@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/extractors/truthpack-v2.js

@@ -1,377 +1,377 @@
-/**
- * Truthpack Builder v2
- * 
- * Builds the truthpack using v2 extractors with full evidence chains
- * and Proof Graph support.
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-const { extractNextRoutes, detectNextMode } = require("./next-routes");
-const { extractFastifyRoutes, detectFastify } = require("./fastify-routes");
-const { normalizeUrl, matchRoute, RouteIndex, getMissingRouteSeverity, isCriticalPath } = require("./route-matcher");
-const { extractClientCalls } = require("./client-calls");
-const { buildProofGraph, findProofGaps, serializeProofGraph } = require("./proof-graph");
-
-// Import existing truth modules for env, auth, billing, enforcement
-let buildEnvTruth, buildAuthTruth, buildBillingTruth, buildEnforcementTruth;
-try {
-  buildEnvTruth = require("../env").buildEnvTruth;
-  buildAuthTruth = require("../auth-truth").buildAuthTruth;
-  buildBillingTruth = require("../billing").buildBillingTruth;
-  buildEnforcementTruth = require("../enforcement").buildEnforcementTruth;
-} catch {
-  // Modules may not exist, provide stubs
-  buildEnvTruth = async () => ({ vars: [], declared: [], declaredSources: [] });
-  buildAuthTruth = async () => ({ nextMiddleware: [], nextMatcherPatterns: [], fastify: {} });
-  buildBillingTruth = async () => ({ stripeWebhooks: [], stripeConfigs: [] });
-  buildEnforcementTruth = () => ({ enforcedEndpoints: [], paidSurfaces: [] });
-}
-
-/**
- * Extract all server routes from project (local implementation to avoid circular dep)
- */
-function extractServerRoutesLocal(projectRoot, options = {}) {
-  const { fastifyEntry = null } = options;
-  
-  const result = {
-    stack: {
-      next: { present: false, router: "unknown" },
-      fastify: { present: false, entryFile: null },
-    },
-    routes: [],
-    gaps: [],
-    middleware: { matchers: [], protectedHints: [] },
-    rewrites: [],
-  };
-
-  // Extract Next.js routes
-  const nextResult = extractNextRoutes(projectRoot);
-  if (nextResult.present) {
-    result.stack.next = {
-      present: true,
-      router: nextResult.router,
-      appDir: nextResult.appDir,
-      pagesDir: nextResult.pagesDir,
-      middlewareFile: nextResult.middlewareFile,
-    };
-    result.routes.push(...nextResult.routes);
-    result.middleware = nextResult.middleware;
-    result.rewrites = nextResult.rewrites || [];
-  }
-
-  // Extract Fastify routes
-  const fastifyResult = extractFastifyRoutes(projectRoot, fastifyEntry);
-  if (fastifyResult.present) {
-    result.stack.fastify = {
-      present: true,
-      entryFile: fastifyResult.entryFile,
-      prefixes: fastifyResult.prefixes,
-    };
-    result.routes.push(...fastifyResult.routes);
-    result.gaps.push(...(fastifyResult.gaps || []));
-  }
-
-  return result;
-}
-
-async function buildTruthpackV2(options = {}) {
-  const {
-    repoRoot,
-    fastifyEntry = null,
-    includeProofGraph = true,
-    runtimeReport = null,
-  } = options;
-
-  // 1. Extract server routes using v2 extractors
-  const routeExtraction = extractServerRoutesLocal(repoRoot, { fastifyEntry });
-  
-  // 2. Extract client calls
-  const clientExtraction = extractClientCalls(repoRoot);
-
-  // 3. Build env, auth, billing, enforcement truth
-  const env = await buildEnvTruth(repoRoot);
-  const auth = await buildAuthTruth(repoRoot, routeExtraction.routes);
-  const billing = await buildBillingTruth(repoRoot);
-  const enforcement = buildEnforcementTruth(repoRoot, routeExtraction.routes);
-
-  // 4. Match client calls to server routes to find gaps
-  const routeIndex = new RouteIndex(routeExtraction.routes);
-  const matchResults = [];
-  
-  for (const call of clientExtraction.calls) {
-    if (!call.canonicalPath) continue;
-    
-    const normalizedPath = normalizeUrl(call.canonicalPath);
-    const method = call.method || "UNKNOWN";
