@vibecheckai/cli 3.4.0 → 3.5.1

package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js

@@ -1,661 +0,0 @@
-/**
- * Time Machine Incident Correlator
- * 
- * Links incidents to their causal chain.
- * Finds the "first bad change" that led to problems.
- * 
- * Codename: Time Machine
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-
-/**
- * @typedef {Object} Incident
- * @property {string} id - Incident ID
- * @property {string} title - Incident title
- * @property {string} description - Incident description
- * @property {Date} reportedAt - When reported
- * @property {string} severity - Incident severity
- * @property {string[]} affectedFiles - Files affected
- * @property {string[]} affectedServices - Services affected
- * @property {string} status - open, investigating, resolved
- */
-
-/**
- * @typedef {Object} CausalLink
- * @property {string} fromEvent - Source event ID
- * @property {string} toEvent - Target event ID
- * @property {string} relationship - Type of causal relationship
- * @property {number} confidence - Confidence score (0-1)
- * @property {string[]} evidence - Evidence supporting the link
- */
-
-/**
- * @typedef {Object} IncidentReport
- * @property {Incident} incident - The incident
- * @property {Object[]} causalChain - Chain of events leading to incident
- * @property {Object} rootCause - Identified root cause
- * @property {Object[]} contributingFactors - Other contributing events
- * @property {Object} recommendations - Recommendations to prevent recurrence
- * @property {Date} generatedAt - When report was generated
- */
-
-/**
- * Relationship types for causal links
- */
-const RELATIONSHIP_TYPES = {
-  DIRECT_CAUSE: "direct_cause",       // A directly caused B
-  CONTRIBUTING: "contributing",        // A contributed to B
-  CORRELATING: "correlating",          // A and B happened together
-  OVERRIDE_LED_TO: "override_led_to",  // Override led to issue
-  HIGH_RISK_CHANGE: "high_risk_change", // High risk change preceded issue
-};
-
-/**
- * Incident Correlator class
- */
-class IncidentCorrelator {
-  constructor(options = {}) {
-    this.projectRoot = options.projectRoot || process.cwd();
-    this.incidentsDir = path.join(this.projectRoot, ".vibecheck", "incidents");
-    this.packetsDir = path.join(this.projectRoot, ".vibecheck", "packets");
-    this.auditDir = path.join(this.projectRoot, ".vibecheck", "audit");
-    
-    // Correlation settings
-    this.lookbackWindow = options.lookbackWindow || 24 * 60 * 60 * 1000; // 24 hours
-    this.minConfidence = options.minConfidence || 0.5;
-  }
-  
-  /**
-   * Record a new incident
-   * @param {Object} incidentData - Incident data
-   * @returns {Incident} Created incident
-   */
-  recordIncident(incidentData) {
-    const incident = {
-      id: incidentData.id || `INC-${Date.now()}-${Math.random().toString(36).slice(2, 6).toUpperCase()}`,
-      title: incidentData.title || "Unnamed incident",
-      description: incidentData.description || "",
-      reportedAt: new Date().toISOString(),
-      severity: incidentData.severity || "medium",
-      affectedFiles: incidentData.affectedFiles || [],
-      affectedServices: incidentData.affectedServices || [],
-      status: "open",
-      metadata: incidentData.metadata || {},
-    };
-    
-    // Save incident
-    this.saveIncident(incident);
-    
-    return incident;
-  }
-  
-  /**
-   * Save an incident to disk
-   * @param {Incident} incident - Incident to save
-   */
-  saveIncident(incident) {
-    if (!fs.existsSync(this.incidentsDir)) {
-      fs.mkdirSync(this.incidentsDir, { recursive: true });
-    }
-    
-    // Save as individual file
-    fs.writeFileSync(
-      path.join(this.incidentsDir, `${incident.id}.json`),
-      JSON.stringify(incident, null, 2)
-    );
-    
-    // Also append to incidents log
-    const logPath = path.join(this.incidentsDir, "incidents.jsonl");
-    fs.appendFileSync(logPath, JSON.stringify(incident) + "\n");
-  }
-  
-  /**
-   * Load an incident by ID
-   * @param {string} incidentId - Incident ID
-   * @returns {Incident|null} Incident or null
-   */
