npm - @vibecheckai/cli - Versions diffs - 3.1.8 → 3.2.1 - Mend

@vibecheckai/cli 3.1.8 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/bin/registry.js +106 -116
package/bin/runners/context/generators/mcp.js +18 -0
package/bin/runners/context/index.js +72 -4
package/bin/runners/context/proof-context.js +293 -1
package/bin/runners/context/security-scanner.js +311 -73
package/bin/runners/lib/agent-firewall/change-packet/builder.js +214 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +214 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +118 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +142 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +304 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +84 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +72 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +143 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +61 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +116 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/analysis-core.js +198 -180
package/bin/runners/lib/analyzers.js +1394 -224
package/bin/runners/lib/detectors-v2.js +560 -641
package/bin/runners/lib/entitlements-v2.js +48 -1
package/bin/runners/lib/evidence-pack.js +678 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/missions/plan.js +231 -41
package/bin/runners/lib/missions/templates.js +125 -0
package/bin/runners/lib/route-truth.js +1167 -322
package/bin/runners/lib/scan-output.js +558 -235
package/bin/runners/lib/ship-output.js +901 -641
package/bin/runners/lib/truth.js +1004 -321
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runCheckpoint.js +44 -3
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runDoctor.js +10 -2
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +51 -341
package/bin/runners/runInit.js +11 -0
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +608 -29
package/bin/runners/runProve.js +210 -25
package/bin/runners/runReality.js +846 -101
package/bin/runners/runScan.js +351 -14
package/bin/runners/runShip.js +19 -3
package/bin/runners/runTruth.js +89 -0
package/bin/runners/runWatch.js +14 -1
package/bin/vibecheck.js +32 -2
package/mcp-server/agent-firewall-interceptor.js +164 -0
package/mcp-server/consolidated-tools.js +408 -42
package/mcp-server/index.js +498 -327
package/mcp-server/proof-tools.js +571 -0
package/mcp-server/tier-auth.js +22 -19
package/mcp-server/tools-v3.js +744 -0
package/mcp-server/truth-context.js +131 -90
package/mcp-server/truth-firewall-tools.js +1494 -941
package/package.json +3 -1
package/bin/runners/runInstall.js +0 -281
package/bin/runners/runLabs.js +0 -341

