npm - @quantracode/vibecheck - Versions diffs - 0.0.1 → 0.0.2 - Mend

@quantracode/vibecheck 0.0.1 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (208) hide show

package/README.md +6 -6
package/dist/index.d.ts +0 -2
package/dist/index.js +7902 -8
package/package.json +13 -7
package/dist/__tests__/cli.test.d.ts +0 -2
package/dist/__tests__/cli.test.d.ts.map +0 -1
package/dist/__tests__/cli.test.js +0 -243
package/dist/__tests__/fixtures/safe-app/app/api/users/route.js +0 -36
package/dist/__tests__/fixtures/vulnerable-app/app/api/users/route.js +0 -28
package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts +0 -4
package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts.map +0 -1
package/dist/__tests__/fixtures/vulnerable-app/lib/config.js +0 -6
package/dist/__tests__/scanners/env-config.test.d.ts +0 -2
package/dist/__tests__/scanners/env-config.test.d.ts.map +0 -1
package/dist/__tests__/scanners/env-config.test.js +0 -142
package/dist/__tests__/scanners/nextjs-middleware.test.d.ts +0 -2
package/dist/__tests__/scanners/nextjs-middleware.test.d.ts.map +0 -1
package/dist/__tests__/scanners/nextjs-middleware.test.js +0 -193
package/dist/__tests__/scanners/scanner-packs.test.d.ts +0 -2
package/dist/__tests__/scanners/scanner-packs.test.d.ts.map +0 -1
package/dist/__tests__/scanners/scanner-packs.test.js +0 -126
package/dist/__tests__/scanners/unused-security-imports.test.d.ts +0 -2
package/dist/__tests__/scanners/unused-security-imports.test.d.ts.map +0 -1
package/dist/__tests__/scanners/unused-security-imports.test.js +0 -145
package/dist/commands/demo-artifact.d.ts +0 -7
package/dist/commands/demo-artifact.d.ts.map +0 -1
package/dist/commands/demo-artifact.js +0 -322
package/dist/commands/evaluate.d.ts +0 -30
package/dist/commands/evaluate.d.ts.map +0 -1
package/dist/commands/evaluate.js +0 -258
package/dist/commands/explain.d.ts +0 -12
package/dist/commands/explain.d.ts.map +0 -1
package/dist/commands/explain.js +0 -214
package/dist/commands/index.d.ts +0 -7
package/dist/commands/index.d.ts.map +0 -1
package/dist/commands/index.js +0 -6
package/dist/commands/intent.d.ts +0 -21
package/dist/commands/intent.d.ts.map +0 -1
package/dist/commands/intent.js +0 -192
package/dist/commands/scan.d.ts +0 -44
package/dist/commands/scan.d.ts.map +0 -1
package/dist/commands/scan.js +0 -497
package/dist/commands/waivers.d.ts +0 -30
package/dist/commands/waivers.d.ts.map +0 -1
package/dist/commands/waivers.js +0 -249
package/dist/index.d.ts.map +0 -1
package/dist/phase3/index.d.ts +0 -11
package/dist/phase3/index.d.ts.map +0 -1
package/dist/phase3/index.js +0 -12
package/dist/phase3/intent-miner.d.ts +0 -32
package/dist/phase3/intent-miner.d.ts.map +0 -1
package/dist/phase3/intent-miner.js +0 -323
package/dist/phase3/proof-trace-builder.d.ts +0 -42
package/dist/phase3/proof-trace-builder.d.ts.map +0 -1
package/dist/phase3/proof-trace-builder.js +0 -441
package/dist/phase3/scanners/auth-by-ui-server-gap.d.ts +0 -15
package/dist/phase3/scanners/auth-by-ui-server-gap.d.ts.map +0 -1
package/dist/phase3/scanners/auth-by-ui-server-gap.js +0 -237
package/dist/phase3/scanners/comment-claim-unproven.d.ts +0 -14
package/dist/phase3/scanners/comment-claim-unproven.d.ts.map +0 -1
package/dist/phase3/scanners/comment-claim-unproven.js +0 -161
package/dist/phase3/scanners/index.d.ts +0 -31
package/dist/phase3/scanners/index.d.ts.map +0 -1
package/dist/phase3/scanners/index.js +0 -40
package/dist/phase3/scanners/middleware-assumed-not-matching.d.ts +0 -14
package/dist/phase3/scanners/middleware-assumed-not-matching.d.ts.map +0 -1
package/dist/phase3/scanners/middleware-assumed-not-matching.js +0 -172
package/dist/phase3/scanners/validation-claimed-missing.d.ts +0 -15
