@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/lib/ai-bridge.js

@@ -0,0 +1,416 @@
+const fs = require("fs");
+const path = require("path");
+const https = require("https");
+
+// Cache for package existence checks
+const packageCache = new Map();
+
+/**
+ * Check if a package exists in the NPM registry
+ */
+function checkNpmPackage(name) {
+  return new Promise((resolve) => {
+    if (packageCache.has(name)) return resolve(packageCache.get(name));
+
+    // Handle scoped packages and regular packages
+    const url = `https://registry.npmjs.org/${name}`;
+
+    const req = https.request(url, { method: "HEAD" }, (res) => {
+      const exists = res.statusCode === 200;
+      packageCache.set(name, exists);
+      resolve(exists);
+    });
+
+    req.on("error", () => resolve(false)); // Assume false on error or offline
+    req.end();
+  });
+}
+
+/**
+ * Extract imports from file content
+ */
+function extractImports(content) {
+  const imports = new Set();
+
+  // ESM imports
+  const importMatches = content.matchAll(
+    /import\s+(?:[\s\S]*?from\s+)?['"]([^'"]+)['"]/g,
+  );
+  for (const match of importMatches) {
+    if (match[1] && !match[1].startsWith(".") && !match[1].startsWith("/")) {
+      // Extract package name (handle scoped packages)
+      const parts = match[1].split("/");
+      const pkgName = match[1].startsWith("@")
+        ? `${parts[0]}/${parts[1]}`
+        : parts[0];
+      imports.add(pkgName);
+    }
+  }
+
+  // CommonJS requires
+  const requireMatches = content.matchAll(
+    /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+  );
+  for (const match of requireMatches) {
+    if (match[1] && !match[1].startsWith(".") && !match[1].startsWith("/")) {
+      const parts = match[1].split("/");
+      const pkgName = match[1].startsWith("@")
+        ? `${parts[0]}/${parts[1]}`
+        : parts[0];
+      imports.add(pkgName);
+    }
+  }
+
+  return Array.from(imports);
+}
+
+/**
+ * Walk directory to find source files
+ */
+function walkDir(dir, fileList = []) {
+  if (!fs.existsSync(dir)) return fileList;
+
+  const files = fs.readdirSync(dir);
+  for (const file of files) {
+    if (
+      ["node_modules", ".git", "dist", "build", ".vibecheck", ".next"].includes(
+        file,
+      )
+    )
+      continue;
+
+    const filePath = path.join(dir, file);
+    try {
+      const stat = fs.statSync(filePath);
+      if (stat.isDirectory()) {
+        walkDir(filePath, fileList);
+      } else if (/\.(ts|js|tsx|jsx)$/.test(file) && !file.endsWith(".d.ts")) {
+        fileList.push(filePath);
+      }
+    } catch (e) {}
+  }
+  return fileList;
+}
+
+async function runHallucinationCheck(projectPath) {
+  const issues = [];
+  let score = 100;
+
+  try {
+    // 1. Check package.json dependencies
+    const pkgPath = path.join(projectPath, "package.json");
+    if (fs.existsSync(pkgPath)) {
+      const content = fs.readFileSync(pkgPath, "utf8");
+      if (content.trim()) {
+        try {
+          const pkg = JSON.parse(content);
+          const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+          // Limit checks to avoid rate limiting
+          const depNames = Object.keys(deps).slice(0, 20);
+
+          for (const dep of depNames) {
+            // Skip internal/scoped packages for now if they look private
+            if (dep.startsWith("@vibecheck") || dep.startsWith("@internal"))
+              continue;
+
+            const exists = await checkNpmPackage(dep);
+            if (!exists) {
+              issues.push({
+                severity: "critical",
+                type: "Hallucination",
+                message: `Dependency '${dep}' listed in package.json does not exist in public npm registry`,
+                file: "package.json",
+              });
+            }
+          }
+        } catch (e) {
+          console.warn("Failed to parse package.json:", e.message);
+        }
+      }
+    }
+
+    // 2. Scan source files for imports (if scanning a full project)
+    // For specific file validation in runValidate, we might want to check that specific file's imports too.
+    // However, runHallucinationCheck here is designed for project-level scanning.
