shipwright-cli 3.1.0 → 3.3.0

package/scripts/sw-e2e-orchestrator.sh

@@ -5,7 +5,7 @@
 # ╚═══════════════════════════════════════════════════════════════════════════╝
 set -euo pipefail
 
-VERSION="3.1.0"
+VERSION="3.3.0"
 
 # ─── Script directory resolution ────────────────────────────────────────────
 SOURCE="${BASH_SOURCE[0]}"
@@ -19,6 +19,7 @@ SCRIPT_DIR="$(cd "$(dirname "$SOURCE")" && pwd)"
 # ─── State directories ──────────────────────────────────────────────────────
 E2E_DIR="${HOME}/.shipwright/e2e"
 SUITE_REGISTRY="$E2E_DIR/suite-registry.json"
+# shellcheck disable=SC2034
 FLAKY_CACHE="$E2E_DIR/flaky-cache.json"
 RESULTS_LOG="$E2E_DIR/results.jsonl"
 LATEST_REPORT="$E2E_DIR/latest-report.json"
@@ -123,7 +124,7 @@ cmd_register() {
     fi
 
     # Parse existing registry
-    local registry=$(load_registry)
+    local registry; registry=$(load_registry)
     local new_suite
 
     # Create feature array
@@ -179,7 +180,7 @@ cmd_quarantine() {
         init_registry
     fi
 
-    local registry=$(load_registry)
+    local registry; registry=$(load_registry)
 
     if [[ "$action" == "quarantine" ]]; then
         # Add to quarantine list if not already present
@@ -207,20 +208,20 @@ cmd_quarantine() {
 # ─── Run a single test suite ────────────────────────────────────────────────
 run_suite() {
     local suite_id="$1"
-    local registry=$(load_registry)
+    local registry; registry=$(load_registry)
 
     # Find suite
-    local suite=$(echo "$registry" | jq ".suites[] | select(.id == \"$suite_id\")")
+    local suite; suite=$(echo "$registry" | jq ".suites[] | select(.id == \"$suite_id\")")
 
     if [[ -z "$suite" ]]; then
         error "Suite not found: $suite_id"
         return 1
     fi
 
-    local suite_name=$(echo "$suite" | jq -r '.name')
-    local script=$(echo "$suite" | jq -r '.script')
-    local timeout=$(echo "$suite" | jq -r '.timeout_seconds')
-    local features=$(echo "$suite" | jq -r '.features | join(", ")')
+    local suite_name; suite_name=$(echo "$suite" | jq -r '.name')
+    local script; script=$(echo "$suite" | jq -r '.script')
+    local timeout; timeout=$(echo "$suite" | jq -r '.timeout_seconds')
+    local features; features=$(echo "$suite" | jq -r '.features | join(", ")')
 
     local test_script="$SCRIPT_DIR/$script"
 
@@ -230,7 +231,7 @@ run_suite() {
     fi
 
     info "Running: $suite_name ($features)"
-    local start_time=$(date +%s)
+    local start_time; start_time=$(date +%s)
 
     # Run with timeout (gtimeout on macOS, timeout on Linux)
     local timeout_cmd="timeout"
@@ -238,7 +239,7 @@ run_suite() {
     local exit_code=0
     "$timeout_cmd" "$timeout" bash "$test_script" || exit_code=$?
 
-    local end_time=$(date +%s)
+    local end_time; end_time=$(date +%s)
     local duration=$((end_time - start_time))
 
     # Log result
@@ -257,9 +258,9 @@ run_parallel() {
     local max_parallel=${2:-3}
 
     ensure_state_dir
-    > "$RESULTS_LOG"  # Clear results log
+    true > "$RESULTS_LOG"  # Clear results log
 
-    local registry=$(load_registry)
+    local registry; registry=$(load_registry)
 
     # Filter suites by category and enabled status
     local suites
@@ -341,7 +342,7 @@ cmd_report() {
     local skip=0
 
     while IFS= read -r line; do
-        local exit_code=$(echo "$line" | jq -r '.exit_code // 0')
+        local exit_code; exit_code=$(echo "$line" | jq -r '.exit_code // 0')
         if [[ $exit_code -eq 0 ]]; then
             pass=$((pass + 1))
         elif [[ $exit_code -eq 124 ]]; then
@@ -354,7 +355,7 @@ cmd_report() {
     local total=$((pass + fail + timeout + skip))
 
     # Create report
-    local report=$(jq -n \
+    local report; report=$(jq -n \
         --arg ts "$(date -Iseconds)" \
         --arg version "$VERSION" \
         --argjson p "$pass" \
@@ -409,7 +410,7 @@ cmd_flaky() {
     info "Analyzing flaky tests..."
 
