npm - @veraxhq/verax - Versions diffs - 0.2.1 → 0.4.0 - Mend

@veraxhq/verax 0.2.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (213) hide show

package/README.md +10 -6
package/bin/verax.js +11 -11
package/package.json +29 -8
package/src/cli/commands/baseline.js +103 -0
package/src/cli/commands/default.js +51 -6
package/src/cli/commands/doctor.js +29 -0
package/src/cli/commands/ga.js +246 -0
package/src/cli/commands/gates.js +95 -0
package/src/cli/commands/inspect.js +4 -2
package/src/cli/commands/release-check.js +215 -0
package/src/cli/commands/run.js +45 -6
package/src/cli/commands/security-check.js +212 -0
package/src/cli/commands/truth.js +113 -0
package/src/cli/entry.js +30 -20
package/src/cli/util/angular-component-extractor.js +179 -0
package/src/cli/util/angular-navigation-detector.js +141 -0
package/src/cli/util/angular-network-detector.js +161 -0
package/src/cli/util/angular-state-detector.js +162 -0
package/src/cli/util/ast-interactive-detector.js +544 -0
package/src/cli/util/ast-network-detector.js +603 -0
package/src/cli/util/ast-promise-extractor.js +581 -0
package/src/cli/util/ast-usestate-detector.js +602 -0
package/src/cli/util/atomic-write.js +12 -1
package/src/cli/util/bootstrap-guard.js +86 -0
package/src/cli/util/console-reporter.js +72 -0
package/src/cli/util/detection-engine.js +105 -41
package/src/cli/util/determinism-runner.js +124 -0
package/src/cli/util/determinism-writer.js +129 -0
package/src/cli/util/digest-engine.js +359 -0
package/src/cli/util/dom-diff.js +226 -0
package/src/cli/util/evidence-engine.js +287 -0
package/src/cli/util/expectation-extractor.js +151 -5
package/src/cli/util/findings-writer.js +3 -0
package/src/cli/util/framework-detector.js +572 -0
package/src/cli/util/idgen.js +1 -1
package/src/cli/util/interaction-planner.js +529 -0
package/src/cli/util/learn-writer.js +2 -0
package/src/cli/util/ledger-writer.js +110 -0
package/src/cli/util/monorepo-resolver.js +162 -0
package/src/cli/util/observation-engine.js +127 -278
package/src/cli/util/observe-writer.js +2 -0
package/src/cli/util/project-discovery.js +284 -0
package/src/cli/util/project-writer.js +2 -0
package/src/cli/util/run-id.js +23 -27
package/src/cli/util/run-resolver.js +64 -0
package/src/cli/util/run-result.js +778 -0
package/src/cli/util/selector-resolver.js +235 -0
package/src/cli/util/source-requirement.js +55 -0
package/src/cli/util/summary-writer.js +2 -0
package/src/cli/util/svelte-navigation-detector.js +163 -0
package/src/cli/util/svelte-network-detector.js +80 -0
package/src/cli/util/svelte-sfc-extractor.js +146 -0
package/src/cli/util/svelte-state-detector.js +242 -0
package/src/cli/util/trust-activation-integration.js +496 -0
package/src/cli/util/trust-activation-wrapper.js +85 -0
package/src/cli/util/trust-integration-hooks.js +164 -0
package/src/cli/util/types.js +153 -0
package/src/cli/util/url-validation.js +40 -0
package/src/cli/util/vue-navigation-detector.js +178 -0
package/src/cli/util/vue-sfc-extractor.js +161 -0
package/src/cli/util/vue-state-detector.js +215 -0
package/src/types/fs-augment.d.ts +23 -0
package/src/types/global.d.ts +137 -0
package/src/types/internal-types.d.ts +35 -0
package/src/verax/cli/init.js +4 -18
package/src/verax/core/action-classifier.js +4 -3
package/src/verax/core/artifacts/registry.js +139 -0
package/src/verax/core/artifacts/verifier.js +990 -0
package/src/verax/core/baseline/baseline.enforcer.js +137 -0
package/src/verax/core/baseline/baseline.snapshot.js +233 -0
package/src/verax/core/capabilities/gates.js +505 -0
package/src/verax/core/capabilities/registry.js +475 -0
package/src/verax/core/confidence/confidence-compute.js +144 -0
package/src/verax/core/confidence/confidence-invariants.js +234 -0
package/src/verax/core/confidence/confidence-report-writer.js +112 -0
package/src/verax/core/confidence/confidence-weights.js +44 -0
package/src/verax/core/confidence/confidence.defaults.js +65 -0
package/src/verax/core/confidence/confidence.loader.js +80 -0
