@veraxhq/verax 0.3.0 → 0.4.0

package/src/cli/commands/inspect.js

@@ -1,41 +1,13 @@
-import { resolve, dirname, basename } from 'path';
+import { resolve } from 'path';
 import { existsSync, readFileSync, readdirSync } from 'fs';
 import { DataError } from '../util/errors.js';
-import { displayPerformanceInInspect } from '../../verax/core/perf/perf.display.js';
-import { loadRunTimeline } from '../../verax/core/observe/run-timeline.js';
-import { loadDecisionTrace } from '../../verax/core/decisions/decision.trace.js';
-import { loadCrossIndex } from '../../verax/core/report/cross-index.js';
-import { generateHumanSummary, formatHumanSummary } from '../../verax/core/report/human-summary.js';
-
-/**
- * Extract runId from runPath
- */
-function extractRunId(runPath) {
-  const fullPath = resolve(runPath);
-  const runDirBasename = basename(fullPath);
-  const parentDir = basename(dirname(fullPath));
-  
-  // Check if path is .verax/runs/<runId>
-  if (parentDir === 'runs') {
-    return runDirBasename;
-  }
-  
-  return runDirBasename;
-}
 
 /**
  * `verax inspect` command
  * Read an existing run folder and display summary
  */
 export async function inspectCommand(runPath, options = {}) {
-  const { 
-    json = false,
-    timeline = false,
-    decisions = false,
-    failures = false,
-    performance = false,
-    evidence = false
-  } = options;
+  const { json = false } = options;
   
   const fullPath = resolve(runPath);
   
@@ -65,13 +37,15 @@ export async function inspectCommand(runPath, options = {}) {
   let summary, findings;
   
   try {
-    summary = JSON.parse(readFileSync(`${fullPath}/summary.json`, 'utf8'));
+  // @ts-expect-error - readFileSync with encoding returns string
+    summary = JSON.parse(readFileSync(`${fullPath}/summary.json`, 'utf-8'));
   } catch (error) {
     throw new DataError(`Failed to parse summary.json: ${error.message}`);
   }
   
   try {
-    findings = JSON.parse(readFileSync(`${fullPath}/findings.json`, 'utf8'));
+  // @ts-expect-error - readFileSync with encoding returns string
+    findings = JSON.parse(readFileSync(`${fullPath}/findings.json`, 'utf-8'));
   } catch (error) {
     throw new DataError(`Failed to parse findings.json: ${error.message}`);
   }
@@ -130,108 +104,7 @@ export async function inspectCommand(runPath, options = {}) {
       console.log(`Evidence: not found`);
     }
     
