@quantracode/vibecheck 0.0.1 → 0.0.2

package/dist/commands/demo-artifact.js

@@ -1,322 +0,0 @@
-import { writeFileSync } from "node:fs";
-import { resolve } from "node:path";
-import { ARTIFACT_VERSION, computeSummary, } from "@vibecheck/schema";
-function generateDemoArtifact() {
-    const findings = [
-        {
-            id: "demo-finding-1",
-            ruleId: "VC-AUTH-001",
-            title: "Missing Authentication in API Route",
-            description: "The API route /api/users does not verify user authentication before returning sensitive data. An attacker could access user information without logging in.",
-            severity: "critical",
-            confidence: 0.95,
-            category: "auth",
-            evidence: [
-                {
-                    file: "pages/api/users.ts",
-                    startLine: 5,
-                    endLine: 12,
-                    snippet: `export default async function handler(req, res) {
-  // No authentication check!
-  const users = await db.query("SELECT * FROM users");
-  res.json(users);
-}`,
-                    label: "Unauthenticated API handler",
-                },
-            ],
-            remediation: {
-                recommendedFix: "Add authentication middleware to verify the user session before processing the request.",
-                patch: `import { getServerSession } from "next-auth";
-
-export default async function handler(req, res) {
-  const session = await getServerSession(req, res);
-  if (!session) {
-    return res.status(401).json({ error: "Unauthorized" });
-  }
-  const users = await db.query("SELECT * FROM users");
-  res.json(users);
-}`,
-            },
-            links: {
-                owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
-                cwe: "https://cwe.mitre.org/data/definitions/306.html",
-            },
-            fingerprint: "demo-fp-001",
-        },
-        {
-            id: "demo-finding-2",
-            ruleId: "VC-INJECT-001",
-            title: "SQL Injection Vulnerability",
-            description: "User input is directly interpolated into SQL query without parameterization, allowing attackers to execute arbitrary SQL commands.",
-            severity: "critical",
-            confidence: 0.92,
-            category: "injection",
-            evidence: [
-                {
-                    file: "lib/database.ts",
-                    startLine: 23,
-                    endLine: 25,
-                    snippet: `async function getUser(id: string) {
-  return db.query(\`SELECT * FROM users WHERE id = '\${id}'\`);
-}`,
-                    label: "SQL string interpolation",
-                },
-            ],
-            proof: {
-                summary: "User input flows from API parameter to SQL query without sanitization",
-                nodes: [
-                    {
-                        kind: "route",
-                        label: "User ID received from request query parameter",
-                        file: "pages/api/user/[id].ts",
-                        line: 4,
-                    },
-                    {
-                        kind: "function",
-                        label: "ID passed to getUser() without validation",
-                        file: "pages/api/user/[id].ts",
-                        line: 8,
-                    },
-                    {
-                        kind: "sink",
-                        label: "ID interpolated directly into SQL query",
-                        file: "lib/database.ts",
-                        line: 24,
-                    },
-                ],
-            },
-            remediation: {
-                recommendedFix: "Use parameterized queries or prepared statements instead of string interpolation.",
-                patch: `async function getUser(id: string) {
-  return db.query("SELECT * FROM users WHERE id = $1", [id]);
-}`,
-            },
-            links: {
-                owasp: "https://owasp.org/Top10/A03_2021-Injection/",
-                cwe: "https://cwe.mitre.org/data/definitions/89.html",
-            },
