@safetnsr/vet 1.0.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,5 +1,6 @@
1
1
  import { join, relative } from 'node:path';
2
- import { readFileSync, readdirSync, statSync, existsSync } from 'node:fs';
2
+ import { readFileSync, statSync, existsSync } from 'node:fs';
3
+ import { isTextFile as utilIsTextFile, collectDirFiles as utilCollectDirFiles } from '../util.js';
3
4
  const CRITICAL_PATTERNS = [
4
5
  {
5
6
  id: 'base64-url',
@@ -89,38 +90,9 @@ const CONFIG_TARGETS = [
89
90
  '.mcp',
90
91
  '.roomodes', '.roo',
91
92
  ];
92
- // ── File helpers ─────────────────────────────────────────────────────────────
93
- function isTextFile(filePath) {
94
- try {
95
- const buf = readFileSync(filePath);
96
- const sampleSize = Math.min(512, buf.length);
97
- for (let i = 0; i < sampleSize; i++) {
98
- if (buf[i] === 0)
99
- return false;
100
- }
101
- return true;
102
- }
103
- catch {
104
- return false;
105
- }
106
- }
107
- function collectDirFiles(dir) {
108
- const files = [];
109
- try {
110
- const entries = readdirSync(dir, { withFileTypes: true });
111
- for (const entry of entries) {
112
- const full = join(dir, entry.name);
113
- if (entry.isFile()) {
114
- files.push(full);
115
- }
116
- else if (entry.isDirectory()) {
117
- files.push(...collectDirFiles(full));
118
- }
119
- }
120
- }
121
- catch { /* skip */ }
122
- return files;
123
- }
93
+ // ── File helpers (delegated to util.ts) ──────────────────────────────────────
94
+ const isTextFile = utilIsTextFile;
95
+ const collectDirFiles = utilCollectDirFiles;
124
96
  function collectConfigFiles(cwd) {
125
97
  const files = [];
126
98
  for (const target of CONFIG_TARGETS) {
@@ -0,0 +1,2 @@
1
+ import type { CheckResult } from '../types.js';
2
+ export declare function checkVerify(cwd: string, since?: string): CheckResult;
@@ -0,0 +1,219 @@
1
+ import { join, basename } from 'node:path';
2
+ import { readFileSync, existsSync, statSync } from 'node:fs';
3
+ import { execSync } from 'node:child_process';
4
+ // ── Helpers ──────────────────────────────────────────────────────────────────
5
+ function safeExec(cmd, cwd) {
6
+ try {
7
+ return execSync(cmd, { cwd, encoding: 'utf-8', timeout: 10_000, stdio: ['pipe', 'pipe', 'pipe'] });
8
+ }
9
+ catch {
10
+ return '';
11
+ }
12
+ }
13
+ function isTestFile(filePath) {
14
+ const base = basename(filePath);
15
+ if (/\.(test|spec)\.[a-z]+$/i.test(base))
16
+ return true;
17
+ const normalized = filePath.replace(/\\/g, '/');
18
+ // Match __tests__/ anywhere in path (including at root)
19
+ if (normalized.includes('__tests__/') || normalized.includes('/__tests__'))
20
+ return true;
21
+ if (normalized.includes('/test/') || normalized.startsWith('test/'))
22
+ return true;
23
+ if (normalized.includes('/tests/') || normalized.startsWith('tests/'))
24
+ return true;
25
+ return false;
26
+ }
27
+ function hasAssertions(content) {
28
+ return /\b(assert|expect\s*\(|it\s*\(|test\s*\(|describe\s*\(|should\.|toBe\(|toEqual\(|assertEqual|assertStrictEqual)\b/i.test(content);
29
+ }
30
+ function countLines(content) {
31
+ return content.split('\n').filter(l => l.trim().length > 0).length;
32
+ }
33
+ /** Extract file names mentioned in commit messages as claims */
34
+ function extractClaimsFromMessages(messages) {
35
+ const claims = [];
36
+ // All patterns require a file extension (dot in name) to avoid false positives
37
+ const patterns = [
38
+ /\b(?:creat\w*|add\w*|implement\w*|wrot\w*|built|generat\w*|scaffold\w*)\s+([\w./\\-]+\.[a-z]{1,5})/gi,
39
+ /\b(?:fix\w*|resolv\w*|updat\w*|modify|modified)\s+([\w./\\-]+\.[a-z]{1,5})/gi,
40
+ /\badd\w*\s+tests?\s+(?:for\s+)?([\w./\\-]+\.[a-z]{1,5})/gi,
41
+ ];
42
+ for (const msg of messages) {
43
+ for (const pattern of patterns) {
44
+ pattern.lastIndex = 0;
45
+ let m;
46
+ while ((m = pattern.exec(msg)) !== null) {
47
+ const candidate = m[1].replace(/[,.:;)]+$/, '');
48
+ if (candidate && candidate.length > 2 && !candidate.startsWith('-')) {
49
+ claims.push(candidate);
