@kirrosh/zond 0.22.0 → 0.26.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +811 -0
- package/README.md +59 -6
- package/package.json +9 -7
- package/src/CLAUDE.md +112 -0
- package/src/cli/argv.ts +122 -0
- package/src/cli/commands/add-api.ts +146 -0
- package/src/cli/commands/api/annotate/idempotency.ts +59 -0
- package/src/cli/commands/api/annotate/index.ts +880 -0
- package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
- package/src/cli/commands/api/annotate/overlay.ts +206 -0
- package/src/cli/commands/api/annotate/pagination.ts +64 -0
- package/src/cli/commands/api/annotate/prompts.ts +220 -0
- package/src/cli/commands/api/annotate/readback.ts +58 -0
- package/src/cli/commands/api/annotate/resources.ts +91 -0
- package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
- package/src/cli/commands/audit.ts +786 -0
- package/src/cli/commands/catalog.ts +35 -0
- package/src/cli/commands/check.ts +361 -0
- package/src/cli/commands/checks.ts +1072 -0
- package/src/cli/commands/ci-init.ts +43 -0
- package/src/cli/commands/clean.ts +212 -0
- package/src/cli/commands/cleanup.ts +236 -0
- package/src/cli/commands/completions.ts +16 -0
- package/src/cli/commands/coverage.ts +823 -132
- package/src/cli/commands/db.ts +486 -12
- package/src/cli/commands/describe.ts +37 -2
- package/src/cli/commands/discover.ts +1356 -0
- package/src/cli/commands/doctor.ts +661 -0
- package/src/cli/commands/fixtures.ts +402 -0
- package/src/cli/commands/generate.ts +438 -47
- package/src/cli/commands/init/bootstrap.ts +34 -2
- package/src/cli/commands/{init.ts → init/index.ts} +99 -5
- package/src/cli/commands/init/skills.ts +99 -3
- package/src/cli/commands/init/templates/agents.md +77 -64
- package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
- package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
- package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
- package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
- package/src/cli/commands/init/templates/skills/zond.md +802 -125
- package/src/cli/commands/init/templates/zond-config.yml +8 -9
- package/src/cli/commands/prepare-fixtures.ts +97 -0
- package/src/cli/commands/probe/_seed-bodies.ts +52 -0
- package/src/cli/commands/probe/mass-assignment.ts +594 -0
- package/src/cli/commands/probe/security.ts +537 -0
- package/src/cli/commands/probe/static.ts +255 -0
- package/src/cli/commands/probe/webhooks.ts +163 -0
- package/src/cli/commands/probe.ts +535 -0
- package/src/cli/commands/reference.ts +87 -0
- package/src/cli/commands/refresh-api.ts +227 -0
- package/src/cli/commands/remove-api.ts +150 -0
- package/src/cli/commands/report-bundle.ts +310 -0
- package/src/cli/commands/report.ts +241 -0
- package/src/cli/commands/request.ts +495 -4
- package/src/cli/commands/run.ts +870 -53
- package/src/cli/commands/schema-from-runs.ts +128 -0
- package/src/cli/commands/secrets.ts +133 -0
- package/src/cli/commands/session.ts +244 -0
- package/src/cli/commands/use.ts +18 -1
- package/src/cli/index.ts +20 -3
- package/src/cli/json-envelope.ts +92 -3
- package/src/cli/json-schemas.ts +314 -0
- package/src/cli/output.ts +17 -1
- package/src/cli/program.ts +199 -635
- package/src/cli/resolve.ts +105 -0
- package/src/cli/safe-live.ts +24 -0
- package/src/cli/status-filter.ts +114 -0
- package/src/cli/util/api-context.ts +85 -0
- package/src/cli/version.ts +5 -0
- package/src/core/audit/persist.ts +183 -0
- package/src/core/checks/budget.ts +59 -0
- package/src/core/checks/checks/_crud-helpers.ts +133 -0
- package/src/core/checks/checks/_negative_mutator.ts +133 -0
- package/src/core/checks/checks/_readback-helpers.ts +133 -0
- package/src/core/checks/checks/content_type_conformance.ts +39 -0
- package/src/core/checks/checks/cross_call_references.ts +147 -0
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
- package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
- package/src/core/checks/checks/idempotency_replay.ts +242 -0
- package/src/core/checks/checks/ignored_auth.ts +254 -0
- package/src/core/checks/checks/index.ts +68 -0
- package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
- package/src/core/checks/checks/missing_required_header.ts +40 -0
- package/src/core/checks/checks/negative_data_rejection.ts +148 -0
- package/src/core/checks/checks/not_a_server_error.ts +35 -0
- package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
- package/src/core/checks/checks/pagination_invariants.ts +419 -0
- package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
- package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
- package/src/core/checks/checks/response_headers_conformance.ts +74 -0
- package/src/core/checks/checks/response_schema_conformance.ts +30 -0
- package/src/core/checks/checks/status_code_conformance.ts +132 -0
- package/src/core/checks/checks/unsupported_method.ts +63 -0
- package/src/core/checks/checks/use_after_free.ts +78 -0
- package/src/core/checks/index.ts +30 -0
- package/src/core/checks/mode.ts +82 -0
- package/src/core/checks/recommended-action.ts +68 -0
- package/src/core/checks/registry.ts +78 -0
- package/src/core/checks/runner.ts +1461 -0
