vibepro 0.1.0-alpha.0

package/src/architecture-profiler.js

@@ -0,0 +1,423 @@
+import { readdir, readFile, stat } from 'node:fs/promises';
+import path from 'node:path';
+
+const PROFILER_IGNORED_DIRS = new Set([
+  '.git',
+  '.next',
+  '.turbo',
+  '.vibepro',
+  '.worktrees',
+  'coverage',
+  'node_modules',
+  'graphify-out'
+]);
+const PROFILER_PACKAGE_MANAGERS = [
+  { file: 'pnpm-lock.yaml', name: 'pnpm' },
+  { file: 'yarn.lock', name: 'yarn' },
+  { file: 'package-lock.json', name: 'npm' }
+];
+const PROFILER_FRAMEWORK_LANGUAGES = new Map([
+  ['.ts', 'typescript'],
+  ['.tsx', 'typescript'],
+  ['.js', 'javascript'],
+  ['.jsx', 'javascript'],
+  ['.mjs', 'javascript'],
+  ['.py', 'python'],
+  ['.rb', 'ruby'],
+  ['.go', 'go'],
+  ['.rs', 'rust'],
+  ['.php', 'php']
+]);
+
+export async function profileArchitecture(repoRoot) {
+  const root = path.resolve(repoRoot);
+  const files = await collectFiles(root);
+  const fileSet = new Set(files.map((file) => file.relativePath));
+  const packageJson = await readPackageJson(root, fileSet);
+  const dependencies = collectDependencies(packageJson);
+  const auth = detectAuth({ dependencies, fileSet });
+  const appType = detectAppType({ fileSet, dependencies });
+  const rendering = detectRendering({ dependencies });
+  const frameworks = detectFrameworks(dependencies);
+  const languages = detectLanguages(files);
+  const apiRoutes = listApiRoutes(fileSet);
+  const database = detectDatabase(dependencies);
+  const deployment = detectDeployment(fileSet);
+  const views = buildArchitectureViews({
+    appType,
+    rendering,
+    frameworks,
+    languages,
+    apiRoutes,
+    database,
+    auth,
+    deployment,
+    dependencies,
+    fileSet
+  });
+  const profile = {
+    system_type: toSystemType(appType),
+    app_type: appType,
+    rendering,
+    frameworks,
+    package_manager: detectPackageManager(fileSet),
+    languages,
+    views,
+    has_api_routes: views.runtime.entrypoints.length > 0,
+    has_database: views.data.stores.length > 0 || views.data.access_patterns.length > 0,
+    database,
+    has_auth: auth.length > 0,
+    auth,
+    deployment,
+    evidence: buildProfileEvidence({ fileSet, packageJson, dependencies })
+  };
+  const checkCatalog = selectCheckCatalog(profile);
+
+  return {
+    ...profile,
+    applicable_checks: checkCatalog.applicable_checks,
+    selected_views: checkCatalog.selected_views
+  };
+}
+
+function detectAppType({ fileSet, dependencies }) {
+  if (dependencies.has('next') || dependencies.has('react') || dependencies.has('vue') || dependencies.has('svelte')) {
+    return 'web_app';
+  }
+  if (fileSet.has('index.html')) return 'static_site';
+  return 'unknown';
+}
+
+function detectRendering({ dependencies }) {
+  if (dependencies.has('next')) return 'nextjs';
+  if (dependencies.has('react')) return 'react';
+  if (dependencies.has('vue')) return 'vue';
+  if (dependencies.has('svelte')) return 'svelte';
+  return null;
+}
+
+function detectFrameworks(dependencies) {
+  return ['next', 'react', 'vue', 'svelte']
+    .filter((dependency) => dependencies.has(dependency))
+    .map((dependency) => dependency === 'next' ? 'nextjs' : dependency);
+}
+
+function toSystemType(appType) {
+  if (appType === 'web_app') return 'web_application';
+  if (appType === 'static_site') return 'static_site';
+  return 'unknown';
+}
+
+function detectPackageManager(fileSet) {
+  const manager = PROFILER_PACKAGE_MANAGERS.find((candidate) => fileSet.has(candidate.file));
+  if (manager) return manager.name;
+  return fileSet.has('package.json') ? 'npm' : null;
+}
+
+function detectLanguages(files) {
+  return [...new Set(files
+    .map((file) => PROFILER_FRAMEWORK_LANGUAGES.get(path.extname(file.relativePath).toLowerCase()))
+    .filter(Boolean))]
+    .sort();
+}
+
+function hasApiRoutes(fileSet) {
+  return listApiRoutes(fileSet).length > 0;
+}
+
+function listApiRoutes(fileSet) {
+  return [...fileSet].filter((file) => (
+    /^app\/api\/.+\/route\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/app\/api\/.+\/route\.(js|jsx|ts|tsx)$/.test(file)
