api-tests-coverage 1.0.15 → 1.0.16

package/dist/src/languages/javascript/mongooseDetector.js

@@ -0,0 +1,237 @@
+"use strict";
+/**
+ * Mongoose schema/model detector (Feature 27, Sub-PR 6)
+ *
+ * Detects:
+ * 1. mongoose.Schema({...}) — field definitions, validation rules
+ * 2. mongoose.model('Name', schema) — model creation
+ * 3. .methods.* — instance method definitions
+ * 4. .pre()/.post() hooks — lifecycle hooks
+ * 5. .plugin(validator) — plugin registrations
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectMongooseModels = detectMongooseModels;
+exports.detectExpressErrorHandlers = detectExpressErrorHandlers;
+exports.detectExpressAuthMiddleware = detectExpressAuthMiddleware;
+/**
+ * Detect Mongoose model/schema definitions from JS/TS source text.
+ */
+function detectMongooseModels(sourceText, filePath) {
+    var _a, _b, _c, _d;
+    const models = [];
+    const lines = sourceText.split('\n');
+    // Track schema variables and their fields
+    const schemaVars = new Map();
+    // Track methods, hooks, plugins per schema var
+    const schemaMethods = new Map();
+    const schemaHooks = new Map();
+    const schemaPlugins = new Map();
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // new mongoose.Schema({...}) or new Schema({...})
+        const schemaMatch = line.match(/(?:const|let|var)\s+(\w+)\s*=\s*new\s+(?:mongoose\.)?Schema\s*\(/);
+        if (schemaMatch) {
+            const varName = schemaMatch[1];
+            const fields = extractSchemaFields(sourceText, i);
+            schemaVars.set(varName, { fields, line: i + 1 });
+            continue;
+        }
+        // mongoose.model('Name', schema)
+        const modelMatch = line.match(/mongoose\.model\s*\(\s*['"](\w+)['"]\s*,\s*(\w+)/);
+        if (modelMatch) {
+            const modelName = modelMatch[1];
+            const schemaVar = modelMatch[2];
+            const schemaInfo = schemaVars.get(schemaVar);
+            models.push({
+                modelName,
+                schemaVariable: schemaVar,
+                fields: (_a = schemaInfo === null || schemaInfo === void 0 ? void 0 : schemaInfo.fields) !== null && _a !== void 0 ? _a : [],
+                methods: (_b = schemaMethods.get(schemaVar)) !== null && _b !== void 0 ? _b : [],
+                hooks: (_c = schemaHooks.get(schemaVar)) !== null && _c !== void 0 ? _c : [],
+                plugins: (_d = schemaPlugins.get(schemaVar)) !== null && _d !== void 0 ? _d : [],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+            continue;
+        }
+        // schema.methods.methodName = function
+        const methodMatch = line.match(/(\w+)\.methods\.(\w+)\s*=/);
+        if (methodMatch) {
+            const varName = methodMatch[1];
+            if (!schemaMethods.has(varName))
+                schemaMethods.set(varName, []);
+            schemaMethods.get(varName).push(methodMatch[2]);
+            continue;
+        }
+        // schema.pre('save', ...) or schema.post('save', ...)
+        const hookMatch = line.match(/(\w+)\.(pre|post)\s*\(\s*['"](\w+)['"]/);
+        if (hookMatch) {
+            const varName = hookMatch[1];
+            if (!schemaHooks.has(varName))
+                schemaHooks.set(varName, []);
+            schemaHooks.get(varName).push({
+                stage: hookMatch[2],
+                event: hookMatch[3],
+            });
+            continue;
+        }
+        // schema.plugin(uniqueValidator)
+        const pluginMatch = line.match(/(\w+)\.plugin\s*\(\s*(\w+)/);
+        if (pluginMatch) {
+            const varName = pluginMatch[1];
+            if (!schemaPlugins.has(varName))
+                schemaPlugins.set(varName, []);
+            schemaPlugins.get(varName).push(pluginMatch[2]);
+        }
+    }
+    return models;
+}
+/**
+ * Extract field definitions from a schema constructor.
+ * Simple regex extraction — handles the most common patterns.
