@vibecheckai/cli 3.1.6 → 3.2.0

package/mcp-server/truth-firewall-tools.js

@@ -398,7 +398,7 @@ export async function handleTruthFirewallTool(toolName, args, projectPath = proc
       return await addAssumption(projectPath, args);
       
     case "vibecheck.validate_plan":
-      return await validatePlanTool(projectPath, args);
+      return await getPlanValidationResult(projectPath, args);
       
     case "vibecheck.check_drift":
       return await checkDriftTool(projectPath, args);
@@ -421,8 +421,147 @@ const state = {
   assumptions: [],
   verifiedClaims: new Map(),
   maxAssumptions: 2,
+  lastValidationByProject: new Map(),
 };
 
+const MAX_EVIDENCE_SNIPPET = 200;
+
+/**
+ * Policy configuration - aligned with proof-context.js TRUTH_CONTRACT
+ */
+const POLICY_CONFIG = {
+  strict: {
+    minConfidence: 0.8,
+    allowUnknown: false,
+    requireValidation: true,
+    blockOnDrift: true,
+    validationTTL: 5 * 60 * 1000, // 5 minutes
+  },
+  balanced: {
+    minConfidence: 0.6,
+    allowUnknown: false,
+    requireValidation: true,
+    blockOnDrift: false,
+    validationTTL: 10 * 60 * 1000, // 10 minutes
+  },
+  permissive: {
+    minConfidence: 0.4,
+    allowUnknown: true,
+    requireValidation: false,
+    blockOnDrift: false,
+    validationTTL: 30 * 60 * 1000, // 30 minutes
+  },
+};
+
+/**
+ * Get policy configuration
+ */
+export function getPolicyConfig(policy = 'strict') {
+  return POLICY_CONFIG[policy] || POLICY_CONFIG.strict;
+}
+
+function confidenceToScore(confidence) {
+  if (typeof confidence === "number") return confidence;
+  switch (confidence) {
+    case "high":
+      return 0.9;
+    case "medium":
+      return 0.7;
+    case "low":
+      return 0.5;
+    default:
+      return 0.6;
+  }
+}
+
+async function readSnippet(projectPath, file, line) {
+  if (!file) return "";
+  try {
+    const content = await fs.readFile(path.join(projectPath, file), "utf8");
+    const lines = content.split("\n");
+    const idx = Math.max(0, Math.min(lines.length - 1, line - 1));
+    return (lines[idx] || "").slice(0, MAX_EVIDENCE_SNIPPET);
+  } catch {
+    return "";
+  }
+}
+
+async function normalizeEvidence(projectPath, evidence, fallback, confidence) {
+  const raw = Array.isArray(evidence) ? evidence : evidence ? [evidence] : [];
+  const normalized = [];
+
+  for (const item of raw) {
+    const file = item?.file || fallback?.file || "";
+    const line = Number(item?.line || item?.lines || fallback?.line || 1);
+    const snippet =
+      item?.snippet ||
+      item?.evidence ||
+      (await readSnippet(projectPath, file, line));
+
+    normalized.push({
+      file,
+      line,
+      snippet,
+      confidence: item?.confidence ?? confidenceToScore(confidence),
+    });
+  }
+
+  if (normalized.length === 0 && fallback?.file) {
+    normalized.push({
+      file: fallback.file,
+      line: fallback.line || 1,
+      snippet: await readSnippet(projectPath, fallback.file, fallback.line || 1),
+      confidence: confidenceToScore(confidence),
+    });
+  }
+
+  return normalized;
+}
+
+/**
+ * Check if there's a recent claim validation for the project.
+ * The TTL depends on the policy mode.
+ */
+export function hasRecentClaimValidation(projectPath, policy = 'strict') {
+  const last = state.lastValidationByProject.get(projectPath);
+  if (typeof last !== "number") return false;
+  
+  const config = getPolicyConfig(policy);
+  const maxAgeMs = config.validationTTL;
+  return Date.now() - last <= maxAgeMs;
+}
+
+/**
+ * Validate a claim result against policy thresholds.
+ * Returns an enforcement decision.
+ */
+export function enforceClaimResult(result, policy = 'strict') {
+  const config = getPolicyConfig(policy);
+  const confidence = confidenceToScore(result.confidence || result.result === 'true' ? 0.9 : 0.3);
+  
+  // Unknown results
+  if (result.result === 'unknown') {
+    if (!config.allowUnknown) {
+      return {
+        allowed: false,
+        reason: `Unknown claims are not allowed in ${policy} mode`,
+        suggestion: 'Use search_evidence to find proof or get_truthpack to refresh context',
+      };
+    }
+  }
+  
+  // Low confidence
+  if (confidence < config.minConfidence) {
+    return {
+      allowed: false,
+      reason: `Confidence ${(confidence * 100).toFixed(0)}% below ${policy} threshold ${(config.minConfidence * 100).toFixed(0)}%`,
+      suggestion: 'Find additional evidence or use permissive policy',
+    };
+  }
+  
+  return { allowed: true };
+}
+
 async function getTruthPack(projectPath, args) {
   const scope = args.scope || 'all';
   const refresh = args.refresh || false;
@@ -439,6 +578,7 @@ async function getTruthPack(projectPath, args) {
     commitHash: getCommitHash(projectPath),
     sections: {},
     confidence: 0,
+    _attribution: CONTEXT_ATTRIBUTION,
   };
   
   if (scope === 'all' || scope === 'routes') {
@@ -510,22 +650,45 @@ async function validateClaim(projectPath, args) {
     result.nextSteps = [`Verification error: ${error.message}`];
   }
   