50
+ }
51
+ }
52
+ }
53
+ }
54
+ return [...new Set(claims)];
55
+ }
56
+ /** Get files changed in recent agent session (git diff against since or HEAD~1) */
57
+ function getChangedFiles(cwd, since) {
58
+ let raw = '';
59
+ if (since) {
60
+ raw = safeExec(`git diff ${since} --name-only`, cwd);
61
+ }
62
+ else {
63
+ // Try HEAD~1 first
64
+ raw = safeExec(`git diff HEAD~1 --name-only`, cwd);
65
+ if (!raw.trim()) {
66
+ // Fall back to last commit's added/modified files
67
+ raw = safeExec(`git show --name-only --format="" HEAD`, cwd);
68
+ }
69
+ }
70
+ return raw
71
+ .split('\n')
72
+ .map(l => l.trim())
73
+ .filter(l => l.length > 0 && !l.startsWith('diff') && !l.startsWith('index'));
74
+ }
75
+ /** Get recent git log messages */
76
+ function getRecentMessages(cwd, since) {
77
+ let raw = '';
78
+ if (since) {
79
+ raw = safeExec(`git log ${since}..HEAD --oneline`, cwd);
80
+ }
81
+ else {
82
+ raw = safeExec(`git log -10 --oneline`, cwd);
83
+ }
84
+ return raw.split('\n').map(l => l.replace(/^[a-f0-9]+\s+/, '').trim()).filter(l => l.length > 0);
85
+ }
86
+ // ── Main check ───────────────────────────────────────────────────────────────
87
+ export function checkVerify(cwd, since) {
88
+ const issues = [];
89
+ let deductions = 0;
90
+ // Check if git repo
91
+ const isGit = safeExec('git rev-parse --is-inside-work-tree', cwd).trim();
92
+ if (isGit !== 'true') {
93
+ return {
94
+ name: 'verify',
95
+ score: 100,
96
+ maxScore: 100,
97
+ issues: [],
98
+ summary: 'not a git repository — skipped',
99
+ };
100
+ }
101
+ // Check if any commits exist
102
+ const hasCommits = safeExec('git rev-parse HEAD', cwd).trim();
103
+ if (!hasCommits) {
104
+ return {
105
+ name: 'verify',
106
+ score: 100,
107
+ maxScore: 100,
108
+ issues: [],
109
+ summary: 'no commits found — skipped',
110
+ };
111
+ }
112
+ // Get changed files from git diff
113
+ const changedFiles = getChangedFiles(cwd, since);
114
+ // Get commit messages for claim extraction
115
+ const messages = getRecentMessages(cwd, since);
116
+ // Extract explicit claims from commit messages
117
+ const explicitClaims = extractClaimsFromMessages(messages);
118
+ // Build unified file list to verify: changed files + explicitly claimed files
119
+ const toVerify = new Set();
120
+ for (const f of changedFiles)
121
+ toVerify.add(f);
122
+ for (const f of explicitClaims)
123
+ toVerify.add(f);
124
+ if (toVerify.size === 0) {
125
+ return {
126
+ name: 'verify',
127
+ score: 100,
128
+ maxScore: 100,
129
+ issues: [],
130
+ summary: 'no agent claims found in recent git history',
131
+ };
132
+ }
133
+ let verified = 0;
134
+ let failed = 0;
135
+ for (const relPath of toVerify) {
136
+ const absPath = join(cwd, relPath);
137
+ // 1. File must exist
138
+ if (!existsSync(absPath)) {
139
+ // Only flag files that were explicitly in claims from messages (not just diff-referenced)
140
+ // Changed files that don't exist could be deletions — only flag if explicitly claimed
141
+ if (explicitClaims.includes(relPath)) {
142
+ issues.push({
143
+ severity: 'error',
144
+ message: `Claimed file missing: ${relPath}`,
145
+ file: relPath,
146
+ fixable: false,
147
+ fixHint: 'Agent claimed to create this file but it does not exist',
148
+ });
149
+ deductions += 15;
150
+ failed++;
151
+ }
152
+ continue;
153
+ }
154
+ let content = '';
155
+ try {
156
+ const stat = statSync(absPath);
157
+ if (!stat.isFile()) {
158
+ verified++;
159
+ continue;
160
+ }
161
+ content = readFileSync(absPath, 'utf-8');
162
+ }
163
+ catch {
164
+ continue;
165
+ }
166
+ const lineCount = countLines(content);
167
+ // 2. File must have meaningful content (>10 non-empty lines)
168
+ if (lineCount < 10 && lineCount > 0) {
169
+ issues.push({
170
+ severity: 'warning',
171
+ message: `Thin file: ${relPath} (${lineCount} non-empty lines)`,
172
+ file: relPath,
173
+ fixable: false,
174
+ fixHint: 'Agent claimed to create/modify this file but it has minimal content',
175
+ });
176
+ deductions += 8;
177