+ */
+function extractSchemaFields(source, startLine) {
+    var _a;
+    const fields = [];
+    const lines = source.split('\n');
+    // Find the opening brace of the schema definition
+    let braceDepth = 0;
+    let inSchema = false;
+    let schemaBody = '';
+    for (let i = startLine; i < Math.min(startLine + 50, lines.length); i++) {
+        const line = lines[i];
+        for (const ch of line) {
+            if (ch === '(' || ch === '{')
+                braceDepth++;
+            if (ch === ')' || ch === '}')
+                braceDepth--;
+            if (braceDepth >= 2 && !inSchema) {
+                inSchema = true;
+            }
+            if (inSchema)
+                schemaBody += ch;
+            if (inSchema && braceDepth < 2) {
+                inSchema = false;
+                break;
+            }
+        }
+        if (schemaBody && !inSchema)
+            break;
+        if (inSchema)
+            schemaBody += '\n';
+    }
+    // Parse field definitions from the schema body
+    // Pattern: fieldName: { type: Type, required: true, unique: true, enum: [...] }
+    const fieldPattern = /(\w+)\s*:\s*\{([^}]+)\}/g;
+    let match;
+    while ((match = fieldPattern.exec(schemaBody)) !== null) {
+        const name = match[1];
+        const body = match[2];
+        const typeMatch = body.match(/type\s*:\s*(\w+)/);
+        const required = /required\s*:\s*true/.test(body);
+        const unique = /unique\s*:\s*true/.test(body);
+        const enumMatch = body.match(/enum\s*:\s*\[([^\]]+)\]/);
+        const field = {
+            name,
+            type: (_a = typeMatch === null || typeMatch === void 0 ? void 0 : typeMatch[1]) !== null && _a !== void 0 ? _a : 'Mixed',
+        };
+        if (required)
+            field.required = true;
+        if (unique)
+            field.unique = true;
+        if (enumMatch) {
+            field.enumValues = enumMatch[1].split(',').map((s) => s.trim().replace(/['"]/g, '')).filter(Boolean);
+        }
+        fields.push(field);
+    }
+    // Also handle shorthand: fieldName: Type (e.g., fieldName: String)
+    const shorthandPattern = /(\w+)\s*:\s*(String|Number|Boolean|Date|ObjectId|Buffer|Mixed|Map)\b/g;
+    while ((match = shorthandPattern.exec(schemaBody)) !== null) {
+        const name = match[1];
+        // Skip if already captured as an object definition
+        if (!fields.some((f) => f.name === name)) {
+            fields.push({ name, type: match[2] });
+        }
+    }
+    return fields;
+}
+/**
+ * Detect Express 4-argument error handler middleware.
+ * Pattern: function(err, req, res, next) or (err, req, res, next) =>
+ */
+function detectExpressErrorHandlers(sourceText, filePath) {
+    const handlers = [];
+    const lines = sourceText.split('\n');
+    // Pattern: matches 4-argument functions (err, req, res, next)
+    const errorHandlerPattern = /(?:function\s+(\w+))?\s*\(\s*(?:err|error)\s*,\s*req\s*,\s*res\s*,\s*next\s*\)/;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const match = line.match(errorHandlerPattern);
+        if (!match)
+            continue;
+        const functionName = match[1];
+        const errorTypes = [];
+        const statusCodes = [];
+        // Scan ahead for error type checks and status codes
+        for (let j = i; j < Math.min(i + 30, lines.length); j++) {
+            const scanLine = lines[j];
+            // err.name === 'ValidationError'
+            const errorTypeMatch = scanLine.match(/err(?:or)?\.name\s*===?\s*['"](\w+)['"]/);
+            if (errorTypeMatch)
+                errorTypes.push(errorTypeMatch[1]);
+            // res.status(404)
+            const statusMatch = scanLine.match(/res\.status\s*\(\s*(\d{3})\s*\)/);
+            if (statusMatch)
+                statusCodes.push(parseInt(statusMatch[1], 10));
+        }
+        handlers.push({
+            functionName,
+            errorTypes,
+            statusCodes,
+            sourceFile: filePath,
+            line: i + 1,
+        });
+    }
+    return handlers;
+}
+function detectExpressAuthMiddleware(sourceText, filePath) {
+    const middleware = [];
+    const lines = sourceText.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // router.use(auth.required) or app.use(auth.required)
+        const simpleAuth = line.match(/(?:router|app)\.use\s*\(\s*auth\.(required|optional)/);
+        if (simpleAuth) {
+            middleware.push({
+                authType: simpleAuth[1],
+                sourcePattern: simpleAuth[0],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+            continue;
+        }
+        // router.use('/path', auth.required, router)
+        const pathAuth = line.match(/(?:router|app)\.use\s*\(\s*['"]([^'"]+)['"]\s*,\s*auth\.(required|optional)/);
+        if (pathAuth) {
+            middleware.push({
+                authType: pathAuth[2],
+                pathPrefix: pathAuth[1],
+                sourcePattern: pathAuth[0],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+            continue;
+        }
+        // passport.authenticate('jwt', { session: false })
+        const passportAuth = line.match(/passport\.authenticate\s*\(\s*['"](\w+)['"]/);
+        if (passportAuth) {
+            middleware.push({
+                authType: 'required',
+                sourcePattern: passportAuth[0],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+        }
+    }
+    return middleware;
+}

package/dist/src/languages/javascript/vueDetector.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Vue.js/Vuex pattern detector (Feature 27, Sub-PR 8)
+ *
+ * Detects:
+ * 1. axios.defaults.baseURL — global base URL
+ * 2. Vuex actions with API calls (ApiService.get, axios.get, etc.)
