@mainahq/core 0.2.0

package/src/verify/pipeline.ts

@@ -0,0 +1,328 @@
+/**
+ * Verify Pipeline Orchestrator — ties together all verification tools.
+ *
+ * Pipeline flow:
+ * 1. Get files to check (staged files, or provided list)
+ * 2. Run syntax guard FIRST — abort immediately if it fails
+ * 3. Auto-detect available tools
+ * 4. Run all available tools in PARALLEL (slop, semgrep, trivy, secretlint)
+ * 5. Collect all findings
+ * 6. Apply diff-only filter (unless diffOnly === false)
+ * 7. Determine pass/fail: passed = no error-severity findings
+ * 8. Return unified PipelineResult
+ */
+
+import { createCacheManager } from "../cache/manager";
+import { getNoisyRules } from "../feedback/preferences";
+import { getDiff, getStagedFiles } from "../git/index";
+import { detectLanguages } from "../language/detect";
+import type { LanguageId } from "../language/profile";
+import { getProfile } from "../language/profile";
+import { type AIReviewResult, runAIReview } from "./ai-review";
+import { runCoverage } from "./coverage";
+import type { DetectedTool } from "./detect";
+import { detectTools } from "./detect";
+import type { Finding } from "./diff-filter";
+import { filterByDiff } from "./diff-filter";
+import { runMutation } from "./mutation";
+import { runSecretlint } from "./secretlint";
+import { runSemgrep } from "./semgrep";
+import { detectSlop } from "./slop";
+import { runSonar } from "./sonar";
+import type { SyntaxDiagnostic } from "./syntax-guard";
+import { syntaxGuard } from "./syntax-guard";
+import { runTrivy } from "./trivy";
+
+// ─── Types ────────────────────────────────────────────────────────────────
+
+export interface ToolReport {
+	tool: string;
+	findings: Finding[];
+	skipped: boolean;
+	duration: number; // ms
+}
+
+export interface PipelineResult {
+	passed: boolean; // true if no errors
+	syntaxPassed: boolean; // syntax guard result
+	syntaxErrors?: SyntaxDiagnostic[];
+	tools: ToolReport[]; // per-tool results
+	findings: Finding[]; // all shown findings (after diff filter)
+	hiddenCount: number; // pre-existing findings hidden
+	detectedTools: DetectedTool[]; // what was found on PATH
+	duration: number; // total ms
+	cacheHits: number; // cache L1+L2 hits during this run
+	cacheMisses: number; // cache misses during this run
+}
+
+export interface PipelineOptions {
+	files?: string[]; // specific files (default: staged files)
+	baseBranch?: string; // for diff filter (default: "main")
+	diffOnly?: boolean; // default: true
+	deep?: boolean; // NEW — triggers standard-tier AI review
+	cwd?: string;
+	mainaDir?: string;
+	languages?: string[]; // override language detection
+}
+
+// ─── Tool Runner Helpers ──────────────────────────────────────────────────
+
+/**
+ * Run a single tool and wrap the result in a ToolReport with timing.
+ */
+async function runToolWithTiming(
+	toolName: string,
+	fn: () => Promise<{ findings: Finding[]; skipped: boolean }>,
+): Promise<ToolReport> {
+	const start = performance.now();
+	const result = await fn();
+	const duration = Math.round(performance.now() - start);
+
+	return {
+		tool: toolName,
+		findings: result.findings,
+		skipped: result.skipped,
+		duration,
+	};
+}
+
+// ─── Pipeline ─────────────────────────────────────────────────────────────
+
+/**
+ * Run the full verification pipeline.
+ *
+ * Orchestrates: syntax guard -> tool detection -> parallel tool execution
+ * -> diff-only filtering -> unified result.
