@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/lib/unified-output.js

@@ -0,0 +1,189 @@
+/**
+ * Unified Output System
+ * 
+ * Provides consistent, deterministic output across all vibecheck commands.
+ * This is what makes vibecheck feel "enterprise-grade".
+ */
+
+// Graceful fallback for missing compiled modules
+let EXIT_CODES, formatVerdictOutput;
+
+// Exit codes per product spec:
+// 0 = SHIP / no blockers
+// 1 = WARN (allowed if you choose)
+// 2 = BLOCK / blockers found
+EXIT_CODES = {
+  SHIP: 0,      // Ready to ship, no blockers
+  PASS: 0,      // Alias for SHIP
+  WARN: 1,      // Warnings found (allowed)
+  BLOCK: 2,     // Blockers found, do not ship
+  FAIL: 2,      // Alias for BLOCK
+  MISCONFIG: 2, // Configuration error = block
+  INTERNAL: 2,  // Internal error = block (safe default)
+};
+
+try {
+  const verdictFormatter = require('../../../dist/lib/cli/verdict-formatter');
+  formatVerdictOutput = verdictFormatter.formatVerdictOutput;
+} catch (err) {
+  // Fallback when dist not built
+  formatVerdictOutput = (verdict, options) => {
+    const c = {
+      reset: '\x1b[0m',
+      green: '\x1b[32m',
+      red: '\x1b[31m',
+      yellow: '\x1b[33m',
+      cyan: '\x1b[36m',
+      dim: '\x1b[2m',
+      bold: '\x1b[1m',
+    };
+    
+    if (!verdict) return 'No verdict available';
+    
+    const icon = verdict.verdict === 'PASS' ? `${c.green}✓${c.reset}` : 
+                 verdict.verdict === 'FAIL' ? `${c.red}✗${c.reset}` : 
+                 `${c.yellow}⚠${c.reset}`;
+    
+    let output = `\n${icon} ${c.bold}${verdict.verdict}${c.reset}\n`;
+    
+    if (verdict.summary) {
+      output += `\n${c.dim}Summary:${c.reset}\n`;
+      output += `  Blockers: ${verdict.summary.blockers || 0}\n`;
+      output += `  Warnings: ${verdict.summary.warnings || 0}\n`;
+    }
+    
+    if (verdict.findings && verdict.findings.length > 0) {
+      output += `\n${c.dim}Findings:${c.reset}\n`;
+      for (const finding of verdict.findings.slice(0, 10)) {
+        const sevColor = finding.severity === 'critical' ? c.red : 
+                        finding.severity === 'high' ? c.red : 
+                        finding.severity === 'medium' ? c.yellow : c.dim;
+        output += `  ${sevColor}[${finding.severity?.toUpperCase() || 'INFO'}]${c.reset} ${finding.title || finding.message || 'Unknown issue'}\n`;
+        if (finding.file) {
+          output += `    ${c.cyan}${finding.file}${finding.line ? `:${finding.line}` : ''}${c.reset}\n`;
+        }
+      }
+      if (verdict.findings.length > 10) {
+        output += `  ${c.dim}... and ${verdict.findings.length - 10} more${c.reset}\n`;
+      }
+    }
+    
+    return output;
+  };
+}
+
+/**
+ * Format scan output with unified contract
+ */
+function formatScanOutput(result, options = {}) {
+  const { verbose = false, json = false } = options;
+  
+  if (json) {
+    return JSON.stringify(result, null, 2);
+  }
+  
+  return formatVerdictOutput(result.verdict, { verbose, json });
+}
+
+/**
+ * Get exit code from verdict
+ * Per spec: 0=SHIP, 1=WARN, 2=BLOCK
+ */
+function getExitCode(verdict) {
+  if (!verdict) return EXIT_CODES.BLOCK; // Safe default
+  
+  switch (verdict.verdict) {
+    case 'SHIP':
+    case 'PASS':
+      return EXIT_CODES.SHIP;    // 0
+    case 'WARN':
+      return EXIT_CODES.WARN;    // 1
+    case 'BLOCK':
+    case 'FAIL':
+      return EXIT_CODES.BLOCK;   // 2
+    case 'ERROR':
+    case 'MISCONFIG':
+      return EXIT_CODES.BLOCK;   // 2 (safe default)
+    default:
+      return EXIT_CODES.BLOCK;   // 2 (safe default)
+  }
+}
+
+/**
+ * Handle errors with proper exit codes
+ */
+function handleError(error, context = '') {
+  const errorType = classifyError(error);
+  
+  let exitCode = EXIT_CODES.INTERNAL;
+  let message = error.message || 'Unknown error';
+  let nextStep = 'Run: vibecheck doctor';
