@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/policy.js

@@ -1,295 +1,295 @@
-/**
- * Policy Presets v2
- * 
- * Pre-configured policy settings so users don't have to bikeshed.
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-
-// =============================================================================
-// POLICY PRESETS
-// =============================================================================
-
-const POLICY_PRESETS = {
-  /**
-   * DEV: Warn-heavy, low thresholds
-   * For local development - informative but not blocking
-   */
-  dev: {
-    name: "dev",
-    description: "Development mode - warn-heavy, informative",
-    failOnWarn: false,
-    coverage: {
-      minActionCoverage: 0,
-      minRouteCoverage: 0,
-      requireAuthCoverage: false,
-    },
-    fastify: {
-      requireRuntimeDump: false,
-      allowStaticOnlyRoutes: true,
-    },
-    auth: {
-      requireVerifyAuth: false,
-      strictProtectedPatterns: false,
-    },
-    findings: {
-      // Downgrade some blockers to warnings in dev
-      downgradeToWarn: [
-        "D_ROUTE_MISSING",     // Missing routes less critical in dev
-        "D_CONTRACT_DRIFT",    // Drift expected during dev
-      ],
-    },
-    output: {
-      generateHTML: true,
-      verboseConsole: true,
-    },
-  },
-
-  /**
-   * CI: Strict enough to block bad PRs
-   * Default for CI pipelines
-   */
-  ci: {
-    name: "ci",
-    description: "CI mode - strict, blocks on real issues",
-    failOnWarn: false,
-    coverage: {
-      minActionCoverage: 0,       // Don't require coverage yet
-      minRouteCoverage: 0,
-      requireAuthCoverage: false,
-    },
-    fastify: {
-      requireRuntimeDump: false,   // Optional but recommended
-      allowStaticOnlyRoutes: true,
-    },
-    auth: {
-      requireVerifyAuth: false,    // Only if auth patterns exist
-      strictProtectedPatterns: true,
-    },
-    findings: {
-      downgradeToWarn: [],
-    },
-    output: {
-      generateHTML: true,
-      verboseConsole: false,
-    },
-  },
-
-  /**
-   * RELEASE: Production-ready checks
-   * Strictest mode for release gates
-   */
-  release: {
-    name: "release",
-    description: "Release mode - requires coverage if patterns exist",
-    failOnWarn: true,
-    coverage: {
-      minActionCoverage: 50,      // At least 50% of UI actions verified
-      minRouteCoverage: 80,       // At least 80% of routes covered
-      requireAuthCoverage: true,  // If auth patterns exist, verify them
-      minAuthCoverage: 80,
-    },
-    fastify: {
-      requireRuntimeDump: true,    // Must run runtime dump for Fastify
-      allowStaticOnlyRoutes: false,
-    },
-    auth: {
-      requireVerifyAuth: true,     // Must verify auth if patterns exist
-      strictProtectedPatterns: true,
-    },
-    findings: {
-      downgradeToWarn: [],
-      upgradeToBlock: [
-        "D_FAKE_SUCCESS",          // Fake success is blocking in release
-        "D_DEAD_CLICK",            // Dead clicks are blocking in release
-      ],
-    },
-    output: {
-      generateHTML: true,
-      verboseConsole: false,
-    },
-  },
-};
-
-// =============================================================================
-// POLICY RESOLUTION
-// =============================================================================
-
-/**
- * Load policy from file or preset
- */
-function loadPolicy(options = {}) {
-  const { 
-    preset = "ci", 
-    policyFile = null,
-    repoRoot = process.cwd(),
-    overrides = {},
-  } = options;
-
-  let policy;
-
-  // Try loading from file first
-  if (policyFile) {
-    const policyPath = path.isAbsolute(policyFile) 
-      ? policyFile 
-      : path.join(repoRoot, policyFile);
-    
-    if (fs.existsSync(policyPath)) {
-      try {
