@vibecheckai/cli 3.4.0 → 3.5.0

package/bin/runners/lib/policy-engine.js

@@ -0,0 +1,652 @@
+/**
+ * Enterprise Policy Enforcement Engine
+ * 
+ * Define and enforce security policies:
+ * - Custom rules
+ * - Threshold-based policies
+ * - Team/org policies
+ * - Branch policies
+ * - Time-based policies
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+/**
+ * Policy condition operators
+ */
+const OPERATORS = {
+  eq: (a, b) => a === b,
+  ne: (a, b) => a !== b,
+  gt: (a, b) => a > b,
+  gte: (a, b) => a >= b,
+  lt: (a, b) => a < b,
+  lte: (a, b) => a <= b,
+  contains: (a, b) => String(a).includes(String(b)),
+  notContains: (a, b) => !String(a).includes(String(b)),
+  matches: (a, b) => new RegExp(b).test(String(a)),
+  notMatches: (a, b) => !new RegExp(b).test(String(a)),
+  in: (a, b) => Array.isArray(b) && b.includes(a),
+  notIn: (a, b) => Array.isArray(b) && !b.includes(a),
+  exists: (a) => a !== undefined && a !== null,
+  notExists: (a) => a === undefined || a === null,
+};
+
+/**
+ * Policy actions
+ */
+const ACTIONS = {
+  BLOCK: "block",
+  WARN: "warn",
+  ALLOW: "allow",
+  NOTIFY: "notify",
+  REQUIRE_APPROVAL: "require_approval",
+  AUTO_FIX: "auto_fix",
+  ESCALATE: "escalate",
+};
+
+/**
+ * Built-in policy templates
+ */
+const POLICY_TEMPLATES = {
+  "no-secrets": {
+    id: "no-secrets",
+    name: "No Hardcoded Secrets",
+    description: "Block deployments with hardcoded secrets",
+    enabled: true,
+    priority: 100,
+    conditions: [
+      {
+        field: "findings",
+        path: "category",
+        operator: "contains",
+        value: "secret",
+      },
+    ],
+    action: ACTIONS.BLOCK,
+    message: "Hardcoded secrets detected. Remove all secrets before deploying.",
+    remediation: "Use environment variables or a secrets manager for sensitive data.",
+    tags: ["security", "secrets", "critical"],
+  },
+  
+  "no-critical-vulns": {
+    id: "no-critical-vulns",
+    name: "No Critical Vulnerabilities",
+    description: "Block deployments with critical vulnerabilities",
+    enabled: true,
+    priority: 95,
+    conditions: [
+      {
+        field: "summary.critical",
+        operator: "gt",
+        value: 0,
+      },
+    ],
+    action: ACTIONS.BLOCK,
+    message: "Critical vulnerabilities detected. Fix all critical issues before deploying.",
+    tags: ["security", "vulnerabilities", "critical"],
+  },
+  
+  "max-high-issues": {
+    id: "max-high-issues",
+    name: "Maximum High-Severity Issues",
+    description: "Limit number of high-severity issues",
+    enabled: true,
+    priority: 80,
+    conditions: [
+      {
+        field: "summary.high",
+        operator: "gt",
+        value: 5,
+      },
+    ],
+    action: ACTIONS.WARN,
+    message: "Too many high-severity issues detected (>5).",
+    tags: ["quality", "threshold"],
+  },
+  
+  "minimum-score": {
+    id: "minimum-score",
+    name: "Minimum Quality Score",
+    description: "Require minimum quality score for deployment",
+    enabled: true,
+    priority: 70,
+    conditions: [
+      {
+        field: "score",
+        operator: "lt",
+        value: 70,
+      },
+    ],
+    action: ACTIONS.BLOCK,
+    message: "Quality score too low. Minimum required: 70.",
+    tags: ["quality", "threshold"],
+  },
+  
+  "no-mock-data": {
+    id: "no-mock-data",
+    name: "No Mock Data in Production",
+    description: "Block mock/fake data in production code",
+    enabled: true,
+    priority: 90,
+    conditions: [
+      {
+        field: "findings",
+        path: "category",
+        operator: "matches",
+        value: "mock|fake|stub|test-data",
+      },
+    ],
+    action: ACTIONS.BLOCK,
+    message: "Mock data detected in production paths.",
+    tags: ["quality", "data"],
+  },
+  
+  "require-tests": {
+    id: "require-tests",
+    name: "Require Test Coverage",
+    description: "Ensure test coverage meets minimum threshold",
+    enabled: false,
+    priority: 60,
+    conditions: [
+      {
+        field: "coverage",
+        operator: "lt",
+        value: 80,
+      },
+    ],
+    action: ACTIONS.WARN,
+    message: "Test coverage below 80%.",
+    tags: ["quality", "testing"],
+  },
+  
+  "branch-protection": {
+    id: "branch-protection",
+    name: "Main Branch Protection",