package/src/verax/core/confidence/confidence.schema.js +94 -0
package/src/verax/core/confidence-engine-refactor.js +489 -0
package/src/verax/core/confidence-engine.js +625 -0
package/src/verax/core/contracts/index.js +29 -0
package/src/verax/core/contracts/types.js +186 -0
package/src/verax/core/contracts/validators.js +456 -0
package/src/verax/core/decisions/decision.trace.js +278 -0
package/src/verax/core/determinism/contract-writer.js +89 -0
package/src/verax/core/determinism/contract.js +139 -0
package/src/verax/core/determinism/diff.js +405 -0
package/src/verax/core/determinism/engine.js +222 -0
package/src/verax/core/determinism/finding-identity.js +149 -0
package/src/verax/core/determinism/normalize.js +466 -0
package/src/verax/core/determinism/report-writer.js +93 -0
package/src/verax/core/determinism/run-fingerprint.js +123 -0
package/src/verax/core/dynamic-route-intelligence.js +529 -0
package/src/verax/core/evidence/evidence-capture-service.js +308 -0
package/src/verax/core/evidence/evidence-intent-ledger.js +166 -0
package/src/verax/core/evidence-builder.js +487 -0
package/src/verax/core/execution-mode-context.js +77 -0
package/src/verax/core/execution-mode-detector.js +192 -0
package/src/verax/core/failures/exit-codes.js +88 -0
package/src/verax/core/failures/failure-summary.js +76 -0
package/src/verax/core/failures/failure.factory.js +225 -0
package/src/verax/core/failures/failure.ledger.js +133 -0
package/src/verax/core/failures/failure.types.js +196 -0
package/src/verax/core/failures/index.js +10 -0
package/src/verax/core/ga/ga-report-writer.js +43 -0
package/src/verax/core/ga/ga.artifact.js +49 -0
package/src/verax/core/ga/ga.contract.js +435 -0
package/src/verax/core/ga/ga.enforcer.js +87 -0
package/src/verax/core/guardrails/guardrails-report-writer.js +109 -0
package/src/verax/core/guardrails/policy.defaults.js +210 -0
package/src/verax/core/guardrails/policy.loader.js +84 -0
package/src/verax/core/guardrails/policy.schema.js +110 -0
package/src/verax/core/guardrails/truth-reconciliation.js +136 -0
package/src/verax/core/guardrails-engine.js +505 -0
package/src/verax/core/incremental-store.js +1 -0
package/src/verax/core/integrity/budget.js +138 -0
package/src/verax/core/integrity/determinism.js +342 -0
package/src/verax/core/integrity/integrity.js +208 -0
package/src/verax/core/integrity/poisoning.js +108 -0
package/src/verax/core/integrity/transaction.js +140 -0
package/src/verax/core/observe/run-timeline.js +318 -0
package/src/verax/core/perf/perf.contract.js +186 -0
package/src/verax/core/perf/perf.display.js +65 -0
package/src/verax/core/perf/perf.enforcer.js +91 -0
package/src/verax/core/perf/perf.monitor.js +209 -0
package/src/verax/core/perf/perf.report.js +200 -0
package/src/verax/core/pipeline-tracker.js +243 -0
package/src/verax/core/product-definition.js +127 -0
package/src/verax/core/release/provenance.builder.js +130 -0
package/src/verax/core/release/release-report-writer.js +40 -0
package/src/verax/core/release/release.enforcer.js +164 -0
package/src/verax/core/release/reproducibility.check.js +222 -0
package/src/verax/core/release/sbom.builder.js +292 -0
package/src/verax/core/replay-validator.js +2 -0
package/src/verax/core/replay.js +4 -0
package/src/verax/core/report/cross-index.js +195 -0
package/src/verax/core/report/human-summary.js +362 -0
package/src/verax/core/route-intelligence.js +420 -0
package/src/verax/core/run-id.js +6 -3
package/src/verax/core/run-manifest.js +4 -3
package/src/verax/core/security/secrets.scan.js +329 -0
package/src/verax/core/security/security-report.js +50 -0
package/src/verax/core/security/security.enforcer.js +128 -0
package/src/verax/core/security/supplychain.defaults.json +38 -0
package/src/verax/core/security/supplychain.policy.js +334 -0
package/src/verax/core/security/vuln.scan.js +265 -0
package/src/verax/core/truth/truth.certificate.js +252 -0
package/src/verax/core/ui-feedback-intelligence.js +481 -0
package/src/verax/detect/conditional-ui-silent-failure.js +84 -0
