laxy-verify 1.2.1 → 1.2.3

package/dist/report-markdown.d.ts

@@ -2,6 +2,13 @@ import type { E2EScenarioResult } from "./e2e.js";
 import type { LighthouseScores } from "./grade.js";
 import type { TierVerificationView, VerificationReport } from "./verification-core/index.js";
 import { type VisualDiffResult } from "./visual-diff.js";
+import type { TypecheckResult } from "./typecheck.js";
+import type { SecretScanResult } from "./secret-scan.js";
+import type { BundleSizeResult } from "./bundle-size.js";
+import type { OutdatedCheckResult } from "./outdated-check.js";
+import type { A11yDeepResult } from "./a11y-deep.js";
+import type { SeoDeepResult } from "./seo-deep.js";
+import type { VitalsBudgetResult } from "./vitals-budget.js";
 export interface MarkdownReportResult {
     grade: string;
     timestamp: string;
@@ -20,6 +27,13 @@ export interface MarkdownReportResult {
         runs: number;
     }) | null;
     visualDiff?: VisualDiffResult | null;
+    typecheck?: TypecheckResult | null;
+    secretScan?: SecretScanResult | null;
+    bundleSize?: BundleSizeResult | null;
+    outdatedCheck?: OutdatedCheckResult | null;
+    a11yDeep?: A11yDeepResult | null;
+    seoDeep?: SeoDeepResult | null;
+    vitalsBudget?: VitalsBudgetResult | null;
     thresholds: {
         performance: number;
         accessibility: number;

package/dist/report-markdown.js

@@ -162,6 +162,27 @@ function renderMetrics(result) {
     if (result.visualDiff) {
         lines.push(`| Visual diff | ${(0, visual_diff_js_1.formatVisualDiffSummary)(result.visualDiff)} |`);
     }
+    if (result.typecheck && !result.typecheck.skipped) {
+        lines.push(`| TypeScript | ${result.typecheck.passed ? "OK" : `${result.typecheck.errorCount} error(s)`} |`);
+    }
+    if (result.secretScan && !result.secretScan.skipped) {
+        lines.push(`| Secret scan | ${result.secretScan.passed ? "OK" : `${result.secretScan.findings.length} finding(s)`} (${result.secretScan.filesScanned} files) |`);
+    }
+    if (result.bundleSize && !result.bundleSize.skipped) {
+        lines.push(`| Bundle size | ${result.bundleSize.advisory} |`);
+    }
+    if (result.outdatedCheck && !result.outdatedCheck.skipped) {
+        lines.push(`| Outdated deps | ${result.outdatedCheck.advisory} |`);
+    }
+    if (result.a11yDeep && !result.a11yDeep.skipped) {
+        lines.push(`| A11y deep | ${result.a11yDeep.summary} |`);
+    }
+    if (result.seoDeep && !result.seoDeep.skipped) {
+        lines.push(`| SEO deep | ${result.seoDeep.summary} |`);
+    }
+    if (result.vitalsBudget && !result.vitalsBudget.skipped) {
+        lines.push(`| Vitals budget | ${result.vitalsBudget.summary} |`);
+    }
     lines.push("");
     return `${lines.join("\n")}\n`;
 }

package/dist/route-discovery.d.ts

@@ -0,0 +1,7 @@
+export interface RuntimeRouteDiscoveryResult {
+    routes: string[];
+    scriptUrls: string[];
+}
+export declare function extractScriptUrlsFromHtml(html: string, baseUrl: string): string[];
+export declare function extractRoutesFromText(content: string): string[];
+export declare function discoverRuntimeRoutes(baseUrl: string): Promise<RuntimeRouteDiscoveryResult>;

