vibecheck-ai 2.0.2 → 5.0.1

package/bin/runners/lib/agent-firewall/policy/schema.json

@@ -0,0 +1,183 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "required": ["version", "mode", "scope", "rules"],
+  "properties": {
+    "version": {
+      "type": "string",
+      "description": "Policy schema version"
+    },
+    "mode": {
+      "type": "string",
+      "enum": ["observe", "enforce"],
+      "description": "Firewall mode: observe (log only) or enforce (block writes)"
+    },
+    "profile": {
+      "type": "string",
+      "description": "Policy profile name (e.g., 'repo-lock', 'balanced', 'permissive')"
+    },
+    "scope": {
+      "type": "object",
+      "properties": {
+        "max_files_touched": {
+          "type": "number",
+          "description": "Maximum number of files that can be touched in a single change"
+        },
+        "max_lines_changed": {
+          "type": "number",
+          "description": "Maximum number of lines that can be changed in a single change"
+        },
+        "blocked_paths": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Glob patterns for paths that are blocked from changes"
+        },
+        "allowed_paths": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Glob patterns for paths that are allowed for changes"
+        },
+        "require_intent_for_expand_scope": {
+          "type": "boolean",
+          "description": "Require explicit intent message when scope exceeds limits"
+        }
+      }
+    },
+    "hard_domains": {
+      "type": "object",
+      "properties": {
+        "routes": {
+          "type": "boolean",
+          "description": "Enforce route truth"
+        },
+        "env": {
+          "type": "boolean",
+          "description": "Enforce environment variable truth"
+        },
+        "auth": {
+          "type": "boolean",
+          "description": "Enforce authentication truth"
+        },
+        "contracts": {
+          "type": "boolean",
+          "description": "Enforce API contract truth"
+        },
+        "payments": {
+          "type": "boolean",
+          "description": "Enforce payment-related changes"
+        },
+        "side_effects": {
+          "type": "boolean",
+          "description": "Enforce side effect verification"
+        }
+      }
+    },
+    "rules": {
+      "type": "object",
+      "additionalProperties": {
+        "type": "object",
+        "properties": {
+          "severity": {
+            "type": "string",
+            "enum": ["allow", "warn", "block"],
+            "description": "Rule severity level"
+          },
+          "block_if_domain": {
+            "type": "array",
+            "items": {
+              "type": "string",
+              "enum": ["auth", "payments", "side_effects", "routes", "env", "contracts"]
+            },
+            "description": "Upgrade to block if change affects these domains"
+          },
+          "enabled": {
+            "type": "boolean",
+            "description": "Whether this rule is enabled"
+          }
+        }
+      }
+    },
+    "evidence": {
+      "type": "object",
+      "properties": {
+        "require_pointers": {
+          "type": "boolean",
+          "description": "Require file:line pointers in evidence"
+        },
+        "acceptable_sources": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["truthpack.routes", "truthpack.env", "truthpack.auth", "truthpack.contracts", "repo.search"]
+          },
+          "description": "Acceptable evidence sources"
+        },
+        "pointer_format": {
+          "type": "string",
+          "description": "Expected pointer format (e.g., 'file:lineStart-lineEnd')"
+        }
+      }
+    },
+    "verification": {
+      "type": "object",
+      "properties": {
+        "require_for_domains": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["auth", "payments", "side_effects"]
+          },
+          "description": "Domains that require verification"
+        },
+        "accepted": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["tests", "reality"]
+          },
+          "description": "Accepted verification methods"
+        },
+        "reality": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "block_on": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "enum": ["fake_success", "no_mutation", "network_error"]
+              }
+            }
+          }
+        }
+      }
+    },
+    "output": {
+      "type": "object",
+      "properties": {
+        "write_change_packets": {
+          "type": "boolean",
+          "description": "Write change packets to disk"
+        },
+        "packet_dir": {
+          "type": "string",
+          "description": "Directory for change packets"
+        },
+        "report_formats": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["md", "html", "json", "sarif"]
+          },
+          "description": "Report output formats"
+        }
+      }
+    }
+  }
+}

package/bin/runners/lib/agent-firewall/policy/verdict.js

@@ -0,0 +1,54 @@
+/**
+ * Verdict Generator
+ * 
+ * Combines rule results into final verdict.
