@vibecheckai/cli 3.3.0 → 3.5.0

package/bin/runners/lib/proof-certificate.js

@@ -0,0 +1,634 @@
+/**
+ * Proof Certificate Generator
+ * 
+ * Enterprise-grade proof certificates with:
+ * - Risk Radar visualization
+ * - Pre-flight checklist
+ * - Cryptographic verification
+ * - Audit trail
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+const path = require("path");
+
+// Terminal UI
+let terminalUI;
+try {
+  terminalUI = require("./terminal-ui");
+} catch {
+  terminalUI = {
+    c: { reset: "", bold: "", dim: "", red: "", yellow: "", green: "", cyan: "" },
+    rgb: () => "",
+    icons: { check: "✓", cross: "✗", warning: "⚠", info: "ℹ" },
+  };
+}
+
+const { c, rgb, icons } = terminalUI;
+
+// Colors
+const colors = {
+  critical: rgb(255, 80, 80),
+  high: rgb(255, 150, 50),
+  medium: rgb(255, 200, 0),
+  low: rgb(100, 200, 255),
+  info: rgb(150, 150, 150),
+  success: rgb(0, 255, 150),
+  accent: rgb(0, 200, 255),
+  gold: rgb(255, 215, 0),
+  silver: rgb(192, 192, 192),
+  bronze: rgb(205, 127, 50),
+};
+
+// Risk categories for radar
+const RISK_CATEGORIES = [
+  { id: "security", label: "Security", icon: "🔒" },
+  { id: "quality", label: "Code Quality", icon: "✨" },
+  { id: "reliability", label: "Reliability", icon: "⚡" },
+  { id: "maintainability", label: "Maintainability", icon: "🔧" },
+  { id: "performance", label: "Performance", icon: "🚀" },
+  { id: "compliance", label: "Compliance", icon: "📋" },
+];
+
+// Pre-flight checklist items
+const PREFLIGHT_CHECKS = [
+  { id: "no-critical", label: "No critical issues", category: "blocking", weight: 100 },
+  { id: "no-secrets", label: "No hardcoded secrets", category: "security", weight: 90 },
+  { id: "no-mock-data", label: "No mock/fake data in production paths", category: "quality", weight: 80 },
+  { id: "error-handling", label: "Error handling in place", category: "reliability", weight: 70 },
+  { id: "no-console", label: "No debug console statements", category: "quality", weight: 60 },
+  { id: "type-safety", label: "Type safety enforced", category: "quality", weight: 50 },
+  { id: "deps-secure", label: "Dependencies are secure", category: "security", weight: 85 },
+  { id: "api-consistency", label: "API contracts consistent", category: "reliability", weight: 65 },
+  { id: "auth-verified", label: "Authentication verified", category: "security", weight: 95 },
+  { id: "perf-acceptable", label: "Performance acceptable", category: "performance", weight: 55 },
+];
+
+/**
+ * Calculate risk scores for each category
+ */
+function calculateRiskRadar(findings) {
+  const radar = {};
+  
+  for (const category of RISK_CATEGORIES) {
+    radar[category.id] = {
+      ...category,
+      score: 100,
+      issues: 0,
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+    };
+  }
+
+  // Map findings to categories
+  const categoryMapping = {
+    "hardcoded-secrets": "security",
+    "security": "security",
+    "credentials": "security",
+    "authentication": "security",
+    "authorization": "security",
+    "injection": "security",
+    "xss": "security",
+    "csrf": "security",
+    "vulnerability": "security",
+    
+    "console-logs": "quality",
+    "dead-code": "quality",
+    "unused": "quality",
+    "duplicate": "quality",
+    "complexity": "quality",
+    "code-smell": "quality",
+    "type-any": "quality",
+    "naming": "quality",
+    
+    "error-handling": "reliability",
+    "empty-catch": "reliability",
+    "promise": "reliability",
+    "async": "reliability",
+    "null-check": "reliability",
+    "validation": "reliability",
+    
+    "deprecated": "maintainability",
+    "legacy": "maintainability",
+    "documentation": "maintainability",
+    "test-coverage": "maintainability",
+    
+    "performance": "performance",
+    "memory": "performance",
+    "n+1": "performance",
+    "bundle-size": "performance",
+    "lazy-load": "performance",
+    
+    "mock-data": "compliance",
+    "fake": "compliance",
+    "stub": "compliance",
+    "license": "compliance",
+    "gdpr": "compliance",
+    "pii": "compliance",
+  };
+
+  // Score findings
+  for (const finding of findings) {
