@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -0,0 +1,531 @@
1
+ /**
2
+ * Shared helpers for probe generators (negative-probe, mass-assignment-probe).
3
+ */
4
+ import type { OpenAPIV3 } from "openapi-types";
5
+ import type { EndpointInfo, SecuritySchemeInfo } from "../generator/types.ts";
6
+
7
+ export function convertPath(path: string): string {
8
+ return path.replace(/\{([^}]+)\}/g, "{{$1}}");
9
+ }
10
+
11
+ function slugify(s: string): string {
12
+ return s
13
+ .toLowerCase()
14
+ .replace(/[^a-z0-9]+/g, "-")
15
+ .replace(/^-|-$/g, "");
16
+ }
17
+
18
+ /**
19
+ * Build a short, distinguishable alias for an OpenAPI path-param name —
20
+ * used to keep probe filenames readable when several `{...id}` segments
21
+ * collapse to the same `by-id` (TASK-159, m-9 P3).
22
+ *
23
+ * organization_id_or_slug → "org"
24
+ * project_id_or_slug → "proj"
25
+ * replay_id → "replay"
26
+ * userId → "user"
27
+ * foo → "foo"
28
+ * id → "id"
29
+ *
30
+ * The general rule: drop trailing `_id` / `_slug` / `_or_slug` /
31
+ * `Id` / `Slug`, then slugify and trim to the first segment. We also
32
+ * canonicalise a couple of common common SaaS-style names to short aliases
33
+ * (`organization` → `org`, `project` → `proj`).
34
+ */
35
+ export function placeholderAlias(rawName: string): string {
36
+ let name = rawName.trim();
37
+ // Strip the OpenAPI noisy suffixes.
38
+ name = name.replace(/_or_slug$/i, "");
39
+ name = name.replace(/(_id|_slug)$/i, "");
40
+ name = name.replace(/(Id|Slug)$/g, "");
41
+ const slug = slugify(name);
42
+ if (!slug || slug === "id") return "id";
43
+ // Canonical short aliases for frequent long names.
44
+ const canonical: Record<string, string> = {
45
+ organization: "org",
46
+ project: "proj",
47
+ repository: "repo",
48
+ environment: "env",
49
+ application: "app",
50
+ integration: "intg",
51
+ notification: "notif",
52
+ };
53
+ const first = slug.split("-")[0]!;
54
+ if (canonical[first]) return canonical[first];
55
+ // Fall back to the slug, capped at 12 chars so really long names don't
56
+ // blow up the filename.
57
+ return slug.length > 12 ? slug.slice(0, 12) : slug;
58
+ }
59
+
60
+ /**
61
+ * Replace every `{name}` segment in an OpenAPI path with `by-<alias>`,
62
+ * preserving placeholder identity (TASK-159).
63
+ */
64
+ export function pathWithByAliases(path: string): string {
65
+ return path.replace(/\{([^}]+)\}/g, (_, name) => `by-${placeholderAlias(name)}`);
66
+ }
67
+
68
+ export function endpointStem(ep: EndpointInfo): string {
69
+ const path = pathWithByAliases(ep.path)
70
+ .replace(/^\//, "")
71
+ .replace(/\//g, "-");
72
+ return slugify(`${ep.method.toLowerCase()}-${path}`);
73
+ }
74
+
75
+ export function getAuthHeaders(
76
+ ep: EndpointInfo,
77
+ schemes: SecuritySchemeInfo[],
78
+ tokenVarFor?: (s: SecuritySchemeInfo) => string,
79
+ ): Record<string, string> | undefined {
80
+ if (ep.security.length === 0) return undefined;
81
+ const tokenVar = (s: SecuritySchemeInfo) => tokenVarFor?.(s) ?? "auth_token";
82
+
83
+ // Prefer bearer / apiKey schemes over basic when an endpoint declares
84
+ // multiple alternatives (ARV-147). Stripe v1 publishes `security: [basicAuth,
85
+ // bearerAuth]` with both pointing at the same `auth_token` value, but
86
+ // basicAuth expects base64(user:password) — feeding it a raw `sk_test_…`
87
+ // produces a 401. zond request already hardcodes Bearer for this reason
88
+ // (send-request.ts TASK-231); the generator + probes now agree by walking
89
+ // ep.security twice: first looking for a non-basic match, then falling
90
+ // back to basic only if nothing else worked.
