@qulib/core 0.4.1 → 0.4.2

package/dist/schemas/index.d.ts

@@ -4,6 +4,6 @@ export { RouteInventorySchema, RouteSchema, A11yViolationSchema, BrokenLinkSchem
 export { GapAnalysisSchema, GapSchema, NeutralScenarioSchema, GeneratedTestSchema, TestStepSchema, FrameworkRecommendationSchema, type GapAnalysis, type Gap, type NeutralScenario, type GeneratedTest, type TestStep, type FrameworkRecommendation, } from './gap-analysis.schema.js';
 export { CostIntelligenceSchema, LlmUsageRecordSchema, LlmDataQualitySchema, LlmOperationTypeSchema, RepeatedAiPatternSchema, DeterministicMaturitySchema, type CostIntelligence, type LlmUsageRecord, type LlmDataQuality, type LlmOperationType, type RepeatedAiPattern, type DeterministicMaturity, } from './cost-intelligence.schema.js';
 export { RepoAnalysisSchema, FrameworkDetectionSchema, DetectedFrameworkPrimarySchema, FrameworkDetectionConfidenceSchema, TestFrameworkDetectedSchema, type RepoAnalysis, type FrameworkDetectionResult, type DetectedFrameworkPrimary, } from './repo-analysis.schema.js';
-export { AutomationMaturitySchema, AutomationMaturityDimensionSchema, type AutomationMaturity, type AutomationMaturityDimension, } from './automation-maturity.schema.js';
+export { AutomationMaturitySchema, AutomationMaturityDimensionSchema, AutomationMaturityApplicabilitySchema, type AutomationMaturity, type AutomationMaturityDimension, type AutomationMaturityApplicability, } from './automation-maturity.schema.js';
 export { PublicSurfaceSchema, PublicSurfaceViolationSchema, PublicSurfaceBrokenLinkSchema, type PublicSurface, type PublicSurfaceViolation, type PublicSurfaceBrokenLink, } from './public-surface.schema.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/schemas/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/schemas/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,gCAAgC,EAChC,gBAAgB,EAChB,kBAAkB,EAClB,0BAA0B,EAC1B,cAAc,EACd,qBAAqB,EACrB,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,UAAU,EACf,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,KAAK,eAAe,GACrB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,sBAAsB,EACtB,KAAK,gBAAgB,GACtB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,oBAAoB,EACpB,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,KAAK,GACX,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,iBAAiB,EACjB,SAAS,EACT,qBAAqB,EACrB,mBAAmB,EACnB,cAAc,EACd,6BAA6B,EAC7B,KAAK,WAAW,EAChB,KAAK,GAAG,EACR,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,KAAK,uBAAuB,GAC7B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,2BAA2B,EAC3B,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,GAC3B,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,kBAAkB,EAClB,wBAAwB,EACxB,8BAA8B,EAC9B,kCAAkC,EAClC,2BAA2B,EAC3B,KAAK,YAAY,EACjB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,GAC9B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,wBAAwB,EACxB,iCAAiC,EACjC,KAAK,kBAAkB,EACvB,KAAK,2BAA2B,GACjC,MAAM,iCAAiC,CAAC;AACzC,OAAO,EACL,mBAAmB,EACnB,4BAA4B,EAC5B,6BAA6B,EAC7B,KAAK,aAAa,EAClB,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,GAC7B,MAAM,4BAA4B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/schemas/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,gCAAgC,EAChC,gBAAgB,EAChB,kBAAkB,EAClB,0BAA0B,EAC1B,cAAc,EACd,qBAAqB,EACrB,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,UAAU,EACf,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,KAAK,eAAe,GACrB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,sBAAsB,EACtB,KAAK,gBAAgB,GACtB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,oBAAoB,EACpB,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,KAAK,GACX,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,iBAAiB,EACjB,SAAS,EACT,qBAAqB,EACrB,mBAAmB,EACnB,cAAc,EACd,6BAA6B,EAC7B,KAAK,WAAW,EAChB,KAAK,GAAG,EACR,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,KAAK,uBAAuB,GAC7B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,2BAA2B,EAC3B,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,GAC3B,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,kBAAkB,EAClB,wBAAwB,EACxB,8BAA8B,EAC9B,kCAAkC,EAClC,2BAA2B,EAC3B,KAAK,YAAY,EACjB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,GAC9B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,wBAAwB,EACxB,iCAAiC,EACjC,qCAAqC,EACrC,KAAK,kBAAkB,EACvB,KAAK,2BAA2B,EAChC,KAAK,+BAA+B,GACrC,MAAM,iCAAiC,CAAC;AACzC,OAAO,EACL,mBAAmB,EACnB,4BAA4B,EAC5B,6BAA6B,EAC7B,KAAK,aAAa,EAClB,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,GAC7B,MAAM,4BAA4B,CAAC"}

