@qulib/core 0.3.1 → 0.4.1

package/dist/schemas/repo-analysis.schema.d.ts

@@ -1,4 +1,25 @@
 import { z } from 'zod';
+export declare const DetectedFrameworkPrimarySchema: z.ZodEnum<["nextjs-app-router", "nextjs-pages-router", "express", "remix", "nuxt", "sveltekit", "astro", "vite", "unknown"]>;
+export declare const FrameworkDetectionConfidenceSchema: z.ZodEnum<["high", "medium", "low"]>;
+export declare const TestFrameworkDetectedSchema: z.ZodEnum<["playwright", "cypress-e2e", "cypress-component", "jest", "vitest", "other"]>;
+export declare const FrameworkDetectionSchema: z.ZodObject<{
+    primary: z.ZodEnum<["nextjs-app-router", "nextjs-pages-router", "express", "remix", "nuxt", "sveltekit", "astro", "vite", "unknown"]>;
+    confidence: z.ZodEnum<["high", "medium", "low"]>;
+    evidence: z.ZodArray<z.ZodString, "many">;
+    testFrameworks: z.ZodArray<z.ZodEnum<["playwright", "cypress-e2e", "cypress-component", "jest", "vitest", "other"]>, "many">;
+}, "strip", z.ZodTypeAny, {
+    confidence: "high" | "medium" | "low";
+    evidence: string[];
+    primary: "unknown" | "nextjs-app-router" | "nextjs-pages-router" | "express" | "remix" | "nuxt" | "sveltekit" | "astro" | "vite";
+    testFrameworks: ("playwright" | "cypress-e2e" | "cypress-component" | "jest" | "vitest" | "other")[];
+}, {
+    confidence: "high" | "medium" | "low";
+    evidence: string[];
+    primary: "unknown" | "nextjs-app-router" | "nextjs-pages-router" | "express" | "remix" | "nuxt" | "sveltekit" | "astro" | "vite";
+    testFrameworks: ("playwright" | "cypress-e2e" | "cypress-component" | "jest" | "vitest" | "other")[];
+}>;
+export type DetectedFrameworkPrimary = z.infer<typeof DetectedFrameworkPrimarySchema>;
+export type FrameworkDetectionResult = z.infer<typeof FrameworkDetectionSchema>;
 export declare const RepoRouteSchema: z.ZodObject<{
     path: z.ZodString;
     file: z.ZodString;
@@ -111,6 +132,77 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
         fixturesFolder?: string | undefined;
         supportFolder?: string | undefined;
     }>;
+    framework: z.ZodOptional<z.ZodObject<{
+        primary: z.ZodEnum<["nextjs-app-router", "nextjs-pages-router", "express", "remix", "nuxt", "sveltekit", "astro", "vite", "unknown"]>;
+        confidence: z.ZodEnum<["high", "medium", "low"]>;
+        evidence: z.ZodArray<z.ZodString, "many">;
+        testFrameworks: z.ZodArray<z.ZodEnum<["playwright", "cypress-e2e", "cypress-component", "jest", "vitest", "other"]>, "many">;
+    }, "strip", z.ZodTypeAny, {
+        confidence: "high" | "medium" | "low";
+        evidence: string[];
+        primary: "unknown" | "nextjs-app-router" | "nextjs-pages-router" | "express" | "remix" | "nuxt" | "sveltekit" | "astro" | "vite";
+        testFrameworks: ("playwright" | "cypress-e2e" | "cypress-component" | "jest" | "vitest" | "other")[];
+    }, {
+        confidence: "high" | "medium" | "low";
+        evidence: string[];
+        primary: "unknown" | "nextjs-app-router" | "nextjs-pages-router" | "express" | "remix" | "nuxt" | "sveltekit" | "astro" | "vite";
+        testFrameworks: ("playwright" | "cypress-e2e" | "cypress-component" | "jest" | "vitest" | "other")[];
+    }>>;
+    automationMaturity: z.ZodOptional<z.ZodObject<{
+        computedAt: z.ZodString;
+        repoPath: z.ZodString;
+        overallScore: z.ZodNumber;
+        level: z.ZodNumber;
+        label: z.ZodString;
+        dimensions: z.ZodArray<z.ZodObject<{
+            dimension: z.ZodEnum<["test-coverage-breadth", "framework-adoption", "test-id-hygiene", "ci-integration", "auth-test-coverage", "component-test-ratio"]>;
+            score: z.ZodNumber;
+            weight: z.ZodNumber;
+            evidence: z.ZodArray<z.ZodString, "many">;
+            recommendations: z.ZodArray<z.ZodString, "many">;
+        }, "strip", z.ZodTypeAny, {
+            recommendations: string[];
+            dimension: "test-coverage-breadth" | "framework-adoption" | "test-id-hygiene" | "ci-integration" | "auth-test-coverage" | "component-test-ratio";
