@decantr/verifier 2.3.3 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -21,7 +21,8 @@ npm install @decantr/verifier
21
21
  - schema-backed report types for project audits, Project Health, Decantr CI reports, Evidence Bundles, Workspace Health, file critiques, and showcase verification
22
22
  - `ProjectHealthReport`, `ProjectHealthFinding`, and `ProjectHealthRemediation` types for the CLI's end-user health surface
23
23
  - interaction findings now include scanned file counts, file line ranges, and expected signal evidence where available, so CLI health/check output can point agents at source-grounded remediation
24
- - contract-only Brownfield critique avoids requiring Decantr treatments/decorators when the project keeps its own styling authority
24
+ - contract-only and style-bridge Brownfield critique avoids requiring Decantr treatments/decorators when the project keeps its own styling authority
25
+ - Decantr CI report schemas include accepted style bridge status, mapping count, styling approach, and theme modes alongside local-law findings
25
26
  - project audits check that `pack-manifest.json` references real pack markdown/JSON files on disk
26
27
  - project audits tolerate partial or malformed generated review packs without crashing Project Health, so half-attached Brownfield projects still receive actionable findings
27
28
  - Next.js static/document outputs are treated as framework-rendered documents instead of requiring a Vite-style `id="root"` mount element
@@ -67,6 +68,10 @@ function isBlocking(report: ProjectHealthReport) {
67
68
  - `@decantr/verifier/schema/file-critique-report.v1.json`
68
69
  - `@decantr/verifier/schema/showcase-shortlist-report.v1.json`
69
70
 
71
+ ## Security And Permissions
72
+
73
+ The verifier is a local library. It reads selected project source, Decantr context, and built `dist`/`.next` output when callers request project or runtime audits. Built-output runtime audit starts a temporary loopback static server and fetches from that local server only; it does not contact external hosts. The verifier does not write files, spawn processes, emit telemetry, or upload source by itself. See [security permissions](https://decantr.ai/reference/security-permissions.md).
74
+
70
75
  ## Compatibility
71
76
 
72
77
  `@decantr/verifier` is stable in the `2.x` line for the documented verifier APIs and published report-schema exports.
package/dist/index.js CHANGED
@@ -2648,20 +2648,20 @@ function appendSourceAuditFindings(findings, sourceAudit, essence, reviewPack, a
2648
2648
  if (sourceAudit.filesChecked === 0) {
2649
2649
  return;
2650
2650
  }
2651
- const isContractOnly = adoptionMode === "contract-only";
2651
+ const isProjectOwnedStyling = adoptionMode === "contract-only" || adoptionMode === "style-bridge";
2652
2652
  if (sourceAudit.inlineStyles.count > 0) {
2653
2653
  findings.push(
2654
2654
  makeFinding({
2655
2655
  id: "source-inline-styles-present",
2656
2656
  category: "Source Audit",
2657
2657
  severity: "warn",
2658
- message: isContractOnly ? "Source files contain inline style attributes; contract-only projects should route static visual decisions through project-owned styling law." : "Source files still contain disallowed inline style attributes, which undermines the compiled treatment contract.",
2658
+ message: isProjectOwnedStyling ? "Source files contain inline style attributes; project-owned styling projects should route static visual decisions through local law or the style bridge." : "Source files still contain disallowed inline style attributes, which undermines the compiled treatment contract.",
2659
2659
  evidence: buildSourceAuditEvidence(
2660
2660
  sourceAudit,
2661
2661
  sourceAudit.inlineStyles,
2662
2662
  "Disallowed inline style attributes"
2663
2663
  ),
2664
- suggestedFix: isContractOnly ? "Move static visual styling into the app design system, Tailwind/theme tokens, component variants, or accepted local rules. Keep inline style only for truly dynamic geometry." : "Move static visual styling into treatments, atoms, or design-token-backed classes. Inline style remains acceptable for Decantr CSS-variable writes and truly dynamic geometry."
2664
+ suggestedFix: isProjectOwnedStyling ? "Move static visual styling into the app design system, Tailwind/theme tokens, component variants, or accepted local rules. Keep inline style only for truly dynamic geometry." : "Move static visual styling into treatments, atoms, or design-token-backed classes. Inline style remains acceptable for Decantr CSS-variable writes and truly dynamic geometry."
