@veraxhq/verax 0.2.1 → 0.3.0

package/src/cli/commands/run.js

@@ -17,6 +17,9 @@ import { detectFindings } from '../util/detection-engine.js';
 import { writeFindingsJson } from '../util/findings-writer.js';
 import { writeSummaryJson } from '../util/summary-writer.js';
 import { computeRuntimeBudget, withTimeout } from '../util/runtime-budget.js';
+import { assertHasLocalSource } from '../util/source-requirement.js';
+import { runWithDeterminism } from '../util/determinism-runner.js';
+import { runDeterminismCheck } from '../../verax/core/determinism/engine.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -27,7 +30,7 @@ function getVersion() {
     const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
     return pkg.version;
   } catch {
-    return '0.2.0';
+    return '0.3.0';
   }
 }
 
@@ -36,17 +39,68 @@ function getVersion() {
  * Strict, non-interactive CLI mode with explicit flags
  */
 export async function runCommand(options) {
+  return await runCommandInternal(options);
+}
+
+/**
+ * Internal run command implementation
+ */
+async function runCommandInternal(options) {
   const {
     url,
+    fixture,
     src = '.',
     out = '.verax',
     json = false,
     verbose = false,
+    determinism = false,
+    determinismRuns = 2,
   } = options;
   
+  // PHASE 25: Support fixture mode for determinism
+  let resolvedUrl = url;
+  let fixtureId = null;
+  
+  if (fixture && !url) {
+    // Extract URL from fixture
+    const { resolve } = await import('path');
+    const { existsSync, readFileSync } = await import('fs');
+    const { fileURLToPath } = await import('url');
+    const { dirname } = await import('path');
+    const __filename = fileURLToPath(import.meta.url);
+    const __dirname = dirname(__filename);
+    
+    const fixturePath = resolve(__dirname, '..', '..', '..', 'test', 'fixtures', 'realistic', fixture);
+    if (existsSync(fixturePath)) {
+      // Try to read package.json or index.html to extract URL
+      const packagePath = resolve(fixturePath, 'package.json');
+      const indexPath = resolve(fixturePath, 'index.html');
+      
+      if (existsSync(packagePath)) {
+        try {
+          const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'));
+          if (pkg.verax && pkg.verax.url) {
+            resolvedUrl = pkg.verax.url;
+            fixtureId = fixture;
+          }
+        } catch {
+          // Ignore parse errors
+        }
+      }
+      
+      // If no URL found, use default localhost URL for fixture
+      if (!resolvedUrl) {
+        resolvedUrl = `http://localhost:5173`; // Default Vite dev server
+        fixtureId = fixture;
+      }
+    } else {
+      throw new DataError(`Fixture not found: ${fixture}`);
+    }
+  }
+  
   // Validate required arguments
-  if (!url) {
-    throw new UsageError('Missing required argument: --url <url>');
+  if (!resolvedUrl) {
+    throw new UsageError('Missing required argument: --url <url> or --fixture <fixture>');
   }
   
   const projectRoot = resolve(process.cwd());
@@ -56,6 +110,9 @@ export async function runCommand(options) {
   if (!existsSync(srcPath)) {
     throw new DataError(`Source directory not found: ${srcPath}`);
   }
+
+  // Enforce local source availability (no URL-only scans)
+  assertHasLocalSource(srcPath);
   
   // Create event emitter
   const events = new RunEventEmitter();
@@ -92,6 +149,8 @@ export async function runCommand(options) {
       try {
         const failedAt = new Date().toISOString();
         atomicWriteJson(paths.runStatusJson, {
+          contractVersion: 1,
+          artifactVersions: paths.artifactVersions,
           status: 'FAILED',
           runId,
           startedAt,
@@ -100,6 +159,8 @@ export async function runCommand(options) {
         });
         
         atomicWriteJson(paths.runMetaJson, {
+          contractVersion: 1,
+          artifactVersions: paths.artifactVersions,
           veraxVersion: getVersion(),
           nodeVersion: process.version,
           platform: process.platform,
@@ -120,7 +181,7 @@ export async function runCommand(options) {
             startedAt,
             completedAt: failedAt,
             command: 'run',
-            url,
+            url: resolvedUrl,
             notes: `Run timed out: ${reason}`,
           }, {
             expectationsTotal: 0,
@@ -145,6 +206,70 @@ export async function runCommand(options) {
     });
   };
   
