@bounded-systems/conformance-kit 0.2.0

package/gates/semantic/deno.json

@@ -0,0 +1,7 @@
+{
+  "imports": {
+    "@bounded-systems/lone": "jsr:@bounded-systems/lone@^0.1",
+    "zod": "npm:zod@3",
+    "linkedom": "npm:linkedom@0.15.3"
+  }
+}

package/gates/semantic/gate.ts

@@ -0,0 +1,34 @@
+// gates/semantic/gate.ts — bless each rendered page's DOM with lone (semantic HTML
+// + a11y). Blocking: any error-severity finding fails CI. Run from the site root
+// after the build. lone is consumed from JSR (jsr:@bounded-systems/lone), pinned by
+// deno.lock — no git clone, no hand-managed sha (see deno.json import map).
+//
+//   deno run --allow-read --allow-net gates/semantic/gate.ts
+//
+// Site-agnostic injection (Deno.env, both optional):
+//   $SEMANTIC_DIR       directory of built HTML to bless (default "dist/blog").
+//   $SEMANTIC_SELECTOR  CSS selector for the subject node to validate per page,
+//                       falling back to <body> (default "article").
+import { parseHTML } from "linkedom";
+import { validate } from "@bounded-systems/lone";
+
+const DIR = Deno.env.get("SEMANTIC_DIR") ?? "dist/blog";
+const SELECTOR = Deno.env.get("SEMANTIC_SELECTOR") ?? "article";
+
+let posts = 0, errors = 0, warns = 0;
+for await (const e of Deno.readDir(DIR)) {
+  if (!e.name.endsWith(".html")) continue;
+  posts++;
+  const { document } = parseHTML(await Deno.readTextFile(`${DIR}/${e.name}`));
+  const subject = document.querySelector(SELECTOR) ?? document.body;
+  const { findings } = await validate(subject);
+  const errs = findings.filter((f) => f.severity === "error");
+  errors += errs.length;
+  warns += findings.length - errs.length;
+  if (findings.length) {
+    console.log(`\n${e.name} — ${errs.length} error(s), ${findings.length - errs.length} warn(s):`);
+    for (const f of findings) console.log(`  [${f.severity}] ${f.code} ${f.path} — ${f.message}`);
+  } else console.log(`${e.name} — clean`);
+}
+console.log(`\nlone: ${posts} page(s) · ${errors} error(s) · ${warns} warn(s)`);
+Deno.exit(errors > 0 ? 1 : 0);

package/gates/seo-gate.mjs

@@ -0,0 +1,208 @@
+#!/usr/bin/env node
+// SEO technical gate — turns the site's discoverability contract into an ENFORCEABLE
+// check over the BUILT dist/. SEO "best practices" are usually advice you hope you
+// followed; this gate fails closed (exit 1) the moment the built bytes break one.
+//
+//   node gates/seo-gate.mjs [distDir]      # build gate (exit 1 on any violation)
+//
+// What it enforces:
+//   1. canonical  — every indexable page has exactly one <link rel="canonical">, and
+//                   it is SELF-consistent: the canonical URL maps back to THIS file.
+//   2. title      — every indexable page has a non-empty <title>, unique across pages.
+//   3. description— every indexable page has a non-empty <meta name="description">,
+//                   unique across pages.
+//   4. noindex    — no indexable page carries an accidental robots `noindex` (the
+//                   error page is the only place noindex is allowed/expected).
+//   5. robots.txt — parses per RFC 9309: groups start with user-agent line(s); rules
+//                   (allow/disallow) never precede a user-agent; Sitemap values are
+//                   absolute URLs; the advertised sitemap resolves to a built file.
+//   6. sitemap    — every <loc> in sitemap.xml resolves to a built page (canonicalised),
+//                   and every URL shares the site's single origin.
+//   7. links      — zero broken internal links across all pages.
+//
+// Pure + offline: reads dist/ only, no network. Zero-dep.
+//
+// Site-agnostic injection (all optional, neutral defaults):
+//   argv[2] / $DIST       built output dir (default: "dist").
+//   $SEO_ERROR_PAGE       the page exempt from canonical/title/desc + required to be
+//                         noindex (default: "404.html").
+//   $SEO_DEPLOY_SIDECARS  comma list of deploy-time paths to treat as live links
+//                         (e.g. /rekor,/provenance.json,/resume.pdf).
+import { readFile, readdir, access } from "node:fs/promises";
+import { join, relative, dirname, resolve } from "node:path";
+
+const dist = resolve(process.argv[2] || process.env.DIST || "dist");
+const exists = async (p) => { try { await access(p); return true; } catch { return false; } };
+
+const ERROR_PAGE = process.env.SEO_ERROR_PAGE || "404.html";
+// Deploy-time sidecars: written by the deploy workflow (not the local/hermetic
+// build), so a link to one is resolvable rather than dead.
