npm - @veraxhq/verax - Versions diffs - 0.2.1 → 0.3.0 - Mend

@veraxhq/verax 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (152) hide show

package/README.md +14 -18
package/bin/verax.js +7 -0
package/package.json +3 -3
package/src/cli/commands/baseline.js +104 -0
package/src/cli/commands/default.js +79 -25
package/src/cli/commands/ga.js +243 -0
package/src/cli/commands/gates.js +95 -0
package/src/cli/commands/inspect.js +131 -2
package/src/cli/commands/release-check.js +213 -0
package/src/cli/commands/run.js +246 -35
package/src/cli/commands/security-check.js +211 -0
package/src/cli/commands/truth.js +114 -0
package/src/cli/entry.js +304 -67
package/src/cli/util/angular-component-extractor.js +179 -0
package/src/cli/util/angular-navigation-detector.js +141 -0
package/src/cli/util/angular-network-detector.js +161 -0
package/src/cli/util/angular-state-detector.js +162 -0
package/src/cli/util/ast-interactive-detector.js +546 -0
package/src/cli/util/ast-network-detector.js +603 -0
package/src/cli/util/ast-usestate-detector.js +602 -0
package/src/cli/util/bootstrap-guard.js +86 -0
package/src/cli/util/determinism-runner.js +123 -0
package/src/cli/util/determinism-writer.js +129 -0
package/src/cli/util/env-url.js +4 -0
package/src/cli/util/expectation-extractor.js +369 -73
package/src/cli/util/findings-writer.js +126 -16
package/src/cli/util/learn-writer.js +3 -1
package/src/cli/util/observe-writer.js +3 -1
package/src/cli/util/paths.js +3 -12
package/src/cli/util/project-discovery.js +3 -0
package/src/cli/util/project-writer.js +3 -1
package/src/cli/util/run-resolver.js +64 -0
package/src/cli/util/source-requirement.js +55 -0
package/src/cli/util/summary-writer.js +1 -0
package/src/cli/util/svelte-navigation-detector.js +163 -0
package/src/cli/util/svelte-network-detector.js +80 -0
package/src/cli/util/svelte-sfc-extractor.js +147 -0
package/src/cli/util/svelte-state-detector.js +243 -0
package/src/cli/util/vue-navigation-detector.js +177 -0
package/src/cli/util/vue-sfc-extractor.js +162 -0
package/src/cli/util/vue-state-detector.js +215 -0
package/src/verax/cli/finding-explainer.js +56 -3
package/src/verax/core/artifacts/registry.js +154 -0
package/src/verax/core/artifacts/verifier.js +980 -0
package/src/verax/core/baseline/baseline.enforcer.js +137 -0
package/src/verax/core/baseline/baseline.snapshot.js +231 -0
package/src/verax/core/capabilities/gates.js +499 -0
package/src/verax/core/capabilities/registry.js +475 -0
package/src/verax/core/confidence/confidence-compute.js +137 -0
package/src/verax/core/confidence/confidence-invariants.js +234 -0
package/src/verax/core/confidence/confidence-report-writer.js +112 -0
package/src/verax/core/confidence/confidence-weights.js +44 -0
package/src/verax/core/confidence/confidence.defaults.js +65 -0
package/src/verax/core/confidence/confidence.loader.js +79 -0
package/src/verax/core/confidence/confidence.schema.js +94 -0
package/src/verax/core/confidence-engine-refactor.js +484 -0
package/src/verax/core/confidence-engine.js +486 -0
package/src/verax/core/confidence-engine.js.backup +471 -0
package/src/verax/core/contracts/index.js +29 -0
package/src/verax/core/contracts/types.js +185 -0
package/src/verax/core/contracts/validators.js +381 -0
package/src/verax/core/decision-snapshot.js +30 -3
package/src/verax/core/decisions/decision.trace.js +276 -0
package/src/verax/core/determinism/contract-writer.js +89 -0
package/src/verax/core/determinism/contract.js +139 -0
package/src/verax/core/determinism/diff.js +364 -0
package/src/verax/core/determinism/engine.js +221 -0
package/src/verax/core/determinism/finding-identity.js +148 -0
package/src/verax/core/determinism/normalize.js +438 -0
package/src/verax/core/determinism/report-writer.js +92 -0