+    description: "Stricter rules for main/master branch",
+    enabled: true,
+    priority: 100,
+    conditions: [
+      {
+        field: "branch",
+        operator: "matches",
+        value: "^(main|master)$",
+      },
+      {
+        field: "summary.critical",
+        operator: "gt",
+        value: 0,
+      },
+    ],
+    action: ACTIONS.BLOCK,
+    message: "Cannot merge to main/master with critical issues.",
+    tags: ["branch", "protection"],
+  },
+  
+  "after-hours-approval": {
+    id: "after-hours-approval",
+    name: "After-Hours Approval Required",
+    description: "Require approval for deployments outside business hours",
+    enabled: false,
+    priority: 50,
+    conditions: [
+      {
+        field: "time.hour",
+        operator: "notIn",
+        value: [9, 10, 11, 12, 13, 14, 15, 16, 17],
+      },
+    ],
+    action: ACTIONS.REQUIRE_APPROVAL,
+    message: "Deployment outside business hours requires approval.",
+    tags: ["time", "approval"],
+  },
+  
+  "weekend-block": {
+    id: "weekend-block",
+    name: "Weekend Deployment Block",
+    description: "Block deployments on weekends",
+    enabled: false,
+    priority: 40,
+    conditions: [
+      {
+        field: "time.dayOfWeek",
+        operator: "in",
+        value: [0, 6], // Sunday, Saturday
+      },
+    ],
+    action: ACTIONS.BLOCK,
+    message: "Deployments are not allowed on weekends.",
+    tags: ["time", "weekend"],
+  },
+};
+
+/**
+ * Policy evaluation result
+ */
+class PolicyResult {
+  constructor(policy, matched, action, message) {
+    this.policyId = policy.id;
+    this.policyName = policy.name;
+    this.matched = matched;
+    this.action = action;
+    this.message = message;
+    this.remediation = policy.remediation;
+    this.priority = policy.priority;
+    this.tags = policy.tags || [];
+    this.timestamp = new Date().toISOString();
+  }
+}
+
+/**
+ * Policy Engine class
+ */
+class PolicyEngine {
+  constructor(options = {}) {
+    this.options = {
+      policiesDir: options.policiesDir || path.join(process.cwd(), ".vibecheck", "policies"),
+      enableBuiltIn: options.enableBuiltIn !== false,
+      strictMode: options.strictMode || false,
+      ...options,
+    };
+    
+    this.policies = new Map();
+    this.customPolicies = new Map();
+    
+    // Load built-in policies
+    if (this.options.enableBuiltIn) {
+      this.loadBuiltInPolicies();
+    }
+    
+    // Load custom policies
+    this.loadCustomPolicies();
+  }
+  
+  /**
+   * Load built-in policies
+   */
+  loadBuiltInPolicies() {
+    for (const [id, policy] of Object.entries(POLICY_TEMPLATES)) {
+      this.policies.set(id, { ...policy, builtIn: true });
+    }
+  }
+  
+  /**
+   * Load custom policies from directory
+   */
+  loadCustomPolicies() {
+    if (!fs.existsSync(this.options.policiesDir)) {
+      return;
+    }
+    
+    const files = fs.readdirSync(this.options.policiesDir)
+      .filter(f => f.endsWith(".json") || f.endsWith(".yaml") || f.endsWith(".yml"));
+    
+    for (const file of files) {
+      try {
+        const content = fs.readFileSync(path.join(this.options.policiesDir, file), "utf-8");
+        const policy = JSON.parse(content);
+        
+        if (this.validatePolicy(policy)) {
+          this.customPolicies.set(policy.id, { ...policy, builtIn: false });
+        }
+      } catch (error) {
+        console.error(`Failed to load policy ${file}:`, error.message);
+      }
+    }
+  }
+  
+  /**
+   * Validate policy structure
+   */
+  validatePolicy(policy) {
+    if (!policy.id || !policy.name || !policy.conditions || !policy.action) {
+      return false;
+    }
+    
+    if (!Array.isArray(policy.conditions)) {
+      return false;
+    }
+    
+    for (const condition of policy.conditions) {
+      if (!condition.field || !condition.operator) {
+        return false;
+      }
+      if (!OPERATORS[condition.operator]) {
+        return false;
+      }
+    }
+    
+    if (!Object.values(ACTIONS).includes(policy.action)) {
+      return false;
+    }
+    
+    return true;
+  }
+  
+  /**
+   * Add or update a policy
+   */
+  addPolicy(policy) {
+    if (!this.validatePolicy(policy)) {
+      throw new Error("Invalid policy structure");
+    }
+    
+    this.customPolicies.set(policy.id, { ...policy, builtIn: false });
+    