-    const match = routeIndex.match(normalizedPath, method, { allowMethodMismatch: true });
-    
-    matchResults.push({
-      call,
-      normalizedPath,
-      method,
-      match,
-      isCritical: isCriticalPath(normalizedPath),
-    });
-  }
-
-  // 5. Apply runtime proof if available
-  if (runtimeReport?.requests) {
-    const requestMap = new Map();
-    for (const req of runtimeReport.requests) {
-      const np = normalizeUrl(req.url);
-      if (!requestMap.has(np)) requestMap.set(np, []);
-      requestMap.get(np).push(req);
-    }
-    
-    for (const result of matchResults) {
-      const reqs = requestMap.get(result.normalizedPath) || [];
-      if (reqs.length > 0) {
-        result.hasRuntimeProof = true;
-        const failures = reqs.filter(r => r.status === 404 || r.status === 405);
-        const successes = reqs.filter(r => r.status >= 200 && r.status < 300);
-        if (failures.length > 0 && successes.length === 0) {
-          result.runtimeResult = failures[0].status === 405 ? "405" : "404";
-        } else if (successes.length > 0) {
-          result.runtimeResult = "2xx";
-        }
-      }
-    }
-  }
-
-  // 6. Generate route findings
-  const framework = routeExtraction.stack?.next?.present ? "next" : 
-                    routeExtraction.stack?.fastify?.present ? "fastify" : "unknown";
-  const routeFindings = [];
-  
-  for (const result of matchResults) {
-    if (!result.match.matched || result.match.matchType === "none") {
-      if (result.runtimeResult === "2xx") continue; // Skip if runtime confirmed exists
-      
-      const severity = getMissingRouteSeverity({
-        framework,
-        staticConfidence: result.match.confidence,
-        hasRuntimeProof: result.hasRuntimeProof,
-        runtimeResult: result.runtimeResult,
-        isCriticalPath: result.isCritical,
-      });
-      
-      routeFindings.push({
-        detectorId: "ROUTE_MISSING",
-        severity,
-        category: "Routes",
-        scope: result.call?.runtime || "client",
-        title: `Client calls ${result.method} ${result.normalizedPath} but no server route exists`,
-        why: severity === "BLOCK" ? "Route confirmed missing." : "Route may be missing.",
-        confidence: result.hasRuntimeProof ? "high" : result.match.confidence,
-        call: result.call,
-        matchResult: result.match,
-      });
-    }
-  }
-
-  // 7. Build proof graph
-  let proofGraph = null;
-  if (includeProofGraph) {
-    proofGraph = buildProofGraph({
-      serverRoutes: routeExtraction.routes,
-      clientCalls: clientExtraction.calls,
-      uiBindings: clientExtraction.uiBindings,
-      runtimeRequests: runtimeReport?.requests || [],
-      runtimeActions: runtimeReport?.actions || [],
-    });
-  }
-
-  // 8. Determine frameworks
-  const frameworks = new Set();
-  if (routeExtraction.stack?.next?.present) frameworks.add("next");
-  if (routeExtraction.stack?.fastify?.present) frameworks.add("fastify");
-
-  // 9. Build the truthpack
-  const truthpack = {
-    meta: {
-      version: "2.0.0",
-      generatedAt: new Date().toISOString(),
-      repoRoot,
-      commit: { sha: process.env.VIBECHECK_COMMIT_SHA || getGitCommit(repoRoot) },
-    },
-    project: {
-      frameworks: Array.from(frameworks),
-      workspaces: [],
-      entrypoints: routeExtraction.stack?.fastify?.entryFile 
-        ? [routeExtraction.stack.fastify.entryFile] 
-        : [],
-    },
-    routes: {
-      server: routeExtraction.routes.map(r => ({
-        id: r.id,
-        method: r.methods?.[0] || "UNKNOWN",
-        methods: r.methods,
-        path: r.canonicalPath || r.path,
-        rawPath: r.rawPath,
-        handler: r.handler?.file || r.handler,
-        confidence: r.confidence,
-        authRequired: r.authRequired,
-        evidence: r.evidence || [],
-      })),
-      clientCalls: clientExtraction.calls.map(c => ({
-        id: c.id,
