npm - @veraxhq/verax - Versions diffs - 0.3.0 → 0.4.0 - Mend

@veraxhq/verax 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (191) hide show

package/README.md +28 -20
package/bin/verax.js +11 -18
package/package.json +28 -7
package/src/cli/commands/baseline.js +1 -2
package/src/cli/commands/default.js +72 -81
package/src/cli/commands/doctor.js +29 -0
package/src/cli/commands/ga.js +3 -0
package/src/cli/commands/gates.js +1 -1
package/src/cli/commands/inspect.js +6 -133
package/src/cli/commands/release-check.js +2 -0
package/src/cli/commands/run.js +74 -246
package/src/cli/commands/security-check.js +2 -1
package/src/cli/commands/truth.js +0 -1
package/src/cli/entry.js +82 -309
package/src/cli/util/angular-component-extractor.js +2 -2
package/src/cli/util/angular-navigation-detector.js +2 -2
package/src/cli/util/ast-interactive-detector.js +4 -6
package/src/cli/util/ast-network-detector.js +3 -3
package/src/cli/util/ast-promise-extractor.js +581 -0
package/src/cli/util/ast-usestate-detector.js +3 -3
package/src/cli/util/atomic-write.js +12 -1
package/src/cli/util/console-reporter.js +72 -0
package/src/cli/util/detection-engine.js +105 -41
package/src/cli/util/determinism-runner.js +2 -1
package/src/cli/util/determinism-writer.js +1 -1
package/src/cli/util/digest-engine.js +359 -0
package/src/cli/util/dom-diff.js +226 -0
package/src/cli/util/env-url.js +0 -4
package/src/cli/util/evidence-engine.js +287 -0
package/src/cli/util/expectation-extractor.js +217 -367
package/src/cli/util/findings-writer.js +19 -126
package/src/cli/util/framework-detector.js +572 -0
package/src/cli/util/idgen.js +1 -1
package/src/cli/util/interaction-planner.js +529 -0
package/src/cli/util/learn-writer.js +2 -2
package/src/cli/util/ledger-writer.js +110 -0
package/src/cli/util/monorepo-resolver.js +162 -0
package/src/cli/util/observation-engine.js +127 -278
package/src/cli/util/observe-writer.js +2 -2
package/src/cli/util/paths.js +12 -3
package/src/cli/util/project-discovery.js +284 -3
package/src/cli/util/project-writer.js +2 -2
package/src/cli/util/run-id.js +23 -27
package/src/cli/util/run-result.js +778 -0
package/src/cli/util/selector-resolver.js +235 -0
package/src/cli/util/summary-writer.js +2 -1
package/src/cli/util/svelte-navigation-detector.js +3 -3
package/src/cli/util/svelte-sfc-extractor.js +0 -1
package/src/cli/util/svelte-state-detector.js +1 -2
package/src/cli/util/trust-activation-integration.js +496 -0
package/src/cli/util/trust-activation-wrapper.js +85 -0
package/src/cli/util/trust-integration-hooks.js +164 -0
package/src/cli/util/types.js +153 -0
package/src/cli/util/url-validation.js +40 -0
package/src/cli/util/vue-navigation-detector.js +4 -3
package/src/cli/util/vue-sfc-extractor.js +1 -2
package/src/cli/util/vue-state-detector.js +1 -1
package/src/types/fs-augment.d.ts +23 -0
package/src/types/global.d.ts +137 -0
package/src/types/internal-types.d.ts +35 -0
package/src/verax/cli/finding-explainer.js +3 -56
package/src/verax/cli/init.js +4 -18
package/src/verax/core/action-classifier.js +4 -3
package/src/verax/core/artifacts/registry.js +0 -15
package/src/verax/core/artifacts/verifier.js +18 -8
package/src/verax/core/baseline/baseline.snapshot.js +2 -0
package/src/verax/core/capabilities/gates.js +7 -1
package/src/verax/core/confidence/confidence-compute.js +14 -7
package/src/verax/core/confidence/confidence.loader.js +1 -0
package/src/verax/core/confidence-engine-refactor.js +8 -3
package/src/verax/core/confidence-engine.js +162 -23
package/src/verax/core/contracts/types.js +1 -0
package/src/verax/core/contracts/validators.js +79 -4
package/src/verax/core/decision-snapshot.js +3 -30
package/src/verax/core/decisions/decision.trace.js +2 -0
package/src/verax/core/determinism/contract-writer.js +2 -2
package/src/verax/core/determinism/contract.js +1 -1
package/src/verax/core/determinism/diff.js +42 -1
package/src/verax/core/determinism/engine.js +7 -6
package/src/verax/core/determinism/finding-identity.js +3 -2
package/src/verax/core/determinism/normalize.js +32 -4
package/src/verax/core/determinism/report-writer.js +1 -0
package/src/verax/core/determinism/run-fingerprint.js +7 -2
package/src/verax/core/dynamic-route-intelligence.js +8 -7
package/src/verax/core/evidence/evidence-capture-service.js +1 -0
package/src/verax/core/evidence/evidence-intent-ledger.js +2 -1
package/src/verax/core/evidence-builder.js +2 -2
package/src/verax/core/execution-mode-context.js +1 -1
package/src/verax/core/execution-mode-detector.js +5 -3
package/src/verax/core/failures/exit-codes.js +39 -37
package/src/verax/core/failures/failure-summary.js +1 -1
package/src/verax/core/failures/failure.factory.js +3 -3
package/src/verax/core/failures/failure.ledger.js +3 -2
package/src/verax/core/ga/ga.artifact.js +1 -1
package/src/verax/core/ga/ga.contract.js +3 -2
package/src/verax/core/ga/ga.enforcer.js +1 -0
package/src/verax/core/guardrails/policy.loader.js +1 -0
package/src/verax/core/guardrails/truth-reconciliation.js +1 -1
