@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/policy-engine.js

@@ -1,652 +0,0 @@
-/**
- * Enterprise Policy Enforcement Engine
- * 
- * Define and enforce security policies:
- * - Custom rules
- * - Threshold-based policies
- * - Team/org policies
- * - Branch policies
- * - Time-based policies
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-/**
- * Policy condition operators
- */
-const OPERATORS = {
-  eq: (a, b) => a === b,
-  ne: (a, b) => a !== b,
-  gt: (a, b) => a > b,
-  gte: (a, b) => a >= b,
-  lt: (a, b) => a < b,
-  lte: (a, b) => a <= b,
-  contains: (a, b) => String(a).includes(String(b)),
-  notContains: (a, b) => !String(a).includes(String(b)),
-  matches: (a, b) => new RegExp(b).test(String(a)),
-  notMatches: (a, b) => !new RegExp(b).test(String(a)),
-  in: (a, b) => Array.isArray(b) && b.includes(a),
-  notIn: (a, b) => Array.isArray(b) && !b.includes(a),
-  exists: (a) => a !== undefined && a !== null,
-  notExists: (a) => a === undefined || a === null,
-};
-
-/**
- * Policy actions
- */
-const ACTIONS = {
-  BLOCK: "block",
-  WARN: "warn",
-  ALLOW: "allow",
-  NOTIFY: "notify",
-  REQUIRE_APPROVAL: "require_approval",
-  AUTO_FIX: "auto_fix",
-  ESCALATE: "escalate",
-};
-
-/**
- * Built-in policy templates
- */
-const POLICY_TEMPLATES = {
-  "no-secrets": {
-    id: "no-secrets",
-    name: "No Hardcoded Secrets",
-    description: "Block deployments with hardcoded secrets",
-    enabled: true,
-    priority: 100,
-    conditions: [
-      {
-        field: "findings",
-        path: "category",
-        operator: "contains",
-        value: "secret",
-      },
-    ],
-    action: ACTIONS.BLOCK,
-    message: "Hardcoded secrets detected. Remove all secrets before deploying.",
-    remediation: "Use environment variables or a secrets manager for sensitive data.",
-    tags: ["security", "secrets", "critical"],
-  },
-  
-  "no-critical-vulns": {
-    id: "no-critical-vulns",
-    name: "No Critical Vulnerabilities",
-    description: "Block deployments with critical vulnerabilities",
-    enabled: true,
-    priority: 95,
-    conditions: [
-      {
-        field: "summary.critical",
-        operator: "gt",
-        value: 0,
-      },
-    ],
-    action: ACTIONS.BLOCK,
-    message: "Critical vulnerabilities detected. Fix all critical issues before deploying.",
-    tags: ["security", "vulnerabilities", "critical"],
-  },
-  
-  "max-high-issues": {
-    id: "max-high-issues",
-    name: "Maximum High-Severity Issues",
-    description: "Limit number of high-severity issues",
-    enabled: true,
-    priority: 80,
-    conditions: [
-      {
-        field: "summary.high",
-        operator: "gt",
-        value: 5,
-      },
-    ],
-    action: ACTIONS.WARN,
-    message: "Too many high-severity issues detected (>5).",
-    tags: ["quality", "threshold"],
-  },
-  
-  "minimum-score": {
-    id: "minimum-score",
-    name: "Minimum Quality Score",
-    description: "Require minimum quality score for deployment",
-    enabled: true,
-    priority: 70,
-    conditions: [
-      {
-        field: "score",
-        operator: "lt",
-        value: 70,
-      },
-    ],
-    action: ACTIONS.BLOCK,
-    message: "Quality score too low. Minimum required: 70.",
-    tags: ["quality", "threshold"],
-  },
-  
-  "no-mock-data": {
-    id: "no-mock-data",
-    name: "No Mock Data in Production",
-    description: "Block mock/fake data in production code",
-    enabled: true,
-    priority: 90,
-    conditions: [
-      {
-        field: "findings",
-        path: "category",
-        operator: "matches",
-        value: "mock|fake|stub|test-data",
-      },
-    ],
-    action: ACTIONS.BLOCK,
-    message: "Mock data detected in production paths.",
-    tags: ["quality", "data"],
-  },
-  
-  "require-tests": {
-    id: "require-tests",
-    name: "Require Test Coverage",
-    description: "Ensure test coverage meets minimum threshold",
-    enabled: false,
-    priority: 60,
-    conditions: [
-      {
-        field: "coverage",
-        operator: "lt",
-        value: 80,
-      },
-    ],
-    action: ACTIONS.WARN,
-    message: "Test coverage below 80%.",
-    tags: ["quality", "testing"],
-  },
-  
-  "branch-protection": {
-    id: "branch-protection",
-    name: "Main Branch Protection",
