@vibecheckai/cli 3.2.6 → 3.3.0

package/bin/runners/lib/agent-firewall/lawbook/distributor.js

@@ -0,0 +1,465 @@
+/**
+ * Lawbook Distributor
+ * 
+ * Syncs org-level policies to projects via API.
+ * Manages version control and conflict resolution.
+ * 
+ * Codename: Lawbook
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+const { parseLawbook, serializeLawbook, validateInvariant } = require("./schema.js");
+const { lawbookLogger: log, getErrorMessage } = require("../logger.js");
+
+/**
+ * @typedef {Object} SyncResult
+ * @property {boolean} success - Sync successful
+ * @property {number} added - Invariants added
+ * @property {number} updated - Invariants updated
+ * @property {number} removed - Invariants removed
+ * @property {string[]} conflicts - Conflict descriptions
+ * @property {string} version - Synced version
+ */
+
+/**
+ * Merge strategies for conflict resolution
+ */
+const MERGE_STRATEGIES = {
+  ORG_WINS: "org_wins",       // Org policies override local
+  LOCAL_WINS: "local_wins",   // Local policies override org
+  STRICT: "strict",           // Fail on conflicts
+  MERGE: "merge",             // Merge with local taking precedence on conflicts
+};
+
+/**
+ * Lawbook Distributor class
+ */
+class LawbookDistributor {
+  constructor(options = {}) {
+    this.projectRoot = options.projectRoot || process.cwd();
+    this.apiEndpoint = options.apiEndpoint || process.env.VIBECHECK_API_URL || "https://api.vibecheck.ai";
+    this.apiKey = options.apiKey || process.env.VIBECHECK_API_KEY;
+    this.cacheDir = path.join(this.projectRoot, ".vibecheck", "lawbook-cache");
+    this.syncHistoryPath = path.join(this.projectRoot, ".vibecheck", "lawbook-sync.json");
+  }
+  
+  /**
+   * Fetch org lawbook from API
+   * @param {string} orgId - Organization ID
+   * @param {string} libraryId - Library ID (optional)
+   * @returns {Object} Fetched lawbook
+   */
+  async fetchOrgLawbook(orgId, libraryId = "default") {
+    try {
+      const url = `${this.apiEndpoint}/v1/orgs/${orgId}/lawbooks/${libraryId}`;
+      
+      const response = await fetch(url, {
+        headers: {
+          "Authorization": `Bearer ${this.apiKey}`,
+          "Content-Type": "application/json",
+        },
+      });
+      
+      if (!response.ok) {
+        throw new Error(`Failed to fetch lawbook: ${response.status}`);
+      }
+      
+      const data = await response.json();
+      
+      // Cache the result
+      this.cacheLawbook(orgId, libraryId, data);
+      
+      return data;
+    } catch (error) {
+      // Try to use cached version
+      const cached = this.getCachedLawbook(orgId, libraryId);
+      if (cached) {
+        log.warn(`Using cached lawbook: ${getErrorMessage(error)}`);
+        return cached;
+      }
+      throw error;
+    }
+  }
+  
+  /**
+   * Sync org lawbook to local project
+   * @param {string} orgId - Organization ID
+   * @param {Object} options - Sync options
+   * @returns {SyncResult} Sync result
+   */
+  async sync(orgId, options = {}) {
+    const {
+      libraryId = "default",
+      strategy = MERGE_STRATEGIES.MERGE,
+      dryRun = false,
+    } = options;
+    
+    const result = {
+      success: false,
+      added: 0,
+      updated: 0,
+      removed: 0,
+      conflicts: [],
+      version: null,
+    };
+    
+    try {
+      // Fetch org lawbook
+      const orgLawbook = await this.fetchOrgLawbook(orgId, libraryId);
+      result.version = orgLawbook.version;
+      
+      // Load local lawbook
+      const localPath = path.join(this.projectRoot, ".vibecheck", "invariants.yaml");
+      let localLawbook = null;
+      
+      if (fs.existsSync(localPath)) {
+        const content = fs.readFileSync(localPath, "utf-8");
+        localLawbook = parseLawbook(content);
+      }
+      
+      // Merge lawbooks
+      const merged = this.mergeLawbooks(orgLawbook, localLawbook, strategy, result);
+      
+      // Apply changes if not dry run
+      if (!dryRun && result.conflicts.length === 0) {
+        const dir = path.dirname(localPath);
+        if (!fs.existsSync(dir)) {
+          fs.mkdirSync(dir, { recursive: true });
+        }
+        
+        const content = serializeLawbook(merged);
+        fs.writeFileSync(localPath, content);
+        
+        // Record sync
+        this.recordSync(orgId, libraryId, result.version);
+        
+        result.success = true;
+      } else if (dryRun) {
+        result.success = true;
+      }
+      
+      return result;
+    } catch (error) {
+      result.success = false;
+      result.conflicts.push(`Sync error: ${error.message}`);
+      return result;
+    }
+  }
+  
+  /**
+   * Merge org and local lawbooks
