@veraxhq/verax 0.2.1 → 0.4.0

package/src/verax/core/release/release.enforcer.js

@@ -0,0 +1,164 @@
+/**
+ * PHASE 21.7 — Release Enforcer
+ * 
+ * Hard lock: blocks publish/release without GA-READY + Provenance + SBOM + Reproducible.
+ */
+
+import { existsSync, readFileSync } from 'fs';
+import { resolve } from 'path';
+import { checkGAStatus } from '../ga/ga.enforcer.js';
+import { findLatestRunId } from '../../../cli/util/run-resolver.js';
+import { FAILURE_CODE } from '../failures/failure.types.js';
+import { isBaselineFrozen, enforceBaseline } from '../baseline/baseline.enforcer.js';
+import { FailureLedger } from '../failures/failure.ledger.js';
+
+/**
+ * Check if release is allowed
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {string} operation - Operation name (publish, release, tag)
+ * @throws {Error} If release is blocked
+ */
+export async function enforceReleaseReadiness(projectDir, operation = 'release') {
+  const blockers = [];
+  
+  // 1. Check GA status
+  try {
+    const runId = findLatestRunId(projectDir);
+    if (!runId) {
+      blockers.push('No runs found. Run a scan and verify GA readiness first.');
+    } else {
+      const gaCheck = checkGAStatus(projectDir, runId);
+      if (!gaCheck.ready) {
+        const blockerMessages = gaCheck.status?.blockers?.map(b => b.message).join('; ') || 'GA not ready';
+        blockers.push(`GA-BLOCKED: ${blockerMessages}`);
+      }
+    }
+  } catch (error) {
+    blockers.push(`GA check failed: ${error.message}`);
+  }
+  
+  // 2. Check Provenance
+  const provenancePath = resolve(projectDir, 'release', 'release.provenance.json');
+  if (!existsSync(provenancePath)) {
+    blockers.push('Provenance not found. Run "verax release:check" first.');
+  } else {
+    try {
+  // @ts-expect-error - readFileSync with encoding returns string
+      const provenance = JSON.parse(readFileSync(provenancePath, 'utf-8'));
+      if (provenance.git?.dirty) {
+        blockers.push('Provenance indicates dirty git repository');
+      }
+      if (provenance.gaStatus !== 'GA-READY') {
+        blockers.push(`Provenance GA status is ${provenance.gaStatus}, not GA-READY`);
+      }
+    } catch (error) {
+      blockers.push(`Invalid provenance: ${error.message}`);
+    }
+  }
+  
+  // 3. Check SBOM
+  const sbomPath = resolve(projectDir, 'release', 'sbom.json');
+  if (!existsSync(sbomPath)) {
+    blockers.push('SBOM not found. Run "verax release:check" first.');
+  } else {
+    try {
+  // @ts-expect-error - readFileSync with encoding returns string
+      const sbom = JSON.parse(readFileSync(sbomPath, 'utf-8'));
+      if (!sbom.bomFormat || !sbom.components || !Array.isArray(sbom.components) || sbom.components.length === 0) {
+        blockers.push('Invalid or empty SBOM');
+      }
+    } catch (error) {
+      blockers.push(`Invalid SBOM: ${error.message}`);
+    }
+  }
+  
+  // 4. Check Reproducibility
+  const reproducibilityPath = resolve(projectDir, 'release', 'reproducibility.report.json');
+  if (!existsSync(reproducibilityPath)) {
+    blockers.push('Reproducibility report not found. Run "verax release:check" first.');
+  } else {
+    try {
+  // @ts-expect-error - readFileSync with encoding returns string
+      const report = JSON.parse(readFileSync(reproducibilityPath, 'utf-8'));
+      if (report.verdict !== 'REPRODUCIBLE') {
