@kirrosh/zond 0.22.0 → 0.26.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +811 -0
- package/README.md +59 -6
- package/package.json +9 -7
- package/src/CLAUDE.md +112 -0
- package/src/cli/argv.ts +122 -0
- package/src/cli/commands/add-api.ts +146 -0
- package/src/cli/commands/api/annotate/idempotency.ts +59 -0
- package/src/cli/commands/api/annotate/index.ts +880 -0
- package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
- package/src/cli/commands/api/annotate/overlay.ts +206 -0
- package/src/cli/commands/api/annotate/pagination.ts +64 -0
- package/src/cli/commands/api/annotate/prompts.ts +220 -0
- package/src/cli/commands/api/annotate/readback.ts +58 -0
- package/src/cli/commands/api/annotate/resources.ts +91 -0
- package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
- package/src/cli/commands/audit.ts +786 -0
- package/src/cli/commands/catalog.ts +35 -0
- package/src/cli/commands/check.ts +361 -0
- package/src/cli/commands/checks.ts +1072 -0
- package/src/cli/commands/ci-init.ts +43 -0
- package/src/cli/commands/clean.ts +212 -0
- package/src/cli/commands/cleanup.ts +236 -0
- package/src/cli/commands/completions.ts +16 -0
- package/src/cli/commands/coverage.ts +823 -132
- package/src/cli/commands/db.ts +486 -12
- package/src/cli/commands/describe.ts +37 -2
- package/src/cli/commands/discover.ts +1356 -0
- package/src/cli/commands/doctor.ts +661 -0
- package/src/cli/commands/fixtures.ts +402 -0
- package/src/cli/commands/generate.ts +438 -47
- package/src/cli/commands/init/bootstrap.ts +34 -2
- package/src/cli/commands/{init.ts → init/index.ts} +99 -5
- package/src/cli/commands/init/skills.ts +99 -3
- package/src/cli/commands/init/templates/agents.md +77 -64
- package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
- package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
- package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
- package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
- package/src/cli/commands/init/templates/skills/zond.md +802 -125
- package/src/cli/commands/init/templates/zond-config.yml +8 -9
- package/src/cli/commands/prepare-fixtures.ts +97 -0
- package/src/cli/commands/probe/_seed-bodies.ts +52 -0
- package/src/cli/commands/probe/mass-assignment.ts +594 -0
- package/src/cli/commands/probe/security.ts +537 -0
- package/src/cli/commands/probe/static.ts +255 -0
- package/src/cli/commands/probe/webhooks.ts +163 -0
- package/src/cli/commands/probe.ts +535 -0
- package/src/cli/commands/reference.ts +87 -0
- package/src/cli/commands/refresh-api.ts +227 -0
- package/src/cli/commands/remove-api.ts +150 -0
- package/src/cli/commands/report-bundle.ts +310 -0
- package/src/cli/commands/report.ts +241 -0
- package/src/cli/commands/request.ts +495 -4
- package/src/cli/commands/run.ts +870 -53
- package/src/cli/commands/schema-from-runs.ts +128 -0
- package/src/cli/commands/secrets.ts +133 -0
- package/src/cli/commands/session.ts +244 -0
- package/src/cli/commands/use.ts +18 -1
- package/src/cli/index.ts +20 -3
- package/src/cli/json-envelope.ts +92 -3
- package/src/cli/json-schemas.ts +314 -0
- package/src/cli/output.ts +17 -1
- package/src/cli/program.ts +199 -635
- package/src/cli/resolve.ts +105 -0
- package/src/cli/safe-live.ts +24 -0
- package/src/cli/status-filter.ts +114 -0
- package/src/cli/util/api-context.ts +85 -0
- package/src/cli/version.ts +5 -0
- package/src/core/audit/persist.ts +183 -0
- package/src/core/checks/budget.ts +59 -0
- package/src/core/checks/checks/_crud-helpers.ts +133 -0
- package/src/core/checks/checks/_negative_mutator.ts +133 -0
- package/src/core/checks/checks/_readback-helpers.ts +133 -0
- package/src/core/checks/checks/content_type_conformance.ts +39 -0
- package/src/core/checks/checks/cross_call_references.ts +147 -0
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
- package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
- package/src/core/checks/checks/idempotency_replay.ts +242 -0
- package/src/core/checks/checks/ignored_auth.ts +254 -0
- package/src/core/checks/checks/index.ts +68 -0
- package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
- package/src/core/checks/checks/missing_required_header.ts +40 -0
- package/src/core/checks/checks/negative_data_rejection.ts +148 -0
- package/src/core/checks/checks/not_a_server_error.ts +35 -0
- package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
- package/src/core/checks/checks/pagination_invariants.ts +419 -0
- package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
- package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
- package/src/core/checks/checks/response_headers_conformance.ts +74 -0
- package/src/core/checks/checks/response_schema_conformance.ts +30 -0
