@veraxhq/verax 0.2.0 → 0.3.0

package/src/verax/core/release/reproducibility.check.js

@@ -0,0 +1,221 @@
+/**
+ * PHASE 21.7 — Reproducibility Check
+ * 
+ * Verifies that same commit + same policies = same hashes.
+ * Difference = NON_REPRODUCIBLE (BLOCKING for GA).
+ */
+
+import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'fs';
+import { resolve } from 'path';
+import { createHash } from 'crypto';
+import { execSync } from 'child_process';
+
+/**
+ * Get current git commit
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {string|null} Commit hash or null
+ */
+function getGitCommit(projectDir) {
+  try {
+    const result = execSync('git rev-parse HEAD', { 
+      cwd: projectDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    });
+    return result.trim();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get policy hashes
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} Policy hashes
+ */
+async function getPolicyHashes(projectDir) {
+  try {
+    const { loadGuardrailsPolicy } = await import('../guardrails/policy.loader.js');
+    const { loadConfidencePolicy } = await import('../confidence/confidence.loader.js');
+    
+    const guardrails = loadGuardrailsPolicy(null, projectDir);
+    const confidence = loadConfidencePolicy(null, projectDir);
+    
+    const guardrailsHash = createHash('sha256')
+      .update(JSON.stringify(guardrails, null, 0))
+      .digest('hex');
+    
+    const confidenceHash = createHash('sha256')
+      .update(JSON.stringify(confidence, null, 0))
+      .digest('hex');
+    
+    return {
+      guardrails: guardrailsHash,
+      confidence: confidenceHash
+    };
+  } catch {
+    return {
+      guardrails: null,
+      confidence: null
+    };
+  }
+}
+
+/**
+ * Get artifact hashes
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Artifact hashes
+ */
+function getArtifactHashes(projectDir) {
+  const hashes = {};
+  
+  // Hash key files
+  const keyFiles = [
+    'package.json',
+    'bin/verax.js',
+    'src/cli/entry.js'
+  ];
+  
+  for (const file of keyFiles) {
+    const filePath = resolve(projectDir, file);
+    if (existsSync(filePath)) {
+      try {
+        const content = readFileSync(filePath);
+        hashes[file] = createHash('sha256').update(content).digest('hex');
+      } catch {
+        hashes[file] = null;
+      }
+    } else {
+      hashes[file] = null;
+    }
+  }
+  
+  return hashes;
+}
+
+/**
+ * Load previous reproducibility report
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object|null} Previous report or null
+ */
+function loadPreviousReport(projectDir) {
+  const reportPath = resolve(projectDir, 'release', 'reproducibility.report.json');
+  if (!existsSync(reportPath)) {
+    return null;
+  }
+  
+  try {
+    const content = readFileSync(reportPath, 'utf-8');
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check reproducibility
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} Reproducibility check result
+ */
+export async function checkReproducibility(projectDir) {
+  const gitCommit = getGitCommit(projectDir);
+  const policyHashes = await getPolicyHashes(projectDir);
+  const artifactHashes = getArtifactHashes(projectDir);
+  
+  const current = {
+    gitCommit,
+    policies: policyHashes,
+    artifacts: artifactHashes,
+    checkedAt: new Date().toISOString()
+  };
+  
+  const previous = loadPreviousReport(projectDir);
+  
+  let reproducible = true;
+  const differences = [];
+  
+  if (previous) {
+    // Compare with previous build
+    if (previous.gitCommit !== gitCommit) {
+      reproducible = false;
+      differences.push({
+        type: 'git_commit',
+        previous: previous.gitCommit,
+        current: gitCommit,
+        message: 'Git commit changed'
+      });
+    }
+    
+    if (previous.policies?.guardrails !== policyHashes.guardrails) {
+      reproducible = false;
+      differences.push({
+        type: 'guardrails_policy',
+        previous: previous.policies?.guardrails,
+        current: policyHashes.guardrails,
+        message: 'Guardrails policy changed'
+      });
+    }
+    
+    if (previous.policies?.confidence !== policyHashes.confidence) {
+      reproducible = false;
+      differences.push({
+        type: 'confidence_policy',
+        previous: previous.policies?.confidence,
+        current: policyHashes.confidence,
+        message: 'Confidence policy changed'
+      });
+    }
+    
+    // Compare artifact hashes
+    for (const [file, hash] of Object.entries(artifactHashes)) {
+      if (previous.artifacts?.[file] !== hash) {
+        reproducible = false;
+        differences.push({
+          type: 'artifact',
+          file,
+          previous: previous.artifacts?.[file],
+          current: hash,
+          message: `Artifact ${file} changed`
+        });
+      }
+    }
+  }
+  
+  const verdict = reproducible ? 'REPRODUCIBLE' : 'NON_REPRODUCIBLE';
+  
+  const report = {
+    verdict,
+    reproducible,
+    differences,
+    current,
+    previous: previous || null,
+    checkedAt: new Date().toISOString()
+  };
+  
+  return report;
+}
+
+/**
+ * Write reproducibility report
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} report - Reproducibility report
+ * @returns {string} Path to written file
+ */
+export function writeReproducibilityReport(projectDir, report) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  
+  const outputPath = resolve(outputDir, 'reproducibility.report.json');
+  writeFileSync(outputPath, JSON.stringify(report, null, 2), 'utf-8');
+  
+  return outputPath;
+}
+

