput,
23
+ } from "./reasons.ts";
24
+
25
+ export interface CoverageLoadOptions {
26
+ apiName: string;
27
+ /** ARV-265: which `run_kind`s contribute to the matrix.
28
+ * - 'test' (default, back-compat) — runs whose `run_kind` is
29
+ * 'regular' OR 'probe' (i.e. anything `zond run` produced). This
30
+ * is what `pass-coverage` / `hit-coverage` have always measured.
31
+ * - 'audit' — every kind (regular | probe | check | request |
32
+ * fixture). Used by `audit-coverage` to answer "did this scan
33
+ * reach the API?" regardless of producer. */
34
+ scope?: "test" | "audit";
35
+ runId?: number;
36
+ /** TASK-255: union across multiple runs (e.g. tests-run + probes-run from
37
+ * the same session). Loader concatenates results from each run before
38
+ * feeding the matrix engine — buildCoverageMatrix is order-agnostic. When
39
+ * set, takes precedence over `runId`. */
40
+ runIds?: number[];
41
+ /** TASK-255: when set, expanded to all runs in the session (filtered to
42
+ * this collection). Wins over `runIds` and `runId`. */
43
+ sessionId?: string;
44
+ /** TASK-274: ISO timestamp lower bound (inclusive) — fold every run of
45
+ * this collection started at-or-after this point. Wins over `runIds`
46
+ * and `runId`, loses to `sessionId`. */
47
+ sinceIso?: string;
48
+ /** TASK-274: tag membership filter — fold every run of this collection
49
+ * whose stored `tags` JSON contains this name. Wins over `runIds`
50
+ * and `runId`, loses to `sessionId` / `sinceIso`. */
51
+ tag?: string;
52
+ profile?: "safe" | "full";
53
+ tagFilter?: string[];
54
+ /** Override workspace root (defaults to findWorkspaceRoot). */
55
+ workspaceRoot?: string;
56
+ }
57
+
58
+ export interface CoverageLoadResult {
59
+ apiName: string;
60
+ baseDir: string;
61
+ specPath: string;
62
+ matrix: CoverageMatrix;
63
+ /** Latest of the runs included in the coverage. Null if no runs found.
64
+ * Kept singular for back-compat; for the full list use `runs`. */
65
+ run: RunRecord | null;
66
+ /** TASK-255: every run that contributed results to this coverage matrix,
67
+ * ordered by started_at ascending. Single-element when no union flags
68
+ * were used. */
69
+ runs: RunRecord[];
70
+ /** TASK-274: which selector resolved the run set, for diagnostics and
71
+ * the JSON envelope (`union_mode`). null when only a single run
72
+ * contributed and no union selector was used. */
73
+ unionMode: "session" | "since" | "tag" | "runs" | null;
74
+ profile: "safe" | "full";
75
+ tagFilter: string[];
76
+ ephemeralCount: number;
77
+ /** ARV-265: scope this matrix was built under. Echoes `options.scope`
78
+ * (default 'test') so dual-metric callers can sanity-check the result. */
79
+ scope: "test" | "audit";
80
+ }
81
+
82
+ async function readFixturesAffected(baseDir: string): Promise<BuildMatrixInput["fixturesAffected"]> {
83
+ const path = join(baseDir, ".api-fixtures.yaml");
84
+ if (!existsSync(path)) return new Map();
85
+ const text = await Bun.file(path).text();
86
+ const parsed = Bun.YAML.parse(text) as { fixtures?: Array<{ name: string; required: boolean; source: string; affectedEndpoints?: string[] }> };
87
+ const out = new Map<string, { name: string; required: boolean; source: string }[]>();
88
+ for (const f of parsed.fixtures ?? []) {
89
+ for (const ep of f.affectedEndpoints ?? []) {
90
+ if (ep === "*") continue;
91
+ const list = out.get(ep) ?? [];
92
+ list.push({ name: f.name, required: f.required, source: f.source });
93
+ out.set(ep, list);
94
+ }
95
+ }
96
+ return out;
97
+ }
98
+
99
