@skyramp/mcp 0.1.8 → 0.2.0-rc.2

package/build/tools/test-management/analyzeChangesTool.js

@@ -8,8 +8,10 @@ import { simpleGit } from "simple-git";
 import { logger } from "../../utils/logger.js";
 import { parseWorkspaceAuthType, getDefaultAuthHeader, WorkspaceAuthType, readWorkspaceConfigRaw } from "../../utils/workspaceAuth.js";
 import { AnalyticsService } from "../../services/AnalyticsService.js";
-import { StateManager, registerSession, storeSessionData, } from "../../utils/AnalysisStateManager.js";
+import { StateManager, registerSession, storeSessionData, setTestsRepoDir, } from "../../utils/AnalysisStateManager.js";
 import { buildRecommendationPrompt } from "../../prompts/test-recommendation/test-recommendation-prompt.js";
+import { isFrontendFile, isTestFile } from "../../prompts/test-recommendation/scopeAssessment.js";
+import { enumerateCandidateUiPages } from "../../utils/uiPageEnumerator.js";
 import { MAX_RECOMMENDATIONS, MAX_TESTS_TO_GENERATE } from "../../prompts/test-recommendation/recommendationSections.js";
 import { TestDiscoveryService } from "../../services/TestDiscoveryService.js";
 import { ScenarioSource, AnalysisScope } from "../../types/RepositoryAnalysis.js";
@@ -32,6 +34,10 @@ export function buildTraceFileEntry(tracePath, result) {
     };
 }
 const TOOL_NAME = "skyramp_analyze_changes";
+const SECURITY_RELEVANT_DIFF_PATTERN = /\b(?:auth|authorization|permission|permissions|admin[-_\s]?key|x-admin-key|role|roles|rbac|owner|ownership|guard|auth[-_\s]?middleware|permission[-_\s]?middleware|require[-_\s]?(?:auth|admin|role)|authorize|authorized|authenticated|require_admin_key|destructive)\b/i;
+export function isSecurityRelevantDiff(diffContent) {
+    return SECURITY_RELEVANT_DIFF_PATTERN.test(diffContent);
+}
 // Must match testbot/src/constants.ts BOT_EMAIL
 const BOT_EMAIL = "test-bot@skyramp.dev";
 /**
@@ -192,23 +198,66 @@ export function filterEndpointsBySpec(scannedEndpoints, specPaths, specPathItems
     return filtered;
 }
 const GRAPHQL_EXT = /\.(graphql|gql)$/i;
-const GRAPHQL_CONTENT_PATTERN = /^\s*(type\s+(Query|Mutation|Subscription)\s*\{|schema\s*\{|extend\s+type|directive\s+@)/m;
+const GRAPHQL_SCHEMA_CONTENT_PATTERN = /^\s*(type\s+(Query|Mutation|Subscription)\s*\{|schema\s*\{|extend\s+type|directive\s+@)/m;
+const GRAPHQL_IMPLEMENTATION_CONTENT_PATTERN = /(?:@Resolver\b|from\s+["'](?:@nestjs\/graphql|apollo-server|graphql-yoga|type-graphql)["']|\b(?:ApolloServer|GraphQLObjectType|GraphQLSchema|makeExecutableSchema|buildSchema)\b|(?:\btypeDefs\b[\s\S]{0,200}\bresolvers\b|\bresolvers\b[\s\S]{0,200}\btypeDefs\b))/m;
+/** Path-based detection for non-code GraphQL artifacts.
+ *  Matches "graphql" as a directory segment for files without a code extension
+ *  (e.g. services/graphql/schema), but NOT filenames that merely contain
+ *  "graphql" (e.g. graphql-test-route.ts). */
+const GRAPHQL_DIR_PATTERN = /(?:^|[/\\])graphql(?:[/\\]|$)/i;
+/** Code file extensions — these should use content detection, not directory heuristic,
+ *  because .ts/.js files in a graphql/ directory are often resolvers or route-adjacent
+ *  code and should not trigger the GraphQL-only early return by path alone. */
+const CODE_EXT = /\.(ts|tsx|js|jsx|mjs|cjs|py|rb|go|java|kt|rs|cs)$/i;
 export async function isGraphQLFile(filePath, repositoryPath) {
     if (GRAPHQL_EXT.test(filePath))
         return true;
+    // Only use directory heuristic for non-code files (e.g. extensionless files).
+    // Code files in a graphql/ dir may be REST-reachable resolver glue; use content detection instead.
