@vibecheckai/cli 3.3.0 → 3.5.0

package/bin/runners/lib/authority/authorities/architecture.js

@@ -0,0 +1,364 @@
+/**
+ * Architecture Authority - Automated architecture review
+ * 
+ * Checks for:
+ * - Import/export patterns
+ * - Circular dependencies
+ * - Layer violations
+ * - Naming conventions
+ * - File organization
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+const path = require("path");
+
+class ArchitectureAuthority {
+  static description = "Architecture review (patterns, structure)";
+  static automated = true;
+  static tier = "pro";
+  
+  constructor(options = {}) {
+    this.options = options;
+    this.rules = this._initializeRules();
+  }
+  
+  _initializeRules() {
+    return {
+      layerViolations: [
+        { 
+          name: "ui-imports-db",
+          pattern: /from\s+['"].*\/(database|db|prisma|models)\//,
+          context: /(components|pages|views|ui)\//,
+          message: "UI layer importing directly from database layer",
+          severity: "high",
+        },
+        {
+          name: "model-imports-ui",
+          pattern: /from\s+['"].*\/(components|views|pages)\//,
+          context: /(models|entities|database)\//,
+          message: "Data layer importing from UI layer",
+          severity: "high",
+        },
+      ],
+      circularDependencies: {
+        enabled: true,
+        severity: "medium",
+      },
+      namingConventions: [
+        {
+          name: "component-naming",
+          pattern: /^[A-Z][a-zA-Z0-9]*\.(tsx|jsx)$/,
+          context: /components\//,
+          message: "Component files should use PascalCase",
+          severity: "low",
+        },
+        {
+          name: "hook-naming",
+          pattern: /^use[A-Z][a-zA-Z0-9]*\.(ts|tsx)$/,
+          context: /hooks\//,
+          message: "Hook files should start with 'use' prefix",
+          severity: "low",
+        },
+        {
+          name: "util-naming",
+          pattern: /^[a-z][a-zA-Z0-9-]*\.(ts|js)$/,
+          context: /(utils?|lib|helpers)\//,
+          message: "Utility files should use camelCase or kebab-case",
+          severity: "low",
+        },
+      ],
+      importPatterns: [
+        {
+          name: "relative-import-depth",
+          pattern: /from\s+['"]\.\.\/\.\.\/\.\.\/\.\.\//,
+          message: "Import depth exceeds 3 levels - consider using path aliases",
+          severity: "medium",
+        },
+        {
+          name: "index-barrel-bloat",
+          pattern: /export\s+\*\s+from/,
+          message: "Barrel exports can cause bundle bloat - verify tree-shaking",
+          severity: "low",
+        },
+        {
+          name: "default-export-missing",
+          pattern: /^(?!.*export\s+default).*\.tsx$/m,
+          context: /(pages|app)\//,
+          message: "Page/App files typically need default export",
+          severity: "medium",
+        },
+      ],
+      fileOrganization: [
+        {
+          name: "test-colocation",
+          check: (files) => {
+            const srcFiles = files.filter(f => f.path.match(/src\/.*\.(ts|tsx|js|jsx)$/));
+            const testFiles = files.filter(f => f.path.match(/\.(test|spec)\.(ts|tsx|js|jsx)$/));
+            const colocated = testFiles.filter(t => {
+              const basePath = t.path.replace(/\.(test|spec)\.(ts|tsx|js|jsx)$/, "");
+              return srcFiles.some(s => s.path.startsWith(basePath));
+            });
+            return {
+              pass: colocated.length === testFiles.length,
+              message: "Tests should be colocated with source files",
+              severity: "low",
+            };
+          },
+        },
+      ],
+    };
+  }
+
+  async review(payload) {
+    const { files = [], diff = "", context = {} } = payload;
+    const findings = [];
+    const startTime = Date.now();
+
+    // Analyze imports and exports in diff
+    if (diff) {
+      findings.push(...this._analyzeDiffPatterns(diff));
+    }
+
+    // Analyze file structure
+    if (files.length > 0) {
+      findings.push(...this._analyzeFileStructure(files));
+      findings.push(...this._detectCircularDependencies(files));
+    }
+
+    // Check naming conventions
+    findings.push(...this._checkNamingConventions(files));
+
+    // Determine approval status
