@vibecheckai/cli 3.4.0 → 3.5.1

package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js

@@ -1,86 +0,0 @@
-/**
- * Fake Success UI Rule
- * 
- * Warns/blocks if UI shows success without mutation.
- */
-
-"use strict";
-
-const { CLAIM_TYPES } = require("../../claims/claim-types");
-
-/**
- * Evaluate fake success UI rule
- * @param {object} params
- * @param {array} params.claims - Extracted claims
- * @param {array} params.evidence - Evidence resolution results
- * @param {object} params.policy - Policy configuration
- * @returns {object|null} Violation or null
- */
-function evaluate({ claims, evidence, policy }) {
-  const ruleConfig = policy.rules?.fake_success_ui;
-  
-  if (!ruleConfig || !ruleConfig.enabled) {
-    return null;
-  }
-  
-  // Find UI success claims
-  const successClaims = claims.filter(c => c.type === CLAIM_TYPES.UI_SUCCESS);
-  
-  if (successClaims.length === 0) {
-    return null;
-  }
-  
-  // Filter out false positives: if there's an HTTP call in the same file, it's likely a response check
-  const realSuccessClaims = successClaims.filter(claim => {
-    const claimFile = claim.pointer ? claim.pointer.split(":")[0] : "";
-    if (!claimFile) return true;
-    
-    // Check if there's an HTTP call in the same file (within reasonable distance)
-    const claimLine = claim.pointer ? parseInt(claim.pointer.split(":")[1]?.split("-")[0] || "0", 10) : 0;
-    const hasNearbyHttpCall = claims.some(c => {
-      if (c.type !== CLAIM_TYPES.HTTP_CALL && c.type !== CLAIM_TYPES.ROUTE) return false;
-      const cFile = c.pointer ? c.pointer.split(":")[0] : "";
-      if (cFile !== claimFile) return false;
-      const cLine = c.pointer ? parseInt(c.pointer.split(":")[1]?.split("-")[0] || "0", 10) : 0;
-      // Within 50 lines is considered "nearby"
-      return Math.abs(cLine - claimLine) <= 50;
-    });
-    
-    // If there's a nearby HTTP call, this is likely checking the response, not showing UI
-    // Only flag if there's NO HTTP call nearby
-    return !hasNearbyHttpCall;
-  });
-  
-  if (realSuccessClaims.length === 0) {
-    return null; // All were false positives (likely API response checks)
-  }
-  
-  // Check if there's a corresponding HTTP call or side effect globally
-  const hasHttpCall = claims.some(c => 
-    c.type === CLAIM_TYPES.HTTP_CALL || c.type === CLAIM_TYPES.ROUTE
-  );
-  
-  const hasSideEffect = claims.some(c => c.type === CLAIM_TYPES.SIDE_EFFECT);
-  
-  if (!hasHttpCall && !hasSideEffect) {
-    // Check if domain requires blocking
-    const blockDomains = ruleConfig.block_if_domain || [];
-    const fileDomain = realSuccessClaims[0].domain || "general";
-    
-    const shouldBlock = blockDomains.includes(fileDomain);
-    
-    return {
-      rule: "fake_success_ui",
-      severity: shouldBlock ? "block" : (ruleConfig.severity || "warn"),
-      message: `Fake success UI: Success message shown but no HTTP call or side effect detected`,
-      claimId: `claim_${claims.indexOf(realSuccessClaims[0])}`,
-      claim: realSuccessClaims[0]
-    };
-  }
-  
-  return null;
-}
-
-module.exports = {
-  evaluate
-};

