npm - @qulib/core - Versions diffs - 0.4.2 → 0.4.3 - Mend

@qulib/core 0.4.2 → 0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (111) hide show

package/README.md +34 -8
package/dist/analyze.d.ts.map +1 -1
package/dist/analyze.js +84 -5
package/dist/cli/auth-login-run.d.ts.map +1 -1
package/dist/cli/auth-login-run.js +26 -2
package/dist/cli/index.js +9 -6
package/dist/index.d.ts +6 -5
package/dist/index.d.ts.map +1 -1
package/dist/index.js +5 -5
package/dist/phases/observe.js +2 -2
package/dist/phases/think.js +1 -1
package/dist/telemetry/telemetry.interface.d.ts +1 -1
package/dist/telemetry/telemetry.interface.d.ts.map +1 -1
package/dist/tools/apply-auth.d.ts +4 -0
package/dist/tools/apply-auth.d.ts.map +1 -0
package/dist/tools/apply-auth.js +35 -0
package/dist/tools/auth/apply.d.ts +4 -0
package/dist/tools/auth/apply.d.ts.map +1 -0
package/dist/tools/auth/apply.js +35 -0
package/dist/tools/auth/block-gap.d.ts +9 -0
package/dist/tools/auth/block-gap.d.ts.map +1 -0
package/dist/tools/auth/block-gap.js +52 -0
package/dist/tools/auth/custom-providers.d.ts +15 -0
package/dist/tools/auth/custom-providers.d.ts.map +1 -0
package/dist/tools/auth/custom-providers.js +62 -0
package/dist/tools/auth/detect.d.ts +23 -0
package/dist/tools/auth/detect.d.ts.map +1 -0
package/dist/tools/auth/detect.js +526 -0
package/dist/tools/auth/detector.d.ts +23 -0
package/dist/tools/auth/detector.d.ts.map +1 -0
package/dist/tools/auth/detector.js +526 -0
package/dist/tools/auth/explore.d.ts +4 -0
package/dist/tools/auth/explore.d.ts.map +1 -0
package/dist/tools/auth/explore.js +346 -0
package/dist/tools/auth/explorer.d.ts +4 -0
package/dist/tools/auth/explorer.d.ts.map +1 -0
package/dist/tools/auth/explorer.js +346 -0
package/dist/tools/auth/gaps.d.ts +9 -0
package/dist/tools/auth/gaps.d.ts.map +1 -0
package/dist/tools/auth/gaps.js +52 -0
package/dist/tools/auth/oauth-providers.d.ts +7 -0
package/dist/tools/auth/oauth-providers.d.ts.map +1 -0
package/dist/tools/auth/oauth-providers.js +21 -0
package/dist/tools/auth/providers.d.ts +7 -0
package/dist/tools/auth/providers.d.ts.map +1 -0
package/dist/tools/auth/providers.js +21 -0
package/dist/tools/auth/surface-analyzer.d.ts +4 -0
package/dist/tools/auth/surface-analyzer.d.ts.map +1 -0
package/dist/tools/auth/surface-analyzer.js +170 -0
package/dist/tools/auth/surface.d.ts +4 -0
package/dist/tools/auth/surface.d.ts.map +1 -0
package/dist/tools/auth/surface.js +170 -0
package/dist/tools/auth/user-providers.d.ts +15 -0
package/dist/tools/auth/user-providers.d.ts.map +1 -0
package/dist/tools/auth/user-providers.js +62 -0
package/dist/tools/auth-block-gap.d.ts +6 -0
package/dist/tools/auth-block-gap.d.ts.map +1 -1
package/dist/tools/auth-block-gap.js +42 -9
package/dist/tools/auth-detector.d.ts +9 -8
package/dist/tools/auth-detector.d.ts.map +1 -1
package/dist/tools/auth-detector.js +106 -8
package/dist/tools/explorers/browser.d.ts +3 -0
package/dist/tools/explorers/browser.d.ts.map +1 -0
package/dist/tools/explorers/browser.js +13 -0
package/dist/tools/explorers/cypress-explorer.d.ts +8 -0
package/dist/tools/explorers/cypress-explorer.d.ts.map +1 -0
package/dist/tools/explorers/cypress-explorer.js +5 -0
package/dist/tools/explorers/cypress.d.ts +8 -0
package/dist/tools/explorers/cypress.d.ts.map +1 -0
package/dist/tools/explorers/cypress.js +5 -0
package/dist/tools/explorers/explorer.interface.d.ts +7 -0
package/dist/tools/explorers/explorer.interface.d.ts.map +1 -0
package/dist/tools/explorers/explorer.interface.js +1 -0
package/dist/tools/explorers/factory.d.ts +4 -0
package/dist/tools/explorers/factory.d.ts.map +1 -0
package/dist/tools/explorers/factory.js +12 -0
package/dist/tools/explorers/playwright-explorer.d.ts +8 -0
package/dist/tools/explorers/playwright-explorer.d.ts.map +1 -0
package/dist/tools/explorers/playwright-explorer.js +172 -0
package/dist/tools/explorers/playwright.d.ts +8 -0
package/dist/tools/explorers/playwright.d.ts.map +1 -0
package/dist/tools/explorers/playwright.js +172 -0
package/dist/tools/explorers/types.d.ts +7 -0
package/dist/tools/explorers/types.d.ts.map +1 -0
package/dist/tools/explorers/types.js +1 -0
package/dist/tools/playwright-explorer.js +1 -1
package/dist/tools/repo/detect-framework.d.ts +15 -0
package/dist/tools/repo/detect-framework.d.ts.map +1 -0
package/dist/tools/repo/detect-framework.js +153 -0
package/dist/tools/repo/framework-detector.d.ts +15 -0
package/dist/tools/repo/framework-detector.d.ts.map +1 -0
package/dist/tools/repo/framework-detector.js +153 -0
package/dist/tools/repo/scan.d.ts +19 -0
package/dist/tools/repo/scan.d.ts.map +1 -0
package/dist/tools/repo/scan.js +181 -0
package/dist/tools/repo/scanner.d.ts +19 -0
package/dist/tools/repo/scanner.d.ts.map +1 -0
package/dist/tools/repo/scanner.js +181 -0
package/dist/tools/scoring/automation-maturity.d.ts +4 -0
package/dist/tools/scoring/automation-maturity.d.ts.map +1 -0
package/dist/tools/scoring/automation-maturity.js +219 -0
package/dist/tools/scoring/gap-engine.d.ts +8 -0
package/dist/tools/scoring/gap-engine.d.ts.map +1 -0
package/dist/tools/scoring/gap-engine.js +138 -0
package/dist/tools/scoring/gaps.d.ts +8 -0
package/dist/tools/scoring/gaps.d.ts.map +1 -0
package/dist/tools/scoring/gaps.js +138 -0
package/dist/tools/scoring/public-surface.d.ts +5 -0
package/dist/tools/scoring/public-surface.d.ts.map +1 -0
package/dist/tools/scoring/public-surface.js +13 -0
package/package.json +3 -3

