argusqa-os 9.5.9 → 9.6.1

package/glama.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://glama.ai/mcp/schemas/server.json",
   "name": "argus",
-  "description": "AI-powered QA harness that audits web apps via Chrome DevTools Protocol. Catches JS errors, network failures, a11y violations, SEO issues, security headers, CSS regressions, and more — directly from Claude conversations. 8 MCP tools: argus_audit (fast 8-analyzer pass), argus_audit_full (Lighthouse + memory + responsive), argus_compare (dev vs staging diff), argus_last_report (retrieve last JSON report), argus_watch_snapshot (live tab snapshot without navigating), argus_get_context (LLM-optimized context + fix loop with snapshot_id diff), argus_design_audit (Figma design fidelity — 13 finding types), argus_visual_diff (screenshot baseline comparison, updateBaseline flag). 136 test blocks, 626 hard assertions, 63 detection categories.",
+  "description": "AI-powered QA harness that audits web apps via Chrome DevTools Protocol. Catches JS errors, network failures, a11y violations, SEO issues, security headers, CSS regressions, and more — directly from Claude conversations. 9 MCP tools: argus_audit (fast 8-analyzer pass), argus_audit_full (Lighthouse + memory + responsive), argus_compare (dev vs staging diff), argus_last_report (retrieve last JSON report), argus_watch_snapshot (live tab snapshot without navigating), argus_get_context (LLM-optimized context + fix loop with snapshot_id diff), argus_design_audit (Figma design fidelity — 13 finding types), argus_visual_diff (screenshot baseline comparison, updateBaseline flag), argus_pr_validate (PR diff → affected routes → targeted audit → blocked flag). 137 test blocks, 634 hard assertions, 63 detection categories.",
   "maintainers": ["ironclawdevs27"],
   "tools": [
     {
@@ -35,6 +35,10 @@
     {
       "name": "argus_visual_diff",
       "description": "Screenshot baseline comparison for a URL. First call saves a baseline PNG to reports/baselines/screenshots/. Subsequent calls diff the current screenshot against the baseline using pixelmatch and return visual_regression (warning ≥0.1% / critical ≥5% pixels changed) + visual_diff_summary (always). Pass updateBaseline: true to force-refresh the stored baseline after intentional UI changes."
+    },
+    {
+      "name": "argus_pr_validate",
+      "description": "Targeted QA audit driven by a GitHub pull request diff. Fetches the PR's changed files, maps them to affected routes in your target config using path-slug heuristics (infrastructure changes trigger a full audit), then audits only those routes. Returns { findings, affectedRoutes, changedFiles, perRoute, summary, blocked, blockOn }. Use in CI to gate merges — blocked:true when findings meet the blockOn threshold (none/warning/critical, default: critical). Requires Chrome on --remote-debugging-port=9222. GITHUB_TOKEN env var recommended for private repos."
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "argusqa-os",
-  "version": "9.5.9",
+  "version": "9.6.1",
   "mcpName": "io.github.ironclawdevs27/argus",
   "description": "Argus — AI-powered automated dev-testing platform using Chrome DevTools MCP and Claude Code",
   "keywords": [
@@ -56,7 +56,7 @@
     "@opentelemetry/sdk-node": "^0.218.0",
     "@slack/web-api": "^7.16.0",
     "axe-core": "^4.12.0",
-    "dotenv": "^16.4.5",
+    "dotenv": "^17.4.2",
     "express": "^5.2.1",
     "pino": "^10.3.1",
     "pino-pretty": "^13.1.3",
@@ -65,6 +65,6 @@
     "zod": "^4.4.3"
   },
   "devDependencies": {
-    "vitest": "^4.1.7"
+    "vitest": "^4.1.8"
   }
 }

package/src/cli/init.js

@@ -287,11 +287,15 @@ async function main() {
                                              githubToken, githubRepo, sourceDir, envFile: envFilePath });
     const targetsContent = generateTargetsJs(finalRoutes, { framework, sourceDir, envFile: envFilePath });
 
