@kirrosh/zond 0.22.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +811 -0
  2. package/README.md +59 -6
  3. package/package.json +9 -7
  4. package/src/CLAUDE.md +112 -0
  5. package/src/cli/argv.ts +122 -0
  6. package/src/cli/commands/add-api.ts +146 -0
  7. package/src/cli/commands/api/annotate/idempotency.ts +59 -0
  8. package/src/cli/commands/api/annotate/index.ts +880 -0
  9. package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
  10. package/src/cli/commands/api/annotate/overlay.ts +206 -0
  11. package/src/cli/commands/api/annotate/pagination.ts +64 -0
  12. package/src/cli/commands/api/annotate/prompts.ts +220 -0
  13. package/src/cli/commands/api/annotate/readback.ts +58 -0
  14. package/src/cli/commands/api/annotate/resources.ts +91 -0
  15. package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
  16. package/src/cli/commands/audit.ts +786 -0
  17. package/src/cli/commands/catalog.ts +35 -0
  18. package/src/cli/commands/check.ts +361 -0
  19. package/src/cli/commands/checks.ts +1072 -0
  20. package/src/cli/commands/ci-init.ts +43 -0
  21. package/src/cli/commands/clean.ts +212 -0
  22. package/src/cli/commands/cleanup.ts +236 -0
  23. package/src/cli/commands/completions.ts +16 -0
  24. package/src/cli/commands/coverage.ts +823 -132
  25. package/src/cli/commands/db.ts +486 -12
  26. package/src/cli/commands/describe.ts +37 -2
  27. package/src/cli/commands/discover.ts +1356 -0
  28. package/src/cli/commands/doctor.ts +661 -0
  29. package/src/cli/commands/fixtures.ts +402 -0
  30. package/src/cli/commands/generate.ts +438 -47
  31. package/src/cli/commands/init/bootstrap.ts +34 -2
  32. package/src/cli/commands/{init.ts → init/index.ts} +99 -5
  33. package/src/cli/commands/init/skills.ts +99 -3
  34. package/src/cli/commands/init/templates/agents.md +77 -64
  35. package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
  36. package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
  37. package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
  38. package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
  39. package/src/cli/commands/init/templates/skills/zond.md +802 -125
  40. package/src/cli/commands/init/templates/zond-config.yml +8 -9
  41. package/src/cli/commands/prepare-fixtures.ts +97 -0
  42. package/src/cli/commands/probe/_seed-bodies.ts +52 -0
  43. package/src/cli/commands/probe/mass-assignment.ts +594 -0
  44. package/src/cli/commands/probe/security.ts +537 -0
  45. package/src/cli/commands/probe/static.ts +255 -0
  46. package/src/cli/commands/probe/webhooks.ts +163 -0
  47. package/src/cli/commands/probe.ts +535 -0
  48. package/src/cli/commands/reference.ts +87 -0
  49. package/src/cli/commands/refresh-api.ts +227 -0
  50. package/src/cli/commands/remove-api.ts +150 -0
  51. package/src/cli/commands/report-bundle.ts +310 -0
  52. package/src/cli/commands/report.ts +241 -0
  53. package/src/cli/commands/request.ts +495 -4
  54. package/src/cli/commands/run.ts +870 -53
  55. package/src/cli/commands/schema-from-runs.ts +128 -0
  56. package/src/cli/commands/secrets.ts +133 -0
  57. package/src/cli/commands/session.ts +244 -0
  58. package/src/cli/commands/use.ts +18 -1
  59. package/src/cli/index.ts +20 -3
  60. package/src/cli/json-envelope.ts +92 -3
  61. package/src/cli/json-schemas.ts +314 -0
  62. package/src/cli/output.ts +17 -1
  63. package/src/cli/program.ts +199 -635
  64. package/src/cli/resolve.ts +105 -0
  65. package/src/cli/safe-live.ts +24 -0
  66. package/src/cli/status-filter.ts +114 -0
  67. package/src/cli/util/api-context.ts +85 -0
  68. package/src/cli/version.ts +5 -0
  69. package/src/core/audit/persist.ts +183 -0
  70. package/src/core/checks/budget.ts +59 -0
  71. package/src/core/checks/checks/_crud-helpers.ts +133 -0
  72. package/src/core/checks/checks/_negative_mutator.ts +133 -0
  73. package/src/core/checks/checks/_readback-helpers.ts +133 -0
  74. package/src/core/checks/checks/content_type_conformance.ts +39 -0
  75. package/src/core/checks/checks/cross_call_references.ts +147 -0
  76. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
  77. package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
  78. package/src/core/checks/checks/idempotency_replay.ts +242 -0
  79. package/src/core/checks/checks/ignored_auth.ts +254 -0
  80. package/src/core/checks/checks/index.ts +68 -0
  81. package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
  82. package/src/core/checks/checks/missing_required_header.ts +40 -0
  83. package/src/core/checks/checks/negative_data_rejection.ts +148 -0
  84. package/src/core/checks/checks/not_a_server_error.ts +35 -0
  85. package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
  86. package/src/core/checks/checks/pagination_invariants.ts +419 -0
  87. package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
