@vibecheckai/cli 3.2.6 → 3.3.0

package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js

@@ -0,0 +1,530 @@
+/**
+ * Time Machine Timeline Builder
+ * 
+ * Builds event timelines from multiple sources.
+ * Correlates agent actions with outcomes and incidents.
+ * 
+ * Codename: Time Machine
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const { timeMachineLogger: log, getErrorMessage } = require("../logger.js");
+
+/**
+ * @typedef {Object} TimelineEvent
+ * @property {string} id - Event ID
+ * @property {Date} timestamp - When event occurred
+ * @property {string} type - Event type
+ * @property {string} source - Event source (firewall, conductor, git, etc.)
+ * @property {string} summary - Human-readable summary
+ * @property {Object} details - Full event details
+ * @property {string[]} relatedEvents - IDs of related events
+ * @property {Object} [causalLink] - Link to caused/causing events
+ */
+
+/**
+ * @typedef {Object} ForensicTimeline
+ * @property {string} timelineId - Timeline ID
+ * @property {Object} incident - Incident info if applicable
+ * @property {TimelineEvent[]} events - All events in timeline
+ * @property {Object[]} causalChain - Causal relationships
+ * @property {TimelineEvent} [rootCause] - Identified root cause
+ * @property {Date} generatedAt - When timeline was generated
+ */
+
+/**
+ * Event types for timeline
+ */
+const EVENT_TYPES = {
+  PROPOSAL_SUBMITTED: "proposal_submitted",
+  PROPOSAL_ALLOWED: "proposal_allowed",
+  PROPOSAL_BLOCKED: "proposal_blocked",
+  PROPOSAL_WARNED: "proposal_warned",
+  OVERRIDE_USED: "override_used",
+  FILE_CHANGED: "file_changed",
+  SESSION_STARTED: "session_started",
+  SESSION_ENDED: "session_ended",
+  LOCK_ACQUIRED: "lock_acquired",
+  LOCK_RELEASED: "lock_released",
+  CONFLICT_DETECTED: "conflict_detected",
+  INCIDENT_REPORTED: "incident_reported",
+  BUILD_FAILED: "build_failed",
+  TEST_FAILED: "test_failed",
+};
+
+/**
+ * Timeline Builder class
+ */
+class TimelineBuilder {
+  constructor(options = {}) {
+    this.projectRoot = options.projectRoot || process.cwd();
+    this.auditDir = path.join(this.projectRoot, ".vibecheck", "audit");
+    this.packetsDir = path.join(this.projectRoot, ".vibecheck", "packets");
+    this.incidentsDir = path.join(this.projectRoot, ".vibecheck", "incidents");
+  }
+  
+  /**
+   * Build a timeline for a time range
+   * @param {Object} options - Build options
+   * @returns {ForensicTimeline} Built timeline
+   */
+  async buildTimeline(options = {}) {
+    const {
+      startTime,
+      endTime = new Date(),
+      file = null,
+      agentId = null,
+      includeGit = true,
+      includeIncidents = true,
+    } = options;
+    
+    const timelineId = `timeline_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+    const events = [];
+    
+    // Load firewall events
+    const firewallEvents = await this.loadFirewallEvents(startTime, endTime, file, agentId);
+    events.push(...firewallEvents);
+    
+    // Load conductor events
+    const conductorEvents = await this.loadConductorEvents(startTime, endTime, agentId);
+    events.push(...conductorEvents);
+    
+    // Load git events if requested
+    if (includeGit) {
+      const gitEvents = await this.loadGitEvents(startTime, endTime, file);
+      events.push(...gitEvents);
+    }
+    
+    // Load incident events if requested
+    let incidentInfo = null;
+    if (includeIncidents) {
+      const incidentEvents = await this.loadIncidentEvents(startTime, endTime, file);
+      events.push(...incidentEvents);
+      
+      // Find the main incident if any
+      incidentInfo = incidentEvents.find(e => e.type === EVENT_TYPES.INCIDENT_REPORTED)?.details;
+    }
+    
+    // Sort by timestamp
+    events.sort((a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime());
+    
+    // Build causal relationships
+    const { causalChain, rootCause } = this.buildCausalChain(events);
+    
+    // Link related events
+    this.linkRelatedEvents(events);
+    
+    return {
+      timelineId,
+      incident: incidentInfo,
+      events,
+      causalChain,
