apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-12 19:55:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss/grind] deferred session-0003 (20260521T201327Z-3848)

Browse source
This commit is contained in:
pitboss 2026-05-21 16:05:15 -05:00
parent d99361cff6
commit 368f628054
14 changed files with 672 additions and 86 deletions
Download patch file Download diff file Expand all files Collapse all files

133
frontend/src/styles/global.css
View file

@ -2504,6 +2504,139 @@ tr.selected td {
color: var(--text);
}
/* ── Finding Detail: dynamic verification ─────────────────────────── */
.badge-dyn-confirmed {
background: var(--success-bg);
color: var(--success);
}
.badge-dyn-notconfirmed {
background: var(--bg-secondary);
color: var(--text-secondary);
}
.badge-dyn-inconclusive {
background: var(--sev-medium-bg);
color: var(--sev-medium);
}
.badge-dyn-unsupported {
background: var(--conf-low-bg);
color: var(--conf-low);
}
.dynamic-verdict-section {
display: flex;
flex-direction: column;
gap: var(--space-3);
font-size: var(--text-sm);
line-height: 1.45;
}
.dynamic-verdict-badge-row {
display: flex;
align-items: center;
flex-wrap: wrap;
gap: var(--space-2);
}
.dynamic-toolchain-match {
display: inline-flex;
align-items: center;
min-height: 22px;
padding: 2px 8px;
border: 1px solid var(--border);
border-radius: var(--radius-sm);
background: var(--bg-secondary);
color: var(--text-secondary);
font-size: var(--text-xs);
}
.repro-panel,
.dynamic-verdict-detail,
.dynamic-attempts {
border: 1px solid var(--border-light);
border-radius: 6px;
background: var(--bg);
padding: var(--space-3);
}
.repro-cmd-row {
display: flex;
align-items: center;
gap: var(--space-2);
min-width: 0;
flex-wrap: wrap;
}
.repro-label,
.dynamic-attempts > strong,
.dynamic-verdict-detail strong {
color: var(--text-secondary);
font-size: var(--text-xs);
font-weight: var(--weight-semibold);
text-transform: uppercase;
letter-spacing: 0.06em;
}
.repro-cmd {
flex: 1 1 220px;
min-width: 0;
overflow-wrap: anywhere;
padding: 4px 7px;
border-radius: var(--radius-sm);
background: var(--terminal-bg);
color: var(--terminal-text);
font-size: 0.78rem;
}
.repro-copy-btn {
flex: 0 0 auto;
}
.dynamic-verdict-detail {
display: grid;
gap: var(--space-2);
}
.dynamic-verdict-detail-text {
color: var(--text-secondary);
overflow-wrap: anywhere;
}
.dynamic-attempt-list {
list-style: none;
display: grid;
gap: var(--space-2);
margin: var(--space-2) 0 0;
padding: 0;
}
.attempt-row {
display: grid;
grid-template-columns: minmax(0, 1fr) auto auto;
align-items: center;
gap: var(--space-2);
padding: 8px 10px;
border: 1px solid var(--border-light);
border-radius: 6px;
background: var(--surface);
}
.attempt-row.triggered {
border-color: color-mix(in srgb, var(--success) 35%, var(--border));
background: var(--success-bg);
}
.attempt-row code {
min-width: 0;
overflow-wrap: anywhere;
font-size: 0.8rem;
}
.attempt-outcome,
.attempt-exit-code {
color: var(--text-secondary);
font-size: var(--text-xs);
white-space: nowrap;
}
.attempt-row.triggered .attempt-outcome {
color: var(--success);
font-weight: var(--weight-semibold);
}
@media (max-width: 640px) {
.attempt-row {
grid-template-columns: 1fr;
align-items: start;
}
.attempt-outcome,
.attempt-exit-code {
white-space: normal;
}
}
/* ── Code Viewer Modal ────────────────────────────────────────────── */
.code-modal-overlay {
position: fixed;

