@kirrosh/zond 0.26.0 → 0.27.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (261) hide show
  1. package/CHANGELOG.md +59 -0
  2. package/README.md +22 -21
  3. package/bin/zond.mjs +23 -0
  4. package/package.json +13 -16
  5. package/scripts/npm/postinstall.mjs +76 -0
  6. package/src/CLAUDE.md +0 -112
  7. package/src/bun-types.d.ts +0 -5
  8. package/src/cli/argv.ts +0 -122
  9. package/src/cli/commands/add-api.ts +0 -146
  10. package/src/cli/commands/api/annotate/idempotency.ts +0 -59
  11. package/src/cli/commands/api/annotate/index.ts +0 -880
  12. package/src/cli/commands/api/annotate/lifecycle.ts +0 -74
  13. package/src/cli/commands/api/annotate/overlay.ts +0 -206
  14. package/src/cli/commands/api/annotate/pagination.ts +0 -64
  15. package/src/cli/commands/api/annotate/prompts.ts +0 -220
  16. package/src/cli/commands/api/annotate/readback.ts +0 -58
  17. package/src/cli/commands/api/annotate/resources.ts +0 -91
  18. package/src/cli/commands/api/annotate/seed-bodies.ts +0 -61
  19. package/src/cli/commands/audit.ts +0 -786
  20. package/src/cli/commands/catalog.ts +0 -97
  21. package/src/cli/commands/check.ts +0 -361
  22. package/src/cli/commands/checks.ts +0 -1072
  23. package/src/cli/commands/ci-init.ts +0 -223
  24. package/src/cli/commands/clean.ts +0 -212
  25. package/src/cli/commands/cleanup.ts +0 -236
  26. package/src/cli/commands/completions.ts +0 -192
  27. package/src/cli/commands/coverage.ts +0 -872
  28. package/src/cli/commands/db.ts +0 -611
  29. package/src/cli/commands/describe.ts +0 -120
  30. package/src/cli/commands/discover.ts +0 -1356
  31. package/src/cli/commands/doctor.ts +0 -661
  32. package/src/cli/commands/fixtures.ts +0 -402
  33. package/src/cli/commands/generate.ts +0 -577
  34. package/src/cli/commands/init/agents-md.ts +0 -61
  35. package/src/cli/commands/init/bootstrap.ts +0 -111
  36. package/src/cli/commands/init/index.ts +0 -244
  37. package/src/cli/commands/init/skills.ts +0 -141
  38. package/src/cli/commands/init/templates/agents.md +0 -86
  39. package/src/cli/commands/init/templates/markdown.d.ts +0 -4
  40. package/src/cli/commands/init/templates/skills/warm-up-target.md +0 -122
  41. package/src/cli/commands/init/templates/skills/zond-checks.md +0 -621
  42. package/src/cli/commands/init/templates/skills/zond-seed.md +0 -114
  43. package/src/cli/commands/init/templates/skills/zond-triage.md +0 -272
  44. package/src/cli/commands/init/templates/skills/zond.md +0 -861
  45. package/src/cli/commands/init/templates/zond-config.yml +0 -14
  46. package/src/cli/commands/prepare-fixtures.ts +0 -97
  47. package/src/cli/commands/probe/_seed-bodies.ts +0 -52
  48. package/src/cli/commands/probe/mass-assignment.ts +0 -594
  49. package/src/cli/commands/probe/security.ts +0 -537
  50. package/src/cli/commands/probe/static.ts +0 -255
  51. package/src/cli/commands/probe/webhooks.ts +0 -163
  52. package/src/cli/commands/probe.ts +0 -535
  53. package/src/cli/commands/reference.ts +0 -87
  54. package/src/cli/commands/refresh-api.ts +0 -227
  55. package/src/cli/commands/remove-api.ts +0 -150
  56. package/src/cli/commands/report-bundle.ts +0 -310
  57. package/src/cli/commands/report.ts +0 -241
  58. package/src/cli/commands/request.ts +0 -548
  59. package/src/cli/commands/run.ts +0 -1142
  60. package/src/cli/commands/schema-from-runs.ts +0 -128
  61. package/src/cli/commands/secrets.ts +0 -133
  62. package/src/cli/commands/session.ts +0 -244
  63. package/src/cli/commands/use.ts +0 -74
  64. package/src/cli/index.ts +0 -55
  65. package/src/cli/json-envelope.ts +0 -108
  66. package/src/cli/json-schemas.ts +0 -314
  67. package/src/cli/output.ts +0 -40