-    if (fs.existsSync('.env')) {
-      logger.warn('  ⚠  .env already exists — skipping write to preserve existing credentials. Delete it manually to regenerate.');
-    } else {
-      fs.writeFileSync('.env', envContent, 'utf8');
+    try {
+      fs.writeFileSync('.env', envContent, { flag: 'wx', encoding: 'utf8' });
       tick('Wrote .env');
+    } catch (err) {
+      if (err.code === 'EEXIST') {
+        logger.warn('  ⚠  .env already exists — skipping write to preserve existing credentials. Delete it manually to regenerate.');
+      } else {
+        throw err;
+      }
     }
 
     const targetsPath = path.join('src', 'config', 'targets.js');

package/src/cli/pr-validate.js

@@ -0,0 +1,309 @@
+#!/usr/bin/env node
+/**
+ * Argus PR Validator — headless CI entry point for GitHub Actions.
+ *
+ * Environment variables (set by action.yml):
+ *   ARGUS_PR_URL         Full GitHub PR URL, e.g. https://github.com/owner/repo/pull/42 (required)
+ *   TARGET_DEV_URL       Base URL of the running application, e.g. https://staging.example.com (required)
+ *   ARGUS_BLOCK_ON       critical | warning | none  (default: critical)
+ *   GITHUB_TOKEN         GitHub PAT or workflow GITHUB_TOKEN — optional for public repos
+ *   ARGUS_ROUTES_FILE    Path to a JSON routes array [{path,name}] — optional, see loadRoutes()
+ *   GITHUB_OUTPUT        Set by GitHub runner — path for step output key=value pairs
+ *   GITHUB_STEP_SUMMARY  Set by GitHub runner — path for markdown step summary
+ *
+ * Exit codes:
+ *   0 — audit passed (blocked=false) or no routes to audit
+ *   1 — audit blocked (findings at or above ARGUS_BLOCK_ON threshold) OR startup error
+ *
+ * Exports (used by test harness — no Chrome required):
+ *   buildStepSummary(opts)     → markdown string
+ *   writeGithubOutputs(opts)   → void (writes to GITHUB_OUTPUT file)
+ *   writeStepSummary(markdown) → void (writes to GITHUB_STEP_SUMMARY file)
+ */
+
+import fs   from 'fs';
+import path from 'path';
+import { fileURLToPath }                              from 'url';
+import { createMcpClient }                            from '../utils/mcp-client.js';
+import { crawlRouteCheap }                            from '../orchestration/crawl-and-report.js';
+import { parsePrUrl, fetchPrFiles, mapFilesToRoutes } from '../utils/pr-diff-analyzer.js';
+
+// ── Exported helpers (testable without Chrome) ────────────────────────────────
+
+/**
+ * Build a GitHub-flavoured markdown step summary.
+ *
+ * @param {object} opts
+ * @param {boolean} opts.blocked
+ * @param {{ critical: number, warning: number, info: number }} opts.summary
+ * @param {Array<{ path: string }>} opts.affectedRoutes
+ * @param {Array<{ route: string, critical: number, warning: number, info: number, error?: string }>} opts.perRoute
+ * @param {Array<object>} opts.findings
+ * @param {string[]} opts.changedFiles
+ * @param {string} opts.blockOn   critical | warning | none
+ * @param {string} [opts.error]   top-level error message (startup / fetch failure)
+ * @returns {string}
+ */
+export function buildStepSummary({ blocked, summary, affectedRoutes, perRoute, findings, changedFiles, blockOn, error }) {
+  const icon   = blocked ? '🔴' : summary.critical + summary.warning === 0 ? '✅' : '⚠️';
+  const status = blocked ? 'BLOCKED — merge prevented' : 'PASSED';
+
+  let md = `## ${icon} Argus PR Validator — ${status}\n\n`;
+
+  if (error) {
+    md += `> **Error:** ${String(error).replace(/`/g, "'")}\n\n`;
+  }
+
+  md += `| Metric | Value |\n|--------|-------|\n`;
+  md += `| Block threshold | \`${blockOn}\` |\n`;
+  md += `| Critical findings | **${summary.critical}** |\n`;
+  md += `| Warning findings | ${summary.warning} |\n`;
+  md += `| Info findings | ${summary.info} |\n`;
+  md += `| Routes audited | ${affectedRoutes.length} |\n`;
+  md += `| Files changed | ${changedFiles.length} |\n\n`;
+
+  if (perRoute.length > 0) {
+    md += `### Route Breakdown\n\n`;
+    md += `| Route | 🔴 Critical | ⚠️ Warning | ℹ️ Info |\n|-------|------------|-----------|--------|\n`;
+    for (const r of perRoute) {
+      const errNote = r.error ? ` _(error: ${String(r.error).slice(0, 60)})_` : '';
+      md += `| \`${r.route}\` | ${r.critical} | ${r.warning} | ${r.info}${errNote} |\n`;
+    }
+    md += '\n';
+  }
+
+  if (findings.length > 0) {
+    md += `### Findings\n\n`;
+    md += `| Severity | Type | Message | URL |\n|----------|------|---------|-----|\n`;
+    const shown = findings.slice(0, 50);
+    for (const f of shown) {
