npm - @vibecheckai/cli - Versions diffs - 3.2.2 → 3.2.4 - Mend

@vibecheckai/cli 3.2.2 → 3.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/bin/.generated +25 -25
package/bin/dev/run-v2-torture.js +30 -30
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -121
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -295
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +117 -28
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +23 -14
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +72 -1
package/bin/runners/lib/agent-firewall/interceptor/base.js +2 -2
package/bin/runners/lib/agent-firewall/policy/default-policy.json +6 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +34 -3
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +29 -4
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +12 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +21 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/analyzers.js +606 -325
package/bin/runners/lib/auth-truth.js +193 -193
package/bin/runners/lib/backup.js +62 -62
package/bin/runners/lib/billing.js +107 -107
package/bin/runners/lib/claims.js +118 -118
package/bin/runners/lib/cli-ui.js +540 -540
package/bin/runners/lib/contracts/auth-contract.js +202 -202
package/bin/runners/lib/contracts/env-contract.js +181 -181
package/bin/runners/lib/contracts/external-contract.js +206 -206
package/bin/runners/lib/contracts/guard.js +168 -168
package/bin/runners/lib/contracts/index.js +89 -89
package/bin/runners/lib/contracts/plan-validator.js +311 -311
package/bin/runners/lib/contracts/route-contract.js +199 -199
package/bin/runners/lib/contracts.js +804 -804
package/bin/runners/lib/detect.js +89 -89
package/bin/runners/lib/doctor/autofix.js +254 -254
package/bin/runners/lib/doctor/index.js +37 -37
package/bin/runners/lib/doctor/modules/dependencies.js +325 -325
package/bin/runners/lib/doctor/modules/index.js +46 -46
package/bin/runners/lib/doctor/modules/network.js +250 -250
package/bin/runners/lib/doctor/modules/project.js +312 -312
package/bin/runners/lib/doctor/modules/runtime.js +224 -224
package/bin/runners/lib/doctor/modules/security.js +348 -348
package/bin/runners/lib/doctor/modules/system.js +213 -213
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -394
package/bin/runners/lib/doctor/reporter.js +262 -262
package/bin/runners/lib/doctor/service.js +262 -262
package/bin/runners/lib/doctor/types.js +113 -113
package/bin/runners/lib/doctor/ui.js +263 -263
package/bin/runners/lib/doctor-v2.js +608 -608
package/bin/runners/lib/drift.js +425 -425
package/bin/runners/lib/enforcement.js +72 -72
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -603
package/bin/runners/lib/enterprise-init.js +942 -942
package/bin/runners/lib/env-resolver.js +417 -417
package/bin/runners/lib/env-template.js +66 -66
package/bin/runners/lib/env.js +189 -189
package/bin/runners/lib/extractors/client-calls.js +990 -990
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -573
package/bin/runners/lib/extractors/fastify-routes.js +426 -426
package/bin/runners/lib/extractors/index.js +363 -363
package/bin/runners/lib/extractors/next-routes.js +524 -524
package/bin/runners/lib/extractors/proof-graph.js +431 -431
package/bin/runners/lib/extractors/route-matcher.js +451 -451
package/bin/runners/lib/extractors/truthpack-v2.js +377 -377
package/bin/runners/lib/extractors/ui-bindings.js +547 -547
package/bin/runners/lib/findings-schema.js +281 -281
package/bin/runners/lib/firewall-prompt.js +50 -50
package/bin/runners/lib/global-flags.js +213 -213
package/bin/runners/lib/graph/graph-builder.js +265 -265