91
+ const tryScheme = (scheme: SecuritySchemeInfo): Record<string, string> | undefined => {
92
+ if (scheme.type === "http") {
93
+ if (scheme.scheme === "bearer" || !scheme.scheme) {
94
+ return { Authorization: `Bearer {{${tokenVar(scheme)}}}` };
95
+ }
96
+ if (scheme.scheme === "basic") {
97
+ return { Authorization: `Basic {{${tokenVar(scheme)}}}` };
98
+ }
99
+ }
100
+ if (scheme.type === "apiKey" && scheme.in === "header" && scheme.apiKeyName) {
101
+ if (scheme.apiKeyName === "Authorization") {
102
+ return { Authorization: `Bearer {{${tokenVar(scheme)}}}` };
103
+ }
104
+ return { [scheme.apiKeyName]: "{{api_key}}" };
105
+ }
106
+ return undefined;
107
+ };
108
+
109
+ const isBasic = (s: SecuritySchemeInfo): boolean =>
110
+ s.type === "http" && s.scheme === "basic";
111
+
112
+ // Pass 1: skip basic.
113
+ for (const secName of ep.security) {
114
+ const scheme = schemes.find((s) => s.name === secName);
115
+ if (!scheme || isBasic(scheme)) continue;
116
+ const headers = tryScheme(scheme);
117
+ if (headers) return headers;
118
+ }
119
+ // Pass 2: basic-only fallback.
120
+ for (const secName of ep.security) {
121
+ const scheme = schemes.find((s) => s.name === secName);
122
+ if (!scheme || !isBasic(scheme)) continue;
123
+ const headers = tryScheme(scheme);
124
+ if (headers) return headers;
125
+ }
126
+ return undefined;
127
+ }
128
+
129
+ /** Path with placeholders replaced by valid-but-nonexistent IDs. */
130
+ function pathWithPlaceholders(ep: EndpointInfo, badId: string): string {
131
+ return ep.path.replace(/\{([^}]+)\}/g, (_, name: string) => {
132
+ const param = ep.parameters.find((p) => p.name === name && p.in === "path");
133
+ const schema = param?.schema as OpenAPIV3.SchemaObject | undefined;
134
+ if (badId === "valid-shape") {
135
+ if (schema?.format === "uuid") return "00000000-0000-0000-0000-000000000000";
136
+ if (schema?.type === "integer" || schema?.type === "number") return "999999999";
137
+ return "nonexistent-zzzzz";
138
+ }
139
+ return badId;
140
+ });
141
+ }
142
+
143
+ /**
144
+ * Render a path for probe execution. The "attacked" param (if any) is replaced
145
+ * with `attacked.value`; remaining params are rendered as either runtime
146
+ * placeholders (`{{name}}`, resolved from `.env.yaml` by `zond run`) when
147
+ * `useRealParents=true`, or as synthetic-by-type sentinels in the legacy mode.
148
+ *
149
+ * The output is the final path string written into the YAML — no further
150
+ * `convertPath` pass is required (and would in fact corrupt the doubled
151
+ * braces).
152
+ *
153
+ * Why `useRealParents` exists (TASK-135 / m-8): probe-validation used to bake
154
+ * `nonexistent-zzzzz` into every parent path-param, which short-circuits to
155
+ * 404 on real APIs (e.g. `/orgs/zzzzz/repos/{repo}/commits` never reaches the
156
+ * `{repo}` validator). Using the real parent slug from the env restores
157
+ * recall — the API actually walks past the parent and starts validating the
158
+ * leaf, so 5xx bugs there become observable.
