@veraxhq/verax 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (217) hide show
  1. package/README.md +14 -18
  2. package/bin/verax.js +7 -0
  3. package/package.json +15 -5
  4. package/src/cli/commands/baseline.js +104 -0
  5. package/src/cli/commands/default.js +323 -111
  6. package/src/cli/commands/doctor.js +36 -4
  7. package/src/cli/commands/ga.js +243 -0
  8. package/src/cli/commands/gates.js +95 -0
  9. package/src/cli/commands/inspect.js +131 -2
  10. package/src/cli/commands/release-check.js +213 -0
  11. package/src/cli/commands/run.js +498 -103
  12. package/src/cli/commands/security-check.js +211 -0
  13. package/src/cli/commands/truth.js +114 -0
  14. package/src/cli/entry.js +305 -68
  15. package/src/cli/util/angular-component-extractor.js +179 -0
  16. package/src/cli/util/angular-navigation-detector.js +141 -0
  17. package/src/cli/util/angular-network-detector.js +161 -0
  18. package/src/cli/util/angular-state-detector.js +162 -0
  19. package/src/cli/util/ast-interactive-detector.js +546 -0
  20. package/src/cli/util/ast-network-detector.js +603 -0
  21. package/src/cli/util/ast-usestate-detector.js +602 -0
  22. package/src/cli/util/bootstrap-guard.js +86 -0
  23. package/src/cli/util/detection-engine.js +4 -3
  24. package/src/cli/util/determinism-runner.js +123 -0
  25. package/src/cli/util/determinism-writer.js +129 -0
  26. package/src/cli/util/env-url.js +4 -0
  27. package/src/cli/util/events.js +76 -0
  28. package/src/cli/util/expectation-extractor.js +380 -74
  29. package/src/cli/util/findings-writer.js +126 -15
  30. package/src/cli/util/learn-writer.js +3 -1
  31. package/src/cli/util/observation-engine.js +69 -23
  32. package/src/cli/util/observe-writer.js +3 -1
  33. package/src/cli/util/paths.js +6 -14
  34. package/src/cli/util/project-discovery.js +23 -0
  35. package/src/cli/util/project-writer.js +3 -1
  36. package/src/cli/util/redact.js +2 -2
  37. package/src/cli/util/run-resolver.js +64 -0
  38. package/src/cli/util/runtime-budget.js +147 -0
  39. package/src/cli/util/source-requirement.js +55 -0
  40. package/src/cli/util/summary-writer.js +13 -1
  41. package/src/cli/util/svelte-navigation-detector.js +163 -0
  42. package/src/cli/util/svelte-network-detector.js +80 -0
  43. package/src/cli/util/svelte-sfc-extractor.js +147 -0
  44. package/src/cli/util/svelte-state-detector.js +243 -0
  45. package/src/cli/util/vue-navigation-detector.js +177 -0
  46. package/src/cli/util/vue-sfc-extractor.js +162 -0
  47. package/src/cli/util/vue-state-detector.js +215 -0
  48. package/src/types/global.d.ts +28 -0
  49. package/src/types/ts-ast.d.ts +24 -0
  50. package/src/verax/cli/doctor.js +2 -2
  51. package/src/verax/cli/finding-explainer.js +56 -3
  52. package/src/verax/cli/init.js +1 -1
  53. package/src/verax/cli/url-safety.js +12 -2
  54. package/src/verax/cli/wizard.js +13 -2
  55. package/src/verax/core/artifacts/registry.js +154 -0
  56. package/src/verax/core/artifacts/verifier.js +980 -0
  57. package/src/verax/core/baseline/baseline.enforcer.js +137 -0
  58. package/src/verax/core/baseline/baseline.snapshot.js +231 -0
  59. package/src/verax/core/budget-engine.js +1 -1
  60. package/src/verax/core/capabilities/gates.js +499 -0
  61. package/src/verax/core/capabilities/registry.js +475 -0
  62. package/src/verax/core/confidence/confidence-compute.js +137 -0
  63. package/src/verax/core/confidence/confidence-invariants.js +234 -0
  64. package/src/verax/core/confidence/confidence-report-writer.js +112 -0
  65. package/src/verax/core/confidence/confidence-weights.js +44 -0
  66. package/src/verax/core/confidence/confidence.defaults.js +65 -0
  67. package/src/verax/core/confidence/confidence.loader.js +79 -0
  68. package/src/verax/core/confidence/confidence.schema.js +94 -0
  69. package/src/verax/core/confidence-engine-refactor.js +484 -0
  70. package/src/verax/core/confidence-engine.js +486 -0
  71. package/src/verax/core/confidence-engine.js.backup +471 -0
  72. package/src/verax/core/contracts/index.js +29 -0
  73. package/src/verax/core/contracts/types.js +185 -0
  74. package/src/verax/core/contracts/validators.js +381 -0
  75. package/src/verax/core/decision-snapshot.js +31 -4
  76. package/src/verax/core/decisions/decision.trace.js +276 -0
