itworksbut 0.7.1 → 0.7.3

package/README.md

@@ -270,6 +270,6 @@ Each check is a plain ESM module with an `id`, metadata, and async `run(context)
 
 ## What It Does Not Guarantee
 
-ItWorksBut is a static heuristic scanner, not a pentest, SAST replacement, dependency vulnerability database, or runtime security monitor. Findings intentionally use wording such as "possible", "potential", and "appears to" when a check is heuristic.
+ItWorksBut is a static heuristic scanner. Findings intentionally use wording such as "possible", "potential", and "appears to" when a check is heuristic.
 
 Use it as a CI guardrail for common project hygiene and security mistakes. For production systems, combine it with code review, tests, dependency scanning, secrets scanning, threat modeling, and focused security assessment.

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "itworksbut",
-    "version": "0.7.1",
+    "version": "0.7.3",
     "description": "Static CI checks for common security, repo, dependency, build, and deployment risks in JavaScript vibe coding projects.",
     "type": "module",
     "bin": {

package/src/cli/terminal.js

@@ -1,95 +1,109 @@
-import boxen from "boxen";
-import chalk, { Chalk } from "chalk";
-import figlet from "figlet";
-import gradient from "gradient-string";
-import ora from "ora";
+import boxen from 'boxen';
+import chalk, { Chalk } from 'chalk';
+import figlet from 'figlet';
+import gradient from 'gradient-string';
+import ora from 'ora';
 
 const SPINNER_TEXT = {
-  git: "Checking git hygiene",
-  env: "Sniffing for secrets",
-  dependencies: "Interrogating package.json",
-  ci: "Inspecting CI rituals",
-  node: "Poking the Node.js backend",
-  web: "Looking for frontend footguns",
-  api: "Testing the API trust issues",
-  database: "Watching SQL strings misbehave",
-  electron: "Opening the Electron danger drawer",
-  tauri: "Reading Tauri permissions",
-  default: "Looking for things that work but should not ship"
+    git: 'Checking git hygiene',
+    env: 'Sniffing for secrets',
+    dependencies: 'Interrogating package.json',
+    ci: 'Inspecting CI rituals',
+    node: 'Poking the Node.js backend',
+    web: 'Looking for frontend footguns',
+    api: 'Testing the API trust issues',
+    database: 'Watching SQL strings misbehave',
+    electron: 'Opening the Electron danger drawer',
+    tauri: 'Reading Tauri permissions',
+    stress: 'Running controlled API stress test',
+    default: 'Looking for things that work but should not ship',
 };
 
 export function isFancyOutputEnabled(options = {}, env = process.env, stdout = process.stdout) {
-  return Boolean(stdout.isTTY) && !env.CI && !options.json && !options.sarif && !options.todo && !options.noColor;
+    return Boolean(stdout.isTTY) && !env.CI && !options.json && !options.sarif && !options.todo && !options.noColor;
 }
 
 export function isColorEnabled(options = {}, env = process.env, stdout = process.stdout) {
-  if (options.noColor || options.json || options.sarif || options.todo) return false;
-  if (env.FORCE_COLOR && env.FORCE_COLOR !== "0") return true;
-  if (env.CI) return false;
-  return Boolean(stdout.isTTY);
+    if (options.noColor || options.json || options.sarif || options.todo) return false;
+    if (env.FORCE_COLOR && env.FORCE_COLOR !== '0') return true;
+    if (env.CI) return false;
+    return Boolean(stdout.isTTY);
 }
 
 export function getChalk(options = {}) {
-  if (!isColorEnabled(options)) return new Chalk({ level: 0 });
-  return chalk;
+    if (!isColorEnabled(options)) return new Chalk({ level: 0 });
+    return chalk;
 }
 
 export function shouldUseSpinner(options = {}, env = process.env, stdout = process.stdout) {
-  return (
-    Boolean(stdout.isTTY) &&
-    !env.CI &&
-    !options.json &&
-    !options.sarif &&
-    !options.todo &&
-    !options.quiet
-  );
+    return Boolean(stdout.isTTY) && !env.CI && !options.json && !options.sarif && !options.todo && !options.quiet;
 }
 
 export function createScanSpinner(options = {}) {
-  if (!shouldUseSpinner(options)) return null;
-  return ora({
-    text: SPINNER_TEXT.default,
-    stream: process.stderr,
-    color: "cyan"
-  });
+    if (!shouldUseSpinner(options)) return null;
+    return ora({
+        text: SPINNER_TEXT.default,
+        stream: process.stderr,
+        color: 'cyan',
+    });
+}
+
+export function createStressSpinner(options = {}) {
+    if (!shouldUseSpinner(options)) return null;
+    return ora({
+        text: SPINNER_TEXT.stress,
+        stream: process.stderr,
+        color: 'cyan',
+    });
 }
 
 export function printIntro(options = {}) {
-  if (options.json || options.sarif || options.todo || options.noBanner || options.quiet || process.env.CI || !process.stdout.isTTY) {
-    return;
-  }
+    if (
+        options.json ||
+        options.sarif ||
+        options.todo ||
+        options.noBanner ||
+        options.quiet ||
+        process.env.CI ||
+        !process.stdout.isTTY
+    ) {
+        return;
+    }
 
-  const colors = getChalk(options);
-  const title = renderTitle(options.noColor);
-  const claim = `${colors.bold("AI-built? Nice.")}\n${colors.yellow("Now let's see what breaks before production.")}`;
+    const colors = getChalk(options);
+    const stress = options.command === 'stress';
+    const title = renderTitle('ItWorksBut', options.noColor);
+    const claim = stress
+        ? `${colors.bold('Controlled API stress test.')}\n${colors.yellow('Only run this against systems you own or are authorized to test.')}`
+        : `${colors.bold('AI-built? Nice.')}\n${colors.yellow("Now let's see what breaks before production.")}`;
 
