@vibecheckai/cli 3.7.0 → 3.9.0

package/bin/runners/lib/safelist/store.js

@@ -0,0 +1,438 @@
+/**
+ * vibecheck safelist - Storage & Persistence
+ * 
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * Handles loading, saving, and migrating safelist files
+ * ═══════════════════════════════════════════════════════════════════════════════
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const {
+  SCHEMA_VERSION,
+  SCOPE_TYPES,
+  validateSafelist,
+  createEmptySafelist,
+} = require("./schema");
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// FILE PATHS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Get safelist file paths for a project
+ * @param {string} projectRoot - Project root directory
+ * @returns {Object} Paths for repo and local safelists
+ */
+function getSafelistPaths(projectRoot) {
+  const vibecheckDir = path.join(projectRoot, ".vibecheck");
+  
+  return {
+    repo: path.join(vibecheckDir, "safelist.json"),
+    local: path.join(vibecheckDir, "safelist.local.json"),
+    legacy: path.join(vibecheckDir, "allowlist.json"),
+    dir: vibecheckDir,
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// LOADING
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Load a safelist file with error handling
+ * @param {string} filePath - Path to safelist file
+ * @returns {{ success: boolean, data: Object|null, error: string|null }}
+ */
+function loadSafelistFile(filePath) {
+  if (!fs.existsSync(filePath)) {
+    return { success: true, data: null, error: null };
+  }
+  
+  try {
+    const content = fs.readFileSync(filePath, "utf8");
+    const data = JSON.parse(content);
+    return { success: true, data, error: null };
+  } catch (err) {
+    return { 
+      success: false, 
+      data: null, 
+      error: `Failed to parse ${path.basename(filePath)}: ${err.message}` 
+    };
+  }
+}
+
+/**
+ * Load all safelists for a project (repo + local, merged)
+ * @param {string} projectRoot - Project root directory
+ * @returns {{ safelist: Object, warnings: string[], errors: string[] }}
+ */
+function loadSafelist(projectRoot) {
+  const paths = getSafelistPaths(projectRoot);
+  const warnings = [];
+  const errors = [];
+  
+  // Try to load repo safelist
+  let repoSafelist = createEmptySafelist();
+  const repoResult = loadSafelistFile(paths.repo);
+  
+  if (!repoResult.success) {
+    errors.push(repoResult.error);
+  } else if (repoResult.data) {
+    // Validate
+    const validation = validateSafelist(repoResult.data);
+    warnings.push(...validation.warnings);
+    
+    if (validation.valid) {
+      repoSafelist = repoResult.data;
+    } else {
+      errors.push(...validation.errors.map(e => `[repo] ${e}`));
+    }
+  }
+  
+  // Try to load local safelist
+  let localSafelist = createEmptySafelist();
+  const localResult = loadSafelistFile(paths.local);
+  
+  if (!localResult.success) {
+    errors.push(localResult.error);
+  } else if (localResult.data) {
+    const validation = validateSafelist(localResult.data);
+    warnings.push(...validation.warnings);
+    
+    if (validation.valid) {
+      localSafelist = localResult.data;
+    } else {
+      errors.push(...validation.errors.map(e => `[local] ${e}`));
+    }
+  }
+  
+  // Check for legacy allowlist.json and migrate
+  if (fs.existsSync(paths.legacy) && !fs.existsSync(paths.repo)) {
+    const legacyResult = loadSafelistFile(paths.legacy);
+    if (legacyResult.success && legacyResult.data) {
+      warnings.push("Found legacy allowlist.json - consider migrating with 'vibecheck safelist migrate'");
+    }
+  }
+  
+  // Merge safelists (local entries override/extend repo entries)
+  const mergedSafelist = {
+    version: SCHEMA_VERSION,
+    metadata: {
+      ...repoSafelist.metadata,
+      loadedAt: new Date().toISOString(),
+    },
+    entries: [
+      ...repoSafelist.entries.map(e => ({ ...e, _source: "repo" })),
+      ...localSafelist.entries.map(e => ({ ...e, _source: "local" })),
+    ],
+  };
+  
+  return {
+    safelist: mergedSafelist,
+    repoSafelist,
+    localSafelist,
+    warnings,
+    errors,
+    paths,
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// SAVING
