@safetnsr/vet 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,2 @@
1
+ import type { CheckResult } from '../types.js';
2
+ export declare function checkVerify(cwd: string, since?: string): CheckResult;
@@ -0,0 +1,219 @@
1
+ import { join, basename } from 'node:path';
2
+ import { readFileSync, existsSync, statSync } from 'node:fs';
3
+ import { execSync } from 'node:child_process';
4
+ // ── Helpers ──────────────────────────────────────────────────────────────────
5
+ function safeExec(cmd, cwd) {
6
+ try {
7
+ return execSync(cmd, { cwd, encoding: 'utf-8', timeout: 10_000, stdio: ['pipe', 'pipe', 'pipe'] });
8
+ }
9
+ catch {
10
+ return '';
11
+ }
12
+ }
13
+ function isTestFile(filePath) {
14
+ const base = basename(filePath);
15
+ if (/\.(test|spec)\.[a-z]+$/i.test(base))
16
+ return true;
17
+ const normalized = filePath.replace(/\\/g, '/');
18
+ // Match __tests__/ anywhere in path (including at root)
19
+ if (normalized.includes('__tests__/') || normalized.includes('/__tests__'))
20
+ return true;
21
+ if (normalized.includes('/test/') || normalized.startsWith('test/'))
22
+ return true;
23
+ if (normalized.includes('/tests/') || normalized.startsWith('tests/'))
24
+ return true;
25
+ return false;
26
+ }
27
+ function hasAssertions(content) {
28
+ return /\b(assert|expect\s*\(|it\s*\(|test\s*\(|describe\s*\(|should\.|toBe\(|toEqual\(|assertEqual|assertStrictEqual)\b/i.test(content);
29
+ }
30
+ function countLines(content) {
31
+ return content.split('\n').filter(l => l.trim().length > 0).length;
32
+ }
33
+ /** Extract file names mentioned in commit messages as claims */
34
+ function extractClaimsFromMessages(messages) {
35
+ const claims = [];
36
+ // All patterns require a file extension (dot in name) to avoid false positives
37
+ const patterns = [
38
+ /\b(?:creat\w*|add\w*|implement\w*|wrot\w*|built|generat\w*|scaffold\w*)\s+([\w./\\-]+\.[a-z]{1,5})/gi,
39
+ /\b(?:fix\w*|resolv\w*|updat\w*|modify|modified)\s+([\w./\\-]+\.[a-z]{1,5})/gi,
40
+ /\badd\w*\s+tests?\s+(?:for\s+)?([\w./\\-]+\.[a-z]{1,5})/gi,
41
+ ];
42
+ for (const msg of messages) {
43
+ for (const pattern of patterns) {
44
+ pattern.lastIndex = 0;
45
+ let m;
46
+ while ((m = pattern.exec(msg)) !== null) {
47
+ const candidate = m[1].replace(/[,.:;)]+$/, '');
48
+ if (candidate && candidate.length > 2 && !candidate.startsWith('-')) {
49
+ claims.push(candidate);
50
+ }
51
+ }
52
+ }
53
+ }
54
+ return [...new Set(claims)];
55
+ }
56
+ /** Get files changed in recent agent session (git diff against since or HEAD~1) */
57
+ function getChangedFiles(cwd, since) {
58
+ let raw = '';
59
+ if (since) {
60
+ raw = safeExec(`git diff ${since} --name-only`, cwd);
61
+ }
62
+ else {
63
+ // Try HEAD~1 first
64
+ raw = safeExec(`git diff HEAD~1 --name-only`, cwd);
65
+ if (!raw.trim()) {
66
+ // Fall back to last commit's added/modified files
67
+ raw = safeExec(`git show --name-only --format="" HEAD`, cwd);
68
+ }
69
+ }
70
+ return raw
71
+ .split('\n')
72
+ .map(l => l.trim())
73
+ .filter(l => l.length > 0 && !l.startsWith('diff') && !l.startsWith('index'));
74
+ }
75
+ /** Get recent git log messages */
76
+ function getRecentMessages(cwd, since) {
77
+ let raw = '';
78
+ if (since) {
79
+ raw = safeExec(`git log ${since}..HEAD --oneline`, cwd);
80
+ }
81
+ else {
82
+ raw = safeExec(`git log -10 --oneline`, cwd);
83
+ }
84
+ return raw.split('\n').map(l => l.replace(/^[a-f0-9]+\s+/, '').trim()).filter(l => l.length > 0);
85
+ }
86
+ // ── Main check ───────────────────────────────────────────────────────────────
87
+ export function checkVerify(cwd, since) {
88
+ const issues = [];
89
+ let deductions = 0;
90
+ // Check if git repo
91
+ const isGit = safeExec('git rev-parse --is-inside-work-tree', cwd).trim();
92
+ if (isGit !== 'true') {
93
+ return {
94
+ name: 'verify',
95
+ score: 100,
96
+ maxScore: 100,
97
+ issues: [],
98
+ summary: 'not a git repository — skipped',
99
+ };
100
+ }
101
+ // Check if any commits exist
102
+ const hasCommits = safeExec('git rev-parse HEAD', cwd).trim();
103
+ if (!hasCommits) {
104
+ return {
105
+ name: 'verify',
106
+ score: 100,
107
+ maxScore: 100,
108
+ issues: [],
109
+ summary: 'no commits found — skipped',
110
+ };
111
+ }
112
+ // Get changed files from git diff
113
+ const changedFiles = getChangedFiles(cwd, since);
114
+ // Get commit messages for claim extraction
115
+ const messages = getRecentMessages(cwd, since);
116
+ // Extract explicit claims from commit messages
117
+ const explicitClaims = extractClaimsFromMessages(messages);
