@mneme-ai/xray 2.174.0 → 2.176.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mneme-ai/xray",
-  "version": "2.174.0",
+  "version": "2.176.0",
   "description": "Mneme Repo X-Ray — a signed, raw-free, deterministic X-Ray of any repo. Every number is reproducible from git/AST/metadata and sealed with an offline-verifiable NOTARY receipt. No source code ever leaves the machine; no LLM guesses anything.",
   "type": "module",
   "main": "./dist/index.js",
@@ -47,7 +47,7 @@
     "mneme"
   ],
   "dependencies": {
-    "@mneme-ai/core": "2.173.0",
+    "@mneme-ai/core": "2.175.0",
     "@resvg/resvg-js": "^2.6.2"
   },
   "engines": {

package/public/card.js

@@ -52,12 +52,58 @@
     return A;
   }
 
+  // VERDICT — turn the accurate metrics into a DECISION a human can act on:
+  // "should I trust / adopt / inherit this repo, and what do I do about it?"
+  // Every line is derived 100% from a signed metric (no new data, no AI guess).
+  function synthesizeVerdict(r) {
+    const num = (x) => (Number.isFinite(Number(x)) ? Number(x) : 0);
+    const dep = r.deps || {}, sec = r.secrets || {}, bf = r.busFactor || {}, age = r.age || {}, cx = r.complexity || {}, su = r.security || {}, hs = r.hotspots || {};
+    const dying = num((dep.byBand || {}).dead) + num((dep.byBand || {}).moribund);
+    const copyleft = num((dep.licenses || {})["strong-copyleft"]) + num((dep.licenses || {})["weak-copyleft"]);
+    const secrets = num(sec.totalFindings), destructive = (su.destructive || []).length;
+    const soloPct = num(bf.singleOwnerFilePct), topShare = num(bf.topContributorShare), busF = num(bf.busFactor);
+    const symbols = num(cx.totalSymbols), codeFiles = num(cx.filesAnalysed);
+    const isDocs = symbols < 30 && (codeFiles === 0 || symbols / Math.max(1, codeFiles) < 1.5);
+    const kind = isDocs ? "Docs / content repo" : "Code project";
+
+    // the takeaways — what it means + what to DO, severity-ranked, action-first
+    const T = [];
+    if (sec.worstVerdict === "BLOCK" && secrets > 0) T.push({ t: "bad", x: `🔴 ${secrets} live secret${secrets > 1 ? "s" : ""} in production code — rotate them now and add a pre-commit secret scan${sec.hits && sec.hits[0] ? ` (e.g. ${esc(sec.hits[0].file)}:${sec.hits[0].line})` : ""}.` });
+    else if (secrets > 0) T.push({ t: "warn", x: `🟠 ${secrets} credential-pattern match${secrets > 1 ? "es" : ""} to review in production code.` });
+    if (destructive > 0) T.push({ t: "bad", x: `🔴 ${destructive} destructive command${destructive > 1 ? "s" : ""} in build/CI (${esc((su.destructive[0] || {}).where || "ci")}) — audit before trusting this pipeline.` });
+    else if (num(su.injectionFindings) > 0) T.push({ t: "warn", x: `🟠 ${num(su.injectionFindings)} possible prompt-injection in docs — sanitize before feeding to an AI.` });
+    if (dying > 0) { const a = (dep.atRisk || [])[0]; T.push({ t: "warn", x: `🟠 ${dying} dependency${dying > 1 ? "ies" : "y"} dying/abandoned — plan a migration${a && a.successor ? ` (e.g. ${esc(a.name)} → ${esc(a.successor)})` : ""}.` }); }
+    if (copyleft > 0) T.push({ t: "warn", x: `🟠 ${copyleft} dependency${copyleft > 1 ? "ies" : "y"} with copyleft/unknown license — check before commercial use.` });
+    if (age.vitality === "archived" || age.dormant) T.push({ t: "warn", x: `🟠 No recent activity (${esc(age.vitality || "stalled")}) — may be unmaintained; pin a version if you depend on it.` });
+    else if (age.vitality === "active") T.push({ t: "ok", x: `✅ Actively maintained — ${num(age.totalCommits).toLocaleString()} commits over ${esc(age.lifespan || "its life")}, ${num(age.totalAuthors)} contributors. Low abandonment risk.` });