  68. package/src/cli/program.ts +0 -219
  69. package/src/cli/resolve.ts +0 -105
  70. package/src/cli/runtime.ts +0 -7
  71. package/src/cli/safe-live.ts +0 -24
  72. package/src/cli/status-filter.ts +0 -114
  73. package/src/cli/util/api-context.ts +0 -85
  74. package/src/cli/version.ts +0 -8
  75. package/src/core/audit/persist.ts +0 -183
  76. package/src/core/checks/budget.ts +0 -59
  77. package/src/core/checks/checks/_crud-helpers.ts +0 -133
  78. package/src/core/checks/checks/_negative_mutator.ts +0 -133
  79. package/src/core/checks/checks/_readback-helpers.ts +0 -133
  80. package/src/core/checks/checks/content_type_conformance.ts +0 -39
  81. package/src/core/checks/checks/cross_call_references.ts +0 -147
  82. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +0 -219
  83. package/src/core/checks/checks/ensure_resource_availability.ts +0 -62
  84. package/src/core/checks/checks/idempotency_replay.ts +0 -242
  85. package/src/core/checks/checks/ignored_auth.ts +0 -254
  86. package/src/core/checks/checks/index.ts +0 -68
  87. package/src/core/checks/checks/lifecycle_transitions.ts +0 -416
  88. package/src/core/checks/checks/missing_required_header.ts +0 -40
  89. package/src/core/checks/checks/negative_data_rejection.ts +0 -148
  90. package/src/core/checks/checks/not_a_server_error.ts +0 -35
  91. package/src/core/checks/checks/open_cors_on_sensitive.ts +0 -160
  92. package/src/core/checks/checks/pagination_invariants.ts +0 -419
  93. package/src/core/checks/checks/positive_data_acceptance.ts +0 -33
  94. package/src/core/checks/checks/rate_limit_headers_absent.ts +0 -77
  95. package/src/core/checks/checks/response_headers_conformance.ts +0 -74
  96. package/src/core/checks/checks/response_schema_conformance.ts +0 -30
  97. package/src/core/checks/checks/status_code_conformance.ts +0 -132
  98. package/src/core/checks/checks/unsupported_method.ts +0 -63
  99. package/src/core/checks/checks/use_after_free.ts +0 -78
  100. package/src/core/checks/index.ts +0 -30
  101. package/src/core/checks/mode.ts +0 -82
  102. package/src/core/checks/recommended-action.ts +0 -68
  103. package/src/core/checks/registry.ts +0 -78
  104. package/src/core/checks/runner.ts +0 -1461
  105. package/src/core/checks/sarif.ts +0 -230
  106. package/src/core/checks/spec-findings.ts +0 -308
  107. package/src/core/checks/stateful.ts +0 -121
  108. package/src/core/checks/types.ts +0 -305
  109. package/src/core/checks/zond-extensions.ts +0 -73
  110. package/src/core/classifier/recommended-action.ts +0 -251
  111. package/src/core/context/current.ts +0 -51
  112. package/src/core/context/session.ts +0 -78
  113. package/src/core/coverage/loader.ts +0 -216
  114. package/src/core/coverage/reasons.ts +0 -300
  115. package/src/core/diagnostics/db-analysis.ts +0 -666
  116. package/src/core/diagnostics/failure-class.ts +0 -140
  117. package/src/core/diagnostics/failure-hints.ts +0 -112
  118. package/src/core/diagnostics/spec-pointer.ts +0 -99
  119. package/src/core/diagnostics/suggested-fixes.ts +0 -155
  120. package/src/core/exporter/case-study/index.ts +0 -270
  121. package/src/core/exporter/curl.ts +0 -40
  122. package/src/core/exporter/exporter.ts +0 -48
  123. package/src/core/exporter/html-report/escape.ts +0 -24
  124. package/src/core/exporter/html-report/index.ts +0 -479
  125. package/src/core/exporter/html-report/script.ts +0 -100
  126. package/src/core/exporter/html-report/styles.ts +0 -408
  127. package/src/core/generator/catalog-builder.ts +0 -179
  128. package/src/core/generator/chunker.ts +0 -78
  129. package/src/core/generator/coverage-phase.ts +0 -0
  130. package/src/core/generator/coverage-scanner.ts +0 -87