package/dist/schemas/index.js

@@ -4,5 +4,5 @@ export { RouteInventorySchema, RouteSchema, A11yViolationSchema, BrokenLinkSchem
 export { GapAnalysisSchema, GapSchema, NeutralScenarioSchema, GeneratedTestSchema, TestStepSchema, FrameworkRecommendationSchema, } from './gap-analysis.schema.js';
 export { CostIntelligenceSchema, LlmUsageRecordSchema, LlmDataQualitySchema, LlmOperationTypeSchema, RepeatedAiPatternSchema, DeterministicMaturitySchema, } from './cost-intelligence.schema.js';
 export { RepoAnalysisSchema, FrameworkDetectionSchema, DetectedFrameworkPrimarySchema, FrameworkDetectionConfidenceSchema, TestFrameworkDetectedSchema, } from './repo-analysis.schema.js';
-export { AutomationMaturitySchema, AutomationMaturityDimensionSchema, } from './automation-maturity.schema.js';
+export { AutomationMaturitySchema, AutomationMaturityDimensionSchema, AutomationMaturityApplicabilitySchema, } from './automation-maturity.schema.js';
 export { PublicSurfaceSchema, PublicSurfaceViolationSchema, PublicSurfaceBrokenLinkSchema, } from './public-surface.schema.js';

package/dist/schemas/repo-analysis.schema.d.ts

@@ -104,6 +104,7 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
         coveredPaths: string[];
     }>, "many">;
     missingTestIds: z.ZodArray<z.ZodString, "many">;
+    interactiveTsxFilesScanned: z.ZodOptional<z.ZodNumber>;
     cypressStructure: z.ZodObject<{
         detected: z.ZodBoolean;
         e2eFolder: z.ZodOptional<z.ZodString>;
@@ -160,20 +161,27 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
             weight: z.ZodNumber;
             evidence: z.ZodArray<z.ZodString, "many">;
             recommendations: z.ZodArray<z.ZodString, "many">;
+            applicability: z.ZodOptional<z.ZodEnum<["applicable", "not_applicable", "unknown"]>>;
+            reason: z.ZodOptional<z.ZodString>;
         }, "strip", z.ZodTypeAny, {
             recommendations: string[];
             dimension: "test-coverage-breadth" | "framework-adoption" | "test-id-hygiene" | "ci-integration" | "auth-test-coverage" | "component-test-ratio";
             score: number;
             weight: number;
             evidence: string[];
+            reason?: string | undefined;
+            applicability?: "unknown" | "applicable" | "not_applicable" | undefined;
         }, {
             recommendations: string[];
             dimension: "test-coverage-breadth" | "framework-adoption" | "test-id-hygiene" | "ci-integration" | "auth-test-coverage" | "component-test-ratio";
             score: number;
             weight: number;
             evidence: string[];
+            reason?: string | undefined;
+            applicability?: "unknown" | "applicable" | "not_applicable" | undefined;
         }>, "many">;
         topRecommendations: z.ZodArray<z.ZodString, "many">;
+        scoreFormula: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
         label: string;
         level: number;
@@ -186,8 +194,11 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
             score: number;
             weight: number;
             evidence: string[];
+            reason?: string | undefined;
+            applicability?: "unknown" | "applicable" | "not_applicable" | undefined;
         }[];
         topRecommendations: string[];
+        scoreFormula?: string | undefined;
     }, {
         label: string;
         level: number;
@@ -200,8 +211,11 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
             score: number;
             weight: number;
             evidence: string[];
+            reason?: string | undefined;
+            applicability?: "unknown" | "applicable" | "not_applicable" | undefined;
         }[];
         topRecommendations: string[];
+        scoreFormula?: string | undefined;
     }>>;
 }, "strip", z.ZodTypeAny, {
     scannedAt: string;
@@ -227,6 +241,7 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
         fixturesFolder?: string | undefined;
         supportFolder?: string | undefined;
     };
+    interactiveTsxFilesScanned?: number | undefined;
     framework?: {
         confidence: "high" | "medium" | "low";
         evidence: string[];
@@ -245,8 +260,11 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
             score: number;
             weight: number;
             evidence: string[];
+            reason?: string | undefined;
+            applicability?: "unknown" | "applicable" | "not_applicable" | undefined;
         }[];
         topRecommendations: string[];
+        scoreFormula?: string | undefined;
     } | undefined;
 }, {
     scannedAt: string;
@@ -272,6 +290,7 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
         fixturesFolder?: string | undefined;
         supportFolder?: string | undefined;
     };
+    interactiveTsxFilesScanned?: number | undefined;
     framework?: {
         confidence: "high" | "medium" | "low";
         evidence: string[];
@@ -290,8 +309,11 @@ export declare const RepoAnalysisSchema: z.ZodObject<{
             score: number;
             weight: number;
             evidence: string[];
+            reason?: string | undefined;
+            applicability?: "unknown" | "applicable" | "not_applicable" | undefined;
         }[];
         topRecommendations: string[];
+        scoreFormula?: string | undefined;
     } | undefined;
 }>;
 export type RepoAnalysis = z.infer<typeof RepoAnalysisSchema>;

