api-tests-coverage 1.0.13 → 1.0.14

package/dist/src/pipeline/stages/merge/conflictDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"conflictDetector.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/conflictDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA2B,MAAM,aAAa,CAAC;AACzE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD;;GAEG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,sBAAsB,EAC7B,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,GACjC,YAAY,EAAE,CA0ChB"}

package/dist/src/pipeline/stages/merge/conflictDetector.js

@@ -0,0 +1,60 @@
+"use strict";
+/**
+ * Conflict detector — detects stage disagreements and structural conflicts
+ * in the knowledge graph after all stages have run.
+ *
+ * Detects:
+ * - Runtime-unconfirmed: AST+TIA say covered, but IAST/DAST disagree
+ * - Stage disagreement: Two stages assign different types to the same node
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectConflicts = detectConflicts;
+/**
+ * Detect conflicts across all stages.
+ */
+function detectConflicts(graph, iastOutput, dastOutput) {
+    var _a, _b, _c, _d, _e;
+    const conflicts = [];
+    // 1. Runtime-unconfirmed: endpoints that AST found but neither IAST nor DAST confirmed
+    const endpointNodes = graph.getNodesByType('endpoint');
+    const iastConfirmed = new Set((_a = iastOutput === null || iastOutput === void 0 ? void 0 : iastOutput.confirmedEndpoints) !== null && _a !== void 0 ? _a : []);
+    const dastConfirmed = new Set((_b = dastOutput === null || dastOutput === void 0 ? void 0 : dastOutput.confirmedEndpoints) !== null && _b !== void 0 ? _b : []);
+    const dastUnreachable = new Set((_c = dastOutput === null || dastOutput === void 0 ? void 0 : dastOutput.unreachableEndpoints) !== null && _c !== void 0 ? _c : []);
+    const hasRuntimeData = ((_d = iastOutput === null || iastOutput === void 0 ? void 0 : iastOutput.events.length) !== null && _d !== void 0 ? _d : 0) > 0 || ((_e = dastOutput === null || dastOutput === void 0 ? void 0 : dastOutput.results.length) !== null && _e !== void 0 ? _e : 0) > 0;
+    if (hasRuntimeData) {
+        for (const node of endpointNodes) {
+            // Only check endpoints from static stages (AST/TIA)
+            if (node.sourceStage !== 'ast' && node.sourceStage !== 'sca')
+                continue;
+            const confirmed = iastConfirmed.has(node.id) || dastConfirmed.has(node.id);
+            const unreachable = dastUnreachable.has(node.id);
+            if (!confirmed && !unreachable) {
+                conflicts.push({
+                    conflictId: `conflict:runtime-unconfirmed:${node.id}`,
+                    nodeId: node.id,
+                    type: 'runtime-unconfirmed',
+                    stages: getRuntimeStages(iastOutput, dastOutput),
+                    stageOutputs: {
+                        ast: 'endpoint-declared',
+                        iast: iastConfirmed.has(node.id) ? 'confirmed' : 'not-observed',
+                        dast: dastConfirmed.has(node.id) ? 'confirmed' : 'not-probed',
+                    },
+                    detail: `${node.label} was found by static analysis but not confirmed by any runtime stage.`,
+                    suggestedAction: 'Check if the endpoint is covered by integration/e2e tests that produce IAST events or DAST probes.',
+                    severity: 'info',
+                });
+            }
+        }
+    }
+    // 2. Stage disagreement: same node ID added by multiple stages with different types
+    // (This is handled by the graph merge(), which already returns ConflictNode[])
+    return conflicts;
+}
+function getRuntimeStages(iastOutput, dastOutput) {
+    const stages = ['ast'];
+    if (iastOutput && iastOutput.events.length > 0)
+        stages.push('iast');
+    if (dastOutput && dastOutput.results.length > 0)
+        stages.push('dast');
+    return stages;
+}

