api-tests-coverage 1.0.16 → 1.0.17

package/dist/src/pipeline/stages/ast/rulesEnforcer.js

@@ -14,47 +14,25 @@ function enforceStructureAgnosticRules(symbolTable, projectRoot) {
     const violations = [];
     let rulesChecked = 0;
     let rulesPassed = 0;
-    // RULE-SA01: No endpoint nodes classified based on directory name alone
-    rulesChecked++;
-    const sa01Violations = checkRuleSA01(symbolTable, projectRoot);
-    violations.push(...sa01Violations);
-    if (sa01Violations.length === 0)
-        rulesPassed++;
-    // RULE-SA02: All endpoint nodes must have fully resolved URLs
-    rulesChecked++;
-    const sa02Violations = checkRuleSA02(symbolTable);
-    violations.push(...sa02Violations);
-    if (sa02Violations.length === 0)
-        rulesPassed++;
-    // RULE-SA03: Service/repository nodes detected without framework annotations
-    rulesChecked++;
-    // This is a capability check, not a violation check — always passes if detection code exists
-    rulesPassed++;
-    // RULE-SA04: Optional auth distinguished from public
-    rulesChecked++;
-    const sa04Violations = checkRuleSA04(symbolTable);
-    violations.push(...sa04Violations);
-    if (sa04Violations.length === 0)
-        rulesPassed++;
-    // RULE-SA05: @Mapper interfaces linked to XML
-    rulesChecked++;
-    // Checked by mybatisResolver — passes if no unresolved mappers
-    rulesPassed++;
-    // RULE-SA06: .graphqls files parsed as first-class
-    rulesChecked++;
-    rulesPassed++;
-    // RULE-SA07: Angular HttpClient in services followed through injection
-    rulesChecked++;
-    rulesPassed++;
-    // RULE-SA08: Vuex dispatch linked to actions
-    rulesChecked++;
-    rulesPassed++;
-    // RULE-SA09: Functional Angular guards detected
-    rulesChecked++;
-    rulesPassed++;
-    // RULE-SA10: webtest/TestApp detected as API test evidence
-    rulesChecked++;
-    rulesPassed++;
+    const checks = [
+        { id: 'SA01', fn: () => checkRuleSA01(symbolTable, projectRoot) },
+        { id: 'SA02', fn: () => checkRuleSA02(symbolTable) },
+        { id: 'SA03', fn: () => checkRuleSA03(symbolTable) },
+        { id: 'SA04', fn: () => checkRuleSA04(symbolTable) },
+        { id: 'SA05', fn: () => checkRuleSA05(symbolTable) },
+        { id: 'SA06', fn: () => checkRuleSA06(symbolTable) },
+        { id: 'SA07', fn: () => checkRuleSA07(symbolTable) },
+        { id: 'SA08', fn: () => checkRuleSA08(symbolTable) },
+        { id: 'SA09', fn: () => checkRuleSA09(symbolTable) },
+        { id: 'SA10', fn: () => checkRuleSA10(symbolTable) },
+    ];
+    for (const check of checks) {
+        rulesChecked++;
+        const ruleViolations = check.fn();
+        violations.push(...ruleViolations);
+        if (ruleViolations.length === 0)
+            rulesPassed++;
+    }
     return { violations, rulesChecked, rulesPassed };
 }
 /**
@@ -62,10 +40,26 @@ function enforceStructureAgnosticRules(symbolTable, projectRoot) {
  * Checks that route registrations have content-based evidence, not just path-based.
  */
 function checkRuleSA01(symbolTable, projectRoot) {
-    // This rule is enforced by design: all our detectors use content analysis (AST/regex),
-    // not directory-based classification. We verify no router mounts were added with
-    // directory-only evidence.
-    return [];
+    const violations = [];
+    // Check route registrations for directory-only evidence
+    for (const [filePath, model] of symbolTable.models) {
+        if (!model.routeRegistrations)
+            continue;
+        for (const reg of model.routeRegistrations) {
+            // A route with no registrar (no decorator, no app.route, no router.METHOD)
+            // that was classified solely from its directory path is a violation
+            if (!reg.registrarName && !reg.methods && !reg.security) {
+                violations.push({
+                    ruleId: 'SA01',
+                    severity: 'error',
+                    message: `Route '${reg.path}' in ${filePath} appears to lack content-based evidence`,
+                    filePath,
+                    line: reg.line,
+                });
+            }
+        }
+    }
+    return violations;
 }
 /**
  * RULE-SA02: All endpoint nodes must have fully resolved URLs.
