@vibecheckai/cli 3.0.2 → 3.0.3

package/bin/runners/lib/ai-bridge.js

@@ -1,416 +0,0 @@
-const fs = require("fs");
-const path = require("path");
-const https = require("https");
-
-// Cache for package existence checks
-const packageCache = new Map();
-
-/**
- * Check if a package exists in the NPM registry
- */
-function checkNpmPackage(name) {
-  return new Promise((resolve) => {
-    if (packageCache.has(name)) return resolve(packageCache.get(name));
-
-    // Handle scoped packages and regular packages
-    const url = `https://registry.npmjs.org/${name}`;
-
-    const req = https.request(url, { method: "HEAD" }, (res) => {
-      const exists = res.statusCode === 200;
-      packageCache.set(name, exists);
-      resolve(exists);
-    });
-
-    req.on("error", () => resolve(false)); // Assume false on error or offline
-    req.end();
-  });
-}
-
-/**
- * Extract imports from file content
- */
-function extractImports(content) {
-  const imports = new Set();
-
-  // ESM imports
-  const importMatches = content.matchAll(
-    /import\s+(?:[\s\S]*?from\s+)?['"]([^'"]+)['"]/g,
-  );
-  for (const match of importMatches) {
-    if (match[1] && !match[1].startsWith(".") && !match[1].startsWith("/")) {
-      // Extract package name (handle scoped packages)
-      const parts = match[1].split("/");
-      const pkgName = match[1].startsWith("@")
-        ? `${parts[0]}/${parts[1]}`
-        : parts[0];
-      imports.add(pkgName);
-    }
-  }
-
-  // CommonJS requires
-  const requireMatches = content.matchAll(
-    /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
-  );
-  for (const match of requireMatches) {
-    if (match[1] && !match[1].startsWith(".") && !match[1].startsWith("/")) {
-      const parts = match[1].split("/");
-      const pkgName = match[1].startsWith("@")
-        ? `${parts[0]}/${parts[1]}`
-        : parts[0];
-      imports.add(pkgName);
-    }
-  }
-
-  return Array.from(imports);
-}
-
-/**
- * Walk directory to find source files
- */
-function walkDir(dir, fileList = []) {
-  if (!fs.existsSync(dir)) return fileList;
-
-  const files = fs.readdirSync(dir);
-  for (const file of files) {
-    if (
-      ["node_modules", ".git", "dist", "build", ".vibecheck", ".next"].includes(
-        file,
-      )
-    )
-      continue;
-
-    const filePath = path.join(dir, file);
-    try {
-      const stat = fs.statSync(filePath);
-      if (stat.isDirectory()) {
-        walkDir(filePath, fileList);
-      } else if (/\.(ts|js|tsx|jsx)$/.test(file) && !file.endsWith(".d.ts")) {
-        fileList.push(filePath);
-      }
-    } catch (e) {}
-  }
-  return fileList;
-}
-
-async function runHallucinationCheck(projectPath) {
-  const issues = [];
-  let score = 100;
-
-  try {
-    // 1. Check package.json dependencies
-    const pkgPath = path.join(projectPath, "package.json");
-    if (fs.existsSync(pkgPath)) {
-      const content = fs.readFileSync(pkgPath, "utf8");
-      if (content.trim()) {
-        try {
-          const pkg = JSON.parse(content);
-          const deps = { ...pkg.dependencies, ...pkg.devDependencies };
-
-          // Limit checks to avoid rate limiting
-          const depNames = Object.keys(deps).slice(0, 20);
-
-          for (const dep of depNames) {
-            // Skip internal/scoped packages for now if they look private
-            if (dep.startsWith("@vibecheck") || dep.startsWith("@internal"))
-              continue;
-
-            const exists = await checkNpmPackage(dep);
-            if (!exists) {
-              issues.push({
-                severity: "critical",
-                type: "Hallucination",
-                message: `Dependency '${dep}' listed in package.json does not exist in public npm registry`,
-                file: "package.json",
-              });
-            }
-          }
-        } catch (e) {
-          console.warn("Failed to parse package.json:", e.message);
-        }
-      }
-    }
-
-    // 2. Scan source files for imports (if scanning a full project)
-    // For specific file validation in runValidate, we might want to check that specific file's imports too.
-    // However, runHallucinationCheck here is designed for project-level scanning.