+      rootCause,
+      generatedAt: new Date(),
+      options,
+    };
+  }
+  
+  /**
+   * Load firewall events from audit log
+   * @param {Date} startTime - Start time
+   * @param {Date} endTime - End time
+   * @param {string} file - File filter
+   * @param {string} agentId - Agent filter
+   * @returns {TimelineEvent[]} Firewall events
+   */
+  async loadFirewallEvents(startTime, endTime, file, agentId) {
+    const events = [];
+    const auditFile = path.join(this.auditDir, "firewall-events.jsonl");
+    
+    if (!fs.existsSync(auditFile)) {
+      return events;
+    }
+    
+    try {
+      const content = fs.readFileSync(auditFile, "utf-8");
+      const lines = content.trim().split("\n").filter(l => l);
+      
+      for (const line of lines) {
+        try {
+          const raw = JSON.parse(line);
+          const eventTime = new Date(raw.timestamp);
+          
+          // Apply filters
+          if (startTime && eventTime < new Date(startTime)) continue;
+          if (endTime && eventTime > new Date(endTime)) continue;
+          if (file && raw.file !== file && !raw.file?.includes(file)) continue;
+          if (agentId && raw.agentId !== agentId) continue;
+          
+          events.push({
+            id: raw.id || `evt_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+            timestamp: eventTime,
+            type: this.mapVerdictToEventType(raw.verdict, raw.action),
+            source: "firewall",
+            summary: this.buildFirewallSummary(raw),
+            details: raw,
+            relatedEvents: [],
+          });
+        } catch {
+          // Skip invalid lines
+        }
+      }
+    } catch (error) {
+      log.warn(`Failed to load firewall events: ${getErrorMessage(error)}`);
+    }
+    
+    return events;
+  }
+  
+  /**
+   * Load conductor events
+   * @param {Date} startTime - Start time
+   * @param {Date} endTime - End time
+   * @param {string} agentId - Agent filter
+   * @returns {TimelineEvent[]} Conductor events
+   */
+  async loadConductorEvents(startTime, endTime, agentId) {
+    const events = [];
+    const conductorFile = path.join(this.auditDir, "conductor-events.jsonl");
+    
+    if (!fs.existsSync(conductorFile)) {
+      return events;
+    }
+    
+    try {
+      const content = fs.readFileSync(conductorFile, "utf-8");
+      const lines = content.trim().split("\n").filter(l => l);
+      
+      for (const line of lines) {
+        try {
+          const raw = JSON.parse(line);
+          const eventTime = new Date(raw.timestamp);
+          
+          if (startTime && eventTime < new Date(startTime)) continue;
+          if (endTime && eventTime > new Date(endTime)) continue;
+          if (agentId && raw.agentId !== agentId) continue;
+          
+          events.push({
+            id: raw.id || `evt_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+            timestamp: eventTime,
+            type: raw.type || raw.action,
+            source: "conductor",
+            summary: this.buildConductorSummary(raw),
+            details: raw,
+            relatedEvents: [],
+          });
+        } catch {
+          // Skip invalid lines
+        }
+      }
+    } catch (error) {
+      log.warn(`Failed to load conductor events: ${getErrorMessage(error)}`);
+    }
+    
+    return events;
+  }
+  
+  /**
+   * Load git events (commits, merges)
+   * @param {Date} startTime - Start time
+   * @param {Date} endTime - End time
+   * @param {string} file - File filter
+   * @returns {TimelineEvent[]} Git events
+   */
+  async loadGitEvents(startTime, endTime, file) {
+    const events = [];
+    
+    // This would typically call git log
+    // For now, return empty - would be implemented with git integration
+    
+    return events;
+  }
+  
+  /**
+   * Load incident events
+   * @param {Date} startTime - Start time
+   * @param {Date} endTime - End time
+   * @param {string} file - File filter
+   * @returns {TimelineEvent[]} Incident events
+   */
+  async loadIncidentEvents(startTime, endTime, file) {
+    const events = [];
