@veraxhq/verax 0.1.0 → 0.2.1

package/src/verax/learn/static-extractor.js

@@ -1,14 +1,13 @@
 import { glob } from 'glob';
-import { resolve, dirname, join, relative } from 'path';
+import { resolve, dirname, relative } from 'path';
 import { readFileSync, existsSync } from 'fs';
 import { parse } from 'node-html-parser';
-import { ExpectationProof } from '../shared/expectation-proof.js';
 
 const MAX_HTML_FILES = 200;
 
 function htmlFileToRoute(file) {
-  let path = file.replace(/[\\\/]/g, '/');
-  path = path.replace(/\/index\.html$/, '');
+  let path = file.replace(/[\\/]/g, '/');
+  path = path.replace(/\/index.html$/, '');
   path = path.replace(/\.html$/, '');
   path = path.replace(/^index$/, '');
   
@@ -121,7 +120,6 @@ function extractButtonNavigationExpectations(root, fromPath, file, routeMap, pro
         fromPath: fromPath,
         type: 'navigation',
         targetPath: targetPath,
-        proof: ExpectationProof.PROVEN_EXPECTATION,
         evidence: {
           source: file,
           selectorHint: selectorHint
@@ -151,7 +149,6 @@ function extractFormSubmissionExpectations(root, fromPath, file, routeMap, proje
       fromPath: fromPath,
       type: 'form_submission',
       targetPath: targetPath,
-      proof: ExpectationProof.PROVEN_EXPECTATION,
       evidence: {
         source: file,
         selectorHint: selectorHint
@@ -162,6 +159,105 @@ function extractFormSubmissionExpectations(root, fromPath, file, routeMap, proje
   return expectations;
 }
 
+function extractNetworkExpectations(root, fromPath, file, _projectDir) {
+  const expectations = [];
+  
+  // Extract from inline scripts
+  const scripts = root.querySelectorAll('script');
+  for (const script of scripts) {
+    const scriptContent = script.textContent || '';
+    if (!scriptContent) continue;
+    
+    // Find fetch() calls with string literals
+    const fetchMatches = scriptContent.matchAll(/fetch\s*\(\s*['"]([^'"]+)['"]/g);
+    for (const match of fetchMatches) {
+      const endpoint = match[1];
+      if (!endpoint) continue;
+      
+      // Only extract if it's an API endpoint (starts with /api/)
+      if (!endpoint.startsWith('/api/')) continue;
+      
+      // Find the button/function that triggers this
+      // Look for onclick handlers or function definitions
+      const buttonId = scriptContent.match(/getElementById\s*\(\s*['"]([^'"]+)['"]/)?.[1];
+      const functionName = scriptContent.match(/function\s+(\w+)\s*\(/)?.[1];
+      
+      let selectorHint = null;
+      if (buttonId) {
+        selectorHint = `#${buttonId}`;
+      } else if (functionName) {
+        // Try to find button with onclick that calls this function
+        const buttons = root.querySelectorAll(`button[onclick*="${functionName}"]`);
+        if (buttons.length > 0) {
+          const btn = buttons[0];
+          selectorHint = btn.id ? `#${btn.id}` : `button[onclick*="${functionName}"]`;
+        }
+      }
+      
+      if (selectorHint) {
+        // Determine method from fetch options if present
+        let method = 'GET';
+        const methodMatch = scriptContent.match(/method\s*:\s*['"]([^'"]+)['"]/i);
+        if (methodMatch) {
+          method = methodMatch[1].toUpperCase();
+        }
+        
+        expectations.push({
+          fromPath: fromPath,
+          type: 'network_action',
+          expectedTarget: endpoint,
+          urlPath: endpoint,
+          method: method,
+          proof: 'PROVEN_EXPECTATION',
+          sourceRef: `${file}:${scriptContent.indexOf(match[0])}`,
+          selectorHint: selectorHint,
+          evidence: {
+            source: file,
+            selectorHint: selectorHint
+          }
+        });
+      }
+    }
+  }
+  
+  // Also check onclick attributes directly
+  const buttons = root.querySelectorAll('button[onclick]');
+  for (const button of buttons) {
+    const onclick = button.getAttribute('onclick') || '';
+    const fetchMatch = onclick.match(/fetch\s*\(\s*['"]([^'"]+)['"]/);
+    if (fetchMatch) {
+      const endpoint = fetchMatch[1];
+      if (endpoint.startsWith('/api/')) {
+        const buttonId = button.getAttribute('id');
+        const selectorHint = buttonId ? `#${buttonId}` : `button[onclick*="${endpoint}"]`;
+        
+        let method = 'GET';
+        const methodMatch = onclick.match(/method\s*:\s*['"]([^'"]+)['"]/i);
+        if (methodMatch) {
+          method = methodMatch[1].toUpperCase();
+        }
+        
+        expectations.push({
+          fromPath: fromPath,
+          type: 'network_action',
+          expectedTarget: endpoint,
+          urlPath: endpoint,
+          method: method,
+          proof: 'PROVEN_EXPECTATION',
+          sourceRef: `${file}:onclick`,
+          selectorHint: selectorHint,
+          evidence: {
+            source: file,
+            selectorHint: selectorHint
+          }
+        });
+      }
+    }
+  }
+  
+  return expectations;
+}
+
 export async function extractStaticExpectations(projectDir, routes) {
   const expectations = [];
   const routeMap = new Map(routes.map(r => [r.path, r]));
@@ -190,16 +286,16 @@ export async function extractStaticExpectations(projectDir, routes) {
         const targetPath = resolveLinkPath(href, file, projectDir);
         if (!targetPath) continue;
         
