npm - @quantracode/vibecheck - Versions diffs - 0.0.1 → 0.0.2 - Mend

@quantracode/vibecheck 0.0.1 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (208) hide show

package/README.md +6 -6
package/dist/index.d.ts +0 -2
package/dist/index.js +7902 -8
package/package.json +13 -7
package/dist/__tests__/cli.test.d.ts +0 -2
package/dist/__tests__/cli.test.d.ts.map +0 -1
package/dist/__tests__/cli.test.js +0 -243
package/dist/__tests__/fixtures/safe-app/app/api/users/route.js +0 -36
package/dist/__tests__/fixtures/vulnerable-app/app/api/users/route.js +0 -28
package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts +0 -4
package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts.map +0 -1
package/dist/__tests__/fixtures/vulnerable-app/lib/config.js +0 -6
package/dist/__tests__/scanners/env-config.test.d.ts +0 -2
package/dist/__tests__/scanners/env-config.test.d.ts.map +0 -1
package/dist/__tests__/scanners/env-config.test.js +0 -142
package/dist/__tests__/scanners/nextjs-middleware.test.d.ts +0 -2
package/dist/__tests__/scanners/nextjs-middleware.test.d.ts.map +0 -1
package/dist/__tests__/scanners/nextjs-middleware.test.js +0 -193
package/dist/__tests__/scanners/scanner-packs.test.d.ts +0 -2
package/dist/__tests__/scanners/scanner-packs.test.d.ts.map +0 -1
package/dist/__tests__/scanners/scanner-packs.test.js +0 -126
package/dist/__tests__/scanners/unused-security-imports.test.d.ts +0 -2
package/dist/__tests__/scanners/unused-security-imports.test.d.ts.map +0 -1
package/dist/__tests__/scanners/unused-security-imports.test.js +0 -145
package/dist/commands/demo-artifact.d.ts +0 -7
package/dist/commands/demo-artifact.d.ts.map +0 -1
package/dist/commands/demo-artifact.js +0 -322
package/dist/commands/evaluate.d.ts +0 -30
package/dist/commands/evaluate.d.ts.map +0 -1
package/dist/commands/evaluate.js +0 -258
package/dist/commands/explain.d.ts +0 -12
package/dist/commands/explain.d.ts.map +0 -1
package/dist/commands/explain.js +0 -214
package/dist/commands/index.d.ts +0 -7
package/dist/commands/index.d.ts.map +0 -1
package/dist/commands/index.js +0 -6
package/dist/commands/intent.d.ts +0 -21
package/dist/commands/intent.d.ts.map +0 -1
package/dist/commands/intent.js +0 -192
package/dist/commands/scan.d.ts +0 -44
package/dist/commands/scan.d.ts.map +0 -1
package/dist/commands/scan.js +0 -497
package/dist/commands/waivers.d.ts +0 -30
package/dist/commands/waivers.d.ts.map +0 -1
package/dist/commands/waivers.js +0 -249
package/dist/index.d.ts.map +0 -1
package/dist/phase3/index.d.ts +0 -11
package/dist/phase3/index.d.ts.map +0 -1
package/dist/phase3/index.js +0 -12
package/dist/phase3/intent-miner.d.ts +0 -32
package/dist/phase3/intent-miner.d.ts.map +0 -1
package/dist/phase3/intent-miner.js +0 -323
package/dist/phase3/proof-trace-builder.d.ts +0 -42
package/dist/phase3/proof-trace-builder.d.ts.map +0 -1
package/dist/phase3/proof-trace-builder.js +0 -441
package/dist/phase3/scanners/auth-by-ui-server-gap.d.ts +0 -15
package/dist/phase3/scanners/auth-by-ui-server-gap.d.ts.map +0 -1
package/dist/phase3/scanners/auth-by-ui-server-gap.js +0 -237
package/dist/phase3/scanners/comment-claim-unproven.d.ts +0 -14
package/dist/phase3/scanners/comment-claim-unproven.d.ts.map +0 -1
package/dist/phase3/scanners/comment-claim-unproven.js +0 -161
package/dist/phase3/scanners/index.d.ts +0 -31
package/dist/phase3/scanners/index.d.ts.map +0 -1
package/dist/phase3/scanners/index.js +0 -40
package/dist/phase3/scanners/middleware-assumed-not-matching.d.ts +0 -14
package/dist/phase3/scanners/middleware-assumed-not-matching.d.ts.map +0 -1
package/dist/phase3/scanners/middleware-assumed-not-matching.js +0 -172
package/dist/phase3/scanners/validation-claimed-missing.d.ts +0 -15