+    if (GRAPHQL_DIR_PATTERN.test(filePath) && !CODE_EXT.test(filePath))
+        return true;
     try {
         const absPath = path.join(repositoryPath, filePath);
         const fileContent = await fs.promises.readFile(absPath, "utf-8");
-        return GRAPHQL_CONTENT_PATTERN.test(fileContent);
+        return GRAPHQL_SCHEMA_CONTENT_PATTERN.test(fileContent) ||
+            GRAPHQL_IMPLEMENTATION_CONTENT_PATTERN.test(fileContent);
     }
     catch {
         return false;
     }
 }
+function isGraphQLEndpointPath(endpointPath) {
+    return /(?:^|\/)graphql(?:\/|$)/i.test(endpointPath);
+}
+async function isUnsupportedGraphQLEndpoint(endpoint, repositoryPath, checkGraphQLFile = (filePath) => isGraphQLFile(filePath, repositoryPath)) {
+    return isGraphQLEndpointPath(endpoint.path) ||
+        await checkGraphQLFile(endpoint.sourceFile);
+}
+export async function filterUnsupportedGraphQLEndpoints(endpoints, repositoryPath) {
+    const graphqlFileCache = new Map();
+    const checkGraphQLFile = (filePath) => {
+        if (!filePath)
+            return Promise.resolve(false);
+        const cached = graphqlFileCache.get(filePath);
+        if (cached)
+            return cached;
+        const result = isGraphQLFile(filePath, repositoryPath);
+        graphqlFileCache.set(filePath, result);
+        return result;
+    };
+    const filtered = [];
+    for (const endpoint of endpoints) {
+        if (!(await isUnsupportedGraphQLEndpoint(endpoint, repositoryPath, checkGraphQLFile))) {
+            filtered.push(endpoint);
+        }
+    }
+    return filtered;
+}
 function isNonApplicationFile(filePath) {
     return NON_APP_PATTERNS.some((p) => p.test(filePath));
 }
-const ROUTE_FILE_PATTERN = /route|controller|endpoint|handler|view|urls|api|router/i;
+const ROUTE_FILE_PATTERN = /route|controller|endpoint|handler|view|urls|api|router|service|gateway|resolver|\bserver\b/i;
+const ROUTE_FILE_BASENAME_PATTERN = /\bapp\b|\bmain\b/i;
 const SOURCE_EXTS = /\.(ts|tsx|js|jsx|py|java|kt|go|rb|php|rs|cs|ex|exs)$/;
 /**
  * Recover endpoints from files deleted in this branch by reading their
@@ -216,7 +265,7 @@ const SOURCE_EXTS = /\.(ts|tsx|js|jsx|py|java|kt|go|rb|php|rs|cs|ex|exs)$/;
  * name matches route-file heuristics to keep I/O bounded.
  */
 async function recoverDeletedFileEndpoints(repositoryPath, baseBranch, deletedFiles) {
-    const candidates = deletedFiles.filter((f) => SOURCE_EXTS.test(f) && ROUTE_FILE_PATTERN.test(f));
+    const candidates = deletedFiles.filter((f) => SOURCE_EXTS.test(f) && (ROUTE_FILE_PATTERN.test(f) || ROUTE_FILE_BASENAME_PATTERN.test(path.basename(f))));
     if (candidates.length === 0)
         return [];
     const git = simpleGit(repositoryPath);
@@ -226,12 +275,15 @@ async function recoverDeletedFileEndpoints(repositoryPath, baseBranch, deletedFi
         try {
             const content = await git.show([`${baseBranch}:${file}`]);
             for (const ep of parseFileEndpoints(content, file)) {
-                const existing = endpointMap.get(ep.path);
+                const normalizedPath = ep.path.startsWith("/") ? ep.path : `/${ep.path}`;
+                const key = `${file}::${normalizedPath}`;
+                const existing = endpointMap.get(key);
                 if (existing) {
                     existing.methods.add(ep.method);
                 }
                 else {
-                    endpointMap.set(ep.path, {
+                    endpointMap.set(key, {
+                        path: normalizedPath,
                         methods: new Set([ep.method]),
                         sourceFile: file,
                     });
@@ -246,9 +298,9 @@ async function recoverDeletedFileEndpoints(repositoryPath, baseBranch, deletedFi
             });
         }
     }
-    for (const [apiPath, data] of endpointMap) {
+    for (const data of endpointMap.values()) {
         results.push({
-            path: apiPath,
+            path: data.path,
             methods: Array.from(data.methods),
             sourceFile: data.sourceFile,
         });
@@ -263,7 +315,7 @@ export const analyzeChangesInputSchema = {
         .enum(["full_repo", "branch_diff"])
         .default("branch_diff")
         .optional()
-        .describe("Analysis scope: 'full_repo' scans entire repo, 'branch_diff' focuses on current branch changes"),
+        .describe("Analysis scope. 'full_repo': scans all API endpoints in the repository. 'branch_diff': scans only API endpoints affected by current branch changes — faster for CI use. Default: 'branch_diff'."),
     baseBranch: z
         .string()
         .optional()
@@ -286,29 +338,31 @@ export const analyzeChangesInputSchema = {
     prNumber: z
         .number()
         .optional()
-        .describe("GitHub PR number. When provided, fetches previous TestBot comments for recommendation deduplication across commits."),
+        .describe("GitHub PR number. When provided, fetches previous TestBot comments on this PR and skips re-recommending tests already suggested in earlier commits — reduces duplicate recommendations across multiple pushes to the same PR."),
     stateOutputFile: z
         .string()
         .refine((v) => path.isAbsolute(v), { message: "stateOutputFile must be an absolute path" })
         .optional()
         .describe("Absolute path where the state file should be written. When provided, overrides the default auto-generated temp path so the caller can locate it without log parsing."),
+    testsRepoDir: z
+        .string()
+        .refine((v) => path.isAbsolute(v), { message: "testsRepoDir must be an absolute path" })
+        .optional()
+        .describe("Absolute path to a separate test repository clone. When set, existing test discovery scans this directory instead of repositoryPath. Used in cross-repo test delivery mode where tests live in a separate repo."),
 };
 export function registerAnalyzeChangesTool(server) {
     server.registerTool(TOOL_NAME, {
-        description: `Analyze repository changes and discover existing tests — first step of the unified Test Health Analysis Flow.
