@vibecheckai/cli 3.2.2 → 3.2.4

package/bin/runners/lib/contracts/plan-validator.js

@@ -1,311 +1,311 @@
-/**
- * Plan Validator
- * Validates AI agent plans against contracts
- * This is the core of the "hallucination stopper"
- */
-
-"use strict";
-
-/**
- * Validate an AI-generated plan against contracts
- * Returns validation result with specific violations
- */
-function validatePlan(plan, contracts) {
-  const result = {
-    valid: true,
-    violations: [],
-    warnings: [],
-    suggestions: []
-  };
-
-  // Parse plan to extract intended actions
-  const actions = parsePlanActions(plan);
-
-  // Validate route references
-  if (contracts.routes) {
-    const routeResult = validateRouteActions(actions, contracts.routes);
-    result.violations.push(...routeResult.violations);
-    result.warnings.push(...routeResult.warnings);
-  }
-
-  // Validate env references
-  if (contracts.env) {
-    const envResult = validateEnvActions(actions, contracts.env);
-    result.violations.push(...envResult.violations);
-    result.warnings.push(...envResult.warnings);
-  }
-
-  // Validate auth assumptions
-  if (contracts.auth) {
-    const authResult = validateAuthActions(actions, contracts.auth);
-    result.violations.push(...authResult.violations);
-    result.warnings.push(...authResult.warnings);
-  }
-
-  // Validate external service usage
-  if (contracts.external) {
-    const externalResult = validateExternalActions(actions, contracts.external);
-    result.violations.push(...externalResult.violations);
-    result.warnings.push(...externalResult.warnings);
-  }
-
-  result.valid = result.violations.length === 0;
-  return result;
-}
-
-/**
- * Parse plan to extract intended actions
- */
-function parsePlanActions(plan) {
-  const actions = {
-    routes: [],
-    envVars: [],
-    files: [],
-    authAssumptions: [],
-    externalCalls: []
-  };
-
-  // Handle different plan formats
-  const planText = typeof plan === "string" ? plan : JSON.stringify(plan);
-
-  // Extract route references
-  const routePatterns = [
-    /(?:fetch|axios|api\.)\s*\(\s*['"`]([/][^'"`]+)['"`]/gi,
-    /(?:GET|POST|PUT|PATCH|DELETE)\s+([/][^\s]+)/gi,
-    /\/api\/[a-z0-9/_-]+/gi
-  ];
-
-  for (const pattern of routePatterns) {
-    let match;
-    while ((match = pattern.exec(planText)) !== null) {
-      const path = match[1] || match[0];
-      if (path.startsWith("/")) {
-        actions.routes.push({
-          path: path.replace(/['"`]/g, ""),
-          method: inferMethod(match[0])
-        });
-      }
-    }
-  }
-
-  // Extract env var references
-  const envPatterns = [
-    /process\.env\.([A-Z_][A-Z0-9_]*)/gi,
-    /import\.meta\.env\.([A-Z_][A-Z0-9_]*)/gi,
-    /\$\{?([A-Z_][A-Z0-9_]*)\}?/g
-  ];
-
-  for (const pattern of envPatterns) {
-    let match;
-    while ((match = pattern.exec(planText)) !== null) {
-      if (match[1] && /^[A-Z]/.test(match[1])) {
-        actions.envVars.push(match[1]);
-      }
-    }
-  }
-
-  // Extract file references
-  const filePatterns = [
-    /(?:create|modify|edit|update|delete|add to)\s+['"`]?([a-z0-9/_.-]+\.[a-z]+)['"`]?/gi,
-    /(?:in|at|file)\s+['"`]([^'"`]+)['"`]/gi
-  ];
-
-  for (const pattern of filePatterns) {
-    let match;
-    while ((match = pattern.exec(planText)) !== null) {
-      if (match[1]) {
-        actions.files.push(match[1]);
-      }
-    }
-  }
-
-  // Extract auth assumptions
-  const authPatterns = [
-    /(?:authenticated|logged in|auth required|protected)/gi,
-    /(?:public|no auth|unauthenticated)/gi
-  ];
-
-  if (/(?:authenticated|logged in|auth required|protected)/i.test(planText)) {
-    actions.authAssumptions.push({ type: "requires_auth" });
-  }
-  if (/(?:public|no auth|unauthenticated)/i.test(planText)) {
-    actions.authAssumptions.push({ type: "no_auth" });
-  }
-
-  // Extract external service references
-  const externalPatterns = [
-    /stripe\./gi,
-    /github\./gi,
-    /sendgrid\./gi,
-    /twilio\./gi,
-    /supabase\./gi
-  ];
-
-  for (const pattern of externalPatterns) {
-    if (pattern.test(planText)) {
-      const service = pattern.source.replace(/\\\./g, "").toLowerCase();
-      actions.externalCalls.push({ service });
-    }
-  }
-
-  return actions;
-}
-
-function inferMethod(text) {
-  const upper = text.toUpperCase();
-  if (upper.includes("POST")) return "POST";
-  if (upper.includes("PUT")) return "PUT";