package/dist/phase3/scanners/validation-claimed-missing.d.ts.map +0 -1
package/dist/phase3/scanners/validation-claimed-missing.js +0 -204
package/dist/scanners/abuse/compute-abuse.d.ts +0 -20
package/dist/scanners/abuse/compute-abuse.d.ts.map +0 -1
package/dist/scanners/abuse/compute-abuse.js +0 -509
package/dist/scanners/abuse/index.d.ts +0 -12
package/dist/scanners/abuse/index.d.ts.map +0 -1
package/dist/scanners/abuse/index.js +0 -15
package/dist/scanners/auth/index.d.ts +0 -5
package/dist/scanners/auth/index.d.ts.map +0 -1
package/dist/scanners/auth/index.js +0 -10
package/dist/scanners/auth/middleware-gap.d.ts +0 -22
package/dist/scanners/auth/middleware-gap.d.ts.map +0 -1
package/dist/scanners/auth/middleware-gap.js +0 -203
package/dist/scanners/auth/unprotected-api-route.d.ts +0 -12
package/dist/scanners/auth/unprotected-api-route.d.ts.map +0 -1
package/dist/scanners/auth/unprotected-api-route.js +0 -126
package/dist/scanners/config/index.d.ts +0 -5
package/dist/scanners/config/index.d.ts.map +0 -1
package/dist/scanners/config/index.js +0 -10
package/dist/scanners/config/insecure-defaults.d.ts +0 -12
package/dist/scanners/config/insecure-defaults.d.ts.map +0 -1
package/dist/scanners/config/insecure-defaults.js +0 -77
package/dist/scanners/config/undocumented-env.d.ts +0 -24
package/dist/scanners/config/undocumented-env.d.ts.map +0 -1
package/dist/scanners/config/undocumented-env.js +0 -159
package/dist/scanners/crypto/index.d.ts +0 -6
package/dist/scanners/crypto/index.d.ts.map +0 -1
package/dist/scanners/crypto/index.js +0 -11
package/dist/scanners/crypto/jwt-decode-unverified.d.ts +0 -14
package/dist/scanners/crypto/jwt-decode-unverified.d.ts.map +0 -1
package/dist/scanners/crypto/jwt-decode-unverified.js +0 -87
package/dist/scanners/crypto/math-random-tokens.d.ts +0 -13
package/dist/scanners/crypto/math-random-tokens.d.ts.map +0 -1
package/dist/scanners/crypto/math-random-tokens.js +0 -80
package/dist/scanners/crypto/weak-hashing.d.ts +0 -11
package/dist/scanners/crypto/weak-hashing.d.ts.map +0 -1
package/dist/scanners/crypto/weak-hashing.js +0 -95
package/dist/scanners/env-config.d.ts +0 -24
package/dist/scanners/env-config.d.ts.map +0 -1
package/dist/scanners/env-config.js +0 -164
package/dist/scanners/hallucinations/index.d.ts +0 -4
package/dist/scanners/hallucinations/index.d.ts.map +0 -1
package/dist/scanners/hallucinations/index.js +0 -8
package/dist/scanners/hallucinations/unused-security-imports.d.ts +0 -36
package/dist/scanners/hallucinations/unused-security-imports.d.ts.map +0 -1
package/dist/scanners/hallucinations/unused-security-imports.js +0 -309
package/dist/scanners/helpers/ast-helpers.d.ts +0 -6
package/dist/scanners/helpers/ast-helpers.d.ts.map +0 -1
package/dist/scanners/helpers/ast-helpers.js +0 -945
package/dist/scanners/helpers/context-builder.d.ts +0 -17
package/dist/scanners/helpers/context-builder.d.ts.map +0 -1
package/dist/scanners/helpers/context-builder.js +0 -148
package/dist/scanners/helpers/index.d.ts +0 -3
package/dist/scanners/helpers/index.d.ts.map +0 -1
package/dist/scanners/helpers/index.js +0 -2
package/dist/scanners/index.d.ts +0 -30
package/dist/scanners/index.d.ts.map +0 -1
package/dist/scanners/index.js +0 -102
package/dist/scanners/middleware/index.d.ts +0 -4
package/dist/scanners/middleware/index.d.ts.map +0 -1
package/dist/scanners/middleware/index.js +0 -7
package/dist/scanners/middleware/missing-rate-limit.d.ts +0 -13
package/dist/scanners/middleware/missing-rate-limit.d.ts.map +0 -1
package/dist/scanners/middleware/missing-rate-limit.js +0 -140
package/dist/scanners/network/cors-misconfiguration.d.ts +0 -14
package/dist/scanners/network/cors-misconfiguration.d.ts.map +0 -1
package/dist/scanners/network/cors-misconfiguration.js +0 -89