118
+ // Build unified file list to verify: changed files + explicitly claimed files
119
+ const toVerify = new Set();
120
+ for (const f of changedFiles)
121
+ toVerify.add(f);
122
+ for (const f of explicitClaims)
123
+ toVerify.add(f);
124
+ if (toVerify.size === 0) {
125
+ return {
126
+ name: 'verify',
127
+ score: 100,
128
+ maxScore: 100,
129
+ issues: [],
130
+ summary: 'no agent claims found in recent git history',
131
+ };
132
+ }
133
+ let verified = 0;
134
+ let failed = 0;
135
+ for (const relPath of toVerify) {
136
+ const absPath = join(cwd, relPath);
137
+ // 1. File must exist
138
+ if (!existsSync(absPath)) {
139
+ // Only flag files that were explicitly in claims from messages (not just diff-referenced)
140
+ // Changed files that don't exist could be deletions — only flag if explicitly claimed
141
+ if (explicitClaims.includes(relPath)) {
142
+ issues.push({
143
+ severity: 'error',
144
+ message: `Claimed file missing: ${relPath}`,
145
+ file: relPath,
146
+ fixable: false,
147
+ fixHint: 'Agent claimed to create this file but it does not exist',
148
+ });
149
+ deductions += 15;
150
+ failed++;
151
+ }
152
+ continue;
153
+ }
154
+ let content = '';
155
+ try {
156
+ const stat = statSync(absPath);
157
+ if (!stat.isFile()) {
158
+ verified++;
159
+ continue;
160
+ }
161
+ content = readFileSync(absPath, 'utf-8');
162
+ }
163
+ catch {
164
+ continue;
165
+ }
166
+ const lineCount = countLines(content);
167
+ // 2. File must have meaningful content (>10 non-empty lines)
168
+ if (lineCount < 10 && lineCount > 0) {
169
+ issues.push({
170
+ severity: 'warning',
171
+ message: `Thin file: ${relPath} (${lineCount} non-empty lines)`,
172
+ file: relPath,
173
+ fixable: false,
174
+ fixHint: 'Agent claimed to create/modify this file but it has minimal content',
175
+ });
176
+ deductions += 8;
177
+ failed++;
178
+ continue;
179
+ }
180
+ if (lineCount === 0) {
181
+ issues.push({
182
+ severity: 'error',
183
+ message: `Empty file: ${relPath}`,
184
+ file: relPath,
185
+ fixable: false,
186
+ fixHint: 'Agent claimed to create this file but it is empty',
187
+ });
188
+ deductions += 15;
189
+ failed++;
190
+ continue;
191
+ }
192
+ // 3. Test files must have actual assertions
193
+ if (isTestFile(relPath)) {
194
+ if (!hasAssertions(content)) {
195
+ issues.push({
196
+ severity: 'error',
197
+ message: `Test file has no assertions: ${relPath}`,
198
+ file: relPath,
199
+ fixable: false,
200
+ fixHint: 'Test file exists but contains no expect(), assert(), or test() calls',
201
+ });
202
+ deductions += 12;
203
+ failed++;
204
+ continue;
205
+ }
206
+ }
207
+ verified++;
208
+ }
209
+ const finalScore = Math.max(0, 100 - deductions);
210
+ return {
211
+ name: 'verify',
212
+ score: finalScore,
213
+ maxScore: 100,
214
+ issues,
215
+ summary: failed === 0
216
+ ? `${verified} agent claim${verified !== 1 ? 's' : ''} verified clean`
217
+ : `${failed} claim${failed !== 1 ? 's' : ''} failed verification (${verified} passed)`,
218
+ };
219
+ }
package/dist/cli.js CHANGED
@@ -15,6 +15,7 @@ import { checkDebt } from './checks/debt.js';
15
15
  import { checkIntegrity } from './checks/integrity.js';
16
16
  import { checkReceipt, runReceiptCommand } from './checks/receipt.js';
17
17
  import { checkMemory } from './checks/memory.js';
18
+ import { checkVerify } from './checks/verify.js';
18
19
  import { checkMap, renderMapReport } from './checks/map.js';
19
20
  import { score } from './scorer.js';
20
21
  import { reportPretty, reportJSON, reportBadge } from './reporter.js';
@@ -166,9 +167,11 @@ async function runChecks() {
166
167
  const receiptResult = await checkReceipt(cwd);
167
168
  // Memory: stale facts in agent memory files
168
169
  const memoryResult = checkMemory(cwd);
170
+ // Verify: agent claim validation
171
+ const verifyResult = checkVerify(cwd, since);
169
172
  return score(cwd, {
170
173
  security: [scanResult, secretsResult, configResult, modelsResult, owaspResult],
171
- integrity: [diffResult, integrityResult, receiptResult, memoryResult],
174
+ integrity: [diffResult, integrityResult, receiptResult, memoryResult, verifyResult],
172
175
  debt: [readyResult, historyResult, debtResult],
173
176
  deps: [depsResult],
174
177
  });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@safetnsr/vet",
3
- "version": "1.1.0",
3
+ "version": "1.2.0",
4
4
  "description": "vet your AI-generated code — one command, one score card, one letter grade",
5
5
  "type": "module",
6
6
  "bin": {