@qulib/core 0.7.0 → 0.9.0

package/dist/tools/scoring/automation-maturity.js

@@ -1,16 +1,29 @@
 import { existsSync, readdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
 import { AutomationMaturitySchema } from '../../schemas/automation-maturity.schema.js';
+import { REBALANCED_WEIGHTS } from './api-coverage.js';
 /**
- * Dimension weights (sum = 1). Breadth + harness adoption dominate: shipping risk is mostly
- * untested routes and missing Playwright/Cypress-level coverage.
+ * Dimension weights (sum = 1).
+ *
+ * When apiSurface is NOT provided (backward-compat path), the original 6 dimensions
+ * continue to use the original weights (sum = 1.0). When apiSurface IS provided, the
+ * rebalanced weights from api-coverage.ts are used and the 7th dimension is added.
+ *
+ * Original weights (no API surface):
+ *   test-coverage-breadth  0.28, framework-adoption 0.22, test-id-hygiene 0.18,
+ *   ci-integration 0.14, auth-test-coverage 0.10, component-test-ratio 0.08
+ *
+ * Rebalanced weights (with API surface, sum still = 1.0 across all 7):
+ *   test-coverage-breadth  0.24, framework-adoption 0.19, test-id-hygiene 0.15,
+ *   ci-integration 0.12, auth-test-coverage 0.09, component-test-ratio 0.06,
+ *   api-test-coverage 0.15
  */
-const W_TEST_BREADTH = 0.28;
-const W_FRAMEWORK = 0.22;
-const W_TEST_ID = 0.18;
-const W_CI = 0.14;
-const W_AUTH_TESTS = 0.1;
-const W_COMPONENT_RATIO = 0.08;
+const W_TEST_BREADTH_ORIGINAL = 0.28;
+const W_FRAMEWORK_ORIGINAL = 0.22;
+const W_TEST_ID_ORIGINAL = 0.18;
+const W_CI_ORIGINAL = 0.14;
+const W_AUTH_TESTS_ORIGINAL = 0.1;
+const W_COMPONENT_RATIO_ORIGINAL = 0.08;
 function hasCiAtRoot(repoPath) {
     const ev = [];
     const gh = join(repoPath, '.github', 'workflows');
@@ -49,7 +62,24 @@ function scoreLevel(overall) {
         return { level: 4, label: 'L4 — strong automation' };
     return { level: 5, label: 'L5 — advanced QA automation' };
 }
-export function computeAutomationMaturity(repo) {
+/**
+ * Compute automation maturity for a repo.
+ *
+ * @param repo - The scanned repo analysis.
+ * @param apiCoverageResult - Optional pre-computed API coverage result. When absent the
+ *   6 original dimensions are scored with the original weights (backward-compatible).
+ *   When provided, a 7th dimension (`api-test-coverage`) is added and weights are
+ *   rebalanced so the total still sums to 1.0 across applicable dimensions.
+ */
+export function computeAutomationMaturity(repo, apiCoverageResult) {
+    // Choose weights based on whether we have an API surface result
+    const hasApiDim = apiCoverageResult !== undefined;
+    const W_TEST_BREADTH = hasApiDim ? REBALANCED_WEIGHTS.TEST_BREADTH : W_TEST_BREADTH_ORIGINAL;
+    const W_FRAMEWORK = hasApiDim ? REBALANCED_WEIGHTS.FRAMEWORK : W_FRAMEWORK_ORIGINAL;
+    const W_TEST_ID = hasApiDim ? REBALANCED_WEIGHTS.TEST_ID : W_TEST_ID_ORIGINAL;
+    const W_CI = hasApiDim ? REBALANCED_WEIGHTS.CI : W_CI_ORIGINAL;
+    const W_AUTH_TESTS = hasApiDim ? REBALANCED_WEIGHTS.AUTH_TESTS : W_AUTH_TESTS_ORIGINAL;
+    const W_COMPONENT_RATIO = hasApiDim ? REBALANCED_WEIGHTS.COMPONENT_RATIO : W_COMPONENT_RATIO_ORIGINAL;
     const routePaths = [...new Set(repo.routes.map((r) => r.path))];
     let coveredRoutes = 0;
     for (const p of routePaths) {
@@ -204,6 +234,10 @@ export function computeAutomationMaturity(repo) {
         ...(compGuidance && { guidance: compGuidance }),
     };
     const dimensions = [breadthDim, frameworkDim, hygieneDim, ciDim, authDim, compDim];
+    // Append api-test-coverage dimension when an API surface result was provided
+    if (apiCoverageResult) {
+        dimensions.push(apiCoverageResult.dimension);
+    }
     // Overall score normalizes over applicable dimensions only.
     // overallScore = round( Σ score_i * weight_i / Σ weight_i ) for i ∈ applicable.
     // If no dimension is applicable (degenerate repo), overall = 0 and level = L1.

