laxy-verify 1.3.3 → 1.4.0

package/README.md

@@ -199,7 +199,7 @@ For Free accounts, the CLI prints a tip instead:
 
 ```text
   Tip: Pro tracks your last 30 runs so you can see if Performance or Grade is improving.
-       https://laxy.app/pricing
+       https://laxy-blue.vercel.app/pricing
 ```
 
 ## The decision it helps you make
@@ -432,8 +432,26 @@ It is a pre-merge and pre-release verification layer, not your entire quality sy
 - a frontend app with a runnable build flow
 - optional: `playwright` if your project already uses it
 
+## Auto-update check
+
+When you run `npx laxy-verify .` interactively, the CLI checks npm for a newer version. If an update is available, it prompts:
+
+```text
+  laxy-verify update available: 1.3.3 → 1.4.0
+  Update now? (y/N):
+```
+
+Press `y` to update and re-run automatically. The check is skipped in CI environments and non-interactive terminals.
+
 ## Changelog
 
+### v1.4.0 - Auto-update check and evidence fix
+
+- **Auto-update prompt** - the CLI now checks for newer versions on npm at startup and offers a one-step update when running interactively. Skipped automatically in CI and non-TTY environments
+- **Evidence output fix** - fixed `screenshotDiffs: Pundefined Aundefined` in the evidence section caused by iterating non-Lighthouse fields in multi-viewport results
+- **URL fix** - corrected the pricing tip URL to point to the live domain
+- Removed leftover `[Pro+]` and `[Pro]` labels from multi-viewport and mobile Lighthouse output
+
 ### v1.3.3 - Cleaner output and route validation
 
 - Removed `Pro` and `Pro+` labels from verification logs so `npx laxy-verify .` prints plan-neutral output

package/dist/auto-fix.d.ts

@@ -0,0 +1,66 @@
+export interface AutoFixContext {
+    grade: string;
+    blockers: Array<{
+        title: string;
+        severity: string;
+        action: string;
+    }>;
+    lighthouseScores: {
+        performance: number;
+        accessibility: number;
+        seo: number;
+        bestPractices: number;
+    } | null;
+    thresholds: {
+        performance: number;
+        accessibility: number;
+        seo: number;
+        bestPractices: number;
+    };
+    buildErrors: string[];
+    e2eFailed: number;
+    e2eTotal: number;
+    securitySummary?: string;
+    /** Source file snippets keyed by relative path */
+    fileSnippets: Array<{
+        path: string;
+        content: string;
+    }>;
+}
+export interface CodeFix {
+    /** Relative file path to apply the fix to */
+    filePath: string;
+    /** Description of what this fix does */
+    description: string;
+    /** The complete replacement content for the file (or section) */
+    code: string;
+    /** Whether this is a full-file replacement or a targeted patch */
+    type: "full" | "patch";
+    /** Line range for patch-type fixes */
+    startLine?: number;
+    endLine?: number;
+}
+export interface AutoFixResult {
+    rootCause: string;
+    fixes: CodeFix[];
+    confidence: "high" | "medium" | "low";
+}
+/**
+ * Collect relevant source file snippets for AI context.
+ * Picks up to 5 files that are most likely related to the failures.
+ */
+export declare function collectFileSnippets(projectDir: string, buildErrors: string[]): Array<{
+    path: string;
+    content: string;
+}>;
+/**
+ * Apply a code fix to the project directory.
+ */
+export declare function applyCodeFix(projectDir: string, fix: CodeFix): {
+    success: boolean;
+    error?: string;
+};
+/**
+ * Request AI auto-fix from the Laxy API.
+ */
+export declare function requestAutoFix(context: AutoFixContext): Promise<AutoFixResult | null>;