- package/src/core/checks/checks/status_code_conformance.ts +132 -0
- package/src/core/checks/checks/unsupported_method.ts +63 -0
- package/src/core/checks/checks/use_after_free.ts +78 -0
- package/src/core/checks/index.ts +30 -0
- package/src/core/checks/mode.ts +82 -0
- package/src/core/checks/recommended-action.ts +68 -0
- package/src/core/checks/registry.ts +78 -0
- package/src/core/checks/runner.ts +1461 -0
- package/src/core/checks/sarif.ts +230 -0
- package/src/core/checks/spec-findings.ts +308 -0
- package/src/core/checks/stateful.ts +121 -0
- package/src/core/checks/types.ts +305 -0
- package/src/core/checks/zond-extensions.ts +73 -0
- package/src/core/classifier/recommended-action.ts +251 -0
- package/src/core/context/current.ts +22 -6
- package/src/core/context/session.ts +78 -0
- package/src/core/coverage/loader.ts +216 -0
- package/src/core/coverage/reasons.ts +300 -0
- package/src/core/diagnostics/db-analysis.ts +293 -59
- package/src/core/diagnostics/failure-class.ts +140 -0
- package/src/core/diagnostics/failure-hints.ts +88 -89
- package/src/core/diagnostics/spec-pointer.ts +99 -0
- package/src/core/diagnostics/suggested-fixes.ts +155 -0
- package/src/core/exporter/case-study/index.ts +270 -0
- package/src/core/exporter/curl.ts +40 -0
- package/src/core/exporter/exporter.ts +48 -0
- package/src/core/exporter/html-report/escape.ts +24 -0
- package/src/core/exporter/html-report/index.ts +479 -0
- package/src/core/exporter/html-report/script.ts +100 -0
- package/src/core/exporter/html-report/styles.ts +408 -0
- package/src/core/generator/chunker.ts +38 -19
- package/src/core/generator/coverage-phase.ts +0 -0
- package/src/core/generator/data-factory.ts +586 -22
- package/src/core/generator/describe.ts +1 -1
- package/src/core/generator/fixtures-builder.ts +332 -0
- package/src/core/generator/index.ts +5 -5
- package/src/core/generator/openapi-reader.ts +135 -7
- package/src/core/generator/path-param-disambig.ts +140 -0
- package/src/core/generator/resources-builder.ts +898 -0
- package/src/core/generator/schema-utils.ts +33 -3
- package/src/core/generator/serializer.ts +103 -13
- package/src/core/generator/suite-generator.ts +583 -122
- package/src/core/generator/types.ts +14 -0
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/lint/affects.ts +28 -0
- package/src/core/lint/config.ts +96 -0
- package/src/core/lint/format.ts +42 -0
- package/src/core/lint/index.ts +94 -0
- package/src/core/lint/reporter.ts +128 -0
- package/src/core/lint/rules/consistency.ts +158 -0
- package/src/core/lint/rules/heuristics.ts +97 -0
- package/src/core/lint/rules/strictness.ts +109 -0
- package/src/core/lint/types.ts +96 -0
- package/src/core/lint/walker.ts +248 -0
- package/src/core/meta/meta-store.ts +6 -73
- package/src/core/output/README.md +73 -0
- package/src/core/output/index.ts +13 -0
- package/src/core/output/run.ts +91 -0
- package/src/core/output/types.ts +122 -0
- package/src/core/parser/dynamic-values.ts +160 -0
- package/src/core/parser/env-interpolation.ts +104 -0
- package/src/core/parser/filter.ts +57 -0
- package/src/core/parser/schema.ts +129 -4
- package/src/core/parser/types.ts +19 -1
- package/src/core/parser/variables.ts +0 -0
- package/src/core/parser/yaml-parser.ts +58 -12
- package/src/core/probe/bootstrap.ts +34 -0
- package/src/core/probe/dry-run-envelope.ts +61 -0
- package/src/core/probe/mass-assignment/classify.ts +175 -0
- package/src/core/probe/mass-assignment/cleanup.ts +52 -0
- package/src/core/probe/mass-assignment/digest.ts +114 -0
- package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
- package/src/core/probe/mass-assignment/regression.ts +141 -0
- package/src/core/probe/mass-assignment/suspects.ts +92 -0
- package/src/core/probe/mass-assignment/types.ts +135 -0
- package/src/core/probe/mass-assignment-probe-class.ts +198 -0
- package/src/core/probe/mass-assignment-probe.ts +27 -0
- package/src/core/probe/mass-assignment-template.ts +240 -0
- package/src/core/probe/method-probe.ts +43 -76
- package/src/core/probe/method-shared.ts +69 -0
- package/src/core/probe/negative-probe.ts +183 -149
- package/src/core/probe/orphan-tracker.ts +188 -0
- package/src/core/probe/path-discovery.ts +439 -0
- package/src/core/probe/probe-harness.ts +119 -0
- package/src/core/probe/registry.ts +89 -0
- package/src/core/probe/runner.ts +136 -0
- package/src/core/probe/security/baseline.ts +174 -0
- package/src/core/probe/security/classify.ts +341 -0
- package/src/core/probe/security/cleanup.ts +125 -0
- package/src/core/probe/security/detectors.ts +71 -0
- package/src/core/probe/security/digest.ts +104 -0
- package/src/core/probe/security/orchestrator.ts +398 -0
- package/src/core/probe/security/regression.ts +103 -0
- package/src/core/probe/security/types.ts +151 -0
