@vibecheckai/cli 3.4.0 → 3.5.1

package/bin/runners/lib/agent-firewall/evidence/route-evidence.js

@@ -1,213 +0,0 @@
-/**
- * Route Evidence Resolver
- * 
- * Resolves route claims against truthpack.routes.json
- * Checks for ghost routes (UI references route not registered).
- */
-
-"use strict";
-
-const { getRoutes } = require("../truthpack");
-const { canonicalizePath } = require("../../route-truth");
-const { shouldIgnore } = require("../utils/ignore-checker");
-
-/**
- * Resolve route claim evidence
- * @param {string} projectRoot - Project root directory
- * @param {object} claim - Route claim
- * @returns {object} Evidence result
- */
-function resolve(projectRoot, claim) {
-  // Skip checking routes from ignored files (test files, fixtures, etc.)
-  if (claim.pointer && shouldIgnore(projectRoot, claim.pointer.split(":")[0])) {
-    return {
-      result: "PROVEN",
-      sources: [{
-        type: "ignored",
-        pointer: claim.pointer,
-        confidence: 1.0
-      }],
-      reason: `Route from ignored file (test/fixture)`
-    };
-  }
-  
-  // Normalize route path from claim
-  const routePath = canonicalizePath(claim.value);
-  
-  // Skip external API calls (routes that don't start with /api/ in Next.js context)
-  // Routes like /content/blog, /content/faq are external backend API calls, not Next.js routes
-  // Only validate Next.js API routes (those in apps/web-ui/src/app/api/)
-  if (!routePath.startsWith('/api/')) {
-    return {
-      result: "PROVEN",
-      sources: [{
-        type: "external_api",
-        pointer: claim.pointer,
-        confidence: 1.0
-      }],
-      reason: `Route ${routePath} is an external API call, not a Next.js route`
-    };
-  }
-  
-  // Skip wildcard patterns from template literals (they're approximations)
-  // These are detected from fetch(`${url}/api/...`) and are not exact routes
-  if (routePath.includes('*') || routePath === '/api/*') {
-    return {
-      result: "PROVEN",
-      sources: [{
-        type: "pattern",
-        pointer: claim.pointer,
-        confidence: 0.8
-      }],
-      reason: `Route pattern ${routePath} is a template literal approximation, not an exact route`
-    };
-  }
-  
-  // Skip backend API routes (routes from template literals using apiUrl)
-  // These are calls to the backend API server, not Next.js API routes
-  if (claim.isBackendApi || (claim.reason && claim.reason.includes('backend API'))) {
-    return {
-      result: "PROVEN",
-      sources: [{
-        type: "backend_api",
-        pointer: claim.pointer,
-        confidence: 0.9
-      }],
-      reason: `Route ${routePath} is a backend API call (using apiUrl variable), not a Next.js route`
-    };
-  }
-  
-  // Skip routes that are clearly backend API routes (v1, v2, etc. are typically backend)
-  // Next.js API routes are usually simpler like /api/checkout, /api/health
-  if (routePath.match(/^\/api\/v\d+\//)) {
-    return {
-      result: "PROVEN",
-      sources: [{
-        type: "backend_api",
-        pointer: claim.pointer,
-        confidence: 0.85
-      }],
-      reason: `Route ${routePath} appears to be a backend API route (versioned), not a Next.js route`
-    };
-  }
-  
-  const routes = getRoutes(projectRoot);
-  
-  // Check if route exists in truthpack
-  if (routes && routes.length > 0) {
-    // First, check for exact match
-    const exactMatch = routes.find(route => {