package/dist/schemas/repo-analysis.schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"repo-analysis.schema.d.ts","sourceRoot":"","sources":["../../src/schemas/repo-analysis.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,eAAO,MAAM,8BAA8B,8HAUzC,CAAC;AAEH,eAAO,MAAM,kCAAkC,sCAAoC,CAAC;AAEpF,eAAO,MAAM,2BAA2B,0FAOtC,CAAC;AAEH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;EAKnC,CAAC;AAEH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,eAAO,MAAM,eAAe;;;;;;;;;;;;EAI1B,CAAC;AAEH,eAAO,MAAM,cAAc;;;;;;;;;;;;EAIzB,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;EASjC,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAS7B,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}
+{"version":3,"file":"repo-analysis.schema.d.ts","sourceRoot":"","sources":["../../src/schemas/repo-analysis.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,eAAO,MAAM,8BAA8B,8HAUzC,CAAC;AAEH,eAAO,MAAM,kCAAkC,sCAAoC,CAAC;AAEpF,eAAO,MAAM,2BAA2B,0FAOtC,CAAC;AAEH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;EAKnC,CAAC;AAEH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,eAAO,MAAM,eAAe;;;;;;;;;;;;EAI1B,CAAC;AAEH,eAAO,MAAM,cAAc;;;;;;;;;;;;EAIzB,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;EASjC,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU7B,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}

package/dist/schemas/repo-analysis.schema.js

@@ -52,6 +52,7 @@ export const RepoAnalysisSchema = z.object({
     routes: z.array(RepoRouteSchema),
     testFiles: z.array(TestFileSchema),
     missingTestIds: z.array(z.string()),
+    interactiveTsxFilesScanned: z.number().int().min(0).optional(),
     cypressStructure: CypressStructureSchema,
     framework: FrameworkDetectionSchema.optional(),
     automationMaturity: AutomationMaturitySchema.optional(),

package/dist/telemetry/emit.d.ts

@@ -1,3 +1,25 @@
 import type { TelemetryEvent, TelemetryEventKind, TelemetrySink } from './telemetry.interface.js';
 export declare function emitTelemetry(sink: TelemetrySink | undefined, kind: TelemetryEventKind, sessionId: string, metadata: TelemetryEvent['metadata'], durationMs?: number): void;
+/**
+ * Strip the query string and fragment from a URL before emitting it in telemetry.
+ *
+ * Telemetry must not carry credentials, share tokens, or any other secret-shaped
+ * material that callers may embed in query strings (e.g. `?token=...`, `?key=...`).
+ * Returns `origin + pathname` only for valid `http:` / `https:` URLs, and additionally
+ * strips any `user:pass@` userinfo from the origin.
+ *
+ * If the input is not a valid `http(s)` URL, this helper returns the literal string
+ * `'[redacted-non-url]'` rather than echoing the original input. Two reasons:
+ *
+ *  1. `new URL(...)` parses many `scheme:rest` shapes that are not real URLs
+ *     (e.g. `mailto:`, custom `user:pass@host`, `data:`). Those still produce a
+ *     non-empty `origin + pathname` and would echo the right-hand side back.
+ *  2. The exported helper makes no assumption about caller provenance: a non-URL
+ *     string passed in may itself be secret-shaped (a raw token, a path with
+ *     embedded credentials, etc.), so the only safe fallback is to discard the
+ *     value entirely.
+ *
+ * Telemetry never throws on malformed input.
+ */
+export declare function redactUrlForTelemetry(url: string): string;
 //# sourceMappingURL=emit.d.ts.map