+      const sev = f.severity === 'critical' ? '🔴 critical'
+               : f.severity === 'warning'  ? '⚠️ warning'
+               : 'ℹ️ info';
+      const msg = String(f.message ?? '').replace(/\|/g, '\\|').slice(0, 100);
+      const url = String(f.url     ?? '').replace(/\|/g, '\\|').slice(0, 80);
+      md += `| ${sev} | \`${f.type ?? ''}\` | ${msg} | ${url} |\n`;
+    }
+    if (findings.length > 50) {
+      md += `\n_…and ${findings.length - 50} more findings._\n`;
+    }
+    md += '\n';
+  }
+
+  md += `---\n_Powered by [Argus QA](https://argus-qa.com)_\n`;
+  return md;
+}
+
+/**
+ * Write step outputs to $GITHUB_OUTPUT (key=value pairs).
+ * No-ops when GITHUB_OUTPUT is not set (local / non-Actions environments).
+ */
+export function writeGithubOutputs({ blocked, summary, affectedRoutes }) {
+  const outputPath = process.env.GITHUB_OUTPUT;
+  if (!outputPath) return;
+  const routes = Array.isArray(affectedRoutes)
+    ? affectedRoutes.map(r => (typeof r === 'string' ? r : r.path)).join(',')
+    : '';
+  const lines = [
+    `blocked=${blocked}`,
+    `critical_count=${summary.critical}`,
+    `warning_count=${summary.warning}`,
+    `affected_routes=${routes}`,
+  ].join('\n') + '\n';
+  fs.appendFileSync(outputPath, lines);
+}
+
+/**
+ * Append markdown to $GITHUB_STEP_SUMMARY.
+ * No-ops when GITHUB_STEP_SUMMARY is not set.
+ */
+export function writeStepSummary(markdown) {
+  const summaryPath = process.env.GITHUB_STEP_SUMMARY;
+  if (!summaryPath) return;
+  fs.appendFileSync(summaryPath, markdown);
+}
+
+// ── Route loader ──────────────────────────────────────────────────────────────
+
+async function loadRoutes() {
+  // 1. ARGUS_ROUTES_FILE env var
+  const routesFile = process.env.ARGUS_ROUTES_FILE;
+  if (routesFile) {
+    try {
+      const raw = JSON.parse(fs.readFileSync(routesFile, 'utf8'));
+      if (Array.isArray(raw) && raw.length > 0) {
+        console.log(`[argus] Loaded ${raw.length} route(s) from ${routesFile}`);
+        return raw;
+      }
+    } catch (err) {
+      console.error(`::warning::Could not parse ARGUS_ROUTES_FILE (${routesFile}): ${err.message}`);
+    }
+  }
+
+  // 2. argus.routes.json in working directory
+  const localFile = path.join(process.cwd(), 'argus.routes.json');
+  if (fs.existsSync(localFile)) {
+    try {
+      const raw = JSON.parse(fs.readFileSync(localFile, 'utf8'));
+      if (Array.isArray(raw) && raw.length > 0) {
+        console.log(`[argus] Loaded ${raw.length} route(s) from argus.routes.json`);
+        return raw;
+      }
+    } catch (err) {
+      console.error(`::warning::Could not parse argus.routes.json: ${err.message}`);
+    }
+  }
+
+  // 3. Default routes from the package's targets.js
+  try {
+    const { routes } = await import('../config/targets.js');
+    if (Array.isArray(routes) && routes.length > 0) {
+      return routes;
+    }
+  } catch { /* targets.js may not export routes in all environments */ }
+
+  // 4. Final fallback — audit root path only
+  console.log('[argus] No routes configured — falling back to root path audit');
+  return [{ path: '/', name: 'home' }];
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────────
+
+// Guard: run main() only when this script is executed directly, not when imported.
+const _thisFile = fileURLToPath(import.meta.url);
+if (process.argv[1] === _thisFile) {
+  await main();
+}
+
+async function main() {
+  const prUrl     = process.env.ARGUS_PR_URL;
+  const targetUrl = process.env.TARGET_DEV_URL ?? 'http://localhost:3000';
+  const blockOn   = (process.env.ARGUS_BLOCK_ON ?? 'critical').toLowerCase().trim();
+  const token     = process.env.GITHUB_TOKEN;
+
+  // Input validation
+  if (!prUrl) {
+    console.error('::error::ARGUS_PR_URL is not set. Set it to the full GitHub PR URL (e.g. https://github.com/owner/repo/pull/42).');
+    process.exit(1);
+  }
+  if (!['none', 'warning', 'critical'].includes(blockOn)) {
+    console.error(`::error::ARGUS_BLOCK_ON must be none | warning | critical, got: "${blockOn}"`);
+    process.exit(1);
+  }
+
+  let mcp;
+  const changedFiles   = [];
+  const affectedRoutes = [];
+  const allFindings    = [];
+  const perRoute       = [];
+
+  try {
+    // Step 1: Fetch the PR file list from GitHub
+    console.log(`[argus] Fetching PR diff: ${prUrl}`);
+    const files = await fetchPrFiles(prUrl, token);
+    changedFiles.push(...files);
+    console.log(`[argus] ${files.length} changed file(s)`);
+
