arcvision 0.2.14 → 0.2.15

package/src/core/change-evaluator.js.backup

@@ -0,0 +1,424 @@
+/**
+ * Change Impact Evaluator
+ * Connects existing ArcVision data to invariants
+ */
+
+/**
+ * Evaluates changes against registered invariants
+ */
+function evaluateChange(input) {
+  // Validate input
+  if (!input) {
+    return createErrorResult('Invalid input: input object is required');
+  }
+
+  const { changedFiles, dependencyGraph, invariants, context } = input;
+  
+  // Validate required parameters with enhanced checks
+  if (!Array.isArray(changedFiles)) {
+    return createErrorResult('Invalid input: changedFiles must be an array');
+  }
+  
+  if (!dependencyGraph) {
+    return createErrorResult('Invalid input: dependencyGraph is required');
+  }
+  
+  if (!Array.isArray(invariants)) {
+    return createErrorResult('Invalid input: invariants must be an array');
+  }
+
+  try {
+    const violations = [];
+
+    // Check each invariant against the changes
+    for (const invariant of invariants) {
+      try {
+        const matchesScope = matchesInvariantScope(changedFiles, invariant);
+        
+        if (matchesScope) {
+          const isViolated = checkInvariantRule(invariant, dependencyGraph, changedFiles);
+          
+          if (isViolated) {
+            violations.push(invariant);
+          }
+        }
+      } catch (ruleError) {
+        console.warn(`Warning: Error evaluating invariant ${invariant?.id || 'unknown'}:`, ruleError.message);
+        // Continue with other invariants instead of failing completely
+      }
+    }
+
+    // Determine decision based on violations
+    if (violations.some(v => v.severity === 'block')) {
+      return {
+        decision: 'BLOCKED',
+        violations,
+        reasons: violations.map(v => v.description || 'Unknown violation'),
+        details: calculateImpactDetails(input, violations)
+      };
+    }
+
+    if (violations.length > 0) {
+      return {
+        decision: 'RISKY',
+        violations,
+        reasons: violations.map(v => v.description || 'Unknown violation'),
+        details: calculateImpactDetails(input, violations)
+      };
+    }
+
+    return {
+      decision: 'ALLOWED',
+      violations: [],
+      reasons: ['No invariant violations detected'],
+      details: calculateImpactDetails(input, violations)
+    };
+  } catch (error) {
+    return createErrorResult(`Evaluation failed: ${error.message}`);
+  }
+}
+
+/**
+ * Creates a standardized error result
+ */
+function createErrorResult(errorMessage) {
+  return {
+    decision: 'ERROR',
+    violations: [],
+    reasons: [errorMessage],
+    details: {
+      affectedNodes: 0,
+      blastRadiusImpact: 0,
+      authorityCoreChanges: false
+    }
+  };
+}
+
+/**
+ * Checks if changed files match the invariant's scope
+ */
+function matchesInvariantScope(changedFiles, invariant) {
+  if (!invariant || !invariant.scope) {
+    return false; // Invalid invariant, don't match
+  }
+
+  const scope = invariant.scope;
+  
+  // If no scope restrictions, always matches
+  if (!scope.files && !scope.components && !scope.flows) {
+    return true;
+  }
+
+  // Check file patterns if specified using robust pattern matcher
+  if (scope.files && Array.isArray(scope.files) && scope.files.length > 0) {
+    try {
+      const { patternMatcher } = require('./pattern-matcher');
+      return changedFiles.some(file => {
+        if (typeof file !== 'string') return false;
+        return scope.files.some(pattern => {
+          if (typeof pattern !== 'string') return false;
+          try {
+            return patternMatcher.match(file, pattern, { matchBase: true });
+          } catch (error) {
+            console.warn(`Warning: Invalid pattern "${pattern}" in invariant ${invariant.id || 'unknown'}:`, error.message);
+            return false;
+          }
+        });
+      });
+    } catch (error) {
+      console.warn(`Warning: Could not process file patterns for invariant ${invariant.id || 'unknown'}:`, error.message);