+            score: number;
+            weight: number;
+            evidence: string[];
+        }, {
+            recommendations: string[];
+            dimension: "test-coverage-breadth" | "framework-adoption" | "test-id-hygiene" | "ci-integration" | "auth-test-coverage" | "component-test-ratio";
+            score: number;
+            weight: number;
+            evidence: string[];
+        }>, "many">;
+        topRecommendations: z.ZodArray<z.ZodString, "many">;
+    }, "strip", z.ZodTypeAny, {
+        label: string;
+        level: number;
+        computedAt: string;
+        repoPath: string;
+        overallScore: number;
+        dimensions: {
+            recommendations: string[];
+            dimension: "test-coverage-breadth" | "framework-adoption" | "test-id-hygiene" | "ci-integration" | "auth-test-coverage" | "component-test-ratio";
+            score: number;
+            weight: number;
+            evidence: string[];
+        }[];
+        topRecommendations: string[];
+    }, {
+        label: string;
+        level: number;
+        computedAt: string;
+        repoPath: string;
+        overallScore: number;
+        dimensions: {
+            recommendations: string[];
+            dimension: "test-coverage-breadth" | "framework-adoption" | "test-id-hygiene" | "ci-integration" | "auth-test-coverage" | "component-test-ratio";
+            score: number;
+            weight: number;
+            evidence: string[];
+        }[];
+        topRecommendations: string[];
+    }>>;
 }, "strip", z.ZodTypeAny, {
     scannedAt: string;
     routes: {
@@ -135,6 +227,27 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
         fixturesFolder?: string | undefined;
         supportFolder?: string | undefined;
     };
+    framework?: {
+        confidence: "high" | "medium" | "low";
+        evidence: string[];
+        primary: "unknown" | "nextjs-app-router" | "nextjs-pages-router" | "express" | "remix" | "nuxt" | "sveltekit" | "astro" | "vite";
+        testFrameworks: ("playwright" | "cypress-e2e" | "cypress-component" | "jest" | "vitest" | "other")[];
+    } | undefined;
+    automationMaturity?: {
+        label: string;
+        level: number;
+        computedAt: string;
+        repoPath: string;
+        overallScore: number;
+        dimensions: {
+            recommendations: string[];
+            dimension: "test-coverage-breadth" | "framework-adoption" | "test-id-hygiene" | "ci-integration" | "auth-test-coverage" | "component-test-ratio";
+            score: number;
+            weight: number;
+            evidence: string[];
+        }[];
+        topRecommendations: string[];
+    } | undefined;
 }, {
     scannedAt: string;
     routes: {
@@ -159,6 +272,27 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
         fixturesFolder?: string | undefined;
         supportFolder?: string | undefined;
     };
+    framework?: {
+        confidence: "high" | "medium" | "low";
+        evidence: string[];
+        primary: "unknown" | "nextjs-app-router" | "nextjs-pages-router" | "express" | "remix" | "nuxt" | "sveltekit" | "astro" | "vite";
+        testFrameworks: ("playwright" | "cypress-e2e" | "cypress-component" | "jest" | "vitest" | "other")[];
+    } | undefined;
+    automationMaturity?: {
+        label: string;
+        level: number;
+        computedAt: string;
+        repoPath: string;
+        overallScore: number;
+        dimensions: {
+            recommendations: string[];
+            dimension: "test-coverage-breadth" | "framework-adoption" | "test-id-hygiene" | "ci-integration" | "auth-test-coverage" | "component-test-ratio";
+            score: number;
+            weight: number;
+            evidence: string[];
+        }[];
+        topRecommendations: string[];
+    } | undefined;
 }>;
 export type RepoAnalysis = z.infer<typeof RepoAnalysisSchema>;
 export type CypressStructure = z.infer<typeof CypressStructureSchema>;

