npm - vibecheck-ai - Versions diffs - 2.0.1 → 5.0.0 - Mend

vibecheck-ai 2.0.1 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (456) hide show

package/bin/.generated +25 -0
package/bin/_deprecations.js +463 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/dev/run-v2-torture.js +30 -0
package/bin/registry.js +656 -0
package/bin/runners/CLI_REFACTOR_SUMMARY.md +229 -0
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -0
package/bin/runners/REPORT_AUDIT.md +64 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +513 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor-enhanced.js +2525 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +169 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +304 -0
package/bin/runners/context/index.js +1110 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +1264 -0
package/bin/runners/context/security-scanner.js +541 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +336 -0
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -0
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/enforcement/gateway.js +1059 -0
package/bin/runners/lib/agent-firewall/enforcement/index.js +98 -0
package/bin/runners/lib/agent-firewall/enforcement/mode.js +318 -0
package/bin/runners/lib/agent-firewall/enforcement/orchestrator.js +484 -0
package/bin/runners/lib/agent-firewall/enforcement/proof-artifact.js +418 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/change-event.schema.json +173 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/intent.schema.json +181 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/verdict.schema.json +222 -0
package/bin/runners/lib/agent-firewall/enforcement/verdict-v2.js +333 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/index.js +200 -0
package/bin/runners/lib/agent-firewall/integration/index.js +20 -0
package/bin/runners/lib/agent-firewall/integration/ship-gate.js +437 -0
package/bin/runners/lib/agent-firewall/intent/alignment-engine.js +634 -0
package/bin/runners/lib/agent-firewall/intent/auto-detect.js +426 -0
package/bin/runners/lib/agent-firewall/intent/index.js +102 -0
package/bin/runners/lib/agent-firewall/intent/schema.js +352 -0
package/bin/runners/lib/agent-firewall/intent/store.js +283 -0
package/bin/runners/lib/agent-firewall/interception/fs-interceptor.js +502 -0
package/bin/runners/lib/agent-firewall/interception/index.js +23 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +308 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +79 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +227 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +191 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +322 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/session/collector.js +451 -0
package/bin/runners/lib/agent-firewall/session/index.js +26 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +309 -0
package/bin/runners/lib/analyzers.js +2500 -0
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/approve-output.js +235 -0
package/bin/runners/lib/artifact-envelope.js +540 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-shared.js +977 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/checkpoint.js +941 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/classify-output.js +204 -0
package/bin/runners/lib/cleanup/engine.js +571 -0
package/bin/runners/lib/cleanup/index.js +53 -0
package/bin/runners/lib/cleanup/output.js +375 -0
package/bin/runners/lib/cleanup/rules.js +1060 -0
package/bin/runners/lib/cli-output.js +400 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +202 -0
package/bin/runners/lib/contracts/env-contract.js +181 -0
package/bin/runners/lib/contracts/external-contract.js +206 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +199 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/detectors-v2.js +622 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/diagnosis-receipt.js +454 -0
package/bin/runners/lib/doctor/failure-signatures.js +526 -0
package/bin/runners/lib/doctor/fix-script.js +336 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/build-tools.js +453 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +105 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/os-quirks.js +706 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/repo-integrity.js +485 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +350 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/safe-repair.js +384 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-output.js +226 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/attack-detector.js +1192 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +265 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +340 -0
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +368 -0
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +684 -0
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/fix-output.js +228 -0
package/bin/runners/lib/global-flags.js +250 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/init-wizard.js +601 -0
package/bin/runners/lib/interactive-menu.js +1496 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/briefing.js +427 -0
package/bin/runners/lib/missions/checkpoint.js +753 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/hardening.js +851 -0
package/bin/runners/lib/missions/plan.js +648 -0
package/bin/runners/lib/missions/safety-gates.js +645 -0
package/bin/runners/lib/missions/schema.js +478 -0
package/bin/runners/lib/missions/templates.js +317 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/packs/bundle.js +675 -0