package/dist/scanners/network/index.d.ts +0 -7
package/dist/scanners/network/index.d.ts.map +0 -1
package/dist/scanners/network/index.js +0 -18
package/dist/scanners/network/missing-timeout.d.ts +0 -15
package/dist/scanners/network/missing-timeout.d.ts.map +0 -1
package/dist/scanners/network/missing-timeout.js +0 -93
package/dist/scanners/network/open-redirect.d.ts +0 -15
package/dist/scanners/network/open-redirect.d.ts.map +0 -1
package/dist/scanners/network/open-redirect.js +0 -88
package/dist/scanners/network/ssrf-prone-fetch.d.ts +0 -12
package/dist/scanners/network/ssrf-prone-fetch.d.ts.map +0 -1
package/dist/scanners/network/ssrf-prone-fetch.js +0 -90
package/dist/scanners/nextjs-middleware.d.ts +0 -26
package/dist/scanners/nextjs-middleware.d.ts.map +0 -1
package/dist/scanners/nextjs-middleware.js +0 -246
package/dist/scanners/privacy/debug-flags.d.ts +0 -13
package/dist/scanners/privacy/debug-flags.d.ts.map +0 -1
package/dist/scanners/privacy/debug-flags.js +0 -124
package/dist/scanners/privacy/index.d.ts +0 -6
package/dist/scanners/privacy/index.d.ts.map +0 -1
package/dist/scanners/privacy/index.js +0 -11
package/dist/scanners/privacy/over-broad-response.d.ts +0 -15
package/dist/scanners/privacy/over-broad-response.d.ts.map +0 -1
package/dist/scanners/privacy/over-broad-response.js +0 -109
package/dist/scanners/privacy/sensitive-logging.d.ts +0 -11
package/dist/scanners/privacy/sensitive-logging.d.ts.map +0 -1
package/dist/scanners/privacy/sensitive-logging.js +0 -78
package/dist/scanners/types.d.ts +0 -456
package/dist/scanners/types.d.ts.map +0 -1
package/dist/scanners/types.js +0 -16
package/dist/scanners/unused-security-imports.d.ts +0 -34
package/dist/scanners/unused-security-imports.d.ts.map +0 -1
package/dist/scanners/unused-security-imports.js +0 -206
package/dist/scanners/uploads/index.d.ts +0 -5
package/dist/scanners/uploads/index.d.ts.map +0 -1
package/dist/scanners/uploads/index.js +0 -9
package/dist/scanners/uploads/missing-constraints.d.ts +0 -15
package/dist/scanners/uploads/missing-constraints.d.ts.map +0 -1
package/dist/scanners/uploads/missing-constraints.js +0 -109
package/dist/scanners/uploads/public-path.d.ts +0 -11
package/dist/scanners/uploads/public-path.d.ts.map +0 -1
package/dist/scanners/uploads/public-path.js +0 -87
package/dist/scanners/validation/client-side-only.d.ts +0 -14
package/dist/scanners/validation/client-side-only.d.ts.map +0 -1
package/dist/scanners/validation/client-side-only.js +0 -140
package/dist/scanners/validation/ignored-validation.d.ts +0 -12
package/dist/scanners/validation/ignored-validation.d.ts.map +0 -1
package/dist/scanners/validation/ignored-validation.js +0 -119
package/dist/scanners/validation/index.d.ts +0 -5
package/dist/scanners/validation/index.d.ts.map +0 -1
package/dist/scanners/validation/index.js +0 -9
package/dist/utils/exclude-patterns.d.ts +0 -35
package/dist/utils/exclude-patterns.d.ts.map +0 -1
package/dist/utils/exclude-patterns.js +0 -78
package/dist/utils/file-utils.d.ts +0 -37
package/dist/utils/file-utils.d.ts.map +0 -1
package/dist/utils/file-utils.js +0 -77
package/dist/utils/fingerprint.d.ts +0 -25
package/dist/utils/fingerprint.d.ts.map +0 -1
package/dist/utils/fingerprint.js +0 -28
package/dist/utils/git-info.d.ts +0 -14
package/dist/utils/git-info.d.ts.map +0 -1
package/dist/utils/git-info.js +0 -55
package/dist/utils/index.d.ts +0 -4
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js +0 -3
package/dist/utils/progress.d.ts +0 -42
package/dist/utils/progress.d.ts.map +0 -1
package/dist/utils/progress.js +0 -165
package/dist/utils/sarif-formatter.d.ts +0 -92
package/dist/utils/sarif-formatter.d.ts.map +0 -1
package/dist/utils/sarif-formatter.js +0 -172

