@scenarist/core 0.3.0 → 0.3.2

package/dist/adapters/in-memory-state-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"in-memory-state-manager.d.ts","sourceRoot":"","sources":["../../src/adapters/in-memory-state-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAMrE;;;;;;GAMG;AACH,qBAAa,oBAAqB,YAAW,YAAY;IACvD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA8C;IAEtE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO;IAUzC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI;IAyBtD,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAI/C,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAI3B,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAgB7D,OAAO,CAAC,oBAAoB;IAS5B,OAAO,CAAC,cAAc;IA0CtB,OAAO,CAAC,cAAc;CA6BvB;AAED;;;GAGG;AACH,eAAO,MAAM,0BAA0B,QAAO,YAE7C,CAAC"}
+{"version":3,"file":"in-memory-state-manager.d.ts","sourceRoot":"","sources":["../../src/adapters/in-memory-state-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAcrE;;;;;;GAMG;AACH,qBAAa,oBAAqB,YAAW,YAAY;IACvD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA8C;IAEtE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO;IAUzC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI;IAyBtD,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAI/C,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAI3B,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAgB7D,OAAO,CAAC,oBAAoB;IAS5B,OAAO,CAAC,cAAc;IA6CtB,OAAO,CAAC,cAAc;CA8BvB;AAED;;;GAGG;AACH,eAAO,MAAM,0BAA0B,QAAO,YAE7C,CAAC"}

package/dist/adapters/in-memory-state-manager.js

@@ -1,5 +1,12 @@
 const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 const isDangerousKey = (key) => DANGEROUS_KEYS.has(key);
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
 /**
  * In-memory implementation of StateManager port.
  * Fast, single-process state storage for stateful mocks.
@@ -80,21 +87,24 @@ export class InMemoryStateManager {
             });
             return;
         }
+        // Get or create nested object for this path segment
         // eslint-disable-next-line security/detect-object-injection -- Guarded by isDangerousKey and Object.hasOwn
         const existingValue = Object.hasOwn(obj, key) ? obj[key] : undefined;
-        if (typeof existingValue !== "object" ||
-            existingValue === null ||
-            Array.isArray(existingValue)) {
+        // Determine target: use existing record OR create new empty object
+        const target = isRecord(existingValue)
+            ? existingValue
+            : {};
+        // If we created a new object, assign it to the parent
+        if (!isRecord(existingValue)) {
             Object.defineProperty(obj, key, {
-                value: {},
+                value: target,
                 writable: true,
                 enumerable: true,
                 configurable: true,
             });
         }
-        // eslint-disable-next-line security/detect-object-injection -- Guarded by isDangerousKey, Object.hasOwn, and Object.defineProperty
-        const nested = obj[key];
-        this.setNestedValue(nested, path.slice(1), value);
+        // Recurse to next path segment
+        this.setNestedValue(target, path.slice(1), value);
     }
     getNestedValue(obj, path) {
         const key = path[0];
@@ -111,7 +121,8 @@ export class InMemoryStateManager {
         if (path.length === 1) {
             return value;
         }
-        if (typeof value !== "object" || value === null || Array.isArray(value)) {
+        // Use type guard for proper type narrowing instead of assertion
+        if (!isRecord(value)) {
             return undefined;
         }
         return this.getNestedValue(value, path.slice(1));

package/dist/domain/deep-equals.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deep-equals.d.ts","sourceRoot":"","sources":["../../src/domain/deep-equals.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,eAAO,MAAM,UAAU,GAAI,GAAG,OAAO,EAAE,GAAG,OAAO,KAAG,OAoEnD,CAAC"}
+{"version":3,"file":"deep-equals.d.ts","sourceRoot":"","sources":["../../src/domain/deep-equals.ts"],"names":[],"mappings":"AAQA;;;;;;;;;GASG;AACH,eAAO,MAAM,UAAU,GAAI,GAAG,OAAO,EAAE,GAAG,OAAO,KAAG,OA+DnD,CAAC"}

package/dist/domain/deep-equals.js

@@ -1,3 +1,10 @@
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
 /**
  * Deep equality comparison for values.
  *
@@ -42,8 +49,8 @@ export const deepEquals = (a, b) => {
     if (Array.isArray(a) !== Array.isArray(b)) {
         return false;
     }
-    // Handle objects
-    if (typeof a === "object" && typeof b === "object") {
+    // Handle objects (use type guard instead of type assertion)
+    if (isRecord(a) && isRecord(b)) {
         const aKeys = Object.keys(a);
         const bKeys = Object.keys(b);
         if (aKeys.length !== bKeys.length) {

