@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -0,0 +1,114 @@
1
+ import { SUSPECTED_FIELDS } from "./suspects.ts";
2
+ import type {
3
+ EndpointVerdict,
4
+ MassAssignmentResult,
5
+ Severity,
6
+ } from "./types.ts";
7
+
8
+ const SEVERITY_ORDER: Severity[] = [
9
+ "high",
10
+ "inconclusive-baseline",
11
+ "inconclusive-5xx",
12
+ "medium",
13
+ "low",
14
+ "info",
15
+ "ok",
16
+ "skipped",
17
+ ];
18
+
19
+ const SEVERITY_HEADER: Record<Severity, string> = {
20
+ high: "🚨 HIGH — privilege escalation candidates",
21
+ "inconclusive-baseline": "⚠️ INCONCLUSIVE — baseline body invalid (fix fixture / FK / scope and re-probe)",
22
+ "inconclusive-5xx": "⚠️ INCONCLUSIVE — baseline 5xx (endpoint crashes — likely duplicate of validation-probe)",
23
+ medium: "⚠️ MEDIUM — inconclusive (no follow-up GET available)",
24
+ low: "ℹ️ LOW — inconclusive (single-signal, follow-up GET unavailable)",
25
+ info: "· INFO — accepted-and-ignored (correct framework behaviour, often ineligible to report)",
26
+ ok: "✅ OK — rejected 4xx (best behaviour)",
27
+ skipped: "⏭️ SKIPPED",
28
+ };
29
+
30
+ export function formatDigestMarkdown(
31
+ result: MassAssignmentResult,
32
+ specPath: string,
33
+ ): string {
34
+ const lines: string[] = [];
35
+ lines.push(`# Mass-assignment probe digest`);
36
+ lines.push("");
37
+ lines.push(`**Spec:** \`${specPath}\``);
38
+ lines.push(`**Endpoints probed:** ${result.specProbed} of ${result.totalEndpoints} mutating endpoints`);
39
+ lines.push("");
40
+ lines.push(`**Suspected fields tested:** ${Object.keys(SUSPECTED_FIELDS).join(", ")}`);
41
+ lines.push("");
42
+
43
+ const buckets = groupBySeverity(result.verdicts);
44
+ for (const sev of SEVERITY_ORDER) {
45
+ const items = buckets[sev];
46
+ if (!items || items.length === 0) continue;
47
+ lines.push(`## ${SEVERITY_HEADER[sev]} (${items.length})`);
48
+ lines.push("");
49
+ for (const v of items) {
50
+ lines.push(`### ${v.method} ${v.path}`);
51
+ lines.push("");
52
+ if (v.severity === "skipped") {
53
+ lines.push(`- Skipped: ${v.skipReason ?? v.summary}`);
54
+ lines.push("");
55
+ continue;
56
+ }
57
+ lines.push(`- ${v.summary}`);
58
+ lines.push(`- Injected: ${v.request.injectedFields.map(n => `\`${n}\``).join(", ")}`);
59
+ if (v.baseline) {
60
+ lines.push(`- Baseline (no extras): ${v.baseline.status}`);
61
+ }
62
+ if (v.response) {
63
+ lines.push(`- With extras: ${v.response.status}`);
64
+ }
65
+ if (v.followUpGet) {
66
+ lines.push(`- Follow-up GET → ${v.followUpGet.status}`);
67
+ }
68
+ const interesting = v.fields.filter(f => f.outcome !== "ignored" && f.outcome !== "absent");
69
+ if (interesting.length > 0) {
70
+ lines.push(`- Per-field outcomes:`);
71
+ for (const f of interesting) {
72
+ const obs = f.observed === undefined ? "n/a" : JSON.stringify(f.observed);
