@kirrosh/zond 0.26.1 → 0.27.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (261) hide show
  1. package/CHANGELOG.md +65 -0
  2. package/README.md +39 -22
  3. package/bin/zond.mjs +23 -0
  4. package/package.json +36 -23
  5. package/scripts/npm/postinstall.mjs +76 -0
  6. package/src/CLAUDE.md +0 -112
  7. package/src/bun-types.d.ts +0 -5
  8. package/src/cli/argv.ts +0 -122
  9. package/src/cli/commands/add-api.ts +0 -146
  10. package/src/cli/commands/api/annotate/idempotency.ts +0 -59
  11. package/src/cli/commands/api/annotate/index.ts +0 -880
  12. package/src/cli/commands/api/annotate/lifecycle.ts +0 -74
  13. package/src/cli/commands/api/annotate/overlay.ts +0 -206
  14. package/src/cli/commands/api/annotate/pagination.ts +0 -64
  15. package/src/cli/commands/api/annotate/prompts.ts +0 -220
  16. package/src/cli/commands/api/annotate/readback.ts +0 -58
  17. package/src/cli/commands/api/annotate/resources.ts +0 -91
  18. package/src/cli/commands/api/annotate/seed-bodies.ts +0 -61
  19. package/src/cli/commands/audit.ts +0 -786
  20. package/src/cli/commands/catalog.ts +0 -97
  21. package/src/cli/commands/check.ts +0 -361
  22. package/src/cli/commands/checks.ts +0 -1072
  23. package/src/cli/commands/ci-init.ts +0 -223
  24. package/src/cli/commands/clean.ts +0 -212
  25. package/src/cli/commands/cleanup.ts +0 -236
  26. package/src/cli/commands/completions.ts +0 -192
  27. package/src/cli/commands/coverage.ts +0 -872
  28. package/src/cli/commands/db.ts +0 -611
  29. package/src/cli/commands/describe.ts +0 -120
  30. package/src/cli/commands/discover.ts +0 -1356
  31. package/src/cli/commands/doctor.ts +0 -661
  32. package/src/cli/commands/fixtures.ts +0 -402
  33. package/src/cli/commands/generate.ts +0 -577
  34. package/src/cli/commands/init/agents-md.ts +0 -61
  35. package/src/cli/commands/init/bootstrap.ts +0 -111
  36. package/src/cli/commands/init/index.ts +0 -244
  37. package/src/cli/commands/init/skills.ts +0 -141
  38. package/src/cli/commands/init/templates/agents.md +0 -86
  39. package/src/cli/commands/init/templates/markdown.d.ts +0 -4
  40. package/src/cli/commands/init/templates/skills/warm-up-target.md +0 -122
  41. package/src/cli/commands/init/templates/skills/zond-checks.md +0 -621
  42. package/src/cli/commands/init/templates/skills/zond-seed.md +0 -114
  43. package/src/cli/commands/init/templates/skills/zond-triage.md +0 -272
  44. package/src/cli/commands/init/templates/skills/zond.md +0 -861
  45. package/src/cli/commands/init/templates/zond-config.yml +0 -14
  46. package/src/cli/commands/prepare-fixtures.ts +0 -97
  47. package/src/cli/commands/probe/_seed-bodies.ts +0 -52
  48. package/src/cli/commands/probe/mass-assignment.ts +0 -594
  49. package/src/cli/commands/probe/security.ts +0 -537
  50. package/src/cli/commands/probe/static.ts +0 -255
  51. package/src/cli/commands/probe/webhooks.ts +0 -163
  52. package/src/cli/commands/probe.ts +0 -535
  53. package/src/cli/commands/reference.ts +0 -87
  54. package/src/cli/commands/refresh-api.ts +0 -227
  55. package/src/cli/commands/remove-api.ts +0 -150
  56. package/src/cli/commands/report-bundle.ts +0 -310
  57. package/src/cli/commands/report.ts +0 -241
  58. package/src/cli/commands/request.ts +0 -548
  59. package/src/cli/commands/run.ts +0 -1162
  60. package/src/cli/commands/schema-from-runs.ts +0 -128
  61. package/src/cli/commands/secrets.ts +0 -133
  62. package/src/cli/commands/session.ts +0 -244
  63. package/src/cli/commands/use.ts +0 -74
  64. package/src/cli/index.ts +0 -55
  65. package/src/cli/json-envelope.ts +0 -108
  66. package/src/cli/json-schemas.ts +0 -314
  67. package/src/cli/output.ts +0 -40
  68. package/src/cli/program.ts +0 -219