+    const incidentsFile = path.join(this.incidentsDir, "incidents.jsonl");
+    
+    if (!fs.existsSync(incidentsFile)) {
+      return events;
+    }
+    
+    try {
+      const content = fs.readFileSync(incidentsFile, "utf-8");
+      const lines = content.trim().split("\n").filter(l => l);
+      
+      for (const line of lines) {
+        try {
+          const raw = JSON.parse(line);
+          const eventTime = new Date(raw.timestamp || raw.reportedAt);
+          
+          if (startTime && eventTime < new Date(startTime)) continue;
+          if (endTime && eventTime > new Date(endTime)) continue;
+          if (file && !raw.affectedFiles?.includes(file)) continue;
+          
+          events.push({
+            id: raw.id || raw.incidentId,
+            timestamp: eventTime,
+            type: EVENT_TYPES.INCIDENT_REPORTED,
+            source: "incident",
+            summary: `Incident: ${raw.title || raw.description || "Unknown"}`,
+            details: raw,
+            relatedEvents: [],
+          });
+        } catch {
+          // Skip invalid lines
+        }
+      }
+    } catch (error) {
+      log.warn(`Failed to load incident events: ${getErrorMessage(error)}`);
+    }
+    
+    return events;
+  }
+  
+  /**
+   * Map verdict to event type
+   * @param {string} verdict - Verdict
+   * @param {string} action - Action
+   * @returns {string} Event type
+   */
+  mapVerdictToEventType(verdict, action) {
+    if (action === "override") return EVENT_TYPES.OVERRIDE_USED;
+    
+    switch (verdict) {
+      case "ALLOW":
+        return EVENT_TYPES.PROPOSAL_ALLOWED;
+      case "BLOCK":
+        return EVENT_TYPES.PROPOSAL_BLOCKED;
+      case "WARN":
+        return EVENT_TYPES.PROPOSAL_WARNED;
+      default:
+        return EVENT_TYPES.PROPOSAL_SUBMITTED;
+    }
+  }
+  
+  /**
+   * Build summary for firewall event
+   * @param {Object} raw - Raw event data
+   * @returns {string} Summary
+   */
+  buildFirewallSummary(raw) {
+    const parts = [];
+    
+    if (raw.verdict) {
+      parts.push(`[${raw.verdict}]`);
+    }
+    
+    if (raw.agentId) {
+      parts.push(`Agent: ${raw.agentId}`);
+    }
+    
+    if (raw.file) {
+      parts.push(`File: ${path.basename(raw.file)}`);
+    }
+    
+    if (raw.intent) {
+      parts.push(raw.intent.slice(0, 50) + (raw.intent.length > 50 ? "..." : ""));
+    }
+    
+    return parts.join(" | ") || "Firewall event";
+  }
+  
+  /**
+   * Build summary for conductor event
+   * @param {Object} raw - Raw event data
+   * @returns {string} Summary
+   */
+  buildConductorSummary(raw) {
+    const parts = [];
+    
+    if (raw.type || raw.action) {
+      parts.push(`[${raw.type || raw.action}]`);
+    }
+    
+    if (raw.agentId) {
+      parts.push(`Agent: ${raw.agentId}`);
+    }
+    
+    if (raw.sessionId) {
+      parts.push(`Session: ${raw.sessionId.slice(0, 12)}...`);
+    }
+    
+    return parts.join(" | ") || "Conductor event";
+  }
+  
+  /**
+   * Build causal chain from events
+   * @param {TimelineEvent[]} events - Events to analyze
+   * @returns {Object} Causal chain and root cause
+   */
+  buildCausalChain(events) {
+    const causalChain = [];
+    let rootCause = null;
+    
+    // Find incident events
+    const incidents = events.filter(e => e.type === EVENT_TYPES.INCIDENT_REPORTED);
+    
+    if (incidents.length === 0) {
+      return { causalChain, rootCause };
+    }
+    
+    // For each incident, trace back to find potential causes
+    for (const incident of incidents) {
+      const affectedFiles = incident.details.affectedFiles || [];
+      const incidentTime = new Date(incident.timestamp);
+      
+      // Find events that affected the same files before the incident
+      const potentialCauses = events.filter(e => {
+        const eventTime = new Date(e.timestamp);
+        if (eventTime >= incidentTime) return false;
+        
+        const eventFile = e.details?.file;
+        if (!eventFile) return false;
+        
+        return affectedFiles.some(f => f.includes(eventFile) || eventFile.includes(f));
