@vibecheckai/cli 3.7.0 → 3.9.0

package/bin/runners/lib/safelist/index.js

@@ -0,0 +1,96 @@
+/**
+ * vibecheck safelist Module Index
+ * 
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * A SCALPEL, NOT A TRASH CAN
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * 
+ * Responsible suppression of known findings with:
+ * - Required justification
+ * - Owner accountability  
+ * - Optional expiration
+ * - Audit trail
+ * - Scope control (repo-wide vs local)
+ * - Abuse prevention limits
+ * - Conflict detection
+ */
+
+"use strict";
+
+const schema = require("./schema");
+const store = require("./store");
+const matcher = require("./matcher");
+const integration = require("./integration");
+
+module.exports = {
+  // ═══════════════════════════════════════════════════════════════════════════
+  // SCHEMA & VALIDATION
+  // ═══════════════════════════════════════════════════════════════════════════
+  SCHEMA_VERSION: schema.SCHEMA_VERSION,
+  LIMITS: schema.LIMITS,
+  JUSTIFICATION_CATEGORIES: schema.JUSTIFICATION_CATEGORIES,
+  SCOPE_TYPES: schema.SCOPE_TYPES,
+  SAFELIST_COMMANDS: schema.SAFELIST_COMMANDS,
+  DANGEROUS_PATTERNS: schema.DANGEROUS_PATTERNS,
+  SafelistValidationError: schema.SafelistValidationError,
+  isDangerousPattern: schema.isDangerousPattern,
+  isValidISODate: schema.isValidISODate,
+  isValidEmail: schema.isValidEmail,
+  isValidUrl: schema.isValidUrl,
+  validateEntry: schema.validateEntry,
+  validateSafelist: schema.validateSafelist,
+  patternsOverlap: schema.patternsOverlap,
+  filesOverlap: schema.filesOverlap,
+  generateEntryId: schema.generateEntryId,
+  createEntry: schema.createEntry,
+  createEmptySafelist: schema.createEmptySafelist,
+  
+  // ═══════════════════════════════════════════════════════════════════════════
+  // STORAGE & PERSISTENCE
+  // ═══════════════════════════════════════════════════════════════════════════
+  getSafelistPaths: store.getSafelistPaths,
+  loadSafelistFile: store.loadSafelistFile,
+  loadSafelist: store.loadSafelist,
+  saveSafelistFile: store.saveSafelistFile,
+  saveEntry: store.saveEntry,
+  removeEntry: store.removeEntry,
+  updateEntry: store.updateEntry,
+  migrateLegacyAllowlist: store.migrateLegacyAllowlist,
+  ensureGitIgnore: store.ensureGitIgnore,
+  
+  // ═══════════════════════════════════════════════════════════════════════════
+  // MATCHING & FILTERING
+  // ═══════════════════════════════════════════════════════════════════════════
+  matchEntry: matcher.matchEntry,
+  isSuppressed: matcher.isSuppressed,
+  filterFindings: matcher.filterFindings,
+  previewSuppression: matcher.previewSuppression,
+  findUnusedEntries: matcher.findUnusedEntries,
+  calculateConfidence: matcher.calculateConfidence,
+  
+  // ═══════════════════════════════════════════════════════════════════════════
+  // LIFECYCLE MANAGEMENT
+  // ═══════════════════════════════════════════════════════════════════════════
+  updateMatchCounts: matcher.updateMatchCounts,
+  getExpiringSoon: matcher.getExpiringSoon,
+  getDueForReview: matcher.getDueForReview,
+  getExpired: matcher.getExpired,
+  getUnused: matcher.getUnused,
+  
+  // ═══════════════════════════════════════════════════════════════════════════
+  // UTILITIES
+  // ═══════════════════════════════════════════════════════════════════════════
+  normalizePath: matcher.normalizePath,
+  matchGlob: matcher.matchGlob,
+  matchBranch: matcher.matchBranch,
+  getCachedRegex: matcher.getCachedRegex,
+  
+  // ═══════════════════════════════════════════════════════════════════════════
+  // INTEGRATION (for audit, ship, scan, etc.)
+  // ═══════════════════════════════════════════════════════════════════════════
+  applySafelist: integration.applySafelist,
+  calculateHealth: integration.calculateHealth,
+  formatSuppressedFindings: integration.formatSuppressedFindings,
+  getSafelistSummary: integration.getSafelistSummary,
+  quickSuppress: integration.quickSuppress,
+};

package/bin/runners/lib/safelist/integration.js

@@ -0,0 +1,334 @@
+/**
+ * vibecheck safelist - Integration Hooks
+ * 
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * Provides integration points for other commands (audit, ship, scan, etc.)
+ * to apply safelist filtering and report suppressed findings.
+ * ═══════════════════════════════════════════════════════════════════════════════
+ */
+
+"use strict";
+
+const { loadSafelist, updateEntry } = require("./store");
+const { filterFindings, getExpired, getExpiringSoon, getDueForReview } = require("./matcher");
+const { SAFELIST_COMMANDS } = require("./schema");
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// INTEGRATION API
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Apply safelist filtering to findings
+ * This is the main integration point for other commands.
