@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/schemas/validator.js

@@ -1,438 +1,438 @@
-/**
- * Schema Validator v2
- * 
- * Validates artifacts against JSON schemas and provides
- * consistent finding/evidence generation.
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-// Schema cache
-const schemaCache = new Map();
-
-// Schema IDs
-const SCHEMAS = {
-  FINDING: "finding.schema.json",
-  SHIP_REPORT: "ship-report.schema.json",
-  REALITY_REPORT: "reality-report.schema.json",
-  TRUTHPACK_V2: "truthpack-v2.schema.json",
-  CONTRACTS: "contracts.schema.json",
-  PROOF_GRAPH: "proof-graph.schema.json",
-  MISSION_PACK: "mission-pack.schema.json",
-  SHARE_PACK: "share-pack.schema.json",
-};
-
-// =============================================================================
-// SCHEMA LOADING
-// =============================================================================
-
-/**
- * Load a schema by ID
- */
-function loadSchema(schemaId) {
-  if (schemaCache.has(schemaId)) {
-    return schemaCache.get(schemaId);
-  }
-
-  const schemaPath = path.join(__dirname, schemaId);
-  if (!fs.existsSync(schemaPath)) {
-    return null;
-  }
-
-  try {
-    const schema = JSON.parse(fs.readFileSync(schemaPath, "utf8"));
-    schemaCache.set(schemaId, schema);
-    return schema;
-  } catch (e) {
-    console.error(`Failed to load schema ${schemaId}:`, e.message);
-    return null;
-  }
-}
-
-/**
- * Simple JSON Schema validator (subset of draft 2020-12)
- * For production, use Ajv - this is a minimal implementation
- */
-function validateAgainstSchema(data, schema, path = "") {
-  const errors = [];
-
-  if (!schema || !data) {
-    return errors;
-  }
-
-  // Type check
-  if (schema.type) {
-    let actualType = Array.isArray(data) ? "array" : typeof data;
-    
-    // Handle integer type - JavaScript has no integer type, only number
-    // Treat whole numbers as integers for schema validation
-    if (actualType === "number" && Number.isInteger(data)) {
-      actualType = "integer";
-    }
-    
-    const allowedTypes = Array.isArray(schema.type) ? schema.type : [schema.type];
-    
-    // Allow integer where number is expected, and vice versa for whole numbers
-    const typeMatches = allowedTypes.some(t => {
-      if (t === actualType) return true;
-      if (t === "integer" && actualType === "number" && Number.isInteger(data)) return true;
-      if (t === "number" && actualType === "integer") return true;
-      if (t === "null" && data === null) return true;
-      return false;
-    });
-    
-    if (!typeMatches) {
-      errors.push({
-        path,
-        message: `Expected ${allowedTypes.join("|")}, got ${actualType}`,
-        keyword: "type",
-      });
-      return errors; // Stop on type mismatch
-    }
-  }
-
-  // Const check
-  if (schema.const !== undefined && data !== schema.const) {
-    errors.push({
-      path,
-      message: `Expected constant "${schema.const}", got "${data}"`,
-      keyword: "const",
-    });
-  }
-
-  // Enum check
-  if (schema.enum && !schema.enum.includes(data)) {
-    errors.push({
-      path,
-      message: `Value must be one of: ${schema.enum.join(", ")}`,
-      keyword: "enum",
-    });
-  }
-
-  // Pattern check
-  if (schema.pattern && typeof data === "string") {
-    const regex = new RegExp(schema.pattern);
-    if (!regex.test(data)) {
-      errors.push({
-        path,
-        message: `String must match pattern: ${schema.pattern}`,
-        keyword: "pattern",
-      });
-    }
-  }
-
-  // Required properties
-  if (schema.required && typeof data === "object" && !Array.isArray(data)) {
-    for (const prop of schema.required) {
-      if (!(prop in data)) {
-        errors.push({
-          path: path ? `${path}.${prop}` : prop,