- package/src/core/checks/sarif.ts +230 -0
- package/src/core/checks/spec-findings.ts +308 -0
- package/src/core/checks/stateful.ts +121 -0
- package/src/core/checks/types.ts +305 -0
- package/src/core/checks/zond-extensions.ts +73 -0
- package/src/core/classifier/recommended-action.ts +251 -0
- package/src/core/context/current.ts +22 -6
- package/src/core/context/session.ts +78 -0
- package/src/core/coverage/loader.ts +216 -0
- package/src/core/coverage/reasons.ts +300 -0
- package/src/core/diagnostics/db-analysis.ts +293 -59
- package/src/core/diagnostics/failure-class.ts +140 -0
- package/src/core/diagnostics/failure-hints.ts +88 -89
- package/src/core/diagnostics/spec-pointer.ts +99 -0
- package/src/core/diagnostics/suggested-fixes.ts +155 -0
- package/src/core/exporter/case-study/index.ts +270 -0
- package/src/core/exporter/curl.ts +40 -0
- package/src/core/exporter/exporter.ts +48 -0
- package/src/core/exporter/html-report/escape.ts +24 -0
- package/src/core/exporter/html-report/index.ts +479 -0
- package/src/core/exporter/html-report/script.ts +100 -0
- package/src/core/exporter/html-report/styles.ts +408 -0
- package/src/core/generator/chunker.ts +38 -19
- package/src/core/generator/coverage-phase.ts +0 -0
- package/src/core/generator/data-factory.ts +586 -22
- package/src/core/generator/describe.ts +1 -1
- package/src/core/generator/fixtures-builder.ts +332 -0
- package/src/core/generator/index.ts +5 -5
- package/src/core/generator/openapi-reader.ts +135 -7
- package/src/core/generator/path-param-disambig.ts +140 -0
- package/src/core/generator/resources-builder.ts +898 -0
- package/src/core/generator/schema-utils.ts +33 -3
- package/src/core/generator/serializer.ts +103 -13
- package/src/core/generator/suite-generator.ts +583 -122
- package/src/core/generator/types.ts +14 -0
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/lint/affects.ts +28 -0
- package/src/core/lint/config.ts +96 -0
- package/src/core/lint/format.ts +42 -0
- package/src/core/lint/index.ts +94 -0
- package/src/core/lint/reporter.ts +128 -0
- package/src/core/lint/rules/consistency.ts +158 -0
- package/src/core/lint/rules/heuristics.ts +97 -0
- package/src/core/lint/rules/strictness.ts +109 -0
- package/src/core/lint/types.ts +96 -0
- package/src/core/lint/walker.ts +248 -0
- package/src/core/meta/meta-store.ts +6 -73
- package/src/core/output/README.md +73 -0
- package/src/core/output/index.ts +13 -0
- package/src/core/output/run.ts +91 -0
- package/src/core/output/types.ts +122 -0
- package/src/core/parser/dynamic-values.ts +160 -0
- package/src/core/parser/env-interpolation.ts +104 -0
- package/src/core/parser/filter.ts +57 -0
- package/src/core/parser/schema.ts +129 -4
- package/src/core/parser/types.ts +19 -1
- package/src/core/parser/variables.ts +0 -0
- package/src/core/parser/yaml-parser.ts +58 -12
- package/src/core/probe/bootstrap.ts +34 -0
- package/src/core/probe/dry-run-envelope.ts +61 -0
- package/src/core/probe/mass-assignment/classify.ts +175 -0
- package/src/core/probe/mass-assignment/cleanup.ts +52 -0
- package/src/core/probe/mass-assignment/digest.ts +114 -0
- package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
- package/src/core/probe/mass-assignment/regression.ts +141 -0
- package/src/core/probe/mass-assignment/suspects.ts +92 -0
- package/src/core/probe/mass-assignment/types.ts +135 -0
- package/src/core/probe/mass-assignment-probe-class.ts +198 -0
- package/src/core/probe/mass-assignment-probe.ts +27 -0
- package/src/core/probe/mass-assignment-template.ts +240 -0
- package/src/core/probe/method-probe.ts +43 -76
- package/src/core/probe/method-shared.ts +69 -0
- package/src/core/probe/negative-probe.ts +183 -149
- package/src/core/probe/orphan-tracker.ts +188 -0
- package/src/core/probe/path-discovery.ts +439 -0
- package/src/core/probe/probe-harness.ts +119 -0
- package/src/core/probe/registry.ts +89 -0
- package/src/core/probe/runner.ts +136 -0
- package/src/core/probe/security/baseline.ts +174 -0
- package/src/core/probe/security/classify.ts +341 -0
- package/src/core/probe/security/cleanup.ts +125 -0
- package/src/core/probe/security/detectors.ts +71 -0
- package/src/core/probe/security/digest.ts +104 -0
- package/src/core/probe/security/orchestrator.ts +398 -0
- package/src/core/probe/security/regression.ts +103 -0
- package/src/core/probe/security/types.ts +151 -0
- package/src/core/probe/security-probe-class.ts +207 -0
- package/src/core/probe/security-probe.ts +32 -0
- package/src/core/probe/shared.ts +531 -0
- package/src/core/probe/static-probe-class.ts +125 -0
- package/src/core/probe/types.ts +165 -0
- package/src/core/probe/verdict-aggregator.ts +33 -0
- package/src/core/probe/webhooks-probe.ts +282 -0
- package/src/core/reporter/console.ts +41 -2
- package/src/core/reporter/index.ts +2 -3
- package/src/core/reporter/json.ts +11 -1
- package/src/core/reporter/junit.ts +27 -12
- package/src/core/reporter/ndjson.ts +37 -0
- package/src/core/reporter/types.ts +3 -0
- package/src/core/runner/assertions.ts +59 -2
- package/src/core/runner/async-pool.ts +108 -0
- package/src/core/runner/auth-path.ts +8 -0