-        if (!routeMap.has(targetPath)) continue;
-        
-        const linkText = link.textContent?.trim() || '';
+        // Extract expectation even if target route doesn't exist yet
+        // This allows detection of broken links or prevented navigation
+        // (The route may not exist, but the link promises navigation)
+        const _linkText = link.textContent?.trim() || '';
         const selectorHint = link.id ? `#${link.id}` : `a[href="${href}"]`;
         
         expectations.push({
           fromPath: fromPath,
           type: 'navigation',
           targetPath: targetPath,
-          proof: ExpectationProof.PROVEN_EXPECTATION,
           evidence: {
             source: file,
             selectorHint: selectorHint
@@ -212,6 +308,19 @@ export async function extractStaticExpectations(projectDir, routes) {
       
       const formExpectations = extractFormSubmissionExpectations(root, fromPath, file, routeMap, projectDir);
       expectations.push(...formExpectations);
+      
+      const networkExpectations = extractNetworkExpectations(root, fromPath, file, projectDir);
+      expectations.push(...networkExpectations);
+      
+      // NAVIGATION INTELLIGENCE v2: Extract navigation expectations from inline scripts
+      const { extractNavigationExpectations } = await import('./static-extractor-navigation.js');
+      const navigationExpectations = extractNavigationExpectations(root, fromPath, file, projectDir);
+      expectations.push(...navigationExpectations);
+      
+      // VALIDATION INTELLIGENCE v1: Extract validation_block expectations from inline scripts
+      const { extractValidationExpectations } = await import('./static-extractor-validation.js');
+      const validationExpectations = extractValidationExpectations(root, fromPath, file, projectDir);
+      expectations.push(...validationExpectations);
     } catch (error) {
       continue;
     }

package/src/verax/learn/truth-assessor.js

@@ -3,7 +3,7 @@ import { hasReactRouterDom } from './project-detector.js';
 
 const MAX_HTML_FILES = 200;
 
-export async function assessLearnTruth(projectDir, projectType, routes, staticExpectations, spaExpectations = null) {
+export async function assessLearnTruth(projectDir, projectType, routes, staticExpectations) {
   const truth = {
     routesDiscovered: routes.length,
     routesSource: 'none',
@@ -18,14 +18,24 @@ export async function assessLearnTruth(projectDir, projectType, routes, staticEx
   if (projectType === 'nextjs_app_router' || projectType === 'nextjs_pages_router') {
     truth.routesSource = 'nextjs_fs';
     truth.routesConfidence = 'HIGH';
+  } else if (projectType === 'vue_router') {
+    truth.routesSource = 'vue_router_ast';
+    truth.routesConfidence = 'HIGH';
     
