api-tests-coverage 1.0.15 → 1.0.17

package/dist/src/pipeline/stages/ast/rulesEnforcer.js

@@ -0,0 +1,411 @@
+"use strict";
+/**
+ * Structure-agnostic rules enforcer (Feature 27, Sub-PR 9)
+ *
+ * Validates the 10 behavioral rules (SA01-SA10) after all resolution completes.
+ * Emits diagnostics for violations.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.enforceStructureAgnosticRules = enforceStructureAgnosticRules;
+/**
+ * Run all SA rules against the resolved symbol table.
+ */
+function enforceStructureAgnosticRules(symbolTable, projectRoot) {
+    const violations = [];
+    let rulesChecked = 0;
+    let rulesPassed = 0;
+    const checks = [
+        { id: 'SA01', fn: () => checkRuleSA01(symbolTable, projectRoot) },
+        { id: 'SA02', fn: () => checkRuleSA02(symbolTable) },
+        { id: 'SA03', fn: () => checkRuleSA03(symbolTable) },
+        { id: 'SA04', fn: () => checkRuleSA04(symbolTable) },
+        { id: 'SA05', fn: () => checkRuleSA05(symbolTable) },
+        { id: 'SA06', fn: () => checkRuleSA06(symbolTable) },
+        { id: 'SA07', fn: () => checkRuleSA07(symbolTable) },
+        { id: 'SA08', fn: () => checkRuleSA08(symbolTable) },
+        { id: 'SA09', fn: () => checkRuleSA09(symbolTable) },
+        { id: 'SA10', fn: () => checkRuleSA10(symbolTable) },
+    ];
+    for (const check of checks) {
+        rulesChecked++;
+        const ruleViolations = check.fn();
+        violations.push(...ruleViolations);
+        if (ruleViolations.length === 0)
+            rulesPassed++;
+    }
+    return { violations, rulesChecked, rulesPassed };
+}
+/**
+ * RULE-SA01: No endpoint nodes should be classified based on directory name alone.
+ * Checks that route registrations have content-based evidence, not just path-based.
+ */
+function checkRuleSA01(symbolTable, projectRoot) {
+    const violations = [];
+    // Check route registrations for directory-only evidence
+    for (const [filePath, model] of symbolTable.models) {
+        if (!model.routeRegistrations)
+            continue;
+        for (const reg of model.routeRegistrations) {
+            // A route with no registrar (no decorator, no app.route, no router.METHOD)
+            // that was classified solely from its directory path is a violation
+            if (!reg.registrarName && !reg.methods && !reg.security) {
+                violations.push({
+                    ruleId: 'SA01',
+                    severity: 'error',
+                    message: `Route '${reg.path}' in ${filePath} appears to lack content-based evidence`,
+                    filePath,
+                    line: reg.line,
+                });
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA02: All endpoint nodes must have fully resolved URLs.
+ * Checks for router mounts with empty or partial prefixes.
+ */
+function checkRuleSA02(symbolTable) {
+    const violations = [];
+    for (const [filePath, mounts] of symbolTable.routerMounts) {
+        for (const mount of mounts) {
+            if (!mount.prefix || mount.prefix === '/') {
+                // Empty or root prefix is only a warning if there's a target module
+                if (mount.targetModulePath) {
+                    violations.push({
+                        ruleId: 'SA02',
+                        severity: 'warning',
+                        message: `Router mount in ${filePath} has empty prefix for target '${mount.targetModulePath}'`,
+                        filePath,
+                        line: mount.line,
+                    });
+                }
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA03: Service/repository nodes must be detected without requiring framework annotations.
+ * Checks that interface implementations exist in the symbol table for projects that have
+ * classes following DDD patterns (Repository, Store, Gateway naming or method patterns).
+ */
+function checkRuleSA03(symbolTable) {
+    const violations = [];
+    // Find classes that look like repositories by naming convention
+    const repoLikeClasses = [];
+    for (const [className, classDecl] of symbolTable.classes) {
+        if (/(?:Repository|Repo|Store|Gateway)$/i.test(className)) {
+            repoLikeClasses.push(className);
+        }
+    }
+    // If there are repository-like classes, check that at least some have interface implementations resolved
+    if (repoLikeClasses.length > 0) {
+        let hasAnyImpl = false;
+        for (const [, impls] of symbolTable.interfaceImplementations) {
+            if (impls.length > 0) {
+                hasAnyImpl = true;
+                break;
+            }
+        }
+        if (!hasAnyImpl && repoLikeClasses.length >= 2) {
+            violations.push({
+                ruleId: 'SA03',
+                severity: 'warning',
+                message: `Found ${repoLikeClasses.length} repository-like class(es) but no interface→implementation mappings resolved`,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA04: Optional auth must be distinguished from public.
