@vibecheckai/cli 3.1.8 → 3.2.1

package/bin/runners/lib/agent-firewall/change-packet/schema.json

@@ -0,0 +1,228 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "required": ["id", "timestamp", "agentId", "intent", "files", "claims", "verdict"],
+  "properties": {
+    "id": {
+      "type": "string",
+      "description": "Unique packet ID (hash-based)"
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO timestamp of the change"
+    },
+    "agentId": {
+      "type": "string",
+      "description": "Identifier for the AI agent (e.g., 'cursor', 'windsurf', 'copilot')"
+    },
+    "intent": {
+      "type": "string",
+      "description": "Agent's stated intent for the change"
+    },
+    "diff": {
+      "type": "object",
+      "properties": {
+        "before": {
+          "type": "string",
+          "description": "File content before change"
+        },
+        "after": {
+          "type": "string",
+          "description": "File content after change"
+        },
+        "unified": {
+          "type": "string",
+          "description": "Unified diff format"
+        }
+      }
+    },
+    "files": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["path", "linesChanged"],
+        "properties": {
+          "path": {
+            "type": "string",
+            "description": "Relative file path"
+          },
+          "linesChanged": {
+            "type": "number",
+            "description": "Number of lines changed"
+          },
+          "domain": {
+            "type": "string",
+            "enum": ["auth", "payments", "routes", "contracts", "ui", "general"],
+            "description": "File domain classification"
+          }
+        }
+      },
+      "description": "List of changed files"
+    },
+    "claims": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["type", "value", "criticality"],
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": ["route", "env_used", "auth_boundary", "data_contract", "http_call", "ui_success_claim", "side_effect"],
+            "description": "Claim type"
+          },
+          "value": {
+            "type": "string",
+            "description": "Claim value (e.g., route path, env var name)"
+          },
+          "criticality": {
+            "type": "string",
+            "enum": ["hard", "soft"],
+            "description": "Claim criticality"
+          },
+          "pointer": {
+            "type": "string",
+            "description": "File:line pointer (e.g., 'file.ts:42-45')"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Reason for claim extraction"
+          },
+          "file": {
+            "type": "string",
+            "description": "File where claim was found"
+          },
+          "domain": {
+            "type": "string",
+            "enum": ["auth", "payments", "routes", "contracts", "ui", "general"]
+          }
+        }
+      },
+      "description": "Extracted claims from the change"
+    },
+    "evidence": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["claimId", "result"],
+        "properties": {
+          "claimId": {
+            "type": "string",
+            "description": "Reference to claim in claims array"
+          },
+          "result": {
+            "type": "string",
+            "enum": ["PROVEN", "UNPROVEN", "CONTRADICTS"],
+            "description": "Evidence resolution result"
+          },
+          "sources": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "properties": {
+                "type": {
+                  "type": "string",
+                  "enum": ["truthpack.routes", "truthpack.env", "truthpack.auth", "truthpack.contracts", "repo.search"]
+                },
+                "pointer": {
+                  "type": "string"
+                },
+                "confidence": {
+                  "type": "number",
+                  "minimum": 0,
+                  "maximum": 1
+                }
+              }
+            }
+          }
+        }
+      },
+      "description": "Evidence resolution results"
+    },
+    "verdict": {
+      "type": "object",
+      "required": ["decision", "violations"],
+      "properties": {
+        "decision": {
+          "type": "string",
+          "enum": ["ALLOW", "WARN", "BLOCK"],
+          "description": "Final verdict"
+        },
+        "violations": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["rule", "severity", "message"],
+            "properties": {
+              "rule": {
+                "type": "string",
+                "description": "Rule ID that was violated"
+              },
+              "severity": {
+                "type": "string",
+                "enum": ["allow", "warn", "block"]
+              },
+              "message": {
+                "type": "string",
+                "description": "Violation message"
+              },
+              "claimId": {
+                "type": "string",
+                "description": "Related claim ID"
+              }
+            }
+          }
+        },
+        "message": {
+          "type": "string",
+          "description": "Human-readable verdict message"
+        }
+      }
+    },
+    "unblockPlan": {
+      "type": "object",
+      "properties": {
+        "steps": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["action", "file", "description"],
+            "properties": {
+              "action": {
+                "type": "string",
+                "enum": ["add", "modify", "create"]
+              },
+              "file": {
+                "type": "string"
+              },
+              "line": {
+                "type": "number"
+              },
+              "description": {
+                "type": "string"
+              }
+            }
+          }
+        }
+      },
+      "description": "Plan to unblock if verdict is BLOCK"
+    },
+    "metadata": {
+      "type": "object",
+      "properties": {
+        "totalFiles": {
+          "type": "number"
+        },
+        "totalLines": {
+          "type": "number"
+        },
+        "policyVersion": {
+          "type": "string"
+        },
+        "policyProfile": {
+          "type": "string"
+        }
+      }
+    }
+  }
+}

