@vibecheckai/cli 3.2.0 → 3.2.2

package/bin/runners/runFirewallHook.js

@@ -0,0 +1,56 @@
+/**
+ * Firewall Hook Manager
+ * 
+ * Manages file system hook installation and control.
+ */
+
+"use strict";
+
+const { installFileSystemHook, startFileSystemHook, stopFileSystemHook } = require("./lib/agent-firewall/fs-hook/installer");
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Run firewall hook command
+ * @param {object} options - Command options
+ * @param {string} options.action - Action: 'install', 'start', 'stop', 'status'
+ * @param {string} options.projectRoot - Project root directory
+ */
+async function runFirewallHook(options = {}) {
+  const projectRoot = options.projectRoot || process.cwd();
+  const action = options.action || "status";
+
+  switch (action) {
+    case "install":
+      return installFileSystemHook(projectRoot);
+
+    case "start":
+      startFileSystemHook(projectRoot);
+      return {
+        success: true,
+        message: "File system hook started"
+      };
+
+    case "stop":
+      stopFileSystemHook();
+      return {
+        success: true,
+        message: "File system hook stopped"
+      };
+
+    case "status":
+      const markerFile = path.join(projectRoot, ".vibecheck", "fs-hook-enabled");
+      const installed = fs.existsSync(markerFile);
+      return {
+        installed,
+        running: false // Would need process management to check
+      };
+
+    default:
+      throw new Error(`Unknown action: ${action}`);
+  }
+}
+
+module.exports = {
+  runFirewallHook
+};

package/bin/runners/runScan.js

@@ -42,6 +42,11 @@ const {
   calculateScore,
 } = require("./lib/scan-output");
 
+const {
+  enrichFindings,
+  saveBaseline,
+} = require("./lib/fingerprint");
+
 const BANNER = `
 ${ansi.rgb(0, 200, 255)}  ██╗   ██╗██╗██████╗ ███████╗ ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗${ansi.reset}
 ${ansi.rgb(30, 180, 255)}  ██║   ██║██║██╔══██╗██╔════╝██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝${ansi.reset}
@@ -103,6 +108,9 @@ function parseArgs(args) {
     noBanner: globalFlags.noBanner || false,
     ci: globalFlags.ci || false,
     quiet: globalFlags.quiet || false,
+    // Baseline tracking (fingerprints)
+    baseline: true, // Compare against baseline by default
+    updateBaseline: false, // --update-baseline to save current findings as baseline
     // Allowlist subcommand
     allowlist: null, // null = not using allowlist, or 'list' | 'add' | 'remove' | 'check'
     allowlistId: null,
@@ -124,6 +132,8 @@ function parseArgs(args) {
     else if (arg === '--sarif') opts.sarif = true;
     else if (arg === '--autofix' || arg === '--fix' || arg === '-f') opts.autofix = true;
     else if (arg === '--no-save') opts.save = false;
+    else if (arg === '--no-baseline') opts.baseline = false;
+    else if (arg === '--update-baseline' || arg === '--set-baseline') opts.updateBaseline = true;
     else if (arg === '--path' || arg === '-p') opts.path = cleanArgs[++i] || process.cwd();
     else if (arg.startsWith('--path=')) opts.path = arg.split('=')[1];
     // Allowlist subcommand support
@@ -753,6 +763,7 @@ async function runScan(args) {
         findDeprecatedApis,
         findEmptyCatch,
         findUnsafeRegex,
+        clearFileCache, // V3: Memory management
       } = require('./lib/analyzers');
       
       scanRouteIntegrity = async function({ projectPath, layers, baseUrl, verbose }) {
@@ -778,6 +789,9 @@ async function runScan(args) {
         findings.push(...findEmptyCatch(projectPath));
         findings.push(...findUnsafeRegex(projectPath));
         
