npm - api-tests-coverage - Versions diffs - 1.0.12 → 1.0.14 - Mend

api-tests-coverage 1.0.12 → 1.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (150) hide show

package/dist/src/pipeline/stages/dast/conflictEmitter.js ADDED Viewed

@@ -0,0 +1,90 @@
+"use strict";
+/**
+ * DAST conflict emitter — detects conflicts between DAST probe results and
+ * AST-declared endpoints.
+ *
+ * Conflict rules from spec §7:
+ *
+ * | DAST Result              | AST Declared          | Conflict Type                      |
+ * |--------------------------|-----------------------|------------------------------------|
+ * | Not reachable            | Endpoint exists       | dast-unreachable                   |
+ * | Reachable, no auth check | @Secured present      | security-annotation-not-enforced   |
+ * | Returns 500              | No error handler      | unhandled-server-error             |
+ * | New endpoint found       | Not in AST            | undeclared-endpoint                |
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.emitDastConflicts = emitDastConflicts;
+/**
+ * Emit conflicts by comparing DAST results with the AST-declared graph.
+ *
+ * @param results - DAST probe results
+ * @param graph - Current coverage knowledge graph
+ * @returns Array of conflict nodes to be added to the graph
+ */
+function emitDastConflicts(results, graph) {
+    var _a, _b;
+    const conflicts = [];
+    const astEndpointIds = new Set(graph.getNodesByType('endpoint').map((n) => n.id));
+    for (const result of results) {
+        const endpointPath = (_a = result.normalizedPath) !== null && _a !== void 0 ? _a : result.path;
+        const endpointId = `endpoint:${result.method.toUpperCase()}:${endpointPath}`;
+        const existsInAst = astEndpointIds.has(endpointId);
+        // Rule 1: DAST can't reach an AST-declared endpoint
+        if (!result.reachable && existsInAst) {
+            conflicts.push({
+                conflictId: `conflict:dast-unreachable:${endpointId}`,
+                nodeId: endpointId,
+                type: 'dast-unreachable',
+                stages: ['ast', 'dast'],
+                stageOutputs: { ast: 'endpoint-declared', dast: 'not-reachable' },
+                detail: `DAST could not reach ${result.method} ${result.path}, but AST declares it as an endpoint.`,
+                suggestedAction: 'Verify the endpoint is deployed and accessible in the test environment. Check for routing middleware that may block access.',
+                severity: 'warning',
+            });
+        }
+        // Rule 2: DAST reaches endpoint without auth, but AST shows security annotation
+        if (result.reachable && result.authBypass && existsInAst) {
+            const endpointNode = graph.getNode(endpointId);
+            const hasSecurityAnnotation = ((_b = endpointNode === null || endpointNode === void 0 ? void 0 : endpointNode.metadata) === null || _b === void 0 ? void 0 : _b.securityAnnotation) != null;
+            if (hasSecurityAnnotation || result.authRequired === false) {
+                conflicts.push({
+                    conflictId: `conflict:security-not-enforced:${endpointId}`,
+                    nodeId: endpointId,
+                    type: 'security-annotation-not-enforced',
+                    stages: ['ast', 'dast'],
+                    stageOutputs: { ast: 'security-annotation-present', dast: 'auth-bypass-detected' },
+                    detail: `DAST accessed ${result.method} ${result.path} without authentication, but security annotation is present in code.`,
+                    suggestedAction: 'Review security configuration. Ensure authentication middleware is applied to this endpoint and annotations are enforced at runtime.',
+                    severity: 'error',
+                });
+            }
+        }
+        // Rule 3: DAST gets 500 error, indicating unhandled server error
+        if (result.reachable && result.serverError && existsInAst) {
+            conflicts.push({
+                conflictId: `conflict:unhandled-error:${endpointId}`,
+                nodeId: endpointId,
+                type: 'unhandled-server-error',
+                stages: ['ast', 'dast'],
+                stageOutputs: { ast: 'endpoint-declared', dast: 'server-error-500' },
+                detail: `DAST received a 500 error from ${result.method} ${result.path}. This may indicate unhandled exceptions.`,
+                suggestedAction: 'Add error handling for this endpoint. Review exception handling middleware and ensure all error paths return appropriate status codes.',
+                severity: 'warning',
+            });
+        }
+        // Rule 4: DAST finds an endpoint not declared in AST
+        if (result.reachable && !existsInAst) {
+            conflicts.push({
+                conflictId: `conflict:undeclared-endpoint:${endpointId}`,
+                nodeId: endpointId,
+                type: 'undeclared-endpoint',
+                stages: ['dast'],
+                stageOutputs: { dast: 'endpoint-reachable' },
+                detail: `DAST discovered ${result.method} ${result.path} which is not declared in any AST-analyzed source file.`,
+                suggestedAction: 'Check if this endpoint is generated dynamically, comes from a third-party library, or is defined in code not included in the analysis scope.',
+                severity: 'info',
+            });
+        }
+    }
+    return conflicts;
+}