-      const routePathNormalized = canonicalizePath(route.path || route);
-      return routePathNormalized === routePath;
-    });
-    
-    if (exactMatch) {
-      return {
-        result: "PROVEN",
-        sources: [{
-          type: "truthpack.routes",
-          pointer: claim.pointer,
-          confidence: 0.9
-        }],
-        reason: `Route ${routePath} found in truthpack (exact match)`
-      };
-    }
-    
-    // Then check parameterized routes - but be conservative
-    // Only match if it looks like a parameter value (numeric/UUID-like)
-    const paramMatch = routes.find(route => {
-      const routePathNormalized = canonicalizePath(route.path || route);
-      
-      if (!isParameterizedPath(routePathNormalized)) return false;
-      
-      const routeParts = routePathNormalized.split("/").filter(Boolean);
-      const claimParts = routePath.split("/").filter(Boolean);
-      
-      if (routeParts.length !== claimParts.length) return false;
-      
-      // Check if all non-parameter segments match exactly
-      for (let i = 0; i < routeParts.length; i++) {
-        const rSeg = routeParts[i];
-        const cSeg = claimParts[i];
-        
-        // If it's a parameter, check if the concrete value looks like a parameter
-        if (rSeg.startsWith(":")) {
-          // Only match if it looks like an ID (numeric or UUID-like)
-          // Don't match literal words like "create", "update", etc.
-          const looksLikeId = /^\d+$/.test(cSeg) || /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(cSeg);
-          if (!looksLikeId) return false;
-        } else if (rSeg !== cSeg) {
-          return false;
-        }
-      }
-      
-      return true;
-    });
-    
-    if (paramMatch) {
-      return {
-        result: "PROVEN",
-        sources: [{
-          type: "truthpack.routes",
-          pointer: claim.pointer,
-          confidence: 0.7
-        }],
-        reason: `Route ${routePath} matches parameterized route in truthpack`
-      };
-    }
-    
-    // No match found - ghost route
-    return {
-      result: "UNPROVEN",
-      sources: [],
-      reason: `Route ${routePath} not found in truthpack (ghost route)`
-    };
-  } else {
-    // No routes in truthpack - cannot prove
-    return {
-      result: "UNPROVEN",
-      sources: [],
-      reason: "No routes found in truthpack"
-    };
-  }
-}
-
-function isParameterizedPath(p) {
-  const s = String(p || "").trim();
-  return s.includes(":") || s.includes("*");
-}
-
-function matchPath(pattern, concrete) {
-  const pat = String(pattern || "").trim();
-  const con = String(concrete || "").trim();
-  
-  if (pat === con) return true;
-  
-  // Simple parameterized matching - only match if segments align
-  const patParts = pat.split("/").filter(Boolean);
-  const conParts = con.split("/").filter(Boolean);
-  
-  if (patParts.length !== conParts.length) return false;
-  
-  for (let i = 0; i < patParts.length; i++) {
-    const pSeg = patParts[i];
-    const cSeg = conParts[i];
-    
-    // Parameter placeholder (:id, :slug) matches any segment
-    if (pSeg.startsWith(":")) {
-      continue;
-    }
-    // Wildcard (*slug) matches remainder
-    if (pSeg.startsWith("*")) {
-      return true;
-    }
-    // Exact match required for literal segments
-    if (pSeg !== cSeg) return false;
-  }
-  
-  return true;
-}
-
-module.exports = {
-  resolve
-};

