npm - vibecheck-ai - Versions diffs - 2.0.1 → 5.0.0 - Mend

vibecheck-ai 2.0.1 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (456) hide show

package/bin/.generated +25 -0
package/bin/_deprecations.js +463 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/dev/run-v2-torture.js +30 -0
package/bin/registry.js +656 -0
package/bin/runners/CLI_REFACTOR_SUMMARY.md +229 -0
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -0
package/bin/runners/REPORT_AUDIT.md +64 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +513 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor-enhanced.js +2525 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +169 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +304 -0
package/bin/runners/context/index.js +1110 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +1264 -0
package/bin/runners/context/security-scanner.js +541 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +336 -0
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -0
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/enforcement/gateway.js +1059 -0
package/bin/runners/lib/agent-firewall/enforcement/index.js +98 -0
package/bin/runners/lib/agent-firewall/enforcement/mode.js +318 -0
package/bin/runners/lib/agent-firewall/enforcement/orchestrator.js +484 -0
package/bin/runners/lib/agent-firewall/enforcement/proof-artifact.js +418 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/change-event.schema.json +173 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/intent.schema.json +181 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/verdict.schema.json +222 -0
package/bin/runners/lib/agent-firewall/enforcement/verdict-v2.js +333 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/index.js +200 -0
package/bin/runners/lib/agent-firewall/integration/index.js +20 -0
package/bin/runners/lib/agent-firewall/integration/ship-gate.js +437 -0
package/bin/runners/lib/agent-firewall/intent/alignment-engine.js +634 -0
package/bin/runners/lib/agent-firewall/intent/auto-detect.js +426 -0
package/bin/runners/lib/agent-firewall/intent/index.js +102 -0
package/bin/runners/lib/agent-firewall/intent/schema.js +352 -0
package/bin/runners/lib/agent-firewall/intent/store.js +283 -0
package/bin/runners/lib/agent-firewall/interception/fs-interceptor.js +502 -0
package/bin/runners/lib/agent-firewall/interception/index.js +23 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +308 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +79 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +227 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +191 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +322 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/session/collector.js +451 -0
package/bin/runners/lib/agent-firewall/session/index.js +26 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +309 -0
package/bin/runners/lib/analyzers.js +2500 -0
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/approve-output.js +235 -0
package/bin/runners/lib/artifact-envelope.js +540 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-shared.js +977 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/checkpoint.js +941 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/classify-output.js +204 -0
package/bin/runners/lib/cleanup/engine.js +571 -0
package/bin/runners/lib/cleanup/index.js +53 -0
package/bin/runners/lib/cleanup/output.js +375 -0
package/bin/runners/lib/cleanup/rules.js +1060 -0
package/bin/runners/lib/cli-output.js +400 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +202 -0
package/bin/runners/lib/contracts/env-contract.js +181 -0
package/bin/runners/lib/contracts/external-contract.js +206 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +199 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/detectors-v2.js +622 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/diagnosis-receipt.js +454 -0
package/bin/runners/lib/doctor/failure-signatures.js +526 -0
package/bin/runners/lib/doctor/fix-script.js +336 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/build-tools.js +453 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +105 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/os-quirks.js +706 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/repo-integrity.js +485 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +350 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/safe-repair.js +384 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-output.js +226 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/attack-detector.js +1192 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +265 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +340 -0
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +368 -0
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +684 -0
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/fix-output.js +228 -0
package/bin/runners/lib/global-flags.js +250 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/init-wizard.js +601 -0
package/bin/runners/lib/interactive-menu.js +1496 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/briefing.js +427 -0
package/bin/runners/lib/missions/checkpoint.js +753 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/hardening.js +851 -0
package/bin/runners/lib/missions/plan.js +648 -0