  69. package/src/cli/resolve.ts +0 -105
  70. package/src/cli/runtime.ts +0 -7
  71. package/src/cli/safe-live.ts +0 -24
  72. package/src/cli/status-filter.ts +0 -114
  73. package/src/cli/util/api-context.ts +0 -85
  74. package/src/cli/version.ts +0 -8
  75. package/src/core/audit/persist.ts +0 -183
  76. package/src/core/checks/budget.ts +0 -59
  77. package/src/core/checks/checks/_crud-helpers.ts +0 -133
  78. package/src/core/checks/checks/_negative_mutator.ts +0 -133
  79. package/src/core/checks/checks/_readback-helpers.ts +0 -133
  80. package/src/core/checks/checks/content_type_conformance.ts +0 -39
  81. package/src/core/checks/checks/cross_call_references.ts +0 -147
  82. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +0 -219
  83. package/src/core/checks/checks/ensure_resource_availability.ts +0 -62
  84. package/src/core/checks/checks/idempotency_replay.ts +0 -242
  85. package/src/core/checks/checks/ignored_auth.ts +0 -254
  86. package/src/core/checks/checks/index.ts +0 -68
  87. package/src/core/checks/checks/lifecycle_transitions.ts +0 -416
  88. package/src/core/checks/checks/missing_required_header.ts +0 -40
  89. package/src/core/checks/checks/negative_data_rejection.ts +0 -148
  90. package/src/core/checks/checks/not_a_server_error.ts +0 -35
  91. package/src/core/checks/checks/open_cors_on_sensitive.ts +0 -160
  92. package/src/core/checks/checks/pagination_invariants.ts +0 -419
  93. package/src/core/checks/checks/positive_data_acceptance.ts +0 -33
  94. package/src/core/checks/checks/rate_limit_headers_absent.ts +0 -77
  95. package/src/core/checks/checks/response_headers_conformance.ts +0 -74
  96. package/src/core/checks/checks/response_schema_conformance.ts +0 -30
  97. package/src/core/checks/checks/status_code_conformance.ts +0 -132
  98. package/src/core/checks/checks/unsupported_method.ts +0 -63
  99. package/src/core/checks/checks/use_after_free.ts +0 -78
  100. package/src/core/checks/index.ts +0 -30
  101. package/src/core/checks/mode.ts +0 -82
  102. package/src/core/checks/recommended-action.ts +0 -68
  103. package/src/core/checks/registry.ts +0 -78
  104. package/src/core/checks/runner.ts +0 -1461
  105. package/src/core/checks/sarif.ts +0 -230
  106. package/src/core/checks/spec-findings.ts +0 -308
  107. package/src/core/checks/stateful.ts +0 -121
  108. package/src/core/checks/types.ts +0 -305
  109. package/src/core/checks/zond-extensions.ts +0 -73
  110. package/src/core/classifier/recommended-action.ts +0 -251
  111. package/src/core/context/current.ts +0 -51
  112. package/src/core/context/session.ts +0 -78
  113. package/src/core/coverage/loader.ts +0 -216
  114. package/src/core/coverage/reasons.ts +0 -300
  115. package/src/core/diagnostics/db-analysis.ts +0 -666
  116. package/src/core/diagnostics/failure-class.ts +0 -140
  117. package/src/core/diagnostics/failure-hints.ts +0 -112
  118. package/src/core/diagnostics/spec-pointer.ts +0 -99
  119. package/src/core/diagnostics/suggested-fixes.ts +0 -155
  120. package/src/core/exporter/case-study/index.ts +0 -270
  121. package/src/core/exporter/curl.ts +0 -40
  122. package/src/core/exporter/exporter.ts +0 -48
  123. package/src/core/exporter/html-report/escape.ts +0 -24
  124. package/src/core/exporter/html-report/index.ts +0 -479
  125. package/src/core/exporter/html-report/script.ts +0 -100
  126. package/src/core/exporter/html-report/styles.ts +0 -408
  127. package/src/core/generator/catalog-builder.ts +0 -179
  128. package/src/core/generator/chunker.ts +0 -78
  129. package/src/core/generator/coverage-phase.ts +0 -0
  130. package/src/core/generator/coverage-scanner.ts +0 -87
  131. package/src/core/generator/data-factory.ts +0 -759
  132. package/src/core/generator/describe.ts +0 -302
