@vibecheckai/cli 3.5.1 → 3.5.2

package/bin/runners/lib/agent-firewall/change-packet/builder.js

@@ -0,0 +1,488 @@
+/**
+ * Change Packet Builder
+ * 
+ * Builds change packets from diffs + agent intent.
+ * Each packet is a complete audit artifact of an AI code change attempt.
+ * 
+ * Enhanced with:
+ * - Risk scoring
+ * - Simulation results
+ * - Critic verdict
+ * - Override tracking
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+const path = require("path");
+
+/**
+ * @typedef {Object} ProofArtifact
+ * @property {string} changeId - Unique change identifier
+ * @property {string} decision - ALLOW, BLOCK, or REQUIRE_CONFIRMATION
+ * @property {Array} rulesTriggered - Rules that were triggered
+ * @property {Array} assumptionsFailed - Failed assumptions
+ * @property {number} riskScore - Numerical risk score
+ * @property {string} riskLevel - LOW, MEDIUM, HIGH, CRITICAL
+ * @property {Object} simulationResult - Result of diff simulation
+ * @property {Object} criticVerdict - Critic LLM verdict
+ * @property {string} timestamp - ISO timestamp
+ * @property {boolean} overrideUsed - Whether override was used
+ * @property {string} overrideBy - Who overrode (if applicable)
+ * @property {string} overrideReason - Reason for override
+ */
+
+/**
+ * Build a change packet from diff and agent intent
+ * @param {object} params
+ * @param {string} params.agentId - Agent identifier
+ * @param {string} params.intent - Agent's stated intent
+ * @param {object} params.diff - Diff object { before, after, unified }
+ * @param {string} params.filePath - File path (relative to repo root)
+ * @param {object} params.claims - Extracted claims
+ * @param {object} params.evidence - Evidence resolution results
+ * @param {object} params.verdict - Policy verdict
+ * @param {object} params.unblockPlan - Unblock plan (if blocked)
+ * @param {object} params.policy - Policy used for evaluation
+ * @param {object} params.riskScore - Risk scoring result
+ * @param {object} params.simulationResult - Diff simulation result
+ * @param {object} params.criticVerdict - Critic LLM verdict
+ * @param {object} params.proposal - Structured change proposal
+ * @param {object} params.override - Override information
+ * @returns {object} Change packet
+ */
+function buildChangePacket({
+  agentId,
+  intent,
+  diff,
+  filePath,
+  claims = [],
+  evidence = [],
+  verdict,
+  unblockPlan = null,
+  policy = null,
+  riskScore = null,
+  simulationResult = null,
+  criticVerdict = null,
+  proposal = null,
+  override = null
+}) {
+  const timestamp = new Date().toISOString();
+  
+  // Generate unique packet ID from content hash
+  const packetContent = JSON.stringify({
+    agentId,
+    intent,
+    filePath,
+    timestamp,
+    diff: diff?.unified || ""
+  });
+  const id = crypto.createHash("sha256")
+    .update(packetContent)
+    .digest("hex")
+    .slice(0, 16);
+  
+  // Calculate file statistics
+  const linesChanged = diff?.unified 
+    ? diff.unified.split('\n').filter(line => line.startsWith('+') || line.startsWith('-')).length
+    : 0;
+  
+  const files = [{
+    path: filePath,
+    linesChanged,
+    domain: classifyFileDomain(filePath)
+  }];
+  
+  // Extract failed assumptions from evidence
+  const assumptionsFailed = evidence
+    .filter(e => e.status === "UNPROVEN" || !e.verified)
+    .map(e => e.claim?.key || e.claim?.type || e.assumption || "unknown");
+  
+  // Extract triggered rules from verdict
+  const rulesTriggered = (verdict?.violations || [])
+    .map(v => v.rule || v.type || v.id)
+    .filter(Boolean);
+  
+  // Build packet with enhanced proof artifact fields
+  const packet = {
+    id,
+    timestamp,
+    agentId,
+    intent: intent || "No intent provided",
+    
+    // Original fields
+    diff: diff || null,
+    files,
+    claims,
+    evidence,
+    
+    // Verdict and decision
+    verdict: verdict || {
+      decision: "ALLOW",
+      violations: [],
+      message: "No verdict provided"
+    },
+    unblockPlan: unblockPlan || null,
+    
+    // Enhanced proof artifact fields
+    proof: {
+      changeId: `c-${id}`,
+      decision: verdict?.decision || "ALLOW",
+      rulesTriggered,
+      assumptionsFailed,
+      riskScore: riskScore?.total ?? null,
+      riskLevel: riskScore?.level || null,
+      riskFactors: riskScore?.reasons || [],