-  process.stdout.write(`${title}\n`);
-  process.stdout.write(
-    `${boxen(claim, {
-      padding: 1,
-      margin: 1,
-      borderStyle: "round",
-      borderColor: options.noColor ? undefined : "cyan"
-    })}\n`
-  );
+    process.stdout.write(`${title}\n`);
+    process.stdout.write(
+        `${boxen(claim, {
+            padding: 1,
+            margin: 1,
+            borderStyle: 'round',
+            borderColor: options.noColor ? undefined : 'cyan',
+        })}\n`,
+    );
 }
 
-function renderTitle(noColor) {
-  let title = "ItWorksBut";
-  try {
-    title = figlet.textSync("ItWorksBut", {
-      font: "ANSI Shadow",
-      horizontalLayout: "default",
-      verticalLayout: "default"
-    });
-  } catch {
-    title = "ItWorksBut";
-  }
+function renderTitle(value, noColor) {
+    let title = value;
+    try {
+        title = figlet.textSync(value, {
+            font: 'ANSI Shadow',
+            horizontalLayout: 'default',
+            verticalLayout: 'default',
+        });
+    } catch {
+        title = 'ItWorksBut';
+    }
 
-  try {
-    if (noColor) return title;
-    return gradient.rainbow(title);
-  } catch {
-    return title;
-  }
+    try {
+        if (noColor) return title;
+        return gradient.rainbow(title);
+    } catch {
+        return title;
+    }
 }

package/src/commands/stress.js

@@ -6,16 +6,31 @@ import { runArtillery } from "../stress/artilleryRunner.js";
 import { parseArtilleryResult } from "../stress/stressResultParser.js";
 import { reportStressConsole } from "../stress/stressRenderer.js";
 import { writeStressMarkdownReport } from "../reporters/stressMarkdownReport.js";
+import { createStressSpinner, printIntro } from "../cli/terminal.js";
 
 export async function runStressCommand(args, options = {}) {
   if (args.todo || args.sarif) {
     throw new Error("The stress command supports console output, --json, and --report.");
   }
 
-  const result = await runStress({
+  const stressOptions = {
     rootPath: path.resolve(args.path || "."),
     ...validateStressOptions(args)
-  }, options);
+  };
+
+  printIntro(args);
+
+  const spinner = createStressSpinner(args);
+  if (spinner) spinner.start();
+
+  let result;
+  try {
+    result = await runStress(stressOptions, options);
+    if (spinner) spinner.succeed("Stress test complete. Now the pressure readings.");
+  } catch (error) {
+    if (spinner) spinner.fail("Stress test stopped before results were printed.");
+    throw error;
+  }
 
   if (args.json) {
     process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);

package/src/stress/discoverEndpoints.js

@@ -2,10 +2,21 @@ import path from "node:path";
 import { DEFAULT_IGNORE } from "../core/config.js";
 import { walkProject } from "../core/fileWalker.js";
 import { readFileSafe } from "../utils/fs.js";
+import { isServerOrApiFile } from "../checks/helpers.js";
 
-const HTTP_METHODS = ["get", "head", "post", "put", "patch", "delete"];
+const HTTP_METHODS = ["get", "head", "post", "put", "patch", "delete", "options"];
 const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
-const ROUTE_EXTENSIONS = new Set([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"]);
+const ROUTE_EXTENSIONS = new Set([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs", ".mts", ".cts"]);
+const API_HANDLER_EVIDENCE = [
+  /\b(?:req|request)\s*,\s*(?:res|response)\b/i,
+  /\b(?:res|response)\s*\.\s*(?:json|send|status|end|redirect|writeHead|setHeader)\s*\(/i,
+  /\b(?:ctx|context)\s*\.\s*(?:body|response|status|json)\b/i,
+  /\bNextResponse\s*\.\s*(?:json|redirect)\s*\(/,
+  /\b(?:new\s+Response|Response\.json)\s*\(/,
+  /\bdefineEventHandler\s*\(/,
+  /\bexport\s+(?:async\s+)?function\s+(?:GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)\b/,
+  /\bexport\s+(?:const|let|var)\s+(?:GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)\s*=/
+];
 const DISCOVERY_IGNORE = [
   ...DEFAULT_IGNORE,
   "test/**",
@@ -28,15 +39,23 @@ export async function discoverEndpoints(rootPath) {
 
 export async function discoverEndpointsFromFiles({ rootPath, files, readFile }) {
   const endpoints = [];
+  const fileContents = [];
 
   for (const file of files.filter(isSourceFile)) {
     const content = await readFile(file);
     if (content === null || content === undefined) continue;
+    fileContents.push({ file, content });
+  }
+
+  const mountPrefixes = collectMountPrefixes(fileContents);
 
-    endpoints.push(...discoverExpressEndpoints(file, content));
+  for (const { file, content } of fileContents) {
+    endpoints.push(...discoverExpressEndpoints(file, content, mountPrefixes));
+    endpoints.push(...discoverMountedRouterEndpoints(file, content, mountPrefixes));
+    endpoints.push(...discoverFastifyRouteObjects(file, content));
     endpoints.push(...discoverFetchReferences(file, content));
-    endpoints.push(...discoverNextAppRouterEndpoints(file, content));
-    endpoints.push(...discoverNextPagesRouterEndpoints(file, content));
+    endpoints.push(...discoverFileConventionEndpoints(file, content));
+    endpoints.push(...discoverApiCandidateFileEndpoints(file, content));
   }
 
   return classifyEndpoints(dedupeEndpoints(endpoints), rootPath);
@@ -50,7 +69,10 @@ export function classifyEndpoints(endpoints) {
     let status = "selected";
     let reason;
 
-    if (unsafe) {
+    if (method === "OPTIONS") {
+      status = "skipped";
+      reason = "unsupported method";
+    } else if (unsafe) {
       status = "skipped";
       reason = "unsafe method";
     } else if (dynamic) {
@@ -77,16 +99,60 @@ export function classifyEndpoints(endpoints) {
   };
 }
 
