npm - @veraxhq/verax - Versions diffs - 0.2.1 → 0.4.0 - Mend

@veraxhq/verax 0.2.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (213) hide show

package/README.md +10 -6
package/bin/verax.js +11 -11
package/package.json +29 -8
package/src/cli/commands/baseline.js +103 -0
package/src/cli/commands/default.js +51 -6
package/src/cli/commands/doctor.js +29 -0
package/src/cli/commands/ga.js +246 -0
package/src/cli/commands/gates.js +95 -0
package/src/cli/commands/inspect.js +4 -2
package/src/cli/commands/release-check.js +215 -0
package/src/cli/commands/run.js +45 -6
package/src/cli/commands/security-check.js +212 -0
package/src/cli/commands/truth.js +113 -0
package/src/cli/entry.js +30 -20
package/src/cli/util/angular-component-extractor.js +179 -0
package/src/cli/util/angular-navigation-detector.js +141 -0
package/src/cli/util/angular-network-detector.js +161 -0
package/src/cli/util/angular-state-detector.js +162 -0
package/src/cli/util/ast-interactive-detector.js +544 -0
package/src/cli/util/ast-network-detector.js +603 -0
package/src/cli/util/ast-promise-extractor.js +581 -0
package/src/cli/util/ast-usestate-detector.js +602 -0
package/src/cli/util/atomic-write.js +12 -1
package/src/cli/util/bootstrap-guard.js +86 -0
package/src/cli/util/console-reporter.js +72 -0
package/src/cli/util/detection-engine.js +105 -41
package/src/cli/util/determinism-runner.js +124 -0
package/src/cli/util/determinism-writer.js +129 -0
package/src/cli/util/digest-engine.js +359 -0
package/src/cli/util/dom-diff.js +226 -0
package/src/cli/util/evidence-engine.js +287 -0
package/src/cli/util/expectation-extractor.js +151 -5
package/src/cli/util/findings-writer.js +3 -0
package/src/cli/util/framework-detector.js +572 -0
package/src/cli/util/idgen.js +1 -1
package/src/cli/util/interaction-planner.js +529 -0
package/src/cli/util/learn-writer.js +2 -0
package/src/cli/util/ledger-writer.js +110 -0
package/src/cli/util/monorepo-resolver.js +162 -0
package/src/cli/util/observation-engine.js +127 -278
package/src/cli/util/observe-writer.js +2 -0
package/src/cli/util/project-discovery.js +284 -0
package/src/cli/util/project-writer.js +2 -0
package/src/cli/util/run-id.js +23 -27
package/src/cli/util/run-resolver.js +64 -0
package/src/cli/util/run-result.js +778 -0
package/src/cli/util/selector-resolver.js +235 -0
package/src/cli/util/source-requirement.js +55 -0
package/src/cli/util/summary-writer.js +2 -0
package/src/cli/util/svelte-navigation-detector.js +163 -0
package/src/cli/util/svelte-network-detector.js +80 -0
package/src/cli/util/svelte-sfc-extractor.js +146 -0
package/src/cli/util/svelte-state-detector.js +242 -0
package/src/cli/util/trust-activation-integration.js +496 -0
package/src/cli/util/trust-activation-wrapper.js +85 -0
package/src/cli/util/trust-integration-hooks.js +164 -0
package/src/cli/util/types.js +153 -0
package/src/cli/util/url-validation.js +40 -0
package/src/cli/util/vue-navigation-detector.js +178 -0
package/src/cli/util/vue-sfc-extractor.js +161 -0
package/src/cli/util/vue-state-detector.js +215 -0
package/src/types/fs-augment.d.ts +23 -0
package/src/types/global.d.ts +137 -0
package/src/types/internal-types.d.ts +35 -0
package/src/verax/cli/init.js +4 -18
package/src/verax/core/action-classifier.js +4 -3
package/src/verax/core/artifacts/registry.js +139 -0
package/src/verax/core/artifacts/verifier.js +990 -0
package/src/verax/core/baseline/baseline.enforcer.js +137 -0
package/src/verax/core/baseline/baseline.snapshot.js +233 -0
package/src/verax/core/capabilities/gates.js +505 -0
package/src/verax/core/capabilities/registry.js +475 -0
package/src/verax/core/confidence/confidence-compute.js +144 -0
package/src/verax/core/confidence/confidence-invariants.js +234 -0
package/src/verax/core/confidence/confidence-report-writer.js +112 -0
package/src/verax/core/confidence/confidence-weights.js +44 -0