-        kind: c.kind,
-        runtime: c.runtime,
-        method: c.method,
-        urlTemplate: c.urlTemplate,
-        canonicalPath: c.canonicalPath,
-        expectsJson: c.expectsJson,
-        authHint: c.authHint,
-        confidence: c.confidence,
-        evidence: c.evidence || [],
-        meta: c.meta,
-      })),
-      gaps: [
-        ...(routeExtraction.gaps || []),
-        ...routeFindings.filter(f => f.severity === "BLOCK" || f.severity === "WARN").map(f => ({
-          type: f.category,
-          severity: f.severity,
-          path: f.call?.canonicalPath || f.matchResult?.normalizedPath,
-          method: f.call?.method,
-          reason: f.title,
-        })),
-      ],
-      wrappers: clientExtraction.wrappers,
-      uiBindings: clientExtraction.uiBindings,
-    },
-    env,
-    auth: {
-      ...auth,
-      middleware: routeExtraction.middleware,
-    },
-    billing,
-    enforcement,
-  };
-
-  // 10. Add proof graph if requested
-  if (proofGraph) {
-    truthpack.proofGraph = serializeProofGraph(proofGraph);
-  }
-
-  // 11. Compute truthpack hash
-  const hash = sha256(JSON.stringify(truthpack));
-  truthpack.index = {
-    hashes: { truthpackHash: hash },
-    evidenceRefs: collectEvidenceRefs(truthpack),
-  };
-
-  return {
-    truthpack,
-    extraction: {
-      routes: routeExtraction,
-      clientCalls: clientExtraction,
-    },
-    findings: routeFindings,
-    proofGraph,
-    stats: {
-      serverRoutes: routeExtraction.routes.length,
-      clientCalls: clientExtraction.calls.length,
-      wrappers: clientExtraction.wrappers.length,
-      uiBindings: clientExtraction.uiBindings.length,
-      gaps: truthpack.routes.gaps.length,
-      findings: routeFindings.length,
-    },
-  };
-}
-
-/**
- * Write truthpack to disk
- */
-function writeTruthpackV2(repoRoot, truthpack) {
-  const dir = path.join(repoRoot, ".vibecheck");
-  fs.mkdirSync(dir, { recursive: true });
-  
-  // Write main truthpack
-  fs.writeFileSync(
-    path.join(dir, "truthpack.json"),
-    JSON.stringify(truthpack, null, 2)
-  );
-
-  // Write proof graph separately if present (can be large)
-  if (truthpack.proofGraph) {
-    fs.writeFileSync(
-      path.join(dir, "proof-graph.json"),
-      JSON.stringify(truthpack.proofGraph, null, 2)
-    );
-  }
-}
-
-/**
- * Load truthpack from disk
- */
-function loadTruthpackV2(repoRoot) {
-  const specPath = path.join(repoRoot, ".vibecheck", "truthpack.json");
-  const legacyPath = path.join(repoRoot, ".vibecheck", "truth", "truthpack.json");
-
-  try {
-    return JSON.parse(fs.readFileSync(specPath, "utf8"));
-  } catch {
-    try {
-      return JSON.parse(fs.readFileSync(legacyPath, "utf8"));
-    } catch {
-      return null;
-    }
-  }
-}
-
-/**
- * Collect all evidence references from truthpack
- */
-function collectEvidenceRefs(truthpack) {
-  const refs = [];
-
-  // From routes
-  for (const route of truthpack.routes?.server || []) {
-    for (const ev of route.evidence || []) {
-      refs.push({ type: "route", routeId: route.id, evidenceId: ev.id });
-    }
-  }
-
-  // From client calls
-  for (const call of truthpack.routes?.clientCalls || []) {
-    for (const ev of call.evidence || []) {
-      refs.push({ type: "clientCall", callId: call.id, evidenceId: ev.id });
-    }
-  }
-
-  return refs;
-}
-
-/**
- * Get git commit SHA
- */
-function getGitCommit(repoRoot) {
-  try {
-    const headPath = path.join(repoRoot, ".git", "HEAD");
-    const head = fs.readFileSync(headPath, "utf8").trim();
-    
-    if (head.startsWith("ref:")) {
-      const refPath = path.join(repoRoot, ".git", head.slice(5).trim());
-      return fs.readFileSync(refPath, "utf8").trim().slice(0, 12);
-    }
-    return head.slice(0, 12);
-  } catch {
-    return "unknown";
-  }
-}
-
-function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
-}
-
-module.exports = {
-  buildTruthpackV2,