+        const differences = report.differences?.map(d => d.message).join('; ') || 'Build is not reproducible';
+        blockers.push(`NON_REPRODUCIBLE: ${differences}`);
+      }
+    } catch (error) {
+      blockers.push(`Invalid reproducibility report: ${error.message}`);
+    }
+  }
+  
+  // 5. Check Security (PHASE 21.8)
+  const secretsPath = resolve(projectDir, 'release', 'security.secrets.report.json');
+  const vulnPath = resolve(projectDir, 'release', 'security.vuln.report.json');
+  const supplyChainPath = resolve(projectDir, 'release', 'security.supplychain.report.json');
+  
+  if (!existsSync(secretsPath) || !existsSync(vulnPath) || !existsSync(supplyChainPath)) {
+    blockers.push('Security reports not found. Run "verax security:check" first.');
+  } else {
+    try {
+      // Check secrets
+      // @ts-expect-error - readFileSync with encoding returns string
+      const secretsReport = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+      if (secretsReport.hasSecrets) {
+        blockers.push(`SECURITY-BLOCKED: Secrets detected (${secretsReport.summary.total} finding(s))`);
+      }
+      
+      // Check vulnerabilities
+      // @ts-expect-error - readFileSync with encoding returns string
+      const vulnReport = JSON.parse(readFileSync(vulnPath, 'utf-8'));
+      if (vulnReport.blocking) {
+        blockers.push(`SECURITY-BLOCKED: Critical/High vulnerabilities detected (${vulnReport.summary.critical + vulnReport.summary.high} total)`);
+      }
+      
+      // Check supply-chain
+      // @ts-expect-error - readFileSync with encoding returns string
+      const supplyChainReport = JSON.parse(readFileSync(supplyChainPath, 'utf-8'));
+      if (!supplyChainReport.ok) {
+        blockers.push(`SECURITY-BLOCKED: Supply-chain violations (${supplyChainReport.summary.totalViolations} violation(s))`);
+      }
+    } catch (error) {
+      blockers.push(`Security check failed: ${error.message}`);
+    }
+  }
+  
+  // 6. Check Performance (PHASE 21.9) - BLOCKING perf violations block release
+  const runId = findLatestRunId(projectDir);
+  if (runId) {
+    try {
+      const { checkPerformanceStatus } = await import('../perf/perf.enforcer.js');
+      const perfCheck = checkPerformanceStatus(projectDir, runId);
+      
+      if (perfCheck.exists && !perfCheck.ok) {
+        blockers.push(`PERFORMANCE-BLOCKED: ${perfCheck.blockers.join('; ')}`);
+      }
+    } catch (error) {
+      // Performance check failure is not a blocker (may be from old runs)
+    }
+  }
+  
+  // 7. Baseline Freeze Enforcement (PHASE 21.11)
+  // After GA, baseline must be frozen and unchanged
+  if (isBaselineFrozen(projectDir)) {
+    const failureLedger = new FailureLedger(projectDir, runId || 'unknown');
+    const baselineCheck = enforceBaseline(projectDir, failureLedger);
+    if (baselineCheck.blocked) {
+      blockers.push(`BASELINE-DRIFT: ${baselineCheck.message}. Changes to core contracts/policies after GA require MAJOR version bump and baseline regeneration.`);
+    }
+  }
+  
+  // If any blockers, throw error
+  if (blockers.length > 0) {
+    const message = `Cannot ${operation}: RELEASE-BLOCKED. ${blockers.join('; ')}`;
+    const error = new Error(message);
+    /** @type {any} */
+    const e = error;
+    e.code = FAILURE_CODE.INTERNAL_UNEXPECTED_ERROR;
+    e.component = 'release.enforcer';
+    e.context = { operation, blockers };
+    throw error;
+  }
+}
+