+ * 3. this.$store.dispatch('actionName') — component dispatches
+ * 4. ApiService.get('resource') — service-layer API calls
+ */
+export interface VueApiCall {
+    actionName?: string;
+    method: string;
+    urlPattern: string;
+    baseUrl?: string;
+    sourceFile: string;
+    line?: number;
+}
+export interface VuexDispatch {
+    actionName: string;
+    sourceFile: string;
+    line?: number;
+}
+export interface VueBaseUrl {
+    url: string;
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * Detect axios.defaults.baseURL settings.
+ */
+export declare function detectAxiosBaseUrl(sourceText: string, filePath: string): VueBaseUrl | undefined;
+/**
+ * Detect Vuex action definitions with API calls.
+ */
+export declare function detectVuexActions(sourceText: string, filePath: string): VueApiCall[];
+/**
+ * Detect this.$store.dispatch() or store.dispatch() calls.
+ */
+export declare function detectVuexDispatches(sourceText: string, filePath: string): VuexDispatch[];
+//# sourceMappingURL=vueDetector.d.ts.map

package/dist/src/languages/javascript/vueDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vueDetector.d.ts","sourceRoot":"","sources":["../../../../src/languages/javascript/vueDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,CAO/F;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE,CA4CpF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,YAAY,EAAE,CAkBzF"}

package/dist/src/languages/javascript/vueDetector.js

@@ -0,0 +1,87 @@
+"use strict";
+/**
+ * Vue.js/Vuex pattern detector (Feature 27, Sub-PR 8)
+ *
+ * Detects:
+ * 1. axios.defaults.baseURL — global base URL
+ * 2. Vuex actions with API calls (ApiService.get, axios.get, etc.)
+ * 3. this.$store.dispatch('actionName') — component dispatches
+ * 4. ApiService.get('resource') — service-layer API calls
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAxiosBaseUrl = detectAxiosBaseUrl;
+exports.detectVuexActions = detectVuexActions;
+exports.detectVuexDispatches = detectVuexDispatches;
+/**
+ * Detect axios.defaults.baseURL settings.
+ */
+function detectAxiosBaseUrl(sourceText, filePath) {
+    const match = sourceText.match(/axios\.defaults\.baseURL\s*=\s*['"`]([^'"`]+)['"`]/);
+    if (match) {
+        const line = sourceText.substring(0, match.index).split('\n').length;
+        return { url: match[1], sourceFile: filePath, line };
+    }
+    return undefined;
+}
+/**
+ * Detect Vuex action definitions with API calls.
+ */
+function detectVuexActions(sourceText, filePath) {
+    const calls = [];
+    const lines = sourceText.split('\n');
+    let currentAction = '';
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // Vuex action definition: [ACTION_NAME]({ commit }, payload) {
+        // or: actionName({ commit }) {
+        const actionMatch = line.match(/(?:\[(\w+)\]|(\w+))\s*\(\s*\{\s*(?:commit|dispatch|state|getters|rootState)/);
+        if (actionMatch) {
+            currentAction = actionMatch[1] || actionMatch[2] || '';
+            continue;
+        }
+        // ApiService.get/post/put/delete('resource')
+        const apiServiceMatch = line.match(/ApiService\.(get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/i);
+        if (apiServiceMatch) {
+            calls.push({
+                actionName: currentAction || undefined,
+                method: apiServiceMatch[1].toUpperCase(),
+                urlPattern: apiServiceMatch[2],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+            continue;
+        }
+        // axios.get/post/put/delete('url')
+        const axiosMatch = line.match(/axios\.(get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/i);
+        if (axiosMatch) {
+            calls.push({
+                actionName: currentAction || undefined,
+                method: axiosMatch[1].toUpperCase(),
+                urlPattern: axiosMatch[2],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+        }
+    }
+    return calls;
+}
+/**
+ * Detect this.$store.dispatch() or store.dispatch() calls.
