@xera-ai/core 0.4.3 → 0.5.0

package/src/classifier/contract-drift.ts

@@ -0,0 +1,111 @@
+import type { ClassifyResult } from './rate-limited';
+
+export interface OpenAPISchema {
+  type?: 'object' | 'array' | 'string' | 'integer' | 'number' | 'boolean' | 'null';
+  properties?: Record<string, OpenAPISchema>;
+  required?: readonly string[];
+  items?: OpenAPISchema;
+}
+
+interface OpenAPIOperation {
+  responses?: Record<string, { content?: Record<string, { schema?: OpenAPISchema }> }>;
+  requestBody?: { content?: Record<string, { schema?: OpenAPISchema }> };
+}
+
+export interface OpenAPIDocument {
+  paths: Record<
+    string,
+    Partial<Record<'get' | 'post' | 'put' | 'patch' | 'delete', OpenAPIOperation>>
+  >;
+}
+
+export interface ContractDriftCall {
+  method: string;
+  url: string;
+  status: number;
+  respBody: unknown;
+}
+
+export interface ClassifyContractDriftInput {
+  calls: readonly ContractDriftCall[];
+  openapi: OpenAPIDocument | null;
+}
+
+function matchPath(specPaths: readonly string[], actualUrl: string): string | null {
+  const path = actualUrl.split('?')[0] ?? actualUrl;
+  for (const tmpl of specPaths) {
+    const re = new RegExp(`^${tmpl.replace(/\{[^}]+\}/g, '[^/]+')}$`);
+    if (re.test(path)) return tmpl;
+  }
+  return null;
+}
+
+function matchesSchema(body: unknown, schema: OpenAPISchema | undefined): boolean {
+  if (!schema) return true;
+  if (schema.type === 'object') {
+    if (typeof body !== 'object' || body === null || Array.isArray(body)) return false;
+    const obj = body as Record<string, unknown>;
+    for (const req of schema.required ?? []) {
+      if (!(req in obj)) return false;
+    }
+    return true;
+  }
+  if (schema.type === 'array') return Array.isArray(body);
+  if (schema.type === 'string') return typeof body === 'string';
+  if (schema.type === 'integer' || schema.type === 'number') return typeof body === 'number';
+  if (schema.type === 'boolean') return typeof body === 'boolean';
+  if (schema.type === 'null') return body === null;
+  return true;
+}
+
+const VERBS = ['get', 'post', 'put', 'patch', 'delete'] as const;
+type Verb = (typeof VERBS)[number];
+
+function isVerb(s: string): s is Verb {
+  return (VERBS as readonly string[]).includes(s);
+}
+
+export function classifyContractDrift(input: ClassifyContractDriftInput): ClassifyResult | null {
+  if (input.openapi === null) return null;
+  const specPaths = Object.keys(input.openapi.paths);
+
+  for (const call of input.calls) {
+    const tmpl = matchPath(specPaths, call.url);
+    if (!tmpl) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `Endpoint ${call.method} ${call.url} not found in OpenAPI`,
+      };
+    }
+    const methodLower = call.method.toLowerCase();
+    if (!isVerb(methodLower)) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `Method ${call.method} not supported by classifier for ${tmpl}`,
+      };
+    }
+    const pathItem = input.openapi.paths[tmpl];
+    const op = pathItem?.[methodLower];
+    if (!op) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `${call.method} not defined for ${tmpl} in OpenAPI`,
+      };
+    }
+    const respDef = op.responses?.[String(call.status)];
+    if (!respDef) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `Status ${call.status} not enumerated for ${call.method} ${tmpl} in OpenAPI`,
+      };
+    }
+    const schema = respDef.content?.['application/json']?.schema;
+    if (!matchesSchema(call.respBody, schema)) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `Response body for ${call.method} ${tmpl} (${call.status}) does not match OpenAPI schema`,
+      };
+    }
+  }
+  return null;
+}

package/src/classifier/rate-limited.ts

@@ -0,0 +1,25 @@
+import type { Classification } from '../artifact/status';
+
+export interface HttpCallSummary {
+  method: string;
+  url: string;
+  status: number;
+}
+
+export interface ClassifyResult {
+  class: Classification;
+  rationale: string;
+}
+
+export interface ClassifyRateLimitedInput {
+  calls: readonly HttpCallSummary[];
+}
+
+export function classifyRateLimited(input: ClassifyRateLimitedInput): ClassifyResult | null {
+  const hit = input.calls.find((c) => c.status === 429);
+  if (!hit) return null;
+  return {
+    class: 'RATE_LIMITED',
+    rationale: `Captured HTTP 429 on ${hit.method} ${hit.url}`,
+  };
+}

package/src/config/schema.ts

@@ -31,6 +31,37 @@ const WebSchema = z
     path: ['defaultEnv'],
   });
 