-  // If unknown, add helpful next steps
+  // ENFORCED: Unknown claims must return explicit "unknown" error 
+  // that blocks dependent actions in strict/balanced modes
   if (result.result === 'unknown') {
     result.nextSteps.push(
       'call vibecheck.search_evidence to find related code',
       'call vibecheck.get_truthpack to get full context',
     );
     result.warning = '⚠️ UNKNOWN claims BLOCK dependent actions. Verify before proceeding.';
+    result.enforcement = {
+      allowed: false,
+      reason: 'Claim result is unknown - cannot proceed without evidence',
+      blockedActions: ['fix', 'autopilot_apply', 'propose_patch'],
+    };
+  } else if (result.result === 'true') {
+    result.enforcement = {
+      allowed: true,
+      confidence: confidenceToScore(result.confidence),
+    };
+  } else {
+    // result is 'false'
+    result.enforcement = {
+      allowed: false,
+      reason: 'Claim is disproven - do not proceed with dependent actions',
+    };
   }
   
   // Cache result
-  state.verifiedClaims.set(claimId, { result, timestamp: Date.now() });
+  state.verifiedClaims.set(claimId, { result, timestamp: Date.now(), projectPath });
+  state.lastValidationByProject.set(projectPath, Date.now());
   
   return {
     claimId,
     ...result,
+    evidence: await normalizeEvidence(projectPath, result.evidence, {
+      file: subject?.path || subject?.name,
+      line: 1,
+    }, result.confidence),
     timestamp: new Date().toISOString(),
+    _attribution: CONTEXT_ATTRIBUTION,
   };
 }
 
@@ -565,6 +728,7 @@ async function compileContext(projectPath, args) {
     invariants,
     tokenCount,
     warnings: generateContextWarnings(domains, policy, relevantRoutes.length),
+    _attribution: CONTEXT_ATTRIBUTION,
   };
 }
 
@@ -589,6 +753,7 @@ async function searchEvidence(projectPath, args) {
             line: i + 1,
             snippet: snippet.slice(0, 300),
             hash: crypto.createHash('sha256').update(lines[i]).digest('hex').slice(0, 16),
+            confidence: 0.6,
           });
           
           if (results.length >= limit) break;
@@ -604,6 +769,7 @@ async function searchEvidence(projectPath, args) {
     query,
     count: results.length,
     results,
+    _attribution: CONTEXT_ATTRIBUTION,
   };
 }
 
@@ -780,7 +946,7 @@ async function addAssumption(projectPath, args) {
 // PLAN VALIDATION & DRIFT DETECTION (Spec 10.3)
 // =============================================================================
 
-async function validatePlanTool(projectPath, args) {
+async function getPlanValidationResult(projectPath, args) {
   const { plan, strict = false } = args;
   
   // Load contracts
@@ -1224,6 +1390,11 @@ export function getProjectFingerprint(projectPath) {
   };
 }
 
+/**
+ * Context attribution message shown when AI uses vibecheck data
+ */
+const CONTEXT_ATTRIBUTION = "🧠 Context enhanced by vibecheck";
+
 /**
  * Wrap MCP response with standard metadata including fingerprint (Spec 10.2)
  */
@@ -1233,9 +1404,17 @@ export function wrapMcpResponse(data, projectPath) {
     version: '2.0.0',
     projectFingerprint: getProjectFingerprint(projectPath),
     data,
+    _attribution: CONTEXT_ATTRIBUTION,
   };
 }
 
+/**
+ * Get the context attribution message
+ */
+export function getContextAttribution() {
+  return CONTEXT_ATTRIBUTION;
+}
+
 async function extractRoutes(projectPath) {
   const routes = [];
   const files = await findSourceFiles(projectPath);
@@ -1497,4 +1676,11 @@ async function findSourceFiles(projectPath) {
 export default {
   TRUTH_FIREWALL_TOOLS,
   handleTruthFirewallTool,
+  hasRecentClaimValidation,
+  enforceClaimResult,
+  getPolicyConfig,
+  getProjectFingerprint,
+  wrapMcpResponse,
+  getContextAttribution,
+  CONTEXT_ATTRIBUTION,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecheckai/cli",
-  "version": "3.1.6",
+  "version": "3.2.0",
   "description": "Vibecheck CLI - Ship with confidence. One verdict: SHIP | WARN | BLOCK.",
   "main": "bin/vibecheck.js",
   "bin": {
@@ -28,6 +28,8 @@
     "@babel/parser": "^7.23.0",
     "@babel/traverse": "^7.23.0",
     "@babel/types": "^7.23.0",
+    "@vibecheck/core": "workspace:*",
+    "@vibecheck/security": "workspace:*",
     "chalk": "^5.3.0",
     "commander": "^12.0.0",
     "debug": "^4.3.4",