@quantracode/vibecheck 0.0.1 → 0.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@quantracode/vibecheck",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "Security scanner for modern web applications",
   "type": "module",
   "main": "./dist/index.js",
@@ -43,24 +43,30 @@
     "node": ">=18.0.0"
   },
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsup",
+    "build:tsc": "tsc -p tsconfig.build.json",
     "typecheck": "tsc --noEmit",
-    "dev": "tsc -p tsconfig.build.json --watch",
+    "dev": "tsup --watch",
     "test": "vitest run",
     "test:watch": "vitest",
     "vibecheck": "node ./dist/index.js",
     "smoke": "node scripts/smoke-test.mjs",
-    "prepublishOnly": "pnpm run build"
+    "pack:check": "node scripts/pack-check.mjs",
+    "prepublishOnly": "pnpm run build && pnpm run pack:check"
   },
   "dependencies": {
-    "@vibecheck/policy": "workspace:*",
-    "@vibecheck/schema": "workspace:*",
     "commander": "^12.1.0",
     "fast-glob": "^3.3.2",
-    "ts-morph": "^24.0.0"
+    "micromatch": "^4.0.8",
+    "ts-morph": "^24.0.0",
+    "zod": "^3.24.1"
   },
   "devDependencies": {
+    "@types/micromatch": "^4.0.9",
     "@types/node": "^22.10.2",
+    "@vibecheck/policy": "workspace:*",
+    "@vibecheck/schema": "workspace:*",
+    "tsup": "^8.5.1",
     "vitest": "^2.1.8"
   }
 }

package/dist/__tests__/cli.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=cli.test.d.ts.map

package/dist/__tests__/cli.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cli.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/cli.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/cli.test.js

