api-tests-coverage 1.0.0

package/dist/src/intelligence/markdownReporter.js

@@ -0,0 +1,265 @@
+"use strict";
+/**
+ * Coverage Intelligence – AI-Friendly Markdown Reporter.
+ *
+ * Generates structured, concise markdown and JSON reports from
+ * IntelligenceReport data.  All outputs are deterministic.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderCoverageIntelligenceMd = renderCoverageIntelligenceMd;
+exports.renderMissingTestsMd = renderMissingTestsMd;
+exports.renderRiskPrioritizationMd = renderRiskPrioritizationMd;
+exports.writeIntelligenceReports = writeIntelligenceReports;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const riskScoring_1 = require("./riskScoring");
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+function severityEmoji(s) {
+    switch (s) {
+        case 'CRITICAL': return '🔴';
+        case 'HIGH': return '🟠';
+        case 'MEDIUM': return '🟡';
+        default: return '🔵';
+    }
+}
+function priorityEmoji(p) {
+    switch (p) {
+        case 'P0': return '🚨';
+        case 'P1': return '🔴';
+        case 'P2': return '🟠';
+        default: return '🟡';
+    }
+}
+function riskBandEmoji(score) {
+    const band = (0, riskScoring_1.scoreToRiskBand)(score);
+    switch (band) {
+        case 'Critical': return '🔴 Critical';
+        case 'High': return '🟠 High';
+        case 'Moderate': return '🟡 Moderate';
+        default: return '🔵 Low';
+    }
+}
+function formatEndpoint(ep) {
+    var _a, _b;
+    if (!ep)
+        return 'N/A';
+    return `\`${(_a = ep.method) !== null && _a !== void 0 ? _a : 'GET'} ${(_b = ep.path) !== null && _b !== void 0 ? _b : '/'}\``;
+}
+// ─── Coverage Intelligence Summary ───────────────────────────────────────────
+function renderCoverageIntelligenceMd(report) {
+    const { summary, findings, recommendations } = report;
+    const topFindings = findings.slice(0, 10);
+    const topRecs = recommendations.slice(0, 10);
+    const lines = [
+        `# Coverage Intelligence Report`,
+        ``,
+        `> Generated: ${report.generatedAt}  `,
+        `> Project: **${report.projectName}**`,
+        ``,
+        `## Summary`,
+        ``,
+        `| Metric | Value |`,
+        `|--------|-------|`,
+        `| Total Findings | ${summary.totalFindings} |`,
+        `| Total Recommendations | ${summary.totalRecommendations} |`,
+        `| Max Risk Score | ${summary.maxRiskScore} (${(0, riskScoring_1.scoreToRiskBand)(summary.maxRiskScore)}) |`,
+        `| Avg Risk Score | ${summary.avgRiskScore} |`,
+        `| Critical Uncovered Items | ${summary.criticalUncoveredItems} |`,
+        `| Unprotected Security Findings | ${summary.unprotectedSecurityFindings} |`,
+        ``,
+        `### Findings by Severity`,
+        ``,
+        `| Severity | Count |`,
+        `|----------|-------|`,
+        ...['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'].map((s) => { var _a; return `| ${severityEmoji(s)} ${s} | ${(_a = summary.findingsBySeverity[s]) !== null && _a !== void 0 ? _a : 0} |`; }),
+        ``,
+        `### Recommendations by Priority`,
+        ``,
+        `| Priority | Count |`,
+        `|----------|-------|`,
+        ...['P0', 'P1', 'P2', 'P3'].map((p) => { var _a; return `| ${priorityEmoji(p)} ${p} | ${(_a = summary.recommendationsByPriority[p]) !== null && _a !== void 0 ? _a : 0} |`; }),
+        ``,
+        `## Top Functional Findings`,
+        ``,
+    ];
+    if (topFindings.length === 0) {
+        lines.push('_No findings detected._', '');
+    }
+    else {
+        topFindings.forEach((f, i) => {
+            var _a, _b;