package/bin/runners/lib/packs/evidence-pack.js +671 -0
package/bin/runners/lib/packs/pack-factory.js +837 -0
package/bin/runners/lib/packs/permissions-pack.js +686 -0
package/bin/runners/lib/packs/proof-graph-pack.js +779 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/polish/accessibility.js +62 -0
package/bin/runners/lib/polish/analyzer.js +93 -0
package/bin/runners/lib/polish/backend.js +87 -0
package/bin/runners/lib/polish/configuration.js +83 -0
package/bin/runners/lib/polish/documentation.js +83 -0
package/bin/runners/lib/polish/frontend.js +817 -0
package/bin/runners/lib/polish/index.js +27 -0
package/bin/runners/lib/polish/infrastructure.js +80 -0
package/bin/runners/lib/polish/internationalization.js +85 -0
package/bin/runners/lib/polish/libraries.js +180 -0
package/bin/runners/lib/polish/observability.js +75 -0
package/bin/runners/lib/polish/performance.js +64 -0
package/bin/runners/lib/polish/privacy.js +110 -0
package/bin/runners/lib/polish/resilience.js +92 -0
package/bin/runners/lib/polish/security.js +78 -0
package/bin/runners/lib/polish/seo.js +71 -0
package/bin/runners/lib/polish/styles.js +62 -0
package/bin/runners/lib/polish/utils.js +104 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/prove-output.js +220 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/reality-output.js +231 -0
package/bin/runners/lib/receipts.js +179 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +626 -0
package/bin/runners/lib/report-html.js +1233 -0
package/bin/runners/lib/report-output.js +366 -0
package/bin/runners/lib/report-templates.js +967 -0
package/bin/runners/lib/report.js +135 -0
package/bin/runners/lib/route-detection.js +1209 -0
package/bin/runners/lib/route-truth.js +1322 -0
package/bin/runners/lib/safelist/index.js +96 -0
package/bin/runners/lib/safelist/integration.js +334 -0
package/bin/runners/lib/safelist/matcher.js +696 -0
package/bin/runners/lib/safelist/schema.js +948 -0
package/bin/runners/lib/safelist/store.js +438 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/scan-output.js +631 -0
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-manifest.schema.json +251 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +465 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/ship-gate.js +832 -0
package/bin/runners/lib/ship-manifest.js +1153 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +1128 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/status-output.js +340 -0
package/bin/runners/lib/terminal-ui.js +356 -0
package/bin/runners/lib/truth.js +1691 -0
package/bin/runners/lib/ui.js +562 -0
package/bin/runners/lib/unified-cli-output.js +947 -0
package/bin/runners/lib/unified-output.js +197 -0
package/bin/runners/lib/upsell.js +410 -0
package/bin/runners/lib/usage.js +153 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/lib/why-tree.js +650 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +229 -0
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +418 -0
package/bin/runners/runApprove.js +320 -0
package/bin/runners/runAudit.js +692 -0
package/bin/runners/runAuth.js +731 -0
package/bin/runners/runCI.js +353 -0
package/bin/runners/runCheckpoint.js +530 -0
package/bin/runners/runClassify.js +928 -0
package/bin/runners/runCleanup.js +343 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +175 -0
package/bin/runners/runDoctor.js +877 -0
package/bin/runners/runEvidencePack.js +362 -0
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +1355 -0
package/bin/runners/runForge.js +451 -0
package/bin/runners/runGuard.js +262 -0
package/bin/runners/runInit.js +1927 -0
package/bin/runners/runIntent.js +906 -0
package/bin/runners/runKickoff.js +878 -0
package/bin/runners/runLabs.js +424 -0
package/bin/runners/runLaunch.js +2000 -0
package/bin/runners/runLink.js +785 -0
package/bin/runners/runMcp.js +1875 -0
package/bin/runners/runPacks.js +2089 -0
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +390 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProve.js +1411 -0
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +2260 -0
package/bin/runners/runReport.js +726 -0
package/bin/runners/runRuntime.js +110 -0
package/bin/runners/runSafelist.js +1190 -0
package/bin/runners/runScan.js +688 -0
package/bin/runners/runShield.js +1282 -0
package/bin/runners/runShip.js +1660 -0
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +179 -0
package/bin/runners/runWatch.js +478 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +617 -0
package/bin/vibecheck.js +1617 -0
package/dist/guardrail/index.d.ts +2405 -0
package/dist/guardrail/index.js +9747 -0
package/dist/guardrail/index.js.map +1 -0
package/dist/scanner/index.d.ts +282 -0
package/dist/scanner/index.js +3395 -0
package/dist/scanner/index.js.map +1 -0
package/package.json +123 -104
package/README.md +0 -491
package/dist/index.js +0 -99711
package/dist/index.js.map +0 -1

package/bin/runners/lib/agent-firewall/enforcement/gateway.js ADDED Viewed

@@ -0,0 +1,1059 @@
+/**
+ * Agent Firewall Enforcement Gateway v3.0
+ *
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * AGENT FIREWALL™ - ENFORCEMENT GATEWAY
+ * ═══════════════════════════════════════════════════════════════════════════════
+ *
+ * THE SINGLE ENTRY POINT for all enforcement operations.
+ * All intercepted changes MUST flow through this gateway.
+ *
+ * Features:
+ * - Real-time blocking (blocks at write-time, not after)
+ * - Explainable blocks (exact reason + evidence + fix path)
