@qulib/core 0.7.0 → 0.9.0

package/dist/index.d.ts

@@ -1,4 +1,6 @@
 export { analyzeApp } from './analyze.js';
+export { slugifyUrl, defaultBaselineRoot, saveBaseline, loadBaseline, listBaselines, deleteBaseline, compareBaselines, } from './baseline/baseline.js';
+export type { BaselineGap, BaselineSnapshot, BaselineDeltaItem, BaselineDelta, } from './baseline/baseline.schema.js';
 export { toAgentSummary } from './agent-summary.js';
 export type { AgentSummary, AgentSummaryPolicy, AgentGate, CoverageStatus, AgentSummaryCostSummary, } from './agent-summary.js';
 export { detectAuth, validateStorageState, evaluateStorageStateValidity, preflightStorageStateFile, waitForReturnToOrigin, } from './tools/auth/detect.js';
@@ -6,9 +8,14 @@ export type { StorageStateInvalidReason, StorageStateValidationResult, } from '.
 export { exploreAuth } from './tools/auth/explore.js';
 export { addUserProvider, removeUserProvider, listUserProviders } from './tools/auth/custom-providers.js';
 export { scanRepo } from './tools/repo/scan.js';
+export { discoverApiSurface, discoverApiSurfaceWithRepo } from './tools/repo/api-surface.js';
+export type { ApiSurface, DiscoveredEndpoint, DiscoverApiSurfaceOptions } from './tools/repo/api-surface.js';
 export { computeAutomationMaturity } from './tools/scoring/automation-maturity.js';
+export { computeApiCoverage } from './tools/scoring/api-coverage.js';
+export type { ApiCoverageResult, ApiEndpointCoverage } from './tools/scoring/api-coverage.js';
 export { scaffoldTests } from './scaffold-tests.js';
 export type { ScaffoldOptions, ScaffoldResult, ProjectConfig } from './scaffold-tests.js';
+export { expandRecipes, buildAuthScenarios, buildA11yScenarios, buildNavScenarios, buildSeedScenarios } from './recipes/index.js';
 export { createProvider } from './llm/provider-registry.js';
 export { resolveMaxOutputTokensPerLlmCall } from './schemas/config.schema.js';
 export { resolveScanStateBaseDir, resolveReportDir } from './harness/state-manager.js';
@@ -19,5 +26,15 @@ export { NoopTelemetrySink } from './telemetry/telemetry.interface.js';
 export { redactUrlForTelemetry } from './telemetry/emit.js';
 export type { LlmCallResult, LlmProvider } from './llm/provider.interface.js';
 export type { CallLlmConfigSlice } from './llm/provider.js';
-export type { HarnessConfig, AuthConfig, RouteInventory, GapAnalysis, RepoAnalysis, DetectedAuth, AuthExploration, AuthPath, AuthPathRequirements, CostIntelligence, LlmUsageRecord, RepeatedAiPattern, DeterministicMaturity, PublicSurface, AutomationMaturity, AutomationMaturityDimension, FrameworkDetectionResult, DetectedFrameworkPrimary, } from './schemas/index.js';
+export type { HarnessConfig, AuthConfig, RouteInventory, GapAnalysis, RepoAnalysis, DetectedAuth, AuthExploration, AuthPath, AuthPathRequirements, CostIntelligence, LlmUsageRecord, RepeatedAiPattern, DeterministicMaturity, PublicSurface, AutomationMaturity, AutomationMaturityDimension, FrameworkDetectionResult, DetectedFrameworkPrimary, RecipeId, RecipeConfig, } from './schemas/index.js';
+export { RecipeIdSchema } from './schemas/index.js';
+export { computeReleaseConfidence } from './tools/scoring/confidence.js';
+export { ciResultsToEvidence } from './adapters/ci-results-adapter.js';
+export type { CiRunInput } from './adapters/ci-results-adapter.js';
+export { prMetadataToEvidence } from './adapters/pr-metadata-adapter.js';
+export type { PrMetadataInput, StatusCheck, ReviewDecision, MergeableState } from './adapters/pr-metadata-adapter.js';
+export { buildConfidenceInputFromQulib } from './tools/scoring/confidence-from-qulib.js';
+export { diffConfidence, deriveInbox, buildReplay, toAuditEntry } from './tools/scoring/confidence-views.js';