- package/src/core/runner/ci-context.ts +72 -0
- package/src/core/runner/executor.ts +265 -36
- package/src/core/runner/form-encode.ts +41 -0
- package/src/core/runner/http-client.ts +112 -2
- package/src/core/runner/learn-drift.ts +293 -0
- package/src/core/runner/preflight-vars.ts +153 -0
- package/src/core/runner/progress-tracker.ts +73 -0
- package/src/core/runner/rate-limiter.ts +87 -33
- package/src/core/runner/run-kind.ts +45 -0
- package/src/core/runner/schema-validator.ts +308 -0
- package/src/core/runner/send-request.ts +158 -20
- package/src/core/runner/types.ts +44 -0
- package/src/core/secrets/registry.ts +164 -0
- package/src/core/secrets/secrets-file.ts +115 -0
- package/src/core/selectors/operation-filter.ts +144 -0
- package/src/core/setup-api.ts +457 -20
- package/src/core/severity/category.ts +94 -0
- package/src/core/severity/index.ts +58 -0
- package/src/core/spec/infer-schema.ts +102 -0
- package/src/core/spec/layers.ts +154 -0
- package/src/core/spec/merge-specs.ts +156 -0
- package/src/core/spec/schema-from-runs.ts +117 -0
- package/src/core/spec/schema-overlay.ts +130 -0
- package/src/core/util/ajv.ts +13 -0
- package/src/core/util/format-eta.ts +21 -0
- package/src/core/util/headers.ts +9 -0
- package/src/core/util/url.ts +24 -0
- package/src/core/utils.ts +5 -1
- package/src/core/workspace/config.ts +129 -0
- package/src/core/workspace/fixture-gap-report.ts +84 -0
- package/src/core/workspace/fixture-gaps.ts +71 -0
- package/src/core/workspace/manifest.ts +283 -0
- package/src/core/workspace/output-rotation.ts +62 -0
- package/src/core/workspace/root.ts +13 -11
- package/src/core/workspace/triage-path.ts +87 -0
- package/src/db/lint-runs.ts +47 -0
- package/src/db/migrate.ts +128 -0
- package/src/db/migrations/0001_run_kind.sql +25 -0
- package/src/db/migrations/0002_run_kind_request.sql +59 -0
- package/src/db/migrations/sql.d.ts +4 -0
- package/src/db/queries/collections.ts +133 -0
- package/src/db/queries/coverage.ts +9 -0
- package/src/db/queries/dashboard.ts +59 -0
- package/src/db/queries/results.ts +216 -0
- package/src/db/queries/runs.ts +289 -0
- package/src/db/queries/sessions.ts +42 -0
- package/src/db/queries/settings.ts +28 -0
- package/src/db/queries/types.ts +172 -0
- package/src/db/queries.ts +75 -802
- package/src/db/schema.ts +178 -50
- package/src/cli/commands/export.ts +0 -144
- package/src/cli/commands/guide.ts +0 -127
- package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
- package/src/cli/commands/probe-methods.ts +0 -108
- package/src/cli/commands/probe-validation.ts +0 -124
- package/src/cli/commands/serve.ts +0 -114
- package/src/cli/commands/sync.ts +0 -268
- package/src/cli/commands/update.ts +0 -189
- package/src/cli/commands/validate.ts +0 -34
- package/src/core/diagnostics/render-md.ts +0 -112
- package/src/core/exporter/postman.ts +0 -963
- package/src/core/generator/guide-builder.ts +0 -253
- package/src/core/meta/types.ts +0 -19
- package/src/core/parser/index.ts +0 -21
- package/src/core/runner/execute-run.ts +0 -132
- package/src/core/runner/index.ts +0 -12
- package/src/core/sync/spec-differ.ts +0 -38
- package/src/web/data/collection-state.ts +0 -362
- package/src/web/routes/api.ts +0 -314
- package/src/web/routes/dashboard.ts +0 -350
- package/src/web/routes/runs.ts +0 -64
- package/src/web/schemas.ts +0 -121
- package/src/web/server.ts +0 -134
- package/src/web/static/htmx.min.cjs +0 -1
- package/src/web/static/style.css +0 -1148
- package/src/web/views/endpoints-tab.ts +0 -174
- package/src/web/views/explorer-tab.ts +0 -402
- package/src/web/views/health-strip.ts +0 -92
- package/src/web/views/layout.ts +0 -48
- package/src/web/views/results.ts +0 -210
- package/src/web/views/runs-tab.ts +0 -126
- package/src/web/views/suites-tab.ts +0 -181
|
@@ -0,0 +1,114 @@
|
|
|
1
|
+
import { SUSPECTED_FIELDS } from "./suspects.ts";
|
|
2
|
+
import type {
|
|
3
|
+
EndpointVerdict,
|
|
4
|
+
MassAssignmentResult,
|
|
5
|
+
Severity,
|
|
6
|
+
} from "./types.ts";
|
|
7
|
+
|
|
8
|
+
const SEVERITY_ORDER: Severity[] = [
|
|
9
|
+
"high",
|
|
10
|
+
"inconclusive-baseline",
|
|
11
|
+
"inconclusive-5xx",
|
|
12
|
+
"medium",
|
|
13
|
+
"low",
|
|
14
|
+
"info",
|
|
15
|
+
"ok",
|
|
16
|
+
"skipped",
|
|
17
|
+
];
|
|
18
|
+
|
|
19
|
+
const SEVERITY_HEADER: Record<Severity, string> = {
|
|
20
|
+
high: "🚨 HIGH — privilege escalation candidates",
|
|
21
|
+
"inconclusive-baseline": "⚠️ INCONCLUSIVE — baseline body invalid (fix fixture / FK / scope and re-probe)",
|
|
22
|
+
"inconclusive-5xx": "⚠️ INCONCLUSIVE — baseline 5xx (endpoint crashes — likely duplicate of validation-probe)",
|
|
23
|
+
medium: "⚠️ MEDIUM — inconclusive (no follow-up GET available)",
|
|
24
|
+
low: "ℹ️ LOW — inconclusive (single-signal, follow-up GET unavailable)",
|
|
25
|
+
info: "· INFO — accepted-and-ignored (correct framework behaviour, often ineligible to report)",
|
|
26
|
+
ok: "✅ OK — rejected 4xx (best behaviour)",
|
|
27
|
+
skipped: "⏭️ SKIPPED",
|
|
28
|
+
};
|
|
29
|
+
|
|
30
|
+
export function formatDigestMarkdown(
|
|
31
|
+
result: MassAssignmentResult,
|
|
32
|
+
