dual-brain 0.1.0

package/hooks/profiles.mjs

@@ -0,0 +1,254 @@
+#!/usr/bin/env node
+/**
+ * profiles.mjs — Profile system for the Dual-Brain Orchestrator.
+ *
+ * Profiles configure routing posture, budget limits, and quality gate behavior.
+ * Active profile persists to .claude/dual-brain.profile.json.
+ *
+ * Exported API:
+ *   PROFILES                    → built-in profile definitions
+ *   getActiveProfile()          → current profile name + merged settings
+ *   setActiveProfile(name)      → switch profile, returns success/error
+ *   getProfileOverrides(key)    → profile-driven overrides for a specific system
+ */
+
+import { existsSync, readFileSync, renameSync, writeFileSync } from 'fs';
+import { dirname, join } from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PROFILE_FILE = join(__dirname, '..', 'dual-brain.profile.json');
+const CONFIG_FILE = join(__dirname, '..', 'orchestrator.json');
+
+const ALIASES = {
+  // auto
+  'auto': 'auto', 'adaptive': 'auto', 'smart': 'auto', 'default': 'auto', 'normal': 'auto',
+  // balanced
+  'balanced': 'balanced', 'even': 'balanced', 'equal': 'balanced',
+  // cost-saver
+  'cost-saver': 'cost-saver', 'cheap': 'cost-saver', 'save': 'cost-saver', 'conservative': 'cost-saver', 'frugal': 'cost-saver', 'budget': 'cost-saver', 'fast': 'cost-saver', 'quick': 'cost-saver',
+  // quality-first
+  'quality-first': 'quality-first', 'aggressive': 'quality-first', 'quality': 'quality-first', 'max': 'quality-first', 'full': 'quality-first', 'both': 'quality-first', 'careful': 'quality-first', 'thorough': 'quality-first', 'safe': 'quality-first',
+};
+
+function resolveProfileName(input) {
+  if (!input) return null;
+  const cleaned = input.toLowerCase().trim()
+    .replace(/^(go|be|use|switch to|set|mode)\s+/i, '')
+    .replace(/\s+mode$/i, '');
+  return ALIASES[cleaned] || null;
+}
+
+const PROFILES = {
+  auto: {
+    description: 'Adapts routing based on task risk, provider health, and outcomes',
+    routing: {
+      prefer_provider: 'auto',
+      think_threshold: 'adaptive',
+      gpt_dispatch_bias: 0,
+    },
+    budgets: {
+      session_warn_usd: 5.00,
+      session_limit_usd: 10.00,
+      daily_warn_usd: 20.00,
+      daily_limit_usd: 50.00,
+    },
+    quality_gate: {
+      sensitivity_floor: 'medium',
+      dual_brain_minimum: 'high',
+    },
+    tier_overrides: null,
+  },
+
+  balanced: {
+    description: 'Auto-routes by complexity, uses both providers evenly',
+    routing: {
+      prefer_provider: 'auto',
+      think_threshold: 'normal',
+      gpt_dispatch_bias: 0,
+    },
+    budgets: {
+      session_warn_usd: 5.00,
+      session_limit_usd: 10.00,
+      daily_warn_usd: 20.00,
+      daily_limit_usd: 50.00,
+    },
+    quality_gate: {
+      sensitivity_floor: 'medium',
+      dual_brain_minimum: 'high',
+    },
+    tier_overrides: null,
+  },
+
+  'cost-saver': {
+    description: 'Conservative — fewer GPT dispatches, sticks to Claude',
+    routing: {
+      prefer_provider: 'cheapest',
+      think_threshold: 'strict',
+      gpt_dispatch_bias: -20,
+    },
+    budgets: {
+      session_warn_usd: 2.00,
+      session_limit_usd: 5.00,
+      daily_warn_usd: 8.00,
+      daily_limit_usd: 20.00,
+    },
+    quality_gate: {
+      sensitivity_floor: 'high',
+      dual_brain_minimum: 'critical',
+    },
+    tier_overrides: {
+      promote_execute_to_think: false,
+      demote_think_to_execute: true,
+    },
+  },
+
+  'quality-first': {
+    description: 'Aggressive — maximizes both subscriptions, dual-brain for medium+',
+    routing: {
+      prefer_provider: 'most-capable',
+      think_threshold: 'relaxed',
+      gpt_dispatch_bias: 10,
+    },
+    budgets: {
+      session_warn_usd: 15.00,
+      session_limit_usd: 30.00,
+      daily_warn_usd: 50.00,
+      daily_limit_usd: 100.00,
+    },
+    quality_gate: {