package/src/verax/core/confidence/confidence.defaults.js +65 -0
package/src/verax/core/confidence/confidence.loader.js +80 -0
package/src/verax/core/confidence/confidence.schema.js +94 -0
package/src/verax/core/confidence-engine-refactor.js +489 -0
package/src/verax/core/confidence-engine.js +625 -0
package/src/verax/core/contracts/index.js +29 -0
package/src/verax/core/contracts/types.js +186 -0
package/src/verax/core/contracts/validators.js +456 -0
package/src/verax/core/decisions/decision.trace.js +278 -0
package/src/verax/core/determinism/contract-writer.js +89 -0
package/src/verax/core/determinism/contract.js +139 -0
package/src/verax/core/determinism/diff.js +405 -0
package/src/verax/core/determinism/engine.js +222 -0
package/src/verax/core/determinism/finding-identity.js +149 -0
package/src/verax/core/determinism/normalize.js +466 -0
package/src/verax/core/determinism/report-writer.js +93 -0
package/src/verax/core/determinism/run-fingerprint.js +123 -0
package/src/verax/core/dynamic-route-intelligence.js +529 -0
package/src/verax/core/evidence/evidence-capture-service.js +308 -0
package/src/verax/core/evidence/evidence-intent-ledger.js +166 -0
package/src/verax/core/evidence-builder.js +487 -0
package/src/verax/core/execution-mode-context.js +77 -0
package/src/verax/core/execution-mode-detector.js +192 -0
package/src/verax/core/failures/exit-codes.js +88 -0
package/src/verax/core/failures/failure-summary.js +76 -0
package/src/verax/core/failures/failure.factory.js +225 -0
package/src/verax/core/failures/failure.ledger.js +133 -0
package/src/verax/core/failures/failure.types.js +196 -0
package/src/verax/core/failures/index.js +10 -0
package/src/verax/core/ga/ga-report-writer.js +43 -0
package/src/verax/core/ga/ga.artifact.js +49 -0
package/src/verax/core/ga/ga.contract.js +435 -0
package/src/verax/core/ga/ga.enforcer.js +87 -0
package/src/verax/core/guardrails/guardrails-report-writer.js +109 -0
package/src/verax/core/guardrails/policy.defaults.js +210 -0
package/src/verax/core/guardrails/policy.loader.js +84 -0
package/src/verax/core/guardrails/policy.schema.js +110 -0
package/src/verax/core/guardrails/truth-reconciliation.js +136 -0
package/src/verax/core/guardrails-engine.js +505 -0
package/src/verax/core/incremental-store.js +1 -0
package/src/verax/core/integrity/budget.js +138 -0
package/src/verax/core/integrity/determinism.js +342 -0
package/src/verax/core/integrity/integrity.js +208 -0
package/src/verax/core/integrity/poisoning.js +108 -0
package/src/verax/core/integrity/transaction.js +140 -0
package/src/verax/core/observe/run-timeline.js +318 -0
package/src/verax/core/perf/perf.contract.js +186 -0
package/src/verax/core/perf/perf.display.js +65 -0
package/src/verax/core/perf/perf.enforcer.js +91 -0
package/src/verax/core/perf/perf.monitor.js +209 -0
package/src/verax/core/perf/perf.report.js +200 -0
package/src/verax/core/pipeline-tracker.js +243 -0
package/src/verax/core/product-definition.js +127 -0
package/src/verax/core/release/provenance.builder.js +130 -0
package/src/verax/core/release/release-report-writer.js +40 -0
package/src/verax/core/release/release.enforcer.js +164 -0
package/src/verax/core/release/reproducibility.check.js +222 -0
package/src/verax/core/release/sbom.builder.js +292 -0
package/src/verax/core/replay-validator.js +2 -0
package/src/verax/core/replay.js +4 -0
package/src/verax/core/report/cross-index.js +195 -0
package/src/verax/core/report/human-summary.js +362 -0
package/src/verax/core/route-intelligence.js +420 -0
package/src/verax/core/run-id.js +6 -3
package/src/verax/core/run-manifest.js +4 -3
package/src/verax/core/security/secrets.scan.js +329 -0
package/src/verax/core/security/security-report.js +50 -0
package/src/verax/core/security/security.enforcer.js +128 -0
package/src/verax/core/security/supplychain.defaults.json +38 -0
package/src/verax/core/security/supplychain.policy.js +334 -0