+const DEPLOY_SIDECARS = (process.env.SEO_DEPLOY_SIDECARS || "/rekor,/provenance.json,/site.sha256")
+  .split(",").map((s) => s.trim()).filter(Boolean);
+
+let errors = 0;
+const err = (m) => { console.error(`  ✗ ${m}`); errors++; };
+
+async function walk(dir) {
+  const out = [];
+  for (const e of await readdir(dir, { withFileTypes: true })) {
+    const abs = join(dir, e.name);
+    if (e.isDirectory()) out.push(...await walk(abs));
+    else if (e.name.endsWith(".html")) out.push(abs);
+  }
+  return out;
+}
+
+// Normalise a served path to a canonical key (drop index.html / .html / trailing /).
+const canon = (p) => {
+  let s = p.replace(/\\/g, "/");
+  if (!s.startsWith("/")) s = "/" + s;
+  s = s.replace(/\/index\.html$/, "/").replace(/\.html$/, "");
+  if (s.length > 1) s = s.replace(/\/$/, "");
+  return s || "/";
+};
+
+// Resolve an internal href to "ok" / "dead" / "skip" (external/anchor/etc).
+async function resolveHref(pageAbs, href) {
+  if (!href || /^(https?:|mailto:|tel:|#|data:)/i.test(href)) return "skip";
+  const clean = href.split("#")[0].split("?")[0];
+  if (!clean) return "skip";
+  if (DEPLOY_SIDECARS.some((s) => clean === s || clean.startsWith(s + "/"))) return "ok";
+  const base = clean.startsWith("/") ? join(dist, clean) : resolve(dirname(pageAbs), clean);
+  for (const cand of [base, base + ".html", join(base, "index.html")]) {
+    if (await exists(cand)) return "ok";
+  }
+  return "dead";
+}
+
+const head = (html) => (html.match(/<head[\s\S]*?<\/head>/i) || [""])[0];
+
+async function main() {
+  if (!(await exists(dist))) { console.error(`✗ seo-gate: ${dist} not found — build first.`); process.exit(2); }
+
+  const pages = (await walk(dist)).sort();
+  const servedCanon = new Set(pages.map((p) => canon("/" + relative(dist, p))));
+
+  const isIndexable = (rel) => rel !== ERROR_PAGE;
+
+  const titles = new Map();        // title → first page (uniqueness)
+  const descriptions = new Map();  // description → first page (uniqueness)
+  let origin = null;               // the single canonical origin, learned from page 1
+
+  // ---- per-page <head> contract -------------------------------------------------
+  for (const pageAbs of pages) {
+    const rel = relative(dist, pageAbs).replace(/\\/g, "/");
+    const html = await readFile(pageAbs, "utf8");
+    const h = head(html);
+
+    const robotsMetas = [...h.matchAll(/<meta\s+name="robots"\s+content="([^"]*)"\s*\/?>/gi)].map((m) => m[1]);
+    const hasNoindex = robotsMetas.some((c) => /\bnoindex\b/i.test(c));
+    if (isIndexable(rel) && hasNoindex) err(`${rel}: indexable page carries robots noindex`);
+    if (!isIndexable(rel) && !hasNoindex) err(`${rel}: error page should be noindex (missing robots noindex)`);
+
+    if (!isIndexable(rel)) continue;
+
+    const canons = [...h.matchAll(/<link\s+rel="canonical"\s+href="([^"]*)"\s*\/?>/gi)].map((m) => m[1]);
+    if (canons.length !== 1) {
+      err(`${rel}: ${canons.length} <link rel="canonical"> (want exactly 1)`);
+    } else {
+      const url = canons[0];
+      let u;
+      try { u = new URL(url); } catch { u = null; }
+      if (!u) err(`${rel}: canonical is not an absolute URL — ${url}`);
+      else {
+        const thisOrigin = u.origin;
+        if (origin === null) origin = thisOrigin;
+        else if (thisOrigin !== origin) err(`${rel}: canonical origin ${thisOrigin} ≠ site origin ${origin}`);
+        const want = canon("/" + rel);
+        const got = canon(u.pathname);
+        if (got !== want) err(`${rel}: canonical points at ${got} but this file serves ${want} (not self-consistent)`);
+      }
+    }
+
+    const title = (h.match(/<title>([\s\S]*?)<\/title>/i) || [, ""])[1].trim();
+    if (!title) err(`${rel}: empty or missing <title>`);
+    else if (titles.has(title)) err(`${rel}: duplicate <title> (also in ${titles.get(title)}): "${title}"`);
+    else titles.set(title, rel);
+
+    let desc = null;
+    for (const m of h.matchAll(/<meta\s+name="description"\s+content="([^"]*)"\s*\/?>/gi)) desc = m[1];
+    if (desc == null || !desc.trim()) err(`${rel}: empty or missing <meta name="description">`);