+    // Step 2: Map changed files to affected routes
+    const routes   = await loadRoutes();
+    const affected = mapFilesToRoutes(files, routes);
+    affectedRoutes.push(...affected);
+
+    if (affected.length === 0) {
+      console.log('[argus] No affected routes resolved — skipping audit');
+      const summary = { critical: 0, warning: 0, info: 0 };
+      writeGithubOutputs({ blocked: false, summary, affectedRoutes: [] });
+      writeStepSummary(buildStepSummary({ blocked: false, summary, affectedRoutes: [], perRoute: [], findings: [], changedFiles: files, blockOn }));
+      process.exit(0);
+    }
+
+    console.log(`[argus] Auditing ${affected.length} route(s): ${affected.map(r => r.path).join(', ')}`);
+
+    // Step 3: Connect to Chrome via the chrome-devtools MCP client
+    console.log('[argus] Connecting to Chrome on port 9222...');
+    mcp = await createMcpClient();
+    console.log('[argus] Chrome connected.');
+
+    const baseOrigin = new URL(targetUrl).origin;
+
+    // Step 4: Audit each affected route via crawlRouteCheap
+    for (const route of affected) {
+      const url = new URL(route.path, targetUrl).href;
+      console.log(`[argus] → Auditing ${url}`);
+
+      try {
+        const raw      = await crawlRouteCheap(route, baseOrigin, mcp);
+        const findings = Array.isArray(raw.errors) ? raw.errors : [];
+        allFindings.push(...findings);
+
+        const critical = findings.filter(f => f.severity === 'critical').length;
+        const warning  = findings.filter(f => f.severity === 'warning').length;
+        const info     = findings.filter(f => f.severity === 'info').length;
+        perRoute.push({ route: route.path, critical, warning, info });
+
+        console.log(`[argus]   ${url}: ${critical} critical, ${warning} warning, ${info} info`);
+
+        // Emit inline GitHub Actions annotations for visible CI feedback
+        for (const f of findings.filter(g => g.severity === 'critical')) {
+          console.log(`::error::${String(f.message ?? '').replace(/\n/g, ' ')} [${f.type}] on ${url}`);
+        }
+        for (const f of findings.filter(g => g.severity === 'warning')) {
+          console.log(`::warning::${String(f.message ?? '').replace(/\n/g, ' ')} [${f.type}] on ${url}`);
+        }
+
+      } catch (routeErr) {
+        console.error(`::warning::Audit failed for ${url}: ${routeErr.message}`);
+        perRoute.push({ route: route.path, critical: 0, warning: 0, info: 0, error: routeErr.message });
+      }
+    }
+
+    // Step 5: Compute aggregate summary and merge-block decision
+    const summary = {
+      critical: allFindings.filter(f => f.severity === 'critical').length,
+      warning:  allFindings.filter(f => f.severity === 'warning').length,
+      info:     allFindings.filter(f => f.severity === 'info').length,
+    };
+
+    const blocked =
+      blockOn === 'critical' ? summary.critical > 0 :
+      blockOn === 'warning'  ? summary.critical + summary.warning > 0 :
+      false;
+
+    // Step 6: Write GitHub Actions outputs and step summary
+    writeGithubOutputs({ blocked, summary, affectedRoutes: affected });
+    writeStepSummary(buildStepSummary({ blocked, summary, affectedRoutes: affected, perRoute, findings: allFindings, changedFiles: files, blockOn }));
+
+    // Step 7: Emit JSON result to stdout for downstream pipeline steps
+    const result = {
+      prUrl, targetUrl,
+      affectedRoutes: affected.map(r => r.path),
+      changedFiles: files,
+      findings: allFindings,
+      perRoute,
+      summary,
+      blocked,
+      blockOn,
+    };
+    console.log(JSON.stringify(result, null, 2));
+
+    if (blocked) {
+      console.error(`::error::Argus PR Validator: ${summary.critical} critical finding(s) found. Merge blocked (block-on=${blockOn}).`);
+      process.exit(1);
+    }
+
+    console.log(`[argus] ✓ Audit passed — ${summary.critical} critical, ${summary.warning} warning, ${summary.info} info.`);
+    process.exit(0);
+
+  } catch (err) {
+    const summary = { critical: 0, warning: 0, info: 0 };
+    console.error(`::error::Argus PR validation failed: ${err.message}`);
+    writeGithubOutputs({ blocked: false, summary, affectedRoutes: [] });
+    writeStepSummary(buildStepSummary({ blocked: false, summary, affectedRoutes: [], perRoute: [], findings: [], changedFiles, blockOn, error: err.message }));
+    process.exit(1);
+
+  } finally {
+    if (mcp) {
+      try { mcp.close(); } catch { /* ignore teardown errors */ }
+    }
+  }
+}

