api-tests-coverage 1.0.15 → 1.0.17

package/dist/src/languages/python/index.js

@@ -4,9 +4,11 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PythonAnalyzer = void 0;
+exports.classifyFlaskSecurity = classifyFlaskSecurity;
 const parserRegistry_1 = require("../../ast/parserRegistry");
 const treeSitterUtils_1 = require("../shared/treeSitterUtils");
 const resolvePaths_1 = require("../../coverage/deep-analysis/resolvePaths");
+const testPatternDetector_1 = require("./testPatternDetector");
 // ─── Parser ───────────────────────────────────────────────────────────────────
 let cachedParser = undefined;
 let parserLoaded = false;
@@ -44,7 +46,7 @@ class PythonAnalyzer {
         }
     }
     buildSemanticModel(parsed, _context) {
-        var _a, _b;
+        var _a, _b, _c, _d;
         const root = (_b = (_a = parsed.ast) === null || _a === void 0 ? void 0 : _a.rootNode) !== null && _b !== void 0 ? _b : parsed.ast;
         if (!root)
             return emptyModel(parsed.filePath);
@@ -52,6 +54,23 @@ class PythonAnalyzer {
         const functions = extractPythonFunctions(root, constants);
         const assertions = extractPythonAssertions(root);
         const businessRuleRefs = extractPythonBusinessRefs(root);
+        // Feature 27: Flask/FastAPI pattern detection
+        const decoratorStacks = extractFlaskDecoratorStacks(root, parsed.filePath);
+        const routeRegistrations = extractFlaskRouteRegistrations(root, parsed.filePath);
+        // Feature 27: webtest API call detection
+        const sourceText = (_d = (_c = root.text) !== null && _c !== void 0 ? _c : parsed.content) !== null && _d !== void 0 ? _d : '';
+        const webtestCalls = (0, testPatternDetector_1.detectWebtestCalls)(sourceText, parsed.filePath);
+        if (webtestCalls.length > 0) {
+            const httpCalls = (0, testPatternDetector_1.webtestCallsToHttpCalls)(webtestCalls);
+            // Merge webtest HTTP calls into the functions map under a synthetic entry
+            const webtestFunc = {
+                name: '__webtest_calls__',
+                parameters: [],
+                bodyHttpCalls: httpCalls,
+                calledFunctions: [],
+            };
+            functions.set('__webtest_calls__', webtestFunc);
+        }
         return {
             filePath: parsed.filePath,
             language: 'python',
@@ -63,6 +82,8 @@ class PythonAnalyzer {
             assertions,
             businessRuleRefs,
             flowRefs: [],
+            decoratorStacks,
+            routeRegistrations,
         };
     }
     extractHttpInteractions(model, _ctx) {
@@ -97,8 +118,23 @@ class PythonAnalyzer {
     extractBusinessRuleRefs(model) {
         return model.businessRuleRefs;
     }
-    extractFlowRefs(_model) {
-        return [];
+    extractFlowRefs(model) {
+        // Feature 27: Resolve pytest fixture chains
+        const refs = [...model.flowRefs];
+        // Use function parameter names to discover fixture dependencies
+        // In pytest, function parameters that aren't built-in fixtures are fixture references
+        const builtinFixtures = new Set([
+            'request', 'tmp_path', 'tmpdir', 'capsys', 'capfd', 'monkeypatch',
+            'pytestconfig', 'recwarn', 'caplog', 'cache', 'self',
+        ]);
+        for (const [funcName, func] of model.functions) {
+            for (const param of func.parameters) {
+                if (param && !builtinFixtures.has(param)) {
+                    refs.push({ flowId: `fixture:${param}`, source: 'tag' });
+                }
+            }
+        }
+        return refs;
     }
 }
 exports.PythonAnalyzer = PythonAnalyzer;
@@ -179,10 +215,12 @@ function extractPythonHttpCalls(body, constants, out) {
         if (!funcNode)
             continue;
         const funcText = (_c = funcNode.text) !== null && _c !== void 0 ? _c : '';
-        const match = funcText.match(/(?:requests|httpx|self\.client|client|self\.app|app)\.(get|post|put|patch|delete|head|options)/i);
+        const match = funcText.match(/(?:requests|httpx|self\.client|client|self\.app|app|testapp|self\.testapp)\.(get|post|post_json|put|put_json|patch|patch_json|delete|delete_json|head|options)/i);
