@kirrosh/zond 0.26.1 → 0.27.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +65 -0
- package/README.md +39 -22
- package/bin/zond.mjs +23 -0
- package/package.json +36 -23
- package/scripts/npm/postinstall.mjs +76 -0
- package/src/CLAUDE.md +0 -112
- package/src/bun-types.d.ts +0 -5
- package/src/cli/argv.ts +0 -122
- package/src/cli/commands/add-api.ts +0 -146
- package/src/cli/commands/api/annotate/idempotency.ts +0 -59
- package/src/cli/commands/api/annotate/index.ts +0 -880
- package/src/cli/commands/api/annotate/lifecycle.ts +0 -74
- package/src/cli/commands/api/annotate/overlay.ts +0 -206
- package/src/cli/commands/api/annotate/pagination.ts +0 -64
- package/src/cli/commands/api/annotate/prompts.ts +0 -220
- package/src/cli/commands/api/annotate/readback.ts +0 -58
- package/src/cli/commands/api/annotate/resources.ts +0 -91
- package/src/cli/commands/api/annotate/seed-bodies.ts +0 -61
- package/src/cli/commands/audit.ts +0 -786
- package/src/cli/commands/catalog.ts +0 -97
- package/src/cli/commands/check.ts +0 -361
- package/src/cli/commands/checks.ts +0 -1072
- package/src/cli/commands/ci-init.ts +0 -223
- package/src/cli/commands/clean.ts +0 -212
- package/src/cli/commands/cleanup.ts +0 -236
- package/src/cli/commands/completions.ts +0 -192
- package/src/cli/commands/coverage.ts +0 -872
- package/src/cli/commands/db.ts +0 -611
- package/src/cli/commands/describe.ts +0 -120
- package/src/cli/commands/discover.ts +0 -1356
- package/src/cli/commands/doctor.ts +0 -661
- package/src/cli/commands/fixtures.ts +0 -402
- package/src/cli/commands/generate.ts +0 -577
- package/src/cli/commands/init/agents-md.ts +0 -61
- package/src/cli/commands/init/bootstrap.ts +0 -111
- package/src/cli/commands/init/index.ts +0 -244
- package/src/cli/commands/init/skills.ts +0 -141
- package/src/cli/commands/init/templates/agents.md +0 -86
- package/src/cli/commands/init/templates/markdown.d.ts +0 -4
- package/src/cli/commands/init/templates/skills/warm-up-target.md +0 -122
- package/src/cli/commands/init/templates/skills/zond-checks.md +0 -621
- package/src/cli/commands/init/templates/skills/zond-seed.md +0 -114
- package/src/cli/commands/init/templates/skills/zond-triage.md +0 -272
- package/src/cli/commands/init/templates/skills/zond.md +0 -861
- package/src/cli/commands/init/templates/zond-config.yml +0 -14
- package/src/cli/commands/prepare-fixtures.ts +0 -97
- package/src/cli/commands/probe/_seed-bodies.ts +0 -52
- package/src/cli/commands/probe/mass-assignment.ts +0 -594
- package/src/cli/commands/probe/security.ts +0 -537
- package/src/cli/commands/probe/static.ts +0 -255
- package/src/cli/commands/probe/webhooks.ts +0 -163
- package/src/cli/commands/probe.ts +0 -535
- package/src/cli/commands/reference.ts +0 -87
- package/src/cli/commands/refresh-api.ts +0 -227
- package/src/cli/commands/remove-api.ts +0 -150
- package/src/cli/commands/report-bundle.ts +0 -310
- package/src/cli/commands/report.ts +0 -241
- package/src/cli/commands/request.ts +0 -548
- package/src/cli/commands/run.ts +0 -1162
- package/src/cli/commands/schema-from-runs.ts +0 -128
- package/src/cli/commands/secrets.ts +0 -133
- package/src/cli/commands/session.ts +0 -244
- package/src/cli/commands/use.ts +0 -74
- package/src/cli/index.ts +0 -55
- package/src/cli/json-envelope.ts +0 -108
- package/src/cli/json-schemas.ts +0 -314
- package/src/cli/output.ts +0 -40
- package/src/cli/program.ts +0 -219
- package/src/cli/resolve.ts +0 -105