@@ -91,6 +85,39 @@ function checkRuleSA02(symbolTable) {
     }
     return violations;
 }
+/**
+ * RULE-SA03: Service/repository nodes must be detected without requiring framework annotations.
+ * Checks that interface implementations exist in the symbol table for projects that have
+ * classes following DDD patterns (Repository, Store, Gateway naming or method patterns).
+ */
+function checkRuleSA03(symbolTable) {
+    const violations = [];
+    // Find classes that look like repositories by naming convention
+    const repoLikeClasses = [];
+    for (const [className, classDecl] of symbolTable.classes) {
+        if (/(?:Repository|Repo|Store|Gateway)$/i.test(className)) {
+            repoLikeClasses.push(className);
+        }
+    }
+    // If there are repository-like classes, check that at least some have interface implementations resolved
+    if (repoLikeClasses.length > 0) {
+        let hasAnyImpl = false;
+        for (const [, impls] of symbolTable.interfaceImplementations) {
+            if (impls.length > 0) {
+                hasAnyImpl = true;
+                break;
+            }
+        }
+        if (!hasAnyImpl && repoLikeClasses.length >= 2) {
+            violations.push({
+                ruleId: 'SA03',
+                severity: 'warning',
+                message: `Found ${repoLikeClasses.length} repository-like class(es) but no interface→implementation mappings resolved`,
+            });
+        }
+    }
+    return violations;
+}
 /**
  * RULE-SA04: Optional auth must be distinguished from public.
  * Checks that models with route registrations having security classifications
@@ -118,3 +145,267 @@ function checkRuleSA04(symbolTable) {
     }
     return violations;
 }
+/**
+ * RULE-SA05: @Mapper interfaces must be linked to their XML mapper files.
+ * Checks that all interface implementations with MyBatis naming have corresponding XML bindings.
+ */
+function checkRuleSA05(symbolTable) {
+    const violations = [];
+    // Find @Mapper-like classes (by naming convention or annotations)
+    for (const [className, classDecl] of symbolTable.classes) {
+        if (!className.endsWith('Mapper'))
+            continue;
+        // Check if this mapper has a corresponding interface implementation (XML binding)
+        let hasBinding = false;
+        for (const [, impls] of symbolTable.interfaceImplementations) {
+            if (impls.some((impl) => impl.interfaceName === className || impl.implName.includes(className))) {
+                hasBinding = true;
+                break;
+            }
+        }
+        // Check if there are any models with MyBatis-related content
+        const model = symbolTable.models.get(classDecl.filePath);
+        if (model && !hasBinding) {
+            // Only warn if the project appears to use MyBatis (has XML-linked implementations)
+            let projectUsesMyBatis = false;
+            for (const [, impls] of symbolTable.interfaceImplementations) {
+                if (impls.some((impl) => impl.implName.includes('XmlMapper'))) {
+                    projectUsesMyBatis = true;
+                    break;
+                }
+            }
+            if (projectUsesMyBatis) {
+                violations.push({
+                    ruleId: 'SA05',
+                    severity: 'warning',
+                    message: `@Mapper interface '${className}' in ${classDecl.filePath} has no linked XML mapper`,
+                    filePath: classDecl.filePath,
+                    line: classDecl.line,
+                });
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA06: .graphqls schema files must be parsed as first-class endpoint definitions.
+ * Checks that GraphQL schemas produce endpoint nodes when present.
+ */
+function checkRuleSA06(symbolTable) {
+    const violations = [];
+    // Check if there are any .graphqls or .graphql files in the models that lack route registrations
+    for (const [filePath, model] of symbolTable.models) {
+        if (!filePath.endsWith('.graphqls') && !filePath.endsWith('.graphql'))
+            continue;
+        // GraphQL schema files should produce route registrations
+        if (!model.routeRegistrations || model.routeRegistrations.length === 0) {
+            violations.push({
+                ruleId: 'SA06',