package/src/verax/core/determinism/run-fingerprint.js +118 -0
package/src/verax/core/dynamic-route-intelligence.js +528 -0
package/src/verax/core/evidence/evidence-capture-service.js +307 -0
package/src/verax/core/evidence/evidence-intent-ledger.js +165 -0
package/src/verax/core/evidence-builder.js +487 -0
package/src/verax/core/execution-mode-context.js +77 -0
package/src/verax/core/execution-mode-detector.js +190 -0
package/src/verax/core/failures/exit-codes.js +86 -0
package/src/verax/core/failures/failure-summary.js +76 -0
package/src/verax/core/failures/failure.factory.js +225 -0
package/src/verax/core/failures/failure.ledger.js +132 -0
package/src/verax/core/failures/failure.types.js +196 -0
package/src/verax/core/failures/index.js +10 -0
package/src/verax/core/ga/ga-report-writer.js +43 -0
package/src/verax/core/ga/ga.artifact.js +49 -0
package/src/verax/core/ga/ga.contract.js +434 -0
package/src/verax/core/ga/ga.enforcer.js +86 -0
package/src/verax/core/guardrails/guardrails-report-writer.js +109 -0
package/src/verax/core/guardrails/policy.defaults.js +210 -0
package/src/verax/core/guardrails/policy.loader.js +83 -0
package/src/verax/core/guardrails/policy.schema.js +110 -0
package/src/verax/core/guardrails/truth-reconciliation.js +136 -0
package/src/verax/core/guardrails-engine.js +505 -0
package/src/verax/core/observe/run-timeline.js +316 -0
package/src/verax/core/perf/perf.contract.js +186 -0
package/src/verax/core/perf/perf.display.js +65 -0
package/src/verax/core/perf/perf.enforcer.js +91 -0
package/src/verax/core/perf/perf.monitor.js +209 -0
package/src/verax/core/perf/perf.report.js +198 -0
package/src/verax/core/pipeline-tracker.js +238 -0
package/src/verax/core/product-definition.js +127 -0
package/src/verax/core/release/provenance.builder.js +271 -0
package/src/verax/core/release/release-report-writer.js +40 -0
package/src/verax/core/release/release.enforcer.js +159 -0
package/src/verax/core/release/reproducibility.check.js +221 -0
package/src/verax/core/release/sbom.builder.js +283 -0
package/src/verax/core/report/cross-index.js +192 -0
package/src/verax/core/report/human-summary.js +222 -0
package/src/verax/core/route-intelligence.js +419 -0
package/src/verax/core/security/secrets.scan.js +326 -0
package/src/verax/core/security/security-report.js +50 -0
package/src/verax/core/security/security.enforcer.js +124 -0
package/src/verax/core/security/supplychain.defaults.json +38 -0
package/src/verax/core/security/supplychain.policy.js +326 -0
package/src/verax/core/security/vuln.scan.js +265 -0
package/src/verax/core/truth/truth.certificate.js +250 -0
package/src/verax/core/ui-feedback-intelligence.js +515 -0
package/src/verax/detect/confidence-engine.js +628 -40
package/src/verax/detect/confidence-helper.js +33 -0
package/src/verax/detect/detection-engine.js +18 -1
package/src/verax/detect/dynamic-route-findings.js +335 -0
package/src/verax/detect/expectation-chain-detector.js +417 -0
package/src/verax/detect/expectation-model.js +3 -1
package/src/verax/detect/findings-writer.js +141 -5
package/src/verax/detect/index.js +229 -5
package/src/verax/detect/journey-stall-detector.js +558 -0
package/src/verax/detect/route-findings.js +218 -0
package/src/verax/detect/ui-feedback-findings.js +207 -0
package/src/verax/detect/verdict-engine.js +57 -3
package/src/verax/detect/view-switch-correlator.js +242 -0
package/src/verax/index.js +413 -45
package/src/verax/learn/action-contract-extractor.js +682 -64
package/src/verax/learn/route-validator.js +4 -1
package/src/verax/observe/index.js +88 -843
package/src/verax/observe/interaction-runner.js +25 -8
package/src/verax/observe/observe-context.js +205 -0
package/src/verax/observe/observe-helpers.js +191 -0
