npm - @pseolint/core - Versions diffs - 0.4.3 → 0.5.4 - Mend

@pseolint/core 0.4.3 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (270) hide show

package/README.md +264 -169
package/dist/ai/manifest/diff.d.ts +78 -0
package/dist/ai/manifest/diff.d.ts.map +1 -0
package/dist/ai/manifest/diff.js +139 -0
package/dist/ai/manifest/diff.js.map +1 -0
package/dist/ai/manifest/index.d.ts +18 -0
package/dist/ai/manifest/index.d.ts.map +1 -0
package/dist/ai/manifest/index.js +15 -0
package/dist/ai/manifest/index.js.map +1 -0
package/dist/ai/manifest/validate-manifest.d.ts +37 -0
package/dist/ai/manifest/validate-manifest.d.ts.map +1 -0
package/dist/ai/manifest/validate-manifest.js +67 -0
package/dist/ai/manifest/validate-manifest.js.map +1 -0
package/dist/ai/manifest/validators/domain-patches.d.ts +15 -0
package/dist/ai/manifest/validators/domain-patches.d.ts.map +1 -0
package/dist/ai/manifest/validators/domain-patches.js +110 -0
package/dist/ai/manifest/validators/domain-patches.js.map +1 -0
package/dist/ai/manifest/validators/index.d.ts +5 -0
package/dist/ai/manifest/validators/index.d.ts.map +1 -0
package/dist/ai/manifest/validators/index.js +4 -0
package/dist/ai/manifest/validators/index.js.map +1 -0
package/dist/ai/manifest/validators/page-changes.d.ts +36 -0
package/dist/ai/manifest/validators/page-changes.d.ts.map +1 -0
package/dist/ai/manifest/validators/page-changes.js +221 -0
package/dist/ai/manifest/validators/page-changes.js.map +1 -0
package/dist/ai/manifest/validators/types.d.ts +17 -0
package/dist/ai/manifest/validators/types.d.ts.map +1 -0
package/dist/ai/manifest/validators/types.js +5 -0
package/dist/ai/manifest/validators/types.js.map +1 -0
package/dist/ai/orchestrate.d.ts +74 -0
package/dist/ai/orchestrate.d.ts.map +1 -0
package/dist/ai/orchestrate.js +54 -0
package/dist/ai/orchestrate.js.map +1 -0
package/dist/ai/orchestrator/budget.d.ts +57 -0
package/dist/ai/orchestrator/budget.d.ts.map +1 -0
package/dist/ai/orchestrator/budget.js +114 -0
package/dist/ai/orchestrator/budget.js.map +1 -0
package/dist/ai/orchestrator/finish-tool.d.ts +568 -0
package/dist/ai/orchestrator/finish-tool.d.ts.map +1 -0
package/dist/ai/orchestrator/finish-tool.js +114 -0
package/dist/ai/orchestrator/finish-tool.js.map +1 -0
package/dist/ai/orchestrator/index.d.ts +25 -0
package/dist/ai/orchestrator/index.d.ts.map +1 -0
package/dist/ai/orchestrator/index.js +21 -0
package/dist/ai/orchestrator/index.js.map +1 -0
package/dist/ai/orchestrator/log.d.ts +24 -0
package/dist/ai/orchestrator/log.d.ts.map +1 -0
package/dist/ai/orchestrator/log.js +48 -0
package/dist/ai/orchestrator/log.js.map +1 -0
package/dist/ai/orchestrator/page-cache.d.ts +64 -0
package/dist/ai/orchestrator/page-cache.d.ts.map +1 -0
package/dist/ai/orchestrator/page-cache.js +127 -0
package/dist/ai/orchestrator/page-cache.js.map +1 -0
package/dist/ai/orchestrator/prompt.d.ts +16 -0
package/dist/ai/orchestrator/prompt.d.ts.map +1 -0
package/dist/ai/orchestrator/prompt.js +52 -0
package/dist/ai/orchestrator/prompt.js.map +1 -0
package/dist/ai/orchestrator/runner.d.ts +65 -0
package/dist/ai/orchestrator/runner.d.ts.map +1 -0
package/dist/ai/orchestrator/runner.js +223 -0
package/dist/ai/orchestrator/runner.js.map +1 -0
package/dist/ai/orchestrator/session.d.ts +44 -0
package/dist/ai/orchestrator/session.d.ts.map +1 -0
package/dist/ai/orchestrator/session.js +64 -0
package/dist/ai/orchestrator/session.js.map +1 -0
package/dist/ai/orchestrator/types.d.ts +99 -0
package/dist/ai/orchestrator/types.d.ts.map +1 -0
package/dist/ai/orchestrator/types.js +8 -0
package/dist/ai/orchestrator/types.js.map +1 -0
package/dist/ai/probes/cache.d.ts +12 -0
package/dist/ai/probes/cache.d.ts.map +1 -0
package/dist/ai/probes/cache.js +46 -0
package/dist/ai/probes/cache.js.map +1 -0
package/dist/ai/tools/ask-ai-engine.d.ts +77 -0
package/dist/ai/tools/ask-ai-engine.d.ts.map +1 -0
package/dist/ai/tools/ask-ai-engine.js +253 -0
package/dist/ai/tools/ask-ai-engine.js.map +1 -0
package/dist/ai/tools/check-domain-crawler-access.d.ts +71 -0
package/dist/ai/tools/check-domain-crawler-access.d.ts.map +1 -0
package/dist/ai/tools/check-domain-crawler-access.js +76 -0
package/dist/ai/tools/check-domain-crawler-access.js.map +1 -0
package/dist/ai/tools/check-domain-llms-txt.d.ts +70 -0
package/dist/ai/tools/check-domain-llms-txt.d.ts.map +1 -0
package/dist/ai/tools/check-domain-llms-txt.js +75 -0
package/dist/ai/tools/check-domain-llms-txt.js.map +1 -0
package/dist/ai/tools/check-indexability.d.ts +58 -0
package/dist/ai/tools/check-indexability.d.ts.map +1 -0
package/dist/ai/tools/check-indexability.js +64 -0
package/dist/ai/tools/check-indexability.js.map +1 -0