+    const hasHigh = findings.some(f => f.severity === "high");
+    const hasMedium = findings.some(f => f.severity === "medium");
+
+    return {
+      approved: !hasHigh,
+      reason: hasHigh 
+        ? "Architecture violations found - review required" 
+        : hasMedium
+          ? "Approved with architecture warnings"
+          : findings.length > 0 
+            ? "Approved with minor suggestions"
+            : "Architecture patterns look good",
+      findings,
+      signature: this._sign(findings),
+      metadata: {
+        analysisTimeMs: Date.now() - startTime,
+        filesAnalyzed: files.length,
+        rulesChecked: this._countRules(),
+      },
+    };
+  }
+
+  _analyzeDiffPatterns(diff) {
+    const findings = [];
+    const lines = diff.split("\n");
+    let currentFile = "unknown";
+    let lineNumber = 0;
+
+    for (const line of lines) {
+      // Track file context
+      if (line.startsWith("+++") || line.startsWith("---")) {
+        const match = line.match(/[ab]\/(.+)/);
+        if (match) currentFile = match[1];
+        continue;
+      }
+
+      if (line.startsWith("@@")) {
+        const match = line.match(/@@ -\d+(?:,\d+)? \+(\d+)/);
+        if (match) lineNumber = parseInt(match[1], 10);
+        continue;
+      }
+
+      // Only check added lines
+      if (line.startsWith("+") && !line.startsWith("+++")) {
+        const addedContent = line.slice(1);
+
+        // Check layer violations
+        for (const rule of this.rules.layerViolations) {
+          if (rule.context.test(currentFile) && rule.pattern.test(addedContent)) {
+            findings.push({
+              type: "layer-violation",
+              rule: rule.name,
+              severity: rule.severity,
+              message: rule.message,
+              file: currentFile,
+              line: lineNumber,
+              evidence: addedContent.trim().slice(0, 100),
+            });
+          }
+        }
+
+        // Check import patterns
+        for (const rule of this.rules.importPatterns) {
+          if (rule.pattern.test(addedContent)) {
+            if (!rule.context || rule.context.test(currentFile)) {
+              findings.push({
+                type: "import-pattern",
+                rule: rule.name,
+                severity: rule.severity,
+                message: rule.message,
+                file: currentFile,
+                line: lineNumber,
+                evidence: addedContent.trim().slice(0, 100),
+              });
+            }
+          }
+        }
+
+        lineNumber++;
+      } else if (!line.startsWith("-")) {
+        lineNumber++;
+      }
+    }
+
+    return findings;
+  }
+
+  _analyzeFileStructure(files) {
+    const findings = [];
+
+    for (const rule of this.rules.fileOrganization) {
+      if (typeof rule.check === "function") {
+        const result = rule.check(files);
+        if (!result.pass) {
+          findings.push({
+            type: "file-organization",
+            rule: rule.name,
+            severity: result.severity || "low",
+            message: result.message,
+          });
+        }
+      }
+    }
+
+    return findings;
+  }
+
+  _detectCircularDependencies(files) {
+    const findings = [];
+    const graph = new Map();
+
+    // Build dependency graph
+    for (const file of files) {
+      if (!file.content) continue;
+      
+      const imports = [];
+      const importRegex = /import\s+(?:.*?\s+from\s+)?['"]([^'"]+)['"]/g;
+      let match;
+      
+      while ((match = importRegex.exec(file.content)) !== null) {
+        const importPath = match[1];
+        // Only track relative imports
+        if (importPath.startsWith(".")) {
+          const resolvedPath = this._resolveImportPath(file.path, importPath);
+          imports.push(resolvedPath);
+        }
+      }
+      
+      graph.set(file.path, imports);
+    }
+
+    // Detect cycles using DFS
+    const visited = new Set();
+    const recursionStack = new Set();
+
+    const detectCycle = (node, path = []) => {
+      if (recursionStack.has(node)) {
+        const cycleStart = path.indexOf(node);
+        const cycle = path.slice(cycleStart);
+        return { hasCycle: true, cycle: [...cycle, node] };
+      }
+      
+      if (visited.has(node)) {
+        return { hasCycle: false };