package/dist/auto-fix.js

@@ -0,0 +1,176 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.collectFileSnippets = collectFileSnippets;
+exports.applyCodeFix = applyCodeFix;
+exports.requestAutoFix = requestAutoFix;
+/**
+ * AI Auto-Fix client (Pro feature).
+ *
+ * Sends verification failure context plus relevant source files
+ * to the Laxy API, which returns code fix suggestions that can
+ * be applied directly or pushed as a PR.
+ */
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const auth_js_1 = require("./auth.js");
+/**
+ * Collect relevant source file snippets for AI context.
+ * Picks up to 5 files that are most likely related to the failures.
+ */
+function collectFileSnippets(projectDir, buildErrors) {
+    const snippets = [];
+    const seen = new Set();
+    // Extract file paths from build errors
+    const errorFilePattern = /(?:^|\n)(\.?[^\s:]+(?:\/[^\s:]+)*\.[a-zA-Z]+)(?::|\s)/g;
+    const errorFiles = new Set();
+    for (const err of buildErrors) {
+        let match;
+        const localPattern = new RegExp(errorFilePattern.source, "g");
+        while ((match = localPattern.exec(err)) !== null) {
+            errorFiles.add(match[1]);
+        }
+    }
+    // Add files from build errors first
+    for (const filePath of errorFiles) {
+        if (seen.has(filePath) || snippets.length >= 5)
+            continue;
+        const absPath = path.join(projectDir, filePath);
+        if (fs.existsSync(absPath)) {
+            try {
+                const content = fs.readFileSync(absPath, "utf-8");
+                if (content.length <= 20000) {
+                    snippets.push({ path: filePath, content: content.slice(0, 4000) });
+                    seen.add(filePath);
+                }
+            }
+            catch { /* ignore */ }
+        }
+    }
+    // Fill remaining slots with common config/entry files
+    const commonFiles = [
+        "package.json",
+        "tsconfig.json",
+        "vite.config.ts",
+        "vite.config.js",
+        "next.config.js",
+        "next.config.mjs",
+        "src/App.tsx",
+        "src/App.jsx",
+        "src/main.tsx",
+        "src/main.jsx",
+        "src/pages/index.tsx",
+        "src/pages/_app.tsx",
+        "app/page.tsx",
+        "app/layout.tsx",
+        "index.html",
+    ];
+    for (const filePath of commonFiles) {
+        if (seen.has(filePath) || snippets.length >= 5)
+            continue;
+        const absPath = path.join(projectDir, filePath);
+        if (fs.existsSync(absPath)) {
+            try {
+                const content = fs.readFileSync(absPath, "utf-8");
+                if (content.length <= 20000) {
+                    snippets.push({ path: filePath, content: content.slice(0, 4000) });
+                    seen.add(filePath);
+                }
+            }
+            catch { /* ignore */ }
+        }
+    }
+    return snippets;
+}
+/**
+ * Apply a code fix to the project directory.
+ */
+function applyCodeFix(projectDir, fix) {
+    const absPath = path.resolve(projectDir, fix.filePath);
+    // Prevent path traversal outside the project directory
+    if (!absPath.startsWith(path.resolve(projectDir) + path.sep) && absPath !== path.resolve(projectDir)) {
+        return { success: false, error: `Path traversal detected: ${fix.filePath}` };
+    }
+    if (fix.type === "full") {
+        try {
+            fs.writeFileSync(absPath, fix.code, "utf-8");
+            return { success: true };
+        }
+        catch (err) {
+            return { success: false, error: err instanceof Error ? err.message : "Write failed" };
+        }
+    }
+    // Patch type: replace specific lines
+    if (!fs.existsSync(absPath)) {
+        return { success: false, error: `File not found: ${fix.filePath}` };
+    }
+    try {
+        const lines = fs.readFileSync(absPath, "utf-8").split("\n");
+        const start = (fix.startLine ?? 1) - 1;
+        const end = fix.endLine ?? lines.length;
+        const newLines = fix.code.split("\n");
+        lines.splice(start, end - start, ...newLines);
+        fs.writeFileSync(absPath, lines.join("\n"), "utf-8");
+        return { success: true };
+    }
+    catch (err) {
+        return { success: false, error: err instanceof Error ? err.message : "Patch failed" };
+    }
+}
+/**
+ * Request AI auto-fix from the Laxy API.
+ */
+async function requestAutoFix(context) {
+    const token = (0, auth_js_1.loadToken)();
+    if (!token)
+        return null;
+    try {
+        const res = await fetch(`${auth_js_1.LAXY_API_URL}/api/v1/auto-fix`, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${token}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify(context),
+            signal: AbortSignal.timeout(60_000),
+        });
+        if (!res.ok)
+            return null;
+        return (await res.json());
+    }
+    catch {
+        return null;
+    }
+}