+ */
+export async function runPipeline(
+	options?: PipelineOptions,
+): Promise<PipelineResult> {
+	const start = performance.now();
+	const cwd = options?.cwd ?? process.cwd();
+	const diffOnly = options?.diffOnly !== false; // default: true
+	const baseBranch = options?.baseBranch ?? "main";
+
+	// ── Step 1: Get files to check ────────────────────────────────────────
+	const files = options?.files ?? (await getStagedFiles(cwd));
+
+	// Empty file list → nothing to verify
+	if (files.length === 0) {
+		return {
+			passed: true,
+			syntaxPassed: true,
+			tools: [],
+			findings: [],
+			hiddenCount: 0,
+			detectedTools: [],
+			duration: Math.round(performance.now() - start),
+			cacheHits: 0,
+			cacheMisses: 0,
+		};
+	}
+
+	// ── Step 2: Syntax guard (MUST run first) ─────────────────────────────
+	// Detect languages or use provided override
+	const languages = options?.languages ?? detectLanguages(cwd);
+	const primaryLang = (languages[0] ?? "typescript") as LanguageId;
+	const profile = getProfile(primaryLang);
+	const syntaxResult = await syntaxGuard(files, cwd, profile);
+
+	if (!syntaxResult.ok) {
+		return {
+			passed: false,
+			syntaxPassed: false,
+			syntaxErrors: syntaxResult.error,
+			tools: [],
+			findings: [],
+			hiddenCount: 0,
+			detectedTools: [],
+			duration: Math.round(performance.now() - start),
+			cacheHits: 0,
+			cacheMisses: 0,
+		};
+	}
+
+	// ── Step 3: Auto-detect tools ─────────────────────────────────────────
+	const detectedTools = await detectTools();
+
+	// ── Step 4: Run all available tools in PARALLEL ───────────────────────
+	// Build a lookup from detection results to avoid redundant subprocess spawns
+	const toolAvailability = new Map<string, boolean>();
+	for (const t of detectedTools) {
+		toolAvailability.set(t.name, t.available);
+	}
+
+	const toolPromises: Promise<ToolReport>[] = [];
+
+	// Slop detector always runs (no external tool dependency), cache-aware
+	const mainaDir = options?.mainaDir ?? ".maina";
+	const slopCache = createCacheManager(mainaDir);
+	toolPromises.push(
+		runToolWithTiming("slop", async () => {
+			const result = await detectSlop(files, { cwd, cache: slopCache });
+			return { findings: result.findings, skipped: false };
+		}),
+	);
+
+	// Semgrep — pass pre-resolved availability
+	toolPromises.push(
+		runToolWithTiming("semgrep", () =>
+			runSemgrep({
+				files,
+				cwd,
+				available: toolAvailability.get("semgrep") ?? false,
+			}),
+		),
+	);
+
+	// Trivy — pass pre-resolved availability
+	toolPromises.push(
+		runToolWithTiming("trivy", () =>
+			runTrivy({ cwd, available: toolAvailability.get("trivy") ?? false }),
+		),
+	);
+
+	// Secretlint — pass pre-resolved availability
+	toolPromises.push(
+		runToolWithTiming("secretlint", () =>
+			runSecretlint({
+				files,
+				cwd,
+				available: toolAvailability.get("secretlint") ?? false,
+			}),
+		),
+	);
+
+	// SonarQube — pass pre-resolved availability
+	toolPromises.push(
+		runToolWithTiming("sonarqube", () =>
+			runSonar({
+				cwd,
+				available: toolAvailability.get("sonarqube") ?? false,
+			}),
+		),
+	);
+
+	// Stryker mutation testing — pass pre-resolved availability
+	toolPromises.push(
+		runToolWithTiming("stryker", () =>
+			runMutation({
+				cwd,
+				available: toolAvailability.get("stryker") ?? false,
+			}),
+		),
+	);
+
+	// diff-cover — pass pre-resolved availability
+	toolPromises.push(
+		runToolWithTiming("diff-cover", () =>
+			runCoverage({
+				cwd,
+				available: toolAvailability.get("diff-cover") ?? false,
+			}),
+		),
+	);
+
+	const toolReports = await Promise.all(toolPromises);
+
+	// ── Step 4b: Warn if all external tools were skipped ─────────────────
+	const externalTools = toolReports.filter((r) => r.tool !== "slop");
+	const allExternalSkipped =
+		externalTools.length > 0 && externalTools.every((r) => r.skipped);
+
+	// ── Step 5: Collect all findings ──────────────────────────────────────
+	const allFindings: Finding[] = [];
+	for (const report of toolReports) {
+		allFindings.push(...report.findings);
+	}
+
+	if (allExternalSkipped) {
+		const skippedNames = externalTools.map((r) => r.tool).join(", ");
+		allFindings.push({
+			tool: "pipeline",
+			file: "",
+			line: 0,
+			message: `No external verification tools ran (${skippedNames} skipped). Run \`maina doctor\` to check tool health or \`maina init\` to configure.`,