+    const category = finding.category?.toLowerCase() || "";
+    const type = finding.type?.toLowerCase() || "";
+    const severity = finding.severity?.toLowerCase() || finding.type?.toLowerCase() || "medium";
+    
+    // Find matching risk category
+    let riskCategory = "quality"; // default
+    for (const [pattern, cat] of Object.entries(categoryMapping)) {
+      if (category.includes(pattern) || type.includes(pattern)) {
+        riskCategory = cat;
+        break;
+      }
+    }
+
+    // Update scores
+    const risk = radar[riskCategory];
+    if (risk) {
+      risk.issues++;
+      
+      switch (severity) {
+        case "critical":
+          risk.critical++;
+          risk.score -= 25;
+          break;
+        case "high":
+          risk.high++;
+          risk.score -= 15;
+          break;
+        case "warning":
+        case "medium":
+          risk.medium++;
+          risk.score -= 8;
+          break;
+        case "suggestion":
+        case "low":
+        case "info":
+          risk.low++;
+          risk.score -= 2;
+          break;
+        default:
+          risk.medium++;
+          risk.score -= 5;
+      }
+      
+      risk.score = Math.max(0, risk.score);
+    }
+  }
+
+  return radar;
+}
+
+/**
+ * Render risk radar visualization
+ */
+function renderRiskRadar(radar) {
+  const lines = [];
+  
+  lines.push(`  ${c.dim}╭${"─".repeat(60)}╮${c.reset}`);
+  lines.push(`  ${c.dim}│${c.reset} ${colors.accent}${c.bold}🎯 RISK RADAR${c.reset}                                              ${c.dim}│${c.reset}`);
+  lines.push(`  ${c.dim}├${"─".repeat(60)}┤${c.reset}`);
+  
+  for (const category of RISK_CATEGORIES) {
+    const risk = radar[category.id];
+    const score = risk.score;
+    const barLength = Math.round(score / 100 * 30);
+    const emptyLength = 30 - barLength;
+    
+    // Color based on score
+    let color;
+    if (score >= 80) color = colors.success;
+    else if (score >= 60) color = colors.medium;
+    else if (score >= 40) color = colors.high;
+    else color = colors.critical;
+    
+    const bar = `${color}${"█".repeat(barLength)}${c.reset}${c.dim}${"░".repeat(emptyLength)}${c.reset}`;
+    const label = `${category.icon} ${category.label}`.padEnd(20);
+    const scoreStr = `${score}%`.padStart(4);
+    const issues = risk.issues > 0 ? `${c.dim}(${risk.issues} issues)${c.reset}` : "";
+    
+    lines.push(`  ${c.dim}│${c.reset} ${label} ${bar} ${color}${scoreStr}${c.reset} ${issues.padEnd(15)}${c.dim}│${c.reset}`);
+  }
+  
+  // Overall score
+  const categories = Object.values(radar);
+  const overallScore = Math.round(categories.reduce((sum, c) => sum + c.score, 0) / categories.length);
+  let overallColor = colors.success;
+  if (overallScore < 80) overallColor = colors.medium;
+  if (overallScore < 60) overallColor = colors.high;
+  if (overallScore < 40) overallColor = colors.critical;
+  
+  lines.push(`  ${c.dim}├${"─".repeat(60)}┤${c.reset}`);
+  lines.push(`  ${c.dim}│${c.reset} ${c.bold}Overall Risk Score:${c.reset}                     ${overallColor}${c.bold}${overallScore}%${c.reset}                   ${c.dim}│${c.reset}`);
+  lines.push(`  ${c.dim}╰${"─".repeat(60)}╯${c.reset}`);
+  
+  return lines.join("\n");
+}
+
+/**
+ * Run pre-flight checklist
+ */
+function runPreflightChecklist(findings, proofGraph) {
+  const results = [];
+  const findingsLower = findings.map(f => ({
+    category: (f.category || "").toLowerCase(),
+    type: (f.type || f.severity || "").toLowerCase(),
+    severity: (f.severity || f.type || "").toLowerCase(),
+  }));
+
+  for (const check of PREFLIGHT_CHECKS) {
+    let passed = true;
+    let details = "";
+
+    switch (check.id) {
+      case "no-critical":
+        const criticals = findingsLower.filter(f => f.severity === "critical" || f.type === "critical");
+        passed = criticals.length === 0;
+        details = passed ? "All clear" : `${criticals.length} critical issue(s)`;
+        break;
+
+      case "no-secrets":
+        const secrets = findingsLower.filter(f => 
+          f.category.includes("secret") || 
+          f.category.includes("credential") ||
