@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/schemas/ajv-validator.js

@@ -0,0 +1,464 @@
+/**
+ * Schema Validator v3 - Production AJV Implementation
+ * 
+ * Full JSON Schema Draft 2020-12 validation using AJV.
+ * Replaces the minimal validator for production use.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+// Lazy-load AJV to avoid startup cost if not needed
+let ajv = null;
+let ajvFormats = null;
+
+function getAjv() {
+  if (!ajv) {
+    const Ajv = require("ajv");
+    ajvFormats = require("ajv-formats");
+    
+    ajv = new Ajv({
+      strict: true,
+      allErrors: true,
+      verbose: true,
+      validateFormats: true,
+      // Allow unknown keywords for custom extensions
+      strictTypes: true,
+      strictTuples: true,
+      // Cache schemas for performance
+      cache: new Map(),
+    });
+    
+    // Add standard formats (date-time, uri, email, etc.)
+    ajvFormats(ajv);
+    
+    // Add custom formats
+    ajv.addFormat("sha256", /^sha256:[a-f0-9]{64}$/);
+    ajv.addFormat("fingerprint", /^sha256:[a-f0-9]{64}$/);
+    ajv.addFormat("finding-id", /^F_[A-Z0-9_]+$/);
+    ajv.addFormat("evidence-id", /^E_[A-Z0-9]+$/);
+  }
+  
+  return ajv;
+}
+
+// Schema cache
+const schemaCache = new Map();
+const validatorCache = new Map();
+
+// Schema IDs (same as validator.js for compatibility)
+const SCHEMAS = {
+  FINDING: "finding.schema.json",
+  FINDING_V3: "finding-v3.schema.json",
+  SHIP_REPORT: "ship-report.schema.json",
+  REALITY_REPORT: "reality-report.schema.json",
+  TRUTHPACK_V2: "truthpack-v2.schema.json",
+  CONTRACTS: "contracts.schema.json",
+  PROOF_GRAPH: "proof-graph.schema.json",
+  MISSION_PACK: "mission-pack.schema.json",
+  SHARE_PACK: "share-pack.schema.json",
+  VERDICT: "verdict.schema.json",
+  ERROR_ENVELOPE: "error-envelope.schema.json",
+  RUN_REQUEST: "run-request.schema.json",
+  REPORT_ARTIFACT: "report-artifact.schema.json",
+};
+
+// =============================================================================
+// SCHEMA LOADING
+// =============================================================================
+
+/**
+ * Load a schema by ID
+ */
+function loadSchema(schemaId) {
+  if (schemaCache.has(schemaId)) {
+    return schemaCache.get(schemaId);
+  }
+
+  const schemaPath = path.join(__dirname, schemaId);
+  if (!fs.existsSync(schemaPath)) {
+    return null;
+  }
+
+  try {
+    const schema = JSON.parse(fs.readFileSync(schemaPath, "utf8"));
+    schemaCache.set(schemaId, schema);
+    return schema;
+  } catch (e) {
+    console.error(`Failed to load schema ${schemaId}:`, e.message);
+    return null;
+  }
+}
+
+/**
+ * Get compiled validator for schema
+ */
+function getValidator(schemaId) {
+  if (validatorCache.has(schemaId)) {
+    return validatorCache.get(schemaId);
+  }
+  
+  const schema = loadSchema(schemaId);
+  if (!schema) {
+    return null;
+  }
+  
+  try {
+    const ajvInstance = getAjv();
+    
+    // Remove $id to avoid conflicts when compiling multiple schemas
+    const schemaCopy = { ...schema };
+    delete schemaCopy.$id;
+    
+    const validator = ajvInstance.compile(schemaCopy);
+    validatorCache.set(schemaId, validator);
+    return validator;
+  } catch (e) {
+    console.error(`Failed to compile schema ${schemaId}:`, e.message);
+    return null;
+  }
+}
+
+/**
+ * Validate data against schema using AJV
+ */
+function validateAgainstSchema(data, schema, contextPath = "") {
+  if (!schema || data === undefined) {
+    return [];
+  }
+  
+  try {
+    const ajvInstance = getAjv();
+    const schemaCopy = { ...schema };
+    delete schemaCopy.$id;
+    
+    const validate = ajvInstance.compile(schemaCopy);
+    const valid = validate(data);
+    
+    if (valid) {
+      return [];
+    }
+    
+    // Convert AJV errors to our format
+    return (validate.errors || []).map(err => ({
+      path: contextPath + (err.instancePath || ""),
+      message: err.message || "Validation failed",
+      keyword: err.keyword,
+      params: err.params,
+    }));
+  } catch (e) {
+    return [{
+      path: contextPath,
+      message: `Schema compilation error: ${e.message}`,
+      keyword: "compile",
+    }];
+  }
+}
+
+// =============================================================================
+// ARTIFACT VALIDATION
+// =============================================================================
+
+/**
+ * Validate an artifact file against its schema
+ */
+function validateArtifact(filePath, schemaId) {
+  const validator = getValidator(schemaId);
+  
+  if (!validator) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Schema ${schemaId} not found or invalid`, keyword: "schema" }],