- package/src/cli/runtime.ts +0 -7
- package/src/cli/safe-live.ts +0 -24
- package/src/cli/status-filter.ts +0 -114
- package/src/cli/util/api-context.ts +0 -85
- package/src/cli/version.ts +0 -8
- package/src/core/audit/persist.ts +0 -183
- package/src/core/checks/budget.ts +0 -59
- package/src/core/checks/checks/_crud-helpers.ts +0 -133
- package/src/core/checks/checks/_negative_mutator.ts +0 -133
- package/src/core/checks/checks/_readback-helpers.ts +0 -133
- package/src/core/checks/checks/content_type_conformance.ts +0 -39
- package/src/core/checks/checks/cross_call_references.ts +0 -147
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +0 -219
- package/src/core/checks/checks/ensure_resource_availability.ts +0 -62
- package/src/core/checks/checks/idempotency_replay.ts +0 -242
- package/src/core/checks/checks/ignored_auth.ts +0 -254
- package/src/core/checks/checks/index.ts +0 -68
- package/src/core/checks/checks/lifecycle_transitions.ts +0 -416
- package/src/core/checks/checks/missing_required_header.ts +0 -40
- package/src/core/checks/checks/negative_data_rejection.ts +0 -148
- package/src/core/checks/checks/not_a_server_error.ts +0 -35
- package/src/core/checks/checks/open_cors_on_sensitive.ts +0 -160
- package/src/core/checks/checks/pagination_invariants.ts +0 -419
- package/src/core/checks/checks/positive_data_acceptance.ts +0 -33
- package/src/core/checks/checks/rate_limit_headers_absent.ts +0 -77
- package/src/core/checks/checks/response_headers_conformance.ts +0 -74
- package/src/core/checks/checks/response_schema_conformance.ts +0 -30
- package/src/core/checks/checks/status_code_conformance.ts +0 -132
- package/src/core/checks/checks/unsupported_method.ts +0 -63
- package/src/core/checks/checks/use_after_free.ts +0 -78
- package/src/core/checks/index.ts +0 -30
- package/src/core/checks/mode.ts +0 -82
- package/src/core/checks/recommended-action.ts +0 -68
- package/src/core/checks/registry.ts +0 -78
- package/src/core/checks/runner.ts +0 -1461
- package/src/core/checks/sarif.ts +0 -230
- package/src/core/checks/spec-findings.ts +0 -308
- package/src/core/checks/stateful.ts +0 -121
- package/src/core/checks/types.ts +0 -305
- package/src/core/checks/zond-extensions.ts +0 -73
- package/src/core/classifier/recommended-action.ts +0 -251
- package/src/core/context/current.ts +0 -51
- package/src/core/context/session.ts +0 -78
- package/src/core/coverage/loader.ts +0 -216
- package/src/core/coverage/reasons.ts +0 -300
- package/src/core/diagnostics/db-analysis.ts +0 -666
- package/src/core/diagnostics/failure-class.ts +0 -140
- package/src/core/diagnostics/failure-hints.ts +0 -112
- package/src/core/diagnostics/spec-pointer.ts +0 -99
- package/src/core/diagnostics/suggested-fixes.ts +0 -155
- package/src/core/exporter/case-study/index.ts +0 -270
- package/src/core/exporter/curl.ts +0 -40
- package/src/core/exporter/exporter.ts +0 -48
- package/src/core/exporter/html-report/escape.ts +0 -24
- package/src/core/exporter/html-report/index.ts +0 -479
- package/src/core/exporter/html-report/script.ts +0 -100
- package/src/core/exporter/html-report/styles.ts +0 -408
- package/src/core/generator/catalog-builder.ts +0 -179
- package/src/core/generator/chunker.ts +0 -78
- package/src/core/generator/coverage-phase.ts +0 -0
- package/src/core/generator/coverage-scanner.ts +0 -87
- package/src/core/generator/data-factory.ts +0 -759
- package/src/core/generator/describe.ts +0 -302