specPath: string,
|
|
33
|
+
): string {
|
|
34
|
+
const lines: string[] = [];
|
|
35
|
+
lines.push(`# Mass-assignment probe digest`);
|
|
36
|
+
lines.push("");
|
|
37
|
+
lines.push(`**Spec:** \`${specPath}\``);
|
|
38
|
+
lines.push(`**Endpoints probed:** ${result.specProbed} of ${result.totalEndpoints} mutating endpoints`);
|
|
39
|
+
lines.push("");
|
|
40
|
+
lines.push(`**Suspected fields tested:** ${Object.keys(SUSPECTED_FIELDS).join(", ")}`);
|
|
41
|
+
lines.push("");
|
|
42
|
+
|
|
43
|
+
const buckets = groupBySeverity(result.verdicts);
|
|
44
|
+
for (const sev of SEVERITY_ORDER) {
|
|
45
|
+
const items = buckets[sev];
|
|
46
|
+
if (!items || items.length === 0) continue;
|
|
47
|
+
lines.push(`## ${SEVERITY_HEADER[sev]} (${items.length})`);
|
|
48
|
+
lines.push("");
|
|
49
|
+
for (const v of items) {
|
|
50
|
+
lines.push(`### ${v.method} ${v.path}`);
|
|
51
|
+
lines.push("");
|
|
52
|
+
if (v.severity === "skipped") {
|
|
53
|
+
lines.push(`- Skipped: ${v.skipReason ?? v.summary}`);
|
|
54
|
+
lines.push("");
|
|
55
|
+
continue;
|
|
56
|
+
}
|
|
57
|
+
lines.push(`- ${v.summary}`);
|
|
58
|
+
lines.push(`- Injected: ${v.request.injectedFields.map(n => `\`${n}\``).join(", ")}`);
|
|
59
|
+
if (v.baseline) {
|
|
60
|
+
lines.push(`- Baseline (no extras): ${v.baseline.status}`);
|
|
61
|
+
}
|
|
62
|
+
if (v.response) {
|
|
63
|
+
lines.push(`- With extras: ${v.response.status}`);
|
|
64
|
+
}
|
|
65
|
+
if (v.followUpGet) {
|
|
66
|
+
lines.push(`- Follow-up GET → ${v.followUpGet.status}`);
|
|
67
|
+
}
|
|
68
|
+
const interesting = v.fields.filter(f => f.outcome !== "ignored" && f.outcome !== "absent");
|
|
69
|
+
if (interesting.length > 0) {
|
|
70
|
+
lines.push(`- Per-field outcomes:`);
|
|
71
|
+
for (const f of interesting) {
|
|
72
|
+
const obs = f.observed === undefined ? "n/a" : JSON.stringify(f.observed);
|
|
73
|
+
lines.push(` - \`${f.field}\` → **${f.outcome}** (injected ${JSON.stringify(f.injected)}, observed ${obs})`);
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
if (v.cleanup) {
|
|
77
|
+
if (v.cleanup.attempted) {
|
|
78
|
+
lines.push(`- Cleanup DELETE: ${v.cleanup.status ?? "errored"}${v.cleanup.error ? ` — ${v.cleanup.error}` : ""}`);
|
|
79
|
+
} else {
|
|
80
|
+
lines.push(`- Cleanup skipped: ${v.cleanup.error ?? "unknown"}`);
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
if (v.notes && v.notes.length > 0) {
|
|
84
|
+
for (const n of v.notes) lines.push(`- Note: ${n}`);
|
|
85
|
+
}
|
|
86
|
+
if (v.severity === "high") {
|
|
87
|
+
lines.push(`- **Action:** treat as P0 — server should reject or strip these fields.`);
|
|
88
|
+
}
|
|
89
|
+
if (v.severity === "inconclusive-baseline") {
|
|
90
|
+
lines.push(
|
|
91
|
+
`- **Action:** the baseline POST itself failed — set the right fixture / FK / path-params in your env (e.g. \`domain_id\`, \`account_id\`) and re-run.`,
|
|
92
|
+
);
|
|
93
|
+
}
|
|
94
|
+
if (v.severity === "inconclusive-5xx") {
|
|
95
|
+
lines.push(
|
|
96
|
+
`- **Action:** baseline crashed with 5xx — fix the underlying server bug (validation-probe likely reported it for the same endpoint) before mass-assignment can be observed here.`,
|
|
97
|
+
);
|
|
98
|
+
}
|
|
99
|
+
lines.push("");
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
|
|
103
|
+
if (result.warnings.length > 0) {
|
|
104
|
+
lines.push(`## Warnings`);
|
|
105
|
+
lines.push("");
|
|
106
|
+
for (const w of result.warnings) lines.push(`- ${w}`);
|
|
107
|
+
lines.push("");
|
|
108
|
+
}
|
|
109
|
+
return lines.join("\n");
|
|
110
|
+
}
|
|
111
|
+
|
|
112
|
+
function groupBySeverity(verdicts: EndpointVerdict[]): Partial<Record<Severity, EndpointVerdict[]>> {
|
|
113
|
+
return Object.groupBy(verdicts, (v) => v.severity);
|
|
114
|
+
}
|
|
@@ -0,0 +1,459 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Mass-assignment probe (T58) orchestrator.
|
|
3
|
+
*
|
|
4
|
+
* For each POST endpoint we craft a JSON body augmented with "suspected" extra
|
|
5
|
+
* fields (is_admin, role, account_id, …) plus server-assigned fields lifted
|
|
6
|
+
* from the response schema (id, created_at, …). We send the request live,
|
|
7
|
+
* read the response, and — when the API returned 2xx — issue a follow-up GET
|
|
8
|
+
* to differentiate two outcomes:
|
|
9
|
+
*
|
|
10
|
+
* • accepted-and-applied — the suspicious value persisted ⇒ privilege
|
|
11
|
+
* escalation candidate (HIGH severity).
|
|
12
|
+
* • accepted-and-ignored — the suspicious value was silently dropped
|
|
13
|
+
* (LOW severity, soft-warn).
|
|
14
|
+
*
|
|
15
|
+
* Rejected (4xx) is the desired behaviour. 5xx is a separate bug class
|
|
16
|
+
* (negative-probe territory).
|
|
17
|
+
*
|
|
18
|
+
* Auth is loaded from a `.env.yaml`-style file — same surface as `zond run`
|
|
19
|
+
* uses via `loadEnvironment`. `base_url`, `auth_token`, `api_key` and any
|
|
20
|
+
* path-param placeholders supplied in env are substituted into URLs.
|
|
21
|
+
*
|
|
22
|
+
* Optionally emits a YAML regression suite (`--emit-tests`) that locks in
|
|
23
|
+
* the observed safe behaviour (rejected / ignored) so CI catches drift.
