@qulib/core 0.2.1 → 0.3.0

package/dist/tools/auth-explorer.js

@@ -0,0 +1,346 @@
+import { AuthExplorationSchema, } from '../schemas/config.schema.js';
+import { launchBrowser } from './browser.js';
+import { BUILT_IN_OAUTH_PROVIDERS } from './oauth-providers.js';
+import { loadUserProviders } from './user-providers.js';
+const MAGIC_LINK_PATTERNS = [
+    /email me a (sign[- ]?in )?link/i,
+    /sign in with email/i,
+    /passwordless/i,
+    /we'll send you a link/i,
+];
+async function waitNetworkIdleBestEffort(page) {
+    try {
+        await page.waitForLoadState('networkidle', { timeout: 5000 });
+    }
+    catch {
+        // best-effort
+    }
+}
+function textLooksLikeOAuthIdpButton(text) {
+    const t = text.trim();
+    if (t.length === 0 || t.length > 120) {
+        return false;
+    }
+    return (/\b(sign in with|log in with|continue with|sign up with)\b/i.test(t) ||
+        /^(github|google|microsoft|apple)$/i.test(t));
+}
+function slugifyLabel(text) {
+    const s = text
+        .trim()
+        .toLowerCase()
+        .replace(/\s+/g, '-')
+        .replace(/[^a-z0-9-]/g, '')
+        .slice(0, 48);
+    return s.length > 0 ? s : 'unknown';
+}
+function onLoginishPage(url) {
+    return /login|sign[- ]?in|auth|sso|oauth/i.test(new URL(url).pathname + new URL(url).hostname);
+}
+function debugExplore() {
+    return process.env.QULIB_DEBUG === '1';
+}
+function isHeuristicUnknownSso(text, loginish) {
+    const t = text.trim();
+    if (!loginish || t.length < 3 || t.length > 80) {
+        return false;
+    }
+    if (/^(submit|cancel|back|close|next|skip|help|faq)$/i.test(t)) {
+        return false;
+    }
+    if (/\b(sign in with|log in with|continue with)\b/i.test(t)) {
+        return true;
+    }
+    if (/\b(sync|sso|portal|workspace|federation)\b/i.test(t)) {
+        return true;
+    }
+    return false;
+}
+function storageRequirement() {
+    return {
+        method: 'storage-state',
+        instruction: 'OAuth and most SSO flows cannot be scripted. Run `qulib auth init --base-url <app-url>` on this machine, then pass the saved storage state JSON to `analyze` or MCP `analyze_app` as `auth: { type: "storage-state", path: "..." }`.',
+    };
+}
+async function collectVisibleControlTexts(page) {
+    return page.evaluate(() => {
+        const seen = new Set();
+        const out = [];
+        const nodes = document.querySelectorAll('button, a[href], [role="button"]');
+        for (const el of nodes) {
+            const t = (el.textContent ?? '').trim().replace(/\s+/g, ' ');
+            if (!t || t.length > 120) {
+                continue;
+            }
+            const style = window.getComputedStyle(el);
+            if (style.display === 'none' || style.visibility === 'hidden' || style.opacity === '0') {
+                continue;
+            }
+            if (!seen.has(t)) {
+                seen.add(t);
+                out.push(t);
+            }
+        }
+        return out;
+    });
+}
+function buildAllProviders() {
+    const builtIn = BUILT_IN_OAUTH_PROVIDERS.map((p) => ({ ...p, source: 'built-in' }));
+    const user = loadUserProviders().map((p) => ({ ...p, source: 'user-local' }));
+    return [...builtIn, ...user];
+}
+function matchProvider(text, p) {
+    return p.patterns.some((re) => re.test(text));
+}
+function oauthConfidence(source, loginish) {
+    if (source === 'user-local') {
+        return 'high';
+    }
+    if (source === 'built-in' && loginish) {
+        return 'high';
+    }
+    if (source === 'built-in') {
+        return 'medium';
+    }
+    return 'low';
+}
+async function buildFormPaths(page) {
+    const passwordCount = await page.locator('input[type="password"]').count();
+    if (passwordCount === 0) {
+        return [];
+    }
+    const formType = passwordCount > 1 ? 'form-multi' : 'form-login';
+    const fields = await page.evaluate(() => {
+        const pwd = document.querySelector('input[type="password"]');
+        if (!pwd) {
+            return [];
+        }
+        const form = pwd.closest('form') ?? document.body;
+        const out = [];
+        const inputs = form.querySelectorAll('input, select, textarea');
+        for (const el of inputs) {
+            if (!(el instanceof HTMLElement)) {
+                continue;
+            }
+            const tag = el.tagName.toLowerCase();
+            if (tag === 'input') {
+                const inp = el;
+                const t = (inp.type || 'text').toLowerCase();
+                if (['hidden', 'submit', 'button', 'image', 'reset'].includes(t)) {
+                    continue;
+                }
+                let fieldType = 'text';
+                if (t === 'password') {
+                    fieldType = 'password';
+                }
+                else if (t === 'email') {
+                    fieldType = 'email';