+ * Checks that models with route registrations having security classifications
+ * properly distinguish between required, optional, and public.
+ */
+function checkRuleSA04(symbolTable) {
+    const violations = [];
+    for (const [filePath, model] of symbolTable.models) {
+        if (!model.routeRegistrations)
+            continue;
+        for (const reg of model.routeRegistrations) {
+            if (reg.security) {
+                // Validate that optional and required are mutually exclusive
+                if (reg.security.required && reg.security.optional) {
+                    violations.push({
+                        ruleId: 'SA04',
+                        severity: 'error',
+                        message: `Route '${reg.path}' in ${filePath} has both required=true and optional=true`,
+                        filePath,
+                        line: reg.line,
+                    });
+                }
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA05: @Mapper interfaces must be linked to their XML mapper files.
+ * Checks that all interface implementations with MyBatis naming have corresponding XML bindings.
+ */
+function checkRuleSA05(symbolTable) {
+    const violations = [];
+    // Find @Mapper-like classes (by naming convention or annotations)
+    for (const [className, classDecl] of symbolTable.classes) {
+        if (!className.endsWith('Mapper'))
+            continue;
+        // Check if this mapper has a corresponding interface implementation (XML binding)
+        let hasBinding = false;
+        for (const [, impls] of symbolTable.interfaceImplementations) {
+            if (impls.some((impl) => impl.interfaceName === className || impl.implName.includes(className))) {
+                hasBinding = true;
+                break;
+            }
+        }
+        // Check if there are any models with MyBatis-related content
+        const model = symbolTable.models.get(classDecl.filePath);
+        if (model && !hasBinding) {
+            // Only warn if the project appears to use MyBatis (has XML-linked implementations)
+            let projectUsesMyBatis = false;
+            for (const [, impls] of symbolTable.interfaceImplementations) {
+                if (impls.some((impl) => impl.implName.includes('XmlMapper'))) {
+                    projectUsesMyBatis = true;
+                    break;
+                }
+            }
+            if (projectUsesMyBatis) {
+                violations.push({
+                    ruleId: 'SA05',
+                    severity: 'warning',
+                    message: `@Mapper interface '${className}' in ${classDecl.filePath} has no linked XML mapper`,
+                    filePath: classDecl.filePath,
+                    line: classDecl.line,
+                });
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA06: .graphqls schema files must be parsed as first-class endpoint definitions.
+ * Checks that GraphQL schemas produce endpoint nodes when present.
+ */
+function checkRuleSA06(symbolTable) {
+    const violations = [];
+    // Check if there are any .graphqls or .graphql files in the models that lack route registrations
+    for (const [filePath, model] of symbolTable.models) {
+        if (!filePath.endsWith('.graphqls') && !filePath.endsWith('.graphql'))
+            continue;
+        // GraphQL schema files should produce route registrations
+        if (!model.routeRegistrations || model.routeRegistrations.length === 0) {
+            violations.push({
+                ruleId: 'SA06',
+                severity: 'warning',
+                message: `GraphQL schema file '${filePath}' was not parsed into endpoint definitions`,
+                filePath,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA07: Angular HttpClient calls in @Injectable services must be followed through injection.
+ * Checks that services with HTTP calls have injection chains linking them to consumers.
+ */
+function checkRuleSA07(symbolTable) {
+    var _a, _b;
+    const violations = [];
+    // Find services with HTTP calls that have no injection chain consumers
+    for (const [className, classDecl] of symbolTable.classes) {
+        const model = symbolTable.models.get(classDecl.filePath);
+        if (!model)
+            continue;
+        // Check if this class has methods with HTTP calls
+        let hasHttpCalls = false;
+        for (const [, func] of model.functions) {
+            if (func.bodyHttpCalls.length > 0) {
+                hasHttpCalls = true;
+                break;
+            }
+        }
+        if (!hasHttpCalls)
+            continue;
+        // Content-based check: is this an Angular @Injectable service?
