@vibecheckai/cli 3.2.0 → 3.2.1

package/bin/runners/runAgent.js

@@ -0,0 +1,161 @@
+/**
+ * Agent Management Command Handler
+ * 
+ * Install/uninstall hooks, status checks.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const { loadPolicy } = require("./lib/agent-firewall/policy/loader");
+
+/**
+ * Run agent command
+ * @param {object} options - Command options
+ * @param {string} options.action - Action: 'install', 'status', 'lock', 'unlock'
+ * @param {string} options.projectRoot - Project root directory
+ */
+async function runAgent(options = {}) {
+  const projectRoot = options.projectRoot || process.cwd();
+  const action = options.action || "status";
+  
+  switch (action) {
+    case "install":
+      return installHooks(projectRoot);
+      
+    case "status":
+      return showAgentStatus(projectRoot);
+      
+    case "lock":
+      return lockRepo(projectRoot);
+      
+    case "unlock":
+      return unlockRepo(projectRoot);
+      
+    default:
+      throw new Error(`Unknown action: ${action}`);
+  }
+}
+
+/**
+ * Install IDE hooks
+ */
+function installHooks(projectRoot) {
+  // Create .vibecheck directory if it doesn't exist
+  const vibecheckDir = path.join(projectRoot, ".vibecheck");
+  if (!fs.existsSync(vibecheckDir)) {
+    fs.mkdirSync(vibecheckDir, { recursive: true });
+  }
+  
+  // Create hook marker file
+  const hookFile = path.join(vibecheckDir, "agent-firewall-enabled");
+  fs.writeFileSync(hookFile, JSON.stringify({
+    enabled: true,
+    installedAt: new Date().toISOString()
+  }, null, 2));
+  
+  return {
+    success: true,
+    message: "Agent Firewall hooks installed. Firewall will intercept AI code changes."
+  };
+}
+
+/**
+ * Show agent status
+ */
+function showAgentStatus(projectRoot) {
+  const hookFile = path.join(projectRoot, ".vibecheck", "agent-firewall-enabled");
+  const installed = fs.existsSync(hookFile);
+  
+  let policy;
+  try {
+    policy = loadPolicy(projectRoot);
+  } catch {
+    policy = { mode: "observe", profile: "default" };
+  }
+  
+  return {
+    installed,
+    mode: policy.mode,
+    profile: policy.profile,
+    locked: policy.mode === "enforce" && policy.profile === "repo-lock"
+  };
+}
+
+/**
+ * Lock repo (enable repo-lock mode)
+ */
+function lockRepo(projectRoot) {
+  const { loadPolicy, savePolicy, getDefaultPolicy } = require("./lib/agent-firewall/policy/loader");
+  
+  let policy;
+  try {
+    policy = loadPolicy(projectRoot);
+  } catch {
+    policy = getDefaultPolicy();
+  }
+  
+  policy.mode = "enforce";
+  policy.profile = "repo-lock";
+  
+  // Enable all hard rules
+  if (!policy.rules) {
+    policy.rules = {};
+  }
+  
+  const hardRules = [
+    "ghost_route",
+    "ghost_env",
+    "auth_drift",
+    "contract_drift",
+    "scope_explosion",
+    "unsafe_side_effect"
+  ];
+  
+  for (const rule of hardRules) {
+    if (!policy.rules[rule]) {
+      policy.rules[rule] = {};
+    }
+    policy.rules[rule].enabled = true;
+    policy.rules[rule].severity = "block";
+  }
+  
+  savePolicy(projectRoot, policy);
+  
+  return {
+    success: true,
+    message: "Repo Lock Mode enabled. All hard rules enforced."
+  };
+}
+
+/**
+ * Unlock repo (disable repo-lock mode)
+ */
+function unlockRepo(projectRoot) {
+  const { loadPolicy, savePolicy } = require("./lib/agent-firewall/policy/loader");
+  
+  let policy;
+  try {
+    policy = loadPolicy(projectRoot);
+  } catch {
+    return {
+      success: false,
+      message: "No policy found to unlock"
+    };
+  }
+  
+  policy.mode = "observe";
+  policy.profile = "balanced";
+  
+  savePolicy(projectRoot, policy);
+  
+  return {
+    success: true,
+    message: "Repo Lock Mode disabled. Firewall in observe mode."
+  };
+}
+
+module.exports = {
+  runAgent
+};

