diff --git a/frontend/src/styles/global.css b/frontend/src/styles/global.css
index 5a08df74..3d5b2922 100644
--- a/frontend/src/styles/global.css
+++ b/frontend/src/styles/global.css
@@ -2504,6 +2504,139 @@ tr.selected td {
color: var(--text);
}
+/* ── Finding Detail: dynamic verification ─────────────────────────── */
+.badge-dyn-confirmed {
+ background: var(--success-bg);
+ color: var(--success);
+}
+.badge-dyn-notconfirmed {
+ background: var(--bg-secondary);
+ color: var(--text-secondary);
+}
+.badge-dyn-inconclusive {
+ background: var(--sev-medium-bg);
+ color: var(--sev-medium);
+}
+.badge-dyn-unsupported {
+ background: var(--conf-low-bg);
+ color: var(--conf-low);
+}
+.dynamic-verdict-section {
+ display: flex;
+ flex-direction: column;
+ gap: var(--space-3);
+ font-size: var(--text-sm);
+ line-height: 1.45;
+}
+.dynamic-verdict-badge-row {
+ display: flex;
+ align-items: center;
+ flex-wrap: wrap;
+ gap: var(--space-2);
+}
+.dynamic-toolchain-match {
+ display: inline-flex;
+ align-items: center;
+ min-height: 22px;
+ padding: 2px 8px;
+ border: 1px solid var(--border);
+ border-radius: var(--radius-sm);
+ background: var(--bg-secondary);
+ color: var(--text-secondary);
+ font-size: var(--text-xs);
+}
+.repro-panel,
+.dynamic-verdict-detail,
+.dynamic-attempts {
+ border: 1px solid var(--border-light);
+ border-radius: 6px;
+ background: var(--bg);
+ padding: var(--space-3);
+}
+.repro-cmd-row {
+ display: flex;
+ align-items: center;
+ gap: var(--space-2);
+ min-width: 0;
+ flex-wrap: wrap;
+}
+.repro-label,
+.dynamic-attempts > strong,
+.dynamic-verdict-detail strong {
+ color: var(--text-secondary);
+ font-size: var(--text-xs);
+ font-weight: var(--weight-semibold);
+ text-transform: uppercase;
+ letter-spacing: 0.06em;
+}
+.repro-cmd {
+ flex: 1 1 220px;
+ min-width: 0;
+ overflow-wrap: anywhere;
+ padding: 4px 7px;
+ border-radius: var(--radius-sm);
+ background: var(--terminal-bg);
+ color: var(--terminal-text);
+ font-size: 0.78rem;
+}
+.repro-copy-btn {
+ flex: 0 0 auto;
+}
+.dynamic-verdict-detail {
+ display: grid;
+ gap: var(--space-2);
+}
+.dynamic-verdict-detail-text {
+ color: var(--text-secondary);
+ overflow-wrap: anywhere;
+}
+.dynamic-attempt-list {
+ list-style: none;
+ display: grid;
+ gap: var(--space-2);
+ margin: var(--space-2) 0 0;
+ padding: 0;
+}
+.attempt-row {
+ display: grid;
+ grid-template-columns: minmax(0, 1fr) auto auto;
+ align-items: center;
+ gap: var(--space-2);
+ padding: 8px 10px;
+ border: 1px solid var(--border-light);
+ border-radius: 6px;
+ background: var(--surface);
+}
+.attempt-row.triggered {
+ border-color: color-mix(in srgb, var(--success) 35%, var(--border));
+ background: var(--success-bg);
+}
+.attempt-row code {
+ min-width: 0;
+ overflow-wrap: anywhere;
+ font-size: 0.8rem;
+}
+.attempt-outcome,
+.attempt-exit-code {
+ color: var(--text-secondary);
+ font-size: var(--text-xs);
+ white-space: nowrap;
+}
+.attempt-row.triggered .attempt-outcome {
+ color: var(--success);
+ font-weight: var(--weight-semibold);
+}
+@media (max-width: 640px) {
+ .attempt-row {
+ grid-template-columns: 1fr;
+ align-items: start;
+ }
+ .attempt-outcome,
+ .attempt-exit-code {
+ white-space: normal;
+ }
+}
+
/* ── Code Viewer Modal ────────────────────────────────────────────── */
.code-modal-overlay {
position: fixed;
diff --git a/frontend/src/test/components/dynamicVerdictSection.test.tsx b/frontend/src/test/components/dynamicVerdictSection.test.tsx
index 26758288..26ed1f3e 100644
--- a/frontend/src/test/components/dynamicVerdictSection.test.tsx
+++ b/frontend/src/test/components/dynamicVerdictSection.test.tsx
@@ -28,7 +28,9 @@ describe('DynamicVerdictSection', () => {
it('renders Confirmed badge', () => {
render(
,
);
expect(screen.getByTestId('verdict-badge-confirmed')).toBeInTheDocument();
@@ -36,7 +38,18 @@ describe('DynamicVerdictSection', () => {
it('renders NotConfirmed badge', () => {
render();
- expect(screen.getByTestId('verdict-badge-notconfirmed')).toBeInTheDocument();
+ expect(
+ screen.getByTestId('verdict-badge-notconfirmed'),
+ ).toBeInTheDocument();
+ });
+