  88. package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
  89. package/src/core/checks/checks/response_headers_conformance.ts +74 -0
  90. package/src/core/checks/checks/response_schema_conformance.ts +30 -0
  91. package/src/core/checks/checks/status_code_conformance.ts +132 -0
  92. package/src/core/checks/checks/unsupported_method.ts +63 -0
  93. package/src/core/checks/checks/use_after_free.ts +78 -0
  94. package/src/core/checks/index.ts +30 -0
  95. package/src/core/checks/mode.ts +82 -0
  96. package/src/core/checks/recommended-action.ts +68 -0
  97. package/src/core/checks/registry.ts +78 -0
  98. package/src/core/checks/runner.ts +1461 -0
  99. package/src/core/checks/sarif.ts +230 -0
  100. package/src/core/checks/spec-findings.ts +308 -0
  101. package/src/core/checks/stateful.ts +121 -0
  102. package/src/core/checks/types.ts +305 -0
  103. package/src/core/checks/zond-extensions.ts +73 -0
  104. package/src/core/classifier/recommended-action.ts +251 -0
  105. package/src/core/context/current.ts +22 -6
  106. package/src/core/context/session.ts +78 -0
  107. package/src/core/coverage/loader.ts +216 -0
  108. package/src/core/coverage/reasons.ts +300 -0
  109. package/src/core/diagnostics/db-analysis.ts +293 -59
  110. package/src/core/diagnostics/failure-class.ts +140 -0
  111. package/src/core/diagnostics/failure-hints.ts +88 -89
  112. package/src/core/diagnostics/spec-pointer.ts +99 -0
  113. package/src/core/diagnostics/suggested-fixes.ts +155 -0
  114. package/src/core/exporter/case-study/index.ts +270 -0
  115. package/src/core/exporter/curl.ts +40 -0
  116. package/src/core/exporter/exporter.ts +48 -0
  117. package/src/core/exporter/html-report/escape.ts +24 -0
  118. package/src/core/exporter/html-report/index.ts +479 -0
  119. package/src/core/exporter/html-report/script.ts +100 -0
  120. package/src/core/exporter/html-report/styles.ts +408 -0
  121. package/src/core/generator/chunker.ts +38 -19
  122. package/src/core/generator/coverage-phase.ts +0 -0
  123. package/src/core/generator/data-factory.ts +586 -22
  124. package/src/core/generator/describe.ts +1 -1
  125. package/src/core/generator/fixtures-builder.ts +332 -0
  126. package/src/core/generator/index.ts +5 -5
  127. package/src/core/generator/openapi-reader.ts +135 -7
  128. package/src/core/generator/path-param-disambig.ts +140 -0
  129. package/src/core/generator/resources-builder.ts +898 -0
  130. package/src/core/generator/schema-utils.ts +33 -3
  131. package/src/core/generator/serializer.ts +103 -13
  132. package/src/core/generator/suite-generator.ts +583 -122
  133. package/src/core/generator/types.ts +14 -0
  134. package/src/core/identity/identity-file.ts +0 -0
  135. package/src/core/lint/affects.ts +28 -0
  136. package/src/core/lint/config.ts +96 -0
  137. package/src/core/lint/format.ts +42 -0
  138. package/src/core/lint/index.ts +94 -0
  139. package/src/core/lint/reporter.ts +128 -0
  140. package/src/core/lint/rules/consistency.ts +158 -0
  141. package/src/core/lint/rules/heuristics.ts +97 -0
  142. package/src/core/lint/rules/strictness.ts +109 -0
  143. package/src/core/lint/types.ts +96 -0
  144. package/src/core/lint/walker.ts +248 -0
  145. package/src/core/meta/meta-store.ts +6 -73
  146. package/src/core/output/README.md +73 -0
  147. package/src/core/output/index.ts +13 -0
  148. package/src/core/output/run.ts +91 -0
  149. package/src/core/output/types.ts +122 -0
  150. package/src/core/parser/dynamic-values.ts +160 -0
  151. package/src/core/parser/env-interpolation.ts +104 -0
  152. package/src/core/parser/filter.ts +57 -0
  153. package/src/core/parser/schema.ts +129 -4
  154. package/src/core/parser/types.ts +19 -1
  155. package/src/core/parser/variables.ts +0 -0
  156. package/src/core/parser/yaml-parser.ts +58 -12
  157. package/src/core/probe/bootstrap.ts +34 -0
  158. package/src/core/probe/dry-run-envelope.ts +61 -0
  159. package/src/core/probe/mass-assignment/classify.ts +175 -0
  160. package/src/core/probe/mass-assignment/cleanup.ts +52 -0
  161. package/src/core/probe/mass-assignment/digest.ts +114 -0
  162. package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
  163. package/src/core/probe/mass-assignment/regression.ts +141 -0
  164. package/src/core/probe/mass-assignment/suspects.ts +92 -0
  165. package/src/core/probe/mass-assignment/types.ts +135 -0
  166. package/src/core/probe/mass-assignment-probe-class.ts +198 -0
  167. package/src/core/probe/mass-assignment-probe.ts +27 -0
  168. package/src/core/probe/mass-assignment-template.ts +240 -0
  169. package/src/core/probe/method-probe.ts +43 -76
  170. package/src/core/probe/method-shared.ts +69 -0
  171. package/src/core/probe/negative-probe.ts +183 -149
  172. package/src/core/probe/orphan-tracker.ts +188 -0
  173. package/src/core/probe/path-discovery.ts +439 -0