package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js

@@ -1,162 +0,0 @@
-/**
- * Ghost Env Rule
- * 
- * Blocks if process.env.X used but not declared.
- * Includes smart whitelisting to reduce false positives.
- */
-
-"use strict";
-
-const { CLAIM_TYPES } = require("../../claims/claim-types");
-
-/**
- * Common environment variables that are safe to use without explicit declaration.
- * These are well-known Node.js, Next.js, and common deployment platform vars.
- */
-const SAFE_ENV_VARS = new Set([
-  // Node.js core
-  "NODE_ENV",
-  "NODE_OPTIONS",
-  "NODE_PATH",
-  "NODE_DEBUG",
-  
-  // Next.js / React
-  "NEXT_PUBLIC_",      // Prefix pattern
-  "REACT_APP_",        // Prefix pattern
-  "VERCEL",
-  "VERCEL_ENV",
-  "VERCEL_URL",
-  "NEXT_RUNTIME",
-  
-  // Common deployment
-  "PORT",
-  "HOST",
-  "HOSTNAME",
-  "CI",
-  "DEBUG",
-  "LOG_LEVEL",
-  "TZ",
-  "LANG",
-  "HOME",
-  "USER",
-  "PATH",
-  "PWD",
-  "SHELL",
-  "TERM",
-  
-  // Testing
-  "TEST",
-  "JEST_WORKER_ID",
-  "VITEST",
-  
-  // Build tools
-  "npm_package_name",
-  "npm_package_version",
-  "npm_lifecycle_event",
-]);
-
-/**
- * Prefix patterns that are safe
- */
-const SAFE_ENV_PREFIXES = [
-  "NEXT_PUBLIC_",
-  "REACT_APP_",
-  "VITE_",
-  "npm_",
-  "GITHUB_",
-  "CI_",
-  "VERCEL_",
-  "RAILWAY_",
-  "RENDER_",
-  "HEROKU_",
-  "AWS_",
-];
-
-/**
- * Check if an env var is in the safe list
- * @param {string} varName - Environment variable name
- * @returns {boolean} Is safe
- */
-function isSafeEnvVar(varName) {
-  if (!varName || typeof varName !== 'string') return false;
-  
-  const normalized = varName.toUpperCase();
-  
-  // Direct match
-  if (SAFE_ENV_VARS.has(normalized)) return true;
-  
-  // Prefix match
-  for (const prefix of SAFE_ENV_PREFIXES) {
-    if (normalized.startsWith(prefix)) return true;
-  }
-  
-  return false;
-}
-
-/**
- * Evaluate ghost env rule
- * @param {object} params
- * @param {array} params.claims - Extracted claims
- * @param {array} params.evidence - Evidence resolution results
- * @param {object} params.policy - Policy configuration
- * @returns {object|null} Violation or null
- */
-function evaluate({ claims, evidence, policy }) {
-  const ruleConfig = policy.rules?.ghost_env;
-  
-  if (!ruleConfig || !ruleConfig.enabled) {
-    return null;
-  }
-  
-  // Get custom whitelist from policy
-  const customWhitelist = new Set(ruleConfig.whitelist || []);
-  
-  // Find env claims with UNPROVEN evidence
-  for (let i = 0; i < claims.length; i++) {
-    const claim = claims[i];
-    
-    if (claim.type === CLAIM_TYPES.ENV) {
-      const ev = evidence.find(e => e.claimId === `claim_${i}`);
-      
-      if (ev && ev.result === "UNPROVEN") {
-        const envVar = String(claim.value || claim.key || "");
-        
-        // Skip if it's a known safe env var
-        if (isSafeEnvVar(envVar)) {
-          continue;
-        }
-        
-        // Skip if in custom whitelist
-        if (customWhitelist.has(envVar)) {
-          continue;
-        }
-        
-        // Skip if it's a fallback pattern (e.g., process.env.X || 'default')
-        if (claim.hasFallback) {
-          // Downgrade to warning instead of block
-          return {
-            rule: "ghost_env",
-            severity: "warn",
-            message: `Env var ${envVar} is used with fallback but not declared`,
-            claimId: `claim_${i}`,
-            claim
-          };
-        }
-        
-        return {
-          rule: "ghost_env",
-          severity: ruleConfig.severity || "block",
-          message: `Ghost env var: ${envVar} is used but not declared`,
-          claimId: `claim_${i}`,
-          claim
-        };
-      }
-    }
-  }
-  
-  return null;
-}
-
-module.exports = {
-  evaluate
-};