+export type { EvidenceSourceKind, EvidenceItem, ConfidenceSubject, ConfidenceInput, ConfidencePolicy, ConfidenceVerdict, ConfidenceContribution, ReleaseConfidence, DeliveryTrafficPoint, InboxItem, InboxItemKind, ReplayStep, ReplayTrace, AuditEntry, } from './schemas/index.js';
+export { EvidenceSourceKindSchema, EvidenceItemSchema, ConfidenceSubjectSchema, ConfidenceInputSchema, ConfidencePolicySchema, ConfidenceVerdictSchema, ReleaseConfidenceSchema, } from './schemas/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,YAAY,EACV,YAAY,EACZ,kBAAkB,EAClB,SAAS,EACT,cAAc,EACd,uBAAuB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,4BAA4B,EAC5B,yBAAyB,EACzB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,yBAAyB,EACzB,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AAC1G,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,yBAAyB,EAAE,MAAM,wCAAwC,CAAC;AACnF,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAC1F,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,gCAAgC,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AACvF,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjF,YAAY,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,YAAY,EACV,aAAa,EACb,cAAc,EACd,kBAAkB,GACnB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAC;AAC9E,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC5D,YAAY,EACV,aAAa,EACb,UAAU,EACV,cAAc,EACd,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,QAAQ,EACR,oBAAoB,EACpB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,kBAAkB,EAClB,2BAA2B,EAC3B,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,cAAc,EACd,gBAAgB,GACjB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,WAAW,EACX,gBAAgB,EAChB,iBAAiB,EACjB,aAAa,GACd,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,YAAY,EACV,YAAY,EACZ,kBAAkB,EAClB,SAAS,EACT,cAAc,EACd,uBAAuB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,4BAA4B,EAC5B,yBAAyB,EACzB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,yBAAyB,EACzB,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AAC1G,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AAC7F,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC;AAC7G,OAAO,EAAE,yBAAyB,EAAE,MAAM,wCAAwC,CAAC;AACnF,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,YAAY,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AAC9F,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAC1F,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAClI,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,gCAAgC,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AACvF,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjF,YAAY,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,YAAY,EACV,aAAa,EACb,cAAc,EACd,kBAAkB,GACnB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAC;AAC9E,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC5D,YAAY,EACV,aAAa,EACb,UAAU,EACV,cAAc,EACd,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,QAAQ,EACR,oBAAoB,EACpB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,kBAAkB,EAClB,2BAA2B,EAC3B,wBAAwB,EACxB,wBAAwB,EACxB,QAAQ,EACR,YAAY,GACb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AAEzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AACvE,YAAY,EAAE,UAAU,EAAE,MAAM,kCAAkC,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACzE,YAAY,EAAE,eAAe,EAAE,WAAW,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACtH,OAAO,EAAE,6BAA6B,EAAE,MAAM,0CAA0C,CAAC;AACzF,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,qCAAqC,CAAC;AAC7G,YAAY,EACV,kBAAkB,EAClB,YAAY,EACZ,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,SAAS,EACT,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,GACX,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,wBAAwB,EACxB,kBAAkB,EAClB,uBAAuB,EACvB,qBAAqB,EACrB,sBAAsB,EACtB,uBAAuB,EACvB,uBAAuB,GACxB,MAAM,oBAAoB,CAAC"}