36
frontend/src/test/components/dynamicVerdictSection.test.tsx
View file

@ -28,7 +28,9 @@ describe('DynamicVerdictSection', () => {
it('renders Confirmed badge', () => {
render(
<DynamicVerdictSection
verdict={makeVerdict('Confirmed', { triggered_payload: 'sqli-tautology' })}
verdict={makeVerdict('Confirmed', {
triggered_payload: 'sqli-tautology',
})}
/>,
);
expect(screen.getByTestId('verdict-badge-confirmed')).toBeInTheDocument();
@ -36,7 +38,18 @@ describe('DynamicVerdictSection', () => {
it('renders NotConfirmed badge', () => {
render(<DynamicVerdictSection verdict={makeVerdict('NotConfirmed')} />);
expect(screen.getByTestId('verdict-badge-notconfirmed')).toBeInTheDocument();
expect(
screen.getByTestId('verdict-badge-notconfirmed'),
).toBeInTheDocument();
});
it('does not crash when the API omits an empty attempts array', () => {
render(
<DynamicVerdictSection
verdict={{ finding_id: 'no-attempts', status: 'Confirmed' }}
/>,
);
expect(screen.getByTestId('verdict-badge-confirmed')).toBeInTheDocument();
});
it('renders Unsupported badge', () => {
@ -51,10 +64,14 @@ describe('DynamicVerdictSection', () => {
it('renders Inconclusive badge', () => {
render(
<DynamicVerdictSection
verdict={makeVerdict('Inconclusive', { inconclusive_reason: 'BuildFailed' })}
verdict={makeVerdict('Inconclusive', {
inconclusive_reason: 'BuildFailed',
})}
/>,
);
expect(screen.getByTestId('verdict-badge-inconclusive')).toBeInTheDocument();
expect(
screen.getByTestId('verdict-badge-inconclusive'),
).toBeInTheDocument();
});
it('shows repro panel only for Confirmed status', () => {
@ -64,7 +81,11 @@ describe('DynamicVerdictSection', () => {
expect(screen.getByTestId('repro-panel')).toBeInTheDocument();
unmount();
for (const status of ['NotConfirmed', 'Unsupported', 'Inconclusive'] as const) {
for (const status of [
'NotConfirmed',
'Unsupported',
'Inconclusive',
] as const) {
const { unmount: u } = render(
<DynamicVerdictSection verdict={makeVerdict(status)} />,
);
@ -92,8 +113,9 @@ describe('DynamicVerdictSection', () => {
fireEvent.click(copyBtn);
expect(navigator.clipboard.writeText).toHaveBeenCalledOnce();
const calledWith = (navigator.clipboard.writeText as ReturnType<typeof vi.fn>).mock
.calls[0][0] as string;
const calledWith = (
navigator.clipboard.writeText as ReturnType<typeof vi.fn>
).mock.calls[0][0] as string;
expect(calledWith).toContain(findingId);
expect(calledWith).toContain('nyx repro');
});

23
frontend/src/test/components/verdictBadge.test.tsx
View file

@ -24,7 +24,9 @@ describe('VerdictBadge', () => {
it('renders Confirmed badge with flame and correct class', () => {
render(
<VerdictBadge
verdict={makeVerdict('Confirmed', { triggered_payload: 'sqli-tautology' })}
verdict={makeVerdict('Confirmed', {
triggered_payload: 'sqli-tautology',
})}
/>,
);
const badge = screen.getByTestId('verdict-badge-confirmed');
@ -41,6 +43,17 @@ describe('VerdictBadge', () => {
expect(badge.textContent).not.toContain('🔥');
});
it('renders when attempts are omitted by the API', () => {
render(
<VerdictBadge
verdict={{ finding_id: 'test-finding-id', status: 'NotConfirmed' }}
/>,
);
expect(
screen.getByTestId('verdict-badge-notconfirmed'),
).toBeInTheDocument();
});
it('renders Unsupported badge with correct class', () => {
render(
<VerdictBadge
@ -68,7 +81,9 @@ describe('VerdictBadge', () => {
it('tooltip contains payload for Confirmed', () => {
render(
<VerdictBadge
verdict={makeVerdict('Confirmed', { triggered_payload: 'sqli-payload' })}
verdict={makeVerdict('Confirmed', {
triggered_payload: 'sqli-payload',
})}
/>,
);
const badge = screen.getByTestId('verdict-badge-confirmed');
@ -100,7 +115,9 @@ describe('VerdictBadge', () => {
'Inconclusive',
];
for (const status of statuses) {
const { unmount } = render(<VerdictBadge verdict={makeVerdict(status)} />);
const { unmount } = render(
<VerdictBadge verdict={makeVerdict(status)} />,
);
expect(
screen.getByTestId(`verdict-badge-${status.toLowerCase()}`),
).toBeInTheDocument();