package/src/verax/detect/confidence-engine.js +62 -34
package/src/verax/detect/confidence-helper.js +34 -0
package/src/verax/detect/dynamic-route-findings.js +338 -0
package/src/verax/detect/expectation-chain-detector.js +417 -0
package/src/verax/detect/expectation-model.js +2 -2
package/src/verax/detect/failure-cause-inference.js +293 -0
package/src/verax/detect/findings-writer.js +131 -35
package/src/verax/detect/flow-detector.js +2 -2
package/src/verax/detect/form-silent-failure.js +98 -0
package/src/verax/detect/index.js +46 -5
package/src/verax/detect/invariants-enforcer.js +147 -0
package/src/verax/detect/journey-stall-detector.js +558 -0
package/src/verax/detect/navigation-silent-failure.js +82 -0
package/src/verax/detect/problem-aggregator.js +361 -0
package/src/verax/detect/route-findings.js +219 -0
package/src/verax/detect/summary-writer.js +477 -0
package/src/verax/detect/test-failure-cause-inference.js +314 -0
package/src/verax/detect/ui-feedback-findings.js +207 -0
package/src/verax/detect/view-switch-correlator.js +242 -0
package/src/verax/flow/flow-engine.js +2 -1
package/src/verax/flow/flow-spec.js +0 -6
package/src/verax/index.js +4 -0
package/src/verax/intel/ts-program.js +1 -0
package/src/verax/intel/vue-navigation-extractor.js +3 -0
package/src/verax/learn/action-contract-extractor.js +3 -0
package/src/verax/learn/ast-contract-extractor.js +1 -1
package/src/verax/learn/flow-extractor.js +1 -0
package/src/verax/learn/project-detector.js +5 -0
package/src/verax/learn/react-router-extractor.js +2 -0
package/src/verax/learn/source-instrumenter.js +1 -0
package/src/verax/learn/state-extractor.js +2 -1
package/src/verax/learn/static-extractor.js +1 -0
package/src/verax/observe/coverage-gaps.js +132 -0
package/src/verax/observe/expectation-handler.js +126 -0
package/src/verax/observe/incremental-skip.js +46 -0
package/src/verax/observe/index.js +51 -155
package/src/verax/observe/interaction-executor.js +192 -0
package/src/verax/observe/interaction-runner.js +782 -513
package/src/verax/observe/network-firewall.js +86 -0
package/src/verax/observe/observation-builder.js +169 -0
package/src/verax/observe/observe-context.js +205 -0
package/src/verax/observe/observe-helpers.js +192 -0
package/src/verax/observe/observe-runner.js +230 -0
package/src/verax/observe/observers/budget-observer.js +185 -0
package/src/verax/observe/observers/console-observer.js +102 -0
package/src/verax/observe/observers/coverage-observer.js +107 -0
package/src/verax/observe/observers/interaction-observer.js +471 -0
package/src/verax/observe/observers/navigation-observer.js +132 -0
package/src/verax/observe/observers/network-observer.js +87 -0
package/src/verax/observe/observers/safety-observer.js +82 -0
package/src/verax/observe/observers/ui-feedback-observer.js +99 -0
package/src/verax/observe/page-traversal.js +138 -0
package/src/verax/observe/snapshot-ops.js +94 -0
package/src/verax/observe/ui-feedback-detector.js +742 -0
package/src/verax/scan-summary-writer.js +2 -0
package/src/verax/shared/artifact-manager.js +25 -5
package/src/verax/shared/caching.js +1 -0
package/src/verax/shared/css-spinner-rules.js +204 -0
package/src/verax/shared/expectation-tracker.js +1 -0
package/src/verax/shared/view-switch-rules.js +208 -0
package/src/verax/shared/zip-artifacts.js +6 -0
package/src/verax/shared/config-loader.js +0 -169
/package/src/verax/shared/{expectation-proof.js → expectation-validation.js} +0 -0

package/src/verax/observe/network-firewall.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * NETWORK SAFETY FIREWALL
+ *
+ * Handles network request interception and blocking:
+ * - Cross-origin blocking (unless --allow-cross-origin)
+ * - Read-only mode (blocks POST/PUT/PATCH/DELETE unconditionally)
+ * - Safety tracking via SilenceTracker
+ */
+/**
+ * Setup network interception firewall for safety mode
+ *
+ * @param {Object} page - Playwright page object
+ * @param {string} baseOrigin - Base origin URL for cross-origin checks