+ * - Modes: ENFORCE (default), OBSERVE, CI, IDE
+ * - Signed verdicts for audit trail
+ * - Hash chain for tamper detection
+ *
+ * @module enforcement/gateway
+ * @version 3.0.0
+ */
+"use strict";
+const crypto = require("crypto");
+const path = require("path");
+const fs = require("fs");
+// Import schema validator
+const Ajv = require("ajv").default || require("ajv");
+const addFormats = require("ajv-formats").default || require("ajv-formats");
+// Import existing modules
+const { IntentStore } = require("../intent/store");
+const { checkAlignment, checkAlignmentBatch, VIOLATION_CODES } = require("../intent/alignment-engine");
+const { verifyIntentIntegrity, isIntentExpired } = require("../intent/schema");
+const { resolveEvidence } = require("../evidence/resolver");
+const { evaluatePolicy } = require("../policy/engine");
+const { SessionCollector } = require("../session/collector");
+// ═══════════════════════════════════════════════════════════════════════════════
+// CONSTANTS
+// ═══════════════════════════════════════════════════════════════════════════════
+const MODE = {
+  ENFORCE: "ENFORCE",   // Block on violation (default when intent exists)
+  OBSERVE: "OBSERVE",   // Log only (default when no intent)
+  CI: "CI",             // Fail pipeline on BLOCK
+  IDE: "IDE",           // Real-time interception, block writes
+};
+const VERDICT = {
+  PASS: "PASS",
+  BLOCK: "BLOCK",
+  WOULD_PASS: "WOULD_PASS",   // OBSERVE mode
+  WOULD_BLOCK: "WOULD_BLOCK", // OBSERVE mode
+};
+// Block patterns - code quality issues that always block
+const BLOCK_PATTERNS = [
+  { pattern: /\bTODO\b/i, code: "TODO_DETECTED", message: "TODO comment found - resolve before shipping" },
+  { pattern: /\bFIXME\b/i, code: "FIXME_DETECTED", message: "FIXME comment found - resolve before shipping" },
+  { pattern: /\bXXX\b/, code: "XXX_DETECTED", message: "XXX placeholder found - resolve before shipping" },
+  { pattern: /mock[A-Z]\w*\s*[=:]/, code: "MOCK_DATA", message: "Mock data detected in code" },
+  { pattern: /fakeDat[ae]|fakeUser|fakeResponse/i, code: "FAKE_DATA", message: "Fake data detected in code" },
+  { pattern: /placeholder|dummy/i, code: "PLACEHOLDER_DETECTED", message: "Placeholder code detected" },
+  { pattern: /console\.(log|debug|info)\(/, code: "CONSOLE_LOG", message: "Console statement in production code", severity: "warn" },
+  { pattern: /:\s*any\b/, code: "ANY_TYPE", message: "TypeScript 'any' type detected", severity: "warn" },
+  { pattern: /throw new Error\(['"]not implemented/i, code: "NOT_IMPLEMENTED", message: "Not implemented error found" },
+  { pattern: /\/\/ @ts-ignore|\/\/ @ts-nocheck/, code: "TS_IGNORE", message: "TypeScript ignore directive", severity: "warn" },
+];
+// ═══════════════════════════════════════════════════════════════════════════════
+// SCHEMA VALIDATION
+// ═══════════════════════════════════════════════════════════════════════════════
+let ajv = null;
+let validators = {};
+function initializeValidators() {
+  if (ajv) return;
+  ajv = new Ajv({ allErrors: true, strict: false });
+  addFormats(ajv);
+  try {
+    const schemaDir = path.join(__dirname, "schemas");
+    const intentSchema = JSON.parse(fs.readFileSync(path.join(schemaDir, "intent.schema.json"), "utf-8"));
+    const changeSchema = JSON.parse(fs.readFileSync(path.join(schemaDir, "change-event.schema.json"), "utf-8"));
+    const verdictSchema = JSON.parse(fs.readFileSync(path.join(schemaDir, "verdict.schema.json"), "utf-8"));
+    validators.intent = ajv.compile(intentSchema);
+    validators.changeEvent = ajv.compile(changeSchema);
+    validators.verdict = ajv.compile(verdictSchema);
+  } catch (err) {
+    // Fallback to no validation if schemas not found
+    validators.intent = () => true;
+    validators.changeEvent = () => true;
+    validators.verdict = () => true;
+  }
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// CHANGE EVENT BUILDER
+// ═══════════════════════════════════════════════════════════════════════════════
+let changeCounter = 0;
+function generateChangeId() {
+  return `chg-${Date.now().toString(36)}-${crypto.randomBytes(4).toString("hex")}`;
+}
+function generateVerdictId() {
+  return `vrd-${Date.now().toString(36)}-${crypto.randomBytes(6).toString("hex")}`;
+}
+/**
+ * Build a normalized change event from raw input
+ */
+function buildChangeEvent(rawChange, source) {
+  const id = generateChangeId();
+  const event = {
+    id,
+    type: rawChange.type || inferChangeType(rawChange),
+    source: {
+      agent_id: source?.agentId || rawChange.agentId || "unknown",
+      interception_point: source?.interceptionPoint || "cli",
+      tool_name: source?.toolName || null,
+      session_id: source?.sessionId || null,
+    },
+    location: rawChange.path || rawChange.file || rawChange.location,
+    diff: rawChange.diff || null,
+    content: rawChange.content || null,
+    domain: rawChange.domain || classifyDomain(rawChange.path || rawChange.location),
+    claims: rawChange.claims || [],
+    code_quality: null, // Will be populated by analyzeCodeQuality
+    timestamp: new Date().toISOString(),
+    metadata: rawChange.metadata || {},
+  };
+  // Analyze code quality if content is available
+  if (event.content || event.diff?.after) {
+    event.code_quality = analyzeCodeQuality(event.content || event.diff.after);
+  }
+  return event;
+}
+/**
+ * Infer change type from raw change
+ */
+function inferChangeType(rawChange) {
+  if (rawChange.type) return rawChange.type;