-    // Wave 1 - CODE TRUTH ENGINE: Count AST-derived expectations
-    if (spaExpectations && spaExpectations.length > 0) {
-      truth.expectationsDiscovered = spaExpectations.length;
-      truth.expectationsStrong = spaExpectations.length;
+    if (staticExpectations && staticExpectations.length > 0) {
+      truth.expectationsDiscovered = staticExpectations.length;
+      truth.expectationsStrong = staticExpectations.filter(e => 
+        e.type === 'spa_navigation'
+      ).length;
       truth.expectationsWeak = 0;
-      truth.expectationsSource = 'ast_contracts';
     }
+  } else if (projectType === 'vue_spa') {
+    truth.routesSource = 'vue_no_router';
+    truth.routesConfidence = 'LOW';
+    truth.limitations.push({
+      code: 'VUE_ROUTER_NOT_INSTALLED',
+      message: 'Vue detected but vue-router not installed. Routes cannot be extracted from router configuration.'
+    });
   } else if (projectType === 'static') {
     truth.routesSource = 'static_html';
     
@@ -67,21 +77,14 @@ export async function assessLearnTruth(projectDir, projectType, routes, staticEx
       });
     }
     
-    // Wave 1 - CODE TRUTH ENGINE: Report AST-based expectations instead of routes
-    if (spaExpectations && spaExpectations.length > 0) {
-      truth.expectationsDiscovered = spaExpectations.length;
-      truth.expectationsStrong = spaExpectations.length;
-      truth.expectationsWeak = 0;
-      truth.expectationsSource = 'ast_contracts';
-    } else {
-      truth.expectationsDiscovered = 0;
-      truth.expectationsStrong = 0;
-      truth.expectationsWeak = 0;
-      truth.warnings.push({
-        code: 'NO_AST_CONTRACTS_FOUND',
-        message: 'No JSX Link/NavLink elements with static href/to found. No PROVEN expectations available.'
-      });
-    }
+    truth.warnings.push({
+      code: 'REACT_ROUTE_EXTRACTION_FRAGILE',
+      message: 'Route extraction uses regex parsing of source files. Dynamic routes, nested routers, and code-split route definitions may be missed.'
+    });
+    
+    truth.expectationsDiscovered = routes.length;
+    truth.expectationsStrong = routes.length;
+    truth.expectationsWeak = 0;
   } else if (projectType === 'unknown') {
     truth.routesSource = 'none';
     truth.routesConfidence = 'LOW';

package/src/verax/learn/ts-contract-resolver.js

@@ -9,7 +9,7 @@
 
 import ts from 'typescript';
 import { resolve, relative, dirname, sep, join } from 'path';
-import { readFileSync, existsSync, statSync } from 'fs';
+import { existsSync, statSync } from 'fs';
 import { glob } from 'glob';
 
 const MAX_DEPTH = 3;
@@ -45,14 +45,8 @@ export async function resolveActionContracts(rootDir, workspaceRoot) {
   const checker = program.getTypeChecker();
   const contracts = [];
 
-  for (const sourceFile of program.getSourceFiles()) {
-    const sourcePath = resolve(sourceFile.fileName);
-    if (!sourcePath.toLowerCase().startsWith(normalizedRoot.toLowerCase())) continue;
-    if (sourceFile.isDeclarationFile) continue;
-
-    const importMap = buildImportMap(sourceFile, rootDir, workspaceRoot);
-
-    function visit(node) {
+  function createVisitFunction(importMap, sourceFile) {
+    return function visit(node) {
       if (ts.isJsxAttribute(node)) {
         const name = node.name.getText();
         if (name !== 'onClick' && name !== 'onSubmit') return;
@@ -64,7 +58,7 @@ export async function resolveActionContracts(rootDir, workspaceRoot) {
         // We only handle identifier handlers (cross-file capable)
         if (!ts.isIdentifier(expr)) return;
 
