vibe-coder-kit 6.0.0

package/.vibe/core/team-config.ts

@@ -0,0 +1,232 @@
+// Team Configuration & RBAC
+// Multi-tenant, role-based access control
+
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { join } from 'path';
+
+export type Role = 'junior' | 'senior' | 'lead' | 'admin';
+
+export interface TeamMember {
+  id: string;
+  name: string;
+  role: Role;
+  teams: string[];
+  permissions: string[];
+}
+
+export interface TeamConfig {
+  version: string;
+  teams: Record<string, {
+    plugins: string[];
+    overrides: Record<string, unknown>;
+  }>;
+  roles: Record<Role, {
+    enforce: 'strict' | 'warn' | 'off';
+    suggest: boolean;
+    permissions: string[];
+  }>;
+  governance: {
+    approvers: string[];
+    requiredReviews: number;
+    compliance: string[];
+  };
+}
+
+const BLOCKED_KEYS = ['__proto__', 'constructor', 'prototype'];
+
+export class TeamManager {
+  private config: TeamConfig;
+  private members: TeamMember[] = [];
+  private configPath: string;
+
+  constructor(rootDir: string) {
+    this.configPath = join(rootDir, '.vibe', 'team.json');
+    this.config = this.loadConfig();
+  }
+
+  private loadConfig(): TeamConfig {
+    if (existsSync(this.configPath)) {
+      try {
+        const content = readFileSync(this.configPath, 'utf-8');
+        const parsed = JSON.parse(content);
+        return this.sanitizeConfig(parsed);
+      } catch (e) {
+        console.warn(`[TeamConfig] Failed to parse config: ${(e as Error).message}, using defaults`);
+      }
+    }
+
+    const defaultConfig: TeamConfig = {
+      version: '2.0',
+      teams: {
+        default: {
+          plugins: ['@vibe/core'],
+          overrides: {},
+        },
+      },
+      roles: {
+        junior: {
+          enforce: 'strict',
+          suggest: true,
+          permissions: ['read', 'suggest'],
+        },
+        senior: {
+          enforce: 'warn',
+          suggest: true,
+          permissions: ['read', 'write', 'suggest', 'approve'],
+        },
+        lead: {
+          enforce: 'off',
+          suggest: true,
+          permissions: ['read', 'write', 'suggest', 'approve', 'config'],
+        },
+        admin: {
+          enforce: 'off',
+          suggest: true,
+          permissions: ['all'],
+        },
+      },
+      governance: {
+        approvers: [],
+        requiredReviews: 1,
+        compliance: [],
+      },
+    };
+
+    writeFileSync(this.configPath, JSON.stringify(defaultConfig, null, 2));
+    return defaultConfig;
+  }
+
+  private sanitizeConfig(obj: unknown): unknown {
+    if (obj === null || typeof obj !== 'object') {
+      return obj;
+    }
+
+    if (Array.isArray(obj)) {
+      return obj.map(item => this.sanitizeConfig(item));
+    }
+
+    const sanitized: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {
+      if (BLOCKED_KEYS.includes(key)) {
+        console.warn(`[TeamConfig] Blocked potentially dangerous key: ${key}`);
+        continue;
+      }
+      sanitized[key] = this.sanitizeConfig(value);
+    }
+    return sanitized;
+  }
+
+  getTeamConfig(teamName: string): TeamConfig['teams'][string] | undefined {
+    return this.config.teams[teamName];
+  }
+
+  getRoleConfig(role: Role): TeamConfig['roles'][role] | undefined {
+    return this.config.roles[role];
+  }
+
+  hasPermission(role: Role, permission: string): boolean {
