opstruth 0.1.2 → 0.2.0

package/src/lib/markdown.js

@@ -178,9 +178,24 @@ export function evidenceMarkdown({ title = 'opstruth Evidence Pack', status = 'n
     '## Check Results',
     list(checks, '- No checks attached', 25),
     '',
+    '## Probe Results',
+    list(checks, '- No probe results attached', 25),
+    '',
     '## Verified Facts',
     list(liveVerification, '- No live verification evidence attached', 20),
     '',
+    '## Warnings',
+    list(risks.filter((risk) => /warn|warning|review/i.test(risk)), '- None recorded', 20),
+    '',
+    '## Failures',
+    list(risks.filter((risk) => /fail|failure|blocked/i.test(risk)), '- None recorded', 20),
+    '',
+    '## Skipped / Not Configured',
+    'Skipped checks are proof gaps, not failures. See command output for skipped probe IDs and reasons.',
+    '',
+    '## Not Verified',
+    'Production, local runtime, database state, queues, publishing, and external AI usage are not verified unless explicit read-only inputs or external evidence are attached.',
+    '',
     '## Risks And Gaps',
     table(['Severity', 'Finding'], riskRows.slice(0, 25)),
     '',
@@ -196,6 +211,12 @@ export function evidenceMarkdown({ title = 'opstruth Evidence Pack', status = 'n
     '## Safety Boundaries',
     list(safetyBoundaries, '- Read-only checks only'),
     '',
+    '## Evidence Files / Paths',
+    list(scope.concat(filesChanged).filter(Boolean), '- No evidence paths attached', 30),
+    '',
+    '## Confidence',
+    confidenceFor({ status, failures: risks.filter((risk) => /fail|failure|blocked/i.test(risk)), warnings: risks, skipped: [], notVerified: [] }),
+    '',
     '## Next Safe Step',
     nextSafeStep || 'Run the narrowest missing read-only verification and attach the result.'
   ].join('\n') + '\n';

package/src/lib/probes.js

@@ -10,7 +10,7 @@ function nodeDependencyDetector(name) {
   return async (_root, stack) => stack.dependencies?.includes(name);
 }
 
-export const PROBE_CATALOGUE = [
+const RAW_PROBE_CATALOGUE = [
   {
     id: 'git.status',
     name: 'Git status',
@@ -463,6 +463,48 @@ export const PROBE_CATALOGUE = [
   }
 ];
 
+function inputsRequiredFor(probe) {
+  if (probe.id.startsWith('routes.')) return ['--base-url or route config'];
+  if (probe.id === 'local.ports') return ['--port or local config'];
+  if (probe.id === 'local.health') return ['--port and --health or local config'];
+  if (probe.id === 'supabase.migrations') return ['supabase/migrations directory'];
+  if (probe.id === 'cloudflare.wrangler') return ['wrangler.toml, wrangler.json, or wrangler.jsonc'];
+  if (probe.id.startsWith('quality.')) return ['matching package.json script'];
+  if (probe.id.startsWith('node.')) return ['matching package metadata/config/source'];
+  if (probe.id.startsWith('git.')) return ['git repository'];
+  return [];
+}
+
+function skipReasonFor(probe) {
+  if (probe.id.startsWith('routes.')) return 'Requires --base-url, --routes, or opstruth.config.json route entries';
+  if (probe.id === 'local.ports') return 'Requires --port or opstruth.config.json local ports';
+  if (probe.id === 'local.health') return 'Requires --port with --health or opstruth.config.json local health paths';
+  if (probe.id === 'supabase.migrations') return 'Requires a Supabase migrations directory';
+  if (probe.id === 'cloudflare.wrangler') return 'Requires Wrangler configuration';
+  if (probe.id.startsWith('quality.')) return 'Requires a matching non-placeholder package.json script';
+  if (probe.id.startsWith('git.')) return 'Requires a git repository';
+  return 'Not relevant to detected stack or missing configuration';
+}
+
+function normalizeProbe(probe) {
+  const inputsRequired = probe.inputsRequired || inputsRequiredFor(probe);
+  return {
+    ...probe,
+    mode: probe.mode || probe.defaultMode,
+    mutability: probe.mutability || 'none',
+    inputsRequired,
+    evidenceExpectation: probe.evidenceExpectation || probe.evidenceCollected || [],
+    skipReason: probe.skipReason || skipReasonFor(probe),
+    proofLimitation: probe.proofLimitation || probe.doesNotProve,
+    supportedStacks: probe.supportedStacks || [probe.stack],
+    notVerified: probe.notVerified || [probe.doesNotProve],
+    falsePositiveRisk: probe.falsePositiveRisk || 'Low to medium; depends on project conventions and fixture/demo content.',
+    falseNegativeRisk: probe.falseNegativeRisk || 'Does not prove absence outside scanned files, configured inputs, or supported stack heuristics.'
+  };
+}
+
+export const PROBE_CATALOGUE = RAW_PROBE_CATALOGUE.map(normalizeProbe);
+
 export async function selectProbes({ root, stack, boundary, options = {} }) {
   const only = new Set(options.only || []);
   const skip = new Set(options.skip || []);
@@ -483,7 +525,7 @@ export async function selectProbes({ root, stack, boundary, options = {} }) {
     }
     const relevant = await probe.detector(root, stack, boundary, options);
     if (relevant) selected.push(probe);
-    else skipped.push({ ...probe, reason: 'Not relevant to detected stack or missing configuration' });
+    else skipped.push({ ...probe, reason: probe.skipReason || 'Not relevant to detected stack or missing configuration' });
   }
   return { selected, skipped, catalogueSize: PROBE_CATALOGUE.length };
 }