159
+ */
160
+ export function renderPath(
161
+ ep: EndpointInfo,
162
+ attacked: { name: string; value: string } | null,
163
+ opts: { useRealParents: boolean },
164
+ ): string {
165
+ return ep.path.replace(/\{([^}]+)\}/g, (_, name: string) => {
166
+ if (attacked && name === attacked.name) return attacked.value;
167
+ if (opts.useRealParents) return `{{${name}}}`;
168
+ const param = ep.parameters.find((p) => p.name === name && p.in === "path");
169
+ const schema = param?.schema as OpenAPIV3.SchemaObject | undefined;
170
+ if (schema?.format === "uuid") return "00000000-0000-0000-0000-000000000000";
171
+ if (schema?.type === "integer" || schema?.type === "number") return "999999999";
172
+ return "nonexistent-zzzzz";
173
+ });
174
+ }
175
+
176
+ /** ARV-244/ARV-245: percent-encode unsafe characters per path segment,
177
+ * preserving anything already percent-encoded (`%XX`). Slashes, the
178
+ * unreserved set, and a conservative slice of sub-delims are kept
179
+ * verbatim. Used both for orphan-cleanup DELETE URLs and paste-ready
180
+ * manual repro lines in the security-probe digest. */
181
+ export function encodePathForRepro(deletePath: string): string {
182
+ const SAFE = /[A-Za-z0-9._~!$&'()*+,;=:@-]/;
183
+ return deletePath
184
+ .split("/")
185
+ .map((segment) => {
186
+ if (segment.length === 0) return segment;
187
+ let out = "";
188
+ for (let i = 0; i < segment.length; i++) {
189
+ const ch = segment.charAt(i);
190
+ if (ch === "%" && /^[0-9A-Fa-f]{2}$/.test(segment.slice(i + 1, i + 3))) {
191
+ out += segment.slice(i, i + 3);
192
+ i += 2;
193
+ continue;
194
+ }
195
+ out += SAFE.test(ch) ? ch : encodeURIComponent(ch);
196
+ }
197
+ return out;
198
+ })
199
+ .join("/");
200
+ }
201
+
202
+ export function isMutating(method: string): boolean {
203
+ const m = method.toUpperCase();
204
+ return m === "POST" || m === "PUT" || m === "PATCH";
205
+ }
206
+
207
+ /**
208
+ * TASK-259: pre-run banner shown to stderr before any mutating probe runs
209
+ * on a live API. Lists the probe's name and reminds the user that:
210
+ * 1. resources will be created and deleted on the target;
211
+ * 2. seeded `.env.yaml` fixtures (slug/id/name) may go stale because
212
+ * probes may rename or replace them;
213
+ * 3. `--no-cleanup` keeps created resources around for inspection.
214
+ *
215
+ * Emits to stderr (not stdout) so it doesn't pollute --json envelopes or
216
+ * the Markdown digest. Suppressed when `quiet` is true (used in CI/JSON
217
+ * paths where the structured envelope already carries warnings).
218
+ */
219
+ export function printMutationBanner(
220
+ probeName: string,
221
+ vars: Record<string, string>,
222
+ opts?: { quiet?: boolean },
223
+ ): void {
224
+ if (opts?.quiet) return;
225
+ const fixtureKeys = Object.keys(vars).filter((k) =>
226
+ /(_id|_slug|_uuid|_name|_token)$/i.test(k) || /^(monitor|project|team|alert_rule|rule|organization)_id_or_slug$/.test(k),
227
+ );
228
+ const fixtureLine = fixtureKeys.length > 0
229
+ ? ` FK fixtures that may go stale: ${fixtureKeys.slice(0, 8).join(", ")}${fixtureKeys.length > 8 ? `, +${fixtureKeys.length - 8} more` : ""}\n`
230
+ : "";
231
+ process.stderr.write(
232
+ `\n` +
233
+ `⚠ ${probeName} mutates live data on the target API.\n` +
234
+ ` It creates and (by default) deletes resources via POST/PUT/PATCH/DELETE.\n` +
235
+ `${fixtureLine}` +
236
+ ` Recovery if FK fixtures change: re-run \`zond prepare-fixtures --api <name>\` to refresh \`.env.yaml\`.\n` +
237
+ ` Pass \`--no-cleanup\` to keep probe-created resources for inspection.\n` +
238
+ `\n`,
239
+ );
240
+ }
241
+
242
+ /**
243
+ * TASK-259: count probe verdicts whose cleanup DELETE was attempted but
244
+ * failed (network error, or 4xx other than 404). 404 is intentionally
245
+ * treated as success: the resource is gone, possibly already removed by
246
+ * the API itself or by the test under inspection. Used to surface an
247
+ * "N orphans, manual cleanup needed" line in the CLI summary.
