@vibecheckai/cli 3.0.4 → 3.0.7

package/bin/runners/runCtxDiff.js

@@ -0,0 +1,301 @@
+/**
+ * vibecheck ctx diff - Contract Diff
+ * 
+ * Shows detailed changes between current code and contracts.
+ * Useful for reviewing what would change before running ctx sync.
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+const { buildTruthpack, loadTruthpack } = require("./lib/truth");
+const { 
+  buildAllContracts, 
+  loadContracts, 
+  diffAllContracts,
+  hasContractChanges
+} = require("./lib/contracts");
+
+const c = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  cyan: '\x1b[36m',
+  red: '\x1b[31m',
+  blue: '\x1b[34m',
+  magenta: '\x1b[35m',
+};
+
+async function runCtxDiff(opts = {}) {
+  const root = path.resolve(opts.repoRoot || process.cwd());
+
+  console.log(`\n${c.cyan}${c.bold}📊 vibecheck ctx diff${c.reset}`);
+  console.log(`${c.dim}Comparing code against contracts...${c.reset}\n`);
+
+  // Load existing contracts
+  const existingContracts = loadContracts(root);
+  
+  if (Object.keys(existingContracts).length === 0) {
+    console.log(`${c.yellow}⚠️ No contracts found${c.reset}`);
+    console.log(`${c.dim}Run 'vibecheck ctx sync' first to generate contracts${c.reset}\n`);
+    return 0;
+  }
+
+  // Build truthpack
+  let truthpack = loadTruthpack(root);
+  if (!truthpack) {
+    console.log(`${c.dim}Building truthpack...${c.reset}`);
+    truthpack = await buildTruthpack({ repoRoot: root, fastifyEntry: opts.fastifyEntry });
+  }
+
+  // Build new contracts from current code
+  const newContracts = buildAllContracts(truthpack);
+
+  // Calculate diff
+  const diff = diffAllContracts(existingContracts, newContracts);
+
+  // Check if there are changes
+  if (!hasContractChanges(diff)) {
+    console.log(`${c.green}✓${c.reset} No drift detected - contracts match current code\n`);
+    return 0;
+  }
+
+  // Print route diff
+  if (diff.routes) {
+    printRouteDiff(diff.routes, opts.verbose);
+  }
+
+  // Print env diff
+  if (diff.env) {
+    printEnvDiff(diff.env, opts.verbose);
+  }
+
+  // Print auth diff
+  if (diff.auth) {
+    printAuthDiff(diff.auth, opts.verbose);
+  }
+
+  // Print external diff
+  if (diff.external) {
+    printExternalDiff(diff.external, opts.verbose);
+  }
+
+  // Summary
+  const totalAdded = (diff.routes?.added?.length || 0) + 
+                     (diff.env?.added?.length || 0) + 
+                     (diff.auth?.protectedAdded?.length || 0) +
+                     (diff.external?.added?.length || 0);
+  const totalRemoved = (diff.routes?.removed?.length || 0) + 
+                       (diff.env?.removed?.length || 0) + 
+                       (diff.auth?.protectedRemoved?.length || 0) +
+                       (diff.external?.removed?.length || 0);
+  const totalChanged = (diff.routes?.changed?.length || 0) + 
+                       (diff.env?.changed?.length || 0);
+
+  console.log(`\n${c.bold}Summary${c.reset}`);
+  console.log(`  ${c.green}+${totalAdded} added${c.reset}  ${c.red}-${totalRemoved} removed${c.reset}  ${c.yellow}~${totalChanged} changed${c.reset}`);
+  
+  if (totalAdded > 0 || totalRemoved > 0 || totalChanged > 0) {
+    console.log(`\n${c.dim}Run 'vibecheck ctx sync' to update contracts${c.reset}`);
+    console.log(`${c.dim}Run 'vibecheck ship' to see if drift causes BLOCK${c.reset}\n`);
+  }
+
+  // JSON output
+  if (opts.json) {
+    const jsonPath = path.join(root, ".vibecheck", "diff-result.json");
+    fs.mkdirSync(path.dirname(jsonPath), { recursive: true });
+    fs.writeFileSync(jsonPath, JSON.stringify({
+      hasDrift: true,
+      diff,
+      summary: { added: totalAdded, removed: totalRemoved, changed: totalChanged }
+    }, null, 2), "utf8");
+    console.log(`${c.dim}JSON output: .vibecheck/diff-result.json${c.reset}\n`);
+  }
+
+  return totalRemoved > 0 || totalChanged > 0 ? 1 : 0;
+}
+
+function printRouteDiff(diff, verbose) {
+  const hasChanges = diff.added?.length || diff.removed?.length || diff.changed?.length;
+  if (!hasChanges) return;
+
+  console.log(`${c.bold}Routes${c.reset}`);
+  
+  if (diff.added?.length) {
+    console.log(`  ${c.green}+ ${diff.added.length} new routes${c.reset}`);
+    if (verbose) {
+      for (const r of diff.added.slice(0, 10)) {
+        console.log(`    ${c.green}+${c.reset} ${r.method} ${r.path}`);
+      }
+      if (diff.added.length > 10) {
+        console.log(`    ${c.dim}...and ${diff.added.length - 10} more${c.reset}`);
+      }
+    }
+  }
+  
+  if (diff.removed?.length) {
+    console.log(`  ${c.red}- ${diff.removed.length} removed routes${c.reset}`);
+    if (verbose) {
+      for (const r of diff.removed.slice(0, 10)) {
+        console.log(`    ${c.red}-${c.reset} ${r.method} ${r.path}`);