package/bin/runners/lib/agent-firewall/change-packet/store.js

@@ -0,0 +1,200 @@
+/**
+ * Change Packet Store
+ * 
+ * Stores change packets in .vibecheck/packets/YYYY-MM-DD/<hash>.json
+ * Provides querying capabilities by agent, date, verdict.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Store a change packet to disk
+ * @param {string} projectRoot - Project root directory
+ * @param {object} packet - Change packet to store
+ * @returns {string} Path where packet was stored
+ */
+function storePacket(projectRoot, packet) {
+  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
+  
+  // Create date-based directory
+  const date = new Date(packet.timestamp);
+  const dateDir = date.toISOString().split('T')[0]; // YYYY-MM-DD
+  const dayDir = path.join(packetsDir, dateDir);
+  
+  // Ensure directory exists
+  if (!fs.existsSync(dayDir)) {
+    fs.mkdirSync(dayDir, { recursive: true });
+  }
+  
+  // Write packet file
+  const packetPath = path.join(dayDir, `${packet.id}.json`);
+  fs.writeFileSync(packetPath, JSON.stringify(packet, null, 2));
+  
+  return packetPath;
+}
+
+/**
+ * Load a change packet by ID
+ * @param {string} projectRoot - Project root directory
+ * @param {string} packetId - Packet ID
+ * @returns {object|null} Change packet or null if not found
+ */
+function loadPacket(projectRoot, packetId) {
+  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
+  
+  // Search all date directories
+  if (!fs.existsSync(packetsDir)) {
+    return null;
+  }
+  
+  const dateDirs = fs.readdirSync(packetsDir, { withFileTypes: true })
+    .filter(dirent => dirent.isDirectory())
+    .map(dirent => dirent.name);
+  
+  for (const dateDir of dateDirs) {
+    const dayDir = path.join(packetsDir, dateDir);
+    const packetPath = path.join(dayDir, `${packetId}.json`);
+    
+    if (fs.existsSync(packetPath)) {
+      return JSON.parse(fs.readFileSync(packetPath, "utf8"));
+    }
+  }
+  
+  return null;
+}
+
+/**
+ * Query change packets
+ * @param {string} projectRoot - Project root directory
+ * @param {object} filters - Query filters
+ * @param {string} filters.agentId - Filter by agent ID
+ * @param {string} filters.date - Filter by date (YYYY-MM-DD)
+ * @param {string} filters.verdict - Filter by verdict (ALLOW, WARN, BLOCK)
+ * @param {number} filters.limit - Maximum number of results
+ * @returns {array} Array of change packets
+ */
+function queryPackets(projectRoot, filters = {}) {
+  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
+  
+  if (!fs.existsSync(packetsDir)) {
+    return [];
+  }
+  
+  const results = [];
+  const { agentId, date, verdict, limit } = filters;
+  
+  // Determine which date directories to search
+  const dateDirs = date 
+    ? [date]
+    : fs.readdirSync(packetsDir, { withFileTypes: true })
