vibecheck-ai 2.0.1 → 5.0.0

package/bin/runners/lib/schemas/ajv-validator.js

@@ -0,0 +1,464 @@
+/**
+ * Schema Validator v3 - Production AJV Implementation
+ * 
+ * Full JSON Schema Draft 2020-12 validation using AJV.
+ * Replaces the minimal validator for production use.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+// Lazy-load AJV to avoid startup cost if not needed
+let ajv = null;
+let ajvFormats = null;
+
+function getAjv() {
+  if (!ajv) {
+    const Ajv = require("ajv");
+    ajvFormats = require("ajv-formats");
+    
+    ajv = new Ajv({
+      strict: true,
+      allErrors: true,
+      verbose: true,
+      validateFormats: true,
+      // Allow unknown keywords for custom extensions
+      strictTypes: true,
+      strictTuples: true,
+      // Cache schemas for performance
+      cache: new Map(),
+    });
+    
+    // Add standard formats (date-time, uri, email, etc.)
+    ajvFormats(ajv);
+    
+    // Add custom formats
+    ajv.addFormat("sha256", /^sha256:[a-f0-9]{64}$/);
+    ajv.addFormat("fingerprint", /^sha256:[a-f0-9]{64}$/);
+    ajv.addFormat("finding-id", /^F_[A-Z0-9_]+$/);
+    ajv.addFormat("evidence-id", /^E_[A-Z0-9]+$/);
+  }
+  
+  return ajv;
+}
+
+// Schema cache
+const schemaCache = new Map();
+const validatorCache = new Map();
+
+// Schema IDs (same as validator.js for compatibility)
+const SCHEMAS = {
+  FINDING: "finding.schema.json",
+  FINDING_V3: "finding-v3.schema.json",
+  SHIP_REPORT: "ship-report.schema.json",
+  REALITY_REPORT: "reality-report.schema.json",
+  TRUTHPACK_V2: "truthpack-v2.schema.json",
+  CONTRACTS: "contracts.schema.json",
+  PROOF_GRAPH: "proof-graph.schema.json",
+  MISSION_PACK: "mission-pack.schema.json",
+  SHARE_PACK: "share-pack.schema.json",
+  VERDICT: "verdict.schema.json",
+  ERROR_ENVELOPE: "error-envelope.schema.json",
+  RUN_REQUEST: "run-request.schema.json",
+  REPORT_ARTIFACT: "report-artifact.schema.json",
+};
+
+// =============================================================================
+// SCHEMA LOADING
+// =============================================================================
+
+/**
+ * Load a schema by ID
+ */
+function loadSchema(schemaId) {
+  if (schemaCache.has(schemaId)) {
+    return schemaCache.get(schemaId);
+  }
+
+  const schemaPath = path.join(__dirname, schemaId);
+  if (!fs.existsSync(schemaPath)) {
+    return null;
+  }
+
+  try {
+    const schema = JSON.parse(fs.readFileSync(schemaPath, "utf8"));
+    schemaCache.set(schemaId, schema);
+    return schema;
+  } catch (e) {
+    console.error(`Failed to load schema ${schemaId}:`, e.message);
+    return null;
+  }
+}
+
+/**
+ * Get compiled validator for schema
+ */
+function getValidator(schemaId) {
+  if (validatorCache.has(schemaId)) {
+    return validatorCache.get(schemaId);
+  }
+  
+  const schema = loadSchema(schemaId);
+  if (!schema) {
+    return null;
+  }
+  
+  try {
+    const ajvInstance = getAjv();
+    
+    // Remove $id to avoid conflicts when compiling multiple schemas
+    const schemaCopy = { ...schema };
+    delete schemaCopy.$id;
+    
+    const validator = ajvInstance.compile(schemaCopy);
+    validatorCache.set(schemaId, validator);
+    return validator;
+  } catch (e) {
+    console.error(`Failed to compile schema ${schemaId}:`, e.message);
+    return null;
+  }
+}
+
+/**
+ * Validate data against schema using AJV
+ */
+function validateAgainstSchema(data, schema, contextPath = "") {
+  if (!schema || data === undefined) {
+    return [];
+  }
+  
+  try {
+    const ajvInstance = getAjv();
+    const schemaCopy = { ...schema };
+    delete schemaCopy.$id;
+    
+    const validate = ajvInstance.compile(schemaCopy);
+    const valid = validate(data);
+    
+    if (valid) {
+      return [];
+    }
+    
+    // Convert AJV errors to our format
+    return (validate.errors || []).map(err => ({
+      path: contextPath + (err.instancePath || ""),
+      message: err.message || "Validation failed",