package/README.md CHANGED Viewed

@@ -77,6 +77,24 @@ qulib analyze --url https://app.example.com --auth-storage-state ./qulib-storage
 The storage state is just a JSON file of cookies and localStorage — keep it private, treat it like a credential.
+#### Storage state is validated before crawl
+Qulib now validates the provided storage state before doing any work. If the file is missing, unreadable, empty, on the wrong origin, or carries a session that is already expired, Qulib stops with an honest `blocked` result (no fake `releaseConfidence`) and a structured gap explaining how to recover. The validator reports one of these stable reason codes:
+| Reason code               | Meaning                                                                 |
+| ------------------------- | ----------------------------------------------------------------------- |
+| `missing-file`            | Path passed to `--auth-storage-state` does not exist.                   |
+| `unreadable-file`         | File exists but the process can't read it (permissions).                |
+| `invalid-json`            | File is present and readable but not valid JSON.                        |
+| `no-auth-cookies`         | File parses, but has zero cookies and zero localStorage entries.        |
+| `wrong-origin`            | Session redirects to a different origin (host/port/scheme mismatch).    |
+| `expired-or-unauthorized` | Loaded session shows the login form again, or the app returns 401/403. |
+| `unknown`                 | Validation could not be completed for an unexpected reason.             |
+Origin matching is strict — `https://app.example` and `https://www.app.example` are different origins, as are `http://localhost:3000` and `http://localhost:4000`. Re-run `qulib auth login` against the same origin you plan to `analyze`.
+Relatedly, `qulib auth login` will now refuse to save a storage state if the browser ends the flow on a different origin than `--base-url` (a federated/SSO redirect that never returned to the app). This prevents Qulib from quietly persisting an IdP-domain session that would later produce false-confidence scans.
 ### Multi-path auth exploration (`explore-auth`)
 For unfamiliar apps (especially enterprise SSO with several buttons), run **`qulib explore-auth --url <url>`** before `analyze`. The JSON lists every detected path (built-in OAuth names like Google/Clever, **heuristic** unknown buttons such as tenant-specific SSO labels, password forms, and magic-link copy) plus **`suggestedAgentBehavior`** for the agent.
@@ -194,16 +212,24 @@ TypeScript (strict, NodeNext), Commander, Zod, Playwright, @axe-core/playwright,
 ```text
 src/
   adapters/      # test rendering adapters
-  analyze.ts     # programmatic API (also used by @qulib/mcp)
-  cli/           # CLI entry
-  harness/       # state + decision logging
-  llm/           # LLM contracts
-  phases/        # observe / think / act
-  reporters/     # JSON + Markdown reports
-  schemas/       # Zod schemas
-  tools/         # explorers, auth, gap engine, repo scanner
+  analyze.ts        # programmatic API (also used by @qulib/mcp)
+  cli/              # CLI entry
+  harness/          # state + decision logging
+  llm/              # LLM contracts
+  phases/           # observe / think / act
+  reporters/        # JSON + Markdown reports
+  schemas/          # Zod schemas
+  telemetry/        # event sink + URL redaction
+  tools/
+    auth/           # detection, exploration, validation, providers, gap builders
+    explorers/      # browser launch, Playwright/Cypress crawlers, factory
+    repo/           # repo scanner, framework detection
+    scoring/        # gap engine, automation maturity, public surface
+  __tests__/        # integration and wiring tests live in __tests__/ in each folder
 ```
+A contributor map of which folder to touch for each kind of change lives at [`docs/source-map.md`](../../docs/source-map.md).
 Repo rules: see [`CLAUDE.md`](../../CLAUDE.md).
 ## Configuration

