@riddledc/riddle-proof 0.7.115 → 0.7.117

package/README.md

@@ -198,10 +198,27 @@ generic inline-script warning threshold. Use `--strict=true` when you
 deliberately want Riddle's non-critical script-safety warnings to block the run.
 Critical script-safety violations remain blocked by Riddle either way.
 
-The package includes a generic starter profile at
-`examples/profiles/page-content-basic.json`; copy that shape into a repository
-profile directory and replace the selector/text checks with app-specific
-invariants.
+The package includes generic starter profiles:
+
+- `examples/profiles/page-content-basic.json` for route/content/layout smoke profiles.
+- `examples/profiles/route-inventory-basic.json` for source-link and direct-route audits.
+- `examples/profiles/handled-recovery-list-load.json` for malformed list-load recovery profiles.
+
+Copy one of those shapes into a repository profile directory and replace the
+routes, selectors, mock URLs, and text checks with app-specific invariants.
+
+For handled recovery profiles, prefer proving the whole boundary instead of
+only checking that an error message appears. Mock one dependent endpoint into a
+malformed or failed response, keep independent endpoints healthy, and assert
+that the page still renders the independent evidence. Capture a setup
+screenshot immediately after the recovery state appears, before high-risk
+absence assertions, so failing runs keep durable visual evidence. Then reject
+raw parser text such as `SyntaxError`, `Expected property name`, and
+`[object Object]`; reject contradictory empty-state copy such as `No items yet`
+when the list failed to load; and keep `no_fatal_console_errors` plus
+`no_console_warnings` in the final checks. This pattern catches both visible
+recovery-quality bugs and hidden browser-health debt without requiring a
+separate CI or wrapper-specific path.
 
 Checks normally apply to every captured viewport. Add `viewports` (or
 `viewport_names`) to a check when responsive UI intentionally exposes an

package/dist/{chunk-QOOPPRYK.js → chunk-SBOGXOV5.js}

@@ -699,6 +699,38 @@ function collectRiddleProofProfileWarnings(profile) {
   }
   return warnings;
 }
+function profileStatusProbeCounts(profile) {
+  let httpStatus = 0;
+  let linkStatus = 0;
+  for (const check of profile.checks || []) {
+    if (check.type === "http_status") httpStatus += 1;
+    if (check.type === "link_status" || check.type === "artifact_link_status") linkStatus += 1;
+  }
+  return { httpStatus, linkStatus };
+}
+function riddleApiStrictSafetyWarnings(blocker) {
+  const rawWarnings = Array.isArray(blocker?.warnings) ? blocker.warnings.filter((warning) => typeof warning === "string") : [];
+  const errorText = typeof blocker?.error === "string" ? blocker.error.toLowerCase() : "";
+  const hasSafetyError = errorText.includes("potentially unsafe operations");
+  const hasDirectNetworkWarning = rawWarnings.some((warning) => warning.toLowerCase().includes("direct network operations"));
+  return hasSafetyError || hasDirectNetworkWarning ? rawWarnings : [];
+}
+function collectRiddleProofProfileEnvironmentBlockedWarnings(profile, blocker) {
+  const warnings = collectRiddleProofProfileWarnings(profile);
+  const safetyWarnings = riddleApiStrictSafetyWarnings(blocker);
+  if (!safetyWarnings.length) return warnings;
+  const counts = profileStatusProbeCounts(profile);
+  const statusProbeCount = counts.httpStatus + counts.linkStatus;
+  if (!statusProbeCount) return warnings;
+  const parts = [
+    counts.httpStatus ? `${counts.httpStatus} http_status` : "",
+    counts.linkStatus ? `${counts.linkStatus} link_status/artifact_link_status` : ""
+  ].filter(Boolean);
+  warnings.push(
+    `Riddle API strict script validation blocked a hosted profile runner with ${parts.join(" and ")} check(s). These checks intentionally collect endpoint/link evidence from inside the generated browser runner; hosted run-profile defaults to --strict=false, so omit --strict=true or rerun with --strict=false for trusted generated profile runs.`
+  );
+  return warnings;
+}
 function normalizeRouteInventoryPath(value, label) {
   const path = stringValue(value);
   if (!path) throw new Error(`${label} requires path.`);
@@ -2223,7 +2255,7 @@ function createRiddleProofProfileConfigurationError(name, error, runner = "riddl
 function createRiddleProofProfileEnvironmentBlockedResult(input) {
   const message = input.error instanceof Error ? input.error.message : input.error ? String(input.error) : "Riddle runner did not complete successfully.";
   const environmentBlocker = extractRiddleRunnerBlocker(message);
-  const warnings = collectRiddleProofProfileWarnings(input.profile);
+  const warnings = collectRiddleProofProfileEnvironmentBlockedWarnings(input.profile, environmentBlocker);
   return {
     version: RIDDLE_PROOF_PROFILE_RESULT_VERSION,
     profile_name: input.profile.name,
@@ -2266,6 +2298,11 @@ function extractRiddleRunnerBlocker(message) {
   for (const key of ["error", "required_seconds", "available_seconds", "deficit_seconds", "minimum_purchase_dollars"]) {
     copyScalar(key);
   }
+  const warnings = payload?.warnings;
+  if (Array.isArray(warnings)) {
+    const warningStrings = warnings.filter((warning) => typeof warning === "string");
+    if (warningStrings.length) details.warnings = warningStrings;
+  }
   const httpStatus = typeof details.http_status === "number" ? details.http_status : void 0;
   const errorText = typeof details.error === "string" ? details.error.toLowerCase() : "";
   if (httpStatus === 402 && errorText.includes("balance")) {

