@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -1,17 +1,11 @@
1
1
  /**
2
- * Failure classification and diagnostic hints.
3
- * Extracted from query-db.ts for reuse in Web UI.
2
+ * Failure classification closed-enum `recommended_action`.
3
+ * ARV-338: prose hints (statusHint/envHint/softDeleteHint/schemaHint,
4
+ * env_issue clustering, auth_hint, agent_directive) removed — the agent
5
+ * triages by enum + raw evidence, not by heuristic guess-text.
4
6
  */
5
7
 
6
- export function statusHint(status: number | null | undefined): string | null {
7
- if (!status) return null;
8
- if (status >= 500) return "Server-side error — inspect response_body for errorMessage/errorDetail; likely a backend bug";
9
- if (status === 401 || status === 403) return "Auth failure — check auth_token/api_key in .env.yaml";
10
- if (status === 404) return "Resource not found — verify the path and ID";
11
- if (status === 400 || status === 422) return "Validation error — check request body fields match the schema";
12
- if (status === 429) return "Rate limited — too many requests. Consider consolidating auth/login steps or adding delays between suites";
13
- return null;
14
- }
8
+ import { classify } from "../classifier/recommended-action.ts";
15
9
 
16
10
  export function classifyFailure(status: string, responseStatus: number | null): "api_error" | "assertion_failed" | "network_error" {
17
11
  if (status === "error" && (responseStatus === null || responseStatus < 500)) return "network_error";
@@ -19,95 +13,100 @@ export function classifyFailure(status: string, responseStatus: number | null):
19
13
  return "assertion_failed";
20
14
  }
21
15
 
22
- export function envHint(url: string | null, errorMessage: string | null, envFilePath?: string): string | null {
23
- const envFile = envFilePath ? envFilePath : ".env.yaml in your API directory";
24
-
25
- if (url && /\{\{[^}]+\}\}/.test(url)) {
26
- return `URL contains unresolved variable: "${url}" — variable name may not match the key in ${envFile}`;
27
- }
28
- if (url && !url.startsWith("http://") && !url.startsWith("https://")) {
29
- return `base_url is not set or empty — URL resolved to "${url}". Add base_url to ${envFile}`;
30
- }
31
- if (errorMessage?.includes("base_url is not configured")) {
32
- return `base_url is missing or empty. Add base_url: https://your-api.com to ${envFile}`;
33
- }
34
- if (errorMessage?.includes("URL is invalid") || errorMessage?.includes("Failed to parse URL")) {
35
- return `URL is malformed — likely base_url is empty or invalid. Check base_url in ${envFile}`;
36
- }
37
- return null;
38
- }
39
-
40
16
  export type RecommendedAction =
41
17
  | "report_backend_bug"
42
18
  | "fix_auth_config"
43
19
  | "fix_test_logic"
44
- | "fix_network_config";
20
+ | "fix_network_config"
21
+ | "fix_env"
22
+ /** Fix the OpenAPI spec — emitted by lint-spec.Issue (TASK-294) and
23
+ * by `status_code_conformance` / `*_conformance` checks (ARV-11). */
24
+ | "fix_spec"
25
+ /** Add or correct a fixture in .env.yaml — emitted by discover for
26
+ * miss-* states (TASK-294). */
27
+ | "fix_fixture"
28
+ /** ARV-42 — generator-emitted suite produced a body the API rejected
29
+ * (4xx with validation hint). Editing the YAML is wrong: the next
30
+ * `zond generate` would clobber it. Re-run generate (or refine the
31
+ * spec/.api-resources hints) instead. */
32
+ | "regenerate_suite"
33
+ /** ARV-11 — server accepted an invalid request body. Backend should
34
+ * reject earlier; the test isn't wrong. */
35
+ | "tighten_validation"
36
+ /** ARV-11 — server didn't enforce a header marked `required: true`
37
+ * in the spec. Either enforce it, or drop `required` in the spec. */
38
+ | "add_required_header"
39
+ /** ARV-11 — known limitation that the team has accepted. Agents
40
+ * should not retry, file a bug, or include in dashboards. */
41
+ | "wontfix_known_limitation";
45
42
 
46
43
  export function recommendedAction(
47
44
  failureType: "api_error" | "assertion_failed" | "network_error",
48
45
  responseStatus: number | null,
49
46
  ): RecommendedAction {
50
- if (failureType === "api_error") return "report_backend_bug";
51
- if (failureType === "network_error") {
52
- if (responseStatus === 401 || responseStatus === 403) return "fix_auth_config";
53
- return "fix_network_config";
54
- }
55
- // assertion_failed
56
- if (responseStatus === 401 || responseStatus === 403) return "fix_auth_config";
57
- return "fix_test_logic";
58
- }
59
-
60
- export function envCategory(hint: string | undefined): string | null {
61
- if (!hint) return null;
62
- if (hint.includes("base_url is not set") || hint.includes("base_url is missing") || hint.includes("base_url is not configured")) return "base_url_missing";
63
- if (hint.includes("unresolved variable")) return "unresolved_variable";
64
- if (hint.includes("URL is malformed")) return "url_malformed";
65
- return null;
66
- }
67
-
68
- export function schemaHint(
69
- failureType: string,
70
- responseStatus: number | null | undefined,
71
- ): string | null {
72
- if (failureType === "assertion_failed" || responseStatus === 400 || responseStatus === 422) {
73
- return "Use describe_endpoint(specPath, method, path) to verify expected request/response schema";
74
- }
75
- return null;
47
+ // ARV-56: delegate to the single classifier.
