@veraxhq/verax 0.2.1 → 0.3.0

package/src/verax/core/release/reproducibility.check.js

@@ -0,0 +1,221 @@
+/**
+ * PHASE 21.7 — Reproducibility Check
+ * 
+ * Verifies that same commit + same policies = same hashes.
+ * Difference = NON_REPRODUCIBLE (BLOCKING for GA).
+ */
+
+import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'fs';
+import { resolve } from 'path';
+import { createHash } from 'crypto';
+import { execSync } from 'child_process';
+
+/**
+ * Get current git commit
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {string|null} Commit hash or null
+ */
+function getGitCommit(projectDir) {
+  try {
+    const result = execSync('git rev-parse HEAD', { 
+      cwd: projectDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    });
+    return result.trim();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get policy hashes
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} Policy hashes
+ */
+async function getPolicyHashes(projectDir) {
+  try {
+    const { loadGuardrailsPolicy } = await import('../guardrails/policy.loader.js');
+    const { loadConfidencePolicy } = await import('../confidence/confidence.loader.js');
+    
+    const guardrails = loadGuardrailsPolicy(null, projectDir);
+    const confidence = loadConfidencePolicy(null, projectDir);
+    
+    const guardrailsHash = createHash('sha256')
+      .update(JSON.stringify(guardrails, null, 0))
+      .digest('hex');
+    
+    const confidenceHash = createHash('sha256')
+      .update(JSON.stringify(confidence, null, 0))
+      .digest('hex');
+    
+    return {
+      guardrails: guardrailsHash,
+      confidence: confidenceHash
+    };
+  } catch {
+    return {
+      guardrails: null,
+      confidence: null
+    };
+  }
+}
+
+/**
+ * Get artifact hashes
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Artifact hashes
+ */
+function getArtifactHashes(projectDir) {
+  const hashes = {};
+  
+  // Hash key files
+  const keyFiles = [
+    'package.json',
+    'bin/verax.js',
+    'src/cli/entry.js'
+  ];
+  
+  for (const file of keyFiles) {
+    const filePath = resolve(projectDir, file);
+    if (existsSync(filePath)) {
+      try {
+        const content = readFileSync(filePath);
+        hashes[file] = createHash('sha256').update(content).digest('hex');
+      } catch {
+        hashes[file] = null;
+      }
+    } else {
+      hashes[file] = null;
+    }
+  }
+  
+  return hashes;
+}
+
+/**
+ * Load previous reproducibility report
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object|null} Previous report or null
+ */
+function loadPreviousReport(projectDir) {
+  const reportPath = resolve(projectDir, 'release', 'reproducibility.report.json');
+  if (!existsSync(reportPath)) {
+    return null;
+  }
+  
+  try {
+    const content = readFileSync(reportPath, 'utf-8');
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check reproducibility
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} Reproducibility check result
+ */
+export async function checkReproducibility(projectDir) {
+  const gitCommit = getGitCommit(projectDir);
+  const policyHashes = await getPolicyHashes(projectDir);
+  const artifactHashes = getArtifactHashes(projectDir);
+  
+  const current = {
+    gitCommit,
+    policies: policyHashes,
+    artifacts: artifactHashes,
+    checkedAt: new Date().toISOString()
+  };
+  
+  const previous = loadPreviousReport(projectDir);
+  
+  let reproducible = true;
+  const differences = [];
+  
+  if (previous) {
+    // Compare with previous build
+    if (previous.gitCommit !== gitCommit) {
+      reproducible = false;
+      differences.push({
+        type: 'git_commit',
+        previous: previous.gitCommit,
+        current: gitCommit,
+        message: 'Git commit changed'
+      });
+    }
+    
+    if (previous.policies?.guardrails !== policyHashes.guardrails) {
+      reproducible = false;
+      differences.push({
+        type: 'guardrails_policy',
+        previous: previous.policies?.guardrails,
+        current: policyHashes.guardrails,
+        message: 'Guardrails policy changed'
+      });
+    }
+    
+    if (previous.policies?.confidence !== policyHashes.confidence) {
+      reproducible = false;
+      differences.push({
+        type: 'confidence_policy',
+        previous: previous.policies?.confidence,
+        current: policyHashes.confidence,
+        message: 'Confidence policy changed'
+      });
+    }
+    
+    // Compare artifact hashes
+    for (const [file, hash] of Object.entries(artifactHashes)) {
+      if (previous.artifacts?.[file] !== hash) {
+        reproducible = false;
+        differences.push({
+          type: 'artifact',
+          file,
+          previous: previous.artifacts?.[file],
+          current: hash,
+          message: `Artifact ${file} changed`
+        });
+      }
+    }
+  }
+  
+  const verdict = reproducible ? 'REPRODUCIBLE' : 'NON_REPRODUCIBLE';
+  
+  const report = {
+    verdict,
+    reproducible,
+    differences,
+    current,
+    previous: previous || null,
+    checkedAt: new Date().toISOString()
+  };
+  
+  return report;
+}
+
+/**
+ * Write reproducibility report
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} report - Reproducibility report
+ * @returns {string} Path to written file
+ */
+export function writeReproducibilityReport(projectDir, report) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  
+  const outputPath = resolve(outputDir, 'reproducibility.report.json');
+  writeFileSync(outputPath, JSON.stringify(report, null, 2), 'utf-8');
+  
+  return outputPath;
+}
+

package/src/verax/core/release/sbom.builder.js

@@ -0,0 +1,283 @@
+/**
+ * PHASE 21.7 — SBOM Builder
+ * 
+ * Generates Software Bill of Materials (SBOM) in CycloneDX format.