package/dist/phase3/scanners/validation-claimed-missing.d.ts.map +0 -1
package/dist/phase3/scanners/validation-claimed-missing.js +0 -204
package/dist/scanners/abuse/compute-abuse.d.ts +0 -20
package/dist/scanners/abuse/compute-abuse.d.ts.map +0 -1
package/dist/scanners/abuse/compute-abuse.js +0 -509
package/dist/scanners/abuse/index.d.ts +0 -12
package/dist/scanners/abuse/index.d.ts.map +0 -1
package/dist/scanners/abuse/index.js +0 -15
package/dist/scanners/auth/index.d.ts +0 -5
package/dist/scanners/auth/index.d.ts.map +0 -1
package/dist/scanners/auth/index.js +0 -10
package/dist/scanners/auth/middleware-gap.d.ts +0 -22
package/dist/scanners/auth/middleware-gap.d.ts.map +0 -1
package/dist/scanners/auth/middleware-gap.js +0 -203
package/dist/scanners/auth/unprotected-api-route.d.ts +0 -12
package/dist/scanners/auth/unprotected-api-route.d.ts.map +0 -1
package/dist/scanners/auth/unprotected-api-route.js +0 -126
package/dist/scanners/config/index.d.ts +0 -5
package/dist/scanners/config/index.d.ts.map +0 -1
package/dist/scanners/config/index.js +0 -10
package/dist/scanners/config/insecure-defaults.d.ts +0 -12
package/dist/scanners/config/insecure-defaults.d.ts.map +0 -1
package/dist/scanners/config/insecure-defaults.js +0 -77
package/dist/scanners/config/undocumented-env.d.ts +0 -24
package/dist/scanners/config/undocumented-env.d.ts.map +0 -1
package/dist/scanners/config/undocumented-env.js +0 -159
package/dist/scanners/crypto/index.d.ts +0 -6
package/dist/scanners/crypto/index.d.ts.map +0 -1
package/dist/scanners/crypto/index.js +0 -11
package/dist/scanners/crypto/jwt-decode-unverified.d.ts +0 -14
package/dist/scanners/crypto/jwt-decode-unverified.d.ts.map +0 -1
package/dist/scanners/crypto/jwt-decode-unverified.js +0 -87
package/dist/scanners/crypto/math-random-tokens.d.ts +0 -13
package/dist/scanners/crypto/math-random-tokens.d.ts.map +0 -1
package/dist/scanners/crypto/math-random-tokens.js +0 -80
package/dist/scanners/crypto/weak-hashing.d.ts +0 -11
package/dist/scanners/crypto/weak-hashing.d.ts.map +0 -1
package/dist/scanners/crypto/weak-hashing.js +0 -95
package/dist/scanners/env-config.d.ts +0 -24
package/dist/scanners/env-config.d.ts.map +0 -1
package/dist/scanners/env-config.js +0 -164
package/dist/scanners/hallucinations/index.d.ts +0 -4
package/dist/scanners/hallucinations/index.d.ts.map +0 -1
package/dist/scanners/hallucinations/index.js +0 -8
package/dist/scanners/hallucinations/unused-security-imports.d.ts +0 -36
package/dist/scanners/hallucinations/unused-security-imports.d.ts.map +0 -1
package/dist/scanners/hallucinations/unused-security-imports.js +0 -309
package/dist/scanners/helpers/ast-helpers.d.ts +0 -6
package/dist/scanners/helpers/ast-helpers.d.ts.map +0 -1
package/dist/scanners/helpers/ast-helpers.js +0 -945
package/dist/scanners/helpers/context-builder.d.ts +0 -17
package/dist/scanners/helpers/context-builder.d.ts.map +0 -1
package/dist/scanners/helpers/context-builder.js +0 -148
package/dist/scanners/helpers/index.d.ts +0 -3
package/dist/scanners/helpers/index.d.ts.map +0 -1
package/dist/scanners/helpers/index.js +0 -2
package/dist/scanners/index.d.ts +0 -30
package/dist/scanners/index.d.ts.map +0 -1
package/dist/scanners/index.js +0 -102
package/dist/scanners/middleware/index.d.ts +0 -4
package/dist/scanners/middleware/index.d.ts.map +0 -1
package/dist/scanners/middleware/index.js +0 -7
package/dist/scanners/middleware/missing-rate-limit.d.ts +0 -13
package/dist/scanners/middleware/missing-rate-limit.d.ts.map +0 -1
package/dist/scanners/middleware/missing-rate-limit.js +0 -140
package/dist/scanners/network/cors-misconfiguration.d.ts +0 -14
package/dist/scanners/network/cors-misconfiguration.d.ts.map +0 -1
package/dist/scanners/network/cors-misconfiguration.js +0 -89