+        .filter(dirent => dirent.isDirectory())
+        .map(dirent => dirent.name)
+        .sort()
+        .reverse(); // Most recent first
+  
+  for (const dateDir of dateDirs) {
+    const dayDir = path.join(packetsDir, dateDir);
+    
+    if (!fs.existsSync(dayDir)) continue;
+    
+    const packetFiles = fs.readdirSync(dayDir)
+      .filter(file => file.endsWith('.json'))
+      .map(file => path.join(dayDir, file));
+    
+    for (const packetPath of packetFiles) {
+      try {
+        const packet = JSON.parse(fs.readFileSync(packetPath, "utf8"));
+        
+        // Apply filters
+        if (agentId && packet.agentId !== agentId) continue;
+        if (verdict && packet.verdict?.decision !== verdict) continue;
+        
+        results.push(packet);
+        
+        // Apply limit
+        if (limit && results.length >= limit) {
+          return results;
+        }
+      } catch (error) {
+        // Skip invalid packets
+        continue;
+      }
+    }
+    
+    // If we have a date filter, we only need to check that one directory
+    if (date) break;
+  }
+  
+  return results;
+}
+
+/**
+ * Get statistics about stored packets
+ * @param {string} projectRoot - Project root directory
+ * @returns {object} Statistics
+ */
+function getPacketStats(projectRoot) {
+  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
+  
+  if (!fs.existsSync(packetsDir)) {
+    return {
+      total: 0,
+      byAgent: {},
+      byVerdict: { ALLOW: 0, WARN: 0, BLOCK: 0 },
+      byDate: {}
+    };
+  }
+  
+  const stats = {
+    total: 0,
+    byAgent: {},
+    byVerdict: { ALLOW: 0, WARN: 0, BLOCK: 0 },
+    byDate: {}
+  };
+  
+  const dateDirs = fs.readdirSync(packetsDir, { withFileTypes: true })
+    .filter(dirent => dirent.isDirectory())
+    .map(dirent => dirent.name);
+  
+  for (const dateDir of dateDirs) {
+    const dayDir = path.join(packetsDir, dateDir);
+    if (!fs.existsSync(dayDir)) continue;
+    
+    const packetFiles = fs.readdirSync(dayDir)
+      .filter(file => file.endsWith('.json'));
+    
+    stats.byDate[dateDir] = packetFiles.length;
+    
+    for (const file of packetFiles) {
+      try {
+        const packet = JSON.parse(
+          fs.readFileSync(path.join(dayDir, file), "utf8")
+        );
+        
+        stats.total++;
+        
+        // Count by agent
+        stats.byAgent[packet.agentId] = (stats.byAgent[packet.agentId] || 0) + 1;
+        
+        // Count by verdict
+        const verdict = packet.verdict?.decision || "ALLOW";
+        stats.byVerdict[verdict] = (stats.byVerdict[verdict] || 0) + 1;
+      } catch (error) {
+        // Skip invalid packets
+        continue;
+      }
+    }
+  }
+  
+  return stats;
+}
+
+module.exports = {
+  storePacket,
+  loadPacket,
+  queryPackets,
+  getPacketStats
+};