+    else if (descriptions.has(desc.trim())) err(`${rel}: duplicate meta description (also in ${descriptions.get(desc.trim())})`);
+    else descriptions.set(desc.trim(), rel);
+  }
+
+  // ---- robots.txt — RFC 9309 ------------------------------------------------------
+  const robotsPath = join(dist, "robots.txt");
+  if (!(await exists(robotsPath))) {
+    err("robots.txt: missing from dist/");
+  } else {
+    const lines = (await readFile(robotsPath, "utf8")).split(/\r?\n/);
+    let seenUserAgent = false;
+    let groupOpen = false;
+    const sitemaps = [];
+    lines.forEach((raw, i) => {
+      const line = raw.replace(/#.*$/, "").trim();
+      if (!line) return;
+      const m = /^([A-Za-z-]+)\s*:\s*(.*)$/.exec(line);
+      if (!m) { err(`robots.txt:${i + 1}: not a "field: value" record — ${raw.trim()}`); return; }
+      const field = m[1].toLowerCase();
+      const value = m[2].trim();
+      if (field === "user-agent") { seenUserAgent = true; groupOpen = true; }
+      else if (field === "allow" || field === "disallow") {
+        if (!groupOpen) err(`robots.txt:${i + 1}: ${field} rule before any user-agent (RFC 9309 groups start with user-agent)`);
+        if (value && !value.startsWith("/") && !value.startsWith("*")) err(`robots.txt:${i + 1}: ${field} path should start with "/" — ${value}`);
+      }
+      else if (field === "sitemap") {
+        try { new URL(value); sitemaps.push(value); } catch { err(`robots.txt:${i + 1}: Sitemap is not an absolute URL — ${value}`); }
+      }
+      else if (field === "crawl-delay" || field === "host") { /* tolerated non-standard extensions */ }
+      else { /* RFC 9309 §2.2.4: unrecognised fields are ignored, not an error */ }
+    });
+    if (!seenUserAgent) err("robots.txt: no user-agent group (RFC 9309 requires at least one group)");
+    for (const sm of sitemaps) {
+      const u = new URL(sm);
+      if (origin && u.origin === origin) {
+        const f = canon(u.pathname);
+        const built = pages.some((p) => canon("/" + relative(dist, p)) === f) || (await exists(join(dist, u.pathname.replace(/^\//, ""))));
+        if (!built) err(`robots.txt: advertised Sitemap ${sm} does not resolve to a built file`);
+      }
+    }
+  }
+
+  // ---- sitemap.xml — every <loc> resolves to a built page -------------------------
+  const sitemapPath = join(dist, "sitemap.xml");
+  if (!(await exists(sitemapPath))) {
+    err("sitemap.xml: missing from dist/");
+  } else {
+    const xml = await readFile(sitemapPath, "utf8");
+    const locs = [...xml.matchAll(/<loc>\s*([^<\s]+)\s*<\/loc>/gi)].map((m) => m[1]);
+    if (locs.length === 0) err("sitemap.xml: no <loc> entries");
+    for (const loc of locs) {
+      let u;
+      try { u = new URL(loc); } catch { err(`sitemap.xml: <loc> is not an absolute URL — ${loc}`); continue; }
+      if (origin && u.origin !== origin) err(`sitemap.xml: <loc> origin ${u.origin} ≠ site origin ${origin} — ${loc}`);
+      const key = canon(u.pathname);
+      if (!servedCanon.has(key)) err(`sitemap.xml: <loc> ${loc} does not resolve to a built page (${key})`);
+    }
+  }
+
+  // ---- internal link graph — zero broken links ------------------------------------
+  for (const pageAbs of pages) {
+    const rel = relative(dist, pageAbs).replace(/\\/g, "/");
+    const html = await readFile(pageAbs, "utf8");
+    for (const a of html.matchAll(/<a\s[^>]*href="([^"]*)"/gi)) {
+      const href = a[1];
+      if ((await resolveHref(pageAbs, href)) === "dead") err(`${rel}: dead internal link → ${href}`);
+    }
+  }
+
+  console.log("");
+  if (errors) {
+    console.error(`✗ seo-gate: ${errors} violation(s) across ${pages.length} built page(s).`);
+    process.exit(1);
+  }
+  console.log(`✓ seo-gate: ${pages.length} page(s) — canonical/title/description/robots/sitemap/links all consistent (origin ${origin}).`);
+}
+
+main().catch((e) => { console.error("✗ seo-gate: error —", e.message); process.exit(1); });

package/gates/shacl-runner.mjs

@@ -0,0 +1,160 @@
+#!/usr/bin/env node
+// SHACL runner — turns a site's emitted JSON-LD into an ENFORCEABLE contract.