-function discoverExpressEndpoints(file, content) {
+function discoverExpressEndpoints(file, content, mountPrefixes = []) {
   const endpoints = [];
   const methods = HTTP_METHODS.join("|");
-  const regex = new RegExp(`\\b(?:app|router|server)\\s*\\.\\s*(${methods})\\s*\\(\\s*(['"\`])([^'"\`]+)\\2`, "gi");
+  const regex = new RegExp(`\\b([A-Za-z_$][\\w$]*)\\s*\\.\\s*(${methods})\\s*\\(\\s*(['"\`])([^'"\`]+)\\3`, "gi");
+  const receivers = collectRouteReceivers(content);
+  const mountedRouterFile = hasApplicableMount(file, mountPrefixes);
   let match;
 
   while ((match = regex.exec(content)) !== null) {
-    const routePath = normalizeRoutePath(match[3]);
+    if (!isRouteReceiver(match[1], receivers)) continue;
+    if (mountedRouterFile && isRouterReceiver(match[1], receivers)) continue;
+    const routePath = normalizeRoutePath(match[4]);
     if (!routePath) continue;
-    endpoints.push(endpoint(match[1], routePath, file, "express"));
+    endpoints.push(endpoint(match[2], routePath, file, "express"));
+  }
+
+  return endpoints;
+}
+
+function discoverMountedRouterEndpoints(file, content, mountPrefixes) {
+  const applicableMounts = mountPrefixes.filter((mount) => mountAppliesToFile(mount, file));
+  if (applicableMounts.length === 0) return [];
+
+  const endpoints = [];
+  const methods = HTTP_METHODS.join("|");
+  const regex = new RegExp(`\\b([A-Za-z_$][\\w$]*)\\s*\\.\\s*(${methods})\\s*\\(\\s*(['"\`])([^'"\`]+)\\3`, "gi");
+  const receivers = collectRouteReceivers(content);
+  let match;
+
+  while ((match = regex.exec(content)) !== null) {
+    if (!isRouterReceiver(match[1], receivers)) continue;
+    const routePath = normalizeRoutePath(match[4]);
+    if (!routePath || routePath.startsWith("/api")) continue;
+    for (const mount of applicableMounts) {
+      endpoints.push(endpoint(match[2], joinRoutePath(mount.prefix, routePath), file, "mounted-router"));
+    }
+  }
+
+  return endpoints;
+}
+
+function discoverFastifyRouteObjects(file, content) {
+  const endpoints = [];
+  const regex = /\bfastify\s*\.\s*route\s*\(\s*\{([\s\S]*?)\}\s*\)/gi;
+  let match;
+
+  while ((match = regex.exec(content)) !== null) {
+    const objectText = match[1];
+    const methodMatch = objectText.match(/\bmethod\s*:\s*(['"`])(GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)\1/i);
+    const urlMatch = objectText.match(/\b(?:url|path)\s*:\s*(['"`])([^'"`]+)\1/i);
+    if (!methodMatch || !urlMatch) continue;
+    const routePath = normalizeRoutePath(urlMatch[2]);
+    if (!routePath) continue;
+    endpoints.push(endpoint(methodMatch[2], routePath, file, "fastify-route-object"));
   }
 
   return endpoints;
@@ -106,12 +172,22 @@ function discoverFetchReferences(file, content) {
   return endpoints;
 }
 
+function discoverFileConventionEndpoints(file, content) {
+  return [
+    ...discoverNextAppRouterEndpoints(file, content),
+    ...discoverNextPagesRouterEndpoints(file, content),
+    ...discoverSvelteKitEndpoints(file, content),
+    ...discoverNitroEndpoints(file, content),
+    ...discoverAstroApiEndpoints(file, content)
+  ];
+}
+
 function discoverNextAppRouterEndpoints(file, content) {
   const normalized = normalizeFilePath(file);
-  const match = normalized.match(/(?:^|\/)(?:src\/)?app\/api\/(.+)\/route\.(?:js|jsx|ts|tsx|mjs|cjs)$/);
+  const match = normalized.match(/(?:^|\/)(?:src\/)?app\/(.+)\/route\.(?:js|jsx|ts|tsx|mjs|cjs|mts|cts)$/);
   if (!match) return [];
 
-  const routePath = normalizeRoutePath(`/api/${routeSegmentsToPath(match[1])}`);
+  const routePath = normalizeRoutePath(`/${routeSegmentsToPath(match[1])}`);
   const exportedMethods = discoverExportedRouteMethods(content);
   const methods = exportedMethods.length > 0 ? exportedMethods : ["GET"];
 
@@ -120,7 +196,7 @@ function discoverNextAppRouterEndpoints(file, content) {
 
 function discoverNextPagesRouterEndpoints(file, content) {
   const normalized = normalizeFilePath(file);
-  const match = normalized.match(/(?:^|\/)(?:src\/)?pages\/api\/(.+)\.(?:js|jsx|ts|tsx|mjs|cjs)$/);
+  const match = normalized.match(/(?:^|\/)(?:src\/)?pages\/api\/(.+)\.(?:js|jsx|ts|tsx|mjs|cjs|mts|cts)$/);
   if (!match) return [];
 
   const routePath = normalizeRoutePath(`/api/${routeSegmentsToPath(match[1])}`);
@@ -130,13 +206,67 @@ function discoverNextPagesRouterEndpoints(file, content) {
   return methods.map((method) => endpoint(method, routePath, file, "next-pages-router"));
 }
 