2
src/dynamic/build_sandbox.rs
View file

@ -1389,7 +1389,7 @@ struct BuildContainerGuard {
impl Drop for BuildContainerGuard {
fn drop(&mut self) {
let _ = std::process::Command::new(&self.docker)
.args(["stop", "--time=0", &self.name])
.args(["rm", "-f", &self.name])
.stdout(std::process::Stdio::null())
.stderr(std::process::Stdio::null())
.status();

198
src/dynamic/framework/adapters/graphql_apollo.rs
View file

@ -1,8 +1,16 @@
//! Phase 21 (Track M.3) — Apollo GraphQL resolver adapter (JS).
//!
//! Fires when the surrounding source imports `@apollo/server` / the
//! legacy `apollo-server` / `apollo-server-express` package, or the
//! function body sits inside a `Query` / `Mutation` resolver map.
//! legacy `apollo-server` / `apollo-server-express` package AND the
//! function under analysis looks like a resolver: either its name is
//! a key inside a `Query: { … }` / `Mutation: { … }` / `Subscription:
//! { … }` literal block, or its declaration carries the canonical
//! `(parent, args, context, info?)` formal signature.
//!
//! The previous version of this adapter accepted the bare source
//! needle `const resolvers`, which bound every function inside any
//! file that happened to declare such a variable (Phase 21
//! binding-stealing audit follow-up).
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@ -13,14 +21,6 @@ pub struct GraphqlApolloAdapter;
const ADAPTER_NAME: &str = "graphql-apollo";
fn callee_is_apollo(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(
last,
"ApolloServer" | "startStandaloneServer" | "gql" | "applyMiddleware" | "expressMiddleware"
)
}
fn source_imports_apollo(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"@apollo/server",
@ -30,17 +30,96 @@ fn source_imports_apollo(file_bytes: &[u8]) -> bool {
b"from 'apollo-server",
b"from \"apollo-server",
b"new ApolloServer",
b"const resolvers",
];
NEEDLES
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
}
fn name_in_resolver_block(name: &str, file_bytes: &[u8]) -> bool {
if name.is_empty() {
return false;
}
if name.starts_with("Query.")
|| name.starts_with("Mutation.")
|| name.starts_with("Subscription.")
{
return true;
}
let text = match std::str::from_utf8(file_bytes) {
Ok(s) => s,
Err(_) => return false,
};
let bytes = text.as_bytes();
for opener in ["Query:", "Mutation:", "Subscription:"] {
let mut cursor = 0;
while let Some(idx) = text[cursor..].find(opener) {
let after_open = cursor + idx + opener.len();
let rest = &text[after_open..];
let trimmed = rest.trim_start();
if !trimmed.starts_with('{') {
cursor = after_open;
continue;
}
let body_start = after_open + (rest.len() - trimmed.len()) + 1;
let mut depth = 1i32;
let mut i = body_start;
while i < bytes.len() && depth > 0 {
match bytes[i] {
b'{' => depth += 1,
b'}' => depth -= 1,
_ => {}
}
i += 1;
}
let inner_end = i.saturating_sub(1).min(bytes.len());
let inner = &text[body_start..inner_end];
let key_colon = format!("{name}:");
let key_paren = format!("{name}(");
if inner.contains(&key_colon) || inner.contains(&key_paren) {
return true;
}
cursor = inner_end;
}
}
false
}
fn has_resolver_signature(name: &str, file_bytes: &[u8]) -> bool {
if name.is_empty() {
return false;
}
let text = match std::str::from_utf8(file_bytes) {
Ok(s) => s,
Err(_) => return false,
};
const PARENTS: &[&str] = &["parent", "root", "obj", "_"];
const ARGS: &[&str] = &["args", "input", "_args", "params", "variables"];
for p in PARENTS {
for a in ARGS {
let pairs = [
format!("function {name}({p}, {a}"),
format!("function {name}({p},{a}"),
format!("{name} = function({p}, {a}"),
format!("{name} = function({p},{a}"),
format!("{name} = ({p}, {a}"),
format!("{name} = ({p},{a}"),