+//
+//   node gates/shacl-runner.mjs <shapes.ttl> <htmlDir>
+//
+// Schema.org alone is flexible guidance. Schema.org + SHACL is an enforceable
+// contract: this runner extracts every JSON-LD block from the BUILT HTML under
+// <htmlDir>, expands it to RDF, and validates it against the SHACL <shapes.ttl>. It
+// FAILS (exit 1) unless the SHACL report says conforms: true — printing every
+// violation.
+//
+// The shapes file is an INPUT and stays in the consuming site (each site's
+// structured data differs); only the runner is shared. What it does NOT check
+// (separate / manual): that the structured data matches the VISIBLE page content,
+// and search-engine rich-result eligibility. SHACL is the enforceable STRUCTURAL
+// contract.
+//
+// Site-agnostic injection:
+//   argv[2]         path to the SHACL shapes Turtle file (required).
+//   argv[3]         directory of built HTML to scan recursively (required).
+//   $SHACL_CONTEXT  optional path to a JSON-LD context document to use instead of
+//                   the built-in offline schema.org context (for non-schema.org
+//                   vocabularies). The gate NEVER fetches a context over the network.
+import { readFile, readdir } from "node:fs/promises";
+import { existsSync } from "node:fs";
+import { join, resolve } from "node:path";
+
+import jsonld from "jsonld";
+import { Parser as N3Parser } from "n3";
+import rdf from "@zazuko/env-node"; // RDF/JS env with .dataset() + clownface (required by rdf-validate-shacl)
+import SHACLValidator from "rdf-validate-shacl";
+
+const shapesPath = process.argv[2];
+const htmlDir = process.argv[3];
+if (!shapesPath || !htmlDir) {
+  console.error("usage: shacl-runner <shapes.ttl> <htmlDir>");
+  process.exit(2);
+}
+const SHAPES = resolve(shapesPath);
+const DIST = resolve(htmlDir);
+
+// --- offline JSON-LD context ----------------------------------------------------
+// Sites commonly emit `"@context": "https://schema.org"`. Expanding that normally
+// dereferences the remote context over the network — non-deterministic and
+// unavailable in hermetic CI. We serve a tiny local context instead: @vocab maps
+// every type/property name to a stable https://schema.org/ IRI; a few URL-valued
+// properties coerce to IRIs. A consumer with a different vocabulary points
+// $SHACL_CONTEXT at its own context document.
+const DEFAULT_SCHEMA_CONTEXT = {
+  "@context": {
+    "@vocab": "https://schema.org/",
+    url: { "@type": "@id" },
+    sameAs: { "@type": "@id" },
+    mainEntityOfPage: { "@type": "@id" },
+  },
+};
+const SCHEMA_IRIS = new Set([
+  "https://schema.org", "https://schema.org/",
+  "http://schema.org", "http://schema.org/",
+]);
+const localContext = process.env.SHACL_CONTEXT
+  ? JSON.parse(await readFile(resolve(process.env.SHACL_CONTEXT), "utf8"))
+  : DEFAULT_SCHEMA_CONTEXT;
+const documentLoader = async (urlArg) => {
+  if (SCHEMA_IRIS.has(urlArg) || process.env.SHACL_CONTEXT) {
+    return { contextUrl: null, documentUrl: urlArg, document: localContext };
+  }
+  throw new Error(`shacl-runner: refusing network fetch for context <${urlArg}> (offline gate)`);
+};
+
+// --- extract JSON-LD blocks from built HTML -------------------------------------
+const LD_RE = /<script[^>]*type=["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/gi;
+function extractJsonLd(html) {
+  const out = [];
+  let m;
+  while ((m = LD_RE.exec(html)) !== null) {
+    // Many builders escape "<" as "<" before embedding; undo so JSON.parse sees valid text.
