@vibecheckai/cli 3.2.6 → 3.3.0

package/mcp-server/agent-firewall-interceptor.js

@@ -3,25 +3,91 @@
  * 
  * Intercepts file write/patch tool calls from AI agents.
  * Validates changes against truthpack and policy before allowing writes.
+ * 
+ * Codename: Sentinel
+ * 
+ * Tier-based enforcement:
+ * - FREE: Observe mode (logs violations but allows writes)
+ * - STARTER: Advisory mode (warns but allows with confirmation)
+ * - PRO: Enforce mode (blocks violations)
+ * - ENTERPRISE: Enforce mode + audit trail
+ * 
+ * SECURITY: Tier is NEVER trusted from client - always derived from validated API key
  */
 
-"use strict";
+import path from "path";
+import fs from "fs";
+import { createRequire } from "module";
+
+// Import tier auth for secure tier validation
+import { getMcpToolAccess } from "./tier-auth.js";
 
-const path = require("path");
-const fs = require("fs");
-const { interceptFileWrite, interceptMultiFileWrite } = require("../../bin/runners/lib/agent-firewall/interceptor/base");
+const require = createRequire(import.meta.url);
+
+// Import core firewall modules
+const { interceptFileWrite, interceptMultiFileWrite } = require("../bin/runners/lib/agent-firewall/interceptor/base");
+const { loadPolicy } = require("../bin/runners/lib/agent-firewall/policy/loader");
+
+// Import new Sentinel modules
+let reality, risk, simulator, proposal, critic, proofBuilder;
+try {
+  reality = require("../bin/runners/lib/agent-firewall/reality");
+  risk = require("../bin/runners/lib/agent-firewall/risk");
+  simulator = require("../bin/runners/lib/agent-firewall/simulator");
+  proposal = require("../bin/runners/lib/agent-firewall/proposal");
+  critic = require("../bin/runners/lib/agent-firewall/critic");
+  proofBuilder = require("../bin/runners/lib/agent-firewall/change-packet/builder");
+} catch (err) {
+  console.warn(`[Agent Firewall] Some Sentinel modules not available: ${err.message}`);
+}
+
+// Tier-based policy mode mapping
+const TIER_POLICY_MODES = {
+  FREE: "observe",         // Log only, never block
+  STARTER: "advisory",     // Warn, allow with confirmation
+  PRO: "enforce",          // Block violations
+  ENTERPRISE: "enforce",   // Block + full audit
+};
+
+/**
+ * Get effective policy mode based on tier
+ * @param {string} tier - User's subscription tier
+ * @param {object} policy - Policy configuration
+ * @returns {string} Effective mode
+ */
+function getEffectivePolicyMode(tier, policy) {
+  // If policy explicitly sets mode, respect it for PRO+
+  if (policy.mode && (tier === "PRO" || tier === "ENTERPRISE")) {
+    return policy.mode;
+  }
+  
+  // Otherwise use tier-based defaults
+  return TIER_POLICY_MODES[tier] || "observe";
+}
 
 /**
  * MCP Tool Definition
  */
 const AGENT_FIREWALL_TOOL = {
   name: "vibecheck_agent_firewall_intercept",
-  description: `🛡️ Agent Firewall - Intercepts AI code changes and validates against repo truth.
+  description: `🛡️ Agent Firewall (Sentinel) - Intercepts AI code changes and validates against repo truth.
 
 This tool MUST be called before any file write/patch operations.
-It validates changes against truthpack and policy rules.
+It validates changes against truthpack, policy rules, and reality state.
+
+Features:
+- Reality state validation (routes, env vars, services)
+- Risk scoring (surface area, blast radius, irreversibility)
+- Diff simulation (broken imports, orphaned files)
+- Assumption verification
+- Proof artifact generation
+
+Tier modes:
+- FREE: Observe (logs only)
+- STARTER: Advisory (warns)
+- PRO/ENTERPRISE: Enforce (blocks)
 
-Returns: { allowed, verdict, violations, unblockPlan }`,
+Returns: { allowed, verdict, riskScore, violations, unblockPlan, proofId }`,
   inputSchema: {
     type: "object",
     required: ["agentId", "filePath", "content"],
@@ -46,17 +112,50 @@ Returns: { allowed, verdict, violations, unblockPlan }`,
         type: "string",
         description: "Agent's stated intent for this change"
       },
+      summary: {
+        type: "string",
+        description: "Human-readable summary of the change"
+      },
+      assumptions: {
+        type: "array",
+        description: "Declared assumptions (auto-extracted if not provided)",
+        items: {
+          type: "object",
+          properties: {
+            type: { type: "string", enum: ["env", "route", "service", "file"] },
+            key: { type: "string" },
+            reason: { type: "string" }
+          }
+        }
+      },
+      confidence: {
+        type: "number",
+        description: "Confidence level (0-1) that the change is correct",
+        minimum: 0,
+        maximum: 1
+      },
       projectRoot: {
         type: "string",
         default: ".",
         description: "Project root directory"
+      },
+      apiKey: {
+        type: "string",
+        description: "API key for authentication (tier is derived from this, never client-provided)"
       }
+      // NOTE: 'tier' parameter removed for security - tier is now derived from validated apiKey
+      // Accepting tier from client allowed privilege escalation attacks
     }
   }
 };
 