+function discoverSvelteKitEndpoints(file, content) {
+  const normalized = normalizeFilePath(file);
+  const match = normalized.match(/(?:^|\/)(?:src\/)?routes\/(.+)\/\+server\.(?:js|ts|mjs|cjs|mts|cts)$/);
+  if (!match) return [];
+
+  const routePath = normalizeRoutePath(`/${routeSegmentsToPath(match[1])}`);
+  const exportedMethods = discoverExportedRouteMethods(content);
+  const methods = exportedMethods.length > 0 ? exportedMethods : ["GET"];
+
+  return methods.map((method) => endpoint(method, routePath, file, "sveltekit-server-route"));
+}
+
+function discoverNitroEndpoints(file, content) {
+  const normalized = normalizeFilePath(file);
+  const match = normalized.match(/(?:^|\/)(?:src\/)?server\/api\/(.+?)(?:\.(get|head|post|put|patch|delete|options))?\.(?:js|ts|mjs|cjs|mts|cts)$/i);
+  if (!match) return [];
+
+  const routePath = normalizeRoutePath(`/api/${routeSegmentsToPath(match[1])}`);
+  const methods = match[2] ? [match[2].toUpperCase()] : discoverMethodGuards(content);
+
+  return (methods.length > 0 ? methods : ["GET"]).map((method) => endpoint(method, routePath, file, "nitro-server-api"));
+}
+
+function discoverAstroApiEndpoints(file, content) {
+  const normalized = normalizeFilePath(file);
+  const match = normalized.match(/(?:^|\/)(?:src\/)?pages\/api\/(.+)\.(?:js|ts|mjs|cjs|mts|cts)$/);
+  if (!match) return [];
+
+  const routePath = normalizeRoutePath(`/api/${routeSegmentsToPath(match[1])}`);
+  const exportedMethods = discoverExportedRouteMethods(content);
+  const methods = exportedMethods.length > 0 ? exportedMethods : ["GET"];
+
+  return methods.map((method) => endpoint(method, routePath, file, "astro-api-route"));
+}
+
+function discoverApiCandidateFileEndpoints(file, content) {
+  if (!isSastApiCandidate(file, content)) return [];
+  if (hasExplicitRouteDeclaration(content) || isFileConventionRoute(file)) return [];
+
+  const routePath = inferRoutePathFromFile(file);
+  if (!routePath) return [];
+
+  const methods = discoverExportedRouteMethods(content);
+  const guardedMethods = discoverMethodGuards(content);
+  const inferredMethods = methods.length > 0 ? methods : guardedMethods;
+
+  return (inferredMethods.length > 0 ? inferredMethods : ["GET"]).map((method) => endpoint(method, routePath, file, "sast-api-candidate"));
+}
+
 function discoverExportedRouteMethods(content) {
   const methods = new Set();
-  const regex = /\bexport\s+(?:async\s+)?function\s+(GET|HEAD|POST|PUT|PATCH|DELETE)\b/g;
-  let match;
-
-  while ((match = regex.exec(content)) !== null) {
-    methods.add(match[1]);
+  const regexes = [
+    /\bexport\s+(?:async\s+)?function\s+(GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)\b/g,
+    /\bexport\s+(?:const|let|var)\s+(GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)\s*=/g
+  ];
+
+  for (const regex of regexes) {
+    let match;
+    while ((match = regex.exec(content)) !== null) {
+      methods.add(match[1]);
+    }
   }
 
   return [...methods];
@@ -144,7 +274,7 @@ function discoverExportedRouteMethods(content) {
 
 function discoverMethodGuards(content) {
   const methods = new Set();
-  const regex = /\b(?:req|request)\.method\s*(?:===|!==|==|!=)\s*['"`](GET|HEAD|POST|PUT|PATCH|DELETE)['"`]/gi;
+  const regex = /\b(?:req|request)\.method\s*(?:===|!==|==|!=)\s*['"`](GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)['"`]/gi;
   let match;
 
   while ((match = regex.exec(content)) !== null) {
@@ -154,6 +284,131 @@ function discoverMethodGuards(content) {
   return [...methods];
 }
 