+ * @param {boolean} allowCrossOrigin - Whether to allow cross-origin requests
+ * @param {Object} silenceTracker - Silence tracker instance
+ * @returns {Promise<{blockedNetworkWrites: Array, blockedCrossOrigin: Array}>}
+ */
+export async function setupNetworkFirewall(page, baseOrigin, allowCrossOrigin, silenceTracker) {
+  const blockedNetworkWrites = [];
+  const blockedCrossOrigin = [];
+  await page.route('**/*', (route) => {
+    const request = route.request();
+    const method = request.method();
+    const requestUrl = request.url();
+    const resourceType = request.resourceType();
+    // Check cross-origin blocking (skip for file:// URLs)
+    if (!allowCrossOrigin && !requestUrl.startsWith('file://')) {
+      try {
+        const reqOrigin = new URL(requestUrl).origin;
+        if (reqOrigin !== baseOrigin) {
+          blockedCrossOrigin.push({
+            url: requestUrl,
+            origin: reqOrigin,
+            method,
+            resourceType,
+            timestamp: Date.now()
+          });
+          silenceTracker.record({
+            scope: 'safety',
+            reason: 'cross_origin_blocked',
+            description: `Cross-origin request blocked: ${method} ${requestUrl}`,
+            context: { url: requestUrl, origin: reqOrigin, method, baseOrigin },
+            impact: 'request_blocked'
+          });
+          return route.abort('blockedbyclient');
+        }
+      } catch (e) {
+        // Invalid URL, allow and let browser handle
+      }
+    }
+    // CONSTITUTIONAL: Block all write methods (read-only mode enforced)
+    if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+      // Check if it's a GraphQL mutation (best-effort)
+      const isGraphQLMutation = requestUrl.includes('/graphql') && method === 'POST';
+      blockedNetworkWrites.push({
+        url: requestUrl,
+        method,
+        resourceType,
+        isGraphQLMutation,
+        timestamp: Date.now()
+      });
+      silenceTracker.record({
+        scope: 'safety',
+        reason: 'blocked_network_write',
+        description: `Network write blocked: ${method} ${requestUrl}${isGraphQLMutation ? ' (GraphQL mutation)' : ''}`,
+        context: { url: requestUrl, method, resourceType, isGraphQLMutation },
+        impact: 'write_blocked'
+      });
+      return route.abort('blockedbyclient');
+    }
+    // Allow request
+    route.continue();
+  });
+  return { blockedNetworkWrites, blockedCrossOrigin };
+}

package/src/verax/observe/observation-builder.js ADDED Viewed

@@ -0,0 +1,169 @@
+/**
+ * OBSERVATION BUILDER
+ *
+ * Constructs observation object from traces, calculates coverage, and generates warnings.
+ */
+/**
+ * Build observation object from collected traces
+ *
+ * @param {Array} traces - Array of interaction traces
+ * @param {Array} coverage - Coverage information
+ * @param {Array} warnings - Warning messages
+ * @param {Object} safetyStats - Safety mode statistics
+ * @returns {Object}
+ */
+export function buildObservation(traces, coverage, warnings, safetyStats) {
+  const observation = {
+    timestamp: new Date().toISOString(),
+    traces: traces,
+    coverage: coverage || [],
+    warnings: warnings || [],
+    safetyStats: safetyStats || {}
+  };
+  return observation;
+}
+/**
+ * Calculate coverage gaps from traces
+ *
+ * @param {Array} traces - Array of interaction traces
+ * @param {Array} discoveredInteractions - All interactions discovered during scan
+ * @returns {Array}
+ */
+export function calculateCoverageGaps(traces, discoveredInteractions) {
+  if (!discoveredInteractions || discoveredInteractions.length === 0) {
+    return [];
+  }
+  const executedSelectors = new Set(
+    traces
+      .filter(t => t.interaction && t.interaction.selector)
+      .map(t => t.interaction.selector)
+  );
+  const gaps = discoveredInteractions
+    .filter(interaction => !executedSelectors.has(interaction.selector))
+    .map(interaction => ({