+      return false; // If pattern matching fails, don't match the scope
+    }
+  }
+
+  // Check component names if specified
+  if (scope.components && Array.isArray(scope.components) && scope.components.length > 0) {
+    try {
+      return changedFiles.some(file => {
+        if (typeof file !== 'string') return false;
+        return scope.components.some(component => {
+          if (typeof component !== 'string') return false;
+          return file.toLowerCase().includes(component.toLowerCase());
+        });
+      });
+    } catch (error) {
+      console.warn(`Warning: Could not process component patterns for invariant ${invariant.id || 'unknown'}:`, error.message);
+      return false;
+    }
+  }
+
+  // Check flow patterns if specified
+  if (scope.flows && Array.isArray(scope.flows) && scope.flows.length > 0) {
+    // Placeholder for flow matching logic
+    // This would require more sophisticated analysis of the dependency graph
+    return true;
+  }
+
+  return true;
+}
+
+/**
+ * Checks if an invariant rule is violated by the changes
+ */
+function checkInvariantRule(invariant, dependencyGraph, changedFiles) {
+  if (!invariant || !invariant.rule) {
+    return false; // Invalid invariant, no violation
+  }
+
+  try {
+    switch (invariant.rule.type) {
+      case 'dependency':
+        return checkDependencyRule(invariant, dependencyGraph, changedFiles);
+      case 'flow':
+        return checkFlowRule(invariant, dependencyGraph, changedFiles);
+      case 'ownership':
+        return checkOwnershipRule(invariant, dependencyGraph, changedFiles);
+      case 'access_control':
+        return checkAccessControlRule(invariant, dependencyGraph, changedFiles);
+      case 'data_flow':
+        return checkDataFlowRule(invariant, dependencyGraph, changedFiles);
+      default:
+        // Unknown rule types are treated as non-violating to prevent false positives
+        console.warn(`Warning: Unknown rule type "${invariant.rule.type}" in invariant ${invariant.id || 'unknown'}`);
+        return false;
+    }
+  } catch (error) {
+    console.warn(`Warning: Error checking rule for invariant ${invariant.id || 'unknown'}:`, error.message);
+    return false; // If rule check fails, treat as non-violating to avoid blocking changes unnecessarily
+  }
+}
+
+/**
+ * Generic rule checker that interprets the condition dynamically
+ */
+function checkGenericRule(condition, dependencyGraph, changedFiles) {
+  if (!condition) return false;
+  
+  try {
+    // Handle different condition types dynamically
+    if (condition.forbiddenDependency && typeof condition.forbiddenDependency === 'object') {
+      return checkForbiddenDependency(condition.forbiddenDependency, dependencyGraph, changedFiles);
+    }
+    
+    if (condition.mustExist) {
+      return checkRequirement(condition.mustExist, dependencyGraph, changedFiles);
+    }
+    
+    if (condition.mustNotExist) {
+      return checkProhibition(condition.mustNotExist, dependencyGraph, changedFiles);
+    }
+    
+    if (condition.pattern) {
+      return checkPatternMatch(condition.pattern, dependencyGraph, changedFiles);
+    }
+    
+    // Default: if condition exists and has properties, consider it potentially violated
+    return typeof condition === 'object' && Object.keys(condition).length > 0;
+  } catch (error) {
+    console.warn(`Warning: Error in generic rule check:`, error.message);
+    return false; // If generic check fails, don't treat as violation
+  }
+}
+
+/**
+ * Check dependency rule violations
+ */
+function checkDependencyRule(invariant, dependencyGraph, changedFiles) {
+  // Use the generic rule checker to interpret the condition
+  return checkGenericRule(invariant.rule.condition, dependencyGraph, changedFiles);
+}
+
+/**
+ * Check forbidden dependency specifically - more generic approach
+ */
+function checkForbiddenDependency(forbiddenDep, dependencyGraph, changedFiles) {