-  // PHASE 21.9: Display performance metrics
-  const runId = output.runId;
-  const projectDir = resolve(process.cwd());
-  
-  // PHASE 21.10: Handle specific flags
-  if (timeline) {
-    const timelineData = loadRunTimeline(projectDir, runId);
-    if (timelineData) {
-      if (json) {
-        console.log(JSON.stringify(timelineData, null, 2));
-      } else {
-        console.log('\n=== Timeline ===\n');
-        for (const event of timelineData.events) {
-          console.log(`${event.timestamp || 'N/A'} [${event.phase}] ${event.event}`);
-          if (event.data) {
-            console.log(`  ${JSON.stringify(event.data)}`);
-          }
-        }
-        console.log('');
-      }
-      return output;
-    }
-  }
-  
-  if (decisions) {
-    const decisionTrace = loadDecisionTrace(projectDir, runId);
-    if (decisionTrace) {
-      if (json) {
-        console.log(JSON.stringify(decisionTrace, null, 2));
-      } else {
-        console.log('\n=== Decision Trace ===\n');
-        for (const trace of decisionTrace.findings) {
-          console.log(`Finding: ${trace.findingId}`);
-          console.log(`  Status: ${trace.status.value}`);
-          console.log(`  Confidence: ${trace.confidence.level || 'UNKNOWN'}`);
-          console.log(`  Why detected: ${trace.detection.why.map(w => w.reason).join('; ')}`);
-          console.log(`  Why status: ${trace.status.why.map(w => w.reason).join('; ')}`);
-          console.log('');
-        }
-      }
-      return output;
-    }
-  }
-  
-  if (failures) {
-    const failureLedgerPath = resolve(fullPath, 'failure.ledger.json');
-    if (existsSync(failureLedgerPath)) {
-      const failureLedger = JSON.parse(readFileSync(failureLedgerPath, 'utf-8'));
-      if (json) {
-        console.log(JSON.stringify(failureLedger, null, 2));
-      } else {
-        console.log('\n=== Failures ===\n');
-        console.log(`Total: ${failureLedger.summary?.total || 0}`);
-        if (failureLedger.failures) {
-          for (const failure of failureLedger.failures) {
-            console.log(`[${failure.severity || 'UNKNOWN'}] ${failure.code}: ${failure.message}`);
-          }
-        }
-        console.log('');
-      }
-      return output;
-    }
-  }
-  
-  if (performance) {
-    displayPerformanceInInspect(projectDir, runId);
     console.log('');
-    return output;
-  }
-  
-  if (evidence) {
-    const crossIndex = loadCrossIndex(projectDir, runId);
-    if (crossIndex) {
-      if (json) {
-        console.log(JSON.stringify(crossIndex, null, 2));
-      } else {
-        console.log('\n=== Evidence Cross-Index ===\n');
-        for (const [findingId, entry] of Object.entries(crossIndex.findings)) {
-          console.log(`Finding: ${findingId}`);
-          console.log(`  Evidence files: ${entry.evidence.files.length}`);
-          console.log(`  Evidence complete: ${entry.evidence.isComplete}`);
-          console.log(`  Confidence: ${entry.confidence.level || 'UNKNOWN'}`);
-          console.log(`  Guardrails: ${entry.guardrails.applied.length} rule(s) applied`);
-          console.log('');
-        }
-      }
-      return output;
-    }
-  }
-  
-  // Default: show summary + human summary
-  displayPerformanceInInspect(projectDir, runId);
-  
-  // PHASE 21.10: Display human summary
-  const humanSummary = await generateHumanSummary(projectDir, runId);
-  if (humanSummary && !json) {
-    console.log(formatHumanSummary(humanSummary));
-  } else if (humanSummary && json) {
-    output.humanSummary = humanSummary;
-  }
-  
-  console.log('');
   }
   
   return output;

package/src/cli/commands/release-check.js

@@ -53,6 +53,7 @@ export async function releaseCheckCommand(options = {}) {
     const provenancePath = resolve(projectDir, 'release', 'release.provenance.json');
     if (existsSync(provenancePath)) {
       status.provenance.exists = true;
+  // @ts-expect-error - readFileSync with encoding returns string
       const provenance = JSON.parse(readFileSync(provenancePath, 'utf-8'));
       
       // Validate provenance structure
@@ -85,6 +86,7 @@ export async function releaseCheckCommand(options = {}) {
     const sbomPath = resolve(projectDir, 'release', 'sbom.json');
     if (existsSync(sbomPath)) {
       status.sbom.exists = true;
+  // @ts-expect-error - readFileSync with encoding returns string
       const sbom = JSON.parse(readFileSync(sbomPath, 'utf-8'));
       
       // Validate SBOM structure

package/src/cli/commands/run.js

@@ -17,9 +17,8 @@ import { detectFindings } from '../util/detection-engine.js';
 import { writeFindingsJson } from '../util/findings-writer.js';
 import { writeSummaryJson } from '../util/summary-writer.js';
 import { computeRuntimeBudget, withTimeout } from '../util/runtime-budget.js';
-import { assertHasLocalSource } from '../util/source-requirement.js';
-import { runWithDeterminism } from '../util/determinism-runner.js';
-import { runDeterminismCheck } from '../../verax/core/determinism/engine.js';
+import { saveDigest } from '../util/digest-engine.js';
+import { ARTIFACT_REGISTRY, getArtifactVersions } from '../../verax/core/artifacts/registry.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -27,10 +26,11 @@ const __dirname = dirname(__filename);
 function getVersion() {
   try {
     const pkgPath = resolve(__dirname, '../../../package.json');
-    const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+  // @ts-expect-error - readFileSync with encoding returns string
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
     return pkg.version;
   } catch {
-    return '0.3.0';
+    return '0.2.0';
   }
 }
 
@@ -39,68 +39,17 @@ function getVersion() {
  * Strict, non-interactive CLI mode with explicit flags
  */
 export async function runCommand(options) {
-  return await runCommandInternal(options);
-}
-
-/**
- * Internal run command implementation
- */
-async function runCommandInternal(options) {
   const {
     url,
-    fixture,
     src = '.',
     out = '.verax',
     json = false,
     verbose = false,
-    determinism = false,
-    determinismRuns = 2,
   } = options;
   