+    || /^pages\/api\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/pages\/api\/.+\.(js|jsx|ts|tsx)$/.test(file)
+  )).sort();
+}
+
+function detectDatabase(dependencies) {
+  const database = [];
+  if (dependencies.has('@supabase/supabase-js')) database.push('supabase');
+  if (dependencies.has('@prisma/client') || dependencies.has('prisma')) database.push('prisma');
+  if (dependencies.has('pg')) database.push('postgres');
+  if (dependencies.has('drizzle-orm')) database.push('drizzle');
+  if (dependencies.has('kysely')) database.push('kysely');
+  if (dependencies.has('mongoose')) database.push('mongodb');
+  if (dependencies.has('sequelize')) database.push('sequelize');
+  return database;
+}
+
+function detectAuth({ dependencies, fileSet }) {
+  const auth = [];
+  if (dependencies.has('next-auth')) auth.push('next-auth');
+  if (dependencies.has('@auth/core')) auth.push('authjs');
+  if (dependencies.has('@clerk/nextjs')) auth.push('clerk');
+  if (dependencies.has('@supabase/supabase-js')) auth.push('supabase-auth');
+  if (dependencies.has('passport')) auth.push('passport');
+  if (hasNextMiddleware(fileSet)) auth.push('next-middleware');
+  if (hasNextAuthRoute(fileSet)) auth.push('next-auth-route');
+  return auth;
+}
+
+function hasNextMiddleware(fileSet) {
+  return fileSet.has('middleware.ts')
+    || fileSet.has('middleware.js')
+    || fileSet.has('src/middleware.ts')
+    || fileSet.has('src/middleware.js');
+}
+
+function hasNextAuthRoute(fileSet) {
+  return [...fileSet].some((file) => (
+    /^app\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/app\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^pages\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/pages\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+  ));
+}
+
+function detectDeployment(fileSet) {
+  const deployment = [];
+  if (fileSet.has('vercel.json')) deployment.push('vercel');
+  if (fileSet.has('fly.toml')) deployment.push('fly');
+  if (fileSet.has('wrangler.toml')) deployment.push('cloudflare');
+  if (fileSet.has('Dockerfile') || fileSet.has('docker-compose.yml') || fileSet.has('docker-compose.yaml')) {
+    deployment.push('docker');
+  }
+  return deployment;
+}
+
+function buildArchitectureViews({
+  appType,
+  rendering,
+  frameworks,
+  languages,
+  apiRoutes,
+  database,
+  auth,
+  deployment,
+  dependencies,
+  fileSet
+}) {
+  const structureComponents = [];
+  if (apiRoutes.length > 0) structureComponents.push('api_routes');
+  if (hasNextMiddleware(fileSet)) structureComponents.push('middleware');
+  if (hasPages(fileSet)) structureComponents.push('pages');
+  if (fileSet.has('index.html')) structureComponents.push('static_entry');
+
+  return {
+    structure: {
+      containers: appType === 'unknown' ? [] : [appType],
+      components: structureComponents,
+      frameworks,
+      languages
+    },
+    runtime: {
+      entrypoints: [...apiRoutes, ...listMiddlewareFiles(fileSet)],
+      server_boundaries: [
+        ...(apiRoutes.length > 0 ? ['api_routes'] : []),
+        ...(hasServerActions(fileSet) ? ['server_actions'] : []),
+        ...(hasNextMiddleware(fileSet) ? ['middleware'] : [])
+      ],
+      rendering
+    },
+    data: {
+      stores: database.filter((item) => ['postgres', 'mongodb', 'supabase'].includes(item)),
+      access_patterns: database.filter((item) => !['postgres', 'mongodb', 'supabase'].includes(item))
+    },
+    security: {
+      auth_boundaries: buildAuthBoundaries(fileSet),
+      auth_mechanisms: auth,
+      secret_files: listEnvFiles(fileSet)
+    },
+    deployment: {
+      targets: deployment,
+      config_files: listDeploymentFiles(fileSet)
+    },
+    quality: {
+      test_tools: detectTestTools(dependencies),
+      ci: listCiFiles(fileSet)
+    }
+  };
+}
+
+function selectCheckCatalog(profile) {
+  const checks = ['secrets', 'xss', 'dependency-graph'];
+  const selectedViews = ['structure'];
+  if (profile.app_type === 'web_app' || profile.app_type === 'static_site') {
+    checks.push('component-style');
+  }
+  if (profile.languages.some((language) => ['javascript', 'typescript'].includes(language))) {
+    selectedViews.push('quality');
+    checks.push('code-quality');
