vibecheck-ai 2.0.1 → 5.0.0

package/bin/runners/lib/missions/plan.js

@@ -0,0 +1,648 @@
+// bin/runners/lib/missions/plan.js
+// ═══════════════════════════════════════════════════════════════════════════════
+// MISSION PLANNING V2 - Enhanced with dependency-aware grouping, blast radius
+// analysis, and risk-based batching. "Missions, not chaos."
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const {
+  createMission,
+  calculateBlastRadius,
+  calculateRiskLevel,
+  RISK_LEVEL,
+  BLAST_RADIUS,
+} = require('./schema');
+const { templateForMissionType } = require('./templates');
+const {
+  ValidationError,
+  validateFinding,
+  validateOptions,
+  getAuditTrail,
+} = require('./hardening');
+
+/**
+ * Score a finding for priority ordering
+ * Enhanced with confidence-based scoring
+ */
+function scoreFinding(f) {
+  let score = 0;
+  
+  // Base severity score
+  if (f.severity === "BLOCK") score += 100;
+  else if (f.severity === "WARN") score += 50;
+  
+  // Confidence adjustment (findings with evidence are more reliable)
+  const confidence = f.confidence || (f.evidence?.length > 0 ? 0.8 : 0.5);
+  score = Math.round(score * confidence);
+  
+  // Boost for findings with file evidence (more actionable)
+  if (f.file || f.evidence?.some(e => e.file)) {
+    score += 10;
+  }
+  
+  // Boost for security-related categories
+  if (['Security', 'GhostAuth', 'AuthCoverage', 'Billing'].includes(f.category)) {
+    score += 20;
+  }
+  
+  return score;
+}
+
+/**
+ * Generate a fingerprint for deduplication
+ * Uses multiple signals to identify truly unique findings
+ */
+function generateFingerprint(f) {
+  const parts = [];
+  
+  // Primary: category + normalized title
+  parts.push(f.category || 'Unknown');
+  
+  // Normalize title (remove specific IDs, file paths, line numbers)
+  let normalizedTitle = (f.title || '')
+    .replace(/[a-f0-9]{8,}/gi, 'HASH')  // Remove hash-like IDs
+    .replace(/:\d+/g, ':LINE')           // Normalize line numbers
+    .replace(/\/[^/\s]+\.(ts|js|tsx|jsx)/gi, '/FILE.$1')  // Normalize file paths
+    .trim();
+  parts.push(normalizedTitle);
+  
+  // Secondary: file if available (for file-specific issues)
+  if (f.file) {
+    // Normalize the file path to base name for grouping
+    const fileName = f.file.split(/[/\\]/).pop() || f.file;
+    parts.push(fileName);
+  }
+  
+  return parts.join('|');
+}
+
+/**
+ * Extended category to mission type mapping
+ * Includes new categories from enhanced detection
+ */
+const CATEGORY_TO_MISSION_TYPE = {
+  // Security & Auth
+  Security: "REMOVE_OWNER_MODE",
+  GhostAuth: "ADD_SERVER_AUTH",
+  AuthCoverage: "ADD_SERVER_AUTH",
+  AuthDrift: "FIX_AUTH_DRIFT",
+  
+  // Billing & Payments
+  Billing: "FIX_STRIPE_WEBHOOKS",
+  Entitlements: "ENFORCE_PAID_SURFACE",
+  
+  // Routes & APIs
+  MissingRoute: "FIX_MISSING_ROUTE",
+  RouteDrift: "FIX_ROUTE_DRIFT",
+  
+  // Environment & Config
+  EnvContract: "FIX_ENV_CONTRACT",
+  
+  // Reality/Runtime issues
+  FakeSuccess: "FIX_FAKE_SUCCESS",
+  DeadUI: "FIX_DEAD_UI",
+  FakeDomain: "FIX_MOCK_DOMAINS",
+  FakeResponse: "FIX_PLACEHOLDER_DATA",
+  MockStatus: "FIX_MOCK_DOMAINS",
+  
+  // Code Quality
+  EmptyCatch: "FIX_EMPTY_CATCH",
+  TestKeys: "FIX_TEST_KEYS",
+  HardcodedSecrets: "FIX_HARDCODED_SECRETS",
+  SilentFallback: "FIX_SILENT_FALLBACK",
+};
+
+/**
+ * Mission type priority (lower = higher priority)
+ * Security issues come first, then billing, then everything else
+ */
+const MISSION_PRIORITY = {
+  // P0: Critical security (immediate fix required)
+  REMOVE_OWNER_MODE: 1,
+  FIX_HARDCODED_SECRETS: 2,
+  FIX_AUTH_DRIFT: 3,
+  
+  // P1: Security & billing (fix before shipping)
+  FIX_STRIPE_WEBHOOKS: 10,
+  ENFORCE_PAID_SURFACE: 11,
+  ADD_SERVER_AUTH: 12,
+  FIX_TEST_KEYS: 13,
+  
+  // P2: Fake data (fix before production)
+  FIX_MOCK_DOMAINS: 20,
+  FIX_PLACEHOLDER_DATA: 21,
+  FIX_FAKE_SUCCESS: 22,
+  
+  // P3: Code quality (fix when possible)
