@kirrosh/zond 0.26.0 → 0.27.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +59 -0
- package/README.md +22 -21
- package/bin/zond.mjs +23 -0
- package/package.json +13 -16
- package/scripts/npm/postinstall.mjs +76 -0
- package/src/CLAUDE.md +0 -112
- package/src/bun-types.d.ts +0 -5
- package/src/cli/argv.ts +0 -122
- package/src/cli/commands/add-api.ts +0 -146
- package/src/cli/commands/api/annotate/idempotency.ts +0 -59
- package/src/cli/commands/api/annotate/index.ts +0 -880
- package/src/cli/commands/api/annotate/lifecycle.ts +0 -74
- package/src/cli/commands/api/annotate/overlay.ts +0 -206
- package/src/cli/commands/api/annotate/pagination.ts +0 -64
- package/src/cli/commands/api/annotate/prompts.ts +0 -220
- package/src/cli/commands/api/annotate/readback.ts +0 -58
- package/src/cli/commands/api/annotate/resources.ts +0 -91
- package/src/cli/commands/api/annotate/seed-bodies.ts +0 -61
- package/src/cli/commands/audit.ts +0 -786
- package/src/cli/commands/catalog.ts +0 -97
- package/src/cli/commands/check.ts +0 -361
- package/src/cli/commands/checks.ts +0 -1072
- package/src/cli/commands/ci-init.ts +0 -223
- package/src/cli/commands/clean.ts +0 -212
- package/src/cli/commands/cleanup.ts +0 -236
- package/src/cli/commands/completions.ts +0 -192
- package/src/cli/commands/coverage.ts +0 -872
- package/src/cli/commands/db.ts +0 -611
- package/src/cli/commands/describe.ts +0 -120
- package/src/cli/commands/discover.ts +0 -1356
- package/src/cli/commands/doctor.ts +0 -661
- package/src/cli/commands/fixtures.ts +0 -402
- package/src/cli/commands/generate.ts +0 -577
- package/src/cli/commands/init/agents-md.ts +0 -61
- package/src/cli/commands/init/bootstrap.ts +0 -111
- package/src/cli/commands/init/index.ts +0 -244
- package/src/cli/commands/init/skills.ts +0 -141
- package/src/cli/commands/init/templates/agents.md +0 -86
- package/src/cli/commands/init/templates/markdown.d.ts +0 -4
- package/src/cli/commands/init/templates/skills/warm-up-target.md +0 -122
- package/src/cli/commands/init/templates/skills/zond-checks.md +0 -621
- package/src/cli/commands/init/templates/skills/zond-seed.md +0 -114
- package/src/cli/commands/init/templates/skills/zond-triage.md +0 -272
- package/src/cli/commands/init/templates/skills/zond.md +0 -861
- package/src/cli/commands/init/templates/zond-config.yml +0 -14
- package/src/cli/commands/prepare-fixtures.ts +0 -97
- package/src/cli/commands/probe/_seed-bodies.ts +0 -52
- package/src/cli/commands/probe/mass-assignment.ts +0 -594
- package/src/cli/commands/probe/security.ts +0 -537
- package/src/cli/commands/probe/static.ts +0 -255
- package/src/cli/commands/probe/webhooks.ts +0 -163
- package/src/cli/commands/probe.ts +0 -535
- package/src/cli/commands/reference.ts +0 -87
- package/src/cli/commands/refresh-api.ts +0 -227
- package/src/cli/commands/remove-api.ts +0 -150
- package/src/cli/commands/report-bundle.ts +0 -310
- package/src/cli/commands/report.ts +0 -241
- package/src/cli/commands/request.ts +0 -548
- package/src/cli/commands/run.ts +0 -1142
- package/src/cli/commands/schema-from-runs.ts +0 -128
- package/src/cli/commands/secrets.ts +0 -133
- package/src/cli/commands/session.ts +0 -244
- package/src/cli/commands/use.ts +0 -74
- package/src/cli/index.ts +0 -55
- package/src/cli/json-envelope.ts +0 -108
- package/src/cli/json-schemas.ts +0 -314
- package/src/cli/output.ts +0 -40
- package/src/cli/program.ts +0 -219
- package/src/cli/resolve.ts +0 -105
- package/src/cli/runtime.ts +0 -7
- package/src/cli/safe-live.ts +0 -24
- package/src/cli/status-filter.ts +0 -114
- package/src/cli/util/api-context.ts +0 -85
- package/src/cli/version.ts +0 -8
- package/src/core/audit/persist.ts +0 -183
- package/src/core/checks/budget.ts +0 -59