+			severity: "warning",
+		});
+	}
+
+	// ── Step 6: Apply diff-only filter ────────────────────────────────────
+	let shownFindings: Finding[];
+	let hiddenCount: number;
+
+	if (diffOnly) {
+		const filtered = await filterByDiff(allFindings, baseBranch, cwd);
+		shownFindings = filtered.shown;
+		hiddenCount = filtered.hidden;
+	} else {
+		shownFindings = allFindings;
+		hiddenCount = 0;
+	}
+
+	// ── Step 6b: Skip or downgrade noisy rules based on preferences ─────
+	try {
+		const noisy = getNoisyRules(mainaDir);
+		const noisyMap = new Map(noisy.map((r) => [r.ruleId, r]));
+		shownFindings = shownFindings.filter((finding) => {
+			if (!finding.ruleId) return true;
+			const rule = noisyMap.get(finding.ruleId);
+			if (!rule) return true;
+			// Skip entirely if FP rate > 50% — these erode trust
+			if (rule.falsePositiveRate > 0.5) return false;
+			// Downgrade if borderline (>30%)
+			if (rule.falsePositiveRate > 0.3) {
+				if (finding.severity === "error") finding.severity = "warning";
+				else if (finding.severity === "warning") finding.severity = "info";
+			}
+			return true;
+		});
+	} catch {
+		// Preference loading failure should never block verification
+	}
+
+	// ── Step 7: AI review (mechanical always, standard if --deep) ────────
+	const deep = options?.deep ?? false;
+	let diffText = "";
+	try {
+		diffText = diffOnly ? await getDiff(baseBranch, undefined, cwd) : "";
+	} catch {
+		// getDiff failure should not block pipeline
+	}
+
+	const aiReviewResult: AIReviewResult = await runAIReview({
+		diff: diffText,
+		entities: [], // Entities require tree-sitter + file body reads; wired when semantic index is hydrated
+		deep,
+		mainaDir: options?.mainaDir ?? ".maina",
+	});
+
+	const aiReport: ToolReport = {
+		tool: "ai-review",
+		findings: aiReviewResult.findings,
+		skipped: aiReviewResult.skipped,
+		duration: aiReviewResult.duration,
+	};
+
+	toolReports.push(aiReport);
+
+	// Merge AI findings into shown findings
+	shownFindings.push(...aiReviewResult.findings);
+
+	// ── Step 8: Determine pass/fail ───────────────────────────────────────
+	const passed = !shownFindings.some((f) => f.severity === "error");
+
+	// ── Step 9: Return unified result ─────────────────────────────────────
+	const cacheStats = slopCache.stats();
+	return {
+		passed,
+		syntaxPassed: true,
+		tools: toolReports,
+		findings: shownFindings,
+		hiddenCount,
+		detectedTools,
+		duration: Math.round(performance.now() - start),
+		cacheHits: cacheStats.l1Hits + cacheStats.l2Hits,
+		cacheMisses: cacheStats.misses,
+	};
+}

package/src/verify/proof.ts

@@ -0,0 +1,277 @@
+/**
+ * Verification Proof — gathers and formats verification evidence for PRs.
+ *
+ * Collects pipeline results, test count, review results, slop check,
+ * and visual verification into a formatted markdown section.
+ */
+
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { createCacheManager } from "../cache/manager";
+import { loadWorkflowContext } from "../workflow/context";
+import type { PipelineResult } from "./pipeline";
+import { runPipeline } from "./pipeline";
+import { detectSlop } from "./slop";
+import { runVisualVerification } from "./visual";
+
+// ─── Types ────────────────────────────────────────────────────────────────
+
+export interface ToolProof {
+	tool: string;
+	findings: number;
+	duration: number;
+	skipped: boolean;
+}
+
+export interface VerificationProof {
+	pipeline: ToolProof[];
+	pipelinePassed: boolean;
+	pipelineDuration: number;
+	tests: { passed: number; failed: number; files: number } | null;
+	review: {
+		stage1Passed: boolean;
+		stage1Findings: number;
+		stage2Passed: boolean;
+		stage2Findings: number;
+	} | null;
+	slop: { findings: number } | null;
+	visual: { pages: number; regressions: number } | null;
+	workflowSummary: string | null;
+}
+
+export interface ProofOptions {
+	cwd?: string;
+	mainaDir?: string;
+	baseBranch?: string;
+	skipTests?: boolean;
+	skipVisual?: boolean;
+	pipelineResult?: PipelineResult;
+	reviewResult?: {
+		passed: boolean;
+		stage1: { passed: boolean; findings: unknown[] };
+		stage2?: { passed: boolean; findings: unknown[] } | null;
+	};
+}
+
+// ─── Gather ───────────────────────────────────────────────────────────────
+
+/**
+ * Run tests and parse the output for pass/fail count.
