npm - @quantracode/vibecheck - Versions diffs - 0.0.1 → 0.0.2 - Mend

@quantracode/vibecheck 0.0.1 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (208) hide show

package/README.md +6 -6
package/dist/index.d.ts +0 -2
package/dist/index.js +7902 -8
package/package.json +13 -7
package/dist/__tests__/cli.test.d.ts +0 -2
package/dist/__tests__/cli.test.d.ts.map +0 -1
package/dist/__tests__/cli.test.js +0 -243
package/dist/__tests__/fixtures/safe-app/app/api/users/route.js +0 -36
package/dist/__tests__/fixtures/vulnerable-app/app/api/users/route.js +0 -28
package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts +0 -4
package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts.map +0 -1
package/dist/__tests__/fixtures/vulnerable-app/lib/config.js +0 -6
package/dist/__tests__/scanners/env-config.test.d.ts +0 -2
package/dist/__tests__/scanners/env-config.test.d.ts.map +0 -1
package/dist/__tests__/scanners/env-config.test.js +0 -142
package/dist/__tests__/scanners/nextjs-middleware.test.d.ts +0 -2
package/dist/__tests__/scanners/nextjs-middleware.test.d.ts.map +0 -1
package/dist/__tests__/scanners/nextjs-middleware.test.js +0 -193
package/dist/__tests__/scanners/scanner-packs.test.d.ts +0 -2
package/dist/__tests__/scanners/scanner-packs.test.d.ts.map +0 -1
package/dist/__tests__/scanners/scanner-packs.test.js +0 -126
package/dist/__tests__/scanners/unused-security-imports.test.d.ts +0 -2
package/dist/__tests__/scanners/unused-security-imports.test.d.ts.map +0 -1
package/dist/__tests__/scanners/unused-security-imports.test.js +0 -145
package/dist/commands/demo-artifact.d.ts +0 -7
package/dist/commands/demo-artifact.d.ts.map +0 -1
package/dist/commands/demo-artifact.js +0 -322
package/dist/commands/evaluate.d.ts +0 -30
package/dist/commands/evaluate.d.ts.map +0 -1
package/dist/commands/evaluate.js +0 -258
package/dist/commands/explain.d.ts +0 -12
package/dist/commands/explain.d.ts.map +0 -1
package/dist/commands/explain.js +0 -214
package/dist/commands/index.d.ts +0 -7
package/dist/commands/index.d.ts.map +0 -1
package/dist/commands/index.js +0 -6
package/dist/commands/intent.d.ts +0 -21
package/dist/commands/intent.d.ts.map +0 -1
package/dist/commands/intent.js +0 -192
package/dist/commands/scan.d.ts +0 -44
package/dist/commands/scan.d.ts.map +0 -1
package/dist/commands/scan.js +0 -497
package/dist/commands/waivers.d.ts +0 -30
package/dist/commands/waivers.d.ts.map +0 -1
package/dist/commands/waivers.js +0 -249
package/dist/index.d.ts.map +0 -1
package/dist/phase3/index.d.ts +0 -11
package/dist/phase3/index.d.ts.map +0 -1
package/dist/phase3/index.js +0 -12
package/dist/phase3/intent-miner.d.ts +0 -32
package/dist/phase3/intent-miner.d.ts.map +0 -1
package/dist/phase3/intent-miner.js +0 -323
package/dist/phase3/proof-trace-builder.d.ts +0 -42
package/dist/phase3/proof-trace-builder.d.ts.map +0 -1
package/dist/phase3/proof-trace-builder.js +0 -441
package/dist/phase3/scanners/auth-by-ui-server-gap.d.ts +0 -15
package/dist/phase3/scanners/auth-by-ui-server-gap.d.ts.map +0 -1
package/dist/phase3/scanners/auth-by-ui-server-gap.js +0 -237
package/dist/phase3/scanners/comment-claim-unproven.d.ts +0 -14
