npm - @vibecheckai/cli - Versions diffs - 3.0.4 → 3.0.7 - Mend

@vibecheckai/cli 3.0.4 → 3.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (108) hide show

package/bin/dev/run-v2-torture.js +30 -0
package/bin/runners/context/index.js +1 -1
package/bin/runners/lib/analyzers.js +38 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/contracts/auth-contract.js +8 -0
package/bin/runners/lib/contracts/env-contract.js +3 -0
package/bin/runners/lib/contracts/external-contract.js +10 -2
package/bin/runners/lib/contracts/route-contract.js +7 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/detectors-v2.js +703 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/entitlements-v2.js +3 -1
package/bin/runners/lib/entitlements.js +11 -3
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/missions/templates.js +45 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/report-html.js +5 -0
package/bin/runners/lib/report-templates.js +5 -0
package/bin/runners/lib/report.js +135 -0
package/bin/runners/lib/route-truth.js +10 -10
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +438 -0
package/bin/runners/lib/ui.js +562 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/runAIAgent.js +228 -1
package/bin/runners/runBadge.js +181 -1
package/bin/runners/runCtx.js +7 -2
package/bin/runners/runCtxDiff.js +301 -0
package/bin/runners/runGuard.js +168 -0
package/bin/runners/runInitGha.js +78 -15
package/bin/runners/runLabs.js +341 -0
package/bin/runners/runLaunch.js +180 -1
package/bin/runners/runMdc.js +203 -1
package/bin/runners/runProof.zip +0 -0
package/bin/runners/runProve.js +23 -0
package/bin/runners/runReplay.js +114 -84
package/bin/runners/runScan.js +111 -32
package/bin/runners/runShip.js +23 -2
package/bin/runners/runTruthpack.js +9 -7
package/bin/runners/runValidate.js +161 -1
package/bin/vibecheck.js +416 -770
package/mcp-server/.guardrail/audit/audit.log.jsonl +2 -0
package/mcp-server/.specs/architecture.mdc +90 -0
package/mcp-server/.specs/security.mdc +30 -0
package/mcp-server/README.md +252 -0
package/mcp-server/agent-checkpoint.js +364 -0
package/mcp-server/architect-tools.js +707 -0
package/mcp-server/audit-mcp.js +206 -0
package/mcp-server/codebase-architect-tools.js +838 -0
package/mcp-server/consolidated-tools.js +804 -0
package/mcp-server/hygiene-tools.js +428 -0
package/mcp-server/index-v1.js +698 -0
package/mcp-server/index.js +2092 -0
package/mcp-server/index.old.js +4137 -0
package/mcp-server/intelligence-tools.js +664 -0
package/mcp-server/intent-drift-tools.js +873 -0
package/mcp-server/mdc-generator.js +298 -0
package/mcp-server/package-lock.json +165 -0
package/mcp-server/package.json +47 -0
package/mcp-server/premium-tools.js +1275 -0
package/mcp-server/test-mcp.js +108 -0
package/mcp-server/test-tools.js +36 -0
package/mcp-server/tier-auth.js +147 -0
package/mcp-server/tools/index.js +72 -0
package/mcp-server/tools-reorganized.ts +244 -0
package/mcp-server/truth-context.js +581 -0
package/mcp-server/truth-firewall-tools.js +1500 -0
package/mcp-server/vibecheck-2.0-tools.js +748 -0
package/mcp-server/vibecheck-tools.js +1075 -0
package/package.json +10 -8
package/bin/guardrail.js +0 -834
package/bin/runners/runAudit.js +0 -2
package/bin/runners/runAutopilot.js +0 -2
package/bin/runners/runCertify.js +0 -2
package/bin/runners/runDashboard.js +0 -10
package/bin/runners/runEnhancedShip.js +0 -2
package/bin/runners/runFixPacks.js +0 -2
package/bin/runners/runNaturalLanguage.js +0 -3
package/bin/runners/runProof.js +0 -2
package/bin/runners/runRealitySniff.js +0 -2
package/bin/runners/runUpgrade.js +0 -2
package/bin/runners/runVerifyAgentOutput.js +0 -2