package/src/verax/core/release/reproducibility.check.js

@@ -0,0 +1,222 @@
+/**
+ * PHASE 21.7 — Reproducibility Check
+ * 
+ * Verifies that same commit + same policies = same hashes.
+ * Difference = NON_REPRODUCIBLE (BLOCKING for GA).
+ */
+
+import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'fs';
+import { resolve } from 'path';
+import { createHash } from 'crypto';
+import { execSync } from 'child_process';
+
+/**
+ * Get current git commit
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {string|null} Commit hash or null
+ */
+function getGitCommit(projectDir) {
+  try {
+    const result = execSync('git rev-parse HEAD', { 
+      cwd: projectDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    });
+    return result.trim();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get policy hashes
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} Policy hashes
+ */
+async function getPolicyHashes(projectDir) {
+  try {
+    const { loadGuardrailsPolicy } = await import('../guardrails/policy.loader.js');
+    const { loadConfidencePolicy } = await import('../confidence/confidence.loader.js');
+    
+    const guardrails = loadGuardrailsPolicy(null, projectDir);
+    const confidence = loadConfidencePolicy(null, projectDir);
+    
+    const guardrailsHash = createHash('sha256')
+      .update(JSON.stringify(guardrails, null, 0))
+      .digest('hex');
+    
+    const confidenceHash = createHash('sha256')
+      .update(JSON.stringify(confidence, null, 0))
+      .digest('hex');
+    
+    return {
+      guardrails: guardrailsHash,
+      confidence: confidenceHash
+    };
+  } catch {
+    return {
+      guardrails: null,
+      confidence: null
+    };
+  }
+}
+
+/**
+ * Get artifact hashes
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Artifact hashes
+ */
+function getArtifactHashes(projectDir) {
+  const hashes = {};
+  
+  // Hash key files
+  const keyFiles = [
+    'package.json',
+    'bin/verax.js',
+    'src/cli/entry.js'
+  ];
+  
+  for (const file of keyFiles) {
+    const filePath = resolve(projectDir, file);
+    if (existsSync(filePath)) {
+      try {
+        const content = readFileSync(filePath);
+        hashes[file] = createHash('sha256').update(content).digest('hex');
+      } catch {
+        hashes[file] = null;
+      }
+    } else {
+      hashes[file] = null;
+    }
+  }
+  
+  return hashes;
+}
+
+/**
+ * Load previous reproducibility report
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object|null} Previous report or null
+ */
+function loadPreviousReport(projectDir) {
+  const reportPath = resolve(projectDir, 'release', 'reproducibility.report.json');
+  if (!existsSync(reportPath)) {
+    return null;
+  }
+  
+  try {
+    const content = readFileSync(reportPath, 'utf-8');
+  // @ts-expect-error - readFileSync with encoding returns string
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check reproducibility
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} Reproducibility check result
+ */
+export async function checkReproducibility(projectDir) {
+  const gitCommit = getGitCommit(projectDir);
+  const policyHashes = await getPolicyHashes(projectDir);
+  const artifactHashes = getArtifactHashes(projectDir);
+  
+  const current = {
+    gitCommit,
+    policies: policyHashes,
+    artifacts: artifactHashes,
+    checkedAt: new Date().toISOString()
+  };
+  
+  const previous = loadPreviousReport(projectDir);
+  
+  let reproducible = true;
+  const differences = [];
+  
+  if (previous) {
+    // Compare with previous build
+    if (previous.gitCommit !== gitCommit) {
+      reproducible = false;
+      differences.push({
+        type: 'git_commit',
+        previous: previous.gitCommit,
+        current: gitCommit,
+        message: 'Git commit changed'
+      });
+    }
+    
+    if (previous.policies?.guardrails !== policyHashes.guardrails) {
+      reproducible = false;
+      differences.push({
+        type: 'guardrails_policy',
+        previous: previous.policies?.guardrails,
+        current: policyHashes.guardrails,
+        message: 'Guardrails policy changed'
+      });
+    }
+    
+    if (previous.policies?.confidence !== policyHashes.confidence) {
+      reproducible = false;
+      differences.push({
+        type: 'confidence_policy',
+        previous: previous.policies?.confidence,
+        current: policyHashes.confidence,
+        message: 'Confidence policy changed'
+      });
+    }
+    
+    // Compare artifact hashes
+    for (const [file, hash] of Object.entries(artifactHashes)) {
+      if (previous.artifacts?.[file] !== hash) {
+        reproducible = false;
+        differences.push({
+          type: 'artifact',
+          file,
+          previous: previous.artifacts?.[file],
+          current: hash,
+          message: `Artifact ${file} changed`
+        });
+      }
+    }
+  }
+  
+  const verdict = reproducible ? 'REPRODUCIBLE' : 'NON_REPRODUCIBLE';
+  
+  const report = {
+    verdict,
+    reproducible,
+    differences,
+    current,
+    previous: previous || null,
+    checkedAt: new Date().toISOString()
+  };
+  
+  return report;
+}
+
+/**
+ * Write reproducibility report
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} report - Reproducibility report
+ * @returns {string} Path to written file
+ */
+export function writeReproducibilityReport(projectDir, report) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  
+  const outputPath = resolve(outputDir, 'reproducibility.report.json');
+  writeFileSync(outputPath, JSON.stringify(report, null, 2), 'utf-8');
+  
+  return outputPath;
+}
+

