@boshu2/vibe-check 2.2.0 → 2.3.0

package/.beads/config.yaml

@@ -0,0 +1,62 @@
+# Beads Configuration File
+# This file configures default behavior for all bd commands in this repository
+# All settings can also be set via environment variables (BD_* prefix)
+# or overridden with command-line flags
+
+# Issue prefix for this repository (used by bd init)
+# If not set, bd init will auto-detect from directory name
+# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
+# issue-prefix: ""
+
+# Use no-db mode: load from JSONL, no SQLite, write back after each command
+# When true, bd will use .beads/issues.jsonl as the source of truth
+# instead of SQLite database
+# no-db: false
+
+# Disable daemon for RPC communication (forces direct database access)
+# no-daemon: false
+
+# Disable auto-flush of database to JSONL after mutations
+# no-auto-flush: false
+
+# Disable auto-import from JSONL when it's newer than database
+# no-auto-import: false
+
+# Enable JSON output by default
+# json: false
+
+# Default actor for audit trails (overridden by BD_ACTOR or --actor)
+# actor: ""
+
+# Path to database (overridden by BEADS_DB or --db)
+# db: ""
+
+# Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)
+# auto-start-daemon: true
+
+# Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)
+# flush-debounce: "5s"
+
+# Git branch for beads commits (bd sync will commit to this branch)
+# IMPORTANT: Set this for team projects so all clones use the same sync branch.
+# This setting persists across clones (unlike database config which is gitignored).
+# Can also use BEADS_SYNC_BRANCH env var for local override.
+# If not set, bd sync will require you to run 'bd config set sync.branch <branch>'.
+# sync-branch: "beads-sync"
+
+# Multi-repo configuration (experimental - bd-307)
+# Allows hydrating from multiple repositories and routing writes to the correct JSONL
+# repos:
+#   primary: "."  # Primary repo (where this database lives)
+#   additional:   # Additional repos to hydrate from (read-only)
+#     - ~/beads-planning  # Personal planning repo
+#     - ~/work-planning   # Work planning repo
+
+# Integration settings (access with 'bd config get/set')
+# These are stored in the database, not in this file:
+# - jira.url
+# - jira.project
+# - linear.url
+# - linear.api-key
+# - github.org
+# - github.repo