  133. package/src/core/generator/endpoint-warnings.ts +0 -52
  134. package/src/core/generator/fixtures-builder.ts +0 -332
  135. package/src/core/generator/index.ts +0 -14
  136. package/src/core/generator/openapi-reader.ts +0 -297
  137. package/src/core/generator/path-param-disambig.ts +0 -140
  138. package/src/core/generator/resources-builder.ts +0 -898
  139. package/src/core/generator/schema-utils.ts +0 -112
  140. package/src/core/generator/serializer.ts +0 -343
  141. package/src/core/generator/suite-generator.ts +0 -1301
  142. package/src/core/generator/types.ts +0 -63
  143. package/src/core/identity/identity-file.ts +0 -0
  144. package/src/core/lint/affects.ts +0 -28
  145. package/src/core/lint/config.ts +0 -96
  146. package/src/core/lint/format.ts +0 -42
  147. package/src/core/lint/index.ts +0 -94
  148. package/src/core/lint/reporter.ts +0 -128
  149. package/src/core/lint/rules/consistency.ts +0 -158
  150. package/src/core/lint/rules/heuristics.ts +0 -97
  151. package/src/core/lint/rules/strictness.ts +0 -109
  152. package/src/core/lint/types.ts +0 -96
  153. package/src/core/lint/walker.ts +0 -248
  154. package/src/core/meta/meta-store.ts +0 -11
  155. package/src/core/output/README.md +0 -73
  156. package/src/core/output/index.ts +0 -13
  157. package/src/core/output/run.ts +0 -91
  158. package/src/core/output/types.ts +0 -122
  159. package/src/core/parser/dynamic-values.ts +0 -160
  160. package/src/core/parser/env-interpolation.ts +0 -104
  161. package/src/core/parser/filter.ts +0 -97
  162. package/src/core/parser/schema.ts +0 -359
  163. package/src/core/parser/types.ts +0 -117
  164. package/src/core/parser/variables.ts +0 -0
  165. package/src/core/parser/yaml-parser.ts +0 -181
  166. package/src/core/probe/bootstrap.ts +0 -34
  167. package/src/core/probe/dry-run-envelope.ts +0 -61
  168. package/src/core/probe/mass-assignment/classify.ts +0 -175
  169. package/src/core/probe/mass-assignment/cleanup.ts +0 -52
  170. package/src/core/probe/mass-assignment/digest.ts +0 -114
  171. package/src/core/probe/mass-assignment/orchestrator.ts +0 -459
  172. package/src/core/probe/mass-assignment/regression.ts +0 -141
  173. package/src/core/probe/mass-assignment/suspects.ts +0 -92
  174. package/src/core/probe/mass-assignment/types.ts +0 -135
  175. package/src/core/probe/mass-assignment-probe-class.ts +0 -198
  176. package/src/core/probe/mass-assignment-probe.ts +0 -27
  177. package/src/core/probe/mass-assignment-template.ts +0 -240
  178. package/src/core/probe/method-probe.ts +0 -164
  179. package/src/core/probe/method-shared.ts +0 -69
  180. package/src/core/probe/negative-probe.ts +0 -691
  181. package/src/core/probe/orphan-tracker.ts +0 -188
  182. package/src/core/probe/path-discovery.ts +0 -439
  183. package/src/core/probe/probe-harness.ts +0 -119
  184. package/src/core/probe/registry.ts +0 -89
  185. package/src/core/probe/runner.ts +0 -136
  186. package/src/core/probe/security/baseline.ts +0 -174
  187. package/src/core/probe/security/classify.ts +0 -341
  188. package/src/core/probe/security/cleanup.ts +0 -125
  189. package/src/core/probe/security/detectors.ts +0 -71
  190. package/src/core/probe/security/digest.ts +0 -104
  191. package/src/core/probe/security/orchestrator.ts +0 -398
  192. package/src/core/probe/security/regression.ts +0 -103
  193. package/src/core/probe/security/types.ts +0 -151
  194. package/src/core/probe/security-probe-class.ts +0 -207
  195. package/src/core/probe/security-probe.ts +0 -32
  196. package/src/core/probe/shared.ts +0 -531
  197. package/src/core/probe/static-probe-class.ts +0 -125
  198. package/src/core/probe/types.ts +0 -165
  199. package/src/core/probe/verdict-aggregator.ts +0 -33