package/dist/ai/tools/check-robots.d.ts +68 -0
package/dist/ai/tools/check-robots.d.ts.map +1 -0
package/dist/ai/tools/check-robots.js +90 -0
package/dist/ai/tools/check-robots.js.map +1 -0
package/dist/ai/tools/check-rule-answer-first.d.ts +54 -0
package/dist/ai/tools/check-rule-answer-first.d.ts.map +1 -0
package/dist/ai/tools/check-rule-answer-first.js +50 -0
package/dist/ai/tools/check-rule-answer-first.js.map +1 -0
package/dist/ai/tools/check-rule-canonical-consistency.d.ts +66 -0
package/dist/ai/tools/check-rule-canonical-consistency.d.ts.map +1 -0
package/dist/ai/tools/check-rule-canonical-consistency.js +51 -0
package/dist/ai/tools/check-rule-canonical-consistency.js.map +1 -0
package/dist/ai/tools/check-rule-citable-facts.d.ts +58 -0
package/dist/ai/tools/check-rule-citable-facts.d.ts.map +1 -0
package/dist/ai/tools/check-rule-citable-facts.js +41 -0
package/dist/ai/tools/check-rule-citable-facts.js.map +1 -0
package/dist/ai/tools/check-rule-content-modularity.d.ts +58 -0
package/dist/ai/tools/check-rule-content-modularity.d.ts.map +1 -0
package/dist/ai/tools/check-rule-content-modularity.js +45 -0
package/dist/ai/tools/check-rule-content-modularity.js.map +1 -0
package/dist/ai/tools/check-rule-faq-coverage.d.ts +54 -0
package/dist/ai/tools/check-rule-faq-coverage.d.ts.map +1 -0
package/dist/ai/tools/check-rule-faq-coverage.js +39 -0
package/dist/ai/tools/check-rule-faq-coverage.js.map +1 -0
package/dist/ai/tools/check-rule-freshness-signals.d.ts +54 -0
package/dist/ai/tools/check-rule-freshness-signals.d.ts.map +1 -0
package/dist/ai/tools/check-rule-freshness-signals.js +45 -0
package/dist/ai/tools/check-rule-freshness-signals.js.map +1 -0
package/dist/ai/tools/check-rule-json-ld-valid.d.ts +54 -0
package/dist/ai/tools/check-rule-json-ld-valid.d.ts.map +1 -0
package/dist/ai/tools/check-rule-json-ld-valid.js +44 -0
package/dist/ai/tools/check-rule-json-ld-valid.js.map +1 -0
package/dist/ai/tools/check-rule-missing-author.d.ts +54 -0
package/dist/ai/tools/check-rule-missing-author.d.ts.map +1 -0
package/dist/ai/tools/check-rule-missing-author.js +45 -0
package/dist/ai/tools/check-rule-missing-author.js.map +1 -0
package/dist/ai/tools/check-rule-near-duplicate.d.ts +82 -0
package/dist/ai/tools/check-rule-near-duplicate.d.ts.map +1 -0
package/dist/ai/tools/check-rule-near-duplicate.js +63 -0
package/dist/ai/tools/check-rule-near-duplicate.js.map +1 -0
package/dist/ai/tools/check-rule-required-fields.d.ts +50 -0
package/dist/ai/tools/check-rule-required-fields.d.ts.map +1 -0
package/dist/ai/tools/check-rule-required-fields.js +38 -0
package/dist/ai/tools/check-rule-required-fields.js.map +1 -0
package/dist/ai/tools/check-rule-schema-consistency.d.ts +54 -0
package/dist/ai/tools/check-rule-schema-consistency.d.ts.map +1 -0
package/dist/ai/tools/check-rule-schema-consistency.js +44 -0
package/dist/ai/tools/check-rule-schema-consistency.js.map +1 -0
package/dist/ai/tools/check-rule-summary-bait.d.ts +54 -0
package/dist/ai/tools/check-rule-summary-bait.d.ts.map +1 -0
package/dist/ai/tools/check-rule-summary-bait.js +39 -0
package/dist/ai/tools/check-rule-summary-bait.js.map +1 -0
package/dist/ai/tools/check-rule-thin-content.d.ts +66 -0
package/dist/ai/tools/check-rule-thin-content.d.ts.map +1 -0
package/dist/ai/tools/check-rule-thin-content.js +58 -0
package/dist/ai/tools/check-rule-thin-content.js.map +1 -0
package/dist/ai/tools/detect-templates.d.ts +60 -0
package/dist/ai/tools/detect-templates.d.ts.map +1 -0
package/dist/ai/tools/detect-templates.js +43 -0
package/dist/ai/tools/detect-templates.js.map +1 -0
package/dist/ai/tools/fetch-page.d.ts +70 -0
package/dist/ai/tools/fetch-page.d.ts.map +1 -0
package/dist/ai/tools/fetch-page.js +93 -0
package/dist/ai/tools/fetch-page.js.map +1 -0
package/dist/ai/tools/fetch-sitemap.d.ts +60 -0
package/dist/ai/tools/fetch-sitemap.d.ts.map +1 -0
package/dist/ai/tools/fetch-sitemap.js +116 -0
package/dist/ai/tools/fetch-sitemap.js.map +1 -0
package/dist/ai/tools/index.d.ts +1555 -0
package/dist/ai/tools/index.d.ts.map +1 -0
package/dist/ai/tools/index.js +119 -0
package/dist/ai/tools/index.js.map +1 -0
package/dist/ai/tools/parse-page.d.ts +94 -0
package/dist/ai/tools/parse-page.d.ts.map +1 -0
package/dist/ai/tools/parse-page.js +108 -0
package/dist/ai/tools/parse-page.js.map +1 -0
package/dist/ai/tools/query-serp.d.ts +113 -0
package/dist/ai/tools/query-serp.d.ts.map +1 -0
package/dist/ai/tools/query-serp.js +131 -0
package/dist/ai/tools/query-serp.js.map +1 -0
package/dist/ai/tools/sample-template.d.ts +67 -0
package/dist/ai/tools/sample-template.d.ts.map +1 -0
package/dist/ai/tools/sample-template.js +75 -0