+                }
+                else if (t === 'checkbox') {
+                    fieldType = 'checkbox';
+                }
+                const id = inp.id;
+                let label = inp.getAttribute('aria-label') ?? inp.placeholder ?? inp.name ?? fieldType;
+                if (id) {
+                    const lab = document.querySelector(`label[for="${CSS.escape(id)}"]`);
+                    if (lab?.textContent) {
+                        label = lab.textContent.trim();
+                    }
+                }
+                out.push({
+                    name: inp.name || inp.id || fieldType,
+                    label: label.slice(0, 120),
+                    type: fieldType,
+                    observedOptions: [],
+                });
+            }
+            else if (tag === 'select') {
+                const sel = el;
+                const opts = Array.from(sel.options).map((o) => o.text.trim()).filter(Boolean);
+                out.push({
+                    name: sel.name || sel.id || 'select',
+                    label: (sel.getAttribute('aria-label') ?? sel.name ?? 'select').slice(0, 120),
+                    type: 'select',
+                    observedOptions: opts.slice(0, 50),
+                });
+            }
+        }
+        return out;
+    });
+    const requirements = fields.length > 0
+        ? { method: 'credentials', fields }
+        : {
+            method: 'unknown',
+            instruction: 'A password field exists but field metadata could not be read. Inspect the page in devtools and configure form-login selectors manually, or use `qulib auth init`.',
+        };
+    return [
+        {
+            id: formType === 'form-multi' ? 'form-multi' : 'form-login',
+            label: formType === 'form-multi' ? 'Multi-field sign-in form' : 'Username / password form',
+            type: formType,
+            provider: null,
+            source: 'heuristic',
+            automatable: requirements.method === 'credentials',
+            confidence: requirements.method === 'credentials' ? 'medium' : 'low',
+            requirements,
+        },
+    ];
+}
+export async function exploreAuth(url, timeoutMs = 20000, progress) {
+    const browser = await launchBrowser();
+    try {
+        const context = await browser.newContext();
+        const page = await context.newPage();
+        progress?.info(`explore_auth URL=${url}`);
+        await page.goto(url, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
+        await waitNetworkIdleBestEffort(page);
+        if (debugExplore()) {
+            const html = await page.content();
+            progress?.debug(`explore_auth HTML byteLength=${Buffer.byteLength(html, 'utf8')}`);
+        }
+        const loginishAfterFirst = /login|sign[- ]?in|auth/i.test(page.url()) || (await page.locator('input[type="password"]').count()) > 0;
+        if (!loginishAfterFirst) {
+            const loginLink = page.locator('a').filter({ hasText: /^(log ?in|sign ?in|sign in)$/i }).first();
+            const cnt = await loginLink.count();
+            progress?.debug(`explore_auth selector loginLink count=${cnt}`);
+            if (cnt > 0) {
+                const href = await loginLink.getAttribute('href');
+                progress?.debug(`explore_auth selector loginLink href matched=${Boolean(href)}`);
+                if (href) {
+                    const next = new URL(href, url).toString();
+                    await page.goto(next, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
+                    await waitNetworkIdleBestEffort(page);
+                }
+            }
+        }
+        const finalUrl = page.url();
+        const loginish = onLoginishPage(finalUrl) || (await page.locator('input[type="password"]').count()) > 0;
+        const allProviders = buildAllProviders();
+        const texts = await collectVisibleControlTexts(page);
+        const consumed = new Set();
+        const authPaths = [];
+        const unrecognizedButtons = [];
+        for (const rawText of texts) {
+            const text = rawText.trim();
+            if (!text) {
+                continue;
+            }
+            let providerMatch = null;
+            for (const p of allProviders) {
+                const hit = matchProvider(text, p);
+                if (debugExplore()) {
+                    progress?.debug(`explore_auth provider try id=${p.id} matched=${hit}`);
+                }
+                if (!hit) {
+                    continue;
+                }
+                if (p.source === 'built-in' && !(textLooksLikeOAuthIdpButton(text) || loginish)) {
+                    continue;
+                }
+                providerMatch = { p, gate: textLooksLikeOAuthIdpButton(text) || loginish };
+                break;
+            }
