websec-validator 0.2.4__tar.gz → 0.2.5__tar.gz

{websec_validator-0.2.4/src/websec_validator.egg-info → websec_validator-0.2.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.4
+Version: 0.2.5
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.4 → websec_validator-0.2.5}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "websec-validator"
-version = "0.2.4"
+version = "0.2.5"
 description = "Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app."
 readme = "README.md"
 requires-python = ">=3.11"

{websec_validator-0.2.4 → websec_validator-0.2.5}/src/websec_validator/cli.py

@@ -103,9 +103,16 @@ def cmd_run(args) -> int:
         for r in scan_results:
             tag = r.get("findings", r.get("status", "?"))
             print(f"    {r['name']}: {tag}")
-        unified = scanners.normalize_findings(scan_results, out)
+        unified = scanners.normalize_findings(scan_results, out, target=target)
         print(f"  → {unified['total']} de-duplicated findings "
               f"({unified['cross_tool_or_dup_merged']} merged) · {unified['by_severity']}")
+        _hyg = []
+        if unified.get('contamination_dropped'):
+            _hyg.append(f"{unified['contamination_dropped']} dropped (skip-dir contamination)")
+        if unified.get('local_only_downgraded'):
+            _hyg.append(f"{unified['local_only_downgraded']} downgraded (gitignored/local-only secret)")
+        if _hyg:
+            print(f"    hygiene: {' · '.join(_hyg)}")
     else:
         print(f"\n  scanners available: {', '.join(s['name'] for s in det['available']) or 'none'}"
               "  (add --scan to execute them)")
@@ -162,6 +169,12 @@ def cmd_dynamic(args) -> int:
         for r in u["results"]:
             mark = "🔓" if r["verdict"] == "OPEN-no-auth" else (" ·" if r["verdict"] == "protected" else "  ")
             print(f"    {mark} {str(r['status']):>4}  {r['verdict']:26} {r['path']}")
+        ftb = dyn.get("forged_token_bypass", {})
+        if ftb:
+            print(f"\n  forged-token (unverified-signature) → {ftb['summary']}")
+            for r in ftb.get("results", []):
+                if r["verdict"] == "BYPASS":
+                    print(f"    🚨 BYPASS  {r['baseline']}→{r['forged']}  {r['method']} {r['path']}  (via {r['via']})")
         if args.probe_writes:
             w = dyn["write_auth_enforcement"]
             print(f"\n  write-verb auth enforcement → {w['summary']}")

{websec_validator-0.2.4 → websec_validator-0.2.5}/src/websec_validator/dynamic.py

@@ -37,10 +37,13 @@ def _dig(d: dict, dotted: str):
     return cur
 
 
-def _request(method: str, url: str, token: str | None, timeout: int = 20, data: bytes | None = None):
+def _request(method: str, url: str, token: str | None, timeout: int = 20,
+             data: bytes | None = None, cookie: str | None = None):
     headers = {"Accept": "application/json"}
     if token:
         headers["Authorization"] = f"Bearer {token}"
+    if cookie:
+        headers["Cookie"] = cookie
     if data is not None:
         headers["Content-Type"] = "application/json"
     req = urllib.request.Request(url, method=method, headers=headers, data=data)
@@ -254,9 +257,89 @@ def write_auth_enforcement(target: str, facts: dict, max_endpoints: int = 80) ->
     }
 
 
+# Codes that mean "the request reached the handler/validation" — i.e. auth PASSED. Used to
+# judge a forged-token attempt. Deliberately EXCLUDES 401/403 (blocked), 429 (rate-limited —
+# would otherwise be a false bypass), 5xx and 000/None (ambiguous/transport). A gated route
+# (401/403 with no token) that returns one of these WITH a forged token = signature not verified.
+_REACHED_HANDLER = {200, 201, 202, 203, 204, 206, 400, 404, 405, 409, 413, 415, 422}
+
+
+def _forge_jwt(payload: dict, alg: str = "RS256") -> str:
+    """A structurally-valid JWT with a DELIBERATELY INVALID signature (no real key). The whole
+    point is to see whether the target verifies the signature at all — a correct verifier
+    rejects this outright; a decode-only auth path (the decodeJwtPayloadUnsafe class) trusts it."""
+    import base64
+
+    def b(o):
+        return base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
+    sig = "" if alg == "none" else "d2Vic2VjLWZvcmdlZC1zaWc"  # 'websec-forged-sig' — not a real signature
+    return ".".join([b({"alg": alg, "typ": "JWT", "kid": "forged"}), b(payload), sig])
+
+
+def forged_token_bypass(target: str, facts: dict, cookie_names=None,
+                        probe_writes: bool = False, max_endpoints: int = 60) -> dict:
+    """Does the app actually VERIFY JWT signatures? Forge a token with a far-future `exp` and a
+    BOGUS signature, present it to each route that is GATED without auth, and compare. A route
+    that answers 401/403 with NO token but REACHES THE HANDLER with the forged token is trusting
+    an unverified token = authentication bypass (CWE-347 / OWASP API2:2023) — the dynamic verdict
+    on the `decodeJwtPayloadUnsafe`/`jwt.decode(verify=False)` hypothesis.
+
+    GET reads by default (read-safe); write verbs (empty body, dummy ids — non-destructive) only
+    when `probe_writes`. Tries `Authorization: Bearer` (universal) plus any `cookie_names` given,
+    since apps read tokens from different locations. 429/5xx are treated as inconclusive, never
+    a bypass, so an aggressive rate limiter can't manufacture a false positive."""
+    forged = _forge_jwt({"sub": "websec-forged", "email": "websec-forged@example.com",
+                         "role": "admin", "roles": ["admin"], "exp": 9999999999})
+    cookie_names = list(cookie_names or [])
+
+    targets = [("GET", e.get("path", "")) for e in (facts.get("routes") or {}).get("endpoints", [])
+               if e.get("method") == "GET" and "{" not in e.get("path", "")
+               and not SIDE_EFFECTING.search(e.get("path", ""))]
+    if probe_writes:
+        targets += [(e.get("method"), e.get("path", "")) for e in (facts.get("routes") or {}).get("endpoints", [])
+                    if e.get("method") in WRITE_VERBS and "{" not in e.get("path", "")
+                    and not SIDE_EFFECTING.search(e.get("path", ""))]
+    targets = sorted(set(targets))[:max_endpoints]
+
+    results, bypassed = [], []
+    for method, path in targets:
+        url = target + path
+        body = b"{}" if method in WRITE_VERBS else None
+        base_code, _ = _request(method, url, token=None, data=body)
+        if base_code not in (401, 403):
+            continue  # only routes that are gated WITHOUT auth tell us anything about forgery
+        attempts = [("Authorization: Bearer", _request(method, url, token=forged, data=body)[0])]
+        for cn in cookie_names:
+            attempts.append((f"cookie:{cn}", _request(method, url, token=None, data=body, cookie=f"{cn}={forged}")[0]))
+        hit = next(((via, code) for via, code in attempts if code in _REACHED_HANDLER), None)
+        if hit:
+            via, fcode = hit
+            row = {"method": method, "path": path, "baseline": base_code, "forged": fcode,
+                   "via": via, "verdict": "BYPASS"}
+            bypassed.append(row)
+        else:
+            row = {"method": method, "path": path, "baseline": base_code,
+                   "forged": attempts[0][1], "via": "Authorization: Bearer", "verdict": "rejected"}
+        results.append(row)
+
+    return {
+        "target": target,
+        "mode": "present an UNSIGNED/bogus-sig JWT (far-future exp) to each gated route; "
+                "reached-handler = signature not verified",
+        "token_locations": ["Authorization: Bearer"] + [f"cookie:{c}" for c in cookie_names],
+        "tested": len(results),
+        "bypassed": bypassed,
+        "results": results,
+        "summary": f"{len(bypassed)}/{len(results)} gated route(s) accepted a forged unsigned token"
+                   + (" — ⚠ SIGNATURE NOT VERIFIED (CWE-347 auth bypass)" if bypassed
+                      else " — all rejected the forged token"),
+    }
+
+
 def run_unauth(target: str, facts_path: Path, outdir: Path, probe_writes: bool = False) -> dict:
     facts = json.loads(Path(facts_path).read_text())
-    res = {"unauth_reachability": unauth_reachability(target, facts)}
+    res = {"unauth_reachability": unauth_reachability(target, facts),
+           "forged_token_bypass": forged_token_bypass(target, facts, probe_writes=probe_writes)}
     if probe_writes:
         res["write_auth_enforcement"] = write_auth_enforcement(target, facts)
     outdir.mkdir(parents=True, exist_ok=True)

