@vibecheckai/cli 3.4.0 → 3.5.1

package/mcp-server/agent-firewall-interceptor.js

@@ -1,500 +0,0 @@
-/**
- * Agent Firewall Interceptor - MCP Tool
- * 
- * Intercepts file write/patch tool calls from AI agents.
- * Validates changes against truthpack and policy before allowing writes.
- * 
- * Codename: Sentinel
- * 
- * Tier-based enforcement:
- * - FREE: Observe mode (logs violations but allows writes)
- * - STARTER: Advisory mode (warns but allows with confirmation)
- * - PRO: Enforce mode (blocks violations)
- * - ENTERPRISE: Enforce mode + audit trail
- * 
- * SECURITY: Tier is NEVER trusted from client - always derived from validated API key
- */
-
-import path from "path";
-import fs from "fs";
-import { createRequire } from "module";
-
-// Import tier auth for secure tier validation
-import { getMcpToolAccess } from "./tier-auth.js";
-
-const require = createRequire(import.meta.url);
-
-// Import core firewall modules
-const { interceptFileWrite, interceptMultiFileWrite } = require("../bin/runners/lib/agent-firewall/interceptor/base");
-const { loadPolicy } = require("../bin/runners/lib/agent-firewall/policy/loader");
-
-// Import new Sentinel modules
-let reality, risk, simulator, proposal, critic, proofBuilder;
-try {
-  reality = require("../bin/runners/lib/agent-firewall/reality");
-  risk = require("../bin/runners/lib/agent-firewall/risk");
-  simulator = require("../bin/runners/lib/agent-firewall/simulator");
-  proposal = require("../bin/runners/lib/agent-firewall/proposal");
-  critic = require("../bin/runners/lib/agent-firewall/critic");
-  proofBuilder = require("../bin/runners/lib/agent-firewall/change-packet/builder");
-} catch (err) {
-  console.warn(`[Agent Firewall] Some Sentinel modules not available: ${err.message}`);
-}
-
-// Tier-based policy mode mapping
-const TIER_POLICY_MODES = {
-  FREE: "observe",         // Log only, never block
-  STARTER: "advisory",     // Warn, allow with confirmation
-  PRO: "enforce",          // Block violations
-  ENTERPRISE: "enforce",   // Block + full audit
-};
-
-/**
- * Get effective policy mode based on tier
- * @param {string} tier - User's subscription tier
- * @param {object} policy - Policy configuration
- * @returns {string} Effective mode
- */
-function getEffectivePolicyMode(tier, policy) {
-  // If policy explicitly sets mode, respect it for PRO+
-  if (policy.mode && (tier === "PRO" || tier === "ENTERPRISE")) {
-    return policy.mode;
-  }
-  
-  // Otherwise use tier-based defaults
-  return TIER_POLICY_MODES[tier] || "observe";
-}
-
-/**
- * MCP Tool Definition
- */
-const AGENT_FIREWALL_TOOL = {
-  name: "vibecheck_agent_firewall_intercept",
-  description: `🛡️ Agent Firewall (Sentinel) - Intercepts AI code changes and validates against repo truth.
-
-This tool MUST be called before any file write/patch operations.
-It validates changes against truthpack, policy rules, and reality state.
-
-Features:
-- Reality state validation (routes, env vars, services)
-- Risk scoring (surface area, blast radius, irreversibility)
-- Diff simulation (broken imports, orphaned files)
-- Assumption verification
-- Proof artifact generation
-
-Tier modes:
-- FREE: Observe (logs only)
-- STARTER: Advisory (warns)
-- PRO/ENTERPRISE: Enforce (blocks)
-
-Returns: { allowed, verdict, riskScore, violations, unblockPlan, proofId }`,
-  inputSchema: {
-    type: "object",
-    required: ["agentId", "filePath", "content"],
-    properties: {
-      agentId: {
-        type: "string",
-        description: "Agent identifier (e.g., 'cursor', 'windsurf', 'copilot')"
-      },
-      filePath: {
-        type: "string",
-        description: "File path relative to project root"
-      },
-      content: {
-        type: "string",
-        description: "New file content"
-      },
-      oldContent: {
-        type: "string",
-        description: "Old file content (optional, for diff generation)"
-      },
-      intent: {
-        type: "string",
-        description: "Agent's stated intent for this change"
-      },
-      summary: {
-        type: "string",
-        description: "Human-readable summary of the change"
-      },
-      assumptions: {
-        type: "array",
-        description: "Declared assumptions (auto-extracted if not provided)",
-        items: {
-          type: "object",
-          properties: {
-            type: { type: "string", enum: ["env", "route", "service", "file"] },
-            key: { type: "string" },
-            reason: { type: "string" }
-          }
-        }
-      },
-      confidence: {
-        type: "number",
-        description: "Confidence level (0-1) that the change is correct",
-        minimum: 0,
-        maximum: 1
-      },
-      projectRoot: {
-        type: "string",
-        default: ".",
-        description: "Project root directory"
-      },
-      apiKey: {
-        type: "string",
-        description: "API key for authentication (tier is derived from this, never client-provided)"
-      }
-      // NOTE: 'tier' parameter removed for security - tier is now derived from validated apiKey
-      // Accepting tier from client allowed privilege escalation attacks
-    }
-  }
-};
-
-/**
- * Handle MCP tool call
- * 
- * SECURITY: Tier is NEVER accepted from client args - always derived from validated API key.