package/src/verax/core/release/sbom.builder.js

@@ -0,0 +1,292 @@
+/**
+ * PHASE 21.7 — SBOM Builder
+ * 
+ * Generates Software Bill of Materials (SBOM) in CycloneDX format.
+ * Missing SBOM = BLOCKING.
+ */
+
+import { readFileSync, existsSync, writeFileSync, mkdirSync, readdirSync } from 'fs';
+import { resolve } from 'path';
+import { createHash } from 'crypto';
+import { execSync } from 'child_process';
+
+/**
+ * Get package.json dependencies
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Dependencies object
+ */
+function getDependencies(projectDir) {
+  try {
+    const pkgPath = resolve(projectDir, 'package.json');
+    if (!existsSync(pkgPath)) {
+      return { dependencies: {}, devDependencies: {} };
+    }
+  // @ts-expect-error - readFileSync with encoding returns string
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return {
+      dependencies: pkg.dependencies || {},
+      devDependencies: pkg.devDependencies || {}
+    };
+  } catch {
+    return { dependencies: {}, devDependencies: {} };
+  }
+}
+
+/**
+ * Helper to traverse dependency tree recursively
+ */
+function traverseDepsHelper(deps, packages, parent = null) {
+  if (!deps || typeof deps !== 'object') {
+    return;
+  }
+  
+  for (const [name, info] of Object.entries(deps)) {
+    if (info && typeof info === 'object' && info.version) {
+      packages.push({
+        name,
+        version: info.version,
+        parent: parent || null
+      });
+      
+      if (info.dependencies) {
+        traverseDepsHelper(info.dependencies, packages, name);
+      }
+    }
+  }
+}
+
+/**
+ * Get transitive dependencies from node_modules
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Array} Array of package info
+ */
+function getTransitiveDependencies(projectDir) {
+  const packages = [];
+  const nodeModulesPath = resolve(projectDir, 'node_modules');
+  
+  if (!existsSync(nodeModulesPath)) {
+    return packages;
+  }
+  
+  try {
+    // Use npm ls to get dependency tree (with timeout to prevent hanging)
+    const result = execSync('npm ls --all --json', {
+      cwd: projectDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+      timeout: 5000 // 5 second timeout
+    });
+    
+    const tree = JSON.parse(result);
+    
+    if (tree.dependencies) {
+      traverseDepsHelper(tree.dependencies, packages);
+    }
+  } catch {
+    // Fallback: scan node_modules directory
+    try {
+      const entries = readdirSync(nodeModulesPath, { withFileTypes: true });
+      
+      for (const entry of entries) {
+        if (entry.isDirectory() && !entry.name.startsWith('.')) {
+          const pkgPath = resolve(nodeModulesPath, entry.name, 'package.json');
+          if (existsSync(pkgPath)) {
+            try {
+  // @ts-expect-error - readFileSync with encoding returns string
+              const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+              packages.push({
+                name: pkg.name || entry.name,
+                version: pkg.version || 'unknown',
+                parent: null
+              });
+            } catch {
+              // Skip invalid packages
+            }
+          }
+        }
+      }
+    } catch {
+      // If scanning fails, return empty
+    }
+  }
+  
+  return packages;
+}
+
+/**
+ * Get license from package.json
+ * 
+ * @param {string} packagePath - Path to package.json
+ * @returns {string|null} License or null
+ */
+function getPackageLicense(packagePath) {
+  try {
+    if (!existsSync(packagePath)) {
+      return null;
+    }
+  // @ts-expect-error - readFileSync with encoding returns string
+    const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'));
+    if (typeof pkg.license === 'string') {
+      return pkg.license;
+    } else if (pkg.license && pkg.license.type) {
+      return pkg.license.type;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Compute integrity hash for a package
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {string} packageName - Package name
+ * @returns {string|null} SHA256 hash or null
+ */
+function getPackageIntegrity(projectDir, packageName) {
+  try {
+    const packagePath = resolve(projectDir, 'node_modules', packageName);
+    if (!existsSync(packagePath)) {
+      return null;
+    }
+    
+    // Hash the package.json as a proxy for package integrity
+    const pkgPath = resolve(packagePath, 'package.json');
+    if (existsSync(pkgPath)) {
+      const content = readFileSync(pkgPath);