  174. package/src/core/probe/probe-harness.ts +119 -0
  175. package/src/core/probe/registry.ts +89 -0
  176. package/src/core/probe/runner.ts +136 -0
  177. package/src/core/probe/security/baseline.ts +174 -0
  178. package/src/core/probe/security/classify.ts +341 -0
  179. package/src/core/probe/security/cleanup.ts +125 -0
  180. package/src/core/probe/security/detectors.ts +71 -0
  181. package/src/core/probe/security/digest.ts +104 -0
  182. package/src/core/probe/security/orchestrator.ts +398 -0
  183. package/src/core/probe/security/regression.ts +103 -0
  184. package/src/core/probe/security/types.ts +151 -0
  185. package/src/core/probe/security-probe-class.ts +207 -0
  186. package/src/core/probe/security-probe.ts +32 -0
  187. package/src/core/probe/shared.ts +531 -0
  188. package/src/core/probe/static-probe-class.ts +125 -0
  189. package/src/core/probe/types.ts +165 -0
  190. package/src/core/probe/verdict-aggregator.ts +33 -0
  191. package/src/core/probe/webhooks-probe.ts +282 -0
  192. package/src/core/reporter/console.ts +41 -2
  193. package/src/core/reporter/index.ts +2 -3
  194. package/src/core/reporter/json.ts +11 -1
  195. package/src/core/reporter/junit.ts +27 -12
  196. package/src/core/reporter/ndjson.ts +37 -0
  197. package/src/core/reporter/types.ts +3 -0
  198. package/src/core/runner/assertions.ts +59 -2
  199. package/src/core/runner/async-pool.ts +108 -0
  200. package/src/core/runner/auth-path.ts +8 -0
  201. package/src/core/runner/ci-context.ts +72 -0
  202. package/src/core/runner/executor.ts +265 -36
  203. package/src/core/runner/form-encode.ts +41 -0
  204. package/src/core/runner/http-client.ts +112 -2
  205. package/src/core/runner/learn-drift.ts +293 -0
  206. package/src/core/runner/preflight-vars.ts +153 -0
  207. package/src/core/runner/progress-tracker.ts +73 -0
  208. package/src/core/runner/rate-limiter.ts +87 -33
  209. package/src/core/runner/run-kind.ts +45 -0
  210. package/src/core/runner/schema-validator.ts +308 -0
  211. package/src/core/runner/send-request.ts +158 -20
  212. package/src/core/runner/types.ts +44 -0
  213. package/src/core/secrets/registry.ts +164 -0
  214. package/src/core/secrets/secrets-file.ts +115 -0
  215. package/src/core/selectors/operation-filter.ts +144 -0
  216. package/src/core/setup-api.ts +457 -20
  217. package/src/core/severity/category.ts +94 -0
  218. package/src/core/severity/index.ts +58 -0
  219. package/src/core/spec/infer-schema.ts +102 -0
  220. package/src/core/spec/layers.ts +154 -0
  221. package/src/core/spec/merge-specs.ts +156 -0
  222. package/src/core/spec/schema-from-runs.ts +117 -0
  223. package/src/core/spec/schema-overlay.ts +130 -0
  224. package/src/core/util/ajv.ts +13 -0
  225. package/src/core/util/format-eta.ts +21 -0
  226. package/src/core/util/headers.ts +9 -0
  227. package/src/core/util/url.ts +24 -0
  228. package/src/core/utils.ts +5 -1
  229. package/src/core/workspace/config.ts +129 -0
  230. package/src/core/workspace/fixture-gap-report.ts +84 -0
  231. package/src/core/workspace/fixture-gaps.ts +71 -0
  232. package/src/core/workspace/manifest.ts +283 -0
  233. package/src/core/workspace/output-rotation.ts +62 -0
  234. package/src/core/workspace/root.ts +13 -11
  235. package/src/core/workspace/triage-path.ts +87 -0
  236. package/src/db/lint-runs.ts +47 -0
  237. package/src/db/migrate.ts +128 -0
  238. package/src/db/migrations/0001_run_kind.sql +25 -0
  239. package/src/db/migrations/0002_run_kind_request.sql +59 -0
  240. package/src/db/migrations/sql.d.ts +4 -0
  241. package/src/db/queries/collections.ts +133 -0
  242. package/src/db/queries/coverage.ts +9 -0
  243. package/src/db/queries/dashboard.ts +59 -0
  244. package/src/db/queries/results.ts +216 -0
  245. package/src/db/queries/runs.ts +289 -0
  246. package/src/db/queries/sessions.ts +42 -0
  247. package/src/db/queries/settings.ts +28 -0
  248. package/src/db/queries/types.ts +172 -0
  249. package/src/db/queries.ts +75 -802
  250. package/src/db/schema.ts +178 -50
  251. package/src/cli/commands/export.ts +0 -144
  252. package/src/cli/commands/guide.ts +0 -127
  253. package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
  254. package/src/cli/commands/probe-methods.ts +0 -108
  255. package/src/cli/commands/probe-validation.ts +0 -124
  256. package/src/cli/commands/serve.ts +0 -114
  257. package/src/cli/commands/sync.ts +0 -268
  258. package/src/cli/commands/update.ts +0 -189
  259. package/src/cli/commands/validate.ts +0 -34
  260. package/src/core/diagnostics/render-md.ts +0 -112
  261. package/src/core/exporter/postman.ts +0 -963
  262. package/src/core/generator/guide-builder.ts +0 -253
  263. package/src/core/meta/types.ts +0 -19
  264. package/src/core/parser/index.ts +0 -21
  265. package/src/core/runner/execute-run.ts +0 -132