+    // Save to disk
+    const policyPath = path.join(this.options.policiesDir, `${policy.id}.json`);
+    fs.mkdirSync(this.options.policiesDir, { recursive: true });
+    fs.writeFileSync(policyPath, JSON.stringify(policy, null, 2));
+    
+    return policy;
+  }
+  
+  /**
+   * Remove a custom policy
+   */
+  removePolicy(policyId) {
+    if (!this.customPolicies.has(policyId)) {
+      return false;
+    }
+    
+    this.customPolicies.delete(policyId);
+    
+    const policyPath = path.join(this.options.policiesDir, `${policyId}.json`);
+    if (fs.existsSync(policyPath)) {
+      fs.unlinkSync(policyPath);
+    }
+    
+    return true;
+  }
+  
+  /**
+   * Get all policies (built-in + custom)
+   */
+  getAllPolicies() {
+    const all = new Map([...this.policies, ...this.customPolicies]);
+    return Array.from(all.values())
+      .filter(p => p.enabled)
+      .sort((a, b) => (b.priority || 0) - (a.priority || 0));
+  }
+  
+  /**
+   * Evaluate a condition against context
+   */
+  evaluateCondition(condition, context) {
+    let value = context;
+    
+    // Navigate to field
+    const fieldParts = condition.field.split(".");
+    for (const part of fieldParts) {
+      if (value === undefined || value === null) break;
+      value = value[part];
+    }
+    
+    // If path is specified, check array items
+    if (condition.path && Array.isArray(value)) {
+      return value.some(item => {
+        let itemValue = item;
+        const pathParts = condition.path.split(".");
+        for (const part of pathParts) {
+          if (itemValue === undefined || itemValue === null) break;
+          itemValue = itemValue[part];
+        }
+        return OPERATORS[condition.operator](itemValue, condition.value);
+      });
+    }
+    
+    // Regular evaluation
+    return OPERATORS[condition.operator](value, condition.value);
+  }
+  
+  /**
+   * Evaluate all policies against context
+   */
+  evaluate(context) {
+    const results = [];
+    const policies = this.getAllPolicies();
+    
+    // Add time context
+    const now = new Date();
+    context.time = {
+      hour: now.getHours(),
+      minute: now.getMinutes(),
+      dayOfWeek: now.getDay(),
+      date: now.toISOString().split("T")[0],
+      timestamp: now.toISOString(),
+    };
+    
+    // Evaluate each policy
+    for (const policy of policies) {
+      let matched = true;
+      
+      // All conditions must match (AND logic)
+      for (const condition of policy.conditions) {
+        if (!this.evaluateCondition(condition, context)) {
+          matched = false;
+          break;
+        }
+      }
+      
+      if (matched) {
+        results.push(new PolicyResult(
+          policy,
+          true,
+          policy.action,
+          policy.message
+        ));
+      }
+    }
+    
+    return results;
+  }
+  
+  /**
+   * Get the most severe action from results
+   */
+  getMostSevereAction(results) {
+    const actionPriority = {
+      [ACTIONS.BLOCK]: 100,
+      [ACTIONS.REQUIRE_APPROVAL]: 80,
+      [ACTIONS.ESCALATE]: 70,
+      [ACTIONS.WARN]: 50,
+      [ACTIONS.NOTIFY]: 30,
+      [ACTIONS.AUTO_FIX]: 20,
+      [ACTIONS.ALLOW]: 0,
+    };
+    
+    let mostSevere = ACTIONS.ALLOW;
+    let maxPriority = 0;
+    
+    for (const result of results) {
+      const priority = actionPriority[result.action] || 0;
+      if (priority > maxPriority) {
+        maxPriority = priority;
+        mostSevere = result.action;
+      }
+    }
+    
+    return mostSevere;
+  }
+  
+  /**
+   * Check if deployment should be blocked
+   */
+  shouldBlock(results) {
+    return results.some(r => r.action === ACTIONS.BLOCK);
+  }
+  
+  /**
+   * Check if approval is required
+   */
+  requiresApproval(results) {
+    return results.some(r => r.action === ACTIONS.REQUIRE_APPROVAL);
+  }
+  
+  /**
+   * Generate policy enforcement summary
+   */
+  generateSummary(results) {
+    const summary = {
+      totalPolicies: this.getAllPolicies().length,
+      evaluated: results.length,
+      blocked: results.filter(r => r.action === ACTIONS.BLOCK).length,
+      warnings: results.filter(r => r.action === ACTIONS.WARN).length,
+      requiresApproval: results.filter(r => r.action === ACTIONS.REQUIRE_APPROVAL).length,
+      finalAction: this.getMostSevereAction(results),