         if (!match)
             continue;
         const [, methodName] = match;
+        // Normalize webtest methods: post_json → POST, put_json → PUT, etc.
+        const normalizedMethod = methodName.replace(/_json$/i, '').toUpperCase();
         const argList = (_e = (_d = call.childForFieldName) === null || _d === void 0 ? void 0 : _d.call(call, 'arguments')) !== null && _e !== void 0 ? _e : (0, treeSitterUtils_1.firstChildOfType)(call, 'argument_list');
         if (!argList)
             continue;
@@ -195,7 +233,7 @@ function extractPythonHttpCalls(body, constants, out) {
         // Resolve f-string variables against constants
         const resolvedPath = rawPath.includes('{') ? resolveFString(rawPath, constants) : rawPath;
         out.push({
-            method: methodName.toUpperCase(),
+            method: normalizedMethod,
             rawPathArg: rawPath,
             resolvedPath,
             normalizedPath: resolvedPath.startsWith('/') ? (0, resolvePaths_1.normalizePathToTemplate)(resolvedPath) : undefined,
@@ -290,4 +328,161 @@ function emptyModel(filePath) {
         flowRefs: [],
     };
 }
+// ─── Flask / FastAPI pattern extraction (Feature 27) ─────────────────────────
+/**
+ * Extract decorator stacks for Flask/FastAPI route functions.
+ * Groups decorators by the function they decorate:
+ *   @blueprint.route('/articles', methods=['GET'])
+ *   @use_kwargs({...})
+ *   @marshal_with(ArticleSchema)
+ *   @jwt_required
+ *   def get_articles():
+ *     → DecoratorStack for 'get_articles' with 4 decorators
+ */
+function extractFlaskDecoratorStacks(root, filePath) {
+    var _a, _b, _c, _d, _e, _f, _g;
+    const stacks = [];
+    const fnDefs = (0, treeSitterUtils_1.findNodes)(root, ['function_definition']);
+    for (const fn of fnDefs) {
+        const nameNode = (_b = (_a = fn.childForFieldName) === null || _a === void 0 ? void 0 : _a.call(fn, 'name')) !== null && _b !== void 0 ? _b : (0, treeSitterUtils_1.firstChildOfType)(fn, 'identifier');
+        const funcName = (_c = nameNode === null || nameNode === void 0 ? void 0 : nameNode.text) !== null && _c !== void 0 ? _c : '';
+        if (!funcName)
+            continue;
+        const decorators = [];
+        for (let i = 0; i < ((_d = fn === null || fn === void 0 ? void 0 : fn.childCount) !== null && _d !== void 0 ? _d : 0); i++) {
+            const child = fn.child(i);
+            if ((child === null || child === void 0 ? void 0 : child.type) !== 'decorator')
+                continue;
+            const decText = (_e = child.text) !== null && _e !== void 0 ? _e : '';
+            const dec = parseFlaskDecorator(decText, (_f = child.startPosition) === null || _f === void 0 ? void 0 : _f.row);
+            if (dec)
+                decorators.push(dec);
+        }
+        if (decorators.length > 0) {
+            stacks.push({
+                functionName: funcName,
+                decorators,
+                sourceFile: filePath,
+                line: ((_g = fn.startPosition) === null || _g === void 0 ? void 0 : _g.row) ? fn.startPosition.row + 1 : undefined,
+            });
+        }
+    }
+    return stacks;
+}
+/**
+ * Parse a single Flask/FastAPI decorator into a DecoratorInfo.
+ */
+function parseFlaskDecorator(text, line) {
+    // @blueprint.route('/path', methods=['GET', 'POST'])
+    const routeMatch = text.match(/@(\w+)\.route\s*\(\s*['"]([^'"]+)['"]/);
+    if (routeMatch) {
+        const args = { path: routeMatch[2] };
+        const methodsMatch = text.match(/methods\s*=\s*\[([^\]]+)\]/);
+        if (methodsMatch)
+            args.methods = methodsMatch[1].replace(/['"]/g, '').trim();
+        return { name: 'route', fullText: text, args, line };
+    }
+    // @use_kwargs({...}) or @use_kwargs(SchemaClass)
+    const useKwargsMatch = text.match(/@use_kwargs\s*\((.+)\)/s);
+    if (useKwargsMatch) {
+        return { name: 'use_kwargs', fullText: text, args: { schema: useKwargsMatch[1].trim() }, line };
+    }
+    // @marshal_with(SchemaClass)