package/src/verax/core/security/vuln.scan.js +265 -0
package/src/verax/core/truth/truth.certificate.js +252 -0
package/src/verax/core/ui-feedback-intelligence.js +481 -0
package/src/verax/detect/conditional-ui-silent-failure.js +84 -0
package/src/verax/detect/confidence-engine.js +62 -34
package/src/verax/detect/confidence-helper.js +34 -0
package/src/verax/detect/dynamic-route-findings.js +338 -0
package/src/verax/detect/expectation-chain-detector.js +417 -0
package/src/verax/detect/expectation-model.js +2 -2
package/src/verax/detect/failure-cause-inference.js +293 -0
package/src/verax/detect/findings-writer.js +131 -35
package/src/verax/detect/flow-detector.js +2 -2
package/src/verax/detect/form-silent-failure.js +98 -0
package/src/verax/detect/index.js +46 -5
package/src/verax/detect/invariants-enforcer.js +147 -0
package/src/verax/detect/journey-stall-detector.js +558 -0
package/src/verax/detect/navigation-silent-failure.js +82 -0
package/src/verax/detect/problem-aggregator.js +361 -0
package/src/verax/detect/route-findings.js +219 -0
package/src/verax/detect/summary-writer.js +477 -0
package/src/verax/detect/test-failure-cause-inference.js +314 -0
package/src/verax/detect/ui-feedback-findings.js +207 -0
package/src/verax/detect/view-switch-correlator.js +242 -0
package/src/verax/flow/flow-engine.js +2 -1
package/src/verax/flow/flow-spec.js +0 -6
package/src/verax/index.js +4 -0
package/src/verax/intel/ts-program.js +1 -0
package/src/verax/intel/vue-navigation-extractor.js +3 -0
package/src/verax/learn/action-contract-extractor.js +3 -0
package/src/verax/learn/ast-contract-extractor.js +1 -1
package/src/verax/learn/flow-extractor.js +1 -0
package/src/verax/learn/project-detector.js +5 -0
package/src/verax/learn/react-router-extractor.js +2 -0
package/src/verax/learn/source-instrumenter.js +1 -0
package/src/verax/learn/state-extractor.js +2 -1
package/src/verax/learn/static-extractor.js +1 -0
package/src/verax/observe/coverage-gaps.js +132 -0
package/src/verax/observe/expectation-handler.js +126 -0
package/src/verax/observe/incremental-skip.js +46 -0
package/src/verax/observe/index.js +51 -155
package/src/verax/observe/interaction-executor.js +192 -0
package/src/verax/observe/interaction-runner.js +782 -513
package/src/verax/observe/network-firewall.js +86 -0
package/src/verax/observe/observation-builder.js +169 -0
package/src/verax/observe/observe-context.js +205 -0
package/src/verax/observe/observe-helpers.js +192 -0
package/src/verax/observe/observe-runner.js +230 -0
package/src/verax/observe/observers/budget-observer.js +185 -0
package/src/verax/observe/observers/console-observer.js +102 -0
package/src/verax/observe/observers/coverage-observer.js +107 -0
package/src/verax/observe/observers/interaction-observer.js +471 -0
package/src/verax/observe/observers/navigation-observer.js +132 -0
package/src/verax/observe/observers/network-observer.js +87 -0
package/src/verax/observe/observers/safety-observer.js +82 -0
package/src/verax/observe/observers/ui-feedback-observer.js +99 -0
package/src/verax/observe/page-traversal.js +138 -0
package/src/verax/observe/snapshot-ops.js +94 -0
package/src/verax/observe/ui-feedback-detector.js +742 -0
package/src/verax/scan-summary-writer.js +2 -0
package/src/verax/shared/artifact-manager.js +25 -5
package/src/verax/shared/caching.js +1 -0
package/src/verax/shared/css-spinner-rules.js +204 -0
package/src/verax/shared/expectation-tracker.js +1 -0
package/src/verax/shared/view-switch-rules.js +208 -0
package/src/verax/shared/zip-artifacts.js +6 -0
package/src/verax/shared/config-loader.js +0 -169
/package/src/verax/shared/{expectation-proof.js → expectation-validation.js} +0 -0

package/src/verax/core/guardrails/policy.defaults.js ADDED Viewed

@@ -0,0 +1,210 @@
+/**
+ * PHASE 21.4 — Guardrails Policy Defaults
+ *
+ * Default guardrails policy extracted from hardcoded rules.