package/dist/analyze.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"analyze.d.ts","sourceRoot":"","sources":["../src/analyze.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACnF,OAAO,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,kCAAkC,CAAC;AACzE,OAAO,EAAwB,KAAK,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAChG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACzE,OAAO,EAAuB,KAAK,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAU7F,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAGxE,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;AAE/D,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,aAAa,CAAC;IACtB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,WAAW,CAAC,EAAE,mBAAmB,CAAC;IAClC,SAAS,CAAC,EAAE,aAAa,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,aAAa,CAAC;IACtB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,0GAA0G;IAC1G,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,sFAAsF;IACtF,IAAI,EAAE,GAAG,EAAE,CAAC;IACZ,WAAW,EAAE,WAAW,CAAC;IACzB,8GAA8G;IAC9G,cAAc,EAAE,cAAc,CAAC;IAC/B,aAAa,EAAE,YAAY,GAAG,IAAI,CAAC;IACnC,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,0HAA0H;IAC1H,aAAa,EAAE,aAAa,GAAG,IAAI,CAAC;CACrC;AAcD,wBAAsB,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC,~~CA8JhF~~"}
1	+ {"version":3,"file":"analyze.d.ts","sourceRoot":"","sources":["../src/analyze.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACnF,OAAO,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,kCAAkC,CAAC;AACzE,OAAO,EAAwB,KAAK,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAChG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACzE,OAAO,EAAuB,KAAK,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAU7F,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAGxE,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;AAE/D,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,aAAa,CAAC;IACtB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,WAAW,CAAC,EAAE,mBAAmB,CAAC;IAClC,SAAS,CAAC,EAAE,aAAa,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,aAAa,CAAC;IACtB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,0GAA0G;IAC1G,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,sFAAsF;IACtF,IAAI,EAAE,GAAG,EAAE,CAAC;IACZ,WAAW,EAAE,WAAW,CAAC;IACzB,8GAA8G;IAC9G,cAAc,EAAE,cAAc,CAAC;IAC/B,aAAa,EAAE,YAAY,GAAG,IAAI,CAAC;IACnC,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,0HAA0H;IAC1H,aAAa,EAAE,aAAa,GAAG,IAAI,CAAC;CACrC;AAcD,wBAAsB,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC,CAqQhF"}

package/dist/analyze.js CHANGED Viewed

@@ -4,11 +4,11 @@ import { PublicSurfaceSchema } from './schemas/public-surface.schema.js';
 import { observe } from './phases/observe.js';
 import { think } from './phases/think.js';
 import { act } from './phases/act.js';
-import { detectAuth } from './tools/auth-detector.js';
-import { analyzeGaps, computeCoverageScore, computeQualityScoreFromGaps } from './tools/gap-engine.js';
-import { analyzeAuthSurfaceGaps } from './tools/auth-surface-analyzer.js';
-import { buildPublicSurface } from './tools/public-surface.js';
-import { buildAuthBlockGap } from './tools/auth-block-gap.js';
+import { detectAuth, validateStorageState } from './tools/auth/detect.js';
+import { analyzeGaps, computeCoverageScore, computeQualityScoreFromGaps } from './tools/scoring/gaps.js';
+import { analyzeAuthSurfaceGaps } from './tools/auth/surface.js';
+import { buildPublicSurface } from './tools/scoring/public-surface.js';
+import { buildAuthBlockGap, buildStorageStateInvalidGap } from './tools/auth/gaps.js';
 import { finalizeGapAnalysisFromDraft } from './phases/think-finalize.js';
 import { emitTelemetry, redactUrlForTelemetry } from './telemetry/emit.js';
 function logScanEnd(progress, result) {
@@ -40,6 +40,85 @@ export async function analyzeApp(options) {
         hasAuth: Boolean(options.config.auth),
     });
     progress?.info(`Starting scan → ${options.url} maxPagesToScan=${options.config.maxPagesToScan}`);
+    if (options.config.auth?.type === 'storage-state') {
+        progress?.info('Validating provided storage state before crawl…');
+        const validation = await validateStorageState(options.url, options.config.auth.path, options.config.timeoutMs);
+        let targetOriginForTelemetry;
+        try {
+            targetOriginForTelemetry = new URL(options.url).origin;
+        }
+        catch {
+            targetOriginForTelemetry = '[unparseable-target-url]';
+        }
+        emitTelemetry(options.telemetry, 'auth.storage-state.validated', sessionId, {
+            targetOrigin: targetOriginForTelemetry,
+            valid: validation.valid,
+            reasonCode: validation.reasonCode,
+            storageStateProvided: true,
+        });
+        if (!validation.valid) {
+            progress?.warn(`Storage state rejected (${validation.reasonCode}): ${validation.reason}. Skipping crawl.`);
+            decisionLog.push({
+                timestamp: new Date().toISOString(),
+                phase: 'observe',
+                decision: 'storage-state-invalid',
+                reason: `${validation.reasonCode}: ${validation.reason}`,
+                metadata: {
+                    reasonCode: validation.reasonCode,
+                    targetOrigin: targetOriginForTelemetry,
+                },
+            });
+            const invalidGap = buildStorageStateInvalidGap({
+                url: options.url,
+                reasonCode: validation.reasonCode === 'ok' ? 'unknown' : validation.reasonCode,
+                reason: validation.reason,
+            });
+            const draft = {
+                analyzedAt: new Date().toISOString(),
+                mode: 'auth-required',
+                releaseConfidence: 0,
+                coveragePagesScanned: 0,
+                coverageBudgetExceeded: false,
+                coverageWarning: 'auth-required',
+                gaps: [invalidGap],
+            };
+            const costContext = {
+                mode: 'auth-required',
+                coveragePagesScanned: 0,
+                releaseConfidence: 0,
+                gaps: [invalidGap],
+            };
+            const gapAnalysis = await finalizeGapAnalysisFromDraft(draft, options.config, artifacts, costContext);
+            const emptyAuthRoutes = RouteInventorySchema.parse({
+                scannedAt: new Date().toISOString(),
+                baseUrl: options.url,
+                routes: [],
+                pagesSkipped: 0,
+                budgetExceeded: false,
+            });
+            await act(gapAnalysis, options.config, artifacts);
+            const blockedResult = {
+                status: 'blocked',
+                coverageScore: null,
+                releaseConfidence: 0,
+                gaps: gapAnalysis.gaps,
+                gapAnalysis,
+                routeInventory: emptyAuthRoutes,
+                repoInventory: null,
+                decisionLog,
+                publicSurface: null,
+            };
+            logScanEnd(progress, blockedResult);
+            emitTelemetry(options.telemetry, 'scan.blocked', sessionId, {
+                status: blockedResult.status,
+                coverageScore: blockedResult.coverageScore,
+                releaseConfidence: blockedResult.releaseConfidence,
+                gapCount: blockedResult.gaps.length,
+                reasonCode: validation.reasonCode,
+            });
+            return blockedResult;
+        }
+    }
     let detectedAuth;
     let authWall = false;
     if (!options.config.auth && !options.skipAuthDetection) {