package/dist/src/pipeline/stages/dast/dastStage.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * DAST Stage — Stage 5 of the coverage pipeline (optional).
+ *
+ * Reads dast-results.json if present, processes probe results,
+ * emits conflicts, and records endpoint reachability confirmations.
+ *
+ * When this stage is skipped (no DAST data), the pipeline continues
+ * without DAST confirmation (confidence cannot reach 'verified').
+ */
+import type { PipelineStage, PipelineContext } from '../../stageInterface';
+import type { DastOutput } from './types';
+export declare class DastStage implements PipelineStage<DastOutput> {
+    readonly name: "dast";
+    readonly optional = true;
+    execute(context: PipelineContext): Promise<DastOutput>;
+}
+//# sourceMappingURL=dastStage.d.ts.map

package/dist/src/pipeline/stages/dast/dastStage.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dastStage.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/dast/dastStage.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE3E,OAAO,KAAK,EAAE,UAAU,EAAmB,MAAM,SAAS,CAAC;AAG3D,qBAAa,SAAU,YAAW,aAAa,CAAC,UAAU,CAAC;IACzD,QAAQ,CAAC,IAAI,EAAG,MAAM,CAAU;IAChC,QAAQ,CAAC,QAAQ,QAAQ;IAEnB,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;CAkK7D"}