package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js

@@ -1,145 +0,0 @@
-/**
- * Side Effect Evidence Resolver
- * 
- * Detects unverified side effects (DB writes, email, payments).
- * Checks for test coverage or reality proof.
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-
-/**
- * Resolve side effect claim evidence
- * @param {string} projectRoot - Project root directory
- * @param {object} claim - Side effect claim
- * @returns {object} Evidence result
- */
-function resolve(projectRoot, claim) {
-  const claimFile = claim.file || "";
-  const claimValue = claim.value.toLowerCase();
-  
-  // Detect side effect types
-  const hasDbWrite = /\b(create|update|delete|insert|save|write)\b/i.test(claimValue) ||
-                     /\b(prisma|sequelize|mongoose|db\.|database\.)\b/i.test(claimValue);
-  
-  const hasEmail = /\b(email|sendMail|nodemailer|sendgrid|mailgun)\b/i.test(claimValue);
-  
-  const hasPayment = /\b(stripe|payment|charge|checkout|billing)\b/i.test(claimValue);
-  
-  if (!hasDbWrite && !hasEmail && !hasPayment) {
-    // Not a side effect
-    return {
-      result: "PROVEN",
-      sources: [],
-      reason: "No side effect detected"
-    };
-  }
-  
-  // Check for test coverage
-  const testFile = findTestFile(projectRoot, claimFile);
-  if (testFile && fs.existsSync(testFile)) {
-    const testContent = fs.readFileSync(testFile, "utf8");
-    // Check if test covers the side effect
-    if (testContent.includes(claimValue.slice(0, 20)) || 
-        testContent.includes("mock") || 
-        testContent.includes("test")) {
-      return {
-        result: "PROVEN",
-        sources: [{
-          type: "repo.search",
-          pointer: testFile,
-          confidence: 0.7
-        }],
-        reason: "Test file found for side effect"
-      };
-    }
-  }
-  
-  // Check for reality proof (reality report)
-  const realityReport = findRealityReport(projectRoot, claimFile);
-  if (realityReport) {
-    return {
-      result: "PROVEN",
-      sources: [{
-        type: "repo.search",
-        pointer: realityReport,
-        confidence: 0.8
-      }],
-      reason: "Reality proof found for side effect"
-    };
-  }
-  
-  // Side effect detected but no verification found
-  return {
-    result: "UNPROVEN",
-    sources: [],
-    reason: `Side effect detected (${hasDbWrite ? 'DB' : ''}${hasEmail ? 'Email' : ''}${hasPayment ? 'Payment' : ''}) but no test coverage or reality proof found`
-  };
-}
-
-/**
- * Find test file for a source file
- * @param {string} projectRoot - Project root directory
- * @param {string} sourceFile - Source file path
- * @returns {string|null} Test file path or null
- */
-function findTestFile(projectRoot, sourceFile) {
-  if (!sourceFile) return null;
-  
-  // Try common test file patterns
-  const baseName = path.basename(sourceFile, path.extname(sourceFile));
-  const dir = path.dirname(sourceFile);
-  
-  const patterns = [
-    `${dir}/${baseName}.test.ts`,
-    `${dir}/${baseName}.test.tsx`,
-    `${dir}/${baseName}.test.js`,
-    `${dir}/__tests__/${baseName}.test.ts`,
-    `${dir}/__tests__/${baseName}.test.tsx`,
-    `${dir.replace(/\/src\//, '/tests/')}/${baseName}.test.ts`
-  ];
-  
-  for (const pattern of patterns) {
-    const testPath = path.join(projectRoot, pattern);
-    if (fs.existsSync(testPath)) {
-      return pattern;
-    }
-  }
-  
-  return null;
-}
-
-/**
- * Find reality report for a file
- * @param {string} projectRoot - Project root directory
- * @param {string} sourceFile - Source file path
- * @returns {string|null} Reality report path or null
- */
-function findRealityReport(projectRoot, sourceFile) {
-  const realityDir = path.join(projectRoot, ".vibecheck", "reality");
-  
-  if (!fs.existsSync(realityDir)) {
-    return null;
-  }
-  
-  // Look for recent reality reports
-  const reports = fs.readdirSync(realityDir)
-    .filter(file => file.endsWith('.json'))
-    .map(file => path.join(realityDir, file))
-    .filter(file => {
-      try {
-        const report = JSON.parse(fs.readFileSync(file, "utf8"));
-        return report.files && report.files.includes(sourceFile);
-      } catch {
-        return false;
-      }
-    });
-  
-  return reports.length > 0 ? reports[0] : null;
-}
-
-module.exports = {
-  resolve
-};

package/bin/runners/lib/agent-firewall/fs-hook/daemon.js

@@ -1,19 +0,0 @@
-#!/usr/bin/env node
-/**
- * File System Hook Daemon
- * 
- * Runs as a background process to intercept file writes.
- * Start with: node bin/runners/lib/agent-firewall/fs-hook/daemon.js
- */
-
-const path = require("path");
-const { startFileSystemHook } = require("./installer");
-
-const projectRoot = process.cwd();
-
-console.log("🛡️  Starting Agent Firewall File System Hook...\n");
-console.log(`   Project: ${projectRoot}\n`);
-
-startFileSystemHook(projectRoot);
-
-console.log("✅ File System Hook running (press Ctrl+C to stop)\n");

