@kirrosh/zond 0.27.0 → 0.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/CHANGELOG.md +84 -0
  2. package/README.md +31 -2
  3. package/package.json +25 -8
package/CHANGELOG.md CHANGED
@@ -4,6 +4,90 @@ All notable changes to this project will be documented in this file.
4
4
 
5
5
  ## [Unreleased]
6
6
 
7
+ ## [0.28.0] — 2026-07-11
8
+
9
+ m-28 corpus-driven launch: every fix below came out of four live audits of
10
+ public APIs (GitHub, Vercel, Stripe, Sentry) — evidence-first, no speculative
11
+ checks.
12
+
13
+ ### Added
14
+ - **`zond fuzz` (ARV-436):** property-based fuzz phase in the checks pipeline
15
+ over fast-check — seeded (deterministic reruns), random bodies per op judged
16
+ by the existing 12 response checks; on failure the body auto-shrinks to a
17
+ minimal counterexample in `evidence.minimal_case` + curl repro. Thin alias
18
+ over `checks run --phase fuzz`; shrink walk survives per-send network flakes.
19
+ - **`seed_body.setup` (ARV-434):** ordered post-create readiness steps for
20
+ lifecycle tests ("create invoiceitem before finalizing the invoice") — agent
21
+ authors bodies+order, zond runs them with `{{id}}` bound to the created
22
+ resource; a non-2xx setup step skips the lifecycle test with the concrete
23
+ step+status instead of reporting a fake finding.
24
+ - **Currency-aware money bodies (ARV-430):** generator emits
25
+ `{{account_currency}}` (manifest source: body-value, `usd` default) so
26
+ non-USD sandboxes stop 400-ing every money create; `.env` scaffold now seeds
27
+ any manifest `defaultValue` (was always blank).
28
+
29
+ ### Safety (live-mode hardening from the Vercel run)
30
+ - **Unsafe smoke suites disarmed by default (ARV-412):** every destructive
31
+ step in `smoke-*-unsafe` gets `skip_if "{{zond_allow_unsafe}} != 1"` — a
32
+ naive `zond run` can no longer DELETE/PATCH pre-existing resources bound to
33
+ raw `.env` fixtures. `/zond-scan` live runs with `--exclude-tag unsafe`
34
+ (ARV-413).
35
+ - **Self-cleanup parity (ARV-415, ARV-429):** checks coverage phase
36
+ best-effort DELETEs resources its own 2xx POSTs created; mass-assignment
37
+ probe cleanup returns an audit record (id + deletePath + status).
38
+ - **`always:true` cleanup gated on capture provenance (ARV-428):** never fires
39
+ against a stale env id the create step did not capture this run.
40
+ - **`--safe` marks write steps as skipped with a reason (ARV-427)** instead of
41
+ deleting them from the plan silently.
42
+
43
+ ### Fixed
44
+ - **lifecycle_transitions (ARV-433):** an overlay with actions but an empty
45
+ transitions graph no longer flags every legitimate action as
46
+ `forbidden_transition`; transition-drift repro (declared→open, observed→paid)
47
+ locked in with a test.
48
+ - **Fail-fast on unresolved request vars (ARV-414):** kills the multi-minute
49
+ retry_until spin on never-created resources; `--strict-vars` abort still
50
+ writes the `--output` artifact.
51
+ - **Coverage accounting (ARV-409, ARV-426):** `--union` no longer aborts a
52
+ checks-only session (audit HTTP touches count as `run_kind='check'`);
53
+ RowBucket carries `passStatus` so covered2xx stops contradicting
54
+ chronological lastStatus.
55
+ - **cross_call_references (ARV-416):** empty/non-object 2xx readback skips
56
+ (broken-baseline guard) instead of reporting maximal drift.
57
+ - **fixtures add --validate (ARV-417, ARV-423, ARV-424):** derives auth via
58
+ liveAuthHeaders; resolves the readback endpoint via the manifest's
59
+ affectedEndpoints (namespaced vars validate again); each path-var resolves
60
+ from its own env var, so an empty sibling is reported, not misattributed.
61
+ - **Misc:** shared soft-delete detection in verify+validate (ARV-418);
62
+ `checks run --report json --output` writes the file (ARV-419); `add api`
63
+ merges an existing `.env.yaml` + `.bak` instead of clobbering (ARV-422);
64
+ form/query numeric coercion (ARV-431); `db run --json` includes bodies
65
+ (ARV-432).
66
+
67
+ ### Docs
68
+ - Case studies: GitHub (safe), Vercel (live), Stripe money-lifecycle deep-dive
69
+ (`docs/case-studies/`), linked from README.
70
+ - Head-to-head: zond vs Schemathesis on live Stripe, honest gap-list both ways
71
+ (ARV-407).
72
+
73
+ ## [0.27.1] — 2026-07-09
74
+
75
+ m-27 Bucket E (agentic discoverability): metadata release — no engine changes.
76
+
77
+ ### Added
78
+ - **Claude Code plugin / self-serve marketplace (ARV-395):**
79
+ `.claude-plugin/{plugin,marketplace}.json` — install skills via
80
+ `/plugin marketplace add kirrosh/zond`; skills mirrored to root
81
+ `skills/<name>/SKILL.md` (synced from init templates, drift-checked in
82
+ `bun run check`), also picked up by SkillsMP / `npx skills add kirrosh/zond`.
83
+ - **Agent discovery files (ARV-394):** `llms.txt` (machine index of docs) and
84
+ `context7.json` (Context7 config with agent rules) at the repo root.
85
+
86
+ ### Changed
87
+ - **Agentic metadata (ARV-393, ARV-400):** canonical tagline in npm
88
+ `description`, task-shaped `keywords`, `repository`/`homepage`/`bugs` links;
89
+ agent-first README top (what → when → install → minimal example).
90
+
7
91
  ## [0.27.0] — 2026-07-09
8
92
 