  131. package/src/core/generator/data-factory.ts +0 -759
  132. package/src/core/generator/describe.ts +0 -302
  133. package/src/core/generator/endpoint-warnings.ts +0 -52
  134. package/src/core/generator/fixtures-builder.ts +0 -332
  135. package/src/core/generator/index.ts +0 -14
  136. package/src/core/generator/openapi-reader.ts +0 -297
  137. package/src/core/generator/path-param-disambig.ts +0 -140
  138. package/src/core/generator/resources-builder.ts +0 -898
  139. package/src/core/generator/schema-utils.ts +0 -112
  140. package/src/core/generator/serializer.ts +0 -343
  141. package/src/core/generator/suite-generator.ts +0 -1301
  142. package/src/core/generator/types.ts +0 -63
  143. package/src/core/identity/identity-file.ts +0 -0
  144. package/src/core/lint/affects.ts +0 -28
  145. package/src/core/lint/config.ts +0 -96
  146. package/src/core/lint/format.ts +0 -42
  147. package/src/core/lint/index.ts +0 -94
  148. package/src/core/lint/reporter.ts +0 -128
  149. package/src/core/lint/rules/consistency.ts +0 -158
  150. package/src/core/lint/rules/heuristics.ts +0 -97
  151. package/src/core/lint/rules/strictness.ts +0 -109
  152. package/src/core/lint/types.ts +0 -96
  153. package/src/core/lint/walker.ts +0 -248
  154. package/src/core/meta/meta-store.ts +0 -11
  155. package/src/core/output/README.md +0 -73
  156. package/src/core/output/index.ts +0 -13
  157. package/src/core/output/run.ts +0 -91
  158. package/src/core/output/types.ts +0 -122
  159. package/src/core/parser/dynamic-values.ts +0 -160
  160. package/src/core/parser/env-interpolation.ts +0 -104
  161. package/src/core/parser/filter.ts +0 -97
  162. package/src/core/parser/schema.ts +0 -359
  163. package/src/core/parser/types.ts +0 -117
  164. package/src/core/parser/variables.ts +0 -0
  165. package/src/core/parser/yaml-parser.ts +0 -181
  166. package/src/core/probe/bootstrap.ts +0 -34
  167. package/src/core/probe/dry-run-envelope.ts +0 -61
  168. package/src/core/probe/mass-assignment/classify.ts +0 -175
  169. package/src/core/probe/mass-assignment/cleanup.ts +0 -52
  170. package/src/core/probe/mass-assignment/digest.ts +0 -114
  171. package/src/core/probe/mass-assignment/orchestrator.ts +0 -459
  172. package/src/core/probe/mass-assignment/regression.ts +0 -141
  173. package/src/core/probe/mass-assignment/suspects.ts +0 -92
  174. package/src/core/probe/mass-assignment/types.ts +0 -135
  175. package/src/core/probe/mass-assignment-probe-class.ts +0 -198
  176. package/src/core/probe/mass-assignment-probe.ts +0 -27
  177. package/src/core/probe/mass-assignment-template.ts +0 -240
  178. package/src/core/probe/method-probe.ts +0 -164
  179. package/src/core/probe/method-shared.ts +0 -69
  180. package/src/core/probe/negative-probe.ts +0 -691
  181. package/src/core/probe/orphan-tracker.ts +0 -188
  182. package/src/core/probe/path-discovery.ts +0 -439
  183. package/src/core/probe/probe-harness.ts +0 -119
  184. package/src/core/probe/registry.ts +0 -89
  185. package/src/core/probe/runner.ts +0 -136
  186. package/src/core/probe/security/baseline.ts +0 -174
  187. package/src/core/probe/security/classify.ts +0 -341
  188. package/src/core/probe/security/cleanup.ts +0 -125
  189. package/src/core/probe/security/detectors.ts +0 -71
  190. package/src/core/probe/security/digest.ts +0 -104
  191. package/src/core/probe/security/orchestrator.ts +0 -398
  192. package/src/core/probe/security/regression.ts +0 -103
  193. package/src/core/probe/security/types.ts +0 -151
  194. package/src/core/probe/security-probe-class.ts +0 -207
  195. package/src/core/probe/security-probe.ts +0 -32
  196. package/src/core/probe/shared.ts +0 -531