package/dist/scanners/network/index.d.ts +0 -7
package/dist/scanners/network/index.d.ts.map +0 -1
package/dist/scanners/network/index.js +0 -18
package/dist/scanners/network/missing-timeout.d.ts +0 -15
package/dist/scanners/network/missing-timeout.d.ts.map +0 -1
package/dist/scanners/network/missing-timeout.js +0 -93
package/dist/scanners/network/open-redirect.d.ts +0 -15
package/dist/scanners/network/open-redirect.d.ts.map +0 -1
package/dist/scanners/network/open-redirect.js +0 -88
package/dist/scanners/network/ssrf-prone-fetch.d.ts +0 -12
package/dist/scanners/network/ssrf-prone-fetch.d.ts.map +0 -1
package/dist/scanners/network/ssrf-prone-fetch.js +0 -90
package/dist/scanners/nextjs-middleware.d.ts +0 -26
package/dist/scanners/nextjs-middleware.d.ts.map +0 -1
package/dist/scanners/nextjs-middleware.js +0 -246
package/dist/scanners/privacy/debug-flags.d.ts +0 -13
package/dist/scanners/privacy/debug-flags.d.ts.map +0 -1
package/dist/scanners/privacy/debug-flags.js +0 -124
package/dist/scanners/privacy/index.d.ts +0 -6
package/dist/scanners/privacy/index.d.ts.map +0 -1
package/dist/scanners/privacy/index.js +0 -11
package/dist/scanners/privacy/over-broad-response.d.ts +0 -15
package/dist/scanners/privacy/over-broad-response.d.ts.map +0 -1
package/dist/scanners/privacy/over-broad-response.js +0 -109
package/dist/scanners/privacy/sensitive-logging.d.ts +0 -11
package/dist/scanners/privacy/sensitive-logging.d.ts.map +0 -1
package/dist/scanners/privacy/sensitive-logging.js +0 -78
package/dist/scanners/types.d.ts +0 -456
package/dist/scanners/types.d.ts.map +0 -1
package/dist/scanners/types.js +0 -16
package/dist/scanners/unused-security-imports.d.ts +0 -34
package/dist/scanners/unused-security-imports.d.ts.map +0 -1
package/dist/scanners/unused-security-imports.js +0 -206
package/dist/scanners/uploads/index.d.ts +0 -5
package/dist/scanners/uploads/index.d.ts.map +0 -1
package/dist/scanners/uploads/index.js +0 -9
package/dist/scanners/uploads/missing-constraints.d.ts +0 -15
package/dist/scanners/uploads/missing-constraints.d.ts.map +0 -1
package/dist/scanners/uploads/missing-constraints.js +0 -109
package/dist/scanners/uploads/public-path.d.ts +0 -11
package/dist/scanners/uploads/public-path.d.ts.map +0 -1
package/dist/scanners/uploads/public-path.js +0 -87
package/dist/scanners/validation/client-side-only.d.ts +0 -14
package/dist/scanners/validation/client-side-only.d.ts.map +0 -1
package/dist/scanners/validation/client-side-only.js +0 -140
package/dist/scanners/validation/ignored-validation.d.ts +0 -12
package/dist/scanners/validation/ignored-validation.d.ts.map +0 -1
package/dist/scanners/validation/ignored-validation.js +0 -119
package/dist/scanners/validation/index.d.ts +0 -5
package/dist/scanners/validation/index.d.ts.map +0 -1
package/dist/scanners/validation/index.js +0 -9
package/dist/utils/exclude-patterns.d.ts +0 -35
package/dist/utils/exclude-patterns.d.ts.map +0 -1
package/dist/utils/exclude-patterns.js +0 -78
package/dist/utils/file-utils.d.ts +0 -37
package/dist/utils/file-utils.d.ts.map +0 -1
package/dist/utils/file-utils.js +0 -77
package/dist/utils/fingerprint.d.ts +0 -25
package/dist/utils/fingerprint.d.ts.map +0 -1
package/dist/utils/fingerprint.js +0 -28
package/dist/utils/git-info.d.ts +0 -14
package/dist/utils/git-info.d.ts.map +0 -1
package/dist/utils/git-info.js +0 -55
package/dist/utils/index.d.ts +0 -4
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js +0 -3
package/dist/utils/progress.d.ts +0 -42
package/dist/utils/progress.d.ts.map +0 -1
package/dist/utils/progress.js +0 -165
package/dist/utils/sarif-formatter.d.ts +0 -92
package/dist/utils/sarif-formatter.d.ts.map +0 -1
package/dist/utils/sarif-formatter.js +0 -172

