@decantr/verifier
Support status: core-supported
Release channel: stable
Shared Decantr verification, critique, and report-schema engine used by the CLI, MCP server, and future CI/hosted verification surfaces.
Install
npm install @decantr/verifierWhat It Exports
auditProject()for project-level Decantr auditsauditBuiltDist()for built-output runtime verification against emitted HTML, assets, and route hintsscanProject()for read-only Brownfield reconnaissance of framework, routes, components, styling, static-hosting hints, Decantr presence, and assistant-rule filesauditComponentReuse()for the first AST-derived component reuse drift slice, focused on AI reimplementing common UI primitives instead of importing project-owned components, plus local import references that the typed graph can turn into source-to-source impact edgesauditStyleBridgeDrift()for accepted style bridge drift, focused on productionclassName, common class-helper values, stylesheet declarations, and hardcoded inline color styles that bypass project-owned token/class authoritycollectProjectSourceFiles()for the shared production-source file selection used by Project Health, component reuse drift, style bridge drift, and typed graph source provenanceresolveGitHubScanInput()andprobePublishedSite()for hosted scan inputs and HTML-only published-site metadata probescritiqueFile()for file-level review against compiled review-pack contractscreateContractAssertions()for explicit route, shell, accessibility, context, and design-token assertions derived from Essence/contextcreateEvidenceBundle()for privacy-redacted local evidence artifacts used by AI repair loops and CIcreateEvidenceTier(),createAuthorityResolution(), andcreateLoopReadiness()for the shared v2 Brownfield control-loop blocks used by CLI, MCP, Studio, and verifier consumersresolveGraphAnchorForFinding()andanchorFindingsToGraph()for attaching verifier/Project Health findings to typed Contract graph nodes when a graph snapshot existsderiveVerificationDiagnostic()andKNOWN_VERIFICATION_DIAGNOSTICSfor stable finding codes and typed repair IDs used by Project Health, MCP health, and Evidence Bundles- schema-backed report types for project audits, v2 Project Health, v2 Decantr CI reports, v2 Evidence Bundles, v2 Workspace Health, v2 authority resolution, v2 loop readiness, v2 proof field reports, file critiques, and showcase verification
ProjectHealthReport,ProjectHealthFinding, andProjectHealthRemediationtypes for the CLI's end-user health surface- Project Health and Evidence Bundle finding schemas include optional
code,repair,repairPlan, andgraphfields so agents can identify, anchor, and act on findings without parsing prose; Evidence Bundle provenance also records graph snapshot, manifest, diff, and contract-capsule hashes when present - interaction findings now include scanned file counts, file line ranges, and expected signal evidence where available, so CLI health/check output can point agents at source-grounded remediation
- contract-only and style-bridge Brownfield critique avoids requiring Decantr treatments/decorators when the project keeps its own styling authority
- Decantr CI report schemas include accepted style bridge status, mapping count, styling approach, theme modes, evidence tier, authority resolution, and loop readiness alongside local-law findings
- project audits check that
pack-manifest.jsonreferences real pack markdown/JSON files on disk - project audits tolerate partial or malformed generated review packs without crashing Project Health, so half-attached Brownfield projects still receive actionable findings
- Next.js static/document outputs are treated as framework-rendered documents instead of requiring a Vite-style
id="root"mount element - generic static apps can satisfy runtime root proof through semantic app roots such as
main,role="main",section.todoapp, or#todoapp, while framework targets still require framework mount/document evidence - project source audits ignore test, spec, story, fixture, and mock files for production drift warnings such as localhost endpoints and unsafe rendering patterns
- project audits emit
COMP001/import-existing-componentfindings when a production source file locally redeclares a primitive such asButton,Card, orDialogwhile an exported reusable primitive already exists under common component paths - project audits emit