package/bin/runners/lib/missions/safety-gates.js +645 -0
package/bin/runners/lib/missions/schema.js +478 -0
package/bin/runners/lib/missions/templates.js +317 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/packs/bundle.js +675 -0
package/bin/runners/lib/packs/evidence-pack.js +671 -0
package/bin/runners/lib/packs/pack-factory.js +837 -0
package/bin/runners/lib/packs/permissions-pack.js +686 -0
package/bin/runners/lib/packs/proof-graph-pack.js +779 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/polish/accessibility.js +62 -0
package/bin/runners/lib/polish/analyzer.js +93 -0
package/bin/runners/lib/polish/backend.js +87 -0
package/bin/runners/lib/polish/configuration.js +83 -0
package/bin/runners/lib/polish/documentation.js +83 -0
package/bin/runners/lib/polish/frontend.js +817 -0
package/bin/runners/lib/polish/index.js +27 -0
package/bin/runners/lib/polish/infrastructure.js +80 -0
package/bin/runners/lib/polish/internationalization.js +85 -0
package/bin/runners/lib/polish/libraries.js +180 -0
package/bin/runners/lib/polish/observability.js +75 -0
package/bin/runners/lib/polish/performance.js +64 -0
package/bin/runners/lib/polish/privacy.js +110 -0
package/bin/runners/lib/polish/resilience.js +92 -0
package/bin/runners/lib/polish/security.js +78 -0
package/bin/runners/lib/polish/seo.js +71 -0
package/bin/runners/lib/polish/styles.js +62 -0
package/bin/runners/lib/polish/utils.js +104 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/prove-output.js +220 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/reality-output.js +231 -0
package/bin/runners/lib/receipts.js +179 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +626 -0
package/bin/runners/lib/report-html.js +1233 -0
package/bin/runners/lib/report-output.js +366 -0
package/bin/runners/lib/report-templates.js +967 -0
package/bin/runners/lib/report.js +135 -0
package/bin/runners/lib/route-detection.js +1209 -0
package/bin/runners/lib/route-truth.js +1322 -0
package/bin/runners/lib/safelist/index.js +96 -0
package/bin/runners/lib/safelist/integration.js +334 -0
package/bin/runners/lib/safelist/matcher.js +696 -0
package/bin/runners/lib/safelist/schema.js +948 -0
package/bin/runners/lib/safelist/store.js +438 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/scan-output.js +631 -0
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-manifest.schema.json +251 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +465 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/ship-gate.js +832 -0
package/bin/runners/lib/ship-manifest.js +1153 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +1128 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/status-output.js +340 -0
package/bin/runners/lib/terminal-ui.js +356 -0
package/bin/runners/lib/truth.js +1691 -0
package/bin/runners/lib/ui.js +562 -0
package/bin/runners/lib/unified-cli-output.js +947 -0
package/bin/runners/lib/unified-output.js +197 -0
package/bin/runners/lib/upsell.js +410 -0
package/bin/runners/lib/usage.js +153 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/lib/why-tree.js +650 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +229 -0
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +418 -0
package/bin/runners/runApprove.js +320 -0
package/bin/runners/runAudit.js +692 -0
package/bin/runners/runAuth.js +731 -0
package/bin/runners/runCI.js +353 -0
package/bin/runners/runCheckpoint.js +530 -0
package/bin/runners/runClassify.js +928 -0
package/bin/runners/runCleanup.js +343 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +175 -0
package/bin/runners/runDoctor.js +877 -0
package/bin/runners/runEvidencePack.js +362 -0
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +1355 -0
package/bin/runners/runForge.js +451 -0
package/bin/runners/runGuard.js +262 -0
package/bin/runners/runInit.js +1927 -0
package/bin/runners/runIntent.js +906 -0
package/bin/runners/runKickoff.js +878 -0
package/bin/runners/runLabs.js +424 -0
package/bin/runners/runLaunch.js +2000 -0
package/bin/runners/runLink.js +785 -0
package/bin/runners/runMcp.js +1875 -0
package/bin/runners/runPacks.js +2089 -0
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +390 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProve.js +1411 -0
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +2260 -0
package/bin/runners/runReport.js +726 -0
package/bin/runners/runRuntime.js +110 -0
package/bin/runners/runSafelist.js +1190 -0
package/bin/runners/runScan.js +688 -0
package/bin/runners/runShield.js +1282 -0
package/bin/runners/runShip.js +1660 -0
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +179 -0
package/bin/runners/runWatch.js +478 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +617 -0
package/bin/vibecheck.js +1617 -0
package/dist/guardrail/index.d.ts +2405 -0
package/dist/guardrail/index.js +9747 -0
package/dist/guardrail/index.js.map +1 -0
package/dist/scanner/index.d.ts +282 -0
package/dist/scanner/index.js +3395 -0
package/dist/scanner/index.js.map +1 -0
package/package.json +123 -104
package/README.md +0 -491
package/dist/index.js +0 -99711
package/dist/index.js.map +0 -1

package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js ADDED Viewed

@@ -0,0 +1,79 @@
+/**
+ * Fake Success UI Rule
+ *
+ * Only flags egregious cases of UI showing success without any backing logic.
