feat(P04): verification intelligence — git-native coverage, npm audit, TS compilation

---ci---
project: ci
phase: 4
milestone: v0.5
status: complete
decisions:
  - id: D-028
    decision: Phase 4 Verification Intelligence complete
    rationale: All INTEL requirements covered; 31 suites, 355 tests
    confidence: 0.95
    alternatives: []
requirements:
  covered: [INTEL-01, INTEL-02, INTEL-03]
---/ci---

src/verification/behavioral.ts

@@ -27,6 +27,7 @@ export class BehavioralVerification extends VerificationLayer {
     checks.push(this.checkSpecificationRequirements(projectPath));
     checks.push(this.checkPlanMustHaves(projectPath, phase));
     checks.push(this.checkCodeHasExports(projectPath));
+    checks.push(this.checkRequirementTestCoverage(projectPath));
 
     const passed = checks.every((c) => c.status !== "fail");
     return {
@@ -219,6 +220,98 @@ export class BehavioralVerification extends VerificationLayer {
     );
   }
 
+  private checkRequirementTestCoverage(projectPath: string): VerificationCheck {
+    const isGitRepo = fs.existsSync(path.join(projectPath, ".git"));
+    if (!isGitRepo) {
+      return this.check(
+        "Requirement test coverage via git log",
+        "skipped",
+        "Not a git repository — cannot check requirement coverage from commit history"
+      );
+    }
+
+    try {
+      const raw = execSync(
+        `git log --all --max-count=100 --format="%B%x01"`,
+        { cwd: projectPath, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 }
+      );
+
+      const coveredReqs = new Set<string>();
+      const ciBlockRegex = /---ci---[\s\S]*?---\/ci---/g;
+      const entries = raw.split("\x01").filter(Boolean);
+
+      for (const entry of entries) {
+        let match;
+        while ((match = ciBlockRegex.exec(entry)) !== null) {
+          const reqMatch = match[0].match(/covered:\s*\[([^\]]*)\]/);
+          if (reqMatch) {
+            const reqs = reqMatch[1].split(",").map((r: string) => r.trim().replace(/['"]/g, "")).filter(Boolean);
+            for (const req of reqs) coveredReqs.add(req);
+          }
+        }
+        ciBlockRegex.lastIndex = 0;
+      }
+
+      const reqPath = path.join(projectPath, ".ci", "REQUIREMENTS.md");
+      if (!fs.existsSync(reqPath)) {
+        return this.check(
+          "Requirement test coverage via git log",
+          "skipped",
+          "No REQUIREMENTS.md found to check coverage against"
+        );
+      }
+
+      const content = fs.readFileSync(reqPath, "utf-8");
+      const allReqs = content
+        .split("\n")
+        .filter((line) => /^\|.*\|.*\|.*\|/.test(line) && !line.includes("REQ-ID") && !line.includes("---"))
+        .map((line) => {
+          const cols = line.split("|").map((c) => c.trim()).filter(Boolean);
+          return cols.length >= 1 ? cols[0] : "";
+        })
+        .filter(Boolean);
+
+      if (allReqs.length === 0) {
+        return this.check(
+          "Requirement test coverage via git log",
+          "skipped",
+          "No requirements with REQ-IDs found in REQUIREMENTS.md"
+        );
+      }
+
+      const covered = allReqs.filter((r) => coveredReqs.has(r));
+      const coveragePct = Math.round((covered.length / allReqs.length) * 100);
+
+      if (coveragePct >= 80) {
+        return this.check(
+          "Requirement test coverage via git log",
+          "pass",
+          `${covered.length}/${allReqs.length} requirements covered (${coveragePct}%)`
+        );
+      }
+
+      if (coveragePct >= 50) {
+        return this.check(
+          "Requirement test coverage via git log",
+          "warning",
+          `${covered.length}/${allReqs.length} requirements covered (${coveragePct}%) — target ≥80%`
+        );
+      }
+
+      return this.check(
+        "Requirement test coverage via git log",
+        "warning",
+        `${covered.length}/${allReqs.length} requirements covered (${coveragePct}%) — significant gaps`
+      );
+    } catch {
+      return this.check(
+        "Requirement test coverage via git log",
+        "skipped",
+        "Could not read git log for requirement coverage"
+      );
+    }
+  }
+
   private checkCodeHasExports(projectPath: string): VerificationCheck {
     const srcDir = path.join(projectPath, "src");
     if (!fs.existsSync(srcDir)) {

src/verification/quality.ts

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { execSync } from "node:child_process";
 import { VerificationLayer, VerificationResult, VerificationCheck } from "./types.js";
 
 interface CodeFinding {
@@ -66,6 +67,7 @@ export class QualityVerification extends VerificationLayer {
     checks.push(this.checkP2P3Findings(p2p3Findings));
     checks.push(this.checkTypeScriptStrictness(projectPath));
     checks.push(this.checkConsistentNaming(projectPath));
+    checks.push(this.checkTypeScriptCompilation(projectPath));
 
     const hasP0Fail = p0Findings.length > 3;
     const passed = !hasP0Fail;
@@ -226,6 +228,32 @@ export class QualityVerification extends VerificationLayer {
     );
   }
 