+                severity: 'warning',
+                message: `GraphQL schema file '${filePath}' was not parsed into endpoint definitions`,
+                filePath,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA07: Angular HttpClient calls in @Injectable services must be followed through injection.
+ * Checks that services with HTTP calls have injection chains linking them to consumers.
+ */
+function checkRuleSA07(symbolTable) {
+    var _a, _b;
+    const violations = [];
+    // Find services with HTTP calls that have no injection chain consumers
+    for (const [className, classDecl] of symbolTable.classes) {
+        const model = symbolTable.models.get(classDecl.filePath);
+        if (!model)
+            continue;
+        // Check if this class has methods with HTTP calls
+        let hasHttpCalls = false;
+        for (const [, func] of model.functions) {
+            if (func.bodyHttpCalls.length > 0) {
+                hasHttpCalls = true;
+                break;
+            }
+        }
+        if (!hasHttpCalls)
+            continue;
+        // Content-based check: is this an Angular @Injectable service?
+        // (RULE-SA01 compliant — no filename convention used)
+        const hasInjectableMarker = ((_b = (_a = model.decoratorStacks) === null || _a === void 0 ? void 0 : _a.some((ds) => ds.decorators.some((d) => d.name === 'Injectable' || d.name.includes('Injectable')))) !== null && _b !== void 0 ? _b : false) ||
+            Array.from(model.functions.values()).some((f) => { var _a; return (_a = f.annotations) === null || _a === void 0 ? void 0 : _a.some((a) => a === 'Injectable' || a === '@Injectable'); });
+        if (!hasInjectableMarker)
+            continue;
+        // Check if any injection chains reference this service
+        let hasConsumer = false;
+        for (const [, chains] of symbolTable.injectionChains) {
+            if (chains.some((c) => c.serviceClass === className)) {
+                hasConsumer = true;
+                break;
+            }
+        }
+        if (!hasConsumer) {
+            violations.push({
+                ruleId: 'SA07',
+                severity: 'info',
+                message: `Angular service '${className}' in ${classDecl.filePath} has HTTP calls but no resolved injection consumers`,
+                filePath: classDecl.filePath,
+                line: classDecl.line,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA08: Vuex dispatch calls must be linked to store action definitions.
+ * Checks that dispatch calls have corresponding injection chain entries.
+ */
+function checkRuleSA08(symbolTable) {
+    const violations = [];
+    // Find models with dispatch calls that have no injection chain linking
+    for (const [filePath, model] of symbolTable.models) {
+        let hasDispatch = false;
+        for (const [, func] of model.functions) {
+            if (func.calledFunctions.some((f) => f.includes('dispatch'))) {
+                hasDispatch = true;
+                break;
+            }
+        }
+        if (!hasDispatch)
+            continue;
+        // Check if there's an injection chain linking this file to a store
+        const chains = symbolTable.injectionChains.get(filePath);
+        if (!chains || chains.length === 0) {
+            // Only warn if the project has Vuex store files (files with both actions and HTTP calls)
+            let hasStoreFiles = false;
+            for (const [otherFile, otherModel] of symbolTable.models) {
+                if (otherFile === filePath)
+                    continue;
+                for (const [, func] of otherModel.functions) {
+                    if (func.bodyHttpCalls.length > 0) {
+                        hasStoreFiles = true;
+                        break;
+                    }
+                }
+                if (hasStoreFiles)
+                    break;
+            }
+            if (hasStoreFiles) {
+                violations.push({
+                    ruleId: 'SA08',
+                    severity: 'info',
+                    message: `File '${filePath}' dispatches Vuex actions but no dispatch→action links were resolved`,
+                    filePath,
+                });
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA09: Functional Angular guards (CanActivateFn) must be detected.