package/dist/index.js

@@ -1,13 +1,26 @@
 export { analyzeApp } from './analyze.js';
+export { slugifyUrl, defaultBaselineRoot, saveBaseline, loadBaseline, listBaselines, deleteBaseline, compareBaselines, } from './baseline/baseline.js';
 export { toAgentSummary } from './agent-summary.js';
 export { detectAuth, validateStorageState, evaluateStorageStateValidity, preflightStorageStateFile, waitForReturnToOrigin, } from './tools/auth/detect.js';
 export { exploreAuth } from './tools/auth/explore.js';
 export { addUserProvider, removeUserProvider, listUserProviders } from './tools/auth/custom-providers.js';
 export { scanRepo } from './tools/repo/scan.js';
+export { discoverApiSurface, discoverApiSurfaceWithRepo } from './tools/repo/api-surface.js';
 export { computeAutomationMaturity } from './tools/scoring/automation-maturity.js';
+export { computeApiCoverage } from './tools/scoring/api-coverage.js';
 export { scaffoldTests } from './scaffold-tests.js';
+export { expandRecipes, buildAuthScenarios, buildA11yScenarios, buildNavScenarios, buildSeedScenarios } from './recipes/index.js';
 export { createProvider } from './llm/provider-registry.js';
 export { resolveMaxOutputTokensPerLlmCall } from './schemas/config.schema.js';
 export { resolveScanStateBaseDir, resolveReportDir } from './harness/state-manager.js';
 export { NoopTelemetrySink } from './telemetry/telemetry.interface.js';
 export { redactUrlForTelemetry } from './telemetry/emit.js';
+export { RecipeIdSchema } from './schemas/index.js';
+// P3 — Confidence Layer exports
+export { computeReleaseConfidence } from './tools/scoring/confidence.js';
+// P4 — Evidence adapters (CI results + PR metadata)
+export { ciResultsToEvidence } from './adapters/ci-results-adapter.js';
+export { prMetadataToEvidence } from './adapters/pr-metadata-adapter.js';
+export { buildConfidenceInputFromQulib } from './tools/scoring/confidence-from-qulib.js';
+export { diffConfidence, deriveInbox, buildReplay, toAuditEntry } from './tools/scoring/confidence-views.js';
+export { EvidenceSourceKindSchema, EvidenceItemSchema, ConfidenceSubjectSchema, ConfidenceInputSchema, ConfidencePolicySchema, ConfidenceVerdictSchema, ReleaseConfidenceSchema, } from './schemas/index.js';

package/dist/recipes/a11y.d.ts

@@ -0,0 +1,36 @@
+/**
+ * a11y recipe — accessibility assertion patterns.
+ *
+ * Lifted from the PROVEN NQ-2 Playwright a11y suite and qulib's own axe-core
+ * integration in src/phases/accessibility.ts. Real patterns re-derived from
+ * first principles.
+ *
+ * NQ-2 Playwright a11y reference patterns:
+ *   - import AxeBuilder from '@axe-core/playwright'
+ *   - const results = await new AxeBuilder({ page }).analyze()
+ *   - expect(violations.filter(v => v.impact === 'serious' || v.impact === 'critical')).toHaveLength(0)
+ *   - await expect(page.locator('main')).toBeVisible()
+ *   - await expect(page.locator('h1')).toBeVisible()
+ *   - expect(await page.title()).not.toBe('')
+ *
+ * For Cypress (no axe-core adapter in the scaffold toolchain), we use:
+ *   - Structural presence checks (h1, main, nav, [role=...])
+ *   - Sufficient-contrast guards via role/aria-label checks
+ *   - Focus-visible checks via keyboard nav simulation
+ */
+import type { NeutralScenario } from '../schemas/gap-analysis.schema.js';
+import type { RecipeConfig } from '../schemas/recipe.schema.js';
+/**
+ * Generate NeutralScenarios for the a11y recipe.
+ *
+ * Returns 3 scenarios:
+ *   1. Page-level a11y — heading structure + landmark regions (all frameworks)
+ *   2. Interactive a11y — focus order / aria roles for primary CTA (smoke)
+ *   3. Image/text a11y — alt text presence + non-empty page title
+ *
+ * The Playwright adapter will render axe-core assertions for scenarios tagged
+ * 'a11y-axe'. The Cypress adapter renders structural/aria assertions (axe-core
+ * Cypress integration is out-of-scope for the scaffold toolchain today).
+ */
+export declare function buildA11yScenarios(config?: RecipeConfig): NeutralScenario[];
+//# sourceMappingURL=a11y.d.ts.map

package/dist/recipes/a11y.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a11y.d.ts","sourceRoot":"","sources":["../../src/recipes/a11y.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,GAAE,YAAiB,GAAG,eAAe,EAAE,CA6G/E"}

