@qasshq/qass 0.1.2

package/dist/runners/e2e/playwright-runner.js

@@ -0,0 +1,309 @@
+import chalk from "chalk";
+export async function runE2ETests(config, projectPath, diff, smokeOnly = false) {
+    const results = [];
+    let playwright;
+    try {
+        const mod = "playwright";
+        playwright = await import(/* @vite-ignore */ mod);
+    }
+    catch {
+        console.log(chalk.yellow("  Playwright not installed. Run: npm i -D playwright"));
+        return results;
+    }
+    const frontendUrl = config.services?.frontend?.url;
+    if (!frontendUrl) {
+        console.log(chalk.dim("  No frontend service configured"));
+        return results;
+    }
+    const isUp = await checkFrontend(frontendUrl);
+    if (!isUp) {
+        console.log(chalk.yellow("  Frontend not running. Skipping E2E tests."));
+        return results;
+    }
+    const changedPages = diff.changedFiles
+        .filter((f) => f.category === "frontend_page" || f.category === "component")
+        .map((f) => filePathToRoute(f.path));
+    const pagesToTest = changedPages.length > 0 ? changedPages : ["/"];
+    console.log(chalk.dim(`  Testing ${pagesToTest.length} pages...`));
+    const browser = await playwright.chromium.launch({ headless: true });
+    try {
+        const viewports = config.e2e?.viewports ?? [
+            { width: 1280, height: 720, name: "desktop" },
+        ];
+        for (const page of pagesToTest) {
+            for (const viewport of viewports) {
+                const context = await browser.newContext({
+                    viewport: { width: viewport.width, height: viewport.height },
+                });
+                const browserPage = await context.newPage();
+                const pageResults = await testPage(browserPage, frontendUrl, page, viewport.name, config, projectPath, smokeOnly);
+                results.push(...pageResults);
+                await context.close();
+            }
+        }
+        if (!smokeOnly && config.flows) {
+            const flowResults = await runFlows(playwright, browser, config, frontendUrl, projectPath);
+            results.push(...flowResults);
+        }
+    }
+    finally {
+        await browser.close();
+    }
+    return results;
+}
+async function testPage(page, baseUrl, route, viewportName, config, projectPath, smokeOnly) {
+    const results = [];
+    const url = `${baseUrl}${route}`;
+    const errors = [];
+    const networkErrors = [];
+    page.on("console", (msg) => {
+        if (msg.type() === "error") {
+            errors.push(msg.text());
+        }
+    });
+    page.on("pageerror", (err) => {
+        errors.push(`Uncaught: ${err.message}`);
+    });
+    page.on("response", (res) => {
+        if (res.status() >= 400) {
+            networkErrors.push(`${res.status()} ${res.url()}`);
+        }
+    });
+    page.on("requestfailed", (req) => {
+        networkErrors.push(`FAILED ${req.url()} ${req.failure()?.errorText ?? ""}`);
+    });
+    try {
+        const response = await page.goto(url, {
+            waitUntil: "networkidle",
+            timeout: 15000,
+        });
+        if (!response || response.status() >= 400) {
+            results.push({
+                name: `Page load ${route} [${viewportName}]`,
+                type: "e2e",
+                status: "failed",
+                error: `Page returned ${response?.status() ?? "no response"}`,
+                fix: `Check that ${route} is a valid route and the frontend is configured correctly.`,
+            });
+            return results;
+        }
+        results.push({
+            name: `Page load ${route} [${viewportName}]`,
+            type: "e2e",
+            status: "passed",
+        });
+    }
+    catch (e) {
+        results.push({
+            name: `Page load ${route} [${viewportName}]`,
+            type: "e2e",
+            status: "failed",
+            error: `Navigation failed: ${e instanceof Error ? e.message : "timeout"}`,
+            fix: `Page may be crashing on load. Check for initialization errors in the component.`,
+        });
+        return results;
+    }
+    if (errors.length > 0) {
+        results.push({
+            name: `Console errors on ${route} [${viewportName}]`,
+            type: "e2e",
+            status: "failed",
+            error: `${errors.length} console error(s): ${errors.slice(0, 3).join("; ")}`,
+            fix: `Fix the console errors on ${route}. These indicate runtime JavaScript failures.`,
+        });
+    }
+    if (networkErrors.length > 0) {
+        const critical = networkErrors.filter((e) => e.startsWith("5") || e.startsWith("FAILED"));
+        if (critical.length > 0) {
+            results.push({
+                name: `Network errors on ${route} [${viewportName}]`,
+                type: "e2e",
+                status: "failed",
+                error: `${critical.length} failed request(s): ${critical.slice(0, 3).join("; ")}`,
+                fix: `Fix the failed API calls on ${route}. 5xx errors indicate server-side issues.`,
+            });
+        }
+    }
+    if (config.e2e?.smoke_crawl !== false) {
+        const smokeResults = await smokeCrawl(page, route, viewportName, config);
+        results.push(...smokeResults);
+    }
+    if (!smokeOnly && config.e2e?.visual_regression) {
+        const vizResult = await visualRegression(page, route, viewportName, projectPath, config);
+        if (vizResult)
+            results.push(vizResult);
+    }
+    return results;
+}
+async function smokeCrawl(page, route, viewportName, config) {
+    const results = [];
+    try {
+        const buttons = await page.$$("button:visible, [role='button']:visible");
+        let clickErrors = 0;
+        for (const btn of buttons.slice(0, 10)) {
+            try {
+                const text = await btn.textContent();
+                if (/sign out|logout|delete|remove|cancel/i.test(text ?? ""))
+                    continue;
+                const errorsBeforeClick = [];
+                const errorHandler = (msg) => {
+                    if (msg.type() === "error")
+                        errorsBeforeClick.push(msg.text());
+                };
+                page.on("console", errorHandler);
+                await btn.click({ timeout: 3000 }).catch(() => { });
+                await page.waitForTimeout(500);
+                page.removeListener("console", errorHandler);
+                if (errorsBeforeClick.length > 0)
+                    clickErrors++;