package/bin/runners/lib/agent-firewall/claims/claim-types.js

@@ -0,0 +1,21 @@
+/**
+ * Claim Types
+ * 
+ * Enumeration of claim types and criticality levels.
+ */
+
+module.exports = {
+  CLAIM_TYPES: {
+    ROUTE: "route",
+    ENV: "env_used",
+    AUTH: "auth_boundary",
+    CONTRACT: "data_contract",
+    HTTP_CALL: "http_call",
+    UI_SUCCESS: "ui_success_claim",
+    SIDE_EFFECT: "side_effect"
+  },
+  CRITICALITY: {
+    HARD: "hard",
+    SOFT: "soft"
+  }
+};

package/bin/runners/lib/agent-firewall/claims/extractor.js

@@ -0,0 +1,214 @@
+/**
+ * Claim Extractor
+ * 
+ * Extracts "drift-causing claims" from changed files.
+ * Uses AST-based extraction with Babel parser.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { CLAIM_TYPES, CRITICALITY } = require("./claim-types");
+const { ROUTE_LIKE, AUTH_HINTS, SUCCESS_UI } = require("./patterns");
+
+function parse(code) {
+  return parser.parse(code, {
+    sourceType: "unambiguous",
+    plugins: ["typescript", "jsx"]
+  });
+}
+
+function locPtr(fileRel, node) {
+  const loc = node && node.loc;
+  if (!loc) return null;
+  return `${fileRel}:${loc.start.line}-${loc.end.line}`;
+}
+
+function pushClaim(out, claim) {
+  const key = `${claim.type}|${claim.value}|${claim.pointer || ""}`;
+  if (!out._dedupe.has(key)) {
+    out._dedupe.add(key);
+    out.claims.push(claim);
+  }
+}
+
+function extractStringLiterals(code) {
+  // Cheap scan for route-ish strings even if AST misses template parts.
+  const hits = [];
+  for (const rx of ROUTE_LIKE) {
+    const m = code.match(rx);
+    if (m) hits.push(...m);
+  }
+  return [...new Set(hits)];
+}
+
+function classifyFileDomain(fileRel) {
+  const s = fileRel.toLowerCase();
+  if (s.includes("auth")) return "auth";
+  if (s.includes("stripe") || s.includes("payment")) return "payments";
+  if (s.includes("routes") || s.includes("router") || s.includes("api")) return "routes";
+  if (s.includes("schema") || s.includes("contract") || s.includes("openapi")) return "contracts";
+  if (s.includes("ui") || s.includes("components") || s.includes("pages")) return "ui";
+  return "general";
+}
+
+function extractClaimsFromFile({ repoRoot, fileAbs }) {
+  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+  const code = fs.readFileSync(fileAbs, "utf8");
+  const ast = parse(code);
+
+  const out = { fileRel, domain: classifyFileDomain(fileRel), claims: [], _dedupe: new Set() };
+
+  // 1) quick string route-ish scan
+  for (const r of extractStringLiterals(code)) {
+    pushClaim(out, {
+      type: CLAIM_TYPES.ROUTE,
+      value: r,
+      criticality: CRITICALITY.HARD,
+      pointer: `${fileRel}:1-1`,
+      reason: "route-like string literal"
+    });
+  }
+
+  // 2) AST-based env extraction
+  traverse(ast, {
+    MemberExpression(p) {
+      // process.env.X
+      const n = p.node;
+      if (
+        t.isMemberExpression(n.object) &&
+        t.isIdentifier(n.object.object, { name: "process" }) &&
+        t.isIdentifier(n.object.property, { name: "env" }) &&
+        (t.isIdentifier(n.property) || t.isStringLiteral(n.property))
+      ) {
+        const name = t.isIdentifier(n.property) ? n.property.name : n.property.value;
+        pushClaim(out, {
+          type: CLAIM_TYPES.ENV,
+          value: name,
+          criticality: CRITICALITY.HARD,
+          pointer: locPtr(fileRel, n),
+          reason: "process.env usage"
+        });
+      }
+
+      // import.meta.env.X (Vite)
+      if (
+        t.isMemberExpression(n.object) &&
+        t.isMemberExpression(n.object.object) &&
+        t.isIdentifier(n.object.object.object, { name: "import" }) &&
+        t.isIdentifier(n.object.object.property, { name: "meta" }) &&
+        t.isIdentifier(n.object.property, { name: "env" }) &&
+        (t.isIdentifier(n.property) || t.isStringLiteral(n.property))
+      ) {
+        const name = t.isIdentifier(n.property) ? n.property.name : n.property.value;
