@qulib/core 0.9.0 → 0.10.1

package/dist/schemas/route-inventory.schema.d.ts

@@ -65,6 +65,10 @@ export declare const RouteSchema: z.ZodObject<{
         nodeCount: number;
     }>, "many">;
     statusCode: z.ZodOptional<z.ZodNumber>;
+    /** Optional: response headers from the page fetch (populated by explorers that capture them). */
+    headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** Optional: first ~4000 chars of the raw HTML body (populated by explorers that capture it). */
+    bodySnippet: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     path: string;
     pageTitle: string;
@@ -84,6 +88,8 @@ export declare const RouteSchema: z.ZodObject<{
         nodeCount: number;
     }[];
     statusCode?: number | undefined;
+    headers?: Record<string, string> | undefined;
+    bodySnippet?: string | undefined;
 }, {
     path: string;
     pageTitle: string;
@@ -103,6 +109,8 @@ export declare const RouteSchema: z.ZodObject<{
         nodeCount: number;
     }[];
     statusCode?: number | undefined;
+    headers?: Record<string, string> | undefined;
+    bodySnippet?: string | undefined;
 }>;
 export declare const RouteInventorySchema: z.ZodObject<{
     scannedAt: z.ZodString;
@@ -144,6 +152,10 @@ export declare const RouteInventorySchema: z.ZodObject<{
             nodeCount: number;
         }>, "many">;
         statusCode: z.ZodOptional<z.ZodNumber>;
+        /** Optional: response headers from the page fetch (populated by explorers that capture them). */
+        headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        /** Optional: first ~4000 chars of the raw HTML body (populated by explorers that capture it). */
+        bodySnippet: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
         path: string;
         pageTitle: string;
@@ -163,6 +175,8 @@ export declare const RouteInventorySchema: z.ZodObject<{
             nodeCount: number;
         }[];
         statusCode?: number | undefined;
+        headers?: Record<string, string> | undefined;
+        bodySnippet?: string | undefined;
     }, {
         path: string;
         pageTitle: string;
@@ -182,6 +196,8 @@ export declare const RouteInventorySchema: z.ZodObject<{
             nodeCount: number;
         }[];
         statusCode?: number | undefined;
+        headers?: Record<string, string> | undefined;
+        bodySnippet?: string | undefined;
     }>, "many">;
     pagesSkipped: z.ZodNumber;
     budgetExceeded: z.ZodBoolean;
@@ -207,6 +223,8 @@ export declare const RouteInventorySchema: z.ZodObject<{
             nodeCount: number;
         }[];
         statusCode?: number | undefined;
+        headers?: Record<string, string> | undefined;
+        bodySnippet?: string | undefined;
     }[];
     pagesSkipped: number;
     budgetExceeded: boolean;
@@ -232,6 +250,8 @@ export declare const RouteInventorySchema: z.ZodObject<{
             nodeCount: number;
         }[];
         statusCode?: number | undefined;
+        headers?: Record<string, string> | undefined;
+        bodySnippet?: string | undefined;
     }[];
     pagesSkipped: number;
     budgetExceeded: boolean;

package/dist/schemas/route-inventory.schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route-inventory.schema.d.ts","sourceRoot":"","sources":["../../src/schemas/route-inventory.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAC;AAEH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;EAI3B,CAAC;AAEH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAUtB,CAAC;AAEH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/B,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC"}
+{"version":3,"file":"route-inventory.schema.d.ts","sourceRoot":"","sources":["../../src/schemas/route-inventory.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAC;AAEH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;EAI3B,CAAC;AAEH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAUtB,iGAAiG;;IAEjG,iGAAiG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEjG,CAAC;AAEH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAN/B,iGAAiG;;QAEjG,iGAAiG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAUjG,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC"}

package/dist/schemas/route-inventory.schema.js