  77. package/src/verax/core/determinism/contract-writer.js +89 -0
  78. package/src/verax/core/determinism/contract.js +139 -0
  79. package/src/verax/core/determinism/diff.js +364 -0
  80. package/src/verax/core/determinism/engine.js +221 -0
  81. package/src/verax/core/determinism/finding-identity.js +148 -0
  82. package/src/verax/core/determinism/normalize.js +438 -0
  83. package/src/verax/core/determinism/report-writer.js +92 -0
  84. package/src/verax/core/determinism/run-fingerprint.js +118 -0
  85. package/src/verax/core/determinism-model.js +35 -6
  86. package/src/verax/core/dynamic-route-intelligence.js +528 -0
  87. package/src/verax/core/evidence/evidence-capture-service.js +307 -0
  88. package/src/verax/core/evidence/evidence-intent-ledger.js +165 -0
  89. package/src/verax/core/evidence-builder.js +487 -0
  90. package/src/verax/core/execution-mode-context.js +77 -0
  91. package/src/verax/core/execution-mode-detector.js +190 -0
  92. package/src/verax/core/failures/exit-codes.js +86 -0
  93. package/src/verax/core/failures/failure-summary.js +76 -0
  94. package/src/verax/core/failures/failure.factory.js +225 -0
  95. package/src/verax/core/failures/failure.ledger.js +132 -0
  96. package/src/verax/core/failures/failure.types.js +196 -0
  97. package/src/verax/core/failures/index.js +10 -0
  98. package/src/verax/core/ga/ga-report-writer.js +43 -0
  99. package/src/verax/core/ga/ga.artifact.js +49 -0
  100. package/src/verax/core/ga/ga.contract.js +434 -0
  101. package/src/verax/core/ga/ga.enforcer.js +86 -0
  102. package/src/verax/core/guardrails/guardrails-report-writer.js +109 -0
  103. package/src/verax/core/guardrails/policy.defaults.js +210 -0
  104. package/src/verax/core/guardrails/policy.loader.js +83 -0
  105. package/src/verax/core/guardrails/policy.schema.js +110 -0
  106. package/src/verax/core/guardrails/truth-reconciliation.js +136 -0
  107. package/src/verax/core/guardrails-engine.js +505 -0
  108. package/src/verax/core/incremental-store.js +15 -7
  109. package/src/verax/core/observe/run-timeline.js +316 -0
  110. package/src/verax/core/perf/perf.contract.js +186 -0
  111. package/src/verax/core/perf/perf.display.js +65 -0
  112. package/src/verax/core/perf/perf.enforcer.js +91 -0
  113. package/src/verax/core/perf/perf.monitor.js +209 -0
  114. package/src/verax/core/perf/perf.report.js +198 -0
  115. package/src/verax/core/pipeline-tracker.js +238 -0
  116. package/src/verax/core/product-definition.js +127 -0
  117. package/src/verax/core/release/provenance.builder.js +271 -0
  118. package/src/verax/core/release/release-report-writer.js +40 -0
  119. package/src/verax/core/release/release.enforcer.js +159 -0
  120. package/src/verax/core/release/reproducibility.check.js +221 -0
  121. package/src/verax/core/release/sbom.builder.js +283 -0
  122. package/src/verax/core/replay-validator.js +4 -4
  123. package/src/verax/core/replay.js +1 -1
  124. package/src/verax/core/report/cross-index.js +192 -0
  125. package/src/verax/core/report/human-summary.js +222 -0
  126. package/src/verax/core/route-intelligence.js +419 -0
  127. package/src/verax/core/security/secrets.scan.js +326 -0
  128. package/src/verax/core/security/security-report.js +50 -0
  129. package/src/verax/core/security/security.enforcer.js +124 -0
  130. package/src/verax/core/security/supplychain.defaults.json +38 -0
  131. package/src/verax/core/security/supplychain.policy.js +326 -0
  132. package/src/verax/core/security/vuln.scan.js +265 -0
  133. package/src/verax/core/silence-impact.js +1 -1
  134. package/src/verax/core/silence-model.js +9 -7
  135. package/src/verax/core/truth/truth.certificate.js +250 -0
  136. package/src/verax/core/ui-feedback-intelligence.js +515 -0
  137. package/src/verax/detect/comparison.js +8 -3
  138. package/src/verax/detect/confidence-engine.js +645 -57
  139. package/src/verax/detect/confidence-helper.js +33 -0
  140. package/src/verax/detect/detection-engine.js +19 -2
  141. package/src/verax/detect/dynamic-route-findings.js +335 -0
  142. package/src/verax/detect/evidence-index.js +15 -65
  143. package/src/verax/detect/expectation-chain-detector.js +417 -0
  144. package/src/verax/detect/expectation-model.js +56 -3
  145. package/src/verax/detect/explanation-helpers.js +1 -1
  146. package/src/verax/detect/finding-detector.js +2 -2
