npm - @vibecheckai/cli - Versions diffs - 3.2.5 → 3.3.0 - Mend

@vibecheckai/cli 3.2.5 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (197) hide show

package/bin/.generated +25 -25
package/bin/dev/run-v2-torture.js +30 -30
package/bin/registry.js +192 -5
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -295
package/bin/runners/lib/agent-firewall/change-packet/builder.js +280 -6
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +312 -4
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +113 -1
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +133 -6
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +321 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/analyzers.js +81 -18
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/auth-truth.js +193 -193
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -62
package/bin/runners/lib/billing.js +107 -107
package/bin/runners/lib/claims.js +118 -118
package/bin/runners/lib/cli-output.js +7 -1
package/bin/runners/lib/cli-ui.js +540 -540
package/bin/runners/lib/contracts/auth-contract.js +202 -202
package/bin/runners/lib/contracts/env-contract.js +181 -181
package/bin/runners/lib/contracts/external-contract.js +206 -206
package/bin/runners/lib/contracts/guard.js +168 -168
package/bin/runners/lib/contracts/index.js +89 -89
package/bin/runners/lib/contracts/plan-validator.js +311 -311
package/bin/runners/lib/contracts/route-contract.js +199 -199
package/bin/runners/lib/contracts.js +804 -804
package/bin/runners/lib/detect.js +89 -89
package/bin/runners/lib/doctor/autofix.js +254 -254
package/bin/runners/lib/doctor/index.js +37 -37
package/bin/runners/lib/doctor/modules/dependencies.js +325 -325
package/bin/runners/lib/doctor/modules/index.js +46 -46
package/bin/runners/lib/doctor/modules/network.js +250 -250
package/bin/runners/lib/doctor/modules/project.js +312 -312
package/bin/runners/lib/doctor/modules/runtime.js +224 -224
package/bin/runners/lib/doctor/modules/security.js +348 -348
package/bin/runners/lib/doctor/modules/system.js +213 -213
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -394
package/bin/runners/lib/doctor/reporter.js +262 -262
package/bin/runners/lib/doctor/service.js +262 -262
package/bin/runners/lib/doctor/types.js +113 -113
package/bin/runners/lib/doctor/ui.js +263 -263
package/bin/runners/lib/doctor-v2.js +608 -608
package/bin/runners/lib/drift.js +425 -425
package/bin/runners/lib/enforcement.js +72 -72
package/bin/runners/lib/enterprise-detect.js +603 -603
package/bin/runners/lib/enterprise-init.js +942 -942
package/bin/runners/lib/env-resolver.js +417 -417
package/bin/runners/lib/env-template.js +66 -66
package/bin/runners/lib/env.js +189 -189
package/bin/runners/lib/error-handler.js +16 -9
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -990
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -573
package/bin/runners/lib/extractors/fastify-routes.js +426 -426
package/bin/runners/lib/extractors/index.js +363 -363
package/bin/runners/lib/extractors/next-routes.js +524 -524
package/bin/runners/lib/extractors/proof-graph.js +431 -431
package/bin/runners/lib/extractors/route-matcher.js +451 -451
package/bin/runners/lib/extractors/truthpack-v2.js +377 -377
package/bin/runners/lib/extractors/ui-bindings.js +547 -547
package/bin/runners/lib/findings-schema.js +281 -281
package/bin/runners/lib/firewall-prompt.js +50 -50
package/bin/runners/lib/global-flags.js +37 -0
package/bin/runners/lib/graph/graph-builder.js +265 -265
package/bin/runners/lib/graph/html-renderer.js +413 -413
package/bin/runners/lib/graph/index.js +32 -32
package/bin/runners/lib/graph/runtime-collector.js +215 -215
package/bin/runners/lib/graph/static-extractor.js +518 -518
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-report.js +650 -650
package/bin/runners/lib/llm.js +75 -75
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -61
package/bin/runners/lib/missions/evidence.js +126 -126
package/bin/runners/lib/patch.js +40 -40
package/bin/runners/lib/permissions/auth-model.js +213 -213