package/src/verax/core/guardrails-engine.js +2 -2
package/src/verax/core/incremental-store.js +1 -0
package/src/verax/core/integrity/budget.js +138 -0
package/src/verax/core/integrity/determinism.js +342 -0
package/src/verax/core/integrity/integrity.js +208 -0
package/src/verax/core/integrity/poisoning.js +108 -0
package/src/verax/core/integrity/transaction.js +140 -0
package/src/verax/core/observe/run-timeline.js +2 -0
package/src/verax/core/perf/perf.report.js +2 -0
package/src/verax/core/pipeline-tracker.js +5 -0
package/src/verax/core/release/provenance.builder.js +73 -214
package/src/verax/core/release/release.enforcer.js +14 -9
package/src/verax/core/release/reproducibility.check.js +1 -0
package/src/verax/core/release/sbom.builder.js +32 -23
package/src/verax/core/replay-validator.js +2 -0
package/src/verax/core/replay.js +4 -0
package/src/verax/core/report/cross-index.js +6 -3
package/src/verax/core/report/human-summary.js +141 -1
package/src/verax/core/route-intelligence.js +4 -3
package/src/verax/core/run-id.js +6 -3
package/src/verax/core/run-manifest.js +4 -3
package/src/verax/core/security/secrets.scan.js +10 -7
package/src/verax/core/security/security.enforcer.js +4 -0
package/src/verax/core/security/supplychain.policy.js +9 -1
package/src/verax/core/security/vuln.scan.js +2 -2
package/src/verax/core/truth/truth.certificate.js +3 -1
package/src/verax/core/ui-feedback-intelligence.js +12 -46
package/src/verax/detect/conditional-ui-silent-failure.js +84 -0
package/src/verax/detect/confidence-engine.js +100 -660
package/src/verax/detect/confidence-helper.js +1 -0
package/src/verax/detect/detection-engine.js +1 -18
package/src/verax/detect/dynamic-route-findings.js +17 -14
package/src/verax/detect/expectation-chain-detector.js +1 -1
package/src/verax/detect/expectation-model.js +3 -5
package/src/verax/detect/failure-cause-inference.js +293 -0
package/src/verax/detect/findings-writer.js +126 -166
package/src/verax/detect/flow-detector.js +2 -2
package/src/verax/detect/form-silent-failure.js +98 -0
package/src/verax/detect/index.js +51 -234
package/src/verax/detect/invariants-enforcer.js +147 -0
package/src/verax/detect/journey-stall-detector.js +4 -4
package/src/verax/detect/navigation-silent-failure.js +82 -0
package/src/verax/detect/problem-aggregator.js +361 -0
package/src/verax/detect/route-findings.js +7 -6
package/src/verax/detect/summary-writer.js +477 -0
package/src/verax/detect/test-failure-cause-inference.js +314 -0
package/src/verax/detect/ui-feedback-findings.js +18 -18
package/src/verax/detect/verdict-engine.js +3 -57
package/src/verax/detect/view-switch-correlator.js +2 -2
package/src/verax/flow/flow-engine.js +2 -1
package/src/verax/flow/flow-spec.js +0 -6
package/src/verax/index.js +48 -412
package/src/verax/intel/ts-program.js +1 -0
package/src/verax/intel/vue-navigation-extractor.js +3 -0
package/src/verax/learn/action-contract-extractor.js +67 -682
package/src/verax/learn/ast-contract-extractor.js +1 -1
package/src/verax/learn/flow-extractor.js +1 -0
package/src/verax/learn/project-detector.js +5 -0
package/src/verax/learn/react-router-extractor.js +2 -0
package/src/verax/learn/route-validator.js +1 -4
package/src/verax/learn/source-instrumenter.js +1 -0
package/src/verax/learn/state-extractor.js +2 -1
package/src/verax/learn/static-extractor.js +1 -0
package/src/verax/observe/coverage-gaps.js +132 -0
package/src/verax/observe/expectation-handler.js +126 -0
package/src/verax/observe/incremental-skip.js +46 -0
package/src/verax/observe/index.js +735 -84
package/src/verax/observe/interaction-executor.js +192 -0
package/src/verax/observe/interaction-runner.js +782 -530
package/src/verax/observe/network-firewall.js +86 -0
package/src/verax/observe/observation-builder.js +169 -0
package/src/verax/observe/observe-context.js +1 -1
package/src/verax/observe/observe-helpers.js +2 -1
package/src/verax/observe/observe-runner.js +28 -24
package/src/verax/observe/observers/budget-observer.js +3 -3
package/src/verax/observe/observers/console-observer.js +4 -4
package/src/verax/observe/observers/coverage-observer.js +4 -4
package/src/verax/observe/observers/interaction-observer.js +3 -3
package/src/verax/observe/observers/navigation-observer.js +4 -4
package/src/verax/observe/observers/network-observer.js +4 -4
package/src/verax/observe/observers/safety-observer.js +1 -1
package/src/verax/observe/observers/ui-feedback-observer.js +4 -4
package/src/verax/observe/page-traversal.js +138 -0
package/src/verax/observe/snapshot-ops.js +94 -0
package/src/verax/observe/ui-signal-sensor.js +2 -148
package/src/verax/scan-summary-writer.js +10 -42
package/src/verax/shared/artifact-manager.js +30 -13
package/src/verax/shared/caching.js +1 -0
package/src/verax/shared/expectation-tracker.js +1 -0
package/src/verax/shared/zip-artifacts.js +6 -0
package/src/verax/core/confidence-engine.js.backup +0 -471
package/src/verax/shared/config-loader.js +0 -169
/package/src/verax/shared/{expectation-proof.js → expectation-validation.js} +0 -0

