npm - @veraxhq/verax - Versions diffs - 0.2.1 → 0.4.0 - Mend

@veraxhq/verax 0.2.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (213) hide show

package/README.md +10 -6
package/bin/verax.js +11 -11
package/package.json +29 -8
package/src/cli/commands/baseline.js +103 -0
package/src/cli/commands/default.js +51 -6
package/src/cli/commands/doctor.js +29 -0
package/src/cli/commands/ga.js +246 -0
package/src/cli/commands/gates.js +95 -0
package/src/cli/commands/inspect.js +4 -2
package/src/cli/commands/release-check.js +215 -0
package/src/cli/commands/run.js +45 -6
package/src/cli/commands/security-check.js +212 -0
package/src/cli/commands/truth.js +113 -0
package/src/cli/entry.js +30 -20
package/src/cli/util/angular-component-extractor.js +179 -0
package/src/cli/util/angular-navigation-detector.js +141 -0
package/src/cli/util/angular-network-detector.js +161 -0
package/src/cli/util/angular-state-detector.js +162 -0
package/src/cli/util/ast-interactive-detector.js +544 -0
package/src/cli/util/ast-network-detector.js +603 -0
package/src/cli/util/ast-promise-extractor.js +581 -0
package/src/cli/util/ast-usestate-detector.js +602 -0
package/src/cli/util/atomic-write.js +12 -1
package/src/cli/util/bootstrap-guard.js +86 -0
package/src/cli/util/console-reporter.js +72 -0
package/src/cli/util/detection-engine.js +105 -41
package/src/cli/util/determinism-runner.js +124 -0
package/src/cli/util/determinism-writer.js +129 -0
package/src/cli/util/digest-engine.js +359 -0
package/src/cli/util/dom-diff.js +226 -0
package/src/cli/util/evidence-engine.js +287 -0
package/src/cli/util/expectation-extractor.js +151 -5
package/src/cli/util/findings-writer.js +3 -0
package/src/cli/util/framework-detector.js +572 -0
package/src/cli/util/idgen.js +1 -1
package/src/cli/util/interaction-planner.js +529 -0
package/src/cli/util/learn-writer.js +2 -0
package/src/cli/util/ledger-writer.js +110 -0
package/src/cli/util/monorepo-resolver.js +162 -0
package/src/cli/util/observation-engine.js +127 -278
package/src/cli/util/observe-writer.js +2 -0
package/src/cli/util/project-discovery.js +284 -0
package/src/cli/util/project-writer.js +2 -0
package/src/cli/util/run-id.js +23 -27
package/src/cli/util/run-resolver.js +64 -0
package/src/cli/util/run-result.js +778 -0
package/src/cli/util/selector-resolver.js +235 -0
package/src/cli/util/source-requirement.js +55 -0
package/src/cli/util/summary-writer.js +2 -0
package/src/cli/util/svelte-navigation-detector.js +163 -0
package/src/cli/util/svelte-network-detector.js +80 -0
package/src/cli/util/svelte-sfc-extractor.js +146 -0
package/src/cli/util/svelte-state-detector.js +242 -0
package/src/cli/util/trust-activation-integration.js +496 -0
package/src/cli/util/trust-activation-wrapper.js +85 -0
package/src/cli/util/trust-integration-hooks.js +164 -0
package/src/cli/util/types.js +153 -0
package/src/cli/util/url-validation.js +40 -0
package/src/cli/util/vue-navigation-detector.js +178 -0
package/src/cli/util/vue-sfc-extractor.js +161 -0
package/src/cli/util/vue-state-detector.js +215 -0
package/src/types/fs-augment.d.ts +23 -0
package/src/types/global.d.ts +137 -0
package/src/types/internal-types.d.ts +35 -0
package/src/verax/cli/init.js +4 -18
package/src/verax/core/action-classifier.js +4 -3
package/src/verax/core/artifacts/registry.js +139 -0
package/src/verax/core/artifacts/verifier.js +990 -0
package/src/verax/core/baseline/baseline.enforcer.js +137 -0
package/src/verax/core/baseline/baseline.snapshot.js +233 -0
package/src/verax/core/capabilities/gates.js +505 -0
package/src/verax/core/capabilities/registry.js +475 -0
package/src/verax/core/confidence/confidence-compute.js +144 -0
package/src/verax/core/confidence/confidence-invariants.js +234 -0
package/src/verax/core/confidence/confidence-report-writer.js +112 -0
package/src/verax/core/confidence/confidence-weights.js +44 -0
