@vibecheckai/cli 3.2.6 → 3.3.0

package/bin/runners/lib/agent-firewall/change-packet/builder.js

@@ -3,6 +3,12 @@
  * 
  * Builds change packets from diffs + agent intent.
  * Each packet is a complete audit artifact of an AI code change attempt.
+ * 
+ * Enhanced with:
+ * - Risk scoring
+ * - Simulation results
+ * - Critic verdict
+ * - Override tracking
  */
 
 "use strict";
@@ -10,6 +16,22 @@
 const crypto = require("crypto");
 const path = require("path");
 
+/**
+ * @typedef {Object} ProofArtifact
+ * @property {string} changeId - Unique change identifier
+ * @property {string} decision - ALLOW, BLOCK, or REQUIRE_CONFIRMATION
+ * @property {Array} rulesTriggered - Rules that were triggered
+ * @property {Array} assumptionsFailed - Failed assumptions
+ * @property {number} riskScore - Numerical risk score
+ * @property {string} riskLevel - LOW, MEDIUM, HIGH, CRITICAL
+ * @property {Object} simulationResult - Result of diff simulation
+ * @property {Object} criticVerdict - Critic LLM verdict
+ * @property {string} timestamp - ISO timestamp
+ * @property {boolean} overrideUsed - Whether override was used
+ * @property {string} overrideBy - Who overrode (if applicable)
+ * @property {string} overrideReason - Reason for override
+ */
+
 /**
  * Build a change packet from diff and agent intent
  * @param {object} params
@@ -22,6 +44,11 @@ const path = require("path");
  * @param {object} params.verdict - Policy verdict
  * @param {object} params.unblockPlan - Unblock plan (if blocked)
  * @param {object} params.policy - Policy used for evaluation
+ * @param {object} params.riskScore - Risk scoring result
+ * @param {object} params.simulationResult - Diff simulation result
+ * @param {object} params.criticVerdict - Critic LLM verdict
+ * @param {object} params.proposal - Structured change proposal
+ * @param {object} params.override - Override information
  * @returns {object} Change packet
  */
 function buildChangePacket({
@@ -33,7 +60,12 @@ function buildChangePacket({
   evidence = [],
   verdict,
   unblockPlan = null,
-  policy = null
+  policy = null,
+  riskScore = null,
+  simulationResult = null,
+  criticVerdict = null,
+  proposal = null,
+  override = null
 }) {
   const timestamp = new Date().toISOString();
   
@@ -61,27 +93,83 @@ function buildChangePacket({
     domain: classifyFileDomain(filePath)
   }];
   
-  // Build packet
+  // Extract failed assumptions from evidence
+  const assumptionsFailed = evidence
+    .filter(e => e.status === "UNPROVEN" || !e.verified)
+    .map(e => e.claim?.key || e.claim?.type || e.assumption || "unknown");
+  
+  // Extract triggered rules from verdict
+  const rulesTriggered = (verdict?.violations || [])
+    .map(v => v.rule || v.type || v.id)
+    .filter(Boolean);
+  
+  // Build packet with enhanced proof artifact fields
   const packet = {
     id,
     timestamp,
     agentId,
     intent: intent || "No intent provided",
+    
+    // Original fields
     diff: diff || null,
     files,
     claims,
     evidence,
+    
+    // Verdict and decision
     verdict: verdict || {
       decision: "ALLOW",
       violations: [],
       message: "No verdict provided"
     },
     unblockPlan: unblockPlan || null,
+    
+    // Enhanced proof artifact fields
+    proof: {
+      changeId: `c-${id}`,
+      decision: verdict?.decision || "ALLOW",
+      rulesTriggered,
+      assumptionsFailed,
+      riskScore: riskScore?.total ?? null,
+      riskLevel: riskScore?.level || null,
+      riskFactors: riskScore?.reasons || [],
+      simulationResult: simulationResult ? {
+        passed: simulationResult.passed,
+        errorCount: simulationResult.errors?.length || 0,
+        warningCount: simulationResult.warnings?.length || 0,
+        errors: (simulationResult.errors || []).slice(0, 5).map(e => e.message || e),
+        warnings: (simulationResult.warnings || []).slice(0, 5).map(w => w.message || w),
+      } : null,
+      criticVerdict: criticVerdict ? {
+        verdict: criticVerdict.verdict,
+        confidence: criticVerdict.confidence,
+        reasoning: criticVerdict.reasoning || [],
+        violations: criticVerdict.violations || [],
+      } : null,
+      overrideUsed: override?.used || false,
+      overrideBy: override?.by || null,
+      overrideReason: override?.reason || null,
+      overrideTimestamp: override?.timestamp || null,
+    },
+    
+    // Structured proposal (if provided)
+    proposal: proposal ? {
+      intent: proposal.intent,
+      summary: proposal.summary,
+      confidence: proposal.confidence,
+      assumptions: proposal.assumptions,
+      filesTouched: proposal.filesTouched,
+      operationCount: proposal.operations?.length || 0,
+    } : null,
+    
+    // Metadata
     metadata: {
       totalFiles: files.length,
       totalLines: linesChanged,
       policyVersion: policy?.version || "unknown",
-      policyProfile: policy?.profile || "unknown"
+      policyProfile: policy?.profile || "unknown",
+      policyMode: policy?.mode || "unknown",
+      domains: [...new Set(files.map(f => f.domain))],
     }
   };
   
