@rigstate/cli 0.6.0

package/src/daemon/guardian-monitor.ts

@@ -0,0 +1,133 @@
+/**
+ * Guardian Monitor - Checks files against Guardian rules
+ */
+
+import axios from 'axios';
+import fs from 'fs/promises';
+import path from 'path';
+import { checkFile, type EffectiveRule, type Violation, type CheckResult } from '../utils/rule-engine.js';
+
+const CACHE_FILE = '.rigstate/rules-cache.json';
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+interface CachedRules {
+    timestamp: string;
+    projectId: string;
+    rules: EffectiveRule[];
+    settings: { lmax: number; lmax_warning: number };
+}
+
+export interface GuardianMonitor {
+    loadRules(): Promise<void>;
+    checkFile(filePath: string): Promise<CheckResult>;
+    getRuleCount(): number;
+    getRules(): EffectiveRule[];
+}
+
+export function createGuardianMonitor(
+    projectId: string,
+    apiUrl: string,
+    apiKey: string
+): GuardianMonitor {
+    let rules: EffectiveRule[] = [];
+    let lastFetch: number = 0;
+
+    const loadRules = async (): Promise<void> => {
+        // Check if cache is fresh
+        if (rules.length > 0 && Date.now() - lastFetch < CACHE_TTL_MS) {
+            return;
+        }
+
+        try {
+            // Try API first
+            const response = await axios.get(`${apiUrl}/api/v1/guardian/rules`, {
+                params: { project_id: projectId },
+                headers: { Authorization: `Bearer ${apiKey}` },
+                timeout: 10000
+            });
+
+            if (response.data.success && response.data.data.rules) {
+                rules = response.data.data.rules;
+                lastFetch = Date.now();
+
+                // Save to cache
+                await saveCachedRules(projectId, rules);
+                return;
+            }
+        } catch (error) {
+            // Try cache fallback
+            const cached = await loadCachedRules(projectId);
+            if (cached) {
+                rules = cached.rules;
+                lastFetch = Date.now();
+                return;
+            }
+        }
+
+        // No rules available
+        rules = [];
+    };
+
+    const checkFileImpl = async (filePath: string): Promise<CheckResult> => {
+        // Ensure rules are loaded
+        await loadRules();
+
+        if (rules.length === 0) {
+            return {
+                file: filePath,
+                violations: [],
+                passed: true
+            };
+        }
+
+        const absolutePath = path.resolve(process.cwd(), filePath);
+        return checkFile(absolutePath, rules, process.cwd());
+    };
+
+    const getRuleCount = (): number => rules.length;
+    const getRules = (): EffectiveRule[] => rules;
+
+    return {
+        loadRules,
+        checkFile: checkFileImpl,
+        getRuleCount,
+        getRules
+    };
+}
+
+async function loadCachedRules(projectId: string): Promise<CachedRules | null> {
+    try {
+        const cachePath = path.join(process.cwd(), CACHE_FILE);
+        const content = await fs.readFile(cachePath, 'utf-8');
+        const cached: CachedRules = JSON.parse(content);
+
+        if (cached.projectId !== projectId) {
+            return null;
+        }
+
+        return cached;
+    } catch {
+        return null;
+    }
+}
+
+async function saveCachedRules(projectId: string, rules: EffectiveRule[]): Promise<void> {
+    try {
+        const cacheDir = path.join(process.cwd(), '.rigstate');
+        await fs.mkdir(cacheDir, { recursive: true });
+
+        const cached: CachedRules = {
+            timestamp: new Date().toISOString(),
+            projectId,
+            rules,
+            settings: { lmax: 400, lmax_warning: 350 }
+        };
+
+        await fs.writeFile(
+            path.join(cacheDir, 'rules-cache.json'),
+            JSON.stringify(cached, null, 2)
+        );
+    } catch {
+        // Silently fail cache write
+    }
+}