-  // PHASE 25: Support fixture mode for determinism
-  let resolvedUrl = url;
-  let fixtureId = null;
-  
-  if (fixture && !url) {
-    // Extract URL from fixture
-    const { resolve } = await import('path');
-    const { existsSync, readFileSync } = await import('fs');
-    const { fileURLToPath } = await import('url');
-    const { dirname } = await import('path');
-    const __filename = fileURLToPath(import.meta.url);
-    const __dirname = dirname(__filename);
-    
-    const fixturePath = resolve(__dirname, '..', '..', '..', 'test', 'fixtures', 'realistic', fixture);
-    if (existsSync(fixturePath)) {
-      // Try to read package.json or index.html to extract URL
-      const packagePath = resolve(fixturePath, 'package.json');
-      const indexPath = resolve(fixturePath, 'index.html');
-      
-      if (existsSync(packagePath)) {
-        try {
-          const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'));
-          if (pkg.verax && pkg.verax.url) {
-            resolvedUrl = pkg.verax.url;
-            fixtureId = fixture;
-          }
-        } catch {
-          // Ignore parse errors
-        }
-      }
-      
-      // If no URL found, use default localhost URL for fixture
-      if (!resolvedUrl) {
-        resolvedUrl = `http://localhost:5173`; // Default Vite dev server
-        fixtureId = fixture;
-      }
-    } else {
-      throw new DataError(`Fixture not found: ${fixture}`);
-    }
-  }
-  
   // Validate required arguments
-  if (!resolvedUrl) {
-    throw new UsageError('Missing required argument: --url <url> or --fixture <fixture>');
+  if (!url) {
+    throw new UsageError('Missing required argument: --url <url>');
   }
   
   const projectRoot = resolve(process.cwd());
@@ -110,9 +59,6 @@ async function runCommandInternal(options) {
   if (!existsSync(srcPath)) {
     throw new DataError(`Source directory not found: ${srcPath}`);
   }
-
-  // Enforce local source availability (no URL-only scans)
-  assertHasLocalSource(srcPath);
   
   // Create event emitter
   const events = new RunEventEmitter();
@@ -150,7 +96,7 @@ async function runCommandInternal(options) {
         const failedAt = new Date().toISOString();
         atomicWriteJson(paths.runStatusJson, {
           contractVersion: 1,
-          artifactVersions: paths.artifactVersions,
+          artifactVersions: getArtifactVersions(),
           status: 'FAILED',
           runId,
           startedAt,
@@ -159,8 +105,7 @@ async function runCommandInternal(options) {
         });
         
         atomicWriteJson(paths.runMetaJson, {
-          contractVersion: 1,
-          artifactVersions: paths.artifactVersions,
+          contractVersion: ARTIFACT_REGISTRY.runMeta.contractVersion,
           veraxVersion: getVersion(),
           nodeVersion: process.version,
           platform: process.platform,
@@ -181,7 +126,7 @@ async function runCommandInternal(options) {
             startedAt,
             completedAt: failedAt,
             command: 'run',
-            url: resolvedUrl,
+            url,
             notes: `Run timed out: ${reason}`,
           }, {
             expectationsTotal: 0,
@@ -206,73 +151,9 @@ async function runCommandInternal(options) {
     });
   };
   