-  } catch (err) {
-    console.error("AI Bridge Error:", err.message);
-  }
-
-  // Deduct score
-  if (issues.length > 0) {
-    score = Math.max(0, 100 - issues.length * 20);
-  }
-
-  return {
-    score,
-    issues,
-  };
-}
-
-// --- Intent Matcher Logic (Ported from packages/ai-vibechecks) ---
-
-function extractCodeIntent(code) {
-  const entities = [];
-  const operations = [];
-
-  // Extract function/class names
-  const functionMatches = code.matchAll(
-    /(?:function|const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)/g,
-  );
-  for (const match of functionMatches) {
-    if (match[1]) entities.push(match[1]);
-  }
-
-  const classMatches = code.matchAll(/class\s+([a-zA-Z_$][a-zA-Z0-9_$]*)/g);
-  for (const match of classMatches) {
-    if (match[1]) entities.push(match[1]);
-  }
-
-  // Detect operations
-  if (code.includes("fetch") || code.includes("axios") || code.includes("http"))
-    operations.push("API call");
-  if (
-    code.includes("fs.") ||
-    code.includes("writeFile") ||
-    code.includes("readFile")
-  )
-    operations.push("File I/O");
-  if (
-    code.includes("database") ||
-    code.includes("prisma") ||
-    code.includes("mongoose")
-  )
-    operations.push("Database operation");
-  if (
-    code.includes("map") ||
-    code.includes("filter") ||
-    code.includes("reduce")
-  )
-    operations.push("Data transformation");
-  if (code.includes("useState") || code.includes("useEffect"))
-    operations.push("React hooks");
-
-  return { entities, operations };
-}
-
-function parseRequestIntent(request) {
-  const lowerRequest = request.toLowerCase();
-
-  // Extract goal (simplified)
-  let goal = "Unknown";
-  if (lowerRequest.includes("create") || lowerRequest.includes("build"))
-    goal = "Create new functionality";
-  else if (lowerRequest.includes("fix") || lowerRequest.includes("debug"))
-    goal = "Fix issue";
-
-  // Extract constraints
-  const constraints = [];
-  if (lowerRequest.includes("without")) {
-    const match = lowerRequest.match(/without\s+([^.,;]+)/);
-    if (match) constraints.push(`Avoid: ${match[1].trim()}`);
-  }
-  if (lowerRequest.includes("using")) {
-    const match = lowerRequest.match(/using\s+([^.,;]+)/);
-    if (match) constraints.push(`Use: ${match[1].trim()}`);
-  }
-
-  // Extract expected entities
-  const expectedEntities = [];
-  const commonFrameworks = [
-    "react",
-    "vue",
-    "angular",
-    "express",
-    "fastify",
-    "next",
-    "prisma",
-    "postgres",
-    "mongo",
-  ];
-  for (const fw of commonFrameworks) {
-    if (lowerRequest.includes(fw)) expectedEntities.push(fw);
-  }
-
-  // Extract expected operations
-  const expectedOperations = [];
-  if (lowerRequest.includes("api") || lowerRequest.includes("fetch"))
-    expectedOperations.push("API call");
-  if (lowerRequest.includes("database") || lowerRequest.includes("store"))
-    expectedOperations.push("Database operation");
-  if (lowerRequest.includes("file")) expectedOperations.push("File I/O");
-
-  return { goal, constraints, expectedEntities, expectedOperations };
-}
-
-function compareIntents(requested, actual) {
-  const matches = [];
-  const mismatches = [];
-  let score = 0;
-
-  // Check expected entities
-  for (const expected of requested.expectedEntities) {
-    const found =
-      actual.entities.some((e) =>
-        e.toLowerCase().includes(expected.toLowerCase()),
-      ) ||
-      // Also check imports for entities (e.g. react)
-      actual.entities.some((e) =>
-        e.toLowerCase().includes(expected.toLowerCase()),
-      );
-
-    if (found) {
-      matches.push(`Expected entity '${expected}' found`);
-      score += 20;
-    } else {
-      mismatches.push(`Expected entity '${expected}' not found in structure`);
-    }
-  }
-
-  // Check expected operations
-  for (const expectedOp of requested.expectedOperations) {
-    const found = actual.operations.some((o) =>
-      o.toLowerCase().includes(expectedOp.toLowerCase()),
-    );
-    if (found) {
-      matches.push(`Expected operation '${expectedOp}' found`);