+      }
+      if (diff.removed.length > 10) {
+        console.log(`    ${c.dim}...and ${diff.removed.length - 10} more${c.reset}`);
+      }
+    }
+  }
+  
+  if (diff.changed?.length) {
+    console.log(`  ${c.yellow}~ ${diff.changed.length} changed routes${c.reset}`);
+    if (verbose) {
+      for (const { before, after } of diff.changed.slice(0, 5)) {
+        console.log(`    ${c.yellow}~${c.reset} ${before.path}: auth ${before.auth} → ${after.auth}`);
+      }
+    }
+  }
+}
+
+function printEnvDiff(diff, verbose) {
+  const hasChanges = diff.added?.length || diff.removed?.length || diff.changed?.length;
+  if (!hasChanges) return;
+
+  console.log(`\n${c.bold}Environment Variables${c.reset}`);
+  
+  if (diff.added?.length) {
+    console.log(`  ${c.green}+ ${diff.added.length} new vars${c.reset}`);
+    if (verbose) {
+      for (const v of diff.added.slice(0, 10)) {
+        console.log(`    ${c.green}+${c.reset} ${v.name}${v.required ? ' (required)' : ''}`);
+      }
+    }
+  }
+  
+  if (diff.removed?.length) {
+    console.log(`  ${c.red}- ${diff.removed.length} removed vars${c.reset}`);
+    if (verbose) {
+      for (const v of diff.removed.slice(0, 10)) {
+        console.log(`    ${c.red}-${c.reset} ${v.name}`);
+      }
+    }
+  }
+  
+  if (diff.changed?.length) {
+    console.log(`  ${c.yellow}~ ${diff.changed.length} changed vars${c.reset}`);
+  }
+}
+
+function printAuthDiff(diff, verbose) {
+  const hasChanges = diff.protectedAdded?.length || diff.protectedRemoved?.length;
+  if (!hasChanges) return;
+
+  console.log(`\n${c.bold}Auth Patterns${c.reset}`);
+  
+  if (diff.protectedAdded?.length) {
+    console.log(`  ${c.green}+ ${diff.protectedAdded.length} new protected patterns${c.reset}`);
+    if (verbose) {
+      for (const p of diff.protectedAdded.slice(0, 5)) {
+        console.log(`    ${c.green}+${c.reset} ${p}`);
+      }
+    }
+  }
+  
+  if (diff.protectedRemoved?.length) {
+    console.log(`  ${c.red}- ${diff.protectedRemoved.length} removed patterns (security!)${c.reset}`);
+    if (verbose) {
+      for (const p of diff.protectedRemoved.slice(0, 5)) {
+        console.log(`    ${c.red}-${c.reset} ${p}`);
+      }
+    }
+  }
+}
+
+function printExternalDiff(diff, verbose) {
+  const hasChanges = diff.added?.length || diff.removed?.length;
+  if (!hasChanges) return;
+
+  console.log(`\n${c.bold}External Services${c.reset}`);
+  
+  if (diff.added?.length) {
+    console.log(`  ${c.green}+ ${diff.added.length} new services${c.reset}`);
+    if (verbose) {
+      for (const s of diff.added) {
+        console.log(`    ${c.green}+${c.reset} ${s.name}`);
+      }
+    }
+  }
+  
+  if (diff.removed?.length) {
+    console.log(`  ${c.red}- ${diff.removed.length} removed services${c.reset}`);
+    if (verbose) {
+      for (const s of diff.removed) {
+        console.log(`    ${c.red}-${c.reset} ${s.name}`);
+      }
+    }
+  }
+}
+
+function parseArgs(args) {
+  const opts = {
+    repoRoot: process.cwd(),
+    fastifyEntry: null,
+    json: false,
+    verbose: false,
+    help: false
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--json") opts.json = true;
+    else if (arg === "--verbose" || arg === "-v") opts.verbose = true;
+    else if (arg === "--fastify-entry") opts.fastifyEntry = args[++i];
+    else if (arg === "--path" || arg === "-p") opts.repoRoot = args[++i];
+    else if (arg === "--help" || arg === "-h") opts.help = true;
+  }
+
+  return opts;
+}
+
+function printHelp() {
+  console.log(`
+${c.cyan}${c.bold}📊 vibecheck ctx diff${c.reset} - Contract Diff
+
+Shows what would change if you run 'vibecheck ctx sync'.
+Useful for reviewing drift before committing.
+
+${c.bold}USAGE${c.reset}
+  vibecheck ctx diff                 ${c.dim}# Show drift summary${c.reset}
+  vibecheck ctx diff --verbose       ${c.dim}# Show detailed changes${c.reset}
+  vibecheck ctx diff --json          ${c.dim}# Output JSON${c.reset}
+
+${c.bold}OPTIONS${c.reset}
+  --verbose, -v     Show detailed changes
+  --json            Output JSON to .vibecheck/diff-result.json
+  --fastify-entry   Fastify entry file
+  --path, -p        Project path (default: current directory)
+  --help, -h        Show this help
+
+${c.bold}EXIT CODES${c.reset}
+  0 = No drift (or only additions)
+  1 = Drift detected (removals or changes)
+
+${c.bold}EXAMPLES${c.reset}
+  vibecheck ctx diff                          ${c.dim}# Quick check${c.reset}
+  vibecheck ctx diff -v                       ${c.dim}# Detailed view${c.reset}
+`);
+}
+
+async function main(args) {
+  const opts = parseArgs(args);
+  
+  if (opts.help) {
+    printHelp();
+    return 0;
+  }
+
+  return runCtxDiff(opts);
+}
+
+module.exports = { runCtxDiff, main };