-  // PHASE 25: If determinism mode, wrap execution
-  if (determinism) {
-    const scanFn = async (runConfig) => {
-      // Execute a single scan run
-      const singleRunId = generateRunId();
-      const singlePaths = getRunPaths(projectRoot, out, singleRunId);
-      ensureRunDirectories(singlePaths);
-      
-      // Execute scan (reuse existing logic but with single run)
-      // This is a simplified version - in production, you'd extract the scan logic
-      const { scan } = await import('../../verax/index.js');
-      const scanResult = await scan(
-        projectRoot,
-        resolvedUrl,
-        null, // manifestPath
-        null, // scanBudgetOverride
-        {}, // safetyFlags
-        singleRunId
-      );
-      
-      return {
-        runId: singleRunId,
-        artifactPaths: {
-          findings: singlePaths.findingsJson,
-          runStatus: singlePaths.runStatusJson,
-          summary: singlePaths.summaryJson,
-          learn: singlePaths.learnJson,
-          observe: singlePaths.observeJson,
-          runDir: singlePaths.baseDir
-        }
-      };
-    };
-    
-    const determinismResult = await runWithDeterminism(scanFn, {
-      runs: determinismRuns,
-      out,
-      url: resolvedUrl,
-      fixture: fixtureId,
-      src,
-      verbose,
-      json
-    });
-    
-    // PHASE 25: Output determinism report path
-    if (!json) {
-      console.log(`\nDeterminism check complete.`);
-      console.log(`Verdict: ${determinismResult.verdict}`);
-      console.log(`Report: ${determinismResult.reportPath}`);
-    } else {
-      console.log(JSON.stringify({
-        type: 'determinism:complete',
-        verdict: determinismResult.verdict,
-        reportPath: determinismResult.reportPath,
-        summary: determinismResult.summary
-      }));
-    }
-    
-    return {
-      success: determinismResult.verdict === 'DETERMINISTIC' || determinismResult.verdict === 'NON_DETERMINISTIC_EXPECTED',
-      verdict: determinismResult.verdict,
-      reportPath: determinismResult.reportPath
-    };
-  }
-  
   try {
     // Generate run ID
-    runId = generateRunId();
+    runId = generateRunId(url);
     if (verbose && !json) console.log(`Run ID: ${runId}`);
     
     paths = getRunPaths(projectRoot, out, runId);
@@ -323,7 +204,7 @@ async function runCommandInternal(options) {
     
     atomicWriteJson(paths.runStatusJson, {
       contractVersion: 1,
-      artifactVersions: paths.artifactVersions,
+      artifactVersions: getArtifactVersions(),
       status: 'RUNNING',
       runId,
       startedAt,
@@ -331,16 +212,14 @@ async function runCommandInternal(options) {
     
     // Write metadata
     atomicWriteJson(paths.runMetaJson, {
-      contractVersion: 1,
-      artifactVersions: paths.artifactVersions,
+      contractVersion: ARTIFACT_REGISTRY.runMeta.contractVersion,
       veraxVersion: getVersion(),
       nodeVersion: process.version,
       platform: process.platform,
       cwd: projectRoot,
       command: 'run',
-      args: { url: resolvedUrl, fixture: fixtureId, src, out },
-      url: resolvedUrl,
-      fixtureId: fixtureId,
+      args: { url, src, out },
+      url,
       src: srcPath,
       startedAt,
       completedAt: null,
@@ -421,7 +300,8 @@ async function runCommandInternal(options) {
               paths.evidenceDir,
               (progress) => {
                 events.emit(progress.event, progress);
-              }
+              },
+              {}
             ),
             'Observe'
           );
@@ -532,6 +412,32 @@ async function runCommandInternal(options) {
     
     const completedAt = new Date().toISOString();
     
+    // Write completed status
+    atomicWriteJson(paths.runStatusJson, {
+      contractVersion: 1,
+      artifactVersions: getArtifactVersions(),
+      status: 'COMPLETE',
+      runId,
+      startedAt,
+      completedAt,
+    });
+    
+    // Update metadata with completion time
+    atomicWriteJson(paths.runMetaJson, {
+      contractVersion: ARTIFACT_REGISTRY.runMeta.contractVersion,
+      veraxVersion: getVersion(),
+      nodeVersion: process.version,
+      platform: process.platform,
+      cwd: projectRoot,
+      command: 'run',
+      args: { url, src, out },
+      url,
+      src: srcPath,
+      startedAt,
+      completedAt,
+      error: null,
+    });
+    
     const runDurationMs = completedAt && startedAt ? (Date.parse(completedAt) - Date.parse(startedAt)) : 0;
     const metrics = {
       learnMs: observeData?.timings?.learnMs || 0,
@@ -546,9 +452,6 @@ async function runCommandInternal(options) {
       UNKNOWN: 0,
     };
 
-    // Write detect results (or empty if detection failed)
-    const findingsResult = writeFindingsJson(paths.baseDir, detectData);
-
     // Write summary with stable digest
     writeSummaryJson(paths.summaryJson, {
       runId,
@@ -572,6 +475,9 @@ async function runCommandInternal(options) {
       ...findingsCounts,
     });
     