package/dist/phase3/scanners/auth-by-ui-server-gap.js DELETED Viewed

@@ -1,237 +0,0 @@
-/**
- * VC-AUTH-010: Auth-by-UI with Server Gap
- *
- * Detects patterns where authentication appears to be enforced only
- * on the client side (via useSession, conditionally rendering UI, etc.)
- * but the corresponding API routes lack server-side auth checks.
- *
- * Severity: Critical
- * Category: auth
- * Confidence: 0.85
- */
-import crypto from "node:crypto";
-import path from "node:path";
-import { buildRouteMap, buildAllProofTraces } from "../proof-trace-builder.js";
-const RULE_ID = "VC-AUTH-010";
-/**
- * Client-side auth patterns that suggest UI-level protection
- */
-const CLIENT_AUTH_PATTERNS = [
-    // React/Next.js session hooks
-    /\buseSession\s*\(/,
-    /\buseAuth\s*\(/,
-    /\buseUser\s*\(/,
-    /\bsession\s*&&/,
-    /\bsession\s*\?/,
-    /\bisAuthenticated\s*&&/,
-    /\bisLoggedIn\s*&&/,
-    // Conditional rendering based on auth
-    /{\s*session\s*&&/,
-    /{\s*user\s*&&/,
-    /{\s*isAuthenticated\s*&&/,
-    // Auth redirects in client components
-    /redirect\([^)]*login/i,
-    /router\.push\([^)]*login/i,
-    /useRouter.*login/i,
-];
-/**
- * Patterns indicating the component makes API calls
- */
-const API_CALL_PATTERNS = [
-    // Fetch to API routes
-    /fetch\s*\(\s*['"`]\/api\//,
-    /fetch\s*\(\s*['"`]\.\.?\/api\//,
-    // Axios to API routes
-    /axios\.[a-z]+\s*\(\s*['"`]\/api\//,
-    // Form actions
-    /action\s*=\s*['"`]\/api\//,
-    // SWR/React Query to API routes
-    /useSWR\s*\(\s*['"`]\/api\//,
-    /useQuery\s*\([^)]*['"`]\/api\//,
-];
-export async function scanAuthByUiServerGap(ctx) {
-    const findings = [];
-    // Build route map and proof traces
-    const routes = buildRouteMap(ctx);
-    const proofTraces = buildAllProofTraces(ctx, routes);
-    // Find state-changing routes without auth
-    const unprotectedRoutes = routes.filter((r) => {
-        if (!["POST", "PUT", "PATCH", "DELETE"].includes(r.method)) {
-            return false;
-        }
-        const trace = proofTraces.get(r.routeId);
-        return trace && !trace.authProven && !trace.middlewareCovered;
-    });
-    if (unprotectedRoutes.length === 0) {
-        return findings;
-    }
-    // Scan client components for UI-level auth patterns
-    const clientComponents = ctx.fileIndex.allSourceFiles.filter((f) => (f.endsWith(".tsx") || f.endsWith(".jsx")) &&
-        !f.includes("/api/") &&
-        !f.includes("route."));
-    for (const componentFile of clientComponents) {
-        const sourceFile = ctx.helpers.parseFile(componentFile);
-        if (!sourceFile)
-            continue;
-        const fullText = sourceFile.getFullText();
-        const relPath = path.relative(ctx.repoRoot, componentFile).replace(/\\/g, "/");
-        // Check for client-side auth patterns
-        const hasClientAuth = CLIENT_AUTH_PATTERNS.some((p) => p.test(fullText));
-        if (!hasClientAuth)
-            continue;
-        // Find API calls in this component
-        const apiCalls = findApiCalls(fullText, relPath, sourceFile);
-        if (apiCalls.length === 0)
-            continue;
-        // Check if any API calls target unprotected routes
-        for (const apiCall of apiCalls) {
-            const matchingUnprotected = findMatchingUnprotectedRoute(apiCall.path, apiCall.method, unprotectedRoutes);
-            if (matchingUnprotected) {
-                const clientAuthLocation = findClientAuthLocation(sourceFile, fullText);
-                findings.push({
-                    id: `f-${crypto.randomUUID().slice(0, 8)}`,
-                    severity: "critical",
-                    confidence: 0.85,
-                    category: "auth",
-                    ruleId: RULE_ID,
-                    title: `Client-side auth with unprotected server endpoint ${matchingUnprotected.method} ${matchingUnprotected.path}`,
-                    description: generateDescription(relPath, matchingUnprotected, apiCall),
-                    evidence: [
-                        {
-                            file: relPath,
-                            startLine: clientAuthLocation.line,
-                            endLine: clientAuthLocation.line,
-                            snippet: clientAuthLocation.snippet,
-                            label: "Client-side auth check",
-                        },
-                        {
-                            file: relPath,
-                            startLine: apiCall.line,
-                            endLine: apiCall.line,
-                            snippet: apiCall.snippet,
-                            label: "API call to unprotected endpoint",
-                        },
-                        {
-                            file: matchingUnprotected.file,
-                            startLine: matchingUnprotected.startLine,