package/bin/runners/lib/agent-firewall/interceptor/base.js ADDED Viewed

@@ -0,0 +1,304 @@
+/**
+ * Base Interceptor
+ *
+ * Common logic for all IDE interceptors.
+ */
+"use strict";
+const path = require("path");
+const fs = require("fs");
+const { extractClaims } = require("../claims/extractor");
+const { resolveEvidence } = require("../evidence/resolver");
+const { evaluatePolicy } = require("../policy/engine");
+const { buildChangePacket, buildMultiFileChangePacket } = require("../change-packet/builder");
+const { storePacket } = require("../change-packet/store");
+const { generateUnblockPlan } = require("../unblock/planner");
+const { loadPolicy } = require("../policy/loader");
+/**
+ * Intercept a file write attempt
+ * @param {object} params
+ * @param {string} params.projectRoot - Project root directory
+ * @param {string} params.agentId - Agent identifier
+ * @param {string} params.intent - Agent intent message
+ * @param {string} params.filePath - File path (relative to project root)
+ * @param {string} params.content - New file content
+ * @param {string} params.oldContent - Old file content (optional)
+ * @returns {object} Interception result
+ */
+async function interceptFileWrite({
+  projectRoot,
+  agentId,
+  intent,
+  filePath,
+  content,
+  oldContent = null
+}) {
+  // Load policy
+  const policy = loadPolicy(projectRoot);
+  // Generate diff
+  const diff = generateDiff(oldContent, content);
+  // Extract claims - write content to temp file if file doesn't exist
+  const fileAbs = path.join(projectRoot, filePath);
+  let tempFile = null;
+  if (!fs.existsSync(fileAbs) && content) {
+    // Write content to temp file for extraction
+    const tempDir = path.join(projectRoot, ".vibecheck", "temp");
+    if (!fs.existsSync(tempDir)) {
+      fs.mkdirSync(tempDir, { recursive: true });
+    }
+    tempFile = path.join(tempDir, path.basename(filePath));
+    fs.writeFileSync(tempFile, content, "utf8");
+  }
+  const fileToExtract = fs.existsSync(fileAbs) ? fileAbs : (tempFile || fileAbs);
+  const { claims } = extractClaims({
+    repoRoot: projectRoot,
+    changedFilesAbs: [fileToExtract]
+  });
+  // Clean up temp file
+  if (tempFile && fs.existsSync(tempFile)) {
+    fs.unlinkSync(tempFile);
+  }
+  // Resolve evidence
+  const evidence = resolveEvidence(projectRoot, claims);
+  // Build file info
+  const files = [{
+    path: filePath,
+    linesChanged: calculateLinesChanged(diff),
+    domain: classifyFileDomain(filePath)
+  }];
+  // Evaluate policy
+  const verdict = evaluatePolicy({
+    policy,
+    claims,
+    evidence,
+    files,
+    intent
+  });
+  // Generate unblock plan if blocked
+  let unblockPlan = null;
+  if (verdict.decision === "BLOCK") {
+    unblockPlan = generateUnblockPlan({
+      violations: verdict.violations,
+      claims,
+      projectRoot
+    });
+  }
+  // Build change packet
+  const packet = buildChangePacket({
+    agentId,
+    intent,
+    diff,
+    filePath,
+    claims,
+    evidence,
+    verdict,
+    unblockPlan,
+    policy
+  });
+  // Store packet if policy requires it
+  if (policy.output?.write_change_packets !== false) {
+    storePacket(projectRoot, packet);
+  }
+  // Return interception result
+  return {
+    allowed: verdict.decision === "ALLOW",
+    verdict: verdict.decision,
+    violations: verdict.violations,
+    unblockPlan,
+    packetId: packet.id,
+    message: verdict.message
+  };
+}
+/**
+ * Intercept multiple file writes
+ */
+async function interceptMultiFileWrite({
+  projectRoot,
+  agentId,
+  intent,
+  changes
+}) {
+  // Load policy
+  const policy = loadPolicy(projectRoot);
+  // Extract claims from all files
+  const allClaims = [];
+  const allFiles = [];
+  for (const change of changes) {
+    const fileAbs = path.join(projectRoot, change.filePath);
+    const { claims } = extractClaims({
+      repoRoot: projectRoot,
+      changedFilesAbs: [fileAbs]
+    });
+    allClaims.push(...claims.map(c => ({ ...c, file: change.filePath })));
+    allFiles.push({
+      path: change.filePath,
+      linesChanged: calculateLinesChanged(change.diff),
+      domain: classifyFileDomain(change.filePath)
+    });
+  }
+  // Resolve evidence
+  const evidence = resolveEvidence(projectRoot, allClaims);
+  // Evaluate policy
+  const verdict = evaluatePolicy({
+    policy,
+    claims: allClaims,
+    evidence,
+    files: allFiles,
+    intent
+  });
+  // Generate unblock plan if blocked
+  let unblockPlan = null;
+  if (verdict.decision === "BLOCK") {
+    unblockPlan = generateUnblockPlan({
+      violations: verdict.violations,
+      claims: allClaims,
+      projectRoot
+    });
+  }
+  // Build change packet
+  const packet = buildMultiFileChangePacket({
+    agentId,
+    intent,
+    changes: changes.map(c => ({
+      filePath: c.filePath,
+      diff: c.diff,
+      claims: allClaims.filter(cl => cl.file === c.filePath)
+    })),
+    evidence,
+    verdict,
+    unblockPlan,
+    policy
+  });
+  // Store packet if policy requires it
+  if (policy.output?.write_change_packets !== false) {
+    storePacket(projectRoot, packet);
+  }
+  // Return interception result
+  return {
+    allowed: verdict.decision === "ALLOW",
+    verdict: verdict.decision,
+    violations: verdict.violations,
+    unblockPlan,
+    packetId: packet.id,
+    message: verdict.message
+  };
+}
+/**
+ * Generate unified diff
+ */
+function generateDiff(oldContent, newContent) {
+  if (!oldContent) {
+    return {
+      before: "",
+      after: newContent,
+      unified: generateUnifiedDiff("", newContent)
+    };
+  }
+  return {
+    before: oldContent,
+    after: newContent,
+    unified: generateUnifiedDiff(oldContent, newContent)
+  };
+}
+/**
+ * Generate unified diff format
+ */
+function generateUnifiedDiff(oldContent, newContent) {
+  const oldLines = oldContent.split(/\r?\n/);
+  const newLines = newContent.split(/\r?\n/);
+  const diff = [];
+  let i = 0, j = 0;
+  while (i < oldLines.length || j < newLines.length) {
+    if (i >= oldLines.length) {
+      diff.push(`+${newLines[j]}`);
+      j++;
+    } else if (j >= newLines.length) {
+      diff.push(`-${oldLines[i]}`);
+      i++;
+    } else if (oldLines[i] === newLines[j]) {
+      diff.push(` ${oldLines[i]}`);
+      i++;
+      j++;
+    } else {
+      // Try to find matching line ahead
+      let found = false;
+      for (let k = j + 1; k < Math.min(j + 10, newLines.length); k++) {
+        if (oldLines[i] === newLines[k]) {
+          // Add new lines
+          for (let l = j; l < k; l++) {
+            diff.push(`+${newLines[l]}`);
+          }
+          j = k;
+          found = true;
+          break;
+        }
+      }
+      if (!found) {
+        diff.push(`-${oldLines[i]}`);
+        diff.push(`+${newLines[j]}`);
+        i++;
+        j++;
+      }
+    }
+  }
+  return diff.join("\n");
+}
+/**
+ * Calculate lines changed from diff
+ */
+function calculateLinesChanged(diff) {
+  if (!diff || !diff.unified) return 0;
+  return diff.unified.split('\n').filter(line =>
+    line.startsWith('+') || line.startsWith('-')
+  ).length;
+}
+/**
+ * Classify file domain
+ */
+function classifyFileDomain(filePath) {
+  const s = filePath.toLowerCase();
+  if (s.includes("auth")) return "auth";
+  if (s.includes("stripe") || s.includes("payment")) return "payments";
+  if (s.includes("routes") || s.includes("router") || s.includes("api")) return "routes";
+  if (s.includes("schema") || s.includes("contract") || s.includes("openapi")) return "contracts";
+  if (s.includes("ui") || s.includes("components") || s.includes("pages")) return "ui";
+  return "general";
+}
+module.exports = {
+  interceptFileWrite,
+  interceptMultiFileWrite
+};