+    };
+  }
+
+  let data;
+  try {
+    data = JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch (e) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Failed to read/parse file: ${e.message}`, keyword: "parse" }],
+    };
+  }
+
+  const valid = validator(data);
+  
+  if (valid) {
+    return { valid: true, errors: [], data };
+  }
+  
+  const errors = (validator.errors || []).map(err => ({
+    path: err.instancePath || "",
+    message: err.message || "Validation failed",
+    keyword: err.keyword,
+    params: err.params,
+  }));
+  
+  return { valid: false, errors, data };
+}
+
+/**
+ * Validate data object against schema
+ */
+function validateData(data, schemaId) {
+  const validator = getValidator(schemaId);
+  
+  if (!validator) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Schema ${schemaId} not found`, keyword: "schema" }],
+    };
+  }
+  
+  const valid = validator(data);
+  
+  if (valid) {
+    return { valid: true, errors: [] };
+  }
+  
+  const errors = (validator.errors || []).map(err => ({
+    path: err.instancePath || "",
+    message: err.message || "Validation failed",
+    keyword: err.keyword,
+  }));
+  
+  return { valid: false, errors };
+}
+
+/**
+ * Validate and write artifact with schema check
+ */
+function writeValidatedArtifact(filePath, data, schemaId, options = {}) {
+  const { strict = false, warnOnly = true } = options;
+  
+  const result = validateData(data, schemaId);
+  
+  if (!result.valid) {
+    const message = `Artifact ${filePath} has ${result.errors.length} schema violations`;
+    
+    if (strict) {
+      throw new Error(`${message}: ${result.errors.map(e => e.message).join(", ")}`);
+    }
+    
+    if (warnOnly) {
+      console.warn(`Warning: ${message}:`);
+      result.errors.slice(0, 5).forEach(e => 
+        console.warn(`  - ${e.path || "/"}: ${e.message}`)
+      );
+      if (result.errors.length > 5) {
+        console.warn(`  ... and ${result.errors.length - 5} more errors`);
+      }
+    }
+  }
+
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+  
+  return { 
+    written: true, 
+    path: filePath,
+    valid: result.valid,
+    errors: result.errors,
+  };
+}
+
+// =============================================================================
+// FINDING GENERATION (kept for compatibility with validator.js)
+// =============================================================================
+
+/**
+ * Generate stable fingerprint for deduplication
+ */
+function generateFingerprint(parts) {
+  const content = parts.filter(Boolean).join("|");
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+
+/**
+ * Generate finding ID
+ */
+function generateFindingId(detectorId, fingerprint) {
+  return `F_${detectorId}_${fingerprint.slice(0, 8).toUpperCase()}`;
+}
+
+/**
+ * Generate evidence ID
+ */
+function generateEvidenceId(fingerprint) {
+  return `E_${fingerprint.slice(0, 12).toUpperCase()}`;
+}
+
+/**
+ * Create a spec-compliant finding
+ */
+function createFinding(options = {}) {
+  const {
+    detectorId,
+    severity = "WARN",
+    category = "Routes",
+    scope = "client",
+    title,
+    why,
+    confidence = "medium",
+    evidence = [],
+    repro = null,
+    related = [],
+    proofNode = null,
+    missionType = null,
+    file = null,
+    path: routePath = null,
+    method = null,
+  } = options;
+
+  const fingerprint = generateFingerprint([
+    detectorId,
+    file,
+    routePath,
+    method,
+    title,
+  ]);
+
+  const finding = {
+    id: generateFindingId(detectorId, fingerprint),
+    detectorId,
+    fingerprint: `sha256:${fingerprint}`,
+    severity,
+    category,
+    scope,
+    title,
+    why,
+    confidence,
+    evidence: evidence.map((e, i) => ({
+      id: e.id || generateEvidenceId(fingerprint + i),
+      kind: e.kind || "file",
+      ...e,
+    })),
+    repro,
+    related,
+    proofNode,
+    missionType,
+  };
+  
+  // Validate the finding
+  const result = validateData(finding, SCHEMAS.FINDING_V3);
+  if (!result.valid) {
+    console.warn(`Warning: Created finding has schema violations:`, result.errors.slice(0, 3));
+  }
+  
+  return finding;
+}
+
+/**
+ * Create file evidence
+ */
+function createFileEvidence(options = {}) {
+  const { file, lines, snippetHash, reason } = options;
+  const fp = generateFingerprint([file, lines, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "file",
+    file,
+    lines,
+    snippetHash,
+    reason,
+  };
+}
+
+/**
+ * Create runtime evidence
+ */
+function createRuntimeEvidence(options = {}) {
+  const { url, httpStatus, reason, data } = options;