-                            endLine: matchingUnprotected.endLine,
-                            snippet: `export async function ${matchingUnprotected.method}(request: Request)`,
-                            label: "Server endpoint without auth check",
-                        },
-                    ],
-                    remediation: {
-                        recommendedFix: generateRemediation(matchingUnprotected),
-                    },
-                    fingerprint: generateFingerprint(relPath, matchingUnprotected),
-                });
-            }
-        }
-    }
-    return findings;
-}
-function findApiCalls(fullText, relPath, sourceFile) {
-    const calls = [];
-    // Find fetch calls to /api routes
-    const fetchMatches = fullText.matchAll(/fetch\s*\(\s*['"`](\/api\/[^'"`]+)['"`](?:,\s*\{[^}]*method:\s*['"`](\w+)['"`])?/g);
-    for (const match of fetchMatches) {
-        const pos = match.index || 0;
-        const line = sourceFile.getLineAndColumnAtPos(pos).line;
-        calls.push({
-            path: match[1],
-            method: match[2]?.toUpperCase() || "GET",
-            line,
-            snippet: match[0].slice(0, 80),
-        });
-    }
-    // Find axios calls
-    const axiosMatches = fullText.matchAll(/axios\.(\w+)\s*\(\s*['"`](\/api\/[^'"`]+)['"`]/g);
-    for (const match of axiosMatches) {
-        const pos = match.index || 0;
-        const line = sourceFile.getLineAndColumnAtPos(pos).line;
-        calls.push({
-            path: match[2],
-            method: match[1].toUpperCase(),
-            line,
-            snippet: match[0].slice(0, 80),
-        });
-    }
-    // Find form actions
-    const actionMatches = fullText.matchAll(/action\s*=\s*['"`](\/api\/[^'"`]+)['"`]/g);
-    for (const match of actionMatches) {
-        const pos = match.index || 0;
-        const line = sourceFile.getLineAndColumnAtPos(pos).line;
-        calls.push({
-            path: match[1],
-            method: "POST", // Form actions are typically POST
-            line,
-            snippet: match[0],
-        });
-    }
-    return calls;
-}
-function findMatchingUnprotectedRoute(apiPath, method, unprotectedRoutes) {
-    // Normalize the API path
-    const normalizedPath = apiPath.split("?")[0]; // Remove query string
-    for (const route of unprotectedRoutes) {
-        // Check method match
-        if (route.method !== method)
-            continue;
-        // Check path match (accounting for dynamic segments)
-        if (pathsMatch(normalizedPath, route.path)) {
-            return route;
-        }
-    }
-    return undefined;
-}
-function pathsMatch(clientPath, routePath) {
-    // Exact match
-    if (clientPath === routePath)
-        return true;
-    // Convert route path pattern to regex
-    const routePattern = routePath
-        .replace(/\[([^\]]+)\]/g, "[^/]+") // Replace [param] with regex
-        .replace(/\//g, "\\/"); // Escape slashes
-    try {
-        const regex = new RegExp(`^${routePattern}$`);
-        return regex.test(clientPath);
-    }
-    catch {
-        return false;
-    }
-}
-function findClientAuthLocation(sourceFile, fullText) {
-    // Find the first client auth pattern
-    for (const pattern of CLIENT_AUTH_PATTERNS) {
-        const match = fullText.match(pattern);
-        if (match) {
-            const pos = match.index || 0;
-            const line = sourceFile.getLineAndColumnAtPos(pos).line;
-            return {
-                line,
-                snippet: match[0],
-            };
-        }
-    }
-    return { line: 1, snippet: "Client-side auth" };
-}
-function generateDescription(componentFile, route, apiCall) {
-    return (`The component ${componentFile} uses client-side authentication checks ` +
-        `(useSession, session &&, etc.) before calling the API endpoint ` +
-        `${route.method} ${route.path}. However, this endpoint lacks server-side ` +
-        `authentication verification. An attacker can bypass the UI and directly ` +
-        `call the API endpoint without authentication, potentially gaining ` +
-        `unauthorized access to sensitive operations.`);
-}
-function generateRemediation(route) {
-    return (`Add server-side authentication check to the ${route.method} ${route.path} handler. ` +
-        `Example:\n` +
-        `const session = await getServerSession();\n` +
-        `if (!session) {\n` +
-        `  return Response.json({ error: "Unauthorized" }, { status: 401 });\n` +
-        `}\n\n` +
-        `Client-side auth checks are for UX only and must never be the sole protection mechanism.`);
-}
-function generateFingerprint(componentFile, route) {
-    const data = `${RULE_ID}:${componentFile}:${route.file}:${route.method}`;
-    return `sha256:${crypto.createHash("sha256").update(data).digest("hex")}`;
-}