+ * This rule is now much more lenient to reduce false positives - most success
+ * messages are legitimate (form submissions, state updates, etc.)
+ *
+ * Only flags when:
+ * 1. Success message is in a "critical" domain (payments, auth)
+ * 2. AND there's zero HTTP/API activity in the entire file
+ * 3. AND no state management activity detected
+ */
+"use strict";
+const { CLAIM_TYPES } = require("../../claims/claim-types");
+/**
+ * Evaluate fake success UI rule
+ * @param {object} params
+ * @param {array} params.claims - Extracted claims
+ * @param {array} params.evidence - Evidence resolution results
+ * @param {object} params.policy - Policy configuration
+ * @returns {object|null} Violation or null
+ */
+function evaluate({ claims, evidence, policy }) {
+  const ruleConfig = policy.rules?.fake_success_ui;
+  if (!ruleConfig || !ruleConfig.enabled) {
+    return null;
+  }
+  // Find UI success claims
+  const successClaims = claims.filter(c => c.type === CLAIM_TYPES.UI_SUCCESS);
+  if (successClaims.length === 0) {
+    return null;
+  }
+  // Check if there's ANY HTTP call, route reference, or side effect in the claims
+  // If yes, the file likely has real logic and success messages are legitimate
+  const hasHttpCall = claims.some(c =>
+    c.type === CLAIM_TYPES.HTTP_CALL || c.type === CLAIM_TYPES.ROUTE
+  );
+  const hasSideEffect = claims.some(c => c.type === CLAIM_TYPES.SIDE_EFFECT);
+  // If there's any API activity, allow all success messages
+  if (hasHttpCall || hasSideEffect) {
+    return null;
+  }
+  // Check if any success claim is in a critical domain
+  const criticalDomains = ruleConfig.block_if_domain || ["payments", "auth"];
+  const criticalSuccessClaims = successClaims.filter(claim => {
+    const domain = claim.domain || "general";
+    return criticalDomains.includes(domain);
+  });
+  // Only flag if:
+  // 1. There's a success claim in a critical domain
+  // 2. AND there's zero API activity
+  // 3. AND we have multiple success claims (single success is likely legitimate)
+  if (criticalSuccessClaims.length > 0 && successClaims.length > 2) {
+    return {
+      rule: "fake_success_ui",
+      severity: ruleConfig.severity || "warn", // Default to warn, not block
+      message: `Multiple success messages (${successClaims.length}) in ${criticalSuccessClaims[0].domain} without API calls - verify logic exists`,
+      claimId: `claim_${claims.indexOf(criticalSuccessClaims[0])}`,
+      claim: criticalSuccessClaims[0]
+    };
+  }
+  return null;
+}
+module.exports = {
+  evaluate
+};

package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js ADDED Viewed

@@ -0,0 +1,227 @@
+/**
+ * Ghost Env Rule
+ *
+ * Blocks if process.env.X used but not declared.
+ * Includes smart whitelisting to reduce false positives.
