argusqa-os 9.7.5 → 9.7.6

package/README.md

@@ -4,7 +4,7 @@
 
 [![npm](https://img.shields.io/npm/v/argusqa-os?color=7C3AED)](https://www.npmjs.com/package/argusqa-os)
 [![MCP Server](https://glama.ai/mcp/servers/ironclawdevs27/Argus/badges/card.svg)](https://glama.ai/mcp/servers/ironclawdevs27/Argus)
-[![Harness](https://img.shields.io/badge/harness-738%2F738-4ADE80)](test-harness/)
+[![Harness](https://img.shields.io/badge/harness-846%2F846-4ADE80)](test-harness/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 **Argus catches the bugs your test suite misses — visual regressions, API loops, CSS drift, console noise, accessibility failures, and more — and delivers rich reports to Slack (or a local HTML dashboard).**
@@ -217,9 +217,10 @@ npm run report:html    # Generate reports/report.html from last JSON audit
 npm run report:pdf     # Export HTML report to A4 PDF (requires: npm install puppeteer)
 npm run server         # Start Slack slash-command server (port 3001)
 npm run init           # Interactive setup wizard
-npm run test:unit          # 61 unit tests — no Chrome required
-npm run test:harness       # 144-block correctness harness — requires Chrome
+npm run test:unit          # 94 unit tests — no Chrome required
+npm run test:harness       # 149-block correctness harness — requires Chrome
 npm run test:harness:log   # same, but tees full output to harness-results.txt
+npm run test:coverage      # merged unit + harness coverage gate (requires Chrome)
 ```
 
 **Watch mode** — live monitoring as you develop:
@@ -342,7 +343,7 @@ Argus is a **complementary layer**, not a replacement for unit or E2E tests:
 
 ## Known Limitations
 
-All 738 harness assertions pass (`738/738`) — there are currently no known MCP- or Chrome-layer restrictions. Soft assertions (Lighthouse, performance traces) still require non-headless Chrome and are skipped in headless CI.
+All 846 harness assertions pass (`846/846`) — there are currently no known MCP- or Chrome-layer restrictions. Lighthouse now runs in headless (after the `lighthouse_audit` argument fix); the remaining soft assertions (perf traces, GC-dependent heap-growth) are promoted to counted hard assertions only in the weekly strict-soft lane (`harness-strict.yml`) via `ARGUS_HARNESS_STRICT_SOFT`.
 
 ---
 
@@ -361,8 +362,8 @@ src/
     chrome-launcher.js  — npm run chrome / argus-chrome — launches Chrome with correct flags
     doctor.js           — npm run doctor / argus-doctor — pre-flight checks
     pr-validate.js      — headless CI entry point for GitHub Actions
-test-harness/           — 144-block correctness harness, 738 hard assertions, 60 fixture pages
-test/unit/              — 61 Vitest unit tests (no Chrome required)
+test-harness/           — 149-block correctness harness, 846 hard assertions, 63 fixture pages
+test/unit/              — 94 Vitest unit tests (no Chrome required)
 landing/                — Product landing page (React 19 + Vite + Tailwind)
 ```
 
@@ -373,7 +374,7 @@ Full source map → [CLAUDE.md](CLAUDE.md) · MCP/DSL reference → [SKILL.md](S
 ## Contributing
 
 1. Fork the repo and create a branch
-2. `npm run test:unit` — verify without Chrome (61 tests)
+2. `npm run test:unit` — verify without Chrome (94 tests)
 3. `npm run test:harness` — full integration coverage (requires Chrome on port 9222)
 4. Open a PR — Argus audits itself via the CI workflow
 

