@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/lib/truth.js

@@ -0,0 +1,667 @@
+// bin/runners/lib/truth.js
+const fg = require("fast-glob");
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+
+// Env Truth v1
+const { buildEnvTruth } = require("./env");
+// Auth Truth v1
+const { buildAuthTruth } = require("./auth-truth");
+// Billing Truth v1
+const { buildBillingTruth } = require("./billing");
+// Enforcement Truth v1
+const { buildEnforcementTruth } = require("./enforcement");
+// Multi-framework route detection v2
+const { resolveAllRoutes, detectFrameworks } = require("./route-detection");
+
+// ---------- helpers ----------
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function canonicalizeMethod(m) {
+  const u = String(m || "").toUpperCase();
+  if (u === "ALL" || u === "ANY" || u === "*") return "*";
+  return u;
+}
+
+function canonicalizePath(p) {
+  let s = String(p || "").trim();
+  if (!s.startsWith("/")) s = "/" + s;
+  s = s.replace(/\/+/g, "/");
+
+  // Next dynamic segments
+  s = s.replace(/\[\[\.{3}([^\]]+)\]\]/g, "*$1?"); // [[...slug]] -> *slug?
+  s = s.replace(/\[\.{3}([^\]]+)\]/g, "*$1");     // [...slug]  -> *slug
+  s = s.replace(/\[([^\]]+)\]/g, ":$1");          // [id]       -> :id
+
+  if (s.length > 1) s = s.replace(/\/$/, "");
+  return s;
+}
+
+function joinPaths(prefix, p) {
+  const a = canonicalizePath(prefix || "/");
+  const b = canonicalizePath(p || "/");
+  if (a === "/") return b;
+  if (b === "/") return a;
+  return canonicalizePath(a + "/" + b);
+}
+
+function parseFile(code) {
+  return parser.parse(code, { sourceType: "unambiguous", plugins: ["typescript", "jsx"] });
+}
+
+function safeRead(fileAbs) {
+  return fs.readFileSync(fileAbs, "utf8");
+}
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function evidenceFromLoc({ fileAbs, fileRel, loc, reason }) {
+  if (!loc) return null;
+  const lines = fs.readFileSync(fileAbs, "utf8").split(/\r?\n/);
+  const start = Math.max(1, loc.start?.line || 1);
+  const end = Math.max(start, loc.end?.line || start);
+  const snippet = lines.slice(start - 1, end).join("\n");
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${start}-${end}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+// ---------- Next: app router API ----------
+const HTTP_EXPORTS = new Set(["GET","POST","PUT","PATCH","DELETE","OPTIONS","HEAD"]);
+
+async function resolveNextAppApiRoutes(repoRoot) {
+  const files = await fg(["**/app/api/**/route.@(ts|js)"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+  });
+
+  const out = [];
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const idx = fileRel.indexOf("app/api/");
+    const sub = fileRel.slice(idx + "app/api/".length).replace(/\/route\.(ts|js)$/, "");
+    const routePath = canonicalizePath("/api/" + sub);
+
+    const code = safeRead(fileAbs);
+    let ast;
+    try { ast = parseFile(code); } catch { continue; }
+
+    const methods = [];
+    traverse(ast, {
+      ExportNamedDeclaration(p) {
+        const decl = p.node.declaration;
+        if (t.isFunctionDeclaration(decl) && decl.id?.name) {
+          const n = decl.id.name.toUpperCase();
+          if (HTTP_EXPORTS.has(n)) methods.push({ method: n, loc: decl.loc });
+        }
+      }
+    });
+
+    if (methods.length === 0) {
+      out.push({ method: "*", path: routePath, handler: fileRel, confidence: "low", evidence: [] });
+      continue;
+    }
+
+    for (const m of methods) {
+      const ev = evidenceFromLoc({
+        fileAbs, fileRel, loc: m.loc,
+        reason: `Next app router export ${m.method}` 
+      });
+      out.push({
+        method: m.method,
+        path: routePath,
+        handler: fileRel,
+        confidence: "high",
+        evidence: ev ? [ev] : []
+      });
+    }
+  }
+
+  return out;
+}
+