+      simulationResult: simulationResult ? {
+        passed: simulationResult.passed,
+        errorCount: simulationResult.errors?.length || 0,
+        warningCount: simulationResult.warnings?.length || 0,
+        errors: (simulationResult.errors || []).slice(0, 5).map(e => e.message || e),
+        warnings: (simulationResult.warnings || []).slice(0, 5).map(w => w.message || w),
+      } : null,
+      criticVerdict: criticVerdict ? {
+        verdict: criticVerdict.verdict,
+        confidence: criticVerdict.confidence,
+        reasoning: criticVerdict.reasoning || [],
+        violations: criticVerdict.violations || [],
+      } : null,
+      overrideUsed: override?.used || false,
+      overrideBy: override?.by || null,
+      overrideReason: override?.reason || null,
+      overrideTimestamp: override?.timestamp || null,
+    },
+    
+    // Structured proposal (if provided)
+    proposal: proposal ? {
+      intent: proposal.intent,
+      summary: proposal.summary,
+      confidence: proposal.confidence,
+      assumptions: proposal.assumptions,
+      filesTouched: proposal.filesTouched,
+      operationCount: proposal.operations?.length || 0,
+    } : null,
+    
+    // Metadata
+    metadata: {
+      totalFiles: files.length,
+      totalLines: linesChanged,
+      policyVersion: policy?.version || "unknown",
+      policyProfile: policy?.profile || "unknown",
+      policyMode: policy?.mode || "unknown",
+      domains: [...new Set(files.map(f => f.domain))],
+    }
+  };
+  
+  return packet;
+}
+
+/**
+ * Build change packet from multiple files
+ * @param {object} params
+ * @param {string} params.agentId - Agent identifier
+ * @param {string} params.intent - Agent's stated intent
+ * @param {array} params.changes - Array of { filePath, diff, claims }
+ * @param {array} params.evidence - Evidence resolution results
+ * @param {object} params.verdict - Policy verdict
+ * @param {object} params.unblockPlan - Unblock plan (if blocked)
+ * @param {object} params.policy - Policy used for evaluation
+ * @param {object} params.riskScore - Risk scoring result
+ * @param {object} params.simulationResult - Diff simulation result
+ * @param {object} params.criticVerdict - Critic LLM verdict
+ * @param {object} params.proposal - Structured change proposal
+ * @param {object} params.override - Override information
+ * @returns {object} Change packet
+ */
+function buildMultiFileChangePacket({
+  agentId,
+  intent,
+  changes = [],
+  evidence = [],
+  verdict,
+  unblockPlan = null,
+  policy = null,
+  riskScore = null,
+  simulationResult = null,
+  criticVerdict = null,
+  proposal = null,
+  override = null
+}) {
+  const timestamp = new Date().toISOString();
+  
+  // Aggregate all file changes
+  const files = changes.map(change => ({
+    path: change.filePath,
+    linesChanged: calculateLinesChanged(change.diff),
+    domain: classifyFileDomain(change.filePath)
+  }));
+  
+  // Aggregate all claims
+  const claims = changes.flatMap(change => 
+    (change.claims || []).map(claim => ({
+      ...claim,
+      file: change.filePath
+    }))
+  );
+  
+  // Generate unique packet ID from all changes
+  const packetContent = JSON.stringify({
+    agentId,
+    intent,
+    timestamp,
+    files: files.map(f => f.path),
+    claims: claims.map(c => `${c.type}:${c.value}`)
+  });
+  const id = crypto.createHash("sha256")
+    .update(packetContent)
+    .digest("hex")
+    .slice(0, 16);
+  
+  // Build unified diff (concatenate all diffs)
+  const unifiedDiff = changes
+    .map(change => {
+      const diff = change.diff?.unified || "";
+      return diff ? `--- ${change.filePath}\n+++ ${change.filePath}\n${diff}` : "";
+    })
+    .filter(Boolean)
+    .join("\n\n");
+  
+  // Extract failed assumptions from evidence
+  const assumptionsFailed = evidence
+    .filter(e => e.status === "UNPROVEN" || !e.verified)
+    .map(e => e.claim?.key || e.claim?.type || e.assumption || "unknown");
+  
+  // Extract triggered rules from verdict
+  const rulesTriggered = (verdict?.violations || [])
+    .map(v => v.rule || v.type || v.id)
+    .filter(Boolean);
+  
+  const packet = {
+    id,
+    timestamp,
+    agentId,
+    intent: intent || "No intent provided",
+    
+    // Original fields
+    diff: unifiedDiff ? {
+      unified: unifiedDiff,
+      before: null,