package/src/verax/core/confidence/confidence.defaults.js +65 -0
package/src/verax/core/confidence/confidence.loader.js +80 -0
package/src/verax/core/confidence/confidence.schema.js +94 -0
package/src/verax/core/confidence-engine-refactor.js +489 -0
package/src/verax/core/confidence-engine.js +625 -0
package/src/verax/core/contracts/index.js +29 -0
package/src/verax/core/contracts/types.js +186 -0
package/src/verax/core/contracts/validators.js +456 -0
package/src/verax/core/decisions/decision.trace.js +278 -0
package/src/verax/core/determinism/contract-writer.js +89 -0
package/src/verax/core/determinism/contract.js +139 -0
package/src/verax/core/determinism/diff.js +405 -0
package/src/verax/core/determinism/engine.js +222 -0
package/src/verax/core/determinism/finding-identity.js +149 -0
package/src/verax/core/determinism/normalize.js +466 -0
package/src/verax/core/determinism/report-writer.js +93 -0
package/src/verax/core/determinism/run-fingerprint.js +123 -0
package/src/verax/core/dynamic-route-intelligence.js +529 -0
package/src/verax/core/evidence/evidence-capture-service.js +308 -0
package/src/verax/core/evidence/evidence-intent-ledger.js +166 -0
package/src/verax/core/evidence-builder.js +487 -0
package/src/verax/core/execution-mode-context.js +77 -0
package/src/verax/core/execution-mode-detector.js +192 -0
package/src/verax/core/failures/exit-codes.js +88 -0
package/src/verax/core/failures/failure-summary.js +76 -0
package/src/verax/core/failures/failure.factory.js +225 -0
package/src/verax/core/failures/failure.ledger.js +133 -0
package/src/verax/core/failures/failure.types.js +196 -0
package/src/verax/core/failures/index.js +10 -0
package/src/verax/core/ga/ga-report-writer.js +43 -0
package/src/verax/core/ga/ga.artifact.js +49 -0
package/src/verax/core/ga/ga.contract.js +435 -0
package/src/verax/core/ga/ga.enforcer.js +87 -0
package/src/verax/core/guardrails/guardrails-report-writer.js +109 -0
package/src/verax/core/guardrails/policy.defaults.js +210 -0
package/src/verax/core/guardrails/policy.loader.js +84 -0
package/src/verax/core/guardrails/policy.schema.js +110 -0
package/src/verax/core/guardrails/truth-reconciliation.js +136 -0
package/src/verax/core/guardrails-engine.js +505 -0
package/src/verax/core/incremental-store.js +1 -0
package/src/verax/core/integrity/budget.js +138 -0
package/src/verax/core/integrity/determinism.js +342 -0
package/src/verax/core/integrity/integrity.js +208 -0
package/src/verax/core/integrity/poisoning.js +108 -0
package/src/verax/core/integrity/transaction.js +140 -0
package/src/verax/core/observe/run-timeline.js +318 -0
package/src/verax/core/perf/perf.contract.js +186 -0
package/src/verax/core/perf/perf.display.js +65 -0
package/src/verax/core/perf/perf.enforcer.js +91 -0
package/src/verax/core/perf/perf.monitor.js +209 -0
package/src/verax/core/perf/perf.report.js +200 -0
package/src/verax/core/pipeline-tracker.js +243 -0
package/src/verax/core/product-definition.js +127 -0
package/src/verax/core/release/provenance.builder.js +130 -0
package/src/verax/core/release/release-report-writer.js +40 -0
package/src/verax/core/release/release.enforcer.js +164 -0
package/src/verax/core/release/reproducibility.check.js +222 -0
package/src/verax/core/release/sbom.builder.js +292 -0
package/src/verax/core/replay-validator.js +2 -0
package/src/verax/core/replay.js +4 -0
package/src/verax/core/report/cross-index.js +195 -0
package/src/verax/core/report/human-summary.js +362 -0
package/src/verax/core/route-intelligence.js +420 -0
package/src/verax/core/run-id.js +6 -3
package/src/verax/core/run-manifest.js +4 -3
package/src/verax/core/security/secrets.scan.js +329 -0
package/src/verax/core/security/security-report.js +50 -0
package/src/verax/core/security/security.enforcer.js +128 -0
package/src/verax/core/security/supplychain.defaults.json +38 -0
package/src/verax/core/security/supplychain.policy.js +334 -0