package/dist/ai/tools/sample-template.js.map +1 -0
package/dist/ai/tools/types.d.ts +73 -0
package/dist/ai/tools/types.d.ts.map +1 -0
package/dist/ai/tools/types.js +64 -0
package/dist/ai/tools/types.js.map +1 -0
package/dist/ai/tools/validate-jsonld.d.ts +62 -0
package/dist/ai/tools/validate-jsonld.d.ts.map +1 -0
package/dist/ai/tools/validate-jsonld.js +84 -0
package/dist/ai/tools/validate-jsonld.js.map +1 -0
package/dist/auditor.d.ts +4 -0
package/dist/auditor.d.ts.map +1 -1
package/dist/auditor.js +629 -64
package/dist/auditor.js.map +1 -1
package/dist/backpressure.d.ts.map +1 -1
package/dist/backpressure.js +10 -3
package/dist/backpressure.js.map +1 -1
package/dist/enrich-findings.d.ts.map +1 -1
package/dist/enrich-findings.js +15 -1
package/dist/enrich-findings.js.map +1 -1
package/dist/formatters/console.d.ts.map +1 -1
package/dist/formatters/console.js +13 -0
package/dist/formatters/console.js.map +1 -1
package/dist/formatters/markdown.d.ts.map +1 -1
package/dist/formatters/markdown.js +20 -2
package/dist/formatters/markdown.js.map +1 -1
package/dist/index.d.ts +12 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +8 -0
package/dist/index.js.map +1 -1
package/dist/rule-references.d.ts.map +1 -1
package/dist/rule-references.js +5 -0
package/dist/rule-references.js.map +1 -1
package/dist/rules/content/heading-structure.d.ts +21 -0
package/dist/rules/content/heading-structure.d.ts.map +1 -0
package/dist/rules/content/heading-structure.js +56 -0
package/dist/rules/content/heading-structure.js.map +1 -0
package/dist/rules/content/image-alt-text.d.ts +18 -0
package/dist/rules/content/image-alt-text.d.ts.map +1 -0
package/dist/rules/content/image-alt-text.js +77 -0
package/dist/rules/content/image-alt-text.js.map +1 -0
package/dist/rules/content/title-uniqueness.d.ts +18 -0
package/dist/rules/content/title-uniqueness.d.ts.map +1 -0
package/dist/rules/content/title-uniqueness.js +70 -0
package/dist/rules/content/title-uniqueness.js.map +1 -0
package/dist/rules/links/host-section-divergence.d.ts +3 -0
package/dist/rules/links/host-section-divergence.d.ts.map +1 -0
package/dist/rules/links/host-section-divergence.js +158 -0
package/dist/rules/links/host-section-divergence.js.map +1 -0
package/dist/rules/links/link-depth.d.ts +12 -1
package/dist/rules/links/link-depth.d.ts.map +1 -1
package/dist/rules/links/link-depth.js +25 -12
package/dist/rules/links/link-depth.js.map +1 -1
package/dist/rules/scope.d.ts.map +1 -1
package/dist/rules/scope.js +5 -0
package/dist/rules/scope.js.map +1 -1
package/dist/rules/spam/doorway-pattern.d.ts.map +1 -1
package/dist/rules/spam/doorway-pattern.js +27 -4
package/dist/rules/spam/doorway-pattern.js.map +1 -1
package/dist/rules/spam/publication-velocity.d.ts +1 -1
package/dist/rules/spam/publication-velocity.d.ts.map +1 -1
package/dist/rules/spam/publication-velocity.js +9 -4
package/dist/rules/spam/publication-velocity.js.map +1 -1
package/dist/rules/spam/template-coverage.js +1 -1
package/dist/rules/spam/template-coverage.js.map +1 -1
package/dist/rules/spam/template-diversity.js +1 -1
package/dist/rules/spam/template-diversity.js.map +1 -1
package/dist/rules/tech/hreflang-consistency.d.ts.map +1 -1
package/dist/rules/tech/hreflang-consistency.js +33 -4
package/dist/rules/tech/hreflang-consistency.js.map +1 -1
package/dist/rules/tech/og-completeness.d.ts +11 -0
package/dist/rules/tech/og-completeness.d.ts.map +1 -1
package/dist/rules/tech/og-completeness.js +22 -23
package/dist/rules/tech/og-completeness.js.map +1 -1
package/dist/ruleset-version.d.ts +8 -0
package/dist/ruleset-version.d.ts.map +1 -0
package/dist/ruleset-version.js +8 -0
package/dist/ruleset-version.js.map +1 -0
package/dist/scrape-strategy.d.ts +42 -0
package/dist/scrape-strategy.d.ts.map +1 -0
package/dist/scrape-strategy.js +101 -0
package/dist/scrape-strategy.js.map +1 -0
package/dist/site-classifier.d.ts.map +1 -1
package/dist/site-classifier.js +1 -0
package/dist/site-classifier.js.map +1 -1
package/dist/state.d.ts +36 -1
package/dist/state.d.ts.map +1 -1
package/dist/state.js +3 -1
package/dist/state.js.map +1 -1
package/dist/stratified-sample.d.ts +9 -1
package/dist/stratified-sample.d.ts.map +1 -1
package/dist/stratified-sample.js +23 -6
package/dist/stratified-sample.js.map +1 -1
package/dist/types.d.ts +135 -2
package/dist/types.d.ts.map +1 -1
package/dist/url-normalize.d.ts.map +1 -1
package/dist/url-normalize.js +13 -1
package/dist/url-normalize.js.map +1 -1
package/package.json +90 -90

package/README.md CHANGED Viewed

@@ -1,170 +1,265 @@
-# @pseolint/core
-> Programmatic SEO audit engine for SpamBrain-risk detection across large template-generated sites.