  147. package/src/verax/detect/findings-writer.js +149 -20
  148. package/src/verax/detect/flow-detector.js +4 -4
  149. package/src/verax/detect/index.js +265 -15
  150. package/src/verax/detect/interactive-findings.js +3 -4
  151. package/src/verax/detect/journey-stall-detector.js +558 -0
  152. package/src/verax/detect/route-findings.js +218 -0
  153. package/src/verax/detect/signal-mapper.js +2 -2
  154. package/src/verax/detect/skip-classifier.js +4 -4
  155. package/src/verax/detect/ui-feedback-findings.js +207 -0
  156. package/src/verax/detect/verdict-engine.js +61 -9
  157. package/src/verax/detect/view-switch-correlator.js +242 -0
  158. package/src/verax/flow/flow-engine.js +3 -2
  159. package/src/verax/flow/flow-spec.js +1 -2
  160. package/src/verax/index.js +413 -33
  161. package/src/verax/intel/effect-detector.js +1 -1
  162. package/src/verax/intel/index.js +2 -2
  163. package/src/verax/intel/route-extractor.js +3 -3
  164. package/src/verax/intel/vue-navigation-extractor.js +81 -18
  165. package/src/verax/intel/vue-router-extractor.js +4 -2
  166. package/src/verax/learn/action-contract-extractor.js +684 -66
  167. package/src/verax/learn/ast-contract-extractor.js +53 -1
  168. package/src/verax/learn/index.js +36 -2
  169. package/src/verax/learn/manifest-writer.js +28 -14
  170. package/src/verax/learn/route-extractor.js +1 -1
  171. package/src/verax/learn/route-validator.js +12 -8
  172. package/src/verax/learn/state-extractor.js +1 -1
  173. package/src/verax/learn/static-extractor-navigation.js +1 -1
  174. package/src/verax/learn/static-extractor-validation.js +2 -2
  175. package/src/verax/learn/static-extractor.js +8 -7
  176. package/src/verax/learn/ts-contract-resolver.js +14 -12
  177. package/src/verax/observe/browser.js +22 -3
  178. package/src/verax/observe/console-sensor.js +2 -2
  179. package/src/verax/observe/expectation-executor.js +2 -1
  180. package/src/verax/observe/focus-sensor.js +1 -1
  181. package/src/verax/observe/human-driver.js +29 -10
  182. package/src/verax/observe/index.js +92 -844
  183. package/src/verax/observe/interaction-discovery.js +27 -15
  184. package/src/verax/observe/interaction-runner.js +31 -14
  185. package/src/verax/observe/loading-sensor.js +6 -0
  186. package/src/verax/observe/navigation-sensor.js +1 -1
  187. package/src/verax/observe/observe-context.js +205 -0
  188. package/src/verax/observe/observe-helpers.js +191 -0
  189. package/src/verax/observe/observe-runner.js +226 -0
  190. package/src/verax/observe/observers/budget-observer.js +185 -0
  191. package/src/verax/observe/observers/console-observer.js +102 -0
  192. package/src/verax/observe/observers/coverage-observer.js +107 -0
  193. package/src/verax/observe/observers/interaction-observer.js +471 -0
  194. package/src/verax/observe/observers/navigation-observer.js +132 -0
  195. package/src/verax/observe/observers/network-observer.js +87 -0
  196. package/src/verax/observe/observers/safety-observer.js +82 -0
  197. package/src/verax/observe/observers/ui-feedback-observer.js +99 -0
  198. package/src/verax/observe/settle.js +1 -0
  199. package/src/verax/observe/state-sensor.js +8 -4
  200. package/src/verax/observe/state-ui-sensor.js +7 -1
  201. package/src/verax/observe/traces-writer.js +27 -16
  202. package/src/verax/observe/ui-feedback-detector.js +742 -0
  203. package/src/verax/observe/ui-signal-sensor.js +155 -2
  204. package/src/verax/scan-summary-writer.js +46 -9
  205. package/src/verax/shared/artifact-manager.js +9 -6
  206. package/src/verax/shared/budget-profiles.js +2 -2
  207. package/src/verax/shared/caching.js +1 -1
  208. package/src/verax/shared/config-loader.js +1 -2
  209. package/src/verax/shared/css-spinner-rules.js +204 -0
  210. package/src/verax/shared/dynamic-route-utils.js +12 -6
  211. package/src/verax/shared/retry-policy.js +1 -6
  212. package/src/verax/shared/root-artifacts.js +1 -1
  213. package/src/verax/shared/view-switch-rules.js +208 -0
  214. package/src/verax/shared/zip-artifacts.js +1 -0
  215. package/src/verax/validate/context-validator.js +1 -1
  216. package/src/verax/observe/index.js.backup +0 -1
  217. package/src/verax/validate/context-validator.js.bak +0 -0
package/README.md CHANGED
@@ -1,5 +1,7 @@
1
1
  # 🛡️ VERAX
2
2
 