package/dist/telemetry/emit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"emit.d.ts","sourceRoot":"","sources":["../../src/telemetry/emit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAElG,wBAAgB,aAAa,CAC3B,IAAI,EAAE,aAAa,GAAG,SAAS,EAC/B,IAAI,EAAE,kBAAkB,EACxB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,EACpC,UAAU,CAAC,EAAE,MAAM,GAClB,IAAI,CASN"}
+{"version":3,"file":"emit.d.ts","sourceRoot":"","sources":["../../src/telemetry/emit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAElG,wBAAgB,aAAa,CAC3B,IAAI,EAAE,aAAa,GAAG,SAAS,EAC/B,IAAI,EAAE,kBAAkB,EACxB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,EACpC,UAAU,CAAC,EAAE,MAAM,GAClB,IAAI,CASN;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAczD"}

package/dist/telemetry/emit.js

@@ -9,3 +9,40 @@ export function emitTelemetry(sink, kind, sessionId, metadata, durationMs) {
         ...(durationMs !== undefined && { durationMs }),
     });
 }
+/**
+ * Strip the query string and fragment from a URL before emitting it in telemetry.
+ *
+ * Telemetry must not carry credentials, share tokens, or any other secret-shaped
+ * material that callers may embed in query strings (e.g. `?token=...`, `?key=...`).
+ * Returns `origin + pathname` only for valid `http:` / `https:` URLs, and additionally
+ * strips any `user:pass@` userinfo from the origin.
+ *
+ * If the input is not a valid `http(s)` URL, this helper returns the literal string
+ * `'[redacted-non-url]'` rather than echoing the original input. Two reasons:
+ *
+ *  1. `new URL(...)` parses many `scheme:rest` shapes that are not real URLs
+ *     (e.g. `mailto:`, custom `user:pass@host`, `data:`). Those still produce a
+ *     non-empty `origin + pathname` and would echo the right-hand side back.
+ *  2. The exported helper makes no assumption about caller provenance: a non-URL
+ *     string passed in may itself be secret-shaped (a raw token, a path with
+ *     embedded credentials, etc.), so the only safe fallback is to discard the
+ *     value entirely.
+ *
+ * Telemetry never throws on malformed input.
+ */
+export function redactUrlForTelemetry(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return '[redacted-non-url]';
+    }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+        return '[redacted-non-url]';
+    }
+    // Strip any user:pass@ from the origin. `URL.origin` already omits userinfo,
+    // but rebuilding from `protocol + host` makes the intent explicit and removes
+    // any chance of credentials leaking through future Node URL changes.
+    return `${parsed.protocol}//${parsed.host}${parsed.pathname}`;
+}

package/dist/tools/auth-detector.d.ts

@@ -1,4 +1,22 @@
+import type { Page } from '@playwright/test';
 import type { DetectedAuth } from '../schemas/config.schema.js';
 import type { AnalyzeProgressSink } from '../harness/progress-log.js';
+export declare function evaluateStorageStateValidity(signals: {
+    expectedOrigin: string;
+    finalUrl: string;
+    visiblePasswordCount: number;
+    hadUnauthorizedHttp: boolean;
+}): {
+    valid: boolean;
+    reason: string;
+};
+export declare function waitForReturnToOrigin(page: Page, baseUrl: string, timeoutMs?: number): Promise<{
+    returned: boolean;
+    finalUrl: string;
+}>;
+export declare function validateStorageState(url: string, storagePath: string, timeoutMs?: number): Promise<{
+    valid: boolean;
+    reason: string;
+}>;
 export declare function detectAuth(url: string, timeoutMs?: number, progress?: AnalyzeProgressSink): Promise<DetectedAuth>;
 //# sourceMappingURL=auth-detector.d.ts.map

package/dist/tools/auth-detector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-detector.d.ts","sourceRoot":"","sources":["../../src/tools/auth-detector.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAY,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC1E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAsPtE,wBAAsB,UAAU,CAC9B,GAAG,EAAE,MAAM,EACX,SAAS,SAAQ,EACjB,QAAQ,CAAC,EAAE,mBAAmB,GAC7B,OAAO,CAAC,YAAY,CAAC,CAkJvB"}
+{"version":3,"file":"auth-detector.d.ts","sourceRoot":"","sources":["../../src/tools/auth-detector.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,KAAK,EAAY,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC1E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAwQtE,wBAAgB,4BAA4B,CAAC,OAAO,EAAE;IACpD,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,mBAAmB,EAAE,OAAO,CAAC;CAC9B,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAWrC;AAED,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,MAAM,EACf,SAAS,SAAQ,GAChB,OAAO,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAelD;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,WAAW,EAAE,MAAM,EACnB,SAAS,SAAQ,GAChB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA+B7C;AAED,wBAAsB,UAAU,CAC9B,GAAG,EAAE,MAAM,EACX,SAAS,SAAQ,EACjB,QAAQ,CAAC,EAAE,mBAAmB,GAC7B,OAAO,CAAC,YAAY,CAAC,CAqJvB"}