+ * Checks that guard files are recognized and linked to routes.
+ */
+function checkRuleSA09(symbolTable) {
+    var _a, _b;
+    const violations = [];
+    // Find files with Angular guard-related content (content-based, not filename-based)
+    for (const [filePath, model] of symbolTable.models) {
+        // Content-based check: does this file have guard-related types or implementations?
+        // (RULE-SA01 compliant — no filename convention used)
+        let hasGuardContent = false;
+        // Check function annotations for guard type markers (CanActivateFn, etc.)
+        const guardTypeAnnotations = [
+            'CanActivateFn',
+            'CanActivateChildFn',
+            'CanDeactivateFn',
+            'ResolveFn',
+            'CanMatchFn',
+        ];
+        for (const [, func] of model.functions) {
+            if ((_a = func.annotations) === null || _a === void 0 ? void 0 : _a.some((a) => guardTypeAnnotations.includes(a))) {
+                hasGuardContent = true;
+                break;
+            }
+        }
+        // Check if any class in this file implements guard interfaces
+        if (!hasGuardContent) {
+            const guardInterfaces = [
+                'CanActivate',
+                'CanActivateChild',
+                'CanDeactivate',
+                'Resolve',
+                'CanMatch',
+            ];
+            for (const [, classDecl] of symbolTable.classes) {
+                if (classDecl.filePath === filePath &&
+                    ((_b = classDecl.implementsInterfaces) === null || _b === void 0 ? void 0 : _b.some((i) => guardInterfaces.includes(i)))) {
+                    hasGuardContent = true;
+                    break;
+                }
+            }
+        }
+        // Check function names for guard-related patterns as content heuristic
+        if (!hasGuardContent) {
+            for (const [funcName] of model.functions) {
+                if (/guard|canActivate|canDeactivate|canMatch/i.test(funcName)) {
+                    hasGuardContent = true;
+                    break;
+                }
+            }
+        }
+        if (!hasGuardContent)
+            continue;
+        // Check if this guard has any route registrations or middleware entries
+        let isLinked = false;
+        for (const [, middleware] of symbolTable.middlewareInheritance) {
+            if (middleware.some((m) => m.sourceFile === filePath || m.name.includes('guard'))) {
+                isLinked = true;
+                break;
+            }
+        }
+        if (!isLinked) {
+            // Check if there's at least a function export that looks like a guard
+            let hasGuardFunction = false;
+            for (const [funcName] of model.functions) {
+                if (/guard|canActivate|canDeactivate|canMatch/i.test(funcName)) {
+                    hasGuardFunction = true;
+                    break;
+                }
+            }
+            if (hasGuardFunction) {
+                violations.push({
+                    ruleId: 'SA09',
+                    severity: 'info',
+                    message: `Angular guard in '${filePath}' has guard functions but is not linked to any route`,
+                    filePath,
+                });
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * RULE-SA10: webtest/TestApp must be detected as API test evidence.
+ * Checks that files using webtest patterns have their HTTP calls extracted.
+ */
+function checkRuleSA10(symbolTable) {
+    const violations = [];
+    for (const [filePath, model] of symbolTable.models) {
+        // Check if this model has webtest-detected calls (via the __webtest_calls__ synthetic function)
+        const webtestFunc = model.functions.get('__webtest_calls__');
+        if (!webtestFunc)
+            continue;
+        // Verify the webtest calls actually produced HTTP call entries
+        if (webtestFunc.bodyHttpCalls.length === 0) {
+            violations.push({
+                ruleId: 'SA10',
+                severity: 'warning',
+                message: `File '${filePath}' has webtest detection but produced no HTTP call entries`,
+                filePath,
+            });
+        }
+    }
+    return violations;
+}