-The core engine behind [pseolint](https://www.npmjs.com/package/pseolint). Use this package to embed pSEO auditing into your own tools, CI pipelines, or SaaS products.
-## Install
-```bash
-npm install @pseolint/core
-```
-## Usage
-```ts
-import { auditSource } from "@pseolint/core";
-const summary = await auditSource("./out");
-console.log(`Score: ${summary.score}/100`);
-console.log(`Findings: ${summary.findings.length}`);
-```
-`auditSource` accepts a local directory, a single HTML file, a page URL, or a sitemap URL.
-## What It Checks
-32 rules grouped into 4 scoring super-categories (v0.4): **Integrity** (spam + content + cannibal, weight 0.50), **Discoverability** (links + tech, 0.20), **Citation** (aeo + schema, 0.25), **Data** (0.05). Source-tree namespaces remain `spam/*`, `aeo/*`, etc. for stable rule IDs.
-- **Spam / SpamBrain risk** (8) — near-duplicate (SimHash), entity-swap doorways, thin content, boilerplate ratio, template diversity, template coverage, publication velocity, doorway pattern
-- **Technical SEO** (8) — canonical consistency, canonical/noindex and robots/noindex conflicts, sitemap completeness, robots compliance, redirect chains, soft 404s, Open Graph, hreflang
-- **AEO / AI Overview citability** (9, v0.3.0–v0.3.1) — `llms.txt` presence, AI-crawler access in robots.txt, freshness signals, FAQ coverage, answer-first opener, citable-fact density, non-replicable value, content modularity, **summary-bait** (pages optimized for summarization over retention)
-- **Content** (5) — unique value, heading / meta uniqueness, author attribution, E-E-A-T signals
-- **Internal linking** (5) — orphan pages, dead ends, cluster connectivity, hub pages, link depth
-- **Structured data** (3) — JSON-LD validity, required fields, cross-page schema consistency
-- **Cannibalization** (3) — title overlap, keyword collision, URL pattern conflicts
-- **Data binding** (2) — verify rendered pages expose values from a source dataset (missing or identical-across-pages bindings)
-## API
-### `auditSource(source, options?)`
-Returns an `AuditSummary` with composite score, category scores, enriched findings, and optional cache / state / AI-triage metadata.
-Selected options (see `AuditOptions` in `types.ts` for the full surface):
-```ts
-await auditSource("https://example.com/sitemap.xml", {
-  concurrency: 5,
-  timeout: 30_000,
-  sampleSize: 200,
-  samplingStrategy: "stratified",        // or "random"
-  ignore: ["**/api/**"],
-  maxFetchBytes: 52_428_800,             // 50 MB hard cap per run
-  cache: { dir: ".pseolint/cache", ttlMs: 7 * 24 * 60 * 60 * 1000 },
-  state: { path: ".pseolint/state.json", since: true, exitOnRegression: true },
-  pageGroups: {
-    blog:     { match: "**/blog/**", rules: ["content/*", "spam/*"] },
-    products: { match: "**/p/**",    overrides: { "spam/thin-content": { thinContentMinWords: 200 } } },
-  },
-  dataSource: { records: [{ url: "/p/*", data: { price: "$19", stock: 12 } }] },
-  entityPatterns: [{ placeholder: "[CITY]", pattern: "\\b(NYC|LA|SF)\\b", flags: "gi" }],
-  ai: { enabled: true, provider: "anthropic", model: "claude-haiku-4-5-20251001", maxCostUsd: 0.1 },
-  telemetry: { enabled: true, path: ".pseolint/telemetry.jsonl" },
-  // Safety (v0.3.2–v0.3.3)
-  safeMode: "saas",                       // "saas" | "cli" — flips guardSsrf + caps
-  guardSsrf: true,                        // DNS-validated SSRF check on every URL
-  respectRobotsTxt: true,                 // skip sitemap URLs Disallow'd by target robots.txt
-  followRedirects: true,
-  maxCrawlDiscovered: 2000,               // hard ceiling on link-discovery fan-out
-  signal: controller.signal,              // AbortSignal — ctrl-C / quota-exhausted cancels cleanly
-  rules: {
-    nearDuplicateThreshold: 0.85,
-    thinContentMinWords: 300,
-    titleOverlapThreshold: 0.8,
-    // ...
-  },
-});
-```
-### Safety primitives (SSRF, abort, crawl-ceiling)
-`@pseolint/core` ships a few primitives for hosts that run audits against
-user-submitted URLs. All are opt-in; local CLI use doesn't change.
-```ts
-import {
-  safeFetch,             // SSRF-safe fetch for non-audit use cases
-  validateTargetHost,    // throws SSRFError on private-range / DNS-rebinding targets
-  isPrivateOrReservedHost,
-  SSRFError,
-  DnsResolutionError,
-} from "@pseolint/core";
-// Validate a user-submitted URL before enqueuing:
-await validateTargetHost(new URL(userUrl).hostname);
-// Fetch with SSRF guard baked in:
-const res = await safeFetch(userUrl, { timeoutMs: 10_000, followRedirects: false });
-```
-The full audit picks up the same guard via `auditSource(url, { safeMode: "saas" })`
-or via the individual `guardSsrf` / `respectRobotsTxt` / `followRedirects` flags.