-      score += 20;
-    } else {
-      mismatches.push(`Expected operation '${expectedOp}' not found`);
-    }
-  }
-
-  // Check constraints
-  for (const constraint of requested.constraints) {
-    if (constraint.startsWith("Avoid:")) {
-      const toAvoid = constraint.replace("Avoid:", "").trim().toLowerCase();
-      const found = actual.entities.some((e) =>
-        e.toLowerCase().includes(toAvoid),
-      );
-      if (!found) {
-        matches.push(`Successfully avoided '${toAvoid}'`);
-        score += 10;
-      } else {
-        mismatches.push(`Constraint violated: used '${toAvoid}'`);
-        score -= 20;
-      }
-    }
-    if (constraint.startsWith("Use:")) {
-      const toUse = constraint.replace("Use:", "").trim().toLowerCase();
-      const found = actual.entities.some((e) =>
-        e.toLowerCase().includes(toUse),
-      );
-      if (found) {
-        matches.push(`Required technology '${toUse}' used`);
-        score += 15;
-      } else {
-        mismatches.push(`Required technology '${toUse}' not used`);
-        score -= 15;
-      }
-    }
-  }
-
-  // Baseline score if nothing specific requested but code looks structured
-  if (
-    requested.expectedEntities.length === 0 &&
-    requested.expectedOperations.length === 0 &&
-    requested.constraints.length === 0
-  ) {
-    // If request is generic, and we found SOME entities, give it a pass
-    if (actual.entities.length > 0) score = 100;
-    else score = 50;
-  }
-
-  return {
-    alignmentScore: Math.max(0, Math.min(100, score)),
-    matches,
-    mismatches,
-  };
-}
-
-/**
- * Validate code against an intent
- */
-function validateIntent(code, intent) {
-  const issues = [];
-
-  if (!intent) return { score: 100, issues: [] };
-
-  const codeIntent = extractCodeIntent(code);
-  const requestIntent = parseRequestIntent(intent);
-
-  // Supplement codeIntent entities with imports for better matching (Bridge enhancement)
-  const imports = extractImports(code);
-  codeIntent.entities.push(...imports);
-
-  const comparison = compareIntents(requestIntent, codeIntent);
-
-  if (comparison.alignmentScore < 60) {
-    issues.push({
-      severity: "medium",
-      type: "Intent Mismatch",
-      message: `Code alignment score: ${comparison.alignmentScore}/100. ${comparison.mismatches.join(", ")}`,
-      file: "generated-code",
-    });
-  }
-
-  return {
-    score: comparison.alignmentScore,
-    issues,
-  };
-}
-
-/**
- * Static Analysis/Quality Check
- */
-function validateQuality(code) {
-  const issues = [];
-  let score = 100;
-
-  // Check for hardcoded secrets
-  if (
-    /['"][a-zA-Z0-9]{20,}['"]/.test(code) &&
-    (code.includes("key") || code.includes("token") || code.includes("secret"))
-  ) {
-    issues.push({
-      severity: "high",
-      type: "Security",
-      message: "Potential hardcoded secret detected",
-      file: "generated-code",
-    });
-  }
-
-  // Check for syntax errors (basic)
-  const openBraces = (code.match(/{/g) || []).length;
-  const closeBraces = (code.match(/}/g) || []).length;
-  if (openBraces !== closeBraces) {
-    issues.push({
-      severity: "critical",
-      type: "Syntax",
-      message: "Unbalanced braces detected",
-      file: "generated-code",
-    });
-  }
-
-  // Check for console.log
-  if (code.includes("console.log")) {
-    issues.push({
-      severity: "low",
-      type: "Quality",
-      message: "Console.log statement detected",
-      file: "generated-code",
-    });
-    score -= 5;
-  }
-
-  return {
-    score: Math.max(0, Math.min(100, score - issues.length * 10)),
-    issues,
-  };
-}
-
-module.exports = {
-  runHallucinationCheck,
-  validateIntent,
-  validateQuality,
-};

package/bin/runners/lib/analysis-core.js

@@ -1,271 +0,0 @@
-/**
- * Analysis Core - Shared analysis engine for Ship and Scan
- * 
- * Consolidates common logic:
- * - Truthpack generation
- * - Finding collection
- * - Verdict calculation
- * - Output formatting
- * 
- * Ship = Fast path (core analyzers only)