package/dist/phase3/scanners/comment-claim-unproven.d.ts DELETED Viewed

@@ -1,14 +0,0 @@
-/**
- * VC-HALL-010: Comment Claims Protection But Unproven
- *
- * Detects comments that claim security protection but the actual
- * implementation doesn't prove it.
- *
- * Severity: Medium
- * Category: hallucinations
- * Confidence: 0.75
- */
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../../scanners/types.js";
-export declare function scanCommentClaimUnproven(ctx: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=comment-claim-unproven.d.ts.map

package/dist/phase3/scanners/comment-claim-unproven.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"comment-claim-unproven.d.ts","sourceRoot":"","sources":["../../../src/phase3/scanners/comment-claim-unproven.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,KAAK,EAAE,WAAW,EAAsC,MAAM,yBAAyB,CAAC;AAM/F,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,WAAW,GACf,OAAO,CAAC,OAAO,EAAE,CAAC,CAsDpB"}

package/dist/phase3/scanners/comment-claim-unproven.js DELETED Viewed

@@ -1,161 +0,0 @@
-/**
- * VC-HALL-010: Comment Claims Protection But Unproven
- *
- * Detects comments that claim security protection but the actual
- * implementation doesn't prove it.
- *
- * Severity: Medium
- * Category: hallucinations
- * Confidence: 0.75
- */
-import crypto from "node:crypto";
-import { buildRouteMap, buildAllProofTraces } from "../proof-trace-builder.js";
-import { mineAllIntentClaims } from "../intent-miner.js";
-const RULE_ID = "VC-HALL-010";
-export async function scanCommentClaimUnproven(ctx) {
-    const findings = [];
-    // Build route map and proof traces
-    const routes = buildRouteMap(ctx);
-    const proofTraces = buildAllProofTraces(ctx, routes);
-    // Mine intent claims from comments
-    const allClaims = mineAllIntentClaims(ctx, routes);
-    const commentClaims = allClaims.filter((c) => c.source === "comment");
-    // Find claims that aren't proven
-    const unprovenClaims = findUnprovenCommentClaims(commentClaims, proofTraces, routes);
-    for (const claim of unprovenClaims) {
-        const route = routes.find((r) => r.routeId === claim.targetRouteId);
-        const trace = claim.targetRouteId ? proofTraces.get(claim.targetRouteId) : undefined;
-        findings.push({
-            id: generateFindingId(claim),
-            severity: "medium",
-            confidence: 0.75,
-            category: "hallucinations",
-            ruleId: RULE_ID,
-            title: `Comment claims ${formatClaimType(claim.type)} but implementation doesn't prove it`,
-            description: generateDescription(claim, route, trace),
-            evidence: [
-                {
-                    file: claim.location.file,
-                    startLine: claim.location.startLine,
-                    endLine: claim.location.endLine,
-                    snippet: claim.textEvidence,
-                    label: "Security claim in comment",
-                },
-                ...(route
-                    ? [
-                        {
-                            file: route.file,
-                            startLine: route.startLine,
-                            endLine: route.endLine,
-                            snippet: `${route.method} ${route.path}`,
-                            label: "Associated route without proof",
-                        },
-                    ]
-                    : []),
-            ],
-            remediation: {
-                recommendedFix: generateRemediation(claim),
-            },
-            fingerprint: generateFingerprint(claim),
-        });
-    }
-    return findings;
-}
-function findUnprovenCommentClaims(claims, proofTraces, routes) {
-    const unproven = [];
-    for (const claim of claims) {
-        // Skip claims without route association for auth/validation
-        if ((claim.type === "AUTH_ENFORCED" || claim.type === "INPUT_VALIDATED") &&
-            !claim.targetRouteId) {