package/dist/cli.cjs

@@ -7636,6 +7636,38 @@ function collectRiddleProofProfileWarnings(profile) {
   }
   return warnings;
 }
+function profileStatusProbeCounts(profile) {
+  let httpStatus = 0;
+  let linkStatus = 0;
+  for (const check of profile.checks || []) {
+    if (check.type === "http_status") httpStatus += 1;
+    if (check.type === "link_status" || check.type === "artifact_link_status") linkStatus += 1;
+  }
+  return { httpStatus, linkStatus };
+}
+function riddleApiStrictSafetyWarnings(blocker) {
+  const rawWarnings = Array.isArray(blocker?.warnings) ? blocker.warnings.filter((warning) => typeof warning === "string") : [];
+  const errorText = typeof blocker?.error === "string" ? blocker.error.toLowerCase() : "";
+  const hasSafetyError = errorText.includes("potentially unsafe operations");
+  const hasDirectNetworkWarning = rawWarnings.some((warning) => warning.toLowerCase().includes("direct network operations"));
+  return hasSafetyError || hasDirectNetworkWarning ? rawWarnings : [];
+}
+function collectRiddleProofProfileEnvironmentBlockedWarnings(profile, blocker) {
+  const warnings = collectRiddleProofProfileWarnings(profile);
+  const safetyWarnings = riddleApiStrictSafetyWarnings(blocker);
+  if (!safetyWarnings.length) return warnings;
+  const counts = profileStatusProbeCounts(profile);
+  const statusProbeCount = counts.httpStatus + counts.linkStatus;
+  if (!statusProbeCount) return warnings;
+  const parts = [
+    counts.httpStatus ? `${counts.httpStatus} http_status` : "",
+    counts.linkStatus ? `${counts.linkStatus} link_status/artifact_link_status` : ""
+  ].filter(Boolean);
+  warnings.push(
+    `Riddle API strict script validation blocked a hosted profile runner with ${parts.join(" and ")} check(s). These checks intentionally collect endpoint/link evidence from inside the generated browser runner; hosted run-profile defaults to --strict=false, so omit --strict=true or rerun with --strict=false for trusted generated profile runs.`
+  );
+  return warnings;
+}
 function normalizeRouteInventoryPath(value, label) {
   const path7 = stringValue2(value);
   if (!path7) throw new Error(`${label} requires path.`);
@@ -9144,7 +9176,7 @@ function profileStatusExitCode(profile, status) {
 function createRiddleProofProfileEnvironmentBlockedResult(input) {
   const message = input.error instanceof Error ? input.error.message : input.error ? String(input.error) : "Riddle runner did not complete successfully.";
   const environmentBlocker = extractRiddleRunnerBlocker(message);
-  const warnings = collectRiddleProofProfileWarnings(input.profile);
+  const warnings = collectRiddleProofProfileEnvironmentBlockedWarnings(input.profile, environmentBlocker);
   return {
     version: RIDDLE_PROOF_PROFILE_RESULT_VERSION,
     profile_name: input.profile.name,
@@ -9187,6 +9219,11 @@ function extractRiddleRunnerBlocker(message) {
   for (const key of ["error", "required_seconds", "available_seconds", "deficit_seconds", "minimum_purchase_dollars"]) {
     copyScalar(key);
   }
+  const warnings = payload?.warnings;
+  if (Array.isArray(warnings)) {
+    const warningStrings = warnings.filter((warning) => typeof warning === "string");
+    if (warningStrings.length) details.warnings = warningStrings;
+  }
   const httpStatus = typeof details.http_status === "number" ? details.http_status : void 0;
   const errorText = typeof details.error === "string" ? details.error.toLowerCase() : "";
   if (httpStatus === 402 && errorText.includes("balance")) {