2665
2665
  })
2666
2666
  );
2667
2667
  }
@@ -2671,17 +2671,17 @@ function appendSourceAuditFindings(findings, sourceAudit, essence, reviewPack, a
2671
2671
  id: "source-component-style-tags-present",
2672
2672
  category: "Source Audit",
2673
2673
  severity: "warn",
2674
- message: isContractOnly ? "Source files inject component-scoped style tags or dynamic style elements, which makes project-owned styling rules harder to enforce." : "Source files inject component-scoped style tags or dynamic style elements, which bypass the compiled Decantr layer contract.",
2674
+ message: isProjectOwnedStyling ? "Source files inject component-scoped style tags or dynamic style elements, which makes project-owned styling rules harder to enforce." : "Source files inject component-scoped style tags or dynamic style elements, which bypass the compiled Decantr layer contract.",
2675
2675
  evidence: buildSourceAuditEvidence(
2676
2676
  sourceAudit,
2677
2677
  sourceAudit.componentStyleTags,
2678
2678
  "Component-level style tag signals"
2679
2679
  ),
2680
- suggestedFix: isContractOnly ? "Move shared keyframes, media queries, and visual rules into the project stylesheet, component library, or accepted local pattern/rule manifest." : "Move shared keyframes, media queries, and visual rules into global.css or treatments.css so styling stays inside the reviewed Decantr layer stack."
2680
+ suggestedFix: isProjectOwnedStyling ? "Move shared keyframes, media queries, and visual rules into the project stylesheet, component library, or accepted local pattern/rule manifest." : "Move shared keyframes, media queries, and visual rules into global.css or treatments.css so styling stays inside the reviewed Decantr layer stack."
2681
2681
  })
2682
2682
  );
2683
2683
  }
2684
- if (!isContractOnly && sourceAudit.localCssRuntimeSignals.count > 0) {
2684
+ if (!isProjectOwnedStyling && sourceAudit.localCssRuntimeSignals.count > 0) {
2685
2685
  findings.push(
2686
2686
  makeFinding({
2687
2687
  id: "source-local-css-runtime-stub-present",
@@ -3785,7 +3785,7 @@ async function auditProject(projectRoot) {
3785
3785
  const reviewPack = loadReviewPack(projectRoot);
3786
3786
  const packManifest = loadPackManifest(projectRoot);
3787
3787
  const adoptionMode = readProjectAdoptionMode(projectRoot);
3788
- const packHydrationOptional = adoptionMode === "contract-only";
3788
+ const packHydrationOptional = adoptionMode === "contract-only" || adoptionMode === "style-bridge";
3789
3789
  const packHydrationSeverity = packHydrationOptional ? "info" : "warn";
3790
3790
  const runtimeAudit = emptyRuntimeAudit();
3791
3791
  if (!existsSync2(essencePath)) {
@@ -3865,7 +3865,7 @@ async function auditProject(projectRoot) {
3865
3865
  id: "pack-manifest-missing",
3866
3866
  category: "Execution Packs",
3867
3867
  severity: packHydrationSeverity,
3868
- message: packHydrationOptional ? "Compiled execution pack manifest is not hydrated yet; this is optional for contract-only Brownfield adoption." : "Compiled execution pack manifest is missing.",
3868
+ message: packHydrationOptional ? "Compiled execution pack manifest is not hydrated yet; this is optional for contract-only/style-bridge Brownfield adoption." : "Compiled execution pack manifest is missing.",
3869
3869
  evidence: [join2(projectRoot, ".decantr", "context", "pack-manifest.json")],
3870
3870
  suggestedFix: packHydrationOptional ? "Optional: run `decantr registry compile-packs decantr.essence.json --write-context` when you want hosted page packs and review packs for richer assistant context." : "Run `decantr registry compile-packs decantr.essence.json --write-context` to hydrate scaffold, review, mutation, section, and page packs."
3871
3871
  })
@@ -3929,7 +3929,7 @@ async function auditProject(projectRoot) {
3929
3929
  id: "review-pack-file-missing",
3930
3930
  category: "Review Contract",
3931
3931
  severity: packHydrationSeverity,
3932
- message: packHydrationOptional ? "The compiled review pack file is not hydrated yet; contract-only Brownfield projects can continue without it." : "The compiled review pack file is missing.",
3932
+ message: packHydrationOptional ? "The compiled review pack file is not hydrated yet; contract-only/style-bridge Brownfield projects can continue without it." : "The compiled review pack file is missing.",
3933
3933
  evidence: [join2(projectRoot, ".decantr", "context", "review-pack.json")],
3934
3934
  suggestedFix: packHydrationOptional ? "Optional: hydrate hosted packs later if you want critique consumers to anchor findings to the compiled review contract." : "Hydrate the full hosted context bundle with `decantr registry compile-packs decantr.essence.json --write-context` so critique consumers can anchor findings to the compiled review contract."