package/bin/runners/runFirewall.js

@@ -0,0 +1,134 @@
+/**
+ * Firewall Command Handler
+ * 
+ * Main firewall command handler.
+ * Enable/disable firewall, set mode, show status and statistics.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const { loadPolicy, savePolicy, getDefaultPolicy } = require("./lib/agent-firewall/policy/loader");
+const { getPacketStats, queryPackets } = require("./lib/agent-firewall/change-packet/store");
+const { isTruthpackFresh } = require("./lib/agent-firewall/truthpack/loader");
+
+/**
+ * Run firewall command
+ * @param {object} options - Command options
+ * @param {string} options.mode - Set mode: 'observe' or 'enforce'
+ * @param {boolean} options.status - Show firewall status
+ * @param {boolean} options.stats - Show statistics
+ * @param {string} options.projectRoot - Project root directory
+ */
+async function runFirewall(options = {}) {
+  const projectRoot = options.projectRoot || process.cwd();
+  
+  if (options.status) {
+    return showStatus(projectRoot);
+  }
+  
+  if (options.stats) {
+    return showStats(projectRoot);
+  }
+  
+  if (options.mode) {
+    return setMode(projectRoot, options.mode);
+  }
+  
+  // Default: show status
+  return showStatus(projectRoot);
+}
+
+/**
+ * Show firewall status
+ */
+function showStatus(projectRoot) {
+  try {
+    const policy = loadPolicy(projectRoot);
+    const truthpackFresh = isTruthpackFresh(projectRoot);
+    
+    const output = {
+      mode: policy.mode || "observe",
+      profile: policy.profile || "default",
+      truthpackFresh,
+      rulesEnabled: Object.keys(policy.rules || {}).filter(
+        key => policy.rules[key]?.enabled !== false
+      ).length
+    };
+    
+    return output;
+  } catch (error) {
+    return {
+      error: error.message,
+      mode: "unknown",
+      truthpackFresh: false
+    };
+  }
+}
+
+/**
+ * Show firewall statistics
+ */
+function showStats(projectRoot) {
+  try {
+    const stats = getPacketStats(projectRoot);
+    const recentPackets = queryPackets(projectRoot, { limit: 10 });
+    
+    return {
+      total: stats.total,
+      byAgent: stats.byAgent,
+      byVerdict: stats.byVerdict,
+      byDate: stats.byDate,
+      recent: recentPackets.map(p => ({
+        id: p.id,
+        timestamp: p.timestamp,
+        agentId: p.agentId,
+        verdict: p.verdict?.decision,
+        files: p.files.length
+      }))
+    };
+  } catch (error) {
+    return {
+      error: error.message,
+      total: 0
+    };
+  }
+}
+
+/**
+ * Set firewall mode
+ */
+function setMode(projectRoot, mode) {
+  if (mode !== "observe" && mode !== "enforce") {
+    throw new Error(`Invalid mode: ${mode}. Must be 'observe' or 'enforce'`);
+  }
+  
+  try {
+    let policy;
+    try {
+      policy = loadPolicy(projectRoot);
+    } catch {
+      // Policy doesn't exist, use default
+      policy = getDefaultPolicy();
+    }
+    
+    policy.mode = mode;
+    savePolicy(projectRoot, policy);
+    
+    return {
+      success: true,
+      mode,
+      message: `Firewall mode set to: ${mode}`
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: error.message
+    };
+  }
+}
+
+module.exports = {
+  runFirewall
+};