+        pushClaim(out, {
+          type: CLAIM_TYPES.ENV,
+          value: name,
+          criticality: CRITICALITY.HARD,
+          pointer: locPtr(fileRel, n),
+          reason: "import.meta.env usage"
+        });
+      }
+    },
+
+    CallExpression(p) {
+      const n = p.node;
+
+      // fetch("/api/...")
+      if (t.isIdentifier(n.callee, { name: "fetch" }) && n.arguments[0]) {
+        const a0 = n.arguments[0];
+        if (t.isStringLiteral(a0)) {
+          pushClaim(out, {
+            type: CLAIM_TYPES.HTTP_CALL,
+            value: a0.value,
+            criticality: CRITICALITY.HARD,
+            pointer: locPtr(fileRel, n),
+            reason: "fetch call"
+          });
+        }
+      }
+
+      // axios.get("/api/...")
+      if (t.isMemberExpression(n.callee) && t.isIdentifier(n.callee.object, { name: "axios" })) {
+        const method = t.isIdentifier(n.callee.property) ? n.callee.property.name : "call";
+        const a0 = n.arguments[0];
+        if (a0 && t.isStringLiteral(a0)) {
+          pushClaim(out, {
+            type: CLAIM_TYPES.HTTP_CALL,
+            value: `${method.toUpperCase()} ${a0.value}`,
+            criticality: CRITICALITY.HARD,
+            pointer: locPtr(fileRel, n),
+            reason: "axios call"
+          });
+        }
+      }
+
+      // toast.success("Saved")
+      if (
+        t.isMemberExpression(n.callee) &&
+        t.isIdentifier(n.callee.object, { name: "toast" }) &&
+        t.isIdentifier(n.callee.property, { name: "success" })
+      ) {
+        const msg = n.arguments[0] && t.isStringLiteral(n.arguments[0]) ? n.arguments[0].value : "toast.success";
+        pushClaim(out, {
+          type: CLAIM_TYPES.UI_SUCCESS,
+          value: msg,
+          criticality: CRITICALITY.SOFT,
+          pointer: locPtr(fileRel, n),
+          reason: "success UI signal"
+        });
+      }
+    }
+  });
+
+  // 3) auth-ish keyword scan (cheap but effective)
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (AUTH_HINTS.some((rx) => rx.test(line))) {
+      pushClaim(out, {
+        type: CLAIM_TYPES.AUTH,
+        value: line.trim().slice(0, 140),
+        criticality: CRITICALITY.HARD,
+        pointer: `${fileRel}:${i + 1}-${i + 1}`,
+        reason: "auth/role/scope hint"
+      });
+    }
+    if (SUCCESS_UI.some((rx) => rx.test(line))) {
+      pushClaim(out, {
+        type: CLAIM_TYPES.UI_SUCCESS,
+        value: line.trim().slice(0, 140),
+        criticality: CRITICALITY.SOFT,
+        pointer: `${fileRel}:${i + 1}-${i + 1}`,
+        reason: "success UI hint"
+      });
+    }
+  }
+
+  delete out._dedupe;
+  return out;
+}
+
+function extractClaims({ repoRoot, changedFilesAbs }) {
+  const files = changedFilesAbs.filter((f) => fs.existsSync(f));
+  const perFile = files.map((fileAbs) => extractClaimsFromFile({ repoRoot, fileAbs }));
+
+  // Flatten + dedupe across files
+  const dedupe = new Set();
+  const claims = [];
+  for (const f of perFile) {
+    for (const c of f.claims) {
+      const k = `${c.type}|${c.value}`;
+      if (!dedupe.has(k)) {
+        dedupe.add(k);
+        claims.push({ ...c, file: f.fileRel, domain: f.domain });
+      }
+    }
+  }
+
+  return { claims, perFile };
+}
+
+module.exports = { extractClaims, extractClaimsFromFile };

package/bin/runners/lib/agent-firewall/claims/patterns.js

@@ -0,0 +1,24 @@
+/**
+ * Claim Patterns
+ * 
+ * Regex patterns for detecting claims in code.
+ */
+
+const ROUTE_LIKE = [
+  /\/api\/[a-zA-Z0-9_\/\-]+/g,
+  /\/health\/[a-zA-Z0-9_\/\-]+/g
+];
+
+const AUTH_HINTS = [
+  /\b(admin|owner|staff|superadmin|root)\b/i,
+  /\b(role|roles|scope|scopes|permission|permissions)\b/i,
+  /\b(auth|authorize|authorization|requireAuth|requireRole|rbac)\b/i
+];
+
+const SUCCESS_UI = [
+  /\b(success|saved|updated|complete|done)\b/i,
+  /\btoast\.(success|info)\b/i,
+  /\benqueueSnackbar\b/i
+];
+
+module.exports = { ROUTE_LIKE, AUTH_HINTS, SUCCESS_UI };