@vibecheckai/cli 3.1.0 → 3.1.2

package/bin/runners/lib/truth.js

@@ -1,667 +1,667 @@
-// bin/runners/lib/truth.js
-const fg = require("fast-glob");
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-const parser = require("@babel/parser");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-
-// Env Truth v1
-const { buildEnvTruth } = require("./env");
-// Auth Truth v1
-const { buildAuthTruth } = require("./auth-truth");
-// Billing Truth v1
-const { buildBillingTruth } = require("./billing");
-// Enforcement Truth v1
-const { buildEnforcementTruth } = require("./enforcement");
-// Multi-framework route detection v2
-const { resolveAllRoutes, detectFrameworks } = require("./route-detection");
-
-// ---------- helpers ----------
-function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
-}
-
-function canonicalizeMethod(m) {
-  const u = String(m || "").toUpperCase();
-  if (u === "ALL" || u === "ANY" || u === "*") return "*";
-  return u;
-}
-
-function canonicalizePath(p) {
-  let s = String(p || "").trim();
-  if (!s.startsWith("/")) s = "/" + s;
-  s = s.replace(/\/+/g, "/");
-
-  // Next dynamic segments
-  s = s.replace(/\[\[\.{3}([^\]]+)\]\]/g, "*$1?"); // [[...slug]] -> *slug?
-  s = s.replace(/\[\.{3}([^\]]+)\]/g, "*$1");     // [...slug]  -> *slug
-  s = s.replace(/\[([^\]]+)\]/g, ":$1");          // [id]       -> :id
-
-  if (s.length > 1) s = s.replace(/\/$/, "");
-  return s;
-}
-
-function joinPaths(prefix, p) {
-  const a = canonicalizePath(prefix || "/");
-  const b = canonicalizePath(p || "/");
-  if (a === "/") return b;
-  if (b === "/") return a;
-  return canonicalizePath(a + "/" + b);
-}
-
-function parseFile(code) {
-  return parser.parse(code, { sourceType: "unambiguous", plugins: ["typescript", "jsx"] });
-}
-
-function safeRead(fileAbs) {
-  return fs.readFileSync(fileAbs, "utf8");
-}
-
-function ensureDir(p) {
-  fs.mkdirSync(p, { recursive: true });
-}
-
-function evidenceFromLoc({ fileAbs, fileRel, loc, reason }) {
-  if (!loc) return null;
-  const lines = fs.readFileSync(fileAbs, "utf8").split(/\r?\n/);
-  const start = Math.max(1, loc.start?.line || 1);
-  const end = Math.max(start, loc.end?.line || start);
-  const snippet = lines.slice(start - 1, end).join("\n");
-  return {
-    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-    file: fileRel,
-    lines: `${start}-${end}`,
-    snippetHash: sha256(snippet),
-    reason
-  };
-}
-
-// ---------- Next: app router API ----------
-const HTTP_EXPORTS = new Set(["GET","POST","PUT","PATCH","DELETE","OPTIONS","HEAD"]);
-
-async function resolveNextAppApiRoutes(repoRoot) {
-  const files = await fg(["**/app/api/**/route.@(ts|js)"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
-  });
-
-  const out = [];
-
-  for (const fileAbs of files) {
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-    const idx = fileRel.indexOf("app/api/");
-    const sub = fileRel.slice(idx + "app/api/".length).replace(/\/route\.(ts|js)$/, "");
-    const routePath = canonicalizePath("/api/" + sub);
-
-    const code = safeRead(fileAbs);
-    let ast;
-    try { ast = parseFile(code); } catch { continue; }
-
-    const methods = [];
-    traverse(ast, {
-      ExportNamedDeclaration(p) {
-        const decl = p.node.declaration;
-        if (t.isFunctionDeclaration(decl) && decl.id?.name) {
-          const n = decl.id.name.toUpperCase();
-          if (HTTP_EXPORTS.has(n)) methods.push({ method: n, loc: decl.loc });
-        }
-      }
-    });
-
-    if (methods.length === 0) {
-      out.push({ method: "*", path: routePath, handler: fileRel, confidence: "low", evidence: [] });
-      continue;
-    }
-
-    for (const m of methods) {
-      const ev = evidenceFromLoc({
-        fileAbs, fileRel, loc: m.loc,
-        reason: `Next app router export ${m.method}` 
-      });
-      out.push({
-        method: m.method,
-        path: routePath,
-        handler: fileRel,
-        confidence: "high",
-        evidence: ev ? [ev] : []
-      });
-    }
-  }
-
-  return out;
-}
-
-// ---------- Next: pages router API ----------
-async function resolveNextPagesApiRoutes(repoRoot) {
-  const files = await fg(["**/pages/api/**/*.@(ts|js)"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
-  });
-
-  const out = [];
-  for (const fileAbs of files) {
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-    const idx = fileRel.indexOf("pages/api/");
-    const sub = fileRel.slice(idx + "pages/api/".length).replace(/\.(ts|js)$/, "");
-    const routePath = canonicalizePath("/api/" + sub);
-