+      }
+
+      visited.add(node);
+      recursionStack.add(node);
+
+      const neighbors = graph.get(node) || [];
+      for (const neighbor of neighbors) {
+        const result = detectCycle(neighbor, [...path, node]);
+        if (result.hasCycle) {
+          return result;
+        }
+      }
+
+      recursionStack.delete(node);
+      return { hasCycle: false };
+    };
+
+    for (const node of graph.keys()) {
+      visited.clear();
+      recursionStack.clear();
+      const result = detectCycle(node);
+      
+      if (result.hasCycle) {
+        findings.push({
+          type: "circular-dependency",
+          severity: this.rules.circularDependencies.severity,
+          message: "Circular dependency detected",
+          evidence: result.cycle.join(" → "),
+        });
+        break; // Report only first cycle found
+      }
+    }
+
+    return findings;
+  }
+
+  _checkNamingConventions(files) {
+    const findings = [];
+
+    for (const file of files) {
+      const fileName = path.basename(file.path);
+      
+      for (const rule of this.rules.namingConventions) {
+        if (rule.context.test(file.path)) {
+          if (!rule.pattern.test(fileName)) {
+            findings.push({
+              type: "naming-convention",
+              rule: rule.name,
+              severity: rule.severity,
+              message: rule.message,
+              file: file.path,
+            });
+          }
+        }
+      }
+    }
+
+    return findings;
+  }
+
+  _resolveImportPath(fromPath, importPath) {
+    const fromDir = path.dirname(fromPath);
+    return path.normalize(path.join(fromDir, importPath));
+  }
+
+  _countRules() {
+    return (
+      this.rules.layerViolations.length +
+      this.rules.namingConventions.length +
+      this.rules.importPatterns.length +
+      this.rules.fileOrganization.length +
+      1 // circular dependencies
+    );
+  }
+
+  _sign(findings) {
+    const timestamp = Date.now();
+    const hash = crypto
+      .createHash("sha256")
+      .update(JSON.stringify({ findings: findings.length, timestamp }))
+      .digest("hex")
+      .slice(0, 16);
+    return `arch_${timestamp}_${hash}_${findings.length}`;
+  }
+}
+
+module.exports = { ArchitectureAuthority };

package/bin/runners/lib/authority/authorities/compliance.js

@@ -0,0 +1,341 @@
+/**
+ * Compliance Authority - Automated compliance review
+ * 
+ * Checks for:
+ * - SOC2 compliance issues
+ * - GDPR data handling
+ * - HIPAA PHI handling
+ * - PCI-DSS requirements
+ * - License compliance
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+
+class ComplianceAuthority {
+  static description = "Compliance check (SOC2, GDPR, HIPAA, etc.)";
+  static automated = true;
+  static tier = "pro";
+  
+  constructor(options = {}) {
+    this.options = options;
+    this.frameworks = options.frameworks || ["soc2", "gdpr"];
+    this.rules = this._initializeRules();
+  }
+  
+  _initializeRules() {
+    return {
+      soc2: [
+        {
+          name: "logging-required",
+          pattern: /(authentication|login|logout|password|permission|access)/i,
+          checkAuditLog: true,
+          message: "Security events must be logged for SOC2 compliance",
+          severity: "high",
+        },
+        {
+          name: "encryption-at-rest",
+          pattern: /\.encrypt|crypto\.|bcrypt|argon2/,
+          inverse: true,
+          context: /(password|secret|token|key)/i,
+          message: "Sensitive data should be encrypted at rest",
+          severity: "high",
+        },
+        {
+          name: "access-control",
+          pattern: /(isAdmin|isAuthenticated|hasPermission|authorize|checkRole)/i,
+          context: /(route|endpoint|api|handler)/i,
+          message: "API endpoints should have access control checks",
+          severity: "medium",
+        },
+      ],
+      gdpr: [
+        {
+          name: "pii-handling",
+          pattern: /(email|phone|address|ssn|social[_-]?security|passport|license)/i,
+          message: "Personal Identifiable Information detected - ensure GDPR compliance",
+          severity: "medium",
+        },
+        {
+          name: "consent-tracking",
+          pattern: /(consent|gdpr|optIn|optOut|dataSubject)/i,
