@vibecheckai/cli 3.3.0 → 3.5.0

package/bin/runners/lib/engines/vibecheck-engines/lib/vibe-score-engine.js

@@ -0,0 +1,543 @@
+/**
+ * Vibe Score Engine
+ * 
+ * The ultimate metric for vibecoding quality. Aggregates findings from all
+ * analysis engines and produces a comprehensive "production readiness" score.
+ * 
+ * The Vibe Score answers: "How much of this code was vibe-coded vs properly implemented?"
+ * 
+ * Score Components:
+ * - Implementation Completeness (30%) - Are functions actually implemented?
+ * - Error Handling Quality (25%) - Are errors properly handled?
+ * - API/Data Integrity (20%) - Are API calls real and data valid?
+ * - Code Quality (15%) - Standard code quality metrics
+ * - Security Posture (10%) - Basic security checks
+ * 
+ * @module vibe-score-engine
+ */
+
+"use strict";
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// SCORE WEIGHTS - How much each category contributes to final score
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const SCORE_WEIGHTS = {
+  implementationCompleteness: 0.30, // Functions actually do what they claim
+  errorHandling: 0.25,              // Errors are properly caught and handled
+  apiDataIntegrity: 0.20,           // API calls are real, data is valid
+  codeQuality: 0.15,                // Standard quality metrics
+  securityPosture: 0.10,            // Basic security checks
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// SEVERITY IMPACT - How much each severity level impacts the score
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const SEVERITY_IMPACT = {
+  BLOCK: 15,      // Critical issues
+  critical: 15,
+  WARN: 8,        // Warnings
+  warning: 8,
+  high: 10,
+  medium: 5,
+  low: 2,
+  INFO: 1,
+  info: 1,
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// CATEGORY MAPPING - Map finding categories to score components
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const CATEGORY_TO_COMPONENT = {
+  // Implementation Completeness
+  AIHallucination: "implementationCompleteness",
+  stubImplementations: "implementationCompleteness",
+  DeadCode: "implementationCompleteness",
+  emptyFunction: "implementationCompleteness",
+  FakeSuccess: "implementationCompleteness",
+  placeholder: "implementationCompleteness",
+  
+  // Error Handling
+  EmptyCatch: "errorHandling",
+  SilentFailure: "errorHandling",
+  optimisticErrors: "errorHandling",
+  swallowedErrors: "errorHandling",
+  empty_async_catch: "errorHandling",
+  
+  // API/Data Integrity
+  FakeDomain: "apiDataIntegrity",
+  FakeResponse: "apiDataIntegrity",
+  MockData: "apiDataIntegrity",
+  hallucinatedAPIs: "apiDataIntegrity",
+  fakeData: "apiDataIntegrity",
+  MissingRoute: "apiDataIntegrity",
+  ContractDrift: "apiDataIntegrity",
+  
+  // Code Quality
+  CodeQuality: "codeQuality",
+  ConsoleLog: "codeQuality",
+  DeprecatedAPI: "codeQuality",
+  TypeAware: "codeQuality",
+  copyPaste: "codeQuality",
+  NamingConventions: "codeQuality",
+  naming_convention: "codeQuality",
+  boolean_naming: "codeQuality",
+  constant_naming: "codeQuality",
+  file_naming: "codeQuality",
+  non_descriptive_name: "codeQuality",
+  
+  // Security
+  HardcodedSecret: "securityPosture",
+  Security: "securityPosture",
+  AuthBypass: "securityPosture",
+  GhostAuth: "securityPosture",
+  UnsafeRegex: "securityPosture",
+  dangerous_default: "securityPosture",
+  exposed_secret: "securityPosture",
+  env_not_gitignored: "securityPosture",
+  insecure_default: "securityPosture",
+  insecure_env_default: "securityPosture",
+  
+  // Async Patterns (affects error handling and implementation)
+  AsyncPatterns: "errorHandling",
+  floating_promise: "errorHandling",
+  await_outside_async: "implementationCompleteness",
+  async_promise_executor: "errorHandling",
