@vibecheckai/cli 3.2.6 → 3.3.0

package/bin/runners/lib/agent-firewall/lawbook/registry.js

@@ -0,0 +1,514 @@
+/**
+ * Lawbook Registry
+ * 
+ * Manages invariant library versions and industry templates.
+ * Provides import/export functionality for sharing invariants.
+ * 
+ * Codename: Lawbook
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+const {
+  INVARIANT_TYPES,
+  INVARIANT_SEVERITY,
+  validateInvariant,
+  parseLawbook,
+  serializeLawbook,
+} = require("./schema.js");
+const { lawbookLogger: log, getErrorMessage } = require("../logger.js");
+
+/**
+ * Built-in industry templates
+ */
+const INDUSTRY_TEMPLATES = {
+  // Security-focused invariants
+  security: {
+    name: "Security Essentials",
+    description: "Common security rules for web applications",
+    invariants: [
+      {
+        id: "no-eval",
+        description: "Prevent use of eval() which can lead to code injection",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{js,ts,jsx,tsx}",
+        pattern: "\\beval\\s*\\(",
+        severity: INVARIANT_SEVERITY.BLOCK,
+      },
+      {
+        id: "no-innerhtml",
+        description: "Prevent innerHTML usage that can lead to XSS",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{js,ts,jsx,tsx}",
+        pattern: "\\.innerHTML\\s*=",
+        severity: INVARIANT_SEVERITY.ERROR,
+      },
+      {
+        id: "no-hardcoded-secrets",
+        description: "Prevent hardcoded API keys and secrets",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{js,ts,jsx,tsx,json}",
+        pattern: "(api[_-]?key|secret|password|token)\\s*[=:]\\s*['\"][a-zA-Z0-9]{16,}",
+        exclude: ["**/*.test.*", "**/*.spec.*", "**/mock*"],
+        severity: INVARIANT_SEVERITY.BLOCK,
+      },
+      {
+        id: "no-cors-wildcard",
+        description: "Prevent CORS wildcard in production",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{js,ts}",
+        pattern: "origin:\\s*['\"]\\*['\"]",
+        exclude: ["**/*.test.*", "**/dev*"],
+        severity: INVARIANT_SEVERITY.ERROR,
+      },
+    ],
+  },
+  
+  // Quality-focused invariants
+  quality: {
+    name: "Code Quality",
+    description: "Common code quality rules",
+    invariants: [
+      {
+        id: "no-console-log",
+        description: "No console.log in production code",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "src/**/*.{js,ts,jsx,tsx}",
+        pattern: "console\\.log\\(",
+        exclude: ["**/*.test.*", "**/*.spec.*"],
+        severity: INVARIANT_SEVERITY.WARNING,
+      },
+      {
+        id: "no-debugger",
+        description: "No debugger statements",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{js,ts,jsx,tsx}",
+        pattern: "\\bdebugger\\b",
+        severity: INVARIANT_SEVERITY.ERROR,
+      },
+      {
+        id: "no-todo-in-main",
+        description: "No TODO comments in main branch",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "src/**/*.{js,ts,jsx,tsx}",
+        pattern: "//\\s*TODO[:\\s]",
+        severity: INVARIANT_SEVERITY.WARNING,
+      },
+    ],
+  },
+  
+  // Architecture-focused invariants
+  architecture: {
+    name: "Architecture Patterns",
+    description: "Common architectural patterns and boundaries",
+    invariants: [
+      {
+        id: "no-relative-imports-outside",
+        description: "Use absolute imports for cross-module dependencies",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "src/**/*.{js,ts,jsx,tsx}",
+        pattern: "from\\s+['\"]\\.\\.\\/(\\.\\.\\/)+((?!node_modules)[^'\"]+)['\"]",
+        severity: INVARIANT_SEVERITY.WARNING,
+      },
+      {
+        id: "no-circular-json",
+        description: "Prevent circular JSON references",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{js,ts}",
+        pattern: "JSON\\.stringify\\([^,]+,\\s*null",
+        severity: INVARIANT_SEVERITY.INFO,
+      },
+    ],
+  },
+  
+  // React-specific invariants
+  react: {
+    name: "React Best Practices",
+    description: "React-specific rules and patterns",
+    invariants: [
+      {
+        id: "no-direct-state-mutation",
+        description: "Never mutate state directly",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{jsx,tsx}",
+        pattern: "this\\.state\\.[a-zA-Z]+\\s*=",
+        severity: INVARIANT_SEVERITY.ERROR,
+      },
+      {
+        id: "no-array-index-key",
+        description: "Avoid using array index as key in lists",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{jsx,tsx}",
+        pattern: "key=\\{\\s*index\\s*\\}|key=\\{\\s*i\\s*\\}",
+        severity: INVARIANT_SEVERITY.WARNING,
+      },
+    ],
+  },
+  
+  // Node.js-specific invariants
+  nodejs: {
+    name: "Node.js Security",
+    description: "Node.js-specific security rules",
+    invariants: [
+      {
+        id: "no-sync-fs",
+        description: "Avoid synchronous file operations in server code",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "src/**/*.{js,ts}",