-  loadIncident(incidentId) {
-    const incidentPath = path.join(this.incidentsDir, `${incidentId}.json`);
-    
-    if (fs.existsSync(incidentPath)) {
-      try {
-        return JSON.parse(fs.readFileSync(incidentPath, "utf-8"));
-      } catch {
-        return null;
-      }
-    }
-    
-    return null;
-  }
-  
-  /**
-   * Correlate an incident with firewall events
-   * @param {string} incidentId - Incident ID
-   * @param {Object} options - Correlation options
-   * @returns {IncidentReport} Incident report
-   */
-  async correlateIncident(incidentId, options = {}) {
-    const incident = this.loadIncident(incidentId);
-    if (!incident) {
-      throw new Error(`Incident ${incidentId} not found`);
-    }
-    
-    const lookback = options.lookbackWindow || this.lookbackWindow;
-    const incidentTime = new Date(incident.reportedAt);
-    const lookbackTime = new Date(incidentTime.getTime() - lookback);
-    
-    // Load events in the lookback window
-    const events = await this.loadEventsInWindow(lookbackTime, incidentTime);
-    
-    // Filter to events affecting the same files/services
-    const relevantEvents = this.filterRelevantEvents(events, incident);
-    
-    // Build causal chain
-    const causalChain = this.buildCausalChain(relevantEvents, incident);
-    
-    // Identify root cause
-    const rootCause = this.identifyRootCause(causalChain, relevantEvents);
-    
-    // Find contributing factors
-    const contributingFactors = this.findContributingFactors(relevantEvents, rootCause);
-    
-    // Generate recommendations
-    const recommendations = this.generateRecommendations(incident, rootCause, contributingFactors);
-    
-    const report = {
-      incident,
-      causalChain,
-      rootCause,
-      contributingFactors,
-      recommendations,
-      eventsAnalyzed: events.length,
-      relevantEvents: relevantEvents.length,
-      generatedAt: new Date().toISOString(),
-    };
-    
-    // Save report
-    this.saveReport(incidentId, report);
-    
-    return report;
-  }
-  
-  /**
-   * Load events in a time window
-   * @param {Date} start - Start time
-   * @param {Date} end - End time
-   * @returns {Object[]} Events
-   */
-  async loadEventsInWindow(start, end) {
-    const events = [];
-    
-    // Load from firewall audit
-    const firewallLog = path.join(this.auditDir, "firewall-events.jsonl");
-    if (fs.existsSync(firewallLog)) {
-      const content = fs.readFileSync(firewallLog, "utf-8");
-      const lines = content.trim().split("\n").filter(l => l);
-      
-      for (const line of lines) {
-        try {
-          const event = JSON.parse(line);
-          const eventTime = new Date(event.timestamp);
-          
-          if (eventTime >= start && eventTime <= end) {
-            events.push({
-              ...event,
-              source: "firewall",
-            });
-          }
-        } catch {
-          // Skip invalid lines
-        }
-      }
-    }
-    
-    // Load from change packets
-    if (fs.existsSync(this.packetsDir)) {
-      const packets = fs.readdirSync(this.packetsDir)
-        .filter(f => f.endsWith(".json"));
-      
-      for (const packetFile of packets) {
-        try {
-          const packet = JSON.parse(
-            fs.readFileSync(path.join(this.packetsDir, packetFile), "utf-8")
-          );
-          
-          const packetTime = new Date(packet.timestamp || packet.createdAt);
-          
-          if (packetTime >= start && packetTime <= end) {
-            events.push({
-              ...packet,
-              source: "packet",
-            });
-          }
-        } catch {
-          // Skip invalid packets
-        }
-      }
-    }
-    
-    // Sort by timestamp
-    events.sort((a, b) => 
-      new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
-    );
-    
-    return events;
-  }
-  
-  /**
-   * Filter events relevant to an incident
-   * @param {Object[]} events - All events
-   * @param {Incident} incident - The incident
-   * @returns {Object[]} Relevant events
-   */
-  filterRelevantEvents(events, incident) {
