npm - @vibecheckai/cli - Versions diffs - 3.2.0 → 3.2.2 - Mend

@vibecheckai/cli 3.2.0 → 3.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/bin/runners/lib/agent-firewall/change-packet/builder.js +214 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +214 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +118 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +142 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +304 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +84 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +72 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +143 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +61 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +116 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/analysis-core.js +198 -180
package/bin/runners/lib/analyzers.js +1119 -536
package/bin/runners/lib/cli-output.js +236 -210
package/bin/runners/lib/detectors-v2.js +547 -785
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/route-truth.js +1167 -322
package/bin/runners/lib/scan-output.js +144 -738
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/terminal-ui.js +188 -770
package/bin/runners/lib/truth.js +1004 -321
package/bin/runners/lib/unified-output.js +162 -158
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runScan.js +113 -10
package/bin/runners/runShip.js +7 -8
package/bin/runners/runTruth.js +89 -0
package/mcp-server/agent-firewall-interceptor.js +164 -0
package/mcp-server/index.js +347 -313
package/mcp-server/truth-context.js +131 -90
package/mcp-server/truth-firewall-tools.js +1412 -1045
package/package.json +1 -1

package/bin/runners/lib/agent-firewall/claims/extractor.js ADDED Viewed

@@ -0,0 +1,214 @@
+/**
+ * Claim Extractor
+ *
+ * Extracts "drift-causing claims" from changed files.
+ * Uses AST-based extraction with Babel parser.
+ */
+const fs = require("fs");
+const path = require("path");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { CLAIM_TYPES, CRITICALITY } = require("./claim-types");
+const { ROUTE_LIKE, AUTH_HINTS, SUCCESS_UI } = require("./patterns");
+function parse(code) {
+  return parser.parse(code, {
+    sourceType: "unambiguous",
+    plugins: ["typescript", "jsx"]
+  });
+}
+function locPtr(fileRel, node) {
+  const loc = node && node.loc;
+  if (!loc) return null;
+  return `${fileRel}:${loc.start.line}-${loc.end.line}`;
+}
+function pushClaim(out, claim) {
+  const key = `${claim.type}|${claim.value}|${claim.pointer || ""}`;
+  if (!out._dedupe.has(key)) {
+    out._dedupe.add(key);
+    out.claims.push(claim);
+  }
+}
+function extractStringLiterals(code) {
+  // Cheap scan for route-ish strings even if AST misses template parts.
+  const hits = [];
+  for (const rx of ROUTE_LIKE) {
+    const m = code.match(rx);
+    if (m) hits.push(...m);
+  }
+  return [...new Set(hits)];
+}
+function classifyFileDomain(fileRel) {
+  const s = fileRel.toLowerCase();
+  if (s.includes("auth")) return "auth";
+  if (s.includes("stripe") || s.includes("payment")) return "payments";
+  if (s.includes("routes") || s.includes("router") || s.includes("api")) return "routes";
+  if (s.includes("schema") || s.includes("contract") || s.includes("openapi")) return "contracts";
+  if (s.includes("ui") || s.includes("components") || s.includes("pages")) return "ui";
+  return "general";
+}
+function extractClaimsFromFile({ repoRoot, fileAbs }) {
+  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+  const code = fs.readFileSync(fileAbs, "utf8");
+  const ast = parse(code);
+  const out = { fileRel, domain: classifyFileDomain(fileRel), claims: [], _dedupe: new Set() };
+  // 1) quick string route-ish scan
+  for (const r of extractStringLiterals(code)) {
+    pushClaim(out, {
+      type: CLAIM_TYPES.ROUTE,
+      value: r,
+      criticality: CRITICALITY.HARD,
+      pointer: `${fileRel}:1-1`,
+      reason: "route-like string literal"
+    });
+  }
+  // 2) AST-based env extraction
+  traverse(ast, {
+    MemberExpression(p) {
+      // process.env.X
+      const n = p.node;
+      if (
+        t.isMemberExpression(n.object) &&
+        t.isIdentifier(n.object.object, { name: "process" }) &&
+        t.isIdentifier(n.object.property, { name: "env" }) &&
