@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/lib/sandbox/proof-chain.js

@@ -0,0 +1,399 @@
+/**
+ * Proof Chain
+ * Runs verification stages in sandbox before accepting patches
+ */
+
+"use strict";
+
+const { execSync } = require("child_process");
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Proof chain stages
+ */
+const PROOF_LEVELS = {
+  fast: ["static"],
+  balanced: ["static", "build"],
+  paranoid: ["static", "build", "reality"]
+};
+
+/**
+ * Run proof chain in sandbox
+ */
+async function runProofChain(sandboxPath, options = {}) {
+  const level = options.level || "balanced";
+  const stages = PROOF_LEVELS[level] || PROOF_LEVELS.balanced;
+  
+  const results = {
+    level,
+    stages: [],
+    passed: true,
+    duration: 0
+  };
+
+  const startTime = Date.now();
+
+  for (const stage of stages) {
+    const stageResult = await runStage(sandboxPath, stage, options);
+    results.stages.push(stageResult);
+
+    if (!stageResult.passed) {
+      results.passed = false;
+      results.failedAt = stage;
+      break;
+    }
+  }
+
+  results.duration = Date.now() - startTime;
+  return results;
+}
+
+/**
+ * Run individual proof stage
+ */
+async function runStage(sandboxPath, stage, options) {
+  const startTime = Date.now();
+  
+  switch (stage) {
+    case "static":
+      return runStaticProof(sandboxPath, options);
+    case "build":
+      return runBuildProof(sandboxPath, options);
+    case "reality":
+      return runRealityProof(sandboxPath, options);
+    default:
+      return { stage, passed: true, skipped: true, duration: 0 };
+  }
+}
+
+/**
+ * Static proof: ship + contracts guard
+ */
+async function runStaticProof(sandboxPath, options) {
+  const result = {
+    stage: "static",
+    passed: true,
+    checks: [],
+    duration: 0
+  };
+
+  const startTime = Date.now();
+
+  // Run vibecheck ship in sandbox
+  try {
+    const vibecheckBin = path.join(__dirname, "..", "..", "..", "guardrail.js");
+    const output = execSync(`node "${vibecheckBin}" ship --json`, {
+      cwd: sandboxPath,
+      encoding: "utf8",
+      timeout: 30000,
+      stdio: "pipe",
+      env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" }
+    });
+
+    // Parse verdict from output
+    const verdictMatch = output.match(/Verdict:\s*(SHIP|WARN|BLOCK)/i);
+    const verdict = verdictMatch ? verdictMatch[1].toUpperCase() : "UNKNOWN";
+
+    result.checks.push({
+      name: "ship",
+      passed: verdict !== "BLOCK",
+      verdict,
+      output: output.slice(-500)
+    });
+
+    if (verdict === "BLOCK") {
+      result.passed = false;
+      result.reason = "Ship verdict is BLOCK";
+    }
+  } catch (e) {
+    result.checks.push({
+      name: "ship",
+      passed: false,
+      error: e.message
+    });
+    result.passed = false;
+    result.reason = `Ship check failed: ${e.message}`;
+  }
+
+  // Run contracts guard if contracts exist
+  const contractsDir = path.join(sandboxPath, ".vibecheck", "contracts");
+  if (fs.existsSync(contractsDir)) {
+    try {
+      const vibecheckBin = path.join(__dirname, "..", "..", "..", "guardrail.js");
+      const output = execSync(`node "${vibecheckBin}" ctx guard --json`, {
+        cwd: sandboxPath,
+        encoding: "utf8",
+        timeout: 30000,
+        stdio: "pipe",
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" }
+      });
+
+      result.checks.push({
+        name: "contracts",
+        passed: true,
+        output: output.slice(-500)
+      });
+    } catch (e) {
+      // Check if it's a BLOCK
+      if (e.status === 2) {
+        result.checks.push({
+          name: "contracts",
+          passed: false,
+          error: "Contract violations found"
+        });
+        result.passed = false;
+        result.reason = "Contract guard failed";
+      } else {