@@ -98,6 +186,11 @@ function buildChangePacket({
  * @param {object} params.verdict - Policy verdict
  * @param {object} params.unblockPlan - Unblock plan (if blocked)
  * @param {object} params.policy - Policy used for evaluation
+ * @param {object} params.riskScore - Risk scoring result
+ * @param {object} params.simulationResult - Diff simulation result
+ * @param {object} params.criticVerdict - Critic LLM verdict
+ * @param {object} params.proposal - Structured change proposal
+ * @param {object} params.override - Override information
  * @returns {object} Change packet
  */
 function buildMultiFileChangePacket({
@@ -107,7 +200,12 @@ function buildMultiFileChangePacket({
   evidence = [],
   verdict,
   unblockPlan = null,
-  policy = null
+  policy = null,
+  riskScore = null,
+  simulationResult = null,
+  criticVerdict = null,
+  proposal = null,
+  override = null
 }) {
   const timestamp = new Date().toISOString();
   
@@ -148,30 +246,86 @@ function buildMultiFileChangePacket({
     .filter(Boolean)
     .join("\n\n");
   
+  // Extract failed assumptions from evidence
+  const assumptionsFailed = evidence
+    .filter(e => e.status === "UNPROVEN" || !e.verified)
+    .map(e => e.claim?.key || e.claim?.type || e.assumption || "unknown");
+  
+  // Extract triggered rules from verdict
+  const rulesTriggered = (verdict?.violations || [])
+    .map(v => v.rule || v.type || v.id)
+    .filter(Boolean);
+  
   const packet = {
     id,
     timestamp,
     agentId,
     intent: intent || "No intent provided",
+    
+    // Original fields
     diff: unifiedDiff ? {
       unified: unifiedDiff,
-      before: null, // Multi-file diffs don't store full before/after
+      before: null,
       after: null
     } : null,
     files,
     claims,
     evidence,
+    
+    // Verdict and decision
     verdict: verdict || {
       decision: "ALLOW",
       violations: [],
       message: "No verdict provided"
     },
     unblockPlan: unblockPlan || null,
+    
+    // Enhanced proof artifact fields
+    proof: {
+      changeId: `c-${id}`,
+      decision: verdict?.decision || "ALLOW",
+      rulesTriggered,
+      assumptionsFailed,
+      riskScore: riskScore?.total ?? null,
+      riskLevel: riskScore?.level || null,
+      riskFactors: riskScore?.reasons || [],
+      simulationResult: simulationResult ? {
+        passed: simulationResult.passed,
+        errorCount: simulationResult.errors?.length || 0,
+        warningCount: simulationResult.warnings?.length || 0,
+        errors: (simulationResult.errors || []).slice(0, 5).map(e => e.message || e),
+        warnings: (simulationResult.warnings || []).slice(0, 5).map(w => w.message || w),
+      } : null,
+      criticVerdict: criticVerdict ? {
+        verdict: criticVerdict.verdict,
+        confidence: criticVerdict.confidence,
+        reasoning: criticVerdict.reasoning || [],
+        violations: criticVerdict.violations || [],
+      } : null,
+      overrideUsed: override?.used || false,
+      overrideBy: override?.by || null,
+      overrideReason: override?.reason || null,
+      overrideTimestamp: override?.timestamp || null,
+    },
+    
+    // Structured proposal (if provided)
+    proposal: proposal ? {
+      intent: proposal.intent,
+      summary: proposal.summary,
+      confidence: proposal.confidence,
+      assumptions: proposal.assumptions,
+      filesTouched: proposal.filesTouched,
+      operationCount: proposal.operations?.length || 0,
+    } : null,
+    
+    // Metadata
     metadata: {
       totalFiles: files.length,
       totalLines: files.reduce((sum, f) => sum + f.linesChanged, 0),
       policyVersion: policy?.version || "unknown",
-      policyProfile: policy?.profile || "unknown"
+      policyProfile: policy?.profile || "unknown",
+      policyMode: policy?.mode || "unknown",
+      domains: [...new Set(files.map(f => f.domain))],
     }
   };
   