9
93
  m-27 start-distribution: every install channel works on a clean machine,
package/README.md CHANGED
@@ -1,8 +1,21 @@
1
1
  # zond
2
2
 
3
- API hygiene scanner for small teams — AI-powered API testing for Claude Code, Cursor, and CI/CD.
3
+ [![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/kirrosh/zond)
4
+ [![npm](https://img.shields.io/npm/v/%40kirrosh%2Fzond)](https://www.npmjs.com/package/@kirrosh/zond)
4
5
 
5
- Say "test my API" get working tests, coverage dashboard, and CI config in minutes.
6
+ API hygiene scanner for small teams and their coding agents — test REST API endpoints against the OpenAPI spec, catch contract drift, track coverage.
7
+
8
+ **Use it when you need to:** test REST API endpoints from an OpenAPI spec,
9
+ verify an API contract after a deploy, debug a failing HTTP request with
10
+ stored run history, or raise endpoint coverage. Works standalone or through
11
+ a coding agent (Claude Code, Cursor) — say "test my API" and the agent
12
+ drives zond for you.
13
+
14
+ ```bash
15
+ curl -fsSL https://raw.githubusercontent.com/kirrosh/zond/master/install.sh | sh # or: npm i -g @kirrosh/zond
16
+ zond init && zond add api my-api --spec ./openapi.json
17
+ zond audit --api my-api --safe # read-only pass: spec lint → probes → tests → coverage → HTML report
18
+ ```
6
19
 
7
20
  > **Safe by default.** The first run (`zond audit --safe`) sends read-only
8
21
  > GET traffic — no writes, no deletes, nothing destructive. Mutating
@@ -21,6 +34,12 @@ Zond reads your OpenAPI spec and gives your AI agent everything it needs to test
21
34
  | **npm** (needs Node 20+) | `npm install -g @kirrosh/zond` |
22
35
  | **Windows** | `iwr https://raw.githubusercontent.com/kirrosh/zond/master/install.ps1 \| iex` |
23
36
  | **Manual** | grab a binary from [releases](https://github.com/kirrosh/zond/releases/latest) (darwin arm64/x64, linux x64/arm64, win x64) |
37
+ | **Claude Code plugin** | `/plugin marketplace add kirrosh/zond` then `/plugin install zond@zond` — the agent skills without `zond init` |
38
+ | **Agent skills** ([skills.sh](https://www.skills.sh)) | `npx skills add kirrosh/zond` |
39
+
40
+ The plugin/skills channels ship the [five zond skills](skills/) (audit
41
+ pipeline, depth checks, fixture seeding, triage, target warm-up); the zond
42
+ binary itself still comes from any of the channels above.
24
43
 
25
44
  Every channel ships the same self-contained binary — no Bun or Node
26
45
  required at runtime (npm uses Node only as a thin launcher).
@@ -87,6 +106,15 @@ The agent does all three steps autonomously. It asks you only when it needs an a
87
106
 
88
107
  Claude Code can write pytest from scratch — but it takes 30-60 minutes per flow, has no safety guardrails, no coverage tracking, and no run history. Zond gives the agent structured tools to do it in 5 minutes with full visibility.
89
108
 