package/dist/src/pipeline/stages/merge/coverageMappingBuilder.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Coverage mapping builder — constructs `CoverageMapping` entries for every
+ * endpoint in the graph by walking its connected test files, assertions,
+ * mock boundaries, and runtime confirmations.
+ */
+import type { CoverageMapping } from '../../types';
+import type { CoverageKnowledgeGraph } from '../../graph';
+import type { TiaOutput } from '../tia/types';
+import type { IastOutput } from '../iast/types';
+import type { DastOutput } from '../dast/types';
+/**
+ * Build coverage mappings for all endpoint-type nodes in the graph.
+ */
+export declare function buildCoverageMappings(graph: CoverageKnowledgeGraph, tiaOutput: TiaOutput | undefined, iastOutput: IastOutput | undefined, dastOutput: DastOutput | undefined, isStaticOnlyMode: boolean): CoverageMapping[];
+//# sourceMappingURL=coverageMappingBuilder.d.ts.map

package/dist/src/pipeline/stages/merge/coverageMappingBuilder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"coverageMappingBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/coverageMappingBuilder.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,eAAe,EAMhB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAIhD;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,sBAAsB,EAC7B,SAAS,EAAE,SAAS,GAAG,SAAS,EAChC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,gBAAgB,EAAE,OAAO,GACxB,eAAe,EAAE,CAuJnB"}