-### Render-mode analytics blocking
-Rendered audits (`options.render = {...}`) block known analytics endpoints
-by default so the audit doesn't inject fake sessions into the site owner's
-GA / Plausible / PostHog / Mixpanel / Hotjar / Sentry dashboards.
-```ts
-await auditSource(url, {
-  render: {
-    analyticsMode: "block",               // default — blocks ~40 analytics hosts
-    // "allow-first-party" — block third-party only
-    // "allow" — don't intercept anything
-    extraBlockedHosts: ["my-internal-metrics.corp"],
-  },
-});
-```
-### Formatters
-```ts
-import { formatConsole, formatJson, formatMarkdown, formatHtml } from "@pseolint/core";
-const out = formatConsole(summary);
-const json = formatJson(summary);
-const md   = formatMarkdown(summary);
-const html = formatHtml(summary);
-```
-### AI triage
-When `ai.enabled` is set, findings are clustered into root-causes by an LLM. Providers are loaded lazily from optional peer deps — install only the one you need:
-```bash
-npm install @ai-sdk/anthropic   # or @ai-sdk/openai, @ai-sdk/google, @ai-sdk/mistral,
-                                #    @ai-sdk/groq, @ai-sdk/xai, @ai-sdk/cohere,
-                                #    ollama-ai-provider-v2
-```
-```ts
-import { triageFindings, createLanguageModel, estimateCostUsd } from "@pseolint/core";
-```
-Cost and daily-budget caps are enforced pre-flight; results are cached on disk by default.
-### Delta runs & regression gating
-Pass `state.since: true` to audit only URLs whose content hash changed since the last run, and `state.exitOnRegression: true` to flag a run where a new rule ID fires on any previously clean URL (`summary.hasRegression`).
-### Caching
-Setting `cache` enables an ETag/Last-Modified-aware disk cache for HTTP fetches. `summary.cacheStats` reports `{ hits, total, bytesSavedEstimate }`.
-### Page groups
-Classify pages by glob and apply different rule subsets or threshold overrides per group. Results are surfaced in `summary.groupScores` / `summary.groupPageCounts`.
-### Rendering
-For client-rendered pages, install `playwright-core` and pass `render: { browserWsEndpoint }` to connect to an existing browser endpoint.
-## Peer dependencies
-All AI providers and `playwright-core` are optional peers — you only install the ones you actually use.
-## License
+# @pseolint/core
+> Programmatic SEO audit engine for SpamBrain-risk detection across large template-generated sites.
+The core engine behind [pseolint](https://www.npmjs.com/package/pseolint). Use this package to embed pSEO auditing into your own tools, CI pipelines, or SaaS products.
+## Install
+```bash
+npm install @pseolint/core
+```
+## Usage
+```ts
+import { auditSource } from "@pseolint/core";
+const summary = await auditSource("./out");
+console.log(`Score: ${summary.score}/100`);
+console.log(`Findings: ${summary.findings.length}`);
+```
+`auditSource` accepts a local directory, a single HTML file, a page URL, or a sitemap URL.
+## What It Checks
+45 rules grouped into 4 scoring super-categories (v0.4): **Integrity** (spam + content + cannibal, weight 0.50), **Discoverability** (links + tech, 0.20), **Citation** (aeo + schema, 0.25), **Data** (0.05). Source-tree namespaces remain `spam/*`, `aeo/*`, etc. for stable rule IDs.
+- **Spam / SpamBrain risk** (8) — near-duplicate (SimHash), entity-swap doorways, thin content, boilerplate ratio, template diversity, template coverage, publication velocity, doorway pattern (cluster-collapsed since v0.5.2)
+- **Technical SEO** (9) — canonical consistency, canonical/noindex and robots/noindex conflicts, sitemap completeness, robots compliance, redirect chains, soft 404s, hreflang reciprocity, robots-sitemap presence, **og-completeness** (v0.5.2)
+- **AEO / AI Overview citability** (8, v0.3.0–v0.3.1) — `llms.txt` presence, AI-crawler access in robots.txt, freshness signals, FAQ coverage, answer-first opener, citable-fact density, content modularity, **summary-bait** (pages optimized for summarization over retention)
+- **Content** (7) — unique value, meta uniqueness, author attribution, E-E-A-T signals, plus **title-uniqueness**, **heading-structure**, **image-alt-text** (all v0.5.2)
+- **Internal linking** (6) — orphan pages, dead ends, cluster connectivity, link depth, unreachable-from-root (sample-aware), **host-section-divergence** (v0.5.1, site-reputation-abuse detector)
+- **Structured data** (3) — JSON-LD validity, required fields, cross-page schema consistency
+- **Cannibalization** (1) — URL pattern conflicts (`title-overlap` and `keyword-collision` were dropped in v0.4 due to high false-positive rates)
+- **Data binding** (2) — verify rendered pages expose values from a source dataset (missing or identical-across-pages bindings)
+## What's new in v0.5.2 — credibility layer
+- **4 new content-quality rules** addressing the v0.5.1 blind-spot audit's tier-1 gaps: `content/title-uniqueness` (raw, not entity-masked — catalog templates with per-record entity values still pass), `content/heading-structure` (H1 presence, single-H1, hierarchy), `content/image-alt-text` (skips `role="presentation"` / `aria-hidden="true"` / explicit `alt=""`), `tech/og-completeness` (the README-promised rule that finally ships).