+  then_in_async: "codeQuality",
+  await_in_loop: "codeQuality",
+  sequential_await: "codeQuality",
+  
+  // Environment Variables (affects security and configuration)
+  EnvVariable: "securityPosture",
+  EnvSetup: "securityPosture",
+  unvalidated_env_var: "securityPosture",
+  env_type_coercion: "codeQuality",
+  empty_env_var: "codeQuality",
+  missing_env_example: "codeQuality",
+  
+  // React Patterns (affects implementation and code quality)
+  ReactPatterns: "implementationCompleteness",
+  missing_key: "implementationCompleteness",
+  index_as_key: "codeQuality",
+  conditional_hook: "implementationCompleteness",
+  hook_in_loop: "implementationCompleteness",
+  missing_deps_array: "errorHandling",
+  stale_closure: "errorHandling",
+  direct_state_mutation: "implementationCompleteness",
+  mutating_state_array: "implementationCompleteness",
+  props_spreading_dom: "codeQuality",
+  
+  // Database Patterns (affects API integrity and security)
+  DatabasePatterns: "apiDataIntegrity",
+  n_plus_1_query: "apiDataIntegrity",
+  query_in_loop: "apiDataIntegrity",
+  unbounded_query: "apiDataIntegrity",
+  missing_transaction: "apiDataIntegrity",
+  raw_query_interpolation: "securityPosture",
+  db_no_error_handling: "errorHandling",
+  
+  // Import Order (affects code quality)
+  ImportOrder: "codeQuality",
+  import_order: "codeQuality",
+  mixed_imports: "codeQuality",
+  code_between_imports: "codeQuality",
+  side_effect_import: "codeQuality",
+  unused_import: "codeQuality",
+  should_be_type_import: "codeQuality",
+  
+  // Error Handling Engine (complements existing)
+  empty_catch: "errorHandling",
+  untyped_catch: "codeQuality",
+  console_log_in_catch: "errorHandling",
+  rethrow_without_context: "errorHandling",
+  try_without_catch: "errorHandling",
+  generic_error_message: "errorHandling",
+  inconsistent_error_response: "apiDataIntegrity",
+  then_without_catch: "errorHandling",
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// GRADE THRESHOLDS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const GRADE_THRESHOLDS = {
+  A: { min: 90, label: "Production Ready", emoji: "🚀", riskLevel: "minimal" },
+  B: { min: 80, label: "Minor Polish Needed", emoji: "✅", riskLevel: "low" },
+  C: { min: 70, label: "Review Recommended", emoji: "⚠️", riskLevel: "medium" },
+  D: { min: 50, label: "Significant Issues", emoji: "🔧", riskLevel: "high" },
+  F: { min: 0, label: "Not Ship Ready", emoji: "🛑", riskLevel: "critical" },
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// VIBE SCORE CALCULATOR
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Calculate comprehensive vibe score from all findings
+ * @param {Array} allFindings - Combined findings from all engines
+ * @param {object} options - Calculation options
+ * @returns {object} Comprehensive vibe score report
+ */
+function calculateVibeScore(allFindings, options = {}) {
+  const {
+    filesAnalyzed = 0,
+    linesOfCode = 0,
+    truthpack = null,
+  } = options;
+  
+  // Initialize component scores (start at 100 for each)
+  const componentScores = {
+    implementationCompleteness: 100,
+    errorHandling: 100,
+    apiDataIntegrity: 100,
+    codeQuality: 100,
+    securityPosture: 100,
+  };
+  
+  // Track deductions per component
+  const componentDeductions = {
+    implementationCompleteness: [],
+    errorHandling: [],
+    apiDataIntegrity: [],
+    codeQuality: [],
+    securityPosture: [],
+  };
+  
+  // Process each finding
+  for (const finding of allFindings) {
+    // Determine which component this finding affects
+    const category = finding.category || finding.type || "Other";
+    const component = CATEGORY_TO_COMPONENT[category] || 
+                      CATEGORY_TO_COMPONENT[finding.category_detail] ||