package/dist/src/pipeline/stages/merge/conflictDetector.d.ts

@@ -4,6 +4,8 @@
  *
  * Detects:
  * - Runtime-unconfirmed: AST+TIA say covered, but IAST/DAST disagree
+ * - DAST-unreachable: DAST probed an endpoint but could not reach it
+ * - Undeclared-endpoint: DAST discovered endpoints not found by static analysis
  * - Stage disagreement: Two stages assign different types to the same node
  */
 import type { ConflictNode } from '../../types';

package/dist/src/pipeline/stages/merge/conflictDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"conflictDetector.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/conflictDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA2B,MAAM,aAAa,CAAC;AACzE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD;;GAEG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,sBAAsB,EAC7B,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,GACjC,YAAY,EAAE,CA0ChB"}
+{"version":3,"file":"conflictDetector.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/conflictDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA2B,MAAM,aAAa,CAAC;AACzE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD;;GAEG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,sBAAsB,EAC7B,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,GACjC,YAAY,EAAE,CAmGhB"}

package/dist/src/pipeline/stages/merge/conflictDetector.js

@@ -5,6 +5,8 @@
  *
  * Detects:
  * - Runtime-unconfirmed: AST+TIA say covered, but IAST/DAST disagree
+ * - DAST-unreachable: DAST probed an endpoint but could not reach it
+ * - Undeclared-endpoint: DAST discovered endpoints not found by static analysis
  * - Stage disagreement: Two stages assign different types to the same node
  */
 Object.defineProperty(exports, "__esModule", { value: true });
@@ -13,7 +15,7 @@ exports.detectConflicts = detectConflicts;
  * Detect conflicts across all stages.
  */
 function detectConflicts(graph, iastOutput, dastOutput) {
-    var _a, _b, _c, _d, _e;
+    var _a, _b, _c, _d, _e, _f, _g;
     const conflicts = [];
     // 1. Runtime-unconfirmed: endpoints that AST found but neither IAST nor DAST confirmed
     const endpointNodes = graph.getNodesByType('endpoint');
@@ -46,7 +48,57 @@ function detectConflicts(graph, iastOutput, dastOutput) {
             }
         }
     }
-    // 2. Stage disagreement: same node ID added by multiple stages with different types
+    // 2. DAST-unreachable: endpoints that DAST explicitly could not reach
+    if (dastOutput) {
+        for (const endpointId of dastUnreachable) {
+            const node = graph.getNode(endpointId);
+            const label = (_f = node === null || node === void 0 ? void 0 : node.label) !== null && _f !== void 0 ? _f : endpointId;
+            conflicts.push({
+                conflictId: `conflict:dast-unreachable:${endpointId}`,
+                nodeId: endpointId,
+                type: 'dast-unreachable',
+                stages: ['dast'],
+                stageOutputs: {
+                    dast: 'unreachable',
+                },
+                detail: `${label} was probed by DAST but could not be reached.`,
+                suggestedAction: 'Verify the endpoint is deployed and accessible. Check authentication requirements and network configuration for the DAST scanner.',
+                severity: 'warning',
+            });
+        }
+    }
+    // 3. Undeclared-endpoint: DAST discovered endpoints not found by static analysis
+    if (dastOutput) {
+        const staticEndpointIds = new Set(endpointNodes
+            .filter((n) => n.sourceStage !== 'dast')
+            .map((n) => n.id));
+        for (const result of dastOutput.results) {
+            if (!result.reachable)
+                continue;
+            const endpointPath = (_g = result.normalizedPath) !== null && _g !== void 0 ? _g : result.path;
+            const endpointId = `endpoint:${result.method.toUpperCase()}:${endpointPath}`;
+            if (!staticEndpointIds.has(endpointId)) {
+                // Avoid duplicate conflicts for the same endpoint
+                const conflictId = `conflict:undeclared-endpoint:${endpointId}`;
+                if (conflicts.some((c) => c.conflictId === conflictId))
+                    continue;
+                conflicts.push({
+                    conflictId,
+                    nodeId: endpointId,
+                    type: 'undeclared-endpoint',
+                    stages: ['dast'],
+                    stageOutputs: {
+                        dast: 'discovered',
+                        ast: 'not-declared',
+                    },
+                    detail: `${result.method.toUpperCase()} ${endpointPath} was discovered by DAST but not found by static analysis.`,
+                    suggestedAction: 'Review the endpoint source. It may be dynamically registered, generated by a framework, or missing from the scanned codebase.',
+                    severity: 'warning',
+                });
+            }
+        }
+    }
+    // 4. Stage disagreement: same node ID added by multiple stages with different types
     // (This is handled by the graph merge(), which already returns ConflictNode[])
     return conflicts;
 }

package/dist/src/pipeline/stages/merge/coverageMappingBuilder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"coverageMappingBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/coverageMappingBuilder.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,eAAe,EAMhB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAIhD;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,sBAAsB,EAC7B,SAAS,EAAE,SAAS,GAAG,SAAS,EAChC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,gBAAgB,EAAE,OAAO,GACxB,eAAe,EAAE,CAuJnB"}
+{"version":3,"file":"coverageMappingBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/merge/coverageMappingBuilder.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,eAAe,EAOhB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAoBhD;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,sBAAsB,EAC7B,SAAS,EAAE,SAAS,GAAG,SAAS,EAChC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,UAAU,EAAE,UAAU,GAAG,SAAS,EAClC,gBAAgB,EAAE,OAAO,GACxB,eAAe,EAAE,CAyNnB"}