package/bin/runners/lib/permissions/idor-prover.js +205 -205
package/bin/runners/lib/permissions/index.js +45 -45
package/bin/runners/lib/permissions/matrix-builder.js +198 -198
package/bin/runners/lib/pkgjson.js +28 -28
package/bin/runners/lib/policy.js +295 -295
package/bin/runners/lib/preflight.js +142 -142
package/bin/runners/lib/reality/correlation-detectors.js +359 -359
package/bin/runners/lib/reality/index.js +318 -318
package/bin/runners/lib/reality/request-hashing.js +416 -416
package/bin/runners/lib/reality/request-mapper.js +453 -453
package/bin/runners/lib/reality/safety-rails.js +463 -463
package/bin/runners/lib/reality/semantic-snapshot.js +408 -408
package/bin/runners/lib/reality/toast-detector.js +393 -393
package/bin/runners/lib/reality-findings.js +84 -84
package/bin/runners/lib/receipts.js +179 -179
package/bin/runners/lib/redact.js +29 -29
package/bin/runners/lib/replay/capsule-manager.js +154 -154
package/bin/runners/lib/replay/index.js +263 -263
package/bin/runners/lib/replay/player.js +348 -348
package/bin/runners/lib/replay/recorder.js +331 -331
package/bin/runners/lib/report.js +135 -135
package/bin/runners/lib/route-detection.js +1140 -1140
package/bin/runners/lib/sandbox/index.js +59 -59
package/bin/runners/lib/sandbox/proof-chain.js +399 -399
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -205
package/bin/runners/lib/sandbox/worktree.js +174 -174
package/bin/runners/lib/schema-validator.js +350 -350
package/bin/runners/lib/schemas/contracts.schema.json +160 -160
package/bin/runners/lib/schemas/finding.schema.json +100 -100
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -206
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -176
package/bin/runners/lib/schemas/reality-report.schema.json +162 -162
package/bin/runners/lib/schemas/share-pack.schema.json +180 -180
package/bin/runners/lib/schemas/ship-report.schema.json +117 -117
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -303
package/bin/runners/lib/schemas/validator.js +438 -438
package/bin/runners/lib/score-history.js +282 -282
package/bin/runners/lib/share-pack.js +239 -239
package/bin/runners/lib/snippets.js +67 -67
package/bin/runners/lib/unified-cli-output.js +604 -0
package/bin/runners/lib/upsell.js +658 -510
package/bin/runners/lib/usage.js +153 -153
package/bin/runners/lib/validate-patch.js +156 -156
package/bin/runners/lib/verdict-engine.js +628 -628
package/bin/runners/reality/engine.js +917 -917
package/bin/runners/reality/flows.js +122 -122
package/bin/runners/reality/report.js +378 -378
package/bin/runners/reality/session.js +193 -193
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runApprove.js +1200 -0
package/bin/runners/runAuth.js +324 -95
package/bin/runners/runCheckpoint.js +39 -21
package/bin/runners/runClassify.js +859 -0
package/bin/runners/runContext.js +136 -24
package/bin/runners/runDoctor.js +108 -68
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFix.js +6 -5
package/bin/runners/runGuard.js +262 -168
package/bin/runners/runInit.js +3 -2
package/bin/runners/runMcp.js +130 -52
package/bin/runners/runPolish.js +43 -20
package/bin/runners/runProve.js +1 -2
package/bin/runners/runReport.js +3 -2
package/bin/runners/runScan.js +145 -44
package/bin/runners/runShip.js +3 -4
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runValidate.js +19 -2
package/bin/runners/runWatch.js +104 -53
package/bin/vibecheck.js +106 -19
package/mcp-server/HARDENING_SUMMARY.md +299 -0
package/mcp-server/agent-firewall-interceptor.js +367 -31
package/mcp-server/authority-tools.js +569 -0
package/mcp-server/conductor/conflict-resolver.js +588 -0
package/mcp-server/conductor/execution-planner.js +544 -0
package/mcp-server/conductor/index.js +377 -0
package/mcp-server/conductor/lock-manager.js +615 -0
package/mcp-server/conductor/request-queue.js +550 -0
package/mcp-server/conductor/session-manager.js +500 -0
package/mcp-server/conductor/tools.js +510 -0
package/mcp-server/index.js +1199 -208
package/mcp-server/lib/api-client.cjs +305 -0