package/dist/domain/log-events.d.ts

@@ -52,6 +52,10 @@ export declare const LogEvents: {
     readonly STATE_CAPTURED: "state_captured";
     /** State injected into response */
     readonly STATE_INJECTED: "state_injected";
+    /** State set via afterResponse.setState */
+    readonly STATE_SET: "state_set";
+    /** State response resolved (condition matched or default) */
+    readonly STATE_RESPONSE_RESOLVED: "state_response_resolved";
     /** Sequence advanced to next response */
     readonly SEQUENCE_ADVANCED: "sequence_advanced";
     /** Sequence exhausted all responses */

package/dist/domain/log-events.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"log-events.d.ts","sourceRoot":"","sources":["../../src/domain/log-events.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa;IACxB,oEAAoE;;IAEpE,yCAAyC;;IAEzC,yCAAyC;;IAEzC,kCAAkC;;IAElC,8BAA8B;;CAEtB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,SAAS;IAEpB,uCAAuC;;IAEvC,mDAAmD;;IAEnD,mCAAmC;;IAEnC,kCAAkC;;IAIlC,2CAA2C;;IAE3C,4CAA4C;;IAE5C,sCAAsC;;IAEtC,kCAAkC;;IAIlC,mCAAmC;;IAEnC,mCAAmC;;IAInC,yCAAyC;;IAEzC,uCAAuC;;IAIvC,yCAAyC;;IAEzC,8CAA8C;;IAE9C,qCAAqC;;CAE7B,CAAC;AAEX,MAAM,MAAM,QAAQ,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC"}
+{"version":3,"file":"log-events.d.ts","sourceRoot":"","sources":["../../src/domain/log-events.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa;IACxB,oEAAoE;;IAEpE,yCAAyC;;IAEzC,yCAAyC;;IAEzC,kCAAkC;;IAElC,8BAA8B;;CAEtB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,SAAS;IAEpB,uCAAuC;;IAEvC,mDAAmD;;IAEnD,mCAAmC;;IAEnC,kCAAkC;;IAIlC,2CAA2C;;IAE3C,4CAA4C;;IAE5C,sCAAsC;;IAEtC,kCAAkC;;IAIlC,mCAAmC;;IAEnC,mCAAmC;;IAEnC,2CAA2C;;IAE3C,6DAA6D;;IAI7D,yCAAyC;;IAEzC,uCAAuC;;IAIvC,yCAAyC;;IAEzC,8CAA8C;;IAE9C,qCAAqC;;CAE7B,CAAC;AAEX,MAAM,MAAM,QAAQ,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC"}

package/dist/domain/log-events.js

@@ -55,6 +55,10 @@ export const LogEvents = {
     STATE_CAPTURED: "state_captured",
     /** State injected into response */
     STATE_INJECTED: "state_injected",
+    /** State set via afterResponse.setState */
+    STATE_SET: "state_set",
+    /** State response resolved (condition matched or default) */
+    STATE_RESPONSE_RESOLVED: "state_response_resolved",
     // Sequence progression
     /** Sequence advanced to next response */
     SEQUENCE_ADVANCED: "sequence_advanced",

package/dist/domain/path-extraction.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"path-extraction.d.ts","sourceRoot":"","sources":["../../src/domain/path-extraction.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAM/D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC1B,SAAS,kBAAkB,EAC3B,MAAM,MAAM,KACX,OAyBF,CAAC"}
+{"version":3,"file":"path-extraction.d.ts","sourceRoot":"","sources":["../../src/domain/path-extraction.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAc/D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC1B,SAAS,kBAAkB,EAC3B,MAAM,MAAM,KACX,OAyBF,CAAC"}

package/dist/domain/path-extraction.js

@@ -1,5 +1,12 @@
 const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 const isDangerousKey = (key) => DANGEROUS_KEYS.has(key);
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
 /**
  * Extracts a value from HttpRequestContext based on a path expression.
  *
@@ -55,8 +62,8 @@ const traversePath = (obj, path) => {
     if (path.length === 0) {
         return obj;
     }
-    // Guard: Can only traverse objects
-    if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
+    // Guard: Can only traverse objects - use type guard for proper narrowing
+    if (!isRecord(obj)) {
         return undefined;
     }
     const key = path[0];
@@ -68,9 +75,8 @@ const traversePath = (obj, path) => {
     if (!Object.hasOwn(obj, key)) {
         return undefined;
     }
-    const record = obj;
     // eslint-disable-next-line security/detect-object-injection -- Key validated by Object.hasOwn and isDangerousKey guard
-    const value = record[key];
+    const value = obj[key];
     // Recursively traverse remaining path
     return traversePath(value, path.slice(1));
 };