-    const affectedFiles = new Set(incident.affectedFiles || []);
-    const affectedServices = new Set(incident.affectedServices || []);
-    
-    return events.filter(event => {
-      // Check file match
-      const eventFiles = this.extractFilesFromEvent(event);
-      const hasFileMatch = eventFiles.some(f => {
-        for (const affected of affectedFiles) {
-          if (f.includes(affected) || affected.includes(f)) {
-            return true;
-          }
-        }
-        return false;
-      });
-      
-      if (hasFileMatch) return true;
-      
-      // Check service match
-      const eventServices = event.services || [];
-      const hasServiceMatch = eventServices.some(s => affectedServices.has(s));
-      
-      if (hasServiceMatch) return true;
-      
-      // Include high-risk events
-      if ((event.riskScore || 0) >= 70) return true;
-      
-      // Include overrides
-      if (event.overrideUsed || event.proof?.overrideUsed) return true;
-      
-      return false;
-    });
-  }
-  
-  /**
-   * Extract files from an event
-   * @param {Object} event - Event
-   * @returns {string[]} Files
-   */
-  extractFilesFromEvent(event) {
-    const files = [];
-    
-    if (event.file) files.push(event.file);
-    if (event.filePath) files.push(event.filePath);
-    
-    for (const op of event.operations || []) {
-      if (op.path) files.push(op.path);
-      if (op.file) files.push(op.file);
-    }
-    
-    return files;
-  }
-  
-  /**
-   * Build causal chain from events to incident
-   * @param {Object[]} events - Relevant events
-   * @param {Incident} incident - The incident
-   * @returns {CausalLink[]} Causal chain
-   */
-  buildCausalChain(events, incident) {
-    const chain = [];
-    
-    // Sort events by time (newest last)
-    const sorted = [...events].sort((a, b) =>
-      new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
-    );
-    
-    // Find events that could have caused the incident
-    for (const event of sorted) {
-      const confidence = this.calculateCausalConfidence(event, incident);
-      
-      if (confidence >= this.minConfidence) {
-        const link = {
-          fromEvent: event.id || event.changeId,
-          toEvent: incident.id,
-          relationship: this.determineRelationship(event, incident),
-          confidence,
-          evidence: this.gatherEvidence(event, incident),
-          timestamp: event.timestamp,
-        };
-        
-        chain.push(link);
-      }
-    }
-    
-    // Link events to each other in the chain
-    for (let i = 0; i < chain.length - 1; i++) {
-      // Check if earlier events caused later events
-      const earlier = events.find(e => e.id === chain[i].fromEvent);
-      const later = events.find(e => e.id === chain[i + 1].fromEvent);
-      
-      if (earlier && later && this.eventsCausally Related(earlier, later)) {
-        chain.splice(i + 1, 0, {
-          fromEvent: chain[i].fromEvent,
-          toEvent: chain[i + 1].fromEvent,
-          relationship: RELATIONSHIP_TYPES.CONTRIBUTING,
-          confidence: 0.6,
-          evidence: ["Events affected same files"],
-        });
-      }
-    }
-    
-    return chain;
-  }
-  
-  /**
-   * Check if two events are causally related
-   * @param {Object} earlier - Earlier event
-   * @param {Object} later - Later event
-   * @returns {boolean} Are related
-   */
-  eventsCausallyRelated(earlier, later) {
-    // Same file affected
-    const earlierFiles = new Set(this.extractFilesFromEvent(earlier));
-    const laterFiles = this.extractFilesFromEvent(later);
-    
-    return laterFiles.some(f => earlierFiles.has(f));
-  }
-  
-  /**
-   * Calculate confidence that event caused incident
-   * @param {Object} event - Event
-   * @param {Incident} incident - Incident
-   * @returns {number} Confidence score
-   */
-  calculateCausalConfidence(event, incident) {
-    let confidence = 0;
-    
-    // Override events are highly suspicious
-    if (event.overrideUsed || event.proof?.overrideUsed) {
-      confidence += 0.4;
-    }
-    
-    // High risk score