-          message: `Required property "${prop}" is missing`,
-          keyword: "required",
-        });
-      }
-    }
-  }
-
-  // Object properties
-  if (schema.properties && typeof data === "object" && !Array.isArray(data)) {
-    for (const [key, propSchema] of Object.entries(schema.properties)) {
-      if (key in data) {
-        const propPath = path ? `${path}.${key}` : key;
-        errors.push(...validateAgainstSchema(data[key], propSchema, propPath));
-      }
-    }
-  }
-
-  // Array items
-  if (schema.items && Array.isArray(data)) {
-    for (let i = 0; i < data.length; i++) {
-      const itemPath = `${path}[${i}]`;
-      errors.push(...validateAgainstSchema(data[i], schema.items, itemPath));
-    }
-  }
-
-  // Min/max length
-  if (schema.maxLength && typeof data === "string" && data.length > schema.maxLength) {
-    errors.push({
-      path,
-      message: `String length must be <= ${schema.maxLength}`,
-      keyword: "maxLength",
-    });
-  }
-
-  // Min/max for numbers
-  if (schema.minimum !== undefined && typeof data === "number" && data < schema.minimum) {
-    errors.push({
-      path,
-      message: `Value must be >= ${schema.minimum}`,
-      keyword: "minimum",
-    });
-  }
-  if (schema.maximum !== undefined && typeof data === "number" && data > schema.maximum) {
-    errors.push({
-      path,
-      message: `Value must be <= ${schema.maximum}`,
-      keyword: "maximum",
-    });
-  }
-
-  return errors;
-}
-
-// =============================================================================
-// ARTIFACT VALIDATION
-// =============================================================================
-
-/**
- * Validate an artifact file against its schema
- */
-function validateArtifact(filePath, schemaId) {
-  const schema = loadSchema(schemaId);
-  if (!schema) {
-    return {
-      valid: false,
-      errors: [{ path: "", message: `Schema ${schemaId} not found`, keyword: "schema" }],
-    };
-  }
-
-  let data;
-  try {
-    data = JSON.parse(fs.readFileSync(filePath, "utf8"));
-  } catch (e) {
-    return {
-      valid: false,
-      errors: [{ path: "", message: `Failed to read/parse file: ${e.message}`, keyword: "parse" }],
-    };
-  }
-
-  const errors = validateAgainstSchema(data, schema);
-  return {
-    valid: errors.length === 0,
-    errors,
-    data,
-  };
-}
-
-/**
- * Validate and write artifact with schema check
- */
-function writeValidatedArtifact(filePath, data, schemaId) {
-  const schema = loadSchema(schemaId);
-  
-  if (schema) {
-    const errors = validateAgainstSchema(data, schema);
-    if (errors.length > 0) {
-      console.warn(`Warning: Artifact ${filePath} has ${errors.length} schema violations:`);
-      errors.slice(0, 5).forEach(e => console.warn(`  - ${e.path}: ${e.message}`));
-    }
-  }
-
-  fs.mkdirSync(path.dirname(filePath), { recursive: true });
-  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
-  
-  return { written: true, path: filePath };
-}
-
-// =============================================================================
-// FINDING GENERATION
-// =============================================================================
-
-/**
- * Generate stable fingerprint for deduplication
- */
-function generateFingerprint(parts) {
-  const content = parts.filter(Boolean).join("|");
-  return crypto.createHash("sha256").update(content).digest("hex");
-}
-
-/**
- * Generate finding ID
- */
-function generateFindingId(detectorId, fingerprint) {
-  return `F_${detectorId}_${fingerprint.slice(0, 8).toUpperCase()}`;
-}
-
-/**
- * Generate evidence ID
- */
-function generateEvidenceId(fingerprint) {
-  return `E_${fingerprint.slice(0, 12).toUpperCase()}`;
-}
-
-/**
- * Create a spec-compliant finding