+ it('does not crash when the API omits an empty attempts array', () => {
+ render(
+ ,
+ );
+ expect(screen.getByTestId('verdict-badge-confirmed')).toBeInTheDocument();
});
it('renders Unsupported badge', () => {
@@ -51,10 +64,14 @@ describe('DynamicVerdictSection', () => {
it('renders Inconclusive badge', () => {
render(
,
);
- expect(screen.getByTestId('verdict-badge-inconclusive')).toBeInTheDocument();
+ expect(
+ screen.getByTestId('verdict-badge-inconclusive'),
+ ).toBeInTheDocument();
});
it('shows repro panel only for Confirmed status', () => {
@@ -64,7 +81,11 @@ describe('DynamicVerdictSection', () => {
expect(screen.getByTestId('repro-panel')).toBeInTheDocument();
unmount();
- for (const status of ['NotConfirmed', 'Unsupported', 'Inconclusive'] as const) {
+ for (const status of [
+ 'NotConfirmed',
+ 'Unsupported',
+ 'Inconclusive',
+ ] as const) {
const { unmount: u } = render(
,
);
@@ -92,8 +113,9 @@ describe('DynamicVerdictSection', () => {
fireEvent.click(copyBtn);
expect(navigator.clipboard.writeText).toHaveBeenCalledOnce();
- const calledWith = (navigator.clipboard.writeText as ReturnType).mock
- .calls[0][0] as string;
+ const calledWith = (
+ navigator.clipboard.writeText as ReturnType
+ ).mock.calls[0][0] as string;
expect(calledWith).toContain(findingId);
expect(calledWith).toContain('nyx repro');
});
diff --git a/frontend/src/test/components/verdictBadge.test.tsx b/frontend/src/test/components/verdictBadge.test.tsx
index 1380bd12..9a55c338 100644
--- a/frontend/src/test/components/verdictBadge.test.tsx
+++ b/frontend/src/test/components/verdictBadge.test.tsx
@@ -24,7 +24,9 @@ describe('VerdictBadge', () => {
it('renders Confirmed badge with flame and correct class', () => {
render(
,
);
const badge = screen.getByTestId('verdict-badge-confirmed');
@@ -41,6 +43,17 @@ describe('VerdictBadge', () => {
expect(badge.textContent).not.toContain('🔥');
});
+ it('renders when attempts are omitted by the API', () => {
+ render(
+ ,
+ );
+ expect(
+ screen.getByTestId('verdict-badge-notconfirmed'),
+ ).toBeInTheDocument();
+ });
+
it('renders Unsupported badge with correct class', () => {
render(
{
it('tooltip contains payload for Confirmed', () => {
render(
,
);
const badge = screen.getByTestId('verdict-badge-confirmed');
@@ -100,7 +115,9 @@ describe('VerdictBadge', () => {
'Inconclusive',
];
for (const status of statuses) {
- const { unmount } = render();
+ const { unmount } = render(
+ ,
+ );
expect(
screen.getByTestId(`verdict-badge-${status.toLowerCase()}`),
).toBeInTheDocument();
diff --git a/src/dynamic/build_sandbox.rs b/src/dynamic/build_sandbox.rs
index 93c9f669..d04b85fb 100644
--- a/src/dynamic/build_sandbox.rs
+++ b/src/dynamic/build_sandbox.rs
@@ -1389,7 +1389,7 @@ struct BuildContainerGuard {
impl Drop for BuildContainerGuard {
fn drop(&mut self) {
let _ = std::process::Command::new(&self.docker)
- .args(["stop", "--time=0", &self.name])
+ .args(["rm", "-f", &self.name])
.stdout(std::process::Stdio::null())
.stderr(std::process::Stdio::null())
.status();
diff --git a/src/dynamic/framework/adapters/graphql_apollo.rs b/src/dynamic/framework/adapters/graphql_apollo.rs
index 24f3e3f5..ad36003b 100644
--- a/src/dynamic/framework/adapters/graphql_apollo.rs
+++ b/src/dynamic/framework/adapters/graphql_apollo.rs
@@ -1,8 +1,16 @@
//! Phase 21 (Track M.3) — Apollo GraphQL resolver adapter (JS).
//!
//! Fires when the surrounding source imports `@apollo/server` / the
-//! legacy `apollo-server` / `apollo-server-express` package, or the
-//! function body sits inside a `Query` / `Mutation` resolver map.
+//! legacy `apollo-server` / `apollo-server-express` package AND the
+//! function under analysis looks like a resolver: either its name is
+//! a key inside a `Query: { … }` / `Mutation: { … }` / `Subscription:
+//! { … }` literal block, or its declaration carries the canonical
+//! `(parent, args, context, info?)` formal signature.
+//!
+//! The previous version of this adapter accepted the bare source
+//! needle `const resolvers`, which bound every function inside any
+//! file that happened to declare such a variable (Phase 21
+//! binding-stealing audit follow-up).