package/src/verax/core/security/vuln.scan.js +265 -0
package/src/verax/core/truth/truth.certificate.js +252 -0
package/src/verax/core/ui-feedback-intelligence.js +481 -0
package/src/verax/detect/conditional-ui-silent-failure.js +84 -0
package/src/verax/detect/confidence-engine.js +62 -34
package/src/verax/detect/confidence-helper.js +34 -0
package/src/verax/detect/dynamic-route-findings.js +338 -0
package/src/verax/detect/expectation-chain-detector.js +417 -0
package/src/verax/detect/expectation-model.js +2 -2
package/src/verax/detect/failure-cause-inference.js +293 -0
package/src/verax/detect/findings-writer.js +131 -35
package/src/verax/detect/flow-detector.js +2 -2
package/src/verax/detect/form-silent-failure.js +98 -0
package/src/verax/detect/index.js +46 -5
package/src/verax/detect/invariants-enforcer.js +147 -0
package/src/verax/detect/journey-stall-detector.js +558 -0
package/src/verax/detect/navigation-silent-failure.js +82 -0
package/src/verax/detect/problem-aggregator.js +361 -0
package/src/verax/detect/route-findings.js +219 -0
package/src/verax/detect/summary-writer.js +477 -0
package/src/verax/detect/test-failure-cause-inference.js +314 -0
package/src/verax/detect/ui-feedback-findings.js +207 -0
package/src/verax/detect/view-switch-correlator.js +242 -0
package/src/verax/flow/flow-engine.js +2 -1
package/src/verax/flow/flow-spec.js +0 -6
package/src/verax/index.js +4 -0
package/src/verax/intel/ts-program.js +1 -0
package/src/verax/intel/vue-navigation-extractor.js +3 -0
package/src/verax/learn/action-contract-extractor.js +3 -0
package/src/verax/learn/ast-contract-extractor.js +1 -1
package/src/verax/learn/flow-extractor.js +1 -0
package/src/verax/learn/project-detector.js +5 -0
package/src/verax/learn/react-router-extractor.js +2 -0
package/src/verax/learn/source-instrumenter.js +1 -0
package/src/verax/learn/state-extractor.js +2 -1
package/src/verax/learn/static-extractor.js +1 -0
package/src/verax/observe/coverage-gaps.js +132 -0
package/src/verax/observe/expectation-handler.js +126 -0
package/src/verax/observe/incremental-skip.js +46 -0
package/src/verax/observe/index.js +51 -155
package/src/verax/observe/interaction-executor.js +192 -0
package/src/verax/observe/interaction-runner.js +782 -513
package/src/verax/observe/network-firewall.js +86 -0
package/src/verax/observe/observation-builder.js +169 -0
package/src/verax/observe/observe-context.js +205 -0
package/src/verax/observe/observe-helpers.js +192 -0
package/src/verax/observe/observe-runner.js +230 -0
package/src/verax/observe/observers/budget-observer.js +185 -0
package/src/verax/observe/observers/console-observer.js +102 -0
package/src/verax/observe/observers/coverage-observer.js +107 -0
package/src/verax/observe/observers/interaction-observer.js +471 -0
package/src/verax/observe/observers/navigation-observer.js +132 -0
package/src/verax/observe/observers/network-observer.js +87 -0
package/src/verax/observe/observers/safety-observer.js +82 -0
package/src/verax/observe/observers/ui-feedback-observer.js +99 -0
package/src/verax/observe/page-traversal.js +138 -0
package/src/verax/observe/snapshot-ops.js +94 -0
package/src/verax/observe/ui-feedback-detector.js +742 -0
package/src/verax/scan-summary-writer.js +2 -0
package/src/verax/shared/artifact-manager.js +25 -5
package/src/verax/shared/caching.js +1 -0
package/src/verax/shared/css-spinner-rules.js +204 -0
package/src/verax/shared/expectation-tracker.js +1 -0
package/src/verax/shared/view-switch-rules.js +208 -0
package/src/verax/shared/zip-artifacts.js +6 -0
package/src/verax/shared/config-loader.js +0 -169
/package/src/verax/shared/{expectation-proof.js → expectation-validation.js} +0 -0

package/src/cli/util/evidence-engine.js ADDED Viewed

@@ -0,0 +1,287 @@
+import { writeFileSync, mkdirSync } from 'fs';
+import { resolve } from 'path';