48
+ const action = classify({
49
+ finding_class: failureType === "api_error" ? "test:api_error" :
50
+ failureType === "network_error" ? "test:network_error" : "test:assertion_failed",
51
+ status: responseStatus,
52
+ });
53
+ // The three failure_type classes are total in the classifier — a missing
54
+ // branch means a future refactor stripped one; surface loudly.
55
+ if (!action) throw new Error(`classifier returned no action for failure_type=${failureType} status=${responseStatus}`);
56
+ return action;
76
57
  }
77
58
 
78
- export function softDeleteHint(
79
- actualStatus: number | null | undefined,
80
- requestMethod: string | null | undefined,
81
- responseBody: unknown,
82
- ): string | null {
83
- if (actualStatus !== 200 || requestMethod?.toUpperCase() !== "GET") return null;
84
- if (responseBody && typeof responseBody === "object") {
85
- const hasStatusField =
86
- "status" in (responseBody as object) ||
87
- "state" in (responseBody as object) ||
88
- "deleted" in (responseBody as object) ||
89
- "is_deleted" in (responseBody as object);
90
- if (hasStatusField) {
91
- return 'GET returned 200 with a status/state field after DELETE — likely soft delete. Update the test: remove the "Verify deleted 404" step and instead assert the status field value (e.g. status: "cancelled")';
92
- }
93
- }
94
- return null;
59
+ /**
60
+ * ARV-42: extended recommender that knows whether the failing test was
61
+ * emitted by `zond generate`. For generated suites, "fix_test_logic" is
62
+ * actively misleading — the generated YAML carries the header
63
+ * "⚠️ Edits will be overwritten on regenerate" and the next `zond audit`
64
+ * really does clobber manual edits. Branch into the actually-actionable
65
+ * remediation instead.
66
+ *
67
+ * - 4xx (400/422) regenerate_suite: the body the generator emitted
68
+ * didn't pass validation; either re-run generate (so newer heuristics
69
+ * apply, e.g. ARV-38 default-string) or tighten .api-resources hints.
70
+ * - 404 fix_fixture: a path-param resolved to an empty / stale id
71
+ * in .env.yaml; `prepare-fixtures --seed` is the correct remedy.
72
+ * - everything elsefalls back to recommendedAction (auth 401/403,
73
+ * api_error → 5xx, etc.).
74
+ *
75
+ * `isGenerated` is the heuristic from db-analysis: provenance.type
76
+ * "openapi-generated" OR suite_file under apis/<api>/tests/.
77
+ */
78
+ export function recommendedActionForGenerated(
79
+ failureType: "api_error" | "assertion_failed" | "network_error",
80
+ responseStatus: number | null,
81
+ isGenerated: boolean,
82
+ schemaViolation = false,
83
+ ): RecommendedAction {
84
+ // ARV-56: delegate to classifier. `isGenerated` is encoded via a
85
+ // synthetic suite_path so the same logic flows through classify().
86
+ // ARV-103 (F8): `schemaViolation` propagates the assertion-kind flag —
87
+ // when true, the classifier's "treat schema bugs like 5xx" branch wins
88
+ // over the generator's regenerate_suite default.