package/dist/src/pipeline/stages/merge/coverageMappingBuilder.js

@@ -8,6 +8,22 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildCoverageMappings = buildCoverageMappings;
 const confidence_1 = require("../../confidence");
 const mergeRules_1 = require("./mergeRules");
+/** Rank test layers so deeper coverage layers win when comparing. */
+const TEST_LAYER_RANK = {
+    e2e: 6,
+    api: 5,
+    integration: 4,
+    component: 3,
+    unit: 2,
+    security: 1,
+    performance: 1,
+};
+function testLayerRank(layer) {
+    var _a;
+    if (!layer)
+        return 0;
+    return (_a = TEST_LAYER_RANK[layer]) !== null && _a !== void 0 ? _a : 0;
+}
 /**
  * Build coverage mappings for all endpoint-type nodes in the graph.
  */
@@ -59,9 +75,9 @@ function buildCoverageMappings(graph, tiaOutput, iastOutput, dastOutput, isStati
                 assertionConfirmed = true;
                 assertionSource = 'direct';
             }
-            // Check test layer
+            // Check test layer — only replace if the new layer has a higher rank
             const layer = testLayerLookup.get(testFilePath);
-            if (layer) {
+            if (layer && testLayerRank(layer) > testLayerRank(bestTestLayer)) {
                 bestTestLayer = layer;
             }
             // Check for mock boundaries on this test file
@@ -98,7 +114,7 @@ function buildCoverageMappings(graph, tiaOutput, iastOutput, dastOutput, isStati
         const pathNodeIds = [endpoint.id, ...linkedTests.map((t) => `file:${t}`)];
         const mockBoundaryOnPath = hasMockBoundary;
         // Build confidence evidence
-        const evidence = (0, confidence_1.buildConfidenceEvidence)(graph, pathNodeIds, isStaticOnlyMode);
+        const evidence = (0, confidence_1.buildConfidenceEvidence)(graph, pathNodeIds, isStaticOnlyMode, iastConfirmed.has(endpoint.id), dastConfirmed.has(endpoint.id));
         // Compute confidence
         const confidence = (0, confidence_1.computeConfidence)(evidence);
         // Determine coverage class
@@ -137,5 +153,53 @@ function buildCoverageMappings(graph, tiaOutput, iastOutput, dastOutput, isStati
             traversalDepth,
         });
     }
+    // ─── Secondary mappings: service, error-branch, repository ────────────────
+    const secondaryNodeTypes = [
+        { nodeType: 'service', itemType: 'service' },
+        { nodeType: 'exception-branch', itemType: 'error-branch' },
+        { nodeType: 'repository', itemType: 'repository' },
+    ];
+    for (const { nodeType, itemType } of secondaryNodeTypes) {
+        const nodes = graph.getNodesByType(nodeType);
+        for (const node of nodes) {
+            const incomingEdges = graph.getEdgesTo(node.id);
+            const testEdges = incomingEdges.filter((e) => e.type === 'tests' || e.type === 'asserts');
+            const linkedTests = [];
+            const sourceStages = new Set([node.sourceStage]);
+            let assertionConfirmed = false;
+            let assertionSource = 'unresolved';
+            for (const edge of testEdges) {
+                const testFilePath = edge.sourceNodeId.replace(/^file:/, '');
+                if (!linkedTests.includes(testFilePath)) {
+                    linkedTests.push(testFilePath);
+                }
+                sourceStages.add(edge.sourceStage);
+                if (edge.type === 'asserts') {
+                    assertionConfirmed = true;
+                    assertionSource = 'direct';
+                }
+            }
+            const pathNodeIds = [node.id, ...linkedTests.map((t) => `file:${t}`)];
+            const evidence = (0, confidence_1.buildConfidenceEvidence)(graph, pathNodeIds, isStaticOnlyMode, false, false);
+            const confidence = (0, confidence_1.computeConfidence)(evidence);
+            const coverageClass = linkedTests.length > 0 ? 'unit-covered' : 'uncovered';
+            mappings.push({
+                itemId: node.id,
+                itemType,
+                linkedTests,
+                sourceStages: Array.from(sourceStages),
+                confidence,
+                coverageClass,
+                mockBoundaries: [],
+                assertionSource,
+                assertionConfirmed,
+                dastReachable: 'not-probed',
+                runtimeConfirmed: false,
+                urlResolution: 'unresolved',
+                conflicts: [],
+                traversalDepth: 0,
+            });
+        }
+    }
     return mappings;
 }