- */
-function createFinding(options = {}) {
-  const {
-    detectorId,
-    severity = "WARN",
-    category = "Routes",
-    scope = "client",
-    title,
-    why,
-    confidence = "medium",
-    evidence = [],
-    repro = null,
-    related = [],
-    proofNode = null,
-    missionType = null,
-    // For fingerprint generation
-    file = null,
-    path: routePath = null,
-    method = null,
-  } = options;
-
-  const fingerprint = generateFingerprint([
-    detectorId,
-    file,
-    routePath,
-    method,
-    title,
-  ]);
-
-  return {
-    id: generateFindingId(detectorId, fingerprint),
-    detectorId,
-    fingerprint: `sha256:${fingerprint}`,
-    severity,
-    category,
-    scope,
-    title,
-    why,
-    confidence,
-    evidence: evidence.map((e, i) => ({
-      id: e.id || generateEvidenceId(fingerprint + i),
-      kind: e.kind || "file",
-      ...e,
-    })),
-    repro,
-    related,
-    proofNode,
-    missionType,
-  };
-}
-
-/**
- * Create file evidence
- */
-function createFileEvidence(options = {}) {
-  const { file, lines, snippetHash, reason } = options;
-  const fp = generateFingerprint([file, lines, reason]);
-  
-  return {
-    id: generateEvidenceId(fp),
-    kind: "file",
-    file,
-    lines,
-    snippetHash,
-    reason,
-  };
-}
-
-/**
- * Create runtime evidence
- */
-function createRuntimeEvidence(options = {}) {
-  const { url, httpStatus, reason, data } = options;
-  const fp = generateFingerprint([url, httpStatus, reason]);
-  
-  return {
-    id: generateEvidenceId(fp),
-    kind: "request",
-    url,
-    httpStatus,
-    reason,
-    data,
-  };
-}
-
-// =============================================================================
-// SEVERITY POLICY
-// =============================================================================
-
-const SEVERITY_POLICY = {
-  // Route issues
-  ROUTE_MISSING: { default: "BLOCK", withRuntimeProof: "BLOCK" },
-  ROUTE_404: { default: "BLOCK" },
-  ROUTE_405: { default: "WARN" },
-  
-  // Auth issues
-  AUTH_BYPASS: { default: "BLOCK" },
-  AUTH_MISSING: { default: "WARN", criticalPath: "BLOCK" },
-  
-  // Fake success
-  FAKE_SUCCESS: { default: "BLOCK" },
-  SUCCESS_TOAST_NO_CHANGE: { default: "BLOCK" },
-  SUCCESS_BEFORE_REQUEST: { default: "BLOCK" },
-  
-  // Dead UI
-  DEAD_CLICK: { default: "BLOCK" },
-  NO_FEEDBACK: { default: "WARN" },
-  
-  // Contract drift
-  CONTRACT_DRIFT_ROUTE: { default: "WARN", blocking: "BLOCK" },
-  CONTRACT_DRIFT_ENV: { default: "WARN", required: "BLOCK" },
-  CONTRACT_DRIFT_AUTH: { default: "BLOCK" },
-  
-  // Billing
-  STRIPE_WEBHOOK_UNVERIFIED: { default: "BLOCK" },
-  PAID_SURFACE_UNENFORCED: { default: "BLOCK" },
-  
-  // Security
-  OWNER_MODE_BYPASS: { default: "BLOCK" },
-  HARDCODED_SECRET: { default: "BLOCK" },
-};
-
-/**
- * Get severity based on policy
- */
-function getSeverity(issueType, context = {}) {
-  const policy = SEVERITY_POLICY[issueType];
-  if (!policy) return "WARN";
-
-  // Check context-specific overrides
-  if (context.hasRuntimeProof && policy.withRuntimeProof) {
-    return policy.withRuntimeProof;
-  }
-  if (context.isCriticalPath && policy.criticalPath) {
-    return policy.criticalPath;
-  }
-  if (context.isBlocking && policy.blocking) {
-    return policy.blocking;
-  }
-  if (context.isRequired && policy.required) {
-    return policy.required;
-  }
-
-  return policy.default;
-}
-
-// =============================================================================
-// EXPORTS
-// =============================================================================
-
-module.exports = {
-  // Schema operations
-  SCHEMAS,
-  loadSchema,
-  validateAgainstSchema,
-  validateArtifact,
-  writeValidatedArtifact,
-  
-  // Finding generation
