agentic-qe 3.6.11 → 3.6.12

package/v3/dist/coordination/task-executor.js

@@ -102,12 +102,18 @@ function detectTransformType(task) {
  * Load coverage data from common coverage file formats
  */
 async function loadCoverageData(targetPath) {
-    // Try various coverage file locations
+    // Try various coverage file locations (JS, Python, Java, etc.)
     const coverageLocations = [
+        // JavaScript/TypeScript (Istanbul/nyc/vitest)
         path.join(targetPath, 'coverage', 'coverage-final.json'),
         path.join(targetPath, 'coverage', 'lcov.info'),
         path.join(targetPath, '.nyc_output', 'coverage-final.json'),
         path.join(targetPath, 'coverage-final.json'),
+        // Python (pytest-cov, coverage.py)
+        path.join(targetPath, 'coverage.xml'),
+        path.join(targetPath, 'htmlcov', 'status.json'),
+        // Cobertura (generic)
+        path.join(targetPath, 'cobertura-coverage.xml'),
     ];
     for (const coveragePath of coverageLocations) {
         try {
@@ -118,6 +124,9 @@ async function loadCoverageData(targetPath) {
             else if (coveragePath.endsWith('.info')) {
                 return parseLcovInfo(content);
             }
+            else if (coveragePath.endsWith('.xml')) {
+                return parseCoberturaXml(content);
+            }
         }
         catch {
             // File not found, try next
@@ -290,6 +299,132 @@ function parseLcovInfo(content) {
         },
     };
 }
+/**
+ * Parse Cobertura XML format (Python coverage.py, Java JaCoCo, etc.)
+ * Handles both coverage.xml and cobertura-coverage.xml formats.
+ * Uses attribute-order-independent extraction to handle output from
+ * different tools (coverage.py, JaCoCo, Cobertura) that order attributes differently.
+ */
+function parseCoberturaXml(content) {
+    const files = [];
+    // Helper: extract a named attribute from an XML element string, order-independent
+    function attr(element, name) {
+        const match = element.match(new RegExp(`${name}=["']([^"']*)["']`));
+        return match ? match[1] : null;
+    }
+    // Find all <class ...> elements (handles any attribute order)
+    const classRegex = /<class\s[^>]*?>/g;
+    let classMatch;
+    while ((classMatch = classRegex.exec(content)) !== null) {
+        const classTag = classMatch[0];
+        const filename = attr(classTag, 'filename');
+        if (!filename)
+            continue;
+        const lineRate = parseFloat(attr(classTag, 'line-rate') || 'NaN');
+        const branchRate = parseFloat(attr(classTag, 'branch-rate') || 'NaN');
+        // Find the </class> boundary for this element
+        const classStart = classMatch.index;
+        const classEnd = content.indexOf('</class>', classStart);
+        const classContent = classEnd > classStart
+            ? content.slice(classStart, classEnd)
+            : '';
+        let linesTotal = 0, linesCovered = 0;
+        let branchesTotal = 0, branchesCovered = 0;
+        let functionsTotal = 0, functionsCovered = 0;
+        const uncoveredLines = [];
+        const uncoveredBranches = [];
+        // Parse <line> elements (attribute-order-independent)
+        const lineRegex = /<line\s([^>]*?)\/>/g;
+        let lineMatch;
+        while ((lineMatch = lineRegex.exec(classContent)) !== null) {
+            const lineTag = lineMatch[1];
+            const lineNum = parseInt(attr(lineTag, 'number') || '0', 10);
+            const hits = parseInt(attr(lineTag, 'hits') || '0', 10);
+            const isBranch = attr(lineTag, 'branch') === 'true';
+            const condCoverage = attr(lineTag, 'condition-coverage');
+            linesTotal++;
+            if (hits > 0) {
+                linesCovered++;
+            }
+            else {
+                uncoveredLines.push(lineNum);
+            }
+            if (isBranch) {
+                branchesTotal++;