format!("{name}: function({p}, {a}"),
format!("{name}: function({p},{a}"),
format!("{name}: ({p}, {a}"),
format!("{name}: ({p},{a}"),
format!("{name}({p}, {a}"),
format!("{name}({p},{a}"),
];
if pairs.iter().any(|p| text.contains(p.as_str())) {
return true;
}
}
}
false
}
fn extract_resolver(summary: &FuncSummary) -> (String, String) {
// Best-effort: split a fully-qualified name like `Query.user` into
// `("Query", "user")`. Falls back to ("Query", name) so the
// binding always carries some type_name + field.
if let Some((parent, field)) = summary.name.rsplit_once('.') {
return (parent.to_owned(), field.to_owned());
}
@ -62,21 +141,23 @@ impl FrameworkAdapter for GraphqlApolloAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option<FrameworkBinding> {
let matches_call = super::any_callee_matches(summary, callee_is_apollo);
let matches_source = source_imports_apollo(file_bytes);
if matches_call || matches_source {
let (type_name, field) = extract_resolver(summary);
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::GraphQLResolver { type_name, field },
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
} else {
None
if !source_imports_apollo(file_bytes) {
return None;
}
let in_block = name_in_resolver_block(&summary.name, file_bytes);
let has_sig = has_resolver_signature(&summary.name, file_bytes);
if !(in_block || has_sig) {
return None;
}
let (type_name, field) = extract_resolver(summary);
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::GraphQLResolver { type_name, field },
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
}
}
@ -109,4 +190,65 @@ mod tests {
assert_eq!(field, "user");
}
}
#[test]
fn fires_on_resolver_signature_outside_query_block() {
// Real-world resolver declared as a standalone function with the
// canonical (parent, args, context) signature, exported for use
// in the schema. Matches the dynamic fixture shape.
let src: &[u8] = b"const _NYX_ADAPTER_MARKER = \"require('@apollo/server')\";\n\
function resolveUser(parent, args, ctx) { return args.id; }\n\
module.exports = { resolveUser };\n";
let tree = parse_js(src);
let summary = FuncSummary {
name: "resolveUser".into(),
..Default::default()
};
let binding = GraphqlApolloAdapter
.detect(&summary, tree.root_node(), src)
.expect("standalone resolver binds via signature");
assert_eq!(binding.adapter, "graphql-apollo");
}
#[test]
fn does_not_bind_unrelated_helper_in_apollo_file() {
// File imports Apollo and declares a `Query` block on a
// different field, but the analyser is asking about an unrelated
// helper that neither sits in the resolver block nor has the
// canonical (parent, args) shape.
let src: &[u8] = b"const { ApolloServer } = require('@apollo/server');\n\
function loadConfig() { return { port: 3000 }; }\n\
const resolvers = { Query: { user: () => 'x' } };\n";
let tree = parse_js(src);
let summary = FuncSummary {
name: "loadConfig".into(),
..Default::default()
};
assert!(
GraphqlApolloAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"unrelated helper in an Apollo file must not bind as a resolver",
);
}
#[test]
fn does_not_bind_bare_const_resolvers_outside_apollo() {
// File declares `const resolvers = …` without any Apollo import.
// The old needle `const resolvers` bound this; the tightened
// adapter requires a real Apollo source token first.
let src: &[u8] = b"const resolvers = { foo: () => 'bar' };\n\
function helper() { return 1; }\n";
let tree = parse_js(src);
let summary = FuncSummary {
name: "helper".into(),
..Default::default()
};
assert!(
GraphqlApolloAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"`const resolvers` alone must not bind without an Apollo import",
);
}
}

