@vibecheckai/cli 3.5.0 → 3.5.1

package/bin/runners/lib/agent-firewall/critic/prompts.js

@@ -1,305 +0,0 @@
-/**
- * Critic LLM Prompts
- * 
- * Prompt templates for the "savage" critic judge.
- * Philosophy: "If it cannot be proven safe, block it."
- */
-
-"use strict";
-
-/**
- * System prompt for the critic
- */
-const CRITIC_SYSTEM_PROMPT = `You are a strict code change critic. Your role is to judge whether proposed changes should be allowed.
-
-PHILOSOPHY:
-- If a change cannot be proven safe by the repository state, BLOCK it
-- Assumptions that cannot be verified are violations
-- Vague intent is a violation
-- Missing explanations are suspicious
-- Trust nothing, verify everything
-
-You output ONLY valid JSON. No explanations outside the JSON.
-
-VERDICT OPTIONS:
-- "ALLOW" - Change is safe and well-documented
-- "BLOCK" - Change has unverified assumptions or risks
-- "REQUIRE_CONFIRMATION" - Change needs human review
-
-Be conservative. When in doubt, BLOCK.`;
-
-/**
- * Prompt template for evaluating a proposal
- */
-const EVALUATION_PROMPT_TEMPLATE = `Evaluate this proposed code change:
-
-## Proposal
-Intent: {{intent}}
-Summary: {{summary}}
-Files touched: {{filesTouched}}
-Operations: {{operationsCount}} ({{operationTypes}})
-Declared confidence: {{confidence}}
-
-## Assumptions Declared
-{{assumptions}}
-
-## Assumption Validation Results
-{{validationResults}}
-
-## Risk Assessment
-Risk Score: {{riskScore}}
-Risk Level: {{riskLevel}}
-Risk Factors:
-{{riskFactors}}
-
-## Simulation Results
-Simulation Passed: {{simulationPassed}}
-Errors: {{simulationErrors}}
-Warnings: {{simulationWarnings}}
-
-## Reality State Summary
-Total files in repo: {{fileCount}}
-Total routes: {{routeCount}}
-Total env vars: {{envVarCount}}
-Affected domains: {{domains}}
-
----
-
-Evaluate and respond with JSON only:
-{
-  "verdict": "ALLOW" | "BLOCK" | "REQUIRE_CONFIRMATION",
-  "confidence": 0.0 to 1.0,
-  "reasoning": ["reason 1", "reason 2", ...],
-  "violations": ["violation 1", ...] or [],
-  "recommendations": ["recommendation 1", ...] or []
-}`;
-
-/**
- * Prompt for detecting vague/hand-wavy proposals
- */
-const VAGUENESS_CHECK_PROMPT = `Analyze this proposal for vagueness:
-
-Intent: {{intent}}
-Summary: {{summary}}
-Operation count: {{operationCount}}
-
-Rate the specificity on a scale of 1-10 (10 = very specific).
-Identify any vague language.
-
-Respond with JSON only:
-{
-  "specificityScore": 1-10,
-  "vagueTerms": ["term1", "term2"],
-  "suggestions": ["be more specific about X", ...]
-}`;
-
-/**
- * Prompt for assumption verification
- */
-const ASSUMPTION_VERIFICATION_PROMPT = `Verify these assumptions against the repository state:
-
-{{assumptions}}
-
-Repository State:
-- Declared env vars: {{declaredEnvVars}}
-- Registered routes: {{registeredRoutes}}
-- Registered services: {{registeredServices}}
-
-For each assumption, determine:
-1. Can it be verified from the repo state?
-2. Is there evidence supporting it?
-3. Is it a valid assumption?
-
-Respond with JSON only:
-{
-  "results": [
-    {
-      "assumption": "...",
-      "verified": true/false,
-      "evidence": "..." or null,
-      "reason": "..."
-    }
-  ],
-  "overallVerificationRate": 0.0 to 1.0
-}`;
-
-/**
- * Build evaluation prompt from data
- * @param {Object} data - Prompt data
- * @returns {string} Filled prompt
- */
-function buildEvaluationPrompt(data) {
-  const {
-    proposal,
-    validationResults,
-    riskScore,
-    simulationResult,
-    realityState,
-  } = data;
-  
-  let prompt = EVALUATION_PROMPT_TEMPLATE;
-  
-  // Fill in proposal data
-  prompt = prompt.replace("{{intent}}", proposal.intent || "not specified");
-  prompt = prompt.replace("{{summary}}", proposal.summary || "not provided");
-  prompt = prompt.replace("{{filesTouched}}", (proposal.filesTouched || []).join(", ") || "none");
-  prompt = prompt.replace("{{operationsCount}}", String((proposal.operations || []).length));
-  prompt = prompt.replace("{{operationTypes}}", 
-    [...new Set((proposal.operations || []).map(o => o.type))].join(", ") || "none"
-  );
-  prompt = prompt.replace("{{confidence}}", String(proposal.confidence ?? "not specified"));
-  
-  // Fill in assumptions
-  const assumptionsText = (proposal.assumptions || []).length > 0
-    ? proposal.assumptions.map(a => 
-        `- [${a.type}] ${a.key || a.path}: ${a.reason || "no reason given"}`
-      ).join("\n")
-    : "None declared";
-  prompt = prompt.replace("{{assumptions}}", assumptionsText);
-  
-  // Fill in validation results
-  const validationText = validationResults
-    ? Object.entries(validationResults).map(([key, val]) => 
-        `- ${key}: ${JSON.stringify(val)}`
-      ).join("\n")