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@@ -13,14 +21,6 @@ pub struct GraphqlApolloAdapter;
const ADAPTER_NAME: &str = "graphql-apollo";
-fn callee_is_apollo(name: &str) -> bool {
- let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
- matches!(
- last,
- "ApolloServer" | "startStandaloneServer" | "gql" | "applyMiddleware" | "expressMiddleware"
- )
-}
-
fn source_imports_apollo(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"@apollo/server",
@@ -30,17 +30,96 @@ fn source_imports_apollo(file_bytes: &[u8]) -> bool {
b"from 'apollo-server",
b"from \"apollo-server",
b"new ApolloServer",
- b"const resolvers",
];
NEEDLES
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
}
+fn name_in_resolver_block(name: &str, file_bytes: &[u8]) -> bool {
+ if name.is_empty() {
+ return false;
+ }
+ if name.starts_with("Query.")
+ || name.starts_with("Mutation.")
+ || name.starts_with("Subscription.")
+ {
+ return true;
+ }
+ let text = match std::str::from_utf8(file_bytes) {
+ Ok(s) => s,
+ Err(_) => return false,
+ };
+ let bytes = text.as_bytes();
+ for opener in ["Query:", "Mutation:", "Subscription:"] {
+ let mut cursor = 0;
+ while let Some(idx) = text[cursor..].find(opener) {
+ let after_open = cursor + idx + opener.len();
+ let rest = &text[after_open..];
+ let trimmed = rest.trim_start();
+ if !trimmed.starts_with('{') {
+ cursor = after_open;
+ continue;
+ }
+ let body_start = after_open + (rest.len() - trimmed.len()) + 1;
+ let mut depth = 1i32;
+ let mut i = body_start;
+ while i < bytes.len() && depth > 0 {
+ match bytes[i] {
+ b'{' => depth += 1,
+ b'}' => depth -= 1,
+ _ => {}
+ }
+ i += 1;
+ }
+ let inner_end = i.saturating_sub(1).min(bytes.len());
+ let inner = &text[body_start..inner_end];
+ let key_colon = format!("{name}:");
+ let key_paren = format!("{name}(");
+ if inner.contains(&key_colon) || inner.contains(&key_paren) {
+ return true;
+ }
+ cursor = inner_end;
+ }
+ }
+ false
+}
+
+fn has_resolver_signature(name: &str, file_bytes: &[u8]) -> bool {
+ if name.is_empty() {
+ return false;
+ }
+ let text = match std::str::from_utf8(file_bytes) {
+ Ok(s) => s,
+ Err(_) => return false,
+ };
+ const PARENTS: &[&str] = &["parent", "root", "obj", "_"];
+ const ARGS: &[&str] = &["args", "input", "_args", "params", "variables"];
+ for p in PARENTS {
+ for a in ARGS {
+ let pairs = [
+ format!("function {name}({p}, {a}"),
+ format!("function {name}({p},{a}"),
+ format!("{name} = function({p}, {a}"),
+ format!("{name} = function({p},{a}"),
+ format!("{name} = ({p}, {a}"),
+ format!("{name} = ({p},{a}"),
+ format!("{name}: function({p}, {a}"),
+ format!("{name}: function({p},{a}"),
+ format!("{name}: ({p}, {a}"),
+ format!("{name}: ({p},{a}"),
+ format!("{name}({p}, {a}"),
+ format!("{name}({p},{a}"),
+ ];
+ if pairs.iter().any(|p| text.contains(p.as_str())) {
+ return true;
+ }
+ }
+ }
+ false
+}
+
fn extract_resolver(summary: &FuncSummary) -> (String, String) {
- // Best-effort: split a fully-qualified name like `Query.user` into
- // `("Query", "user")`. Falls back to ("Query", name) so the
- // binding always carries some type_name + field.
if let Some((parent, field)) = summary.name.rsplit_once('.') {
return (parent.to_owned(), field.to_owned());
}
@@ -62,21 +141,23 @@ impl FrameworkAdapter for GraphqlApolloAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option {
- let matches_call = super::any_callee_matches(summary, callee_is_apollo);
- let matches_source = source_imports_apollo(file_bytes);
- if matches_call || matches_source {
- let (type_name, field) = extract_resolver(summary);
- Some(FrameworkBinding {
- adapter: ADAPTER_NAME.to_owned(),
- kind: EntryKind::GraphQLResolver { type_name, field },
- route: None,
- request_params: Vec::new(),
- response_writer: None,
- middleware: Vec::new(),
- })
- } else {
- None
+ if !source_imports_apollo(file_bytes) {
+ return None;
}
+ let in_block = name_in_resolver_block(&summary.name, file_bytes);
+ let has_sig = has_resolver_signature(&summary.name, file_bytes);
+ if !(in_block || has_sig) {
+ return None;
+ }
+ let (type_name, field) = extract_resolver(summary);
+ Some(FrameworkBinding {
+ adapter: ADAPTER_NAME.to_owned(),
+ kind: EntryKind::GraphQLResolver { type_name, field },
+ route: None,
+ request_params: Vec::new(),
+ response_writer: None,
+ middleware: Vec::new(),
+ })
}
}
@@ -109,4 +190,65 @@ mod tests {
assert_eq!(field, "user");
}
}
+
+ #[test]
+ fn fires_on_resolver_signature_outside_query_block() {
+ // Real-world resolver declared as a standalone function with the
+ // canonical (parent, args, context) signature, exported for use
+ // in the schema. Matches the dynamic fixture shape.