+    const roleConfig = this.config.roles[role];
+    if (!roleConfig) return false;
+    if (roleConfig.permissions.includes('all')) return true;
+    return roleConfig.permissions.includes(permission);
+  }
+
+  canApprove(role: Role): boolean {
+    return this.hasPermission(role, 'approve');
+  }
+
+  canDeploy(role: Role): boolean {
+    return this.hasPermission(role, 'deploy');
+  }
+
+  canEditConfig(role: Role): boolean {
+    return this.hasPermission(role, 'config');
+  }
+
+  canWriteEvent(role: Role): boolean {
+    return this.hasPermission(role, 'write');
+  }
+
+  getEnforcementLevel(role: Role): 'strict' | 'warn' | 'off' {
+    return this.config.roles[role]?.enforce || 'warn';
+  }
+
+  validateRoleAction(role: Role, action: string): { allowed: boolean; reason: string } {
+    const roleConfig = this.config.roles[role];
+    if (!roleConfig) {
+      return { allowed: false, reason: `Unknown role: ${role}` };
+    }
+
+    if (roleConfig.permissions.includes('all')) {
+      return { allowed: true, reason: 'Admin has all permissions' };
+    }
+
+    if (roleConfig.permissions.includes(action)) {
+      return { allowed: true, reason: `Role '${role}' has permission '${action}'` };
+    }
+
+    return {
+      allowed: false,
+      reason: `Role '${role}' does not have permission '${action}'`,
+    };
+  }
+
+  addMember(member: Omit<TeamMember, 'id'>): TeamMember {
+    const newMember: TeamMember = {
+      ...member,
+      id: `member-${Date.now()}-${Math.random().toString(36).substring(2, 9)}`,
+    };
+    this.members.push(newMember);
+    return newMember;
+  }
+
+  getMember(id: string): TeamMember | undefined {
+    return this.members.find(m => m.id === id);
+  }
+
+  getMembersByRole(role: Role): TeamMember[] {
+    return this.members.filter(m => m.role === role);
+  }
+
+  getMembersByTeam(team: string): TeamMember[] {
+    return this.members.filter(m => m.teams.includes(team));
+  }
+
+  updateConfig(updates: Partial<TeamConfig>, role: Role): { success: boolean; reason: string } {
+    // RBAC check
+    if (!this.canEditConfig(role)) {
+      return {
+        success: false,
+        reason: `Role '${role}' does not have permission to edit config`,
+      };
+    }
+
+    const sanitizedUpdates = this.sanitizeConfig(updates) as Partial<TeamConfig>;
+    this.config = this.deepMerge(this.config, sanitizedUpdates);
+    writeFileSync(this.configPath, JSON.stringify(this.config, null, 2));
+    return { success: true, reason: 'Config updated successfully' };
+  }
+
+  private deepMerge<T>(target: T, source: Partial<T>): T {
+    const result = { ...target };
+    for (const key in source) {
+      if (BLOCKED_KEYS.includes(key)) continue;
+      
+      if (source.hasOwnProperty(key)) {
+        const sourceVal = source[key];
+        const targetVal = (result as Record<string, unknown>)[key];
+        if (sourceVal && typeof sourceVal === 'object' && !Array.isArray(sourceVal) &&
+            targetVal && typeof targetVal === 'object' && !Array.isArray(targetVal)) {
+          (result as Record<string, unknown>)[key] = this.deepMerge(targetVal, sourceVal);
+        } else {
+          (result as Record<string, unknown>)[key] = sourceVal;
+        }
+      }
+    }
+    return result;
+  }
+
+  exportConfig(): string {
+    return JSON.stringify(this.config, null, 2);
+  }
+}