package/dist/schemas/repo-analysis.schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"repo-analysis.schema.d.ts","sourceRoot":"","sources":["../../src/schemas/repo-analysis.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,eAAe;;;;;;;;;;;;EAI1B,CAAC;AAEH,eAAO,MAAM,cAAc;;;;;;;;;;;;EAIzB,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;EASjC,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAO7B,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}
+{"version":3,"file":"repo-analysis.schema.d.ts","sourceRoot":"","sources":["../../src/schemas/repo-analysis.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,eAAO,MAAM,8BAA8B,8HAUzC,CAAC;AAEH,eAAO,MAAM,kCAAkC,sCAAoC,CAAC;AAEpF,eAAO,MAAM,2BAA2B,0FAOtC,CAAC;AAEH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;EAKnC,CAAC;AAEH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,eAAO,MAAM,eAAe;;;;;;;;;;;;EAI1B,CAAC;AAEH,eAAO,MAAM,cAAc;;;;;;;;;;;;EAIzB,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;EASjC,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAS7B,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}

package/dist/schemas/repo-analysis.schema.js

@@ -1,4 +1,31 @@
 import { z } from 'zod';
+import { AutomationMaturitySchema } from './automation-maturity.schema.js';
+export const DetectedFrameworkPrimarySchema = z.enum([
+    'nextjs-app-router',
+    'nextjs-pages-router',
+    'express',
+    'remix',
+    'nuxt',
+    'sveltekit',
+    'astro',
+    'vite',
+    'unknown',
+]);
+export const FrameworkDetectionConfidenceSchema = z.enum(['high', 'medium', 'low']);
+export const TestFrameworkDetectedSchema = z.enum([
+    'playwright',
+    'cypress-e2e',
+    'cypress-component',
+    'jest',
+    'vitest',
+    'other',
+]);
+export const FrameworkDetectionSchema = z.object({
+    primary: DetectedFrameworkPrimarySchema,
+    confidence: FrameworkDetectionConfidenceSchema,
+    evidence: z.array(z.string()),
+    testFrameworks: z.array(TestFrameworkDetectedSchema),
+});
 export const RepoRouteSchema = z.object({
     path: z.string(),
     file: z.string(),
@@ -26,4 +53,6 @@ export const RepoAnalysisSchema = z.object({
     testFiles: z.array(TestFileSchema),
     missingTestIds: z.array(z.string()),
     cypressStructure: CypressStructureSchema,
+    framework: FrameworkDetectionSchema.optional(),
+    automationMaturity: AutomationMaturitySchema.optional(),
 });

package/dist/telemetry/emit.d.ts

@@ -0,0 +1,3 @@
+import type { TelemetryEvent, TelemetryEventKind, TelemetrySink } from './telemetry.interface.js';
+export declare function emitTelemetry(sink: TelemetrySink | undefined, kind: TelemetryEventKind, sessionId: string, metadata: TelemetryEvent['metadata'], durationMs?: number): void;
+//# sourceMappingURL=emit.d.ts.map

package/dist/telemetry/emit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"emit.d.ts","sourceRoot":"","sources":["../../src/telemetry/emit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAElG,wBAAgB,aAAa,CAC3B,IAAI,EAAE,aAAa,GAAG,SAAS,EAC/B,IAAI,EAAE,kBAAkB,EACxB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,EACpC,UAAU,CAAC,EAAE,MAAM,GAClB,IAAI,CASN"}

package/dist/telemetry/emit.js

@@ -0,0 +1,11 @@
+export function emitTelemetry(sink, kind, sessionId, metadata, durationMs) {
+    if (!sink)
+        return;
+    sink.emit({
+        kind,
+        timestamp: new Date().toISOString(),
+        sessionId,
+        metadata,
+        ...(durationMs !== undefined && { durationMs }),
+    });
+}