-    const riskScore = event.riskScore || event.proof?.riskScore || 0;
-    if (riskScore >= 70) {
-      confidence += 0.3;
-    } else if (riskScore >= 50) {
-      confidence += 0.2;
-    }
-    
-    // File match
-    const eventFiles = this.extractFilesFromEvent(event);
-    const hasFileMatch = eventFiles.some(f =>
-      incident.affectedFiles?.some(af => f.includes(af) || af.includes(f))
-    );
-    
-    if (hasFileMatch) {
-      confidence += 0.3;
-    }
-    
-    // Temporal proximity (closer = more likely)
-    const eventTime = new Date(event.timestamp).getTime();
-    const incidentTime = new Date(incident.reportedAt).getTime();
-    const hoursBefore = (incidentTime - eventTime) / (1000 * 60 * 60);
-    
-    if (hoursBefore <= 1) {
-      confidence += 0.2;
-    } else if (hoursBefore <= 6) {
-      confidence += 0.1;
-    }
-    
-    return Math.min(confidence, 1);
-  }
-  
-  /**
-   * Determine the relationship type between event and incident
-   * @param {Object} event - Event
-   * @param {Incident} incident - Incident
-   * @returns {string} Relationship type
-   */
-  determineRelationship(event, incident) {
-    if (event.overrideUsed || event.proof?.overrideUsed) {
-      return RELATIONSHIP_TYPES.OVERRIDE_LED_TO;
-    }
-    
-    const riskScore = event.riskScore || event.proof?.riskScore || 0;
-    if (riskScore >= 70) {
-      return RELATIONSHIP_TYPES.HIGH_RISK_CHANGE;
-    }
-    
-    const eventFiles = this.extractFilesFromEvent(event);
-    const hasFileMatch = eventFiles.some(f =>
-      incident.affectedFiles?.some(af => f.includes(af) || af.includes(f))
-    );
-    
-    if (hasFileMatch) {
-      return RELATIONSHIP_TYPES.DIRECT_CAUSE;
-    }
-    
-    return RELATIONSHIP_TYPES.CONTRIBUTING;
-  }
-  
-  /**
-   * Gather evidence for a causal link
-   * @param {Object} event - Event
-   * @param {Incident} incident - Incident
-   * @returns {string[]} Evidence
-   */
-  gatherEvidence(event, incident) {
-    const evidence = [];
-    
-    if (event.overrideUsed || event.proof?.overrideUsed) {
-      evidence.push(`Override was used: ${event.proof?.overrideReason || "No reason given"}`);
-    }
-    
-    const riskScore = event.riskScore || event.proof?.riskScore || 0;
-    if (riskScore > 0) {
-      evidence.push(`Risk score was ${riskScore}`);
-    }
-    
-    const eventFiles = this.extractFilesFromEvent(event);
-    const matchingFiles = eventFiles.filter(f =>
-      incident.affectedFiles?.some(af => f.includes(af) || af.includes(f))
-    );
-    
-    if (matchingFiles.length > 0) {
-      evidence.push(`Modified files: ${matchingFiles.join(", ")}`);
-    }
-    
-    if (event.verdict === "BLOCK") {
-      evidence.push("Change was initially blocked by firewall");
-    }
-    
-    return evidence;
-  }
-  
-  /**
-   * Identify the root cause from the causal chain
-   * @param {CausalLink[]} chain - Causal chain
-   * @param {Object[]} events - All relevant events
-   * @returns {Object|null} Root cause
-   */
-  identifyRootCause(chain, events) {
-    if (chain.length === 0) return null;
-    
-    // Sort by confidence and find the first event (chronologically) with high confidence
-    const highConfidence = chain
-      .filter(link => link.confidence >= 0.7)
-      .sort((a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime());
-    
-    if (highConfidence.length > 0) {
-      const rootLink = highConfidence[0];
-      const rootEvent = events.find(e => 
-        e.id === rootLink.fromEvent || e.changeId === rootLink.fromEvent
-      );
-      
-      return {
-        event: rootEvent,
-        link: rootLink,
-        reason: `First high-confidence change (${Math.round(rootLink.confidence * 100)}%)`,
-      };
-    }
-    
-    // Fall back to the first event in the chain
-    const firstLink = chain[0];
-    const firstEvent = events.find(e =>
-      e.id === firstLink.fromEvent || e.changeId === firstLink.fromEvent
-    );
-    
-    return {
-      event: firstEvent,
-      link: firstLink,
-      reason: "First change in causal chain",
-    };
-  }
-  
-  /**
-   * Find contributing factors beyond root cause
