@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -0,0 +1,207 @@
1
+ /**
2
+ * `SecurityProbe` — Probe-contract wrapper around the existing
3
+ * `runSecurityProbes` engine in `security-probe.ts` (m-17 / ARV-49).
4
+ *
5
+ * Behavior is unchanged on this step. dryRun() returns the structured
6
+ * EndpointPlan[] shape (used by the new dry-run envelope in ARV-50);
7
+ * run() delegates to runSecurityProbes(); report() is a thin renderer
8
+ * that converts the SecurityProbeResult to either a markdown digest
9
+ * (existing formatter) or the structured per-endpoint shape (ARV-51).
10
+ */
11
+ import type { Probe, ProbeContext, ProbeFlags, EndpointPlan, ProbeResult, ProbeReportFormat, ProbeEndpointResult, ProbeEndpointStatus } from "./types.ts";
12
+ import {
13
+ runSecurityProbes,
14
+ formatSecurityDigest,
15
+ detectFields,
16
+ SECURITY_CLASSES,
17
+ type SecurityClass,
18
+ type SecurityProbeResult,
19
+ type SecurityVerdict,
20
+ } from "./security-probe.ts";
21
+ import { pathTouchesSeededVar } from "./shared.ts";
22
+ import { hasProbeBody } from "./probe-harness.ts";
23
+
24
+ const FLAGS: ProbeFlags = {
25
+ api: true,
26
+ tag: true,
27
+ include: true,
28
+ exclude: true,
29
+ dryRun: true,
30
+ listTags: true,
31
+ json: true,
32
+ output: true,
33
+ report: true,
34
+ };
35
+
36
+ function planForSecurity(
37
+ ctx: ProbeContext,
38
+ classes: SecurityClass[],
39
+ isolated: boolean,
40
+ ): EndpointPlan[] {
41
+ const out: EndpointPlan[] = [];
42
+ for (const ep of ctx.endpoints) {
43
+ if (ep.deprecated) continue;
44
+ const m = ep.method.toUpperCase();
45
+ if (m !== "POST" && m !== "PUT" && m !== "PATCH") continue;
46
+
47
+ if (isolated && (m === "PUT" || m === "PATCH") && pathTouchesSeededVar(ep.path, ctx.vars)) {
48
+ out.push({
49
+ path: ep.path,
50
+ method: m,
51
+ planned: false,
52
+ classes_planned: [],
53
+ fields_planned: [],
54
+ skip_reason: "isolated-protected",
55
+ });
56
+ continue;
57
+ }
58
+
59
+ // ARV-313: parity with the live orchestrator (which uses hasProbeBody)
60
+ // and the mass-assignment planner — accept application/x-www-form-urlencoded
61
+ // bodies, not just JSON. The old hasJsonBody gate made the dry-run
62
+ // inventory a no-op on form-encoded APIs (Stripe v1), so `probe security
63
+ // --dry-run` planned 0/291 while mass-assignment planned 290/291.
64
+ if (!hasProbeBody(ep)) {
65
+ out.push({
66
+ path: ep.path,
67
+ method: m,
68
+ planned: false,
69
+ classes_planned: [],
70
+ fields_planned: [],
71
+ skip_reason: "no-body",
72
+ });
73
+ continue;
74
+ }
75
+
76
+ const detected = detectFields(ep, classes);
77
+ if (detected.length === 0) {
78
+ out.push({
79
+ path: ep.path,
80
+ method: m,
81
+ planned: false,
82
+ classes_planned: [],
83
+ fields_planned: [],
84
+ skip_reason: "no-matched-field",
85
+ });
86
+ continue;
87
+ }
88
+
89
+ const classesPlanned = Array.from(new Set(detected.map((d) => d.class)));
90
+ const fieldsPlanned = Array.from(new Set(detected.map((d) => d.field)));
91
+ out.push({
92
+ path: ep.path,
93
+ method: m,
94
+ planned: true,
95
+ classes_planned: classesPlanned,
96
+ fields_planned: fieldsPlanned,
97
+ skip_reason: null,
98
+ });
99
+ }
100
+ return out;
101
+ }
102
+
103
+ function statusFromSeverity(s: SecurityVerdict["severity"]): ProbeEndpointStatus {
104
+ if (s === "high") return "high";
105
+ if (s === "low") return "low";
106
+ if (s === "ok") return "ok";
107
+ if (s === "skipped") return "skipped";
108
+ return "inconclusive";
109
+ }
110
+
111
+ function evidenceFromFinding(f: SecurityVerdict["findings"][number]): Record<string, unknown> {
112
+ return {
113
+ field: f.field,
114
+ payload: f.payload,
115
+ status: f.status,
116
+ echoed: f.echoed,
117
+ reason: f.reason,
118
+ ...(f.recommended_action ? { recommended_action: f.recommended_action } : {}),
119
+ };
120
+ }
121
+
122
+ function toProbeResult(sec: SecurityProbeResult): ProbeResult {
123
+ const endpoints: ProbeEndpointResult[] = sec.verdicts.map((v) => ({
124
+ path: v.path,
125
+ method: v.method,
126
+ classes_run: Array.from(new Set(v.detectedFields.map((d) => d.class))),
127
+ findings: v.findings.map((f) => ({
128
+ class: f.class,
129
+ severity:
130
+ f.severity === "inconclusive" || f.severity === "inconclusive-baseline"
131
+ ? "inconclusive"
132
+ : f.severity === "skipped"
133
+ ? "ok"
134
+ : f.severity === "info"
135
+ // ARV-253: ProbeFindingSeverity has no "info" tier. Collapse
136
+ // info → low for the public probe-result envelope; the digest
137
+ // / structured per-endpoint shape preserves the distinction.