- package/src/core/checks/checks/_crud-helpers.ts +0 -133
- package/src/core/checks/checks/_negative_mutator.ts +0 -133
- package/src/core/checks/checks/_readback-helpers.ts +0 -133
- package/src/core/checks/checks/content_type_conformance.ts +0 -39
- package/src/core/checks/checks/cross_call_references.ts +0 -147
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +0 -219
- package/src/core/checks/checks/ensure_resource_availability.ts +0 -62
- package/src/core/checks/checks/idempotency_replay.ts +0 -242
- package/src/core/checks/checks/ignored_auth.ts +0 -254
- package/src/core/checks/checks/index.ts +0 -68
- package/src/core/checks/checks/lifecycle_transitions.ts +0 -416
- package/src/core/checks/checks/missing_required_header.ts +0 -40
- package/src/core/checks/checks/negative_data_rejection.ts +0 -148
- package/src/core/checks/checks/not_a_server_error.ts +0 -35
- package/src/core/checks/checks/open_cors_on_sensitive.ts +0 -160
- package/src/core/checks/checks/pagination_invariants.ts +0 -419
- package/src/core/checks/checks/positive_data_acceptance.ts +0 -33
- package/src/core/checks/checks/rate_limit_headers_absent.ts +0 -77
- package/src/core/checks/checks/response_headers_conformance.ts +0 -74
- package/src/core/checks/checks/response_schema_conformance.ts +0 -30
- package/src/core/checks/checks/status_code_conformance.ts +0 -132
- package/src/core/checks/checks/unsupported_method.ts +0 -63
- package/src/core/checks/checks/use_after_free.ts +0 -78
- package/src/core/checks/index.ts +0 -30
- package/src/core/checks/mode.ts +0 -82
- package/src/core/checks/recommended-action.ts +0 -68
- package/src/core/checks/registry.ts +0 -78
- package/src/core/checks/runner.ts +0 -1461
- package/src/core/checks/sarif.ts +0 -230
- package/src/core/checks/spec-findings.ts +0 -308
- package/src/core/checks/stateful.ts +0 -121
- package/src/core/checks/types.ts +0 -305
- package/src/core/checks/zond-extensions.ts +0 -73
- package/src/core/classifier/recommended-action.ts +0 -251
- package/src/core/context/current.ts +0 -51
- package/src/core/context/session.ts +0 -78
- package/src/core/coverage/loader.ts +0 -216
- package/src/core/coverage/reasons.ts +0 -300
- package/src/core/diagnostics/db-analysis.ts +0 -666
- package/src/core/diagnostics/failure-class.ts +0 -140
- package/src/core/diagnostics/failure-hints.ts +0 -112
- package/src/core/diagnostics/spec-pointer.ts +0 -99
- package/src/core/diagnostics/suggested-fixes.ts +0 -155
- package/src/core/exporter/case-study/index.ts +0 -270
- package/src/core/exporter/curl.ts +0 -40
- package/src/core/exporter/exporter.ts +0 -48
- package/src/core/exporter/html-report/escape.ts +0 -24
- package/src/core/exporter/html-report/index.ts +0 -479
- package/src/core/exporter/html-report/script.ts +0 -100
- package/src/core/exporter/html-report/styles.ts +0 -408
- package/src/core/generator/catalog-builder.ts +0 -179
- package/src/core/generator/chunker.ts +0 -78
- package/src/core/generator/coverage-phase.ts +0 -0
- package/src/core/generator/coverage-scanner.ts +0 -87
- package/src/core/generator/data-factory.ts +0 -759
- package/src/core/generator/describe.ts +0 -302
- package/src/core/generator/endpoint-warnings.ts +0 -52
- package/src/core/generator/fixtures-builder.ts +0 -332
- package/src/core/generator/index.ts +0 -14
- package/src/core/generator/openapi-reader.ts +0 -297
- package/src/core/generator/path-param-disambig.ts +0 -140
- package/src/core/generator/resources-builder.ts +0 -898
- package/src/core/generator/schema-utils.ts +0 -112
- package/src/core/generator/serializer.ts +0 -343
- package/src/core/generator/suite-generator.ts +0 -1301
- package/src/core/generator/types.ts +0 -63