3
+ > **SOURCE CODE REQUIRED** — VERAX requires local access to source code. It is not a public website scanner. See [docs/README.md](docs/README.md) for the canonical product contract.
4
+
3
5
  A forensic observation engine for real user outcomes
4
6
 
5
7
  VERAX observes and reports gaps between what your code explicitly promises and what users can actually observe.
@@ -229,27 +231,21 @@ MEDIUM (60–79) — likely discrepancy with some ambiguity
229
231
 
230
232
  LOW (<60) — weak or partial evidence; interpret cautiously
231
233
 
232
- 🧭 When VERAX is a good fit
233
-
234
- SaaS signup and pricing flows
235
-
236
- React and Next.js projects
237
-
238
- CI pipelines that need UX reality checks
239
-
240
- Teams that value evidence over assumptions
241
-
242
- 🚫 When VERAX is NOT a good fit
243
-
244
- Internal admin dashboards
245
-
246
- Authentication-heavy systems
234
+ 🧭 Supported use cases
247
235
 
248
- Apps built around highly dynamic routing
236
+ - React, Next.js, or static HTML projects where you can provide local source code
237
+ - CI pipelines that can mount the repository so VERAX can analyze it
238
+ - Developer workstations that need evidence-backed silent failure detection
239
+ - Teams that value deterministic evidence over heuristics or AI guesses
240
+ - Demo projects in this repo (see [demos/](demos/))
249
241
 
250
- Unsupported frameworks
242
+ 🚫 Not supported
251
243
 
252
- Teams expecting a full QA replacement
244
+ - URL-only scans without source code (fails fast with guidance)
245
+ - Production monitoring or hosted/public scanning
246
+ - Highly dynamic routing without static promises to analyze
247
+ - Closed-source third-party targets where code is unavailable
248
+ - Using VERAX as a drop-in QA replacement
253
249
 
254
250
  🧪 Project status
255
251
 
package/bin/verax.js CHANGED
@@ -2,10 +2,17 @@
2
2
 
3
3
  /**
4
4
  * VERAX CLI Shim
5
+ * PHASE 21.6.1: Verified entry point
5
6
  * Delegates to src/cli/entry.js
7
+ *
8
+ * This file MUST be the only entry point for the verax CLI.
9
+ * package.json "bin" field points to this file.
6
10
  */
7
11
 