-        policy = JSON.parse(fs.readFileSync(policyPath, "utf8"));
-      } catch (e) {
-        console.warn(`Warning: Could not parse policy file ${policyPath}: ${e.message}`);
-      }
-    }
-  }
-
-  // Try loading from .vibecheck/policy.json
-  if (!policy) {
-    const defaultPolicyPath = path.join(repoRoot, ".vibecheck", "policy.json");
-    if (fs.existsSync(defaultPolicyPath)) {
-      try {
-        policy = JSON.parse(fs.readFileSync(defaultPolicyPath, "utf8"));
-      } catch (e) {
-        // Ignore parse errors for default file
-      }
-    }
-  }
-
-  // Fall back to preset
-  if (!policy) {
-    policy = POLICY_PRESETS[preset] || POLICY_PRESETS.ci;
-  }
-
-  // Apply overrides
-  return mergePolicy(policy, overrides);
-}
-
-/**
- * Deep merge policy with overrides
- */
-function mergePolicy(base, overrides) {
-  const merged = JSON.parse(JSON.stringify(base));
-
-  for (const [key, value] of Object.entries(overrides)) {
-    if (value === undefined) continue;
-    
-    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
-      merged[key] = mergePolicy(merged[key] || {}, value);
-    } else {
-      merged[key] = value;
-    }
-  }
-
-  return merged;
-}
-
-/**
- * Get effective thresholds from policy
- */
-function getThresholdsFromPolicy(policy) {
-  return {
-    minActionCoverage: policy.coverage?.minActionCoverage ?? 0,
-    minRouteCoverage: policy.coverage?.minRouteCoverage ?? 0,
-    requireAuthCoverage: policy.coverage?.requireAuthCoverage ?? false,
-    minAuthCoverage: policy.coverage?.minAuthCoverage ?? 80,
-  };
-}
-
-/**
- * Apply policy to findings (downgrades/upgrades)
- */
-function applyPolicyToFindings(findings, policy) {
-  const downgrade = new Set(policy.findings?.downgradeToWarn || []);
-  const upgrade = new Set(policy.findings?.upgradeToBlock || []);
-
-  return findings.map(finding => {
-    if (downgrade.has(finding.detectorId) && finding.severity === "BLOCK") {
-      return {
-        ...finding,
-        severity: "WARN",
-        originalSeverity: "BLOCK",
-        policyDowngraded: true,
-      };
-    }
-    
-    if (upgrade.has(finding.detectorId) && finding.severity === "WARN") {
-      return {
-        ...finding,
-        severity: "BLOCK",
-        originalSeverity: "WARN",
-        policyUpgraded: true,
-      };
-    }
-    
-    return finding;
-  });
-}
-
-/**
- * Check if auth verification is required based on policy and truthpack
- */
-function requiresAuthVerification(policy, truthpack) {
-  if (!policy.auth?.requireVerifyAuth) return false;
-  
-  // Only require if auth patterns exist
-  const hasAuthPatterns = truthpack?.auth?.protectedPatterns?.length > 0;
-  return hasAuthPatterns;
-}
-
-/**
- * Check if Fastify runtime dump is required
- */
-function requiresFastifyRuntimeDump(policy, truthpack) {
-  if (!policy.fastify?.requireRuntimeDump) return false;
-  
-  // Only require if Fastify is detected
-  const hasFastify = truthpack?.stack?.fastify?.present;
-  return hasFastify;
-}
-
-/**
- * Write policy file
- */
-function writePolicyFile(repoRoot, policy) {
-  const dir = path.join(repoRoot, ".vibecheck");
-  fs.mkdirSync(dir, { recursive: true });
-
-  const policyPath = path.join(dir, "policy.json");
-  fs.writeFileSync(policyPath, JSON.stringify(policy, null, 2));
-
-  return policyPath;
-}
-
-/**
- * Get preset names
- */
-function getPresetNames() {
-  return Object.keys(POLICY_PRESETS);
-}
-
-/**
- * Get preset by name
- */
-function getPreset(name) {
-  return POLICY_PRESETS[name] || null;
-}
-
-// =============================================================================
-// EXPORTS
-// =============================================================================
-
-module.exports = {
-  POLICY_PRESETS,
-  loadPolicy,
-  mergePolicy,
-  getThresholdsFromPolicy,
-  applyPolicyToFindings,
