@vibecheckai/cli 3.4.0 → 3.5.1

package/bin/runners/lib/agent-firewall/change-packet/store.js

@@ -1,200 +0,0 @@
-/**
- * Change Packet Store
- * 
- * Stores change packets in .vibecheck/packets/YYYY-MM-DD/<hash>.json
- * Provides querying capabilities by agent, date, verdict.
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-
-/**
- * Store a change packet to disk
- * @param {string} projectRoot - Project root directory
- * @param {object} packet - Change packet to store
- * @returns {string} Path where packet was stored
- */
-function storePacket(projectRoot, packet) {
-  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
-  
-  // Create date-based directory
-  const date = new Date(packet.timestamp);
-  const dateDir = date.toISOString().split('T')[0]; // YYYY-MM-DD
-  const dayDir = path.join(packetsDir, dateDir);
-  
-  // Ensure directory exists
-  if (!fs.existsSync(dayDir)) {
-    fs.mkdirSync(dayDir, { recursive: true });
-  }
-  
-  // Write packet file
-  const packetPath = path.join(dayDir, `${packet.id}.json`);
-  fs.writeFileSync(packetPath, JSON.stringify(packet, null, 2));
-  
-  return packetPath;
-}
-
-/**
- * Load a change packet by ID
- * @param {string} projectRoot - Project root directory
- * @param {string} packetId - Packet ID
- * @returns {object|null} Change packet or null if not found
- */
-function loadPacket(projectRoot, packetId) {
-  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
-  
-  // Search all date directories
-  if (!fs.existsSync(packetsDir)) {
-    return null;
-  }
-  
-  const dateDirs = fs.readdirSync(packetsDir, { withFileTypes: true })
-    .filter(dirent => dirent.isDirectory())
-    .map(dirent => dirent.name);
-  
-  for (const dateDir of dateDirs) {
-    const dayDir = path.join(packetsDir, dateDir);
-    const packetPath = path.join(dayDir, `${packetId}.json`);
-    
-    if (fs.existsSync(packetPath)) {
-      return JSON.parse(fs.readFileSync(packetPath, "utf8"));
-    }
-  }
-  
-  return null;
-}
-
-/**
- * Query change packets
- * @param {string} projectRoot - Project root directory
- * @param {object} filters - Query filters
- * @param {string} filters.agentId - Filter by agent ID
- * @param {string} filters.date - Filter by date (YYYY-MM-DD)
- * @param {string} filters.verdict - Filter by verdict (ALLOW, WARN, BLOCK)
- * @param {number} filters.limit - Maximum number of results
- * @returns {array} Array of change packets
- */
-function queryPackets(projectRoot, filters = {}) {
-  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
-  
-  if (!fs.existsSync(packetsDir)) {
-    return [];
-  }
-  
-  const results = [];
-  const { agentId, date, verdict, limit } = filters;
-  
-  // Determine which date directories to search
-  const dateDirs = date 
-    ? [date]
-    : fs.readdirSync(packetsDir, { withFileTypes: true })
-        .filter(dirent => dirent.isDirectory())
-        .map(dirent => dirent.name)
-        .sort()
-        .reverse(); // Most recent first
-  
-  for (const dateDir of dateDirs) {
-    const dayDir = path.join(packetsDir, dateDir);
-    
-    if (!fs.existsSync(dayDir)) continue;
-    
-    const packetFiles = fs.readdirSync(dayDir)
-      .filter(file => file.endsWith('.json'))
-      .map(file => path.join(dayDir, file));
-    
-    for (const packetPath of packetFiles) {
-      try {
-        const packet = JSON.parse(fs.readFileSync(packetPath, "utf8"));
-        
-        // Apply filters
-        if (agentId && packet.agentId !== agentId) continue;
-        if (verdict && packet.verdict?.decision !== verdict) continue;
-        
-        results.push(packet);
-        
-        // Apply limit