package/dist/cli.js

@@ -10,7 +10,7 @@ import {
   profileStatusExitCode,
   resolveRiddleProofProfileTargetUrl,
   resolveRiddleProofProfileTimeoutSec
-} from "./chunk-QOOPPRYK.js";
+} from "./chunk-SBOGXOV5.js";
 import {
   createRiddleApiClient,
   parseRiddleViewport

package/dist/index.cjs

@@ -9429,6 +9429,38 @@ function collectRiddleProofProfileWarnings(profile) {
   }
   return warnings;
 }
+function profileStatusProbeCounts(profile) {
+  let httpStatus = 0;
+  let linkStatus = 0;
+  for (const check of profile.checks || []) {
+    if (check.type === "http_status") httpStatus += 1;
+    if (check.type === "link_status" || check.type === "artifact_link_status") linkStatus += 1;
+  }
+  return { httpStatus, linkStatus };
+}
+function riddleApiStrictSafetyWarnings(blocker) {
+  const rawWarnings = Array.isArray(blocker?.warnings) ? blocker.warnings.filter((warning) => typeof warning === "string") : [];
+  const errorText = typeof blocker?.error === "string" ? blocker.error.toLowerCase() : "";
+  const hasSafetyError = errorText.includes("potentially unsafe operations");
+  const hasDirectNetworkWarning = rawWarnings.some((warning) => warning.toLowerCase().includes("direct network operations"));
+  return hasSafetyError || hasDirectNetworkWarning ? rawWarnings : [];
+}
+function collectRiddleProofProfileEnvironmentBlockedWarnings(profile, blocker) {
+  const warnings = collectRiddleProofProfileWarnings(profile);
+  const safetyWarnings = riddleApiStrictSafetyWarnings(blocker);
+  if (!safetyWarnings.length) return warnings;
+  const counts = profileStatusProbeCounts(profile);
+  const statusProbeCount = counts.httpStatus + counts.linkStatus;
+  if (!statusProbeCount) return warnings;
+  const parts = [
+    counts.httpStatus ? `${counts.httpStatus} http_status` : "",
+    counts.linkStatus ? `${counts.linkStatus} link_status/artifact_link_status` : ""
+  ].filter(Boolean);
+  warnings.push(
+    `Riddle API strict script validation blocked a hosted profile runner with ${parts.join(" and ")} check(s). These checks intentionally collect endpoint/link evidence from inside the generated browser runner; hosted run-profile defaults to --strict=false, so omit --strict=true or rerun with --strict=false for trusted generated profile runs.`
+  );
+  return warnings;
+}
 function normalizeRouteInventoryPath(value, label) {
   const path6 = stringValue5(value);
   if (!path6) throw new Error(`${label} requires path.`);
@@ -10953,7 +10985,7 @@ function createRiddleProofProfileConfigurationError(name, error, runner = "riddl
 function createRiddleProofProfileEnvironmentBlockedResult(input) {
   const message = input.error instanceof Error ? input.error.message : input.error ? String(input.error) : "Riddle runner did not complete successfully.";
   const environmentBlocker = extractRiddleRunnerBlocker(message);
-  const warnings = collectRiddleProofProfileWarnings(input.profile);
+  const warnings = collectRiddleProofProfileEnvironmentBlockedWarnings(input.profile, environmentBlocker);
   return {
     version: RIDDLE_PROOF_PROFILE_RESULT_VERSION,
     profile_name: input.profile.name,
@@ -10996,6 +11028,11 @@ function extractRiddleRunnerBlocker(message) {
   for (const key of ["error", "required_seconds", "available_seconds", "deficit_seconds", "minimum_purchase_dollars"]) {
     copyScalar(key);
   }
+  const warnings = payload?.warnings;
+  if (Array.isArray(warnings)) {
+    const warningStrings = warnings.filter((warning) => typeof warning === "string");
+    if (warningStrings.length) details.warnings = warningStrings;
+  }
   const httpStatus = typeof details.http_status === "number" ? details.http_status : void 0;
   const errorText = typeof details.error === "string" ? details.error.toLowerCase() : "";
   if (httpStatus === 402 && errorText.includes("balance")) {

package/dist/index.js

@@ -59,7 +59,7 @@ import {
   resolveRiddleProofProfileTimeoutSec,
   slugifyRiddleProofProfileName,
   summarizeRiddleProofProfileResult
-} from "./chunk-QOOPPRYK.js";
+} from "./chunk-SBOGXOV5.js";
 import {
   DEFAULT_RIDDLE_API_BASE_URL,
   DEFAULT_RIDDLE_API_KEY_FILE,

