@qulib/core 0.9.0 → 0.10.1

package/README.md

@@ -345,34 +345,34 @@ qulib analyze --url https://yourapp.com --auth-storage-state ./qulib-storage-sta
 
 ## Sample report (fixture baseline)
 
-From the local fixture baseline used in v0.5.0 PR 1/2:
+The fixture tests in `packages/core/src/__tests__/analyze.fixtures.test.ts` assert structural shape — that `releaseConfidence` is a number, `gaps` is an array, and coverage scores are non-negative. Exact scores vary with each scoring version; re-run the fixture suite for current reference values.
+
+A minimal structural snapshot looks like:
 
 ```json
 {
   "status": "complete",
   "releaseConfidence": 68,
   "gaps": [
-    "... 4 total gap items ..."
+    "... gap items ..."
   ]
 }
 ```
 
-Use these as conservative reference numbers:
-- public fixture (`/`): `releaseConfidence: 68/100`, `gaps: 4`
-- auth-wall fixture (`/auth`): `releaseConfidence: 24/100`, `gaps: 2`
-- broken fixture (`/broken`): `releaseConfidence: 0/100`, `gaps: 6`
-
 ## MCP tools quick map
 
 | Tool | When to use | Key input |
 |---|---|---|
 | **`qulib_score_confidence`** | **Flagship.** Fused verdict (ship/caution/hold/block) from all collectors | `url` and/or `repoPath`, optional `includeViews.replay` |
-| `analyze_app` | Live-app QA scan: release confidence + gaps + a11y | `url`, optional `auth`, optional LLM knobs |
+| `qulib_analyze_app` | Live-app QA scan: release confidence + gaps + a11y | `url`, optional `auth`, optional LLM knobs |
 | `qulib_score_automation` | Score local repo test-automation maturity | absolute `repoPath`, optional `includeFullDimensions` |
 | `qulib_score_api` | Discover API endpoints and score their test coverage | absolute `repoPath`, optional `enableTier3`, `includeEndpointDetail` |
-| `qulib_scaffold_tests` | Generate Cypress/Playwright scaffold from a live URL | `url`, optional `framework`, `maxPagesToScan`, `recipes` |
-| `explore_auth` | Deeper auth-path discovery on unfamiliar apps | `url`, optional `timeoutMs` |
-| `detect_auth` | Fast single-pass auth pattern guess | `url`, optional `timeoutMs` |
+| `qulib_scaffold_tests` | Generate Cypress scaffold from a live URL (`cypress-e2e` only; playwright not yet implemented) | `url`, optional `framework`, `maxPagesToScan`, `recipes` |
+| `qulib_explore_auth` | Deeper auth-path discovery on unfamiliar apps | `url`, optional `timeoutMs` |
+| `qulib_detect_auth` | Fast single-pass auth pattern guess | `url`, optional `timeoutMs` |
+| `analyze_app` | Legacy alias for `qulib_analyze_app` — kept for backwards compatibility | same as `qulib_analyze_app` |
+| `explore_auth` | Legacy alias for `qulib_explore_auth` — kept for backwards compatibility | same as `qulib_explore_auth` |
+| `detect_auth` | Legacy alias for `qulib_detect_auth` — kept for backwards compatibility | same as `qulib_detect_auth` |
 