-        if (limit && results.length >= limit) {
-          return results;
-        }
-      } catch (error) {
-        // Skip invalid packets
-        continue;
-      }
-    }
-    
-    // If we have a date filter, we only need to check that one directory
-    if (date) break;
-  }
-  
-  return results;
-}
-
-/**
- * Get statistics about stored packets
- * @param {string} projectRoot - Project root directory
- * @returns {object} Statistics
- */
-function getPacketStats(projectRoot) {
-  const packetsDir = path.join(projectRoot, ".vibecheck", "packets");
-  
-  if (!fs.existsSync(packetsDir)) {
-    return {
-      total: 0,
-      byAgent: {},
-      byVerdict: { ALLOW: 0, WARN: 0, BLOCK: 0 },
-      byDate: {}
-    };
-  }
-  
-  const stats = {
-    total: 0,
-    byAgent: {},
-    byVerdict: { ALLOW: 0, WARN: 0, BLOCK: 0 },
-    byDate: {}
-  };
-  
-  const dateDirs = fs.readdirSync(packetsDir, { withFileTypes: true })
-    .filter(dirent => dirent.isDirectory())
-    .map(dirent => dirent.name);
-  
-  for (const dateDir of dateDirs) {
-    const dayDir = path.join(packetsDir, dateDir);
-    if (!fs.existsSync(dayDir)) continue;
-    
-    const packetFiles = fs.readdirSync(dayDir)
-      .filter(file => file.endsWith('.json'));
-    
-    stats.byDate[dateDir] = packetFiles.length;
-    
-    for (const file of packetFiles) {
-      try {
-        const packet = JSON.parse(
-          fs.readFileSync(path.join(dayDir, file), "utf8")
-        );
-        
-        stats.total++;
-        
-        // Count by agent
-        stats.byAgent[packet.agentId] = (stats.byAgent[packet.agentId] || 0) + 1;
-        
-        // Count by verdict
-        const verdict = packet.verdict?.decision || "ALLOW";
-        stats.byVerdict[verdict] = (stats.byVerdict[verdict] || 0) + 1;
-      } catch (error) {
-        // Skip invalid packets
-        continue;
-      }
-    }
-  }
-  
-  return stats;
-}
-
-module.exports = {
-  storePacket,
-  loadPacket,
-  queryPackets,
-  getPacketStats
-};

package/bin/runners/lib/agent-firewall/claims/claim-types.js

@@ -1,21 +0,0 @@
-/**
- * Claim Types
- * 
- * Enumeration of claim types and criticality levels.
- */
-
-module.exports = {
-  CLAIM_TYPES: {
-    ROUTE: "route",
-    ENV: "env_used",
-    AUTH: "auth_boundary",
-    CONTRACT: "data_contract",
-    HTTP_CALL: "http_call",
-    UI_SUCCESS: "ui_success_claim",
-    SIDE_EFFECT: "side_effect"
-  },
-  CRITICALITY: {
-    HARD: "hard",
-    SOFT: "soft"
-  }
-};

package/bin/runners/lib/agent-firewall/claims/extractor.js

@@ -1,303 +0,0 @@
-/**
- * Claim Extractor
- * 
- * Extracts "drift-causing claims" from changed files.
- * Uses AST-based extraction with Babel parser.
- */
-
-const fs = require("fs");
-const path = require("path");
-const parser = require("@babel/parser");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-const { CLAIM_TYPES, CRITICALITY } = require("./claim-types");
-const { ROUTE_LIKE, AUTH_HINTS, SUCCESS_UI } = require("./patterns");
-const { shouldIgnore } = require("../utils/ignore-checker");
-
-function parse(code) {
-  return parser.parse(code, {
-    sourceType: "unambiguous",
-    plugins: ["typescript", "jsx"]
-  });
-}
-
-function locPtr(fileRel, node) {
-  const loc = node && node.loc;
-  if (!loc) return null;
-  return `${fileRel}:${loc.start.line}-${loc.end.line}`;
-}
-
-function pushClaim(out, claim) {
-  const key = `${claim.type}|${claim.value}|${claim.pointer || ""}`;
-  if (!out._dedupe.has(key)) {
-    out._dedupe.add(key);
-    out.claims.push(claim);
-  }
-}
-
-function extractStringLiterals(code) {
-  // Cheap scan for route-ish strings even if AST misses template parts.
