@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/runGuard.js

@@ -1,27 +1,15 @@
 /**
- * vibecheck guard - Agent Firewall System
+ * vibecheck guard - Unified trust boundary enforcement
  * 
  * ═══════════════════════════════════════════════════════════════════════════════
- * Monitors and blocks AI agent actions based on policy
+ * World-Class AI Guardrails
  * ═══════════════════════════════════════════════════════════════════════════════
- * 
- * Modes:
- * - observe (FREE): Logs violations but doesn't block
- * - enforce (PRO): Blocks AI writes that violate policy
- * 
- * What It Guards Against:
- * - Forbidden paths (secrets, .env, config files)
- * - Scope violations (writing outside allowed directories)
- * - Dangerous commands (rm -rf, curl | bash)
- * - Hallucination patterns (fake APIs, placeholder data)
- * - Policy violations (custom rules)
  */
 
 const path = require("path");
 const fs = require("fs");
 const { parseGlobalFlags, shouldSuppressOutput, isJsonMode } = require("./lib/global-flags");
 const { EXIT } = require("./lib/exit-codes");
-const { tierHasFeature, getCurrentTier } = require("./lib/entitlements-v2");
 const {
   ansi,
   sym,
@@ -31,26 +19,12 @@ const {
   renderSuccess,
   renderError,
   renderWarning,
-  renderInfo,
   renderFooter,
   Spinner,
   getTierFromKey,
 } = require("./lib/unified-cli-output");
 
-// Unified Output System
-const { output } = require("./lib/output/index.js");
-
-// Import firewall components
-const {
-  loadFirewallConfig,
-  PathValidator,
-  CommandValidator,
-  ContentValidator,
-  createFirewall,
-  initFirewallConfig,
-} = require("./lib/firewall");
-
-// Import underlying implementations for legacy support
+// Import underlying implementations
 let runValidate, runPromptFirewall;
 try {
   runValidate = require("./runValidate").runValidate;
@@ -63,10 +37,6 @@ try {
   runPromptFirewall = null;
 }
 
-// ═══════════════════════════════════════════════════════════════════════════════
-// HELP OUTPUT
-// ═══════════════════════════════════════════════════════════════════════════════
-
 function printHelp() {
   console.log(`
   ${ansi.bold}USAGE${ansi.reset}
@@ -74,185 +44,46 @@ function printHelp() {
 
   ${ansi.dim}Aliases: ai-guard, firewall, validate${ansi.reset}
 
-  Agent Firewall - Monitor and block AI agent actions based on policy.
-  Protects against unauthorized file writes, dangerous commands, and
-  hallucination patterns.
-
-  ${ansi.bold}MODES${ansi.reset}
-    ${ansi.cyan}--mode observe${ansi.reset}    Log violations but don't block ${ansi.green}(FREE)${ansi.reset}
-    ${ansi.cyan}--mode enforce${ansi.reset}    Block AI writes that violate policy ${ansi.yellow}(PRO)${ansi.reset}
+  Validate AI-generated code and prompts. Detects prompt injection attempts,
+  verifies claims against your codebase (hallucination checking), and ensures
+  AI outputs meet your standards.
 
-  ${ansi.bold}ACTIONS${ansi.reset}
-    ${ansi.cyan}--action write${ansi.reset}    Validate file write operation
-    ${ansi.cyan}--action delete${ansi.reset}   Validate file delete operation
-    ${ansi.cyan}--action execute${ansi.reset}  Validate command execution
-
-  ${ansi.bold}OPTIONS${ansi.reset}
-    ${ansi.cyan}--path <path>${ansi.reset}     File path to validate
-    ${ansi.cyan}--content <str>${ansi.reset}   Content to validate (or use stdin)
-    ${ansi.cyan}--command <cmd>${ansi.reset}   Shell command to validate
-    ${ansi.cyan}--config <path>${ansi.reset}   Path to firewall config (default: .vibecheck/firewall.json)
-
-  ${ansi.bold}LEGACY CHECK MODES${ansi.reset}
+  ${ansi.bold}CHECK MODES${ansi.reset}
     ${ansi.cyan}--claims${ansi.reset}           Verify AI claims against truthpack
     ${ansi.cyan}--prompts${ansi.reset}          Check code for prompt injection
     ${ansi.cyan}--hallucinations${ansi.reset}   Detect AI hallucination patterns
     ${ansi.dim}(default: run all checks)${ansi.reset}
 