{websec_validator-0.2.4 → websec_validator-0.2.5}/src/websec_validator/extractors/routes.py

@@ -25,7 +25,18 @@ import subprocess
 import tempfile
 from pathlib import Path
 
-from .base import Extractor, RepoContext
+from .base import SKIP_DIRS, Extractor, RepoContext
+
+# Noir is a subprocess that scans the raw tree — it does NOT know the walker's SKIP_DIRS,
+# so without this it grinds through (and emits routes from) build output (.next, cdk.out,
+# dist), dependencies (node_modules, vendor), and NESTED WORKTREES (.claude/worktrees — a
+# full copy of the repo → doubled routes). Pass the skip dirs as exclude globs (perf) AND
+# post-filter Noir's output by code_path (the correctness guarantee).
+_NOIR_SKIP_GLOBS = ",".join(f"**/{d}/**" for d in sorted(SKIP_DIRS))
+
+
+def _in_skip_dir(code_path: str) -> bool:
+    return any(part in SKIP_DIRS for part in (code_path or "").replace("\\", "/").split("/"))
 
 WRITE_VERBS = {"POST", "PUT", "PATCH", "DELETE"}
 EXCLUDE_GLOBS = "*.test.ts,*.test.tsx,*.spec.ts,*.test.js,*.spec.js,*_test.go,*_test.py,test_*.py,*.stories.tsx"
@@ -71,7 +82,7 @@ def _noir_scan(root: Path, extra_excludes: list | None = None) -> list | None:
     """Run Noir → list of endpoint dicts, or None if Noir unavailable/failed."""
     if not shutil.which("noir"):
         return None
-    excl = EXCLUDE_GLOBS + ("," + ",".join(extra_excludes) if extra_excludes else "")
+    excl = ",".join([EXCLUDE_GLOBS, _NOIR_SKIP_GLOBS] + (list(extra_excludes) if extra_excludes else []))
     with tempfile.NamedTemporaryFile(suffix=".json", delete=False) as tf:
         out = Path(tf.name)
     try:
@@ -222,6 +233,9 @@ class RoutesExtractor(Extractor):
         # unreliable for bare dir names; this guarantees `--exclude <path>` drops those routes).
         if getattr(ctx, "excludes", None):
             routes = [r for r in routes if not ctx._excluded(r.get("code_path", ""))]
+        # Noir doesn't honor SKIP_DIRS — drop any route it found under build output / deps /
+        # nested worktrees (e.g. .claude/worktrees/* doubling the whole app).
+        routes = [r for r in routes if not _in_skip_dir(r.get("code_path", ""))]
         by_method: dict = {}
         by_tech: dict = {}
         for r in routes:

{websec_validator-0.2.4 → websec_validator-0.2.5}/src/websec_validator/findings.py

@@ -164,6 +164,20 @@ def build_ledger(facts: dict, unified: dict | None, dynamic: dict | None = None,
                         f"{ud.get('decoder')}() — if that decodes a token/signature WITHOUT verifying it, a forged "
                         "value is trusted (the decodeJwtPayloadUnsafe → requireAdmin class of bug). Trace the call path."}]))
 