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/lint/affects.ts +0 -28
- package/src/core/lint/config.ts +0 -96
- package/src/core/lint/format.ts +0 -42
- package/src/core/lint/index.ts +0 -94
- package/src/core/lint/reporter.ts +0 -128
- package/src/core/lint/rules/consistency.ts +0 -158
- package/src/core/lint/rules/heuristics.ts +0 -97
- package/src/core/lint/rules/strictness.ts +0 -109
- package/src/core/lint/types.ts +0 -96
- package/src/core/lint/walker.ts +0 -248
- package/src/core/meta/meta-store.ts +0 -11
- package/src/core/output/README.md +0 -73
- package/src/core/output/index.ts +0 -13
- package/src/core/output/run.ts +0 -91
- package/src/core/output/types.ts +0 -122
- package/src/core/parser/dynamic-values.ts +0 -160
- package/src/core/parser/env-interpolation.ts +0 -104
- package/src/core/parser/filter.ts +0 -97
- package/src/core/parser/schema.ts +0 -359
- package/src/core/parser/types.ts +0 -117
- package/src/core/parser/variables.ts +0 -0
- package/src/core/parser/yaml-parser.ts +0 -181
- package/src/core/probe/bootstrap.ts +0 -34
- package/src/core/probe/dry-run-envelope.ts +0 -61
- package/src/core/probe/mass-assignment/classify.ts +0 -175
- package/src/core/probe/mass-assignment/cleanup.ts +0 -52
- package/src/core/probe/mass-assignment/digest.ts +0 -114
- package/src/core/probe/mass-assignment/orchestrator.ts +0 -459
- package/src/core/probe/mass-assignment/regression.ts +0 -141
- package/src/core/probe/mass-assignment/suspects.ts +0 -92
- package/src/core/probe/mass-assignment/types.ts +0 -135
- package/src/core/probe/mass-assignment-probe-class.ts +0 -198
- package/src/core/probe/mass-assignment-probe.ts +0 -27
- package/src/core/probe/mass-assignment-template.ts +0 -240
- package/src/core/probe/method-probe.ts +0 -164
- package/src/core/probe/method-shared.ts +0 -69
- package/src/core/probe/negative-probe.ts +0 -691
- package/src/core/probe/orphan-tracker.ts +0 -188
- package/src/core/probe/path-discovery.ts +0 -439
- package/src/core/probe/probe-harness.ts +0 -119
- package/src/core/probe/registry.ts +0 -89
- package/src/core/probe/runner.ts +0 -136
- package/src/core/probe/security/baseline.ts +0 -174
- package/src/core/probe/security/classify.ts +0 -341
- package/src/core/probe/security/cleanup.ts +0 -125
- package/src/core/probe/security/detectors.ts +0 -71
- package/src/core/probe/security/digest.ts +0 -104
- package/src/core/probe/security/orchestrator.ts +0 -398
- package/src/core/probe/security/regression.ts +0 -103
- package/src/core/probe/security/types.ts +0 -151
- package/src/core/probe/security-probe-class.ts +0 -207
- package/src/core/probe/security-probe.ts +0 -32
- package/src/core/probe/shared.ts +0 -531
- package/src/core/probe/static-probe-class.ts +0 -125
- package/src/core/probe/types.ts +0 -165
- package/src/core/probe/verdict-aggregator.ts +0 -33
- package/src/core/probe/webhooks-probe.ts +0 -282
- package/src/core/reporter/console.ts +0 -240
- package/src/core/reporter/index.ts +0 -22
- package/src/core/reporter/json.ts +0 -22
- package/src/core/reporter/junit.ts +0 -93
- package/src/core/reporter/ndjson.ts +0 -37
- package/src/core/reporter/types.ts +0 -15
- package/src/core/runner/assertions.ts +0 -383
- package/src/core/runner/async-pool.ts +0 -108
- package/src/core/runner/auth-path.ts +0 -8
- package/src/core/runner/ci-context.ts +0 -72
- package/src/core/runner/executor.ts +0 -652
- package/src/core/runner/expr-eval.ts +0 -41
- package/src/core/runner/form-encode.ts +0 -41
- package/src/core/runner/http-client.ts +0 -224
- package/src/core/runner/learn-drift.ts +0 -293
- package/src/core/runner/preflight-vars.ts +0 -153
- package/src/core/runner/progress-tracker.ts +0 -73
- package/src/core/runner/rate-limiter.ts +0 -185