+ */
+"use strict";
+const { CLAIM_TYPES } = require("../../claims/claim-types");
+/**
+ * Common environment variables that are safe to use without explicit declaration.
+ * These are well-known Node.js, Next.js, and common deployment platform vars.
+ *
+ * NOTE: Be generous with this list - most env vars are set by the user's deployment
+ * environment and aren't hallucinations. We only want to flag truly phantom vars
+ * that the agent invented with no basis.
+ */
+const SAFE_ENV_VARS = new Set([
+  // Node.js core
+  "NODE_ENV",
+  "NODE_OPTIONS",
+  "NODE_PATH",
+  "NODE_DEBUG",
+  "NODE_TLS_REJECT_UNAUTHORIZED",
+  // Next.js / React
+  "NEXT_PUBLIC_",      // Prefix pattern
+  "REACT_APP_",        // Prefix pattern
+  "VERCEL",
+  "VERCEL_ENV",
+  "VERCEL_URL",
+  "NEXT_RUNTIME",
+  "ANALYZE",
+  // Common deployment
+  "PORT",
+  "HOST",
+  "HOSTNAME",
+  "CI",
+  "DEBUG",
+  "LOG_LEVEL",
+  "TZ",
+  "LANG",
+  "HOME",
+  "USER",
+  "PATH",
+  "PWD",
+  "SHELL",
+  "TERM",
+  "TMPDIR",
+  "TEMP",
+  "TMP",
+  // Testing
+  "TEST",
+  "JEST_WORKER_ID",
+  "VITEST",
+  "PLAYWRIGHT_TEST_BASE_URL",
+  // Build tools
+  "npm_package_name",
+  "npm_package_version",
+  "npm_lifecycle_event",
+  // Database (common naming patterns)
+  "DATABASE_URL",
+  "DB_HOST",
+  "DB_PORT",
+  "DB_USER",
+  "DB_PASSWORD",
+  "DB_NAME",
+  "POSTGRES_URL",
+  "MYSQL_URL",
+  "REDIS_URL",
+  "MONGODB_URI",
+  // Auth (common naming patterns)
+  "JWT_SECRET",
+  "SESSION_SECRET",
+  "AUTH_SECRET",
+  "NEXTAUTH_SECRET",
+  "NEXTAUTH_URL",
+  // API keys (generic patterns)
+  "API_KEY",
+  "API_SECRET",
+  "SECRET_KEY",
+  // Email
+  "SMTP_HOST",
+  "SMTP_PORT",
+  "SMTP_USER",
+  "SMTP_PASSWORD",
+  "MAIL_HOST",
+  "MAIL_PORT",
+  "RESEND_API_KEY",
+  "SENDGRID_API_KEY",
+  // Payments
+  "STRIPE_SECRET_KEY",
+  "STRIPE_PUBLISHABLE_KEY",
+  "STRIPE_WEBHOOK_SECRET",
+]);
+/**
+ * Prefix patterns that are safe - these are from known platforms/tools
+ */
+const SAFE_ENV_PREFIXES = [
+  "NEXT_PUBLIC_",
+  "REACT_APP_",
+  "VITE_",
+  "VUE_APP_",
+  "NUXT_",
+  "npm_",
+  "GITHUB_",
+  "CI_",
+  "VERCEL_",
+  "RAILWAY_",
+  "RENDER_",
+  "HEROKU_",
+  "AWS_",
+  "AZURE_",
+  "GOOGLE_",
+  "FIREBASE_",
+  "SUPABASE_",
+  "CLERK_",
+  "AUTH0_",
+  "SENTRY_",
+  "DATADOG_",
+  "NEW_RELIC_",
+  "OPENAI_",
+  "ANTHROPIC_",
+  "VIBECHECK_",
+];
+/**
+ * Check if an env var is in the safe list
+ * @param {string} varName - Environment variable name
+ * @returns {boolean} Is safe
+ */
+function isSafeEnvVar(varName) {
+  if (!varName || typeof varName !== 'string') return false;
+  const normalized = varName.toUpperCase();
+  // Direct match
+  if (SAFE_ENV_VARS.has(normalized)) return true;
+  // Prefix match
+  for (const prefix of SAFE_ENV_PREFIXES) {
+    if (normalized.startsWith(prefix)) return true;
+  }
+  return false;
+}
+/**
+ * Evaluate ghost env rule
+ * @param {object} params
+ * @param {array} params.claims - Extracted claims
+ * @param {array} params.evidence - Evidence resolution results
+ * @param {object} params.policy - Policy configuration
+ * @returns {object|null} Violation or null
+ */
+function evaluate({ claims, evidence, policy }) {
+  const ruleConfig = policy.rules?.ghost_env;