-  generateFingerprint,
-  generateFindingId,
-  generateEvidenceId,
-  createFinding,
-  createFileEvidence,
-  createRuntimeEvidence,
-  
-  // Severity policy
-  SEVERITY_POLICY,
-  getSeverity,
-};
+/**
+ * Schema Validator v2
+ * 
+ * Validates artifacts against JSON schemas and provides
+ * consistent finding/evidence generation.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+// Schema cache
+const schemaCache = new Map();
+
+// Schema IDs
+const SCHEMAS = {
+  FINDING: "finding.schema.json",
+  SHIP_REPORT: "ship-report.schema.json",
+  REALITY_REPORT: "reality-report.schema.json",
+  TRUTHPACK_V2: "truthpack-v2.schema.json",
+  CONTRACTS: "contracts.schema.json",
+  PROOF_GRAPH: "proof-graph.schema.json",
+  MISSION_PACK: "mission-pack.schema.json",
+  SHARE_PACK: "share-pack.schema.json",
+};
+
+// =============================================================================
+// SCHEMA LOADING
+// =============================================================================
+
+/**
+ * Load a schema by ID
+ */
+function loadSchema(schemaId) {
+  if (schemaCache.has(schemaId)) {
+    return schemaCache.get(schemaId);
+  }
+
+  const schemaPath = path.join(__dirname, schemaId);
+  if (!fs.existsSync(schemaPath)) {
+    return null;
+  }
+
+  try {
+    const schema = JSON.parse(fs.readFileSync(schemaPath, "utf8"));
+    schemaCache.set(schemaId, schema);
+    return schema;
+  } catch (e) {
+    console.error(`Failed to load schema ${schemaId}:`, e.message);
+    return null;
+  }
+}
+
+/**
+ * Simple JSON Schema validator (subset of draft 2020-12)
+ * For production, use Ajv - this is a minimal implementation
+ */
+function validateAgainstSchema(data, schema, path = "") {
+  const errors = [];
+
+  if (!schema || !data) {
+    return errors;
+  }
+
+  // Type check
+  if (schema.type) {
+    let actualType = Array.isArray(data) ? "array" : typeof data;
+    
+    // Handle integer type - JavaScript has no integer type, only number
+    // Treat whole numbers as integers for schema validation
+    if (actualType === "number" && Number.isInteger(data)) {
+      actualType = "integer";
+    }
+    
+    const allowedTypes = Array.isArray(schema.type) ? schema.type : [schema.type];
+    
+    // Allow integer where number is expected, and vice versa for whole numbers
+    const typeMatches = allowedTypes.some(t => {
+      if (t === actualType) return true;
+      if (t === "integer" && actualType === "number" && Number.isInteger(data)) return true;
+      if (t === "number" && actualType === "integer") return true;
+      if (t === "null" && data === null) return true;
+      return false;
+    });
+    
+    if (!typeMatches) {
+      errors.push({
+        path,
+        message: `Expected ${allowedTypes.join("|")}, got ${actualType}`,
+        keyword: "type",
+      });
+      return errors; // Stop on type mismatch
+    }
+  }
+
+  // Const check
+  if (schema.const !== undefined && data !== schema.const) {
+    errors.push({
+      path,
+      message: `Expected constant "${schema.const}", got "${data}"`,
+      keyword: "const",
+    });
+  }
+
+  // Enum check
+  if (schema.enum && !schema.enum.includes(data)) {
+    errors.push({
+      path,
+      message: `Value must be one of: ${schema.enum.join(", ")}`,
+      keyword: "enum",
+    });
+  }
+
+  // Pattern check
+  if (schema.pattern && typeof data === "string") {
+    const regex = new RegExp(schema.pattern);
+    if (!regex.test(data)) {
+      errors.push({
+        path,
+        message: `String must match pattern: ${schema.pattern}`,
+        keyword: "pattern",
+      });
+    }
+  }
+
+  // Required properties
+  if (schema.required && typeof data === "object" && !Array.isArray(data)) {
