@safetnsr/vet 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/checks/verify.d.ts +2 -0
- package/dist/checks/verify.js +219 -0
- package/dist/cli.js +4 -1
- package/package.json +1 -1
|
@@ -0,0 +1,219 @@
|
|
|
1
|
+
import { join, basename } from 'node:path';
|
|
2
|
+
import { readFileSync, existsSync, statSync } from 'node:fs';
|
|
3
|
+
import { execSync } from 'node:child_process';
|
|
4
|
+
// ── Helpers ──────────────────────────────────────────────────────────────────
|
|
5
|
+
function safeExec(cmd, cwd) {
|
|
6
|
+
try {
|
|
7
|
+
return execSync(cmd, { cwd, encoding: 'utf-8', timeout: 10_000, stdio: ['pipe', 'pipe', 'pipe'] });
|
|
8
|
+
}
|
|
9
|
+
catch {
|
|
10
|
+
return '';
|
|
11
|
+
}
|
|
12
|
+
}
|
|
13
|
+
function isTestFile(filePath) {
|
|
14
|
+
const base = basename(filePath);
|
|
15
|
+
if (/\.(test|spec)\.[a-z]+$/i.test(base))
|
|
16
|
+
return true;
|
|
17
|
+
const normalized = filePath.replace(/\\/g, '/');
|
|
18
|
+
// Match __tests__/ anywhere in path (including at root)
|
|
19
|
+
if (normalized.includes('__tests__/') || normalized.includes('/__tests__'))
|
|
20
|
+
return true;
|
|
21
|
+
if (normalized.includes('/test/') || normalized.startsWith('test/'))
|
|
22
|
+
return true;
|
|
23
|
+
if (normalized.includes('/tests/') || normalized.startsWith('tests/'))
|
|
24
|
+
return true;
|
|
25
|
+
return false;
|
|
26
|
+
}
|
|
27
|
+
function hasAssertions(content) {
|
|
28
|
+
return /\b(assert|expect\s*\(|it\s*\(|test\s*\(|describe\s*\(|should\.|toBe\(|toEqual\(|assertEqual|assertStrictEqual)\b/i.test(content);
|
|
29
|
+
}
|
|
30
|
+
function countLines(content) {
|
|
31
|
+
return content.split('\n').filter(l => l.trim().length > 0).length;
|
|
32
|
+
}
|
|
33
|
+
/** Extract file names mentioned in commit messages as claims */
|
|
34
|
+
function extractClaimsFromMessages(messages) {
|
|
35
|
+
const claims = [];
|
|
36
|
+
// All patterns require a file extension (dot in name) to avoid false positives
|
|
37
|
+
const patterns = [
|
|
38
|
+
/\b(?:creat\w*|add\w*|implement\w*|wrot\w*|built|generat\w*|scaffold\w*)\s+([\w./\\-]+\.[a-z]{1,5})/gi,
|
|
39
|
+
/\b(?:fix\w*|resolv\w*|updat\w*|modify|modified)\s+([\w./\\-]+\.[a-z]{1,5})/gi,
|
|
40
|
+
/\badd\w*\s+tests?\s+(?:for\s+)?([\w./\\-]+\.[a-z]{1,5})/gi,
|
|
41
|
+
];
|
|
42
|
+
for (const msg of messages) {
|
|
43
|
+
for (const pattern of patterns) {
|
|
44
|
+
pattern.lastIndex = 0;
|
|
45
|
+
let m;
|
|
46
|
+
while ((m = pattern.exec(msg)) !== null) {
|
|
47
|
+
const candidate = m[1].replace(/[,.:;)]+$/, '');
|
|
48
|
+
if (candidate && candidate.length > 2 && !candidate.startsWith('-')) {
|
|
49
|
+
claims.push(candidate);
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
return [...new Set(claims)];
|
|
55
|
+
}
|
|
56
|
+
/** Get files changed in recent agent session (git diff against since or HEAD~1) */
|
|
57
|
+
function getChangedFiles(cwd, since) {
|
|
58
|
+
let raw = '';
|
|
59
|
+
if (since) {
|
|
60
|
+
raw = safeExec(`git diff ${since} --name-only`, cwd);
|
|
61
|
+
}
|
|
62
|
+
else {
|
|
63
|
+
// Try HEAD~1 first
|
|
64
|
+
raw = safeExec(`git diff HEAD~1 --name-only`, cwd);
|
|
65
|
+
if (!raw.trim()) {
|
|
66
|
+
// Fall back to last commit's added/modified files
|
|
67
|
+
raw = safeExec(`git show --name-only --format="" HEAD`, cwd);
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
return raw
|
|
71
|
+
.split('\n')