@@ -20,6 +20,10 @@ export const RouteSchema = z.object({
     brokenLinks: z.array(BrokenLinkSchema),
     a11yViolations: z.array(A11yViolationSchema),
     statusCode: z.number().int().optional(),
+    /** Optional: response headers from the page fetch (populated by explorers that capture them). */
+    headers: z.record(z.string(), z.string()).optional(),
+    /** Optional: first ~4000 chars of the raw HTML body (populated by explorers that capture it). */
+    bodySnippet: z.string().max(8000).optional(),
 });
 export const RouteInventorySchema = z.object({
     scannedAt: z.string().datetime(),

package/dist/schemas/views.schema.d.ts

@@ -211,8 +211,8 @@ export declare const AuditEntrySchema: z.ZodObject<{
     recordHash: z.ZodString;
 }, "strip", z.ZodTypeAny, {
     computedAt: string;
-    tenantId: string;
     schemaVersion: 1;
+    tenantId: string;
     confidenceScore: number | null;
     verdict: "ship" | "caution" | "hold" | "block";
     blockers: string[];

package/dist/tools/scoring/confidence.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"confidence.d.ts","sourceRoot":"","sources":["../../../src/tools/scoring/confidence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EACV,eAAe,EAGf,iBAAiB,EAElB,MAAM,oCAAoC,CAAC;AAiE5C;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,eAAe,GAAG,iBAAiB,CA8HlF"}
+{"version":3,"file":"confidence.d.ts","sourceRoot":"","sources":["../../../src/tools/scoring/confidence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EACV,eAAe,EAIf,iBAAiB,EAElB,MAAM,oCAAoC,CAAC;AA8L5C;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,eAAe,GAAG,iBAAiB,CAgKlF"}

package/dist/tools/scoring/confidence.js

@@ -43,6 +43,18 @@ const DEFAULT_WEIGHTS = {
     'human-approval': 0.0,
     'agent-evidence': 0.0,
 };
+/** Model sources with non-zero default weight — the full evidence model for partial-run disclosure. */
+const MODEL_SOURCES = Object.entries(DEFAULT_WEIGHTS)
+    .filter(([, weight]) => weight > 0)
+    .map(([source]) => source);
+const UNCOLLECTED_NEXT_CHECKS = {
+    'live-app-quality': 'Run analyze_app against the deployed URL to collect live-app quality evidence.',
+    'accessibility': 'Run analyze_app against the deployed URL to evaluate accessibility.',
+    'crawl-coverage': 'Run analyze_app against the deployed URL to measure crawl coverage.',
+    'test-automation': 'Run qulib score-automation against the repo to score test automation maturity.',
+    'api-coverage': 'Run qulib score-api against the repo to measure API test coverage.',
+    'ci-results': 'Ingest CI status from your pipeline (ci-results source not yet wired).',
+};
 function resolvePolicy(p) {
     const base = ConfidencePolicySchema.parse(p ?? {});
     return {
@@ -72,6 +84,93 @@ function buildHonestyNote(item) {
     }
     return `${base} has partial or degraded signal.`;
 }
+function resolveModelWeight(source, policyWeights) {
+    if (policyWeights && source in policyWeights) {
+        return policyWeights[source];
+    }
+    return DEFAULT_WEIGHTS[source] ?? 0;
+}
+function inferUncollectedReason(source, presentSources) {
+    const hasAnalyzeEvidence = presentSources.has('live-app-quality') ||
+        presentSources.has('accessibility') ||
+        presentSources.has('crawl-coverage');
+    const hasRepoEvidence = presentSources.has('test-automation') || presentSources.has('api-coverage');
+    switch (source) {
+        case 'live-app-quality':
+        case 'accessibility':
+        case 'crawl-coverage':
+            return hasAnalyzeEvidence
+                ? 'not collected in this confidence run'
+                : 'app-runtime analysis not run — no url provided';
+        case 'test-automation':
+        case 'api-coverage':
+            return hasRepoEvidence
+                ? 'not collected in this confidence run'
+                : 'repo scoring not run — no repo provided';
+        case 'ci-results':
+            return 'CI status not ingested — no ci-results source wired';
+        default:
+            return 'not collected';
+    }
+}
+function buildUncollectedHonestyNote(source, reason, rawWeight) {
+    const pct = Math.round(rawWeight * 100);