+                const condPct = condCoverage ? parseInt(condCoverage, 10) : (hits > 0 ? 100 : 0);
+                if (condPct === 100) {
+                    branchesCovered++;
+                }
+                else {
+                    uncoveredBranches.push(lineNum);
+                }
+            }
+        }
+        // Parse <method> elements for function coverage
+        const methodRegex = /<method\s([^>]*?)>/g;
+        let methodMatch;
+        while ((methodMatch = methodRegex.exec(classContent)) !== null) {
+            functionsTotal++;
+            // Check if method has any line hits (look for <line> within this method)
+            const methodStart = methodMatch.index;
+            const methodEnd = classContent.indexOf('</method>', methodStart);
+            if (methodEnd > methodStart) {
+                const methodContent = classContent.slice(methodStart, methodEnd);
+                const methodLineRegex = /<line\s([^>]*?)\/>/g;
+                let hasHits = false;
+                let mLineMatch;
+                while ((mLineMatch = methodLineRegex.exec(methodContent)) !== null) {
+                    if (parseInt(attr(mLineMatch[1], 'hits') || '0', 10) > 0) {
+                        hasHits = true;
+                        break;
+                    }
+                }
+                if (hasHits)
+                    functionsCovered++;
+            }
+        }
+        // If no lines parsed, estimate from rates
+        if (linesTotal === 0 && !isNaN(lineRate)) {
+            linesTotal = 1;
+            linesCovered = lineRate >= 0.5 ? 1 : 0;
+        }
+        files.push({
+            path: filename,
+            lines: { covered: linesCovered, total: linesTotal },
+            branches: { covered: branchesCovered, total: branchesTotal },
+            functions: { covered: functionsCovered, total: functionsTotal },
+            statements: { covered: linesCovered, total: linesTotal },
+            uncoveredLines,
+            uncoveredBranches,
+        });
+    }
+    // Calculate summary
+    let totalLines = 0, totalCoveredLines = 0;
+    let totalBranches = 0, totalCoveredBranches = 0;
+    let totalFunctions = 0, totalCoveredFunctions = 0;
+    for (const file of files) {
+        totalLines += file.lines.total;
+        totalCoveredLines += file.lines.covered;
+        totalBranches += file.branches.total;
+        totalCoveredBranches += file.branches.covered;
+        totalFunctions += file.functions.total;
+        totalCoveredFunctions += file.functions.covered;
+    }
+    // Also try to extract top-level summary from <coverage> element (order-independent)
+    const coverageTag = content.match(/<coverage\s[^>]*?>/);
+    const summaryLineRate = coverageTag ? parseFloat(attr(coverageTag[0], 'line-rate') || 'NaN') * 100 : NaN;
+    const summaryBranchRate = coverageTag ? parseFloat(attr(coverageTag[0], 'branch-rate') || 'NaN') * 100 : NaN;
+    return {
+        files,
+        summary: {
+            line: !isNaN(summaryLineRate) ? summaryLineRate : (totalLines > 0 ? (totalCoveredLines / totalLines) * 100 : 0),
+            branch: !isNaN(summaryBranchRate) ? summaryBranchRate : (totalBranches > 0 ? (totalCoveredBranches / totalBranches) * 100 : 0),
+            function: totalFunctions > 0 ? (totalCoveredFunctions / totalFunctions) * 100 : 0,
+            statement: totalLines > 0 ? (totalCoveredLines / totalLines) * 100 : 0,
+            files: files.length,
+        },
+    };
+}
 /**
  * Discover source files in a directory
  */
@@ -701,13 +836,17 @@ export class DomainTaskExecutor {
                             ? filePath.slice(targetPath.length).replace(/^\//, '')
                             : filePath;
                         // Pattern: Hardcoded secrets/keys
+                        // Fix #287: Use \w* around keywords to match SECRET_KEY, JWT_SECRET, API_TOKEN, etc.