-    description: "Stricter rules for main/master branch",
-    enabled: true,
-    priority: 100,
-    conditions: [
-      {
-        field: "branch",
-        operator: "matches",
-        value: "^(main|master)$",
-      },
-      {
-        field: "summary.critical",
-        operator: "gt",
-        value: 0,
-      },
-    ],
-    action: ACTIONS.BLOCK,
-    message: "Cannot merge to main/master with critical issues.",
-    tags: ["branch", "protection"],
-  },
-  
-  "after-hours-approval": {
-    id: "after-hours-approval",
-    name: "After-Hours Approval Required",
-    description: "Require approval for deployments outside business hours",
-    enabled: false,
-    priority: 50,
-    conditions: [
-      {
-        field: "time.hour",
-        operator: "notIn",
-        value: [9, 10, 11, 12, 13, 14, 15, 16, 17],
-      },
-    ],
-    action: ACTIONS.REQUIRE_APPROVAL,
-    message: "Deployment outside business hours requires approval.",
-    tags: ["time", "approval"],
-  },
-  
-  "weekend-block": {
-    id: "weekend-block",
-    name: "Weekend Deployment Block",
-    description: "Block deployments on weekends",
-    enabled: false,
-    priority: 40,
-    conditions: [
-      {
-        field: "time.dayOfWeek",
-        operator: "in",
-        value: [0, 6], // Sunday, Saturday
-      },
-    ],
-    action: ACTIONS.BLOCK,
-    message: "Deployments are not allowed on weekends.",
-    tags: ["time", "weekend"],
-  },
-};
-
-/**
- * Policy evaluation result
- */
-class PolicyResult {
-  constructor(policy, matched, action, message) {
-    this.policyId = policy.id;
-    this.policyName = policy.name;
-    this.matched = matched;
-    this.action = action;
-    this.message = message;
-    this.remediation = policy.remediation;
-    this.priority = policy.priority;
-    this.tags = policy.tags || [];
-    this.timestamp = new Date().toISOString();
-  }
-}
-
-/**
- * Policy Engine class
- */
-class PolicyEngine {
-  constructor(options = {}) {
-    this.options = {
-      policiesDir: options.policiesDir || path.join(process.cwd(), ".vibecheck", "policies"),
-      enableBuiltIn: options.enableBuiltIn !== false,
-      strictMode: options.strictMode || false,
-      ...options,
-    };
-    
-    this.policies = new Map();
-    this.customPolicies = new Map();
-    
-    // Load built-in policies
-    if (this.options.enableBuiltIn) {
-      this.loadBuiltInPolicies();
-    }
-    
-    // Load custom policies
-    this.loadCustomPolicies();
-  }
-  
-  /**
-   * Load built-in policies
-   */
-  loadBuiltInPolicies() {
-    for (const [id, policy] of Object.entries(POLICY_TEMPLATES)) {
-      this.policies.set(id, { ...policy, builtIn: true });
-    }
-  }
-  
-  /**
-   * Load custom policies from directory
-   */
-  loadCustomPolicies() {
-    if (!fs.existsSync(this.options.policiesDir)) {
-      return;
-    }
-    
-    const files = fs.readdirSync(this.options.policiesDir)
-      .filter(f => f.endsWith(".json") || f.endsWith(".yaml") || f.endsWith(".yml"));
-    
-    for (const file of files) {
-      try {
-        const content = fs.readFileSync(path.join(this.options.policiesDir, file), "utf-8");
-        const policy = JSON.parse(content);
-        
-        if (this.validatePolicy(policy)) {
-          this.customPolicies.set(policy.id, { ...policy, builtIn: false });
-        }
-      } catch (error) {
-        console.error(`Failed to load policy ${file}:`, error.message);
-      }
-    }
-  }
-  
-  /**
-   * Validate policy structure
-   */
-  validatePolicy(policy) {
-    if (!policy.id || !policy.name || !policy.conditions || !policy.action) {
-      return false;
-    }
-    
-    if (!Array.isArray(policy.conditions)) {
-      return false;
-    }
-    
-    for (const condition of policy.conditions) {
-      if (!condition.field || !condition.operator) {
-        return false;
-      }
-      if (!OPERATORS[condition.operator]) {
-        return false;
-      }
-    }
-    
-    if (!Object.values(ACTIONS).includes(policy.action)) {
-      return false;
-    }
-    
-    return true;
-  }
-  
-  /**
-   * Add or update a policy
-   */
-  addPolicy(policy) {
-    if (!this.validatePolicy(policy)) {
-      throw new Error("Invalid policy structure");
-    }
-    
-    this.customPolicies.set(policy.id, { ...policy, builtIn: false });
-    