  197. package/src/core/probe/static-probe-class.ts +0 -125
  198. package/src/core/probe/types.ts +0 -165
  199. package/src/core/probe/verdict-aggregator.ts +0 -33
  200. package/src/core/probe/webhooks-probe.ts +0 -282
  201. package/src/core/reporter/console.ts +0 -240
  202. package/src/core/reporter/index.ts +0 -22
  203. package/src/core/reporter/json.ts +0 -22
  204. package/src/core/reporter/junit.ts +0 -93
  205. package/src/core/reporter/ndjson.ts +0 -37
  206. package/src/core/reporter/types.ts +0 -15
  207. package/src/core/runner/assertions.ts +0 -383
  208. package/src/core/runner/async-pool.ts +0 -108
  209. package/src/core/runner/auth-path.ts +0 -8
  210. package/src/core/runner/ci-context.ts +0 -72
  211. package/src/core/runner/executor.ts +0 -652
  212. package/src/core/runner/expr-eval.ts +0 -41
  213. package/src/core/runner/form-encode.ts +0 -41
  214. package/src/core/runner/http-client.ts +0 -224
  215. package/src/core/runner/learn-drift.ts +0 -293
  216. package/src/core/runner/preflight-vars.ts +0 -153
  217. package/src/core/runner/progress-tracker.ts +0 -73
  218. package/src/core/runner/rate-limiter.ts +0 -185
  219. package/src/core/runner/run-kind.ts +0 -45
  220. package/src/core/runner/schema-validator.ts +0 -308
  221. package/src/core/runner/send-request.ts +0 -232
  222. package/src/core/runner/transforms.ts +0 -65
  223. package/src/core/runner/types.ts +0 -94
  224. package/src/core/secrets/registry.ts +0 -164
  225. package/src/core/secrets/secrets-file.ts +0 -115
  226. package/src/core/selectors/operation-filter.ts +0 -144
  227. package/src/core/setup-api.ts +0 -590
  228. package/src/core/severity/category.ts +0 -94
  229. package/src/core/severity/index.ts +0 -58
  230. package/src/core/spec/infer-schema.ts +0 -102
  231. package/src/core/spec/layers.ts +0 -154
  232. package/src/core/spec/merge-specs.ts +0 -156
  233. package/src/core/spec/schema-from-runs.ts +0 -117
  234. package/src/core/spec/schema-overlay.ts +0 -130
  235. package/src/core/util/ajv.ts +0 -13
  236. package/src/core/util/format-eta.ts +0 -21
  237. package/src/core/util/headers.ts +0 -9
  238. package/src/core/util/url.ts +0 -24
  239. package/src/core/utils.ts +0 -13
  240. package/src/core/workspace/config.ts +0 -129
  241. package/src/core/workspace/fixture-gap-report.ts +0 -84
  242. package/src/core/workspace/fixture-gaps.ts +0 -71
  243. package/src/core/workspace/manifest.ts +0 -283
  244. package/src/core/workspace/output-rotation.ts +0 -62
  245. package/src/core/workspace/root.ts +0 -96
  246. package/src/core/workspace/triage-path.ts +0 -87
  247. package/src/db/lint-runs.ts +0 -47
  248. package/src/db/migrate.ts +0 -128
  249. package/src/db/migrations/0001_run_kind.sql +0 -25
  250. package/src/db/migrations/0002_run_kind_request.sql +0 -59
  251. package/src/db/migrations/sql.d.ts +0 -4
  252. package/src/db/queries/collections.ts +0 -133
  253. package/src/db/queries/coverage.ts +0 -9
  254. package/src/db/queries/dashboard.ts +0 -59
  255. package/src/db/queries/results.ts +0 -216
  256. package/src/db/queries/runs.ts +0 -289
  257. package/src/db/queries/sessions.ts +0 -42
  258. package/src/db/queries/settings.ts +0 -28
  259. package/src/db/queries/types.ts +0 -172
  260. package/src/db/queries.ts +0 -75
  261. package/src/db/schema.ts +0 -298
@@ -1,254 +0,0 @@
1
- /**
2
- * `ignored_auth` (m-15 ARV-3, refined in ARV-181) — for every operation
3
- * that declares a security requirement, send 3 requests:
4
- *
5
- * 1. baseline — full real-auth headers,
6
- * 2. no_auth — drop every auth-shaped header,
7
- * 3. bogus_auth — replace each auth header value with a malformed-
8
- * shaped, plausibly-typed bogus.