+    // Write detect results (or empty if detection failed)
+    writeFindingsJson(paths.baseDir, detectData);
+    
     // Write traces (include all events including heartbeats)
     const allEvents = events.getEvents();
     const tracesContent = allEvents
@@ -587,78 +493,12 @@ async function runCommandInternal(options) {
     
     // Write observe results
     writeObserveJson(paths.baseDir, observeData);
-
-    // PHASE 6: Verify artifacts after all writers finish
-    const { verifyRun } = await import('../../verax/core/artifacts/verifier.js');
-    const verification = verifyRun(paths.baseDir, paths.artifactVersions);
-    
-    // Determine final status based on verification
-    let finalStatus = 'COMPLETE';
-    if (!verification.ok) {
-      finalStatus = 'INVALID';
-    } else if (verification.warnings.length > 0) {
-      finalStatus = 'VALID_WITH_WARNINGS';
-    }
     
-    // PHASE 21.2: Compute determinism summary for run.status.json
-    let determinismSummary = null;
-    try {
-      const decisionsPath = resolve(paths.baseDir, 'decisions.json');
-      if (existsSync(decisionsPath)) {
-        const decisions = JSON.parse(readFileSync(decisionsPath, 'utf-8'));
-        const { DecisionRecorder } = await import('../../verax/core/determinism-model.js');
-        const recorder = DecisionRecorder.fromExport(decisions);
-        const { computeDeterminismVerdict } = await import('../../verax/core/determinism/contract.js');
-        const verdict = computeDeterminismVerdict(recorder);
-        
-        determinismSummary = {
-          verdict: verdict.verdict, // DETERMINISTIC or NON_DETERMINISTIC
-          message: verdict.message,
-          adaptiveEventsCount: verdict.adaptiveEvents.length
-        };
-      }
-    } catch (error) {
-      // Ignore errors - determinism summary is optional
+    // H5: Write deterministic digest for reproducibility proof
+    if (observeData && observeData.digest) {
+      saveDigest(resolve(paths.baseDir, 'run.digest.json'), observeData.digest);
     }
     
-    // Write completed status with contract + enforcement snapshot + verification + determinism
-    atomicWriteJson(paths.runStatusJson, {
-      contractVersion: 1,
-      artifactVersions: paths.artifactVersions,
-      status: finalStatus,
-      runId,
-      startedAt,
-      completedAt,
-      enforcement: findingsResult?.payload?.enforcement || null,
-      verification: {
-        ok: verification.ok,
-        status: finalStatus,
-        errorsCount: verification.errors.length,
-        warningsCount: verification.warnings.length,
-        verifiedAt: verification.verifiedAt
-      },
-      // PHASE 21.2: Determinism summary
-      determinismSummary: determinismSummary
-    });
-    
-    // Update metadata with completion time
-    atomicWriteJson(paths.runMetaJson, {
-      contractVersion: 1,
-      artifactVersions: paths.artifactVersions,
-      veraxVersion: getVersion(),
-      nodeVersion: process.version,
-      platform: process.platform,
-      cwd: projectRoot,
-      command: 'run',
-      args: { url: resolvedUrl, fixture: fixtureId, src, out },
-      url: resolvedUrl,
-      fixtureId: fixtureId,
-      src: srcPath,
-      startedAt,
-      completedAt,
-      error: null,
-    });
-    
     events.emit('phase:completed', {
       phase: 'Finalize Artifacts',
       message: 'Run artifacts written',
@@ -686,37 +526,27 @@ async function runCommandInternal(options) {
     