package/dist/tools/scoring/confidence-from-qulib.d.ts

@@ -0,0 +1,34 @@
+/**
+ * qulib-native adapter — maps qulib collector outputs to EvidenceItem[].
+ *
+ * P3 — qulib Confidence Layer v1.
+ *
+ * This is the THIN WIRING layer, not the pure scorer. It translates:
+ *   AnalyzeResult   → live-app-quality + accessibility + crawl-coverage EvidenceItems
+ *   AutomationMaturity → test-automation EvidenceItem
+ *   ApiCoverageResult  → api-coverage EvidenceItem
+ *
+ * Honesty rules (mirrors agent-summary.ts and the spec §2.5):
+ * - auth-required scan → applicability='unknown' (never silent pass)
+ * - blocked scan       → blocking=true (hard blocker)
+ * - low-coverage       → crawl-coverage applicability='unknown'
+ * - 0-endpoint API     → api-coverage carries its own not_applicable (passed through verbatim)
+ *
+ * Pure function: no I/O.
+ */
+import type { AnalyzeResult } from '../../analyze.js';
+import type { AutomationMaturity } from '../../schemas/automation-maturity.schema.js';
+import type { ApiCoverageResult } from './api-coverage.js';
+import type { ConfidenceInput, ConfidenceSubject } from '../../schemas/confidence.schema.js';
+/**
+ * Build a ConfidenceInput from qulib's own collector outputs.
+ * Pass whichever collectors you have; omitted collectors produce no evidence item.
+ */
+export declare function buildConfidenceInputFromQulib(args: {
+    analyze?: AnalyzeResult;
+    maturity?: AutomationMaturity;
+    apiCoverage?: ApiCoverageResult;
+    subject: ConfidenceSubject;
+    policy?: ConfidenceInput['policy'];
+}): ConfidenceInput;
+//# sourceMappingURL=confidence-from-qulib.d.ts.map

package/dist/tools/scoring/confidence-from-qulib.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"confidence-from-qulib.d.ts","sourceRoot":"","sources":["../../../src/tools/scoring/confidence-from-qulib.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,6CAA6C,CAAC;AACtF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAEV,eAAe,EACf,iBAAiB,EAClB,MAAM,oCAAoC,CAAC;AAS5C;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,IAAI,EAAE;IAClD,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,QAAQ,CAAC,EAAE,kBAAkB,CAAC;IAC9B,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,OAAO,EAAE,iBAAiB,CAAC;IAC3B,MAAM,CAAC,EAAE,eAAe,CAAC,QAAQ,CAAC,CAAC;CACpC,GAAG,eAAe,CAgMlB"}