+ async function readEphemeralEndpoints(workspaceRoot: string): Promise<Set<string>> {
100
+ const out = new Set<string>();
101
+ const { suites } = await parseDirectorySafe(workspaceRoot);
102
+ for (const suite of suites) {
103
+ if (!suite.tags?.includes("ephemeral")) continue;
104
+ for (const t of suite.tests) out.add(`${t.method.toUpperCase()} ${t.path}`);
105
+ }
106
+ return out;
107
+ }
108
+
109
+ export async function loadCoverage(options: CoverageLoadOptions): Promise<CoverageLoadResult> {
110
+ const root = options.workspaceRoot ?? findWorkspaceRoot().root;
111
+ const collection = findCollectionByNameOrId(options.apiName);
112
+ if (!collection) throw new Error(`API '${options.apiName}' is not registered. Run \`zond add api --spec <path>\`.`);
113
+
114
+ const baseDir = collection.base_dir ?? join(root, "apis", collection.name);
115
+ const specPath = collection.openapi_spec
116
+ ? assertLocalSpec(collection.openapi_spec, collection.name)
117
+ : (() => { throw new Error(`Collection '${collection.name}' has no spec recorded.`); })();
118
+
119
+ const doc = await readOpenApiSpec(specPath);
120
+ const endpoints = extractEndpoints(doc);
121
+
122
+ // Resolve which runs contribute results. Precedence:
123
+ // sessionId > sinceIso > tag > runIds > runId > latest. since:/tag: are
124
+ // filtered to this collection only — the user has named an API, so they
125
+ // want runs of that API, not every collection that happens to share a tag.
126
+ // ARV-265: `scope` toggles which run_kinds survive the post-resolution
127
+ // filter (see CoverageLoadOptions.scope). Default 'test' keeps the
128
+ // pre-ARV-265 semantics (regular + probe rows contribute) so existing
129
+ // CI consumers see no surprise.
130
+ const scope = options.scope ?? "test";
131
+ const allowedKinds: ReadonlySet<string> = scope === "audit"
132
+ ? new Set(["regular", "probe", "check", "request", "fixture"])
133
+ : new Set(["regular", "probe"]);
134
+ let runs: RunRecord[] = [];
135
+ let unionMode: "session" | "since" | "tag" | "runs" | null = null;
136
+ if (options.sessionId) {
137
+ const sessRuns = listRunsBySession(options.sessionId);
138
+ // Include runs whose collection matches AND runs with NULL collection_id —
139
+ // the latter covers probe-suites and ad-hoc runs that didn't tag the API
140
+ // explicitly but still produced results against this session's workdir.
141
+ // Filtering them out makes `coverage --union session` silently show only
142
+ // the test-suite run (the original feedback-12 #F1 symptom).
143
+ runs = sessRuns
144
+ .filter((r) => r.collection_id === collection.id || r.collection_id == null)
145
+ .map((r) => getRunById(r.id))
146
+ .filter((r): r is RunRecord => r !== null);
147
+ unionMode = "session";
148
+ } else if (options.sinceIso) {
149
+ runs = listRunsByCollectionFiltered(collection.id, { since: options.sinceIso });
150
+ unionMode = "since";
151
+ } else if (options.tag) {
152
+ runs = listRunsByCollectionFiltered(collection.id, { tag: options.tag });
153
+ unionMode = "tag";
154
+ } else if (options.runIds && options.runIds.length > 0) {
155
+ runs = options.runIds
156
+ .map((id) => getRunById(id))
157
+ .filter((r): r is RunRecord => r !== null);
158
+ unionMode = "runs";
159
+ } else if (options.runId != null) {
160
+ const r = getRunById(options.runId);
161
+ if (r) runs = [r];
162
+ } else if (scope === "audit") {
163
+ // ARV-265 audit mode latest-fallback: pick the most recent run of any
164
+ // kind so a scan that only ran `checks run` (no `zond run`) still
165
+ // produces a meaningful audit metric.