  266. package/src/core/runner/index.ts +0 -12
  267. package/src/core/sync/spec-differ.ts +0 -38
  268. package/src/web/data/collection-state.ts +0 -362
  269. package/src/web/routes/api.ts +0 -314
  270. package/src/web/routes/dashboard.ts +0 -350
  271. package/src/web/routes/runs.ts +0 -64
  272. package/src/web/schemas.ts +0 -121
  273. package/src/web/server.ts +0 -134
  274. package/src/web/static/htmx.min.cjs +0 -1
  275. package/src/web/static/style.css +0 -1148
  276. package/src/web/views/endpoints-tab.ts +0 -174
  277. package/src/web/views/explorer-tab.ts +0 -402
  278. package/src/web/views/health-strip.ts +0 -92
  279. package/src/web/views/layout.ts +0 -48
  280. package/src/web/views/results.ts +0 -210
  281. package/src/web/views/runs-tab.ts +0 -126
  282. package/src/web/views/suites-tab.ts +0 -181
@@ -0,0 +1,59 @@
1
+ -- ARV-265 (m-22): extend `runs.run_kind` CHECK constraint to include
2
+ -- 'request' (zond request in-session) and 'fixture' (prepare-fixtures
3
+ -- cascade list-calls), so audit-coverage can attribute HTTP touches
4
+ -- back to those producers.
5
+ --
6
+ -- The CHECK constraint can't be added with ALTER TABLE in SQLite. Bun's
7
+ -- bun:sqlite also locks `sqlite_master` against direct UPDATEs, so the
8
+ -- usual `PRAGMA writable_schema=1` rewrite is rejected. We use the
9
+ -- canonical SQLite 12-step rebuild: create a parallel table with the
10
+ -- new constraint, copy rows over, drop the old, rename.
11
+ --
12
+ -- The migration runner wraps this in a transaction. FK references from
13
+ -- `results.run_id` to `runs(id)` survive the DROP+RENAME because SQLite
14
+ -- resolves FK targets by name at row-modification time, not at table
15
+ -- definition time — when the new `runs` ends up with the same name the
16
+ -- soft reference is reattached transparently. Indexes are explicitly
17
+ -- recreated post-rename (they don't survive a DROP).
18
+
19
+ CREATE TABLE runs_new (
20
+ id INTEGER PRIMARY KEY AUTOINCREMENT,
21
+ started_at TEXT NOT NULL,
22
+ finished_at TEXT,
23
+ total INTEGER NOT NULL DEFAULT 0,
24
+ passed INTEGER NOT NULL DEFAULT 0,
25
+ failed INTEGER NOT NULL DEFAULT 0,
26
+ skipped INTEGER NOT NULL DEFAULT 0,
27
+ trigger TEXT DEFAULT 'manual',
28
+ commit_sha TEXT,
29
+ branch TEXT,
30
+ environment TEXT,
31
+ duration_ms INTEGER,
32
+ collection_id INTEGER REFERENCES collections(id),
33
+ session_id TEXT,
34
+ tags TEXT,
35
+ run_kind TEXT NOT NULL DEFAULT 'regular'
36
+ CHECK (run_kind IN ('regular','probe','check','request','fixture'))
37
+ );
38
+
39
+ INSERT INTO runs_new (
40
+ id, started_at, finished_at, total, passed, failed, skipped, trigger,
41
+ commit_sha, branch, environment, duration_ms, collection_id, session_id,
42
+ tags, run_kind
43
+ )
44
+ SELECT
45
+ id, started_at, finished_at, total, passed, failed, skipped, trigger,
46
+ commit_sha, branch, environment, duration_ms, collection_id, session_id,
47
+ tags,
48
+ CASE
49
+ WHEN run_kind IN ('regular','probe','check','request','fixture') THEN run_kind
50
+ ELSE 'regular'
51
+ END
52
+ FROM runs;
53
+
54
+ DROP TABLE runs;
55
+ ALTER TABLE runs_new RENAME TO runs;
56
+
57
+ CREATE INDEX IF NOT EXISTS idx_runs_started ON runs(started_at DESC);
58
+ CREATE INDEX IF NOT EXISTS idx_runs_collection ON runs(collection_id);
59
+ CREATE INDEX IF NOT EXISTS idx_runs_session ON runs(session_id, started_at DESC);
@@ -0,0 +1,4 @@
1
+ declare module "*.sql" {
2
+ const content: string;
3
+ export default content;
4
+ }
@@ -0,0 +1,133 @@
1
+ import { getDb } from "../schema.ts";
2
+ import {
3
+ normalizePath,
4
+ type CollectionRecord,
5
+ type CollectionSummary,
6
+ type CreateCollectionOpts,
7
+ type RunRecord,
8
+ } from "./types.ts";
9
+
10
+ export function createCollection(opts: CreateCollectionOpts): number {
11
+ const db = getDb();
12
+ const stmt = db.prepare(`
13
+ INSERT INTO collections (name, base_dir, test_path, openapi_spec)
14
+ VALUES ($name, $base_dir, $test_path, $openapi_spec)
15
+ `);
16
+ const result = stmt.run({
17
+ $name: opts.name,
18
+ $base_dir: opts.base_dir ?? null,
19
+ $test_path: opts.test_path,
20
+ $openapi_spec: opts.openapi_spec ?? null,
21
+ });
22
+ return Number(result.lastInsertRowid);
23
+ }
24
+
25
+ export function getCollectionById(id: number): CollectionRecord | null {
26
+ const db = getDb();
27
+ return db.query("SELECT * FROM collections WHERE id = ?").get(id) as CollectionRecord | null;
28
+ }
29
+
30
+ export function getLatestRunByCollection(
31
+ collectionId: number,
32
+ opts: { runKind?: import("../../core/runner/run-kind.ts").RunKind | "any" } = {},
33
+ ): RunRecord | null {
34
+ const db = getDb();
35
+ // ARV-55: 'regular' is the default so coverage skips probe-only runs
36
+ // without an explicit predicate. 'any' opts back into the legacy
37
+ // behaviour (used by `coverage`'s probe-run hint logic).