+function collectMountPrefixes(fileContents) {
+  const mounts = [];
+  const useRegex = /\b[A-Za-z_$][\w$]*\s*\.\s*use\s*\(\s*(['"`])([^'"`]+)\1\s*,\s*(?:([A-Za-z_$][\w$]*)\s*\(|([A-Za-z_$][\w$]*)\b|require\s*\(\s*(['"`])([^'"`]+)\5\s*\))/gi;
+  const registerRegex = /\b[A-Za-z_$][\w$]*\s*\.\s*register\s*\(\s*([A-Za-z_$][\w$]*)\b[\s\S]*?\bprefix\s*:\s*(['"`])([^'"`]+)\2/gi;
+
+  for (const { file, content } of fileContents) {
+    const localModuleBindings = collectLocalModuleBindings(file, content);
+    let match;
+
+    useRegex.lastIndex = 0;
+    while ((match = useRegex.exec(content)) !== null) {
+      const mount = createUseMount(match, localModuleBindings, file);
+      if (mount) mounts.push(mount);
+    }
+
+    registerRegex.lastIndex = 0;
+    while ((match = registerRegex.exec(content)) !== null) {
+      const mount = createNamedMount(match[3], match[1], localModuleBindings);
+      if (mount) mounts.push(mount);
+    }
+  }
+
+  return dedupeMounts(mounts);
+}
+
+function collectLocalModuleBindings(file, content) {
+  const bindings = new Map();
+  const destructuredRequireRegex = /\b(?:const|let|var)\s*\{\s*([^}]+)\s*\}\s*=\s*require\s*\(\s*(['"`])([^'"`]+)\2\s*\)/g;
+  const requireRegex = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*require\s*\(\s*(['"`])([^'"`]+)\2\s*\)/g;
+  const namedImportRegex = /\bimport\s*\{\s*([^}]+)\s*\}\s*from\s*(['"`])([^'"`]+)\2/g;
+  const defaultImportRegex = /\bimport\s+([A-Za-z_$][\w$]*)\s+from\s*(['"`])([^'"`]+)\2/g;
+  const namespaceImportRegex = /\bimport\s+\*\s+as\s+([A-Za-z_$][\w$]*)\s+from\s*(['"`])([^'"`]+)\2/g;
+
+  let match;
+  while ((match = destructuredRequireRegex.exec(content)) !== null) {
+    addNamedBindings(bindings, match[1], resolveLocalModuleFiles(file, match[3]));
+  }
+
+  while ((match = requireRegex.exec(content)) !== null) {
+    addBinding(bindings, match[1], resolveLocalModuleFiles(file, match[3]));
+  }
+
+  while ((match = namedImportRegex.exec(content)) !== null) {
+    addNamedBindings(bindings, match[1], resolveLocalModuleFiles(file, match[3]));
+  }
+
+  while ((match = defaultImportRegex.exec(content)) !== null) {
+    addBinding(bindings, match[1], resolveLocalModuleFiles(file, match[3]));
+  }
+
+  while ((match = namespaceImportRegex.exec(content)) !== null) {
+    addBinding(bindings, match[1], resolveLocalModuleFiles(file, match[3]));
+  }
+
+  return bindings;
+}
+
+function addNamedBindings(bindings, bindingList, targetFiles) {
+  for (const binding of bindingList.split(",")) {
+    const normalized = binding.trim();
+    if (!normalized) continue;
+    const localName = normalized.includes(" as ")
+      ? normalized.split(/\s+as\s+/).pop().trim()
+      : normalized.split(":").pop().trim();
+    addBinding(bindings, localName, targetFiles);
+  }
+}
+
+function addBinding(bindings, name, targetFiles) {
+  if (!name || targetFiles.length === 0) return;
+  bindings.set(name, targetFiles);
+}
+
+function createUseMount(match, localModuleBindings, file) {
+  const [, , rawPrefix, calledIdentifier, identifier, , requireSpecifier] = match;
+  const mountedName = calledIdentifier || identifier;
+  if (requireSpecifier) {
+    return createMount(rawPrefix, resolveLocalModuleFiles(file, requireSpecifier));
+  }
+  return createNamedMount(rawPrefix, mountedName, localModuleBindings, Boolean(calledIdentifier));
+}
+
+function createNamedMount(rawPrefix, mountedName, localModuleBindings, called = false) {
+  const prefix = normalizeRoutePath(rawPrefix);
+  if (!prefix || prefix === "/") return null;
+
+  const targetFiles = localModuleBindings.get(mountedName) || [];
+  if (targetFiles.length > 0) return { prefix, targetFiles };
+  if (!called && isRouterReceiver(mountedName)) return { prefix, targetFiles: [] };
+
+  return null;
+}
+
+function createMount(rawPrefix, targetFiles) {
+  const prefix = normalizeRoutePath(rawPrefix);
+  if (!prefix || prefix === "/" || targetFiles.length === 0) return null;
+  return { prefix, targetFiles };
+}
+
+function resolveLocalModuleFiles(file, specifier) {
+  if (!specifier || !specifier.startsWith(".")) return [];
+
+  const dirname = path.posix.dirname(normalizeFilePath(file));
+  const base = path.posix.normalize(path.posix.join(dirname, normalizeFilePath(specifier)));
+  if (ROUTE_EXTENSIONS.has(path.posix.extname(base))) return [base];
+
+  return [
+    ...[...ROUTE_EXTENSIONS].map((extension) => `${base}${extension}`),
+    ...[...ROUTE_EXTENSIONS].map((extension) => `${base}/index${extension}`)
+  ];
+}
+
+function dedupeMounts(mounts) {
+  const byKey = new Map();
+  for (const mount of mounts) {
+    const key = `${mount.prefix}|${mount.targetFiles.join(",")}`;
+    if (!byKey.has(key)) byKey.set(key, mount);
+  }
+  return [...byKey.values()].sort((a, b) => {
+    const byPrefix = a.prefix.localeCompare(b.prefix);
+    if (byPrefix !== 0) return byPrefix;
+    return a.targetFiles.join(",").localeCompare(b.targetFiles.join(","));
+  });
+}
+
 function endpoint(method, routePath, file, type) {
   return {
     method: method.toUpperCase(),
@@ -177,6 +432,113 @@ function isSourceFile(file) {
   return ROUTE_EXTENSIONS.has(path.extname(normalized));
 }
 