+            if (providerMatch) {
+                const { p, gate } = providerMatch;
+                const id = `oauth:${p.id}`;
+                if (consumed.has(id)) {
+                    continue;
+                }
+                consumed.add(id);
+                authPaths.push({
+                    id,
+                    label: p.label,
+                    type: 'oauth',
+                    provider: p.id,
+                    source: p.source,
+                    automatable: false,
+                    confidence: oauthConfidence(p.source, loginish || gate),
+                    requirements: storageRequirement(),
+                });
+                progress?.info(`explore_auth path id=${id} type=oauth provider=${p.id} automatable=false`);
+                continue;
+            }
+            if (isHeuristicUnknownSso(text, loginish)) {
+                const slug = slugifyLabel(text);
+                const id = `oauth-unknown:${slug}`;
+                if (consumed.has(id)) {
+                    continue;
+                }
+                consumed.add(id);
+                authPaths.push({
+                    id,
+                    label: text.slice(0, 100),
+                    type: 'oauth-unknown',
+                    provider: null,
+                    source: 'heuristic',
+                    automatable: false,
+                    confidence: 'low',
+                    requirements: storageRequirement(),
+                });
+                progress?.info(`explore_auth path id=${id} type=oauth-unknown automatable=false`);
+                const safePattern = text.slice(0, 48).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+                unrecognizedButtons.push({
+                    label: text.slice(0, 100),
+                    hint: `If this is your org SSO, register it: qulib auth providers add --id "${slug}" --label "${text.replace(/"/g, '\\"').slice(0, 80)}" --pattern "${safePattern}"`,
+                });
+            }
+        }
+        const pageText = await page.locator('body').innerText().catch(() => '');
+        if (MAGIC_LINK_PATTERNS.some((re) => re.test(pageText))) {
+            authPaths.push({
+                id: 'magic-link',
+                label: 'Magic link / passwordless',
+                type: 'magic-link',
+                provider: null,
+                source: 'heuristic',
+                automatable: false,
+                confidence: 'medium',
+                requirements: {
+                    method: 'storage-state',
+                    instruction: 'Magic-link flows need a human in the loop. Use `qulib auth init --base-url <app-url>` and complete email or provider steps in the opened browser, then reuse the saved storage state for scans.',
+                },
+            });
+            progress?.info('explore_auth path id=magic-link type=magic-link automatable=false');
+        }
+        const formPaths = await buildFormPaths(page);
+        for (const fp of formPaths) {
+            authPaths.push(fp);
+            progress?.info(`explore_auth path id=${fp.id} type=${fp.type} automatable=${fp.automatable}`);
+        }
+        const authRequired = authPaths.length > 0;
+        let authScope = 'none';
+        if (authRequired) {
+            if (loginish) {
+                authScope = 'site-wide';
+            }
+            else {
+                authScope = /login|signin|auth/i.test(new URL(finalUrl).pathname) ? 'site-wide' : 'optional';
+            }
+        }
+        const suggestedParts = [];
+        if (authPaths.some((p) => p.type === 'oauth' || p.type === 'oauth-unknown')) {
+            suggestedParts.push('For OAuth or unrecognized SSO buttons, collect a Playwright storage state with `qulib auth init` before calling `analyze_app`.');
+        }
+        if (authPaths.some((p) => p.type === 'form-login' || p.type === 'form-multi')) {
+            suggestedParts.push('For password forms, gather username/password and stable selectors (or use storage state if MFA applies).');
+        }
+        if (authPaths.some((p) => p.type === 'magic-link')) {
+            suggestedParts.push('For magic-link, use `qulib auth init` after the user completes email delivery.');
+        }
+        if (!authRequired) {
+            suggestedParts.push('No sign-in surface detected at this URL; you can run `analyze_app` without auth unless gated deeper in the app.');
+        }
+        const exploration = {
+            url: finalUrl,
+            authRequired,
+            authScope,
+            authPaths,
+            observedAt: new Date().toISOString(),
+            suggestedAgentBehavior: suggestedParts.join(' '),
+            unrecognizedButtons,
+        };
+        return AuthExplorationSchema.parse(exploration);
+    }
+    finally {
+        await browser.close();
+    }
+}