-  writeTruthpackV2,
-  loadTruthpackV2,
-  collectEvidenceRefs,
-};
+/**
+ * Truthpack Builder v2
+ * 
+ * Builds the truthpack using v2 extractors with full evidence chains
+ * and Proof Graph support.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+const { extractNextRoutes, detectNextMode } = require("./next-routes");
+const { extractFastifyRoutes, detectFastify } = require("./fastify-routes");
+const { normalizeUrl, matchRoute, RouteIndex, getMissingRouteSeverity, isCriticalPath } = require("./route-matcher");
+const { extractClientCalls } = require("./client-calls");
+const { buildProofGraph, findProofGaps, serializeProofGraph } = require("./proof-graph");
+
+// Import existing truth modules for env, auth, billing, enforcement
+let buildEnvTruth, buildAuthTruth, buildBillingTruth, buildEnforcementTruth;
+try {
+  buildEnvTruth = require("../env").buildEnvTruth;
+  buildAuthTruth = require("../auth-truth").buildAuthTruth;
+  buildBillingTruth = require("../billing").buildBillingTruth;
+  buildEnforcementTruth = require("../enforcement").buildEnforcementTruth;
+} catch {
+  // Modules may not exist, provide stubs
+  buildEnvTruth = async () => ({ vars: [], declared: [], declaredSources: [] });
+  buildAuthTruth = async () => ({ nextMiddleware: [], nextMatcherPatterns: [], fastify: {} });
+  buildBillingTruth = async () => ({ stripeWebhooks: [], stripeConfigs: [] });
+  buildEnforcementTruth = () => ({ enforcedEndpoints: [], paidSurfaces: [] });
+}
+
+/**
+ * Extract all server routes from project (local implementation to avoid circular dep)
+ */
+function extractServerRoutesLocal(projectRoot, options = {}) {
+  const { fastifyEntry = null } = options;
+  
+  const result = {
+    stack: {
+      next: { present: false, router: "unknown" },
+      fastify: { present: false, entryFile: null },
+    },
+    routes: [],
+    gaps: [],
+    middleware: { matchers: [], protectedHints: [] },
+    rewrites: [],
+  };
+
+  // Extract Next.js routes
+  const nextResult = extractNextRoutes(projectRoot);
+  if (nextResult.present) {
+    result.stack.next = {
+      present: true,
+      router: nextResult.router,
+      appDir: nextResult.appDir,
+      pagesDir: nextResult.pagesDir,
+      middlewareFile: nextResult.middlewareFile,
+    };
+    result.routes.push(...nextResult.routes);
+    result.middleware = nextResult.middleware;
+    result.rewrites = nextResult.rewrites || [];
+  }
+
+  // Extract Fastify routes
+  const fastifyResult = extractFastifyRoutes(projectRoot, fastifyEntry);
+  if (fastifyResult.present) {
+    result.stack.fastify = {
+      present: true,
+      entryFile: fastifyResult.entryFile,
+      prefixes: fastifyResult.prefixes,
+    };
+    result.routes.push(...fastifyResult.routes);
+    result.gaps.push(...(fastifyResult.gaps || []));
+  }
+
+  return result;
+}
+
+async function buildTruthpackV2(options = {}) {
+  const {
+    repoRoot,
+    fastifyEntry = null,
+    includeProofGraph = true,
+    runtimeReport = null,
+  } = options;
+
+  // 1. Extract server routes using v2 extractors
+  const routeExtraction = extractServerRoutesLocal(repoRoot, { fastifyEntry });
+  
+  // 2. Extract client calls
+  const clientExtraction = extractClientCalls(repoRoot);
+
+  // 3. Build env, auth, billing, enforcement truth
+  const env = await buildEnvTruth(repoRoot);
+  const auth = await buildAuthTruth(repoRoot, routeExtraction.routes);
+  const billing = await buildBillingTruth(repoRoot);
+  const enforcement = buildEnforcementTruth(repoRoot, routeExtraction.routes);
+
+  // 4. Match client calls to server routes to find gaps
+  const routeIndex = new RouteIndex(routeExtraction.routes);
+  const matchResults = [];
+  
+  for (const call of clientExtraction.calls) {
+    if (!call.canonicalPath) continue;
+    
+    const normalizedPath = normalizeUrl(call.canonicalPath);
+    const method = call.method || "UNKNOWN";