+            }
+            catch {
+                // element may have been removed
+            }
+        }
+        if (clickErrors > 0) {
+            results.push({
+                name: `Smoke crawl ${route} [${viewportName}]: button clicks`,
+                type: "e2e",
+                status: "failed",
+                error: `${clickErrors} button(s) caused console errors when clicked`,
+                fix: `Test buttons on ${route} — some are throwing errors on click.`,
+            });
+        }
+        const stuckSpinners = await page.$$("[class*='spinner']:visible, [class*='loading']:visible, [class*='skeleton']:visible");
+        const timeout = config.e2e?.stuck_timeout ?? 10000;
+        if (stuckSpinners.length > 0) {
+            await page.waitForTimeout(timeout);
+            const stillSpinning = await page.$$("[class*='spinner']:visible, [class*='loading']:visible, [class*='skeleton']:visible");
+            if (stillSpinning.length > 0) {
+                results.push({
+                    name: `Smoke crawl ${route} [${viewportName}]: stuck loading`,
+                    type: "e2e",
+                    status: "failed",
+                    error: `${stillSpinning.length} loading indicator(s) still visible after ${timeout / 1000}s`,
+                    fix: `Something on ${route} is stuck loading. Check for failed API calls or infinite loading states.`,
+                });
+            }
+        }
+    }
+    catch {
+        // smoke crawl failed gracefully
+    }
+    return results;
+}
+async function visualRegression(page, route, viewportName, projectPath, _config) {
+    const { resolve, join } = await import("node:path");
+    const { mkdir, readFile, writeFile } = await import("node:fs/promises");
+    const baselineDir = resolve(projectPath, ".qass", "baselines");
+    const resultDir = resolve(projectPath, ".qass", "results", "screenshots");
+    await mkdir(baselineDir, { recursive: true });
+    await mkdir(resultDir, { recursive: true });
+    const safeName = route.replace(/[^a-zA-Z0-9]/g, "_");
+    const baselinePath = join(baselineDir, `${safeName}_${viewportName}.png`);
+    const currentPath = join(resultDir, `${safeName}_${viewportName}.png`);
+    const screenshot = await page.screenshot({ fullPage: true });
+    await writeFile(currentPath, screenshot);
+    try {
+        const baseline = await readFile(baselinePath);
+        if (!Buffer.from(screenshot).equals(baseline)) {
+            return {
+                name: `Visual regression ${route} [${viewportName}]`,
+                type: "e2e",
+                status: "failed",
+                screenshot: currentPath,
+                error: `Screenshot differs from baseline.`,
+                fix: `Visual change detected on ${route}. Check ${currentPath} against baseline. Run 'qass test' with --update-baselines to accept the new version.`,
+            };
+        }
+    }
+    catch {
+        await writeFile(baselinePath, screenshot);
+    }
+    return null;
+}
+async function runFlows(playwright, browser, config, baseUrl, _projectPath) {
+    const results = [];
+    for (const [name, flow] of Object.entries(config.flows ?? {})) {
+        console.log(chalk.dim(`  Flow: ${name}`));
+        const context = await browser.newContext();
+        const page = await context.newPage();
+        let passed = true;
+        let error = "";
+        for (const step of flow.steps) {
+            try {
+                if ("goto" in step) {
+                    await page.goto(`${baseUrl}${step.goto}`, {
+                        waitUntil: "networkidle",
+                        timeout: 15000,
+                    });
+                }
+                else if ("fill" in step) {
+                    const [selector, value] = step.fill.split(" = ");
+                    await page.fill(selector.trim(), value?.trim() ?? "");
+                }
+                else if ("click" in step) {
+                    await page.click(step.click, { timeout: 5000 });
+                }
+                else if ("wait" in step) {
+                    await page.waitForSelector(step.wait, { timeout: 10000 });
+                }
+                else if ("wait_url" in step) {
+                    await page.waitForURL(`**${step.wait_url}*`, { timeout: 10000 });
+                }
+                else if ("assert_visible" in step) {
+                    const el = await page.$(step.assert_visible);
+                    if (!el || !(await el.isVisible())) {
+                        throw new Error(`Element not visible: ${step.assert_visible}`);
+                    }
+                }
+                else if ("assert_hidden" in step) {
+                    const el = await page.$(step.assert_hidden);
+                    if (el && (await el.isVisible())) {
+                        throw new Error(`Element should be hidden: ${step.assert_hidden}`);
+                    }
+                }
+                else if ("assert_url" in step) {
+                    const currentUrl = page.url();
+                    if (!currentUrl.includes(step.assert_url)) {
+                        throw new Error(`URL mismatch: expected ${step.assert_url}, got ${currentUrl}`);
+                    }
+                }
+            }
+            catch (e) {
+                passed = false;
+                error = `Step failed: ${JSON.stringify(step)} — ${e instanceof Error ? e.message : "unknown"}`;
+                break;
+            }
+        }
+        results.push({
+            name: `Flow: ${name}`,
+            type: "e2e",
+            status: passed ? "passed" : "failed",
+            error: error || undefined,
+            fix: error
+                ? `Fix the failing step in the '${name}' flow. The flow definition is in .qass/config.yaml.`
+                : undefined,
+        });
+        await context.close();
+    }
+    return results;
+}
+async function checkFrontend(url) {
+    try {
+        const res = await fetch(url, { signal: AbortSignal.timeout(5000) });
+        return res.ok || res.status < 500;
+    }
+    catch {
+        return false;
+    }
+}
+function filePathToRoute(filePath) {
+    let route = filePath
+        .replace(/.*app\//, "/")
+        .replace(/\/page\.(tsx|jsx|ts|js)$/, "")
+        .replace(/\[([^\]]+)\]/g, "test-$1");
+    if (!route || route === "/")
+        route = "/";
+    return route;
+}
+//# sourceMappingURL=playwright-runner.js.map