+            lines.push(`### ${i + 1}. ${severityEmoji(f.severity)} ${f.title}`, ``, `- **Category:** ${f.category}`, `- **Source:** ${f.source}`, `- **Severity:** ${f.severity}`, `- **Endpoint:** ${formatEndpoint(f.endpoint)}`, `- **Description:** ${f.description}`, ((_a = f.missingTestTypes) === null || _a === void 0 ? void 0 : _a.length)
+                ? `- **Missing Tests:** ${f.missingTestTypes.join(', ')}`
+                : '', ((_b = f.frameworkHints) === null || _b === void 0 ? void 0 : _b.length)
+                ? `- **Framework Hints:** ${f.frameworkHints.join(', ')}`
+                : '', ``);
+        });
+    }
+    lines.push(`## Top Missing Test Recommendations`, ``);
+    if (topRecs.length === 0) {
+        lines.push('_No recommendations._', '');
+    }
+    else {
+        topRecs.forEach((r, i) => {
+            var _a, _b;
+            lines.push(`### ${i + 1}. ${priorityEmoji(r.priority)} ${r.title}`, ``, `| Field | Value |`, `|-------|-------|`, `| **Priority** | ${r.priority} |`, `| **Risk Score** | ${r.riskScore} (${riskBandEmoji(r.riskScore)}) |`, `| **Test Type** | ${r.recommendedTestType} |`, `| **Endpoint** | ${formatEndpoint(r.endpoint)} |`, `| **Framework** | ${(_a = r.likelyFramework) !== null && _a !== void 0 ? _a : 'N/A'} |`, `| **Language** | ${(_b = r.likelyLanguage) !== null && _b !== void 0 ? _b : 'N/A'} |`, `| **Confidence** | ${r.confidence} |`, ``, `**Rationale:** ${r.rationale}`, ``, `**Linked Findings:** ${r.linkedFindingIds.join(', ')}`, ``);
+        });
+    }
+    if (summary.topRiskAreas.length > 0) {
+        lines.push(`## Highest-Risk Areas`, ``, ...summary.topRiskAreas.map((a) => `- ${a}`), ``);
+    }
+    return lines.filter((l) => l !== undefined).join('\n');
+}
+// ─── Missing Test Recommendations report ─────────────────────────────────────
+function renderMissingTestsMd(report) {
+    var _a, _b;
+    const { recommendations } = report;
+    const lines = [
+        `# Missing Test Recommendations`,
+        ``,
+        `> Generated: ${report.generatedAt}  `,
+        `> Project: **${report.projectName}**`,
+        ``,
+        `Total: **${recommendations.length}** recommendations`,
+        ``,
+    ];
+    if (recommendations.length === 0) {
+        lines.push('_No missing test recommendations at this time._', '');
+        return lines.join('\n');
+    }
+    for (const r of recommendations) {
+        lines.push(`## ${priorityEmoji(r.priority)} [${r.priority}] ${r.title}`, ``, `| Field | Value |`, `|-------|-------|`, `| **Priority** | \`${r.priority}\` |`, `| **Risk Score** | ${r.riskScore} — ${riskBandEmoji(r.riskScore)} |`, `| **Test Type** | \`${r.recommendedTestType}\` |`, `| **Endpoint** | ${formatEndpoint(r.endpoint)} |`, `| **Language** | ${(_a = r.likelyLanguage) !== null && _a !== void 0 ? _a : '_undetected_'} |`, `| **Framework** | ${(_b = r.likelyFramework) !== null && _b !== void 0 ? _b : '_undetected_'} |`, `| **Confidence** | ${r.confidence} |`, ``, `> ${r.rationale}`, ``, `**Linked Findings:** ${r.linkedFindingIds.join(', ')}`, ``, `---`, ``);
+    }
+    return lines.join('\n');
+}
+// ─── Risk Prioritization report ───────────────────────────────────────────────
+function renderRiskPrioritizationMd(report) {
+    var _a, _b, _c;
+    const { findings, recommendations } = report;
+    const criticalRecs = recommendations.filter((r) => (0, riskScoring_1.scoreToRiskBand)(r.riskScore) === 'Critical');
+    const highRecs = recommendations.filter((r) => (0, riskScoring_1.scoreToRiskBand)(r.riskScore) === 'High');
+    const byCategory = new Map();
+    for (const r of recommendations) {
+        const f = findings.find((ff) => r.linkedFindingIds.includes(ff.id));
+        const cat = (_a = f === null || f === void 0 ? void 0 : f.category) !== null && _a !== void 0 ? _a : 'unknown';
+        if (!byCategory.has(cat))