+  }
+  if (profile.views.runtime.entrypoints.length > 0 || profile.views.runtime.server_boundaries.length > 0) {
+    selectedViews.push('runtime');
+    checks.push('api-boundary');
+  }
+  if (profile.app_type === 'static_site') {
+    checks.push('static-entry', 'static-publish-surface', 'external-resources');
+  }
+  if (profile.views.data.stores.length > 0 || profile.views.data.access_patterns.length > 0) {
+    selectedViews.push('data');
+    checks.push('database-access');
+  }
+  if (profile.views.security.auth_boundaries.length > 0 || profile.views.security.auth_mechanisms.length > 0) {
+    selectedViews.push('security');
+    checks.push('auth-boundary');
+  }
+  if (profile.views.deployment.targets.length > 0) {
+    selectedViews.push('deployment');
+    checks.push('deployment-readiness');
+  }
+  if (profile.views.quality.test_tools.length > 0 || profile.views.quality.ci.length > 0) {
+    selectedViews.push('quality');
+  }
+  return {
+    selected_views: [...new Set(selectedViews)],
+    applicable_checks: [...new Set(checks)]
+  };
+}
+
+function buildProfileEvidence({ fileSet, packageJson, dependencies }) {
+  const evidence = [];
+  if (fileSet.has('package.json')) {
+    evidence.push({ kind: 'package_json', file: 'package.json', detail: packageJson?.name ?? 'package.json' });
+  }
+  if (dependencies.has('next')) {
+    evidence.push({ kind: 'framework', file: 'package.json', detail: 'next' });
+  }
+  if (hasApiRoutes(fileSet)) {
+    evidence.push({ kind: 'api_routes', file: findFirstApiRoute(fileSet), detail: 'API route detected' });
+  }
+  if (hasNextMiddleware(fileSet)) {
+    evidence.push({ kind: 'auth_boundary', file: findNextMiddleware(fileSet), detail: 'Next.js middleware detected' });
+  }
+  if (hasNextAuthRoute(fileSet)) {
+    evidence.push({ kind: 'auth_boundary', file: findFirstNextAuthRoute(fileSet), detail: 'Auth route detected' });
+  }
+  for (const deploymentFile of ['vercel.json', 'fly.toml', 'wrangler.toml', 'Dockerfile']) {
+    if (fileSet.has(deploymentFile)) {
+      evidence.push({ kind: 'deployment', file: deploymentFile, detail: deploymentFile });
+    }
+  }
+  return evidence;
+}
+
+function findFirstApiRoute(fileSet) {
+  return listApiRoutes(fileSet)[0] ?? null;
+}
+
+function findNextMiddleware(fileSet) {
+  return ['middleware.ts', 'middleware.js', 'src/middleware.ts', 'src/middleware.js']
+    .find((file) => fileSet.has(file)) ?? null;
+}
+
+function findFirstNextAuthRoute(fileSet) {
+  return [...fileSet].find((file) => (
+    /^app\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/app\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^pages\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/pages\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+  )) ?? null;
+}
+
+function buildAuthBoundaries(fileSet) {
+  return [
+    ...listMiddlewareFiles(fileSet).map((file) => ({ type: 'middleware', file })),
+    ...listNextAuthRoutes(fileSet).map((file) => ({ type: 'auth_route', file }))
+  ];
+}
+
+function listMiddlewareFiles(fileSet) {
+  return ['middleware.ts', 'middleware.js', 'src/middleware.ts', 'src/middleware.js']
+    .filter((file) => fileSet.has(file));
+}
+
+function listNextAuthRoutes(fileSet) {
+  return [...fileSet].filter((file) => (
+    /^app\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/app\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^pages\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/pages\/api\/auth\/.+\.(js|jsx|ts|tsx)$/.test(file)
+  )).sort();
+}
+
+function listEnvFiles(fileSet) {
+  return [...fileSet].filter((file) => {
+    const basename = path.basename(file);
+    return basename === '.env' || basename.startsWith('.env.');
+  }).sort();
+}
+
+function listDeploymentFiles(fileSet) {
+  return ['vercel.json', 'fly.toml', 'wrangler.toml', 'Dockerfile', 'docker-compose.yml', 'docker-compose.yaml']
+    .filter((file) => fileSet.has(file));
+}
+
+function detectTestTools(dependencies) {
+  return [...new Set(['vitest', 'jest', 'playwright', '@playwright/test', 'cypress']
+    .filter((dependency) => dependencies.has(dependency))
+    .map((dependency) => dependency === '@playwright/test' ? 'playwright' : dependency))];