package/dist/tools/scoring/confidence-from-qulib.js

@@ -0,0 +1,206 @@
+/**
+ * qulib-native adapter — maps qulib collector outputs to EvidenceItem[].
+ *
+ * P3 — qulib Confidence Layer v1.
+ *
+ * This is the THIN WIRING layer, not the pure scorer. It translates:
+ *   AnalyzeResult   → live-app-quality + accessibility + crawl-coverage EvidenceItems
+ *   AutomationMaturity → test-automation EvidenceItem
+ *   ApiCoverageResult  → api-coverage EvidenceItem
+ *
+ * Honesty rules (mirrors agent-summary.ts and the spec §2.5):
+ * - auth-required scan → applicability='unknown' (never silent pass)
+ * - blocked scan       → blocking=true (hard blocker)
+ * - low-coverage       → crawl-coverage applicability='unknown'
+ * - 0-endpoint API     → api-coverage carries its own not_applicable (passed through verbatim)
+ *
+ * Pure function: no I/O.
+ */
+// Default weights for the qulib-native sources (match confidence.ts DEFAULT_WEIGHTS).
+const W_LIVE_APP = 0.30;
+const W_TEST_AUTOMATION = 0.22;
+const W_API_COVERAGE = 0.15;
+const W_ACCESSIBILITY = 0.13;
+const W_CRAWL_COVERAGE = 0.10;
+/**
+ * Build a ConfidenceInput from qulib's own collector outputs.
+ * Pass whichever collectors you have; omitted collectors produce no evidence item.
+ */
+export function buildConfidenceInputFromQulib(args) {
+    const items = [];
+    const now = new Date().toISOString();
+    // ------------------------------------------------------------------
+    // AnalyzeResult → live-app-quality + accessibility + crawl-coverage
+    // ------------------------------------------------------------------
+    if (args.analyze) {
+        const r = args.analyze;
+        const g = r.gapAnalysis;
+        // Determine if auth-required (honest: never silently pass).
+        const authRequired = g.mode === 'auth-required' || g.coverageWarning === 'auth-required';
+        const isBlocked = r.status === 'blocked';
+        // --- live-app-quality ---
+        const appRecs = [];
+        if (authRequired) {
+            appRecs.push('Provide auth credentials (form login or storage state) and re-run to evaluate the protected surface.');
+        }
+        const criticalGaps = r.gaps.filter((gap) => gap.severity === 'critical');
+        const highGaps = r.gaps.filter((gap) => gap.severity === 'high');
+        if (criticalGaps.length > 0) {
+            appRecs.push(`Fix ${criticalGaps.length} critical gap(s) before shipping.`);
+        }
+        else if (highGaps.length > 0) {
+            appRecs.push(`Address ${highGaps.length} high-severity gap(s).`);
+        }
+        const appEvidence = [];
+        if (isBlocked) {
+            appEvidence.push('Scan was blocked before producing a meaningful evaluation.');
+        }
+        else if (authRequired) {
+            appEvidence.push('Auth wall prevented scanning the protected surface.');
+        }
+        else {
+            appEvidence.push(`releaseConfidence=${r.releaseConfidence ?? 'null'}, status=${r.status}, gaps=${r.gaps.length}`);
+            if (criticalGaps.length > 0) {
+                appEvidence.push(`Critical gaps: ${criticalGaps.map((g2) => g2.path).join(', ')}`);
+            }
+        }
+        const liveAppItem = {
+            source: 'live-app-quality',
+            score: isBlocked ? null : (authRequired ? null : (r.releaseConfidence ?? null)),
+            weight: W_LIVE_APP,
+            applicability: authRequired ? 'unknown' : 'applicable',
+            blocking: isBlocked || criticalGaps.length > 0,
+            evidence: appEvidence,
+            recommendations: appRecs,
+            reason: authRequired
+                ? 'Auth wall prevented scanning — confidence score would be dishonest without the protected surface.'
+                : isBlocked
+                    ? 'Scan was blocked; no evaluable surface.'
+                    : undefined,
+            collectedAt: g.analyzedAt,
+            collector: {
+                tool: 'analyze_app',
+                inputRef: undefined,
+            },
+        };
+        items.push(liveAppItem);
+        // --- accessibility ---
+        const a11yGaps = r.gaps.filter((gap) => gap.category === 'a11y');
+        const a11yPenalty = a11yGaps.reduce((acc, gap) => {
+            const penalties = { critical: 30, high: 20, medium: 10, low: 5 };
+            return acc + (penalties[gap.severity] ?? 5);
+        }, 0);
+        const a11yScore = !isBlocked && !authRequired
+            ? Math.max(0, 100 - a11yPenalty)