package/bin/runners/lib/agent-firewall/interceptor/cursor.js ADDED Viewed

@@ -0,0 +1,35 @@
+/**
+ * Cursor IDE Interceptor
+ *
+ * Cursor-specific integration for agent firewall.
+ * Hooks into Cursor's file write events.
+ */
+"use strict";
+const { interceptFileWrite } = require("./base");
+/**
+ * Intercept file write in Cursor
+ * This would be called by Cursor's extension/plugin system
+ */
+async function interceptCursorWrite({
+  projectRoot,
+  filePath,
+  content,
+  oldContent,
+  agentId = "cursor"
+}) {
+  return await interceptFileWrite({
+    projectRoot,
+    agentId,
+    intent: "Cursor AI edit",
+    filePath,
+    content,
+    oldContent
+  });
+}
+module.exports = {
+  interceptCursorWrite
+};

package/bin/runners/lib/agent-firewall/interceptor/vscode.js ADDED Viewed

@@ -0,0 +1,35 @@
+/**
+ * VS Code LSP Interceptor
+ *
+ * VS Code LSP integration for agent firewall.
+ * Generic LSP hook for file writes.
+ */
+"use strict";
+const { interceptFileWrite } = require("./base");
+/**
+ * Intercept file write via LSP
+ * This would be called by VS Code's LSP server
+ */
+async function interceptVSCodeWrite({
+  projectRoot,
+  filePath,
+  content,
+  oldContent,
+  agentId = "vscode"
+}) {
+  return await interceptFileWrite({
+    projectRoot,
+    agentId,
+    intent: "VS Code AI edit",
+    filePath,
+    content,
+    oldContent
+  });
+}
+module.exports = {
+  interceptVSCodeWrite
+};

package/bin/runners/lib/agent-firewall/interceptor/windsurf.js ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * Windsurf IDE Interceptor
+ *
+ * Windsurf-specific integration for agent firewall.
+ */
+"use strict";
+const { interceptFileWrite } = require("./base");
+/**
+ * Intercept file write in Windsurf
+ * This would be called by Windsurf's extension/plugin system
+ */
+async function interceptWindsurfWrite({
+  projectRoot,
+  filePath,
+  content,
+  oldContent,
+  agentId = "windsurf"
+}) {
+  return await interceptFileWrite({
+    projectRoot,
+    agentId,
+    intent: "Windsurf AI edit",
+    filePath,
+    content,
+    oldContent
+  });
+}
+module.exports = {
+  interceptWindsurfWrite
+};