+  FIX_MISSING_ROUTE: 30,
+  FIX_ROUTE_DRIFT: 31,
+  FIX_ENV_CONTRACT: 32,
+  FIX_EMPTY_CATCH: 33,
+  FIX_SILENT_FALLBACK: 34,
+  
+  // P4: UI issues (fix before polish)
+  FIX_DEAD_UI: 40,
+  
+  // P5: Generic (lowest priority)
+  GENERIC_FIX: 99,
+};
+
+/**
+ * Extract files from findings
+ * @param {Array} findings - Findings array
+ * @returns {string[]} Unique file paths
+ */
+function extractFilesFromFindings(findings) {
+  const files = new Set();
+  for (const f of findings) {
+    if (f.file) files.add(f.file);
+    for (const ev of (f.evidence || [])) {
+      if (ev.file) files.add(ev.file);
+      if (ev.path) files.add(ev.path);
+    }
+  }
+  return Array.from(files);
+}
+
+/**
+ * Build a simple import graph from truthpack
+ * @param {object} truthpack - Truthpack object
+ * @returns {Map} Map of file -> imported files
+ */
+function buildImportGraph(truthpack) {
+  const graph = new Map();
+  
+  // Extract imports from truthpack if available
+  const imports = truthpack?.imports || truthpack?.dependencies?.imports || [];
+  for (const imp of imports) {
+    if (imp.from && imp.to) {
+      if (!graph.has(imp.from)) graph.set(imp.from, new Set());
+      graph.get(imp.from).add(imp.to);
+    }
+  }
+  
+  return graph;
+}
+
+/**
+ * Find connected components in file graph
+ * Files that import each other should be grouped together
+ * @param {string[]} files - List of files
+ * @param {Map} importGraph - Import graph
+ * @returns {string[][]} Array of file clusters
+ */
+function findConnectedFileClusters(files, importGraph) {
+  const fileSet = new Set(files);
+  const visited = new Set();
+  const clusters = [];
+  
+  function dfs(file, cluster) {
+    if (visited.has(file)) return;
+    visited.add(file);
+    cluster.push(file);
+    
+    // Check files this one imports
+    const imports = importGraph.get(file) || new Set();
+    for (const imported of imports) {
+      if (fileSet.has(imported)) {
+        dfs(imported, cluster);
+      }
+    }
+    
+    // Check files that import this one
+    for (const [from, toSet] of importGraph) {
+      if (toSet.has(file) && fileSet.has(from)) {
+        dfs(from, cluster);
+      }
+    }
+  }
+  
+  for (const file of files) {
+    if (!visited.has(file)) {
+      const cluster = [];
+      dfs(file, cluster);
+      if (cluster.length > 0) {
+        clusters.push(cluster);
+      }
+    }
+  }
+  
+  return clusters;
+}
+
+/**
+ * Calculate cluster risk score
+ * @param {Array} findings - Findings in cluster
+ * @returns {number} Risk score 0-100
+ */
+function calculateClusterRisk(findings) {
+  let score = 0;
+  
+  for (const f of findings) {
+    // Severity contribution
+    if (f.severity === 'BLOCK') score += 30;
+    else if (f.severity === 'WARN') score += 15;
+    else score += 5;
+    
+    // Confidence inverse (lower confidence = higher risk)
+    const confidence = f.confidence || 0.5;
+    score += Math.round((1 - confidence) * 10);
+  }
+  
+  // Normalize by finding count, cap at 100
+  return Math.min(100, score);
+}
+
+/**
+ * Create a mission from a finding using the new schema
+ * Enhanced with confidence and better metadata
+ */
+function missionFromFinding(f, relatedFindings = [], options = {}) {
+  const type = CATEGORY_TO_MISSION_TYPE[f.category] || "GENERIC_FIX";
+  const allFindingIds = [f.id, ...relatedFindings.map(r => r.id)];
+  const allFindings = [f, ...relatedFindings];
+  
+  // Calculate mission confidence based on findings
+  const confidences = [f.confidence || 0.5, ...relatedFindings.map(r => r.confidence || 0.5)];
+  const avgConfidence = confidences.reduce((a, b) => a + b, 0) / confidences.length;
+  
+  // Extract all files from findings
+  const allowedFiles = extractFilesFromFindings(allFindings);
+  
+  // Get template for this mission type
+  const template = templateForMissionType(type);
+  
+  // Use the new schema to create a proper mission object
+  return createMission({
+    type,
+    title: f.title,
