
Security News
Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Music Scraping
A Shai-Hulud infection exposed Suno's source code, which shows the AI music startup stream-ripped tracks to train its models.
@czap/gauntlet
Advanced tools
The rigor engine behind LiteShip's release gates: define quality gates that report findings and earn blocking power only by proving themselves against their own fixtures.
The self-proving, extendable rigor engine — gates, findings, assurance levels (L0–L4), the authority ratchet, and defineFactGate (evidence-bound gates). It is the contract every LiteShip fitness function speaks, and the one a downstream project extends.
You usually don't run this directly — it arrives via
czap checkin @czap/cli, which builds the repo-IR and runs LiteShip's gates for you. Install it directly only to author and compose your own gates.
pnpm add @czap/gauntlet
No effect, no typescript — the engine is deliberately lean. It defines the RepoIR type but never parses; the heavy oracles are host-injected (that work lives in @czap/audit, which depends on the gauntlet, not the reverse).
import { defineGate, finding, memoryContext, runGates } from '@czap/gauntlet';
// A gate is (context) => Finding[]. It ships its own red/green/mutation
// fixtures — that is how it EARNS blocking authority instead of being granted it.
const noFixme = defineGate({
id: 'no-fixme',
level: 'L2',
describe: 'No FIXME left in source.',
run: (ctx) =>
ctx.files()
.filter((f) => ctx.readFile(f)?.includes('FIXME'))
.map((f) => finding({ ruleId: 'no-fixme', severity: 'error', level: 'L2', title: 'FIXME found', detail: `${f} still carries a FIXME.`, location: { file: f } })),
fixtures: {
red: { name: 'has-fixme', context: memoryContext({ 'a.ts': '// FIXME later' }) },
green: { name: 'clean', context: memoryContext({ 'a.ts': 'export const x = 1;' }) },
mutation: { describe: 'never flags', mutate: (g) => ({ ...g, run: () => [] }) },
},
});
const result = runGates([noFixme], memoryContext({ 'src/app.ts': '// FIXME' }));
console.log(result.blocked); // true — the gate self-proved, so its error blocks
console.log(result.findings[0].detail);
runGates first verifies each gate against its own fixtures: the red must flag, the green must pass clean, and the mutation must break one of them. A gate that proves itself blocks; one that can't is demoted to advisory and runs anyway. Compose your own gates alongside LITESHIP_GATES — the same ratchet qualifies all of them.
This is the floor of LiteShip's rigor stack. It owns the vocabulary — Finding, AssuranceLevel, Gate, Waiver, RepoIR — and the engine that runs and qualifies gates. Its only @czap dependency is @czap/error, whose tagged failures project to Findings via fromError. It carries no parser by design: a Gate reads the world only through GateContext, so the same gate runs against a memoryContext fixture and against the real repo unchanged. @czap/audit builds the triangulated RepoIR and the AST oracles and injects them; @czap/cli hosts the run. For the gate-as-data variant whose decision is bounded to a declared FactBundle, see defineFactGate. See the package surfaces map for the full layout.
The authority ratchet is the usual surprise: a gate whose findings stay advisory has not self-proven. Check its fixtures — the red must produce at least one finding, the green must produce none, and the mutation must make one of those fail. A gate that can't demonstrate catching its own target is advisory forever, on purpose.
Part of LiteShip — powered by the CZAP engine (Content-Zoned Adaptive Projection), distributed as @czap/* packages.
FAQs
The rigor engine behind LiteShip's release gates: define quality gates that report findings and earn blocking power only by proving themselves against their own fixtures.
We found that @czap/gauntlet demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
A Shai-Hulud infection exposed Suno's source code, which shows the AI music startup stream-ripped tracks to train its models.

Security News
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.