73
+ lines.push(` - \`${f.field}\` → **${f.outcome}** (injected ${JSON.stringify(f.injected)}, observed ${obs})`);
74
+ }
75
+ }
76
+ if (v.cleanup) {
77
+ if (v.cleanup.attempted) {
78
+ lines.push(`- Cleanup DELETE: ${v.cleanup.status ?? "errored"}${v.cleanup.error ? ` — ${v.cleanup.error}` : ""}`);
79
+ } else {
80
+ lines.push(`- Cleanup skipped: ${v.cleanup.error ?? "unknown"}`);
81
+ }
82
+ }
83
+ if (v.notes && v.notes.length > 0) {
84
+ for (const n of v.notes) lines.push(`- Note: ${n}`);
85
+ }
86
+ if (v.severity === "high") {
87
+ lines.push(`- **Action:** treat as P0 — server should reject or strip these fields.`);
88
+ }
89
+ if (v.severity === "inconclusive-baseline") {
90
+ lines.push(
91
+ `- **Action:** the baseline POST itself failed — set the right fixture / FK / path-params in your env (e.g. \`domain_id\`, \`account_id\`) and re-run.`,
92
+ );
93
+ }
94
+ if (v.severity === "inconclusive-5xx") {
95
+ lines.push(
96
+ `- **Action:** baseline crashed with 5xx — fix the underlying server bug (validation-probe likely reported it for the same endpoint) before mass-assignment can be observed here.`,
97
+ );
98
+ }
99
+ lines.push("");
100
+ }
101
+ }
102
+
103
+ if (result.warnings.length > 0) {
104
+ lines.push(`## Warnings`);
105
+ lines.push("");
106
+ for (const w of result.warnings) lines.push(`- ${w}`);
107
+ lines.push("");
108
+ }
109
+ return lines.join("\n");
110
+ }
111
+
112
+ function groupBySeverity(verdicts: EndpointVerdict[]): Partial<Record<Severity, EndpointVerdict[]>> {
113
+ return Object.groupBy(verdicts, (v) => v.severity);
114
+ }
@@ -0,0 +1,459 @@
1
+ /**
2
+ * Mass-assignment probe (T58) orchestrator.
3
+ *
4
+ * For each POST endpoint we craft a JSON body augmented with "suspected" extra
5
+ * fields (is_admin, role, account_id, …) plus server-assigned fields lifted
6
+ * from the response schema (id, created_at, …). We send the request live,
7
+ * read the response, and — when the API returned 2xx — issue a follow-up GET
8
+ * to differentiate two outcomes:
9
+ *
10
+ * • accepted-and-applied — the suspicious value persisted ⇒ privilege
11
+ * escalation candidate (HIGH severity).
12
+ * • accepted-and-ignored — the suspicious value was silently dropped
13
+ * (LOW severity, soft-warn).
14
+ *
15
+ * Rejected (4xx) is the desired behaviour. 5xx is a separate bug class
16
+ * (negative-probe territory).
17
+ *
18
+ * Auth is loaded from a `.env.yaml`-style file — same surface as `zond run`
19
+ * uses via `loadEnvironment`. `base_url`, `auth_token`, `api_key` and any
20
+ * path-param placeholders supplied in env are substituted into URLs.
21
+ *
22
+ * Optionally emits a YAML regression suite (`--emit-tests`) that locks in
23
+ * the observed safe behaviour (rejected / ignored) so CI catches drift.