- package/src/core/generator/endpoint-warnings.ts +0 -52
- package/src/core/generator/fixtures-builder.ts +0 -332
- package/src/core/generator/index.ts +0 -14
- package/src/core/generator/openapi-reader.ts +0 -297
- package/src/core/generator/path-param-disambig.ts +0 -140
- package/src/core/generator/resources-builder.ts +0 -898
- package/src/core/generator/schema-utils.ts +0 -112
- package/src/core/generator/serializer.ts +0 -343
- package/src/core/generator/suite-generator.ts +0 -1301
- package/src/core/generator/types.ts +0 -63
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/lint/affects.ts +0 -28
- package/src/core/lint/config.ts +0 -96
- package/src/core/lint/format.ts +0 -42
- package/src/core/lint/index.ts +0 -94
- package/src/core/lint/reporter.ts +0 -128
- package/src/core/lint/rules/consistency.ts +0 -158
- package/src/core/lint/rules/heuristics.ts +0 -97
- package/src/core/lint/rules/strictness.ts +0 -109
- package/src/core/lint/types.ts +0 -96
- package/src/core/lint/walker.ts +0 -248
- package/src/core/meta/meta-store.ts +0 -11
- package/src/core/output/README.md +0 -73
- package/src/core/output/index.ts +0 -13
- package/src/core/output/run.ts +0 -91
- package/src/core/output/types.ts +0 -122
- package/src/core/parser/dynamic-values.ts +0 -160
- package/src/core/parser/env-interpolation.ts +0 -104
- package/src/core/parser/filter.ts +0 -97
- package/src/core/parser/schema.ts +0 -359
- package/src/core/parser/types.ts +0 -117
- package/src/core/parser/variables.ts +0 -0
- package/src/core/parser/yaml-parser.ts +0 -181
- package/src/core/probe/bootstrap.ts +0 -34
- package/src/core/probe/dry-run-envelope.ts +0 -61
- package/src/core/probe/mass-assignment/classify.ts +0 -175
- package/src/core/probe/mass-assignment/cleanup.ts +0 -52
- package/src/core/probe/mass-assignment/digest.ts +0 -114
- package/src/core/probe/mass-assignment/orchestrator.ts +0 -459
- package/src/core/probe/mass-assignment/regression.ts +0 -141
- package/src/core/probe/mass-assignment/suspects.ts +0 -92
- package/src/core/probe/mass-assignment/types.ts +0 -135
- package/src/core/probe/mass-assignment-probe-class.ts +0 -198
- package/src/core/probe/mass-assignment-probe.ts +0 -27
- package/src/core/probe/mass-assignment-template.ts +0 -240
- package/src/core/probe/method-probe.ts +0 -164
- package/src/core/probe/method-shared.ts +0 -69
- package/src/core/probe/negative-probe.ts +0 -691
- package/src/core/probe/orphan-tracker.ts +0 -188
- package/src/core/probe/path-discovery.ts +0 -439
- package/src/core/probe/probe-harness.ts +0 -119
- package/src/core/probe/registry.ts +0 -89
- package/src/core/probe/runner.ts +0 -136
- package/src/core/probe/security/baseline.ts +0 -174
- package/src/core/probe/security/classify.ts +0 -341
- package/src/core/probe/security/cleanup.ts +0 -125
- package/src/core/probe/security/detectors.ts +0 -71
- package/src/core/probe/security/digest.ts +0 -104
- package/src/core/probe/security/orchestrator.ts +0 -398
- package/src/core/probe/security/regression.ts +0 -103
- package/src/core/probe/security/types.ts +0 -151
- package/src/core/probe/security-probe-class.ts +0 -207
- package/src/core/probe/security-probe.ts +0 -32
- package/src/core/probe/shared.ts +0 -531
- package/src/core/probe/static-probe-class.ts +0 -125
- package/src/core/probe/types.ts +0 -165
- package/src/core/probe/verdict-aggregator.ts +0 -33
- package/src/core/probe/webhooks-probe.ts +0 -282
