@vibecheckai/cli 3.5.0 → 3.5.1

package/bin/runners/lib/agent-firewall/risk/vectors.js

@@ -1,421 +0,0 @@
-/**
- * Risk Vectors
- * 
- * Defines the risk vectors and their default weights for scoring changes.
- * Each vector contributes to the overall risk score.
- */
-
-"use strict";
-
-/**
- * Risk vector definitions
- */
-const RISK_VECTORS = {
-  /**
-   * Surface Area
-   * How many files are touched by the change
-   */
-  SURFACE_AREA: {
-    id: "surface_area",
-    name: "Surface Area",
-    description: "Number of files touched by the change",
-    baseWeight: 1,
-    calculate: (context) => {
-      const files = context.files || [];
-      const fileCount = files.length;
-      
-      // Single file changes are very common and safe - no penalty
-      if (fileCount <= 1) return 0;
-      
-      // Count "safe" files that shouldn't add to risk
-      const safeFiles = files.filter(f => {
-        const path = (f.path || f).toLowerCase();
-        return (
-          path.includes('.test.') || path.includes('.spec.') ||
-          path.includes('__tests__') || path.includes('__mocks__') ||
-          path.endsWith('.md') || path.endsWith('.mdx') ||
-          path.endsWith('.d.ts') || path.includes('.stories.') ||
-          path.endsWith('-lock.json') || path.endsWith('.lock') ||
-          path.includes('/docs/')
-        );
-      });
-      
-      // Effective file count excludes safe files
-      const effectiveCount = fileCount - safeFiles.length;
-      
-      // More generous thresholds
-      if (effectiveCount <= 1) return 0;
-      if (effectiveCount <= 3) return effectiveCount; // 1 point each
-      if (effectiveCount <= 5) return 3 + (effectiveCount - 3) * 2; // 2 points each
-      if (effectiveCount <= 10) return 7 + (effectiveCount - 5) * 3; // 3 points each
-      return 22 + (effectiveCount - 10) * 4; // 4 points each for large changes
-    },
-  },
-  
-  /**
-   * Blast Radius
-   * Impact on core vs peripheral code
-   */
-  BLAST_RADIUS: {
-    id: "blast_radius",
-    name: "Blast Radius",
-    description: "Impact on core vs peripheral code paths",
-    baseWeight: 1,
-    calculate: (context) => {
-      let score = 0;
-      const files = context.files || [];
-      
-      // For single-file changes, apply a discount since they're typically safer
-      const singleFileDiscount = files.length === 1 ? 0.6 : 1;
-      
-      for (const file of files) {
-        const path = (file.path || file).toLowerCase();
-        let fileScore = 0;
-        
-        // Tests have ZERO impact - they can't break production
-        if (path.includes("/test") || path.includes(".test.") || path.includes(".spec.") || 
-            path.includes("__tests__") || path.includes("__mocks__")) {
-          fileScore = 0;
-        }
-        // Documentation and config have minimal impact
-        else if (path.endsWith(".md") || path.endsWith(".mdx") || 
-                 path.includes("/docs/") || path.includes("readme")) {
-          fileScore = 0;
-        }
-        // Type definitions are low risk
-        else if (path.endsWith(".d.ts") || path.includes("/types/")) {
-          fileScore = 2;
-        }
-        // Storybook/examples - no production impact
-        else if (path.includes(".stories.") || path.includes("/examples/") || path.includes("/storybook/")) {
-          fileScore = 0;
-        }
-        // Core paths - high impact but reduced from 25
-        else if (path.includes("/core/") || path.includes("/lib/") || path.includes("/shared/")) {
-          fileScore = 15;
-        }
-        // Database/schema - high impact
-        else if (path.includes("/prisma/") || path.includes("/db/") || path.includes("/schema/")) {
-          fileScore = 18;
-        }
-        // Service paths - medium-high impact (reduced from 20)
-        else if (path.includes("/services/") || path.includes("/providers/")) {
-          fileScore = 12;
-        }
-        // Middleware - medium-high impact (reduced from 18)
-        else if (path.includes("/middleware/")) {
-          fileScore = 10;
-        }
-        // API routes - medium impact (reduced from 15)
-        else if (path.includes("/routes/") || path.includes("/api/")) {
-          fileScore = 8;
-        }
-        // Config files - low impact (reduced from 12)
-        else if (path.includes("/config/")) {
-          fileScore = 5;
-        }
-        // Package.json is special - lock files are fine, package.json needs care
-        else if (path.endsWith("package.json")) {
-          fileScore = 8;
-        }
-        else if (path.endsWith("package-lock.json") || path.endsWith("pnpm-lock.yaml") || path.endsWith("yarn.lock")) {
-          fileScore = 0; // Lock files are auto-generated
-        }
-        // JSON/YAML config files - minimal impact
-        else if (path.endsWith(".json") || path.endsWith(".yaml") || path.endsWith(".yml")) {
-          fileScore = 3;
-        }