24
+ */
25
+ import type { EndpointInfo, SecuritySchemeInfo } from "../../generator/types.ts";
26
+ import { executeRequest } from "../../runner/http-client.ts";
27
+ import {
28
+ captureFieldFor,
29
+ classifyPostSemantics,
30
+ findDeleteCounterpart,
31
+ findGetByIdCounterpart,
32
+ liveAuthHeaders,
33
+ } from "../shared.ts";
34
+ import {
35
+ buildBaselineFromSpec,
36
+ buildBodyAuthHeaders,
37
+ buildProbeUrl,
38
+ hasProbeBody,
39
+ serializeProbeBody,
40
+ } from "../probe-harness.ts";
41
+ import {
42
+ createDiscoveryCache,
43
+ discoverBodyFkVars,
44
+ discoverPathParams,
45
+ type DiscoveryCache,
46
+ } from "../path-discovery.ts";
47
+ import {
48
+ isStrictContract,
49
+ serverAssignedExtras,
50
+ suspectedExtras,
51
+ } from "./suspects.ts";
52
+ import {
53
+ classifyFromBody,
54
+ finaliseSeverity,
55
+ findIdParam,
56
+ inconclusiveBaselineSummary,
57
+ needsFollowUp,
58
+ stampRecommendedAction,
59
+ } from "./classify.ts";
60
+ import { tryCleanupBaseline } from "./cleanup.ts";
61
+ import type {
62
+ EndpointVerdict,
63
+ MassAssignmentOptions,
64
+ MassAssignmentResult,
65
+ ProbeEndpointOpts,
66
+ } from "./types.ts";
67
+
68
+ export async function runMassAssignmentProbes(
69
+ opts: MassAssignmentOptions,
70
+ ): Promise<MassAssignmentResult> {
71
+ const { endpoints, securitySchemes, vars, noCleanup, timeoutMs } = opts;
72
+ const discover = opts.discover !== false;
73
+ const cache: DiscoveryCache = createDiscoveryCache();
74
+ const verdicts: EndpointVerdict[] = [];
75
+ const warnings: string[] = [];
76
+ let totalEndpoints = 0;
77
+
78
+ for (const ep of endpoints) {
79
+ if (ep.deprecated) continue;
80
+ const m = ep.method.toUpperCase();
81
+ if (m !== "POST" && m !== "PATCH" && m !== "PUT") continue;
82
+ totalEndpoints++;
83
+
84
+ // ARV-150: accept form-urlencoded endpoints in addition to JSON. Stripe
85
+ // v1 declares only application/x-www-form-urlencoded for every mutating
86
+ // operation — 265 endpoints were SKIPPED before this loosening.
87
+ if (!hasProbeBody(ep)) {
88
+ verdicts.push(skipped(ep, "no JSON or form-urlencoded request body"));
89
+ continue;
90
+ }
91
+
92
+ // Resolve path placeholders, attempting auto-discovery when env doesn't
93
+ // supply them and the spec has a sibling list endpoint (TASK-92).
94
+ let effectiveVars = vars;
95
+ const probe = buildProbeUrl(ep, vars);
96
+ if (probe.unresolved.length > 0) {
97
+ if (!discover) {
98
+ const reason =
99
+ m === "POST"
100
+ ? `cannot resolve path placeholders: ${probe.unresolved.join(", ")} (set them in --env file)`
101
+ : `${m} requires existing resource id; missing env vars: ${probe.unresolved.join(", ")}`;
102
+ verdicts.push(skipped(ep, reason));
103
+ continue;
104
+ }
105
+ const discovered = await discoverPathParams({
106
+ ep,
107
+ unresolved: probe.unresolved,
108
+ allEndpoints: endpoints,
109
+ schemes: securitySchemes,
110
+ vars,
111
+ cache,
112
+ timeoutMs,
113
+ });
114
+ if (discovered.kind === "miss") {
115
+ verdicts.push(
116
+ skipped(
117
+ ep,
118
+ `cannot resolve path placeholders: ${probe.unresolved.join(", ")} — auto-discover failed (${discovered.reason})`,
119
+ ),
120
+ );
121
+ continue;
122
+ }
123
+ effectiveVars = { ...vars, ...discovered.values };
124
+ }
125
+
126
+ // TASK-137: body-FK discovery. Required body fields named `audience_id`,
127
+ // `project_slug`, `team_uuid`… get filled from sibling collection
128
+ // endpoints. Without this, baseline POST hits 4xx because the random
129
+ // string we'd otherwise send fails FK validation, and the verdict
130
+ // becomes INCONCLUSIVE-baseline — a noise class that buried 51 verdicts
131
+ // in the dogfooding audit (m-8 feedback §B).