     # Group by test name, count passes/fails
-    local flaky_analysis=$(jq -s 'group_by(.suite_id) | map({
+    local flaky_analysis; flaky_analysis=$(jq -s 'group_by(.suite_id) | map({
         test: .[0].suite_id,
         runs: length,
         passes: (map(select(.exit_code == 0)) | length),

package/scripts/sw-eventbus.sh

@@ -7,7 +7,8 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.1.0"
+# shellcheck disable=SC2034
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # ─── Cross-platform compatibility ──────────────────────────────────────────
@@ -31,6 +32,7 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
+    # shellcheck disable=SC2155
     local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"
@@ -94,6 +96,8 @@ cmd_subscribe() {
     while true; do
         if db_available 2>/dev/null; then
             local events batch_last_id=0
+            # Numeric validation for last_id
+            [[ ! "$last_id" =~ ^[0-9]+$ ]] && last_id=0
             events=$(sqlite3 -json "$DB_FILE" "SELECT * FROM events WHERE id > $last_id ORDER BY id ASC LIMIT 50;" 2>/dev/null || echo "[]")
             if [[ "$events" != "[]" && -n "$events" ]]; then
                 while IFS= read -r event; do
@@ -124,6 +128,7 @@ cmd_subscribe() {
 
 # ─── Process reaper (SIGCHLD monitor) ──────────────────────────────────────
 cmd_reaper() {
+    # shellcheck disable=SC2034
     local pid_list=()
 
     info "Starting process reaper. Press Ctrl+C to exit."
@@ -145,6 +150,7 @@ cmd_reaper() {
                 # Check if process is still alive
                 if ! kill -0 "$pid" 2>/dev/null; then
                     # Process died — emit event
+                    # shellcheck disable=SC2155
                     local payload="{\"pid\": $pid, \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}"
                     cmd_publish "process.exited" "reaper" "$(generate_uuid)" "$payload"
                 fi
@@ -251,7 +257,8 @@ cmd_status() {
         fi
     elif [[ -f "$EVENTS_FILE" ]]; then
         local total_events last_event_ts
-        total_events=$(wc -l < "$EVENTS_FILE" || echo 0)
+        total_events=$(wc -l < "$EVENTS_FILE" || true)
+        total_events="${total_events:-0}"
         last_event_ts=$(tail -1 "$EVENTS_FILE" | jq -r '.ts // "never"' 2>/dev/null || echo "never")
         echo -e "  ${CYAN}Event Store:${RESET} $EVENTS_FILE (file fallback)"
         echo -e "  ${CYAN}Total Events:${RESET} ${BOLD}${total_events}${RESET}"
@@ -290,7 +297,8 @@ cmd_clean() {
     elif [[ -f "$EVENTS_FILE" ]]; then
         info "Cleaning events older than ${ttl_days} days..."
         local old_count tmp_file new_count removed
-        old_count=$(grep -c "ts" "$EVENTS_FILE" 2>/dev/null || echo 0)
+        old_count=$(grep -c "ts" "$EVENTS_FILE" 2>/dev/null || true)
+        old_count="${old_count:-0}"
         tmp_file="$(mktemp)"
         while IFS= read -r line; do
             [[ -z "$line" ]] && continue
@@ -299,7 +307,8 @@ cmd_clean() {
             [[ -n "$ts" && "$ts" > "$cutoff_iso" ]] && echo "$line" >> "$tmp_file"
         done < "$EVENTS_FILE"
         mv "$tmp_file" "$EVENTS_FILE"
-        new_count=$(wc -l < "$EVENTS_FILE" || echo 0)
+        new_count=$(wc -l < "$EVENTS_FILE" || true)
+        new_count="${new_count:-0}"
         removed=$((old_count - new_count))
         success "Removed $removed old events. Remaining: $new_count"
     else

package/scripts/sw-evidence.sh

@@ -8,7 +8,8 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.1.0"
+# shellcheck disable=SC2034
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 
@@ -187,6 +188,7 @@ collect_api() {
     local name="$1"
     local collector_json="$2"
 