+            : null;
+        const a11yItem = {
+            source: 'accessibility',
+            score: a11yScore,
+            weight: W_ACCESSIBILITY,
+            applicability: authRequired ? 'unknown' : 'applicable',
+            blocking: false,
+            evidence: isBlocked || authRequired
+                ? ['Accessibility could not be evaluated (scan blocked or auth-required).']
+                : a11yGaps.length === 0
+                    ? ['No a11y gaps detected.']
+                    : [`${a11yGaps.length} a11y gap(s) — penalty ${a11yPenalty} pts.`],
+            recommendations: a11yGaps.length > 0
+                ? ['Fix a11y violations flagged by the qulib scan (see gaps[].category=\'a11y\').']
+                : [],
+            reason: authRequired
+                ? 'Auth wall prevented a11y evaluation.'
+                : isBlocked
+                    ? 'Scan blocked; no a11y signal.'
+                    : undefined,
+            collectedAt: g.analyzedAt,
+            collector: {
+                tool: 'analyze_app',
+                inputRef: undefined,
+            },
+        };
+        items.push(a11yItem);
+        // --- crawl-coverage ---
+        const lowCoverage = g.coverageWarning === 'low-coverage';
+        const crawlScore = !isBlocked && !authRequired
+            ? (r.coverageScore ?? null)
+            : null;
+        const crawlItem = {
+            source: 'crawl-coverage',
+            score: crawlScore,
+            weight: W_CRAWL_COVERAGE,
+            applicability: authRequired || lowCoverage ? 'unknown' : 'applicable',
+            blocking: false,
+            evidence: [
+                `coverageScore=${r.coverageScore ?? 'null'}, pagesScanned=${g.coveragePagesScanned}`,
+                ...(g.coverageWarning ? [`coverageWarning: ${g.coverageWarning}`] : []),
+            ],
+            recommendations: lowCoverage
+                ? ['Increase crawl budget or supply deeper entry URLs to raise coverage above the floor.']
+                : [],
+            reason: authRequired
+                ? 'Auth-required scan; coverage limited to pre-auth pages.'
+                : lowCoverage
+                    ? 'Coverage was below the confidence floor; treating as unknown signal.'
+                    : undefined,
+            collectedAt: g.analyzedAt,
+            collector: {
+                tool: 'analyze_app',
+                inputRef: undefined,
+            },
+        };
+        items.push(crawlItem);
+    }
+    // ------------------------------------------------------------------
+    // AutomationMaturity → test-automation
+    // ------------------------------------------------------------------
+    if (args.maturity) {
+        const m = args.maturity;
+        const maturityItem = {
+            source: 'test-automation',
+            score: m.overallScore,
+            weight: W_TEST_AUTOMATION,
+            applicability: 'applicable',
+            blocking: false,
+            evidence: [`Automation maturity: ${m.label} (score ${m.overallScore})`],
+            recommendations: m.topRecommendations.slice(0, 3),
+            collectedAt: m.computedAt,
+            collector: {
+                tool: 'qulib_score_automation',
+                inputRef: m.repoPath,
+            },
+        };
+        items.push(maturityItem);
+    }
+    // ------------------------------------------------------------------
+    // ApiCoverageResult → api-coverage
+    // ------------------------------------------------------------------
+    if (args.apiCoverage) {
+        const d = args.apiCoverage.dimension;
+        const apiApplicability = d.applicability === 'not_applicable'
+            ? 'not_applicable'
+            : d.applicability === 'unknown'
+                ? 'unknown'
+                : 'applicable';
+        const apiItem = {
+            source: 'api-coverage',
+            score: d.score,
+            weight: W_API_COVERAGE,
+            applicability: apiApplicability,
+            blocking: false,
+            evidence: d.evidence,
+            recommendations: d.recommendations,
+            reason: d.reason,
+            collectedAt: new Date().toISOString(),
+            collector: {
+                tool: 'qulib_score_api',
+                inputRef: undefined,
+            },
+        };
+        items.push(apiItem);
+    }
+    return {
+        subject: args.subject,
+        evidence: items,
+        policy: args.policy,
+    };
+}