package/dist/recipes/a11y.js

@@ -0,0 +1,118 @@
+/**
+ * Generate NeutralScenarios for the a11y recipe.
+ *
+ * Returns 3 scenarios:
+ *   1. Page-level a11y — heading structure + landmark regions (all frameworks)
+ *   2. Interactive a11y — focus order / aria roles for primary CTA (smoke)
+ *   3. Image/text a11y — alt text presence + non-empty page title
+ *
+ * The Playwright adapter will render axe-core assertions for scenarios tagged
+ * 'a11y-axe'. The Cypress adapter renders structural/aria assertions (axe-core
+ * Cypress integration is out-of-scope for the scaffold toolchain today).
+ */
+export function buildA11yScenarios(config = {}) {
+    const impact = config.a11yImpact ?? 'serious';
+    return [
+        {
+            id: 'recipe-a11y-heading-structure',
+            title: 'Page has proper heading structure and landmark regions',
+            description: 'The root page has an H1 heading and at least one landmark region (main/nav/header/footer), providing a navigable document outline for screen-reader users',
+            targetPath: '/',
+            steps: [
+                { action: 'navigate', target: '/', description: 'Open the root page' },
+                {
+                    action: 'assert-visible',
+                    target: 'h1',
+                    description: 'Page has an H1 heading (document outline)',
+                },
+                {
+                    action: 'assert-visible',
+                    target: 'main',
+                    description: 'Page has a main landmark region',
+                },
+                {
+                    action: 'assert-count',
+                    target: 'nav',
+                    value: '1',
+                    description: 'At least one navigation landmark exists',
+                },
+            ],
+            tags: ['a11y', 'smoke', 'recipe-a11y', `a11y-impact-${impact}`],
+            recommendations: [
+                {
+                    adapter: 'playwright',
+                    reason: 'Landmark + heading assertions with Playwright locator — real NQ-2 pattern',
+                    confidence: 'high',
+                },
+                {
+                    adapter: 'cypress-e2e',
+                    reason: 'Structural a11y assertions — cy.get on semantic elements',
+                    confidence: 'high',
+                },
+            ],
+            sourceGapIds: ['recipe-a11y'],
+        },
+        {
+            id: 'recipe-a11y-interactive-aria',
+            title: 'Primary interactive elements have accessible names',
+            description: 'Buttons and links visible on the page carry accessible names (aria-label or text content), ensuring assistive technologies can identify the action',
+            targetPath: '/',
+            steps: [
+                { action: 'navigate', target: '/', description: 'Open the root page' },
+                {
+                    action: 'assert-count',
+                    target: 'button, a[href]',
+                    value: '1',
+                    description: 'At least one interactive element is present',
+                },
+                {
+                    action: 'assert-visible',
+                    target: 'button, [role=button]',
+                    description: 'An accessible interactive element is visible on the page',
+                },
+            ],
+            tags: ['a11y', 'aria', 'recipe-a11y'],
+            recommendations: [
+                {
+                    adapter: 'playwright',
+                    reason: 'aria-label presence check — Playwright locator + toBeVisible',
+                    confidence: 'medium',
+                },
+                {
+                    adapter: 'cypress-e2e',
+                    reason: 'Aria attribute presence — cy.get selector chain',
+                    confidence: 'medium',
+                },
+            ],
+            sourceGapIds: ['recipe-a11y'],
+        },
+        {
+            id: 'recipe-a11y-page-title',
+            title: 'Page has a non-empty, descriptive document title',
+            description: 'The <title> element is non-empty — required for bookmarks, browser tabs, and screen-reader orientation',
+            targetPath: '/',
+            steps: [
+                { action: 'navigate', target: '/', description: 'Open the root page' },
+                {
+                    action: 'assert-text',
+                    target: 'title',
+                    description: 'Document title element is non-empty',
+                },
+            ],
+            tags: ['a11y', 'seo', 'recipe-a11y'],
+            recommendations: [
+                {
+                    adapter: 'playwright',
+                    reason: 'page.title() !== "" — lightweight page-level a11y gate',
+                    confidence: 'high',
+                },
+                {
+                    adapter: 'cypress-e2e',
+                    reason: 'cy.title().should("not.be.empty") — smoke a11y gate',
+                    confidence: 'high',
+                },
+            ],
+            sourceGapIds: ['recipe-a11y'],
+        },
+    ];
+}