+ */
+async function runTests(
+	cwd: string,
+): Promise<{ passed: number; failed: number; files: number } | null> {
+	try {
+		const proc = Bun.spawn(["bun", "test"], {
+			cwd,
+			stdout: "pipe",
+			stderr: "pipe",
+		});
+
+		const stdout = await new Response(proc.stdout).text();
+		await proc.exited;
+
+		// Parse "980 pass, 0 fail across 87 files."
+		const match = stdout.match(/(\d+)\s+pass,?\s+(\d+)\s+fail.*?(\d+)\s+file/);
+		if (match) {
+			return {
+				passed: Number.parseInt(match[1] ?? "0", 10),
+				failed: Number.parseInt(match[2] ?? "0", 10),
+				files: Number.parseInt(match[3] ?? "0", 10),
+			};
+		}
+
+		// Fallback: just check exit code
+		return null;
+	} catch {
+		return null;
+	}
+}
+
+/**
+ * Gather all verification proof.
+ */
+export async function gatherVerificationProof(
+	options: ProofOptions = {},
+): Promise<VerificationProof> {
+	const cwd = options.cwd ?? process.cwd();
+	const mainaDir = options.mainaDir ?? join(cwd, ".maina");
+	const baseBranch = options.baseBranch ?? "main";
+
+	// Pipeline
+	let pipelineResult = options.pipelineResult;
+	if (!pipelineResult) {
+		pipelineResult = await runPipeline({
+			baseBranch,
+			diffOnly: true,
+			cwd,
+			mainaDir,
+		});
+	}
+
+	const pipeline: ToolProof[] = pipelineResult.tools.map((t) => ({
+		tool: t.tool,
+		findings: t.findings.length,
+		duration: t.duration,
+		skipped: t.skipped,
+	}));
+
+	// Tests
+	const tests = options.skipTests ? null : await runTests(cwd);
+
+	// Review (passed from caller if available)
+	const review = options.reviewResult
+		? {
+				stage1Passed: options.reviewResult.stage1.passed,
+				stage1Findings: options.reviewResult.stage1.findings.length,
+				stage2Passed: options.reviewResult.stage2?.passed ?? true,
+				stage2Findings: options.reviewResult.stage2?.findings.length ?? 0,
+			}
+		: null;
+
+	// Slop
+	let slop: { findings: number } | null = null;
+	try {
+		const cache = createCacheManager(mainaDir);
+		const slopResult = await detectSlop([], { cwd, cache });
+		slop = { findings: slopResult.findings.length };
+	} catch {
+		slop = null;
+	}
+
+	// Visual
+	let visual: { pages: number; regressions: number } | null = null;
+	if (!options.skipVisual) {
+		const baselineDir = join(mainaDir, "visual-baselines");
+		if (existsSync(baselineDir)) {
+			try {
+				const visualResult = await runVisualVerification(mainaDir);
+				if (!visualResult.skipped) {
+					const regressions = visualResult.findings.filter(
+						(f) => f.ruleId === "visual/regression",
+					).length;
+					visual = { pages: visualResult.comparisons, regressions };
+				}
+			} catch {
+				// Visual verification failure shouldn't block PR
+			}
+		}
+	}
+
+	// Workflow context
+	const workflowSummary = loadWorkflowContext(mainaDir);
+
+	return {
+		pipeline,
+		pipelinePassed: pipelineResult.passed,
+		pipelineDuration: pipelineResult.duration,
+		tests,
+		review,
+		slop,
+		visual,
+		workflowSummary,
+	};
+}
+
+// ─── Format ───────────────────────────────────────────────────────────────
+
+/**
+ * Format verification proof as a markdown section with collapsible details.