+      keyword: err.keyword,
+      params: err.params,
+    }));
+  } catch (e) {
+    return [{
+      path: contextPath,
+      message: `Schema compilation error: ${e.message}`,
+      keyword: "compile",
+    }];
+  }
+}
+
+// =============================================================================
+// ARTIFACT VALIDATION
+// =============================================================================
+
+/**
+ * Validate an artifact file against its schema
+ */
+function validateArtifact(filePath, schemaId) {
+  const validator = getValidator(schemaId);
+  
+  if (!validator) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Schema ${schemaId} not found or invalid`, keyword: "schema" }],
+    };
+  }
+
+  let data;
+  try {
+    data = JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch (e) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Failed to read/parse file: ${e.message}`, keyword: "parse" }],
+    };
+  }
+
+  const valid = validator(data);
+  
+  if (valid) {
+    return { valid: true, errors: [], data };
+  }
+  
+  const errors = (validator.errors || []).map(err => ({
+    path: err.instancePath || "",
+    message: err.message || "Validation failed",
+    keyword: err.keyword,
+    params: err.params,
+  }));
+  
+  return { valid: false, errors, data };
+}
+
+/**
+ * Validate data object against schema
+ */
+function validateData(data, schemaId) {
+  const validator = getValidator(schemaId);
+  
+  if (!validator) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Schema ${schemaId} not found`, keyword: "schema" }],
+    };
+  }
+  
+  const valid = validator(data);
+  
+  if (valid) {
+    return { valid: true, errors: [] };
+  }
+  
+  const errors = (validator.errors || []).map(err => ({
+    path: err.instancePath || "",
+    message: err.message || "Validation failed",
+    keyword: err.keyword,
+  }));
+  
+  return { valid: false, errors };
+}
+
+/**
+ * Validate and write artifact with schema check
+ */
+function writeValidatedArtifact(filePath, data, schemaId, options = {}) {
+  const { strict = false, warnOnly = true } = options;
+  
+  const result = validateData(data, schemaId);
+  
+  if (!result.valid) {
+    const message = `Artifact ${filePath} has ${result.errors.length} schema violations`;
+    
+    if (strict) {
+      throw new Error(`${message}: ${result.errors.map(e => e.message).join(", ")}`);
+    }
+    
+    if (warnOnly) {
+      console.warn(`Warning: ${message}:`);
+      result.errors.slice(0, 5).forEach(e => 
+        console.warn(`  - ${e.path || "/"}: ${e.message}`)
+      );
+      if (result.errors.length > 5) {
+        console.warn(`  ... and ${result.errors.length - 5} more errors`);
+      }
+    }
+  }
+
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+  
+  return { 
+    written: true, 
+    path: filePath,
+    valid: result.valid,
+    errors: result.errors,
+  };
+}
+
+// =============================================================================
+// FINDING GENERATION (kept for compatibility with validator.js)
+// =============================================================================
+
+/**
+ * Generate stable fingerprint for deduplication
+ */
+function generateFingerprint(parts) {
+  const content = parts.filter(Boolean).join("|");
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+
+/**
+ * Generate finding ID
+ */
+function generateFindingId(detectorId, fingerprint) {
+  return `F_${detectorId}_${fingerprint.slice(0, 8).toUpperCase()}`;
+}
+
+/**
+ * Generate evidence ID
+ */
+function generateEvidenceId(fingerprint) {
+  return `E_${fingerprint.slice(0, 12).toUpperCase()}`;
+}
+
+/**
+ * Create a spec-compliant finding
+ */
+function createFinding(options = {}) {
+  const {
+    detectorId,
+    severity = "WARN",
+    category = "Routes",
+    scope = "client",
+    title,
+    why,
+    confidence = "medium",
+    evidence = [],
+    repro = null,
+    related = [],
+    proofNode = null,