package/dist/cli/auth-login-run.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth-login-run.d.ts","sourceRoot":"","sources":["../../src/cli/auth-login-run.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;~~AAqB5D~~,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAEhE;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,QAAQ,CAAC;IACf,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,~~CA4GhB~~"}
1	+ {"version":3,"file":"auth-login-run.d.ts","sourceRoot":"","sources":["../../src/cli/auth-login-run.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAsB5D,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAEhE;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,QAAQ,CAAC;IACf,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAoIhB"}

package/dist/cli/auth-login-run.js CHANGED Viewed

@@ -1,4 +1,5 @@
-import { BUILT_IN_OAUTH_PROVIDERS } from '../tools/oauth-providers.js';
+import { BUILT_IN_OAUTH_PROVIDERS } from '../tools/auth/providers.js';
+import { waitForReturnToOrigin } from '../tools/auth/detect.js';
 const builtInOAuthIds = new Set(BUILT_IN_OAUTH_PROVIDERS.map((p) => p.id));
 function escapeRegExp(s) {
     return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
@@ -109,8 +110,31 @@ export async function runAutomatedAuthLogin(params) {
                 await sleep(250);
             }
         }
+        const originReturn = await waitForReturnToOrigin(page, params.baseUrlHint, params.timeoutMs);
+        if (!originReturn.returned) {
+            let targetOrigin = '<unknown>';
+            let finalOrigin = '<unknown>';
+            try {
+                targetOrigin = new URL(params.baseUrlHint).origin;
+            }
+            catch {
+                /* targetOrigin stays <unknown> */
+            }
+            try {
+                finalOrigin = new URL(originReturn.finalUrl).origin;
+            }
+            catch {
+                /* finalOrigin stays <unknown> */
+            }
+            throw new Error(`Login flow did not return to the app origin (expected ${targetOrigin}, final ${finalOrigin}). ` +
+                `Refusing to save the storage state — it would belong to the wrong domain and produce ` +
+                `false-confidence scans. Retry the login (the federated provider may need a redirect tweak) ` +
+                `or capture the session manually with \`qulib auth init --base-url ${params.baseUrlHint}\`.`);
+        }
         if (!confirmed) {
-            console.error('[qulib] Could not confirm login success. Storage state saved; verify manually before relying on it.');
+            console.error('[qulib] Could not confirm login success heuristically, but the browser ended on the app origin. ' +
+                'Storage state will be saved; verify the session before relying on it (run `qulib analyze` ' +
+                'and check that releaseConfidence is not null).');
         }
         const fs = await import('node:fs/promises');
         const pathMod = await import('node:path');

package/dist/cli/index.js CHANGED Viewed

@@ -8,8 +8,8 @@ const requirePkg = createRequire(import.meta.url);
 const pkg = requirePkg('../../package.json');
 import { HarnessConfigSchema } from '../schemas/config.schema.js';
 import { analyzeApp } from '../analyze.js';
-import { detectAuth } from '../tools/auth-detector.js';
-import { exploreAuth } from '../tools/auth-explorer.js';
+import { detectAuth } from '../tools/auth/detect.js';
+import { exploreAuth } from '../tools/auth/explore.js';
 import { assertExactlyOneCredentialSource, parseCredentialsJsonString, resolveAuthLoginConfig, } from './auth-login-resolve.js';
 import { runAutomatedAuthLogin } from './auth-login-run.js';
 const program = new Command();
@@ -33,11 +33,14 @@ function redactConfigForLog(config) {
         base.auth = {
             ...config.auth,
             credentials: {
-                username: config.auth.credentials.username,
+                username: '***',
                 password: '***',
             },
         };
     }
+    if (config.auth?.type === 'storage-state') {
+        base.auth = { type: 'storage-state', path: '<provided>' };
+    }
     return base;
 }
 function mergeAuthFromCli(config, options) {
@@ -212,7 +215,7 @@ providersCmd
     .command('list')
     .description('List user-local providers registered on this machine')
     .action(async () => {
-    const { listUserProviders } = await import('../tools/user-providers.js');
+    const { listUserProviders } = await import('../tools/auth/custom-providers.js');
     const providers = listUserProviders();
     console.log(JSON.stringify(providers, null, 2));
 });
@@ -229,7 +232,7 @@ providersCmd
     catch {
         throw new Error(`Invalid regex pattern: ${opts.pattern}`);
     }
-    const { addUserProvider } = await import('../tools/user-providers.js');
+    const { addUserProvider } = await import('../tools/auth/custom-providers.js');
     addUserProvider({ id: opts.id, label: opts.label, pattern: opts.pattern });
     console.log(`[qulib] Added provider "${opts.label}" (id: ${opts.id}) to ~/.qulib/providers.json`);
 });
@@ -238,7 +241,7 @@ providersCmd
     .description('Remove a user-local provider by id')
     .requiredOption('--id <id>', 'Provider id to remove')
     .action(async (opts) => {
-    const { removeUserProvider } = await import('../tools/user-providers.js');
+    const { removeUserProvider } = await import('../tools/auth/custom-providers.js');
     const removed = removeUserProvider(opts.id);
     console.log(removed ? `[qulib] Removed "${opts.id}"` : `[qulib] No provider with id "${opts.id}" found`);
 });