- * Previous implementation accepted args.tier which allowed attackers to escalate privileges
- * by simply passing tier: "ENTERPRISE".
- * 
- * @param {string} name - Tool name (unused, for consistency)
- * @param {object} args - Tool arguments
- * @returns {object} MCP tool response
- */
-async function handleAgentFirewallIntercept(name, args) {
-  const projectRoot = path.resolve(args.projectRoot || ".");
-  const agentId = args.agentId || "unknown";
-  const filePath = args.filePath;
-  const content = args.content;
-  const oldContent = args.oldContent || null;
-  const intent = args.intent || "No intent provided";
-  
-  // SECURITY FIX: Derive tier from validated API key, NEVER trust client-provided tier
-  let tier = "FREE"; // Default to most restrictive (observe mode)
-  try {
-    const access = await getMcpToolAccess("vibecheck_agent_firewall_intercept", args.apiKey);
-    if (access.tier) {
-      tier = access.tier.toUpperCase();
-    }
-    // Note: Even if access check fails, we continue with FREE tier (observe mode)
-    // This allows the tool to still provide value while logging violations
-  } catch (err) {
-    console.warn(`[Agent Firewall] Tier validation failed, defaulting to FREE: ${err.message}`);
-  }
-  
-  // Validate file path is within project root
-  const fileAbs = path.resolve(projectRoot, filePath);
-  if (!fileAbs.startsWith(projectRoot + path.sep) && fileAbs !== projectRoot) {
-    return {
-      content: [{
-        type: "text",
-        text: `❌ BLOCKED: File path outside project root: ${filePath}`
-      }],
-      isError: true
-    };
-  }
-  
-  try {
-    // Load policy and determine effective mode based on tier
-    const policy = loadPolicy(projectRoot);
-    const effectiveMode = getEffectivePolicyMode(tier, policy);
-    
-    // Read old content if not provided
-    // SECURITY FIX: Compute content hash to detect concurrent modifications
-    // Between reading and validation, another agent could modify the file.
-    // We provide the hash so callers can verify before actual write.
-    let actualOldContent = oldContent;
-    let oldContentHash = null;
-    const crypto = require('crypto');
-    
-    if (!actualOldContent && fs.existsSync(fileAbs)) {
-      actualOldContent = fs.readFileSync(fileAbs, "utf8");
-    }
-    
-    // Compute hash of the content we're validating against
-    if (actualOldContent) {
-      oldContentHash = crypto.createHash('sha256').update(actualOldContent).digest('hex');
-    }
-    
-    // Build structured proposal from args
-    let structuredProposal = null;
-    if (proposal) {
-      structuredProposal = proposal.proposal.create(
-        proposal.proposal.normalizeIntent(intent),
-        [{ type: actualOldContent ? "modify" : "create", path: filePath, content }]
-      );
-      structuredProposal.summary = args.summary || intent;
-      structuredProposal.assumptions = args.assumptions || [];
-      structuredProposal.confidence = args.confidence ?? 0.5;
-      
-      // Auto-extract assumptions if not provided
-      if (structuredProposal.assumptions.length === 0) {
-        const extracted = proposal.extractFromOperations(structuredProposal.operations);
-        structuredProposal.assumptions = extracted;
-      }
-      
-      // Validate proposal
-      const validationResult = proposal.proposal.validate(structuredProposal);
-      if (!validationResult.valid && effectiveMode === "enforce") {
-        return {
-          content: [{
-            type: "text",
-            text: `❌ INVALID PROPOSAL: ${validationResult.errors.map(e => e.message).join(", ")}`
-          }],
-          isError: true
-        };
-      }
-    }
-    
-    // Get reality state
-    let realityState = null;
-    if (reality) {
-      try {
-        realityState = reality.reality.getState(projectRoot);
-      } catch (err) {
-        console.warn(`[Agent Firewall] Reality state unavailable: ${err.message}`);
-      }
-    }
-    
-    // Calculate risk score
-    let riskScore = null;
-    if (risk && structuredProposal) {
-      try {
-        riskScore = risk.calculateRiskScore({