248
+ */
249
+ /**
250
+ * TASK-264: does this OpenAPI path template have ANY `{param}` segment
251
+ * whose name matches a non-empty entry in `vars` (a seeded fixture)?
252
+ * Used by `--isolated` to gate PUT/PATCH/DELETE attacks.
253
+ *
254
+ * Permissive on the var-side: we treat `audience_id`, `audience-slug`,
255
+ * `audience` as the same fixture so spec-naming variations don't leak.
256
+ */
257
+ export function pathTouchesSeededVar(path: string, vars: Record<string, string>): boolean {
258
+ const placeholders = [...path.matchAll(/\{([^}]+)\}/g)].map(m => m[1]!);
259
+ if (placeholders.length === 0) return false;
260
+ const filledKeys = new Set(
261
+ Object.keys(vars).filter(k => {
262
+ const v = vars[k];
263
+ return typeof v === "string" && v.trim().length > 0;
264
+ }).map(k => k.toLowerCase().replace(/[-_]/g, "")),
265
+ );
266
+ for (const ph of placeholders) {
267
+ const norm = ph.toLowerCase().replace(/[-_]/g, "");
268
+ if (filledKeys.has(norm)) return true;
269
+ // Strip the OpenAPI noisy suffixes (e.g. `_id`, `_or_slug`) and try again.
270
+ const stripped = norm.replace(/(idorslug|orslug|id|slug)$/i, "");
271
+ if (stripped && filledKeys.has(stripped)) return true;
272
+ }
273
+ return false;
274
+ }
275
+
276
+ export function countCleanupFailures(
277
+ verdicts: Array<{ cleanup?: { attempted: boolean; status?: number; error?: string } }>,
278
+ ): number {
279
+ let n = 0;
280
+ for (const v of verdicts) {
281
+ const c = v.cleanup;
282
+ if (!c || !c.attempted) continue;
283
+ if (c.error) { n++; continue; }
284
+ if (c.status != null && c.status >= 400 && c.status !== 404) n++;
285
+ }
286
+ return n;
287
+ }
288
+
289
+ function escapeRegex(s: string): string {
290
+ return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
291
+ }
292
+
293
+ /**
294
+ * Strip a single trailing slash so `/keys/` and `/keys` compare equal.
295
+ * common SaaS-style APIs mix both forms; without this normalisation, the
296
+ * counterpart lookup misses on every collection that ends in `/`,
297
+ * leaking created resources during probe runs.
298
+ */
299
+ function stripTrailingSlash(p: string): string {
300
+ return p.length > 1 && p.endsWith("/") ? p.slice(0, -1) : p;
301
+ }
302
+
303
+ function pathsEqual(a: string, b: string): boolean {
304
+ return stripTrailingSlash(a) === stripTrailingSlash(b);
305
+ }
306
+
307
+ /**
308
+ * Find DELETE counterpart for resource-creating endpoint:
309
+ * - POST /collection → DELETE /collection/{id}
310
+ * - PUT /collection/{id} → DELETE /collection/{id}
311
+ * - PATCH /collection/{id} → DELETE /collection/{id}
312
+ *
313
+ * Trailing-slash tolerant on both sides (TASK-139-style fix carried
314
+ * into shared.ts after round-4 dogfooding showed a real-world `POST /keys/`
315
+ * leaked DSN keys because the regex required identical slash forms).