+- **`AuditOptions.authorityScore`** (0-100) — bring-your-own-DA. ≥80 shifts the verdict ladder one tier lenient (established brand can absorb shapes a newer site can't). ≤30 shifts one tier stricter (newer/lower-authority operator). Raw `risk` number unchanged so CI gates stay stable. The engine itself remains authority-blind by design — no Moz/Ahrefs/Semrush dependency.
+- **`AuditOptions.sampleSeed`** — deterministic `mulberry32` PRNG plumbed through the stratified sampler. Repeated audits with the same seed pick the same pages and produce reproducible verdicts.
+- **`spam/doorway-pattern` cluster collapse** — emits in the same `pageUrl` + `relatedUrls[0]` shape as `spam/near-duplicate` and is registered in `CLUSTERABLE_RULES`. C(N,2) per-pair findings on entity-swap-heavy catalogs collapse into one cluster finding per template-tied group.
+- **Per-bucket info-severity cap** — a flood of info findings can't fill a category bucket on its own (capped at 50 separately from the 100 cap on warning+ findings).
+- **`summary.appliedSeverityDemotions: string[]`** — engine emits the list of rule IDs whose severity was overridden by the active scoring profile so consumers (formatters, CI) can show *which* rules got demoted and *why*. Pass `--strict` to disable demotions entirely.
+- **Sample-aware rules** — `links/unreachable-from-root` skips on partial-sample audits (it can't distinguish real graph isolation from sample-shape).
+- **Markdown formatter** collapses informational findings under `<details>` so PR comments don't drown actionable items in 100+ info bullets.
+The full per-round iteration story (9 calibration rounds against a curated reputable-pSEO corpus) and the trade-offs we accepted are at [`docs/superpowers/specs/2026-05-03-calibration-against-reputable-pseo.md`](../../docs/superpowers/specs/2026-05-03-calibration-against-reputable-pseo.md). The honest blind-spot audit (what we still don't detect, including the domain-authority gap that motivated `--authority-score`) is at [`docs/superpowers/specs/2026-05-03-pseolint-blind-spots.md`](../../docs/superpowers/specs/2026-05-03-pseolint-blind-spots.md). The dated user-facing methodology summary is at [pseolint.dev/methodology](https://pseolint.dev/methodology).
+## API
+### `auditSource(source, options?)`
+Returns an `AuditSummary` with composite score, category scores, enriched findings, and optional cache / state / AI-triage metadata.
+Selected options (see `AuditOptions` in `types.ts` for the full surface):
+```ts
+await auditSource("https://example.com/sitemap.xml", {
+  concurrency: 5,
+  timeout: 30_000,
+  sampleSize: 200,
+  samplingStrategy: "stratified",        // or "random"
+  ignore: ["**/api/**"],
+  maxFetchBytes: 52_428_800,             // 50 MB hard cap per run
+  cache: { dir: ".pseolint/cache", ttlMs: 7 * 24 * 60 * 60 * 1000 },
+  state: {
+    path: ".pseolint/state.json",
+    mode: "monitoring",       // v0.5+: pre-fetch decision matrix; "fresh" forces full re-audit.
+                              // Omit to auto-monitor when prior state exists.
+    ageFloorDays: 7,          // v0.5+: forces refetch on URLs older than N days
+    exitOnRegression: true,
+    since: true,              // v0.5+ alias for mode: "monitoring" (back-compat)
+  },
+  pageGroups: {
+    blog:     { match: "**/blog/**", rules: ["content/*", "spam/*"] },
+    products: { match: "**/p/**",    overrides: { "spam/thin-content": { thinContentMinWords: 200 } } },
+  },
+  dataSource: { records: [{ url: "/p/*", data: { price: "$19", stock: 12 } }] },
+  entityPatterns: [{ placeholder: "[CITY]", pattern: "\\b(NYC|LA|SF)\\b", flags: "gi" }],
+  ai: { enabled: true, provider: "anthropic", model: "claude-haiku-4-5-20251001", maxCostUsd: 0.1 },
+  telemetry: { enabled: true, path: ".pseolint/telemetry.jsonl" },
+  // Safety (v0.3.2–v0.3.3)
+  safeMode: "saas",                       // "saas" | "cli" — flips guardSsrf + caps
+  guardSsrf: true,                        // DNS-validated SSRF check on every URL
+  respectRobotsTxt: true,                 // skip sitemap URLs Disallow'd by target robots.txt
+  followRedirects: true,
+  maxCrawlDiscovered: 2000,               // hard ceiling on link-discovery fan-out
+  signal: controller.signal,              // AbortSignal — ctrl-C / quota-exhausted cancels cleanly
+  rules: {
+    nearDuplicateThreshold: 0.85,
+    thinContentMinWords: 300,
+    titleOverlapThreshold: 0.8,
+    // ...
+  },
+});
+```
+### Safety primitives (SSRF, abort, crawl-ceiling)
+`@pseolint/core` ships a few primitives for hosts that run audits against
+user-submitted URLs. All are opt-in; local CLI use doesn't change.
+```ts
+import {
+  safeFetch,             // SSRF-safe fetch for non-audit use cases
+  validateTargetHost,    // throws SSRFError on private-range / DNS-rebinding targets
+  isPrivateOrReservedHost,
+  SSRFError,
+  DnsResolutionError,
+} from "@pseolint/core";
+// Validate a user-submitted URL before enqueuing:
+await validateTargetHost(new URL(userUrl).hostname);
+// Fetch with SSRF guard baked in:
+const res = await safeFetch(userUrl, { timeoutMs: 10_000, followRedirects: false });
+```
+The full audit picks up the same guard via `auditSource(url, { safeMode: "saas" })`
+or via the individual `guardSsrf` / `respectRobotsTxt` / `followRedirects` flags.