+    # shellcheck disable=SC2034
     local url method expected_status headers_json body timeout
     url=$(echo "$collector_json" | jq -r '.url // ""')
     method=$(echo "$collector_json" | jq -r '.method // "GET"')
@@ -444,6 +446,191 @@ collect_custom() {
         '{command: $cmd, exit_code: $exit_code, expected_exit_code: $expected, output_preview: $output_preview}')"
 }
 
+# ─── Mutation Testing: Verify mutations are caught by test suite ───────────────
+
+collect_mutation() {
+    local name="$1"
+    local collector_json="$2"
+
+    local test_cmd target_files threshold
+    test_cmd=$(echo "$collector_json" | jq -r '.testCommand // ""')
+    target_files=$(echo "$collector_json" | jq -r '.targetFiles // ""')
+    threshold=$(echo "$collector_json" | jq -r '.mutationThreshold // 60')
+
+    if [[ -z "$test_cmd" ]] || [[ -z "$target_files" ]]; then
+        error "[mutation] ${name}: testCommand and targetFiles required"
+        write_evidence_record "$name" "mutation" "false" '{"error": "testCommand and targetFiles required"}'
+        return
+    fi
+
+    info "[mutation] ${name}: testing mutation coverage (threshold: ${threshold}%)"
+
+    local mutation_dir
+    mutation_dir=$(mktemp -d "${TMPDIR:-/tmp}/sw-evidence-mutations.XXXXXX")
+    trap "rm -rf '$mutation_dir'" RETURN
+
+    local total_mutants=0
+    local killed_mutants=0
+
+    # For each target file, create mutations
+    local file
+    while IFS= read -r file; do
+        [[ -z "$file" ]] && continue
+        [[ ! -f "$REPO_DIR/$file" ]] && continue
+
+        # Copy file to mutation dir for testing
+        local file_copy="$mutation_dir/$(basename "$file")"
+        cp "$REPO_DIR/$file" "$file_copy"
+
+        # Apply mutations: swap operators, negate conditions, change exit codes
+        local mutations=()
+
+        # Mutation 1: swap == to !=
+        if grep -q "==" "$file_copy"; then
+            mutations+=("sed 's/==/!=/g'")
+        fi
+
+        # Mutation 2: swap != to ==
+        if grep -q "!=" "$file_copy"; then
+            mutations+=("sed 's/!=/==/g'")
+        fi
+
+        # Mutation 3: change -gt to -lt
+        if grep -q "\-gt" "$file_copy"; then
+            mutations+=("sed 's/-gt/-lt/g'")
+        fi
+
+        # Mutation 4: change -lt to -gt
+        if grep -q "\-lt" "$file_copy"; then
+            mutations+=("sed 's/-lt/-gt/g'")
+        fi
+
+        # Mutation 5: change exit 0 to exit 1
+        if grep -q "exit 0" "$file_copy"; then
+            mutations+=("sed 's/exit 0/exit 1/g'")
+        fi
+
+        # Mutation 6: comment out error traps
+        if grep -q "trap.*ERR" "$file_copy"; then
+            mutations+=("sed 's/^trap /#trap /g'")
+        fi
+
+        # Apply each mutation and test
+        for i in "${!mutations[@]}"; do
+            total_mutants=$((total_mutants + 1))
+            local mutated_copy="$file_copy.mutant.$i"
+            cp "$file_copy" "$mutated_copy"
+
+            # Apply mutation
+            eval "${mutations[$i]} \"$mutated_copy\" > \"${mutated_copy}.tmp\" && mv \"${mutated_copy}.tmp\" \"$mutated_copy\"" 2>/dev/null || true
+
+            # Run test with mutation — test should fail (mutation caught)
+            local test_result=0
+            (cd "$REPO_DIR" && _run_with_timeout 30 bash -c "$test_cmd" > /dev/null 2>&1) || test_result=$?
+
+            # If test failed (non-zero), mutation was caught
+            if [[ "$test_result" -ne 0 ]]; then
+                killed_mutants=$((killed_mutants + 1))
+            fi
+
+            rm -f "$mutated_copy"
+        done
+
+    done <<< "$target_files"
+
+    local mutation_score=0
+    local passed="false"
+    if [[ "$total_mutants" -gt 0 ]]; then
+        mutation_score=$((killed_mutants * 100 / total_mutants))
+        [[ "$mutation_score" -ge "$threshold" ]] && passed="true"
+    fi
+
+    write_evidence_record "$name" "mutation" "$passed" \
+        "$(jq -n --argjson total "$total_mutants" --argjson killed "$killed_mutants" \
+        --argjson score "$mutation_score" --argjson threshold "$threshold" \
+        '{total_mutants: $total, killed_mutants: $killed, mutation_score: $score, threshold: $threshold}')"
+}
+
+# ─── Property-Based Testing: Verify properties hold over iterations ──────────
+
+collect_property() {
+    local name="$1"
+    local collector_json="$2"
+
+    local property_cmd iterations
+    property_cmd=$(echo "$collector_json" | jq -r '.propertyCommand // ""')
+    iterations=$(echo "$collector_json" | jq -r '.iterations // 100')
+
+    if [[ -z "$property_cmd" ]]; then
+        error "[property] ${name}: propertyCommand required"
+        write_evidence_record "$name" "property" "false" '{"error": "propertyCommand required"}'
+        return
+    fi
+
+    info "[property] ${name}: running property test (${iterations} iterations)"
+
+    local passed_count=0
+    local failed_count=0
+    local counterexamples="[]"
+
+    # Run property test multiple times
+    local i
+    for ((i = 0; i < iterations; i++)); do
+        local output=0
+        local result_output=""
+        result_output=$(cd "$REPO_DIR" && _run_with_timeout 10 bash -c "$property_cmd" 2>&1) || output=$?
+
+        if [[ "$output" -eq 0 ]]; then
+            passed_count=$((passed_count + 1))
+        else
+            failed_count=$((failed_count + 1))
+            # Capture counterexample (first 200 chars of output)
+            counterexamples=$(echo "$counterexamples" | jq \
+                --arg ce "${result_output:0:200}" \
+                '. += [{"iteration": '$i', "output": $ce}]')
+        fi
+    done
+
+    local passed="false"
+    [[ "$failed_count" -eq 0 ]] && passed="true"
+
+    write_evidence_record "$name" "property" "$passed" \
+        "$(jq -n --argjson passed_count "$passed_count" --argjson failed_count "$failed_count" \
+        --argjson iterations "$iterations" --argjson counterexamples "$counterexamples" \
+        '{passed_count: $passed_count, failed_count: $failed_count, total_iterations: $iterations, counterexamples: $counterexamples}')"
+}
+
+# ─── Invariant Checking: Verify system invariants ────────────────────────────
+
+collect_invariant() {
+    local name="$1"
+    local collector_json="$2"
+
+    local check_cmd invariant_name
+    check_cmd=$(echo "$collector_json" | jq -r '.checkCommand // ""')
+    invariant_name=$(echo "$collector_json" | jq -r '.invariantName // "unnamed"')
+
+    if [[ -z "$check_cmd" ]]; then
+        error "[invariant] ${name}: checkCommand required"
+        write_evidence_record "$name" "invariant" "false" '{"error": "checkCommand required"}'
+        return
+    fi
+
+    info "[invariant] ${name}: checking invariant '${invariant_name}'"
+
+    local exit_code=0
+    local output=""
+    output=$(cd "$REPO_DIR" && _run_with_timeout 30 bash -c "$check_cmd" 2>&1) || exit_code=$?
+
+    local passed="false"
+    [[ "$exit_code" -eq 0 ]] && passed="true"
+
+    write_evidence_record "$name" "invariant" "$passed" \
+        "$(jq -n --arg invariant_name "$invariant_name" --argjson exit_code "$exit_code" \
+        --arg output "${output:0:2000}" \
+        '{invariant_name: $invariant_name, check_exit_code: $exit_code, output: $output}')"
+}
+
 # ═════════════════════════════════════════════════════════════════════════════
 # EVIDENCE RECORD WRITER
 # ═════════════════════════════════════════════════════════════════════════════
@@ -477,6 +664,142 @@ write_evidence_record() {
     fi
 }
 