package/dist/route-discovery.js

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractScriptUrlsFromHtml = extractScriptUrlsFromHtml;
+exports.extractRoutesFromText = extractRoutesFromText;
+exports.discoverRuntimeRoutes = discoverRuntimeRoutes;
+const SCRIPT_SRC_REGEX = /<script[^>]+src=["']([^"'#?]+(?:\?[^"'#]*)?)["']/gi;
+const HTML_ROUTE_REGEX = /(?:href|data-href)=["'](\/[^"'#? ]*)/gi;
+const ROUTE_SNIPPET_REGEXES = [
+    /(?:path|pathname|href|to|route|router\.push|navigate)\s*[:=(]\s*["'`]((?:\/(?!\/)[^"'`?#]+))["'`]/g,
+    /["'`]((?:\/(?!\/)[a-z0-9][^"'`?#]*))["'`]/gi,
+];
+function normalizeRoute(candidate) {
+    const decoded = candidate
+        .replace(/\\u002F/gi, "/")
+        .replace(/\\\//g, "/")
+        .trim();
+    if (!decoded.startsWith("/"))
+        return null;
+    const normalized = decoded
+        .split("?")[0]
+        ?.split("#")[0]
+        ?.replace(/\/+/g, "/")
+        ?.replace(/\/$/, "") || "/";
+    if (normalized === "/" || normalized.length < 2)
+        return null;
+    if (normalized.startsWith("/_next/") || normalized.startsWith("/api/"))
+        return null;
+    if (/[.*:[\]]/.test(normalized))
+        return null;
+    if (/\.[a-z0-9]{2,8}$/i.test(normalized))
+        return null;
+    if (/\s/.test(normalized))
+        return null;
+    if (!/^\/[a-z0-9/_-]+$/i.test(normalized))
+        return null;
+    return normalized;
+}
+function extractScriptUrlsFromHtml(html, baseUrl) {
+    const urls = [];
+    const seen = new Set();
+    for (const match of html.matchAll(SCRIPT_SRC_REGEX)) {
+        const raw = match[1];
+        if (!raw)
+            continue;
+        try {
+            const scriptUrl = new URL(raw, baseUrl);
+            if (scriptUrl.origin !== new URL(baseUrl).origin)
+                continue;
+            const href = scriptUrl.href;
+            if (!seen.has(href)) {
+                seen.add(href);
+                urls.push(href);
+            }
+        }
+        catch {
+            // Ignore malformed URLs.
+        }
+    }
+    return urls;
+}
+function extractRoutesFromText(content) {
+    const routes = [];
+    const seen = new Set();
+    for (const regex of ROUTE_SNIPPET_REGEXES) {
+        for (const match of content.matchAll(regex)) {
+            const route = normalizeRoute(match[1] ?? "");
+            if (!route || seen.has(route))
+                continue;
+            seen.add(route);
+            routes.push(route);
+        }
+    }
+    return routes;
+}
+async function discoverRuntimeRoutes(baseUrl) {
+    const htmlRes = await fetch(baseUrl, {
+        signal: AbortSignal.timeout(8000),
+        headers: { accept: "text/html,application/xhtml+xml" },
+    });
+    const html = await htmlRes.text();
+    const routes = new Set(extractRoutesFromText(html));
+    for (const match of html.matchAll(HTML_ROUTE_REGEX)) {
+        const route = normalizeRoute(match[1] ?? "");
+        if (route)
+            routes.add(route);
+    }
+    const scriptUrls = extractScriptUrlsFromHtml(html, baseUrl)
+        .filter((url) => /\/_next\/static\/chunks\/|assets\/|static\/|build\//i.test(url))
+        .slice(0, 10);
+    await Promise.all(scriptUrls.map(async (scriptUrl) => {
+        try {
+            const res = await fetch(scriptUrl, { signal: AbortSignal.timeout(5000) });
+            if (!res.ok)
+                return;
+            const content = await res.text();
+            for (const route of extractRoutesFromText(content)) {
+                routes.add(route);
+            }
+        }
+        catch {
+            // Skip chunk fetch failures. This is best-effort coverage expansion.
+        }
+    }));
+    return {
+        routes: Array.from(routes).sort((a, b) => a.localeCompare(b)),
+        scriptUrls,
+    };
+}