+const HttpAuthRoleSchema = z.object({
+  tokenEnv: z.string().optional(),
+  userEnv: z.string().optional(),
+  passEnv: z.string().optional(),
+  tokenUrl: z.string().url().optional(),
+  clientIdEnv: z.string().optional(),
+  clientSecretEnv: z.string().optional(),
+  scope: z.string().optional(),
+});
+
+const HttpAuthSchema = z.object({
+  strategy: z.enum(['bearer', 'apiKey', 'basic', 'oauth-cc', 'custom', 'none']).default('none'),
+  ttl: z.string().default('8h'),
+  refreshBuffer: z.string().default('30m'),
+  roles: z.record(z.string(), HttpAuthRoleSchema).default({}),
+});
+
+const HttpSchema = z
+  .object({
+    baseUrl: z.record(z.string(), z.string().url()).refine((m) => Object.keys(m).length > 0, {
+      message: 'baseUrl must have at least one environment',
+    }),
+    defaultEnv: z.string(),
+    spec: z.string().optional(),
+    auth: HttpAuthSchema.prefault({}),
+  })
+  .refine((h) => h.baseUrl[h.defaultEnv] !== undefined, {
+    message: 'defaultEnv must exist in baseUrl map',
+    path: ['defaultEnv'],
+  });
+
 const JiraSchema = z.object({
   baseUrl: z.string().url(),
   projectKeys: z.array(z.string().min(1)).min(1),
@@ -74,19 +105,31 @@ const RunSchema = z
     autoImpact: z
       .object({
         enabled: z.boolean().default(true),
-        threshold: z.number().nonnegative().default(6.0),
+        threshold: z.number().nonnegative().default(8.0),
       })
       .prefault({}),
   })
   .prefault({});
 
-export const XeraConfigSchema = z.object({
-  jira: JiraSchema,
-  web: WebSchema,
-  ai: AISchema,
-  reporting: ReportingSchema,
-  run: RunSchema.prefault({}),
-  adapters: z.array(z.string().min(1)).min(1).default(['web']),
-});
+export const XeraConfigSchema = z
+  .object({
+    jira: JiraSchema,
+    web: WebSchema.optional(),
+    http: HttpSchema.optional(),
+    ai: AISchema,
+    reporting: ReportingSchema,
+    run: RunSchema.prefault({}),
+    adapters: z
+      .array(z.enum(['web', 'http']))
+      .min(1)
+      .default(['web']),
+  })
+  .refine((c) => c.web !== undefined || c.http !== undefined, {
+    message: 'At least one of `web` or `http` must be configured',
+  })
+  .refine((c) => c.adapters.every((a) => (a === 'web' ? c.web : c.http) !== undefined), {
+    message: 'Every adapter in `adapters` must have a corresponding config block',
+    path: ['adapters'],
+  });
 
 export type XeraConfig = z.infer<typeof XeraConfigSchema>;

package/src/graph/schema.ts

@@ -78,6 +78,9 @@ const classification = z.enum([
   'FLAKY',
   'PASS',
   'TEST_OUTDATED',
+  'CONTRACT_DRIFT',
+  'RATE_LIMITED',
+  'AUTH_EXPIRED',
 ]);
 
 const runClassified = z

package/src/graph/store.ts

@@ -185,7 +185,14 @@ export function deriveSnapshot(events: Event[]): Snapshot {
         edges.push(ed);
         break;
       }
-      // run.classified and classification.disputed: not materialized in v0.6.0 snapshot
+      case 'classification.disputed': {
+        const existing = latestFailures[e.payload.scenarioId];
+        if (existing && existing.runId === e.payload.runId) {
+          existing.disputed = true;
+        }
+        break;
+      }
+      // run.classified: not materialized in snapshot
       default:
         break;
     }