+  const loc = rawChange.path || rawChange.location || "";
+  // Check for route changes
+  if (rawChange.route || loc.includes("route") || rawChange.method) {
+    return rawChange.diff ? "route_modify" : "route_add";
+  }
+  // Check for env changes
+  if (rawChange.envVar || loc.includes(".env")) {
+    return rawChange.diff ? "env_write" : "env_ref";
+  }
+  // Check for file changes
+  if (rawChange.content && !rawChange.diff) {
+    return "file_create";
+  }
+  return "file_write";
+}
+/**
+ * Classify file domain
+ */
+function classifyDomain(filePath) {
+  if (!filePath) return "general";
+  const s = filePath.toLowerCase();
+  if (s.includes("auth") || s.includes("login") || s.includes("session")) return "auth";
+  if (s.includes("stripe") || s.includes("payment") || s.includes("billing")) return "payments";
+  if (s.includes("route") || s.includes("api/") || s.includes("endpoint")) return "routes";
+  if (s.includes("schema") || s.includes("contract") || s.includes("types")) return "contracts";
+  if (s.includes("component") || s.includes("page") || s.includes("/ui/")) return "ui";
+  if (s.includes("database") || s.includes("prisma") || s.includes("migration")) return "database";
+  if (s.includes("config") || s.includes(".env") || s.includes("setting")) return "config";
+  if (s.includes("test") || s.includes("spec") || s.includes("__tests__")) return "tests";
+  return "general";
+}
+/**
+ * Analyze code quality in content
+ */
+function analyzeCodeQuality(content) {
+  if (!content) return null;
+  const result = {
+    has_mock_data: false,
+    has_todo: false,
+    has_fixme: false,
+    has_placeholder: false,
+    has_fake_handler: false,
+    has_console_log: false,
+    has_any_type: false,
+    detected_patterns: [],
+  };
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pattern of BLOCK_PATTERNS) {
+      if (pattern.pattern.test(line)) {
+        result.detected_patterns.push({
+          pattern: pattern.code,
+          line: i + 1,
+          severity: pattern.severity || "block",
+          snippet: line.trim().substring(0, 100),
+        });
+        // Set flags
+        if (pattern.code === "TODO_DETECTED") result.has_todo = true;
+        if (pattern.code === "FIXME_DETECTED") result.has_fixme = true;
+        if (pattern.code.includes("MOCK") || pattern.code.includes("FAKE")) result.has_mock_data = true;
+        if (pattern.code === "PLACEHOLDER_DETECTED") result.has_placeholder = true;
+        if (pattern.code === "CONSOLE_LOG") result.has_console_log = true;
+        if (pattern.code === "ANY_TYPE") result.has_any_type = true;
+      }
+    }
+    // Check for fake handlers
+    if (/function\s+\w*[Hh]andler\s*\([^)]*\)\s*\{\s*\}/.test(line) ||
+        /=>\s*\{\s*\}/.test(line) ||
+        /return\s+null\s*;?\s*\/\/\s*todo/i.test(line)) {
+      result.has_fake_handler = true;
+      result.detected_patterns.push({
+        pattern: "FAKE_HANDLER",
+        line: i + 1,
+        severity: "block",
+        snippet: line.trim().substring(0, 100),
+      });
+    }
+  }
+  return result;
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// ENFORCEMENT GATEWAY
+// ═══════════════════════════════════════════════════════════════════════════════
+class EnforcementGateway {
+  constructor(projectRoot, options = {}) {
+    this.projectRoot = projectRoot;
+    this.options = options;
+    // Initialize components
+    this.intentStore = new IntentStore(projectRoot);
+    this.sessionCollector = new SessionCollector(projectRoot);
+    // Session tracking
+    this.sessionId = options.sessionId || `session-${Date.now()}`;
+    this.verdictSequence = 0;
+    this.previousVerdictHash = null;
+    // Initialize validators
+    initializeValidators();
+  }
+  /**
+   * Get current mode based on intent and options
+   */
+  getMode() {
+    // Explicit mode override
+    if (this.options.mode) return this.options.mode;
+    // Environment override
+    if (process.env.VIBECHECK_FIREWALL_MODE) {
+      return process.env.VIBECHECK_FIREWALL_MODE.toUpperCase();
+    }
+    // CI detection
+    if (process.env.CI || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI) {
+      return MODE.CI;
+    }
+    // Default: OBSERVE if no intent, ENFORCE if intent exists
+    return this.intentStore.hasIntent() ? MODE.ENFORCE : MODE.OBSERVE;
+  }
+  /**
+   * MAIN ENTRY POINT - Intercept and evaluate a change
+   *
+   * This is THE function all interception points should call.
+   * Returns a verdict that determines if the change is allowed.
+   *
+   * @param {Object} rawChange - Raw change data
+   * @param {Object} source - Source information (agent, interception point)
+   * @returns {Promise<Object>} Verdict with decision and details
+   */
+  async intercept(rawChange, source = {}) {
+    const startTime = Date.now();
+    const mode = this.getMode();
+    // Build normalized change event
+    const changeEvent = buildChangeEvent(rawChange, source);
+    // Get current intent
+    const intent = this.intentStore.getCurrent({ allowMissing: true });
+    const hasIntent = this.intentStore.hasIntent();
+    // In OBSERVE mode without intent, log and allow
+    if (mode === MODE.OBSERVE && !hasIntent) {
+      this.sessionCollector.record({
+        type: changeEvent.type,
+        path: changeEvent.location,
+        agent_id: changeEvent.source.agent_id,
+        lines_added: changeEvent.diff?.lines_added || 0,
+        lines_removed: changeEvent.diff?.lines_removed || 0,
+      });