-
-This tool combines repository analysis (endpoint scanning, branch diff) with test discovery
-to produce a unified state file for the test health workflow.
+        annotations: {
+            readOnlyHint: false, // writes a state file to disk
+            destructiveHint: false,
+            idempotentHint: false,
+            openWorldHint: true, // may fetch PR comments from GitHub
+        },
+        description: `Scan repository API endpoints and discover existing tests — first step of the unified Test Health Analysis Flow.
 
-**Workflow:**
-1. Call \`skyramp_analyze_changes\` → discovers existing tests, scans endpoints, computes branch diff → returns a stateFile
-2. Call \`skyramp_analyze_test_health\` with stateFile → drift analysis + health scoring
-3. (Optional) Execute tests using \`skyramp_execute_test\` with \`stateFile\` param for each test file → validates test status live and writes results back for execution-aware health scoring
-4. Call \`skyramp_actions\` with stateFile → execute UPDATE/REGENERATE/ADD recommendations (with execution-aware prioritization if step 3 ran)
+Combines API endpoint scanning, branch diff computation, and test discovery into a single state file consumed by \`skyramp_analyze_test_health\` and \`skyramp_actions\`.
 
-**Output:** stateFile path + LLM instructions for enrichment and calling skyramp_analyze_test_health
-
-**Recommendation path:** The response also includes inline ranked test recommendations and source-code enrichment instructions. Follow the enrichment steps (read handler + schema files), draft enrichedScenarios, then call \`skyramp_recommend_tests\` with stateFile and enrichedScenarios for richer, field-accurate recommendations.`,
+**Output:** stateFile path + ranked test recommendations + enrichment instructions for calling \`skyramp_recommend_tests\`.`,
         // TODO: Define outputSchema here instead of embedding structured output format in the
         // description string — per Archit's review comment. outputSchema reduces token usage
         // by letting the MCP client understand the response shape structurally rather than
@@ -373,6 +427,7 @@ to produce a unified state file for the test health workflow.
             }
             // ── Step 2: Scan endpoints ──
             let scannedEndpoints = [];
+            let rawRelatedEndpointCount;
             if (analysisScope !== AnalysisScope.CurrentBranchDiff) {
                 await sendProgress(25, 100, "Scanning all repository endpoints...");
                 try {
@@ -391,15 +446,25 @@ to produce a unified state file for the test health workflow.
                 await sendProgress(25, 100, "Scanning related endpoints from diff...");
                 try {
                     scannedEndpoints = scanRelatedEndpoints(params.repositoryPath, diffData.changedFiles);
+                    rawRelatedEndpointCount = scannedEndpoints.length;
                     logger.info("Scanned related endpoints", {
                         count: scannedEndpoints.length,
                     });
                 }
                 catch (err) {
+                    rawRelatedEndpointCount = 0;
                     logger.warning("Related endpoint scan failed", {
                         error: err instanceof Error ? err.message : String(err),
                     });
                 }
+                const beforeGraphQLFilter = scannedEndpoints.length;
+                scannedEndpoints = await filterUnsupportedGraphQLEndpoints(scannedEndpoints, params.repositoryPath);
+                if (scannedEndpoints.length !== beforeGraphQLFilter) {
+                    logger.info("Filtered unsupported GraphQL endpoints from related scan", {
+                        before: beforeGraphQLFilter,
+                        after: scannedEndpoints.length,
+                    });
+                }
                 // No fallback to scanAllRepoEndpoints in PR mode.
                 // If the scanner found 0 related endpoints, the PR likely touches
                 // non-route code (services, models, schemas, client SDK). Flooding
@@ -419,6 +484,13 @@ to produce a unified state file for the test health workflow.
                     ? await recoverDeletedFileEndpoints(params.repositoryPath, diffData.baseBranch, diffData.deletedFiles)
                     : [];
                 classifiedEndpoints = classifyEndpointsByChangedFiles(diffData, scannedEndpoints, deletedFileEndpoints);
+                classifiedEndpoints = {
+                    ...classifiedEndpoints,
+                    // changed/new endpoints come from scannedEndpoints, which is already
+                    // GraphQL-filtered in branch-diff mode. Removed endpoints are recovered
+                    // from the base branch separately and still need unsupported-protocol filtering.