+    return `'${source}' not collected (${pct}% raw model weight): ${reason}.`;
+}
+function buildCoverageSummaryNote(scoredSourceCount, modelSourceCount, rawWeightScored, rawWeightModel) {
+    const coveragePct = rawWeightModel > 0 ? Math.round((rawWeightScored / rawWeightModel) * 100) : 0;
+    return (`Partial evidence: verdict computed on ${scoredSourceCount} of ${modelSourceCount} model sources ` +
+        `(~${coveragePct}% of raw model weight). Collected weights were renormalized to 100% for the score.`);
+}
+function isPositiveEvidence(text) {
+    if (/appear covered/i.test(text))
+        return true;
+    if (/Automation maturity: L\d/i.test(text))
+        return true;
+    if (/No a11y gaps/i.test(text))
+        return true;
+    if (/^L\d —/i.test(text))
+        return true;
+    if (/^releaseConfidence=/i.test(text))
+        return true;
+    if (/^coverageScore=/i.test(text))
+        return true;
+    if (/^No .* gaps detected/i.test(text))
+        return true;
+    return false;
+}
+function extractItemRisks(item, passThreshold) {
+    const risks = [];
+    if (item.blocking) {
+        if (item.reason)
+            risks.push(item.reason);
+        risks.push(...item.evidence.filter((entry) => !isPositiveEvidence(entry)));
+        return risks;
+    }
+    const applicability = item.applicability ?? 'applicable';
+    if (applicability === 'unknown' || item.score === null) {
+        if (item.reason)
+            risks.push(`${item.source}: ${item.reason}`);
+        risks.push(...item.evidence.filter((entry) => !isPositiveEvidence(entry) && /(gap|critical|high|untested|uncovered|missing|block|fail|warning|auth|blocked)/i.test(entry)));
+        return risks;
+    }
+    if (applicability === 'not_applicable') {
+        if (item.reason)
+            risks.push(`${item.source}: ${item.reason}`);
+        return risks;
+    }
+    if (item.score !== null && item.score < passThreshold) {
+        risks.push(...item.evidence.filter((entry) => !isPositiveEvidence(entry)));
+        if (item.score < passThreshold) {
+            risks.push(`${item.source} scored ${item.score}/100 — below pass threshold (${passThreshold}).`);
+        }
+    }
+    else {
+        risks.push(...item.evidence.filter((entry) => !isPositiveEvidence(entry) &&
+            /(gap|critical|high|untested|uncovered|missing|block|fail|warning|penalty|below)/i.test(entry)));
+    }
+    return risks;
+}
 /**
  * Compute the fused Release Confidence result from an evidence bundle.
  *
@@ -137,29 +236,56 @@ export function computeReleaseConfidence(input) {
     }
     // Level / label from shared ladder.
     const { level, label } = scoreLevel(confidenceScore ?? 0);
-    // Honesty notes — one per degraded/excluded source.
+    const presentSources = new Set(input.evidence.map((item) => item.source));
+    const uncollectedSources = MODEL_SOURCES.filter((source) => !presentSources.has(source));
+    const modelWeightSum = MODEL_SOURCES.reduce((sum, source) => sum + resolveModelWeight(source, policy.weights), 0);
+    // Honesty notes — partial-run summary first, then present-but-excluded sources (must not
+    // be truncated by maxListLength), then uncollected model sources.
     const honestyNotes = [];
+    if (uncollectedSources.length > 0 || (weightSum > 0 && weightSum < modelWeightSum - 0.001)) {
+        honestyNotes.push(buildCoverageSummaryNote(applicable.length, MODEL_SOURCES.length, weightSum, modelWeightSum));
+    }
     for (const item of excluded) {
         honestyNotes.push(buildHonestyNote(item));
     }
-    // Also note any blocking items that aren't in the excluded set.
+    for (const source of uncollectedSources) {
+        const rawWeight = resolveModelWeight(source, policy.weights);
+        const reason = inferUncollectedReason(source, presentSources);
+        honestyNotes.push(buildUncollectedHonestyNote(source, reason, rawWeight));
+    }
     for (const item of blockingItems) {
         if ((item.applicability ?? 'applicable') === 'applicable' && item.score !== null) {
             honestyNotes.push(`'${item.source}' is a hard blocker${item.reason ? ': ' + item.reason : ''}.`);
         }
     }
-    // Top risks — merge evidence across sources, severity-sorted by position.
