@vibecheckai/cli 3.7.0 → 3.9.0

package/bin/runners/lib/missions/safety-gates.js

@@ -0,0 +1,645 @@
+// bin/runners/lib/missions/safety-gates.js
+// ═══════════════════════════════════════════════════════════════════════════════
+// SAFETY GATES - Pre-flight and post-flight checks for mission safety
+// Gates must pass before missions run, and verify success after
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const { RISK_LEVEL, BLAST_RADIUS } = require('./schema');
+const {
+  SafetyGateError,
+  ValidationError,
+  isValidConfidence,
+  validateOptions,
+  getAuditTrail,
+} = require('./hardening');
+
+/**
+ * Gate result structure
+ * @typedef {object} GateResult
+ * @property {string} gate - Gate name
+ * @property {boolean} pass - Whether gate passed
+ * @property {string} reason - Human-readable reason
+ * @property {string} [remedy] - Suggested fix if gate failed
+ * @property {string} [severity] - Gate severity (error, warning, info)
+ */
+
+/**
+ * Default thresholds for safety gates
+ */
+const DEFAULT_THRESHOLDS = {
+  minConfidence: 0.6,
+  maxBlastRadius: 10,
+  maxFilesPerMission: 6,
+  maxLinesChanged: 400,
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// PRE-FLIGHT GATES - Must pass before mission execution
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Check if mission confidence meets threshold
+ * @param {object} mission - Mission object
+ * @param {object} options - Gate options
+ * @returns {GateResult}
+ */
+function gateConfidence(mission, options = {}) {
+  const threshold = options.minConfidence ?? DEFAULT_THRESHOLDS.minConfidence;
+  const confidence = mission.safety?.confidence ?? 0.5;
+  
+  const pass = confidence >= threshold;
+  
+  return {
+    gate: 'confidence',
+    pass,
+    reason: pass
+      ? `Confidence ${(confidence * 100).toFixed(0)}% >= ${(threshold * 100).toFixed(0)}% threshold`
+      : `Confidence ${(confidence * 100).toFixed(0)}% < ${(threshold * 100).toFixed(0)}% threshold`,
+    remedy: pass ? null : 'Use --force to override or --min-confidence to adjust threshold',
+    severity: pass ? 'info' : 'error',
+    value: confidence,
+    threshold,
+  };
+}
+
+/**
+ * Check if blast radius is acceptable
+ * @param {object} mission - Mission object
+ * @param {object} options - Gate options
+ * @returns {GateResult}
+ */
+function gateBlastRadius(mission, options = {}) {
+  const maxFiles = options.maxBlastRadius ?? DEFAULT_THRESHOLDS.maxBlastRadius;
+  const files = mission.scope?.allowedFiles?.length ?? 0;
+  const blastRadius = mission.scope?.blastRadius ?? BLAST_RADIUS.MEDIUM;
+  
+  const pass = files <= maxFiles;
+  
+  return {
+    gate: 'blast_radius',
+    pass,
+    reason: pass
+      ? `Blast radius: ${files} files (${blastRadius}) <= ${maxFiles} max`
+      : `Blast radius: ${files} files (${blastRadius}) > ${maxFiles} max`,
+    remedy: pass ? null : 'Use --max-blast to increase limit or --force to override',
+    severity: pass ? 'info' : 'error',
+    value: files,
+    threshold: maxFiles,
+  };
+}
+
+/**
+ * Check if risk level is acceptable for auto-apply
+ * @param {object} mission - Mission object
+ * @param {object} options - Gate options
+ * @returns {GateResult}
+ */
+function gateRiskLevel(mission, options = {}) {
+  const riskLevel = mission.safety?.riskLevel ?? RISK_LEVEL.MEDIUM;
+  const requiresApproval = mission.safety?.requiresApproval ?? false;
+  const forceMode = options.force ?? false;
+  
+  // Critical missions require --force unless explicitly approved
+  const isCritical = riskLevel === RISK_LEVEL.CRITICAL;
+  const pass = !isCritical || forceMode || !requiresApproval;
+  
+  return {
+    gate: 'risk_level',
+    pass,
+    reason: pass
+      ? `Risk level: ${riskLevel.toUpperCase()} ${isCritical ? '(approved with --force)' : ''}`
+      : `Risk level: ${riskLevel.toUpperCase()} requires explicit approval`,