+          f.category.includes("password") ||
+          f.category.includes("api-key")
+        );
+        passed = secrets.length === 0;
+        details = passed ? "No secrets detected" : `${secrets.length} secret(s) found`;
+        break;
+
+      case "no-mock-data":
+        const mocks = findingsLower.filter(f => 
+          f.category.includes("mock") || 
+          f.category.includes("fake") ||
+          f.category.includes("stub") ||
+          f.category.includes("test-data")
+        );
+        passed = mocks.length === 0;
+        details = passed ? "No mock data" : `${mocks.length} mock data instance(s)`;
+        break;
+
+      case "error-handling":
+        const errorIssues = findingsLower.filter(f => 
+          f.category.includes("error") || 
+          f.category.includes("catch") ||
+          f.category.includes("exception")
+        );
+        passed = errorIssues.length === 0;
+        details = passed ? "Error handling OK" : `${errorIssues.length} error handling issue(s)`;
+        break;
+
+      case "no-console":
+        const consoles = findingsLower.filter(f => 
+          f.category.includes("console")
+        );
+        passed = consoles.length === 0;
+        details = passed ? "No console statements" : `${consoles.length} console statement(s)`;
+        break;
+
+      case "type-safety":
+        const typeIssues = findingsLower.filter(f => 
+          f.category.includes("type") || 
+          f.category.includes("any")
+        );
+        passed = typeIssues.length <= 2; // Allow some flexibility
+        details = passed ? "Types OK" : `${typeIssues.length} type issue(s)`;
+        break;
+
+      case "deps-secure":
+        const vulns = findingsLower.filter(f => 
+          f.category.includes("vulnerability") || 
+          f.category.includes("cve") ||
+          f.category.includes("security") && f.category.includes("dep")
+        );
+        passed = vulns.length === 0;
+        details = passed ? "Dependencies secure" : `${vulns.length} vulnerability(ies)`;
+        break;
+
+      case "api-consistency":
+        const apiIssues = findingsLower.filter(f => 
+          f.category.includes("api") && (
+            f.category.includes("inconsistent") ||
+            f.category.includes("mismatch")
+          )
+        );
+        passed = apiIssues.length === 0;
+        details = passed ? "API contracts OK" : `${apiIssues.length} API issue(s)`;
+        break;
+
+      case "auth-verified":
+        const authIssues = findingsLower.filter(f => 
+          f.category.includes("auth") && f.severity === "critical"
+        );
+        passed = authIssues.length === 0;
+        details = passed ? "Auth verified" : `${authIssues.length} auth issue(s)`;
+        break;
+
+      case "perf-acceptable":
+        const perfIssues = findingsLower.filter(f => 
+          f.category.includes("performance") && 
+          (f.severity === "critical" || f.severity === "high")
+        );
+        passed = perfIssues.length === 0;
+        details = passed ? "Performance OK" : `${perfIssues.length} perf issue(s)`;
+        break;
+
+      default:
+        passed = true;
+        details = "Check not implemented";
+    }
+
+    results.push({
+      ...check,
+      passed,
+      details,
+    });
+  }
+
+  return results;
+}
+
+/**
+ * Render pre-flight checklist
+ */
+function renderPreflightChecklist(checks) {
+  const lines = [];
+  
+  lines.push(`  ${c.dim}╭${"─".repeat(60)}╮${c.reset}`);
+  lines.push(`  ${c.dim}│${c.reset} ${colors.accent}${c.bold}✈️  PRE-FLIGHT CHECKLIST${c.reset}                                    ${c.dim}│${c.reset}`);
+  lines.push(`  ${c.dim}├${"─".repeat(60)}┤${c.reset}`);
+  
+  const passed = checks.filter(c => c.passed).length;
+  const total = checks.length;
+  const passRate = Math.round(passed / total * 100);
+  
+  for (const check of checks) {
+    const icon = check.passed ? `${colors.success}✓${c.reset}` : `${colors.critical}✗${c.reset}`;
+    const label = check.label.padEnd(35);
+    const details = check.details.padEnd(15);
+    const status = check.passed ? `${colors.success}PASS${c.reset}` : `${colors.critical}FAIL${c.reset}`;