|
|
24
|
+
*/
|
|
25
|
+
import type { EndpointInfo, SecuritySchemeInfo } from "../../generator/types.ts";
|
|
26
|
+
import { executeRequest } from "../../runner/http-client.ts";
|
|
27
|
+
import {
|
|
28
|
+
captureFieldFor,
|
|
29
|
+
classifyPostSemantics,
|
|
30
|
+
findDeleteCounterpart,
|
|
31
|
+
findGetByIdCounterpart,
|
|
32
|
+
liveAuthHeaders,
|
|
33
|
+
} from "../shared.ts";
|
|
34
|
+
import {
|
|
35
|
+
buildBaselineFromSpec,
|
|
36
|
+
buildBodyAuthHeaders,
|
|
37
|
+
buildProbeUrl,
|
|
38
|
+
hasProbeBody,
|
|
39
|
+
serializeProbeBody,
|
|
40
|
+
} from "../probe-harness.ts";
|
|
41
|
+
import {
|
|
42
|
+
createDiscoveryCache,
|
|
43
|
+
discoverBodyFkVars,
|
|
44
|
+
discoverPathParams,
|
|
45
|
+
type DiscoveryCache,
|
|
46
|
+
} from "../path-discovery.ts";
|
|
47
|
+
import {
|
|
48
|
+
isStrictContract,
|
|
49
|
+
serverAssignedExtras,
|
|
50
|
+
suspectedExtras,
|
|
51
|
+
} from "./suspects.ts";
|
|
52
|
+
import {
|
|
53
|
+
classifyFromBody,
|
|
54
|
+
finaliseSeverity,
|
|
55
|
+
findIdParam,
|
|
56
|
+
inconclusiveBaselineSummary,
|
|
57
|
+
needsFollowUp,
|
|
58
|
+
stampRecommendedAction,
|
|
59
|
+
} from "./classify.ts";
|
|
60
|
+
import { tryCleanupBaseline } from "./cleanup.ts";
|
|
61
|
+
import type {
|
|
62
|
+
EndpointVerdict,
|
|
63
|
+
MassAssignmentOptions,
|
|
64
|
+
MassAssignmentResult,
|
|
65
|
+
ProbeEndpointOpts,
|
|
66
|
+
} from "./types.ts";
|
|
67
|
+
|
|
68
|
+
export async function runMassAssignmentProbes(
|
|
69
|
+
opts: MassAssignmentOptions,
|
|
70
|
+
): Promise<MassAssignmentResult> {
|
|
71
|
+
const { endpoints, securitySchemes, vars, noCleanup, timeoutMs } = opts;
|
|
72
|
+
const discover = opts.discover !== false;
|
|
73
|
+
const cache: DiscoveryCache = createDiscoveryCache();
|
|
74
|
+
const verdicts: EndpointVerdict[] = [];
|
|
75
|
+
const warnings: string[] = [];
|
|
76
|
+
let totalEndpoints = 0;
|
|
77
|
+
|
|
78
|
+
for (const ep of endpoints) {
|
|
79
|
+
if (ep.deprecated) continue;
|
|
80
|
+
const m = ep.method.toUpperCase();
|
|
81
|
+
if (m !== "POST" && m !== "PATCH" && m !== "PUT") continue;
|
|
82
|
+
totalEndpoints++;
|
|
83
|
+
|
|
84
|
+
// ARV-150: accept form-urlencoded endpoints in addition to JSON. Stripe
|
|
85
|
+
// v1 declares only application/x-www-form-urlencoded for every mutating
|
|
86
|
+
// operation — 265 endpoints were SKIPPED before this loosening.
|
|
87
|
+
if (!hasProbeBody(ep)) {
|
|
88
|
+
verdicts.push(skipped(ep, "no JSON or form-urlencoded request body"));
|
|
89
|
+
continue;
|
|
90
|
+
}
|
|
91
|
+
|
|
92
|
+
// Resolve path placeholders, attempting auto-discovery when env doesn't
|
|
93
|
+
// supply them and the spec has a sibling list endpoint (TASK-92).
|
|
94
|
+
let effectiveVars = vars;
|
|
95
|
+
const probe = buildProbeUrl(ep, vars);
|
|
96
|
+
if (probe.unresolved.length > 0) {
|
|
97
|
+
if (!discover) {
|
|
98
|
+
const reason =
|
|
99
|
+
m === "POST"
|
|
100
|
+
? `cannot resolve path placeholders: ${probe.unresolved.join(", ")} (set them in --env file)`
|
|
101
|
+
: `${m} requires existing resource id; missing env vars: ${probe.unresolved.join(", ")}`;
|
|
102
|
+
verdicts.push(skipped(ep, reason));
|
|
103
|
+
continue;
|
|
104
|
+
}
|
|
105
|
+
const discovered = await discoverPathParams({
|
|
106
|
+
ep,
|
|
107
|
+
unresolved: probe.unresolved,
|
|
108
|
+
allEndpoints: endpoints,
|
|
109
|
+
schemes: securitySchemes,
|
|
110
|
+
vars,
|
|
111
|
+
cache,
|
|
112
|
+
timeoutMs,
|
|
113
|
+
});
|
|
114
|
+
if (discovered.kind === "miss") {
|
|
115
|
+
verdicts.push(
|
|
116
|
+
skipped(
|
|
117
|
+
ep,
|
|
118
|
+
`cannot resolve path placeholders: ${probe.unresolved.join(", ")} — auto-discover failed (${discovered.reason})`,
|
|
119
|
+
),
|
|
120
|
+
);
|
|
121
|
+
continue;
|
|
122
|
+
}
|
|
123
|
+
effectiveVars = { ...vars, ...discovered.values };
|
|
124
|
+
}
|
|
125
|
+
|
|
126
|
+
// TASK-137: body-FK discovery. Required body fields named `audience_id`,
|
|
127
|
+
// `project_slug`, `team_uuid`… get filled from sibling collection
|
|
128
|
+
// endpoints. Without this, baseline POST hits 4xx because the random
|
|
129
|
+
// string we'd otherwise send fails FK validation, and the verdict
|
|
130
|
+
// becomes INCONCLUSIVE-baseline — a noise class that buried 51 verdicts
|
|
131
|
+
// in the dogfooding audit (m-8 feedback §B).
|
|
132
|
+
const bodyFkMisses: Array<{ field: string; reason: string }> = [];
|
|
133
|
+
if (discover) {
|
|
134
|
+
const bodyDiscovery = await discoverBodyFkVars({
|
|
135
|
+
ep,
|
|
136
|
+
allEndpoints: endpoints,
|
|
137
|
+
schemes: securitySchemes,
|
|
138
|
+
vars: effectiveVars,
|
|
139
|
+
cache,
|
|
140
|
+
timeoutMs,
|
|
141
|
+
});
|
|
142
|
+
if (Object.keys(bodyDiscovery.values).length > 0) {
|
|
143
|
+
effectiveVars = { ...effectiveVars, ...bodyDiscovery.values };
|
|
144
|
+
}
|
|
145
|
+
bodyFkMisses.push(...bodyDiscovery.misses);
|
|
146
|
+
}
|
|
147
|
+
|
|
148
|
+
// Body-FK overlays. discoverBodyFkVars wrote into effectiveVars but the
|
|
149
|
+
// baseline body is generated from spec via fake UUIDs / random strings —
|
|
150
|
+
// substituteDeep only handles literal `{{var}}` markers, not field-name
|
|
151
|
+
// matches. So we pass the resolved field→value map separately and the
|
|
152
|
+
// probe overlays it onto baseline directly.