+      sensitivity_floor: 'low',
+      dual_brain_minimum: 'medium',
+    },
+    tier_overrides: {
+      promote_execute_to_think: true,
+      demote_think_to_execute: false,
+    },
+  },
+};
+
+function loadProfileFile() {
+  try {
+    return JSON.parse(readFileSync(PROFILE_FILE, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function loadConfig() {
+  try {
+    return JSON.parse(readFileSync(CONFIG_FILE, 'utf8'));
+  } catch {
+    return {};
+  }
+}
+
+function getActiveProfile() {
+  const saved = loadProfileFile();
+  const name = saved?.active || 'auto';
+  const profile = PROFILES[name] || PROFILES.auto;
+  const customOverrides = saved?.custom_overrides || {};
+
+  return {
+    name: PROFILES[name] ? name : 'auto',
+    ...profile,
+    budgets: { ...profile.budgets, ...customOverrides.budgets },
+    routing: { ...profile.routing, ...customOverrides.routing },
+    switched_at: saved?.switched_at || null,
+  };
+}
+
+function setActiveProfile(name, customOverrides = null) {
+  let resolved = name;
+  if (!PROFILES[resolved]) {
+    const alias = resolveProfileName(name);
+    if (alias) {
+      resolved = alias;
+    } else {
+      const aliasHint = Object.entries(ALIASES)
+        .filter(([k, v]) => k !== v)
+        .map(([k, v]) => `${k} → ${v}`)
+        .join(', ');
+      return { ok: false, error: `Unknown profile: ${name}. Available: ${Object.keys(PROFILES).join(', ')}. Aliases: ${aliasHint}` };
+    }
+  }
+
+  const data = {
+    active: resolved,
+    switched_at: new Date().toISOString(),
+  };
+  if (customOverrides) data.custom_overrides = customOverrides;
+
+  try {
+    const tmp = PROFILE_FILE + '.tmp.' + process.pid;
+    writeFileSync(tmp, JSON.stringify(data, null, 2) + '\n');
+    renameSync(tmp, PROFILE_FILE);
+    return { ok: true, profile: PROFILES[resolved], resolvedName: resolved };
+  } catch (err) {
+    return { ok: false, error: `Failed to write profile: ${err.message}` };
+  }
+}
+
+function setBudgetOverrides(sessionLimit, dailyLimit) {
+  const saved = loadProfileFile() || { active: 'balanced' };
+  saved.custom_overrides = saved.custom_overrides || {};
+  saved.custom_overrides.budgets = {};
+
+  if (sessionLimit != null) {
+    saved.custom_overrides.budgets.session_warn_usd = sessionLimit * 0.6;
+    saved.custom_overrides.budgets.session_limit_usd = sessionLimit;
+  }
+  if (dailyLimit != null) {
+    saved.custom_overrides.budgets.daily_warn_usd = dailyLimit * 0.6;
+    saved.custom_overrides.budgets.daily_limit_usd = dailyLimit;
+  }
+
+  saved.switched_at = saved.switched_at || new Date().toISOString();
+
+  try {
+    const tmp = PROFILE_FILE + '.tmp.' + process.pid;
+    writeFileSync(tmp, JSON.stringify(saved, null, 2) + '\n');
+    renameSync(tmp, PROFILE_FILE);
+    return { ok: true };
+  } catch (err) {
+    return { ok: false, error: err.message };
+  }
+}
+
+function getProfileOverrides(system) {
+  const profile = getActiveProfile();
+
+  switch (system) {
+    case 'enforce-tier':
+      return {
+        think_threshold: profile.routing.think_threshold,
+        tier_overrides: profile.tier_overrides,
+        gpt_dispatch_bias: profile.routing.gpt_dispatch_bias,
+      };
+
+    case 'budget-balancer':
+      return {
+        budgets: profile.budgets,
+        prefer_provider: profile.routing.prefer_provider,
+      };
+
+    case 'quality-gate':
+      return {
+        sensitivity_floor: profile.quality_gate.sensitivity_floor,
+        dual_brain_minimum: profile.quality_gate.dual_brain_minimum,
+      };
+
+    default:
+      return {};
+  }
+}
+
+export {
+  PROFILES,
+  ALIASES,
+  resolveProfileName,
+  getActiveProfile,
+  setActiveProfile,
+  setBudgetOverrides,
+  getProfileOverrides,
+};

package/hooks/quality-gate.mjs

@@ -0,0 +1,355 @@
+#!/usr/bin/env node
+/**
+ * quality-gate.mjs — Config-driven quality gate for the dual-brain orchestrator.
