@vibecheckai/cli 3.2.0 → 3.2.2

package/bin/runners/lib/agent-firewall/policy/rules/scope.js

@@ -0,0 +1,93 @@
+/**
+ * Scope Explosion Rule
+ * 
+ * Blocks if too many files touched.
+ */
+
+"use strict";
+
+/**
+ * Evaluate scope explosion rule
+ * @param {object} params
+ * @param {array} params.files - Changed files
+ * @param {string} params.intent - Agent intent message
+ * @param {object} params.policy - Policy configuration
+ * @returns {object|null} Violation or null
+ */
+function evaluate({ files, intent, policy }) {
+  const ruleConfig = policy.rules?.scope_explosion;
+  
+  if (!ruleConfig || !ruleConfig.enabled) {
+    return null;
+  }
+  
+  const scope = policy.scope || {};
+  const maxFiles = scope.max_files_touched || 10;
+  const maxLines = scope.max_lines_changed || 600;
+  const requireIntent = scope.require_intent_for_expand_scope || false;
+  
+  const totalFiles = files.length;
+  const totalLines = files.reduce((sum, f) => sum + (f.linesChanged || 0), 0);
+  
+  // Check file count
+  if (totalFiles > maxFiles) {
+    const hasIntent = intent && intent.trim().length > 0;
+    
+    if (requireIntent && !hasIntent) {
+      return {
+        rule: "scope_explosion",
+        severity: ruleConfig.severity || "block",
+        message: `Scope explosion: ${totalFiles} files touched (max: ${maxFiles}). Intent required for scope expansion.`,
+        metadata: {
+          totalFiles,
+          maxFiles,
+          hasIntent
+        }
+      };
+    } else if (!requireIntent) {
+      return {
+        rule: "scope_explosion",
+        severity: ruleConfig.severity || "block",
+        message: `Scope explosion: ${totalFiles} files touched (max: ${maxFiles})`,
+        metadata: {
+          totalFiles,
+          maxFiles
+        }
+      };
+    }
+  }
+  
+  // Check line count
+  if (totalLines > maxLines) {
+    const hasIntent = intent && intent.trim().length > 0;
+    
+    if (requireIntent && !hasIntent) {
+      return {
+        rule: "scope_explosion",
+        severity: ruleConfig.severity || "block",
+        message: `Scope explosion: ${totalLines} lines changed (max: ${maxLines}). Intent required for scope expansion.`,
+        metadata: {
+          totalLines,
+          maxLines,
+          hasIntent
+        }
+      };
+    } else if (!requireIntent) {
+      return {
+        rule: "scope_explosion",
+        severity: ruleConfig.severity || "block",
+        message: `Scope explosion: ${totalLines} lines changed (max: ${maxLines})`,
+        metadata: {
+          totalLines,
+          maxLines
+        }
+      };
+    }
+  }
+  
+  return null;
+}
+
+module.exports = {
+  evaluate
+};

package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js

@@ -0,0 +1,57 @@
+/**
+ * Unsafe Side Effect Rule
+ * 
+ * Blocks unverified side effects.
+ */
+
+"use strict";
+
+const { CLAIM_TYPES } = require("../../claims/claim-types");
+
+/**
+ * Evaluate unsafe side effect rule
+ * @param {object} params
+ * @param {array} params.claims - Extracted claims
+ * @param {array} params.evidence - Evidence resolution results
+ * @param {object} params.policy - Policy configuration
+ * @returns {object|null} Violation or null
+ */
+function evaluate({ claims, evidence, policy }) {
+  const ruleConfig = policy.rules?.unsafe_side_effect;
+  
+  if (!ruleConfig || !ruleConfig.enabled) {
+    return null;
+  }
+  
+  const verification = policy.verification || {};
+  const requireForDomains = verification.require_for_domains || [];
+  
+  // Find side effect claims
+  for (let i = 0; i < claims.length; i++) {
+    const claim = claims[i];
+    
+    if (claim.type === CLAIM_TYPES.SIDE_EFFECT) {
+      const ev = evidence.find(e => e.claimId === `claim_${i}`);
+      
+      // Check if domain requires verification
+      const claimDomain = claim.domain || "general";
+      const requiresVerification = requireForDomains.includes(claimDomain);
+      
+      if (requiresVerification && ev && ev.result === "UNPROVEN") {
+        return {
+          rule: "unsafe_side_effect",
+          severity: ruleConfig.severity || "block",
+          message: `Unsafe side effect: ${claim.value} requires verification (test coverage or reality proof)`,
+          claimId: `claim_${i}`,
+          claim
+        };
+      }
+    }
+  }
+  
+  return null;
+}
+
+module.exports = {
+  evaluate
+};