package/src/lib/redact.js

@@ -16,6 +16,7 @@ export function redact(value = '') {
   let output = String(value);
   for (const pattern of VALUE_PATTERNS) output = output.replace(pattern, '$1[REDACTED]');
   output = output.replace(/([A-Za-z0-9_]{12,}\.[A-Za-z0-9_\-]{12,}\.[A-Za-z0-9_\-]{12,})/g, '[REDACTED_TOKEN]');
+  output = output.replace(/\b[A-Za-z0-9_-]{40,}\b/g, '[REDACTED_TOKEN]');
   return output;
 }
 

package/src/lib/scan.js

@@ -1,53 +1,280 @@
 import path from 'node:path';
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
 import { walkFiles, readText, readJson, pathExists } from './fs.js';
 import { redact } from './redact.js';
 import { mergeIgnores } from './boundary.js';
 
+const execFileAsync = promisify(execFile);
+
 export const DEFAULT_SKIP_DIRS = mergeIgnores();
-export const RISK_PATTERNS = [/OPENAI_API_KEY/i, /SUPABASE_SERVICE_ROLE_KEY/i, /service_role/i, /access_token/i, /refresh_token/i, /client_secret/i, /private_key/i, /webhook_secret/i, /api_key/i, /bearer/i, /authorization/i];
+export const SECRET_CATEGORIES = [
+  'actionable_source_finding',
+  'documentation_reference',
+  'placeholder_or_example',
+  'local_only_file',
+  'generated_artifact',
+  'dependency_or_lockfile',
+  'ignored_binary',
+  'unknown_requires_review'
+];
+
+export const RISK_PATTERNS = [
+  { label: 'OPENAI_API_KEY', regex: /OPENAI_API_KEY/i },
+  { label: 'SUPABASE_SERVICE_ROLE_KEY', regex: /SUPABASE_SERVICE_ROLE_KEY/i },
+  { label: 'service_role', regex: /service_role/i },
+  { label: 'access_token', regex: /access_token/i },
+  { label: 'refresh_token', regex: /refresh_token/i },
+  { label: 'client_secret', regex: /client_secret/i },
+  { label: 'private_key', regex: /private_key/i },
+  { label: 'webhook_secret', regex: /webhook_secret/i },
+  { label: 'api_key', regex: /api_key/i },
+  { label: 'bearer', regex: /bearer/i },
+  { label: 'authorization', regex: /authorization/i },
+  { label: 'GH_TOKEN', regex: /GH_TOKEN/i },
+  { label: 'GITHUB_TOKEN', regex: /GITHUB_TOKEN/i },
+  { label: 'SUPABASE_ACCESS_TOKEN', regex: /SUPABASE_ACCESS_TOKEN/i },
+  { label: 'IMPORT_REDDIT_TIPS_SECRET', regex: /IMPORT_REDDIT_TIPS_SECRET/i },
+  { label: 'NPM_TOKEN', regex: /NPM_TOKEN/i },
+  { label: 'jwt_like', regex: /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/ },
+  { label: 'unknown_token_like', regex: /\b[A-Za-z0-9_-]{40,}\b/ }
+];
+
 const OPSTRUTH_SCANNER_FILES = new Set([
   'src/lib/redact.js',
   'src/lib/scan.js',
   'src/lib/probes.js',
   'test/typescript-compatibility.test.js',
+  'cli/src/lib/redact.js',
+  'cli/src/lib/scan.js',
+  'cli/src/lib/probes.js',
+  'cli/test/typescript-compatibility.test.js',
   'fixtures/risky-secret-app/src/config.js'
 ]);
 