package/dist/tools/auth-detector.js

@@ -1,3 +1,4 @@
+import { resolve } from 'node:path';
 import { launchBrowser } from './browser.js';
 import { BUILT_IN_OAUTH_PROVIDERS } from './oauth-providers.js';
 async function waitNetworkIdleBestEffort(page) {
@@ -166,6 +167,7 @@ async function probeClickToRevealForms(page, loginUrl, alreadyMatchedTexts, time
             continue;
         seenLabels.add(label);
         candidateAttempts += 1;
+        const originBefore = new URL(page.url()).origin;
         if (debugAuth()) {
             progress?.debug(`detect_auth click-reveal try label="${label.slice(0, 80)}"`);
         }
@@ -191,7 +193,21 @@ async function probeClickToRevealForms(page, loginUrl, alreadyMatchedTexts, time
             continue;
         }
         try {
-            await page.locator('input[type="password"]').first().waitFor({ state: 'visible', timeout: 2000 });
+            await page.waitForLoadState('domcontentloaded', { timeout: 5000 });
+        }
+        catch {
+            /* best-effort after navigation */
+        }
+        if (new URL(page.url()).origin !== originBefore) {
+            if (debugAuth()) {
+                progress?.debug(`detect_auth click-reveal aborted (cross-origin after click): was ${originBefore} now ${new URL(page.url()).origin}`);
+            }
+            await page.goto(loginUrl, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
+            await waitNetworkIdleBestEffort(page);
+            continue;
+        }
+        try {
+            await page.locator('input[type="password"]:visible').first().waitFor({ state: 'visible', timeout: 2000 });
         }
         catch {
             await page.goto(loginUrl, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
@@ -218,6 +234,64 @@ async function probeClickToRevealForms(page, loginUrl, alreadyMatchedTexts, time
     }
     return out;
 }
+export function evaluateStorageStateValidity(signals) {
+    if (new URL(signals.finalUrl).origin !== signals.expectedOrigin) {
+        return { valid: false, reason: 'session redirected to external IdP' };
+    }
+    if (signals.visiblePasswordCount > 0) {
+        return { valid: false, reason: 'login form still visible after loading storage state' };
+    }
+    if (signals.hadUnauthorizedHttp) {
+        return { valid: false, reason: 'HTTP 401/403 on authenticated request' };
+    }
+    return { valid: true, reason: 'session appears active' };
+}
+export async function waitForReturnToOrigin(page, baseUrl, timeoutMs = 15000) {
+    const targetOrigin = new URL(baseUrl).origin;
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        const finalUrl = page.url();
+        try {
+            if (new URL(finalUrl).origin === targetOrigin) {
+                return { returned: true, finalUrl };
+            }
+        }
+        catch {
+            /* ignore transient invalid URLs */
+        }
+        await new Promise((r) => setTimeout(r, 500));
+    }
+    return { returned: false, finalUrl: page.url() };
+}
+export async function validateStorageState(url, storagePath, timeoutMs = 10000) {
+    const storageAbs = resolve(process.cwd(), storagePath);
+    const expectedOrigin = new URL(url).origin;
+    let hadUnauthorizedHttp = false;
+    const browser = await launchBrowser();
+    try {
+        const context = await browser.newContext({ storageState: storageAbs });
+        const page = await context.newPage();
+        page.on('response', (res) => {
+            const s = res.status();
+            if (s === 401 || s === 403) {
+                hadUnauthorizedHttp = true;
+            }
+        });
+        await page.goto(url, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
+        await waitNetworkIdleBestEffort(page);
+        const finalUrl = page.url();
+        const visiblePasswordCount = await page.locator('input[type="password"]:visible').count();
+        return evaluateStorageStateValidity({
+            expectedOrigin,
+            finalUrl,
+            visiblePasswordCount,
+            hadUnauthorizedHttp,
+        });
+    }
+    finally {
+        await browser.close();
+    }
+}
 export async function detectAuth(url, timeoutMs = 15000, progress) {
     const browser = await launchBrowser();
     try {
@@ -232,7 +306,7 @@ export async function detectAuth(url, timeoutMs = 15000, progress) {
         }
         let loginUrl = url;
         const looksLikeLoginPage = /login|sign[- ]?in|auth/i.test(page.url()) ||
-            (await page.locator('input[type="password"]').count()) > 0;
+            (await page.locator('input[type="password"]:visible').count()) > 0;
         if (!looksLikeLoginPage) {
             const loginLink = page.locator('a').filter({ hasText: /^(log ?in|sign ?in|sign in)$/i }).first();
             const loginLinkCount = await loginLink.count();
@@ -247,7 +321,7 @@ export async function detectAuth(url, timeoutMs = 15000, progress) {
                 }
             }
         }
-        const passwordInputs = page.locator('input[type="password"]');
+        const passwordInputs = page.locator('input[type="password"]:visible');
         const passwordCount = await passwordInputs.count();
         progress?.debug(`detect_auth selector input[type=password] count=${passwordCount}`);
         const hasFormLogin = passwordCount > 0;
@@ -274,13 +348,19 @@ export async function detectAuth(url, timeoutMs = 15000, progress) {
                     matchedAny = true;
                 }
             }
-            // Capture unrecognized SSO-like buttons so they appear in the result
-            if (!matchedAny && !oauthButtons.find((b) => b.text === trimmed.slice(0, 100))) {
-                oauthButtons.push({ provider: 'unknown', text: trimmed.slice(0, 100) });
+            if (!matchedAny) {
+                const builtIn = BUILT_IN_OAUTH_PROVIDERS.find((p) => p.label.toLowerCase() === trimmed.toLowerCase());
+                if (builtIn) {
+                    if (!oauthButtons.find((b) => b.provider === builtIn.id)) {
+                        oauthButtons.push({ provider: builtIn.id, text: trimmed.slice(0, 100) });
+                    }
+                }
+                else if (!oauthButtons.find((b) => b.text === trimmed.slice(0, 100))) {
+                    oauthButtons.push({ provider: 'unknown', text: trimmed.slice(0, 100) });
+                }
             }
         }
-        // Only skip buttons already tied to a built-in IdP — leave `unknown` labels probe-able for click-to-reveal forms.
-        const skipProbeLabels = new Set(oauthButtons.filter((b) => b.provider !== 'unknown').map((b) => b.text.trim()));
+        const skipProbeLabels = new Set(oauthButtons.map((b) => b.text.trim()));
         const clickRevealForms = await probeClickToRevealForms(page, loginUrl, skipProbeLabels, timeoutMs, progress);
         const pageText = await page.locator('body').innerText().catch(() => '');
         const hasMagicLink = MAGIC_LINK_PATTERNS.some((p) => p.test(pageText));