+    const raw = m[1].replace(/\\u003c/g, "<").trim();
+    if (raw) out.push(raw);
+  }
+  return out;
+}
+
+async function listHtmlFiles(dir) {
+  const out = [];
+  for (const e of await readdir(dir, { withFileTypes: true })) {
+    const abs = join(dir, e.name);
+    if (e.isDirectory()) out.push(...await listHtmlFiles(abs));
+    else if (e.name.endsWith(".html")) out.push(abs);
+  }
+  return out.sort();
+}
+
+// --- jsonld → rdf-ext dataset ---------------------------------------------------
+async function jsonLdToDataset(doc) {
+  const nquads = await jsonld.toRDF(doc, { format: "application/n-quads", documentLoader });
+  const quads = new N3Parser({ format: "application/n-quads" }).parse(nquads);
+  return rdf.dataset(quads);
+}
+async function turtleToDataset(ttl) {
+  const quads = new N3Parser({ format: "text/turtle" }).parse(ttl);
+  return rdf.dataset(quads);
+}
+
+async function main() {
+  if (!existsSync(SHAPES)) { console.error(`✗ shacl-runner: shapes file not found — ${SHAPES}`); process.exit(2); }
+  if (!existsSync(DIST)) { console.error(`✗ shacl-runner: html dir not found — ${DIST}`); process.exit(2); }
+
+  const shapesTtl = await readFile(SHAPES, "utf8");
+  const shapes = await turtleToDataset(shapesTtl);
+  const validator = new SHACLValidator(shapes, { factory: rdf });
+
+  const files = await listHtmlFiles(DIST);
+  let totalBlocks = 0;
+  let failed = false;
+
+  for (const file of files) {
+    const rel = file.slice(DIST.length + 1);
+    const blocks = extractJsonLd(await readFile(file, "utf8"));
+    if (blocks.length === 0) {
+      console.log(`  ${rel}: no JSON-LD (ok)`);
+      continue;
+    }
+    totalBlocks += blocks.length;
+
+    const data = rdf.dataset();
+    for (const block of blocks) {
+      const doc = JSON.parse(block);
+      const ds = await jsonLdToDataset(doc);
+      for (const q of ds) data.add(q);
+    }
+
+    const report = validator.validate(data);
+    if (report.conforms) {
+      console.log(`  ${rel}: ${blocks.length} block(s) — conforms: true`);
+    } else {
+      failed = true;
+      console.log(`  ${rel}: ${blocks.length} block(s) — conforms: FALSE`);
+      for (const r of report.results) {
+        const path = r.path?.value ?? "(node)";
+        const focus = r.focusNode?.value ?? "(?)";
+        const shape = r.sourceShape?.value ?? "";
+        const msg = r.message?.map((m) => m.value).join("; ") || r.sourceConstraintComponent?.value || "violation";
+        console.log(`      ✗ ${focus}  [${path}]  ${msg}  <${shape}>`);
+      }
+    }
+  }
+
+  console.log("");
+  if (failed) {
+    console.error(`✗ shacl-runner: JSON-LD does NOT conform to ${shapesPath}`);
+    process.exit(1);
+  }
+  console.log(`✓ shacl-runner: conforms: true — ${totalBlocks} JSON-LD block(s) across ${files.length} page(s) satisfy the SHACL contract`);
+}
+
+main().catch((err) => {
+  console.error("✗ shacl-runner: error —", err.message);
+  process.exit(1);
+});

package/gates/vuln-gate.mjs

@@ -0,0 +1,101 @@
+#!/usr/bin/env node
+// known-vulnerability gate — turns "npm audit looked fine once" into a
+// CONTINUOUSLY-ENFORCED member of the conformance contract. It runs `npm audit`
+// over a project's lockfile and FAILS CLOSED (exit 1) when the count of known
+// critical/high advisories exceeds a configurable threshold (default 0). The
+// machine-readable result is exactly the shape lone's conformance() model consumes
+// for `security.no-critical-vulns` (`{ knownCriticalOrHighVulns }`), so a clean run
+// is what lets a site honestly assert that criterion — and a new advisory turns CI red.
+//
+//   node gates/vuln-gate.mjs [projectDir]      # build gate (exit 1 when over threshold)
+//
+// Everything is config-driven; NOTHING about any one project is hard-coded:
+//   argv[2] / $VULN_ROOT       project dir containing the lockfile   (default: ".")
+//   $VULN_OMIT_DEV             "true" → audit production deps only    (default: "true")
+//                             A static site SHIPS no runtime deps, so production scope
+//                             == the deployed bytes; the build toolchain's own
+//                             advisories are a separate concern. Set "false" to audit all.
+//   $VULN_THRESHOLD           highest tolerated known critical/high   (default: 0)
+//   $VULN_REPORT              path to write the JSON report           (default: none)
+//
+// The pure parse/evaluation functions are exported for unit testing without a network.
+import { writeFile, access } from "node:fs/promises";
+import { resolve } from "node:path";
+import { spawnSync } from "node:child_process";
+
+// ── Pure core (network-free; unit-testable) ──────────────────────────────────
+
+/** Extract the known critical + high count from an `npm audit --json` payload.