 ## Output directories
 

package/dist/baseline/baseline.schema.d.ts

@@ -7,18 +7,18 @@ import { z } from 'zod';
 export declare const BaselineGapSchema: z.ZodObject<{
     path: z.ZodString;
     severity: z.ZodEnum<["critical", "high", "medium", "low"]>;
-    category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint"]>;
+    category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint", "prompt-leakage"]>;
     reason: z.ZodString;
 }, "strip", z.ZodTypeAny, {
     path: string;
     severity: "critical" | "high" | "medium" | "low";
     reason: string;
-    category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+    category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
 }, {
     path: string;
     severity: "critical" | "high" | "medium" | "low";
     reason: string;
-    category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+    category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
 }>;
 export type BaselineGap = z.infer<typeof BaselineGapSchema>;
 /**
@@ -34,18 +34,18 @@ export declare const BaselineSnapshotSchema: z.ZodObject<{
     gaps: z.ZodArray<z.ZodObject<{
         path: z.ZodString;
         severity: z.ZodEnum<["critical", "high", "medium", "low"]>;
-        category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint"]>;
+        category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint", "prompt-leakage"]>;
         reason: z.ZodString;
     }, "strip", z.ZodTypeAny, {
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }, {
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }>, "many">;
     label: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
@@ -56,7 +56,7 @@ export declare const BaselineSnapshotSchema: z.ZodObject<{
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }[];
     gapCount: number;
     savedAt: string;
@@ -69,7 +69,7 @@ export declare const BaselineSnapshotSchema: z.ZodObject<{
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }[];
     gapCount: number;
     savedAt: string;
@@ -81,7 +81,7 @@ export type BaselineSnapshot = z.infer<typeof BaselineSnapshotSchema>;
  */
 export declare const BaselineDeltaItemSchema: z.ZodObject<{
     path: z.ZodString;
-    category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint"]>;
+    category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint", "prompt-leakage"]>;
     severity: z.ZodEnum<["critical", "high", "medium", "low"]>;
     reason: z.ZodString;
     status: z.ZodEnum<["new", "resolved", "severity-increased", "severity-decreased"]>;
@@ -90,13 +90,13 @@ export declare const BaselineDeltaItemSchema: z.ZodObject<{
     path: string;
     severity: "critical" | "high" | "medium" | "low";
     reason: string;
-    category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+    category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
 }, {
     status: "new" | "resolved" | "severity-increased" | "severity-decreased";
     path: string;
     severity: "critical" | "high" | "medium" | "low";
     reason: string;
-    category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+    category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
 }>;
 export type BaselineDeltaItem = z.infer<typeof BaselineDeltaItemSchema>;
 /**
@@ -112,7 +112,7 @@ export declare const BaselineDeltaSchema: z.ZodObject<{
     confidenceDelta: z.ZodNumber;
     newGaps: z.ZodArray<z.ZodObject<{
         path: z.ZodString;
-        category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint"]>;
+        category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint", "prompt-leakage"]>;
         severity: z.ZodEnum<["critical", "high", "medium", "low"]>;
         reason: z.ZodString;
         status: z.ZodEnum<["new", "resolved", "severity-increased", "severity-decreased"]>;
@@ -121,17 +121,17 @@ export declare const BaselineDeltaSchema: z.ZodObject<{
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }, {
         status: "new" | "resolved" | "severity-increased" | "severity-decreased";
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }>, "many">;
     resolvedGaps: z.ZodArray<z.ZodObject<{
         path: z.ZodString;
-        category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint"]>;
+        category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint", "prompt-leakage"]>;
         severity: z.ZodEnum<["critical", "high", "medium", "low"]>;
         reason: z.ZodString;
         status: z.ZodEnum<["new", "resolved", "severity-increased", "severity-decreased"]>;
@@ -140,17 +140,17 @@ export declare const BaselineDeltaSchema: z.ZodObject<{
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }, {
         status: "new" | "resolved" | "severity-increased" | "severity-decreased";
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }>, "many">;
     severityChanges: z.ZodArray<z.ZodObject<{
         path: z.ZodString;
-        category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint"]>;
+        category: z.ZodEnum<["untested-route", "a11y", "console-error", "broken-link", "auth-surface", "coverage", "untested-api-endpoint", "prompt-leakage"]>;
         severity: z.ZodEnum<["critical", "high", "medium", "low"]>;
         reason: z.ZodString;
         status: z.ZodEnum<["new", "resolved", "severity-increased", "severity-decreased"]>;
@@ -159,13 +159,13 @@ export declare const BaselineDeltaSchema: z.ZodObject<{
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }, {
         status: "new" | "resolved" | "severity-increased" | "severity-decreased";
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }>, "many">;
     summary: z.ZodString;
 }, "strip", z.ZodTypeAny, {
@@ -182,21 +182,21 @@ export declare const BaselineDeltaSchema: z.ZodObject<{
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }[];
     resolvedGaps: {
         status: "new" | "resolved" | "severity-increased" | "severity-decreased";
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }[];
     severityChanges: {
         status: "new" | "resolved" | "severity-increased" | "severity-decreased";
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }[];
 }, {
     summary: string;
@@ -212,21 +212,21 @@ export declare const BaselineDeltaSchema: z.ZodObject<{
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }[];
     resolvedGaps: {
         status: "new" | "resolved" | "severity-increased" | "severity-decreased";
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }[];
     severityChanges: {
         status: "new" | "resolved" | "severity-increased" | "severity-decreased";
         path: string;
         severity: "critical" | "high" | "medium" | "low";
         reason: string;
-        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint";
+        category: "untested-route" | "a11y" | "console-error" | "broken-link" | "auth-surface" | "coverage" | "untested-api-endpoint" | "prompt-leakage";
     }[];
 }>;
 export type BaselineDelta = z.infer<typeof BaselineDeltaSchema>;