- package/src/core/probe/security-probe-class.ts +207 -0
- package/src/core/probe/security-probe.ts +32 -0
- package/src/core/probe/shared.ts +531 -0
- package/src/core/probe/static-probe-class.ts +125 -0
- package/src/core/probe/types.ts +165 -0
- package/src/core/probe/verdict-aggregator.ts +33 -0
- package/src/core/probe/webhooks-probe.ts +282 -0
- package/src/core/reporter/console.ts +41 -2
- package/src/core/reporter/index.ts +2 -3
- package/src/core/reporter/json.ts +11 -1
- package/src/core/reporter/junit.ts +27 -12
- package/src/core/reporter/ndjson.ts +37 -0
- package/src/core/reporter/types.ts +3 -0
- package/src/core/runner/assertions.ts +59 -2
- package/src/core/runner/async-pool.ts +108 -0
- package/src/core/runner/auth-path.ts +8 -0
- package/src/core/runner/ci-context.ts +72 -0
- package/src/core/runner/executor.ts +265 -36
- package/src/core/runner/form-encode.ts +41 -0
- package/src/core/runner/http-client.ts +112 -2
- package/src/core/runner/learn-drift.ts +293 -0
- package/src/core/runner/preflight-vars.ts +153 -0
- package/src/core/runner/progress-tracker.ts +73 -0
- package/src/core/runner/rate-limiter.ts +87 -33
- package/src/core/runner/run-kind.ts +45 -0
- package/src/core/runner/schema-validator.ts +308 -0
- package/src/core/runner/send-request.ts +158 -20
- package/src/core/runner/types.ts +44 -0
- package/src/core/secrets/registry.ts +164 -0
- package/src/core/secrets/secrets-file.ts +115 -0
- package/src/core/selectors/operation-filter.ts +144 -0
- package/src/core/setup-api.ts +457 -20
- package/src/core/severity/category.ts +94 -0
- package/src/core/severity/index.ts +58 -0
- package/src/core/spec/infer-schema.ts +102 -0
- package/src/core/spec/layers.ts +154 -0
- package/src/core/spec/merge-specs.ts +156 -0
- package/src/core/spec/schema-from-runs.ts +117 -0
- package/src/core/spec/schema-overlay.ts +130 -0
- package/src/core/util/ajv.ts +13 -0
- package/src/core/util/format-eta.ts +21 -0
- package/src/core/util/headers.ts +9 -0
- package/src/core/util/url.ts +24 -0
- package/src/core/utils.ts +5 -1
- package/src/core/workspace/config.ts +129 -0
- package/src/core/workspace/fixture-gap-report.ts +84 -0
- package/src/core/workspace/fixture-gaps.ts +71 -0
- package/src/core/workspace/manifest.ts +283 -0
- package/src/core/workspace/output-rotation.ts +62 -0
- package/src/core/workspace/root.ts +13 -11
- package/src/core/workspace/triage-path.ts +87 -0
- package/src/db/lint-runs.ts +47 -0
- package/src/db/migrate.ts +128 -0
- package/src/db/migrations/0001_run_kind.sql +25 -0
- package/src/db/migrations/0002_run_kind_request.sql +59 -0
- package/src/db/migrations/sql.d.ts +4 -0
- package/src/db/queries/collections.ts +133 -0
- package/src/db/queries/coverage.ts +9 -0
- package/src/db/queries/dashboard.ts +59 -0
- package/src/db/queries/results.ts +216 -0
- package/src/db/queries/runs.ts +289 -0
- package/src/db/queries/sessions.ts +42 -0
- package/src/db/queries/settings.ts +28 -0
- package/src/db/queries/types.ts +172 -0
- package/src/db/queries.ts +75 -802
- package/src/db/schema.ts +178 -50
- package/src/cli/commands/export.ts +0 -144
- package/src/cli/commands/guide.ts +0 -127
- package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
- package/src/cli/commands/probe-methods.ts +0 -108
- package/src/cli/commands/probe-validation.ts +0 -124
- package/src/cli/commands/serve.ts +0 -114
- package/src/cli/commands/sync.ts +0 -268
- package/src/cli/commands/update.ts +0 -189
- package/src/cli/commands/validate.ts +0 -34
- package/src/core/diagnostics/render-md.ts +0 -112
- package/src/core/exporter/postman.ts +0 -963
- package/src/core/generator/guide-builder.ts +0 -253
- package/src/core/meta/types.ts +0 -19
- package/src/core/parser/index.ts +0 -21
- package/src/core/runner/execute-run.ts +0 -132
- package/src/core/runner/index.ts +0 -12
- package/src/core/sync/spec-differ.ts +0 -38
- package/src/web/data/collection-state.ts +0 -362
- package/src/web/routes/api.ts +0 -314
- package/src/web/routes/dashboard.ts +0 -350
- package/src/web/routes/runs.ts +0 -64
- package/src/web/schemas.ts +0 -121
- package/src/web/server.ts +0 -134
- package/src/web/static/htmx.min.cjs +0 -1
- package/src/web/static/style.css +0 -1148
- package/src/web/views/endpoints-tab.ts +0 -174
- package/src/web/views/explorer-tab.ts +0 -402
- package/src/web/views/health-strip.ts +0 -92
- package/src/web/views/layout.ts +0 -48
- package/src/web/views/results.ts +0 -210
- package/src/web/views/runs-tab.ts +0 -126
- package/src/web/views/suites-tab.ts +0 -181
|
@@ -1,17 +1,11 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Failure classification
|
|
3
|
-
*
|
|
2
|
+
* Failure classification → closed-enum `recommended_action`.