package/dist/index.d.ts CHANGED Viewed

@@ -1,9 +1,10 @@
 export { analyzeApp } from './analyze.js';
-export { detectAuth } from './tools/auth-detector.js';
-export { exploreAuth } from './tools/auth-explorer.js';
-export { addUserProvider, removeUserProvider, listUserProviders } from './tools/user-providers.js';
-export { scanRepo } from './tools/repo-scanner.js';
-export { computeAutomationMaturity } from './tools/automation-maturity.js';
+export { detectAuth, validateStorageState, evaluateStorageStateValidity, preflightStorageStateFile, waitForReturnToOrigin, } from './tools/auth/detect.js';
+export type { StorageStateInvalidReason, StorageStateValidationResult, } from './tools/auth/detect.js';
+export { exploreAuth } from './tools/auth/explore.js';
+export { addUserProvider, removeUserProvider, listUserProviders } from './tools/auth/custom-providers.js';
+export { scanRepo } from './tools/repo/scan.js';
+export { computeAutomationMaturity } from './tools/scoring/automation-maturity.js';
 export { createProvider } from './llm/provider-registry.js';
 export { resolveMaxOutputTokensPerLlmCall } from './schemas/config.schema.js';
 export { resolveScanStateBaseDir, resolveReportDir } from './harness/state-manager.js';

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,~~EAAE~~,UAAU,~~EAAE~~,MAAM,~~0BAA0B~~,CAAC;~~AACtD~~,OAAO,EAAE,WAAW,EAAE,MAAM,~~0BAA0B~~,CAAC;~~AACvD~~,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,~~2BAA2B~~,CAAC;~~AACnG~~,OAAO,EAAE,QAAQ,EAAE,MAAM,~~yBAAyB~~,CAAC;~~AACnD~~,OAAO,EAAE,yBAAyB,EAAE,MAAM,~~gCAAgC~~,CAAC;~~AAC3E~~,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,gCAAgC,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AACvF,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjF,YAAY,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,YAAY,EACV,aAAa,EACb,cAAc,EACd,kBAAkB,GACnB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAC;AAC9E,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC5D,YAAY,EACV,aAAa,EACb,UAAU,EACV,cAAc,EACd,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,QAAQ,EACR,oBAAoB,EACpB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,kBAAkB,EAClB,2BAA2B,EAC3B,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,oBAAoB,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,4BAA4B,EAC5B,yBAAyB,EACzB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,yBAAyB,EACzB,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AAC1G,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,yBAAyB,EAAE,MAAM,wCAAwC,CAAC;AACnF,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,gCAAgC,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AACvF,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjF,YAAY,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,YAAY,EACV,aAAa,EACb,cAAc,EACd,kBAAkB,GACnB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAC;AAC9E,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC5D,YAAY,EACV,aAAa,EACb,UAAU,EACV,cAAc,EACd,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,QAAQ,EACR,oBAAoB,EACpB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,kBAAkB,EAClB,2BAA2B,EAC3B,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,oBAAoB,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -1,9 +1,9 @@
 export { analyzeApp } from './analyze.js';
-export { detectAuth } from './tools/auth-detector.js';
-export { exploreAuth } from './tools/auth-explorer.js';
-export { addUserProvider, removeUserProvider, listUserProviders } from './tools/user-providers.js';
-export { scanRepo } from './tools/repo-scanner.js';
-export { computeAutomationMaturity } from './tools/automation-maturity.js';
+export { detectAuth, validateStorageState, evaluateStorageStateValidity, preflightStorageStateFile, waitForReturnToOrigin, } from './tools/auth/detect.js';
+export { exploreAuth } from './tools/auth/explore.js';
+export { addUserProvider, removeUserProvider, listUserProviders } from './tools/auth/custom-providers.js';
+export { scanRepo } from './tools/repo/scan.js';
+export { computeAutomationMaturity } from './tools/scoring/automation-maturity.js';
 export { createProvider } from './llm/provider-registry.js';
 export { resolveMaxOutputTokensPerLlmCall } from './schemas/config.schema.js';
 export { resolveScanStateBaseDir, resolveReportDir } from './harness/state-manager.js';

package/dist/phases/observe.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { RouteInventorySchema } from '../schemas/route-inventory.schema.js';
 import { RepoAnalysisSchema } from '../schemas/repo-analysis.schema.js';
-import { createExplorer } from '../tools/explorer-factory.js';
-import { scanRepo } from '../tools/repo-scanner.js';
+import { createExplorer } from '../tools/explorers/factory.js';
+import { scanRepo } from '../tools/repo/scan.js';
 import { StateManager } from '../harness/state-manager.js';
 import { logDecision } from '../harness/decision-logger.js';
 import { emitTelemetry, redactUrlForTelemetry } from '../telemetry/emit.js';

