@vibecheckai/cli 3.7.0 → 3.9.0

package/bin/runners/lib/agent-firewall/enforcement/proof-artifact.js

@@ -0,0 +1,418 @@
+/**
+ * Proof Artifact System - Reality Mode Integration
+ * 
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * AGENT FIREWALL™ - REALITY PROOF SYSTEM
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * 
+ * After intent-aligned changes pass structural checks:
+ * - Trigger Reality Mode execution
+ * - Verify routes are reachable
+ * - Verify auth gates are enforced
+ * - Verify UI success paths are actually reachable
+ * - Verify no dead code paths remain
+ * 
+ * Generate Proof Artifacts:
+ * - proof.id
+ * - proof.type (route | auth | ui | integration)
+ * - proof.status (verified | failed)
+ * - proof.trace (pointer or reference)
+ * 
+ * If ANY required proof fails → BLOCK SHIP.
+ * 
+ * @module enforcement/proof-artifact
+ * @version 2.0.0
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+
+/**
+ * Proof types
+ */
+const PROOF_TYPE = {
+  ROUTE: "route",
+  AUTH: "auth",
+  UI: "ui",
+  INTEGRATION: "integration",
+  ENV: "env",
+  CONTRACT: "contract",
+  SIDE_EFFECT: "side_effect",
+};
+
+/**
+ * Proof status
+ */
+const PROOF_STATUS = {
+  VERIFIED: "verified",
+  FAILED: "failed",
+  PENDING: "pending",
+  SKIPPED: "skipped",
+};
+
+/**
+ * Generate proof ID
+ * @param {string} type - Proof type
+ * @returns {string} Unique proof ID
+ */
+function generateProofId(type) {
+  return `prf-${type.slice(0, 3)}-${Date.now().toString(36)}-${crypto.randomBytes(3).toString("hex")}`;
+}
+
+/**
+ * Proof Artifact
+ * @typedef {Object} ProofArtifact
+ * @property {string} id - Unique proof identifier
+ * @property {string} type - Type of proof
+ * @property {string} status - Verification status
+ * @property {string} target - What was verified
+ * @property {string} trace - Reference to evidence
+ * @property {string} timestamp - When proof was generated
+ * @property {Object} details - Type-specific details
+ * @property {string} error - Error message if failed
+ */
+
+/**
+ * Create a proof artifact
+ * @param {Object} params - Proof parameters
+ * @param {string} params.type - Proof type
+ * @param {string} params.status - Verification status
+ * @param {string} params.target - What was verified
+ * @param {string} params.trace - Reference to evidence
+ * @param {Object} params.details - Additional details
+ * @param {string} params.error - Error message if failed
+ * @returns {ProofArtifact} Proof artifact
+ */
+function createProofArtifact({
+  type,
+  status,
+  target,
+  trace = null,
+  details = {},
+  error = null,
+}) {
+  return {
+    id: generateProofId(type),
+    type,
+    status,
+    target,
+    trace,
+    timestamp: new Date().toISOString(),
+    details,
+    error,
+  };
+}
+
+/**
+ * Create route reachability proof
+ * @param {string} method - HTTP method
+ * @param {string} path - Route path
+ * @param {Object} result - Verification result
+ * @returns {ProofArtifact} Proof artifact
+ */
+function createRouteProof(method, path, result) {
+  return createProofArtifact({
+    type: PROOF_TYPE.ROUTE,
+    status: result.reachable ? PROOF_STATUS.VERIFIED : PROOF_STATUS.FAILED,
+    target: `${method} ${path}`,
+    trace: result.trace || result.file,
+    details: {
+      method,
+      path,
+      statusCode: result.statusCode,
+      responseTime: result.responseTime,
+      handler: result.handler,
+    },
+    error: result.reachable ? null : (result.error || "Route not reachable"),
+  });
+}
+
+/**
+ * Create auth gate proof
+ * @param {string} route - Route being protected
+ * @param {Object} result - Verification result
+ * @returns {ProofArtifact} Proof artifact
+ */
+function createAuthProof(route, result) {
+  return createProofArtifact({
+    type: PROOF_TYPE.AUTH,
+    status: result.enforced ? PROOF_STATUS.VERIFIED : PROOF_STATUS.FAILED,
+    target: route,
+    trace: result.trace || result.middlewareFile,
+    details: {
+      middleware: result.middleware,
+      authType: result.authType,
+      roles: result.roles,