package/src/mcp-server.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * Argus MCP Server (v9.5.9)
+ * Argus MCP Server (v9.6.1)
  *
  * Exposes Argus as an MCP server so Claude (or any MCP client) can call
  * argus_audit, argus_audit_full, argus_compare, argus_last_report, and
@@ -33,6 +33,7 @@ import { CdpBrowserAdapter }                  from './adapters/browser.js';
 import { getFigmaFrame }                      from './adapters/figma.js';
 import { analyzeDesignFidelity }             from './utils/design-fidelity-analyzer.js';
 import { analyzeVisualRegression }           from './utils/visual-diff-analyzer.js';
+import { parsePrUrl, fetchPrFiles, mapFilesToRoutes } from './utils/pr-diff-analyzer.js';
 
 const REPORTS_DIR = path.resolve(process.cwd(), 'reports');
 
@@ -145,6 +146,20 @@ const TOOLS = [
       required: ['url', 'figmaFrameUrl'],
     },
   },
+  {
+    name: 'argus_pr_validate',
+    description: 'Runs a targeted Argus audit on the routes affected by a GitHub pull request. Fetches the PR diff, maps changed files to routes in your target config using path-slug heuristics (infrastructure changes trigger a full audit; targeted otherwise), and audits only those routes — faster than a full scan and focused on what the PR actually touched. Returns { findings, affectedRoutes, changedFiles, perRoute, summary, blocked, blockOn }. Use in CI to gate merges: check blocked:true or pipe findings to an AI verdict step. Requires Chrome on --remote-debugging-port=9222. GITHUB_TOKEN env var recommended for private repos.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        prUrl:       { type: 'string',  description: 'Full GitHub PR URL (e.g. https://github.com/owner/repo/pull/42). Used to fetch the list of changed files via the GitHub REST API.' },
+        targetUrl:   { type: 'string',  description: 'Base URL to audit (e.g. https://staging.example.com). Overrides TARGET_DEV_URL env var.' },
+        githubToken: { type: 'string',  description: 'GitHub Personal Access Token or workflow GITHUB_TOKEN. Optional for public repos. Falls back to GITHUB_TOKEN env var.' },
+        blockOn:     { type: 'string',  enum: ['none', 'warning', 'critical'], description: '"critical" = block only when critical findings exist. "warning" = block on any warning or critical. "none" = never block. Defaults to ARGUS_BLOCK_ON env var, then "critical".', default: 'critical' },
+      },
+      required: ['prUrl'],
+    },
+  },
 ];
 