package/dist/baseline/baseline.schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"baseline.schema.d.ts","sourceRoot":"","sources":["../../src/baseline/baseline.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;EAa5B,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D;;GAEG;AACH,eAAO,MAAM,sBAAsB;IACjC,gFAAgF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQhF,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;EAMlC,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAY9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC"}
+{"version":3,"file":"baseline.schema.d.ts","sourceRoot":"","sources":["../../src/baseline/baseline.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;EAc5B,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D;;GAEG;AACH,eAAO,MAAM,sBAAsB;IACjC,gFAAgF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQhF,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;EAMlC,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAY9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC"}

package/dist/baseline/baseline.schema.js

@@ -15,6 +15,7 @@ export const BaselineGapSchema = z.object({
         'auth-surface',
         'coverage',
         'untested-api-endpoint',
+        'prompt-leakage',
     ]),
     reason: z.string(),
 });

package/dist/cli/analyze-diff-run.d.ts

@@ -0,0 +1,77 @@
+import type { Command } from 'commander';
+import type { GapAnalysis } from '../schemas/gap-analysis.schema.js';
+import type { BaselineDeltaItem } from '../baseline/baseline.schema.js';
+/**
+ * The structured result of diffing two analyze_app outputs.
+ * Wraps `BaselineDelta` with source provenance (file labels, timestamps).
+ */
+export interface AnalyzeDiffResult {
+    /** Human label for the "before" report (path by default). */
+    fromLabel: string;
+    /** Human label for the "after" report (path by default). */
+    toLabel: string;
+    /** ISO timestamp from the "before" report's analyzedAt field. */
+    fromAnalyzedAt: string;
+    /** ISO timestamp from the "after" report's analyzedAt field. */
+    toAnalyzedAt: string;
+    /** Release confidence from the "before" report (0–100, or null). */
+    fromReleaseConfidence: number | null;
+    /** Release confidence from the "after" report (0–100, or null). */
+    toReleaseConfidence: number | null;
+    /** Numeric delta: toReleaseConfidence − fromReleaseConfidence. Null if either is null. */
+    confidenceDelta: number | null;
+    /** Direction of the confidence delta. */
+    direction: 'improved' | 'regressed' | 'unchanged' | 'unknown';
+    /** Findings present in "to" that were absent in "from" (new regressions). */
+    added: BaselineDeltaItem[];
+    /** Findings present in "from" that are absent in "to" (resolved issues). */
+    removed: BaselineDeltaItem[];
+    /** Same finding (path + category) with a changed severity between the two reports. */
+    changed: BaselineDeltaItem[];
+    /** One-line human summary. */
+    summary: string;
+}
+/**
+ * Pure function: diff two GapAnalysis objects.
+ *
+ * Does NOT read files, make network requests, or touch disk. Both inputs must
+ * already be validated GapAnalysis objects.
+ *
+ * @param from  The "before" (baseline) analysis.
+ * @param to    The "after" (current) analysis.
+ * @param opts  Optional labels for provenance metadata.
+ */
+export declare function analyzeRunDiff(from: GapAnalysis, to: GapAnalysis, opts?: {
+    fromLabel?: string;
+    toLabel?: string;
+}): AnalyzeDiffResult;
+/**
+ * Read and validate a GapAnalysis from a report.json file path.
+ * Fails loudly on a missing/malformed/foreign file rather than diffing garbage.
+ */
+export declare function loadGapAnalysisFile(filePath: string, cwd?: string): Promise<GapAnalysis>;
+export interface AnalyzeDiffOptions {
+    from: string;
+    to: string;
+    labelFrom?: string;
+    labelTo?: string;
+    json?: boolean;
+}
+/**
+ * Core of `analyze diff`, factored out for direct testing.
+ * Loads both files, validates them, diffs them, and emits the result.
+ */
+export declare function runAnalyzeDiff(options: AnalyzeDiffOptions, out?: (line: string) => void): Promise<AnalyzeDiffResult>;
+/**
+ * Render an AnalyzeDiffResult as a human-readable Markdown report.
+ *
+ * The report is structured for readability in CI logs, GitHub PR comments, and
+ * terminal output. It covers:
+ *   - Header with report labels and timestamps
+ *   - Confidence score delta with direction indicator
+ *   - Added / Removed / Changed findings as tables
+ *   - One-line summary
+ */
+export declare function formatAnalyzeDiffMarkdown(result: AnalyzeDiffResult): string;
+export declare function registerAnalyzeDiffCommand(program: Command): void;
+//# sourceMappingURL=analyze-diff-run.d.ts.map