+  // PHASE 25: If determinism mode, wrap execution
+  if (determinism) {
+    const scanFn = async (runConfig) => {
+      // Execute a single scan run
+      const singleRunId = generateRunId();
+      const singlePaths = getRunPaths(projectRoot, out, singleRunId);
+      ensureRunDirectories(singlePaths);
+      
+      // Execute scan (reuse existing logic but with single run)
+      // This is a simplified version - in production, you'd extract the scan logic
+      const { scan } = await import('../../verax/index.js');
+      const scanResult = await scan(
+        projectRoot,
+        resolvedUrl,
+        null, // manifestPath
+        null, // scanBudgetOverride
+        {}, // safetyFlags
+        singleRunId
+      );
+      
+      return {
+        runId: singleRunId,
+        artifactPaths: {
+          findings: singlePaths.findingsJson,
+          runStatus: singlePaths.runStatusJson,
+          summary: singlePaths.summaryJson,
+          learn: singlePaths.learnJson,
+          observe: singlePaths.observeJson,
+          runDir: singlePaths.baseDir
+        }
+      };
+    };
+    
+    const determinismResult = await runWithDeterminism(scanFn, {
+      runs: determinismRuns,
+      out,
+      url: resolvedUrl,
+      fixture: fixtureId,
+      src,
+      verbose,
+      json
+    });
+    
+    // PHASE 25: Output determinism report path
+    if (!json) {
+      console.log(`\nDeterminism check complete.`);
+      console.log(`Verdict: ${determinismResult.verdict}`);
+      console.log(`Report: ${determinismResult.reportPath}`);
+    } else {
+      console.log(JSON.stringify({
+        type: 'determinism:complete',
+        verdict: determinismResult.verdict,
+        reportPath: determinismResult.reportPath,
+        summary: determinismResult.summary
+      }));
+    }
+    
+    return {
+      success: determinismResult.verdict === 'DETERMINISTIC' || determinismResult.verdict === 'NON_DETERMINISTIC_EXPECTED',
+      verdict: determinismResult.verdict,
+      reportPath: determinismResult.reportPath
+    };
+  }
+  
   try {
     // Generate run ID
     runId = generateRunId();
@@ -197,6 +322,8 @@ export async function runCommand(options) {
     startedAt = now.toISOString();
     
     atomicWriteJson(paths.runStatusJson, {
+      contractVersion: 1,
+      artifactVersions: paths.artifactVersions,
       status: 'RUNNING',
       runId,
       startedAt,
@@ -204,13 +331,16 @@ export async function runCommand(options) {
     
     // Write metadata
     atomicWriteJson(paths.runMetaJson, {
+      contractVersion: 1,
+      artifactVersions: paths.artifactVersions,
       veraxVersion: getVersion(),
       nodeVersion: process.version,
       platform: process.platform,
       cwd: projectRoot,
       command: 'run',
-      args: { url, src, out },
-      url,
+      args: { url: resolvedUrl, fixture: fixtureId, src, out },
+      url: resolvedUrl,
+      fixtureId: fixtureId,
       src: srcPath,
       startedAt,
       completedAt: null,
@@ -402,29 +532,6 @@ export async function runCommand(options) {
     
     const completedAt = new Date().toISOString();
     
-    // Write completed status
-    atomicWriteJson(paths.runStatusJson, {
-      status: 'COMPLETE',
-      runId,
-      startedAt,
-      completedAt,
-    });
-    
-    // Update metadata with completion time
-    atomicWriteJson(paths.runMetaJson, {
-      veraxVersion: getVersion(),
-      nodeVersion: process.version,
-      platform: process.platform,
-      cwd: projectRoot,
-      command: 'run',
-      args: { url, src, out },
-      url,
-      src: srcPath,
-      startedAt,
-      completedAt,
-      error: null,
-    });
-    
     const runDurationMs = completedAt && startedAt ? (Date.parse(completedAt) - Date.parse(startedAt)) : 0;
     const metrics = {
       learnMs: observeData?.timings?.learnMs || 0,
@@ -439,6 +546,9 @@ export async function runCommand(options) {
       UNKNOWN: 0,
     };
 