package/bin/runners/runFirewallHook.js

@@ -0,0 +1,56 @@
+/**
+ * Firewall Hook Manager
+ * 
+ * Manages file system hook installation and control.
+ */
+
+"use strict";
+
+const { installFileSystemHook, startFileSystemHook, stopFileSystemHook } = require("./lib/agent-firewall/fs-hook/installer");
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Run firewall hook command
+ * @param {object} options - Command options
+ * @param {string} options.action - Action: 'install', 'start', 'stop', 'status'
+ * @param {string} options.projectRoot - Project root directory
+ */
+async function runFirewallHook(options = {}) {
+  const projectRoot = options.projectRoot || process.cwd();
+  const action = options.action || "status";
+
+  switch (action) {
+    case "install":
+      return installFileSystemHook(projectRoot);
+
+    case "start":
+      startFileSystemHook(projectRoot);
+      return {
+        success: true,
+        message: "File system hook started"
+      };
+
+    case "stop":
+      stopFileSystemHook();
+      return {
+        success: true,
+        message: "File system hook stopped"
+      };
+
+    case "status":
+      const markerFile = path.join(projectRoot, ".vibecheck", "fs-hook-enabled");
+      const installed = fs.existsSync(markerFile);
+      return {
+        installed,
+        running: false // Would need process management to check
+      };
+
+    default:
+      throw new Error(`Unknown action: ${action}`);
+  }
+}
+
+module.exports = {
+  runFirewallHook
+};

package/bin/runners/runScan.js

@@ -42,6 +42,11 @@ const {
   calculateScore,
 } = require("./lib/scan-output");
 
+const {
+  enrichFindings,
+  saveBaseline,
+} = require("./lib/fingerprint");
+
 const BANNER = `
 ${ansi.rgb(0, 200, 255)}  ██╗   ██╗██╗██████╗ ███████╗ ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗${ansi.reset}
 ${ansi.rgb(30, 180, 255)}  ██║   ██║██║██╔══██╗██╔════╝██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝${ansi.reset}
@@ -103,6 +108,9 @@ function parseArgs(args) {
     noBanner: globalFlags.noBanner || false,
     ci: globalFlags.ci || false,
     quiet: globalFlags.quiet || false,
+    // Baseline tracking (fingerprints)
+    baseline: true, // Compare against baseline by default
+    updateBaseline: false, // --update-baseline to save current findings as baseline
     // Allowlist subcommand
     allowlist: null, // null = not using allowlist, or 'list' | 'add' | 'remove' | 'check'
     allowlistId: null,
@@ -124,6 +132,8 @@ function parseArgs(args) {
     else if (arg === '--sarif') opts.sarif = true;
     else if (arg === '--autofix' || arg === '--fix' || arg === '-f') opts.autofix = true;
     else if (arg === '--no-save') opts.save = false;
+    else if (arg === '--no-baseline') opts.baseline = false;
+    else if (arg === '--update-baseline' || arg === '--set-baseline') opts.updateBaseline = true;
     else if (arg === '--path' || arg === '-p') opts.path = cleanArgs[++i] || process.cwd();
     else if (arg.startsWith('--path=')) opts.path = arg.split('=')[1];
     // Allowlist subcommand support
@@ -753,6 +763,7 @@ async function runScan(args) {
         findDeprecatedApis,
         findEmptyCatch,
         findUnsafeRegex,
+        clearFileCache, // V3: Memory management
       } = require('./lib/analyzers');
       
       scanRouteIntegrity = async function({ projectPath, layers, baseUrl, verbose }) {
@@ -778,6 +789,9 @@ async function runScan(args) {
         findings.push(...findEmptyCatch(projectPath));
         findings.push(...findUnsafeRegex(projectPath));
         
+        // V3: Clear file cache to prevent memory leaks in large monorepos
+        clearFileCache();
+        
         // Convert to scan format matching TypeScript scanner output
         const shipBlockers = findings.map((f, i) => ({
           id: f.id || `finding-${i}`,
@@ -1056,6 +1070,48 @@ async function runScan(args) {
       return getExitCodeFromUnified ? getExitCodeFromUnified(verdict) : getExitCode(verdict);
     }
 