package/src/verax/core/release/sbom.builder.js

@@ -0,0 +1,283 @@
+/**
+ * PHASE 21.7 — SBOM Builder
+ * 
+ * Generates Software Bill of Materials (SBOM) in CycloneDX format.
+ * Missing SBOM = BLOCKING.
+ */
+
+import { readFileSync, existsSync, writeFileSync, mkdirSync, readdirSync } from 'fs';
+import { resolve } from 'path';
+import { createHash } from 'crypto';
+import { execSync } from 'child_process';
+
+/**
+ * Get package.json dependencies
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Dependencies object
+ */
+function getDependencies(projectDir) {
+  try {
+    const pkgPath = resolve(projectDir, 'package.json');
+    if (!existsSync(pkgPath)) {
+      return { dependencies: {}, devDependencies: {} };
+    }
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return {
+      dependencies: pkg.dependencies || {},
+      devDependencies: pkg.devDependencies || {}
+    };
+  } catch {
+    return { dependencies: {}, devDependencies: {} };
+  }
+}
+
+/**
+ * Get transitive dependencies from node_modules
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Array} Array of package info
+ */
+function getTransitiveDependencies(projectDir) {
+  const packages = [];
+  const nodeModulesPath = resolve(projectDir, 'node_modules');
+  
+  if (!existsSync(nodeModulesPath)) {
+    return packages;
+  }
+  
+  try {
+    // Use npm ls to get dependency tree
+    const result = execSync('npm ls --all --json', {
+      cwd: projectDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    });
+    
+    const tree = JSON.parse(result);
+    
+    function traverseDeps(deps, parent = null) {
+      if (!deps || typeof deps !== 'object') {
+        return;
+      }
+      
+      for (const [name, info] of Object.entries(deps)) {
+        if (info && typeof info === 'object' && info.version) {
+          packages.push({
+            name,
+            version: info.version,
+            parent: parent || null
+          });
+          
+          if (info.dependencies) {
+            traverseDeps(info.dependencies, name);
+          }
+        }
+      }
+    }
+    
+    if (tree.dependencies) {
+      traverseDeps(tree.dependencies);
+    }
+  } catch {
+    // Fallback: scan node_modules directory
+    try {
+      const entries = readdirSync(nodeModulesPath, { withFileTypes: true });
+      
+      for (const entry of entries) {
+        if (entry.isDirectory() && !entry.name.startsWith('.')) {
+          const pkgPath = resolve(nodeModulesPath, entry.name, 'package.json');
+          if (existsSync(pkgPath)) {
+            try {
+              const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+              packages.push({
+                name: pkg.name || entry.name,
+                version: pkg.version || 'unknown',
+                parent: null
+              });
+            } catch {
+              // Skip invalid packages
+            }
+          }
+        }
+      }
+    } catch {
+      // If scanning fails, return empty
+    }
+  }
+  
+  return packages;
+}
+
+/**
+ * Get license from package.json
+ * 
+ * @param {string} packagePath - Path to package.json
+ * @returns {string|null} License or null
+ */
+function getPackageLicense(packagePath) {
+  try {
+    if (!existsSync(packagePath)) {
+      return null;
+    }
+    const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'));
+    if (typeof pkg.license === 'string') {
+      return pkg.license;
+    } else if (pkg.license && pkg.license.type) {
+      return pkg.license.type;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Compute integrity hash for a package
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {string} packageName - Package name
+ * @returns {string|null} SHA256 hash or null
+ */
+function getPackageIntegrity(projectDir, packageName) {
+  try {
+    const packagePath = resolve(projectDir, 'node_modules', packageName);
+    if (!existsSync(packagePath)) {
+      return null;
+    }
+    
+    // Hash the package.json as a proxy for package integrity
+    const pkgPath = resolve(packagePath, 'package.json');
+    if (existsSync(pkgPath)) {
+      const content = readFileSync(pkgPath);
+      return createHash('sha256').update(content).digest('hex');
+    }
+    
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Build SBOM in CycloneDX format
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} SBOM object
+ */
+export async function buildSBOM(projectDir) {
+  const pkgPath = resolve(projectDir, 'package.json');
+  if (!existsSync(pkgPath)) {
+    throw new Error('Cannot build SBOM: package.json not found');
+  }
+  
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+  const deps = getDependencies(projectDir);
+  const transitive = getTransitiveDependencies(projectDir);
+  
+  // Build components list
+  const components = [];
+  
+  // Add main package
+  components.push({
+    type: 'application',
+    name: pkg.name || 'unknown',
+    version: pkg.version || 'unknown',
+    purl: `pkg:npm/${pkg.name}@${pkg.version}`,
+    licenses: pkg.license ? [{ license: { id: pkg.license } }] : []
+  });
+  
+  // Add direct dependencies
+  for (const [name, version] of Object.entries(deps.dependencies)) {
+    const integrity = getPackageIntegrity(projectDir, name);
+    const license = getPackageLicense(resolve(projectDir, 'node_modules', name, 'package.json'));
+    
+    components.push({
+      type: 'library',
+      name,
+      version: version.replace(/^[\^~]/, ''),
+      purl: `pkg:npm/${name}@${version.replace(/^[\^~]/, '')}`,
+      hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+      licenses: license ? [{ license: { id: license } }] : []
+    });
+  }
+  
+  // Add dev dependencies (marked as development)
+  for (const [name, version] of Object.entries(deps.devDependencies)) {
+    const integrity = getPackageIntegrity(projectDir, name);
+    const license = getPackageLicense(resolve(projectDir, 'node_modules', name, 'package.json'));
+    
+    components.push({
+      type: 'library',
+      name,
+      version: version.replace(/^[\^~]/, ''),
+      purl: `pkg:npm/${name}@${version.replace(/^[\^~]/, '')}`,
+      hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+      licenses: license ? [{ license: { id: license } }] : [],
+      scope: 'development'
+    });
+  }
+  
+  // Add transitive dependencies (simplified - in production, use proper dependency resolution)
+  const transitiveMap = new Map();
+  for (const trans of transitive) {
+    const key = `${trans.name}@${trans.version}`;
+    if (!transitiveMap.has(key)) {
+      transitiveMap.set(key, trans);
+      
+      const integrity = getPackageIntegrity(projectDir, trans.name);
+      const license = getPackageLicense(resolve(projectDir, 'node_modules', trans.name, 'package.json'));
+      
+      components.push({
+        type: 'library',
+        name: trans.name,
+        version: trans.version,
+        purl: `pkg:npm/${trans.name}@${trans.version}`,
+        hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+        licenses: license ? [{ license: { id: license } }] : []
+      });
+    }
+  }
+  
+  const sbom = {
+    bomFormat: 'CycloneDX',
+    specVersion: '1.4',
+    version: 1,
+    metadata: {
+      timestamp: new Date().toISOString(),
+      tools: [{
+        vendor: 'VERAX',
+        name: 'SBOM Builder',
+        version: '1.0.0'
+      }],
+      component: {
+        type: 'application',
+        name: pkg.name || 'unknown',
+        version: pkg.version || 'unknown'
+      }
+    },
+    components: components
+  };
+  
+  return sbom;
+}
+
+/**
+ * Write SBOM to file
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} sbom - SBOM object
+ * @returns {string} Path to written file
+ */
+export function writeSBOM(projectDir, sbom) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  
+  const outputPath = resolve(outputDir, 'sbom.json');
+  writeFileSync(outputPath, JSON.stringify(sbom, null, 2), 'utf-8');
+  
+  return outputPath;
+}
+