package/bin/runners/lib/agent-firewall/fs-hook/installer.js

@@ -1,87 +0,0 @@
-/**
- * File System Hook Installer
- * 
- * Installs and manages the file system hook daemon.
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const { FileSystemHook } = require("./watcher");
-
-let globalHook = null;
-
-/**
- * Install file system hook
- * @param {string} projectRoot - Project root directory
- * @returns {object} Installation result
- */
-function installFileSystemHook(projectRoot) {
-  const hookScript = path.join(__dirname, "daemon.js");
-  const packageJson = path.join(projectRoot, "package.json");
-
-  // Add script to package.json
-  if (fs.existsSync(packageJson)) {
-    const pkg = JSON.parse(fs.readFileSync(packageJson, "utf8"));
-    if (!pkg.scripts) {
-      pkg.scripts = {};
-    }
-    pkg.scripts["firewall:fs-hook"] = `node ${path.relative(projectRoot, hookScript)}`;
-    fs.writeFileSync(packageJson, JSON.stringify(pkg, null, 2));
-  }
-
-  // Create marker file
-  const markerFile = path.join(projectRoot, ".vibecheck", "fs-hook-enabled");
-  fs.writeFileSync(markerFile, JSON.stringify({
-    enabled: true,
-    installedAt: new Date().toISOString()
-  }, null, 2));
-
-  return {
-    success: true,
-    message: "File system hook installed. Run 'npm run firewall:fs-hook' to start."
-  };
-}
-
-/**
- * Start file system hook daemon
- * @param {string} projectRoot - Project root directory
- */
-function startFileSystemHook(projectRoot) {
-  if (globalHook) {
-    console.log("⚠️  File system hook already running");
-    return;
-  }
-
-  globalHook = new FileSystemHook(projectRoot);
-  globalHook.start().catch(console.error);
-
-  // Keep process alive
-  process.on("SIGINT", () => {
-    if (globalHook) {
-      globalHook.stop();
-    }
-    process.exit(0);
-  });
-
-  // Keep alive
-  setInterval(() => {}, 1000);
-}
-
-/**
- * Stop file system hook
- */
-function stopFileSystemHook() {
-  if (globalHook) {
-    globalHook.stop();
-    globalHook = null;
-  }
-}
-
-module.exports = {
-  installFileSystemHook,
-  startFileSystemHook,
-  stopFileSystemHook,
-  FileSystemHook
-};