+          context: /(user|customer|profile)/i,
+          inverse: true,
+          message: "User data handling should include consent management",
+          severity: "high",
+        },
+        {
+          name: "data-retention",
+          pattern: /(delete|purge|anonymize|retention)/i,
+          context: /(user|customer|pii)/i,
+          inverse: true,
+          message: "Consider data retention and right-to-be-forgotten requirements",
+          severity: "medium",
+        },
+        {
+          name: "data-export",
+          pattern: /(export|download|portability)/i,
+          context: /(user|customer|data)/i,
+          inverse: true,
+          message: "GDPR requires data portability capability",
+          severity: "low",
+        },
+      ],
+      hipaa: [
+        {
+          name: "phi-logging",
+          pattern: /(patient|medical|health|diagnosis|prescription|treatment)/i,
+          message: "Protected Health Information detected - ensure HIPAA compliance",
+          severity: "critical",
+        },
+        {
+          name: "phi-encryption",
+          pattern: /\.encrypt|crypto\./,
+          context: /(patient|medical|health)/i,
+          inverse: true,
+          message: "PHI must be encrypted in transit and at rest",
+          severity: "critical",
+        },
+        {
+          name: "access-audit",
+          pattern: /(audit|log|track)/i,
+          context: /(patient|medical|record)/i,
+          inverse: true,
+          message: "Access to PHI must be logged for HIPAA audit requirements",
+          severity: "high",
+        },
+      ],
+      pciDss: [
+        {
+          name: "card-data",
+          pattern: /(cardNumber|cvv|expiry|pan|primaryAccountNumber)/i,
+          message: "Payment card data detected - ensure PCI-DSS compliance",
+          severity: "critical",
+        },
+        {
+          name: "card-storage",
+          pattern: /(save|store|persist).*card/i,
+          message: "Storing payment card data requires PCI-DSS compliance",
+          severity: "critical",
+        },
+        {
+          name: "card-logging",
+          pattern: /console\.(log|info|debug).*card/i,
+          message: "Never log payment card data",
+          severity: "critical",
+        },
+      ],
+      licenses: [
+        {
+          name: "gpl-viral",
+          pattern: /GPL|GNU General Public/i,
+          context: /LICENSE|package\.json/,
+          message: "GPL license detected - may require source disclosure",
+          severity: "medium",
+        },
+        {
+          name: "agpl-network",
+          pattern: /AGPL|Affero/i,
+          context: /LICENSE|package\.json/,
+          message: "AGPL license detected - network use triggers disclosure",
+          severity: "high",
+        },
+      ],
+    };
+  }
+
+  async review(payload) {
+    const { files = [], diff = "", context = {} } = payload;
+    const findings = [];
+    const startTime = Date.now();
+
+    // Determine which frameworks to check
+    const activeFrameworks = context.frameworks || this.frameworks;
+
+    // Analyze diff content
+    if (diff) {
+      findings.push(...this._analyzeDiff(diff, activeFrameworks));
+    }
+
+    // Analyze files
+    for (const file of files) {
+      if (file.content) {
+        findings.push(...this._analyzeFile(file.path || "unknown", file.content, activeFrameworks));
+      }
+    }
+
+    // Check for missing compliance requirements
+    findings.push(...this._checkMissingRequirements(files, activeFrameworks));
+
+    // Determine approval status
+    const hasCritical = findings.some(f => f.severity === "critical");
+    const hasHigh = findings.some(f => f.severity === "high");
+
+    return {
+      approved: !hasCritical,
+      reason: hasCritical 
+        ? "Critical compliance violations found - immediate action required" 
+        : hasHigh
+          ? "Approved with compliance warnings - review required"
+          : findings.length > 0 
+            ? "Approved with minor compliance notes"
+            : "Compliance checks passed",
+      findings,
+      signature: this._sign(findings),
+      metadata: {
+        analysisTimeMs: Date.now() - startTime,
+        filesAnalyzed: files.length,
+        frameworksChecked: activeFrameworks,