+        pattern: "\\.(readFileSync|writeFileSync|existsSync)\\(",
+        exclude: ["**/scripts/**", "**/cli/**", "**/*.test.*"],
+        severity: INVARIANT_SEVERITY.WARNING,
+      },
+      {
+        id: "no-child-process-shell",
+        description: "Avoid shell execution in child_process",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{js,ts}",
+        pattern: "exec\\(['\"][^'\"]+['\"]|execSync\\(['\"][^'\"]+['\"]",
+        severity: INVARIANT_SEVERITY.ERROR,
+      },
+    ],
+  },
+  
+  // Database-specific invariants
+  database: {
+    name: "Database Patterns",
+    description: "Database access patterns and security",
+    invariants: [
+      {
+        id: "no-raw-sql",
+        description: "Use parameterized queries, not raw SQL",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "**/*.{js,ts}",
+        pattern: "\\$queryRaw`[^`]*\\$\\{|\\$executeRaw`[^`]*\\$\\{",
+        severity: INVARIANT_SEVERITY.ERROR,
+      },
+      {
+        id: "no-direct-prisma",
+        description: "Use repository pattern for database access",
+        rule: INVARIANT_TYPES.NEVER,
+        scope: "src/**/*.{js,ts}",
+        pattern: "prisma\\.(create|update|delete|findMany|findFirst)\\(",
+        exclude: ["**/repositories/**", "**/db/**"],
+        severity: INVARIANT_SEVERITY.WARNING,
+      },
+    ],
+  },
+};
+
+/**
+ * Lawbook Registry class
+ */
+class LawbookRegistry {
+  constructor(options = {}) {
+    this.projectRoot = options.projectRoot || process.cwd();
+    this.registryDir = path.join(this.projectRoot, ".vibecheck", "lawbook-registry");
+    this.libraries = new Map();
+    
+    // Load registered libraries
+    this.loadRegisteredLibraries();
+  }
+  
+  /**
+   * Load registered libraries from disk
+   */
+  loadRegisteredLibraries() {
+    try {
+      if (!fs.existsSync(this.registryDir)) return;
+      
+      const files = fs.readdirSync(this.registryDir);
+      
+      for (const file of files) {
+        if (file.endsWith(".json")) {
+          const filePath = path.join(this.registryDir, file);
+          const content = fs.readFileSync(filePath, "utf-8");
+          const library = JSON.parse(content);
+          
+          this.libraries.set(library.id, library);
+        }
+      }
+    } catch (error) {
+      log.warn(`Failed to load registered libraries: ${getErrorMessage(error)}`);
+    }
+  }
+  
+  /**
+   * Register a library
+   * @param {Object} library - Library to register
+   * @returns {string} Library ID
+   */
+  registerLibrary(library) {
+    const id = library.id || this.generateId(library.name);
+    
+    const registeredLibrary = {
+      id,
+      name: library.name,
+      description: library.description,
+      version: library.version || "1.0.0",
+      invariants: library.invariants || [],
+      registeredAt: new Date().toISOString(),
+      checksum: this.calculateChecksum(library.invariants),
+    };
+    
+    // Validate all invariants
+    for (const inv of registeredLibrary.invariants) {
+      const validation = validateInvariant(inv);
+      if (!validation.valid) {
+        throw new Error(`Invalid invariant '${inv.id}': ${validation.errors.map(e => e.message).join(", ")}`);
+      }
+    }
+    
+    // Save to registry
+    this.saveLibrary(registeredLibrary);
+    this.libraries.set(id, registeredLibrary);
+    
+    return id;
+  }
+  
+  /**
+   * Get a library by ID
+   * @param {string} id - Library ID
+   * @returns {Object|null} Library or null
+   */
+  getLibrary(id) {
+    return this.libraries.get(id) || null;
+  }
+  
+  /**
+   * List all registered libraries
+   * @returns {Object[]} Libraries
+   */
+  listLibraries() {
+    return Array.from(this.libraries.values()).map(lib => ({
+      id: lib.id,
+      name: lib.name,
+      description: lib.description,
+      version: lib.version,
+      invariantCount: lib.invariants.length,
+      registeredAt: lib.registeredAt,
+    }));
+  }
+  
+  /**
+   * Remove a library
+   * @param {string} id - Library ID
+   * @returns {boolean} Success
+   */
+  removeLibrary(id) {
+    if (!this.libraries.has(id)) return false;
+    
+    try {
+      const filePath = path.join(this.registryDir, `${id}.json`);
+      if (fs.existsSync(filePath)) {
+        fs.unlinkSync(filePath);
+      }
+      
+      this.libraries.delete(id);
+      return true;
+    } catch (error) {
+      log.error(`Failed to remove library: ${getErrorMessage(error)}`);
+      return false;
+    }
+  }
+  
+  /**
+   * Import invariants from a lawbook file
+   * @param {string} filePath - Path to lawbook file
+   * @returns {Object} Import result
+   */
+  importFromFile(filePath) {
+    try {
+      const content = fs.readFileSync(filePath, "utf-8");
+      const lawbook = parseLawbook(content);
+      
+      const id = this.registerLibrary(lawbook);
+      
+      return {
+        success: true,
