@quantracode/vibecheck 0.0.1 → 0.0.2

package/dist/phase3/scanners/middleware-assumed-not-matching.js

@@ -1,172 +0,0 @@
-/**
- * VC-HALL-011: Middleware Assumed But Not Matching
- *
- * Detects routes that appear to expect middleware protection
- * but are not covered by the middleware matcher patterns.
- *
- * Severity: High
- * Category: hallucinations
- * Confidence: 0.70
- */
-import crypto from "node:crypto";
-import { buildRouteMap, buildMiddlewareMap, isRouteCoveredByMiddleware, } from "../proof-trace-builder.js";
-import { mineAllIntentClaims } from "../intent-miner.js";
-const RULE_ID = "VC-HALL-011";
-/**
- * Signals that a route expects middleware protection
- */
-const MIDDLEWARE_EXPECTATION_SIGNALS = [
-    // Comments
-    /middleware.*protect/i,
-    /protected\s*by\s*middleware/i,
-    /middleware\s*handles?\s*auth/i,
-    /auth\s*(is|handled)\s*(by|in)\s*middleware/i,
-    // Code patterns that suggest middleware dependency
-    /withMiddleware/,
-    /requireMiddleware/,
-    /middlewareProtected/,
-];
-export async function scanMiddlewareAssumedNotMatching(ctx) {
-    const findings = [];
-    // Build maps
-    const routes = buildRouteMap(ctx);
-    const middlewareMap = buildMiddlewareMap(ctx);
-    // If no middleware file exists, skip this scanner
-    if (middlewareMap.length === 0) {
-        return findings;
-    }
-    const allMatchers = middlewareMap.flatMap((m) => m.matchers);
-    const intentClaims = mineAllIntentClaims(ctx, routes);
-    // Find routes that expect middleware but aren't covered
-    for (const route of routes) {
-        const isCovered = isRouteCoveredByMiddleware(route.path, allMatchers);
-        if (isCovered)
-            continue;
-        // Check if this route has signals expecting middleware
-        const expectsMiddleware = checkMiddlewareExpectation(ctx, route, intentClaims);
-        if (expectsMiddleware.expected) {
-            findings.push({
-                id: generateFindingId(route),
-                severity: "high",
-                confidence: 0.7,
-                category: "hallucinations",
-                ruleId: RULE_ID,
-                title: `Route ${route.method} ${route.path} expects middleware but is not covered`,
-                description: generateDescription(route, middlewareMap[0], expectsMiddleware.reason),
-                evidence: [
-                    {
-                        file: route.file,
-                        startLine: route.startLine,
-                        endLine: route.endLine,
-                        snippet: `export async function ${route.method}(request: Request)`,
-                        label: "Route expecting middleware protection",
-                    },
-                    ...(expectsMiddleware.evidenceLocation
-                        ? [
-                            {
-                                file: expectsMiddleware.evidenceLocation.file,
-                                startLine: expectsMiddleware.evidenceLocation.line,
-                                endLine: expectsMiddleware.evidenceLocation.line,
-                                snippet: expectsMiddleware.evidenceSnippet || "",
-                                label: "Signal expecting middleware",
-                            },
-                        ]
-                        : []),
-                    {
-                        file: middlewareMap[0].file,
-                        startLine: middlewareMap[0].startLine,
-                        endLine: middlewareMap[0].startLine,
-                        snippet: `matcher: ${JSON.stringify(allMatchers)}`,
-                        label: "Current middleware matcher (does not cover this route)",
-                    },
-                ],
-                remediation: {
-                    recommendedFix: generateRemediation(route, allMatchers),
-                },