+      unauthenticatedBlocked: result.unauthenticatedBlocked,
+      unauthorizedBlocked: result.unauthorizedBlocked,
+    },
+    error: result.enforced ? null : (result.error || "Auth gate not properly enforced"),
+  });
+}
+
+/**
+ * Create UI success path proof
+ * @param {string} component - UI component/path
+ * @param {Object} result - Verification result
+ * @returns {ProofArtifact} Proof artifact
+ */
+function createUIProof(component, result) {
+  return createProofArtifact({
+    type: PROOF_TYPE.UI,
+    status: result.reachable ? PROOF_STATUS.VERIFIED : PROOF_STATUS.FAILED,
+    target: component,
+    trace: result.trace || result.screenshot,
+    details: {
+      selector: result.selector,
+      url: result.url,
+      stateRequired: result.stateRequired,
+      backendCalled: result.backendCalled,
+      screenshotPath: result.screenshotPath,
+    },
+    error: result.reachable ? null : (result.error || "UI success path not reachable"),
+  });
+}
+
+/**
+ * Create integration proof
+ * @param {string} integration - Integration name
+ * @param {Object} result - Verification result
+ * @returns {ProofArtifact} Proof artifact
+ */
+function createIntegrationProof(integration, result) {
+  return createProofArtifact({
+    type: PROOF_TYPE.INTEGRATION,
+    status: result.working ? PROOF_STATUS.VERIFIED : PROOF_STATUS.FAILED,
+    target: integration,
+    trace: result.trace,
+    details: {
+      endpoint: result.endpoint,
+      requestSent: result.requestSent,
+      responseReceived: result.responseReceived,
+      dataFlowVerified: result.dataFlowVerified,
+    },
+    error: result.working ? null : (result.error || "Integration not working"),
+  });
+}
+
+/**
+ * Create env var proof
+ * @param {string} varName - Environment variable name
+ * @param {Object} result - Verification result
+ * @returns {ProofArtifact} Proof artifact
+ */
+function createEnvProof(varName, result) {
+  return createProofArtifact({
+    type: PROOF_TYPE.ENV,
+    status: result.exists ? PROOF_STATUS.VERIFIED : PROOF_STATUS.FAILED,
+    target: varName,
+    trace: result.source,
+    details: {
+      declaredIn: result.declaredIn,
+      usedIn: result.usedIn,
+      hasValue: result.hasValue,
+      isSecret: result.isSecret,
+    },
+    error: result.exists ? null : `Environment variable ${varName} not declared or missing`,
+  });
+}
+
+/**
+ * Create contract proof (API schema validation)
+ * @param {string} endpoint - API endpoint
+ * @param {Object} result - Verification result
+ * @returns {ProofArtifact} Proof artifact
+ */
+function createContractProof(endpoint, result) {
+  return createProofArtifact({
+    type: PROOF_TYPE.CONTRACT,
+    status: result.valid ? PROOF_STATUS.VERIFIED : PROOF_STATUS.FAILED,
+    target: endpoint,
+    trace: result.schemaPath,
+    details: {
+      schemaVersion: result.schemaVersion,
+      requestValid: result.requestValid,
+      responseValid: result.responseValid,
+      missingFields: result.missingFields,
+      extraFields: result.extraFields,
+    },
+    error: result.valid ? null : (result.error || "Contract validation failed"),
+  });
+}
+
+/**
+ * Proof Collection - aggregates all proofs for a change
+ */
+class ProofCollection {
+  constructor() {
+    this.proofs = [];
+    this.required = new Set();
+  }
+  
+  /**
+   * Add a proof to the collection
+   * @param {ProofArtifact} proof - Proof to add
+   */
+  add(proof) {
+    this.proofs.push(proof);
+  }
+  
+  /**
+   * Mark a proof type as required
+   * @param {string} type - Proof type
+   */
+  require(type) {
+    this.required.add(type);
+  }
+  
+  /**
+   * Check if all required proofs are verified
+   * @returns {Object} Verification result
+   */
+  checkRequired() {
+    const missing = [];
+    const failed = [];
+    
+    for (const type of this.required) {
+      const proofsOfType = this.proofs.filter(p => p.type === type);
+      
+      if (proofsOfType.length === 0) {
+        missing.push(type);
+      } else {
+        const failedProofs = proofsOfType.filter(p => p.status === PROOF_STATUS.FAILED);