8
12
  import('../src/cli/entry.js').catch((error) => {
9
13
  console.error(`Failed to load CLI: ${error.message}`);
14
+ if (error.stack) {
15
+ console.error(error.stack);
16
+ }
10
17
  process.exit(2);
11
18
  });
package/package.json CHANGED
@@ -1,11 +1,11 @@
1
1
  {
2
2
  "name": "@veraxhq/verax",
3
- "version": "0.2.0",
3
+ "version": "0.3.0",
4
4
  "description": "VERAX - Silent failure detection for websites",
5
5
  "license": "MIT",
6
6
  "type": "module",
7
7
  "bin": {
8
- "verax": "./bin/verax.js"
8
+ "verax": "bin/verax.js"
9
9
  },
10
10
  "files": [
11
11
  "bin/",
@@ -14,8 +14,11 @@
14
14
  "LICENSE"
15
15
  ],
16
16
  "scripts": {
17
- "test": "node --test",
18
- "test:pack": "node scripts/test-pack.js"
17
+ "test": "node scripts/test-runner-wrapper.js",
18
+ "test:pack": "node scripts/test-pack.js",
19
+ "verify-release": "node scripts/verify-release.js",
20
+ "lint": "eslint . --max-warnings 0",
21
+ "typecheck": "tsc -p tsconfig.json --noEmit"
19
22
  },
20
23
  "dependencies": {
21
24
  "glob": "^10.3.10",
@@ -30,6 +33,13 @@
30
33
  "devDependencies": {
31
34
  "@babel/parser": "^7.28.5",
32
35
  "@babel/traverse": "^7.28.5",
33
- "@veraxhq/verax": "file:veraxhq-verax-0.2.0.tgz"
36
+ "@reduxjs/toolkit": "^2.11.2",
37
+ "@veraxhq/verax": "file:veraxhq-verax-0.3.0.tgz",
38
+ "eslint": "^8.57.0",
39
+ "next": "^16.1.1",
40
+ "react": "^19.2.3",
41
+ "react-dom": "^19.2.3",
42
+ "react-redux": "^9.2.0",
43
+ "react-router-dom": "^7.12.0"
34
44
  }
35
45
  }
package/src/cli/commands/baseline.js ADDED
@@ -0,0 +1,104 @@
1
+ /**
2
+ * PHASE 21.11 — Baseline Command
3
+ *
4
+ * `verax baseline` - Shows baseline hash and drift status
5
+ */
6
+
7
+ import { resolve } from 'path';
8
+ import { loadBaselineSnapshot, buildBaselineSnapshot } from '../../verax/core/baseline/baseline.snapshot.js';
9
+ import { compareBaselines, isBaselineFrozen } from '../../verax/core/baseline/baseline.enforcer.js';
10
+
11
+ /**
12
+ * Baseline command
13
+ *
14
+ * @param {string} projectDir - Project directory
15
+ * @param {Object} options - Command options
16
+ */
17
+ export async function baselineCommand(projectDir, options = {}) {
18
+ const { json = false } = options;
19
+
20
+ const frozen = loadBaselineSnapshot(projectDir);
21
+ const current = buildBaselineSnapshot(projectDir);
22
+
23
+ if (!frozen) {
24
+ if (json) {
25
+ console.log(JSON.stringify({
26
+ status: 'NO_BASELINE',
27
+ message: 'No baseline snapshot found (pre-GA)',
28
+ current: {
29
+ hash: current.baselineHash,
30
+ version: current.veraxVersion,
31