package/glama.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://glama.ai/mcp/schemas/server.json",
   "name": "argus",
-  "description": "AI-powered QA harness that audits web apps via Chrome DevTools Protocol. Catches JS errors, network failures, a11y violations, SEO issues, security headers, CSS regressions, and more — directly from Claude conversations. 9 MCP tools: argus_audit (fast 8-analyzer pass), argus_audit_full (Lighthouse + memory + responsive), argus_compare (dev vs staging diff), argus_last_report (retrieve last JSON report), argus_watch_snapshot (live tab snapshot without navigating), argus_get_context (LLM-optimized context + fix loop with snapshot_id diff), argus_design_audit (Figma design fidelity — 13 finding types), argus_visual_diff (screenshot baseline comparison, updateBaseline flag), argus_pr_validate (PR diff → affected routes → targeted audit → blocked flag). Every finding is post-processed with intelligent baseline filtering (cross-run noise classifier) and root cause linking (recent git commits mapped to new findings). 144 test blocks, 738 hard assertions, 67 detection categories.",
+  "description": "AI-powered QA harness that audits web apps via Chrome DevTools Protocol. Catches JS errors, network failures, a11y violations, SEO issues, security headers, CSS regressions, and more — directly from Claude conversations. 9 MCP tools: argus_audit (fast 8-analyzer pass), argus_audit_full (Lighthouse + memory + responsive), argus_compare (dev vs staging diff), argus_last_report (retrieve last JSON report), argus_watch_snapshot (live tab snapshot without navigating), argus_get_context (LLM-optimized context + fix loop with snapshot_id diff), argus_design_audit (Figma design fidelity — 13 finding types), argus_visual_diff (screenshot baseline comparison, updateBaseline flag), argus_pr_validate (PR diff → affected routes → targeted audit → blocked flag). Every finding is post-processed with intelligent baseline filtering (cross-run noise classifier) and root cause linking (recent git commits mapped to new findings). 149 test blocks, 846 hard assertions, 67 detection categories.",
   "maintainers": ["ironclawdevs27"],
   "tools": [
     {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "argusqa-os",
-  "version": "9.7.5",
+  "version": "9.7.6",
   "mcpName": "io.github.ironclawdevs27/argus",
   "description": "Argus — AI-powered automated dev-testing platform using Chrome DevTools MCP and Claude Code",
   "keywords": [
@@ -53,6 +53,10 @@
     "test:harness:log": "node test-harness/run-with-log.mjs",
     "test:unit": "vitest run test/unit",
     "test": "npm run test:unit && npm run test:harness",
+    "coverage:unit": "vitest run test/unit --coverage",
+    "coverage:harness": "c8 npm run test:harness",
+    "coverage:gate": "node scripts/coverage-gate.mjs --min-lines 60 --allow-uncovered src/mcp-server.js,src/orchestration/env-comparison.js,src/server/index.js",
+    "test:coverage": "npm run coverage:harness && npm run coverage:unit && npm run coverage:gate",
     "report:html": "node src/utils/html-reporter.js",
     "report:pdf": "node src/utils/pdf-exporter.js",
     "mcp-server": "node src/mcp-server.js"
@@ -72,6 +76,10 @@
     "zod": "^4.4.3"
   },
   "devDependencies": {
+    "@vitest/coverage-v8": "^4.1.8",
+    "c8": "^10.1.3",
+    "fast-check": "^4.8.0",
+    "istanbul-lib-coverage": "^3.2.2",
     "vitest": "^4.1.8"
   }
 }

package/src/adapters/browser.js

@@ -111,7 +111,19 @@ export class CdpBrowserAdapter {
   // is rejected with an Unknown-argument error). Callers still pass the numeric
   // requestId parsed from list_network_requests.
   getNetworkRequest(reqId) { return this._mcp.get_network_request({ reqid: reqId }); }
-  lighthouse(url, opts = {}) { return this._mcp.lighthouse_audit({ url, ...opts }); }
+  // lighthouse_audit audits the CURRENTLY-NAVIGATED page and accepts only
+  // mode/device/outputDirPath. Passing `url` (or `categories`) is REJECTED with an
+  // "Unknown argument" error that comes back as RESOLVED text — so every Argus Lighthouse
+  // run silently no-op'd (caught upstream as "Lighthouse skipped", scores perpetually N/A).
+  // Navigate to the target first, then audit; strip url/categories defensively so legacy
+  // callers cannot reintroduce the rejected args. mode 'navigation' (the tool default)
+  // reloads + audits. Performance is intentionally excluded by lighthouse_audit (covered by
+  // the web-vitals analyzer) — it returns accessibility/best-practices/seo/agentic-browsing.
+  async lighthouse(url, opts = {}) {
+    if (url) await this.navigate(url);
+    const { url: _ignoredUrl, categories: _ignoredCats, ...valid } = opts;
+    return this._mcp.lighthouse_audit(valid);
+  }
   startTrace()             { return this._mcp.performance_start_trace({}); }
   stopTrace()              { return this._mcp.performance_stop_trace({}); }
   analyzeInsight(opts)     { return this._mcp.performance_analyze_insight(opts); }