package/dist/scanners/helpers/context-builder.d.ts DELETED Viewed

@@ -1,17 +0,0 @@
-import type { ScanContext, FileProgressCallback } from "../types.js";
-/**
- * Options for building scan context
- */
-export interface ScanContextOptions {
-    /** Additional glob patterns to exclude */
-    excludePatterns?: string[];
-    /** Include test files in scan */
-    includeTests?: boolean;
-    /** Progress callback for file processing */
-    onFileProgress?: FileProgressCallback;
-}
-/**
- * Build a complete ScanContext for scanner use
- */
-export declare function buildScanContext(repoRoot: string, options?: ScanContextOptions): Promise<ScanContext>;
-//# sourceMappingURL=context-builder.d.ts.map

package/dist/scanners/helpers/context-builder.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"context-builder.d.ts","sourceRoot":"","sources":["../../../src/scanners/helpers/context-builder.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAA0E,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAE7I;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,0CAA0C;IAC1C,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,iCAAiC;IACjC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,oBAAoB,CAAC;CACvC;AAyKD;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,WAAW,CAAC,CAmBtB"}

package/dist/scanners/helpers/context-builder.js DELETED Viewed

@@ -1,148 +0,0 @@
-import { findFiles, readJsonSync, resolvePath, fileExists, readFileSync } from "../../utils/file-utils.js";
-import { createAstHelpers } from "./ast-helpers.js";
-import { mergeExcludes, normalizePatterns } from "../../utils/exclude-patterns.js";
-/**
- * Detect framework from package.json dependencies
- */
-function detectFramework(deps, devDeps) {
-    const allDeps = { ...deps, ...devDeps };
-    if (allDeps["next"])
-        return "next";
-    if (allDeps["express"])
-        return "express";
-    if (allDeps["fastify"])
-        return "fastify";
-    if (allDeps["koa"])
-        return "koa";
-    return "unknown";
-}
-/**
- * Build file index for quick lookups
- */
-async function buildFileIndex(repoRoot, options = {}) {
-    // Build exclude patterns from defaults + custom
-    const customExcludes = options.excludePatterns ?? [];
-    const ignorePatterns = normalizePatterns(mergeExcludes(customExcludes, { includeTests: options.includeTests }));
-    // Find all source files
-    const allSourceFiles = await findFiles(["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"], { cwd: repoRoot, ignore: ignorePatterns });
-    // TypeScript files only
-    const tsTsxFiles = allSourceFiles.filter((f) => f.endsWith(".ts") || f.endsWith(".tsx"));
-    // Config files
-    const configFiles = await findFiles([".env*", "**/*.config.*", "**/config.*"], { cwd: repoRoot, ignore: ignorePatterns });
-    // Next.js route files (App Router)
-    const routeFiles = await findFiles(["**/route.ts", "**/route.js", "src/**/route.ts", "src/**/route.js"], { cwd: repoRoot, ignore: ignorePatterns });
-    // API route files specifically
-    const apiRouteFiles = routeFiles.filter((f) => f.includes("/api/") || f.includes("\\api\\"));
-    // Find middleware file
-    let middlewareFile;
-    const middlewareCandidates = [
-        "middleware.ts",
-        "middleware.js",
-        "src/middleware.ts",
-        "src/middleware.js",
-    ];
-    for (const candidate of middlewareCandidates) {
-        if (fileExists(resolvePath(repoRoot, candidate))) {
-            middlewareFile = candidate;
-            break;
-        }
-    }
-    return {
-        allSourceFiles,
-        tsTsxFiles,
-        configFiles,
-        routeFiles,
-        middlewareFile,
-        apiRouteFiles,
-    };
-}
-/**
- * Build repository metadata from package.json
- */
-function buildRepoMeta(repoRoot) {
-    const pkgPath = resolvePath(repoRoot, "package.json");
-    const pkg = readJsonSync(pkgPath);
-    const dependencies = pkg?.dependencies ?? {};
-    const devDependencies = pkg?.devDependencies ?? {};
-    const allDeps = { ...dependencies, ...devDependencies };
-    return {
-        dependencies,
-        devDependencies,
-        framework: detectFramework(dependencies, devDependencies),
-        hasTypeScript: Boolean(allDeps["typescript"]),
-        hasNextAuth: Boolean(allDeps["next-auth"]),
-        hasPrisma: Boolean(allDeps["prisma"] || allDeps["@prisma/client"]),
-    };
-}
-/**
- * Build framework hints from dependencies
- */
-function buildFrameworkHints(repoRoot, deps, devDeps) {
-    const allDeps = { ...deps, ...devDeps };
-    return {
-        isNext: Boolean(allDeps["next"]),
-        isExpress: Boolean(allDeps["express"]),
-        hasPrisma: Boolean(allDeps["prisma"] || allDeps["@prisma/client"]),
-        hasNextAuth: Boolean(allDeps["next-auth"]),
-        hasMulter: Boolean(allDeps["multer"]),
-        hasFormidable: Boolean(allDeps["formidable"]),
-    };
-}
-/**
- * Parse Prisma schema file if it exists
- */
-function parsePrismaSchema(repoRoot) {
-    const schemaPath = resolvePath(repoRoot, "prisma/schema.prisma");
-    const content = readFileSync(schemaPath);
-    if (!content)
-        return undefined;
-    const models = new Map();
-    const sensitiveFieldPatterns = /password|hash|token|secret|apikey|api_key|private_key|credential/i;
-    // Parse model blocks
-    const modelRegex = /model\s+(\w+)\s*\{([^}]+)\}/g;
-    let match;
-    while ((match = modelRegex.exec(content)) !== null) {
-        const modelName = match[1];
-        const modelBody = match[2];
-        // Extract field names (first word on each non-empty line)
-        const fields = [];
-        const lines = modelBody.split("\n");
-        for (const line of lines) {
-            const trimmed = line.trim();
-            if (!trimmed || trimmed.startsWith("//") || trimmed.startsWith("@@"))
-                continue;
-            const fieldMatch = trimmed.match(/^(\w+)\s+/);
-            if (fieldMatch) {
-                fields.push(fieldMatch[1]);
-            }
-        }
-        const hasSensitiveFields = fields.some((f) => sensitiveFieldPatterns.test(f));
-        models.set(modelName.toLowerCase(), {
-            name: modelName,
-            fields,
-            hasSensitiveFields,
-        });
-    }
-    return { models };
-}
-/**
- * Build a complete ScanContext for scanner use
- */
-export async function buildScanContext(repoRoot, options = {}) {
-    const [fileIndex, repoMeta] = await Promise.all([
-        buildFileIndex(repoRoot, options),
-        Promise.resolve(buildRepoMeta(repoRoot)),
-    ]);
-    const helpers = createAstHelpers(repoRoot, fileIndex.allSourceFiles.length, options.onFileProgress);
-    const frameworkHints = buildFrameworkHints(repoRoot, repoMeta.dependencies, repoMeta.devDependencies);
-    const prismaSchemaInfo = parsePrismaSchema(repoRoot);
-    return {
-        repoRoot,
-        fileIndex,
-        repoMeta,
-        helpers,
-        frameworkHints,
-        prismaSchemaInfo,
-        onFileProgress: options.onFileProgress,
-    };
-}

package/dist/scanners/helpers/index.d.ts DELETED Viewed

@@ -1,3 +0,0 @@
-export { createAstHelpers } from "./ast-helpers.js";
-export { buildScanContext, type ScanContextOptions } from "./context-builder.js";
-//# sourceMappingURL=index.d.ts.map

package/dist/scanners/helpers/index.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/helpers/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,KAAK,kBAAkB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/scanners/helpers/index.js DELETED Viewed