38
+ const kind = opts.runKind ?? "regular";
39
+ const kindClause = kind === "any" ? "" : "AND run_kind = ?";
40
+ const params: (string | number)[] = [collectionId];
41
+ if (kind !== "any") params.push(kind);
42
+ const row = db.query(`
43
+ SELECT * FROM runs
44
+ WHERE collection_id = ? AND finished_at IS NOT NULL ${kindClause}
45
+ ORDER BY started_at DESC
46
+ LIMIT 1
47
+ `).get(...params) as (Record<string, unknown> & { tags?: unknown }) | null;
48
+ if (!row) return null;
49
+ let tags: string[] | null = null;
50
+ if (typeof row.tags === "string") {
51
+ try {
52
+ const v = JSON.parse(row.tags);
53
+ if (Array.isArray(v) && v.every((x) => typeof x === "string")) tags = v;
54
+ } catch {
55
+ // legacy/corrupt — leave null
56
+ }
57
+ }
58
+ // ARV-55: normalise run_kind alongside tags so RunRecord stays consistent.
59
+ const rk = row.run_kind;
60
+ const run_kind: import("../../core/runner/run-kind.ts").RunKind =
61
+ rk === "probe" || rk === "check" || rk === "request" || rk === "fixture" ? rk : "regular";
62
+ return { ...(row as unknown as RunRecord), tags, run_kind };
63
+ }
64
+
65
+ export function listCollections(): CollectionSummary[] {
66
+ const db = getDb();
67
+ return db.query(`
68
+ SELECT
69
+ c.id, c.name, c.base_dir, c.test_path, c.openapi_spec, c.created_at,
70
+ COUNT(r.id) AS total_runs,
71
+ CASE WHEN SUM(r.total) > 0
72
+ THEN ROUND(SUM(r.passed) * 100.0 / SUM(r.total), 1)
73
+ ELSE 0 END AS pass_rate,
74
+ MAX(r.started_at) AS last_run_at,
75
+ COALESCE((SELECT passed FROM runs WHERE collection_id = c.id ORDER BY started_at DESC LIMIT 1), 0) AS last_run_passed,
76
+ COALESCE((SELECT failed FROM runs WHERE collection_id = c.id ORDER BY started_at DESC LIMIT 1), 0) AS last_run_failed,
77
+ COALESCE((SELECT total FROM runs WHERE collection_id = c.id ORDER BY started_at DESC LIMIT 1), 0) AS last_run_total
78
+ FROM collections c
79
+ LEFT JOIN runs r ON r.collection_id = c.id AND r.finished_at IS NOT NULL
80
+ GROUP BY c.id
81
+ ORDER BY c.name
82
+ `).all() as CollectionSummary[];
83
+ }
84
+
85
+ export function updateCollection(id: number, opts: Partial<CreateCollectionOpts>): boolean {
86
+ const db = getDb();
87
+ const sets: string[] = [];
88
+ const params: Record<string, any> = { $id: id };
89
+
90
+ if (opts.name !== undefined) { sets.push("name = $name"); params.$name = opts.name; }
91
+ if (opts.base_dir !== undefined) { sets.push("base_dir = $base_dir"); params.$base_dir = opts.base_dir; }
92
+ if (opts.test_path !== undefined) { sets.push("test_path = $test_path"); params.$test_path = opts.test_path; }
93
+ if (opts.openapi_spec !== undefined) { sets.push("openapi_spec = $openapi_spec"); params.$openapi_spec = opts.openapi_spec; }
94
+
95
+ if (sets.length === 0) return false;
96
+
97
+ const result = db.prepare(`UPDATE collections SET ${sets.join(", ")} WHERE id = $id`).run(params);
98
+ return result.changes > 0;
99
+ }
100
+
101
+ export function deleteCollection(id: number, deleteRuns = false): boolean {
102
+ const db = getDb();
103
+ if (deleteRuns) {
104
+ const runIds = db.query("SELECT id FROM runs WHERE collection_id = ?").all(id) as { id: number }[];
105
+ for (const row of runIds) {
106
+ db.prepare("DELETE FROM results WHERE run_id = ?").run(row.id);
107
+ }
108
+ db.prepare("DELETE FROM runs WHERE collection_id = ?").run(id);
109
+ } else {
110