+ */
+function detectVuexDispatches(sourceText, filePath) {
+    const dispatches = [];
+    const lines = sourceText.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // this.$store.dispatch('ACTION_NAME') or store.dispatch('actionName')
+        const match = line.match(/(?:this\.\$store|store)\.dispatch\s*\(\s*['"](\w+)['"]/);
+        if (match) {
+            dispatches.push({
+                actionName: match[1],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+        }
+    }
+    return dispatches;
+}

package/dist/src/languages/python/index.d.ts

@@ -2,7 +2,7 @@
  * Python language analyzer using tree-sitter-python.
  */
 import type { LanguageAnalyzer } from '../../ast/languageAnalyzer';
-import type { SupportedLanguage, ParsedSourceFile, SemanticModel, ResolvedHttpInteraction, SemanticAssertion, BusinessRuleRef, FlowRef, AnalysisContext } from '../../ast/astTypes';
+import type { SupportedLanguage, ParsedSourceFile, SemanticModel, ResolvedHttpInteraction, SemanticAssertion, BusinessRuleRef, FlowRef, AnalysisContext, DecoratorInfo, SecurityClassification } from '../../ast/astTypes';
 export declare class PythonAnalyzer implements LanguageAnalyzer {
     readonly language: SupportedLanguage;
     parse(filePath: string, content: string): ParsedSourceFile;
@@ -12,4 +12,8 @@ export declare class PythonAnalyzer implements LanguageAnalyzer {
     extractBusinessRuleRefs(model: SemanticModel): BusinessRuleRef[];
     extractFlowRefs(_model: SemanticModel): FlowRef[];
 }
+/**
+ * Classify JWT/auth security from decorator information.
+ */
+export declare function classifyFlaskSecurity(decorators: DecoratorInfo[]): SecurityClassification | undefined;
 //# sourceMappingURL=index.d.ts.map

package/dist/src/languages/python/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/languages/python/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EAIb,uBAAuB,EACvB,iBAAiB,EACjB,eAAe,EACf,OAAO,EACP,eAAe,EAChB,MAAM,oBAAoB,CAAC;AA8B5B,qBAAa,cAAe,YAAW,gBAAgB;IACrD,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAY;IAEhD,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,gBAAgB;IAc1D,kBAAkB,CAAC,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAAE,eAAe,GAAG,aAAa;IAuBtF,uBAAuB,CAAC,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,eAAe,GAAG,uBAAuB,EAAE;IAwB/F,iBAAiB,CAAC,KAAK,EAAE,aAAa,GAAG,iBAAiB,EAAE;IAG5D,uBAAuB,CAAC,KAAK,EAAE,aAAa,GAAG,eAAe,EAAE;IAGhE,eAAe,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,EAAE;CAGlD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/languages/python/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EAIb,uBAAuB,EACvB,iBAAiB,EACjB,eAAe,EACf,OAAO,EACP,eAAe,EAEf,aAAa,EAEb,sBAAsB,EACvB,MAAM,oBAAoB,CAAC;AAkC5B,qBAAa,cAAe,YAAW,gBAAgB;IACrD,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAY;IAEhD,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,gBAAgB;IAc1D,kBAAkB,CAAC,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAAE,eAAe,GAAG,aAAa;IA6BtF,uBAAuB,CAAC,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,eAAe,GAAG,uBAAuB,EAAE;IAwB/F,iBAAiB,CAAC,KAAK,EAAE,aAAa,GAAG,iBAAiB,EAAE;IAG5D,uBAAuB,CAAC,KAAK,EAAE,aAAa,GAAG,eAAe,EAAE;IAGhE,eAAe,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,EAAE;CAGlD;AA2WD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,aAAa,EAAE,GAAG,sBAAsB,GAAG,SAAS,CAarG"}

package/dist/src/languages/python/index.js

@@ -4,6 +4,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PythonAnalyzer = void 0;
+exports.classifyFlaskSecurity = classifyFlaskSecurity;
 const parserRegistry_1 = require("../../ast/parserRegistry");
 const treeSitterUtils_1 = require("../shared/treeSitterUtils");
 const resolvePaths_1 = require("../../coverage/deep-analysis/resolvePaths");
@@ -52,6 +53,9 @@ class PythonAnalyzer {
         const functions = extractPythonFunctions(root, constants);
         const assertions = extractPythonAssertions(root);
         const businessRuleRefs = extractPythonBusinessRefs(root);
+        // Feature 27: Flask/FastAPI pattern detection
+        const decoratorStacks = extractFlaskDecoratorStacks(root, parsed.filePath);
+        const routeRegistrations = extractFlaskRouteRegistrations(root, parsed.filePath);
