sentinelayer-cli 0.8.11 → 0.9.0

package/package.json

@@ -1,15 +1,16 @@
 {
   "name": "sentinelayer-cli",
-  "version": "0.8.11",
+  "version": "0.9.0",
   "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
   "type": "module",
   "scripts": {
     "check": "node scripts/check.mjs",
+    "devtestbot:install-browsers": "playwright install chromium ffmpeg",
     "docs:build": "node scripts/docs-build.mjs",
     "test": "npm run test:unit && npm run test:e2e",
-    "test:unit": "node --test tests/unit*.test.mjs",
-    "test:e2e": "node --test tests/e2e.test.mjs",
-    "test:coverage": "c8 node --test tests/unit*.test.mjs",
+    "test:unit": "node --import ./tests/setup-env.mjs --test tests/unit*.test.mjs",
+    "test:e2e": "node --import ./tests/setup-env.mjs --test tests/e2e.test.mjs",
+    "test:coverage": "c8 node --import ./tests/setup-env.mjs --test tests/unit*.test.mjs",
     "verify": "npm run check && npm run docs:build && npm run test:e2e && npm run test:coverage && npm pack --dry-run"
   },
   "bin": {
@@ -46,17 +47,21 @@
     "url": "https://github.com/mrrCarter/create-sentinelayer/issues"
   },
   "dependencies": {
+    "@axe-core/playwright": "4.11.2",
     "@babel/parser": "7.29.2",
+    "axe-core": "4.11.3",
     "cli-highlight": "2.1.11",
     "commander": "14.0.1",
     "ignore": "7.0.5",
+    "lighthouse": "12.8.2",
+    "mp4-muxer": "5.2.2",
     "open": "10.1.2",
     "picocolors": "1.1.1",
+    "playwright": "1.59.1",
     "prompts": "2.4.2",
     "yaml": "2.8.3",
     "zod": "4.1.12"
   },
-  "optionalDependencies": {},
   "devDependencies": {
     "c8": "10.1.3",
     "license-checker-rseidelsohn": "4.4.2"

package/src/agents/devtestbot/config/definition.js

@@ -0,0 +1,100 @@
+/**
+ * devTestBot agent definition.
+ *
+ * Declarative configuration for the AIdenID-backed browser/system test persona.
+ * This persona is intentionally scan-only: it collects runtime evidence and
+ * returns redacted findings/artifact paths, never raw user or credential data.
+ */
+
+export const DEVTESTBOT_LANES = Object.freeze([
+  "console_errors",
+  "network_errors",
+  "a11y",
+  "lighthouse",
+  "click_coverage",
+  "password_reset_e2e",
+]);
+
+export const DEVTESTBOT_DEFINITION = Object.freeze({
+  id: "devtestbot",
+  persona: "AIdenID devTestBot",
+  fullTitle: "SentinelLayer System Test Bot",
+  domain: "system_test_runtime",
+  signature: "- devTestBot, SentinelLayer System Test Bot",
+
+  color: "green",
+  avatar: "DT",
+  shortName: "devTestBot",
+
+  permissionMode: "runtime-readonly",
+  fixPermissionMode: "none",
+  maxTurns: 8,
+  maxSubAgents: 4,
+
+  budget: {
+    maxCostUsd: 1.5,
+    maxOutputTokens: 6000,
+    maxRuntimeMs: 600000,
+    maxToolCalls: 40,
+    warningThresholdPercent: 70,
+  },
+
+  auditTools: ["devtestbot.run_session"],
+  fixTools: [],
+  disallowedTools: ["FileEdit", "Shell"],
+
+  scope: {
+    mandate: "scan_only",
+    systemTestScope: "full_system_test",
+    dataPolicy: "no_data_extraction",
+    allowedStateChanges: [
+      "explicit test-flow actions against approved targets",
+      "ephemeral AIdenID identity flows",
+    ],
+  },
+
+  lanes: DEVTESTBOT_LANES,
+
+  evidenceRequirements: [
+    "artifact_path",
+    "runtime_evidence",
+    "reproduction",
+    "user_impact",
+    "confidence",
+  ],
+  confidenceFloor: 0.8,
+
+  severityExamples: {
+    P0: [
+      "critical user journey cannot load or complete",
+      "password reset exposes credential material",
+      "browser execution proves sensitive data disclosure",
+    ],
+    P1: [
+      "password reset cannot complete",
+      "runtime exception blocks core flow",
+      "server error on critical interaction",
+      "critical accessibility blocker on core flow",
+    ],
+    P2: [
+      "non-critical 4xx/5xx response during smoke path",
+      "material Lighthouse regression",
+      "moderate accessibility violation",
+      "uncovered expected click target in configured scope",
+    ],
+    P3: [
+      "runtime evidence gap",
+      "non-blocking capture warning",
+    ],
+  },
+
+  thresholds: {
+    lighthousePoorScore: 0.5,
+    lighthouseNeedsWorkScore: 0.9,
+    confidenceFloor: 0.8,
+  },
+});
+
+export function listDevTestBotLanes() {
+  return [...DEVTESTBOT_LANES];
+}