package/dist/domain/response-selector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"response-selector.d.ts","sourceRoot":"","sources":["../../src/domain/response-selector.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,mBAAmB,CAAC;AAiB3B;;GAEG;AACH,KAAK,6BAA6B,GAAG;IACnC,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,GACjC,UAAS,6BAAkC,KAC1C,gBAgQF,CAAC"}
+{"version":3,"file":"response-selector.d.ts","sourceRoot":"","sources":["../../src/domain/response-selector.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,mBAAmB,CAAC;AAyB3B;;GAEG;AACH,KAAK,6BAA6B,GAAG;IACnC,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,GACjC,UAAS,6BAAkC,KAC1C,gBAwQF,CAAC"}

package/dist/domain/response-selector.js

@@ -6,6 +6,13 @@ import { createStateResponseResolver } from "./state-response-resolver.js";
 import { deepEquals } from "./deep-equals.js";
 import { noOpLogger } from "../adapters/index.js";
 import { LogCategories, LogEvents } from "./log-events.js";
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
 const SPECIFICITY_RANGES = {
     MATCH_CRITERIA_BASE: 100,
     SEQUENCE_FALLBACK: 1,
@@ -72,11 +79,14 @@ export const createResponseSelector = (options = {}) => {
                     continue;
                 }
                 // No match criteria = fallback mock (always matches)
-                // Log fallback evaluation
+                // Log fallback evaluation with response type info for debugging Issue #328
                 logger.debug(LogCategories.MATCHING, LogEvents.MOCK_MATCH_EVALUATED, logContext, {
                     mockIndex,
                     matched: true,
                     hasCriteria: false,
+                    hasSequence: !!mock.sequence,
+                    hasStateResponse: !!mock.stateResponse,
+                    hasResponse: !!mock.response,
                 });
                 // Dynamic response types (sequence, stateResponse) get higher priority than simple responses
                 // This ensures they are selected over simple fallback responses
@@ -105,7 +115,7 @@ export const createResponseSelector = (options = {}) => {
                     specificity,
                 });
                 // Select response (single, sequence, or stateResponse)
-                const response = selectResponseFromMock(testId, scenarioId, mockIndex, mock, sequenceTracker, stateManager);
+                const response = selectResponseFromMock(testId, scenarioId, mockIndex, mock, sequenceTracker, stateManager, logger);
                 if (!response) {
                     return {
                         success: false,
@@ -136,11 +146,15 @@ export const createResponseSelector = (options = {}) => {
                         state: currentState,
                         params: mockWithParams.params || {},
                     };
+                    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- applyTemplates preserves structure; input ScenaristResponse → output ScenaristResponse
                     finalResponse = applyTemplates(response, templateData);
                 }
                 // Apply afterResponse.setState to mutate state for subsequent requests
                 if (mock.afterResponse?.setState && stateManager) {
                     stateManager.merge(testId, mock.afterResponse.setState);
+                    logger.debug(LogCategories.STATE, LogEvents.STATE_SET, logContext, {
+                        setState: mock.afterResponse.setState,
+                    });
                 }
                 return { success: true, data: finalResponse };
             }
@@ -199,9 +213,11 @@ export const createResponseSelector = (options = {}) => {
  * @param mock - The mock definition
  * @param sequenceTracker - Optional sequence tracker for Phase 2
  * @param stateManager - Optional state manager for stateResponse
+ * @param logger - Logger for debugging
  * @returns ScenaristResponse or null if mock has no response type
  */
-const selectResponseFromMock = (testId, scenarioId, mockIndex, mock, sequenceTracker, stateManager) => {
+const selectResponseFromMock = (testId, scenarioId, mockIndex, mock, sequenceTracker, stateManager, logger) => {
+    const logContext = { testId, scenarioId };
     // Phase 2: If mock has a sequence, use sequence tracker
     if (mock.sequence) {
         if (!sequenceTracker) {
@@ -222,7 +238,7 @@ const selectResponseFromMock = (testId, scenarioId, mockIndex, mock, sequenceTra
     }
     // State-aware response: evaluate conditions against current state
     if (mock.stateResponse) {
-        return resolveStateResponse(testId, mock.stateResponse, stateManager);
+        return resolveStateResponse(testId, mock.stateResponse, stateManager, logger, logContext);
     }
     // Phase 1: Single response
     if (mock.response) {