package/bin/runners/lib/graph/html-renderer.js +413 -413
package/bin/runners/lib/graph/index.js +32 -32
package/bin/runners/lib/graph/runtime-collector.js +215 -215
package/bin/runners/lib/graph/static-extractor.js +518 -518
package/bin/runners/lib/html-report.js +650 -650
package/bin/runners/lib/interactive-menu.js +1496 -1496
package/bin/runners/lib/llm.js +75 -75
package/bin/runners/lib/meter.js +61 -61
package/bin/runners/lib/missions/evidence.js +126 -126
package/bin/runners/lib/patch.js +40 -40
package/bin/runners/lib/permissions/auth-model.js +213 -213
package/bin/runners/lib/permissions/idor-prover.js +205 -205
package/bin/runners/lib/permissions/index.js +45 -45
package/bin/runners/lib/permissions/matrix-builder.js +198 -198
package/bin/runners/lib/pkgjson.js +28 -28
package/bin/runners/lib/policy.js +295 -295
package/bin/runners/lib/preflight.js +142 -142
package/bin/runners/lib/reality/correlation-detectors.js +359 -359
package/bin/runners/lib/reality/index.js +318 -318
package/bin/runners/lib/reality/request-hashing.js +416 -416
package/bin/runners/lib/reality/request-mapper.js +453 -453
package/bin/runners/lib/reality/safety-rails.js +463 -463
package/bin/runners/lib/reality/semantic-snapshot.js +408 -408
package/bin/runners/lib/reality/toast-detector.js +393 -393
package/bin/runners/lib/reality-findings.js +84 -84
package/bin/runners/lib/receipts.js +179 -179
package/bin/runners/lib/redact.js +29 -29
package/bin/runners/lib/replay/capsule-manager.js +154 -154
package/bin/runners/lib/replay/index.js +263 -263
package/bin/runners/lib/replay/player.js +348 -348
package/bin/runners/lib/replay/recorder.js +331 -331
package/bin/runners/lib/report-output.js +187 -187
package/bin/runners/lib/report.js +135 -135
package/bin/runners/lib/route-detection.js +1140 -1140
package/bin/runners/lib/sandbox/index.js +59 -59
package/bin/runners/lib/sandbox/proof-chain.js +399 -399
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -205
package/bin/runners/lib/sandbox/worktree.js +174 -174
package/bin/runners/lib/scan-output.js +525 -190
package/bin/runners/lib/schema-validator.js +350 -350
package/bin/runners/lib/schemas/contracts.schema.json +160 -160
package/bin/runners/lib/schemas/finding.schema.json +100 -100
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -206
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -176
package/bin/runners/lib/schemas/reality-report.schema.json +162 -162
package/bin/runners/lib/schemas/share-pack.schema.json +180 -180
package/bin/runners/lib/schemas/ship-report.schema.json +117 -117
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -303
package/bin/runners/lib/schemas/validator.js +438 -438
package/bin/runners/lib/score-history.js +282 -282
package/bin/runners/lib/share-pack.js +239 -239
package/bin/runners/lib/snippets.js +67 -67
package/bin/runners/lib/status-output.js +253 -253
package/bin/runners/lib/terminal-ui.js +351 -271
package/bin/runners/lib/upsell.js +510 -510
package/bin/runners/lib/usage.js +153 -153
package/bin/runners/lib/validate-patch.js +156 -156
package/bin/runners/lib/verdict-engine.js +628 -628
package/bin/runners/reality/engine.js +917 -917
package/bin/runners/reality/flows.js +122 -122
package/bin/runners/reality/report.js +378 -378
package/bin/runners/reality/session.js +193 -193
package/bin/runners/runGuard.js +168 -168
package/bin/runners/runProof.zip +0 -0
package/bin/runners/runProve.js +8 -0
package/bin/runners/runReality.js +14 -0
package/bin/runners/runScan.js +17 -1
package/bin/runners/runTruth.js +15 -3
package/mcp-server/tier-auth.js +4 -4
package/mcp-server/tools/index.js +72 -72
package/package.json +1 -1