+      selector: interaction.selector,
+      type: interaction.type,
+      reason: 'budget_exhausted_or_skipped'
+    }));
+  return gaps;
+}
+/**
+ * Generate warnings from observation data
+ *
+ * @param {Object} frontier - Page frontier
+ * @param {Array} coverage - Coverage data
+ * @param {Object} safetyStats - Safety statistics
+ * @returns {Array}
+ */
+export function generateWarnings(frontier, coverage, safetyStats) {
+  const warnings = [];
+  // Warn if frontier has unexplored pages
+  if (frontier && frontier.queue && frontier.queue.length > 0) {
+    warnings.push({
+      type: 'unexplored_pages',
+      count: frontier.queue.length,
+      message: `${frontier.queue.length} pages in queue were not explored due to budget constraints`
+    });
+  }
+  // Warn if safety mode blocked actions
+  if (safetyStats && safetyStats.blockedNetworkWrites > 0) {
+    warnings.push({
+      type: 'safety_mode_active',
+      blockedWrites: safetyStats.blockedNetworkWrites,
+      message: `Safety mode prevented ${safetyStats.blockedNetworkWrites} write operations`
+    });
+  }
+  if (safetyStats && safetyStats.blockedCrossOrigin > 0) {
+    warnings.push({
+      type: 'cross_origin_blocked',
+      count: safetyStats.blockedCrossOrigin,
+      message: `${safetyStats.blockedCrossOrigin} cross-origin requests were blocked`
+    });
+  }
+  return warnings;
+}
+/**
+ * Build safety statistics object
+ *
+ * @param {number} blockedNetworkWrites - Number of blocked write operations
+ * @param {number} blockedCrossOrigin - Number of blocked cross-origin requests
+ * @param {Array} skippedInteractions - Interactions that were skipped
+ * @returns {Object}
+ */
+export function buildSafetyStatistics(blockedNetworkWrites, blockedCrossOrigin, skippedInteractions) {
+  return {
+    safetyModeEnabled: true,
+    blockedNetworkWrites: blockedNetworkWrites || 0,
+    blockedCrossOrigin: blockedCrossOrigin || 0,
+    skippedInteractions: skippedInteractions ? skippedInteractions.length : 0,
+    skippedReasons: skippedInteractions ? countSkipReasons(skippedInteractions) : {}
+  };
+}
+/**
+ * Count reasons for skipped interactions
+ *
+ * @param {Array} skippedInteractions - Skipped interactions
+ * @returns {Object}
+ */
+function countSkipReasons(skippedInteractions) {
+  const reasons = {};
+  for (const skip of skippedInteractions) {
+    const reason = skip.reason || 'unknown';
+    reasons[reason] = (reasons[reason] || 0) + 1;
+  }
+  return reasons;
+}
+/**
+ * Extract observedExpectations from traces
+ *
+ * @param {Array} traces - Array of interaction traces
+ * @returns {Array}
+ */
+export function extractObservedExpectations(traces) {
+  const expectations = [];
+  for (const trace of traces) {
+    if (trace.observedExpectation) {
+      expectations.push({
+        ...trace.observedExpectation,
+        traceId: trace.id,
+        executionTimestamp: trace.timestamp
+      });
+    }
+  }
+  return expectations;
+}
+/**
+ * Build skipped interactions summary
+ *
+ * @param {Array} interactions - Skipped interactions
+ * @returns {Array}
+ */
+export function buildSkippedInteractionsSummary(interactions) {
+  if (!interactions || interactions.length === 0) {
+    return [];
+  }
+  return interactions.map(skip => ({
+    selector: skip.selector,
+    type: skip.type,
+    reason: skip.reason,
+    element: skip.element
+  }));
+}

package/src/verax/observe/observe-context.js ADDED Viewed

@@ -0,0 +1,205 @@
+/**
+ * PHASE 21.3 — Observe Context Contract
+ *
+ * HARD CONTRACT: Defines the interface between observe-runner and observers
+ *
+ * RULES:
+ * - Observers MUST only access fields defined in this contract
+ * - Observers MUST NOT import from outside observe/*
+ * - Observers MUST NOT read files
+ * - Observers MUST NOT write artifacts directly
+ * - Observers MUST NOT mutate global state
+ * - Observers MUST propagate all errors (no silent catches)
+ *
+ * Runtime invariant checks enforce these rules.