+// ---------- Next: pages router API ----------
+async function resolveNextPagesApiRoutes(repoRoot) {
+  const files = await fg(["**/pages/api/**/*.@(ts|js)"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+  });
+
+  const out = [];
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const idx = fileRel.indexOf("pages/api/");
+    const sub = fileRel.slice(idx + "pages/api/".length).replace(/\.(ts|js)$/, "");
+    const routePath = canonicalizePath("/api/" + sub);
+
+    out.push({
+      method: "*",
+      path: routePath,
+      handler: fileRel,
+      confidence: "med",
+      evidence: []
+    });
+  }
+  return out;
+}
+
+// ---------- minimal relative module resolver ----------
+function exists(p) {
+  try { return fs.statSync(p).isFile(); } catch { return false; }
+}
+function resolveRelativeModule(fromFileAbs, spec) {
+  if (!spec || (!spec.startsWith("./") && !spec.startsWith("../"))) return null;
+  const base = path.resolve(path.dirname(fromFileAbs), spec);
+  const candidates = [
+    base,
+    base + ".ts",
+    base + ".js",
+    path.join(base, "index.ts"),
+    path.join(base, "index.js")
+  ];
+  for (const c of candidates) if (exists(c)) return c;
+  return null;
+}
+
+// ---------- Fastify route extraction ----------
+const FASTIFY_METHODS = new Set(["get","post","put","patch","delete","options","head","all"]);
+
+function isFastifyMethod(name) {
+  return FASTIFY_METHODS.has(name);
+}
+
+function extractStringLiteral(node) {
+  return t.isStringLiteral(node) ? node.value : null;
+}
+
+function extractPrefixFromOpts(node) {
+  if (!t.isObjectExpression(node)) return null;
+  for (const p of node.properties) {
+    if (!t.isObjectProperty(p)) continue;
+    const key =
+      t.isIdentifier(p.key) ? p.key.name :
+      t.isStringLiteral(p.key) ? p.key.value :
+      null;
+    if (key === "prefix" && t.isStringLiteral(p.value)) return p.value.value;
+  }
+  return null;
+}
+
+function extractRouteObject(objExpr) {
+  let url = null;
+  let methods = [];
+  let hasHandler = false;
+  const hooks = [];
+
+  for (const p of objExpr.properties) {
+    if (!t.isObjectProperty(p)) continue;
+
+    const key =
+      t.isIdentifier(p.key) ? p.key.name :
+      t.isStringLiteral(p.key) ? p.key.value :
+      null;
+    if (!key) continue;
+
+    if (key === "url" && t.isStringLiteral(p.value)) url = p.value.value;
+
+    if (key === "method") {
+      if (t.isStringLiteral(p.value)) methods = [p.value.value];
+      if (t.isArrayExpression(p.value)) {
+        methods = p.value.elements.filter(e => t.isStringLiteral(e)).map(e => e.value);
+      }
+    }
+
+    if (key === "handler") hasHandler = true;
+    if (["preHandler","onRequest","preValidation","preSerialization"].includes(key)) hooks.push(key);
+  }
+
+  return { url, methods, hasHandler, hooks };
+}
+
+function resolveFastifyRoutes(repoRoot, entryAbs) {
+  const seen = new Set();
+  const routes = [];
+  const gaps = [];
+
+  function scanFile(fileAbs, prefix) {
+    if (!fileAbs || seen.has(fileAbs)) return;
+    seen.add(fileAbs);
+
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = safeRead(fileAbs);
+
+    let ast;
+    try { ast = parseFile(code); } catch { return; }
+
+    // best-effort: fastify instance identifiers
+    const fastifyNames = new Set(["fastify"]);
+
+    traverse(ast, {
+      VariableDeclarator(p) {
+        if (!t.isIdentifier(p.node.id)) return;
+        const id = p.node.id.name;
+        const init = p.node.init;
+        if (!init) return;
+        if (t.isCallExpression(init) && t.isIdentifier(init.callee)) {
+          const cal = init.callee.name;
+          if (cal === "Fastify" || cal === "fastify") fastifyNames.add(id);
+        }
+      }
+    });
+
+    // helper: resolve imports for register(pluginIdent,...)