+        // V3: Clear file cache to prevent memory leaks in large monorepos
+        clearFileCache();
+        
         // Convert to scan format matching TypeScript scanner output
         const shipBlockers = findings.map((f, i) => ({
           id: f.id || `finding-${i}`,
@@ -1056,6 +1070,48 @@ async function runScan(args) {
       return getExitCodeFromUnified ? getExitCodeFromUnified(verdict) : getExitCode(verdict);
     }
 
+    // ═══════════════════════════════════════════════════════════════════════════
+    // FINGERPRINTING & BASELINE COMPARISON
+    // ═══════════════════════════════════════════════════════════════════════════
+    
+    let diff = null;
+    if (opts.baseline) {
+      try {
+        const enrichResult = enrichFindings(normalizedFindings, projectPath, true);
+        diff = enrichResult.diff;
+        
+        // Update findings with fingerprints and status
+        for (let i = 0; i < normalizedFindings.length; i++) {
+          if (enrichResult.findings[i]) {
+            normalizedFindings[i].fingerprint = enrichResult.findings[i].fingerprint;
+            normalizedFindings[i].status = enrichResult.findings[i].status;
+            normalizedFindings[i].firstSeen = enrichResult.findings[i].firstSeen;
+          }
+        }
+      } catch (fpError) {
+        if (opts.verbose) {
+          console.warn(`  ${ansi.dim}Fingerprinting skipped: ${fpError.message}${ansi.reset}`);
+        }
+      }
+    }
+    
+    // Update baseline if requested
+    if (opts.updateBaseline) {
+      try {
+        saveBaseline(projectPath, normalizedFindings, {
+          verdict: verdict?.verdict,
+          scanTime: new Date().toISOString(),
+        });
+        if (!opts.json && !opts.quiet) {
+          console.log(`  ${colors.success}✓${ansi.reset} Baseline updated with ${normalizedFindings.length} findings`);
+        }
+      } catch (blError) {
+        if (opts.verbose) {
+          console.warn(`  ${ansi.dim}Baseline save failed: ${blError.message}${ansi.reset}`);
+        }
+      }
+    }
+
     // ═══════════════════════════════════════════════════════════════════════════
     // ENHANCED OUTPUT
     // ═══════════════════════════════════════════════════════════════════════════
@@ -1069,6 +1125,7 @@ async function runScan(args) {
       breakdown: report.score?.breakdown,
       timings,
       cached,
+      diff, // Include diff for display
     };
     console.log(formatScanOutput(resultForOutput, { verbose: opts.verbose }));
 
@@ -1164,6 +1221,60 @@ async function runScan(args) {
       
       const verdict = criticalCount > 0 ? 'BLOCK' : warningCount > 0 ? 'WARN' : 'SHIP';
       
