@vibecheckai/cli 3.4.0 → 3.5.1

package/bin/runners/lib/agent-firewall/change-packet/builder.js

@@ -1,488 +0,0 @@
-/**
- * Change Packet Builder
- * 
- * Builds change packets from diffs + agent intent.
- * Each packet is a complete audit artifact of an AI code change attempt.
- * 
- * Enhanced with:
- * - Risk scoring
- * - Simulation results
- * - Critic verdict
- * - Override tracking
- */
-
-"use strict";
-
-const crypto = require("crypto");
-const path = require("path");
-
-/**
- * @typedef {Object} ProofArtifact
- * @property {string} changeId - Unique change identifier
- * @property {string} decision - ALLOW, BLOCK, or REQUIRE_CONFIRMATION
- * @property {Array} rulesTriggered - Rules that were triggered
- * @property {Array} assumptionsFailed - Failed assumptions
- * @property {number} riskScore - Numerical risk score
- * @property {string} riskLevel - LOW, MEDIUM, HIGH, CRITICAL
- * @property {Object} simulationResult - Result of diff simulation
- * @property {Object} criticVerdict - Critic LLM verdict
- * @property {string} timestamp - ISO timestamp
- * @property {boolean} overrideUsed - Whether override was used
- * @property {string} overrideBy - Who overrode (if applicable)
- * @property {string} overrideReason - Reason for override
- */
-
-/**
- * Build a change packet from diff and agent intent
- * @param {object} params
- * @param {string} params.agentId - Agent identifier
- * @param {string} params.intent - Agent's stated intent
- * @param {object} params.diff - Diff object { before, after, unified }
- * @param {string} params.filePath - File path (relative to repo root)
- * @param {object} params.claims - Extracted claims
- * @param {object} params.evidence - Evidence resolution results
- * @param {object} params.verdict - Policy verdict
- * @param {object} params.unblockPlan - Unblock plan (if blocked)
- * @param {object} params.policy - Policy used for evaluation
- * @param {object} params.riskScore - Risk scoring result
- * @param {object} params.simulationResult - Diff simulation result
- * @param {object} params.criticVerdict - Critic LLM verdict
- * @param {object} params.proposal - Structured change proposal
- * @param {object} params.override - Override information
- * @returns {object} Change packet
- */
-function buildChangePacket({
-  agentId,
-  intent,
-  diff,
-  filePath,
-  claims = [],
-  evidence = [],
-  verdict,
-  unblockPlan = null,
-  policy = null,
-  riskScore = null,
-  simulationResult = null,
-  criticVerdict = null,
-  proposal = null,
-  override = null
-}) {
-  const timestamp = new Date().toISOString();
-  
-  // Generate unique packet ID from content hash
-  const packetContent = JSON.stringify({
-    agentId,
-    intent,
-    filePath,
-    timestamp,
-    diff: diff?.unified || ""
-  });
-  const id = crypto.createHash("sha256")
-    .update(packetContent)
-    .digest("hex")
-    .slice(0, 16);
-  
-  // Calculate file statistics
-  const linesChanged = diff?.unified 
-    ? diff.unified.split('\n').filter(line => line.startsWith('+') || line.startsWith('-')).length
-    : 0;
-  
-  const files = [{
-    path: filePath,
-    linesChanged,
-    domain: classifyFileDomain(filePath)
-  }];
-  
-  // Extract failed assumptions from evidence
-  const assumptionsFailed = evidence
-    .filter(e => e.status === "UNPROVEN" || !e.verified)
-    .map(e => e.claim?.key || e.claim?.type || e.assumption || "unknown");
-  
-  // Extract triggered rules from verdict
-  const rulesTriggered = (verdict?.violations || [])
-    .map(v => v.rule || v.type || v.id)
-    .filter(Boolean);
-  
-  // Build packet with enhanced proof artifact fields
-  const packet = {
-    id,
-    timestamp,
-    agentId,
-    intent: intent || "No intent provided",
-    
-    // Original fields
-    diff: diff || null,
-    files,
-    claims,
-    evidence,
-    
-    // Verdict and decision
-    verdict: verdict || {
-      decision: "ALLOW",
-      violations: [],
-      message: "No verdict provided"
-    },
-    unblockPlan: unblockPlan || null,
-    
-    // Enhanced proof artifact fields
-    proof: {
-      changeId: `c-${id}`,
-      decision: verdict?.decision || "ALLOW",
-      rulesTriggered,
-      assumptionsFailed,
-      riskScore: riskScore?.total ?? null,
-      riskLevel: riskScore?.level || null,
-      riskFactors: riskScore?.reasons || [],
-      simulationResult: simulationResult ? {