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Save safelist to file
+ * @param {string} filePath - Path to save to
+ * @param {Object} safelist - Safelist data
+ * @returns {{ success: boolean, error: string|null }}
+ */
+function saveSafelistFile(filePath, safelist) {
+  try {
+    // Ensure directory exists
+    const dir = path.dirname(filePath);
+    fs.mkdirSync(dir, { recursive: true });
+    
+    // Remove internal properties before saving
+    const cleaned = {
+      ...safelist,
+      entries: safelist.entries.map(e => {
+        const { _source, ...rest } = e;
+        return rest;
+      }),
+    };
+    
+    // Update metadata
+    cleaned.metadata = {
+      ...cleaned.metadata,
+      lastModified: new Date().toISOString(),
+    };
+    
+    fs.writeFileSync(filePath, JSON.stringify(cleaned, null, 2) + "\n", "utf8");
+    return { success: true, error: null };
+  } catch (err) {
+    return { success: false, error: err.message };
+  }
+}
+
+/**
+ * Save an entry to the appropriate safelist file
+ * @param {string} projectRoot - Project root
+ * @param {Object} entry - Entry to save
+ * @param {string} scope - "repo" or "local"
+ * @returns {{ success: boolean, error: string|null }}
+ */
+function saveEntry(projectRoot, entry, scope = "repo") {
+  const paths = getSafelistPaths(projectRoot);
+  const filePath = scope === "local" ? paths.local : paths.repo;
+  
+  // Load existing
+  const result = loadSafelistFile(filePath);
+  const safelist = result.data || createEmptySafelist();
+  
+  // Add entry
+  safelist.entries.push(entry);
+  
+  // Save
+  return saveSafelistFile(filePath, safelist);
+}
+
+/**
+ * Remove an entry from safelist
+ * @param {string} projectRoot - Project root
+ * @param {string} entryId - Entry ID to remove
+ * @returns {{ success: boolean, removed: boolean, source: string|null, error: string|null }}
+ */
+function removeEntry(projectRoot, entryId) {
+  const paths = getSafelistPaths(projectRoot);
+  let removed = false;
+  let source = null;
+  
+  // Try repo safelist first
+  const repoResult = loadSafelistFile(paths.repo);
+  if (repoResult.data) {
+    const before = repoResult.data.entries.length;
+    repoResult.data.entries = repoResult.data.entries.filter(e => e.id !== entryId);
+    if (repoResult.data.entries.length < before) {
+      removed = true;
+      source = "repo";
+      const saveResult = saveSafelistFile(paths.repo, repoResult.data);
+      if (!saveResult.success) {
+        return { success: false, removed: false, source: null, error: saveResult.error };
+      }
+    }
+  }
+  
+  // Try local safelist
+  if (!removed) {
+    const localResult = loadSafelistFile(paths.local);
+    if (localResult.data) {
+      const before = localResult.data.entries.length;
+      localResult.data.entries = localResult.data.entries.filter(e => e.id !== entryId);
+      if (localResult.data.entries.length < before) {
+        removed = true;
+        source = "local";
+        const saveResult = saveSafelistFile(paths.local, localResult.data);
+        if (!saveResult.success) {
+          return { success: false, removed: false, source: null, error: saveResult.error };
+        }
+      }
+    }
+  }
+  
+  return { success: true, removed, source, error: null };
+}
+
+/**
+ * Update an existing entry
+ * @param {string} projectRoot - Project root
+ * @param {string} entryId - Entry ID to update
+ * @param {Object} updates - Fields to update
+ * @returns {{ success: boolean, updated: boolean, error: string|null }}
+ */
+function updateEntry(projectRoot, entryId, updates) {
+  const { safelist, paths } = loadSafelist(projectRoot);
+  
+  const entry = safelist.entries.find(e => e.id === entryId);
+  if (!entry) {
+    return { success: false, updated: false, error: "Entry not found" };
+  }
+  
+  // Apply updates (deep merge)
+  const updated = deepMerge(entry, updates);
+  
+  // Add audit trail
+  if (!updated.audit) updated.audit = { history: [] };
+  updated.audit.history.push({
+    action: "update",
+    timestamp: new Date().toISOString(),
+    changes: Object.keys(updates),
+    by: process.env.USER || process.env.USERNAME || "cli",
+  });
+  