package/bin/runners/lib/agent-firewall/evidence/env-evidence.js CHANGED Viewed

@@ -48,24 +48,33 @@ function resolve(projectRoot, claim) {
   }
   // Check if env var exists in .env.example or schema files
-  const envExamplePath = path.join(projectRoot, ".env.example");
-  const envSchemaPath = findEnvSchemaFile(projectRoot);
+  // Check multiple possible locations for .env.example
+  const envExamplePaths = [
+    path.join(projectRoot, ".env.example"),
+    path.join(projectRoot, "apps", "web-ui", ".env.example"),
+    path.join(projectRoot, "apps", "api", ".env.example")
+  ];
-  if (fs.existsSync(envExamplePath)) {
-    const envExample = fs.readFileSync(envExamplePath, "utf8");
-    if (envExample.includes(envVarName)) {
-      return {
-        result: "PROVEN",
-        sources: [{
-          type: "repo.search",
-          pointer: ".env.example",
-          confidence: 0.7
-        }],
-        reason: `Environment variable ${envVarName} found in .env.example`
-      };
+  for (const envExamplePath of envExamplePaths) {
+    if (fs.existsSync(envExamplePath)) {
+      const envExample = fs.readFileSync(envExamplePath, "utf8");
+      if (envExample.includes(envVarName)) {
+        const relativePath = path.relative(projectRoot, envExamplePath).replace(/\\/g, "/");
+        return {
+          result: "PROVEN",
+          sources: [{
+            type: "repo.search",
+            pointer: relativePath,
+            confidence: 0.7
+          }],
+          reason: `Environment variable ${envVarName} found in ${relativePath}`
+        };
+      }
     }
   }
+  const envSchemaPath = findEnvSchemaFile(projectRoot);
   if (envSchemaPath && fs.existsSync(envSchemaPath)) {
     const envSchema = fs.readFileSync(envSchemaPath, "utf8");
     if (envSchema.includes(envVarName)) {

package/bin/runners/lib/agent-firewall/evidence/route-evidence.js CHANGED Viewed

@@ -9,6 +9,7 @@
 const { getRoutes } = require("../truthpack");
 const { canonicalizePath } = require("../../route-truth");
+const { shouldIgnore } = require("../utils/ignore-checker");
 /**
  * Resolve route claim evidence
@@ -17,11 +18,81 @@ const { canonicalizePath } = require("../../route-truth");
  * @returns {object} Evidence result
  */
 function resolve(projectRoot, claim) {
-  const routes = getRoutes(projectRoot);
+  // Skip checking routes from ignored files (test files, fixtures, etc.)
+  if (claim.pointer && shouldIgnore(projectRoot, claim.pointer.split(":")[0])) {
+    return {
+      result: "PROVEN",
+      sources: [{
+        type: "ignored",
+        pointer: claim.pointer,
+        confidence: 1.0
+      }],
+      reason: `Route from ignored file (test/fixture)`
+    };
+  }
   // Normalize route path from claim
   const routePath = canonicalizePath(claim.value);
+  // Skip external API calls (routes that don't start with /api/ in Next.js context)
+  // Routes like /content/blog, /content/faq are external backend API calls, not Next.js routes
+  // Only validate Next.js API routes (those in apps/web-ui/src/app/api/)
+  if (!routePath.startsWith('/api/')) {
+    return {
+      result: "PROVEN",
+      sources: [{
+        type: "external_api",
+        pointer: claim.pointer,
+        confidence: 1.0
+      }],
+      reason: `Route ${routePath} is an external API call, not a Next.js route`
+    };
+  }
+  // Skip wildcard patterns from template literals (they're approximations)
+  // These are detected from fetch(`${url}/api/...`) and are not exact routes
+  if (routePath.includes('*') || routePath === '/api/*') {
+    return {
+      result: "PROVEN",
+      sources: [{
+        type: "pattern",
+        pointer: claim.pointer,
+        confidence: 0.8
+      }],
+      reason: `Route pattern ${routePath} is a template literal approximation, not an exact route`
+    };
+  }
+  // Skip backend API routes (routes from template literals using apiUrl)
+  // These are calls to the backend API server, not Next.js API routes
+  if (claim.isBackendApi || (claim.reason && claim.reason.includes('backend API'))) {
+    return {
+      result: "PROVEN",
+      sources: [{
+        type: "backend_api",
+        pointer: claim.pointer,
+        confidence: 0.9
+      }],
+      reason: `Route ${routePath} is a backend API call (using apiUrl variable), not a Next.js route`
+    };
+  }
+  // Skip routes that are clearly backend API routes (v1, v2, etc. are typically backend)
+  // Next.js API routes are usually simpler like /api/checkout, /api/health
+  if (routePath.match(/^\/api\/v\d+\//)) {
+    return {
+      result: "PROVEN",
+      sources: [{
+        type: "backend_api",
+        pointer: claim.pointer,
+        confidence: 0.85
+      }],
+      reason: `Route ${routePath} appears to be a backend API route (versioned), not a Next.js route`
+    };
+  }
+  const routes = getRoutes(projectRoot);
   // Check if route exists in truthpack
   if (routes && routes.length > 0) {
     // First, check for exact match