-        passed: simulationResult.passed,
-        errorCount: simulationResult.errors?.length || 0,
-        warningCount: simulationResult.warnings?.length || 0,
-        errors: (simulationResult.errors || []).slice(0, 5).map(e => e.message || e),
-        warnings: (simulationResult.warnings || []).slice(0, 5).map(w => w.message || w),
-      } : null,
-      criticVerdict: criticVerdict ? {
-        verdict: criticVerdict.verdict,
-        confidence: criticVerdict.confidence,
-        reasoning: criticVerdict.reasoning || [],
-        violations: criticVerdict.violations || [],
-      } : null,
-      overrideUsed: override?.used || false,
-      overrideBy: override?.by || null,
-      overrideReason: override?.reason || null,
-      overrideTimestamp: override?.timestamp || null,
-    },
-    
-    // Structured proposal (if provided)
-    proposal: proposal ? {
-      intent: proposal.intent,
-      summary: proposal.summary,
-      confidence: proposal.confidence,
-      assumptions: proposal.assumptions,
-      filesTouched: proposal.filesTouched,
-      operationCount: proposal.operations?.length || 0,
-    } : null,
-    
-    // Metadata
-    metadata: {
-      totalFiles: files.length,
-      totalLines: linesChanged,
-      policyVersion: policy?.version || "unknown",
-      policyProfile: policy?.profile || "unknown",
-      policyMode: policy?.mode || "unknown",
-      domains: [...new Set(files.map(f => f.domain))],
-    }
-  };
-  
-  return packet;
-}
-
-/**
- * Build change packet from multiple files
- * @param {object} params
- * @param {string} params.agentId - Agent identifier
- * @param {string} params.intent - Agent's stated intent
- * @param {array} params.changes - Array of { filePath, diff, claims }
- * @param {array} params.evidence - Evidence resolution results
- * @param {object} params.verdict - Policy verdict
- * @param {object} params.unblockPlan - Unblock plan (if blocked)
- * @param {object} params.policy - Policy used for evaluation
- * @param {object} params.riskScore - Risk scoring result
- * @param {object} params.simulationResult - Diff simulation result
- * @param {object} params.criticVerdict - Critic LLM verdict
- * @param {object} params.proposal - Structured change proposal
- * @param {object} params.override - Override information
- * @returns {object} Change packet
- */
-function buildMultiFileChangePacket({
-  agentId,
-  intent,
-  changes = [],
-  evidence = [],
-  verdict,
-  unblockPlan = null,
-  policy = null,
-  riskScore = null,
-  simulationResult = null,
-  criticVerdict = null,
-  proposal = null,
-  override = null
-}) {
-  const timestamp = new Date().toISOString();
-  
-  // Aggregate all file changes
-  const files = changes.map(change => ({
-    path: change.filePath,
-    linesChanged: calculateLinesChanged(change.diff),
-    domain: classifyFileDomain(change.filePath)
-  }));
-  
-  // Aggregate all claims
-  const claims = changes.flatMap(change => 
-    (change.claims || []).map(claim => ({
-      ...claim,
-      file: change.filePath
-    }))
-  );
-  
-  // Generate unique packet ID from all changes
-  const packetContent = JSON.stringify({
-    agentId,
-    intent,
-    timestamp,
-    files: files.map(f => f.path),
-    claims: claims.map(c => `${c.type}:${c.value}`)
-  });
-  const id = crypto.createHash("sha256")
-    .update(packetContent)
-    .digest("hex")
-    .slice(0, 16);
-  
-  // Build unified diff (concatenate all diffs)
-  const unifiedDiff = changes
-    .map(change => {
-      const diff = change.diff?.unified || "";
-      return diff ? `--- ${change.filePath}\n+++ ${change.filePath}\n${diff}` : "";
-    })
-    .filter(Boolean)
-    .join("\n\n");
-  
-  // Extract failed assumptions from evidence
-  const assumptionsFailed = evidence
-    .filter(e => e.status === "UNPROVEN" || !e.verified)
-    .map(e => e.claim?.key || e.claim?.type || e.assumption || "unknown");
-  
-  // Extract triggered rules from verdict
-  const rulesTriggered = (verdict?.violations || [])
-    .map(v => v.rule || v.type || v.id)
-    .filter(Boolean);
-  
-  const packet = {
-    id,
-    timestamp,
-    agentId,
-    intent: intent || "No intent provided",
-    
-    // Original fields
-    diff: unifiedDiff ? {
-      unified: unifiedDiff,
-      before: null,
-      after: null
-    } : null,
-    files,
-    claims,
-    evidence,
-    
-    // Verdict and decision