-  ${ansi.bold}OTHER OPTIONS${ansi.reset}
-    ${ansi.cyan}--init${ansi.reset}             Initialize firewall configuration
+  ${ansi.bold}OPTIONS${ansi.reset}
+    ${ansi.cyan}--file <path>${ansi.reset}      Check specific file(s)
     ${ansi.cyan}--strict${ansi.reset}           Fail on warnings (default: fail on errors only)
     ${ansi.cyan}--json${ansi.reset}             Output as JSON (CI integration)
     ${ansi.cyan}--quiet, -q${ansi.reset}        Suppress non-essential output
     ${ansi.cyan}--help, -h${ansi.reset}         Show this help
 
   ${ansi.bold}EXAMPLES${ansi.reset}
-    ${ansi.dim}# Initialize firewall configuration${ansi.reset}
-    vibecheck guard --init
-
-    ${ansi.dim}# Check if path is allowed (observe mode)${ansi.reset}
-    vibecheck guard --mode observe --action write --path .env
-
-    ${ansi.dim}# Block write to sensitive file (enforce mode, PRO)${ansi.reset}
-    vibecheck guard --mode enforce --action write --path .env
+    ${ansi.dim}# Run all guardrail checks${ansi.reset}
+    vibecheck guard
 
-    ${ansi.dim}# Validate command before execution${ansi.reset}
-    vibecheck guard --action execute --command "rm -rf /"
+    ${ansi.dim}# Verify AI claims in specific file${ansi.reset}
+    vibecheck guard --claims --file api.ts
 
-    ${ansi.dim}# Validate content for hallucinations${ansi.reset}
-    echo "fetch('https://example.com/api')" | vibecheck guard --action write --path api.js
+    ${ansi.dim}# Prompt injection scan only${ansi.reset}
+    vibecheck guard --prompts
 
     ${ansi.dim}# CI pipeline (strict, JSON output)${ansi.reset}
     vibecheck guard --strict --json
 
   ${ansi.bold}EXIT CODES${ansi.reset}
-    0  Action allowed / checks passed
+    0  All checks passed
     1  Warnings found (non-blocking)
-    2  Action blocked / errors found
-    3  Pro feature required
-
-  ${ansi.bold}CONFIGURATION${ansi.reset}
-    Configure via ${ansi.cyan}.vibecheck/firewall.json${ansi.reset}:
-    {
-      "mode": "observe",
-      "paths": {
-        "forbidden": [".env", "secrets/**"],
-        "allowed": ["src/**", "lib/**"]
-      },
-      "commands": {
-        "blocked": ["rm -rf /", "curl | bash"]
-      }
-    }
+    2  Errors found (blocking issues)
 
   ${ansi.dim}────────────────────────────────────────────────────────────────────${ansi.reset}
   ${ansi.dim}Documentation: https://docs.vibecheckai.dev/cli/guard${ansi.reset}
 `);
 }
 
