@vibecheckai/cli 3.0.4 → 3.0.7

package/bin/runners/lib/schemas/validator.js

@@ -0,0 +1,438 @@
+/**
+ * Schema Validator v2
+ * 
+ * Validates artifacts against JSON schemas and provides
+ * consistent finding/evidence generation.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+// Schema cache
+const schemaCache = new Map();
+
+// Schema IDs
+const SCHEMAS = {
+  FINDING: "finding.schema.json",
+  SHIP_REPORT: "ship-report.schema.json",
+  REALITY_REPORT: "reality-report.schema.json",
+  TRUTHPACK_V2: "truthpack-v2.schema.json",
+  CONTRACTS: "contracts.schema.json",
+  PROOF_GRAPH: "proof-graph.schema.json",
+  MISSION_PACK: "mission-pack.schema.json",
+  SHARE_PACK: "share-pack.schema.json",
+};
+
+// =============================================================================
+// SCHEMA LOADING
+// =============================================================================
+
+/**
+ * Load a schema by ID
+ */
+function loadSchema(schemaId) {
+  if (schemaCache.has(schemaId)) {
+    return schemaCache.get(schemaId);
+  }
+
+  const schemaPath = path.join(__dirname, schemaId);
+  if (!fs.existsSync(schemaPath)) {
+    return null;
+  }
+
+  try {
+    const schema = JSON.parse(fs.readFileSync(schemaPath, "utf8"));
+    schemaCache.set(schemaId, schema);
+    return schema;
+  } catch (e) {
+    console.error(`Failed to load schema ${schemaId}:`, e.message);
+    return null;
+  }
+}
+
+/**
+ * Simple JSON Schema validator (subset of draft 2020-12)
+ * For production, use Ajv - this is a minimal implementation
+ */
+function validateAgainstSchema(data, schema, path = "") {
+  const errors = [];
+
+  if (!schema || !data) {
+    return errors;
+  }
+
+  // Type check
+  if (schema.type) {
+    let actualType = Array.isArray(data) ? "array" : typeof data;
+    
+    // Handle integer type - JavaScript has no integer type, only number
+    // Treat whole numbers as integers for schema validation
+    if (actualType === "number" && Number.isInteger(data)) {
+      actualType = "integer";
+    }
+    
+    const allowedTypes = Array.isArray(schema.type) ? schema.type : [schema.type];
+    
+    // Allow integer where number is expected, and vice versa for whole numbers
+    const typeMatches = allowedTypes.some(t => {
+      if (t === actualType) return true;
+      if (t === "integer" && actualType === "number" && Number.isInteger(data)) return true;
+      if (t === "number" && actualType === "integer") return true;
+      if (t === "null" && data === null) return true;
+      return false;
+    });
+    
+    if (!typeMatches) {
+      errors.push({
+        path,
+        message: `Expected ${allowedTypes.join("|")}, got ${actualType}`,
+        keyword: "type",
+      });
+      return errors; // Stop on type mismatch
+    }
+  }
+
+  // Const check
+  if (schema.const !== undefined && data !== schema.const) {
+    errors.push({
+      path,
+      message: `Expected constant "${schema.const}", got "${data}"`,
+      keyword: "const",
+    });
+  }
+
+  // Enum check
+  if (schema.enum && !schema.enum.includes(data)) {
+    errors.push({
+      path,
+      message: `Value must be one of: ${schema.enum.join(", ")}`,
+      keyword: "enum",
+    });
+  }
+
+  // Pattern check
+  if (schema.pattern && typeof data === "string") {
+    const regex = new RegExp(schema.pattern);
+    if (!regex.test(data)) {
+      errors.push({
+        path,
+        message: `String must match pattern: ${schema.pattern}`,
+        keyword: "pattern",
+      });
+    }
+  }
+
+  // Required properties
+  if (schema.required && typeof data === "object" && !Array.isArray(data)) {
+    for (const prop of schema.required) {
+      if (!(prop in data)) {
+        errors.push({