3
src/dynamic/framework/adapters/middleware_rails.rs
View file

@ -75,8 +75,7 @@ impl FrameworkAdapter for MiddlewareRailsAdapter {
}
let has_middleware_shape = source_has_rack_middleware_shape(file_bytes);
let name_matches = name_is_rack_entry(&summary.name);
let body_mounts_middleware =
super::any_callee_matches(summary, callee_is_rails_middleware);
let body_mounts_middleware = super::any_callee_matches(summary, callee_is_rails_middleware);
let binds = (name_matches && has_middleware_shape) || body_mounts_middleware;
if !binds {
return None;

5
src/dynamic/framework/adapters/migration_laravel.rs
View file

@ -21,7 +21,10 @@ const ADAPTER_NAME: &str = "migration-laravel";
fn callee_is_laravel_migration_ddl(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(last, "create" | "table" | "drop" | "statement" | "unprepared")
matches!(
last,
"create" | "table" | "drop" | "statement" | "unprepared"
)
}
fn source_has_migration_shape(file_bytes: &[u8]) -> bool {

176
src/dynamic/framework/adapters/ruby_hanami.rs
View file

@ -30,11 +30,32 @@ fn class_is_hanami_action(class: Node<'_>, bytes: &[u8]) -> bool {
|| class_includes(class, bytes, "Hanami::Action")
}
/// Walk the file for a `# nyx-route: <METHOD> <path>` comment so
/// fixtures can pin an explicit route without needing the Hanami
/// routes DSL. Defaults to `(GET, "/")` if no marker is found.
fn pinned_route(file_bytes: &[u8], fallback_path: &str) -> (HttpMethod, String) {
let text = std::str::from_utf8(file_bytes).unwrap_or("");
/// Resolve the route metadata for `class_name`. Tries the inline
/// Hanami v2 routes DSL first (`get "/run", to: "RunAction"` inside a
/// `Hanami::Routes` / `routes do` block that co-exists with the
/// action class in the same file), then the synthetic
/// `# nyx-route: <METHOD> <path>` comment fixtures rely on, then
/// finally a `(GET, fallback_path)` default.
///
/// Cross-file routes resolution (`config/routes.rb` + `app/actions/<slug>/<verb>.rb`)
/// still needs a project-level file index on the adapter trait —
/// `FrameworkAdapter::detect` only sees one file at a time.
fn route_for_class(
file_bytes: &[u8],
class_name: &str,
fallback_path: &str,
) -> (HttpMethod, String) {
if let Some(found) = parse_inline_route(file_bytes, class_name) {
return found;
}
if let Some(found) = pinned_comment_route(file_bytes) {
return found;
}
(HttpMethod::GET, fallback_path.to_owned())
}
fn pinned_comment_route(file_bytes: &[u8]) -> Option<(HttpMethod, String)> {
let text = std::str::from_utf8(file_bytes).ok()?;
for line in text.lines() {
let trim = line.trim_start();
if let Some(rest) = trim.strip_prefix("# nyx-route:") {
@ -42,11 +63,70 @@ fn pinned_route(file_bytes: &[u8], fallback_path: &str) -> (HttpMethod, String)
let mut parts = rest.split_ascii_whitespace();
if let (Some(verb), Some(path)) = (parts.next(), parts.next()) {
let method = HttpMethod::from_ident(verb).unwrap_or(HttpMethod::GET);
return (method, path.to_owned());
return Some((method, path.to_owned()));
}
}
}
(HttpMethod::GET, fallback_path.to_owned())
None
}
/// Parse the Hanami v2 routes DSL when the routes file and the action
/// class co-exist in one file. Recognises lines of the form
/// `<verb> "<path>", to: "<target>"` (or single-quoted variants) and
/// matches `<target>` against `class_name` either by exact match or by
/// its `snake_case` form (Hanami's container-key convention,
/// e.g. `to: "actions.run_action"`).
fn parse_inline_route(file_bytes: &[u8], class_name: &str) -> Option<(HttpMethod, String)> {
let text = std::str::from_utf8(file_bytes).ok()?;
let snake = camel_to_snake(class_name);
for raw_line in text.lines() {
let line = raw_line.trim_start();
if let Some(parsed) = parse_route_line(line, class_name, &snake) {
return Some(parsed);
}
}
None
}
fn parse_route_line(line: &str, class_orig: &str, class_snake: &str) -> Option<(HttpMethod, String)> {