+ *  Tolerates both the v2 `metadata.vulnerabilities` shape and a missing field. */
+export function parseAudit(json) {
+  const v = (json && json.metadata && json.metadata.vulnerabilities) || {};
+  const critical = v.critical || 0;
+  const high = v.high || 0;
+  return { critical, high, known: critical + high };
+}
+
+/** Evaluate a parsed audit against the threshold. Pure: (parsed, threshold) → report. */
+export function evaluateVulns({ critical, high, known }, threshold = 0) {
+  return {
+    passed: known <= threshold,
+    threshold,
+    critical,
+    high,
+    knownCriticalOrHighVulns: known,
+    // The envelope lone's conformance() consumes for `security.no-critical-vulns`.
+    vulns: { knownCriticalOrHighVulns: known },
+  };
+}
+
+// ── Impure runner ────────────────────────────────────────────────────────────
+
+/** Run `npm audit --json` and return the parsed payload. npm exits non-zero when
+ *  advisories exist, so we capture stdout regardless of exit code. */
+export function runNpmAudit({ root = ".", omitDev = true } = {}) {
+  const args = ["audit", "--json", ...(omitDev ? ["--omit=dev"] : [])];
+  const res = spawnSync("npm", args, { cwd: resolve(root), encoding: "utf8", maxBuffer: 64 * 1024 * 1024 });
+  if (res.error) throw new Error(`cannot run npm audit (${res.error.message})`);
+  if (!res.stdout) throw new Error(`npm audit produced no JSON (stderr: ${(res.stderr || "").slice(0, 300)})`);
+  return JSON.parse(res.stdout);
+}
+
+/** Audit + evaluate → report. Exposed for programmatic use and the kit's own test. */
+export function runVulnGate({ root = ".", omitDev = true, threshold = 0 } = {}) {
+  return evaluateVulns(parseAudit(runNpmAudit({ root, omitDev })), threshold);
+}
+
+// ── CLI ──────────────────────────────────────────────────────────────────────
+
+async function main() {
+  const root = resolve(process.argv[2] && !process.argv[2].startsWith("--") ? process.argv[2] : process.env.VULN_ROOT || ".");
+  const exists = async (p) => { try { await access(p); return true; } catch { return false; } };
+  if (!(await exists(resolve(root, "package-lock.json"))) && !(await exists(resolve(root, "npm-shrinkwrap.json")))) {
+    console.error(`✗ vuln-gate: no package-lock.json under ${root} — nothing to audit.`);
+    process.exit(2);
+  }
+  const omitDev = (process.env.VULN_OMIT_DEV ?? "true").trim() !== "false";
+  const threshold = Number.parseInt(process.env.VULN_THRESHOLD ?? "0", 10);
+  if (!Number.isInteger(threshold) || threshold < 0) {
+    console.error(`✗ vuln-gate: $VULN_THRESHOLD must be an integer ≥ 0 (got "${process.env.VULN_THRESHOLD}")`);
+    process.exit(2);
+  }
+
+  const report = runVulnGate({ root, omitDev, threshold });
+  if (process.env.VULN_REPORT) {
+    await writeFile(resolve(process.env.VULN_REPORT), JSON.stringify(report, null, 2) + "\n");
+  }
+
+  const scope = omitDev ? "production deps" : "all deps";
+  const line = `vuln-gate: ${report.knownCriticalOrHighVulns} known critical/high in ${scope} (${report.critical} critical, ${report.high} high) · threshold ${threshold}`;
+  if (!report.passed) {
+    console.error(`✗ ${line}`);
+    console.error(`  a known critical/high advisory exceeds the threshold — fix it, or (if accepted) raise $VULN_THRESHOLD.`);
+    process.exit(1);
+  }
+  console.log(`✓ ${line}`);
+}
+
+// Only run the CLI when invoked directly (not when imported by a test).
+if (import.meta.url === `file://${process.argv[1]}`) {
+  main().catch((e) => { console.error("✗ vuln-gate: error —", e.stack || e.message); process.exit(1); });
+}

package/generators/gen-cid.mjs

@@ -0,0 +1,144 @@
+#!/usr/bin/env node
+// gen-cid — content-address the served site as an IPFS UnixFS directory CID, with
+// NO daemon and NO new dependency, and record it in the build provenance alongside
+// the existing digests (the site.sha256 manifest hash).
+//
+//   node generators/gen-cid.mjs            # uses ./dist
+//   DIST=out node generators/gen-cid.mjs
+//
+// Runs LAST, after every served byte exists. It builds the exact UnixFS dag-pb DAG
+// `ipfs add -r` would (classic layout: sha2-256, 256 KiB fixed chunker, no raw
+// leaves), so the reported CIDv1 re-derives from the served bytes by any IPFS
+// implementation. The file set is exactly the signed whole-site manifest
+// ($DIST/site.sha256) when present, so the CID and the manifest cover identical
+// content; otherwise it walks $DIST with the same sidecar exclusions. No pinning,
+// no DNSLink — just a portable address.