+    const match = routeIndex.match(normalizedPath, method, { allowMethodMismatch: true });
+    
+    matchResults.push({
+      call,
+      normalizedPath,
+      method,
+      match,
+      isCritical: isCriticalPath(normalizedPath),
+    });
+  }
+
+  // 5. Apply runtime proof if available
+  if (runtimeReport?.requests) {
+    const requestMap = new Map();
+    for (const req of runtimeReport.requests) {
+      const np = normalizeUrl(req.url);
+      if (!requestMap.has(np)) requestMap.set(np, []);
+      requestMap.get(np).push(req);
+    }
+    
+    for (const result of matchResults) {
+      const reqs = requestMap.get(result.normalizedPath) || [];
+      if (reqs.length > 0) {
+        result.hasRuntimeProof = true;
+        const failures = reqs.filter(r => r.status === 404 || r.status === 405);
+        const successes = reqs.filter(r => r.status >= 200 && r.status < 300);
+        if (failures.length > 0 && successes.length === 0) {
+          result.runtimeResult = failures[0].status === 405 ? "405" : "404";
+        } else if (successes.length > 0) {
+          result.runtimeResult = "2xx";
+        }
+      }
+    }
+  }
+
+  // 6. Generate route findings
+  const framework = routeExtraction.stack?.next?.present ? "next" : 
+                    routeExtraction.stack?.fastify?.present ? "fastify" : "unknown";
+  const routeFindings = [];
+  
+  for (const result of matchResults) {
+    if (!result.match.matched || result.match.matchType === "none") {
+      if (result.runtimeResult === "2xx") continue; // Skip if runtime confirmed exists
+      
+      const severity = getMissingRouteSeverity({
+        framework,
+        staticConfidence: result.match.confidence,
+        hasRuntimeProof: result.hasRuntimeProof,
+        runtimeResult: result.runtimeResult,
+        isCriticalPath: result.isCritical,
+      });
+      
+      routeFindings.push({
+        detectorId: "ROUTE_MISSING",
+        severity,
+        category: "Routes",
+        scope: result.call?.runtime || "client",
+        title: `Client calls ${result.method} ${result.normalizedPath} but no server route exists`,
+        why: severity === "BLOCK" ? "Route confirmed missing." : "Route may be missing.",
+        confidence: result.hasRuntimeProof ? "high" : result.match.confidence,
+        call: result.call,
+        matchResult: result.match,
+      });
+    }
+  }
+
+  // 7. Build proof graph
+  let proofGraph = null;
+  if (includeProofGraph) {
+    proofGraph = buildProofGraph({
+      serverRoutes: routeExtraction.routes,
+      clientCalls: clientExtraction.calls,
+      uiBindings: clientExtraction.uiBindings,
+      runtimeRequests: runtimeReport?.requests || [],
+      runtimeActions: runtimeReport?.actions || [],
+    });
+  }
+
+  // 8. Determine frameworks
+  const frameworks = new Set();
+  if (routeExtraction.stack?.next?.present) frameworks.add("next");
+  if (routeExtraction.stack?.fastify?.present) frameworks.add("fastify");
+
+  // 9. Build the truthpack
+  const truthpack = {
+    meta: {
+      version: "2.0.0",
+      generatedAt: new Date().toISOString(),
+      repoRoot,
+      commit: { sha: process.env.VIBECHECK_COMMIT_SHA || getGitCommit(repoRoot) },
+    },
+    project: {
+      frameworks: Array.from(frameworks),
+      workspaces: [],
+      entrypoints: routeExtraction.stack?.fastify?.entryFile 
+        ? [routeExtraction.stack.fastify.entryFile] 
+        : [],
+    },
+    routes: {
+      server: routeExtraction.routes.map(r => ({
+        id: r.id,
+        method: r.methods?.[0] || "UNKNOWN",
+        methods: r.methods,
+        path: r.canonicalPath || r.path,
+        rawPath: r.rawPath,
+        handler: r.handler?.file || r.handler,
+        confidence: r.confidence,
+        authRequired: r.authRequired,
+        evidence: r.evidence || [],
+      })),
+      clientCalls: clientExtraction.calls.map(c => ({
+        id: c.id,
+        kind: c.kind,
+        runtime: c.runtime,