+ * All rules are mandatory and cannot be disabled.
+ */
+/**
+ * PHASE 17: Guardrails Rule Codes
+ */
+export const GUARDRAILS_RULE = {
+  NET_SUCCESS_NO_UI: 'GUARD_NET_SUCCESS_NO_UI',
+  ANALYTICS_ONLY: 'GUARD_ANALYTICS_ONLY',
+  SHALLOW_ROUTING: 'GUARD_SHALLOW_ROUTING',
+  UI_FEEDBACK_PRESENT: 'GUARD_UI_FEEDBACK_PRESENT',
+  INTERACTION_BLOCKED: 'GUARD_INTERACTION_BLOCKED',
+  VALIDATION_PRESENT: 'GUARD_VALIDATION_PRESENT',
+  CONTRADICT_EVIDENCE: 'GUARD_CONTRADICT_EVIDENCE',
+  VIEW_SWITCH_MINOR_CHANGE: 'GUARD_VIEW_SWITCH_MINOR_CHANGE',
+  VIEW_SWITCH_ANALYTICS_ONLY: 'GUARD_VIEW_SWITCH_ANALYTICS_ONLY',
+  VIEW_SWITCH_AMBIGUOUS: 'GUARD_VIEW_SWITCH_AMBIGUOUS',
+};
+/**
+ * Default guardrails policy
+ *
+ * This policy matches the current hardcoded behavior exactly.
+ */
+export const DEFAULT_GUARDRAILS_POLICY = {
+  version: '21.4.0',
+  source: 'default',
+  rules: [
+    {
+      id: GUARDRAILS_RULE.NET_SUCCESS_NO_UI,
+      category: 'network',
+      trigger: 'Network request succeeded but no UI change observed',
+      action: 'BLOCK',
+      confidenceDelta: -0.3,
+      appliesTo: ['silent_failure', 'network'],
+      mandatory: true,
+      evaluation: {
+        type: 'network_success_no_ui',
+        conditions: {
+          networkSuccess: true,
+          noUiChange: true,
+          noErrors: true,
+          isSilentFailure: true,
+          isConfirmed: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.ANALYTICS_ONLY,
+      category: 'network',
+      trigger: 'Only analytics/beacon requests detected',
+      action: 'BLOCK',
+      confidenceDelta: -0.5,
+      appliesTo: ['network', 'silent_failure'],
+      mandatory: true,
+      evaluation: {
+        type: 'analytics_only',
+        conditions: {
+          isAnalyticsOnly: true,
+          isNetworkFinding: true,
+          isConfirmed: true,
+          singleRequest: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.SHALLOW_ROUTING,
+      category: 'navigation',
+      trigger: 'Hash-only or shallow routing detected',
+      action: 'BLOCK',
+      confidenceDelta: -0.2,
+      appliesTo: ['navigation', 'route'],
+      mandatory: true,
+      evaluation: {
+        type: 'shallow_routing',
+        conditions: {
+          isHashOnly: true,
+          isShallowRouting: true,
+          isNavigationFinding: true,
+          isConfirmed: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.UI_FEEDBACK_PRESENT,
+      category: 'ui-feedback',
+      trigger: 'UI feedback is present, contradicting silent failure claim',
+      action: 'BLOCK',
+      confidenceDelta: -0.4,
+      appliesTo: ['silent_failure', 'feedback_missing'],
+      mandatory: true,
+      evaluation: {
+        type: 'ui_feedback_present',
+        conditions: {
+          hasFeedback: true,
+          isSilentFailure: true,
+          isConfirmed: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.INTERACTION_BLOCKED,
+      category: 'state',
+      trigger: 'Interaction was disabled/blocked',
+      action: 'INFO',