3935
3935
  })
@@ -10358,16 +10358,16 @@ function critiqueSource({
10358
10358
  const findings = [];
10359
10359
  const scores = [];
10360
10360
  const antiPatternIds = new Set(reviewPack?.antiPatterns.map((entry) => entry.id) ?? []);
10361
- const isContractOnly = adoptionMode === "contract-only";
10361
+ const isProjectOwnedStyling = adoptionMode === "contract-only" || adoptionMode === "style-bridge";
10362
10362
  const usedTreatments = TREATMENT_CLASSES.filter((token) => code.includes(token));
10363
- if (isContractOnly) {
10363
+ if (isProjectOwnedStyling) {
10364
10364
  scores.push({
10365
10365
  category: "Styling Authority",
10366
10366
  focusArea: "treatment-usage",
10367
10367
  score: 3,
10368
- details: "Contract-only adoption does not require Decantr d-* treatment classes in source files.",
10368
+ details: "Contract-only/style-bridge adoption does not require Decantr d-* treatment classes in source files.",
10369
10369
  suggestions: [
10370
- "Codify project-owned component variants and local rules when button/card/surface drift needs mechanical enforcement."
10370
+ "Codify project-owned component variants, local rules, or a style bridge when button/card/surface drift needs stronger enforcement."
10371
10371
  ]
10372
10372
  });
10373
10373
  } else {
@@ -10404,12 +10404,12 @@ function critiqueSource({
10404
10404
  const decoratorNames = buildDecoratorInventory(treatmentsCss);
10405
10405
  const usedDecorators = decoratorNames.filter((name) => code.includes(name));
10406
10406
  const usesCssVars = code.includes("var(--");
10407
- if (isContractOnly) {
10407
+ if (isProjectOwnedStyling) {
10408
10408
  scores.push({
10409
10409
  category: "Theme Consistency",
10410
10410
  focusArea: "theme-consistency",
10411
10411
  score: usesCssVars ? 4 : 3,
10412
- details: `Contract-only mode: Decantr decorators are not required; CSS vars: ${usesCssVars ? "yes" : "no"}.`,
10412
+ details: `Contract-only/style-bridge mode: Decantr decorators are not required; CSS vars: ${usesCssVars ? "yes" : "no"}.`,
10413
10413
  suggestions: [
10414
10414
  "Use the app design system, Tailwind theme, Sass variables, component variants, or accepted local rules as the styling authority."
10415
10415
  ]
@@ -11436,7 +11436,7 @@ function critiqueSource({
11436
11436
  `Disallowed inline style attributes: ${astSignals.inlineStyleAttributeCount}`
11437
11437
  ],
11438
11438
  file: filePath,
11439
- suggestedFix: isContractOnly ? "Replace static inline visual values with the project design system, accepted component variants, or local style rules. Keep inline style only for truly dynamic geometry." : "Replace static inline visual values with treatments, decorators, and CSS variables from the compiled contract. Keep inline style only for Decantr CSS-variable writes and truly dynamic geometry."
11439
+ suggestedFix: isProjectOwnedStyling ? "Replace static inline visual values with the project design system, accepted component variants, or local style rules. Keep inline style only for truly dynamic geometry." : "Replace static inline visual values with treatments, decorators, and CSS variables from the compiled contract. Keep inline style only for Decantr CSS-variable writes and truly dynamic geometry."
11440
11440
  })
11441
11441
  );
11442
11442
  }
@@ -11453,7 +11453,7 @@ function critiqueSource({
11453
11453
  message: "Component-scoped style tags or dynamic style elements were detected in the reviewed file.",
11454
11454
  evidence: [filePath, `Component style tag signals: ${componentStyleTagSignals}`],
11455
11455
  file: filePath,
11456
- suggestedFix: isContractOnly ? "Move shared keyframes, media queries, and visual rules into the project stylesheet, component library, or accepted local pattern/rule manifest." : "Move shared keyframes, media queries, and visual rules into global.css or treatments.css so the file stays aligned with the Decantr layer contract."
11456
+ suggestedFix: isProjectOwnedStyling ? "Move shared keyframes, media queries, and visual rules into the project stylesheet, component library, or accepted local pattern/rule manifest." : "Move shared keyframes, media queries, and visual rules into global.css or treatments.css so the file stays aligned with the Decantr layer contract."
11457
11457
  })
11458
11458
  );
11459
11459
  }