+        // (RULE-SA01 compliant — no filename convention used)
+        const hasInjectableMarker = ((_b = (_a = model.decoratorStacks) === null || _a === void 0 ? void 0 : _a.some((ds) => ds.decorators.some((d) => d.name === 'Injectable' || d.name.includes('Injectable')))) !== null && _b !== void 0 ? _b : false) ||
+            Array.from(model.functions.values()).some((f) => { var _a; return (_a = f.annotations) === null || _a === void 0 ? void 0 : _a.some((a) => a === 'Injectable' || a === '@Injectable'); });
+        if (!hasInjectableMarker)
+            continue;
+        // Check if any injection chains reference this service
+        let hasConsumer = false;
+        for (const [, chains] of symbolTable.injectionChains) {
+            if (chains.some((c) => c.serviceClass === className)) {
+                hasConsumer = true;
+                break;
+            }
+        }
+        if (!hasConsumer) {
+            violations.push({
+                ruleId: 'SA07',
+                severity: 'info',
+                message: `Angular service '${className}' in ${classDecl.filePath} has HTTP calls but no resolved injection consumers`,
+                filePath: classDecl.filePath,
+                line: classDecl.line,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA08: Vuex dispatch calls must be linked to store action definitions.
+ * Checks that dispatch calls have corresponding injection chain entries.
+ */
+function checkRuleSA08(symbolTable) {
+    const violations = [];
+    // Find models with dispatch calls that have no injection chain linking
+    for (const [filePath, model] of symbolTable.models) {
+        let hasDispatch = false;
+        for (const [, func] of model.functions) {
+            if (func.calledFunctions.some((f) => f.includes('dispatch'))) {
+                hasDispatch = true;
+                break;
+            }
+        }
+        if (!hasDispatch)
+            continue;
+        // Check if there's an injection chain linking this file to a store
+        const chains = symbolTable.injectionChains.get(filePath);
+        if (!chains || chains.length === 0) {
+            // Only warn if the project has Vuex store files (files with both actions and HTTP calls)
+            let hasStoreFiles = false;
+            for (const [otherFile, otherModel] of symbolTable.models) {
+                if (otherFile === filePath)
+                    continue;
+                for (const [, func] of otherModel.functions) {
+                    if (func.bodyHttpCalls.length > 0) {
+                        hasStoreFiles = true;
+                        break;
+                    }
+                }
+                if (hasStoreFiles)
+                    break;
+            }
+            if (hasStoreFiles) {
+                violations.push({
+                    ruleId: 'SA08',
+                    severity: 'info',
+                    message: `File '${filePath}' dispatches Vuex actions but no dispatch→action links were resolved`,
+                    filePath,
+                });
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA09: Functional Angular guards (CanActivateFn) must be detected.
+ * Checks that guard files are recognized and linked to routes.
+ */
+function checkRuleSA09(symbolTable) {
+    var _a, _b;
+    const violations = [];
+    // Find files with Angular guard-related content (content-based, not filename-based)
+    for (const [filePath, model] of symbolTable.models) {
+        // Content-based check: does this file have guard-related types or implementations?
+        // (RULE-SA01 compliant — no filename convention used)
+        let hasGuardContent = false;
+        // Check function annotations for guard type markers (CanActivateFn, etc.)