package/src/verax/observe/observe-runner.js +226 -0
package/src/verax/observe/observers/budget-observer.js +185 -0
package/src/verax/observe/observers/console-observer.js +102 -0
package/src/verax/observe/observers/coverage-observer.js +107 -0
package/src/verax/observe/observers/interaction-observer.js +471 -0
package/src/verax/observe/observers/navigation-observer.js +132 -0
package/src/verax/observe/observers/network-observer.js +87 -0
package/src/verax/observe/observers/safety-observer.js +82 -0
package/src/verax/observe/observers/ui-feedback-observer.js +99 -0
package/src/verax/observe/ui-feedback-detector.js +742 -0
package/src/verax/observe/ui-signal-sensor.js +148 -2
package/src/verax/scan-summary-writer.js +42 -8
package/src/verax/shared/artifact-manager.js +8 -5
package/src/verax/shared/css-spinner-rules.js +204 -0
package/src/verax/shared/view-switch-rules.js +208 -0

package/src/verax/index.js CHANGED Viewed

@@ -9,8 +9,29 @@ import SilenceTracker from './core/silence-model.js';
 import { generateRunId, getRunArtifactDir, getArtifactPath } from './core/run-id.js';
 import { createRunManifest, updateRunManifestHashes } from './core/run-manifest.js';
 import { computeArtifactHashes } from './core/run-id.js';
+import { FailureLedger } from './core/failures/failure.ledger.js';
+import { errorToFailure, createIOFailure, createInternalFailure } from './core/failures/failure.factory.js';
+import { FAILURE_CODE, EXECUTION_PHASE } from './core/failures/failure.types.js';
+import { createPerformanceMonitor } from './core/perf/perf.monitor.js';
+import { generatePerformanceReport, writePerformanceReport } from './core/perf/perf.report.js';
+import { recordPerformanceViolations } from './core/perf/perf.enforcer.js';
+import { PipelineTracker, PIPELINE_STAGES } from './core/pipeline-tracker.js';
+import { verifyRun } from './core/artifacts/verifier.js';
+import { getArtifactVersions } from './core/artifacts/registry.js';
 export async function scan(projectDir, url, manifestPath = null, scanBudgetOverride = null, safetyFlags = {}) {
+  // PHASE 21.5: Initialize failure ledger (runId will be set after learn)
+  const scanBudget = scanBudgetOverride || createScanBudgetWithProfile();
+  const failureLedger = new FailureLedger(null, projectDir);
+  // PHASE 21.9: Initialize performance monitor
+  const perfMonitor = createPerformanceMonitor();
+  perfMonitor.startPhase('LEARN');
+  // ARCHITECTURAL HARDENING: Initialize pipeline tracker early (before runId is known)
+  // We'll set runId on the tracker once it's generated
+  let pipelineTracker = null;
   // If manifestPath is provided, read it first before learn() overwrites it
   let loadedManifest = null;
   if (manifestPath) {
@@ -19,26 +40,62 @@ export async function scan(projectDir, url, manifestPath = null, scanBudgetOverr
       const manifestContent = JSON.parse(readFileSync(manifestPath, 'utf-8'));
       loadedManifest = manifestContent;
     } catch (e) {
-      // Fall through to learn if we can't read the manifest
+      // PHASE 21.5: Record I/O failure
+      const failure = createIOFailure(
+        FAILURE_CODE.IO_READ_FAILED,
+        `Failed to read manifest: ${e.message}`,
+        'scan',
+        { manifestPath, error: e.message },
+        true // Recoverable - will fall through to learn
+      );
+      failureLedger.record(failure);
     }
   }
+  // ARCHITECTURAL HARDENING: Track LEARN stage
+  // Note: We can't track LEARN yet because we don't have runId, but we'll track it retroactively
+  const learnStartTime = Date.now();
   const learnedManifest = await learn(projectDir);
+  const learnEndTime = Date.now();
+  perfMonitor.endPhase('LEARN');