+        libraryId: id,
+        imported: lawbook.invariants?.length || 0,
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error.message,
+      };
+    }
+  }
+  
+  /**
+   * Export a library to a lawbook file
+   * @param {string} libraryId - Library ID
+   * @param {string} outputPath - Output path
+   * @returns {boolean} Success
+   */
+  exportToFile(libraryId, outputPath) {
+    const library = this.getLibrary(libraryId);
+    if (!library) return false;
+    
+    try {
+      const lawbook = {
+        version: library.version,
+        name: library.name,
+        description: library.description,
+        invariants: library.invariants,
+      };
+      
+      const content = serializeLawbook(lawbook);
+      
+      const dir = path.dirname(outputPath);
+      if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+      }
+      
+      fs.writeFileSync(outputPath, content);
+      return true;
+    } catch (error) {
+      log.error(`Failed to export library: ${getErrorMessage(error)}`);
+      return false;
+    }
+  }
+  
+  /**
+   * Get a built-in industry template
+   * @param {string} templateId - Template ID
+   * @returns {Object|null} Template or null
+   */
+  getTemplate(templateId) {
+    return INDUSTRY_TEMPLATES[templateId] || null;
+  }
+  
+  /**
+   * List all built-in templates
+   * @returns {Object[]} Template summaries
+   */
+  listTemplates() {
+    return Object.entries(INDUSTRY_TEMPLATES).map(([id, template]) => ({
+      id,
+      name: template.name,
+      description: template.description,
+      invariantCount: template.invariants.length,
+    }));
+  }
+  
+  /**
+   * Import a template into the registry
+   * @param {string} templateId - Template ID
+   * @param {string} name - Optional custom name
+   * @returns {string|null} Library ID or null
+   */
+  importTemplate(templateId, name = null) {
+    const template = this.getTemplate(templateId);
+    if (!template) return null;
+    
+    const library = {
+      name: name || template.name,
+      description: template.description,
+      version: "1.0.0",
+      invariants: template.invariants,
+    };
+    
+    return this.registerLibrary(library);
+  }
+  
+  /**
+   * Merge multiple libraries into one
+   * @param {string[]} libraryIds - Library IDs to merge
+   * @param {string} name - Name for merged library
+   * @returns {string|null} Merged library ID or null
+   */
+  mergeLibraries(libraryIds, name) {
+    const invariants = [];
+    const seen = new Set();
+    
+    for (const id of libraryIds) {
+      const library = this.getLibrary(id);
+      if (!library) continue;
+      
+      for (const inv of library.invariants) {
+        if (!seen.has(inv.id)) {
+          invariants.push(inv);
+          seen.add(inv.id);
+        }
+      }
+    }
+    
+    if (invariants.length === 0) return null;
+    
+    const merged = {
+      name,
+      description: `Merged from: ${libraryIds.join(", ")}`,
+      version: "1.0.0",
+      invariants,
+    };
+    
+    return this.registerLibrary(merged);
+  }
+  
+  /**
+   * Save a library to disk
+   * @param {Object} library - Library to save
+   */
+  saveLibrary(library) {
+    try {
+      if (!fs.existsSync(this.registryDir)) {
+        fs.mkdirSync(this.registryDir, { recursive: true });
+      }
+      
+      const filePath = path.join(this.registryDir, `${library.id}.json`);
+      fs.writeFileSync(filePath, JSON.stringify(library, null, 2));
+    } catch (error) {
+      throw new Error(`Failed to save library: ${error.message}`);
+    }
+  }
+  
+  /**
+   * Generate a unique ID for a library
+   * @param {string} name - Library name
+   * @returns {string} Generated ID
+   */
+  generateId(name) {
+    const base = name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+    const suffix = crypto.randomBytes(4).toString("hex");
+    return `${base}-${suffix}`;
+  }
+  
+  /**
+   * Calculate checksum for invariants
+   * @param {Object[]} invariants - Invariants
+   * @returns {string} Checksum
+   */
+  calculateChecksum(invariants) {
+    const content = JSON.stringify(invariants || []);
+    return crypto.createHash("sha256").update(content).digest("hex").slice(0, 16);
+  }
+  
+  /**
+   * Check if a library needs update based on checksum
+   * @param {string} id - Library ID
+   * @param {Object[]} invariants - New invariants
+   * @returns {boolean} Needs update
+   */
+  needsUpdate(id, invariants) {
+    const library = this.getLibrary(id);
+    if (!library) return true;
+    
+    const newChecksum = this.calculateChecksum(invariants);
+    return library.checksum !== newChecksum;
+  }
+}
+
+/**
+ * Create a registry instance
+ * @param {Object} options - Options
+ * @returns {LawbookRegistry} Registry instance
+ */
+function createRegistry(options = {}) {
+  return new LawbookRegistry(options);
+}
+
+module.exports = { LawbookRegistry, createRegistry, INDUSTRY_TEMPLATES };