package/bin/runners/lib/findings-schema.js ADDED Viewed

@@ -0,0 +1,281 @@
+/**
+ * Findings Schema v2
+ *
+ * Per spec section 7.1, findings must include:
+ * - fingerprint: stable hash for dedupe across runs
+ * - scope: client|server|runtime|contracts
+ * - repro: minimal reproduction steps (for runtime findings)
+ * - related: linked finding IDs
+ *
+ * This module provides helpers to create and validate v2 findings.
+ */
+"use strict";
+const crypto = require("crypto");
+/**
+ * Generate a stable fingerprint for a finding
+ * Used for dedupe across runs - same issue = same fingerprint
+ */
+function generateFingerprint(category, ...identifiers) {
+  const data = [category, ...identifiers.filter(Boolean)].join("|");
+  return crypto.createHash("sha256").update(data).digest("hex").slice(0, 12);
+}
+/**
+ * Infer scope from finding category and evidence
+ */
+function inferScope(category, evidence = []) {
+  const scopeMap = {
+    // Client-side findings
+    'DeadUI': 'runtime',
+    'FakeSuccess': 'client',
+    // Server-side findings
+    'MissingRoute': 'server',
+    'GhostAuth': 'server',
+    'StripeWebhook': 'server',
+    'PaidSurface': 'server',
+    'OwnerModeBypass': 'server',
+    // Contract findings
+    'ContractDrift': 'contracts',
+    'EnvContract': 'contracts',
+    // Runtime findings
+    'AuthCoverage': 'runtime',
+    'RouteCoverage': 'runtime',
+  };
+  return scopeMap[category] || 'server';
+}
+/**
+ * Create a v2-compliant finding
+ */
+function createFinding({
+  id,
+  category,
+  type,
+  severity,
+  title,
+  message,
+  why,
+  confidence = 'med',
+  evidence = [],
+  fixHints = [],
+  repro = null,
+  related = [],
+  scope = null,
+  source = null,
+}) {
+  // Generate stable fingerprint
+  const fingerprint = generateFingerprint(
+    category,
+    type || title,
+    evidence[0]?.file,
+    evidence[0]?.lines
+  );
+  // Infer scope if not provided
+  const resolvedScope = scope || inferScope(category, evidence);
+  return {
+    // Core fields
+    id: id || `F_${category.toUpperCase()}_${fingerprint}`,
+    category,
+    type: type || category.toLowerCase(),
+    severity,
+    title,
+    message: message || title,
+    why,
+    confidence,
+    // Evidence
+    evidence,
+    fixHints,
+    // v2 fields (spec 7.1)
+    fingerprint,
+    scope: resolvedScope,
+    repro: repro || null,
+    related: related || [],
+    // Metadata
+    source: source || 'static',
+    createdAt: new Date().toISOString(),
+  };
+}
+/**
+ * Create a runtime finding with reproduction steps
+ */
+function createRuntimeFinding({
+  category,
+  type,
+  severity,
+  title,
+  why,
+  url,
+  action,
+  expected,
+  actual,
+  screenshot = null,
+  trace = null,
+  evidence = [],
+  related = [],
+}) {
+  const repro = {
+    url,
+    steps: [
+      `Navigate to ${url}`,
+      action ? `Action: ${action}` : null,
+      `Expected: ${expected}`,
+      `Actual: ${actual}`,
+    ].filter(Boolean),
+    screenshot,
+    trace,
+  };
+  return createFinding({
+    category,
+    type,
+    severity,
+    title,
+    why,
+    evidence,
+    related,
+    repro,
+    scope: 'runtime',
+    source: 'reality',
+  });
+}
+/**
+ * Create a contract drift finding
+ */
+function createDriftFinding({
+  type,
+  severity,
+  title,
+  message,
+  subject,
+  contractFile,
+  evidence = [],
+}) {
+  return createFinding({
+    category: 'ContractDrift',
+    type,
+    severity,
+    title,
+    message,
+    why: 'Contracts are the source of truth. Drift causes AI hallucinations.',
+    evidence: evidence.length > 0 ? evidence : [{
+      file: `.vibecheck/contracts/${contractFile || 'contracts'}`,
+      lines: '1',
+      reason: title,
+    }],
+    fixHints: [
+      "Run 'vibecheck ctx sync' to update contracts",
+      "Or revert the code change if unintended",
+    ],
+    scope: 'contracts',
+    source: 'drift',
+  });
+}
+/**
+ * Link related findings
+ */
+function linkFindings(findings) {
+  // Group findings by file
+  const byFile = new Map();
+  for (const f of findings) {
+    for (const ev of f.evidence || []) {
+      if (ev.file) {
+        if (!byFile.has(ev.file)) byFile.set(ev.file, []);
+        byFile.get(ev.file).push(f.id);
+      }
+    }
+  }
+  // Link findings that share files
+  for (const f of findings) {
+    const relatedIds = new Set();
+    for (const ev of f.evidence || []) {
+      if (ev.file && byFile.has(ev.file)) {
+        for (const id of byFile.get(ev.file)) {
+          if (id !== f.id) relatedIds.add(id);
+        }
+      }
+    }
+    f.related = [...relatedIds].slice(0, 5); // Max 5 related
+  }
+  return findings;
+}
+/**
+ * Validate a finding against v2 schema
+ */
+function validateFinding(finding) {
+  const errors = [];
+  // Required fields
+  if (!finding.id) errors.push('Missing id');
+  if (!finding.category) errors.push('Missing category');
+  if (!finding.severity) errors.push('Missing severity');
+  if (!['BLOCK', 'WARN', 'INFO'].includes(finding.severity)) {
+    errors.push(`Invalid severity: ${finding.severity}`);
+  }
+  if (!finding.title) errors.push('Missing title');
+  // v2 fields
+  if (!finding.fingerprint) errors.push('Missing fingerprint (v2)');
+  if (!finding.scope) errors.push('Missing scope (v2)');
+  if (!['client', 'server', 'runtime', 'contracts'].includes(finding.scope)) {
+    errors.push(`Invalid scope: ${finding.scope}`);
+  }
+  return {
+    valid: errors.length === 0,
+    errors,
+  };
+}
+/**
+ * Migrate a v1 finding to v2 format
+ */
+function migrateFindingToV2(finding) {
+  // Already has fingerprint = already v2
+  if (finding.fingerprint && finding.scope) {
+    return finding;
+  }
+  // Generate fingerprint
+  const fingerprint = generateFingerprint(
+    finding.category || 'Unknown',
+    finding.type || finding.title,
+    finding.evidence?.[0]?.file
+  );
+  return {
+    ...finding,
+    fingerprint,
+    scope: finding.scope || inferScope(finding.category, finding.evidence),
+    repro: finding.repro || null,
+    related: finding.related || [],
+  };
+}
+module.exports = {
+  generateFingerprint,
+  inferScope,
+  createFinding,
+  createRuntimeFinding,
+  createDriftFinding,
+  linkFindings,
+  validateFinding,
+  migrateFindingToV2,
+};