package/dist/tools/scoring/confidence-views.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Pure view projections for the qulib Confidence Layer (Views 2–5).
+ *
+ * P3 — qulib Confidence Layer v1.
+ *
+ * All functions are pure (no I/O). Persistence sinks (file/db) are deferred to P4.
+ * View 1 (Release Confidence) IS the ReleaseConfidence object from the scorer.
+ *
+ * View 2 — diffConfidence: build a DeliveryTrafficPoint from two consecutive verdicts.
+ * View 3 — deriveInbox: extract human-judgment items from a verdict.
+ * View 4 — buildReplay: construct the provenance trace from input + result.
+ * View 5 — toAuditEntry: serialize a verdict to a tamper-evident audit record.
+ */
+import type { ReleaseConfidence, ConfidenceInput } from '../../schemas/confidence.schema.js';
+import type { DeliveryTrafficPoint, InboxItem, ReplayTrace, AuditEntry } from '../../schemas/views.schema.js';
+/**
+ * Build a DeliveryTrafficPoint from the current verdict and an optional prior verdict.
+ * deltaFromPrev is null when there is no prior point.
+ */
+export declare function diffConfidence(current: ReleaseConfidence, prior: ReleaseConfidence | null): DeliveryTrafficPoint;
+/**
+ * Derive human-judgment inbox items from a verdict.
+ * Raises items for:
+ *   - every blocking evidence item
+ *   - every 'unknown' contribution on a requiredSource (when policy provides them)
+ *   - 'block' verdict with a null score (nothing evaluable)
+ */
+export declare function deriveInbox(rc: ReleaseConfidence, input: ConfidenceInput): InboxItem[];
+/**
+ * Build the provenance trace from the scorer input + result.
+ * Steps are ordered by their appearance in the input evidence array,
+ * with all provenance fields carried from EvidenceItem.collector.
+ */
+export declare function buildReplay(input: ConfidenceInput, rc: ReleaseConfidence): ReplayTrace;
+/**
+ * Serialize a verdict to a tamper-evident audit record.
+ * recordHash is SHA-256 over the canonical record — changes when any field changes.
+ */
+export declare function toAuditEntry(rc: ReleaseConfidence, evidenceSourceCount: number): AuditEntry;
+//# sourceMappingURL=confidence-views.d.ts.map