package/dist/src/pipeline/stages/dast/dastStage.js ADDED Viewed

@@ -0,0 +1,203 @@
+"use strict";
+/**
+ * DAST Stage — Stage 5 of the coverage pipeline (optional).
+ *
+ * Reads dast-results.json if present, processes probe results,
+ * emits conflicts, and records endpoint reachability confirmations.
+ *
+ * When this stage is skipped (no DAST data), the pipeline continues
+ * without DAST confirmation (confidence cannot reach 'verified').
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DastStage = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const conflictEmitter_1 = require("./conflictEmitter");
+class DastStage {
+    constructor() {
+        this.name = 'dast';
+        this.optional = true;
+    }
+    async execute(context) {
+        var _a, _b, _c;
+        const startTime = Date.now();
+        const filesScanned = [];
+        const filesSkipped = [];
+        const output = {
+            results: [],
+            confirmedEndpoints: [],
+            unreachableEndpoints: [],
+            conflictsEmitted: 0,
+        };
+        // Determine the DAST results file path
+        const resultsPath = (_a = context.config.dastResultsPath) !== null && _a !== void 0 ? _a : path.join(context.projectRoot, 'dast-results.json');
+        // Try to read the results file
+        if (!fs.existsSync(resultsPath)) {
+            context.diagnostics.set('dast', {
+                stageName: 'dast',
+                filesScanned,
+                filesSkipped: [{ file: resultsPath, reason: 'file-not-found' }],
+                durationMs: Date.now() - startTime,
+                metadata: { skipped: true, reason: 'no-dast-results-file' },
+            });
+            context.stageOutputs.set('dast', output);
+            return output;
+        }
+        filesScanned.push(resultsPath);
+        let resultsFile;
+        try {
+            const content = fs.readFileSync(resultsPath, 'utf-8');
+            resultsFile = JSON.parse(content);
+        }
+        catch (err) {
+            filesSkipped.push({
+                file: resultsPath,
+                reason: `parse-error: ${err instanceof Error ? err.message : String(err)}`,
+            });
+            context.diagnostics.set('dast', {
+                stageName: 'dast',
+                filesScanned,
+                filesSkipped,
+                durationMs: Date.now() - startTime,
+                metadata: { skipped: true, reason: 'parse-error' },
+            });
+            context.stageOutputs.set('dast', output);
+            return output;
+        }
+        if (!resultsFile.results || !Array.isArray(resultsFile.results)) {
+            filesSkipped.push({ file: resultsPath, reason: 'invalid-format: missing results array' });
+            context.diagnostics.set('dast', {
+                stageName: 'dast',
+                filesScanned,
+                filesSkipped,
+                durationMs: Date.now() - startTime,
+                metadata: { skipped: true, reason: 'invalid-format' },
+            });
+            context.stageOutputs.set('dast', output);
+            return output;
+        }
+        output.results = resultsFile.results;
+        // Categorize results
+        for (const result of resultsFile.results) {
+            const endpointPath = (_b = result.normalizedPath) !== null && _b !== void 0 ? _b : result.path;
+            const endpointId = `endpoint:${result.method.toUpperCase()}:${endpointPath}`;
+            if (result.reachable) {
+                if (!output.confirmedEndpoints.includes(endpointId)) {
+                    output.confirmedEndpoints.push(endpointId);
+                }
+            }
+            else {
+                if (!output.unreachableEndpoints.includes(endpointId)) {
+                    output.unreachableEndpoints.push(endpointId);
+                }
+            }
+        }
+        // Add DAST-discovered endpoints that don't exist in the graph (RULE-09: don't override types)
+        for (const result of resultsFile.results) {
+            if (!result.reachable)
+                continue;
+            const endpointPath = (_c = result.normalizedPath) !== null && _c !== void 0 ? _c : result.path;
+            const endpointId = `endpoint:${result.method.toUpperCase()}:${endpointPath}`;
+            if (!context.graph.hasNode(endpointId)) {
+                // New endpoint discovered by DAST — add it as a DAST-sourced node
+                const node = {
+                    id: endpointId,
+                    type: 'endpoint',
+                    label: `${result.method.toUpperCase()} ${endpointPath}`,
+                    sourceStage: 'dast',
+                    metadata: {
+                        method: result.method.toUpperCase(),
+                        path: endpointPath,
+                        statusCode: result.statusCode,
+                        discoveredBy: 'dast',
+                    },
+                };
+                context.graph.addNode(node);
+            }
+        }
+        // Emit conflicts (spec §7)
+        const conflicts = (0, conflictEmitter_1.emitDastConflicts)(resultsFile.results, context.graph);
+        output.conflictsEmitted = conflicts.length;
+        // Add conflict nodes to graph
+        for (const conflict of conflicts) {
+            const conflictNodeId = conflict.conflictId;
+            if (!context.graph.hasNode(conflictNodeId)) {
+                const node = {
+                    id: conflictNodeId,
+                    type: 'conflict',
+                    label: `Conflict: ${conflict.type}`,
+                    sourceStage: 'dast',
+                    metadata: {
+                        conflictType: conflict.type,
+                        stages: conflict.stages,
+                        detail: conflict.detail,
+                        suggestedAction: conflict.suggestedAction,
+                        severity: conflict.severity,
+                    },
+                };
+                context.graph.addNode(node);
+                // Link conflict to the affected endpoint
+                if (context.graph.hasNode(conflict.nodeId)) {
+                    context.graph.addEdge({
+                        id: `${conflictNodeId}->conflicts-with->${conflict.nodeId}`,
+                        type: 'conflicts-with',
+                        sourceNodeId: conflictNodeId,
+                        targetNodeId: conflict.nodeId,
+                        sourceStage: 'dast',
+                        metadata: { conflictType: conflict.type },
+                    });
+                }
+            }
+        }
+        // Record diagnostics
+        const diagnostics = {
+            stageName: 'dast',
+            filesScanned,
+            filesSkipped,
+            durationMs: Date.now() - startTime,
+            metadata: {
+                totalResults: output.results.length,
+                confirmedEndpoints: output.confirmedEndpoints.length,
+                unreachableEndpoints: output.unreachableEndpoints.length,
+                conflictsEmitted: output.conflictsEmitted,
+            },
+        };
+        context.diagnostics.set('dast', diagnostics);
+        context.stageOutputs.set('dast', output);
+        return output;
+    }
+}
+exports.DastStage = DastStage;