+      confidenceDelta: -0.5,
+      appliesTo: ['silent_failure'],
+      mandatory: true,
+      evaluation: {
+        type: 'interaction_blocked',
+        conditions: {
+          isDisabled: true,
+          isSilentFailure: true,
+          isConfirmed: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.VALIDATION_PRESENT,
+      category: 'validation',
+      trigger: 'Validation feedback is present, contradicting validation failure claim',
+      action: 'BLOCK',
+      confidenceDelta: -0.3,
+      appliesTo: ['validation', 'form'],
+      mandatory: true,
+      evaluation: {
+        type: 'validation_present',
+        conditions: {
+          hasValidationFeedback: true,
+          isValidationFailure: true,
+          isConfirmed: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.CONTRADICT_EVIDENCE,
+      category: 'state',
+      trigger: 'Evidence package is incomplete',
+      action: 'BLOCK',
+      confidenceDelta: -0.2,
+      appliesTo: ['*'], // Applies to all findings
+      mandatory: true,
+      evaluation: {
+        type: 'contradict_evidence',
+        conditions: {
+          isConfirmed: true,
+          evidenceIncomplete: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.VIEW_SWITCH_MINOR_CHANGE,
+      category: 'view-switch',
+      trigger: 'URL unchanged and change is minor (e.g. button text only)',
+      action: 'BLOCK',
+      confidenceDelta: -0.4,
+      appliesTo: ['view_switch', 'state_action'],
+      mandatory: true,
+      evaluation: {
+        type: 'view_switch_minor_change',
+        conditions: {
+          isViewSwitch: true,
+          urlUnchanged: true,
+          isMinorChange: true,
+          isConfirmed: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.VIEW_SWITCH_ANALYTICS_ONLY,
+      category: 'view-switch',
+      trigger: 'Only analytics fired, no UI change',
+      action: 'BLOCK',
+      confidenceDelta: -0.5,
+      appliesTo: ['view_switch', 'state_action'],
+      mandatory: true,
+      evaluation: {
+        type: 'view_switch_analytics_only',
+        conditions: {
+          isViewSwitch: true,
+          analyticsOnly: true,
+          isConfirmed: true
+        }
+      }
+    },
+    {
+      id: GUARDRAILS_RULE.VIEW_SWITCH_AMBIGUOUS,
+      category: 'view-switch',
+      trigger: 'State change promise exists but UI outcome ambiguous (one signal only)',
+      action: 'DOWNGRADE',
+      confidenceDelta: -0.3,
+      appliesTo: ['view_switch', 'state_action'],
+      mandatory: true,
+      evaluation: {
+        type: 'view_switch_ambiguous',
+        conditions: {
+          isViewSwitch: true,
+          hasPromise: true,
+          ambiguousOutcome: true,
+          isConfirmed: true
+        }
+      }
+    }
+  ]
+};

package/src/verax/core/guardrails/policy.loader.js ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * PHASE 21.4 — Guardrails Policy Loader
+ *
+ * Loads guardrails policies from files or uses defaults.
+ * Validates policies and ensures all rules are mandatory.