+            byCategory.set(cat, []);
+        byCategory.get(cat).push(r);
+    }
+    const lines = [
+        `# Risk Prioritization Report`,
+        ``,
+        `> Generated: ${report.generatedAt}  `,
+        `> Project: **${report.projectName}**`,
+        ``,
+        `## Critical Risks (Score ≥ 75)`,
+        ``,
+    ];
+    if (criticalRecs.length === 0) {
+        lines.push('_No critical-risk items detected._', '');
+    }
+    else {
+        criticalRecs.forEach((r) => {
+            lines.push(`- 🔴 **[${r.priority}]** ${r.title} — Score: ${r.riskScore}`);
+        });
+        lines.push('');
+    }
+    lines.push(`## High Risks (Score 50–74)`, ``);
+    if (highRecs.length === 0) {
+        lines.push('_No high-risk items detected._', '');
+    }
+    else {
+        highRecs.forEach((r) => {
+            lines.push(`- 🟠 **[${r.priority}]** ${r.title} — Score: ${r.riskScore}`);
+        });
+        lines.push('');
+    }
+    lines.push(`## Risks by Category`, ``);
+    if (byCategory.size === 0) {
+        lines.push('_No risks by category detected._', '');
+    }
+    else {
+        for (const [cat, recs] of byCategory.entries()) {
+            lines.push(`### ${cat}`, ``);
+            recs.forEach((r) => {
+                lines.push(`- ${priorityEmoji(r.priority)} **[${r.priority}]** ${r.title} — Score: ${r.riskScore}`);
+            });
+            lines.push('');
+        }
+    }
+    const byEndpoint = new Map();
+    for (const r of recommendations) {
+        if (!((_b = r.endpoint) === null || _b === void 0 ? void 0 : _b.path))
+            continue;
+        const key = `${(_c = r.endpoint.method) !== null && _c !== void 0 ? _c : 'GET'} ${r.endpoint.path}`;
+        if (!byEndpoint.has(key))
+            byEndpoint.set(key, []);
+        byEndpoint.get(key).push(r);
+    }
+    if (byEndpoint.size > 0) {
+        lines.push(`## Risks by Endpoint`, ``);
+        for (const [ep, recs] of byEndpoint.entries()) {
+            lines.push(`### \`${ep}\``, ``);
+            recs.forEach((r) => {
+                lines.push(`- ${priorityEmoji(r.priority)} **[${r.priority}]** ${r.title} — Score: ${r.riskScore}`);
+            });
+            lines.push('');
+        }
+    }
+    return lines.join('\n');
+}
+// ─── Write reports to disk ────────────────────────────────────────────────────
+function writeIntelligenceReports(report, outDir) {
+    if (!fs.existsSync(outDir)) {
+        fs.mkdirSync(outDir, { recursive: true });
+    }
+    // coverage-intelligence.json
+    fs.writeFileSync(path.join(outDir, 'coverage-intelligence.json'), JSON.stringify(report, null, 2), 'utf-8');
+    // coverage-intelligence.md
+    fs.writeFileSync(path.join(outDir, 'coverage-intelligence.md'), renderCoverageIntelligenceMd(report), 'utf-8');
+    // missing-tests-recommendations.json
+    fs.writeFileSync(path.join(outDir, 'missing-tests-recommendations.json'), JSON.stringify({ generatedAt: report.generatedAt, recommendations: report.recommendations }, null, 2), 'utf-8');
+    // missing-tests-recommendations.md
+    fs.writeFileSync(path.join(outDir, 'missing-tests-recommendations.md'), renderMissingTestsMd(report), 'utf-8');
+    // risk-prioritization.json
+    fs.writeFileSync(path.join(outDir, 'risk-prioritization.json'), JSON.stringify({
+        generatedAt: report.generatedAt,
+        summary: report.summary,
+        recommendations: report.recommendations,
+    }, null, 2), 'utf-8');
+    // risk-prioritization.md
+    fs.writeFileSync(path.join(outDir, 'risk-prioritization.md'), renderRiskPrioritizationMd(report), 'utf-8');
+}

package/dist/src/intelligence/riskScoring.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Coverage Intelligence – Risk Scoring Engine.
