@vibecheckai/cli 3.1.8 → 3.2.0

package/bin/runners/lib/missions/plan.js

@@ -1,69 +1,259 @@
 // bin/runners/lib/missions/plan.js
+// ═══════════════════════════════════════════════════════════════════════════════
+// MISSION PLANNING - Hardened with confidence scoring and better deduplication
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Score a finding for priority ordering
+ * Enhanced with confidence-based scoring
+ */
 function scoreFinding(f) {
-  if (f.severity === "BLOCK") return 100;
-  if (f.severity === "WARN") return 50;
-  return 0;
+  let score = 0;
+  
+  // Base severity score
+  if (f.severity === "BLOCK") score += 100;
+  else if (f.severity === "WARN") score += 50;
+  
+  // Confidence adjustment (findings with evidence are more reliable)
+  const confidence = f.confidence || (f.evidence?.length > 0 ? 0.8 : 0.5);
+  score = Math.round(score * confidence);
+  
+  // Boost for findings with file evidence (more actionable)
+  if (f.file || f.evidence?.some(e => e.file)) {
+    score += 10;
+  }
+  
+  // Boost for security-related categories
+  if (['Security', 'GhostAuth', 'AuthCoverage', 'Billing'].includes(f.category)) {
+    score += 20;
+  }
+  
+  return score;
 }
 
-function missionFromFinding(f) {
-  const typeByCategory = {
-    Security: "REMOVE_OWNER_MODE",
-    Billing: "FIX_STRIPE_WEBHOOKS",
-    Entitlements: "ENFORCE_PAID_SURFACE",
-    GhostAuth: "ADD_SERVER_AUTH",
-    MissingRoute: "FIX_MISSING_ROUTE",
-    EnvContract: "FIX_ENV_CONTRACT",
-    FakeSuccess: "FIX_FAKE_SUCCESS",
-    DeadUI: "FIX_DEAD_UI",
-    AuthCoverage: "ADD_SERVER_AUTH"
-  };
+/**
+ * Generate a fingerprint for deduplication
+ * Uses multiple signals to identify truly unique findings
+ */
+function generateFingerprint(f) {
+  const parts = [];
+  
+  // Primary: category + normalized title
+  parts.push(f.category || 'Unknown');
+  
+  // Normalize title (remove specific IDs, file paths, line numbers)
+  let normalizedTitle = (f.title || '')
+    .replace(/[a-f0-9]{8,}/gi, 'HASH')  // Remove hash-like IDs
+    .replace(/:\d+/g, ':LINE')           // Normalize line numbers
+    .replace(/\/[^/\s]+\.(ts|js|tsx|jsx)/gi, '/FILE.$1')  // Normalize file paths
+    .trim();
+  parts.push(normalizedTitle);
+  
+  // Secondary: file if available (for file-specific issues)
+  if (f.file) {
+    // Normalize the file path to base name for grouping
+    const fileName = f.file.split(/[/\\]/).pop() || f.file;
+    parts.push(fileName);
+  }
+  
+  return parts.join('|');
+}
+
+/**
+ * Extended category to mission type mapping
+ * Includes new categories from enhanced detection
+ */
+const CATEGORY_TO_MISSION_TYPE = {
+  // Security & Auth
+  Security: "REMOVE_OWNER_MODE",
+  GhostAuth: "ADD_SERVER_AUTH",
+  AuthCoverage: "ADD_SERVER_AUTH",
+  AuthDrift: "FIX_AUTH_DRIFT",
+  
+  // Billing & Payments
+  Billing: "FIX_STRIPE_WEBHOOKS",
+  Entitlements: "ENFORCE_PAID_SURFACE",
+  
+  // Routes & APIs
+  MissingRoute: "FIX_MISSING_ROUTE",
+  RouteDrift: "FIX_ROUTE_DRIFT",
+  
+  // Environment & Config
+  EnvContract: "FIX_ENV_CONTRACT",
+  
+  // Reality/Runtime issues
+  FakeSuccess: "FIX_FAKE_SUCCESS",
+  DeadUI: "FIX_DEAD_UI",
+  FakeDomain: "FIX_MOCK_DOMAINS",
+  FakeResponse: "FIX_PLACEHOLDER_DATA",
+  MockStatus: "FIX_MOCK_DOMAINS",
+  
+  // Code Quality
+  EmptyCatch: "FIX_EMPTY_CATCH",
+  TestKeys: "FIX_TEST_KEYS",
+  HardcodedSecrets: "FIX_HARDCODED_SECRETS",
+  SilentFallback: "FIX_SILENT_FALLBACK",
+};
 