let (verb_tok, after) = line.split_once(char::is_whitespace)?;
let method = HttpMethod::from_ident(verb_tok)?;
let after = after.trim_start();
let (path, rest) = parse_quoted(after)?;
let to_idx = rest.find("to:")?;
let after_to = rest[to_idx + 3..].trim_start();
let (target, _) = parse_quoted(after_to)?;
let target_last = target.rsplit_once('.').map(|(_, s)| s).unwrap_or(&target);
if target_last == class_orig || target_last == class_snake {
return Some((method, path));
}
None
}
fn parse_quoted(s: &str) -> Option<(String, &str)> {
let quote = match s.as_bytes().first() {
Some(b'"') => '"',
Some(b'\'') => '\'',
_ => return None,
};
let rest = &s[1..];
let end = rest.find(quote)?;
Some((rest[..end].to_owned(), &rest[end + 1..]))
}
fn camel_to_snake(s: &str) -> String {
let mut out = String::with_capacity(s.len() + 2);
for (i, ch) in s.char_indices() {
if ch.is_ascii_uppercase() {
if i > 0 {
out.push('_');
}
out.push(ch.to_ascii_lowercase());
} else {
out.push(ch);
}
}
out
}
fn hanami_default_path(class_name: &str) -> String {
@ -89,7 +169,7 @@ impl FrameworkAdapter for RubyHanamiAdapter {
}
let cls_name = class_name(class, file_bytes).unwrap_or("Entry");
let default = hanami_default_path(cls_name);
let (http_method, path) = pinned_route(file_bytes, &default);
let (http_method, path) = route_for_class(file_bytes, cls_name, &default);
let formals = method_formal_names(method, file_bytes);
let request_params = bind_path_params(&formals, &path);
Some(FrameworkBinding {
@ -196,6 +276,86 @@ mod tests {
assert!(matches!(req.source, ParamSource::Implicit));
}
#[test]
fn picks_up_inline_routes_dsl_classname_to() {
// Hanami v2 routes DSL co-located with the action class. The
// routes block names the action class via `to: "RunAction"`;
// the adapter must pick up `POST /run` rather than the
// snake-case default.
let src: &[u8] = b"require 'hanami/routes'\n\
require 'hanami/action'\n\
class Routes < Hanami::Routes\n\
post \"/run\", to: \"RunAction\"\n\
end\n\
class RunAction < Hanami::Action\n\
def call(req)\n\
'ok'\n\
end\n\
end\n";
let tree = parse(src);
let binding = RubyHanamiAdapter
.detect(&summary("call"), tree.root_node(), src)
.expect("binding");
let route = binding.route.unwrap();
assert_eq!(route.method, HttpMethod::POST);
assert_eq!(route.path, "/run");
}
#[test]
fn picks_up_inline_routes_dsl_snake_case_to() {
// Hanami v2 supports `to: "actions.run_action"` container-key
// notation in addition to the bare class name. The adapter
// should match `run_action` against the snake_case of
// `RunAction`.
let src: &[u8] = b"require 'hanami/routes'\n\
require 'hanami/action'\n\
class Routes < Hanami::Routes\n\
get \"/u/:id\", to: \"actions.run_action\"\n\
end\n\
class RunAction < Hanami::Action\n\
def call(req, id)\n\
id\n\
end\n\
end\n";
let tree = parse(src);
let binding = RubyHanamiAdapter
.detect(&summary("call"), tree.root_node(), src)
.expect("binding");
let route = binding.route.unwrap();
assert_eq!(route.method, HttpMethod::GET);
assert_eq!(route.path, "/u/:id");
let id = binding
.request_params
.iter()
.find(|p| p.name == "id")
.unwrap();
assert!(matches!(id.source, ParamSource::PathSegment(_)));
}
#[test]
fn inline_routes_dsl_wins_over_pinned_comment() {
// When both an inline routes-DSL line and a `# nyx-route:`
// comment are present, the routes-DSL line wins because it is
// the canonical source of truth.
let src: &[u8] = b"# nyx-route: GET /old\n\
require 'hanami/routes'\n\
class Routes < Hanami::Routes\n\
put \"/new\", to: \"PutAction\"\n\
end\n\
class PutAction < Hanami::Action\n\
def call(req)\n\
'ok'\n\
end\n\
end\n";
let tree = parse(src);
let binding = RubyHanamiAdapter
.detect(&summary("call"), tree.root_node(), src)
.expect("binding");
let route = binding.route.unwrap();
assert_eq!(route.method, HttpMethod::PUT);
assert_eq!(route.path, "/new");
}
#[test]
fn skips_non_hanami_classes() {
let src: &[u8] =