+ *
+ * Implements a deterministic, formula-driven risk score for each functional
+ * finding or missing-test recommendation.
+ *
+ * Formula:
+ *   Risk Score =
+ *     0.30 * SeverityWeight +
+ *     0.20 * ExposureWeight +
+ *     0.15 * CriticalityWeight +
+ *     0.15 * MissingCoverageWeight +
+ *     0.10 * SecuritySignalWeight +
+ *     0.05 * FlowImpactWeight +
+ *     0.05 * ChangeVolatilityWeight
+ *
+ * All components are normalized to 0–100.  Final score is clamped to 0–100
+ * and rounded to the nearest integer.
+ */
+import type { Severity, RiskBand, RiskScoreComponents, RecommendationPriority, FindingCategory } from './types';
+/** Maps severity label → 0-100 score component. */
+export declare function severityToWeight(severity: Severity | string): number;
+/**
+ * Derive default exposure, criticality, and flow-impact values from the
+ * finding category and optional endpoint information.
+ */
+export declare function defaultExposureWeight(category: FindingCategory | string, endpointPath?: string): number;
+export declare function defaultCriticalityWeight(category: FindingCategory | string, endpointPath?: string): number;
+export declare function defaultFlowImpactWeight(category: FindingCategory | string, endpointPath?: string): number;
+export interface RiskScoreInput {
+    severity: Severity | string;
+    category: FindingCategory | string;
+    endpointPath?: string;
+    /** Override individual components (0-100 each) */
+    components?: Partial<RiskScoreComponents>;
+    /** Whether linked security scanner findings exist */
+    hasSecuritySignal?: boolean;
+    /** Whether there are zero tests covering this area */
+    zeroCoverage?: boolean;
+}
+/**
+ * Compute a 0–100 risk score for a finding or recommendation.
+ */
+export declare function computeRiskScore(input: RiskScoreInput): number;
+export declare function scoreToRiskBand(score: number): RiskBand;
+/** Derive recommendation priority from risk score, with override rules. */
+export declare function scoreToPriority(score: number, overrides?: {
+    isCriticalSecurityFinding?: boolean;
+    isMoneyMovementEndpoint?: boolean;
+    isAuthGap?: boolean;
+    isZeroCoverageCriticalFlow?: boolean;
+}): RecommendationPriority;
+//# sourceMappingURL=riskScoring.d.ts.map

package/dist/src/intelligence/riskScoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"riskScoring.d.ts","sourceRoot":"","sources":["../../../src/intelligence/riskScoring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EACV,QAAQ,EACR,QAAQ,EACR,mBAAmB,EACnB,sBAAsB,EACtB,eAAe,EAChB,MAAM,SAAS,CAAC;AAgBjB,mDAAmD;AACnD,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAQpE;AAID;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,eAAe,GAAG,MAAM,EAClC,YAAY,CAAC,EAAE,MAAM,GACpB,MAAM,CAaR;AAED,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,eAAe,GAAG,MAAM,EAClC,YAAY,CAAC,EAAE,MAAM,GACpB,MAAM,CAmCR;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,eAAe,GAAG,MAAM,EAClC,YAAY,CAAC,EAAE,MAAM,GACpB,MAAM,CAeR;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAAC;IAC5B,QAAQ,EAAE,eAAe,GAAG,MAAM,CAAC;IACnC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kDAAkD;IAClD,UAAU,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC1C,qDAAqD;IACrD,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,sDAAsD;IACtD,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAqB9D;AAID,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAKvD;AAID,2EAA2E;AAC3E,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,SAAS,CAAC,EAAE;IACV,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC,GACA,sBAAsB,CAuBxB"}

package/dist/src/intelligence/riskScoring.js

@@ -0,0 +1,181 @@
+"use strict";
+/**
+ * Coverage Intelligence – Risk Scoring Engine.