-        const handlerName = expr.text;
+        const _handlerName = expr.text;
         const handlerRef = deriveHandlerRef(expr, importMap, sourceFile, workspaceRoot);
         if (!handlerRef) return;
 
@@ -112,8 +106,16 @@ export async function resolveActionContracts(rootDir, workspaceRoot) {
         }
       }
       ts.forEachChild(node, visit);
-    }
+    };
+  }
 
+  for (const sourceFile of program.getSourceFiles()) {
+    const sourcePath = resolve(sourceFile.fileName);
+    if (!sourcePath.toLowerCase().startsWith(normalizedRoot.toLowerCase())) continue;
+    if (sourceFile.isDeclarationFile) continue;
+
+    const importMap = buildImportMap(sourceFile, rootDir, workspaceRoot);
+    const visit = createVisitFunction(importMap, sourceFile);
     visit(sourceFile);
   }
 
@@ -313,7 +315,7 @@ function analyzeStateCall(node) {
 
   // Zustand: store.set(...) or setState(...)
   if (ts.isPropertyAccessExpression(callee)) {
-    const obj = callee.expression;
+    const _obj = callee.expression;
     const prop = callee.name;
     // Common pattern: storeObj.set(...)
     if (prop.text === 'set') {

package/src/verax/observe/aria-sensor.js

@@ -0,0 +1,211 @@
+/**
+ * ARIA Announcement Sensor
+ * Tracks ARIA live regions, status/alert roles, and announcements
+ */
+
+export class AriaSensor {
+  constructor() {
+    this.ariaStateBefore = null;
+    this.ariaStateAfter = null;
+  }
+
+  /**
+   * Capture ARIA state before interaction
+   */
+  async captureBefore(page) {
+    const ariaData = await page.evaluate(() => {
+      const result = {
+        liveRegions: [],
+        statusRoles: [],
+        alerts: [],
+        ariaBusyElements: [],
+        ariaLive: [],
+        announcements: []
+      };
+
+      // Find all live regions
+      const liveRegions = document.querySelectorAll('[aria-live]');
+      liveRegions.forEach(el => {
+        result.liveRegions.push({
+          selector: generateSelector(el),
+          ariaLive: el.getAttribute('aria-live'),
+          text: el.textContent?.slice(0, 100) || '',
+          ariaAtomic: el.getAttribute('aria-atomic'),
+          ariaRelevant: el.getAttribute('aria-relevant')
+        });
+      });
+
+      // Find status and alert roles
+      const statusAlerts = document.querySelectorAll('[role="status"], [role="alert"]');
+      statusAlerts.forEach(el => {
+        result.statusRoles.push({
+          selector: generateSelector(el),
+          role: el.getAttribute('role'),
+          text: el.textContent?.slice(0, 100) || '',
+          ariaLive: el.getAttribute('aria-live')
+        });
+      });
+
+      // Find aria-busy elements
+      const busyElements = document.querySelectorAll('[aria-busy="true"]');
+      busyElements.forEach(el => {
+        result.ariaBusyElements.push({
+          selector: generateSelector(el),
+          ariaBusy: el.getAttribute('aria-busy')
+        });
+      });
+
+      return result;
+
+      function generateSelector(el) {
+        if (el.id) return `#${el.id}`;
+        if (el.className) {
+          const classes = Array.from(el.classList || []).slice(0, 2).join('.');
+          return el.tagName.toLowerCase() + (classes ? `.${classes}` : '');
+        }
+        return el.tagName.toLowerCase();
+      }
+    });
+
+    this.ariaStateBefore = ariaData;
+    return ariaData;
+  }
+
+  /**
+   * Capture ARIA state after interaction
+   */
+  async captureAfter(page) {
+    const ariaData = await page.evaluate(() => {
+      const result = {
+        liveRegions: [],
+        statusRoles: [],
+        alerts: [],
+        ariaBusyElements: [],
+        ariaLive: [],
+        announcements: []
+      };
+
+      // Find all live regions
+      const liveRegions = document.querySelectorAll('[aria-live]');
+      liveRegions.forEach(el => {
+        result.liveRegions.push({
+          selector: generateSelector(el),
+          ariaLive: el.getAttribute('aria-live'),
+          text: el.textContent?.slice(0, 100) || '',