+    
+    lines.push(`  ${c.dim}│${c.reset} ${icon} ${label} ${c.dim}${details}${c.reset} ${status} ${c.dim}│${c.reset}`);
+  }
+  
+  lines.push(`  ${c.dim}├${"─".repeat(60)}┤${c.reset}`);
+  
+  const passColor = passRate >= 80 ? colors.success : passRate >= 60 ? colors.medium : colors.critical;
+  lines.push(`  ${c.dim}│${c.reset} ${c.bold}Pre-flight Status:${c.reset} ${passed}/${total} checks passed ${passColor}(${passRate}%)${c.reset}          ${c.dim}│${c.reset}`);
+  
+  const canShip = checks.filter(c => c.category === "blocking" && !c.passed).length === 0;
+  const shipStatus = canShip 
+    ? `${colors.success}${c.bold}CLEARED FOR TAKEOFF${c.reset}`
+    : `${colors.critical}${c.bold}GROUNDED - BLOCKING ISSUES${c.reset}`;
+  
+  lines.push(`  ${c.dim}│${c.reset} ${shipStatus}                             ${c.dim}│${c.reset}`);
+  lines.push(`  ${c.dim}╰${"─".repeat(60)}╯${c.reset}`);
+  
+  return lines.join("\n");
+}
+
+/**
+ * Generate a cryptographic proof certificate
+ */
+function generateProofCertificate(options) {
+  const {
+    projectPath,
+    projectName,
+    verdict,
+    score,
+    findings,
+    truthpack,
+    proofGraph,
+    duration,
+    tier,
+    version,
+  } = options;
+
+  const timestamp = new Date().toISOString();
+  const certificateId = generateCertificateId();
+  const shortCode = generateShortCode(certificateId);
+  
+  // Calculate checksums
+  const findingsHash = hashObject(findings);
+  const truthpackHash = truthpack ? hashObject(truthpack) : null;
+  
+  // Build certificate
+  const certificate = {
+    certificateId,
+    shortCode,
+    version: "2.0.0",
+    generator: `vibecheck-cli@${version}`,
+    timestamp,
+    expires: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(), // 7 days
+    
+    project: {
+      name: projectName,
+      path: projectPath,
+      scannedAt: timestamp,
+    },
+    
+    verdict: {
+      status: verdict,
+      score,
+      confidence: calculateConfidence(findings, proofGraph),
+      tier,
+    },
+    
+    summary: {
+      totalFindings: findings.length,
+      critical: findings.filter(f => f.severity === "critical" || f.type === "critical").length,
+      high: findings.filter(f => f.severity === "high" || f.type === "high").length,
+      medium: findings.filter(f => f.severity === "warning" || f.type === "warning" || f.severity === "medium").length,
+      low: findings.filter(f => f.severity === "suggestion" || f.type === "suggestion" || f.severity === "low").length,
+    },
+    
+    riskRadar: calculateRiskRadar(findings),
+    preflight: runPreflightChecklist(findings, proofGraph),
+    
+    integrity: {
+      findingsHash,
+      truthpackHash,
+      certificateHash: null, // Set after signing
+    },
+    
+    metadata: {
+      duration,
+      engineVersion: version,
+      nodeVersion: process.version,
+      platform: process.platform,
+    },
+    
+    verificationUrl: `https://verify.vibecheckai.dev/cert/${shortCode}`,
+  };
+  
+  // Sign the certificate
+  certificate.integrity.certificateHash = hashObject({
+    certificateId,
+    timestamp,
+    verdict: certificate.verdict,
+    summary: certificate.summary,
+    findingsHash,
+  });
+  
+  return {
+    certificate,
+    shortCode,
+    qrCode: generateQRCodeData(certificate.verificationUrl),
+  };
+}
+
+/**
+ * Generate unique certificate ID
+ */
+function generateCertificateId() {
+  const timestamp = Date.now().toString(36);
+  const random = crypto.randomBytes(8).toString("hex");
+  return `VC-${timestamp}-${random}`.toUpperCase();
+}
+
+/**
+ * Generate short verification code
+ */
+function generateShortCode(certificateId) {
+  const hash = crypto.createHash("sha256").update(certificateId).digest("hex");
+  return hash.substring(0, 8).toUpperCase();
+}
+
+/**
+ * Calculate confidence score
+ */
+function calculateConfidence(findings, proofGraph) {
+  let confidence = 100;
+  
+  // Reduce confidence based on findings
+  const critical = findings.filter(f => f.severity === "critical" || f.type === "critical").length;
+  const high = findings.filter(f => f.severity === "high" || f.type === "high").length;