+                    removedEndpoints: await filterUnsupportedGraphQLEndpoints(classifiedEndpoints.removedEndpoints, params.repositoryPath),
+                };
                 logger.info("Classified endpoints from changed files", {
                     changed: classifiedEndpoints.changedEndpoints.length,
                     new: classifiedEndpoints.newEndpoints.length,
@@ -452,7 +524,7 @@ to produce a unified state file for the test health workflow.
                                 text: [
                                     "**GraphQL-only diff detected.**",
                                     "",
-                                    "The changed files appear to be GraphQL schema or resolver definitions.",
+                                    "The changed files appear to be GraphQL schema, artifact, or endpoint implementation files.",
                                     "Skyramp currently supports REST API testing only — GraphQL introspection,",
                                     "query validation, and type-name grounding are not yet supported.",
                                     "",
@@ -504,7 +576,9 @@ to produce a unified state file for the test health workflow.
             let discoveredRelevantExternalPaths = [];
             try {
                 const testDiscoveryService = new TestDiscoveryService();
-                const discoveryResult = await testDiscoveryService.discoverTests(params.repositoryPath, { changedResources });
+                setTestsRepoDir(params.testsRepoDir);
+                const testScanPath = params.testsRepoDir ?? params.repositoryPath;
+                const discoveryResult = await testDiscoveryService.discoverTests(testScanPath, { changedResources });
                 existingTests = discoveryResult.tests.map((test) => ({
                     testFile: test.testFile,
                     testType: test.testType,
@@ -642,15 +716,11 @@ to produce a unified state file for the test health workflow.
                 }
             }
             // ── Step 4d: Filter unsupported protocol endpoints (GraphQL) ──
-            // Must run AFTER spec-merge above — Directus spec includes /graphql and
-            // the merge step would re-add it if this ran earlier.
-            // Use segment check to catch /api/graphql, /v1/graphql, etc.
+            // Must run AFTER spec-merge above — specs may include /graphql and the
+            // merge step would re-add it if this ran earlier.
             {
                 const beforeUnsupported = scannedEndpoints.length;
-                scannedEndpoints = scannedEndpoints.filter(ep => {
-                    const normalized = ep.path.replace(/\/+$/, "").toLowerCase();
-                    return !normalized.split("/").some(seg => seg === "graphql");
-                });
+                scannedEndpoints = await filterUnsupportedGraphQLEndpoints(scannedEndpoints, params.repositoryPath);
                 if (scannedEndpoints.length < beforeUnsupported) {
                     logger.info("Filtered unsupported protocol endpoints (GraphQL)", {
                         removed: beforeUnsupported - scannedEndpoints.length,
@@ -761,6 +831,12 @@ to produce a unified state file for the test health workflow.
                 path: ep.path,
                 sourceFile: ep.sourceFile,
             }))) ?? [];
+            const changedEndpointsForSecurityExpansion = classifiedEndpoints?.changedEndpoints.flatMap((ep) => ep.methods.map((m) => ({
+                method: m,
+                path: ep.path,
+                sourceFile: ep.sourceFile,
+            }))) ?? [];
+            const securityRelevantDiff = Boolean(diffData?.diffContent && isSecurityRelevantDiff(diffData.diffContent));
             // Full-repo mode: no diff context, so seed scenario drafting from the entire
             // skeletonEndpoints catalog. We gate on analysisScope (not just array length)
             // to avoid drafting catalog-wide scenarios for PR-mode diffs that happened to
@@ -775,7 +851,10 @@ to produce a unified state file for the test health workflow.
                         sourceFile: m.sourceFile ?? "",
                     })))
                     : [];
-            const codeInferredScenarios = draftScenariosFromEndpoints(skeletonEndpoints, scenarioDraftSeed);
+            const codeInferredScenarios = draftScenariosFromEndpoints(skeletonEndpoints, scenarioDraftSeed, wsAuthType, {
+                changedEndpoints: changedEndpointsForSecurityExpansion,
+                securityRelevantDiff,
+            });
             let allDraftedScenarios = codeInferredScenarios;
             if (traceResult && traceResult.userFlows.length > 0) {
                 const traceScenarios = traceResult.userFlows
@@ -979,9 +1058,34 @@ to produce a unified state file for the test health workflow.