package/bin/runners/lib/agent-firewall/policy/default-policy.json ADDED Viewed

@@ -0,0 +1,84 @@
+{
+  "version": "1.0",
+  "mode": "enforce",
+  "profile": "repo-lock",
+  "scope": {
+    "max_files_touched": 10,
+    "max_lines_changed": 600,
+    "blocked_paths": [
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/.next/**",
+      "**/.vibecheck/packets/**"
+    ],
+    "allowed_paths": [
+      "apps/**",
+      "packages/**",
+      "src/**"
+    ],
+    "require_intent_for_expand_scope": true
+  },
+  "hard_domains": {
+    "routes": true,
+    "env": true,
+    "auth": true,
+    "contracts": true,
+    "payments": true,
+    "side_effects": true
+  },
+  "rules": {
+    "ghost_route": {
+      "severity": "block",
+      "enabled": true
+    },
+    "ghost_env": {
+      "severity": "block",
+      "enabled": true
+    },
+    "auth_drift": {
+      "severity": "block",
+      "enabled": true
+    },
+    "contract_drift": {
+      "severity": "block",
+      "enabled": true
+    },
+    "fake_success_ui": {
+      "severity": "warn",
+      "enabled": true,
+      "block_if_domain": ["payments", "auth", "side_effects"]
+    },
+    "scope_explosion": {
+      "severity": "block",
+      "enabled": true
+    },
+    "unsafe_side_effect": {
+      "severity": "block",
+      "enabled": true
+    }
+  },
+  "evidence": {
+    "require_pointers": true,
+    "acceptable_sources": [
+      "truthpack.routes",
+      "truthpack.env",
+      "truthpack.auth",
+      "truthpack.contracts",
+      "repo.search"
+    ],
+    "pointer_format": "file:lineStart-lineEnd"
+  },
+  "verification": {
+    "require_for_domains": ["auth", "payments", "side_effects"],
+    "accepted": ["tests", "reality"],
+    "reality": {
+      "enabled": true,
+      "block_on": ["fake_success", "no_mutation", "network_error"]
+    }
+  },
+  "output": {
+    "write_change_packets": true,
+    "packet_dir": ".vibecheck/packets",
+    "report_formats": ["md", "html"]
+  }
+}

package/bin/runners/lib/agent-firewall/policy/engine.js ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Policy Engine
+ *
+ * Main policy engine that evaluates all rules deterministically.
+ * No LLM opinions - pure rule-based evaluation.
+ */
+"use strict";
+const ghostRoute = require("./rules/ghost-route");
+const ghostEnv = require("./rules/ghost-env");
+const authDrift = require("./rules/auth-drift");
+const contractDrift = require("./rules/contract-drift");
+const fakeSuccess = require("./rules/fake-success");
+const scope = require("./rules/scope");
+const unsafeSideEffect = require("./rules/unsafe-side-effect");
+const { generateVerdict } = require("./verdict");
+/**
+ * Evaluate policy against change packet
+ * @param {object} params
+ * @param {object} params.policy - Policy configuration
+ * @param {array} params.claims - Extracted claims
+ * @param {array} params.evidence - Evidence resolution results
+ * @param {array} params.files - Changed files
+ * @param {string} params.intent - Agent intent message
+ * @returns {object} Verdict object
+ */
+function evaluatePolicy({ policy, claims, evidence, files, intent }) {
+  const violations = [];
+  // Evaluate all rules
+  const ruleEvaluators = [
+    ghostRoute,
+    ghostEnv,
+    authDrift,
+    contractDrift,
+    fakeSuccess,
+    unsafeSideEffect
+  ];
+  // Evaluate claim-based rules
+  for (const evaluator of ruleEvaluators) {
+    try {
+      const violation = evaluator.evaluate({ claims, evidence, policy });
+      if (violation) {
+        violations.push(violation);
+      }
+    } catch (error) {
+      console.warn(`Rule evaluation error: ${error.message}`);
+    }
+  }
+  // Evaluate scope rule (file-based)
+  try {
+    const violation = scope.evaluate({ files, intent, policy });
+    if (violation) {
+      violations.push(violation);
+    }
+  } catch (error) {
+    console.warn(`Scope rule evaluation error: ${error.message}`);
+  }
+  // Generate final verdict
+  const verdict = generateVerdict(violations);
+  return verdict;
+}
+module.exports = {
+  evaluatePolicy
+};