  200. package/src/core/probe/webhooks-probe.ts +0 -282
  201. package/src/core/reporter/console.ts +0 -240
  202. package/src/core/reporter/index.ts +0 -22
  203. package/src/core/reporter/json.ts +0 -22
  204. package/src/core/reporter/junit.ts +0 -93
  205. package/src/core/reporter/ndjson.ts +0 -37
  206. package/src/core/reporter/types.ts +0 -15
  207. package/src/core/runner/assertions.ts +0 -383
  208. package/src/core/runner/async-pool.ts +0 -108
  209. package/src/core/runner/auth-path.ts +0 -8
  210. package/src/core/runner/ci-context.ts +0 -72
  211. package/src/core/runner/executor.ts +0 -652
  212. package/src/core/runner/expr-eval.ts +0 -41
  213. package/src/core/runner/form-encode.ts +0 -41
  214. package/src/core/runner/http-client.ts +0 -224
  215. package/src/core/runner/learn-drift.ts +0 -293
  216. package/src/core/runner/preflight-vars.ts +0 -153
  217. package/src/core/runner/progress-tracker.ts +0 -73
  218. package/src/core/runner/rate-limiter.ts +0 -185
  219. package/src/core/runner/run-kind.ts +0 -45
  220. package/src/core/runner/schema-validator.ts +0 -308
  221. package/src/core/runner/send-request.ts +0 -232
  222. package/src/core/runner/transforms.ts +0 -65
  223. package/src/core/runner/types.ts +0 -94
  224. package/src/core/secrets/registry.ts +0 -164
  225. package/src/core/secrets/secrets-file.ts +0 -115
  226. package/src/core/selectors/operation-filter.ts +0 -144
  227. package/src/core/setup-api.ts +0 -590
  228. package/src/core/severity/category.ts +0 -94
  229. package/src/core/severity/index.ts +0 -58
  230. package/src/core/spec/infer-schema.ts +0 -102
  231. package/src/core/spec/layers.ts +0 -154
  232. package/src/core/spec/merge-specs.ts +0 -156
  233. package/src/core/spec/schema-from-runs.ts +0 -117
  234. package/src/core/spec/schema-overlay.ts +0 -130
  235. package/src/core/util/ajv.ts +0 -13
  236. package/src/core/util/format-eta.ts +0 -21
  237. package/src/core/util/headers.ts +0 -9
  238. package/src/core/util/url.ts +0 -24
  239. package/src/core/utils.ts +0 -13
  240. package/src/core/workspace/config.ts +0 -129
  241. package/src/core/workspace/fixture-gap-report.ts +0 -84
  242. package/src/core/workspace/fixture-gaps.ts +0 -71
  243. package/src/core/workspace/manifest.ts +0 -283
  244. package/src/core/workspace/output-rotation.ts +0 -62
  245. package/src/core/workspace/root.ts +0 -96
  246. package/src/core/workspace/triage-path.ts +0 -87
  247. package/src/db/lint-runs.ts +0 -47
  248. package/src/db/migrate.ts +0 -128
  249. package/src/db/migrations/0001_run_kind.sql +0 -25
  250. package/src/db/migrations/0002_run_kind_request.sql +0 -59
  251. package/src/db/migrations/sql.d.ts +0 -4
  252. package/src/db/queries/collections.ts +0 -133
  253. package/src/db/queries/coverage.ts +0 -9
  254. package/src/db/queries/dashboard.ts +0 -59
  255. package/src/db/queries/results.ts +0 -216
  256. package/src/db/queries/runs.ts +0 -289
  257. package/src/db/queries/sessions.ts +0 -42
  258. package/src/db/queries/settings.ts +0 -28
  259. package/src/db/queries/types.ts +0 -172
  260. package/src/db/queries.ts +0 -75
  261. package/src/db/schema.ts +0 -298
@@ -1,97 +0,0 @@
1
- import { join } from "path";
2
- import { mkdir } from "fs/promises";
3
- import { readOpenApiSpec, extractEndpoints, extractSecuritySchemes } from "../../core/generator/index.ts";
4
- import { buildCatalog, serializeCatalog } from "../../core/generator/catalog-builder.ts";
5
- import { decycleSchema } from "../../core/generator/schema-utils.ts";
6
- import { hashSpec } from "../../core/meta/meta-store.ts";
7
- import { printError, printSuccess } from "../output.ts";
8
- import { jsonOk, jsonError, printJson } from "../json-envelope.ts";