|
|
72
|
+
.map(l => l.trim())
|
|
73
|
+
.filter(l => l.length > 0 && !l.startsWith('diff') && !l.startsWith('index'));
|
|
74
|
+
}
|
|
75
|
+
/** Get recent git log messages */
|
|
76
|
+
function getRecentMessages(cwd, since) {
|
|
77
|
+
let raw = '';
|
|
78
|
+
if (since) {
|
|
79
|
+
raw = safeExec(`git log ${since}..HEAD --oneline`, cwd);
|
|
80
|
+
}
|
|
81
|
+
else {
|
|
82
|
+
raw = safeExec(`git log -10 --oneline`, cwd);
|
|
83
|
+
}
|
|
84
|
+
return raw.split('\n').map(l => l.replace(/^[a-f0-9]+\s+/, '').trim()).filter(l => l.length > 0);
|
|
85
|
+
}
|
|
86
|
+
// ── Main check ───────────────────────────────────────────────────────────────
|
|
87
|
+
export function checkVerify(cwd, since) {
|
|
88
|
+
const issues = [];
|
|
89
|
+
let deductions = 0;
|
|
90
|
+
// Check if git repo
|
|
91
|
+
const isGit = safeExec('git rev-parse --is-inside-work-tree', cwd).trim();
|
|
92
|
+
if (isGit !== 'true') {
|
|
93
|
+
return {
|
|
94
|
+
name: 'verify',
|
|
95
|
+
score: 100,
|
|
96
|
+
maxScore: 100,
|
|
97
|
+
issues: [],
|
|
98
|
+
summary: 'not a git repository — skipped',
|
|
99
|
+
};
|
|
100
|
+
}
|
|
101
|
+
// Check if any commits exist
|
|
102
|
+
const hasCommits = safeExec('git rev-parse HEAD', cwd).trim();
|
|
103
|
+
if (!hasCommits) {
|
|
104
|
+
return {
|
|
105
|
+
name: 'verify',
|
|
106
|
+
score: 100,
|
|
107
|
+
maxScore: 100,
|
|
108
|
+
issues: [],
|
|
109
|
+
summary: 'no commits found — skipped',
|
|
110
|
+
};
|
|
111
|
+
}
|
|
112
|
+
// Get changed files from git diff
|
|
113
|
+
const changedFiles = getChangedFiles(cwd, since);
|
|
114
|
+
// Get commit messages for claim extraction
|
|
115
|
+
const messages = getRecentMessages(cwd, since);
|
|
116
|
+
// Extract explicit claims from commit messages
|
|
117
|
+
const explicitClaims = extractClaimsFromMessages(messages);
|
|
118
|
+
// Build unified file list to verify: changed files + explicitly claimed files
|
|
119
|
+
const toVerify = new Set();
|
|
120
|
+
for (const f of changedFiles)
|
|
121
|
+
toVerify.add(f);
|
|
122
|
+
for (const f of explicitClaims)
|
|
123
|
+
toVerify.add(f);
|
|
124
|
+
if (toVerify.size === 0) {
|
|
125
|
+
return {
|
|
126
|
+
name: 'verify',
|
|
127
|
+
score: 100,
|
|
128
|
+
maxScore: 100,
|
|
129
|
+
issues: [],
|
|
130
|
+
summary: 'no agent claims found in recent git history',
|
|
131
|
+
};
|
|
132
|
+
}
|
|
133
|
+
let verified = 0;
|
|
134
|
+
let failed = 0;
|
|
135
|
+
for (const relPath of toVerify) {
|
|
136
|
+
const absPath = join(cwd, relPath);
|
|
137
|
+
// 1. File must exist
|
|
138
|
+
if (!existsSync(absPath)) {
|
|
139
|
+
// Only flag files that were explicitly in claims from messages (not just diff-referenced)
|
|
140
|
+
// Changed files that don't exist could be deletions — only flag if explicitly claimed
|
|
141
|
+
if (explicitClaims.includes(relPath)) {
|
|
142
|
+
issues.push({
|
|
143
|
+
severity: 'error',
|
|
144
|
+
message: `Claimed file missing: ${relPath}`,
|
|
145
|
+
file: relPath,
|
|
146
|
+
fixable: false,
|
|
147
|
+
fixHint: 'Agent claimed to create this file but it does not exist',
|
|
148
|
+
});
|
|
149
|
+
deductions += 15;
|
|
150
|
+
failed++;
|
|
151
|
+
}
|
|
152
|
+
continue;
|
|
153
|
+
}
|
|
154
|
+
let content = '';
|
|
155
|
+
try {
|
|
156
|
+
const stat = statSync(absPath);
|
|
157
|
+
if (!stat.isFile()) {
|
|
158
|
+
verified++;
|
|
159
|
+
continue;
|
|