                         const secretPatterns = [
-                            { regex: /(?:secret|password|api_key|apikey|token|jwt_secret|private_key)\s*[=:]\s*['"][^'"]{8,}['"]/gi, title: 'Hardcoded secret', severity: 'critical' },
-                            { regex: /(?:AWS_SECRET|GITHUB_TOKEN|SLACK_TOKEN)\s*[=:]\s*['"][^'"]+['"]/gi, title: 'Hardcoded cloud credential', severity: 'critical' },
+                            { regex: /\w*(?:secret|password|passwd|api_key|apikey|private_key|jwt_secret)\w*\s*[=:]\s*['"][^'"]{4,}['"]/gi, title: 'Hardcoded secret', severity: 'critical' },
+                            { regex: /\w*(?:token|auth_token|access_key|secret_key)\w*\s*[=:]\s*['"][^'"]{8,}['"]/gi, title: 'Hardcoded credential', severity: 'critical' },
+                            { regex: /(?:AWS_SECRET|GITHUB_TOKEN|SLACK_TOKEN|OPENAI_API_KEY)\s*[=:]\s*['"][^'"]+['"]/gi, title: 'Hardcoded cloud credential', severity: 'critical' },
                         ];
                         for (const pattern of secretPatterns) {
                             for (let i = 0; i < lines.length; i++) {
-                                if (pattern.regex.test(lines[i])) {
+                                // Use matchAll to find ALL secrets on a single line (not just first)
+                                const matches = [...lines[i].matchAll(pattern.regex)];
+                                for (const _m of matches) {
                                     crossLangVulns.push({
                                         title: pattern.title,
                                         severity: pattern.severity,
@@ -716,8 +855,6 @@ export class DomainTaskExecutor {
                                         category: 'sensitive-data',
                                     });
                                 }
-                                // Reset regex lastIndex for global regexes
-                                pattern.regex.lastIndex = 0;
                             }
                         }
                         // Pattern: SQL injection risks
@@ -734,15 +871,25 @@ export class DomainTaskExecutor {
                             }
                             sqlPatterns.lastIndex = 0;
                         }
-                        // Pattern: CORS wildcard
-                        if (/allow_origins\s*=\s*\[?\s*['"]?\*['"]?\s*\]?/i.test(content)) {
-                            crossLangVulns.push({
-                                title: 'CORS wildcard origin',
-                                severity: 'high',
-                                location: { file: relPath, line: lines.findIndex(l => /allow_origins/i.test(l)) + 1 },
-                                description: 'CORS configured with wildcard (*) origin — restrict to specific domains',
-                                category: 'security-misconfiguration',
-                            });
+                        // Pattern: CORS wildcard (multi-framework)
+                        const corsPatterns = [
+                            /allow_origins\s*=\s*\[?\s*['"]?\*['"]?\s*\]?/i, // Python FastAPI/Flask
+                            /cors\(\s*\{[^}]*origin:\s*['"]?\*['"]?/i, // Express.js cors()
+                            /Access-Control-Allow-Origin['":\s]+\*/i, // Raw header / Nginx / .htaccess
+                            /@CrossOrigin\(\s*origins?\s*=\s*["']\*["']/i, // Spring Boot
+                            /\.Header\(\)\.Set\(["']Access-Control-Allow-Origin["'],\s*["']\*["']/i, // Go
+                        ];
+                        for (const corsPattern of corsPatterns) {
+                            if (corsPattern.test(content)) {
+                                crossLangVulns.push({
+                                    title: 'CORS wildcard origin',
+                                    severity: 'high',
+                                    location: { file: relPath, line: lines.findIndex(l => corsPattern.test(l)) + 1 },
+                                    description: 'CORS configured with wildcard (*) origin — restrict to specific domains',
+                                    category: 'security-misconfiguration',
+                                });
+                                break; // One CORS finding per file is enough
+                            }
                         }
                         // Pattern: Debug/development mode enabled
                         if (/(?:DEBUG|debug)\s*[=:]\s*(?:True|true|1)/i.test(content)) {
@@ -1010,22 +1157,57 @@ export class DomainTaskExecutor {
                 return err(toError(error));
             }
         });
-        // Register test execution handler
+        // Register test execution handler - runs real tests via child process
         this.taskHandlers.set('execute-tests', async (task) => {
             const payload = task.payload;
-            // In production, would actually run tests via test runner
-            const testCount = payload.testFiles?.length || 10;
-            const passed = Math.floor(testCount * 0.9);