+        if (failedProofs.length > 0) {
+          failed.push(...failedProofs);
+        }
+      }
+    }
+    
+    return {
+      satisfied: missing.length === 0 && failed.length === 0,
+      missing,
+      failed,
+    };
+  }
+  
+  /**
+   * Get all proofs
+   * @returns {ProofArtifact[]} All proofs
+   */
+  getAll() {
+    return this.proofs;
+  }
+  
+  /**
+   * Get proofs by type
+   * @param {string} type - Proof type
+   * @returns {ProofArtifact[]} Proofs of specified type
+   */
+  getByType(type) {
+    return this.proofs.filter(p => p.type === type);
+  }
+  
+  /**
+   * Get failed proofs
+   * @returns {ProofArtifact[]} Failed proofs
+   */
+  getFailed() {
+    return this.proofs.filter(p => p.status === PROOF_STATUS.FAILED);
+  }
+  
+  /**
+   * Get verified proofs
+   * @returns {ProofArtifact[]} Verified proofs
+   */
+  getVerified() {
+    return this.proofs.filter(p => p.status === PROOF_STATUS.VERIFIED);
+  }
+  
+  /**
+   * Get summary
+   * @returns {Object} Summary object
+   */
+  getSummary() {
+    const total = this.proofs.length;
+    const verified = this.getVerified().length;
+    const failed = this.getFailed().length;
+    const pending = this.proofs.filter(p => p.status === PROOF_STATUS.PENDING).length;
+    
+    return {
+      total,
+      verified,
+      failed,
+      pending,
+      required: Array.from(this.required),
+      satisfied: this.checkRequired().satisfied,
+    };
+  }
+  
+  /**
+   * Export as JSON
+   * @returns {Object} JSON representation
+   */
+  toJSON() {
+    return {
+      proofs: this.proofs,
+      required: Array.from(this.required),
+      summary: this.getSummary(),
+      timestamp: new Date().toISOString(),
+    };
+  }
+}
+
+/**
+ * Determine required proofs based on change types
+ * @param {Object[]} claims - Extracted claims from change
+ * @param {Object} intent - Intent declaration
+ * @returns {string[]} Array of required proof types
+ */
+function determineRequiredProofs(claims, intent) {
+  const required = new Set();
+  
+  for (const claim of claims) {
+    switch (claim.type) {
+      case "route":
+        required.add(PROOF_TYPE.ROUTE);
+        break;
+      case "auth_boundary":
+        required.add(PROOF_TYPE.AUTH);
+        break;
+      case "ui_success_claim":
+        required.add(PROOF_TYPE.UI);
+        break;
+      case "http_call":
+        required.add(PROOF_TYPE.INTEGRATION);
+        break;
+      case "env_used":
+        required.add(PROOF_TYPE.ENV);
+        break;
+      case "data_contract":
+        required.add(PROOF_TYPE.CONTRACT);
+        break;
+    }
+  }
+  
+  // Intent can specify additional required proofs
+  if (intent?.verification?.requiresRealityCheck) {
+    required.add(PROOF_TYPE.UI);
+    required.add(PROOF_TYPE.ROUTE);
+  }
+  
+  return Array.from(required);
+}
+
+module.exports = {
+  PROOF_TYPE,
+  PROOF_STATUS,
+  generateProofId,
+  createProofArtifact,
+  createRouteProof,
+  createAuthProof,
+  createUIProof,
+  createIntegrationProof,
+  createEnvProof,
+  createContractProof,
+  ProofCollection,
+  determineRequiredProofs,
+};

package/bin/runners/lib/agent-firewall/enforcement/schemas/change-event.schema.json

@@ -0,0 +1,173 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://vibecheckai.dev/schemas/change-event/v3",
+  "title": "Agent Firewall Change Event Schema v3",
+  "description": "Represents a single atomic change intercepted by the firewall",
+  "type": "object",
+  "required": ["id", "type", "timestamp", "source"],
+  "properties": {
+    "id": {
+      "type": "string",
+      "pattern": "^chg-[a-z0-9]{8,}$",
+      "description": "Unique change event ID"
+    },
+    "type": {
+      "enum": [
+        "file_write",
+        "file_create",
+        "file_delete",
+        "file_rename",
+        "route_add",
+        "route_modify",
+        "route_delete",
+        "env_ref",
+        "env_write",
+        "permission_change",
+        "ui_state",
+        "config_change",
+        "migration",