166
+ const latest = getLatestRunByCollection(collection.id, { runKind: "any" });
167
+ if (latest) runs = [latest];
168
+ } else {
169
+ const latest = getLatestRunByCollection(collection.id);
170
+ if (latest) runs = [latest];
171
+ }
172
+ // ARV-265: post-resolution kind filter. Session/since/tag may have
173
+ // pulled in audit-only kinds (check/request/fixture); the test-scope
174
+ // filter strips them so `pass-coverage` keeps the "curated suites
175
+ // passed" semantics. Audit scope keeps everything.
176
+ runs = runs.filter((r) => allowedKinds.has(r.run_kind));
177
+ const results = runs.flatMap((r) => getResultsByRunId(r.id));
178
+ // `run` (singular) reflects the latest contributing run for back-compat
179
+ // with consumers that only care about a single run label.
180
+ const run = runs.length > 0 ? runs[runs.length - 1]! : null;
181
+
182
+ const fixturesAffected = await readFixturesAffected(baseDir);
183
+ const ephemeralEndpoints = await readEphemeralEndpoints(root);
184
+ const envVarsObj = await loadEnvironment(undefined, baseDir);
185
+ const envVars = new Set(Object.keys(envVarsObj).filter((k) => {
186
+ const v = envVarsObj[k];
187
+ return typeof v === "string" ? v.length > 0 : v != null;
188
+ }));
189
+
190
+ const profile = options.profile ?? "full";
191
+ const tagFilter = options.tagFilter ?? [];
192
+
193
+ const matrix = buildCoverageMatrix({
194
+ endpoints, results, fixturesAffected, envVars, ephemeralEndpoints,
195
+ tagFilter, profile,
196
+ });
197
+
198
+ return {
199
+ apiName: collection.name,
200
+ baseDir,
201
+ specPath,
202
+ matrix,
203
+ run,
204
+ runs,
205
+ unionMode,
206
+ profile,
207
+ tagFilter,
208
+ ephemeralCount: ephemeralEndpoints.size,
209
+ scope,
210
+ };
211
+ }
212
+
213
+ async function listRegisteredApiNames(): Promise<string[]> {
214
+ const { listCollections } = await import("../../db/queries.ts");
215
+ return listCollections().map((c) => c.name);
216
+ }
@@ -0,0 +1,300 @@
1
+ /**
2
+ * Coverage reasons engine — pure function: spec endpoints + run results +
3
+ * workspace context → matrix cells with explicit reason codes.
4
+ *
5
+ * The matrix has rows per endpoint (METHOD path) and three status-class
6
+ * columns (`2xx`, `4xx`, `5xx`). Each cell carries:
7
+ * - status: covered | partial | uncovered
8
+ * - reasons: zero or more codes that explain the cell state
9
+ * - results: stored step results that contributed to this cell
10
+ *
11
+ * "Default" branch is intentionally omitted — extractEndpoints already
12
+ * skips OpenAPI's "default" status code, so making a column for it would
13
+ * be permanently empty and noisy.
14
+ *
15
+ * The function is intentionally I/O-free: callers (server, exporter, CLI)
16
+ * load endpoints/results/fixtures separately and feed them in. This keeps
17
+ * the engine trivial to unit-test.