+          path: path ? `${path}.${prop}` : prop,
+          message: `Required property "${prop}" is missing`,
+          keyword: "required",
+        });
+      }
+    }
+  }
+
+  // Object properties
+  if (schema.properties && typeof data === "object" && !Array.isArray(data)) {
+    for (const [key, propSchema] of Object.entries(schema.properties)) {
+      if (key in data) {
+        const propPath = path ? `${path}.${key}` : key;
+        errors.push(...validateAgainstSchema(data[key], propSchema, propPath));
+      }
+    }
+  }
+
+  // Array items
+  if (schema.items && Array.isArray(data)) {
+    for (let i = 0; i < data.length; i++) {
+      const itemPath = `${path}[${i}]`;
+      errors.push(...validateAgainstSchema(data[i], schema.items, itemPath));
+    }
+  }
+
+  // Min/max length
+  if (schema.maxLength && typeof data === "string" && data.length > schema.maxLength) {
+    errors.push({
+      path,
+      message: `String length must be <= ${schema.maxLength}`,
+      keyword: "maxLength",
+    });
+  }
+
+  // Min/max for numbers
+  if (schema.minimum !== undefined && typeof data === "number" && data < schema.minimum) {
+    errors.push({
+      path,
+      message: `Value must be >= ${schema.minimum}`,
+      keyword: "minimum",
+    });
+  }
+  if (schema.maximum !== undefined && typeof data === "number" && data > schema.maximum) {
+    errors.push({
+      path,
+      message: `Value must be <= ${schema.maximum}`,
+      keyword: "maximum",
+    });
+  }
+
+  return errors;
+}
+
+// =============================================================================
+// ARTIFACT VALIDATION
+// =============================================================================
+
+/**
+ * Validate an artifact file against its schema
+ */
+function validateArtifact(filePath, schemaId) {
+  const schema = loadSchema(schemaId);
+  if (!schema) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Schema ${schemaId} not found`, keyword: "schema" }],
+    };
+  }
+
+  let data;
+  try {
+    data = JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch (e) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Failed to read/parse file: ${e.message}`, keyword: "parse" }],
+    };
+  }
+
+  const errors = validateAgainstSchema(data, schema);
+  return {
+    valid: errors.length === 0,
+    errors,
+    data,
+  };
+}
+
+/**
+ * Validate and write artifact with schema check
+ */
+function writeValidatedArtifact(filePath, data, schemaId) {
+  const schema = loadSchema(schemaId);
+  
+  if (schema) {
+    const errors = validateAgainstSchema(data, schema);
+    if (errors.length > 0) {
+      console.warn(`Warning: Artifact ${filePath} has ${errors.length} schema violations:`);
+      errors.slice(0, 5).forEach(e => console.warn(`  - ${e.path}: ${e.message}`));
+    }
+  }
+
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+  
+  return { written: true, path: filePath };
+}
+
+// =============================================================================
+// FINDING GENERATION
+// =============================================================================
+
+/**
+ * Generate stable fingerprint for deduplication
+ */
+function generateFingerprint(parts) {
+  const content = parts.filter(Boolean).join("|");
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+
+/**
+ * Generate finding ID
+ */
+function generateFindingId(detectorId, fingerprint) {
+  return `F_${detectorId}_${fingerprint.slice(0, 8).toUpperCase()}`;
+}
+
+/**
+ * Generate evidence ID
+ */
+function generateEvidenceId(fingerprint) {
+  return `E_${fingerprint.slice(0, 12).toUpperCase()}`;
+}
+
+/**
+ * Create a spec-compliant finding
+ */
+function createFinding(options = {}) {
+  const {