+   * @param {Object} orgLawbook - Org lawbook
+   * @param {Object} localLawbook - Local lawbook
+   * @param {string} strategy - Merge strategy
+   * @param {Object} result - Result object to update
+   * @returns {Object} Merged lawbook
+   */
+  mergeLawbooks(orgLawbook, localLawbook, strategy, result) {
+    const merged = {
+      version: orgLawbook.version,
+      name: localLawbook?.name || orgLawbook.name,
+      description: localLawbook?.description || orgLawbook.description,
+      extends: orgLawbook.name,
+      invariants: [],
+    };
+    
+    // Index invariants by ID
+    const orgInvariants = new Map();
+    const localInvariants = new Map();
+    
+    for (const inv of orgLawbook.invariants || []) {
+      inv._source = "org";
+      orgInvariants.set(inv.id, inv);
+    }
+    
+    for (const inv of localLawbook?.invariants || []) {
+      inv._source = "local";
+      localInvariants.set(inv.id, inv);
+    }
+    
+    // Process org invariants
+    for (const [id, orgInv] of orgInvariants) {
+      const localInv = localInvariants.get(id);
+      
+      if (!localInv) {
+        // New from org
+        merged.invariants.push({ ...orgInv, _source: undefined });
+        result.added++;
+      } else {
+        // Exists in both - check for conflicts
+        const conflict = this.detectConflict(orgInv, localInv);
+        
+        if (conflict) {
+          switch (strategy) {
+            case MERGE_STRATEGIES.ORG_WINS:
+              merged.invariants.push({ ...orgInv, _source: undefined });
+              result.updated++;
+              break;
+              
+            case MERGE_STRATEGIES.LOCAL_WINS:
+              merged.invariants.push({ ...localInv, _source: undefined });
+              break;
+              
+            case MERGE_STRATEGIES.STRICT:
+              result.conflicts.push(`Conflict on '${id}': ${conflict}`);
+              break;
+              
+            case MERGE_STRATEGIES.MERGE:
+            default:
+              // Merge with local taking precedence
+              const mergedInv = { ...orgInv, ...localInv, _source: undefined };
+              merged.invariants.push(mergedInv);
+              result.updated++;
+              break;
+          }
+        } else {
+          // No conflict - use org version (might have updates)
+          merged.invariants.push({ ...orgInv, _source: undefined });
+        }
+        
+        localInvariants.delete(id);
+      }
+    }
+    
+    // Add remaining local-only invariants
+    for (const [, localInv] of localInvariants) {
+      merged.invariants.push({ ...localInv, _source: undefined });
+    }
+    
+    return merged;
+  }
+  
+  /**
+   * Detect conflict between org and local invariant
+   * @param {Object} orgInv - Org invariant
+   * @param {Object} localInv - Local invariant
+   * @returns {string|null} Conflict description or null
+   */
+  detectConflict(orgInv, localInv) {
+    // Check for rule type conflict
+    if (orgInv.rule !== localInv.rule) {
+      return `Rule type mismatch: org='${orgInv.rule}', local='${localInv.rule}'`;
+    }
+    
+    // Check for severity conflict
+    if (orgInv.severity !== localInv.severity) {
+      return `Severity mismatch: org='${orgInv.severity}', local='${localInv.severity}'`;
+    }
+    
+    // Check for scope conflict
+    if (orgInv.scope !== localInv.scope) {
+      return `Scope mismatch: org='${orgInv.scope}', local='${localInv.scope}'`;
+    }
+    
+    return null;
+  }
+  
+  /**
+   * Cache a lawbook locally
+   * @param {string} orgId - Org ID
+   * @param {string} libraryId - Library ID
+   * @param {Object} lawbook - Lawbook to cache
+   */
+  cacheLawbook(orgId, libraryId, lawbook) {
+    try {
+      if (!fs.existsSync(this.cacheDir)) {
+        fs.mkdirSync(this.cacheDir, { recursive: true });
+      }
+      
+      const cachePath = path.join(this.cacheDir, `${orgId}-${libraryId}.json`);
+      fs.writeFileSync(cachePath, JSON.stringify({
+        lawbook,
+        cachedAt: new Date().toISOString(),
+      }, null, 2));
+    } catch (error) {
+      log.warn(`Failed to cache lawbook: ${getErrorMessage(error)}`);
+    }
+  }
+  
+  /**
+   * Get cached lawbook
+   * @param {string} orgId - Org ID
+   * @param {string} libraryId - Library ID
+   * @returns {Object|null} Cached lawbook or null
+   */
+  getCachedLawbook(orgId, libraryId) {
+    try {
+      const cachePath = path.join(this.cacheDir, `${orgId}-${libraryId}.json`);
+      
+      if (fs.existsSync(cachePath)) {
+        const content = fs.readFileSync(cachePath, "utf-8");
+        const cached = JSON.parse(content);
+        
+        // Check cache age (24 hours max)