+    if (busF <= 1 && num(bf.authors) > 0) T.push({ t: "warn", x: `🟠 Key-person risk: one author owns ${topShare}% of commits${soloPct ? ` and ${soloPct}% of files have a single owner` : ""}. If they leave, those areas stall — spread reviews + document.` });
+    else if (soloPct >= 40) { const ff = (bf.fragileFiles || []).slice(0, 3).map((x) => esc(x.file)).join(", "); T.push({ t: "warn", x: `🟠 ${soloPct}% of files have a single owner — pair-review the fragile ones${ff ? `: ${ff}` : ""}.` }); }
+    if (secrets === 0 && destructive === 0 && dying === 0 && copyleft === 0) T.push({ t: "ok", x: `✅ Clean to adopt — no leaked secrets, no dying/risky-licensed deps, no destructive CI.` });
+    if ((hs.hotspots || [])[0] && !isDocs) { const h = hs.hotspots[0]; T.push({ t: "info", x: `ℹ️ If you change one thing first, it's <b>${esc(h.file)}</b> (highest churn×size)${h.expert ? ` — ${esc(h.expert)} knows it best` : ""}.` }); }
+
+    // the headline DECISION (worst-signal-wins)
+    const hasRed = secrets > 0 || destructive > 0;
+    const stale = age.vitality === "archived" || age.dormant;
+    const keyrisk = busF <= 1 || soloPct >= 60;
+    let tone, head;
+    if (hasRed) { tone = "bad"; head = "⚠️ Exposed risk — fix the red items before you trust this repo"; }
+    else if (stale) { tone = "warn"; head = "🪦 Looks unmaintained — risky to depend on without pinning"; }
+    else if (dying > 0) { tone = "warn"; head = "Adopt with care — aging dependencies need a migration plan"; }
+    else if (keyrisk) { tone = "warn"; head = "✅ Maintained — but ⚠️ concentrated in one person (key-person risk)"; }
+    else if (age.vitality === "active") { tone = "ok"; head = `✅ Healthy & actively maintained — safe to build on`; }
+    else { tone = "neutral"; head = `Reviewed — ${T.length} thing${T.length === 1 ? "" : "s"} to know below`; }
+
+    const top = T.slice(0, 5);
+    return { tone, head, kind, takeaways: top };
+  }
+
   function xrayCardHTML(signed, opts) {
     opts = opts || {};
     const r = signed.report, s = r.summary;
     const dep = r.deps, sec = r.secrets, bf = r.busFactor, age = r.age, cx = r.complexity;
     const verified = signed.receipt ? '<span class="verified"><span class="dot"></span>Ed25519 — verifies offline</span>' : "unsigned";
     const tri = triageOf(r);
+    const vd = synthesizeVerdict(r);
 
     const depChips = (dep.atRisk || []).slice(0, 6).map((d) =>
       `<span class="chip ${d.band === "dead" ? "bad" : "warn"}">${esc(d.name)} · ${d.band}${d.successor ? ` → ${esc(d.successor)}` : ""}</span>`).join("") || `<span class="chip">none dying</span>`;
@@ -86,6 +132,11 @@
           ${r.subject.kind === "git-url" ? `<a class="repourl" href="${esc(r.subject.ref)}" target="_blank" rel="noopener">${esc(r.subject.ref)} ↗</a>` : `<div class="repourl">${esc(r.subject.ref)}</div>`}
           <div class="head">${esc(s.headline)} · ${s.signalsRun} signals · @ ${esc(String(r.subject.commitHash).slice(0, 10))}</div></div>
       </div>
+      <div class="verdict v-${vd.tone}">
+        <div class="vhead">${esc(vd.head)}</div>
+        <div class="vkind">${esc(vd.kind)} · what this means for you ↓</div>
+        <ul class="vlist">${vd.takeaways.map((t) => `<li class="vt-${t.t}">${t.x}</li>`).join("")}</ul>
+      </div>
       <div class="membrane">
         <div class="mp"><span class="mpk">① CAPABILITY</span><span class="mpv">${s.signalsRun} deterministic signals · ${(sec.filesScanned || 0).toLocaleString()} files scanned</span></div>