132
+ const bodyFkMisses: Array<{ field: string; reason: string }> = [];
133
+ if (discover) {
134
+ const bodyDiscovery = await discoverBodyFkVars({
135
+ ep,
136
+ allEndpoints: endpoints,
137
+ schemes: securitySchemes,
138
+ vars: effectiveVars,
139
+ cache,
140
+ timeoutMs,
141
+ });
142
+ if (Object.keys(bodyDiscovery.values).length > 0) {
143
+ effectiveVars = { ...effectiveVars, ...bodyDiscovery.values };
144
+ }
145
+ bodyFkMisses.push(...bodyDiscovery.misses);
146
+ }
147
+
148
+ // Body-FK overlays. discoverBodyFkVars wrote into effectiveVars but the
149
+ // baseline body is generated from spec via fake UUIDs / random strings —
150
+ // substituteDeep only handles literal `{{var}}` markers, not field-name
151
+ // matches. So we pass the resolved field→value map separately and the
152
+ // probe overlays it onto baseline directly.
153
+ let bodyFkOverlay: Record<string, string> | undefined;
154
+ if (discover) {
155
+ bodyFkOverlay = {};
156
+ for (const k of Object.keys(effectiveVars)) {
157
+ if (vars[k] === undefined && k.includes("_") && /(_id|_slug|_uuid|_key)$/.test(k)) {
158
+ bodyFkOverlay[k] = effectiveVars[k]!;
159
+ }
160
+ }
161
+ if (Object.keys(bodyFkOverlay).length === 0) bodyFkOverlay = undefined;
162
+ }
163
+
164
+ const verdict = await probeEndpoint(ep, endpoints, securitySchemes, effectiveVars, {
165
+ noCleanup: noCleanup === true,
166
+ timeoutMs,
167
+ bodyFkMisses,
168
+ bodyFkOverlay,
169
+ extraSuspectFields: opts.extraSuspectFields,
170
+ seedBody: opts.seedBodies?.get(`${ep.method.toUpperCase()} ${ep.path}`),
171
+ });
172
+ stampRecommendedAction(verdict);
173
+ verdicts.push(verdict);
174
+ }
175
+
176
+ return {
177
+ specProbed: verdicts.length,
178
+ totalEndpoints,
179
+ verdicts,
180
+ warnings,
181
+ };
182
+ }
183
+
184
+ function skipped(ep: EndpointInfo, reason: string): EndpointVerdict {
185
+ return {
186
+ method: ep.method.toUpperCase(),
187
+ path: ep.path,
188
+ severity: "skipped",
189
+ summary: reason,
190
+ request: { url: "", body: undefined, injectedFields: [] },
191
+ fields: [],
192
+ strictContract: isStrictContract(ep.requestBodySchema),
193
+ skipReason: reason,
194
+ };
195
+ }
196
+
197
+ async function probeEndpoint(
198
+ ep: EndpointInfo,
199
+ allEndpoints: EndpointInfo[],
200
+ schemes: SecuritySchemeInfo[],
201
+ vars: Record<string, string>,
202
+ opts: ProbeEndpointOpts,
203
+ ): Promise<EndpointVerdict> {
204
+ const m = ep.method.toUpperCase();
205
+ const strict = isStrictContract(ep.requestBodySchema);
206
+
207
+ // Build baseline payload from spec then substitute generators ({{$uuid}}, …).
208
+ const baseline = buildBaselineFromSpec(ep, vars, opts.seedBody);
209
+ if (baseline === null) {
210
+ return skipped(ep, "request body not a JSON object");
211
+ }
212
+ // TASK-137: overlay discovered FK values directly by field name so the
213
+ // baseline body actually carries the real audience_id / project_slug / …
214
+ // instead of the random UUID generateFromSchema synthesised.