-    out.push({
-      method: "*",
-      path: routePath,
-      handler: fileRel,
-      confidence: "med",
-      evidence: []
-    });
-  }
-  return out;
-}
-
-// ---------- minimal relative module resolver ----------
-function exists(p) {
-  try { return fs.statSync(p).isFile(); } catch { return false; }
-}
-function resolveRelativeModule(fromFileAbs, spec) {
-  if (!spec || (!spec.startsWith("./") && !spec.startsWith("../"))) return null;
-  const base = path.resolve(path.dirname(fromFileAbs), spec);
-  const candidates = [
-    base,
-    base + ".ts",
-    base + ".js",
-    path.join(base, "index.ts"),
-    path.join(base, "index.js")
-  ];
-  for (const c of candidates) if (exists(c)) return c;
-  return null;
-}
-
-// ---------- Fastify route extraction ----------
-const FASTIFY_METHODS = new Set(["get","post","put","patch","delete","options","head","all"]);
-
-function isFastifyMethod(name) {
-  return FASTIFY_METHODS.has(name);
-}
-
-function extractStringLiteral(node) {
-  return t.isStringLiteral(node) ? node.value : null;
-}
-
-function extractPrefixFromOpts(node) {
-  if (!t.isObjectExpression(node)) return null;
-  for (const p of node.properties) {
-    if (!t.isObjectProperty(p)) continue;
-    const key =
-      t.isIdentifier(p.key) ? p.key.name :
-      t.isStringLiteral(p.key) ? p.key.value :
-      null;
-    if (key === "prefix" && t.isStringLiteral(p.value)) return p.value.value;
-  }
-  return null;
-}
-
-function extractRouteObject(objExpr) {
-  let url = null;
-  let methods = [];
-  let hasHandler = false;
-  const hooks = [];
-
-  for (const p of objExpr.properties) {
-    if (!t.isObjectProperty(p)) continue;
-
-    const key =
-      t.isIdentifier(p.key) ? p.key.name :
-      t.isStringLiteral(p.key) ? p.key.value :
-      null;
-    if (!key) continue;
-
-    if (key === "url" && t.isStringLiteral(p.value)) url = p.value.value;
-
-    if (key === "method") {
-      if (t.isStringLiteral(p.value)) methods = [p.value.value];
-      if (t.isArrayExpression(p.value)) {
-        methods = p.value.elements.filter(e => t.isStringLiteral(e)).map(e => e.value);
-      }
-    }
-
-    if (key === "handler") hasHandler = true;
-    if (["preHandler","onRequest","preValidation","preSerialization"].includes(key)) hooks.push(key);
-  }
-
-  return { url, methods, hasHandler, hooks };
-}
-
-function resolveFastifyRoutes(repoRoot, entryAbs) {
-  const seen = new Set();
-  const routes = [];
-  const gaps = [];
-
-  function scanFile(fileAbs, prefix) {
-    if (!fileAbs || seen.has(fileAbs)) return;
-    seen.add(fileAbs);
-
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-    const code = safeRead(fileAbs);
-
-    let ast;
-    try { ast = parseFile(code); } catch { return; }
-
-    // best-effort: fastify instance identifiers
-    const fastifyNames = new Set(["fastify"]);
-
-    traverse(ast, {
-      VariableDeclarator(p) {
-        if (!t.isIdentifier(p.node.id)) return;
-        const id = p.node.id.name;
-        const init = p.node.init;
-        if (!init) return;
-        if (t.isCallExpression(init) && t.isIdentifier(init.callee)) {
-          const cal = init.callee.name;
-          if (cal === "Fastify" || cal === "fastify") fastifyNames.add(id);
-        }
-      }
-    });
-
-    // helper: resolve imports for register(pluginIdent,...)
-    function resolveImportSpecForLocal(localName) {
-      let spec = null;
-
-      traverse(ast, {
-        ImportDeclaration(ip) {
-          for (const s of ip.node.specifiers) {
-            if ((t.isImportDefaultSpecifier(s) || t.isImportSpecifier(s)) && s.local.name === localName) {
-              spec = ip.node.source.value;
-            }
-          }
-        },
-        VariableDeclarator(vp) {
-          if (!t.isIdentifier(vp.node.id) || vp.node.id.name !== localName) return;
-          const init = vp.node.init;
-          if (!t.isCallExpression(init)) return;
-          if (!t.isIdentifier(init.callee) || init.callee.name !== "require") return;
-          const a0 = init.arguments[0];
-          if (t.isStringLiteral(a0)) spec = a0.value;
-        }
-      });
-
-      return spec;
-    }
-
-    traverse(ast, {
-      CallExpression(p) {
-        const callee = p.node.callee;
-        if (!t.isMemberExpression(callee)) return;
-        if (!t.isIdentifier(callee.object) || !t.isIdentifier(callee.property)) return;
-
-        const obj = callee.object.name;
-        const prop = callee.property.name;
-
-        if (!fastifyNames.has(obj)) return;
-
-        // fastify.get('/x', ...)