package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js

@@ -1,189 +0,0 @@
-/**
- * Ghost Route Rule
- * 
- * Blocks if UI references route not registered in truthpack.
- * Includes smart detection of external APIs and common patterns.
- */
-
-"use strict";
-
-const { CLAIM_TYPES } = require("../../claims/claim-types");
-
-/**
- * Patterns that indicate an external API (not a local route)
- */
-const EXTERNAL_API_PATTERNS = [
-  // Full URLs
-  /^https?:\/\//i,
-  /^\/\/[a-z]/i,
-  
-  // Common external API domains
-  /api\.github\.com/i,
-  /api\.stripe\.com/i,
-  /api\.openai\.com/i,
-  /api\.anthropic\.com/i,
-  /api\.twilio\.com/i,
-  /api\.sendgrid\.com/i,
-  /graph\.facebook\.com/i,
-  /api\.twitter\.com/i,
-  /googleapis\.com/i,
-  /aws\.amazon\.com/i,
-  /cloudflare\.com/i,
-  /api\.clerk\.dev/i,
-  /api\.auth0\.com/i,
-  /api\.supabase\.co/i,
-  /api\.vercel\.app/i,
-  
-  // GraphQL endpoints
-  /graphql/i,
-  
-  // Webhook patterns
-  /webhook/i,
-  /hook\//i,
-];
-
-/**
- * Path patterns that are safe to skip (dynamic or template)
- */
-const SAFE_ROUTE_PATTERNS = [
-  // Dynamic segments
-  /\$\{/,                    // Template literals
-  /\[.*\]/,                  // Dynamic route segments [id]
-  /:\w+/,                    // URL params :id
-  /\{\{.*\}\}/,              // Template syntax
-  
-  // Hash-only routes
-  /^#/,
-  
-  // Query-only
-  /^\?/,
-  
-  // Empty or undefined
-  /^undefined$/i,
-  /^null$/i,
-];
-
-/**
- * Check if a route is external
- * @param {string} route - Route path
- * @returns {boolean} Is external
- */
-function isExternalRoute(route) {
-  if (!route || typeof route !== 'string') return true;
-  
-  const trimmed = route.trim();
-  
-  // Check external patterns
-  for (const pattern of EXTERNAL_API_PATTERNS) {
-    if (pattern.test(trimmed)) return true;
-  }
-  
-  return false;
-}
-
-/**
- * Check if a route should be skipped
- * @param {string} route - Route path
- * @returns {boolean} Should skip
- */
-function shouldSkipRoute(route) {
-  if (!route || typeof route !== 'string') return true;
-  
-  const trimmed = route.trim();
-  
-  // Skip empty routes
-  if (trimmed.length === 0) return true;
-  
-  // Check safe patterns
-  for (const pattern of SAFE_ROUTE_PATTERNS) {
-    if (pattern.test(trimmed)) return true;
-  }
-  
-  return false;
-}
-
-/**
- * Check if route is a local API route
- * @param {string} route - Route path
- * @returns {boolean} Is local API
- */
-function isLocalApiRoute(route) {
-  if (!route || typeof route !== 'string') return false;
-  
-  const trimmed = route.trim().toLowerCase();
-  
-  // Must start with /api/ to be a local Next.js API route
-  return trimmed.startsWith('/api/');
-}
-
-/**
- * Evaluate ghost route rule
- * @param {object} params
- * @param {array} params.claims - Extracted claims
- * @param {array} params.evidence - Evidence resolution results
- * @param {object} params.policy - Policy configuration
- * @returns {object|null} Violation or null
- */
-function evaluate({ claims, evidence, policy }) {
-  const ruleConfig = policy.rules?.ghost_route;
-  
-  if (!ruleConfig || !ruleConfig.enabled) {
-    return null;
-  }
-  
-  // Get custom whitelist from policy
-  const customWhitelist = new Set(ruleConfig.whitelist || []);
-  
-  // Find route claims with UNPROVEN evidence
-  for (let i = 0; i < claims.length; i++) {
-    const claim = claims[i];
-    
-    if (claim.type === CLAIM_TYPES.ROUTE || claim.type === CLAIM_TYPES.HTTP_CALL) {
-      const ev = evidence.find(e => e.claimId === `claim_${i}`);
-      
-      // Skip if evidence shows it's already proven
-      if (ev && ev.result === "PROVEN") {
-        continue;
-      }
-      
-      if (ev && ev.result === "UNPROVEN") {
-        const routePath = String(claim.value || "").trim();
-        
-        // Skip dynamic or template routes
-        if (shouldSkipRoute(routePath)) {
-          continue;
-        }
-        
-        // Skip external API calls
-        if (isExternalRoute(routePath)) {
-          continue;
-        }
-        
-        // Only flag local API routes
-        if (!isLocalApiRoute(routePath)) {
-          // Not a local API route - could be page navigation, skip
-          continue;
-        }
-        
-        // Skip if in custom whitelist
-        if (customWhitelist.has(routePath)) {
-          continue;
-        }
-        
-        return {
-          rule: "ghost_route",
-          severity: ruleConfig.severity || "block",
-          message: `Ghost route: ${routePath} is referenced but not registered in truthpack`,
-          claimId: `claim_${i}`,
-          claim
-        };
-      }
-    }
-  }
-  
-  return null;
-}
-
-module.exports = {
-  evaluate
-};