package/dist/runners/e2e/playwright-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"playwright-runner.js","sourceRoot":"","sources":["../../../src/runners/e2e/playwright-runner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAG1B,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAkB,EAClB,WAAmB,EACnB,IAAkB,EAClB,SAAS,GAAG,KAAK;IAEjB,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,IAAI,UAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC;QACzB,UAAU,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,MAAM,CAAC,sDAAsD,CAAC,CACrE,CAAC;QACF,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC;IACnD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC,CAAC;QAC3D,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;IAC9C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,6CAA6C,CAAC,CAAC,CAAC;QACzE,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY;SACnC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,eAAe,IAAI,CAAC,CAAC,QAAQ,KAAK,WAAW,CAAC;SAC3E,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAEvC,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAEnE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,WAAW,CAAC,MAAM,WAAW,CAAC,CAAC,CAAC;IAEnE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IAErE,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,EAAE,SAAS,IAAI;YACzC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE;SAC9C,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC;oBACvC,QAAQ,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE;iBAC7D,CAAC,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;gBAE5C,MAAM,WAAW,GAAG,MAAM,QAAQ,CAChC,WAAW,EACX,WAAW,EACX,IAAI,EACJ,QAAQ,CAAC,IAAI,EACb,MAAM,EACN,WAAW,EACX,SAAS,CACV,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;gBAE7B,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;YACxB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,QAAQ,CAChC,UAAU,EACV,OAAO,EACP,MAAM,EACN,WAAW,EACX,WAAW,CACZ,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,IAAS,EACT,OAAe,EACf,KAAa,EACb,YAAoB,EACpB,MAAkB,EAClB,WAAmB,EACnB,SAAkB;IAElB,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,KAAK,EAAE,CAAC;IACjC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAQ,EAAE,EAAE;QAC9B,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,GAAU,EAAE,EAAE;QAClC,MAAM,CAAC,IAAI,CAAC,aAAa,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC,GAAQ,EAAE,EAAE;QAC/B,IAAI,GAAG,CAAC,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;YACxB,aAAa,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,GAAQ,EAAE,EAAE;QACpC,aAAa,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,EAAE,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,SAAS,IAAI,EAAE,EAAE,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YACpC,SAAS,EAAE,aAAa;YACxB,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,aAAa,KAAK,KAAK,YAAY,GAAG;gBAC5C,IAAI,EAAE,KAAK;gBACX,MAAM,EAAE,QAAQ;gBAChB,KAAK,EAAE,iBAAiB,QAAQ,EAAE,MAAM,EAAE,IAAI,aAAa,EAAE;gBAC7D,GAAG,EAAE,cAAc,KAAK,6DAA6D;aACtF,CAAC,CAAC;YACH,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,aAAa,KAAK,KAAK,YAAY,GAAG;YAC5C,IAAI,EAAE,KAAK;YACX,MAAM,EAAE,QAAQ;SACjB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,aAAa,KAAK,KAAK,YAAY,GAAG;YAC5C,IAAI,EAAE,KAAK;YACX,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,sBAAsB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE;YACzE,GAAG,EAAE,iFAAiF;SACvF,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,qBAAqB,KAAK,KAAK,YAAY,GAAG;YACpD,IAAI,EAAE,KAAK;YACX,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,GAAG,MAAM,CAAC,MAAM,sBAAsB,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC5E,GAAG,EAAE,6BAA6B,KAAK,+CAA+C;SACvF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CACnD,CAAC;QACF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,qBAAqB,KAAK,KAAK,YAAY,GAAG;gBACpD,IAAI,EAAE,KAAK;gBACX,MAAM,EAAE,QAAQ;gBAChB,KAAK,EAAE,GAAG,QAAQ,CAAC,MAAM,uBAAuB,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACjF,GAAG,EAAE,+BAA+B,KAAK,2CAA2C;aACrF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,EAAE,WAAW,KAAK,KAAK,EAAE,CAAC;QACtC,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;QACzE,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,GAAG,EAAE,iBAAiB,EAAE,CAAC;QAChD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CACtC,IAAI,EACJ,KAAK,EACL,YAAY,EACZ,WAAW,EACX,MAAM,CACP,CAAC;QACF,IAAI,SAAS;YAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,IAAS,EACT,KAAa,EACb,YAAoB,EACpB,MAAkB;IAElB,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,yCAAyC,CAAC,CAAC;QACzE,IAAI,WAAW,GAAG,CAAC,CAAC;QAEpB,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrC,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;oBAAE,SAAS;gBAEvE,MAAM,iBAAiB,GAAa,EAAE,CAAC;gBACvC,MAAM,YAAY,GAAG,CAAC,GAAQ,EAAE,EAAE;oBAChC,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