package/src/verax/cli/init.js CHANGED Viewed

@@ -6,7 +6,6 @@
 import { existsSync, writeFileSync, mkdirSync } from 'fs';
 import { resolve } from 'path';
-import { getDefaultConfig } from '../shared/config-loader.js';
 /**
  * Initialize VERAX configuration
@@ -27,16 +26,8 @@ export async function runInit(options = {}) {
   // Create .verax directory if needed
   const veraxDir = resolve(projectRoot, '.verax');
   mkdirSync(veraxDir, { recursive: true });
-  // Create config.json
-  const configPath = resolve(veraxDir, 'config.json');
-  if (existsSync(configPath) && !yes) {
-    skipped.push('config.json');
-  } else {
-    const defaultConfig = getDefaultConfig();
-    writeFileSync(configPath, JSON.stringify(defaultConfig, null, 2) + '\n');
-    created.push('config.json');
-  }
+  // Zero-config enforcement: do not scaffold config files
   // Create CI template if requested
   if (ciTemplate === 'github') {
@@ -75,7 +66,7 @@ jobs:
       - name: Start fixture server
         id: fixture-server
         run: |
-          node test/helpers/fixture-server.js &
+          node test/infrastructure/fixture-server.js &
           SERVER_PID=$!
           echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
           sleep 3
@@ -211,12 +202,7 @@ export function printInitResults(results) {
     });
   }
-  if (results.created.includes('config.json')) {
-    console.error('\n📝 Next Steps:');
-    console.error('  1. Review .verax/config.json and adjust settings');
-    console.error('  2. Run: verax doctor (to verify setup)');
-    console.error('  3. Run: verax run --url <your-url>');
-  }
+  // No config scaffolding in zero-config mode
   if (results.created.includes('.github/workflows/verax-ci.yml')) {
     console.error('\n🔧 CI Setup:');