-        // Components/Pages - low impact (UI changes)
-        else if (path.includes("/components/") || path.includes("/pages/") || path.includes("/app/")) {
-          fileScore = 3;
-        }
-        // Styles - minimal impact
-        else if (path.endsWith(".css") || path.endsWith(".scss") || path.endsWith(".less")) {
-          fileScore = 1;
-        }
-        // Everything else - low impact
-        else {
-          fileScore = 2;
-        }
-        
-        score += fileScore;
-      }
-      
-      // Apply single-file discount
-      return Math.round(score * singleFileDiscount);
-    },
-  },
-  
-  /**
-   * Irreversibility
-   * How hard it is to undo the change
-   */
-  IRREVERSIBILITY: {
-    id: "irreversibility",
-    name: "Irreversibility",
-    description: "Difficulty of undoing the change",
-    baseWeight: 1,
-    calculate: (context) => {
-      let score = 0;
-      const operations = context.operations || [];
-      const files = context.files || [];
-      
-      for (const op of operations) {
-        const type = op.type?.toLowerCase();
-        const path = (op.path || "").toLowerCase();
-        
-        // Deletions are highly irreversible
-        if (type === "delete") {
-          score += 20;
-          // Even more for core files
-          if (path.includes("/core/") || path.includes("/lib/")) {
-            score += 15;
-          }
-        }
-        // Migrations are very irreversible
-        else if (path.includes("migration") || path.includes("/prisma/")) {
-          score += 30;
-        }
-        // Schema changes are irreversible
-        else if (path.includes("schema") || path.includes(".prisma")) {
-          score += 25;
-        }
-      }
-      
-      // Check for delete operations in files
-      for (const file of files) {
-        const path = (file.path || file).toLowerCase();
-        if (path.includes("migration")) {
-          score += 25;
-        }
-      }
-      
-      return score;
-    },
-  },
-  
-  /**
-   * Confidence
-   * How confident we are in the change's safety
-   */
-  CONFIDENCE: {
-    id: "confidence",
-    name: "Confidence Gap",
-    description: "Points added for unverified assumptions",
-    baseWeight: 1,
-    calculate: (context) => {
-      let score = 0;
-      
-      // Unresolved assumptions add risk (reduced from 40 to 15 per assumption)
-      // Most assumptions are benign and resolve at runtime
-      const unresolvedAssumptions = context.unresolvedAssumptions || [];
-      const assumptionCount = unresolvedAssumptions.length;
-      
-      // Use diminishing returns for multiple assumptions
-      if (assumptionCount > 0) {
-        // First assumption: 15 points, then 10, then 5 each for more
-        score += Math.min(15 + Math.max(0, assumptionCount - 1) * 5, 40);
-      }
-      
-      // Low confidence in proposal (reduced from 30/20/10 to 15/10/5)
-      const confidence = context.proposalConfidence ?? 1;
-      if (confidence < 0.3) {
-        score += 15;
-      } else if (confidence < 0.5) {
-        score += 10;
-      } else if (confidence < 0.7) {
-        score += 5;
-      }
-      // Note: 0.7+ confidence adds no penalty (default is fine)
-      
-      // Missing intent - only penalize if completely missing
-      // Many agents provide minimal but valid intents
-      if (!context.intent || context.intent.trim().length === 0) {
-        score += 8;
-      }
-      
-      return score;
-    },
-  },
-  
-  /**
-   * Novelty
-   * Whether this introduces new patterns
-   */
-  NOVELTY: {
-    id: "novelty",
-    name: "Novelty",
-    description: "Introduction of new patterns or dependencies",
-    baseWeight: 1,
-    calculate: (context) => {
-      let score = 0;
-      
-      // New dependencies - only risky if adding many
-      // Single new dependency is very common during development
-      const newDependencies = context.newDependencies || [];
-      if (newDependencies.length > 3) {
-        score += 5 + (newDependencies.length - 3) * 3; // Only penalize bulk additions
-      }
-      
-      // New files being created - very normal during development
-      // Only flag if creating many files at once (could be a scaffold)
-      const operations = context.operations || [];
-      const creations = operations.filter(op => op.type === "create");
-      if (creations.length > 5) {
-        score += (creations.length - 5) * 2;
-      }
-      
-      // New env vars - reduced from 15 to 5 per var
-      // New env vars are common when adding features
-      const newEnvVars = context.newEnvVars || [];
-      score += Math.min(newEnvVars.length * 5, 15); // Cap at 15 points
-      
-      // New routes - reduced from 8 to 3 per route
-      // Adding routes is normal API development
-      const newRoutes = context.newRoutes || [];
-      score += Math.min(newRoutes.length * 3, 12); // Cap at 12 points
-      
-      return score;