18
+ */
19
+ import type { EndpointInfo } from "../generator/types.ts";
20
+ import type { StoredStepResult } from "../../db/queries.ts";
21
+
22
+ export type StatusClass = "2xx" | "4xx" | "5xx";
23
+ const STATUS_CLASSES: StatusClass[] = ["2xx", "4xx", "5xx"];
24
+
25
+ export type ReasonCode =
26
+ | "covered"
27
+ | "partial-failed"
28
+ | "not-generated"
29
+ | "no-spec"
30
+ | "deprecated"
31
+ | "no-fixtures"
32
+ | "ephemeral-only"
33
+ | "auth-scope-mismatch"
34
+ | "tag-filtered";
35
+
36
+ export interface CellResultRef {
37
+ resultId: number;
38
+ runId: number;
39
+ status: string;
40
+ responseStatus: number | null;
41
+ failureClass: string | null;
42
+ testName: string;
43
+ suiteFile: string | null;
44
+ }
45
+
46
+ export interface MatrixCell {
47
+ status: "covered" | "partial" | "uncovered";
48
+ reasons: ReasonCode[];
49
+ results: CellResultRef[];
50
+ }
51
+
52
+ export interface MatrixRow {
53
+ endpoint: string;
54
+ method: string;
55
+ path: string;
56
+ tags: string[];
57
+ deprecated: boolean;
58
+ security: string[];
59
+ declaredStatuses: number[];
60
+ cells: Record<StatusClass, MatrixCell>;
61
+ }
62
+
63
+ export interface BuildMatrixInput {
64
+ endpoints: EndpointInfo[];
65
+ results: StoredStepResult[];
66
+ fixturesAffected: Map<string, { name: string; required: boolean; source: string }[]>;
67
+ envVars: Set<string>;
68
+ ephemeralEndpoints: Set<string>;
69
+ tagFilter: string[];
70
+ profile: "safe" | "full";
71
+ }
72
+
73
+ export interface MatrixTotals {
74
+ endpoints: number;
75
+ cells: number;
76
+ covered: number;
77
+ partial: number;
78
+ uncovered: number;
79
+ byReason: Record<ReasonCode, number>;
80
+ }
81
+
82
+ export interface CoverageMatrix {
83
+ rows: MatrixRow[];
84
+ totals: MatrixTotals;
85
+ }
86
+
87
+ function endpointKey(method: string, path: string): string {
88
+ return `${method.toUpperCase()} ${path}`;
89
+ }
90
+
91
+ function classifyStatus(code: number): StatusClass | null {
92
+ if (code >= 200 && code < 300) return "2xx";
93
+ if (code >= 400 && code < 500) return "4xx";
94
+ if (code >= 500 && code < 600) return "5xx";
95
+ return null;
96
+ }
97
+
98
+ /**
99
+ * Build a regex that matches a concrete URL path against an OpenAPI path
100
+ * template. `/pets/{id}` becomes `^/pets/[^/]+$`.
101
+ */
102
+ function specPathToRegex(specPath: string): RegExp {
103
+ const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
104
+ return new RegExp(`^${pattern}$`);
105
+ }
106
+
107
+ function extractPathname(url: string | null): string | null {
108
+ if (!url) return null;
109
+ try {
110
+ const u = new URL(url);
111
+ return u.pathname;
112
+ } catch {
113
+ if (url.startsWith("/")) {
114
+ const q = url.indexOf("?");
115
+ return q === -1 ? url : url.slice(0, q);
116
+ }
117
+ return null;
118
+ }
119
+ }
120
+
121
+ function matchResultToEndpoint(
122
+ result: StoredStepResult,
123
+ endpointsByKey: Map<string, EndpointInfo>,
124
+ endpointsByMethod: Map<string, { ep: EndpointInfo; rx: RegExp }[]>,
125
+ ): EndpointInfo | null {
126
+ const provEp = (result.provenance as Record<string, unknown> | null)?.endpoint;
127
+ if (typeof provEp === "string") {
128
+ const sp = provEp.indexOf(" ");
129
+ const normalised = sp === -1
130
+ ? provEp
131
+ : `${provEp.slice(0, sp).toUpperCase()}${provEp.slice(sp)}`;
132
+ const direct = endpointsByKey.get(normalised);
133
+ if (direct) return direct;
134
+ }
135
+ const method = result.request_method?.toUpperCase();
136
+ if (!method) return null;
137
+ const candidates = endpointsByMethod.get(method);
138
+ if (!candidates) return null;
139
+ const pathname = extractPathname(result.request_url);
140
+ if (!pathname) return null;
141
+ for (const c of candidates) if (c.rx.test(pathname)) return c.ep;
142
+ return null;
143
+ }
144
+
145
+ function pathParamNames(path: string): string[] {
146
+ return [...path.matchAll(/\{([^}]+)\}/g)].map((m) => m[1]!);
147
+ }
148
+
149
+ function hasMissingPathFixtures(
150
+ ep: EndpointInfo,
151
+ fixturesAffected: Map<string, { name: string; required: boolean; source: string }[]>,
152
+ envVars: Set<string>,
153
+ ): boolean {
154
+ const params = pathParamNames(ep.path);
155
+ if (params.length === 0) return false;
156
+ const label = endpointKey(ep.method, ep.path);
157
+ const declared = fixturesAffected.get(label) ?? [];
158
+ // Manifest entry per param? Required + missing = no-fixtures.