160
|
+
}
|
|
161
|
+
content = readFileSync(absPath, 'utf-8');
|
|
162
|
+
}
|
|
163
|
+
catch {
|
|
164
|
+
continue;
|
|
165
|
+
}
|
|
166
|
+
const lineCount = countLines(content);
|
|
167
|
+
// 2. File must have meaningful content (>10 non-empty lines)
|
|
168
|
+
if (lineCount < 10 && lineCount > 0) {
|
|
169
|
+
issues.push({
|
|
170
|
+
severity: 'warning',
|
|
171
|
+
message: `Thin file: ${relPath} (${lineCount} non-empty lines)`,
|
|
172
|
+
file: relPath,
|
|
173
|
+
fixable: false,
|
|
174
|
+
fixHint: 'Agent claimed to create/modify this file but it has minimal content',
|
|
175
|
+
});
|
|
176
|
+
deductions += 8;
|
|
177
|
+
failed++;
|
|
178
|
+
continue;
|
|
179
|
+
}
|
|
180
|
+
if (lineCount === 0) {
|
|
181
|
+
issues.push({
|
|
182
|
+
severity: 'error',
|
|
183
|
+
message: `Empty file: ${relPath}`,
|
|
184
|
+
file: relPath,
|
|
185
|
+
fixable: false,
|
|
186
|
+
fixHint: 'Agent claimed to create this file but it is empty',
|
|
187
|
+
});
|
|
188
|
+
deductions += 15;
|
|
189
|
+
failed++;
|
|
190
|
+
continue;
|
|
191
|
+
}
|
|
192
|
+
// 3. Test files must have actual assertions
|
|
193
|
+
if (isTestFile(relPath)) {
|
|
194
|
+
if (!hasAssertions(content)) {
|
|
195
|
+
issues.push({
|
|
196
|
+
severity: 'error',
|
|
197
|
+
message: `Test file has no assertions: ${relPath}`,
|
|
198
|
+
file: relPath,
|
|
199
|
+
fixable: false,
|
|
200
|
+
fixHint: 'Test file exists but contains no expect(), assert(), or test() calls',
|
|
201
|
+
});
|
|
202
|
+
deductions += 12;
|
|
203
|
+
failed++;
|
|
204
|
+
continue;
|
|
205
|
+
}
|
|
206
|
+
}
|
|
207
|
+
verified++;
|
|
208
|
+
}
|
|
209
|
+
const finalScore = Math.max(0, 100 - deductions);
|
|
210
|
+
return {
|
|
211
|
+
name: 'verify',
|
|
212
|
+
score: finalScore,
|
|
213
|
+
maxScore: 100,
|
|
214
|
+
issues,
|
|
215
|
+
summary: failed === 0
|
|
216
|
+
? `${verified} agent claim${verified !== 1 ? 's' : ''} verified clean`
|
|
217
|
+
: `${failed} claim${failed !== 1 ? 's' : ''} failed verification (${verified} passed)`,
|
|
218
|
+
};
|
|
219
|
+
}
|
package/dist/cli.js
CHANGED
|
@@ -15,6 +15,7 @@ import { checkDebt } from './checks/debt.js';
|
|
|
15
15
|
import { checkIntegrity } from './checks/integrity.js';
|
|
16
16
|
import { checkReceipt, runReceiptCommand } from './checks/receipt.js';
|
|
17
17
|
import { checkMemory } from './checks/memory.js';
|
|
18
|
+
import { checkVerify } from './checks/verify.js';
|
|
18
19
|
import { checkMap, renderMapReport } from './checks/map.js';
|
|
19
20
|
import { score } from './scorer.js';
|
|
20
21
|
import { reportPretty, reportJSON, reportBadge } from './reporter.js';
|
|
@@ -166,9 +167,11 @@ async function runChecks() {
|
|
|
166
167
|
const receiptResult = await checkReceipt(cwd);
|
|
167
168
|
// Memory: stale facts in agent memory files
|
|
168
169
|
const memoryResult = checkMemory(cwd);
|
|
170
|
+
// Verify: agent claim validation
|
|
171
|
+
const verifyResult = checkVerify(cwd, since);
|
|
169
172
|
return score(cwd, {
|
|
170
173
|
security: [scanResult, secretsResult, configResult, modelsResult, owaspResult],
|
|
171
|
-
integrity: [diffResult, integrityResult, receiptResult, memoryResult],
|
|
174
|
+
integrity: [diffResult, integrityResult, receiptResult, memoryResult, verifyResult],
|
|
172
175
|
debt: [readyResult, historyResult, debtResult],
|
|
173
176
|
deps: [depsResult],
|
|
174
177
|
});
|