-// ═══════════════════════════════════════════════════════════════════════════════
-// MAIN GUARD FUNCTION - New Firewall Mode
-// ═══════════════════════════════════════════════════════════════════════════════
-
-/**
- * Run the firewall validation
- * @param {object} options - Validation options
- * @returns {object} Validation result
- */
-async function runFirewallCheck(options) {
-  const { mode = "observe", action, path: filePath, content, command, configPath } = options;
-  
-  // Enforce mode requires PRO
-  if (mode === "enforce") {
-    const tier = await getCurrentTier();
-    if (!tierHasFeature(tier, "firewall.enforce")) {
-      return {
-        allowed: true,
-        reason: "free-tier-passthrough",
-        message: "Enforce mode requires VibeCheck Pro. Running in observe mode.",
-        tier,
-      };
-    }
-  }
-  
-  // Load configuration
-  const config = loadFirewallConfig(configPath || ".vibecheck/firewall.json");
-  
-  // Create validators
-  const pathValidator = new PathValidator(config);
-  const commandValidator = new CommandValidator(config);
-  const contentValidator = new ContentValidator(config);
-  
-  const violations = [];
-  const warnings = [];
-  
-  // Validate path
-  if (filePath && (action === "write" || action === "delete" || !action)) {
-    const pathResult = pathValidator.validate({ action: action || "write", path: filePath });
-    if (!pathResult.valid) {
-      violations.push({
-        type: "path",
-        ...pathResult,
-      });
-    }
-  }
-  
-  // Validate command
-  if (command && (action === "execute" || !action)) {
-    const cmdResult = commandValidator.validate({ command });
-    if (!cmdResult.valid) {
-      violations.push({
-        type: "command",
-        ...cmdResult,
-      });
-    } else if (cmdResult.requiresConfirmation) {
-      warnings.push({
-        type: "command",
-        ...cmdResult,
-      });
-    }
-  }
-  
-  // Validate content
-  if (content && (action === "write" || !action)) {
-    const contentResult = contentValidator.validate({ content, path: filePath });
-    if (!contentResult.valid) {
-      violations.push({
-        type: "content",
-        ...contentResult,
-      });
-    } else if (contentResult.hasWarnings) {
-      warnings.push(...contentResult.warnings.map(w => ({
-        type: "content",
-        ...w,
-      })));
-    }
-  }
-  
-  const hasViolations = violations.length > 0;
-  
-  // Determine if action is allowed based on mode
-  let allowed;
-  if (mode === "enforce") {
-    allowed = !hasViolations;
-  } else {
-    // Observe mode: always allow, but log violations
-    allowed = true;
-  }
-  
-  return {
-    allowed,
-    mode,
-    violations,
-    warnings,
-    violationCount: violations.length,
-    warningCount: warnings.length,
-  };
-}
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// MAIN ENTRY POINT
-// ═══════════════════════════════════════════════════════════════════════════════
-
 async function runGuard(args = []) {
   const { flags: globalFlags } = parseGlobalFlags(args);
   const quiet = shouldSuppressOutput(globalFlags);
@@ -264,198 +95,7 @@ async function runGuard(args = []) {
     printHelp();
     return EXIT.SUCCESS;
   }
-  
-  // Check for --init flag
-  if (args.includes("--init")) {
-    try {
-      const configPath = initFirewallConfig(process.cwd());
-      if (!quiet && !json) {
-        renderSuccess(`Firewall configuration created at ${configPath}`);
-        renderInfo("Edit .vibecheck/firewall.json to customize rules");
-      }
-      if (json) {
-        console.log(JSON.stringify({ success: true, configPath }));
-      }
-      return EXIT.SUCCESS;
-    } catch (error) {
-      if (json) {
-        console.log(JSON.stringify({ success: false, error: error.message }));
-      } else {
-        renderError(`Failed to initialize firewall: ${error.message}`);
-      }
-      return EXIT.INTERNAL_ERROR;
-    }
-  }
-  
-  // Detect if using new firewall mode (--action, --path, --content, --command)
-  const hasAction = args.includes("--action");
-  const hasPath = args.includes("--path");
-  const hasContent = args.includes("--content");
-  const hasCommand = args.includes("--command");
-  const hasMode = args.includes("--mode");
-  
-  const isFirewallMode = hasAction || hasPath || hasContent || hasCommand || hasMode;
-  
-  if (isFirewallMode) {
-    // New firewall validation mode
-    return await runFirewallValidation(args, { quiet, json, startTime });
-  } else {
-    // Legacy guard mode (claims, prompts, hallucinations)
-    return await runLegacyGuard(args, { quiet, json, startTime, globalFlags });
-  }
-}
 