+        (t.isIdentifier(n.property) || t.isStringLiteral(n.property))
+      ) {
+        const name = t.isIdentifier(n.property) ? n.property.name : n.property.value;
+        pushClaim(out, {
+          type: CLAIM_TYPES.ENV,
+          value: name,
+          criticality: CRITICALITY.HARD,
+          pointer: locPtr(fileRel, n),
+          reason: "process.env usage"
+        });
+      }
+      // import.meta.env.X (Vite)
+      if (
+        t.isMemberExpression(n.object) &&
+        t.isMemberExpression(n.object.object) &&
+        t.isIdentifier(n.object.object.object, { name: "import" }) &&
+        t.isIdentifier(n.object.object.property, { name: "meta" }) &&
+        t.isIdentifier(n.object.property, { name: "env" }) &&
+        (t.isIdentifier(n.property) || t.isStringLiteral(n.property))
+      ) {
+        const name = t.isIdentifier(n.property) ? n.property.name : n.property.value;
+        pushClaim(out, {
+          type: CLAIM_TYPES.ENV,
+          value: name,
+          criticality: CRITICALITY.HARD,
+          pointer: locPtr(fileRel, n),
+          reason: "import.meta.env usage"
+        });
+      }
+    },
+    CallExpression(p) {
+      const n = p.node;
+      // fetch("/api/...")
+      if (t.isIdentifier(n.callee, { name: "fetch" }) && n.arguments[0]) {
+        const a0 = n.arguments[0];
+        if (t.isStringLiteral(a0)) {
+          pushClaim(out, {
+            type: CLAIM_TYPES.HTTP_CALL,
+            value: a0.value,
+            criticality: CRITICALITY.HARD,
+            pointer: locPtr(fileRel, n),
+            reason: "fetch call"
+          });
+        }
+      }
+      // axios.get("/api/...")
+      if (t.isMemberExpression(n.callee) && t.isIdentifier(n.callee.object, { name: "axios" })) {
+        const method = t.isIdentifier(n.callee.property) ? n.callee.property.name : "call";
+        const a0 = n.arguments[0];
+        if (a0 && t.isStringLiteral(a0)) {
+          pushClaim(out, {
+            type: CLAIM_TYPES.HTTP_CALL,
+            value: `${method.toUpperCase()} ${a0.value}`,
+            criticality: CRITICALITY.HARD,
+            pointer: locPtr(fileRel, n),
+            reason: "axios call"
+          });
+        }
+      }
+      // toast.success("Saved")
+      if (
+        t.isMemberExpression(n.callee) &&
+        t.isIdentifier(n.callee.object, { name: "toast" }) &&
+        t.isIdentifier(n.callee.property, { name: "success" })
+      ) {
+        const msg = n.arguments[0] && t.isStringLiteral(n.arguments[0]) ? n.arguments[0].value : "toast.success";
+        pushClaim(out, {
+          type: CLAIM_TYPES.UI_SUCCESS,
+          value: msg,
+          criticality: CRITICALITY.SOFT,
+          pointer: locPtr(fileRel, n),
+          reason: "success UI signal"
+        });
+      }
+    }
+  });
+  // 3) auth-ish keyword scan (cheap but effective)
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (AUTH_HINTS.some((rx) => rx.test(line))) {
+      pushClaim(out, {
+        type: CLAIM_TYPES.AUTH,
+        value: line.trim().slice(0, 140),
+        criticality: CRITICALITY.HARD,
+        pointer: `${fileRel}:${i + 1}-${i + 1}`,
+        reason: "auth/role/scope hint"
+      });
+    }
+    if (SUCCESS_UI.some((rx) => rx.test(line))) {
+      pushClaim(out, {
+        type: CLAIM_TYPES.UI_SUCCESS,
+        value: line.trim().slice(0, 140),
+        criticality: CRITICALITY.SOFT,
+        pointer: `${fileRel}:${i + 1}-${i + 1}`,
+        reason: "success UI hint"
+      });
+    }
+  }
+  delete out._dedupe;
+  return out;
+}
+function extractClaims({ repoRoot, changedFilesAbs }) {
+  const files = changedFilesAbs.filter((f) => fs.existsSync(f));
+  const perFile = files.map((fileAbs) => extractClaimsFromFile({ repoRoot, fileAbs }));
+  // Flatten + dedupe across files
+  const dedupe = new Set();
+  const claims = [];
+  for (const f of perFile) {
+    for (const c of f.claims) {
+      const k = `${c.type}|${c.value}`;
+      if (!dedupe.has(k)) {
+        dedupe.add(k);
+        claims.push({ ...c, file: f.fileRel, domain: f.domain });
+      }
+    }
+  }
+  return { claims, perFile };
+}
+module.exports = { extractClaims, extractClaimsFromFile };