package/dist/phases/think.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { GapAnalysisSchema } from '../schemas/gap-analysis.schema.js';
-import { analyzeGaps } from '../tools/gap-engine.js';
+import { analyzeGaps } from '../tools/scoring/gaps.js';
 import { logDecision } from '../harness/decision-logger.js';
 import { finalizeGapAnalysisFromDraft } from './think-finalize.js';
 import { emitTelemetry } from '../telemetry/emit.js';

package/dist/telemetry/telemetry.interface.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-export type TelemetryEventKind = 'scan.started' | 'scan.completed' | 'scan.blocked' | 'phase.observe.started' | 'phase.observe.completed' | 'phase.think.started' | 'phase.think.completed' | 'phase.act.started' | 'phase.act.completed' | 'llm.call.started' | 'llm.call.completed' | 'llm.call.failed' | 'gap.detected' | 'auth.detected' | 'repo.scanned';
+export type TelemetryEventKind = 'scan.started' | 'scan.completed' | 'scan.blocked' | 'phase.observe.started' | 'phase.observe.completed' | 'phase.think.started' | 'phase.think.completed' | 'phase.act.started' | 'phase.act.completed' | 'llm.call.started' | 'llm.call.completed' | 'llm.call.failed' | 'gap.detected' | 'auth.detected' | 'auth.storage-state.validated' | 'repo.scanned';
 export interface TelemetryEvent {
     kind: TelemetryEventKind;
     timestamp: string;

package/dist/telemetry/telemetry.interface.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"telemetry.interface.d.ts","sourceRoot":"","sources":["../../src/telemetry/telemetry.interface.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,kBAAkB,GAC1B,cAAc,GACd,gBAAgB,GAChB,cAAc,GACd,uBAAuB,GACvB,yBAAyB,GACzB,qBAAqB,GACrB,uBAAuB,GACvB,mBAAmB,GACnB,qBAAqB,GACrB,kBAAkB,GAClB,oBAAoB,GACpB,iBAAiB,GACjB,cAAc,GACd,eAAe,GACf,cAAc,CAAC;AAEnB,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,CAAC,KAAK,EAAE,cAAc,GAAG,IAAI,CAAC;CACnC;AAED,eAAO,MAAM,iBAAiB,EAAE,aAE/B,CAAC"}
1	+ {"version":3,"file":"telemetry.interface.d.ts","sourceRoot":"","sources":["../../src/telemetry/telemetry.interface.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,kBAAkB,GAC1B,cAAc,GACd,gBAAgB,GAChB,cAAc,GACd,uBAAuB,GACvB,yBAAyB,GACzB,qBAAqB,GACrB,uBAAuB,GACvB,mBAAmB,GACnB,qBAAqB,GACrB,kBAAkB,GAClB,oBAAoB,GACpB,iBAAiB,GACjB,cAAc,GACd,eAAe,GACf,8BAA8B,GAC9B,cAAc,CAAC;AAEnB,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,CAAC,KAAK,EAAE,cAAc,GAAG,IAAI,CAAC;CACnC;AAED,eAAO,MAAM,iBAAiB,EAAE,aAE/B,CAAC"}

package/dist/tools/apply-auth.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { Browser, BrowserContext } from '@playwright/test';
+import type { AuthConfig } from '../schemas/config.schema.js';
+export declare function createAuthenticatedContext(browser: Browser, auth: AuthConfig | undefined, timeoutMs: number): Promise<BrowserContext>;
+//# sourceMappingURL=apply-auth.d.ts.map

package/dist/tools/apply-auth.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"apply-auth.d.ts","sourceRoot":"","sources":["../../src/tools/apply-auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAEhE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,UAAU,GAAG,SAAS,EAC5B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,cAAc,CAAC,CAsCzB"}

package/dist/tools/apply-auth.js ADDED Viewed

@@ -0,0 +1,35 @@
+import { resolve } from 'node:path';
+export async function createAuthenticatedContext(browser, auth, timeoutMs) {
+    if (!auth) {
+        return browser.newContext();
+    }
+    if (auth.type === 'storage-state') {
+        const storagePath = resolve(process.cwd(), auth.path);
+        return browser.newContext({ storageState: storagePath });
+    }
+    const context = await browser.newContext();
+    const page = await context.newPage();
+    try {
+        await page.goto(auth.loginUrl, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
+        await page.fill(auth.selectors.username, auth.credentials.username);
+        await page.fill(auth.selectors.password, auth.credentials.password);
+        await page.click(auth.selectors.submit);
+        const urlFragment = auth.successIndicator.urlContains;
+        if (urlFragment) {
+            await page.waitForURL((url) => url.toString().includes(urlFragment), {
+                timeout: timeoutMs,
+            });
+        }
+        const visibleSelector = auth.successIndicator.selectorVisible;
+        if (visibleSelector) {
+            await page.waitForSelector(visibleSelector, {
+                timeout: timeoutMs,
+                state: 'visible',
+            });
+        }
+    }
+    finally {
+        await page.close();
+    }
+    return context;
+}

package/dist/tools/auth/apply.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { Browser, BrowserContext } from '@playwright/test';
+import type { AuthConfig } from '../../schemas/config.schema.js';
+export declare function createAuthenticatedContext(browser: Browser, auth: AuthConfig | undefined, timeoutMs: number): Promise<BrowserContext>;
+//# sourceMappingURL=apply.d.ts.map

package/dist/tools/auth/apply.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"apply.d.ts","sourceRoot":"","sources":["../../../src/tools/auth/apply.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAEhE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAEjE,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,UAAU,GAAG,SAAS,EAC5B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,cAAc,CAAC,CAsCzB"}