-                fingerprint: generateFingerprint(route),
-            });
-        }
-    }
-    return findings;
-}
-function checkMiddlewareExpectation(ctx, route, claims) {
-    // Check intent claims for middleware protection
-    const middlewareClaims = claims.filter((c) => c.type === "MIDDLEWARE_PROTECTED" &&
-        (c.targetRouteId === route.routeId || c.scope === "global" || c.location.file === route.file));
-    if (middlewareClaims.length > 0) {
-        const claim = middlewareClaims[0];
-        return {
-            expected: true,
-            reason: "Intent claim indicates middleware protection expected",
-            evidenceLocation: {
-                file: claim.location.file,
-                line: claim.location.startLine,
-            },
-            evidenceSnippet: claim.textEvidence,
-        };
-    }
-    // Check source file for middleware expectation signals
-    const sourceFile = ctx.helpers.parseFile(require("path").join(ctx.repoRoot, route.file));
-    if (sourceFile) {
-        const fullText = sourceFile.getFullText();
-        for (const signal of MIDDLEWARE_EXPECTATION_SIGNALS) {
-            const match = fullText.match(signal);
-            if (match) {
-                const pos = match.index || 0;
-                const line = sourceFile.getLineAndColumnAtPos(pos).line;
-                return {
-                    expected: true,
-                    reason: "Code pattern suggests middleware protection expected",
-                    evidenceLocation: {
-                        file: route.file,
-                        line,
-                    },
-                    evidenceSnippet: match[0],
-                };
-            }
-        }
-    }
-    // Check if auth claims exist but no auth check in handler
-    const authClaims = claims.filter((c) => c.type === "AUTH_ENFORCED" &&
-        c.source === "comment" &&
-        (c.targetRouteId === route.routeId || c.location.file === route.file));
-    if (authClaims.length > 0) {
-        // Check if the handler has its own auth check
-        const handlers = ctx.helpers.findRouteHandlers(sourceFile);
-        const handler = handlers.find((h) => h.method === route.method);
-        if (handler && !ctx.helpers.containsAuthCheck(handler.functionNode)) {
-            // Auth is claimed but not in handler - might expect middleware
-            const claim = authClaims[0];
-            return {
-                expected: true,
-                reason: "Auth claimed in comment but not in handler - may expect middleware",
-                evidenceLocation: {
-                    file: claim.location.file,
-                    line: claim.location.startLine,
-                },
-                evidenceSnippet: claim.textEvidence,
-            };
-        }
-    }
-    return { expected: false, reason: "" };
-}
-function generateDescription(route, middleware, reason) {
-    return (`The route ${route.method} ${route.path} shows signals that it expects middleware protection, ` +
-        `but the middleware matcher in ${middleware.file} does not cover this path. ` +
-        `${reason}. This could leave the route unprotected.`);
-}
-function generateRemediation(route, currentMatchers) {
-    const suggestedPattern = route.path.includes("/api/")
-        ? "/api/:path*"
-        : `${route.path}/:path*`;
-    return (`Update the middleware matcher to include this route. ` +
-        `Current matchers: ${JSON.stringify(currentMatchers)}. ` +
-        `Consider adding "${suggestedPattern}" or add explicit auth in the handler.`);
-}
-function generateFindingId(route) {
-    return `f-${crypto.randomUUID().slice(0, 8)}`;
-}
-function generateFingerprint(route) {
-    const data = `${RULE_ID}:${route.file}:${route.method}:${route.path}`;
-    return `sha256:${crypto.createHash("sha256").update(data).digest("hex")}`;
-}