package/dist/src/pipeline/stages/merge/coverageMappingBuilder.js

@@ -0,0 +1,141 @@
+"use strict";
+/**
+ * Coverage mapping builder — constructs `CoverageMapping` entries for every
+ * endpoint in the graph by walking its connected test files, assertions,
+ * mock boundaries, and runtime confirmations.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildCoverageMappings = buildCoverageMappings;
+const confidence_1 = require("../../confidence");
+const mergeRules_1 = require("./mergeRules");
+/**
+ * Build coverage mappings for all endpoint-type nodes in the graph.
+ */
+function buildCoverageMappings(graph, tiaOutput, iastOutput, dastOutput, isStaticOnlyMode) {
+    var _a, _b, _c, _d, _e, _f, _g, _h;
+    const mappings = [];
+    const endpointNodes = graph.getNodesByType('endpoint');
+    const iastConfirmed = new Set((_a = iastOutput === null || iastOutput === void 0 ? void 0 : iastOutput.confirmedEndpoints) !== null && _a !== void 0 ? _a : []);
+    const dastConfirmed = new Set((_b = dastOutput === null || dastOutput === void 0 ? void 0 : dastOutput.confirmedEndpoints) !== null && _b !== void 0 ? _b : []);
+    const dastUnreachable = new Set((_c = dastOutput === null || dastOutput === void 0 ? void 0 : dastOutput.unreachableEndpoints) !== null && _c !== void 0 ? _c : []);
+    // Build a lookup: endpointId → test classifications
+    const testLayerLookup = new Map();
+    if (tiaOutput) {
+        for (const classification of tiaOutput.classifications) {
+            testLayerLookup.set(classification.filePath, classification.layer);
+        }
+    }
+    // Build a lookup: endpointId → mock boundary test files
+    const mockBoundaryLookup = new Map();
+    if (tiaOutput) {
+        for (const boundary of tiaOutput.mockBoundaries) {
+            if (!mockBoundaryLookup.has(boundary.testFilePath)) {
+                mockBoundaryLookup.set(boundary.testFilePath, new Set());
+            }
+            mockBoundaryLookup.get(boundary.testFilePath).add(boundary.mockedTarget);
+        }
+    }
+    for (const endpoint of endpointNodes) {
+        // Find linked tests (incoming 'tests' and 'asserts' edges)
+        const incomingEdges = graph.getEdgesTo(endpoint.id);
+        const testEdges = incomingEdges.filter((e) => e.type === 'tests' || e.type === 'asserts');
+        const linkedTests = [];
+        const sourceStages = new Set([endpoint.sourceStage]);
+        let assertionConfirmed = false;
+        let assertionSource = 'unresolved';
+        let hasMockBoundary = false;
+        let bestTestLayer;
+        let urlResolution = 'literal';
+        let traversalDepth = 0;
+        for (const edge of testEdges) {
+            // Extract file path from source node ID (format: file:/path/to/test.ts)
+            const testFilePath = edge.sourceNodeId.replace(/^file:/, '');
+            if (!linkedTests.includes(testFilePath)) {
+                linkedTests.push(testFilePath);
+            }
+            sourceStages.add(edge.sourceStage);
+            // Check if this test has assertions
+            if (edge.type === 'asserts') {
+                assertionConfirmed = true;
+                assertionSource = 'direct';
+            }
+            // Check test layer
+            const layer = testLayerLookup.get(testFilePath);
+            if (layer) {
+                bestTestLayer = layer;
+            }
+            // Check for mock boundaries on this test file
+            if (mockBoundaryLookup.has(testFilePath)) {
+                hasMockBoundary = true;
+            }
+        }
+        // Check for assertion nodes linked to this file
+        if (!assertionConfirmed) {
+            for (const testFile of linkedTests) {
+                const assertionNodeId = `assertion:${testFile}`;
+                if (graph.hasNode(assertionNodeId)) {
+                    const assertionNode = graph.getNode(assertionNodeId);
+                    if (assertionNode) {
+                        assertionConfirmed = true;
+                        assertionSource = (_e = (_d = assertionNode.metadata) === null || _d === void 0 ? void 0 : _d.assertionSource) !== null && _e !== void 0 ? _e : 'direct';
+                        traversalDepth = (_g = (_f = assertionNode.metadata) === null || _f === void 0 ? void 0 : _f.traversalDepth) !== null && _g !== void 0 ? _g : 0;
+                    }
+                }
+            }
+        }
+        // Determine URL resolution type from endpoint metadata
+        const resolutionType = (_h = endpoint.metadata) === null || _h === void 0 ? void 0 : _h.resolutionType;
+        if (resolutionType === 'heuristic' || resolutionType === 'string-template' || resolutionType === 'interpolated-path') {
+            urlResolution = 'symbolic';
+        }
+        else if (resolutionType === 'direct' || resolutionType === 'constant' || resolutionType === 'enum') {
+            urlResolution = 'literal';
+        }
+        else if (!resolutionType) {
+            urlResolution = 'unresolved';
+        }
+        // Check mock boundaries on path
+        const pathNodeIds = [endpoint.id, ...linkedTests.map((t) => `file:${t}`)];
+        const mockBoundaryOnPath = hasMockBoundary;
+        // Build confidence evidence
+        const evidence = (0, confidence_1.buildConfidenceEvidence)(graph, pathNodeIds, isStaticOnlyMode);
+        // Compute confidence
+        const confidence = (0, confidence_1.computeConfidence)(evidence);
+        // Determine coverage class
+        const coverageClass = linkedTests.length > 0
+            ? (0, mergeRules_1.determineCoverageClass)(bestTestLayer, mockBoundaryOnPath)
+            : 'uncovered';
+        // Check DAST reachability
+        const dastReachable = dastConfirmed.has(endpoint.id)
+            ? true
+            : dastUnreachable.has(endpoint.id)
+                ? false
+                : 'not-probed';
+        // Check runtime confirmation
+        const runtimeConfirmed = iastConfirmed.has(endpoint.id) || dastConfirmed.has(endpoint.id);
+        // Collect conflict IDs linked to this endpoint
+        const conflictEdges = graph.getEdgesTo(endpoint.id).filter((e) => e.type === 'conflicts-with');
+        const conflicts = conflictEdges.map((e) => e.sourceNodeId);
+        mappings.push({
+            itemId: endpoint.id,
+            itemType: 'endpoint',
+            linkedTests,
+            sourceStages: Array.from(sourceStages),
+            confidence,
+            coverageClass,
+            mockBoundaries: mockBoundaryOnPath
+                ? linkedTests
+                    .filter((t) => mockBoundaryLookup.has(t))
+                    .flatMap((t) => Array.from(mockBoundaryLookup.get(t)))
+                : [],
+            assertionSource,
+            assertionConfirmed,
+            dastReachable,
+            runtimeConfirmed,
+            urlResolution,
+            conflicts,
+            traversalDepth,
+        });
+    }
+    return mappings;
+}