package/src/daemon/heuristic-engine.ts

@@ -0,0 +1,203 @@
+import { readFile, writeFile, mkdir } from 'fs/promises';
+import { dirname } from 'path';
+import path from 'path';
+import axios from 'axios';
+
+export interface SkillTrigger {
+    skillId: string;
+    patterns: {
+        imports?: string[]; // e.g. "@stripe/stripe-js"
+        content?: string[]; // Regex strings e.g. "payment_intent"
+        files?: string[];   // Glob patterns e.g. "**/*.sql"
+        violation_id?: string;
+        metric_threshold?: number;
+    };
+    confidence: 'high' | 'medium' | 'low';
+}
+
+export interface HeuristicMatch {
+    skillId: string;
+    file: string;
+    reason: string;
+    confidence: 'high' | 'medium' | 'low';
+}
+
+// TODO: In the future, this should fetch from the Rigstate API (The Registry)
+const GLOBAL_HEURISTICS: SkillTrigger[] = [
+    {
+        skillId: 'payment-expert',
+        patterns: {
+            imports: ['@stripe/', 'stripe'],
+            content: ['PaymentIntent', 'CheckoutSession'],
+        },
+        confidence: 'high'
+    },
+    {
+        skillId: 'rigstate-integrity-gate',
+        patterns: {
+            files: ['**/release.config.js', '**/manifest.json', '**/.rigstate/release/*'],
+            content: ['[CORE INTEGRITY]', 'prepare_release']
+        },
+        confidence: 'high'
+    },
+    {
+        skillId: 'database-architect',
+        patterns: {
+            files: ['**/*.sql', '**/schema.prisma', '**/migrations/*'],
+            imports: ['@supabase/supabase-js', 'drizzle-orm', 'prisma']
+        },
+        confidence: 'medium'
+    }
+];
+
+export class HeuristicEngine {
+    private rules: SkillTrigger[] = [];
+    private cachePath: string;
+
+    constructor() {
+        this.cachePath = path.join(process.cwd(), '.rigstate', 'cache', 'heuristics.json');
+        this.loadRules();
+    }
+
+    private async loadRules() {
+        try {
+            const cached = await readFile(this.cachePath, 'utf-8');
+            const data = JSON.parse(cached);
+            if (Array.isArray(data) && data.length > 0) {
+                this.rules = data;
+                return;
+            }
+        } catch (e) {
+            // No cache, use defaults
+        }
+        this.rules = GLOBAL_HEURISTICS;
+    }
+
+    async refreshRules(projectId: string, apiUrl: string, apiKey: string) {
+        try {
+            // Ensure cache directory exists
+            await mkdir(dirname(this.cachePath), { recursive: true });
+
+            const endpoint = `${apiUrl}/api/v1/skills/triggers`;
+
+            const response = await axios.get(endpoint, {
+                headers: {
+                    'x-api-key': apiKey,
+                    'Content-Type': 'application/json'
+                }
+            });
+
+            if (response.data && Array.isArray(response.data.triggers)) {
+                const cloudRules = response.data.triggers;
+
+                // Write to cache
+                await writeFile(this.cachePath, JSON.stringify(cloudRules, null, 2));
+
+                this.rules = cloudRules;
+                return true;
+            }
+        } catch (error) {
+            return false;
+        }
+    }
+
+    async analyzeFile(filePath: string, metrics?: { lineCount: number, rules: any[] }): Promise<HeuristicMatch[]> {
+        try {
+            const content = await readFile(filePath, 'utf-8');
+            const matches: HeuristicMatch[] = [];
+
+            // Use dynamic rules
+            const activeRules = this.rules.length > 0 ? this.rules : GLOBAL_HEURISTICS;
+
+            for (const heuristic of activeRules) {
+                const match = this.checkHeuristic(filePath, content, heuristic, metrics);
+                if (match) {
+                    matches.push(match);
+                }
+            }
+
+            return matches;
+        } catch (error) {
+            // Ignore file read errors (deleted files, etc)
+            return [];
+        }
+    }
+
+    private checkHeuristic(
+        filePath: string,
+        content: string,
+        heuristic: SkillTrigger,
+        metrics?: { lineCount: number, rules: any[] }
+    ): HeuristicMatch | null {
+        // 0. Check Metric Thresholds (The 80% Rule)
+        if (heuristic.patterns.metric_threshold && metrics) {
+            const lineLimitRule = metrics.rules.find(r => r.rule_type === 'MAX_FILE_LINES');
+            if (lineLimitRule) {
+                const limit = (lineLimitRule.value as any).limit;
+                const threshold = limit * heuristic.patterns.metric_threshold;
+
+                if (metrics.lineCount >= threshold && metrics.lineCount < limit) {
+                    return {
+                        skillId: heuristic.skillId,
+                        file: filePath,
+                        reason: `File reached ${Math.round((metrics.lineCount / limit) * 100)}% of its line limit (${metrics.lineCount}/${limit})`,
+                        confidence: 'high'
+                    };
+                }
+            }
+        }
+
+        // 1. Check File Path Patterns
+        if (heuristic.patterns.files) {
+            // Simple endsWith check for now, ideally use micromatch
+            const matchesFile = heuristic.patterns.files.some(pattern => {
+                if (pattern.startsWith('**/*')) return filePath.endsWith(pattern.replace('**/*', ''));
+                return filePath.includes(pattern);
+            });
+            if (matchesFile) {
+                return {
+                    skillId: heuristic.skillId,
+                    file: filePath,
+                    reason: `Matches file pattern: ${heuristic.patterns.files.join(', ')}`,
+                    confidence: heuristic.confidence
+                };
+            }
+        }
+
+        // 2. Check Imports
+        if (heuristic.patterns.imports) {
+            for (const imp of heuristic.patterns.imports) {
+                // Regex to find import or require
+                const importRegex = new RegExp(`(import .* from ['"]${imp}|require\\(['"]${imp})`, 'i');
+                if (importRegex.test(content)) {
+                    return {
+                        skillId: heuristic.skillId,
+                        file: filePath,
+                        reason: `Detected import: ${imp}`,
+                        confidence: heuristic.confidence
+                    };
+                }
+            }
+        }
+
+        // 3. Check Content
+        if (heuristic.patterns.content) {
+            for (const pattern of heuristic.patterns.content) {
+                if (content.includes(pattern)) {
+                    return {
+                        skillId: heuristic.skillId,
+                        file: filePath,
+                        reason: `Detected content pattern: ${pattern}`,
+                        confidence: heuristic.confidence
+                    };
+                }
+            }
+        }
+
+        return null;
+    }
+}
+
+export function createHeuristicEngine() {
+    return new HeuristicEngine();
+}