package/dist/tools/auth-surface-analyzer.d.ts

@@ -0,0 +1,4 @@
+import type { DetectedAuth } from '../schemas/config.schema.js';
+import type { Gap } from '../schemas/gap-analysis.schema.js';
+export declare function analyzeAuthSurfaceGaps(url: string, detection: DetectedAuth, timeoutMs: number): Promise<Gap[]>;
+//# sourceMappingURL=auth-surface-analyzer.d.ts.map

package/dist/tools/auth-surface-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-surface-analyzer.d.ts","sourceRoot":"","sources":["../../src/tools/auth-surface-analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,mCAAmC,CAAC;AAW7D,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,YAAY,EACvB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,GAAG,EAAE,CAAC,CAuJhB"}

package/dist/tools/auth-surface-analyzer.js

@@ -0,0 +1,154 @@
+import { randomUUID } from 'node:crypto';
+import { launchBrowser } from './browser.js';
+async function waitNetworkIdleBestEffort(page) {
+    try {
+        await page.waitForLoadState('networkidle', { timeout: 5000 });
+    }
+    catch {
+        /* best-effort */
+    }
+}
+export async function analyzeAuthSurfaceGaps(url, detection, timeoutMs) {
+    if (!detection.hasAuth) {
+        return [];
+    }
+    const gaps = [];
+    const browser = await launchBrowser();
+    try {
+        const context = await browser.newContext();
+        const page = await context.newPage();
+        const resp = await page.goto(url, { timeout: timeoutMs, waitUntil: 'domcontentloaded' }).catch(() => null);
+        if (!resp || !resp.ok()) {
+            gaps.push({
+                id: randomUUID(),
+                path: new URL(url).pathname || '/',
+                severity: 'critical',
+                category: 'auth-surface',
+                reason: 'Sign-in surface did not load successfully for evaluation.',
+                description: 'The auth entry URL failed to load or returned a non-OK status before DOM checks could run.',
+                recommendation: 'Verify DNS, TLS, and that the URL is reachable from the scan environment.',
+            });
+            return gaps;
+        }
+        await waitNetworkIdleBestEffort(page);
+        const title = await page.title().catch(() => '');
+        if (!title || title.trim().length < 3) {
+            gaps.push({
+                id: randomUUID(),
+                path: '/',
+                severity: 'medium',
+                category: 'auth-surface',
+                reason: 'Missing or trivial document title on the sign-in surface.',
+                description: 'Users and assistive tech rely on a meaningful window title.',
+                recommendation: 'Set a concise, unique <title> for the login experience.',
+            });
+        }
+        const metaDesc = await page.locator('meta[name="description"]').getAttribute('content').catch(() => null);
+        if (!metaDesc || metaDesc.trim().length < 8) {
+            gaps.push({
+                id: randomUUID(),
+                path: '/',
+                severity: 'low',
+                category: 'auth-surface',
+                reason: 'No meta description on the sign-in surface.',
+                description: 'Search and sharing previews benefit from meta description on public entry pages.',
+                recommendation: 'Add <meta name="description" content="..."> with a short summary of the product.',
+            });
+        }
+        const h1Count = await page.locator('h1').count();
+        if (h1Count === 0) {
+            gaps.push({
+                id: randomUUID(),
+                path: '/',
+                severity: 'medium',
+                category: 'auth-surface',
+                reason: 'No visible primary heading (h1) on the sign-in surface.',
+                description: 'A primary heading helps users orient on the login page.',
+                recommendation: 'Add a single descriptive <h1> for the sign-in view.',
+            });
+        }
+        const oauthButtons = page.locator('button, a[href], [role="button"]');
+        const n = await oauthButtons.count();
+        for (let i = 0; i < Math.min(n, 25); i++) {
+            const el = oauthButtons.nth(i);
+            const text = ((await el.textContent()) ?? '').trim();
+            if (!text || text.length > 120)