-    const allRisks = [
-        ...blockingItems.flatMap((item) => item.evidence),
-        ...input.evidence
-            .filter((item) => (item.applicability ?? 'applicable') === 'applicable')
-            .sort((a, b) => (a.score ?? 0) - (b.score ?? 0))
-            .flatMap((item) => item.evidence),
-    ];
-    const topRisks = [...new Set(allRisks)].slice(0, limit);
-    // Recommended next checks — merge and deduplicate.
-    const allRecs = input.evidence.flatMap((item) => item.recommendations ?? []);
-    const recommendedNextChecks = [...new Set(allRecs)].slice(0, limit);
+    // Top risks — gaps and blockers only; never surface coverage successes as risks.
+    const allRisks = [];
+    for (const source of uncollectedSources) {
+        const rawWeight = resolveModelWeight(source, policy.weights);
+        if (rawWeight >= 0.10) {
+            const reason = inferUncollectedReason(source, presentSources);
+            allRisks.push(`Uncollected high-weight evidence: ${source} (${Math.round(rawWeight * 100)}% raw weight) — ${reason}.`);
+        }
+    }
+    for (const item of blockingItems) {
+        allRisks.push(...extractItemRisks(item, policy.passThreshold));
+    }
+    for (const item of [...excluded].sort((a, b) => resolveWeight(a, policy.weights) - resolveWeight(b, policy.weights))) {
+        allRisks.push(...extractItemRisks(item, policy.passThreshold));
+    }
+    for (const item of [...applicable].sort((a, b) => (a.score ?? 0) - (b.score ?? 0))) {
+        allRisks.push(...extractItemRisks(item, policy.passThreshold));
+    }
+    const topRisks = [...new Set(allRisks.filter(Boolean))].slice(0, limit);
+    // Recommended next checks — concrete actions for uncollected sources plus per-item recommendations.
+    const allRecs = [];
+    for (const source of uncollectedSources) {
+        const rec = UNCOLLECTED_NEXT_CHECKS[source];
+        if (rec)
+            allRecs.push(rec);
+    }
+    allRecs.push(...input.evidence.flatMap((item) => item.recommendations ?? []));
+    const recommendedNextChecks = [...new Set(allRecs.filter(Boolean))].slice(0, limit);
     const result = {
         schemaVersion: 1,
         computedAt: now,

package/dist/tools/scoring/prompt-leakage.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Prompt-leakage detector — gap category `prompt-leakage`.
+ *
+ * Flags when a web page inadvertently exposes AI system-prompt / agent
+ * instructions in its public surface: inline scripts, HTML comments, meta
+ * tags, visible text, response headers, or error bodies.
+ *
+ * CONSERVATIVE design: every signal requires TWO corroborating markers
+ * before generating a Gap, to keep the false-positive rate low.
+ * A page that merely uses the word "AI" or "assistant" will NOT trip.
+ *
+ * Heuristics are derived from first principles — the structural telltale
+ * shapes of an exposed instruction block.  No third-party leaked-prompt
+ * text or vendor identifiers were used.
+ */
+import type { Gap } from '../../schemas/gap-analysis.schema.js';
+import type { Route } from '../../schemas/route-inventory.schema.js';
+/**
+ * Scan a captured page surface for signals that an AI system prompt or agent
+ * instructions are exposed in its public surface.
+ *
+ * Accepts the `Route` shape from `route-inventory.schema.ts`, which now
+ * includes the optional `headers` and `bodySnippet` fields.
+ *
+ * Returns an array of `Gap` objects with `category: 'prompt-leakage'`.
+ * Returns an empty array when no signals are found.
+ */
+export declare function detectPromptLeakage(route: Pick<Route, 'path' | 'headers' | 'bodySnippet'>): Gap[];
+//# sourceMappingURL=prompt-leakage.d.ts.map

package/dist/tools/scoring/prompt-leakage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-leakage.d.ts","sourceRoot":"","sources":["../../../src/tools/scoring/prompt-leakage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,sCAAsC,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,yCAAyC,CAAC;AAqLrE;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,aAAa,CAAC,GAAG,GAAG,EAAE,CAgGjG"}

package/dist/tools/scoring/prompt-leakage.js

@@ -0,0 +1,256 @@
+/**
+ * Prompt-leakage detector — gap category `prompt-leakage`.
+ *
+ * Flags when a web page inadvertently exposes AI system-prompt / agent
+ * instructions in its public surface: inline scripts, HTML comments, meta
+ * tags, visible text, response headers, or error bodies.