215
+ if (opts.bodyFkOverlay) {
216
+ for (const [k, v] of Object.entries(opts.bodyFkOverlay)) {
217
+ if (k in baseline) baseline[k] = v;
218
+ }
219
+ }
220
+
221
+ const suspects = suspectedExtras(ep, opts.extraSuspectFields);
222
+ const serverFields = serverAssignedExtras(ep);
223
+ // Suspects win over server-assigned: if a field is both (e.g. `is_admin`
224
+ // appears in the response schema AND is in our suspect list), the suspect
225
+ // sentinel must be sent so we can detect privilege escalation.
226
+ const injectedSet = { ...serverFields, ...suspects };
227
+ const injectedNames = Object.keys(injectedSet);
228
+ if (injectedNames.length === 0) {
229
+ return skipped(ep, "no extra fields to inject (request schema covers everything)");
230
+ }
231
+
232
+ const body = { ...baseline, ...injectedSet };
233
+ const { url, unresolved } = buildProbeUrl(ep, vars);
234
+ if (unresolved.length > 0) {
235
+ return skipped(
236
+ ep,
237
+ `cannot resolve path placeholders: ${unresolved.join(", ")} (set them in --env file)`,
238
+ );
239
+ }
240
+
241
+ // ARV-150: Content-Type follows the spec — form-urlencoded for Stripe v1,
242
+ // JSON otherwise. `serializeProbeBody` encodes the actual wire payload.
243
+ const headers = buildBodyAuthHeaders(ep, schemes, vars);
244
+
245
+ const verdict: EndpointVerdict = {
246
+ method: m,
247
+ path: ep.path,
248
+ severity: "ok",
249
+ summary: "",
250
+ request: { url, body, injectedFields: injectedNames },
251
+ fields: injectedNames.map(name => ({
252
+ field: name,
253
+ injected: injectedSet[name],
254
+ outcome: "unknown",
255
+ })),
256
+ strictContract: strict,
257
+ };
258
+
259
+ // ── Baseline probe (TASK-91) ─────────────────────────────────────────────
260
+ // Send the *clean* baseline body first. Without this, a 4xx caused by FK
261
+ // miss / bad fixture / scope mismatch is indistinguishable from a 4xx that
262
+ // actually rejected our extras — false-OK on FK-heavy SaaS APIs (Stripe /
263
+ // Linear / GitHub-shaped). The baseline lets us classify:
264
+ // • baseline 4xx + injected 4xx → INCONCLUSIVE-baseline (fixture bug).
265
+ // • baseline 2xx + injected 4xx → OK (real extras rejection).
266
+ // • baseline 4xx + injected 2xx → HIGH (extras opened a code path the
267
+ // baseline never reached — privilege/auth bypass).
268
+ // • baseline 2xx + injected 2xx → existing applied/ignored flow.
269
+ let baselineResp;
270
+ try {
271
+ baselineResp = await executeRequest(
272
+ { method: m, url, headers, body: serializeProbeBody(ep, baseline).content },
273
+ { timeout: opts.timeoutMs ?? 30000, retries: 0 },
274
+ );
275
+ } catch (err) {
276
+ verdict.severity = "high";
277
+ verdict.summary = `baseline network error: ${err instanceof Error ? err.message : String(err)}`;
278
+ return verdict;
279
+ }
280
+ const baselineBody = baselineResp.body_parsed ?? baselineResp.body;
281
+ verdict.baseline = { status: baselineResp.status, body: baselineBody };
282
+ const baselineOk = baselineResp.status >= 200 && baselineResp.status < 300;
283
+ // If baseline created a resource, DELETE it before issuing the injected
284
+ // probe so the second POST doesn't trip a unique-constraint and so we
285
+ // don't leak resources.