+import { computeDOMDiff, hasFeedbackElements as _hasFeedbackElements, hasValidationErrors as _hasValidationErrors } from './dom-diff.js';
+/**
+ * Evidence Engine
+ * Captures and bundles evidence for each interaction attempt
+ */
+export class EvidenceBundle {
+  constructor(promiseId, expNum, evidencePath) {
+    this.promiseId = promiseId;
+    this.expNum = expNum;
+    this.evidencePath = evidencePath;
+    this.beforeScreenshot = null;
+    this.afterScreenshot = null;
+    this.beforeHTML = null;
+    this.afterHTML = null;
+    this.domDiff = null;
+    this.networkEvents = [];
+    this.networkEventsByTime = new Map(); // For correlation
+    this.consoleErrors = [];
+    this.actionStartTime = null; // When action was executed
+    this.timing = {
+      startedAt: null,
+      endedAt: null,
+    };
+    this.signals = {
+      navigationChanged: false,
+      domChanged: false,
+      feedbackSeen: false,
+      networkActivity: false,
+      consoleErrors: false,
+      meaningfulDomChange: false, // NEW: tracks only meaningful changes
+      correlatedNetworkActivity: false, // NEW: tracks network within action window
+    };
+    this.files = [];
+    this.correlatedRequests = []; // Network requests correlated to this action
+  }
+  /**
+   * Capture before state
+   */
+  async captureBeforeState(page, suffix = '') {
+    try {
+      this.beforeScreenshot = `exp_${this.expNum}_before${suffix}.png`;
+      const screenshotPath = resolve(this.evidencePath, this.beforeScreenshot);
+      await page.screenshot({ path: screenshotPath });
+      this.files.push(this.beforeScreenshot);
+    } catch (e) {
+      this.beforeScreenshot = null;
+    }
+    try {
+      this.beforeHTML = await page.content();
+    } catch (e) {
+      this.beforeHTML = null;
+    }
+  }
+  /**
+   * Capture after state
+   */
+  async captureAfterState(page, suffix = '') {
+    try {
+      this.afterScreenshot = `exp_${this.expNum}_after${suffix}.png`;
+      const screenshotPath = resolve(this.evidencePath, this.afterScreenshot);
+      await page.screenshot({ path: screenshotPath });
+      this.files.push(this.afterScreenshot);
+    } catch (e) {
+      this.afterScreenshot = null;
+    }
+    try {
+      this.afterHTML = await page.content();
+    } catch (e) {
+      this.afterHTML = null;
+    }
+  }
+  /**
+   * Analyze changes between before and after
+   */
+  analyzeChanges(urlBefore, urlAfter) {
+    // Navigation change
+    if (urlBefore && urlAfter && urlBefore !== urlAfter) {
+      this.signals.navigationChanged = true;
+    }
+    // DOM change
+    if (this.beforeHTML && this.afterHTML) {
+      this.domDiff = computeDOMDiff(this.beforeHTML, this.afterHTML);
+      if (this.domDiff.changed) {
+        this.signals.domChanged = true;
+      }
+      // Track meaningful changes separately
+      if (this.domDiff.isMeaningful) {
+        this.signals.meaningfulDomChange = true;
+      }
+      // Check for feedback elements visibility change
+      if (detectNewFeedback(this.beforeHTML, this.afterHTML)) {
+        this.signals.feedbackSeen = true;
+      }
+      // Check for validation error appearance
+      if (detectNewValidationError(this.beforeHTML, this.afterHTML)) {
+        this.signals.feedbackSeen = true;
+      }
+    }
+  }
+  /**
+   * Record network events that occurred during this action
+   */
+  recordNetworkEvent(networkLog) {
+    this.networkEvents.push(networkLog);
+    // Track event time for correlation
+    if (networkLog.startTime) {
+      this.networkEventsByTime.set(networkLog.startTime, networkLog);
+    }
+    if (this.networkEvents.length > 0) {
+      this.signals.networkActivity = true;
+    }
+  }
+  /**
+   * Correlate network events to this action
+   * Captures requests that started within correlation window after action
+   * Window: 0-2500ms after action starts
+   */
+  correlateNetworkRequests() {