+/**
+ * Mission type priority (lower = higher priority)
+ * Security issues come first, then billing, then everything else
+ */
+const MISSION_PRIORITY = {
+  // P0: Critical security (immediate fix required)
+  REMOVE_OWNER_MODE: 1,
+  FIX_HARDCODED_SECRETS: 2,
+  FIX_AUTH_DRIFT: 3,
+  
+  // P1: Security & billing (fix before shipping)
+  FIX_STRIPE_WEBHOOKS: 10,
+  ENFORCE_PAID_SURFACE: 11,
+  ADD_SERVER_AUTH: 12,
+  FIX_TEST_KEYS: 13,
+  
+  // P2: Fake data (fix before production)
+  FIX_MOCK_DOMAINS: 20,
+  FIX_PLACEHOLDER_DATA: 21,
+  FIX_FAKE_SUCCESS: 22,
+  
+  // P3: Code quality (fix when possible)
+  FIX_MISSING_ROUTE: 30,
+  FIX_ROUTE_DRIFT: 31,
+  FIX_ENV_CONTRACT: 32,
+  FIX_EMPTY_CATCH: 33,
+  FIX_SILENT_FALLBACK: 34,
+  
+  // P4: UI issues (fix before polish)
+  FIX_DEAD_UI: 40,
+  
+  // P5: Generic (lowest priority)
+  GENERIC_FIX: 99,
+};
+
+/**
+ * Create a mission from a finding
+ * Enhanced with confidence and better metadata
+ */
+function missionFromFinding(f, relatedFindings = []) {
+  const type = CATEGORY_TO_MISSION_TYPE[f.category] || "GENERIC_FIX";
+  const allFindingIds = [f.id, ...relatedFindings.map(r => r.id)];
+  
+  // Calculate mission confidence based on findings
+  const confidences = [f.confidence || 0.5, ...relatedFindings.map(r => r.confidence || 0.5)];
+  const avgConfidence = confidences.reduce((a, b) => a + b, 0) / confidences.length;
+  
   return {
     id: `M_${f.id}`,
-    type: typeByCategory[f.category] || "GENERIC_FIX",
+    type,
     title: f.title,
     severity: f.severity,
     category: f.category,
+    confidence: avgConfidence,
     successCriteria: [
-      `Finding ${f.id} no longer appears in ship results` 
+      `Finding ${f.id} no longer appears in ship results`,
+      ...(relatedFindings.length > 0 ? 
+        [`${relatedFindings.length} related finding(s) also resolved`] : []
+      )
     ],
-    targetFindingIds: [f.id]
+    targetFindingIds: allFindingIds,
+    findingCount: allFindingIds.length,
+    // Include evidence for the LLM context
+    evidence: f.evidence || [],
+    file: f.file || null,
   };
 }
 
-function planMissions(findings, { maxMissions = 12, blocksOnlyFirst = true } = {}) {
-  const sorted = [...findings].sort((a,b) => scoreFinding(b) - scoreFinding(a));
+/**
+ * Group related findings that can be fixed together
+ * E.g., multiple Dead UI issues in the same file
+ */
+function groupRelatedFindings(findings) {
+  const groups = new Map();
+  
+  for (const f of findings) {
+    // Group key: category + file (if available)
+    const file = f.file || f.evidence?.[0]?.file || 'unknown';
+    const groupKey = `${f.category}:${file}`;
+    
+    if (!groups.has(groupKey)) {
+      groups.set(groupKey, []);
+    }
+    groups.get(groupKey).push(f);
+  }
+  
+  return groups;
+}
+
+/**
+ * Plan missions from findings with enhanced deduplication and prioritization
+ * 
+ * @param {Array} findings - List of findings from ship/scan
+ * @param {Object} options - Planning options
+ * @returns {Array} Planned missions
+ */
+function planMissions(findings, { maxMissions = 12, blocksOnlyFirst = true, groupRelated = true } = {}) {
+  // Step 1: Sort by score (severity + confidence + evidence)
+  const sorted = [...findings].sort((a, b) => scoreFinding(b) - scoreFinding(a));
 
-  // Cost control: if there are BLOCKs, only plan for BLOCKs first
+  // Step 2: Filter to BLOCKs only if we have them (cost control)
   const hasBlocks = sorted.some(f => f.severity === "BLOCK");
   const scoped = (blocksOnlyFirst && hasBlocks)
     ? sorted.filter(f => f.severity === "BLOCK")
     : sorted;
 