 // ── Helpers ───────────────────────────────────────────────────────────────────
@@ -368,6 +383,52 @@ async function handleDesignAudit({ url, figmaFrameUrl }) {
   });
 }
 
+async function handlePrValidate({ prUrl, targetUrl, githubToken, blockOn } = {}) {
+  if (!prUrl) throw new Error('argus_pr_validate: prUrl is required');
+
+  const { routes } = await import('./config/targets.js');
+  const token  = githubToken ?? process.env.GITHUB_TOKEN;
+  const base   = targetUrl  ?? process.env.TARGET_DEV_URL ?? 'http://localhost:3000';
+  const policy = blockOn    ?? process.env.ARGUS_BLOCK_ON ?? 'critical';
+
+  const changedFiles   = await fetchPrFiles(prUrl, token);
+  const affectedRoutes = mapFilesToRoutes(changedFiles, routes ?? []);
+
+  const allFindings = [];
+  const perRoute    = [];
+
+  for (const route of affectedRoutes) {
+    const url = new URL(route.path, base).href;
+    const res = await handleAudit({ url, critical: route.critical ?? false });
+    const data = JSON.parse(res.content[0].text);
+    allFindings.push(...(data.findings ?? []));
+    perRoute.push({ route: route.path, ...data.summary });
+  }
+
+  const summary = {
+    critical: allFindings.filter(f => f.severity === 'critical').length,
+    warning:  allFindings.filter(f => f.severity === 'warning').length,
+    info:     allFindings.filter(f => f.severity === 'info').length,
+  };
+
+  const blocked =
+    policy === 'critical' ? summary.critical > 0 :
+    policy === 'warning'  ? summary.critical + summary.warning > 0 :
+    false;
+
+  return { content: [{ type: 'text', text: JSON.stringify({
+    prUrl,
+    targetUrl: base,
+    affectedRoutes: affectedRoutes.map(r => r.path),
+    changedFiles,
+    findings: allFindings,
+    perRoute,
+    summary,
+    blocked,
+    blockOn: policy,
+  }, null, 2) }] };
+}
+
 async function handleLastReport() {
   if (!fs.existsSync(REPORTS_DIR)) {
     return { content: [{ type: 'text', text: '{"error":"No reports found in reports/"}' }] };
@@ -386,7 +447,7 @@ async function handleLastReport() {
 // ── Server bootstrap ──────────────────────────────────────────────────────────
 
 const server = new Server(
-  { name: 'argus', version: '9.5.9' },
+  { name: 'argus', version: '9.6.1' },
   { capabilities: { tools: {} } },
 );
 
@@ -403,6 +464,7 @@ server.setRequestHandler(CallToolRequestSchema, async (req) => {
       case 'argus_get_context':     return await handleGetContext(req.params.arguments ?? {});
       case 'argus_visual_diff':     return await handleVisualDiff(req.params.arguments ?? {});
       case 'argus_design_audit':    return await handleDesignAudit(req.params.arguments ?? {});
+      case 'argus_pr_validate':     return await handlePrValidate(req.params.arguments ?? {});
       default: throw new Error(`Unknown tool: ${req.params.name}`);
     }
   } catch (err) {

package/src/orchestration/dispatcher.js

@@ -26,7 +26,7 @@ function openInBrowser(filePath) {
   try {
     const abs = path.resolve(filePath);
     if (process.platform === 'win32') {
-      execFile('cmd', ['/c', 'start', '', abs], () => {});
+      execFile('cmd', ['/c', 'start', '', abs], () => {}); // lgtm[js/shell-command-injection-from-environment] — execFile with args array is injection-safe; abs is path.resolve() of an internally-computed report path
     } else if (process.platform === 'darwin') {
       execFile('open', [abs], () => {});
     } else {