-  requiresAuthVerification,
-  requiresFastifyRuntimeDump,
-  writePolicyFile,
-  getPresetNames,
-  getPreset,
-};
+/**
+ * Policy Presets v2
+ * 
+ * Pre-configured policy settings so users don't have to bikeshed.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+// =============================================================================
+// POLICY PRESETS
+// =============================================================================
+
+const POLICY_PRESETS = {
+  /**
+   * DEV: Warn-heavy, low thresholds
+   * For local development - informative but not blocking
+   */
+  dev: {
+    name: "dev",
+    description: "Development mode - warn-heavy, informative",
+    failOnWarn: false,
+    coverage: {
+      minActionCoverage: 0,
+      minRouteCoverage: 0,
+      requireAuthCoverage: false,
+    },
+    fastify: {
+      requireRuntimeDump: false,
+      allowStaticOnlyRoutes: true,
+    },
+    auth: {
+      requireVerifyAuth: false,
+      strictProtectedPatterns: false,
+    },
+    findings: {
+      // Downgrade some blockers to warnings in dev
+      downgradeToWarn: [
+        "D_ROUTE_MISSING",     // Missing routes less critical in dev
+        "D_CONTRACT_DRIFT",    // Drift expected during dev
+      ],
+    },
+    output: {
+      generateHTML: true,
+      verboseConsole: true,
+    },
+  },
+
+  /**
+   * CI: Strict enough to block bad PRs
+   * Default for CI pipelines
+   */
+  ci: {
+    name: "ci",
+    description: "CI mode - strict, blocks on real issues",
+    failOnWarn: false,
+    coverage: {
+      minActionCoverage: 0,       // Don't require coverage yet
+      minRouteCoverage: 0,
+      requireAuthCoverage: false,
+    },
+    fastify: {
+      requireRuntimeDump: false,   // Optional but recommended
+      allowStaticOnlyRoutes: true,
+    },
+    auth: {
+      requireVerifyAuth: false,    // Only if auth patterns exist
+      strictProtectedPatterns: true,
+    },
+    findings: {
+      downgradeToWarn: [],
+    },
+    output: {
+      generateHTML: true,
+      verboseConsole: false,
+    },
+  },
+
+  /**
+   * RELEASE: Production-ready checks
+   * Strictest mode for release gates
+   */
+  release: {
+    name: "release",
+    description: "Release mode - requires coverage if patterns exist",
+    failOnWarn: true,
+    coverage: {
+      minActionCoverage: 50,      // At least 50% of UI actions verified
+      minRouteCoverage: 80,       // At least 80% of routes covered
+      requireAuthCoverage: true,  // If auth patterns exist, verify them
+      minAuthCoverage: 80,
+    },
+    fastify: {
+      requireRuntimeDump: true,    // Must run runtime dump for Fastify
+      allowStaticOnlyRoutes: false,
+    },
+    auth: {
+      requireVerifyAuth: true,     // Must verify auth if patterns exist
+      strictProtectedPatterns: true,
+    },
+    findings: {
+      downgradeToWarn: [],
+      upgradeToBlock: [
+        "D_FAKE_SUCCESS",          // Fake success is blocking in release
+        "D_DEAD_CLICK",            // Dead clicks are blocking in release
+      ],
+    },
+    output: {
+      generateHTML: true,
+      verboseConsole: false,
+    },
+  },
+};
+
+// =============================================================================
+// POLICY RESOLUTION
+// =============================================================================
+
+/**
+ * Load policy from file or preset
+ */
+function loadPolicy(options = {}) {
+  const { 
+    preset = "ci", 
+    policyFile = null,
+    repoRoot = process.cwd(),
+    overrides = {},
+  } = options;
+
+  let policy;
+
+  // Try loading from file first
+  if (policyFile) {
+    const policyPath = path.isAbsolute(policyFile) 
+      ? policyFile 
+      : path.join(repoRoot, policyFile);
+    
+    if (fs.existsSync(policyPath)) {