             // Without them, analyzeTestHealth would work only off the static catalog
             // which has wrong paths for nested resources and unsupported frameworks.
             const routerMountContext = grepRouterMountingContext(params.repositoryPath);
-            const candidateRouteFiles = analysisScope !== AnalysisScope.CurrentBranchDiff
-                ? findCandidateRouteFiles(params.repositoryPath)
-                : undefined;
+            const routeLikeUnmatchedFiles = [];
+            for (const file of classifiedEndpoints?.unmatchedFiles ?? []) {
+                const routeLike = SOURCE_EXTS.test(file) &&
+                    (ROUTE_FILE_PATTERN.test(file) || ROUTE_FILE_BASENAME_PATTERN.test(path.basename(file)));
+                if (routeLike && !(await isGraphQLFile(file, params.repositoryPath))) {
+                    routeLikeUnmatchedFiles.push(file);
+                }
+            }
+            const shouldIncludeCandidateRouteFiles = analysisScope !== AnalysisScope.CurrentBranchDiff ||
+                rawRelatedEndpointCount === 0 ||
+                scannedEndpoints.length === 0 ||
+                routeLikeUnmatchedFiles.length > 0;
+            let candidateRouteFiles;
+            if (shouldIncludeCandidateRouteFiles) {
+                candidateRouteFiles = [];
+                for (const file of findCandidateRouteFiles(params.repositoryPath)) {
+                    if (!(await isGraphQLFile(file, params.repositoryPath))) {
+                        candidateRouteFiles.push(file);
+                    }
+                }
+            }
+            // Write the full diff to a temp file before building state so the path
+            // can be persisted and read by analyzeTestHealthTool for per-line detection.
+            let diffFilePath;
+            if (diffData?.diffContent) {
+                diffFilePath = path.join(os.tmpdir(), `skyramp-diff-${sessionId}.diff`);
+                await fs.promises.writeFile(diffFilePath, diffData.diffContent, { encoding: "utf-8", mode: 0o600 });
+            }
             // Read router mount files server-side (size-capped) so the LLM has them
             // inline and doesn't need an extra read step when no spec is available.
             const ROUTER_INLINE_LIMIT = 4096; // bytes — skip files larger than ~4 KB
@@ -1001,10 +1105,38 @@ to produce a unified state file for the test health workflow.
                     return [];
                 }
             });
+            // Compute UI context from the diff's changed files using the shared
+            // `isFrontendFile` classifier. Persisting this in the stateFile lets
+            // skyramp_analyze_test_health and the recommendation prompt consume the
+            // same classification without re-deriving it. Absent on backend-only PRs.
+            //
+            // candidateUiPages is enumerated programmatically via the strategy
+            // ladder in uiPageEnumerator (framework route grep, source-grounded
+            // routes, root fallback). The same enumeration powers the
+            // skyramp_ui_analyze_changes pre-flight tool that the testbot prompt
+            // calls before this tool, so both code paths see the same candidates.
+            const uiContext = await (async () => {
+                const changedFiles = classifiedEndpoints?.changedFiles ?? [];
+                if (changedFiles.length === 0)
+                    return undefined;
+                // Filter to frontend source files only — exclude test files, which
+                // pass isFrontendFile (any .ts under a frontend directory matches
+                // the tier-3 rule) but aren't UI source we'd want to ground page
+                // enumeration in.
+                const frontendFiles = changedFiles.filter((f) => isFrontendFile(f) && !isTestFile(f));
+                if (frontendFiles.length === 0)
+                    return undefined;
+                const candidateUiPages = await enumerateCandidateUiPages(params.repositoryPath, frontendFiles);
+                return {
+                    changedFrontendFiles: frontendFiles,
+                    candidateUiPages,
+                };
+            })();
             const unifiedState = {
                 existingTests,
                 newEndpoints: newEndpointsForDrafting,
                 analysisScope,
+                ...(uiContext ? { uiContext } : {}),
                 repositoryAnalysis: {
                     skeletonEndpoints,
                     projectMeta,
@@ -1016,6 +1148,7 @@ to produce a unified state file for the test health workflow.
                     wsAuthMethod,
                     specFetchSucceeded,
                     scenarios: allDraftedScenarios,
+                    diffFilePath,
                     testLocations: testLocationsByType,
                     diff: classifiedEndpoints
                         ? {
@@ -1056,29 +1189,11 @@ to produce a unified state file for the test health workflow.
                 ? path.dirname(path.resolve(params.stateOutputFile))
                 : undefined;
             try {
-                await StateManager.cleanupOldStateFiles(24, stateDir);
+                await StateManager.cleanupOldFiles(24, stateDir);
             }
             catch (error) {
                 logger.warning(`Failed to cleanup old state files: ${error.message}`);
             }
-            // Clean up old diff temp files (>24 hours) from previous invocations
-            try {
-                const tmpDir = os.tmpdir();
-                const entries = await fs.promises.readdir(tmpDir);
-                const cutoff = Date.now() - 24 * 60 * 60 * 1000;
-                for (const entry of entries) {
-                    if (!entry.startsWith("skyramp-diff-") || !entry.endsWith(".diff"))
-                        continue;
-                    const fullPath = path.join(tmpDir, entry);
-                    const stat = await fs.promises.stat(fullPath).catch(() => null);
-                    if (stat && stat.mtimeMs < cutoff) {
-                        await fs.promises.unlink(fullPath).catch(() => { });
-                    }
-                }
-            }
-            catch {
-                // Non-critical — temp cleanup failure should not block analysis
-            }
             const stateManager = new StateManager("analysis", sessionId, undefined, params.stateOutputFile);
             await stateManager.writeData(unifiedState, {
                 repositoryPath: params.repositoryPath,
@@ -1130,7 +1245,10 @@ to produce a unified state file for the test health workflow.