+        const guardTypeAnnotations = [
+            'CanActivateFn',
+            'CanActivateChildFn',
+            'CanDeactivateFn',
+            'ResolveFn',
+            'CanMatchFn',
+        ];
+        for (const [, func] of model.functions) {
+            if ((_a = func.annotations) === null || _a === void 0 ? void 0 : _a.some((a) => guardTypeAnnotations.includes(a))) {
+                hasGuardContent = true;
+                break;
+            }
+        }
+        // Check if any class in this file implements guard interfaces
+        if (!hasGuardContent) {
+            const guardInterfaces = [
+                'CanActivate',
+                'CanActivateChild',
+                'CanDeactivate',
+                'Resolve',
+                'CanMatch',
+            ];
+            for (const [, classDecl] of symbolTable.classes) {
+                if (classDecl.filePath === filePath &&
+                    ((_b = classDecl.implementsInterfaces) === null || _b === void 0 ? void 0 : _b.some((i) => guardInterfaces.includes(i)))) {
+                    hasGuardContent = true;
+                    break;
+                }
+            }
+        }
+        // Check function names for guard-related patterns as content heuristic
+        if (!hasGuardContent) {
+            for (const [funcName] of model.functions) {
+                if (/guard|canActivate|canDeactivate|canMatch/i.test(funcName)) {
+                    hasGuardContent = true;
+                    break;
+                }
+            }
+        }
+        if (!hasGuardContent)
+            continue;
+        // Check if this guard has any route registrations or middleware entries
+        let isLinked = false;
+        for (const [, middleware] of symbolTable.middlewareInheritance) {
+            if (middleware.some((m) => m.sourceFile === filePath || m.name.includes('guard'))) {
+                isLinked = true;
+                break;
+            }
+        }
+        if (!isLinked) {
+            // Check if there's at least a function export that looks like a guard
+            let hasGuardFunction = false;
+            for (const [funcName] of model.functions) {
+                if (/guard|canActivate|canDeactivate|canMatch/i.test(funcName)) {
+                    hasGuardFunction = true;
+                    break;
+                }
+            }
+            if (hasGuardFunction) {
+                violations.push({
+                    ruleId: 'SA09',
+                    severity: 'info',
+                    message: `Angular guard in '${filePath}' has guard functions but is not linked to any route`,
+                    filePath,
+                });
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA10: webtest/TestApp must be detected as API test evidence.
+ * Checks that files using webtest patterns have their HTTP calls extracted.
+ */
+function checkRuleSA10(symbolTable) {
+    const violations = [];
+    for (const [filePath, model] of symbolTable.models) {
+        // Check if this model has webtest-detected calls (via the __webtest_calls__ synthetic function)
+        const webtestFunc = model.functions.get('__webtest_calls__');
+        if (!webtestFunc)
+            continue;
+        // Verify the webtest calls actually produced HTTP call entries
+        if (webtestFunc.bodyHttpCalls.length === 0) {
+            violations.push({
+                ruleId: 'SA10',
+                severity: 'warning',
+                message: `File '${filePath}' has webtest detection but produced no HTTP call entries`,
+                filePath,
+            });
+        }
+    }
+    return violations;
+}

package/dist/src/pipeline/stages/ast/types.d.ts

@@ -1,8 +1,9 @@
 /**
  * AST stage types — cross-file analysis, import resolution, and abstract layer traversal.
  */
-import type { SemanticModel, SemanticHttpCall, SemanticAssertion } from '../../../ast/astTypes';
+import type { SemanticModel, SemanticHttpCall, SemanticAssertion, SecurityClassification } from '../../../ast/astTypes';
 import type { AssertionSource } from '../../types';
+import type { DetectedApiFramework } from '../../../discovery/frameworkDetector';
 /**
  * An import declaration extracted from a source file.
  */
@@ -29,6 +30,62 @@ export interface ClassDeclaration {
     filePath: string;
     line?: number;
 }
+/**
+ * A router mount point: app.use('/prefix', router) or register_blueprint(bp, url_prefix=...)
+ */
+export interface RouterMount {
+    /** URL prefix being mounted */
+    prefix: string;
+    /** Path to the target module/file being mounted */
+    targetModulePath: string;
+    /** Middleware applied at this mount point */
+    middleware: MiddlewareEntry[];
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * An Angular/Vue/React injection chain: component → service → HTTP call
+ */
+export interface InjectionChain {
+    /** File containing the consumer (component) */
+    consumerFile: string;
+    /** Class name of the consumer */
+    consumerClass: string;
+    /** Class name of the injected service */
+    serviceClass: string;
+    /** File containing the service */
+    serviceFile: string;
+    /** How injection was detected */
+    injectionStyle: 'constructor' | 'inject-fn' | 'decorator' | 'property';
+}
+/**
+ * A middleware entry in a chain (auth, validation, error handling)
+ */
+export interface MiddlewareEntry {
+    /** Middleware name or identifier */
+    name: string;
+    /** Classified type */
+    type: 'auth-required' | 'auth-optional' | 'validation' | 'error-handler' | 'custom';
+    /** Whether this applies to an entire router or a single route */
+    appliedTo: 'router' | 'route';
+    /** Security classification if this is an auth middleware */
+    security?: SecurityClassification;
+    sourceFile: string;
+    line?: number;
+}
+/**
+ * A domain interface → infrastructure implementation mapping (DDD)
+ */
+export interface InterfaceImpl {
+    /** Fully qualified interface name */
+    interfaceName: string;
+    /** File containing the interface */
+    interfaceFile: string;
+    /** Fully qualified implementation class name */
+    implName: string;
+    /** File containing the implementation */
+    implFile: string;
+}
 /**
  * Multi-file symbol table aggregating all parsed file models.