+  
+  switch (errorType) {
+    case 'MISCONFIG':
+      exitCode = EXIT_CODES.MISCONFIG;
+      message = `Configuration error: ${message}`;
+      nextStep = 'Run: vibecheck doctor --fix';
+      break;
+    case 'MISSING_DEPS':
+      exitCode = EXIT_CODES.MISCONFIG;
+      message = `Missing dependencies: ${message}`;
+      nextStep = 'Run: vibecheck doctor';
+      break;
+    case 'PERMISSION':
+      exitCode = EXIT_CODES.MISCONFIG;
+      message = `Permission error: ${message}`;
+      nextStep = 'Check file permissions and run: vibecheck doctor';
+      break;
+    default:
+      exitCode = EXIT_CODES.INTERNAL;
+      message = `Internal error: ${message}`;
+      nextStep = 'This looks like a bug. Run: vibecheck doctor';
+  }
+  
+  return {
+    exitCode,
+    message: `${context ? `[${context}] ` : ''}${message}`,
+    nextStep,
+    errorType,
+  };
+}
+
+function classifyError(error) {
+  const message = (error.message || '').toLowerCase();
+  const code = error.code || '';
+  
+  if (code === 'ENOENT' || message.includes('not found') || message.includes('missing')) {
+    return 'MISSING_DEPS';
+  }
+  
+  if (code === 'EACCES' || code === 'EPERM' || message.includes('permission')) {
+    return 'PERMISSION';
+  }
+  
+  if (message.includes('config') || message.includes('environment') || message.includes('env')) {
+    return 'MISCONFIG';
+  }
+  
+  return 'INTERNAL';
+}
+
+/**
+ * Print error with proper formatting
+ */
+function printError(error, context = '') {
+  const handled = handleError(error, context);
+  
+  console.error(`\n${handled.message}`);
+  console.error(`\n${handled.nextStep}\n`);
+  
+  return handled.exitCode;
+}
+
+module.exports = {
+  formatScanOutput,
+  getExitCode,
+  handleError,
+  printError,
+  EXIT_CODES,
+};

package/bin/runners/lib/validate-patch.js

@@ -0,0 +1,156 @@
+// bin/runners/lib/validate-patch.js
+const fs = require("fs");
+const path = require("path");
+
+function isRelSafe(p) {
+  if (!p || typeof p !== "string") return false;
+  if (p.includes("\0")) return false;
+  if (path.isAbsolute(p)) return false;
+  const norm = path.normalize(p).replace(/\\/g, "/");
+  if (norm.startsWith("../") || norm.startsWith("..\\")) return false;
+  return true;
+}
+
+function parseDiffTouchedFiles(diff) {
+  const files = new Set();
+  const lines = String(diff || "").split(/\r?\n/);
+  for (const line of lines) {
+    if (line.startsWith("+++ ")) {
+      const p = line.slice(4).trim();
+      if (p === "/dev/null") continue;
+      const cleaned = p.startsWith("b/") ? p.slice(2) : p;
+      files.add(cleaned);
+    }
+  }
+  return Array.from(files);
+}
+
+function countChangedLines(diff) {
+  const lines = String(diff || "").split(/\r?\n/);
+  let adds = 0, dels = 0;
+  for (const l of lines) {
+    if (l.startsWith("+++ ") || l.startsWith("--- ") || l.startsWith("@@")) continue;
+    if (l.startsWith("+")) adds++;
+    if (l.startsWith("-")) dels++;
+  }
+  return { adds, dels, total: adds + dels };
+}
+
+function extractAddedApiStrings(diff) {
+  const out = [];
+  const lines = String(diff || "").split(/\r?\n/);
+  for (const l of lines) {
+    if (!l.startsWith("+") || l.startsWith("+++")) continue;
+    const m = l.match(/["'`](\/api\/[^"'` ]+)["'`]/g);
+    if (m) out.push(...m.map(x => x.replace(/^[+"'`]+|[+"'`]+$/g, "")));
+  }
+  return Array.from(new Set(out));
+}
+
+function extractAddedEnvNames(diff) {
+  const out = new Set();
+  const lines = String(diff || "").split(/\r?\n/);
+  for (const l of lines) {
+    if (!l.startsWith("+") || l.startsWith("+++")) continue;
+
+    const re1 = /process\.env\.([A-Z0-9_]+)/g;
+    let m;
+    while ((m = re1.exec(l)) !== null) out.add(m[1]);
+
+    const re2 = /import\.meta\.env\.([A-Z0-9_]+)/g;
+    while ((m = re2.exec(l)) !== null) out.add(m[1]);
+  }
+  return Array.from(out);