+        result.checks.push({
+          name: "contracts",
+          passed: true,
+          warning: e.message
+        });
+      }
+    }
+  }
+
+  result.duration = Date.now() - startTime;
+  return result;
+}
+
+/**
+ * Build proof: typecheck + build + targeted tests
+ */
+async function runBuildProof(sandboxPath, options) {
+  const result = {
+    stage: "build",
+    passed: true,
+    checks: [],
+    duration: 0
+  };
+
+  const startTime = Date.now();
+
+  // Detect package manager
+  const pm = detectPackageManager(sandboxPath);
+
+  // Check for TypeScript
+  const tsconfigPath = path.join(sandboxPath, "tsconfig.json");
+  if (fs.existsSync(tsconfigPath)) {
+    try {
+      execSync(`${pm} run typecheck 2>&1 || npx tsc --noEmit 2>&1`, {
+        cwd: sandboxPath,
+        encoding: "utf8",
+        timeout: 60000,
+        stdio: "pipe"
+      });
+
+      result.checks.push({
+        name: "typecheck",
+        passed: true
+      });
+    } catch (e) {
+      // TypeScript errors
+      result.checks.push({
+        name: "typecheck",
+        passed: false,
+        error: e.stdout?.slice(-500) || e.message
+      });
+      result.passed = false;
+      result.reason = "TypeScript errors";
+    }
+  }
+
+  // Try to run build
+  const pkgPath = path.join(sandboxPath, "package.json");
+  if (fs.existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+      
+      if (pkg.scripts?.build) {
+        execSync(`${pm} run build`, {
+          cwd: sandboxPath,
+          encoding: "utf8",
+          timeout: 120000,
+          stdio: "pipe"
+        });
+
+        result.checks.push({
+          name: "build",
+          passed: true
+        });
+      }
+    } catch (e) {
+      result.checks.push({
+        name: "build",
+        passed: false,
+        error: e.message?.slice(-500)
+      });
+      result.passed = false;
+      result.reason = "Build failed";
+    }
+  }
+
+  // Run targeted tests if changed files have test files
+  if (options.changedFiles?.length) {
+    const testFiles = findRelatedTests(sandboxPath, options.changedFiles);
+    
+    if (testFiles.length > 0) {
+      try {
+        const testCmd = `${pm} test -- ${testFiles.join(" ")}`;
+        execSync(testCmd, {
+          cwd: sandboxPath,
+          encoding: "utf8",
+          timeout: 120000,
+          stdio: "pipe"
+        });
+
+        result.checks.push({
+          name: "tests",
+          passed: true,
+          files: testFiles
+        });
+      } catch (e) {
+        result.checks.push({
+          name: "tests",
+          passed: false,
+          files: testFiles,
+          error: e.message?.slice(-500)
+        });
+        result.passed = false;
+        result.reason = "Tests failed";
+      }
+    }
+  }
+
+  result.duration = Date.now() - startTime;
+  return result;
+}
+
+/**
+ * Reality proof: run reality checks on critical paths
+ */
+async function runRealityProof(sandboxPath, options) {
+  const result = {
+    stage: "reality",
+    passed: true,
+    checks: [],
+    duration: 0
+  };
+
+  const startTime = Date.now();
+
+  if (!options.url) {
+    result.checks.push({
+      name: "reality",
+      passed: true,
+      skipped: true,
+      reason: "No URL provided"
+    });
+    result.duration = Date.now() - startTime;
+    return result;
+  }
+
+  // Run vibecheck reality
+  try {
+    const vibecheckBin = path.join(__dirname, "..", "..", "..", "guardrail.js");
+    const cmd = `node "${vibecheckBin}" reality --url ${options.url} --max-pages 5 --max-depth 1`;
+    
+    execSync(cmd, {
+      cwd: sandboxPath,
+      encoding: "utf8",
+      timeout: 120000,
+      stdio: "pipe",
+      env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" }
+    });
+
+    result.checks.push({
+      name: "reality",
+      passed: true