package/bin/runners/lib/agent-firewall/fs-hook/watcher.js

@@ -1,184 +0,0 @@
-/**
- * File System Hook - Intercepts ALL file writes at OS level
- * 
- * Uses chokidar to watch for file changes and intercepts them
- * before they're written to disk.
- */
-
-"use strict";
-
-const chokidar = require("chokidar");
-const fs = require("fs");
-const path = require("path");
-const { interceptFileWrite } = require("../interceptor/base");
-const { loadPolicy } = require("../policy/loader");
-
-class FileSystemHook {
-  constructor(projectRoot) {
-    this.projectRoot = projectRoot;
-    this.watcher = null;
-    this.pendingWrites = new Map(); // Track writes in progress
-    this.isEnabled = false;
-  }
-
-  /**
-   * Start watching for file writes
-   */
-  async start() {
-    if (this.watcher) {
-      return; // Already watching
-    }
-
-    const policy = loadPolicy(this.projectRoot);
-    if (policy.mode !== "enforce") {
-      console.log("⚠️  File system hook only active in enforce mode");
-      return;
-    }
-
-    this.isEnabled = true;
-
-    // Watch for file changes
-    this.watcher = chokidar.watch([
-      "**/*.ts",
-      "**/*.tsx",
-      "**/*.js",
-      "**/*.jsx",
-      "**/*.py",
-      "**/*.go",
-      "**/*.rs"
-    ], {
-      cwd: this.projectRoot,
-      ignored: [
-        "**/node_modules/**",
-        "**/dist/**",
-        "**/.next/**",
-        "**/.vibecheck/**",
-        "**/.git/**",
-        "**/build/**"
-      ],
-      persistent: true,
-      ignoreInitial: true,
-      awaitWriteFinish: {
-        stabilityThreshold: 100,
-        pollInterval: 50
-      }
-    });
-
-    // Intercept file writes
-    this.watcher.on("add", (filePath) => this.handleFileWrite(filePath, "create"));
-    this.watcher.on("change", (filePath) => this.handleFileWrite(filePath, "modify"));
-
-    console.log("🛡️  File System Hook ACTIVE - intercepting all file writes");
-  }
-
-  /**
-   * Handle file write event
-   */
-  async handleFileWrite(filePath, operation) {
-    // Skip if we're already processing this file
-    if (this.pendingWrites.has(filePath)) {
-      return;
-    }
-
-    this.pendingWrites.set(filePath, true);
-
-    try {
-      // Read the new content
-      const fileAbs = path.join(this.projectRoot, filePath);
-      if (!fs.existsSync(fileAbs)) {
-        this.pendingWrites.delete(filePath);
-        return;
-      }
-
-      const newContent = fs.readFileSync(fileAbs, "utf8");
-
-      // Try to get old content from git or backup
-      let oldContent = null;
-      try {
-        // Check if file existed before (for modifications)
-        if (operation === "modify") {
-          // Try to read from git index
-          const { execSync } = require("child_process");
-          try {
-            oldContent = execSync(
-              `git show :${filePath}`,
-              { cwd: this.projectRoot, encoding: "utf8", stdio: "pipe" }
-            );
-          } catch {
-            // File not in git, that's okay
-          }
-        }
-      } catch {
-        // Couldn't get old content, that's okay
-      }
-
-      // Intercept the write
-      const result = await interceptFileWrite({
-        projectRoot: this.projectRoot,
-        agentId: "filesystem-hook",
-        intent: `File ${operation} via filesystem`,
-        filePath: filePath,
-        content: newContent,
-        oldContent: oldContent
-      });
-
-      const policy = loadPolicy(this.projectRoot);
-
-      // If blocked and in enforce mode, revert the file
-      if (!result.allowed && policy.mode === "enforce") {
-        console.error(`\n❌ BLOCKED: ${filePath}`);
-        console.error(`   ${result.message}`);
-
-        if (result.violations) {
-          result.violations.forEach(v => {
-            console.error(`   - ${v.rule}: ${v.message}`);
-          });
-        }
-
-        // Revert the file
-        if (oldContent !== null) {
-          fs.writeFileSync(fileAbs, oldContent, "utf8");
-          console.error(`   ✅ File reverted to previous version\n`);
-        } else {
-          // Delete the file if it was newly created
-          fs.unlinkSync(fileAbs);
-          console.error(`   ✅ File deleted (was newly created)\n`);
-        }
-
-        // Show unblock plan
-        if (result.unblockPlan && result.unblockPlan.steps.length > 0) {
-          console.error("   To fix:");
-          result.unblockPlan.steps.forEach((step, i) => {
-            console.error(`     ${i + 1}. ${step.action}: ${step.description}`);
-          });
-          console.error("");
-        }
-      } else if (result.allowed || policy.mode === "observe") {
-        // Log in observe mode
-        if (policy.mode === "observe" && result.violations && result.violations.length > 0) {
-          console.log(`📊 OBSERVE: ${filePath} - violations logged (not blocked)`);
-        }
-      }
-    } catch (error) {
-      console.error(`Error intercepting file write: ${error.message}`);
-    } finally {
-      this.pendingWrites.delete(filePath);
-    }
-  }
-
-  /**
-   * Stop watching
-   */
-  stop() {
-    if (this.watcher) {
-      this.watcher.close();
-      this.watcher = null;
-      this.isEnabled = false;
-      console.log("🛡️  File System Hook stopped");
-    }
-  }
-}
-
-module.exports = {
-  FileSystemHook
-};