+                      "codeQuality"; // Default to code quality
+    
+    // Calculate deduction based on severity and confidence
+    const severity = finding.severity || "WARN";
+    const confidence = finding.confidence || 0.8;
+    const baseDeduction = SEVERITY_IMPACT[severity] || 5;
+    const deduction = baseDeduction * confidence;
+    
+    // Apply deduction
+    componentScores[component] = Math.max(0, componentScores[component] - deduction);
+    
+    // Track for reporting
+    componentDeductions[component].push({
+      finding: finding.id || finding.type,
+      severity,
+      confidence,
+      deduction: Math.round(deduction * 10) / 10,
+      message: finding.message || finding.title,
+      file: finding.file,
+      line: finding.line,
+    });
+  }
+  
+  // Calculate weighted final score
+  let finalScore = 0;
+  for (const [component, weight] of Object.entries(SCORE_WEIGHTS)) {
+    finalScore += componentScores[component] * weight;
+  }
+  finalScore = Math.round(finalScore);
+  
+  // Determine grade
+  let grade = "F";
+  let gradeInfo = GRADE_THRESHOLDS.F;
+  for (const [g, info] of Object.entries(GRADE_THRESHOLDS)) {
+    if (finalScore >= info.min) {
+      grade = g;
+      gradeInfo = info;
+      break;
+    }
+  }
+  
+  // Calculate component summaries
+  const componentSummaries = {};
+  for (const [component, score] of Object.entries(componentScores)) {
+    const deductions = componentDeductions[component];
+    componentSummaries[component] = {
+      score: Math.round(score),
+      weight: SCORE_WEIGHTS[component],
+      contribution: Math.round(score * SCORE_WEIGHTS[component]),
+      issueCount: deductions.length,
+      topIssues: deductions
+        .sort((a, b) => b.deduction - a.deduction)
+        .slice(0, 3),
+      status: score >= 90 ? "excellent" : score >= 70 ? "good" : score >= 50 ? "needs-work" : "critical",
+    };
+  }
+  
+  // Generate insights
+  const insights = generateInsights(componentScores, componentDeductions, allFindings);
+  
+  // Calculate risk metrics
+  const riskMetrics = calculateRiskMetrics(allFindings, componentScores);
+  
+  return {
+    // Core score
+    score: finalScore,
+    grade,
+    label: gradeInfo.label,
+    emoji: gradeInfo.emoji,
+    riskLevel: gradeInfo.riskLevel,
+    
+    // Component breakdown
+    components: componentSummaries,
+    
+    // Finding summaries
+    summary: {
+      total: allFindings.length,
+      blockers: allFindings.filter(f => f.severity === "BLOCK" || f.severity === "critical").length,
+      warnings: allFindings.filter(f => f.severity === "WARN" || f.severity === "warning").length,
+      info: allFindings.filter(f => f.severity === "INFO" || f.severity === "info").length,
+    },
+    
+    // Risk metrics
+    risk: riskMetrics,
+    
+    // Actionable insights
+    insights,
+    
+    // Metadata
+    meta: {
+      filesAnalyzed,
+      linesOfCode,
+      calculatedAt: new Date().toISOString(),
+      version: "1.0.0",
+    },
+  };
+}
+
+/**
+ * Generate actionable insights from the analysis
+ */
+function generateInsights(componentScores, componentDeductions, allFindings) {
+  const insights = [];
+  
+  // Check each component for issues
+  if (componentScores.implementationCompleteness < 70) {
+    insights.push({
+      type: "critical",
+      category: "implementation",
+      title: "Incomplete Implementations Detected",
+      message: "Several functions appear to be stubs or return fake success without doing actual work.",
+      action: "Review functions flagged as 'fake success' or 'stub implementation' and complete them.",
+      impact: "high",
+    });
+  }
+  
+  if (componentScores.errorHandling < 70) {
+    insights.push({
+      type: "critical",
+      category: "reliability",