+        "dependency_add",
+        "dependency_remove"
+      ]
+    },
+    "source": {
+      "type": "object",
+      "required": ["agent_id", "interception_point"],
+      "properties": {
+        "agent_id": {
+          "type": "string",
+          "description": "Agent that generated the change (cursor, windsurf, copilot, etc)"
+        },
+        "interception_point": {
+          "enum": ["mcp_tool", "fs_hook", "git_hook", "ide_hook", "cli"],
+          "description": "Where the change was intercepted"
+        },
+        "tool_name": {
+          "type": "string",
+          "description": "MCP tool name if applicable"
+        },
+        "session_id": {
+          "type": "string"
+        }
+      }
+    },
+    "location": {
+      "type": "string",
+      "description": "File path, route path, or component identifier"
+    },
+    "diff": {
+      "type": "object",
+      "properties": {
+        "before": { "type": "string" },
+        "after": { "type": "string" },
+        "unified": { "type": "string" },
+        "lines_added": { "type": "integer" },
+        "lines_removed": { "type": "integer" },
+        "hunks": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "start_line": { "type": "integer" },
+              "end_line": { "type": "integer" },
+              "content": { "type": "string" }
+            }
+          }
+        }
+      }
+    },
+    "content": {
+      "type": "string",
+      "description": "New content (for creates) or full file content"
+    },
+    "domain": {
+      "enum": ["auth", "payments", "routes", "contracts", "ui", "database", "config", "general", "tests"]
+    },
+    "claims": {
+      "type": "array",
+      "description": "Claims extracted from the change",
+      "items": {
+        "$ref": "#/definitions/Claim"
+      }
+    },
+    "code_quality": {
+      "type": "object",
+      "description": "Code quality signals detected",
+      "properties": {
+        "has_mock_data": { "type": "boolean" },
+        "has_todo": { "type": "boolean" },
+        "has_fixme": { "type": "boolean" },
+        "has_placeholder": { "type": "boolean" },
+        "has_fake_handler": { "type": "boolean" },
+        "has_console_log": { "type": "boolean" },
+        "has_any_type": { "type": "boolean" },
+        "detected_patterns": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "pattern": { "type": "string" },
+              "line": { "type": "integer" },
+              "severity": { "enum": ["block", "warn"] }
+            }
+          }
+        }
+      }
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "description": "Additional type-specific metadata",
+      "properties": {
+        "http_method": { "type": "string" },
+        "route_path": { "type": "string" },
+        "env_var_name": { "type": "string" },
+        "env_exists_in_file": { "type": "boolean" },
+        "permission_scope": { "type": "string" },
+        "migration_type": { "type": "string" }
+      }
+    }
+  },
+  "definitions": {
+    "Claim": {
+      "type": "object",
+      "required": ["type", "value", "criticality"],
+      "properties": {
+        "type": {
+          "enum": [
+            "route",
+            "env_used",
+            "env_declared",
+            "auth_boundary",
+            "auth_bypass",
+            "data_contract",
+            "http_call",
+            "ui_success_claim",
+            "side_effect",
+            "database_write",
+            "external_api"
+          ]
+        },
+        "value": {
+          "type": "string",
+          "description": "The claimed value (route path, env var name, etc)"
+        },
+        "criticality": {
+          "enum": ["hard", "soft"],
+          "description": "hard = BLOCK if unproven, soft = WARN"
+        },
+        "pointer": {
+          "type": "string",
+          "description": "File:line reference"
+        },
+        "evidence_required": {
+          "type": "boolean",
+          "description": "Whether this claim requires evidence before shipping"
+        }
+      }
+    }
+  }
+}