+ * Missing SBOM = BLOCKING.
+ */
+
+import { readFileSync, existsSync, writeFileSync, mkdirSync, readdirSync } from 'fs';
+import { resolve } from 'path';
+import { createHash } from 'crypto';
+import { execSync } from 'child_process';
+
+/**
+ * Get package.json dependencies
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Dependencies object
+ */
+function getDependencies(projectDir) {
+  try {
+    const pkgPath = resolve(projectDir, 'package.json');
+    if (!existsSync(pkgPath)) {
+      return { dependencies: {}, devDependencies: {} };
+    }
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return {
+      dependencies: pkg.dependencies || {},
+      devDependencies: pkg.devDependencies || {}
+    };
+  } catch {
+    return { dependencies: {}, devDependencies: {} };
+  }
+}
+
+/**
+ * Get transitive dependencies from node_modules
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Array} Array of package info
+ */
+function getTransitiveDependencies(projectDir) {
+  const packages = [];
+  const nodeModulesPath = resolve(projectDir, 'node_modules');
+  
+  if (!existsSync(nodeModulesPath)) {
+    return packages;
+  }
+  
+  try {
+    // Use npm ls to get dependency tree
+    const result = execSync('npm ls --all --json', {
+      cwd: projectDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    });
+    
+    const tree = JSON.parse(result);
+    
+    function traverseDeps(deps, parent = null) {
+      if (!deps || typeof deps !== 'object') {
+        return;
+      }
+      
+      for (const [name, info] of Object.entries(deps)) {
+        if (info && typeof info === 'object' && info.version) {
+          packages.push({
+            name,
+            version: info.version,
+            parent: parent || null
+          });
+          
+          if (info.dependencies) {
+            traverseDeps(info.dependencies, name);
+          }
+        }
+      }
+    }
+    
+    if (tree.dependencies) {
+      traverseDeps(tree.dependencies);
+    }
+  } catch {
+    // Fallback: scan node_modules directory
+    try {
+      const entries = readdirSync(nodeModulesPath, { withFileTypes: true });
+      
+      for (const entry of entries) {
+        if (entry.isDirectory() && !entry.name.startsWith('.')) {
+          const pkgPath = resolve(nodeModulesPath, entry.name, 'package.json');
+          if (existsSync(pkgPath)) {
+            try {
+              const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+              packages.push({
+                name: pkg.name || entry.name,
+                version: pkg.version || 'unknown',
+                parent: null
+              });
+            } catch {
+              // Skip invalid packages
+            }
+          }
+        }
+      }
+    } catch {
+      // If scanning fails, return empty
+    }
+  }
+  
+  return packages;
+}
+
+/**
+ * Get license from package.json
+ * 
+ * @param {string} packagePath - Path to package.json
+ * @returns {string|null} License or null
+ */
+function getPackageLicense(packagePath) {
+  try {
+    if (!existsSync(packagePath)) {
+      return null;
+    }
+    const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'));
+    if (typeof pkg.license === 'string') {
+      return pkg.license;
+    } else if (pkg.license && pkg.license.type) {
+      return pkg.license.type;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Compute integrity hash for a package
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {string} packageName - Package name
+ * @returns {string|null} SHA256 hash or null
+ */
+function getPackageIntegrity(projectDir, packageName) {
+  try {
+    const packagePath = resolve(projectDir, 'node_modules', packageName);
+    if (!existsSync(packagePath)) {
+      return null;
+    }
+    
+    // Hash the package.json as a proxy for package integrity
+    const pkgPath = resolve(packagePath, 'package.json');
+    if (existsSync(pkgPath)) {
+      const content = readFileSync(pkgPath);