+ let src: &[u8] = b"const _NYX_ADAPTER_MARKER = \"require('@apollo/server')\";\n\
+ function resolveUser(parent, args, ctx) { return args.id; }\n\
+ module.exports = { resolveUser };\n";
+ let tree = parse_js(src);
+ let summary = FuncSummary {
+ name: "resolveUser".into(),
+ ..Default::default()
+ };
+ let binding = GraphqlApolloAdapter
+ .detect(&summary, tree.root_node(), src)
+ .expect("standalone resolver binds via signature");
+ assert_eq!(binding.adapter, "graphql-apollo");
+ }
+
+ #[test]
+ fn does_not_bind_unrelated_helper_in_apollo_file() {
+ // File imports Apollo and declares a `Query` block on a
+ // different field, but the analyser is asking about an unrelated
+ // helper that neither sits in the resolver block nor has the
+ // canonical (parent, args) shape.
+ let src: &[u8] = b"const { ApolloServer } = require('@apollo/server');\n\
+ function loadConfig() { return { port: 3000 }; }\n\
+ const resolvers = { Query: { user: () => 'x' } };\n";
+ let tree = parse_js(src);
+ let summary = FuncSummary {
+ name: "loadConfig".into(),
+ ..Default::default()
+ };
+ assert!(
+ GraphqlApolloAdapter
+ .detect(&summary, tree.root_node(), src)
+ .is_none(),
+ "unrelated helper in an Apollo file must not bind as a resolver",
+ );
+ }
+
+ #[test]
+ fn does_not_bind_bare_const_resolvers_outside_apollo() {
+ // File declares `const resolvers = …` without any Apollo import.
+ // The old needle `const resolvers` bound this; the tightened
+ // adapter requires a real Apollo source token first.
+ let src: &[u8] = b"const resolvers = { foo: () => 'bar' };\n\
+ function helper() { return 1; }\n";
+ let tree = parse_js(src);
+ let summary = FuncSummary {
+ name: "helper".into(),
+ ..Default::default()
+ };
+ assert!(
+ GraphqlApolloAdapter
+ .detect(&summary, tree.root_node(), src)
+ .is_none(),
+ "`const resolvers` alone must not bind without an Apollo import",
+ );
+ }
}
diff --git a/src/dynamic/framework/adapters/middleware_rails.rs b/src/dynamic/framework/adapters/middleware_rails.rs
index 10ad4f28..68e467b2 100644
--- a/src/dynamic/framework/adapters/middleware_rails.rs
+++ b/src/dynamic/framework/adapters/middleware_rails.rs
@@ -75,8 +75,7 @@ impl FrameworkAdapter for MiddlewareRailsAdapter {
}
let has_middleware_shape = source_has_rack_middleware_shape(file_bytes);
let name_matches = name_is_rack_entry(&summary.name);
- let body_mounts_middleware =
- super::any_callee_matches(summary, callee_is_rails_middleware);
+ let body_mounts_middleware = super::any_callee_matches(summary, callee_is_rails_middleware);
let binds = (name_matches && has_middleware_shape) || body_mounts_middleware;
if !binds {
return None;
diff --git a/src/dynamic/framework/adapters/migration_laravel.rs b/src/dynamic/framework/adapters/migration_laravel.rs
index 2a96de31..236d88bc 100644
--- a/src/dynamic/framework/adapters/migration_laravel.rs
+++ b/src/dynamic/framework/adapters/migration_laravel.rs
@@ -21,7 +21,10 @@ const ADAPTER_NAME: &str = "migration-laravel";
fn callee_is_laravel_migration_ddl(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
- matches!(last, "create" | "table" | "drop" | "statement" | "unprepared")
+ matches!(
+ last,
+ "create" | "table" | "drop" | "statement" | "unprepared"
+ )
}
fn source_has_migration_shape(file_bytes: &[u8]) -> bool {
diff --git a/src/dynamic/framework/adapters/ruby_hanami.rs b/src/dynamic/framework/adapters/ruby_hanami.rs
index d65b3ff2..a00511f2 100644
--- a/src/dynamic/framework/adapters/ruby_hanami.rs
+++ b/src/dynamic/framework/adapters/ruby_hanami.rs
@@ -30,11 +30,32 @@ fn class_is_hanami_action(class: Node<'_>, bytes: &[u8]) -> bool {
|| class_includes(class, bytes, "Hanami::Action")
}
-/// Walk the file for a `# nyx-route: ` comment so
-/// fixtures can pin an explicit route without needing the Hanami
-/// routes DSL. Defaults to `(GET, "/")` if no marker is found.