package/dist/tools/auth/apply.js ADDED Viewed

@@ -0,0 +1,35 @@
+import { resolve } from 'node:path';
+export async function createAuthenticatedContext(browser, auth, timeoutMs) {
+    if (!auth) {
+        return browser.newContext();
+    }
+    if (auth.type === 'storage-state') {
+        const storagePath = resolve(process.cwd(), auth.path);
+        return browser.newContext({ storageState: storagePath });
+    }
+    const context = await browser.newContext();
+    const page = await context.newPage();
+    try {
+        await page.goto(auth.loginUrl, { timeout: timeoutMs, waitUntil: 'domcontentloaded' });
+        await page.fill(auth.selectors.username, auth.credentials.username);
+        await page.fill(auth.selectors.password, auth.credentials.password);
+        await page.click(auth.selectors.submit);
+        const urlFragment = auth.successIndicator.urlContains;
+        if (urlFragment) {
+            await page.waitForURL((url) => url.toString().includes(urlFragment), {
+                timeout: timeoutMs,
+            });
+        }
+        const visibleSelector = auth.successIndicator.selectorVisible;
+        if (visibleSelector) {
+            await page.waitForSelector(visibleSelector, {
+                timeout: timeoutMs,
+                state: 'visible',
+            });
+        }
+    }
+    finally {
+        await page.close();
+    }
+    return context;
+}

package/dist/tools/auth/block-gap.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Gap } from '../../schemas/gap-analysis.schema.js';
+import type { StorageStateInvalidReason } from './detector.js';
+export declare function buildAuthBlockGap(url: string): Gap;
+export declare function buildStorageStateInvalidGap(input: {
+    url: string;
+    reasonCode: StorageStateInvalidReason;
+    reason: string;
+}): Gap;
+//# sourceMappingURL=block-gap.d.ts.map

package/dist/tools/auth/block-gap.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"block-gap.d.ts","sourceRoot":"","sources":["../../../src/tools/auth/block-gap.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,sCAAsC,CAAC;AAChE,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,eAAe,CAAC;AAmB/D,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAYlD;AAED,wBAAgB,2BAA2B,CAAC,KAAK,EAAE;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,yBAAyB,CAAC;IACtC,MAAM,EAAE,MAAM,CAAC;CAChB,GAAG,GAAG,CAqBN"}

package/dist/tools/auth/block-gap.js ADDED Viewed

@@ -0,0 +1,52 @@
+function safeOriginAndPath(url) {
+    try {
+        const u = new URL(url);
+        return `${u.origin}${u.pathname}`;
+    }
+    catch {
+        return url;
+    }
+}
+function safeHost(url) {
+    try {
+        return new URL(url).hostname;
+    }
+    catch {
+        return url;
+    }
+}
+export function buildAuthBlockGap(url) {
+    const host = safeHost(url);
+    const safeUrl = safeOriginAndPath(url);
+    return {
+        id: 'auth-block',
+        path: '/',
+        severity: 'critical',
+        category: 'coverage',
+        reason: `Scan blocked by authentication. No authenticated pages were evaluated for ${host}.`,
+        description: 'Scan blocked by authentication. 0 authenticated pages were evaluated.',
+        recommendation: `Run \`qulib auth init --base-url ${safeUrl}\` to capture a storage state, then re-run with --auth storage-state.`,
+    };
+}
+export function buildStorageStateInvalidGap(input) {
+    const host = safeHost(input.url);
+    const safeUrl = safeOriginAndPath(input.url);
+    const recoveryByCode = {
+        'missing-file': `Storage state file was not found. Run \`qulib auth login --base-url ${safeUrl} --out <path>\` (or \`qulib auth init\`) to capture a fresh state, then re-run \`qulib analyze --url ${safeUrl} --auth-storage-state <path>\`.`,
+        'unreadable-file': `Storage state file exists but could not be read. Check file permissions, then re-run \`qulib auth login\` if needed.`,
+        'invalid-json': `Storage state file is not valid JSON. Run \`qulib auth login --base-url ${safeUrl} --out <path>\` again to regenerate it.`,
+        'wrong-origin': `Storage state belongs to a different origin than ${host}. Re-run \`qulib auth login --base-url ${safeUrl}\` against this target and pass the new file to \`qulib analyze\`.`,
+        'expired-or-unauthorized': `The session in the storage state has expired or is unauthorized. Run \`qulib auth login --base-url ${safeUrl}\` to capture a fresh state, then re-run \`qulib analyze --url ${safeUrl} --auth-storage-state <path>\`.`,
+        'no-auth-cookies': `Storage state file contains no cookies or localStorage entries — it is effectively empty. Run \`qulib auth login --base-url ${safeUrl}\` to capture a real session.`,
+        unknown: `Storage state could not be validated. Try \`qulib auth login --base-url ${safeUrl}\` again, and verify the file was saved on the same origin.`,
+    };
+    return {
+        id: 'storage-state-invalid',
+        path: '/',
+        severity: 'critical',
+        category: 'coverage',
+        reason: `Authenticated scan could not continue because the provided storage state is invalid for ${host}. Reason: ${input.reasonCode} — ${input.reason}.`,
+        description: `Storage state validation failed before crawling. The session was checked against ${host} and rejected with reason code "${input.reasonCode}".`,
+        recommendation: recoveryByCode[input.reasonCode],
+    };
+}

package/dist/tools/auth/custom-providers.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { OAuthProvider } from './providers.js';
+export interface SerializedProvider {
+    id: string;
+    label: string;
+    patterns: string[];
+}
+export declare function loadUserProviders(): OAuthProvider[];
+export declare function addUserProvider(input: {
+    id: string;
+    label: string;
+    pattern: string;
+}): void;
+export declare function removeUserProvider(id: string): boolean;
+export declare function listUserProviders(): SerializedProvider[];
+//# sourceMappingURL=custom-providers.d.ts.map