9
-
10
- export interface CatalogOptions {
11
- specPath: string;
12
- /** Output directory. Defaults to the API's base dir when --api is given, otherwise cwd. */
13
- output?: string;
14
- json?: boolean;
15
- }
16
-
17
- export async function catalogCommand(options: CatalogOptions): Promise<number> {
18
- try {
19
- const doc = await readOpenApiSpec(options.specPath);
20
- const endpoints = extractEndpoints(doc);
21
- const securitySchemes = extractSecuritySchemes(doc);
22
- const baseUrl = ((doc as any).servers?.[0]?.url) as string | undefined;
23
- const apiName = (doc as any).info?.title as string | undefined;
24
- const apiVersion = (doc as any).info?.version as string | undefined;
25
- const specContent = JSON.stringify(decycleSchema(doc));
26
-
27
- const catalog = buildCatalog({
28
- endpoints,
29
- securitySchemes,
30
- specSource: options.specPath,
31
- specHash: hashSpec(specContent),
32
- apiName,
33
- apiVersion,
34
- baseUrl,
35
- });
36
-
37
- const outputDir = options.output ?? ".";
38
- await mkdir(outputDir, { recursive: true });
39
-
40
- const catalogPath = join(outputDir, ".api-catalog.yaml");
41
- await Bun.write(catalogPath, serializeCatalog(catalog));
42
-
43
- if (options.json) {
44
- printJson(jsonOk("catalog", {
45
- path: catalogPath,
46
- endpointCount: catalog.endpointCount,
47
- apiName: catalog.apiName,
48
- }));
49
- } else {
50
- printSuccess(`Generated API catalog: ${catalogPath} (${catalog.endpointCount} endpoints)`);
51
- }
52
-
53
- return 0;
54
- } catch (err) {
55
- const message = err instanceof Error ? err.message : String(err);
56
- if (options.json) {
57
- printJson(jsonError("catalog", [message]));
58
- } else {
59
- printError(message);
60
- }
61
- return 2;
62
- }
63
- }
64
-
65
- import type { Command } from "commander";
66
- import { globalJson, resolveSpecArg, resolveApiCollection } from "../resolve.ts";
67
-
68
- export function registerCatalog(program: Command): void {
69
- program
70
- .command("catalog [spec]")
71
- .description("Generate API catalog (compact endpoint reference). For registered APIs prefer --api <name>; the artifact is also available at apis/<name>/.api-catalog.yaml.")
72
- .option("--api <name>", "Use the registered API's spec (apis/<name>/spec.json)")
73
- .option("--db <path>", "Path to SQLite database file")
74
- .option("--output <dir>", "Output directory (default: apis/<name>/ when --api is given, else cwd)")
75
- .action(async (specPos: string | undefined, opts, cmd: Command) => {
76
- const resolved = resolveSpecArg(specPos, opts.api, opts.db);
77
- if ("error" in resolved) { printError(resolved.error); process.exitCode = 2; return; }
78
-
79
- // When --api is given and no explicit --output, default to the API's base dir so
80
- // the artifact lands alongside spec.json / .api-resources.yaml / .api-fixtures.yaml.
81
- let outputDir: string | undefined = opts.output;
82
- if (!outputDir && opts.api) {
83
- const col = resolveApiCollection(opts.api, opts.db);
84
- if (!("error" in col) && col.testPath) {
85
- // testPath is apis/<name>/tests — go up one level to get apis/<name>/
86
- const { dirname } = await import("path");
87
- outputDir = dirname(col.testPath);
88
- }
89
- }
90
-
91
- process.exitCode = await catalogCommand({
92
- specPath: resolved.spec,
93
- output: outputDir,
94
- json: globalJson(cmd),
95
- });
96
- });
97
- }
@@ -1,361 +0,0 @@
1
- /**
2
- * `zond check` — unified conformance entry point.
3
- *
4
- * `check tests <path>` → schema-validate YAML test files (no HTTP).
5
- * `check spec [spec]` → static-analyse the OpenAPI document.
6
- *
7
- * TASK-298 (m-13 block D): replaces the old top-level `validate` and
8
- * `lint-spec` commands with a single mental model.