-  // Exclude import paths (from './api/...' or from '../api/...')
-  const hits = [];
-  const lines = code.split('\n');
-  
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    
-    // Skip import/require statements to avoid false positives
-    if (/^\s*(import|export|require)\s+.*from\s+['"]/.test(line) ||
-        /^\s*const\s+\w+\s*=\s*require\(/.test(line)) {
-      continue;
-    }
-    
-    // Check for route-like patterns in this line
-    for (const rx of ROUTE_LIKE) {
-      const matches = line.match(rx);
-      if (matches) {
-        // Filter out matches that are part of import paths
-        for (const match of matches) {
-          // Exclude if it's part of an import path (has './' or '../' before it)
-          const matchIndex = line.indexOf(match);
-          const beforeMatch = line.substring(Math.max(0, matchIndex - 10), matchIndex);
-          if (!/['"]\.\.?\/.*$/.test(beforeMatch)) {
-            hits.push(match);
-          }
-        }
-      }
-    }
-  }
-  
-  return [...new Set(hits)];
-}
-
-function classifyFileDomain(fileRel) {
-  const s = fileRel.toLowerCase();
-  if (s.includes("auth")) return "auth";
-  if (s.includes("stripe") || s.includes("payment")) return "payments";
-  if (s.includes("routes") || s.includes("router") || s.includes("api")) return "routes";
-  if (s.includes("schema") || s.includes("contract") || s.includes("openapi")) return "contracts";
-  if (s.includes("ui") || s.includes("components") || s.includes("pages")) return "ui";
-  return "general";
-}
-
-function extractClaimsFromFile({ repoRoot, fileAbs }) {
-  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-  
-  // Skip ignored files (test files, fixtures, etc.)
-  if (shouldIgnore(repoRoot, fileRel)) {
-    return { fileRel, domain: "ignored", claims: [], _dedupe: new Set() };
-  }
-  
-  const code = fs.readFileSync(fileAbs, "utf8");
-  const ast = parse(code);
-
-  const out = { fileRel, domain: classifyFileDomain(fileRel), claims: [], _dedupe: new Set() };
-
-  // 1) quick string route-ish scan (skip - AST-based detection is more accurate)
-  // Removed to avoid false positives from import paths
-
-  // 2) AST-based env extraction
-  traverse(ast, {
-    MemberExpression(p) {
-      // process.env.X
-      const n = p.node;
-      if (
-        t.isMemberExpression(n.object) &&
-        t.isIdentifier(n.object.object, { name: "process" }) &&
-        t.isIdentifier(n.object.property, { name: "env" }) &&
-        (t.isIdentifier(n.property) || t.isStringLiteral(n.property))
-      ) {
-        const name = t.isIdentifier(n.property) ? n.property.name : n.property.value;
-        pushClaim(out, {
-          type: CLAIM_TYPES.ENV,
-          value: name,
-          criticality: CRITICALITY.HARD,
-          pointer: locPtr(fileRel, n),
-          reason: "process.env usage"
-        });
-      }
-
-      // import.meta.env.X (Vite)
-      if (
-        t.isMemberExpression(n.object) &&
-        t.isMemberExpression(n.object.object) &&
-        t.isIdentifier(n.object.object.object, { name: "import" }) &&
-        t.isIdentifier(n.object.object.property, { name: "meta" }) &&
-        t.isIdentifier(n.object.property, { name: "env" }) &&