+      title: "Poor Error Handling",
+      message: "Errors are being silently swallowed or logged without proper handling.",
+      action: "Add proper error handling - either rethrow, return error responses, or implement recovery logic.",
+      impact: "high",
+    });
+  }
+  
+  if (componentScores.apiDataIntegrity < 70) {
+    insights.push({
+      type: "critical",
+      category: "integrity",
+      title: "Fake/Placeholder Data Detected",
+      message: "API calls may be pointing to fake endpoints or using placeholder data.",
+      action: "Replace placeholder URLs and data with real values from environment variables.",
+      impact: "high",
+    });
+  }
+  
+  if (componentScores.securityPosture < 70) {
+    insights.push({
+      type: "critical",
+      category: "security",
+      title: "Security Issues Found",
+      message: "Hardcoded secrets or auth bypasses detected.",
+      action: "Move secrets to environment variables and remove any auth bypass code.",
+      impact: "critical",
+    });
+  }
+  
+  // Check for common patterns
+  const fakeSuccessCount = allFindings.filter(f => 
+    f.type?.includes("fake-success") || f.type?.includes("fakeSuccess")
+  ).length;
+  
+  if (fakeSuccessCount >= 3) {
+    insights.push({
+      type: "pattern",
+      category: "vibe-coding",
+      title: "Vibe Coding Pattern Detected",
+      message: `Found ${fakeSuccessCount} instances of fake success returns - common AI generation pattern.`,
+      action: "These functions need real implementation. Consider using vibecheck fix to generate fixes.",
+      impact: "high",
+    });
+  }
+  
+  // Positive insights
+  if (componentScores.implementationCompleteness >= 90 && componentScores.errorHandling >= 90) {
+    insights.push({
+      type: "positive",
+      category: "quality",
+      title: "Well-Implemented Codebase",
+      message: "Functions are properly implemented with good error handling.",
+      action: "Keep up the good practices!",
+      impact: "positive",
+    });
+  }
+  
+  return insights;
+}
+
+/**
+ * Calculate risk metrics
+ */
+function calculateRiskMetrics(allFindings, componentScores) {
+  // Calculate technical debt estimate
+  const blockerHours = allFindings.filter(f => f.severity === "BLOCK").length * 2; // ~2 hours per blocker
+  const warningHours = allFindings.filter(f => f.severity === "WARN").length * 0.5; // ~30 min per warning
+  const technicalDebtHours = blockerHours + warningHours;
+  
+  // Categorize risks
+  const securityRisks = allFindings.filter(f => 
+    CATEGORY_TO_COMPONENT[f.category] === "securityPosture"
+  );
+  
+  const reliabilityRisks = allFindings.filter(f =>
+    CATEGORY_TO_COMPONENT[f.category] === "errorHandling"
+  );
+  
+  const integrityRisks = allFindings.filter(f =>
+    CATEGORY_TO_COMPONENT[f.category] === "apiDataIntegrity"
+  );
+  
+  return {
+    technicalDebtHours: Math.round(technicalDebtHours * 10) / 10,
+    technicalDebtLabel: technicalDebtHours > 40 ? "high" : technicalDebtHours > 10 ? "medium" : "low",
+    
+    securityRiskCount: securityRisks.length,
+    securityRiskLevel: securityRisks.some(r => r.severity === "BLOCK") ? "critical" : 
+                       securityRisks.length > 0 ? "elevated" : "normal",
+    
+    reliabilityRiskCount: reliabilityRisks.length,
+    reliabilityRiskLevel: reliabilityRisks.filter(r => r.severity === "BLOCK").length > 3 ? "high" :
+                          reliabilityRisks.length > 5 ? "medium" : "low",
+    
+    integrityRiskCount: integrityRisks.length,
+    integrityRiskLevel: integrityRisks.some(r => r.severity === "BLOCK") ? "high" :
+                        integrityRisks.length > 3 ? "medium" : "low",
+    
+    // Overall deployment risk
+    deploymentRisk: componentScores.securityPosture < 50 ? "do-not-deploy" :
