@vibecheckai/cli 3.2.0 → 3.2.2

package/bin/runners/lib/agent-firewall/change-packet/builder.js

@@ -0,0 +1,214 @@
+/**
+ * Change Packet Builder
+ * 
+ * Builds change packets from diffs + agent intent.
+ * Each packet is a complete audit artifact of an AI code change attempt.
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+const path = require("path");
+
+/**
+ * Build a change packet from diff and agent intent
+ * @param {object} params
+ * @param {string} params.agentId - Agent identifier
+ * @param {string} params.intent - Agent's stated intent
+ * @param {object} params.diff - Diff object { before, after, unified }
+ * @param {string} params.filePath - File path (relative to repo root)
+ * @param {object} params.claims - Extracted claims
+ * @param {object} params.evidence - Evidence resolution results
+ * @param {object} params.verdict - Policy verdict
+ * @param {object} params.unblockPlan - Unblock plan (if blocked)
+ * @param {object} params.policy - Policy used for evaluation
+ * @returns {object} Change packet
+ */
+function buildChangePacket({
+  agentId,
+  intent,
+  diff,
+  filePath,
+  claims = [],
+  evidence = [],
+  verdict,
+  unblockPlan = null,
+  policy = null
+}) {
+  const timestamp = new Date().toISOString();
+  
+  // Generate unique packet ID from content hash
+  const packetContent = JSON.stringify({
+    agentId,
+    intent,
+    filePath,
+    timestamp,
+    diff: diff?.unified || ""
+  });
+  const id = crypto.createHash("sha256")
+    .update(packetContent)
+    .digest("hex")
+    .slice(0, 16);
+  
+  // Calculate file statistics
+  const linesChanged = diff?.unified 
+    ? diff.unified.split('\n').filter(line => line.startsWith('+') || line.startsWith('-')).length
+    : 0;
+  
+  const files = [{
+    path: filePath,
+    linesChanged,
+    domain: classifyFileDomain(filePath)
+  }];
+  
+  // Build packet
+  const packet = {
+    id,
+    timestamp,
+    agentId,
+    intent: intent || "No intent provided",
+    diff: diff || null,
+    files,
+    claims,
+    evidence,
+    verdict: verdict || {
+      decision: "ALLOW",
+      violations: [],
+      message: "No verdict provided"
+    },
+    unblockPlan: unblockPlan || null,
+    metadata: {
+      totalFiles: files.length,
+      totalLines: linesChanged,
+      policyVersion: policy?.version || "unknown",
+      policyProfile: policy?.profile || "unknown"
+    }
+  };
+  
+  return packet;
+}
+
+/**
+ * Build change packet from multiple files
+ * @param {object} params
+ * @param {string} params.agentId - Agent identifier
+ * @param {string} params.intent - Agent's stated intent
+ * @param {array} params.changes - Array of { filePath, diff, claims }
+ * @param {array} params.evidence - Evidence resolution results
+ * @param {object} params.verdict - Policy verdict
+ * @param {object} params.unblockPlan - Unblock plan (if blocked)
+ * @param {object} params.policy - Policy used for evaluation
+ * @returns {object} Change packet
+ */
+function buildMultiFileChangePacket({
+  agentId,
+  intent,
+  changes = [],
+  evidence = [],
+  verdict,
+  unblockPlan = null,
+  policy = null
+}) {
+  const timestamp = new Date().toISOString();
+  
+  // Aggregate all file changes
+  const files = changes.map(change => ({
+    path: change.filePath,
+    linesChanged: calculateLinesChanged(change.diff),
+    domain: classifyFileDomain(change.filePath)
+  }));
+  
+  // Aggregate all claims
+  const claims = changes.flatMap(change => 
+    (change.claims || []).map(claim => ({
+      ...claim,
+      file: change.filePath
+    }))
+  );
+  
+  // Generate unique packet ID from all changes
+  const packetContent = JSON.stringify({
+    agentId,
+    intent,
+    timestamp,
+    files: files.map(f => f.path),
+    claims: claims.map(c => `${c.type}:${c.value}`)
+  });
+  const id = crypto.createHash("sha256")
+    .update(packetContent)
+    .digest("hex")
+    .slice(0, 16);
+  
+  // Build unified diff (concatenate all diffs)
+  const unifiedDiff = changes
+    .map(change => {
+      const diff = change.diff?.unified || "";
+      return diff ? `--- ${change.filePath}\n+++ ${change.filePath}\n${diff}` : "";
+    })
+    .filter(Boolean)
+    .join("\n\n");
+  
+  const packet = {
+    id,
+    timestamp,
+    agentId,
+    intent: intent || "No intent provided",
+    diff: unifiedDiff ? {
+      unified: unifiedDiff,
+      before: null, // Multi-file diffs don't store full before/after
+      after: null
+    } : null,
+    files,
+    claims,
+    evidence,
+    verdict: verdict || {
+      decision: "ALLOW",
+      violations: [],
+      message: "No verdict provided"
+    },
+    unblockPlan: unblockPlan || null,
+    metadata: {
+      totalFiles: files.length,
+      totalLines: files.reduce((sum, f) => sum + f.linesChanged, 0),
+      policyVersion: policy?.version || "unknown",
+      policyProfile: policy?.profile || "unknown"
+    }
+  };
+  
+  return packet;
+}
+
+/**
+ * Calculate number of lines changed from diff
+ * @param {object} diff - Diff object
+ * @returns {number} Number of lines changed
+ */
+function calculateLinesChanged(diff) {
+  if (!diff || !diff.unified) return 0;
+  return diff.unified
+    .split('\n')
+    .filter(line => line.startsWith('+') || line.startsWith('-'))
+    .length;
+}
+
+/**
+ * Classify file domain from path
+ * @param {string} filePath - File path
+ * @returns {string} Domain classification
+ */
+function classifyFileDomain(filePath) {
+  const s = filePath.toLowerCase();
+  if (s.includes("auth")) return "auth";
+  if (s.includes("stripe") || s.includes("payment")) return "payments";
+  if (s.includes("routes") || s.includes("router") || s.includes("api")) return "routes";
+  if (s.includes("schema") || s.includes("contract") || s.includes("openapi")) return "contracts";
+  if (s.includes("ui") || s.includes("components") || s.includes("pages")) return "ui";
+  return "general";
+}
+
+module.exports = {
+  buildChangePacket,
+  buildMultiFileChangePacket,
+  calculateLinesChanged,
+  classifyFileDomain
+};