+# ═════════════════════════════════════════════════════════════════════════════
+# ARTIFACT CAPTURE
+# Stores build logs, test reports, coverage as evidence artifacts with manifest
+# ═════════════════════════════════════════════════════════════════════════════
+
+evidence_capture_artifact() {
+    local artifact_name="$1"
+    local artifact_path="$2"
+
+    if [[ ! -f "$artifact_path" ]]; then
+        warn "[artifact] ${artifact_name}: file not found"
+        return 1
+    fi
+
+    local artifacts_dir="${EVIDENCE_DIR}/artifacts"
+    mkdir -p "$artifacts_dir"
+
+    # Copy artifact to artifacts directory
+    local dest_file="$artifacts_dir/${artifact_name}"
+    cp "$artifact_path" "$dest_file"
+
+    # Compute SHA-256 of artifact
+    local artifact_sha256
+    if command -v shasum >/dev/null 2>&1; then
+        artifact_sha256=$(shasum -a 256 "$dest_file" | awk '{print $1}')
+    elif command -v sha256sum >/dev/null 2>&1; then
+        artifact_sha256=$(sha256sum "$dest_file" | awk '{print $1}')
+    else
+        artifact_sha256="unknown"
+    fi
+
+    info "[artifact] ${artifact_name}: captured (${artifact_sha256:0:16}...)"
+
+    # Append to artifacts manifest
+    local artifacts_manifest="${EVIDENCE_DIR}/artifacts-manifest.json"
+    if [[ ! -f "$artifacts_manifest" ]]; then
+        echo "[]" > "$artifacts_manifest"
+    fi
+
+    local tmp_manifest
+    tmp_manifest=$(mktemp "${TMPDIR:-/tmp}/sw-evidence-artifacts.XXXXXX")
+    jq \
+        --arg name "$artifact_name" \
+        --arg path "$dest_file" \
+        --arg sha256 "$artifact_sha256" \
+        --arg captured_at "$(now_iso)" \
+        '. += [{"name": $name, "path": $path, "sha256": $sha256, "captured_at": $captured_at}]' \
+        "$artifacts_manifest" > "$tmp_manifest"
+    mv "$tmp_manifest" "$artifacts_manifest"
+
+    return 0
+}
+
+# ═════════════════════════════════════════════════════════════════════════════
+# QUALITY SCORE COMPUTATION
+# Weights: mutation (30%), property tests (25%), invariants (25%), collectors (20%)
+# ═════════════════════════════════════════════════════════════════════════════
+
+evidence_quality_score() {
+    ensure_evidence_dir
+
+    if [[ ! -f "$MANIFEST_FILE" ]]; then
+        echo "0"
+        return 1
+    fi
+
+    # Extract collector results
+    local mutation_score=0
+    local property_score=0
+    local invariant_score=0
+    local collector_pass_rate=0
+
+    # Mutation test score (from manifest)
+    local mutation_evidence="${EVIDENCE_DIR}/mutation_test.json"
+    if [[ -f "$mutation_evidence" ]]; then
+        local mutation_passed
+        mutation_passed=$(jq -r '.passed // false' "$mutation_evidence" 2>/dev/null || echo "false")
+        if [[ "$mutation_passed" == "true" ]]; then
+            mutation_score=$(jq -r '.details.mutation_score // 0' "$mutation_evidence" 2>/dev/null || echo "0")
+            [[ -z "$mutation_score" ]] && mutation_score="0"
+        fi
+    fi
+
+    # Property test score (failed_count == 0 => 100, else 0)
+    local property_evidence="${EVIDENCE_DIR}/property_test.json"
+    if [[ -f "$property_evidence" ]]; then
+        local prop_failed
+        prop_failed=$(jq -r '.details.failed_count // 0' "$property_evidence" 2>/dev/null || echo "0")
+        [[ -z "$prop_failed" ]] && prop_failed="0"
+        if [[ "$prop_failed" -eq 0 ]]; then
+            property_score=100
+        fi
+    fi
+
+    # Invariant score (all pass => 100, else 50)
+    local invariant_evidence="${EVIDENCE_DIR}/invariant_check.json"
+    if [[ -f "$invariant_evidence" ]]; then
+        local invariant_passed
+        invariant_passed=$(jq -r '.passed // false' "$invariant_evidence" 2>/dev/null || echo "false")
+        if [[ "$invariant_passed" == "true" ]]; then
+            invariant_score=100
+        else
+            invariant_score=50
+        fi
+    fi
+
+    # Collector pass rate
+    local collector_count
+    collector_count=$(jq -r '.collector_count // 0' "$MANIFEST_FILE" 2>/dev/null || echo "0")
+    [[ -z "$collector_count" ]] && collector_count="0"
+
+    local passed_count
+    passed_count=$(jq -r '.passed // 0' "$MANIFEST_FILE" 2>/dev/null || echo "0")
+    [[ -z "$passed_count" ]] && passed_count="0"
+
+    if [[ "$collector_count" -gt 0 ]]; then
+        collector_pass_rate=$((passed_count * 100 / collector_count))
+    fi
+
+    # Weighted score: 30% mutation + 25% property + 25% invariant + 20% collector
+    local weighted_score=0
+    weighted_score=$((
+        (mutation_score * 30) +
+        (property_score * 25) +
+        (invariant_score * 25) +
+        (collector_pass_rate * 20)
+    ))
+    weighted_score=$((weighted_score / 100))
+
+    # Cap at 100
+    [[ "$weighted_score" -gt 100 ]] && weighted_score=100
+
+    echo "$weighted_score"
+    return 0
+}
+
 # ═════════════════════════════════════════════════════════════════════════════
 # COMMANDS
 # ═════════════════════════════════════════════════════════════════════════════
@@ -514,6 +837,9 @@ cmd_capture() {
             database)  collect_database "$cname" "$collector" ;;
             webhook)   collect_webhook "$cname" "$collector" ;;
             custom)    collect_custom "$cname" "$collector" ;;
+            mutation)  collect_mutation "$cname" "$collector" ;;
+            property)  collect_property "$cname" "$collector" ;;
+            invariant) collect_invariant "$cname" "$collector" ;;
             *)         warn "Unknown collector type: ${ctype} (skipping ${cname})" ; continue ;;
         esac
 