package/bin/runners/lib/agent-firewall/policy/rules/scope.js

@@ -1,93 +0,0 @@
-/**
- * Scope Explosion Rule
- * 
- * Blocks if too many files touched.
- */
-
-"use strict";
-
-/**
- * Evaluate scope explosion rule
- * @param {object} params
- * @param {array} params.files - Changed files
- * @param {string} params.intent - Agent intent message
- * @param {object} params.policy - Policy configuration
- * @returns {object|null} Violation or null
- */
-function evaluate({ files, intent, policy }) {
-  const ruleConfig = policy.rules?.scope_explosion;
-  
-  if (!ruleConfig || !ruleConfig.enabled) {
-    return null;
-  }
-  
-  const scope = policy.scope || {};
-  const maxFiles = scope.max_files_touched || 10;
-  const maxLines = scope.max_lines_changed || 600;
-  const requireIntent = scope.require_intent_for_expand_scope || false;
-  
-  const totalFiles = files.length;
-  const totalLines = files.reduce((sum, f) => sum + (f.linesChanged || 0), 0);
-  
-  // Check file count
-  if (totalFiles > maxFiles) {
-    const hasIntent = intent && intent.trim().length > 0;
-    
-    if (requireIntent && !hasIntent) {
-      return {
-        rule: "scope_explosion",
-        severity: ruleConfig.severity || "block",
-        message: `Scope explosion: ${totalFiles} files touched (max: ${maxFiles}). Intent required for scope expansion.`,
-        metadata: {
-          totalFiles,
-          maxFiles,
-          hasIntent
-        }
-      };
-    } else if (!requireIntent) {
-      return {
-        rule: "scope_explosion",
-        severity: ruleConfig.severity || "block",
-        message: `Scope explosion: ${totalFiles} files touched (max: ${maxFiles})`,
-        metadata: {
-          totalFiles,
-          maxFiles
-        }
-      };
-    }
-  }
-  
-  // Check line count
-  if (totalLines > maxLines) {
-    const hasIntent = intent && intent.trim().length > 0;
-    
-    if (requireIntent && !hasIntent) {
-      return {
-        rule: "scope_explosion",
-        severity: ruleConfig.severity || "block",
-        message: `Scope explosion: ${totalLines} lines changed (max: ${maxLines}). Intent required for scope expansion.`,
-        metadata: {
-          totalLines,
-          maxLines,
-          hasIntent
-        }
-      };
-    } else if (!requireIntent) {
-      return {
-        rule: "scope_explosion",
-        severity: ruleConfig.severity || "block",
-        message: `Scope explosion: ${totalLines} lines changed (max: ${maxLines})`,
-        metadata: {
-          totalLines,
-          maxLines
-        }
-      };
-    }
-  }
-  
-  return null;
-}
-
-module.exports = {
-  evaluate
-};

package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js

@@ -1,57 +0,0 @@
-/**
- * Unsafe Side Effect Rule
- * 
- * Blocks unverified side effects.
- */
-
-"use strict";
-
-const { CLAIM_TYPES } = require("../../claims/claim-types");
-
-/**
- * Evaluate unsafe side effect rule
- * @param {object} params
- * @param {array} params.claims - Extracted claims
- * @param {array} params.evidence - Evidence resolution results
- * @param {object} params.policy - Policy configuration
- * @returns {object|null} Violation or null
- */
-function evaluate({ claims, evidence, policy }) {
-  const ruleConfig = policy.rules?.unsafe_side_effect;
-  
-  if (!ruleConfig || !ruleConfig.enabled) {
-    return null;
-  }
-  
-  const verification = policy.verification || {};
-  const requireForDomains = verification.require_for_domains || [];
-  
-  // Find side effect claims
-  for (let i = 0; i < claims.length; i++) {
-    const claim = claims[i];
-    
-    if (claim.type === CLAIM_TYPES.SIDE_EFFECT) {
-      const ev = evidence.find(e => e.claimId === `claim_${i}`);
-      
-      // Check if domain requires verification
-      const claimDomain = claim.domain || "general";
-      const requiresVerification = requireForDomains.includes(claimDomain);
-      
-      if (requiresVerification && ev && ev.result === "UNPROVEN") {
-        return {
-          rule: "unsafe_side_effect",
-          severity: ruleConfig.severity || "block",
-          message: `Unsafe side effect: ${claim.value} requires verification (test coverage or reality proof)`,
-          claimId: `claim_${i}`,
-          claim
-        };
-      }
-    }
-  }
-  
-  return null;
-}
-
-module.exports = {
-  evaluate
-};