+### Render-mode analytics blocking
+Rendered audits (`options.render = {...}`) block known analytics endpoints
+by default so the audit doesn't inject fake sessions into the site owner's
+GA / Plausible / PostHog / Mixpanel / Hotjar / Sentry dashboards.
+```ts
+await auditSource(url, {
+  render: {
+    analyticsMode: "block",               // default — blocks ~40 analytics hosts
+    // "allow-first-party" — block third-party only
+    // "allow" — don't intercept anything
+    extraBlockedHosts: ["my-internal-metrics.corp"],
+  },
+});
+```
+### Formatters
+```ts
+import { formatConsole, formatJson, formatMarkdown, formatHtml } from "@pseolint/core";
+const out = formatConsole(summary);
+const json = formatJson(summary);
+const md   = formatMarkdown(summary);
+const html = formatHtml(summary);
+```
+### AI triage
+When `ai.enabled` is set, findings are clustered into root-causes by an LLM. Providers are loaded lazily from optional peer deps — install only the one you need:
+```bash
+npm install @ai-sdk/anthropic   # or @ai-sdk/openai, @ai-sdk/google, @ai-sdk/mistral,
+                                #    @ai-sdk/groq, @ai-sdk/xai, @ai-sdk/cohere,
+                                #    ollama-ai-provider-v2
+```
+```ts
+import { triageFindings, createLanguageModel, estimateCostUsd } from "@pseolint/core";
+```
+Cost and daily-budget caps are enforced pre-flight; results are cached on disk by default.
+### AI orchestrator (v0.5)
+Net-new in v0.5. `orchestrate()` drives an LLM through 25 deterministic tools (sitemap fetch, template clustering, per-page rule checks, AEO probes against live answer engines, SerpAPI) and produces a **fix manifest** of concrete patches — not just a list of findings.
+```ts
+import { orchestrate } from "@pseolint/core";
+const { session, manifest, validation, diff } = await orchestrate({
+  domain: "https://example.com",
+  userId: "demo",
+  budget: { maxSessionUsd: 3 },         // optional; default $5
+  onEvent: (e) => console.log(e),       // optional; SSE-friendly callback
+});
+if (session.reason === "completed") {
+  console.log(`Verdict: ${manifest!.verdict}`);
+  console.log(`${validation!.validPatches}/${validation!.totalPatches} patches valid`);
+}
+```
+**What you get:**
+- `manifest` — `FixManifest` with verdict, category grades, page/template/domain patches (replace_h1, rewrite_meta, add_jsonld, add_faq_block, rewrite_intro, add_internal_link, remove_thin_block, robots_txt, sitemap_xml, canonical_strategy)
+- `validation` — patch-by-patch `ManifestValidationReport`. Failed patches are dropped from the manifest before it returns; `failures` carries the location + reason.
+- `diff` — `ManifestDiff` of structured `PatchDiff` objects (5 kinds — text_replace, html_insert, html_remove, file_replace, guidance) suitable for direct UI rendering.
+**Architecture**: rules become tools the LLM calls. The LLM picks order. Budget caps (LLM tokens + external probe USD, pre-flight + reactive) bound spend. Watchdog injects a convergence reminder every N tool calls. AsyncLocalStorage-backed page cache means HTML never travels in conversation history — token cost stays bounded as audits scale.
+**Lower-level exports** for callers who want individual pieces:
+```ts
+import {
+  runOrchestrator,           // direct runner — bring your own LanguageModel
+  orchestratorTools,         // the 25-tool registry
+  defineTool,                // helper to add custom tools
+  validateManifest,          // walk a manifest, return per-failure report
+  diffManifest,              // produce a structured-diff projection
+  manifestSchema,            // Zod schema for FixManifest
+  buildSystemPrompt,         // canonical orchestrator system prompt
+  DEFAULT_BUDGET,            // BudgetCaps defaults
+} from "@pseolint/core";
+```
+External probes (`query_serp`, `ask_ai_engine`) read API keys from the call's `apiKey` arg or `SERPAPI_API_KEY` / `ANTHROPIC_API_KEY` / `PERPLEXITY_API_KEY` / `GOOGLE_GENERATIVE_AI_API_KEY` env vars.
+### Change-driven monitoring (v0.5)
+When prior state exists, `auditSource` defaults to **monitoring mode**: the decision matrix decides which URLs to fetch BEFORE the network round-trip. URLs without change signals are skipped entirely; their findings are carried forward from prior state with `carriedForward: true` and `lastVerifiedAt` markers.
+```ts
+import { planScrapeStrategy, CORE_RULESET_VERSION, DEFAULT_AGE_FLOOR_DAYS } from "@pseolint/core";
+// The decision matrix is also exposed as a pure function for callers that
+// want to plan their own fetches:
+const plan = planScrapeStrategy({
+  candidateUrls,
+  priorState,
+  sitemapLastmodByUrl,        // Map<url, ISO-string>
+  currentRulesetVersion: CORE_RULESET_VERSION,
+  ageFloorDays: DEFAULT_AGE_FLOOR_DAYS,
+  now: new Date(),
+  // Optional Pro-only inputs:
+  // gscDeltasByUrl, gscThresholds
+});
+// plan.refetch: Map<url, RefetchReason>
+// plan.skip:    Map<url, "unchanged">
+```
+**Reasons** (first match wins): `new` → `age` → `ruleset` → `recheck` (warning/error/critical only — info findings carry forward) → `lastmod` → `gsc` → `no-signal` → else `unchanged`.
+`AuditSummary.scrapePlan` reports `{ fetched, intended, carriedForward, reasonCounts, rulesetVersion, lastFullAuditAt }` — populated only on monitoring runs.