+    severity: f.severity,
+    category: f.category,
+    targetFindingIds: allFindingIds,
+    template,
+    allowedFiles,
+    readOnlyContext: options.readOnlyContext || [],
+    confidence: avgConfidence,
+    evidence: f.evidence || [],
+    file: f.file || null,
+  });
+}
+
+/**
+ * Group related findings that can be fixed together
+ * E.g., multiple Dead UI issues in the same file
+ * Now with dependency-aware clustering
+ */
+function groupRelatedFindings(findings, options = {}) {
+  const { importGraph = new Map(), maxClusterRisk = 80 } = options;
+  const groups = new Map();
+  
+  // First pass: group by category
+  const byCategory = new Map();
+  for (const f of findings) {
+    const cat = f.category || 'Unknown';
+    if (!byCategory.has(cat)) byCategory.set(cat, []);
+    byCategory.get(cat).push(f);
+  }
+  
+  // Second pass: within each category, cluster by file dependencies
+  for (const [category, catFindings] of byCategory) {
+    const files = extractFilesFromFindings(catFindings);
+    const clusters = findConnectedFileClusters(files, importGraph);
+    
+    // Map files to their cluster index
+    const fileToCluster = new Map();
+    clusters.forEach((cluster, idx) => {
+      for (const file of cluster) {
+        fileToCluster.set(file, idx);
+      }
+    });
+    
+    // Group findings by their file's cluster
+    const clusterGroups = new Map();
+    for (const f of catFindings) {
+      const file = f.file || f.evidence?.[0]?.file || f.evidence?.[0]?.path || 'unknown';
+      const clusterIdx = fileToCluster.get(file) ?? -1;
+      const groupKey = `${category}:cluster_${clusterIdx}:${file}`;
+      
+      if (!clusterGroups.has(groupKey)) {
+        clusterGroups.set(groupKey, []);
+      }
+      clusterGroups.get(groupKey).push(f);
+    }
+    
+    // Third pass: split groups that exceed risk threshold
+    for (const [groupKey, groupFindings] of clusterGroups) {
+      const risk = calculateClusterRisk(groupFindings);
+      
+      if (risk > maxClusterRisk && groupFindings.length > 1) {
+        // Split into individual findings for high-risk groups
+        for (let i = 0; i < groupFindings.length; i++) {
+          groups.set(`${groupKey}:split_${i}`, [groupFindings[i]]);
+        }
+      } else {
+        groups.set(groupKey, groupFindings);
+      }
+    }
+  }
+  
+  return groups;
+}
+
+/**
+ * Advanced grouping with blast radius analysis
+ * Groups findings while respecting blast radius limits
+ */
+function groupWithBlastRadiusLimit(findings, options = {}) {
+  const { maxBlastRadius = 5, importGraph = new Map() } = options;
+  const groups = new Map();
+  
+  // Start with basic grouping
+  const basicGroups = groupRelatedFindings(findings, { importGraph });
+  
+  // Check each group's blast radius
+  for (const [key, groupFindings] of basicGroups) {
+    const files = extractFilesFromFindings(groupFindings);
+    
+    if (files.length > maxBlastRadius) {
+      // Split into smaller groups by file
+      const byFile = new Map();
+      for (const f of groupFindings) {
+        const file = f.file || f.evidence?.[0]?.file || 'unknown';
+        if (!byFile.has(file)) byFile.set(file, []);
+        byFile.get(file).push(f);
+      }
+      
+      // Create separate groups for each file
+      let idx = 0;
+      for (const [file, fileFindings] of byFile) {
+        groups.set(`${key}:file_${idx++}`, fileFindings);
+      }
+    } else {
+      groups.set(key, groupFindings);
+    }
+  }
+  
+  return groups;
+}
+
+/**
+ * Plan missions from findings with enhanced deduplication and prioritization
+ * 
+ * @param {Array} findings - List of findings from ship/scan
+ * @param {Object} options - Planning options
+ * @param {number} [options.maxMissions=12] - Maximum missions to plan
+ * @param {boolean} [options.blocksOnlyFirst=true] - Prioritize BLOCK findings
+ * @param {boolean} [options.groupRelated=true] - Group related findings