+    # ---- 1d. Forged-token acceptance — unverified signature, DYNAMICALLY CONFIRMED ----
+    # The verdict for 1c: we presented an UNSIGNED/bogus-sig token and the route reached its
+    # handler anyway (no-auth 401/403 → reached-handler with the forged token). That is the
+    # decodeJwtPayloadUnsafe/jwt.decode(verify=False) hypothesis proven — CWE-347 broken auth.
+    for b in ((dynamic or {}).get("forged_token_bypass", {}) or {}).get("bypassed", []):
+        out.append(_f(
+            f"Auth bypass: forged unsigned token accepted — {b.get('method')} {b.get('path')}",
+            "access-control", "unsafe-auth-decoder", "CRITICAL", "HIGH",
+            f"{b.get('method')} {b.get('path')}",
+            [{"layer": "dynamic", "detail": f"no auth → HTTP {b.get('baseline')}; a token with NO valid "
+              f"signature (via {b.get('via')}, far-future exp) → HTTP {b.get('forged')} — the auth gate "
+              "accepted it, so the signature is NOT verified. Reachable by anyone who can craft a token "
+              "string; route the guard through a verifying decode (jwt.verify w/ the key / a checked session)."}]))
+
     # ---- 2. Static scanner findings (de-duplicated `unified`) ----
     cat_to_class = {"sca": "cve", "secret": "secret", "iac": "iac", "sast": "sast"}
     for t in (unified or {}).get("top", []):

{websec_validator-0.2.4 → websec_validator-0.2.5}/src/websec_validator/probes.py

@@ -28,6 +28,8 @@ PROBES = {
                         "a low-priv token + a write endpoint that updates a record"),
     "jwt-attacks": ("jwt-attacks.sh", "JWT: alg:none, tamper, expiry, replay",
                    "a valid token + the login + a protected endpoint"),
+    "forged-token": ("forged-token.sh", "Forged/unsigned-JWT acceptance (CWE-347 broken auth)",
+                     "just the target base URL — it forges its own token + reads routes from probe-context.json"),
     "hs256-brute-force": ("hs256-brute-force.py", "Offline HS256 weak-secret brute",
                          "one HS256 JWT (offline — no live app needed)"),
     "ssrf-probes": ("ssrf-probes.sh", "SSRF: IMDS / RFC1918 / file://",
@@ -47,7 +49,7 @@ PROBES = {
 
 # unauth-baseline is ALWAYS staged: it's the cheapest probe and directly exercises the
 # #1 lead class (missing authentication) — the one a no-creds run can confirm immediately.
-ALWAYS = ["unauth-baseline", "jwt-attacks", "hs256-brute-force", "rate-limit-burst"]
+ALWAYS = ["unauth-baseline", "forged-token", "jwt-attacks", "hs256-brute-force", "rate-limit-burst"]
 
 # which targeting bucket each probe should be pointed at (for the manifest's real targets)
 _TARGET_KEYS = {
@@ -100,6 +102,10 @@ def build_context(facts: dict) -> dict:
     auth = facts.get("auth") or {}
     writes = [f"{e.get('method')} {e.get('path')}" for e in routes.get("endpoints", [])
               if e.get("method") in WRITE_VERBS][:80]
+    # GET/HEAD data-read routes — the read half of the protected surface (the forged-token probe
+    # needs these; the bypass class hits reads like /api/wallets/lookup that are in no other bucket).
+    reads = [f"{e.get('method')} {e.get('path')}" for e in routes.get("endpoints", [])
+             if e.get("method") in ("GET", "HEAD")][:80]
     return {
         "target_base_url": "FILL_ME (e.g. http://localhost:3000)",
         "auth": {
@@ -111,6 +117,7 @@ def build_context(facts: dict) -> dict:
         },
         "endpoints": {
             "writes": writes,
+            "reads": reads,
             "idor_candidates": tgt.get("idor_candidates", [])[:60],
             "ssrf_candidates": tgt.get("ssrf_candidates", [])[:40],
             "upload_candidates": tgt.get("upload_candidates", [])[:40],

{websec_validator-0.2.4 → websec_validator-0.2.5}/src/websec_validator/scanners.py

@@ -20,6 +20,8 @@ import subprocess
 from dataclasses import dataclass
 from pathlib import Path
 
+from .extractors.base import SKIP_DIRS
+
 
 @dataclass(frozen=True)
 class Scanner:
@@ -33,11 +35,19 @@ class Scanner:
     argv: object = None
 
 
-# Never scan the tool's own output, deps, or build artifacts. Scanning `websec-out/`
-# made Semgrep re-flag the AWS keys Gitleaks had just written into the report (and the
-# count compounded across runs). Filesystem scanners get these excluded explicitly.
-EXCLUDE_DIRS = ("websec-out", "node_modules", ".next", "dist", "build", ".git",
-                "security", ".venv", "venv", "__pycache__", ".mypy_cache", "coverage")
+# ONE source of truth for "don't scan here": the walker's SKIP_DIRS (extractors/base.py).
+# A subprocess scanner has its OWN traversal and will otherwise re-enter dirs the walker
+# skips — e.g. trivy walked `.claude/worktrees/<full-repo-copy>/websec-out/.../gitleaks.json`
+# and reported the tool's OWN prior output back as an AWS-key CRITICAL (bug-066). The
+# --skip-dirs / --exclude flags below are best-effort perf; `_in_skip_dir` post-filtering in
+# normalize_findings is the correctness guarantee (it also covers gitleaks, which has no skip
+# flag). Was previously a hand-maintained subset that omitted .claude / .worktrees / .wolf.
+EXCLUDE_DIRS = tuple(sorted(SKIP_DIRS))
+
+
+def _in_skip_dir(path: str) -> bool:
+    """True if any path segment is a SKIP_DIR — mirrors the walker's per-segment rule."""
+    return any(part in SKIP_DIRS for part in (path or "").replace("\\", "/").split("/"))
 
 
 def _trivy(target: Path, out: Path, excludes=()) -> list:
@@ -243,9 +253,30 @@ def _norm_semgrep(data: dict) -> list:
 _PARSERS = {"trivy": _norm_trivy, "gitleaks": _norm_gitleaks, "semgrep": _norm_semgrep}
 