+                continue;
+            const isOAuthish = /google|microsoft|github|apple|sso|sign in with|log in with|continue with|oauth/i.test(text);
+            if (!isOAuthish)
+                continue;
+            const role = await el.getAttribute('role');
+            const tag = await el.evaluate((node) => node.tagName.toLowerCase());
+            const tabIndex = await el.getAttribute('tabindex');
+            const aria = await el.getAttribute('aria-label');
+            const keyboardable = tag === 'button' || tag === 'a' || role === 'button';
+            const labeled = Boolean(aria && aria.trim().length > 0) || text.length > 0;
+            if (!keyboardable || tabIndex === '-1') {
+                gaps.push({
+                    id: randomUUID(),
+                    path: '/',
+                    severity: 'high',
+                    category: 'auth-surface',
+                    reason: `OAuth control "${text.slice(0, 60)}" may not be keyboard-accessible.`,
+                    description: 'SSO entry points should be real buttons or links with focus support.',
+                    recommendation: 'Use <button> or <a href> with visible label; avoid tabindex=-1 on the only sign-in path.',
+                });
+            }
+            else if (!labeled) {
+                gaps.push({
+                    id: randomUUID(),
+                    path: '/',
+                    severity: 'medium',
+                    category: 'auth-surface',
+                    reason: `OAuth control "${text.slice(0, 60)}" lacks aria-label and has weak visible text.`,
+                    description: 'Assistive technologies need a clear accessible name for IdP buttons.',
+                    recommendation: 'Add aria-label or visible text that names the provider and action.',
+                });
+            }
+        }
+        const hasPassword = (await page.locator('input[type="password"]').count()) > 0;
+        const hasEmailLink = await page.getByText(/magic link|email.*link|passwordless/i).count();
+        const hasOAuthUi = detection.oauthButtons.length > 0 ||
+            (await page.getByText(/sign in with|continue with google|microsoft|github/i).count()) > 0;
+        if (hasOAuthUi && !hasPassword && !hasEmailLink) {
+            gaps.push({
+                id: randomUUID(),
+                path: '/',
+                severity: 'medium',
+                category: 'auth-surface',
+                reason: 'OAuth-only entry with no visible password or magic-link fallback.',
+                description: 'Users who cannot use a social IdP need another path (email/password, help, or support).',
+                recommendation: 'Add a documented fallback (email/password, help desk link, or alternate IdP).',
+            });
+        }
+        const errorSelectors = '[role="alert"], [data-testid*="error" i], .error, .alert-danger, [class*="error" i]';
+        const errCount = await page.locator(errorSelectors).count();
+        if (errCount === 0 && hasOAuthUi) {
+            gaps.push({
+                id: randomUUID(),
+                path: '/',
+                severity: 'low',
+                category: 'auth-surface',
+                reason: 'No obvious in-DOM error container found for OAuth sign-in failures.',
+                description: 'IdP failures should surface recoverable feedback in the page.',
+                recommendation: 'Reserve a live region or inline alert for OAuth errors returned from the provider.',
+            });
+        }
+        const help = await page.getByText(/forgot password|need help|contact support|get help/i).count();
+        if (help === 0 && hasOAuthUi) {
+            gaps.push({
+                id: randomUUID(),
+                path: '/',
+                severity: 'low',
+                category: 'auth-surface',
+                reason: 'No visible “forgot password” or help path detected near OAuth controls.',
+                description: 'Users locked out of an IdP need a support or recovery affordance.',
+                recommendation: 'Link to account recovery, IT help, or a support URL near the sign-in actions.',
+            });
+        }
+    }
+    finally {
+        await browser.close();
+    }
+    return gaps;
+}