+    remedy: pass ? null : 'Use --force to approve critical mission execution',
+    severity: pass ? (isCritical ? 'warning' : 'info') : 'error',
+    value: riskLevel,
+  };
+}
+
+/**
+ * Check for uncommitted changes in git
+ * @param {string} repoRoot - Repository root
+ * @param {object} options - Gate options
+ * @returns {GateResult}
+ */
+function gateOpenChanges(repoRoot, options = {}) {
+  const allowDirty = options.allowDirty ?? false;
+  
+  let isDirty = false;
+  let changes = 0;
+  
+  try {
+    const status = execSync('git status --porcelain', {
+      cwd: repoRoot,
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+    
+    isDirty = status.length > 0;
+    changes = status.split('\n').filter(Boolean).length;
+  } catch (e) {
+    // Not a git repo or git not available
+    return {
+      gate: 'open_changes',
+      pass: true,
+      reason: 'Not a git repository',
+      severity: 'info',
+    };
+  }
+  
+  const pass = !isDirty || allowDirty;
+  
+  return {
+    gate: 'open_changes',
+    pass,
+    reason: pass
+      ? isDirty 
+        ? `${changes} uncommitted changes (allowed)`
+        : 'Working directory clean'
+      : `${changes} uncommitted changes - commit or stash before fixing`,
+    remedy: pass ? null : 'Commit or stash changes before running fix, or use --allow-dirty',
+    severity: pass ? 'info' : 'error',
+    value: changes,
+  };
+}
+
+/**
+ * Check if target files exist and are readable
+ * @param {string} repoRoot - Repository root
+ * @param {object} mission - Mission object
+ * @returns {GateResult}
+ */
+function gateFilesExist(repoRoot, mission) {
+  const allowedFiles = mission.scope?.allowedFiles ?? [];
+  const missing = [];
+  
+  for (const file of allowedFiles) {
+    const absPath = path.join(repoRoot, file);
+    if (!fs.existsSync(absPath)) {
+      missing.push(file);
+    }
+  }
+  
+  const pass = missing.length === 0;
+  
+  return {
+    gate: 'files_exist',
+    pass,
+    reason: pass
+      ? `All ${allowedFiles.length} target files exist`
+      : `${missing.length} target files missing: ${missing.slice(0, 3).join(', ')}${missing.length > 3 ? '...' : ''}`,
+    remedy: pass ? null : 'Ensure target files exist or re-run scan to update findings',
+    severity: pass ? 'info' : 'warning',
+    value: allowedFiles.length - missing.length,
+    missing,
+  };
+}
+
+/**
+ * Run all pre-flight gates
+ * @param {string} repoRoot - Repository root
+ * @param {object} mission - Mission object
+ * @param {object} options - Gate options
+ * @returns {object} Combined gate results
+ */
+function runPreFlightGates(repoRoot, mission, options = {}) {
+  const audit = getAuditTrail();
+  const missionId = mission?.id || 'unknown';
+  
+  audit.debug('preflight_gates_start', { missionId, options });
+  
+  // Validate inputs
+  if (!mission || typeof mission !== 'object') {
+    audit.error('preflight_gates_invalid_mission', { mission });
+    return {
+      ok: false,
+      results: [{
+        gate: 'validation',
+        pass: false,
+        reason: 'Mission object is required',
+        severity: 'error',
+      }],
+      passed: 0,
+      failed: 1,
+      warnings: 0,
+      summary: 'Mission validation failed',
+    };
+  }
+  
+  // Sanitize options with defaults
+  const safeOptions = {
+    minConfidence: options.minConfidence ?? DEFAULT_THRESHOLDS.minConfidence,
+    maxBlastRadius: options.maxBlastRadius ?? DEFAULT_THRESHOLDS.maxBlastRadius,
+    force: options.force ?? false,
+    allowDirty: options.allowDirty ?? false,
+  };
+  
+  // Run all gates
+  const results = [];
+  
+  try {
+    results.push(gateConfidence(mission, safeOptions));
+  } catch (e) {
+    results.push({ gate: 'confidence', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+  }
+  
+  try {
+    results.push(gateBlastRadius(mission, safeOptions));