|
|
153
|
+
let bodyFkOverlay: Record<string, string> | undefined;
|
|
154
|
+
if (discover) {
|
|
155
|
+
bodyFkOverlay = {};
|
|
156
|
+
for (const k of Object.keys(effectiveVars)) {
|
|
157
|
+
if (vars[k] === undefined && k.includes("_") && /(_id|_slug|_uuid|_key)$/.test(k)) {
|
|
158
|
+
bodyFkOverlay[k] = effectiveVars[k]!;
|
|
159
|
+
}
|
|
160
|
+
}
|
|
161
|
+
if (Object.keys(bodyFkOverlay).length === 0) bodyFkOverlay = undefined;
|
|
162
|
+
}
|
|
163
|
+
|
|
164
|
+
const verdict = await probeEndpoint(ep, endpoints, securitySchemes, effectiveVars, {
|
|
165
|
+
noCleanup: noCleanup === true,
|
|
166
|
+
timeoutMs,
|
|
167
|
+
bodyFkMisses,
|
|
168
|
+
bodyFkOverlay,
|
|
169
|
+
extraSuspectFields: opts.extraSuspectFields,
|
|
170
|
+
seedBody: opts.seedBodies?.get(`${ep.method.toUpperCase()} ${ep.path}`),
|
|
171
|
+
});
|
|
172
|
+
stampRecommendedAction(verdict);
|
|
173
|
+
verdicts.push(verdict);
|
|
174
|
+
}
|
|
175
|
+
|
|
176
|
+
return {
|
|
177
|
+
specProbed: verdicts.length,
|
|
178
|
+
totalEndpoints,
|
|
179
|
+
verdicts,
|
|
180
|
+
warnings,
|
|
181
|
+
};
|
|
182
|
+
}
|
|
183
|
+
|
|
184
|
+
function skipped(ep: EndpointInfo, reason: string): EndpointVerdict {
|
|
185
|
+
return {
|
|
186
|
+
method: ep.method.toUpperCase(),
|
|
187
|
+
path: ep.path,
|
|
188
|
+
severity: "skipped",
|
|
189
|
+
summary: reason,
|
|
190
|
+
request: { url: "", body: undefined, injectedFields: [] },
|
|
191
|
+
fields: [],
|
|
192
|
+
strictContract: isStrictContract(ep.requestBodySchema),
|
|
193
|
+
skipReason: reason,
|
|
194
|
+
};
|
|
195
|
+
}
|
|
196
|
+
|
|
197
|
+
async function probeEndpoint(
|
|
198
|
+
ep: EndpointInfo,
|
|
199
|
+
allEndpoints: EndpointInfo[],
|
|
200
|
+
schemes: SecuritySchemeInfo[],
|
|
201
|
+
vars: Record<string, string>,
|
|
202
|
+
opts: ProbeEndpointOpts,
|
|
203
|
+
): Promise<EndpointVerdict> {
|
|
204
|
+
const m = ep.method.toUpperCase();
|
|
205
|
+
const strict = isStrictContract(ep.requestBodySchema);
|
|
206
|
+
|
|
207
|
+
// Build baseline payload from spec then substitute generators ({{$uuid}}, …).
|
|
208
|
+
const baseline = buildBaselineFromSpec(ep, vars, opts.seedBody);
|
|
209
|
+
if (baseline === null) {
|
|
210
|
+
return skipped(ep, "request body not a JSON object");
|
|
211
|
+
}
|
|
212
|
+
// TASK-137: overlay discovered FK values directly by field name so the
|
|
213
|
+
// baseline body actually carries the real audience_id / project_slug / …
|
|
214
|
+
// instead of the random UUID generateFromSchema synthesised.
|
|
215
|
+
if (opts.bodyFkOverlay) {
|
|
216
|
+
for (const [k, v] of Object.entries(opts.bodyFkOverlay)) {
|
|
217
|
+
if (k in baseline) baseline[k] = v;
|
|
218
|
+
}
|
|
219
|
+
}
|
|
220
|
+
|
|
221
|
+
const suspects = suspectedExtras(ep, opts.extraSuspectFields);
|
|
222
|
+
const serverFields = serverAssignedExtras(ep);
|
|
223
|
+
// Suspects win over server-assigned: if a field is both (e.g. `is_admin`
|
|
224
|
+
// appears in the response schema AND is in our suspect list), the suspect
|
|
225
|
+
// sentinel must be sent so we can detect privilege escalation.
|
|
226
|
+
const injectedSet = { ...serverFields, ...suspects };
|
|
227
|
+
const injectedNames = Object.keys(injectedSet);
|
|
228
|
+
if (injectedNames.length === 0) {
|
|
229
|
+
return skipped(ep, "no extra fields to inject (request schema covers everything)");
|
|
230
|
+
}
|
|
231
|
+
|
|
232
|
+
const body = { ...baseline, ...injectedSet };
|
|
233
|
+
const { url, unresolved } = buildProbeUrl(ep, vars);
|
|
234
|
+
if (unresolved.length > 0) {
|
|
235
|
+
return skipped(
|
|
236
|
+
ep,
|
|
237
|
+
`cannot resolve path placeholders: ${unresolved.join(", ")} (set them in --env file)`,
|
|
238
|
+
);
|
|
239
|
+
}
|
|
240
|
+
|
|
241
|
+
// ARV-150: Content-Type follows the spec — form-urlencoded for Stripe v1,
|
|
242
|
+
// JSON otherwise. `serializeProbeBody` encodes the actual wire payload.
|
|
243
|
+
const headers = buildBodyAuthHeaders(ep, schemes, vars);
|
|
244
|
+
|
|
245
|
+
const verdict: EndpointVerdict = {
|
|
246
|
+
method: m,
|
|
247
|
+
path: ep.path,
|
|
248
|
+
severity: "ok",
|
|
249
|
+
summary: "",
|
|
250
|
+
request: { url, body, injectedFields: injectedNames },
|
|
251
|
+
fields: injectedNames.map(name => ({
|
|
252
|
+
field: name,
|
|
253
|
+
injected: injectedSet[name],
|
|
254
|
+
outcome: "unknown",
|
|
255
|
+
})),
|
|
256
|
+
strictContract: strict,
|
|
257
|
+
};
|
|
258
|
+
|
|
259
|
+
// ── Baseline probe (TASK-91) ─────────────────────────────────────────────
|
|
260
|
+
// Send the *clean* baseline body first. Without this, a 4xx caused by FK
|
|
261
|
+
// miss / bad fixture / scope mismatch is indistinguishable from a 4xx that
|
|
262
|
+
// actually rejected our extras — false-OK on FK-heavy SaaS APIs (Stripe /
|
|
263
|
+
// Linear / GitHub-shaped). The baseline lets us classify:
|
|
264
|
+
// • baseline 4xx + injected 4xx → INCONCLUSIVE-baseline (fixture bug).