package/bin/runners/lib/agent-firewall/policy/loader.js ADDED Viewed

@@ -0,0 +1,143 @@
+/**
+ * Policy Loader
+ *
+ * Loads and validates agent firewall policy from .vibecheck/policy.json
+ * Falls back to default policy if not found.
+ */
+"use strict";
+const fs = require("fs");
+const path = require("path");
+const Ajv = require("ajv").default || require("ajv");
+// Load schema
+const schemaPath = path.join(__dirname, "schema.json");
+const schema = JSON.parse(fs.readFileSync(schemaPath, "utf8"));
+// Load default policy
+const defaultPolicyPath = path.join(__dirname, "default-policy.json");
+const defaultPolicy = JSON.parse(fs.readFileSync(defaultPolicyPath, "utf8"));
+/**
+ * Load policy from project root
+ * @param {string} projectRoot - Project root directory
+ * @param {object} overrides - Optional policy overrides
+ * @returns {object} Loaded and validated policy
+ */
+function loadPolicy(projectRoot, overrides = {}) {
+  const policyPath = path.join(projectRoot, ".vibecheck", "policy.json");
+  let policy;
+  // Try to load project policy
+  if (fs.existsSync(policyPath)) {
+    try {
+      policy = JSON.parse(fs.readFileSync(policyPath, "utf8"));
+    } catch (error) {
+      throw new Error(`Failed to parse policy file: ${error.message}`);
+    }
+  } else {
+    // Use default policy
+    policy = JSON.parse(JSON.stringify(defaultPolicy));
+  }
+  // Apply overrides (deep merge)
+  if (Object.keys(overrides).length > 0) {
+    policy = deepMerge(policy, overrides);
+  }
+  // Validate against schema
+  const ajv = new Ajv({ allErrors: true });
+  const validate = ajv.compile(schema);
+  const valid = validate(policy);
+  if (!valid) {
+    const errors = validate.errors.map(e =>
+      `${e.instancePath || 'root'} ${e.message}`
+    ).join(', ');
+    throw new Error(`Policy validation failed: ${errors}`);
+  }
+  return policy;
+}
+/**
+ * Deep merge two objects
+ * @param {object} target - Target object
+ * @param {object} source - Source object to merge
+ * @returns {object} Merged object
+ */
+function deepMerge(target, source) {
+  const output = Object.assign({}, target);
+  if (isObject(target) && isObject(source)) {
+    Object.keys(source).forEach(key => {
+      if (isObject(source[key])) {
+        if (!(key in target)) {
+          Object.assign(output, { [key]: source[key] });
+        } else {
+          output[key] = deepMerge(target[key], source[key]);
+        }
+      } else {
+        Object.assign(output, { [key]: source[key] });
+      }
+    });
+  }
+  return output;
+}
+/**
+ * Check if value is a plain object
+ * @param {*} item - Value to check
+ * @returns {boolean}
+ */
+function isObject(item) {
+  return item && typeof item === 'object' && !Array.isArray(item);
+}
+/**
+ * Get default policy
+ * @returns {object} Default policy
+ */
+function getDefaultPolicy() {
+  return JSON.parse(JSON.stringify(defaultPolicy));
+}
+/**
+ * Save policy to project root
+ * @param {string} projectRoot - Project root directory
+ * @param {object} policy - Policy to save
+ */
+function savePolicy(projectRoot, policy) {
+  const vibecheckDir = path.join(projectRoot, ".vibecheck");
+  const policyPath = path.join(vibecheckDir, "policy.json");
+  // Ensure .vibecheck directory exists
+  if (!fs.existsSync(vibecheckDir)) {
+    fs.mkdirSync(vibecheckDir, { recursive: true });
+  }
+  // Validate before saving
+  const ajv = new Ajv({ allErrors: true });
+  const validate = ajv.compile(schema);
+  const valid = validate(policy);
+  if (!valid) {
+    const errors = validate.errors.map(e =>
+      `${e.instancePath || 'root'} ${e.message}`
+    ).join(', ');
+    throw new Error(`Policy validation failed: ${errors}`);
+  }
+  fs.writeFileSync(policyPath, JSON.stringify(policy, null, 2));
+}
+module.exports = {
+  loadPolicy,
+  getDefaultPolicy,
+  savePolicy,
+  schema,
+  defaultPolicy
+};