package/dist/src/pipeline/stages/tia/mockBoundaryDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mockBoundaryDetector.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/tia/mockBoundaryDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAmEpD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,oBAAoB,EAAE,CA8CxB"}
+{"version":3,"file":"mockBoundaryDetector.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/tia/mockBoundaryDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAmEpD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,oBAAoB,EAAE,CAwDxB"}

package/dist/src/pipeline/stages/tia/mockBoundaryDetector.js

@@ -102,7 +102,14 @@ function detectMockBoundaries(filePath, content, language) {
             if (pattern.regex.test(line)) {
                 // Extract mocked target (heuristic: argument in parentheses)
                 const targetMatch = /[\(][\s]*['"`]?([a-zA-Z0-9_./@]+)['"`]?/.exec(line);
-                const mockedTarget = (_a = targetMatch === null || targetMatch === void 0 ? void 0 : targetMatch[1]) !== null && _a !== void 0 ? _a : 'unknown';
+                let mockedTarget = (_a = targetMatch === null || targetMatch === void 0 ? void 0 : targetMatch[1]) !== null && _a !== void 0 ? _a : 'unknown';
+                // Secondary extraction for Java/Kotlin annotation-style mocks (e.g. @Mock private UserService userService;)
+                if (mockedTarget === 'unknown') {
+                    const annotationTypeMatch = line.match(/(?:private|protected|public)?\s*(\w+)\s+\w+\s*;/);
+                    if (annotationTypeMatch) {
+                        mockedTarget = annotationTypeMatch[1];
+                    }
+                }
                 boundaries.push({
                     testFilePath: filePath,
                     mockingLibrary: pattern.library,

package/dist/src/pipeline/stages/tia/parameterizedTestExpander.js

@@ -102,9 +102,10 @@ function expandJavaKotlinParameterized(filePath, content) {
 }
 // ─── Jest Parameterized ─────────────────────────────────────────────────────
 function expandJestParameterized(filePath, content) {
-    var _a;
+    var _a, _b;
     const results = [];
     const lines = content.split('\n');
+    let lineStartOffset = 0;
     for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
         // test.each([...])('name', ...)
@@ -113,11 +114,13 @@ function expandJestParameterized(filePath, content) {
         const eachMatch = /(?:test|it|describe)\.each\s*\(\s*\[/.exec(line);
         if (eachMatch) {
             // Try to extract the array and count items
-            const arrayContent = extractBalancedBrackets(content, content.indexOf(eachMatch[0], i > 0 ? content.indexOf(lines[i]) : 0));
+            const matchOffset = lineStartOffset + ((_a = eachMatch.index) !== null && _a !== void 0 ? _a : 0);
+            const bracketStart = content.indexOf('[', matchOffset);
+            const arrayContent = extractBalancedBrackets(content, bracketStart);
             const variantCount = arrayContent ? countArrayElements(arrayContent) : 'unresolvable';
             // Extract test name from the next argument
-            const nameMatch = /\)\s*\(\s*['"`]([^'"`]+)['"`]/.exec(content.substring(content.indexOf(eachMatch[0])));
-            const testName = (_a = nameMatch === null || nameMatch === void 0 ? void 0 : nameMatch[1]) !== null && _a !== void 0 ? _a : 'parameterized test';
+            const nameMatch = /\)\s*\(\s*['"`]([^'"`]+)['"`]/.exec(content.substring(matchOffset));
+            const testName = (_b = nameMatch === null || nameMatch === void 0 ? void 0 : nameMatch[1]) !== null && _b !== void 0 ? _b : 'parameterized test';
             results.push({
                 testFilePath: filePath,
                 testName,
@@ -146,6 +149,7 @@ function expandJestParameterized(filePath, content) {
                 line: i + 1,
             });
         }
+        lineStartOffset += lines[i].length + 1; // +1 for newline
     }
     return results;
 }

package/dist/src/pipeline/stages/tia/testLayerClassifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testLayerClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/tia/testLayerClassifier.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AA8GlD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,GACf,kBAAkB,CA0DpB"}
+{"version":3,"file":"testLayerClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/tia/testLayerClassifier.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AA8GlD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,GACf,kBAAkB,CAqFpB"}