-          files: [{ path: filePath }],
-          operations: structuredProposal.operations,
-          claims: [],
-          evidence: [],
-          intent,
-          assumptions: structuredProposal.assumptions,
-          proposalConfidence: structuredProposal.confidence,
-          policy,
-        });
-      } catch (err) {
-        console.warn(`[Agent Firewall] Risk scoring failed: ${err.message}`);
-      }
-    }
-    
-    // Run diff simulation
-    let simulationResult = null;
-    if (simulator && content) {
-      try {
-        simulationResult = simulator.quickSimulate(projectRoot, filePath, content, actualOldContent);
-      } catch (err) {
-        console.warn(`[Agent Firewall] Simulation failed: ${err.message}`);
-      }
-    }
-    
-    // Intercept the write with core firewall
-    const result = await interceptFileWrite({
-      projectRoot,
-      agentId,
-      intent,
-      filePath,
-      content,
-      oldContent: actualOldContent
-    });
-    
-    // Get critic verdict (rule-based, LLM optional)
-    let criticVerdict = null;
-    if (critic) {
-      try {
-        criticVerdict = await critic.critic.evaluate({
-          proposal: structuredProposal,
-          validationResults: result,
-          riskScore,
-          simulationResult,
-          realityState,
-        });
-      } catch (err) {
-        console.warn(`[Agent Firewall] Critic evaluation failed: ${err.message}`);
-      }
-    }
-    
-    // Build enhanced proof artifact
-    let proofId = result.packetId;
-    if (proofBuilder && riskScore) {
-      try {
-        const proofArtifact = proofBuilder.buildProofArtifact({
-          changeId: `c-${result.packetId}`,
-          decision: result.verdict,
-          rulesTriggered: (result.violations || []).map(v => v.rule),
-          assumptionsFailed: (result.violations || []).filter(v => v.type === "assumption").map(v => v.key),
-          riskScore,
-          simulationResult,
-          criticVerdict,
-        });
-        proofId = proofArtifact.changeId;
-      } catch (err) {
-        console.warn(`[Agent Firewall] Proof artifact generation failed: ${err.message}`);
-      }
-    }
-    
-    // Format response based on mode
-    const formatResponse = (isBlocked) => {
-      let message = "";
-      const icon = isBlocked ? "❌" : (effectiveMode === "observe" ? "📊" : "✅");
-      const modeLabel = effectiveMode.toUpperCase();
-      
-      message += `${icon} ${modeLabel} MODE: ${result.verdict}\n\n`;
-      
-      // Risk score
-      if (riskScore) {
-        message += `Risk: ${riskScore.total} (${riskScore.level})\n`;
-        if (riskScore.reasons.length > 0) {
-          message += `Factors: ${riskScore.reasons.slice(0, 3).join(", ")}\n`;
-        }
-        message += "\n";
-      }
-      
-      // Simulation result
-      if (simulationResult) {
-        message += `Simulation: ${simulationResult.passed ? "✅ Passed" : "❌ Failed"}\n`;
-        if (!simulationResult.passed && simulationResult.errors.length > 0) {
-          message += `Errors: ${simulationResult.errors.slice(0, 2).map(e => e.message).join("; ")}\n`;
-        }
-        message += "\n";
-      }
-      
-      // Violations
-      if (result.violations && result.violations.length > 0) {
-        message += "Violations:\n";
-        for (const violation of result.violations.slice(0, 5)) {
-          message += `  - ${violation.rule || violation.type}: ${violation.message}\n`;
-        }
-        message += "\n";
-      }
-      
-      // Critic verdict (if blocked)
-      if (criticVerdict && criticVerdict.verdict === "BLOCK") {
-        message += `Critic: ${criticVerdict.verdict} (${(criticVerdict.confidence * 100).toFixed(0)}% confidence)\n`;
-        if (criticVerdict.reasoning.length > 0) {
-          message += `Reasoning: ${criticVerdict.reasoning[0]}\n`;
-        }
-        message += "\n";
-      }
-      
-      // Unblock plan
-      if (isBlocked && result.unblockPlan && result.unblockPlan.steps?.length > 0) {
-        message += "To unblock:\n";