+ */
+export function formatVerificationProof(proof: VerificationProof): string {
+	const sections: string[] = [];
+	sections.push("\n## Verification Proof\n");
+
+	// Pipeline
+	const pipelineIcon = proof.pipelinePassed ? "✅" : "❌";
+	const toolCount = proof.pipeline.length;
+	const totalFindings = proof.pipeline.reduce((sum, t) => sum + t.findings, 0);
+	const duration = (proof.pipelineDuration / 1000).toFixed(1);
+
+	sections.push(`<details>`);
+	sections.push(
+		`<summary>${pipelineIcon} Pipeline: ${toolCount} tools, ${totalFindings} findings, ${duration}s</summary>\n`,
+	);
+	sections.push("| Tool | Findings | Duration | Status |");
+	sections.push("|------|----------|----------|--------|");
+	for (const t of proof.pipeline) {
+		const status = t.skipped
+			? "skipped"
+			: t.findings > 0
+				? `${t.findings} found`
+				: "✅";
+		const dur = t.skipped ? "-" : `${t.duration}ms`;
+		const findings = t.skipped ? "-" : String(t.findings);
+		sections.push(`| ${t.tool} | ${findings} | ${dur} | ${status} |`);
+	}
+	sections.push("\n</details>\n");
+
+	// Tests
+	if (proof.tests) {
+		const testIcon = proof.tests.failed === 0 ? "✅" : "❌";
+		sections.push(`<details>`);
+		sections.push(
+			`<summary>${testIcon} Tests: ${proof.tests.passed} pass, ${proof.tests.failed} fail</summary>\n`,
+		);
+		sections.push(
+			`${proof.tests.passed} pass, ${proof.tests.failed} fail across ${proof.tests.files} files.`,
+		);
+		sections.push("\n</details>\n");
+	}
+
+	// Code Review
+	if (proof.review) {
+		const reviewIcon =
+			proof.review.stage1Passed && proof.review.stage2Passed ? "✅" : "⚠️";
+		sections.push(`<details>`);
+		sections.push(`<summary>${reviewIcon} Code Review</summary>\n`);
+		sections.push(
+			`- Stage 1 (spec compliance): ${proof.review.stage1Passed ? "passed" : "failed"}, ${proof.review.stage1Findings} finding(s)`,
+		);
+		sections.push(
+			`- Stage 2 (code quality): ${proof.review.stage2Passed ? "passed" : "failed"}, ${proof.review.stage2Findings} finding(s)`,
+		);
+		sections.push("\n</details>\n");
+	}
+
+	// Slop
+	if (proof.slop) {
+		const slopIcon = proof.slop.findings === 0 ? "✅" : "⚠️";
+		sections.push(`<details>`);
+		sections.push(
+			`<summary>${slopIcon} Slop: ${proof.slop.findings === 0 ? "clean" : `${proof.slop.findings} patterns`}</summary>\n`,
+		);
+		sections.push(`${proof.slop.findings} slop pattern(s) detected.`);
+		sections.push("\n</details>\n");
+	}
+
+	// Visual
+	if (proof.visual) {
+		const visualIcon = proof.visual.regressions === 0 ? "✅" : "⚠️";
+		sections.push(`<details>`);
+		sections.push(
+			`<summary>${visualIcon} Visual: ${proof.visual.pages} page(s), ${proof.visual.regressions} regression(s)</summary>\n`,
+		);
+		sections.push(
+			`Compared ${proof.visual.pages} page(s) against baselines. ${proof.visual.regressions} regression(s) found.`,
+		);
+		sections.push("\n</details>\n");
+	}
+
+	// Workflow
+	if (proof.workflowSummary) {
+		sections.push(`<details>`);
+		sections.push(`<summary>📋 Workflow Context</summary>\n`);
+		sections.push("```");
+		// Truncate to last 500 chars to keep PR body reasonable
+		const summary =
+			proof.workflowSummary.length > 500
+				? `...${proof.workflowSummary.slice(-500)}`
+				: proof.workflowSummary;
+		sections.push(summary);
+		sections.push("```");
+		sections.push("\n</details>");
+	}
+
+	return sections.join("\n");
+}