-    : "Not available";
-  prompt = prompt.replace("{{validationResults}}", validationText);
-  
-  // Fill in risk assessment
-  prompt = prompt.replace("{{riskScore}}", String(riskScore?.total ?? "N/A"));
-  prompt = prompt.replace("{{riskLevel}}", riskScore?.level || "N/A");
-  prompt = prompt.replace("{{riskFactors}}", 
-    (riskScore?.reasons || []).map(r => `- ${r}`).join("\n") || "None"
-  );
-  
-  // Fill in simulation results
-  prompt = prompt.replace("{{simulationPassed}}", 
-    simulationResult ? String(simulationResult.passed) : "Not run"
-  );
-  prompt = prompt.replace("{{simulationErrors}}", 
-    simulationResult?.errors?.length > 0
-      ? simulationResult.errors.map(e => `- ${e.message}`).join("\n")
-      : "None"
-  );
-  prompt = prompt.replace("{{simulationWarnings}}", 
-    simulationResult?.warnings?.length > 0
-      ? simulationResult.warnings.map(w => `- ${w.message}`).join("\n")
-      : "None"
-  );
-  
-  // Fill in reality state
-  prompt = prompt.replace("{{fileCount}}", String(realityState?.files?.size ?? "N/A"));
-  prompt = prompt.replace("{{routeCount}}", String(realityState?.routes?.length ?? "N/A"));
-  prompt = prompt.replace("{{envVarCount}}", String(realityState?.envVars?.size ?? "N/A"));
-  prompt = prompt.replace("{{domains}}", 
-    [...new Set((proposal.operations || []).map(o => classifyDomain(o.path)))].join(", ") || "general"
-  );
-  
-  return prompt;
-}
-
-/**
- * Simple domain classifier (for prompt building)
- */
-function classifyDomain(filePath) {
-  if (!filePath) return "general";
-  const s = filePath.toLowerCase();
-  if (s.includes("auth")) return "auth";
-  if (s.includes("payment") || s.includes("stripe")) return "payments";
-  if (s.includes("route") || s.includes("api")) return "routes";
-  if (s.includes("db") || s.includes("prisma")) return "database";
-  return "general";
-}
-
-/**
- * Build vagueness check prompt
- * @param {Object} proposal - Proposal to check
- * @returns {string} Filled prompt
- */
-function buildVaguenessPrompt(proposal) {
-  let prompt = VAGUENESS_CHECK_PROMPT;
-  
-  prompt = prompt.replace("{{intent}}", proposal.intent || "not specified");
-  prompt = prompt.replace("{{summary}}", proposal.summary || "not provided");
-  prompt = prompt.replace("{{operationCount}}", String((proposal.operations || []).length));
-  
-  return prompt;
-}
-
-/**
- * Build assumption verification prompt
- * @param {Array} assumptions - Assumptions to verify
- * @param {Object} realityState - Repository state
- * @returns {string} Filled prompt
- */
-function buildVerificationPrompt(assumptions, realityState) {
-  let prompt = ASSUMPTION_VERIFICATION_PROMPT;
-  
-  const assumptionsText = assumptions.map(a => 
-    `- [${a.type}] ${a.key || a.path}: ${a.reason || "no reason"}`
-  ).join("\n");
-  
-  prompt = prompt.replace("{{assumptions}}", assumptionsText);
-  
-  // Extract state summaries
-  const declaredEnvVars = realityState?.envVars 
-    ? [...realityState.envVars.keys()].slice(0, 20).join(", ")
-    : "not available";
-  
-  const registeredRoutes = realityState?.routes
-    ? realityState.routes.slice(0, 10).map(r => `${r.method} ${r.path}`).join(", ")
-    : "not available";
-  
-  const registeredServices = realityState?.services
-    ? realityState.services.slice(0, 10).map(s => s.name).join(", ")
-    : "not available";
-  
-  prompt = prompt.replace("{{declaredEnvVars}}", declaredEnvVars);
-  prompt = prompt.replace("{{registeredRoutes}}", registeredRoutes);
-  prompt = prompt.replace("{{registeredServices}}", registeredServices);
-  
-  return prompt;
-}
-
-/**
- * Parse critic response
- * @param {string} response - LLM response text
- * @returns {Object} Parsed response
- */
-function parseCriticResponse(response) {
-  try {
-    // Try to extract JSON from response
-    const jsonMatch = response.match(/\{[\s\S]*\}/);
-    if (jsonMatch) {
-      return JSON.parse(jsonMatch[0]);
-    }
-    
-    // If no JSON found, return a default blocked response
-    return {
-      verdict: "BLOCK",
-      confidence: 0.5,
-      reasoning: ["Failed to parse critic response"],
-      violations: ["Invalid response format"],
-      recommendations: [],
-    };
-  } catch (error) {
-    return {
-      verdict: "BLOCK",
-      confidence: 0.5,
-      reasoning: ["Failed to parse critic response: " + error.message],
-      violations: ["Invalid JSON in response"],
-      recommendations: [],
-    };
-  }
-}
-
-module.exports = {
-  CRITIC_SYSTEM_PROMPT,
-  EVALUATION_PROMPT_TEMPLATE,
-  VAGUENESS_CHECK_PROMPT,
-  ASSUMPTION_VERIFICATION_PROMPT,
-  buildEvaluationPrompt,
-  buildVaguenessPrompt,
-  buildVerificationPrompt,
-  parseCriticResponse,
-};