	@@ -1,2 +0,0 @@
1	- export { createAstHelpers } from "./ast-helpers.js";
2	- export { buildScanContext } from "./context-builder.js";

package/dist/scanners/index.d.ts DELETED Viewed

@@ -1,30 +0,0 @@
-export * from "./types.js";
-export { buildScanContext, createAstHelpers, type ScanContextOptions } from "./helpers/index.js";
-export { authPack } from "./auth/index.js";
-export { validationPack } from "./validation/index.js";
-export { privacyPack } from "./privacy/index.js";
-export { configPack } from "./config/index.js";
-export { networkPack } from "./network/index.js";
-export { hallucinationsPack } from "./hallucinations/index.js";
-export { middlewarePack } from "./middleware/index.js";
-export { cryptoPack } from "./crypto/index.js";
-export { uploadsPack } from "./uploads/index.js";
-export { abusePack } from "./abuse/index.js";
-import type { ScannerPack, Scanner } from "./types.js";
-/**
- * All available scanner packs
- */
-export declare const ALL_SCANNER_PACKS: ScannerPack[];
-/**
- * All available scanners (flattened from packs)
- */
-export declare const ALL_SCANNERS: Scanner[];
-/**
- * Get a scanner pack by ID
- */
-export declare function getScannerPack(id: string): ScannerPack | undefined;
-/**
- * Get all rule IDs covered by the scanners
- */
-export declare const SUPPORTED_RULES: readonly ["VC-AUTH-001", "VC-AUTH-INFO-001", "VC-MW-001", "VC-VAL-001", "VC-VAL-002", "VC-PRIV-001", "VC-PRIV-002", "VC-PRIV-003", "VC-CONFIG-001", "VC-CONFIG-002", "VC-NET-001", "VC-NET-002", "VC-NET-003", "VC-NET-004", "VC-HALL-001", "VC-HALL-002", "VC-HALL-010", "VC-HALL-011", "VC-HALL-012", "VC-AUTH-010", "VC-RATE-001", "VC-CRYPTO-001", "VC-CRYPTO-002", "VC-CRYPTO-003", "VC-UP-001", "VC-UP-002", "VC-ABUSE-001", "VC-ABUSE-002", "VC-ABUSE-003", "VC-ABUSE-004"];
-//# sourceMappingURL=index.d.ts.map

package/dist/scanners/index.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/scanners/index.ts"],"names":[],"mappings":"AACA,cAAc,YAAY,CAAC;AAG3B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAGjG,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAG7C,OAAO,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAkBvD;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,WAAW,EAc1C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,OAAO,EAAuD,CAAC;AAE1F;;GAEG;AACH,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAElE;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,odA2ClB,CAAC"}

package/dist/scanners/index.js DELETED Viewed

@@ -1,102 +0,0 @@
-// Export types
-export * from "./types.js";
-// Export helpers
-export { buildScanContext, createAstHelpers } from "./helpers/index.js";
-// Export scanner packs
-export { authPack } from "./auth/index.js";
-export { validationPack } from "./validation/index.js";
-export { privacyPack } from "./privacy/index.js";
-export { configPack } from "./config/index.js";
-export { networkPack } from "./network/index.js";
-export { hallucinationsPack } from "./hallucinations/index.js";
-export { middlewarePack } from "./middleware/index.js";
-export { cryptoPack } from "./crypto/index.js";
-export { uploadsPack } from "./uploads/index.js";
-export { abusePack } from "./abuse/index.js";
-import { authPack } from "./auth/index.js";
-import { validationPack } from "./validation/index.js";
-import { privacyPack } from "./privacy/index.js";
-import { configPack } from "./config/index.js";
-import { networkPack } from "./network/index.js";
-import { hallucinationsPack } from "./hallucinations/index.js";
-import { middlewarePack } from "./middleware/index.js";
-import { cryptoPack } from "./crypto/index.js";
-import { uploadsPack } from "./uploads/index.js";
-import { abusePack } from "./abuse/index.js";
-// Phase 3 scanners
-import { hallucinationsPack as hallucinationsPackPhase3, authPackPhase3, } from "../phase3/index.js";
-/**
- * All available scanner packs
- */
-export const ALL_SCANNER_PACKS = [
-    authPack,
-    validationPack,
-    privacyPack,
-    configPack,
-    networkPack,
-    hallucinationsPack,
-    middlewarePack,
-    cryptoPack,
-    uploadsPack,
-    abusePack,
-    // Phase 3 packs
-    hallucinationsPackPhase3,
-    authPackPhase3,
-];
-/**
- * All available scanners (flattened from packs)
- */
-export const ALL_SCANNERS = ALL_SCANNER_PACKS.flatMap((pack) => pack.scanners);
-/**
- * Get a scanner pack by ID
- */
-export function getScannerPack(id) {
-    return ALL_SCANNER_PACKS.find((pack) => pack.id === id);
-}
-/**
- * Get all rule IDs covered by the scanners
- */
-export const SUPPORTED_RULES = [
-    // Auth pack
-    "VC-AUTH-001",
-    "VC-AUTH-INFO-001",
-    "VC-MW-001",
-    // Validation pack
-    "VC-VAL-001",
-    "VC-VAL-002",
-    // Privacy pack
-    "VC-PRIV-001",
-    "VC-PRIV-002",
-    "VC-PRIV-003",
-    // Config pack
-    "VC-CONFIG-001",
-    "VC-CONFIG-002",
-    // Network pack
-    "VC-NET-001",
-    "VC-NET-002",
-    "VC-NET-003",
-    "VC-NET-004",
-    // Hallucinations pack (Phase 1-2)
-    "VC-HALL-001",
-    "VC-HALL-002",
-    // Hallucinations pack (Phase 3)
-    "VC-HALL-010",
-    "VC-HALL-011",
-    "VC-HALL-012",
-    // Auth pack (Phase 3)
-    "VC-AUTH-010",
-    // Middleware pack
-    "VC-RATE-001",
-    // Crypto pack
-    "VC-CRYPTO-001",
-    "VC-CRYPTO-002",
-    "VC-CRYPTO-003",
-    // Uploads pack
-    "VC-UP-001",
-    "VC-UP-002",
-    // Abuse pack
-    "VC-ABUSE-001",
-    "VC-ABUSE-002",
-    "VC-ABUSE-003",
-    "VC-ABUSE-004",
-];