package/dist/phase3/scanners/comment-claim-unproven.d.ts.map +0 -1
package/dist/phase3/scanners/comment-claim-unproven.js +0 -161
package/dist/phase3/scanners/index.d.ts +0 -31
package/dist/phase3/scanners/index.d.ts.map +0 -1
package/dist/phase3/scanners/index.js +0 -40
package/dist/phase3/scanners/middleware-assumed-not-matching.d.ts +0 -14
package/dist/phase3/scanners/middleware-assumed-not-matching.d.ts.map +0 -1
package/dist/phase3/scanners/middleware-assumed-not-matching.js +0 -172
package/dist/phase3/scanners/validation-claimed-missing.d.ts +0 -15
package/dist/phase3/scanners/validation-claimed-missing.d.ts.map +0 -1
package/dist/phase3/scanners/validation-claimed-missing.js +0 -204
package/dist/scanners/abuse/compute-abuse.d.ts +0 -20
package/dist/scanners/abuse/compute-abuse.d.ts.map +0 -1
package/dist/scanners/abuse/compute-abuse.js +0 -509
package/dist/scanners/abuse/index.d.ts +0 -12
package/dist/scanners/abuse/index.d.ts.map +0 -1
package/dist/scanners/abuse/index.js +0 -15
package/dist/scanners/auth/index.d.ts +0 -5
package/dist/scanners/auth/index.d.ts.map +0 -1
package/dist/scanners/auth/index.js +0 -10
package/dist/scanners/auth/middleware-gap.d.ts +0 -22
package/dist/scanners/auth/middleware-gap.d.ts.map +0 -1
package/dist/scanners/auth/middleware-gap.js +0 -203
package/dist/scanners/auth/unprotected-api-route.d.ts +0 -12
package/dist/scanners/auth/unprotected-api-route.d.ts.map +0 -1
package/dist/scanners/auth/unprotected-api-route.js +0 -126
package/dist/scanners/config/index.d.ts +0 -5
package/dist/scanners/config/index.d.ts.map +0 -1
package/dist/scanners/config/index.js +0 -10
package/dist/scanners/config/insecure-defaults.d.ts +0 -12
package/dist/scanners/config/insecure-defaults.d.ts.map +0 -1
package/dist/scanners/config/insecure-defaults.js +0 -77
package/dist/scanners/config/undocumented-env.d.ts +0 -24
package/dist/scanners/config/undocumented-env.d.ts.map +0 -1
package/dist/scanners/config/undocumented-env.js +0 -159
package/dist/scanners/crypto/index.d.ts +0 -6
package/dist/scanners/crypto/index.d.ts.map +0 -1
package/dist/scanners/crypto/index.js +0 -11
package/dist/scanners/crypto/jwt-decode-unverified.d.ts +0 -14
package/dist/scanners/crypto/jwt-decode-unverified.d.ts.map +0 -1
package/dist/scanners/crypto/jwt-decode-unverified.js +0 -87
package/dist/scanners/crypto/math-random-tokens.d.ts +0 -13
package/dist/scanners/crypto/math-random-tokens.d.ts.map +0 -1
package/dist/scanners/crypto/math-random-tokens.js +0 -80
package/dist/scanners/crypto/weak-hashing.d.ts +0 -11
package/dist/scanners/crypto/weak-hashing.d.ts.map +0 -1
package/dist/scanners/crypto/weak-hashing.js +0 -95
package/dist/scanners/env-config.d.ts +0 -24
package/dist/scanners/env-config.d.ts.map +0 -1
package/dist/scanners/env-config.js +0 -164
package/dist/scanners/hallucinations/index.d.ts +0 -4
package/dist/scanners/hallucinations/index.d.ts.map +0 -1
package/dist/scanners/hallucinations/index.js +0 -8
package/dist/scanners/hallucinations/unused-security-imports.d.ts +0 -36
package/dist/scanners/hallucinations/unused-security-imports.d.ts.map +0 -1