package/dist/src/pipeline/stages/dast/types.d.ts ADDED Viewed

@@ -0,0 +1,49 @@
+/**
+ * DAST (Dynamic Application Security Testing) stage types.
+ *
+ * DAST results are produced by an external scanner (e.g. ZAP, Burp)
+ * and consumed by this stage to verify endpoint reachability and
+ * detect security annotation enforcement gaps.
+ */
+/**
+ * A single DAST probe result.
+ */
+export interface DastProbeResult {
+    /** HTTP method probed */
+    method: string;
+    /** URL path probed */
+    path: string;
+    /** Normalized path template */
+    normalizedPath?: string;
+    /** Whether the endpoint was reachable */
+    reachable: boolean;
+    /** HTTP status code returned */
+    statusCode?: number;
+    /** Whether authentication was required */
+    authRequired?: boolean;
+    /** Whether the probe detected an auth bypass */
+    authBypass?: boolean;
+    /** Whether the response indicated server error */
+    serverError?: boolean;
+    /** Additional metadata (e.g. response headers, scan tool info) */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Shape of the dast-results.json file.
+ */
+export interface DastResultsFile {
+    results: DastProbeResult[];
+    generatedAt?: string;
+    scannerVersion?: string;
+    targetUrl?: string;
+}
+/**
+ * Output of the DAST stage.
+ */
+export interface DastOutput {
+    results: DastProbeResult[];
+    confirmedEndpoints: string[];
+    unreachableEndpoints: string[];
+    conflictsEmitted: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/pipeline/stages/dast/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/dast/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,yBAAyB;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,yCAAyC;IACzC,SAAS,EAAE,OAAO,CAAC;IACnB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0CAA0C;IAC1C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,gDAAgD;IAChD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,kDAAkD;IAClD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,eAAe,EAAE,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,eAAe,EAAE,CAAC;IAC3B,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,gBAAgB,EAAE,MAAM,CAAC;CAC1B"}

package/dist/src/pipeline/stages/dast/types.js ADDED Viewed

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * DAST (Dynamic Application Security Testing) stage types.
+ *
+ * DAST results are produced by an external scanner (e.g. ZAP, Burp)
+ * and consumed by this stage to verify endpoint reachability and
+ * detect security annotation enforcement gaps.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/pipeline/stages/iast/iastStage.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * IAST Stage — Stage 4 of the coverage pipeline (optional).
+ *
+ * Reads iast-events.json if present, creates runtime-event nodes in the graph,
+ * and upgrades confidence for confirmed endpoints.
+ *
+ * When this stage is skipped (no IAST data), the pipeline continues
+ * in static-only mode with confidence capped at medium.
+ */
+import type { PipelineStage, PipelineContext } from '../../stageInterface';
+import type { IastOutput } from './types';
+export declare class IastStage implements PipelineStage<IastOutput> {
+    readonly name: "iast";
+    readonly optional = true;
+    execute(context: PipelineContext): Promise<IastOutput>;
+}
+//# sourceMappingURL=iastStage.d.ts.map

package/dist/src/pipeline/stages/iast/iastStage.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"iastStage.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/iast/iastStage.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE3E,OAAO,KAAK,EAAE,UAAU,EAA6B,MAAM,SAAS,CAAC;AAErE,qBAAa,SAAU,YAAW,aAAa,CAAC,UAAU,CAAC;IACzD,QAAQ,CAAC,IAAI,EAAG,MAAM,CAAU;IAChC,QAAQ,CAAC,QAAQ,QAAQ;IAEnB,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;CAsJ7D"}