+ *
+ * CONSERVATIVE design: every signal requires TWO corroborating markers
+ * before generating a Gap, to keep the false-positive rate low.
+ * A page that merely uses the word "AI" or "assistant" will NOT trip.
+ *
+ * Heuristics are derived from first principles — the structural telltale
+ * shapes of an exposed instruction block.  No third-party leaked-prompt
+ * text or vendor identifiers were used.
+ */
+import { randomUUID } from 'node:crypto';
+// ---------------------------------------------------------------------------
+// Pattern constants — all original heuristics; no vendor identifiers
+// ---------------------------------------------------------------------------
+/**
+ * Patterns that mark the OPENING of a system-instruction block.
+ * These alone are weak — we require corroboration.
+ */
+const ROLE_DIRECTIVE_RE = /\b(?:you\s+are\s+(?:an?\s+)?(?:ai|assistant|agent|bot|helpful|language\s+model)|act\s+as\s+(?:an?\s+)?(?:ai|assistant|agent|bot)|your\s+(?:role|persona|job|task|purpose)\s+is\s+to|i\s+am\s+(?:an?\s+)?(?:ai|assistant|agent|bot)|as\s+(?:an?\s+)?(?:ai|assistant|agent|language\s+model))\b/i;
+/**
+ * Patterns that mark instruction-block structural keywords.
+ * Typical in system prompts to delineate sections/rules.
+ */
+const INSTRUCTION_KEYWORD_RE = /\b(?:do\s+not\s+(?:reveal|disclose|share|tell|mention|discuss)\s+(?:this|these|your\s+instructions?|the\s+(?:system\s+)?prompt)|never\s+(?:reveal|disclose|share|tell)\s+(?:this|these|your|the)\b|keep\s+(?:this|these|the\s+following)\s+(?:confidential|secret|private|hidden)|do\s+not\s+(?:break|exit|leave)\s+(?:character|role|persona)|stay\s+in\s+character|maintain\s+(?:your\s+)?(?:persona|role|character))\b/i;
+/**
+ * Markers that signal a tool/function definition block being echoed back
+ * (e.g. an OpenAI-style function spec or a Claude tool_use block).
+ */
+const TOOL_DEFINITION_RE = /(?:"function_call"\s*:|"tool_use"\s*:|"tools"\s*:\s*\[|"tool_name"\s*:|function\s+definitions?\s*:)/i;
+/**
+ * Structural markers of a multi-turn instruction payload being echoed:
+ * system/user/assistant roles in JSON or XML-style markup.
+ */
+const SYSTEM_ROLE_BLOCK_RE = /(?:"role"\s*:\s*"system"|<\s*system\s*>[\s\S]{10,}<\s*\/\s*system\s*>|<\s*instructions?\s*>[\s\S]{10,}<\s*\/\s*instructions?\s*>|\[\s*INST\s*\][\s\S]{10,}\[\/\s*INST\s*\])/i;
+/**
+ * Header names that should never expose agent instructions.
+ */
+const LEAKY_HEADER_NAMES_RE = /^(?:x-system-prompt|x-agent-instructions?|x-llm-prompt|x-ai-context|x-openai-system|x-anthropic-system|x-bot-instructions?)$/i;
+/**
+ * Markers that suggest a debug-mode echo of the model's instructions
+ * inside an error or JSON response body.