+    const marshalMatch = text.match(/@marshal_with\s*\(\s*(\w+)/);
+    if (marshalMatch) {
+        return { name: 'marshal_with', fullText: text, args: { schema: marshalMatch[1] }, line };
+    }
+    // @jwt_required, @jwt_required(), @jwt_required(optional=True), @jwt_optional
+    if (text.includes('@jwt_required') || text.includes('@jwt_optional')) {
+        const isOptional = text.includes('jwt_optional') || text.includes('optional=True') || text.includes('optional = True');
+        return {
+            name: isOptional ? 'jwt_optional' : 'jwt_required',
+            fullText: text,
+            args: { optional: isOptional ? 'true' : 'false' },
+            line,
+        };
+    }
+    // @login_required
+    if (text.includes('@login_required')) {
+        return { name: 'login_required', fullText: text, args: {}, line };
+    }
+    // Generic decorator
+    const genericMatch = text.match(/@(\w[\w.]*)/);
+    if (genericMatch) {
+        return { name: genericMatch[1], fullText: text, line };
+    }
+    return null;
+}
+/**
+ * Extract Flask Blueprint route registrations.
+ * Detects: Blueprint() constructors, register_blueprint() calls,
+ *          @blueprint.route() registrations.
+ */
+function extractFlaskRouteRegistrations(root, filePath) {
+    var _a, _b, _c;
+    const registrations = [];
+    // Use regex on the full source text since tree-sitter node traversal
+    // for call arguments is complex. This is a targeted pattern match.
+    const sourceText = (_a = root.text) !== null && _a !== void 0 ? _a : '';
+    const lines = sourceText.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // Blueprint constructor: bp = Blueprint('name', __name__, url_prefix='/api')
+        const bpMatch = line.match(/(\w+)\s*=\s*Blueprint\s*\(\s*['"](\w+)['"](?:[^)]*?url_prefix\s*=\s*['"]([^'"]+)['"])?\s*\)/);
+        if (bpMatch) {
+            registrations.push({
+                registrarName: bpMatch[1],
+                path: (_b = bpMatch[3]) !== null && _b !== void 0 ? _b : '',
+                sourceFile: filePath,
+                line: i + 1,
+            });
+            continue;
+        }
+        // register_blueprint(bp, url_prefix='/api/articles')
+        const regMatch = line.match(/register_blueprint\s*\(\s*(\w+)(?:\s*,\s*url_prefix\s*=\s*['"]([^'"]+)['"])?\s*\)/);
+        if (regMatch) {
+            registrations.push({
+                registrarName: regMatch[1],
+                path: (_c = regMatch[2]) !== null && _c !== void 0 ? _c : '',
+                targetModule: regMatch[1],
+                sourceFile: filePath,
+                line: i + 1,
+            });
+            continue;
+        }
+        // @blueprint.route('/path', methods=[...])
+        const routeMatch = line.match(/@(\w+)\.route\s*\(\s*['"]([^'"]+)['"]/);
+        if (routeMatch) {
+            const methodsMatch = line.match(/methods\s*=\s*\[([^\]]+)\]/);
+            const methods = methodsMatch
+                ? methodsMatch[1].replace(/['"]/g, '').split(',').map((m) => m.trim().toUpperCase())
+                : ['GET'];
+            registrations.push({
+                registrarName: routeMatch[1],
+                path: routeMatch[2],
+                methods,
+                sourceFile: filePath,
+                line: i + 1,
+            });
+        }
+    }
+    return registrations;
+}
+/**
+ * Classify JWT/auth security from decorator information.
+ */
+function classifyFlaskSecurity(decorators) {
+    for (const dec of decorators) {
+        if (dec.name === 'jwt_required') {
+            return { type: 'jwt', required: true, optional: false, sourcePattern: '@jwt_required' };
+        }
+        if (dec.name === 'jwt_optional') {
+            return { type: 'jwt', required: false, optional: true, sourcePattern: '@jwt_optional' };
+        }
+        if (dec.name === 'login_required') {
+            return { type: 'session', required: true, optional: false, sourcePattern: '@login_required' };
+        }
+    }
+    return undefined;
+}
 (0, parserRegistry_1.registerAnalyzer)('python', () => new PythonAnalyzer());