+      try {
+        policy = JSON.parse(fs.readFileSync(policyPath, "utf8"));
+      } catch (e) {
+        console.warn(`Warning: Could not parse policy file ${policyPath}: ${e.message}`);
+      }
+    }
+  }
+
+  // Try loading from .vibecheck/policy.json
+  if (!policy) {
+    const defaultPolicyPath = path.join(repoRoot, ".vibecheck", "policy.json");
+    if (fs.existsSync(defaultPolicyPath)) {
+      try {
+        policy = JSON.parse(fs.readFileSync(defaultPolicyPath, "utf8"));
+      } catch (e) {
+        // Ignore parse errors for default file
+      }
+    }
+  }
+
+  // Fall back to preset
+  if (!policy) {
+    policy = POLICY_PRESETS[preset] || POLICY_PRESETS.ci;
+  }
+
+  // Apply overrides
+  return mergePolicy(policy, overrides);
+}
+
+/**
+ * Deep merge policy with overrides
+ */
+function mergePolicy(base, overrides) {
+  const merged = JSON.parse(JSON.stringify(base));
+
+  for (const [key, value] of Object.entries(overrides)) {
+    if (value === undefined) continue;
+    
+    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+      merged[key] = mergePolicy(merged[key] || {}, value);
+    } else {
+      merged[key] = value;
+    }
+  }
+
+  return merged;
+}
+
+/**
+ * Get effective thresholds from policy
+ */
+function getThresholdsFromPolicy(policy) {
+  return {
+    minActionCoverage: policy.coverage?.minActionCoverage ?? 0,
+    minRouteCoverage: policy.coverage?.minRouteCoverage ?? 0,
+    requireAuthCoverage: policy.coverage?.requireAuthCoverage ?? false,
+    minAuthCoverage: policy.coverage?.minAuthCoverage ?? 80,
+  };
+}
+
+/**
+ * Apply policy to findings (downgrades/upgrades)
+ */
+function applyPolicyToFindings(findings, policy) {
+  const downgrade = new Set(policy.findings?.downgradeToWarn || []);
+  const upgrade = new Set(policy.findings?.upgradeToBlock || []);
+
+  return findings.map(finding => {
+    if (downgrade.has(finding.detectorId) && finding.severity === "BLOCK") {
+      return {
+        ...finding,
+        severity: "WARN",
+        originalSeverity: "BLOCK",
+        policyDowngraded: true,
+      };
+    }
+    
+    if (upgrade.has(finding.detectorId) && finding.severity === "WARN") {
+      return {
+        ...finding,
+        severity: "BLOCK",
+        originalSeverity: "WARN",
+        policyUpgraded: true,
+      };
+    }
+    
+    return finding;
+  });
+}
+
+/**
+ * Check if auth verification is required based on policy and truthpack
+ */
+function requiresAuthVerification(policy, truthpack) {
+  if (!policy.auth?.requireVerifyAuth) return false;
+  
+  // Only require if auth patterns exist
+  const hasAuthPatterns = truthpack?.auth?.protectedPatterns?.length > 0;
+  return hasAuthPatterns;
+}
+
+/**
+ * Check if Fastify runtime dump is required
+ */
+function requiresFastifyRuntimeDump(policy, truthpack) {
+  if (!policy.fastify?.requireRuntimeDump) return false;
+  
+  // Only require if Fastify is detected
+  const hasFastify = truthpack?.stack?.fastify?.present;
+  return hasFastify;
+}
+
+/**
+ * Write policy file
+ */
+function writePolicyFile(repoRoot, policy) {
+  const dir = path.join(repoRoot, ".vibecheck");
+  fs.mkdirSync(dir, { recursive: true });
+
+  const policyPath = path.join(dir, "policy.json");
+  fs.writeFileSync(policyPath, JSON.stringify(policy, null, 2));
+
+  return policyPath;
+}
+
+/**
+ * Get preset names
+ */
+function getPresetNames() {
+  return Object.keys(POLICY_PRESETS);
+}
+
+/**
+ * Get preset by name
+ */
+function getPreset(name) {
+  return POLICY_PRESETS[name] || null;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  POLICY_PRESETS,
+  loadPolicy,
+  mergePolicy,
+  getThresholdsFromPolicy,
+  applyPolicyToFindings,
+  requiresAuthVerification,
+  requiresFastifyRuntimeDump,
+  writePolicyFile,
+  getPresetNames,
+  getPreset,
+};