package/bin/runners/lib/agent-firewall/claims/patterns.js ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Claim Patterns
+ *
+ * Regex patterns for detecting claims in code.
+ */
+const ROUTE_LIKE = [
+  /\/api\/[a-zA-Z0-9_\/\-]+/g,
+  /\/health\/[a-zA-Z0-9_\/\-]+/g
+];
+const AUTH_HINTS = [
+  /\b(admin|owner|staff|superadmin|root)\b/i,
+  /\b(role|roles|scope|scopes|permission|permissions)\b/i,
+  /\b(auth|authorize|authorization|requireAuth|requireRole|rbac)\b/i
+];
+const SUCCESS_UI = [
+  /\b(success|saved|updated|complete|done)\b/i,
+  /\btoast\.(success|info)\b/i,
+  /\benqueueSnackbar\b/i
+];
+module.exports = { ROUTE_LIKE, AUTH_HINTS, SUCCESS_UI };

package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js ADDED Viewed

@@ -0,0 +1,88 @@
+/**
+ * Auth Evidence Resolver
+ *
+ * Resolves auth claims against truthpack.auth.json
+ * Checks for auth drift (claimed restriction not enforced).
+ */
+"use strict";
+const { getAuthRules } = require("../truthpack");
+/**
+ * Resolve auth claim evidence
+ * @param {string} projectRoot - Project root directory
+ * @param {object} claim - Auth claim
+ * @returns {object} Evidence result
+ */
+function resolve(projectRoot, claim) {
+  const authData = getAuthRules(projectRoot);
+  // Extract auth keywords from claim value
+  const claimText = claim.value.toLowerCase();
+  const hasAuthKeywords = /\b(admin|owner|staff|role|scope|permission|auth|authorize|rbac)\b/i.test(claimText);
+  if (!hasAuthKeywords) {
+    // Not an auth-related claim
+    return {
+      result: "PROVEN",
+      sources: [],
+      reason: "No auth keywords detected in claim"
+    };
+  }
+  // Check if auth middleware exists
+  const nextMiddleware = authData.nextMiddleware || [];
+  const fastifyHooks = authData.fastify?.hooks || [];
+  if (nextMiddleware.length > 0 || fastifyHooks.length > 0) {
+    // Auth infrastructure exists
+    // Check if claim matches protected patterns
+    const matcherPatterns = authData.nextMatcherPatterns || [];
+    const claimFile = claim.file || "";
+    // Check if file is in protected path
+    const isProtected = matcherPatterns.some(pattern => {
+      // Simple pattern matching
+      if (pattern.includes("*")) {
+        const regex = new RegExp(pattern.replace(/\*/g, ".*"));
+        return regex.test(claimFile);
+      }
+      return claimFile.includes(pattern);
+    });
+    if (isProtected) {
+      return {
+        result: "PROVEN",
+        sources: [{
+          type: "truthpack.auth",
+          pointer: claim.pointer,
+          confidence: 0.8
+        }],
+        reason: "Auth claim matches protected route pattern"
+      };
+    } else {
+      // Auth keywords present but route not protected - potential drift
+      return {
+        result: "CONTRADICTS",
+        sources: [{
+          type: "truthpack.auth",
+          pointer: claim.pointer,
+          confidence: 0.7
+        }],
+        reason: "Auth keywords present but route not in protected patterns (auth drift)"
+      };
+    }
+  } else {
+    // No auth infrastructure - cannot verify
+    return {
+      result: "UNPROVEN",
+      sources: [],
+      reason: "No auth middleware found in truthpack"
+    };
+  }
+}
+module.exports = {
+  resolve
+};