package/src/daemon/intervention-protocol.ts

@@ -0,0 +1,128 @@
+import chalk from 'chalk';
+
+import * as fs from 'fs';
+import * as path from 'path';
+
+export type GovernanceMode = 'OPEN' | 'SOFT_LOCK' | 'HARD_LOCK';
+
+export interface InterventionDecision {
+    mode: GovernanceMode;
+    message: string;
+    blockCommit: boolean;
+}
+
+/**
+ * The Silent Sentinel (Frank's Enforcer)
+ * Determines the severity of an event and the required system response.
+ */
+export class InterventionProtocol {
+    private activeViolators = new Set<string>();
+
+    /**
+     * Registers a violation outcome to update the global lock state.
+     */
+    registerViolation(filePath: string, decision: InterventionDecision) {
+        if (decision.mode === 'HARD_LOCK') {
+            this.activeViolators.add(filePath);
+            this.syncLockFile();
+        }
+    }
+
+    /**
+     * Clears any active locks for a specific file (e.g. after a fix).
+     */
+    clear(filePath: string) {
+        if (this.activeViolators.has(filePath)) {
+            this.activeViolators.delete(filePath);
+            this.syncLockFile();
+        }
+    }
+
+    private syncLockFile() {
+        try {
+            const lockDir = path.join(process.cwd(), '.rigstate');
+            if (!fs.existsSync(lockDir)) fs.mkdirSync(lockDir, { recursive: true });
+
+            const lockPath = path.join(lockDir, 'guardian.lock');
+
+            if (this.activeViolators.size > 0) {
+                const content = `HARD_LOCK_ACTIVE\nTimestamp: ${new Date().toISOString()}\n\nBlocking Files:\n${Array.from(this.activeViolators).join('\n')}`;
+                fs.writeFileSync(lockPath, content, 'utf-8');
+            } else {
+                if (fs.existsSync(lockPath)) fs.unlinkSync(lockPath);
+            }
+        } catch (e) {
+            console.error('Failed to sync guardian lock file:', e);
+        }
+    }
+
+    /**
+     * Evaluate a Heuristic Trigger (Preventative)
+     */
+    evaluateTrigger(skillId: string, confidence: string): InterventionDecision {
+        // Example: If a skill is marked as 'HARD_LOCK' in its metadata, we block.
+        // For now, most triggers are informational (JIT provisioning).
+
+        if (skillId === 'rigstate-integrity-gate') {
+            return {
+                mode: 'SOFT_LOCK',
+                message: 'Integrity Gate detected. Release Manifest required before final push.',
+                blockCommit: false // Soft lock just warns
+            };
+        }
+
+        return {
+            mode: 'OPEN',
+            message: `Predictive activation: ${skillId}`,
+            blockCommit: false
+        };
+    }
+
+    /**
+     * Evaluate a Guardian Violation (Corrective)
+     */
+    evaluateViolation(ruleId: string, severity: 'critical' | 'warning' | 'info'): InterventionDecision {
+        if (severity === 'critical' || (severity as any) === 'error') {
+            return {
+                mode: 'HARD_LOCK',
+                message: `CRITICAL VIOLATION: ${ruleId}. System Integrity Compromised.`,
+                blockCommit: true
+            };
+        }
+
+        if (severity === 'warning') {
+            return {
+                mode: 'SOFT_LOCK',
+                message: `Warning: ${ruleId}. Review recommended.`,
+                blockCommit: false
+            };
+        }
+
+        return {
+            mode: 'OPEN',
+            message: 'Info notice.',
+            blockCommit: false
+        };
+    }
+
+    /**
+     * Logs the intervention to the console with appropriate visual weight
+     */
+    enforce(decision: InterventionDecision) {
+        if (decision.mode === 'OPEN') return;
+
+        const icon = decision.mode === 'HARD_LOCK' ? '🚫' : '⚠️';
+        const color = decision.mode === 'HARD_LOCK' ? chalk.bgRed.white.bold : chalk.yellow.bold;
+
+        console.log('\n' + color(` ${icon} [${decision.mode}] INTERVENTION `));
+        console.log(chalk.redBright(` ${decision.message}`));
+
+        if (decision.blockCommit) {
+            console.log(chalk.dim(' 🔒 Commit functionality is logically suspended until fixed.'));
+        }
+    }
+}
+
+export function createInterventionProtocol() {
+    return new InterventionProtocol();
+}