package/bin/runners/lib/agent-firewall/change-packet/schema.json

@@ -0,0 +1,228 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "required": ["id", "timestamp", "agentId", "intent", "files", "claims", "verdict"],
+  "properties": {
+    "id": {
+      "type": "string",
+      "description": "Unique packet ID (hash-based)"
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO timestamp of the change"
+    },
+    "agentId": {
+      "type": "string",
+      "description": "Identifier for the AI agent (e.g., 'cursor', 'windsurf', 'copilot')"
+    },
+    "intent": {
+      "type": "string",
+      "description": "Agent's stated intent for the change"
+    },
+    "diff": {
+      "type": "object",
+      "properties": {
+        "before": {
+          "type": "string",
+          "description": "File content before change"
+        },
+        "after": {
+          "type": "string",
+          "description": "File content after change"
+        },
+        "unified": {
+          "type": "string",
+          "description": "Unified diff format"
+        }
+      }
+    },
+    "files": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["path", "linesChanged"],
+        "properties": {
+          "path": {
+            "type": "string",
+            "description": "Relative file path"
+          },
+          "linesChanged": {
+            "type": "number",
+            "description": "Number of lines changed"
+          },
+          "domain": {
+            "type": "string",
+            "enum": ["auth", "payments", "routes", "contracts", "ui", "general"],
+            "description": "File domain classification"
+          }
+        }
+      },
+      "description": "List of changed files"
+    },
+    "claims": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["type", "value", "criticality"],
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": ["route", "env_used", "auth_boundary", "data_contract", "http_call", "ui_success_claim", "side_effect"],
+            "description": "Claim type"
+          },
+          "value": {
+            "type": "string",
+            "description": "Claim value (e.g., route path, env var name)"
+          },
+          "criticality": {
+            "type": "string",
+            "enum": ["hard", "soft"],
+            "description": "Claim criticality"
+          },
+          "pointer": {
+            "type": "string",
+            "description": "File:line pointer (e.g., 'file.ts:42-45')"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Reason for claim extraction"
+          },
+          "file": {
+            "type": "string",
+            "description": "File where claim was found"
+          },
+          "domain": {
+            "type": "string",
+            "enum": ["auth", "payments", "routes", "contracts", "ui", "general"]
+          }
+        }
+      },
+      "description": "Extracted claims from the change"
+    },
+    "evidence": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["claimId", "result"],
+        "properties": {
+          "claimId": {
+            "type": "string",
+            "description": "Reference to claim in claims array"
+          },
+          "result": {
+            "type": "string",
+            "enum": ["PROVEN", "UNPROVEN", "CONTRADICTS"],
+            "description": "Evidence resolution result"
+          },
+          "sources": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "properties": {
+                "type": {
+                  "type": "string",
+                  "enum": ["truthpack.routes", "truthpack.env", "truthpack.auth", "truthpack.contracts", "repo.search"]
+                },
+                "pointer": {
+                  "type": "string"
+                },
+                "confidence": {
+                  "type": "number",
+                  "minimum": 0,
+                  "maximum": 1
+                }
+              }
+            }
+          }
+        }
+      },
+      "description": "Evidence resolution results"
+    },
+    "verdict": {
+      "type": "object",
+      "required": ["decision", "violations"],
+      "properties": {
+        "decision": {
+          "type": "string",
+          "enum": ["ALLOW", "WARN", "BLOCK"],
+          "description": "Final verdict"
+        },
+        "violations": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["rule", "severity", "message"],
+            "properties": {
+              "rule": {
+                "type": "string",
+                "description": "Rule ID that was violated"
+              },
+              "severity": {
+                "type": "string",
+                "enum": ["allow", "warn", "block"]
+              },
+              "message": {
+                "type": "string",
+                "description": "Violation message"
+              },
+              "claimId": {
+                "type": "string",
+                "description": "Related claim ID"
+              }
+            }
+          }
+        },
+        "message": {
+          "type": "string",
+          "description": "Human-readable verdict message"
+        }
+      }
+    },
+    "unblockPlan": {
+      "type": "object",
+      "properties": {
+        "steps": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["action", "file", "description"],
+            "properties": {
+              "action": {
+                "type": "string",
+                "enum": ["add", "modify", "create"]
+              },
+              "file": {
+                "type": "string"
+              },
+              "line": {
+                "type": "number"
+              },
+              "description": {
+                "type": "string"
+              }
+            }
+          }
+        }
+      },
+      "description": "Plan to unblock if verdict is BLOCK"
+    },
+    "metadata": {
+      "type": "object",
+      "properties": {
+        "totalFiles": {
+          "type": "number"
+        },
+        "totalLines": {
+          "type": "number"
+        },
+        "policyVersion": {
+          "type": "string"
+        },
+        "policyProfile": {
+          "type": "string"
+        }
+      }
+    }
+  }
+}