|
|
3
|
+
* ARV-338: prose hints (statusHint/envHint/softDeleteHint/schemaHint,
|
|
4
|
+
* env_issue clustering, auth_hint, agent_directive) removed — the agent
|
|
5
|
+
* triages by enum + raw evidence, not by heuristic guess-text.
|
|
4
6
|
*/
|
|
5
7
|
|
|
6
|
-
|
|
7
|
-
if (!status) return null;
|
|
8
|
-
if (status >= 500) return "Server-side error — inspect response_body for errorMessage/errorDetail; likely a backend bug";
|
|
9
|
-
if (status === 401 || status === 403) return "Auth failure — check auth_token/api_key in .env.yaml";
|
|
10
|
-
if (status === 404) return "Resource not found — verify the path and ID";
|
|
11
|
-
if (status === 400 || status === 422) return "Validation error — check request body fields match the schema";
|
|
12
|
-
if (status === 429) return "Rate limited — too many requests. Consider consolidating auth/login steps or adding delays between suites";
|
|
13
|
-
return null;
|
|
14
|
-
}
|
|
8
|
+
import { classify } from "../classifier/recommended-action.ts";
|
|
15
9
|
|
|
16
10
|
export function classifyFailure(status: string, responseStatus: number | null): "api_error" | "assertion_failed" | "network_error" {
|
|
17
11
|
if (status === "error" && (responseStatus === null || responseStatus < 500)) return "network_error";
|
|
@@ -19,95 +13,100 @@ export function classifyFailure(status: string, responseStatus: number | null):
|
|
|
19
13
|
return "assertion_failed";
|
|
20
14
|
}
|
|
21
15
|
|
|
22
|
-
export function envHint(url: string | null, errorMessage: string | null, envFilePath?: string): string | null {
|
|
23
|
-
const envFile = envFilePath ? envFilePath : ".env.yaml in your API directory";
|
|
24
|
-
|
|
25
|
-
if (url && /\{\{[^}]+\}\}/.test(url)) {
|
|
26
|
-
return `URL contains unresolved variable: "${url}" — variable name may not match the key in ${envFile}`;
|
|
27
|
-
}
|
|
28
|
-
if (url && !url.startsWith("http://") && !url.startsWith("https://")) {
|
|
29
|
-
return `base_url is not set or empty — URL resolved to "${url}". Add base_url to ${envFile}`;
|
|
30
|
-
}
|
|
31
|
-
if (errorMessage?.includes("base_url is not configured")) {
|
|
32
|
-
return `base_url is missing or empty. Add base_url: https://your-api.com to ${envFile}`;
|
|
33
|
-
}
|
|
34
|
-
if (errorMessage?.includes("URL is invalid") || errorMessage?.includes("Failed to parse URL")) {
|
|
35
|
-
return `URL is malformed — likely base_url is empty or invalid. Check base_url in ${envFile}`;
|
|
36
|
-
}
|
|
37
|
-
return null;
|
|
38
|
-
}
|
|
39
|
-
|
|
40
16
|
export type RecommendedAction =
|
|
41
17
|
| "report_backend_bug"
|
|
42
18
|
| "fix_auth_config"
|
|
43
19
|
| "fix_test_logic"
|
|
44
|
-
| "fix_network_config"
|
|
20
|
+
| "fix_network_config"
|
|
21
|
+
| "fix_env"
|
|
22
|
+
/** Fix the OpenAPI spec — emitted by lint-spec.Issue (TASK-294) and
|
|
23
|
+
* by `status_code_conformance` / `*_conformance` checks (ARV-11). */
|
|
24
|
+
| "fix_spec"
|
|
25
|
+
/** Add or correct a fixture in .env.yaml — emitted by discover for
|
|
26
|
+
* miss-* states (TASK-294). */
|
|
27
|
+
| "fix_fixture"
|
|
28
|
+
/** ARV-42 — generator-emitted suite produced a body the API rejected
|
|
29
|
+
* (4xx with validation hint). Editing the YAML is wrong: the next
|
|
30
|
+
* `zond generate` would clobber it. Re-run generate (or refine the
|
|
31
|
+
* spec/.api-resources hints) instead. */
|
|
32
|
+
| "regenerate_suite"
|
|
33
|
+
/** ARV-11 — server accepted an invalid request body. Backend should
|
|
34
|
+
* reject earlier; the test isn't wrong. */
|
|
35
|
+
| "tighten_validation"
|
|
36
|
+
/** ARV-11 — server didn't enforce a header marked `required: true`
|
|
37
|
+
* in the spec. Either enforce it, or drop `required` in the spec. */
|
|
38
|
+
| "add_required_header"
|
|
39
|
+
/** ARV-11 — known limitation that the team has accepted. Agents
|
|
40
|
+
* should not retry, file a bug, or include in dashboards. */
|
|
41
|
+
| "wontfix_known_limitation";
|
|
45
42
|
|
|
46
43
|
export function recommendedAction(
|
|
47
44
|
failureType: "api_error" | "assertion_failed" | "network_error",
|
|
48
45
|
responseStatus: number | null,
|
|
49
46
|
): RecommendedAction {
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
}
|
|
59
|
-
|
|
60
|
-
export function envCategory(hint: string | undefined): string | null {
|
|
61
|
-
if (!hint) return null;
|
|
62
|
-
if (hint.includes("base_url is not set") || hint.includes("base_url is missing") || hint.includes("base_url is not configured")) return "base_url_missing";
|
|
63
|
-
if (hint.includes("unresolved variable")) return "unresolved_variable";
|
|
64
|
-
if (hint.includes("URL is malformed")) return "url_malformed";
|
|
65
|
-
return null;
|
|
66
|
-
}
|
|
67
|
-
|
|
68
|
-
export function schemaHint(
|
|
69
|
-
failureType: string,
|
|
70
|
-
responseStatus: number | null | undefined,
|
|
71
|
-
): string | null {
|
|
72
|
-
if (failureType === "assertion_failed" || responseStatus === 400 || responseStatus === 422) {
|
|
73
|
-
return "Use describe_endpoint(specPath, method, path) to verify expected request/response schema";
|
|
74
|
-
}
|
|
75
|
-
return null;
|
|
47
|
+
// ARV-56: delegate to the single classifier.