package/dist/scanners/hallucinations/unused-security-imports.js +0 -309
package/dist/scanners/helpers/ast-helpers.d.ts +0 -6
package/dist/scanners/helpers/ast-helpers.d.ts.map +0 -1
package/dist/scanners/helpers/ast-helpers.js +0 -945
package/dist/scanners/helpers/context-builder.d.ts +0 -17
package/dist/scanners/helpers/context-builder.d.ts.map +0 -1
package/dist/scanners/helpers/context-builder.js +0 -148
package/dist/scanners/helpers/index.d.ts +0 -3
package/dist/scanners/helpers/index.d.ts.map +0 -1
package/dist/scanners/helpers/index.js +0 -2
package/dist/scanners/index.d.ts +0 -30
package/dist/scanners/index.d.ts.map +0 -1
package/dist/scanners/index.js +0 -102
package/dist/scanners/middleware/index.d.ts +0 -4
package/dist/scanners/middleware/index.d.ts.map +0 -1
package/dist/scanners/middleware/index.js +0 -7
package/dist/scanners/middleware/missing-rate-limit.d.ts +0 -13
package/dist/scanners/middleware/missing-rate-limit.d.ts.map +0 -1
package/dist/scanners/middleware/missing-rate-limit.js +0 -140
package/dist/scanners/network/cors-misconfiguration.d.ts +0 -14
package/dist/scanners/network/cors-misconfiguration.d.ts.map +0 -1
package/dist/scanners/network/cors-misconfiguration.js +0 -89
package/dist/scanners/network/index.d.ts +0 -7
package/dist/scanners/network/index.d.ts.map +0 -1
package/dist/scanners/network/index.js +0 -18
package/dist/scanners/network/missing-timeout.d.ts +0 -15
package/dist/scanners/network/missing-timeout.d.ts.map +0 -1
package/dist/scanners/network/missing-timeout.js +0 -93
package/dist/scanners/network/open-redirect.d.ts +0 -15
package/dist/scanners/network/open-redirect.d.ts.map +0 -1
package/dist/scanners/network/open-redirect.js +0 -88
package/dist/scanners/network/ssrf-prone-fetch.d.ts +0 -12
package/dist/scanners/network/ssrf-prone-fetch.d.ts.map +0 -1
package/dist/scanners/network/ssrf-prone-fetch.js +0 -90
package/dist/scanners/nextjs-middleware.d.ts +0 -26
package/dist/scanners/nextjs-middleware.d.ts.map +0 -1
package/dist/scanners/nextjs-middleware.js +0 -246
package/dist/scanners/privacy/debug-flags.d.ts +0 -13
package/dist/scanners/privacy/debug-flags.d.ts.map +0 -1
package/dist/scanners/privacy/debug-flags.js +0 -124
package/dist/scanners/privacy/index.d.ts +0 -6
package/dist/scanners/privacy/index.d.ts.map +0 -1
package/dist/scanners/privacy/index.js +0 -11
package/dist/scanners/privacy/over-broad-response.d.ts +0 -15
package/dist/scanners/privacy/over-broad-response.d.ts.map +0 -1
package/dist/scanners/privacy/over-broad-response.js +0 -109
package/dist/scanners/privacy/sensitive-logging.d.ts +0 -11
package/dist/scanners/privacy/sensitive-logging.d.ts.map +0 -1
package/dist/scanners/privacy/sensitive-logging.js +0 -78
package/dist/scanners/types.d.ts +0 -456
package/dist/scanners/types.d.ts.map +0 -1
package/dist/scanners/types.js +0 -16
package/dist/scanners/unused-security-imports.d.ts +0 -34
package/dist/scanners/unused-security-imports.d.ts.map +0 -1
package/dist/scanners/unused-security-imports.js +0 -206
package/dist/scanners/uploads/index.d.ts +0 -5
package/dist/scanners/uploads/index.d.ts.map +0 -1
package/dist/scanners/uploads/index.js +0 -9