+    for (const prop of schema.required) {
+      if (!(prop in data)) {
+        errors.push({
+          path: path ? `${path}.${prop}` : prop,
+          message: `Required property "${prop}" is missing`,
+          keyword: "required",
+        });
+      }
+    }
+  }
+
+  // Object properties
+  if (schema.properties && typeof data === "object" && !Array.isArray(data)) {
+    for (const [key, propSchema] of Object.entries(schema.properties)) {
+      if (key in data) {
+        const propPath = path ? `${path}.${key}` : key;
+        errors.push(...validateAgainstSchema(data[key], propSchema, propPath));
+      }
+    }
+  }
+
+  // Array items
+  if (schema.items && Array.isArray(data)) {
+    for (let i = 0; i < data.length; i++) {
+      const itemPath = `${path}[${i}]`;
+      errors.push(...validateAgainstSchema(data[i], schema.items, itemPath));
+    }
+  }
+
+  // Min/max length
+  if (schema.maxLength && typeof data === "string" && data.length > schema.maxLength) {
+    errors.push({
+      path,
+      message: `String length must be <= ${schema.maxLength}`,
+      keyword: "maxLength",
+    });
+  }
+
+  // Min/max for numbers
+  if (schema.minimum !== undefined && typeof data === "number" && data < schema.minimum) {
+    errors.push({
+      path,
+      message: `Value must be >= ${schema.minimum}`,
+      keyword: "minimum",
+    });
+  }
+  if (schema.maximum !== undefined && typeof data === "number" && data > schema.maximum) {
+    errors.push({
+      path,
+      message: `Value must be <= ${schema.maximum}`,
+      keyword: "maximum",
+    });
+  }
+
+  return errors;
+}
+
+// =============================================================================
+// ARTIFACT VALIDATION
+// =============================================================================
+
+/**
+ * Validate an artifact file against its schema
+ */
+function validateArtifact(filePath, schemaId) {
+  const schema = loadSchema(schemaId);
+  if (!schema) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Schema ${schemaId} not found`, keyword: "schema" }],
+    };
+  }
+
+  let data;
+  try {
+    data = JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch (e) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Failed to read/parse file: ${e.message}`, keyword: "parse" }],
+    };
+  }
+
+  const errors = validateAgainstSchema(data, schema);
+  return {
+    valid: errors.length === 0,
+    errors,
+    data,
+  };
+}
+
+/**
+ * Validate and write artifact with schema check
+ */
+function writeValidatedArtifact(filePath, data, schemaId) {
+  const schema = loadSchema(schemaId);
+  
+  if (schema) {
+    const errors = validateAgainstSchema(data, schema);
+    if (errors.length > 0) {
+      console.warn(`Warning: Artifact ${filePath} has ${errors.length} schema violations:`);
+      errors.slice(0, 5).forEach(e => console.warn(`  - ${e.path}: ${e.message}`));
+    }
+  }
+
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+  
+  return { written: true, path: filePath };
+}
+
+// =============================================================================
+// FINDING GENERATION
+// =============================================================================
+
+/**
+ * Generate stable fingerprint for deduplication
+ */
+function generateFingerprint(parts) {
+  const content = parts.filter(Boolean).join("|");
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+
+/**
+ * Generate finding ID
+ */
+function generateFindingId(detectorId, fingerprint) {
+  return `F_${detectorId}_${fingerprint.slice(0, 8).toUpperCase()}`;
+}
+
+/**
+ * Generate evidence ID
+ */
+function generateEvidenceId(fingerprint) {
+  return `E_${fingerprint.slice(0, 12).toUpperCase()}`;
+}
+
+/**
+ * Create a spec-compliant finding
+ */