-        if (isFastifyMethod(prop)) {
-          const routeStr = extractStringLiteral(p.node.arguments[0]);
-          if (!routeStr) return;
-
-          const fullPath = joinPaths(prefix, routeStr);
-          const method = canonicalizeMethod(prop);
-
-          const ev = evidenceFromLoc({
-            fileAbs, fileRel, loc: p.node.loc,
-            reason: `Fastify ${prop.toUpperCase()}("${routeStr}")` 
-          });
-
-          routes.push({
-            method,
-            path: fullPath,
-            handler: fileRel,
-            confidence: "med",
-            evidence: ev ? [ev] : []
-          });
-          return;
-        }
-
-        // fastify.route({ method, url, handler })
-        if (prop === "route") {
-          const arg0 = p.node.arguments[0];
-          if (!t.isObjectExpression(arg0)) return;
-
-          const r = extractRouteObject(arg0);
-          if (!r.url) return;
-
-          const fullPath = joinPaths(prefix, r.url);
-          const ms = (r.methods.length ? r.methods : ["*"]).map(canonicalizeMethod);
-
-          const ev = evidenceFromLoc({
-            fileAbs, fileRel, loc: p.node.loc,
-            reason: `Fastify.route({ url: "${r.url}" })` 
-          });
-
-          for (const m of ms) {
-            routes.push({
-              method: m,
-              path: fullPath,
-              handler: fileRel,
-              hooks: r.hooks,
-              confidence: r.hasHandler ? "med" : "low",
-              evidence: ev ? [ev] : []
-            });
-          }
-          return;
-        }
-
-        // fastify.register(plugin, { prefix })
-        if (prop === "register") {
-          const pluginArg = p.node.arguments[0];
-          const optsArg = p.node.arguments[1];
-          const childPrefixRaw = extractPrefixFromOpts(optsArg);
-          const childPrefix = childPrefixRaw ? joinPaths(prefix, childPrefixRaw) : prefix;
-
-          // inline plugin
-          if (t.isFunctionExpression(pluginArg) || t.isArrowFunctionExpression(pluginArg)) {
-            const param0 = pluginArg.params[0];
-            const innerName = t.isIdentifier(param0) ? param0.name : "fastify";
-
-            // traverse just the plugin body (best effort)
-            traverse(pluginArg.body, {
-              CallExpression(pp) {
-                const c = pp.node.callee;
-                if (!t.isMemberExpression(c)) return;
-                if (!t.isIdentifier(c.object) || !t.isIdentifier(c.property)) return;
-                if (c.object.name !== innerName) return;
-
-                const pr = c.property.name;
-
-                if (isFastifyMethod(pr)) {
-                  const rs = extractStringLiteral(pp.node.arguments[0]);
-                  if (!rs) return;
-                  const fullPath = joinPaths(childPrefix, rs);
-                  const method = canonicalizeMethod(pr);
-
-                  const ev = evidenceFromLoc({
-                    fileAbs, fileRel, loc: pp.node.loc,
-                    reason: `Fastify plugin ${pr.toUpperCase()}("${rs}") prefix="${childPrefixRaw || ""}"` 
-                  });
-
-                  routes.push({ method, path: fullPath, handler: fileRel, confidence: "med", evidence: ev ? [ev] : [] });
-                }
-
-                if (pr === "route") {
-                  const a0 = pp.node.arguments[0];
-                  if (!t.isObjectExpression(a0)) return;
-                  const r = extractRouteObject(a0);
-                  if (!r.url) return;
-                  const fullPath = joinPaths(childPrefix, r.url);
-                  const ms = (r.methods.length ? r.methods : ["*"]).map(canonicalizeMethod);
-
-                  const ev = evidenceFromLoc({
-                    fileAbs, fileRel, loc: pp.node.loc,
-                    reason: `Fastify plugin route("${r.url}") prefix="${childPrefixRaw || ""}"` 
-                  });
-
-                  for (const m of ms) routes.push({ method: m, path: fullPath, handler: fileRel, confidence: "med", evidence: ev ? [ev] : [] });
-                }
-              }
-            }, p.scope, p);
-
-            return;
-          }
-
-          // imported plugin identifier
-          if (t.isIdentifier(pluginArg)) {
-            const localName = pluginArg.name;
-            const spec = resolveImportSpecForLocal(localName);
-
-            if (!spec) {
-              gaps.push({ kind: "fastify_plugin_unresolved", file: fileRel, name: localName });
-              return;
-            }
-
-            const resolved = resolveRelativeModule(fileAbs, spec);
-            if (!resolved) {
-              gaps.push({ kind: "fastify_plugin_unresolved", file: fileRel, spec });
-              return;
-            }
-
-            scanFile(resolved, childPrefix);
-          }
-        }
-      }
-    });
-  }
-
-  scanFile(entryAbs, "/");
-  return { routes, gaps };
-}
-
-// ---------- client refs (fetch + axios string literal only) ----------
-function isAxiosMember(node) {
-  return t.isMemberExpression(node) &&
-    t.isIdentifier(node.object) &&
-    t.isIdentifier(node.property) &&
-    ["get","post","put","patch","delete"].includes(node.property.name);
-}
-
-async function resolveClientRouteRefs(repoRoot) {
-  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/test/**",
-      "**/tests/**",
-      "**/__tests__/**",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/jest.setup.*",
-      "**/jest.config.*",
-      "**/*.mock.*",
-      "**/mocks/**",
-      "**/fixtures/**"
-    ]
-  });
-
-  const out = [];
-
-  for (const fileAbs of files) {
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-    const code = safeRead(fileAbs);
-
-    let ast;
-    try { ast = parseFile(code); } catch { continue; }
-
-    traverse(ast, {
-      CallExpression(p) {
-        const callee = p.node.callee;
-
-        // fetch("/api/x", { method: "POST" })
-        if (t.isIdentifier(callee) && callee.name === "fetch") {
-          const a0 = p.node.arguments[0];
-          if (!t.isStringLiteral(a0)) return;
-
-          const url = a0.value;
-          if (!url.startsWith("/")) return;
-
-          let method = "*";
-          const a1 = p.node.arguments[1];
-          if (t.isObjectExpression(a1)) {
-            for (const prop of a1.properties) {
-              if (!t.isObjectProperty(prop)) continue;
-              const key =
-                t.isIdentifier(prop.key) ? prop.key.name :