+ * Priority: BLOCK > WARN > ALLOW
+ */
+
+"use strict";
+
+/**
+ * Generate verdict from violations
+ * @param {array} violations - Array of rule violations
+ * @returns {object} Verdict object
+ */
+function generateVerdict(violations) {
+  if (!violations || violations.length === 0) {
+    return {
+      decision: "ALLOW",
+      violations: [],
+      message: "No violations detected"
+    };
+  }
+  
+  // Check for blocks (highest priority)
+  const blocks = violations.filter(v => v.severity === "block");
+  if (blocks.length > 0) {
+    return {
+      decision: "BLOCK",
+      violations,
+      message: `BLOCKED: ${blocks.length} blocking violation(s) found`
+    };
+  }
+  
+  // Check for warnings
+  const warns = violations.filter(v => v.severity === "warn");
+  if (warns.length > 0) {
+    return {
+      decision: "WARN",
+      violations,
+      message: `WARNING: ${warns.length} warning(s) found`
+    };
+  }
+  
+  // Only allows (shouldn't happen, but handle gracefully)
+  return {
+    decision: "ALLOW",
+    violations,
+    message: "Violations found but all are allow-level"
+  };
+}
+
+module.exports = {
+  generateVerdict
+};

package/bin/runners/lib/agent-firewall/proposal/extractor.js

@@ -0,0 +1,394 @@
+/**
+ * Assumption Extractor
+ * 
+ * Auto-extracts assumptions from code content.
+ * Used when proposals don't explicitly declare their assumptions.
+ */
+
+"use strict";
+
+/**
+ * Extract environment variable assumptions
+ * @param {string} content - File content
+ * @returns {Array} Env var assumptions
+ */
+function extractEnvAssumptions(content) {
+  const assumptions = [];
+  const seen = new Set();
+  
+  // process.env.VAR_NAME
+  const processEnvRegex = /process\.env\.([A-Z][A-Z0-9_]+)/g;
+  let match;
+  
+  while ((match = processEnvRegex.exec(content)) !== null) {
+    const key = match[1];
+    if (!seen.has(key)) {
+      seen.add(key);
+      assumptions.push({
+        type: "env",
+        key,
+        reason: `Used in code: process.env.${key}`,
+        line: content.substring(0, match.index).split("\n").length,
+      });
+    }
+  }
+  
+  // import.meta.env.VAR_NAME (Vite)
+  const viteEnvRegex = /import\.meta\.env\.([A-Z][A-Z0-9_]+)/g;
+  
+  while ((match = viteEnvRegex.exec(content)) !== null) {
+    const key = match[1];
+    if (!seen.has(key)) {
+      seen.add(key);
+      assumptions.push({
+        type: "env",
+        key,
+        reason: `Used in code: import.meta.env.${key}`,
+        line: content.substring(0, match.index).split("\n").length,
+      });
+    }
+  }
+  
+  // Destructured: const { VAR } = process.env
+  const destructuredRegex = /const\s*\{\s*([^}]+)\s*\}\s*=\s*process\.env/g;
+  
+  while ((match = destructuredRegex.exec(content)) !== null) {
+    const vars = match[1].split(",").map(s => s.trim().split(/\s+as\s+/)[0].trim());
+    for (const varName of vars) {
+      if (varName && /^[A-Z][A-Z0-9_]*$/.test(varName) && !seen.has(varName)) {
+        seen.add(varName);
+        assumptions.push({
+          type: "env",
+          key: varName,
+          reason: "Destructured from process.env",
+          line: content.substring(0, match.index).split("\n").length,
+        });
+      }
+    }
+  }
+  
+  return assumptions;
+}
+
+/**
+ * Extract route assumptions
+ * @param {string} content - File content
+ * @returns {Array} Route assumptions
+ */
+function extractRouteAssumptions(content) {
+  const assumptions = [];
+  const seen = new Set();
+  
+  // fetch('/api/...')
+  const fetchRegex = /fetch\s*\(\s*['"`]([^'"`]+)['"`]/g;
+  let match;
+  
+  while ((match = fetchRegex.exec(content)) !== null) {
+    const path = match[1];
+    if (path.startsWith("/api/") || path.startsWith("/")) {
+      const key = path.split("?")[0]; // Remove query params
+      if (!seen.has(key)) {
+        seen.add(key);
+        assumptions.push({
+          type: "route",
+          path: key,
+          method: detectHttpMethod(content, match.index),
+          reason: `Fetch call to ${key}`,
+          line: content.substring(0, match.index).split("\n").length,
+        });
+      }
+    }
+  }
+  
+  // axios.get('/api/...')