+      after: null
+    } : null,
+    files,
+    claims,
+    evidence,
+    
+    // Verdict and decision
+    verdict: verdict || {
+      decision: "ALLOW",
+      violations: [],
+      message: "No verdict provided"
+    },
+    unblockPlan: unblockPlan || null,
+    
+    // Enhanced proof artifact fields
+    proof: {
+      changeId: `c-${id}`,
+      decision: verdict?.decision || "ALLOW",
+      rulesTriggered,
+      assumptionsFailed,
+      riskScore: riskScore?.total ?? null,
+      riskLevel: riskScore?.level || null,
+      riskFactors: riskScore?.reasons || [],
+      simulationResult: simulationResult ? {
+        passed: simulationResult.passed,
+        errorCount: simulationResult.errors?.length || 0,
+        warningCount: simulationResult.warnings?.length || 0,
+        errors: (simulationResult.errors || []).slice(0, 5).map(e => e.message || e),
+        warnings: (simulationResult.warnings || []).slice(0, 5).map(w => w.message || w),
+      } : null,
+      criticVerdict: criticVerdict ? {
+        verdict: criticVerdict.verdict,
+        confidence: criticVerdict.confidence,
+        reasoning: criticVerdict.reasoning || [],
+        violations: criticVerdict.violations || [],
+      } : null,
+      overrideUsed: override?.used || false,
+      overrideBy: override?.by || null,
+      overrideReason: override?.reason || null,
+      overrideTimestamp: override?.timestamp || null,
+    },
+    
+    // Structured proposal (if provided)
+    proposal: proposal ? {
+      intent: proposal.intent,
+      summary: proposal.summary,
+      confidence: proposal.confidence,
+      assumptions: proposal.assumptions,
+      filesTouched: proposal.filesTouched,
+      operationCount: proposal.operations?.length || 0,
+    } : null,
+    
+    // Metadata
+    metadata: {
+      totalFiles: files.length,
+      totalLines: files.reduce((sum, f) => sum + f.linesChanged, 0),
+      policyVersion: policy?.version || "unknown",
+      policyProfile: policy?.profile || "unknown",
+      policyMode: policy?.mode || "unknown",
+      domains: [...new Set(files.map(f => f.domain))],
+    }
+  };
+  
+  return packet;
+}
+
+/**
+ * Calculate number of lines changed from diff
+ * @param {object} diff - Diff object
+ * @returns {number} Number of lines changed
+ */
+function calculateLinesChanged(diff) {
+  if (!diff || !diff.unified) return 0;
+  return diff.unified
+    .split('\n')
+    .filter(line => line.startsWith('+') || line.startsWith('-'))
+    .length;
+}
+
+/**
+ * Classify file domain from path
+ * @param {string} filePath - File path
+ * @returns {string} Domain classification
+ */
+function classifyFileDomain(filePath) {
+  const s = filePath.toLowerCase();
+  if (s.includes("auth")) return "auth";
+  if (s.includes("stripe") || s.includes("payment")) return "payments";
+  if (s.includes("routes") || s.includes("router") || s.includes("api")) return "routes";
+  if (s.includes("schema") || s.includes("contract") || s.includes("openapi")) return "contracts";
+  if (s.includes("ui") || s.includes("components") || s.includes("pages")) return "ui";
+  return "general";
+}
+
+/**
+ * Build a standalone proof artifact for compliance
+ * @param {object} params - Proof parameters
+ * @returns {ProofArtifact} Proof artifact
+ */
+function buildProofArtifact({
+  changeId,
+  decision,
+  rulesTriggered = [],
+  assumptionsFailed = [],
+  riskScore = null,
+  simulationResult = null,
+  criticVerdict = null,
+  override = null,
+}) {
+  const timestamp = new Date().toISOString();
+  
+  return {
+    changeId: changeId || `c-${crypto.randomBytes(8).toString("hex")}`,
+    decision: decision || "BLOCK",
+    rulesTriggered,
+    assumptionsFailed,
+    riskScore: riskScore?.total ?? null,
+    riskLevel: riskScore?.level || "UNKNOWN",
+    riskFactors: riskScore?.reasons || [],
+    simulationResult: simulationResult ? {
+      passed: simulationResult.passed,
+      errorCount: simulationResult.errors?.length || 0,
+      warningCount: simulationResult.warnings?.length || 0,
+      brokenImports: (simulationResult.errors || [])
+        .filter(e => e.type === "broken_import" || e.type === "unresolved_import")
+        .map(e => e.import),
+    } : null,
+    criticVerdict: criticVerdict ? {
+      verdict: criticVerdict.verdict,