-                t.isStringLiteral(prop.key) ? prop.key.value :
-                null;
-              if (key === "method" && t.isStringLiteral(prop.value)) {
-                method = canonicalizeMethod(prop.value.value);
-              }
-            }
-          }
-
-          const ev = evidenceFromLoc({
-            fileAbs, fileRel, loc: p.node.loc,
-            reason: `Client fetch("${url}")` 
-          });
-
-          out.push({
-            method,
-            path: canonicalizePath(url),
-            source: fileRel,
-            confidence: "high",
-            evidence: ev ? [ev] : []
-          });
-          return;
-        }
-
-        // axios.get("/api/x")
-        if (isAxiosMember(callee)) {
-          const verb = callee.property.name.toUpperCase();
-          const a0 = p.node.arguments[0];
-          if (!t.isStringLiteral(a0)) return;
-
-          const url = a0.value;
-          if (!url.startsWith("/")) return;
-
-          const ev = evidenceFromLoc({
-            fileAbs, fileRel, loc: p.node.loc,
-            reason: `Client axios.${verb.toLowerCase()}("${url}")` 
-          });
-
-          out.push({
-            method: canonicalizeMethod(verb),
-            path: canonicalizePath(url),
-            source: fileRel,
-            confidence: "high",
-            evidence: ev ? [ev] : []
-          });
-        }
-      }
-    });
-  }
-
-  return out;
-}
-
-// ---------- fastify entry detection ----------
-function detectFastifyEntry(repoRoot) {
-  const candidates = [
-    "src/server.ts","src/server.js",
-    "server.ts","server.js",
-    "src/index.ts","src/index.js",
-    "index.ts","index.js"
-  ];
-  for (const rel of candidates) {
-    const abs = path.join(repoRoot, rel);
-    if (exists(abs)) return rel;
-  }
-  return null;
-}
-
-// ---------- truthpack build/write ----------
-async function buildTruthpack({ repoRoot, fastifyEntry }) {
-  // Next.js routes (App Router + Pages Router)
-  const nextApp = await resolveNextAppApiRoutes(repoRoot);
-  const nextPages = await resolveNextPagesApiRoutes(repoRoot);
-
-  // Fastify routes (legacy detection)
-  const entryRel = fastifyEntry || detectFastifyEntry(repoRoot);
-  let fastify = { routes: [], gaps: [] };
-  if (entryRel) {
-    const entryAbs = path.isAbsolute(entryRel) ? entryRel : path.join(repoRoot, entryRel);
-    if (exists(entryAbs)) fastify = resolveFastifyRoutes(repoRoot, entryAbs);
-  }
-
-  // Multi-framework route detection v2 (Express, Flask, FastAPI, Django, Hono, Koa, etc.)
-  const multiFramework = await resolveAllRoutes(repoRoot);
-  const detectedFrameworks = await detectFrameworks(repoRoot);
-
-  // Client refs (JS/TS fetch/axios + Python requests/httpx)
-  const clientRefs = await resolveClientRouteRefs(repoRoot);
-  const allClientRefs = [...clientRefs, ...multiFramework.clientRefs];
-
-  // Merge all server routes (dedupe by method+path)
-  const serverRoutesRaw = [...nextApp, ...nextPages, ...fastify.routes, ...multiFramework.routes];
-  const seenRoutes = new Set();
-  const server = [];
-  for (const r of serverRoutesRaw) {
-    const key = `${r.method}:${r.path}`;
-    if (!seenRoutes.has(key)) {
-      seenRoutes.add(key);
-      server.push(r);
-    }
-  }
-
-  // Merge gaps
-  const allGaps = [...(fastify.gaps || []), ...(multiFramework.gaps || [])];
-
-  // Env Truth v1
-  const env = await buildEnvTruth(repoRoot);
-
-  // Auth Truth v1
-  const auth = await buildAuthTruth(repoRoot, server);
-
-  // Billing Truth v1
-  const billing = await buildBillingTruth(repoRoot);
-
-  // Enforcement Truth v1
-  const enforcement = buildEnforcementTruth(repoRoot, server);
-
-  // Determine frameworks
-  const frameworks = new Set(["next", "fastify"]);
-  detectedFrameworks.forEach(f => frameworks.add(f));
-  server.forEach(r => r.framework && frameworks.add(r.framework));
-
-  const truthpack = {
-    meta: {
-      version: "2.0.0",
-      generatedAt: new Date().toISOString(),
-      repoRoot,
-      commit: { sha: process.env.VIBECHECK_COMMIT_SHA || "unknown" }
-    },
-    project: { frameworks: Array.from(frameworks), workspaces: [], entrypoints: [] },
-    routes: { server, clientRefs: allClientRefs, gaps: allGaps },
-    env,
-    auth,
-    billing,
-    enforcement
-  };
-
-  const hash = sha256(JSON.stringify(truthpack));
-  truthpack.index = { hashes: { truthpackHash: hash }, evidenceRefs: [] };
-
-  return truthpack;
-}
-
-function writeTruthpack(repoRoot, truthpack) {
-  const dir = path.join(repoRoot, ".vibecheck");
-  ensureDir(dir);
-  // Spec: .vibecheck/truthpack.json (not .vibecheck/truth/truthpack.json)
-  fs.writeFileSync(path.join(dir, "truthpack.json"), JSON.stringify(truthpack, null, 2));
-}
-
-function loadTruthpack(repoRoot) {
-  // Spec path: .vibecheck/truthpack.json
-  const specPath = path.join(repoRoot, ".vibecheck", "truthpack.json");
-  // Legacy path: .vibecheck/truth/truthpack.json (backward compat)
-  const legacyPath = path.join(repoRoot, ".vibecheck", "truth", "truthpack.json");
-  
-  try { 
-    return JSON.parse(fs.readFileSync(specPath, "utf8")); 
-  } catch { 
-    // Try legacy path
-    try { return JSON.parse(fs.readFileSync(legacyPath, "utf8")); } catch { return null; }
-  }
-}
-
-module.exports = {
-  canonicalizeMethod,
-  canonicalizePath,
-  buildTruthpack,
-  writeTruthpack,
-  loadTruthpack,
-  detectFastifyEntry
-};
+// bin/runners/lib/truth.js
+const fg = require("fast-glob");
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+
+// Env Truth v1
+const { buildEnvTruth } = require("./env");
+// Auth Truth v1
+const { buildAuthTruth } = require("./auth-truth");
+// Billing Truth v1
+const { buildBillingTruth } = require("./billing");
+// Enforcement Truth v1
+const { buildEnforcementTruth } = require("./enforcement");
+// Multi-framework route detection v2
+const { resolveAllRoutes, detectFrameworks } = require("./route-detection");
+
+// ---------- helpers ----------
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function canonicalizeMethod(m) {
+  const u = String(m || "").toUpperCase();
+  if (u === "ALL" || u === "ANY" || u === "*") return "*";
+  return u;
+}
+
+function canonicalizePath(p) {
+  let s = String(p || "").trim();
+  if (!s.startsWith("/")) s = "/" + s;
+  s = s.replace(/\/+/g, "/");
+
+  // Next dynamic segments
+  s = s.replace(/\[\[\.{3}([^\]]+)\]\]/g, "*$1?"); // [[...slug]] -> *slug?