-    },
-  },
-  
-  /**
-   * Domain Risk
-   * Risk based on the domain being modified
-   */
-  DOMAIN: {
-    id: "domain",
-    name: "Domain Risk",
-    description: "Risk associated with specific domains",
-    baseWeight: 1,
-    calculate: (context) => {
-      const domains = context.domains || [];
-      
-      // If no domains identified, it's likely a safe general change
-      if (domains.length === 0) return 0;
-      
-      // Reduced domain weights to avoid over-penalizing
-      // Single-file auth changes shouldn't trigger blocks by themselves
-      const domainWeights = {
-        payments: 20,      // Reduced from 35 - payments is sensitive but not always blocking
-        auth: 15,          // Reduced from 30 - many auth changes are benign
-        security: 15,      // Reduced from 30 - security patterns are common
-        database: 12,      // Reduced from 25 - schema changes are normal
-        middleware: 8,     // Reduced from 20 - middleware is often safe
-        core: 10,          // Reduced from 20 - core changes happen regularly
-        routes: 5,         // Reduced from 15 - route changes are common
-        contracts: 8,      // Reduced from 15 - API contracts evolve
-        config: 3,         // Reduced from 12 - config is usually safe
-        ui: 0,             // Reduced from 5 - UI changes are generally safe
-        test: 0,           // Reduced from 2 - tests have no production impact
-        general: 0,        // Reduced from 3 - general is the default, shouldn't add risk
-      };
-      
-      // Only count the highest-risk domain (don't stack)
-      // This prevents a file in "auth + routes" from getting double-penalized
-      let maxScore = 0;
-      for (const domain of domains) {
-        const weight = domainWeights[domain] ?? 2;
-        maxScore = Math.max(maxScore, weight);
-      }
-      
-      return maxScore;
-    },
-  },
-  
-  /**
-   * Side Effects
-   * Potential for unintended side effects
-   */
-  SIDE_EFFECTS: {
-    id: "side_effects",
-    name: "Side Effects",
-    description: "Potential for unintended side effects",
-    baseWeight: 1,
-    calculate: (context) => {
-      let score = 0;
-      const claims = context.claims || [];
-      
-      // Network calls - very common, reduced impact
-      // Only penalize if there are many or if they're to external services
-      const networkClaims = claims.filter(c => 
-        c.type === "fetch" || c.type === "api_call" || c.type === "network"
-      );
-      // First 3 network calls are free (normal API usage)
-      if (networkClaims.length > 3) {
-        score += (networkClaims.length - 3) * 5;
-      }
-      
-      // File system operations - only server-side concerns
-      const fsClaims = claims.filter(c => 
-        c.type === "fs_write" || c.type === "fs_delete"
-      );
-      // Writes are more concerning than reads
-      const writeOps = fsClaims.filter(c => c.type === "fs_write");
-      const deleteOps = fsClaims.filter(c => c.type === "fs_delete");
-      score += writeOps.length * 5;
-      score += deleteOps.length * 10; // Deletes are more dangerous
-      
-      // Database mutations - important but common
-      const dbClaims = claims.filter(c => 
-        c.type === "db_write" || c.type === "db_delete" || c.type === "db_mutation"
-      );
-      // Only penalize destructive DB operations heavily
-      const dbDeletes = dbClaims.filter(c => c.type === "db_delete");
-      const dbWrites = dbClaims.filter(c => c.type !== "db_delete");
-      score += dbWrites.length * 3;
-      score += dbDeletes.length * 12;
-      
-      // External service calls - reduced from 18 to 8
-      // Calling external APIs is normal
-      const externalClaims = claims.filter(c => 
-        c.type === "external_service" || c.type === "webhook"
-      );
-      score += Math.min(externalClaims.length * 8, 20); // Cap at 20
-      
-      return score;
-    },
-  },
-};
-
-/**
- * Risk level thresholds
- */
-const RISK_LEVELS = {
-  LOW: { min: 0, max: 25, label: "LOW", color: "green" },
-  MEDIUM: { min: 26, max: 50, label: "MEDIUM", color: "yellow" },
-  HIGH: { min: 51, max: 80, label: "HIGH", color: "orange" },
-  CRITICAL: { min: 81, max: Infinity, label: "CRITICAL", color: "red" },
-};
-
-/**
- * Get risk level from score
- */
-function getRiskLevel(score) {
-  if (score <= RISK_LEVELS.LOW.max) return RISK_LEVELS.LOW;
-  if (score <= RISK_LEVELS.MEDIUM.max) return RISK_LEVELS.MEDIUM;
-  if (score <= RISK_LEVELS.HIGH.max) return RISK_LEVELS.HIGH;
-  return RISK_LEVELS.CRITICAL;
-}
-
-/**
- * Get all vector IDs
- */
-function getVectorIds() {
-  return Object.values(RISK_VECTORS).map(v => v.id);
-}
-
-/**
- * Get vector by ID
- */
-function getVector(id) {
-  return Object.values(RISK_VECTORS).find(v => v.id === id);
-}
-
-module.exports = {
-  RISK_VECTORS,
-  RISK_LEVELS,
-  getRiskLevel,
-  getVectorIds,
-  getVector,
-};