286
+ if (baselineOk && !opts.noCleanup) {
287
+ await tryCleanupBaseline(ep, allEndpoints, schemes, vars, baselineBody, opts);
288
+ }
289
+
290
+ // ── Injected probe ──────────────────────────────────────────────────────
291
+ let resp;
292
+ try {
293
+ resp = await executeRequest(
294
+ { method: m, url, headers, body: serializeProbeBody(ep, body).content },
295
+ { timeout: opts.timeoutMs ?? 30000, retries: 0 },
296
+ );
297
+ } catch (err) {
298
+ verdict.severity = "high";
299
+ verdict.summary = `network error: ${err instanceof Error ? err.message : String(err)}`;
300
+ return verdict;
301
+ }
302
+ verdict.response = { status: resp.status, body: resp.body_parsed ?? resp.body };
303
+
304
+ if (resp.status >= 500) {
305
+ // TASK-276: if the baseline (no extras) also crashed with ≥500, the
306
+ // endpoint is just crashing — mass-assignment semantics aren't
307
+ // observable, and validation-probe will already have flagged the same
308
+ // endpoint. Don't surface as HIGH privilege-escalation; that buries
309
+ // real findings under noise.
310
+ if (baselineResp.status >= 500) {
311
+ verdict.severity = "inconclusive-5xx";
312
+ verdict.summary = `baseline ${baselineResp.status} → injected ${resp.status} — endpoint crashes regardless of extras (likely duplicate of validation-probe)`;
313
+ for (const f of verdict.fields) f.outcome = "unknown";
314
+ return verdict;
315
+ }
316
+ verdict.severity = "high";
317
+ verdict.summary = `5xx unhandled (${resp.status}) — see negative-probe`;
318
+ return verdict;
319
+ }
320
+
321
+ const injectedOk = resp.status >= 200 && resp.status < 300;
322
+
323
+ // Matrix dispatch on baseline×injected (TASK-91):
324
+ if (resp.status >= 400 && !injectedOk) {
325
+ if (!baselineOk) {
326
+ // Baseline body itself invalid — extras never reached validation.
327
+ verdict.severity = "inconclusive-baseline";
328
+ verdict.summary = inconclusiveBaselineSummary(
329
+ baselineResp.status,
330
+ baselineBody,
331
+ opts.bodyFkMisses,
332
+ );
333
+ for (const f of verdict.fields) f.outcome = "unknown";
334
+ return verdict;
335
+ }
336
+ // Baseline succeeded, injected rejected → real extras rejection.
337
+ verdict.severity = "ok";
338
+ verdict.summary = strict
339
+ ? `rejected ${resp.status} — strict contract honoured`
340
+ : `rejected ${resp.status} — extras refused (baseline ${baselineResp.status})`;
341
+ for (const f of verdict.fields) f.outcome = "absent";
342
+ return verdict;
343
+ }
344
+
345
+ if (injectedOk && !baselineOk) {
346
+ // Extras-as-bypass: baseline didn't make it through, but adding extras did.
347
+ // The extra fields opened a code path that baseline didn't reach (auth
348
+ // scope, FK shadowing, etc.). Treat as HIGH — likely a real bug —
349
+ // and continue to body-classification so per-field outcomes are still
350
+ // recorded for the digest.
351
+ verdict.severity = "high";
352
+ const bypassReason =
353
+ baselineResp.status >= 500
354
+ ? "server crash on baseline — extras-bypass turned a 5xx into a successful write"
355
+ : "extras opened a code path baseline didn't reach";
356
+ verdict.summary = `extras-bypass: baseline ${baselineResp.status} → injected ${resp.status} (${bypassReason})`;
357
+ // Fall through to the 2xx classification below; finaliseSeverity won't
358
+ // overwrite "high" once it's set — but we also want to still mark
359
+ // applied/ignored fields. We skip finaliseSeverity at the end for this
360
+ // case to preserve the bypass summary.
361
+ }
362
+
363
+ // 2xx — analyse the response body for echoed values, then maybe GET.
364
+ const respBody =
365
+ typeof resp.body_parsed === "object" && resp.body_parsed !== null
366
+ ? (resp.body_parsed as Record<string, unknown>)
367
+ : undefined;
368
+
369
+ classifyFromBody(verdict, respBody);
370
+
371
+ // Follow-up GET if any field is still "absent" or "unknown" — to distinguish
372
+ // ignored from silently-persisted-but-not-echoed.