9
- */
10
-
11
- import { parse } from "../../core/parser/yaml-parser.ts";
12
- import { readOpenApiSpec } from "../../core/generator/openapi-reader.ts";
13
- import {
14
- lintSpec,
15
- loadConfig,
16
- formatHuman,
17
- formatNdjson,
18
- formatGrouped,
19
- buildRuleSummary,
20
- } from "../../core/lint/index.ts";
21
- import type { Issue, Severity } from "../../core/lint/index.ts";
22
- import { getDb } from "../../db/schema.ts";
23
- import { createLintRun, finalizeLintRun } from "../../db/lint-runs.ts";
24
- import { jsonOk, jsonError, printJson, zerr } from "../json-envelope.ts";
25
- import { printError, printSuccess } from "../output.ts";
26
-
27
- import type { Command } from "commander";
28
- import { globalJson, resolveSpecArg } from "../resolve.ts";
29
- import { parsePositiveInt } from "../argv.ts";
30
-
31
- // ── check tests ────────────────────────────────────────────────────────────
32
-
33
- export interface CheckTestsOptions {
34
- path: string;
35
- json?: boolean;
36
- verbose?: boolean;
37
- }
38
-
39
- export async function checkTestsCommand(options: CheckTestsOptions): Promise<number> {
40
- try {
41
- const suites = await parse(options.path, { verbose: options.verbose });
42
- const totalSteps = suites.reduce((sum, s) => sum + s.tests.length, 0);
43
- if (options.json) {
44
- printJson(jsonOk("check tests", {
45
- files: suites.length,
46
- suites: suites.length,
47
- tests: totalSteps,
48
- valid: true,
49
- }));
50
- } else {
51
- printSuccess(`OK: ${suites.length} suite(s), ${totalSteps} test(s) validated successfully`);
52
- }
53
- return 0;
54
- } catch (err) {
55
- const message = err instanceof Error ? err.message : String(err);
56
- if (options.json) {
57
- printJson(jsonError("check tests", [message]));
58
- } else {
59
- printError(message);
60
- }
61
- return 2;
62
- }
63
- }
64
-
65
- // ── check spec ─────────────────────────────────────────────────────────────
66
-
67
- export interface CheckSpecOptions {
68
- specPath: string;
69
- json?: boolean;
70
- ndjson?: boolean;
71
- strict?: boolean;
72
- rule?: string;
73
- config?: string;
74
- includePath?: string[];
75
- maxIssues?: number;
76
- noDb?: boolean;
77
- verbose?: boolean;
78
- severityFilter?: Severity[];
79
- filterRule?: string[];
80
- top?: number;
81
- }
82
-
83
- export async function checkSpecCommand(opts: CheckSpecOptions): Promise<number> {
84
- let doc;
85
- try {
86
- doc = await readOpenApiSpec(opts.specPath);
87
- } catch (err) {
88
- const message = err instanceof Error ? err.message : String(err);
89
- if (opts.json || opts.ndjson) {
90
- printJson(jsonError("check spec", [
91
- zerr("spec_load_failure", `Failed to load spec: ${message}`, { specPath: opts.specPath }),
92
- ]));
93
- } else {
94
- printError(`Failed to load spec: ${message}`);
95
- }
96
- return 2;
97
- }
98
-
99
- let config;
100
- try {
101
- config = loadConfig({
102
- configPath: opts.config,
103
- cliRule: opts.rule,
104
- includePaths: opts.includePath,
105
- maxIssues: opts.maxIssues,
106
- });
107
- } catch (err) {
108
- const message = err instanceof Error ? err.message : String(err);
109
- if (opts.json || opts.ndjson) {
110
- printJson(jsonError("check spec", [zerr("argument_invalid", message)]));
111
- } else {
112
- printError(message);
113
- }
114
- return 2;
115
- }
116
-
117
- let runId: number | null = null;
118
- if (!opts.noDb) {
119
- try {
120
- const db = getDb();
121
- runId = createLintRun(db, opts.specPath);
122
- } catch {
123
- runId = null;
124
- }
125
- }
126
-
127
- const result = lintSpec(doc, config);
128
-
129
- if (runId !== null) {
130
- try {
131
- finalizeLintRun(getDb(), runId, result.issues, result.stats, config);
132
- } catch {
133
- // best-effort
134
- }
135
- }
136
-
137
- const filtered = applyFilters(result.issues, opts);
138
- const filteredStats = recomputeStats(filtered);
139
-
140
- if (opts.ndjson) {
141
- process.stdout.write(formatNdjson(filtered));
142
- } else if (opts.json) {
143
- printJson(jsonOk("check spec", {
144
- issues: filtered,
145
- stats: filteredStats,
146
- summary: buildRuleSummary(filtered),
147
- }));
148
- } else if (opts.verbose) {
149
- process.stdout.write(formatHuman(filtered, filteredStats));
150
- } else {
151
- process.stdout.write(formatGrouped(filtered, filteredStats, { top: opts.top }));
152
- }
153
-
154
- // ARV-255: lint is hygiene — never gates CI by default. `--strict`
155
- // opts back into a non-zero exit when any issue lands. The old "high
156
- // → 1, medium → 2" gating is gone because no rule emits HIGH/MEDIUM
157
- // anymore (severity matrix forbids it for static analysis).