package/dist/src/languages/python/testPatternDetector.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Python test pattern detector (Feature 27, Sub-PR 4)
+ *
+ * Detects:
+ * 1. Factory Boy factories (factory.Factory subclasses, SubFactory, Meta.model)
+ * 2. webtest API calls (TestApp, testapp.get/post_json/put_json/delete)
+ * 3. pytest fixture chains (@pytest.fixture, fixture dependencies)
+ */
+import type { SemanticHttpCall } from '../../ast/astTypes';
+export interface FactoryBoyFactory {
+    /** The factory class name (e.g. 'ArticleFactory') */
+    className: string;
+    /** The model the factory creates (from Meta.model) */
+    modelName?: string;
+    /** SubFactory references */
+    subFactories: string[];
+    /** RelatedFactoryList references */
+    relatedFactoryLists: string[];
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * Detect Factory Boy factory classes from source text.
+ * Looks for `class XFactory(factory.Factory):` and parses Meta.model, SubFactory, RelatedFactoryList.
+ */
+export declare function detectFactoryBoyFactories(sourceText: string, filePath: string): FactoryBoyFactory[];
+export interface WebtestApiCall {
+    method: string;
+    path: string;
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * Detect webtest HTTP calls from source text.
+ * Looks for `testapp.get('/path')`, `testapp.post_json('/path', {...})`, etc.
+ */
+export declare function detectWebtestCalls(sourceText: string, filePath: string): WebtestApiCall[];
+/**
+ * Convert webtest API calls into SemanticHttpCall objects.
+ */
+export declare function webtestCallsToHttpCalls(calls: WebtestApiCall[]): SemanticHttpCall[];
+export interface PytestFixture {
+    /** Name of the fixture function */
+    name: string;
+    /** Scope: 'function' (default), 'class', 'module', 'session' */
+    scope: string;
+    /** Parameter names that are dependencies on other fixtures */
+    dependencies: string[];
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * Detect @pytest.fixture functions and their parameter dependencies.
+ */
+export declare function detectPytestFixtures(sourceText: string, filePath: string): PytestFixture[];
+/**
+ * Detect if a file creates a webtest TestApp instance.
+ * Looks for `TestApp(app)` or `TestApp(...)`.
+ */
+export declare function hasWebtestTestApp(sourceText: string): boolean;
+/**
+ * Check if a file uses real DB fixtures (not mocked).
+ * Looks for pytest fixtures that reference db, database, session, engine, etc.
+ */
+export declare function hasRealDbFixtures(sourceText: string): boolean;
+/**
+ * Check if a file uses Factory Boy factories.
+ */
+export declare function usesFactoryBoy(sourceText: string): boolean;
+//# sourceMappingURL=testPatternDetector.d.ts.map