+ failed++;
178
+ continue;
179
+ }
180
+ if (lineCount === 0) {
181
+ issues.push({
182
+ severity: 'error',
183
+ message: `Empty file: ${relPath}`,
184
+ file: relPath,
185
+ fixable: false,
186
+ fixHint: 'Agent claimed to create this file but it is empty',
187
+ });
188
+ deductions += 15;
189
+ failed++;
190
+ continue;
191
+ }
192
+ // 3. Test files must have actual assertions
193
+ if (isTestFile(relPath)) {
194
+ if (!hasAssertions(content)) {
195
+ issues.push({
196
+ severity: 'error',
197
+ message: `Test file has no assertions: ${relPath}`,
198
+ file: relPath,
199
+ fixable: false,
200
+ fixHint: 'Test file exists but contains no expect(), assert(), or test() calls',
201
+ });
202
+ deductions += 12;
203
+ failed++;
204
+ continue;
205
+ }
206
+ }
207
+ verified++;
208
+ }
209
+ const finalScore = Math.max(0, 100 - deductions);
210
+ return {
211
+ name: 'verify',
212
+ score: finalScore,
213
+ maxScore: 100,
214
+ issues,
215
+ summary: failed === 0
216
+ ? `${verified} agent claim${verified !== 1 ? 's' : ''} verified clean`
217
+ : `${failed} claim${failed !== 1 ? 's' : ''} failed verification (${verified} passed)`,
218
+ };
219
+ }
package/dist/cli.js CHANGED
@@ -14,6 +14,8 @@ import { checkDeps } from './checks/deps.js';
14
14
  import { checkDebt } from './checks/debt.js';
15
15
  import { checkIntegrity } from './checks/integrity.js';
16
16
  import { checkReceipt, runReceiptCommand } from './checks/receipt.js';
17
+ import { checkMemory } from './checks/memory.js';
18
+ import { checkVerify } from './checks/verify.js';
17
19
  import { checkMap, renderMapReport } from './checks/map.js';
18
20
  import { score } from './scorer.js';
19
21
  import { reportPretty, reportJSON, reportBadge } from './reporter.js';
@@ -163,9 +165,13 @@ async function runChecks() {
163
165
  const depsResult = await checkDeps(cwd);
164
166
  // Receipt is informational — fold into integrity category but keep low weight
165
167
  const receiptResult = await checkReceipt(cwd);
168
+ // Memory: stale facts in agent memory files
169
+ const memoryResult = checkMemory(cwd);
170
+ // Verify: agent claim validation
171
+ const verifyResult = checkVerify(cwd, since);
166
172
  return score(cwd, {
167
173
  security: [scanResult, secretsResult, configResult, modelsResult, owaspResult],
168
- integrity: [diffResult, integrityResult, receiptResult],
174
+ integrity: [diffResult, integrityResult, receiptResult, memoryResult, verifyResult],
169
175
  debt: [readyResult, historyResult, debtResult],
170
176
  deps: [depsResult],
171
177
  });
package/dist/reporter.js CHANGED
@@ -15,9 +15,6 @@ function gradeColor(grade) {
15
15
  default: return c.red;
16
16
  }
17
17
  }
18
- function categoryLabel(name) {
19
- return name.padEnd(10);
20
- }
21
18
  export function reportPretty(result) {
22
19
  const lines = [];
23
20
  // Read version from result
@@ -29,7 +26,7 @@ export function reportPretty(result) {
29
26
  for (const cat of result.categories) {
30
27
  const scoreStr = `${cat.score}/100`;
31
28
  const pad = ' '.repeat(Math.max(0, 6 - scoreStr.length));
32
- lines.push(` ${categoryLabel(cat.name)}${scoreStr}${pad} ${bar(cat.score)}`);
29
+ lines.push(` ${cat.name.padEnd(10)}${scoreStr}${pad} ${bar(cat.score)}`);
33
30
  }
34
31
  // Overall grade
35
32
  const gc = gradeColor(result.grade);
@@ -63,7 +60,14 @@ export function reportPretty(result) {
63
60
  return lines.join('\n');
64
61
  }
65
62
  export function reportJSON(result) {
66
- return JSON.stringify(result, null, 2);
63
+ return JSON.stringify({
64
+ project: result.project,
65
+ version: result.version,
66
+ score: result.score,
67
+ grade: result.grade,
68
+ fixableIssues: result.fixableIssues,
69
+ categories: result.categories,
70
+ }, null, 2);
67
71
  }
68
72
  export function reportBadge(result) {
69
73
  const grade = result.grade;
package/dist/util.d.ts CHANGED
@@ -9,10 +9,17 @@ export declare const c: {
9
9
  cyan: string;
10
10
  gray: string;
11
11
  };
12