+  if (!forbiddenDep || typeof forbiddenDep !== 'object') {
+    return false;
+  }
+  
+  if (!forbiddenDep.from || !forbiddenDep.to) {
+    return false;
+  }
+  
+  try {
+    // Check if any changed file matches the 'from' pattern and creates dependency to 'to'
+    const { patternMatcher } = require('./pattern-matcher');
+    
+    return changedFiles.some(file => {
+      if (typeof file !== 'string') return false;
+      
+      // Check if file matches the 'from' scope using robust pattern matching
+      const matchesFrom = patternMatcher.match(file, forbiddenDep.from, { matchBase: true }) ||
+                         patternMatcher.match(file, `**/${forbiddenDep.from}/**`, { matchBase: false }) ||
+                         file.toLowerCase().includes(forbiddenDep.from.toLowerCase());
+      
+      if (matchesFrom) {
+        // Check if this file now depends on the 'to' component
+        return hasDependencyTo(dependencyGraph, file, forbiddenDep.to);
+      }
+      return false;
+    });
+  } catch (error) {
+    console.warn(`Warning: Error checking forbidden dependency:`, error.message);
+    return false; // If dependency check fails, don't block
+  }
+}
+
+/**
+ * Check general requirement
+ */
+function checkRequirement(requirement, dependencyGraph, changedFiles) {
+  // Placeholder for requirement checking logic
+  // For now, return false to avoid false positives
+  return false;
+}
+
+/**
+ * Check prohibition
+ */
+function checkProhibition(prohibition, dependencyGraph, changedFiles) {
+  // Placeholder for prohibition checking logic
+  // For now, return false to avoid false positives
+  return false;
+}
+
+/**
+ * Check pattern matching
+ */
+function checkPatternMatch(pattern, dependencyGraph, changedFiles) {
+  // Placeholder for pattern matching logic
+  // For now, return false to avoid false positives
+  return false;
+}
+
+/**
+ * Check flow rule violations
+ */
+function checkFlowRule(invariant, dependencyGraph, changedFiles) {
+  // Use the generic rule checker to interpret the condition
+  return checkGenericRule(invariant.rule.condition, dependencyGraph, changedFiles);
+}
+
+/**
+ * Check ownership rule violations
+ */
+function checkOwnershipRule(invariant, dependencyGraph, changedFiles) {
+  try {
+    // Check if changed files fall under this invariant's scope and if ownership is violated
+    if (invariant.rule.condition && invariant.scope.files) {
+      const { authorizedOwners } = invariant.rule.condition;
+      
+      if (authorizedOwners && Array.isArray(authorizedOwners)) {
+        return changedFiles.some(file => {
+          if (typeof file !== 'string') return false;
+          
+          // Check if file matches the scope
+          const matchesScope = invariant.scope.files.some(pattern => {
+            if (typeof pattern !== 'string') return false;
+            try {
+              const { patternMatcher } = require('./pattern-matcher');
+              return patternMatcher.match(file, pattern, { matchBase: true });
+            } catch (error) {
+              console.warn(`Warning: Invalid pattern "${pattern}" in ownership check:`, error.message);
+              return false;
+            }
+          });
+          
+          if (matchesScope) {
+            // Check if current owner is authorized (this would require additional context about who made the change)
+            // For now, we'll just check if the invariant has an owner specified and it's different
+            return invariant.owner && !authorizedOwners.includes(invariant.owner);
+          }
+          return false;
+        });
+      }
+    }
+  } catch (error) {
+    console.warn(`Warning: Error in ownership rule check:`, error.message);
+    return false;
+  }
+  
+  return false;
+}
+
+/**
+ * Check access control rule violations
+ */
+function checkAccessControlRule(invariant, dependencyGraph, changedFiles) {
+  // Use the generic rule checker to interpret the condition