+                    componentScores.implementationCompleteness < 50 ? "high-risk" :
+                    componentScores.errorHandling < 50 ? "medium-risk" : "acceptable",
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// VIBE REPORT GENERATOR
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Generate a human-readable vibe report
+ */
+function generateVibeReport(vibeScore) {
+  const lines = [];
+  
+  // Header
+  lines.push(`═══════════════════════════════════════════════════════════════`);
+  lines.push(`                    VIBE SCORE REPORT                          `);
+  lines.push(`═══════════════════════════════════════════════════════════════`);
+  lines.push(``);
+  
+  // Main score
+  lines.push(`  ${vibeScore.emoji} Overall Score: ${vibeScore.score}/100 (Grade: ${vibeScore.grade})`);
+  lines.push(`  ${vibeScore.label}`);
+  lines.push(``);
+  
+  // Component breakdown
+  lines.push(`  COMPONENT BREAKDOWN:`);
+  lines.push(`  ─────────────────────────────────────────────────────────────`);
+  
+  for (const [name, data] of Object.entries(vibeScore.components)) {
+    const status = data.status === "excellent" ? "✅" :
+                   data.status === "good" ? "👍" :
+                   data.status === "needs-work" ? "⚠️" : "🛑";
+    
+    const displayName = name.replace(/([A-Z])/g, " $1").trim();
+    lines.push(`  ${status} ${displayName.padEnd(28)} ${data.score}/100 (${data.issueCount} issues)`);
+  }
+  
+  lines.push(``);
+  
+  // Risk metrics
+  lines.push(`  RISK ASSESSMENT:`);
+  lines.push(`  ─────────────────────────────────────────────────────────────`);
+  lines.push(`  Technical Debt: ~${vibeScore.risk.technicalDebtHours} hours (${vibeScore.risk.technicalDebtLabel})`);
+  lines.push(`  Security Risk:  ${vibeScore.risk.securityRiskLevel}`);
+  lines.push(`  Reliability:    ${vibeScore.risk.reliabilityRiskLevel}`);
+  lines.push(`  Deployment:     ${vibeScore.risk.deploymentRisk}`);
+  lines.push(``);
+  
+  // Insights
+  if (vibeScore.insights.length > 0) {
+    lines.push(`  INSIGHTS:`);
+    lines.push(`  ─────────────────────────────────────────────────────────────`);
+    
+    for (const insight of vibeScore.insights.slice(0, 5)) {
+      const icon = insight.type === "critical" ? "🚨" :
+                   insight.type === "pattern" ? "🔍" :
+                   insight.type === "positive" ? "✨" : "💡";
+      lines.push(`  ${icon} ${insight.title}`);
+      lines.push(`     ${insight.message}`);
+      lines.push(`     → ${insight.action}`);
+      lines.push(``);
+    }
+  }
+  
+  // Summary
+  lines.push(`  SUMMARY:`);
+  lines.push(`  ─────────────────────────────────────────────────────────────`);
+  lines.push(`  ${vibeScore.summary.blockers} blockers | ${vibeScore.summary.warnings} warnings | ${vibeScore.summary.info} info`);
+  lines.push(`  Files analyzed: ${vibeScore.meta.filesAnalyzed || "N/A"}`);
+  lines.push(``);
+  lines.push(`═══════════════════════════════════════════════════════════════`);
+  
+  return lines.join("\n");
+}
+
+/**
+ * Generate JSON-compatible vibe report for CI/CD
+ */
+function generateVibeReportJSON(vibeScore) {
+  return {
+    vibecheck: {
+      score: vibeScore.score,
+      grade: vibeScore.grade,
+      status: vibeScore.riskLevel,
+      summary: vibeScore.summary,
+    },
+    components: Object.fromEntries(
+      Object.entries(vibeScore.components).map(([k, v]) => [k, v.score])
+    ),
+    risk: vibeScore.risk,
+    insights: vibeScore.insights,
+    meta: vibeScore.meta,
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+module.exports = {
+  calculateVibeScore,
+  generateVibeReport,
+  generateVibeReportJSON,
+  SCORE_WEIGHTS,
+  SEVERITY_IMPACT,
+  CATEGORY_TO_COMPONENT,
+  GRADE_THRESHOLDS,
+};