package/src/verax/core/action-classifier.js CHANGED Viewed

@@ -67,18 +67,19 @@ export function classifyAction(interaction) {
 /**
  * Check if action should be blocked based on safety mode and flags
  * @param {Object} interaction - Interaction to check
- * @param {Object} flags - Safety flags { allowWrites: boolean, allowRiskyActions: boolean }
+ * @param {Object} flags - Safety flags { allowRiskyActions: boolean }
  * @returns {Object} { shouldBlock: boolean, classification: string, reason: string }
  */
 export function shouldBlockAction(interaction, flags = {}) {
-  const { allowWrites = false, allowRiskyActions = false } = flags;
+  const { allowRiskyActions = false } = flags;
   const { classification, reason } = classifyAction(interaction);
   if (classification === 'RISKY' && !allowRiskyActions) {
     return { shouldBlock: true, classification, reason };
   }
-  if (classification === 'WRITE_INTENT' && !allowWrites) {
+  // CONSTITUTIONAL: Always block write intents (read-only mode enforced)
+  if (classification === 'WRITE_INTENT') {
     return { shouldBlock: true, classification, reason };
   }

package/src/verax/core/artifacts/registry.js CHANGED Viewed

@@ -105,20 +105,6 @@ export const ARTIFACT_REGISTRY = {
     stage: 'observe',
     contractVersion: 1,
     type: 'file'
-  },
-  determinismReport: {
-    key: 'determinismReport',
-    filename: 'determinism.report.json',
-    stage: 'verify',
-    contractVersion: 1,
-    type: 'file'
-  },
-  runMeta: {
-    key: 'runMeta',
-    filename: 'run.meta.json',
-    stage: 'learn',
-    contractVersion: 1,
-    type: 'file'
   }
 };
@@ -148,7 +134,6 @@ export function buildRunArtifactPaths(baseDir) {
     confidenceReportJson: join(baseDir, ARTIFACT_REGISTRY.confidenceReport.filename),
     determinismContractJson: join(baseDir, ARTIFACT_REGISTRY.determinismContract.filename),
     determinismReportJson: join(baseDir, ARTIFACT_REGISTRY.determinismReport.filename),
-    runMetaJson: join(baseDir, ARTIFACT_REGISTRY.runMeta.filename),
     artifactVersions: getArtifactVersions()
   };
 }