-  const seen = new Set();
-  const filtered = [];
+  // Step 3: Deduplicate using fingerprints
+  const seenFingerprints = new Set();
+  const deduplicated = [];
+  
   for (const f of scoped) {
-    const k = `${f.category}:${f.title}`;
-    if (f.severity === "WARN" && seen.has(k)) continue;
-    seen.add(k);
-    filtered.push(f);
+    const fingerprint = generateFingerprint(f);
+    
+    // Skip exact duplicates
+    if (seenFingerprints.has(fingerprint)) continue;
+    seenFingerprints.add(fingerprint);
+    
+    // Also check for near-duplicates (same category + similar title)
+    const nearDupeKey = `${f.category}:${(f.title || '').substring(0, 50)}`;
+    if (f.severity === "WARN" && seenFingerprints.has(nearDupeKey)) continue;
+    seenFingerprints.add(nearDupeKey);
+    
+    deduplicated.push(f);
   }
 
-  const missions = filtered.slice(0, maxMissions).map(missionFromFinding);
+  // Step 4: Group related findings (optional - reduces noise)
+  let missions = [];
+  
+  if (groupRelated) {
+    const groups = groupRelatedFindings(deduplicated);
+    
+    for (const [groupKey, groupFindings] of groups) {
+      // Take the highest severity finding as primary
+      const primary = groupFindings[0]; // Already sorted by score
+      const related = groupFindings.slice(1, 5); // Limit related findings
+      
+      missions.push(missionFromFinding(primary, related));
+    }
+  } else {
+    missions = deduplicated.map(f => missionFromFinding(f));
+  }
 
-  const priority = {
-    REMOVE_OWNER_MODE: 1,
-    FIX_STRIPE_WEBHOOKS: 2,
-    ENFORCE_PAID_SURFACE: 3,
-    ADD_SERVER_AUTH: 4,
-    FIX_MISSING_ROUTE: 5,
-    FIX_FAKE_SUCCESS: 6,
-    FIX_ENV_CONTRACT: 7,
-    GENERIC_FIX: 99
-  };
+  // Step 5: Sort by priority and limit
+  missions.sort((a, b) => {
+    const prioA = MISSION_PRIORITY[a.type] || 50;
+    const prioB = MISSION_PRIORITY[b.type] || 50;
+    if (prioA !== prioB) return prioA - prioB;
+    
+    // Secondary sort by confidence (higher first)
+    return (b.confidence || 0.5) - (a.confidence || 0.5);
+  });
 
-  missions.sort((a,b) => (priority[a.type] || 50) - (priority[b.type] || 50));
-  return missions;
+  return missions.slice(0, maxMissions);
 }
 
-module.exports = { planMissions };
+module.exports = { 
+  planMissions,
+  scoreFinding,
+  generateFingerprint,
+  CATEGORY_TO_MISSION_TYPE,
+  MISSION_PRIORITY
+};

package/bin/runners/lib/missions/templates.js

@@ -179,6 +179,131 @@ function templateForMissionType(type) {
         success: ["Auth drift findings disappear."]
       };
 