package/dist/cli/analyze-diff-run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze-diff-run.d.ts","sourceRoot":"","sources":["../../src/cli/analyze-diff-run.ts"],"names":[],"mappings":"AAmCA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AAGrE,OAAO,KAAK,EAAiB,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAOvF;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,OAAO,EAAE,MAAM,CAAC;IAChB,iEAAiE;IACjE,cAAc,EAAE,MAAM,CAAC;IACvB,gEAAgE;IAChE,YAAY,EAAE,MAAM,CAAC;IACrB,oEAAoE;IACpE,qBAAqB,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,mEAAmE;IACnE,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,0FAA0F;IAC1F,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,yCAAyC;IACzC,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,WAAW,GAAG,SAAS,CAAC;IAC9D,6EAA6E;IAC7E,KAAK,EAAE,iBAAiB,EAAE,CAAC;IAC3B,4EAA4E;IAC5E,OAAO,EAAE,iBAAiB,EAAE,CAAC;IAC7B,sFAAsF;IACtF,OAAO,EAAE,iBAAiB,EAAE,CAAC;IAC7B,8BAA8B;IAC9B,OAAO,EAAE,MAAM,CAAC;CACjB;AAqCD;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,WAAW,EACjB,EAAE,EAAE,WAAW,EACf,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAO,GAClD,iBAAiB,CA6CnB;AAMD;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,GAAG,GAAE,MAAsB,GAC1B,OAAO,CAAC,WAAW,CAAC,CAsBtB;AAMD,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,kBAAkB,EAC3B,GAAG,GAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAkC,GACxD,OAAO,CAAC,iBAAiB,CAAC,CAgB5B;AA8BD;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAgD3E;AAMD,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAiCjE"}