316
+ */
317
+ export function findDeleteCounterpart(
318
+ ep: EndpointInfo,
319
+ all: EndpointInfo[],
320
+ ): EndpointInfo | undefined {
321
+ const m = ep.method.toUpperCase();
322
+ const base = stripTrailingSlash(ep.path);
323
+ if (m === "POST") {
324
+ const re = new RegExp(`^${escapeRegex(base)}/\\{[^}]+\\}/?$`);
325
+ return all.find(e => e.method.toUpperCase() === "DELETE" && !e.deprecated && re.test(e.path));
326
+ }
327
+ if (m === "PUT" || m === "PATCH") {
328
+ return all.find(e => e.method.toUpperCase() === "DELETE" && !e.deprecated && pathsEqual(e.path, ep.path));
329
+ }
330
+ return undefined;
331
+ }
332
+
333
+ /**
334
+ * Find GET-by-id counterpart for follow-up reads after a mutating request:
335
+ * - POST /collection → GET /collection/{id}
336
+ * - PUT /collection/{id} → GET /collection/{id} (same path)
337
+ * - PATCH /collection/{id} → GET /collection/{id} (same path)
338
+ *
339
+ * See `findDeleteCounterpart` for the trailing-slash rationale.
340
+ */
341
+ export function findGetByIdCounterpart(
342
+ ep: EndpointInfo,
343
+ all: EndpointInfo[],
344
+ ): EndpointInfo | undefined {
345
+ const m = ep.method.toUpperCase();
346
+ const base = stripTrailingSlash(ep.path);
347
+ if (m === "POST") {
348
+ const re = new RegExp(`^${escapeRegex(base)}/\\{[^}]+\\}/?$`);
349
+ return all.find(e => e.method.toUpperCase() === "GET" && !e.deprecated && re.test(e.path));
350
+ }
351
+ if (m === "PUT" || m === "PATCH") {
352
+ return all.find(e => e.method.toUpperCase() === "GET" && !e.deprecated && pathsEqual(e.path, ep.path));
353
+ }
354
+ return undefined;
355
+ }
356
+
357
+ /** Pick the response field that holds the new resource's id. */
358
+ export function captureFieldFor(ep: EndpointInfo): string {
359
+ const success = ep.responses.find(r => r.statusCode >= 200 && r.statusCode < 300 && r.schema);
360
+ const schema = success?.schema;
361
+ if (schema?.properties) {
362
+ if ("id" in schema.properties) return "id";
363
+ for (const [name, propSchema] of Object.entries(schema.properties)) {
364
+ const s = propSchema as OpenAPIV3.SchemaObject;
365
+ if (s.type === "integer" || s.format === "uuid") return name;
366
+ }
367
+ }
368
+ return "id";
369
+ }
370
+
371
+ export function headersEqual(a: Record<string, string>, b: Record<string, string>): boolean {
372
+ const ka = Object.keys(a);
373
+ const kb = Object.keys(b);
374
+ if (ka.length !== kb.length) return false;
375
+ for (const k of ka) if (a[k] !== b[k]) return false;
376
+ return true;
377
+ }
378
+
379
+ /**
380
+ * Resolve auth headers with live values from `vars` (used by probe runtimes
381
+ * and path-discovery). Mirrors `getAuthHeaders` but produces concrete header
382
+ * values, not `{{auth_token}}` placeholders.
383
+ */
384
+ export function liveAuthHeaders(
385
+ ep: EndpointInfo,
386
+ schemes: SecuritySchemeInfo[],
387
+ vars: Record<string, string>,
388
+ ): Record<string, string> {
389
+ if (ep.security.length === 0) {
390
+ // ARV-218 (R15/F25): for bare specs (no components.securitySchemes,
391
+ // empty per-endpoint .security — GitHub publishes its OpenAPI this
392
+ // way), zond's workspace-level conventions still wire `auth_token`
393
+ // end-to-end (ARV-201 seeds it in .env.yaml; zond request — see
394
+ // resolveAdHocRequest — auto-attaches `Authorization: Bearer
395
+ // {{auth_token}}`). Mirror that fallback into the live-call path so
396
+ // probes (mass-assignment / security) and stateful create-steps don't
397
+ // 401 their baseline on these specs. Without this, the whole
398
+ // depth-pass on GitHub-style APIs stays unauth even after ARV-212
399
+ // emitted the suite-level Bearer header for `zond run`.