89
+ const action = classify({
90
+ finding_class: failureType === "api_error" ? "test:api_error" :
91
+ failureType === "network_error" ? "test:network_error" : "test:assertion_failed",
92
+ status: responseStatus,
93
+ ...(isGenerated ? { suite_path: "apis/_/tests/_.yaml" } : {}),
94
+ ...(schemaViolation ? { schema_violation: true } : {}),
95
+ });
96
+ if (!action) throw new Error(`classifier returned no action for failure_type=${failureType} status=${responseStatus}`);
97
+ return action;
95
98
  }
96
99
 
97
- export function computeSharedEnvIssue(
98
- failures: Array<{ hint?: string }>,
99
- envFilePath?: string,
100
- ): string | null {
101
- const categories = new Set(failures.map(f => envCategory(f.hint)).filter(Boolean));
102
- if (categories.size !== 1) return null;
103
-
104
- const envFile = envFilePath ?? ".env.yaml";
105
- if (categories.has("base_url_missing")) {
106
- return `All failures: base_url is not set — add base_url to ${envFile}`;
107
- }
108
- if (categories.has("unresolved_variable")) {
109
- return `All failures: some variables are not substituted — check variable names in ${envFile}`;
110
- }
111
- // url_malformed
112
- return [...failures.map(f => f.hint).filter(Boolean)][0] ?? null;
100
+ /** ARV-42: classify a failing result row as generator-emitted. The two
101
+ * signals are independent provenance is missing on older runs, while
102
+ * suite_file disambiguates against ad-hoc YAMLs the user dropped into
103
+ * apis/<api>/tests/ themselves (rare but supported). */
104
+ export function isGeneratedTest(
105
+ provenance: { type?: string; generator?: string } | null | undefined,
106
+ suite_file: string | null | undefined,
107
+ ): boolean {
108
+ if (provenance?.type === "openapi-generated") return true;
109
+ if (provenance?.generator && provenance.generator.toLowerCase().includes("zond")) return true;
110
+ if (typeof suite_file === "string" && /(^|\/)apis\/[^/]+\/tests\//.test(suite_file)) return true;
111
+ return false;
113
112
  }
@@ -0,0 +1,99 @@
1
+ /**
2
+ * TASK-102: build a JSON Pointer (RFC 6901) into the OpenAPI document for the
3
+ * response branch a step exercises, plus a small excerpt of the schema at that
4
+ * pointer. The excerpt is captured at run time and frozen into the DB so that
5
+ * later spec edits can't rewrite history.
6
+ *
7
+ * Inputs come from {@link SourceMetadata} populated by TASK-100:
8
+ * - `endpoint` e.g. "POST /webhooks"
9
+ * - `response_branch` e.g. "422" or "400|422" (first wins for the pointer)
10
+ */
11
+
12
+ import type { SourceMetadata } from "../parser/types.ts";
13
+
14
+ export interface SpecPointer {
15
+ pointer: string;
16
+ excerpt: string;
17
+ }
18
+
19
+ const EXCERPT_MAX_BYTES = 500;
20
+
21
+ function escapeJsonPointerSegment(s: string): string {
22
+ return s.replace(/~/g, "~0").replace(/\//g, "~1");
23
+ }
24
+
25
+ function parseEndpoint(endpoint: string): { method: string; path: string } | null {
26
+ const m = endpoint.match(/^([A-Z]+)\s+(\/.*)$/);
27
+ if (!m) return null;
28
+ return { method: m[1]!.toLowerCase(), path: m[2]! };
29
+ }
30
+
31
+ function pickPrimaryStatus(responseBranch: string | undefined): string | null {
32
+ if (!responseBranch) return null;
33
+ const first = responseBranch.split(/[|,\s]/).find((s) => /^\d{3}$/.test(s));
34
+ return first ?? null;
35
+ }
36
+
37
+ function trimExcerpt(json: string): string {
38
+ if (json.length <= EXCERPT_MAX_BYTES) return json;
39
+ return json.slice(0, EXCERPT_MAX_BYTES) + "\n…[truncated]";
40
+ }
41
+
42
+ /**
43
+ * Resolve the response operation in the OpenAPI document and produce a pointer
44
+ * + frozen excerpt. Returns `null` if any link in the chain is missing — caller
45
+ * persists `null` rather than crashing.