+      });
+      
+      // Look for overrides or blocked proposals that were overridden
+      for (const cause of potentialCauses) {
+        if (cause.type === EVENT_TYPES.OVERRIDE_USED ||
+            (cause.type === EVENT_TYPES.PROPOSAL_ALLOWED && cause.details?.overrideUsed)) {
+          causalChain.push({
+            cause: cause.id,
+            effect: incident.id,
+            relationship: "override_led_to_incident",
+            confidence: 0.8,
+          });
+          
+          if (!rootCause) {
+            rootCause = cause;
+          }
+        }
+      }
+      
+      // Also look for the first suspicious change
+      const firstSuspicious = potentialCauses.find(e => 
+        e.type === EVENT_TYPES.PROPOSAL_ALLOWED &&
+        (e.details?.riskScore || 0) >= 50
+      );
+      
+      if (firstSuspicious && !rootCause) {
+        rootCause = firstSuspicious;
+        causalChain.push({
+          cause: firstSuspicious.id,
+          effect: incident.id,
+          relationship: "high_risk_change_led_to_incident",
+          confidence: 0.6,
+        });
+      }
+    }
+    
+    return { causalChain, rootCause };
+  }
+  
+  /**
+   * Link related events together
+   * @param {TimelineEvent[]} events - Events to link
+   */
+  linkRelatedEvents(events) {
+    // Group events by file
+    const byFile = new Map();
+    
+    for (const event of events) {
+      const file = event.details?.file;
+      if (file) {
+        if (!byFile.has(file)) {
+          byFile.set(file, []);
+        }
+        byFile.get(file).push(event);
+      }
+    }
+    
+    // Link events that share the same file
+    for (const [, fileEvents] of byFile) {
+      for (let i = 0; i < fileEvents.length; i++) {
+        for (let j = i + 1; j < fileEvents.length; j++) {
+          fileEvents[i].relatedEvents.push(fileEvents[j].id);
+          fileEvents[j].relatedEvents.push(fileEvents[i].id);
+        }
+      }
+    }
+    
+    // Group events by session
+    const bySession = new Map();
+    
+    for (const event of events) {
+      const sessionId = event.details?.sessionId;
+      if (sessionId) {
+        if (!bySession.has(sessionId)) {
+          bySession.set(sessionId, []);
+        }
+        bySession.get(sessionId).push(event);
+      }
+    }
+    
+    // Link events in same session
+    for (const [, sessionEvents] of bySession) {
+      for (let i = 0; i < sessionEvents.length; i++) {
+        for (let j = i + 1; j < sessionEvents.length; j++) {
+          if (!sessionEvents[i].relatedEvents.includes(sessionEvents[j].id)) {
+            sessionEvents[i].relatedEvents.push(sessionEvents[j].id);
+          }
+          if (!sessionEvents[j].relatedEvents.includes(sessionEvents[i].id)) {
+            sessionEvents[j].relatedEvents.push(sessionEvents[i].id);
+          }
+        }
+      }
+    }
+  }
+  
+  /**
+   * Generate a timeline report
+   * @param {ForensicTimeline} timeline - Timeline to report on
+   * @returns {Object} Report
+   */
+  generateReport(timeline) {
+    const eventCounts = {};
+    const sourceCounts = {};
+    
+    for (const event of timeline.events) {
+      eventCounts[event.type] = (eventCounts[event.type] || 0) + 1;
+      sourceCounts[event.source] = (sourceCounts[event.source] || 0) + 1;
+    }
+    
+    return {
+      timelineId: timeline.timelineId,
+      generatedAt: timeline.generatedAt,
+      totalEvents: timeline.events.length,
+      eventCounts,
+      sourceCounts,
+      hasIncident: !!timeline.incident,
+      rootCauseIdentified: !!timeline.rootCause,
+      causalChainLength: timeline.causalChain.length,
+      timeRange: {
+        start: timeline.events[0]?.timestamp,
+        end: timeline.events[timeline.events.length - 1]?.timestamp,
+      },
+    };
+  }
+}
+
+/**
+ * Create a timeline builder instance
+ * @param {Object} options - Options
+ * @returns {TimelineBuilder} Timeline builder
+ */
+function createTimelineBuilder(options = {}) {
+  return new TimelineBuilder(options);
+}
+
+module.exports = { TimelineBuilder, createTimelineBuilder, EVENT_TYPES };