+}
+
+function validatePatchResponse({
+  repoRoot,
+  patchJson,
+  mission,
+  truthpack,
+  allowedFiles,
+  limits
+}) {
+  const errors = [];
+  const warnings = [];
+
+  const lim = {
+    maxEdits: limits?.maxEdits ?? 6,
+    maxFiles: limits?.maxFiles ?? 6,
+    maxChangedLines: limits?.maxChangedLines ?? 400
+  };
+
+  if (!patchJson || typeof patchJson !== "object") errors.push("Patch JSON missing or not an object.");
+  if (patchJson.status !== "ok") errors.push(`Patch status must be "ok" (got ${patchJson?.status}).`);
+  if (!Array.isArray(patchJson.edits)) errors.push("Patch edits must be an array.");
+  if ((patchJson.edits || []).length > lim.maxEdits) errors.push(`Too many edits (>${lim.maxEdits}).`);
+
+  if (errors.length) return { ok: false, errors, warnings };
+
+  const allowed = new Set((allowedFiles || []).filter(Boolean));
+  const touchedAll = new Set();
+
+  for (const ed of patchJson.edits) {
+    if (!ed || typeof ed !== "object") { errors.push("Edit entry not an object."); continue; }
+    if (!isRelSafe(ed.path)) errors.push(`Unsafe edit path: ${ed.path}`);
+    if (typeof ed.diff !== "string" || !ed.diff.includes("\n+++ ")) errors.push(`Diff missing or not unified for: ${ed.path}`);
+
+    const touched = parseDiffTouchedFiles(ed.diff);
+    for (const f of touched) touchedAll.add(f);
+
+    if (touched.length === 0) errors.push(`No touched file detected in diff for ${ed.path}`);
+  }
+
+  const touchedList = Array.from(touchedAll);
+  if (touchedList.length > lim.maxFiles) errors.push(`Too many touched files (>${lim.maxFiles}).`);
+
+  for (const f of touchedList) {
+    if (!isRelSafe(f)) errors.push(`Unsafe touched file: ${f}`);
+    if (allowed.size && !allowed.has(f)) {
+      errors.push(`Touched file not allowed by mission evidence: ${f}`);
+    }
+    if (f.includes("node_modules/") || f.includes(".next/") || f.includes("dist/") || f.includes("build/")) {
+      errors.push(`Touched forbidden build/vendor file: ${f}`);
+    }
+  }
+
+  let totalChanged = 0;
+  for (const ed of patchJson.edits) totalChanged += countChangedLines(ed.diff).total;
+  if (totalChanged > lim.maxChangedLines) errors.push(`Patch too large (>${lim.maxChangedLines} changed lines).`);
+
+  const type = mission?.type || "GENERIC_FIX";
+  const combinedDiff = patchJson.edits.map(e => e.diff).join("\n");
+
+  const addedApis = extractAddedApiStrings(combinedDiff);
+  if (addedApis.length && type !== "FIX_MISSING_ROUTE") {
+    errors.push(`No-drift: patch adds /api strings (${addedApis.join(", ")}) but mission is ${type}.`);
+  }
+
+  const addedEnv = extractAddedEnvNames(combinedDiff);
+  if (addedEnv.length && type !== "FIX_ENV_CONTRACT") {
+    warnings.push(`Patch introduces new env var usage (${addedEnv.join(", ")}). If that wasn't intended, reject this patch.`);
+  }
+
+  const touchesEntitlements = /enforceFeature|enforceLimit|getEntitlements|subscription|tier|plan|credits/i.test(combinedDiff);
+  if (touchesEntitlements && !["ENFORCE_PAID_SURFACE","FIX_STRIPE_WEBHOOKS","REMOVE_OWNER_MODE"].includes(type)) {
+    errors.push(`No-drift: patch touches entitlements/billing logic but mission is ${type}.`);
+  }
+
+  const touchesMiddleware = /middleware\.(ts|js)|matcher\s*:|NextResponse\.(redirect|rewrite)/i.test(combinedDiff);
+  if (touchesMiddleware && type !== "ADD_SERVER_AUTH") {
+    warnings.push("Patch touches Next middleware/matcher outside ADD_SERVER_AUTH mission. Verify intent.");
+  }
+
+  for (const f of touchedList) {
+    const abs = path.join(repoRoot, f);
+    if (!fs.existsSync(abs)) {
+      if (type === "FIX_MISSING_ROUTE" && (f.includes("app/api/") || f.includes("pages/api/"))) continue;
+      warnings.push(`Touched file does not exist (would be created): ${f}`);
+    }
+  }
+
+  if (errors.length) return { ok: false, errors, warnings };