package/dist/src/languages/python/testPatternDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testPatternDetector.d.ts","sourceRoot":"","sources":["../../../../src/languages/python/testPatternDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAmB,MAAM,oBAAoB,CAAC;AAK5E,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,sDAAsD;IACtD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4BAA4B;IAC5B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,oCAAoC;IACpC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,iBAAiB,EAAE,CAiEnG;AAID,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAiBD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,EAAE,CA6BzF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,cAAc,EAAE,GAAG,gBAAgB,EAAE,CAUnF;AAID,MAAM,WAAW,aAAa;IAC5B,mCAAmC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE,CAyC1F;AAID;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAO7D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAE1D"}

package/dist/src/languages/python/testPatternDetector.js

@@ -0,0 +1,201 @@
+"use strict";
+/**
+ * Python test pattern detector (Feature 27, Sub-PR 4)
+ *
+ * Detects:
+ * 1. Factory Boy factories (factory.Factory subclasses, SubFactory, Meta.model)
+ * 2. webtest API calls (TestApp, testapp.get/post_json/put_json/delete)
+ * 3. pytest fixture chains (@pytest.fixture, fixture dependencies)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectFactoryBoyFactories = detectFactoryBoyFactories;
+exports.detectWebtestCalls = detectWebtestCalls;
+exports.webtestCallsToHttpCalls = webtestCallsToHttpCalls;
+exports.detectPytestFixtures = detectPytestFixtures;
+exports.hasWebtestTestApp = hasWebtestTestApp;
+exports.hasRealDbFixtures = hasRealDbFixtures;
+exports.usesFactoryBoy = usesFactoryBoy;
+/**
+ * Detect Factory Boy factory classes from source text.
+ * Looks for `class XFactory(factory.Factory):` and parses Meta.model, SubFactory, RelatedFactoryList.
+ */
+function detectFactoryBoyFactories(sourceText, filePath) {
+    const factories = [];
+    const lines = sourceText.split('\n');
+    // Regex for class definition inheriting from factory.Factory or factory.DjangoModelFactory etc.
+    const classPattern = /^class\s+(\w+)\s*\(\s*(?:factory\.(?:Factory|DjangoModelFactory|SQLAlchemyModelFactory|MongoEngineFactory)|Factory)\s*\)/;
+    const metaModelPattern = /model\s*=\s*(\w+)/;
+    const subFactoryPattern = /=\s*(?:factory\.)?SubFactory\s*\(\s*['"]?(\w+)/g;
+    const relatedFactoryPattern = /=\s*(?:factory\.)?RelatedFactoryList\s*\(\s*['"]?(\w+)/g;
+    let currentFactory = null;
+    let classIndent = -1;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const indent = line.search(/\S/);
+        // If we're inside a factory class, check for end of class
+        if (currentFactory && indent >= 0 && indent <= classIndent && line.trim().length > 0) {
+            factories.push(currentFactory);
+            currentFactory = null;
+            classIndent = -1;
+        }
+        const classMatch = line.match(classPattern);
+        if (classMatch) {
+            if (currentFactory)
+                factories.push(currentFactory);
+            currentFactory = {
+                className: classMatch[1],
+                subFactories: [],
+                relatedFactoryLists: [],
+                sourceFile: filePath,
+                line: i + 1,
+            };
+            classIndent = indent;
+            continue;
+        }
+        if (currentFactory) {
+            // Meta.model
+            const metaMatch = line.match(metaModelPattern);
+            if (metaMatch) {
+                currentFactory.modelName = metaMatch[1];
+            }
+            // SubFactory
+            let sfMatch;
+            subFactoryPattern.lastIndex = 0;
+            while ((sfMatch = subFactoryPattern.exec(line)) !== null) {
+                currentFactory.subFactories.push(sfMatch[1]);
+            }
+            // RelatedFactoryList
+            let rfMatch;
+            relatedFactoryPattern.lastIndex = 0;
+            while ((rfMatch = relatedFactoryPattern.exec(line)) !== null) {
+                currentFactory.relatedFactoryLists.push(rfMatch[1]);
+            }
+        }
+    }
+    // Push last factory if still open
+    if (currentFactory)
+        factories.push(currentFactory);
+    return factories;
+}