-  // Merge: prefer loaded manifest for routes, but use learned for project type and truth
+  // ARCHITECTURAL HARDENING: Explicit manifest merging with deterministic precedence
+  // Rule: Loaded manifest routes take precedence, but learned manifest provides truth and project type
   let manifest;
   if (loadedManifest) {
+    // Explicit merge: loaded manifest routes override learned, but learned provides truth
     manifest = {
       ...learnedManifest,
+      // Routes from loaded manifest (if present) override learned routes
+      publicRoutes: loadedManifest.publicRoutes || learnedManifest.publicRoutes || [],
+      routes: loadedManifest.routes || learnedManifest.routes || [],
+      internalRoutes: loadedManifest.internalRoutes || learnedManifest.internalRoutes || [],
+      staticExpectations: loadedManifest.staticExpectations || learnedManifest.staticExpectations || [],
+      // Project type: prefer loaded, fallback to learned
       projectType: loadedManifest.projectType || learnedManifest.projectType,
-      publicRoutes: loadedManifest.publicRoutes || learnedManifest.publicRoutes,
-      routes: loadedManifest.routes || learnedManifest.routes,
-      internalRoutes: loadedManifest.internalRoutes || learnedManifest.internalRoutes,
-      staticExpectations: loadedManifest.staticExpectations || learnedManifest.staticExpectations,
-      manifestPath: manifestPath
+      // Always preserve learned truth (this is the source of truth)
+      learnTruth: learnedManifest.learnTruth || {},
+      // Track manifest source for auditability
+      manifestSource: 'merged',
+      manifestPath: manifestPath,
+      mergeMetadata: {
+        loadedManifestProvided: true,
+        learnedManifestProvided: true,
+        routesSource: loadedManifest.routes ? 'loaded' : 'learned',
+        projectTypeSource: loadedManifest.projectType ? 'loaded' : 'learned'
+      }
     };
   } else {
-    manifest = learnedManifest;
+    manifest = {
+      ...learnedManifest,
+      manifestSource: 'learned',
+      mergeMetadata: {
+        loadedManifestProvided: false,
+        learnedManifestProvided: true,
+        routesSource: 'learned',
+        projectTypeSource: 'learned'
+      }
+    };
   }
   if (!url) {
@@ -53,18 +110,8 @@ export async function scan(projectDir, url, manifestPath = null, scanBudgetOverr
     manifestPath: manifest.manifestPath
   };
-  let validation = await validateRoutes(manifestForValidation, url);
-  if (!validation) {
-    // validateRoutes might return null if routes cannot be validated
-    validation = {
-      routesValidated: 0,
-      routesReachable: 0,
-      routesUnreachable: 0,
-      details: [],
-      warnings: []
-    };
-  }
+  // ARCHITECTURAL HARDENING: validateRoutes now always returns explicit validation object
+  const validation = await validateRoutes(manifestForValidation, url);
   if (validation.warnings && validation.warnings.length > 0) {
     if (!manifest.learnTruth.warnings) {
       manifest.learnTruth.warnings = [];
@@ -72,9 +119,6 @@ export async function scan(projectDir, url, manifestPath = null, scanBudgetOverr
     manifest.learnTruth.warnings.push(...validation.warnings);
   }
-  // Use budget profile if no override provided
-  const scanBudget = scanBudgetOverride || createScanBudgetWithProfile();
   // PHASE 5: Generate deterministic runId and create run manifest
   const { getBaseOrigin } = await import('./observe/domain-boundary.js');
   const baseOrigin = getBaseOrigin(url);
@@ -86,6 +130,41 @@ export async function scan(projectDir, url, manifestPath = null, scanBudgetOverr
     manifestPath
   });
+  // PHASE 21.5: Set runId in failure ledger
+  failureLedger.runId = runId;
+  // ARCHITECTURAL HARDENING: Initialize pipeline tracker now that we have runId