+  
+  confidence -= critical * 15;
+  confidence -= high * 8;
+  
+  // Boost confidence if proof graph has verified nodes
+  if (proofGraph?.nodes?.length > 0) {
+    const verifiedNodes = proofGraph.nodes.filter(n => n.verified).length;
+    const totalNodes = proofGraph.nodes.length;
+    confidence += Math.round((verifiedNodes / totalNodes) * 10);
+  }
+  
+  return Math.max(0, Math.min(100, confidence));
+}
+
+/**
+ * Hash an object deterministically
+ */
+function hashObject(obj) {
+  const str = JSON.stringify(obj, Object.keys(obj).sort());
+  return crypto.createHash("sha256").update(str).digest("hex").substring(0, 16);
+}
+
+/**
+ * Generate QR code data URL (placeholder - would use actual QR library)
+ */
+function generateQRCodeData(url) {
+  // In production, this would generate an actual QR code
+  return `data:image/svg+xml,${encodeURIComponent(`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><text x="10" y="50" font-size="8">${url}</text></svg>`)}`;
+}
+
+/**
+ * Render certificate badge for terminal
+ */
+function renderCertificateBadge(certificate) {
+  const lines = [];
+  const { verdict, score, confidence } = certificate.verdict;
+  
+  // Badge colors
+  let badgeColor, badgeIcon, badgeLabel;
+  switch (verdict) {
+    case "SHIP":
+      badgeColor = colors.success;
+      badgeIcon = "🚀";
+      badgeLabel = "SHIP CERTIFIED";
+      break;
+    case "WARN":
+      badgeColor = colors.medium;
+      badgeIcon = "⚠️";
+      badgeLabel = "CONDITIONAL";
+      break;
+    case "BLOCK":
+      badgeColor = colors.critical;
+      badgeIcon = "🛑";
+      badgeLabel = "BLOCKED";
+      break;
+    default:
+      badgeColor = colors.info;
+      badgeIcon = "❓";
+      badgeLabel = "UNKNOWN";
+  }
+  
+  lines.push("");
+  lines.push(`  ${badgeColor}╭${"═".repeat(40)}╮${c.reset}`);
+  lines.push(`  ${badgeColor}║${c.reset}                                        ${badgeColor}║${c.reset}`);
+  lines.push(`  ${badgeColor}║${c.reset}  ${badgeIcon} ${c.bold}${badgeColor}${badgeLabel}${c.reset}                      ${badgeColor}║${c.reset}`);
+  lines.push(`  ${badgeColor}║${c.reset}                                        ${badgeColor}║${c.reset}`);
+  lines.push(`  ${badgeColor}║${c.reset}  Score: ${c.bold}${score}/100${c.reset}  Confidence: ${c.bold}${confidence}%${c.reset}   ${badgeColor}║${c.reset}`);
+  lines.push(`  ${badgeColor}║${c.reset}                                        ${badgeColor}║${c.reset}`);
+  lines.push(`  ${badgeColor}║${c.reset}  ${c.dim}ID: ${certificate.certificateId}${c.reset}      ${badgeColor}║${c.reset}`);
+  lines.push(`  ${badgeColor}║${c.reset}  ${c.dim}Verify: ${certificate.shortCode}${c.reset}                     ${badgeColor}║${c.reset}`);
+  lines.push(`  ${badgeColor}║${c.reset}                                        ${badgeColor}║${c.reset}`);
+  lines.push(`  ${badgeColor}╰${"═".repeat(40)}╯${c.reset}`);
+  lines.push("");
+  
+  return lines.join("\n");
+}
+
+/**
+ * Export certificate as Markdown
+ */
+function exportCertificateMarkdown(certificate) {
+  const { verdict, score, confidence } = certificate.verdict;
+  const { summary, project } = certificate;
+  
+  return `# VibeCheck Proof Certificate
+
+## Project: ${project.name}
+
+| Metric | Value |
+|--------|-------|
+| Verdict | **${verdict}** |
+| Score | ${score}/100 |
+| Confidence | ${confidence}% |
+| Certificate ID | \`${certificate.certificateId}\` |
+| Short Code | \`${certificate.shortCode}\` |
+| Generated | ${certificate.timestamp} |
+| Expires | ${certificate.expires} |
+
+## Summary
+
+- Critical Issues: ${summary.critical}
+- High Issues: ${summary.high}
+- Medium Issues: ${summary.medium}
+- Low Issues: ${summary.low}
+
+## Verification
+
+Verify this certificate at: ${certificate.verificationUrl}
+
+---
+*Generated by VibeCheck v${certificate.metadata.engineVersion}*
+`;
+}
+
+module.exports = {
+  calculateRiskRadar,
+  renderRiskRadar,
+  runPreflightChecklist,
+  renderPreflightChecklist,
+  generateProofCertificate,
+  renderCertificateBadge,
+  exportCertificateMarkdown,
+  RISK_CATEGORIES,
+  PREFLIGHT_CHECKS,
+};