109
+ ## Case Studies
110
+
111
+ Real public-API audits, calibrated findings only — including what was *not* found:
112
+
113
+ - [GitHub REST API](docs/case-studies/github-rest-api.md) — ~50% of read endpoints return status codes the official spec never declares; 2 live schema violations. Read-only, ~3.5 min.
114
+ - [Vercel API](docs/case-studies/vercel-api.md) — a live intermittent 500, ~150 undeclared status codes, ~45 create endpoints stricter than their spec — with zero requests sent to account-delete/billing endpoints. Live, no sandbox.
115
+ - [Stripe money lifecycle](docs/case-studies/stripe-lifecycle.md) — drove the full invoice/quote state machine live (`draft→finalize→pay/void`, 15/15 green); the trap that nearly hid the whole lifecycle was a `usd`-default body on a EUR account, not a Stripe bug. Live, test-mode.
116
+ - [zond vs Schemathesis](docs/case-studies/zond-vs-schemathesis.md) — same 112 live Stripe endpoints through both tools: they agree on the one hard result (zero 5xx) and drown in the same noise; the gaps are honest in both directions (Schemathesis has the fuzzing engine, zond has 7 extra checks + severity calibration). Live, test-mode.
117
+
90
118
  ## Key Capabilities
91
119
 
92
120
  | | |
@@ -136,6 +164,7 @@ zond completions fish > ~/.config/fish/completions/zond.fish
136
164
  - [ZOND.md](ZOND.md) — full CLI reference
137
165
  - [docs/quickstart.md](docs/quickstart.md) — step-by-step quickstart (RU)
138
166
  - [docs/ci.md](docs/ci.md) — CI/CD integration
167
+ - [docs/case-studies/](docs/case-studies/) — public-API audit case studies
139
168
  - [backlog/](backlog/) — project tasks (powered by [Backlog.md](https://backlog.md))
140
169
 
141
170
  ## License
package/package.json CHANGED
@@ -1,16 +1,31 @@
1
1
  {
2
2
  "name": "@kirrosh/zond",
3
- "version": "0.27.0",
4
- "description": "API testing platformdefine tests in YAML, run from CLI, generate from OpenAPI specs",
3
+ "version": "0.28.0",
4
+ "description": "API hygiene scanner for small teams and their coding agents test REST API endpoints against the OpenAPI spec, catch contract drift, track coverage.",
5
5
  "license": "MIT",
6
6
  "type": "module",
7
+ "repository": {
8
+ "type": "git",
9
+ "url": "git+https://github.com/kirrosh/zond.git"
10
+ },
11
+ "homepage": "https://github.com/kirrosh/zond#readme",
12
+ "bugs": {
13
+ "url": "https://github.com/kirrosh/zond/issues"
14
+ },
7
15
  "keywords": [
8
- "api",
9
- "testing",
16
+ "api-testing",
17
+ "rest-api",
10
18
  "openapi",
11
- "yaml",
19
+ "contract-testing",
20
+ "contract-drift",
21
+ "schema-validation",
22
+ "api-coverage",
23
+ "api-hygiene",
24
+ "coding-agents",
25
+ "ai-agents",
26
+ "claude-code",
27
+ "sarif",
12
28
  "cli",
13
- "rest",
14
29
  "http"
15
30
  ],
16
31
  "files": [
@@ -31,11 +46,12 @@
31
46
  "test": "bun run test:unit && bun run test:mocked",
32
47
  "test:unit": "bun test tests/",
33
48
  "test:mocked": "bun run scripts/run-mocked-tests.ts",
34
- "check": "tsc --noEmit --project tsconfig.json",
49
+ "check": "tsc --noEmit --project tsconfig.json && bun run scripts/sync-plugin-skills.ts --check",
35
50
  "schemas": "bun run scripts/emit-json-schemas.ts",
36
51
  "schemas:check": "bun run scripts/emit-json-schemas.ts --check",
37
52
  "lint:dead": "knip --reporter compact",
38
- "build": "bun build --compile src/cli/index.ts --outfile dist/zond && bun run scripts/codesign-darwin.ts ./dist/zond"
53
+ "build": "bun build --compile src/cli/index.ts --outfile dist/zond && bun run scripts/codesign-darwin.ts ./dist/zond",
54
+ "sync:plugin": "bun run scripts/sync-plugin-skills.ts"
39
55
  },
40
56
  "devDependencies": {
41
57
  "@readme/openapi-parser": "^5.5.0",
@@ -45,6 +61,7 @@
45
61
  "ajv-formats": "^3.0.1",
46
62
  "backlog.md": "^1.44.0",
47
63
  "commander": "^14.0.0",
64
+ "fast-check": "^4.9.0",
48
65
  "knip": "^6.7.0",
49
66
  "openapi-types": "^12.1.3",
50
67
  "typescript": "^5",