@@ -206,9 +360,129 @@ function classifyFileDomain(filePath) {
   return "general";
 }
 
+/**
+ * Build a standalone proof artifact for compliance
+ * @param {object} params - Proof parameters
+ * @returns {ProofArtifact} Proof artifact
+ */
+function buildProofArtifact({
+  changeId,
+  decision,
+  rulesTriggered = [],
+  assumptionsFailed = [],
+  riskScore = null,
+  simulationResult = null,
+  criticVerdict = null,
+  override = null,
+}) {
+  const timestamp = new Date().toISOString();
+  
+  return {
+    changeId: changeId || `c-${crypto.randomBytes(8).toString("hex")}`,
+    decision: decision || "BLOCK",
+    rulesTriggered,
+    assumptionsFailed,
+    riskScore: riskScore?.total ?? null,
+    riskLevel: riskScore?.level || "UNKNOWN",
+    riskFactors: riskScore?.reasons || [],
+    simulationResult: simulationResult ? {
+      passed: simulationResult.passed,
+      errorCount: simulationResult.errors?.length || 0,
+      warningCount: simulationResult.warnings?.length || 0,
+      brokenImports: (simulationResult.errors || [])
+        .filter(e => e.type === "broken_import" || e.type === "unresolved_import")
+        .map(e => e.import),
+    } : null,
+    criticVerdict: criticVerdict ? {
+      verdict: criticVerdict.verdict,
+      confidence: criticVerdict.confidence,
+      reasoning: criticVerdict.reasoning || [],
+    } : null,
+    timestamp,
+    overrideUsed: override?.used || false,
+    overrideBy: override?.by || null,
+    overrideReason: override?.reason || null,
+  };
+}
+
+/**
+ * Extract proof artifact from a change packet
+ * @param {object} packet - Change packet
+ * @returns {ProofArtifact} Proof artifact
+ */
+function extractProofArtifact(packet) {
+  if (packet.proof) {
+    return {
+      ...packet.proof,
+      timestamp: packet.timestamp,
+    };
+  }
+  
+  // Build from legacy packet format
+  return {
+    changeId: `c-${packet.id}`,
+    decision: packet.verdict?.decision || "UNKNOWN",
+    rulesTriggered: (packet.verdict?.violations || []).map(v => v.rule || v.type),
+    assumptionsFailed: packet.evidence
+      ?.filter(e => e.status === "UNPROVEN")
+      .map(e => e.claim?.key) || [],
+    riskScore: null,
+    riskLevel: "UNKNOWN",
+    simulationResult: null,
+    criticVerdict: null,
+    timestamp: packet.timestamp,
+    overrideUsed: false,
+    overrideBy: null,
+    overrideReason: null,
+  };
+}
+
+/**
+ * Format proof artifact for display
+ * @param {ProofArtifact} proof - Proof artifact
+ * @returns {string} Formatted string
+ */
+function formatProofArtifact(proof) {
+  const lines = [
+    `Change ID: ${proof.changeId}`,
+    `Decision: ${proof.decision}`,
+    `Timestamp: ${proof.timestamp}`,
+    "",
+  ];
+  
+  if (proof.riskScore !== null) {
+    lines.push(`Risk Score: ${proof.riskScore} (${proof.riskLevel})`);
+  }
+  
+  if (proof.rulesTriggered.length > 0) {
+    lines.push(`Rules Triggered: ${proof.rulesTriggered.join(", ")}`);
+  }
+  
+  if (proof.assumptionsFailed.length > 0) {
+    lines.push(`Assumptions Failed: ${proof.assumptionsFailed.join(", ")}`);
+  }
+  
+  if (proof.simulationResult) {
+    lines.push(`Simulation: ${proof.simulationResult.passed ? "PASSED" : "FAILED"} (${proof.simulationResult.errorCount} errors)`);
+  }
+  
+  if (proof.criticVerdict) {
+    lines.push(`Critic: ${proof.criticVerdict.verdict} (${(proof.criticVerdict.confidence * 100).toFixed(0)}% confidence)`);
+  }
+  
+  if (proof.overrideUsed) {
+    lines.push(`Override: Used by ${proof.overrideBy} - ${proof.overrideReason}`);
+  }
+  
+  return lines.join("\n");
+}
+
 module.exports = {
   buildChangePacket,
   buildMultiFileChangePacket,
+  buildProofArtifact,
+  extractProofArtifact,
+  formatProofArtifact,
   calculateLinesChanged,
   classifyFileDomain
 };