+    });
+  } catch (e) {
+    if (e.status === 2) {
+      result.checks.push({
+        name: "reality",
+        passed: false,
+        error: "Reality check found blocking issues"
+      });
+      result.passed = false;
+      result.reason = "Reality check failed";
+    } else {
+      result.checks.push({
+        name: "reality",
+        passed: true,
+        warning: e.message
+      });
+    }
+  }
+
+  result.duration = Date.now() - startTime;
+  return result;
+}
+
+/**
+ * Detect package manager
+ */
+function detectPackageManager(repoRoot) {
+  if (fs.existsSync(path.join(repoRoot, "pnpm-lock.yaml"))) return "pnpm";
+  if (fs.existsSync(path.join(repoRoot, "yarn.lock"))) return "yarn";
+  return "npm";
+}
+
+/**
+ * Find test files related to changed files
+ */
+function findRelatedTests(repoRoot, changedFiles) {
+  const testFiles = [];
+
+  for (const file of changedFiles) {
+    // Look for .test.ts, .spec.ts variants
+    const base = file.replace(/\.(ts|tsx|js|jsx)$/, "");
+    const testVariants = [
+      `${base}.test.ts`,
+      `${base}.test.tsx`,
+      `${base}.test.js`,
+      `${base}.spec.ts`,
+      `${base}.spec.tsx`,
+      `${base}.spec.js`
+    ];
+
+    for (const variant of testVariants) {
+      const testPath = path.join(repoRoot, variant);
+      if (fs.existsSync(testPath)) {
+        testFiles.push(variant);
+        break;
+      }
+    }
+
+    // Also check __tests__ directory
+    const dir = path.dirname(file);
+    const name = path.basename(file).replace(/\.(ts|tsx|js|jsx)$/, "");
+    const testsDir = path.join(repoRoot, dir, "__tests__");
+    
+    if (fs.existsSync(testsDir)) {
+      const testVariants = [
+        `${name}.test.ts`,
+        `${name}.test.tsx`,
+        `${name}.test.js`
+      ];
+
+      for (const variant of testVariants) {
+        const testPath = path.join(testsDir, variant);
+        if (fs.existsSync(testPath)) {
+          testFiles.push(path.join(dir, "__tests__", variant));
+          break;
+        }
+      }
+    }
+  }
+
+  return [...new Set(testFiles)];
+}
+
+module.exports = {
+  runProofChain,
+  runStaticProof,
+  runBuildProof,
+  runRealityProof,
+  PROOF_LEVELS
+};

package/bin/runners/lib/sandbox/sandbox-runner.js

@@ -0,0 +1,205 @@
+/**
+ * Sandbox Runner
+ * Orchestrates the complete sandbox workflow:
+ * 1. Create isolated workspace
+ * 2. Apply patches
+ * 3. Run proof chain
+ * 4. Merge back or rollback
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const { 
+  isGitRepo, 
+  isGitClean, 
+  createWorktree, 
+  removeWorktree,
+  copyChangesBack,
+  runInSandbox,
+  getChangedFiles 
+} = require("./worktree");
+const { runProofChain, PROOF_LEVELS } = require("./proof-chain");
+
+/**
+ * Run patch in sandbox with proof chain
+ */
+async function runPatchInSandbox(repoRoot, patchFn, options = {}) {
+  const result = {
+    ok: false,
+    sandboxPath: null,
+    patchApplied: false,
+    proofPassed: false,
+    mergedBack: false,
+    proofResult: null,
+    changedFiles: [],
+    error: null,
+    duration: 0
+  };
+
+  const startTime = Date.now();
+
+  // Verify git repo
+  if (!isGitRepo(repoRoot)) {
+    result.error = "Not a git repository. Sandbox requires git.";
+    return result;
+  }
+
+  // Create worktree
+  const worktree = createWorktree(repoRoot);
+  if (!worktree.ok) {
+    result.error = `Failed to create worktree: ${worktree.error}`;
+    return result;
+  }
+
+  result.sandboxPath = worktree.path;
+
+  try {
+    // Apply patch in sandbox
+    const patchResult = await patchFn(worktree.path);
+    
+    if (!patchResult.ok) {
+      result.error = `Patch failed: ${patchResult.error}`;
+      return result;
+    }
+
+    result.patchApplied = true;
+    result.changedFiles = getChangedFiles(worktree.path);
+
+    // Run proof chain