+          ariaAtomic: el.getAttribute('aria-atomic'),
+          ariaRelevant: el.getAttribute('aria-relevant')
+        });
+      });
+
+      // Find status and alert roles
+      const statusAlerts = document.querySelectorAll('[role="status"], [role="alert"]');
+      statusAlerts.forEach(el => {
+        result.statusRoles.push({
+          selector: generateSelector(el),
+          role: el.getAttribute('role'),
+          text: el.textContent?.slice(0, 100) || '',
+          ariaLive: el.getAttribute('aria-live')
+        });
+      });
+
+      // Find aria-busy elements
+      const busyElements = document.querySelectorAll('[aria-busy="true"]');
+      busyElements.forEach(el => {
+        result.ariaBusyElements.push({
+          selector: generateSelector(el),
+          ariaBusy: el.getAttribute('aria-busy')
+        });
+      });
+
+      return result;
+
+      function generateSelector(el) {
+        if (el.id) return `#${el.id}`;
+        if (el.className) {
+          const classes = Array.from(el.classList || []).slice(0, 2).join('.');
+          return el.tagName.toLowerCase() + (classes ? `.${classes}` : '');
+        }
+        return el.tagName.toLowerCase();
+      }
+    });
+
+    this.ariaStateAfter = ariaData;
+    return ariaData;
+  }
+
+  /**
+   * Detect if ARIA state changed (live region updates, role changes, etc)
+   */
+  detectAriaChange() {
+    if (!this.ariaStateBefore || !this.ariaStateAfter) {
+      return false;
+    }
+
+    // Check if live region text changed
+    const beforeLiveText = this.ariaStateBefore.liveRegions.map(r => r.text).join('|');
+    const afterLiveText = this.ariaStateAfter.liveRegions.map(r => r.text).join('|');
+
+    if (beforeLiveText !== afterLiveText) {
+      return true;
+    }
+
+    // Check if status/alert role text changed
+    const beforeStatusText = this.ariaStateBefore.statusRoles.map(r => r.text).join('|');
+    const afterStatusText = this.ariaStateAfter.statusRoles.map(r => r.text).join('|');
+
+    if (beforeStatusText !== afterStatusText) {
+      return true;
+    }
+
+    // Check if aria-busy state changed
+    const beforeBusy = this.ariaStateBefore.ariaBusyElements.length;
+    const afterBusy = this.ariaStateAfter.ariaBusyElements.length;
+
+    if (beforeBusy !== afterBusy) {
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if ARIA announcement should have occurred but didn't
+   */
+  detectMissingAnnouncement(eventType) {
+    // eventType: 'submit', 'network_success', 'network_error', 'validation_error', etc
+    // These meaningful events should typically trigger ARIA announcements
+
+    if (!this.ariaStateBefore || !this.ariaStateAfter) {
+      return false;
+    }
+
+    // Check if any live region exists (at least one should for accessibility)
+    const hasLiveRegion = this.ariaStateAfter.liveRegions.length > 0;
+    const hasStatus = this.ariaStateAfter.statusRoles.length > 0;
+
+    if (!hasLiveRegion && !hasStatus) {
+      return true; // No ARIA announcement mechanism present
+    }
+
+    // Check if announcement actually changed
+    const ariaChanged = this.detectAriaChange();
+
+    // For meaningful events, ARIA should have changed
+    if (!ariaChanged && (eventType === 'submit' || eventType === 'network_success' || eventType === 'network_error')) {
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Get ARIA diff for evidence
+   */
+  getAriaDiff() {
+    return {
+      before: this.ariaStateBefore,
+      after: this.ariaStateAfter,
+      changed: this.detectAriaChange()
+    };
+  }
+}

package/src/verax/observe/browser.js

@@ -1,6 +1,5 @@
 import { chromium } from 'playwright';
-
-const STABLE_WAIT_MS = 2000;
+import { DEFAULT_SCAN_BUDGET } from '../shared/scan-budget.js';
 
 export async function createBrowser() {
   const browser = await chromium.launch({ headless: true });
@@ -11,12 +10,37 @@ export async function createBrowser() {
   return { browser, page };
 }
 