+ *
+ * Implements a deterministic, formula-driven risk score for each functional
+ * finding or missing-test recommendation.
+ *
+ * Formula:
+ *   Risk Score =
+ *     0.30 * SeverityWeight +
+ *     0.20 * ExposureWeight +
+ *     0.15 * CriticalityWeight +
+ *     0.15 * MissingCoverageWeight +
+ *     0.10 * SecuritySignalWeight +
+ *     0.05 * FlowImpactWeight +
+ *     0.05 * ChangeVolatilityWeight
+ *
+ * All components are normalized to 0–100.  Final score is clamped to 0–100
+ * and rounded to the nearest integer.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.severityToWeight = severityToWeight;
+exports.defaultExposureWeight = defaultExposureWeight;
+exports.defaultCriticalityWeight = defaultCriticalityWeight;
+exports.defaultFlowImpactWeight = defaultFlowImpactWeight;
+exports.computeRiskScore = computeRiskScore;
+exports.scoreToRiskBand = scoreToRiskBand;
+exports.scoreToPriority = scoreToPriority;
+// ─── Component weights ────────────────────────────────────────────────────────
+const WEIGHTS = {
+    severity: 0.30,
+    exposure: 0.20,
+    criticality: 0.15,
+    missingCoverage: 0.15,
+    securitySignal: 0.10,
+    flowImpact: 0.05,
+    changeVolatility: 0.05,
+};
+// ─── Severity mapping ─────────────────────────────────────────────────────────
+/** Maps severity label → 0-100 score component. */
+function severityToWeight(severity) {
+    switch (severity.toUpperCase()) {
+        case 'CRITICAL': return 100;
+        case 'HIGH': return 75;
+        case 'MEDIUM': return 50;
+        case 'LOW': return 25;
+        default: return 25;
+    }
+}
+// ─── Category-based defaults ──────────────────────────────────────────────────
+/**
+ * Derive default exposure, criticality, and flow-impact values from the
+ * finding category and optional endpoint information.
+ */
+function defaultExposureWeight(category, endpointPath) {
+    // Auth/authz gaps are typically on exposed endpoints
+    if (category === 'missing-auth-test' || category === 'security-finding-unprotected') {
+        return 80;
+    }
+    // Public endpoint patterns
+    if (endpointPath) {
+        const lower = endpointPath.toLowerCase();
+        if (lower.includes('admin') || lower.includes('internal'))
+            return 30;
+        if (lower.includes('auth') || lower.includes('login') || lower.includes('token'))
+            return 90;
+        if (lower.includes('payment') || lower.includes('wallet') || lower.includes('transfer'))
+            return 90;
+    }
+    return 50; // default
+}
+function defaultCriticalityWeight(category, endpointPath) {
+    const criticalCategories = [
+        'missing-auth-test',
+        'security-finding-unprotected',
+    ];
+    if (criticalCategories.includes(category))
+        return 90;
+    if (endpointPath) {
+        const lower = endpointPath.toLowerCase();
+        if (lower.includes('payment') ||
+            lower.includes('wallet') ||
+            lower.includes('transfer') ||
+            lower.includes('refund') ||
+            lower.includes('debit') ||
+            lower.includes('charge')) {
+            return 95;
+        }
+        if (lower.includes('auth') || lower.includes('login') || lower.includes('token'))
+            return 90;
+        if (lower.includes('profile') || lower.includes('account') || lower.includes('user'))
+            return 50;
+    }
+    switch (category) {
+        case 'uncovered-endpoint': return 70;
+        case 'missing-business-rule-test': return 75;
+        case 'missing-flow-step-test': return 65;
+        case 'error-scenario-gap': return 55;
+        case 'missing-negative-test': return 60;
+        case 'missing-boundary-test': return 45;
+        case 'compatibility-risk': return 70;
+        case 'performance-risk': return 60;
+        case 'high-risk-parameter-gap': return 55;
+        default: return 40;
+    }
+}
+function defaultFlowImpactWeight(category, endpointPath) {
+    if (category === 'missing-flow-step-test')
+        return 80;
+    if (endpointPath) {
+        const lower = endpointPath.toLowerCase();
+        if (lower.includes('payment') || lower.includes('checkout') || lower.includes('signup')) {
+            return 80;
+        }
+    }
+    switch (category) {
+        case 'uncovered-endpoint': return 30;
+        case 'missing-business-rule-test': return 50;
+        case 'security-finding-unprotected': return 60;
+        case 'compatibility-risk': return 60;
+        default: return 20;
+    }
+}
+/**
+ * Compute a 0–100 risk score for a finding or recommendation.