+ */
+import { readFileSync, existsSync } from 'fs';
+import { resolve } from 'path';
+import { validateGuardrailsPolicy } from './policy.schema.js';
+import { DEFAULT_GUARDRAILS_POLICY } from './policy.defaults.js';
+/**
+ * Load guardrails policy
+ *
+ * @param {string|null} policyPath - Path to custom policy file (optional)
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Guardrails policy
+ * @throws {Error} If policy is invalid
+ */
+export function loadGuardrailsPolicy(policyPath = null, projectDir = null) {
+  // If no custom policy path, use defaults
+  if (!policyPath) {
+    return DEFAULT_GUARDRAILS_POLICY;
+  }
+  // Resolve policy path
+  const resolvedPath = projectDir ? resolve(projectDir, policyPath) : resolve(policyPath);
+  // Check if file exists
+  if (!existsSync(resolvedPath)) {
+    throw new Error(`Guardrails policy file not found: ${resolvedPath}`);
+  }
+  // Read and parse policy
+  let policy;
+  try {
+    const policyContent = readFileSync(resolvedPath, 'utf-8');
+  // @ts-expect-error - readFileSync with encoding returns string
+    policy = JSON.parse(policyContent);
+  } catch (error) {
+    throw new Error(`Failed to load guardrails policy: ${error.message}`);
+  }
+  // Validate policy
+  try {
+    validateGuardrailsPolicy(policy);
+  } catch (error) {
+    throw new Error(`Invalid guardrails policy: ${error.message}`);
+  }
+  // Mark as custom
+  policy.source = 'custom';
+  // HARD LOCK: Ensure all rules are mandatory
+  for (const rule of policy.rules) {
+    if (rule.mandatory !== true) {
+      throw new Error(`Guardrails rule ${rule.id} cannot be disabled (mandatory must be true)`);
+    }
+  }
+  return policy;
+}
+/**
+ * Get policy report metadata
+ *
+ * @param {Object} policy - Guardrails policy
+ * @returns {Object} Policy report metadata
+ */
+export function getPolicyReport(policy) {
+  return {
+    version: policy.version,
+    source: policy.source,
+    ruleCount: policy.rules.length,
+    rules: policy.rules.map(rule => ({
+      id: rule.id,
+      category: rule.category,
+      action: rule.action,
+      mandatory: rule.mandatory
+    }))
+  };
+}

package/src/verax/core/guardrails/policy.schema.js ADDED Viewed

@@ -0,0 +1,110 @@
+/**
+ * PHASE 21.4 — Guardrails Policy Schema
+ *
+ * Defines the structure for guardrails policies.
+ * All rules are mandatory and cannot be disabled.
+ */
+/**
+ * Guardrails Policy Schema
+ *
+ * @typedef {Object} GuardrailsPolicy
+ * @property {string} version - Policy version
+ * @property {string} source - 'default' | 'custom'
+ * @property {Array<GuardrailsRule>} rules - Array of guardrails rules
+ */
+/**
+ * Guardrails Rule
+ *
+ * @typedef {Object} GuardrailsRule
+ * @property {string} id - Stable rule identifier
+ * @property {string} category - Rule category (network, navigation, ui-feedback, validation, state)
+ * @property {string} trigger - Trigger condition description
+ * @property {string} action - Action type (BLOCK / DOWNGRADE / INFO)
+ * @property {number} confidenceDelta - Confidence adjustment (must be ≤ 0)
+ * @property {Array<string>} appliesTo - Capabilities list this rule applies to
+ * @property {boolean} mandatory - Always true (cannot be disabled)
+ * @property {Object} evaluation - Evaluation function parameters
+ */
+/**
+ * Validate guardrails policy
+ *
+ * @param {Object} policy - Policy to validate
+ * @throws {Error} If policy is invalid
+ */