+    missionType = null,
+    file = null,
+    path: routePath = null,
+    method = null,
+  } = options;
+
+  const fingerprint = generateFingerprint([
+    detectorId,
+    file,
+    routePath,
+    method,
+    title,
+  ]);
+
+  const finding = {
+    id: generateFindingId(detectorId, fingerprint),
+    detectorId,
+    fingerprint: `sha256:${fingerprint}`,
+    severity,
+    category,
+    scope,
+    title,
+    why,
+    confidence,
+    evidence: evidence.map((e, i) => ({
+      id: e.id || generateEvidenceId(fingerprint + i),
+      kind: e.kind || "file",
+      ...e,
+    })),
+    repro,
+    related,
+    proofNode,
+    missionType,
+  };
+  
+  // Validate the finding
+  const result = validateData(finding, SCHEMAS.FINDING_V3);
+  if (!result.valid) {
+    console.warn(`Warning: Created finding has schema violations:`, result.errors.slice(0, 3));
+  }
+  
+  return finding;
+}
+
+/**
+ * Create file evidence
+ */
+function createFileEvidence(options = {}) {
+  const { file, lines, snippetHash, reason } = options;
+  const fp = generateFingerprint([file, lines, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "file",
+    file,
+    lines,
+    snippetHash,
+    reason,
+  };
+}
+
+/**
+ * Create runtime evidence
+ */
+function createRuntimeEvidence(options = {}) {
+  const { url, httpStatus, reason, data } = options;
+  const fp = generateFingerprint([url, httpStatus, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "request",
+    url,
+    httpStatus,
+    reason,
+    data,
+  };
+}
+
+// =============================================================================
+// SEVERITY POLICY (kept for compatibility with validator.js)
+// =============================================================================
+
+const SEVERITY_POLICY = {
+  ROUTE_MISSING: { default: "BLOCK", withRuntimeProof: "BLOCK" },
+  ROUTE_404: { default: "BLOCK" },
+  ROUTE_405: { default: "WARN" },
+  AUTH_BYPASS: { default: "BLOCK" },
+  AUTH_MISSING: { default: "WARN", criticalPath: "BLOCK" },
+  FAKE_SUCCESS: { default: "BLOCK" },
+  SUCCESS_TOAST_NO_CHANGE: { default: "BLOCK" },
+  SUCCESS_BEFORE_REQUEST: { default: "BLOCK" },
+  DEAD_CLICK: { default: "BLOCK" },
+  NO_FEEDBACK: { default: "WARN" },
+  CONTRACT_DRIFT_ROUTE: { default: "WARN", blocking: "BLOCK" },
+  CONTRACT_DRIFT_ENV: { default: "WARN", required: "BLOCK" },
+  CONTRACT_DRIFT_AUTH: { default: "BLOCK" },
+  STRIPE_WEBHOOK_UNVERIFIED: { default: "BLOCK" },
+  PAID_SURFACE_UNENFORCED: { default: "BLOCK" },
+  OWNER_MODE_BYPASS: { default: "BLOCK" },
+  HARDCODED_SECRET: { default: "BLOCK" },
+};
+
+/**
+ * Get severity based on policy
+ */
+function getSeverity(issueType, context = {}) {
+  const policy = SEVERITY_POLICY[issueType];
+  if (!policy) return "WARN";
+
+  if (context.hasRuntimeProof && policy.withRuntimeProof) {
+    return policy.withRuntimeProof;
+  }
+  if (context.isCriticalPath && policy.criticalPath) {
+    return policy.criticalPath;
+  }
+  if (context.isBlocking && policy.blocking) {
+    return policy.blocking;
+  }
+  if (context.isRequired && policy.required) {
+    return policy.required;
+  }
+
+  return policy.default;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  // Schema operations
+  SCHEMAS,
+  loadSchema,
+  getValidator,
+  validateAgainstSchema,
+  validateArtifact,
+  validateData,
+  writeValidatedArtifact,
+  
+  // Finding generation
+  generateFingerprint,
+  generateFindingId,
+  generateEvidenceId,
+  createFinding,
+  createFileEvidence,
+  createRuntimeEvidence,
+  
+  // Severity policy
+  SEVERITY_POLICY,
+  getSeverity,
+  
+  // AJV access for advanced usage
+  getAjv,
+};

package/bin/runners/lib/schemas/contracts.schema.json

@@ -0,0 +1,160 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/contracts.schema.json",
+  "title": "Vibecheck Contracts",
+  "description": "Stable contracts extracted from truthpack for drift detection",
+  "type": "object",