package/dist/scanners/middleware/index.d.ts DELETED Viewed

@@ -1,4 +0,0 @@
-import type { ScannerPack } from "../types.js";
-export declare const middlewarePack: ScannerPack;
-export { scanMissingRateLimit } from "./missing-rate-limit.js";
-//# sourceMappingURL=index.d.ts.map

package/dist/scanners/middleware/index.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/middleware/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG/C,eAAO,MAAM,cAAc,EAAE,WAI5B,CAAC;AAEF,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/scanners/middleware/index.js DELETED Viewed

@@ -1,7 +0,0 @@
-import { scanMissingRateLimit } from "./missing-rate-limit.js";
-export const middlewarePack = {
-    id: "middleware",
-    name: "Middleware Security",
-    scanners: [scanMissingRateLimit],
-};
-export { scanMissingRateLimit } from "./missing-rate-limit.js";

package/dist/scanners/middleware/missing-rate-limit.d.ts DELETED Viewed

@@ -1,13 +0,0 @@
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../types.js";
-/**
- * VC-RATE-001: Missing rate limiting on public state-changing endpoints
- *
- * Only consider POST/PUT/PATCH/DELETE route handlers that:
- * - appear unauthenticated (no auth check)
- * - AND include a sink: DB write, email send, payment, or login/signup keywords
- *
- * If no rate-limit signals found in handler or middleware, flag it.
- */
-export declare function scanMissingRateLimit(context: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=missing-rate-limit.d.ts.map

package/dist/scanners/middleware/missing-rate-limit.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"missing-rate-limit.d.ts","sourceRoot":"","sources":["../../../src/scanners/middleware/missing-rate-limit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAgB,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAgB/C;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAkInF"}