+ */
+const DEBUG_ECHO_RE = /(?:"system_prompt"\s*:|"system_message"\s*:|"instructions"\s*:\s*"[^"]{50,}"|"agent_instructions"\s*:|"prompt_template"\s*:)/i;
+// ---------------------------------------------------------------------------
+// Helper utilities
+// ---------------------------------------------------------------------------
+/** Strip HTML tags, returning visible text only. */
+function stripHtml(html) {
+    return html.replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim();
+}
+/** Extract content of HTML comments. */
+function extractComments(html) {
+    const results = [];
+    const re = /<!--([\s\S]*?)-->/g;
+    let m;
+    while ((m = re.exec(html)) !== null) {
+        const content = m[1]?.trim() ?? '';
+        if (content.length > 0)
+            results.push(content);
+    }
+    return results;
+}
+/** Extract inline <script> content (non-src scripts). */
+function extractInlineScripts(html) {
+    const results = [];
+    const re = /<script(?![^>]+\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
+    let m;
+    while ((m = re.exec(html)) !== null) {
+        const content = m[1]?.trim() ?? '';
+        if (content.length > 0)
+            results.push(content);
+    }
+    return results;
+}
+/** Extract <meta> tag content values. */
+function extractMetaContents(html) {
+    const results = [];
+    const re = /<meta[^>]+content\s*=\s*["']([^"']{30,})["'][^>]*>/gi;
+    let m;
+    while ((m = re.exec(html)) !== null) {
+        const content = m[1]?.trim() ?? '';
+        if (content.length > 0)
+            results.push(content);
+    }
+    return results;
+}
+/** Truncate a string for embedding in gap evidence. */
+function truncate(s, max = 200) {
+    return s.length <= max ? s : `${s.slice(0, max)}…`;
+}
+// ---------------------------------------------------------------------------
+// Two-signal corroboration check
+//
+// A "leak" is flagged only when BOTH a role-directive AND at least one of the
+// structural markers co-occur in the same text block.  This prevents a single
+// casual mention of "AI" from tripping the detector.
+// ---------------------------------------------------------------------------
+function detectInBlock(text, location) {
+    const hasRoleDirective = ROLE_DIRECTIVE_RE.test(text);
+    const hasToolDef = TOOL_DEFINITION_RE.test(text);
+    const hasSystemRoleBlock = SYSTEM_ROLE_BLOCK_RE.test(text);
+    const hasInstructionKeyword = INSTRUCTION_KEYWORD_RE.test(text);
+    const hasDebugEcho = DEBUG_ECHO_RE.test(text);
+    // Highest confidence: a role directive + an explicit secrecy/instruction keyword
+    if (hasRoleDirective && hasInstructionKeyword) {
+        const match = text.match(ROLE_DIRECTIVE_RE)?.[0] ?? '';
+        return {
+            description: `Role-framing directive with instruction confidentiality keyword in ${location}`,
+            evidence: truncate(`${match} … [instruction keyword found]`),
+            severity: 'critical',
+        };
+    }
+    // High confidence: system-role JSON/XML block containing a role directive
+    if (hasSystemRoleBlock && hasRoleDirective) {
+        return {
+            description: `System-role payload block with role directive in ${location}`,
+            evidence: truncate(text.match(SYSTEM_ROLE_BLOCK_RE)?.[0] ?? text),
+            severity: 'high',
+        };
+    }
+    // High confidence: tool/function definition echoed in page surface with role directive
+    if (hasToolDef && hasRoleDirective) {
+        return {
+            description: `Tool/function definition block with role directive in ${location}`,
+            evidence: truncate(text.match(TOOL_DEFINITION_RE)?.[0] ?? text),
+            severity: 'high',
+        };
+    }
+    // Medium confidence: debug echo of system prompt field in JSON
+    if (hasDebugEcho && (hasRoleDirective || hasSystemRoleBlock)) {
+        return {
+            description: `Debug-mode system-prompt echo in ${location}`,
+            evidence: truncate(text.match(DEBUG_ECHO_RE)?.[0] ?? text),
+            severity: 'high',
+        };
+    }
+    // Lower confidence: standalone debug echo field (without corroborating role directive)
+    // Still worth flagging if the field name alone is a strong indicator
+    if (hasDebugEcho && text.length > 100) {
+        return {
+            description: `Possible debug-mode prompt field echo in ${location}`,
+            evidence: truncate(text.match(DEBUG_ECHO_RE)?.[0] ?? text),
+            severity: 'medium',
+        };
+    }
+    return null;
+}
+// ---------------------------------------------------------------------------
+// Public detector
+// ---------------------------------------------------------------------------
+/**
+ * Scan a captured page surface for signals that an AI system prompt or agent
+ * instructions are exposed in its public surface.
+ *
+ * Accepts the `Route` shape from `route-inventory.schema.ts`, which now
+ * includes the optional `headers` and `bodySnippet` fields.
+ *
+ * Returns an array of `Gap` objects with `category: 'prompt-leakage'`.
+ * Returns an empty array when no signals are found.