package/bin/runners/lib/agent-firewall/policy/schema.json

@@ -0,0 +1,183 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "required": ["version", "mode", "scope", "rules"],
+  "properties": {
+    "version": {
+      "type": "string",
+      "description": "Policy schema version"
+    },
+    "mode": {
+      "type": "string",
+      "enum": ["observe", "enforce"],
+      "description": "Firewall mode: observe (log only) or enforce (block writes)"
+    },
+    "profile": {
+      "type": "string",
+      "description": "Policy profile name (e.g., 'repo-lock', 'balanced', 'permissive')"
+    },
+    "scope": {
+      "type": "object",
+      "properties": {
+        "max_files_touched": {
+          "type": "number",
+          "description": "Maximum number of files that can be touched in a single change"
+        },
+        "max_lines_changed": {
+          "type": "number",
+          "description": "Maximum number of lines that can be changed in a single change"
+        },
+        "blocked_paths": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Glob patterns for paths that are blocked from changes"
+        },
+        "allowed_paths": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Glob patterns for paths that are allowed for changes"
+        },
+        "require_intent_for_expand_scope": {
+          "type": "boolean",
+          "description": "Require explicit intent message when scope exceeds limits"
+        }
+      }
+    },
+    "hard_domains": {
+      "type": "object",
+      "properties": {
+        "routes": {
+          "type": "boolean",
+          "description": "Enforce route truth"
+        },
+        "env": {
+          "type": "boolean",
+          "description": "Enforce environment variable truth"
+        },
+        "auth": {
+          "type": "boolean",
+          "description": "Enforce authentication truth"
+        },
+        "contracts": {
+          "type": "boolean",
+          "description": "Enforce API contract truth"
+        },
+        "payments": {
+          "type": "boolean",
+          "description": "Enforce payment-related changes"
+        },
+        "side_effects": {
+          "type": "boolean",
+          "description": "Enforce side effect verification"
+        }
+      }
+    },
+    "rules": {
+      "type": "object",
+      "additionalProperties": {
+        "type": "object",
+        "properties": {
+          "severity": {
+            "type": "string",
+            "enum": ["allow", "warn", "block"],
+            "description": "Rule severity level"
+          },
+          "block_if_domain": {
+            "type": "array",
+            "items": {
+              "type": "string",
+              "enum": ["auth", "payments", "side_effects", "routes", "env", "contracts"]
+            },
+            "description": "Upgrade to block if change affects these domains"
+          },
+          "enabled": {
+            "type": "boolean",
+            "description": "Whether this rule is enabled"
+          }
+        }
+      }
+    },
+    "evidence": {
+      "type": "object",
+      "properties": {
+        "require_pointers": {
+          "type": "boolean",
+          "description": "Require file:line pointers in evidence"
+        },
+        "acceptable_sources": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["truthpack.routes", "truthpack.env", "truthpack.auth", "truthpack.contracts", "repo.search"]
+          },
+          "description": "Acceptable evidence sources"
+        },
+        "pointer_format": {
+          "type": "string",
+          "description": "Expected pointer format (e.g., 'file:lineStart-lineEnd')"
+        }
+      }
+    },
+    "verification": {
+      "type": "object",
+      "properties": {
+        "require_for_domains": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["auth", "payments", "side_effects"]
+          },
+          "description": "Domains that require verification"
+        },
+        "accepted": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["tests", "reality"]
+          },
+          "description": "Accepted verification methods"
+        },
+        "reality": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "block_on": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "enum": ["fake_success", "no_mutation", "network_error"]
+              }
+            }
+          }
+        }
+      }
+    },
+    "output": {
+      "type": "object",
+      "properties": {
+        "write_change_packets": {
+          "type": "boolean",
+          "description": "Write change packets to disk"
+        },
+        "packet_dir": {
+          "type": "string",
+          "description": "Directory for change packets"
+        },
+        "report_formats": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["md", "html", "json", "sarif"]
+          },
+          "description": "Report output formats"
+        }
+      }
+    }
+  }
+}