package/mcp-server/lib/logger.cjs +30 -0
package/mcp-server/logger.js +173 -0
package/mcp-server/package.json +2 -2
package/mcp-server/premium-tools.js +2 -2
package/mcp-server/tier-auth.js +351 -136
package/mcp-server/tools/index.js +72 -72
package/mcp-server/truth-firewall-tools.js +145 -15
package/mcp-server/vibecheck-tools.js +2 -2
package/package.json +2 -3
package/mcp-server/index.old.js +0 -4137
package/mcp-server/package-lock.json +0 -165

package/bin/runners/lib/global-flags.js CHANGED Viewed

@@ -128,6 +128,41 @@ function shouldShowBanner(flags = {}) {
   return true;
 }
+// ═══════════════════════════════════════════════════════════════════════════════
+// OUTPUT SUPPRESSION CHECK
+// ═══════════════════════════════════════════════════════════════════════════════
+/**
+ * Check if non-essential output should be suppressed
+ * Use this before any console output that isn't errors or JSON
+ *
+ * @param {object} flags - Parsed flags object
+ * @returns {boolean} true if output should be suppressed
+ */
+function shouldSuppressOutput(flags = {}) {
+  // Suppress if quiet or CI mode
+  if (flags.quiet || flags.ci) return true;
+  // Suppress if JSON mode (only structured output allowed)
+  if (flags.json) return true;
+  // Check environment
+  if (process.env.VIBECHECK_QUIET === "true") return true;
+  return false;
+}
+/**
+ * Check if we're in JSON output mode
+ * Use this to decide between pretty output and structured JSON
+ *
+ * @param {object} flags - Parsed flags object
+ * @returns {boolean} true if JSON output is requested
+ */
+function isJsonMode(flags = {}) {
+  return flags.json === true;
+}
 // ═══════════════════════════════════════════════════════════════════════════════
 // CI DETECTION
 // ═══════════════════════════════════════════════════════════════════════════════
@@ -204,6 +239,8 @@ function loadConfig(flags = {}) {
 module.exports = {
   parseGlobalFlags,
   shouldShowBanner,
+  shouldSuppressOutput,
+  isJsonMode,
   isCI,
   loadConfig,
   lazy,

package/bin/runners/lib/graph/graph-builder.js CHANGED Viewed

@@ -1,265 +1,265 @@
-/**
- * Graph Builder
- * Builds the complete ProofGraph from static and runtime edges
- */
-"use strict";
-const crypto = require("crypto");
-function sha256(text) {
-  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
-}
-/**
- * Build ProofGraph from extracted nodes and edges
- */
-function buildProofGraph({ nodes, edges, runtimeEdges = [], meta = {} }) {
-  const graph = {
-    meta: {
-      version: "1.0.0",
-      generatedAt: new Date().toISOString(),
-      commit: meta.commit || process.env.VIBECHECK_COMMIT_SHA || "unknown",
-      ...meta
-    },
-    nodes: [],
-    edges: [],
-    brokenEdges: [],
-    coverage: {
-      static: 0,
-      runtime: 0,
-      total: 0
-    }
-  };
-  // Dedupe and add nodes
-  const nodeMap = new Map();
-  for (const n of nodes) {
-    if (!nodeMap.has(n.id)) {
-      nodeMap.set(n.id, n);
-    }
-  }
-  graph.nodes = Array.from(nodeMap.values());
-  // Process edges, separate broken ones
-  const brokenEdges = [];
-  const validEdges = [];
-  for (const edge of edges) {
-    if (edge.broken) {
-      brokenEdges.push({
-        edge: {
-          id: edge.id,
-          from: edge.from,
-          to: edge.to,
-          type: edge.type,
-          confidence: edge.confidence || "low"
-        },
-        reason: edge.brokenReason || "Edge target not found",
-        severity: determineSeverity(edge),
-        route: edge.toRoute || null
-      });
-    } else {
-      validEdges.push({
-        id: edge.id,
-        from: edge.from,
-        to: edge.to,
-        type: edge.type,
-        confidence: edge.confidence || "med",
-        verifiedAt: "static"
-      });
-    }
-  }
-  // Add runtime edges
-  for (const re of runtimeEdges) {
-    const existing = validEdges.find(e => e.from === re.from && e.to === re.to);
-    if (existing) {
-      existing.verifiedAt = "runtime";
-      existing.runtimeData = re.data;
-    } else {