package/.beads/issues.jsonl

@@ -0,0 +1,9 @@
+{"id":"vibe-check-263","title":"Session end AI safety integration","description":"Integrate AI safety analysis into session end command. Add ai_safety section to JSON output. Show warnings in terminal output with recommendations.","status":"closed","priority":1,"issue_type":"feature","created_at":"2025-12-28T12:07:22.458246-05:00","created_by":"fullerbt","updated_at":"2025-12-28T12:32:10.15324-05:00","closed_at":"2025-12-28T12:32:10.15324-05:00","close_reason":"Completed: AI safety integrated into session end. JSON output includes ai_safety section. Terminal shows warnings and recommendations. Follows inner-loop pattern.","dependencies":[{"issue_id":"vibe-check-263","depends_on_id":"vibe-check-swh","type":"blocks","created_at":"2025-12-28T12:07:42.272223-05:00","created_by":"daemon"}],"comments":[{"id":6,"issue_id":"vibe-check-263","author":"fullerbt","text":"✅ Implementation complete:\n\nUpdated src/commands/session.ts:\n- Imported analyzeAISafety and formatAISafetyAnalysis from ai-safety module\n- Added ai_safety field to SessionMetricsOutput interface\n- Integrated AI safety analysis in runSessionEnd() (parallel with inner-loop)\n- Added ai_safety section to JSON output with:\n  - health: 'healthy' | 'warning' | 'critical'\n  - issues_detected, secrets_leaked, scope_violations counts\n  - contract_drift_detected, token_spiral_detected booleans\n  - recommendations array\n- Added terminal output showing:\n  - Health status with emoji (🚨/⚠️/✅)\n  - Individual detector messages (🔐/🎯/📉/💥)\n  - Top 3 recommendations\n- Follows exact same pattern as inner-loop integration\n\nTesting:\n- Build passes ✅\n- Session start/end commands work ✅\n- JSON output structure confirmed (no commits = expected behavior)","created_at":"2025-12-28T17:32:04Z"}]}
+{"id":"vibe-check-56v","title":"Contract drift detector","description":"Track commit message format compliance over time. Detect degradation from conventional commits. Report drift percentage and trend. Warning at \u003e30% drift.","status":"closed","priority":2,"issue_type":"feature","created_at":"2025-12-28T12:07:24.054553-05:00","created_by":"fullerbt","updated_at":"2025-12-28T13:21:58.451526-05:00","closed_at":"2025-12-28T13:21:58.451526-05:00","close_reason":"Contract drift detector with compliance scoring and trend detection","dependencies":[{"issue_id":"vibe-check-56v","depends_on_id":"vibe-check-ash","type":"blocks","created_at":"2025-12-28T12:07:42.336535-05:00","created_by":"daemon"}]}
+{"id":"vibe-check-5s1","title":"Scope violation detector","description":"Detect commits touching files outside declared scope. Support scope config via .vibe-check/scope.yaml. Use glob patterns. Warning severity.","status":"closed","priority":2,"issue_type":"feature","created_at":"2025-12-28T12:07:23.888845-05:00","created_by":"fullerbt","updated_at":"2025-12-28T13:15:03.887086-05:00","closed_at":"2025-12-28T13:15:03.887086-05:00","close_reason":"Scope violation detector with YAML config and glob matching","dependencies":[{"issue_id":"vibe-check-5s1","depends_on_id":"vibe-check-ash","type":"blocks","created_at":"2025-12-28T12:07:42.3013-05:00","created_by":"daemon"}]}
+{"id":"vibe-check-ash","title":"AI Safety types and orchestrator","description":"Create src/ai-safety/types.ts and src/ai-safety/index.ts. Define AISafetyAnalysis interface matching inner-loop pattern. Foundation for all other detectors.","status":"closed","priority":0,"issue_type":"feature","created_at":"2025-12-28T12:07:20.710124-05:00","created_by":"fullerbt","updated_at":"2025-12-28T12:12:30.564652-05:00","closed_at":"2025-12-28T12:12:30.564652-05:00","close_reason":"Completed: AI Safety types and orchestrator foundation. Created types.ts with all interfaces and index.ts with orchestrator following inner-loop pattern. Build passes.","dependencies":[{"issue_id":"vibe-check-ash","depends_on_id":"vibe-check-lqb","type":"blocks","created_at":"2025-12-28T12:07:42.213339-05:00","created_by":"daemon"}],"comments":[{"id":2,"issue_id":"vibe-check-ash","author":"fullerbt","text":"Files to create:\n- src/ai-safety/types.ts\n- src/ai-safety/index.ts\n\nPattern: Follow src/inner-loop/ structure exactly","created_at":"2025-12-28T17:07:57Z"},{"id":4,"issue_id":"vibe-check-ash","author":"fullerbt","text":"✅ Implementation complete:\n\nCreated src/ai-safety/types.ts:\n- AISafetyAnalysis interface (matches inner-loop pattern)\n- 4 detector result types: SecretLeakageResult, ScopeViolationResult, ContractDriftResult, TokenSpiralResult\n- Config types with DEFAULT_AI_SAFETY_CONFIG\n- SECRET_PATTERNS constants for 8 secret types\n\nCreated src/ai-safety/index.ts:\n- analyzeAISafety() orchestrator function\n- generateRecommendations() helper\n- quickAISafetyCheck() fast check function\n- formatAISafetyAnalysis() terminal output formatter\n- Stub implementations for all detectors (to be filled by dependent issues)\n\nBuild verified: npm run build passes ✅","created_at":"2025-12-28T17:12:18Z"}]}