package/.vibe/core/telemetry.ts

@@ -0,0 +1,154 @@
+// Telemetry & Observability
+// Structured logging, metrics, and tracing
+
+import { randomUUID } from 'crypto';
+
+export interface TelemetryEvent {
+  name: string;
+  attributes: Record<string, string | number | boolean>;
+  timestamp: string;
+  traceId?: string;
+  spanId?: string;
+}
+
+export interface Metric {
+  name: string;
+  value: number;
+  unit: string;
+  tags: Record<string, string>;
+  timestamp: string;
+}
+
+export class Telemetry {
+  private events: TelemetryEvent[] = [];
+  private metrics: Metric[] = [];
+  private traceId: string;
+
+  constructor() {
+    this.traceId = randomUUID();
+  }
+
+  // Span management
+  startSpan(name: string): Span {
+    const spanId = randomUUID();
+    return new Span(name, spanId, this.traceId, this);
+  }
+
+  // Event recording
+  recordEvent(name: string, attributes: Record<string, string | number | boolean> = {}): void {
+    this.events.push({
+      name,
+      attributes,
+      timestamp: new Date().toISOString(),
+      traceId: this.traceId,
+    });
+  }
+
+  // Metric recording
+  recordMetric(name: string, value: number, unit: string, tags: Record<string, string> = {}): void {
+    this.metrics.push({
+      name,
+      value,
+      unit,
+      tags,
+      timestamp: new Date().toISOString(),
+    });
+  }
+
+  // Counter increment
+  incrementCounter(name: string, tags: Record<string, string> = {}): void {
+    const existing = this.metrics.find(m => m.name === name && JSON.stringify(m.tags) === JSON.stringify(tags));
+    if (existing) {
+      existing.value++;
+    } else {
+      this.recordMetric(name, 1, 'count', tags);
+    }
+  }
+
+  // Get all data
+  getEvents(): TelemetryEvent[] {
+    return [...this.events];
+  }
+
+  getMetrics(): Metric[] {
+    return [...this.metrics];
+  }
+
+  // Export for storage
+  export(): { events: TelemetryEvent[]; metrics: Metric[] } {
+    return {
+      events: [...this.events],
+      metrics: [...this.metrics],
+    };
+  }
+
+  // Summary
+  getSummary(): {
+    totalEvents: number;
+    totalMetrics: number;
+    phaseMetrics: Record<string, number>;
+  } {
+    const phaseMetrics: Record<string, number> = {};
+    
+    for (const metric of this.metrics) {
+      if (metric.name === 'phase_duration') {
+        const phase = metric.tags.phase || 'unknown';
+        phaseMetrics[phase] = (phaseMetrics[phase] || 0) + metric.value;
+      }
+    }
+
+    return {
+      totalEvents: this.events.length,
+      totalMetrics: this.metrics.length,
+      phaseMetrics,
+    };
+  }
+}
+
+export class Span {
+  private name: string;
+  private spanId: string;
+  private traceId: string;
+  private telemetry: Telemetry;
+  private startTime: number;
+  private attributes: Record<string, string | number | boolean> = {};
+  private status: 'OK' | 'ERROR' = 'OK';
+  private error?: Error;
+
+  constructor(name: string, spanId: string, traceId: string, telemetry: Telemetry) {
+    this.name = name;
+    this.spanId = spanId;
+    this.traceId = traceId;
+    this.telemetry = telemetry;
+    this.startTime = Date.now();
+  }
+
+  setAttribute(key: string, value: string | number | boolean): void {
+    this.attributes[key] = value;
+  }
+
+  setStatus(status: 'OK' | 'ERROR', error?: Error): void {
+    this.status = status;
+    this.error = error;
+  }
+
+  recordException(error: Error): void {
+    this.error = error;
+    this.status = 'ERROR';
+  }
+
+  end(): void {
+    const duration = Date.now() - this.startTime;
+    this.attributes['duration_ms'] = duration;
+    this.attributes['status'] = this.status;
+    
+    if (this.error) {
+      this.attributes['error.message'] = this.error.message;
+    }
+
+    this.telemetry.recordEvent(`span.${this.name}`, this.attributes);
+    this.telemetry.recordMetric(`${this.name}.duration`, duration, 'ms', {
+      status: this.status,
+    });
+  }
+}