+  s = s.replace(/\[\.{3}([^\]]+)\]/g, "*$1");     // [...slug]  -> *slug
+  s = s.replace(/\[([^\]]+)\]/g, ":$1");          // [id]       -> :id
+
+  if (s.length > 1) s = s.replace(/\/$/, "");
+  return s;
+}
+
+function joinPaths(prefix, p) {
+  const a = canonicalizePath(prefix || "/");
+  const b = canonicalizePath(p || "/");
+  if (a === "/") return b;
+  if (b === "/") return a;
+  return canonicalizePath(a + "/" + b);
+}
+
+function parseFile(code) {
+  return parser.parse(code, { sourceType: "unambiguous", plugins: ["typescript", "jsx"] });
+}
+
+function safeRead(fileAbs) {
+  return fs.readFileSync(fileAbs, "utf8");
+}
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function evidenceFromLoc({ fileAbs, fileRel, loc, reason }) {
+  if (!loc) return null;
+  const lines = fs.readFileSync(fileAbs, "utf8").split(/\r?\n/);
+  const start = Math.max(1, loc.start?.line || 1);
+  const end = Math.max(start, loc.end?.line || start);
+  const snippet = lines.slice(start - 1, end).join("\n");
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${start}-${end}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+// ---------- Next: app router API ----------
+const HTTP_EXPORTS = new Set(["GET","POST","PUT","PATCH","DELETE","OPTIONS","HEAD"]);
+
+async function resolveNextAppApiRoutes(repoRoot) {
+  const files = await fg(["**/app/api/**/route.@(ts|js)"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+  });
+
+  const out = [];
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const idx = fileRel.indexOf("app/api/");
+    const sub = fileRel.slice(idx + "app/api/".length).replace(/\/route\.(ts|js)$/, "");
+    const routePath = canonicalizePath("/api/" + sub);
+
+    const code = safeRead(fileAbs);
+    let ast;
+    try { ast = parseFile(code); } catch { continue; }
+
+    const methods = [];
+    traverse(ast, {
+      ExportNamedDeclaration(p) {
+        const decl = p.node.declaration;
+        if (t.isFunctionDeclaration(decl) && decl.id?.name) {
+          const n = decl.id.name.toUpperCase();
+          if (HTTP_EXPORTS.has(n)) methods.push({ method: n, loc: decl.loc });
+        }
+      }
+    });
+
+    if (methods.length === 0) {
+      out.push({ method: "*", path: routePath, handler: fileRel, confidence: "low", evidence: [] });
+      continue;
+    }
+
+    for (const m of methods) {
+      const ev = evidenceFromLoc({
+        fileAbs, fileRel, loc: m.loc,
+        reason: `Next app router export ${m.method}` 
+      });
+      out.push({
+        method: m.method,
+        path: routePath,
+        handler: fileRel,
+        confidence: "high",
+        evidence: ev ? [ev] : []
+      });
+    }
+  }
+
+  return out;
+}
+
+// ---------- Next: pages router API ----------
+async function resolveNextPagesApiRoutes(repoRoot) {
+  const files = await fg(["**/pages/api/**/*.@(ts|js)"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+  });
+
+  const out = [];
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const idx = fileRel.indexOf("pages/api/");
+    const sub = fileRel.slice(idx + "pages/api/".length).replace(/\.(ts|js)$/, "");
+    const routePath = canonicalizePath("/api/" + sub);
+
+    out.push({
+      method: "*",
+      path: routePath,
+      handler: fileRel,
+      confidence: "med",
+      evidence: []
+    });
+  }
+  return out;
+}
+
+// ---------- minimal relative module resolver ----------
+function exists(p) {
+  try { return fs.statSync(p).isFile(); } catch { return false; }
+}
+function resolveRelativeModule(fromFileAbs, spec) {
+  if (!spec || (!spec.startsWith("./") && !spec.startsWith("../"))) return null;
+  const base = path.resolve(path.dirname(fromFileAbs), spec);
+  const candidates = [
+    base,
+    base + ".ts",
+    base + ".js",
+    path.join(base, "index.ts"),
+    path.join(base, "index.js")
+  ];