|
|
48
|
+
const action = classify({
|
|
49
|
+
finding_class: failureType === "api_error" ? "test:api_error" :
|
|
50
|
+
failureType === "network_error" ? "test:network_error" : "test:assertion_failed",
|
|
51
|
+
status: responseStatus,
|
|
52
|
+
});
|
|
53
|
+
// The three failure_type classes are total in the classifier — a missing
|
|
54
|
+
// branch means a future refactor stripped one; surface loudly.
|
|
55
|
+
if (!action) throw new Error(`classifier returned no action for failure_type=${failureType} status=${responseStatus}`);
|
|
56
|
+
return action;
|
|
76
57
|
}
|
|
77
58
|
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
59
|
+
/**
|
|
60
|
+
* ARV-42: extended recommender that knows whether the failing test was
|
|
61
|
+
* emitted by `zond generate`. For generated suites, "fix_test_logic" is
|
|
62
|
+
* actively misleading — the generated YAML carries the header
|
|
63
|
+
* "⚠️ Edits will be overwritten on regenerate" and the next `zond audit`
|
|
64
|
+
* really does clobber manual edits. Branch into the actually-actionable
|
|
65
|
+
* remediation instead.
|
|
66
|
+
*
|
|
67
|
+
* - 4xx (400/422) → regenerate_suite: the body the generator emitted
|
|
68
|
+
* didn't pass validation; either re-run generate (so newer heuristics
|
|
69
|
+
* apply, e.g. ARV-38 default-string) or tighten .api-resources hints.
|
|
70
|
+
* - 404 → fix_fixture: a path-param resolved to an empty / stale id
|
|
71
|
+
* in .env.yaml; `prepare-fixtures --seed` is the correct remedy.
|
|
72
|
+
* - everything else → falls back to recommendedAction (auth → 401/403,
|
|
73
|
+
* api_error → 5xx, etc.).
|
|
74
|
+
*
|
|
75
|
+
* `isGenerated` is the heuristic from db-analysis: provenance.type
|
|
76
|
+
* "openapi-generated" OR suite_file under apis/<api>/tests/.
|
|
77
|
+
*/
|
|
78
|
+
export function recommendedActionForGenerated(
|
|
79
|
+
failureType: "api_error" | "assertion_failed" | "network_error",
|
|
80
|
+
responseStatus: number | null,
|
|
81
|
+
isGenerated: boolean,
|
|
82
|
+
schemaViolation = false,
|
|
83
|
+
): RecommendedAction {
|
|
84
|
+
// ARV-56: delegate to classifier. `isGenerated` is encoded via a
|
|
85
|
+
// synthetic suite_path so the same logic flows through classify().
|
|
86
|
+
// ARV-103 (F8): `schemaViolation` propagates the assertion-kind flag —
|
|
87
|
+
// when true, the classifier's "treat schema bugs like 5xx" branch wins
|
|
88
|
+
// over the generator's regenerate_suite default.