                     }
                 }
             }
-            const recommendationPrompt = buildRecommendationPrompt(fullAnalysis, analysisScope, topN, prContext, wsAuthHeader, wsAuthType, wsAuthScheme, params.maxGenerate);
+            if (uiContext && uiContext.changedFrontendFiles.length > 0) {
+                logger.info("Frontend changes detected — UI rec grounding relies on the agent's own browser_blueprint history", { candidateUiPages: uiContext.candidateUiPages.map((p) => p.url) });
+            }
+            const recommendationPrompt = buildRecommendationPrompt(fullAnalysis, analysisScope, topN, prContext, wsAuthHeader, wsAuthType, wsAuthScheme, params.maxGenerate, sessionId);
             await sendProgress(100, 100, "Analysis complete.");
             const stateSize = await stateManager.getSizeFormatted();
             const structuredSummary = JSON.stringify({
@@ -1144,6 +1262,10 @@ to produce a unified state file for the test health workflow.
                     newEndpointCount: classifiedEndpoints?.newEndpoints.length ?? 0,
                     endpointCount: skeletonEndpoints.reduce((acc, ep) => acc + ep.methods.length, 0),
                 },
+                // Surface uiContext inline so the testbot prompt can iterate
+                // candidateUiPages and inspect changedFrontendFiles without
+                // re-reading the stateFile. Absent on backend-only PRs.
+                ...(uiContext ? { uiContext } : {}),
                 stateFileSize: stateSize,
                 nextStep: "Call skyramp_analyze_test_health with stateFile to run drift analysis and health scoring",
             }, null, 2);
@@ -1172,13 +1294,6 @@ to produce a unified state file for the test health workflow.
                     affectedServices: classifiedEndpoints.affectedServices,
                 }
                 : undefined;
-            // Write the full diff to a temp file so the LLM can read it on demand
-            // rather than embedding potentially large content inline in the prompt.
-            let diffFilePath;
-            if (diffData?.diffContent) {
-                diffFilePath = path.join(os.tmpdir(), `skyramp-diff-${sessionId}.diff`);
-                await fs.promises.writeFile(diffFilePath, diffData.diffContent, { encoding: "utf-8", mode: 0o600 });
-            }
             const outputText = buildAnalysisOutputText({
                 sessionId,
                 stateFile,
@@ -1186,7 +1301,6 @@ to produce a unified state file for the test health workflow.
                 analysisScope,
                 parsedDiff: parsedDiffShim,
                 diffFilePath,
-                diffContent: diffData?.diffContent,
                 candidateRouteFiles,
                 scannedEndpoints,
                 wsBaseUrl,

package/build/tools/test-management/analyzeChangesTool.test.js

@@ -64,8 +64,20 @@ jest.mock("@modelcontextprotocol/sdk/server/mcp.js", () => ({
 jest.mock("@modelcontextprotocol/sdk/types.js", () => ({}));
 jest.mock("@modelcontextprotocol/sdk/shared/protocol.js", () => ({}));
 import { z } from "zod";
-import { analyzeChangesInputSchema } from "./analyzeChangesTool.js";
+import { analyzeChangesInputSchema, isSecurityRelevantDiff } from "./analyzeChangesTool.js";
 const schema = z.object(analyzeChangesInputSchema);
+describe("isSecurityRelevantDiff", () => {
+    it("matches auth-specific middleware and admin-key signals", () => {
+        expect(isSecurityRelevantDiff("const authMiddleware = requireAuth();")).toBe(true);
+        expect(isSecurityRelevantDiff("require_admin_key(request)")).toBe(true);
+        expect(isSecurityRelevantDiff("headers['x-admin-key']")).toBe(true);
+        expect(isSecurityRelevantDiff("require-role for destructive delete")).toBe(true);
+    });
+    it("does not match generic middleware-only refactors", () => {
+        expect(isSecurityRelevantDiff("refactor logging middleware order")).toBe(false);
+        expect(isSecurityRelevantDiff("move compression middleware to server setup")).toBe(false);
+    });
+});
 describe("analyzeChangesInputSchema — stateOutputFile validation", () => {
     it("accepts a valid absolute path", () => {
         const result = schema.safeParse({
@@ -88,31 +100,37 @@ describe("analyzeChangesInputSchema — stateOutputFile validation", () => {
         expect(result.success).toBe(true);
     });
 });
-describe("automatic state file cleanup", () => {
+describe("automatic old files cleanup", () => {
     let StateManager;
-    let cleanupOldStateFilesSpy;
+    let cleanupOldFilesSpy;
     beforeEach(() => {
         jest.clearAllMocks();
         StateManager = require("../../utils/AnalysisStateManager.js").StateManager;
-        cleanupOldStateFilesSpy = jest.fn().mockResolvedValue(0);
-        StateManager.cleanupOldStateFiles = cleanupOldStateFilesSpy;
+        cleanupOldFilesSpy = jest.fn().mockResolvedValue(0);