@@ -1,243 +0,0 @@
-import { describe, it, expect } from "vitest";
-import { executeScan } from "../commands/scan.js";
-import { executeExplain } from "../commands/explain.js";
-import { ScanArtifactSchema } from "@vibecheck/schema";
-import path from "node:path";
-import fs from "node:fs";
-import os from "node:os";
-describe("scan command", () => {
-    it("produces valid artifact", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const outputPath = path.join(tmpDir, "output", "scan.json");
-        // Create a simple test file
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const url = process.env.DATABASE_URL;`);
-        try {
-            const options = {
-                out: outputPath,
-                format: "json",
-                failOn: "critical", // Don't fail on high so we can test output
-                changed: false,
-            };
-            // Capture console output
-            const originalLog = console.log;
-            const logs = [];
-            console.log = (...args) => logs.push(args.join(" "));
-            await executeScan(tmpDir, options);
-            console.log = originalLog;
-            // Read and validate output
-            const content = fs.readFileSync(outputPath, "utf-8");
-            const artifact = JSON.parse(content);
-            const result = ScanArtifactSchema.safeParse(artifact);
-            expect(result.success).toBe(true);
-            if (result.success) {
-                expect(result.data.artifactVersion).toBe("0.1");
-                expect(result.data.tool.name).toBe("vibecheck");
-                expect(result.data.findings.length).toBeGreaterThan(0);
-            }
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("includes repo info when available", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const outputPath = path.join(tmpDir, "scan.json");
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const x = 1;`);
-        try {
-            const options = {
-                out: outputPath,
-                format: "json",
-                repoName: "test-repo",
-                failOn: "critical",
-                changed: false,
-            };
-            const originalLog = console.log;
-            console.log = () => { };
-            await executeScan(tmpDir, options);
-            console.log = originalLog;
-            const artifact = JSON.parse(fs.readFileSync(outputPath, "utf-8"));
-            expect(artifact.repo.name).toBe("test-repo");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("includes metrics in output", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const outputPath = path.join(tmpDir, "scan.json");
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const x = 1;`);
-        try {
-            const options = {
-                out: outputPath,
-                format: "json",
-                failOn: "critical",
-                changed: false,
-            };
-            const originalLog = console.log;
-            console.log = () => { };
-            await executeScan(tmpDir, options);
-            console.log = originalLog;
-            const artifact = JSON.parse(fs.readFileSync(outputPath, "utf-8"));
-            expect(artifact.metrics).toBeDefined();
-            expect(artifact.metrics.filesScanned).toBe(1);
-            expect(artifact.metrics.scanDurationMs).toBeGreaterThanOrEqual(0);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("exits with non-zero when findings exceed threshold", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const outputPath = path.join(tmpDir, "scan.json");
-        // Create file with high severity finding
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const key = process.env.API_SECRET_KEY;`);
-        try {
-            const options = {
-                out: outputPath,
-                format: "json",
-                failOn: "high",
-                changed: false,
-            };
-            const originalLog = console.log;
-            console.log = () => { };
-            const exitCode = await executeScan(tmpDir, options);
-            console.log = originalLog;
-            expect(exitCode).toBe(1);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-});
-describe("explain command", () => {
-    it("reads and displays artifact", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const artifactPath = path.join(tmpDir, "scan.json");
-        const artifact = {
-            artifactVersion: "0.1",
-            generatedAt: new Date().toISOString(),
-            tool: { name: "vibecheck", version: "0.0.1" },
-            summary: {
-                totalFindings: 1,
-                bySeverity: { critical: 0, high: 1, medium: 0, low: 0, info: 0 },
-                byCategory: {
-                    auth: 1,
-                    validation: 0,
-                    middleware: 0,
-                    secrets: 0,
-                    injection: 0,
-                    privacy: 0,
-                    config: 0,
-                    other: 0,
-                },
-            },
-            findings: [
-                {
-                    id: "test-001",
-                    severity: "high",
-                    confidence: 0.9,
-                    category: "auth",
-                    ruleId: "VC-AUTH-001",
-                    title: "Test finding",
-                    description: "Test description",
-                    evidence: [
-                        { file: "test.ts", startLine: 1, endLine: 1, label: "Test label" },
-                    ],
-                    remediation: { recommendedFix: "Fix it" },
-                    fingerprint: "abc123",
-                },
-            ],
-        };
-        fs.writeFileSync(artifactPath, JSON.stringify(artifact));
-        try {
-            const originalLog = console.log;
-            const logs = [];
-            console.log = (...args) => logs.push(args.join(" "));
-            const exitCode = await executeExplain(artifactPath, { limit: 5 });
-            console.log = originalLog;
-            expect(exitCode).toBe(0);
-            expect(logs.some((l) => l.includes("VIBECHECK SCAN REPORT"))).toBe(true);
-            expect(logs.some((l) => l.includes("Test finding"))).toBe(true);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("returns error for invalid artifact", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const artifactPath = path.join(tmpDir, "invalid.json");
-        fs.writeFileSync(artifactPath, JSON.stringify({ invalid: true }));
-        try {
-            const originalLog = console.log;
-            const originalError = console.error;
-            console.log = () => { };
-            console.error = () => { };
-            const exitCode = await executeExplain(artifactPath, { limit: 5 });
-            console.log = originalLog;
-            console.error = originalError;
-            expect(exitCode).toBe(1);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-});
-describe("artifact output shape", () => {
-    it("has correct structure", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const outputPath = path.join(tmpDir, "scan.json");
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `import { z } from "zod";
-// unused
-`);
-        try {
-            const options = {
-                out: outputPath,
-                format: "json",
-                failOn: "critical",
-                changed: false,
-            };
-            const originalLog = console.log;
-            console.log = () => { };
-            await executeScan(tmpDir, options);
-            console.log = originalLog;
-            const artifact = JSON.parse(fs.readFileSync(outputPath, "utf-8"));
-            // Check top-level structure
-            expect(artifact).toHaveProperty("artifactVersion", "0.1");
-            expect(artifact).toHaveProperty("generatedAt");
-            expect(artifact).toHaveProperty("tool");
-            expect(artifact).toHaveProperty("summary");
-            expect(artifact).toHaveProperty("findings");
-            // Check tool info
-            expect(artifact.tool).toHaveProperty("name", "vibecheck");
-            expect(artifact.tool).toHaveProperty("version");
-            // Check summary structure
-            expect(artifact.summary).toHaveProperty("totalFindings");
-            expect(artifact.summary).toHaveProperty("bySeverity");
-            expect(artifact.summary).toHaveProperty("byCategory");
-            // Check finding structure (if any)
-            if (artifact.findings.length > 0) {
-                const finding = artifact.findings[0];
-                expect(finding).toHaveProperty("id");
-                expect(finding).toHaveProperty("severity");
-                expect(finding).toHaveProperty("confidence");
-                expect(finding).toHaveProperty("category");
-                expect(finding).toHaveProperty("ruleId");
-                expect(finding).toHaveProperty("title");
-                expect(finding).toHaveProperty("description");
-                expect(finding).toHaveProperty("evidence");
-                expect(finding).toHaveProperty("remediation");
-                expect(finding).toHaveProperty("fingerprint");
-                // Check ruleId format
-                expect(finding.ruleId).toMatch(/^VC-[A-Z]+-\d{3}$/);
-                // Check evidence structure
-                expect(finding.evidence[0]).toHaveProperty("file");
-                expect(finding.evidence[0]).toHaveProperty("startLine");
-                expect(finding.evidence[0]).toHaveProperty("endLine");
-                expect(finding.evidence[0]).toHaveProperty("label");
-            }
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-});