-        (t.isIdentifier(n.property) || t.isStringLiteral(n.property))
-      ) {
-        const name = t.isIdentifier(n.property) ? n.property.name : n.property.value;
-        pushClaim(out, {
-          type: CLAIM_TYPES.ENV,
-          value: name,
-          criticality: CRITICALITY.HARD,
-          pointer: locPtr(fileRel, n),
-          reason: "import.meta.env usage"
-        });
-      }
-    },
-
-    CallExpression(p) {
-      const n = p.node;
-
-      // fetch("/api/..." or fetch(`${url}/api/...`))
-      if (t.isIdentifier(n.callee, { name: "fetch" }) && n.arguments[0]) {
-        const a0 = n.arguments[0];
-        if (t.isStringLiteral(a0)) {
-          const routeValue = a0.value;
-          // Skip if it's an external URL (starts with http:// or https://)
-          // Only track Next.js API routes (starting with /api/)
-          // External API calls (like /content/blog) are handled by backend, not validated here
-          if (!routeValue.startsWith('http://') && !routeValue.startsWith('https://') && routeValue.startsWith('/api/')) {
-            pushClaim(out, {
-              type: CLAIM_TYPES.HTTP_CALL,
-              value: routeValue,
-              criticality: CRITICALITY.HARD,
-              pointer: locPtr(fileRel, n),
-              reason: "fetch call"
-            });
-          }
-        } else if (t.isTemplateLiteral(a0)) {
-          // Template literal like fetch(`${apiUrl}/api/...`)
-          // Check if it contains /api/ pattern - this indicates an HTTP call
-          const templateParts = a0.quasis.map(q => q.value.cooked || q.value.raw).join('');
-          // Check if it uses apiUrl or similar variable (backend API call)
-          const hasApiUrlVar = a0.expressions.some(expr => 
-            t.isIdentifier(expr) && (
-              expr.name.includes('apiUrl') || 
-              expr.name.includes('API_URL') ||
-              expr.name.includes('api')
-            )
-          );
-          
-          // Extract the actual route path if possible (e.g., /api/v1/dashboard/summary)
-          const apiMatch = templateParts.match(/\/api\/[a-zA-Z0-9_\/\-]+/);
-          if (apiMatch) {
-            pushClaim(out, {
-              type: CLAIM_TYPES.HTTP_CALL,
-              value: apiMatch[0], // Use the actual matched route
-              criticality: CRITICALITY.HARD,
-              pointer: locPtr(fileRel, n),
-              reason: hasApiUrlVar ? "fetch call (backend API - template literal)" : "fetch call (template literal)",
-              isBackendApi: hasApiUrlVar // Flag for evidence resolver
-            });
-          } else if (templateParts.includes('/api/')) {
-            // Fallback: if we can't extract exact route, still mark as HTTP call
-            pushClaim(out, {
-              type: CLAIM_TYPES.HTTP_CALL,
-              value: '/api/*', // Pattern for template literals
-              criticality: CRITICALITY.HARD,
-              pointer: locPtr(fileRel, n),
-              reason: hasApiUrlVar ? "fetch call (backend API - pattern)" : "fetch call (template literal - pattern)",
-              isBackendApi: hasApiUrlVar
-            });
-          }
-        }
-      }
-
-      // axios.get("/api/...")