400
+ if (schemes.length === 0) {
401
+ const tok = vars["auth_token"];
402
+ if (typeof tok === "string" && tok.length > 0) {
403
+ return { Authorization: `Bearer ${tok}` };
404
+ }
405
+ }
406
+ return {};
407
+ }
408
+
409
+ // Two-pass walk: prefer bearer/apiKey over basic (ARV-148, mirrors the
410
+ // generator-side fix in `getAuthHeaders` above). Without this, every
411
+ // prepare-fixtures discover/seed request on Stripe-style APIs picks the
412
+ // first declared scheme (basicAuth) and ships the raw `sk_test_…` token
413
+ // as Basic Auth credentials → Stripe base64-decodes the garbage and
414
+ // returns 401 across 98/98 vars.
415
+ const tryScheme = (scheme: SecuritySchemeInfo): Record<string, string> | undefined => {
416
+ if (scheme.type === "http") {
417
+ if (scheme.scheme === "bearer" || !scheme.scheme) {
418
+ const tok = vars["auth_token"];
419
+ if (tok) return { Authorization: `Bearer ${tok}` };
420
+ }
421
+ if (scheme.scheme === "basic") {
422
+ const tok = vars["auth_token"];
423
+ if (tok) return { Authorization: `Basic ${tok}` };
424
+ }
425
+ }
426
+ if (scheme.type === "apiKey" && scheme.in === "header" && scheme.apiKeyName) {
427
+ if (scheme.apiKeyName === "Authorization") {
428
+ const tok = vars["auth_token"];
429
+ if (tok) return { Authorization: `Bearer ${tok}` };
430
+ }
431
+ const key = vars["api_key"];
432
+ if (key) return { [scheme.apiKeyName]: key };
433
+ }
434
+ return undefined;
435
+ };
436
+
437
+ const isBasic = (s: SecuritySchemeInfo): boolean =>
438
+ s.type === "http" && s.scheme === "basic";
439
+
440
+ // Pass 1: skip basic.
441
+ for (const secName of ep.security) {
442
+ const scheme = schemes.find(s => s.name === secName);
443
+ if (!scheme || isBasic(scheme)) continue;
444
+ const headers = tryScheme(scheme);
445
+ if (headers) return headers;
446
+ }
447
+ // Pass 2: basic fallback.
448
+ for (const secName of ep.security) {
449
+ const scheme = schemes.find(s => s.name === secName);
450
+ if (!scheme || !isBasic(scheme)) continue;
451
+ const headers = tryScheme(scheme);
452
+ if (headers) return headers;
453
+ }
454
+ return {};
455
+ }
456
+
457
+ // ──────────────────────────────────────────────
458
+ // ARV-153: semantic classification of POST operations
459
+ // ──────────────────────────────────────────────
460
+
461
+ /**
462
+ * ARV-153: action verbs that, when they appear as the last path segment,
463
+ * mark a POST as "operates on an existing resource" rather than
464
+ * "allocates a new one". A DELETE counterpart is meaningless for these —
465
+ * there's nothing to delete because nothing new was created.
466
+ *
467
+ * Examples that fit this pattern:
468
+ * POST /v1/charges/{id}/capture
469
+ * POST /v1/customers/{id}/sources/{src}/verify
470
+ * POST /v1/payment_intents/{id}/cancel
471
+ * POST /v1/users/{id}/activate
472
+ * POST /api/messages/{id}/resend
473
+ *
474
+ * Compound forms ("mark-as-read", "send-email", "verify-otp") are also
475
+ * recognised — we look at the first slug segment ("mark", "send", "verify").
476
+ *
477
+ * Conservative on purpose: a misclassified create-resource attacked without
478
+ * cleanup leaks. Verbs that double as nouns ("filter", "lock"…) are kept
479
+ * out; add only when a real-world spec proves the false-positive risk is
480
+ * lower than the recall win.