+ * 
+ * @param {Array} findings - Findings to filter
+ * @param {Object} options - Options
+ * @param {string} options.projectRoot - Project root directory
+ * @param {string} options.command - Command name (e.g., "audit", "ship")
+ * @param {string} [options.branch] - Current git branch
+ * @param {boolean} [options.updateMatchCounts=true] - Update match counts in safelist
+ * @param {boolean} [options.includeHealthWarnings=true] - Include safelist health warnings
+ * @returns {{ 
+ *   active: Array, 
+ *   suppressed: Array, 
+ *   stats: Object, 
+ *   warnings: string[], 
+ *   safelistHealth: Object 
+ * }}
+ */
+function applySafelist(findings, options = {}) {
+  const {
+    projectRoot = process.cwd(),
+    command = "audit",
+    branch = null,
+    updateMatchCounts = true,
+    includeHealthWarnings = true,
+  } = options;
+  
+  // Check if command supports safelist
+  if (!SAFELIST_COMMANDS.includes(command)) {
+    return {
+      active: findings,
+      suppressed: [],
+      stats: { total: findings.length, active: findings.length, suppressed: 0 },
+      warnings: [],
+      safelistHealth: null,
+    };
+  }
+  
+  // Load safelist
+  const { 
+    safelist, 
+    warnings: loadWarnings, 
+    errors: loadErrors 
+  } = loadSafelist(projectRoot);
+  
+  const warnings = [...loadWarnings];
+  
+  // Handle load errors gracefully - don't fail, just don't filter
+  if (loadErrors.length > 0) {
+    warnings.push(...loadErrors.map(e => `Safelist load error: ${e}`));
+    return {
+      active: findings,
+      suppressed: [],
+      stats: { total: findings.length, active: findings.length, suppressed: 0 },
+      warnings,
+      safelistHealth: { status: "error", errors: loadErrors },
+    };
+  }
+  
+  // No entries? Skip filtering
+  if (!safelist.entries || safelist.entries.length === 0) {
+    return {
+      active: findings,
+      suppressed: [],
+      stats: { total: findings.length, active: findings.length, suppressed: 0 },
+      warnings: [],
+      safelistHealth: { status: "empty", entries: 0 },
+    };
+  }
+  
+  // Apply filtering
+  const { active, suppressed, stats } = filterFindings(findings, safelist, {
+    command,
+    branch,
+    projectRoot,
+  });
+  
+  // Update match counts if requested
+  if (updateMatchCounts && stats.matchedEntries && stats.matchedEntries.length > 0) {
+    const now = new Date().toISOString();
+    
+    for (const entryId of stats.matchedEntries) {
+      const entry = safelist.entries.find(e => e.id === entryId);
+      if (entry) {
+        try {
+          updateEntry(projectRoot, entryId, {
+            lifecycle: {
+              lastMatchedAt: now,
+              matchCount: (entry.lifecycle?.matchCount || 0) + stats.byEntry[entryId],
+            },
+          });
+        } catch {
+          // Ignore update errors - non-critical
+        }
+      }
+    }
+  }
+  
+  // Calculate safelist health
+  const safelistHealth = calculateHealth(safelist, includeHealthWarnings ? warnings : []);
+  
+  return {
+    active,
+    suppressed,
+    stats,
+    warnings,
+    safelistHealth,
+  };
+}
+
+/**
+ * Calculate safelist health metrics
+ */
+function calculateHealth(safelist, warnings = []) {
+  const expired = getExpired(safelist);
+  const expiringSoon = getExpiringSoon(safelist);
+  const dueForReview = getDueForReview(safelist);
+  
+  let status = "healthy";
+  
+  if (expired.length > 0) {
+    status = "needs-attention";
+    warnings.push(`${expired.length} safelist entries have expired - run 'vibecheck safelist clean'`);
+  }
+  
+  if (expiringSoon.length > 0) {
+    warnings.push(`${expiringSoon.length} safelist entries expiring within 7 days`);
+  }
+  
+  if (dueForReview.length > 0) {
+    status = "needs-attention";
+    warnings.push(`${dueForReview.length} safelist entries are due for review`);
+  }
+  
+  return {
+    status,
+    entries: safelist.entries.length,
+    expired: expired.length,
+    expiringSoon: expiringSoon.length,
+    dueForReview: dueForReview.length,
+  };
+}
+
+/**
+ * Format suppressed findings for output
+ * 
+ * @param {Array} suppressed - Suppressed findings
+ * @param {Object} options - Formatting options
+ * @returns {string} Formatted output
+ */
+function formatSuppressedFindings(suppressed, options = {}) {
+  const { 
+    format = "text", 
+    verbose = false,
+    maxItems = 10,
+  } = options;
+  
+  if (suppressed.length === 0) {
+    return "";
+  }
+  
+  if (format === "json") {
+    return JSON.stringify({
+      suppressedCount: suppressed.length,
+      suppressed: suppressed.slice(0, verbose ? Infinity : maxItems).map(f => ({