package/bin/runners/lib/analyzers.js

@@ -177,19 +177,69 @@ function pathLooksLikeAsset(p) {
 }
 
 function isInternalUtilityRoute(p) {
-  return !!rxTest(/^\/(health|metrics|ready|live|version|debug|internal|security|websocket|ws|admin|dashboard|_|\.)/i, p);
+  // Common internal/utility routes that should NOT be flagged as missing
+  // These are typically framework-specific, monitoring, or debugging endpoints
+  const internalPatterns = [
+    // Health/monitoring
+    /^\/(health|healthz|healthcheck|ready|readyz|live|livez|liveness|readiness|metrics|status|ping|version)/i,
+    // Internal/debug
+    /^\/(debug|internal|_internal|__internal|security|\.well-known)/i,
+    // WebSockets
+    /^\/(websocket|ws|socket\.io|sockjs)/i,
+    // Admin/dashboard
+    /^\/(admin|dashboard|_admin|__admin)/i,
+    // Next.js internals
+    /^\/_next\//i,
+    // Vite/dev tools
+    /^\/@vite|^\/@fs|^\/__vite/i,
+    // GraphQL
+    /^\/(graphql|graphiql|playground)/i,
+    // Swagger/API docs
+    /^\/(swagger|api-docs|openapi|docs|redoc)/i,
+    // Auth callbacks
+    /^\/(auth|oauth|callback|login|logout|signin|signout)\/?(callback|redirect)?$/i,
+    // Common framework routes
+    /^\/(favicon\.ico|robots\.txt|sitemap\.xml|manifest\.json)$/i,
+    // Vercel/serverless
+    /^\/api\/_/i,
+    // Hidden paths
+    /^\/[._]/i,
+  ];
+  return internalPatterns.some(rx => rxTest(rx, p));
 }
 