package/dist/secret-scan.d.ts

@@ -0,0 +1,15 @@
+export interface SecretScanResult {
+    passed: boolean;
+    findings: SecretFinding[];
+    filesScanned: number;
+    skipped: boolean;
+}
+export interface SecretFinding {
+    file: string;
+    line: number;
+    pattern: string;
+    preview: string;
+}
+export declare function runSecretScan(projectDir: string, options?: {
+    ignorePaths?: string[];
+}): Promise<SecretScanResult>;

package/dist/secret-scan.js

@@ -0,0 +1,218 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSecretScan = runSecretScan;
+/**
+ * Secret/credential leak scanner.
+ *
+ * Scans source files for hardcoded secrets using regex patterns.
+ * Supports ignore paths and custom ignore patterns from .laxy.yml.
+ */
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const DEFAULT_IGNORE_DIRS = new Set([
+    "node_modules",
+    ".git",
+    ".next",
+    "dist",
+    "build",
+    ".laxy-tmp",
+    ".laxy-baselines",
+    "coverage",
+    ".cache",
+    "test",
+    "tests",
+    "__tests__",
+    "spec",
+]);
+const SECRET_PATTERNS = [
+    { name: "AWS Access Key", regex: /AKIA[0-9A-Z]{16}/ },
+    { name: "AWS Secret Key", regex: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*['"][A-Za-z0-9/+=]{40}['"]/ },
+    { name: "GitHub Token", regex: /ghp_[A-Za-z0-9]{36}/ },
+    { name: "GitHub OAuth", regex: /gho_[A-Za-z0-9]{36}/ },
+    { name: "GitHub App Token", regex: /(?:ghs_|ghu_)[A-Za-z0-9]{36}/ },
+    { name: "Slack Token", regex: /xox[baprs]-[A-Za-z0-9-]{10,}/ },
+    { name: "Slack Webhook", regex: /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/ },
+    { name: "Private Key Block", regex: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/ },
+    { name: "Google API Key", regex: /AIza[0-9A-Za-z_-]{35}/ },
+    { name: "Google OAuth Token", regex: /[0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com/ },
+    { name: "Stripe Secret Key", regex: /sk_live_[0-9a-zA-Z]{24,}/ },
+    { name: "Stripe Publishable Key", regex: /pk_live_[0-9a-zA-Z]{24,}/ },
+    { name: "Twilio API Key", regex: /SK[0-9a-fA-F]{32}/ },
+    { name: "SendGrid API Key", regex: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/ },
+    { name: "Mailgun API Key", regex: /key-[0-9a-zA-Z]{32}/ },
+    { name: "Hardcoded Bearer Token", regex: /Bearer\s+[A-Za-z0-9\-._~+/]+=*/ },
+    { name: "JWT-like Secret", regex: /['"]eyJ[A-Za-z0-9\-._~+/]+=*\.[A-Za-z0-9\-._~+/]+=*['"]/ },
+    { name: "Generic Secret Assignment", regex: /(?:secret|password|passwd|token|api_key|apikey|access_key|private_key)\s*[=:]\s*['"][^'"]{8,}['"]/i },
+];
+const ALLOWLIST_PATTERNS = [
+    // Common false positives
+    /process\.env\./,
+    /import\.meta\.env\./,
+    /NEXT_PUBLIC_/,
+    /VITE_/,
+    /REACT_APP_/,
+    /NUXT_ENV_/,
+    /placeholder/i,
+    /example/i,
+    /your[_-]?(?:api|secret|key|token)/i,
+    /xxx+/,
+    /<[^>]+>/,
+    /\$\{\{.*\}\}/, // GitHub Actions / CI template variables
+    /secrets\.[A-Z_]+/, // GitHub Actions secrets references
+    /env\.[A-Z_]+/, // CI env variable references
+    /regex:\s*\//, // Regex pattern definitions in source code
+    /^\s*\/\//, // Single-line comments (// ...)
+    /^\s*\*/, // Block comment lines (* ...)
+    /^\s*<!--/, // HTML comment lines
+];
+function shouldIgnoreLine(line) {
+    return ALLOWLIST_PATTERNS.some((p) => p.test(line));
+}
+/**
+ * Masks potential secret values in a line preview so that
+ * actual credentials are never exposed in JSON output or reports.
+ * Replaces quoted string contents after = or : with ***.
+ */
+function maskSecret(line) {
+    return line
+        // Mask single-quoted values: = '...' or : '...'
+        .replace(/([=:])\s*'([^']{4,})'/g, "$1 '***'")
+        // Mask double-quoted values: = "..." or : "..."
+        .replace(/([=:])\s*"([^"]{4,})"/g, '$1 "***"')
+        // Mask bare tokens after Bearer
+        .replace(/(Bearer\s+)[A-Za-z0-9\-._~+/]+=*/g, "$1***")
+        // Mask AKIA keys