-export async function navigateToUrl(page, url) {
-  await page.goto(url, { waitUntil: 'networkidle', timeout: 30000 });
-  await page.waitForTimeout(STABLE_WAIT_MS);
+export async function navigateToUrl(page, url, scanBudget = DEFAULT_SCAN_BUDGET) {
+  let stableWait = scanBudget.navigationStableWaitMs;
+  try {
+    if (url.startsWith('file:') || url.includes('localhost:') || url.includes('127.0.0.1')) {
+      stableWait = 200; // Short wait for local fixtures
+    }
+  } catch {
+    // Ignore config errors
+  }
+  // Use domcontentloaded first for faster timeout, then wait for networkidle separately
+  await page.goto(url, { waitUntil: 'domcontentloaded', timeout: scanBudget.initialNavigationTimeoutMs });
+  await page.waitForLoadState('networkidle', { timeout: 10000 }).catch(() => {
+    // Network idle timeout is acceptable, continue
+  });
+  await page.waitForTimeout(stableWait);
 }
 
 export async function closeBrowser(browser) {
-  await browser.close();
+  try {
+    // Close all contexts first
+    const contexts = browser.contexts();
+    for (const context of contexts) {
+      try {
+        await context.close({ timeout: 5000 }).catch(() => {});
+      } catch (e) {
+        // Ignore context close errors
+      }
+    }
+    await browser.close({ timeout: 5000 }).catch(() => {});
+  } catch (e) {
+    // Ignore browser close errors - best effort cleanup
+  }
 }
 

package/src/verax/observe/console-sensor.js

@@ -57,7 +57,7 @@ export class ConsoleSensor {
     };
 
     // Capture unhandled promise rejections
-    const onUnhandledRejection = (promise, reason) => {
+    const _onUnhandledRejection = (promise, reason) => {
       const message = (reason?.toString?.() || String(reason)).slice(0, 200);
       state.unhandledRejections.push({
         message: message,
@@ -104,7 +104,7 @@ export class ConsoleSensor {
   /**
    * Stop monitoring and return a summary for the window.
    */
-  async stopWindow(windowId, page) {
+  stopWindow(windowId, _page) {
     const state = this.windows.get(windowId);
     if (!state) {
       return this.getEmptySummary();
@@ -112,22 +112,6 @@ export class ConsoleSensor {
 
     state.cleanup();
 
-    // Collect any unhandled rejections that were captured
-    let capturedRejections = [];
-    try {
-      capturedRejections = await page.evaluate(() => {
-        return window.__unhandledRejections || [];
-      });
-    } catch {
-      // Page may not have this
-    }
-
-    // Merge captured rejections with ones we heard about
-    state.unhandledRejections = [
-      ...state.unhandledRejections,
-      ...capturedRejections
-    ].slice(0, this.maxErrorsToKeep);
-
     const summary = {
       windowId,
       errorCount: state.consoleErrors.length + state.pageErrors.length,

package/src/verax/observe/domain-boundary.js

@@ -1,7 +1,10 @@
 export function getBaseOrigin(url) {
   try {
     const urlObj = new URL(url);
-    return `${urlObj.protocol}//${urlObj.host}${urlObj.port ? `:${urlObj.port}` : ''}`;
+    if (urlObj.protocol === 'file:') {
+      return 'file://';
+    }
+    return urlObj.origin;
   } catch (error) {
     return null;
   }
@@ -12,6 +15,12 @@ export function isExternalUrl(url, baseOrigin) {
   
   try {
     const urlObj = new URL(url);
+    // Special-case file protocol: treat all file:// URLs as same-origin
+    const isFileProtocol = urlObj.protocol === 'file:';
+    const baseIsFile = baseOrigin.startsWith('file:');
+    if (isFileProtocol && baseIsFile) {
+      return false;
+    }
     const urlOrigin = urlObj.origin;
     return urlOrigin !== baseOrigin;
   } catch (error) {