package/dist/telemetry/telemetry.interface.d.ts

@@ -0,0 +1,13 @@
+export type TelemetryEventKind = 'scan.started' | 'scan.completed' | 'scan.blocked' | 'phase.observe.started' | 'phase.observe.completed' | 'phase.think.started' | 'phase.think.completed' | 'phase.act.started' | 'phase.act.completed' | 'llm.call.started' | 'llm.call.completed' | 'llm.call.failed' | 'gap.detected' | 'auth.detected' | 'repo.scanned';
+export interface TelemetryEvent {
+    kind: TelemetryEventKind;
+    timestamp: string;
+    sessionId: string;
+    durationMs?: number;
+    metadata: Record<string, string | number | boolean | null>;
+}
+export interface TelemetrySink {
+    emit(event: TelemetryEvent): void;
+}
+export declare const NoopTelemetrySink: TelemetrySink;
+//# sourceMappingURL=telemetry.interface.d.ts.map

package/dist/telemetry/telemetry.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"telemetry.interface.d.ts","sourceRoot":"","sources":["../../src/telemetry/telemetry.interface.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,kBAAkB,GAC1B,cAAc,GACd,gBAAgB,GAChB,cAAc,GACd,uBAAuB,GACvB,yBAAyB,GACzB,qBAAqB,GACrB,uBAAuB,GACvB,mBAAmB,GACnB,qBAAqB,GACrB,kBAAkB,GAClB,oBAAoB,GACpB,iBAAiB,GACjB,cAAc,GACd,eAAe,GACf,cAAc,CAAC;AAEnB,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,CAAC,KAAK,EAAE,cAAc,GAAG,IAAI,CAAC;CACnC;AAED,eAAO,MAAM,iBAAiB,EAAE,aAE/B,CAAC"}

package/dist/telemetry/telemetry.interface.js

@@ -0,0 +1,3 @@
+export const NoopTelemetrySink = {
+    emit: () => { },
+};

package/dist/tools/auth-detector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-detector.d.ts","sourceRoot":"","sources":["../../src/tools/auth-detector.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAgEtE,wBAAsB,UAAU,CAC9B,GAAG,EAAE,MAAM,EACX,SAAS,SAAQ,EACjB,QAAQ,CAAC,EAAE,mBAAmB,GAC7B,OAAO,CAAC,YAAY,CAAC,CA8HvB"}
+{"version":3,"file":"auth-detector.d.ts","sourceRoot":"","sources":["../../src/tools/auth-detector.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAY,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC1E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAsPtE,wBAAsB,UAAU,CAC9B,GAAG,EAAE,MAAM,EACX,SAAS,SAAQ,EACjB,QAAQ,CAAC,EAAE,mBAAmB,GAC7B,OAAO,CAAC,YAAY,CAAC,CAkJvB"}