+        .replace(/(AKIA)[0-9A-Z]{16}/g, "$1****************")
+        // Mask ghp_/gho_/ghs_/ghu_ tokens
+        .replace(/(gh[pous]_)[A-Za-z0-9]{36}/g, "$1************************************")
+        // Mask xoxb-/xoxp- etc tokens
+        .replace(/(xox[baprs]-)[A-Za-z0-9-]{10,}/g, "$1**********")
+        // Mask AIza keys
+        .replace(/(AIza)[0-9A-Za-z_-]{35}/g, "$1***********************************")
+        // Mask sk_live_/pk_live_ keys
+        .replace(/(s?k_live_)[0-9a-zA-Z]{24,}/g, "$1************************")
+        // Mask SK hex keys (Twilio)
+        .replace(/(SK)[0-9a-fA-F]{32}/g, "$1********************************")
+        // Mask key- prefix (Mailgun)
+        .replace(/(key-)[0-9a-zA-Z]{32}/g, "$1********************************")
+        // Mask SG. tokens (SendGrid)
+        .replace(/(SG\.)[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g, "$1**********************.*******************************************");
+}
+function scanFile(filePath, relativePath, ignorePatterns) {
+    if (ignorePatterns.some((p) => relativePath.includes(p)))
+        return [];
+    const findings = [];
+    let content;
+    try {
+        content = fs.readFileSync(filePath, "utf-8");
+    }
+    catch {
+        return [];
+    }
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (shouldIgnoreLine(line))
+            continue;
+        for (const { name, regex } of SECRET_PATTERNS) {
+            if (regex.test(line)) {
+                const preview = maskSecret(line.trim().slice(0, 120));
+                findings.push({
+                    file: relativePath,
+                    line: i + 1,
+                    pattern: name,
+                    preview,
+                });
+                break; // one finding per line max
+            }
+        }
+    }
+    return findings;
+}
+function walkDir(dir, rootDir, ignoreDirs, ignorePatterns) {
+    const results = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return results;
+    }
+    for (const entry of entries) {
+        if (ignoreDirs.has(entry.name))
+            continue;
+        if (entry.name.startsWith(".") && entry.name !== ".env")
+            continue;
+        const fullPath = path.join(dir, entry.name);
+        const relativePath = path.relative(rootDir, fullPath).replace(/\\/g, "/");
+        if (ignorePatterns.some((p) => relativePath.includes(p)))
+            continue;
+        if (entry.isDirectory()) {
+            results.push(...walkDir(fullPath, rootDir, ignoreDirs, ignorePatterns));
+        }
+        else if (entry.isFile()) {
+            const ext = path.extname(entry.name).toLowerCase();
+            if ([".ts", ".tsx", ".js", ".jsx", ".vue", ".svelte", ".env", ".json", ".yml", ".yaml", ".toml", ".py", ".rb"].includes(ext) ||
+                entry.name === ".env" || entry.name.startsWith(".env.")) {
+                results.push(fullPath);
+            }
+        }
+    }
+    return results;
+}
+async function runSecretScan(projectDir, options) {
+    const ignorePatterns = options?.ignorePaths ?? [];
+    const ignoreDirs = new Set(DEFAULT_IGNORE_DIRS);
+    console.log("  Running secret scan...");
+    const files = walkDir(projectDir, projectDir, ignoreDirs, ignorePatterns);
+    const allFindings = [];
+    for (const file of files) {
+        const relativePath = path.relative(projectDir, file).replace(/\\/g, "/");
+        const findings = scanFile(file, relativePath, ignorePatterns);
+        allFindings.push(...findings);
+    }
+    const passed = allFindings.length === 0;
+    if (passed) {
+        console.log(`  Secret scan: OK (${files.length} files scanned)`);
+    }
+    else {
+        console.log(`  Secret scan: ${allFindings.length} finding(s) in ${files.length} files`);
+        for (const f of allFindings.slice(0, 5)) {
+            console.error(`    ${f.file}:${f.line} [${f.pattern}]`);
+        }
+    }
+    return { passed, findings: allFindings, filesScanned: files.length, skipped: false };
+}