- package/src/core/reporter/console.ts +0 -240
- package/src/core/reporter/index.ts +0 -22
- package/src/core/reporter/json.ts +0 -22
- package/src/core/reporter/junit.ts +0 -93
- package/src/core/reporter/ndjson.ts +0 -37
- package/src/core/reporter/types.ts +0 -15
- package/src/core/runner/assertions.ts +0 -383
- package/src/core/runner/async-pool.ts +0 -108
- package/src/core/runner/auth-path.ts +0 -8
- package/src/core/runner/ci-context.ts +0 -72
- package/src/core/runner/executor.ts +0 -652
- package/src/core/runner/expr-eval.ts +0 -41
- package/src/core/runner/form-encode.ts +0 -41
- package/src/core/runner/http-client.ts +0 -224
- package/src/core/runner/learn-drift.ts +0 -293
- package/src/core/runner/preflight-vars.ts +0 -153
- package/src/core/runner/progress-tracker.ts +0 -73
- package/src/core/runner/rate-limiter.ts +0 -185
- package/src/core/runner/run-kind.ts +0 -45
- package/src/core/runner/schema-validator.ts +0 -308
- package/src/core/runner/send-request.ts +0 -232
- package/src/core/runner/transforms.ts +0 -65
- package/src/core/runner/types.ts +0 -94
- package/src/core/secrets/registry.ts +0 -164
- package/src/core/secrets/secrets-file.ts +0 -115
- package/src/core/selectors/operation-filter.ts +0 -144
- package/src/core/setup-api.ts +0 -590
- package/src/core/severity/category.ts +0 -94
- package/src/core/severity/index.ts +0 -58
- package/src/core/spec/infer-schema.ts +0 -102
- package/src/core/spec/layers.ts +0 -154
- package/src/core/spec/merge-specs.ts +0 -156
- package/src/core/spec/schema-from-runs.ts +0 -117
- package/src/core/spec/schema-overlay.ts +0 -130
- package/src/core/util/ajv.ts +0 -13
- package/src/core/util/format-eta.ts +0 -21
- package/src/core/util/headers.ts +0 -9
- package/src/core/util/url.ts +0 -24
- package/src/core/utils.ts +0 -13
- package/src/core/workspace/config.ts +0 -129
- package/src/core/workspace/fixture-gap-report.ts +0 -84
- package/src/core/workspace/fixture-gaps.ts +0 -71
- package/src/core/workspace/manifest.ts +0 -283
- package/src/core/workspace/output-rotation.ts +0 -62
- package/src/core/workspace/root.ts +0 -96
- package/src/core/workspace/triage-path.ts +0 -87
- package/src/db/lint-runs.ts +0 -47
- package/src/db/migrate.ts +0 -128
- package/src/db/migrations/0001_run_kind.sql +0 -25
- package/src/db/migrations/0002_run_kind_request.sql +0 -59
- package/src/db/migrations/sql.d.ts +0 -4
- package/src/db/queries/collections.ts +0 -133
- package/src/db/queries/coverage.ts +0 -9
- package/src/db/queries/dashboard.ts +0 -59
- package/src/db/queries/results.ts +0 -216
- package/src/db/queries/runs.ts +0 -289
- package/src/db/queries/sessions.ts +0 -42
- package/src/db/queries/settings.ts +0 -28
- package/src/db/queries/types.ts +0 -172
- package/src/db/queries.ts +0 -75
- package/src/db/schema.ts +0 -298
|
@@ -1,207 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* `SecurityProbe` — Probe-contract wrapper around the existing
|
|
3
|
-
* `runSecurityProbes` engine in `security-probe.ts` (m-17 / ARV-49).
|
|
4
|
-
*
|
|
5
|
-
* Behavior is unchanged on this step. dryRun() returns the structured
|
|
6
|
-
* EndpointPlan[] shape (used by the new dry-run envelope in ARV-50);
|
|
7
|
-
* run() delegates to runSecurityProbes(); report() is a thin renderer
|
|
8
|
-
* that converts the SecurityProbeResult to either a markdown digest
|
|
9
|
-
* (existing formatter) or the structured per-endpoint shape (ARV-51).