-fn pinned_route(file_bytes: &[u8], fallback_path: &str) -> (HttpMethod, String) {
- let text = std::str::from_utf8(file_bytes).unwrap_or("");
+/// Resolve the route metadata for `class_name`. Tries the inline
+/// Hanami v2 routes DSL first (`get "/run", to: "RunAction"` inside a
+/// `Hanami::Routes` / `routes do` block that co-exists with the
+/// action class in the same file), then the synthetic
+/// `# nyx-route: ` comment fixtures rely on, then
+/// finally a `(GET, fallback_path)` default.
+///
+/// Cross-file routes resolution (`config/routes.rb` + `app/actions//.rb`)
+/// still needs a project-level file index on the adapter trait —
+/// `FrameworkAdapter::detect` only sees one file at a time.
+fn route_for_class(
+ file_bytes: &[u8],
+ class_name: &str,
+ fallback_path: &str,
+) -> (HttpMethod, String) {
+ if let Some(found) = parse_inline_route(file_bytes, class_name) {
+ return found;
+ }
+ if let Some(found) = pinned_comment_route(file_bytes) {
+ return found;
+ }
+ (HttpMethod::GET, fallback_path.to_owned())
+}
+
+fn pinned_comment_route(file_bytes: &[u8]) -> Option<(HttpMethod, String)> {
+ let text = std::str::from_utf8(file_bytes).ok()?;
for line in text.lines() {
let trim = line.trim_start();
if let Some(rest) = trim.strip_prefix("# nyx-route:") {
@@ -42,11 +63,70 @@ fn pinned_route(file_bytes: &[u8], fallback_path: &str) -> (HttpMethod, String)
let mut parts = rest.split_ascii_whitespace();
if let (Some(verb), Some(path)) = (parts.next(), parts.next()) {
let method = HttpMethod::from_ident(verb).unwrap_or(HttpMethod::GET);
- return (method, path.to_owned());
+ return Some((method, path.to_owned()));
}
}
}
- (HttpMethod::GET, fallback_path.to_owned())
+ None
+}
+
+/// Parse the Hanami v2 routes DSL when the routes file and the action
+/// class co-exist in one file. Recognises lines of the form
+/// ` "", to: ""` (or single-quoted variants) and
+/// matches `` against `class_name` either by exact match or by
+/// its `snake_case` form (Hanami's container-key convention,
+/// e.g. `to: "actions.run_action"`).
+fn parse_inline_route(file_bytes: &[u8], class_name: &str) -> Option<(HttpMethod, String)> {
+ let text = std::str::from_utf8(file_bytes).ok()?;
+ let snake = camel_to_snake(class_name);
+ for raw_line in text.lines() {
+ let line = raw_line.trim_start();
+ if let Some(parsed) = parse_route_line(line, class_name, &snake) {
+ return Some(parsed);
+ }
+ }
+ None
+}
+
+fn parse_route_line(line: &str, class_orig: &str, class_snake: &str) -> Option<(HttpMethod, String)> {
+ let (verb_tok, after) = line.split_once(char::is_whitespace)?;
+ let method = HttpMethod::from_ident(verb_tok)?;
+ let after = after.trim_start();
+ let (path, rest) = parse_quoted(after)?;
+ let to_idx = rest.find("to:")?;
+ let after_to = rest[to_idx + 3..].trim_start();
+ let (target, _) = parse_quoted(after_to)?;
+ let target_last = target.rsplit_once('.').map(|(_, s)| s).unwrap_or(&target);
+ if target_last == class_orig || target_last == class_snake {
+ return Some((method, path));
+ }
+ None
+}
+
+fn parse_quoted(s: &str) -> Option<(String, &str)> {
+ let quote = match s.as_bytes().first() {
+ Some(b'"') => '"',
+ Some(b'\'') => '\'',
+ _ => return None,
+ };
+ let rest = &s[1..];
+ let end = rest.find(quote)?;
+ Some((rest[..end].to_owned(), &rest[end + 1..]))
+}
+
+fn camel_to_snake(s: &str) -> String {
+ let mut out = String::with_capacity(s.len() + 2);
+ for (i, ch) in s.char_indices() {
+ if ch.is_ascii_uppercase() {
+ if i > 0 {
+ out.push('_');
+ }
+ out.push(ch.to_ascii_lowercase());
+ } else {
+ out.push(ch);
+ }
+ }
+ out
}
fn hanami_default_path(class_name: &str) -> String {
@@ -89,7 +169,7 @@ impl FrameworkAdapter for RubyHanamiAdapter {
}
let cls_name = class_name(class, file_bytes).unwrap_or("Entry");
let default = hanami_default_path(cls_name);
- let (http_method, path) = pinned_route(file_bytes, &default);
+ let (http_method, path) = route_for_class(file_bytes, cls_name, &default);
let formals = method_formal_names(method, file_bytes);
let request_params = bind_path_params(&formals, &path);
Some(FrameworkBinding {
@@ -196,6 +276,86 @@ mod tests {
assert!(matches!(req.source, ParamSource::Implicit));
}
+ #[test]
+ fn picks_up_inline_routes_dsl_classname_to() {
+ // Hanami v2 routes DSL co-located with the action class. The
+ // routes block names the action class via `to: "RunAction"`;
+ // the adapter must pick up `POST /run` rather than the
+ // snake-case default.