+    // Write detect results (or empty if detection failed)
+    const findingsResult = writeFindingsJson(paths.baseDir, detectData);
+
     // Write summary with stable digest
     writeSummaryJson(paths.summaryJson, {
       runId,
@@ -462,9 +572,6 @@ export async function runCommand(options) {
       ...findingsCounts,
     });
     
-    // Write detect results (or empty if detection failed)
-    writeFindingsJson(paths.baseDir, detectData);
-    
     // Write traces (include all events including heartbeats)
     const allEvents = events.getEvents();
     const tracesContent = allEvents
@@ -480,6 +587,77 @@ export async function runCommand(options) {
     
     // Write observe results
     writeObserveJson(paths.baseDir, observeData);
+
+    // PHASE 6: Verify artifacts after all writers finish
+    const { verifyRun } = await import('../../verax/core/artifacts/verifier.js');
+    const verification = verifyRun(paths.baseDir, paths.artifactVersions);
+    
+    // Determine final status based on verification
+    let finalStatus = 'COMPLETE';
+    if (!verification.ok) {
+      finalStatus = 'INVALID';
+    } else if (verification.warnings.length > 0) {
+      finalStatus = 'VALID_WITH_WARNINGS';
+    }
+    
+    // PHASE 21.2: Compute determinism summary for run.status.json
+    let determinismSummary = null;
+    try {
+      const decisionsPath = resolve(paths.baseDir, 'decisions.json');
+      if (existsSync(decisionsPath)) {
+        const decisions = JSON.parse(readFileSync(decisionsPath, 'utf-8'));
+        const { DecisionRecorder } = await import('../../verax/core/determinism-model.js');
+        const recorder = DecisionRecorder.fromExport(decisions);
+        const { computeDeterminismVerdict } = await import('../../verax/core/determinism/contract.js');
+        const verdict = computeDeterminismVerdict(recorder);
+        
+        determinismSummary = {
+          verdict: verdict.verdict, // DETERMINISTIC or NON_DETERMINISTIC
+          message: verdict.message,
+          adaptiveEventsCount: verdict.adaptiveEvents.length
+        };
+      }
+    } catch (error) {
+      // Ignore errors - determinism summary is optional
+    }
+    
+    // Write completed status with contract + enforcement snapshot + verification + determinism
+    atomicWriteJson(paths.runStatusJson, {
+      contractVersion: 1,
+      artifactVersions: paths.artifactVersions,
+      status: finalStatus,
+      runId,
+      startedAt,
+      completedAt,
+      enforcement: findingsResult?.payload?.enforcement || null,
+      verification: {
+        ok: verification.ok,
+        status: finalStatus,
+        errorsCount: verification.errors.length,
+        warningsCount: verification.warnings.length,
+        verifiedAt: verification.verifiedAt
+      },
+      // PHASE 21.2: Determinism summary
+      determinismSummary: determinismSummary
+    });
+    
+    // Update metadata with completion time
+    atomicWriteJson(paths.runMetaJson, {
+      contractVersion: 1,
+      artifactVersions: paths.artifactVersions,
+      veraxVersion: getVersion(),
+      nodeVersion: process.version,
+      platform: process.platform,
+      cwd: projectRoot,
+      command: 'run',
+      args: { url: resolvedUrl, fixture: fixtureId, src, out },
+      url: resolvedUrl,
+      fixtureId: fixtureId,
+      src: srcPath,
+      startedAt,
+      completedAt,
+      error: null,
+    });
     