+ */
+export function detectPromptLeakage(route) {
+    const gaps = [];
+    const path = route.path;
+    const html = route.bodySnippet ?? '';
+    // 1. Check inline scripts
+    for (const script of extractInlineScripts(html)) {
+        const signal = detectInBlock(script, 'inline-script');
+        if (signal) {
+            gaps.push({
+                id: randomUUID(),
+                path,
+                severity: signal.severity,
+                reason: signal.description,
+                category: 'prompt-leakage',
+                description: `Prompt-leakage signal detected in inline JavaScript: ${signal.evidence}`,
+                recommendation: 'Remove agent instruction content from client-facing JavaScript. Never embed system prompts in frontend bundles or inline scripts.',
+            });
+        }
+    }
+    // 2. Check HTML comments
+    for (const comment of extractComments(html)) {
+        const signal = detectInBlock(comment, 'HTML-comment');
+        if (signal) {
+            gaps.push({
+                id: randomUUID(),
+                path,
+                severity: signal.severity,
+                reason: signal.description,
+                category: 'prompt-leakage',
+                description: `Prompt-leakage signal detected in HTML comment: ${signal.evidence}`,
+                recommendation: 'Remove agent instructions from HTML comments. Comments are visible in page source.',
+            });
+        }
+    }
+    // 3. Check meta tag content
+    for (const content of extractMetaContents(html)) {
+        const signal = detectInBlock(content, 'meta-tag');
+        if (signal) {
+            gaps.push({
+                id: randomUUID(),
+                path,
+                severity: signal.severity,
+                reason: signal.description,
+                category: 'prompt-leakage',
+                description: `Prompt-leakage signal detected in meta tag: ${signal.evidence}`,
+                recommendation: 'Remove agent instructions from HTML meta tags. Meta content is public.',
+            });
+        }
+    }
+    // 4. Check visible body text (stripped of tags)
+    if (html.length > 0) {
+        const visible = stripHtml(html);
+        const signal = detectInBlock(visible, 'page-body');
+        if (signal) {
+            gaps.push({
+                id: randomUUID(),
+                path,
+                severity: signal.severity,
+                reason: signal.description,
+                category: 'prompt-leakage',
+                description: `Prompt-leakage signal detected in visible page body: ${signal.evidence}`,
+                recommendation: 'Ensure agent instructions are never rendered into visible page content. Check debug/error pages.',
+            });
+        }
+    }
+    // 5. Check response headers
+    const headers = route.headers ?? {};
+    for (const [name, value] of Object.entries(headers)) {
+        if (LEAKY_HEADER_NAMES_RE.test(name)) {
+            gaps.push({
+                id: randomUUID(),
+                path,
+                severity: 'critical',
+                reason: `Response header "${name}" exposes agent configuration`,
+                category: 'prompt-leakage',
+                description: `Header "${name}: ${truncate(value, 80)}" should not be sent to clients.`,
+                recommendation: `Remove the "${name}" response header. Agent configuration must never be transmitted to the browser.`,
+            });
+        }
+    }
+    // Deduplicate by (path + severity + reason) to avoid double-counting when
+    // the same signal appears in multiple extraction contexts.