+  } catch (err) {
+    console.error("AI Bridge Error:", err.message);
+  }
+
+  // Deduct score
+  if (issues.length > 0) {
+    score = Math.max(0, 100 - issues.length * 20);
+  }
+
+  return {
+    score,
+    issues,
+  };
+}
+
+// --- Intent Matcher Logic (Ported from packages/ai-vibechecks) ---
+
+function extractCodeIntent(code) {
+  const entities = [];
+  const operations = [];
+
+  // Extract function/class names
+  const functionMatches = code.matchAll(
+    /(?:function|const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)/g,
+  );
+  for (const match of functionMatches) {
+    if (match[1]) entities.push(match[1]);
+  }
+
+  const classMatches = code.matchAll(/class\s+([a-zA-Z_$][a-zA-Z0-9_$]*)/g);
+  for (const match of classMatches) {
+    if (match[1]) entities.push(match[1]);
+  }
+
+  // Detect operations
+  if (code.includes("fetch") || code.includes("axios") || code.includes("http"))
+    operations.push("API call");
+  if (
+    code.includes("fs.") ||
+    code.includes("writeFile") ||
+    code.includes("readFile")
+  )
+    operations.push("File I/O");
+  if (
+    code.includes("database") ||
+    code.includes("prisma") ||
+    code.includes("mongoose")
+  )
+    operations.push("Database operation");
+  if (
+    code.includes("map") ||
+    code.includes("filter") ||
+    code.includes("reduce")
+  )
+    operations.push("Data transformation");
+  if (code.includes("useState") || code.includes("useEffect"))
+    operations.push("React hooks");
+
+  return { entities, operations };
+}
+
+function parseRequestIntent(request) {
+  const lowerRequest = request.toLowerCase();
+
+  // Extract goal (simplified)
+  let goal = "Unknown";
+  if (lowerRequest.includes("create") || lowerRequest.includes("build"))
+    goal = "Create new functionality";
+  else if (lowerRequest.includes("fix") || lowerRequest.includes("debug"))
+    goal = "Fix issue";
+
+  // Extract constraints
+  const constraints = [];
+  if (lowerRequest.includes("without")) {
+    const match = lowerRequest.match(/without\s+([^.,;]+)/);
+    if (match) constraints.push(`Avoid: ${match[1].trim()}`);
+  }
+  if (lowerRequest.includes("using")) {
+    const match = lowerRequest.match(/using\s+([^.,;]+)/);
+    if (match) constraints.push(`Use: ${match[1].trim()}`);
+  }
+
+  // Extract expected entities
+  const expectedEntities = [];
+  const commonFrameworks = [
+    "react",
+    "vue",
+    "angular",
+    "express",
+    "fastify",
+    "next",
+    "prisma",
+    "postgres",
+    "mongo",
+  ];
+  for (const fw of commonFrameworks) {
+    if (lowerRequest.includes(fw)) expectedEntities.push(fw);
+  }
+
+  // Extract expected operations
+  const expectedOperations = [];
+  if (lowerRequest.includes("api") || lowerRequest.includes("fetch"))
+    expectedOperations.push("API call");
+  if (lowerRequest.includes("database") || lowerRequest.includes("store"))
+    expectedOperations.push("Database operation");
+  if (lowerRequest.includes("file")) expectedOperations.push("File I/O");
+
+  return { goal, constraints, expectedEntities, expectedOperations };
+}
+
+function compareIntents(requested, actual) {
+  const matches = [];
+  const mismatches = [];
+  let score = 0;
+
+  // Check expected entities
+  for (const expected of requested.expectedEntities) {
+    const found =
+      actual.entities.some((e) =>
+        e.toLowerCase().includes(expected.toLowerCase()),
+      ) ||
+      // Also check imports for entities (e.g. react)
+      actual.entities.some((e) =>
+        e.toLowerCase().includes(expected.toLowerCase()),
+      );
+
+    if (found) {
+      matches.push(`Expected entity '${expected}' found`);
+      score += 20;
+    } else {
+      mismatches.push(`Expected entity '${expected}' not found in structure`);
+    }
+  }
+
+  // Check expected operations
+  for (const expectedOp of requested.expectedOperations) {
+    const found = actual.operations.some((o) =>
+      o.toLowerCase().includes(expectedOp.toLowerCase()),
+    );
+    if (found) {
+      matches.push(`Expected operation '${expectedOp}' found`);