package/dist/src/pipeline/stages/iast/iastStage.js ADDED Viewed

@@ -0,0 +1,191 @@
+"use strict";
+/**
+ * IAST Stage — Stage 4 of the coverage pipeline (optional).
+ *
+ * Reads iast-events.json if present, creates runtime-event nodes in the graph,
+ * and upgrades confidence for confirmed endpoints.
+ *
+ * When this stage is skipped (no IAST data), the pipeline continues
+ * in static-only mode with confidence capped at medium.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IastStage = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+class IastStage {
+    constructor() {
+        this.name = 'iast';
+        this.optional = true;
+    }
+    async execute(context) {
+        var _a, _b, _c;
+        const startTime = Date.now();
+        const filesScanned = [];
+        const filesSkipped = [];
+        const output = {
+            events: [],
+            confirmedEndpoints: [],
+            runtimeEventNodesCreated: 0,
+        };
+        // Determine the IAST events file path
+        const eventsPath = (_a = context.config.iastEventsPath) !== null && _a !== void 0 ? _a : path.join(context.projectRoot, 'iast-events.json');
+        // Try to read the events file
+        if (!fs.existsSync(eventsPath)) {
+            // No IAST data — stage produces empty output (pipeline continues in static-only mode)
+            context.diagnostics.set('iast', {
+                stageName: 'iast',
+                filesScanned,
+                filesSkipped: [{ file: eventsPath, reason: 'file-not-found' }],
+                durationMs: Date.now() - startTime,
+                metadata: { skipped: true, reason: 'no-iast-events-file' },
+            });
+            context.stageOutputs.set('iast', output);
+            return output;
+        }
+        filesScanned.push(eventsPath);
+        let eventsFile;
+        try {
+            const content = fs.readFileSync(eventsPath, 'utf-8');
+            eventsFile = JSON.parse(content);
+        }
+        catch (err) {
+            filesSkipped.push({
+                file: eventsPath,
+                reason: `parse-error: ${err instanceof Error ? err.message : String(err)}`,
+            });
+            context.diagnostics.set('iast', {
+                stageName: 'iast',
+                filesScanned,
+                filesSkipped,
+                durationMs: Date.now() - startTime,
+                metadata: { skipped: true, reason: 'parse-error' },
+            });
+            context.stageOutputs.set('iast', output);
+            return output;
+        }
+        if (!eventsFile.events || !Array.isArray(eventsFile.events)) {
+            filesSkipped.push({ file: eventsPath, reason: 'invalid-format: missing events array' });
+            context.diagnostics.set('iast', {
+                stageName: 'iast',
+                filesScanned,
+                filesSkipped,
+                durationMs: Date.now() - startTime,
+                metadata: { skipped: true, reason: 'invalid-format' },
+            });
+            context.stageOutputs.set('iast', output);
+            return output;
+        }
+        output.events = eventsFile.events;
+        // Process each event: create runtime-event nodes and link to endpoints
+        for (const event of eventsFile.events) {
+            if (!event.method || !event.path)
+                continue;
+            const endpointPath = (_b = event.normalizedPath) !== null && _b !== void 0 ? _b : event.path;
+            const endpointId = `endpoint:${event.method.toUpperCase()}:${endpointPath}`;
+            const nodeId = `runtime-event:iast:${(_c = event.eventId) !== null && _c !== void 0 ? _c : `${event.method}:${event.path}`}`;
+            // Create runtime-event node
+            if (!context.graph.hasNode(nodeId)) {
+                const node = {
+                    id: nodeId,
+                    type: 'runtime-event',
+                    label: `IAST: ${event.method} ${event.path}`,
+                    sourceStage: 'iast',
+                    filePath: event.handlerFile,
+                    metadata: {
+                        method: event.method,
+                        path: event.path,
+                        normalizedPath: event.normalizedPath,
+                        statusCode: event.statusCode,
+                        testId: event.testId,
+                        timestamp: event.timestamp,
+                    },
+                };
+                context.graph.addNode(node);
+                output.runtimeEventNodesCreated++;
+            }
+            // Link to endpoint node if it exists
+            if (context.graph.hasNode(endpointId)) {
+                const edgeId = `${nodeId}->observed-by->${endpointId}`;
+                if (!context.graph.hasEdge(edgeId)) {
+                    context.graph.addEdge({
+                        id: edgeId,
+                        type: 'observed-by',
+                        sourceNodeId: nodeId,
+                        targetNodeId: endpointId,
+                        sourceStage: 'iast',
+                        metadata: { statusCode: event.statusCode },
+                    });
+                }
+                if (!output.confirmedEndpoints.includes(endpointId)) {
+                    output.confirmedEndpoints.push(endpointId);
+                }
+            }
+            // Link to test file if known
+            if (event.testId) {
+                const testFileId = `file:${event.testId}`;
+                if (context.graph.hasNode(testFileId)) {
+                    const edgeId = `${testFileId}->executes->${nodeId}`;
+                    if (!context.graph.hasEdge(edgeId)) {
+                        context.graph.addEdge({
+                            id: edgeId,
+                            type: 'executes',
+                            sourceNodeId: testFileId,
+                            targetNodeId: nodeId,
+                            sourceStage: 'iast',
+                            metadata: {},
+                        });
+                    }
+                }
+            }
+        }
+        // Record diagnostics
+        const diagnostics = {
+            stageName: 'iast',
+            filesScanned,
+            filesSkipped,
+            durationMs: Date.now() - startTime,
+            metadata: {
+                totalEvents: output.events.length,
+                confirmedEndpoints: output.confirmedEndpoints.length,
+                runtimeEventNodesCreated: output.runtimeEventNodesCreated,
+            },
+        };
+        context.diagnostics.set('iast', diagnostics);
+        context.stageOutputs.set('iast', output);
+        return output;
+    }
+}
+exports.IastStage = IastStage;