         return {
             filePath: parsed.filePath,
             language: 'python',
@@ -63,6 +67,8 @@ class PythonAnalyzer {
             assertions,
             businessRuleRefs,
             flowRefs: [],
+            decoratorStacks,
+            routeRegistrations,
         };
     }
     extractHttpInteractions(model, _ctx) {
@@ -179,10 +185,12 @@ function extractPythonHttpCalls(body, constants, out) {
         if (!funcNode)
             continue;
         const funcText = (_c = funcNode.text) !== null && _c !== void 0 ? _c : '';
-        const match = funcText.match(/(?:requests|httpx|self\.client|client|self\.app|app)\.(get|post|put|patch|delete|head|options)/i);
+        const match = funcText.match(/(?:requests|httpx|self\.client|client|self\.app|app|testapp|self\.testapp)\.(get|post|post_json|put|put_json|patch|patch_json|delete|delete_json|head|options)/i);
         if (!match)
             continue;
         const [, methodName] = match;
+        // Normalize webtest methods: post_json → POST, put_json → PUT, etc.
+        const normalizedMethod = methodName.replace(/_json$/i, '').toUpperCase();
         const argList = (_e = (_d = call.childForFieldName) === null || _d === void 0 ? void 0 : _d.call(call, 'arguments')) !== null && _e !== void 0 ? _e : (0, treeSitterUtils_1.firstChildOfType)(call, 'argument_list');
         if (!argList)
             continue;
@@ -195,7 +203,7 @@ function extractPythonHttpCalls(body, constants, out) {
         // Resolve f-string variables against constants
         const resolvedPath = rawPath.includes('{') ? resolveFString(rawPath, constants) : rawPath;
         out.push({
-            method: methodName.toUpperCase(),
+            method: normalizedMethod,
             rawPathArg: rawPath,
             resolvedPath,
             normalizedPath: resolvedPath.startsWith('/') ? (0, resolvePaths_1.normalizePathToTemplate)(resolvedPath) : undefined,
@@ -290,4 +298,161 @@ function emptyModel(filePath) {
         flowRefs: [],
     };
 }
+// ─── Flask / FastAPI pattern extraction (Feature 27) ─────────────────────────
+/**
+ * Extract decorator stacks for Flask/FastAPI route functions.
+ * Groups decorators by the function they decorate:
+ *   @blueprint.route('/articles', methods=['GET'])
+ *   @use_kwargs({...})
+ *   @marshal_with(ArticleSchema)
+ *   @jwt_required
+ *   def get_articles():
+ *     → DecoratorStack for 'get_articles' with 4 decorators
+ */
+function extractFlaskDecoratorStacks(root, filePath) {
+    var _a, _b, _c, _d, _e, _f, _g;
+    const stacks = [];
+    const fnDefs = (0, treeSitterUtils_1.findNodes)(root, ['function_definition']);
+    for (const fn of fnDefs) {
+        const nameNode = (_b = (_a = fn.childForFieldName) === null || _a === void 0 ? void 0 : _a.call(fn, 'name')) !== null && _b !== void 0 ? _b : (0, treeSitterUtils_1.firstChildOfType)(fn, 'identifier');
+        const funcName = (_c = nameNode === null || nameNode === void 0 ? void 0 : nameNode.text) !== null && _c !== void 0 ? _c : '';
+        if (!funcName)
+            continue;
+        const decorators = [];
+        for (let i = 0; i < ((_d = fn === null || fn === void 0 ? void 0 : fn.childCount) !== null && _d !== void 0 ? _d : 0); i++) {
+            const child = fn.child(i);
+            if ((child === null || child === void 0 ? void 0 : child.type) !== 'decorator')
+                continue;
+            const decText = (_e = child.text) !== null && _e !== void 0 ? _e : '';
+            const dec = parseFlaskDecorator(decText, (_f = child.startPosition) === null || _f === void 0 ? void 0 : _f.row);
+            if (dec)
+                decorators.push(dec);
+        }
+        if (decorators.length > 0) {
+            stacks.push({
+                functionName: funcName,
+                decorators,
+                sourceFile: filePath,
+                line: ((_g = fn.startPosition) === null || _g === void 0 ? void 0 : _g.row) ? fn.startPosition.row + 1 : undefined,
+            });
+        }
+    }
+    return stacks;
+}
+/**
+ * Parse a single Flask/FastAPI decorator into a DecoratorInfo.