package/dist/profile.cjs

@@ -743,6 +743,38 @@ function collectRiddleProofProfileWarnings(profile) {
   }
   return warnings;
 }
+function profileStatusProbeCounts(profile) {
+  let httpStatus = 0;
+  let linkStatus = 0;
+  for (const check of profile.checks || []) {
+    if (check.type === "http_status") httpStatus += 1;
+    if (check.type === "link_status" || check.type === "artifact_link_status") linkStatus += 1;
+  }
+  return { httpStatus, linkStatus };
+}
+function riddleApiStrictSafetyWarnings(blocker) {
+  const rawWarnings = Array.isArray(blocker?.warnings) ? blocker.warnings.filter((warning) => typeof warning === "string") : [];
+  const errorText = typeof blocker?.error === "string" ? blocker.error.toLowerCase() : "";
+  const hasSafetyError = errorText.includes("potentially unsafe operations");
+  const hasDirectNetworkWarning = rawWarnings.some((warning) => warning.toLowerCase().includes("direct network operations"));
+  return hasSafetyError || hasDirectNetworkWarning ? rawWarnings : [];
+}
+function collectRiddleProofProfileEnvironmentBlockedWarnings(profile, blocker) {
+  const warnings = collectRiddleProofProfileWarnings(profile);
+  const safetyWarnings = riddleApiStrictSafetyWarnings(blocker);
+  if (!safetyWarnings.length) return warnings;
+  const counts = profileStatusProbeCounts(profile);
+  const statusProbeCount = counts.httpStatus + counts.linkStatus;
+  if (!statusProbeCount) return warnings;
+  const parts = [
+    counts.httpStatus ? `${counts.httpStatus} http_status` : "",
+    counts.linkStatus ? `${counts.linkStatus} link_status/artifact_link_status` : ""
+  ].filter(Boolean);
+  warnings.push(
+    `Riddle API strict script validation blocked a hosted profile runner with ${parts.join(" and ")} check(s). These checks intentionally collect endpoint/link evidence from inside the generated browser runner; hosted run-profile defaults to --strict=false, so omit --strict=true or rerun with --strict=false for trusted generated profile runs.`
+  );
+  return warnings;
+}
 function normalizeRouteInventoryPath(value, label) {
   const path = stringValue(value);
   if (!path) throw new Error(`${label} requires path.`);
@@ -2267,7 +2299,7 @@ function createRiddleProofProfileConfigurationError(name, error, runner = "riddl
 function createRiddleProofProfileEnvironmentBlockedResult(input) {
   const message = input.error instanceof Error ? input.error.message : input.error ? String(input.error) : "Riddle runner did not complete successfully.";
   const environmentBlocker = extractRiddleRunnerBlocker(message);
-  const warnings = collectRiddleProofProfileWarnings(input.profile);
+  const warnings = collectRiddleProofProfileEnvironmentBlockedWarnings(input.profile, environmentBlocker);
   return {
     version: RIDDLE_PROOF_PROFILE_RESULT_VERSION,
     profile_name: input.profile.name,
@@ -2310,6 +2342,11 @@ function extractRiddleRunnerBlocker(message) {
   for (const key of ["error", "required_seconds", "available_seconds", "deficit_seconds", "minimum_purchase_dollars"]) {
     copyScalar(key);
   }
+  const warnings = payload?.warnings;
+  if (Array.isArray(warnings)) {
+    const warningStrings = warnings.filter((warning) => typeof warning === "string");
+    if (warningStrings.length) details.warnings = warningStrings;
+  }
   const httpStatus = typeof details.http_status === "number" ? details.http_status : void 0;
   const errorText = typeof details.error === "string" ? details.error.toLowerCase() : "";
   if (httpStatus === 402 && errorText.includes("balance")) {

package/dist/profile.js

@@ -20,7 +20,7 @@ import {
   resolveRiddleProofProfileTimeoutSec,
   slugifyRiddleProofProfileName,
   summarizeRiddleProofProfileResult
-} from "./chunk-QOOPPRYK.js";
+} from "./chunk-SBOGXOV5.js";
 export {
   RIDDLE_PROOF_PROFILE_CHECK_TYPES,
   RIDDLE_PROOF_PROFILE_EVIDENCE_VERSION,