 
-def normalize_findings(scan_results: list, outdir: Path) -> dict:
+def _gitignored(target: Path | None, paths) -> set:
+    """Subset of `paths` (relative to `target`) that git IGNORES — local-only files that were
+    never committed. A WORKING-TREE secret in such a file (e.g. a gitignored `.env.local`) is
+    not a repo leak, so we downgrade it instead of crying CRITICAL (bug-066). Empty set if not
+    a git repo / git absent (fail-open). Git-HISTORY findings (gitleaks) are left untouched —
+    those ARE committed."""
+    paths = sorted({p for p in paths if p})
+    if not target or not paths or not shutil.which("git"):
+        return set()
+    try:
+        proc = subprocess.run(["git", "-C", str(target), "check-ignore", "--stdin"],
+                              input="\n".join(paths), capture_output=True, text=True, timeout=30)
+        return {ln.strip() for ln in proc.stdout.splitlines() if ln.strip()}
+    except Exception:
+        return set()
+
+
+def normalize_findings(scan_results: list, outdir: Path, target: Path | None = None) -> dict:
     """Merge every scanner's native JSON into one de-duplicated, severity-ranked
-    findings.json. Returns a summary (raw vs deduped, by severity/category)."""
+    findings.json. Returns a summary (raw vs deduped, by severity/category).
+
+    `target` (the scanned repo) enables two bug-066 hygiene passes: drop findings under a
+    SKIP_DIR (a scanner re-entered a dir the walker skips), and downgrade working-tree secrets
+    that live in gitignored (never-committed) files."""
     raw = []
     for r in scan_results:
         out, key = r.get("output"), r.get("key")
@@ -257,6 +288,28 @@ def normalize_findings(scan_results: list, outdir: Path) -> dict:
         except Exception:
             continue
 
+    # bug-066 (a): a subprocess scanner can re-enter dirs the walker skips (nested worktrees,
+    # build output, the tool's own websec-out) → drop anything under a SKIP_DIR. The
+    # correctness guarantee behind the best-effort flags; also catches gitleaks (no skip flag).
+    before = len(raw)
+    raw = [f for f in raw if not _in_skip_dir(f.get("file", ""))]
+    contamination_dropped = before - len(raw)
+
+    # bug-066 (b): working-tree secrets (trivy fs) in GITIGNORED files are local-only / never
+    # committed — not a repo leak. Downgrade + annotate rather than report CRITICAL. Gitleaks
+    # findings come from git HISTORY (already committed) and are deliberately left alone.
+    ignored = _gitignored(target, (f.get("file", "") for f in raw
+                                   if f.get("tool") == "trivy" and f.get("category") == "secret"))
+    local_only_downgraded = 0
+    for f in raw:
+        if (f.get("tool") == "trivy" and f.get("category") == "secret"
+                and f.get("file", "") in ignored
+                and SEV_ORDER.get(f.get("severity"), 0) >= SEV_ORDER["MEDIUM"]):
+            f["severity"] = "LOW"
+            if "local-only" not in f["title"]:
+                f["title"] += " — local-only (gitignored, never committed; rotate if real, not a repo leak)"
+            local_only_downgraded += 1
+
     by_fp: dict = {}
     for f in raw:
         fp = f["fingerprint"]
@@ -278,6 +331,8 @@ def normalize_findings(scan_results: list, outdir: Path) -> dict:
         by_cat[f["category"]] = by_cat.get(f["category"], 0) + 1
     return {"total_raw": len(raw), "total": len(deduped),
             "cross_tool_or_dup_merged": len(raw) - len(deduped),
+            "contamination_dropped": contamination_dropped,
+            "local_only_downgraded": local_only_downgraded,
             "by_severity": by_sev, "by_category": by_cat,
             "top": [{"severity": f["severity"], "category": f["category"], "title": f["title"],
                      "file": f["file"], "tools": f["tools"]} for f in deduped[:15]]}