+      // ═══════════════════════════════════════════════════════════════════════════
+      // FINGERPRINTING & BASELINE COMPARISON (Legacy path)
+      // ═══════════════════════════════════════════════════════════════════════════
+      
+      const normalizedLegacyFindings = findings.map(f => ({
+        severity: f.severity === 'critical' || f.severity === 'BLOCK' ? 'critical' :
+                 f.severity === 'warning' || f.severity === 'WARN' ? 'medium' : 'low',
+        category: f.category || 'ROUTE',
+        title: f.title || f.message,
+        message: f.message || f.title,
+        file: f.file || f.evidence?.[0]?.file,
+        line: f.line || parseInt(f.evidence?.[0]?.lines?.split('-')[0]) || 1,
+        evidence: f.evidence,
+        fix: f.fixSuggestion,
+      }));
+      
+      let diff = null;
+      if (opts.baseline) {
+        try {
+          const enrichResult = enrichFindings(normalizedLegacyFindings, projectPath, true);
+          diff = enrichResult.diff;
+          
+          // Update findings with fingerprints and status
+          for (let i = 0; i < normalizedLegacyFindings.length; i++) {
+            if (enrichResult.findings[i]) {
+              normalizedLegacyFindings[i].fingerprint = enrichResult.findings[i].fingerprint;
+              normalizedLegacyFindings[i].status = enrichResult.findings[i].status;
+              normalizedLegacyFindings[i].firstSeen = enrichResult.findings[i].firstSeen;
+            }
+          }
+        } catch (fpError) {
+          if (opts.verbose) {
+            console.warn(`  ${ansi.dim}Fingerprinting skipped: ${fpError.message}${ansi.reset}`);
+          }
+        }
+      }
+      
+      // Update baseline if requested
+      if (opts.updateBaseline) {
+        try {
+          saveBaseline(projectPath, normalizedLegacyFindings, {
+            verdict,
+            scanTime: new Date().toISOString(),
+          });
+          if (!opts.json && !opts.quiet) {
+            console.log(`  ${colors.success}✓${ansi.reset} Baseline updated with ${normalizedLegacyFindings.length} findings`);
+          }
+        } catch (blError) {
+          if (opts.verbose) {
+            console.warn(`  ${ansi.dim}Baseline save failed: ${blError.message}${ansi.reset}`);
+          }
+        }
+      }
+      
       // Use enhanced output formatter for legacy fallback
       const severityCounts = {
         critical: criticalCount,
@@ -1175,18 +1286,10 @@ async function runScan(args) {
       
       const result = {
         verdict: { verdict, score },
-        findings: findings.map(f => ({
-          severity: f.severity === 'critical' || f.severity === 'BLOCK' ? 'critical' :
-                   f.severity === 'warning' || f.severity === 'WARN' ? 'medium' : 'low',
-          category: f.category || 'ROUTE',
-          title: f.title || f.message,
-          message: f.message || f.title,
-          file: f.file,
-          line: f.line,
-          fix: f.fixSuggestion,
-        })),
+        findings: normalizedLegacyFindings,
         layers: [],
         timings,
+        diff,
       };
       
       console.log(formatScanOutput(result, { verbose: opts.verbose }));

package/bin/runners/runShip.js

@@ -54,7 +54,7 @@ const {
 } = require("./lib/terminal-ui");
 
 const {
-  formatShipOutput,
+  formatShipOutput: formatShipOutputLegacy,
   renderVerdictCard,
   renderFixModeHeader,
   renderFixResults,
@@ -64,6 +64,10 @@ const {
   shipIcons,
 } = require("./lib/ship-output");
 
+const {
+  formatShipOutput,
+} = require("./lib/ship-output-enterprise");
+
 // ═══════════════════════════════════════════════════════════════════════════════
 // PREMIUM BANNER
 // ═══════════════════════════════════════════════════════════════════════════════
@@ -1031,7 +1035,7 @@ async function runShip(args, context = {}) {
       if (spinner) spinner.succeed('Safe fixes applied');
     }
 
-    // Human-readable output using ship-output module
+    // Human-readable output using enterprise ship-output module
     const result = {
       verdict,
       score: results.score,
@@ -1047,14 +1051,9 @@ async function runShip(args, context = {}) {
     // Get current tier for output formatting
     const currentTier = context?.authInfo?.access?.tier || getCurrentTier() || "free";
     
+    // Use enterprise format
     console.log(formatShipOutput(result, {
-      verbose: opts.verbose,
-      showFix: opts.fix,
-      showBadge: opts.badge,
-      outputDir,
-      projectPath,
       tier: currentTier,
-      isVerified: opts.withRuntime || false, // Reality testing = verified
     }));
 