9
- *
10
- * Verdict logic (ARV-181 differential):
11
- *
12
- * - baseline 5xx → skip (server unhealthy; nothing we say is trustworthy).
13
- * - baseline 2xx → strict mode. Any 2xx on no_auth/bogus → HIGH bypass.
14
- * - baseline 4xx → soft mode. The auth token didn't get a 2xx (wrong
15
- * permissions, real path-var not provided, etc.), but we can still
16
- * learn from how the server treats *worse* credentials:
17
- * · no_auth/bogus returns **strictly better** status (lower 4xx
18
- * class, or 2xx/3xx) → HIGH bypass. The classic smoking gun
19
- * is `baseline 403 / no_auth 200`.
20
- * · same or worse status → pass (auth was checked; the resource
21
- * simply isn't accessible to anyone).
22
- *
23
- * Strictness:
24
- * - default: no_auth/bogus passes if status is in [400..499] (any 4xx).
25
- * - --strict-401 (CheckRuntimeOptions.strict401): only 401 passes; any
26
- * other status — even 403/404 — fails. Mirrors schemathesis V4.
27
- *
28
- * Anti-FP guards (kept from ARV-3):
29
- * - skip operations with `security: []` override (explicitly public),
30
- * - skip when `bootstrap_cleanup_failed` (data state corrupted),
31
- * - skip when no auth headers provided to the harness at all.
32
- *
33
- * Severity matrix (ARV-286, dispatched per finding via outcome.severity;
34
- * follow-up to ARV-284 `negative_data_rejection` pattern):
35
- *
36
- * Declared severity: 'low' (proof-cap baseline per ARV-250 — single-
37
- * signal evidence alone caps at LOW; chain evidence elevates to HIGH).
38
- *
39
- * Per-finding dispatch:
40
- *
41
- * | evidence.variant | severity | rationale |
42
- * |---------------------------|----------|-----------------------------------|
43
- * | no_auth | HIGH | baseline 2xx + no-auth 2xx |
44
- * | bogus_auth | HIGH | baseline 2xx + bogus 2xx |
45
- * | no_auth_differential | HIGH | broken-baseline + lower bucket |
46
- * | bogus_auth_differential | HIGH | broken-baseline + lower bucket |
47
- * | no_auth_strict | MEDIUM | --strict-401 mismatch, no bypass |
48
- * | bogus_auth_strict | MEDIUM | --strict-401 mismatch, no bypass |
49
- *
50
- * HIGH variants (bypass + differential) provide chain evidence: both a
51
- * baseline probe and an auth-stripped probe contribute — two independent
52
- * signals proving auth is ignored. MEDIUM variants (strict-401
53
- * conformance) are single-signal: auth is likely enforced (server still
54
- * rejects), just with the wrong status code (403/404 instead of 401).
55
- * The agent re-severitizes from the raw evidence.
56
- */
57
- import type { OpenAPIV3 } from "openapi-types";
58
- import type { AuthStatefulCheck } from "../stateful.ts";
59
- import type { HttpRequest } from "../../runner/types.ts";
60
-
61
- function buildBogus(name: string, value: string): string {
62
- // Keep the original prefix so the auth scheme detection at the
63
- // server still matches (Bearer xxx, Basic xxx). Only the secret
64
- // payload is replaced.
65
- if (/^Bearer\s+/i.test(value)) return "Bearer aaaaaaaaaaaa.bbbbbbbbbbbb.cccccccccccc";
66
- if (/^Basic\s+/i.test(value)) return "Basic " + Buffer.from("zzz:zzz").toString("base64");
67
- // apiKey / custom header — preserve length-class, replace content.