-  if (upper.includes("PATCH")) return "PATCH";
-  if (upper.includes("DELETE")) return "DELETE";
-  return "GET";
-}
-
-/**
- * Validate route actions against contract
- */
-function validateRouteActions(actions, routeContract) {
-  const violations = [];
-  const warnings = [];
-  const contractRoutes = new Set(routeContract.routes.map(r => r.path));
-
-  for (const route of actions.routes) {
-    // Check exact match
-    if (!contractRoutes.has(route.path)) {
-      // Check parameterized match
-      const match = routeContract.routes.find(r => matchesParameterized(r.path, route.path));
-      
-      if (!match) {
-        violations.push({
-          type: "invented_route",
-          severity: "BLOCK",
-          route: route.path,
-          method: route.method,
-          message: `Plan references route ${route.method} ${route.path} which does not exist in contract`,
-          suggestion: `Available routes: ${routeContract.routes.slice(0, 5).map(r => r.path).join(", ")}...`
-        });
-      }
-    }
-  }
-
-  return { violations, warnings };
-}
-
-/**
- * Validate env actions against contract
- */
-function validateEnvActions(actions, envContract) {
-  const violations = [];
-  const warnings = [];
-  const contractVars = new Set(envContract.vars.map(v => v.name));
-
-  for (const varName of actions.envVars) {
-    if (!contractVars.has(varName)) {
-      warnings.push({
-        type: "undeclared_env",
-        severity: "WARN",
-        name: varName,
-        message: `Plan uses env var ${varName} which is not in contract`,
-        suggestion: "Add to .vibecheck/contracts/env.json or .env.example"
-      });
-    }
-  }
-
-  return { violations, warnings };
-}
-
-/**
- * Validate auth actions against contract
- */
-function validateAuthActions(actions, authContract) {
-  const violations = [];
-  const warnings = [];
-
-  // Check for auth assumptions that conflict with contract
-  for (const assumption of actions.authAssumptions) {
-    if (assumption.type === "no_auth") {
-      // Plan assumes no auth - check if referenced routes are actually public
-      warnings.push({
-        type: "auth_assumption",
-        severity: "WARN",
-        message: "Plan assumes some routes are public - verify against auth contract",
-        suggestion: `Protected patterns: ${authContract.protectedPatterns.slice(0, 3).join(", ")}...`
-      });
-    }
-  }
-
-  return { violations, warnings };
-}
-
-/**
- * Validate external service actions against contract
- */
-function validateExternalActions(actions, externalContract) {
-  const violations = [];
-  const warnings = [];
-  const contractServices = new Set(externalContract.services.map(s => s.name));
-
-  for (const call of actions.externalCalls) {
-    if (!contractServices.has(call.service)) {
-      warnings.push({
-        type: "undeclared_service",
-        severity: "WARN",
-        service: call.service,
-        message: `Plan uses ${call.service} which is not declared in external contract`,
-        suggestion: "Add to .vibecheck/contracts/external.json"
-      });
-    }
-  }
-
-  return { violations, warnings };
-}
-
-function matchesParameterized(pattern, actual) {
-  const patternParts = pattern.split("/").filter(Boolean);
-  const actualParts = actual.split("/").filter(Boolean);
-
-  if (patternParts.length !== actualParts.length) return false;
-
-  for (let i = 0; i < patternParts.length; i++) {
-    const p = patternParts[i];
-    if (p.startsWith(":") || p.startsWith("*")) continue;
-    if (p !== actualParts[i]) return false;
-  }
-  return true;
-}
-
-/**
- * Format validation result for display
- */
-function formatValidationResult(result) {
-  const lines = [];
-
-  if (result.valid) {
-    lines.push("✓ Plan validated against contracts");
-  } else {
-    lines.push("✗ Plan validation failed");
-  }
-
-  if (result.violations.length > 0) {
-    lines.push(`\n🛑 VIOLATIONS (${result.violations.length}):`);
-    for (const v of result.violations) {
-      lines.push(`  ✗ ${v.message}`);
-      if (v.suggestion) lines.push(`    → ${v.suggestion}`);
-    }
-  }
-
-  if (result.warnings.length > 0) {
-    lines.push(`\n⚠️ WARNINGS (${result.warnings.length}):`);
-    for (const w of result.warnings) {
-      lines.push(`  ⚠ ${w.message}`);
-      if (w.suggestion) lines.push(`    → ${w.suggestion}`);
-    }
-  }
-
-  return lines.join("\n");
-}
-
-module.exports = {
-  validatePlan,