-      validEdges.push({
-        id: re.id || `runtime_${sha256(re.from + re.to)}`,
-        from: re.from,
-        to: re.to,
-        type: re.type || "runtime",
-        confidence: "high",
-        verifiedAt: "runtime",
-        runtimeData: re.data
-      });
-    }
-  }
-  graph.edges = validEdges;
-  graph.brokenEdges = brokenEdges;
-  // Calculate coverage
-  const totalPossibleEdges = graph.edges.length + graph.brokenEdges.length;
-  graph.coverage = {
-    static: graph.edges.filter(e => e.verifiedAt === "static").length,
-    runtime: graph.edges.filter(e => e.verifiedAt === "runtime").length,
-    broken: graph.brokenEdges.length,
-    total: totalPossibleEdges,
-    percent: totalPossibleEdges > 0
-      ? Math.round((graph.edges.length / totalPossibleEdges) * 100)
-      : 100
-  };
-  return graph;
-}
-function determineSeverity(edge) {
-  // Missing routes are always BLOCK
-  if (edge.toRoute) return "BLOCK";
-  // Unresolved function calls are WARN
-  if (edge.to?.startsWith("unresolved_")) return "WARN";
-  return "WARN";
-}
-/**
- * Merge runtime verification results into graph
- */
-function mergeRuntimeResults(graph, runtimeResults) {
-  const updatedGraph = { ...graph };
-  for (const result of runtimeResults) {
-    // Find edge that matches this runtime result
-    const edge = updatedGraph.edges.find(e =>
-      e.to?.includes(result.path) ||
-      (e.type === "calls_route" && e.toRoute?.path === result.path)
-    );
-    if (edge) {
-      edge.verifiedAt = "runtime";
-      edge.runtimeData = {
-        status: result.status,
-        latencyMs: result.latencyMs,
-        error: result.error
-      };
-      // Check for runtime failures
-      if (result.status >= 400) {
-        const brokenEdge = {
-          edge: { ...edge },
-          reason: `Route returns ${result.status} at runtime`,
-          severity: result.status >= 500 ? "BLOCK" : "WARN",
-          runtimeData: edge.runtimeData
-        };
-        // Move to broken edges
-        updatedGraph.brokenEdges.push(brokenEdge);
-        updatedGraph.edges = updatedGraph.edges.filter(e => e.id !== edge.id);
-      }
-    }
-  }
-  // Recalculate coverage
-  const totalPossibleEdges = updatedGraph.edges.length + updatedGraph.brokenEdges.length;
-  updatedGraph.coverage = {
-    static: updatedGraph.edges.filter(e => e.verifiedAt === "static").length,
-    runtime: updatedGraph.edges.filter(e => e.verifiedAt === "runtime").length,
-    broken: updatedGraph.brokenEdges.length,
-    total: totalPossibleEdges,
-    percent: totalPossibleEdges > 0
-      ? Math.round((updatedGraph.edges.length / totalPossibleEdges) * 100)
-      : 100
-  };
-  return updatedGraph;
-}
-/**
- * Compute graph diff between two graphs
- */
-function computeGraphDiff(before, after) {
-  const diff = {
-    nodesAdded: [],
-    nodesRemoved: [],
-    edgesAdded: [],
-    edgesRemoved: [],
-    edgesFixed: [],
-    edgesBroken: []
-  };
-  const beforeNodeIds = new Set(before.nodes.map(n => n.id));
-  const afterNodeIds = new Set(after.nodes.map(n => n.id));
-  for (const n of after.nodes) {
-    if (!beforeNodeIds.has(n.id)) diff.nodesAdded.push(n);
-  }
-  for (const n of before.nodes) {
-    if (!afterNodeIds.has(n.id)) diff.nodesRemoved.push(n);
-  }
-  const beforeEdgeIds = new Set(before.edges.map(e => e.id));
-  const afterEdgeIds = new Set(after.edges.map(e => e.id));
-  const beforeBrokenIds = new Set(before.brokenEdges.map(e => e.edge.id));
-  const afterBrokenIds = new Set(after.brokenEdges.map(e => e.edge.id));
-  for (const e of after.edges) {
-    if (!beforeEdgeIds.has(e.id)) {
-      if (beforeBrokenIds.has(e.id)) {
-        diff.edgesFixed.push(e);
-      } else {
-        diff.edgesAdded.push(e);
-      }
-    }
-  }
-  for (const e of before.edges) {
-    if (!afterEdgeIds.has(e.id)) {
-      if (afterBrokenIds.has(e.id)) {
-        diff.edgesBroken.push(e);
-      } else {
-        diff.edgesRemoved.push(e);
-      }
-    }
-  }
-  return diff;
-}
-/**