+**Bump `CORE_RULESET_VERSION`** when shipping a new rule or materially changing rule logic so monitoring runs re-evaluate previously-skipped URLs against the new ruleset.
+**Regression gating.** `state.exitOnRegression: true` flags a run where a new rule ID fires on any previously clean URL (`summary.hasRegression`). Carried-forward findings are excluded from the regression baseline so a regression on a skipped URL isn't masked by stale findings.
+### State schema v2
+`UrlStateEntry` v2 stores full finding records (not just IDs) so future runs can carry them forward. Persists `lastModified`, `etag`, `sitemapLastmodAtAudit`, `rulesetVersion` per URL. `RunState` adds `lastFullAuditAt` and `rulesetVersion`. Existing v1 state files (v0.4) are discarded on read with a warning, triggering one baseline re-audit.
+### Caching
+Setting `cache` enables an ETag/Last-Modified-aware disk cache for HTTP fetches. `summary.cacheStats` reports `{ hits, total, bytesSavedEstimate }`.
+### Page groups
+Classify pages by glob and apply different rule subsets or threshold overrides per group. Results are surfaced in `summary.groupScores` / `summary.groupPageCounts`.
+### Rendering
+For client-rendered pages, install `playwright-core` and pass `render: { browserWsEndpoint }` to connect to an existing browser endpoint.
+## Peer dependencies
+All AI providers and `playwright-core` are optional peers — you only install the ones you actually use.
+## License
 MIT

package/dist/ai/manifest/diff.d.ts ADDED Viewed

@@ -0,0 +1,78 @@
+import type { FixManifest } from "../orchestrator/finish-tool.js";
+type PageChange = FixManifest["pages"][number]["changes"][number];
+type DomainPatch = FixManifest["domainLevel"][number];
+/**
+ * Structured patch diff. Each manifest change maps to one of these,
+ * which downstream consumers (web UI, CLI, GitHub-PR generator) render
+ * differently:
+ *   - text_replace → before/after blocks side-by-side, copy-paste UI
+ *   - html_insert  → HTML snippet to paste into the named region
+ *   - html_remove  → CSS selector to delete
+ *   - file_replace → full-file diff (robots.txt / sitemap.xml)
+ *   - guidance     → freeform prose (canonical_strategy)
+ *
+ * Kept deliberately narrow — not a unified-diff library. The manifest
+ * patches are paste-into-CMS-friendly outputs, not source-level diffs.
+ */
+export type PatchDiff = {
+    kind: "text_replace";
+    field: "h1" | "title" | "meta_description" | "intro";
+    before: string;
+    after: string;
+    reason: string;
+} | {
+    kind: "html_insert";
+    target: "head" | "body" | "after_h1";
+    description: string;
+    html: string;
+    reason: string;
+} | {
+    kind: "html_remove";
+    selector: string;
+    reason: string;
+} | {
+    kind: "file_replace";
+    path: string;
+    before: string | null;
+    after: string;
+    reason: string;
+} | {
+    kind: "guidance";
+    topic: "canonical_strategy";
+    text: string;
+    reason: string;
+};
+/**
+ * Convert a single page-change into a `PatchDiff`. Pure transformation —
+ * does not validate (use `validatePageChange` for that). The two should
+ * be called in sequence at manifest finalization: validate first, drop
+ * failures, then diff the survivors.
+ */
+export declare function diffPageChange(c: PageChange): PatchDiff;
+/** Convert a single domain patch into a `PatchDiff`. */
+export declare function diffDomainPatch(p: DomainPatch): PatchDiff;
+export interface ManifestDiff {
+    pages: Array<{
+        url: string;
+        diffs: PatchDiff[];
+    }>;
+    templates: Array<{
+        templateId: string;
+        affectedUrlCount: number;
+        recommendation: string;
+        examples: Array<{
+            url: string;
+            diffs: PatchDiff[];
+        }>;
+    }>;
+    domainLevel: PatchDiff[];
+}
+/**
+ * Walk every patch in a manifest and produce a structured-diff projection.
+ * Mirrors the manifest's tree structure so the UI can render side-by-side
+ * (page list / template clusters / domain-level), each populated with
+ * already-typed patch diffs.
+ */
+export declare function diffManifest(manifest: FixManifest): ManifestDiff;
+export {};
+//# sourceMappingURL=diff.d.ts.map

package/dist/ai/manifest/diff.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../../src/ai/manifest/diff.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAElE,KAAK,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC;AAClE,KAAK,WAAW,GAAG,WAAW,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC;AAEtD;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,SAAS,GACjB;IACE,IAAI,EAAE,cAAc,CAAC;IACrB,KAAK,EAAE,IAAI,GAAG,OAAO,GAAG,kBAAkB,GAAG,OAAO,CAAC;IACrD,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,GACD;IACE,IAAI,EAAE,aAAa,CAAC;IACpB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB,GACD;IACE,IAAI,EAAE,aAAa,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB,GACD;IACE,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,GACD;IACE,IAAI,EAAE,UAAU,CAAC;IACjB,KAAK,EAAE,oBAAoB,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAgBN;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,UAAU,GAAG,SAAS,CAmEvD;AAED,wDAAwD;AACxD,wBAAgB,eAAe,CAAC,CAAC,EAAE,WAAW,GAAG,SAAS,CA0BzD;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE,CAAC,CAAC;IAClD,SAAS,EAAE,KAAK,CAAC;QACf,UAAU,EAAE,MAAM,CAAC;QACnB,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,QAAQ,EAAE,KAAK,CAAC;YAAE,GAAG,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,SAAS,EAAE,CAAA;SAAE,CAAC,CAAC;KACtD,CAAC,CAAC;IACH,WAAW,EAAE,SAAS,EAAE,CAAC;CAC1B;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,WAAW,GAAG,YAAY,CAiBhE"}