package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * Contract Evidence Resolver
+ *
+ * Resolves contract claims against truthpack.contracts.json
+ * Checks for contract drift (API shape mismatch).
+ */
+"use strict";
+const { getContracts } = require("../truthpack");
+/**
+ * Resolve contract claim evidence
+ * @param {string} projectRoot - Project root directory
+ * @param {object} claim - Contract claim
+ * @returns {object} Evidence result
+ */
+function resolve(projectRoot, claim) {
+  const contracts = getContracts(projectRoot);
+  // Extract contract identifier from claim
+  // Contract claims might reference API endpoints, types, or schemas
+  const claimValue = claim.value.toLowerCase();
+  // Check if contracts exist
+  if (!contracts || Object.keys(contracts).length === 0) {
+    return {
+      result: "UNPROVEN",
+      sources: [],
+      reason: "No contracts found in truthpack"
+    };
+  }
+  // Try to match claim against contract definitions
+  // This is a simplified check - full implementation would parse contract schemas
+  const contractKeys = Object.keys(contracts);
+  const matchingContract = contractKeys.find(key =>
+    key.toLowerCase().includes(claimValue) ||
+    claimValue.includes(key.toLowerCase())
+  );
+  if (matchingContract) {
+    return {
+      result: "PROVEN",
+      sources: [{
+        type: "truthpack.contracts",
+        pointer: claim.pointer,
+        confidence: 0.8
+      }],
+      reason: `Contract ${matchingContract} found in truthpack`
+    };
+  }
+  // Check for contract drift by examining the claim context
+  // If claim references an API endpoint, check if contract exists for that endpoint
+  if (claimValue.includes("api") || claimValue.includes("endpoint")) {
+    // Potential contract drift - endpoint referenced but contract not found
+    return {
+      result: "CONTRADICTS",
+      sources: [],
+      reason: "API endpoint referenced but contract not found in truthpack (contract drift)"
+    };
+  }
+  // Cannot verify contract
+  return {
+    result: "UNPROVEN",
+    sources: [],
+    reason: "Contract not found in truthpack"
+  };
+}
+module.exports = {
+  resolve
+};

package/bin/runners/lib/agent-firewall/evidence/env-evidence.js ADDED Viewed

@@ -0,0 +1,118 @@
+/**
+ * Environment Variable Evidence Resolver
+ *
+ * Resolves env var claims against truthpack.env.json
+ * Checks for ghost env vars (used but not declared).
+ */
+"use strict";
+const fs = require("fs");
+const path = require("path");
+const { getEnvVars } = require("../truthpack");
+/**
+ * Resolve env var claim evidence
+ * @param {string} projectRoot - Project root directory
+ * @param {object} claim - Env var claim
+ * @returns {object} Evidence result
+ */
+function resolve(projectRoot, claim) {
+  const envData = getEnvVars(projectRoot);
+  // Check declared env vars
+  const declared = envData.declared || [];
+  const declaredSet = new Set(declared.map(v => v.name || v));
+  // Check declared sources (env.schema.ts, .env.example, etc.)
+  const declaredSources = envData.declaredSources || [];
+  const envVarName = claim.value;
+  // Check if env var is declared
+  if (declaredSet.has(envVarName)) {
+    // Find source file
+    const source = declaredSources.find(s =>
+      s.vars && s.vars.includes(envVarName)
+    );
+    return {
+      result: "PROVEN",
+      sources: [{
+        type: "truthpack.env",
+        pointer: source ? source.file : claim.pointer,
+        confidence: 0.9
+      }],
+      reason: `Environment variable ${envVarName} found in truthpack`
+    };
+  }
+  // Check if env var exists in .env.example or schema files
+  const envExamplePath = path.join(projectRoot, ".env.example");
+  const envSchemaPath = findEnvSchemaFile(projectRoot);
+  if (fs.existsSync(envExamplePath)) {
+    const envExample = fs.readFileSync(envExamplePath, "utf8");
+    if (envExample.includes(envVarName)) {
+      return {
+        result: "PROVEN",
+        sources: [{
+          type: "repo.search",
+          pointer: ".env.example",
+          confidence: 0.7
+        }],
+        reason: `Environment variable ${envVarName} found in .env.example`
+      };
+    }
+  }
+  if (envSchemaPath && fs.existsSync(envSchemaPath)) {
+    const envSchema = fs.readFileSync(envSchemaPath, "utf8");
+    if (envSchema.includes(envVarName)) {
+      return {
+        result: "PROVEN",
+        sources: [{
+          type: "repo.search",
+          pointer: envSchemaPath,
+          confidence: 0.8
+        }],
+        reason: `Environment variable ${envVarName} found in env schema`
+      };
+    }
+  }
+  // Not found - ghost env var
+  return {
+    result: "UNPROVEN",
+    sources: [],
+    reason: `Environment variable ${envVarName} not declared (ghost env var)`
+  };
+}
+/**
+ * Find env schema file (env.schema.ts, env.ts, etc.)
+ * @param {string} projectRoot - Project root directory
+ * @returns {string|null} Path to schema file or null
+ */
+function findEnvSchemaFile(projectRoot) {
+  const candidates = [
+    "apps/api/src/config/env.schema.ts",
+    "apps/api/src/env.schema.ts",
+    "src/config/env.schema.ts",
+    "src/env.schema.ts",
+    "env.schema.ts"
+  ];
+  for (const candidate of candidates) {
+    const fullPath = path.join(projectRoot, candidate);
+    if (fs.existsSync(fullPath)) {
+      return candidate;
+    }
+  }
+  return null;
+}
+module.exports = {
+  resolve
+};