+      return this._buildVerdict({
+        decision: VERDICT.WOULD_PASS,
+        mode,
+        intent_hash: null,
+        change_events: [changeEvent.id],
+        violations: [],
+        proofs: [],
+        summary: "OBSERVE mode - change logged for later review",
+        duration_ms: Date.now() - startTime,
+      });
+    }
+    // Run enforcement checks
+    const violations = [];
+    // 1. Intent integrity check
+    if (intent) {
+      const integrityCheck = verifyIntentIntegrity(intent);
+      if (!integrityCheck.valid) {
+        violations.push(this._buildViolation(
+          VIOLATION_CODES.INTENT_CORRUPTED,
+          "intent_integrity",
+          `Intent integrity failed: ${integrityCheck.reason}`,
+          "intent",
+          { expected: "valid hash", actual: "hash mismatch" }
+        ));
+      }
+      if (isIntentExpired(intent)) {
+        violations.push(this._buildViolation(
+          VIOLATION_CODES.INTENT_EXPIRED,
+          "intent_expiration",
+          "Intent has expired - declare new intent",
+          "intent",
+          { expected: "not expired", actual: `expired at ${intent.expires_at}` }
+        ));
+      }
+    }
+    // 2. Intent alignment check
+    const alignmentResult = checkAlignment(intent, changeEvent);
+    if (!alignmentResult.aligned) {
+      violations.push(...alignmentResult.violations);
+    }
+    // 3. Code quality check
+    if (changeEvent.code_quality) {
+      const qualityViolations = this._checkCodeQuality(changeEvent);
+      violations.push(...qualityViolations);
+    }
+    // 4. Domain/scope check
+    if (intent?.scope) {
+      const scopeViolations = this._checkScope(changeEvent, intent);
+      violations.push(...scopeViolations);
+    }
+    // 5. Protected files check
+    if (intent?.scope?.protected_files) {
+      const protectedViolations = this._checkProtectedFiles(changeEvent, intent);
+      violations.push(...protectedViolations);
+    }
+    // 6. Evidence resolution (existing system)
+    const evidence = resolveEvidence(this.projectRoot, changeEvent.claims || []);
+    // 7. Policy evaluation (existing system)
+    const policyResult = await evaluatePolicy({
+      policy: this._loadPolicy(),
+      claims: changeEvent.claims || [],
+      evidence,
+      files: [{ path: changeEvent.location, domain: changeEvent.domain }],
+      intent: intent?.summary || "",
+    });
+    if (policyResult.violations) {
+      violations.push(...policyResult.violations.map(v => this._buildViolation(
+        v.rule?.toUpperCase().replace(/-/g, "_") || "POLICY_VIOLATION",
+        v.rule || "policy",
+        v.message || "Policy violation",
+        v.claimId || v.file || "unknown"
+      )));
+    }
+    // Build proofs from evidence
+    const proofs = evidence.map(e => ({
+      id: `prf-${e.type}-${crypto.randomBytes(4).toString("hex")}`,
+      type: this._mapClaimTypeToProofType(e.type),
+      status: e.result === "PROVEN" ? "verified" : e.result === "UNPROVEN" ? "failed" : "pending",
+      target: e.pointer || e.claimId,
+      trace: e.sources?.[0]?.pointer,
+      verified_at: new Date().toISOString(),
+      method: "static",
+      error: e.result !== "PROVEN" ? e.reason : null,
+    }));
+    // Determine final decision
+    const blockViolations = violations.filter(v => v.severity === "block");
+    let decision;
+    if (mode === MODE.OBSERVE) {
+      decision = blockViolations.length > 0 ? VERDICT.WOULD_BLOCK : VERDICT.WOULD_PASS;
+    } else {
+      decision = blockViolations.length > 0 ? VERDICT.BLOCK : VERDICT.PASS;
+    }
+    // Build verdict
+    const verdict = this._buildVerdict({
+      decision,
+      mode,
+      intent_hash: intent?.hash || null,
+      change_events: [changeEvent.id],
+      violations,
+      proofs,
+      summary: this._generateSummary(decision, violations),
+      duration_ms: Date.now() - startTime,
+    });
+    // Store verdict
+    this._storeVerdict(verdict);
+    // In OBSERVE mode, still log to session
+    if (mode === MODE.OBSERVE) {
+      this.sessionCollector.record({
+        type: changeEvent.type,
+        path: changeEvent.location,
+        agent_id: changeEvent.source.agent_id,
+        verdict_id: verdict.id,
+        would_block: verdict.decision === VERDICT.WOULD_BLOCK,
+      });
+    }
+    return verdict;
+  }
+  /**
+   * Intercept multiple changes in batch
+   */
+  async interceptBatch(rawChanges, source = {}) {
+    const startTime = Date.now();
+    const mode = this.getMode();
+    // Build normalized change events
+    const changeEvents = rawChanges.map(rc => buildChangeEvent(rc, source));
+    // Get intent
+    const intent = this.intentStore.getCurrent({ allowMissing: true });
+    const hasIntent = this.intentStore.hasIntent();
+    // In OBSERVE mode without intent
+    if (mode === MODE.OBSERVE && !hasIntent) {
+      for (const ce of changeEvents) {
+        this.sessionCollector.record({
+          type: ce.type,
+          path: ce.location,
+          agent_id: ce.source.agent_id,
+        });
+      }
+      return this._buildVerdict({
+        decision: VERDICT.WOULD_PASS,
+        mode,
+        intent_hash: null,
+        change_events: changeEvents.map(e => e.id),
+        violations: [],
+        proofs: [],
+        summary: "OBSERVE mode - changes logged for later review",
+        duration_ms: Date.now() - startTime,
+      });
+    }
+    // Run batch alignment
+    const alignmentResult = checkAlignmentBatch(intent, changeEvents);