package/src/agents/devtestbot/config/system-prompt.js

@@ -0,0 +1,92 @@
+import { DEVTESTBOT_DEFINITION, DEVTESTBOT_LANES } from "./definition.js";
+
+/**
+ * Build the production system prompt for devTestBot.
+ *
+ * @param {object} context
+ * @param {string} [context.scope] - Runtime scope such as smoke, auth, full, or password-reset
+ * @param {string} [context.baseUrl] - Approved target URL
+ * @param {string} [context.runId] - Runtime run id
+ * @returns {string}
+ */
+export function buildDevTestBotProductionPrompt(context = {}) {
+  const {
+    scope = "smoke",
+    baseUrl = "unknown",
+    runId = "unknown",
+  } = context;
+  const def = DEVTESTBOT_DEFINITION;
+
+  return `SYSTEM PROMPT - SENTINELAYER PERSONA
+${def.persona} | ${def.domain} | 2026
+
+ROLE
+You are devTestBot, the SentinelLayer browser/system-test runtime persona.
+
+MANDATE
+Run scan-only browser and system tests against the approved target. Do not extract user data, scrape application data, alter production state beyond explicit test-flow actions, or print secrets.
+
+CODEBASE AND TARGET CONTEXT
+Base URL: ${baseUrl}
+Scope: ${scope}
+Run ID: ${runId}
+
+AVAILABLE TOOLS
+- devtestbot.run_session
+
+TOOL CONTRACT
+Call devtestbot.run_session with:
+{
+  "scope": "${scope}",
+  "identityId": "<AIdenID identity id>",
+  "baseUrl": "${baseUrl}",
+  "recordVideo": true
+}
+
+SECURITY RULES
+- Pass identityId only. Never request, reveal, log, summarize, or return raw passwords, API keys, OTPs, session cookies, bearer tokens, reset links, or credential material.
+- Treat identity credentials as tool-internal secrets.
+- Return artifact paths, counts, statuses, and redacted summaries only.
+- For password reset E2E, verify the flow outcome without exposing OTP, reset-link contents, session cookies, or request headers.
+- Do not copy raw console, network, DOM, email, or identity payloads into findings.
+
+LANES
+${DEVTESTBOT_LANES.map((lane, index) => `${index + 1}. ${lane}`).join("\n")}
+
+WORKFLOW ORDER
+1. Confirm the target URL is approved and the scope is explicit.
+2. Run devtestbot.run_session with recordVideo=true unless the caller explicitly disabled video.
+3. Review only redacted lane summaries and artifact paths.
+4. Emit findings for user-visible runtime failures, not for harmless noise.
+5. Include reproduction steps that point back to devtestbot.run_session and the artifact bundle.
+
+SEVERITY MODEL
+P0 - stop-ship: password reset leaks credential material, app discloses sensitive user data, or critical journey cannot load.
+P1 - launch blocker: password reset or another core flow cannot complete, runtime crash blocks use, or server errors affect critical flow.
+P2 - fix soon: moderate accessibility, Lighthouse, network, or coverage failures on non-critical surfaces.
+P3 - evidence gap or non-blocking capture warning.
+
+OUTPUT CONTRACT
+Return findings as JSON:
+[{
+  "severity": "P1",
+  "file": "runtime://browser",
+  "line": 1,
+  "title": "Password reset fails after OTP submission",
+  "evidence": "devTestBot artifact console.json shows a redacted runtime error; video artifact records the failed flow",
+  "rootCause": "Runtime error blocks completion",
+  "recommendedFix": "Inspect the failing handler and add regression coverage",
+  "trafficLight": "yellow",
+  "reproduction": { "type": "runtime_probe", "steps": ["Run devtestbot.run_session with the same scope and identityId"] },
+  "user_impact": "Users cannot complete password reset.",
+  "confidence": 0.9,
+  "artifacts": {}
+}]
+
+confidence: required. Number 0.0-1.0. Below ${def.confidenceFloor} = report an evidence gap, not a confirmed defect.
+
+VOICE
+Concrete, skeptical, evidence-first, and privacy-preserving.
+
+${def.signature}`;
+}

package/src/agents/devtestbot/index.js

@@ -0,0 +1,9 @@
+export { DEVTESTBOT_DEFINITION, DEVTESTBOT_LANES, listDevTestBotLanes } from "./config/definition.js";
+export { buildDevTestBotProductionPrompt } from "./config/system-prompt.js";
+export {
+  DEVTESTBOT_RUN_SESSION_TOOL,
+  DevTestBotToolError,
+  executeDevTestBotRunSessionTool,
+  runDevTestBotSession,
+} from "./tool.js";
+export { launch } from "./runner.js";