+function hasApplicableMount(file, mounts) {
+  return mounts.some((mount) => mountAppliesToFile(mount, file));
+}
+
+function mountAppliesToFile(mount, file) {
+  const normalized = normalizeFilePath(file);
+  if (mount.targetFiles.length > 0) return mount.targetFiles.includes(normalized);
+  return isLikelyRouterModulePath(normalized);
+}
+
+function isLikelyRouterModulePath(file) {
+  return (
+    file.startsWith("routes/") ||
+    file.startsWith("api/") ||
+    file.includes("/routes/") ||
+    file.includes("/api/")
+  );
+}
+
+function collectRouteReceivers(content) {
+  const all = new Set(["app", "server", "router", "apirouter", "routes", "route", "fastify"]);
+  const routers = new Set(["router", "apirouter", "routes", "route"]);
+  const expressAppRegex = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:express|fastify)\s*\(/g;
+  const expressRouterRegex = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:express\s*\.\s*Router|Router)\s*\(/g;
+
+  let match;
+  while ((match = expressAppRegex.exec(content)) !== null) {
+    all.add(match[1].toLowerCase());
+  }
+
+  while ((match = expressRouterRegex.exec(content)) !== null) {
+    all.add(match[1].toLowerCase());
+    routers.add(match[1].toLowerCase());
+  }
+
+  return { all, routers };
+}
+
+function isRouteReceiver(value, receivers = collectRouteReceivers("")) {
+  const normalized = String(value || "").toLowerCase();
+  return receivers.all.has(normalized) || normalized.endsWith("router") || normalized.endsWith("server");
+}
+
+function isRouterReceiver(value, receivers = collectRouteReceivers("")) {
+  const normalized = String(value || "").toLowerCase();
+  return receivers.routers.has(normalized) || normalized.endsWith("router");
+}
+
+function isSastApiCandidate(file, content) {
+  const normalized = normalizeFilePath(file);
+  if (hasVendoredPathSegment(normalized)) return false;
+
+  return (
+    isServerOrApiFile(normalized) ||
+    normalized.startsWith("api/") ||
+    normalized.startsWith("routes/") ||
+    normalized.startsWith("handlers/") ||
+    normalized.startsWith("controllers/") ||
+    normalized.includes("/handlers/") ||
+    normalized.includes("/controllers/")
+  ) && hasApiHandlerEvidence(content);
+}
+
+function hasApiHandlerEvidence(content) {
+  return API_HANDLER_EVIDENCE.some((regex) => regex.test(content));
+}
+
+function hasVendoredPathSegment(file) {
+  return /(?:^|\/)(?:vendor|vendors|third_party|third-party)\//i.test(file);
+}
+
+function hasExplicitRouteDeclaration(content) {
+  const methods = HTTP_METHODS.join("|");
+  return new RegExp(`\\b[A-Za-z_$][\\w$]*\\s*\\.\\s*(?:${methods}|route)\\s*\\(`, "i").test(content);
+}
+
+function isFileConventionRoute(file) {
+  const normalized = normalizeFilePath(file);
+  return (
+    /(?:^|\/)(?:src\/)?app\/.+\/route\./.test(normalized) ||
+    /(?:^|\/)(?:src\/)?pages\/api\/.+\./.test(normalized) ||
+    /(?:^|\/)(?:src\/)?routes\/.+\/\+server\./.test(normalized) ||
+    /(?:^|\/)(?:src\/)?server\/api\/.+\./.test(normalized)
+  );
+}
+
+function inferRoutePathFromFile(file) {
+  const normalized = normalizeFilePath(file);
+  const withoutExtension = normalized.replace(/\.(?:js|jsx|ts|tsx|mjs|cjs|mts|cts)$/, "");
+  const patterns = [
+    { regex: /(?:^|\/)(?:src\/)?api\/(.+)$/, prefix: "/api/" },
+    { regex: /(?:^|\/)(?:src\/)?server\/api\/(.+)$/, prefix: "/api/" },
+    { regex: /(?:^|\/)(?:src\/)?routes\/(.+)$/, prefix: "/" },
+    { regex: /(?:^|\/)(?:src\/)?server\/routes\/(.+)$/, prefix: "/" },
+    { regex: /(?:^|\/)(?:src\/)?handlers\/(.+)$/, prefix: "/" },
+    { regex: /(?:^|\/)(?:src\/)?controllers\/(.+)$/, prefix: "/" }
+  ];
+
+  for (const { regex, prefix } of patterns) {
+    const match = withoutExtension.match(regex);
+    if (!match) continue;
+    return normalizeRoutePath(`${prefix}${routeSegmentsToPath(match[1])}`);
+  }
+
+  return null;
+}
+
 function normalizeFilePath(file) {
   return String(file).replace(/\\/g, "/");
 }
@@ -187,11 +549,17 @@ function normalizeRoutePath(value) {
   return pathValue.replace(/\/+/g, "/").replace(/\/$/, "") || "/";
 }
 
+function joinRoutePath(prefix, routePath) {
+  return normalizeRoutePath(`${prefix}/${routePath.replace(/^\//, "")}`);
+}
+
 function routeSegmentsToPath(value) {
   return value
     .split("/")
     .filter(Boolean)
-    .map((segment) => segment.replace(/^\[(\.\.\.)?(.+)]$/, ":$2"))
+    .filter((segment) => !segment.startsWith("(") && !segment.startsWith("@") && !segment.startsWith("_"))
+    .map((segment) => segment.replace(/^\[\[?\.\.\.(.+)]]?$/, ":$1").replace(/^\[(.+)]$/, ":$1"))
+    .filter((segment) => segment !== "index")
     .join("/");
 }
 

package/src/stress/stressRenderer.js

@@ -1,80 +1,94 @@
-import { getChalk } from "../cli/terminal.js";
+import { getChalk, isFancyOutputEnabled } from '../cli/terminal.js';
 
 export function reportStressConsole(result, options = {}) {
-  const colors = getChalk(options);
-  const details = result.details || {};
+    const colors = getChalk(options);
+    const details = result.details || {};
+    const rich = isFancyOutputEnabled(options);
 
-  if (!options.quiet) {
-    process.stdout.write(`${colors.bold("ItWorksBut Stress")}\n\n`);
-    process.stdout.write("Only run this against systems you own or are explicitly authorized to test.\n\n");
-    process.stdout.write(`Target: ${details.target}\n`);
-    process.stdout.write(`Duration: ${details.duration}s\n`);
-    process.stdout.write(`Arrival rate: ${details.arrivalRate} req/s\n`);
-    process.stdout.write(`Max virtual users: ${details.maxVusers}\n\n`);
+    if (!options.quiet) {
+        if (!rich) process.stdout.write(`${colors.bold('ItWorksBut Stress')}\n\n`);
+        process.stdout.write('Only run this against systems you own or are explicitly authorized to test.\n\n');
+        process.stdout.write(`Target: ${details.target}\n`);
+        process.stdout.write(`Duration: ${details.duration}s\n`);
+        process.stdout.write(`Arrival rate: ${details.arrivalRate} req/s\n`);
+        process.stdout.write(`Max virtual users: ${details.maxVusers}\n\n`);
 
-    writeDiscovery(details, colors);
-    writeEndpoints(details, colors);
-  }
+        writeDiscovery(details, colors);
+        writeEndpoints(details, colors);
+    }
 
-  writeSummary(result, colors);
+    writeSummary(result, colors);
 }
 
 function writeDiscovery(details, colors) {
-  const found = details.endpointsFound || 0;
-  const safe = details.safeEndpoints || 0;
-  const skipped = details.skippedEndpoints?.length || 0;
-  const unsafe = details.skippedEndpoints?.filter((endpoint) => endpoint.reason === "unsafe method").length || 0;
-  const dynamic = details.skippedEndpoints?.filter((endpoint) => endpoint.reason === "dynamic route requires parameter").length || 0;
+    const found = details.endpointsFound || 0;
+    const safe = details.safeEndpoints || 0;
+    const skipped = details.skippedEndpoints?.length || 0;
+    const unsafe = details.skippedEndpoints?.filter(endpoint => endpoint.reason === 'unsafe method').length || 0;
+    const dynamic =
+        details.skippedEndpoints?.filter(endpoint => endpoint.reason === 'dynamic route requires parameter').length ||
+        0;
 