websec_validator-0.2.5/src/websec_validator/templates/probes/forged-token.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# forged-token — does this app actually VERIFY JWT signatures? Forge a token with a BOGUS
+# signature + far-future exp and present it to each route that is GATED without auth. A route
+# that returns 401/403 with NO token but REACHES THE HANDLER (200/400/404/422/…) WITH the
+# forged token is trusting an UNVERIFIED token = authentication bypass (CWE-347 / OWASP API2).
+# This is the dynamic VERDICT on a `decodeJwtPayloadUnsafe` / `jwt.decode(verify=False)` finding:
+# the recon says "an unverified decoder feeds an auth decision"; this proves which routes fall.
+#
+# Read-only by default (GET routes). Set PROBE_WRITES=1 to ALSO test write verbs (empty body —
+# non-destructive) — LOCALHOST/TEST only. Reads this app's routes from ./probe-context.json
+# (written by websec). Tries Authorization: Bearer, plus a cookie if you pass COOKIE_NAME.
+# Usage:  TARGET=https://127.0.0.1:8443 [PROBE_WRITES=1] [COOKIE_NAME=session] bash forged-token.sh
+set -uo pipefail
+ctx="$(dirname "$0")/probe-context.json"
+BASE="${TARGET:-$(python3 -c "import json;print(json.load(open('$ctx'))['target_base_url'])" 2>/dev/null)}"
+if [ -z "${BASE:-}" ] || [ "${BASE#FILL}" != "$BASE" ]; then
+  echo "Set TARGET=http://host:port (or fill target_base_url in probe-context.json)"; exit 2
+fi
+BASE="${BASE%/}"
+
+# A structurally-valid JWT with a DELIBERATELY INVALID signature + far-future exp. A correct
+# verifier rejects this outright; a decode-only auth path trusts its claims.
+FORGED=$(python3 -c "
+import base64, json
+def b(o): return base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b'=').decode()
+print(b({'alg':'RS256','typ':'JWT','kid':'forged'})+'.'+b({'sub':'websec-forged','email':'websec-forged@example.com','role':'admin','roles':['admin'],'exp':9999999999})+'.d2Vic2VjLWZvcmdlZC1zaWc')
+")
+
+# Routes to test: GET reads + GET idor/ssrf candidates (always); writes when PROBE_WRITES=1.
+# Skip any path with an unfilled {param}. (portable; macOS bash 3.2 lacks `mapfile`.)
+ROUTES=()
+while IFS= read -r line; do [ -n "$line" ] && ROUTES+=("$line"); done < <(PROBE_WRITES="${PROBE_WRITES:-0}" python3 -c "
+import json, os
+c = json.load(open('$ctx')); eps = c['endpoints']
+rows = list(eps.get('reads', []))
+rows += [r.split('  ')[0] for r in eps.get('ssrf_candidates', [])]          # 'GET /x  (param: y)' -> 'GET /x'
+rows += [r for r in eps.get('idor_candidates', []) if r.split(' ',1)[0] == 'GET']
+if os.environ.get('PROBE_WRITES') == '1': rows += eps.get('writes', [])
+seen=set(); out=[]
+for r in rows:
+    m = r.strip().split(' ', 1)
+    if len(m) != 2: continue
+    meth, path = m[0], m[1].split('  ')[0].strip()
+    if '{' in path or (meth, path) in seen: continue
+    seen.add((meth, path)); out.append(meth + ' ' + path)
+print('\n'.join(out[:80]))
+" 2>/dev/null)
+if [ "${#ROUTES[@]}" -eq 0 ]; then
+  echo "No concrete (no-{param}) routes in probe-context.json to test."; exit 2
+fi
+
+# Codes that mean the request REACHED THE HANDLER (auth passed). Excludes 401/403 (blocked),
+# 429 (rate-limited), 5xx/000 (ambiguous) so an aggressive limiter can't manufacture a bypass.
+reached() { case "$1" in 200|201|202|203|204|206|400|404|405|409|413|415|422) return 0;; *) return 1;; esac; }
+
+echo "forged-token vs $BASE  ·  unsigned/bogus-sig JWT, far-future exp"
+echo "  (a gated route that REACHES its handler with this token is NOT verifying the signature)"
+echo "----------------------------------------------------------------------------------------------------"
+bypass=0; ok=0; skip=0
+for ep in "${ROUTES[@]}"; do
+  method="${ep%% *}"; path="${ep#* }"
+  data=(); { [ "$method" != "GET" ] && [ "$method" != "HEAD" ]; } && data=(-H 'content-type: application/json' --data '{}')
+  na=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" "$BASE$path" ${data[@]+"${data[@]}"} --max-time 15)
+  if [ "$na" != "401" ] && [ "$na" != "403" ]; then skip=$((skip+1)); continue; fi   # not gated unauthenticated → N/A here
+  fg=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" "$BASE$path" -H "Authorization: Bearer $FORGED" ${data[@]+"${data[@]}"} --max-time 15)
+  via="Bearer"
+  if ! reached "$fg" && [ -n "${COOKIE_NAME:-}" ]; then
+    fg=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" "$BASE$path" -H "Cookie: $COOKIE_NAME=$FORGED" ${data[@]+"${data[@]}"} --max-time 15)
+    via="cookie:$COOKIE_NAME"
+  fi
+  if reached "$fg"; then
+    printf '  BYPASS  %s→%s  %s %s   (forged token accepted via %s)\n' "$na" "$fg" "$method" "$path" "$via"; bypass=$((bypass+1))
+  else
+    printf '  ok      %s→%s  %s %s\n' "$na" "$fg" "$method" "$path"; ok=$((ok+1))
+  fi
+done
+echo "----------------------------------------------------------------------------------------------------"
+echo "summary: $bypass forged-token BYPASS · $ok rejected · $skip not-gated (skipped)"
+if [ "$bypass" -gt 0 ]; then
+  echo "⚠ A token with NO valid signature reached the handler on $bypass route(s) — CWE-347 broken auth."
+  echo "  Route the guard through a VERIFYING decode (jwt.verify with the key / a checked server session),"
+  echo "  the same path your properly-protected routes use. Never trust a decode-only (\"Unsafe\") result."
+fi
+exit "$bypass"