package/dist/scanners/middleware/missing-rate-limit.js DELETED Viewed

@@ -1,140 +0,0 @@
-import { resolvePath } from "../../utils/file-utils.js";
-import { generateFingerprint, generateFindingId } from "../../utils/fingerprint.js";
-const RULE_ID = "VC-RATE-001";
-/**
- * State-changing HTTP methods
- */
-const STATE_CHANGING_METHODS = ["POST", "PUT", "PATCH", "DELETE"];
-/**
- * Keywords that suggest sensitive operations
- */
-const SENSITIVE_SINK_PATTERNS = /create|insert|update|delete|send|email|mail|payment|charge|login|signup|register|auth|password|reset/i;
-/**
- * VC-RATE-001: Missing rate limiting on public state-changing endpoints
- *
- * Only consider POST/PUT/PATCH/DELETE route handlers that:
- * - appear unauthenticated (no auth check)
- * - AND include a sink: DB write, email send, payment, or login/signup keywords
- *
- * If no rate-limit signals found in handler or middleware, flag it.
- */
-export async function scanMissingRateLimit(context) {
-    const { repoRoot, fileIndex, helpers } = context;
-    const findings = [];
-    // Check if middleware has rate limiting
-    let middlewareHasRateLimit = false;
-    if (fileIndex.middlewareFile) {
-        const middlewarePath = resolvePath(repoRoot, fileIndex.middlewareFile);
-        const middlewareSource = helpers.parseFile(middlewarePath);
-        if (middlewareSource) {
-            middlewareHasRateLimit = helpers.hasRateLimitSignals(middlewareSource);
-        }
-    }
-    // If middleware already has rate limiting, skip this scanner
-    if (middlewareHasRateLimit) {
-        return findings;
-    }
-    // Scan API route files
-    for (const relPath of fileIndex.apiRouteFiles) {
-        const absPath = resolvePath(repoRoot, relPath);
-        const sourceFile = helpers.parseFile(absPath);
-        if (!sourceFile)
-            continue;
-        // Check if file has rate limiting
-        const fileHasRateLimit = helpers.hasRateLimitSignals(sourceFile);
-        if (fileHasRateLimit)
-            continue;
-        const handlers = helpers.findRouteHandlers(sourceFile);
-        for (const handler of handlers) {
-            // Only check state-changing methods
-            if (!STATE_CHANGING_METHODS.includes(handler.method)) {
-                continue;
-            }
-            // Check for auth - only flag unauthenticated endpoints
-            const hasAuth = helpers.containsAuthCheck(handler.functionNode);
-            if (hasAuth)
-                continue;
-            // Find sensitive sinks
-            const dbSinks = helpers.findDbSinks(handler.functionNode);
-            const handlerText = helpers.getNodeText(handler.functionNode);
-            const hasSensitiveSink = dbSinks.length > 0 || SENSITIVE_SINK_PATTERNS.test(handlerText);
-            if (!hasSensitiveSink)
-                continue;
-            const evidence = [
-                {
-                    file: relPath,
-                    startLine: handler.startLine,
-                    endLine: handler.endLine,
-                    snippet: handlerText.slice(0, 200) + "...",
-                    label: `Unauthenticated ${handler.method} handler without rate limiting`,
-                },
-            ];
-            // Add sink evidence
-            if (dbSinks.length > 0) {
-                evidence.push({
-                    file: relPath,
-                    startLine: dbSinks[0].line,
-                    endLine: dbSinks[0].line,
-                    snippet: dbSinks[0].snippet,
-                    label: `Sensitive operation: ${dbSinks[0].kind}.${dbSinks[0].operation}`,
-                });
-            }
-            const fingerprint = generateFingerprint({
-                ruleId: RULE_ID,
-                file: relPath,
-                symbol: handler.method,
-                startLine: handler.startLine,
-            });
-            findings.push({
-                id: generateFindingId({
-                    ruleId: RULE_ID,
-                    file: relPath,
-                    symbol: handler.method,
-                    startLine: handler.startLine,
-                }),
-                ruleId: RULE_ID,
-                title: `Missing rate limiting on public ${handler.method} endpoint`,
-                description: `This public (unauthenticated) ${handler.method} handler performs sensitive operations but lacks rate limiting. Without rate limiting, attackers can abuse this endpoint for credential stuffing, brute force attacks, or denial of service by overwhelming your resources.`,
-                severity: "medium",
-                confidence: 0.65,
-                category: "middleware",
-                evidence,
-                remediation: {
-                    recommendedFix: `Add rate limiting to protect against abuse. Consider using @upstash/ratelimit for serverless, or express-rate-limit for Express apps.`,
-                    patch: `// Using @upstash/ratelimit with Vercel KV:
-import { Ratelimit } from "@upstash/ratelimit";
-import { kv } from "@vercel/kv";
-const ratelimit = new Ratelimit({
-  redis: kv,
-  limiter: Ratelimit.slidingWindow(10, "60 s"), // 10 requests per minute
-});
-export async function POST(request: Request) {
-  const ip = request.headers.get("x-forwarded-for") ?? "127.0.0.1";
-  const { success, limit, reset, remaining } = await ratelimit.limit(ip);
-  if (!success) {
-    return new Response("Too Many Requests", {
-      status: 429,
-      headers: {
-        "X-RateLimit-Limit": limit.toString(),
-        "X-RateLimit-Remaining": remaining.toString(),
-        "X-RateLimit-Reset": reset.toString(),
-      },
-    });
-  }
-  // ... rest of handler
-}`,
-                },
-                links: {
-                    owasp: "https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html",
-                    cwe: "https://cwe.mitre.org/data/definitions/770.html",
-                },
-                fingerprint,
-            });
-        }
-    }
-    return findings;
-}

package/dist/scanners/network/cors-misconfiguration.d.ts DELETED Viewed

@@ -1,14 +0,0 @@
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../types.js";
-/**
- * VC-NET-003: Over-permissive CORS with credentials
- *
- * Detects CORS configurations that combine:
- * - allowCredentials: true (or "Access-Control-Allow-Credentials: true")
- * AND
- * - allowOrigin: "*" (or reflects arbitrary origin unsafely)
- *
- * Two-signal: must see both wildcard origin AND credentials enabled
- */
-export declare function scanCorsMisconfiguration(context: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=cors-misconfiguration.d.ts.map

package/dist/scanners/network/cors-misconfiguration.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"cors-misconfiguration.d.ts","sourceRoot":"","sources":["../../../src/scanners/network/cors-misconfiguration.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAgB,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM/C;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAkFvF"}