+ *
+ * Usage:  node .claude/hooks/quality-gate.mjs
+ * Output: Always valid JSON to stdout, always exits 0.
+ *
+ * Logic:
+ *  1. Read orchestrator.json → quality_gate config
+ *  2. If disabled, output { "gate": "disabled" } and exit
+ *  3. Get changed files via `git diff --name-only HEAD` + `git ls-files --others --exclude-standard`
+ *  4. Filter by trigger_extensions, exclude skip_patterns
+ *  5. If no qualifying files → { "gate": "pass", "reason": "no qualifying code changes" }
+ *  6. Otherwise run dual-brain-review.mjs, save result to .claude/reviews/<timestamp>.json
+ *  7. Output { "gate": "reviewed", "files": [...], "issues_found": bool, "review_path": "..." }
+ */
+
+import { createHash } from 'crypto';
+import { spawnSync } from 'child_process';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { dirname, extname, join, resolve } from 'path';
+import { fileURLToPath } from 'url';
+
+import { getProfileOverrides as _getProfileOverrides } from './profiles.mjs';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ORCHESTRATOR_CONFIG = resolve(__dirname, '..', 'orchestrator.json');
+const REVIEWS_DIR = resolve(__dirname, '..', 'reviews');
+const DUAL_BRAIN = resolve(__dirname, 'dual-brain-review.mjs');
+
+const RISK_LEVELS = ['low', 'medium', 'high', 'critical'];
+
+const APPROVAL_MAP = {
+  low:      { recommendation: 'self_check',           message: 'Low risk — self-check is sufficient' },
+  medium:   { recommendation: 'review_recommended',   message: 'Medium risk — a code review would catch edge cases' },
+  high:     { recommendation: 'dual_brain_review',    message: 'High risk — recommending dual-brain review for safety' },
+  critical: { recommendation: 'user_approval_needed', message: 'Critical risk — this needs your explicit approval before merging' },
+};
+
+/**
+ * Compute approval recommendation from risk level + profile overrides.
+ * Profile escalation: if dual_brain_minimum is at or below the current risk,
+ * escalate the recommendation by one tier (e.g. medium → dual_brain_review
+ * under quality-first where dual_brain_minimum is 'medium').
+ */
+function computeApproval(risk, profileGate) {
+  let effectiveRisk = risk;
+
+  // Profile escalation: when dual_brain_minimum <= risk and the base
+  // recommendation would be below dual_brain_review, escalate one level.