+        StateManager.cleanupOldFiles = cleanupOldFilesSpy;
     });
-    it("calls cleanupOldStateFiles with default temp dir when no stateOutputFile provided", async () => {
+    it("calls cleanupOldFiles with default temp dir when no stateOutputFile provided", async () => {
         // This test verifies the cleanup call is made without stateDir when using default location
-        expect(StateManager.cleanupOldStateFiles).toBeDefined();
-        await StateManager.cleanupOldStateFiles(24, undefined);
-        expect(cleanupOldStateFilesSpy).toHaveBeenCalledWith(24, undefined);
+        expect(StateManager.cleanupOldFiles).toBeDefined();
+        await StateManager.cleanupOldFiles(24, undefined);
+        expect(cleanupOldFilesSpy).toHaveBeenCalledWith(24, undefined);
     });
-    it("calls cleanupOldStateFiles with custom dir when stateOutputFile is provided", async () => {
+    it("calls cleanupOldFiles with custom dir when stateOutputFile is provided", async () => {
         // This test verifies the cleanup call is made with the directory of stateOutputFile
         const customPath = "/custom/dir";
-        await StateManager.cleanupOldStateFiles(24, customPath);
-        expect(cleanupOldStateFilesSpy).toHaveBeenCalledWith(24, customPath);
+        await StateManager.cleanupOldFiles(24, customPath);
+        expect(cleanupOldFilesSpy).toHaveBeenCalledWith(24, customPath);
+    });
+    it("calls cleanupOldFiles with empty stateTypes to restrict to diff files only", async () => {
+        // analyzeTestHealthTool passes [] so state files (skyramp-analysis-*, skyramp-recommendation-*)
+        // are never deleted — the caller still needs args.stateFile for skyramp_actions.
+        await StateManager.cleanupOldFiles(24, undefined, []);
+        expect(cleanupOldFilesSpy).toHaveBeenCalledWith(24, undefined, []);
     });
     it("continues execution if cleanup fails", async () => {
         // Cleanup failures should not crash the analyze flow
-        cleanupOldStateFilesSpy.mockRejectedValue(new Error("permission denied"));
-        await expect(StateManager.cleanupOldStateFiles(24).catch(() => {
+        cleanupOldFilesSpy.mockRejectedValue(new Error("permission denied"));
+        await expect(StateManager.cleanupOldFiles(24).catch(() => {
             // In the real code, this is caught and logged as a warning
             return Promise.resolve();
         })).resolves.toBeUndefined();
@@ -206,7 +224,7 @@ describe("filterEndpointsBySpec", () => {
 // ─────────────────────────────────────────────────────────────────────────────
 // isGraphQLFile — unit tests
 // ─────────────────────────────────────────────────────────────────────────────
-import { isGraphQLFile } from "./analyzeChangesTool.js";
+import { filterUnsupportedGraphQLEndpoints, isGraphQLFile } from "./analyzeChangesTool.js";
 import * as os from "os";
 import * as path from "path";
 import * as fsSync from "fs";
@@ -220,6 +238,10 @@ describe("isGraphQLFile", () => {
         const result = await isGraphQLFile("types.gql", "/any/repo");
         expect(result).toBe(true);
     });
+    it("returns true for a top-level graphql directory non-code artifact", async () => {
+        const result = await isGraphQLFile("graphql/schema", "/any/repo");
+        expect(result).toBe(true);
+    });
     it("returns true for a file containing a GraphQL type Query block", async () => {
         const file = path.join(tmpDir, "graphql-test-query.ts");
         fsSync.writeFileSync(file, 'type Query {\n  hello: String\n}\n');
@@ -232,17 +254,55 @@ describe("isGraphQLFile", () => {
         const result = await isGraphQLFile(path.basename(file), tmpDir);
         expect(result).toBe(true);
     });
+    it("returns true for a GraphQL resolver implementation file", async () => {
+        const file = path.join(tmpDir, "users.resolver.ts");
+        fsSync.writeFileSync(file, 'import { Resolver, Query } from "@nestjs/graphql";\n@Resolver()\nclass UsersResolver { @Query() users() { return []; } }\n');
+        const result = await isGraphQLFile(path.basename(file), tmpDir);
+        expect(result).toBe(true);
+    });
+    it("returns false for a Nest REST controller using @Query params", async () => {
+        const file = path.join(tmpDir, "users.controller.ts");
+        fsSync.writeFileSync(file, 'import { Controller, Get, Query } from "@nestjs/common";\n@Controller("users")\nclass UsersController { @Get() list(@Query("page") page: string) { return page; } }\n');
+        const result = await isGraphQLFile(path.basename(file), tmpDir);
+        expect(result).toBe(false);
+    });
     it("returns false for a regular TypeScript route file", async () => {
         const file = path.join(tmpDir, "graphql-test-route.ts");
         fsSync.writeFileSync(file, 'import express from "express";\nrouter.get("/users", handler);\n');