+      confidence: criticVerdict.confidence,
+      reasoning: criticVerdict.reasoning || [],
+    } : null,
+    timestamp,
+    overrideUsed: override?.used || false,
+    overrideBy: override?.by || null,
+    overrideReason: override?.reason || null,
+  };
+}
+
+/**
+ * Extract proof artifact from a change packet
+ * @param {object} packet - Change packet
+ * @returns {ProofArtifact} Proof artifact
+ */
+function extractProofArtifact(packet) {
+  if (packet.proof) {
+    return {
+      ...packet.proof,
+      timestamp: packet.timestamp,
+    };
+  }
+  
+  // Build from legacy packet format
+  return {
+    changeId: `c-${packet.id}`,
+    decision: packet.verdict?.decision || "UNKNOWN",
+    rulesTriggered: (packet.verdict?.violations || []).map(v => v.rule || v.type),
+    assumptionsFailed: packet.evidence
+      ?.filter(e => e.status === "UNPROVEN")
+      .map(e => e.claim?.key) || [],
+    riskScore: null,
+    riskLevel: "UNKNOWN",
+    simulationResult: null,
+    criticVerdict: null,
+    timestamp: packet.timestamp,
+    overrideUsed: false,
+    overrideBy: null,
+    overrideReason: null,
+  };
+}
+
+/**
+ * Format proof artifact for display
+ * @param {ProofArtifact} proof - Proof artifact
+ * @returns {string} Formatted string
+ */
+function formatProofArtifact(proof) {
+  const lines = [
+    `Change ID: ${proof.changeId}`,
+    `Decision: ${proof.decision}`,
+    `Timestamp: ${proof.timestamp}`,
+    "",
+  ];
+  
+  if (proof.riskScore !== null) {
+    lines.push(`Risk Score: ${proof.riskScore} (${proof.riskLevel})`);
+  }
+  
+  if (proof.rulesTriggered.length > 0) {
+    lines.push(`Rules Triggered: ${proof.rulesTriggered.join(", ")}`);
+  }
+  
+  if (proof.assumptionsFailed.length > 0) {
+    lines.push(`Assumptions Failed: ${proof.assumptionsFailed.join(", ")}`);
+  }
+  
+  if (proof.simulationResult) {
+    lines.push(`Simulation: ${proof.simulationResult.passed ? "PASSED" : "FAILED"} (${proof.simulationResult.errorCount} errors)`);
+  }
+  
+  if (proof.criticVerdict) {
+    lines.push(`Critic: ${proof.criticVerdict.verdict} (${(proof.criticVerdict.confidence * 100).toFixed(0)}% confidence)`);
+  }
+  
+  if (proof.overrideUsed) {
+    lines.push(`Override: Used by ${proof.overrideBy} - ${proof.overrideReason}`);
+  }
+  
+  return lines.join("\n");
+}
+
+module.exports = {
+  buildChangePacket,
+  buildMultiFileChangePacket,
+  buildProofArtifact,
+  extractProofArtifact,
+  formatProofArtifact,
+  calculateLinesChanged,
+  classifyFileDomain
+};

package/bin/runners/lib/agent-firewall/change-packet/schema.json

@@ -0,0 +1,228 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "required": ["id", "timestamp", "agentId", "intent", "files", "claims", "verdict"],
+  "properties": {
+    "id": {
+      "type": "string",
+      "description": "Unique packet ID (hash-based)"
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO timestamp of the change"
+    },
+    "agentId": {
+      "type": "string",
+      "description": "Identifier for the AI agent (e.g., 'cursor', 'windsurf', 'copilot')"
+    },
+    "intent": {
+      "type": "string",
+      "description": "Agent's stated intent for the change"
+    },
+    "diff": {
+      "type": "object",
+      "properties": {
+        "before": {
+          "type": "string",
+          "description": "File content before change"
+        },
+        "after": {
+          "type": "string",
+          "description": "File content after change"
+        },
+        "unified": {
+          "type": "string",
+          "description": "Unified diff format"
+        }
+      }
+    },
+    "files": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["path", "linesChanged"],
+        "properties": {
+          "path": {
+            "type": "string",
+            "description": "Relative file path"
+          },
+          "linesChanged": {
+            "type": "number",
+            "description": "Number of lines changed"
+          },
+          "domain": {
+            "type": "string",
+            "enum": ["auth", "payments", "routes", "contracts", "ui", "general"],
+            "description": "File domain classification"
+          }
+        }
+      },
+      "description": "List of changed files"
+    },
+    "claims": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["type", "value", "criticality"],