+ db.prepare("UPDATE runs SET collection_id = NULL WHERE collection_id = ?").run(id);
111
+ }
112
+ const result = db.prepare("DELETE FROM collections WHERE id = ?").run(id);
113
+ return result.changes > 0;
114
+ }
115
+
116
+ export function findCollectionByTestPath(path: string): CollectionRecord | null {
117
+ const db = getDb();
118
+ const normalized = normalizePath(path);
119
+ return db.query("SELECT * FROM collections WHERE test_path = ?").get(normalized) as CollectionRecord | null;
120
+ }
121
+
122
+ export function findCollectionByNameOrId(nameOrId: string): CollectionRecord | null {
123
+ const db = getDb();
124
+ // Try as numeric ID first
125
+ const id = parseInt(nameOrId, 10);
126
+ if (!isNaN(id)) {
127
+ const byId = db.query("SELECT * FROM collections WHERE id = ?").get(id) as CollectionRecord | null;
128
+ if (byId) return byId;
129
+ }
130
+ // Then by name (case-insensitive)
131
+ return db.query("SELECT * FROM collections WHERE lower(name) = lower(?)").get(nameOrId) as CollectionRecord | null;
132
+ }
133
+
@@ -0,0 +1,9 @@
1
+ /**
2
+ * Reserved for coverage-domain DB queries. As of TASK-187, coverage
3
+ * tables (`coverage_runs`, etc.) are still managed entirely from
4
+ * `src/core/coverage/`; nothing in `queries.ts` was coverage-specific to
5
+ * move here. The file exists so the per-domain layout is future-proof
6
+ * — when a coverage table-backed feature lands, queries land here and
7
+ * the cli/UI imports stay stable.
8
+ */
9
+ export {};
@@ -0,0 +1,59 @@
1
+ import { getDb } from "../schema.ts";
2
+ import type {
3
+ DashboardStats,
4
+ PassRateTrendPoint,
5
+ SlowestTest,
6
+ FlakyTest,
7
+ } from "./types.ts";
8
+
9
+ export function getDashboardStats(): DashboardStats {
10
+ const db = getDb();
11
+ const row = db.query(`
12
+ SELECT
13
+ COUNT(*) AS totalRuns,
14
+ COALESCE(SUM(total), 0) AS totalTests,
15
+ CASE WHEN SUM(total) > 0
16
+ THEN ROUND(SUM(passed) * 100.0 / SUM(total), 1)
17
+ ELSE 0 END AS overallPassRate,
18
+ COALESCE(ROUND(AVG(duration_ms), 0), 0) AS avgDuration
19
+ FROM runs
20
+ WHERE finished_at IS NOT NULL
21
+ `).get() as { totalRuns: number; totalTests: number; overallPassRate: number; avgDuration: number };
22
+ return row;
23
+ }
24
+
25
+ export function getPassRateTrend(limit = 30): PassRateTrendPoint[] {
26
+ const db = getDb();
27
+ return db.query(`
28
+ SELECT id AS run_id, started_at,
29
+ CASE WHEN total > 0 THEN ROUND(passed * 100.0 / total, 1) ELSE 0 END AS pass_rate
30
+ FROM runs
31
+ WHERE finished_at IS NOT NULL
32
+ ORDER BY started_at DESC
33
+ LIMIT ?
34
+ `).all(limit) as PassRateTrendPoint[];
35
+ }
36
+
37
+ export function getSlowestTests(limit = 5): SlowestTest[] {
38
+ const db = getDb();
39
+ return db.query(`
40
+ SELECT suite_name, test_name, ROUND(AVG(duration_ms), 0) AS avg_duration
41
+ FROM results
42
+ GROUP BY suite_name, test_name
43
+ ORDER BY avg_duration DESC
44
+ LIMIT ?
45
+ `).all(limit) as SlowestTest[];
46
+ }
47
+
48
+ export function getFlakyTests(runsBack = 20, limit = 5): FlakyTest[] {
49
+ const db = getDb();
50
+ return db.query(`
51
+ SELECT r.suite_name, r.test_name, COUNT(DISTINCT r.status) AS distinct_statuses
52
+ FROM results r
53
+ INNER JOIN (SELECT id FROM runs ORDER BY started_at DESC LIMIT ?) recent ON r.run_id = recent.id
54
+ GROUP BY r.suite_name, r.test_name
55
+ HAVING COUNT(DISTINCT r.status) > 1
56
+ ORDER BY distinct_statuses DESC
57
+ LIMIT ?