package/bin/runners/runGuard.js

@@ -0,0 +1,168 @@
+/**
+ * vibecheck guard - Unified trust boundary enforcement
+ * 
+ * Combines: validate + claim-verifier + prompt-firewall
+ * 
+ * Usage:
+ *   vibecheck guard                    # Run all checks
+ *   vibecheck guard --claims           # Verify AI claims against truthpack
+ *   vibecheck guard --prompts          # Check for prompt injection
+ *   vibecheck guard --hallucinations   # Detect AI hallucination patterns
+ */
+
+const path = require("path");
+const fs = require("fs");
+
+// Import underlying implementations
+const { runValidate } = require("./runValidate");
+const { runPromptFirewall } = require("./runPromptFirewall");
+
+// ANSI colors
+const c = {
+  reset: "\x1b[0m",
+  dim: "\x1b[2m",
+  bold: "\x1b[1m",
+  cyan: "\x1b[36m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  red: "\x1b[31m",
+  magenta: "\x1b[35m",
+};
+
+function printHelp() {
+  console.log(`
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+  ${c.bold}vibecheck guard${c.reset} - Trust boundary enforcement for AI outputs
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+
+${c.green}USAGE${c.reset}
+  vibecheck guard [options]
+
+${c.yellow}OPTIONS${c.reset}
+  --claims           Verify AI claims against truthpack (route_exists, auth_enforced, etc.)
+  --prompts          Check code for prompt injection vulnerabilities
+  --hallucinations   Detect AI hallucination patterns in generated code
+  --file <path>      Check specific file(s)
+  --json             Output JSON for CI integration
+  --strict           Fail on warnings (default: fail on errors only)
+
+${c.magenta}EXAMPLES${c.reset}
+  vibecheck guard                           # Run all checks
+  vibecheck guard --claims --file api.ts    # Verify claims in specific file
+  vibecheck guard --prompts                 # Prompt injection scan
+  vibecheck guard --json                    # CI-friendly output
+
+${c.dim}This command unifies trust boundary checks for AI-generated code.${c.reset}
+`);
+}
+
+async function runGuard(args = []) {
+  // Parse arguments
+  if (args.includes("--help") || args.includes("-h")) {
+    printHelp();
+    return 0;
+  }
+
+  const runClaims = args.includes("--claims") || (!args.includes("--prompts") && !args.includes("--hallucinations"));
+  const runPrompts = args.includes("--prompts") || (!args.includes("--claims") && !args.includes("--hallucinations"));
+  const runHallucinations = args.includes("--hallucinations") || (!args.includes("--claims") && !args.includes("--prompts"));
+  const jsonOutput = args.includes("--json");
+  const strict = args.includes("--strict");
+
+  const results = {
+    claims: null,
+    prompts: null,
+    hallucinations: null,
+    verdict: "PASS",
+    errors: 0,
+    warnings: 0,
+  };
+
+  console.log(`
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+  ${c.bold}🛡️  VIBECHECK GUARD${c.reset} - Trust Boundary Enforcement
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+`);
+
+  // Run claims verification (validates AI claims against truthpack)
+  if (runClaims) {
+    console.log(`${c.dim}▸ Verifying AI claims against truthpack...${c.reset}`);
+    try {
+      const validateArgs = args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a));
+      const exitCode = await runValidate(validateArgs);
+      results.claims = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
+      if (exitCode !== 0) {
+        results.errors++;