+    function resolveImportSpecForLocal(localName) {
+      let spec = null;
+
+      traverse(ast, {
+        ImportDeclaration(ip) {
+          for (const s of ip.node.specifiers) {
+            if ((t.isImportDefaultSpecifier(s) || t.isImportSpecifier(s)) && s.local.name === localName) {
+              spec = ip.node.source.value;
+            }
+          }
+        },
+        VariableDeclarator(vp) {
+          if (!t.isIdentifier(vp.node.id) || vp.node.id.name !== localName) return;
+          const init = vp.node.init;
+          if (!t.isCallExpression(init)) return;
+          if (!t.isIdentifier(init.callee) || init.callee.name !== "require") return;
+          const a0 = init.arguments[0];
+          if (t.isStringLiteral(a0)) spec = a0.value;
+        }
+      });
+
+      return spec;
+    }
+
+    traverse(ast, {
+      CallExpression(p) {
+        const callee = p.node.callee;
+        if (!t.isMemberExpression(callee)) return;
+        if (!t.isIdentifier(callee.object) || !t.isIdentifier(callee.property)) return;
+
+        const obj = callee.object.name;
+        const prop = callee.property.name;
+
+        if (!fastifyNames.has(obj)) return;
+
+        // fastify.get('/x', ...)
+        if (isFastifyMethod(prop)) {
+          const routeStr = extractStringLiteral(p.node.arguments[0]);
+          if (!routeStr) return;
+
+          const fullPath = joinPaths(prefix, routeStr);
+          const method = canonicalizeMethod(prop);
+
+          const ev = evidenceFromLoc({
+            fileAbs, fileRel, loc: p.node.loc,
+            reason: `Fastify ${prop.toUpperCase()}("${routeStr}")` 
+          });
+
+          routes.push({
+            method,
+            path: fullPath,
+            handler: fileRel,
+            confidence: "med",
+            evidence: ev ? [ev] : []
+          });
+          return;
+        }
+
+        // fastify.route({ method, url, handler })
+        if (prop === "route") {
+          const arg0 = p.node.arguments[0];
+          if (!t.isObjectExpression(arg0)) return;
+
+          const r = extractRouteObject(arg0);
+          if (!r.url) return;
+
+          const fullPath = joinPaths(prefix, r.url);
+          const ms = (r.methods.length ? r.methods : ["*"]).map(canonicalizeMethod);
+
+          const ev = evidenceFromLoc({
+            fileAbs, fileRel, loc: p.node.loc,
+            reason: `Fastify.route({ url: "${r.url}" })` 
+          });
+
+          for (const m of ms) {
+            routes.push({
+              method: m,
+              path: fullPath,
+              handler: fileRel,
+              hooks: r.hooks,
+              confidence: r.hasHandler ? "med" : "low",
+              evidence: ev ? [ev] : []
+            });
+          }
+          return;
+        }
+
+        // fastify.register(plugin, { prefix })
+        if (prop === "register") {
+          const pluginArg = p.node.arguments[0];
+          const optsArg = p.node.arguments[1];
+          const childPrefixRaw = extractPrefixFromOpts(optsArg);
+          const childPrefix = childPrefixRaw ? joinPaths(prefix, childPrefixRaw) : prefix;
+
+          // inline plugin
+          if (t.isFunctionExpression(pluginArg) || t.isArrowFunctionExpression(pluginArg)) {
+            const param0 = pluginArg.params[0];
+            const innerName = t.isIdentifier(param0) ? param0.name : "fastify";
+
+            // traverse just the plugin body (best effort)
+            traverse(pluginArg.body, {
+              CallExpression(pp) {
+                const c = pp.node.callee;
+                if (!t.isMemberExpression(c)) return;
+                if (!t.isIdentifier(c.object) || !t.isIdentifier(c.property)) return;
+                if (c.object.name !== innerName) return;
+
+                const pr = c.property.name;
+
+                if (isFastifyMethod(pr)) {
+                  const rs = extractStringLiteral(pp.node.arguments[0]);
+                  if (!rs) return;
+                  const fullPath = joinPaths(childPrefix, rs);
+                  const method = canonicalizeMethod(pr);
+
+                  const ev = evidenceFromLoc({
+                    fileAbs, fileRel, loc: pp.node.loc,
+                    reason: `Fastify plugin ${pr.toUpperCase()}("${rs}") prefix="${childPrefixRaw || ""}"` 
+                  });
+
+                  routes.push({ method, path: fullPath, handler: fileRel, confidence: "med", evidence: ev ? [ev] : [] });
+                }
+
+                if (pr === "route") {
+                  const a0 = pp.node.arguments[0];
+                  if (!t.isObjectExpression(a0)) return;
+                  const r = extractRouteObject(a0);
+                  if (!r.url) return;
+                  const fullPath = joinPaths(childPrefix, r.url);
+                  const ms = (r.methods.length ? r.methods : ["*"]).map(canonicalizeMethod);
+
+                  const ev = evidenceFromLoc({
+                    fileAbs, fileRel, loc: pp.node.loc,
+                    reason: `Fastify plugin route("${r.url}") prefix="${childPrefixRaw || ""}"` 