         <div class="mp"><span class="mpk">② ATTENTION</span><span class="mpv">${tri.length ? `${tri.length} signal(s) need attention` : `all signals clear`}</span></div>

package/public/index.html

@@ -70,6 +70,15 @@
   .top .repourl{display:inline-block;font-size:12.5px;color:var(--a);text-decoration:none;margin-top:3px;word-break:break-all;font-family:ui-monospace,Menlo,monospace}
   .top .repourl:hover{text-decoration:underline}
   .top .head{color:var(--sub);font-size:14px;margin-top:4px}
+  .verdict{padding:18px 30px;border-bottom:1px solid #eef0f2}
+  .verdict .vhead{font-size:17px;font-weight:680;letter-spacing:-.01em;line-height:1.3;color:#0b0b0f}
+  .verdict .vkind{font-size:12px;color:#8b8f98;margin:3px 0 12px;font-weight:560}
+  .verdict .vlist{margin:0;padding:0;list-style:none;display:flex;flex-direction:column;gap:8px}
+  .verdict .vlist li{font-size:13.5px;line-height:1.5;color:#33333b}
+  .v-bad{background:#fff5f6} .v-bad .vhead{color:#be123c}
+  .v-warn{background:#fffaf0} .v-warn .vhead{color:#b45309}
+  .v-ok{background:#f0fdf4} .v-ok .vhead{color:#15803d}
+  .v-neutral{background:#fafafb}
   .trustbar{display:flex;align-items:center;gap:14px;padding:13px 30px;background:#f0fdf4;border-bottom:1px solid #dcfce7;flex-wrap:wrap}
   .hgauge{display:inline-flex;align-items:center;gap:8px;font-weight:680;color:#15803d;font-size:14px;white-space:nowrap}
   .hdot{width:10px;height:10px;border-radius:50%;background:#16a34a;box-shadow:0 0 0 4px rgba(22,163,74,.16)}
@@ -146,8 +155,10 @@
   .listfoot{display:flex;justify-content:space-between;align-items:center;padding:14px 4px 0;font-size:13px}
   .moreb{height:38px;padding:0 18px;border:1px solid var(--line);background:#fff;border-radius:10px;cursor:pointer;font-size:13px;font-weight:540;transition:border-color .15s}
   .moreb:hover{border-color:var(--ink)}
-  .moreb:disabled{opacity:.4;cursor:not-allowed;border-color:var(--line)}
   .pagenav{display:inline-flex;gap:8px}
+  .pagenav .moreb{background:var(--ink);color:#fff;border-color:var(--ink)}
+  .pagenav .moreb:hover{opacity:.88}
+  .pagenav .moreb:disabled{background:#fff;color:#c8ccd2;border-color:var(--line);opacity:1;cursor:not-allowed}
   /* share + buttons */
   .share{display:flex;flex-wrap:wrap;align-items:center;gap:10px;padding:18px 30px;border-top:1px solid var(--line2)}
   .badgeimg{height:20px}
@@ -195,23 +206,25 @@
   .lscard .pill{display:inline-block;font-size:11px;background:var(--soft);border:1px solid var(--line);border-radius:20px;padding:1px 8px;color:var(--ink2)}
   .lscard .lsnote{margin-top:10px;font-size:11.5px;color:var(--sub);line-height:1.5;border-top:1px solid var(--line2);padding-top:9px}
   /* SHOWCASE — selling points; the graphic sits to the SIDE (grid areas, no markup move) */
-  .showcase{max-width:1060px;margin:64px auto 0;padding:0 20px;text-align:left;
-    display:grid;column-gap:36px;row-gap:18px;align-items:center;
-    grid-template-columns:1fr 360px;grid-template-areas:"title art" "sub art" "cards cards"}
-  .showcase .sctitle{grid-area:title;font-size:30px;font-weight:700;letter-spacing:-.02em;color:var(--ink);margin:0;line-height:1.2}
+  .showcase{max-width:1080px;margin:60px auto 0;padding:0 20px;
+    display:grid;column-gap:32px;row-gap:8px;align-items:center;
+    grid-template-columns:1fr 300px;grid-template-areas:"title title" "sub sub" "cards art"}
+  .showcase .sctitle{grid-area:title;text-align:center;font-size:29px;font-weight:700;letter-spacing:-.02em;color:var(--ink);margin:0;line-height:1.25}
   .showcase .sctitle .hl{color:var(--a)}
