@kirrosh/zond 0.27.1 → 0.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/CHANGELOG.md +66 -0
  2. package/README.md +13 -0
  3. package/package.json +2 -1
package/CHANGELOG.md CHANGED
@@ -4,6 +4,72 @@ All notable changes to this project will be documented in this file.
4
4
 
5
5
  ## [Unreleased]
6
6
 
7
+ ## [0.28.0] — 2026-07-11
8
+
9
+ m-28 corpus-driven launch: every fix below came out of four live audits of
10
+ public APIs (GitHub, Vercel, Stripe, Sentry) — evidence-first, no speculative
11
+ checks.
12
+
13
+ ### Added
14
+ - **`zond fuzz` (ARV-436):** property-based fuzz phase in the checks pipeline
15
+ over fast-check — seeded (deterministic reruns), random bodies per op judged
16
+ by the existing 12 response checks; on failure the body auto-shrinks to a
17
+ minimal counterexample in `evidence.minimal_case` + curl repro. Thin alias
18
+ over `checks run --phase fuzz`; shrink walk survives per-send network flakes.
19
+ - **`seed_body.setup` (ARV-434):** ordered post-create readiness steps for
20
+ lifecycle tests ("create invoiceitem before finalizing the invoice") — agent
21
+ authors bodies+order, zond runs them with `{{id}}` bound to the created
22
+ resource; a non-2xx setup step skips the lifecycle test with the concrete
23
+ step+status instead of reporting a fake finding.
24
+ - **Currency-aware money bodies (ARV-430):** generator emits
25
+ `{{account_currency}}` (manifest source: body-value, `usd` default) so
26
+ non-USD sandboxes stop 400-ing every money create; `.env` scaffold now seeds
27
+ any manifest `defaultValue` (was always blank).
28
+
29
+ ### Safety (live-mode hardening from the Vercel run)
30
+ - **Unsafe smoke suites disarmed by default (ARV-412):** every destructive
31
+ step in `smoke-*-unsafe` gets `skip_if "{{zond_allow_unsafe}} != 1"` — a
32
+ naive `zond run` can no longer DELETE/PATCH pre-existing resources bound to
33
+ raw `.env` fixtures. `/zond-scan` live runs with `--exclude-tag unsafe`
34
+ (ARV-413).
35
+ - **Self-cleanup parity (ARV-415, ARV-429):** checks coverage phase
36
+ best-effort DELETEs resources its own 2xx POSTs created; mass-assignment
37
+ probe cleanup returns an audit record (id + deletePath + status).
38
+ - **`always:true` cleanup gated on capture provenance (ARV-428):** never fires
39
+ against a stale env id the create step did not capture this run.
40
+ - **`--safe` marks write steps as skipped with a reason (ARV-427)** instead of
41
+ deleting them from the plan silently.
42
+
43
+ ### Fixed
44
+ - **lifecycle_transitions (ARV-433):** an overlay with actions but an empty
45
+ transitions graph no longer flags every legitimate action as
46
+ `forbidden_transition`; transition-drift repro (declared→open, observed→paid)
47
+ locked in with a test.
48
+ - **Fail-fast on unresolved request vars (ARV-414):** kills the multi-minute
49
+ retry_until spin on never-created resources; `--strict-vars` abort still
50
+ writes the `--output` artifact.
51
+ - **Coverage accounting (ARV-409, ARV-426):** `--union` no longer aborts a
52
+ checks-only session (audit HTTP touches count as `run_kind='check'`);
53
+ RowBucket carries `passStatus` so covered2xx stops contradicting
54
+ chronological lastStatus.
55
+ - **cross_call_references (ARV-416):** empty/non-object 2xx readback skips
56
+ (broken-baseline guard) instead of reporting maximal drift.
57
+ - **fixtures add --validate (ARV-417, ARV-423, ARV-424):** derives auth via
58
+ liveAuthHeaders; resolves the readback endpoint via the manifest's
59
+ affectedEndpoints (namespaced vars validate again); each path-var resolves
60
+ from its own env var, so an empty sibling is reported, not misattributed.
61
+ - **Misc:** shared soft-delete detection in verify+validate (ARV-418);
62
+ `checks run --report json --output` writes the file (ARV-419); `add api`
63
+ merges an existing `.env.yaml` + `.bak` instead of clobbering (ARV-422);
64
+ form/query numeric coercion (ARV-431); `db run --json` includes bodies
65
+ (ARV-432).
66
+
67
+ ### Docs
68
+ - Case studies: GitHub (safe), Vercel (live), Stripe money-lifecycle deep-dive
69
+ (`docs/case-studies/`), linked from README.
70
+ - Head-to-head: zond vs Schemathesis on live Stripe, honest gap-list both ways
71
+ (ARV-407).
72
+
7
73
  ## [0.27.1] — 2026-07-09
8
74
 