@@ -240,18 +256,36 @@ const selectResponseFromMock = (testId, scenarioId, mockIndex, mock, sequenceTra
  * @param testId - Test ID for state isolation
  * @param stateResponse - The stateResponse configuration
  * @param stateManager - Optional state manager for state lookup
+ * @param logger - Logger for debugging
+ * @param logContext - Context for log messages
  * @returns The resolved response (matching condition or default)
  */
-const resolveStateResponse = (testId, stateResponse, stateManager) => {
+const resolveStateResponse = (testId, stateResponse, stateManager, logger, logContext) => {
     // Without stateManager, always return default
     if (!stateManager) {
+        logger.debug(LogCategories.STATE, LogEvents.STATE_RESPONSE_RESOLVED, logContext, {
+            result: "default",
+            reason: "no_state_manager",
+        });
         return stateResponse.default;
     }
     // Get current state for this test
     const currentState = stateManager.getAll(testId);
     // Create resolver and evaluate conditions
     const resolver = createStateResponseResolver();
-    return resolver.resolveResponse(stateResponse, currentState);
+    const response = resolver.resolveResponse(stateResponse, currentState);
+    // Log which response was selected and why
+    const isDefault = response === stateResponse.default;
+    const matchedCondition = isDefault
+        ? null
+        : stateResponse.conditions.find((c) => resolver.resolveResponse({ default: stateResponse.default, conditions: [c] }, currentState) !== stateResponse.default);
+    logger.debug(LogCategories.STATE, LogEvents.STATE_RESPONSE_RESOLVED, logContext, {
+        result: isDefault ? "default" : "condition",
+        currentState,
+        conditionsCount: stateResponse.conditions.length,
+        matchedWhen: matchedCondition?.when ?? null,
+    });
+    return response;
 };
 /**
  * Calculate specificity score for match criteria.
@@ -367,15 +401,14 @@ const matchesState = (stateCriteria, testId, stateManager) => {
  * Non-string values are converted to strings before matching.
  */
 const matchesBody = (requestBody, criteriaBody) => {
-    // If request has no body, can't match
-    if (!requestBody || typeof requestBody !== "object") {
+    // If request has no body, can't match - use type guard for proper narrowing
+    if (!isRecord(requestBody)) {
         return false;
     }
-    const body = requestBody;
     // Check all required fields exist in request body with matching values
     for (const [key, criteriaValue] of Object.entries(criteriaBody)) {
         // eslint-disable-next-line security/detect-object-injection -- Key from Object.entries iteration
-        const requestValue = body[key];
+        const requestValue = requestBody[key];
         // Convert to string for matching (type coercion like headers/query)
         const stringValue = requestValue == null ? "" : String(requestValue);
         if (!matchesValue(stringValue, criteriaValue)) {
@@ -435,21 +468,30 @@ const matchesValue = (requestValue, criteriaValue) => {
     if (criteriaValue == null) {
         return requestValue === "";
     }
-    const strategyValue = criteriaValue;
-    if (strategyValue.equals !== undefined) {
-        return requestValue === String(strategyValue.equals);
+    // After ruling out string, RegExp, number, boolean, null - remaining must be object strategy
+    if (!isRecord(criteriaValue)) {
+        return false;
+    }
+    if (criteriaValue.equals !== undefined) {
+        return requestValue === String(criteriaValue.equals);
     }
-    if (strategyValue.contains !== undefined) {
-        return requestValue.includes(String(strategyValue.contains));
+    if (criteriaValue.contains !== undefined) {
+        return requestValue.includes(String(criteriaValue.contains));
     }
-    if (strategyValue.startsWith !== undefined) {
-        return requestValue.startsWith(String(strategyValue.startsWith));
+    if (criteriaValue.startsWith !== undefined) {
+        return requestValue.startsWith(String(criteriaValue.startsWith));
     }
-    if (strategyValue.endsWith !== undefined) {
-        return requestValue.endsWith(String(strategyValue.endsWith));
+    if (criteriaValue.endsWith !== undefined) {
+        return requestValue.endsWith(String(criteriaValue.endsWith));
     }
-    if (strategyValue.regex !== undefined) {
-        return matchesRegex(requestValue, strategyValue.regex);
+    if (criteriaValue.regex !== undefined && isRecord(criteriaValue.regex)) {
+        const regex = criteriaValue.regex;
+        if (typeof regex.source === "string") {
+            return matchesRegex(requestValue, {
+                source: regex.source,
+                flags: typeof regex.flags === "string" ? regex.flags : undefined,
+            });
+        }
     }
     return false;
 };