+        rulesChecked: this._countRules(activeFrameworks),
+      },
+    };
+  }
+
+  _analyzeDiff(diff, frameworks) {
+    const findings = [];
+    const lines = diff.split("\n");
+    let currentFile = "unknown";
+    let lineNumber = 0;
+
+    for (const line of lines) {
+      if (line.startsWith("+++") || line.startsWith("---")) {
+        const match = line.match(/[ab]\/(.+)/);
+        if (match) currentFile = match[1];
+        continue;
+      }
+
+      if (line.startsWith("@@")) {
+        const match = line.match(/@@ -\d+(?:,\d+)? \+(\d+)/);
+        if (match) lineNumber = parseInt(match[1], 10);
+        continue;
+      }
+
+      if (line.startsWith("+") && !line.startsWith("+++")) {
+        const addedContent = line.slice(1);
+        
+        for (const framework of frameworks) {
+          const rules = this.rules[framework] || [];
+          for (const rule of rules) {
+            if (this._matchesRule(addedContent, currentFile, rule)) {
+              findings.push({
+                type: "compliance-violation",
+                framework,
+                rule: rule.name,
+                severity: rule.severity,
+                message: rule.message,
+                file: currentFile,
+                line: lineNumber,
+                evidence: addedContent.trim().slice(0, 100),
+              });
+            }
+          }
+        }
+
+        lineNumber++;
+      } else if (!line.startsWith("-")) {
+        lineNumber++;
+      }
+    }
+
+    return findings;
+  }
+
+  _analyzeFile(filePath, content, frameworks) {
+    const findings = [];
+    const lines = content.split("\n");
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      
+      for (const framework of frameworks) {
+        const rules = this.rules[framework] || [];
+        for (const rule of rules) {
+          if (this._matchesRule(line, filePath, rule)) {
+            findings.push({
+              type: "compliance-violation",
+              framework,
+              rule: rule.name,
+              severity: rule.severity,
+              message: rule.message,
+              file: filePath,
+              line: i + 1,
+              evidence: line.trim().slice(0, 100),
+            });
+          }
+        }
+      }
+    }
+
+    return findings;
+  }
+
+  _matchesRule(content, filePath, rule) {
+    // Check context filter first
+    if (rule.context && !rule.context.test(content) && !rule.context.test(filePath)) {
+      return false;
+    }
+
+    const matches = rule.pattern.test(content);
+    
+    // Handle inverse rules (checking for absence of something)
+    if (rule.inverse) {
+      return !matches;
+    }
+    
+    return matches;
+  }
+
+  _checkMissingRequirements(files, frameworks) {
+    const findings = [];
+    const allContent = files.map(f => f.content || "").join("\n");
+
+    // Check for missing privacy policy reference (GDPR)
+    if (frameworks.includes("gdpr")) {
+      if (!/(privacy[_-]?policy|gdpr|data[_-]?protection)/i.test(allContent)) {
+        findings.push({
+          type: "compliance-missing",
+          framework: "gdpr",
+          rule: "privacy-policy-reference",
+          severity: "medium",
+          message: "Consider adding privacy policy references for GDPR compliance",
+        });
+      }
+    }
+
+    // Check for missing audit logging setup (SOC2)
+    if (frameworks.includes("soc2")) {
+      if (!/(auditLog|securityLog|eventLog|audit\.log)/i.test(allContent)) {
+        findings.push({
+          type: "compliance-missing",
+          framework: "soc2",
+          rule: "audit-logging-setup",
+          severity: "medium",
+          message: "SOC2 requires audit logging infrastructure",
+        });
+      }
+    }
+
+    return findings;
+  }
+
+  _countRules(frameworks) {
+    let count = 0;
+    for (const framework of frameworks) {
+      count += (this.rules[framework] || []).length;
+    }
+    return count;
+  }
+
+  _sign(findings) {
+    const timestamp = Date.now();
+    const hash = crypto
+      .createHash("sha256")
+      .update(JSON.stringify({ findings: findings.length, timestamp }))
+      .digest("hex")
+      .slice(0, 16);
+    return `compl_${timestamp}_${hash}_${findings.length}`;
+  }
+}
+
+module.exports = { ComplianceAuthority };