+  for (const c of candidates) if (exists(c)) return c;
+  return null;
+}
+
+// ---------- Fastify route extraction ----------
+const FASTIFY_METHODS = new Set(["get","post","put","patch","delete","options","head","all"]);
+
+function isFastifyMethod(name) {
+  return FASTIFY_METHODS.has(name);
+}
+
+function extractStringLiteral(node) {
+  return t.isStringLiteral(node) ? node.value : null;
+}
+
+function extractPrefixFromOpts(node) {
+  if (!t.isObjectExpression(node)) return null;
+  for (const p of node.properties) {
+    if (!t.isObjectProperty(p)) continue;
+    const key =
+      t.isIdentifier(p.key) ? p.key.name :
+      t.isStringLiteral(p.key) ? p.key.value :
+      null;
+    if (key === "prefix" && t.isStringLiteral(p.value)) return p.value.value;
+  }
+  return null;
+}
+
+function extractRouteObject(objExpr) {
+  let url = null;
+  let methods = [];
+  let hasHandler = false;
+  const hooks = [];
+
+  for (const p of objExpr.properties) {
+    if (!t.isObjectProperty(p)) continue;
+
+    const key =
+      t.isIdentifier(p.key) ? p.key.name :
+      t.isStringLiteral(p.key) ? p.key.value :
+      null;
+    if (!key) continue;
+
+    if (key === "url" && t.isStringLiteral(p.value)) url = p.value.value;
+
+    if (key === "method") {
+      if (t.isStringLiteral(p.value)) methods = [p.value.value];
+      if (t.isArrayExpression(p.value)) {
+        methods = p.value.elements.filter(e => t.isStringLiteral(e)).map(e => e.value);
+      }
+    }
+
+    if (key === "handler") hasHandler = true;
+    if (["preHandler","onRequest","preValidation","preSerialization"].includes(key)) hooks.push(key);
+  }
+
+  return { url, methods, hasHandler, hooks };
+}
+
+function resolveFastifyRoutes(repoRoot, entryAbs) {
+  const seen = new Set();
+  const routes = [];
+  const gaps = [];
+
+  function scanFile(fileAbs, prefix) {
+    if (!fileAbs || seen.has(fileAbs)) return;
+    seen.add(fileAbs);
+
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = safeRead(fileAbs);
+
+    let ast;
+    try { ast = parseFile(code); } catch { return; }
+
+    // best-effort: fastify instance identifiers
+    const fastifyNames = new Set(["fastify"]);
+
+    traverse(ast, {
+      VariableDeclarator(p) {
+        if (!t.isIdentifier(p.node.id)) return;
+        const id = p.node.id.name;
+        const init = p.node.init;
+        if (!init) return;
+        if (t.isCallExpression(init) && t.isIdentifier(init.callee)) {
+          const cal = init.callee.name;
+          if (cal === "Fastify" || cal === "fastify") fastifyNames.add(id);
+        }
+      }
+    });
+
+    // helper: resolve imports for register(pluginIdent,...)
+    function resolveImportSpecForLocal(localName) {
+      let spec = null;
+
+      traverse(ast, {
+        ImportDeclaration(ip) {
+          for (const s of ip.node.specifiers) {
+            if ((t.isImportDefaultSpecifier(s) || t.isImportSpecifier(s)) && s.local.name === localName) {
+              spec = ip.node.source.value;
+            }
+          }
+        },
+        VariableDeclarator(vp) {
+          if (!t.isIdentifier(vp.node.id) || vp.node.id.name !== localName) return;
+          const init = vp.node.init;
+          if (!t.isCallExpression(init)) return;
+          if (!t.isIdentifier(init.callee) || init.callee.name !== "require") return;
+          const a0 = init.arguments[0];
+          if (t.isStringLiteral(a0)) spec = a0.value;
+        }
+      });
+
+      return spec;
+    }
+
+    traverse(ast, {
+      CallExpression(p) {
+        const callee = p.node.callee;
+        if (!t.isMemberExpression(callee)) return;
+        if (!t.isIdentifier(callee.object) || !t.isIdentifier(callee.property)) return;
+
+        const obj = callee.object.name;
+        const prop = callee.property.name;
+
+        if (!fastifyNames.has(obj)) return;
+
+        // fastify.get('/x', ...)