|
|
89
|
+
const action = classify({
|
|
90
|
+
finding_class: failureType === "api_error" ? "test:api_error" :
|
|
91
|
+
failureType === "network_error" ? "test:network_error" : "test:assertion_failed",
|
|
92
|
+
status: responseStatus,
|
|
93
|
+
...(isGenerated ? { suite_path: "apis/_/tests/_.yaml" } : {}),
|
|
94
|
+
...(schemaViolation ? { schema_violation: true } : {}),
|
|
95
|
+
});
|
|
96
|
+
if (!action) throw new Error(`classifier returned no action for failure_type=${failureType} status=${responseStatus}`);
|
|
97
|
+
return action;
|
|
95
98
|
}
|
|
96
99
|
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
if (
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
return `All failures: some variables are not substituted — check variable names in ${envFile}`;
|
|
110
|
-
}
|
|
111
|
-
// url_malformed
|
|
112
|
-
return [...failures.map(f => f.hint).filter(Boolean)][0] ?? null;
|
|
100
|
+
/** ARV-42: classify a failing result row as generator-emitted. The two
|
|
101
|
+
* signals are independent — provenance is missing on older runs, while
|
|
102
|
+
* suite_file disambiguates against ad-hoc YAMLs the user dropped into
|
|
103
|
+
* apis/<api>/tests/ themselves (rare but supported). */
|
|
104
|
+
export function isGeneratedTest(
|
|
105
|
+
provenance: { type?: string; generator?: string } | null | undefined,
|
|
106
|
+
suite_file: string | null | undefined,
|
|
107
|
+
): boolean {
|
|
108
|
+
if (provenance?.type === "openapi-generated") return true;
|
|
109
|
+
if (provenance?.generator && provenance.generator.toLowerCase().includes("zond")) return true;
|
|
110
|
+
if (typeof suite_file === "string" && /(^|\/)apis\/[^/]+\/tests\//.test(suite_file)) return true;
|
|
111
|
+
return false;
|
|
113
112
|
}
|
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* TASK-102: build a JSON Pointer (RFC 6901) into the OpenAPI document for the
|
|
3
|
+
* response branch a step exercises, plus a small excerpt of the schema at that
|
|
4
|
+
* pointer. The excerpt is captured at run time and frozen into the DB so that
|
|
5
|
+
* later spec edits can't rewrite history.
|
|
6
|
+
*
|
|
7
|
+
* Inputs come from {@link SourceMetadata} populated by TASK-100:
|
|
8
|
+
* - `endpoint` e.g. "POST /webhooks"
|
|
9
|
+
* - `response_branch` e.g. "422" or "400|422" (first wins for the pointer)
|
|
10
|
+
*/
|
|
11
|
+
|
|
12
|
+
import type { SourceMetadata } from "../parser/types.ts";
|
|
13
|
+
|
|
14
|
+
export interface SpecPointer {
|
|
15
|
+
pointer: string;
|
|
16
|
+
excerpt: string;
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
const EXCERPT_MAX_BYTES = 500;
|
|
20
|
+
|
|
21
|
+
function escapeJsonPointerSegment(s: string): string {
|
|
22
|
+
return s.replace(/~/g, "~0").replace(/\//g, "~1");
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
function parseEndpoint(endpoint: string): { method: string; path: string } | null {
|
|
26
|
+
const m = endpoint.match(/^([A-Z]+)\s+(\/.*)$/);
|
|
27
|
+
if (!m) return null;
|
|
28
|
+
return { method: m[1]!.toLowerCase(), path: m[2]! };
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
function pickPrimaryStatus(responseBranch: string | undefined): string | null {
|
|
32
|
+
if (!responseBranch) return null;
|
|
33
|
+
const first = responseBranch.split(/[|,\s]/).find((s) => /^\d{3}$/.test(s));
|
|
34
|
+
return first ?? null;
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
function trimExcerpt(json: string): string {
|
|
38
|
+
if (json.length <= EXCERPT_MAX_BYTES) return json;
|
|
39
|
+
return json.slice(0, EXCERPT_MAX_BYTES) + "\n…[truncated]";
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
/**
|
|
43
|
+
* Resolve the response operation in the OpenAPI document and produce a pointer
|
|
44
|
+
* + frozen excerpt. Returns `null` if any link in the chain is missing — caller
|
|
45
|
+
* persists `null` rather than crashing.
|
|
46
|
+
*/
|
|
47
|
+
export function buildSpecPointer(
|
|
48
|
+
source: SourceMetadata | null | undefined,
|
|
49
|
+
openApiDoc: unknown,
|
|
50
|
+
): SpecPointer | null {
|
|
51
|
+
if (!source || !openApiDoc || typeof openApiDoc !== "object") return null;
|
|
52
|
+
if (typeof source.endpoint !== "string") return null;
|
|
53
|
+
|
|
54
|
+
const parsed = parseEndpoint(source.endpoint);
|
|
55
|
+
if (!parsed) return null;
|
|
56
|
+
const status = pickPrimaryStatus(source.response_branch ?? undefined);
|
|
57
|
+
if (!status) return null;
|
|
58
|
+
|
|
59
|
+
const doc = openApiDoc as Record<string, unknown>;
|
|
60
|
+
const paths = doc.paths as Record<string, unknown> | undefined;
|
|
61
|
+
if (!paths || typeof paths !== "object") return null;
|
|
62
|
+
|
|
63
|
+
const pathItem = paths[parsed.path] as Record<string, unknown> | undefined;
|
|
64
|
+
if (!pathItem || typeof pathItem !== "object") return null;
|
|
65
|
+
|
|
66
|
+
const operation = pathItem[parsed.method] as Record<string, unknown> | undefined;
|
|
67
|
+
if (!operation || typeof operation !== "object") return null;
|
|
68
|
+
|
|
69
|
+
const responses = operation.responses as Record<string, unknown> | undefined;
|
|
70
|
+
if (!responses || typeof responses !== "object") return null;
|
|
71
|
+
|
|
72
|
+
const response = (responses[status] ?? responses.default) as Record<string, unknown> | undefined;
|
|
73
|
+
if (!response || typeof response !== "object") return null;
|
|
74
|
+
|
|
75
|
+
const escapedPath = escapeJsonPointerSegment(parsed.path);
|
|
76
|
+
let pointer = `#/paths/${escapedPath}/${parsed.method}/responses/${status}`;
|
|
77
|
+
let excerptValue: unknown = response;
|
|
78
|
+
|
|
79
|
+
// Drill into application/json schema when available — that's the most useful
|
|
80
|
+
// surface for UI rendering ("backend promised X, returned Y").