+        id: f.id,
+        message: f.message,
+        file: f.file,
+        line: f.line,
+        suppressedBy: f._suppression?.entryId,
+        reason: f._suppression?.reason,
+        category: f._suppression?.category,
+        owner: f._suppression?.owner,
+      })),
+    }, null, 2);
+  }
+  
+  // Text format
+  const lines = [];
+  lines.push("");
+  lines.push("╔══════════════════════════════════════════════════════════════════════════════╗");
+  lines.push("║  🔇 SUPPRESSED FINDINGS                                                       ║");
+  lines.push("╚══════════════════════════════════════════════════════════════════════════════╝");
+  lines.push("");
+  lines.push(`  ${suppressed.length} finding(s) suppressed by safelist entries.`);
+  lines.push("");
+  
+  const displayItems = verbose ? suppressed : suppressed.slice(0, maxItems);
+  
+  // Group by entry
+  const byEntry = {};
+  for (const finding of displayItems) {
+    const entryId = finding._suppression?.entryId || "unknown";
+    if (!byEntry[entryId]) {
+      byEntry[entryId] = {
+        entry: finding._suppression,
+        findings: [],
+      };
+    }
+    byEntry[entryId].findings.push(finding);
+  }
+  
+  for (const [entryId, group] of Object.entries(byEntry)) {
+    lines.push(`  ┌─ ${entryId} (${group.entry?.category || "unknown"})`);
+    lines.push(`  │  Reason: ${group.entry?.reason || "No reason"}`);
+    lines.push(`  │  Owner: ${group.entry?.owner || "Unknown"}`);
+    lines.push(`  │`);
+    
+    for (const finding of group.findings.slice(0, 5)) {
+      const loc = finding.file ? `${finding.file}${finding.line ? `:${finding.line}` : ""}` : "unknown";
+      lines.push(`  │  • ${finding.id || finding.type}: ${(finding.message || "").substring(0, 50)}...`);
+      lines.push(`  │    at ${loc}`);
+    }
+    
+    if (group.findings.length > 5) {
+      lines.push(`  │  ... and ${group.findings.length - 5} more`);
+    }
+    
+    lines.push(`  └────────────────────────────────────────`);
+    lines.push("");
+  }
+  
+  if (!verbose && suppressed.length > maxItems) {
+    lines.push(`  ... and ${suppressed.length - maxItems} more suppressed findings.`);
+    lines.push(`  Run with --verbose to see all, or use 'vibecheck safelist list' to review entries.`);
+    lines.push("");
+  }
+  
+  return lines.join("\n");
+}
+
+/**
+ * Get a summary of safelist status for CLI output
+ */
+function getSafelistSummary(projectRoot) {
+  const { safelist, warnings, errors } = loadSafelist(projectRoot);
+  
+  if (errors.length > 0) {
+    return {
+      status: "error",
+      message: `Safelist error: ${errors[0]}`,
+      entries: 0,
+    };
+  }
+  
+  const health = calculateHealth(safelist, []);
+  
+  return {
+    status: health.status,
+    message: health.status === "healthy" 
+      ? `${safelist.entries.length} safelist entries active`
+      : `Safelist needs attention (${health.expired} expired, ${health.dueForReview} due for review)`,
+    entries: safelist.entries.length,
+    expired: health.expired,
+    expiringSoon: health.expiringSoon,
+    dueForReview: health.dueForReview,
+  };
+}
+
+/**
+ * Create a quick suppression entry (for inline suppression from CLI)
+ * This is a convenience function for rapid safelist entry creation.
+ * 
+ * @param {Object} finding - Finding to suppress
+ * @param {Object} options - Options
+ * @returns {{ success: boolean, entryId: string|null, error: string|null }}
+ */
+function quickSuppress(finding, options = {}) {
+  const {
+    projectRoot = process.cwd(),
+    reason = "Manually suppressed via CLI",
+    category = "false-positive",
+    owner = process.env.USER || process.env.USERNAME || "cli",
+    scope = "repo",
+    expires = null,
+  } = options;
+  
+  const { createEntry } = require("./schema");
+  const { saveEntry } = require("./store");
+  
+  try {
+    const entry = createEntry({
+      type: "finding",
+      findingId: finding.id,
+      reason,
+      category,
+      ownerName: owner,
+      scopeType: scope,
+      expiresIn: expires,
+    });
+    
+    const result = saveEntry(projectRoot, entry, scope);
+    
+    if (result.success) {
+      return { success: true, entryId: entry.id, error: null };
+    } else {
+      return { success: false, entryId: null, error: result.error };
+    }
+  } catch (err) {
+    return { success: false, entryId: null, error: err.message };
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+module.exports = {
+  applySafelist,
+  calculateHealth,
+  formatSuppressedFindings,
+  getSafelistSummary,
+  quickSuppress,
+};