+{"id":"vibe-check-gon","title":"Token spiral estimator","description":"Estimate token usage from commit size (~4 chars/token). Track cumulative session tokens. Detect explosion patterns (\u003e2x baseline). Advisory info severity.","status":"closed","priority":3,"issue_type":"feature","created_at":"2025-12-28T12:07:25.111778-05:00","created_by":"fullerbt","updated_at":"2025-12-28T13:27:24.916118-05:00","closed_at":"2025-12-28T13:27:24.916118-05:00","close_reason":"Token spiral estimator with 3 estimation methods and explosion detection","dependencies":[{"issue_id":"vibe-check-gon","depends_on_id":"vibe-check-ash","type":"blocks","created_at":"2025-12-28T12:07:42.370654-05:00","created_by":"daemon"}]}
+{"id":"vibe-check-gy2","title":"Watch command AI safety integration","description":"Add real-time secret detection alerts to watch mode. Red/bold for critical. Show file and pattern matched. Rate-limited alerts.","status":"closed","priority":2,"issue_type":"feature","created_at":"2025-12-28T12:07:26.399789-05:00","created_by":"fullerbt","updated_at":"2025-12-28T13:08:55.854894-05:00","closed_at":"2025-12-28T13:08:55.854894-05:00","close_reason":"Watch mode now detects secrets in real-time with rate-limited alerts","dependencies":[{"issue_id":"vibe-check-gy2","depends_on_id":"vibe-check-swh","type":"blocks","created_at":"2025-12-28T12:07:42.399267-05:00","created_by":"daemon"}]}
+{"id":"vibe-check-lqb","title":"Epic: AI Safety Detection Module","status":"closed","priority":1,"issue_type":"epic","created_at":"2025-12-28T12:07:01.674933-05:00","created_by":"fullerbt","updated_at":"2025-12-28T12:08:14.746447-05:00","closed_at":"2025-12-28T12:08:14.746447-05:00","close_reason":"Epic container - work tracked in child issues","comments":[{"id":1,"issue_id":"vibe-check-lqb","author":"fullerbt","text":"Research: .agents/research/2025-12-28-ai-platform-security-integration.md\nPlan: .agents/plans/2025-12-28-ai-safety-integration-plan.md\nSource patterns: ai-platform/tests/agents/test_agent_security.py","created_at":"2025-12-28T17:07:56Z"}]}
+{"id":"vibe-check-swh","title":"Secret leakage detector","description":"Detect exposed secrets in commit diffs: OpenAI keys, GitHub PATs, GitLab PATs, AWS keys, Slack tokens. Port patterns from ai-platform test_agent_security.py. Critical severity.","status":"closed","priority":1,"issue_type":"feature","created_at":"2025-12-28T12:07:21.42346-05:00","created_by":"fullerbt","updated_at":"2025-12-28T12:18:57.212488-05:00","closed_at":"2025-12-28T12:18:57.212488-05:00","close_reason":"Completed: Secret leakage detector with 8 pattern types. Detects OpenAI, GitHub, GitLab, AWS, Slack tokens. Masks secrets, extracts file context. Tested and working.","dependencies":[{"issue_id":"vibe-check-swh","depends_on_id":"vibe-check-ash","type":"blocks","created_at":"2025-12-28T12:07:42.242965-05:00","created_by":"daemon"}],"comments":[{"id":3,"issue_id":"vibe-check-swh","author":"fullerbt","text":"Secret patterns to detect:\n- sk-[a-zA-Z0-9]{48} (OpenAI)\n- ghp_[a-zA-Z0-9]{36} (GitHub PAT)\n- glpat-[a-zA-Z0-9]{20} (GitLab PAT)\n- AKIA[0-9A-Z]{16} (AWS)\n- xox[baprs]-* (Slack)\n\nSource: ai-platform/tests/agents/test_agent_security.py:297-306","created_at":"2025-12-28T17:07:58Z"},{"id":5,"issue_id":"vibe-check-swh","author":"fullerbt","text":"✅ Implementation complete:\n\nCreated src/ai-safety/secret-leakage.ts:\n- detectSecretLeakage() - Async version that scans full commit diffs using simple-git\n- detectSecretLeakageFromMessages() - Sync version that scans commit messages only\n- Detects 8 secret patterns: OpenAI, GitHub PAT, GitLab PAT, AWS, Slack, Generic API keys, Secrets, Passwords\n- Masks secrets (shows first 8 chars + ***)\n- Extracts file context from diffs\n- Determines severity (critical vs warning)\n\nUpdated src/ai-safety/index.ts:\n- Imported and wired detectSecretLeakageFromMessages into orchestrator\n- Re-exported detector functions for external use\n- Replaced stub with real implementation\n\nTesting:\n- Build passes ✅\n- Verified with sample commit containing OpenAI key\n- Correctly detected, masked (sk-12345***), and marked as critical\n- Message-based detection working (1 secret found)","created_at":"2025-12-28T17:18:42Z"}]}
+{"id":"vibe-check-vn7","title":"AI Safety tests and documentation","description":"Unit tests for each detector, integration test for orchestrator. Update CLAUDE.md and README.md with AI safety features. Target \u003e80% coverage.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-28T12:07:26.586099-05:00","created_by":"fullerbt","updated_at":"2025-12-28T13:35:48.191735-05:00","closed_at":"2025-12-28T13:35:48.191735-05:00","close_reason":"31 tests + documentation for AI Safety module","dependencies":[{"issue_id":"vibe-check-vn7","depends_on_id":"vibe-check-gon","type":"blocks","created_at":"2025-12-28T12:07:42.428834-05:00","created_by":"daemon"}]}