+    const violations = [...alignmentResult.violations];
+    // Check code quality for each
+    for (const ce of changeEvents) {
+      if (ce.code_quality) {
+        violations.push(...this._checkCodeQuality(ce));
+      }
+    }
+    // Determine decision
+    const blockViolations = violations.filter(v => v.severity === "block");
+    let decision;
+    if (mode === MODE.OBSERVE) {
+      decision = blockViolations.length > 0 ? VERDICT.WOULD_BLOCK : VERDICT.WOULD_PASS;
+    } else {
+      decision = blockViolations.length > 0 ? VERDICT.BLOCK : VERDICT.PASS;
+    }
+    const verdict = this._buildVerdict({
+      decision,
+      mode,
+      intent_hash: intent?.hash || null,
+      change_events: changeEvents.map(e => e.id),
+      violations,
+      proofs: [],
+      summary: this._generateSummary(decision, violations),
+      duration_ms: Date.now() - startTime,
+    });
+    this._storeVerdict(verdict);
+    return verdict;
+  }
+  /**
+   * Quick check - fast path for simple validation
+   */
+  quickCheck(rawChange) {
+    const changeEvent = buildChangeEvent(rawChange, {});
+    const intent = this.intentStore.getCurrent({ allowMissing: true });
+    const alignmentResult = checkAlignment(intent, changeEvent);
+    return {
+      allowed: alignmentResult.aligned,
+      decision: alignmentResult.decision,
+      violations: alignmentResult.violations,
+      intent_hash: intent?.hash || null,
+    };
+  }
+  /**
+   * Get verdict required for ship
+   */
+  async getShipVerdict(options = {}) {
+    const latestVerdict = this._getLatestVerdict();
+    if (!latestVerdict) {
+      return {
+        can_ship: false,
+        reason: "NO_VERDICT",
+        message: "No enforcement verdict found. Run vibecheck shield first.",
+      };
+    }
+    // Verify verdict integrity
+    const integrity = this._verifyVerdictIntegrity(latestVerdict);
+    if (!integrity.valid) {
+      return {
+        can_ship: false,
+        reason: "VERDICT_TAMPERED",
+        message: `Verdict integrity check failed: ${integrity.reason}`,
+      };
+    }
+    // Check verdict is recent enough
+    const verdictAge = Date.now() - new Date(latestVerdict.timestamp).getTime();
+    const maxAge = options.maxAge || 30 * 60 * 1000; // 30 minutes default
+    if (verdictAge > maxAge) {
+      return {
+        can_ship: false,
+        reason: "VERDICT_STALE",
+        message: `Verdict is ${Math.round(verdictAge / 60000)} minutes old. Re-run vibecheck shield.`,
+      };
+    }
+    return {
+      can_ship: latestVerdict.decision === VERDICT.PASS,
+      verdict: latestVerdict,
+      reason: latestVerdict.decision,
+      message: latestVerdict.summary,
+    };
+  }
+  // ═══════════════════════════════════════════════════════════════════════════
+  // PRIVATE METHODS
+  // ═══════════════════════════════════════════════════════════════════════════
+  _buildViolation(code, rule, message, resource, evidence = null) {
+    const violation = {
+      code,
+      rule,
+      message,
+      resource,
+      intent_ref: rule,
+      severity: "block",
+      evidence: evidence || null,
+      fix_hint: this._getFixHint(code, resource),
+    };
+    return violation;
+  }
+  _buildVerdict({ decision, mode, intent_hash, change_events, violations, proofs, summary, duration_ms }) {
+    const id = generateVerdictId();
+    const timestamp = new Date().toISOString();
+    this.verdictSequence++;
+    const verdict = {
+      id,
+      decision,
+      mode,
+      violations,
+      proofs,
+      intent_hash,
+      change_events,
+      timestamp,
+      verdict_hash: "", // Will be computed
+      signature: null,
+      chain: {
+        previous_verdict_hash: this.previousVerdictHash,
+        sequence_number: this.verdictSequence,
+        session_id: this.sessionId,
+      },
+      summary,
+      block_message: decision === VERDICT.BLOCK ? this._formatBlockMessage(violations) : null,
+      fix_guidance: this._generateFixGuidance(violations),
+      metadata: {
+        run_id: crypto.randomBytes(8).toString("hex"),
+        agent_id: change_events[0]?.source?.agent_id || "unknown",
+        project_root: this.projectRoot,
+        file_count: change_events.length,
+        evaluation_duration_ms: duration_ms,
+        vibecheck_version: "3.0.0",
+      },
+    };
+    // Compute verdict hash
+    verdict.verdict_hash = this._computeVerdictHash(verdict);
+    // Sign verdict
+    verdict.signature = this._signVerdict(verdict);
+    // Update chain
+    this.previousVerdictHash = verdict.verdict_hash;
+    return verdict;
+  }
+  _checkCodeQuality(changeEvent) {
+    const violations = [];
+    const cq = changeEvent.code_quality;
+    if (!cq || !cq.detected_patterns) return violations;
+    for (const pattern of cq.detected_patterns) {
+      if (pattern.severity === "block") {
+        violations.push(this._buildViolation(
+          pattern.pattern,
+          "code_quality",
+          BLOCK_PATTERNS.find(p => p.code === pattern.pattern)?.message || `Code quality issue: ${pattern.pattern}`,
+          changeEvent.location,
+          {
+            file: changeEvent.location,
+            line: pattern.line,
+            snippet: pattern.snippet,
+          }
+        ));
+      }
+    }
+    return violations;
+  }
+  _checkScope(changeEvent, intent) {
+    const violations = [];
+    if (intent.scope?.directories) {
+      const loc = changeEvent.location;
+      const inScope = intent.scope.directories.some(dir =>