package/dist/security-audit.d.ts

@@ -5,5 +5,13 @@ export interface SecurityAuditResult {
     moderate: number;
     low: number;
     summary: string;
+    missingHeaders: string[];
+    headerCheckUrl?: string;
+    headerCheckError?: string;
 }
-export declare function runSecurityAudit(cwd: string, timeoutMs?: number): Promise<SecurityAuditResult>;
+export declare function auditSecurityHeaders(url: string): Promise<{
+    missingHeaders: string[];
+    checkedUrl: string;
+    error?: string;
+}>;
+export declare function runSecurityAudit(cwd: string, appUrl?: string, timeoutMs?: number): Promise<SecurityAuditResult>;

package/dist/security-audit.js

@@ -1,15 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditSecurityHeaders = auditSecurityHeaders;
 exports.runSecurityAudit = runSecurityAudit;
 /**
- * npm audit wrapper for Pro/Pro+ security scanning.
+ * npm audit wrapper plus runtime security-header checks.
  *
- * Runs `npm audit --json` in the project directory and extracts
- * severity counts + a short summary for the verification report.
+ * The package audit catches known dependency vulnerabilities.
+ * The header audit adds shallow runtime coverage for common missing
+ * browser-enforced protections on the running app.
  */
 const node_child_process_1 = require("node:child_process");
-async function runSecurityAudit(cwd, timeoutMs = 30000) {
-    console.log("  Running security audit (npm audit)...");
+async function runNpmAudit(cwd, timeoutMs) {
     return new Promise((resolve) => {
         const chunks = [];
         const proc = process.platform === "win32"
@@ -27,38 +28,100 @@ async function runSecurityAudit(cwd, timeoutMs = 30000) {
                 proc.kill();
             }
             catch { }
-            resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0, summary: "Audit timed out" });
+            resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0 });
         }, timeoutMs);
         proc.stdout?.on("data", (chunk) => chunks.push(chunk.toString()));
-        proc.stderr?.on("data", () => { }); // ignore stderr
+        proc.stderr?.on("data", () => { });
         proc.on("exit", () => {
             clearTimeout(timer);
-            const raw = chunks.join("");
             try {
-                const json = JSON.parse(raw);
-                // npm audit v2 format
+                const json = JSON.parse(chunks.join(""));
                 const meta = json.metadata?.vulnerabilities ?? json.vulnerabilities ?? {};
                 const critical = meta.critical ?? 0;
                 const high = meta.high ?? 0;
                 const moderate = meta.moderate ?? 0;
                 const low = meta.low ?? 0;
-                const total = critical + high + moderate + low;
-                const parts = [];
-                if (critical > 0)
-                    parts.push(`${critical} critical`);
-                if (high > 0)
-                    parts.push(`${high} high`);
-                if (moderate > 0)
-                    parts.push(`${moderate} moderate`);
-                if (low > 0)
-                    parts.push(`${low} low`);
-                const summary = total === 0 ? "No known vulnerabilities" : parts.join(", ");
-                console.log(`  Security: ${summary}`);
-                resolve({ totalVulnerabilities: total, critical, high, moderate, low, summary });
+                resolve({
+                    totalVulnerabilities: critical + high + moderate + low,