+      return createHash('sha256').update(content).digest('hex');
+    }
+    
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Build SBOM in CycloneDX format
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} SBOM object
+ */
+export async function buildSBOM(projectDir) {
+  const pkgPath = resolve(projectDir, 'package.json');
+  if (!existsSync(pkgPath)) {
+    throw new Error('Cannot build SBOM: package.json not found');
+  }
+  
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+  const deps = getDependencies(projectDir);
+  const transitive = getTransitiveDependencies(projectDir);
+  
+  // Build components list
+  const components = [];
+  
+  // Add main package
+  components.push({
+    type: 'application',
+    name: pkg.name || 'unknown',
+    version: pkg.version || 'unknown',
+    purl: `pkg:npm/${pkg.name}@${pkg.version}`,
+    licenses: pkg.license ? [{ license: { id: pkg.license } }] : []
+  });
+  
+  // Add direct dependencies
+  for (const [name, version] of Object.entries(deps.dependencies)) {
+    const integrity = getPackageIntegrity(projectDir, name);
+    const license = getPackageLicense(resolve(projectDir, 'node_modules', name, 'package.json'));
+    
+    components.push({
+      type: 'library',
+      name,
+      version: version.replace(/^[\^~]/, ''),
+      purl: `pkg:npm/${name}@${version.replace(/^[\^~]/, '')}`,
+      hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+      licenses: license ? [{ license: { id: license } }] : []
+    });
+  }
+  
+  // Add dev dependencies (marked as development)
+  for (const [name, version] of Object.entries(deps.devDependencies)) {
+    const integrity = getPackageIntegrity(projectDir, name);
+    const license = getPackageLicense(resolve(projectDir, 'node_modules', name, 'package.json'));
+    
+    components.push({
+      type: 'library',
+      name,
+      version: version.replace(/^[\^~]/, ''),
+      purl: `pkg:npm/${name}@${version.replace(/^[\^~]/, '')}`,
+      hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+      licenses: license ? [{ license: { id: license } }] : [],
+      scope: 'development'
+    });
+  }
+  
+  // Add transitive dependencies (simplified - in production, use proper dependency resolution)
+  const transitiveMap = new Map();
+  for (const trans of transitive) {
+    const key = `${trans.name}@${trans.version}`;
+    if (!transitiveMap.has(key)) {
+      transitiveMap.set(key, trans);
+      
+      const integrity = getPackageIntegrity(projectDir, trans.name);
+      const license = getPackageLicense(resolve(projectDir, 'node_modules', trans.name, 'package.json'));
+      
+      components.push({
+        type: 'library',
+        name: trans.name,
+        version: trans.version,
+        purl: `pkg:npm/${trans.name}@${trans.version}`,
+        hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+        licenses: license ? [{ license: { id: license } }] : []
+      });
+    }
+  }
+  
+  const sbom = {
+    bomFormat: 'CycloneDX',
+    specVersion: '1.4',
+    version: 1,
+    metadata: {
+      timestamp: new Date().toISOString(),
+      tools: [{
+        vendor: 'VERAX',
+        name: 'SBOM Builder',
+        version: '1.0.0'
+      }],
+      component: {
+        type: 'application',
+        name: pkg.name || 'unknown',
+        version: pkg.version || 'unknown'
+      }
+    },
+    components: components
+  };
+  
+  return sbom;
+}
+
+/**
+ * Write SBOM to file
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} sbom - SBOM object
+ * @returns {string} Path to written file
+ */
+export function writeSBOM(projectDir, sbom) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  
+  const outputPath = resolve(outputDir, 'sbom.json');
+  writeFileSync(outputPath, JSON.stringify(sbom, null, 2), 'utf-8');
+  
+  return outputPath;
+}
+

package/src/verax/core/report/cross-index.js

@@ -0,0 +1,192 @@
+/**
+ * PHASE 21.10 — Artifact Cross-Index
+ * 
+ * Builds cross-index linking findingId to all related artifacts.