- package/src/core/runner/run-kind.ts +0 -45
- package/src/core/runner/schema-validator.ts +0 -308
- package/src/core/runner/send-request.ts +0 -232
- package/src/core/runner/transforms.ts +0 -65
- package/src/core/runner/types.ts +0 -94
- package/src/core/secrets/registry.ts +0 -164
- package/src/core/secrets/secrets-file.ts +0 -115
- package/src/core/selectors/operation-filter.ts +0 -144
- package/src/core/setup-api.ts +0 -590
- package/src/core/severity/category.ts +0 -94
- package/src/core/severity/index.ts +0 -58
- package/src/core/spec/infer-schema.ts +0 -102
- package/src/core/spec/layers.ts +0 -154
- package/src/core/spec/merge-specs.ts +0 -156
- package/src/core/spec/schema-from-runs.ts +0 -117
- package/src/core/spec/schema-overlay.ts +0 -130
- package/src/core/util/ajv.ts +0 -13
- package/src/core/util/format-eta.ts +0 -21
- package/src/core/util/headers.ts +0 -9
- package/src/core/util/url.ts +0 -24
- package/src/core/utils.ts +0 -13
- package/src/core/workspace/config.ts +0 -129
- package/src/core/workspace/fixture-gap-report.ts +0 -84
- package/src/core/workspace/fixture-gaps.ts +0 -71
- package/src/core/workspace/manifest.ts +0 -283
- package/src/core/workspace/output-rotation.ts +0 -62
- package/src/core/workspace/root.ts +0 -96
- package/src/core/workspace/triage-path.ts +0 -87
- package/src/db/lint-runs.ts +0 -47
- package/src/db/migrate.ts +0 -128
- package/src/db/migrations/0001_run_kind.sql +0 -25
- package/src/db/migrations/0002_run_kind_request.sql +0 -59
- package/src/db/migrations/sql.d.ts +0 -4
- package/src/db/queries/collections.ts +0 -133
- package/src/db/queries/coverage.ts +0 -9
- package/src/db/queries/dashboard.ts +0 -59
- package/src/db/queries/results.ts +0 -216
- package/src/db/queries/runs.ts +0 -289
- package/src/db/queries/sessions.ts +0 -42
- package/src/db/queries/settings.ts +0 -28
- package/src/db/queries/types.ts +0 -172
- package/src/db/queries.ts +0 -75
- package/src/db/schema.ts +0 -298
|
@@ -1,164 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* HTTP method completeness probe (T48).
|
|
3
|
-
*
|
|
4
|
-
* Goal: catch the class of bugs where an API responds to *unsupported* HTTP
|
|
5
|
-
* methods with anything other than 405 / 404. A 500 here means an unhandled
|
|
6
|
-
* exception in the routing layer; a 200/201 means a forgotten or shadowed
|
|
7
|
-
* route; both are bug candidates.
|
|
8
|
-
*
|
|
9
|
-
* For every path declared in the spec, we look at which of {GET, POST, PUT,
|
|
10
|
-
* PATCH, DELETE} are *not* declared and emit one probe step per missing
|
|
11
|
-
* method. Each probe expects status in [404, 405, 401, 403] — anything else
|
|
12
|
-
* (notably 5xx, 200, 201) is a regular test failure surfaced via the
|
|
13
|
-
* existing runner / reporter / `zond db diagnose` flow.
|
|
14
|
-
*
|
|
15
|
-
* The probes are deterministic — same spec → same suites — so the generated
|
|
16
|
-
* YAML can be committed as a regression test.
|
|
17
|
-
*/
|
|
18
|
-
import type { OpenAPIV3 } from "openapi-types";
|
|
19
|
-
import type { EndpointInfo, SecuritySchemeInfo } from "../generator/types.ts";
|
|
20
|
-
import type { RawSuite, RawStep } from "../generator/serializer.ts";
|
|
21
|
-
import { pathWithByAliases, getAuthHeaders } from "./shared.ts";
|
|
22
|
-
import {
|
|
23
|
-
ALL_METHODS,
|
|
24
|
-
ACCEPTABLE_UNSUPPORTED_STATUSES,
|
|
25
|
-
bucketEndpointsByPath,
|
|
26
|
-
pathWithMethodPlaceholders,
|
|
27
|
-
type Method,
|
|
28
|
-
} from "./method-shared.ts";
|
|
29
|
-
|
|
30
|
-
// 405-or-equivalent statuses for an *undeclared* method probe. ARV-2
|
|
31
|
-
// (m-15) extracted this list to method-shared.ts so the live
|
|
32
|
-
// `unsupported_method` check stays in lock-step with the offline probe.