package/src/daemon/telemetry.ts

@@ -0,0 +1,23 @@
+import axios from 'axios';
+
+/**
+ * Reports skill usage to the Rigstate Cloud.
+ */
+export async function trackSkillUsage(
+    apiUrl: string,
+    apiKey: string,
+    projectId: string,
+    skillId: string
+) {
+    try {
+        await axios.post(`${apiUrl}/api/v1/skills/usage`, {
+            projectId,
+            skillName: skillId,
+            status: 'ACTIVATED'
+        }, {
+            headers: { 'x-api-key': apiKey }
+        });
+    } catch (e) {
+        // Silhouette feedback failure - do not interrupt user
+    }
+}

package/src/daemon/types.ts

@@ -0,0 +1,18 @@
+export interface DaemonConfig {
+    projectId: string;
+    apiUrl: string;
+    apiKey: string;
+    watchPath: string;
+    checkOnChange: boolean;
+    bridgeEnabled: boolean;
+    verbose: boolean;
+}
+
+export interface DaemonState {
+    isRunning: boolean;
+    startedAt: string | null;
+    filesChecked: number;
+    violationsFound: number;
+    tasksProcessed: number;
+    lastActivity: string | null;
+}

package/src/hive/gateway.ts

@@ -0,0 +1,74 @@
+
+import axios, { AxiosInstance } from 'axios';
+import { ImmuneSignal } from './protocol';
+import { HiveScrubber } from './scrubber';
+import chalk from 'chalk';
+
+/**
+ * THE HIVE GATEWAY
+ * Connects the local Rigstate instance to the Global Hive Mind (rigstate.com).
+ */
+export class HiveGateway {
+    private client: AxiosInstance;
+    private enabled: boolean;
+    private lastSignalTime: number = 0;
+    private readonly MIN_INTERVAL_MS = 5000; // Throttle: Max 1 signal per 5s
+
+    constructor(baseUrl: string, token?: string) {
+        this.enabled = !!token;
+
+        if (!this.enabled) {
+            console.log(chalk.dim('⚠️ Hive Gateway disabled (No Token provided). Running in localized mode.'));
+        }
+
+        this.client = axios.create({
+            baseURL: baseUrl,
+            headers: {
+                'Authorization': `Bearer ${token}`,
+                'Content-Type': 'application/json',
+                'X-Rigstate-Client': 'CLI-0.2.0'
+            },
+            timeout: 5000
+        });
+    }
+
+    /**
+     * Transmit an Immune Signal to the Hive.
+     * Includes Pre-Flight Scrubbing and Throttling.
+     */
+    public async transmit(signal: ImmuneSignal): Promise<boolean> {
+        if (!this.enabled) return false;
+
+        // 1. THROTTLE CHECK
+        const now = Date.now();
+        if (now - this.lastSignalTime < this.MIN_INTERVAL_MS) {
+            console.warn(chalk.yellow('⏳ Hive Gateway Throttled. Signal dropped to preventing spam.'));
+            return false;
+        }
+
+        // 2. SCRUBBER VERIFICATION (Double Check)
+        // Even if Frank ran it, we run it again here at the edge.
+        const scrubResult = HiveScrubber.scrub(signal.ruleContent);
+        if (scrubResult.riskScore > 20) {
+            console.error(chalk.red(`🛑 HIVE BLOCKED: Signal contains sensitive data (Risk: ${scrubResult.riskScore})`));
+            return false;
+        }
+
+        // 3. TRANSMISSION
+        try {
+            console.log(chalk.blue(`📡 Uplinking to Hive... [${signal.vector}]`));
+
+            // Using the scrubbed content just to be 100% safe
+            const payload = { ...signal, ruleContent: scrubResult.sanitizedContent };
+
+            await this.client.post('/signal', payload);
+
+            this.lastSignalTime = now;
+            console.log(chalk.green('✅ Signal Received by Hive Core. Knowledge Shared.'));
+            return true;
+        } catch (error: any) {
+            console.error(chalk.red(`❌ Hive Transmission Failed: ${error.message}`));
+            return false;
+        }
+    }
+}