+  const axiosRegex = /axios\.(get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/gi;
+  
+  while ((match = axiosRegex.exec(content)) !== null) {
+    const method = match[1].toUpperCase();
+    const path = match[2];
+    if (path.startsWith("/api/") || path.startsWith("/")) {
+      const key = `${method}:${path.split("?")[0]}`;
+      if (!seen.has(key)) {
+        seen.add(key);
+        assumptions.push({
+          type: "route",
+          path: path.split("?")[0],
+          method,
+          reason: `Axios ${method} call`,
+          line: content.substring(0, match.index).split("\n").length,
+        });
+      }
+    }
+  }
+  
+  return assumptions;
+}
+
+/**
+ * Detect HTTP method from context
+ */
+function detectHttpMethod(content, index) {
+  // Look back for method specification
+  const context = content.substring(Math.max(0, index - 200), index);
+  
+  if (context.includes("method: 'POST'") || context.includes('method: "POST"')) return "POST";
+  if (context.includes("method: 'PUT'") || context.includes('method: "PUT"')) return "PUT";
+  if (context.includes("method: 'DELETE'") || context.includes('method: "DELETE"')) return "DELETE";
+  if (context.includes("method: 'PATCH'") || context.includes('method: "PATCH"')) return "PATCH";
+  
+  return "GET"; // Default
+}
+
+/**
+ * Extract import/dependency assumptions
+ * @param {string} content - File content
+ * @returns {Array} Dependency assumptions
+ */
+function extractDependencyAssumptions(content) {
+  const assumptions = [];
+  const seen = new Set();
+  
+  // External imports
+  const importRegex = /import\s+.*?\s+from\s+['"]([^'"./][^'"]*)['"]/g;
+  let match;
+  
+  while ((match = importRegex.exec(content)) !== null) {
+    const pkg = match[1].split("/")[0]; // Get package name
+    if (!seen.has(pkg) && !isBuiltinModule(pkg)) {
+      seen.add(pkg);
+      assumptions.push({
+        type: "dependency",
+        key: pkg,
+        reason: `Import statement: ${match[0].slice(0, 50)}...`,
+        line: content.substring(0, match.index).split("\n").length,
+      });
+    }
+  }
+  
+  // require() calls
+  const requireRegex = /require\s*\(\s*['"]([^'"./][^'"]*)['"]\s*\)/g;
+  
+  while ((match = requireRegex.exec(content)) !== null) {
+    const pkg = match[1].split("/")[0];
+    if (!seen.has(pkg) && !isBuiltinModule(pkg)) {
+      seen.add(pkg);
+      assumptions.push({
+        type: "dependency",
+        key: pkg,
+        reason: "Required module",
+        line: content.substring(0, match.index).split("\n").length,
+      });
+    }
+  }
+  
+  return assumptions;
+}
+
+/**
+ * Check if module is Node.js builtin
+ */
+function isBuiltinModule(name) {
+  const builtins = [
+    "fs", "path", "os", "http", "https", "crypto", "util", "events",
+    "stream", "buffer", "url", "querystring", "child_process", "net",
+    "assert", "zlib", "readline", "cluster", "dns", "tls", "dgram",
+    "process", "module", "vm", "worker_threads",
+  ];
+  return builtins.includes(name) || name.startsWith("node:");
+}
+
+/**
+ * Extract service/class assumptions
+ * @param {string} content - File content
+ * @returns {Array} Service assumptions
+ */
+function extractServiceAssumptions(content) {
+  const assumptions = [];
+  const seen = new Set();
+  
+  // new ServiceName() or ServiceName.method()
+  const serviceRegex = /(?:new\s+|(?:await\s+)?)((?:[A-Z][a-z]+)+(?:Service|Client|Provider|Manager|Controller|Repository))(?:\s*\(|\.)/g;
+  let match;
+  
+  while ((match = serviceRegex.exec(content)) !== null) {
+    const service = match[1];
+    if (!seen.has(service)) {
+      seen.add(service);
+      assumptions.push({
+        type: "service",
+        key: service,
+        reason: `Service usage: ${service}`,
+        line: content.substring(0, match.index).split("\n").length,
+      });
+    }
+  }
+  
+  // Prisma client
+  if (content.includes("prisma.")) {
+    const prismaRegex = /prisma\.(\w+)\./g;
+    while ((match = prismaRegex.exec(content)) !== null) {
+      const model = match[1];
+      const key = `prisma.${model}`;
+      if (!seen.has(key)) {
+        seen.add(key);
+        assumptions.push({
+          type: "service",
+          key: `PrismaModel:${model}`,
+          reason: `Prisma model access: ${model}`,
+          line: content.substring(0, match.index).split("\n").length,
+        });
+      }
+    }
+  }
+  
+  return assumptions;
+}
+
+/**
+ * Extract file reference assumptions
+ * @param {string} content - File content
+ * @param {string} currentFile - Current file path
+ * @returns {Array} File assumptions
+ */
+function extractFileAssumptions(content, currentFile = "") {
+  const assumptions = [];
+  const seen = new Set();
+  
+  // Relative imports
+  const relativeImportRegex = /(?:import|require)\s*\(?['"](\.[^'"]+)['"]/g;
+  let match;
+  
+  while ((match = relativeImportRegex.exec(content)) !== null) {
+    const importPath = match[1];
+    if (!seen.has(importPath)) {
+      seen.add(importPath);
+      assumptions.push({
+        type: "file",
+        path: importPath,
+        reason: `Relative import: ${importPath}`,
+        line: content.substring(0, match.index).split("\n").length,
+      });
+    }
+  }
+  
+  // fs.readFileSync, fs.writeFileSync, etc.