|
|
33
|
-
const ACCEPTABLE_STATUSES = [...ACCEPTABLE_UNSUPPORTED_STATUSES];
|
|
34
|
-
|
|
35
|
-
// ──────────────────────────────────────────────
|
|
36
|
-
// Types
|
|
37
|
-
// ──────────────────────────────────────────────
|
|
38
|
-
|
|
39
|
-
export interface MethodProbeOptions {
|
|
40
|
-
endpoints: EndpointInfo[];
|
|
41
|
-
securitySchemes: SecuritySchemeInfo[];
|
|
42
|
-
}
|
|
43
|
-
|
|
44
|
-
export interface MethodProbeResult {
|
|
45
|
-
suites: RawSuite[];
|
|
46
|
-
/** Number of distinct paths probed. */
|
|
47
|
-
probedPaths: number;
|
|
48
|
-
/** Paths skipped because every method in {GET,POST,PUT,PATCH,DELETE} is declared. */
|
|
49
|
-
skippedPaths: number;
|
|
50
|
-
/** Total generated probe steps. */
|
|
51
|
-
totalProbes: number;
|
|
52
|
-
}
|
|
53
|
-
|
|
54
|
-
// ──────────────────────────────────────────────
|
|
55
|
-
// Helpers
|
|
56
|
-
// ──────────────────────────────────────────────
|
|
57
|
-
|
|
58
|
-
function convertPath(path: string): string {
|
|
59
|
-
return path.replace(/\{([^}]+)\}/g, "{{$1}}");
|
|
60
|
-
}
|
|
61
|
-
|
|
62
|
-
function slugify(s: string): string {
|
|
63
|
-
return s
|
|
64
|
-
.toLowerCase()
|
|
65
|
-
.replace(/[^a-z0-9]+/g, "-")
|
|
66
|
-
.replace(/^-|-$/g, "");
|
|
67
|
-
}
|
|
68
|
-
|
|
69
|
-
function pathStem(path: string): string {
|
|
70
|
-
// TASK-159 (m-9 P3): preserve placeholder name (`by-org`, `by-proj`)
|
|
71
|
-
// instead of collapsing every `{x}` to a generic `by-id`.
|
|
72
|
-
const cleaned = pathWithByAliases(path)
|
|
73
|
-
.replace(/^\//, "")
|
|
74
|
-
.replace(/\//g, "-");
|
|
75
|
-
return slugify(cleaned) || "root";
|
|
76
|
-
}
|
|
77
|
-
|
|
78
|
-
// pathWithPlaceholders + bucketByPath moved to ./method-shared.ts for
|
|
79
|
-
// reuse by the live `unsupported_method` check (m-15 ARV-2).