+  } catch (e) {
+    results.push({ gate: 'blast_radius', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+  }
+  
+  try {
+    results.push(gateRiskLevel(mission, safeOptions));
+  } catch (e) {
+    results.push({ gate: 'risk_level', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+  }
+  
+  try {
+    results.push(gateOpenChanges(repoRoot, safeOptions));
+  } catch (e) {
+    results.push({ gate: 'open_changes', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+  }
+  
+  try {
+    results.push(gateFilesExist(repoRoot, mission));
+  } catch (e) {
+    results.push({ gate: 'files_exist', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+  }
+  
+  const passed = results.filter(r => r.pass);
+  const failed = results.filter(r => !r.pass);
+  const warnings = results.filter(r => r.severity === 'warning');
+  
+  const gateResults = {
+    ok: failed.length === 0,
+    results,
+    passed: passed.length,
+    failed: failed.length,
+    warnings: warnings.length,
+    summary: failed.length === 0
+      ? `All ${results.length} pre-flight gates passed`
+      : `${failed.length} gate(s) failed: ${failed.map(f => f.gate).join(', ')}`,
+  };
+  
+  audit.info('preflight_gates_complete', { 
+    missionId, 
+    ok: gateResults.ok,
+    passed: passed.length,
+    failed: failed.length,
+    failedGates: failed.map(f => f.gate),
+  });
+  
+  return gateResults;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// POST-FLIGHT GATES - Verify success after mission execution
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Check if findings were reduced
+ * @param {object} before - Ship results before fix
+ * @param {object} after - Ship results after fix
+ * @param {object} mission - Mission object
+ * @returns {GateResult}
+ */
+function gateFindingsReduced(before, after, mission) {
+  const beforeFindings = before?.report?.findings ?? before?.findings ?? [];
+  const afterFindings = after?.report?.findings ?? after?.findings ?? [];
+  
+  const targetIds = new Set(mission.objective?.targetFindingIds ?? []);
+  
+  // Count target findings before and after
+  const targetsBefore = beforeFindings.filter(f => targetIds.has(f.id)).length;
+  const targetsAfter = afterFindings.filter(f => targetIds.has(f.id)).length;
+  
+  const reduced = targetsAfter < targetsBefore;
+  const eliminated = targetsAfter === 0;
+  
+  return {
+    gate: 'findings_reduced',
+    pass: reduced,
+    reason: reduced
+      ? eliminated
+        ? `All ${targetsBefore} target findings eliminated`
+        : `Target findings reduced: ${targetsBefore} → ${targetsAfter}`
+      : `Target findings not reduced: ${targetsBefore} → ${targetsAfter}`,
+    remedy: reduced ? null : 'Fix did not address target findings - rollback recommended',
+    severity: reduced ? 'info' : 'error',
+    value: { before: targetsBefore, after: targetsAfter },
+  };
+}
+
+/**
+ * Check for regressions (new findings introduced)
+ * @param {object} before - Ship results before fix
+ * @param {object} after - Ship results after fix
+ * @returns {GateResult}
+ */
+function gateNoRegressions(before, after) {
+  const beforeFindings = before?.report?.findings ?? before?.findings ?? [];
+  const afterFindings = after?.report?.findings ?? after?.findings ?? [];
+  
+  const beforeIds = new Set(beforeFindings.map(f => f.id));
+  const newFindings = afterFindings.filter(f => !beforeIds.has(f.id));
+  
+  // Only count new BLOCK findings as regressions
+  const newBlocks = newFindings.filter(f => f.severity === 'BLOCK');
+  
+  const pass = newBlocks.length === 0;
+  
+  return {
+    gate: 'no_regressions',
+    pass,
+    reason: pass
+      ? newFindings.length === 0
+        ? 'No new findings introduced'
+        : `${newFindings.length} new non-blocking findings (acceptable)`
+      : `${newBlocks.length} new BLOCK findings introduced`,