|
|
81
|
+
const content = response.content as Record<string, unknown> | undefined;
|
|
82
|
+
if (content && typeof content === "object") {
|
|
83
|
+
const jsonMedia = (content["application/json"] ?? content["application/json; charset=utf-8"]) as
|
|
84
|
+
| Record<string, unknown>
|
|
85
|
+
| undefined;
|
|
86
|
+
if (jsonMedia && typeof jsonMedia === "object" && "schema" in jsonMedia) {
|
|
87
|
+
pointer += "/content/application~1json/schema";
|
|
88
|
+
excerptValue = jsonMedia.schema;
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
|
|
92
|
+
let excerpt: string;
|
|
93
|
+
try {
|
|
94
|
+
excerpt = JSON.stringify(excerptValue, null, 2);
|
|
95
|
+
} catch {
|
|
96
|
+
excerpt = String(excerptValue);
|
|
97
|
+
}
|
|
98
|
+
return { pointer, excerpt: trimExcerpt(excerpt) };
|
|
99
|
+
}
|
|
@@ -0,0 +1,155 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* TASK-29: actionable "Suggested fixes" surfaces for `zond db diagnose`.
|
|
3
|
+
*
|
|
4
|
+
* The base diagnose envelope already classifies failures and wires
|
|
5
|
+
* recommended_action. This layer adds two concrete, fixable signals that
|
|
6
|
+
* the LLM agent can act on without a second round-trip:
|
|
7
|
+
*
|
|
8
|
+
* 1. Placeholder path-params on 404s — when a 404 hits a URL that still
|
|
9
|
+
* contains literal example/placeholder values (`example`, all-zeros
|
|
10
|
+
* UUID, `your-…-here`, `00000000-…`, …), surface the exact path
|
|
11
|
+
* segment that's broken plus the variable name we'd expect (best-effort
|
|
12
|
+
* from the segment shape).
|
|
13
|
+
*
|
|
14
|
+
* 2. Untilled .env.yaml keys — read the API's .env.yaml and flag values
|
|
15
|
+
* that are empty, `<TODO>`, `example`, `null`, or look like
|
|
16
|
+
* placeholders (`replace-me`, `your-...`). These block CRUD sweeps
|
|
17
|
+
* silently — without them, the agent can't tell apart "value missing"
|
|
18
|
+
* from "value present and wrong".
|
|
19
|
+
*/
|
|
20
|
+
import { existsSync, readFileSync } from "node:fs";
|
|
21
|
+
import { parse as parseYaml } from "yaml";
|
|
22
|
+
|
|
23
|
+
export type SuggestedFixKind =
|
|
24
|
+
| "placeholder_path_param"
|
|
25
|
+
| "unfilled_env_key";
|
|
26
|
+
|
|
27
|
+
export interface SuggestedFix {
|
|
28
|
+
kind: SuggestedFixKind;
|
|
29
|
+
/** When `kind=unfilled_env_key`: the key name. When `kind=placeholder_path_param`:
|
|
30
|
+
* the path segment that looks like a placeholder. */
|
|
31
|
+
key: string;
|
|
32
|
+
message: string;
|
|
33
|
+
/** File path the user should edit (usually the API's .env.yaml). */
|
|
34
|
+
source?: string;
|
|
35
|
+
/** Optional one-line example of what to put there. */
|
|
36
|
+
example?: string;
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
const PLACEHOLDER_PATTERNS: Array<{ re: RegExp; reason: string }> = [
|
|
40
|
+
{ re: /^example$/i, reason: "literal `example`" },
|
|
41
|
+
{ re: /^placeholder$/i, reason: "literal `placeholder`" },
|
|
42
|
+
{ re: /^your-[\w-]+-here$/i, reason: "`your-…-here` placeholder" },
|
|
43
|
+
{ re: /^00000000-0000-0000-0000-0+(?:beef|dead|cafe|f00d|0+)$/i, reason: "all-zero / sentinel UUID" },
|
|
44
|
+
{ re: /^0+$/, reason: "all-zero numeric id" },
|
|
45
|
+
{ re: /^replace-me$/i, reason: "`replace-me` placeholder" },
|
|
46
|
+
];
|
|
47
|
+
|
|
48
|
+
const ENV_PLACEHOLDER_PATTERNS: Array<{ re: RegExp; reason: string }> = [
|
|
49
|
+
{ re: /^<.*>$/, reason: "TODO / angle-bracket placeholder" },
|
|
50
|
+
{ re: /^example$/i, reason: "literal `example`" },
|
|
51
|
+
{ re: /^placeholder$/i, reason: "literal `placeholder`" },
|
|
52
|
+
{ re: /^your-[\w-]+-here$/i, reason: "`your-…-here` placeholder" },
|
|
53
|
+
{ re: /^replace-?me$/i, reason: "`replace-me` placeholder" },
|
|
54
|
+
{ re: /^<TODO>$/i, reason: "explicit TODO" },
|
|
55
|
+
];
|
|
56
|
+
|
|
57
|
+
/** Identify path segments that look like placeholders. Used on 404 URLs. */
|
|
58
|
+