package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js

@@ -1,88 +0,0 @@
-/**
- * Auth Evidence Resolver
- * 
- * Resolves auth claims against truthpack.auth.json
- * Checks for auth drift (claimed restriction not enforced).
- */
-
-"use strict";
-
-const { getAuthRules } = require("../truthpack");
-
-/**
- * Resolve auth claim evidence
- * @param {string} projectRoot - Project root directory
- * @param {object} claim - Auth claim
- * @returns {object} Evidence result
- */
-function resolve(projectRoot, claim) {
-  const authData = getAuthRules(projectRoot);
-  
-  // Extract auth keywords from claim value
-  const claimText = claim.value.toLowerCase();
-  const hasAuthKeywords = /\b(admin|owner|staff|role|scope|permission|auth|authorize|rbac)\b/i.test(claimText);
-  
-  if (!hasAuthKeywords) {
-    // Not an auth-related claim
-    return {
-      result: "PROVEN",
-      sources: [],
-      reason: "No auth keywords detected in claim"
-    };
-  }
-  
-  // Check if auth middleware exists
-  const nextMiddleware = authData.nextMiddleware || [];
-  const fastifyHooks = authData.fastify?.hooks || [];
-  
-  if (nextMiddleware.length > 0 || fastifyHooks.length > 0) {
-    // Auth infrastructure exists
-    // Check if claim matches protected patterns
-    const matcherPatterns = authData.nextMatcherPatterns || [];
-    const claimFile = claim.file || "";
-    
-    // Check if file is in protected path
-    const isProtected = matcherPatterns.some(pattern => {
-      // Simple pattern matching
-      if (pattern.includes("*")) {
-        const regex = new RegExp(pattern.replace(/\*/g, ".*"));
-        return regex.test(claimFile);
-      }
-      return claimFile.includes(pattern);
-    });
-    
-    if (isProtected) {
-      return {
-        result: "PROVEN",
-        sources: [{
-          type: "truthpack.auth",
-          pointer: claim.pointer,
-          confidence: 0.8
-        }],
-        reason: "Auth claim matches protected route pattern"
-      };
-    } else {
-      // Auth keywords present but route not protected - potential drift
-      return {
-        result: "CONTRADICTS",
-        sources: [{
-          type: "truthpack.auth",
-          pointer: claim.pointer,
-          confidence: 0.7
-        }],
-        reason: "Auth keywords present but route not in protected patterns (auth drift)"
-      };
-    }
-  } else {
-    // No auth infrastructure - cannot verify
-    return {
-      result: "UNPROVEN",
-      sources: [],
-      reason: "No auth middleware found in truthpack"
-    };
-  }
-}
-
-module.exports = {
-  resolve
-};