-  .showcase .scsub{grid-area:sub;font-size:15px;color:var(--sub);margin:0;line-height:1.6}
-  .showcase .bigart{grid-area:art;display:flex;justify-content:center;align-self:center;opacity:.95}
-  .showcase .sc3{grid-area:cards;display:grid;grid-template-columns:repeat(3,1fr);gap:16px;margin-top:14px}
-  .showcase .sccard{background:var(--soft);border:1px solid var(--line);border-radius:16px;padding:20px}
-  .showcase .scico{font-size:26px;margin-bottom:8px}
-  .showcase .sccard b{display:block;font-size:15px;color:var(--ink);margin-bottom:6px}
-  .showcase .sccard span{font-size:13px;color:var(--sub);line-height:1.55}
-  @media(max-width:820px){
-    .showcase{grid-template-columns:1fr;grid-template-areas:"title" "sub" "art" "cards"}
-    .showcase .sc3{grid-template-columns:1fr}
-    .showcase .bigart svg{width:300px;height:auto}
+  .showcase .scsub{grid-area:sub;text-align:center;font-size:15px;color:var(--sub);max-width:680px;margin:6px auto 22px;line-height:1.6}
+  .showcase .bigart{grid-area:art;display:flex;justify-content:center;align-self:center;opacity:.92}
+  .showcase .bigart svg{width:100%;height:auto;max-width:300px}
+  .showcase .sc3{grid-area:cards;display:grid;grid-template-columns:repeat(3,1fr);gap:14px}
+  .showcase .sccard{background:var(--soft);border:1px solid var(--line);border-radius:16px;padding:18px}
+  .showcase .scico{font-size:24px;margin-bottom:8px}
+  .showcase .sccard b{display:block;font-size:14.5px;color:var(--ink);margin-bottom:6px}
+  .showcase .sccard span{font-size:12.5px;color:var(--sub);line-height:1.5}
+  @media(max-width:880px){
+    .showcase{grid-template-columns:1fr;grid-template-areas:"title" "sub" "cards" "art"}
+    .showcase .sc3{grid-template-columns:1fr 1fr}
+    .showcase .bigart{margin-top:18px}
   }
+  @media(max-width:560px){ .showcase .sc3{grid-template-columns:1fr} }
   .picker{display:none;margin-top:12px;border:1px solid var(--line);border-radius:10px;background:#fff;overflow:hidden}
   .picker.on{display:block}
   .pkbar{display:flex;align-items:center;gap:8px;padding:10px 12px;border-bottom:1px solid var(--line2);font-size:12.5px}
@@ -656,6 +669,14 @@ function renderLocalScan(r){
   const sec=s.secrets, secCls=sec.totalFindings>0?"bad":"ok";
   const langs=s.langs.map(([e,n])=>`<span class="pill">${esc(e)} ${n}</span>`).join(" ");
   const g=s.git, vit = !g.has ? "" : (s.dormantDays>365?"dormant":s.dormantDays>120?"slowing":"active");
+  // VERDICT — turn the local numbers into a decision + what-to-do (same idea as the URL report)
+  const lt=[]; let ltone="ok", lhead="✅ Quick scan looks clean — see details below";
+  if(sec.totalFindings>0){ ltone="bad"; lhead="⚠️ Secret(s) in this folder — fix before sharing"; lt.push(`🔴 ${sec.totalFindings} credential${sec.totalFindings>1?"s":""} in production code — rotate + add a pre-commit secret scan.`); }
+  if(g.has && g.authors<=1){ if(ltone==="ok"){ltone="warn"; lhead="✅ Scanned — ⚠️ solo-owned (key-person risk)";} lt.push(`🟠 Bus factor 1 — one author made all ${g.commits} commits. If they leave, this stalls; add reviewers + docs.`); }
+  if(g.has && s.dormantDays>365){ if(ltone==="ok"){ltone="warn"; lhead="🪦 Looks unmaintained — last commit over a year ago";} lt.push(`🟠 No activity for ${s.dormantDays} days — may be stale; confirm it is still maintained.`); }
+  if(sec.totalFindings===0 && (!g.has || (g.authors>1 && s.dormantDays<=365))) lt.push(`✅ No leaked secrets${g.has?`, actively worked (${g.commits} commits, ${g.authors} authors)`:""} — clean for a quick local check.`);