+ */
+function parseFlaskDecorator(text, line) {
+    // @blueprint.route('/path', methods=['GET', 'POST'])
+    const routeMatch = text.match(/@(\w+)\.route\s*\(\s*['"]([^'"]+)['"]/);
+    if (routeMatch) {
+        const args = { path: routeMatch[2] };
+        const methodsMatch = text.match(/methods\s*=\s*\[([^\]]+)\]/);
+        if (methodsMatch)
+            args.methods = methodsMatch[1].replace(/['"]/g, '').trim();
+        return { name: 'route', fullText: text, args, line };
+    }
+    // @use_kwargs({...}) or @use_kwargs(SchemaClass)
+    const useKwargsMatch = text.match(/@use_kwargs\s*\((.+)\)/s);
+    if (useKwargsMatch) {
+        return { name: 'use_kwargs', fullText: text, args: { schema: useKwargsMatch[1].trim() }, line };
+    }
+    // @marshal_with(SchemaClass)
+    const marshalMatch = text.match(/@marshal_with\s*\(\s*(\w+)/);
+    if (marshalMatch) {
+        return { name: 'marshal_with', fullText: text, args: { schema: marshalMatch[1] }, line };
+    }
+    // @jwt_required, @jwt_required(), @jwt_required(optional=True), @jwt_optional
+    if (text.includes('@jwt_required') || text.includes('@jwt_optional')) {
+        const isOptional = text.includes('jwt_optional') || text.includes('optional=True') || text.includes('optional = True');
+        return {
+            name: isOptional ? 'jwt_optional' : 'jwt_required',
+            fullText: text,
+            args: { optional: isOptional ? 'true' : 'false' },
+            line,
+        };
+    }
+    // @login_required
+    if (text.includes('@login_required')) {
+        return { name: 'login_required', fullText: text, args: {}, line };
+    }
+    // Generic decorator
+    const genericMatch = text.match(/@(\w[\w.]*)/);
+    if (genericMatch) {
+        return { name: genericMatch[1], fullText: text, line };
+    }
+    return null;
+}
+/**
+ * Extract Flask Blueprint route registrations.
+ * Detects: Blueprint() constructors, register_blueprint() calls,
+ *          @blueprint.route() registrations.
+ */
+function extractFlaskRouteRegistrations(root, filePath) {
+    var _a, _b, _c;
+    const registrations = [];
+    // Use regex on the full source text since tree-sitter node traversal
+    // for call arguments is complex. This is a targeted pattern match.
+    const sourceText = (_a = root.text) !== null && _a !== void 0 ? _a : '';
+    const lines = sourceText.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // Blueprint constructor: bp = Blueprint('name', __name__, url_prefix='/api')
+        const bpMatch = line.match(/(\w+)\s*=\s*Blueprint\s*\(\s*['"](\w+)['"](?:[^)]*?url_prefix\s*=\s*['"]([^'"]+)['"])?\s*\)/);
+        if (bpMatch) {
+            registrations.push({
+                registrarName: bpMatch[1],
+                path: (_b = bpMatch[3]) !== null && _b !== void 0 ? _b : '',
+                sourceFile: filePath,
+                line: i + 1,
+            });
+            continue;
+        }
+        // register_blueprint(bp, url_prefix='/api/articles')
+        const regMatch = line.match(/register_blueprint\s*\(\s*(\w+)(?:\s*,\s*url_prefix\s*=\s*['"]([^'"]+)['"])?\s*\)/);
+        if (regMatch) {
+            registrations.push({
+                registrarName: regMatch[1],
+                path: (_c = regMatch[2]) !== null && _c !== void 0 ? _c : '',
+                targetModule: regMatch[1],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+            continue;
+        }
+        // @blueprint.route('/path', methods=[...])