package/dist/domain/scenario-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scenario-manager.d.ts","sourceRoot":"","sources":["../../src/domain/scenario-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,mBAAmB,CAAC;AAwC3B;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,qBAAqB,GAAI,6DAMnC;IACD,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,KAAK,EAAE,aAAa,CAAC;IACrB,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,KAAG,eAwHH,CAAC"}
+{"version":3,"file":"scenario-manager.d.ts","sourceRoot":"","sources":["../../src/domain/scenario-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,mBAAmB,CAAC;AAwC3B;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,qBAAqB,GAAI,6DAMnC;IACD,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,KAAK,EAAE,aAAa,CAAC;IACrB,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,KAAG,eA+HH,CAAC"}

package/dist/domain/scenario-manager.js

@@ -40,7 +40,13 @@ export const createScenarioManager = ({ registry, store, stateManager, sequenceT
             const validationResult = ScenaristScenarioSchema.safeParse(definition);
             if (!validationResult.success) {
                 const errorMessages = validationResult.error.issues.map((err) => `${err.path.join(".")}: ${err.message}`);
-                const scenarioId = definition?.id || "<unknown>";
+                // Extract id safely without type assertion - definition failed validation so type is untrusted
+                const scenarioId = typeof definition === "object" &&
+                    definition !== null &&
+                    "id" in definition &&
+                    typeof definition.id === "string"
+                    ? definition.id
+                    : "<unknown>";
                 throw createScenarioValidationError(scenarioId, errorMessages);
             }
             const existing = registry.get(definition.id);

package/dist/domain/template-replacement.d.ts

@@ -2,6 +2,10 @@
  * Applies templates to a value.
  * Replaces {{state.key}} and {{params.key}} patterns with actual values.
  *
+ * Note: This function preserves the structure of the input value.
+ * Callers passing typed objects (like ScenaristResponse) can safely
+ * cast the return value back to the input type.
+ *
  * @param value - Value to apply templates to (string, object, array, or primitive)
  * @param templateData - Object containing state and params for template replacement.
  *                       Can be flat object (backward compatible) or { state: {...}, params: {...} }

package/dist/domain/template-replacement.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"template-replacement.d.ts","sourceRoot":"","sources":["../../src/domain/template-replacement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,GACzB,OAAO,OAAO,EACd,cAAc,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KACpC,OA+DF,CAAC"}
+{"version":3,"file":"template-replacement.d.ts","sourceRoot":"","sources":["../../src/domain/template-replacement.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GACzB,OAAO,OAAO,EACd,cAAc,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KACpC,OA+DF,CAAC"}

package/dist/domain/template-replacement.js

@@ -1,7 +1,25 @@
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+/**
+ * Security: Check if a property key could cause prototype pollution.
+ * @see https://github.com/citypaul/scenarist/security/code-scanning
+ */
+const isDangerousKey = (key) => {
+    return key === "__proto__" || key === "constructor" || key === "prototype";
+};
 /**
  * Applies templates to a value.
  * Replaces {{state.key}} and {{params.key}} patterns with actual values.
  *
+ * Note: This function preserves the structure of the input value.
+ * Callers passing typed objects (like ScenaristResponse) can safely
+ * cast the return value back to the input type.
+ *
  * @param value - Value to apply templates to (string, object, array, or primitive)
  * @param templateData - Object containing state and params for template replacement.
  *                       Can be flat object (backward compatible) or { state: {...}, params: {...} }
@@ -86,10 +104,18 @@ const resolveTemplatePath = (templateData, prefix, path) => {
         if (Array.isArray(current) && segment === "length") {
             return current.length;
         }
-        // Traverse object
-        const record = current;
-        // eslint-disable-next-line security/detect-object-injection -- Segment from split() iteration
-        current = record[segment];
+        // Traverse object - use type guard for proper narrowing
+        if (!isRecord(current)) {
+            return undefined;
+        }
+        // Security: Prevent prototype pollution attacks
+        // @see https://github.com/citypaul/scenarist/security/code-scanning/165
+        if (isDangerousKey(segment) || !Object.hasOwn(current, segment)) {
+            return undefined;
+        }
+        // nosemgrep: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop
+        // eslint-disable-next-line security/detect-object-injection -- Segment validated by isDangerousKey and Object.hasOwn checks above
+        current = current[segment];
         // Guard: Return undefined if property doesn't exist
         if (current === undefined) {
             return undefined;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@scenarist/core",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "Internal: Hexagonal architecture core for scenario-based testing with MSW",
   "author": "Paul Hammond (citypaul) <paul@packsoftware.co.uk>",
   "license": "MIT",