package/dist/tools/automation-maturity.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"automation-maturity.d.ts","sourceRoot":"","sources":["../../src/tools/automation-maturity.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,KAAK,EAAE,kBAAkB,EAA+B,MAAM,0CAA0C,CAAC;AAiDhH,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,YAAY,GAAG,kBAAkB,CA6HhF"}
+{"version":3,"file":"automation-maturity.d.ts","sourceRoot":"","sources":["../../src/tools/automation-maturity.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,KAAK,EACV,kBAAkB,EAGnB,MAAM,0CAA0C,CAAC;AAiDlD,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,YAAY,GAAG,kBAAkB,CAuLhF"}

package/dist/tools/automation-maturity.js

@@ -97,16 +97,32 @@ export function computeAutomationMaturity(repo) {
         evidence: fwEvidence,
         recommendations: frameworkScore >= 80 ? [] : ['Standardize on Playwright or Cypress for E2E against deployed URLs.'],
     };
-    const hygienePenalty = Math.min(100, repo.missingTestIds.length * 6);
-    const hygieneScore = Math.max(0, 100 - hygienePenalty);
+    const missingIds = repo.missingTestIds.length;
+    const interactiveTsxScanned = repo.interactiveTsxFilesScanned ?? missingIds;
+    let hygieneScore = 0;
+    let hygieneApplicability = 'applicable';
+    let hygieneReason;
+    const hygieneEvidence = [];
+    if (interactiveTsxScanned === 0) {
+        hygieneApplicability = 'unknown';
+        hygieneReason = 'No interactive TSX files scanned — cannot compute a missing-id ratio honestly.';
+        hygieneEvidence.push(hygieneReason);
+    }
+    else {
+        const missingRatio = missingIds / interactiveTsxScanned;
+        hygieneScore = Math.round(Math.max(0, 100 * (1 - missingRatio)));
+        hygieneEvidence.push(`${missingIds}/${interactiveTsxScanned} interactive TSX file(s) lacked data-testid (heuristic scan).`);
+    }
     const hygieneDim = {
         dimension: 'test-id-hygiene',
         score: hygieneScore,
         weight: W_TEST_ID,
-        evidence: [
-            `${repo.missingTestIds.length} TSX file(s) with interactive markup but no data-testid (heuristic scan).`,
-        ],
-        recommendations: hygieneScore >= 85 ? [] : ['Add stable data-testid (or role-based selectors) on interactive components used in tests.'],
+        evidence: hygieneEvidence,
+        recommendations: hygieneApplicability === 'applicable' && hygieneScore < 85
+            ? ['Add stable data-testid (or role-based selectors) on interactive components used in tests.']
+            : [],
+        applicability: hygieneApplicability,
+        ...(hygieneReason && { reason: hygieneReason }),
     };
     const ci = hasCiAtRoot(repo.repoPath);
     const ciDim = {
@@ -117,36 +133,75 @@ export function computeAutomationMaturity(repo) {
         recommendations: ci.ok ? [] : ['Add a CI workflow that runs unit/E2E tests on every PR.'],
     };
     const authRe = /\/(login|auth|signin)(\/|$)/i;
+    const authRouteFileRe = /(login|auth|signin)/i;
     const authCovered = repo.testFiles.some((tf) => tf.coveredPaths.some((c) => authRe.test(c)));
-    const authScore = authCovered ? 90 : 25;
+    const repoHasAuthRoute = repo.routes.some((r) => authRe.test(r.path));
+    const repoHasAuthTestFile = repo.testFiles.some((tf) => authRouteFileRe.test(tf.file));
+    const repoHasAnyAuthSignal = repoHasAuthRoute || repoHasAuthTestFile || authCovered;
+    let authScore = 0;
+    let authApplicability = 'applicable';
+    let authReason;
+    const authEvidence = [];
+    if (!repoHasAnyAuthSignal) {
+        authApplicability = 'not_applicable';
+        authReason = 'No auth routes, auth-named test files, or auth path coverage detected — repo appears auth-free.';
+        authEvidence.push(authReason);
+    }
+    else {
+        authScore = authCovered ? 90 : 25;
+        authEvidence.push(authCovered
+            ? 'At least one test references /login, /auth, or /signin in coveredPaths.'