package/bin/runners/lib/agent-firewall/policy/verdict.js

@@ -0,0 +1,54 @@
+/**
+ * Verdict Generator
+ * 
+ * Combines rule results into final verdict.
+ * Priority: BLOCK > WARN > ALLOW
+ */
+
+"use strict";
+
+/**
+ * Generate verdict from violations
+ * @param {array} violations - Array of rule violations
+ * @returns {object} Verdict object
+ */
+function generateVerdict(violations) {
+  if (!violations || violations.length === 0) {
+    return {
+      decision: "ALLOW",
+      violations: [],
+      message: "No violations detected"
+    };
+  }
+  
+  // Check for blocks (highest priority)
+  const blocks = violations.filter(v => v.severity === "block");
+  if (blocks.length > 0) {
+    return {
+      decision: "BLOCK",
+      violations,
+      message: `BLOCKED: ${blocks.length} blocking violation(s) found`
+    };
+  }
+  
+  // Check for warnings
+  const warns = violations.filter(v => v.severity === "warn");
+  if (warns.length > 0) {
+    return {
+      decision: "WARN",
+      violations,
+      message: `WARNING: ${warns.length} warning(s) found`
+    };
+  }
+  
+  // Only allows (shouldn't happen, but handle gracefully)
+  return {
+    decision: "ALLOW",
+    violations,
+    message: "Violations found but all are allow-level"
+  };
+}
+
+module.exports = {
+  generateVerdict
+};

package/bin/runners/lib/agent-firewall/truthpack/index.js

@@ -0,0 +1,67 @@
+/**
+ * Truthpack Accessor
+ * 
+ * Unified interface for accessing truthpack data.
+ */
+
+"use strict";
+
+const { loadTruthpack } = require("./loader");
+
+/**
+ * Get routes from truthpack
+ * @param {string} projectRoot - Project root directory
+ * @returns {array} Array of routes
+ */
+function getRoutes(projectRoot) {
+  const truthpack = loadTruthpack(projectRoot);
+  return truthpack.routes?.routes || [];
+}
+
+/**
+ * Get environment variables from truthpack
+ * @param {string} projectRoot - Project root directory
+ * @returns {object} Env vars data
+ */
+function getEnvVars(projectRoot) {
+  const truthpack = loadTruthpack(projectRoot);
+  return truthpack.env || { vars: [], declared: [], declaredSources: [] };
+}
+
+/**
+ * Get auth rules from truthpack
+ * @param {string} projectRoot - Project root directory
+ * @returns {object} Auth rules data
+ */
+function getAuthRules(projectRoot) {
+  const truthpack = loadTruthpack(projectRoot);
+  return truthpack.auth || { nextMiddleware: [], nextMatcherPatterns: [], fastify: {} };
+}
+
+/**
+ * Get contracts from truthpack
+ * @param {string} projectRoot - Project root directory
+ * @returns {object} Contracts data
+ */
+function getContracts(projectRoot) {
+  const truthpack = loadTruthpack(projectRoot);
+  return truthpack.contracts || {};
+}
+
+/**
+ * Get UI graph from truthpack
+ * @param {string} projectRoot - Project root directory
+ * @returns {object|null} UI graph or null
+ */
+function getUIGraph(projectRoot) {
+  const truthpack = loadTruthpack(projectRoot);
+  return truthpack.uiGraph || null;
+}
+
+module.exports = {
+  getRoutes,
+  getEnvVars,
+  getAuthRules,
+  getContracts,
+  getUIGraph
+};