package/dist/src/pipeline/stages/merge/mergeRules.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Merge rules — defines how graph nodes and edges from different stages
+ * are reconciled during the final merge stage.
+ *
+ * Core principle (RULE-09): A later stage may raise a node's confidence
+ * or enrich its test evidence, but MUST NOT demote it.
+ */
+import type { PipelineConfidence, CoverageClass, TestLayer, StageName } from '../../types';
+/**
+ * RULE-09: Confidence can only be raised, never demoted.
+ *
+ * Returns the higher of two confidence levels.
+ */
+export declare function mergeConfidence(existing: PipelineConfidence, incoming: PipelineConfidence): PipelineConfidence;
+/**
+ * Merge test evidence arrays (de-duplicate).
+ */
+export declare function mergeTestEvidence(existing: string[], incoming: string[]): string[];
+/**
+ * Merge source stages (de-duplicate).
+ */
+export declare function mergeSourceStages(existing: StageName[], incoming: StageName[]): StageName[];
+/**
+ * Determine coverage class from test layer and mock boundary presence.
+ *
+ * RULE-03: If a mock boundary exists on the path, the coverage class
+ * is 'mock-covered' regardless of the test layer.
+ */
+export declare function determineCoverageClass(testLayer: TestLayer | undefined, hasMockBoundary: boolean): CoverageClass;
+/**
+ * Rank coverage classes for comparison (higher is better).
+ */
+export declare function coverageClassRank(cls: CoverageClass): number;
+/**
+ * Merge two coverage classes — keep the highest rank.
+ * RULE-09: Never demote coverage class.
+ */
+export declare function mergeCoverageClass(existing: CoverageClass, incoming: CoverageClass): CoverageClass;
+//# sourceMappingURL=mergeRules.d.ts.map

package/dist/src/pipeline/stages/merge/mergeRules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mergeRules.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/mergeRules.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE3F;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,kBAAkB,EAC5B,QAAQ,EAAE,kBAAkB,GAC3B,kBAAkB,CAKpB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAIlF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,SAAS,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,SAAS,EAAE,CAI3F;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,SAAS,GAAG,SAAS,EAChC,eAAe,EAAE,OAAO,GACvB,aAAa,CAef;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAW5D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,aAAa,GAAG,aAAa,CAElG"}

package/dist/src/pipeline/stages/merge/mergeRules.js

@@ -0,0 +1,90 @@
+"use strict";
+/**
+ * Merge rules — defines how graph nodes and edges from different stages
+ * are reconciled during the final merge stage.
+ *
+ * Core principle (RULE-09): A later stage may raise a node's confidence
+ * or enrich its test evidence, but MUST NOT demote it.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mergeConfidence = mergeConfidence;
+exports.mergeTestEvidence = mergeTestEvidence;
+exports.mergeSourceStages = mergeSourceStages;
+exports.determineCoverageClass = determineCoverageClass;
+exports.coverageClassRank = coverageClassRank;
+exports.mergeCoverageClass = mergeCoverageClass;
+/**
+ * RULE-09: Confidence can only be raised, never demoted.
+ *
+ * Returns the higher of two confidence levels.
+ */
+function mergeConfidence(existing, incoming) {
+    const order = ['low', 'medium', 'high', 'verified'];
+    const existingIdx = order.indexOf(existing);
+    const incomingIdx = order.indexOf(incoming);
+    return existingIdx >= incomingIdx ? existing : incoming;
+}
+/**
+ * Merge test evidence arrays (de-duplicate).
+ */
+function mergeTestEvidence(existing, incoming) {
+    const set = new Set(existing);
+    for (const item of incoming)
+        set.add(item);
+    return Array.from(set);
+}
+/**
+ * Merge source stages (de-duplicate).
+ */
+function mergeSourceStages(existing, incoming) {
+    const set = new Set(existing);
+    for (const item of incoming)
+        set.add(item);
+    return Array.from(set);
+}
+/**
+ * Determine coverage class from test layer and mock boundary presence.
+ *
+ * RULE-03: If a mock boundary exists on the path, the coverage class
+ * is 'mock-covered' regardless of the test layer.
+ */
+function determineCoverageClass(testLayer, hasMockBoundary) {
+    var _a;
+    if (hasMockBoundary)
+        return 'mock-covered';
+    if (!testLayer)
+        return 'uncovered';
+    const layerToCoverageClass = {
+        unit: 'unit-covered',
+        component: 'component-covered',
+        integration: 'integration-covered',
+        api: 'api-covered',
+        e2e: 'e2e-covered',
+        performance: 'api-covered', // Performance tests are API-level coverage
+        security: 'api-covered', // Security tests are API-level coverage
+    };
+    return (_a = layerToCoverageClass[testLayer]) !== null && _a !== void 0 ? _a : 'uncovered';
+}
+/**
+ * Rank coverage classes for comparison (higher is better).
+ */
+function coverageClassRank(cls) {
+    var _a;
+    const ranks = {
+        uncovered: 0,
+        'mock-covered': 1,
+        'unit-covered': 2,
+        'component-covered': 3,
+        'integration-covered': 4,
+        'api-covered': 5,
+        'e2e-covered': 6,
+    };
+    return (_a = ranks[cls]) !== null && _a !== void 0 ? _a : 0;
+}
+/**
+ * Merge two coverage classes — keep the highest rank.
+ * RULE-09: Never demote coverage class.
+ */
+function mergeCoverageClass(existing, incoming) {
+    return coverageClassRank(existing) >= coverageClassRank(incoming) ? existing : incoming;
+}