package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js

@@ -1,75 +0,0 @@
-/**
- * Contract Evidence Resolver
- * 
- * Resolves contract claims against truthpack.contracts.json
- * Checks for contract drift (API shape mismatch).
- */
-
-"use strict";
-
-const { getContracts } = require("../truthpack");
-
-/**
- * Resolve contract claim evidence
- * @param {string} projectRoot - Project root directory
- * @param {object} claim - Contract claim
- * @returns {object} Evidence result
- */
-function resolve(projectRoot, claim) {
-  const contracts = getContracts(projectRoot);
-  
-  // Extract contract identifier from claim
-  // Contract claims might reference API endpoints, types, or schemas
-  const claimValue = claim.value.toLowerCase();
-  
-  // Check if contracts exist
-  if (!contracts || Object.keys(contracts).length === 0) {
-    return {
-      result: "UNPROVEN",
-      sources: [],
-      reason: "No contracts found in truthpack"
-    };
-  }
-  
-  // Try to match claim against contract definitions
-  // This is a simplified check - full implementation would parse contract schemas
-  const contractKeys = Object.keys(contracts);
-  const matchingContract = contractKeys.find(key => 
-    key.toLowerCase().includes(claimValue) || 
-    claimValue.includes(key.toLowerCase())
-  );
-  
-  if (matchingContract) {
-    return {
-      result: "PROVEN",
-      sources: [{
-        type: "truthpack.contracts",
-        pointer: claim.pointer,
-        confidence: 0.8
-      }],
-      reason: `Contract ${matchingContract} found in truthpack`
-    };
-  }
-  
-  // Check for contract drift by examining the claim context
-  // If claim references an API endpoint, check if contract exists for that endpoint
-  if (claimValue.includes("api") || claimValue.includes("endpoint")) {
-    // Potential contract drift - endpoint referenced but contract not found
-    return {
-      result: "CONTRADICTS",
-      sources: [],
-      reason: "API endpoint referenced but contract not found in truthpack (contract drift)"
-    };
-  }
-  
-  // Cannot verify contract
-  return {
-    result: "UNPROVEN",
-    sources: [],
-    reason: "Contract not found in truthpack"
-  };
-}
-
-module.exports = {
-  resolve
-};

package/bin/runners/lib/agent-firewall/evidence/env-evidence.js

@@ -1,127 +0,0 @@
-/**
- * Environment Variable Evidence Resolver
- * 
- * Resolves env var claims against truthpack.env.json
- * Checks for ghost env vars (used but not declared).
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const { getEnvVars } = require("../truthpack");
-
-/**
- * Resolve env var claim evidence
- * @param {string} projectRoot - Project root directory
- * @param {object} claim - Env var claim
- * @returns {object} Evidence result
- */
-function resolve(projectRoot, claim) {
-  const envData = getEnvVars(projectRoot);
-  
-  // Check declared env vars
-  const declared = envData.declared || [];
-  const declaredSet = new Set(declared.map(v => v.name || v));
-  
-  // Check declared sources (env.schema.ts, .env.example, etc.)
-  const declaredSources = envData.declaredSources || [];
-  
-  const envVarName = claim.value;
-  
-  // Check if env var is declared
-  if (declaredSet.has(envVarName)) {
-    // Find source file
-    const source = declaredSources.find(s => 
-      s.vars && s.vars.includes(envVarName)
-    );
-    
-    return {
-      result: "PROVEN",
-      sources: [{
-        type: "truthpack.env",
-        pointer: source ? source.file : claim.pointer,
-        confidence: 0.9
-      }],
-      reason: `Environment variable ${envVarName} found in truthpack`
-    };
-  }
-  
-  // Check if env var exists in .env.example or schema files
-  // Check multiple possible locations for .env.example
-  const envExamplePaths = [
-    path.join(projectRoot, ".env.example"),
-    path.join(projectRoot, "apps", "web-ui", ".env.example"),
-    path.join(projectRoot, "apps", "api", ".env.example")
-  ];
-  
-  for (const envExamplePath of envExamplePaths) {
-    if (fs.existsSync(envExamplePath)) {
-      const envExample = fs.readFileSync(envExamplePath, "utf8");
-      if (envExample.includes(envVarName)) {
-        const relativePath = path.relative(projectRoot, envExamplePath).replace(/\\/g, "/");
-        return {
-          result: "PROVEN",
-          sources: [{
-            type: "repo.search",
-            pointer: relativePath,
-            confidence: 0.7
-          }],
-          reason: `Environment variable ${envVarName} found in ${relativePath}`
-        };
-      }
-    }
-  }
-  
-  const envSchemaPath = findEnvSchemaFile(projectRoot);
-  
-  if (envSchemaPath && fs.existsSync(envSchemaPath)) {
-    const envSchema = fs.readFileSync(envSchemaPath, "utf8");
-    if (envSchema.includes(envVarName)) {
-      return {
-        result: "PROVEN",
-        sources: [{
-          type: "repo.search",
-          pointer: envSchemaPath,
-          confidence: 0.8
-        }],
-        reason: `Environment variable ${envVarName} found in env schema`
-      };
-    }
-  }
-  
-  // Not found - ghost env var
-  return {
-    result: "UNPROVEN",
-    sources: [],
-    reason: `Environment variable ${envVarName} not declared (ghost env var)`
-  };
-}
-
-/**
- * Find env schema file (env.schema.ts, env.ts, etc.)
- * @param {string} projectRoot - Project root directory
- * @returns {string|null} Path to schema file or null
- */
-function findEnvSchemaFile(projectRoot) {
-  const candidates = [
-    "apps/api/src/config/env.schema.ts",
-    "apps/api/src/env.schema.ts",
-    "src/config/env.schema.ts",
-    "src/env.schema.ts",
-    "env.schema.ts"
-  ];
-  
-  for (const candidate of candidates) {
-    const fullPath = path.join(projectRoot, candidate);
-    if (fs.existsSync(fullPath)) {
-      return candidate;
-    }
-  }
-  
-  return null;
-}
-
-module.exports = {
-  resolve
-};