package/bin/runners/lib/agent-firewall/critic/index.js

@@ -0,0 +1,151 @@
+/**
+ * Critic Module
+ * 
+ * Entry point for the Critic LLM judge.
+ * The "savage" that evaluates proposal quality.
+ * 
+ * Usage:
+ *   const { critic } = require('./critic');
+ *   
+ *   // Configure with LLM client
+ *   critic.setClient(async (params) => {
+ *     return await callOpenAI(params);
+ *   });
+ *   
+ *   // Evaluate a proposal
+ *   const verdict = await critic.evaluate({
+ *     proposal,
+ *     validationResults,
+ *     riskScore,
+ *     simulationResult,
+ *     realityState,
+ *   });
+ */
+
+"use strict";
+
+const {
+  CriticJudge,
+  createJudge,
+  defaultJudge,
+} = require("./judge");
+
+const {
+  CRITIC_SYSTEM_PROMPT,
+  EVALUATION_PROMPT_TEMPLATE,
+  VAGUENESS_CHECK_PROMPT,
+  ASSUMPTION_VERIFICATION_PROMPT,
+  buildEvaluationPrompt,
+  buildVaguenessPrompt,
+  buildVerificationPrompt,
+  parseCriticResponse,
+} = require("./prompts");
+
+/**
+ * Critic singleton interface
+ */
+const critic = {
+  /**
+   * Set the LLM client for the default judge
+   * @param {Function} client - LLM client function
+   */
+  setClient(client) {
+    defaultJudge.setClient(client);
+  },
+  
+  /**
+   * Check if critic is available
+   * @returns {boolean} Is available
+   */
+  isAvailable() {
+    return defaultJudge.isAvailable();
+  },
+  
+  /**
+   * Evaluate a proposal
+   * @param {Object} params - Evaluation parameters
+   * @returns {Promise<Object>} Critic verdict
+   */
+  async evaluate(params) {
+    return defaultJudge.evaluate(params);
+  },
+  
+  /**
+   * Check for vagueness
+   * @param {Object} proposal - Proposal to check
+   * @returns {Promise<Object>} Vagueness analysis
+   */
+  async checkVagueness(proposal) {
+    return defaultJudge.checkVagueness(proposal);
+  },
+  
+  /**
+   * Verify assumptions
+   * @param {Array} assumptions - Assumptions to verify
+   * @param {Object} realityState - Repository state
+   * @returns {Promise<Object>} Verification results
+   */
+  async verifyAssumptions(assumptions, realityState) {
+    return defaultJudge.verifyAssumptions(assumptions, realityState);
+  },
+  
+  /**
+   * Create a new judge instance
+   * @param {Object} options - Configuration
+   * @returns {CriticJudge} New judge instance
+   */
+  createJudge(options) {
+    return createJudge(options);
+  },
+  
+  /**
+   * Get the system prompt
+   * @returns {string} System prompt
+   */
+  getSystemPrompt() {
+    return CRITIC_SYSTEM_PROMPT;
+  },
+  
+  /**
+   * Build an evaluation prompt
+   * @param {Object} data - Prompt data
+   * @returns {string} Filled prompt
+   */
+  buildPrompt(data) {
+    return buildEvaluationPrompt(data);
+  },
+  
+  /**
+   * Parse a critic response
+   * @param {string} response - LLM response
+   * @returns {Object} Parsed verdict
+   */
+  parseResponse(response) {
+    return parseCriticResponse(response);
+  },
+  
+  /**
+   * Quick rule-based evaluation (no LLM)
+   * @param {Object} params - Evaluation params
+   * @returns {Object} Verdict
+   */
+  quickEvaluate(params) {
+    return defaultJudge.ruleBasedEvaluation(params);
+  },
+};
+
+module.exports = {
+  critic,
+  CriticJudge,
+  createJudge,
+  defaultJudge,
+  // Prompt exports
+  CRITIC_SYSTEM_PROMPT,
+  EVALUATION_PROMPT_TEMPLATE,
+  VAGUENESS_CHECK_PROMPT,
+  ASSUMPTION_VERIFICATION_PROMPT,
+  buildEvaluationPrompt,
+  buildVaguenessPrompt,
+  buildVerificationPrompt,
+  parseCriticResponse,
+};