     // Badge file generation (STARTER+ only)

package/bin/runners/runTruth.js

@@ -0,0 +1,89 @@
+/**
+ * Truth Command Handler
+ * 
+ * Enhanced truth command to generate truthpack files.
+ * Generates: routes.json, env.json, auth.json, contracts.json, ui.graph.json
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const { buildTruthpackV2 } = require("./lib/extractors/truthpack-v2");
+
+/**
+ * Run truth command
+ * @param {object} options - Command options
+ * @param {string} options.scope - Scope: 'routes', 'env', 'auth', 'contracts', 'all'
+ * @param {string} options.projectRoot - Project root directory
+ */
+async function runTruth(options = {}) {
+  const projectRoot = options.projectRoot || process.cwd();
+  const scope = options.scope || "all";
+  
+  const truthpackDir = path.join(projectRoot, ".vibecheck", "truthpack");
+  
+  // Ensure directory exists
+  if (!fs.existsSync(truthpackDir)) {
+    fs.mkdirSync(truthpackDir, { recursive: true });
+  }
+  
+  try {
+    // Build truthpack
+    const truthpack = await buildTruthpackV2({
+      repoRoot: projectRoot
+    });
+    
+    // Write truthpack files based on scope
+    if (scope === "all" || scope === "routes") {
+      const routesFile = path.join(truthpackDir, "routes.json");
+      fs.writeFileSync(routesFile, JSON.stringify({
+        routes: truthpack.routes || [],
+        gaps: truthpack.gaps || [],
+        stack: truthpack.stack || {}
+      }, null, 2));
+    }
+    
+    if (scope === "all" || scope === "env") {
+      const envFile = path.join(truthpackDir, "env.json");
+      fs.writeFileSync(envFile, JSON.stringify(truthpack.env || {}, null, 2));
+    }
+    
+    if (scope === "all" || scope === "auth") {
+      const authFile = path.join(truthpackDir, "auth.json");
+      fs.writeFileSync(authFile, JSON.stringify(truthpack.auth || {}, null, 2));
+    }
+    
+    if (scope === "all" || scope === "contracts") {
+      const contractsFile = path.join(truthpackDir, "contracts.json");
+      fs.writeFileSync(contractsFile, JSON.stringify(truthpack.contracts || {}, null, 2));
+    }
+    
+    // UI graph (if Reality enabled)
+    if (scope === "all" && truthpack.uiGraph) {
+      const uiGraphFile = path.join(truthpackDir, "ui.graph.json");
+      fs.writeFileSync(uiGraphFile, JSON.stringify(truthpack.uiGraph, null, 2));
+    }
+    
+    return {
+      success: true,
+      message: `Truthpack generated successfully (scope: ${scope})`,
+      files: {
+        routes: scope === "all" || scope === "routes" ? "routes.json" : null,
+        env: scope === "all" || scope === "env" ? "env.json" : null,
+        auth: scope === "all" || scope === "auth" ? "auth.json" : null,
+        contracts: scope === "all" || scope === "contracts" ? "contracts.json" : null,
+        uiGraph: scope === "all" && truthpack.uiGraph ? "ui.graph.json" : null
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: error.message
+    };
+  }
+}
+
+module.exports = {
+  runTruth
+};