+  // PHASE 25: Pass runFingerprint params to PipelineTracker
+  const runFingerprintParams = url ? {
+    url,
+    projectDir,
+    manifestPath: null,
+    fixtureId: null
+  } : null;
+  pipelineTracker = new PipelineTracker(projectDir, runId, runFingerprintParams);
+  // Record LEARN stage retroactively (it completed before we had runId)
+  try {
+    pipelineTracker.stages[PIPELINE_STAGES.LEARN] = {
+      name: PIPELINE_STAGES.LEARN,
+      startedAt: new Date(learnStartTime).toISOString(),
+      completedAt: new Date(learnEndTime).toISOString(),
+      durationMs: learnEndTime - learnStartTime,
+      status: 'COMPLETE'
+    };
+    pipelineTracker.completedStages.push(PIPELINE_STAGES.LEARN);
+    pipelineTracker._writeMeta();
+  } catch (error) {
+    const failure = createInternalFailure(
+      FAILURE_CODE.INTERNAL_UNEXPECTED_ERROR,
+      `Failed to record LEARN stage: ${error.message}`,
+      'scan',
+      { error: error.message },
+      error.stack
+    );
+    failureLedger.record(failure);
+  }
   // Create run manifest at start of execution
   const runManifest = createRunManifest(projectDir, runId, {
     url,
@@ -97,15 +176,61 @@ export async function scan(projectDir, url, manifestPath = null, scanBudgetOverr
   });
   const usedManifestPath = manifestPath || manifest.manifestPath;
-  const observation = await observe(url, usedManifestPath, scanBudget, safetyFlags, projectDir, runId);
+  // ARCHITECTURAL HARDENING: Track OBSERVE stage
+  pipelineTracker.startStage(PIPELINE_STAGES.OBSERVE);
+  perfMonitor.startPhase('OBSERVE');
+  let observation;
+  try {
+    observation = await observe(url, usedManifestPath, scanBudget, safetyFlags, projectDir, runId);
+    perfMonitor.endPhase('OBSERVE');
+    pipelineTracker.completeStage(PIPELINE_STAGES.OBSERVE, {
+      pagesVisited: observation.observeTruth?.pagesVisited || 0,
+      interactionsExecuted: observation.observeTruth?.interactionsExecuted || 0
+    });
+  } catch (error) {
+    perfMonitor.endPhase('OBSERVE');
+    pipelineTracker.failStage(PIPELINE_STAGES.OBSERVE, error);
+    const failure = errorToFailure(
+      error,
+      FAILURE_CODE.OBSERVE_EXECUTION_FAILED,
+      'OBSERVE',
+      EXECUTION_PHASE.OBSERVE,
+      'observe',
+      { manifestPath: usedManifestPath }
+    );
+    failureLedger.record(failure);
+    throw error;
+  }
+  // Update performance monitor with observed metrics
+  if (observation.observeTruth) {
+    const pagesVisited = observation.observeTruth.pagesVisited || 0;
+    const interactionsExecuted = observation.observeTruth.interactionsExecuted || observation.observeTruth.candidatesSelected || 0;
+    for (let i = 0; i < pagesVisited; i++) {
+      perfMonitor.incrementPages();
+    }
+    for (let i = 0; i < interactionsExecuted; i++) {
+      perfMonitor.incrementInteractions();
+    }
+  }
   // Write a copy of the manifest into canonical run directory for replay integrity
   try {
     const { writeFileSync } = await import('fs');
     const manifestCopyPath = getArtifactPath(projectDir, runId, 'manifest.json');
     writeFileSync(manifestCopyPath, JSON.stringify(manifest, null, 2));
-  } catch {
-    // Ignore write errors
+  } catch (error) {
+    // PHASE 21.5: Record I/O failure (WARNING - recoverable)
+    const failure = createIOFailure(
+      FAILURE_CODE.IO_WRITE_FAILED,
+      `Failed to write manifest copy: ${error.message}`,
+      'scan',
+      { manifestPath, error: error.message },
+      true
+    );
+    failureLedger.record(failure);
   }
   // Create silence tracker from observation silences
@@ -114,27 +239,69 @@ export async function scan(projectDir, url, manifestPath = null, scanBudgetOverr