-   * @param {Object[]} events - All relevant events
-   * @param {Object} rootCause - Identified root cause
-   * @returns {Object[]} Contributing factors
-   */
-  findContributingFactors(events, rootCause) {
-    if (!rootCause) return [];
-    
-    return events
-      .filter(e => {
-        const eventId = e.id || e.changeId;
-        return eventId !== rootCause.link?.fromEvent;
-      })
-      .filter(e => {
-        // Include events with some risk
-        const riskScore = e.riskScore || e.proof?.riskScore || 0;
-        return riskScore >= 30 || e.overrideUsed || e.proof?.overrideUsed;
-      })
-      .slice(0, 5); // Limit to top 5
-  }
-  
-  /**
-   * Generate recommendations based on analysis
-   * @param {Incident} incident - The incident
-   * @param {Object} rootCause - Root cause
-   * @param {Object[]} contributingFactors - Contributing factors
-   * @returns {Object} Recommendations
-   */
-  generateRecommendations(incident, rootCause, contributingFactors) {
-    const recommendations = {
-      immediate: [],
-      shortTerm: [],
-      longTerm: [],
-    };
-    
-    if (rootCause?.event?.overrideUsed || rootCause?.event?.proof?.overrideUsed) {
-      recommendations.immediate.push({
-        action: "Review override policy",
-        reason: "Incident was caused by an overridden firewall block",
-        priority: "high",
-      });
-      
-      recommendations.shortTerm.push({
-        action: "Add invariant rule to prevent similar overrides",
-        reason: `Consider blocking changes to ${incident.affectedFiles?.join(", ")}`,
-        priority: "medium",
-      });
-    }
-    
-    const highRiskChanges = contributingFactors.filter(e =>
-      (e.riskScore || e.proof?.riskScore || 0) >= 70
-    );
-    
-    if (highRiskChanges.length > 0) {
-      recommendations.immediate.push({
-        action: "Review high-risk changes",
-        reason: `${highRiskChanges.length} high-risk changes preceded this incident`,
-        priority: "high",
-      });
-    }
-    
-    recommendations.longTerm.push({
-      action: "Add automated tests for affected functionality",
-      reason: "Prevent regression of the fixed issue",
-      priority: "medium",
-    });
-    
-    if (incident.affectedFiles?.length > 0) {
-      recommendations.longTerm.push({
-        action: `Consider protecting ${incident.affectedFiles[0]}`,
-        reason: "Add to lawbook as a sensitive file",
-        priority: "low",
-      });
-    }
-    
-    return recommendations;
-  }
-  
-  /**
-   * Save an incident report
-   * @param {string} incidentId - Incident ID
-   * @param {IncidentReport} report - Report to save
-   */
-  saveReport(incidentId, report) {
-    const reportsDir = path.join(this.incidentsDir, "reports");
-    
-    if (!fs.existsSync(reportsDir)) {
-      fs.mkdirSync(reportsDir, { recursive: true });
-    }
-    
-    fs.writeFileSync(
-      path.join(reportsDir, `${incidentId}-report.json`),
-      JSON.stringify(report, null, 2)
-    );
-  }
-  
-  /**
-   * Get all incidents
-   * @returns {Incident[]} All incidents
-   */
-  getAllIncidents() {
-    const incidents = [];
-    
-    if (!fs.existsSync(this.incidentsDir)) {
-      return incidents;
-    }
-    
-    const files = fs.readdirSync(this.incidentsDir)
-      .filter(f => f.endsWith(".json") && !f.includes("-report"));
-    
-    for (const file of files) {
-      try {
-        const incident = JSON.parse(
-          fs.readFileSync(path.join(this.incidentsDir, file), "utf-8")
-        );
-        incidents.push(incident);
-      } catch {
-        // Skip invalid files
-      }
-    }
-    
-    return incidents.sort((a, b) =>
-      new Date(b.reportedAt).getTime() - new Date(a.reportedAt).getTime()
-    );
-  }
-}
-
-/**
- * Create an incident correlator instance
- * @param {Object} options - Options
- * @returns {IncidentCorrelator} Incident correlator
- */
-function createIncidentCorrelator(options = {}) {
-  return new IncidentCorrelator(options);
-}
-
-module.exports = { IncidentCorrelator, createIncidentCorrelator, RELATIONSHIP_TYPES };