package/dist/tools/scoring/confidence-views.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"confidence-views.d.ts","sourceRoot":"","sources":["../../../src/tools/scoring/confidence-views.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAC7F,OAAO,KAAK,EACV,oBAAoB,EACpB,SAAS,EACT,WAAW,EACX,UAAU,EACX,MAAM,+BAA+B,CAAC;AAYvC;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,iBAAiB,EAC1B,KAAK,EAAE,iBAAiB,GAAG,IAAI,GAC9B,oBAAoB,CAgBtB;AAMD;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,EAAE,EAAE,iBAAiB,EACrB,KAAK,EAAE,eAAe,GACrB,SAAS,EAAE,CAwDb;AAMD;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,GAAG,WAAW,CAsBtF;AA0BD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,EAAE,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,GAAG,UAAU,CAe3F"}

package/dist/tools/scoring/confidence-views.js

@@ -0,0 +1,163 @@
+/**
+ * Pure view projections for the qulib Confidence Layer (Views 2–5).
+ *
+ * P3 — qulib Confidence Layer v1.
+ *
+ * All functions are pure (no I/O). Persistence sinks (file/db) are deferred to P4.
+ * View 1 (Release Confidence) IS the ReleaseConfidence object from the scorer.
+ *
+ * View 2 — diffConfidence: build a DeliveryTrafficPoint from two consecutive verdicts.
+ * View 3 — deriveInbox: extract human-judgment items from a verdict.
+ * View 4 — buildReplay: construct the provenance trace from input + result.
+ * View 5 — toAuditEntry: serialize a verdict to a tamper-evident audit record.
+ */
+import { createHash } from 'node:crypto';
+import { randomUUID } from 'node:crypto';
+import { DeliveryTrafficPointSchema, InboxItemSchema, ReplayTraceSchema, AuditEntrySchema, } from '../../schemas/views.schema.js';
+// ---------------------------------------------------------------------------
+// View 2 — Delivery Traffic
+// ---------------------------------------------------------------------------
+/**
+ * Build a DeliveryTrafficPoint from the current verdict and an optional prior verdict.
+ * deltaFromPrev is null when there is no prior point.
+ */
+export function diffConfidence(current, prior) {
+    const delta = prior !== null &&
+        current.confidenceScore !== null &&
+        prior.confidenceScore !== null
+        ? current.confidenceScore - prior.confidenceScore
+        : null;
+    return DeliveryTrafficPointSchema.parse({
+        subjectRef: current.subject.ref,
+        tenantId: current.subject.tenantId,
+        computedAt: current.computedAt,
+        confidenceScore: current.confidenceScore,
+        verdict: current.verdict,
+        deltaFromPrev: delta,
+    });
+}
+// ---------------------------------------------------------------------------
+// View 3 — Inbox
+// ---------------------------------------------------------------------------
+/**
+ * Derive human-judgment inbox items from a verdict.
+ * Raises items for:
+ *   - every blocking evidence item
+ *   - every 'unknown' contribution on a requiredSource (when policy provides them)
+ *   - 'block' verdict with a null score (nothing evaluable)
+ */
+export function deriveInbox(rc, input) {
+    const items = [];
+    const now = rc.computedAt;
+    const requiredSources = input.policy?.requiredSources ?? [];
+    for (const evidence of input.evidence) {
+        if (evidence.blocking) {
+            items.push(InboxItemSchema.parse({
+                id: randomUUID(),
+                subjectRef: rc.subject.ref,
+                tenantId: rc.subject.tenantId,
+                kind: 'blocker',
+                source: evidence.source,
+                summary: evidence.reason
+                    ? `${evidence.source}: ${evidence.reason}`
+                    : `${evidence.source} is a hard blocker.`,
+                raisedAt: now,
+            }));
+        }
+        else if ((evidence.applicability ?? 'applicable') === 'unknown' &&
+            requiredSources.includes(evidence.source)) {
+            items.push(InboxItemSchema.parse({
+                id: randomUUID(),
+                subjectRef: rc.subject.ref,
+                tenantId: rc.subject.tenantId,
+                kind: 'unknown-signal',
+                source: evidence.source,
+                summary: evidence.reason
+                    ? `${evidence.source}: ${evidence.reason}`
+                    : `${evidence.source} could not produce a reliable score and is a required source.`,
+                raisedAt: now,
+            }));
+        }
+    }
+    // Raise an inbox item if verdict=block with null score (nothing evaluable).
+    if (rc.verdict === 'block' && rc.confidenceScore === null && input.evidence.every((e) => !e.blocking)) {
+        items.push(InboxItemSchema.parse({
+            id: randomUUID(),
+            subjectRef: rc.subject.ref,
+            tenantId: rc.subject.tenantId,
+            kind: 'approval-needed',
+            source: 'human-approval',
+            summary: 'No applicable evidence produced a score — manual review required before shipping.',
+            raisedAt: now,
+        }));
+    }
+    return items;
+}
+// ---------------------------------------------------------------------------
+// View 4 — Replay
+// ---------------------------------------------------------------------------
+/**
+ * Build the provenance trace from the scorer input + result.
+ * Steps are ordered by their appearance in the input evidence array,
+ * with all provenance fields carried from EvidenceItem.collector.
+ */
+export function buildReplay(input, rc) {
+    const steps = input.evidence.map((item, idx) => {
+        const contribution = rc.contributions[idx];
+        return {
+            source: item.source,
+            tool: item.collector.tool,
+            inputRef: item.collector.inputRef,
+            score: item.score,
+            weight: contribution?.weight ?? item.weight,
+            effectiveWeight: contribution?.effectiveWeight ?? 0,
+            durationMs: item.collector.durationMs,
+            cost: item.collector.cost,
+        };
+    });
+    return ReplayTraceSchema.parse({
+        subjectRef: rc.subject.ref,
+        computedAt: rc.computedAt,
+        steps,
+        formula: rc.scoreFormula,
+        finalVerdict: rc.verdict,
+    });
+}
+// ---------------------------------------------------------------------------
+// View 5 — Audit Trail
+// ---------------------------------------------------------------------------
+/**
+ * Canonical audit record shape for hashing.
+ * Fields are sorted so the hash is deterministic regardless of insertion order.
+ */
+function canonicalRecord(rc, evidenceSourceCount) {
+    return JSON.stringify({
+        blockers: [...rc.blockers].sort(),
+        computedAt: rc.computedAt,
+        confidenceScore: rc.confidenceScore,
+        evidenceSourceCount,
+        schemaVersion: 1,
+        subjectRef: rc.subject.ref,
+        tenantId: rc.subject.tenantId,
+        verdict: rc.verdict,
+    });
+}
+/**
+ * Serialize a verdict to a tamper-evident audit record.
+ * recordHash is SHA-256 over the canonical record — changes when any field changes.
+ */
+export function toAuditEntry(rc, evidenceSourceCount) {
+    const canonical = canonicalRecord(rc, evidenceSourceCount);
+    const recordHash = createHash('sha256').update(canonical).digest('hex');
+    return AuditEntrySchema.parse({
+        tenantId: rc.subject.tenantId,
+        subjectRef: rc.subject.ref,
+        computedAt: rc.computedAt,
+        confidenceScore: rc.confidenceScore,
+        verdict: rc.verdict,
+        evidenceSourceCount,
+        blockers: rc.blockers,
+        schemaVersion: 1,
+        recordHash,
+    });
+}