package/bin/runners/lib/agent-firewall/evidence/resolver.js ADDED Viewed

@@ -0,0 +1,102 @@
+/**
+ * Evidence Resolver
+ *
+ * Main orchestrator for resolving claims against truthpack.
+ * Returns PROVEN, UNPROVEN, or CONTRADICTS for each claim.
+ */
+"use strict";
+const routeEvidence = require("./route-evidence");
+const envEvidence = require("./env-evidence");
+const authEvidence = require("./auth-evidence");
+const contractEvidence = require("./contract-evidence");
+const sideEffectEvidence = require("./side-effect-evidence");
+const { CLAIM_TYPES } = require("../claims/claim-types");
+/**
+ * Resolve evidence for all claims
+ * @param {string} projectRoot - Project root directory
+ * @param {array} claims - Array of claims to resolve
+ * @returns {array} Array of evidence results
+ */
+function resolveEvidence(projectRoot, claims) {
+  const results = [];
+  for (let i = 0; i < claims.length; i++) {
+    const claim = claims[i];
+    const claimId = `claim_${i}`;
+    let result;
+    switch (claim.type) {
+      case CLAIM_TYPES.ROUTE:
+        result = routeEvidence.resolve(projectRoot, claim);
+        break;
+      case CLAIM_TYPES.ENV:
+        result = envEvidence.resolve(projectRoot, claim);
+        break;
+      case CLAIM_TYPES.AUTH:
+        result = authEvidence.resolve(projectRoot, claim);
+        break;
+      case CLAIM_TYPES.CONTRACT:
+        result = contractEvidence.resolve(projectRoot, claim);
+        break;
+      case CLAIM_TYPES.SIDE_EFFECT:
+        result = sideEffectEvidence.resolve(projectRoot, claim);
+        break;
+      case CLAIM_TYPES.HTTP_CALL:
+        // HTTP calls are checked as routes
+        result = routeEvidence.resolve(projectRoot, {
+          ...claim,
+          type: CLAIM_TYPES.ROUTE,
+          value: extractRouteFromHttpCall(claim.value)
+        });
+        break;
+      case CLAIM_TYPES.UI_SUCCESS:
+        // UI success claims are checked for side effects
+        result = sideEffectEvidence.resolve(projectRoot, claim);
+        break;
+      default:
+        result = {
+          claimId,
+          result: "UNPROVEN",
+          sources: [],
+          reason: `Unknown claim type: ${claim.type}`
+        };
+    }
+    results.push({
+      claimId,
+      ...result
+    });
+  }
+  return results;
+}
+/**
+ * Extract route path from HTTP call claim value
+ * @param {string} httpCall - HTTP call string (e.g., "GET /api/users")
+ * @returns {string} Route path
+ */
+function extractRouteFromHttpCall(httpCall) {
+  // Handle "GET /api/users" format
+  const match = httpCall.match(/\s+(.+)$/);
+  if (match) {
+    return match[1];
+  }
+  // Handle "/api/users" format
+  return httpCall.startsWith("/") ? httpCall : `/${httpCall}`;
+}
+module.exports = {
+  resolveEvidence
+};