     events.emit('phase:completed', {
       phase: 'Finalize Artifacts',
@@ -511,6 +689,34 @@ export async function runCommand(options) {
       console.log('\nRun complete.');
       console.log(`Run ID: ${runId}`);
       console.log(`Artifacts: ${paths.baseDir}`);
+      
+      // PHASE 21.2: Display determinism truth
+      if (determinismSummary) {
+        console.log('');
+        if (determinismSummary.verdict === 'DETERMINISTIC') {
+          console.log('Deterministic: YES');
+        } else {
+          console.log(`Deterministic: NO (${determinismSummary.message})`);
+          if (determinismSummary.adaptiveEventsCount > 0) {
+            console.log(`  Adaptive events detected: ${determinismSummary.adaptiveEventsCount}`);
+          }
+        }
+      }
+      
+      // PHASE 6: Display verification results
+      const { formatVerificationOutput } = await import('../../verax/core/artifacts/verifier.js');
+      const verificationOutput = formatVerificationOutput(verification, verbose);
+      console.log('');
+      console.log(verificationOutput);
+      
+      // PHASE 21.9: Display performance metrics
+      const { loadPerformanceReport } = await import('../../verax/core/perf/perf.report.js');
+      const { formatPerformanceMetrics } = await import('../../verax/core/perf/perf.display.js');
+      const perfReport = loadPerformanceReport(projectRoot, runId);
+      if (perfReport) {
+        console.log('');
+        console.log(formatPerformanceMetrics(perfReport));
+      }
     }
     
     return { runId, paths, success: true };
@@ -528,6 +734,8 @@ export async function runCommand(options) {
       try {
         const failedAt = new Date().toISOString();
         atomicWriteJson(paths.runStatusJson, {
+          contractVersion: 1,
+          artifactVersions: paths.artifactVersions,
           status: 'FAILED',
           runId,
           startedAt,
@@ -537,13 +745,16 @@ export async function runCommand(options) {
         
         // Update metadata
         atomicWriteJson(paths.runMetaJson, {
+          contractVersion: 1,
+          artifactVersions: paths.artifactVersions,
           veraxVersion: getVersion(),
           nodeVersion: process.version,
           platform: process.platform,
           cwd: projectRoot,
           command: 'run',
-          args: { url, src, out },
-          url,
+          args: { url: resolvedUrl || url, fixture: fixtureId, src, out },
+          url: resolvedUrl || url,
+          fixtureId: fixtureId,
           src: srcPath,
           startedAt,
           completedAt: failedAt,
@@ -558,7 +769,7 @@ export async function runCommand(options) {
             startedAt,
             completedAt: failedAt,
             command: 'run',
-            url,
+            url: resolvedUrl || url,
             notes: `Run failed: ${error.message}`,
           }, {
             expectationsTotal: 0,