|
|
10
|
-
*/
|
|
11
|
-
import type { Probe, ProbeContext, ProbeFlags, EndpointPlan, ProbeResult, ProbeReportFormat, ProbeEndpointResult, ProbeEndpointStatus } from "./types.ts";
|
|
12
|
-
import {
|
|
13
|
-
runSecurityProbes,
|
|
14
|
-
formatSecurityDigest,
|
|
15
|
-
detectFields,
|
|
16
|
-
SECURITY_CLASSES,
|
|
17
|
-
type SecurityClass,
|
|
18
|
-
type SecurityProbeResult,
|
|
19
|
-
type SecurityVerdict,
|
|
20
|
-
} from "./security-probe.ts";
|
|
21
|
-
import { pathTouchesSeededVar } from "./shared.ts";
|
|
22
|
-
import { hasProbeBody } from "./probe-harness.ts";
|
|
23
|
-
|
|
24
|
-
const FLAGS: ProbeFlags = {
|
|
25
|
-
api: true,
|
|
26
|
-
tag: true,
|
|
27
|
-
include: true,
|
|
28
|
-
exclude: true,
|
|
29
|
-
dryRun: true,
|
|
30
|
-
listTags: true,
|
|
31
|
-
json: true,
|
|
32
|
-
output: true,
|
|
33
|
-
report: true,
|
|
34
|
-
};
|
|
35
|
-
|
|
36
|
-
function planForSecurity(
|
|
37
|
-
ctx: ProbeContext,
|
|
38
|
-
classes: SecurityClass[],
|
|
39
|
-
isolated: boolean,
|
|
40
|
-
): EndpointPlan[] {
|
|
41
|
-
const out: EndpointPlan[] = [];
|
|
42
|
-
for (const ep of ctx.endpoints) {
|
|
43
|
-
if (ep.deprecated) continue;
|
|
44
|
-
const m = ep.method.toUpperCase();
|
|
45
|
-
if (m !== "POST" && m !== "PUT" && m !== "PATCH") continue;
|
|
46
|
-
|
|
47
|
-
if (isolated && (m === "PUT" || m === "PATCH") && pathTouchesSeededVar(ep.path, ctx.vars)) {
|
|
48
|
-
out.push({
|
|
49
|
-
path: ep.path,
|
|
50
|
-
method: m,
|
|
51
|
-
planned: false,
|
|
52
|
-
classes_planned: [],
|
|
53
|
-
fields_planned: [],
|
|
54
|
-
skip_reason: "isolated-protected",
|
|
55
|
-
});
|
|
56
|
-
continue;
|
|
57
|
-
}
|
|
58
|
-
|
|
59
|
-
// ARV-313: parity with the live orchestrator (which uses hasProbeBody)
|
|
60
|
-
// and the mass-assignment planner — accept application/x-www-form-urlencoded
|
|
61
|
-
// bodies, not just JSON. The old hasJsonBody gate made the dry-run
|
|
62
|
-
// inventory a no-op on form-encoded APIs (Stripe v1), so `probe security
|
|
63
|
-
// --dry-run` planned 0/291 while mass-assignment planned 290/291.
|
|
64
|
-
if (!hasProbeBody(ep)) {
|
|
65
|
-
out.push({
|
|
66
|
-
path: ep.path,
|
|
67
|
-
method: m,
|
|
68
|
-
planned: false,
|
|
69
|
-
classes_planned: [],
|
|
70
|
-
fields_planned: [],
|
|
71
|
-
skip_reason: "no-body",
|
|
72
|
-
});
|
|
73
|
-
continue;
|
|
74
|
-
}
|
|
75
|
-
|
|
76
|
-
const detected = detectFields(ep, classes);
|
|
77
|
-
if (detected.length === 0) {
|
|
78
|
-
out.push({
|
|
79
|
-
path: ep.path,
|
|
80
|
-
method: m,
|
|
81
|
-
planned: false,
|
|
82
|
-
classes_planned: [],
|
|
83
|
-
fields_planned: [],
|
|
84
|
-
skip_reason: "no-matched-field",
|
|
85
|
-
});
|
|
86
|
-
continue;
|
|
87
|
-
}
|
|
88
|
-
|
|
89
|
-
const classesPlanned = Array.from(new Set(detected.map((d) => d.class)));
|
|
90
|
-
const fieldsPlanned = Array.from(new Set(detected.map((d) => d.field)));
|
|
91
|
-
out.push({
|
|
92
|
-
path: ep.path,
|
|
93
|
-
method: m,
|
|
94
|
-
planned: true,
|
|
95
|
-
classes_planned: classesPlanned,
|
|
96
|
-
fields_planned: fieldsPlanned,
|
|
97
|
-
skip_reason: null,
|
|
98
|
-
});
|
|
99
|
-
}
|
|