+        results.verdict = "FAIL";
+      }
+      console.log(exitCode === 0 
+        ? `  ${c.green}✓${c.reset} Claims verified` 
+        : `  ${c.red}✗${c.reset} Claim verification failed`);
+    } catch (e) {
+      results.claims = { error: e.message };
+      console.log(`  ${c.yellow}⚠${c.reset} Claims check skipped: ${e.message}`);
+    }
+  }
+
+  // Run prompt injection detection
+  if (runPrompts) {
+    console.log(`${c.dim}▸ Scanning for prompt injection vulnerabilities...${c.reset}`);
+    try {
+      const firewallArgs = args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a));
+      const exitCode = await runPromptFirewall(firewallArgs);
+      results.prompts = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
+      if (exitCode !== 0) {
+        results.warnings++;
+        if (strict) results.verdict = "FAIL";
+      }
+      console.log(exitCode === 0 
+        ? `  ${c.green}✓${c.reset} No prompt injection risks` 
+        : `  ${c.yellow}⚠${c.reset} Prompt injection risks detected`);
+    } catch (e) {
+      results.prompts = { error: e.message };
+      console.log(`  ${c.yellow}⚠${c.reset} Prompt check skipped: ${e.message}`);
+    }
+  }
+
+  // Run hallucination detection
+  if (runHallucinations) {
+    console.log(`${c.dim}▸ Detecting hallucination patterns...${c.reset}`);
+    // Use validate with hallucination focus
+    try {
+      const validateArgs = ["--hallucinations", ...args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a))];
+      const exitCode = await runValidate(validateArgs);
+      results.hallucinations = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
+      if (exitCode !== 0) {
+        results.warnings++;
+        if (strict) results.verdict = "FAIL";
+      }
+      console.log(exitCode === 0 
+        ? `  ${c.green}✓${c.reset} No hallucination patterns` 
+        : `  ${c.yellow}⚠${c.reset} Potential hallucinations detected`);
+    } catch (e) {
+      results.hallucinations = { error: e.message };
+      console.log(`  ${c.yellow}⚠${c.reset} Hallucination check skipped: ${e.message}`);
+    }
+  }
+
+  // Summary
+  console.log(`
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}`);
+  
+  if (results.verdict === "PASS") {
+    console.log(`  ${c.green}${c.bold}✓ GUARD PASS${c.reset} - All trust boundaries intact`);
+  } else {
+    console.log(`  ${c.red}${c.bold}✗ GUARD FAIL${c.reset} - Trust boundary violations detected`);
+  }
+
+  console.log(`${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+`);
+
+  if (jsonOutput) {
+    console.log(JSON.stringify(results, null, 2));
+  }
+
+  return results.verdict === "PASS" ? 0 : (results.errors > 0 ? 2 : 1);
+}
+
+module.exports = { runGuard };

package/bin/runners/runInitGha.js

@@ -6,16 +6,23 @@ function ensureDir(p) {
   fs.mkdirSync(p, { recursive: true });
 }
 
-function workflowYaml({ packageRunner = "npx vibecheck", failOnWarn = false } = {}) {
+function workflowYaml({ packageRunner = "npx vibecheck", failOnWarn = false, policy = "ci" } = {}) {
+  const policyFlag = policy !== "ci" ? `--policy ${policy}` : "--policy ci";
+  const failFlag = failOnWarn ? "--fail-on-warn" : "";
+  
   return `name: vibecheck
 
 on:
   pull_request:
+    types: [opened, synchronize, reopened]
 
 permissions:
   contents: read
   pull-requests: write
 
+env:
+  VIBECHECK_CI: "true"
+
 jobs:
   vibecheck:
     runs-on: ubuntu-latest
@@ -26,7 +33,7 @@ jobs:
         with:
           node-version: 20
 