+  const riskIdx = RISK_LEVELS.indexOf(risk);
+  const dualBrainIdx = RISK_LEVELS.indexOf(profileGate.dual_brain_minimum);
+  if (dualBrainIdx >= 0 && riskIdx >= dualBrainIdx && riskIdx < RISK_LEVELS.length - 1) {
+    const baseRec = APPROVAL_MAP[risk].recommendation;
+    if (baseRec !== 'dual_brain_review' && baseRec !== 'user_approval_needed') {
+      effectiveRisk = RISK_LEVELS[riskIdx + 1];
+    }
+  }
+
+  const entry = APPROVAL_MAP[effectiveRisk] || APPROVAL_MAP[risk];
+  return {
+    approval_recommendation: entry.recommendation,
+    approval_message: entry.message,
+  };
+}
+
+function loadProfileGateSettings() {
+  try {
+    return _getProfileOverrides('quality-gate');
+  } catch {
+    return { sensitivity_floor: 'medium', dual_brain_minimum: 'high' };
+  }
+}
+
+function riskMeetsFloor(risk, floor) {
+  return RISK_LEVELS.indexOf(risk) >= RISK_LEVELS.indexOf(floor);
+}
+
+function exit(obj) {
+  process.stdout.write(JSON.stringify(obj) + '\n');
+  process.exit(0);
+}
+
+function runGit(args) {
+  try {
+    const proc = spawnSync('git', args, {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 10_000,
+    });
+    return proc.status === 0 ? proc.stdout : '';
+  } catch {
+    return '';
+  }
+}
+
+function scoreSensitivity(files, config) {
+  const sensitivePaths = config?.dual_thinking?.sensitive_paths || [
+    'auth', 'security', 'middleware/auth', 'payment', 'billing',
+    'migration', 'schema', 'permissions', 'secrets', 'crypto',
+    'api/public', '.env'
+  ];
+
+  let score = 0;
+  const reasons = [];
+
+  for (const file of files) {
+    const lower = file.toLowerCase();
+
+    // Check sensitive paths
+    for (const sp of sensitivePaths) {
+      if (lower.includes(sp)) {
+        score += 30;
+        reasons.push(`sensitive path: ${sp} in ${file}`);
+        break;
+      }
+    }
+
+    // Database/migration files
+    if (/migrat|schema|\.sql/i.test(lower)) {
+      score += 25;
+      reasons.push(`database change: ${file}`);
+    }
+
+    // Config/env files
+    if (/\.env|config.*\.(ts|js|json)|docker|ci|\.yml|\.yaml/i.test(lower)) {
+      score += 15;
+      reasons.push(`config/infra change: ${file}`);
+    }
+
+    // Dependency changes
+    if (/package\.json|requirements\.txt|go\.mod|Cargo\.toml/i.test(lower)) {
+      score += 20;
+      reasons.push(`dependency change: ${file}`);
+    }
+  }
+
+  // Scale by number of files
+  if (files.length > 10) {
+    score += 15;
+    reasons.push(`large changeset: ${files.length} files`);
+  }
+
+  // Determine risk level
+  let risk, gate;
+  if (score >= 50) {
+    risk = 'critical';
+    gate = 'dual-brain-required';
+  } else if (score >= 30) {
+    risk = 'high';
+    gate = 'dual-brain-recommended';
+  } else if (score >= 10) {
+    risk = 'medium';
+    gate = 'single-review';
+  } else {
+    risk = 'low';
+    gate = 'self-check';
+  }
+
+  return { score, risk, gate, reasons };
+}
+
+function matchesSkipPattern(filePath, patterns) {
+  const segments = filePath.split('/');
+  const basename = segments[segments.length - 1];
+  const isTestFile = /\.(test|spec)\.(js|ts|tsx|jsx|mjs)$/.test(basename);
+  const isTestDirectory = segments.some(seg => seg === '__tests__' || seg === '__mocks__');
+
+  if (isTestFile || isTestDirectory) {
+    return true;
+  }
+
+  return patterns.some(p => {
+    if (p.startsWith('.')) return basename.endsWith(p);  // extension match
+    return segments.some(seg => seg === p || seg.startsWith(p + '.'));  // exact segment match
+  });
+}
+
+function getChangedFiles() {
+  const tracked = runGit(['diff', '--name-only', 'HEAD']) || '';
+  const untracked = runGit(['ls-files', '--others', '--exclude-standard']) || '';
+  const all = [...new Set([