-  parsePlanActions,
-  formatValidationResult
-};
+/**
+ * Plan Validator
+ * Validates AI agent plans against contracts
+ * This is the core of the "hallucination stopper"
+ */
+
+"use strict";
+
+/**
+ * Validate an AI-generated plan against contracts
+ * Returns validation result with specific violations
+ */
+function validatePlan(plan, contracts) {
+  const result = {
+    valid: true,
+    violations: [],
+    warnings: [],
+    suggestions: []
+  };
+
+  // Parse plan to extract intended actions
+  const actions = parsePlanActions(plan);
+
+  // Validate route references
+  if (contracts.routes) {
+    const routeResult = validateRouteActions(actions, contracts.routes);
+    result.violations.push(...routeResult.violations);
+    result.warnings.push(...routeResult.warnings);
+  }
+
+  // Validate env references
+  if (contracts.env) {
+    const envResult = validateEnvActions(actions, contracts.env);
+    result.violations.push(...envResult.violations);
+    result.warnings.push(...envResult.warnings);
+  }
+
+  // Validate auth assumptions
+  if (contracts.auth) {
+    const authResult = validateAuthActions(actions, contracts.auth);
+    result.violations.push(...authResult.violations);
+    result.warnings.push(...authResult.warnings);
+  }
+
+  // Validate external service usage
+  if (contracts.external) {
+    const externalResult = validateExternalActions(actions, contracts.external);
+    result.violations.push(...externalResult.violations);
+    result.warnings.push(...externalResult.warnings);
+  }
+
+  result.valid = result.violations.length === 0;
+  return result;
+}
+
+/**
+ * Parse plan to extract intended actions
+ */
+function parsePlanActions(plan) {
+  const actions = {
+    routes: [],
+    envVars: [],
+    files: [],
+    authAssumptions: [],
+    externalCalls: []
+  };
+
+  // Handle different plan formats
+  const planText = typeof plan === "string" ? plan : JSON.stringify(plan);
+
+  // Extract route references
+  const routePatterns = [
+    /(?:fetch|axios|api\.)\s*\(\s*['"`]([/][^'"`]+)['"`]/gi,
+    /(?:GET|POST|PUT|PATCH|DELETE)\s+([/][^\s]+)/gi,
+    /\/api\/[a-z0-9/_-]+/gi
+  ];
+
+  for (const pattern of routePatterns) {
+    let match;
+    while ((match = pattern.exec(planText)) !== null) {
+      const path = match[1] || match[0];
+      if (path.startsWith("/")) {
+        actions.routes.push({
+          path: path.replace(/['"`]/g, ""),
+          method: inferMethod(match[0])
+        });
+      }
+    }
+  }
+
+  // Extract env var references
+  const envPatterns = [
+    /process\.env\.([A-Z_][A-Z0-9_]*)/gi,
+    /import\.meta\.env\.([A-Z_][A-Z0-9_]*)/gi,
+    /\$\{?([A-Z_][A-Z0-9_]*)\}?/g
+  ];
+
+  for (const pattern of envPatterns) {
+    let match;
+    while ((match = pattern.exec(planText)) !== null) {
+      if (match[1] && /^[A-Z]/.test(match[1])) {
+        actions.envVars.push(match[1]);
+      }
+    }
+  }
+
+  // Extract file references
+  const filePatterns = [
+    /(?:create|modify|edit|update|delete|add to)\s+['"`]?([a-z0-9/_.-]+\.[a-z]+)['"`]?/gi,
+    /(?:in|at|file)\s+['"`]([^'"`]+)['"`]/gi
+  ];
+
+  for (const pattern of filePatterns) {
+    let match;
+    while ((match = pattern.exec(planText)) !== null) {
+      if (match[1]) {
+        actions.files.push(match[1]);
+      }
+    }
+  }
+
+  // Extract auth assumptions
+  const authPatterns = [
+    /(?:authenticated|logged in|auth required|protected)/gi,
+    /(?:public|no auth|unauthenticated)/gi
+  ];
+
+  if (/(?:authenticated|logged in|auth required|protected)/i.test(planText)) {
+    actions.authAssumptions.push({ type: "requires_auth" });
+  }
+  if (/(?:public|no auth|unauthenticated)/i.test(planText)) {
+    actions.authAssumptions.push({ type: "no_auth" });
+  }
+
+  // Extract external service references
+  const externalPatterns = [
+    /stripe\./gi,
+    /github\./gi,
+    /sendgrid\./gi,
+    /twilio\./gi,
+    /supabase\./gi
+  ];
+
+  for (const pattern of externalPatterns) {
+    if (pattern.test(planText)) {
+      const service = pattern.source.replace(/\\\./g, "").toLowerCase();
+      actions.externalCalls.push({ service });
+    }
+  }
+
+  return actions;
+}
+
+function inferMethod(text) {
+  const upper = text.toUpperCase();
+  if (upper.includes("POST")) return "POST";
+  if (upper.includes("PUT")) return "PUT";
+  if (upper.includes("PATCH")) return "PATCH";