     silenceTracker.recordBatch(observation.silences.entries);
   }
-  const findings = await detect(usedManifestPath, observation.tracesPath, validation, observation.expectationCoverageGaps || [], silenceTracker);
+  // ARCHITECTURAL HARDENING: Track DETECT stage
+  pipelineTracker.startStage(PIPELINE_STAGES.DETECT);
+  perfMonitor.startPhase('DETECT');
+  let findings;
+  try {
+    findings = await detect(usedManifestPath, observation.tracesPath, validation, observation.expectationCoverageGaps || [], silenceTracker);
+    perfMonitor.endPhase('DETECT');
+    pipelineTracker.completeStage(PIPELINE_STAGES.DETECT, {
+      findingsCount: findings.findings?.length || 0,
+      coverageGapsCount: findings.coverageGaps?.length || 0
+    });
+  } catch (error) {
+    perfMonitor.endPhase('DETECT');
+    pipelineTracker.failStage(PIPELINE_STAGES.DETECT, error);
+    const failure = errorToFailure(
+      error,
+      FAILURE_CODE.DETECT_FINDING_PROCESSING_FAILED,
+      'DETECT',
+      EXECUTION_PHASE.DETECT,
+      'detect',
+      { manifestPath: usedManifestPath }
+    );
+    failureLedger.record(failure);
+    throw error; // Re-throw BLOCKING failures
+  }
   const learnTruthWithValidation = {
     ...manifest.learnTruth,
     validation: validation
   };
+  // ARCHITECTURAL HARDENING: Track WRITE stage
+  pipelineTracker.startStage(PIPELINE_STAGES.WRITE);
   const runDir = getRunArtifactDir(projectDir, runId);
-  const scanSummary = writeScanSummary(
-    projectDir,
-    url,
-    manifest.projectType,
-    learnTruthWithValidation,
-    observation.observeTruth,
-    findings.detectTruth,
-    manifest.manifestPath,
-    observation.tracesPath,
-    findings.findingsPath,
-    runDir,
-    findings.findings // PHASE 7: Pass findings array for decision snapshot
-  );
+  let scanSummary;
+  try {
+    scanSummary = await writeScanSummary(
+      projectDir,
+      url,
+      manifest.projectType,
+      learnTruthWithValidation,
+      observation.observeTruth,
+      findings.detectTruth,
+      manifest.manifestPath,
+      observation.tracesPath,
+      findings.findingsPath,
+      runDir,
+      findings.findings // PHASE 7: Pass findings array for decision snapshot
+    );
+    pipelineTracker.completeStage(PIPELINE_STAGES.WRITE);
+  } catch (error) {
+    pipelineTracker.failStage(PIPELINE_STAGES.WRITE, error);
+    const failure = errorToFailure(
+      error,
+      FAILURE_CODE.IO_WRITE_FAILED,
+      'WRITE',
+      EXECUTION_PHASE.WRITE,
+      'writeScanSummary',
+      { runDir }
+    );
+    failureLedger.record(failure);
+    throw error;
+  }
   // Compute observation summary from scan results (not a verdict)
   // Pass observation object (which includes traces) to observation engine
@@ -163,9 +330,204 @@ export async function scan(projectDir, url, manifestPath = null, scanBudgetOverr
   );
   observationSummary.evidenceIndexPath = evidenceIndexPath;
-  // PHASE 5: Compute artifact hashes and update run manifest
-  const artifactHashes = computeArtifactHashes(projectDir, runId);
-  updateRunManifestHashes(projectDir, runId, artifactHashes);
+  // PHASE 21.4: Write policy artifacts
+  try {
+    const { writeFileSync } = await import('fs');
+    const { loadGuardrailsPolicy, getPolicyReport: getGuardrailsPolicyReport } = await import('./core/guardrails/policy.loader.js');
+    const { loadConfidencePolicy, getPolicyReport: getConfidencePolicyReport } = await import('./core/confidence/confidence.loader.js');
+    const guardrailsPolicy = loadGuardrailsPolicy();
+    const confidencePolicy = loadConfidencePolicy();
+    const guardrailsPolicyPath = getArtifactPath(projectDir, failureLedger.runId, 'guardrails.policy.json');
+    const confidencePolicyPath = getArtifactPath(projectDir, failureLedger.runId, 'confidence.policy.json');