+  private checkTypeScriptCompilation(projectPath: string): VerificationCheck {
+    const tsconfigPath = path.join(projectPath, "tsconfig.json");
+    if (!fs.existsSync(tsconfigPath)) {
+      return this.check("TypeScript compilation", "skipped", "No tsconfig.json found");
+    }
+
+    try {
+      execSync("npx tsc --noEmit 2>&1", {
+        cwd: projectPath,
+        encoding: "utf-8",
+        timeout: 60000,
+        stdio: ["pipe", "pipe", "pipe"],
+      });
+      return this.check("TypeScript compilation", "pass", "TypeScript compiles without errors");
+    } catch (err) {
+      const execErr = err as { stdout?: string };
+      const output = execErr.stdout || "";
+      const errorCount = (output.match(/error TS/g) || []).length;
+      return this.check(
+        "TypeScript compilation",
+        errorCount > 5 ? "fail" : "warning",
+        `${errorCount} TypeScript compilation error(s)`
+      );
+    }
+  }
+
   private collectFiles(dir: string, files: string[]): void {
     const entries = fs.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {

src/verification/security.ts

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { execSync } from "node:child_process";
 import { VerificationLayer, VerificationResult, VerificationCheck } from "./types.js";
 
 interface ThreatEntry {
@@ -250,24 +251,80 @@ export class SecurityVerification extends VerificationLayer {
   }
 
   private checkDependencyVulnerabilities(projectPath: string): VerificationCheck {
-    const packageLockPath = path.join(projectPath, "package-lock.json");
-    if (!fs.existsSync(packageLockPath)) {
-      return this.check(
-        "Dependency audit",
-        "skipped",
-        "No package-lock.json found — cannot audit dependencies"
-      );
-    }
-
     const packageJsonPath = path.join(projectPath, "package.json");
     if (!fs.existsSync(packageJsonPath)) {
       return this.check("Dependency audit", "skipped", "No package.json found");
     }
 
-    return this.check(
-      "Dependency audit",
-      "pass",
-      "Dependency structure available for audit (run `npm audit` for full check)"
-    );
+    try {
+      const result = execSync("npm audit --json 2>/dev/null", {
+        cwd: projectPath,
+        encoding: "utf-8",
+        timeout: 30000,
+        stdio: ["pipe", "pipe", "pipe"],
+      });
+      const audit = JSON.parse(result);
+      const vulnerabilities = audit.metadata?.vulnerabilities || {};
+      const high = vulnerabilities.high || 0;
+      const critical = vulnerabilities.critical || 0;
+      const medium = vulnerabilities.moderate || 0;
+      const low = vulnerabilities.low || 0;
+      const total = high + critical + medium + low;
+
+      if (total === 0) {
+        return this.check("Dependency audit", "pass", "No known vulnerabilities in dependencies");
+      }
+
+      if (critical > 0 || high > 0) {
+        return this.check(
+          "Dependency audit",
+          "fail",
+          `${total} vulnerabilities (critical: ${critical}, high: ${high}, medium: ${medium}, low: ${low})`
+        );
+      }
+
+      return this.check(
+        "Dependency audit",
+        "warning",
+        `${total} vulnerabilities (medium: ${medium}, low: ${low}) — no critical/high`
+      );
+    } catch (err) {
+      const output = (err as { stdout?: string }).stdout;
+      if (output) {
+        try {
+          const audit = JSON.parse(output);
+          const vulnerabilities = audit.metadata?.vulnerabilities || {};
+          const high = vulnerabilities.high || 0;
+          const critical = vulnerabilities.critical || 0;
+          const medium = vulnerabilities.moderate || 0;
+          const low = vulnerabilities.low || 0;
+          const total = high + critical + medium + low;
+
+          if (total === 0) {
+            return this.check("Dependency audit", "pass", "No known vulnerabilities in dependencies");
+          }
+
+          if (critical > 0 || high > 0) {
+            return this.check(
+              "Dependency audit",
+              "fail",
+              `${total} vulnerabilities (critical: ${critical}, high: ${high}, medium: ${medium}, low: ${low})`
+            );
+          }
+
+          return this.check(
+            "Dependency audit",
+            "warning",
+            `${total} vulnerabilities (medium: ${medium}, low: ${low}) — no critical/high`
+          );
+        } catch {}
+      }
+
+      return this.check(
+        "Dependency audit",
+        "skipped",
+        "npm audit not available — run manually for full check"
+      );
+    }
   }
 }