package/bin/runners/lib/agent-firewall/interceptor/base.js CHANGED Viewed

@@ -77,7 +77,7 @@ async function interceptFileWrite({
   }];
   // Evaluate policy
-  const verdict = evaluatePolicy({
+  const verdict = await evaluatePolicy({
     policy,
     claims,
     evidence,
@@ -159,7 +159,7 @@ async function interceptMultiFileWrite({
   const evidence = resolveEvidence(projectRoot, allClaims);
   // Evaluate policy
-  const verdict = evaluatePolicy({
+  const verdict = await evaluatePolicy({
     policy,
     claims: allClaims,
     evidence,

package/bin/runners/lib/agent-firewall/policy/default-policy.json CHANGED Viewed

@@ -55,6 +55,12 @@
     "unsafe_side_effect": {
       "severity": "block",
       "enabled": true
+    },
+    "ai_false_positive_detection": {
+      "enabled": true,
+      "confidence_threshold": 0.8,
+      "logSkipped": true,
+      "useLLM": false
     }
   },
   "evidence": {

package/bin/runners/lib/agent-firewall/policy/engine.js CHANGED Viewed

@@ -2,7 +2,7 @@
  * Policy Engine
  *
  * Main policy engine that evaluates all rules deterministically.
- * No LLM opinions - pure rule-based evaluation.
+ * Uses AI to reduce false positives when enabled.
  */
 "use strict";
@@ -15,6 +15,7 @@ const fakeSuccess = require("./rules/fake-success");
 const scope = require("./rules/scope");
 const unsafeSideEffect = require("./rules/unsafe-side-effect");
 const { generateVerdict } = require("./verdict");
+const { analyzeFalsePositive } = require("../ai/false-positive-analyzer");
 /**
  * Evaluate policy against change packet
@@ -24,9 +25,9 @@ const { generateVerdict } = require("./verdict");
  * @param {array} params.evidence - Evidence resolution results
  * @param {array} params.files - Changed files
  * @param {string} params.intent - Agent intent message
- * @returns {object} Verdict object
+ * @returns {Promise<object>} Verdict object
  */
-function evaluatePolicy({ policy, claims, evidence, files, intent }) {
+async function evaluatePolicy({ policy, claims, evidence, files, intent }) {
   const violations = [];
   // Evaluate all rules
@@ -44,6 +45,36 @@ function evaluatePolicy({ policy, claims, evidence, files, intent }) {
     try {
       const violation = evaluator.evaluate({ claims, evidence, policy });
       if (violation) {
+        // Use AI to check if this is a false positive
+        const claim = claims.find(c =>
+          c.type === violation.claim?.type &&
+          c.value === violation.claim?.value
+        );
+        if (claim && policy.rules?.ai_false_positive_detection?.enabled) {
+          try {
+            const aiAnalysis = await analyzeFalsePositive({
+              violation,
+              claim,
+              filePath: claim.file || violation.claim?.file || "unknown",
+              projectRoot: process.cwd(),
+              policy
+            });
+            // If AI determines it's a false positive with high confidence, skip it
+            if (aiAnalysis.isFalsePositive && aiAnalysis.confidence >= 0.8) {
+              // Log but don't add to violations
+              if (policy.rules?.ai_false_positive_detection?.logSkipped) {
+                console.log(`[AI] Skipping false positive: ${violation.message} (confidence: ${aiAnalysis.confidence}, reason: ${aiAnalysis.reason})`);
+              }
+              continue;
+            }
+          } catch (aiError) {
+            // If AI analysis fails, proceed with the violation
+            console.warn(`[AI] False positive analysis failed: ${aiError.message}`);
+          }
+        }
         violations.push(violation);
       }
     } catch (error) {