-            // Check if there are ANY routes in the file without proof
-            const fileRoutes = routes.filter((r) => r.file === claim.location.file);
-            for (const route of fileRoutes) {
-                const proof = proofTraces.get(route.routeId);
-                if (claim.type === "AUTH_ENFORCED" && proof && !proof.authProven && !proof.middlewareCovered) {
-                    unproven.push({ ...claim, targetRouteId: route.routeId });
-                }
-                else if (claim.type === "INPUT_VALIDATED" && proof && !proof.validationProven) {
-                    unproven.push({ ...claim, targetRouteId: route.routeId });
-                }
-            }
-            continue;
-        }
-        if (!claim.targetRouteId)
-            continue;
-        const proof = proofTraces.get(claim.targetRouteId);
-        if (!proof) {
-            unproven.push(claim);
-            continue;
-        }
-        // Check specific claim types
-        if (claim.type === "AUTH_ENFORCED" && !proof.authProven && !proof.middlewareCovered) {
-            unproven.push(claim);
-        }
-        else if (claim.type === "INPUT_VALIDATED" && !proof.validationProven) {
-            unproven.push(claim);
-        }
-        else if (claim.type === "MIDDLEWARE_PROTECTED" && !proof.middlewareCovered) {
-            unproven.push(claim);
-        }
-    }
-    return unproven;
-}
-function formatClaimType(type) {
-    switch (type) {
-        case "AUTH_ENFORCED":
-            return "authentication";
-        case "INPUT_VALIDATED":
-            return "input validation";
-        case "MIDDLEWARE_PROTECTED":
-            return "middleware protection";
-        case "CSRF_ENABLED":
-            return "CSRF protection";
-        case "RATE_LIMITED":
-            return "rate limiting";
-        default:
-            return type.toLowerCase().replace(/_/g, " ");
-    }
-}
-function generateDescription(claim, route, trace) {
-    let desc = `A comment claims that ${formatClaimType(claim.type)} is in place`;
-    if (route) {
-        desc += ` for the ${route.method} ${route.path} endpoint`;
-    }
-    desc += ", but static analysis couldn't verify this claim.";
-    if (trace) {
-        const missing = [];
-        if (claim.type === "AUTH_ENFORCED" && !trace.authProven && !trace.middlewareCovered) {
-            missing.push("authentication check");
-        }
-        if (claim.type === "INPUT_VALIDATED" && !trace.validationProven) {
-            missing.push("validation usage");
-        }
-        if (claim.type === "MIDDLEWARE_PROTECTED" && !trace.middlewareCovered) {
-            missing.push("middleware coverage");
-        }
-        if (missing.length > 0) {
-            desc += ` Missing: ${missing.join(", ")}.`;
-        }
-    }
-    desc += " This could be a documentation issue or missing implementation.";
-    return desc;
-}
-function generateRemediation(claim) {
-    switch (claim.type) {
-        case "AUTH_ENFORCED":
-            return "Add authentication check using getServerSession(), auth(), or similar before performing operations. Alternatively, update the comment if the claim is incorrect.";
-        case "INPUT_VALIDATED":
-            return "Add input validation using Zod, Yup, or Joi and ensure the validated result is used. Alternatively, update the comment if validation isn't needed.";
-        case "MIDDLEWARE_PROTECTED":
-            return "Ensure the middleware matcher covers this route, or add explicit auth check in the handler.";
-        default:
-            return "Verify the security claim matches the implementation, or update documentation to reflect actual behavior.";
-    }
-}
-function generateFindingId(claim) {
-    return `f-${crypto.randomUUID().slice(0, 8)}`;
-}
-function generateFingerprint(claim) {
-    const data = `${RULE_ID}:${claim.location.file}:${claim.location.startLine}:${claim.type}`;
-    return `sha256:${crypto.createHash("sha256").update(data).digest("hex")}`;
-}