package/dist/recipes/auth.d.ts

@@ -0,0 +1,38 @@
+/**
+ * auth recipe — login / logout / protected-route patterns.
+ *
+ * Lifted from the PROVEN NQ-2 Playwright specs and CaseLoom Cypress specs.
+ * These are REAL selector patterns and assertion patterns used in those test
+ * suites, re-derived from first principles (not copy-pasted).
+ *
+ * NQ-2 Playwright reference patterns:
+ *   - page.goto('/login')
+ *   - page.locator('[data-testid=login-email]').fill(email)
+ *   - page.locator('[data-testid=login-password]').fill(password)
+ *   - page.locator('[data-testid=login-submit]').click()
+ *   - expect(page.locator('[data-testid=dashboard-root]')).toBeVisible()
+ *   - expect(page.locator('[data-testid=login-error]')).toContainText('Invalid')
+ *
+ * CaseLoom Cypress reference patterns:
+ *   - cy.visit('/login')
+ *   - cy.get('[data-testid=login-email]').type(email)
+ *   - cy.get('[data-testid=login-password]').type(password)
+ *   - cy.get('[data-testid=login-submit]').click()
+ *   - cy.get('[data-testid=dashboard-root]').should('be.visible')
+ *   - cy.get('[data-testid=login-error]').should('contain.text', 'Invalid')
+ */
+import type { NeutralScenario } from '../schemas/gap-analysis.schema.js';
+import type { RecipeConfig } from '../schemas/recipe.schema.js';
+/**
+ * Generate NeutralScenarios for the auth recipe.
+ *
+ * Returns 3 scenarios:
+ *   1. Happy-path login → lands on dashboard (smoke gate)
+ *   2. Invalid-credentials → inline error message shown (negative gate)
+ *   3. Protected route redirects unauthenticated users to login (security gate)
+ *
+ * All selectors come from the proven NQ-2/CaseLoom patterns and are overridable
+ * via RecipeConfig, so the recipe works for any form-login app.
+ */
+export declare function buildAuthScenarios(config?: RecipeConfig): NeutralScenario[];
+//# sourceMappingURL=auth.d.ts.map

package/dist/recipes/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/recipes/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAWhE;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,GAAE,YAAiB,GAAG,eAAe,EAAE,CA0I/E"}