68
- return name.toLowerCase().includes("token") ? "ZZZZZZZZZZ" : "bogus-" + "z".repeat(8);
69
- }
70
-
71
- /** ARV-181: substitute path placeholders using `h.pathVars` first, then
72
- * fall back to schema-derived placeholders. Mirrors `fillPathParams`
73
- * in `runner.ts` (kept inline to avoid a cross-module dependency that
74
- * would yank generator imports into stateful checks). */
75
- function fillPath(
76
- path: string,
77
- op: { parameters: OpenAPIV3.ParameterObject[] },
78
- pathVars: Record<string, string> | undefined,
79
- ): string {
80
- return path.replace(/\{([^}]+)\}/g, (_, name: string) => {
81
- const real = pathVars?.[name];
82
- if (typeof real === "string" && real.length > 0) return encodeURIComponent(real);
83
- const param = op.parameters.find((p) => p.name === name && p.in === "path");
84
- const schema = param?.schema as OpenAPIV3.SchemaObject | undefined;
85
- if (schema?.format === "uuid") return "00000000-0000-0000-0000-000000000000";
86
- if (schema?.type === "integer" || schema?.type === "number") return "1";
87
- return "x";
88
- });
89
- }
90
-
91
- function isAuthHeaderName(name: string): boolean {
92
- const n = name.toLowerCase();
93
- return n === "authorization" || n.startsWith("x-api") || n.includes("token") || n.includes("key");
94
- }
95
-
96
- /** ARV-181: classify response status into a single ordering bucket so
97
- * the differential broken-baseline logic can answer "did stripping
98
- * auth give a *better* status than baseline?". Lower index = more
99
- * permissive (worse from auth-enforcement POV). 5xx is its own
100
- * bucket — never compare across it. */
101
- function statusBucket(status: number): number {
102
- if (status >= 200 && status < 400) return 0; // accepted-ish
103
- if (status === 401) return 3; // canonical "auth required"
104
- if (status === 403) return 2; // permission denied
105
- if (status >= 400 && status < 500) return 1; // other 4xx (404, 422, ...)
106
- return -1; // 5xx / 1xx — incomparable
107
- }
108
-
109
- function isAcceptableRejection(status: number, strict401: boolean): boolean {
110
- if (strict401) return status === 401;
111
- return status >= 400 && status < 500;
112
- }
113
-
114
- export const ignoredAuth: AuthStatefulCheck = {
115
- id: "ignored_auth",
116
- /** ARV-286: proof-cap baseline (ARV-250). Bypass findings emit
117
- * outcome.severity="high" (chain evidence); strict-401 conformance
118
- * findings emit outcome.severity="medium" (single-signal). */
119
- severity: "low",
120
- defaultExpected: "Server must reject requests without (or with bogus) auth credentials with 401/403",
121
- references: [{ id: "OWASP-API-01" }],
122
- phase: "auth",
123
- applies(op) {
124
- // Anti-FP: explicit `security: []` override means the op is intentionally public.
125
- if (op.security.length === 0) return false;
126
- return true;
127
- },
128
- async run(op, h) {
129
- if (h.bootstrapCleanupFailed) {
130
- return { kind: "skip", reason: "bootstrap-cleanup failed — security checks paused (ARV-3 AC #6)" };
131
- }
132
- if (Object.keys(h.authHeaders).length === 0) {
133
- return { kind: "skip", reason: "no auth headers provided to harness — pass --auth-header" };
134
- }
135
- const strict401 = h.options?.strict401 === true;
136
- const url = `${h.baseUrl.replace(/\/+$/, "")}${fillPath(op.path, op, h.pathVars)}`;
137
- const method = op.method.toUpperCase();
138
- const baseHeaders: Record<string, string> = { Accept: "application/json", ...h.authHeaders };
139
-
140
- // 1. baseline
141
- const baseReq: HttpRequest = { method, url, headers: baseHeaders };
142
- const baseline = await h.send(baseReq);
143
- if (baseline.status >= 500) {
144
- return { kind: "skip", reason: `baseline returned ${baseline.status} — server-side error, no trustworthy signal` };
145
- }
146
-
147
- // 2. no_auth — strip every auth-shaped header
148
- const noAuthHeaders: Record<string, string> = { ...baseHeaders };
149
- for (const k of Object.keys(noAuthHeaders)) {
150
- if (isAuthHeaderName(k)) delete noAuthHeaders[k];
151
- }
152
- const noAuth = await h.send({ method, url, headers: noAuthHeaders });
153
-
154
- // 3. bogus_auth — keep header names, replace values
155
- const bogusHeaders: Record<string, string> = { ...baseHeaders };
156
- for (const k of Object.keys(bogusHeaders)) {
157
- if (isAuthHeaderName(k)) bogusHeaders[k] = buildBogus(k, bogusHeaders[k]!);
158
- }
159
- const bogus = await h.send({ method, url, headers: bogusHeaders });
160
-
161
- const baseBucket = statusBucket(baseline.status);