+  return checkGenericRule(invariant.rule.condition, dependencyGraph, changedFiles);
+}
+
+/**
+ * Check data flow rule violations
+ */
+function checkDataFlowRule(invariant, dependencyGraph, changedFiles) {
+  // Use the generic rule checker to interpret the condition
+  return checkGenericRule(invariant.rule.condition, dependencyGraph, changedFiles);
+}
+
+/**
+ * Helper function to check if a file has dependency to another component
+ */
+function hasDependencyTo(dependencyGraph, fromFile, toComponent) {
+  if (typeof fromFile !== 'string' || typeof toComponent !== 'string') {
+    return false;
+  }
+  
+  try {
+    // Simplified implementation - would need to analyze actual dependency graph
+    if (dependencyGraph && dependencyGraph.edges && Array.isArray(dependencyGraph.edges)) {
+      return dependencyGraph.edges.some((edge) => {
+        if (!edge || !edge.source || !edge.target) return false;
+        
+        return edge.source === fromFile && 
+               (edge.target.includes(toComponent) || 
+                edge.target.toLowerCase().includes(toComponent.toLowerCase()));
+      });
+    }
+  } catch (error) {
+    console.warn(`Warning: Error checking dependency graph:`, error.message);
+  }
+  
+  return false;
+}
+
+/**
+ * Calculate impact details for the evaluation result
+ */
+function calculateImpactDetails(input, violations) {
+  const { changedFiles, dependencyGraph, context } = input || {};
+  
+  // Calculate affected nodes from dependency graph
+  let affectedNodes = 0;
+  if (dependencyGraph && dependencyGraph.nodes && Array.isArray(dependencyGraph.nodes)) {
+    affectedNodes = dependencyGraph.nodes.filter((node) => 
+      changedFiles && Array.isArray(changedFiles) && 
+      changedFiles.includes(node.id || node.path)
+    ).length;
+  }
+
+  // Calculate blast radius impact if available in context
+  let blastRadiusImpact = 0;
+  if (context && context.blastRadiusAnalysis) {
+    blastRadiusImpact = context.blastRadiusAnalysis.totalAffected || 0;
+  }
+
+  // Check for authority core changes
+  let authorityCoreChanges = false;
+  if (context && Array.isArray(context.authorityCores)) {
+    authorityCoreChanges = changedFiles && Array.isArray(changedFiles) && 
+      changedFiles.some(file => 
+        context.authorityCores.some((core) => core.path === file)
+      );
+  }
+
+  return {
+    affectedNodes,
+    blastRadiusImpact,
+    authorityCoreChanges
+  };
+}
+
+module.exports = { evaluateChange };function isValidInvariant(invariant) { if (!invariant || typeof invariant !== 'object') return false; if (!invariant.id || typeof invariant.id !== 'string' || invariant.id.trim().length === 0) return false; if (!invariant.system || typeof invariant.system !== 'string' || invariant.system.trim().length === 0) return false; if (!invariant.description || typeof invariant.description !== 'string' || invariant.description.trim().length === 0) return false; if (!invariant.severity || typeof invariant.severity !== 'string' || !['block', 'risk', 'BLOCK', 'RISK'].includes(invariant.severity)) return false; if (!invariant.scope || typeof invariant.scope !== 'object') return false; if (!invariant.rule || typeof invariant.rule !== 'object') return false; return true; }
+

package/src/core/change-evaluator.ts

@@ -0,0 +1,285 @@
+import { Invariant } from './invariant-registry';
+
+/**
+ * Change Impact Evaluator
+ * Connects existing ArcVision data to invariants
+ */
+export interface ChangeEvaluationInput {
+  changedFiles: string[];
+  dependencyGraph: any; // ArcVision's existing graph structure
+  invariants: Invariant[];
+  context?: any; // Additional context from ArcVision analysis
+}
+
+export interface ChangeEvaluationResult {
+  decision: 'ALLOWED' | 'RISKY' | 'BLOCKED';
+  violations: Invariant[];
+  reasons: string[];
+  details: {
+    affectedNodes: number;
+    blastRadiusImpact: number;
+    authorityCoreChanges: boolean;
+  };
+}
+
+/**
+ * Evaluates changes against registered invariants