97
src/dynamic/framework/adapters/scheduled_sidekiq.rs
View file

@ -1,8 +1,18 @@
//! Phase 21 (Track M.3) — Ruby Sidekiq worker / scheduled-job adapter.
//!
//! Fires when the surrounding source includes the Sidekiq worker
//! mixin (`include Sidekiq::Worker` / `Sidekiq::Job`) or invokes a
//! Sidekiq scheduling callee (`perform_async`, `perform_in`).
//! Fires when the surrounding source carries a Sidekiq shape marker
//! (`include Sidekiq::Worker` / `Sidekiq::Job` / `sidekiq_options` /
//! `require 'sidekiq'`) AND either the function under analysis is the
//! worker entry point (`perform` / `perform_async` / `perform_in`) or
//! its body schedules a Sidekiq job (calls `perform_async` /
//! `perform_in`).
//!
//! The previous version of this adapter matched the bare callee name
//! `set` as a scheduling signal, which collided with unrelated methods
//! like `Set#add` / `Hash#[]=` (Phase 21 binding-stealing audit
//! follow-up). `set` is now recognised only as part of the Sidekiq
//! shape gate; binding additionally requires the function itself to be
//! a worker entry or to call the real scheduling callees.
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@ -13,12 +23,16 @@ pub struct ScheduledSidekiqAdapter;
const ADAPTER_NAME: &str = "scheduled-sidekiq";
fn callee_is_sidekiq(name: &str) -> bool {
fn callee_schedules_sidekiq(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(last, "perform_async" | "perform_in" | "perform" | "set")
matches!(last, "perform_async" | "perform_in")
}
fn source_imports_sidekiq(file_bytes: &[u8]) -> bool {
fn name_is_sidekiq_entry(name: &str) -> bool {
matches!(name, "perform" | "perform_async" | "perform_in")
}
fn source_has_sidekiq_shape(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"include Sidekiq::Worker",
b"include Sidekiq::Job",
@ -75,22 +89,25 @@ impl FrameworkAdapter for ScheduledSidekiqAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option<FrameworkBinding> {
let matches_call = super::any_callee_matches(summary, callee_is_sidekiq);
let matches_source = source_imports_sidekiq(file_bytes);
if matches_call || matches_source {
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::ScheduledJob {
schedule: extract_schedule(file_bytes),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
} else {
None
let has_shape = source_has_sidekiq_shape(file_bytes);
if !has_shape {
return None;
}
let name_matches = name_is_sidekiq_entry(&summary.name);
let body_schedules = super::any_callee_matches(summary, callee_schedules_sidekiq);
if !(name_matches || body_schedules) {
return None;
}
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::ScheduledJob {
schedule: extract_schedule(file_bytes),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
}
}
@ -119,4 +136,42 @@ mod tests {
assert_eq!(binding.adapter, "scheduled-sidekiq");
assert!(matches!(binding.kind, EntryKind::ScheduledJob { .. }));
}
#[test]
fn does_not_bind_set_method_in_non_sidekiq_file() {
// Method named `set` on a class with no Sidekiq tokens anywhere
// — used to bind because the prior `callee_is_sidekiq` matched
// the bare callee `set`, colliding with `Set#add` / `Hash#[]=`.
let src: &[u8] = b"class MySet\n def set(key, val)\n @h[key] = val\n end\nend\n";
let tree = parse_ruby(src);
let summary = FuncSummary {
name: "set".into(),
..Default::default()
};
assert!(
ScheduledSidekiqAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"bare `set` method outside Sidekiq scope must not bind",
);
}
#[test]
fn does_not_bind_unrelated_method_inside_sidekiq_file() {
// Sidekiq-flavoured file but the analyser is asking about an
// unrelated helper that neither shares the worker entry name
// nor calls `perform_async` / `perform_in`.
let src: &[u8] = b"# include Sidekiq::Worker\nclass MySet\n def set(key)\n @s.add(key)\n end\nend\n";
let tree = parse_ruby(src);
let summary = FuncSummary {
name: "set".into(),
..Default::default()
};
assert!(
ScheduledSidekiqAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"non-worker helper in a Sidekiq file must not bind",
);
}
}

31
src/dynamic/sandbox/mod.rs
View file

@ -19,8 +19,8 @@
//! backend is intentionally weaker and is for dev iteration only.
//!
//! All public state on the sandbox is owned by the caller — there is no
//! global runtime, no daemon. Containers are stopped and removed when the
//! process exits.
//! daemon. Containers are stopped and removed when the caller explicitly
//! cleans up or when the process exits.
use crate::dynamic::harness::BuiltHarness;
use crate::dynamic::oob::OobListener;
@ -679,30 +679,37 @@ fn container_registry() -> &'static dashmap::DashMap<String, String> {
})
}
/// extern "C" fn registered via atexit(3).
///
/// Stops all containers in the registry with --time=0 (immediate SIGKILL).
/// Runs on normal process exit and on `std::process::exit()`. Does not run
/// on SIGKILL; the `sleep 300` in started containers bounds the leak window.
#[cfg(unix)]
extern "C" fn stop_all_containers() {
/// Stop and remove every docker container currently tracked by the verifier.
pub(crate) fn cleanup_docker_containers() {
let Some(reg) = CONTAINER_REGISTRY.get() else {
return;
};
let bin = std::env::var("NYX_DOCKER_BIN").unwrap_or_else(|_| "docker".to_owned());
for entry in reg.iter() {
let names: Vec<String> = reg.iter().map(|entry| entry.key().clone()).collect();
for name in names {
// Remove OOB egress filter before stopping the container so stale
// iptables rules don't accumulate across scans.
#[cfg(target_os = "linux")]
remove_oob_egress_filter(entry.key());
remove_oob_egress_filter(&name);
let _ = std::process::Command::new(&bin)
.args(["stop", "--time=0", entry.key()])
.args(["rm", "-f", &name])
.stdout(std::process::Stdio::null())
.stderr(std::process::Stdio::null())
.status();
reg.remove(&name);
}
}
/// extern "C" fn registered via atexit(3).
///
/// Stops all containers in the registry with an immediate force remove.
/// Runs on normal process exit and on `std::process::exit()`. Does not run
/// on SIGKILL; the `sleep 300` in started containers bounds the leak window.
#[cfg(unix)]
extern "C" fn stop_all_containers() {
cleanup_docker_containers();
}
#[cfg(unix)]
fn register_exit_cleanup() {
unsafe extern "C" {