  */
@@ -44,6 +101,52 @@ export interface CrossFileSymbolTable {
     classes: Map<string, ClassDeclaration>;
     /** Import graph: filePath → array of resolved import file paths */
     importGraph: Map<string, string[]>;
+    /** Router/blueprint mounts: sourceFile → mounts (Feature 27) */
+    routerMounts: Map<string, RouterMount[]>;
+    /** Injection chains: consumerFile → chains (Feature 27) */
+    injectionChains: Map<string, InjectionChain[]>;
+    /** Interface → implementations: interfaceName → implNames (Feature 27) */
+    interfaceImplementations: Map<string, InterfaceImpl[]>;
+    /** Middleware applied to routers: routerFile → middleware (Feature 27) */
+    middlewareInheritance: Map<string, MiddlewareEntry[]>;
+}
+/**
+ * Context threaded through all cross-file resolvers.
+ */
+export interface CrossFileResolutionContext {
+    /** The cross-file symbol table to enrich */
+    symbolTable: CrossFileSymbolTable;
+    /** Project root directory */
+    projectRoot: string;
+    /** Detected API frameworks */
+    apiFrameworks: DetectedApiFramework[];
+    /** All source file paths */
+    allSourceFiles: string[];
+}
+/**
+ * Result from a single cross-file resolver.
+ */
+export interface CrossFileResolutionResult {
+    /** Number of new entries added to the symbol table */
+    entriesAdded: number;
+    /** Diagnostic messages from resolution */
+    diagnostics: string[];
+    /** Unresolved references that could not be completed */
+    unresolvedRefs: Array<{
+        ref: string;
+        reason: string;
+    }>;
+}
+/**
+ * Interface that each framework-specific cross-file resolver must implement.
+ */
+export interface CrossFileResolver {
+    /** Human-readable resolver name */
+    name: string;
+    /** Returns true if this resolver should run given the detected frameworks */
+    appliesTo(frameworks: DetectedApiFramework[]): boolean;
+    /** Perform cross-file resolution, mutating the symbol table */
+    resolve(ctx: CrossFileResolutionContext): CrossFileResolutionResult;
 }
 /**
  * Result of abstract layer traversal (inheritance, helpers, fixtures).
@@ -81,5 +184,15 @@ export interface AstStageOutput {
         file: string;
         reason: string;
     }>;
+    /** Cross-file resolution diagnostics (Feature 27) */
+    crossFileResolutionDiagnostics?: Array<{
+        resolverName: string;
+        entriesAdded: number;
+        diagnostics: string[];
+        unresolvedRefs: Array<{
+            ref: string;
+            reason: string;
+        }>;
+    }>;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/src/pipeline/stages/ast/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,gBAAgB,EAAE,iBAAiB,EAAuC,MAAM,uBAAuB,CAAC;AACrI,OAAO,KAAK,EAAE,eAAe,EAAiB,MAAM,aAAa,CAAC;AAElE;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,gFAAgF;IAChF,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,uCAAuC;IACvC,SAAS,EAAE,OAAO,CAAC;IACnB,iCAAiC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,oDAAoD;IACpD,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACnC,yDAAyD;IACzD,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClE,2CAA2C;IAC3C,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACvC,mEAAmE;IACnE,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,kEAAkE;IAClE,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,+CAA+C;IAC/C,iBAAiB,EAAE,gBAAgB,EAAE,CAAC;IACtC,oCAAoC;IACpC,eAAe,EAAE,eAAe,CAAC;IACjC,kCAAkC;IAClC,cAAc,EAAE,MAAM,CAAC;IACvB,4CAA4C;IAC5C,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,uDAAuD;IACvD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,iCAAiC;IACjC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACnC,8BAA8B;IAC9B,cAAc,EAAE,oBAAoB,CAAC;IACrC,sCAAsC;IACtC,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC/C,4CAA4C;IAC5C,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,wCAAwC;IACxC,YAAY,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACvD"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,gBAAgB,EAAE,iBAAiB,EAAuC,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC7J,OAAO,KAAK,EAAE,eAAe,EAAiB,MAAM,aAAa,CAAC;AAClE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAEjF;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,gFAAgF;IAChF,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,uCAAuC;IACvC,SAAS,EAAE,OAAO,CAAC;IACnB,iCAAiC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAID;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,gBAAgB,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,UAAU,EAAE,eAAe,EAAE,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,+CAA+C;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,yCAAyC;IACzC,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,cAAc,EAAE,aAAa,GAAG,WAAW,GAAG,WAAW,GAAG,UAAU,CAAC;CACxE;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,sBAAsB;IACtB,IAAI,EAAE,eAAe,GAAG,eAAe,GAAG,YAAY,GAAG,eAAe,GAAG,QAAQ,CAAC;IACpF,iEAAiE;IACjE,SAAS,EAAE,QAAQ,GAAG,OAAO,CAAC;IAC9B,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,sBAAsB,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,qCAAqC;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,oCAAoC;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IACjB,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,oDAAoD;IACpD,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACnC,yDAAyD;IACzD,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClE,2CAA2C;IAC3C,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACvC,mEAAmE;IACnE,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACnC,gEAAgE;IAChE,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;IACzC,2DAA2D;IAC3D,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;IAC/C,0EAA0E;IAC1E,wBAAwB,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;IACvD,0EAA0E;IAC1E,qBAAqB,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;CACvD;AAID;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,4CAA4C;IAC5C,WAAW,EAAE,oBAAoB,CAAC;IAClC,6BAA6B;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,8BAA8B;IAC9B,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,4BAA4B;IAC5B,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,sDAAsD;IACtD,YAAY,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,wDAAwD;IACxD,cAAc,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACxD;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mCAAmC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,6EAA6E;IAC7E,SAAS,CAAC,UAAU,EAAE,oBAAoB,EAAE,GAAG,OAAO,CAAC;IACvD,+DAA+D;IAC/D,OAAO,CAAC,GAAG,EAAE,0BAA0B,GAAG,yBAAyB,CAAC;CACrE;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,kEAAkE;IAClE,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,+CAA+C;IAC/C,iBAAiB,EAAE,gBAAgB,EAAE,CAAC;IACtC,oCAAoC;IACpC,eAAe,EAAE,eAAe,CAAC;IACjC,kCAAkC;IAClC,cAAc,EAAE,MAAM,CAAC;IACvB,4CAA4C;IAC5C,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,uDAAuD;IACvD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,iCAAiC;IACjC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACnC,8BAA8B;IAC9B,cAAc,EAAE,oBAAoB,CAAC;IACrC,sCAAsC;IACtC,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC/C,4CAA4C;IAC5C,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,wCAAwC;IACxC,YAAY,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtD,qDAAqD;IACrD,8BAA8B,CAAC,EAAE,KAAK,CAAC;QACrC,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,cAAc,EAAE,KAAK,CAAC;YAAE,GAAG,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KACxD,CAAC,CAAC;CACJ"}

package/dist/src/pipeline/stages/merge/conflictDetector.d.ts

@@ -4,6 +4,8 @@
  *
  * Detects:
  * - Runtime-unconfirmed: AST+TIA say covered, but IAST/DAST disagree
+ * - DAST-unreachable: DAST probed an endpoint but could not reach it
+ * - Undeclared-endpoint: DAST discovered endpoints not found by static analysis
  * - Stage disagreement: Two stages assign different types to the same node
  */
 import type { ConflictNode } from '../../types';

package/dist/src/pipeline/stages/merge/conflictDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"conflictDetector.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/conflictDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA2B,MAAM,aAAa,CAAC;AACzE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD;;GAEG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,sBAAsB,EAC7B,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,GACjC,YAAY,EAAE,CA0ChB"}
+{"version":3,"file":"conflictDetector.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/conflictDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA2B,MAAM,aAAa,CAAC;AACzE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD;;GAEG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,sBAAsB,EAC7B,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,GACjC,YAAY,EAAE,CAmGhB"}

package/dist/src/pipeline/stages/merge/conflictDetector.js

@@ -5,6 +5,8 @@
  *
  * Detects:
  * - Runtime-unconfirmed: AST+TIA say covered, but IAST/DAST disagree
+ * - DAST-unreachable: DAST probed an endpoint but could not reach it
+ * - Undeclared-endpoint: DAST discovered endpoints not found by static analysis
  * - Stage disagreement: Two stages assign different types to the same node
  */
 Object.defineProperty(exports, "__esModule", { value: true });
@@ -13,7 +15,7 @@ exports.detectConflicts = detectConflicts;
  * Detect conflicts across all stages.