-export function isLikelyText(file) { return /\.(js|mjs|cjs|ts|tsx|jsx|json|jsonc|toml|yml|yaml|md|txt|env|sql|html|css)$/i.test(file) || !path.extname(file); }
+const FIXTURE_PACKAGE_NAMES = new Set([
+  'plain-node-app',
+  'vite-react-app',
+  'next-app',
+  'tanstack-app',
+  'cloudflare-worker-app',
+  'supabase-app',
+  'default-npm-placeholder-test',
+  'failing-real-test-script',
+  'risky-secret-app',
+  'missing-build-script',
+  'route-config-app'
+]);
+
+const LOCKFILE_NAMES = new Set(['package-lock.json', 'npm-shrinkwrap.json', 'pnpm-lock.yaml', 'yarn.lock', 'bun.lock', 'bun.lockb']);
+const GENERATED_PREFIXES = ['dist/', 'dist-ssr/', 'build/', '.next/', '.cache/', 'coverage/'];
+const DEPENDENCY_PREFIXES = ['node_modules/'];
+
+export function isLikelyText(file) {
+  return /\.(js|mjs|cjs|ts|tsx|jsx|json|jsonc|toml|yml|yaml|md|txt|env|sql|html|css)$/i.test(file) || !path.extname(file);
+}
+
+function matchesAllowlist(file, line, { allowlistPaths = [], allowlistPatterns = [] } = {}) {
+  if (allowlistPaths.some((item) => file === item || file.startsWith(item.replace(/\/$/, '') + '/'))) return true;
+  return allowlistPatterns.some((pattern) => {
+    try {
+      return new RegExp(pattern).test(line) || new RegExp(pattern).test(file);
+    } catch {
+      return false;
+    }
+  });
+}
+
+function isDocumentationFile(file) {
+  return file === 'README.md' || file.endsWith('/README.md') || file.startsWith('docs/') || file.startsWith('cli/docs/') || /\.md$/i.test(file);
+}
+
+function isGeneratedPath(file) {
+  return GENERATED_PREFIXES.some((prefix) => file.startsWith(prefix));
+}
+
+function isDependencyPath(file) {
+  return DEPENDENCY_PREFIXES.some((prefix) => file.startsWith(prefix));
+}
+
+function isLockfile(file) {
+  return LOCKFILE_NAMES.has(path.basename(file));
+}
+
+function isEnvFile(file) {
+  return path.basename(file).startsWith('.env');
+}
+
+const SECRET_ASSIGNMENT_RE = /\b(?:const\s+|let\s+|var\s+|export\s+)?(?:OPENAI_API_KEY|SUPABASE_SERVICE_ROLE_KEY|GH_TOKEN|GITHUB_TOKEN|SUPABASE_ACCESS_TOKEN|IMPORT_REDDIT_TIPS_SECRET|NPM_TOKEN|service_role|access_token|refresh_token|client_secret|private_key|webhook_secret|api_key|authorization|bearer)\b\s*[:=]\s*["']?([^"'\s;]+)/i;
+
+function hasAssignment(line) {
+  return SECRET_ASSIGNMENT_RE.test(line);
+}
+
+function assignedValue(line) {
+  const match = line.match(SECRET_ASSIGNMENT_RE);
+  return match?.[1] || '';
+}
+
+function isPlaceholderValue(line) {
+  const value = assignedValue(line).trim();
+  return /^(YOUR_[A-Z0-9_]+_HERE|__REDACTED_VALUE__|<[^>]*secret[^>]*>|example-only|\[REDACTED\]|REDACTED|\*{3,}|xxx+|placeholder)$/i.test(value);