+      // @ts-expect-error - digest returns string
+      return createHash('sha256').update(content).digest('hex');
+    }
+    
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Build SBOM in CycloneDX format
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} SBOM object
+ */
+export async function buildSBOM(projectDir) {
+  const pkgPath = resolve(projectDir, 'package.json');
+  if (!existsSync(pkgPath)) {
+    throw new Error('Cannot build SBOM: package.json not found');
+  }
+  
+  // @ts-expect-error - readFileSync with encoding returns string
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+  const deps = getDependencies(projectDir);
+  const transitive = getTransitiveDependencies(projectDir);
+  
+  // Build components list
+  const components = [];
+  
+  // Add main package
+  components.push({
+    type: 'application',
+    name: pkg.name || 'unknown',
+    version: pkg.version || 'unknown',
+    purl: `pkg:npm/${pkg.name}@${pkg.version}`,
+    licenses: pkg.license ? [{ license: { id: pkg.license } }] : []
+  });
+  
+  // Add direct dependencies
+  for (const [name, version] of Object.entries(deps.dependencies)) {
+    const integrity = getPackageIntegrity(projectDir, name);
+    const license = getPackageLicense(resolve(projectDir, 'node_modules', name, 'package.json'));
+    
+    components.push({
+      type: 'library',
+      name,
+      version: version.replace(/^[\^~]/, ''),
+      purl: `pkg:npm/${name}@${version.replace(/^[\^~]/, '')}`,
+      hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+      licenses: license ? [{ license: { id: license } }] : []
+    });
+  }
+  
+  // Add dev dependencies (marked as development)
+  for (const [name, version] of Object.entries(deps.devDependencies)) {
+    const integrity = getPackageIntegrity(projectDir, name);
+    const license = getPackageLicense(resolve(projectDir, 'node_modules', name, 'package.json'));
+    
+    components.push({
+      type: 'library',
+      name,
+      version: version.replace(/^[\^~]/, ''),
+      purl: `pkg:npm/${name}@${version.replace(/^[\^~]/, '')}`,
+      hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+      licenses: license ? [{ license: { id: license } }] : [],
+      scope: 'development'
+    });
+  }
+  
+  // Add transitive dependencies (simplified - in production, use proper dependency resolution)
+  const transitiveMap = new Map();
+  for (const trans of transitive) {
+    const key = `${trans.name}@${trans.version}`;
+    if (!transitiveMap.has(key)) {
+      transitiveMap.set(key, trans);
+      
+      const integrity = getPackageIntegrity(projectDir, trans.name);
+      const license = getPackageLicense(resolve(projectDir, 'node_modules', trans.name, 'package.json'));
+      
+      components.push({
+        type: 'library',
+        name: trans.name,
+        version: trans.version,
+        purl: `pkg:npm/${trans.name}@${trans.version}`,
+        hashes: integrity ? [{ alg: 'SHA-256', content: integrity }] : [],
+        licenses: license ? [{ license: { id: license } }] : []
+      });
+    }
+  }
+  
+  const sbom = {
+    bomFormat: 'CycloneDX',
+    specVersion: '1.4',
+    version: 1,
+    metadata: {
+      timestamp: new Date().toISOString(),
+      tools: [{
+        vendor: 'VERAX',
+        name: 'SBOM Builder',
+        version: '1.0.0'
+      }],
+      component: {
+        type: 'application',
+        name: pkg.name || 'unknown',
+        version: pkg.version || 'unknown'
+      }
+    },
+    components: components
+  };
+  
+  return sbom;
+}
+
+/**
+ * Write SBOM to file
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} sbom - SBOM object
+ * @returns {string} Path to written file
+ */
+export function writeSBOM(projectDir, sbom) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  
+  const outputPath = resolve(outputDir, 'sbom.json');
+  writeFileSync(outputPath, JSON.stringify(sbom, null, 2), 'utf-8');
+  
+  return outputPath;
+}
+

package/src/verax/core/replay-validator.js

@@ -292,7 +292,9 @@ export function validateReplay(baselinePath, currentPath) {
     throw new Error(`Current decisions not found: ${currentPath}`);
   }
   
+  // @ts-expect-error - readFileSync with encoding returns string
   const baseline = JSON.parse(fs.readFileSync(baselinePath, 'utf-8'));
+  // @ts-expect-error - readFileSync with encoding returns string
   const current = JSON.parse(fs.readFileSync(currentPath, 'utf-8'));
   
   return compareReplayDecisions(baseline, current);