+    // ═══════════════════════════════════════════════════════════════════════════════
+    // ENHANCED MISSION TYPES - World-class detection and fixing
+    // ═══════════════════════════════════════════════════════════════════════════════
+
+    case "FIX_EMPTY_CATCH":
+      return {
+        intent: "Add proper error handling to empty catch blocks. Silent failures hide bugs and security issues.",
+        do: [
+          "Add error logging: console.error('Context:', err) or use structured logger.",
+          "Re-throw the error OR return a meaningful error response to caller.",
+          "If intentionally ignoring, add explicit comment explaining WHY (e.g., // Expected: optional feature).",
+          "Consider adding error tracking (Sentry, etc.) for production visibility."
+        ],
+        dont: [
+          "Do not just add a comment without actual handling.",
+          "Do not swallow errors in auth, payment, or data mutation paths.",
+          "Do not use console.log for errors (use console.error)."
+        ],
+        success: ["Empty catch findings disappear and errors become visible."]
+      };
+
+    case "FIX_TEST_KEYS":
+      return {
+        intent: "Replace test/demo API keys with environment variable references. Test keys in production = security breach.",
+        do: [
+          "Replace sk_test_*, pk_test_*, api_key_test with process.env.STRIPE_SECRET_KEY etc.",
+          "Add the env var to .env.example with a placeholder comment.",
+          "Ensure the code fails fast if env var is missing (no silent fallback to test key).",
+          "Add runtime validation: if (!process.env.STRIPE_SECRET_KEY) throw new Error('Missing STRIPE_SECRET_KEY')."
+        ],
+        dont: [
+          "Do not leave test keys as fallback defaults.",
+          "Do not commit .env files with real keys.",
+          "Do not use generic names like API_KEY - be specific (STRIPE_SECRET_KEY, SENDGRID_API_KEY)."
+        ],
+        success: ["Test key findings disappear and production uses real credentials."]
+      };
+
+    case "FIX_MOCK_DOMAINS":
+      return {
+        intent: "Replace hardcoded mock/localhost URLs with configurable endpoints. Mock domains in production = broken features.",
+        do: [
+          "Replace localhost:*, jsonplaceholder.typicode.com, mockapi.io with process.env.API_BASE_URL.",
+          "Add the env var to .env.example: API_BASE_URL=https://api.yourproduct.com",
+          "Add URL validation at startup to catch misconfiguration early.",
+          "For development, use .env.local with localhost values."
+        ],
+        dont: [
+          "Do not use localhost as a fallback default.",
+          "Do not hardcode staging URLs - use env vars for all environments.",
+          "Do not mix mock and real endpoints in the same codebase without clear separation."
+        ],
+        success: ["Mock domain findings disappear and API calls hit real backends."]
+      };
+
+    case "FIX_PLACEHOLDER_DATA":
+      return {
+        intent: "Replace lorem ipsum and placeholder data with real data fetching or meaningful defaults.",
+        do: [
+          "Replace 'Lorem ipsum', 'John Doe', 'user@example.com' with actual data bindings.",
+          "If data comes from API: ensure proper loading states and error handling.",
+          "If truly static: use real, contextually appropriate content.",
+          "For avatars/images: use real assets or proper placeholder services with fallbacks."
+        ],
+        dont: [
+          "Do not show placeholder data to real users.",
+          "Do not use obviously fake data (123-456-7890, test@test.com) in production UI.",
+          "Do not remove placeholder without adding real data source."
+        ],
+        success: ["Placeholder data findings disappear and UI shows real content."]
+      };
+
+    case "FIX_HARDCODED_SECRETS":
+      return {
+        intent: "Move hardcoded secrets to environment variables. Secrets in code = compromised on first commit.",
+        do: [
+          "Extract secret to environment variable with descriptive name.",
+          "Add to .env.example with CHANGEME or empty placeholder.",
+          "Add .env to .gitignore if not already present.",
+          "Add startup validation to fail fast on missing secrets.",
+          "Consider using a secrets manager (Vault, AWS Secrets Manager) for production."
+        ],
+        dont: [
+          "Do not leave secrets in code comments.",
+          "Do not use generic names (SECRET, PASSWORD) - be specific.",
+          "Do not commit the actual secret value anywhere.",
+          "Do not use base64 encoding as 'encryption' - it's not."
+        ],
+        success: ["Hardcoded secret findings disappear and secrets are externalized."]
+      };
+
+    case "FIX_SIMULATED_BILLING":
+      return {
+        intent: "Replace simulated billing responses with real payment processor integration.",
+        do: [
+          "Connect to real Stripe/payment processor in production mode.",
+          "Ensure webhook handlers verify signatures and process real events.",
+          "Add proper error handling for payment failures.",
+          "Implement idempotency to prevent double charges."
+        ],
+        dont: [
+          "Do not show 'Payment successful' without real charge.",
+          "Do not skip signature verification in production.",
+          "Do not trust client-side payment confirmations."
+        ],
+        success: ["Simulated billing findings disappear and payments are real."]
+      };
+
+    case "FIX_SILENT_FALLBACK":
+      return {
+        intent: "Make failures visible instead of silently returning success. Silent fallbacks hide broken features.",
+        do: [
+          "Remove catch blocks that return { success: true } or empty data.",
+          "Surface errors to the UI with appropriate messaging.",
+          "Log errors with context for debugging.",
+          "Consider graceful degradation that's VISIBLE (e.g., 'Feature temporarily unavailable')."
+        ],
+        dont: [
+          "Do not return success: true when operation failed.",
+          "Do not show success toast/UI when API returned error.",
+          "Do not hide errors from users entirely - they need to know something went wrong."
+        ],
+        success: ["Silent fallback findings disappear and failures become visible."]
+      };
+
     default:
       return {
         intent: "Fix the specific finding with smallest correct patch.",