package/dist/cli/analyze-diff-run.js

@@ -0,0 +1,266 @@
+/**
+ * `qulib analyze diff` — structured diff between two analyze_app outputs.
+ *
+ * Produces a structured report (JSON + Markdown) that compares two GapAnalysis
+ * objects (the serialized output of `qulib analyze`): added findings, removed
+ * findings, severity changes, and a confidence score delta.
+ *
+ * The diff is a PURE function of two GapAnalysis objects — no disk state, no
+ * network, no LLM. Callers supply paths to report.json files; this module reads
+ * them, validates them, and produces the diff.
+ *
+ * Subcommand:
+ *   qulib analyze diff --from <path> --to <path>
+ *
+ * Flags:
+ *   --from <path>   Path to the baseline report.json (the "before" state).
+ *   --to <path>     Path to the current report.json (the "after" state).
+ *   --json          Emit the AnalyzeDiffResult as JSON to stdout (default: Markdown).
+ *   --label-from    Optional human label for the baseline report.
+ *   --label-to      Optional human label for the current report.
+ *
+ * Design rationale:
+ *   - Reuses the existing `BaselineDelta` shape and `compareBaselines` logic by
+ *     converting GapAnalysis objects to transient BaselineSnapshot objects.
+ *     No second format is introduced; the schema is the same.
+ *   - The result type `AnalyzeDiffResult` wraps `BaselineDelta` with the source
+ *     report metadata (analyzedAt, path labels) for full provenance.
+ *   - `analyzeRunDiff` is factored out as a pure function so it is testable and
+ *     importable without the CLI layer (follows the baseline-run.ts convention).
+ *
+ * Registered from cli/index.ts via `registerAnalyzeDiffCommand(program)` so this
+ * command never edits index.ts beyond a single additive registration line.
+ */
+import { readFile } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import { GapAnalysisSchema } from '../schemas/gap-analysis.schema.js';
+import { compareBaselines } from '../baseline/baseline.js';
+// ---------------------------------------------------------------------------
+// Pure diff function
+// ---------------------------------------------------------------------------
+/**
+ * Stable key used to match gaps between two reports.
+ * Same key as compareBaselines: path + category identifies the same problem.
+ */
+function gapKey(path, category) {
+    return `${path}|||${category}`;
+}
+/**
+ * Convert a GapAnalysis to a minimal BaselineSnapshot shape for reuse with
+ * compareBaselines. The `id` and `savedAt` fields are synthetic — we use
+ * `analyzedAt` for temporal ordering. `url` is left as an empty string since
+ * this path does not require URL-keyed baseline storage.
+ */
+function toTransientSnapshot(analysis, id) {
+    const confidence = analysis.releaseConfidence ?? 0;
+    return {
+        id,
+        url: '',
+        savedAt: analysis.analyzedAt,
+        releaseConfidence: confidence,
+        gapCount: analysis.gaps.length,
+        gaps: analysis.gaps.map((g) => ({
+            path: g.path,
+            severity: g.severity,
+            category: g.category,
+            reason: g.reason,
+        })),
+    };
+}
+/**
+ * Pure function: diff two GapAnalysis objects.
+ *
+ * Does NOT read files, make network requests, or touch disk. Both inputs must
+ * already be validated GapAnalysis objects.
+ *
+ * @param from  The "before" (baseline) analysis.
+ * @param to    The "after" (current) analysis.
+ * @param opts  Optional labels for provenance metadata.
+ */
+export function analyzeRunDiff(from, to, opts = {}) {
+    const fromLabel = opts.fromLabel ?? 'from';
+    const toLabel = opts.toLabel ?? 'to';
+    const priorSnap = toTransientSnapshot(from, 'from');
+    const currentSnap = toTransientSnapshot(to, 'to');
+    const delta = compareBaselines(priorSnap, currentSnap);
+    const fromConf = from.releaseConfidence;
+    const toConf = to.releaseConfidence;
+    const confidenceDelta = fromConf !== null && toConf !== null ? toConf - fromConf : null;
+    let direction = 'unknown';
+    if (confidenceDelta !== null) {
+        direction = confidenceDelta > 0 ? 'improved' : confidenceDelta < 0 ? 'regressed' : 'unchanged';
+    }
+    // Build a richer summary that covers the null-confidence case.
+    const confLine = fromConf !== null && toConf !== null
+        ? `Confidence ${direction} (${fromConf} → ${toConf})`
+        : 'Confidence unavailable in one or both reports';
+    const summaryParts = [
+        confLine,
+        delta.newGaps.length > 0 ? `${delta.newGaps.length} added finding(s)` : '',
+        delta.resolvedGaps.length > 0 ? `${delta.resolvedGaps.length} removed finding(s)` : '',
+        delta.severityChanges.length > 0 ? `${delta.severityChanges.length} severity change(s)` : '',
+    ].filter(Boolean);
+    return {
+        fromLabel,
+        toLabel,
+        fromAnalyzedAt: from.analyzedAt,
+        toAnalyzedAt: to.analyzedAt,
+        fromReleaseConfidence: fromConf,
+        toReleaseConfidence: toConf,
+        confidenceDelta,
+        direction,
+        added: delta.newGaps,
+        removed: delta.resolvedGaps,
+        changed: delta.severityChanges,
+        summary: summaryParts.join(', '),
+    };
+}
+// ---------------------------------------------------------------------------
+// File loader
+// ---------------------------------------------------------------------------
+/**
+ * Read and validate a GapAnalysis from a report.json file path.
+ * Fails loudly on a missing/malformed/foreign file rather than diffing garbage.
+ */
+export async function loadGapAnalysisFile(filePath, cwd = process.cwd()) {
+    const abs = resolve(cwd, filePath);