-    verdict: verdict || {
-      decision: "ALLOW",
-      violations: [],
-      message: "No verdict provided"
-    },
-    unblockPlan: unblockPlan || null,
-    
-    // Enhanced proof artifact fields
-    proof: {
-      changeId: `c-${id}`,
-      decision: verdict?.decision || "ALLOW",
-      rulesTriggered,
-      assumptionsFailed,
-      riskScore: riskScore?.total ?? null,
-      riskLevel: riskScore?.level || null,
-      riskFactors: riskScore?.reasons || [],
-      simulationResult: simulationResult ? {
-        passed: simulationResult.passed,
-        errorCount: simulationResult.errors?.length || 0,
-        warningCount: simulationResult.warnings?.length || 0,
-        errors: (simulationResult.errors || []).slice(0, 5).map(e => e.message || e),
-        warnings: (simulationResult.warnings || []).slice(0, 5).map(w => w.message || w),
-      } : null,
-      criticVerdict: criticVerdict ? {
-        verdict: criticVerdict.verdict,
-        confidence: criticVerdict.confidence,
-        reasoning: criticVerdict.reasoning || [],
-        violations: criticVerdict.violations || [],
-      } : null,
-      overrideUsed: override?.used || false,
-      overrideBy: override?.by || null,
-      overrideReason: override?.reason || null,
-      overrideTimestamp: override?.timestamp || null,
-    },
-    
-    // Structured proposal (if provided)
-    proposal: proposal ? {
-      intent: proposal.intent,
-      summary: proposal.summary,
-      confidence: proposal.confidence,
-      assumptions: proposal.assumptions,
-      filesTouched: proposal.filesTouched,
-      operationCount: proposal.operations?.length || 0,
-    } : null,
-    
-    // Metadata
-    metadata: {
-      totalFiles: files.length,
-      totalLines: files.reduce((sum, f) => sum + f.linesChanged, 0),
-      policyVersion: policy?.version || "unknown",
-      policyProfile: policy?.profile || "unknown",
-      policyMode: policy?.mode || "unknown",
-      domains: [...new Set(files.map(f => f.domain))],
-    }
-  };
-  
-  return packet;
-}
-
-/**
- * Calculate number of lines changed from diff
- * @param {object} diff - Diff object
- * @returns {number} Number of lines changed
- */
-function calculateLinesChanged(diff) {
-  if (!diff || !diff.unified) return 0;
-  return diff.unified
-    .split('\n')
-    .filter(line => line.startsWith('+') || line.startsWith('-'))
-    .length;
-}
-
-/**
- * Classify file domain from path
- * @param {string} filePath - File path
- * @returns {string} Domain classification
- */
-function classifyFileDomain(filePath) {
-  const s = filePath.toLowerCase();
-  if (s.includes("auth")) return "auth";
-  if (s.includes("stripe") || s.includes("payment")) return "payments";
-  if (s.includes("routes") || s.includes("router") || s.includes("api")) return "routes";
-  if (s.includes("schema") || s.includes("contract") || s.includes("openapi")) return "contracts";
-  if (s.includes("ui") || s.includes("components") || s.includes("pages")) return "ui";
-  return "general";
-}
-
-/**
- * Build a standalone proof artifact for compliance
- * @param {object} params - Proof parameters
- * @returns {ProofArtifact} Proof artifact
- */
-function buildProofArtifact({
-  changeId,
-  decision,
-  rulesTriggered = [],
-  assumptionsFailed = [],
-  riskScore = null,
-  simulationResult = null,
-  criticVerdict = null,
-  override = null,
-}) {
-  const timestamp = new Date().toISOString();
-  
-  return {
-    changeId: changeId || `c-${crypto.randomBytes(8).toString("hex")}`,
-    decision: decision || "BLOCK",
-    rulesTriggered,
-    assumptionsFailed,
-    riskScore: riskScore?.total ?? null,
-    riskLevel: riskScore?.level || "UNKNOWN",
-    riskFactors: riskScore?.reasons || [],
-    simulationResult: simulationResult ? {
-      passed: simulationResult.passed,
-      errorCount: simulationResult.errors?.length || 0,
-      warningCount: simulationResult.warnings?.length || 0,
-      brokenImports: (simulationResult.errors || [])
-        .filter(e => e.type === "broken_import" || e.type === "unresolved_import")
-        .map(e => e.import),
-    } : null,
-    criticVerdict: criticVerdict ? {
-      verdict: criticVerdict.verdict,
-      confidence: criticVerdict.confidence,
-      reasoning: criticVerdict.reasoning || [],
-    } : null,
-    timestamp,
-    overrideUsed: override?.used || false,