package/dist/scanners/uploads/missing-constraints.d.ts +0 -15
package/dist/scanners/uploads/missing-constraints.d.ts.map +0 -1
package/dist/scanners/uploads/missing-constraints.js +0 -109
package/dist/scanners/uploads/public-path.d.ts +0 -11
package/dist/scanners/uploads/public-path.d.ts.map +0 -1
package/dist/scanners/uploads/public-path.js +0 -87
package/dist/scanners/validation/client-side-only.d.ts +0 -14
package/dist/scanners/validation/client-side-only.d.ts.map +0 -1
package/dist/scanners/validation/client-side-only.js +0 -140
package/dist/scanners/validation/ignored-validation.d.ts +0 -12
package/dist/scanners/validation/ignored-validation.d.ts.map +0 -1
package/dist/scanners/validation/ignored-validation.js +0 -119
package/dist/scanners/validation/index.d.ts +0 -5
package/dist/scanners/validation/index.d.ts.map +0 -1
package/dist/scanners/validation/index.js +0 -9
package/dist/utils/exclude-patterns.d.ts +0 -35
package/dist/utils/exclude-patterns.d.ts.map +0 -1
package/dist/utils/exclude-patterns.js +0 -78
package/dist/utils/file-utils.d.ts +0 -37
package/dist/utils/file-utils.d.ts.map +0 -1
package/dist/utils/file-utils.js +0 -77
package/dist/utils/fingerprint.d.ts +0 -25
package/dist/utils/fingerprint.d.ts.map +0 -1
package/dist/utils/fingerprint.js +0 -28
package/dist/utils/git-info.d.ts +0 -14
package/dist/utils/git-info.d.ts.map +0 -1
package/dist/utils/git-info.js +0 -55
package/dist/utils/index.d.ts +0 -4
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js +0 -3
package/dist/utils/progress.d.ts +0 -42
package/dist/utils/progress.d.ts.map +0 -1
package/dist/utils/progress.js +0 -165
package/dist/utils/sarif-formatter.d.ts +0 -92
package/dist/utils/sarif-formatter.d.ts.map +0 -1
package/dist/utils/sarif-formatter.js +0 -172

package/dist/phase3/proof-trace-builder.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"proof-trace-builder.d.ts","sourceRoot":"","sources":["../../src/phase3/proof-trace-builder.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,cAAc,EACd,UAAU,EAGV,eAAe,EAChB,MAAM,sBAAsB,CAAC;AAI9B;;GAEG;AACH,wBAAgB,eAAe,CAC7B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,GACX,MAAM,CAGR;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAgB5D;AAcD;;GAEG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,WAAW,GAAG,SAAS,EAAE,CA4B3D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,WAAW,GAAG,cAAc,EAAE,CAwCrE;AA2BD;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAAE,GACjB,OAAO,CAqBT;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,WAAW,EAChB,KAAK,EAAE,SAAS,GACf,UAAU,CA0GZ;AA+MD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EAAE,EACnB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,EACpC,aAAa,EAAE,cAAc,EAAE,GAC9B,eAAe,CA2CjB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,SAAS,EAAE,GAClB,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CASzB"}

package/dist/phase3/proof-trace-builder.js DELETED Viewed

@@ -1,441 +0,0 @@
-/**
- * Phase 3: Cross-file Proof Trace Builder
- *
- * Lightweight call-graph tracing for Next.js App Router.
- * Traces auth/validation through local imports (max depth 2).
- * Deterministic, local-only.