158
- if (opts.strict && result.stats.total > 0) return 2;
159
- return 0;
160
- }
161
-
162
- function applyFilters(issues: Issue[], opts: CheckSpecOptions): Issue[] {
163
- let out = issues;
164
- if (opts.severityFilter && opts.severityFilter.length > 0) {
165
- const allow = new Set(opts.severityFilter);
166
- out = out.filter(i => allow.has(i.severity));
167
- }
168
- if (opts.filterRule && opts.filterRule.length > 0) {
169
- const allow = new Set(opts.filterRule.map(r => r.toUpperCase()));
170
- out = out.filter(i => allow.has(i.rule));
171
- }
172
- return out;
173
- }
174
-
175
- function recomputeStats(issues: Issue[]) {
176
- const endpoints = new Set<string>();
177
- for (const i of issues) {
178
- if (i.path) endpoints.add(`${i.method ?? "*"} ${i.path}`);
179
- }
180
- return {
181
- total: issues.length,
182
- critical: issues.filter(i => i.severity === "critical").length,
183
- high: issues.filter(i => i.severity === "high").length,
184
- medium: issues.filter(i => i.severity === "medium").length,
185
- low: issues.filter(i => i.severity === "low").length,
186
- info: issues.filter(i => i.severity === "info").length,
187
- endpoints: endpoints.size,
188
- };
189
- }
190
-
191
- function parseSeverityList(raw: unknown): Severity[] | undefined {
192
- if (typeof raw !== "string" || raw.trim() === "") return undefined;
193
- const allowed: Severity[] = ["critical", "high", "medium", "low", "info"];
194
- const items = raw.split(",").map(s => s.trim().toLowerCase()).filter(Boolean) as Severity[];
195
- return items.filter(s => allowed.includes(s));
196
- }
197
-
198
- /**
199
- * TASK-291 / TASK-298: parse --rule (and the deprecated --filter-rule) into
200
- * the two downstream channels: cliRule (severity overrides + disables, fed
201
- * to loadConfig) and whitelist (rule-id allow-list, applied post-lint).
202
- */
203
- export function mergeRuleFlags(
204
- ruleArg: unknown,
205
- filterRuleArg: unknown,
206
- ): { cliRule: string | undefined; whitelist: string[] | undefined } {
207
- const ruleItems = splitCsv(ruleArg);
208
- const filterItems = splitCsv(filterRuleArg);
209
-
210
- if (filterItems.length > 0) {
211
- process.stderr.write(
212
- "[zond] --filter-rule is deprecated, use --rule with the same comma-separated rule ids (TASK-291).\n",
213
- );
214
- }
215
-
216
- const cliRuleItems: string[] = [];
217
- const whitelist = new Set<string>();
218
- let anyPositive = false;
219
-
220
- for (const raw of ruleItems) {
221
- const item = raw.trim();
222
- if (!item) continue;
223
- if (item.startsWith("!")) {
224
- cliRuleItems.push(item);
225
- continue;
226
- }
227
- const eq = item.indexOf("=");
228
- if (eq >= 0) {
229
- const id = item.slice(0, eq).trim().toUpperCase();
230
- const sev = item.slice(eq + 1).trim().toLowerCase();
231
- if (sev === "off") {
232
- cliRuleItems.push(`!${id}`);
233
- } else {
234
- cliRuleItems.push(`${id}=${sev}`);
235
- whitelist.add(id);
236
- anyPositive = true;
237
- }
238
- continue;
239
- }
240
- whitelist.add(item.toUpperCase());
241
- anyPositive = true;
242
- }
243
-
244
- for (const raw of filterItems) {
245
- const id = raw.trim().toUpperCase();
246
- if (!id) continue;
247
- whitelist.add(id);
248
- anyPositive = true;
249
- }
250
-
251
- return {
252
- cliRule: cliRuleItems.length > 0 ? cliRuleItems.join(",") : undefined,
253
- whitelist: anyPositive ? [...whitelist] : undefined,
254
- };
255
- }
256
-
257
- function splitCsv(raw: unknown): string[] {
258
- if (typeof raw !== "string") return [];
259
- return raw.split(",").map(s => s.trim()).filter(Boolean);
260
- }
261
-
262
- // ── registration ───────────────────────────────────────────────────────────
263
-
264
- export function registerCheck(program: Command): void {
265
- const check = program
266
- .command("check")
267
- .description("Conformance checks: YAML test files (`check tests`) and the OpenAPI spec (`check spec`)");
268
-
269
- check
270
- .command("tests <path>")
271
- .description("Schema-validate test files without running them")
272
- .option("--verbose", "Show full zod issue stack instead of human-friendly summary")
273
- .action(async (path: string, opts: { verbose?: boolean }, cmd: Command) => {
274
- process.exitCode = await checkTestsCommand({
275
- path,
276
- json: globalJson(cmd),
277
- verbose: opts.verbose === true,
278
- });
279
- });
280
-
281
- defineCheckSpec(check, "spec");
282
- }
283
-
284
- /**
285
- * ARV-255 (m-21 pivot): register `zond lint` as a top-level command,
286
- * aliasing the existing `check spec` workflow. Spec-lint is hygiene —
287
- * not part of the security/contract audit — so it gets a dedicated
288
- * verb that makes the workflow explicit and keeps the audit report
289
- * uncluttered. Same flag wiring, same code path, just a clearer name.