+ */
+function computeRiskScore(input) {
+    var _a, _b, _c, _d, _e, _f, _g, _h;
+    const c = (_a = input.components) !== null && _a !== void 0 ? _a : {};
+    const severityW = (_b = c.severityWeight) !== null && _b !== void 0 ? _b : severityToWeight(input.severity);
+    const exposureW = (_c = c.exposureWeight) !== null && _c !== void 0 ? _c : defaultExposureWeight(input.category, input.endpointPath);
+    const criticalW = (_d = c.criticalityWeight) !== null && _d !== void 0 ? _d : defaultCriticalityWeight(input.category, input.endpointPath);
+    const missingCovW = (_e = c.missingCoverageWeight) !== null && _e !== void 0 ? _e : (input.zeroCoverage ? 100 : 75);
+    const secSignalW = (_f = c.securitySignalWeight) !== null && _f !== void 0 ? _f : (input.hasSecuritySignal ? 100 : 0);
+    const flowImpW = (_g = c.flowImpactWeight) !== null && _g !== void 0 ? _g : defaultFlowImpactWeight(input.category, input.endpointPath);
+    const changeVolW = (_h = c.changeVolatilityWeight) !== null && _h !== void 0 ? _h : 40; // default when no git data
+    const raw = WEIGHTS.severity * severityW +
+        WEIGHTS.exposure * exposureW +
+        WEIGHTS.criticality * criticalW +
+        WEIGHTS.missingCoverage * missingCovW +
+        WEIGHTS.securitySignal * secSignalW +
+        WEIGHTS.flowImpact * flowImpW +
+        WEIGHTS.changeVolatility * changeVolW;
+    return Math.min(100, Math.max(0, Math.round(raw)));
+}
+// ─── Risk band ────────────────────────────────────────────────────────────────
+function scoreToRiskBand(score) {
+    if (score >= 75)
+        return 'Critical';
+    if (score >= 50)
+        return 'High';
+    if (score >= 25)
+        return 'Moderate';
+    return 'Low';
+}
+// ─── Priority assignment ──────────────────────────────────────────────────────
+/** Derive recommendation priority from risk score, with override rules. */
+function scoreToPriority(score, overrides) {
+    // Override rules: never lower than P1 for high-stakes scenarios
+    const mustBeP1OrHigher = (overrides === null || overrides === void 0 ? void 0 : overrides.isCriticalSecurityFinding) ||
+        (overrides === null || overrides === void 0 ? void 0 : overrides.isMoneyMovementEndpoint) ||
+        (overrides === null || overrides === void 0 ? void 0 : overrides.isAuthGap) ||
+        (overrides === null || overrides === void 0 ? void 0 : overrides.isZeroCoverageCriticalFlow);
+    let priority;
+    if (score >= 85) {
+        priority = 'P0';
+    }
+    else if (score >= 70) {
+        priority = 'P1';
+    }
+    else if (score >= 50) {
+        priority = 'P2';
+    }
+    else {
+        priority = 'P3';
+    }
+    if (mustBeP1OrHigher && (priority === 'P2' || priority === 'P3')) {
+        return 'P1';
+    }
+    return priority;
+}

package/dist/src/intelligence/types.d.ts

@@ -0,0 +1,121 @@
+/**
+ * Coverage Intelligence – shared types.