package/.beads/metadata.json

@@ -0,0 +1,4 @@
+{
+  "database": "beads.db",
+  "jsonl_export": "issues.jsonl"
+}

package/.gitattributes

@@ -0,0 +1,3 @@
+
+# Use bd merge for beads JSONL files
+.beads/issues.jsonl merge=beads

package/AGENTS.md

@@ -0,0 +1,40 @@
+# Agent Instructions
+
+This project uses **bd** (beads) for issue tracking. Run `bd onboard` to get started.
+
+## Quick Reference
+
+```bash
+bd ready              # Find available work
+bd show <id>          # View issue details
+bd update <id> --status in_progress  # Claim work
+bd close <id>         # Complete work
+bd sync               # Sync with git
+```
+
+## Landing the Plane (Session Completion)
+
+**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
+
+**MANDATORY WORKFLOW:**
+
+1. **File issues for remaining work** - Create issues for anything that needs follow-up
+2. **Run quality gates** (if code changed) - Tests, linters, builds
+3. **Update issue status** - Close finished work, update in-progress items
+4. **PUSH TO REMOTE** - This is MANDATORY:
+   ```bash
+   git pull --rebase
+   bd sync
+   git push
+   git status  # MUST show "up to date with origin"
+   ```
+5. **Clean up** - Clear stashes, prune remote branches
+6. **Verify** - All changes committed AND pushed
+7. **Hand off** - Provide context for next session
+
+**CRITICAL RULES:**
+- Work is NOT complete until `git push` succeeds
+- NEVER stop before pushing - that leaves work stranded locally
+- NEVER say "ready to push when you are" - YOU must push
+- If push fails, resolve and retry until it succeeds
+