package/dist/phase3/scanners/validation-claimed-missing.d.ts

@@ -1,15 +0,0 @@
-/**
- * VC-HALL-012: Validation Claimed But Missing/Ignored
- *
- * Detects routes where validation is claimed (via comments, imports,
- * or identifiers) but is either not implemented or the validated
- * result is not used.
- *
- * Severity: Medium
- * Category: hallucinations
- * Confidence: 0.80
- */
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../../scanners/types.js";
-export declare function scanValidationClaimedMissing(ctx: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=validation-claimed-missing.d.ts.map

package/dist/phase3/scanners/validation-claimed-missing.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"validation-claimed-missing.d.ts","sourceRoot":"","sources":["../../../src/phase3/scanners/validation-claimed-missing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,KAAK,EAAE,WAAW,EAA0B,MAAM,yBAAyB,CAAC;AAMnF,wBAAsB,4BAA4B,CAChD,GAAG,EAAE,WAAW,GACf,OAAO,CAAC,OAAO,EAAE,CAAC,CAmGpB"}

package/dist/phase3/scanners/validation-claimed-missing.js

@@ -1,204 +0,0 @@
-/**
- * VC-HALL-012: Validation Claimed But Missing/Ignored
- *
- * Detects routes where validation is claimed (via comments, imports,
- * or identifiers) but is either not implemented or the validated
- * result is not used.
- *
- * Severity: Medium
- * Category: hallucinations
- * Confidence: 0.80
- */
-import crypto from "node:crypto";
-import path from "node:path";
-import { buildRouteMap, buildAllProofTraces } from "../proof-trace-builder.js";
-import { mineAllIntentClaims } from "../intent-miner.js";
-const RULE_ID = "VC-HALL-012";
-export async function scanValidationClaimedMissing(ctx) {
-    const findings = [];
-    // Build route map and proof traces
-    const routes = buildRouteMap(ctx);
-    const proofTraces = buildAllProofTraces(ctx, routes);
-    const intentClaims = mineAllIntentClaims(ctx, routes);
-    // Find validation claims
-    const validationClaims = intentClaims.filter((c) => c.type === "INPUT_VALIDATED");
-    // Group claims by file for efficiency
-    const claimsByFile = new Map();
-    for (const claim of validationClaims) {
-        const existing = claimsByFile.get(claim.location.file) || [];
-        existing.push(claim);
-        claimsByFile.set(claim.location.file, existing);
-    }
-    // Check each file with validation claims
-    for (const [file, claims] of claimsByFile) {
-        const sourceFile = ctx.helpers.parseFile(path.join(ctx.repoRoot, file));
-        if (!sourceFile)
-            continue;
-        // Find routes in this file
-        const fileRoutes = routes.filter((r) => r.file === file);
-        const handlers = ctx.helpers.findRouteHandlers(sourceFile);
-        for (const handler of handlers) {
-            const route = fileRoutes.find((r) => r.method === handler.method);
-            if (!route)
-                continue;
-            // Check if this handler should have validation
-            const relevantClaims = claims.filter((c) => c.targetRouteId === route.routeId ||
-                c.scope === "module" ||
-                c.scope === "global" ||
-                (c.location.startLine <= handler.startLine &&
-                    c.location.endLine >= handler.startLine - 5) // Claim is near handler
-            );
-            if (relevantClaims.length === 0)
-                continue;
-            // Check actual validation status
-            const validationUsage = ctx.helpers.findValidationUsage(handler.functionNode);
-            // Case 1: No validation at all despite claims
-            if (validationUsage.length === 0) {
-                findings.push(createFinding(route, relevantClaims[0], "missing", "Validation is claimed but no validation library usage found in handler"));
-                continue;
-            }
-            // Case 2: Validation exists but result not assigned
-            const unassigned = validationUsage.filter((v) => !v.resultAssigned);
-            if (unassigned.length > 0) {
-                findings.push(createFinding(route, relevantClaims[0], "ignored_result", "Validation is called but the result is not assigned to a variable", {
-                    file: route.file,
-                    line: unassigned[0].line,
-                    snippet: ctx.helpers.getNodeText(unassigned[0].node).slice(0, 100),
-                }));
-                continue;
-            }
-            // Case 3: Validation result assigned but raw body still used
-            const rawBodyUsed = validationUsage.filter((v) => v.rawBodyUsedAfter);
-            if (rawBodyUsed.length > 0) {
-                findings.push(createFinding(route, relevantClaims[0], "bypassed", "Validation is performed but raw request body is used afterward instead of validated data", {
-                    file: route.file,
-                    line: rawBodyUsed[0].line,
-                    snippet: ctx.helpers.getNodeText(rawBodyUsed[0].node).slice(0, 100),
-                }));
-            }
-        }
-    }
-    // Also check for validation imports that are never used
-    findings.push(...checkUnusedValidationImports(ctx, routes, intentClaims));
-    return findings;
-}
-function createFinding(route, claim, issueType, description, additionalEvidence) {
-    const evidence = [
-        {
-            file: claim.location.file,
-            startLine: claim.location.startLine,
-            endLine: claim.location.endLine,
-            snippet: claim.textEvidence,
-            label: `Validation claim (${claim.source})`,
-        },
-        {
-            file: route.file,
-            startLine: route.startLine,
-            endLine: route.endLine,
-            snippet: `${route.method} ${route.path}`,
-            label: "Route handler",
-        },
-    ];