-      if (t.isMemberExpression(n.callee) && t.isIdentifier(n.callee.object, { name: "axios" })) {
-        const method = t.isIdentifier(n.callee.property) ? n.callee.property.name : "call";
-        const a0 = n.arguments[0];
-        if (a0 && t.isStringLiteral(a0)) {
-          const routeValue = a0.value;
-          // Only track Next.js API routes (starting with /api/)
-          // External API calls (like /content/blog) are handled by backend, not validated here
-          if (routeValue.startsWith('/api/')) {
-            pushClaim(out, {
-              type: CLAIM_TYPES.HTTP_CALL,
-              value: `${method.toUpperCase()} ${routeValue}`,
-              criticality: CRITICALITY.HARD,
-              pointer: locPtr(fileRel, n),
-              reason: "axios call"
-            });
-          }
-        }
-      }
-      
-      // apiRequest("/api/...") - check if it's the apiRequest helper
-      if (t.isIdentifier(n.callee, { name: "apiRequest" }) && n.arguments[0]) {
-        const a0 = n.arguments[0];
-        if (t.isStringLiteral(a0)) {
-          const routeValue = a0.value;
-          // Only track Next.js API routes (starting with /api/)
-          // External API calls (like /content/blog) go to backend API, not Next.js routes
-          if (routeValue.startsWith('/api/')) {
-            pushClaim(out, {
-              type: CLAIM_TYPES.HTTP_CALL,
-              value: routeValue,
-              criticality: CRITICALITY.HARD,
-              pointer: locPtr(fileRel, n),
-              reason: "apiRequest call"
-            });
-          }
-        }
-      }
-
-      // toast.success("Saved")
-      if (
-        t.isMemberExpression(n.callee) &&
-        t.isIdentifier(n.callee.object, { name: "toast" }) &&
-        t.isIdentifier(n.callee.property, { name: "success" })
-      ) {
-        const msg = n.arguments[0] && t.isStringLiteral(n.arguments[0]) ? n.arguments[0].value : "toast.success";
-        pushClaim(out, {
-          type: CLAIM_TYPES.UI_SUCCESS,
-          value: msg,
-          criticality: CRITICALITY.SOFT,
-          pointer: locPtr(fileRel, n),
-          reason: "success UI signal"
-        });
-      }
-    }
-  });
-
-  // 3) auth-ish keyword scan (cheap but effective)
-  const lines = code.split(/\r?\n/);
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    if (AUTH_HINTS.some((rx) => rx.test(line))) {
-      pushClaim(out, {
-        type: CLAIM_TYPES.AUTH,
-        value: line.trim().slice(0, 140),
-        criticality: CRITICALITY.HARD,
-        pointer: `${fileRel}:${i + 1}-${i + 1}`,
-        reason: "auth/role/scope hint"
-      });
-    }
-    if (SUCCESS_UI.some((rx) => rx.test(line))) {
-      pushClaim(out, {
-        type: CLAIM_TYPES.UI_SUCCESS,
-        value: line.trim().slice(0, 140),
-        criticality: CRITICALITY.SOFT,
-        pointer: `${fileRel}:${i + 1}-${i + 1}`,
-        reason: "success UI hint"
-      });
-    }
-  }
-
-  delete out._dedupe;
-  return out;
-}
-
-function extractClaims({ repoRoot, changedFilesAbs }) {
-  const files = changedFilesAbs.filter((f) => fs.existsSync(f));
-  const perFile = files.map((fileAbs) => extractClaimsFromFile({ repoRoot, fileAbs }));
-
-  // Flatten + dedupe across files
-  const dedupe = new Set();
-  const claims = [];
-  for (const f of perFile) {
-    for (const c of f.claims) {
-      const k = `${c.type}|${c.value}`;
-      if (!dedupe.has(k)) {
-        dedupe.add(k);
-        claims.push({ ...c, file: f.fileRel, domain: f.domain });
-      }
-    }
-  }
-
-  return { claims, perFile };
-}
-
-module.exports = { extractClaims, extractClaimsFromFile };

package/bin/runners/lib/agent-firewall/claims/patterns.js

@@ -1,24 +0,0 @@
-/**
- * Claim Patterns
- * 
- * Regex patterns for detecting claims in code.
- */
-
-const ROUTE_LIKE = [
-  /\/api\/[a-zA-Z0-9_\/\-]+/g,
-  /\/health\/[a-zA-Z0-9_\/\-]+/g
-];
-
-const AUTH_HINTS = [
-  /\b(admin|owner|staff|superadmin|root)\b/i,
-  /\b(role|roles|scope|scopes|permission|permissions)\b/i,
-  /\b(auth|authorize|authorization|requireAuth|requireRole|rbac)\b/i
-];
-
-const SUCCESS_UI = [
-  /\b(success|saved|updated|complete|done)\b/i,
-  /\btoast\.(success|info)\b/i,
-  /\benqueueSnackbar\b/i
-];
-
-module.exports = { ROUTE_LIKE, AUTH_HINTS, SUCCESS_UI };

package/bin/runners/lib/agent-firewall/critic/index.js

@@ -1,151 +0,0 @@
-/**
- * Critic Module
- * 
- * Entry point for the Critic LLM judge.