+export function validateGuardrailsPolicy(policy) {
+  if (!policy) {
+    throw new Error('Guardrails policy is required');
+  }
+  if (!policy.version || typeof policy.version !== 'string') {
+    throw new Error('Guardrails policy must have a version string');
+  }
+  if (!policy.rules || !Array.isArray(policy.rules)) {
+    throw new Error('Guardrails policy must have a rules array');
+  }
+  for (const rule of policy.rules) {
+    validateGuardrailsRule(rule);
+  }
+}
+/**
+ * Validate a guardrails rule
+ *
+ * @param {Object} rule - Rule to validate
+ * @throws {Error} If rule is invalid
+ */
+export function validateGuardrailsRule(rule) {
+  if (!rule.id || typeof rule.id !== 'string') {
+    throw new Error('Guardrails rule must have a stable id string');
+  }
+  if (!rule.category || typeof rule.category !== 'string') {
+    throw new Error('Guardrails rule must have a category string');
+  }
+  const validCategories = ['network', 'navigation', 'ui-feedback', 'validation', 'state'];
+  if (!validCategories.includes(rule.category)) {
+    throw new Error(`Guardrails rule category must be one of: ${validCategories.join(', ')}`);
+  }
+  if (!rule.action || typeof rule.action !== 'string') {
+    throw new Error('Guardrails rule must have an action string');
+  }
+  const validActions = ['BLOCK', 'DOWNGRADE', 'INFO'];
+  if (!validActions.includes(rule.action)) {
+    throw new Error(`Guardrails rule action must be one of: ${validActions.join(', ')}`);
+  }
+  if (typeof rule.confidenceDelta !== 'number') {
+    throw new Error('Guardrails rule must have a confidenceDelta number');
+  }
+  // HARD LOCK: Confidence delta must be ≤ 0 (can only decrease confidence)
+  if (rule.confidenceDelta > 0) {
+    throw new Error('Guardrails rule confidenceDelta must be ≤ 0 (cannot increase confidence)');
+  }
+  if (!Array.isArray(rule.appliesTo)) {
+    throw new Error('Guardrails rule appliesTo must be an array');
+  }
+  // HARD LOCK: All rules are mandatory
+  if (rule.mandatory !== true) {
+    throw new Error('Guardrails rule must have mandatory: true (cannot be disabled)');
+  }
+  if (!rule.trigger || typeof rule.trigger !== 'string') {
+    throw new Error('Guardrails rule must have a trigger description');
+  }
+  if (!rule.evaluation || typeof rule.evaluation !== 'object') {
+    throw new Error('Guardrails rule must have an evaluation object');
+  }
+}

package/src/verax/core/guardrails/truth-reconciliation.js ADDED Viewed

@@ -0,0 +1,136 @@
+/**
+ * PHASE 23 — Guardrails Truth Reconciliation
+ *
+ * Reconciles confidence with guardrails outcome to ensure consistency.
+ * Guardrails outcome is the authoritative "final claim boundary".
+ */
+import { CONFIDENCE_LEVEL as _CONFIDENCE_LEVEL } from '../confidence-engine.js';
+/**
+ * Reconciliation reason codes
+ */
+export const RECONCILIATION_REASON = {
+  GUARDRAILS_DOWNGRADE_CONFIRMED: 'RECON_GUARDRAILS_DOWNGRADE_CONFIRMED',
+  GUARDRAILS_DOWNGRADE_SUSPECTED: 'RECON_GUARDRAILS_DOWNGRADE_SUSPECTED',
+  GUARDRAILS_INFORMATIONAL: 'RECON_GUARDRAILS_INFORMATIONAL',
+  GUARDRAILS_IGNORED: 'RECON_GUARDRAILS_IGNORED',
+  CONFIDENCE_CAP_GUARDRAILS_DOWNGRADE: 'RECON_CONF_CAP_GUARDRAILS_DOWNGRADE',
+  CONFIDENCE_CAP_INFORMATIONAL: 'RECON_CONF_CAP_INFORMATIONAL',
+  CONFIDENCE_CAP_IGNORED: 'RECON_CONF_CAP_IGNORED',
+  NO_RECONCILIATION_NEEDED: 'RECON_NO_RECONCILIATION_NEEDED',
+};
+/**
+ * Finalize finding truth by reconciling confidence with guardrails outcome.