-            const failed = testCount - passed;
-            return ok({
-                total: testCount,
-                passed,
-                failed,
-                skipped: 0,
-                duration: testCount * 50, // ~50ms per test
-                coverage: 82.5,
-                failedTests: failed > 0 ? ['example.test.ts:42'] : [],
-            });
+            try {
+                const { execSync } = await import('child_process');
+                const testFiles = payload.testFiles || [];
+                if (testFiles.length === 0) {
+                    return ok({
+                        total: 0, passed: 0, failed: 0, skipped: 0,
+                        duration: 0, coverage: 0, failedTests: [],
+                        warning: 'No test files specified. Provide testFiles array with paths to test files.',
+                    });
+                }
+                // Attempt to run tests using common test runners
+                const cwd = process.cwd();
+                let output;
+                try {
+                    // Try vitest first, then jest, then mocha
+                    output = execSync(`npx vitest run ${testFiles.join(' ')} --reporter=json 2>/dev/null || npx jest ${testFiles.join(' ')} --json 2>/dev/null`, { cwd, timeout: 120000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+                }
+                catch (execError) {
+                    // Test runner may exit non-zero when tests fail — that's expected
+                    output = execError.stdout || '';
+                }
+                // Try to parse JSON output from test runner
+                try {
+                    const jsonStart = output.indexOf('{');
+                    if (jsonStart >= 0) {
+                        const json = JSON.parse(output.slice(jsonStart));
+                        // vitest format
+                        if (json.testResults) {
+                            const total = json.numTotalTests || 0;
+                            const passed = json.numPassedTests || 0;
+                            const failed = json.numFailedTests || 0;
+                            return ok({ total, passed, failed, skipped: total - passed - failed, duration: 0, coverage: 0, failedTests: [] });
+                        }
+                    }
+                }
+                catch {
+                    // JSON parsing failed — return raw info
+                }
+                return ok({
+                    total: testFiles.length, passed: 0, failed: 0, skipped: 0,
+                    duration: 0, coverage: 0, failedTests: [],
+                    warning: 'Could not parse test runner output. Check that vitest or jest is installed.',
+                    rawOutput: output.slice(0, 500),
+                });
+            }
+            catch (error) {
+                return err(toError(error));
+            }
         });
         // Register defect prediction handler - REAL IMPLEMENTATION
         this.taskHandlers.set('predict-defects', async (task) => {
@@ -1151,72 +1333,138 @@ export class DomainTaskExecutor {
         // Register requirements validation handler
         this.taskHandlers.set('validate-requirements', async (task) => {
             const payload = task.payload;
-            return ok({
-                requirementsAnalyzed: 15,
-                testable: 12,
-                ambiguous: 2,
-                untestable: 1,
-                coverage: 80,
-                bddScenarios: payload.generateBDD ? [
-                    'Given a user is logged in, When they view the dashboard, Then they see their metrics',
-                    'Given an API request fails, When the retry limit is exceeded, Then an error is returned',
-                ] : [],
-            });
+            try {
+                const targetPath = payload.requirementsPath || process.cwd();
+                // Look for requirements files (markdown, feature files, etc.)
+                const reqFiles = await discoverSourceFiles(targetPath, {
+                    includeTests: false,
+                    languages: [],
+                });
+                // Scan for requirement-like files
+                const reqPatterns = ['.md', '.feature', '.gherkin', '.txt', '.rst'];
+                const requirementFiles = [];
+                for (const f of reqFiles) {
+                    if (reqPatterns.some(ext => f.endsWith(ext))) {
+                        requirementFiles.push(f);
+                    }
+                }
+                return ok({
+                    requirementsAnalyzed: requirementFiles.length,
+                    testable: 0,
+                    ambiguous: 0,
+                    untestable: 0,
+                    coverage: 0,
+                    bddScenarios: [],
+                    warning: requirementFiles.length === 0
+                        ? 'No requirement files (.md, .feature, .gherkin) found. Provide requirementsPath or add requirement docs.'