159
+ const required = declared.filter((f) => f.source === "path" && f.required);
160
+ for (const f of required) if (!envVars.has(f.name)) return true;
161
+ // Manifest may not enumerate every param when it was generated before this
162
+ // endpoint existed, so also require: every {param} must map to an env var.
163
+ for (const p of params) {
164
+ if (envVars.has(p)) continue;
165
+ const declaredForP = declared.find((f) => f.name === p);
166
+ if (declaredForP && envVars.has(declaredForP.name)) continue;
167
+ return true;
168
+ }
169
+ return false;
170
+ }
171
+
172
+ function hasMissingAuthFixtures(ep: EndpointInfo, envVars: Set<string>): boolean {
173
+ if (ep.security.length === 0) return false;
174
+ // Convention: a security scheme name maps to one of `<name>`, `<name>_token`,
175
+ // or the lowercased `<name>_token` env var. The endpoint is satisfied if
176
+ // *any* of its required schemes has a configured token.
177
+ for (const scheme of ep.security) {
178
+ const variants = [scheme, `${scheme}_token`, `${scheme.toLowerCase()}_token`, "auth_token"];
179
+ if (variants.some((v) => envVars.has(v))) return false;
180
+ }
181
+ return true;
182
+ }
183
+
184
+ function declaredStatusClasses(ep: EndpointInfo): Set<StatusClass> {
185
+ const out = new Set<StatusClass>();
186
+ for (const r of ep.responses) {
187
+ const cls = classifyStatus(r.statusCode);
188
+ if (cls) out.add(cls);
189
+ }
190
+ return out;
191
+ }
192
+
193
+ export function buildCoverageMatrix(input: BuildMatrixInput): CoverageMatrix {
194
+ const endpointsByKey = new Map<string, EndpointInfo>();
195
+ const endpointsByMethod = new Map<string, { ep: EndpointInfo; rx: RegExp }[]>();
196
+ for (const ep of input.endpoints) {
197
+ endpointsByKey.set(endpointKey(ep.method, ep.path), ep);
198
+ const method = ep.method.toUpperCase();
199
+ const list = endpointsByMethod.get(method) ?? [];
200
+ list.push({ ep, rx: specPathToRegex(ep.path) });
201
+ endpointsByMethod.set(method, list);
202
+ }
203
+
204
+ // Bucket results: key = "METHOD path" → statusClass → list of refs.