-            fingerprint: "demo-fp-002",
-        },
-        {
-            id: "demo-finding-3",
-            ruleId: "VC-XSS-001",
-            title: "Cross-Site Scripting (XSS) via dangerouslySetInnerHTML",
-            description: "User-generated content is rendered using dangerouslySetInnerHTML without sanitization, enabling XSS attacks.",
-            severity: "high",
-            confidence: 0.88,
-            category: "validation",
-            evidence: [
-                {
-                    file: "components/Comment.tsx",
-                    startLine: 15,
-                    endLine: 17,
-                    snippet: `function Comment({ content }: { content: string }) {
-  return <div dangerouslySetInnerHTML={{ __html: content }} />;
-}`,
-                    label: "Unsanitized HTML rendering",
-                },
-            ],
-            remediation: {
-                recommendedFix: "Sanitize HTML content using a library like DOMPurify before rendering.",
-                patch: `import DOMPurify from "dompurify";
-
-function Comment({ content }: { content: string }) {
-  const sanitized = DOMPurify.sanitize(content);
-  return <div dangerouslySetInnerHTML={{ __html: sanitized }} />;
-}`,
-            },
-            links: {
-                owasp: "https://owasp.org/Top10/A03_2021-Injection/",
-                cwe: "https://cwe.mitre.org/data/definitions/79.html",
-            },
-            fingerprint: "demo-fp-003",
-        },
-        {
-            id: "demo-finding-4",
-            ruleId: "VC-SECRETS-001",
-            title: "Hardcoded API Key in Source Code",
-            description: "An API key is hardcoded in the source file. This could be exposed in version control or client bundles.",
-            severity: "high",
-            confidence: 0.85,
-            category: "secrets",
-            evidence: [
-                {
-                    file: "lib/stripe.ts",
-                    startLine: 3,
-                    endLine: 3,
-                    snippet: `const STRIPE_KEY = "sk_live_abc123xyz789";`,
-                    label: "Hardcoded secret key",
-                },
-            ],
-            remediation: {
-                recommendedFix: "Move secrets to environment variables and never commit them to version control.",
-                patch: `const STRIPE_KEY = process.env.STRIPE_SECRET_KEY;
-
-if (!STRIPE_KEY) {
-  throw new Error("STRIPE_SECRET_KEY environment variable is required");
-}`,
-            },
-            fingerprint: "demo-fp-004",
-        },
-        {
-            id: "demo-finding-5",
-            ruleId: "VC-HALL-001",
-            title: "Unused Security Import: helmet",
-            description: "The helmet security middleware is imported but never used, suggesting incomplete security implementation.",
-            severity: "medium",
-            confidence: 0.94,
-            category: "middleware",
-            evidence: [
-                {
-                    file: "server.ts",
-                    startLine: 2,
-                    endLine: 2,
-                    snippet: `import helmet from "helmet";`,
-                    label: "Unused helmet import",
-                },
-            ],
-            claim: {
-                type: "OTHER",
-                source: "import",
-                scope: "module",
-                strength: "weak",
-                textEvidence: 'import helmet from "helmet"',
-                location: {
-                    file: "server.ts",
-                    startLine: 2,
-                    endLine: 2,
-                },
-            },
-            remediation: {
-                recommendedFix: "Apply the helmet middleware to add security headers, or remove the unused import.",
-                patch: `import helmet from "helmet";
-
-app.use(helmet());`,
-            },
-            fingerprint: "demo-fp-005",
-        },
-        {
-            id: "demo-finding-6",
-            ruleId: "VC-PRIVACY-001",
-            title: "Sensitive Data in Console Logs",
-            description: "User passwords are being logged to the console, which could expose credentials in log files or monitoring systems.",
-            severity: "medium",
-            confidence: 0.91,
-            category: "privacy",
-            evidence: [
-                {
-                    file: "lib/auth.ts",
-                    startLine: 45,
-                    endLine: 45,
-                    snippet: `console.log("Login attempt:", { email, password });`,
-                    label: "Password logged to console",
-                },
-            ],
-            remediation: {
-                recommendedFix: "Remove sensitive data from log statements. Only log non-sensitive identifiers.",
-                patch: `console.log("Login attempt:", { email, timestamp: Date.now() });`,
-            },
-            fingerprint: "demo-fp-006",
-        },
-        {
-            id: "demo-finding-7",
-            ruleId: "VC-CONFIG-001",
-            title: "Insecure Cookie Configuration",
-            description: "Session cookies are configured without the Secure and HttpOnly flags, making them vulnerable to interception and XSS attacks.",
-            severity: "low",
-            confidence: 0.82,
-            category: "config",
-            evidence: [
-                {
-                    file: "lib/session.ts",
-                    startLine: 8,
-                    endLine: 12,
-                    snippet: `const sessionConfig = {
-  name: "session",
-  secret: process.env.SESSION_SECRET,
-  // Missing: secure, httpOnly, sameSite
-};`,
-                    label: "Insecure session config",
-                },
-            ],
-            remediation: {
-                recommendedFix: "Add secure cookie options to protect against common attacks.",
-                patch: `const sessionConfig = {
-  name: "session",
-  secret: process.env.SESSION_SECRET,
-  cookie: {
-    secure: process.env.NODE_ENV === "production",
-    httpOnly: true,
-    sameSite: "strict",
-    maxAge: 60 * 60 * 24 * 7, // 1 week
-  },
-};`,
-            },
-            fingerprint: "demo-fp-007",
-        },
-    ];
-    const artifact = {
-        artifactVersion: ARTIFACT_VERSION,
-        generatedAt: new Date().toISOString(),
-        tool: {
-            name: "vibecheck",
-            version: "0.0.1",
-        },
-        repo: {
-            name: "demo-project",
-            rootPathHash: "demo-hash-12345",
-            git: {
-                branch: "main",
-                commit: "abc1234",
-                isDirty: false,
-            },
-        },
-        summary: computeSummary(findings),
-        findings,
-        metrics: {
-            filesScanned: 42,
-            linesOfCode: 3847,
-            scanDurationMs: 1250,
-            rulesExecuted: 12,
-        },
-    };
-    return artifact;
-}
-export function executeDemoArtifact(options) {
-    const artifact = generateDemoArtifact();
-    const json = JSON.stringify(artifact, null, 2);
-    if (options.out) {
-        const outPath = resolve(process.cwd(), options.out);
-        writeFileSync(outPath, json, "utf-8");
-        console.log(`Demo artifact written to: ${outPath}`);
-    }
-    else {
-        console.log(json);
-    }
-    console.log(`
-============================================================
-Demo Artifact Generated
-============================================================
-
-Findings: ${artifact.summary.totalFindings}
-  - Critical: ${artifact.summary.bySeverity.critical}
-  - High: ${artifact.summary.bySeverity.high}
-  - Medium: ${artifact.summary.bySeverity.medium}
-  - Low: ${artifact.summary.bySeverity.low}
-  - Info: ${artifact.summary.bySeverity.info}
-
-Use this artifact to test the VibeCheck UI:
-  1. Run: pnpm dev:web
-  2. Open: http://localhost:3000
-  3. Import the generated JSON file
-`);
-}
-export function registerDemoArtifactCommand(program) {
-    program
-        .command("demo-artifact")
-        .description("Generate a demo artifact for testing the UI")
-        .option("-o, --out <path>", "Output file path (prints to stdout if not specified)")
-        .action((options) => {
-        executeDemoArtifact(options);
-    });
-}

package/dist/commands/evaluate.d.ts

@@ -1,30 +0,0 @@
-import type { Command } from "commander";
-import { type ProfileName } from "@vibecheck/policy";
-/**
- * Evaluate command options
- */
-export interface EvaluateOptions {
-    /** Path to scan artifact (JSON) */
-    artifact: string;
-    /** Optional baseline artifact for regression detection */
-    baseline?: string;
-    /** Policy profile name */
-    profile: ProfileName;
-    /** Path to policy config file (JSON) */
-    config?: string;
-    /** Path to waivers file (JSON) */
-    waivers?: string;
-    /** Output report to file */
-    out?: string;
-    /** JSON output only (no console summary) */
-    quiet: boolean;
-}
-/**
- * Execute the evaluate command
- */
-export declare function executeEvaluate(options: EvaluateOptions): Promise<number>;
-/**
- * Register evaluate command with commander
- */
-export declare function registerEvaluateCommand(program: Command): void;
-//# sourceMappingURL=evaluate.d.ts.map

package/dist/commands/evaluate.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/commands/evaluate.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,EAKL,KAAK,WAAW,EAOjB,MAAM,mBAAmB,CAAC;AAG3B;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,mCAAmC;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,OAAO,EAAE,WAAW,CAAC;IACrB,wCAAwC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4BAA4B;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,KAAK,EAAE,OAAO,CAAC;CAChB;AAkLD;;GAEG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAqD/E;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA0E9D"}

package/dist/commands/evaluate.js

@@ -1,258 +0,0 @@
-import path from "node:path";
-import { readFileSync, fileExists, resolvePath, writeFileSync, ensureDir } from "../utils/file-utils.js";
-import { evaluate, PROFILE_NAMES, PROFILE_DESCRIPTIONS, WaiversFileSchema, PolicyConfigSchema, } from "@vibecheck/policy";
-import { validateArtifact } from "@vibecheck/schema";
-/**
- * Load and validate scan artifact from file
- */
-function loadArtifact(filepath) {
-    const absolutePath = resolvePath(filepath);
-    if (!fileExists(absolutePath)) {
-        throw new Error(`Artifact file not found: ${filepath}`);
-    }
-    const content = readFileSync(absolutePath);
-    if (!content) {
-        throw new Error(`Failed to read artifact file: ${filepath}`);
-    }
-    const data = JSON.parse(content);
-    // Validate the artifact
-    return validateArtifact(data);
-}
-/**
- * Load and validate waivers file
- */
-function loadWaivers(filepath) {
-    const absolutePath = resolvePath(filepath);
-    if (!fileExists(absolutePath)) {
-        throw new Error(`Waivers file not found: ${filepath}`);
-    }
-    const content = readFileSync(absolutePath);
-    if (!content) {
-        throw new Error(`Failed to read waivers file: ${filepath}`);
-    }
-    const data = JSON.parse(content);
-    const result = WaiversFileSchema.safeParse(data);
-    if (!result.success) {
-        throw new Error(`Invalid waivers file: ${result.error.message}`);
-    }
-    return result.data.waivers;
-}
-/**
- * Load and validate policy config file
- */
-function loadConfig(filepath) {
-    const absolutePath = resolvePath(filepath);
-    if (!fileExists(absolutePath)) {
-        throw new Error(`Config file not found: ${filepath}`);
-    }
-    const content = readFileSync(absolutePath);
-    if (!content) {
-        throw new Error(`Failed to read config file: ${filepath}`);
-    }
-    const data = JSON.parse(content);
-    const result = PolicyConfigSchema.safeParse(data);
-    if (!result.success) {
-        throw new Error(`Invalid config file: ${result.error.message}`);
-    }
-    return result.data;
-}
-/**
- * Format severity for console output with color
- */
-function formatSeverity(severity) {
-    const colors = {
-        critical: "\x1b[35m", // Magenta
-        high: "\x1b[31m", // Red
-        medium: "\x1b[33m", // Yellow
-        low: "\x1b[36m", // Cyan
-        info: "\x1b[90m", // Gray
-    };
-    const reset = "\x1b[0m";
-    return `${colors[severity]}${severity.toUpperCase()}${reset}`;
-}
-/**
- * Format status for console output with color
- */
-function formatStatus(status) {
-    const colors = {
-        pass: "\x1b[32m", // Green
-        warn: "\x1b[33m", // Yellow
-        fail: "\x1b[31m", // Red
-    };
-    const reset = "\x1b[0m";
-    return `${colors[status]}${status.toUpperCase()}${reset}`;
-}
-/**
- * Print evaluation summary to console
- */
-function printSummary(report) {
-    console.log("\n" + "=".repeat(60));
-    console.log("VibeCheck Policy Evaluation");
-    console.log("=".repeat(60));
-    console.log(`\nProfile: ${report.profileName ?? "custom"}`);
-    console.log(`Status: ${formatStatus(report.status)}`);
-    console.log(`Exit Code: ${report.exitCode}`);
-    console.log("\nSummary:");
-    console.log(`  Total active findings: ${report.summary.total}`);
-    console.log(`  Waived findings: ${report.summary.waived}`);
-    console.log(`  Ignored by override: ${report.summary.ignored}`);
-    if (report.summary.total > 0) {
-        console.log("\nBy severity:");
-        if (report.summary.bySeverity.critical > 0) {
-            console.log(`  ${formatSeverity("critical")}: ${report.summary.bySeverity.critical}`);
-        }
-        if (report.summary.bySeverity.high > 0) {
-            console.log(`  ${formatSeverity("high")}: ${report.summary.bySeverity.high}`);
-        }
-        if (report.summary.bySeverity.medium > 0) {
-            console.log(`  ${formatSeverity("medium")}: ${report.summary.bySeverity.medium}`);
-        }
-        if (report.summary.bySeverity.low > 0) {
-            console.log(`  ${formatSeverity("low")}: ${report.summary.bySeverity.low}`);
-        }
-        if (report.summary.bySeverity.info > 0) {
-            console.log(`  ${formatSeverity("info")}: ${report.summary.bySeverity.info}`);
-        }
-    }
-    // Show thresholds
-    console.log("\nThresholds:");
-    console.log(`  Fail on severity >= ${report.thresholds.failOnSeverity} (confidence >= ${report.thresholds.minConfidenceForFail})`);
-    console.log(`  Warn on severity >= ${report.thresholds.warnOnSeverity} (confidence >= ${report.thresholds.minConfidenceForWarn})`);
-    if (report.thresholds.maxFindings > 0) {
-        console.log(`  Max findings: ${report.thresholds.maxFindings}`);
-    }
-    // Show regression if present
-    if (report.regression) {
-        console.log("\nRegression:");
-        console.log(`  New findings: ${report.regression.newFindings.length}`);
-        console.log(`  Resolved findings: ${report.regression.resolvedFindings.length}`);
-        console.log(`  Severity regressions: ${report.regression.severityRegressions.length}`);
-        console.log(`  Net change: ${report.regression.netChange > 0 ? "+" : ""}${report.regression.netChange}`);
-    }
-    // Show reasons
-    if (report.reasons.length > 0) {
-        console.log("\nReasons:");
-        for (const reason of report.reasons) {
-            const statusIcon = reason.status === "fail" ? "\x1b[31m✗\x1b[0m"
-                : reason.status === "warn" ? "\x1b[33m!\x1b[0m"
-                    : "\x1b[32m✓\x1b[0m";
-            console.log(`  ${statusIcon} ${reason.message}`);
-        }
-    }
-    // Show waived findings if any
-    if (report.waivedFindings.length > 0) {
-        console.log("\nWaived findings:");
-        for (const wf of report.waivedFindings.slice(0, 5)) {
-            const expiredNote = wf.expired ? " (EXPIRED)" : "";
-            console.log(`  - [${wf.finding.ruleId}] ${wf.finding.title}${expiredNote}`);
-            console.log(`    Reason: ${wf.waiver.reason}`);
-        }
-        if (report.waivedFindings.length > 5) {
-            console.log(`  ... and ${report.waivedFindings.length - 5} more`);
-        }
-    }
-    console.log("");
-}
-/**
- * Execute the evaluate command
- */
-export async function executeEvaluate(options) {
-    // Load artifact
-    const artifact = loadArtifact(options.artifact);
-    // Load baseline if provided
-    let baseline;
-    if (options.baseline) {
-        baseline = loadArtifact(options.baseline);
-    }
-    // Load config if provided, otherwise use profile
-    let config;
-    if (options.config) {
-        config = loadConfig(options.config);
-    }
-    // Load waivers if provided
-    let waivers = [];
-    if (options.waivers) {
-        waivers = loadWaivers(options.waivers);
-    }
-    // Run evaluation
-    const report = evaluate({
-        artifact,
-        baseline,
-        config,
-        profile: config ? undefined : options.profile,
-        waivers,
-        artifactPath: options.artifact,
-    });
-    // Output report
-    if (options.out) {
-        const outPath = resolvePath(options.out);
-        ensureDir(path.dirname(outPath));
-        writeFileSync(outPath, JSON.stringify(report, null, 2));
-        if (!options.quiet) {
-            console.log(`Policy report written to: ${outPath}`);
-        }
-    }
-    // Print summary unless quiet mode
-    if (!options.quiet) {
-        printSummary(report);
-    }
-    else {
-        // In quiet mode, just output JSON
-        if (!options.out) {
-            console.log(JSON.stringify(report, null, 2));
-        }
-    }
-    return report.exitCode;
-}
-/**
- * Register evaluate command with commander
- */
-export function registerEvaluateCommand(program) {
-    program
-        .command("evaluate")
-        .description("Evaluate a scan artifact against a policy")
-        .requiredOption("-a, --artifact <path>", "Path to scan artifact (JSON)")
-        .option("-b, --baseline <path>", "Path to baseline artifact for regression detection")
-        .option("-p, --profile <name>", `Policy profile (${PROFILE_NAMES.join(", ")})`, "startup")
-        .option("-c, --config <path>", "Path to policy config file (overrides profile)")
-        .option("-w, --waivers <path>", "Path to waivers file")
-        .option("-o, --out <path>", "Output report to file")
-        .option("-q, --quiet", "JSON output only (no console summary)")
-        .addHelpText("after", `
-Profiles:
-${PROFILE_NAMES.map((name) => `  ${name}: ${PROFILE_DESCRIPTIONS[name]}`).join("\n")}
-
-Examples:
-  $ vibecheck evaluate -a ./vibecheck-scan.json
-  $ vibecheck evaluate -a ./scan.json -p strict
-  $ vibecheck evaluate -a ./scan.json -b ./baseline.json
-  $ vibecheck evaluate -a ./scan.json -w ./waivers.json
-  $ vibecheck evaluate -a ./scan.json -c ./policy.json
-  $ vibecheck evaluate -a ./scan.json -o ./report.json -q
-`)
-        .action(async (cmdOptions) => {
-        // Validate profile
-        const profileStr = cmdOptions.profile;
-        if (!PROFILE_NAMES.includes(profileStr)) {
-            console.error(`\x1b[31mError: Invalid profile "${profileStr}". Valid options: ${PROFILE_NAMES.join(", ")}\x1b[0m`);
-            process.exit(1);
-        }
-        const options = {
-            artifact: cmdOptions.artifact,
-            baseline: cmdOptions.baseline,
-            profile: profileStr,
-            config: cmdOptions.config,
-            waivers: cmdOptions.waivers,
-            out: cmdOptions.out,
-            quiet: Boolean(cmdOptions.quiet),
-        };
-        try {
-            const exitCode = await executeEvaluate(options);
-            process.exit(exitCode);
-        }
-        catch (error) {
-            console.error(`\x1b[31mError: ${error instanceof Error ? error.message : String(error)}\x1b[0m`);
-            process.exit(1);
-        }
-    });
-}

package/dist/commands/explain.d.ts

@@ -1,12 +0,0 @@
-import type { Command } from "commander";
-/**
- * Execute the explain command
- */
-export declare function executeExplain(artifactPath: string, options: {
-    limit: number;
-}): Promise<number>;
-/**
- * Register explain command with commander
- */
-export declare function registerExplainCommand(program: Command): void;
-//# sourceMappingURL=explain.d.ts.map

package/dist/commands/explain.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../src/commands/explain.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA0MzC;;GAEG;AACH,wBAAsB,cAAc,CAClC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GACzB,OAAO,CAAC,MAAM,CAAC,CAkCjB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAU7D"}