COMP010/replace-raw-control-with-local-componentfindings when production JSX renders generic raw controls such as<button>or text-like<input>while a project-owned primitive already exists; specialized inputs such as file, hidden, checkbox, radio, color, range, and DropzonegetInputProps()controls are not treated as genericInputdrift - project audits emit behavior-obligation findings when accepted
.decantr/local-patterns.jsonpatterns declarebehavior_obligationsand production source strongly violates statically checkable dialog/form obligations:A11Y010/restore-dialog-accessible-nameA11Y011/restore-label-associationINT010/restore-visible-consequence-copyINT011/restore-cancel-affordanceINT012/restore-submitting-guardINT013/set-explicit-button-typeCOMP020/use-project-owned-interaction-primitive
- project audits emit
TOKEN010/replace-arbitrary-style-with-bridge-tokenfindings when an accepted.decantr/style-bridge.jsonexists and production JSX uses arbitrary Tailwind values such asbg-[#0f172a], values insidecn(),clsx(),classnames(),cva(), andtv()calls, hardcoded inline color styles such asstyle={{ backgroundColor: "#0f172a" }}, or hardcoded visual values in production CSS/module stylesheets - published verifier report schemas are exercised by AJV-backed round-trip tests against real audit, critique, and shortlist-report outputs
- project audits include runtime evidence when a built
dist/output is present:- root document, including semantic static app roots for generic static apps
- document title
- document
langandviewportmetadata - emitted assets
- route-document coverage
- built asset byte budgets for JS, CSS, and total payload
- auth-topology warnings when the essence declares authentication without clear gateway or entry routes
Example
import {
auditProject,
createContractAssertions,
createEvidenceBundle,
critiqueFile,
scanProject,
type ProjectHealthReport,
} from '@decantr/verifier';
const scan = await scanProject(process.cwd());
const audit = await auditProject(process.cwd());
const assertions = createContractAssertions(process.cwd(), audit);
const critique = await critiqueFile('./src/pages/overview.tsx', process.cwd());
function isBlocking(report: ProjectHealthReport) {
return report.status === 'error';
}Schema Exports
@decantr/verifier/schema/verification-report.common.v1.json@decantr/verifier/schema/verification-report.common.v2.json@decantr/verifier/schema/project-audit-report.v1.json@decantr/verifier/schema/project-health-report.v1.json@decantr/verifier/schema/project-health-report.v2.json@decantr/verifier/schema/decantr-ci-report.v1.json@decantr/verifier/schema/decantr-ci-report.v2.json@decantr/verifier/schema/evidence-bundle.v1.json@decantr/verifier/schema/evidence-bundle.v2.json@decantr/verifier/schema/runtime-probe-payload.v2.json@decantr/verifier/schema/authority-resolution.v2.json@decantr/verifier/schema/loop-readiness.v2.json@decantr/verifier/schema/proof-field-report.v2.json@decantr/verifier/schema/scan-report.v1.json@decantr/verifier/schema/workspace-health-report.v1.json@decantr/verifier/schema/workspace-health-report.v2.json@decantr/verifier/schema/file-critique-report.v1.json@decantr/verifier/schema/showcase-shortlist-report.v1.json
The v2 schema assets are the active Decantr 3.5 contracts for Project Health, CI, Workspace Health, Evidence Bundles, runtime probes, authority resolution, loop readiness, and proof field reports. v1 health/evidence schemas remain published for stored-artifact compatibility; audit, scan, file-critique, and showcase reports remain v1 until those wires need to change. See Report Schemas.
Security And Permissions
The verifier is a local library. It reads selected project source, Decantr context, read-only scan files, and built dist/.next output when callers request project or runtime audits. scanProject() returns relative evidence and does not write artifacts, install dependencies, build projects, execute scripts, or open pull requests. probePublishedSite() fetches HTML metadata over HTTP(S) only and does not execute JavaScript or capture screenshots. Built-output runtime audit starts a temporary loopback static server and fetches from that local server. The verifier does not write files, spawn processes, emit telemetry, or upload source by itself. See security permissions.
Compatibility
@decantr/verifier is stable in the Decantr 3 line for the documented verifier APIs and published report-schema assets.
- new checks and additive report fields may appear in compatible releases
- report-shape changes are versioned through explicit
$schemaURLs - hosted, CLI, MCP, and Studio consumers should treat the published schemas as the supported contract surface
License
MIT