-// ═══════════════════════════════════════════════════════════════════════════════
-// FIREWALL VALIDATION MODE
-// ═══════════════════════════════════════════════════════════════════════════════
-
-async function runFirewallValidation(args, { quiet, json, startTime }) {
-  // Parse firewall-specific options
-  const modeIndex = args.indexOf("--mode");
-  const mode = modeIndex !== -1 ? args[modeIndex + 1] : "observe";
-  
-  const actionIndex = args.indexOf("--action");
-  const action = actionIndex !== -1 ? args[actionIndex + 1] : null;
-  
-  const pathIndex = args.indexOf("--path");
-  const filePath = pathIndex !== -1 ? args[pathIndex + 1] : null;
-  
-  const contentIndex = args.indexOf("--content");
-  let content = contentIndex !== -1 ? args[contentIndex + 1] : null;
-  
-  const commandIndex = args.indexOf("--command");
-  const command = commandIndex !== -1 ? args[commandIndex + 1] : null;
-  
-  const configIndex = args.indexOf("--config");
-  const configPath = configIndex !== -1 ? args[configIndex + 1] : null;
-  
-  // Read content from stdin if not provided
-  if (!content && !process.stdin.isTTY) {
-    content = await readStdin();
-  }
-  
-  // Validate mode
-  if (mode && !["observe", "enforce"].includes(mode)) {
-    if (json) {
-      console.log(JSON.stringify({ success: false, error: `Invalid mode: ${mode}` }));
-    } else {
-      renderError(`Invalid mode: ${mode}. Must be 'observe' or 'enforce'`);
-    }
-    return EXIT.USER_ERROR;
-  }
-  
-  // Validate action
-  if (action && !["write", "delete", "execute"].includes(action)) {
-    if (json) {
-      console.log(JSON.stringify({ success: false, error: `Invalid action: ${action}` }));
-    } else {
-      renderError(`Invalid action: ${action}. Must be 'write', 'delete', or 'execute'`);
-    }
-    return EXIT.USER_ERROR;
-  }
-  
-  try {
-    if (!quiet && !json) {
-      renderMinimalHeader("guard", "starter");
-      renderSectionHeader(`Agent Firewall (${mode} mode)`, sym.shield);
-    }
-    
-    // Run firewall check
-    const result = await runFirewallCheck({
-      mode,
-      action,
-      path: filePath,
-      content,
-      command,
-      configPath,
-    });
-    
-    const duration = Date.now() - startTime;
-    
-    // Output results
-    if (json) {
-      console.log(JSON.stringify({
-        ...result,
-        duration,
-        success: result.allowed,
-      }, null, 2));
-    } else if (!quiet) {
-      // Display violations
-      for (const violation of result.violations) {
-        console.log();
-        renderError(`${sym.cross} ${violation.rule}: ${violation.message}`);
-        if (violation.details) {
-          console.log(`   ${ansi.dim}Path: ${violation.details.path || violation.details.command || "N/A"}${ansi.reset}`);
-          if (violation.details.suggestion) {
-            console.log(`   ${ansi.cyan}Suggestion: ${violation.details.suggestion}${ansi.reset}`);
-          }
-        }
-      }
-      
-      // Display warnings
-      for (const warning of result.warnings) {
-        console.log();
-        renderWarning(`${sym.warn} ${warning.rule || warning.type}: ${warning.message}`);
-      }
-      
-      console.log();
-      
-      if (result.allowed) {
-        if (result.violations.length > 0 && mode === "observe") {
-          renderVerdict("WARN", {
-            warnings: result.violationCount,
-            duration,
-            message: `${result.violationCount} violation(s) logged (observe mode - not blocking)`,
-          });
-        } else {
-          renderVerdict("PASS", {
-            warnings: result.warningCount,
-            duration,
-          });
-        }
-      } else {
-        renderVerdict("BLOCK", {
-          critical: result.violationCount,
-          duration,
-          message: `Action blocked: ${result.violations[0]?.message}`,
-        });
-      }
-      
-      renderFooter({
-        nextSteps: result.allowed ? [
-          { cmd: "vibecheck scan", desc: "run full code analysis" },
-        ] : [
-          { cmd: "vibecheck guard --mode observe", desc: "run in observe mode" },
-          { cmd: "Edit .vibecheck/firewall.json", desc: "customize firewall rules" },
-        ],
-        docsUrl: "https://docs.vibecheckai.dev/cli/guard",
-      });
-    }
-    
-    // Return appropriate exit code
-    if (!result.allowed) {
-      return EXIT.BLOCKING;
-    }
-    if (result.violationCount > 0 || result.warningCount > 0) {
-      return EXIT.WARNINGS;
-    }
-    return EXIT.SUCCESS;
-    
-  } catch (error) {
-    if (json) {
-      console.log(JSON.stringify({ success: false, error: error.message }));
-    } else {
-      renderError(`Firewall check failed: ${error.message}`);
-    }
-    return EXIT.INTERNAL_ERROR;
-  }
-}
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// LEGACY GUARD MODE (Claims, Prompts, Hallucinations)
-// ═══════════════════════════════════════════════════════════════════════════════
-
-async function runLegacyGuard(args, { quiet, json, startTime, globalFlags }) {
   const runClaims = args.includes("--claims") || (!args.includes("--prompts") && !args.includes("--hallucinations"));
   const runPrompts = args.includes("--prompts") || (!args.includes("--claims") && !args.includes("--hallucinations"));
   const runHallucinations = args.includes("--hallucinations") || (!args.includes("--claims") && !args.includes("--prompts"));
@@ -619,37 +259,4 @@ async function runLegacyGuard(args, { quiet, json, startTime, globalFlags }) {
   }
 }
 
-// ═══════════════════════════════════════════════════════════════════════════════
-// UTILITY FUNCTIONS
-// ═══════════════════════════════════════════════════════════════════════════════
-
-/**
- * Read content from stdin
- * @returns {Promise<string>} Stdin content
- */
-function readStdin() {
-  return new Promise((resolve) => {
-    let data = "";
-    process.stdin.setEncoding("utf8");
-    process.stdin.on("readable", () => {
-      let chunk;
-      while ((chunk = process.stdin.read()) !== null) {
-        data += chunk;
-      }
-    });
-    process.stdin.on("end", () => {
-      resolve(data);
-    });
-    // Timeout after 100ms if no data
-    setTimeout(() => resolve(data), 100);
-  });
-}
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// EXPORTS
-// ═══════════════════════════════════════════════════════════════════════════════
-
-module.exports = { 
-  runGuard,
-  runFirewallCheck,
-};
+module.exports = { runGuard };