+  return { ok: true, errors: [], warnings };
+}
+
+module.exports = { validatePatchResponse, parseDiffTouchedFiles };

package/bin/runners/lib/verification.js

@@ -0,0 +1,345 @@
+/**
+ * Verification Module - Pure JavaScript Implementation
+ * For CLI usage without TypeScript compilation
+ */
+
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const crypto = require("crypto");
+const { spawn } = require("child_process");
+
+// Constants
+const PROTECTED_PATHS = [
+  ".git",
+  "node_modules",
+  ".env",
+  ".env.local",
+  ".env.production",
+  ".env.development",
+  "package-lock.json",
+  "pnpm-lock.yaml",
+  "yarn.lock",
+  "bun.lockb",
+];
+
+const DANGEROUS_COMMANDS = [
+  "rm -rf",
+  "rm -r /",
+  "rmdir /s",
+  "del /f /s /q",
+  "sudo",
+  "chmod 777",
+  "curl | bash",
+  "curl | sh",
+  "wget | bash",
+  "wget | sh",
+  "> /dev/sd",
+  "mkfs",
+  "dd if=",
+  ":(){:|:&};:",
+  "format c:",
+  "rd /s /q",
+];
+
+const SECRET_PATTERNS = [
+  { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/g, severity: "critical" },
+  { name: "GitHub Token", pattern: /gh[pousr]_[A-Za-z0-9_]{36,}/g, severity: "critical" },
+  { name: "Stripe Key", pattern: /sk_live_[0-9a-zA-Z]{24}/g, severity: "critical" },
+  { name: "Private Key", pattern: /-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/g, severity: "critical" },
+  { name: "Database URL", pattern: /(?:postgres|mysql|mongodb|redis):\/\/[^\s'"]+:[^\s'"]+@[^\s'"]+/gi, severity: "critical" },
+];
+
+const STUB_PATTERNS = [
+  { name: "Placeholder function", pattern: /throw new Error\(['"]not implemented['"]\)/gi },
+  { name: "Console placeholder", pattern: /console\.log\(['"]placeholder['"]\)/gi },
+  { name: "Lorem ipsum", pattern: /lorem\s+ipsum/gi },
+  { name: "NotImplementedError", pattern: /raise NotImplementedError/g },
+  { name: "unimplemented!", pattern: /unimplemented!\(\)/g },
+  { name: "todo!", pattern: /todo!\(\)/g },
+];
+
+const FORMAT_RETRY_PROMPT = `Your response was not in the required format. Please respond with ONLY valid JSON in this exact structure:
+
+{
+  "format": "vibecheck-v1",
+  "diff": "<unified diff for ALL file changes>",
+  "commands": ["optional array of commands to run"],
+  "tests": ["optional array of test commands"],
+  "notes": "optional notes"
+}
+
+If you cannot provide the requested changes, respond with:
+{ "format": "vibecheck-v1", "error": "reason why you cannot provide the changes" }
+
+Do NOT include any markdown fencing, explanations, or text outside the JSON object.`;
+
+const DIFF_FORMAT_RETRY_PROMPT = `Your diff is malformed. The diff field must be a valid unified diff containing:
+- File headers starting with "diff --git a/path b/path"
+- Old file marker "--- a/path" or "--- /dev/null" for new files
+- New file marker "+++ b/path"
+- Hunk headers like "@@ -start,count +start,count @@"
+
+Please regenerate your response with a properly formatted unified diff.`;
+
+// Extract JSON from raw input
+function extractJson(raw) {
+  const trimmed = raw.trim();
+  if (trimmed.startsWith("{")) return trimmed;
+
+  const jsonFenceMatch = trimmed.match(/```json\s*([\s\S]*?)\s*```/);
+  if (jsonFenceMatch) return jsonFenceMatch[1].trim();
+
+  const plainFenceMatch = trimmed.match(/```\s*([\s\S]*?)\s*```/);
+  if (plainFenceMatch) {
+    const content = plainFenceMatch[1].trim();
+    if (content.startsWith("{")) return content;
+  }
+
+  return null;
+}
+
+// Validate diff structure
+function isValidDiffStructure(diff) {
+  if (!diff || typeof diff !== "string" || diff.trim().length === 0) return false;
+  const hasDiffHeader = diff.includes("diff --git") || diff.includes("diff -");
+  const hasOldMarker = diff.includes("---");
+  const hasNewMarker = diff.includes("+++");
+  const hasHunk = /@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@/.test(diff);
+  return hasDiffHeader && hasOldMarker && hasNewMarker && hasHunk;