+ */
+/**
+ * ObserveContext — The context passed to all observers
+ *
+ * @typedef {Object} ObserveContext
+ * @property {import('playwright').Page} page - Playwright page instance
+ * @property {string} baseOrigin - Base origin for same-origin checks
+ * @property {Object} scanBudget - Scan budget configuration
+ * @property {number} startTime - Start time of the scan (timestamp)
+ * @property {Object} frontier - PageFrontier instance
+ * @property {Object|null} manifest - Manifest object (if available)
+ * @property {Object|null} expectationResults - Expectation execution results
+ * @property {boolean} incrementalMode - Whether incremental mode is enabled
+ * @property {Object|null} oldSnapshot - Previous snapshot (if available)
+ * @property {Object|null} snapshotDiff - Snapshot diff (if available)
+ * @property {string} currentUrl - Current page URL
+ * @property {string} screenshotsDir - Directory for screenshots
+ * @property {number} timestamp - Timestamp for this observation
+ * @property {Object} decisionRecorder - DecisionRecorder instance
+ * @property {Object} silenceTracker - SilenceTracker instance
+ * @property {Object} safetyFlags - Safety flags { allowWrites, allowRiskyActions, allowCrossOrigin }
+ * @property {Object} routeBudget - Route-specific budget (computed)
+ */
+/**
+ * RunState — Mutable state passed between observers
+ *
+ * @typedef {Object} RunState
+ * @property {Array} traces - Array of interaction traces
+ * @property {Array} skippedInteractions - Array of skipped interactions
+ * @property {Array} observedExpectations - Array of observed expectations
+ * @property {number} totalInteractionsDiscovered - Total interactions discovered
+ * @property {number} totalInteractionsExecuted - Total interactions executed
+ * @property {Array} remainingInteractionsGaps - Remaining interaction gaps
+ * @property {boolean} navigatedToNewPage - Whether navigation occurred
+ * @property {string|null} navigatedPageUrl - URL of navigated page (if any)
+ */
+/**
+ * Observation — Result returned by an observer
+ *
+ * @typedef {Object} Observation
+ * @property {string} type - Type of observation (e.g., 'network_idle', 'console_error', 'ui_feedback')
+ * @property {string} scope - Scope of observation (e.g., 'page', 'interaction', 'navigation')
+ * @property {Object} data - Observation data
+ * @property {number} timestamp - Timestamp of observation
+ * @property {string} [url] - URL where observation occurred
+ */
+/**
+ * Forbidden imports that observers MUST NOT use
+ */
+const _FORBIDDEN_IMPORTS = [
+  'fs',
+  'path',
+  '../core/determinism/report-writer',
+  '../core/scan-summary-writer',
+  './traces-writer',
+  './expectation-executor'
+];
+/**
+ * Forbidden context fields that observers MUST NOT access
+ */
+const FORBIDDEN_CONTEXT_FIELDS = [
+  'projectDir',
+  'runId',
+  'writeFileSync',
+  'readFileSync',
+  'mkdirSync'
+];
+/**
+ * Validate that an observer result is a valid Observation
+ *
+ * @param {Object} observation - Observation to validate
+ * @param {string} observerName - Name of observer for error messages
+ * @throws {Error} If observation is invalid
+ */
+export function validateObservation(observation, observerName) {
+  if (!observation) {
+    throw new Error(`${observerName}: Observer returned null/undefined observation`);
+  }
+  if (typeof observation !== 'object') {
+    throw new Error(`${observerName}: Observer returned non-object observation: ${typeof observation}`);
+  }
+  if (!observation.type || typeof observation.type !== 'string') {
+    throw new Error(`${observerName}: Observation missing or invalid 'type' field`);
+  }
+  if (!observation.scope || typeof observation.scope !== 'string') {
+    throw new Error(`${observerName}: Observation missing or invalid 'scope' field`);
+  }
+  if (!observation.data || typeof observation.data !== 'object') {
+    throw new Error(`${observerName}: Observation missing or invalid 'data' field`);
+  }
+  if (typeof observation.timestamp !== 'number') {
+    throw new Error(`${observerName}: Observation missing or invalid 'timestamp' field`);
+  }
+}
+/**
+ * Validate that context contains only allowed fields
+ *
+ * @param {Object} context - Context to validate
+ * @throws {Error} If context contains forbidden fields
+ */
+export function validateContext(context) {
+  for (const field of FORBIDDEN_CONTEXT_FIELDS) {
+    if (field in context) {
+      throw new Error(`ObserveContext contains forbidden field: ${field}. Observers must not access file I/O or project directories.`);
+    }
+  }
+}
+/**
+ * Create a safe context for observers (removes forbidden fields)
+ *
+ * @param {Object} rawContext - Raw context from observe-runner
+ * @returns {ObserveContext} Safe context for observers
+ */
+export function createObserveContext(rawContext) {
+  const {
+    page,
+    baseOrigin,
+    scanBudget,
+    startTime,
+    frontier,
+    manifest,
+    expectationResults,
+    incrementalMode,
+    oldSnapshot,
+    snapshotDiff,
+    currentUrl,
+    screenshotsDir,
+    timestamp,
+    decisionRecorder,
+    silenceTracker,
+    safetyFlags,
+    routeBudget
+  } = rawContext;
+  return {
+    page,
+    baseOrigin,
+    scanBudget,
+    startTime,
+    frontier,
+    manifest,
+    expectationResults,
+    incrementalMode,
+    oldSnapshot,
+    snapshotDiff,
+    currentUrl,
+    screenshotsDir,
+    timestamp,
+    decisionRecorder,
+    silenceTracker,
+    safetyFlags: safetyFlags || { allowWrites: false, allowRiskyActions: false, allowCrossOrigin: false },
+    routeBudget
+  };
+}
+/**
+ * Observer execution order (FIXED - must not change)
+ *
+ * This order is critical for determinism and correctness.