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": ["route", "env_used", "auth_boundary", "data_contract", "http_call", "ui_success_claim", "side_effect"],
+            "description": "Claim type"
+          },
+          "value": {
+            "type": "string",
+            "description": "Claim value (e.g., route path, env var name)"
+          },
+          "criticality": {
+            "type": "string",
+            "enum": ["hard", "soft"],
+            "description": "Claim criticality"
+          },
+          "pointer": {
+            "type": "string",
+            "description": "File:line pointer (e.g., 'file.ts:42-45')"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Reason for claim extraction"
+          },
+          "file": {
+            "type": "string",
+            "description": "File where claim was found"
+          },
+          "domain": {
+            "type": "string",
+            "enum": ["auth", "payments", "routes", "contracts", "ui", "general"]
+          }
+        }
+      },
+      "description": "Extracted claims from the change"
+    },
+    "evidence": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["claimId", "result"],
+        "properties": {
+          "claimId": {
+            "type": "string",
+            "description": "Reference to claim in claims array"
+          },
+          "result": {
+            "type": "string",
+            "enum": ["PROVEN", "UNPROVEN", "CONTRADICTS"],
+            "description": "Evidence resolution result"
+          },
+          "sources": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "properties": {
+                "type": {
+                  "type": "string",
+                  "enum": ["truthpack.routes", "truthpack.env", "truthpack.auth", "truthpack.contracts", "repo.search"]
+                },
+                "pointer": {
+                  "type": "string"
+                },
+                "confidence": {
+                  "type": "number",
+                  "minimum": 0,
+                  "maximum": 1
+                }
+              }
+            }
+          }
+        }
+      },
+      "description": "Evidence resolution results"
+    },
+    "verdict": {
+      "type": "object",
+      "required": ["decision", "violations"],
+      "properties": {
+        "decision": {
+          "type": "string",
+          "enum": ["ALLOW", "WARN", "BLOCK"],
+          "description": "Final verdict"
+        },
+        "violations": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["rule", "severity", "message"],
+            "properties": {
+              "rule": {
+                "type": "string",
+                "description": "Rule ID that was violated"
+              },
+              "severity": {
+                "type": "string",
+                "enum": ["allow", "warn", "block"]
+              },
+              "message": {
+                "type": "string",
+                "description": "Violation message"
+              },
+              "claimId": {
+                "type": "string",
+                "description": "Related claim ID"
+              }
+            }
+          }
+        },
+        "message": {
+          "type": "string",
+          "description": "Human-readable verdict message"
+        }
+      }
+    },
+    "unblockPlan": {
+      "type": "object",
+      "properties": {
+        "steps": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["action", "file", "description"],
+            "properties": {
+              "action": {
+                "type": "string",
+                "enum": ["add", "modify", "create"]
+              },
+              "file": {
+                "type": "string"
+              },
+              "line": {
+                "type": "number"
+              },
+              "description": {
+                "type": "string"
+              }
+            }
+          }
+        }
+      },
+      "description": "Plan to unblock if verdict is BLOCK"
+    },
+    "metadata": {
+      "type": "object",
+      "properties": {
+        "totalFiles": {
+          "type": "number"
+        },
+        "totalLines": {
+          "type": "number"
+        },
+        "policyVersion": {
+          "type": "string"
+        },
+        "policyProfile": {
+          "type": "string"
+        }
+      }
+    }
+  }
+}