-    overrideBy: override?.by || null,
-    overrideReason: override?.reason || null,
-  };
-}
-
-/**
- * Extract proof artifact from a change packet
- * @param {object} packet - Change packet
- * @returns {ProofArtifact} Proof artifact
- */
-function extractProofArtifact(packet) {
-  if (packet.proof) {
-    return {
-      ...packet.proof,
-      timestamp: packet.timestamp,
-    };
-  }
-  
-  // Build from legacy packet format
-  return {
-    changeId: `c-${packet.id}`,
-    decision: packet.verdict?.decision || "UNKNOWN",
-    rulesTriggered: (packet.verdict?.violations || []).map(v => v.rule || v.type),
-    assumptionsFailed: packet.evidence
-      ?.filter(e => e.status === "UNPROVEN")
-      .map(e => e.claim?.key) || [],
-    riskScore: null,
-    riskLevel: "UNKNOWN",
-    simulationResult: null,
-    criticVerdict: null,
-    timestamp: packet.timestamp,
-    overrideUsed: false,
-    overrideBy: null,
-    overrideReason: null,
-  };
-}
-
-/**
- * Format proof artifact for display
- * @param {ProofArtifact} proof - Proof artifact
- * @returns {string} Formatted string
- */
-function formatProofArtifact(proof) {
-  const lines = [
-    `Change ID: ${proof.changeId}`,
-    `Decision: ${proof.decision}`,
-    `Timestamp: ${proof.timestamp}`,
-    "",
-  ];
-  
-  if (proof.riskScore !== null) {
-    lines.push(`Risk Score: ${proof.riskScore} (${proof.riskLevel})`);
-  }
-  
-  if (proof.rulesTriggered.length > 0) {
-    lines.push(`Rules Triggered: ${proof.rulesTriggered.join(", ")}`);
-  }
-  
-  if (proof.assumptionsFailed.length > 0) {
-    lines.push(`Assumptions Failed: ${proof.assumptionsFailed.join(", ")}`);
-  }
-  
-  if (proof.simulationResult) {
-    lines.push(`Simulation: ${proof.simulationResult.passed ? "PASSED" : "FAILED"} (${proof.simulationResult.errorCount} errors)`);
-  }
-  
-  if (proof.criticVerdict) {
-    lines.push(`Critic: ${proof.criticVerdict.verdict} (${(proof.criticVerdict.confidence * 100).toFixed(0)}% confidence)`);
-  }
-  
-  if (proof.overrideUsed) {
-    lines.push(`Override: Used by ${proof.overrideBy} - ${proof.overrideReason}`);
-  }
-  
-  return lines.join("\n");
-}
-
-module.exports = {
-  buildChangePacket,
-  buildMultiFileChangePacket,
-  buildProofArtifact,
-  extractProofArtifact,
-  formatProofArtifact,
-  calculateLinesChanged,
-  classifyFileDomain
-};

package/bin/runners/lib/agent-firewall/change-packet/schema.json

@@ -1,228 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "type": "object",
-  "required": ["id", "timestamp", "agentId", "intent", "files", "claims", "verdict"],
-  "properties": {
-    "id": {
-      "type": "string",
-      "description": "Unique packet ID (hash-based)"
-    },
-    "timestamp": {
-      "type": "string",
-      "format": "date-time",
-      "description": "ISO timestamp of the change"
-    },
-    "agentId": {
-      "type": "string",
-      "description": "Identifier for the AI agent (e.g., 'cursor', 'windsurf', 'copilot')"
-    },
-    "intent": {
-      "type": "string",
-      "description": "Agent's stated intent for the change"
-    },
-    "diff": {
-      "type": "object",
-      "properties": {
-        "before": {
-          "type": "string",
-          "description": "File content before change"
-        },
-        "after": {
-          "type": "string",
-          "description": "File content after change"
-        },
-        "unified": {
-          "type": "string",
-          "description": "Unified diff format"
-        }
-      }
-    },
-    "files": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "required": ["path", "linesChanged"],
-        "properties": {
-          "path": {
-            "type": "string",
-            "description": "Relative file path"
-          },
-          "linesChanged": {
-            "type": "number",
-            "description": "Number of lines changed"
-          },
-          "domain": {
-            "type": "string",
-            "enum": ["auth", "payments", "routes", "contracts", "ui", "general"],
-            "description": "File domain classification"
-          }
-        }
-      },
-      "description": "List of changed files"
-    },
-    "claims": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "required": ["type", "value", "criticality"],
-        "properties": {
-          "type": {
-            "type": "string",