138
+ ? "low"
139
+ : f.severity === "medium"
140
+ // ARV-254: ProbeFindingSeverity has no "medium" tier — collapse
141
+ // to "low" for the wire shape. MEDIUM is a digest-only severity
142
+ // marker (SSRF accept on endpoint declaring delivery, no OOB);
143
+ // by design it must NOT gate CI as a HIGH would.
144
+ ? "low"
145
+ : f.severity,
146
+ evidence: evidenceFromFinding(f),
147
+ })),
148
+ status: statusFromSeverity(v.severity),
149
+ ...(v.skipReason ? { skip_reason: v.skipReason } : {}),
150
+ }));
151
+ const by_status: Record<ProbeEndpointStatus, number> = {
152
+ ok: 0, high: 0, low: 0, inconclusive: 0, skipped: 0,
153
+ };
154
+ for (const ep of endpoints) by_status[ep.status]++;
155
+ return {
156
+ endpoints,
157
+ summary: {
158
+ totalEndpoints: sec.totalEndpoints,
159
+ probed: sec.specProbed,
160
+ by_status,
161
+ },
162
+ warnings: sec.warnings,
163
+ };
164
+ }
165
+
166
+ export class SecurityProbe implements Probe {
167
+ readonly name = "security";
168
+ readonly description =
169
+ "Live security probes: SSRF / CRLF / open-redirect. Spec-driven field detection + baseline-OK gate.";
170
+ readonly commonFlags = FLAGS;
171
+
172
+ async dryRun(ctx: ProbeContext): Promise<EndpointPlan[]> {
173
+ const classes = (ctx.classes ?? SECURITY_CLASSES) as SecurityClass[];
174
+ const isolated = ctx.options["isolated"] === true;
175
+ return planForSecurity(ctx, classes, isolated);
176
+ }
177
+
178
+ async run(ctx: ProbeContext): Promise<ProbeResult> {
179
+ const classes = (ctx.classes ?? SECURITY_CLASSES) as SecurityClass[];
180
+ const sec = await runSecurityProbes({
181
+ endpoints: ctx.endpoints,
182
+ securitySchemes: ctx.securitySchemes,
183
+ vars: ctx.vars,
184
+ classes,
185
+ noCleanup: ctx.options["noCleanup"] === true,
186
+ timeoutMs: typeof ctx.options["timeoutMs"] === "number" ? (ctx.options["timeoutMs"] as number) : undefined,
187
+ isolated: ctx.options["isolated"] === true,
188
+ });
189
+ const result = toProbeResult(sec);
190
+ // Pass through the raw sec result for legacy markdown rendering and
191
+ // for orphan-tracker consumers that need the full SecurityVerdict[].
192
+ result.extras = { raw: sec };
193
+ return result;
194
+ }
195
+
196
+ report(format: ProbeReportFormat, result: ProbeResult): string | object {
197
+ if (format === "markdown") {
198
+ const raw = (result.extras?.["raw"] as SecurityProbeResult | undefined);
199
+ if (raw) return formatSecurityDigest(raw, "");
200
+ return "(no markdown digest available)";
201
+ }
202
+ return {
203
+ endpoints: result.endpoints,
204
+ summary: result.summary,
205
+ };
206
+ }
207
+ }
@@ -0,0 +1,32 @@
1
+ /**
2
+ * Barrel re-export for `zond probe-security <classes>`.
3
+ *
4
+ * The probe pipeline lives in `./security/`:
5
+ * - types.ts — public types / interfaces
6
+ * - detectors.ts — field detectors + payload table
7
+ * - baseline.ts — baseline send + snapshot/restore (PUT/PATCH cleanup)
8
+ * - classify.ts — per-finding classification + echo detection
9
+ * - cleanup.ts — best-effort DELETE on stateful endpoints
10
+ * - digest.ts — markdown digest formatter
11
+ * - regression.ts — regression-suite YAML emission
12
+ * - orchestrator.ts — runSecurityProbes + probeOneEndpoint loop
13
+ *
14
+ * History: split out of a 1473-LOC monolith (ARV-295, 2026-05-18) to keep
15
+ * each concern in a focused file. The public API surface is unchanged.
16
+ */
17
+ export type {
18
+ SecurityClass,
19
+ SecuritySeverity,
20
+ SecurityFieldHit,
21
+ SecurityFinding,
22
+ SecurityVerdict,
23
+ SecurityProbeOptions,
24
+ CleanupFeasibility,
25
+ SecurityProbeResult,
26
+ } from "./security/types.ts";
27
+ export { SECURITY_CLASSES } from "./security/types.ts";
28
+ export { detectFields } from "./security/detectors.ts";
29
+ export { runSecurityProbes } from "./security/orchestrator.ts";
30
+ export { classifyEcho } from "./security/classify.ts";
31
+ export { formatSecurityDigest } from "./security/digest.ts";
32
+ export { emitSecurityRegressionSuites } from "./security/regression.ts";