+  // Determine which file to update
+  const filePath = entry._source === "local" ? paths.local : paths.repo;
+  const result = loadSafelistFile(filePath);
+  
+  if (!result.data) {
+    return { success: false, updated: false, error: "Source file not found" };
+  }
+  
+  // Update in place
+  const idx = result.data.entries.findIndex(e => e.id === entryId);
+  if (idx === -1) {
+    return { success: false, updated: false, error: "Entry not found in source file" };
+  }
+  
+  result.data.entries[idx] = updated;
+  
+  const saveResult = saveSafelistFile(filePath, result.data);
+  return { 
+    success: saveResult.success, 
+    updated: saveResult.success, 
+    error: saveResult.error 
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// MIGRATION
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Migrate legacy allowlist.json to new safelist format
+ * @param {string} projectRoot - Project root
+ * @returns {{ success: boolean, migrated: number, error: string|null }}
+ */
+function migrateLegacyAllowlist(projectRoot) {
+  const paths = getSafelistPaths(projectRoot);
+  
+  if (!fs.existsSync(paths.legacy)) {
+    return { success: true, migrated: 0, error: null };
+  }
+  
+  const legacyResult = loadSafelistFile(paths.legacy);
+  if (!legacyResult.success || !legacyResult.data) {
+    return { success: false, migrated: 0, error: legacyResult.error || "No data" };
+  }
+  
+  const legacy = legacyResult.data;
+  const newSafelist = createEmptySafelist();
+  
+  // Convert each legacy entry
+  for (const old of (legacy.entries || [])) {
+    const newEntry = {
+      id: old.id || `SL_migrated_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 6)}`,
+      type: old.pattern ? "pattern" : "finding",
+      target: {},
+      justification: {
+        reason: old.reason || "Migrated from legacy allowlist",
+        category: "false-positive",
+      },
+      owner: {
+        name: old.addedBy || "migrated",
+      },
+      scope: {
+        type: old.scope === "global" ? "repo" : (old.scope || "repo"),
+      },
+      lifecycle: {
+        createdAt: old.addedAt || new Date().toISOString(),
+        createdBy: "migration",
+        matchCount: 0,
+      },
+    };
+    
+    // Map target
+    if (old.findingId) newEntry.target.findingId = old.findingId;
+    if (old.pattern) newEntry.target.pattern = old.pattern;
+    if (old.file) newEntry.target.file = old.file;
+    if (old.lines) newEntry.target.lines = old.lines;
+    
+    // Map expiration
+    if (old.expiresAt) {
+      newEntry.lifecycle.expiresAt = old.expiresAt;
+    }
+    
+    newSafelist.entries.push(newEntry);
+  }
+  
+  // Save new safelist
+  const saveResult = saveSafelistFile(paths.repo, newSafelist);
+  if (!saveResult.success) {
+    return { success: false, migrated: 0, error: saveResult.error };
+  }
+  
+  // Rename legacy file
+  try {
+    fs.renameSync(paths.legacy, paths.legacy + ".migrated");
+  } catch {
+    // Ignore rename errors
+  }
+  
+  return { success: true, migrated: newSafelist.entries.length, error: null };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// UTILITIES
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Deep merge objects
+ */
+function deepMerge(target, source) {
+  const result = { ...target };
+  
+  for (const key of Object.keys(source)) {
+    if (source[key] && typeof source[key] === "object" && !Array.isArray(source[key])) {
+      result[key] = deepMerge(target[key] || {}, source[key]);
+    } else {
+      result[key] = source[key];
+    }
+  }
+  
+  return result;
+}
+
+/**
+ * Ensure .gitignore includes local safelist
+ * @param {string} projectRoot - Project root
+ */
+function ensureGitIgnore(projectRoot) {
+  const gitignorePath = path.join(projectRoot, ".gitignore");
+  const localSafelistPattern = ".vibecheck/safelist.local.json";
+  
+  try {
+    let content = "";
+    if (fs.existsSync(gitignorePath)) {
+      content = fs.readFileSync(gitignorePath, "utf8");
+    }
+    
+    if (!content.includes(localSafelistPattern)) {
+      const addition = `\n# vibecheck local safelist (machine-specific)\n${localSafelistPattern}\n`;
+      fs.appendFileSync(gitignorePath, addition);