+ */
+export const OBSERVER_ORDER = [
+  'navigation-observer',  // 1. Navigation decisions first
+  'budget-observer',      // 2. Budget checks before interactions
+  'interaction-observer', // 3. Interaction discovery and execution
+  'network-observer',     // 4. Network state observation
+  'ui-feedback-observer', // 5. UI state observation
+  'console-observer',     // 6. Console error observation
+  'coverage-observer'     // 7. Coverage gap tracking
+];
+/**
+ * Get observer execution order
+ *
+ * @returns {Array<string>} Ordered list of observer names
+ */
+export function getObserverOrder() {
+  return [...OBSERVER_ORDER];
+}

package/src/verax/observe/observe-helpers.js ADDED Viewed

@@ -0,0 +1,192 @@
+/**
+ * PHASE 21.3 — Observe Helpers
+ *
+ * Helper functions extracted from observe/index.js to keep it slim
+ */
+import { resolve } from 'path';
+import { mkdirSync, writeFileSync } from 'fs';
+import { writeTraces } from './traces-writer.js';
+/**
+ * Setup manifest and expectations
+ */
+export async function setupManifestAndExpectations(manifestPath, projectDir, page, url, screenshotsDir, scanBudget, startTime, silenceTracker) {
+  const { readFileSync, existsSync } = await import('fs');
+  const { loadPreviousSnapshot, saveSnapshot: _saveSnapshot, buildSnapshot, compareSnapshots } = await import('../core/incremental-store.js');
+  const { executeProvenExpectations } = await import('./expectation-executor.js');
+  const { isProvenExpectation } = await import('../shared/expectation-prover.js');
+  let manifest = null;
+  let expectationResults = null;
+  let expectationCoverageGaps = [];
+  let incrementalMode = false;
+  let snapshotDiff = null;
+  let oldSnapshot = null;
+  if (manifestPath && existsSync(manifestPath)) {
+    try {
+      const manifestContent = readFileSync(manifestPath, 'utf-8');
+  // @ts-expect-error - readFileSync with encoding returns string
+      manifest = JSON.parse(manifestContent);
+      oldSnapshot = loadPreviousSnapshot(projectDir);
+      if (oldSnapshot) {
+        const currentSnapshot = buildSnapshot(manifest, []);
+        snapshotDiff = compareSnapshots(oldSnapshot, currentSnapshot);
+        incrementalMode = !snapshotDiff.hasChanges;
+      }
+      const provenCount = (manifest.staticExpectations || []).filter(exp => isProvenExpectation(exp)).length;
+      if (provenCount > 0) {
+        expectationResults = await executeProvenExpectations(page, manifest, url, screenshotsDir, scanBudget, startTime, projectDir);
+        expectationCoverageGaps = expectationResults.coverageGaps || [];
+      }
+    } catch (err) {
+      silenceTracker.record({
+        scope: 'discovery',
+        reason: 'discovery_error',
+        description: 'Manifest load or expectation execution failed',
+        context: { error: err?.message },
+        impact: 'incomplete_check'
+      });
+    }
+  }
+  return { manifest, expectationResults, expectationCoverageGaps, incrementalMode, snapshotDiff, oldSnapshot };
+}
+/**
+ * Process traversal results and build observation
+ */
+export async function processTraversalResults(traversalResult, expectationResults, expectationCoverageGaps, remainingInteractionsGaps, frontier, scanBudget, page, url, finalTraces, finalSkippedInteractions, finalObservedExpectations, silenceTracker, manifest, incrementalMode, snapshotDiff, projectDir, runId) {
+  // Combine all coverage gaps
+  const allCoverageGaps = [...expectationCoverageGaps];
+  if (remainingInteractionsGaps.length > 0) {
+    allCoverageGaps.push(...remainingInteractionsGaps.map(gap => ({
+      expectationId: null,
+      type: gap.interaction.type,
+      reason: gap.reason,
+      fromPath: gap.url,
+      source: null,
+      evidence: { interaction: gap.interaction }
+    })));
+  }
+  if (frontier.frontierCapped) {
+    allCoverageGaps.push({
+      expectationId: null,
+      type: 'navigation',
+      reason: 'frontier_capped',
+      fromPath: page.url(),
+      source: null,
+      evidence: { message: `Frontier capped at ${scanBudget.maxUniqueUrls || 'unlimited'} unique URLs` }
+    });
+  }
+  // Build coverage object
