Verification (canonical gate)
May 4, 2026 · View on GitHub
All merge-gated ordering lives in scripts/verification-truth.mjs, which loads schemas/ci/verification-truth.manifest.json and runs regeneration, git diff, structural checks, Postgres-backed distribution steps, then the journey tail in scripts/verification-truth-stages.mjs.
Integrator-facing execution semantics (CLI receipts, identity pin, compose replay): verification-execution-ssot.md.
package.json exposes npm run verification:truth (and npm test / npm run test:ci as identical aliases); no raw test/…/*.mjs paths are embedded in package.json scripts (see test/no-handrolled-node-test-lists.mjs).
Commands
| Command | Meaning |
|---|---|
npm run verification:truth | Full gate (same as npm test and npm run test:ci) |
npm run verification:truth:local | Same full gate, after loading website/.env via dotenv-cli (use this from repo root when DB URLs are only in that file; do not copy secrets to a root .env) |
npm run test:node:sqlite | Quick SQLite node:test batch after npm run build |
npm run test:postgres | Postgres node:test batch with scripts/pg-ci-init.mjs |
npm run test:workflow-truth-contract | Run CI workflow-truth postgres contract file only |
npm run conformance:all | Build TS/Python conformance artifacts, canonicalize, parity-check, and compute capability states |
npm run conformance:gate | Enforce supported-scope 100% behavior + scenario-shape gates |
npm run docs:check:capabilities | Assert generated capability matrix is up to date in docs |
Decision-readiness website-only Vitest: run from repo root (example):
npm run test:vitest -w agentskeptic-web -- __tests__/… with modules listed in website/__tests__/decision-readiness-gate.modules.json (see that JSON for the exact file set).
node --test file membership is the single registry in test/suites.mjs. Website Vitest file lists for the CI gate are JSON next to the website tests: website/__tests__/ci-website-gate.modules.json (read by verification-truth-stages.mjs).
GitHub Actions
../.github/workflows/ci.yml runs on every push and PR (no path filters). The verification job runs npm run verification:truth once (after checkout, Postgres env, LangGraph oracle fixture npm ci, and setup); replay_verification_truth reruns that gate inside Docker Compose (npm run replay:verification). The same workflow also runs CodeQL, Python (pytest, timed smoke, Docker), PR-only Conventional Commits and release preview, and main-only Vercel production after those jobs succeed.
Postgres env for the gate: POSTGRES_ADMIN_URL, POSTGRES_VERIFICATION_URL, DATABASE_URL, and TELEMETRY_DATABASE_URL (see ci.yml and README). CI sets these on the runner. Locally, if you keep DATABASE_URL / TELEMETRY_DATABASE_URL only in website/.env, run npm run verification:truth:local from the repo root so that file is loaded before the canonical npm run verification:truth (do not copy website/.env to a root .env).
Audiences
- Engineer: add a new
test/*.test.mjsby editingtest/suites.mjs(sqlite or postgres) sotest/suite-coverage.mjspasses. - Integrator / operator: use the table above; use
docs/core-database-boundary.mdfor website DB split in CI. - Reviewer: ensure
package.jsonscripts never reintroducetest/…/*.mjsfragments.