-    // Save to disk
-    const policyPath = path.join(this.options.policiesDir, `${policy.id}.json`);
-    fs.mkdirSync(this.options.policiesDir, { recursive: true });
-    fs.writeFileSync(policyPath, JSON.stringify(policy, null, 2));
-    
-    return policy;
-  }
-  
-  /**
-   * Remove a custom policy
-   */
-  removePolicy(policyId) {
-    if (!this.customPolicies.has(policyId)) {
-      return false;
-    }
-    
-    this.customPolicies.delete(policyId);
-    
-    const policyPath = path.join(this.options.policiesDir, `${policyId}.json`);
-    if (fs.existsSync(policyPath)) {
-      fs.unlinkSync(policyPath);
-    }
-    
-    return true;
-  }
-  
-  /**
-   * Get all policies (built-in + custom)
-   */
-  getAllPolicies() {
-    const all = new Map([...this.policies, ...this.customPolicies]);
-    return Array.from(all.values())
-      .filter(p => p.enabled)
-      .sort((a, b) => (b.priority || 0) - (a.priority || 0));
-  }
-  
-  /**
-   * Evaluate a condition against context
-   */
-  evaluateCondition(condition, context) {
-    let value = context;
-    
-    // Navigate to field
-    const fieldParts = condition.field.split(".");
-    for (const part of fieldParts) {
-      if (value === undefined || value === null) break;
-      value = value[part];
-    }
-    
-    // If path is specified, check array items
-    if (condition.path && Array.isArray(value)) {
-      return value.some(item => {
-        let itemValue = item;
-        const pathParts = condition.path.split(".");
-        for (const part of pathParts) {
-          if (itemValue === undefined || itemValue === null) break;
-          itemValue = itemValue[part];
-        }
-        return OPERATORS[condition.operator](itemValue, condition.value);
-      });
-    }
-    
-    // Regular evaluation
-    return OPERATORS[condition.operator](value, condition.value);
-  }
-  
-  /**
-   * Evaluate all policies against context
-   */
-  evaluate(context) {
-    const results = [];
-    const policies = this.getAllPolicies();
-    
-    // Add time context
-    const now = new Date();
-    context.time = {
-      hour: now.getHours(),
-      minute: now.getMinutes(),
-      dayOfWeek: now.getDay(),
-      date: now.toISOString().split("T")[0],
-      timestamp: now.toISOString(),
-    };
-    
-    // Evaluate each policy
-    for (const policy of policies) {
-      let matched = true;
-      
-      // All conditions must match (AND logic)
-      for (const condition of policy.conditions) {
-        if (!this.evaluateCondition(condition, context)) {
-          matched = false;
-          break;
-        }
-      }
-      
-      if (matched) {
-        results.push(new PolicyResult(
-          policy,
-          true,
-          policy.action,
-          policy.message
-        ));
-      }
-    }
-    
-    return results;
-  }
-  
-  /**
-   * Get the most severe action from results
-   */
-  getMostSevereAction(results) {
-    const actionPriority = {
-      [ACTIONS.BLOCK]: 100,
-      [ACTIONS.REQUIRE_APPROVAL]: 80,
-      [ACTIONS.ESCALATE]: 70,
-      [ACTIONS.WARN]: 50,
-      [ACTIONS.NOTIFY]: 30,
-      [ACTIONS.AUTO_FIX]: 20,
-      [ACTIONS.ALLOW]: 0,
-    };
-    
-    let mostSevere = ACTIONS.ALLOW;
-    let maxPriority = 0;
-    
-    for (const result of results) {
-      const priority = actionPriority[result.action] || 0;
-      if (priority > maxPriority) {
-        maxPriority = priority;
-        mostSevere = result.action;
-      }
-    }
-    
-    return mostSevere;
-  }
-  
-  /**
-   * Check if deployment should be blocked
-   */
-  shouldBlock(results) {
-    return results.some(r => r.action === ACTIONS.BLOCK);
-  }
-  
-  /**
-   * Check if approval is required
-   */
-  requiresApproval(results) {
-    return results.some(r => r.action === ACTIONS.REQUIRE_APPROVAL);
-  }
-  
-  /**
-   * Generate policy enforcement summary
-   */
-  generateSummary(results) {
-    const summary = {
-      totalPolicies: this.getAllPolicies().length,
-      evaluated: results.length,
-      blocked: results.filter(r => r.action === ACTIONS.BLOCK).length,
-      warnings: results.filter(r => r.action === ACTIONS.WARN).length,
-      requiresApproval: results.filter(r => r.action === ACTIONS.REQUIRE_APPROVAL).length,
-      finalAction: this.getMostSevereAction(results),