- export declare function git(cmd: string, cwd: string): string;
12
+ /** Run git with an array of args (safe, no shell injection). */
13
13
  export declare function gitExec(args: string[], cwd: string): string;
14
+ /** Run git with a command string (splits on spaces). Use gitExec for dynamic args. */
15
+ export declare function git(cmd: string, cwd: string): string;
14
16
  export declare function isGitRepo(cwd: string): boolean;
15
17
  export declare function readFile(path: string): string | null;
18
+ /** Returns true if the path exists (file or directory). Convenience alias for existsSync. */
16
19
  export declare function fileExists(path: string): boolean;
17
20
  export declare function walkFiles(dir: string, ignore?: string[]): string[];
21
+ /** Check if a file is binary by sampling first 512 bytes for null bytes */
22
+ export declare function isTextFile(filePath: string): boolean;
23
+ /** Recursively collect all file paths under a directory */
24
+ export declare function collectDirFiles(dir: string): string[];
18
25
  export declare function matchesAny(file: string, patterns: string[]): boolean;
package/dist/util.js CHANGED
@@ -1,4 +1,4 @@
1
- import { execSync, execFileSync } from 'node:child_process';
1
+ import { execFileSync } from 'node:child_process';
2
2
  import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
3
3
  import { join, relative } from 'node:path';
4
4
  // ANSI colors — zero deps
@@ -13,14 +13,7 @@ export const c = {
13
13
  cyan: '\x1b[36m',
14
14
  gray: '\x1b[90m',
15
15
  };
16
- export function git(cmd, cwd) {
17
- try {
18
- return execSync(`git ${cmd}`, { cwd, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
19
- }
20
- catch {
21
- return '';
22
- }
23
- }
16
+ /** Run git with an array of args (safe, no shell injection). */
24
17
  export function gitExec(args, cwd) {
25
18
  try {
26
19
  return execFileSync('git', args, { cwd, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
@@ -29,6 +22,10 @@ export function gitExec(args, cwd) {
29
22
  return '';
30
23
  }
31
24
  }
25
+ /** Run git with a command string (splits on spaces). Use gitExec for dynamic args. */
26
+ export function git(cmd, cwd) {
27
+ return gitExec(cmd.split(/\s+/), cwd);
28
+ }
32
29
  export function isGitRepo(cwd) {
33
30
  return git('rev-parse --is-inside-work-tree', cwd) === 'true';
34
31
  }
@@ -40,6 +37,7 @@ export function readFile(path) {
40
37
  return null;
41
38
  }
42
39
  }
40
+ /** Returns true if the path exists (file or directory). Convenience alias for existsSync. */
43
41
  export function fileExists(path) {
44
42
  return existsSync(path);
45
43
  }
@@ -72,6 +70,39 @@ export function walkFiles(dir, ignore = []) {
72
70
  walk(dir);
73
71
  return results;
74
72
  }
73
+ /** Check if a file is binary by sampling first 512 bytes for null bytes */
74
+ export function isTextFile(filePath) {
75
+ try {
76
+ const buf = readFileSync(filePath);
77
+ const sampleSize = Math.min(512, buf.length);
78
+ for (let i = 0; i < sampleSize; i++) {
79
+ if (buf[i] === 0)
80
+ return false;
81
+ }
82
+ return true;
83
+ }
84
+ catch {
85
+ return false;
86
+ }
87
+ }
88
+ /** Recursively collect all file paths under a directory */
89
+ export function collectDirFiles(dir) {
90
+ const files = [];
91
+ try {
92
+ const entries = readdirSync(dir, { withFileTypes: true });
93
+ for (const entry of entries) {
94
+ const full = join(dir, entry.name);
95
+ if (entry.isFile()) {
96
+ files.push(full);
97
+ }
98
+ else if (entry.isDirectory()) {
99
+ files.push(...collectDirFiles(full));
100
+ }
101
+ }
102
+ }
103
+ catch { /* skip */ }
104
+ return files;
105
+ }
75
106
  export function matchesAny(file, patterns) {
76
107
  return patterns.some(p => {
77
108
  if (p.endsWith('/'))
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@safetnsr/vet",
3
- "version": "1.0.0",
3
+ "version": "1.2.0",
4
4
  "description": "vet your AI-generated code — one command, one score card, one letter grade",
5
5
  "type": "module",
6
6
  "bin": {