+    writeFileSync(guardrailsPolicyPath, JSON.stringify({
+      ...getGuardrailsPolicyReport(guardrailsPolicy),
+      rules: guardrailsPolicy.rules.map(r => ({
+        id: r.id,
+        category: r.category,
+        action: r.action,
+        mandatory: r.mandatory
+      }))
+    }, null, 2));
+    writeFileSync(confidencePolicyPath, JSON.stringify(getConfidencePolicyReport(confidencePolicy), null, 2));
+  } catch (error) {
+    // PHASE 21.5: Record I/O failure (WARNING - recoverable)
+    const failure = createIOFailure(
+      FAILURE_CODE.IO_WRITE_FAILED,
+      `Failed to write policy artifacts: ${error.message}`,
+      'scan',
+      { error: error.message },
+      true
+    );
+    failureLedger.record(failure);
+  }
+  // ARCHITECTURAL HARDENING: Write failure ledger with fallback to run.status.json
+  let ledgerPath;
+  try {
+    ledgerPath = failureLedger.write();
+  } catch (error) {
+    // If ledger write fails, write fallback entry to run.status.json
+    const failure = createInternalFailure(
+      FAILURE_CODE.INTERNAL_UNEXPECTED_ERROR,
+      `Failed to write failure ledger: ${error.message}`,
+      'scan',
+      { error: error.message },
+      error.stack
+    );
+    failureLedger.record(failure);
+    // Write fallback failure entry to run.status.json
+    try {
+      const { writeFileSync, readFileSync } = await import('fs');
+      const runStatusPath = getArtifactPath(projectDir, runId, 'run.status.json');
+      let runStatus = { status: 'FAILED', failures: [] };
+      try {
+        const existing = readFileSync(runStatusPath, 'utf-8');
+        runStatus = JSON.parse(existing);
+      } catch {
+        // File doesn't exist or is invalid, use defaults
+      }
+      runStatus.failures = runStatus.failures || [];
+      runStatus.failures.push({
+        code: FAILURE_CODE.INTERNAL_UNEXPECTED_ERROR,
+        message: `Failed to write failure ledger: ${error.message}`,
+        timestamp: new Date().toISOString(),
+        recoverable: false
+      });
+      runStatus.ledgerWriteFailed = true;
+      runStatus.ledgerWriteError = error.message;
+      writeFileSync(runStatusPath, JSON.stringify(runStatus, null, 2) + '\n', 'utf-8');
+    } catch (fallbackError) {
+      // Even fallback write failed - log only
+      console.error('CRITICAL: Failed to write failure ledger and fallback:', error.message, fallbackError.message);
+    }
+  }
+  // PHASE 21.9: Generate and write performance report
+  try {
+    perfMonitor.stop();
+    const monitorReport = perfMonitor.getFinalReport();
+    const profileName = process.env.VERAX_BUDGET_PROFILE || 'STANDARD';
+    const perfReport = generatePerformanceReport(projectDir, runId, monitorReport, profileName);
+    writePerformanceReport(projectDir, runId, perfReport);
+    // Record performance violations in failure ledger
+    recordPerformanceViolations(projectDir, runId, failureLedger);
+  } catch (error) {
+    // Record performance report failure (WARNING - recoverable)
+    const failure = createIOFailure(
+      FAILURE_CODE.IO_WRITE_FAILED,
+      `Failed to write performance report: ${error.message}`,
+      'scan',
+      { error: error.message },
+      true
+    );
+    failureLedger.record(failure);
+  }
+  // ARCHITECTURAL HARDENING: Track VERIFY stage
+  pipelineTracker.startStage(PIPELINE_STAGES.VERIFY);
+  let verification = null;
+  try {
+    const artifactVersions = getArtifactVersions();
+    verification = verifyRun(runDir, artifactVersions);
+    pipelineTracker.completeStage(PIPELINE_STAGES.VERIFY, {
+      ok: verification.ok,
+      errorsCount: verification.errors.length,
+      warningsCount: verification.warnings.length