+ *
+ * @param {Object} finding - Finding object (may have been modified by guardrails)
+ * @param {Object} guardrailsResult - Result from applyGuardrails
+ * @param {Object} context - Context { initialConfidence, initialConfidenceLevel }
+ * @returns {Object} { finalFinding, truthDecision }
+ */
+export function finalizeFindingTruth(finding, guardrailsResult, context = {}) {
+  const guardrails = guardrailsResult.guardrails || finding.guardrails || {};
+  const finalDecision = guardrails.finalDecision || guardrails.recommendedStatus || finding.severity || 'SUSPECTED';
+  // Capture initial confidence before guardrails
+  const confidenceBefore = context.initialConfidence !== undefined
+    ? context.initialConfidence
+    : (finding.confidence || 0);
+  const confidenceLevelBefore = context.initialConfidenceLevel
+    || finding.confidenceLevel
+    || (confidenceBefore >= 0.8 ? 'HIGH' : confidenceBefore >= 0.5 ? 'MEDIUM' : confidenceBefore >= 0.2 ? 'LOW' : 'UNPROVEN');
+  // Start with guardrails-adjusted confidence
+  let confidenceAfter = finding.confidence !== undefined ? finding.confidence : confidenceBefore;
+  let confidenceLevelAfter = finding.confidenceLevel || confidenceLevelBefore;
+  const reconciliationReasons = [];
+  const contradictionsResolved = [];
+  // Enforce truth boundaries based on final decision
+  if (finalDecision === 'CONFIRMED') {
+    // CONFIRMED must have guardrails finalDecision == CONFIRMED
+    if (guardrails.finalDecision !== 'CONFIRMED' && guardrails.recommendedStatus !== 'CONFIRMED') {
+      // This should not happen if guardrails are applied correctly, but enforce it
+      contradictionsResolved.push({
+        code: 'CONTRADICTION_CONFIRMED_WITHOUT_GUARDRAILS',
+        message: 'Finding marked CONFIRMED but guardrails did not approve CONFIRMED status'
+      });
+    }
+    // CONFIRMED can have any confidence level (no cap)
+  } else if (finalDecision === 'SUSPECTED') {
+    // SUSPECTED due to guardrails downgrade -> cap confidence at 0.69 (MEDIUM)
+    const wasDowngraded = guardrails.contradictions && guardrails.contradictions.length > 0;
+    const hasEvidenceIntentFailure = guardrails.appliedRules?.some(r =>
+      r.code?.includes('EVIDENCE') || r.message?.includes('evidence')
+    );
+    if (wasDowngraded || hasEvidenceIntentFailure) {
+      if (confidenceAfter > 0.69) {
+        confidenceAfter = 0.69;
+        confidenceLevelAfter = 'MEDIUM';
+        reconciliationReasons.push(RECONCILIATION_REASON.CONFIDENCE_CAP_GUARDRAILS_DOWNGRADE);
+      }
+      reconciliationReasons.push(RECONCILIATION_REASON.GUARDRAILS_DOWNGRADE_SUSPECTED);
+    }
+  } else if (finalDecision === 'INFORMATIONAL') {
+    // INFORMATIONAL -> confidence must be LOW or UNPROVEN
+    if (confidenceAfter > 0.2) {
+      confidenceAfter = 0.2;
+      confidenceLevelAfter = 'LOW';
+      reconciliationReasons.push(RECONCILIATION_REASON.CONFIDENCE_CAP_INFORMATIONAL);
+    }
+    reconciliationReasons.push(RECONCILIATION_REASON.GUARDRAILS_INFORMATIONAL);
+  } else if (finalDecision === 'IGNORED') {
+    // IGNORED -> confidence must be UNPROVEN
+    confidenceAfter = 0;
+    confidenceLevelAfter = 'UNPROVEN';
+    reconciliationReasons.push(RECONCILIATION_REASON.CONFIDENCE_CAP_IGNORED);
+    reconciliationReasons.push(RECONCILIATION_REASON.GUARDRAILS_IGNORED);
+  }
+  // If no reconciliation was needed, record it
+  if (reconciliationReasons.length === 0) {
+    reconciliationReasons.push(RECONCILIATION_REASON.NO_RECONCILIATION_NEEDED);
+  }
+  // Build final finding with reconciled confidence
+  const finalFinding = {
+    ...finding,
+    severity: finalDecision,
+    status: finalDecision,
+    confidence: confidenceAfter,
+    confidenceLevel: confidenceLevelAfter,
+    guardrails: {
+      ...guardrails,
+      reconciliation: {
+        confidenceBefore,
+        confidenceAfter,
+        confidenceLevelBefore,
+        confidenceLevelAfter,
+        reconciliationReasons,
+        contradictionsResolved
+      }
+    }
+  };
+  // Build truth decision
+  const truthDecision = {
+    finalStatus: finalDecision,
+    appliedGuardrails: guardrails.appliedRules?.map(r => r.code) || [],
+    confidenceBefore,
+    confidenceAfter,
+    confidenceLevelBefore,
+    confidenceLevelAfter,
+    reconciliationReasons,
+    contradictionsResolved,
+    confidenceDelta: confidenceAfter - confidenceBefore
+  };
+  return {
+    finalFinding,
+    truthDecision
+  };
+}