package/bin/runners/lib/agent-firewall/change-packet/store.js

@@ -0,0 +1,200 @@
+/**
+ * Change Packet Store
+ * 
+ * Stores change packets in .vibecheck/packets/YYYY-MM-DD/<hash>.json
+ * Provides querying capabilities by agent, date, verdict.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Store a change packet to disk
+ * @param {string} projectRoot - Project root directory
+ * @param {object} packet - Change packet to store
+ * @returns {string} Path where packet was stored
+ */
+function storePacket(projectRoot, packet) {
+  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
+  
+  // Create date-based directory
+  const date = new Date(packet.timestamp);
+  const dateDir = date.toISOString().split('T')[0]; // YYYY-MM-DD
+  const dayDir = path.join(packetsDir, dateDir);
+  
+  // Ensure directory exists
+  if (!fs.existsSync(dayDir)) {
+    fs.mkdirSync(dayDir, { recursive: true });
+  }
+  
+  // Write packet file
+  const packetPath = path.join(dayDir, `${packet.id}.json`);
+  fs.writeFileSync(packetPath, JSON.stringify(packet, null, 2));
+  
+  return packetPath;
+}
+
+/**
+ * Load a change packet by ID
+ * @param {string} projectRoot - Project root directory
+ * @param {string} packetId - Packet ID
+ * @returns {object|null} Change packet or null if not found
+ */
+function loadPacket(projectRoot, packetId) {
+  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
+  
+  // Search all date directories
+  if (!fs.existsSync(packetsDir)) {
+    return null;
+  }
+  
+  const dateDirs = fs.readdirSync(packetsDir, { withFileTypes: true })
+    .filter(dirent => dirent.isDirectory())
+    .map(dirent => dirent.name);
+  
+  for (const dateDir of dateDirs) {
+    const dayDir = path.join(packetsDir, dateDir);
+    const packetPath = path.join(dayDir, `${packetId}.json`);
+    
+    if (fs.existsSync(packetPath)) {
+      return JSON.parse(fs.readFileSync(packetPath, "utf8"));
+    }
+  }
+  
+  return null;
+}
+
+/**
+ * Query change packets
+ * @param {string} projectRoot - Project root directory
+ * @param {object} filters - Query filters
+ * @param {string} filters.agentId - Filter by agent ID
+ * @param {string} filters.date - Filter by date (YYYY-MM-DD)
+ * @param {string} filters.verdict - Filter by verdict (ALLOW, WARN, BLOCK)
+ * @param {number} filters.limit - Maximum number of results
+ * @returns {array} Array of change packets
+ */
+function queryPackets(projectRoot, filters = {}) {
+  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
+  
+  if (!fs.existsSync(packetsDir)) {
+    return [];
+  }
+  
+  const results = [];
+  const { agentId, date, verdict, limit } = filters;
+  
+  // Determine which date directories to search
+  const dateDirs = date 
+    ? [date]
+    : fs.readdirSync(packetsDir, { withFileTypes: true })
+        .filter(dirent => dirent.isDirectory())
+        .map(dirent => dirent.name)
+        .sort()
+        .reverse(); // Most recent first
+  
+  for (const dateDir of dateDirs) {
+    const dayDir = path.join(packetsDir, dateDir);
+    