package/examples/profiles/handled-recovery-list-load.json

@@ -0,0 +1,95 @@
+{
+  "version": "riddle-proof.profile.v1",
+  "name": "handled-recovery-list-load",
+  "target": {
+    "route": "/account",
+    "viewports": [
+      { "name": "mobile", "width": 390, "height": 844 },
+      { "name": "tablet", "width": 820, "height": 1180 },
+      { "name": "desktop", "width": 1440, "height": 1000 }
+    ],
+    "timeout_sec": 300,
+    "wait_ms": 800,
+    "network_mocks": [
+      {
+        "label": "account-summary",
+        "url": "**/api/account/summary",
+        "method": "GET",
+        "status": 200,
+        "content_type": "application/json",
+        "required_hit_count": 3,
+        "json": {
+          "available_time": "4h 0m",
+          "active_jobs": 2
+        }
+      },
+      {
+        "label": "recent-jobs",
+        "url": "**/api/jobs?limit=10",
+        "method": "GET",
+        "status": 200,
+        "content_type": "application/json",
+        "required_hit_count": 3,
+        "json": {
+          "jobs": [
+            {
+              "id": "job_recovery_template_survives",
+              "status": "completed"
+            }
+          ]
+        }
+      },
+      {
+        "label": "saved-items-malformed-load",
+        "url": "**/api/saved-items",
+        "method": "GET",
+        "status": 200,
+        "content_type": "application/json",
+        "required_hit_count": 3,
+        "body": "{not valid saved items json"
+      }
+    ],
+    "setup_actions": [
+      { "type": "clear_storage", "storage": "both", "reload": true },
+      { "type": "wait_for_selector", "selector": "[data-testid='account-page']", "timeout_ms": 30000 },
+      { "type": "wait_for_text", "selector": "body", "text": "4h 0m", "timeout_ms": 30000 },
+      { "type": "wait_for_text", "selector": "body", "text": "job_recovery_template_survives", "timeout_ms": 30000 },
+      { "type": "wait_for_text", "selector": "body", "text": "Failed to load saved items", "timeout_ms": 30000 },
+      { "type": "screenshot", "label": "saved-items-malformed-load-visible-recovery" },
+      { "type": "assert_text_absent", "selector": "body", "text": "No saved items yet", "timeout_ms": 1000 },
+      { "type": "assert_text_absent", "selector": "body", "text": "Expected property name", "timeout_ms": 1000 },
+      { "type": "assert_text_absent", "selector": "body", "text": "SyntaxError", "timeout_ms": 1000 },
+      { "type": "assert_text_absent", "selector": "body", "text": "[object Object]", "timeout_ms": 1000 }
+    ]
+  },
+  "checks": [
+    { "type": "route_loaded", "expected_path": "/account" },
+    { "type": "selector_visible", "selector": "[data-testid='account-page']" },
+    { "type": "selector_visible", "selector": "[data-testid='saved-items-error']" },
+    { "type": "text_visible", "text": "4h 0m" },
+    { "type": "text_visible", "text": "2 active" },
+    { "type": "text_visible", "text": "job_recovery_template_survives" },
+    { "type": "text_visible", "text": "Failed to load saved items" },
+    { "type": "text_absent", "text": "No saved items yet" },
+    { "type": "text_absent", "text": "Expected property name" },
+    { "type": "text_absent", "text": "SyntaxError" },
+    { "type": "text_absent", "text": "[object Object]" },
+    { "type": "text_absent", "text": "Application error" },
+    { "type": "selector_count_equals", "selector": "[data-testid='saved-items-error']", "expected_count": 1 },
+    { "type": "selector_count_equals", "selector": "[data-testid='recent-job-row']", "expected_count": 1 },
+    { "type": "selector_count_equals", "selector": "[data-testid='saved-item-row']", "expected_count": 0 },
+    { "type": "no_horizontal_overflow", "max_overflow_px": 1 },
+    { "type": "no_fatal_console_errors" },
+    { "type": "no_console_warnings" }
+  ],
+  "artifacts": ["screenshot", "console", "dom_summary", "proof_json"],
+  "baseline_policy": "invariant_only",
+  "failure_policy": {
+    "environment_blocked": "neutral",
+    "proof_insufficient": "fail",
+    "product_regression": "fail"
+  },
+  "metadata": {
+    "purpose": "Template for handled malformed list-load recovery: prove independent page data still renders, the failed list shows one recovery message, contradictory empty-state copy and raw parser text stay absent, and browser console evidence remains clean."
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@riddledc/riddle-proof",
-  "version": "0.7.115",
+  "version": "0.7.117",
   "description": "Reusable Riddle Proof contracts and helpers for evidence-backed agent changes.",
   "license": "MIT",
   "author": "RiddleDC",