+  if(s.deps.total>0) lt.push(`ℹ️ ${s.deps.total} dependencies declared — run the full report (public URL / bridge) to check which are dying or risky-licensed.`);
+  const lverdict = `<div class="verdict v-${ltone}" style="margin:0 -16px 12px;border-radius:0;border-bottom:1px solid #eef0f2"><div class="vhead" style="font-size:15px">${esc(lhead)}</div><ul class="vlist" style="margin-top:8px">${lt.slice(0,4).map(t=>`<li>${t}</li>`).join("")}</ul></div>`;
   const gitRows = g.has ? `
     <div class="lsrow"><span class="lsk">Bus factor</span><span class="lsv ${g.authors===1?"bad":""}"><b>${g.authors}</b> author${g.authors===1?" — single point of failure":"s"} · top author ${Math.round(g.topShare*100)}% of ${g.commits} commits</span></div>
     <div class="lsrow"><span class="lsk">Vitality</span><span class="lsv ${vit==="dormant"?"bad":""}"><b>${vit}</b> · ${s.ageDays}d span · last activity ${s.dormantDays}d ago</span></div>`
@@ -663,6 +684,7 @@ function renderLocalScan(r){
   out.innerHTML=`<div class="lscard">
     <div class="lstop"><div class="lsgrade g-${("ABCDEF".includes(s.grade)?s.grade:"C")}">${esc(s.grade)}</div>
       <div><div class="lsh"><b>📂 ${esc(r.folder)}</b></div><div class="muted" style="font-size:12px">scanned in your browser · ${r.files} files · nothing uploaded</div></div></div>
+    ${lverdict}
     <div class="lsrow"><span class="lsk">Secrets</span><span class="lsv ${secCls}"><b>${sec.totalFindings}</b> in production code${sec.excludedTestHits?` · ${sec.excludedTestHits} in tests (excluded)`:""}</span></div>
     ${sec.hits.length?`<div class="lshits">${sec.hits.slice(0,6).map(h=>`<div>🔴 ${esc(h.kind)} — ${esc(h.file)}:${h.line}</div>`).join("")}</div>`:`<div class="lsok">✓ no leaked credentials in production code</div>`}
     ${gitRows}

package/public/report.html

@@ -23,6 +23,15 @@
   .g-A{background:linear-gradient(135deg,#1fb255,#15863f)}.g-B{background:linear-gradient(135deg,#7bb736,#5c8f1e)}
   .g-C{background:linear-gradient(135deg,#eaa83a,#c9821a)}.g-D{background:linear-gradient(135deg,#f0742e,#d4571a)}.g-F{background:linear-gradient(135deg,#f43f5e,#be123c)}
   .top .repo{font-size:22px;font-weight:640;letter-spacing:-.02em;color:var(--ink);word-break:break-all;line-height:1.2}.top .repobr{font-size:13px;font-weight:600;color:var(--a);background:var(--a-soft);border-radius:6px;padding:1px 7px;vertical-align:middle}.top .repourl{display:inline-block;font-size:12.5px;color:var(--a);text-decoration:none;margin-top:3px;word-break:break-all;font-family:ui-monospace,Menlo,monospace}.top .repourl:hover{text-decoration:underline}.top .head{color:var(--sub);font-size:14px;margin-top:4px}
+  .verdict{padding:18px 30px;border-bottom:1px solid #eef0f2}
+  .verdict .vhead{font-size:17px;font-weight:680;letter-spacing:-.01em;line-height:1.3;color:#0b0b0f}
+  .verdict .vkind{font-size:12px;color:#8b8f98;margin:3px 0 12px;font-weight:560}
+  .verdict .vlist{margin:0;padding:0;list-style:none;display:flex;flex-direction:column;gap:8px}
+  .verdict .vlist li{font-size:13.5px;line-height:1.5;color:#33333b}
+  .v-bad{background:#fff5f6} .v-bad .vhead{color:#be123c}
+  .v-warn{background:#fffaf0} .v-warn .vhead{color:#b45309}
+  .v-ok{background:#f0fdf4} .v-ok .vhead{color:#15803d}
+  .v-neutral{background:#fafafb}
   .trustbar{display:flex;align-items:center;gap:14px;padding:13px 30px;background:#f0fdf4;border-bottom:1px solid #dcfce7;flex-wrap:wrap}
   .hgauge{display:inline-flex;align-items:center;gap:8px;font-weight:680;color:#15803d;font-size:14px}
   .hdot{width:10px;height:10px;border-radius:50%;background:#16a34a;box-shadow:0 0 0 4px rgba(22,163,74,.16)}