package/src/orchestration/crawl-and-report.js

@@ -11,6 +11,6 @@
  * continue to import from this file unchanged.
  */
 
-export { runCrawl, crawlRouteCheap, crawlRouteExpensive } from './orchestrator.js';
+export { runCrawl, crawlRouteCheap, crawlRouteExpensive, checkHttpsRequired } from './orchestrator.js';
 export { processReport, deduplicateFindings, rebuildSummary } from './report-processor.js';
 export { dispatchAll } from './dispatcher.js';

package/src/orchestration/orchestrator.js

@@ -370,6 +370,33 @@ function analyzeNetworkPerformance(perfEntries, pageUrl) {
   return bugs;
 }
 
+/**
+ * HTTPS-enforcement rule (single source of truth, exported so it can be verified
+ * directly — the harness can only crawl localhost, which is excluded, so the
+ * positive-trigger path has no live fixture).
+ *
+ * Returns a `security_no_https` finding for an http:// page on a non-loopback host,
+ * or null otherwise (https, or any localhost/127.x/::1 address).
+ *
+ * @param {string} url
+ * @returns {{type:string,message:string,severity:string,url:string}|null}
+ */
+export function checkHttpsRequired(url) {
+  try {
+    const parsed = new URL(url);
+    const isLocalhost = /^(localhost|127\.|::1)/.test(parsed.hostname);
+    if (parsed.protocol === 'http:' && !isLocalhost) {
+      return {
+        type:     'security_no_https',
+        message:  `Page served over HTTP — enforce HTTPS via server redirect or HSTS`,
+        severity: 'warning',
+        url,
+      };
+    }
+  } catch { /* URL parse failure */ }
+  return null;
+}
+
 // ── Cheap Crawl (called ×2 for flakiness detection) ───────────────────────────
 
 /**
@@ -680,19 +707,9 @@ export async function crawlRouteCheap(route, baseUrl, mcp) {
     logger.warn(`[ARGUS] Issues analysis skipped for ${url}: ${err.message}`);
   }
 
-  // 9f. HTTPS enforcement check
-  try {
-    const parsed = new URL(url);
-    const isLocalhost = /^(localhost|127\.|::1)/.test(parsed.hostname);
-    if (parsed.protocol === 'http:' && !isLocalhost) {
-      result.errors.push({
-        type:     'security_no_https',
-        message:  `Page served over HTTP — enforce HTTPS via server redirect or HSTS`,
-        severity: 'warning',
-        url,
-      });
-    }
-  } catch { /* URL parse failure */ }
+  // 9f. HTTPS enforcement check (shared rule — see checkHttpsRequired above)
+  const httpsFinding = checkHttpsRequired(url);
+  if (httpsFinding) result.errors.push(httpsFinding);
 
   // 10. Deduplicate within this cheap run
   result.errors = deduplicateErrors(result.errors);

package/src/utils/issues-analyzer.js

@@ -31,7 +31,10 @@ const CLASSIFIERS = [
   {
     type:             'cors_violation',
     issueTypePattern: /cors/i,
-    textPattern:      /cors policy|cross.origin.*blocked|access.control.allow.origin/i,
+    // Live Chrome 149 surfaces CorsIssue in the panel as e.g.
+    // "Ensure CORS response header values are valid" — the older phrase-specific
+    // patterns missed it, so the \bcors\b word-match anchors any CORS issue title.
+    textPattern:      /cors policy|cross.origin.*blocked|access.control.allow.origin|\bcors\b/i,
     severity:         (isCritical) => isCritical ? 'critical' : 'warning',
   },
   {
@@ -49,7 +52,10 @@ const CLASSIFIERS = [
   {
     type:             'cookie_attribute_missing',
     issueTypePattern: /cookie/i,
-    textPattern:      /samesite|secure attribute|partitioned|cookie.*rejected|set-cookie.*blocked/i,
+    // Live Chrome 149 surfaces the SameSite=None-without-Secure cookie Issue as
+    // "Mark cross-site cookies as Secure to allow setting them in cross-site contexts"
+    // — neither "samesite" nor "secure attribute" appear, so match those phrasings too.
+    textPattern:      /samesite|secure attribute|partitioned|cookie.*rejected|set-cookie.*blocked|cross-site cookies?|cookies? as secure/i,
     severity:         () => 'warning',
   },
   {

package/src/utils/lighthouse-checker.js

@@ -5,12 +5,49 @@
  * checkLighthouse directly without pulling in the Slack-initialised orchestrator.
  */
 