- */
-import crypto from "node:crypto";
-import path from "node:path";
-import { SyntaxKind } from "ts-morph";
-const MAX_TRACE_DEPTH = 2;
-/**
- * Generate a stable route ID from path, method, and file
- */
-export function generateRouteId(routePath, method, file) {
-    const normalized = `${method}:${routePath}:${file}`.toLowerCase();
-    return crypto.createHash("sha256").update(normalized).digest("hex").slice(0, 12);
-}
-/**
- * Convert file path to URL path for Next.js App Router
- * e.g., "app/api/users/[id]/route.ts" -> "/api/users/[id]"
- */
-export function filePathToRoutePath(filePath) {
-    // Normalize to forward slashes
-    const normalized = filePath.replace(/\\/g, "/");
-    // Find app directory
-    const appIndex = normalized.indexOf("/app/");
-    if (appIndex === -1) {
-        // Try without leading slash
-        const appIndexAlt = normalized.indexOf("app/");
-        if (appIndexAlt === 0) {
-            return extractRoutePath(normalized.slice(4));
-        }
-        return "/";
-    }
-    return extractRoutePath(normalized.slice(appIndex + 5));
-}
-function extractRoutePath(routePart) {
-    // Remove route.ts/route.js suffix
-    const withoutRoute = routePart.replace(/\/route\.(ts|tsx|js|jsx)$/, "");
-    // Handle root API route
-    if (withoutRoute === "" || withoutRoute === "api") {
-        return withoutRoute === "" ? "/" : "/api";
-    }
-    return "/" + withoutRoute;
-}
-/**
- * Build route map from scan context
- */
-export function buildRouteMap(ctx) {
-    const routes = [];
-    for (const routeFile of ctx.fileIndex.routeFiles) {
-        // routeFiles are relative paths, need to resolve to absolute for parseFile
-        const absolutePath = path.join(ctx.repoRoot, routeFile);
-        const sourceFile = ctx.helpers.parseFile(absolutePath);
-        if (!sourceFile)
-            continue;
-        const handlers = ctx.helpers.findRouteHandlers(sourceFile);
-        // routeFile is already relative to repoRoot, just normalize slashes
-        const relPath = routeFile.replace(/\\/g, "/");
-        const routePath = filePathToRoutePath(relPath);
-        for (const handler of handlers) {
-            const routeId = generateRouteId(routePath, handler.method, relPath);
-            routes.push({
-                routeId,
-                method: handler.method,
-                path: routePath,
-                file: relPath,
-                startLine: handler.startLine,
-                endLine: handler.endLine,
-            });
-        }
-    }
-    return routes;
-}
-/**
- * Build middleware map from scan context
- */
-export function buildMiddlewareMap(ctx) {
-    const middlewareList = [];
-    if (!ctx.fileIndex.middlewareFile) {
-        return middlewareList;
-    }
-    // middlewareFile is a relative path, resolve to absolute for parseFile
-    const absolutePath = path.join(ctx.repoRoot, ctx.fileIndex.middlewareFile);
-    const sourceFile = ctx.helpers.parseFile(absolutePath);
-    if (!sourceFile)
-        return middlewareList;
-    // middlewareFile is already relative, just normalize slashes
-    const relPath = ctx.fileIndex.middlewareFile.replace(/\\/g, "/");
-    // Find config.matcher export
-    const matchers = extractMiddlewareMatchers(sourceFile);
-    const protectsApi = matchers.some((m) => m.includes("/api") || m.includes("/(api)") || m === "/(.*)");
-    // Find the config declaration line
-    let startLine = 1;
-    sourceFile.forEachDescendant((node) => {
-        if (node.getKind() === SyntaxKind.VariableDeclaration &&
-            node.getText().includes("config")) {
-            startLine = node.getStartLineNumber();
-        }
-    });
-    middlewareList.push({
-        file: relPath,
-        matchers,
-        protectsApi,
-        startLine,
-    });
-    return middlewareList;
-}
-/**
- * Extract matcher patterns from middleware config
- */
-function extractMiddlewareMatchers(sourceFile) {
-    const matchers = [];
-    sourceFile.forEachDescendant((node) => {
-        // Look for config = { matcher: [...] }
-        if (node.getKind() === SyntaxKind.PropertyAssignment) {
-            const text = node.getText();
-            if (text.startsWith("matcher")) {
-                // Extract string literals from matcher array
-                node.forEachDescendant((child) => {
-                    if (child.getKind() === SyntaxKind.StringLiteral) {
-                        const value = child.getText().replace(/['"]/g, "");