 /**
  * Handle MCP tool call
+ * 
+ * SECURITY: Tier is NEVER accepted from client args - always derived from validated API key.
+ * Previous implementation accepted args.tier which allowed attackers to escalate privileges
+ * by simply passing tier: "ENTERPRISE".
+ * 
  * @param {string} name - Tool name (unused, for consistency)
  * @param {object} args - Tool arguments
  * @returns {object} MCP tool response
@@ -69,6 +168,19 @@ async function handleAgentFirewallIntercept(name, args) {
   const oldContent = args.oldContent || null;
   const intent = args.intent || "No intent provided";
   
+  // SECURITY FIX: Derive tier from validated API key, NEVER trust client-provided tier
+  let tier = "FREE"; // Default to most restrictive (observe mode)
+  try {
+    const access = await getMcpToolAccess("vibecheck_agent_firewall_intercept", args.apiKey);
+    if (access.tier) {
+      tier = access.tier.toUpperCase();
+    }
+    // Note: Even if access check fails, we continue with FREE tier (observe mode)
+    // This allows the tool to still provide value while logging violations
+  } catch (err) {
+    console.warn(`[Agent Firewall] Tier validation failed, defaulting to FREE: ${err.message}`);
+  }
+  
   // Validate file path is within project root
   const fileAbs = path.resolve(projectRoot, filePath);
   if (!fileAbs.startsWith(projectRoot + path.sep) && fileAbs !== projectRoot) {
@@ -82,13 +194,97 @@ async function handleAgentFirewallIntercept(name, args) {
   }
   
   try {
+    // Load policy and determine effective mode based on tier
+    const policy = loadPolicy(projectRoot);
+    const effectiveMode = getEffectivePolicyMode(tier, policy);
+    
     // Read old content if not provided
+    // SECURITY FIX: Compute content hash to detect concurrent modifications
+    // Between reading and validation, another agent could modify the file.
+    // We provide the hash so callers can verify before actual write.
     let actualOldContent = oldContent;
+    let oldContentHash = null;
+    const crypto = require('crypto');
+    
     if (!actualOldContent && fs.existsSync(fileAbs)) {
       actualOldContent = fs.readFileSync(fileAbs, "utf8");
     }
     
-    // Intercept the write
+    // Compute hash of the content we're validating against
+    if (actualOldContent) {
+      oldContentHash = crypto.createHash('sha256').update(actualOldContent).digest('hex');
+    }
+    
+    // Build structured proposal from args
+    let structuredProposal = null;
+    if (proposal) {
+      structuredProposal = proposal.proposal.create(
+        proposal.proposal.normalizeIntent(intent),
+        [{ type: actualOldContent ? "modify" : "create", path: filePath, content }]
+      );
+      structuredProposal.summary = args.summary || intent;
+      structuredProposal.assumptions = args.assumptions || [];
+      structuredProposal.confidence = args.confidence ?? 0.5;
+      
+      // Auto-extract assumptions if not provided
+      if (structuredProposal.assumptions.length === 0) {
+        const extracted = proposal.extractFromOperations(structuredProposal.operations);
+        structuredProposal.assumptions = extracted;
+      }
+      
+      // Validate proposal
+      const validationResult = proposal.proposal.validate(structuredProposal);
+      if (!validationResult.valid && effectiveMode === "enforce") {
+        return {
+          content: [{
+            type: "text",
+            text: `❌ INVALID PROPOSAL: ${validationResult.errors.map(e => e.message).join(", ")}`
+          }],
+          isError: true
+        };
+      }
+    }
+    
+    // Get reality state
+    let realityState = null;
+    if (reality) {
+      try {
+        realityState = reality.reality.getState(projectRoot);
+      } catch (err) {
+        console.warn(`[Agent Firewall] Reality state unavailable: ${err.message}`);
+      }
+    }
+    
+    // Calculate risk score
+    let riskScore = null;
+    if (risk && structuredProposal) {
+      try {
+        riskScore = risk.calculateRiskScore({
+          files: [{ path: filePath }],
+          operations: structuredProposal.operations,
+          claims: [],
+          evidence: [],
+          intent,
+          assumptions: structuredProposal.assumptions,
+          proposalConfidence: structuredProposal.confidence,
+          policy,
+        });
+      } catch (err) {
+        console.warn(`[Agent Firewall] Risk scoring failed: ${err.message}`);
+      }
+    }
+    
+    // Run diff simulation
+    let simulationResult = null;
+    if (simulator && content) {
+      try {
+        simulationResult = simulator.quickSimulate(projectRoot, filePath, content, actualOldContent);
+      } catch (err) {
+        console.warn(`[Agent Firewall] Simulation failed: ${err.message}`);
+      }
+    }
+    
+    // Intercept the write with core firewall
     const result = await interceptFileWrite({
       projectRoot,
       agentId,
@@ -98,42 +294,182 @@ async function handleAgentFirewallIntercept(name, args) {
       oldContent: actualOldContent
     });
     