+ * @param {object} [options.truthpack] - Truthpack for dependency analysis
+ * @param {number} [options.maxBlastRadius=5] - Maximum files per mission
+ * @param {number} [options.maxClusterRisk=80] - Maximum cluster risk score
+ * @param {number} [options.minConfidence=0] - Minimum confidence threshold
+ * @returns {Array} Planned missions
+ */
+function planMissions(findings, options = {}) {
+  const audit = getAuditTrail();
+  
+  // ═══════════════════════════════════════════════════════════════════════════════
+  // INPUT VALIDATION
+  // ═══════════════════════════════════════════════════════════════════════════════
+  
+  // Handle null/undefined findings
+  if (!findings) {
+    audit.warn('plan_missions_no_findings', { findings });
+    return [];
+  }
+  
+  // Handle non-array findings
+  if (!Array.isArray(findings)) {
+    audit.error('plan_missions_invalid_findings', { type: typeof findings });
+    throw new ValidationError('findings must be an array', 'findings', findings);
+  }
+  
+  // Handle empty findings
+  if (findings.length === 0) {
+    audit.info('plan_missions_empty_findings');
+    return [];
+  }
+  
+  // Validate and sanitize options
+  const optionsSchema = {
+    maxMissions: { type: 'number', default: 12, min: 1, max: 100 },
+    blocksOnlyFirst: { type: 'boolean', default: true },
+    groupRelated: { type: 'boolean', default: true },
+    maxBlastRadius: { type: 'number', default: 5, min: 1, max: 50 },
+    maxClusterRisk: { type: 'number', default: 80, min: 0, max: 100 },
+    minConfidence: { type: 'number', default: 0, min: 0, max: 1 },
+  };
+  
+  const validatedOptions = validateOptions(options, optionsSchema);
+  if (!validatedOptions.valid) {
+    audit.warn('plan_missions_invalid_options', { errors: validatedOptions.errors });
+  }
+  
+  const {
+    maxMissions,
+    blocksOnlyFirst,
+    groupRelated,
+    maxBlastRadius,
+    maxClusterRisk,
+    minConfidence,
+  } = validatedOptions.sanitized;
+  
+  const truthpack = options.truthpack || null;
+  
+  audit.info('plan_missions_start', { 
+    findingCount: findings.length, 
+    maxMissions, 
+    blocksOnlyFirst,
+    groupRelated,
+  });
+
+  // Build import graph from truthpack if available
+  const importGraph = truthpack ? buildImportGraph(truthpack) : new Map();
+
+  // ═══════════════════════════════════════════════════════════════════════════════
+  // FINDING VALIDATION & FILTERING
+  // ═══════════════════════════════════════════════════════════════════════════════
+  
+  // Validate and filter findings
+  const validFindings = [];
+  let invalidCount = 0;
+  
+  for (const f of findings) {
+    const validation = validateFinding(f);
+    if (validation.valid) {
+      validFindings.push(f);
+    } else {
+      invalidCount++;
+      audit.debug('plan_missions_invalid_finding', { id: f?.id, errors: validation.errors });
+    }
+  }
+  
+  if (invalidCount > 0) {
+    audit.warn('plan_missions_invalid_findings_skipped', { invalidCount, validCount: validFindings.length });
+  }
+  
+  if (validFindings.length === 0) {
+    audit.info('plan_missions_no_valid_findings');
+    return [];
+  }
+  
+  // Step 1: Sort by score (severity + confidence + evidence)
+  const sorted = [...validFindings].sort((a, b) => scoreFinding(b) - scoreFinding(a));
+
+  // Step 2: Filter to BLOCKs only if we have them (cost control)
+  const hasBlocks = sorted.some(f => f.severity === "BLOCK");
+  const scoped = (blocksOnlyFirst && hasBlocks)
+    ? sorted.filter(f => f.severity === "BLOCK")
+    : sorted;
+
+  // Step 3: Deduplicate using fingerprints
+  const seenFingerprints = new Set();
+  const deduplicated = [];
+  
+  for (const f of scoped) {
+    const fingerprint = generateFingerprint(f);
+    
+    // Skip exact duplicates
+    if (seenFingerprints.has(fingerprint)) continue;
+    seenFingerprints.add(fingerprint);
+    
+    // Also check for near-duplicates (same category + similar title)
+    const nearDupeKey = `${f.category}:${(f.title || '').substring(0, 50)}`;