+                  });
+
+                  for (const m of ms) routes.push({ method: m, path: fullPath, handler: fileRel, confidence: "med", evidence: ev ? [ev] : [] });
+                }
+              }
+            }, p.scope, p);
+
+            return;
+          }
+
+          // imported plugin identifier
+          if (t.isIdentifier(pluginArg)) {
+            const localName = pluginArg.name;
+            const spec = resolveImportSpecForLocal(localName);
+
+            if (!spec) {
+              gaps.push({ kind: "fastify_plugin_unresolved", file: fileRel, name: localName });
+              return;
+            }
+
+            const resolved = resolveRelativeModule(fileAbs, spec);
+            if (!resolved) {
+              gaps.push({ kind: "fastify_plugin_unresolved", file: fileRel, spec });
+              return;
+            }
+
+            scanFile(resolved, childPrefix);
+          }
+        }
+      }
+    });
+  }
+
+  scanFile(entryAbs, "/");
+  return { routes, gaps };
+}
+
+// ---------- client refs (fetch + axios string literal only) ----------
+function isAxiosMember(node) {
+  return t.isMemberExpression(node) &&
+    t.isIdentifier(node.object) &&
+    t.isIdentifier(node.property) &&
+    ["get","post","put","patch","delete"].includes(node.property.name);
+}
+
+async function resolveClientRouteRefs(repoRoot) {
+  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/test/**",
+      "**/tests/**",
+      "**/__tests__/**",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/jest.setup.*",
+      "**/jest.config.*",
+      "**/*.mock.*",
+      "**/mocks/**",
+      "**/fixtures/**"
+    ]
+  });
+
+  const out = [];
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = safeRead(fileAbs);
+
+    let ast;
+    try { ast = parseFile(code); } catch { continue; }
+
+    traverse(ast, {
+      CallExpression(p) {
+        const callee = p.node.callee;
+
+        // fetch("/api/x", { method: "POST" })
+        if (t.isIdentifier(callee) && callee.name === "fetch") {
+          const a0 = p.node.arguments[0];
+          if (!t.isStringLiteral(a0)) return;
+
+          const url = a0.value;
+          if (!url.startsWith("/")) return;
+
+          let method = "*";
+          const a1 = p.node.arguments[1];
+          if (t.isObjectExpression(a1)) {
+            for (const prop of a1.properties) {
+              if (!t.isObjectProperty(prop)) continue;
+              const key =
+                t.isIdentifier(prop.key) ? prop.key.name :
+                t.isStringLiteral(prop.key) ? prop.key.value :
+                null;
+              if (key === "method" && t.isStringLiteral(prop.value)) {
+                method = canonicalizeMethod(prop.value.value);
+              }
+            }
+          }
+
+          const ev = evidenceFromLoc({
+            fileAbs, fileRel, loc: p.node.loc,
+            reason: `Client fetch("${url}")` 
+          });
+
+          out.push({
+            method,
+            path: canonicalizePath(url),
+            source: fileRel,
+            confidence: "high",
+            evidence: ev ? [ev] : []
+          });
+          return;
+        }
+
+        // axios.get("/api/x")
+        if (isAxiosMember(callee)) {
+          const verb = callee.property.name.toUpperCase();
+          const a0 = p.node.arguments[0];
+          if (!t.isStringLiteral(a0)) return;
+
+          const url = a0.value;
+          if (!url.startsWith("/")) return;
+
+          const ev = evidenceFromLoc({
+            fileAbs, fileRel, loc: p.node.loc,
+            reason: `Client axios.${verb.toLowerCase()}("${url}")` 
+          });
+
+          out.push({
+            method: canonicalizeMethod(verb),
+            path: canonicalizePath(url),
+            source: fileRel,
+            confidence: "high",
+            evidence: ev ? [ev] : []
+          });
+        }
+      }
+    });
+  }
+
+  return out;
+}
+
+// ---------- fastify entry detection ----------
+function detectFastifyEntry(repoRoot) {
+  const candidates = [
+    "src/server.ts","src/server.js",
+    "server.ts","server.js",
+    "src/index.ts","src/index.js",
+    "index.ts","index.js"
+  ];
+  for (const rel of candidates) {
+    const abs = path.join(repoRoot, rel);
+    if (exists(abs)) return rel;
+  }
+  return null;
+}
+
+// ---------- truthpack build/write ----------
+async function buildTruthpack({ repoRoot, fastifyEntry }) {
+  // Next.js routes (App Router + Pages Router)
+  const nextApp = await resolveNextAppApiRoutes(repoRoot);
+  const nextPages = await resolveNextPagesApiRoutes(repoRoot);
+
+  // Fastify routes (legacy detection)
+  const entryRel = fastifyEntry || detectFastifyEntry(repoRoot);
+  let fastify = { routes: [], gaps: [] };
+  if (entryRel) {
+    const entryAbs = path.isAbsolute(entryRel) ? entryRel : path.join(repoRoot, entryRel);
+    if (exists(entryAbs)) fastify = resolveFastifyRoutes(repoRoot, entryAbs);
+  }
+
+  // Multi-framework route detection v2 (Express, Flask, FastAPI, Django, Hono, Koa, etc.)