,OAAO;wBAAE,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBACjE,CAAC,CAAC;gBACF,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;gBAEjC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;gBACnD,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;gBAE/B,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;gBAE7C,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC;oBAAE,WAAW,EAAE,CAAC;YAClD,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,eAAe,KAAK,KAAK,YAAY,kBAAkB;gBAC7D,IAAI,EAAE,KAAK;gBACX,MAAM,EAAE,QAAQ;gBAChB,KAAK,EAAE,GAAG,WAAW,+CAA+C;gBACpE,GAAG,EAAE,mBAAmB,KAAK,uCAAuC;aACrE,CAAC,CAAC;QACL,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,EAAE,CACjC,qFAAqF,CACtF,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,EAAE,aAAa,IAAI,KAAK,CAAC;QAEnD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YACnC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,EAAE,CACjC,qFAAqF,CACtF,CAAC;YACF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,eAAe,KAAK,KAAK,YAAY,kBAAkB;oBAC7D,IAAI,EAAE,KAAK;oBACX,MAAM,EAAE,QAAQ;oBAChB,KAAK,EAAE,GAAG,aAAa,CAAC,MAAM,6CAA6C,OAAO,GAAG,IAAI,GAAG;oBAC5F,GAAG,EAAE,gBAAgB,KAAK,2EAA2E;iBACtG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,IAAS,EACT,KAAa,EACb,YAAoB,EACpB,WAAmB,EACnB,OAAmB;IAEnB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAExE,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;IAC1E,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE5C,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IACrD,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,EAAE,GAAG,QAAQ,IAAI,YAAY,MAAM,CAAC,CAAC;IAC1E,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,EAAE,GAAG,QAAQ,IAAI,YAAY,MAAM,CAAC,CAAC;IAEvE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7D,MAAM,SAAS,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,OAAO;gBACL,IAAI,EAAE,qBAAqB,KAAK,KAAK,YAAY,GAAG;gBACpD,IAAI,EAAE,KAAK;gBACX,MAAM,EAAE,QAAQ;gBAChB,UAAU,EAAE,WAAW;gBACvB,KAAK,EAAE,mCAAmC;gBAC1C,GAAG,EAAE,6BAA6B,KAAK,WAAW,WAAW,uFAAuF;aACrJ,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,UAAe,EACf,OAAY,EACZ,MAAkB,EAClB,OAAe,EACf,YAAoB;IAEpB,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;QACrC,IAAI,MAAM,GAAG,IAAI,CAAC;QAClB,IAAI,KAAK,GAAG,EAAE,CAAC;QAEf,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;oBACnB,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,EAAE;wBACxC,SAAS,EAAE,aAAa;wBACxB,OAAO,EAAE,KAAK;qBACf,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;oBAC1B,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBACjD,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;gBACxD,CAAC;qBAAM,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;oBAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;gBAClD,CAAC;qBAAM,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;oBAC1B,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC5D,CAAC;qBAAM,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;oBAC9B,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,QAAQ,GAAG,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;gBACnE,CAAC;qBAAM,IAAI,gBAAgB,IAAI,IAAI,EAAE,CAAC;oBACpC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;oBAC7C,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;wBACnC,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;oBACjE,CAAC;gBACH,CAAC;qBAAM,IAAI,eAAe,IAAI,IAAI,EAAE,CAAC;oBACnC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;oBAC5C,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;wBACjC,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;oBACrE,CAAC;gBACH,CAAC;qBAAM,IAAI,YAAY,IAAI,IAAI,EAAE,CAAC;oBAChC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBAC9B,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;wBAC1C,MAAM,IAAI,KAAK,CACb,0BAA0B,IAAI,CAAC,UAAU,SAAS,UAAU,EAAE,CAC/D,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,CAAU,EAAE,CAAC;gBACpB,MAAM,GAAG,KAAK,CAAC;gBACf,KAAK,GAAG,gBAAgB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;gBAC/F,MAAM;YACR,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,SAAS,IAAI,EAAE;YACrB,IAAI,EAAE,KAAK;YACX,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ;YACpC,KAAK,EAAE,KAAK,IAAI,SAAS;YACzB,GAAG,EAAE,KAAK;gBACR,CAAC,CAAC,gCAAgC,IAAI,sDAAsD;gBAC5F,CAAC,CAAC,SAAS;SACd,CAAC,CAAC;QAEH,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAW;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACpE,OAAO,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,IAAI,KAAK,GAAG,QAAQ;SACjB,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC;SACvB,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;SACvC,OAAO,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;IAEvC,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,GAAG;QAAE,KAAK,GAAG,GAAG,CAAC;IACzC,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/runners/security/dynamic-checker.d.ts