46
+ */
47
+ export function buildSpecPointer(
48
+ source: SourceMetadata | null | undefined,
49
+ openApiDoc: unknown,
50
+ ): SpecPointer | null {
51
+ if (!source || !openApiDoc || typeof openApiDoc !== "object") return null;
52
+ if (typeof source.endpoint !== "string") return null;
53
+
54
+ const parsed = parseEndpoint(source.endpoint);
55
+ if (!parsed) return null;
56
+ const status = pickPrimaryStatus(source.response_branch ?? undefined);
57
+ if (!status) return null;
58
+
59
+ const doc = openApiDoc as Record<string, unknown>;
60
+ const paths = doc.paths as Record<string, unknown> | undefined;
61
+ if (!paths || typeof paths !== "object") return null;
62
+
63
+ const pathItem = paths[parsed.path] as Record<string, unknown> | undefined;
64
+ if (!pathItem || typeof pathItem !== "object") return null;
65
+
66
+ const operation = pathItem[parsed.method] as Record<string, unknown> | undefined;
67
+ if (!operation || typeof operation !== "object") return null;
68
+
69
+ const responses = operation.responses as Record<string, unknown> | undefined;
70
+ if (!responses || typeof responses !== "object") return null;
71
+
72
+ const response = (responses[status] ?? responses.default) as Record<string, unknown> | undefined;
73
+ if (!response || typeof response !== "object") return null;
74
+
75
+ const escapedPath = escapeJsonPointerSegment(parsed.path);
76
+ let pointer = `#/paths/${escapedPath}/${parsed.method}/responses/${status}`;
77
+ let excerptValue: unknown = response;
78
+
79
+ // Drill into application/json schema when available — that's the most useful
80
+ // surface for UI rendering ("backend promised X, returned Y").
81
+ const content = response.content as Record<string, unknown> | undefined;
82
+ if (content && typeof content === "object") {
83
+ const jsonMedia = (content["application/json"] ?? content["application/json; charset=utf-8"]) as
84
+ | Record<string, unknown>
85
+ | undefined;
86
+ if (jsonMedia && typeof jsonMedia === "object" && "schema" in jsonMedia) {
87
+ pointer += "/content/application~1json/schema";
88
+ excerptValue = jsonMedia.schema;
89
+ }
90
+ }
91
+
92
+ let excerpt: string;
93
+ try {
94
+ excerpt = JSON.stringify(excerptValue, null, 2);
95
+ } catch {
96
+ excerpt = String(excerptValue);
97
+ }
98
+ return { pointer, excerpt: trimExcerpt(excerpt) };
99
+ }
@@ -0,0 +1,155 @@
1
+ /**
2
+ * TASK-29: actionable "Suggested fixes" surfaces for `zond db diagnose`.
3
+ *
4
+ * The base diagnose envelope already classifies failures and wires
5
+ * recommended_action. This layer adds two concrete, fixable signals that
6
+ * the LLM agent can act on without a second round-trip:
7
+ *
8
+ * 1. Placeholder path-params on 404s — when a 404 hits a URL that still
9
+ * contains literal example/placeholder values (`example`, all-zeros
10
+ * UUID, `your-…-here`, `00000000-…`, …), surface the exact path
11
+ * segment that's broken plus the variable name we'd expect (best-effort
12
+ * from the segment shape).
13
+ *
14
+ * 2. Untilled .env.yaml keys — read the API's .env.yaml and flag values
15
+ * that are empty, `<TODO>`, `example`, `null`, or look like
16
+ * placeholders (`replace-me`, `your-...`). These block CRUD sweeps
17
+ * silently — without them, the agent can't tell apart "value missing"
18
+ * from "value present and wrong".
19
+ */
20
+ import { existsSync, readFileSync } from "node:fs";
21
+ import { parse as parseYaml } from "yaml";
22
+
23
+ export type SuggestedFixKind =
24
+ | "placeholder_path_param"
25
+ | "unfilled_env_key";
26
+
27
+ export interface SuggestedFix {
28
+ kind: SuggestedFixKind;
29
+ /** When `kind=unfilled_env_key`: the key name. When `kind=placeholder_path_param`:
30
+ * the path segment that looks like a placeholder. */
31
+ key: string;
32
+ message: string;
33
+ /** File path the user should edit (usually the API's .env.yaml). */
34
+ source?: string;
35
+ /** Optional one-line example of what to put there. */
36
+ example?: string;
37
+ }
38
+
39
+ const PLACEHOLDER_PATTERNS: Array<{ re: RegExp; reason: string }> = [
40
+ { re: /^example$/i, reason: "literal `example`" },
41
+ { re: /^placeholder$/i, reason: "literal `placeholder`" },
42