- * Get findings from broken edges
- */
-function getFindingsFromGraph(graph) {
-  const findings = [];
-  for (const broken of graph.brokenEdges) {
-    const finding = {
-      id: `GRAPH_${broken.edge.id}`,
-      severity: broken.severity,
-      category: "BrokenEdge",
-      title: broken.reason,
-      evidence: [],
-      graphEdge: broken.edge
-    };
-    if (broken.route) {
-      finding.title = `Route ${broken.route.method} ${broken.route.path} referenced but doesn't exist`;
-      finding.category = "MissingRoute";
-    }
-    if (broken.runtimeData) {
-      finding.title = `Route returns ${broken.runtimeData.status} at runtime`;
-      finding.category = "RuntimeFailure";
-      if (broken.runtimeData.status === 401) {
-        finding.title = "UI shows success but server returned 401 (auth required)";
-        finding.category = "CausalContradiction";
-      }
-    }
-    findings.push(finding);
-  }
-  return findings;
-}
-module.exports = {
-  buildProofGraph,
-  mergeRuntimeResults,
-  computeGraphDiff,
-  getFindingsFromGraph
-};
+/**
+ * Graph Builder
+ * Builds the complete ProofGraph from static and runtime edges
+ */
+"use strict";
+const crypto = require("crypto");
+function sha256(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
+}
+/**
+ * Build ProofGraph from extracted nodes and edges
+ */
+function buildProofGraph({ nodes, edges, runtimeEdges = [], meta = {} }) {
+  const graph = {
+    meta: {
+      version: "1.0.0",
+      generatedAt: new Date().toISOString(),
+      commit: meta.commit || process.env.VIBECHECK_COMMIT_SHA || "unknown",
+      ...meta
+    },
+    nodes: [],
+    edges: [],
+    brokenEdges: [],
+    coverage: {
+      static: 0,
+      runtime: 0,
+      total: 0
+    }
+  };
+  // Dedupe and add nodes
+  const nodeMap = new Map();
+  for (const n of nodes) {
+    if (!nodeMap.has(n.id)) {
+      nodeMap.set(n.id, n);
+    }
+  }
+  graph.nodes = Array.from(nodeMap.values());
+  // Process edges, separate broken ones
+  const brokenEdges = [];
+  const validEdges = [];
+  for (const edge of edges) {
+    if (edge.broken) {
+      brokenEdges.push({
+        edge: {
+          id: edge.id,
+          from: edge.from,
+          to: edge.to,
+          type: edge.type,
+          confidence: edge.confidence || "low"
+        },
+        reason: edge.brokenReason || "Edge target not found",
+        severity: determineSeverity(edge),
+        route: edge.toRoute || null
+      });
+    } else {
+      validEdges.push({
+        id: edge.id,
+        from: edge.from,
+        to: edge.to,
+        type: edge.type,
+        confidence: edge.confidence || "med",
+        verifiedAt: "static"
+      });
+    }
+  }
+  // Add runtime edges
+  for (const re of runtimeEdges) {
+    const existing = validEdges.find(e => e.from === re.from && e.to === re.to);
+    if (existing) {
+      existing.verifiedAt = "runtime";
+      existing.runtimeData = re.data;
+    } else {
+      validEdges.push({
+        id: re.id || `runtime_${sha256(re.from + re.to)}`,
+        from: re.from,
+        to: re.to,
+        type: re.type || "runtime",
+        confidence: "high",
+        verifiedAt: "runtime",
+        runtimeData: re.data
+      });
+    }
+  }
+  graph.edges = validEdges;
+  graph.brokenEdges = brokenEdges;
+  // Calculate coverage
+  const totalPossibleEdges = graph.edges.length + graph.brokenEdges.length;
+  graph.coverage = {
+    static: graph.edges.filter(e => e.verifiedAt === "static").length,
+    runtime: graph.edges.filter(e => e.verifiedAt === "runtime").length,
+    broken: graph.brokenEdges.length,
+    total: totalPossibleEdges,
+    percent: totalPossibleEdges > 0
+      ? Math.round((graph.edges.length / totalPossibleEdges) * 100)
+      : 100
+  };
+  return graph;
+}
+function determineSeverity(edge) {
+  // Missing routes are always BLOCK
+  if (edge.toRoute) return "BLOCK";
+  // Unresolved function calls are WARN
+  if (edge.to?.startsWith("unresolved_")) return "WARN";
+  return "WARN";