websec_validator-0.2.5/src/websec_validator/templates/probes/rate-limit-burst.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+# rate-limit-burst — verify rate limiters actually fire, and that they can't be bypassed by
+# spoofing X-Forwarded-For. FACTS-driven: reads the login route + base URL from
+# ./probe-context.json (written by websec) — no separate .env needed.
+#
+# Three tests:
+#   1. AUTH limiter — N+1 failed logins; expect a 429 by attempt N+1. (A limit of N ALLOWS N and
+#      blocks the N+1th, so sending only N false-FAILs a working limiter — the classic off-by-one.)
+#   2. General limiter — burst of GETs at a public endpoint; expect 429s once over the per-IP budget.
+#   3. XFF bypass — once limited, rotate X-Forwarded-For between requests. If the limit lifts, the
+#      backend keys on a client-controlled header without verifying the proxy chain (bypassable).
+#
+# Env: TARGET (or target_base_url in probe-context.json). Optional overrides:
+#      AUTH_LIMIT (default 10), LOGIN_PATH, HEALTH_PATH.
+# Usage:  TARGET=http://localhost:3000 bash rate-limit-burst.sh
+set -uo pipefail
+ctx="$(dirname "$0")/probe-context.json"
+BASE="${TARGET:-$(python3 -c "import json;print(json.load(open('$ctx'))['target_base_url'])" 2>/dev/null)}"
+if [ -z "${BASE:-}" ] || [ "${BASE#FILL}" != "$BASE" ]; then
+  echo "Set TARGET=http://host:port (or fill target_base_url in probe-context.json)"; exit 2
+fi
+BASE="${BASE%/}"
+
+# Login path: explicit override → the POST .../login from probe-context → a sane default.
+LOGIN_PATH="${LOGIN_PATH:-$(python3 -c "
+import json
+c = json.load(open('$ctx'))
+eps = c.get('auth', {}).get('login_endpoints', []) + c.get('endpoints', {}).get('auth_endpoints', [])
+cand = [e.split(' ', 1)[1] for e in eps if e.upper().startswith('POST ') and 'login' in e.lower()]
+print(cand[0] if cand else '/api/auth/login')
+" 2>/dev/null)}"
+LOGIN_PATH="${LOGIN_PATH:-/api/auth/login}"
+HEALTH_PATH="${HEALTH_PATH:-/api/health}"
+LIMIT="${AUTH_LIMIT:-10}"
+N=$((LIMIT + 1))   # N+1: a limit of N allows N and blocks the (N+1)th
+
+fails=0
+
+echo "=== Test 1: AUTH limiter — $N failed logins at $LOGIN_PATH (expect a 429 by #$N) ==="
+saw429=0
+for i in $(seq 1 "$N"); do
+  code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$BASE$LOGIN_PATH" \
+         -H 'content-type: application/json' --data '{"email":"rl-test@example.com","password":"wrong"}' --max-time 15)
+  printf '  attempt %2d → %s\n' "$i" "$code"
+  [ "$code" = "429" ] && saw429=1
+done
+if [ "$saw429" = "1" ]; then
+  echo "  PASS  AUTH limiter fired (saw 429)"
+else
+  echo "  FAIL  AUTH limiter never fired in $N attempts — misconfigured, or the limit is > $LIMIT (raise AUTH_LIMIT)"
+  fails=$((fails+1))
+fi
+echo
+
+echo "=== Test 2: general limiter — 200 GET $HEALTH_PATH in ~10s ==="
+codes=$(seq 1 200 | xargs -n1 -P20 -I{} curl -s -o /dev/null -w '%{http_code}\n' "$BASE$HEALTH_PATH" --max-time 15)
+n429=$(printf '%s\n' "$codes" | grep -c '^429$' || true)
+n200=$(printf '%s\n' "$codes" | grep -c '^200$' || true)
+echo "  200: $n200 · 429: $n429"
+if [ "$n429" -gt 0 ]; then echo "  INFO  general limiter fires under burst"; else
+  echo "  INFO  general limiter did not fire at 200 reqs — below threshold (raise for a real pentest)"; fi
+echo
+
+echo "=== Test 3: X-Forwarded-For spoof bypass ==="
+for i in $(seq 1 "$N"); do
+  curl -s -o /dev/null -X POST "$BASE$LOGIN_PATH" -H 'content-type: application/json' \
+       --data '{"email":"xff-test@example.com","password":"wrong"}' --max-time 15 || true
+done
+baseline=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$BASE$LOGIN_PATH" \
+           -H 'content-type: application/json' --data '{"email":"xff-test@example.com","password":"wrong"}' --max-time 15)
+echo "  baseline (no XFF): $baseline"
+spoofed=0
+for xff in "1.2.3.4" "10.0.0.1" "192.168.1.99" "127.0.0.1" "1.1.1.1, 2.2.2.2"; do
+  code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$BASE$LOGIN_PATH" -H "X-Forwarded-For: $xff" \
+         -H 'content-type: application/json' --data '{"email":"xff-test@example.com","password":"wrong"}' --max-time 15)
+  printf '  XFF=%-22s → %s\n' "$xff" "$code"
+  { [ "$baseline" = "429" ] && [ "$code" != "429" ]; } && spoofed=$((spoofed+1))
+done
+if [ "$baseline" != "429" ]; then
+  echo "  SKIP  limiter not in 429 state for the baseline — can't test bypass (raise AUTH_LIMIT or the window)"
+elif [ "$spoofed" -gt 0 ]; then
+  echo "  FAIL  XFF spoof bypassed the limiter ($spoofed/5) — it keys on client-supplied XFF without verifying the proxy chain"
+  fails=$((fails+1))
+else
+  echo "  PASS  XFF spoof did NOT bypass the limiter (all stayed 429)"
+fi
+echo
+echo "=== summary: $fails failure(s) ==="
+exit "$fails"

{websec_validator-0.2.4 → websec_validator-0.2.5/src/websec_validator.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.4
+Version: 0.2.5
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.4 → websec_validator-0.2.5}/src/websec_validator.egg-info/SOURCES.txt

@@ -38,6 +38,7 @@ src/websec_validator/templates/probes/bola-cross-tenant.sh
 src/websec_validator/templates/probes/bola-write-verbs.py
 src/websec_validator/templates/probes/compare-roles.sh
 src/websec_validator/templates/probes/dlp-bypass-offline.py
+src/websec_validator/templates/probes/forged-token.sh
 src/websec_validator/templates/probes/hs256-brute-force.py
 src/websec_validator/templates/probes/jwt-attacks.sh
 src/websec_validator/templates/probes/mass-assignment.py
@@ -52,4 +53,5 @@ src/websec_validator/templates/reports/access-control-matrix.md.template
 src/websec_validator/templates/reports/findings-triage.md.template
 src/websec_validator/templates/reports/pentest-handover-brief.md.template
 src/websec_validator/templates/reports/per-tool-FINDINGS.md.template
+tests/test_hardening.py
 tests/test_recon.py