+    if (!this.actionStartTime || this.networkEvents.length === 0) {
+      return;
+    }
+    const actionTime = new Date(this.actionStartTime).getTime();
+    const correlationWindow = 2500; // milliseconds
+    for (const event of this.networkEvents) {
+      if (event.startTime) {
+        const eventTime = new Date(event.startTime).getTime();
+        if (eventTime >= actionTime && eventTime <= actionTime + correlationWindow) {
+          this.correlatedRequests.push(event);
+          this.signals.correlatedNetworkActivity = true;
+        }
+      }
+    }
+  }
+  /**
+   * Record console errors
+   */
+  recordConsoleError(error) {
+    this.consoleErrors.push(error);
+    if (this.consoleErrors.length > 0) {
+      this.signals.consoleErrors = true;
+    }
+  }
+  /**
+   * Finalize evidence bundle
+   */
+  finalize(_page) {
+    this.timing.endedAt = new Date().toISOString();
+    // Persist evidence files
+    try {
+      mkdirSync(this.evidencePath, { recursive: true });
+      // Save DOM diff if available
+      if (this.domDiff) {
+        const diffFile = `exp_${this.expNum}_dom_diff.json`;
+        writeFileSync(
+          resolve(this.evidencePath, diffFile),
+          JSON.stringify(this.domDiff, null, 2),
+          'utf-8'
+        );
+        this.files.push(diffFile);
+      }
+      // Save network events if any
+      if (this.networkEvents.length > 0) {
+        const netFile = `exp_${this.expNum}_network.json`;
+        writeFileSync(
+          resolve(this.evidencePath, netFile),
+          JSON.stringify(this.networkEvents, null, 2),
+          'utf-8'
+        );
+        this.files.push(netFile);
+      }
+      // Save console errors if any
+      if (this.consoleErrors.length > 0) {
+        const errFile = `exp_${this.expNum}_console_errors.json`;
+        writeFileSync(
+          resolve(this.evidencePath, errFile),
+          JSON.stringify(this.consoleErrors, null, 2),
+          'utf-8'
+        );
+        this.files.push(errFile);
+      }
+    } catch (e) {
+      // Best effort
+    }
+  }
+  /**
+   * Check if we have meaningful evidence
+   */
+  hasEvidence() {
+    return (
+      this.beforeScreenshot ||
+      this.afterScreenshot ||
+      this.domDiff?.changed ||
+      this.networkEvents.length > 0 ||
+      this.consoleErrors.length > 0 ||
+      Object.values(this.signals).some(v => v === true)
+    );
+  }
+  /**
+   * Summarize signals for observation
+   */
+  getSummary() {
+    return {
+      files: this.files,
+      timing: this.timing,
+      signals: this.signals,
+      hasEvidence: this.hasEvidence(),
+    };
+  }
+}
+/**
+ * Create a bundle for a promise
+ */
+export function createEvidenceBundle(promise, expNum, evidencePath) {
+  return new EvidenceBundle(promise.id, expNum, evidencePath);
+}
+/**
+ * Detect if new feedback elements appeared
+ */
+function detectNewFeedback(htmlBefore, htmlAfter) {
+  const feedbackPatterns = [
+    'role="alert"',
+    'role="status"',
+    'aria-live="polite"',
+    'aria-live="assertive"',
+    'class="toast"',
+    'class="modal"',
+    'class="dialog"',
+  ];
+  for (const pattern of feedbackPatterns) {
+    if (!htmlBefore.includes(pattern) && htmlAfter.includes(pattern)) {
+      return true;
+    }
+  }
+  return false;
+}
+/**
+ * Detect if new validation errors appeared
+ */
+function detectNewValidationError(htmlBefore, htmlAfter) {
+  const errorPatterns = [
+    'aria-invalid="true"',
+    'aria-invalid=\'true\'',
+    'class="error"',
+    'class="invalid"',
+    '[data-error]',
+  ];
+  for (const pattern of errorPatterns) {
+    if (!htmlBefore.includes(pattern) && htmlAfter.includes(pattern)) {
+      return true;
+    }
+  }
+  return false;
+}

package/src/cli/util/expectation-extractor.js CHANGED Viewed

@@ -1,10 +1,12 @@
 import { readdirSync, readFileSync, statSync } from 'fs';