-            "enum": ["route", "env_used", "auth_boundary", "data_contract", "http_call", "ui_success_claim", "side_effect"],
-            "description": "Claim type"
-          },
-          "value": {
-            "type": "string",
-            "description": "Claim value (e.g., route path, env var name)"
-          },
-          "criticality": {
-            "type": "string",
-            "enum": ["hard", "soft"],
-            "description": "Claim criticality"
-          },
-          "pointer": {
-            "type": "string",
-            "description": "File:line pointer (e.g., 'file.ts:42-45')"
-          },
-          "reason": {
-            "type": "string",
-            "description": "Reason for claim extraction"
-          },
-          "file": {
-            "type": "string",
-            "description": "File where claim was found"
-          },
-          "domain": {
-            "type": "string",
-            "enum": ["auth", "payments", "routes", "contracts", "ui", "general"]
-          }
-        }
-      },
-      "description": "Extracted claims from the change"
-    },
-    "evidence": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "required": ["claimId", "result"],
-        "properties": {
-          "claimId": {
-            "type": "string",
-            "description": "Reference to claim in claims array"
-          },
-          "result": {
-            "type": "string",
-            "enum": ["PROVEN", "UNPROVEN", "CONTRADICTS"],
-            "description": "Evidence resolution result"
-          },
-          "sources": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "type": {
-                  "type": "string",
-                  "enum": ["truthpack.routes", "truthpack.env", "truthpack.auth", "truthpack.contracts", "repo.search"]
-                },
-                "pointer": {
-                  "type": "string"
-                },
-                "confidence": {
-                  "type": "number",
-                  "minimum": 0,
-                  "maximum": 1
-                }
-              }
-            }
-          }
-        }
-      },
-      "description": "Evidence resolution results"
-    },
-    "verdict": {
-      "type": "object",
-      "required": ["decision", "violations"],
-      "properties": {
-        "decision": {
-          "type": "string",
-          "enum": ["ALLOW", "WARN", "BLOCK"],
-          "description": "Final verdict"
-        },
-        "violations": {
-          "type": "array",
-          "items": {
-            "type": "object",
-            "required": ["rule", "severity", "message"],
-            "properties": {
-              "rule": {
-                "type": "string",
-                "description": "Rule ID that was violated"
-              },
-              "severity": {
-                "type": "string",
-                "enum": ["allow", "warn", "block"]
-              },
-              "message": {
-                "type": "string",
-                "description": "Violation message"
-              },
-              "claimId": {
-                "type": "string",
-                "description": "Related claim ID"
-              }
-            }
-          }
-        },
-        "message": {
-          "type": "string",
-          "description": "Human-readable verdict message"
-        }
-      }
-    },
-    "unblockPlan": {
-      "type": "object",
-      "properties": {
-        "steps": {
-          "type": "array",
-          "items": {
-            "type": "object",
-            "required": ["action", "file", "description"],
-            "properties": {
-              "action": {
-                "type": "string",
-                "enum": ["add", "modify", "create"]
-              },
-              "file": {
-                "type": "string"
-              },
-              "line": {
-                "type": "number"
-              },
-              "description": {
-                "type": "string"
-              }
-            }
-          }
-        }
-      },
-      "description": "Plan to unblock if verdict is BLOCK"
-    },
-    "metadata": {
-      "type": "object",
-      "properties": {
-        "totalFiles": {
-          "type": "number"
-        },
-        "totalLines": {
-          "type": "number"
-        },
-        "policyVersion": {
-          "type": "string"
-        },
-        "policyProfile": {
-          "type": "string"
-        }
-      }
-    }
-  }
-}