@@ -0,0 +1,3 @@
+import type { QassConfig, SecurityFinding } from "../../types.js";
+export declare function runDynamicSecurityChecks(config: QassConfig, projectPath: string): Promise<SecurityFinding[]>;
+//# sourceMappingURL=dynamic-checker.d.ts.map

package/dist/runners/security/dynamic-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamic-checker.d.ts","sourceRoot":"","sources":["../../../src/runners/security/dynamic-checker.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAY,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAG5E,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,UAAU,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,eAAe,EAAE,CAAC,CAqB5B"}

package/dist/runners/security/dynamic-checker.js

@@ -0,0 +1,136 @@
+import chalk from "chalk";
+import { discoverEndpoints } from "../api/endpoint-discovery.js";
+export async function runDynamicSecurityChecks(config, projectPath) {
+    const findings = [];
+    const baseUrl = getApiBaseUrl(config);
+    if (!baseUrl)
+        return findings;
+    const isUp = await isServerUp(baseUrl, config);
+    if (!isUp) {
+        console.log(chalk.dim("  API not running, skipping dynamic checks"));
+        return findings;
+    }
+    const endpoints = await discoverEndpoints(config, projectPath);
+    console.log(chalk.dim(`  Checking ${endpoints.length} endpoints...`));
+    findings.push(...(await checkUnauthenticatedAccess(endpoints, baseUrl)));
+    findings.push(...(await checkSecurityHeaders(baseUrl, config)));
+    findings.push(...(await checkErrorDisclosure(endpoints, baseUrl)));
+    return findings;
+}
+async function checkUnauthenticatedAccess(endpoints, baseUrl) {
+    const findings = [];
+    const authEndpoints = endpoints.filter((ep) => ep.requiresAuth && ep.method === "GET");
+    for (const ep of authEndpoints) {
+        const url = `${baseUrl}${ep.fullPath.replace(/:(\w+)/g, "test-$1")}`;
+        try {
+            const res = await fetch(url, {
+                method: "GET",
+                signal: AbortSignal.timeout(5000),
+            });
+            if (res.status === 200) {
+                findings.push({
+                    rule: "dynamic-unauth-access",
+                    severity: "HIGH",
+                    file: ep.routeFile,
+                    description: `${ep.method} ${ep.fullPath} returns 200 without authentication. This endpoint should require auth but is publicly accessible.`,
+                    fix: `Add auth middleware to this route: router.${ep.method.toLowerCase()}("${ep.path}", auth, ...)`,
+                });
+            }
+            else if (res.status >= 500) {
+                findings.push({
+                    rule: "dynamic-unauth-access",
+                    severity: "MEDIUM",
+                    file: ep.routeFile,
+                    description: `${ep.method} ${ep.fullPath} returns ${res.status} without authentication. The handler may be crashing instead of returning 401.`,
+                    fix: `Ensure auth middleware runs before the handler. The 500 error suggests the handler tries to access req.user before auth validates the token.`,
+                });
+            }
+        }
+        catch {
+            // timeout or connection error
+        }
+    }
+    return findings;
+}
+async function checkSecurityHeaders(baseUrl, config) {
+    const findings = [];
+    const requiredHeaders = config.security?.required_headers ?? [
+        "X-Content-Type-Options",
+        "Strict-Transport-Security",
+        "X-Frame-Options",
+    ];
+    try {
+        const res = await fetch(baseUrl, {
+            method: "GET",
+            signal: AbortSignal.timeout(5000),
+        });
+        for (const header of requiredHeaders) {
+            if (!res.headers.get(header)) {
+                findings.push({
+                    rule: "dynamic-security-headers",
+                    severity: "LOW",
+                    file: "API configuration",
+                    description: `Missing security header: ${header}. This header helps protect against common web attacks.`,
+                    fix: header === "Strict-Transport-Security"
+                        ? "Add Helmet middleware or set the header manually: app.use(helmet())"
+                        : `Ensure Helmet is configured and the ${header} header is not disabled.`,
+                });
+            }
+        }
+    }
+    catch {
+        // server not reachable
+    }
+    return findings;
+}
+async function checkErrorDisclosure(endpoints, baseUrl) {
+    const findings = [];
+    const testEndpoints = endpoints.filter((ep) => ep.method === "GET").slice(0, 5);
+    for (const ep of testEndpoints) {
+        const url = `${baseUrl}${ep.fullPath.replace(/:(\w+)/g, "test-$1")}`;
+        try {
+            const res = await fetch(url, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: "{{invalid json",
+                signal: AbortSignal.timeout(5000),
+            });
+            if (res.status >= 400) {
+                const body = await res.text();
+                const leaksInfo = /stack|trace|at\s+\w+\s+\(|node_modules|\.ts:|\.js:/i.test(body) ||
+                    /ECONNREFUSED|ENOTFOUND|password|secret/i.test(body);
+                if (leaksInfo) {