+ { re: /^your-[\w-]+-here$/i, reason: "`your-…-here` placeholder" },
43
+ { re: /^00000000-0000-0000-0000-0+(?:beef|dead|cafe|f00d|0+)$/i, reason: "all-zero / sentinel UUID" },
44
+ { re: /^0+$/, reason: "all-zero numeric id" },
45
+ { re: /^replace-me$/i, reason: "`replace-me` placeholder" },
46
+ ];
47
+
48
+ const ENV_PLACEHOLDER_PATTERNS: Array<{ re: RegExp; reason: string }> = [
49
+ { re: /^<.*>$/, reason: "TODO / angle-bracket placeholder" },
50
+ { re: /^example$/i, reason: "literal `example`" },
51
+ { re: /^placeholder$/i, reason: "literal `placeholder`" },
52
+ { re: /^your-[\w-]+-here$/i, reason: "`your-…-here` placeholder" },
53
+ { re: /^replace-?me$/i, reason: "`replace-me` placeholder" },
54
+ { re: /^<TODO>$/i, reason: "explicit TODO" },
55
+ ];
56
+
57
+ /** Identify path segments that look like placeholders. Used on 404 URLs. */
58
+ export function detectPlaceholderSegments(url: string | null): Array<{ segment: string; reason: string }> {
59
+ if (!url) return [];
60
+ let pathname: string;
61
+ try {
62
+ pathname = url.startsWith("http") ? new URL(url).pathname : url.split("?")[0]!;
63
+ } catch {
64
+ pathname = url;
65
+ }
66
+ const out: Array<{ segment: string; reason: string }> = [];
67
+ for (const seg of pathname.split("/").filter(Boolean)) {
68
+ for (const { re, reason } of PLACEHOLDER_PATTERNS) {
69
+ if (re.test(seg)) {
70
+ out.push({ segment: seg, reason });
71
+ break;
72
+ }
73
+ }
74
+ }
75
+ return out;
76
+ }
77
+
78
+ /** Read .env.yaml and return keys whose value is empty/null/placeholder-shaped. */
79
+ export function findUnfilledEnvKeys(envFilePath: string | undefined): SuggestedFix[] {
80
+ if (!envFilePath || !existsSync(envFilePath)) return [];
81
+ let parsed: unknown;
82
+ try {
83
+ parsed = parseYaml(readFileSync(envFilePath, "utf-8"));
84
+ } catch {
85
+ return [];
86
+ }
87
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return [];
88
+
89
+ const out: SuggestedFix[] = [];
90
+ for (const [key, val] of Object.entries(parsed as Record<string, unknown>)) {
91
+ const reason = classifyEnvValue(val);
92
+ if (reason) {
93
+ out.push({
94
+ kind: "unfilled_env_key",
95
+ key,
96
+ message: `\`${key}\` in ${envFilePath} is unfilled (${reason}). Set it to a real value before re-running.`,
97
+ source: envFilePath,
98
+ });
99
+ }
100
+ }
101
+ return out;
102
+ }
103
+
104
+ function classifyEnvValue(val: unknown): string | null {
105
+ if (val === null || val === undefined) return "null / missing";
106
+ if (typeof val === "string") {
107
+ const trimmed = val.trim();
108
+ if (trimmed === "") return "empty string";
109
+ for (const { re, reason } of ENV_PLACEHOLDER_PATTERNS) {
110
+ if (re.test(trimmed)) return reason;
111
+ }
112
+ }
113
+ return null;
114
+ }
115
+
116
+ export interface BuildSuggestedFixesInput {
117
+ failures: Array<{
118
+ response_status: number | null;
119
+ request_url: string | null;
120
+ suite_name: string;
121
+ test_name: string;
122
+ }>;
123
+ envFilePath?: string;
124
+ }
125
+
126
+ /**
127
+ * Combine placeholder-detection across all 404 failures + env-yaml audit
128
+ * into a single deduplicated list of fixes the agent should apply before
129
+ * re-running.
130
+ */
131
+ export function buildSuggestedFixes(input: BuildSuggestedFixesInput): SuggestedFix[] {
132
+ const fixes: SuggestedFix[] = [];
133
+ const seenSegments = new Set<string>();
134
+
135
+ for (const f of input.failures) {
136
+ if (f.response_status !== 404) continue;
137
+ for (const ph of detectPlaceholderSegments(f.request_url)) {
138
+ const dedupeKey = `seg:${ph.segment}`;
139
+ if (seenSegments.has(dedupeKey)) continue;
140
+ seenSegments.add(dedupeKey);
141
+ fixes.push({
142
+ kind: "placeholder_path_param",
143
+ key: ph.segment,
144
+ message:
145
+ `404 on \`${f.request_url}\` — path segment \`${ph.segment}\` is a ${ph.reason}. ` +
146
+ `Replace with a real id from the live API (e.g. \`zond prepare-fixtures --apply\`) ` +
147
+ `or set the corresponding fixture in ${input.envFilePath ?? ".env.yaml"}.`,
148
+ source: input.envFilePath,
149
+ });
150
+ }
151
+ }
152
+
153
+ fixes.push(...findUnfilledEnvKeys(input.envFilePath));
154
+ return fixes;
155
+ }