package/dist/check-run.d.ts

@@ -0,0 +1,58 @@
+import type { TrendDelta } from "./trend.js";
+interface CheckRunResult {
+    grade: string;
+    verdict: string;
+    exitCode: number;
+    lighthouse: {
+        performance: number;
+        accessibility: number;
+        seo: number;
+        bestPractices: number;
+        runs: number;
+    } | null;
+    thresholds: {
+        performance: number;
+        accessibility: number;
+        seo: number;
+        bestPractices: number;
+    };
+    e2e?: {
+        passed: number;
+        failed: number;
+        total: number;
+    } | null;
+    security?: {
+        critical: number;
+        high: number;
+        total: number;
+    } | null;
+    build?: {
+        success: boolean;
+        durationMs: number;
+    };
+    blockers: Array<{
+        title: string;
+        severity: string;
+    }>;
+    typecheck?: {
+        errorCount: number;
+    } | null;
+    secretScan?: {
+        findingsCount: number;
+    } | null;
+    bundleSize?: {
+        advisory: string;
+    } | null;
+    a11yDeep?: {
+        criticalCount: number;
+        seriousCount: number;
+    } | null;
+    brokenLinks?: {
+        broken: number;
+        checked: number;
+    } | null;
+    consoleErrors?: number;
+    config_fail_on: string;
+}
+export declare function createCheckRun(result: CheckRunResult, trend?: TrendDelta | null): Promise<void>;
+export {};