package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js CHANGED Viewed

@@ -30,7 +30,32 @@ function evaluate({ claims, evidence, policy }) {
     return null;
   }
-  // Check if there's a corresponding HTTP call or side effect
+  // Filter out false positives: if there's an HTTP call in the same file, it's likely a response check
+  const realSuccessClaims = successClaims.filter(claim => {
+    const claimFile = claim.pointer ? claim.pointer.split(":")[0] : "";
+    if (!claimFile) return true;
+    // Check if there's an HTTP call in the same file (within reasonable distance)
+    const claimLine = claim.pointer ? parseInt(claim.pointer.split(":")[1]?.split("-")[0] || "0", 10) : 0;
+    const hasNearbyHttpCall = claims.some(c => {
+      if (c.type !== CLAIM_TYPES.HTTP_CALL && c.type !== CLAIM_TYPES.ROUTE) return false;
+      const cFile = c.pointer ? c.pointer.split(":")[0] : "";
+      if (cFile !== claimFile) return false;
+      const cLine = c.pointer ? parseInt(c.pointer.split(":")[1]?.split("-")[0] || "0", 10) : 0;
+      // Within 50 lines is considered "nearby"
+      return Math.abs(cLine - claimLine) <= 50;
+    });
+    // If there's a nearby HTTP call, this is likely checking the response, not showing UI
+    // Only flag if there's NO HTTP call nearby
+    return !hasNearbyHttpCall;
+  });
+  if (realSuccessClaims.length === 0) {
+    return null; // All were false positives (likely API response checks)
+  }
+  // Check if there's a corresponding HTTP call or side effect globally
   const hasHttpCall = claims.some(c =>
     c.type === CLAIM_TYPES.HTTP_CALL || c.type === CLAIM_TYPES.ROUTE
   );
@@ -40,7 +65,7 @@ function evaluate({ claims, evidence, policy }) {
   if (!hasHttpCall && !hasSideEffect) {
     // Check if domain requires blocking
     const blockDomains = ruleConfig.block_if_domain || [];
-    const fileDomain = successClaims[0].domain || "general";
+    const fileDomain = realSuccessClaims[0].domain || "general";
     const shouldBlock = blockDomains.includes(fileDomain);
@@ -48,8 +73,8 @@ function evaluate({ claims, evidence, policy }) {
       rule: "fake_success_ui",
       severity: shouldBlock ? "block" : (ruleConfig.severity || "warn"),
       message: `Fake success UI: Success message shown but no HTTP call or side effect detected`,
-      claimId: `claim_${claims.indexOf(successClaims[0])}`,
-      claim: successClaims[0]
+      claimId: `claim_${claims.indexOf(realSuccessClaims[0])}`,
+      claim: realSuccessClaims[0]
     };
   }

package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js CHANGED Viewed

@@ -30,7 +30,19 @@ function evaluate({ claims, evidence, policy }) {
     if (claim.type === CLAIM_TYPES.ROUTE || claim.type === CLAIM_TYPES.HTTP_CALL) {
       const ev = evidence.find(e => e.claimId === `claim_${i}`);
+      // Skip if evidence shows it's an external API call or ignored file
+      if (ev && (ev.result === "PROVEN" && (ev.reason?.includes("external API") || ev.reason?.includes("ignored file")))) {
+        continue;
+      }
       if (ev && ev.result === "UNPROVEN") {
+        // Double-check: skip external API calls (routes not starting with /api/)
+        const routePath = String(claim.value || "").trim();
+        if (!routePath.startsWith('/api/')) {
+          // This is an external API call, not a Next.js route - skip
+          continue;
+        }
         return {
           rule: "ghost_route",
           severity: ruleConfig.severity || "block",