+}
+
+function classifyKind(line) {
+  if (hasAssignment(line)) return 'secret-like value';
+  return 'secret reference';
+}
+
+export function classifySecretReference({ file, line = '', pattern = '', tracked = false, rootContext = 'source file' } = {}) {
+  if (!isLikelyText(file)) {
+    return { category: 'ignored_binary', severity: 'skipped', status: 'skipped', kind: 'ignored binary', context: 'binary file' };
+  }
+  if (isDependencyPath(file) || isLockfile(file)) {
+    return { category: 'dependency_or_lockfile', severity: 'skipped', status: 'skipped', kind: 'ignored dependency/lockfile', context: 'dependency or lockfile' };
+  }
+  if (isGeneratedPath(file)) {
+    return { category: 'generated_artifact', severity: 'skipped', status: 'skipped', kind: 'ignored generated artifact', context: 'generated artifact' };
+  }
+  if (isEnvFile(file) && !tracked) {
+    return { category: 'local_only_file', severity: 'skipped', status: 'skipped', kind: 'local-only env file', context: 'local-only file' };
+  }
+  if (isPlaceholderValue(line)) {
+    return { category: 'placeholder_or_example', severity: 'info', status: 'info', kind: 'placeholder/example', context: classifySourceContext(file, rootContext) };
+  }
+  if (pattern === 'unknown_token_like') {
+    return { category: 'unknown_requires_review', severity: 'review', status: 'warn', kind: 'unknown token-like content', context: classifySourceContext(file, rootContext) };
+  }
+  if (isDocumentationFile(file) && !hasAssignment(line)) {
+    return { category: 'documentation_reference', severity: 'info', status: 'info', kind: 'documentation reference', context: 'documentation reference' };
+  }
+  if (isEnvFile(file) && tracked) {
+    return { category: 'actionable_source_finding', severity: 'review', status: 'warn', kind: classifyKind(line), context: 'tracked env file' };
+  }
+  return { category: 'actionable_source_finding', severity: 'review', status: 'warn', kind: classifyKind(line), context: classifySourceContext(file, rootContext) };
+}
+
+function classifySourceContext(file, rootContext = 'source file') {
+  if (file.startsWith('fixtures/') || file.startsWith('cli/fixtures/')) return 'fixture/demo file';
+  if (isDocumentationFile(file)) return 'documentation reference';
+  return rootContext;
+}
+
+async function classifyRootContext(root) {
+  const packageFile = path.join(root, 'package.json');
+  if (!(await pathExists(packageFile))) return 'source file';
+  try {
+    const name = (await readJson(packageFile)).name;
+    return FIXTURE_PACKAGE_NAMES.has(name) ? 'fixture/demo file' : 'source file';
+  } catch {
+    return 'source file';
+  }
+}
 