+ */
+export function evaluateChange(input: ChangeEvaluationInput): ChangeEvaluationResult {
+  const { changedFiles, dependencyGraph, invariants } = input;
+  const violations: Invariant[] = [];
+
+  // Check each invariant against the changes
+  for (const invariant of invariants) {
+    const matchesScope = matchesInvariantScope(changedFiles, invariant);
+    
+    if (matchesScope) {
+      const isViolated = checkInvariantRule(invariant, dependencyGraph, changedFiles);
+      
+      if (isViolated) {
+        violations.push(invariant);
+      }
+    }
+  }
+
+  // Determine decision based on violations
+  if (violations.some(v => v.severity === 'block')) {
+    return {
+      decision: 'BLOCKED',
+      violations,
+      reasons: violations.map(v => v.description),
+      details: calculateImpactDetails(input, violations)
+    };
+  }
+
+  if (violations.length > 0) {
+    return {
+      decision: 'RISKY',
+      violations,
+      reasons: violations.map(v => v.description),
+      details: calculateImpactDetails(input, violations)
+    };
+  }
+
+  return {
+    decision: 'ALLOWED',
+    violations: [],
+    reasons: ['No invariant violations detected'],
+    details: calculateImpactDetails(input, violations)
+  };
+}
+
+/**
+ * Checks if changed files match the invariant's scope
+ */
+function matchesInvariantScope(changedFiles: string[], invariant: Invariant): boolean {
+  const scope = invariant.scope;
+  
+  // If no scope restrictions, always matches
+  if (!scope.files && !scope.components && !scope.flows) {
+    return true;
+  }
+
+  // Check file patterns if specified
+  if (scope.files && scope.files.length > 0) {
+    const minimatch = require('minimatch');
+    return changedFiles.some(file =>
+      scope.files!.some(pattern =>
+        minimatch(file, pattern, { matchBase: true })
+      )
+    );
+  }
+
+  // Check component names if specified
+  if (scope.components && scope.components.length > 0) {
+    // For now, check if any changed file contains a component name
+    return changedFiles.some(file =>
+      scope.components!.some(component =>
+        file.toLowerCase().includes(component.toLowerCase())
+      )
+    );
+  }
+
+  // Check flow patterns if specified
+  if (scope.flows && scope.flows.length > 0) {
+    // Placeholder for flow matching logic
+    // This would require more sophisticated analysis of the dependency graph
+    return true;
+  }
+
+  return true;
+}
+
+/**
+ * Checks if an invariant rule is violated by the changes
+ */
+function checkInvariantRule(
+  invariant: Invariant, 
+  dependencyGraph: any, 
+  changedFiles: string[]
+): boolean {
+  switch (invariant.rule.type) {
+    case 'dependency':
+      return checkDependencyRule(invariant, dependencyGraph, changedFiles);
+    case 'flow':
+      return checkFlowRule(invariant, dependencyGraph, changedFiles);
+    case 'ownership':
+      return checkOwnershipRule(invariant, dependencyGraph, changedFiles);
+    case 'access_control':
+      return checkAccessControlRule(invariant, dependencyGraph, changedFiles);
+    case 'data_flow':
+      return checkDataFlowRule(invariant, dependencyGraph, changedFiles);
+    default:
+      console.warn(`Unknown rule type: ${invariant.rule.type}`);
+      return false;
+  }
+}
+
+/**
+ * Check dependency rule violations
+ */
+function checkDependencyRule(
+  invariant: Invariant, 
+  dependencyGraph: any, 
+  changedFiles: string[]
+): boolean {
+  // Example: "Auth service cannot depend on user service"
+  // Check if the dependency graph now contains a dependency that violates the rule
+  if (invariant.rule.condition && typeof invariant.rule.condition === 'object') {
+    const { forbiddenDependency } = invariant.rule.condition;
+    
+    if (forbiddenDependency && typeof forbiddenDependency === 'object') {
+      const { from, to } = forbiddenDependency;
+      
+      // Check if 'from' component now depends on 'to' component