-      - name: Install deps (auto)
+      - name: Install deps (auto-detect package manager)
         run: |
           set -e
           if [ -f pnpm-lock.yaml ]; then
@@ -41,61 +48,117 @@ jobs:
             npm install
           fi
 
-      - name: vibecheck pr (generate comment)
+      - name: Vibecheck - Build truthpack
+        run: ${packageRunner} ctx ${policyFlag}
+
+      - name: Vibecheck - Generate PR report
         id: vc
         run: |
           set +e
           mkdir -p .vibecheck
-          ${packageRunner} pr --out .vibecheck/pr_comment.md ${failOnWarn ? "--fail-on-warn" : ""}
+          ${packageRunner} pr --out .vibecheck/pr_comment.md ${policyFlag} ${failFlag}
           code=$?
           echo "code=$code" >> $GITHUB_OUTPUT
+          echo "verdict=$code" >> $GITHUB_ENV
           echo "---- vibecheck exit code: $code ----"
+          # Generate HTML report
+          ${packageRunner} ship --html || true
           exit 0
 
       - name: Post PR comment
+        if: github.event_name == 'pull_request'
         uses: actions/github-script@v7
         with:
           script: |
             const fs = require('fs');
-            const body = fs.readFileSync('.vibecheck/pr_comment.md', 'utf8');
+            const commentPath = '.vibecheck/pr_comment.md';
+            if (!fs.existsSync(commentPath)) {
+              core.warning('No PR comment generated');
+              return;
+            }
+            const body = fs.readFileSync(commentPath, 'utf8');
             const pr = context.payload.pull_request;
-            if (!pr) { core.warning('No pull_request in context; skipping comment'); return; }
-            await github.rest.issues.createComment({
+            if (!pr) {
+              core.warning('No pull_request in context; skipping comment');
+              return;
+            }
+            
+            // Find existing vibecheck comment to update
+            const { data: comments } = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: pr.number,
-              body
             });
+            const existingComment = comments.find(c => 
+              c.body.includes('Vibecheck:') && c.user.type === 'Bot'
+            );
+            
+            if (existingComment) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existingComment.id,
+                body
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                body
+              });
+            }
+
+      - name: Upload artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: vibecheck-report
+          path: |
+            .vibecheck/last_ship.json
+            .vibecheck/last_ship.html
+            .vibecheck/pr_comment.md
+            .vibecheck/contracts_diff.json
+          retention-days: 30
+          if-no-files-found: ignore
 
       - name: Enforce verdict
         run: |
           code="\${{ steps.vc.outputs.code }}"
-          echo "vibecheck code=$code"
+          echo "vibecheck verdict code: $code"
           if [ "$code" = "0" ]; then
-            echo "SHIP/WARN allowed."
+            echo "✅ SHIP - All checks passed"
             exit 0
           fi
           if [ "$code" = "1" ]; then
-            echo "WARN failing (policy)."
+            echo "⚠️ WARN - Warnings found (failing per policy)"
+            exit 1
+          fi
+          if [ "$code" = "2" ]; then
+            echo "🚫 BLOCK - Blocking issues found"
             exit 1
           fi
-          echo "BLOCK failing."
+          echo "❓ Unknown exit code"
           exit 1
 `;
 }
 
-async function runInitGha({ repoRoot, failOnWarn = false } = {}) {
+async function runInitGha({ repoRoot, failOnWarn = false, policy = "ci" } = {}) {
   const root = repoRoot || process.cwd();
   const wfDir = path.join(root, ".github", "workflows");
   ensureDir(wfDir);
 
   const wfPath = path.join(wfDir, "vibecheck.yml");
-  fs.writeFileSync(wfPath, workflowYaml({ failOnWarn }), "utf8");
+  fs.writeFileSync(wfPath, workflowYaml({ failOnWarn, policy }), "utf8");
 
   console.log(`✅ Wrote: ${path.relative(root, wfPath).replace(/\\/g, "/")}`);
+  console.log(`\nPolicy: ${policy}`);
+  console.log(`Fail on warn: ${failOnWarn}`);
   console.log(`\nNotes:`);
   console.log(`- If your CLI isn't called via "npx vibecheck", edit the workflow line.`);
   console.log(`- Set VIBECHECK_API_KEY as a GitHub Actions secret for cloud features.`);
+  console.log(`- Artifacts (JSON + HTML reports) uploaded automatically.`);
+  console.log(`- PR comments auto-updated on each push.`);
 }
 
-module.exports = { runInitGha };
+module.exports = { runInitGha, workflowYaml };