+        const cacheAge = Date.now() - new Date(cached.cachedAt).getTime();
+        if (cacheAge < 24 * 60 * 60 * 1000) {
+          return cached.lawbook;
+        }
+      }
+    } catch (error) {
+      log.warn(`Failed to read cached lawbook: ${getErrorMessage(error)}`);
+    }
+    return null;
+  }
+  
+  /**
+   * Record a sync event
+   * @param {string} orgId - Org ID
+   * @param {string} libraryId - Library ID
+   * @param {string} version - Synced version
+   */
+  recordSync(orgId, libraryId, version) {
+    try {
+      let history = [];
+      
+      if (fs.existsSync(this.syncHistoryPath)) {
+        const content = fs.readFileSync(this.syncHistoryPath, "utf-8");
+        history = JSON.parse(content);
+      }
+      
+      history.push({
+        orgId,
+        libraryId,
+        version,
+        syncedAt: new Date().toISOString(),
+      });
+      
+      // Keep last 50 entries
+      if (history.length > 50) {
+        history = history.slice(-50);
+      }
+      
+      const dir = path.dirname(this.syncHistoryPath);
+      if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+      }
+      
+      fs.writeFileSync(this.syncHistoryPath, JSON.stringify(history, null, 2));
+    } catch (error) {
+      log.warn(`Failed to record sync: ${getErrorMessage(error)}`);
+    }
+  }
+  
+  /**
+   * Get sync history
+   * @returns {Object[]} Sync history
+   */
+  getSyncHistory() {
+    try {
+      if (fs.existsSync(this.syncHistoryPath)) {
+        const content = fs.readFileSync(this.syncHistoryPath, "utf-8");
+        return JSON.parse(content);
+      }
+    } catch (error) {
+      log.warn(`Failed to read sync history: ${getErrorMessage(error)}`);
+    }
+    return [];
+  }
+  
+  /**
+   * Check if sync is needed
+   * @param {string} orgId - Org ID
+   * @param {string} libraryId - Library ID
+   * @returns {Object} Sync status
+   */
+  async checkSyncStatus(orgId, libraryId = "default") {
+    const history = this.getSyncHistory();
+    const lastSync = history.filter(h => h.orgId === orgId && h.libraryId === libraryId).pop();
+    
+    // Fetch current version from API
+    try {
+      const url = `${this.apiEndpoint}/v1/orgs/${orgId}/lawbooks/${libraryId}/version`;
+      const response = await fetch(url, {
+        headers: {
+          "Authorization": `Bearer ${this.apiKey}`,
+        },
+      });
+      
+      if (response.ok) {
+        const data = await response.json();
+        
+        return {
+          needsSync: !lastSync || lastSync.version !== data.version,
+          currentVersion: data.version,
+          lastSyncVersion: lastSync?.version || null,
+          lastSyncTime: lastSync?.syncedAt || null,
+        };
+      }
+    } catch (error) {
+      // Ignore - will use cached data
+    }
+    
+    return {
+      needsSync: !lastSync,
+      currentVersion: null,
+      lastSyncVersion: lastSync?.version || null,
+      lastSyncTime: lastSync?.syncedAt || null,
+    };
+  }
+  
+  /**
+   * Publish local invariants to org (requires admin)
+   * @param {string} orgId - Org ID
+   * @param {Object[]} invariants - Invariants to publish
+   * @returns {Object} Publish result
+   */
+  async publishToOrg(orgId, invariants, options = {}) {
+    const {
+      libraryId = "default",
+      message = "Published from local project",
+    } = options;
+    
+    try {
+      // Validate all invariants first
+      for (const inv of invariants) {
+        const validation = validateInvariant(inv);
+        if (!validation.valid) {
+          throw new Error(`Invalid invariant '${inv.id}': ${validation.errors.map(e => e.message).join(", ")}`);
+        }
+      }
+      
+      const url = `${this.apiEndpoint}/v1/orgs/${orgId}/lawbooks/${libraryId}/publish`;
+      
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${this.apiKey}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          invariants,
+          message,
+          publishedAt: new Date().toISOString(),
+        }),
+      });
+      
+      if (!response.ok) {
+        const error = await response.json().catch(() => ({}));
+        throw new Error(error.message || `Publish failed: ${response.status}`);
+      }
+      
+      return await response.json();
+    } catch (error) {
+      return {
+        success: false,
+        error: error.message,
+      };
+    }
+  }
+}
+
+/**
+ * Create a distributor instance
+ * @param {Object} options - Options
+ * @returns {LawbookDistributor} Distributor instance
+ */
+function createDistributor(options = {}) {
+  return new LawbookDistributor(options);
+}
+
+module.exports = { LawbookDistributor, createDistributor, MERGE_STRATEGIES };