package/src/hive/protocol.ts

@@ -0,0 +1,29 @@
+
+/**
+ * THE HIVE PROTOCOL
+ * The standard format for "Immune Signals" shared between Rigstate Instances.
+ */
+
+export interface ImmuneSignal {
+    id: string; // UUID
+    type: 'SECURITY_PATCH' | 'PERFORMANCE_FIX' | 'ARCH_VIOLATION';
+
+    // Abstracted vector (e.g. "Next.js Server Action")
+    vector: string;
+
+    // The rule itself (Sanitized via Scrubber)
+    ruleContent: string;
+
+    // Metrics proving why this is good
+    confidenceScore: number; // 0-100 (Based on local tests passed)
+
+    schemaVersion: '1.0';
+    timestamp: string;
+}
+
+export interface HiveSyncConfig {
+    enabled: boolean;
+    endpoint: string;
+    mode: 'CONSUME_ONLY' | 'CONTRIBUTE' | 'FULL_DUPLEX';
+    minConfidenceThreshold: number; // Only import rules with score > 80
+}

package/src/hive/scrubber.ts

@@ -0,0 +1,72 @@
+
+/**
+ * THE HIVE SCRUBBER
+ * Sanitizes local rules and signals before they are broadcast to the Global Registry.
+ * Ensures strict anonymity.
+ */
+
+export interface ScrubberResult {
+    sanitizedContent: string;
+    redactionCount: number;
+    riskScore: number; // 0-100 (If too high, do not broadcast)
+}
+
+export class HiveScrubber {
+
+    // Patterns that definitely identify a project and MUST be removed
+    private static SENSITIVE_PATTERNS = [
+        /(api_key|secret|token|password)[\s]*[:=][\s]*['"][a-zA-Z0-9_\-]+['"]/gi, // Secrets
+        /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, // Emails
+        /(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\. (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/g, // IPs
+        /postgres:\/\/[^:]+:[^@]+@/g, // DB Connection Strings
+    ];
+
+    // Generic replacements for project-specific terms to keep the rule abstract
+    private static ABSTRACTION_MAP: Record<string, string> = {
+        'Vibeline': '{PROJECT_NAME}',
+        'Rigstate': '{FRAMEWORK}',
+        'Steinhofve': '{USER}',
+    };
+
+    /**
+     * Scrubs a string (rule content or log excerpt) of sensitive data.
+     */
+    public static scrub(content: string, customTerms: string[] = []): ScrubberResult {
+        let scrubbed = content;
+        let count = 0;
+        let risk = 0;
+
+        // 1. Remove Hard Credentials (High Risk)
+        this.SENSITIVE_PATTERNS.forEach(pattern => {
+            if (pattern.test(scrubbed)) {
+                scrubbed = scrubbed.replace(pattern, '[REDACTED_CREDENTIAL]');
+                count++;
+                risk += 50; // High penalty for finding secrets
+            }
+        });
+
+        // 2. Abstract Project Specifics (Medium Risk)
+        Object.entries(this.ABSTRACTION_MAP).forEach(([term, replacement]) => {
+            const regex = new RegExp(term, 'gi');
+            if (regex.test(scrubbed)) {
+                scrubbed = scrubbed.replace(regex, replacement);
+                count++;
+            }
+        });
+
+        // 3. Scrub Custom Terms (e.g. Table names passed from context)
+        customTerms.forEach(term => {
+            const regex = new RegExp(term, 'gi');
+            if (regex.test(scrubbed)) {
+                scrubbed = scrubbed.replace(regex, '{ENTITY}');
+                count++;
+            }
+        });
+
+        return {
+            sanitizedContent: scrubbed,
+            redactionCount: count,
+            riskScore: Math.min(risk, 100)
+        };
+    }
+}