+      return true;
+    }
+  } catch {
+    // Ignore errors
+  }
+  
+  return false;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+module.exports = {
+  getSafelistPaths,
+  loadSafelistFile,
+  loadSafelist,
+  saveSafelistFile,
+  saveEntry,
+  removeEntry,
+  updateEntry,
+  migrateLegacyAllowlist,
+  ensureGitIgnore,
+};

package/bin/runners/lib/schemas/ship-manifest.schema.json

@@ -0,0 +1,251 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "vibecheck/ship-manifest/v1",
+  "title": "Ship Manifest",
+  "description": "Vibecheck Ship Manifest - The authoritative artifact for ship verdicts",
+  "type": "object",
+  "required": ["version", "schema", "verdict", "repo", "evidence", "checks", "meta", "signature"],
+  "properties": {
+    "version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+\\.\\d+$",
+      "description": "Manifest format version (semver)"
+    },
+    "schema": {
+      "type": "string",
+      "const": "vibecheck/ship-manifest/v1",
+      "description": "Schema identifier"
+    },
+    "verdict": {
+      "type": "object",
+      "required": ["status", "exitCode", "score", "ciStatus", "canShip"],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": ["SHIP", "WARN", "BLOCK"],
+          "description": "Final verdict"
+        },
+        "exitCode": {
+          "type": "integer",
+          "minimum": 0,
+          "maximum": 10,
+          "description": "CLI exit code (0=SHIP, 1=WARN, 2=BLOCK)"
+        },
+        "score": {
+          "type": "integer",
+          "minimum": 0,
+          "maximum": 100,
+          "description": "Quality score out of 100"
+        },
+        "ciStatus": {
+          "type": "string",
+          "enum": ["success", "warning", "failure"],
+          "description": "CI status string"
+        },
+        "canShip": {
+          "type": "boolean",
+          "description": "Whether the code is ready to ship"
+        }
+      },
+      "additionalProperties": false
+    },
+    "repo": {
+      "type": "object",
+      "required": ["root", "name", "fingerprint", "commit", "branch", "isDirty"],
+      "properties": {
+        "root": {
+          "type": "string",
+          "description": "Absolute path to repository root"
+        },
+        "name": {
+          "type": "string",
+          "maxLength": 100,
+          "description": "Repository name"
+        },
+        "fingerprint": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{32}$",
+          "description": "Deterministic repo state fingerprint"
+        },
+        "commit": {
+          "type": "string",
+          "description": "Git commit hash (12 chars) or 'unknown'"
+        },
+        "branch": {
+          "type": "string",
+          "description": "Git branch name or 'unknown'"
+        },
+        "treeHash": {
+          "type": "string",
+          "description": "Git tree hash (12 chars) or 'unknown'"
+        },
+        "isDirty": {
+          "type": "boolean",
+          "description": "Whether working tree has uncommitted changes"
+        },
+        "gitAvailable": {
+          "type": "boolean",
+          "description": "Whether git was available for fingerprinting"
+        }
+      },
+      "additionalProperties": false
+    },
+    "evidence": {
+      "type": "object",
+      "required": ["summary", "whyTree", "coverage"],
+      "properties": {
+        "summary": {
+          "type": "object",
+          "required": ["total", "blockers", "warnings", "info"],
+          "properties": {
+            "total": { "type": "integer", "minimum": 0 },
+            "blockers": { "type": "integer", "minimum": 0 },
+            "warnings": { "type": "integer", "minimum": 0 },
+            "info": { "type": "integer", "minimum": 0 }
+          },
+          "additionalProperties": false
+        },
+        "whyTree": {
+          "type": "object",
+          "required": ["summary", "topIssues", "fixMissions"],
+          "properties": {
+            "summary": { "type": "string" },
+            "topIssues": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "required": ["id", "category", "title"],
+                "properties": {