+  if (!ruleConfig || !ruleConfig.enabled) {
+    return null;
+  }
+  // Get custom whitelist from policy
+  const customWhitelist = new Set(ruleConfig.whitelist || []);
+  // Find env claims with UNPROVEN evidence
+  for (let i = 0; i < claims.length; i++) {
+    const claim = claims[i];
+    if (claim.type === CLAIM_TYPES.ENV) {
+      const ev = evidence.find(e => e.claimId === `claim_${i}`);
+      if (ev && ev.result === "UNPROVEN") {
+        const envVar = String(claim.value || claim.key || "");
+        // Skip if it's a known safe env var
+        if (isSafeEnvVar(envVar)) {
+          continue;
+        }
+        // Skip if in custom whitelist
+        if (customWhitelist.has(envVar)) {
+          continue;
+        }
+        // Skip if it's a fallback pattern (e.g., process.env.X || 'default')
+        if (claim.hasFallback) {
+          // Downgrade to warning instead of block
+          return {
+            rule: "ghost_env",
+            severity: "warn",
+            message: `Env var ${envVar} is used with fallback but not declared`,
+            claimId: `claim_${i}`,
+            claim
+          };
+        }
+        // Default to "warn" - only block if explicitly configured
+        // Most env vars are real, just not in .env.example
+        return {
+          rule: "ghost_env",
+          severity: ruleConfig.severity || "warn",
+          message: `Env var ${envVar} used but not found in .env.example`,
+          claimId: `claim_${i}`,
+          claim
+        };
+      }
+    }
+  }
+  return null;
+}
+module.exports = {
+  evaluate
+};

package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js ADDED Viewed

@@ -0,0 +1,191 @@
+/**
+ * Ghost Route Rule
+ *
+ * Blocks if UI references route not registered in truthpack.
+ * Includes smart detection of external APIs and common patterns.
+ */
+"use strict";
+const { CLAIM_TYPES } = require("../../claims/claim-types");
+/**
+ * Patterns that indicate an external API (not a local route)
+ */
+const EXTERNAL_API_PATTERNS = [
+  // Full URLs
+  /^https?:\/\//i,
+  /^\/\/[a-z]/i,
+  // Common external API domains
+  /api\.github\.com/i,
+  /api\.stripe\.com/i,
+  /api\.openai\.com/i,
+  /api\.anthropic\.com/i,
+  /api\.twilio\.com/i,
+  /api\.sendgrid\.com/i,
+  /graph\.facebook\.com/i,
+  /api\.twitter\.com/i,
+  /googleapis\.com/i,
+  /aws\.amazon\.com/i,
+  /cloudflare\.com/i,
+  /api\.clerk\.dev/i,
+  /api\.auth0\.com/i,
+  /api\.supabase\.co/i,
+  /api\.vercel\.app/i,
+  // GraphQL endpoints
+  /graphql/i,
+  // Webhook patterns
+  /webhook/i,
+  /hook\//i,
+];
+/**
+ * Path patterns that are safe to skip (dynamic or template)
+ */
+const SAFE_ROUTE_PATTERNS = [
+  // Dynamic segments
+  /\$\{/,                    // Template literals
+  /\[.*\]/,                  // Dynamic route segments [id]
+  /:\w+/,                    // URL params :id
+  /\{\{.*\}\}/,              // Template syntax
+  // Hash-only routes
+  /^#/,
+  // Query-only
+  /^\?/,
+  // Empty or undefined
+  /^undefined$/i,
+  /^null$/i,
+];
+/**
+ * Check if a route is external
+ * @param {string} route - Route path
+ * @returns {boolean} Is external
+ */
+function isExternalRoute(route) {
+  if (!route || typeof route !== 'string') return true;