+                    findings.push({
+                        rule: "dynamic-error-disclosure",
+                        severity: "MEDIUM",
+                        file: ep.routeFile,
+                        description: `Error response from ${ep.method} ${ep.fullPath} leaks internal details (stack traces, file paths, or sensitive information).`,
+                        fix: `Ensure the error handler returns generic messages in production: res.json({ error: "Internal server error" }) instead of exposing err.message or err.stack.`,
+                    });
+                    break;
+                }
+            }
+        }
+        catch {
+            // expected
+        }
+    }
+    return findings;
+}
+function getApiBaseUrl(config) {
+    const api = config.services?.api;
+    if (!api)
+        return null;
+    return api.health?.replace(/\/[^/]*$/, "") ?? `http://localhost:${api.port}`;
+}
+async function isServerUp(baseUrl, config) {
+    const healthUrl = config.services?.api?.health;
+    try {
+        const res = await fetch(healthUrl ?? baseUrl, { signal: AbortSignal.timeout(5000) });
+        return res.ok || res.status < 500;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=dynamic-checker.js.map

package/dist/runners/security/dynamic-checker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamic-checker.js","sourceRoot":"","sources":["../../../src/runners/security/dynamic-checker.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AAEjE,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,MAAkB,EAClB,WAAmB;IAEnB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC,IAAI,CAAC,OAAO;QAAE,OAAO,QAAQ,CAAC;IAE9B,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC,CAAC;QACrE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAE/D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,SAAS,CAAC,MAAM,eAAe,CAAC,CAAC,CAAC;IAEtE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,0BAA0B,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IACzE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IAChE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,oBAAoB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IAEnE,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,SAAqB,EACrB,OAAe;IAEf,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC;IAEvF,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,CAAC;QACrE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YAEH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,uBAAuB;oBAC7B,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,EAAE,CAAC,SAAS;oBAClB,WAAW,EAAE,GAAG,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,QAAQ,oGAAoG;oBAC5I,GAAG,EAAE,6CAA6C,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,IAAI,eAAe;iBACrG,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBAC7B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,uBAAuB;oBAC7B,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,EAAE,CAAC,SAAS;oBAClB,WAAW,EAAE,GAAG,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,QAAQ,YAAY,GAAG,CAAC,MAAM,gFAAgF;oBAC9I,GAAG,EAAE,8IAA8I;iBACpJ,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,8BAA8B;QAChC,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,OAAe,EACf,MAAkB;IAElB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,EAAE,gBAAgB,IAAI;QAC3D,wBAAwB;QACxB,2BAA2B;QAC3B,iBAAiB;KAClB,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YAC/B,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACrC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,0BAA0B;oBAChC,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,mBAAmB;oBACzB,WAAW,EAAE,4BAA4B,MAAM,yDAAyD;oBACxG,GAAG,EAAE,MAAM,KAAK,2BAA2B;wBACzC,CAAC,CAAC,qEAAqE;wBACvE,CAAC,CAAC,uCAAuC,MAAM,0BAA0B;iBAC5E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uBAAuB;IACzB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,SAAqB,EACrB,OAAe;IAEf,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAEhF,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,CAAC;QAErE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,gBAAgB;gBACtB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YAEH,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBACtB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBAC9B,MAAM,SAAS,GACb,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC;oBAChE,yCAAyC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEvD,IAAI,SAAS,EAAE,CAAC;oBACd,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,0BAA0B;wBAChC,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,EAAE,CAAC,SAAS;wBAClB,WAAW,EAAE,uBAAuB,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,QAAQ,+EAA+E;wBAC3I,GAAG,EAAE,6JAA6J;qBACnK,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,aAAa,CAAC,MAAkB;IACvC,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC;IACjC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,oBAAoB,GAAG,CAAC,IAAI,EAAE,CAAC;AAC/E,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,OAAe,EAAE,MAAkB;IAC3D,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,MAAM,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,SAAS,IAAI,OAAO,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrF,OAAO,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/runners/security/rules/auth-middleware.d.ts