162
- const baseIs2xx = baseline.status >= 200 && baseline.status < 300;
163
-
164
- // ── strict-2xx-baseline branch (legacy path, unchanged semantically) ──
165
- if (baseIs2xx) {
166
- if (noAuth.status >= 200 && noAuth.status < 300) {
167
- return {
168
- kind: "fail",
169
- // chain evidence: baseline 2xx + no-auth 2xx → proven bypass
170
- severity: "high",
171
- message: `Server accepted request without auth credentials (status ${noAuth.status}) — auth is being ignored`,
172
- evidence: { variant: "no_auth", baseline_status: baseline.status, no_auth_status: noAuth.status },
173
- };
174
- }
175
- if (bogus.status >= 200 && bogus.status < 300) {
176
- return {
177
- kind: "fail",
178
- // chain evidence: baseline 2xx + bogus-auth 2xx → credentials not validated
179
- severity: "high",
180
- message: `Server accepted request with bogus auth (status ${bogus.status}) — credentials not validated`,
181
- evidence: { variant: "bogus_auth", baseline_status: baseline.status, bogus_auth_status: bogus.status },
182
- };
183
- }
184
- if (strict401) {
185
- if (noAuth.status !== 401) {
186
- return {
187
- kind: "fail",
188
- // single-signal: auth is likely enforced (4xx returned), just wrong status code
189
- severity: "medium",
190
- message: `no_auth returned ${noAuth.status}, expected 401 (--strict-401)`,
191
- evidence: { variant: "no_auth_strict", baseline_status: baseline.status, no_auth_status: noAuth.status, strict_401: true },
192
- };
193
- }
194
- if (bogus.status !== 401) {
195
- return {
196
- kind: "fail",
197
- // single-signal: auth is likely enforced (4xx returned), just wrong status code
198
- severity: "medium",
199
- message: `bogus_auth returned ${bogus.status}, expected 401 (--strict-401)`,
200
- evidence: { variant: "bogus_auth_strict", baseline_status: baseline.status, bogus_auth_status: bogus.status, strict_401: true },
201
- };
202
- }
203
- }
204
- return { kind: "pass" };
205
- }
206
-
207
- // ── differential 4xx-baseline branch (ARV-181) ─────────────────────
208
- if (baseBucket < 0) {
209
- return { kind: "skip", reason: `baseline returned ${baseline.status} — incomparable status, no trustworthy signal` };
210
- }
211
- const noAuthBucket = statusBucket(noAuth.status);
212
- const bogusBucket = statusBucket(bogus.status);
213
-
214
- if (noAuthBucket >= 0 && noAuthBucket < baseBucket) {
215
- return {
216
- kind: "fail",
217
- // chain evidence: broken-baseline + lower bucket without auth → smoking gun bypass
218
- severity: "high",
219
- message: `Server gave a more permissive status (${noAuth.status}) without auth than with valid auth (${baseline.status}) — possible bypass`,
220
- evidence: { variant: "no_auth_differential", baseline_status: baseline.status, no_auth_status: noAuth.status },
221
- };
222
- }
223
- if (bogusBucket >= 0 && bogusBucket < baseBucket) {
224
- return {
225
- kind: "fail",
226
- // chain evidence: broken-baseline + lower bucket with bogus token → bypass
227
- severity: "high",
228
- message: `Server gave a more permissive status (${bogus.status}) with bogus auth than with valid auth (${baseline.status}) — possible bypass`,
229
- evidence: { variant: "bogus_auth_differential", baseline_status: baseline.status, bogus_auth_status: bogus.status },
230
- };
231
- }
232
- if (strict401) {
233
- if (!isAcceptableRejection(noAuth.status, true) && noAuthBucket >= 0) {
234
- return {
235
- kind: "fail",
236
- // single-signal: auth is enforced (server still rejects), wrong status code
237
- severity: "medium",
238
- message: `no_auth returned ${noAuth.status}, expected 401 (--strict-401, baseline ${baseline.status})`,
239
- evidence: { variant: "no_auth_strict", baseline_status: baseline.status, no_auth_status: noAuth.status, strict_401: true },
240
- };
241
- }
242
- if (!isAcceptableRejection(bogus.status, true) && bogusBucket >= 0) {
243
- return {
244
- kind: "fail",
245
- // single-signal: auth is enforced (server still rejects), wrong status code
246
- severity: "medium",
247
- message: `bogus_auth returned ${bogus.status}, expected 401 (--strict-401, baseline ${baseline.status})`,
248
- evidence: { variant: "bogus_auth_strict", baseline_status: baseline.status, bogus_auth_status: bogus.status, strict_401: true },
249
- };
250
- }
251
- }
252
- return { kind: "pass" };
253
- },
254
- };
@@ -1,68 +0,0 @@
1
- /**
2
- * Auto-registers built-in checks at first import. ARV-1 ships with one
3
- * seed check (`not_a_server_error`); ARV-2/3/4 fill in the remaining
4
- * 11 conformance/security checks alongside it.