+    ...tracked.split('\n').filter(Boolean),
+    ...untracked.split('\n').filter(Boolean),
+  ])];
+  return all;
+}
+
+function main() {
+  // 1. Load config
+  let config;
+  try {
+    config = JSON.parse(readFileSync(ORCHESTRATOR_CONFIG, 'utf8'));
+  } catch {
+    exit({ gate: 'pass', reason: 'orchestrator.json not found or invalid' });
+  }
+
+  const gate = config?.quality_gate ?? {};
+
+  // 2. Check enabled flag
+  if (gate.enabled === false) {
+    exit({ gate: 'disabled' });
+  }
+
+  const triggerExtensions = gate.trigger_extensions ?? ['.ts', '.tsx', '.js', '.jsx', '.py'];
+  const skipPatterns = gate.skip_patterns ?? ['test', '__tests__', 'spec', '.md'];
+
+  // 3. Get changed files (tracked diffs + untracked new files)
+  const allFiles = getChangedFiles();
+
+  // 4. Filter files
+  const qualifyingFiles = allFiles.filter(f => {
+    const ext = extname(f);
+    if (!triggerExtensions.includes(ext)) return false;
+    if (matchesSkipPattern(f, skipPatterns)) return false;
+    return true;
+  });
+
+  // 5. No qualifying files
+  if (qualifyingFiles.length === 0) {
+    exit({ gate: 'pass', reason: 'no qualifying code changes' });
+  }
+
+  // 5a. Score sensitivity BEFORE running any external review
+  const sensitivity = scoreSensitivity(qualifyingFiles, config);
+
+  // 5b. Apply profile-driven sensitivity floor
+  const profileGate = loadProfileGateSettings();
+  if (!riskMeetsFloor(sensitivity.risk, profileGate.sensitivity_floor)) {
+    exit({
+      gate: 'pass',
+      risk: sensitivity.risk,
+      sensitivity_score: sensitivity.score,
+      sensitivity_reasons: sensitivity.reasons,
+      reason: `${sensitivity.risk} risk — below profile floor (${profileGate.sensitivity_floor})`,
+      profile_floor: profileGate.sensitivity_floor,
+      files: qualifyingFiles,
+      ...computeApproval(sensitivity.risk, profileGate),
+    });
+  }
+
+  // 6. Run dual-brain review (medium / high / critical)
+  let reviewResult = {};
+  try {
+    const proc = spawnSync(process.execPath, [DUAL_BRAIN], {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 120_000,
+    });
+    const stdout = (proc.stdout || '').trim();
+    if (stdout) {
+      reviewResult = JSON.parse(stdout);
+    } else {
+      reviewResult = {
+        review: 'dual-brain-review produced no output',
+        error: true,
+      };
+    }
+  } catch (err) {
+    reviewResult = {
+      review: `Failed to run dual-brain-review: ${err?.message ?? String(err)}`,
+      error: true,
+    };
+  }
+
+  // Compute diff hash
+  const diff = runGit(['diff', 'HEAD']);
+  const diffHash = createHash('sha256').update(diff).digest('hex').slice(0, 8);
+
+  // Build review record (includes sensitivity info)
+  const timestamp = new Date().toISOString();
+  const record = {
+    timestamp,
+    files_changed: qualifyingFiles,
+    diff_hash: diffHash,
+    risk: sensitivity.risk,
+    sensitivity_score: sensitivity.score,
+    sensitivity_reasons: sensitivity.reasons,
+    model: reviewResult.model ?? 'unknown',
+    review: reviewResult.review ?? '',
+    issues_found: reviewResult.issues_found ?? false,
+  };
+
+  // 7. Save to .claude/reviews/<timestamp>.json
+  mkdirSync(REVIEWS_DIR, { recursive: true });
+  const safeTs = timestamp.replace(/[:.]/g, '-');
+  const reviewFile = join(REVIEWS_DIR, `${safeTs}.json`);
+  try {
+    writeFileSync(reviewFile, JSON.stringify(record, null, 2) + '\n', 'utf8');
+  } catch {
+    // Non-fatal: still output summary
+  }
+
+  // 8. Determine gate status from review result + sensitivity tier
+  const reviewUnavailable =
+    reviewResult.skip_reason === 'no_gpt_auth' ||
+    reviewResult.error === true ||
+    !reviewResult.review;
+
+  // Profile can lower the dual-brain threshold