package/dist/tools/scoring/confidence.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Release Confidence Aggregator — pure scorer.
+ *
+ * P3 — qulib Confidence Layer v1.
+ *
+ * Pure function: no I/O, no side effects. All I/O (CLI, MCP) lives in the wiring layer.
+ * Algorithm mirrors computeAutomationMaturity's denominator-renormalization math, generalized
+ * to operate over a heterogeneous evidence bundle.
+ *
+ * Score formula:
+ *   confidenceScore = round( Σ score_i * weight_i / Σ weight_i )
+ *   where i ∈ { applicable items with score !== null }
+ *
+ * Excluded from denominator: not_applicable | unknown | score === null items.
+ * Each excluded item is reported in contributions + narrated in honestyNotes.
+ *
+ * Verdict ladder (mirrors agent-summary.ts deriveGate, lifted to fused score):
+ *   any blocking item              → block
+ *   confidenceScore === null       → block  (nothing evaluable; honesty floor)
+ *   confidenceScore < failThreshold → hold
+ *   unknown on a requiredSource OR
+ *   confidenceScore < passThreshold → caution
+ *   else                           → ship
+ */
+import type { ConfidenceInput, ReleaseConfidence } from '../../schemas/confidence.schema.js';
+/**
+ * Compute the fused Release Confidence result from an evidence bundle.
+ *
+ * Pure function — deterministic over the same input.
+ */
+export declare function computeReleaseConfidence(input: ConfidenceInput): ReleaseConfidence;
+//# sourceMappingURL=confidence.d.ts.map

package/dist/tools/scoring/confidence.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"confidence.d.ts","sourceRoot":"","sources":["../../../src/tools/scoring/confidence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EACV,eAAe,EAGf,iBAAiB,EAElB,MAAM,oCAAoC,CAAC;AAiE5C;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,eAAe,GAAG,iBAAiB,CA8HlF"}