+  const fsOpRegex = /fs(?:Promises)?\.(?:read|write|unlink|mkdir|rmdir|access)(?:File)?(?:Sync)?\s*\(\s*['"`]([^'"`]+)['"`]/g;
+  
+  while ((match = fsOpRegex.exec(content)) !== null) {
+    const filePath = match[1];
+    if (!seen.has(filePath) && !filePath.includes("${")) { // Skip template literals
+      seen.add(filePath);
+      assumptions.push({
+        type: "file",
+        path: filePath,
+        reason: `File system operation on: ${filePath}`,
+        line: content.substring(0, match.index).split("\n").length,
+      });
+    }
+  }
+  
+  return assumptions;
+}
+
+/**
+ * Extract all assumptions from content
+ * @param {string} content - File content
+ * @param {Object} options - Extraction options
+ * @returns {Array} All extracted assumptions
+ */
+function extractAssumptions(content, options = {}) {
+  const { filePath = "", includeTypes = ["env", "route", "dependency", "service", "file"] } = options;
+  
+  const assumptions = [];
+  
+  if (includeTypes.includes("env")) {
+    assumptions.push(...extractEnvAssumptions(content));
+  }
+  
+  if (includeTypes.includes("route")) {
+    assumptions.push(...extractRouteAssumptions(content));
+  }
+  
+  if (includeTypes.includes("dependency")) {
+    assumptions.push(...extractDependencyAssumptions(content));
+  }
+  
+  if (includeTypes.includes("service")) {
+    assumptions.push(...extractServiceAssumptions(content));
+  }
+  
+  if (includeTypes.includes("file")) {
+    assumptions.push(...extractFileAssumptions(content, filePath));
+  }
+  
+  // Sort by line number
+  assumptions.sort((a, b) => (a.line || 0) - (b.line || 0));
+  
+  return assumptions;
+}
+
+/**
+ * Extract assumptions from all operations in a proposal
+ * @param {Array} operations - Proposal operations
+ * @returns {Array} All assumptions
+ */
+function extractFromOperations(operations) {
+  const allAssumptions = [];
+  const seen = new Set();
+  
+  for (const op of operations) {
+    if (op.content) {
+      const assumptions = extractAssumptions(op.content, { filePath: op.path });
+      
+      for (const assumption of assumptions) {
+        // Deduplicate
+        const key = `${assumption.type}:${assumption.key || assumption.path}`;
+        if (!seen.has(key)) {
+          seen.add(key);
+          allAssumptions.push({
+            ...assumption,
+            sourceFile: op.path,
+          });
+        }
+      }
+    }
+  }
+  
+  return allAssumptions;
+}
+
+/**
+ * Merge extracted assumptions with declared assumptions
+ * @param {Array} declared - Declared assumptions
+ * @param {Array} extracted - Extracted assumptions
+ * @returns {Array} Merged assumptions
+ */
+function mergeAssumptions(declared, extracted) {
+  const merged = [...declared];
+  const declaredKeys = new Set(
+    declared.map(a => `${a.type}:${a.key || a.path}`)
+  );
+  
+  for (const assumption of extracted) {
+    const key = `${assumption.type}:${assumption.key || assumption.path}`;
+    if (!declaredKeys.has(key)) {
+      merged.push({
+        ...assumption,
+        autoExtracted: true,
+      });
+    }
+  }
+  
+  return merged;
+}
+
+module.exports = {
+  extractAssumptions,
+  extractEnvAssumptions,
+  extractRouteAssumptions,
+  extractDependencyAssumptions,
+  extractServiceAssumptions,
+  extractFileAssumptions,
+  extractFromOperations,
+  mergeAssumptions,
+};