+ let src: &[u8] = b"require 'hanami/routes'\n\
+ require 'hanami/action'\n\
+ class Routes < Hanami::Routes\n\
+ post \"/run\", to: \"RunAction\"\n\
+ end\n\
+ class RunAction < Hanami::Action\n\
+ def call(req)\n\
+ 'ok'\n\
+ end\n\
+ end\n";
+ let tree = parse(src);
+ let binding = RubyHanamiAdapter
+ .detect(&summary("call"), tree.root_node(), src)
+ .expect("binding");
+ let route = binding.route.unwrap();
+ assert_eq!(route.method, HttpMethod::POST);
+ assert_eq!(route.path, "/run");
+ }
+
+ #[test]
+ fn picks_up_inline_routes_dsl_snake_case_to() {
+ // Hanami v2 supports `to: "actions.run_action"` container-key
+ // notation in addition to the bare class name. The adapter
+ // should match `run_action` against the snake_case of
+ // `RunAction`.
+ let src: &[u8] = b"require 'hanami/routes'\n\
+ require 'hanami/action'\n\
+ class Routes < Hanami::Routes\n\
+ get \"/u/:id\", to: \"actions.run_action\"\n\
+ end\n\
+ class RunAction < Hanami::Action\n\
+ def call(req, id)\n\
+ id\n\
+ end\n\
+ end\n";
+ let tree = parse(src);
+ let binding = RubyHanamiAdapter
+ .detect(&summary("call"), tree.root_node(), src)
+ .expect("binding");
+ let route = binding.route.unwrap();
+ assert_eq!(route.method, HttpMethod::GET);
+ assert_eq!(route.path, "/u/:id");
+ let id = binding
+ .request_params
+ .iter()
+ .find(|p| p.name == "id")
+ .unwrap();
+ assert!(matches!(id.source, ParamSource::PathSegment(_)));
+ }
+
+ #[test]
+ fn inline_routes_dsl_wins_over_pinned_comment() {
+ // When both an inline routes-DSL line and a `# nyx-route:`
+ // comment are present, the routes-DSL line wins because it is
+ // the canonical source of truth.
+ let src: &[u8] = b"# nyx-route: GET /old\n\
+ require 'hanami/routes'\n\
+ class Routes < Hanami::Routes\n\
+ put \"/new\", to: \"PutAction\"\n\
+ end\n\
+ class PutAction < Hanami::Action\n\
+ def call(req)\n\
+ 'ok'\n\
+ end\n\
+ end\n";
+ let tree = parse(src);
+ let binding = RubyHanamiAdapter
+ .detect(&summary("call"), tree.root_node(), src)
+ .expect("binding");
+ let route = binding.route.unwrap();
+ assert_eq!(route.method, HttpMethod::PUT);
+ assert_eq!(route.path, "/new");
+ }
+
#[test]
fn skips_non_hanami_classes() {
let src: &[u8] =
diff --git a/src/dynamic/framework/adapters/scheduled_sidekiq.rs b/src/dynamic/framework/adapters/scheduled_sidekiq.rs
index 7d6189e3..81492fed 100644
--- a/src/dynamic/framework/adapters/scheduled_sidekiq.rs
+++ b/src/dynamic/framework/adapters/scheduled_sidekiq.rs
@@ -1,8 +1,18 @@
//! Phase 21 (Track M.3) — Ruby Sidekiq worker / scheduled-job adapter.
//!
-//! Fires when the surrounding source includes the Sidekiq worker
-//! mixin (`include Sidekiq::Worker` / `Sidekiq::Job`) or invokes a
-//! Sidekiq scheduling callee (`perform_async`, `perform_in`).
+//! Fires when the surrounding source carries a Sidekiq shape marker
+//! (`include Sidekiq::Worker` / `Sidekiq::Job` / `sidekiq_options` /
+//! `require 'sidekiq'`) AND either the function under analysis is the
+//! worker entry point (`perform` / `perform_async` / `perform_in`) or
+//! its body schedules a Sidekiq job (calls `perform_async` /
+//! `perform_in`).
+//!
+//! The previous version of this adapter matched the bare callee name
+//! `set` as a scheduling signal, which collided with unrelated methods
+//! like `Set#add` / `Hash#[]=` (Phase 21 binding-stealing audit
+//! follow-up). `set` is now recognised only as part of the Sidekiq
+//! shape gate; binding additionally requires the function itself to be
+//! a worker entry or to call the real scheduling callees.