+}
+
+// Parse diff to extract files
+function parseDiff(diffStr) {
+  const files = [];
+  const fileChunks = diffStr.split(/^diff --git /m).filter(Boolean);
+
+  for (const chunk of fileChunks) {
+    const lines = chunk.split("\n");
+    if (lines.length === 0) continue;
+    const headerMatch = lines[0].match(/a\/(.+?)\s+b\/(.+)/);
+    if (!headerMatch) continue;
+    files.push({ path: headerMatch[2], additions: 0, deletions: 0 });
+  }
+
+  return { files, totalFiles: files.length };
+}
+
+// Validate format
+function validateFormat(raw) {
+  if (!raw || typeof raw !== "string") {
+    return { valid: false, retryPrompt: FORMAT_RETRY_PROMPT, error: "Empty input" };
+  }
+
+  const jsonStr = extractJson(raw);
+  if (!jsonStr) {
+    return { valid: false, retryPrompt: FORMAT_RETRY_PROMPT, error: "Could not extract JSON" };
+  }
+
+  let parsed;
+  try {
+    parsed = JSON.parse(jsonStr);
+  } catch (e) {
+    return { valid: false, retryPrompt: FORMAT_RETRY_PROMPT, error: `JSON parse error: ${e.message}` };
+  }
+
+  if (!parsed || typeof parsed !== "object") {
+    return { valid: false, retryPrompt: FORMAT_RETRY_PROMPT, error: "Response must be a JSON object" };
+  }
+
+  if (parsed.format !== "vibecheck-v1") {
+    return { valid: false, retryPrompt: FORMAT_RETRY_PROMPT, error: `Invalid format: ${parsed.format}` };
+  }
+
+  if (parsed.error) {
+    return { valid: true, output: { format: "vibecheck-v1", diff: "", error: parsed.error } };
+  }
+
+  if (typeof parsed.diff !== "string" || parsed.diff.trim().length === 0) {
+    return { valid: false, retryPrompt: DIFF_FORMAT_RETRY_PROMPT, error: "Empty diff" };
+  }
+
+  if (!isValidDiffStructure(parsed.diff)) {
+    return { valid: false, retryPrompt: DIFF_FORMAT_RETRY_PROMPT, error: "Invalid diff structure" };
+  }
+
+  return { valid: true, output: parsed };
+}
+
+// Validate path
+function validatePath(filePath) {
+  const normalized = filePath.replace(/\\/g, "/").replace(/^\/+/, "");
+
+  if (normalized.includes("..") || normalized.startsWith("/") || /^[a-zA-Z]:/.test(normalized)) {
+    return { status: "fail", message: `Path traversal detected: ${filePath}` };
+  }
+
+  for (const protected_ of PROTECTED_PATHS) {
+    if (normalized === protected_ || normalized.startsWith(protected_ + "/")) {
+      return { status: "fail", message: `Protected path: ${filePath}` };
+    }
+  }
+
+  return { status: "pass", message: `Safe: ${normalized}` };
+}
+
+// Validate command
+function validateCommand(command) {
+  const normalized = command.toLowerCase().trim();
+  for (const dangerous of DANGEROUS_COMMANDS) {
+    if (normalized.includes(dangerous.toLowerCase())) {
+      return { status: "fail", message: `Dangerous command: ${command}` };
+    }
+  }
+  return { status: "pass", message: "Safe command" };
+}
+
+// Detect secrets
+function detectSecrets(content, filePath) {
+  if (filePath.endsWith(".md") || filePath.includes("__mocks__")) {
+    return { status: "pass", message: "Skipped" };
+  }
+
+  for (const { name, pattern, severity } of SECRET_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(content)) {
+      return { status: "fail", message: `${severity.toUpperCase()} secret: ${name}` };
+    }
+  }
+  return { status: "pass", message: "No secrets" };
+}
+
+// Detect stubs
+function detectStubs(content, mode) {
+  for (const { name, pattern } of STUB_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(content)) {
+      return { status: "fail", message: `Placeholder code: ${name}` };
+    }
+  }
+  return { status: "pass", message: "No stubs" };
+}
+
+// Build failure context
+function buildFailureContext(blockers) {
+  if (blockers.length === 0) return "";
+
+  const top3 = blockers.slice(0, 3);
+  return `## Verification Failed
+
+Fix ONLY these issues. Return corrected diff in vibecheck-v1 JSON format.