package/dist/recipes/auth.js

@@ -0,0 +1,156 @@
+/** Defaults from the proven NQ-2 data-testid convention. */
+const DEFAULTS = {
+    loginUrl: '/login',
+    usernameSelector: '[data-testid=login-email]',
+    passwordSelector: '[data-testid=login-password]',
+    submitSelector: '[data-testid=login-submit]',
+    successSelector: '[data-testid=dashboard-root]',
+};
+/**
+ * Generate NeutralScenarios for the auth recipe.
+ *
+ * Returns 3 scenarios:
+ *   1. Happy-path login → lands on dashboard (smoke gate)
+ *   2. Invalid-credentials → inline error message shown (negative gate)
+ *   3. Protected route redirects unauthenticated users to login (security gate)
+ *
+ * All selectors come from the proven NQ-2/CaseLoom patterns and are overridable
+ * via RecipeConfig, so the recipe works for any form-login app.
+ */
+export function buildAuthScenarios(config = {}) {
+    const loginUrl = config.loginUrl ?? DEFAULTS.loginUrl;
+    const usernameSelector = config.usernameSelector ?? DEFAULTS.usernameSelector;
+    const passwordSelector = config.passwordSelector ?? DEFAULTS.passwordSelector;
+    const submitSelector = config.submitSelector ?? DEFAULTS.submitSelector;
+    const successSelector = config.successSelector ?? DEFAULTS.successSelector;
+    return [
+        {
+            id: 'recipe-auth-happy-path',
+            title: 'User can log in with valid credentials',
+            description: 'Submitting valid credentials navigates to the authenticated dashboard',
+            targetPath: loginUrl,
+            steps: [
+                { action: 'navigate', target: loginUrl, description: 'Open the login page' },
+                {
+                    action: 'type',
+                    target: usernameSelector,
+                    value: 'user@example.test',
+                    description: 'Enter email address',
+                },
+                {
+                    action: 'type',
+                    target: passwordSelector,
+                    value: 'correct-horse',
+                    description: 'Enter password',
+                },
+                {
+                    action: 'click',
+                    target: submitSelector,
+                    description: 'Submit the login form',
+                },
+                {
+                    action: 'assert-visible',
+                    target: successSelector,
+                    description: 'Dashboard or success indicator is shown',
+                },
+            ],
+            tags: ['auth', 'smoke', 'recipe-auth'],
+            recommendations: [
+                {
+                    adapter: 'cypress-e2e',
+                    reason: 'Proven NQ-2 / CaseLoom pattern — cy.get + type/click/should',
+                    confidence: 'high',
+                },
+                {
+                    adapter: 'playwright',
+                    reason: 'Proven NQ-2 pattern — page.locator + fill/click/expect',
+                    confidence: 'high',
+                },
+            ],
+            sourceGapIds: ['recipe-auth'],
+        },
+        {
+            id: 'recipe-auth-invalid-credentials',
+            title: 'Invalid credentials show an inline error',
+            description: 'Submitting wrong credentials stays on the login page and shows an error message',
+            targetPath: loginUrl,
+            steps: [
+                { action: 'navigate', target: loginUrl, description: 'Open the login page' },
+                {
+                    action: 'type',
+                    target: usernameSelector,
+                    value: 'user@example.test',
+                    description: 'Enter email address',
+                },
+                {
+                    action: 'type',
+                    target: passwordSelector,
+                    value: 'wrong-password',
+                    description: 'Enter an incorrect password',
+                },
+                {
+                    action: 'click',
+                    target: submitSelector,
+                    description: 'Submit with wrong credentials',
+                },
+                {
+                    action: 'assert-text',
+                    target: '[data-testid=login-error]',
+                    value: 'Invalid',
+                    description: 'Inline error message is shown',
+                },
+                {
+                    action: 'assert-visible',
+                    target: submitSelector,
+                    description: 'Still on the login page (submit button visible)',
+                },
+            ],
+            tags: ['auth', 'negative', 'recipe-auth'],
+            recommendations: [
+                {
+                    adapter: 'cypress-e2e',
+                    reason: 'Proven NQ-2 negative path — assert-text on error element',
+                    confidence: 'high',
+                },
+                {
+                    adapter: 'playwright',
+                    reason: 'Proven NQ-2 negative path — toContainText on error element',
+                    confidence: 'high',
+                },
+            ],
+            sourceGapIds: ['recipe-auth'],
+        },
+        {
+            id: 'recipe-auth-protected-redirect',
+            title: 'Unauthenticated access to a protected route redirects to login',
+            description: 'Visiting a protected route without a session redirects to the login page — authentication guard is wired',
+            targetPath: '/dashboard',
+            steps: [
+                {
+                    action: 'navigate',
+                    target: '/dashboard',
+                    description: 'Navigate directly to a protected route',
+                },
+                {
+                    action: 'assert-visible',
+                    target: submitSelector,
+                    description: 'Login form submit button is visible — we were redirected to login',
+                },
+            ],
+            tags: ['auth', 'security', 'recipe-auth'],
+            recommendations: [
+                {
+                    adapter: 'cypress-e2e',
+                    reason: 'Guards a critical security property — protected routes must redirect',
+                    confidence: 'medium',
+                },
+                {
+                    adapter: 'playwright',
+                    reason: 'Guards a critical security property — protected routes must redirect',
+                    confidence: 'medium',
+                },
+            ],
+            sourceGapIds: ['recipe-auth'],
+        },
+    ];
+}

package/dist/recipes/index.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Recipe toolshed — reusable NeutralScenario builders.
+ *
+ * Each recipe module exports a build* function that returns NeutralScenario[].
+ * Recipes are merged (additive) into whatever scenarios the adapter already has;
+ * they never replace existing scenarios.
+ *
+ * Available recipes:
+ *   auth  — login / logout / protected-route flows
+ *   a11y  — accessibility checks (landmark/heading/aria/title)
+ *   nav   — deep-link / browser-back / 404-handling
+ *   seed  — data-seeding and state-reset helpers
+ */
+import type { RecipeId, RecipeConfig } from '../schemas/recipe.schema.js';
+import type { NeutralScenario } from '../schemas/gap-analysis.schema.js';
+export { buildAuthScenarios } from './auth.js';
+export { buildA11yScenarios } from './a11y.js';
+export { buildNavScenarios } from './nav.js';
+export { buildSeedScenarios } from './seed.js';
+/**
+ * Expand a list of RecipeIds into their NeutralScenario arrays, applying
+ * optional per-recipe config. Returns an empty array when ids is empty or
+ * undefined — safe to call unconditionally.
+ */
+export declare function expandRecipes(ids: RecipeId[] | undefined, config?: RecipeConfig): NeutralScenario[];
+//# sourceMappingURL=index.d.ts.map