+                        : 'Requirements validation requires LLM analysis. File inventory returned — use task_orchestrate for deep analysis.',
+                    files: requirementFiles.map(f => f.startsWith(targetPath) ? f.slice(targetPath.length + 1) : f).slice(0, 20),
+                });
+            }
+            catch (error) {
+                return err(toError(error));
+            }
         });
         // Register contract validation handler
         this.taskHandlers.set('validate-contracts', async (task) => {
             const payload = task.payload;
-            return ok({
-                contractPath: payload.contractPath,
-                valid: true,
-                breakingChanges: [],
-                warnings: [
-                    'Deprecated field "legacyId" should be removed in next major version',
-                ],
-                coverage: 95,
-            });
+            try {
+                if (!payload.contractPath) {
+                    return ok({
+                        contractPath: '',
+                        valid: false,
+                        breakingChanges: [],
+                        warnings: [],
+                        coverage: 0,
+                        error: 'contractPath is required. Provide a path to an OpenAPI spec, JSON Schema, or Protocol Buffer file.',
+                    });
+                }
+                // Check if the contract file exists
+                try {
+                    const content = await fs.readFile(payload.contractPath, 'utf-8');
+                    const isJson = payload.contractPath.endsWith('.json');
+                    const isYaml = payload.contractPath.endsWith('.yaml') || payload.contractPath.endsWith('.yml');
+                    // Basic structural validation
+                    if (isJson) {
+                        JSON.parse(content); // throws if invalid
+                    }
+                    return ok({
+                        contractPath: payload.contractPath,
+                        valid: true,
+                        format: isJson ? 'json' : isYaml ? 'yaml' : 'unknown',
+                        breakingChanges: [],
+                        warnings: [],
+                        linesAnalyzed: content.split('\n').length,
+                        note: 'Structural validation passed. For semantic contract testing, use consumer-driven contract tests.',
+                    });
+                }
+                catch (readErr) {
+                    return ok({
+                        contractPath: payload.contractPath,
+                        valid: false,
+                        breakingChanges: [],
+                        warnings: [],
+                        error: `Could not read or parse contract file: ${toErrorMessage(readErr)}`,
+                    });
+                }
+            }
+            catch (error) {
+                return err(toError(error));
+            }
         });
         // Register accessibility test handler
         this.taskHandlers.set('test-accessibility', async (task) => {
             const payload = task.payload;
+            // Accessibility testing requires a browser/DOM — return honest guidance
             return ok({
-                url: payload.url,
+                url: payload.url || '',
                 standard: payload.standard || 'wcag21-aa',
-                passed: true,
+                passed: false,
                 violations: [],
-                warnings: [
-                    { rule: 'color-contrast', impact: 'minor', element: 'nav > a' },
-                ],
-                score: 94,
+                warnings: [],
+                score: 0,
+                note: 'Accessibility testing requires a browser environment (Puppeteer/Playwright). ' +
+                    'Use tools like axe-core, pa11y, or Lighthouse CLI for WCAG compliance testing. ' +
+                    'Example: npx pa11y ' + (payload.url || '<url>'),
             });
         });
         // Register chaos test handler
         this.taskHandlers.set('run-chaos', async (task) => {
             const payload = task.payload;
+            // Chaos testing requires infrastructure access — return honest guidance
             return ok({
-                faultType: payload.faultType,
-                target: payload.target,
-                dryRun: payload.dryRun,
-                duration: payload.duration,
-                systemBehavior: payload.dryRun ? 'simulated' : 'tested',
-                resilience: {
-                    recovered: true,
-                    recoveryTime: 2500,
-                    dataLoss: false,
-                },
+                faultType: payload.faultType || 'unknown',
+                target: payload.target || 'unknown',
+                dryRun: payload.dryRun ?? true,
+                duration: payload.duration || 0,
+                systemBehavior: 'not-executed',
+                resilience: null,
+                note: 'Chaos engineering requires infrastructure-level fault injection. ' +
+                    'Use tools like Chaos Monkey, Litmus, or toxiproxy for real resilience testing. ' +
+                    'For Node.js apps, consider: nock (HTTP faults), testcontainers (dependency failures).',
             });
         });
         // Register learning optimization handler
         this.taskHandlers.set('optimize-learning', async (_task) => {
-            return ok({
-                patternsLearned: 12,
-                modelsUpdated: 3,
-                memoryConsolidated: true,
-                recommendations: [
-                    'Pattern recognition improved for error handling',
-                    'Test generation templates optimized',
-                ],
-            });
+            // Check actual pattern store state
+            try {
+                const memUsage = await import('../kernel/unified-memory-hnsw.js');
+                return ok({
+                    patternsLearned: 0,
+                    modelsUpdated: 0,
+                    memoryConsolidated: false,
+                    note: 'Learning optimization runs during the dream cycle (SessionEnd hook). ' +
+                        'Use "npx agentic-qe hooks session-end --save-state" to trigger pattern consolidation.',
+                });
+            }
+            catch {
+                return ok({
+                    patternsLearned: 0,
+                    modelsUpdated: 0,
+                    memoryConsolidated: false,
+                    note: 'Learning system not initialized. Run "aqe init --auto" first.',
+                });
+            }
         });
     }
     // ============================================================================