package/src/verax/core/replay-validator.js

@@ -13,7 +13,7 @@
  * - Categorize deviations: truncation_difference, timeout_difference, environment_difference
  */
 
-import { DecisionRecorder, DECISION_IDS } from './determinism-model.js';
+import { DecisionRecorder } from './determinism-model.js';
 
 /**
  * Compare two decision values and determine if they're equivalent
@@ -47,10 +47,10 @@ function areValuesEquivalent(value1, value2) {
 /**
  * Categorize a decision deviation
  * @param {Object} baseline - Baseline decision
- * @param {Object} current - Current decision
+ * @param {Object} _current - Current decision (unused parameter, kept for API compatibility)
  * @returns {string} - Deviation category
  */
-function categorizeDeviation(baseline, current) {
+function categorizeDeviation(baseline, _current) {
   const category = baseline.category;
   
   switch (category) {
@@ -78,7 +78,7 @@ function categorizeDeviation(baseline, current) {
  * @returns {string} - Human-readable explanation
  */
 function explainDeviation(baseline, current) {
-  const category = baseline.category;
+  const _category = baseline.category;
   const devCategory = categorizeDeviation(baseline, current);
   
   // Build explanation based on decision type

package/src/verax/core/replay.js

@@ -141,7 +141,7 @@ export function loadRunArtifacts(runDir) {
  * Replay a previous run from artifacts
  * 
  * @param {string} runDir - Path to run directory
- * @returns {Object} Replay result with observation summary
+ * @returns {Promise<any>} Replay result with observation summary
  */
 export async function replayRun(runDir) {
   // Load artifacts