+  const multiFramework = await resolveAllRoutes(repoRoot);
+  const detectedFrameworks = await detectFrameworks(repoRoot);
+
+  // Client refs (JS/TS fetch/axios + Python requests/httpx)
+  const clientRefs = await resolveClientRouteRefs(repoRoot);
+  const allClientRefs = [...clientRefs, ...multiFramework.clientRefs];
+
+  // Merge all server routes (dedupe by method+path)
+  const serverRoutesRaw = [...nextApp, ...nextPages, ...fastify.routes, ...multiFramework.routes];
+  const seenRoutes = new Set();
+  const server = [];
+  for (const r of serverRoutesRaw) {
+    const key = `${r.method}:${r.path}`;
+    if (!seenRoutes.has(key)) {
+      seenRoutes.add(key);
+      server.push(r);
+    }
+  }
+
+  // Merge gaps
+  const allGaps = [...(fastify.gaps || []), ...(multiFramework.gaps || [])];
+
+  // Env Truth v1
+  const env = await buildEnvTruth(repoRoot);
+
+  // Auth Truth v1
+  const auth = await buildAuthTruth(repoRoot, server);
+
+  // Billing Truth v1
+  const billing = await buildBillingTruth(repoRoot);
+
+  // Enforcement Truth v1
+  const enforcement = buildEnforcementTruth(repoRoot, server);
+
+  // Determine frameworks
+  const frameworks = new Set(["next", "fastify"]);
+  detectedFrameworks.forEach(f => frameworks.add(f));
+  server.forEach(r => r.framework && frameworks.add(r.framework));
+
+  const truthpack = {
+    meta: {
+      version: "2.0.0",
+      generatedAt: new Date().toISOString(),
+      repoRoot,
+      commit: { sha: process.env.VIBECHECK_COMMIT_SHA || "unknown" }
+    },
+    project: { frameworks: Array.from(frameworks), workspaces: [], entrypoints: [] },
+    routes: { server, clientRefs: allClientRefs, gaps: allGaps },
+    env,
+    auth,
+    billing,
+    enforcement
+  };
+
+  const hash = sha256(JSON.stringify(truthpack));
+  truthpack.index = { hashes: { truthpackHash: hash }, evidenceRefs: [] };
+
+  return truthpack;
+}
+
+function writeTruthpack(repoRoot, truthpack) {
+  const dir = path.join(repoRoot, ".vibecheck");
+  ensureDir(dir);
+  // Spec: .vibecheck/truthpack.json (not .vibecheck/truth/truthpack.json)
+  fs.writeFileSync(path.join(dir, "truthpack.json"), JSON.stringify(truthpack, null, 2));
+}
+
+function loadTruthpack(repoRoot) {
+  // Spec path: .vibecheck/truthpack.json
+  const specPath = path.join(repoRoot, ".vibecheck", "truthpack.json");
+  // Legacy path: .vibecheck/truth/truthpack.json (backward compat)
+  const legacyPath = path.join(repoRoot, ".vibecheck", "truth", "truthpack.json");
+  
+  try { 
+    return JSON.parse(fs.readFileSync(specPath, "utf8")); 
+  } catch { 
+    // Try legacy path
+    try { return JSON.parse(fs.readFileSync(legacyPath, "utf8")); } catch { return null; }
+  }
+}
+
+module.exports = {
+  canonicalizeMethod,
+  canonicalizePath,
+  buildTruthpack,
+  writeTruthpack,
+  loadTruthpack,
+  detectFastifyEntry
+};