package/dist/check-run.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCheckRun = createCheckRun;
+/**
+ * GitHub Check Run API integration (Pro feature).
+ *
+ * Creates a rich Check Run on the PR that appears in the merge box
+ * with expandable details: grade, blockers, Lighthouse scores, E2E,
+ * security, and verification verdict.
+ */
+const github_js_1 = require("./github.js");
+const trend_js_1 = require("./trend.js");
+function renderCheckRunSummary(result, trend) {
+    const lines = [];
+    const emoji = result.grade === "Gold" ? "🏆" :
+        result.grade === "Silver" ? "✅" :
+            result.grade === "Bronze" ? "🔨" : "⚠️";
+    lines.push(`## ${emoji} ${result.grade} — ${result.verdict}`);
+    lines.push("");
+    // Trend table
+    if (trend) {
+        lines.push("### vs Base Branch");
+        lines.push("| Check | This PR | Base | Delta |");
+        lines.push("|---|---|---|---|");
+        const gradeUp = (0, trend_js_1.gradeIndex)(trend.grade.current) > (0, trend_js_1.gradeIndex)(trend.grade.base);
+        const gradeDown = (0, trend_js_1.gradeIndex)(trend.grade.current) < (0, trend_js_1.gradeIndex)(trend.grade.base);
+        const gradeDelta = gradeUp ? " ↑" : gradeDown ? " ↓" : "";
+        lines.push(`| Grade | **${trend.grade.current}** | ${trend.grade.base} |${gradeDelta} |`);
+        const fmtD = (d) => d === null ? "—" : d > 0 ? `+${d}` : d < 0 ? `${d}` : "—";
+        if (trend.performance.current !== null)
+            lines.push(`| Performance | ${trend.performance.current} | ${trend.performance.base ?? "—"} | ${fmtD(trend.performance.delta)} |`);
+        if (trend.accessibility.current !== null)
+            lines.push(`| Accessibility | ${trend.accessibility.current} | ${trend.accessibility.base ?? "—"} | ${fmtD(trend.accessibility.delta)} |`);
+        if (trend.seo.current !== null)
+            lines.push(`| SEO | ${trend.seo.current} | ${trend.seo.base ?? "—"} | ${fmtD(trend.seo.delta)} |`);
+        if (trend.bestPractices.current !== null)
+            lines.push(`| Best Practices | ${trend.bestPractices.current} | ${trend.bestPractices.base ?? "—"} | ${fmtD(trend.bestPractices.delta)} |`);
+        if (trend.e2e.current !== null)
+            lines.push(`| E2E | ${trend.e2e.current} | ${trend.e2e.base ?? "—"} | — |`);
+        lines.push("");
+    }
+    // Build
+    if (result.build) {
+        const dur = (result.build.durationMs / 1000).toFixed(1);
+        lines.push(`### Build: ${result.build.success ? "✅ Passed" : "❌ Failed"} (${dur}s)`);
+        lines.push("");
+    }
+    // Lighthouse
+    if (result.lighthouse) {
+        const lh = result.lighthouse;
+        const t = result.thresholds;
+        lines.push("### Lighthouse");
+        lines.push("| Category | Score | Threshold | Status |");
+        lines.push("|---|---|---|---|");
+        lines.push(`| Performance | ${lh.performance} | ≥${t.performance} | ${lh.performance >= t.performance ? "✅" : "❌"} |`);
+        lines.push(`| Accessibility | ${lh.accessibility} | ≥${t.accessibility} | ${lh.accessibility >= t.accessibility ? "✅" : "❌"} |`);
+        lines.push(`| SEO | ${lh.seo} | ≥${t.seo} | ${lh.seo >= t.seo ? "✅" : "❌"} |`);
+        lines.push(`| Best Practices | ${lh.bestPractices} | ≥${t.bestPractices} | ${lh.bestPractices >= t.bestPractices ? "✅" : "❌"} |`);
+        lines.push("");
+    }
+    // E2E
+    if (result.e2e && result.e2e.total > 0) {
+        const e2e = result.e2e;
+        lines.push(`### E2E: ${e2e.failed === 0 ? "✅" : "❌"} ${e2e.passed}/${e2e.total} passed`);
+        lines.push("");
+    }
+    // Blockers
+    if (result.blockers.length > 0) {
+        lines.push("### Blockers");
+        for (const b of result.blockers.slice(0, 8)) {
+            lines.push(`- **[${b.severity}]** ${b.title}`);
+        }
+        lines.push("");
+    }
+    // Extra checks
+    const extras = [];
+    if (result.security && result.security.total > 0)
+        extras.push(`Security: ${result.security.critical} critical, ${result.security.high} high`);
+    if (result.typecheck && result.typecheck.errorCount > 0)
+        extras.push(`TypeScript: ${result.typecheck.errorCount} errors`);
+    if (result.secretScan && result.secretScan.findingsCount > 0)
+        extras.push(`Secrets: ${result.secretScan.findingsCount} findings`);
+    if (result.a11yDeep && (result.a11yDeep.criticalCount > 0 || result.a11yDeep.seriousCount > 0))
+        extras.push(`WCAG: ${result.a11yDeep.criticalCount} critical, ${result.a11yDeep.seriousCount} serious`);
+    if (result.brokenLinks && result.brokenLinks.broken > 0)
+        extras.push(`Broken links: ${result.brokenLinks.broken}/${result.brokenLinks.checked}`);
+    if (result.consoleErrors && result.consoleErrors > 0)
+        extras.push(`Console errors: ${result.consoleErrors}`);
+    if (extras.length > 0) {
+        lines.push("### Additional findings");
+        for (const e of extras)
+            lines.push(`- ${e}`);
+        lines.push("");
+    }
+    lines.push(`**Fail-on threshold**: ${result.config_fail_on ?? "bronze"}`);
+    lines.push("");
+    lines.push("---");
+    lines.push("[laxy-verify docs](https://github.com/SUNgm24/Laxy/tree/main/laxy-verify)");
+    return lines.join("\n");
+}
+async function createCheckRun(result, trend) {
+    const ctx = (0, github_js_1.getGitHubContext)();
+    if (!ctx)
+        return;
+    const [owner, repo] = ctx.repository.split("/");
+    const conclusion = result.exitCode === 0 ? "success" : "failure";
+    const title = result.exitCode === 0
+        ? `Laxy Verify: ${result.grade} — no blockers`
+        : `Laxy Verify: ${result.grade} — ${result.blockers.length} blocker(s)`;
+    const summary = renderCheckRunSummary(result, trend);
+    // GitHub Check Runs API
+    const url = `https://api.github.com/repos/${owner}/${repo}/check-runs`;
+    try {
+        const res = await fetch(url, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${ctx.token}`,
+                Accept: "application/vnd.github.v3+json",
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({
+                name: "laxy-verify",
+                head_sha: ctx.sha,
+                status: "completed",
+                conclusion,
+                output: {
+                    title,
+                    summary,
+                },
+            }),
+        });
+        if (!res.ok) {
+            console.warn(`GitHub Check Run API returned ${res.status}; falling back to status check.`);
+        }
+    }
+    catch (err) {
+        console.warn(`GitHub Check Run request failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}