package/dist/src/pipeline/stages/merge/mergeStage.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Merge Stage — Stage 6 (final) of the coverage pipeline.
+ *
+ * Responsibilities:
+ * 1. Run conflict detection across all stage outputs
+ * 2. Build coverage mappings for every endpoint
+ * 3. Compute the final pipeline summary
+ * 4. Produce the `PipelineOutput` with graph, sections, diagnostics, summary
+ */
+import type { PipelineStage, PipelineContext } from '../../stageInterface';
+import type { PipelineOutput } from '../../types';
+/**
+ * Output of the merge stage is the full `PipelineOutput`.
+ */
+export declare class MergeStage implements PipelineStage<PipelineOutput> {
+    readonly name: "merge";
+    readonly optional = false;
+    execute(context: PipelineContext): Promise<PipelineOutput>;
+}
+//# sourceMappingURL=mergeStage.d.ts.map

package/dist/src/pipeline/stages/merge/mergeStage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mergeStage.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/mergeStage.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC3E,OAAO,KAAK,EAEV,cAAc,EAMf,MAAM,aAAa,CAAC;AAQrB;;GAEG;AACH,qBAAa,UAAW,YAAW,aAAa,CAAC,cAAc,CAAC;IAC9D,QAAQ,CAAC,IAAI,EAAG,OAAO,CAAU;IACjC,QAAQ,CAAC,QAAQ,SAAS;IAEpB,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CAmGjE"}