package/CHANGELOG.md

@@ -7,7 +7,49 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [2.2.0] - 2025-12-27
+## [2.3.0] - 2025-12-28
+
+### Added
+
+- **AI Safety Detection Module** - Detects LLM-specific security antipatterns in commit history
+  - **Secret Leakage Detector** - Scans commits for exposed credentials
+    - 8 patterns: OpenAI API keys, GitHub PATs, GitLab PATs, AWS keys, Slack tokens, generic secrets
+    - Two modes: full diff scanning (async) and message-only scanning (sync)
+    - Masks secrets in output (first 8 chars + `***`)
+    - Critical severity for high-value secrets (API keys, tokens)
+  - **Scope Violation Detector** - Detects files modified outside declared scope
+    - Configure via `.vibe-check/scope.yaml` with glob patterns
+    - Supports allowed patterns, directories, and exceptions
+    - Uses minimatch for flexible pattern matching
+  - **Contract Drift Detector** - Tracks commit message format compliance
+    - Scores commits against conventional commit format (0-100)
+    - Detects issues: missing_type, invalid_type, vague_message, too_short, etc.
+    - Calculates baseline vs current compliance with trend detection
+    - Configurable drift threshold (default: 30%)
+  - **Token Spiral Estimator** - Estimates token usage and detects explosions
+    - Three estimation methods: char_count, lines, diff_size
+    - Baseline from first 5 commits, explosion at >2x baseline
+    - Indicators: large_diff, many_files, massive_additions, bulk_additions
+
+- **Watch Mode Integration** - Real-time secret detection with severity-based alerts
+  - Rate-limited alerts via commit:pattern:file tracking
+  - Red/bold for critical secrets, yellow for warnings
+
+- **Session Integration** - AI Safety included in session end metrics
+  - New `ai_safety` section in JSON output
+  - Terminal output with health status and recommendations
+
+### Changed
+
+- `analyzeAISafety()` orchestrator runs all 4 detectors and aggregates results
+- Added `minimatch` and `js-yaml` dependencies for scope configuration
+
+### Developer
+
+- 31 new unit and integration tests for AI Safety module
+- Updated CLAUDE.md with AI Safety documentation and architecture
+
+## [2.2.1] - 2025-12-27
 
 ### Added
 

package/CLAUDE.md

@@ -169,6 +169,13 @@ src/
 │   ├── context-amnesia.ts      # Context Amnesia detector
 │   ├── instruction-drift.ts    # Instruction Drift detector
 │   └── logging-only.ts         # Debug Loop Spiral detector
+├── ai-safety/
+│   ├── index.ts           # AI Safety orchestrator
+│   ├── types.ts           # AI Safety types and config
+│   ├── secret-leakage.ts  # Secret/credential detection
+│   ├── scope-violation.ts # Scope boundary detection
+│   ├── contract-drift.ts  # Commit format compliance
+│   └── token-spiral.ts    # Token usage estimation
 ├── analyzers/
 │   ├── audit.ts           # Codebase audit (monoliths, test gaps, TODOs)
 │   ├── eldritch.ts        # Eldritch horror detector (oversized functions)
@@ -337,6 +344,74 @@ EMERGENCY PROTOCOL: Multiple inner loop failures detected.
 STOP → git status → backup → start simple
 ```
 
+## AI Safety Detection
+
+vibe-check detects LLM-specific security antipatterns in commit history:
+
+| Detector | Detects | Severity |
+|----------|---------|----------|
+| **Secret Leakage** | API keys, tokens, credentials in commits | Critical |
+| **Scope Violation** | Files modified outside declared scope | Warning |
+| **Contract Drift** | Commit message format degrading | Warning |
+| **Token Spiral** | Token usage explosion (>2x baseline) | Advisory |
+
+### Secret Patterns Detected
+
+- OpenAI API Keys (`sk-...`)
+- GitHub Personal Access Tokens (`ghp_...`)
+- GitLab Personal Access Tokens (`glpat-...`)
+- AWS Access Keys (`AKIA...`)
+- Slack Tokens (`xox...`)
+- Generic API keys and passwords
+
+### Scope Configuration
+
+Define allowed scope in `.vibe-check/scope.yaml`:
+
+```yaml
+scope:
+  allowed_patterns:
+    - "src/feature/**"
+    - "tests/feature/**"
+  allowed_dirs:
+    - "src/feature"
+  description: "Only modify feature module"
+exceptions:
+  - "package.json"
+  - "*.md"
+```
+
+### Integration Points
+
+**Session End Output:**
+```json
+{
+  "ai_safety": {
+    "health": "healthy",
+    "issues_detected": 0,
+    "secrets_leaked": 0,
+    "scope_violations": 0,
+    "contract_drift_detected": false,
+    "token_spiral_detected": false,
+    "recommendations": []
+  }
+}
+```
+
+**Watch Mode:** Real-time secret detection with severity-based alerts.
+
+### Architecture
+
+```
+src/ai-safety/
+├── index.ts           # Orchestrator and exports
+├── types.ts           # Types, patterns, config
+├── secret-leakage.ts  # Secret/credential detection
+├── scope-violation.ts # Scope boundary enforcement
+├── contract-drift.ts  # Commit format compliance
+└── token-spiral.ts    # Token usage estimation
+```
+
 ---
 
 # Vibe-Coding Methodology

package/README.md

@@ -73,12 +73,38 @@ npx @boshu2/vibe-check dashboard
 
 ## What It Measures
 
+### Core Metrics
+
 | Metric | Question | Target |
 |--------|----------|--------|
 | **Trust Pass Rate** | Does the code stick? | >95% |
 | **Rework Ratio** | Building or debugging? | <30% |
 | **Debug Spirals** | Are you stuck? | 0 active |
 
+### Enhanced Metrics (v2.2.0)
+
+Three deeper metrics for understanding development habits:
+
+| Metric | Question | Target |
+|--------|----------|--------|
+| **Tracer Bullet Ratio** | Are you validating assumptions? | >20% |
+| **Investigation Time** | How much hidden debugging? | 0 min |
+| **Domain Cohesion** | Are changes focused? | >80% |
+
+**Tracer Bullets** — Use `tracer:` or `tb:` prefix for validation commits:
+
+```
+tracer(auth): validate OAuth token refresh
+tb(api): test streaming endpoint response
+```
+
+- Tracers **before features** = proactive validation ✅
+- Tracers **before fixes** = reactive debugging ❌ (too late!)
+
+**Investigation Gaps** — Detects hidden debugging time (15-120 min gaps followed by fix commits).
+
+**Domain Cohesion** — Measures how scattered changes are. Single-domain commits indicate clean vertical slices.
+
 ---
 
 ## The 12 Failure Patterns
@@ -190,12 +216,31 @@ vibe-check insights             # Your spiral patterns
 ### Code Quality
 