+    remedy: pass ? null : 'Fix introduced new blocking issues - rollback recommended',
+    severity: pass ? 'info' : 'error',
+    value: { newTotal: newFindings.length, newBlocks: newBlocks.length },
+    newFindings: newBlocks,
+  };
+}
+
+/**
+ * Check if overall score decreased
+ * @param {object} before - Ship results before fix
+ * @param {object} after - Ship results after fix
+ * @returns {GateResult}
+ */
+function gateScoreDecrease(before, after) {
+  const beforeFindings = before?.report?.findings ?? before?.findings ?? [];
+  const afterFindings = after?.report?.findings ?? after?.findings ?? [];
+  
+  // Calculate scores
+  const score = (findings) => {
+    let s = 0;
+    for (const f of findings) {
+      if (f.severity === 'BLOCK') s += 10;
+      else if (f.severity === 'WARN') s += 3;
+      else s += 1;
+    }
+    return s;
+  };
+  
+  const beforeScore = score(beforeFindings);
+  const afterScore = score(afterFindings);
+  
+  const decreased = afterScore < beforeScore;
+  const delta = beforeScore - afterScore;
+  
+  return {
+    gate: 'score_decrease',
+    pass: decreased,
+    reason: decreased
+      ? `Score decreased: ${beforeScore} → ${afterScore} (${delta > 0 ? '-' : '+'}${Math.abs(delta)})`
+      : `Score not decreased: ${beforeScore} → ${afterScore}`,
+    remedy: decreased ? null : 'Fix did not improve overall score',
+    severity: decreased ? 'info' : 'warning',
+    value: { before: beforeScore, after: afterScore, delta },
+  };
+}
+
+/**
+ * Check if tests pass (optional - requires test runner config)
+ * @param {string} repoRoot - Repository root
+ * @param {object} options - Test options
+ * @returns {GateResult}
+ */
+function gateTestsPass(repoRoot, options = {}) {
+  const testCommand = options.testCommand ?? null;
+  const skipTests = options.skipTests ?? true;
+  
+  if (skipTests || !testCommand) {
+    return {
+      gate: 'tests_pass',
+      pass: true,
+      reason: 'Tests skipped (not configured)',
+      severity: 'info',
+      skipped: true,
+    };
+  }
+  
+  try {
+    execSync(testCommand, {
+      cwd: repoRoot,
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: options.testTimeout ?? 60000,
+    });
+    
+    return {
+      gate: 'tests_pass',
+      pass: true,
+      reason: 'All tests passed',
+      severity: 'info',
+    };
+  } catch (e) {
+    return {
+      gate: 'tests_pass',
+      pass: false,
+      reason: `Tests failed: ${e.message?.slice(0, 100) ?? 'Unknown error'}`,
+      remedy: 'Fix test failures or use --skip-tests to bypass',
+      severity: 'error',
+    };
+  }
+}
+
+/**
+ * Run all post-flight gates
+ * @param {string} repoRoot - Repository root
+ * @param {object} mission - Mission object
+ * @param {object} before - Ship results before fix
+ * @param {object} after - Ship results after fix
+ * @param {object} options - Gate options
+ * @returns {object} Combined gate results
+ */
+function runPostFlightGates(repoRoot, mission, before, after, options = {}) {
+  const audit = getAuditTrail();
+  const missionId = mission?.id || 'unknown';
+  
+  audit.debug('postflight_gates_start', { missionId });
+  
+  // Validate inputs
+  if (!before || !after) {
+    audit.error('postflight_gates_missing_results', { missionId, hasBefore: !!before, hasAfter: !!after });
+    return {
+      ok: false,
+      results: [{
+        gate: 'validation',
+        pass: false,
+        reason: 'Before and after ship results are required',
+        severity: 'error',
+      }],
+      passed: 0,
+      failed: 1,
+      warnings: 0,
+      shouldRollback: true,
+      summary: 'Post-flight validation failed',
+    };
+  }
+  
+  const results = [];
+  
+  // Run gates with error handling
+  try {
+    results.push(gateFindingsReduced(before, after, mission));
+  } catch (e) {