package/dist/src/pipeline/stages/merge/mergeStage.js

@@ -0,0 +1,145 @@
+"use strict";
+/**
+ * Merge Stage — Stage 6 (final) of the coverage pipeline.
+ *
+ * Responsibilities:
+ * 1. Run conflict detection across all stage outputs
+ * 2. Build coverage mappings for every endpoint
+ * 3. Compute the final pipeline summary
+ * 4. Produce the `PipelineOutput` with graph, sections, diagnostics, summary
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MergeStage = void 0;
+const conflictDetector_1 = require("./conflictDetector");
+const coverageMappingBuilder_1 = require("./coverageMappingBuilder");
+const summaryComputer_1 = require("./summaryComputer");
+/**
+ * Output of the merge stage is the full `PipelineOutput`.
+ */
+class MergeStage {
+    constructor() {
+        this.name = 'merge';
+        this.optional = false;
+    }
+    async execute(context) {
+        var _a, _b;
+        const startTime = Date.now();
+        // Retrieve upstream stage outputs
+        const tiaOutput = context.stageOutputs.get('tia');
+        const iastOutput = context.stageOutputs.get('iast');
+        const dastOutput = context.stageOutputs.get('dast');
+        // Determine if we're in static-only mode (no IAST/DAST data)
+        const isStaticOnlyMode = ((_a = iastOutput === null || iastOutput === void 0 ? void 0 : iastOutput.events.length) !== null && _a !== void 0 ? _a : 0) === 0 && ((_b = dastOutput === null || dastOutput === void 0 ? void 0 : dastOutput.results.length) !== null && _b !== void 0 ? _b : 0) === 0;
+        // 1. Detect conflicts
+        const conflicts = (0, conflictDetector_1.detectConflicts)(context.graph, iastOutput, dastOutput);
+        // Add conflict nodes to graph
+        for (const conflict of conflicts) {
+            if (!context.graph.hasNode(conflict.conflictId)) {
+                const node = {
+                    id: conflict.conflictId,
+                    type: 'conflict',
+                    label: `Conflict: ${conflict.type}`,
+                    sourceStage: 'merge',
+                    metadata: {
+                        conflictType: conflict.type,
+                        stages: conflict.stages,
+                        detail: conflict.detail,
+                        suggestedAction: conflict.suggestedAction,
+                        severity: conflict.severity,
+                    },
+                };
+                context.graph.addNode(node);
+                // Link to affected node
+                if (context.graph.hasNode(conflict.nodeId)) {
+                    context.graph.addEdge({
+                        id: `${conflict.conflictId}->conflicts-with->${conflict.nodeId}`,
+                        type: 'conflicts-with',
+                        sourceNodeId: conflict.conflictId,
+                        targetNodeId: conflict.nodeId,
+                        sourceStage: 'merge',
+                        metadata: {},
+                    });
+                }
+            }
+        }
+        // 2. Build coverage mappings
+        const allMappings = (0, coverageMappingBuilder_1.buildCoverageMappings)(context.graph, tiaOutput, iastOutput, dastOutput, isStaticOnlyMode);
+        // 3. Organize into sections
+        const sections = organizeSections(allMappings, context.graph);
+        // 4. Compute summary
+        const summary = (0, summaryComputer_1.computeSummary)(allMappings, tiaOutput);
+        // 5. Serialize graph
+        const graphSerialized = context.graph.toSerializable();
+        // 6. Collect diagnostics
+        const diagnosticsRecord = {};
+        for (const [stageName, diag] of context.diagnostics) {
+            diagnosticsRecord[stageName] = diag;
+        }
+        // Add merge diagnostics
+        const mergeDiagnostics = {
+            stageName: 'merge',
+            filesScanned: [],
+            filesSkipped: [],
+            durationMs: Date.now() - startTime,
+            metadata: {
+                totalMappings: allMappings.length,
+                conflictsDetected: conflicts.length,
+                isStaticOnlyMode,
+                graphNodeCount: graphSerialized.nodes.length,
+                graphEdgeCount: graphSerialized.edges.length,
+            },
+        };
+        context.diagnostics.set('merge', mergeDiagnostics);
+        diagnosticsRecord['merge'] = mergeDiagnostics;
+        // 7. Build final output
+        const output = {
+            graph: graphSerialized,
+            sections,
+            diagnostics: diagnosticsRecord,
+            summary,
+        };
+        context.stageOutputs.set('merge', output);
+        return output;
+    }
+}
+exports.MergeStage = MergeStage;
+/**
+ * Organize coverage mappings into the 6 output sections.
+ */
+function organizeSections(mappings, graph) {
+    const endpoints = [];
+    const parameters = [];
+    const integrationFlows = [];
+    const security = [];
+    const errorHandling = [];
+    const performance = [];
+    for (const mapping of mappings) {
+        switch (mapping.itemType) {
+            case 'endpoint':
+                endpoints.push(mapping);
+                break;
+            case 'service':
+                integrationFlows.push(mapping);
+                break;
+            case 'error-branch':
+                errorHandling.push(mapping);
+                break;
+            case 'security-path':
+                security.push(mapping);
+                break;
+            case 'validation-rule':
+                parameters.push(mapping);
+                break;
+            default:
+                endpoints.push(mapping);
+        }
+    }
+    return {
+        endpoints,
+        parameters,
+        integrationFlows,
+        security,
+        errorHandling,
+        performance,
+    };
+}