+    let raw;
+    try {
+        raw = await readFile(abs, 'utf8');
+    }
+    catch {
+        throw new Error(`analyze diff: could not read file: ${abs}`);
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        throw new Error(`analyze diff: file is not valid JSON: ${abs}`);
+    }
+    const result = GapAnalysisSchema.safeParse(parsed);
+    if (!result.success) {
+        throw new Error(`analyze diff: file is not a valid qulib report.json (GapAnalysis): ${abs}\n` +
+            result.error.issues.map((i) => `  • ${i.path.join('.')}: ${i.message}`).join('\n'));
+    }
+    return result.data;
+}
+/**
+ * Core of `analyze diff`, factored out for direct testing.
+ * Loads both files, validates them, diffs them, and emits the result.
+ */
+export async function runAnalyzeDiff(options, out = (line) => console.log(line)) {
+    const fromAnalysis = await loadGapAnalysisFile(options.from);
+    const toAnalysis = await loadGapAnalysisFile(options.to);
+    const result = analyzeRunDiff(fromAnalysis, toAnalysis, {
+        fromLabel: options.labelFrom ?? options.from,
+        toLabel: options.labelTo ?? options.to,
+    });
+    if (options.json) {
+        out(JSON.stringify(result, null, 2));
+    }
+    else {
+        out(formatAnalyzeDiffMarkdown(result));
+    }
+    return result;
+}
+// ---------------------------------------------------------------------------
+// Markdown renderer
+// ---------------------------------------------------------------------------
+const SEVERITY_EMOJI = {
+    critical: '🔴',
+    high: '🟠',
+    medium: '🟡',
+    low: '🔵',
+};
+function severityTag(severity) {
+    return `${SEVERITY_EMOJI[severity] ?? ''} **${severity}**`.trim();
+}
+function renderDeltaTable(items) {
+    if (items.length === 0)
+        return '_none_';
+    const rows = items.map((i) => `| ${i.path} | ${i.category} | ${severityTag(i.severity)} | ${i.reason} |`);
+    return [
+        '| Path | Category | Severity | Reason |',
+        '|------|----------|----------|--------|',
+        ...rows,
+    ].join('\n');
+}
+/**
+ * Render an AnalyzeDiffResult as a human-readable Markdown report.
+ *
+ * The report is structured for readability in CI logs, GitHub PR comments, and
+ * terminal output. It covers:
+ *   - Header with report labels and timestamps
+ *   - Confidence score delta with direction indicator
+ *   - Added / Removed / Changed findings as tables
+ *   - One-line summary
+ */
+export function formatAnalyzeDiffMarkdown(result) {
+    const lines = [];
+    lines.push('## qulib analyze diff');
+    lines.push('');
+    lines.push(`| | Report |`);
+    lines.push(`|---|---|`);
+    lines.push(`| **From** | ${result.fromLabel} (${result.fromAnalyzedAt}) |`);
+    lines.push(`| **To** | ${result.toLabel} (${result.toAnalyzedAt}) |`);
+    lines.push('');
+    // Confidence delta
+    lines.push('### Release Confidence');
+    if (result.fromReleaseConfidence !== null && result.toReleaseConfidence !== null) {
+        const delta = result.confidenceDelta;
+        const arrow = delta > 0 ? '↑' : delta < 0 ? '↓' : '→';
+        const sign = delta > 0 ? '+' : '';
+        lines.push(`${result.fromReleaseConfidence}/100 ${arrow} ${result.toReleaseConfidence}/100 ` +
+            `(${sign}${delta}) — **${result.direction}**`);
+    }
+    else {
+        lines.push('_Confidence unavailable in one or both reports._');
+    }
+    lines.push('');
+    // Added findings
+    lines.push(`### Added Findings (${result.added.length})`);
+    lines.push('');
+    lines.push(renderDeltaTable(result.added));
+    lines.push('');
+    // Removed findings
+    lines.push(`### Removed Findings (${result.removed.length})`);
+    lines.push('');
+    lines.push(renderDeltaTable(result.removed));
+    lines.push('');
+    // Changed severity
+    lines.push(`### Severity Changes (${result.changed.length})`);
+    lines.push('');
+    lines.push(renderDeltaTable(result.changed));
+    lines.push('');
+    lines.push(`---`);
+    lines.push(`_${result.summary}_`);
+    return lines.join('\n');
+}
+// ---------------------------------------------------------------------------
+// CLI registration
+// ---------------------------------------------------------------------------
+export function registerAnalyzeDiffCommand(program) {
+    // Nest `diff` under the existing (or new) `analyze` group.
+    // Commander allows a subcommand under a top-level command; the analyze command
+    // already exists in index.ts as a `program.command('analyze')` — we add a peer
+    // group `analyze-diff` to avoid colliding with the top-level `analyze` action.
+    // The user-facing name is `qulib analyze-diff` to keep wiring simple.
+    program
+        .command('analyze-diff')
+        .description('Diff two analyze_app report.json outputs — surface added / removed / changed findings and confidence delta')
+        .requiredOption('--from <path>', 'Path to the baseline report.json ("before")')
+        .requiredOption('--to <path>', 'Path to the current report.json ("after")')
+        .option('--label-from <label>', 'Human label for the baseline report (default: the file path)')
+        .option('--label-to <label>', 'Human label for the current report (default: the file path)')
+        .option('--json', 'Emit the AnalyzeDiffResult as JSON to stdout (default: Markdown)', false)
+        .action(async (options) => {
+        await runAnalyzeDiff({
+            from: options.from,
+            to: options.to,
+            labelFrom: options.labelFrom,
+            labelTo: options.labelTo,
+            json: Boolean(options.json),
+        });
+    });
+}