-        for (const step of result.unblockPlan.steps.slice(0, 3)) {
-          message += `  ${step.action === "create" ? "➕ Create" : "✏️ Modify"} ${step.file || "file"}: ${step.description}\n`;
-        }
-        message += "\n";
-      }
-      
-      message += `Proof ID: ${proofId}\n`;
-      
-      // SECURITY: Include content hash for race condition protection
-      // Callers MUST verify this hash matches current file content before writing
-      // to prevent TOCTOU (time-of-check-time-of-use) vulnerabilities
-      if (oldContentHash) {
-        message += `\n⚠️ IMPORTANT: Before writing, verify file hash matches:\n`;
-        message += `Content Hash: ${oldContentHash}\n`;
-        message += `(Re-read file and compare SHA-256 hash to detect concurrent modifications)`;
-      } else {
-        message += `\nNote: New file (no existing content to verify)`;
-      }
-      
-      return message;
-    };
-    
-    // Determine final decision based on mode
-    if (effectiveMode === "observe") {
-      // Observe mode - always allow, log everything
-      return {
-        content: [{
-          type: "text",
-          text: formatResponse(false)
-        }]
-      };
-    }
-    
-    if (effectiveMode === "advisory") {
-      // Advisory mode - warn but allow (for STARTER tier)
-      const shouldWarn = !result.allowed || (riskScore && riskScore.total > 50);
-      return {
-        content: [{
-          type: "text",
-          text: formatResponse(false) + (shouldWarn ? "\n\n⚠️ Consider reviewing before proceeding." : "")
-        }]
-      };
-    }
-    
-    // Enforce mode - block if not allowed
-    // More intelligent blocking logic to reduce false positives:
-    // 1. Base interception result must say not allowed, OR
-    // 2. Simulation failed with actual errors (not just warnings), OR
-    // 3. Critic says BLOCK with very high confidence (90%+), OR
-    // 4. Risk score decision is BLOCK (but respect lowered thresholds)
-    
-    // Count the number of blocking signals
-    let blockingSignals = 0;
-    const blockReasons = [];
-    
-    if (!result.allowed) {
-      blockingSignals++;
-      blockReasons.push("policy_violation");
-    }
-    
-    // Only count simulation failure if it has actual errors (not just warnings)
-    if (simulationResult && !simulationResult.passed) {
-      const hasActualErrors = simulationResult.errors?.some(e => 
-        e.severity === 'error' || e.type === 'broken_import' || e.type === 'syntax_error'
-      );
-      if (hasActualErrors) {
-        blockingSignals++;
-        blockReasons.push("simulation_failed");
-      }
-    }
-    
-    // Critic verdict - require very high confidence (90%+) to block
-    if (criticVerdict && criticVerdict.verdict === "BLOCK" && criticVerdict.confidence >= 0.9) {
-      blockingSignals++;
-      blockReasons.push("critic_blocked");
-    }
-    
-    // Risk score decision
-    if (riskScore && riskScore.decision?.decision === "BLOCK") {
-      blockingSignals++;
-      blockReasons.push("risk_threshold_exceeded");
-    }
-    
-    // Only block if we have at least 2 independent blocking signals
-    // This prevents a single false positive from blocking legitimate changes
-    // Exception: if risk score is CRITICAL (total >= 120), block with 1 signal
-    const isCriticalRisk = riskScore && riskScore.total >= 120;
-    const shouldBlock = (blockingSignals >= 2) || (isCriticalRisk && blockingSignals >= 1);
-    
-    if (shouldBlock) {
-      return {
-        content: [{
-          type: "text",
-          text: formatResponse(true) + `\n\nBlocking reasons: ${blockReasons.join(", ")}`
-        }],
-        isError: true
-      };
-    }
-    
-    // Allowed
-    return {
-      content: [{
-        type: "text",
-        text: formatResponse(false)
-      }]
-    };
-    
-  } catch (error) {
-    return {
-      content: [{
-        type: "text",
-        text: `❌ Error intercepting write: ${error.message}\n\n${error.stack}`
-      }],
-      isError: true
-    };
-  }
-}
-
-export {
-  AGENT_FIREWALL_TOOL,
-  handleAgentFirewallIntercept
-};