 import { join, relative, resolve } from 'path';
 import { expIdFromHash, compareExpectations } from './idgen.js';
+import { extractPromisesFromAST } from './ast-promise-extractor.js';
 /**
  * Static Expectation Extractor
- * Extracts explicit, static expectations from source files
+ * PHASE H2/M2: AST-based promise extraction
+ * Extracts explicit, static expectations from source files using AST parsing
  */
 export async function extractExpectations(projectProfile, _srcPath) {
@@ -61,7 +63,16 @@ function getScanPaths(projectProfile, sourceRoot) {
   }
   if (framework === 'react-vite' || framework === 'react-cra') {
-    return [resolve(sourceRoot, 'src')];
+    const srcPath = resolve(sourceRoot, 'src');
+    try {
+      if (statSync(srcPath).isDirectory()) {
+        return [srcPath];
+      }
+    } catch (error) {
+      // src doesn't exist - scan root for React files
+    }
+    // Fallback: scan root directory for React files
+    return [sourceRoot];
   }
   if (framework === 'static-html') {
@@ -78,7 +89,7 @@ function getScanPaths(projectProfile, sourceRoot) {
     }
   }
-  // Unknown framework - scan src if it exists
+  // Unknown framework - scan src if it exists, otherwise scan root
   const srcPath = resolve(sourceRoot, 'src');
   try {
     if (statSync(srcPath).isDirectory()) {
@@ -88,7 +99,8 @@ function getScanPaths(projectProfile, sourceRoot) {
     // src doesn't exist
   }
-  return [];
+  // Fallback: scan root directory
+  return [sourceRoot];
 }
 /**
@@ -163,9 +175,15 @@ function scanFile(filePath, sourceRoot, skipped) {
     const relPath = relative(sourceRoot, filePath);
     if (filePath.endsWith('.html')) {
+      // HTML files: Use regex-based extraction (static HTML fallback)
       const htmlExpectations = extractHtmlExpectations(content, filePath, relPath);
       expectations.push(...htmlExpectations);
     } else {
+      // JS/JSX/TS/TSX files: Use AST-based extraction (PHASE H2)
+      const astPromises = extractPromisesFromAST(content, filePath, relPath);
+      expectations.push(...astPromises);
+      // Legacy regex-based extraction (preserved for navigation/network/state)
       const jsExpectations = extractJsExpectations(content, filePath, relPath, skipped);
       expectations.push(...jsExpectations);
     }
@@ -178,11 +196,12 @@ function scanFile(filePath, sourceRoot, skipped) {
 /**
  * Extract expectations from HTML files
+ * PHASE H2: Enhanced with button, form, and validation detection
  */
 function extractHtmlExpectations(content, filePath, relPath) {
   const expectations = [];
-  // Extract <a href="/path"> links
+  // Extract <a href="/path"> links (navigation)
   const hrefRegex = /<a\s+[^>]*href=["']([^"']+)["']/gi;
   let match;
@@ -208,9 +227,136 @@ function extractHtmlExpectations(content, filePath, relPath) {
     }
   }
+  // Extract <button> elements (interaction promise)
+  const buttonRegex = /<button\s+[^>]*>/gi;
+  while ((match = buttonRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const buttonText = extractTextFromTag(content, match.index, 'button');
+    expectations.push({
+      category: 'button',
+      type: 'interaction',
+      promise: {
+        kind: 'click',
+        value: buttonText || 'button click',
+      },
+      source: {
+        file: relPath,
+        line: lineNum,
+        column: match.index - content.lastIndexOf('\n', match.index),
+      },
+      selector: buttonText ? `button:contains("${buttonText}")` : 'button',
+      action: 'click',
+      expectedOutcome: 'ui-change',
+      confidenceHint: 'low',
+    });
+  }
+  // Extract <form> elements (submission promise)
+  const formRegex = /<form\s+[^>]*>/gi;
+  while ((match = formRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const formTag = match[0];
+    // Check for action attribute
+    const actionMatch = /action=["']([^"']+)["']/.exec(formTag);