+  const fp = generateFingerprint([url, httpStatus, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "request",
+    url,
+    httpStatus,
+    reason,
+    data,
+  };
+}
+
+// =============================================================================
+// SEVERITY POLICY (kept for compatibility with validator.js)
+// =============================================================================
+
+const SEVERITY_POLICY = {
+  ROUTE_MISSING: { default: "BLOCK", withRuntimeProof: "BLOCK" },
+  ROUTE_404: { default: "BLOCK" },
+  ROUTE_405: { default: "WARN" },
+  AUTH_BYPASS: { default: "BLOCK" },
+  AUTH_MISSING: { default: "WARN", criticalPath: "BLOCK" },
+  FAKE_SUCCESS: { default: "BLOCK" },
+  SUCCESS_TOAST_NO_CHANGE: { default: "BLOCK" },
+  SUCCESS_BEFORE_REQUEST: { default: "BLOCK" },
+  DEAD_CLICK: { default: "BLOCK" },
+  NO_FEEDBACK: { default: "WARN" },
+  CONTRACT_DRIFT_ROUTE: { default: "WARN", blocking: "BLOCK" },
+  CONTRACT_DRIFT_ENV: { default: "WARN", required: "BLOCK" },
+  CONTRACT_DRIFT_AUTH: { default: "BLOCK" },
+  STRIPE_WEBHOOK_UNVERIFIED: { default: "BLOCK" },
+  PAID_SURFACE_UNENFORCED: { default: "BLOCK" },
+  OWNER_MODE_BYPASS: { default: "BLOCK" },
+  HARDCODED_SECRET: { default: "BLOCK" },
+};
+
+/**
+ * Get severity based on policy
+ */
+function getSeverity(issueType, context = {}) {
+  const policy = SEVERITY_POLICY[issueType];
+  if (!policy) return "WARN";
+
+  if (context.hasRuntimeProof && policy.withRuntimeProof) {
+    return policy.withRuntimeProof;
+  }
+  if (context.isCriticalPath && policy.criticalPath) {
+    return policy.criticalPath;
+  }
+  if (context.isBlocking && policy.blocking) {
+    return policy.blocking;
+  }
+  if (context.isRequired && policy.required) {
+    return policy.required;
+  }
+
+  return policy.default;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  // Schema operations
+  SCHEMAS,
+  loadSchema,
+  getValidator,
+  validateAgainstSchema,
+  validateArtifact,
+  validateData,
+  writeValidatedArtifact,
+  
+  // Finding generation
+  generateFingerprint,
+  generateFindingId,
+  generateEvidenceId,
+  createFinding,
+  createFileEvidence,
+  createRuntimeEvidence,
+  
+  // Severity policy
+  SEVERITY_POLICY,
+  getSeverity,
+  
+  // AJV access for advanced usage
+  getAjv,
+};

package/bin/runners/lib/schemas/error-envelope.schema.json

@@ -0,0 +1,105 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/error-envelope.schema.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "Vibecheck Error Envelope",
+  "description": "Standardized error response wrapper",
+  "type": "object",
+  "required": [
+    "error",
+    "code",
+    "message"
+  ],
+  "properties": {
+    "error": {
+      "type": "boolean",
+      "const": true,
+      "description": "Always true for error responses"
+    },
+    "code": {
+      "type": "string",
+      "enum": [
+        "SCHEMA_INVALID",
+        "TOOL_NOT_FOUND",
+        "TIER_REQUIRED",
+        "AUTH_REQUIRED",
+        "AUTH_INVALID",
+        "RATE_LIMITED",
+        "TIMEOUT",
+        "PROJECT_NOT_FOUND",
+        "CONFIG_INVALID",
+        "INTERNAL_ERROR",
+        "NETWORK_ERROR",
+        "PARSE_ERROR"
+      ],
+      "description": "Machine-readable error code"
+    },
+    "message": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Human-readable error message"
+    },
+    "details": {
+      "type": ["object", "null"],
+      "description": "Additional error details",
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "JSON path to invalid field (for SCHEMA_INVALID)"
+        },
+        "expected": {
+          "type": "string",
+          "description": "Expected value or type"
+        },
+        "received": {
+          "type": "string",
+          "description": "Received value or type"
+        },
+        "schema_errors": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "instancePath": { "type": "string" },
+              "schemaPath": { "type": "string" },
+              "keyword": { "type": "string" },
+              "params": { "type": "object" },
+              "message": { "type": "string" }
+            }
+          },
+          "description": "Detailed AJV validation errors"
+        },
+        "required_tier": {
+          "type": "string",
+          "enum": ["free", "pro", "enterprise"],
+          "description": "Required tier (for TIER_REQUIRED)"
+        },
+        "current_tier": {
+          "type": "string",
+          "enum": ["free", "pro", "enterprise"],
+          "description": "Current user tier"
+        },