-    // Check policy mode (already loaded in interceptFileWrite, but we need it for mode check)
-    const { loadPolicy } = require("../../bin/runners/lib/agent-firewall/policy/loader");
-    const policy = loadPolicy(projectRoot);
+    // Get critic verdict (rule-based, LLM optional)
+    let criticVerdict = null;
+    if (critic) {
+      try {
+        criticVerdict = await critic.critic.evaluate({
+          proposal: structuredProposal,
+          validationResults: result,
+          riskScore,
+          simulationResult,
+          realityState,
+        });
+      } catch (err) {
+        console.warn(`[Agent Firewall] Critic evaluation failed: ${err.message}`);
+      }
+    }
     
-    if (policy.mode === "observe") {
-      // Observe mode - log but don't block
-      return {
-        content: [{
-          type: "text",
-          text: `📊 OBSERVE MODE: ${result.verdict}\n\n${result.message}\n\nPacket ID: ${result.packetId}`
-        }]
-      };
+    // Build enhanced proof artifact
+    let proofId = result.packetId;
+    if (proofBuilder && riskScore) {
+      try {
+        const proofArtifact = proofBuilder.buildProofArtifact({
+          changeId: `c-${result.packetId}`,
+          decision: result.verdict,
+          rulesTriggered: (result.violations || []).map(v => v.rule),
+          assumptionsFailed: (result.violations || []).filter(v => v.type === "assumption").map(v => v.key),
+          riskScore,
+          simulationResult,
+          criticVerdict,
+        });
+        proofId = proofArtifact.changeId;
+      } catch (err) {
+        console.warn(`[Agent Firewall] Proof artifact generation failed: ${err.message}`);
+      }
     }
     
-    // Enforce mode - block if not allowed
-    if (!result.allowed) {
-      let message = `❌ BLOCKED: ${result.message}\n\n`;
+    // Format response based on mode
+    const formatResponse = (isBlocked) => {
+      let message = "";
+      const icon = isBlocked ? "❌" : (effectiveMode === "observe" ? "📊" : "✅");
+      const modeLabel = effectiveMode.toUpperCase();
+      
+      message += `${icon} ${modeLabel} MODE: ${result.verdict}\n\n`;
+      
+      // Risk score
+      if (riskScore) {
+        message += `Risk: ${riskScore.total} (${riskScore.level})\n`;
+        if (riskScore.reasons.length > 0) {
+          message += `Factors: ${riskScore.reasons.slice(0, 3).join(", ")}\n`;
+        }
+        message += "\n";
+      }
       
+      // Simulation result
+      if (simulationResult) {
+        message += `Simulation: ${simulationResult.passed ? "✅ Passed" : "❌ Failed"}\n`;
+        if (!simulationResult.passed && simulationResult.errors.length > 0) {
+          message += `Errors: ${simulationResult.errors.slice(0, 2).map(e => e.message).join("; ")}\n`;
+        }
+        message += "\n";
+      }
+      
+      // Violations
       if (result.violations && result.violations.length > 0) {
         message += "Violations:\n";
-        for (const violation of result.violations) {
-          message += `  - ${violation.rule}: ${violation.message}\n`;
+        for (const violation of result.violations.slice(0, 5)) {
+          message += `  - ${violation.rule || violation.type}: ${violation.message}\n`;
         }
+        message += "\n";
       }
       
-      if (result.unblockPlan && result.unblockPlan.steps.length > 0) {
-        message += "\nTo unblock:\n";
-        for (const step of result.unblockPlan.steps) {
-          message += `  ${step.action === "create" ? "Create" : "Modify"} ${step.file || "file"}: ${step.description}\n`;
+      // Critic verdict (if blocked)
+      if (criticVerdict && criticVerdict.verdict === "BLOCK") {
+        message += `Critic: ${criticVerdict.verdict} (${(criticVerdict.confidence * 100).toFixed(0)}% confidence)\n`;
+        if (criticVerdict.reasoning.length > 0) {
+          message += `Reasoning: ${criticVerdict.reasoning[0]}\n`;
         }
+        message += "\n";
       }
       