package/bin/runners/lib/agent-firewall/evidence/resolver.js

@@ -1,102 +0,0 @@
-/**
- * Evidence Resolver
- * 
- * Main orchestrator for resolving claims against truthpack.
- * Returns PROVEN, UNPROVEN, or CONTRADICTS for each claim.
- */
-
-"use strict";
-
-const routeEvidence = require("./route-evidence");
-const envEvidence = require("./env-evidence");
-const authEvidence = require("./auth-evidence");
-const contractEvidence = require("./contract-evidence");
-const sideEffectEvidence = require("./side-effect-evidence");
-const { CLAIM_TYPES } = require("../claims/claim-types");
-
-/**
- * Resolve evidence for all claims
- * @param {string} projectRoot - Project root directory
- * @param {array} claims - Array of claims to resolve
- * @returns {array} Array of evidence results
- */
-function resolveEvidence(projectRoot, claims) {
-  const results = [];
-  
-  for (let i = 0; i < claims.length; i++) {
-    const claim = claims[i];
-    const claimId = `claim_${i}`;
-    
-    let result;
-    
-    switch (claim.type) {
-      case CLAIM_TYPES.ROUTE:
-        result = routeEvidence.resolve(projectRoot, claim);
-        break;
-        
-      case CLAIM_TYPES.ENV:
-        result = envEvidence.resolve(projectRoot, claim);
-        break;
-        
-      case CLAIM_TYPES.AUTH:
-        result = authEvidence.resolve(projectRoot, claim);
-        break;
-        
-      case CLAIM_TYPES.CONTRACT:
-        result = contractEvidence.resolve(projectRoot, claim);
-        break;
-        
-      case CLAIM_TYPES.SIDE_EFFECT:
-        result = sideEffectEvidence.resolve(projectRoot, claim);
-        break;
-        
-      case CLAIM_TYPES.HTTP_CALL:
-        // HTTP calls are checked as routes
-        result = routeEvidence.resolve(projectRoot, {
-          ...claim,
-          type: CLAIM_TYPES.ROUTE,
-          value: extractRouteFromHttpCall(claim.value)
-        });
-        break;
-        
-      case CLAIM_TYPES.UI_SUCCESS:
-        // UI success claims are checked for side effects
-        result = sideEffectEvidence.resolve(projectRoot, claim);
-        break;
-        
-      default:
-        result = {
-          claimId,
-          result: "UNPROVEN",
-          sources: [],
-          reason: `Unknown claim type: ${claim.type}`
-        };
-    }
-    
-    results.push({
-      claimId,
-      ...result
-    });
-  }
-  
-  return results;
-}
-
-/**
- * Extract route path from HTTP call claim value
- * @param {string} httpCall - HTTP call string (e.g., "GET /api/users")
- * @returns {string} Route path
- */
-function extractRouteFromHttpCall(httpCall) {
-  // Handle "GET /api/users" format
-  const match = httpCall.match(/\s+(.+)$/);
-  if (match) {
-    return match[1];
-  }
-  // Handle "/api/users" format
-  return httpCall.startsWith("/") ? httpCall : `/${httpCall}`;
-}
-
-module.exports = {
-  resolveEvidence
-};