+            : 'Repo has auth-shaped routes or test files but no auth-route coverage in extracted test path strings.');
+    }
     const authDim = {
         dimension: 'auth-test-coverage',
         score: authScore,
         weight: W_AUTH_TESTS,
-        evidence: authCovered
-            ? ['At least one test references /login, /auth, or /signin in coveredPaths.']
-            : ['No obvious auth-route coverage in extracted test path strings.'],
-        recommendations: authCovered ? [] : ['Add focused tests for sign-in and post-auth landing behavior.'],
+        evidence: authEvidence,
+        recommendations: authApplicability === 'applicable' && !authCovered
+            ? ['Add focused tests for sign-in and post-auth landing behavior.']
+            : [],
+        applicability: authApplicability,
+        ...(authReason && { reason: authReason }),
     };
     const cypressE2e = repo.testFiles.filter((t) => t.type === 'cypress-e2e').length;
     const cypressComp = repo.testFiles.filter((t) => t.type === 'cypress-component').length;
     const cypressTotal = cypressE2e + cypressComp;
-    const compRatioScore = cypressTotal === 0 ? 50 : Math.round((100 * cypressComp) / cypressTotal);
+    let compRatioScore = 0;
+    let compApplicability = 'applicable';
+    let compReason;
+    const compEvidence = [];
+    if (cypressTotal === 0) {
+        compApplicability = 'not_applicable';
+        compReason = 'No Cypress (e2e or component) tests detected — component-test-ratio does not apply.';
+        compEvidence.push(compReason);
+    }
+    else {
+        compRatioScore = Math.round((100 * cypressComp) / cypressTotal);
+        compEvidence.push(`Cypress e2e files (matched): ${cypressE2e}, component: ${cypressComp}.`);
+    }
     const compDim = {
         dimension: 'component-test-ratio',
         score: compRatioScore,
         weight: W_COMPONENT_RATIO,
-        evidence: [
-            `Cypress e2e files (matched): ${cypressE2e}, component: ${cypressComp}.`,
-        ],
-        recommendations: cypressComp === 0 || cypressTotal === 0
-            ? []
-            : ['Balance component vs E2E Cypress tests so critical flows stay fast in CI.'],
+        evidence: compEvidence,
+        recommendations: compApplicability === 'applicable' && cypressComp > 0
+            ? ['Balance component vs E2E Cypress tests so critical flows stay fast in CI.']
+            : [],
+        applicability: compApplicability,
+        ...(compReason && { reason: compReason }),
     };
     const dimensions = [breadthDim, frameworkDim, hygieneDim, ciDim, authDim, compDim];
-    const overallScore = Math.round(dimensions.reduce((s, d) => s + d.score * d.weight, 0));
+    // Overall score normalizes over applicable dimensions only.
+    // overallScore = round( Σ score_i * weight_i / Σ weight_i ) for i ∈ applicable.
+    // If no dimension is applicable (degenerate repo), overall = 0 and level = L1.
+    const applicableDims = dimensions.filter((d) => (d.applicability ?? 'applicable') === 'applicable');
+    const weightSum = applicableDims.reduce((s, d) => s + d.weight, 0);
+    const overallScore = weightSum > 0
+        ? Math.round(applicableDims.reduce((s, d) => s + d.score * d.weight, 0) / weightSum)
+        : 0;
     const { level, label } = scoreLevel(overallScore);
-    const topRecommendations = [...dimensions]
+    const topRecommendations = [...applicableDims]
         .sort((a, b) => a.score - b.score)
         .flatMap((d) => d.recommendations)
         .filter(Boolean)
@@ -159,5 +214,6 @@ export function computeAutomationMaturity(repo) {
         label,
         dimensions,
         topRecommendations,
+        scoreFormula: 'overallScore = round( Σ (score * weight) / Σ weight ) for applicable dimensions only. not_applicable and unknown dimensions are excluded from the denominator.',
     });
 }