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@@ -13,12 +23,16 @@ pub struct ScheduledSidekiqAdapter;
const ADAPTER_NAME: &str = "scheduled-sidekiq";
-fn callee_is_sidekiq(name: &str) -> bool {
+fn callee_schedules_sidekiq(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
- matches!(last, "perform_async" | "perform_in" | "perform" | "set")
+ matches!(last, "perform_async" | "perform_in")
}
-fn source_imports_sidekiq(file_bytes: &[u8]) -> bool {
+fn name_is_sidekiq_entry(name: &str) -> bool {
+ matches!(name, "perform" | "perform_async" | "perform_in")
+}
+
+fn source_has_sidekiq_shape(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"include Sidekiq::Worker",
b"include Sidekiq::Job",
@@ -75,22 +89,25 @@ impl FrameworkAdapter for ScheduledSidekiqAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option {
- let matches_call = super::any_callee_matches(summary, callee_is_sidekiq);
- let matches_source = source_imports_sidekiq(file_bytes);
- if matches_call || matches_source {
- Some(FrameworkBinding {
- adapter: ADAPTER_NAME.to_owned(),
- kind: EntryKind::ScheduledJob {
- schedule: extract_schedule(file_bytes),
- },
- route: None,
- request_params: Vec::new(),
- response_writer: None,
- middleware: Vec::new(),
- })
- } else {
- None
+ let has_shape = source_has_sidekiq_shape(file_bytes);
+ if !has_shape {
+ return None;
}
+ let name_matches = name_is_sidekiq_entry(&summary.name);
+ let body_schedules = super::any_callee_matches(summary, callee_schedules_sidekiq);
+ if !(name_matches || body_schedules) {
+ return None;
+ }
+ Some(FrameworkBinding {
+ adapter: ADAPTER_NAME.to_owned(),
+ kind: EntryKind::ScheduledJob {
+ schedule: extract_schedule(file_bytes),
+ },
+ route: None,
+ request_params: Vec::new(),
+ response_writer: None,
+ middleware: Vec::new(),
+ })
}
}
@@ -119,4 +136,42 @@ mod tests {
assert_eq!(binding.adapter, "scheduled-sidekiq");
assert!(matches!(binding.kind, EntryKind::ScheduledJob { .. }));
}
+
+ #[test]
+ fn does_not_bind_set_method_in_non_sidekiq_file() {
+ // Method named `set` on a class with no Sidekiq tokens anywhere
+ // — used to bind because the prior `callee_is_sidekiq` matched
+ // the bare callee `set`, colliding with `Set#add` / `Hash#[]=`.
+ let src: &[u8] = b"class MySet\n def set(key, val)\n @h[key] = val\n end\nend\n";
+ let tree = parse_ruby(src);
+ let summary = FuncSummary {
+ name: "set".into(),
+ ..Default::default()
+ };
+ assert!(
+ ScheduledSidekiqAdapter
+ .detect(&summary, tree.root_node(), src)
+ .is_none(),
+ "bare `set` method outside Sidekiq scope must not bind",
+ );
+ }
+
+ #[test]
+ fn does_not_bind_unrelated_method_inside_sidekiq_file() {
+ // Sidekiq-flavoured file but the analyser is asking about an
+ // unrelated helper that neither shares the worker entry name
+ // nor calls `perform_async` / `perform_in`.
+ let src: &[u8] = b"# include Sidekiq::Worker\nclass MySet\n def set(key)\n @s.add(key)\n end\nend\n";
+ let tree = parse_ruby(src);
+ let summary = FuncSummary {
+ name: "set".into(),
+ ..Default::default()
+ };
+ assert!(
+ ScheduledSidekiqAdapter
+ .detect(&summary, tree.root_node(), src)
+ .is_none(),
+ "non-worker helper in a Sidekiq file must not bind",
+ );
+ }
}
diff --git a/src/dynamic/sandbox/mod.rs b/src/dynamic/sandbox/mod.rs
index 3637e7f7..ccadc62e 100644
--- a/src/dynamic/sandbox/mod.rs
+++ b/src/dynamic/sandbox/mod.rs
@@ -19,8 +19,8 @@
//! backend is intentionally weaker and is for dev iteration only.
//!
//! All public state on the sandbox is owned by the caller — there is no
-//! global runtime, no daemon. Containers are stopped and removed when the
-//! process exits.
+//! daemon. Containers are stopped and removed when the caller explicitly
+//! cleans up or when the process exits.
use crate::dynamic::harness::BuiltHarness;
use crate::dynamic::oob::OobListener;
@@ -679,30 +679,37 @@ fn container_registry() -> &'static dashmap::DashMap {
})
}
-/// extern "C" fn registered via atexit(3).
-///
-/// Stops all containers in the registry with --time=0 (immediate SIGKILL).
-/// Runs on normal process exit and on `std::process::exit()`. Does not run
-/// on SIGKILL; the `sleep 300` in started containers bounds the leak window.
-#[cfg(unix)]
-extern "C" fn stop_all_containers() {
+/// Stop and remove every docker container currently tracked by the verifier.
+pub(crate) fn cleanup_docker_containers() {
let Some(reg) = CONTAINER_REGISTRY.get() else {
return;
};
let bin = std::env::var("NYX_DOCKER_BIN").unwrap_or_else(|_| "docker".to_owned());
- for entry in reg.iter() {
+ let names: Vec = reg.iter().map(|entry| entry.key().clone()).collect();
+ for name in names {
// Remove OOB egress filter before stopping the container so stale
// iptables rules don't accumulate across scans.