58
+ `).all(runsBack, limit) as FlakyTest[];
59
+ }
@@ -0,0 +1,216 @@
1
+ import { getDb, withDbRetry } from "../schema.ts";
2
+ import type { TestRunResult } from "../../core/runner/types.ts";
3
+ import { getSecretRegistry } from "../../core/secrets/registry.ts";
4
+ import type { StoredStepResult } from "./types.ts";
5
+
6
+ function parseProvenance(raw: unknown): import("../../core/parser/types.ts").SourceMetadata | null {
7
+ if (typeof raw !== "string" || raw.length === 0) return null;
8
+ try {
9
+ const parsed = JSON.parse(raw);
10
+ return parsed && typeof parsed === "object" ? parsed : null;
11
+ } catch {
12
+ return null;
13
+ }
14
+ }
15
+
16
+ export function saveResults(runId: number, suiteResults: TestRunResult[]): void {
17
+ const db = getDb();
18
+
19
+ const stmt = db.prepare(`
20
+ INSERT INTO results
21
+ (run_id, suite_name, test_name, status, duration_ms,
22
+ request_method, request_url, request_body,
23
+ response_status, response_body, response_headers, error_message, assertions, captures, suite_file, provenance, failure_class, failure_class_reason, spec_pointer, spec_excerpt)
24
+ VALUES
25
+ ($run_id, $suite_name, $test_name, $status, $duration_ms,
26
+ $request_method, $request_url, $request_body,
27
+ $response_status, $response_body, $response_headers, $error_message, $assertions, $captures, $suite_file, $provenance, $failure_class, $failure_class_reason, $spec_pointer, $spec_excerpt)
28
+ `);
29
+
30
+ // TASK-167 (m-10): every string field that can carry a leaked secret
31
+ // (URL with token in query, body echo on 401, Set-Cookie header, etc.)
32
+ // goes through the registry sanitizer before INSERT.
33
+ const reg = getSecretRegistry();
34
+ const redactString = (s: string | null | undefined): string | null =>
35
+ s == null ? null : reg.redact(s);
36
+ const redactJson = (v: unknown): string | null => {
37
+ if (v == null) return null;
38
+ if (typeof v === "string") return reg.redact(v);
39
+ return reg.redact(JSON.stringify(v));
40
+ };
41
+
42
+ withDbRetry("saveResults", () => db.transaction(() => {
43
+ for (const suite of suiteResults) {
44
+ for (const step of suite.steps) {
45
+ const maxBodySize = 50_000;
46
+ const truncBody = (s: string | null | undefined) =>
47
+ s && s.length > maxBodySize ? s.slice(0, maxBodySize) + "\n...[truncated]" : (s ?? null);
48
+ stmt.run({
49
+ $run_id: runId,
50
+ $suite_name: suite.suite_name,
51
+ $test_name: step.name,
52
+ $status: step.status,
53
+ $duration_ms: step.duration_ms,
54
+ $request_method: step.request.method,
55
+ $request_url: redactString(step.request.url),
56
+ $request_body: redactString(truncBody(step.request.body)),
57
+ $response_status: step.response?.status ?? null,
58
+ $response_body: redactString(truncBody(step.response?.body)),
59
+ $response_headers: step.response?.headers
60
+ ? redactJson(step.response.headers)
61
+ : null,
62
+ $error_message: redactString(step.error ?? null),
63
+ $assertions: step.assertions.length > 0 ? redactJson(step.assertions) : null,
64
+ $captures: Object.keys(step.captures).length > 0 ? redactJson(step.captures) : null,
65
+ $suite_file: suite.suite_file ?? null,
66
+ $provenance: step.provenance ? JSON.stringify(step.provenance) : null,
67
+ $failure_class: step.failure_class ?? null,
68
+ $failure_class_reason: step.failure_class_reason ?? null,
69
+ $spec_pointer: step.spec_pointer ?? null,
70
+ $spec_excerpt: redactString(step.spec_excerpt ?? null),
71
+ });
72
+ }
73
+ }
74
+ })());
75
+ }
76
+
77
+ export function getResultsByRunId(runId: number): StoredStepResult[] {
78
+ const db = getDb();
79
+ const rows = db.query("SELECT * FROM results WHERE run_id = ? ORDER BY id").all(runId) as Array<
80
+ Omit<StoredStepResult, "assertions" | "captures" | "provenance"> & {
81
+ assertions: string | null;
82
+ captures: string | null;
83
+ provenance: string | null;
84
+ }
85
+ >;
86
+ return rows.map((row) => ({
87
+ ...row,
88
+ assertions: row.assertions ? JSON.parse(row.assertions) : [],
89
+ captures: row.captures ? JSON.parse(row.captures) : {},
90
+ provenance: parseProvenance(row.provenance),
91
+ }));
92
+ }
93
+
94
+ /**
95
+ * Row shape for the fixture-kind POST history matched by
96
+ * `getRecentFixturePosts`'s SQL LIKE pattern (typically the
97
+ * create-endpoint URL with `{var}` path params replaced by `%`).
98
+ */
99
+ export interface LastFixtureAttempt {
100
+ request_method: string;
101
+ request_url: string;
102
+ request_body: string | null;
103
+ response_status: number | null;
104
+ response_body: string | null;
105
+ attempted_at: string;
106
+ }
107
+
108
+ /**
109
+ * ARV-278: return the most recent N fixture-POST attempts (most recent
110
+ * first). Powers `dump --with-last-attempt --history N` so the agent
111
+ * sees the progression of errors as the overlay was iterated — e.g.