+        method: c.method,
+        urlTemplate: c.urlTemplate,
+        canonicalPath: c.canonicalPath,
+        expectsJson: c.expectsJson,
+        authHint: c.authHint,
+        confidence: c.confidence,
+        evidence: c.evidence || [],
+        meta: c.meta,
+      })),
+      gaps: [
+        ...(routeExtraction.gaps || []),
+        ...routeFindings.filter(f => f.severity === "BLOCK" || f.severity === "WARN").map(f => ({
+          type: f.category,
+          severity: f.severity,
+          path: f.call?.canonicalPath || f.matchResult?.normalizedPath,
+          method: f.call?.method,
+          reason: f.title,
+        })),
+      ],
+      wrappers: clientExtraction.wrappers,
+      uiBindings: clientExtraction.uiBindings,
+    },
+    env,
+    auth: {
+      ...auth,
+      middleware: routeExtraction.middleware,
+    },
+    billing,
+    enforcement,
+  };
+
+  // 10. Add proof graph if requested
+  if (proofGraph) {
+    truthpack.proofGraph = serializeProofGraph(proofGraph);
+  }
+
+  // 11. Compute truthpack hash
+  const hash = sha256(JSON.stringify(truthpack));
+  truthpack.index = {
+    hashes: { truthpackHash: hash },
+    evidenceRefs: collectEvidenceRefs(truthpack),
+  };
+
+  return {
+    truthpack,
+    extraction: {
+      routes: routeExtraction,
+      clientCalls: clientExtraction,
+    },
+    findings: routeFindings,
+    proofGraph,
+    stats: {
+      serverRoutes: routeExtraction.routes.length,
+      clientCalls: clientExtraction.calls.length,
+      wrappers: clientExtraction.wrappers.length,
+      uiBindings: clientExtraction.uiBindings.length,
+      gaps: truthpack.routes.gaps.length,
+      findings: routeFindings.length,
+    },
+  };
+}
+
+/**
+ * Write truthpack to disk
+ */
+function writeTruthpackV2(repoRoot, truthpack) {
+  const dir = path.join(repoRoot, ".vibecheck");
+  fs.mkdirSync(dir, { recursive: true });
+  
+  // Write main truthpack
+  fs.writeFileSync(
+    path.join(dir, "truthpack.json"),
+    JSON.stringify(truthpack, null, 2)
+  );
+
+  // Write proof graph separately if present (can be large)
+  if (truthpack.proofGraph) {
+    fs.writeFileSync(
+      path.join(dir, "proof-graph.json"),
+      JSON.stringify(truthpack.proofGraph, null, 2)
+    );
+  }
+}
+
+/**
+ * Load truthpack from disk
+ */
+function loadTruthpackV2(repoRoot) {
+  const specPath = path.join(repoRoot, ".vibecheck", "truthpack.json");
+  const legacyPath = path.join(repoRoot, ".vibecheck", "truth", "truthpack.json");
+
+  try {
+    return JSON.parse(fs.readFileSync(specPath, "utf8"));
+  } catch {
+    try {
+      return JSON.parse(fs.readFileSync(legacyPath, "utf8"));
+    } catch {
+      return null;
+    }
+  }
+}
+
+/**
+ * Collect all evidence references from truthpack
+ */
+function collectEvidenceRefs(truthpack) {
+  const refs = [];
+
+  // From routes
+  for (const route of truthpack.routes?.server || []) {
+    for (const ev of route.evidence || []) {
+      refs.push({ type: "route", routeId: route.id, evidenceId: ev.id });
+    }
+  }
+
+  // From client calls
+  for (const call of truthpack.routes?.clientCalls || []) {
+    for (const ev of call.evidence || []) {
+      refs.push({ type: "clientCall", callId: call.id, evidenceId: ev.id });
+    }
+  }
+
+  return refs;
+}
+
+/**
+ * Get git commit SHA
+ */
+function getGitCommit(repoRoot) {
+  try {
+    const headPath = path.join(repoRoot, ".git", "HEAD");
+    const head = fs.readFileSync(headPath, "utf8").trim();
+    
+    if (head.startsWith("ref:")) {
+      const refPath = path.join(repoRoot, ".git", head.slice(5).trim());
+      return fs.readFileSync(refPath, "utf8").trim().slice(0, 12);
+    }
+    return head.slice(0, 12);
+  } catch {
+    return "unknown";
+  }
+}
+
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+module.exports = {
+  buildTruthpackV2,
+  writeTruthpackV2,
+  loadTruthpackV2,
+  collectEvidenceRefs,
+};