+    const seen = new Set();
+    return gaps.filter((g) => {
+        const key = `${g.path}::${g.severity}::${g.reason}`;
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qulib/core",
-  "version": "0.9.0",
+  "version": "0.10.1",
   "description": "Qulib — release confidence for deployed web apps. Fuses live-app quality, automation maturity, and API coverage into a single ship/caution/hold/block verdict.",
   "license": "MIT",
   "author": "Tapesh Nagarwal",
@@ -23,7 +23,11 @@
     "accessibility",
     "playwright",
     "mcp",
-    "ai"
+    "ai",
+    "ci-gate",
+    "test-confidence",
+    "web-quality",
+    "wcag"
   ],
   "publishConfig": {
     "access": "public"
@@ -52,7 +56,7 @@
     "build": "tsc",
     "prepack": "npm run build",
     "prepublishOnly": "npm run build",
-    "test": "node --import tsx/esm --test src/llm/__tests__/cost-intelligence.test.ts src/llm/__tests__/context-builder.test.ts src/tools/scoring/__tests__/gaps.test.ts src/tools/auth/__tests__/gaps.test.ts src/tools/auth/__tests__/detect.test.ts src/tools/scoring/__tests__/automation-maturity.test.ts src/tools/scoring/__tests__/api-coverage.test.ts src/tools/scoring/__tests__/automation-maturity-with-api.test.ts src/harness/__tests__/state-manager.test.ts src/telemetry/__tests__/redact-url.test.ts src/cli/__tests__/auth-login.test.ts src/cli/__tests__/cli-version.test.ts src/cli/__tests__/bin-shim.test.ts src/cli/__tests__/score-automation.test.ts src/cli/__tests__/scaffold.test.ts src/__tests__/agent-summary.test.ts src/__tests__/cli-agent-summary.test.ts src/__tests__/analyze.storage-state-invalid.test.ts src/__tests__/analyze.fixtures.test.ts src/adapters/__tests__/playwright-adapter.test.ts src/adapters/__tests__/api-adapter.test.ts src/adapters/__tests__/ci-results-adapter.test.ts src/adapters/__tests__/pr-metadata-adapter.test.ts src/adapters/__tests__/validate-specs.test.ts src/tools/repo/__tests__/api-surface.test.ts src/baseline/__tests__/baseline.test.ts evals/runner/__tests__/runner.test.ts evals/judge/__tests__/judge.test.ts src/tools/scoring/__tests__/confidence.test.ts src/tools/scoring/__tests__/confidence-from-qulib.test.ts src/tools/scoring/__tests__/confidence-views.test.ts src/cli/__tests__/confidence.test.ts src/__tests__/notquality-dogfood.test.ts src/cli/__tests__/default-config-fallback.test.ts",
+    "test": "node --import tsx/esm --test src/llm/__tests__/cost-intelligence.test.ts src/llm/__tests__/context-builder.test.ts src/tools/scoring/__tests__/gaps.test.ts src/tools/auth/__tests__/gaps.test.ts src/tools/auth/__tests__/detect.test.ts src/tools/scoring/__tests__/automation-maturity.test.ts src/tools/scoring/__tests__/api-coverage.test.ts src/tools/scoring/__tests__/automation-maturity-with-api.test.ts src/harness/__tests__/state-manager.test.ts src/telemetry/__tests__/redact-url.test.ts src/cli/__tests__/auth-login.test.ts src/cli/__tests__/cli-version.test.ts src/cli/__tests__/bin-shim.test.ts src/cli/__tests__/score-automation.test.ts src/cli/__tests__/scaffold.test.ts src/__tests__/agent-summary.test.ts src/__tests__/cli-agent-summary.test.ts src/__tests__/analyze.storage-state-invalid.test.ts src/__tests__/analyze.fixtures.test.ts src/adapters/__tests__/playwright-adapter.test.ts src/adapters/__tests__/api-adapter.test.ts src/adapters/__tests__/ci-results-adapter.test.ts src/adapters/__tests__/pr-metadata-adapter.test.ts src/adapters/__tests__/validate-specs.test.ts src/tools/repo/__tests__/api-surface.test.ts src/baseline/__tests__/baseline.test.ts evals/runner/__tests__/runner.test.ts evals/runner/__tests__/golden-manifest.test.ts evals/judge/__tests__/judge.test.ts src/tools/scoring/__tests__/confidence.test.ts src/tools/scoring/__tests__/confidence-from-qulib.test.ts src/tools/scoring/__tests__/confidence-views.test.ts src/cli/__tests__/confidence.test.ts src/__tests__/notquality-dogfood.test.ts src/cli/__tests__/default-config-fallback.test.ts src/cli/__tests__/baseline.test.ts src/cli/__tests__/naming-aliases.test.ts src/cli/__tests__/analyze-diff.test.ts src/reporters/__tests__/heatmap.test.ts src/tools/scoring/__tests__/prompt-leakage.test.ts",
     "test:integration": "node --import tsx/esm --test src/__tests__/analyze.integration.test.ts",
     "eval": "node --import tsx/esm evals/runner/index.ts",
     "eval:judge": "node --import tsx/esm evals/judge/eval-judge.ts",
@@ -71,6 +75,6 @@
   "devDependencies": {
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^20.0.0",
-    "tsx": "^4.11.0"
+    "tsx": "^4.22.4"
   }
 }