|
|
265
|
+
// • baseline 2xx + injected 4xx → OK (real extras rejection).
|
|
266
|
+
// • baseline 4xx + injected 2xx → HIGH (extras opened a code path the
|
|
267
|
+
// baseline never reached — privilege/auth bypass).
|
|
268
|
+
// • baseline 2xx + injected 2xx → existing applied/ignored flow.
|
|
269
|
+
let baselineResp;
|
|
270
|
+
try {
|
|
271
|
+
baselineResp = await executeRequest(
|
|
272
|
+
{ method: m, url, headers, body: serializeProbeBody(ep, baseline).content },
|
|
273
|
+
{ timeout: opts.timeoutMs ?? 30000, retries: 0 },
|
|
274
|
+
);
|
|
275
|
+
} catch (err) {
|
|
276
|
+
verdict.severity = "high";
|
|
277
|
+
verdict.summary = `baseline network error: ${err instanceof Error ? err.message : String(err)}`;
|
|
278
|
+
return verdict;
|
|
279
|
+
}
|
|
280
|
+
const baselineBody = baselineResp.body_parsed ?? baselineResp.body;
|
|
281
|
+
verdict.baseline = { status: baselineResp.status, body: baselineBody };
|
|
282
|
+
const baselineOk = baselineResp.status >= 200 && baselineResp.status < 300;
|
|
283
|
+
// If baseline created a resource, DELETE it before issuing the injected
|
|
284
|
+
// probe so the second POST doesn't trip a unique-constraint and so we
|
|
285
|
+
// don't leak resources.
|
|
286
|
+
if (baselineOk && !opts.noCleanup) {
|
|
287
|
+
await tryCleanupBaseline(ep, allEndpoints, schemes, vars, baselineBody, opts);
|
|
288
|
+
}
|
|
289
|
+
|
|
290
|
+
// ── Injected probe ──────────────────────────────────────────────────────
|
|
291
|
+
let resp;
|
|
292
|
+
try {
|
|
293
|
+
resp = await executeRequest(
|
|
294
|
+
{ method: m, url, headers, body: serializeProbeBody(ep, body).content },
|
|
295
|
+
{ timeout: opts.timeoutMs ?? 30000, retries: 0 },
|
|
296
|
+
);
|
|
297
|
+
} catch (err) {
|
|
298
|
+
verdict.severity = "high";
|
|
299
|
+
verdict.summary = `network error: ${err instanceof Error ? err.message : String(err)}`;
|
|
300
|
+
return verdict;
|
|
301
|
+
}
|
|
302
|
+
verdict.response = { status: resp.status, body: resp.body_parsed ?? resp.body };
|
|
303
|
+
|
|
304
|
+
if (resp.status >= 500) {
|
|
305
|
+
// TASK-276: if the baseline (no extras) also crashed with ≥500, the
|
|
306
|
+
// endpoint is just crashing — mass-assignment semantics aren't
|
|
307
|
+
// observable, and validation-probe will already have flagged the same
|
|
308
|
+
// endpoint. Don't surface as HIGH privilege-escalation; that buries
|
|
309
|
+
// real findings under noise.
|
|
310
|
+
if (baselineResp.status >= 500) {
|
|
311
|
+
verdict.severity = "inconclusive-5xx";
|
|
312
|
+
verdict.summary = `baseline ${baselineResp.status} → injected ${resp.status} — endpoint crashes regardless of extras (likely duplicate of validation-probe)`;
|
|
313
|
+
for (const f of verdict.fields) f.outcome = "unknown";
|
|
314
|
+
return verdict;
|
|
315
|
+
}
|
|
316
|
+
verdict.severity = "high";
|
|
317
|
+
verdict.summary = `5xx unhandled (${resp.status}) — see negative-probe`;
|
|
318
|
+
return verdict;
|
|
319
|
+
}
|
|
320
|
+
|
|
321
|
+
const injectedOk = resp.status >= 200 && resp.status < 300;
|
|
322
|
+
|
|
323
|
+
// Matrix dispatch on baseline×injected (TASK-91):
|
|
324
|
+
if (resp.status >= 400 && !injectedOk) {
|
|
325
|
+
if (!baselineOk) {
|
|
326
|
+
// Baseline body itself invalid — extras never reached validation.
|
|
327
|
+
verdict.severity = "inconclusive-baseline";
|
|
328
|
+
verdict.summary = inconclusiveBaselineSummary(
|
|
329
|
+
baselineResp.status,
|
|
330
|
+
baselineBody,
|
|
331
|
+
opts.bodyFkMisses,
|
|
332
|
+
);
|
|
333
|
+
for (const f of verdict.fields) f.outcome = "unknown";
|
|
334
|
+
return verdict;
|
|
335
|
+
}
|
|
336
|
+
// Baseline succeeded, injected rejected → real extras rejection.
|
|
337
|
+
verdict.severity = "ok";
|
|
338
|
+
verdict.summary = strict
|
|
339
|
+
? `rejected ${resp.status} — strict contract honoured`
|
|
340
|
+
: `rejected ${resp.status} — extras refused (baseline ${baselineResp.status})`;
|
|
341
|
+
for (const f of verdict.fields) f.outcome = "absent";
|
|
342
|
+
return verdict;
|
|
343
|
+
}
|
|
344
|
+
|
|
345
|
+
if (injectedOk && !baselineOk) {
|
|
346
|
+
// Extras-as-bypass: baseline didn't make it through, but adding extras did.
|
|
347
|
+
// The extra fields opened a code path that baseline didn't reach (auth
|
|
348
|
+
// scope, FK shadowing, etc.). Treat as HIGH — likely a real bug —
|
|
349
|
+
// and continue to body-classification so per-field outcomes are still
|
|
350
|
+
// recorded for the digest.