 ```bash
-vibe-check audit                # Scan for monoliths, test gaps, TODOs
+vibe-check audit                # Scan for monoliths, test gaps, TODOs, eldritch horrors
 vibe-check modularity           # Pattern-aware modularity analysis
 vibe-check modularity --verbose # Detailed breakdown with metrics
 vibe-check modularity -f json   # JSON output for CI integration
 ```
 
+#### Audit Command (v2.2.0)
+
+The `audit` command now includes **Eldritch Horror Detection**—identifying oversized functions that are symptomatic of AI-generated code gone wrong:
+
+```
+👹 Eldritch Horrors (oversized functions):
+  src/services/auth.ts:45
+    handleAuthentication: 523 lines (CRITICAL)
+  src/api/routes.ts:120
+    processRequest: 287 lines (warning)
+```
+
+| Severity | Threshold | What It Means |
+|----------|-----------|---------------|
+| Warning | >200 lines | Hard to understand |
+| Critical | >500 lines | Impossible to maintain |
+
+Supports: TypeScript, JavaScript, Python, Go
+
 ### Tools
 
 ```bash

package/dist/ai-safety/contract-drift.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Contract Drift Detector
+ *
+ * Tracks commit message format compliance over time.
+ * Detects degradation from conventional commits format.
+ * Reports drift percentage and trend.
+ */
+import { Commit } from '../types.js';
+import { ContractDriftResult, AISafetyConfig } from './types.js';
+/**
+ * Detect contract drift in commit messages.
+ */
+export declare function detectContractDrift(commits: Commit[], config?: Partial<AISafetyConfig>): ContractDriftResult;
+//# sourceMappingURL=contract-drift.d.ts.map

package/dist/ai-safety/contract-drift.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"contract-drift.d.ts","sourceRoot":"","sources":["../../src/ai-safety/contract-drift.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EACL,mBAAmB,EAGnB,cAAc,EACf,MAAM,YAAY,CAAC;AA8IpB;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,EAAE,EACjB,MAAM,GAAE,OAAO,CAAC,cAAc,CAAM,GACnC,mBAAmB,CAsHrB"}