+//
+// Recorded into $DIST/provenance.json (merged if gen-provenance already wrote it;
+// created minimally for a local build). provenance.json is excluded from the
+// manifest + the CID set, so there is no circularity. Site-agnostic: the only knob
+// is $DIST.
+import { readFile, writeFile, readdir, access } from "node:fs/promises";
+import { createHash } from "node:crypto";
+import { join, relative, resolve } from "node:path";
+
+// $DIST may be absolute or relative-to-cwd (resolve handles both); default ./dist.
+const dist = resolve(process.cwd(), process.env.DIST || "dist");
+const exists = async (p) => { try { await access(p); return true; } catch { return false; } };
+
+const CHUNK = 262144;  // kubo default fixed chunker
+const MAX_LINKS = 174; // kubo default balanced-layout fanout
+
+// Same sidecars gen-sitemanifest.mjs excludes from site.sha256 (they describe the
+// site, they are not the site) — plus any Sigstore bundle, which is written after.
+const EXCLUDE = new Set([
+  "site.sha256", "provenance.json", "rekor/index.html",
+  "attestation.intoto.json", "_headers", "_redirects", "_routes.json",
+]);
+const isExcluded = (rel) => EXCLUDE.has(rel) || rel.endsWith(".sigstore.json") || rel.startsWith("rekor/");
+
+// ---- protobuf + dag-pb + UnixFS (single-block + balanced multi-block) --------
+const varint = (n) => { const o = []; let v = BigInt(n); do { let b = Number(v & 0x7fn); v >>= 7n; if (v) b |= 0x80; o.push(b); } while (v); return Buffer.from(o); };
+const lenDelim = (tag, buf) => Buffer.concat([varint(tag), varint(buf.length), buf]);
+const vfield = (tag, n) => Buffer.concat([varint(tag), varint(n)]);
+const sha256 = (buf) => createHash("sha256").update(buf).digest();
+const multihash = (buf) => Buffer.concat([Buffer.from([0x12, 0x20]), sha256(buf)]); // 0x12 sha2-256, 0x20 len
+
+const B32 = "abcdefghijklmnopqrstuvwxyz234567";
+const base32 = (bytes) => { let bits = 0, value = 0, out = ""; for (const b of bytes) { value = (value << 8) | b; bits += 8; while (bits >= 5) { out += B32[(value >>> (bits - 5)) & 31]; bits -= 5; } } if (bits > 0) out += B32[(value << (5 - bits)) & 31]; return out; };
+const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+const base58 = (bytes) => { let zeros = 0; while (zeros < bytes.length && bytes[zeros] === 0) zeros++; let n = 0n; for (const b of bytes) n = n * 256n + BigInt(b); let out = ""; while (n > 0n) { out = B58[Number(n % 58n)] + out; n /= 58n; } return "1".repeat(zeros) + out; };
+const cidV1Base32 = (mh) => "b" + base32(Buffer.concat([Buffer.from([0x01, 0x70]), mh])); // 0x01 v1, 0x70 dag-pb
+const cidV0Base58 = (mh) => base58(mh); // v0 == bare dag-pb multihash, base58btc
+
+// UnixFS Data: Type(1) File=2 / Directory=1, Data(2), filesize(3), blocksizes(4 repeated)
+const ufLeaf = (data) => Buffer.concat([vfield(0x08, 2), lenDelim(0x12, data), vfield(0x18, data.length)]);
+const ufFileRoot = (filesize, blocksizes) => Buffer.concat([vfield(0x08, 2), vfield(0x18, filesize), ...blocksizes.map((b) => vfield(0x20, b))]);
+const ufDir = () => vfield(0x08, 1);
+// dag-pb PBNode: Links(2) entries first, then Data(1). PBLink: Hash(1), Name(2), Tsize(3)
+const pbLink = (mh, name, tsize) => Buffer.concat([lenDelim(0x0a, mh), lenDelim(0x12, Buffer.from(name, "utf8")), vfield(0x18, tsize)]);
+const pbNode = (linkBufs, data) => Buffer.concat([...linkBufs.map((l) => lenDelim(0x12, l)), ...(data ? [lenDelim(0x0a, data)] : [])]);
+
+// → { mh, size }  size = cumulative (this block's bytes + all descendants)
+function encodeFile(content) {
+  if (content.length <= CHUNK) { const node = pbNode([], ufLeaf(content)); return { mh: multihash(node), size: node.length }; }
+  let layer = [];
+  for (let i = 0; i < content.length; i += CHUNK) { const c = content.subarray(i, i + CHUNK); const node = pbNode([], ufLeaf(c)); layer.push({ mh: multihash(node), size: node.length, bs: c.length }); }