package/dist/tools/auth-detector.js

@@ -1,4 +1,5 @@
 import { launchBrowser } from './browser.js';
+import { BUILT_IN_OAUTH_PROVIDERS } from './oauth-providers.js';
 async function waitNetworkIdleBestEffort(page) {
     try {
         await page.waitForLoadState('networkidle', { timeout: 5000 });
@@ -7,27 +8,20 @@ async function waitNetworkIdleBestEffort(page) {
         // best-effort — analytics or polling can prevent networkidle
     }
 }
-const OAUTH_PROVIDERS = [
-    { provider: 'github', patterns: [/github/i, /sign in with github/i] },
-    {
-        provider: 'google',
-        patterns: [/google/i, /sign in with google/i, /accounts\.google\.com/i],
-    },
-    {
-        provider: 'microsoft',
-        patterns: [/microsoft/i, /sign in with microsoft/i, /login\.microsoftonline\.com/i],
-    },
-    { provider: 'apple', patterns: [/apple/i, /sign in with apple/i] },
-    { provider: 'auth0', patterns: [/auth0/i] },
-    { provider: 'okta', patterns: [/okta/i] },
-];
+const PROVIDER_LABELS = new Set(BUILT_IN_OAUTH_PROVIDERS.map((p) => p.label.toLowerCase()));
 function textLooksLikeOAuthIdpButton(text) {
     const t = text.trim();
     if (t.length === 0 || t.length > 120) {
         return false;
     }
-    return (/\b(sign in with|log in with|continue with|sign up with)\b/i.test(t) ||
-        /^(github|google|microsoft|apple)$/i.test(t));
+    if (/\b(sign in with|log in with|continue with|sign up with)\b/i.test(t)) {
+        return true;
+    }
+    // Accept single-word / short labels that exactly match a known provider name
+    if (PROVIDER_LABELS.has(t.toLowerCase())) {
+        return true;
+    }
+    return false;
 }
 const MAGIC_LINK_PATTERNS = [
     /email me a (sign[- ]?in )?link/i,
@@ -53,6 +47,177 @@ async function firstTextInputNameForLogin(page) {
 function debugAuth() {
     return process.env.QULIB_DEBUG === '1';
 }
+function slugify(label) {
+    const s = label
+        .toLowerCase()
+        .replace(/\s+/g, '-')
+        .replace(/[^a-z0-9-]+/g, '')
+        .replace(/^-+|-+$/g, '');
+    return s.length > 0 ? s : 'custom';
+}
+function escapeRegExp(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+async function resolveVisibleFieldLabel(page, el) {
+    const id = await el.getAttribute('id');
+    if (id) {
+        const lt = await page.locator(`label[for="${id.replace(/"/g, '\\"')}"]`).first().textContent().catch(() => null);
+        const fromLabel = (lt ?? '').trim();
+        if (fromLabel)
+            return fromLabel;
+    }
+    const placeholder = (await el.getAttribute('placeholder'))?.trim();
+    if (placeholder)
+        return placeholder;
+    const aria = (await el.getAttribute('aria-label'))?.trim();
+    if (aria)
+        return aria;
+    const name = (await el.getAttribute('name'))?.trim();
+    if (name)
+        return name;
+    const typ = (await el.getAttribute('type'))?.trim();
+    return typ && typ !== 'select' ? typ : 'text';
+}
+async function deriveCredentialFieldName(el) {
+    const name = (await el.getAttribute('name'))?.trim();
+    if (name)
+        return name;
+    const placeholder = (await el.getAttribute('placeholder'))?.trim();
+    if (placeholder)
+        return slugify(placeholder);
+    const aria = (await el.getAttribute('aria-label'))?.trim();
+    if (aria)
+        return slugify(aria);
+    const id = (await el.getAttribute('id'))?.trim();
+    if (id)
+        return slugify(id);
+    return 'field';
+}
+async function buildCredentialFieldsFromVisibleForm(page) {
+    const fields = [];
+    const seen = new Set();
+    const loc = page.locator('input[type="text"]:visible, input[type="email"]:visible, input[type="password"]:visible, select:visible');
+    const count = await loc.count();
+    for (let i = 0; i < count; i++) {
+        const el = loc.nth(i);
+        const tag = await el.evaluate((node) => node.tagName.toLowerCase()).catch(() => '');
+        if (tag === 'select') {
+            const name = await deriveCredentialFieldName(el);
+            const label = await resolveVisibleFieldLabel(page, el);
+            const opts = await el.locator('option').allInnerTexts();
+            const observedOptions = opts.map((o) => o.trim()).filter((x) => x.length > 0).slice(0, 20);
+            const dedupeKey = `select|${name}|${label}`;
+            if (seen.has(dedupeKey))
+                continue;
+            seen.add(dedupeKey);
+            fields.push({ name, label, type: 'select', observedOptions });
+            continue;
+        }
+        const rawType = ((await el.getAttribute('type')) ?? 'text').toLowerCase();