package/dist/src/pipeline/stages/merge/summaryComputer.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Summary computer — computes the `PipelineSummary` from the final
+ * set of coverage mappings.
+ */
+import type { PipelineSummary, CoverageMapping } from '../../types';
+import type { TiaOutput } from '../tia/types';
+/**
+ * Compute the pipeline summary from coverage mappings.
+ */
+export declare function computeSummary(mappings: CoverageMapping[], tiaOutput: TiaOutput | undefined): PipelineSummary;
+//# sourceMappingURL=summaryComputer.d.ts.map

package/dist/src/pipeline/stages/merge/summaryComputer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"summaryComputer.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/summaryComputer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAa,MAAM,aAAa,CAAC;AAC/E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9C;;GAEG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,eAAe,EAAE,EAC3B,SAAS,EAAE,SAAS,GAAG,SAAS,GAC/B,eAAe,CAwCjB"}

package/dist/src/pipeline/stages/merge/summaryComputer.js

@@ -0,0 +1,46 @@
+"use strict";
+/**
+ * Summary computer — computes the `PipelineSummary` from the final
+ * set of coverage mappings.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeSummary = computeSummary;
+/**
+ * Compute the pipeline summary from coverage mappings.
+ */
+function computeSummary(mappings, tiaOutput) {
+    var _a;
+    const endpointMappings = mappings.filter((m) => m.itemType === 'endpoint');
+    const totalEndpoints = endpointMappings.length;
+    const coveredEndpoints = endpointMappings.filter((m) => m.coverageClass !== 'uncovered').length;
+    const verifiedEndpoints = endpointMappings.filter((m) => m.confidence === 'verified').length;
+    const uncoveredEndpoints = endpointMappings.filter((m) => m.coverageClass === 'uncovered').length;
+    const mockLimitedPaths = endpointMappings.filter((m) => m.coverageClass === 'mock-covered').length;
+    const unresolvedAbstractions = endpointMappings.filter((m) => m.assertionSource === 'unresolved' && m.linkedTests.length > 0).length;
+    const conflictCount = endpointMappings.reduce((sum, m) => sum + m.conflicts.length, 0);
+    // Coverage by layer from TIA classifications
+    const coverageByLayer = {
+        unit: 0,
+        component: 0,
+        integration: 0,
+        api: 0,
+        e2e: 0,
+        performance: 0,
+        security: 0,
+    };
+    if (tiaOutput) {
+        for (const classification of tiaOutput.classifications) {
+            coverageByLayer[classification.layer] = ((_a = coverageByLayer[classification.layer]) !== null && _a !== void 0 ? _a : 0) + 1;
+        }
+    }
+    return {
+        totalEndpoints,
+        coveredEndpoints,
+        verifiedEndpoints,
+        uncoveredEndpoints,
+        mockLimitedPaths,
+        unresolvedAbstractions,
+        conflictCount,
+        coverageByLayer,
+    };
+}

package/dist/src/pipeline/stages/sca/ciDetector.d.ts

@@ -0,0 +1,15 @@
+/**
+ * CI platform detection.
+ *
+ * Detects the CI platform from project structure by checking
+ * for well-known CI configuration files.
+ */
+import type { CiPlatform } from './types';
+/**
+ * Detect the CI platform from project structure.
+ *
+ * Returns the first matching platform, or 'none' if no CI configuration is found.
+ * Checks directories with `fs.existsSync` which handles both files and directories.
+ */
+export declare function detectCiPlatform(projectRoot: string): CiPlatform;
+//# sourceMappingURL=ciDetector.d.ts.map

package/dist/src/pipeline/stages/sca/ciDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ciDetector.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/sca/ciDetector.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAmC1C;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,UAAU,CAUhE"}