-  process.stdout.write(`${colors.green("✓")} Endpoint discovery: ${found} ${found === 1 ? "endpoint" : "endpoints"} found\n`);
-  process.stdout.write(`${colors.green("✓")} Safe endpoints: ${safe} GET/HEAD ${safe === 1 ? "endpoint" : "endpoints"} selected\n`);
-  if (skipped > 0) {
-    process.stdout.write(`- Skipped: ${unsafe} unsafe methods, ${dynamic} dynamic routes\n`);
-  }
-  process.stdout.write("\n");
+    process.stdout.write(
+        `${colors.green('✓')} Endpoint discovery: ${found} ${found === 1 ? 'endpoint' : 'endpoints'} found\n`,
+    );
+    process.stdout.write(
+        `${colors.green('✓')} Safe endpoints: ${safe} GET/HEAD ${safe === 1 ? 'endpoint' : 'endpoints'} selected\n`,
+    );
+    if (skipped > 0) {
+        process.stdout.write(`- Skipped: ${unsafe} unsafe methods, ${dynamic} dynamic routes\n`);
+    }
+    process.stdout.write('\n');
 }
 
 function writeEndpoints(details, colors) {
-  const testedEndpoints = details.testedEndpoints || [];
-  if (testedEndpoints.length === 0) {
-    process.stdout.write("Running Artillery: skipped\n\n");
-    return;
-  }
+    const testedEndpoints = details.testedEndpoints || [];
+    if (testedEndpoints.length === 0) {
+        process.stdout.write('Running Artillery: skipped\n\n');
+        return;
+    }
 
-  process.stdout.write("Running Artillery: complete\n\n");
-  for (const endpoint of testedEndpoints) {
-    const symbol = endpoint.status === "pass" ? colors.green("✓") : endpoint.status === "warn" ? colors.yellow("⚠") : colors.red("✕");
-    process.stdout.write(`${symbol} ${endpoint.method} ${endpoint.path}\n`);
-    process.stdout.write(`  p95: ${formatMs(endpoint.p95)}\n`);
-    process.stdout.write(`  p99: ${formatMs(endpoint.p99)}\n`);
-    process.stdout.write(`  errors: ${endpoint.errors}\n`);
-    process.stdout.write(`  error rate: ${formatPercent(endpoint.errorRate)}\n\n`);
-  }
+    process.stdout.write('Running Artillery: complete\n\n');
+    for (const endpoint of testedEndpoints) {
+        const symbol =
+            endpoint.status === 'pass'
+                ? colors.green('✓')
+                : endpoint.status === 'warn'
+                  ? colors.yellow('⚠')
+                  : colors.red('✕');
+        process.stdout.write(`${symbol} ${endpoint.method} ${endpoint.path}\n`);
+        process.stdout.write(`  p95: ${formatMs(endpoint.p95)}\n`);
+        process.stdout.write(`  p99: ${formatMs(endpoint.p99)}\n`);
+        process.stdout.write(`  errors: ${endpoint.errors}\n`);
+        process.stdout.write(`  error rate: ${formatPercent(endpoint.errorRate)}\n\n`);
+    }
 }
 
 function writeSummary(result, colors) {
-  const details = result.details || {};
-  const warnings = details.warnings || 0;
-  const failed = details.failed || 0;
-  const tested = details.testedEndpoints?.length || 0;
-  const skipped = details.skippedEndpoints?.length || 0;
+    const details = result.details || {};
+    const warnings = details.warnings || 0;
+    const failed = details.failed || 0;
+    const tested = details.testedEndpoints?.length || 0;
+    const skipped = details.skippedEndpoints?.length || 0;
 
-  process.stdout.write("Summary:\n");
-  process.stdout.write(`${colors.green("✓")} Tested endpoints: ${tested}\n`);
-  process.stdout.write(`${colors.yellow("⚠")} Warnings: ${warnings}\n`);
-  process.stdout.write(`${colors.red("✕")} Failed: ${failed}\n`);
-  process.stdout.write(`- Skipped: ${skipped}\n`);
-  process.stdout.write(`- Status: ${result.status}\n`);
-  process.stdout.write(`- ${result.summary}\n`);
-  if (details.artilleryError) {
-    process.stdout.write(`- Artillery error: ${details.artilleryError}\n`);
-  }
+    process.stdout.write('Summary:\n');
+    process.stdout.write(`${colors.green('✓')} Tested endpoints: ${tested}\n`);
+    process.stdout.write(`${colors.yellow('⚠')} Warnings: ${warnings}\n`);
+    process.stdout.write(`${colors.red('✕')} Failed: ${failed}\n`);
+    process.stdout.write(`- Skipped: ${skipped}\n`);
+    process.stdout.write(`- Status: ${result.status}\n`);
+    process.stdout.write(`- ${result.summary}\n`);
+    if (details.artilleryError) {
+        process.stdout.write(`- Artillery error: ${details.artilleryError}\n`);
+    }
 }
 
 function formatMs(value) {
-  return value === null || value === undefined ? "n/a" : `${Math.round(value)} ms`;
+    return value === null || value === undefined ? 'n/a' : `${Math.round(value)} ms`;
 }
 
 function formatPercent(value) {
-  return `${Number(value || 0).toFixed(Number.isInteger(value) ? 0 : 2).replace(/\.00$/, "")}%`;
+    return `${Number(value || 0)
+        .toFixed(Number.isInteger(value) ? 0 : 2)
+        .replace(/\.00$/, '')}%`;
 }

package/src/utils/targetSafety.js

@@ -1,100 +1,99 @@
-const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "0.0.0.0"]);
+const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '0.0.0.0']);
 
 export const STRESS_DEFAULTS = {
-  target: "http://localhost:3000",
-  duration: 30,
-  arrivalRate: 5,
-  maxVusers: 50
+    target: 'http://localhost:3000',
+    duration: 30,
+    arrivalRate: 50,
+    maxVusers: 200,
 };
-
 export const STRESS_LIMITS = {
-  duration: 300,
-  arrivalRate: 50,
-  maxVusers: 100
+    duration: 300,
+    arrivalRate: 100,
+    maxVusers: 400,
 };
 