290
- */
291
- export function registerLint(program: Command): void {
292
- defineCheckSpec(program, "lint");
293
- }
294
-
295
- function defineCheckSpec(parent: Command, name: string): void {
296
- parent
297
- .command(`${name} [spec]`)
298
- .description(
299
- name === "lint"
300
- ? "ARV-255: spec-lint (hygiene category). Static-analyse an OpenAPI spec for style and structural gaps. Severity capped at LOW/INFO — never gates CI unless --strict. Equivalent to `zond check spec`."
301
- : "Static-analyse an OpenAPI spec for internal-consistency and strictness gaps (catches bugs before any HTTP). ARV-255: severity capped at LOW/INFO — no HIGH/MEDIUM from static analysis.",
302
- )
303
- .option("--api <name>", "Use the registered API's spec (apis/<name>/spec.json)")
304
- .option("--strict", "Exit non-zero even on LOW-severity issues")
305
- .option("--ndjson", "Stream issues as one JSON per line (NDJSON), instead of the wrapped envelope")
306
- .option(
307
- "--report <format>",
308
- "ARV-204: output format alias for parity with `checks run`. Accepts: console (default human summary), json (equivalent to --json envelope), ndjson (equivalent to --ndjson). Last writer wins if combined with --json/--ndjson.",
309
- )
310
- .option(
311
- "--rule <list>",
312
- "Unified rule selector (TASK-291). Comma-separated items: 'B1' (whitelist), " +
313
- "'!B2' (disable), 'B3=low|info' (severity override; also implicitly whitelists). " +
314
- "All-plain or all-override → whitelist mode (only these rules render). All-'!' → blacklist mode " +
315
- "(exclude these). Mixed → whitelist + overrides + disables together. ARV-255: high/medium overrides ignored (cap is LOW).",
316
- )
317
- .option(
318
- "--filter-rule <list>",
319
- "Deprecated alias for the whitelist subset of --rule (TASK-291). Will be removed; emits a stderr warning.",
320
- )
321
- .option("--config <path>", "Path to .zond-lint.json")
322
- .option("--include-path <glob...>", "Only lint endpoints whose path matches glob (repeatable)")
323
- .option("--max-issues <N>", "Stop after N issues", parsePositiveInt("--max-issues"))
324
- .option("--verbose, --flat", "Render the legacy flat one-line-per-issue list (default is now a rule × severity rollup, TASK-279)")
325
- .option("--severity <list>", "Filter rendered/JSON output to severities (comma-separated: low,info)")
326
- .option("--top <N>", "In the grouped summary, show only the top-N rules by count", parsePositiveInt("--top"))
327
- .option("--no-db", "Don't write to lint_runs SQLite history")
328
- .action(async (specPos: string | undefined, opts, cmd: Command) => {
329
- const dbPath = typeof opts.db === "string" ? opts.db : undefined;
330
- const resolved = resolveSpecArg(specPos, opts.api, dbPath);
331
- if ("error" in resolved) { printError(resolved.error); process.exitCode = 2; return; }
332
- const sevFilter = parseSeverityList(opts.severity);
333
-
334
- const merged = mergeRuleFlags(opts.rule, opts.filterRule);
335
-
336
- // ARV-204: --report ndjson|json|console aliases the existing booleans
337
- // so scripts can keep one flag shape across `checks run` and `check spec`.
338
- let report = typeof opts.report === "string" ? opts.report.toLowerCase() : undefined;
339
- if (report && !["console", "json", "ndjson"].includes(report)) {
340
- printError(`--report: unknown format '${opts.report}'. Use one of: console, json, ndjson.`);
341
- process.exitCode = 2;
342
- return;
343
- }
344
-
345
- process.exitCode = await checkSpecCommand({
346
- specPath: resolved.spec,
347
- json: globalJson(cmd) || report === "json",
348
- ndjson: opts.ndjson === true || report === "ndjson",
349
- strict: opts.strict === true,
350
- rule: merged.cliRule,
351
- config: opts.config,
352
- includePath: opts.includePath,
353
- maxIssues: opts.maxIssues,
354
- noDb: opts.db === false,
355
- verbose: opts.verbose === true || opts.flat === true,
356
- severityFilter: sevFilter,
357
- filterRule: merged.whitelist,
358
- top: typeof opts.top === "number" ? opts.top : undefined,
359
- });
360
- });
361
- }