websec_validator-0.2.5/tests/test_hardening.py

@@ -0,0 +1,137 @@
+"""Tests for the 0.2.5 hardening pass (from the agent-wallet dogfood run):
+  - forged-token / unverified-signature bypass detection (bug: static said 'verify manually')
+  - scanner contamination hygiene (bug-066): SKIP_DIR drop + gitignored-secret downgrade
+  - rate-limit probe is FACTS-driven (bug-067)
+Stdlib unittest only:  python3 -m unittest discover -s tests
+"""
+import json
+import shutil
+import subprocess
+import sys
+import tempfile
+import unittest
+from pathlib import Path
+from unittest import mock
+
+ROOT = Path(__file__).resolve().parents[1]
+sys.path.insert(0, str(ROOT / "src"))
+
+from websec_validator import dynamic, findings, probes, scanners  # noqa: E402
+
+FACTS = {"routes": {"endpoints": [
+    {"method": "GET", "path": "/api/bypass"},      # gated; accepts forged token  -> BYPASS
+    {"method": "GET", "path": "/api/safe"},        # gated; rejects forged token  -> ok
+    {"method": "GET", "path": "/api/ratelimited"},  # gated; forged -> 429         -> NOT a bypass
+    {"method": "GET", "path": "/api/public"},      # 200 with no auth              -> skipped (not gated)
+]}}
+
+
+def _fake_request(method, url, token=None, timeout=20, data=None, cookie=None):
+    authed = bool(token or cookie)
+    if url.endswith("/api/bypass"):
+        return (400 if authed else 401), "x"      # forged token reaches handler
+    if url.endswith("/api/safe"):
+        return 401, "x"                            # forged token still rejected
+    if url.endswith("/api/ratelimited"):
+        return (429 if authed else 401), "x"       # rate-limited, must NOT count as bypass
+    if url.endswith("/api/public"):
+        return 200, "x"                            # not gated unauthenticated
+    return 404, ""
+
+
+class ForgedTokenBypassTests(unittest.TestCase):
+    def test_detects_only_the_real_bypass(self):
+        with mock.patch.object(dynamic, "_request", _fake_request):
+            r = dynamic.forged_token_bypass("http://t", FACTS)
+        paths = [b["path"] for b in r["bypassed"]]
+        self.assertEqual(paths, ["/api/bypass"])          # exactly the one that reached the handler
+        self.assertEqual(r["tested"], 3)                  # public route skipped (baseline 200)
+
+    def test_rate_limited_is_not_a_bypass(self):
+        with mock.patch.object(dynamic, "_request", _fake_request):
+            r = dynamic.forged_token_bypass("http://t", FACTS)
+        self.assertNotIn("/api/ratelimited", [b["path"] for b in r["bypassed"]])
+
+    def test_forged_jwt_is_three_part_and_bogus(self):
+        tok = dynamic._forge_jwt({"exp": 9999999999})
+        self.assertEqual(len(tok.split(".")), 3)
+        self.assertTrue(tok.split(".")[2])                # has a (deliberately invalid) signature segment
+
+
+class LedgerForgedBypassTests(unittest.TestCase):
+    def test_bypass_becomes_critical(self):
+        dyn = {"forged_token_bypass": {"bypassed": [
+            {"method": "GET", "path": "/api/x", "baseline": 401, "forged": 400, "via": "Authorization: Bearer"}]}}
+        led = findings.build_ledger({}, None, dyn, [])
+        hit = [f for f in led["findings"] if "forged unsigned token" in f["title"]]
+        self.assertEqual(len(hit), 1)
+        self.assertEqual(hit[0]["severity"], "CRITICAL")
+        self.assertEqual(hit[0]["attack_class"], "unsafe-auth-decoder")
+
+
+class ScannerHygieneTests(unittest.TestCase):
+    def test_in_skip_dir(self):
+        self.assertTrue(scanners._in_skip_dir(".claude/worktrees/x/gitleaks.json"))
+        self.assertTrue(scanners._in_skip_dir("node_modules/dep/a.js"))
+        self.assertFalse(scanners._in_skip_dir("src/app/api/route.ts"))
+
+    def test_exclude_dirs_includes_agent_tooling(self):
+        self.assertIn(".claude", scanners.EXCLUDE_DIRS)
+        self.assertIn(".worktrees", scanners.EXCLUDE_DIRS)
+
+    def test_normalize_drops_skipdir_contamination(self):
+        trivy = {"Results": [
+            {"Target": ".claude/worktrees/copy/websec-out/scanners/gitleaks.json",
+             "Secrets": [{"RuleID": "aws", "Title": "AWS key", "Match": "AKIA" + "A" * 16, "StartLine": 1}]},
+            {"Target": "src/app/route.ts",
+             "Secrets": [{"RuleID": "aws", "Title": "AWS key", "Match": "AKIA" + "B" * 16, "StartLine": 1}]},
+        ]}
+        with tempfile.TemporaryDirectory() as d:
+            d = Path(d)
+            (d / "trivy.json").write_text(json.dumps(trivy))
+            res = [{"key": "trivy", "output": str(d / "trivy.json"), "name": "Trivy", "category": "sca"}]
+            summary = scanners.normalize_findings(res, d, target=None)
+            files = [f["file"] for f in json.loads((d / "findings.json").read_text())]
+        self.assertIn("src/app/route.ts", files)
+        self.assertNotIn(".claude/worktrees/copy/websec-out/scanners/gitleaks.json", files)
+        self.assertEqual(summary["contamination_dropped"], 1)
+
+    @unittest.skipUnless(shutil.which("git"), "git required")
+    def test_gitignored_secret_is_downgraded(self):
+        trivy = {"Results": [
+            {"Target": "secret.local",
+             "Secrets": [{"RuleID": "aws", "Title": "AWS key", "Match": "AKIA" + "C" * 16, "StartLine": 1}]},
+            {"Target": "src/real.ts",
+             "Secrets": [{"RuleID": "aws", "Title": "AWS key", "Match": "AKIA" + "D" * 16, "StartLine": 1}]},
+        ]}
+        with tempfile.TemporaryDirectory() as d:
+            d = Path(d)
+            subprocess.run(["git", "init", "-q", str(d)], check=True)
+            (d / ".gitignore").write_text("*.local\n")
+            out = d / "out"
+            out.mkdir()
+            (out / "trivy.json").write_text(json.dumps(trivy))
+            res = [{"key": "trivy", "output": str(out / "trivy.json"), "name": "Trivy", "category": "sca"}]
+            summary = scanners.normalize_findings(res, out, target=d)
+            by_file = {f["file"]: f for f in json.loads((out / "findings.json").read_text())}
+        self.assertEqual(by_file["secret.local"]["severity"], "LOW")           # gitignored → downgraded
+        self.assertIn("local-only", by_file["secret.local"]["title"])
+        self.assertEqual(by_file["src/real.ts"]["severity"], "HIGH")           # tracked → unchanged
+        self.assertEqual(summary["local_only_downgraded"], 1)
+
+
+class ProbeRegistrationTests(unittest.TestCase):
+    def test_forged_token_always_staged(self):
+        self.assertIn("forged-token", probes.ALWAYS)
+        self.assertIn("forged-token", probes.PROBES)
+        self.assertIn("forged-token", probes.applicable({"routes": {"targeting": {}}}))
+
+    def test_context_has_reads(self):
+        ctx = probes.build_context({"routes": {"endpoints": [
+            {"method": "GET", "path": "/api/a"}, {"method": "POST", "path": "/api/b"}], "targeting": {}}, "auth": {}})
+        self.assertIn("reads", ctx["endpoints"])
+        self.assertEqual(ctx["endpoints"]["reads"], ["GET /api/a"])
+
+
+if __name__ == "__main__":
+    unittest.main()