5
- *
6
- * Side-effect import is intentional: anywhere the runner or CLI loads
7
- * `core/checks` it triggers this module and the registry is populated
8
- * exactly once (Node/Bun ESM module cache guarantees idempotency).
9
- */
10
- import { registerCheck } from "../registry.ts";
11
- import { registerStatefulCheck } from "../stateful.ts";
12
- import { notAServerError } from "./not_a_server_error.ts";
13
- import { statusCodeConformance } from "./status_code_conformance.ts";
14
- import { contentTypeConformance } from "./content_type_conformance.ts";
15
- import { responseHeadersConformance } from "./response_headers_conformance.ts";
16
- import { responseSchemaConformance } from "./response_schema_conformance.ts";
17
- import { missingRequiredHeader } from "./missing_required_header.ts";
18
- import { unsupportedMethod } from "./unsupported_method.ts";
19
- import { ignoredAuth } from "./ignored_auth.ts";
20
- import { useAfterFree } from "./use_after_free.ts";
21
- import { ensureResourceAvailability } from "./ensure_resource_availability.ts";
22
- import { negativeDataRejection } from "./negative_data_rejection.ts";
23
- import { positiveDataAcceptance } from "./positive_data_acceptance.ts";
24
- import { crossCallReferences } from "./cross_call_references.ts";
25
- import { idempotencyReplay } from "./idempotency_replay.ts";
26
- import { paginationInvariants } from "./pagination_invariants.ts";
27
- import { lifecycleTransitions } from "./lifecycle_transitions.ts";
28
- import { openCorsOnSensitive } from "./open_cors_on_sensitive.ts";
29
- import { rateLimitHeadersAbsent } from "./rate_limit_headers_absent.ts";
30
- import { cursorBoundaryFuzzing } from "./cursor_boundary_fuzzing.ts";
31
-
32
- let registered = false;
33
-
34
- export function registerBuiltinChecks(): void {
35
- if (registered) return;
36
- // ARV-1 seed.
37
- registerCheck(notAServerError);
38
- // ARV-2 — 6 conformance checks (7 total with the seed).
39
- registerCheck(statusCodeConformance);
40
- registerCheck(contentTypeConformance);
41
- registerCheck(responseHeadersConformance);
42
- registerCheck(responseSchemaConformance);
43
- registerCheck(missingRequiredHeader);
44
- registerCheck(unsupportedMethod);
45
- // ARV-3 — 3 stateful security checks.
46
- registerStatefulCheck(ignoredAuth);
47
- registerStatefulCheck(useAfterFree);
48
- registerStatefulCheck(ensureResourceAvailability);
49
- // ARV-4 — 2 data-rejection checks with anti-FP guards.
50
- registerCheck(negativeDataRejection);
51
- registerCheck(positiveDataAcceptance);
52
- // ARV-169 (m-20) — cross-call POST→GET shape-diff probe.
53
- registerStatefulCheck(crossCallReferences);
54
- // ARV-170 (m-20) — Idempotency-Key replay probe.
55
- registerStatefulCheck(idempotencyReplay);
56
- // ARV-171 (m-20) — cursor pagination invariants.
57
- registerStatefulCheck(paginationInvariants);
58
- // ARV-172 (m-20) — declared state-machine + action transitions.
59
- registerStatefulCheck(lifecycleTransitions);
60
- // ARV-256 (m-21) — small-team value-add checks.
61
- registerStatefulCheck(openCorsOnSensitive);
62
- registerCheck(rateLimitHeadersAbsent);
63
- // ARV-273 (m-22) — cursor/page-token fuzzing on list endpoints.
64
- registerStatefulCheck(cursorBoundaryFuzzing);
65
- registered = true;
66
- }
67
-
68
- registerBuiltinChecks();