+      score += 20;
+    } else {
+      mismatches.push(`Expected operation '${expectedOp}' not found`);
+    }
+  }
+
+  // Check constraints
+  for (const constraint of requested.constraints) {
+    if (constraint.startsWith("Avoid:")) {
+      const toAvoid = constraint.replace("Avoid:", "").trim().toLowerCase();
+      const found = actual.entities.some((e) =>
+        e.toLowerCase().includes(toAvoid),
+      );
+      if (!found) {
+        matches.push(`Successfully avoided '${toAvoid}'`);
+        score += 10;
+      } else {
+        mismatches.push(`Constraint violated: used '${toAvoid}'`);
+        score -= 20;
+      }
+    }
+    if (constraint.startsWith("Use:")) {
+      const toUse = constraint.replace("Use:", "").trim().toLowerCase();
+      const found = actual.entities.some((e) =>
+        e.toLowerCase().includes(toUse),
+      );
+      if (found) {
+        matches.push(`Required technology '${toUse}' used`);
+        score += 15;
+      } else {
+        mismatches.push(`Required technology '${toUse}' not used`);
+        score -= 15;
+      }
+    }
+  }
+
+  // Baseline score if nothing specific requested but code looks structured
+  if (
+    requested.expectedEntities.length === 0 &&
+    requested.expectedOperations.length === 0 &&
+    requested.constraints.length === 0
+  ) {
+    // If request is generic, and we found SOME entities, give it a pass
+    if (actual.entities.length > 0) score = 100;
+    else score = 50;
+  }
+
+  return {
+    alignmentScore: Math.max(0, Math.min(100, score)),
+    matches,
+    mismatches,
+  };
+}
+
+/**
+ * Validate code against an intent
+ */
+function validateIntent(code, intent) {
+  const issues = [];
+
+  if (!intent) return { score: 100, issues: [] };
+
+  const codeIntent = extractCodeIntent(code);
+  const requestIntent = parseRequestIntent(intent);
+
+  // Supplement codeIntent entities with imports for better matching (Bridge enhancement)
+  const imports = extractImports(code);
+  codeIntent.entities.push(...imports);
+
+  const comparison = compareIntents(requestIntent, codeIntent);
+
+  if (comparison.alignmentScore < 60) {
+    issues.push({
+      severity: "medium",
+      type: "Intent Mismatch",
+      message: `Code alignment score: ${comparison.alignmentScore}/100. ${comparison.mismatches.join(", ")}`,
+      file: "generated-code",
+    });
+  }
+
+  return {
+    score: comparison.alignmentScore,
+    issues,
+  };
+}
+
+/**
+ * Static Analysis/Quality Check
+ */
+function validateQuality(code) {
+  const issues = [];
+  let score = 100;
+
+  // Check for hardcoded secrets
+  if (
+    /['"][a-zA-Z0-9]{20,}['"]/.test(code) &&
+    (code.includes("key") || code.includes("token") || code.includes("secret"))
+  ) {
+    issues.push({
+      severity: "high",
+      type: "Security",
+      message: "Potential hardcoded secret detected",
+      file: "generated-code",
+    });
+  }
+
+  // Check for syntax errors (basic)
+  const openBraces = (code.match(/{/g) || []).length;
+  const closeBraces = (code.match(/}/g) || []).length;
+  if (openBraces !== closeBraces) {
+    issues.push({
+      severity: "critical",
+      type: "Syntax",
+      message: "Unbalanced braces detected",
+      file: "generated-code",
+    });
+  }
+
+  // Check for console.log
+  if (code.includes("console.log")) {
+    issues.push({
+      severity: "low",
+      type: "Quality",
+      message: "Console.log statement detected",
+      file: "generated-code",
+    });
+    score -= 5;
+  }
+
+  return {
+    score: Math.max(0, Math.min(100, score - issues.length * 10)),
+    issues,
+  };
+}
+
+module.exports = {
+  runHallucinationCheck,
+  validateIntent,
+  validateQuality,
+};

package/bin/runners/lib/analysis-core.js

@@ -0,0 +1,271 @@
+/**
+ * Analysis Core - Shared analysis engine for Ship and Scan
+ * 
+ * Consolidates common logic:
+ * - Truthpack generation
+ * - Finding collection
+ * - Verdict calculation
+ * - Output formatting
+ * 
+ * Ship = Fast path (core analyzers only)