     // Print summary if not JSON mode
     if (!json) {
-      console.log('\nRun complete.');
-      console.log(`Run ID: ${runId}`);
-      console.log(`Artifacts: ${paths.baseDir}`);
-      
-      // PHASE 21.2: Display determinism truth
-      if (determinismSummary) {
-        console.log('');
-        if (determinismSummary.verdict === 'DETERMINISTIC') {
-          console.log('Deterministic: YES');
-        } else {
-          console.log(`Deterministic: NO (${determinismSummary.message})`);
-          if (determinismSummary.adaptiveEventsCount > 0) {
-            console.log(`  Adaptive events detected: ${determinismSummary.adaptiveEventsCount}`);
-          }
-        }
-      }
-      
-      // PHASE 6: Display verification results
-      const { formatVerificationOutput } = await import('../../verax/core/artifacts/verifier.js');
-      const verificationOutput = formatVerificationOutput(verification, verbose);
+      const relativePath = paths.baseDir.replace(/\\/g, '/').split('/').slice(-1)[0];
+      console.log('');
+      console.log('VERAX — Silent Failure Detection');
+      console.log('');
+      console.log(`✔ URL: ${url}`);
+      console.log('');
+      console.log('Learn phase:');
+      console.log(`  → Extracted ${expectations.length} promises`);
+      console.log('');
+      console.log('Observe phase:');
+      console.log(`  → Executed ${observeData.stats?.attempted || 0} interactions`);
+      console.log(`  → Observed: ${observeData.stats?.observed || 0}/${observeData.stats?.attempted || 0}`);
+      console.log('');
+      console.log('Detect phase:');
+      console.log(`  → Silent failures: ${detectData.stats?.silentFailures || 0}`);
+      console.log(`  → Unproven: ${detectData.stats?.unproven || 0}`);
+      console.log(`  → Coverage gaps: ${detectData.stats?.coverageGaps || 0}`);
+      console.log('');
+      console.log('Artifacts written to:');
+      console.log(`  .verax/runs/${relativePath}/`);
       console.log('');
-      console.log(verificationOutput);
-      
-      // PHASE 21.9: Display performance metrics
-      const { loadPerformanceReport } = await import('../../verax/core/perf/perf.report.js');
-      const { formatPerformanceMetrics } = await import('../../verax/core/perf/perf.display.js');
-      const perfReport = loadPerformanceReport(projectRoot, runId);
-      if (perfReport) {
-        console.log('');
-        console.log(formatPerformanceMetrics(perfReport));
-      }
     }
     
     return { runId, paths, success: true };
@@ -735,7 +565,7 @@ async function runCommandInternal(options) {
         const failedAt = new Date().toISOString();
         atomicWriteJson(paths.runStatusJson, {
           contractVersion: 1,
-          artifactVersions: paths.artifactVersions,
+          artifactVersions: getArtifactVersions(),
           status: 'FAILED',
           runId,
           startedAt,
@@ -745,16 +575,14 @@ async function runCommandInternal(options) {
         
         // Update metadata
         atomicWriteJson(paths.runMetaJson, {
-          contractVersion: 1,
-          artifactVersions: paths.artifactVersions,
+          contractVersion: ARTIFACT_REGISTRY.runMeta.contractVersion,
           veraxVersion: getVersion(),
           nodeVersion: process.version,
           platform: process.platform,
           cwd: projectRoot,
           command: 'run',
-          args: { url: resolvedUrl || url, fixture: fixtureId, src, out },
-          url: resolvedUrl || url,
-          fixtureId: fixtureId,
+          args: { url, src, out },
+          url,
           src: srcPath,
           startedAt,
           completedAt: failedAt,
@@ -769,7 +597,7 @@ async function runCommandInternal(options) {
             startedAt,
             completedAt: failedAt,
             command: 'run',
-            url: resolvedUrl || url,
+            url,
             notes: `Run failed: ${error.message}`,
           }, {
             expectationsTotal: 0,

package/src/cli/commands/security-check.js

@@ -10,7 +10,7 @@ import { scanVulnerabilities, writeVulnReport } from '../../verax/core/security/
 import { evaluateSupplyChainPolicy, writeSupplyChainReport } from '../../verax/core/security/supplychain.policy.js';
 import { writeSecurityReport } from '../../verax/core/security/security-report.js';
 import { resolve } from 'path';
-import { mkdirSync, existsSync } from 'fs';
+import { mkdirSync as _mkdirSync, existsSync } from 'fs';
 
 /**
  * Security check command
@@ -116,6 +116,7 @@ export async function securityCheckCommand(options = {}) {
     const secretsPath = resolve(projectDir, 'release', 'security.secrets.report.json');
     if (existsSync(secretsPath)) {
       const { readFileSync } = await import('fs');
+  // @ts-expect-error - readFileSync with encoding returns string
       secretsReport = JSON.parse(readFileSync(secretsPath, 'utf-8'));
     }
   } catch {

package/src/cli/commands/truth.js

@@ -4,7 +4,6 @@
  * `verax truth` - Shows truth certificate summary
  */
 
-import { resolve } from 'path';
 import { findLatestRunId } from '../util/run-resolver.js';
 import { generateTruthCertificate, loadTruthCertificate } from '../../verax/core/truth/truth.certificate.js';