2
src/server/jobs.rs
View file

@ -268,6 +268,8 @@ impl JobManager {
}
Ok(diags)
});
#[cfg(feature = "dynamic")]
crate::dynamic::sandbox::cleanup_docker_containers();
let elapsed = start.elapsed().as_secs_f64();
// Collect snapshots and do expensive work (post-processing,

6
src/server/models.rs
View file

@ -234,7 +234,11 @@ pub fn collect_filter_values(findings: &[Diag]) -> FilterValues {
}
rules.insert(d.id.clone());
statuses.insert(status_for_diag(d).to_string());
verification_statuses.insert(dynamic_status_for_diag(d).unwrap_or("Unverified").to_string());
verification_statuses.insert(
dynamic_status_for_diag(d)
.unwrap_or("Unverified")
.to_string(),
);
}
// Always include all valid triage states so the filter dropdown is complete

4
src/server/routes/findings.rs
View file

@ -5,8 +5,8 @@ use crate::database::index::Indexer;
use crate::server::app::{AppState, CachedFindings};
use crate::server::error::{ApiError, ApiResult};
use crate::server::models::{
FilterValues, FindingSummary, FindingView, collect_filter_values, finding_from_diag,
finding_from_diag_with_detail, dynamic_status_label, overlay_triage_states, summarize_findings,
FilterValues, FindingSummary, FindingView, collect_filter_values, dynamic_status_label,
finding_from_diag, finding_from_diag_with_detail, overlay_triage_states, summarize_findings,
};
use axum::extract::{Path, Query, State};
use axum::routing::get;

42
src/server/routes/scans.rs
View file

@ -45,6 +45,10 @@ struct StartScanRequest {
verify: Option<bool>,
/// Also verify `Confidence < Medium` findings. Default false.
verify_all_confidence: Option<bool>,
/// Dynamic verification backend: "auto" | "docker" | "process" | "firecracker".
verify_backend: Option<String>,
/// Process-backend hardening profile: "standard" | "strict".
harden_profile: Option<String>,
#[allow(dead_code)]
languages: Option<Vec<String>>,
#[allow(dead_code)]
@ -89,6 +93,38 @@ fn apply_engine_profile(
Ok(())
}
fn apply_verify_backend(
config: &mut crate::utils::config::Config,
backend: &str,
) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
let backend = backend.to_ascii_lowercase();
match backend.as_str() {
"auto" | "docker" | "process" | "firecracker" => {
config.scanner.verify_backend = backend;
Ok(())
}
_ => Err(bad_request(
"verify_backend must be one of: auto, docker, process, firecracker",
)),
}
}
fn apply_harden_profile(
config: &mut crate::utils::config::Config,
profile: &str,
) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
let profile = profile.to_ascii_lowercase();
match profile.as_str() {
"standard" | "strict" => {
config.scanner.harden_profile = profile;
Ok(())
}
_ => Err(bad_request(
"harden_profile must be one of: standard, strict",
)),
}
}
async fn start_scan(
State(state): State<AppState>,
body: Option<Json<StartScanRequest>>,
@ -125,6 +161,12 @@ async fn start_scan(
if req.verify_all_confidence == Some(true) {
config.scanner.verify_all_confidence = true;
}
if let Some(ref backend) = req.verify_backend {
apply_verify_backend(&mut config, backend)?;
}
if let Some(ref profile) = req.harden_profile {
apply_harden_profile(&mut config, profile)?;
}
#[cfg(not(feature = "dynamic"))]
if config.scanner.verify || config.scanner.verify_all_confidence {