+ commit: current.gitCommit
32
+ }
33
+ }, null, 2));
34
+ } else {
35
+ console.log('\n=== Baseline Status ===\n');
36
+ console.log('Status: NO_BASELINE (pre-GA)');
37
+ console.log(`Current baseline hash: ${current.baselineHash}`);
38
+ console.log(`Version: ${current.veraxVersion}`);
39
+ console.log(`Commit: ${current.gitCommit}`);
40
+ console.log(`Dirty: ${current.gitDirty ? 'YES' : 'NO'}`);
41
+ console.log('\nNote: Baseline will be frozen when GA-READY is achieved.\n');
42
+ }
43
+ return;
44
+ }
45
+
46
+ const comparison = compareBaselines(current, frozen);
47
+ const frozenStatus = frozen.frozen ? 'FROZEN' : 'NOT_FROZEN';
48
+
49
+ if (json) {
50
+ console.log(JSON.stringify({
51
+ status: frozenStatus,
52
+ frozen: frozen.frozen,
53
+ drifted: comparison.drifted,
54
+ message: comparison.message,
55
+ frozenBaseline: {
56
+ hash: frozen.baselineHash,
57
+ version: frozen.veraxVersion,
58
+ commit: frozen.gitCommit,
59
+ timestamp: frozen.timestamp
60
+ },
61
+ currentBaseline: {
62
+ hash: current.baselineHash,
63
+ version: current.veraxVersion,
64
+ commit: current.gitCommit
65
+ },
66
+ differences: comparison.differences
67
+ }, null, 2));
68
+ } else {
69
+ console.log('\n=== Baseline Status ===\n');
70
+ console.log(`Status: ${frozenStatus}`);
71
+ console.log(`Frozen: ${frozen.frozen ? 'YES' : 'NO'}`);
72
+ console.log(`Drifted: ${comparison.drifted ? 'YES' : 'NO'}`);
73
+ console.log(`\nMessage: ${comparison.message}`);
74
+
75
+ console.log('\nFrozen Baseline:');
76
+ console.log(` Hash: ${frozen.baselineHash}`);
77
+ console.log(` Version: ${frozen.veraxVersion}`);
78
+ console.log(` Commit: ${frozen.gitCommit}`);
79
+ console.log(` Timestamp: ${frozen.timestamp}`);
80
+
81
+ console.log('\nCurrent Baseline:');
82
+ console.log(` Hash: ${current.baselineHash}`);
83
+ console.log(` Version: ${current.veraxVersion}`);
84
+ console.log(` Commit: ${current.gitCommit}`);
85
+ console.log(` Dirty: ${current.gitDirty ? 'YES' : 'NO'}`);
86
+
87
+ if (comparison.drifted) {
88
+ console.log('\n⚠️ BASELINE DRIFT DETECTED:');
89
+ for (const diff of comparison.differences) {
90
+ console.log(` - ${diff.message}`);
91
+ if (diff.component) {
92
+ console.log(` Component: ${diff.component}`);
93
+ }
94
+ }
95
+ console.log('\n⚠️ Changes to core contracts/policies after GA require:');
96
+ console.log(' 1. MAJOR version bump');
97
+ console.log(' 2. Baseline regeneration');
98
+ console.log(' 3. GA re-evaluation\n');
99
+ } else {
100
+ console.log('\n✓ Baseline integrity maintained\n');
101
+ }
102
+ }
103
+ }
104
+