+    const proofResult = await runProofChain(worktree.path, {
+      level: options.proofLevel || "balanced",
+      url: options.url,
+      changedFiles: result.changedFiles
+    });
+
+    result.proofResult = proofResult;
+    result.proofPassed = proofResult.passed;
+
+    if (!proofResult.passed) {
+      result.error = `Proof chain failed at ${proofResult.failedAt}: ${proofResult.reason}`;
+      return result;
+    }
+
+    // Copy changes back to main worktree
+    if (options.apply !== false) {
+      const copyResult = copyChangesBack(worktree.path, repoRoot, result.changedFiles);
+      
+      if (copyResult.failed.length > 0) {
+        result.error = `Failed to copy some files: ${copyResult.failed.map(f => f.file).join(", ")}`;
+        return result;
+      }
+
+      result.mergedBack = true;
+    }
+
+    result.ok = true;
+  } finally {
+    // Cleanup worktree
+    removeWorktree(repoRoot, worktree.path);
+    result.duration = Date.now() - startTime;
+  }
+
+  return result;
+}
+
+/**
+ * Apply unified diff in sandbox
+ */
+function applyDiffInSandbox(sandboxPath, diff) {
+  const { applyUnifiedDiff } = require("../patch");
+  return applyUnifiedDiff(sandboxPath, diff);
+}
+
+/**
+ * Create sandbox, apply edits, and verify
+ */
+async function sandboxApplyEdits(repoRoot, edits, options = {}) {
+  return runPatchInSandbox(repoRoot, async (sandboxPath) => {
+    const results = [];
+
+    for (const edit of edits) {
+      if (edit.diff) {
+        const res = applyDiffInSandbox(sandboxPath, edit.diff);
+        results.push(res);
+        if (!res.ok) {
+          return { ok: false, error: res.error, results };
+        }
+      } else if (edit.file && edit.content) {
+        // Direct file write
+        try {
+          const filePath = path.join(sandboxPath, edit.file);
+          fs.mkdirSync(path.dirname(filePath), { recursive: true });
+          fs.writeFileSync(filePath, edit.content, "utf8");
+          results.push({ ok: true, file: edit.file });
+        } catch (e) {
+          return { ok: false, error: e.message, results };
+        }
+      }
+    }
+
+    return { ok: true, results };
+  }, options);
+}
+
+/**
+ * Write proof result to output directory
+ */
+function writeProofResult(outDir, result) {
+  fs.mkdirSync(outDir, { recursive: true });
+  
+  const proofPath = path.join(outDir, "proof.json");
+  fs.writeFileSync(proofPath, JSON.stringify(result, null, 2), "utf8");
+
+  // Write human-readable log
+  const logLines = [
+    `# Sandbox Proof Result`,
+    ``,
+    `**Status**: ${result.ok ? "✅ PASSED" : "❌ FAILED"}`,
+    `**Duration**: ${result.duration}ms`,
+    `**Proof Level**: ${result.proofResult?.level || "unknown"}`,
+    ``
+  ];
+
+  if (result.changedFiles.length) {
+    logLines.push(`## Changed Files`);
+    for (const f of result.changedFiles) {
+      logLines.push(`- ${f}`);
+    }
+    logLines.push(``);
+  }
+
+  if (result.proofResult?.stages) {
+    logLines.push(`## Proof Stages`);
+    for (const stage of result.proofResult.stages) {
+      const icon = stage.passed ? "✅" : "❌";
+      logLines.push(`### ${icon} ${stage.stage} (${stage.duration}ms)`);
+      
+      for (const check of stage.checks || []) {
+        const checkIcon = check.passed ? "✓" : "✗";
+        logLines.push(`- ${checkIcon} ${check.name}`);
+        if (check.error) logLines.push(`  Error: ${check.error}`);
+      }
+      logLines.push(``);
+    }
+  }
+
+  if (result.error) {
+    logLines.push(`## Error`);
+    logLines.push(result.error);
+  }
+
+  const logPath = path.join(outDir, "proof.md");
+  fs.writeFileSync(logPath, logLines.join("\n"), "utf8");
+
+  return { proofPath, logPath };
+}
+
+module.exports = {
+  runPatchInSandbox,
+  sandboxApplyEdits,
+  applyDiffInSandbox,
+  writeProofResult,
+  PROOF_LEVELS
+};