  */
 function detectConflicts(graph, iastOutput, dastOutput) {
-    var _a, _b, _c, _d, _e;
+    var _a, _b, _c, _d, _e, _f, _g;
     const conflicts = [];
     // 1. Runtime-unconfirmed: endpoints that AST found but neither IAST nor DAST confirmed
     const endpointNodes = graph.getNodesByType('endpoint');
@@ -46,7 +48,57 @@ function detectConflicts(graph, iastOutput, dastOutput) {
             }
         }
     }
-    // 2. Stage disagreement: same node ID added by multiple stages with different types
+    // 2. DAST-unreachable: endpoints that DAST explicitly could not reach
+    if (dastOutput) {
+        for (const endpointId of dastUnreachable) {
+            const node = graph.getNode(endpointId);
+            const label = (_f = node === null || node === void 0 ? void 0 : node.label) !== null && _f !== void 0 ? _f : endpointId;
+            conflicts.push({
+                conflictId: `conflict:dast-unreachable:${endpointId}`,
+                nodeId: endpointId,
+                type: 'dast-unreachable',
+                stages: ['dast'],
+                stageOutputs: {
+                    dast: 'unreachable',
+                },
+                detail: `${label} was probed by DAST but could not be reached.`,
+                suggestedAction: 'Verify the endpoint is deployed and accessible. Check authentication requirements and network configuration for the DAST scanner.',
+                severity: 'warning',
+            });
+        }
+    }
+    // 3. Undeclared-endpoint: DAST discovered endpoints not found by static analysis
+    if (dastOutput) {
+        const staticEndpointIds = new Set(endpointNodes
+            .filter((n) => n.sourceStage !== 'dast')
+            .map((n) => n.id));
+        for (const result of dastOutput.results) {
+            if (!result.reachable)
+                continue;
+            const endpointPath = (_g = result.normalizedPath) !== null && _g !== void 0 ? _g : result.path;
+            const endpointId = `endpoint:${result.method.toUpperCase()}:${endpointPath}`;
+            if (!staticEndpointIds.has(endpointId)) {
+                // Avoid duplicate conflicts for the same endpoint
+                const conflictId = `conflict:undeclared-endpoint:${endpointId}`;
+                if (conflicts.some((c) => c.conflictId === conflictId))
+                    continue;
+                conflicts.push({
+                    conflictId,
+                    nodeId: endpointId,
+                    type: 'undeclared-endpoint',
+                    stages: ['dast'],
+                    stageOutputs: {
+                        dast: 'discovered',
+                        ast: 'not-declared',
+                    },
+                    detail: `${result.method.toUpperCase()} ${endpointPath} was discovered by DAST but not found by static analysis.`,
+                    suggestedAction: 'Review the endpoint source. It may be dynamically registered, generated by a framework, or missing from the scanned codebase.',
+                    severity: 'warning',
+                });
+            }
+        }
+    }
+    // 4. Stage disagreement: same node ID added by multiple stages with different types
     // (This is handled by the graph merge(), which already returns ConflictNode[])
     return conflicts;
 }

package/dist/src/pipeline/stages/merge/coverageMappingBuilder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"coverageMappingBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/coverageMappingBuilder.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,eAAe,EAMhB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAIhD;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,sBAAsB,EAC7B,SAAS,EAAE,SAAS,GAAG,SAAS,EAChC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,gBAAgB,EAAE,OAAO,GACxB,eAAe,EAAE,CAuJnB"}
+{"version":3,"file":"coverageMappingBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/coverageMappingBuilder.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,eAAe,EAOhB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAoBhD;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,sBAAsB,EAC7B,SAAS,EAAE,SAAS,GAAG,SAAS,EAChC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,gBAAgB,EAAE,OAAO,GACxB,eAAe,EAAE,CAyNnB"}