+/** Map webtest methods to HTTP methods */
+const WEBTEST_METHOD_MAP = {
+    get: 'GET',
+    post: 'POST',
+    post_json: 'POST',
+    put: 'PUT',
+    put_json: 'PUT',
+    patch: 'PATCH',
+    patch_json: 'PATCH',
+    delete: 'DELETE',
+    delete_json: 'DELETE',
+    head: 'HEAD',
+    options: 'OPTIONS',
+};
+/**
+ * Detect webtest HTTP calls from source text.
+ * Looks for `testapp.get('/path')`, `testapp.post_json('/path', {...})`, etc.
+ */
+function detectWebtestCalls(sourceText, filePath) {
+    const calls = [];
+    const lines = sourceText.split('\n');
+    // Pattern: any_var.METHOD('/path'...) where METHOD is a webtest HTTP method
+    const webtestMethods = Object.keys(WEBTEST_METHOD_MAP).join('|');
+    const callPattern = new RegExp(`\\w+\\.(${webtestMethods})\\s*\\(\\s*['"]([^'"]+)['"]`, 'g');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        callPattern.lastIndex = 0;
+        let match;
+        while ((match = callPattern.exec(line)) !== null) {
+            const method = WEBTEST_METHOD_MAP[match[1]];
+            if (method) {
+                calls.push({
+                    method,
+                    path: match[2],
+                    sourceFile: filePath,
+                    line: i + 1,
+                });
+            }
+        }
+    }
+    return calls;
+}
+/**
+ * Convert webtest API calls into SemanticHttpCall objects.
+ */
+function webtestCallsToHttpCalls(calls) {
+    return calls.map((call) => ({
+        method: call.method,
+        rawPathArg: call.path,
+        resolvedPath: call.path,
+        normalizedPath: call.path.startsWith('/') ? call.path : undefined,
+        resolutionType: 'direct',
+        confidence: 'high',
+        line: call.line,
+    }));
+}
+/**
+ * Detect @pytest.fixture functions and their parameter dependencies.
+ */
+function detectPytestFixtures(sourceText, filePath) {
+    const fixtures = [];
+    const lines = sourceText.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // @pytest.fixture or @pytest.fixture(scope='...')
+        const fixtureMatch = line.match(/@pytest\.fixture(?:\s*\(([^)]*)\))?/);
+        if (!fixtureMatch)
+            continue;
+        // Parse scope from decorator args
+        let scope = 'function';
+        if (fixtureMatch[1]) {
+            const scopeMatch = fixtureMatch[1].match(/scope\s*=\s*['"](\w+)['"]/);
+            if (scopeMatch)
+                scope = scopeMatch[1];
+        }
+        // Find the next def line (typically the line right after the decorator)
+        for (let j = i + 1; j < Math.min(i + 5, lines.length); j++) {
+            const defMatch = lines[j].match(/def\s+(\w+)\s*\(([^)]*)\)/);
+            if (defMatch) {
+                const name = defMatch[1];
+                const params = defMatch[2]
+                    .split(',')
+                    .map((p) => p.trim().split(':')[0].split('=')[0].trim())
+                    .filter((p) => p.length > 0 && p !== 'request');
+                fixtures.push({
+                    name,
+                    scope,
+                    dependencies: params,
+                    sourceFile: filePath,
+                    line: j + 1,
+                });
+                break;
+            }
+        }
+    }
+    return fixtures;
+}
+// ─── TestApp Detection ──────────────────────────────────────────────────────
+/**
+ * Detect if a file creates a webtest TestApp instance.
+ * Looks for `TestApp(app)` or `TestApp(...)`.
+ */
+function hasWebtestTestApp(sourceText) {
+    return /TestApp\s*\(/.test(sourceText);
+}
+/**
+ * Check if a file uses real DB fixtures (not mocked).
+ * Looks for pytest fixtures that reference db, database, session, engine, etc.
+ */
+function hasRealDbFixtures(sourceText) {
+    // Check for DB fixture names in function parameters
+    const dbFixturePattern = /def\s+\w+\s*\([^)]*\b(db|database|dbsession|db_session|engine|session|connection)\b/;
+    // Also check for common DB setup patterns
+    const dbSetupPattern = /(?:create_all|Base\.metadata|sessionmaker|create_engine|init_db|setup_database)/;
+    return dbFixturePattern.test(sourceText) || dbSetupPattern.test(sourceText);
+}
+/**
+ * Check if a file uses Factory Boy factories.
+ */
+function usesFactoryBoy(sourceText) {
+    return /(?:import\s+factory|from\s+factory\s+import|factory\.Factory|factory\.SubFactory)/.test(sourceText);
+}