+        if (isFastifyMethod(prop)) {
+          const routeStr = extractStringLiteral(p.node.arguments[0]);
+          if (!routeStr) return;
+
+          const fullPath = joinPaths(prefix, routeStr);
+          const method = canonicalizeMethod(prop);
+
+          const ev = evidenceFromLoc({
+            fileAbs, fileRel, loc: p.node.loc,
+            reason: `Fastify ${prop.toUpperCase()}("${routeStr}")` 
+          });
+
+          routes.push({
+            method,
+            path: fullPath,
+            handler: fileRel,
+            confidence: "med",
+            evidence: ev ? [ev] : []
+          });
+          return;
+        }
+
+        // fastify.route({ method, url, handler })
+        if (prop === "route") {
+          const arg0 = p.node.arguments[0];
+          if (!t.isObjectExpression(arg0)) return;
+
+          const r = extractRouteObject(arg0);
+          if (!r.url) return;
+
+          const fullPath = joinPaths(prefix, r.url);
+          const ms = (r.methods.length ? r.methods : ["*"]).map(canonicalizeMethod);
+
+          const ev = evidenceFromLoc({
+            fileAbs, fileRel, loc: p.node.loc,
+            reason: `Fastify.route({ url: "${r.url}" })` 
+          });
+
+          for (const m of ms) {
+            routes.push({
+              method: m,
+              path: fullPath,
+              handler: fileRel,
+              hooks: r.hooks,
+              confidence: r.hasHandler ? "med" : "low",
+              evidence: ev ? [ev] : []
+            });
+          }
+          return;
+        }
+
+        // fastify.register(plugin, { prefix })
+        if (prop === "register") {
+          const pluginArg = p.node.arguments[0];
+          const optsArg = p.node.arguments[1];
+          const childPrefixRaw = extractPrefixFromOpts(optsArg);
+          const childPrefix = childPrefixRaw ? joinPaths(prefix, childPrefixRaw) : prefix;
+
+          // inline plugin
+          if (t.isFunctionExpression(pluginArg) || t.isArrowFunctionExpression(pluginArg)) {
+            const param0 = pluginArg.params[0];
+            const innerName = t.isIdentifier(param0) ? param0.name : "fastify";
+
+            // traverse just the plugin body (best effort)
+            traverse(pluginArg.body, {
+              CallExpression(pp) {
+                const c = pp.node.callee;
+                if (!t.isMemberExpression(c)) return;
+                if (!t.isIdentifier(c.object) || !t.isIdentifier(c.property)) return;
+                if (c.object.name !== innerName) return;
+
+                const pr = c.property.name;
+
+                if (isFastifyMethod(pr)) {
+                  const rs = extractStringLiteral(pp.node.arguments[0]);
+                  if (!rs) return;
+                  const fullPath = joinPaths(childPrefix, rs);
+                  const method = canonicalizeMethod(pr);
+
+                  const ev = evidenceFromLoc({
+                    fileAbs, fileRel, loc: pp.node.loc,
+                    reason: `Fastify plugin ${pr.toUpperCase()}("${rs}") prefix="${childPrefixRaw || ""}"` 
+                  });
+
+                  routes.push({ method, path: fullPath, handler: fileRel, confidence: "med", evidence: ev ? [ev] : [] });
+                }
+
+                if (pr === "route") {
+                  const a0 = pp.node.arguments[0];
+                  if (!t.isObjectExpression(a0)) return;
+                  const r = extractRouteObject(a0);
+                  if (!r.url) return;
+                  const fullPath = joinPaths(childPrefix, r.url);
+                  const ms = (r.methods.length ? r.methods : ["*"]).map(canonicalizeMethod);
+
+                  const ev = evidenceFromLoc({
+                    fileAbs, fileRel, loc: pp.node.loc,
+                    reason: `Fastify plugin route("${r.url}") prefix="${childPrefixRaw || ""}"` 
+                  });
+
+                  for (const m of ms) routes.push({ method: m, path: fullPath, handler: fileRel, confidence: "med", evidence: ev ? [ev] : [] });
+                }
+              }
+            }, p.scope, p);
+
+            return;
+          }
+
+          // imported plugin identifier
+          if (t.isIdentifier(pluginArg)) {
+            const localName = pluginArg.name;
+            const spec = resolveImportSpecForLocal(localName);
+
+            if (!spec) {
+              gaps.push({ kind: "fastify_plugin_unresolved", file: fileRel, name: localName });
+              return;
+            }
+
+            const resolved = resolveRelativeModule(fileAbs, spec);
+            if (!resolved) {
+              gaps.push({ kind: "fastify_plugin_unresolved", file: fileRel, spec });
+              return;
+            }
+
+            scanFile(resolved, childPrefix);
+          }
+        }
+      }
+    });
+  }
+
+  scanFile(entryAbs, "/");
+  return { routes, gaps };
+}
+
+// ---------- client refs (fetch + axios string literal only) ----------
+function isAxiosMember(node) {
+  return t.isMemberExpression(node) &&
+    t.isIdentifier(node.object) &&
+    t.isIdentifier(node.property) &&
+    ["get","post","put","patch","delete"].includes(node.property.name);
+}
+
+async function resolveClientRouteRefs(repoRoot) {
+  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/test/**",
+      "**/tests/**",
+      "**/__tests__/**",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/jest.setup.*",
+      "**/jest.config.*",
+      "**/*.mock.*",
+      "**/mocks/**",
+      "**/fixtures/**"
+    ]
+  });
+
+  const out = [];
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = safeRead(fileAbs);
+
+    let ast;
+    try { ast = parseFile(code); } catch { continue; }
+
+    traverse(ast, {
+      CallExpression(p) {
+        const callee = p.node.callee;
+
+        // fetch("/api/x", { method: "POST" })
+        if (t.isIdentifier(callee) && callee.name === "fetch") {