+ * Scan = Deep path (core + extended analyzers + optional layers)
+ */
+
+const path = require("path");
+const fs = require("fs");
+const { buildTruthpack, writeTruthpack, detectFastifyEntry } = require("./truth");
+const {
+  findMissingRoutes,
+  findEnvGaps,
+  findFakeSuccess,
+  findGhostAuth,
+  findStripeWebhookViolations,
+  findPaidSurfaceNotEnforced,
+  findOwnerModeBypass
+} = require("./analyzers");
+const { findingsFromReality } = require("./reality-findings");
+
+// ============================================================================
+// CORE ANALYSIS (Used by both Ship and Scan)
+// ============================================================================
+
+/**
+ * Run core analyzers that apply to all projects
+ * @param {string} root - Project root path
+ * @param {object} truthpack - Generated truthpack
+ * @returns {Array} - Array of findings
+ */
+function runCoreAnalyzers(root, truthpack) {
+  return [
+    ...findMissingRoutes(truthpack),
+    ...findEnvGaps(truthpack),
+    ...findFakeSuccess(root),
+    ...findGhostAuth(truthpack, root),
+    ...findStripeWebhookViolations(truthpack),
+    ...findPaidSurfaceNotEnforced(truthpack),
+    ...findOwnerModeBypass(root),
+    ...findingsFromReality(root)
+  ];
+}
+
+/**
+ * Calculate verdict from findings
+ * @param {Array} findings - Array of findings
+ * @returns {string} - SHIP | WARN | BLOCK
+ */
+function calculateVerdict(findings) {
+  if (findings.some(f => f.severity === "BLOCK")) return "BLOCK";
+  if (findings.some(f => f.severity === "WARN")) return "WARN";
+  return "SHIP";
+}
+
+/**
+ * Build proof graph from findings
+ * @param {Array} findings - Array of findings
+ * @param {object} truthpack - Truthpack data
+ * @param {string} root - Project root path
+ * @returns {object} - Proof graph
+ */
+function buildProofGraph(findings, truthpack, root) {
+  const claims = [];
+  let claimId = 0;
+  
+  for (const finding of findings) {
+    const claim = {
+      id: `claim-${++claimId}`,
+      type: getClaimType(finding.category),
+      assertion: finding.title || finding.message,
+      verified: finding.severity !== 'BLOCK',
+      confidence: finding.confidence === 'high' ? 0.9 : finding.confidence === 'medium' ? 0.7 : 0.5,
+      evidence: (finding.evidence || []).map((e, i) => ({
+        id: `evidence-${claimId}-${i}`,
+        type: 'file_citation',
+        file: e.file,
+        line: parseInt(e.lines?.split('-')[0]) || e.line || 1,
+        snippet: e.snippetHash || '',
+        strength: 0.8,
+        verifiedAt: new Date().toISOString(),
+        method: 'static'
+      })),
+      gaps: [{
+        id: `gap-${claimId}`,
+        type: getGapType(finding.category),
+        description: finding.why || finding.title,
+        severity: finding.severity === 'BLOCK' ? 'critical' : finding.severity === 'WARN' ? 'medium' : 'low',
+        suggestion: (finding.fixHints || [])[0] || ''
+      }],
+      severity: finding.severity === 'BLOCK' ? 'critical' : finding.severity === 'WARN' ? 'medium' : 'low',
+      file: finding.evidence?.[0]?.file || '',
+      line: parseInt(finding.evidence?.[0]?.lines?.split('-')[0]) || 1
+    };
+    claims.push(claim);
+  }
+  
+  const verifiedClaims = claims.filter(c => c.verified);
+  const failedClaims = claims.filter(c => !c.verified);
+  const allGaps = claims.flatMap(c => c.gaps);
+  
+  const riskScore = Math.min(100, failedClaims.reduce((sum, c) => {
+    if (c.severity === 'critical') return sum + 30;
+    if (c.severity === 'high') return sum + 20;
+    if (c.severity === 'medium') return sum + 10;
+    return sum + 5;
+  }, 0));
+  
+  const confidence = claims.length > 0 
+    ? claims.reduce((sum, c) => sum + c.confidence, 0) / claims.length 
+    : 1.0;
+  
+  return {
+    version: '1.0.0',
+    generatedAt: new Date().toISOString(),
+    projectPath: root,
+    claims,
+    summary: {
+      totalClaims: claims.length,
+      verifiedClaims: verifiedClaims.length,
+      failedClaims: failedClaims.length,
+      gaps: allGaps.length,
+      riskScore,