 async function isOpstruthRoot(root) {
   const packageFile = path.join(root, 'package.json');
-  if (!(await pathExists(packageFile))) return false;
-  try { return (await readJson(packageFile)).name === 'opstruth'; } catch { return false; }
+  const cliPackageFile = path.join(root, 'cli/package.json');
+  try {
+    if (await pathExists(packageFile)) {
+      const name = (await readJson(packageFile)).name;
+      if (name === 'opstruth' || name === 'opstruth-monorepo') return true;
+    }
+    if (await pathExists(cliPackageFile)) {
+      return (await readJson(cliPackageFile)).name === 'opstruth';
+    }
+  } catch {
+    return false;
+  }
+  return false;
 }
 
-export async function scanRiskyReferences(root, { skipDirs = DEFAULT_SKIP_DIRS } = {}) {
+async function trackedFiles(root) {
+  try {
+    const { stdout } = await execFileAsync('git', ['ls-files'], { cwd: root });
+    return new Set(stdout.split(/\r?\n/).filter(Boolean).map((file) => file.replaceAll('\\', '/')));
+  } catch {
+    return new Set();
+  }
+}
+
+function emptySummary() {
+  return Object.fromEntries(SECRET_CATEGORIES.map((category) => [category, 0]));
+}
+
+function summaryText(summary) {
+  return [
+    `Actionable findings: ${summary.actionable_source_finding || 0}`,
+    `Documentation references: ${summary.documentation_reference || 0}`,
+    `Placeholders/examples: ${summary.placeholder_or_example || 0}`,
+    `Local-only files: ${summary.local_only_file || 0}`,
+    `Generated artifacts: ${summary.generated_artifact || 0}`,
+    `Dependency/lockfile paths: ${summary.dependency_or_lockfile || 0}`,
+    `Ignored binaries: ${summary.ignored_binary || 0}`,
+    `Unknown requiring review: ${summary.unknown_requires_review || 0}`
+  ].join('; ');
+}
+
+export function formatSecretSummary(summary = emptySummary()) {
+  return summaryText(summary);
+}
+
+export async function scanRiskyReferencesDetailed(root, { skipDirs = DEFAULT_SKIP_DIRS, allowlistPaths = [], allowlistPatterns = [] } = {}) {
   const files = await walkFiles(root, { skipDirs: mergeIgnores(skipDirs) });
+  const records = [];
   const findings = [];
+  const summary = emptySummary();
   const suppressInternalScannerDefinitions = await isOpstruthRoot(root);
+  const rootContext = await classifyRootContext(root);
+  const tracked = await trackedFiles(root);
+
+  function record(item) {
+    summary[item.category] = (summary[item.category] || 0) + 1;
+    records.push(item);
+    if (item.status === 'warn' || item.status === 'fail') findings.push(item);
+  }
+
   for (const file of files) {
     if (suppressInternalScannerDefinitions && OPSTRUTH_SCANNER_FILES.has(file.rel)) continue;
+    const isTracked = tracked.has(file.rel);
+    const pathOnly = classifySecretReference({ file: file.rel, line: '', tracked: isTracked, rootContext });
+    if (pathOnly.category === 'ignored_binary' || pathOnly.category === 'dependency_or_lockfile' || pathOnly.category === 'generated_artifact') {
+      record({ file: file.rel, line: null, pattern: 'path', match: 'path', preview: '', excerpt: '', ...pathOnly });
+      continue;
+    }
+    if (pathOnly.category === 'local_only_file') {
+      record({ file: file.rel, line: null, pattern: 'env_file', match: 'env_file', preview: '', excerpt: '', ...pathOnly });
+      continue;
+    }
     if (!isLikelyText(file.rel)) continue;
-    if (path.basename(file.rel).startsWith('.env')) continue;
     let text = '';
-    try { text = await readText(file.full); } catch { continue; }
+    try {
+      text = await readText(file.full);
+    } catch {
+      continue;
+    }
     const lines = text.split(/\r?\n/);
     lines.forEach((line, index) => {
-      for (const pattern of RISK_PATTERNS) {
-        if (pattern.test(line)) {
-          findings.push({
+      if (matchesAllowlist(file.rel, line, { allowlistPaths, allowlistPatterns })) return;
+      for (const matcher of RISK_PATTERNS) {
+        if (matcher.regex.test(line)) {
+          const classification = classifySecretReference({ file: file.rel, line, pattern: matcher.label, tracked: isTracked, rootContext });
+          record({
             file: file.rel,
             line: index + 1,
-            pattern: pattern.source.replaceAll('\\', ''),
-            match: pattern.source.replaceAll('\\', ''),
+            pattern: matcher.label,
+            match: matcher.label,
             preview: redact(line.trim()).slice(0, 160),
             excerpt: redact(line.trim()).slice(0, 160),
-            severity: 'review'
+            ...classification
           });
           break;
         }
       }
     });
   }
-  return findings;
+  return { findings, records, summary, summaryText: summaryText(summary) };
+}
+
+export async function scanRiskyReferences(root, options = {}) {
+  return (await scanRiskyReferencesDetailed(root, options)).findings;
 }

package/src/orchestrator.js

@@ -1,4 +1,3 @@
-import path from 'node:path';
 import { runRepo } from './commands/repo.js';
 import { runSecrets } from './commands/secrets.js';
 import { runQuality } from './commands/quality.js';
@@ -6,11 +5,11 @@ import { runSupabase } from './commands/supabase.js';
 import { runCloudflare } from './commands/cloudflare.js';
 import { runRoutes } from './commands/routes.js';
 import { runLocal } from './commands/local.js';
+import { runGitHubCi } from './commands/github-ci.js';
 import { runEvidence } from './commands/evidence.js';
 import { createResult, finalizeStatus, worstStatus } from './lib/result.js';
 import { detectStack, hasSupabase, hasCloudflare } from './lib/detect.js';
-import { findDefaultRoutesConfig } from './lib/config.js';
-import { pathExists } from './lib/fs.js';
+import { findDefaultRoutesConfig, loadOpstruthConfig } from './lib/config.js';
 import { resolveProjectBoundary } from './lib/boundary.js';
 import { selectProbes } from './lib/probes.js';
 