-                        matchers.push(value);
-                    }
-                });
-            }
-        }
-    });
-    return matchers;
-}
-/**
- * Check if a route path is covered by middleware matchers
- */
-export function isRouteCoveredByMiddleware(routePath, matchers) {
-    for (const matcher of matchers) {
-        // Convert Next.js matcher pattern to regex
-        const pattern = matcher
-            .replace(/\*/g, ".*")
-            .replace(/\/:path\*/g, "/.*")
-            .replace(/\(([^)]+)\)/g, "(?:$1)");
-        try {
-            const regex = new RegExp(`^${pattern}`);
-            if (regex.test(routePath)) {
-                return true;
-            }
-        }
-        catch {
-            // Invalid regex, try simple prefix match
-            if (routePath.startsWith(matcher.replace(/\/:path\*$/, ""))) {
-                return true;
-            }
-        }
-    }
-    return false;
-}
-/**
- * Trace auth/validation through a handler and its imports
- */
-export function buildProofTrace(ctx, route) {
-    const steps = [];
-    let authProven = false;
-    let validationProven = false;
-    const sourceFile = ctx.helpers.parseFile(path.join(ctx.repoRoot, route.file));
-    if (!sourceFile) {
-        return {
-            routeId: route.routeId,
-            authProven: false,
-            validationProven: false,
-            middlewareCovered: false,
-            steps: [],
-        };
-    }
-    // Find the handler function
-    const handlers = ctx.helpers.findRouteHandlers(sourceFile);
-    const handler = handlers.find((h) => h.method === route.method);
-    if (!handler) {
-        return {
-            routeId: route.routeId,
-            authProven: false,
-            validationProven: false,
-            middlewareCovered: false,
-            steps: [],
-        };
-    }
-    // Check handler directly for auth
-    if (ctx.helpers.containsAuthCheck(handler.functionNode)) {
-        authProven = true;
-        steps.push({
-            file: route.file,
-            line: handler.startLine,
-            snippet: truncateSnippet(handler.functionNode.getText(), 100),
-            label: "Auth check found in handler",
-        });
-    }
-    // Check handler directly for validation
-    const validationUsage = ctx.helpers.findValidationUsage(handler.functionNode);
-    if (validationUsage.length > 0 && validationUsage.some((v) => v.resultUsed)) {
-        validationProven = true;
-        steps.push({
-            file: route.file,
-            line: validationUsage[0].line,
-            snippet: truncateSnippet(ctx.helpers.getNodeText(validationUsage[0].node), 100),
-            label: "Validation found in handler",
-        });
-    }
-    // If not proven yet, trace through imports (max depth 2)
-    if (!authProven || !validationProven) {
-        const importedModules = getLocalImports(sourceFile, ctx.repoRoot, route.file);
-        for (const importInfo of importedModules) {
-            if (authProven && validationProven)
-                break;
-            const traceResult = traceImportedModule(ctx, importInfo, 1, // depth
-            !authProven, !validationProven);
-            if (traceResult.authProven && !authProven) {
-                authProven = true;
-                steps.push(...traceResult.steps.filter((s) => s.label.includes("Auth")));
-            }
-            if (traceResult.validationProven && !validationProven) {
-                validationProven = true;
-                steps.push(...traceResult.steps.filter((s) => s.label.includes("Validation")));
-            }
-        }
-    }
-    // Check middleware coverage
-    const middlewareMap = buildMiddlewareMap(ctx);
-    const allMatchers = middlewareMap.flatMap((m) => m.matchers);
-    const middlewareCovered = isRouteCoveredByMiddleware(route.path, allMatchers);
-    if (middlewareCovered) {
-        const middleware = middlewareMap[0];
-        if (middleware) {
-            steps.push({
-                file: middleware.file,
-                line: middleware.startLine,
-                snippet: `matcher: ${JSON.stringify(middleware.matchers)}`,
-                label: "Covered by middleware",
-            });
-        }
-    }
-    return {
-        routeId: route.routeId,
-        authProven,
-        validationProven,
-        middlewareCovered,
-        steps,
-    };
-}
-/**
- * Get local (relative) imports from a source file
- */
-function getLocalImports(sourceFile, repoRoot, currentFile) {