package/bin/runners/lib/agent-firewall/truthpack/loader.js

@@ -0,0 +1,116 @@
+/**
+ * Truthpack Loader
+ * 
+ * Loads truthpack files from .vibecheck/truthpack/
+ * Caches for performance and validates freshness.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+const TRUTHPACK_DIR = ".vibecheck/truthpack";
+const STALE_AFTER_HOURS = 24;
+
+let cache = {
+  routes: null,
+  env: null,
+  auth: null,
+  contracts: null,
+  loadedAt: null
+};
+
+/**
+ * Load truthpack from project root
+ * @param {string} projectRoot - Project root directory
+ * @param {boolean} forceRefresh - Force reload even if cached
+ * @returns {object} Truthpack data
+ */
+function loadTruthpack(projectRoot, forceRefresh = false) {
+  const truthpackPath = path.join(projectRoot, TRUTHPACK_DIR);
+  
+  // Check cache freshness
+  if (!forceRefresh && cache.loadedAt) {
+    const ageHours = (Date.now() - cache.loadedAt) / (1000 * 60 * 60);
+    if (ageHours < STALE_AFTER_HOURS && cache.routes !== null) {
+      return cache;
+    }
+  }
+  
+  const truthpack = {
+    routes: loadTruthpackFile(projectRoot, "routes.json"),
+    env: loadTruthpackFile(projectRoot, "env.json"),
+    auth: loadTruthpackFile(projectRoot, "auth.json"),
+    contracts: loadTruthpackFile(projectRoot, "contracts.json"),
+    uiGraph: loadTruthpackFile(projectRoot, "ui.graph.json")
+  };
+  
+  // Update cache
+  cache = {
+    ...truthpack,
+    loadedAt: Date.now()
+  };
+  
+  return truthpack;
+}
+
+/**
+ * Load a specific truthpack file
+ * @param {string} projectRoot - Project root directory
+ * @param {string} filename - Truthpack filename
+ * @returns {object|null} Parsed JSON or null if not found
+ */
+function loadTruthpackFile(projectRoot, filename) {
+  const filePath = path.join(projectRoot, TRUTHPACK_DIR, filename);
+  
+  if (!fs.existsSync(filePath)) {
+    return null;
+  }
+  
+  try {
+    return JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch (error) {
+    console.warn(`Failed to load truthpack file ${filename}: ${error.message}`);
+    return null;
+  }
+}
+
+/**
+ * Check if truthpack is fresh
+ * @param {string} projectRoot - Project root directory
+ * @returns {boolean} True if truthpack exists and is fresh
+ */
+function isTruthpackFresh(projectRoot) {
+  const truthpackPath = path.join(projectRoot, TRUTHPACK_DIR);
+  const routesPath = path.join(truthpackPath, "routes.json");
+  
+  if (!fs.existsSync(routesPath)) {
+    return false;
+  }
+  
+  const stats = fs.statSync(routesPath);
+  const ageHours = (Date.now() - stats.mtime.getTime()) / (1000 * 60 * 60);
+  
+  return ageHours < STALE_AFTER_HOURS;
+}
+
+/**
+ * Clear truthpack cache
+ */
+function clearCache() {
+  cache = {
+    routes: null,
+    env: null,
+    auth: null,
+    contracts: null,
+    loadedAt: null
+  };
+}
+
+module.exports = {
+  loadTruthpack,
+  loadTruthpackFile,
+  isTruthpackFresh,
+  clearCache
+};