+      // Unblock plan
+      if (isBlocked && result.unblockPlan && result.unblockPlan.steps?.length > 0) {
+        message += "To unblock:\n";
+        for (const step of result.unblockPlan.steps.slice(0, 3)) {
+          message += `  ${step.action === "create" ? "➕ Create" : "✏️ Modify"} ${step.file || "file"}: ${step.description}\n`;
+        }
+        message += "\n";
+      }
+      
+      message += `Proof ID: ${proofId}\n`;
+      
+      // SECURITY: Include content hash for race condition protection
+      // Callers MUST verify this hash matches current file content before writing
+      // to prevent TOCTOU (time-of-check-time-of-use) vulnerabilities
+      if (oldContentHash) {
+        message += `\n⚠️ IMPORTANT: Before writing, verify file hash matches:\n`;
+        message += `Content Hash: ${oldContentHash}\n`;
+        message += `(Re-read file and compare SHA-256 hash to detect concurrent modifications)`;
+      } else {
+        message += `\nNote: New file (no existing content to verify)`;
+      }
+      
+      return message;
+    };
+    
+    // Determine final decision based on mode
+    if (effectiveMode === "observe") {
+      // Observe mode - always allow, log everything
+      return {
+        content: [{
+          type: "text",
+          text: formatResponse(false)
+        }]
+      };
+    }
+    
+    if (effectiveMode === "advisory") {
+      // Advisory mode - warn but allow (for STARTER tier)
+      const shouldWarn = !result.allowed || (riskScore && riskScore.total > 50);
+      return {
+        content: [{
+          type: "text",
+          text: formatResponse(false) + (shouldWarn ? "\n\n⚠️ Consider reviewing before proceeding." : "")
+        }]
+      };
+    }
+    
+    // Enforce mode - block if not allowed
+    // More intelligent blocking logic to reduce false positives:
+    // 1. Base interception result must say not allowed, OR
+    // 2. Simulation failed with actual errors (not just warnings), OR
+    // 3. Critic says BLOCK with very high confidence (90%+), OR
+    // 4. Risk score decision is BLOCK (but respect lowered thresholds)
+    
+    // Count the number of blocking signals
+    let blockingSignals = 0;
+    const blockReasons = [];
+    
+    if (!result.allowed) {
+      blockingSignals++;
+      blockReasons.push("policy_violation");
+    }
+    
+    // Only count simulation failure if it has actual errors (not just warnings)
+    if (simulationResult && !simulationResult.passed) {
+      const hasActualErrors = simulationResult.errors?.some(e => 
+        e.severity === 'error' || e.type === 'broken_import' || e.type === 'syntax_error'
+      );
+      if (hasActualErrors) {
+        blockingSignals++;
+        blockReasons.push("simulation_failed");
+      }
+    }
+    
+    // Critic verdict - require very high confidence (90%+) to block
+    if (criticVerdict && criticVerdict.verdict === "BLOCK" && criticVerdict.confidence >= 0.9) {
+      blockingSignals++;
+      blockReasons.push("critic_blocked");
+    }
+    
+    // Risk score decision
+    if (riskScore && riskScore.decision?.decision === "BLOCK") {
+      blockingSignals++;
+      blockReasons.push("risk_threshold_exceeded");
+    }
+    
+    // Only block if we have at least 2 independent blocking signals
+    // This prevents a single false positive from blocking legitimate changes
+    // Exception: if risk score is CRITICAL (total >= 120), block with 1 signal
+    const isCriticalRisk = riskScore && riskScore.total >= 120;
+    const shouldBlock = (blockingSignals >= 2) || (isCriticalRisk && blockingSignals >= 1);
+    
+    if (shouldBlock) {
       return {
         content: [{
           type: "text",
-          text: message
+          text: formatResponse(true) + `\n\nBlocking reasons: ${blockReasons.join(", ")}`
         }],
         isError: true
       };
@@ -143,7 +479,7 @@ async function handleAgentFirewallIntercept(name, args) {
     return {
       content: [{
         type: "text",
-        text: `✅ ALLOWED: ${result.message}\n\nPacket ID: ${result.packetId}`
+        text: formatResponse(false)
       }]
     };
     
@@ -158,7 +494,7 @@ async function handleAgentFirewallIntercept(name, args) {
   }
 }
 
-module.exports = {
+export {
   AGENT_FIREWALL_TOOL,
   handleAgentFirewallIntercept
 };