package/dist/cli.js

@@ -48,6 +48,7 @@ const grade_js_1 = require("./grade.js");
 const init_js_1 = require("./init.js");
 const badge_js_1 = require("./badge.js");
 const comment_js_1 = require("./comment.js");
+const check_run_js_1 = require("./check-run.js");
 const status_js_1 = require("./status.js");
 const auth_js_1 = require("./auth.js");
 const entitlement_js_1 = require("./entitlement.js");
@@ -68,8 +69,10 @@ const vitals_budget_js_1 = require("./vitals-budget.js");
 const index_js_1 = require("./verification-core/index.js");
 const trend_js_1 = require("./trend.js");
 const ai_analysis_js_1 = require("./ai-analysis.js");
+const auto_fix_js_1 = require("./auto-fix.js");
 const compare_env_js_1 = require("./compare-env.js");
 const route_discovery_js_1 = require("./route-discovery.js");
+const update_check_js_1 = require("./update-check.js");
 const package_json_1 = __importDefault(require("../package.json"));
 let activeDevServerPid;
 let activeDevServerCleanup = null;
@@ -173,6 +176,7 @@ function parseArgs() {
         a11yDeep: flags["a11y-deep"] !== undefined,
         seoDeep: flags["seo-deep"] !== undefined,
         vitalsBudget: flags["vitals-budget"] !== undefined,
+        autoFix: flags["auto-fix"] !== undefined,
     };
 }
 function writeResultFile(projectDir, result) {
@@ -200,8 +204,10 @@ function uniqueRouteList(routes) {
 function summarizeViewportIssues(scores, thresholds) {
     if (!scores)
         return { count: 0 };
+    const viewportKeys = ["desktop", "tablet", "mobile"];
     const failed = [];
-    for (const [label, viewportScores] of Object.entries(scores)) {
+    for (const label of viewportKeys) {
+        const viewportScores = scores[label];
         if (!viewportScores) {
             failed.push(`${label}: missing`);
             continue;
@@ -399,7 +405,7 @@ async function run() {
     --config <path>   Path to .laxy.yml
     --fail-on         unverified | bronze | silver | gold
     --skip-lighthouse Skip Lighthouse but still run build and E2E
-    --port <port>     Use an already-running dev server on this port (skip build & server start)
+    --port <port>     Use an already-running dev server on this port (skip build & server start)
     --share           Create a public share link for this verification result (Pro)
     --compare <url>   Compare Lighthouse scores against a reference environment URL (Pro)
     --plan-override   free | pro | team (testing metadata only)
@@ -413,6 +419,7 @@ async function run() {
     --a11y-deep       Deep accessibility audit (axe-core)
     --seo-deep        Deep SEO audit (meta, OG, JSON-LD)
     --vitals-budget   Core Web Vitals budget check (LCP, CLS, INP)
+    --auto-fix         AI code fix suggestions for blockers (Pro)
     --help            Show this help
 
   Exit codes:
@@ -421,10 +428,10 @@ async function run() {
     2   Configuration error
 