+  "required": ["specVersion", "generatedAt", "projectRoot", "fingerprint", "routes", "env", "auth"],
+  "properties": {
+    "specVersion": {
+      "type": "string",
+      "const": "2.0"
+    },
+    "generatedAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "projectRoot": {
+      "type": "string"
+    },
+    "fingerprint": {
+      "type": "string",
+      "pattern": "^sha256:[a-f0-9]{64}$",
+      "description": "Hash of contracts for quick comparison"
+    },
+    "routes": {
+      "$ref": "#/$defs/routesContract"
+    },
+    "env": {
+      "$ref": "#/$defs/envContract"
+    },
+    "auth": {
+      "$ref": "#/$defs/authContract"
+    },
+    "external": {
+      "$ref": "#/$defs/externalContract"
+    },
+    "artifacts": {
+      "type": "array",
+      "items": { "$ref": "#/$defs/artifact" }
+    }
+  },
+  "$defs": {
+    "routesContract": {
+      "type": "object",
+      "required": ["count", "fingerprint", "endpoints"],
+      "properties": {
+        "count": { "type": "integer", "minimum": 0 },
+        "fingerprint": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$"
+        },
+        "endpoints": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["method", "path", "framework"],
+            "properties": {
+              "method": {
+                "type": "string",
+                "enum": ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "ALL"]
+              },
+              "path": { "type": "string" },
+              "canonicalPath": { "type": "string" },
+              "framework": { "type": "string" },
+              "authRequired": { "type": "boolean" },
+              "source": {
+                "type": "string",
+                "enum": ["static", "runtime"]
+              }
+            }
+          }
+        },
+        "byFramework": {
+          "type": "object",
+          "additionalProperties": { "type": "integer" }
+        }
+      }
+    },
+    "envContract": {
+      "type": "object",
+      "required": ["count", "fingerprint", "vars"],
+      "properties": {
+        "count": { "type": "integer", "minimum": 0 },
+        "fingerprint": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$"
+        },
+        "vars": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["name"],
+            "properties": {
+              "name": { "type": "string" },
+              "required": { "type": "boolean" },
+              "isPublic": { "type": "boolean" },
+              "isSecret": { "type": "boolean" }
+            }
+          }
+        },
+        "baseUrlVar": { "type": ["string", "null"] }
+      }
+    },
+    "authContract": {
+      "type": "object",
+      "required": ["fingerprint", "protectedPatterns"],
+      "properties": {
+        "fingerprint": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$"
+        },
+        "provider": {
+          "type": ["string", "null"],
+          "enum": [null, "next-auth", "clerk", "supabase", "custom"]
+        },
+        "protectedPatterns": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "publicPatterns": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "middlewareHash": {
+          "type": ["string", "null"],
+          "pattern": "^sha256:[a-f0-9]{64}$"
+        }
+      }
+    },
+    "externalContract": {
+      "type": "object",
+      "properties": {
+        "fingerprint": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$"
+        },
+        "apis": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["host"],
+            "properties": {
+              "host": { "type": "string" },
+              "paths": { "type": "array", "items": { "type": "string" } },
+              "envVar": { "type": ["string", "null"] }
+            }
+          }
+        }
+      }
+    },
+    "artifact": {
+      "type": "object",
+      "required": ["path", "sha256"],
+      "properties": {
+        "path": { "type": "string" },
+        "sha256": { "type": "string", "pattern": "^[a-f0-9]{64}$" }
+      }
+    }
+  }
+}