@@ -675,26 +1001,40 @@ cmd_status() {
 cmd_list_types() {
     echo "Supported evidence types:"
     echo ""
-    echo "  browser    HTTP page load — verifies UI renders correctly"
-    echo "  api        REST/GraphQL endpoint — verifies response status, body, content-type"
-    echo "  database   Schema/migration check — verifies DB integrity via command"
-    echo "  cli        Command execution — verifies exit code and output"
-    echo "  webhook    Callback verification — verifies webhook endpoint responds"
-    echo "  custom     User-defined script — any verification logic"
+    echo "  browser     HTTP page load — verifies UI renders correctly"
+    echo "  api         REST/GraphQL endpoint — verifies response status, body, content-type"
+    echo "  database    Schema/migration check — verifies DB integrity via command"
+    echo "  cli         Command execution — verifies exit code and output"
+    echo "  webhook     Callback verification — verifies webhook endpoint responds"
+    echo "  custom      User-defined script — any verification logic"
+    echo "  mutation    Mutation testing — verifies test suite catches code mutations"
+    echo "  property    Property-based testing — verifies properties hold over iterations"
+    echo "  invariant   Invariant checking — verifies system invariants hold"
     echo ""
     echo "Configure collectors in config/policy.json under the 'evidence' section."
 }
 