package/dist/recipes/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/recipes/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC1E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAMzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,aAAa,CAC3B,GAAG,EAAE,QAAQ,EAAE,GAAG,SAAS,EAC3B,MAAM,GAAE,YAAiB,GACxB,eAAe,EAAE,CA2BnB"}

package/dist/recipes/index.js

@@ -0,0 +1,41 @@
+import { buildAuthScenarios } from './auth.js';
+import { buildA11yScenarios } from './a11y.js';
+import { buildNavScenarios } from './nav.js';
+import { buildSeedScenarios } from './seed.js';
+export { buildAuthScenarios } from './auth.js';
+export { buildA11yScenarios } from './a11y.js';
+export { buildNavScenarios } from './nav.js';
+export { buildSeedScenarios } from './seed.js';
+/**
+ * Expand a list of RecipeIds into their NeutralScenario arrays, applying
+ * optional per-recipe config. Returns an empty array when ids is empty or
+ * undefined — safe to call unconditionally.
+ */
+export function expandRecipes(ids, config = {}) {
+    if (!ids || ids.length === 0)
+        return [];
+    const scenarios = [];
+    for (const id of ids) {
+        switch (id) {
+            case 'auth':
+                scenarios.push(...buildAuthScenarios(config));
+                break;
+            case 'a11y':
+                scenarios.push(...buildA11yScenarios(config));
+                break;
+            case 'nav':
+                scenarios.push(...buildNavScenarios(config));
+                break;
+            case 'seed':
+                scenarios.push(...buildSeedScenarios(config));
+                break;
+            default: {
+                // TypeScript exhaustiveness: if a new RecipeId is added without a case
+                // this will cause a compile error.
+                const _exhaustive = id;
+                throw new Error(`Unknown recipe id: ${String(_exhaustive)}`);
+            }
+        }
+    }
+    return scenarios;
+}

package/dist/recipes/nav.d.ts

@@ -0,0 +1,34 @@
+/**
+ * nav recipe — navigation, deep-linking, back/forward, 404 handling.
+ *
+ * Lifted from the PROVEN NQ-2 Playwright navigation suite and CaseLoom Cypress
+ * navigation specs. Real selector and navigation patterns, re-derived from
+ * first principles.
+ *
+ * NQ-2 Playwright nav reference patterns:
+ *   - page.goto('/about')
+ *   - expect(page).toHaveURL(/\/about/)
+ *   - await page.goBack()
+ *   - expect(page).toHaveURL('/')
+ *   - page.goto('/nonexistent-route-that-404s')
+ *   - expect(page.locator('[data-testid=not-found]')).toBeVisible()  OR
+ *   - expect(page.getByText('404')).toBeVisible()
+ *
+ * CaseLoom Cypress nav reference patterns:
+ *   - cy.visit('/about')
+ *   - cy.url().should('include', '/about')
+ *   - cy.go('back')
+ *   - cy.url().should('eq', Cypress.config('baseUrl') + '/')
+ */
+import type { NeutralScenario } from '../schemas/gap-analysis.schema.js';
+import type { RecipeConfig } from '../schemas/recipe.schema.js';
+/**
+ * Generate NeutralScenarios for the nav recipe.
+ *
+ * Returns 3 scenarios:
+ *   1. Deep-link routes — direct navigation lands on the correct page
+ *   2. Browser-back — back button returns to the previous route
+ *   3. 404 handling — unknown routes show a user-friendly not-found page
+ */
+export declare function buildNavScenarios(config?: RecipeConfig): NeutralScenario[];
+//# sourceMappingURL=nav.d.ts.map

package/dist/recipes/nav.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nav.d.ts","sourceRoot":"","sources":["../../src/recipes/nav.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAIhE;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,YAAiB,GAAG,eAAe,EAAE,CA2H9E"}