+    // ═══════════════════════════════════════════════════════════════════════════
+    // FINGERPRINTING & BASELINE COMPARISON
+    // ═══════════════════════════════════════════════════════════════════════════
+    
+    let diff = null;
+    if (opts.baseline) {
+      try {
+        const enrichResult = enrichFindings(normalizedFindings, projectPath, true);
+        diff = enrichResult.diff;
+        
+        // Update findings with fingerprints and status
+        for (let i = 0; i < normalizedFindings.length; i++) {
+          if (enrichResult.findings[i]) {
+            normalizedFindings[i].fingerprint = enrichResult.findings[i].fingerprint;
+            normalizedFindings[i].status = enrichResult.findings[i].status;
+            normalizedFindings[i].firstSeen = enrichResult.findings[i].firstSeen;
+          }
+        }
+      } catch (fpError) {
+        if (opts.verbose) {
+          console.warn(`  ${ansi.dim}Fingerprinting skipped: ${fpError.message}${ansi.reset}`);
+        }
+      }
+    }
+    
+    // Update baseline if requested
+    if (opts.updateBaseline) {
+      try {
+        saveBaseline(projectPath, normalizedFindings, {
+          verdict: verdict?.verdict,
+          scanTime: new Date().toISOString(),
+        });
+        if (!opts.json && !opts.quiet) {
+          console.log(`  ${colors.success}✓${ansi.reset} Baseline updated with ${normalizedFindings.length} findings`);
+        }
+      } catch (blError) {
+        if (opts.verbose) {
+          console.warn(`  ${ansi.dim}Baseline save failed: ${blError.message}${ansi.reset}`);
+        }
+      }
+    }
+
     // ═══════════════════════════════════════════════════════════════════════════
     // ENHANCED OUTPUT
     // ═══════════════════════════════════════════════════════════════════════════
@@ -1069,6 +1125,7 @@ async function runScan(args) {
       breakdown: report.score?.breakdown,
       timings,
       cached,
+      diff, // Include diff for display
     };
     console.log(formatScanOutput(resultForOutput, { verbose: opts.verbose }));
 
@@ -1164,6 +1221,60 @@ async function runScan(args) {
       
       const verdict = criticalCount > 0 ? 'BLOCK' : warningCount > 0 ? 'WARN' : 'SHIP';
       
+      // ═══════════════════════════════════════════════════════════════════════════
+      // FINGERPRINTING & BASELINE COMPARISON (Legacy path)
+      // ═══════════════════════════════════════════════════════════════════════════
+      
+      const normalizedLegacyFindings = findings.map(f => ({
+        severity: f.severity === 'critical' || f.severity === 'BLOCK' ? 'critical' :
+                 f.severity === 'warning' || f.severity === 'WARN' ? 'medium' : 'low',
+        category: f.category || 'ROUTE',
+        title: f.title || f.message,
+        message: f.message || f.title,
+        file: f.file || f.evidence?.[0]?.file,
+        line: f.line || parseInt(f.evidence?.[0]?.lines?.split('-')[0]) || 1,
+        evidence: f.evidence,
+        fix: f.fixSuggestion,
+      }));
+      
+      let diff = null;
+      if (opts.baseline) {
+        try {
+          const enrichResult = enrichFindings(normalizedLegacyFindings, projectPath, true);
+          diff = enrichResult.diff;
+          
+          // Update findings with fingerprints and status
+          for (let i = 0; i < normalizedLegacyFindings.length; i++) {
+            if (enrichResult.findings[i]) {
+              normalizedLegacyFindings[i].fingerprint = enrichResult.findings[i].fingerprint;
+              normalizedLegacyFindings[i].status = enrichResult.findings[i].status;
+              normalizedLegacyFindings[i].firstSeen = enrichResult.findings[i].firstSeen;
+            }
+          }
+        } catch (fpError) {
+          if (opts.verbose) {
+            console.warn(`  ${ansi.dim}Fingerprinting skipped: ${fpError.message}${ansi.reset}`);
+          }
+        }
+      }
+      
+      // Update baseline if requested
+      if (opts.updateBaseline) {
+        try {
+          saveBaseline(projectPath, normalizedLegacyFindings, {
+            verdict,
+            scanTime: new Date().toISOString(),
+          });
+          if (!opts.json && !opts.quiet) {
+            console.log(`  ${colors.success}✓${ansi.reset} Baseline updated with ${normalizedLegacyFindings.length} findings`);
+          }
+        } catch (blError) {
+          if (opts.verbose) {
+            console.warn(`  ${ansi.dim}Baseline save failed: ${blError.message}${ansi.reset}`);
+          }
+        }
+      }
+      
       // Use enhanced output formatter for legacy fallback
       const severityCounts = {
         critical: criticalCount,
@@ -1175,18 +1286,10 @@ async function runScan(args) {
       