100
|
-
return out;
|
|
101
|
-
}
|
|
102
|
-
|
|
103
|
-
function statusFromSeverity(s: SecurityVerdict["severity"]): ProbeEndpointStatus {
|
|
104
|
-
if (s === "high") return "high";
|
|
105
|
-
if (s === "low") return "low";
|
|
106
|
-
if (s === "ok") return "ok";
|
|
107
|
-
if (s === "skipped") return "skipped";
|
|
108
|
-
return "inconclusive";
|
|
109
|
-
}
|
|
110
|
-
|
|
111
|
-
function evidenceFromFinding(f: SecurityVerdict["findings"][number]): Record<string, unknown> {
|
|
112
|
-
return {
|
|
113
|
-
field: f.field,
|
|
114
|
-
payload: f.payload,
|
|
115
|
-
status: f.status,
|
|
116
|
-
echoed: f.echoed,
|
|
117
|
-
reason: f.reason,
|
|
118
|
-
...(f.recommended_action ? { recommended_action: f.recommended_action } : {}),
|
|
119
|
-
};
|
|
120
|
-
}
|
|
121
|
-
|
|
122
|
-
function toProbeResult(sec: SecurityProbeResult): ProbeResult {
|
|
123
|
-
const endpoints: ProbeEndpointResult[] = sec.verdicts.map((v) => ({
|
|
124
|
-
path: v.path,
|
|
125
|
-
method: v.method,
|
|
126
|
-
classes_run: Array.from(new Set(v.detectedFields.map((d) => d.class))),
|
|
127
|
-
findings: v.findings.map((f) => ({
|
|
128
|
-
class: f.class,
|
|
129
|
-
severity:
|
|
130
|
-
f.severity === "inconclusive" || f.severity === "inconclusive-baseline"
|
|
131
|
-
? "inconclusive"
|
|
132
|
-
: f.severity === "skipped"
|
|
133
|
-
? "ok"
|
|
134
|
-
: f.severity === "info"
|
|
135
|
-
// ARV-253: ProbeFindingSeverity has no "info" tier. Collapse
|
|
136
|
-
// info → low for the public probe-result envelope; the digest
|
|
137
|
-
// / structured per-endpoint shape preserves the distinction.
|
|
138
|
-
? "low"
|
|
139
|
-
: f.severity === "medium"
|
|
140
|
-
// ARV-254: ProbeFindingSeverity has no "medium" tier — collapse
|
|
141
|
-
// to "low" for the wire shape. MEDIUM is a digest-only severity
|
|
142
|
-
// marker (SSRF accept on endpoint declaring delivery, no OOB);
|
|
143
|
-
// by design it must NOT gate CI as a HIGH would.
|
|
144
|
-
? "low"
|
|
145
|
-
: f.severity,
|
|
146
|
-
evidence: evidenceFromFinding(f),
|
|
147
|
-
})),
|
|
148
|
-
status: statusFromSeverity(v.severity),
|
|
149
|
-
...(v.skipReason ? { skip_reason: v.skipReason } : {}),
|
|
150
|
-
}));
|
|
151
|
-
const by_status: Record<ProbeEndpointStatus, number> = {
|
|
152
|
-
ok: 0, high: 0, low: 0, inconclusive: 0, skipped: 0,
|
|
153
|
-
};
|
|
154
|
-
for (const ep of endpoints) by_status[ep.status]++;
|
|
155
|
-
return {
|
|
156
|
-
endpoints,
|
|
157
|
-
summary: {
|
|
158
|
-
totalEndpoints: sec.totalEndpoints,
|
|
159
|
-
probed: sec.specProbed,
|
|
160
|
-
by_status,
|
|
161
|
-
},
|
|
162
|
-
warnings: sec.warnings,
|
|
163
|
-
};
|
|
164
|
-
}
|
|
165
|
-
|
|
166
|
-
export class SecurityProbe implements Probe {
|
|
167
|
-
readonly name = "security";
|
|
168
|
-
readonly description =
|
|
169
|
-
"Live security probes: SSRF / CRLF / open-redirect. Spec-driven field detection + baseline-OK gate.";
|
|
170
|
-
readonly commonFlags = FLAGS;
|
|
171
|
-
|
|
172
|
-
async dryRun(ctx: ProbeContext): Promise<EndpointPlan[]> {
|
|
173
|
-
const classes = (ctx.classes ?? SECURITY_CLASSES) as SecurityClass[];
|
|
174