package/src/graph/types.ts

@@ -12,7 +12,10 @@ export type Classification =
   | 'SELECTOR_DRIFT'
   | 'FLAKY'
   | 'PASS'
-  | 'TEST_OUTDATED';
+  | 'TEST_OUTDATED'
+  | 'CONTRACT_DRIFT'
+  | 'RATE_LIMITED'
+  | 'AUTH_EXPIRED';
 
 export interface TicketFetchedPayload {
   ticketId: string;
@@ -154,6 +157,7 @@ export interface FailureNode {
   runId: string;
   traceId?: string;
   ts: string;
+  disputed?: boolean;
 }
 
 export interface EdgeRecord {

package/src/index.ts

@@ -8,6 +8,7 @@ export * from './auth/encrypt';
 export * from './auth/key';
 export * from './auth/refresh';
 export * from './auth/state';
+export type { OpenAPIDocument, OpenAPISchema } from './classifier/contract-drift';
 export * from './config/define';
 export * from './config/load';
 export * from './config/schema';
@@ -17,3 +18,4 @@ export * from './jira/retry';
 export * from './jira/types';
 export * from './lock/file-lock';
 export * from './logging/ndjson-logger';
+export * from './scrub';

package/src/scrub/index.ts

@@ -0,0 +1 @@
+export * from './rules';

package/src/scrub/rules.ts

@@ -0,0 +1,69 @@
+export const SENSITIVE_HEADERS: readonly string[] = [
+  'authorization',
+  'cookie',
+  'set-cookie',
+  'x-api-key',
+  'x-auth-token',
+  'x-csrf-token',
+  'proxy-authorization',
+];
+
+export const SENSITIVE_BODY_KEYS: readonly RegExp[] = [
+  /password/i,
+  /passwd/i,
+  /token/i,
+  /secret/i,
+  /api[-_]?key/i,
+  /access[-_]?key/i,
+  /private[-_]?key/i,
+  /authorization/i,
+  /credit[-_]?card/i,
+  /card[-_]?number/i,
+  /cvv/i,
+];
+
+export const JWT_RE = /\beyJ[A-Za-z0-9_-]{7,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{5,}\b/;
+export const CREDIT_CARD_RE = /\b(?:\d{4}[-\s]?){3}\d{4}\b/;
+export const EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
+// E.164-ish phone with optional + and separators. Conservative: require at least 7 digits.
+export const PHONE_RE = /(?:\+?\d[\d\s().-]{6,}\d)/;
+
+const JWT_RE_G = new RegExp(JWT_RE.source, 'g');
+const CREDIT_CARD_RE_G = new RegExp(CREDIT_CARD_RE.source, 'g');
+export const EMAIL_RE_G = new RegExp(EMAIL_RE.source, 'g');
+export const PHONE_RE_G = new RegExp(PHONE_RE.source, 'g');
+
+const REDACTED = '[REDACTED]';
+
+export function scrubHeaders(headers: Record<string, string>): Record<string, string> {
+  const out: Record<string, string> = {};
+  for (const [k, v] of Object.entries(headers)) {
+    out[k] = SENSITIVE_HEADERS.includes(k.toLowerCase()) ? REDACTED : v;
+  }
+  return out;
+}
+
+export function scrubBodyJson(body: unknown): unknown {
+  if (Array.isArray(body)) return body.map(scrubBodyJson);
+  if (body && typeof body === 'object') {
+    const out: Record<string, unknown> = {};
+    for (const [k, v] of Object.entries(body)) {
+      if (SENSITIVE_BODY_KEYS.some((re) => re.test(k))) {
+        out[k] = REDACTED;
+      } else {
+        out[k] = scrubBodyJson(v);
+      }
+    }
+    return out;
+  }
+  if (typeof body === 'string') return scrubFreeText(body);
+  return body;
+}
+
+export function scrubFreeText(s: string): string {
+  return s
+    .replace(JWT_RE_G, REDACTED)
+    .replace(CREDIT_CARD_RE_G, REDACTED)
+    .replace(EMAIL_RE_G, REDACTED)
+    .replace(PHONE_RE_G, REDACTED);
+}