+        loc.startsWith(dir) || loc.includes(`/${dir}`) || loc.includes(`\\${dir}`)
+      );
+      if (!inScope) {
+        violations.push(this._buildViolation(
+          VIOLATION_CODES.SCOPE_VIOLATION,
+          "scope_check",
+          `File outside allowed directories: ${changeEvent.location}`,
+          changeEvent.location,
+          {
+            expected: intent.scope.directories.join(", "),
+            actual: changeEvent.location,
+          }
+        ));
+      }
+    }
+    if (intent.scope?.domains) {
+      if (!intent.scope.domains.includes(changeEvent.domain)) {
+        violations.push(this._buildViolation(
+          VIOLATION_CODES.DOMAIN_VIOLATION,
+          "domain_check",
+          `Domain '${changeEvent.domain}' not in allowed domains`,
+          changeEvent.location,
+          {
+            expected: intent.scope.domains.join(", "),
+            actual: changeEvent.domain,
+          }
+        ));
+      }
+    }
+    if (intent.scope?.excluded_paths) {
+      const isExcluded = intent.scope.excluded_paths.some(ex =>
+        changeEvent.location.includes(ex)
+      );
+      if (isExcluded) {
+        violations.push(this._buildViolation(
+          VIOLATION_CODES.SCOPE_VIOLATION,
+          "excluded_path",
+          `File is in excluded paths: ${changeEvent.location}`,
+          changeEvent.location
+        ));
+      }
+    }
+    return violations;
+  }
+  _checkProtectedFiles(changeEvent, intent) {
+    const violations = [];
+    for (const protectedFile of intent.scope.protected_files) {
+      if (changeEvent.location.includes(protectedFile)) {
+        violations.push(this._buildViolation(
+          "PROTECTED_FILE_MODIFICATION",
+          "protected_file",
+          `Protected file cannot be modified: ${protectedFile}`,
+          changeEvent.location
+        ));
+      }
+    }
+    return violations;
+  }
+  _computeVerdictHash(verdict) {
+    const content = JSON.stringify({
+      decision: verdict.decision,
+      mode: verdict.mode,
+      violations: verdict.violations.map(v => ({ code: v.code, resource: v.resource })),
+      proofs: verdict.proofs.map(p => ({ id: p.id, status: p.status })),
+      intent_hash: verdict.intent_hash,
+      timestamp: verdict.timestamp,
+      chain: verdict.chain,
+    });
+    return crypto.createHash("sha256").update(content).digest("hex");
+  }
+  _signVerdict(verdict) {
+    // Use HMAC signing with a local key (would be replaced with proper key management)
+    const secret = process.env.VIBECHECK_SIGN_KEY || "vibecheck-local-signing-key";
+    const signature = crypto.createHmac("sha256", secret)
+      .update(verdict.verdict_hash)
+      .digest("hex");
+    return {
+      algorithm: "sha256-hmac",
+      value: signature,
+      key_id: "local",
+      signed_at: new Date().toISOString(),
+    };
+  }
+  _verifyVerdictIntegrity(verdict) {
+    if (!verdict || !verdict.verdict_hash) {
+      return { valid: false, reason: "MISSING_HASH" };
+    }
+    const computed = this._computeVerdictHash(verdict);
+    if (computed !== verdict.verdict_hash) {
+      return { valid: false, reason: "HASH_MISMATCH" };
+    }
+    // Verify signature if present
+    if (verdict.signature && verdict.signature.algorithm === "sha256-hmac") {
+      const secret = process.env.VIBECHECK_SIGN_KEY || "vibecheck-local-signing-key";
+      const expected = crypto.createHmac("sha256", secret)
+        .update(verdict.verdict_hash)
+        .digest("hex");
+      if (expected !== verdict.signature.value) {
+        return { valid: false, reason: "SIGNATURE_INVALID" };
+      }
+    }
+    return { valid: true, reason: "VERIFIED" };
+  }
+  _formatBlockMessage(violations) {
+    if (violations.length === 0) {
+      return "BLOCKED_BY_AGENT_FIREWALL: Unknown reason";
+    }
+    const lines = ["═══════════════════════════════════════════════════════════════════════════════"];
+    lines.push("BLOCKED BY AGENT FIREWALL");
+    lines.push("═══════════════════════════════════════════════════════════════════════════════");
+    lines.push("");
+    for (const v of violations.filter(v => v.severity === "block").slice(0, 5)) {
+      lines.push(`❌ [${v.code}]`);
+      lines.push(`   Resource: ${v.resource}`);
+      lines.push(`   Reason: ${v.message}`);
+      if (v.evidence) {
+        if (v.evidence.file) lines.push(`   File: ${v.evidence.file}:${v.evidence.line || ''}`);
+        if (v.evidence.snippet) lines.push(`   Snippet: ${v.evidence.snippet.substring(0, 60)}...`);
+      }
+      if (v.fix_hint) {
+        lines.push(`   Fix: ${v.fix_hint}`);
+      }
+      lines.push("");
+    }
+    if (violations.length > 5) {
+      lines.push(`... and ${violations.length - 5} more violations`);
+      lines.push("");
+    }
+    lines.push("═══════════════════════════════════════════════════════════════════════════════");
+    return lines.join("\n");
+  }
+  _generateSummary(decision, violations) {
+    if (decision === VERDICT.PASS || decision === VERDICT.WOULD_PASS) {
+      return "All enforcement checks passed";
+    }
+    const blockCount = violations.filter(v => v.severity === "block").length;
+    const warnCount = violations.filter(v => v.severity === "warn").length;
+    const topIssues = violations
+      .filter(v => v.severity === "block")
+      .slice(0, 3)
+      .map(v => v.code)
+      .join(", ");
+    return `BLOCKED: ${blockCount} violation(s), ${warnCount} warning(s). Top issues: ${topIssues}`;