package/dist/src/pipeline/confidence.d.ts

@@ -65,6 +65,11 @@ export declare function hasPartialResolution(graph: CoverageKnowledgeGraph, path
 /**
  * Build a ConfidenceEvidence object from a coverage path in the graph.
  * Inspects the nodes and their source stages to determine what evidence exists.
+ *
+ * Optional `iastConfirmed` and `dastConfirmed` flags allow the caller to
+ * inject runtime confirmation state that may not be discoverable by walking
+ * `pathNodeIds` alone (e.g. when IAST/DAST nodes are not directly on the
+ * endpoint→test path in the graph).
  */
-export declare function buildConfidenceEvidence(graph: CoverageKnowledgeGraph, pathNodeIds: string[], isStaticOnlyMode: boolean): ConfidenceEvidence;
+export declare function buildConfidenceEvidence(graph: CoverageKnowledgeGraph, pathNodeIds: string[], isStaticOnlyMode: boolean, iastConfirmed?: boolean, dastConfirmed?: boolean): ConfidenceEvidence;
 //# sourceMappingURL=confidence.d.ts.map

package/dist/src/pipeline/confidence.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"confidence.d.ts","sourceRoot":"","sources":["../../../src/pipeline/confidence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAa,MAAM,SAAS,CAAC;AACjF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAC;AAYtD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,kBAAkB,CAwBtF;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,kBAAkB,EAC7B,QAAQ,EAAE,kBAAkB,GAC3B,kBAAkB,CAoBpB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,kBAAkB,CAGlF;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,kBAAkB,GAC3B,kBAAkB,CAIpB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,CAAC,EAAE,kBAAkB,EACrB,CAAC,EAAE,kBAAkB,GACpB,MAAM,CAER;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,kBAAkB,EAAE,GAAG,kBAAkB,CAS9E;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,sBAAsB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAMT;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,sBAAsB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAMT;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,sBAAsB,EAC7B,WAAW,EAAE,MAAM,EAAE,EACrB,gBAAgB,EAAE,OAAO,GACxB,kBAAkB,CA6CpB"}
+{"version":3,"file":"confidence.d.ts","sourceRoot":"","sources":["../../../src/pipeline/confidence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAa,MAAM,SAAS,CAAC;AACjF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAC;AAYtD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,kBAAkB,CAwBtF;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,kBAAkB,EAC7B,QAAQ,EAAE,kBAAkB,GAC3B,kBAAkB,CAoBpB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,kBAAkB,CAGlF;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,kBAAkB,GAC3B,kBAAkB,CAIpB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,CAAC,EAAE,kBAAkB,EACrB,CAAC,EAAE,kBAAkB,GACpB,MAAM,CAER;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,kBAAkB,EAAE,GAAG,kBAAkB,CAS9E;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,sBAAsB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAMT;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,sBAAsB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAMT;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,sBAAsB,EAC7B,WAAW,EAAE,MAAM,EAAE,EACrB,gBAAgB,EAAE,OAAO,EACzB,aAAa,CAAC,EAAE,OAAO,EACvB,aAAa,CAAC,EAAE,OAAO,GACtB,kBAAkB,CA6CpB"}

package/dist/src/pipeline/confidence.js

@@ -151,8 +151,13 @@ function hasPartialResolution(graph, pathNodeIds) {
 /**
  * Build a ConfidenceEvidence object from a coverage path in the graph.
  * Inspects the nodes and their source stages to determine what evidence exists.
+ *
+ * Optional `iastConfirmed` and `dastConfirmed` flags allow the caller to
+ * inject runtime confirmation state that may not be discoverable by walking
+ * `pathNodeIds` alone (e.g. when IAST/DAST nodes are not directly on the
+ * endpoint→test path in the graph).
  */
-function buildConfidenceEvidence(graph, pathNodeIds, isStaticOnlyMode) {
+function buildConfidenceEvidence(graph, pathNodeIds, isStaticOnlyMode, iastConfirmed, dastConfirmed) {
     var _a, _b;
     const sourceStages = new Set();
     let hasIastConfirmation = false;
@@ -187,8 +192,8 @@ function buildConfidenceEvidence(graph, pathNodeIds, isStaticOnlyMode) {
     }
     return {
         sourceStages: Array.from(sourceStages),
-        hasIastConfirmation,
-        hasDastConfirmation,
+        hasIastConfirmation: hasIastConfirmation || (iastConfirmed !== null && iastConfirmed !== void 0 ? iastConfirmed : false),
+        hasDastConfirmation: hasDastConfirmation || (dastConfirmed !== null && dastConfirmed !== void 0 ? dastConfirmed : false),
         hasAssertionConfirmation,
         hasMockBoundary,
         hasPartialResolution: hasPartial,