package/.vibe/core/validator.ts

@@ -0,0 +1,168 @@
+// Output Validator
+// Validates subagent outputs before committing to state
+
+export interface ValidationResult {
+  valid: boolean;
+  score: number;
+  issues: ValidationIssue[];
+}
+
+export interface ValidationIssue {
+  type: 'error' | 'warning' | 'info';
+  message: string;
+  field?: string;
+  severity: 'critical' | 'high' | 'medium' | 'low';
+}
+
+export interface ValidationRule {
+  name: string;
+  description: string;
+  validate: (input: unknown) => ValidationIssue[];
+}
+
+export class OutputValidator {
+  private rules: ValidationRule[] = [];
+  private maxInputLength = 100000; // 100KB limit
+
+  constructor() {
+    this.registerBuiltinRules();
+  }
+
+  private registerBuiltinRules(): void {
+    this.addRule({
+      name: 'required-fields',
+      description: 'Checks for required fields in output',
+      validate: (input: unknown) => {
+        const issues: ValidationIssue[] = [];
+        if (!input || typeof input !== 'object') {
+          issues.push({
+            type: 'error',
+            message: 'Output must be a non-null object',
+            severity: 'critical',
+          });
+          return issues;
+        }
+        const obj = input as Record<string, unknown>;
+        if (!obj.title && !obj.name) {
+          issues.push({
+            type: 'warning',
+            message: 'Output missing title or name field',
+            field: 'title|name',
+            severity: 'medium',
+          });
+        }
+        return issues;
+      },
+    });
+
+    this.addRule({
+      name: 'no-secrets',
+      description: 'Checks for accidental secret exposure',
+      validate: (input: unknown) => {
+        const issues: ValidationIssue[] = [];
+        try {
+          let text = JSON.stringify(input);
+          
+          // Limit input length to prevent ReDoS
+          if (text.length > this.maxInputLength) {
+            text = text.substring(0, this.maxInputLength);
+          }
+          
+          const secretPatterns = [
+            { pattern: /API_KEY\s*[:=]\s*['"][^'"]+['"]/i, name: 'API_KEY' },
+            { pattern: /PASSWORD\s*[:=]\s*['"][^'"]+['"]/i, name: 'PASSWORD' },
+            { pattern: /SECRET\s*[:=]\s*['"][^'"]+['"]/i, name: 'SECRET' },
+            { pattern: /PRIVATE_KEY\s*[:=]/i, name: 'PRIVATE_KEY' },
+            { pattern: /-----BEGIN.*PRIVATE KEY-----/, name: 'RSA_PRIVATE_KEY' },
+            { pattern: /AKIA[0-9A-Z]{16}/, name: 'AWS_ACCESS_KEY' },
+            { pattern: /mysql:\/\/[^:]+:[^@]+@/, name: 'MYSQL_CONNECTION' },
+            { pattern: /postgres:\/\/[^:]+:[^@]+@/, name: 'POSTGRES_CONNECTION' },
+            { pattern: /mongodb:\/\/[^:]+:[^@]+@/, name: 'MONGODB_CONNECTION' },
+          ];
+          
+          // Use simple string matching instead of complex regex for JWT
+          if (text.includes('eyJ') && text.includes('.') && text.split('eyJ').length > 1) {
+            // Basic JWT detection without complex regex
+            const jwtParts = text.match(/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*/g);
+            if (jwtParts && jwtParts.length > 0) {
+              issues.push({
+                type: 'error',
+                message: 'Potential JWT token detected',
+                severity: 'critical',
+              });
+            }
+          }
+          
+          for (const { pattern, name } of secretPatterns) {
+            if (pattern.test(text)) {
+              issues.push({
+                type: 'error',
+                message: `Potential secret detected: ${name}`,
+                severity: 'critical',
+              });
+            }
+          }
+        } catch {
+          // JSON.stringify failed, skip check
+        }
+        return issues;
+      },
+    });
+
+    this.addRule({
+      name: 'confidence-check',
+      description: 'Validates confidence level if present',
+      validate: (input: unknown) => {
+        const issues: ValidationIssue[] = [];
+        if (!input || typeof input !== 'object') return issues;
+        const obj = input as Record<string, unknown>;
+        
+        if ('confidence' in obj) {
+          const confidence = obj.confidence as number;
+          if (typeof confidence !== 'number' || confidence < 0 || confidence > 1) {
+            issues.push({
+              type: 'error',
+              message: 'Confidence must be a number between 0 and 1',
+              field: 'confidence',
+              severity: 'high',
+            });
+          }
+        }
+        return issues;
+      },
+    });
+  }
+
+  addRule(rule: ValidationRule): void {
+    this.rules.push(rule);
+  }
+
+  validate(input: unknown): ValidationResult {
+    const allIssues: ValidationIssue[] = [];
+    
+    for (const rule of this.rules) {
+      try {
+        const issues = rule.validate(input);
+        allIssues.push(...issues);
+      } catch (error) {
+        allIssues.push({
+          type: 'error',
+          message: `Validation rule ${rule.name} threw error: ${(error as Error).message}`,
+          severity: 'high',
+        });
+      }
+    }
+
+    const criticalCount = allIssues.filter(i => i.severity === 'critical').length;
+    const highCount = allIssues.filter(i => i.severity === 'high').length;
+    const mediumCount = allIssues.filter(i => i.severity === 'medium').length;
+    const lowCount = allIssues.filter(i => i.severity === 'low').length;
+    const score = Math.max(0, 100 - (criticalCount * 30) - (highCount * 15) - (mediumCount * 5) - (lowCount * 2));
+
+    return {
+      valid: criticalCount === 0,
+      score,
+      issues: allIssues,
+    };
+  }
+}