|
-
const isolated = ctx.options["isolated"] === true;
|
|
175
|
-
return planForSecurity(ctx, classes, isolated);
|
|
176
|
-
}
|
|
177
|
-
|
|
178
|
-
async run(ctx: ProbeContext): Promise<ProbeResult> {
|
|
179
|
-
const classes = (ctx.classes ?? SECURITY_CLASSES) as SecurityClass[];
|
|
180
|
-
const sec = await runSecurityProbes({
|
|
181
|
-
endpoints: ctx.endpoints,
|
|
182
|
-
securitySchemes: ctx.securitySchemes,
|
|
183
|
-
vars: ctx.vars,
|
|
184
|
-
classes,
|
|
185
|
-
noCleanup: ctx.options["noCleanup"] === true,
|
|
186
|
-
timeoutMs: typeof ctx.options["timeoutMs"] === "number" ? (ctx.options["timeoutMs"] as number) : undefined,
|
|
187
|
-
isolated: ctx.options["isolated"] === true,
|
|
188
|
-
});
|
|
189
|
-
const result = toProbeResult(sec);
|
|
190
|
-
// Pass through the raw sec result for legacy markdown rendering and
|
|
191
|
-
// for orphan-tracker consumers that need the full SecurityVerdict[].
|
|
192
|
-
result.extras = { raw: sec };
|
|
193
|
-
return result;
|
|
194
|
-
}
|
|
195
|
-
|
|
196
|
-
report(format: ProbeReportFormat, result: ProbeResult): string | object {
|
|
197
|
-
if (format === "markdown") {
|
|
198
|
-
const raw = (result.extras?.["raw"] as SecurityProbeResult | undefined);
|
|
199
|
-
if (raw) return formatSecurityDigest(raw, "");
|
|
200
|
-
return "(no markdown digest available)";
|
|
201
|
-
}
|
|
202
|
-
return {
|
|
203
|
-
endpoints: result.endpoints,
|
|
204
|
-
summary: result.summary,
|
|
205
|
-
};
|
|
206
|
-
}
|
|
207
|
-
}
|
|
@@ -1,32 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Barrel re-export for `zond probe-security <classes>`.
|
|
3
|
-
*
|
|
4
|
-
* The probe pipeline lives in `./security/`:
|
|
5
|
-
* - types.ts — public types / interfaces
|
|
6
|
-
* - detectors.ts — field detectors + payload table
|
|
7
|
-
* - baseline.ts — baseline send + snapshot/restore (PUT/PATCH cleanup)
|
|
8
|
-
* - classify.ts — per-finding classification + echo detection
|
|
9
|
-
* - cleanup.ts — best-effort DELETE on stateful endpoints
|
|
10
|
-
* - digest.ts — markdown digest formatter
|
|
11
|
-
* - regression.ts — regression-suite YAML emission
|
|
12
|
-
* - orchestrator.ts — runSecurityProbes + probeOneEndpoint loop
|
|
13
|
-
*
|
|
14
|
-
* History: split out of a 1473-LOC monolith (ARV-295, 2026-05-18) to keep
|
|
15
|
-
* each concern in a focused file. The public API surface is unchanged.
|
|
16
|
-
*/
|
|
17
|
-
export type {
|
|
18
|
-
SecurityClass,
|
|
19
|
-
SecuritySeverity,
|
|
20
|
-
SecurityFieldHit,
|
|
21
|
-
SecurityFinding,
|
|
22
|
-
SecurityVerdict,
|
|
23
|
-
SecurityProbeOptions,
|
|
24
|
-
CleanupFeasibility,
|
|
25
|
-
SecurityProbeResult,
|
|
26
|
-
} from "./security/types.ts";
|
|
27
|
-
export { SECURITY_CLASSES } from "./security/types.ts";
|
|
28
|
-
export { detectFields } from "./security/detectors.ts";
|
|
29
|
-
export { runSecurityProbes } from "./security/orchestrator.ts";
|
|
30
|
-
export { classifyEcho } from "./security/classify.ts";
|
|
31
|
-
export { formatSecurityDigest } from "./security/digest.ts";
|
|
32
|
-
export { emitSecurityRegressionSuites } from "./security/regression.ts";
|