+    if (f.severity === "WARN" && seenFingerprints.has(nearDupeKey)) continue;
+    seenFingerprints.add(nearDupeKey);
+    
+    // Filter by minimum confidence if specified
+    const confidence = f.confidence || 0.5;
+    if (confidence < minConfidence) continue;
+    
+    deduplicated.push(f);
+  }
+
+  // Step 4: Group related findings with enhanced heuristics
+  let missions = [];
+  
+  if (groupRelated) {
+    // Use blast radius-aware grouping
+    const groups = groupWithBlastRadiusLimit(deduplicated, {
+      maxBlastRadius,
+      importGraph,
+      maxClusterRisk,
+    });
+    
+    for (const [groupKey, groupFindings] of groups) {
+      // Take the highest severity finding as primary
+      const primary = groupFindings[0]; // Already sorted by score
+      const related = groupFindings.slice(1, 5); // Limit related findings
+      
+      missions.push(missionFromFinding(primary, related, { importGraph }));
+    }
+  } else {
+    missions = deduplicated.map(f => missionFromFinding(f));
+  }
+
+  // Step 5: Sort by priority and risk
+  missions.sort((a, b) => {
+    const prioA = MISSION_PRIORITY[a.type] || 50;
+    const prioB = MISSION_PRIORITY[b.type] || 50;
+    if (prioA !== prioB) return prioA - prioB;
+    
+    // Secondary sort by risk level (lower risk first for safety)
+    const riskOrder = { low: 0, medium: 1, high: 2, critical: 3 };
+    const riskA = riskOrder[a.safety?.riskLevel] ?? 1;
+    const riskB = riskOrder[b.safety?.riskLevel] ?? 1;
+    if (riskA !== riskB) return riskA - riskB;
+    
+    // Tertiary sort by confidence (higher first)
+    return (b.safety?.confidence || 0.5) - (a.safety?.confidence || 0.5);
+  });
+
+  const result = missions.slice(0, maxMissions);
+  
+  // Log planning results
+  audit.info('plan_missions_complete', {
+    inputFindings: findings.length,
+    validFindings: validFindings.length,
+    deduplicated: deduplicated.length,
+    missions: result.length,
+    missionTypes: result.map(m => m.type),
+  });
+  
+  return result;
+}
+
+/**
+ * Plan a single mission for a specific finding
+ * @param {object} finding - The finding to create a mission for
+ * @param {object} options - Planning options
+ * @returns {object} Mission object
+ */
+function planSingleMission(finding, options = {}) {
+  return missionFromFinding(finding, [], options);
+}
+
+/**
+ * Get mission statistics
+ * @param {Array} missions - Array of missions
+ * @returns {object} Statistics object
+ */
+function getMissionStats(missions) {
+  const stats = {
+    total: missions.length,
+    byType: {},
+    byRisk: { low: 0, medium: 0, high: 0, critical: 0 },
+    byBlastRadius: { low: 0, medium: 0, high: 0 },
+    totalFindings: 0,
+    avgConfidence: 0,
+  };
+  
+  let totalConfidence = 0;
+  
+  for (const m of missions) {
+    // By type
+    stats.byType[m.type] = (stats.byType[m.type] || 0) + 1;
+    
+    // By risk
+    const risk = m.safety?.riskLevel || 'medium';
+    stats.byRisk[risk] = (stats.byRisk[risk] || 0) + 1;
+    
+    // By blast radius
+    const blast = m.scope?.blastRadius || 'medium';
+    stats.byBlastRadius[blast] = (stats.byBlastRadius[blast] || 0) + 1;
+    
+    // Finding count
+    stats.totalFindings += m.objective?.findingCount || 1;
+    
+    // Confidence
+    totalConfidence += m.safety?.confidence || 0.5;
+  }
+  
+  stats.avgConfidence = missions.length > 0 
+    ? Math.round((totalConfidence / missions.length) * 100) / 100 
+    : 0;
+  
+  return stats;
+}
+
+module.exports = { 
+  // Main planning functions
+  planMissions,
+  planSingleMission,
+  getMissionStats,
+  
+  // Grouping functions
+  groupRelatedFindings,
+  groupWithBlastRadiusLimit,
+  
+  // Utility functions
+  scoreFinding,
+  generateFingerprint,
+  extractFilesFromFindings,
+  buildImportGraph,
+  findConnectedFileClusters,
+  calculateClusterRisk,
+  
+  // Constants
+  CATEGORY_TO_MISSION_TYPE,
+  MISSION_PRIORITY,
+};