+function createFinding(options = {}) {
+  const {
+    detectorId,
+    severity = "WARN",
+    category = "Routes",
+    scope = "client",
+    title,
+    why,
+    confidence = "medium",
+    evidence = [],
+    repro = null,
+    related = [],
+    proofNode = null,
+    missionType = null,
+    // For fingerprint generation
+    file = null,
+    path: routePath = null,
+    method = null,
+  } = options;
+
+  const fingerprint = generateFingerprint([
+    detectorId,
+    file,
+    routePath,
+    method,
+    title,
+  ]);
+
+  return {
+    id: generateFindingId(detectorId, fingerprint),
+    detectorId,
+    fingerprint: `sha256:${fingerprint}`,
+    severity,
+    category,
+    scope,
+    title,
+    why,
+    confidence,
+    evidence: evidence.map((e, i) => ({
+      id: e.id || generateEvidenceId(fingerprint + i),
+      kind: e.kind || "file",
+      ...e,
+    })),
+    repro,
+    related,
+    proofNode,
+    missionType,
+  };
+}
+
+/**
+ * Create file evidence
+ */
+function createFileEvidence(options = {}) {
+  const { file, lines, snippetHash, reason } = options;
+  const fp = generateFingerprint([file, lines, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "file",
+    file,
+    lines,
+    snippetHash,
+    reason,
+  };
+}
+
+/**
+ * Create runtime evidence
+ */
+function createRuntimeEvidence(options = {}) {
+  const { url, httpStatus, reason, data } = options;
+  const fp = generateFingerprint([url, httpStatus, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "request",
+    url,
+    httpStatus,
+    reason,
+    data,
+  };
+}
+
+// =============================================================================
+// SEVERITY POLICY
+// =============================================================================
+
+const SEVERITY_POLICY = {
+  // Route issues
+  ROUTE_MISSING: { default: "BLOCK", withRuntimeProof: "BLOCK" },
+  ROUTE_404: { default: "BLOCK" },
+  ROUTE_405: { default: "WARN" },
+  
+  // Auth issues
+  AUTH_BYPASS: { default: "BLOCK" },
+  AUTH_MISSING: { default: "WARN", criticalPath: "BLOCK" },
+  
+  // Fake success
+  FAKE_SUCCESS: { default: "BLOCK" },
+  SUCCESS_TOAST_NO_CHANGE: { default: "BLOCK" },
+  SUCCESS_BEFORE_REQUEST: { default: "BLOCK" },
+  
+  // Dead UI
+  DEAD_CLICK: { default: "BLOCK" },
+  NO_FEEDBACK: { default: "WARN" },
+  
+  // Contract drift
+  CONTRACT_DRIFT_ROUTE: { default: "WARN", blocking: "BLOCK" },
+  CONTRACT_DRIFT_ENV: { default: "WARN", required: "BLOCK" },
+  CONTRACT_DRIFT_AUTH: { default: "BLOCK" },
+  
+  // Billing
+  STRIPE_WEBHOOK_UNVERIFIED: { default: "BLOCK" },
+  PAID_SURFACE_UNENFORCED: { default: "BLOCK" },
+  
+  // Security
+  OWNER_MODE_BYPASS: { default: "BLOCK" },
+  HARDCODED_SECRET: { default: "BLOCK" },
+};
+
+/**
+ * Get severity based on policy
+ */
+function getSeverity(issueType, context = {}) {
+  const policy = SEVERITY_POLICY[issueType];
+  if (!policy) return "WARN";
+
+  // Check context-specific overrides
+  if (context.hasRuntimeProof && policy.withRuntimeProof) {
+    return policy.withRuntimeProof;
+  }
+  if (context.isCriticalPath && policy.criticalPath) {
+    return policy.criticalPath;
+  }
+  if (context.isBlocking && policy.blocking) {
+    return policy.blocking;
+  }
+  if (context.isRequired && policy.required) {
+    return policy.required;
+  }
+
+  return policy.default;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  // Schema operations
+  SCHEMAS,
+  loadSchema,
+  validateAgainstSchema,
+  validateArtifact,
+  writeValidatedArtifact,
+  
+  // Finding generation
+  generateFingerprint,
+  generateFindingId,
+  generateEvidenceId,
+  createFinding,
+  createFileEvidence,
+  createRuntimeEvidence,
+  
+  // Severity policy
+  SEVERITY_POLICY,
+  getSeverity,
+};