   Examples:
-    npx laxy-verify --init --run        # Setup + first verification
-    npx laxy-verify .                   # Run in current directory
-    npx laxy-verify .                   # Auto-falls back if port 3000 is already busy
-    npx laxy-verify . --ci              # CI mode
+    npx laxy-verify --init --run        # Setup + first verification
+    npx laxy-verify .                   # Run in current directory
+    npx laxy-verify .                   # Auto-falls back if port 3000 is already busy
+    npx laxy-verify . --ci              # CI mode
     npx laxy-verify . --fail-on silver  # Block Bronze or worse
     npx laxy-verify . --port 3001       # Use existing dev server on port 3001
     npx laxy-verify . --share           # Save and share a public verification link
@@ -450,6 +457,28 @@ async function run() {
         exitGracefully(0);
         return;
     }
+    // Check for updates (skip in CI mode and non-interactive environments)
+    if (!args.ciMode && !process.env.CI && process.stdin.isTTY) {
+        const updated = await (0, update_check_js_1.checkForUpdates)();
+        if (updated) {
+            // Re-exec with npx to use the updated version
+            const { execSync } = await Promise.resolve().then(() => __importStar(require("node:child_process")));
+            try {
+                execSync(`npx laxy-verify ${process.argv.slice(2).join(" ")}`, {
+                    stdio: "inherit",
+                    cwd: process.cwd(),
+                });
+                exitGracefully(0);
+                return;
+            }
+            catch (reExecErr) {
+                // If re-exec fails, the child already printed errors — propagate exit code
+                const code = reExecErr.status ?? 1;
+                exitGracefully(code);
+                return;
+            }
+        }
+    }
     if (args.init) {
         let initEntitlements = null;
         try {
@@ -625,6 +654,8 @@ async function run() {
         compare_env: false,
         share_result: false,
         history_trend: false,
+        pr_decoration: false,
+        auto_fix: false,
     };
     let effectiveFeatures = features;
     if (args.planOverride) {
@@ -1134,7 +1165,6 @@ async function run() {
     if ((0, report_markdown_js_1.shouldWriteMarkdownReport)(resultObj)) {
         const markdownReport = (0, report_markdown_js_1.buildMarkdownReport)(args.projectDir, resultObj);
         fs.writeFileSync(markdownReportPath, markdownReport, "utf-8");
-        resultObj.markdownReportPath = markdownReportPath;
     }
     else if (fs.existsSync(markdownReportPath)) {
         fs.rmSync(markdownReportPath, { force: true });
@@ -1142,8 +1172,8 @@ async function run() {
     const inGitHubActions = !!process.env.GITHUB_ACTIONS;
     if (inGitHubActions) {
         try {
+            let trendDelta = null;
             if (process.env.GITHUB_EVENT_NAME === "pull_request") {
-                let trendDelta = null;
                 const baseSnapshot = (0, trend_js_1.loadBaseSnapshot)((0, trend_js_1.getBaseResultPath)(args.projectDir));
                 if (baseSnapshot) {
                     const currentSnapshot = {
@@ -1154,11 +1184,41 @@ async function run() {
                     };
                     trendDelta = (0, trend_js_1.computeTrendDelta)(currentSnapshot, baseSnapshot);
                 }
-                await (0, comment_js_1.postPRComment)(resultObj, trendDelta);
-                resultObj.github = { status: "comment_posted", grade: resultObj.grade };
             }
-            await (0, status_js_1.createStatusCheck)({ grade: resultObj.grade, exitCode: resultObj.exitCode });
-            resultObj.github ??= { status: "status_set", grade: resultObj.grade };
+            // Pro: Check Run (rich merge-box integration) + enhanced PR comment
+            if (effectiveFeatures.pr_decoration) {
+                if (process.env.GITHUB_EVENT_NAME === "pull_request") {
+                    await (0, check_run_js_1.createCheckRun)({
+                        grade: resultObj.grade,
+                        verdict: verificationReport.verdict,
+                        exitCode: resultObj.exitCode,
+                        lighthouse: resultObj.lighthouse,
+                        thresholds: adjustedThresholds,
+                        e2e: resultObj.e2e,
+                        security: securityAuditResult ? { critical: securityAuditResult.critical, high: securityAuditResult.high, total: securityAuditResult.totalVulnerabilities } : undefined,
+                        build: { success: buildResult.success, durationMs: buildResult.durationMs },
+                        blockers: verificationView.blockers.slice(0, 10).map((b) => ({ title: b.title, severity: b.severity })),
+                        typecheck: typecheckResult ? { errorCount: typecheckResult.errorCount } : undefined,
+                        secretScan: secretScanResult ? { findingsCount: secretScanResult.findings.length } : undefined,
+                        bundleSize: bundleSizeResult ? { advisory: bundleSizeResult.advisory } : undefined,
+                        a11yDeep: a11yDeepResult ? { criticalCount: a11yDeepResult.criticalCount, seriousCount: a11yDeepResult.seriousCount } : undefined,
+                        brokenLinks: brokenLinksResult ? { broken: brokenLinksResult.brokenLinks.length, checked: brokenLinksResult.checkedCount } : undefined,
+                        consoleErrors: e2eConsoleErrors.length,
+                        config_fail_on: config.fail_on,