package/dist/tools/cypress-explorer.d.ts

@@ -1,7 +1,8 @@
 import type { AppExplorer } from './explorer.interface.js';
 import type { HarnessConfig } from '../schemas/config.schema.js';
 import type { RouteInventory } from '../schemas/route-inventory.schema.js';
+import type { RunArtifactsOptions } from '../harness/run-options.js';
 export declare class CypressExplorer implements AppExplorer {
-    explore(baseUrl: string, config: HarnessConfig): Promise<RouteInventory>;
+    explore(_baseUrl: string, _config: HarnessConfig, _artifacts?: RunArtifactsOptions): Promise<RouteInventory>;
 }
 //# sourceMappingURL=cypress-explorer.d.ts.map

package/dist/tools/cypress-explorer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cypress-explorer.d.ts","sourceRoot":"","sources":["../../src/tools/cypress-explorer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAC;AAE3E,qBAAa,eAAgB,YAAW,WAAW;IAC3C,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;CAG/E"}
+{"version":3,"file":"cypress-explorer.d.ts","sourceRoot":"","sources":["../../src/tools/cypress-explorer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAC;AAC3E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAErE,qBAAa,eAAgB,YAAW,WAAW;IAC3C,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,UAAU,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC;CAGnH"}

package/dist/tools/cypress-explorer.js

@@ -1,5 +1,5 @@
 export class CypressExplorer {
-    async explore(baseUrl, config) {
+    async explore(_baseUrl, _config, _artifacts) {
         throw new Error('Not implemented');
     }
 }

package/dist/tools/explorer.interface.d.ts

@@ -1,6 +1,7 @@
 import type { HarnessConfig } from '../schemas/config.schema.js';
 import type { RouteInventory } from '../schemas/route-inventory.schema.js';
+import type { RunArtifactsOptions } from '../harness/run-options.js';
 export interface AppExplorer {
-    explore(baseUrl: string, config: HarnessConfig): Promise<RouteInventory>;
+    explore(baseUrl: string, config: HarnessConfig, artifacts?: RunArtifactsOptions): Promise<RouteInventory>;
 }
 //# sourceMappingURL=explorer.interface.d.ts.map

package/dist/tools/explorer.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"explorer.interface.d.ts","sourceRoot":"","sources":["../../src/tools/explorer.interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAC;AAE3E,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;CAC1E"}
+{"version":3,"file":"explorer.interface.d.ts","sourceRoot":"","sources":["../../src/tools/explorer.interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAC;AAC3E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAErE,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;CAC3G"}

package/dist/tools/gap-engine.d.ts

@@ -1,6 +1,8 @@
-import { type GapAnalysis } from '../schemas/gap-analysis.schema.js';
+import { type GapAnalysis, type Gap } from '../schemas/gap-analysis.schema.js';
 import type { RouteInventory } from '../schemas/route-inventory.schema.js';
 import type { RepoAnalysis } from '../schemas/repo-analysis.schema.js';
 import type { HarnessConfig } from '../schemas/config.schema.js';
+export declare function computeQualityScoreFromGaps(gaps: Gap[]): number;
+export declare function computeCoverageScore(routes: RouteInventory): number | null;
 export declare function analyzeGaps(routes: RouteInventory, repo: RepoAnalysis | null, mode: 'url-only' | 'url-repo', config: HarnessConfig): Omit<GapAnalysis, 'scenarios' | 'generatedTests'>;
 //# sourceMappingURL=gap-engine.d.ts.map