-    if (additionalEvidence) {
-        evidence.push({
-            file: additionalEvidence.file,
-            startLine: additionalEvidence.line,
-            endLine: additionalEvidence.line,
-            snippet: additionalEvidence.snippet,
-            label: issueType === "ignored_result" ? "Unused validation call" : "Raw body usage",
-        });
-    }
-    return {
-        id: `f-${crypto.randomUUID().slice(0, 8)}`,
-        severity: "medium",
-        confidence: 0.8,
-        category: "hallucinations",
-        ruleId: RULE_ID,
-        title: generateTitle(route, issueType),
-        description,
-        evidence,
-        remediation: {
-            recommendedFix: generateRemediation(issueType),
-        },
-        fingerprint: generateFingerprint(route, issueType),
-    };
-}
-function generateTitle(route, issueType) {
-    switch (issueType) {
-        case "missing":
-            return `Validation claimed but missing in ${route.method} ${route.path}`;
-        case "ignored_result":
-            return `Validation result ignored in ${route.method} ${route.path}`;
-        case "bypassed":
-            return `Validation bypassed in ${route.method} ${route.path}`;
-        default:
-            return `Validation issue in ${route.method} ${route.path}`;
-    }
-}
-function generateRemediation(issueType) {
-    switch (issueType) {
-        case "missing":
-            return ("Implement validation using Zod, Yup, or Joi. " +
-                "Example: `const validated = schema.parse(await request.json());` " +
-                "Then use `validated` instead of the raw request body.");
-        case "ignored_result":
-            return ("Assign the validation result to a variable and use it: " +
-                "`const validated = schema.parse(body);` " +
-                "Then pass `validated` to database operations.");
-        case "bypassed":
-            return ("Replace usage of raw `body`, `req.body`, or `request.json()` result " +
-                "with the validated data. Using raw input after validation defeats its purpose.");
-        default:
-            return "Ensure validation is properly implemented and the validated result is used.";
-    }
-}
-function checkUnusedValidationImports(ctx, routes, claims) {
-    const findings = [];
-    // Find import-based validation claims
-    const importClaims = claims.filter((c) => c.type === "INPUT_VALIDATED" && c.source === "import");
-    for (const claim of importClaims) {
-        const sourceFile = ctx.helpers.parseFile(path.join(ctx.repoRoot, claim.location.file));
-        if (!sourceFile)
-            continue;
-        // Check if validation schemas/methods are actually defined and used
-        const hasSchemas = ctx.helpers.hasValidationSchemas(sourceFile);
-        if (!hasSchemas) {
-            // Validation library imported but no schemas defined
-            const fileRoutes = routes.filter((r) => r.file === claim.location.file);
-            if (fileRoutes.length > 0) {
-                findings.push({
-                    id: `f-${crypto.randomUUID().slice(0, 8)}`,
-                    severity: "medium",
-                    confidence: 0.7,
-                    category: "hallucinations",
-                    ruleId: RULE_ID,
-                    title: `Validation library imported but no schemas defined in ${claim.location.file}`,
-                    description: "A validation library is imported suggesting validation intent, " +
-                        "but no validation schemas are defined in the file. " +
-                        "This could be dead code or incomplete implementation.",
-                    evidence: [
-                        {
-                            file: claim.location.file,
-                            startLine: claim.location.startLine,
-                            endLine: claim.location.endLine,
-                            snippet: claim.textEvidence,
-                            label: "Validation import",
-                        },
-                    ],
-                    remediation: {
-                        recommendedFix: "Define validation schemas using the imported library, or remove the unused import.",
-                    },
-                    fingerprint: `sha256:${crypto
-                        .createHash("sha256")
-                        .update(`${RULE_ID}:${claim.location.file}:import_unused`)
-                        .digest("hex")}`,
-                });
-            }
-        }
-    }
-    return findings;
-}
-function generateFingerprint(route, issueType) {
-    const data = `${RULE_ID}:${route.file}:${route.method}:${issueType}`;
-    return `sha256:${crypto.createHash("sha256").update(data).digest("hex")}`;
-}

package/dist/scanners/abuse/compute-abuse.d.ts

@@ -1,20 +0,0 @@
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../types.js";
-/**
- * VC-ABUSE-001 to VC-ABUSE-004: Compute Abuse Detection
- *
- * Detects compute-intensive endpoints that may be vulnerable to abuse:
- * - AI/LLM generation endpoints
- * - Code execution endpoints
- * - File processing endpoints
- * - Expensive API endpoints
- *
- * Checks for missing enforcement:
- * - Authentication
- * - Rate limiting
- * - Request size limits
- * - Timeouts
- * - Input validation
- */
-export declare function scanComputeAbuse(context: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=compute-abuse.d.ts.map

package/dist/scanners/abuse/compute-abuse.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"compute-abuse.d.ts","sourceRoot":"","sources":["../../../src/scanners/abuse/compute-abuse.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAqC,MAAM,mBAAmB,CAAC;AACpF,OAAO,KAAK,EAAE,WAAW,EAA8B,MAAM,aAAa,CAAC;AAyW3E;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA8H/E"}