+  }
+  _generateFixGuidance(violations) {
+    const guidance = [];
+    for (const v of violations.filter(v => v.severity === "block")) {
+      const fix = this._getFixGuidanceForViolation(v);
+      if (fix) guidance.push(fix);
+    }
+    return guidance;
+  }
+  _getFixGuidanceForViolation(violation) {
+    const fixMap = {
+      "TODO_DETECTED": {
+        action: "remove_code",
+        explanation: "Remove or resolve TODO comment before shipping",
+        auto_fixable: false,
+      },
+      "FIXME_DETECTED": {
+        action: "remove_code",
+        explanation: "Resolve FIXME issue before shipping",
+        auto_fixable: false,
+      },
+      "MOCK_DATA": {
+        action: "modify_file",
+        explanation: "Replace mock data with real implementation or move to test files",
+        auto_fixable: false,
+      },
+      "UNDECLARED_ROUTE": {
+        action: "update_intent",
+        command: "vibecheck intent amend --allow-route",
+        explanation: "Add route to allowed_changes in intent",
+        auto_fixable: false,
+      },
+      "UNDECLARED_ENV_VAR": {
+        action: "add_env",
+        command: "vibecheck intent amend --allow-env",
+        explanation: "Declare env var in intent or add to .env",
+        auto_fixable: true,
+      },
+      "SCOPE_VIOLATION": {
+        action: "update_intent",
+        command: "vibecheck intent amend --allow-dir",
+        explanation: "Expand scope to include this directory",
+        auto_fixable: false,
+      },
+    };
+    const template = fixMap[violation.code];
+    if (!template) return null;
+    return {
+      violation_code: violation.code,
+      target: violation.resource,
+      ...template,
+    };
+  }
+  _getFixHint(code, resource) {
+    const hints = {
+      "TODO_DETECTED": "Remove TODO or resolve the issue",
+      "FIXME_DETECTED": "Fix the issue or remove FIXME comment",
+      "MOCK_DATA": "Replace mock data with real implementation",
+      "FAKE_DATA": "Replace fake data with real implementation",
+      "PLACEHOLDER_DETECTED": "Replace placeholder with real code",
+      "CONSOLE_LOG": "Remove console statement or use proper logger",
+      "ANY_TYPE": "Add proper TypeScript type",
+      "NOT_IMPLEMENTED": "Implement the function",
+      "TS_IGNORE": "Fix the TypeScript error instead of ignoring",
+      "UNDECLARED_ROUTE": `Run: vibecheck intent amend --allow-route "${resource}"`,
+      "UNDECLARED_ENV_VAR": `Run: vibecheck intent amend --allow-env "${resource}"`,
+      "UNDECLARED_FILE_CHANGE": `Run: vibecheck intent amend --allow-file "${resource}"`,
+      "SCOPE_VIOLATION": `Update intent scope or move file to allowed directory`,
+      "DOMAIN_NOT_ALLOWED": `Add domain to intent: vibecheck intent amend --domain`,
+    };
+    return hints[code] || "Review and fix the violation";
+  }
+  _mapClaimTypeToProofType(claimType) {
+    const map = {
+      route: "route",
+      auth_boundary: "auth",
+      ui_success_claim: "ui",
+      http_call: "integration",
+      env_used: "env",
+      env_declared: "env",
+      data_contract: "contract",
+    };
+    return map[claimType] || "integration";
+  }
+  _loadPolicy() {
+    const policyPath = path.join(this.projectRoot, ".vibecheck", "policy.json");
+    if (fs.existsSync(policyPath)) {
+      try {
+        return JSON.parse(fs.readFileSync(policyPath, "utf-8"));
+      } catch {
+        // Return default
+      }
+    }
+    return {
+      version: "3.0.0",
+      profile: "strict",
+      rules: {},
+    };
+  }
+  _storeVerdict(verdict) {
+    const verdictDir = path.join(this.projectRoot, ".vibecheck", "verdicts");
+    try {
+      if (!fs.existsSync(verdictDir)) {
+        fs.mkdirSync(verdictDir, { recursive: true });
+      }
+      // Store by ID
+      fs.writeFileSync(
+        path.join(verdictDir, `${verdict.id}.json`),
+        JSON.stringify(verdict, null, 2)
+      );
+      // Store as latest
+      fs.writeFileSync(
+        path.join(verdictDir, "latest.json"),
+        JSON.stringify(verdict, null, 2)
+      );
+    } catch (err) {
+      // Silent fail - verdict storage is not critical
+    }
+  }
+  _getLatestVerdict() {
+    const latestPath = path.join(this.projectRoot, ".vibecheck", "verdicts", "latest.json");
+    if (fs.existsSync(latestPath)) {
+      try {
+        return JSON.parse(fs.readFileSync(latestPath, "utf-8"));
+      } catch {
+        return null;
+      }
+    }
+    return null;
+  }
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// FACTORY FUNCTIONS
+// ═══════════════════════════════════════════════════════════════════════════════
+/**
+ * Create an enforcement gateway instance
+ */
+function createGateway(projectRoot, options = {}) {
+  return new EnforcementGateway(projectRoot, options);
+}
+/**
+ * Quick intercept - one-shot enforcement without persisting gateway
+ */
+async function intercept(projectRoot, rawChange, source = {}) {
+  const gateway = createGateway(projectRoot);
+  return gateway.intercept(rawChange, source);
+}
+/**
+ * Quick check - fast validation without full enforcement
+ */
+function quickCheck(projectRoot, rawChange) {
+  const gateway = createGateway(projectRoot);
+  return gateway.quickCheck(rawChange);
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════════
+module.exports = {
+  EnforcementGateway,
+  createGateway,
+  intercept,
+  quickCheck,
+  buildChangeEvent,
+  analyzeCodeQuality,
+  classifyDomain,
+  MODE,
+  VERDICT,
+  BLOCK_PATTERNS,
+};