- * Scan = Deep path (core + extended analyzers + optional layers)
- */
-
-const path = require("path");
-const fs = require("fs");
-const { buildTruthpack, writeTruthpack, detectFastifyEntry } = require("./truth");
-const {
-  findMissingRoutes,
-  findEnvGaps,
-  findFakeSuccess,
-  findGhostAuth,
-  findStripeWebhookViolations,
-  findPaidSurfaceNotEnforced,
-  findOwnerModeBypass
-} = require("./analyzers");
-const { findingsFromReality } = require("./reality-findings");
-
-// ============================================================================
-// CORE ANALYSIS (Used by both Ship and Scan)
-// ============================================================================
-
-/**
- * Run core analyzers that apply to all projects
- * @param {string} root - Project root path
- * @param {object} truthpack - Generated truthpack
- * @returns {Array} - Array of findings
- */
-function runCoreAnalyzers(root, truthpack) {
-  return [
-    ...findMissingRoutes(truthpack),
-    ...findEnvGaps(truthpack),
-    ...findFakeSuccess(root),
-    ...findGhostAuth(truthpack, root),
-    ...findStripeWebhookViolations(truthpack),
-    ...findPaidSurfaceNotEnforced(truthpack),
-    ...findOwnerModeBypass(root),
-    ...findingsFromReality(root)
-  ];
-}
-
-/**
- * Calculate verdict from findings
- * @param {Array} findings - Array of findings
- * @returns {string} - SHIP | WARN | BLOCK
- */
-function calculateVerdict(findings) {
-  if (findings.some(f => f.severity === "BLOCK")) return "BLOCK";
-  if (findings.some(f => f.severity === "WARN")) return "WARN";
-  return "SHIP";
-}
-
-/**
- * Build proof graph from findings
- * @param {Array} findings - Array of findings
- * @param {object} truthpack - Truthpack data
- * @param {string} root - Project root path
- * @returns {object} - Proof graph
- */
-function buildProofGraph(findings, truthpack, root) {
-  const claims = [];
-  let claimId = 0;
-  
-  for (const finding of findings) {
-    const claim = {
-      id: `claim-${++claimId}`,
-      type: getClaimType(finding.category),
-      assertion: finding.title || finding.message,
-      verified: finding.severity !== 'BLOCK',
-      confidence: finding.confidence === 'high' ? 0.9 : finding.confidence === 'medium' ? 0.7 : 0.5,
-      evidence: (finding.evidence || []).map((e, i) => ({
-        id: `evidence-${claimId}-${i}`,
-        type: 'file_citation',
-        file: e.file,
-        line: parseInt(e.lines?.split('-')[0]) || e.line || 1,
-        snippet: e.snippetHash || '',
-        strength: 0.8,
-        verifiedAt: new Date().toISOString(),
-        method: 'static'
-      })),
-      gaps: [{
-        id: `gap-${claimId}`,
-        type: getGapType(finding.category),
-        description: finding.why || finding.title,
-        severity: finding.severity === 'BLOCK' ? 'critical' : finding.severity === 'WARN' ? 'medium' : 'low',
-        suggestion: (finding.fixHints || [])[0] || ''
-      }],
-      severity: finding.severity === 'BLOCK' ? 'critical' : finding.severity === 'WARN' ? 'medium' : 'low',
-      file: finding.evidence?.[0]?.file || '',
-      line: parseInt(finding.evidence?.[0]?.lines?.split('-')[0]) || 1
-    };
-    claims.push(claim);
-  }
-  
-  const verifiedClaims = claims.filter(c => c.verified);
-  const failedClaims = claims.filter(c => !c.verified);
-  const allGaps = claims.flatMap(c => c.gaps);
-  
-  const riskScore = Math.min(100, failedClaims.reduce((sum, c) => {
-    if (c.severity === 'critical') return sum + 30;
-    if (c.severity === 'high') return sum + 20;
-    if (c.severity === 'medium') return sum + 10;
-    return sum + 5;
-  }, 0));
-  
-  const confidence = claims.length > 0 
-    ? claims.reduce((sum, c) => sum + c.confidence, 0) / claims.length 
-    : 1.0;
-  
-  return {
-    version: '1.0.0',
-    generatedAt: new Date().toISOString(),
-    projectPath: root,
-    claims,
-    summary: {
-      totalClaims: claims.length,
-      verifiedClaims: verifiedClaims.length,
-      failedClaims: failedClaims.length,
-      gaps: allGaps.length,
-      riskScore,