package/.vibe/flows/00-init.md

@@ -0,0 +1,34 @@
+# 00-init — Project Initialization
+
+## Entry Criteria
+- New project or first session
+- User invokes `vibe init`
+
+## Steps
+
+### 1. Detect Project
+- Scan root directory for package.json, Cargo.toml, requirements.txt, pubspec.yaml
+- Auto-detect technology stack
+- Output: Project type and stack
+
+### 2. Create Configuration
+- Generate `.vibe/config.json` with detected settings
+- Create `.vibe/state/events.jsonl`
+- Initialize knowledge base
+
+### 3. Initialize Workspace
+- Create workspace directories (plans, reports, archive, incidents)
+- Create initial CONTEXT.md template
+
+### 4. Update State
+- Append STARTED event for init phase
+- Append COMPLETED event
+
+## Exit Criteria
+- [ ] Config file created
+- [ ] State initialized
+- [ ] Knowledge base ready
+- [ ] Workspace directories created
+
+## Duration
+Expected: 1-2 minutes

package/.vibe/flows/01-clarify.md

@@ -0,0 +1,45 @@
+# 01-clarify — Requirements Clarification
+
+## Entry Criteria
+- 00-init completed
+- Task defined by user
+
+## Steps
+
+### 1. Understand Task
+- Read user's request
+- Identify task type (feature, bug, refactor, etc.)
+- Ask clarifying questions if needed
+
+### 2. Critical Assessment
+- Evaluate idea from multiple perspectives:
+  - Technical feasibility
+  - Business value
+  - Risk assessment
+  - Scale analysis (will this work at 1M users?)
+- Present pros, cons, and alternatives
+
+### 3. Define Scope
+- In scope: What will be done
+- Out of scope: What won't be done
+- Decided later: What needs more research
+
+### 4. Resolve Ambiguity
+- Address all open questions
+- Get user confirmation on scope
+- Document decisions
+
+### 5. Self-Reflection
+- Confidence level: [1-10]
+- What went well
+- What could be improved
+- Assumptions made
+
+## Exit Criteria
+- [ ] Task clearly defined
+- [ ] Scope documented
+- [ ] No critical open questions
+- [ ] User approved scope
+
+## Duration
+Expected: 5-15 minutes

package/.vibe/flows/02-brainstorm.md

@@ -0,0 +1,42 @@
+# 02-brainstorm — Research & Alternatives
+
+## Entry Criteria
+- 01-clarify completed
+- Technical ambiguity exists
+
+## Steps
+
+### 1. Research
+- Use codebase-memory to find existing patterns
+- Use context7 for library documentation
+- Use websearch for best practices
+- Check knowledge base for past decisions
+
+### 2. Generate Alternatives
+- List 2-3 possible approaches
+- For each: pros, cons, effort estimate
+- Consider: performance, maintainability, team skills
+
+### 3. Evaluate
+- Score each approach (0-10)
+- Consider: time to implement, complexity, risk
+- Select best approach with justification
+
+### 4. Create Scope Document
+- Architecture overview
+- Component diagram (if needed)
+- Technology choices
+
+### 5. Self-Reflection
+- Confidence level: [1-10]
+- Research completeness
+- Alternative quality
+
+## Exit Criteria
+- [ ] Alternatives evaluated
+- [ ] Approach selected
+- [ ] Scope documented
+- [ ] User approved approach
+
+## Duration
+Expected: 15-30 minutes

package/.vibe/flows/03-plan.md

@@ -0,0 +1,36 @@
+# 03-plan — Planning
+
+## Entry Criteria
+- 02-brainstorm completed (or skipped)
+- Scope clear
+
+## Steps
+
+### 1. Break Down Tasks
+- Create task list with IDs (T001, T002, etc.)
+- Each task: description, effort estimate, dependencies
+- Prioritize tasks (critical path first)
+
+### 2. Define Test Strategy
+- Unit tests: What to test
+- Integration tests: Key flows
+- E2E tests: Critical paths
+
+### 3. Create Plan Document
+- Save to workspace/plans/plan.md
+- Include: task list, timeline, dependencies
+- Define Definition of Done
+
+### 4. Self-Reflection
+- Confidence level: [1-10]
+- Plan completeness
+- Risk assessment
+
+## Exit Criteria
+- [ ] Task list created
+- [ ] Test strategy defined
+- [ ] Plan documented
+- [ ] User approved plan
+
+## Duration
+Expected: 10-20 minutes