package/src/cli/commands/security-check.js

@@ -0,0 +1,211 @@
+/**
+ * PHASE 21.8 — Security Check CLI Command
+ * 
+ * Checks security baseline: secrets, vulnerabilities, supply-chain.
+ * Exit codes: 0 = SECURITY-OK, 6 = SECURITY-BLOCKED, 70 = Internal corruption
+ */
+
+import { scanSecrets, writeSecretsReport } from '../../verax/core/security/secrets.scan.js';
+import { scanVulnerabilities, writeVulnReport } from '../../verax/core/security/vuln.scan.js';
+import { evaluateSupplyChainPolicy, writeSupplyChainReport } from '../../verax/core/security/supplychain.policy.js';
+import { writeSecurityReport } from '../../verax/core/security/security-report.js';
+import { resolve } from 'path';
+import { mkdirSync, existsSync } from 'fs';
+
+/**
+ * Security check command
+ * 
+ * @param {Object} options - Options
+ * @param {boolean} [options.json] - Output as JSON
+ */
+export async function securityCheckCommand(options = {}) {
+  const { json = false } = options;
+  const projectDir = resolve(process.cwd());
+  
+  const status = {
+    secrets: { ok: false, hasSecrets: false, blockers: [], tool: 'VERAX_SECRETS_SCANNER' },
+    vulnerabilities: { ok: false, blocking: false, blockers: [], warnings: [], tool: null, availability: 'UNKNOWN' },
+    supplychain: { ok: false, violations: [], blockers: [], tool: 'VERAX_SUPPLYCHAIN_POLICY' }
+  };
+  
+  // 1. Scan for secrets
+  try {
+    const secretsResult = await scanSecrets(projectDir);
+    writeSecretsReport(projectDir, secretsResult);
+    
+    status.secrets.ok = secretsResult.ok;
+    status.secrets.hasSecrets = secretsResult.hasSecrets;
+    
+    if (secretsResult.hasSecrets) {
+      const critical = secretsResult.findings.filter(f => f.severity === 'CRITICAL');
+      const high = secretsResult.findings.filter(f => f.severity === 'HIGH');
+      
+      if (critical.length > 0) {
+        status.secrets.blockers.push(`${critical.length} CRITICAL secret(s) detected`);
+      }
+      if (high.length > 0) {
+        status.secrets.blockers.push(`${high.length} HIGH severity secret(s) detected`);
+      }
+      
+      // Add sample findings (first 3)
+      const sampleFindings = secretsResult.findings.slice(0, 3).map(f => 
+        `${f.type} in ${f.file}:${f.line}`
+      );
+      status.secrets.blockers.push(`Sample findings: ${sampleFindings.join(', ')}`);
+    }
+  } catch (error) {
+    status.secrets.blockers.push(`Secrets scan failed: ${error.message}`);
+  }
+  
+  // 2. Scan vulnerabilities
+  let vulnResult = null;
+  try {
+    vulnResult = await scanVulnerabilities(projectDir);
+    writeVulnReport(projectDir, vulnResult);
+    
+    status.vulnerabilities.ok = !vulnResult.blocking;
+    status.vulnerabilities.blocking = vulnResult.blocking;
+    status.vulnerabilities.tool = vulnResult.tool || null;
+    status.vulnerabilities.availability = vulnResult.availability || 'UNKNOWN';
+    status.vulnerabilities.osvAvailable = vulnResult.osvAvailable || false;
+    
+    if (vulnResult.availability === 'NOT_AVAILABLE') {
+      status.vulnerabilities.warnings.push('OSV scanner not available, using npm audit fallback');
+    }
+    
+    if (vulnResult.blocking) {
+      if (vulnResult.summary.critical > 0) {
+        status.vulnerabilities.blockers.push(`${vulnResult.summary.critical} CRITICAL vulnerability/vulnerabilities`);
+      }
+      if (vulnResult.summary.high > 0) {
+        status.vulnerabilities.blockers.push(`${vulnResult.summary.high} HIGH severity vulnerability/vulnerabilities`);
+      }
+    }
+    
+    if (vulnResult.summary.medium > 0 && !vulnResult.blocking) {
+      status.vulnerabilities.warnings.push(`${vulnResult.summary.medium} MEDIUM severity vulnerability/vulnerabilities (non-blocking)`);
+    }
+  } catch (error) {
+    status.vulnerabilities.blockers.push(`Vulnerability scan failed: ${error.message}`);
+  }
+  
+  // 3. Check supply-chain policy
+  let supplyChainResult = null;
+  try {
+    supplyChainResult = await evaluateSupplyChainPolicy(projectDir);
+    writeSupplyChainReport(projectDir, supplyChainResult);
+    
+    status.supplychain.ok = supplyChainResult.ok;
+    status.supplychain.violations = supplyChainResult.violations;