+}
+
+function listCiFiles(fileSet) {
+  return [...fileSet].filter((file) => file.startsWith('.github/workflows/') || file.startsWith('.circleci/')).sort();
+}
+
+function hasPages(fileSet) {
+  return [...fileSet].some((file) => (
+    /^app\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/app\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^pages\/.+\.(js|jsx|ts|tsx)$/.test(file)
+    || /^src\/pages\/.+\.(js|jsx|ts|tsx)$/.test(file)
+  ));
+}
+
+function hasServerActions(fileSet) {
+  return [...fileSet].some((file) => /actions?\.(js|jsx|ts|tsx)$/.test(file));
+}
+
+function collectDependencies(packageJson) {
+  const dependencyGroups = [
+    packageJson?.dependencies,
+    packageJson?.devDependencies,
+    packageJson?.peerDependencies,
+    packageJson?.optionalDependencies
+  ];
+  return new Set(dependencyGroups.flatMap((group) => Object.keys(group ?? {})));
+}
+
+async function readPackageJson(root, fileSet) {
+  if (!fileSet.has('package.json')) return null;
+  try {
+    return JSON.parse(await readFile(path.join(root, 'package.json'), 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function hasAnyDependency(dependencies, names) {
+  return names.some((name) => dependencies.has(name));
+}
+
+async function collectFiles(root, current = root) {
+  const entries = await readdir(current, { withFileTypes: true });
+  const files = [];
+
+  for (const entry of entries) {
+    if (entry.isDirectory() && PROFILER_IGNORED_DIRS.has(entry.name)) continue;
+    const absolutePath = path.join(current, entry.name);
+    const relativePath = path.relative(root, absolutePath).split(path.sep).join('/');
+
+    if (entry.isDirectory()) {
+      files.push(...await collectFiles(root, absolutePath));
+      continue;
+    }
+
+    if (!entry.isFile()) continue;
+    const fileStat = await stat(absolutePath);
+    if (fileStat.size > 1024 * 1024) continue;
+    files.push({ absolutePath, relativePath });
+  }
+
+  return files;
+}

package/src/authorization-scoring.js

@@ -0,0 +1,149 @@
+const SCHEMA_VERSION = '0.1.0';
+
+const SURFACE_ALIASES = {
+  frontend_interaction: ['frontend', 'ui', 'interaction', 'screen', 'component', 'フロント', '画面'],
+  server_api: ['server_api', 'api', 'endpoint', 'route', 'サーバー'],
+  service_orchestration: ['service', 'orchestration', 'orchestrator', 'サービス'],
+  core_workflow_state: ['workflow', 'state machine', 'orchestration', 'state', 'transition', 'ワークフロー', '状態'],
+  gate_orchestration: ['gate', 'pr-manager', 'gate orchestration'],
+  verification_evidence: ['verification', 'evidence', 'flow verifier'],
+  review_lifecycle: ['review lifecycle', 'agent review', 'lifecycle'],
+  database_state: ['database', 'db', 'schema', 'persistence'],
+  queue_worker: ['queue', 'worker', 'job', 'background'],
+  polling_retry: ['polling', 'poll', 'retry', 'status check'],
+  auth_boundary: ['auth', 'authentication', 'authorization', 'permission', 'session', '認証'],
+  legacy_v1_compatibility: ['legacy', 'v1', '互換']
+};
+
+const MATRIX = {
+  light: { high: 'allow', medium: 'allow', low: 'allow', unknown: 'allow' },
+  ui_interaction: { high: 'allow', medium: 'allow', low: 'require_human_review', unknown: 'require_human_review' },
+  api_contract: { high: 'allow', medium: 'require_human_review', low: 'require_human_review', unknown: 'block' },
+  workflow_heavy: { high: 'allow', medium: 'require_human_review', low: 'block', unknown: 'block' }
+};
+
+const KNOWN_PROFILES = new Set(Object.keys(MATRIX));
+
+export function scoreAuthorization({ riskProfile = null, storySource = null, decisions = [] } = {}) {
+  const profile = riskProfile?.profile ?? 'light';
+  const riskSurfaces = Array.isArray(riskProfile?.risk_surfaces) ? riskProfile.risk_surfaces : [];
+  const hasStory = isNonEmptyStory(storySource);
+  const hasDecisions = Array.isArray(decisions) && decisions.length > 0;
+
+  const signals = [];
+  const acceptedSignals = collectAcceptedDecisionSignals(decisions, riskSurfaces);
+  signals.push(...acceptedSignals.signals);
+
+  const storySignals = collectStorySurfaceSignals(storySource, riskSurfaces);
+  signals.push(...storySignals);