package/src/verax/core/artifacts/verifier.js CHANGED Viewed

@@ -90,6 +90,7 @@ export function verifyRun(runDir, registrySnapshot = null) {
       if (def.filename.endsWith('.json')) {
         try {
           const content = readFileSync(artifactPath, 'utf-8');
+  // @ts-expect-error - readFileSync with encoding returns string
           const data = JSON.parse(content);
           // Check contractVersion
@@ -162,6 +163,7 @@ export function verifyRun(runDir, registrySnapshot = null) {
               if (existsSync(evidenceIntentPath)) {
                 try {
                   const intentContent = readFileSync(evidenceIntentPath, 'utf-8');
+  // @ts-expect-error - readFileSync with encoding returns string
                   evidenceIntentLedger = JSON.parse(intentContent);
                 } catch (e) {
                   // Will be caught by artifact validation
@@ -213,7 +215,7 @@ export function verifyRun(runDir, registrySnapshot = null) {
                       // PHASE 21.1: HARD FAILURE - blocking error, not warning
                       enforcementSummary.findingsWithoutEvidence++;
                       errors.push(
-                        `EVIDENCE_LAW_VIOLATION: Finding marked CONFIRMED but evidencePackage is incomplete. ` +
+                        `Evidence Law violation: Finding marked CONFIRMED but evidencePackage is incomplete. ` +
                         `Missing fields: ${error.missingFields?.join(', ') || 'unknown'}. ` +
                         `(finding type: ${finding.type || 'unknown'}, index: ${i})`
                       );
@@ -222,7 +224,7 @@ export function verifyRun(runDir, registrySnapshot = null) {
                     // PHASE 21.1: CONFIRMED without evidencePackage and without substantive evidence → HARD FAILURE
                     enforcementSummary.findingsWithoutEvidence++;
                     errors.push(
-                      `EVIDENCE_LAW_VIOLATION: Finding marked CONFIRMED but lacks evidencePackage and evidence is insufficient. ` +
+                      `Evidence Law violation: Finding marked CONFIRMED but lacks evidencePackage and has insufficient evidence. ` +
                       `(finding type: ${finding.type || 'unknown'}, index: ${i})`
                     );
                   }
@@ -372,11 +374,11 @@ export function verifyRun(runDir, registrySnapshot = null) {
   }
   // Determine overall verdict
-  // PHASE 21.1: EVIDENCE_LAW_VIOLATION errors are blocking - do not allow VALID_WITH_WARNINGS
+  // PHASE 21.1: Evidence Law violation errors are blocking - do not allow VALID_WITH_WARNINGS
   // PHASE 22: EVIDENCE_INTENT_MISMATCH errors mark run as VERIFIED_WITH_ERRORS
   // PHASE 23: GUARDRAILS_REPORT_MISMATCH errors mark run as VERIFIED_WITH_ERRORS
   // PHASE 24: CONFIDENCE_INVARIANT_VIOLATION and CONFIDENCE_REPORT_MISMATCH errors mark run as VERIFIED_WITH_ERRORS
-  const hasEvidenceLawViolations = errors.some(e => e.includes('EVIDENCE_LAW_VIOLATION'));
+  const hasEvidenceLawViolations = errors.some(e => e.includes('Evidence Law violation'));
   const hasEvidenceIntentMismatches = errors.some(e => e.includes('EVIDENCE_INTENT_MISMATCH'));
   const hasGuardrailsReportMismatches = errors.some(e => e.includes('GUARDRAILS_REPORT_MISMATCH'));
   const hasConfidenceInvariantViolations = errors.some(e => e.includes('CONFIDENCE_INVARIANT_VIOLATION'));
@@ -398,7 +400,7 @@ export function verifyRun(runDir, registrySnapshot = null) {
     enforcementSummary,
     verifiedAt: new Date().toISOString(),
     // PHASE 21.1: Track evidence law violations separately
-    evidenceLawViolations: hasEvidenceLawViolations ? errors.filter(e => e.includes('EVIDENCE_LAW_VIOLATION')) : [],
+    evidenceLawViolations: hasEvidenceLawViolations ? errors.filter(e => e.includes('Evidence Law violation')) : [],
     // PHASE 22: Track evidence intent mismatches separately
     evidenceIntentMismatches: hasEvidenceIntentMismatches ? errors.filter(e => e.includes('EVIDENCE_INTENT_MISMATCH')) : [],
     // PHASE 23: Track guardrails report mismatches separately
@@ -453,9 +455,9 @@ function validateFindingsArtifact(findingsData, runDir) {
             validateEvidencePackageStrict(finding.evidencePackage, severity);
             // If we get here, evidencePackage is complete
           } catch (error) {
-            // PHASE 21.1: HARD FAILURE - blocking error with EVIDENCE_LAW_VIOLATION code
+            // PHASE 21.1: HARD FAILURE - blocking error with Evidence Law violation code
             errors.push(
-              `EVIDENCE_LAW_VIOLATION: Finding at index ${i} is marked CONFIRMED but evidencePackage is incomplete. ` +