+ *
+ * Defines FunctionalFinding, MissingTestRecommendation, and all supporting
+ * enumerations used by the linkage engine, risk scorer, and markdown reporter.
+ */
+export type FindingSource = 'coverage-gap-analysis' | 'error-coverage' | 'security-coverage' | 'security-scan' | 'integration-flow' | 'parameter-coverage' | 'business-coverage' | 'compatibility' | 'performance-resilience' | 'mcp-analysis' | 'manual-rule';
+export type FindingCategory = 'uncovered-endpoint' | 'missing-negative-test' | 'missing-auth-test' | 'missing-boundary-test' | 'missing-business-rule-test' | 'missing-flow-step-test' | 'security-finding-unprotected' | 'high-risk-parameter-gap' | 'compatibility-risk' | 'performance-risk' | 'error-scenario-gap';
+export type Severity = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+export interface EndpointRef {
+    method?: string;
+    path?: string;
+}
+export interface FunctionalFinding {
+    id: string;
+    source: FindingSource;
+    category: FindingCategory;
+    severity: Severity;
+    title: string;
+    description: string;
+    endpoint?: EndpointRef;
+    filePaths?: string[];
+    relatedTests?: string[];
+    relatedRules?: string[];
+    relatedScanners?: string[];
+    relatedFindings?: string[];
+    missingTestTypes?: string[];
+    frameworkHints?: string[];
+    languageHints?: string[];
+    tags?: string[];
+}
+export type RecommendationPriority = 'P0' | 'P1' | 'P2' | 'P3';
+export type RecommendedTestType = 'positive-api-test' | 'negative-api-test' | 'auth-test' | 'authz-test' | 'boundary-test' | 'business-rule-test' | 'integration-flow-test' | 'security-test' | 'performance-test' | 'resilience-test' | 'compatibility-test';
+export interface MissingTestRecommendation {
+    id: string;
+    priority: RecommendationPriority;
+    title: string;
+    rationale: string;
+    recommendedTestType: RecommendedTestType;
+    endpoint?: EndpointRef;
+    likelyFileTargets?: string[];
+    likelyFramework?: string;
+    likelyLanguage?: string;
+    linkedFindingIds: string[];
+    riskScore: number;
+    confidence: 'low' | 'medium' | 'high';
+}
+export type RiskBand = 'Low' | 'Moderate' | 'High' | 'Critical';
+export interface RiskScoreComponents {
+    /** 0-100: derived from severity */
+    severityWeight: number;
+    /** 0-100: how exposed is this area */
+    exposureWeight: number;
+    /** 0-100: business/domain criticality */
+    criticalityWeight: number;
+    /** 0-100: how uncovered is the area */
+    missingCoverageWeight: number;
+    /** 0-100: security signal from scanners */
+    securitySignalWeight: number;
+    /** 0-100: impact on broader integration flow */
+    flowImpactWeight: number;
+    /** 0-100: change volatility / instability */
+    changeVolatilityWeight: number;
+}
+export interface IntelligenceInput {
+    /** Coverage results from all analyzers */
+    coverageResults: Array<{
+        type: string;
+        totalItems: number;
+        coveredItems: number;
+        coveragePercent: number;
+        details: unknown;
+    }>;
+    /** Security scan findings (optional) */
+    securityFindings?: Array<{
+        id?: string;
+        severity: string;
+        title: string;
+        description?: string;
+        category?: string;
+        scanner?: string;
+        filePath?: string;
+        endpoint?: EndpointRef;
+    }>;
+    /** Detected languages in the project */
+    languages?: string[];
+    /** Detected test frameworks */
+    frameworks?: string[];
+    /** Whether MCP is enabled */
+    mcpEnabled?: boolean;
+    /** Output directory for reports */
+    outDir?: string;
+    /** Project/service name */
+    projectName?: string;
+    /** Coverage thresholds */
+    thresholds?: Record<string, number | undefined>;
+}
+export interface IntelligenceReport {
+    /** Generation timestamp */
+    generatedAt: string;