+    results.push({ gate: 'findings_reduced', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+  }
+  
+  try {
+    results.push(gateNoRegressions(before, after));
+  } catch (e) {
+    results.push({ gate: 'no_regressions', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+  }
+  
+  try {
+    results.push(gateScoreDecrease(before, after));
+  } catch (e) {
+    results.push({ gate: 'score_decrease', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+  }
+  
+  // Optionally run tests
+  if (options.runTests) {
+    try {
+      results.push(gateTestsPass(repoRoot, options));
+    } catch (e) {
+      results.push({ gate: 'tests_pass', pass: false, reason: `Gate error: ${e.message}`, severity: 'error' });
+    }
+  }
+  
+  const passed = results.filter(r => r.pass);
+  const failed = results.filter(r => !r.pass);
+  const warnings = results.filter(r => r.severity === 'warning');
+  
+  // Determine if rollback is recommended
+  const shouldRollback = failed.some(f => 
+    f.gate === 'findings_reduced' || 
+    f.gate === 'no_regressions' ||
+    f.gate === 'tests_pass'
+  );
+  
+  const gateResults = {
+    ok: failed.length === 0,
+    results,
+    passed: passed.length,
+    failed: failed.length,
+    warnings: warnings.length,
+    shouldRollback,
+    summary: failed.length === 0
+      ? `All ${results.length} post-flight gates passed`
+      : `${failed.length} gate(s) failed: ${failed.map(f => f.gate).join(', ')}`,
+  };
+  
+  audit.info('postflight_gates_complete', { 
+    missionId, 
+    ok: gateResults.ok,
+    passed: passed.length,
+    failed: failed.length,
+    shouldRollback,
+    failedGates: failed.map(f => f.gate),
+  });
+  
+  return gateResults;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// COMBINED GATE RUNNER
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Format gate results for display
+ * @param {object[]} results - Array of gate results
+ * @returns {string[]} Formatted lines
+ */
+function formatGateResults(results) {
+  const lines = [];
+  
+  for (const r of results) {
+    const icon = r.pass 
+      ? (r.severity === 'warning' ? '⚠' : '✓') 
+      : '✗';
+    const color = r.pass 
+      ? (r.severity === 'warning' ? 'yellow' : 'green')
+      : 'red';
+    
+    lines.push({
+      icon,
+      color,
+      gate: r.gate,
+      reason: r.reason,
+      remedy: r.remedy,
+    });
+  }
+  
+  return lines;
+}
+
+/**
+ * Check if mission should auto-apply based on gates
+ * @param {string} repoRoot - Repository root
+ * @param {object} mission - Mission object
+ * @param {object} options - Gate options
+ * @returns {object} Decision result
+ */
+function shouldAutoApply(repoRoot, mission, options = {}) {
+  const preFlightResults = runPreFlightGates(repoRoot, mission, options);
+  
+  if (!preFlightResults.ok) {
+    return {
+      shouldApply: false,
+      reason: 'Pre-flight gates failed',
+      preFlightResults,
+    };
+  }
+  
+  // Check mission-level safety
+  const isSafe = 
+    mission.safety?.reversible !== false &&
+    mission.safety?.riskLevel !== RISK_LEVEL.CRITICAL &&
+    mission.safety?.confidence >= (options.minConfidence ?? DEFAULT_THRESHOLDS.minConfidence);
+  
+  if (!isSafe && !options.force) {
+    return {
+      shouldApply: false,
+      reason: 'Mission does not meet auto-apply criteria',
+      preFlightResults,
+    };
+  }
+  
+  return {
+    shouldApply: true,
+    reason: 'All safety checks passed',
+    preFlightResults,
+  };
+}
+
+module.exports = {
+  // Pre-flight gates
+  gateConfidence,
+  gateBlastRadius,
+  gateRiskLevel,
+  gateOpenChanges,
+  gateFilesExist,
+  runPreFlightGates,
+  
+  // Post-flight gates
+  gateFindingsReduced,
+  gateNoRegressions,
+  gateScoreDecrease,
+  gateTestsPass,
+  runPostFlightGates,
+  
+  // Utilities
+  formatGateResults,
+  shouldAutoApply,
+  
+  // Constants
+  DEFAULT_THRESHOLDS,
+};