+
+  let authorizationLevel;
+  if (acceptedSignals.qualifies) {
+    authorizationLevel = 'high';
+  } else if (storySignals.some((signal) => signal.kind === 'acceptance_criteria_mentions_surface' || signal.kind === 'story_background_mentions_surface')) {
+    authorizationLevel = 'medium';
+  } else if (!hasStory && !hasDecisions) {
+    authorizationLevel = 'unknown';
+  } else if (riskSurfaces.length === 0) {
+    authorizationLevel = 'unknown';
+  } else {
+    authorizationLevel = 'low';
+  }
+
+  const matrixProfile = KNOWN_PROFILES.has(profile) ? profile : null;
+  const recommendation = matrixProfile
+    ? MATRIX[matrixProfile][authorizationLevel]
+    : 'require_human_review';
+
+  return {
+    schema_version: SCHEMA_VERSION,
+    authorization_level: authorizationLevel,
+    signals,
+    review_outcome_recommendation: recommendation,
+    matrix_cell: {
+      risk_profile: profile,
+      authorization_level: authorizationLevel,
+      known_profile: matrixProfile !== null
+    }
+  };
+}
+
+function isNonEmptyStory(storySource) {
+  if (!storySource || typeof storySource !== 'object') return false;
+  const fields = [
+    storySource.title,
+    storySource.requirement_title,
+    storySource.background,
+    storySource.policy,
+    ...(Array.isArray(storySource.acceptance_criteria) ? storySource.acceptance_criteria : [])
+  ];
+  return fields.some((value) => typeof value === 'string' && value.trim().length > 0);
+}
+
+function collectAcceptedDecisionSignals(decisions, riskSurfaces) {
+  const signals = [];
+  let qualifies = false;
+  if (!Array.isArray(decisions)) return { signals, qualifies };
+  for (const decision of decisions) {
+    if (!decision || typeof decision !== 'object') continue;
+    if (decision.status !== 'accepted') continue;
+    const source = typeof decision.source === 'string' ? decision.source.trim() : '';
+    if (!source) {
+      signals.push({
+        kind: 'decision_record_invalid_source',
+        decision_id: decision.decision_id ?? null,
+        reason: 'accepted decision has no source reference'
+      });
+      continue;
+    }
+    if (!isPlausibleSourceReference(source)) {
+      signals.push({
+        kind: 'decision_record_invalid_source',
+        decision_id: decision.decision_id ?? null,
+        source,
+        reason: 'source does not look like a gate or finding id'
+      });
+      continue;
+    }
+    qualifies = true;
+    signals.push({
+      kind: 'decision_record_accepted',
+      decision_id: decision.decision_id ?? null,
+      source,
+      addresses_risk_surface: riskSurfaces.find((surface) => source.toLowerCase().includes(surface)) ?? null
+    });
+  }
+  return { signals, qualifies };
+}
+
+function isPlausibleSourceReference(source) {
+  return /^(gate:|finding:|check:|review:|dec-|decision-)/i.test(source) || source.includes(':');
+}
+
+function collectStorySurfaceSignals(storySource, riskSurfaces) {
+  if (!isNonEmptyStory(storySource) || riskSurfaces.length === 0) return [];
+  const acceptance = Array.isArray(storySource.acceptance_criteria) ? storySource.acceptance_criteria : [];
+  const background = [storySource.background, storySource.policy, storySource.title, storySource.requirement_title]
+    .filter((value) => typeof value === 'string')
+    .join('\n');
+  const signals = [];
+  for (const surface of riskSurfaces) {
+    const aliases = SURFACE_ALIASES[surface] ?? [];
+    const haystack = (str) => surfaceMatches(str, surface, aliases);
+    if (acceptance.some(haystack)) {
+      signals.push({ kind: 'acceptance_criteria_mentions_surface', surface });
+    } else if (haystack(background)) {
+      signals.push({ kind: 'story_background_mentions_surface', surface });
+    }
+  }
+  return signals;
+}
+
+function surfaceMatches(text, surface, aliases) {
+  if (typeof text !== 'string' || text.length === 0) return false;
+  const lower = text.toLowerCase();
+  if (lower.includes(surface.toLowerCase())) return true;
+  const surfaceWords = surface.replace(/_/g, ' ').toLowerCase();
+  if (lower.includes(surfaceWords)) return true;
+  return aliases.some((alias) => lower.includes(alias.toLowerCase()));
+}