       const result = {
         verdict: { verdict, score },
-        findings: findings.map(f => ({
-          severity: f.severity === 'critical' || f.severity === 'BLOCK' ? 'critical' :
-                   f.severity === 'warning' || f.severity === 'WARN' ? 'medium' : 'low',
-          category: f.category || 'ROUTE',
-          title: f.title || f.message,
-          message: f.message || f.title,
-          file: f.file,
-          line: f.line,
-          fix: f.fixSuggestion,
-        })),
+        findings: normalizedLegacyFindings,
         layers: [],
         timings,
+        diff,
       };
       
       console.log(formatScanOutput(result, { verbose: opts.verbose }));

package/bin/runners/runTruth.js

@@ -0,0 +1,89 @@
+/**
+ * Truth Command Handler
+ * 
+ * Enhanced truth command to generate truthpack files.
+ * Generates: routes.json, env.json, auth.json, contracts.json, ui.graph.json
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const { buildTruthpackV2 } = require("./lib/extractors/truthpack-v2");
+
+/**
+ * Run truth command
+ * @param {object} options - Command options
+ * @param {string} options.scope - Scope: 'routes', 'env', 'auth', 'contracts', 'all'
+ * @param {string} options.projectRoot - Project root directory
+ */
+async function runTruth(options = {}) {
+  const projectRoot = options.projectRoot || process.cwd();
+  const scope = options.scope || "all";
+  
+  const truthpackDir = path.join(projectRoot, ".vibecheck", "truthpack");
+  
+  // Ensure directory exists
+  if (!fs.existsSync(truthpackDir)) {
+    fs.mkdirSync(truthpackDir, { recursive: true });
+  }
+  
+  try {
+    // Build truthpack
+    const truthpack = await buildTruthpackV2({
+      repoRoot: projectRoot
+    });
+    
+    // Write truthpack files based on scope
+    if (scope === "all" || scope === "routes") {
+      const routesFile = path.join(truthpackDir, "routes.json");
+      fs.writeFileSync(routesFile, JSON.stringify({
+        routes: truthpack.routes || [],
+        gaps: truthpack.gaps || [],
+        stack: truthpack.stack || {}
+      }, null, 2));
+    }
+    
+    if (scope === "all" || scope === "env") {
+      const envFile = path.join(truthpackDir, "env.json");
+      fs.writeFileSync(envFile, JSON.stringify(truthpack.env || {}, null, 2));
+    }
+    
+    if (scope === "all" || scope === "auth") {
+      const authFile = path.join(truthpackDir, "auth.json");
+      fs.writeFileSync(authFile, JSON.stringify(truthpack.auth || {}, null, 2));
+    }
+    
+    if (scope === "all" || scope === "contracts") {
+      const contractsFile = path.join(truthpackDir, "contracts.json");
+      fs.writeFileSync(contractsFile, JSON.stringify(truthpack.contracts || {}, null, 2));
+    }
+    
+    // UI graph (if Reality enabled)
+    if (scope === "all" && truthpack.uiGraph) {
+      const uiGraphFile = path.join(truthpackDir, "ui.graph.json");
+      fs.writeFileSync(uiGraphFile, JSON.stringify(truthpack.uiGraph, null, 2));
+    }
+    
+    return {
+      success: true,
+      message: `Truthpack generated successfully (scope: ${scope})`,
+      files: {
+        routes: scope === "all" || scope === "routes" ? "routes.json" : null,
+        env: scope === "all" || scope === "env" ? "env.json" : null,
+        auth: scope === "all" || scope === "auth" ? "auth.json" : null,
+        contracts: scope === "all" || scope === "contracts" ? "contracts.json" : null,
+        uiGraph: scope === "all" && truthpack.uiGraph ? "ui.graph.json" : null
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: error.message
+    };
+  }
+}
+
+module.exports = {
+  runTruth
+};