websec_validator-0.2.4/src/websec_validator/templates/probes/rate-limit-burst.sh

@@ -1,136 +0,0 @@
-#!/usr/bin/env bash
-#
-# rate-limit-burst.sh — verify rate limiters actually fire under load.
-#
-# Three tests:
-#   1. AUTH_RATE_LIMIT — N failed login attempts; expect a 429 by attempt K
-#      (the project's documented per-IP login throttle).
-#   2. General apiRateLimiter — burst of GET requests against a public health
-#      endpoint; expect 429s once over the per-IP budget.
-#   3. X-Forwarded-For bypass — repeat (1) but rotate the XFF header between
-#      requests. If the backend honors XFF for rate-limit keying WITHOUT
-#      verifying the proxy chain, attackers bypass the limiter.
-#
-# Usage:  ./rate-limit-burst.sh
-set -euo pipefail
-cd "$(dirname "$0")"
-
-[[ -f .env ]] || { echo "No .env found" >&2; exit 1; }
-
-read_env() {
-    local key="$1"
-    python3 -c "
-for l in open('.env'):
-    l = l.rstrip('\n')
-    if l.startswith('#') or '=' not in l: continue
-    k, v = l.split('=', 1)
-    if k.strip() == '$key':
-        print(v); break
-"
-}
-
-TARGET="$(read_env ZAP_TARGET)"
-[[ -n "$TARGET" ]] || { echo "ZAP_TARGET missing from .env" >&2; exit 2; }
-
-# TODO: adjust login path and public health path to match your API.
-LOGIN_PATH="/api/auth/login"
-HEALTH_PATH="/api/health"
-
-PASS_COUNT=0
-FAIL_COUNT=0
-FAIL_LINES=()
-
-# === Test 1: AUTH_RATE_LIMIT ===
-echo "=== Test 1: AUTH_RATE_LIMIT (expected ≥1 of 10 attempts to be 429) ==="
-codes_seen=()
-for i in $(seq 1 10); do
-    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$TARGET$LOGIN_PATH" \
-        -H 'Content-Type: application/json' \
-        -d '{"email":"rl-test@example.com","password":"wrong"}')
-    codes_seen+=("$code")
-    printf '  attempt %2d → %s\n' "$i" "$code"
-done
-if printf '%s\n' "${codes_seen[@]}" | grep -q '^429$'; then
-    echo "  PASS  AUTH_RATE_LIMIT fires (saw 429)"
-    PASS_COUNT=$((PASS_COUNT+1))
-else
-    echo "  FAIL  AUTH_RATE_LIMIT never fired — limiter may be misconfigured"
-    FAIL_COUNT=$((FAIL_COUNT+1))
-    FAIL_LINES+=("AUTH_RATE_LIMIT did not fire in 10 attempts")
-fi
-echo
-
-# === Test 2: General health burst ===
-echo "=== Test 2: 200 GET ${HEALTH_PATH} requests in ~10s ==="
-codes_file=$(mktemp)
-trap 'rm -f "$codes_file"' EXIT
-seq 1 200 | xargs -n 1 -P 20 -I{} curl -s -o /dev/null -w '%{http_code}\n' "$TARGET$HEALTH_PATH" > "$codes_file"
-
-total=$(wc -l < "$codes_file" | tr -d ' ')
-two_oh_oh=$(grep -c '^200$' "$codes_file" || true)
-four_two_nine=$(grep -c '^429$' "$codes_file" || true)
-other=$((total - two_oh_oh - four_two_nine))
-echo "  Total responses: $total"
-echo "  200: $two_oh_oh"
-echo "  429: $four_two_nine"
-echo "  Other: $other"
-if [[ "$four_two_nine" -gt 0 ]]; then
-    echo "  INFO  apiRateLimiter fires under burst (saw 429s)"
-else
-    echo "  INFO  apiRateLimiter did NOT fire — 200 reqs is below threshold."
-    echo "        (general limit is per-IP; for a pentest, escalate to ~5000 reqs)"
-fi
-echo
-
-# === Test 3: X-Forwarded-For bypass attempt ===
-echo "=== Test 3: try XFF spoof to bypass AUTH_RATE_LIMIT ==="
-echo "    (If the backend respects 'trust proxy = 1' correctly, spoofed XFF"
-echo "     headers from us — a direct client — should be IGNORED for rate-limit"
-echo "     keying.)"
-
-# First, get rate-limited so subsequent requests are blocked
-for i in $(seq 1 7); do
-    curl -s -o /dev/null -X POST "$TARGET$LOGIN_PATH" \
-        -H 'Content-Type: application/json' \
-        -d '{"email":"xff-test@example.com","password":"wrong"}' >/dev/null
-done
-
-code_baseline=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$TARGET$LOGIN_PATH" \
-    -H 'Content-Type: application/json' \
-    -d '{"email":"xff-test@example.com","password":"wrong"}')
-echo "  baseline (no XFF):       $code_baseline"
-
-spoofed_pass_count=0
-for xff in "1.2.3.4" "10.0.0.1" "192.168.1.99" "127.0.0.1" "1.1.1.1, 2.2.2.2"; do
-    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$TARGET$LOGIN_PATH" \
-        -H 'Content-Type: application/json' \
-        -H "X-Forwarded-For: $xff" \
-        -d '{"email":"xff-test@example.com","password":"wrong"}')
-    printf '  XFF=%-25s → %s\n' "$xff" "$code"
-    if [[ "$code_baseline" == "429" && "$code" != "429" ]]; then
-        spoofed_pass_count=$((spoofed_pass_count + 1))
-    fi
-done
-
-if [[ "$code_baseline" != "429" ]]; then
-    echo "  SKIP  AUTH limiter not in 429 state for baseline — can't test bypass"
-elif [[ $spoofed_pass_count -gt 0 ]]; then
-    echo "  FAIL  XFF spoof bypassed AUTH_RATE_LIMIT ($spoofed_pass_count probes)"
-    FAIL_COUNT=$((FAIL_COUNT+1))
-    FAIL_LINES+=("XFF spoof bypasses AUTH_RATE_LIMIT — limiter may be keyed on req.ip without trust proxy validation")
-else
-    echo "  PASS  XFF spoof did NOT bypass the limiter (all stayed 429)"
-    PASS_COUNT=$((PASS_COUNT+1))
-fi
-echo
-
-echo "=== Summary ==="
-echo "  PASS: $PASS_COUNT"
-echo "  FAIL: $FAIL_COUNT"
-if [[ $FAIL_COUNT -gt 0 ]]; then
-    echo
-    echo "FAILED:"
-    printf '  - %s\n' "${FAIL_LINES[@]}"
-    exit 1
-fi
-echo "Rate limiters behave as expected."