package/dist/scanners/network/cors-misconfiguration.js DELETED Viewed

@@ -1,89 +0,0 @@
-import { resolvePath } from "../../utils/file-utils.js";
-import { generateFingerprint, generateFindingId } from "../../utils/fingerprint.js";
-const RULE_ID = "VC-NET-003";
-/**
- * VC-NET-003: Over-permissive CORS with credentials
- *
- * Detects CORS configurations that combine:
- * - allowCredentials: true (or "Access-Control-Allow-Credentials: true")
- * AND
- * - allowOrigin: "*" (or reflects arbitrary origin unsafely)
- *
- * Two-signal: must see both wildcard origin AND credentials enabled
- */
-export async function scanCorsMisconfiguration(context) {
-    const { repoRoot, fileIndex, helpers } = context;
-    const findings = [];
-    // Scan all source files for CORS configuration
-    for (const relPath of fileIndex.allSourceFiles) {
-        const absPath = resolvePath(repoRoot, relPath);
-        const sourceFile = helpers.parseFile(absPath);
-        if (!sourceFile)
-            continue;
-        const corsConfigs = helpers.findCorsConfig(sourceFile);
-        for (const config of corsConfigs) {
-            // Two-signal: only flag when BOTH wildcard origin AND credentials
-            if (!config.hasWildcardOrigin || !config.hasCredentials) {
-                continue;
-            }
-            const evidence = [
-                {
-                    file: relPath,
-                    startLine: config.line,
-                    endLine: config.line,
-                    snippet: config.snippet,
-                    label: `CORS with origin: "${config.originValue}" and credentials: ${config.credentialsValue}`,
-                },
-            ];
-            const fingerprint = generateFingerprint({
-                ruleId: RULE_ID,
-                file: relPath,
-                symbol: "cors",
-                startLine: config.line,
-            });
-            findings.push({
-                id: generateFindingId({
-                    ruleId: RULE_ID,
-                    file: relPath,
-                    symbol: "cors",
-                    startLine: config.line,
-                }),
-                ruleId: RULE_ID,
-                title: "Over-permissive CORS with credentials",
-                description: `The CORS configuration allows credentials (cookies, auth headers) to be sent with requests from any origin (*). This is dangerous because it allows any website to make authenticated requests to your API on behalf of logged-in users, enabling CSRF-like attacks. Browsers will actually block this specific combination, but the intent suggests a security misunderstanding.`,
-                severity: "high",
-                confidence: 0.9,
-                category: "network",
-                evidence,
-                remediation: {
-                    recommendedFix: `When using credentials, you must specify explicit allowed origins instead of "*". Use an allowlist of trusted domains.`,
-                    patch: `// Instead of:
-// cors({ origin: "*", credentials: true })
-// Use an allowlist:
-const allowedOrigins = [
-  'https://app.example.com',
-  'https://admin.example.com',
-];
-app.use(cors({
-  origin: (origin, callback) => {
-    if (!origin || allowedOrigins.includes(origin)) {
-      callback(null, true);
-    } else {
-      callback(new Error('Not allowed by CORS'));
-    }
-  },
-  credentials: true,
-}));`,
-                },
-                links: {
-                    cwe: "https://cwe.mitre.org/data/definitions/942.html",
-                    owasp: "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing",
-                },
-                fingerprint,
-            });
-        }
-    }
-    return findings;
-}

package/dist/scanners/network/index.d.ts DELETED Viewed

@@ -1,7 +0,0 @@
-import type { ScannerPack } from "../types.js";
-export declare const networkPack: ScannerPack;
-export { scanSsrfProneFetch } from "./ssrf-prone-fetch.js";
-export { scanOpenRedirect } from "./open-redirect.js";
-export { scanCorsMisconfiguration } from "./cors-misconfiguration.js";
-export { scanMissingTimeout } from "./missing-timeout.js";
-//# sourceMappingURL=index.d.ts.map

package/dist/scanners/network/index.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/network/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM/C,eAAO,MAAM,WAAW,EAAE,WASzB,CAAC;AAEF,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/scanners/network/index.js DELETED Viewed

@@ -1,18 +0,0 @@
-import { scanSsrfProneFetch } from "./ssrf-prone-fetch.js";
-import { scanOpenRedirect } from "./open-redirect.js";
-import { scanCorsMisconfiguration } from "./cors-misconfiguration.js";
-import { scanMissingTimeout } from "./missing-timeout.js";
-export const networkPack = {
-    id: "network",
-    name: "Network Security",
-    scanners: [
-        scanSsrfProneFetch,
-        scanOpenRedirect,
-        scanCorsMisconfiguration,
-        scanMissingTimeout,
-    ],
-};
-export { scanSsrfProneFetch } from "./ssrf-prone-fetch.js";
-export { scanOpenRedirect } from "./open-redirect.js";
-export { scanCorsMisconfiguration } from "./cors-misconfiguration.js";
-export { scanMissingTimeout } from "./missing-timeout.js";

package/dist/scanners/network/missing-timeout.d.ts DELETED Viewed

@@ -1,15 +0,0 @@
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../types.js";
-/**
- * VC-NET-004: Missing request timeout on outbound calls
- *
- * Detects axios/fetch usage without explicit timeout:
- * - axios(...) without timeout option
- * - fetch(...) without AbortController / timeout wrapper
- *
- * Precision rule:
- * - Only flag when outbound call is inside a route handler (app/api/**) AND
- * - Call appears to hit non-localhost URL (string literal starting http)
- */
-export declare function scanMissingTimeout(context: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=missing-timeout.d.ts.map

package/dist/scanners/network/missing-timeout.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"missing-timeout.d.ts","sourceRoot":"","sources":["../../../src/scanners/network/missing-timeout.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAgB,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM/C;;;;;;;;;;GAUG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAqFjF"}