package/dist/tools/gap-engine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gap-engine.d.ts","sourceRoot":"","sources":["../../src/tools/gap-engine.ts"],"names":[],"mappings":"AACA,OAAO,EAAa,KAAK,WAAW,EAAY,MAAM,mCAAmC,CAAC;AAC1F,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAEjE,wBAAgB,WAAW,CACzB,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,YAAY,GAAG,IAAI,EACzB,IAAI,EAAE,UAAU,GAAG,UAAU,EAC7B,MAAM,EAAE,aAAa,GACpB,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,gBAAgB,CAAC,CA0GnD"}
+{"version":3,"file":"gap-engine.d.ts","sourceRoot":"","sources":["../../src/tools/gap-engine.ts"],"names":[],"mappings":"AACA,OAAO,EAAa,KAAK,WAAW,EAAE,KAAK,GAAG,EAAE,MAAM,mCAAmC,CAAC;AAC1F,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAEjE,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,MAAM,CAY/D;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,GAAG,IAAI,CAa1E;AAED,wBAAgB,WAAW,CACzB,MAAM,EAAE,cAAc,EACtB,IAAI,EAAE,YAAY,GAAG,IAAI,EACzB,IAAI,EAAE,UAAU,GAAG,UAAU,EAC7B,MAAM,EAAE,aAAa,GACpB,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,gBAAgB,CAAC,CAqGnD"}

package/dist/tools/gap-engine.js

@@ -1,5 +1,36 @@
 import { randomUUID } from 'node:crypto';
 import { GapSchema } from '../schemas/gap-analysis.schema.js';
+export function computeQualityScoreFromGaps(gaps) {
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    for (const g of gaps) {
+        if (g.severity === 'critical')
+            critical++;
+        else if (g.severity === 'high')
+            high++;
+        else if (g.severity === 'medium')
+            medium++;
+        else
+            low++;
+    }
+    return Math.max(0, 100 - critical * 25 - high * 20 - medium * 8 - low * 3);
+}
+export function computeCoverageScore(routes) {
+    const scanned = routes.routes.length;
+    const skipped = routes.pagesSkipped;
+    const denom = scanned + skipped;
+    // TODO: return null here once the explorer exposes an explicit "discovered-but-unknown" signal
+    //       (i.e. routes were found but the full set couldn't be confirmed — a low score is misleading)
+    if (denom === 0) {
+        if (routes.budgetExceeded) {
+            return 0;
+        }
+        return scanned === 0 ? 0 : 100;
+    }
+    return Math.round((100 * scanned) / denom);
+}
 export function analyzeGaps(routes, repo, mode, config) {
     const coveredPaths = new Set();
     if (repo) {
@@ -57,11 +88,13 @@ export function analyzeGaps(routes, repo, mode, config) {
         }
         for (const violation of route.a11yViolations) {
             const impact = violation.impact.toLowerCase();
-            const severity = impact === 'critical' || impact === 'serious'
-                ? 'high'
-                : impact === 'moderate'
-                    ? 'medium'
-                    : 'low';
+            const severity = impact === 'critical'
+                ? 'critical'
+                : impact === 'serious'
+                    ? 'high'
+                    : impact === 'moderate'
+                        ? 'medium'
+                        : 'low';
             addGap({
                 id: randomUUID(),
                 path: route.path,
@@ -71,14 +104,8 @@ export function analyzeGaps(routes, repo, mode, config) {
             });
         }
     }
-    const highCount = gaps.filter((g) => g.severity === 'high').length;
-    const mediumCount = gaps.filter((g) => g.severity === 'medium').length;
-    const lowCount = gaps.filter((g) => g.severity === 'low').length;
-    let releaseConfidence = Math.max(0, 100 - highCount * 20 - mediumCount * 8 - lowCount * 3);
+    const releaseConfidence = computeQualityScoreFromGaps(gaps);
     const pagesScanned = routes.routes.length;
-    if (pagesScanned < config.minPagesForConfidence) {
-        releaseConfidence = Math.min(releaseConfidence, 40);
-    }
     let coverageWarning;
     if (routes.budgetExceeded) {
         coverageWarning = 'budget-exceeded';

package/dist/tools/oauth-providers.d.ts

@@ -0,0 +1,7 @@
+export interface OAuthProvider {
+    id: string;
+    label: string;
+    patterns: RegExp[];
+}
+export declare const BUILT_IN_OAUTH_PROVIDERS: OAuthProvider[];
+//# sourceMappingURL=oauth-providers.d.ts.map

package/dist/tools/oauth-providers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-providers.d.ts","sourceRoot":"","sources":["../../src/tools/oauth-providers.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,eAAO,MAAM,wBAAwB,EAAE,aAAa,EAsBnD,CAAC"}