#[cfg(target_os = "linux")]
- remove_oob_egress_filter(entry.key());
+ remove_oob_egress_filter(&name);
let _ = std::process::Command::new(&bin)
- .args(["stop", "--time=0", entry.key()])
+ .args(["rm", "-f", &name])
.stdout(std::process::Stdio::null())
.stderr(std::process::Stdio::null())
.status();
+ reg.remove(&name);
}
}
+/// extern "C" fn registered via atexit(3).
+///
+/// Stops all containers in the registry with an immediate force remove.
+/// Runs on normal process exit and on `std::process::exit()`. Does not run
+/// on SIGKILL; the `sleep 300` in started containers bounds the leak window.
+#[cfg(unix)]
+extern "C" fn stop_all_containers() {
+ cleanup_docker_containers();
+}
+
#[cfg(unix)]
fn register_exit_cleanup() {
unsafe extern "C" {
diff --git a/src/server/jobs.rs b/src/server/jobs.rs
index accd7b62..f0dae6e7 100644
--- a/src/server/jobs.rs
+++ b/src/server/jobs.rs
@@ -268,6 +268,8 @@ impl JobManager {
}
Ok(diags)
});
+ #[cfg(feature = "dynamic")]
+ crate::dynamic::sandbox::cleanup_docker_containers();
let elapsed = start.elapsed().as_secs_f64();
// Collect snapshots and do expensive work (post-processing,
diff --git a/src/server/models.rs b/src/server/models.rs
index e8c8bb01..7f382d7b 100644
--- a/src/server/models.rs
+++ b/src/server/models.rs
@@ -234,7 +234,11 @@ pub fn collect_filter_values(findings: &[Diag]) -> FilterValues {
}
rules.insert(d.id.clone());
statuses.insert(status_for_diag(d).to_string());
- verification_statuses.insert(dynamic_status_for_diag(d).unwrap_or("Unverified").to_string());
+ verification_statuses.insert(
+ dynamic_status_for_diag(d)
+ .unwrap_or("Unverified")
+ .to_string(),
+ );
}
// Always include all valid triage states so the filter dropdown is complete
diff --git a/src/server/routes/findings.rs b/src/server/routes/findings.rs
index ed99abb0..4482518d 100644
--- a/src/server/routes/findings.rs
+++ b/src/server/routes/findings.rs
@@ -5,8 +5,8 @@ use crate::database::index::Indexer;
use crate::server::app::{AppState, CachedFindings};
use crate::server::error::{ApiError, ApiResult};
use crate::server::models::{
- FilterValues, FindingSummary, FindingView, collect_filter_values, finding_from_diag,
- finding_from_diag_with_detail, dynamic_status_label, overlay_triage_states, summarize_findings,
+ FilterValues, FindingSummary, FindingView, collect_filter_values, dynamic_status_label,
+ finding_from_diag, finding_from_diag_with_detail, overlay_triage_states, summarize_findings,
};
use axum::extract::{Path, Query, State};
use axum::routing::get;
diff --git a/src/server/routes/scans.rs b/src/server/routes/scans.rs
index a47d17e4..d011a5ed 100644
--- a/src/server/routes/scans.rs
+++ b/src/server/routes/scans.rs
@@ -45,6 +45,10 @@ struct StartScanRequest {
verify: Option,
/// Also verify `Confidence < Medium` findings. Default false.
verify_all_confidence: Option,
+ /// Dynamic verification backend: "auto" | "docker" | "process" | "firecracker".
+ verify_backend: Option,
+ /// Process-backend hardening profile: "standard" | "strict".
+ harden_profile: Option,
#[allow(dead_code)]
languages: Option>,
#[allow(dead_code)]
@@ -89,6 +93,38 @@ fn apply_engine_profile(
Ok(())
}
+fn apply_verify_backend(
+ config: &mut crate::utils::config::Config,
+ backend: &str,
+) -> Result<(), (StatusCode, Json)> {
+ let backend = backend.to_ascii_lowercase();
+ match backend.as_str() {
+ "auto" | "docker" | "process" | "firecracker" => {
+ config.scanner.verify_backend = backend;
+ Ok(())
+ }
+ _ => Err(bad_request(
+ "verify_backend must be one of: auto, docker, process, firecracker",
+ )),
+ }
+}
+
+fn apply_harden_profile(
+ config: &mut crate::utils::config::Config,
+ profile: &str,
+) -> Result<(), (StatusCode, Json)> {
+ let profile = profile.to_ascii_lowercase();
+ match profile.as_str() {
+ "standard" | "strict" => {
+ config.scanner.harden_profile = profile;
+ Ok(())
+ }
+ _ => Err(bad_request(
+ "harden_profile must be one of: standard, strict",
+ )),
+ }
+}
+
async fn start_scan(
State(state): State,
body: Option>,
@@ -125,6 +161,12 @@ async fn start_scan(
if req.verify_all_confidence == Some(true) {
config.scanner.verify_all_confidence = true;
}
+ if let Some(ref backend) = req.verify_backend {
+ apply_verify_backend(&mut config, backend)?;
+ }
+ if let Some(ref profile) = req.harden_profile {
+ apply_harden_profile(&mut config, profile)?;
+ }
#[cfg(not(feature = "dynamic"))]
if config.scanner.verify || config.scanner.verify_all_confidence {