+              `Evidence Law violation: Finding at index ${i} is marked CONFIRMED but evidencePackage is incomplete. ` +
               `Missing fields: ${error.missingFields?.join(', ') || 'unknown'}. ` +
               `(type: ${finding.type || 'unknown'})`
             );
@@ -463,7 +465,7 @@ function validateFindingsArtifact(findingsData, runDir) {
         } else if (!finding.evidence || !isEvidenceSubstantive(finding.evidence)) {
           // PHASE 21.1: CONFIRMED without evidencePackage and without substantive evidence → HARD FAILURE
           errors.push(
-            `EVIDENCE_LAW_VIOLATION: Finding at index ${i} is marked CONFIRMED but lacks evidencePackage and evidence is insufficient. ` +
+            `Evidence Law violation: Finding at index ${i} is marked CONFIRMED but lacks evidencePackage and has insufficient evidence. ` +
             `(type: ${finding.type || 'unknown'})`
           );
         }
@@ -658,6 +660,7 @@ function validateGuardrailsReportArtifact(reportData, runDir) {
   if (existsSync(findingsPath)) {
     try {
       const findingsContent = readFileSync(findingsPath, 'utf-8');
+  // @ts-expect-error - readFileSync with encoding returns string
       const findingsData = JSON.parse(findingsContent);
       if (findingsData.findings && Array.isArray(findingsData.findings)) {
@@ -763,6 +766,7 @@ function validateConfidenceReportArtifact(reportData, runDir) {
   if (existsSync(findingsPath)) {
     try {
       const findingsContent = readFileSync(findingsPath, 'utf-8');
+  // @ts-expect-error - readFileSync with encoding returns string
       const findingsData = JSON.parse(findingsContent);
       if (findingsData.findings && Array.isArray(findingsData.findings)) {
@@ -820,6 +824,7 @@ function checkCrossArtifactConsistency(runDir) {
     if (existsSync(statusPath)) {
       try {
+  // @ts-expect-error - readFileSync with encoding returns string
         const statusData = JSON.parse(readFileSync(statusPath, 'utf-8'));
         runId = statusData.runId;
@@ -832,6 +837,7 @@ function checkCrossArtifactConsistency(runDir) {
           const findingsPath = join(runDir, ARTIFACT_REGISTRY.findings.filename);
           if (existsSync(findingsPath)) {
             try {
+  // @ts-expect-error - readFileSync with encoding returns string
               const findingsData = JSON.parse(readFileSync(findingsPath, 'utf-8'));
               // Findings don't always have runId, so this is optional
               if (findingsData.runId && findingsData.runId !== runId) {
@@ -848,6 +854,7 @@ function checkCrossArtifactConsistency(runDir) {
           const summaryPath = join(runDir, ARTIFACT_REGISTRY.summary.filename);
           if (existsSync(summaryPath)) {
             try {
+  // @ts-expect-error - readFileSync with encoding returns string
               const summaryData = JSON.parse(readFileSync(summaryPath, 'utf-8'));
               if (summaryData.runId && summaryData.runId !== runId) {
                 warnings.push(
@@ -870,6 +877,7 @@ function checkCrossArtifactConsistency(runDir) {
       const findingsPathForTimestamp = join(runDir, ARTIFACT_REGISTRY.findings.filename);
       if (existsSync(findingsPathForTimestamp)) {
         try {
+  // @ts-expect-error - readFileSync with encoding returns string
           const findingsDataForTimestamp = JSON.parse(readFileSync(findingsPathForTimestamp, 'utf-8'));
           if (findingsDataForTimestamp.detectedAt) timestamps.push({ artifact: 'findings', time: findingsDataForTimestamp.detectedAt });
         } catch (e) {
@@ -881,6 +889,7 @@ function checkCrossArtifactConsistency(runDir) {
       const findingsPathForTimestamp = join(runDir, ARTIFACT_REGISTRY.findings.filename);
       if (existsSync(findingsPathForTimestamp)) {
         try {
+  // @ts-expect-error - readFileSync with encoding returns string
           const findingsDataForTimestamp = JSON.parse(readFileSync(findingsPathForTimestamp, 'utf-8'));
           if (findingsDataForTimestamp.detectedAt) timestamps.push({ artifact: 'findings', time: findingsDataForTimestamp.detectedAt });
         } catch (e) {
@@ -891,6 +900,7 @@ function checkCrossArtifactConsistency(runDir) {
     // Sort timestamps and check monotonicity
     if (timestamps.length > 1) {
+      // @ts-expect-error - Date arithmetic for sorting
       timestamps.sort((a, b) => new Date(a.time) - new Date(b.time));
       for (let i = 1; i < timestamps.length; i++) {
         if (new Date(timestamps[i].time) < new Date(timestamps[i - 1].time)) {