+      confidence
+    },
+    verdict: calculateVerdict(findings),
+    topBlockers: failedClaims.filter(c => c.severity === 'critical' || c.severity === 'high').slice(0, 5),
+    topGaps: allGaps.filter(g => g.severity === 'critical' || g.severity === 'high').slice(0, 5)
+  };
+}
+
+function getClaimType(category) {
+  const map = {
+    'MissingRoute': 'route_exists',
+    'EnvContract': 'env_declared',
+    'FakeSuccess': 'success_verified',
+    'GhostAuth': 'auth_protected',
+    'StripeWebhook': 'billing_enforced',
+    'PaidSurface': 'billing_enforced',
+    'OwnerModeBypass': 'billing_enforced',
+    'DeadUI': 'ui_wired'
+  };
+  return map[category] || 'ui_wired';
+}
+
+function getGapType(category) {
+  const map = {
+    'MissingRoute': 'missing_handler',
+    'EnvContract': 'missing_verification',
+    'FakeSuccess': 'missing_verification',
+    'GhostAuth': 'missing_gate',
+    'StripeWebhook': 'missing_verification',
+    'PaidSurface': 'missing_gate',
+    'OwnerModeBypass': 'missing_gate',
+    'DeadUI': 'missing_handler'
+  };
+  return map[category] || 'untested_path';
+}
+
+// ============================================================================
+// UNIFIED ANALYSIS RUNNER
+// ============================================================================
+
+/**
+ * Run unified analysis (used by both ship and scan)
+ * @param {object} options - Analysis options
+ * @returns {object} - Analysis result with findings, verdict, proofGraph
+ */
+async function runAnalysis({ 
+  repoRoot = process.cwd(), 
+  fastifyEntry = null,
+  extended = false,  // If true, run extended analyzers (scan mode)
+  noWrite = false 
+} = {}) {
+  const root = repoRoot;
+  const fastEntry = fastifyEntry || detectFastifyEntry(root);
+
+  // Build truthpack
+  const truthpack = await buildTruthpack({ repoRoot: root, fastifyEntry: fastEntry });
+  if (!noWrite) {
+    writeTruthpack(root, truthpack);
+  }
+
+  // Run core analyzers
+  const findings = runCoreAnalyzers(root, truthpack);
+
+  // Calculate verdict
+  const verdict = calculateVerdict(findings);
+
+  // Build proof graph
+  const proofGraph = buildProofGraph(findings, truthpack, root);
+
+  // Build report
+  const report = {
+    meta: { 
+      generatedAt: new Date().toISOString(), 
+      verdict,
+      mode: extended ? 'scan' : 'ship'
+    },
+    truthpackHash: truthpack.index?.hashes?.truthpackHash,
+    findings,
+    proofGraph: {
+      summary: proofGraph.summary,
+      topBlockers: proofGraph.topBlockers.slice(0, 5),
+      topGaps: proofGraph.topGaps.slice(0, 5)
+    }
+  };
+
+  // Write outputs
+  if (!noWrite) {
+    const outDir = path.join(root, ".vibecheck");
+    fs.mkdirSync(outDir, { recursive: true });
+    fs.writeFileSync(path.join(outDir, "last_ship.json"), JSON.stringify(report, null, 2));
+    fs.writeFileSync(path.join(outDir, "proof-graph.json"), JSON.stringify(proofGraph, null, 2));
+  }
+
+  return { report, truthpack, verdict, proofGraph, findings };
+}
+
+// ============================================================================
+// FINDING UTILITIES
+// ============================================================================
+
+/**
+ * Group findings by category
+ */
+function groupFindings(findings) {
+  const groups = {};
+  for (const f of findings) {
+    const cat = f.category || 'Other';
+    if (!groups[cat]) groups[cat] = [];
+    groups[cat].push(f);
+  }
+  return groups;
+}
+
+/**
+ * Count findings by severity
+ */
+function countBySeverity(findings) {
+  return {
+    block: findings.filter(f => f.severity === 'BLOCK').length,
+    warn: findings.filter(f => f.severity === 'WARN').length,
+    info: findings.filter(f => f.severity === 'INFO').length
+  };
+}
+
+/**
+ * Get top N blockers
+ */
+function getTopBlockers(findings, n = 5) {
+  return findings
+    .filter(f => f.severity === 'BLOCK')
+    .slice(0, n);
+}
+
+module.exports = {
+  runCoreAnalyzers,
+  calculateVerdict,
+  buildProofGraph,
+  runAnalysis,
+  groupFindings,
+  countBySeverity,
+  getTopBlockers
+};