205
+ const buckets = new Map<string, Record<StatusClass, CellResultRef[]>>();
206
+ for (const r of input.results) {
207
+ const ep = matchResultToEndpoint(r, endpointsByKey, endpointsByMethod);
208
+ if (!ep) continue;
209
+ const key = endpointKey(ep.method, ep.path);
210
+ let bucket = buckets.get(key);
211
+ if (!bucket) {
212
+ bucket = { "2xx": [], "4xx": [], "5xx": [] };
213
+ buckets.set(key, bucket);
214
+ }
215
+ if (r.response_status == null) continue;
216
+ const cls = classifyStatus(r.response_status);
217
+ if (!cls) continue;
218
+ bucket[cls].push({
219
+ resultId: r.id,
220
+ runId: r.run_id,
221
+ status: r.status,
222
+ responseStatus: r.response_status,
223
+ failureClass: r.failure_class,
224
+ testName: r.test_name,
225
+ suiteFile: r.suite_file,
226
+ });
227
+ }
228
+
229
+ const totals: MatrixTotals = {
230
+ endpoints: input.endpoints.length,
231
+ cells: 0,
232
+ covered: 0,
233
+ partial: 0,
234
+ uncovered: 0,
235
+ byReason: {
236
+ "covered": 0, "partial-failed": 0, "not-generated": 0, "no-spec": 0,
237
+ "deprecated": 0, "no-fixtures": 0, "ephemeral-only": 0,
238
+ "auth-scope-mismatch": 0, "tag-filtered": 0,
239
+ },
240
+ };
241
+
242
+ const filterTags = new Set(input.tagFilter);
243
+ const rows: MatrixRow[] = input.endpoints.map((ep) => {
244
+ const key = endpointKey(ep.method, ep.path);
245
+ const bucket = buckets.get(key) ?? { "2xx": [], "4xx": [], "5xx": [] };
246
+ const declared = declaredStatusClasses(ep);
247
+ const tagFiltered = filterTags.size > 0 && !ep.tags.some((t) => filterTags.has(t));
248
+ const cells: Record<StatusClass, MatrixCell> = { "2xx": null!, "4xx": null!, "5xx": null!};
249
+
250
+ for (const cls of STATUS_CLASSES) {
251
+ const refs = bucket[cls];
252
+ const passing = refs.some((r) => r.status === "pass");
253
+ const failing = refs.some((r) => r.status !== "pass");
254
+ const reasons: ReasonCode[] = [];
255
+ let cellStatus: MatrixCell["status"];
256
+ if (passing && !failing) {
257
+ cellStatus = "covered";
258
+ reasons.push("covered");
259
+ } else if (passing && failing) {
260
+ cellStatus = "covered";
261
+ reasons.push("covered", "partial-failed");
262
+ } else if (failing) {
263
+ cellStatus = "partial";
264
+ reasons.push("partial-failed");
265
+ } else {
266
+ cellStatus = "uncovered";
267
+ if (!declared.has(cls)) reasons.push("no-spec");
268
+ if (ep.deprecated) reasons.push("deprecated");
269
+ if (input.ephemeralEndpoints.has(key) && input.profile === "safe") reasons.push("ephemeral-only");
270
+ if (tagFiltered) reasons.push("tag-filtered");
271
+ if (hasMissingPathFixtures(ep, input.fixturesAffected, input.envVars)) reasons.push("no-fixtures");
272
+ if (hasMissingAuthFixtures(ep, input.envVars)) reasons.push("auth-scope-mismatch");
273
+ if (reasons.length === 0) reasons.push("not-generated");
274
+ }
275
+ // Always tag deprecated even on covered cells — it's an awareness flag.
276
+ if (ep.deprecated && !reasons.includes("deprecated")) reasons.push("deprecated");
277
+
278
+ cells[cls] = { status: cellStatus, reasons, results: refs };
279
+
280
+ totals.cells += 1;
281
+ if (cellStatus === "covered") totals.covered += 1;
282
+ else if (cellStatus === "partial") totals.partial += 1;
283
+ else totals.uncovered += 1;
284
+ for (const code of reasons) totals.byReason[code] += 1;
285
+ }
286
+
287
+ return {
288
+ endpoint: key,
289
+ method: ep.method.toUpperCase(),
290
+ path: ep.path,
291
+ tags: ep.tags,
292
+ deprecated: !!ep.deprecated,
293
+ security: ep.security,
294
+ declaredStatuses: ep.responses.map((r) => r.statusCode).sort((a, b) => a - b),
295
+ cells,
296
+ };
297
+ });
298
+
299
+ return { rows, totals };
300
+ }