 export function validateStressOptions(args = {}) {
-  const target = normalizeTarget(args.target || STRESS_DEFAULTS.target);
-  const parsedTarget = new URL(target);
-  const targetPath = getExplicitTargetPath(parsedTarget);
-  const duration = parsePositiveNumber(args.duration, STRESS_DEFAULTS.duration, "duration");
-  const arrivalRate = parsePositiveNumber(args.arrivalRate, STRESS_DEFAULTS.arrivalRate, "arrival-rate");
-  const maxVusers = parsePositiveInteger(args.maxVusers, STRESS_DEFAULTS.maxVusers, "max-vusers");
+    const target = normalizeTarget(args.target || STRESS_DEFAULTS.target);
+    const parsedTarget = new URL(target);
+    const targetPath = getExplicitTargetPath(parsedTarget);
+    const duration = parsePositiveNumber(args.duration, STRESS_DEFAULTS.duration, 'duration');
+    const arrivalRate = parsePositiveNumber(args.arrivalRate, STRESS_DEFAULTS.arrivalRate, 'arrival-rate');
+    const maxVusers = parsePositiveInteger(args.maxVusers, STRESS_DEFAULTS.maxVusers, 'max-vusers');
 
-  assertWithinLimit(duration, STRESS_LIMITS.duration, "duration", "seconds");
-  assertWithinLimit(arrivalRate, STRESS_LIMITS.arrivalRate, "arrival-rate", "requests/second");
-  assertWithinLimit(maxVusers, STRESS_LIMITS.maxVusers, "max-vusers", "virtual users");
+    assertWithinLimit(duration, STRESS_LIMITS.duration, 'duration', 'seconds');
+    assertWithinLimit(arrivalRate, STRESS_LIMITS.arrivalRate, 'arrival-rate', 'requests/second');
+    assertWithinLimit(maxVusers, STRESS_LIMITS.maxVusers, 'max-vusers', 'virtual users');
 
-  const local = isLocalTarget(target);
-  if (!local && !args.iOwnThis) {
-    throw new Error(
-      "Refusing to stress-test an external target without --i-own-this. Only run this against systems you own or are explicitly authorized to test."
-    );
-  }
+    const local = isLocalTarget(target);
+    if (!local && !args.iOwnThis) {
+        throw new Error(
+            'Refusing to stress-test an external target without --i-own-this. Only run this against systems you own or are explicitly authorized to test.',
+        );
+    }
 
-  return {
-    target,
-    artilleryTarget: targetPath ? parsedTarget.origin : target,
-    targetPath,
-    duration,
-    arrivalRate,
-    maxVusers,
-    iOwnThis: Boolean(args.iOwnThis),
-    local
-  };
+    return {
+        target,
+        artilleryTarget: targetPath ? parsedTarget.origin : target,
+        targetPath,
+        duration,
+        arrivalRate,
+        maxVusers,
+        iOwnThis: Boolean(args.iOwnThis),
+        local,
+    };
 }
 
 export function isLocalTarget(target) {
-  let parsed;
-  try {
-    parsed = new URL(target);
-  } catch {
-    return false;
-  }
+    let parsed;
+    try {
+        parsed = new URL(target);
+    } catch {
+        return false;
+    }
 
-  return LOCAL_HOSTS.has(parsed.hostname.toLowerCase());
+    return LOCAL_HOSTS.has(parsed.hostname.toLowerCase());
 }
 
 function normalizeTarget(value) {
-  let parsed;
-  try {
-    parsed = new URL(value);
-  } catch {
-    throw new Error(`Invalid stress target URL: ${value}`);
-  }
+    let parsed;
+    try {
+        parsed = new URL(value);
+    } catch {
+        throw new Error(`Invalid stress target URL: ${value}`);
+    }
 
-  if (!["http:", "https:"].includes(parsed.protocol)) {
-    throw new Error("Stress target must use http:// or https://.");
-  }
+    if (!['http:', 'https:'].includes(parsed.protocol)) {
+        throw new Error('Stress target must use http:// or https://.');
+    }
 
-  return parsed.toString().replace(/\/$/, "");
+    return parsed.toString().replace(/\/$/, '');
 }
 
 function getExplicitTargetPath(parsed) {
-  const pathname = parsed.pathname.replace(/\/$/, "") || "/";
-  if (pathname === "/" && !parsed.search) return null;
-  return `${pathname}${parsed.search}`;
+    const pathname = parsed.pathname.replace(/\/$/, '') || '/';
+    if (pathname === '/' && !parsed.search) return null;
+    return `${pathname}${parsed.search}`;
 }
 
 function parsePositiveNumber(value, fallback, label) {
-  if (value === undefined || value === null || value === "") return fallback;
-  const number = Number(value);
-  if (!Number.isFinite(number) || number <= 0) {
-    throw new Error(`Invalid --${label}: expected a positive number.`);
-  }
-  return number;
+    if (value === undefined || value === null || value === '') return fallback;
+    const number = Number(value);
+    if (!Number.isFinite(number) || number <= 0) {
+        throw new Error(`Invalid --${label}: expected a positive number.`);
+    }
+    return number;
 }
 
 function parsePositiveInteger(value, fallback, label) {
-  const number = parsePositiveNumber(value, fallback, label);
-  if (!Number.isInteger(number)) {
-    throw new Error(`Invalid --${label}: expected a positive integer.`);
-  }
-  return number;
+    const number = parsePositiveNumber(value, fallback, label);
+    if (!Number.isInteger(number)) {
+        throw new Error(`Invalid --${label}: expected a positive integer.`);
+    }
+    return number;
 }
 
 function assertWithinLimit(value, limit, label, unit) {
-  if (value > limit) {
-    throw new Error(`Refusing --${label} ${value}. Maximum allowed is ${limit} ${unit}.`);
-  }
+    if (value > limit) {
+        throw new Error(`Refusing --${label} ${value}. Maximum allowed is ${limit} ${unit}.`);
+    }
 }