+  if (upper.includes("DELETE")) return "DELETE";
+  return "GET";
+}
+
+/**
+ * Validate route actions against contract
+ */
+function validateRouteActions(actions, routeContract) {
+  const violations = [];
+  const warnings = [];
+  const contractRoutes = new Set(routeContract.routes.map(r => r.path));
+
+  for (const route of actions.routes) {
+    // Check exact match
+    if (!contractRoutes.has(route.path)) {
+      // Check parameterized match
+      const match = routeContract.routes.find(r => matchesParameterized(r.path, route.path));
+      
+      if (!match) {
+        violations.push({
+          type: "invented_route",
+          severity: "BLOCK",
+          route: route.path,
+          method: route.method,
+          message: `Plan references route ${route.method} ${route.path} which does not exist in contract`,
+          suggestion: `Available routes: ${routeContract.routes.slice(0, 5).map(r => r.path).join(", ")}...`
+        });
+      }
+    }
+  }
+
+  return { violations, warnings };
+}
+
+/**
+ * Validate env actions against contract
+ */
+function validateEnvActions(actions, envContract) {
+  const violations = [];
+  const warnings = [];
+  const contractVars = new Set(envContract.vars.map(v => v.name));
+
+  for (const varName of actions.envVars) {
+    if (!contractVars.has(varName)) {
+      warnings.push({
+        type: "undeclared_env",
+        severity: "WARN",
+        name: varName,
+        message: `Plan uses env var ${varName} which is not in contract`,
+        suggestion: "Add to .vibecheck/contracts/env.json or .env.example"
+      });
+    }
+  }
+
+  return { violations, warnings };
+}
+
+/**
+ * Validate auth actions against contract
+ */
+function validateAuthActions(actions, authContract) {
+  const violations = [];
+  const warnings = [];
+
+  // Check for auth assumptions that conflict with contract
+  for (const assumption of actions.authAssumptions) {
+    if (assumption.type === "no_auth") {
+      // Plan assumes no auth - check if referenced routes are actually public
+      warnings.push({
+        type: "auth_assumption",
+        severity: "WARN",
+        message: "Plan assumes some routes are public - verify against auth contract",
+        suggestion: `Protected patterns: ${authContract.protectedPatterns.slice(0, 3).join(", ")}...`
+      });
+    }
+  }
+
+  return { violations, warnings };
+}
+
+/**
+ * Validate external service actions against contract
+ */
+function validateExternalActions(actions, externalContract) {
+  const violations = [];
+  const warnings = [];
+  const contractServices = new Set(externalContract.services.map(s => s.name));
+
+  for (const call of actions.externalCalls) {
+    if (!contractServices.has(call.service)) {
+      warnings.push({
+        type: "undeclared_service",
+        severity: "WARN",
+        service: call.service,
+        message: `Plan uses ${call.service} which is not declared in external contract`,
+        suggestion: "Add to .vibecheck/contracts/external.json"
+      });
+    }
+  }
+
+  return { violations, warnings };
+}
+
+function matchesParameterized(pattern, actual) {
+  const patternParts = pattern.split("/").filter(Boolean);
+  const actualParts = actual.split("/").filter(Boolean);
+
+  if (patternParts.length !== actualParts.length) return false;
+
+  for (let i = 0; i < patternParts.length; i++) {
+    const p = patternParts[i];
+    if (p.startsWith(":") || p.startsWith("*")) continue;
+    if (p !== actualParts[i]) return false;
+  }
+  return true;
+}
+
+/**
+ * Format validation result for display
+ */
+function formatValidationResult(result) {
+  const lines = [];
+
+  if (result.valid) {
+    lines.push("✓ Plan validated against contracts");
+  } else {
+    lines.push("✗ Plan validation failed");
+  }
+
+  if (result.violations.length > 0) {
+    lines.push(`\n🛑 VIOLATIONS (${result.violations.length}):`);
+    for (const v of result.violations) {
+      lines.push(`  ✗ ${v.message}`);
+      if (v.suggestion) lines.push(`    → ${v.suggestion}`);
+    }
+  }
+
+  if (result.warnings.length > 0) {
+    lines.push(`\n⚠️ WARNINGS (${result.warnings.length}):`);
+    for (const w of result.warnings) {
+      lines.push(`  ⚠ ${w.message}`);
+      if (w.suggestion) lines.push(`    → ${w.suggestion}`);
+    }
+  }
+
+  return lines.join("\n");
+}
+
+module.exports = {
+  validatePlan,
+  parsePlanActions,
+  formatValidationResult
+};