+                    }, trendDelta);
+                    await (0, comment_js_1.postPRComment)(resultObj, trendDelta);
+                    resultObj.github = { status: "check_run_created", grade: resultObj.grade };
+                }
+            }
+            else {
+                // Free: basic status check + simple PR comment
+                if (process.env.GITHUB_EVENT_NAME === "pull_request") {
+                    await (0, comment_js_1.postPRComment)(resultObj, trendDelta);
+                    resultObj.github = { status: "comment_posted", grade: resultObj.grade };
+                }
+                await (0, status_js_1.createStatusCheck)({ grade: resultObj.grade, exitCode: resultObj.exitCode });
+                resultObj.github ??= { status: "status_set", grade: resultObj.grade };
+            }
         }
         catch (ghErr) {
             console.error(`GitHub API warning: ${ghErr instanceof Error ? ghErr.message : String(ghErr)}`);
@@ -1263,6 +1323,79 @@ async function run() {
             // AI analysis errors are non-critical
         }
     }
+    // Pro: AI Auto-Fix — collect source files, request code fixes, optionally apply
+    if (effectiveFeatures.auto_fix &&
+        args.autoFix &&
+        verificationReport.verdict !== "client-ready" &&
+        verificationReport.verdict !== "release-ready" &&
+        args.format !== "json") {
+        try {
+            console.log("\n  Requesting AI Auto-Fix...");
+            console.log("  Note: Source files will be sent to an external AI provider for analysis.");
+            const fileSnippets = (0, auto_fix_js_1.collectFileSnippets)(args.projectDir, buildResult.errors);
+            const autoFixResult = await (0, auto_fix_js_1.requestAutoFix)({
+                grade: unifiedGrade,
+                blockers: verificationView.blockers.map((b) => ({
+                    title: b.title,
+                    severity: b.severity,
+                    action: b.action,
+                })),
+                lighthouseScores: scores ?? null,
+                thresholds: adjustedThresholds,
+                buildErrors: buildResult.errors.slice(0, 3),
+                e2eFailed: e2eResult ? e2eResult.failed : 0,
+                e2eTotal: e2eResult ? e2eResult.total : 0,
+                securitySummary: securityAuditResult?.summary,
+                fileSnippets,
+            });
+            if (autoFixResult && autoFixResult.fixes.length > 0) {
+                console.log(`\n  AI Auto-Fix (Pro) — confidence: ${autoFixResult.confidence}`);
+                console.log(`    Root cause: ${autoFixResult.rootCause}`);
+                console.log(`    Suggested fixes:`);
+                for (const fix of autoFixResult.fixes) {
+                    console.log(`      - ${fix.filePath}: ${fix.description} (${fix.type})`);
+                }
+                // In CI with GITHUB_ACTIONS: write fixes as patch files for PR creation
+                if (inGitHubActions) {
+                    const patchDir = path.join(args.projectDir, ".laxy-fixes");
+                    fs.mkdirSync(patchDir, { recursive: true });
+                    for (const fix of autoFixResult.fixes) {
+                        const fixPath = path.join(patchDir, fix.filePath.replace(/\//g, "_") + ".patch.json");
+                        fs.writeFileSync(fixPath, JSON.stringify(fix, null, 2), "utf-8");
+                    }
+                    console.log(`    Fixes written to .laxy-fixes/ for PR automation.`);
+                }
+                else {
+                    // Interactive: apply fixes to local project
+                    console.log(`\n    Applying fixes to local project...`);
+                    let applied = 0;
+                    for (const fix of autoFixResult.fixes) {
+                        const result = (0, auto_fix_js_1.applyCodeFix)(args.projectDir, fix);
+                        if (result.success) {
+                            console.log(`      ✓ ${fix.filePath}`);
+                            applied++;
+                        }
+                        else {
+                            console.log(`      ✗ ${fix.filePath}: ${result.error}`);
+                        }
+                    }
+                    if (applied > 0) {
+                        console.log(`\n    ${applied}/${autoFixResult.fixes.length} fix(es) applied. Rerun verification to check results.`);
+                    }
+                }
+            }
+            else if (autoFixResult) {
+                console.log(`\n  AI Auto-Fix: ${autoFixResult.rootCause}`);
+                console.log(`    No concrete code fixes could be generated (confidence: ${autoFixResult.confidence}).`);
+            }
+        }
+        catch {
+            // Auto-fix errors are non-critical
+        }
+    }
+    else if (args.autoFix && !effectiveFeatures.auto_fix) {
+        console.log("\n  [warn] --auto-fix requires a logged-in Pro account. Skipping AI auto-fix.");
+    }
     if (args.format === "json") {
         console.log(JSON.stringify(resultObj, null, 2));
     }
@@ -1276,7 +1409,7 @@ async function run() {
         }
         if (!effectiveFeatures.history_trend) {
             console.log(`\n  Tip: Pro tracks your last 30 runs so you can see if Performance or Grade is improving.`);
-            console.log(`       https://laxy.app/pricing`);
+            console.log(`       https://laxy-blue.vercel.app/pricing`);
         }
     }
     if (inGitHubActions && process.env.GITHUB_OUTPUT) {