package/dist/__tests__/fixtures/safe-app/app/api/users/route.js

@@ -1,36 +0,0 @@
-import { prisma } from "@/lib/prisma";
-import { getServerSession } from "next-auth";
-import { z } from "zod";
-const userSchema = z.object({
-    name: z.string(),
-    email: z.string().email(),
-});
-// Safe: Has auth check
-export async function POST(request) {
-    const session = await getServerSession();
-    if (!session) {
-        return Response.json({ error: "Unauthorized" }, { status: 401 });
-    }
-    const body = await request.json();
-    // Safe: Validation result is used
-    const validatedData = userSchema.parse(body);
-    const user = await prisma.user.create({
-        data: validatedData,
-    });
-    // Safe: Not logging sensitive data
-    console.log("Created user:", { id: user.id, timestamp: Date.now() });
-    return Response.json(user);
-}
-// Safe: Has auth check
-export async function DELETE(request) {
-    const session = await getServerSession();
-    if (!session) {
-        return Response.json({ error: "Unauthorized" }, { status: 401 });
-    }
-    const { searchParams } = new URL(request.url);
-    const id = searchParams.get("id");
-    await prisma.user.delete({
-        where: { id },
-    });
-    return Response.json({ success: true });
-}

package/dist/__tests__/fixtures/vulnerable-app/app/api/users/route.js

@@ -1,28 +0,0 @@
-import { prisma } from "@/lib/prisma";
-import { z } from "zod";
-const userSchema = z.object({
-    name: z.string(),
-    email: z.string().email(),
-});
-// VC-AUTH-001: No auth check before database write
-export async function POST(request) {
-    const body = await request.json();
-    // VC-VAL-001: Validation called but result ignored
-    userSchema.parse(body);
-    // Using raw body instead of validated data
-    const user = await prisma.user.create({
-        data: body,
-    });
-    // VC-PRIV-001: Logging sensitive data
-    console.log("Created user:", { email: body.email, password: body.password });
-    return Response.json(user);
-}
-// VC-AUTH-001: Critical - delete without auth
-export async function DELETE(request) {
-    const { searchParams } = new URL(request.url);
-    const id = searchParams.get("id");
-    await prisma.user.delete({
-        where: { id },
-    });
-    return Response.json({ success: true });
-}

package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts

@@ -1,4 +0,0 @@
-export declare const JWT_SECRET: string;
-export declare const SESSION_SECRET: string;
-export declare const API_URL: string;
-//# sourceMappingURL=config.d.ts.map

package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../../../src/__tests__/fixtures/vulnerable-app/lib/config.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,UAAU,QAA6C,CAAC;AAGrE,eAAO,MAAM,cAAc,QAA8C,CAAC;AAG1E,eAAO,MAAM,OAAO,QAAiD,CAAC"}

package/dist/__tests__/fixtures/vulnerable-app/lib/config.js

@@ -1,6 +0,0 @@
-// VC-CONFIG-002: Insecure default for critical secret
-export const JWT_SECRET = process.env.JWT_SECRET || "dev-secret-123";
-// VC-CONFIG-002: Another insecure default
-export const SESSION_SECRET = process.env.SESSION_SECRET ?? "session-dev";
-// Safe - not a secret
-export const API_URL = process.env.API_URL || "http://localhost:3000";

package/dist/__tests__/scanners/env-config.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=env-config.test.d.ts.map

package/dist/__tests__/scanners/env-config.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"env-config.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/scanners/env-config.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/scanners/env-config.test.js