+        if (rawType === 'hidden')
+            continue;
+        const fieldType = rawType === 'email' ? 'email' : rawType === 'password' ? 'password' : 'text';
+        const name = await deriveCredentialFieldName(el);
+        const label = await resolveVisibleFieldLabel(page, el);
+        const placeholder = (await el.getAttribute('placeholder'))?.trim() ?? '';
+        const dedupeKey = `${name}|${placeholder}`;
+        if (seen.has(dedupeKey))
+            continue;
+        seen.add(dedupeKey);
+        fields.push({ name, label, type: fieldType, observedOptions: [] });
+    }
+    return fields;
+}
+function authPathsFromOauthButtons(oauthButtons, loginUrl) {
+    return oauthButtons.map((b) => {
+        const isUnknown = b.provider === 'unknown';
+        const id = isUnknown ? slugify(b.text) : b.provider;
+        return {
+            id,
+            label: b.text,
+            type: isUnknown ? 'oauth-unknown' : 'oauth',
+            provider: isUnknown ? slugify(b.text) : b.provider,
+            source: isUnknown ? 'heuristic' : 'built-in',
+            automatable: false,
+            confidence: isUnknown ? 'low' : 'high',
+            requirements: {
+                method: 'storage-state',
+                instruction: `Run qulib auth init --base-url ${loginUrl}`,
+            },
+        };
+    });
+}
+async function probeClickToRevealForms(page, loginUrl, alreadyMatchedTexts, timeoutMs, progress) {
+    const out = [];
+    const buttons = page.locator('button');
+    const n = await buttons.count();
+    const seenLabels = new Set();
+    const SUBMIT_RE = /^(sign in|log in|submit|continue|next|cancel|close)$/i;
+    let candidateAttempts = 0;
+    for (let i = 0; i < n && candidateAttempts < 4; i++) {
+        const label = ((await buttons.nth(i).textContent()) ?? '').trim();
+        if (!label || label.length > 80)
+            continue;
+        if (alreadyMatchedTexts.has(label))
+            continue;
+        if (SUBMIT_RE.test(label))
+            continue;
+        if (seenLabels.has(label))
+            continue;
+        seenLabels.add(label);
+        candidateAttempts += 1;
+        if (debugAuth()) {
+            progress?.debug(`detect_auth click-reveal try label="${label.slice(0, 80)}"`);
+        }
+        let clicked = false;
+        try {
+            await page.getByRole('button', { name: label, exact: true }).first().click({ timeout: 2000 });
+            clicked = true;
+        }
+        catch {
+            try {
+                await page
+                    .locator('button')
+                    .filter({ hasText: new RegExp(`^\\s*${escapeRegExp(label)}\\s*$`, 'i') })
+                    .first()
+                    .click({ timeout: 2000 });
+                clicked = true;
+            }
+            catch {
+                /* skip */
+            }
+        }
+        if (!clicked) {
+            continue;
+        }
+        try {
+            await page.locator('input[type="password"]').first().waitFor({ state: 'visible', timeout: 2000 });
+        }
+        catch {
+            await page.goto(loginUrl, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
+            await waitNetworkIdleBestEffort(page);
+            continue;
+        }
+        const fields = await buildCredentialFieldsFromVisibleForm(page);
+        const slug = slugify(label);
+        out.push({
+            id: slug,
+            label,
+            type: 'form-login',
+            provider: slug,
+            source: 'heuristic',
+            automatable: true,
+            confidence: 'medium',
+            requirements: {
+                method: 'credentials',
+                fields,
+            },
+        });
+        await page.goto(loginUrl, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
+        await waitNetworkIdleBestEffort(page);
+    }
+    return out;
+}
 export async function detectAuth(url, timeoutMs = 15000, progress) {
     const browser = await launchBrowser();
     try {
@@ -96,18 +261,27 @@ export async function detectAuth(url, timeoutMs = 15000, progress) {
                 }
                 continue;
             }
-            for (const { provider, patterns } of OAUTH_PROVIDERS) {
+            let matchedAny = false;
+            for (const { id, patterns } of BUILT_IN_OAUTH_PROVIDERS) {
                 const matched = patterns.some((p) => p.test(trimmed));
                 if (debugAuth()) {
-                    progress?.debug(`detect_auth oauth pattern try provider=${provider} matched=${matched}`);