package/dist/entitlement.d.ts

@@ -7,6 +7,8 @@ export interface EntitlementFeatures {
     compare_env: boolean;
     share_result: boolean;
     history_trend: boolean;
+    pr_decoration: boolean;
+    auto_fix: boolean;
 }
 export type TestablePlan = "free" | "pro" | "team";
 export declare function normalizePlan(plan?: string | null): TestablePlan;

package/dist/entitlement.js

@@ -22,6 +22,8 @@ const FREE_FEATURES = {
     compare_env: false,
     share_result: false,
     history_trend: false,
+    pr_decoration: false,
+    auto_fix: false,
 };
 let cache = null;
 const CACHE_TTL_MS = 5 * 60 * 1000;
@@ -80,6 +82,8 @@ function applyPlanOverride(features, overridePlan) {
         compare_env: isPro,
         share_result: isPro,
         history_trend: isPro,
+        pr_decoration: isPro,
+        auto_fix: isPro,
         // queue_priority, parallel_execution — Team only
         queue_priority: isTeam,
         parallel_execution: isTeam,

package/dist/update-check.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Checks for updates and prompts the user.
+ * Returns true if the user updated (caller should re-exec with npx).
+ * Returns false if no update needed or user declined.
+ */
+export declare function checkForUpdates(): Promise<boolean>;

package/dist/update-check.js

@@ -0,0 +1,138 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkForUpdates = checkForUpdates;
+/**
+ * Check for newer versions of laxy-verify on npm.
+ * Prompts the user to update if a newer version is available.
+ */
+const node_child_process_1 = require("node:child_process");
+const fs = __importStar(require("node:fs"));
+const readline = __importStar(require("node:readline"));
+const PACKAGE_NAME = "laxy-verify";
+function getInstalledVersion() {
+    const pkgPath = require.resolve(`${PACKAGE_NAME}/package.json`);
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+    return pkg.version;
+}
+function getLatestVersion() {
+    try {
+        const result = (0, node_child_process_1.execSync)(`npm view ${PACKAGE_NAME} version`, {
+            encoding: "utf-8",
+            timeout: 10_000,
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+        return result.trim();
+    }
+    catch {
+        return null;
+    }
+}
+function compareVersions(installed, latest) {
+    const a = installed.split(".").map(Number);
+    const b = latest.split(".").map(Number);
+    for (let i = 0; i < 3; i++) {
+        if ((a[i] ?? 0) < (b[i] ?? 0))
+            return -1;
+        if ((a[i] ?? 0) > (b[i] ?? 0))
+            return 1;
+    }
+    return 0;
+}
+function promptUser(question) {
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+    });
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => {
+            rl.close();
+            resolve(answer.trim().toLowerCase() === "y" || answer.trim().toLowerCase() === "yes");
+        });
+    });
+}
+function runUpdate() {
+    try {
+        console.log(`  Updating ${PACKAGE_NAME}...`);
+        (0, node_child_process_1.execSync)(`npm install -g ${PACKAGE_NAME}@latest`, {
+            encoding: "utf-8",
+            timeout: 60_000,
+            stdio: "inherit",
+        });
+        return true;
+    }
+    catch {
+        // Global install failed — try local update
+        try {
+            (0, node_child_process_1.execSync)(`npm install ${PACKAGE_NAME}@latest`, {
+                encoding: "utf-8",
+                timeout: 60_000,
+                stdio: "inherit",
+            });
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+/**
+ * Checks for updates and prompts the user.
+ * Returns true if the user updated (caller should re-exec with npx).
+ * Returns false if no update needed or user declined.
+ */
+async function checkForUpdates() {
+    const installed = getInstalledVersion();
+    const latest = getLatestVersion();
+    if (!latest)
+        return false;
+    if (compareVersions(installed, latest) >= 0)
+        return false;
+    console.log(`\n  laxy-verify update available: ${installed} → ${latest}`);
+    const shouldUpdate = await promptUser("  Update now? (y/N): ");
+    if (!shouldUpdate) {
+        console.log("  Skipping update.\n");
+        return false;
+    }
+    const success = runUpdate();
+    if (success) {
+        console.log(`  Updated to ${PACKAGE_NAME}@${latest}. Re-running verification...\n`);
+        return true;
+    }
+    else {
+        console.error(`  Update failed. Continuing with ${installed}.\n`);
+        return false;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "laxy-verify",
-  "version": "1.3.3",
+  "version": "1.4.0",
   "description": "Frontend verification CLI for build checks, Lighthouse, E2E, and release readiness",
   "license": "MIT",
   "type": "commonjs",