@@ -1,142 +0,0 @@
-import { describe, it, expect } from "vitest";
-import { parseEnvExample, findEnvUsages, scanEnvConfig, } from "../../scanners/env-config.js";
-import path from "node:path";
-import fs from "node:fs";
-import os from "node:os";
-describe("parseEnvExample", () => {
-    it("parses simple env file", () => {
-        const content = `
-DATABASE_URL=
-API_KEY=your-key-here
-SECRET_TOKEN=
-`;
-        const vars = parseEnvExample(content);
-        expect(vars.has("DATABASE_URL")).toBe(true);
-        expect(vars.has("API_KEY")).toBe(true);
-        expect(vars.has("SECRET_TOKEN")).toBe(true);
-    });
-    it("ignores comments", () => {
-        const content = `
-# This is a comment
-DATABASE_URL=
-# API_KEY=should-be-ignored
-`;
-        const vars = parseEnvExample(content);
-        expect(vars.has("DATABASE_URL")).toBe(true);
-        expect(vars.has("API_KEY")).toBe(false);
-    });
-    it("handles empty lines", () => {
-        const content = `
-
-DATABASE_URL=
-
-API_KEY=
-
-`;
-        const vars = parseEnvExample(content);
-        expect(vars.size).toBe(2);
-    });
-    it("handles vars without values", () => {
-        const content = `DATABASE_URL`;
-        const vars = parseEnvExample(content);
-        expect(vars.has("DATABASE_URL")).toBe(true);
-    });
-});
-describe("findEnvUsages", () => {
-    it("finds process.env.VAR usage", () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const filePath = path.join(tmpDir, "test.ts");
-        fs.writeFileSync(filePath, `
-const url = process.env.DATABASE_URL;
-const key = process.env.API_KEY;
-`);
-        try {
-            const usages = findEnvUsages(["test.ts"], tmpDir);
-            expect(usages).toHaveLength(2);
-            expect(usages[0].name).toBe("DATABASE_URL");
-            expect(usages[1].name).toBe("API_KEY");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("finds bracket notation usage", () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const filePath = path.join(tmpDir, "test.ts");
-        fs.writeFileSync(filePath, `const url = process.env["DATABASE_URL"];`);
-        try {
-            const usages = findEnvUsages(["test.ts"], tmpDir);
-            expect(usages).toHaveLength(1);
-            expect(usages[0].name).toBe("DATABASE_URL");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("returns correct line numbers", () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const filePath = path.join(tmpDir, "test.ts");
-        fs.writeFileSync(filePath, `// line 1
-// line 2
-const x = process.env.MY_VAR; // line 3
-`);
-        try {
-            const usages = findEnvUsages(["test.ts"], tmpDir);
-            expect(usages[0].line).toBe(3);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-});
-describe("scanEnvConfig", () => {
-    it("creates findings for undocumented env vars", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        const filePath = path.join(tmpDir, "app.ts");
-        fs.writeFileSync(filePath, `const url = process.env.DATABASE_URL;`);
-        try {
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: ["app.ts"],
-            };
-            const findings = await scanEnvConfig(context);
-            expect(findings).toHaveLength(1);
-            expect(findings[0].ruleId).toBe("VC-CONFIG-001");
-            expect(findings[0].title).toContain("DATABASE_URL");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("does not create findings for documented vars", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const url = process.env.DATABASE_URL;`);
-        fs.writeFileSync(path.join(tmpDir, ".env.example"), "DATABASE_URL=");
-        try {
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: ["app.ts"],
-            };
-            const findings = await scanEnvConfig(context);
-            expect(findings).toHaveLength(0);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("marks SECRET-like vars as high severity", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const key = process.env.API_SECRET_KEY;`);
-        try {
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: ["app.ts"],
-            };
-            const findings = await scanEnvConfig(context);
-            expect(findings[0].severity).toBe("high");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-});

package/dist/__tests__/scanners/nextjs-middleware.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=nextjs-middleware.test.d.ts.map

package/dist/__tests__/scanners/nextjs-middleware.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"nextjs-middleware.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/scanners/nextjs-middleware.test.ts"],"names":[],"mappings":""}