+cmd_quality_score() {
+    ensure_evidence_dir
+    local score
+    score=$(evidence_quality_score)
+    echo "Evidence-based quality score: ${score}/100"
+    emit_event "evidence.quality_score" "score=${score}"
+    return 0
+}
+
 show_help() {
     cat << 'EOF'
 Usage: shipwright evidence <command> [args]
 
 Commands:
-  capture [type]    Capture evidence (optionally filter by type)
-  verify            Verify evidence manifest and freshness
-  pre-pr [type]     Capture + verify (run before PR creation)
-  status            Show current evidence state grouped by type
-  types             List supported evidence types
+  capture [type]      Capture evidence (optionally filter by type)
+  verify              Verify evidence manifest and freshness
+  pre-pr [type]       Capture + verify (run before PR creation)
+  status              Show current evidence state grouped by type
+  types               List supported evidence types
+  quality-score       Compute quality score from evidence
+  artifact <name> <path>  Capture artifact with SHA-256 manifest
 
 Evidence Types:
   browser     HTTP page load verification
@@ -703,11 +1043,17 @@ Evidence Types:
   cli         Command execution and exit code
   webhook     Callback endpoint verification
   custom      User-defined verification scripts
+  mutation    Mutation testing (verify test suite catches mutations)
+  property    Property-based testing (verify properties hold)
+  invariant   Invariant checking (verify system invariants)
 
 Evidence collectors are defined in config/policy.json under the
 'evidence.collectors' array. Each collector specifies a type,
 target, and assertions.
 
+Machine-verifiable proof: mutation testing, property-based testing,
+invariant checking, artifact capture with SHA-256 manifests.
+
 Part of the Code Factory pattern for machine-verifiable proof.
 EOF
 }
@@ -732,6 +1078,12 @@ main() {
         types)
             cmd_list_types
             ;;
+        quality-score)
+            cmd_quality_score
+            ;;
+        artifact)
+            evidence_capture_artifact "$@"
+            ;;
         help|--help|-h)
             show_help
             ;;