|
|
351
|
+
verdict.severity = "high";
|
|
352
|
+
const bypassReason =
|
|
353
|
+
baselineResp.status >= 500
|
|
354
|
+
? "server crash on baseline — extras-bypass turned a 5xx into a successful write"
|
|
355
|
+
: "extras opened a code path baseline didn't reach";
|
|
356
|
+
verdict.summary = `extras-bypass: baseline ${baselineResp.status} → injected ${resp.status} (${bypassReason})`;
|
|
357
|
+
// Fall through to the 2xx classification below; finaliseSeverity won't
|
|
358
|
+
// overwrite "high" once it's set — but we also want to still mark
|
|
359
|
+
// applied/ignored fields. We skip finaliseSeverity at the end for this
|
|
360
|
+
// case to preserve the bypass summary.
|
|
361
|
+
}
|
|
362
|
+
|
|
363
|
+
// 2xx — analyse the response body for echoed values, then maybe GET.
|
|
364
|
+
const respBody =
|
|
365
|
+
typeof resp.body_parsed === "object" && resp.body_parsed !== null
|
|
366
|
+
? (resp.body_parsed as Record<string, unknown>)
|
|
367
|
+
: undefined;
|
|
368
|
+
|
|
369
|
+
classifyFromBody(verdict, respBody);
|
|
370
|
+
|
|
371
|
+
// Follow-up GET if any field is still "absent" or "unknown" — to distinguish
|
|
372
|
+
// ignored from silently-persisted-but-not-echoed.
|
|
373
|
+
if (respBody && needsFollowUp(verdict)) {
|
|
374
|
+
const idField = captureFieldFor(ep);
|
|
375
|
+
const id = respBody[idField];
|
|
376
|
+
const getEp = findGetByIdCounterpart(ep, allEndpoints);
|
|
377
|
+
if (id !== undefined && getEp) {
|
|
378
|
+
const getVars = { ...vars, [findIdParam(getEp)]: String(id), id: String(id) };
|
|
379
|
+
const getUrl = buildProbeUrl(getEp, getVars);
|
|
380
|
+
if (getUrl.unresolved.length === 0) {
|
|
381
|
+
try {
|
|
382
|
+
const getResp = await executeRequest(
|
|
383
|
+
{
|
|
384
|
+
method: "GET",
|
|
385
|
+
url: getUrl.url,
|
|
386
|
+
headers: {
|
|
387
|
+
accept: "application/json",
|
|
388
|
+
...liveAuthHeaders(getEp, schemes, vars),
|
|
389
|
+
},
|
|
390
|
+
},
|
|
391
|
+
{ timeout: opts.timeoutMs ?? 30000, retries: 0 },
|
|
392
|
+
);
|
|
393
|
+
const getBody =
|
|
394
|
+
typeof getResp.body_parsed === "object" && getResp.body_parsed !== null
|
|
395
|
+
? (getResp.body_parsed as Record<string, unknown>)
|
|
396
|
+
: undefined;
|
|
397
|
+
verdict.followUpGet = {
|
|
398
|
+
url: getUrl.url,
|
|
399
|
+
status: getResp.status,
|
|
400
|
+
body: getResp.body_parsed ?? getResp.body,
|
|
401
|
+
};
|
|
402
|
+
if (getBody) classifyFromBody(verdict, getBody, true);
|
|
403
|
+
} catch (err) {
|
|
404
|
+
verdict.notes = [
|
|
405
|
+
...(verdict.notes ?? []),
|
|
406
|
+
`follow-up GET failed: ${err instanceof Error ? err.message : String(err)}`,
|
|
407
|
+
];
|
|
408
|
+
}
|
|
409
|
+
}
|
|
410
|
+
}
|
|
411
|
+
|
|
412
|
+
// Cleanup
|
|
413
|
+
if (!opts.noCleanup && id !== undefined) {
|
|
414
|
+
const delEp = findDeleteCounterpart(ep, allEndpoints);
|
|
415
|
+
if (delEp) {
|
|
416
|
+
const delVars = { ...vars, [findIdParam(delEp)]: String(id), id: String(id) };
|
|
417
|
+
const delUrl = buildProbeUrl(delEp, delVars);
|
|
418
|
+
if (delUrl.unresolved.length === 0) {
|
|
419
|
+
try {
|
|
420
|
+
const delResp = await executeRequest(
|
|
421
|
+
{
|
|
422
|
+
method: "DELETE",
|
|
423
|
+
url: delUrl.url,
|
|
424
|
+
headers: {
|
|
425
|
+
accept: "application/json",
|
|
426
|
+
...liveAuthHeaders(delEp, schemes, vars),
|
|
427
|
+
},
|
|
428
|
+
},
|
|
429
|
+
{ timeout: opts.timeoutMs ?? 30000, retries: 0 },
|
|
430
|
+
);
|
|
431
|
+
verdict.cleanup = { attempted: true, status: delResp.status };
|
|
432
|
+
} catch (err) {
|
|
433
|
+
verdict.cleanup = {
|
|
434
|
+
attempted: true,
|
|
435
|
+
error: err instanceof Error ? err.message : String(err),
|
|
436
|
+
};
|
|
437
|
+
}
|
|
438
|
+
} else {
|
|
439
|
+
verdict.cleanup = { attempted: false, error: "unresolved DELETE path placeholders" };
|
|
440
|
+
}
|
|
441
|
+
} else {
|
|
442
|
+
// ARV-153: action POSTs (`/capture`, `/verify`, `/cancel`, …) never
|
|
443
|
+
// allocate a new resource — surface that instead of the alarming
|
|
444
|
+
// "no DELETE counterpart" line that triggered F7's leak-risk noise.
|
|
445
|
+
const reason =
|
|
446
|
+
classifyPostSemantics(ep) === "action"
|
|
447
|
+
? "no cleanup needed (action endpoint — no resource created)"
|
|
448
|
+
: "no DELETE counterpart in spec";
|
|
449
|
+
verdict.cleanup = { attempted: false, error: reason };
|
|
450
|
+
}
|
|
451
|
+
}
|
|
452
|
+
}
|
|
453
|
+
|
|
454
|
+
// Preserve "high" already set by the extras-bypass branch; otherwise
|
|
455
|
+
// derive severity from per-field outcomes.
|
|
456
|
+
if (verdict.severity !== "high") finaliseSeverity(verdict, strict);
|
|
457
|
+
stampRecommendedAction(verdict);
|
|
458
|
+
return verdict;
|
|
459
|
+
}
|