+  const trimmed = route.trim();
+  // Check external patterns
+  for (const pattern of EXTERNAL_API_PATTERNS) {
+    if (pattern.test(trimmed)) return true;
+  }
+  return false;
+}
+/**
+ * Check if a route should be skipped
+ * @param {string} route - Route path
+ * @returns {boolean} Should skip
+ */
+function shouldSkipRoute(route) {
+  if (!route || typeof route !== 'string') return true;
+  const trimmed = route.trim();
+  // Skip empty routes
+  if (trimmed.length === 0) return true;
+  // Check safe patterns
+  for (const pattern of SAFE_ROUTE_PATTERNS) {
+    if (pattern.test(trimmed)) return true;
+  }
+  return false;
+}
+/**
+ * Check if route is a local API route
+ * @param {string} route - Route path
+ * @returns {boolean} Is local API
+ */
+function isLocalApiRoute(route) {
+  if (!route || typeof route !== 'string') return false;
+  const trimmed = route.trim().toLowerCase();
+  // Must start with /api/ to be a local Next.js API route
+  return trimmed.startsWith('/api/');
+}
+/**
+ * Evaluate ghost route rule
+ * @param {object} params
+ * @param {array} params.claims - Extracted claims
+ * @param {array} params.evidence - Evidence resolution results
+ * @param {object} params.policy - Policy configuration
+ * @returns {object|null} Violation or null
+ */
+function evaluate({ claims, evidence, policy }) {
+  const ruleConfig = policy.rules?.ghost_route;
+  if (!ruleConfig || !ruleConfig.enabled) {
+    return null;
+  }
+  // Get custom whitelist from policy
+  const customWhitelist = new Set(ruleConfig.whitelist || []);
+  // Find route claims with UNPROVEN evidence
+  for (let i = 0; i < claims.length; i++) {
+    const claim = claims[i];
+    if (claim.type === CLAIM_TYPES.ROUTE || claim.type === CLAIM_TYPES.HTTP_CALL) {
+      const ev = evidence.find(e => e.claimId === `claim_${i}`);
+      // Skip if evidence shows it's already proven
+      if (ev && ev.result === "PROVEN") {
+        continue;
+      }
+      if (ev && ev.result === "UNPROVEN") {
+        const routePath = String(claim.value || "").trim();
+        // Skip dynamic or template routes
+        if (shouldSkipRoute(routePath)) {
+          continue;
+        }
+        // Skip external API calls
+        if (isExternalRoute(routePath)) {
+          continue;
+        }
+        // Only flag local API routes
+        if (!isLocalApiRoute(routePath)) {
+          // Not a local API route - could be page navigation, skip
+          continue;
+        }
+        // Skip if in custom whitelist
+        if (customWhitelist.has(routePath)) {
+          continue;
+        }
+        // Default to "warn" - only block if explicitly configured
+        // Route references are often correct, just not in truthpack yet
+        return {
+          rule: "ghost_route",
+          severity: ruleConfig.severity || "warn",
+          message: `Route ${routePath} not found in truthpack - verify it exists`,
+          claimId: `claim_${i}`,
+          claim
+        };
+      }
+    }
+  }
+  return null;
+}
+module.exports = {
+  evaluate
+};

package/bin/runners/lib/agent-firewall/policy/rules/scope.js ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * Scope Explosion Rule
+ *
+ * Blocks if too many files touched.