+}
+/**
+ * Merge runtime verification results into graph
+ */
+function mergeRuntimeResults(graph, runtimeResults) {
+  const updatedGraph = { ...graph };
+  for (const result of runtimeResults) {
+    // Find edge that matches this runtime result
+    const edge = updatedGraph.edges.find(e =>
+      e.to?.includes(result.path) ||
+      (e.type === "calls_route" && e.toRoute?.path === result.path)
+    );
+    if (edge) {
+      edge.verifiedAt = "runtime";
+      edge.runtimeData = {
+        status: result.status,
+        latencyMs: result.latencyMs,
+        error: result.error
+      };
+      // Check for runtime failures
+      if (result.status >= 400) {
+        const brokenEdge = {
+          edge: { ...edge },
+          reason: `Route returns ${result.status} at runtime`,
+          severity: result.status >= 500 ? "BLOCK" : "WARN",
+          runtimeData: edge.runtimeData
+        };
+        // Move to broken edges
+        updatedGraph.brokenEdges.push(brokenEdge);
+        updatedGraph.edges = updatedGraph.edges.filter(e => e.id !== edge.id);
+      }
+    }
+  }
+  // Recalculate coverage
+  const totalPossibleEdges = updatedGraph.edges.length + updatedGraph.brokenEdges.length;
+  updatedGraph.coverage = {
+    static: updatedGraph.edges.filter(e => e.verifiedAt === "static").length,
+    runtime: updatedGraph.edges.filter(e => e.verifiedAt === "runtime").length,
+    broken: updatedGraph.brokenEdges.length,
+    total: totalPossibleEdges,
+    percent: totalPossibleEdges > 0
+      ? Math.round((updatedGraph.edges.length / totalPossibleEdges) * 100)
+      : 100
+  };
+  return updatedGraph;
+}
+/**
+ * Compute graph diff between two graphs
+ */
+function computeGraphDiff(before, after) {
+  const diff = {
+    nodesAdded: [],
+    nodesRemoved: [],
+    edgesAdded: [],
+    edgesRemoved: [],
+    edgesFixed: [],
+    edgesBroken: []
+  };
+  const beforeNodeIds = new Set(before.nodes.map(n => n.id));
+  const afterNodeIds = new Set(after.nodes.map(n => n.id));
+  for (const n of after.nodes) {
+    if (!beforeNodeIds.has(n.id)) diff.nodesAdded.push(n);
+  }
+  for (const n of before.nodes) {
+    if (!afterNodeIds.has(n.id)) diff.nodesRemoved.push(n);
+  }
+  const beforeEdgeIds = new Set(before.edges.map(e => e.id));
+  const afterEdgeIds = new Set(after.edges.map(e => e.id));
+  const beforeBrokenIds = new Set(before.brokenEdges.map(e => e.edge.id));
+  const afterBrokenIds = new Set(after.brokenEdges.map(e => e.edge.id));
+  for (const e of after.edges) {
+    if (!beforeEdgeIds.has(e.id)) {
+      if (beforeBrokenIds.has(e.id)) {
+        diff.edgesFixed.push(e);
+      } else {
+        diff.edgesAdded.push(e);
+      }
+    }
+  }
+  for (const e of before.edges) {
+    if (!afterEdgeIds.has(e.id)) {
+      if (afterBrokenIds.has(e.id)) {
+        diff.edgesBroken.push(e);
+      } else {
+        diff.edgesRemoved.push(e);
+      }
+    }
+  }
+  return diff;
+}
+/**
+ * Get findings from broken edges
+ */
+function getFindingsFromGraph(graph) {
+  const findings = [];
+  for (const broken of graph.brokenEdges) {
+    const finding = {
+      id: `GRAPH_${broken.edge.id}`,
+      severity: broken.severity,
+      category: "BrokenEdge",
+      title: broken.reason,
+      evidence: [],
+      graphEdge: broken.edge
+    };
+    if (broken.route) {
+      finding.title = `Route ${broken.route.method} ${broken.route.path} referenced but doesn't exist`;
+      finding.category = "MissingRoute";
+    }
+    if (broken.runtimeData) {
+      finding.title = `Route returns ${broken.runtimeData.status} at runtime`;
+      finding.category = "RuntimeFailure";
+      if (broken.runtimeData.status === 401) {
+        finding.title = "UI shows success but server returned 401 (auth required)";
+        finding.category = "CausalContradiction";
+      }
+    }
+    findings.push(finding);
+  }
+  return findings;
+}
+module.exports = {
+  buildProofGraph,
+  mergeRuntimeResults,
+  computeGraphDiff,
+  getFindingsFromGraph
+};