package/src/verax/core/baseline/baseline.snapshot.js CHANGED Viewed

@@ -62,6 +62,7 @@ function isGitDirty() {
  */
 function getVeraxVersion() {
   try {
+  // @ts-expect-error - readFileSync with encoding returns string
     const packageJson = JSON.parse(readFileSync(resolve(process.cwd(), 'package.json'), 'utf-8'));
     return packageJson.version || 'unknown';
   } catch {
@@ -223,6 +224,7 @@ export function loadBaselineSnapshot(projectDir) {
   }
   try {
+  // @ts-expect-error - readFileSync with encoding returns string
     return JSON.parse(readFileSync(snapshotPath, 'utf-8'));
   } catch {
     return null;

package/src/verax/core/capabilities/gates.js CHANGED Viewed

@@ -60,7 +60,7 @@ export function evaluateCapabilityGates(capabilityId, context) {
     testMatrix,
     fixtureIndex,
     docsIndex,
-    artifactsRegistry,
+    _artifactsRegistry,
     guardrailsRules,
     determinismTests,
   } = context;
@@ -333,6 +333,7 @@ function buildFixtureIndex(projectRoot) {
           const readmeContent = readFileSync(readmePath, 'utf-8');
         // Extract capability IDs from README (look for patterns like "capability-id" or "capabilityId")
         // Also check for capability mentions in test matrix format
+        // @ts-expect-error - readFileSync with encoding returns string
         const capabilityMatches = readmeContent.match(/(['"])([a-z0-9-]+)(['"])/g);
         if (capabilityMatches) {
           capabilities = capabilityMatches.map(m => {
@@ -342,6 +343,7 @@ function buildFixtureIndex(projectRoot) {
         }
         // Also look for capability registry format
+        // @ts-expect-error - readFileSync with encoding returns string
         const registryMatches = readmeContent.match(/([a-z0-9-]+-[a-z0-9-]+)/g);
         if (registryMatches) {
           capabilities.push(...registryMatches.filter(m => m.includes('-')));
@@ -382,6 +384,7 @@ function buildDocsIndex(projectRoot) {
         // Extract capability IDs from docs (look for patterns)
         const capabilities = [];
+        // @ts-expect-error - readFileSync with encoding returns string
         const capabilityMatches = docContent.match(/([a-z0-9-]+-[a-z0-9-]+)/g);
         if (capabilityMatches) {
           // Filter to likely capability IDs (contain hyphens, reasonable length)
@@ -427,6 +430,7 @@ function buildGuardrailsIndex(projectRoot) {
         // Extract capability categories from test content
         const capabilities = [];
         // Look for capability mentions or category mentions
+        // @ts-expect-error - readFileSync with encoding returns string
         const categoryMatches = testContent.match(/(network|navigation|routes|ui-feedback|validation)/gi);
         if (categoryMatches) {
           capabilities.push(...categoryMatches.map(m => m.toLowerCase()));
@@ -467,6 +471,7 @@ function buildDeterminismTestsIndex(projectRoot) {
         // Extract capability IDs from test content by looking at test matrix references
         const capabilities = [];
         // Look for test matrix references or capability mentions
+        // @ts-expect-error - readFileSync with encoding returns string
         const testMatrixMatches = testContent.match(/testMatrix\[['"]([a-z0-9-]+)['"]\]/g);
         if (testMatrixMatches) {
           for (const match of testMatrixMatches) {
@@ -478,6 +483,7 @@ function buildDeterminismTestsIndex(projectRoot) {
         }
         // Also look for capability mentions in test descriptions
+        // @ts-expect-error - readFileSync with encoding returns string
         const capabilityMentions = testContent.match(/([a-z0-9-]+-[a-z0-9-]+)/g);
         if (capabilityMentions) {
           capabilities.push(...capabilityMentions.filter(m => m.includes('-')));