+                    progress?.debug(`detect_auth oauth pattern try provider=${id} matched=${matched}`);
                 }
                 if (matched) {
-                    if (!oauthButtons.find((b) => b.provider === provider)) {
-                        oauthButtons.push({ provider, text: trimmed.slice(0, 100) });
+                    if (!oauthButtons.find((b) => b.provider === id)) {
+                        oauthButtons.push({ provider: id, text: trimmed.slice(0, 100) });
                     }
+                    matchedAny = true;
                 }
             }
+            // Capture unrecognized SSO-like buttons so they appear in the result
+            if (!matchedAny && !oauthButtons.find((b) => b.text === trimmed.slice(0, 100))) {
+                oauthButtons.push({ provider: 'unknown', text: trimmed.slice(0, 100) });
+            }
         }
+        // Only skip buttons already tied to a built-in IdP — leave `unknown` labels probe-able for click-to-reveal forms.
+        const skipProbeLabels = new Set(oauthButtons.filter((b) => b.provider !== 'unknown').map((b) => b.text.trim()));
+        const clickRevealForms = await probeClickToRevealForms(page, loginUrl, skipProbeLabels, timeoutMs, progress);
         const pageText = await page.locator('body').innerText().catch(() => '');
         const hasMagicLink = MAGIC_LINK_PATTERNS.some((p) => p.test(pageText));
         let type = 'none';
@@ -117,7 +291,7 @@ export async function detectAuth(url, timeoutMs = 15000, progress) {
         if (oauthButtons.length > 0) {
             type = 'oauth';
             provider = oauthButtons[0].provider;
-            recommendation = `OAuth detected (${oauthButtons.map((b) => b.provider).join(', ')}). OAuth cannot be automated. Run "qulib auth init --base-url ${url}" to log in manually once and save a reusable storage state file.`;
+            recommendation = `OAuth detected (${oauthButtons.map((b) => b.provider).join(', ')}). OAuth cannot be automated. Run "qulib auth init --base-url ${loginUrl}" to log in manually once and save a reusable storage state file.`;
         }
         else if (hasFormLogin) {
             type = 'form-login';
@@ -140,26 +314,31 @@ export async function detectAuth(url, timeoutMs = 15000, progress) {
         }
         else if (hasMagicLink) {
             type = 'magic-link';
-            recommendation = `Magic link / passwordless auth detected. Qulib cannot complete email-link flows. Run "qulib auth init --base-url ${url}" to log in manually once and save a storage state file.`;
+            recommendation = `Magic link / passwordless auth detected. Qulib cannot complete email-link flows. Run "qulib auth init --base-url ${loginUrl}" to log in manually once and save a storage state file.`;
         }
         else if (looksLikeLoginPage) {
             type = 'unknown';
-            recommendation = `Authentication required but the pattern is unrecognized. Use "qulib auth init --base-url ${url}" to capture a storage state by logging in manually.`;
+            recommendation = `Authentication required but the pattern is unrecognized. Use "qulib auth init --base-url ${loginUrl}" to capture a storage state by logging in manually.`;
         }
         else {
             type = 'none';
             recommendation = `No authentication required for the entry URL. Qulib can scan anonymously.`;
         }
+        if (clickRevealForms.length > 0) {
+            recommendation += `\nAutomatable form login detected via: ${clickRevealForms.map((f) => f.label).join(', ')}. Use type="form-login" with the observed selectors in authOptions.`;
+        }
         const providerList = oauthButtons.length > 0 ? oauthButtons.map((b) => b.provider).join(', ') : provider ?? 'none';
-        const automatable = type === 'form-login';
+        const automatable = type === 'form-login' || clickRevealForms.length > 0;
         progress?.info(`Auth detected: ${type} (${providerList}) automatable=${automatable}`);
+        const authOptions = [...authPathsFromOauthButtons(oauthButtons, loginUrl), ...clickRevealForms];
         return {
-            hasAuth: type !== 'none',
+            hasAuth: type !== 'none' || oauthButtons.length > 0 || clickRevealForms.length > 0,
             type,
             provider,
-            loginUrl: type === 'none' ? null : loginUrl,
+            loginUrl: type === 'none' && oauthButtons.length === 0 && clickRevealForms.length === 0 ? null : loginUrl,
             observedSelectors,
             oauthButtons,
+            ...(authOptions.length > 0 ? { authOptions } : {}),
             recommendation,
         };
     }