+                    critical,
+                    high,
+                    moderate,
+                    low,
+                });
             }
             catch {
-                resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0, summary: "Audit parse failed" });
+                resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0 });
             }
         });
     });
 }
+async function auditSecurityHeaders(url) {
+    const requiredHeaders = ["X-Frame-Options", "Content-Security-Policy"];
+    const urlObj = new URL(url);
+    if (urlObj.protocol === "https:") {
+        requiredHeaders.push("Strict-Transport-Security");
+    }
+    let response;
+    try {
+        response = await fetch(url, {
+            method: "HEAD",
+            redirect: "follow",
+            signal: AbortSignal.timeout(5000),
+        });
+    }
+    catch {
+        try {
+            response = await fetch(url, {
+                method: "GET",
+                redirect: "follow",
+                signal: AbortSignal.timeout(5000),
+            });
+        }
+        catch (error) {
+            return {
+                missingHeaders: [],
+                checkedUrl: url,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    const missingHeaders = requiredHeaders.filter((headerName) => !response.headers.get(headerName));
+    return {
+        missingHeaders,
+        checkedUrl: response.url || url,
+    };
+}
+async function runSecurityAudit(cwd, appUrl, timeoutMs = 30000) {
+    console.log("  Running security audit (npm audit + runtime headers)...");
+    const [npmAudit, headerAudit] = await Promise.all([
+        runNpmAudit(cwd, timeoutMs),
+        appUrl ? auditSecurityHeaders(appUrl) : Promise.resolve(null),
+    ]);
+    const parts = [];
+    if (npmAudit.critical > 0)
+        parts.push(`${npmAudit.critical} critical`);
+    if (npmAudit.high > 0)
+        parts.push(`${npmAudit.high} high`);
+    if (npmAudit.moderate > 0)
+        parts.push(`${npmAudit.moderate} moderate`);
+    if (npmAudit.low > 0)
+        parts.push(`${npmAudit.low} low`);
+    const missingHeaders = headerAudit?.missingHeaders ?? [];
+    if (missingHeaders.length > 0) {
+        parts.push(`missing headers: ${missingHeaders.join(", ")}`);
+    }
+    if (headerAudit?.error) {
+        parts.push(`header check skipped: ${headerAudit.error}`);
+    }
+    const summary = parts.length > 0
+        ? parts.join(" | ")
+        : "No known vulnerabilities or missing security headers";
+    console.log(`  Security: ${summary}`);
+    return {
+        ...npmAudit,
+        summary,
+        missingHeaders,
+        headerCheckUrl: headerAudit?.checkedUrl,
+        headerCheckError: headerAudit?.error,
+    };
+}

package/dist/seo-deep.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Deep SEO audit.
+ *
+ * Checks page-level SEO signals beyond Lighthouse's basic SEO category:
+ * title, meta description, canonical, robots, Open Graph, Twitter Card,
+ * JSON-LD structured data. Runs against the running dev server via HTTP.
+ */
+export interface SeoDeepResult {
+    passed: boolean;
+    checks: SeoCheck[];
+    warningCount: number;
+    errorCount: number;
+    url: string;
+    skipped: boolean;
+    summary: string;
+}
+export interface SeoCheck {
+    key: string;
+    label: string;
+    passed: boolean;
+    value: string | null;
+    severity: "error" | "warning";
+}
+export declare function runSeoDeep(url: string): Promise<SeoDeepResult>;