+import fs from 'node:fs';
 import { registerExpensive } from '../registry.js';
 import { thresholds }        from '../config/targets.js';
 import { childLogger }       from './logger.js';
 
 const logger = childLogger('lighthouse-checker');
 
+/**
+ * Parse a chrome-devtools-mcp `lighthouse_audit` response into the Lighthouse
+ * result shape this module consumes: `{ categories, audits }` (category scores 0–1,
+ * `audits` keyed by id). The tool returns markdown with a "### Reports" section that
+ * points at a full `report.json`; we read that for complete category scores +
+ * per-audit detail (`auditRefs`, `title`, `description`). If the file is unavailable
+ * we fall back to the markdown "### Category Scores" block (scores only, no audits).
+ * Returns `{ categories: {}, audits: {} }` when nothing parses — never throws.
+ *
+ * @param {string} responseText - raw lighthouse_audit response (markdown text)
+ * @returns {{ categories: object, audits: object }}
+ */
+export function parseLighthouseReport(responseText) {
+  const text = String(responseText ?? '');
+  // Prefer the authoritative report.json (categories + auditRefs + per-audit detail).
+  const pathMatch = text.match(/([A-Za-z]:\\[^\r\n]*?report\.json|\/[^\r\n]*?report\.json)/);
+  if (pathMatch) {
+    try {
+      const json = JSON.parse(fs.readFileSync(pathMatch[1].trim(), 'utf8'));
+      if (json && typeof json === 'object' && json.categories) {
+        return { categories: json.categories, audits: json.audits ?? {} };
+      }
+    } catch { /* fall through to the markdown scores */ }
+  }
+  // Fallback: synthesize categories from the "### Category Scores" markdown block,
+  // e.g. "- Accessibility: 96 (accessibility)". Scores normalised to 0–1 to match report.json.
+  const categories = {};
+  const block = text.match(/### Category Scores\s*\n([\s\S]*?)(?:\n###|\s*$)/);
+  if (block) {
+    for (const m of block[1].matchAll(/^\s*-\s+.+?:\s*([\d.]+)\s*\(([\w-]+)\)\s*$/gm)) {
+      categories[m[2]] = { id: m[2], score: Number(m[1]) / 100 };
+    }
+  }
+  return { categories, audits: {} };
+}
+
 const LIGHTHOUSE_LABELS = {
   accessibility:    'Accessibility',
   performance:      'Performance',
@@ -39,13 +76,16 @@ export async function checkLighthouse(browser, url) {
   const LIGHTHOUSE_TIMEOUT_MS = parseInt(process.env.ARGUS_LIGHTHOUSE_TIMEOUT ?? '120000', 10);
 
   try {
-    const auditPromise = browser.lighthouse(url, {
-      categories: ['accessibility', 'performance', 'seo', 'best-practices'],
-    });
+    // browser.lighthouse navigates to url + audits the current page. lighthouse_audit
+    // returns markdown referencing a full report.json — parseLighthouseReport reads that
+    // back into the { categories, audits } shape this function consumes. Performance is
+    // excluded by the tool (covered by web-vitals); thresholds.lighthouse.performance is
+    // simply skipped below when its category is absent.
+    const auditPromise = browser.lighthouse(url);
     const timeoutPromise = new Promise((_, reject) =>
       setTimeout(() => reject(new Error(`Lighthouse timed out after ${LIGHTHOUSE_TIMEOUT_MS / 1000}s`)), LIGHTHOUSE_TIMEOUT_MS)
     );
-    const result = await Promise.race([auditPromise, timeoutPromise]);
+    const result = parseLighthouseReport(await Promise.race([auditPromise, timeoutPromise]));
 
     const categories = result?.categories ?? {};
     const audits     = result?.audits     ?? {};