+    });
+  } catch (error) {
+    pipelineTracker.failStage(PIPELINE_STAGES.VERIFY, error);
+    const failure = errorToFailure(
+      error,
+      FAILURE_CODE.VERIFICATION_FAILED,
+      'VERIFY',
+      EXECUTION_PHASE.VERIFY,
+      'verifyRun',
+      { runDir }
+    );
+    failureLedger.record(failure);
+    // Verification failure is not blocking, but we record it
+    verification = {
+      ok: false,
+      errors: [error.message],
+      warnings: [],
+      verifiedAt: new Date().toISOString()
+    };
+  }
+  // ARCHITECTURAL HARDENING: Track VERDICT stage (only after verification completes)
+  pipelineTracker.startStage(PIPELINE_STAGES.VERDICT);
+  try {
+    // PHASE 5: Compute artifact hashes and update run manifest
+    const artifactHashes = computeArtifactHashes(projectDir, runId);
+    updateRunManifestHashes(projectDir, runId, artifactHashes);
+    // Verdict computation (determinism and evidence law checks)
+    let determinismVerdict = null;
+    let evidenceLawViolated = false;
+    try {
+      const decisionsPath = getArtifactPath(projectDir, runId, 'decisions.json');
+      const { readFileSync, existsSync } = await import('fs');
+      if (existsSync(decisionsPath)) {
+        const decisions = JSON.parse(readFileSync(decisionsPath, 'utf-8'));
+        const { DecisionRecorder } = await import('./core/determinism-model.js');
+        const recorder = DecisionRecorder.fromExport(decisions);
+        const { computeDeterminismVerdict } = await import('./core/determinism/contract.js');
+        const verdict = computeDeterminismVerdict(recorder);
+        determinismVerdict = verdict.verdict;
+      }
+      // Check for Evidence Law violations (incomplete evidence with CONFIRMED findings)
+      if (findings.findings) {
+        for (const finding of findings.findings) {
+          if ((finding.severity === 'CONFIRMED' || finding.status === 'CONFIRMED') &&
+              finding.evidencePackage && !finding.evidencePackage.isComplete) {
+            evidenceLawViolated = true;
+            break;
+          }
+        }
+      }
+    } catch (error) {
+      // Record failure but don't block
+      const failure = createInternalFailure(
+        FAILURE_CODE.INTERNAL_UNEXPECTED_ERROR,
+        `Failed to compute determinism verdict: ${error.message}`,
+        'scan',
+        { error: error.message },
+        error.stack
+      );
+      failureLedger.record(failure);
+    }
+    pipelineTracker.completeStage(PIPELINE_STAGES.VERDICT, {
+      determinismVerdict,
+      evidenceLawViolated,
+      verificationOk: verification?.ok || false
+    });
+  } catch (error) {
+    pipelineTracker.failStage(PIPELINE_STAGES.VERDICT, error);
+    const failure = errorToFailure(
+      error,
+      FAILURE_CODE.VERDICT_COMPUTATION_FAILED,
+      'VERDICT',
+      EXECUTION_PHASE.VERDICT,
+      'computeVerdict',
+      {}
+    );
+    failureLedger.record(failure);
+    throw error;
+  }
+  // Extract verdict data from pipeline tracker
+  const verdictStage = pipelineTracker.getStage(PIPELINE_STAGES.VERDICT);
+  const determinismVerdict = verdictStage?.determinismVerdict || null;
+  const evidenceLawViolated = verdictStage?.evidenceLawViolated || false;
   return {
     manifest,
@@ -175,8 +537,14 @@ export async function scan(projectDir, url, manifestPath = null, scanBudgetOverr
     validation,
     coverageGaps: findings.coverageGaps || [],
     observationSummary,
-    runId,
-    runManifest
+    runId: failureLedger.runId,
+    runManifest,
+    failureLedger: failureLedger.export(),
+    ledgerPath,
+    determinismVerdict,
+    evidenceLawViolated,
+    verification,
+    pipelineStages: pipelineTracker.getAllStages()
   };
 }