package/mcp-server/agent-firewall-interceptor.js

@@ -0,0 +1,164 @@
+/**
+ * Agent Firewall Interceptor - MCP Tool
+ * 
+ * Intercepts file write/patch tool calls from AI agents.
+ * Validates changes against truthpack and policy before allowing writes.
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+const { interceptFileWrite, interceptMultiFileWrite } = require("../../bin/runners/lib/agent-firewall/interceptor/base");
+
+/**
+ * MCP Tool Definition
+ */
+const AGENT_FIREWALL_TOOL = {
+  name: "vibecheck_agent_firewall_intercept",
+  description: `🛡️ Agent Firewall - Intercepts AI code changes and validates against repo truth.
+
+This tool MUST be called before any file write/patch operations.
+It validates changes against truthpack and policy rules.
+
+Returns: { allowed, verdict, violations, unblockPlan }`,
+  inputSchema: {
+    type: "object",
+    required: ["agentId", "filePath", "content"],
+    properties: {
+      agentId: {
+        type: "string",
+        description: "Agent identifier (e.g., 'cursor', 'windsurf', 'copilot')"
+      },
+      filePath: {
+        type: "string",
+        description: "File path relative to project root"
+      },
+      content: {
+        type: "string",
+        description: "New file content"
+      },
+      oldContent: {
+        type: "string",
+        description: "Old file content (optional, for diff generation)"
+      },
+      intent: {
+        type: "string",
+        description: "Agent's stated intent for this change"
+      },
+      projectRoot: {
+        type: "string",
+        default: ".",
+        description: "Project root directory"
+      }
+    }
+  }
+};
+
+/**
+ * Handle MCP tool call
+ * @param {string} name - Tool name (unused, for consistency)
+ * @param {object} args - Tool arguments
+ * @returns {object} MCP tool response
+ */
+async function handleAgentFirewallIntercept(name, args) {
+  const projectRoot = path.resolve(args.projectRoot || ".");
+  const agentId = args.agentId || "unknown";
+  const filePath = args.filePath;
+  const content = args.content;
+  const oldContent = args.oldContent || null;
+  const intent = args.intent || "No intent provided";
+  
+  // Validate file path is within project root
+  const fileAbs = path.resolve(projectRoot, filePath);
+  if (!fileAbs.startsWith(projectRoot + path.sep) && fileAbs !== projectRoot) {
+    return {
+      content: [{
+        type: "text",
+        text: `❌ BLOCKED: File path outside project root: ${filePath}`
+      }],
+      isError: true
+    };
+  }
+  
+  try {
+    // Read old content if not provided
+    let actualOldContent = oldContent;
+    if (!actualOldContent && fs.existsSync(fileAbs)) {
+      actualOldContent = fs.readFileSync(fileAbs, "utf8");
+    }
+    
+    // Intercept the write
+    const result = await interceptFileWrite({
+      projectRoot,
+      agentId,
+      intent,
+      filePath,
+      content,
+      oldContent: actualOldContent
+    });
+    
+    // Check policy mode (already loaded in interceptFileWrite, but we need it for mode check)
+    const { loadPolicy } = require("../../bin/runners/lib/agent-firewall/policy/loader");
+    const policy = loadPolicy(projectRoot);
+    
+    if (policy.mode === "observe") {
+      // Observe mode - log but don't block
+      return {
+        content: [{
+          type: "text",
+          text: `📊 OBSERVE MODE: ${result.verdict}\n\n${result.message}\n\nPacket ID: ${result.packetId}`
+        }]
+      };
+    }
+    
+    // Enforce mode - block if not allowed
+    if (!result.allowed) {
+      let message = `❌ BLOCKED: ${result.message}\n\n`;
+      
+      if (result.violations && result.violations.length > 0) {
+        message += "Violations:\n";
+        for (const violation of result.violations) {
+          message += `  - ${violation.rule}: ${violation.message}\n`;
+        }
+      }
+      
+      if (result.unblockPlan && result.unblockPlan.steps.length > 0) {
+        message += "\nTo unblock:\n";
+        for (const step of result.unblockPlan.steps) {
+          message += `  ${step.action === "create" ? "Create" : "Modify"} ${step.file || "file"}: ${step.description}\n`;
+        }
+      }
+      
+      return {
+        content: [{
+          type: "text",
+          text: message
+        }],
+        isError: true
+      };
+    }
+    
+    // Allowed
+    return {
+      content: [{
+        type: "text",
+        text: `✅ ALLOWED: ${result.message}\n\nPacket ID: ${result.packetId}`
+      }]
+    };
+    
+  } catch (error) {
+    return {
+      content: [{
+        type: "text",
+        text: `❌ Error intercepting write: ${error.message}\n\n${error.stack}`
+      }],
+      isError: true
+    };
+  }
+}
+
+module.exports = {
+  AGENT_FIREWALL_TOOL,
+  handleAgentFirewallIntercept
+};