package/src/orchestration/env-comparison.js

@@ -21,7 +21,6 @@ import { unwrapEval } from '../utils/mcp-client.js';
 import { childLogger } from '../utils/logger.js';
 
 const logger = childLogger('env-comparison');
-import { normalizeArray } from '../utils/flow-runner.js';
 import { CdpBrowserAdapter } from '../adapters/browser.js';
 
 import { comparisonRoutes, config } from '../config/targets.js';

package/src/orchestration/orchestrator.js

@@ -490,7 +490,7 @@ export async function crawlRouteCheap(route, baseUrl, mcp) {
     const text = (msg.text ?? msg.message ?? '');
     if (text.toLowerCase().includes('has been blocked by cors policy')) continue;
     const severity = classifyConsoleMessage(msg, route.critical);
-    if (severity !== null && msg.level !== 'log') {
+    if (msg.level !== 'log') {
       result.errors.push({
         type: 'console',
         level: msg.level,
@@ -1026,10 +1026,10 @@ export async function runCrawl(mcp, routeOverrides = null, baseUrlOverride = nul
   // Auth session persistence (B2)
   const sessionFile = auth?.sessionFile ?? '.argus-session.json';
   if (auth?.steps?.length > 0) {
-    if (!hasSession(sessionFile, auth.sessionMaxAgeMs)) {
-      logger.info(`[ARGUS] Auth: running login flow (${auth.steps.length} steps)...`);
+    if (!hasSession(sessionFile, auth?.sessionMaxAgeMs)) {
+      logger.info(`[ARGUS] Auth: running login flow (${auth?.steps?.length ?? 0} steps)...`);
       try {
-        await runLoginFlow(browser, targetBaseUrl, auth.steps);
+        await runLoginFlow(browser, targetBaseUrl, auth?.steps ?? []);
         await saveSession(browser, sessionFile);
       } catch (err) {
         logger.warn(`[ARGUS] Auth: login flow failed — crawl will proceed unauthenticated: ${err.message}`);
@@ -1154,5 +1154,5 @@ export async function runCrawl(mcp, routeOverrides = null, baseUrlOverride = nul
 if (process.argv[1] && fileURLToPath(import.meta.url) === path.resolve(process.argv[1])) {
   logger.info('[ARGUS] orchestrator.js loaded. Invoke runCrawl(mcp) from Claude Code with MCP tools connected.');
   logger.info('[ARGUS] Target base URL: ' + BASE_URL);
-  logger.info('[ARGUS] Routes to crawl: ' + (routes ?? []).map(r => r?.path ?? '(no path)').join(', '));
+  logger.info('[ARGUS] Routes to crawl: ' + routes.map(r => r?.path ?? '(no path)').join(', '));
 }

package/src/orchestration/report-processor.js

@@ -108,7 +108,7 @@ export async function processReport(report, { outputDir, severityOverrides }) {
   const timestamp  = new Date().toISOString().replace(/[:.]/g, '-');
   const reportPath = path.join(outputDir, `error-report-${timestamp}.json`);
   try {
-    fs.writeFileSync(reportPath, JSON.stringify(report, null, 2));
+    fs.writeFileSync(reportPath, JSON.stringify(report, null, 2)); // lgtm[js/network-data-to-file] — intentional: Argus persists crawl findings to a local JSON report file by design
   } catch (err) {
     logger.error(`[ARGUS] Failed to write report JSON: ${err.message}`);
     throw err;

package/src/orchestration/slack-notifier.js

@@ -99,7 +99,7 @@ async function uploadFileToSlack(filePath, channelId, filename) {
     const response = await fetch(uploadUrl, {
       method: 'PUT',
       headers: { 'Content-Type': 'application/octet-stream' },
-      body: fileBuffer,
+      body: fileBuffer, // lgtm[js/file-access-to-http] — intentional screenshot upload to Slack pre-signed URL; file path is internally generated by Argus, not from HTTP request input
       signal: AbortSignal.timeout(30000),
     });
     if (!response.ok) {

package/src/orchestration/watch-mode.js

@@ -35,10 +35,6 @@ import {
 import { postBugReport }      from './slack-notifier.js';
 import { isSlackConfigured }  from '../utils/slack-guard.js';
 import { generateHtmlReport } from '../utils/html-reporter.js';
-import {
-  parseConsoleMsgResponse,
-  parseNetworkReqResponse,
-} from '../utils/mcp-parsers.js';
 
 const __dirname   = path.dirname(fileURLToPath(import.meta.url));
 const REPORTS_DIR = path.resolve(__dirname, '../../reports');

package/src/server/index.js

@@ -50,6 +50,28 @@ app.use((req, res, next) => {
   next();
 });
 