+  while (layer.length > 1) {
+    const next = [];
+    for (let i = 0; i < layer.length; i += MAX_LINKS) {
+      const group = layer.slice(i, i + MAX_LINKS);
+      const blocksizes = group.map((g) => g.bs);
+      const filesize = blocksizes.reduce((a, b) => a + b, 0);
+      const node = pbNode(group.map((g) => pbLink(g.mh, "", g.size)), ufFileRoot(filesize, blocksizes));
+      next.push({ mh: multihash(node), size: node.length + group.reduce((a, g) => a + g.size, 0), bs: filesize });
+    }
+    layer = next;
+  }
+  return { mh: layer[0].mh, size: layer[0].size };
+}
+
+// A directory tree node: { dirs: Map<name,node>, files: Map<name,absPath> }
+const newDir = () => ({ dirs: new Map(), files: new Map() });
+function insert(treeRoot, relParts, abs) {
+  let node = treeRoot;
+  for (let i = 0; i < relParts.length - 1; i++) { const seg = relParts[i]; if (!node.dirs.has(seg)) node.dirs.set(seg, newDir()); node = node.dirs.get(seg); }
+  node.files.set(relParts[relParts.length - 1], abs);
+}
+async function encodeDir(node) {
+  const links = [];
+  for (const [name, abs] of node.files) { const r = encodeFile(await readFile(abs)); links.push({ name, mh: r.mh, size: r.size }); }
+  for (const [name, child] of node.dirs) { const r = await encodeDir(child); links.push({ name, mh: r.mh, size: r.size }); }
+  links.sort((a, b) => Buffer.compare(Buffer.from(a.name), Buffer.from(b.name))); // go-ipfs sorts dir links by raw name
+  const node2 = pbNode(links.map((l) => pbLink(l.mh, l.name, l.size)), ufDir());
+  return { mh: multihash(node2), size: node2.length + links.reduce((a, l) => a + l.size, 0) };
+}
+
+// ---- collect the served file set ---------------------------------------------
+async function fromManifest() {
+  const text = await readFile(join(dist, "site.sha256"), "utf8");
+  return text.trim().split("\n").filter(Boolean).map((line) => line.slice(line.indexOf("  ") + 2));
+}
+async function fromWalk() {
+  const out = [];
+  const walk = async (dir) => {
+    for (const ent of await readdir(dir, { withFileTypes: true })) {
+      const abs = join(dir, ent.name); const rel = relative(dist, abs);
+      if (ent.isDirectory()) { await walk(abs); continue; }
+      if (isExcluded(rel)) continue;
+      out.push(rel);
+    }
+  };
+  await walk(dist);
+  return out;
+}
+
+const usedManifest = await exists(join(dist, "site.sha256"));
+const rels = (usedManifest ? await fromManifest() : await fromWalk()).filter((r) => !isExcluded(r)).sort();
+const tree = newDir();
+for (const rel of rels) insert(tree, rel.split("/"), join(dist, rel));
+const r = await encodeDir(tree);
+const cid = cidV1Base32(r.mh);
+const cidV0 = cidV0Base58(r.mh);
+
+// ---- record into the build provenance ----------------------------------------
+const provPath = join(dist, "provenance.json");
+const provenance = (await exists(provPath)) ? JSON.parse(await readFile(provPath, "utf8")) : { scope: "entire-site" };
+provenance.contentAddress = {
+  ...(provenance.contentAddress || {}),
+  ipfs: {
+    cid,
+    cidV0,
+    codec: "dag-pb",
+    multihash: "sha2-256",
+    scope: usedManifest ? "served-site (site.sha256 file set)" : "served-site (dist minus provenance sidecars)",
+    fileCount: rels.length,
+    pinned: false,
+    dnslink: false,
+    derivation: "generators/gen-cid.mjs — zero-dep UnixFS v1 (dag-pb, sha2-256, 256 KiB fixed chunker, no raw leaves)",
+    note: "IPFS UnixFS directory CID over the served site, computed with no daemon. Re-derives from the served bytes: `ipfs add -rQ --cid-version=1` over the same file set yields this CID (or `ipfs add -rQ` then `ipfs cid base32` from the v0 form).",
+  },
+};
+await writeFile(provPath, JSON.stringify(provenance, null, 2) + "\n");
+
+console.log(`✓ ipfs CID: ${cid} (${rels.length} files, ${usedManifest ? "from site.sha256" : "from dist walk"}) → provenance.json contentAddress.ipfs`);