+    if (!fs.existsSync(dayDir)) continue;
+    
+    const packetFiles = fs.readdirSync(dayDir)
+      .filter(file => file.endsWith('.json'))
+      .map(file => path.join(dayDir, file));
+    
+    for (const packetPath of packetFiles) {
+      try {
+        const packet = JSON.parse(fs.readFileSync(packetPath, "utf8"));
+        
+        // Apply filters
+        if (agentId && packet.agentId !== agentId) continue;
+        if (verdict && packet.verdict?.decision !== verdict) continue;
+        
+        results.push(packet);
+        
+        // Apply limit
+        if (limit && results.length >= limit) {
+          return results;
+        }
+      } catch (error) {
+        // Skip invalid packets
+        continue;
+      }
+    }
+    
+    // If we have a date filter, we only need to check that one directory
+    if (date) break;
+  }
+  
+  return results;
+}
+
+/**
+ * Get statistics about stored packets
+ * @param {string} projectRoot - Project root directory
+ * @returns {object} Statistics
+ */
+function getPacketStats(projectRoot) {
+  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
+  
+  if (!fs.existsSync(packetsDir)) {
+    return {
+      total: 0,
+      byAgent: {},
+      byVerdict: { ALLOW: 0, WARN: 0, BLOCK: 0 },
+      byDate: {}
+    };
+  }
+  
+  const stats = {
+    total: 0,
+    byAgent: {},
+    byVerdict: { ALLOW: 0, WARN: 0, BLOCK: 0 },
+    byDate: {}
+  };
+  
+  const dateDirs = fs.readdirSync(packetsDir, { withFileTypes: true })
+    .filter(dirent => dirent.isDirectory())
+    .map(dirent => dirent.name);
+  
+  for (const dateDir of dateDirs) {
+    const dayDir = path.join(packetsDir, dateDir);
+    if (!fs.existsSync(dayDir)) continue;
+    
+    const packetFiles = fs.readdirSync(dayDir)
+      .filter(file => file.endsWith('.json'));
+    
+    stats.byDate[dateDir] = packetFiles.length;
+    
+    for (const file of packetFiles) {
+      try {
+        const packet = JSON.parse(
+          fs.readFileSync(path.join(dayDir, file), "utf8")
+        );
+        
+        stats.total++;
+        
+        // Count by agent
+        stats.byAgent[packet.agentId] = (stats.byAgent[packet.agentId] || 0) + 1;
+        
+        // Count by verdict
+        const verdict = packet.verdict?.decision || "ALLOW";
+        stats.byVerdict[verdict] = (stats.byVerdict[verdict] || 0) + 1;
+      } catch (error) {
+        // Skip invalid packets
+        continue;
+      }
+    }
+  }
+  
+  return stats;
+}
+
+module.exports = {
+  storePacket,
+  loadPacket,
+  queryPackets,
+  getPacketStats
+};

package/bin/runners/lib/agent-firewall/claims/claim-types.js

@@ -0,0 +1,21 @@
+/**
+ * Claim Types
+ * 
+ * Enumeration of claim types and criticality levels.
+ */
+
+module.exports = {
+  CLAIM_TYPES: {
+    ROUTE: "route",
+    ENV: "env_used",
+    AUTH: "auth_boundary",
+    CONTRACT: "data_contract",
+    HTTP_CALL: "http_call",
+    UI_SUCCESS: "ui_success_claim",
+    SIDE_EFFECT: "side_effect"
+  },
+  CRITICALITY: {
+    HARD: "hard",
+    SOFT: "soft"
+  }
+};