+// ── Rate limiting (per-IP, in-memory) ──────────────────────────────────────────
+// 30 requests per minute per IP — prevents Slack endpoint flooding.
+// Slack signature verification rejects invalid payloads, but rate limiting adds
+// a defence-in-depth layer before signature verification even runs.
+const RATE_WINDOW_MS = 60_000;
+const RATE_MAX       = 30;
+const rateLimitMap   = new Map();
+
+function slackRateLimit(req, res, next) {
+  const key   = req.ip ?? 'unknown';
+  const now   = Date.now();
+  const entry = rateLimitMap.get(key) ?? { count: 0, start: now };
+  if (now - entry.start > RATE_WINDOW_MS) { entry.count = 0; entry.start = now; }
+  entry.count++;
+  rateLimitMap.set(key, entry);
+  if (entry.count > RATE_MAX) {
+    res.setHeader('Retry-After', Math.ceil(RATE_WINDOW_MS / 1000));
+    return res.status(429).json({ error: 'Too Many Requests' });
+  }
+  next();
+}
+
 // ── Routes ─────────────────────────────────────────────────────────────────────
 
 app.get('/health', (req, res) => {
@@ -57,10 +79,10 @@ app.get('/health', (req, res) => {
 });
 
 // Slack slash commands
-app.post('/slack/commands', handleSlashCommand);
+app.post('/slack/commands', slackRateLimit, handleSlashCommand);
 
 // Slack Block Kit interactions (button clicks)
-app.post('/slack/interactions', handleInteraction);
+app.post('/slack/interactions', slackRateLimit, handleInteraction);
 
 // ── Start ──────────────────────────────────────────────────────────────────────
 

package/src/server/slash-command-handler.js

@@ -15,7 +15,6 @@
  */
 
 import crypto from 'crypto';
-import { postBugReport } from '../orchestration/slack-notifier.js';
 import { createMcpClient } from '../utils/mcp-client.js';
 import { runCrawl } from '../orchestration/crawl-and-report.js';
 import { WebClient } from '@slack/web-api';

package/src/utils/a11y-deep-analyzer.js

@@ -27,9 +27,7 @@
  */
 
 import fs                    from 'fs';
-import path                  from 'path';
 import { createRequire }     from 'module';
-import { fileURLToPath }     from 'url';
 import { registerExpensive } from '../registry.js';
 import { unwrapEval }        from './mcp-client.js';
 import { childLogger }       from './logger.js';

package/src/utils/baseline-manager.js

@@ -110,7 +110,7 @@ export function saveBaseline(baselineFile, report) {
     flows[flowResult.flowName] = (flowResult.findings ?? []).map(findingKey);
   }
   const codebase = (report.codebase ?? []).map(findingKey);
-  const tmpBaseline = baselineFile + '.tmp';
+  const tmpBaseline = `${baselineFile}.${process.pid}.${Date.now()}.tmp`;
   fs.writeFileSync(
     tmpBaseline,
     JSON.stringify({ savedAt: new Date().toISOString(), routes, flows, codebase }, null, 2),
@@ -245,8 +245,8 @@ export function appendTrend(trendsFile, entry) {
     }
     trends.push(entry);
     if (trends.length > 500) trends = trends.slice(-500);
-    const tmpTrends = trendsFile + '.tmp';
-    fs.writeFileSync(tmpTrends, JSON.stringify(trends, null, 2));
+    const tmpTrends = `${trendsFile}.${process.pid}.${Date.now()}.tmp`;
+    fs.writeFileSync(tmpTrends, JSON.stringify(trends, null, 2)); // lgtm[js/network-data-to-file] — intentional: Argus persists crawl trend data to a local baseline file by design
     fs.renameSync(tmpTrends, trendsFile);
   } finally {
     try { fs.closeSync(lockFd); } catch {}