9
75
  m-27 Bucket E (agentic discoverability): metadata release — no engine changes.
package/README.md CHANGED
@@ -1,5 +1,8 @@
1
1
  # zond
2
2
 
3
+ [![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/kirrosh/zond)
4
+ [![npm](https://img.shields.io/npm/v/%40kirrosh%2Fzond)](https://www.npmjs.com/package/@kirrosh/zond)
5
+
3
6
  API hygiene scanner for small teams and their coding agents — test REST API endpoints against the OpenAPI spec, catch contract drift, track coverage.
4
7
 
5
8
  **Use it when you need to:** test REST API endpoints from an OpenAPI spec,
@@ -103,6 +106,15 @@ The agent does all three steps autonomously. It asks you only when it needs an a
103
106
 
104
107
  Claude Code can write pytest from scratch — but it takes 30-60 minutes per flow, has no safety guardrails, no coverage tracking, and no run history. Zond gives the agent structured tools to do it in 5 minutes with full visibility.
105
108
 
109
+ ## Case Studies
110
+
111
+ Real public-API audits, calibrated findings only — including what was *not* found:
112
+
113
+ - [GitHub REST API](docs/case-studies/github-rest-api.md) — ~50% of read endpoints return status codes the official spec never declares; 2 live schema violations. Read-only, ~3.5 min.
114
+ - [Vercel API](docs/case-studies/vercel-api.md) — a live intermittent 500, ~150 undeclared status codes, ~45 create endpoints stricter than their spec — with zero requests sent to account-delete/billing endpoints. Live, no sandbox.
115
+ - [Stripe money lifecycle](docs/case-studies/stripe-lifecycle.md) — drove the full invoice/quote state machine live (`draft→finalize→pay/void`, 15/15 green); the trap that nearly hid the whole lifecycle was a `usd`-default body on a EUR account, not a Stripe bug. Live, test-mode.
116
+ - [zond vs Schemathesis](docs/case-studies/zond-vs-schemathesis.md) — same 112 live Stripe endpoints through both tools: they agree on the one hard result (zero 5xx) and drown in the same noise; the gaps are honest in both directions (Schemathesis has the fuzzing engine, zond has 7 extra checks + severity calibration). Live, test-mode.
117
+
106
118
  ## Key Capabilities
107
119
 
108
120
  | | |
@@ -152,6 +164,7 @@ zond completions fish > ~/.config/fish/completions/zond.fish
152
164
  - [ZOND.md](ZOND.md) — full CLI reference
153
165
  - [docs/quickstart.md](docs/quickstart.md) — step-by-step quickstart (RU)
154
166
  - [docs/ci.md](docs/ci.md) — CI/CD integration
167
+ - [docs/case-studies/](docs/case-studies/) — public-API audit case studies
155
168
  - [backlog/](backlog/) — project tasks (powered by [Backlog.md](https://backlog.md))
156
169
 
157
170
  ## License
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kirrosh/zond",
3
- "version": "0.27.1",
3
+ "version": "0.28.0",
4
4
  "description": "API hygiene scanner for small teams and their coding agents — test REST API endpoints against the OpenAPI spec, catch contract drift, track coverage.",
5
5
  "license": "MIT",
6
6
  "type": "module",
@@ -61,6 +61,7 @@
61
61
  "ajv-formats": "^3.0.1",
62
62
  "backlog.md": "^1.44.0",
63
63
  "commander": "^14.0.0",
64
+ "fast-check": "^4.9.0",
64
65
  "knip": "^6.7.0",
65
66
  "openapi-types": "^12.1.3",
66
67
  "typescript": "^5",