+      // This is a simplified check - real implementation would traverse the dependency graph
+      if (from && to) {
+        // Check if any changed file is in the 'from' scope and creates dependency to 'to'
+        return changedFiles.some(file => {
+          // Simplified logic - in reality would need to analyze the dependency graph
+          return file.includes(from) && hasDependencyTo(dependencyGraph, file, to);
+        });
+      }
+    }
+  }
+  
+  return false;
+}
+
+/**
+ * Check flow rule violations
+ */
+function checkFlowRule(
+  invariant: Invariant, 
+  dependencyGraph: any, 
+  changedFiles: string[]
+): boolean {
+  // Example: "Payments flow must never bypass fraud check"
+  // This would require flow analysis of the code changes
+  return false; // Placeholder
+}
+
+/**
+ * Check ownership rule violations
+ */
+function checkOwnershipRule(
+  invariant: Invariant, 
+  dependencyGraph: any, 
+  changedFiles: string[]
+): boolean {
+  // Example: "Only billing team can modify these files"
+  // Check if changed files are owned by unauthorized team
+  if (invariant.rule.condition && invariant.scope.files) {
+    const { authorizedOwners } = invariant.rule.condition;
+    
+    if (authorizedOwners && Array.isArray(authorizedOwners)) {
+      // Check if any changed file is restricted to specific owners
+      return changedFiles.some(file => {
+        // If file matches invariant scope and owner is not authorized
+        return invariant.scope.files?.some(pattern => {
+          const minimatch = require('minimatch');
+          return minimatch(file, pattern, { matchBase: true });
+        }) && !authorizedOwners.includes(invariant.owner || '');
+      });
+    }
+  }
+  
+  return false;
+}
+
+/**
+ * Check access control rule violations
+ */
+function checkAccessControlRule(
+  invariant: Invariant, 
+  dependencyGraph: any, 
+  changedFiles: string[]
+): boolean {
+  // Example: "Direct database access not allowed from controllers"
+  // Check if changes create unauthorized access patterns
+  return false; // Placeholder
+}
+
+/**
+ * Check data flow rule violations
+ */
+function checkDataFlowRule(
+  invariant: Invariant, 
+  dependencyGraph: any, 
+  changedFiles: string[]
+): boolean {
+  // Example: "PII data must not flow to logging systems"
+  // Check data flow patterns in the changes
+  return false; // Placeholder
+}
+
+/**
+ * Helper function to check if a file has dependency to another component
+ */
+function hasDependencyTo(dependencyGraph: any, fromFile: string, toComponent: string): boolean {
+  // Simplified implementation - would need to analyze actual dependency graph
+  if (dependencyGraph && dependencyGraph.edges) {
+    return dependencyGraph.edges.some((edge: any) => {
+      return edge.source === fromFile && edge.target.includes(toComponent);
+    });
+  }
+  return false;
+}
+
+/**
+ * Calculate impact details for the evaluation result
+ */
+function calculateImpactDetails(
+  input: ChangeEvaluationInput, 
+  violations: Invariant[]
+): ChangeEvaluationResult['details'] {
+  const { changedFiles, dependencyGraph, context } = input;
+  
+  // Calculate affected nodes from dependency graph
+  let affectedNodes = 0;
+  if (dependencyGraph && dependencyGraph.nodes) {
+    affectedNodes = dependencyGraph.nodes.filter((node: any) => 
+      changedFiles.includes(node.id || node.path)
+    ).length;
+  }
+
+  // Calculate blast radius impact if available in context
+  let blastRadiusImpact = 0;
+  if (context && context.blastRadiusAnalysis) {
+    blastRadiusImpact = context.blastRadiusAnalysis.totalAffected || 0;
+  }
+
+  // Check for authority core changes
+  let authorityCoreChanges = false;
+  if (context && context.authorityCores) {
+    authorityCoreChanges = changedFiles.some(file => 
+      context.authorityCores.some((core: any) => core.path === file)
+    );
+  }
+
+  return {
+    affectedNodes,
+    blastRadiusImpact,
+    authorityCoreChanges
+  };
+}