package/dist/tools/auth-surface-analyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-surface-analyzer.d.ts","sourceRoot":"","sources":["../../src/tools/auth-surface-analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,mCAAmC,CAAC;AAW7D,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,YAAY,EACvB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,GAAG,EAAE,CAAC,CAuJhB"}
+{"version":3,"file":"auth-surface-analyzer.d.ts","sourceRoot":"","sources":["../../src/tools/auth-surface-analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,mCAAmC,CAAC;AAW7D,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,YAAY,EACvB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,GAAG,EAAE,CAAC,CAwKhB"}

package/dist/tools/auth-surface-analyzer.js

@@ -110,16 +110,32 @@ export async function analyzeAuthSurfaceGaps(url, detection, timeoutMs) {
         const hasEmailLink = await page.getByText(/magic link|email.*link|passwordless/i).count();
         const hasOAuthUi = detection.oauthButtons.length > 0 ||
             (await page.getByText(/sign in with|continue with google|microsoft|github/i).count()) > 0;
-        if (hasOAuthUi && !hasPassword && !hasEmailLink) {
-            gaps.push({
-                id: randomUUID(),
-                path: '/',
-                severity: 'medium',
-                category: 'auth-surface',
-                reason: 'OAuth-only entry with no visible password or magic-link fallback.',
-                description: 'Users who cannot use a social IdP need another path (email/password, help, or support).',
-                recommendation: 'Add a documented fallback (email/password, help desk link, or alternate IdP).',
-            });
+        const formLoginFallbacks = (detection.authOptions ?? []).filter((o) => o.type === 'form-login');
+        const hasFormLoginFallback = formLoginFallbacks.length > 0;
+        if (detection.type === 'oauth' && hasOAuthUi && !hasPassword && !hasEmailLink) {
+            if (hasFormLoginFallback) {
+                const labels = formLoginFallbacks.map((o) => o.label).join(', ');
+                gaps.push({
+                    id: randomUUID(),
+                    path: '/',
+                    severity: 'low',
+                    category: 'auth-surface',
+                    reason: `OAuth-primary login with form-login fallback detected via: ${labels}`,
+                    description: 'A form-based login path exists alongside OAuth. Automate via type="form-login" using the selectors in authOptions.',
+                    recommendation: `Automatable form option(s): ${labels}. Configure type="form-login" with credentials and selectors from detectedAuth.authOptions.`,
+                });
+            }
+            else {
+                gaps.push({
+                    id: randomUUID(),
+                    path: '/',
+                    severity: 'medium',
+                    category: 'auth-surface',
+                    reason: 'OAuth-only entry with no visible password or magic-link fallback.',
+                    description: 'Users who cannot use a social IdP need another path (email/password, help, or support).',
+                    recommendation: 'Add a documented fallback (email/password, help desk link, or alternate IdP).',
+                });
+            }
         }
         const errorSelectors = '[role="alert"], [data-testid*="error" i], .error, .alert-danger, [class*="error" i]';
         const errCount = await page.locator(errorSelectors).count();

package/dist/tools/automation-maturity.d.ts

@@ -0,0 +1,4 @@
+import type { RepoAnalysis } from '../schemas/repo-analysis.schema.js';
+import type { AutomationMaturity } from '../schemas/automation-maturity.schema.js';
+export declare function computeAutomationMaturity(repo: RepoAnalysis): AutomationMaturity;
+//# sourceMappingURL=automation-maturity.d.ts.map

package/dist/tools/automation-maturity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"automation-maturity.d.ts","sourceRoot":"","sources":["../../src/tools/automation-maturity.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,KAAK,EAAE,kBAAkB,EAA+B,MAAM,0CAA0C,CAAC;AAiDhH,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,YAAY,GAAG,kBAAkB,CA6HhF"}