export function detectPlaceholderSegments(url: string | null): Array<{ segment: string; reason: string }> {
|
|
59
|
+
if (!url) return [];
|
|
60
|
+
let pathname: string;
|
|
61
|
+
try {
|
|
62
|
+
pathname = url.startsWith("http") ? new URL(url).pathname : url.split("?")[0]!;
|
|
63
|
+
} catch {
|
|
64
|
+
pathname = url;
|
|
65
|
+
}
|
|
66
|
+
const out: Array<{ segment: string; reason: string }> = [];
|
|
67
|
+
for (const seg of pathname.split("/").filter(Boolean)) {
|
|
68
|
+
for (const { re, reason } of PLACEHOLDER_PATTERNS) {
|
|
69
|
+
if (re.test(seg)) {
|
|
70
|
+
out.push({ segment: seg, reason });
|
|
71
|
+
break;
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
}
|
|
75
|
+
return out;
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
/** Read .env.yaml and return keys whose value is empty/null/placeholder-shaped. */
|
|
79
|
+
export function findUnfilledEnvKeys(envFilePath: string | undefined): SuggestedFix[] {
|
|
80
|
+
if (!envFilePath || !existsSync(envFilePath)) return [];
|
|
81
|
+
let parsed: unknown;
|
|
82
|
+
try {
|
|
83
|
+
parsed = parseYaml(readFileSync(envFilePath, "utf-8"));
|
|
84
|
+
} catch {
|
|
85
|
+
return [];
|
|
86
|
+
}
|
|
87
|
+
if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return [];
|
|
88
|
+
|
|
89
|
+
const out: SuggestedFix[] = [];
|
|
90
|
+
for (const [key, val] of Object.entries(parsed as Record<string, unknown>)) {
|
|
91
|
+
const reason = classifyEnvValue(val);
|
|
92
|
+
if (reason) {
|
|
93
|
+
out.push({
|
|
94
|
+
kind: "unfilled_env_key",
|
|
95
|
+
key,
|
|
96
|
+
message: `\`${key}\` in ${envFilePath} is unfilled (${reason}). Set it to a real value before re-running.`,
|
|
97
|
+
source: envFilePath,
|
|
98
|
+
});
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
return out;
|
|
102
|
+
}
|
|
103
|
+
|
|
104
|
+
function classifyEnvValue(val: unknown): string | null {
|
|
105
|
+
if (val === null || val === undefined) return "null / missing";
|
|
106
|
+
if (typeof val === "string") {
|
|
107
|
+
const trimmed = val.trim();
|
|
108
|
+
if (trimmed === "") return "empty string";
|
|
109
|
+
for (const { re, reason } of ENV_PLACEHOLDER_PATTERNS) {
|
|
110
|
+
if (re.test(trimmed)) return reason;
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
return null;
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
export interface BuildSuggestedFixesInput {
|
|
117
|
+
failures: Array<{
|
|
118
|
+
response_status: number | null;
|
|
119
|
+
request_url: string | null;
|
|
120
|
+
suite_name: string;
|
|
121
|
+
test_name: string;
|
|
122
|
+
}>;
|
|
123
|
+
envFilePath?: string;
|
|
124
|
+
}
|
|
125
|
+
|
|
126
|
+
/**
|
|
127
|
+
* Combine placeholder-detection across all 404 failures + env-yaml audit
|
|
128
|
+
* into a single deduplicated list of fixes the agent should apply before
|
|
129
|
+
* re-running.
|
|
130
|
+
*/
|
|
131
|
+
export function buildSuggestedFixes(input: BuildSuggestedFixesInput): SuggestedFix[] {
|
|
132
|
+
const fixes: SuggestedFix[] = [];
|
|
133
|
+
const seenSegments = new Set<string>();
|
|
134
|
+
|
|
135
|
+
for (const f of input.failures) {
|
|
136
|
+
if (f.response_status !== 404) continue;
|
|
137
|
+
for (const ph of detectPlaceholderSegments(f.request_url)) {
|
|
138
|
+
const dedupeKey = `seg:${ph.segment}`;
|
|
139
|
+
if (seenSegments.has(dedupeKey)) continue;
|
|
140
|
+
seenSegments.add(dedupeKey);
|
|
141
|
+
fixes.push({
|
|
142
|
+
kind: "placeholder_path_param",
|
|
143
|
+
key: ph.segment,
|
|
144
|
+
message:
|
|
145
|
+
`404 on \`${f.request_url}\` — path segment \`${ph.segment}\` is a ${ph.reason}. ` +
|
|
146
|
+
`Replace with a real id from the live API (e.g. \`zond prepare-fixtures --apply\`) ` +
|
|
147
|
+
`or set the corresponding fixture in ${input.envFilePath ?? ".env.yaml"}.`,
|
|
148
|
+
source: input.envFilePath,
|
|
149
|
+
});
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
|
|
153
|
+
fixes.push(...findUnfilledEnvKeys(input.envFilePath));
|
|
154
|
+
return fixes;
|
|
155
|
+
}
|