+        "retry_after_ms": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Milliseconds to wait before retry (for RATE_LIMITED)"
+        }
+      }
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 timestamp of error occurrence"
+    },
+    "correlation_id": {
+      "type": ["string", "null"],
+      "description": "Correlation ID for tracing"
+    },
+    "help_url": {
+      "type": ["string", "null"],
+      "format": "uri",
+      "description": "URL to documentation for this error"
+    }
+  },
+  "additionalProperties": false
+}

package/bin/runners/lib/schemas/finding-v3.schema.json

@@ -0,0 +1,151 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/finding-v3.schema.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "Vibecheck Finding v3",
+  "description": "A single finding from static or runtime analysis with stable fields",
+  "type": "object",
+  "required": [
+    "rule_id",
+    "category",
+    "severity",
+    "confidence",
+    "message",
+    "explanation",
+    "evidence",
+    "tags"
+  ],
+  "properties": {
+    "rule_id": {
+      "type": "string",
+      "pattern": "^[A-Z][A-Z0-9_]+$",
+      "description": "Unique rule identifier (e.g., MOCK_DATA_001, AUTH_BYPASS_002)"
+    },
+    "category": {
+      "type": "string",
+      "enum": [
+        "truth",
+        "routes",
+        "auth",
+        "env",
+        "billing",
+        "dead_ui",
+        "fake_success",
+        "ui_mismatch",
+        "contract_drift",
+        "security",
+        "coverage",
+        "quality",
+        "performance"
+      ],
+      "description": "Finding category for grouping and filtering"
+    },
+    "severity": {
+      "type": "string",
+      "enum": ["BLOCK", "WARN", "INFO"],
+      "description": "BLOCK stops ship, WARN allows with warning, INFO is informational"
+    },
+    "confidence": {
+      "type": "number",
+      "minimum": 0,
+      "maximum": 1,
+      "description": "Confidence score from 0.0 (low) to 1.0 (high)"
+    },
+    "message": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 200,
+      "description": "Short human-readable message (displayed in lists)"
+    },
+    "explanation": {
+      "type": "string",
+      "minLength": 10,
+      "description": "Detailed explanation of why this is an issue"
+    },
+    "evidence": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "$ref": "#/$defs/evidence"
+      },
+      "description": "Evidence supporting this finding (at least one required)"
+    },
+    "fix_hint": {
+      "type": ["string", "null"],
+      "description": "Suggested fix or remediation steps"
+    },
+    "tags": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "pattern": "^[a-z][a-z0-9_-]*$"
+      },
+      "description": "Tags for categorization and filtering"
+    },
+    "fingerprint": {
+      "type": "string",
+      "pattern": "^sha256:[a-f0-9]{64}$",
+      "description": "Stable hash for deduplication across runs"
+    },
+    "first_seen": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 timestamp when first detected"
+    },
+    "suppressed": {
+      "type": "boolean",
+      "default": false,
+      "description": "Whether this finding is suppressed via allowlist"
+    },
+    "suppression_reason": {
+      "type": ["string", "null"],
+      "description": "Reason for suppression if suppressed"
+    }
+  },
+  "$defs": {
+    "evidence": {
+      "type": "object",
+      "required": ["path", "lineStart", "lineEnd"],
+      "properties": {
+        "path": {
+          "type": "string",
+          "minLength": 1,
+          "description": "File path relative to project root"
+        },
+        "lineStart": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Starting line number (1-indexed)"
+        },
+        "lineEnd": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Ending line number (1-indexed)"
+        },
+        "snippet": {
+          "type": ["string", "null"],
+          "maxLength": 2000,
+          "description": "Code snippet (optional, may be truncated)"
+        },
+        "kind": {
+          "type": "string",
+          "enum": ["file", "request", "runtime", "screenshot", "diff", "trace"],
+          "default": "file",
+          "description": "Type of evidence"
+        },
+        "url": {
+          "type": ["string", "null"],
+          "format": "uri",
+          "description": "URL for runtime/request evidence"
+        },
+        "httpStatus": {
+          "type": ["integer", "null"],
+          "minimum": 100,
+          "maximum": 599,
+          "description": "HTTP status code for request evidence"
+        }
+      }
+    }
+  },
+  "additionalProperties": false
+}