+  const coverage = {
+    candidatesDiscovered: traversalResult.totalInteractionsDiscovered,
+    candidatesSelected: traversalResult.totalInteractionsExecuted,
+    cap: scanBudget.maxTotalInteractions,
+    capped: traversalResult.totalInteractionsExecuted >= scanBudget.maxTotalInteractions || remainingInteractionsGaps.length > 0,
+    pagesVisited: frontier.pagesVisited,
+    pagesDiscovered: frontier.pagesDiscovered,
+    skippedInteractions: finalSkippedInteractions.length,
+    interactionsDiscovered: traversalResult.totalInteractionsDiscovered,
+    interactionsExecuted: traversalResult.totalInteractionsExecuted
+  };
+  // Build warnings
+  const observeWarnings = [];
+  if (coverage.capped) {
+    observeWarnings.push({
+      code: 'INTERACTIONS_CAPPED',
+      message: `Interaction execution capped. Visited ${coverage.pagesVisited} pages, discovered ${coverage.pagesDiscovered}, executed ${coverage.candidatesSelected} of ${coverage.candidatesDiscovered} interactions. Coverage incomplete.`
+    });
+  }
+  if (finalSkippedInteractions.length > 0) {
+    observeWarnings.push({
+      code: 'INTERACTIONS_SKIPPED',
+      message: `Skipped ${finalSkippedInteractions.length} dangerous interactions`,
+      details: finalSkippedInteractions
+    });
+  }
+  // Append expectation traces
+  if (expectationResults?.results) {
+    for (const result of expectationResults.results) {
+      if (result.trace) {
+        result.trace.expectationDriven = true;
+        result.trace.expectationId = result.expectationId;
+        result.trace.expectationOutcome = result.outcome;
+        finalTraces.push(result.trace);
+      }
+    }
+  }
+  // Write traces
+  const observation = writeTraces(projectDir, url, finalTraces, coverage, observeWarnings, finalObservedExpectations, silenceTracker, runId);
+  observation.silences = silenceTracker.getDetailedSummary();
+  // Add expectation execution results
+  if (expectationResults) {
+    observation.expectationExecution = {
+      totalProvenExpectations: expectationResults.totalProvenExpectations,
+      executedCount: expectationResults.executedCount,
+      coverageGapsCount: allCoverageGaps.length,
+      results: expectationResults.results.map(r => ({
+        expectationId: r.expectationId,
+        type: r.type,
+        fromPath: r.fromPath,
+        outcome: r.outcome,
+        reason: r.reason
+      }))
+    };
+    observation.expectationCoverageGaps = allCoverageGaps;
+  }
+  // Add incremental mode metadata
+  if (manifest) {
+    const { buildSnapshot, saveSnapshot } = await import('../core/incremental-store.js');
+    const observedInteractions = finalTraces
+      .filter(t => t.interaction && !t.incremental)
+      .map(t => ({
+        type: t.interaction?.type,
+        selector: t.interaction?.selector,
+        url: t.before?.url || url
+      }));
+    const currentSnapshot = buildSnapshot(manifest, observedInteractions);
+    saveSnapshot(projectDir, currentSnapshot, runId);
+    observation.incremental = {
+      enabled: incrementalMode,
+      snapshotDiff: snapshotDiff,
+      skippedInteractionsCount: finalSkippedInteractions.filter(s => s.reason === 'incremental_unchanged').length
+    };
+  }
+  return observation;
+}
+/**
+ * Write determinism artifacts
+ */
+export async function writeDeterminismArtifacts(projectDir, runId, decisionRecorder) {
+  // PHASE 25: Write determinism contract
+  const { writeDeterminismContract } = await import('../core/determinism/contract-writer.js');
+  const { getRunArtifactDir } = await import('../core/run-id.js');
+  const runDir = getRunArtifactDir(projectDir, runId);
+  writeDeterminismContract(runDir, decisionRecorder);
+  if (!runId || !projectDir) return;
+  const runsDir = resolve(projectDir, '.verax', 'runs', runId);
+  mkdirSync(runsDir, { recursive: true });
+  const decisionsPath = resolve(runsDir, 'decisions.json');
+  writeFileSync(decisionsPath, JSON.stringify(decisionRecorder.export(), null, 2), 'utf-8');
+  const { writeDeterminismReport } = await import('../core/determinism/report-writer.js');
+  writeDeterminismReport(runsDir, decisionRecorder);
+}