+          const a0 = p.node.arguments[0];
+          if (!t.isStringLiteral(a0)) return;
+
+          const url = a0.value;
+          if (!url.startsWith("/")) return;
+
+          let method = "*";
+          const a1 = p.node.arguments[1];
+          if (t.isObjectExpression(a1)) {
+            for (const prop of a1.properties) {
+              if (!t.isObjectProperty(prop)) continue;
+              const key =
+                t.isIdentifier(prop.key) ? prop.key.name :
+                t.isStringLiteral(prop.key) ? prop.key.value :
+                null;
+              if (key === "method" && t.isStringLiteral(prop.value)) {
+                method = canonicalizeMethod(prop.value.value);
+              }
+            }
+          }
+
+          const ev = evidenceFromLoc({
+            fileAbs, fileRel, loc: p.node.loc,
+            reason: `Client fetch("${url}")` 
+          });
+
+          out.push({
+            method,
+            path: canonicalizePath(url),
+            source: fileRel,
+            confidence: "high",
+            evidence: ev ? [ev] : []
+          });
+          return;
+        }
+
+        // axios.get("/api/x")
+        if (isAxiosMember(callee)) {
+          const verb = callee.property.name.toUpperCase();
+          const a0 = p.node.arguments[0];
+          if (!t.isStringLiteral(a0)) return;
+
+          const url = a0.value;
+          if (!url.startsWith("/")) return;
+
+          const ev = evidenceFromLoc({
+            fileAbs, fileRel, loc: p.node.loc,
+            reason: `Client axios.${verb.toLowerCase()}("${url}")` 
+          });
+
+          out.push({
+            method: canonicalizeMethod(verb),
+            path: canonicalizePath(url),
+            source: fileRel,
+            confidence: "high",
+            evidence: ev ? [ev] : []
+          });
+        }
+      }
+    });
+  }
+
+  return out;
+}
+
+// ---------- fastify entry detection ----------
+function detectFastifyEntry(repoRoot) {
+  const candidates = [
+    "src/server.ts","src/server.js",
+    "server.ts","server.js",
+    "src/index.ts","src/index.js",
+    "index.ts","index.js"
+  ];
+  for (const rel of candidates) {
+    const abs = path.join(repoRoot, rel);
+    if (exists(abs)) return rel;
+  }
+  return null;
+}
+
+// ---------- truthpack build/write ----------
+async function buildTruthpack({ repoRoot, fastifyEntry }) {
+  // Next.js routes (App Router + Pages Router)
+  const nextApp = await resolveNextAppApiRoutes(repoRoot);
+  const nextPages = await resolveNextPagesApiRoutes(repoRoot);
+
+  // Fastify routes (legacy detection)
+  const entryRel = fastifyEntry || detectFastifyEntry(repoRoot);
+  let fastify = { routes: [], gaps: [] };
+  if (entryRel) {
+    const entryAbs = path.isAbsolute(entryRel) ? entryRel : path.join(repoRoot, entryRel);
+    if (exists(entryAbs)) fastify = resolveFastifyRoutes(repoRoot, entryAbs);
+  }
+
+  // Multi-framework route detection v2 (Express, Flask, FastAPI, Django, Hono, Koa, etc.)
+  const multiFramework = await resolveAllRoutes(repoRoot);
+  const detectedFrameworks = await detectFrameworks(repoRoot);
+
+  // Client refs (JS/TS fetch/axios + Python requests/httpx)
+  const clientRefs = await resolveClientRouteRefs(repoRoot);
+  const allClientRefs = [...clientRefs, ...multiFramework.clientRefs];
+
+  // Merge all server routes (dedupe by method+path)
+  const serverRoutesRaw = [...nextApp, ...nextPages, ...fastify.routes, ...multiFramework.routes];
+  const seenRoutes = new Set();
+  const server = [];
+  for (const r of serverRoutesRaw) {
+    const key = `${r.method}:${r.path}`;
+    if (!seenRoutes.has(key)) {
+      seenRoutes.add(key);
+      server.push(r);
+    }
+  }
+
+  // Merge gaps
+  const allGaps = [...(fastify.gaps || []), ...(multiFramework.gaps || [])];
+
+  // Env Truth v1
+  const env = await buildEnvTruth(repoRoot);
+
+  // Auth Truth v1
+  const auth = await buildAuthTruth(repoRoot, server);
+
+  // Billing Truth v1
+  const billing = await buildBillingTruth(repoRoot);
+
+  // Enforcement Truth v1
+  const enforcement = buildEnforcementTruth(repoRoot, server);
+
+  // Determine frameworks
+  const frameworks = new Set(["next", "fastify"]);
+  detectedFrameworks.forEach(f => frameworks.add(f));
+  server.forEach(r => r.framework && frameworks.add(r.framework));
+
+  const truthpack = {
+    meta: {
+      version: "2.0.0",
+      generatedAt: new Date().toISOString(),
+      repoRoot,
+      commit: { sha: process.env.VIBECHECK_COMMIT_SHA || "unknown" }
+    },
+    project: { frameworks: Array.from(frameworks), workspaces: [], entrypoints: [] },
+    routes: { server, clientRefs: allClientRefs, gaps: allGaps },
+    env,
+    auth,
+    billing,
+    enforcement
+  };
+
+  const hash = sha256(JSON.stringify(truthpack));
+  truthpack.index = { hashes: { truthpackHash: hash }, evidenceRefs: [] };
+
+  return truthpack;
+}
+
+function writeTruthpack(repoRoot, truthpack) {
+  const dir = path.join(repoRoot, ".vibecheck");
+  ensureDir(dir);
+  // Spec: .vibecheck/truthpack.json (not .vibecheck/truth/truthpack.json)
+  fs.writeFileSync(path.join(dir, "truthpack.json"), JSON.stringify(truthpack, null, 2));
+}
+
+function loadTruthpack(repoRoot) {
+  // Spec path: .vibecheck/truthpack.json
+  const specPath = path.join(repoRoot, ".vibecheck", "truthpack.json");
+  // Legacy path: .vibecheck/truth/truthpack.json (backward compat)
+  const legacyPath = path.join(repoRoot, ".vibecheck", "truth", "truthpack.json");
+  
+  try { 
+    return JSON.parse(fs.readFileSync(specPath, "utf8")); 
+  } catch { 
+    // Try legacy path
+    try { return JSON.parse(fs.readFileSync(legacyPath, "utf8")); } catch { return null; }
+  }
+}
+
+module.exports = {
+  canonicalizeMethod,
+  canonicalizePath,
+  buildTruthpack,
+  writeTruthpack,
+  loadTruthpack,
+  detectFastifyEntry
+};