-      policies: results.map(r => ({
-        id: r.policyId,
-        name: r.policyName,
-        action: r.action,
-        message: r.message,
-      })),
-    };
-    
-    return summary;
-  }
-  
-  /**
-   * Create override request
-   */
-  createOverrideRequest(results, requestedBy, reason) {
-    const request = {
-      id: crypto.randomUUID(),
-      timestamp: new Date().toISOString(),
-      requestedBy,
-      reason,
-      policies: results.filter(r => r.action === ACTIONS.BLOCK).map(r => r.policyId),
-      status: "pending",
-      approvals: [],
-      expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(), // 24 hours
-    };
-    
-    // Save override request
-    const overridesDir = path.join(this.options.policiesDir, "overrides");
-    fs.mkdirSync(overridesDir, { recursive: true });
-    fs.writeFileSync(
-      path.join(overridesDir, `${request.id}.json`),
-      JSON.stringify(request, null, 2)
-    );
-    
-    return request;
-  }
-  
-  /**
-   * Approve override request
-   */
-  approveOverride(requestId, approvedBy) {
-    const overridesDir = path.join(this.options.policiesDir, "overrides");
-    const requestPath = path.join(overridesDir, `${requestId}.json`);
-    
-    if (!fs.existsSync(requestPath)) {
-      throw new Error("Override request not found");
-    }
-    
-    const request = JSON.parse(fs.readFileSync(requestPath, "utf-8"));
-    
-    if (new Date(request.expiresAt) < new Date()) {
-      request.status = "expired";
-    } else {
-      request.approvals.push({
-        approvedBy,
-        timestamp: new Date().toISOString(),
-      });
-      request.status = "approved";
-    }
-    
-    fs.writeFileSync(requestPath, JSON.stringify(request, null, 2));
-    
-    return request;
-  }
-  
-  /**
-   * Check if override is valid
-   */
-  isOverrideValid(requestId) {
-    const overridesDir = path.join(this.options.policiesDir, "overrides");
-    const requestPath = path.join(overridesDir, `${requestId}.json`);
-    
-    if (!fs.existsSync(requestPath)) {
-      return false;
-    }
-    
-    const request = JSON.parse(fs.readFileSync(requestPath, "utf-8"));
-    
-    return request.status === "approved" && new Date(request.expiresAt) > new Date();
-  }
-}
-
-// Terminal UI rendering
-let terminalUI;
-try {
-  terminalUI = require("./terminal-ui");
-} catch {
-  terminalUI = {
-    c: { reset: "", bold: "", dim: "" },
-    rgb: () => "",
-  };
-}
-
-const { c, rgb } = terminalUI;
-
-const colors = {
-  block: rgb(255, 80, 80),
-  warn: rgb(255, 200, 0),
-  allow: rgb(0, 255, 150),
-  approval: rgb(255, 150, 50),
-};
-
-/**
- * Render policy results for terminal
- */
-function renderPolicyResults(results) {
-  const lines = [];
-  
-  lines.push(`  ${c.dim}╭${"─".repeat(60)}╮${c.reset}`);
-  lines.push(`  ${c.dim}│${c.reset} ${rgb(0, 200, 255)}${c.bold}🛡️  POLICY ENFORCEMENT${c.reset}                                    ${c.dim}│${c.reset}`);
-  lines.push(`  ${c.dim}├${"─".repeat(60)}┤${c.reset}`);
-  
-  if (results.length === 0) {
-    lines.push(`  ${c.dim}│${c.reset} ${colors.allow}✓${c.reset} All policies passed                                     ${c.dim}│${c.reset}`);
-  } else {
-    for (const result of results) {
-      const actionIcon = {
-        block: `${colors.block}✗`,
-        warn: `${colors.warn}⚠`,
-        allow: `${colors.allow}✓`,
-        require_approval: `${colors.approval}🔐`,
-        notify: `${rgb(100, 200, 255)}📢`,
-      }[result.action] || "•";
-      
-      const actionColor = {
-        block: colors.block,
-        warn: colors.warn,
-        allow: colors.allow,
-        require_approval: colors.approval,
-      }[result.action] || c.dim;
-      
-      lines.push(`  ${c.dim}│${c.reset} ${actionIcon}${c.reset} ${result.policyName.padEnd(45)} ${actionColor}${result.action.toUpperCase().padEnd(6)}${c.reset}${c.dim}│${c.reset}`);
-      
-      if (result.message) {
-        const msg = result.message.substring(0, 54);
-        lines.push(`  ${c.dim}│${c.reset}   ${c.dim}${msg}${c.reset}`.padEnd(73) + `${c.dim}│${c.reset}`);
-      }
-    }
-  }
-  
-  lines.push(`  ${c.dim}╰${"─".repeat(60)}╯${c.reset}`);
-  
-  return lines.join("\n");
-}
-
-module.exports = {
-  PolicyEngine,
-  PolicyResult,
-  renderPolicyResults,
-  OPERATORS,
-  ACTIONS,
-  POLICY_TEMPLATES,
-};