@@ -0,0 +1,13 @@
+import type { QassConfig, SecurityFinding } from "../../../types.js";
+import type { FileContent } from "../static-analyzer.js";
+/**
+ * Detects route handlers that access req.user without auth middleware in the chain.
+ *
+ * Checks for:
+ * - router.get/post/put/delete/patch calls where the handler uses req.user
+ *   but 'auth' is not in the middleware arguments
+ * - Routes that should have auth based on accessing user-specific data
+ *   but have no auth middleware applied (either inline or via router.use)
+ */
+export declare function runAuthMiddlewareRule(files: FileContent[], _config: QassConfig): Promise<SecurityFinding[]>;
+//# sourceMappingURL=auth-middleware.d.ts.map

package/dist/runners/security/rules/auth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-middleware.d.ts","sourceRoot":"","sources":["../../../../src/runners/security/rules/auth-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,WAAW,EAAE,EACpB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,eAAe,EAAE,CAAC,CAqE5B"}

package/dist/runners/security/rules/auth-middleware.js

@@ -0,0 +1,94 @@
+/**
+ * Detects route handlers that access req.user without auth middleware in the chain.
+ *
+ * Checks for:
+ * - router.get/post/put/delete/patch calls where the handler uses req.user
+ *   but 'auth' is not in the middleware arguments
+ * - Routes that should have auth based on accessing user-specific data
+ *   but have no auth middleware applied (either inline or via router.use)
+ */
+export async function runAuthMiddlewareRule(files, _config) {
+    const findings = [];
+    const routeFiles = files.filter((f) => f.path.endsWith(".routes.ts") || f.path.endsWith(".routes.js"));
+    for (const file of routeFiles) {
+        const lines = file.content.split("\n");
+        const hasRouterLevelAuth = checkRouterLevelAuth(file.content);
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const routeMatch = line.match(/router\.(get|post|put|delete|patch)\s*\(\s*["'`]([^"'`]+)["'`]/);
+            if (!routeMatch)
+                continue;
+            const method = routeMatch[1].toUpperCase();
+            const path = routeMatch[2];
+            const middlewareArgs = extractMiddlewareArgs(lines, i);
+            const handlerBody = extractHandlerBody(lines, i);
+            const usesReqUser = /req\.user/.test(handlerBody) ||
+                /req\.fleetCourier/.test(handlerBody) ||
+                /req\.fleetContext/.test(handlerBody);
+            const hasInlineAuth = middlewareArgs.includes("auth") ||
+                middlewareArgs.includes("requireAuth");
+            if (usesReqUser && !hasInlineAuth && !hasRouterLevelAuth) {
+                findings.push({
+                    rule: "auth-middleware",
+                    severity: "HIGH",
+                    file: file.path,
+                    line: i + 1,
+                    description: `${method} ${path} accesses req.user but 'auth' middleware is not in the middleware chain. Unauthenticated requests will reach this handler with req.user undefined.`,
+                    fix: `Add auth middleware to the route definition. Change to: router.${method.toLowerCase()}("${path}", auth, ${middlewareArgs.length > 0 ? middlewareArgs.join(", ") + ", " : ""}async (req, res) => {`,
+                });
+            }
+            const accessesSensitiveData = /\.select\(/.test(handlerBody) &&
+                (/email|password|phone|token|secret|key/i.test(handlerBody));
+            if (accessesSensitiveData &&
+                !hasInlineAuth &&
+                !hasRouterLevelAuth &&
+                !usesReqUser) {
+                findings.push({
+                    rule: "auth-middleware",
+                    severity: "MEDIUM",
+                    file: file.path,
+                    line: i + 1,
+                    description: `${method} ${path} accesses sensitive data but has no auth middleware. This endpoint may be publicly accessible.`,
+                    fix: `Add auth middleware: router.${method.toLowerCase()}("${path}", auth, ...)`,
+                });
+            }
+        }
+    }
+    return findings;
+}
+function checkRouterLevelAuth(content) {
+    return /router\.use\s*\(\s*auth\b/.test(content);
+}
+function extractMiddlewareArgs(lines, startLine) {
+    const chunk = lines.slice(startLine, startLine + 5).join(" ");
+    const argsMatch = chunk.match(/router\.\w+\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(.*?)\s*(?:async\s*)?\(/);
+    if (!argsMatch)
+        return [];
+    return argsMatch[1]
+        .split(",")
+        .map((a) => a.trim())
+        .filter((a) => a && !a.startsWith("async") && !a.startsWith("("));
+}
+function extractHandlerBody(lines, startLine) {
+    let braceDepth = 0;
+    let started = false;
+    const bodyLines = [];
+    for (let i = startLine; i < Math.min(startLine + 150, lines.length); i++) {
+        const line = lines[i];
+        for (const ch of line) {
+            if (ch === "{") {
+                braceDepth++;
+                started = true;
+            }
+            else if (ch === "}") {
+                braceDepth--;
+            }
+        }
+        if (started)
+            bodyLines.push(line);
+        if (started && braceDepth <= 0)
+            break;
+    }
+    return bodyLines.join("\n");
+}
+//# sourceMappingURL=auth-middleware.js.map