package/dist/ai-safety/contract-drift.js

@@ -0,0 +1,230 @@
+/**
+ * Contract Drift Detector
+ *
+ * Tracks commit message format compliance over time.
+ * Detects degradation from conventional commits format.
+ * Reports drift percentage and trend.
+ */
+// Valid conventional commit types
+const VALID_TYPES = new Set([
+    'feat', 'fix', 'docs', 'style', 'refactor', 'perf',
+    'test', 'build', 'ci', 'chore', 'revert', 'tracer', 'tb',
+]);
+// Vague words that indicate low-quality commit messages
+const VAGUE_WORDS = new Set([
+    'fix', 'update', 'change', 'modify', 'stuff', 'things',
+    'misc', 'wip', 'temp', 'test', 'debug', 'asdf', 'foo',
+]);
+/**
+ * Calculate compliance score for a single commit message.
+ * Returns 0-100 where 100 is perfect conventional commit format.
+ */
+function scoreCommitCompliance(message) {
+    const issues = [];
+    let score = 100;
+    // Check conventional commit format: type(scope): description
+    const conventionalMatch = message.match(/^(\w+)(?:\(([^)]+)\))?:\s*(.+)/);
+    if (!conventionalMatch) {
+        // No conventional format at all
+        if (!message.includes(':')) {
+            issues.push('missing_colon');
+            score -= 30;
+        }
+        // Try to detect if there's a type-like prefix
+        const words = message.split(/\s+/);
+        if (words.length > 0 && !VALID_TYPES.has(words[0].toLowerCase())) {
+            issues.push('missing_type');
+            score -= 25;
+        }
+    }
+    else {
+        const [, type, , description] = conventionalMatch;
+        // Check if type is valid
+        if (!VALID_TYPES.has(type.toLowerCase())) {
+            issues.push('invalid_type');
+            score -= 20;
+        }
+        // Check description quality
+        if (!description || description.trim().length === 0) {
+            issues.push('no_description');
+            score -= 30;
+        }
+        else {
+            // Check for vague descriptions
+            const descWords = description.toLowerCase().split(/\s+/);
+            const vagueCount = descWords.filter(w => VAGUE_WORDS.has(w)).length;
+            if (vagueCount > 0 && descWords.length <= 3) {
+                issues.push('vague_message');
+                score -= 15;
+            }
+            // Check for too short description
+            if (description.length < 10) {
+                issues.push('too_short');
+                score -= 10;
+            }
+            // Check for all caps (shouting)
+            if (description === description.toUpperCase() && description.length > 5) {
+                issues.push('all_caps');
+                score -= 10;
+            }
+            // Check for lowercase start (should be lowercase for conventional commits)
+            if (description[0] && description[0] === description[0].toUpperCase() &&
+                description[0] !== description[0].toLowerCase()) {
+                // Starts with uppercase - minor issue
+                issues.push('starts_with_lowercase');
+                score -= 5;
+            }
+        }
+    }
+    // Ensure score stays in bounds
+    return {
+        score: Math.max(0, Math.min(100, score)),
+        issues,
+    };
+}
+/**
+ * Calculate entropy score for commit messages.
+ * Higher entropy (0-1) means more random/inconsistent messages.
+ */
+function calculateEntropy(commits) {
+    if (commits.length === 0)
+        return 0;
+    // Count type distribution
+    const typeCounts = new Map();
+    for (const commit of commits) {
+        const count = typeCounts.get(commit.type) || 0;
+        typeCounts.set(commit.type, count + 1);
+    }
+    // Calculate Shannon entropy
+    let entropy = 0;
+    const total = commits.length;
+    for (const count of typeCounts.values()) {
+        const p = count / total;
+        if (p > 0) {
+            entropy -= p * Math.log2(p);
+        }
+    }
+    // Normalize to 0-1 range (max entropy = log2(n) for n categories)
+    const maxEntropy = Math.log2(Math.max(typeCounts.size, 1));
+    const normalizedEntropy = maxEntropy > 0 ? entropy / maxEntropy : 0;
+    // Invert: we want high entropy for BAD (inconsistent) commits
+    // Low variety in types is actually good for contract compliance
+    // So we measure "type consistency" inversely
+    // Actually, for contract drift, we want to measure message QUALITY entropy
+    // A mix of good and bad messages = medium entropy
+    // All bad messages = low entropy (consistently bad)
+    // All good messages = low entropy (consistently good)
+    // For our purposes, we'll measure the "other" type ratio as entropy proxy
+    const otherCount = typeCounts.get('other') || 0;
+    const otherRatio = otherCount / total;
+    return otherRatio; // 0 = all conventional, 1 = all non-conventional
+}
+/**
+ * Detect contract drift in commit messages.
+ */
+export function detectContractDrift(commits, config = {}) {
+    // Check if contract checking is enabled
+    if (config.contractCheckEnabled === false) {
+        return {
+            detected: false,
+            driftMetrics: {
+                baselineCompliance: 0,
+                currentCompliance: 0,
+                driftPercentage: 0,
+                trend: 'stable',
+                entropyScore: 0,
+            },
+            degradingCommits: [],
+            totalDegradingCommits: 0,
+            message: 'Contract checking disabled',
+        };
+    }
+    if (commits.length === 0) {
+        return {
+            detected: false,
+            driftMetrics: {
+                baselineCompliance: 100,
+                currentCompliance: 100,
+                driftPercentage: 0,
+                trend: 'stable',
+                entropyScore: 0,
+            },
+            degradingCommits: [],
+            totalDegradingCommits: 0,
+            message: 'No commits to analyze',
+        };
+    }
+    const driftThreshold = config.driftThreshold ?? 30;
+    // Sort commits by date (oldest first)
+    const sortedCommits = [...commits].sort((a, b) => a.date.getTime() - b.date.getTime());
+    // Calculate compliance for all commits
+    const complianceData = sortedCommits.map(commit => ({
+        commit,
+        ...scoreCommitCompliance(commit.message),
+    }));
+    // Determine baseline window (first 20% or at least 3 commits)
+    const baselineSize = Math.max(3, Math.floor(commits.length * 0.2));
+    const currentSize = Math.max(3, Math.floor(commits.length * 0.2));
+    const baselineCommits = complianceData.slice(0, baselineSize);
+    const currentCommits = complianceData.slice(-currentSize);
+    // Calculate average compliance
+    const baselineCompliance = baselineCommits.length > 0
+        ? baselineCommits.reduce((sum, c) => sum + c.score, 0) / baselineCommits.length
+        : 100;
+    const currentCompliance = currentCommits.length > 0
+        ? currentCommits.reduce((sum, c) => sum + c.score, 0) / currentCommits.length
+        : 100;
+    // Calculate drift percentage (negative = improvement, positive = degradation)
+    const driftPercentage = baselineCompliance > 0
+        ? ((baselineCompliance - currentCompliance) / baselineCompliance) * 100
+        : 0;
+    // Determine trend
+    let trend = 'stable';
+    if (driftPercentage > 10) {
+        trend = 'degrading';
+    }
+    else if (driftPercentage < -10) {
+        trend = 'improving';
+    }
+    // Calculate entropy score
+    const entropyScore = calculateEntropy(sortedCommits);
+    // Find degrading commits (score below 70)
+    const degradingCommits = complianceData
+        .filter(c => c.score < 70)
+        .map(c => ({
+        hash: c.commit.hash,
+        message: c.commit.message,
+        timestamp: c.commit.date,
+        issues: c.issues,
+        complianceScore: c.score,
+    }));
+    // Detect if contract drift is significant
+    const detected = driftPercentage > driftThreshold || degradingCommits.length > commits.length * 0.3;
+    // Generate message
+    let message = 'Commit format compliance stable';
+    if (detected) {
+        if (trend === 'degrading') {
+            message = `Commit format degrading: ${driftPercentage.toFixed(0)}% drift from baseline`;
+        }
+        else {
+            message = `${degradingCommits.length} commits below quality threshold`;
+        }
+    }
+    else if (trend === 'improving') {
+        message = 'Commit format improving over time';
+    }
+    return {
+        detected,
+        driftMetrics: {
+            baselineCompliance: Math.round(baselineCompliance),
+            currentCompliance: Math.round(currentCompliance),
+            driftPercentage: Math.round(driftPercentage),
+            trend,
+            entropyScore: Math.round(entropyScore * 100) / 100,
+        },
+        degradingCommits,
+        totalDegradingCommits: degradingCommits.length,
+        message,
+    };
+}
+//# sourceMappingURL=contract-drift.js.map