481
+ */
482
+ const ACTION_VERBS = new Set([
483
+ "accept", "acknowledge", "activate", "approve", "archive", "attach",
484
+ "cancel", "capture", "check", "claim", "clone", "close", "complete",
485
+ "confirm", "copy", "deactivate", "decline", "decrypt", "demote", "deploy",
486
+ "detach", "disable", "disconnect", "dismiss", "dispatch", "duplicate",
487
+ "enable", "encrypt", "execute", "expire", "export", "fail", "finalize",
488
+ "fork", "ignore", "import", "invalidate", "invite", "link", "lookup",
489
+ "merge", "mute", "notify", "pause", "ping", "preview", "process",
490
+ "promote", "publish", "purge", "queue", "reactivate", "rebuild", "redeem",
491
+ "refresh", "refund", "register", "reject", "release", "remind",
492
+ "render", "renew", "reopen", "report", "reprocess", "request", "resend",
493
+ "reset", "resolve", "restart", "restore", "resubmit", "resume", "retry",
494
+ "revert", "review", "revoke", "rollback", "rotate", "run", "schedule",
495
+ "search", "send", "settle", "share", "snooze", "start", "stop", "submit",
496
+ "subscribe", "suspend", "swap", "sync", "test", "transfer", "trigger",
497
+ "unarchive", "unassign", "unblock", "unlink", "unlock", "unmute",
498
+ "unpublish", "unshare", "unsubscribe", "unsuspend", "validate", "verify",
499
+ "void", "withdraw",
500
+ ]);
501
+
502
+ export type PostSemantics = "action" | "create-resource" | "unknown";
503
+
504
+ /** ARV-153: classify a POST endpoint by looking at the last path segment.
505
+ * Returns "action" when the verb at the tail clearly identifies the
506
+ * operation as a side-effecting verb against an existing resource (no
507
+ * new resource allocated → no DELETE counterpart needed). Conservative:
508
+ * unknown verbs fall back to "create-resource", which keeps the existing
509
+ * cleanup-feasibility gate intact for safety. */
510
+ export function classifyPostSemantics(ep: EndpointInfo): PostSemantics {
511
+ if (ep.method.toUpperCase() !== "POST") return "unknown";
512
+ const segments = ep.path.split("/").filter(Boolean);
513
+ if (segments.length === 0) return "unknown";
514
+ const last = segments[segments.length - 1]!.toLowerCase();
515
+ if (last.startsWith("{")) return "unknown";
516
+ if (ACTION_VERBS.has(last)) return "action";
517
+ // Compound action forms: "mark-as-read", "send-email", "verify-otp",
518
+ // "request_reset", "do.export". Use first slug as the verb candidate.
519
+ const head = last.split(/[-_.]/)[0]!;
520
+ if (head && ACTION_VERBS.has(head)) return "action";
521
+ return "create-resource";
522
+ }
523
+
524
+ export function hasJsonBody(ep: EndpointInfo): boolean {
525
+ return (
526
+ ep.method !== "GET" &&
527
+ ep.method !== "DELETE" &&
528
+ ep.requestBodyContentType === "application/json" &&
529
+ ep.requestBodySchema !== undefined
530
+ );
531
+ }
@@ -0,0 +1,125 @@
1
+ /**
2
+ * `StaticProbe` — Probe-contract wrapper around the static-input probe
3
+ * generators (validation + methods) (m-17 / ARV-49).
4
+ *
5
+ * Static probes don't make HTTP calls — they emit YAML suites the user
6
+ * later runs through `zond run`. dryRun lists the endpoints + classes
7
+ * that would have suites generated; run() invokes the generators and
8
+ * returns the produced files via `extras` (the CLI handler is
9
+ * responsible for writing them — see `probe-static.ts`). This keeps
10
+ * static under the same Probe contract as live probes (ARV-49 #3)
11
+ * without forcing an artificial dry-run / run distinction the
12
+ * generator never had.
13
+ */
14
+ import type { Probe, ProbeContext, ProbeFlags, EndpointPlan, ProbeResult, ProbeReportFormat, ProbeEndpointResult } from "./types.ts";
15
+ import { generateNegativeProbes } from "./negative-probe.ts";
16
+ import { generateMethodProbes } from "./method-probe.ts";
17
+
18
+ const ALL_CLASSES = ["validation", "methods"] as const;
19
+ type StaticClass = typeof ALL_CLASSES[number];
20
+
21
+ const FLAGS: ProbeFlags = {
22
+ api: true,
23
+ tag: true,
24
+ include: true,
25
+ exclude: true,
26
+ // Static probes have no live mode — dry-run vs run is not meaningful.