         const result = await isGraphQLFile(path.basename(file), tmpDir);
         expect(result).toBe(false);
     });
+    it("returns false for frontend Apollo gql query templates", async () => {
+        const file = path.join(tmpDir, "usersQuery.tsx");
+        fsSync.writeFileSync(file, 'import { gql } from "@apollo/client";\nexport const USERS_QUERY = gql`query Users { users { id } }`;\n');
+        const result = await isGraphQLFile(path.basename(file), tmpDir);
+        expect(result).toBe(false);
+    });
     it("returns false (does not throw) when the file does not exist", async () => {
         const result = await isGraphQLFile("nonexistent-file.ts", tmpDir);
         expect(result).toBe(false);
     });
 });
+describe("filterUnsupportedGraphQLEndpoints", () => {
+    it("memoizes GraphQL source-file checks within one filter pass", async () => {
+        const endpoints = [
+            { path: "/users", methods: ["GET"], sourceFile: "src/routes/users.ts" },
+            { path: "/users/{id}", methods: ["GET"], sourceFile: "src/routes/users.ts" },
+            { path: "/orders", methods: ["GET"], sourceFile: "src/routes/orders.ts" },
+            { path: "/graphql", methods: ["POST"], sourceFile: "src/routes/graphql.ts" },
+            { path: "/openapi-only", methods: ["GET"], sourceFile: "" },
+        ];
+        const readSpy = jest.spyOn(fsModule.promises, "readFile").mockResolvedValue('router.get("/users", handler)');
+        const result = await filterUnsupportedGraphQLEndpoints(endpoints, "/repo");
+        expect(result.map((endpoint) => endpoint.path)).toEqual(["/users", "/users/{id}", "/orders", "/openapi-only"]);
+        expect(readSpy).toHaveBeenCalledTimes(2);
+        expect(readSpy.mock.calls.map(([file]) => String(file))).toEqual([
+            path.join("/repo", "src/routes/users.ts"),
+            path.join("/repo", "src/routes/orders.ts"),
+        ]);
+        readSpy.mockRestore();
+    });
+});
 // ─────────────────────────────────────────────────────────────────────────────
 // analyzeChangesTool handler — GraphQL-only early return (handler-level)
 // ─────────────────────────────────────────────────────────────────────────────
@@ -296,6 +356,32 @@ describe("analyzeChangesTool handler — GraphQL-only early return", () => {
         expect(result.content[0].text).toContain("schema.graphql");
         expect(result.content[0].text).toContain("REST API testing");
     });
+    it("returns the GraphQL-only message when only GraphQL resolver endpoints are scanned", async () => {
+        computeBranchDiff.mockResolvedValue({
+            currentBranch: "feature",
+            baseBranch: "main",
+            changedFiles: ["src/graphql/users.resolver.ts"],
+            deletedFiles: [],
+            diffContent: "",
+        });
+        scanRelatedEndpoints.mockReturnValue([
+            { path: "/users", methods: ["GET"], sourceFile: "src/graphql/users.resolver.ts" },
+        ]);
+        classifyEndpointsByChangedFiles.mockReturnValue({
+            changedEndpoints: [],
+            newEndpoints: [],
+            removedEndpoints: [],
+            unmatchedFiles: [],
+            affectedServices: [],
+        });
+        const readSpy = jest.spyOn(fsModule.promises, "readFile").mockResolvedValue('import { Resolver, Query } from "@nestjs/graphql";\n@Resolver()\nclass UsersResolver { @Query() users() { return []; } }');
+        const handler = captureAnalyzeHandler();
+        const result = await handler(baseParams);
+        expect(classifyEndpointsByChangedFiles).toHaveBeenCalledWith(expect.anything(), [], []);
+        expect(result.content[0].text).toContain("GraphQL-only diff detected");
+        expect(result.content[0].text).toContain("endpoint implementation");
+        readSpy.mockRestore();
+    });
     it("does NOT early-return when .graphql files are mixed with REST route files", async () => {
         computeBranchDiff.mockResolvedValue({
             currentBranch: "feature",
@@ -305,11 +391,12 @@ describe("analyzeChangesTool handler — GraphQL-only early return", () => {
             diffContent: "",
         });
         // users.ts is not a GraphQL file — isGraphQLFile will read it and return false
-        jest.spyOn(fsModule.promises, "readFile").mockResolvedValue('router.get("/users", handler)');
+        const readSpy = jest.spyOn(fsModule.promises, "readFile").mockResolvedValue('router.get("/users", handler)');
         const handler = captureAnalyzeHandler();
         const result = await handler(baseParams);
         // Should not early-return with GraphQL message
         expect(result.content[0].text).not.toContain("GraphQL-only diff detected");
+        readSpy.mockRestore();
     });
     it("does NOT early-return when scope is full_repo (only fires for PR diffs)", async () => {
         const { scanAllRepoEndpoints } = require("../../utils/repoScanner.js");