+  const needsDualBrain = riskMeetsFloor(sensitivity.risk, profileGate.dual_brain_minimum);
+
+  let gateStatus;
+  if (sensitivity.gate === 'dual-brain-required' || (needsDualBrain && sensitivity.risk === 'critical')) {
+    gateStatus = 'needs_dual_think';
+  } else if (reviewUnavailable) {
+    gateStatus = 'needs_human_review';
+  } else if (reviewResult.issues_found) {
+    gateStatus = 'issues_found';
+  } else if (needsDualBrain) {
+    gateStatus = 'reviewed';
+  } else {
+    gateStatus = sensitivity.gate === 'dual-brain-recommended' ? 'reviewed' : 'pass';
+  }
+
+  // 9. Build output object — common fields first
+  const approval = computeApproval(sensitivity.risk, profileGate);
+  const output = {
+    gate: gateStatus,
+    risk: sensitivity.risk,
+    sensitivity_score: sensitivity.score,
+    sensitivity_reasons: sensitivity.reasons,
+    files: qualifyingFiles,
+    issues_found: Boolean(reviewResult.issues_found),
+    review_unavailable: reviewUnavailable,
+    review_path: reviewFile,
+    model: reviewResult.model || null,
+    auth_type: reviewResult.auth_type || null,
+    approval_recommendation: approval.approval_recommendation,
+    approval_message: approval.approval_message,
+  };
+
+  // High risk: recommend dual-brain-think in addition
+  if (sensitivity.gate === 'dual-brain-recommended') {
+    output.dual_thinking_recommended = true;
+  }
+
+  // Critical risk: add strong warning
+  if (sensitivity.gate === 'dual-brain-required') {
+    output.warning =
+      'Critical sensitivity detected. Dual-brain review + explicit user approval strongly recommended before merging.';
+    output.reasons = sensitivity.reasons;
+  }
+
+  exit(output);
+}
+
+try {
+  main();
+} catch (err) {
+  process.stdout.write(
+    JSON.stringify({ gate: 'error', error: err?.message ?? String(err) }) + '\n'
+  );
+  process.exit(0);
+}

package/hooks/risk-classifier.mjs

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+/**
+ * risk-classifier.mjs — File-path risk classification for adaptive routing.
+ *
+ * Export: classifyRisk(paths) → { level, reason }
+ */
+
+const PATTERNS = [
+  { level: 'critical', regex: /\b(auth|credential|secret|\.env|key[s]?|token[s]?|password|encrypt|certificate|cert[s]?|\.pem|\.key)\b/i, label: 'security-sensitive' },
+  { level: 'high', regex: /\b(billing|payment|migration|deploy|ci[-/]cd|\.github\/workflows|security|permission|policy|schema\.prisma|schema\.sql|api[-_]?contract|openapi|swagger)\b/i, label: 'high-impact infrastructure' },
+  { level: 'medium', regex: /\b(test|spec|\.test\.|\.spec\.|shared|util[s]?|lib\/|public[-_]?api|integrat|config|\.config\.)\b/i, label: 'shared/tested code' },
+  { level: 'low', regex: /\b(readme|\.md$|docs?\/|comment|format|lint|\.prettierrc|local[-_]?script|internal[-_]?only|changelog)\b/i, label: 'docs/formatting' },
+];
+
+const LEVEL_ORDER = { critical: 3, high: 2, medium: 1, low: 0 };
+
+function classifyRisk(paths) {
+  if (!paths || paths.length === 0) return { level: 'low', reason: 'no file paths detected' };
+
+  let highest = { level: 'low', reason: 'no matching risk patterns' };
+
+  for (const p of paths) {
+    for (const pattern of PATTERNS) {
+      if (pattern.regex.test(p) && LEVEL_ORDER[pattern.level] > LEVEL_ORDER[highest.level]) {
+        highest = { level: pattern.level, reason: `${pattern.label}: ${p}` };
+        if (pattern.level === 'critical') return highest;
+      }
+    }
+  }
+
+  return highest;
+}
+
+function extractPaths(text) {
+  if (!text) return [];
+  const matches = text.match(/(?:^|\s|["'`])([./~]?(?:[\w@.-]+\/)+[\w@.*-]+(?:\.\w+)?)/g);
+  if (!matches) return [];
+  return matches.map(m => m.trim().replace(/^["'`]/, ''));
+}
+
+export { classifyRisk, extractPaths };