-      confidence
-    },
-    verdict: calculateVerdict(findings),
-    topBlockers: failedClaims.filter(c => c.severity === 'critical' || c.severity === 'high').slice(0, 5),
-    topGaps: allGaps.filter(g => g.severity === 'critical' || g.severity === 'high').slice(0, 5)
-  };
-}
-
-function getClaimType(category) {
-  const map = {
-    'MissingRoute': 'route_exists',
-    'EnvContract': 'env_declared',
-    'FakeSuccess': 'success_verified',
-    'GhostAuth': 'auth_protected',
-    'StripeWebhook': 'billing_enforced',
-    'PaidSurface': 'billing_enforced',
-    'OwnerModeBypass': 'billing_enforced',
-    'DeadUI': 'ui_wired'
-  };
-  return map[category] || 'ui_wired';
-}
-
-function getGapType(category) {
-  const map = {
-    'MissingRoute': 'missing_handler',
-    'EnvContract': 'missing_verification',
-    'FakeSuccess': 'missing_verification',
-    'GhostAuth': 'missing_gate',
-    'StripeWebhook': 'missing_verification',
-    'PaidSurface': 'missing_gate',
-    'OwnerModeBypass': 'missing_gate',
-    'DeadUI': 'missing_handler'
-  };
-  return map[category] || 'untested_path';
-}
-
-// ============================================================================
-// UNIFIED ANALYSIS RUNNER
-// ============================================================================
-
-/**
- * Run unified analysis (used by both ship and scan)
- * @param {object} options - Analysis options
- * @returns {object} - Analysis result with findings, verdict, proofGraph
- */
-async function runAnalysis({ 
-  repoRoot = process.cwd(), 
-  fastifyEntry = null,
-  extended = false,  // If true, run extended analyzers (scan mode)
-  noWrite = false 
-} = {}) {
-  const root = repoRoot;
-  const fastEntry = fastifyEntry || detectFastifyEntry(root);
-
-  // Build truthpack
-  const truthpack = await buildTruthpack({ repoRoot: root, fastifyEntry: fastEntry });
-  if (!noWrite) {
-    writeTruthpack(root, truthpack);
-  }
-
-  // Run core analyzers
-  const findings = runCoreAnalyzers(root, truthpack);
-
-  // Calculate verdict
-  const verdict = calculateVerdict(findings);
-
-  // Build proof graph
-  const proofGraph = buildProofGraph(findings, truthpack, root);
-
-  // Build report
-  const report = {
-    meta: { 
-      generatedAt: new Date().toISOString(), 
-      verdict,
-      mode: extended ? 'scan' : 'ship'
-    },
-    truthpackHash: truthpack.index?.hashes?.truthpackHash,
-    findings,
-    proofGraph: {
-      summary: proofGraph.summary,
-      topBlockers: proofGraph.topBlockers.slice(0, 5),
-      topGaps: proofGraph.topGaps.slice(0, 5)
-    }
-  };
-
-  // Write outputs
-  if (!noWrite) {
-    const outDir = path.join(root, ".vibecheck");
-    fs.mkdirSync(outDir, { recursive: true });
-    fs.writeFileSync(path.join(outDir, "last_ship.json"), JSON.stringify(report, null, 2));
-    fs.writeFileSync(path.join(outDir, "proof-graph.json"), JSON.stringify(proofGraph, null, 2));
-  }
-
-  return { report, truthpack, verdict, proofGraph, findings };
-}
-
-// ============================================================================
-// FINDING UTILITIES
-// ============================================================================
-
-/**
- * Group findings by category
- */
-function groupFindings(findings) {
-  const groups = {};
-  for (const f of findings) {
-    const cat = f.category || 'Other';
-    if (!groups[cat]) groups[cat] = [];
-    groups[cat].push(f);
-  }
-  return groups;
-}
-
-/**
- * Count findings by severity
- */
-function countBySeverity(findings) {
-  return {
-    block: findings.filter(f => f.severity === 'BLOCK').length,
-    warn: findings.filter(f => f.severity === 'WARN').length,
-    info: findings.filter(f => f.severity === 'INFO').length
-  };
-}
-
-/**
- * Get top N blockers
- */
-function getTopBlockers(findings, n = 5) {
-  return findings
-    .filter(f => f.severity === 'BLOCK')
-    .slice(0, n);
-}
-
-module.exports = {
-  runCoreAnalyzers,
-  calculateVerdict,
-  buildProofGraph,
-  runAnalysis,
-  groupFindings,
-  countBySeverity,
-  getTopBlockers
-};