package/dist/tools/repo-scanner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"repo-scanner.d.ts","sourceRoot":"","sources":["../../src/tools/repo-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAsB,KAAK,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAmC3F,wBAAsB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAyItE"}
+{"version":3,"file":"repo-scanner.d.ts","sourceRoot":"","sources":["../../src/tools/repo-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAsB,KAAK,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAmC3F,wBAAsB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CA8ItE"}

package/dist/tools/repo-scanner.js

@@ -137,12 +137,16 @@ export async function scanRepo(repoPath) {
         ignore: [...IGNORE_PATTERNS, '**/*.spec.tsx'],
     });
     const missingTestIds = [];
+    let interactiveTsxFilesScanned = 0;
     for (const file of tsxFiles) {
         const rel = toPosix(relative(repoPath, file));
         const content = await readFile(file, 'utf8');
         const hasInteractive = content.includes('<button') || content.includes('<input') || content.includes('<a ');
-        if (hasInteractive && !content.includes('data-testid')) {
-            missingTestIds.push(rel);
+        if (hasInteractive) {
+            interactiveTsxFilesScanned += 1;
+            if (!content.includes('data-testid')) {
+                missingTestIds.push(rel);
+            }
         }
     }
     const base = {
@@ -151,6 +155,7 @@ export async function scanRepo(repoPath) {
         routes,
         testFiles,
         missingTestIds: [...new Set(missingTestIds)],
+        interactiveTsxFilesScanned,
         cypressStructure: {
             detected: cypressRoot.length > 0,
             e2eFolder: e2eFolder[0],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qulib/core",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "Qulib — analyze deployed web apps for honest quality gaps (CLI + programmatic API)",
   "license": "MIT",
   "author": "Tapesh Nagarwal",
@@ -48,7 +48,7 @@
     "analyze": "tsx src/cli/index.ts analyze",
     "clean": "tsx src/cli/index.ts clean",
     "build": "tsc",
-    "test": "node --import tsx/esm --test src/llm/cost-intelligence.test.ts src/tools/gap-engine.test.ts src/tools/auth-block-gap.test.ts",
+    "test": "node --import tsx/esm --test src/llm/cost-intelligence.test.ts src/tools/gap-engine.test.ts src/tools/auth-block-gap.test.ts src/tools/auth-detector.test.ts src/tools/automation-maturity.test.ts src/harness/state-manager.test.ts src/telemetry/redact-url.test.ts src/cli/auth-login.test.ts src/cli/cli-version.test.ts",
     "test:integration": "node --import tsx/esm --test src/analyze.integration.test.ts",
     "smoke": "tsx src/cli/index.ts analyze --url https://example.com --ephemeral",
     "cost-doctor": "tsx src/cli/index.ts cost doctor"