27
+ // The interface still requires the slot; we expose it as a no-op
28
+ // (`dryRun` returns the same list `run` would produce, just without
29
+ // writing files).
30
+ dryRun: false,
31
+ listTags: true,
32
+ json: true,
33
+ output: true,
34
+ report: true,
35
+ };
36
+
37
+ function classesFromCtx(ctx: ProbeContext): StaticClass[] {
38
+ const raw = ctx.classes ?? [...ALL_CLASSES];
39
+ return raw.filter((c): c is StaticClass => c === "validation" || c === "methods");
40
+ }
41
+
42
+ export class StaticProbe implements Probe {
43
+ readonly name = "static";
44
+ readonly description =
45
+ "Generate static-input probe suites: validation (bogus types/values) + methods (undeclared HTTP methods). Spec-only; no live traffic.";
46
+ readonly commonFlags = FLAGS;
47
+
48
+ async dryRun(ctx: ProbeContext): Promise<EndpointPlan[]> {
49
+ const classes = classesFromCtx(ctx);
50
+ return ctx.endpoints.map((ep) => ({
51
+ path: ep.path,
52
+ method: ep.method.toUpperCase(),
53
+ planned: true,
54
+ classes_planned: [...classes],
55
+ fields_planned: [],
56
+ skip_reason: null,
57
+ }));
58
+ }
59
+
60
+ async run(ctx: ProbeContext): Promise<ProbeResult> {
61
+ const classes = classesFromCtx(ctx);
62
+ const include: StaticClass[] = classes;
63
+
64
+ const endpoints: ProbeEndpointResult[] = [];
65
+ let totalProbes = 0;
66
+ const warnings: string[] = [];
67
+ const suitesPerClass: Record<string, unknown> = {};
68
+
69
+ if (include.includes("validation")) {
70
+ const r = generateNegativeProbes({
71
+ endpoints: ctx.endpoints,
72
+ securitySchemes: ctx.securitySchemes,
73
+ maxProbesPerEndpoint: ctx.options["maxPerEndpoint"] as number | undefined,
74
+ noCleanup: ctx.options["noCleanup"] === true,
75
+ useRealParents: ctx.options["useRealParents"] !== false,
76
+ });
77
+ suitesPerClass["validation"] = {
78
+ suites: r.suites,
79
+ probedEndpoints: r.probedEndpoints,
80
+ skippedEndpoints: r.skippedEndpoints,
81
+ totalProbes: r.totalProbes,
82
+ warnings: r.warnings,
83
+ };
84
+ totalProbes += r.totalProbes;
85
+ for (const w of r.warnings) warnings.push(w);
86
+ }
87
+
88
+ if (include.includes("methods")) {
89
+ const r = generateMethodProbes({
90
+ endpoints: ctx.endpoints,
91
+ securitySchemes: ctx.securitySchemes,
92
+ });
93
+ suitesPerClass["methods"] = {
94
+ suites: r.suites,
95
+ probedPaths: r.probedPaths,
96
+ skippedPaths: r.skippedPaths,
97
+ totalProbes: r.totalProbes,
98
+ };
99
+ totalProbes += r.totalProbes;
100
+ }
101
+
102
+ return {
103
+ endpoints,
104
+ summary: {
105
+ totalEndpoints: ctx.endpoints.length,
106
+ probed: ctx.endpoints.length,
107
+ by_status: { ok: ctx.endpoints.length, high: 0, low: 0, inconclusive: 0, skipped: 0 },
108
+ },
109
+ warnings,
110
+ extras: { classes: include, suites: suitesPerClass, totalProbes },
111
+ };
112
+ }
113
+
114
+ report(format: ProbeReportFormat, result: ProbeResult): string | object {
115
+ if (format === "markdown") {
116
+ const totalProbes = (result.extras?.["totalProbes"] as number) ?? 0;
117
+ const classes = (result.extras?.["classes"] as string[]) ?? [];
118
+ return `Generated ${totalProbes} static-input probe(s) for class(es): ${classes.join(", ")}`;
119
+ }
120
+ return {
121
+ summary: result.summary,
122
+ ...(result.extras ?? {}),
123
+ };
124
+ }
125
+ }