package/dist/runners/security/rules/auth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-middleware.js","sourceRoot":"","sources":["../../../../src/runners/security/rules/auth-middleware.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAoB,EACpB,OAAmB;IAEnB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CACtE,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAC3B,gEAAgE,CACjE,CAAC;YAEF,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YAE3B,MAAM,cAAc,GAAG,qBAAqB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YACvD,MAAM,WAAW,GAAG,kBAAkB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAEjD,MAAM,WAAW,GACf,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC;gBAC7B,mBAAmB,CAAC,IAAI,CAAC,WAAW,CAAC;gBACrC,mBAAmB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAExC,MAAM,aAAa,GACjB,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAC/B,cAAc,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YAEzC,IAAI,WAAW,IAAI,CAAC,aAAa,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACzD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,iBAAiB;oBACvB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,GAAG,MAAM,IAAI,IAAI,oJAAoJ;oBAClL,GAAG,EAAE,kEAAkE,MAAM,CAAC,WAAW,EAAE,KAAK,IAAI,YAAY,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,uBAAuB;iBACzM,CAAC,CAAC;YACL,CAAC;YAED,MAAM,qBAAqB,GACzB,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC;gBAC9B,CAAC,wCAAwC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;YAE/D,IACE,qBAAqB;gBACrB,CAAC,aAAa;gBACd,CAAC,kBAAkB;gBACnB,CAAC,WAAW,EACZ,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,iBAAiB;oBACvB,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,GAAG,MAAM,IAAI,IAAI,gGAAgG;oBAC9H,GAAG,EAAE,+BAA+B,MAAM,CAAC,WAAW,EAAE,KAAK,IAAI,eAAe;iBACjF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe;IAC3C,OAAO,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAe,EAAE,SAAiB;IAC/D,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAC3B,oEAAoE,CACrE,CAAC;IAEF,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAE1B,OAAO,SAAS,CAAC,CAAC,CAAC;SAChB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAe,EAAE,SAAiB;IAC5D,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACzE,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;YACtB,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;gBACf,UAAU,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;iBAAM,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;gBACtB,UAAU,EAAE,CAAC;YACf,CAAC;QACH,CAAC;QAED,IAAI,OAAO;YAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,OAAO,IAAI,UAAU,IAAI,CAAC;YAAE,MAAM;IACxC,CAAC;IAED,OAAO,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC"}

package/dist/runners/security/rules/config-audit.d.ts

@@ -0,0 +1,14 @@
+import type { QassConfig, SecurityFinding } from "../../../types.js";
+import type { FileContent } from "../static-analyzer.js";
+/**
+ * Audits application configuration for security issues.
+ *
+ * Checks for:
+ * - CORS with localhost origins in non-dev configuration
+ * - Helmet CSP disabled
+ * - Error handlers leaking err.message in production
+ * - trust proxy misconfiguration
+ * - Hardcoded admin emails as fallbacks
+ */
+export declare function runConfigAuditRule(files: FileContent[], _config: QassConfig): Promise<SecurityFinding[]>;
+//# sourceMappingURL=config-audit.d.ts.map

package/dist/runners/security/rules/config-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-audit.d.ts","sourceRoot":"","sources":["../../../../src/runners/security/rules/config-audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,EAAE,EACpB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,eAAe,EAAE,CAAC,CAgG5B"}