package/dist/src/pipeline/stages/iast/types.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * IAST (Interactive Application Security Testing) stage types.
+ *
+ * IAST events are produced by an external runtime agent and consumed
+ * by this stage to confirm code paths observed during test execution.
+ */
+/**
+ * A single IAST event recording a runtime observation.
+ */
+export interface IastEvent {
+    /** Unique event identifier */
+    eventId: string;
+    /** HTTP method observed */
+    method: string;
+    /** URL path observed */
+    path: string;
+    /** Normalized path template (e.g. /users/{id}) */
+    normalizedPath?: string;
+    /** Timestamp of the observation */
+    timestamp?: string;
+    /** Test that triggered this event (if known) */
+    testId?: string;
+    /** Source file of the handler (if known) */
+    handlerFile?: string;
+    /** Handler function name (if known) */
+    handlerFunction?: string;
+    /** HTTP status code observed */
+    statusCode?: number;
+    /** Additional metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Shape of the iast-events.json file.
+ */
+export interface IastEventsFile {
+    events: IastEvent[];
+    generatedAt?: string;
+    agentVersion?: string;
+}
+/**
+ * Output of the IAST stage.
+ */
+export interface IastOutput {
+    events: IastEvent[];
+    confirmedEndpoints: string[];
+    runtimeEventNodesCreated: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/pipeline/stages/iast/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/iast/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,8BAA8B;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,kDAAkD;IAClD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gDAAgD;IAChD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uCAAuC;IACvC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,SAAS,EAAE,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,SAAS,EAAE,CAAC;IACpB,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,wBAAwB,EAAE,MAAM,CAAC;CAClC"}

package/dist/src/pipeline/stages/iast/types.js ADDED Viewed

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * IAST (Interactive Application Security Testing) stage types.
+ *
+ * IAST events are produced by an external runtime agent and consumed
+ * by this stage to confirm code paths observed during test execution.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/pipeline/stages/merge/conflictDetector.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Conflict detector — detects stage disagreements and structural conflicts
+ * in the knowledge graph after all stages have run.
+ *
+ * Detects:
+ * - Runtime-unconfirmed: AST+TIA say covered, but IAST/DAST disagree
+ * - Stage disagreement: Two stages assign different types to the same node
+ */
+import type { ConflictNode } from '../../types';
+import type { CoverageKnowledgeGraph } from '../../graph';
+import type { IastOutput } from '../iast/types';
+import type { DastOutput } from '../dast/types';
+/**
+ * Detect conflicts across all stages.
+ */
+export declare function detectConflicts(graph: CoverageKnowledgeGraph, iastOutput: IastOutput | undefined, dastOutput: DastOutput | undefined): ConflictNode[];
+//# sourceMappingURL=conflictDetector.d.ts.map