package/dist/src/pipeline/graph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../../src/pipeline/graph.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,SAAS,EACT,aAAa,EACb,aAAa,EACb,YAAY,EACZ,SAAS,EACV,MAAM,SAAS,CAAC;AAEjB,qBAAa,sBAAsB;IACjC,OAAO,CAAC,KAAK,CAAqC;IAClD,OAAO,CAAC,KAAK,CAAqC;IAIlD,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI1C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI5B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI/B,cAAc,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,EAAE;IAIhD,eAAe,CAAC,KAAK,EAAE,SAAS,GAAG,SAAS,EAAE;IAI9C,WAAW,IAAI,SAAS,EAAE;IAI1B,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI1C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI5B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI/B,mDAAmD;IACnD,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE;IAIzC,8CAA8C;IAC9C,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE;IAIvC,sEAAsE;IACtE,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE;IAQ9D,wCAAwC;IACxC,cAAc,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,EAAE;IAIhD,WAAW,IAAI,SAAS,EAAE;IAI1B,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID;;;OAGG;IACH,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,aAAa,EAAE,GAAG,SAAS,EAAE;IA4B5E;;;OAGG;IACH,iBAAiB,CACf,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,aAAa,GACtB,OAAO;IAiCV;;;OAGG;IACH,KAAK,CAAC,KAAK,EAAE,sBAAsB,GAAG,YAAY,EAAE;IAwCpD,cAAc,IAAI;QAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE;IAO5D,MAAM,CAAC,gBAAgB,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE,GAAG,sBAAsB;IAajG,KAAK,IAAI,IAAI;CAId"}
+{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../../src/pipeline/graph.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,SAAS,EACT,aAAa,EACb,aAAa,EACb,YAAY,EACZ,SAAS,EACV,MAAM,SAAS,CAAC;AAEjB,qBAAa,sBAAsB;IACjC,OAAO,CAAC,KAAK,CAAqC;IAClD,OAAO,CAAC,KAAK,CAAqC;IAIlD,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI1C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI5B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAa/B,cAAc,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,EAAE;IAIhD,eAAe,CAAC,KAAK,EAAE,SAAS,GAAG,SAAS,EAAE;IAI9C,WAAW,IAAI,SAAS,EAAE;IAI1B,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI1C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI5B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI/B,mDAAmD;IACnD,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE;IAIzC,8CAA8C;IAC9C,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE;IAIvC,sEAAsE;IACtE,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE;IAQ9D,wCAAwC;IACxC,cAAc,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,EAAE;IAIhD,WAAW,IAAI,SAAS,EAAE;IAI1B,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID;;;OAGG;IACH,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,aAAa,EAAE,GAAG,SAAS,EAAE;IA4B5E;;;OAGG;IACH,iBAAiB,CACf,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,aAAa,GACtB,OAAO;IAmCV;;;OAGG;IACH,KAAK,CAAC,KAAK,EAAE,sBAAsB,GAAG,YAAY,EAAE;IAwCpD,cAAc,IAAI;QAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE;IAO5D,MAAM,CAAC,gBAAgB,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE,GAAG,sBAAsB;IAajG,KAAK,IAAI,IAAI;CAId"}

package/dist/src/pipeline/graph.js

@@ -23,7 +23,16 @@ class CoverageKnowledgeGraph {
         return this.nodes.has(id);
     }
     removeNode(id) {
-        return this.nodes.delete(id);
+        const deleted = this.nodes.delete(id);
+        if (deleted) {
+            // Remove all edges that reference this node to avoid dangling edges
+            for (const [edgeId, edge] of this.edges) {
+                if (edge.sourceNodeId === id || edge.targetNodeId === id) {
+                    this.edges.delete(edgeId);
+                }
+            }
+        }
+        return deleted;
     }
     getNodesByType(type) {
         return Array.from(this.nodes.values()).filter((n) => n.type === type);
@@ -112,9 +121,11 @@ class CoverageKnowledgeGraph {
         while (queue.length > 0) {
             const path = queue.shift();
             const currentId = path[path.length - 1];
-            if (visited.has(currentId))
+            // Don't skip endId — we need to check every path that arrives at it
+            if (currentId !== endId && visited.has(currentId))
                 continue;
-            visited.add(currentId);
+            if (currentId !== endId)
+                visited.add(currentId);
             if (currentId === endId) {
                 // Check interior nodes (not start or end)
                 for (let i = 1; i < path.length - 1; i++) {
@@ -122,7 +133,8 @@ class CoverageKnowledgeGraph {
                     if ((node === null || node === void 0 ? void 0 : node.type) === nodeType)
                         return true;
                 }
-                return false;
+                // Don't return false here — other paths may still contain the node type
+                continue;
             }
             const outEdges = this.getEdgesFrom(currentId);
             for (const edge of outEdges) {

package/dist/src/pipeline/stages/ast/astStage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"astStage.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/astStage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE3E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAkB9C,qBAAa,QAAS,YAAW,aAAa,CAAC,cAAc,CAAC;IAC5D,QAAQ,CAAC,IAAI,EAAG,KAAK,CAAU;IAC/B,QAAQ,CAAC,QAAQ,SAAS;IAEpB,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CAyKjE"}
+{"version":3,"file":"astStage.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/astStage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE3E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AA2B9C,qBAAa,QAAS,YAAW,aAAa,CAAC,cAAc,CAAC;IAC5D,QAAQ,CAAC,IAAI,EAAG,KAAK,CAAU;IAC/B,QAAQ,CAAC,QAAQ,SAAS;IAEpB,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CAoNjE"}