373
+ if (respBody && needsFollowUp(verdict)) {
374
+ const idField = captureFieldFor(ep);
375
+ const id = respBody[idField];
376
+ const getEp = findGetByIdCounterpart(ep, allEndpoints);
377
+ if (id !== undefined && getEp) {
378
+ const getVars = { ...vars, [findIdParam(getEp)]: String(id), id: String(id) };
379
+ const getUrl = buildProbeUrl(getEp, getVars);
380
+ if (getUrl.unresolved.length === 0) {
381
+ try {
382
+ const getResp = await executeRequest(
383
+ {
384
+ method: "GET",
385
+ url: getUrl.url,
386
+ headers: {
387
+ accept: "application/json",
388
+ ...liveAuthHeaders(getEp, schemes, vars),
389
+ },
390
+ },
391
+ { timeout: opts.timeoutMs ?? 30000, retries: 0 },
392
+ );
393
+ const getBody =
394
+ typeof getResp.body_parsed === "object" && getResp.body_parsed !== null
395
+ ? (getResp.body_parsed as Record<string, unknown>)
396
+ : undefined;
397
+ verdict.followUpGet = {
398
+ url: getUrl.url,
399
+ status: getResp.status,
400
+ body: getResp.body_parsed ?? getResp.body,
401
+ };
402
+ if (getBody) classifyFromBody(verdict, getBody, true);
403
+ } catch (err) {
404
+ verdict.notes = [
405
+ ...(verdict.notes ?? []),
406
+ `follow-up GET failed: ${err instanceof Error ? err.message : String(err)}`,
407
+ ];
408
+ }
409
+ }
410
+ }
411
+
412
+ // Cleanup
413
+ if (!opts.noCleanup && id !== undefined) {
414
+ const delEp = findDeleteCounterpart(ep, allEndpoints);
415
+ if (delEp) {
416
+ const delVars = { ...vars, [findIdParam(delEp)]: String(id), id: String(id) };
417
+ const delUrl = buildProbeUrl(delEp, delVars);
418
+ if (delUrl.unresolved.length === 0) {
419
+ try {
420
+ const delResp = await executeRequest(
421
+ {
422
+ method: "DELETE",
423
+ url: delUrl.url,
424
+ headers: {
425
+ accept: "application/json",
426
+ ...liveAuthHeaders(delEp, schemes, vars),
427
+ },
428
+ },
429
+ { timeout: opts.timeoutMs ?? 30000, retries: 0 },
430
+ );
431
+ verdict.cleanup = { attempted: true, status: delResp.status };
432
+ } catch (err) {
433
+ verdict.cleanup = {
434
+ attempted: true,
435
+ error: err instanceof Error ? err.message : String(err),
436
+ };
437
+ }
438
+ } else {
439
+ verdict.cleanup = { attempted: false, error: "unresolved DELETE path placeholders" };
440
+ }
441
+ } else {
442
+ // ARV-153: action POSTs (`/capture`, `/verify`, `/cancel`, …) never
443
+ // allocate a new resource — surface that instead of the alarming
444
+ // "no DELETE counterpart" line that triggered F7's leak-risk noise.
445
+ const reason =
446
+ classifyPostSemantics(ep) === "action"
447
+ ? "no cleanup needed (action endpoint — no resource created)"
448
+ : "no DELETE counterpart in spec";
449
+ verdict.cleanup = { attempted: false, error: reason };
450
+ }
451
+ }
452
+ }
453
+
454
+ // Preserve "high" already set by the extras-bypass branch; otherwise
455
+ // derive severity from per-field outcomes.
456
+ if (verdict.severity !== "high") finaliseSeverity(verdict, strict);
457
+ stampRecommendedAction(verdict);
458
+ return verdict;
459
+ }