package/dist/tools/auth/custom-providers.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"custom-providers.d.ts","sourceRoot":"","sources":["../../../src/tools/auth/custom-providers.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAIpD,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,wBAAgB,iBAAiB,IAAI,aAAa,EAAE,CAOnD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAc3F;AAED,wBAAgB,kBAAkB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAStD;AAED,wBAAgB,iBAAiB,IAAI,kBAAkB,EAAE,CAExD"}

package/dist/tools/auth/custom-providers.js ADDED Viewed

@@ -0,0 +1,62 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { homedir } from 'node:os';
+const USER_PROVIDERS_PATH = join(homedir(), '.qulib', 'providers.json');
+export function loadUserProviders() {
+    const raw = loadSerialized();
+    return raw.map((p) => ({
+        id: p.id,
+        label: p.label,
+        patterns: p.patterns.map((src) => new RegExp(src, 'i')),
+    }));
+}
+export function addUserProvider(input) {
+    const existing = loadSerialized();
+    const idx = existing.findIndex((p) => p.id === input.id);
+    if (idx >= 0) {
+        const p = existing[idx];
+        if (!p.patterns.includes(input.pattern)) {
+            p.patterns.push(input.pattern);
+        }
+        p.label = input.label;
+    }
+    else {
+        existing.push({ id: input.id, label: input.label, patterns: [input.pattern] });
+    }
+    ensureDir();
+    writeFileSync(USER_PROVIDERS_PATH, JSON.stringify(existing, null, 2), 'utf-8');
+}
+export function removeUserProvider(id) {
+    const existing = loadSerialized();
+    const filtered = existing.filter((p) => p.id !== id);
+    if (filtered.length === existing.length) {
+        return false;
+    }
+    ensureDir();
+    writeFileSync(USER_PROVIDERS_PATH, JSON.stringify(filtered, null, 2), 'utf-8');
+    return true;
+}
+export function listUserProviders() {
+    return loadSerialized();
+}
+function loadSerialized() {
+    if (!existsSync(USER_PROVIDERS_PATH)) {
+        return [];
+    }
+    try {
+        const parsed = JSON.parse(readFileSync(USER_PROVIDERS_PATH, 'utf-8'));
+        if (!Array.isArray(parsed)) {
+            return [];
+        }
+        return parsed;
+    }
+    catch {
+        return [];
+    }
+}
+function ensureDir() {
+    const dir = dirname(USER_PROVIDERS_PATH);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+}

package/dist/tools/auth/detect.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import type { Page } from '@playwright/test';
+import type { DetectedAuth } from '../../schemas/config.schema.js';
+import type { AnalyzeProgressSink } from '../../harness/progress-log.js';
+export type StorageStateInvalidReason = 'missing-file' | 'unreadable-file' | 'invalid-json' | 'wrong-origin' | 'expired-or-unauthorized' | 'no-auth-cookies' | 'unknown';
+export interface StorageStateValidationResult {
+    valid: boolean;
+    reasonCode: StorageStateInvalidReason | 'ok';
+    reason: string;
+}
+export declare function evaluateStorageStateValidity(signals: {
+    expectedOrigin: string;
+    finalUrl: string;
+    visiblePasswordCount: number;
+    hadUnauthorizedHttp: boolean;
+}): StorageStateValidationResult;
+export declare function preflightStorageStateFile(storagePath: string): Promise<StorageStateValidationResult | null>;
+export declare function waitForReturnToOrigin(page: Page, baseUrl: string, timeoutMs?: number): Promise<{
+    returned: boolean;
+    finalUrl: string;
+}>;
+export declare function validateStorageState(url: string, storagePath: string, timeoutMs?: number): Promise<StorageStateValidationResult>;
+export declare function detectAuth(url: string, timeoutMs?: number, progress?: AnalyzeProgressSink): Promise<DetectedAuth>;
+//# sourceMappingURL=detect.d.ts.map

package/dist/tools/auth/detect.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"detect.d.ts","sourceRoot":"","sources":["../../../src/tools/auth/detect.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,KAAK,EAAY,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAIzE,MAAM,MAAM,yBAAyB,GACjC,cAAc,GACd,iBAAiB,GACjB,cAAc,GACd,cAAc,GACd,yBAAyB,GACzB,iBAAiB,GACjB,SAAS,CAAC;AAEd,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,EAAE,yBAAyB,GAAG,IAAI,CAAC;IAC7C,MAAM,EAAE,MAAM,CAAC;CAChB;AAsQD,wBAAgB,4BAA4B,CAAC,OAAO,EAAE;IACpD,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,mBAAmB,EAAE,OAAO,CAAC;CAC9B,GAAG,4BAA4B,CA6B/B;AAOD,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,4BAA4B,GAAG,IAAI,CAAC,CAgD9C;AAED,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,MAAM,EACf,SAAS,SAAQ,GAChB,OAAO,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAelD;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,WAAW,EAAE,MAAM,EACnB,SAAS,SAAQ,GAChB,OAAO,CAAC,4BAA4B,CAAC,CAyDvC;AAED,wBAAsB,UAAU,CAC9B,GAAG,EAAE,MAAM,EACX,SAAS,SAAQ,EACjB,QAAQ,CAAC,EAAE,mBAAmB,GAC7B,OAAO,CAAC,YAAY,CAAC,CAqJvB"}