+    
+    if (!supplyChainResult.ok) {
+      for (const violation of supplyChainResult.violations) {
+        status.supplychain.blockers.push(violation.message);
+      }
+    }
+  } catch (error) {
+    status.supplychain.blockers.push(`Supply-chain check failed: ${error.message}`);
+  }
+  
+  // Determine overall status
+  const allOk = status.secrets.ok && status.vulnerabilities.ok && status.supplychain.ok;
+  
+  // Write unified security report
+  let secretsReport = null;
+  try {
+    const secretsPath = resolve(projectDir, 'release', 'security.secrets.report.json');
+    if (existsSync(secretsPath)) {
+      const { readFileSync } = await import('fs');
+      secretsReport = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+    }
+  } catch {
+    // Ignore
+  }
+  
+  let vulnReportData = vulnResult;
+  let supplyChainReportData = supplyChainResult;
+  
+  const unifiedReport = {
+    securityOk: allOk,
+    status,
+    summary: {
+      secrets: status.secrets.ok ? 'OK' : 'BLOCKED',
+      vulnerabilities: status.vulnerabilities.ok ? 'OK' : (status.vulnerabilities.blocking ? 'BLOCKED' : (status.vulnerabilities.availability === 'NOT_AVAILABLE' ? 'NOT_AVAILABLE' : 'WARN')),
+      supplychain: status.supplychain.ok ? 'OK' : 'BLOCKED'
+    },
+    secretsReport,
+    vulnReport: vulnReportData,
+    supplyChainReport: supplyChainReportData
+  };
+  
+  const unifiedReportPath = writeSecurityReport(projectDir, unifiedReport);
+  const hasInternalCorruption = 
+    status.secrets.blockers.some(b => b.includes('corruption') || b.includes('Internal')) ||
+    status.vulnerabilities.blockers.some(b => b.includes('corruption')) ||
+    status.supplychain.blockers.some(b => b.includes('corruption'));
+  
+  // Output
+  if (json) {
+    console.log(JSON.stringify({
+      securityOk: allOk,
+      status,
+      summary: {
+        secrets: status.secrets.ok ? 'OK' : 'BLOCKED',
+        vulnerabilities: status.vulnerabilities.ok ? 'OK' : (status.vulnerabilities.blocking ? 'BLOCKED' : (status.vulnerabilities.availability === 'NOT_AVAILABLE' ? 'NOT_AVAILABLE' : 'WARN')),
+        supplychain: status.supplychain.ok ? 'OK' : 'BLOCKED'
+      },
+      unifiedReportPath: unifiedReportPath
+    }, null, 2));
+  } else {
+    console.log('\n' + '='.repeat(80));
+    console.log('SECURITY BASELINE CHECK');
+    console.log('='.repeat(80));
+    
+    console.log(`\nSecrets: ${status.secrets.ok ? '✅ OK' : '❌ BLOCKED'}`);
+    if (status.secrets.blockers.length > 0) {
+      for (const blocker of status.secrets.blockers) {
+        console.log(`  - ${blocker}`);
+      }
+    }
+    
+    console.log(`\nVulnerabilities: ${status.vulnerabilities.ok ? '✅ OK' : (status.vulnerabilities.blocking ? '❌ BLOCKED' : '⚠️  WARN')}`);
+    if (status.vulnerabilities.blockers.length > 0) {
+      for (const blocker of status.vulnerabilities.blockers) {
+        console.log(`  - ${blocker}`);
+      }
+    }
+    if (status.vulnerabilities.warnings.length > 0) {
+      for (const warning of status.vulnerabilities.warnings) {
+        console.log(`  ⚠️  ${warning}`);
+      }
+    }
+    
+    console.log(`\nSupply-chain: ${status.supplychain.ok ? '✅ OK' : '❌ BLOCKED'}`);
+    if (status.supplychain.blockers.length > 0) {
+      for (const blocker of status.supplychain.blockers) {
+        console.log(`  - ${blocker}`);
+      }
+    }
+    
+    console.log(`\nOverall: ${allOk ? '✅ SECURITY-OK' : '❌ SECURITY-BLOCKED'}`);
+    console.log(`\nSee unified report: ${unifiedReportPath}`);
+    console.log('='.repeat(80) + '\n');
+  }
+  
+  // Exit codes: 0 = SECURITY-OK, 6 = SECURITY-BLOCKED, 70 = Internal corruption
+  // NOT_AVAILABLE tools exit 0 only if policy allows (strict mode would exit 2)
+  const hasNotAvailable = status.vulnerabilities.availability === 'NOT_AVAILABLE';
+  const strictMode = process.env.VERAX_SECURITY_STRICT === '1';
+  
+  if (allOk) {
+    process.exit(0);
+  } else if (hasNotAvailable && !strictMode) {
+    // NOT_AVAILABLE is not a blocker unless strict mode
+    process.exit(0);
+  } else if (hasInternalCorruption) {
+    process.exit(70);
+  } else {
+    process.exit(6);
+  }
+}
+