|
|
80
|
-
const pathWithPlaceholders = pathWithMethodPlaceholders;
|
|
81
|
-
const bucketByPath = (endpoints: EndpointInfo[]): Array<{
|
|
82
|
-
path: string;
|
|
83
|
-
declared: Set<string>;
|
|
84
|
-
sample: EndpointInfo;
|
|
85
|
-
}> => Array.from(bucketEndpointsByPath(endpoints).values());
|
|
86
|
-
|
|
87
|
-
// ──────────────────────────────────────────────
|
|
88
|
-
// Public API
|
|
89
|
-
// ──────────────────────────────────────────────
|
|
90
|
-
|
|
91
|
-
export function generateMethodProbes(opts: MethodProbeOptions): MethodProbeResult {
|
|
92
|
-
const { endpoints, securitySchemes } = opts;
|
|
93
|
-
const methodSet: readonly Method[] = ALL_METHODS;
|
|
94
|
-
|
|
95
|
-
const buckets = bucketByPath(endpoints);
|
|
96
|
-
const suites: RawSuite[] = [];
|
|
97
|
-
let probedPaths = 0;
|
|
98
|
-
let skippedPaths = 0;
|
|
99
|
-
let totalProbes = 0;
|
|
100
|
-
|
|
101
|
-
for (const bucket of buckets) {
|
|
102
|
-
const missing = methodSet.filter((m) => !bucket.declared.has(m));
|
|
103
|
-
if (missing.length === 0) {
|
|
104
|
-
skippedPaths++;
|
|
105
|
-
continue;
|
|
106
|
-
}
|
|
107
|
-
|
|
108
|
-
const concretePath = pathWithPlaceholders(
|
|
109
|
-
bucket.path,
|
|
110
|
-
bucket.sample.parameters,
|
|
111
|
-
);
|
|
112
|
-
const headers = getAuthHeaders(bucket.sample, securitySchemes);
|
|
113
|
-
|
|
114
|
-
const steps: RawStep[] = missing.map((method) => {
|
|
115
|
-
// ARV-179: OPTIONS on an undeclared path is legitimately handled
|
|
116
|
-
// by most stacks (CORS preflight, 200/204 with Allow header). Let
|
|
117
|
-
// the probe accept 2xx for OPTIONS only; everything else keeps
|
|
118
|
-
// the strict "no 2xx, no 5xx" expectation.
|
|
119
|
-
const acceptable = method === "OPTIONS"
|
|
120
|
-
? [200, 204, ...ACCEPTABLE_STATUSES]
|
|
121
|
-
: ACCEPTABLE_STATUSES;
|
|
122
|
-
const expectLabel = method === "OPTIONS"
|
|
123
|
-
? `${method} ${bucket.path} — undeclared method must not 5xx (OPTIONS may legitimately succeed)`
|
|
124
|
-
: `${method} ${bucket.path} — undeclared method must reject (no 5xx, no 2xx)`;
|
|
125
|
-
const step: RawStep = {
|
|
126
|
-
name: expectLabel,
|
|
127
|
-
source: {
|
|
128
|
-
generator: "method-probe",
|
|
129
|
-
endpoint: `${method} ${bucket.path}`,
|
|
130
|
-
response_branch: acceptable.map(String).join("|"),
|
|
131
|
-
},
|
|
132
|
-
[method]: convertPath(concretePath),
|
|
133
|
-
expect: { status: acceptable },
|
|
134
|
-
};
|
|
135
|
-
// Body-bearing methods on an undeclared route — send a minimal valid
|
|
136
|
-
// JSON object to provoke any body-parsing path while the router is
|
|
137
|
-
// still expected to reject the method first.
|
|
138
|
-
if (method === "POST" || method === "PUT" || method === "PATCH") {
|
|
139
|
-
(step as any).json = {};
|
|
140
|
-
}
|
|
141
|
-
return step;
|
|
142
|
-
});
|
|
143
|
-
|
|
144
|
-
probedPaths++;
|
|
145
|
-
totalProbes += steps.length;
|
|
146
|
-
|
|
147
|
-
const stem = pathStem(bucket.path);
|
|
148
|
-
suites.push({
|
|
149
|
-
name: `probe methods ${bucket.path}`,
|
|
150
|
-
tags: ["probe-methods", "negative-method", "no-5xx", "smoke"],
|
|
151
|
-
source: {
|
|
152
|
-
type: "probe-suite",
|
|
153
|
-
generator: "method-probe",
|
|
154
|
-
endpoint: bucket.path,
|
|
155
|
-
},
|
|
156
|
-
fileStem: `probe-methods-${stem}`,
|
|
157
|
-
base_url: "{{base_url}}",
|
|
158
|
-
...(headers ? { headers } : {}),
|
|
159
|
-
tests: steps,
|
|
160
|
-
});
|
|
161
|
-
}
|
|
162
|
-
|
|
163
|
-
return { suites, probedPaths, skippedPaths, totalProbes };
|
|
164
|
-
}
|
|
@@ -1,69 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Shared bits between the offline `method-probe` (which emits YAML
|
|
3
|
-
* suites) and the live `unsupported_method` check from `core/checks`
|
|
4
|
-
* (m-15 ARV-2). Both ask the same question — "which HTTP methods aren't
|
|
5
|
-
* declared on this path?" — so the constants and helpers live here so
|
|
6
|
-
* the two stay in lock-step (ARV-2 AC #4).