+ */
+"use strict";
+/**
+ * Evaluate scope explosion rule
+ * @param {object} params
+ * @param {array} params.files - Changed files
+ * @param {string} params.intent - Agent intent message
+ * @param {object} params.policy - Policy configuration
+ * @returns {object|null} Violation or null
+ */
+function evaluate({ files, intent, policy }) {
+  const ruleConfig = policy.rules?.scope_explosion;
+  if (!ruleConfig || !ruleConfig.enabled) {
+    return null;
+  }
+  const scope = policy.scope || {};
+  const maxFiles = scope.max_files_touched || 10;
+  const maxLines = scope.max_lines_changed || 600;
+  const requireIntent = scope.require_intent_for_expand_scope || false;
+  const totalFiles = files.length;
+  const totalLines = files.reduce((sum, f) => sum + (f.linesChanged || 0), 0);
+  // Check file count
+  if (totalFiles > maxFiles) {
+    const hasIntent = intent && intent.trim().length > 0;
+    if (requireIntent && !hasIntent) {
+      return {
+        rule: "scope_explosion",
+        severity: ruleConfig.severity || "block",
+        message: `Scope explosion: ${totalFiles} files touched (max: ${maxFiles}). Intent required for scope expansion.`,
+        metadata: {
+          totalFiles,
+          maxFiles,
+          hasIntent
+        }
+      };
+    } else if (!requireIntent) {
+      return {
+        rule: "scope_explosion",
+        severity: ruleConfig.severity || "block",
+        message: `Scope explosion: ${totalFiles} files touched (max: ${maxFiles})`,
+        metadata: {
+          totalFiles,
+          maxFiles
+        }
+      };
+    }
+  }
+  // Check line count
+  if (totalLines > maxLines) {
+    const hasIntent = intent && intent.trim().length > 0;
+    if (requireIntent && !hasIntent) {
+      return {
+        rule: "scope_explosion",
+        severity: ruleConfig.severity || "block",
+        message: `Scope explosion: ${totalLines} lines changed (max: ${maxLines}). Intent required for scope expansion.`,
+        metadata: {
+          totalLines,
+          maxLines,
+          hasIntent
+        }
+      };
+    } else if (!requireIntent) {
+      return {
+        rule: "scope_explosion",
+        severity: ruleConfig.severity || "block",
+        message: `Scope explosion: ${totalLines} lines changed (max: ${maxLines})`,
+        metadata: {
+          totalLines,
+          maxLines
+        }
+      };
+    }
+  }
+  return null;
+}
+module.exports = {
+  evaluate
+};

package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Unsafe Side Effect Rule
+ *
+ * Blocks unverified side effects.
+ */
+"use strict";
+const { CLAIM_TYPES } = require("../../claims/claim-types");
+/**
+ * Evaluate unsafe side effect rule
+ * @param {object} params
+ * @param {array} params.claims - Extracted claims
+ * @param {array} params.evidence - Evidence resolution results
+ * @param {object} params.policy - Policy configuration
+ * @returns {object|null} Violation or null
+ */
+function evaluate({ claims, evidence, policy }) {
+  const ruleConfig = policy.rules?.unsafe_side_effect;
+  if (!ruleConfig || !ruleConfig.enabled) {
+    return null;
+  }
+  const verification = policy.verification || {};
+  const requireForDomains = verification.require_for_domains || [];
+  // Find side effect claims
+  for (let i = 0; i < claims.length; i++) {
+    const claim = claims[i];
+    if (claim.type === CLAIM_TYPES.SIDE_EFFECT) {
+      const ev = evidence.find(e => e.claimId === `claim_${i}`);
+      // Check if domain requires verification
+      const claimDomain = claim.domain || "general";
+      const requiresVerification = requireForDomains.includes(claimDomain);
+      if (requiresVerification && ev && ev.result === "UNPROVEN") {
+        return {
+          rule: "unsafe_side_effect",
+          severity: ruleConfig.severity || "block",
+          message: `Unsafe side effect: ${claim.value} requires verification (test coverage or reality proof)`,
+          claimId: `claim_${i}`,
+          claim
+        };
+      }
+    }
+  }
+  return null;
+}
+module.exports = {
+  evaluate
+};