package/src/verax/core/confidence/confidence-compute.js CHANGED Viewed

@@ -6,8 +6,8 @@
  */
 import { computeConfidenceForFinding } from '../confidence-engine.js';
-import { CONFIDENCE_WEIGHTS } from './confidence-weights.js';
-import { checkConfidenceInvariants, enforceConfidenceInvariants } from './confidence-invariants.js';
+import { CONFIDENCE_WEIGHTS as _CONFIDENCE_WEIGHTS } from './confidence-weights.js';
+import { checkConfidenceInvariants, enforceConfidenceInvariants as _enforceConfidenceInvariants } from './confidence-invariants.js';
 /**
  * Compute final confidence with full truth-aware reconciliation
@@ -39,6 +39,7 @@ export function computeFinalConfidence(params) {
   // Step 1: Compute raw confidence using unified engine
   const rawConfidenceResult = computeConfidenceForFinding({
+    // @ts-expect-error - Optional params structure
     findingType: params.findingType || 'unknown',
     expectation,
     sensors: rawSignals || sensors,
@@ -112,6 +113,9 @@ export function computeFinalConfidence(params) {
   // Step 6: Determine final confidence level
   const confidenceLevel = determineConfidenceLevel(confidenceAfter);
+  // Extract top 2-4 reasons for contract compliance
+  const topReasons = explanation.slice(0, 4).filter((r, idx) => idx < 2 || idx < 4);
   return {
     confidenceBefore,
     confidenceAfter,
@@ -119,6 +123,7 @@ export function computeFinalConfidence(params) {
     appliedInvariants,
     invariantViolations,
     explanation: explanation.slice(0, 20), // Limit to 20 for determinism
+    topReasons, // Contract v1: 2-4 reasons
     truthStatus: finalTruthStatus,
     expectationProof,
     verificationStatus
@@ -126,12 +131,14 @@ export function computeFinalConfidence(params) {
 }
 /**
- * Determine confidence level from score
+ * Determine confidence level from score01 (Contract v1)
+ * HIGH: score01 >= 0.85
+ * MEDIUM: 0.60 <= score01 < 0.85
+ * LOW: score01 < 0.60
  */
 function determineConfidenceLevel(score) {
-  if (score >= 0.80) return 'HIGH';
-  if (score >= 0.50) return 'MEDIUM';
-  if (score >= 0.20) return 'LOW';
-  return 'UNPROVEN';
+  if (score >= 0.85) return 'HIGH';
+  if (score >= 0.60) return 'MEDIUM';
+  return 'LOW';
 }

package/src/verax/core/confidence/confidence.loader.js CHANGED Viewed

@@ -36,6 +36,7 @@ export function loadConfidencePolicy(policyPath = null, projectDir = null) {
   let policy;
   try {
     const policyContent = readFileSync(resolvedPath, 'utf-8');
+  // @ts-expect-error - readFileSync with encoding returns string
     policy = JSON.parse(policyContent);
   } catch (error) {
     throw new Error(`Failed to load confidence policy: ${error.message}`);

package/src/verax/core/confidence-engine-refactor.js CHANGED Viewed

@@ -283,7 +283,7 @@ function assessCorrelationQuality(expectation, sensors, comparisons, evidence, r
 /**
  * Assess guardrails & contradictions (Pillar D) using policy
  */
-function assessGuardrails(sensors, comparisons, findingType, reasons, policy) {
+function assessGuardrails(sensors, comparisons, findingType, reasons, _policy) {
   let guardrailScore = 1.0;
   const networkSensor = sensors.network || {};
@@ -406,6 +406,7 @@ export function computeConfidenceForFinding(params) {
   }
   // === TRUTH LOCKS: Evidence Law cap ===
+  // @ts-expect-error - Optional params structure
   const evidencePackage = options.evidencePackage || params.evidence?.evidencePackage || {};
   if (evidencePackage.severity === 'CONFIRMED' || evidencePackage.status === 'CONFIRMED') {
     if (policy.truthLocks.evidenceCompleteRequired && !evidencePackage.isComplete) {
@@ -415,10 +416,14 @@ export function computeConfidenceForFinding(params) {
   }
   // Determine level using policy thresholds
+  // @ts-expect-error - params has expectation property
+  const promiseStrength = assessPromiseStrength(params.expectation, [], policy);
+  // @ts-expect-error - params has evidence and sensors properties
+  const evidenceComplete = assessEvidenceCompleteness(params.evidence || {}, params.sensors || {}, [], policy);
   const level = determineConfidenceLevel(
     normalizedScore,
-    assessPromiseStrength(params.expectation, [], policy),
-    assessEvidenceCompleteness(params.evidence || {}, params.sensors || {}, [], policy),
+    promiseStrength,
+    evidenceComplete,
     policy
   );