|
|
7
|
-
*/
|
|
8
|
-
import type { OpenAPIV3 } from "openapi-types";
|
|
9
|
-
import type { EndpointInfo } from "../generator/types.ts";
|
|
10
|
-
|
|
11
|
-
/** ARV-179: full HTTP method complement used for `unsupported_method`
|
|
12
|
-
* enumeration. Matches schemathesis V4 `DEFAULT_UNEXPECTED_METHODS`
|
|
13
|
-
* minus the WebDAV-style `query` (not a REST norm) and `CONNECT`
|
|
14
|
-
* (irrelevant to API routing). `HEAD` is intentionally excluded
|
|
15
|
-
* because most stacks auto-derive it from `GET`, so a 2xx response is
|
|
16
|
-
* expected behaviour rather than a leak. */
|
|
17
|
-
export const ALL_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE"] as const;
|
|
18
|
-
export type Method = (typeof ALL_METHODS)[number];
|
|
19
|
-
|
|
20
|
-
/** Statuses we accept for an *undeclared* method on a path. 405 is
|
|
21
|
-
* canonical, 404 is a common fallback (path not registered for that
|
|
22
|
-
* method), 401/403 are acceptable when auth is checked before routing. */
|
|
23
|
-
export const ACCEPTABLE_UNSUPPORTED_STATUSES = [401, 403, 404, 405] as const;
|
|
24
|
-
|
|
25
|
-
/** ARV-179: OPTIONS is special — it's legitimately implemented by most
|
|
26
|
-
* stacks for CORS preflight and may legitimately return 2xx with
|
|
27
|
-
* `Allow`/`Access-Control-*` headers. A 2xx OPTIONS on an undeclared
|
|
28
|
-
* path is the spec-compliant outcome, not a finding. Use this helper
|
|
29
|
-
* in both the offline probe and the live check to keep the policy in
|
|
30
|
-
* one place. */
|
|
31
|
-
export function isPermissibleOptionsResponse(method: string, status: number): boolean {
|
|
32
|
-
return method.toUpperCase() === "OPTIONS" && status >= 200 && status < 300;
|
|
33
|
-
}
|
|
34
|
-
|
|
35
|
-
/**
|
|
36
|
-
* Replace `{name}` segments with valid-shape placeholders so the
|
|
37
|
-
* request can reach the routing layer without being rejected purely on
|
|
38
|
-
* path syntax. Used by both the offline probe and the live check.
|
|
39
|
-
*/
|
|
40
|
-
export function pathWithMethodPlaceholders(
|
|
41
|
-
path: string,
|
|
42
|
-
parameters: OpenAPIV3.ParameterObject[],
|
|
43
|
-
): string {
|
|
44
|
-
return path.replace(/\{([^}]+)\}/g, (_, name: string) => {
|
|
45
|
-
const param = parameters.find((p) => p.name === name && p.in === "path");
|
|
46
|
-
const schema = param?.schema as OpenAPIV3.SchemaObject | undefined;
|
|
47
|
-
if (schema?.format === "uuid") return "00000000-0000-0000-0000-000000000000";
|
|
48
|
-
if (schema?.type === "integer" || schema?.type === "number") return "999999999";
|
|
49
|
-
return "nonexistent-zzzzz";
|
|
50
|
-
});
|
|
51
|
-
}
|
|
52
|
-
|
|
53
|
-
export function bucketEndpointsByPath(endpoints: EndpointInfo[]): Map<string, {
|
|
54
|
-
path: string;
|
|
55
|
-
declared: Set<string>;
|
|
56
|
-
sample: EndpointInfo;
|
|
57
|
-
}> {
|
|
58
|
-
const map = new Map<string, { path: string; declared: Set<string>; sample: EndpointInfo }>();
|
|
59
|
-
for (const ep of endpoints) {
|
|
60
|
-
if (ep.deprecated) continue;
|
|
61
|
-
let bucket = map.get(ep.path);
|
|
62
|
-
if (!bucket) {
|
|
63
|
-
bucket = { path: ep.path, declared: new Set(), sample: ep };
|
|
64
|
-
map.set(ep.path, bucket);
|
|
65
|
-
}
|
|
66
|
-
bucket.declared.add(ep.method.toUpperCase());
|
|
67
|
-
}
|
|
68
|
-
return map;
|
|
69
|
-
}
|