+                  "id": { "type": "string", "maxLength": 64 },
+                  "category": { "type": "string", "maxLength": 50 },
+                  "title": { "type": "string", "maxLength": 500 },
+                  "why": { "type": ["string", "null"], "maxLength": 1000 },
+                  "evidence": {
+                    "type": ["object", "null"],
+                    "properties": {
+                      "file": { "type": ["string", "null"] },
+                      "lines": { "type": ["string", "null"] },
+                      "snippet": { "type": ["string", "null"] },
+                      "kind": { "type": "string" }
+                    }
+                  },
+                  "fixHint": { "type": ["string", "null"] }
+                }
+              },
+              "maxItems": 10
+            },
+            "fixMissions": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "target": { "type": "string" },
+                  "action": { "type": "string" },
+                  "priority": { "type": "string", "enum": ["critical", "recommended"] }
+                }
+              },
+              "maxItems": 10
+            }
+          }
+        },
+        "coverage": {
+          "type": "object",
+          "properties": {
+            "routeCoverage": { "type": "number", "minimum": 0, "maximum": 100 },
+            "envCoverage": { "type": "number", "minimum": 0, "maximum": 100 },
+            "authCoverage": { "type": ["number", "null"] },
+            "runtimeCoverage": { "type": ["number", "null"] }
+          }
+        }
+      }
+    },
+    "checks": {
+      "type": "object",
+      "required": ["audit", "reality", "shield"],
+      "properties": {
+        "audit": {
+          "type": "object",
+          "required": ["ran", "findingsCount"],
+          "properties": {
+            "ran": { "type": "boolean" },
+            "findingsCount": { "type": "integer", "minimum": 0 },
+            "truthpackHash": { "type": ["string", "null"] }
+          }
+        },
+        "reality": {
+          "type": "object",
+          "required": ["ran", "actionsCount", "requestsCount"],
+          "properties": {
+            "ran": { "type": "boolean" },
+            "actionsCount": { "type": "integer", "minimum": 0 },
+            "requestsCount": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "shield": {
+          "type": "object",
+          "required": ["ran", "mode", "enforcing", "locked"],
+          "properties": {
+            "ran": { "type": "boolean" },
+            "mode": { "type": "string" },
+            "enforcing": { "type": "boolean" },
+            "locked": { "type": "boolean" }
+          }
+        }
+      }
+    },
+    "meta": {
+      "type": "object",
+      "required": ["generatedAt", "durationMs", "tool", "toolVersion"],
+      "properties": {
+        "generatedAt": {
+          "type": "string",
+          "format": "date-time",
+          "description": "ISO 8601 timestamp"
+        },
+        "durationMs": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Evaluation duration in milliseconds"
+        },
+        "tool": {
+          "type": "string",
+          "const": "vibecheck"
+        },
+        "toolVersion": {
+          "type": "string",
+          "description": "Vibecheck version"
+        },
+        "platform": {
+          "type": "string",
+          "description": "Platform identifier (os-arch)"
+        },
+        "nodeVersion": {
+          "type": "string",
+          "description": "Node.js version"
+        }
+      }
+    },
+    "signature": {
+      "type": "object",
+      "required": ["algorithm", "digest", "verifiable"],
+      "properties": {
+        "algorithm": {
+          "type": "string",
+          "enum": ["sha256"],
+          "description": "Signature algorithm"
+        },
+        "digest": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{32}$",
+          "description": "Signature digest"
+        },
+        "verifiable": {
+          "type": "boolean",
+          "description": "Whether signature can be verified"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  "additionalProperties": false
+}