+        const routeMatch = line.match(/@(\w+)\.route\s*\(\s*['"]([^'"]+)['"]/);
+        if (routeMatch) {
+            const methodsMatch = line.match(/methods\s*=\s*\[([^\]]+)\]/);
+            const methods = methodsMatch
+                ? methodsMatch[1].replace(/['"]/g, '').split(',').map((m) => m.trim().toUpperCase())
+                : ['GET'];
+            registrations.push({
+                registrarName: routeMatch[1],
+                path: routeMatch[2],
+                methods,
+                sourceFile: filePath,
+                line: i + 1,
+            });
+        }
+    }
+    return registrations;
+}
+/**
+ * Classify JWT/auth security from decorator information.
+ */
+function classifyFlaskSecurity(decorators) {
+    for (const dec of decorators) {
+        if (dec.name === 'jwt_required') {
+            return { type: 'jwt', required: true, optional: false, sourcePattern: '@jwt_required' };
+        }
+        if (dec.name === 'jwt_optional') {
+            return { type: 'jwt', required: false, optional: true, sourcePattern: '@jwt_optional' };
+        }
+        if (dec.name === 'login_required') {
+            return { type: 'session', required: true, optional: false, sourcePattern: '@login_required' };
+        }
+    }
+    return undefined;
+}
 (0, parserRegistry_1.registerAnalyzer)('python', () => new PythonAnalyzer());

package/dist/src/languages/python/testPatternDetector.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Python test pattern detector (Feature 27, Sub-PR 4)
+ *
+ * Detects:
+ * 1. Factory Boy factories (factory.Factory subclasses, SubFactory, Meta.model)
+ * 2. webtest API calls (TestApp, testapp.get/post_json/put_json/delete)
+ * 3. pytest fixture chains (@pytest.fixture, fixture dependencies)
+ */
+import type { SemanticHttpCall } from '../../ast/astTypes';
+export interface FactoryBoyFactory {
+    /** The factory class name (e.g. 'ArticleFactory') */
+    className: string;
+    /** The model the factory creates (from Meta.model) */
+    modelName?: string;
+    /** SubFactory references */
+    subFactories: string[];
+    /** RelatedFactoryList references */
+    relatedFactoryLists: string[];
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * Detect Factory Boy factory classes from source text.
+ * Looks for `class XFactory(factory.Factory):` and parses Meta.model, SubFactory, RelatedFactoryList.
+ */
+export declare function detectFactoryBoyFactories(sourceText: string, filePath: string): FactoryBoyFactory[];
+export interface WebtestApiCall {
+    method: string;
+    path: string;
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * Detect webtest HTTP calls from source text.
+ * Looks for `testapp.get('/path')`, `testapp.post_json('/path', {...})`, etc.
+ */
+export declare function detectWebtestCalls(sourceText: string, filePath: string): WebtestApiCall[];
+/**
+ * Convert webtest API calls into SemanticHttpCall objects.
+ */
+export declare function webtestCallsToHttpCalls(calls: WebtestApiCall[]): SemanticHttpCall[];
+export interface PytestFixture {
+    /** Name of the fixture function */
+    name: string;
+    /** Scope: 'function' (default), 'class', 'module', 'session' */
+    scope: string;
+    /** Parameter names that are dependencies on other fixtures */
+    dependencies: string[];
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * Detect @pytest.fixture functions and their parameter dependencies.
+ */
+export declare function detectPytestFixtures(sourceText: string, filePath: string): PytestFixture[];
+/**
+ * Detect if a file creates a webtest TestApp instance.
+ * Looks for `TestApp(app)` or `TestApp(...)`.
+ */
+export declare function hasWebtestTestApp(sourceText: string): boolean;
+/**
+ * Check if a file uses real DB fixtures (not mocked).
+ * Looks for pytest fixtures that reference db, database, session, engine, etc.
+ */
+export declare function hasRealDbFixtures(sourceText: string): boolean;
+/**
+ * Check if a file uses Factory Boy factories.
+ */
+export declare function usesFactoryBoy(sourceText: string): boolean;
+//# sourceMappingURL=testPatternDetector.d.ts.map