 function looksInventedRoute(p) {
-  // Stuff AI loves to hallucinate - but NOT legitimate test endpoints like /test-email
-  // Only flag truly fake/placeholder routes, not common test/debug endpoints
-  if (rxTest(/^\/(fake|dummy|foo|bar|baz|xxx|yyy|placeholder|asdf|qwerty|lorem|ipsum)\b/i, p)) return true;
-  // Random hashes in path
-  if (rxTest(/\/[a-f0-9]{32,}\b/i, p)) return true;
-  // Obvious "ai generated" patterns
-  if (rxTest(/^\/(generated|auto[-_]?gen)\b/i, p)) return true;
-  // Obvious placeholder test data patterns (not legitimate /test-* endpoints)
-  if (rxTest(/\/(test123|abc123|demo123|sample123)\b/i, p)) return true;
+  // Stuff AI loves to hallucinate - but be VERY precise to avoid false positives
+  // Only flag patterns that are CLEARLY fake/placeholder
+  
+  // Require routes to start with these patterns (not just contain them)
+  // This avoids flagging legitimate routes like /users/foo-bar-123
+  const clearlyFakeStarts = [
+    /^\/(fake|dummy|placeholder|asdf|qwerty|lorem|ipsum)\b/i,
+    /^\/(foo|bar|baz|xxx|yyy)$/i, // Only if it's the ENTIRE route segment
+  ];
+  
+  for (const rx of clearlyFakeStarts) {
+    if (rxTest(rx, p)) return true;
+  }
+  
+  // Obvious "ai generated" patterns - must be at route start
+  if (rxTest(/^\/(generated|auto[-_]?gen|ai[-_]?gen)\b/i, p)) return true;
+  
+  // Obvious placeholder test data patterns (test123, abc123, demo123)
+  // Only if the ENTIRE segment is clearly placeholder
+  if (rxTest(/\/(test123|abc123|demo123|sample123|example123)$/i, p)) return true;
+  
+  // Very long hex strings in route (32+ chars) that aren't IDs
+  // Skip if it looks like a valid UUID pattern or session token
+  const segments = p.split('/').filter(Boolean);
+  for (const seg of segments) {
+    // Long hex that's NOT a UUID format and NOT a reasonable ID length
+    if (/^[a-f0-9]{40,}$/i.test(seg) && !/^[a-f0-9]{8}-/.test(seg)) {
+      return true;
+    }
+  }
+  
   return false;
 }
 
@@ -445,7 +495,9 @@ function findMissingRoutes(truthpack) {
       .sort((a, b) => b.score - a.score)
       .slice(0, 3);
 
-    return scored.filter((x) => x.score >= 0.35).map((x) => ({
+    // Raise threshold to 0.50 to only show genuinely similar routes
+    // This reduces "did you mean" noise for unrelated routes
+    return scored.filter((x) => x.score >= 0.50).map((x) => ({
       method: x.r._method,
       path: x.r._pathNorm,
       score: Number(x.score.toFixed(2)),
@@ -553,28 +605,39 @@ function findMissingRoutes(truthpack) {
 
     const invented = looksInventedRoute(pNorm);
     const internal = isInternalUtilityRoute(pNorm);
+    
+    // Skip internal utility routes entirely - they're almost never real issues
+    if (internal) continue;
 
     // Similarity suggestions
     const suggestions = closestSuggestions(method, pNorm);
 
-    // Confidence + severity gating
+    // Confidence + severity gating - CONSERVATIVE by default to reduce noise
     let confidence = "low";
     let severity = "WARN";
 
-    if (invented && !internal) {
+    if (invented) {
+      // Only BLOCK truly invented routes - and require high confidence
       severity = "BLOCK";
       confidence = "high";
-    } else if (routeMapQuality === "strong" && !isLikelyMonorepo && !internal) {
-      // Only escalate if route map quality is strong and it doesn't look like a monorepo
+    } else if (routeMapQuality === "strong" && !isLikelyMonorepo) {
+      // Even with strong route map, be conservative
       const best = suggestions[0]?.score ?? 0;
-      // If there's no close suggestion, it's more likely actually missing
-      if (best < 0.40) {
-        severity = "WARN"; // keep WARN by default; you can flip to BLOCK if you want
+      if (best < 0.30) {
+        // No close matches - more likely to be a real issue, but still WARN
         confidence = "med";
+        severity = "WARN";
+      } else if (best >= 0.70) {
+        // Very close match exists - probably a typo, keep as low-priority WARN
+        confidence = "low";
+        severity = "WARN";
       } else {
+        // Moderate similarity - unclear
         confidence = "low";
+        severity = "WARN";
       }
     } else {
+      // Weak route map or monorepo - don't trust findings, always WARN with low confidence
       confidence = "low";
       severity = "WARN";
     }