+    /** Project/service name */
+    projectName: string;
+    /** All functional findings discovered */
+    findings: FunctionalFinding[];
+    /** All missing test recommendations */
+    recommendations: MissingTestRecommendation[];
+    /** Summary statistics */
+    summary: IntelligenceSummary;
+}
+export interface IntelligenceSummary {
+    totalFindings: number;
+    findingsBySeverity: Record<Severity, number>;
+    totalRecommendations: number;
+    recommendationsByPriority: Record<RecommendationPriority, number>;
+    maxRiskScore: number;
+    avgRiskScore: number;
+    criticalUncoveredItems: number;
+    unprotectedSecurityFindings: number;
+    topRiskAreas: string[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/intelligence/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/intelligence/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,MAAM,aAAa,GACrB,uBAAuB,GACvB,gBAAgB,GAChB,mBAAmB,GACnB,eAAe,GACf,kBAAkB,GAClB,oBAAoB,GACpB,mBAAmB,GACnB,eAAe,GACf,wBAAwB,GACxB,cAAc,GACd,aAAa,CAAC;AAElB,MAAM,MAAM,eAAe,GACvB,oBAAoB,GACpB,uBAAuB,GACvB,mBAAmB,GACnB,uBAAuB,GACvB,4BAA4B,GAC5B,wBAAwB,GACxB,8BAA8B,GAC9B,yBAAyB,GACzB,oBAAoB,GACpB,kBAAkB,GAClB,oBAAoB,CAAC;AAEzB,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE9D,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,aAAa,CAAC;IACtB,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,WAAW,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAID,MAAM,MAAM,sBAAsB,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;AAE/D,MAAM,MAAM,mBAAmB,GAC3B,mBAAmB,GACnB,mBAAmB,GACnB,WAAW,GACX,YAAY,GACZ,eAAe,GACf,oBAAoB,GACpB,uBAAuB,GACvB,eAAe,GACf,kBAAkB,GAClB,iBAAiB,GACjB,oBAAoB,CAAC;AAEzB,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,sBAAsB,CAAC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,mBAAmB,CAAC;IACzC,QAAQ,CAAC,EAAE,WAAW,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;CACvC;AAID,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,CAAC;AAIhE,MAAM,WAAW,mBAAmB;IAClC,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,sCAAsC;IACtC,cAAc,EAAE,MAAM,CAAC;IACvB,yCAAyC;IACzC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,uCAAuC;IACvC,qBAAqB,EAAE,MAAM,CAAC;IAC9B,2CAA2C;IAC3C,oBAAoB,EAAE,MAAM,CAAC;IAC7B,gDAAgD;IAChD,gBAAgB,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAID,MAAM,WAAW,iBAAiB;IAChC,0CAA0C;IAC1C,eAAe,EAAE,KAAK,CAAC;QACrB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,eAAe,EAAE,MAAM,CAAC;QACxB,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC,CAAC;IACH,wCAAwC;IACxC,gBAAgB,CAAC,EAAE,KAAK,CAAC;QACvB,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,WAAW,CAAC;KACxB,CAAC,CAAC;IACH,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,+BAA+B;IAC/B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,6BAA6B;IAC7B,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,mCAAmC;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,0BAA0B;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CACjD;AAID,MAAM,WAAW,kBAAkB;IACjC,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,yCAAyC;IACzC,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,uCAAuC;IACvC,eAAe,EAAE,yBAAyB,EAAE,CAAC;IAC7C,yBAAyB;IACzB,OAAO,EAAE,mBAAmB,CAAC;CAC9B;AAED,MAAM,WAAW,mBAAmB;IAClC,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC7C,oBAAoB,EAAE,MAAM,CAAC;IAC7B,yBAAyB,EAAE,MAAM,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;IAClE,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,2BAA2B,EAAE,MAAM,CAAC;IACpC,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB"}

package/dist/src/intelligence/types.js

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * Coverage Intelligence – shared types.
+ *
+ * Defines FunctionalFinding, MissingTestRecommendation, and all supporting
+ * enumerations used by the linkage engine, risk scorer, and markdown reporter.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });