@quantracode/vibecheck 0.0.1 → 0.0.2

package/dist/__tests__/scanners/nextjs-middleware.test.js

@@ -1,193 +0,0 @@
-import { describe, it, expect } from "vitest";
-import { parseMatcherConfig, matcherCoversApi, scanNextjsMiddleware, } from "../../scanners/nextjs-middleware.js";
-import path from "node:path";
-import fs from "node:fs";
-import os from "node:os";
-describe("parseMatcherConfig", () => {
-    it("parses single string matcher", () => {
-        const content = `
-export const config = {
-  matcher: '/dashboard/:path*'
-};
-`;
-        const matchers = parseMatcherConfig(content);
-        expect(matchers).toEqual(["/dashboard/:path*"]);
-    });
-    it("parses array matcher", () => {
-        const content = `
-export const config = {
-  matcher: ['/dashboard/:path*', '/admin/:path*']
-};
-`;
-        const matchers = parseMatcherConfig(content);
-        expect(matchers).toEqual(["/dashboard/:path*", "/admin/:path*"]);
-    });
-    it("returns null when no config export", () => {
-        const content = `
-export function middleware(request) {
-  return NextResponse.next();
-}
-`;
-        const matchers = parseMatcherConfig(content);
-        expect(matchers).toBeNull();
-    });
-    it("parses complex negation pattern", () => {
-        const content = `
-export const config = {
-  matcher: '/((?!_next/static|_next/image|favicon.ico).*)'
-};
-`;
-        const matchers = parseMatcherConfig(content);
-        expect(matchers).toEqual(["/((?!_next/static|_next/image|favicon.ico).*)"]);
-    });
-});
-describe("matcherCoversApi", () => {
-    it("returns true for direct /api match", () => {
-        expect(matcherCoversApi(["/api"])).toBe(true);
-        expect(matcherCoversApi(["/api/:path*"])).toBe(true);
-    });
-    it("returns true for patterns starting with /api", () => {
-        expect(matcherCoversApi(["/api/users/:path*"])).toBe(true);
-    });
-    it("returns true for catch-all patterns", () => {
-        expect(matcherCoversApi(["/:path*"])).toBe(true);
-    });
-    it("returns true for negation patterns not excluding api", () => {
-        expect(matcherCoversApi(["/((?!_next/static|_next/image|favicon.ico).*)"])).toBe(true);
-    });
-    it("returns false for dashboard-only patterns", () => {
-        expect(matcherCoversApi(["/dashboard/:path*"])).toBe(false);
-    });
-    it("returns false for unrelated patterns", () => {
-        expect(matcherCoversApi(["/admin", "/profile"])).toBe(false);
-    });
-});
-describe("scanNextjsMiddleware", () => {
-    function createNextProject(tmpDir, options = {}) {
-        // Create package.json
-        const pkg = {
-            name: "test-app",
-            dependencies: {
-                next: "14.0.0",
-                ...(options.hasNextAuth && { "next-auth": "4.0.0" }),
-            },
-        };
-        fs.writeFileSync(path.join(tmpDir, "package.json"), JSON.stringify(pkg));
-        // Create middleware if specified
-        if (options.hasMiddleware && options.middlewareContent) {
-            fs.writeFileSync(path.join(tmpDir, "middleware.ts"), options.middlewareContent);
-        }
-        // Create API routes if specified
-        if (options.hasApiRoutes) {
-            const apiDir = path.join(tmpDir, "app", "api", "users");
-            fs.mkdirSync(apiDir, { recursive: true });
-            fs.writeFileSync(path.join(apiDir, "route.ts"), `export async function GET() { return Response.json({}); }`);
-        }
-    }
-    it("returns no findings for non-Next.js project", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        try {
-            fs.writeFileSync(path.join(tmpDir, "package.json"), JSON.stringify({ name: "test" }));
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: [],
-            };
-            const findings = await scanNextjsMiddleware(context);
-            expect(findings).toHaveLength(0);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("returns no findings when no API routes exist", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        try {
-            createNextProject(tmpDir, { hasApiRoutes: false });
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: [],
-            };
-            const findings = await scanNextjsMiddleware(context);
-            expect(findings).toHaveLength(0);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("finds missing middleware with next-auth", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        try {
-            createNextProject(tmpDir, {
-                hasNextAuth: true,
-                hasApiRoutes: true,
-            });
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: [],
-            };
-            const findings = await scanNextjsMiddleware(context);
-            expect(findings).toHaveLength(1);
-            expect(findings[0].ruleId).toBe("VC-AUTH-INFO-001");
-            expect(findings[0].severity).toBe("medium");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("finds middleware not covering API routes", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        try {
-            createNextProject(tmpDir, {
-                hasMiddleware: true,
-                middlewareContent: `
-export function middleware(request) {
-  return NextResponse.next();
-}
-
-export const config = {
-  matcher: '/dashboard/:path*'
-};
-`,
-                hasApiRoutes: true,
-            });
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: [],
-            };
-            const findings = await scanNextjsMiddleware(context);
-            expect(findings).toHaveLength(1);
-            expect(findings[0].ruleId).toBe("VC-MW-001");
-            expect(findings[0].severity).toBe("high");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("returns no findings when middleware covers API", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        try {
-            createNextProject(tmpDir, {
-                hasMiddleware: true,
-                middlewareContent: `
-export function middleware(request) {
-  return NextResponse.next();
-}
-
-export const config = {
-  matcher: ['/dashboard/:path*', '/api/:path*']
-};
-`,
-                hasApiRoutes: true,
-            });
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: [],
-            };
-            const findings = await scanNextjsMiddleware(context);
-            expect(findings).toHaveLength(0);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-});

package/dist/__tests__/scanners/scanner-packs.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=scanner-packs.test.d.ts.map

package/dist/__tests__/scanners/scanner-packs.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"scanner-packs.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/scanners/scanner-packs.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/scanners/scanner-packs.test.js

@@ -1,126 +0,0 @@
-import { describe, it, expect, beforeAll } from "vitest";
-import path from "node:path";
-import { buildScanContext } from "../../scanners/index.js";
-import { scanUnprotectedApiRoutes } from "../../scanners/auth/unprotected-api-route.js";
-import { parseMatcherConfig, matcherCoversApi } from "../../scanners/auth/middleware-gap.js";
-import { scanInsecureDefaults } from "../../scanners/config/insecure-defaults.js";
-import { findSecurityImports, checkIdentifierUsage, } from "../../scanners/hallucinations/unused-security-imports.js";
-const FIXTURES_DIR = path.resolve(__dirname, "../fixtures");
-const VULNERABLE_APP = path.join(FIXTURES_DIR, "vulnerable-app");
-const SAFE_APP = path.join(FIXTURES_DIR, "safe-app");
-describe("Scanner Packs", () => {
-    let vulnerableContext;
-    let safeContext;
-    beforeAll(async () => {
-        vulnerableContext = await buildScanContext(VULNERABLE_APP);
-        safeContext = await buildScanContext(SAFE_APP);
-    });
-    describe("Auth Pack", () => {
-        describe("VC-AUTH-001: Unprotected API Routes", () => {
-            it("should detect unprotected POST handler with database writes", async () => {
-                const findings = await scanUnprotectedApiRoutes(vulnerableContext);
-                const postFinding = findings.find((f) => f.ruleId === "VC-AUTH-001" && f.title.includes("POST"));
-                expect(postFinding).toBeDefined();
-                expect(postFinding?.severity).toBe("high");
-                expect(postFinding?.category).toBe("auth");
-            });
-            it("should detect unprotected DELETE handler as critical", async () => {
-                const findings = await scanUnprotectedApiRoutes(vulnerableContext);
-                const deleteFinding = findings.find((f) => f.ruleId === "VC-AUTH-001" && f.title.includes("DELETE"));
-                expect(deleteFinding).toBeDefined();
-                expect(deleteFinding?.severity).toBe("critical");
-            });
-            it("should not flag protected routes", async () => {
-                const findings = await scanUnprotectedApiRoutes(safeContext);
-                expect(findings).toHaveLength(0);
-            });
-        });
-        describe("Middleware Gap Detection", () => {
-            it("should parse single string matcher", () => {
-                const content = `export const config = { matcher: '/api/:path*' }`;
-                const matchers = parseMatcherConfig(content);
-                expect(matchers).toEqual(["/api/:path*"]);
-            });
-            it("should parse array matcher", () => {
-                const content = `export const config = { matcher: ['/api/:path*', '/admin/:path*'] }`;
-                const matchers = parseMatcherConfig(content);
-                expect(matchers).toEqual(["/api/:path*", "/admin/:path*"]);
-            });
-            it("should detect when matcher covers api", () => {
-                expect(matcherCoversApi(["/api/:path*"])).toBe(true);
-                expect(matcherCoversApi(["/api/users"])).toBe(true);
-                expect(matcherCoversApi(["/:path*"])).toBe(true);
-            });
-            it("should detect when matcher does not cover api", () => {
-                expect(matcherCoversApi(["/dashboard/:path*"])).toBe(false);
-                expect(matcherCoversApi(["/admin/:path*"])).toBe(false);
-            });
-        });
-    });
-    describe("Config Pack", () => {
-        describe("VC-CONFIG-002: Insecure Defaults", () => {
-            it("should detect insecure default for JWT_SECRET", async () => {
-                const findings = await scanInsecureDefaults(vulnerableContext);
-                const jwtFinding = findings.find((f) => f.ruleId === "VC-CONFIG-002" && f.title.includes("JWT_SECRET"));
-                expect(jwtFinding).toBeDefined();
-                expect(jwtFinding?.severity).toBe("critical");
-            });
-            it("should detect insecure default for SESSION_SECRET", async () => {
-                const findings = await scanInsecureDefaults(vulnerableContext);
-                const sessionFinding = findings.find((f) => f.ruleId === "VC-CONFIG-002" && f.title.includes("SESSION_SECRET"));
-                expect(sessionFinding).toBeDefined();
-                expect(sessionFinding?.severity).toBe("critical");
-            });
-        });
-    });
-    describe("Hallucinations Pack", () => {
-        describe("findSecurityImports", () => {
-            it("should find default imports", () => {
-                const content = `import helmet from "helmet";`;
-                const imports = findSecurityImports(content, ["helmet"]);
-                expect(imports).toHaveLength(1);
-                expect(imports[0].library).toBe("helmet");
-                expect(imports[0].importedNames).toEqual(["helmet"]);
-                expect(imports[0].isDefaultImport).toBe(true);
-            });
-            it("should find named imports", () => {
-                const content = `import { z, ZodError } from "zod";`;
-                const imports = findSecurityImports(content, ["zod"]);
-                expect(imports).toHaveLength(1);
-                expect(imports[0].library).toBe("zod");
-                expect(imports[0].importedNames).toContain("z");
-                expect(imports[0].importedNames).toContain("ZodError");
-            });
-            it("should find namespace imports", () => {
-                const content = `import * as yup from "yup";`;
-                const imports = findSecurityImports(content, ["yup"]);
-                expect(imports).toHaveLength(1);
-                expect(imports[0].library).toBe("yup");
-                expect(imports[0].isNamespaceImport).toBe(true);
-            });
-        });
-        describe("checkIdentifierUsage", () => {
-            it("should detect used identifiers", () => {
-                const content = `import helmet from "helmet";
-
-app.use(helmet());`;
-                const usage = checkIdentifierUsage(content, 1, ["helmet"], false);
-                expect(usage[0].used).toBe(true);
-            });
-            it("should detect unused identifiers", () => {
-                const content = `import helmet from "helmet";
-
-app.use(cors());`;
-                const usage = checkIdentifierUsage(content, 1, ["helmet"], false);
-                expect(usage[0].used).toBe(false);
-            });
-            it("should detect namespace usage", () => {
-                const content = `import * as yup from "yup";
-
-const schema = yup.object();`;
-                const usage = checkIdentifierUsage(content, 1, ["yup"], true);
-                expect(usage[0].used).toBe(true);
-            });
-        });
-    });
-});

package/dist/__tests__/scanners/unused-security-imports.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=unused-security-imports.test.d.ts.map

package/dist/__tests__/scanners/unused-security-imports.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"unused-security-imports.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/scanners/unused-security-imports.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/scanners/unused-security-imports.test.js

@@ -1,145 +0,0 @@
-import { describe, it, expect } from "vitest";
-import { findSecurityImports, checkIdentifierUsage, scanUnusedSecurityImports, } from "../../scanners/unused-security-imports.js";
-import path from "node:path";
-import fs from "node:fs";
-import os from "node:os";
-describe("findSecurityImports", () => {
-    it("finds default imports", () => {
-        const content = `import zod from "zod";`;
-        const imports = findSecurityImports(content, ["zod"]);
-        expect(imports).toHaveLength(1);
-        expect(imports[0].library).toBe("zod");
-        expect(imports[0].importedNames).toContain("zod");
-        expect(imports[0].isDefaultImport).toBe(true);
-    });
-    it("finds named imports", () => {
-        const content = `import { z, ZodError } from "zod";`;
-        const imports = findSecurityImports(content, ["zod"]);
-        expect(imports).toHaveLength(1);
-        expect(imports[0].importedNames).toContain("z");
-        expect(imports[0].importedNames).toContain("ZodError");
-    });
-    it("finds namespace imports", () => {
-        const content = `import * as yup from "yup";`;
-        const imports = findSecurityImports(content, ["yup"]);
-        expect(imports).toHaveLength(1);
-        expect(imports[0].isNamespaceImport).toBe(true);
-        expect(imports[0].importedNames).toContain("yup");
-    });
-    it("finds helmet import", () => {
-        const content = `import helmet from "helmet";`;
-        const imports = findSecurityImports(content, ["helmet"]);
-        expect(imports).toHaveLength(1);
-        expect(imports[0].library).toBe("helmet");
-    });
-    it("returns correct line numbers", () => {
-        const content = `// line 1
-// line 2
-import { z } from "zod";
-`;
-        const imports = findSecurityImports(content, ["zod"]);
-        expect(imports[0].line).toBe(3);
-    });
-    it("ignores non-security imports", () => {
-        const content = `
-import express from "express";
-import { z } from "zod";
-`;
-        const imports = findSecurityImports(content, ["zod", "helmet"]);
-        expect(imports).toHaveLength(1);
-        expect(imports[0].library).toBe("zod");
-    });
-});
-describe("checkIdentifierUsage", () => {
-    it("detects used identifiers", () => {
-        const content = `
-import { z } from "zod";
-const schema = z.string();
-`;
-        const result = checkIdentifierUsage(content, 2, ["z"], false);
-        expect(result[0].used).toBe(true);
-    });
-    it("detects unused identifiers", () => {
-        const content = `
-import { z, ZodError } from "zod";
-const schema = z.string();
-`;
-        const result = checkIdentifierUsage(content, 2, ["z", "ZodError"], false);
-        expect(result.find((r) => r.identifier === "z")?.used).toBe(true);
-        expect(result.find((r) => r.identifier === "ZodError")?.used).toBe(false);
-    });
-    it("handles namespace imports", () => {
-        const content = `
-import * as yup from "yup";
-const schema = yup.string();
-`;
-        const result = checkIdentifierUsage(content, 2, ["yup"], true);
-        expect(result[0].used).toBe(true);
-    });
-    it("detects unused namespace imports", () => {
-        const content = `
-import * as yup from "yup";
-// not used
-`;
-        const result = checkIdentifierUsage(content, 2, ["yup"], true);
-        expect(result[0].used).toBe(false);
-    });
-});
-describe("scanUnusedSecurityImports", () => {
-    it("finds unused zod import", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `import { z } from "zod";
-// import is never used below
-const x = 1;
-`);
-        try {
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: ["app.ts"],
-            };
-            const findings = await scanUnusedSecurityImports(context);
-            expect(findings).toHaveLength(1);
-            expect(findings[0].ruleId).toBe("VC-HALL-001");
-            expect(findings[0].category).toBe("validation");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("does not flag used imports", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        fs.writeFileSync(path.join(tmpDir, "app.ts"), `import { z } from "zod";
-const schema = z.string();
-`);
-        try {
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: ["app.ts"],
-            };
-            const findings = await scanUnusedSecurityImports(context);
-            expect(findings).toHaveLength(0);
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-    it("finds unused helmet import", async () => {
-        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
-        fs.writeFileSync(path.join(tmpDir, "server.ts"), `import helmet from "helmet";
-// import is never used below
-const app = express();
-`);
-        try {
-            const context = {
-                targetDir: tmpDir,
-                sourceFiles: ["server.ts"],
-            };
-            const findings = await scanUnusedSecurityImports(context);
-            expect(findings).toHaveLength(1);
-            expect(findings[0].category).toBe("middleware");
-        }
-        finally {
-            fs.rmSync(tmpDir, { recursive: true });
-        }
-    });
-});

package/dist/commands/demo-artifact.d.ts

@@ -1,7 +0,0 @@
-import { Command } from "commander";
-export interface DemoArtifactOptions {
-    out?: string;
-}
-export declare function executeDemoArtifact(options: DemoArtifactOptions): void;
-export declare function registerDemoArtifactCommand(program: Command): void;
-//# sourceMappingURL=demo-artifact.d.ts.map

package/dist/commands/demo-artifact.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"demo-artifact.d.ts","sourceRoot":"","sources":["../../src/commands/demo-artifact.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASpC,MAAM,WAAW,mBAAmB;IAClC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AA4SD,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,mBAAmB,GAAG,IAAI,CA6BtE;AAED,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAQlE"}