- * The "savage" that evaluates proposal quality.
- * 
- * Usage:
- *   const { critic } = require('./critic');
- *   
- *   // Configure with LLM client
- *   critic.setClient(async (params) => {
- *     return await callOpenAI(params);
- *   });
- *   
- *   // Evaluate a proposal
- *   const verdict = await critic.evaluate({
- *     proposal,
- *     validationResults,
- *     riskScore,
- *     simulationResult,
- *     realityState,
- *   });
- */
-
-"use strict";
-
-const {
-  CriticJudge,
-  createJudge,
-  defaultJudge,
-} = require("./judge");
-
-const {
-  CRITIC_SYSTEM_PROMPT,
-  EVALUATION_PROMPT_TEMPLATE,
-  VAGUENESS_CHECK_PROMPT,
-  ASSUMPTION_VERIFICATION_PROMPT,
-  buildEvaluationPrompt,
-  buildVaguenessPrompt,
-  buildVerificationPrompt,
-  parseCriticResponse,
-} = require("./prompts");
-
-/**
- * Critic singleton interface
- */
-const critic = {
-  /**
-   * Set the LLM client for the default judge
-   * @param {Function} client - LLM client function
-   */
-  setClient(client) {
-    defaultJudge.setClient(client);
-  },
-  
-  /**
-   * Check if critic is available
-   * @returns {boolean} Is available
-   */
-  isAvailable() {
-    return defaultJudge.isAvailable();
-  },
-  
-  /**
-   * Evaluate a proposal
-   * @param {Object} params - Evaluation parameters
-   * @returns {Promise<Object>} Critic verdict
-   */
-  async evaluate(params) {
-    return defaultJudge.evaluate(params);
-  },
-  
-  /**
-   * Check for vagueness
-   * @param {Object} proposal - Proposal to check
-   * @returns {Promise<Object>} Vagueness analysis
-   */
-  async checkVagueness(proposal) {
-    return defaultJudge.checkVagueness(proposal);
-  },
-  
-  /**
-   * Verify assumptions
-   * @param {Array} assumptions - Assumptions to verify
-   * @param {Object} realityState - Repository state
-   * @returns {Promise<Object>} Verification results
-   */
-  async verifyAssumptions(assumptions, realityState) {
-    return defaultJudge.verifyAssumptions(assumptions, realityState);
-  },
-  
-  /**
-   * Create a new judge instance
-   * @param {Object} options - Configuration
-   * @returns {CriticJudge} New judge instance
-   */
-  createJudge(options) {
-    return createJudge(options);
-  },
-  
-  /**
-   * Get the system prompt
-   * @returns {string} System prompt
-   */
-  getSystemPrompt() {
-    return CRITIC_SYSTEM_PROMPT;
-  },
-  
-  /**
-   * Build an evaluation prompt
-   * @param {Object} data - Prompt data
-   * @returns {string} Filled prompt
-   */
-  buildPrompt(data) {
-    return buildEvaluationPrompt(data);
-  },
-  
-  /**
-   * Parse a critic response
-   * @param {string} response - LLM response
-   * @returns {Object} Parsed verdict
-   */
-  parseResponse(response) {
-    return parseCriticResponse(response);
-  },
-  
-  /**
-   * Quick rule-based evaluation (no LLM)
-   * @param {Object} params - Evaluation params
-   * @returns {Object} Verdict
-   */
-  quickEvaluate(params) {
-    return defaultJudge.ruleBasedEvaluation(params);
-  },
-};
-
-module.exports = {
-  critic,
-  CriticJudge,
-  createJudge,
-  defaultJudge,
-  // Prompt exports
-  CRITIC_SYSTEM_PROMPT,
-  EVALUATION_PROMPT_TEMPLATE,
-  VAGUENESS_CHECK_PROMPT,
-  ASSUMPTION_VERIFICATION_PROMPT,
-  buildEvaluationPrompt,
-  buildVaguenessPrompt,
-  buildVerificationPrompt,
-  parseCriticResponse,
-};