+ */
+
+import { readFileSync, existsSync, writeFileSync, readdirSync } from 'fs';
+import { resolve, relative } from 'path';
+
+/**
+ * Build cross-index
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {string} runId - Run ID
+ * @returns {Object} Cross-index
+ */
+export function buildCrossIndex(projectDir, runId) {
+  const runDir = resolve(projectDir, '.verax', 'runs', runId);
+  
+  if (!existsSync(runDir)) {
+    return null;
+  }
+  
+  const index = {};
+  
+  // Load findings
+  const findingsPath = resolve(runDir, 'findings.json');
+  if (!existsSync(findingsPath)) {
+    return {
+      runId,
+      findings: {},
+      summary: { total: 0 },
+      generatedAt: new Date().toISOString()
+    };
+  }
+  
+  const findings = JSON.parse(readFileSync(findingsPath, 'utf-8'));
+  const evidenceIndex = loadArtifact(runDir, 'evidence.index.json');
+  const decisionTrace = loadArtifact(runDir, 'decisions.trace.json');
+  const timeline = loadArtifact(runDir, 'run.timeline.json');
+  const failureLedger = loadArtifact(runDir, 'failure.ledger.json');
+  const performanceReport = loadArtifact(runDir, 'performance.report.json');
+  
+  if (!Array.isArray(findings.findings)) {
+    return {
+      runId,
+      findings: {},
+      summary: { total: 0 },
+      generatedAt: new Date().toISOString()
+    };
+  }
+  
+  for (const finding of findings.findings) {
+    const findingId = finding.findingId || finding.id || `finding-${Object.keys(index).length}`;
+    
+    const entry = {
+      findingId,
+      type: finding.type || null,
+      status: finding.severity || finding.status || null,
+      
+      // Evidence files
+      evidence: {
+        packageId: finding.evidencePackage?.id || null,
+        files: finding.evidencePackage?.files || [],
+        isComplete: finding.evidencePackage?.isComplete || false,
+        beforeScreenshot: finding.evidence?.before || null,
+        afterScreenshot: finding.evidence?.after || null
+      },
+      
+      // Confidence reasons
+      confidence: {
+        level: finding.confidenceLevel || null,
+        score: finding.confidence !== undefined ? finding.confidence : null,
+        reasons: finding.confidenceReasons || [],
+        trace: decisionTrace?.findings?.find(t => t.findingId === findingId)?.confidence || null
+      },
+      
+      // Guardrails rules
+      guardrails: {
+        applied: finding.guardrails?.appliedRules?.map(r => ({
+          id: r.id || r,
+          category: r.category || null,
+          action: r.action || null
+        })) || [],
+        finalDecision: finding.guardrails?.finalDecision || null,
+        contradictions: finding.guardrails?.contradictions || [],
+        trace: decisionTrace?.findings?.find(t => t.findingId === findingId)?.guardrails || null
+      },
+      
+      // Failures (if any related)
+      failures: failureLedger?.failures?.filter(f => 
+        f.context?.findingId === findingId || 
+        f.message?.includes(findingId)
+      ).map(f => ({
+        code: f.code,
+        message: f.message,
+        severity: f.severity,
+        timestamp: f.timestamp
+      })) || [],
+      
+      // Performance impacts (if any)
+      performance: performanceReport?.violations?.some(v => 
+        v.message?.includes(findingId)
+      ) ? {
+        impacted: true,
+        violations: performanceReport.violations.filter(v => 
+          v.message?.includes(findingId)
+        )
+      } : null,
+      
+      // Timeline entries
+      timeline: timeline?.events?.filter(e => 
+        e.data?.findingId === findingId ||
+        (e.event === 'guardrails_applied' && e.data?.findingId === findingId) ||
+        (e.event === 'evidence_enforced' && e.data?.findingId === findingId)
+      ).map(e => ({
+        timestamp: e.timestamp,
+        phase: e.phase,
+        event: e.event,
+        data: e.data
+      })) || []
+    };
+    
+    index[findingId] = entry;
+  }
+  
+  return {
+    runId,
+    findings: index,
+    summary: {
+      total: Object.keys(index).length,
+      withEvidence: Object.values(index).filter(e => e.evidence.files.length > 0).length,
+      withGuardrails: Object.values(index).filter(e => e.guardrails.applied.length > 0).length,
+      withFailures: Object.values(index).filter(e => e.failures.length > 0).length,
+      withTimeline: Object.values(index).filter(e => e.timeline.length > 0).length
+    },
+    generatedAt: new Date().toISOString()
+  };
+}
+
+/**
+ * Load artifact JSON
+ */
+function loadArtifact(runDir, filename) {
+  const path = resolve(runDir, filename);
+  if (!existsSync(path)) {
+    return null;
+  }
+  try {
+    return JSON.parse(readFileSync(path, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Write cross-index to file
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {string} runId - Run ID
+ * @param {Object} index - Cross-index
+ * @returns {string} Path to written file
+ */
+export function writeCrossIndex(projectDir, runId, index) {
+  const runDir = resolve(projectDir, '.verax', 'runs', runId);
+  const outputPath = resolve(runDir, 'artifacts.index.json');
+  writeFileSync(outputPath, JSON.stringify(index, null, 2), 'utf-8');
+  return outputPath;
+}
+
+/**
+ * Load cross-index from file
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {string} runId - Run ID
+ * @returns {Object|null} Cross-index or null
+ */
+export function loadCrossIndex(projectDir, runId) {
+  const runDir = resolve(projectDir, '.verax', 'runs', runId);
+  const indexPath = resolve(runDir, 'artifacts.index.json');
+  
+  if (!existsSync(indexPath)) {
+    return null;
+  }
+  
+  try {
+    return JSON.parse(readFileSync(indexPath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+