package/bin/runners/lib/agent-firewall/truthpack/loader.js CHANGED Viewed

@@ -65,6 +65,27 @@ function loadTruthpackFile(projectRoot, filename) {
   const filePath = path.join(projectRoot, TRUTHPACK_DIR, filename);
   if (!fs.existsSync(filePath)) {
+    // Fallback: try loading from truthpack.json if routes.json doesn't exist
+    if (filename === "routes.json") {
+      const truthpackPath = path.join(projectRoot, ".vibecheck", "truthpack.json");
+      if (fs.existsSync(truthpackPath)) {
+        try {
+          const truthpack = JSON.parse(fs.readFileSync(truthpackPath, "utf8"));
+          // Extract server routes from truthpack.json format
+          if (truthpack.routes && truthpack.routes.server) {
+            return {
+              routes: truthpack.routes.server.map(r => ({
+                path: r.path,
+                method: r.method,
+                handler: r.handler || r.source
+              }))
+            };
+          }
+        } catch (error) {
+          // Fall through to return null
+        }
+      }
+    }
     return null;
   }

package/bin/runners/lib/agent-firewall/utils/ignore-checker.js ADDED Viewed

@@ -0,0 +1,118 @@
+/**
+ * Ignore File Checker
+ *
+ * Checks if a file matches patterns in .vibecheckignore
+ */
+"use strict";
+const fs = require("fs");
+const path = require("path");
+// Try to use minimatch if available, otherwise use simple pattern matching
+let minimatch;
+try {
+  minimatch = require("minimatch").minimatch;
+} catch {
+  minimatch = null;
+}
+let ignorePatterns = null;
+let ignoreFile = null;
+/**
+ * Load ignore patterns from .vibecheckignore
+ * @param {string} projectRoot - Project root directory
+ * @returns {array} Array of ignore patterns
+ */
+function loadIgnorePatterns(projectRoot) {
+  if (ignorePatterns !== null && ignoreFile === projectRoot) {
+    return ignorePatterns;
+  }
+  const ignorePath = path.join(projectRoot, ".vibecheckignore");
+  ignorePatterns = [];
+  if (fs.existsSync(ignorePath)) {
+    const content = fs.readFileSync(ignorePath, "utf8");
+    ignorePatterns = content
+      .split("\n")
+      .map(line => line.trim())
+      .filter(line => line && !line.startsWith("#"));
+  }
+  ignoreFile = projectRoot;
+  return ignorePatterns;
+}
+/**
+ * Check if a file should be ignored
+ * @param {string} projectRoot - Project root directory
+ * @param {string} filePath - File path (relative to project root)
+ * @returns {boolean} True if file should be ignored
+ */
+function shouldIgnore(projectRoot, filePath) {
+  const patterns = loadIgnorePatterns(projectRoot);
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  // Check against all patterns
+  for (const pattern of patterns) {
+    // Handle both glob patterns and simple path matches
+    if (minimatch) {
+      if (minimatch(normalizedPath, pattern, { matchBase: true }) ||
+          minimatch(normalizedPath, `**/${pattern}`, { matchBase: true })) {
+        return true;
+      }
+    } else {
+      // Fallback: simple pattern matching
+      const regexPattern = pattern
+        .replace(/\*\*/g, ".*")
+        .replace(/\*/g, "[^/]*")
+        .replace(/\//g, "\\/");
+      const regex = new RegExp(`^${regexPattern}$`);
+      if (regex.test(normalizedPath)) {
+        return true;
+      }
+    }
+    // Also check if path contains the pattern as a substring (for directory patterns)
+    const cleanPattern = pattern.replace(/\*\*/g, "").replace(/\*/g, "");
+    if (normalizedPath.includes(cleanPattern)) {
+      return true;
+    }
+  }
+  // Also check common test file patterns
+  const testPatterns = [
+    /\/__tests__\//,
+    /\.test\.(ts|tsx|js|jsx)$/,
+    /\.spec\.(ts|tsx|js|jsx)$/,
+    /\/tests\//,
+    /\/test\//,
+    /\/fixtures\//,
+    /\/examples\//,
+    /\/templates\//
+  ];
+  for (const pattern of testPatterns) {
+    if (pattern.test(normalizedPath)) {
+      return true;
+    }
+  }
+  return false;
+}
+/**
+ * Clear cached ignore patterns (for testing)
+ */
+function clearCache() {
+  ignorePatterns = null;
+  ignoreFile = null;
+}
+module.exports = {
+  shouldIgnore,
+  loadIgnorePatterns,
+  clearCache
+};