@@ -25,12 +24,42 @@ function nextStepFor(aggregate) {
   return 'Attach the evidence pack to the change or handoff.';
 }
 
+function probeJson(probe) {
+  return {
+    id: probe.id,
+    name: probe.name,
+    area: probe.area,
+    stack: probe.stack,
+    mode: probe.mode,
+    safetyLevel: probe.safetyLevel,
+    defaultMode: probe.defaultMode,
+    mutability: probe.mutability,
+    inputsRequired: probe.inputsRequired,
+    evidenceCollected: probe.evidenceCollected,
+    evidenceExpectation: probe.evidenceExpectation,
+    proves: probe.proves,
+    doesNotProve: probe.doesNotProve,
+    proofLimitation: probe.proofLimitation,
+    skipReason: probe.skipReason,
+    nextSafeStep: probe.nextSafeStep,
+    supportedStacks: probe.supportedStacks,
+    notVerified: probe.notVerified
+  };
+}
+
+function hasConfigLocalInputs(loadedConfig) {
+  if (loadedConfig.warning) return true;
+  const configLocal = loadedConfig.config?.local || {};
+  return Array.isArray(configLocal.ports) && configLocal.ports.length > 0;
+}
+
 export async function runOrchestrator(options = {}) {
   const startCwd = options.cwd || process.cwd();
   const boundary = await resolveProjectBoundary(startCwd);
   const cwd = boundary.root;
   const stack = await detectStack(cwd);
   const probeSelection = await selectProbes({ root: cwd, stack, boundary, options });
+  const loadedConfig = await loadOpstruthConfig(cwd);
   options = { ...options, cwd };
   const skip = new Set(options.skip || []);
   const childResults = [];
@@ -45,11 +74,14 @@ export async function runOrchestrator(options = {}) {
   else childResults.push(skippedResult('supabase', 'Supabase checks skipped because no supabase directory was detected.', 'Supabase database exposure was not checked'));
   if (await hasCloudflare(cwd)) await maybe('cloudflare', () => runCloudflare(options));
   else childResults.push(skippedResult('cloudflare', 'Cloudflare checks skipped because no Wrangler config was detected.', 'Cloudflare deployment configuration was not checked'));
+  const githubCiConfig = loadedConfig.config?.github?.ci || {};
+  if (options.githubCi || githubCiConfig.enabled === true) {
+    await maybe('github-ci', () => runGitHubCi({ ...options, workflow: options.workflow || githubCiConfig.workflow }));
+  }
   const routeConfig = await findDefaultRoutesConfig(cwd);
   if (options.baseUrl || options.routesFile || routeConfig) await maybe('routes', () => runRoutes(options));
   else childResults.push(skippedResult('routes', 'Route checks skipped because no base URL or routes config was provided.', 'Production/public route availability was not checked'));
-  const hasLocalConfig = await pathExists(path.join(cwd, 'opstruth.local.json'));
-  if (options.port?.length || options.healthProvided || options.process || options.service || hasLocalConfig) await maybe('local', () => runLocal(options));
+  if (options.port?.length || options.healthProvided || options.process || options.service || hasConfigLocalInputs(loadedConfig)) await maybe('local', () => runLocal(options));
   else childResults.push(skippedResult('local', 'Local runtime checks skipped because no port, health path, process, or service was provided.', 'Local runtime liveness was not checked'));
   const aggregate = createResult('opstruth', worstStatus(childResults.map((item) => item.status)), {
     summary: 'One-command read-only proof run completed.',
@@ -75,18 +107,8 @@ export async function runOrchestrator(options = {}) {
       stack,
       probes: {
         catalogueSize: probeSelection.catalogueSize,
-        selected: probeSelection.selected.map((probe) => ({
-          id: probe.id,
-          name: probe.name,
-          area: probe.area,
-          stack: probe.stack,
-          safetyLevel: probe.safetyLevel,
-          defaultMode: probe.defaultMode,
-          proves: probe.proves,
-          doesNotProve: probe.doesNotProve,
-          evidenceCollected: probe.evidenceCollected
-        })),
-        skipped: probeSelection.skipped.map((probe) => ({ id: probe.id, area: probe.area, stack: probe.stack, reason: probe.reason }))
+        selected: probeSelection.selected.map(probeJson),
+        skipped: probeSelection.skipped.map((probe) => ({ ...probeJson(probe), reason: probe.reason }))
       },
       childResults
     },