+    detectorId,
+    severity = "WARN",
+    category = "Routes",
+    scope = "client",
+    title,
+    why,
+    confidence = "medium",
+    evidence = [],
+    repro = null,
+    related = [],
+    proofNode = null,
+    missionType = null,
+    // For fingerprint generation
+    file = null,
+    path: routePath = null,
+    method = null,
+  } = options;
+
+  const fingerprint = generateFingerprint([
+    detectorId,
+    file,
+    routePath,
+    method,
+    title,
+  ]);
+
+  return {
+    id: generateFindingId(detectorId, fingerprint),
+    detectorId,
+    fingerprint: `sha256:${fingerprint}`,
+    severity,
+    category,
+    scope,
+    title,
+    why,
+    confidence,
+    evidence: evidence.map((e, i) => ({
+      id: e.id || generateEvidenceId(fingerprint + i),
+      kind: e.kind || "file",
+      ...e,
+    })),
+    repro,
+    related,
+    proofNode,
+    missionType,
+  };
+}
+
+/**
+ * Create file evidence
+ */
+function createFileEvidence(options = {}) {
+  const { file, lines, snippetHash, reason } = options;
+  const fp = generateFingerprint([file, lines, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "file",
+    file,
+    lines,
+    snippetHash,
+    reason,
+  };
+}
+
+/**
+ * Create runtime evidence
+ */
+function createRuntimeEvidence(options = {}) {
+  const { url, httpStatus, reason, data } = options;
+  const fp = generateFingerprint([url, httpStatus, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "request",
+    url,
+    httpStatus,
+    reason,
+    data,
+  };
+}
+
+// =============================================================================
+// SEVERITY POLICY
+// =============================================================================
+
+const SEVERITY_POLICY = {
+  // Route issues
+  ROUTE_MISSING: { default: "BLOCK", withRuntimeProof: "BLOCK" },
+  ROUTE_404: { default: "BLOCK" },
+  ROUTE_405: { default: "WARN" },
+  
+  // Auth issues
+  AUTH_BYPASS: { default: "BLOCK" },
+  AUTH_MISSING: { default: "WARN", criticalPath: "BLOCK" },
+  
+  // Fake success
+  FAKE_SUCCESS: { default: "BLOCK" },
+  SUCCESS_TOAST_NO_CHANGE: { default: "BLOCK" },
+  SUCCESS_BEFORE_REQUEST: { default: "BLOCK" },
+  
+  // Dead UI
+  DEAD_CLICK: { default: "BLOCK" },
+  NO_FEEDBACK: { default: "WARN" },
+  
+  // Contract drift
+  CONTRACT_DRIFT_ROUTE: { default: "WARN", blocking: "BLOCK" },
+  CONTRACT_DRIFT_ENV: { default: "WARN", required: "BLOCK" },
+  CONTRACT_DRIFT_AUTH: { default: "BLOCK" },
+  
+  // Billing
+  STRIPE_WEBHOOK_UNVERIFIED: { default: "BLOCK" },
+  PAID_SURFACE_UNENFORCED: { default: "BLOCK" },
+  
+  // Security
+  OWNER_MODE_BYPASS: { default: "BLOCK" },
+  HARDCODED_SECRET: { default: "BLOCK" },
+};
+
+/**
+ * Get severity based on policy
+ */
+function getSeverity(issueType, context = {}) {
+  const policy = SEVERITY_POLICY[issueType];
+  if (!policy) return "WARN";
+
+  // Check context-specific overrides
+  if (context.hasRuntimeProof && policy.withRuntimeProof) {
+    return policy.withRuntimeProof;
+  }
+  if (context.isCriticalPath && policy.criticalPath) {
+    return policy.criticalPath;
+  }
+  if (context.isBlocking && policy.blocking) {
+    return policy.blocking;
+  }
+  if (context.isRequired && policy.required) {
+    return policy.required;
+  }
+
+  return policy.default;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  // Schema operations
+  SCHEMAS,
+  loadSchema,
+  validateAgainstSchema,
+  validateArtifact,
+  writeValidatedArtifact,
+  
+  // Finding generation
+  generateFingerprint,
+  generateFindingId,
+  generateEvidenceId,
+  createFinding,
+  createFileEvidence,
+  createRuntimeEvidence,
+  
+  // Severity policy
+  SEVERITY_POLICY,
+  getSeverity,
+};