package/dist/ai-safety/contract-drift.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contract-drift.js","sourceRoot":"","sources":["../../src/ai-safety/contract-drift.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,kCAAkC;AAClC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IAC1B,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM;IAClD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI;CACzD,CAAC,CAAC;AAEH,wDAAwD;AACxD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IAC1B,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ;IACtD,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK;CACtD,CAAC,CAAC;AAOH;;;GAGG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAI5C,MAAM,MAAM,GAAgB,EAAE,CAAC;IAC/B,IAAI,KAAK,GAAG,GAAG,CAAC;IAEhB,6DAA6D;IAC7D,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAE1E,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,gCAAgC;QAChC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAC7B,KAAK,IAAI,EAAE,CAAC;QACd,CAAC;QAED,8CAA8C;QAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAC5B,KAAK,IAAI,EAAE,CAAC;QACd,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,EAAE,IAAI,EAAE,AAAD,EAAG,WAAW,CAAC,GAAG,iBAAiB,CAAC;QAElD,yBAAyB;QACzB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAC5B,KAAK,IAAI,EAAE,CAAC;QACd,CAAC;QAED,4BAA4B;QAC5B,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC9B,KAAK,IAAI,EAAE,CAAC;QACd,CAAC;aAAM,CAAC;YACN,+BAA+B;YAC/B,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACzD,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YACpE,IAAI,UAAU,GAAG,CAAC,IAAI,SAAS,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBAC5C,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;gBAC7B,KAAK,IAAI,EAAE,CAAC;YACd,CAAC;YAED,kCAAkC;YAClC,IAAI,WAAW,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBAC5B,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBACzB,KAAK,IAAI,EAAE,CAAC;YACd,CAAC;YAED,gCAAgC;YAChC,IAAI,WAAW,KAAK,WAAW,CAAC,WAAW,EAAE,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBACxB,KAAK,IAAI,EAAE,CAAC;YACd,CAAC;YAED,2EAA2E;YAC3E,IAAI,WAAW,CAAC,CAAC,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE;gBACjE,WAAW,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;gBACpD,sCAAsC;gBACtC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;gBACrC,KAAK,IAAI,CAAC,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxC,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,OAAiB;IACzC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,0BAA0B;IAC1B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC7C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,4BAA4B;IAC5B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC;IAE7B,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC;QACxB,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACV,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,iBAAiB,GAAG,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAEpE,8DAA8D;IAC9D,gEAAgE;IAChE,6CAA6C;IAE7C,2EAA2E;IAC3E,kDAAkD;IAClD,oDAAoD;IACpD,sDAAsD;IAEtD,0EAA0E;IAC1E,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,UAAU,GAAG,UAAU,GAAG,KAAK,CAAC;IAEtC,OAAO,UAAU,CAAC,CAAC,iDAAiD;AACtE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAAiB,EACjB,SAAkC,EAAE;IAEpC,wCAAwC;IACxC,IAAI,MAAM,CAAC,oBAAoB,KAAK,KAAK,EAAE,CAAC;QAC1C,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,YAAY,EAAE;gBACZ,kBAAkB,EAAE,CAAC;gBACrB,iBAAiB,EAAE,CAAC;gBACpB,eAAe,EAAE,CAAC;gBAClB,KAAK,EAAE,QAAQ;gBACf,YAAY,EAAE,CAAC;aAChB;YACD,gBAAgB,EAAE,EAAE;YACpB,qBAAqB,EAAE,CAAC;YACxB,OAAO,EAAE,4BAA4B;SACtC,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,YAAY,EAAE;gBACZ,kBAAkB,EAAE,GAAG;gBACvB,iBAAiB,EAAE,GAAG;gBACtB,eAAe,EAAE,CAAC;gBAClB,KAAK,EAAE,QAAQ;gBACf,YAAY,EAAE,CAAC;aAChB;YACD,gBAAgB,EAAE,EAAE;YACpB,qBAAqB,EAAE,CAAC;YACxB,OAAO,EAAE,uBAAuB;SACjC,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,EAAE,CAAC;IAEnD,sCAAsC;IACtC,MAAM,aAAa,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CACrC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,CAC9C,CAAC;IAEF,uCAAuC;IACvC,MAAM,cAAc,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM;QACN,GAAG,qBAAqB,CAAC,MAAM,CAAC,OAAO,CAAC;KACzC,CAAC,CAAC,CAAC;IAEJ,8DAA8D;IAC9D,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC;IAElE,MAAM,eAAe,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,MAAM,cAAc,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC;IAE1D,+BAA+B;IAC/B,MAAM,kBAAkB,GAAG,eAAe,CAAC,MAAM,GAAG,CAAC;QACnD,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,eAAe,CAAC,MAAM;QAC/E,CAAC,CAAC,GAAG,CAAC;IAER,MAAM,iBAAiB,GAAG,cAAc,CAAC,MAAM,GAAG,CAAC;QACjD,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,cAAc,CAAC,MAAM;QAC7E,CAAC,CAAC,GAAG,CAAC;IAER,8EAA8E;IAC9E,MAAM,eAAe,GAAG,kBAAkB,GAAG,CAAC;QAC5C,CAAC,CAAC,CAAC,CAAC,kBAAkB,GAAG,iBAAiB,CAAC,GAAG,kBAAkB,CAAC,GAAG,GAAG;QACvE,CAAC,CAAC,CAAC,CAAC;IAEN,kBAAkB;IAClB,IAAI,KAAK,GAAyC,QAAQ,CAAC;IAC3D,IAAI,eAAe,GAAG,EAAE,EAAE,CAAC;QACzB,KAAK,GAAG,WAAW,CAAC;IACtB,CAAC;SAAM,IAAI,eAAe,GAAG,CAAC,EAAE,EAAE,CAAC;QACjC,KAAK,GAAG,WAAW,CAAC;IACtB,CAAC;IAED,0BAA0B;IAC1B,MAAM,YAAY,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAErD,0CAA0C;IAC1C,MAAM,gBAAgB,GAAsB,cAAc;SACvD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;SACzB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACT,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI;QACnB,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO;QACzB,SAAS,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI;QACxB,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,eAAe,EAAE,CAAC,CAAC,KAAK;KACzB,CAAC,CAAC,CAAC;IAEN,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,eAAe,GAAG,cAAc,IAAI,gBAAgB,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,GAAG,CAAC;IAEpG,mBAAmB;IACnB,IAAI,OAAO,GAAG,iCAAiC,CAAC;IAChD,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,KAAK,KAAK,WAAW,EAAE,CAAC;YAC1B,OAAO,GAAG,4BAA4B,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC;QAC1F,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,GAAG,gBAAgB,CAAC,MAAM,kCAAkC,CAAC;QACzE,CAAC;IACH,CAAC;SAAM,IAAI,KAAK,KAAK,WAAW,EAAE,CAAC;QACjC,OAAO,GAAG,mCAAmC,CAAC;IAChD,CAAC;IAED,OAAO;QACL,QAAQ;QACR,YAAY,EAAE;YACZ,kBAAkB,EAAE,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YAClD,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC;YAChD,eAAe,EAAE,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC;YAC5C,KAAK;YACL,YAAY,EAAE,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC,GAAG,GAAG;SACnD;QACD,gBAAgB;QAChB,qBAAqB,EAAE,gBAAgB,CAAC,MAAM;QAC9C,OAAO;KACR,CAAC;AACJ,CAAC"}