+
+### Issues:
+${top3.map((b, i) => `${i + 1}. ${b}`).join("\n")}
+${blockers.length > 3 ? `\n... and ${blockers.length - 3} more` : ""}
+
+Respond with corrected vibecheck-v1 JSON only.`;
+}
+
+// Main verification function
+async function verifyAgentOutput(rawResponse, context) {
+  const checks = [];
+  const blockers = [];
+  const warnings = [];
+
+  // Format validation
+  const formatResult = validateFormat(rawResponse);
+  if (!formatResult.valid) {
+    return {
+      success: false,
+      checks: [{ check: "format-validation", status: "fail", message: formatResult.error }],
+      blockers: [formatResult.error],
+      warnings: [],
+      failureContext: formatResult.retryPrompt,
+    };
+  }
+
+  const output = formatResult.output;
+
+  // Handle error response
+  if (output.error) {
+    return {
+      success: false,
+      checks: [{ check: "agent-error", status: "fail", message: output.error }],
+      blockers: [`Agent error: ${output.error}`],
+      warnings: [],
+      parsedOutput: output,
+    };
+  }
+
+  // Diff structure
+  checks.push({ check: "diff-structure", status: "pass", message: "Valid diff" });
+
+  // Path validation
+  const parsed = parseDiff(output.diff);
+  for (const file of parsed.files) {
+    const pathResult = validatePath(file.path);
+    if (pathResult.status === "fail") {
+      checks.push({ check: "path-safety", status: "fail", message: pathResult.message, file: file.path });
+      blockers.push(pathResult.message);
+    }
+  }
+  if (!blockers.some(b => b.includes("Path"))) {
+    checks.push({ check: "path-safety", status: "pass", message: `${parsed.files.length} path(s) validated` });
+  }
+
+  // Command validation
+  if (output.commands && output.commands.length > 0) {
+    for (const cmd of output.commands) {
+      const cmdResult = validateCommand(cmd);
+      if (cmdResult.status === "fail") {
+        checks.push({ check: "command-safety", status: "fail", message: cmdResult.message });
+        blockers.push(cmdResult.message);
+      }
+    }
+    if (!blockers.some(b => b.includes("Dangerous"))) {
+      checks.push({ check: "command-safety", status: "pass", message: `${output.commands.length} command(s) validated` });
+    }
+  } else {
+    checks.push({ check: "command-safety", status: "pass", message: "No commands" });
+  }
+
+  // Fail fast on blockers
+  if (blockers.length > 0) {
+    return {
+      success: false,
+      checks,
+      blockers,
+      warnings,
+      failureContext: buildFailureContext(blockers),
+      parsedOutput: output,
+    };
+  }
+
+  // Content checks (simplified - check diff content directly)
+  const secretCheck = detectSecrets(output.diff, "diff");
+  if (secretCheck.status === "fail") {
+    checks.push({ check: "secret-detection", status: "fail", message: secretCheck.message });
+    blockers.push(secretCheck.message);
+  } else {
+    checks.push({ check: "secret-detection", status: "pass", message: "No secrets in diff" });
+  }
+
+  const stubCheck = detectStubs(output.diff, context.mode);
+  if (stubCheck.status === "fail" && context.mode === "ship") {
+    checks.push({ check: "stub-detection", status: "fail", message: stubCheck.message });
+    blockers.push(stubCheck.message);
+  } else if (stubCheck.status === "fail") {
+    checks.push({ check: "stub-detection", status: "warn", message: stubCheck.message });
+    warnings.push(stubCheck.message);
+  } else {
+    checks.push({ check: "stub-detection", status: "pass", message: "No placeholder code" });
+  }
+
+  const success = blockers.length === 0;
+  return {
+    success,
+    checks,
+    blockers,
+    warnings,
+    failureContext: success ? undefined : buildFailureContext(blockers),
+    parsedOutput: output,
+  };
+}
+
+module.exports = { verifyAgentOutput };