+      policies: results.map(r => ({
+        id: r.policyId,
+        name: r.policyName,
+        action: r.action,
+        message: r.message,
+      })),
+    };
+    
+    return summary;
+  }
+  
+  /**
+   * Create override request
+   */
+  createOverrideRequest(results, requestedBy, reason) {
+    const request = {
+      id: crypto.randomUUID(),
+      timestamp: new Date().toISOString(),
+      requestedBy,
+      reason,
+      policies: results.filter(r => r.action === ACTIONS.BLOCK).map(r => r.policyId),
+      status: "pending",
+      approvals: [],
+      expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(), // 24 hours
+    };
+    
+    // Save override request
+    const overridesDir = path.join(this.options.policiesDir, "overrides");
+    fs.mkdirSync(overridesDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(overridesDir, `${request.id}.json`),
+      JSON.stringify(request, null, 2)
+    );
+    
+    return request;
+  }
+  
+  /**
+   * Approve override request
+   */
+  approveOverride(requestId, approvedBy) {
+    const overridesDir = path.join(this.options.policiesDir, "overrides");
+    const requestPath = path.join(overridesDir, `${requestId}.json`);
+    
+    if (!fs.existsSync(requestPath)) {
+      throw new Error("Override request not found");
+    }
+    
+    const request = JSON.parse(fs.readFileSync(requestPath, "utf-8"));
+    
+    if (new Date(request.expiresAt) < new Date()) {
+      request.status = "expired";
+    } else {
+      request.approvals.push({
+        approvedBy,
+        timestamp: new Date().toISOString(),
+      });
+      request.status = "approved";
+    }
+    
+    fs.writeFileSync(requestPath, JSON.stringify(request, null, 2));
+    
+    return request;
+  }
+  
+  /**
+   * Check if override is valid
+   */
+  isOverrideValid(requestId) {
+    const overridesDir = path.join(this.options.policiesDir, "overrides");
+    const requestPath = path.join(overridesDir, `${requestId}.json`);
+    
+    if (!fs.existsSync(requestPath)) {
+      return false;
+    }
+    
+    const request = JSON.parse(fs.readFileSync(requestPath, "utf-8"));
+    
+    return request.status === "approved" && new Date(request.expiresAt) > new Date();
+  }
+}
+
+// Terminal UI rendering
+let terminalUI;
+try {
+  terminalUI = require("./terminal-ui");
+} catch {
+  terminalUI = {
+    c: { reset: "", bold: "", dim: "" },
+    rgb: () => "",
+  };
+}
+
+const { c, rgb } = terminalUI;
+
+const colors = {
+  block: rgb(255, 80, 80),
+  warn: rgb(255, 200, 0),
+  allow: rgb(0, 255, 150),
+  approval: rgb(255, 150, 50),
+};
+
+/**
+ * Render policy results for terminal
+ */
+function renderPolicyResults(results) {
+  const lines = [];
+  
+  lines.push(`  ${c.dim}╭${"─".repeat(60)}╮${c.reset}`);
+  lines.push(`  ${c.dim}│${c.reset} ${rgb(0, 200, 255)}${c.bold}🛡️  POLICY ENFORCEMENT${c.reset}                                    ${c.dim}│${c.reset}`);
+  lines.push(`  ${c.dim}├${"─".repeat(60)}┤${c.reset}`);
+  
+  if (results.length === 0) {
+    lines.push(`  ${c.dim}│${c.reset} ${colors.allow}✓${c.reset} All policies passed                                     ${c.dim}│${c.reset}`);
+  } else {
+    for (const result of results) {
+      const actionIcon = {
+        block: `${colors.block}✗`,
+        warn: `${colors.warn}⚠`,
+        allow: `${colors.allow}✓`,
+        require_approval: `${colors.approval}🔐`,
+        notify: `${rgb(100, 200, 255)}📢`,
+      }[result.action] || "•";
+      
+      const actionColor = {
+        block: colors.block,
+        warn: colors.warn,
+        allow: colors.allow,
+        require_approval: colors.approval,
+      }[result.action] || c.dim;
+      
+      lines.push(`  ${c.dim}│${c.reset} ${actionIcon}${c.reset} ${result.policyName.padEnd(45)} ${actionColor}${result.action.toUpperCase().padEnd(6)}${c.reset}${c.dim}│${c.reset}`);
+      
+      if (result.message) {
+        const msg = result.message.substring(0, 54);
+        lines.push(`  ${c.dim}│${c.reset}   ${c.dim}${msg}${c.reset}`.padEnd(73) + `${c.dim}│${c.reset}`);
+      }
+    }
+  }
+  
+  lines.push(`  ${c.dim}╰${"─".repeat(60)}╯${c.reset}`);
+  
+  return lines.join("\n");
+}
+
+module.exports = {
+  PolicyEngine,
+  PolicyResult,
+  renderPolicyResults,
+  OPERATORS,
+  ACTIONS,
+  POLICY_TEMPLATES,
+};