+    const hasAction = actionMatch && actionMatch[1];
+    expectations.push({
+      category: 'form',
+      type: 'interaction',
+      promise: {
+        kind: 'submit',
+        value: hasAction ? `form submit to ${actionMatch[1]}` : 'form submission',
+      },
+      source: {
+        file: relPath,
+        line: lineNum,
+        column: match.index - content.lastIndexOf('\n', match.index),
+      },
+      selector: hasAction ? `form[action="${actionMatch[1]}"]` : 'form',
+      action: 'submit',
+      expectedOutcome: hasAction ? 'navigation' : 'ui-change',
+      confidenceHint: hasAction ? 'medium' : 'low',
+    });
+  }
+  // Extract required input fields (validation promise)
+  const requiredRegex = /<input\s+[^>]*required[^>]*>/gi;
+  while ((match = requiredRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const inputTag = match[0];
+    // Extract name or id for selector
+    const nameMatch = /name=["']([^"']+)["']/.exec(inputTag);
+    const idMatch = /id=["']([^"']+)["']/.exec(inputTag);
+    const selector = nameMatch ? `input[name="${nameMatch[1]}"]` :
+                     idMatch ? `input#${idMatch[1]}` : 'input[required]';
+    expectations.push({
+      category: 'validation',
+      type: 'feedback',
+      promise: {
+        kind: 'validation',
+        value: 'required field validation',
+      },
+      source: {
+        file: relPath,
+        line: lineNum,
+        column: match.index - content.lastIndexOf('\n', match.index),
+      },
+      selector,
+      action: 'observe',
+      expectedOutcome: 'feedback',
+      confidenceHint: 'medium',
+    });
+  }
+  // Extract aria-live regions (feedback promise)
+  const ariaLiveRegex = /<[^>]+aria-live=["']([^"']+)["'][^>]*>/gi;
+  while ((match = ariaLiveRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    expectations.push({
+      category: 'feedback',
+      type: 'feedback',
+      promise: {
+        kind: 'ui-feedback',
+        value: 'live region update',
+      },
+      source: {
+        file: relPath,
+        line: lineNum,
+        column: match.index - content.lastIndexOf('\n', match.index),
+      },
+      selector: '[aria-live]',
+      action: 'observe',
+      expectedOutcome: 'feedback',
+      confidenceHint: 'medium',
+    });
+  }
   return expectations;
 }
+/**
+ * Extract text content from HTML tag
+ */
+function extractTextFromTag(content, startIndex, tagName) {
+  const closeTagRegex = new RegExp(`</${tagName}>`, 'i');
+  const closeMatch = closeTagRegex.exec(content.substring(startIndex));
+  if (!closeMatch) return '';
+  const endOfOpenTag = content.indexOf('>', startIndex);
+  if (endOfOpenTag === -1) return '';
+  const textContent = content.substring(endOfOpenTag + 1, startIndex + closeMatch.index);
+  // Strip HTML tags and trim
+  return textContent.replace(/<[^>]+>/g, '').trim();
+}
 /**
  * Extract expectations from JavaScript/TypeScript files
  */

package/src/cli/util/findings-writer.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { atomicWriteJson } from './atomic-write.js';
 import { resolve } from 'path';
 import { findingIdFromExpectationId } from './idgen.js';
+import { ARTIFACT_REGISTRY } from '../../verax/core/artifacts/registry.js';
 /**
  * Write findings.json artifact with deterministic IDs
@@ -15,6 +16,7 @@ export function writeFindingsJson(runDir, findingsData) {
   }));
   const payload = {
+    contractVersion: ARTIFACT_REGISTRY.findings.contractVersion,
     findings: findingsWithIds,
     total: findingsData.stats?.total || 0,
     stats: {
@@ -26,6 +28,7 @@ export function writeFindingsJson(runDir, findingsData) {
       informational: findingsData.stats?.informational || 0,
     },
     detectedAt: findingsData.detectedAt || new Date().toISOString(),
+    enforcement: findingsData.enforcement || null,
   };
   atomicWriteJson(findingsPath, payload);