112
+ * "first 400 said missing X, after fixing the body the next 400 said
113
+ * resource_missing customer" surfaces the cascade-staleness issue (see
114
+ * ARV-282) one level earlier than a single-snapshot view.
115
+ */
116
+ export function getRecentFixturePosts(
117
+ urlLikePattern: string,
118
+ limit: number,
119
+ ): LastFixtureAttempt[] {
120
+ if (!Number.isFinite(limit) || limit <= 0) return [];
121
+ const db = getDb();
122
+ const rows = db.query(`
123
+ SELECT
124
+ r.request_method AS request_method,
125
+ r.request_url AS request_url,
126
+ r.request_body AS request_body,
127
+ r.response_status AS response_status,
128
+ r.response_body AS response_body,
129
+ ru.started_at AS attempted_at
130
+ FROM results r
131
+ JOIN runs ru ON r.run_id = ru.id
132
+ WHERE ru.run_kind = 'fixture'
133
+ AND r.request_method = 'POST'
134
+ AND r.request_url LIKE ?
135
+ ORDER BY ru.started_at DESC, r.id DESC
136
+ LIMIT ?
137
+ `).all(urlLikePattern, Math.floor(limit)) as LastFixtureAttempt[];
138
+ return rows;
139
+ }
140
+
141
+ /**
142
+ * ARV-330: like `getRecentFixturePosts` but across ALL run kinds
143
+ * (`check`/`probe`/`run`/`request`/`fixture`). A root resource with no
144
+ * seed_body is `skip-no-create` by prepare-fixtures, so it never records
145
+ * a fixture-kind POST — yet a depth-check or probe may have POSTed the
146
+ * same create-path and captured the account-level capability error. The
147
+ * hard-blocked classifier reads this wider source so it can still
148
+ * diagnose the gate. Caller is responsible for filtering auth-probe
149
+ * noise (deliberately-broken-cred 401/403s).
150
+ */
151
+ export function getRecentCreatePosts(
152
+ urlLikePattern: string,
153
+ limit: number,
154
+ excludeLikePattern?: string,
155
+ ): LastFixtureAttempt[] {
156
+ if (!Number.isFinite(limit) || limit <= 0) return [];
157
+ const db = getDb();
158
+ // `excludeLikePattern` filters out child sub-resource POSTs in SQL (e.g.
159
+ // `%/v1/accounts/%` drops `/v1/accounts/{id}/reject`); without it the
160
+ // loose trailing wildcard lets a burst of probe sub-calls monopolize the
161
+ // LIMIT window and starve the real create-path attempts (ARV-330).
162
+ const rows = excludeLikePattern
163
+ ? db.query(`
164
+ SELECT r.request_method AS request_method, r.request_url AS request_url,
165
+ r.request_body AS request_body, r.response_status AS response_status,
166
+ r.response_body AS response_body, ru.started_at AS attempted_at
167
+ FROM results r JOIN runs ru ON r.run_id = ru.id
168
+ WHERE r.request_method = 'POST' AND r.request_url LIKE ? AND r.request_url NOT LIKE ?
169
+ ORDER BY ru.started_at DESC, r.id DESC LIMIT ?
170
+ `).all(urlLikePattern, excludeLikePattern, Math.floor(limit))
171
+ : db.query(`
172
+ SELECT r.request_method AS request_method, r.request_url AS request_url,
173
+ r.request_body AS request_body, r.response_status AS response_status,
174
+ r.response_body AS response_body, ru.started_at AS attempted_at
175
+ FROM results r JOIN runs ru ON r.run_id = ru.id
176
+ WHERE r.request_method = 'POST' AND r.request_url LIKE ?
177
+ ORDER BY ru.started_at DESC, r.id DESC LIMIT ?
178
+ `).all(urlLikePattern, Math.floor(limit));
179
+ return rows as LastFixtureAttempt[];
180
+ }
181
+
182
+ export function getFilteredResults(
183
+ runId: number,
184
+ filters: {
185
+ method?: string;
186
+ /** Compiled SQL fragment for the `--status` filter (TASK-140). */
187
+ statusSql?: { sql: string; params: number[] };
188
+ },
189
+ ): StoredStepResult[] {
190
+ const db = getDb();
191
+ const conditions = ["run_id = ?"];
192
+ const params: (string | number)[] = [runId];
193
+
194
+ if (filters.method) {
195
+ conditions.push("request_method = ?");
196
+ params.push(filters.method.toUpperCase());
197
+ }
198
+ if (filters.statusSql) {
199
+ conditions.push(filters.statusSql.sql);
200
+ params.push(...filters.statusSql.params);
201
+ }
202
+
203
+ const rows = db.query(`SELECT * FROM results WHERE ${conditions.join(" AND ")} ORDER BY id`).all(...params) as Array<
204
+ Omit<StoredStepResult, "assertions" | "captures" | "provenance"> & {
205
+ assertions: string | null;
206
+ captures: string | null;
207
+ provenance: string | null;
208
+ }
209
+ >;
210
+ return rows.map((row) => ({
211
+ ...row,
212
+ assertions: row.assertions ? JSON.parse(row.assertions) : [],
213
+ captures: row.captures ? JSON.parse(row.captures) : {},
214
+ provenance: parseProvenance(row.provenance),
215
+ }));
216
+ }