package/dist/phase3/scanners/index.d.ts DELETED Viewed

@@ -1,31 +0,0 @@
-/**
- * Phase 3 Scanner Exports
- */
-export { scanCommentClaimUnproven } from "./comment-claim-unproven.js";
-export { scanMiddlewareAssumedNotMatching } from "./middleware-assumed-not-matching.js";
-export { scanValidationClaimedMissing } from "./validation-claimed-missing.js";
-export { scanAuthByUiServerGap } from "./auth-by-ui-server-gap.js";
-import type { Scanner } from "../../scanners/types.js";
-import { scanCommentClaimUnproven } from "./comment-claim-unproven.js";
-import { scanAuthByUiServerGap } from "./auth-by-ui-server-gap.js";
-/**
- * All Phase 3 scanners
- */
-export declare const phase3Scanners: Scanner[];
-/**
- * Phase 3 Hallucination Pack
- */
-export declare const hallucinationsPack: {
-    id: string;
-    name: string;
-    scanners: (typeof scanCommentClaimUnproven)[];
-};
-/**
- * Phase 3 Auth Pack extension
- */
-export declare const authPackPhase3: {
-    id: string;
-    name: string;
-    scanners: (typeof scanAuthByUiServerGap)[];
-};
-//# sourceMappingURL=index.d.ts.map

package/dist/phase3/scanners/index.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/phase3/scanners/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,EAAE,gCAAgC,EAAE,MAAM,sCAAsC,CAAC;AACxF,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAC/E,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAGvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,OAAO,EAKnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB;;;;CAQ9B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,cAAc;;;;CAI1B,CAAC"}

package/dist/phase3/scanners/index.js DELETED Viewed

@@ -1,40 +0,0 @@
-/**
- * Phase 3 Scanner Exports
- */
-export { scanCommentClaimUnproven } from "./comment-claim-unproven.js";
-export { scanMiddlewareAssumedNotMatching } from "./middleware-assumed-not-matching.js";
-export { scanValidationClaimedMissing } from "./validation-claimed-missing.js";
-export { scanAuthByUiServerGap } from "./auth-by-ui-server-gap.js";
-import { scanCommentClaimUnproven } from "./comment-claim-unproven.js";
-import { scanMiddlewareAssumedNotMatching } from "./middleware-assumed-not-matching.js";
-import { scanValidationClaimedMissing } from "./validation-claimed-missing.js";
-import { scanAuthByUiServerGap } from "./auth-by-ui-server-gap.js";
-/**
- * All Phase 3 scanners
- */
-export const phase3Scanners = [
-    scanCommentClaimUnproven,
-    scanMiddlewareAssumedNotMatching,
-    scanValidationClaimedMissing,
-    scanAuthByUiServerGap,
-];
-/**
- * Phase 3 Hallucination Pack
- */
-export const hallucinationsPack = {
-    id: "hallucinations",
-    name: "Hallucinations Pack (Phase 3)",
-    scanners: [
-        scanCommentClaimUnproven,
-        scanMiddlewareAssumedNotMatching,
-        scanValidationClaimedMissing,
-    ],
-};
-/**
- * Phase 3 Auth Pack extension
- */
-export const authPackPhase3 = {
-    id: "auth-phase3",
-    name: "Auth Pack (Phase 3)",
-    scanners: [scanAuthByUiServerGap],
-};

package/dist/phase3/scanners/middleware-assumed-not-matching.d.ts DELETED Viewed

@@ -1,14 +0,0 @@
-/**
- * VC-HALL-011: Middleware Assumed But Not Matching
- *
- * Detects routes that appear to expect middleware protection
- * but are not covered by the middleware matcher patterns.
- *
- * Severity: High
- * Category: hallucinations
- * Confidence: 0.70
- */
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../../scanners/types.js";
-export declare function scanMiddlewareAssumedNotMatching(ctx: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=middleware-assumed-not-matching.d.ts.map

package/dist/phase3/scanners/middleware-assumed-not-matching.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"middleware-assumed-not-matching.d.ts","sourceRoot":"","sources":["../../../src/phase3/scanners/middleware-assumed-not-matching.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,KAAK,EAAE,WAAW,EAA0B,MAAM,yBAAyB,CAAC;AA0BnF,wBAAsB,gCAAgC,CACpD,GAAG,EAAE,WAAW,GACf,OAAO,CAAC,OAAO,EAAE,CAAC,CAqEpB"}