-    const imports = [];
-    const currentDir = path.dirname(path.join(repoRoot, currentFile));
-    for (const importDecl of sourceFile.getImportDeclarations()) {
-        const moduleSpecifier = importDecl.getModuleSpecifierValue();
-        // Only process relative imports
-        if (!moduleSpecifier.startsWith(".")) {
-            continue;
-        }
-        // Resolve to absolute path
-        let absolutePath = path.resolve(currentDir, moduleSpecifier);
-        // Try common extensions
-        const extensions = [".ts", ".tsx", ".js", ".jsx"];
-        let resolved = false;
-        for (const ext of extensions) {
-            const withExt = absolutePath + ext;
-            try {
-                // Check if file exists by trying to parse it
-                if (sourceFile.getProject().getSourceFile(withExt)) {
-                    absolutePath = withExt;
-                    resolved = true;
-                    break;
-                }
-            }
-            catch {
-                // File doesn't exist
-            }
-        }
-        // Also try index files
-        if (!resolved) {
-            for (const ext of extensions) {
-                const indexPath = path.join(absolutePath, `index${ext}`);
-                try {
-                    if (sourceFile.getProject().getSourceFile(indexPath)) {
-                        absolutePath = indexPath;
-                        resolved = true;
-                        break;
-                    }
-                }
-                catch {
-                    // File doesn't exist
-                }
-            }
-        }
-        const importedNames = [];
-        // Get named imports
-        for (const namedImport of importDecl.getNamedImports()) {
-            importedNames.push(namedImport.getName());
-        }
-        // Get default import
-        const defaultImport = importDecl.getDefaultImport();
-        if (defaultImport) {
-            importedNames.push(defaultImport.getText());
-        }
-        imports.push({
-            modulePath: moduleSpecifier,
-            absolutePath,
-            importedNames,
-        });
-    }
-    return imports;
-}
-/**
- * Trace an imported module for auth/validation
- */
-function traceImportedModule(ctx, importInfo, depth, needAuth, needValidation) {
-    const result = {
-        authProven: false,
-        validationProven: false,
-        steps: [],
-    };
-    if (depth > MAX_TRACE_DEPTH) {
-        return result;
-    }
-    const sourceFile = ctx.helpers.parseFile(importInfo.absolutePath);
-    if (!sourceFile) {
-        return result;
-    }
-    const relPath = path.relative(ctx.repoRoot, importInfo.absolutePath).replace(/\\/g, "/");
-    // Look for auth patterns in exported functions
-    if (needAuth) {
-        sourceFile.forEachDescendant((node) => {
-            if (result.authProven)
-                return;
-            // Check function declarations
-            if (node.getKind() === SyntaxKind.FunctionDeclaration ||
-                node.getKind() === SyntaxKind.ArrowFunction) {
-                const funcNode = node;
-                if (ctx.helpers.containsAuthCheck(funcNode)) {
-                    result.authProven = true;
-                    result.steps.push({
-                        file: relPath,
-                        line: node.getStartLineNumber(),
-                        snippet: truncateSnippet(node.getText(), 100),
-                        label: `Auth check found in imported module (depth ${depth})`,
-                    });
-                }
-            }
-        });
-    }
-    // Look for validation patterns
-    if (needValidation) {
-        sourceFile.forEachDescendant((node) => {
-            if (result.validationProven)
-                return;
-            if (node.getKind() === SyntaxKind.FunctionDeclaration ||
-                node.getKind() === SyntaxKind.ArrowFunction) {
-                const funcNode = node;
-                const validation = ctx.helpers.findValidationUsage(funcNode);
-                if (validation.length > 0 && validation.some((v) => v.resultUsed)) {
-                    result.validationProven = true;
-                    result.steps.push({
-                        file: relPath,
-                        line: validation[0].line,
-                        snippet: truncateSnippet(ctx.helpers.getNodeText(validation[0].node), 100),
-                        label: `Validation found in imported module (depth ${depth})`,
-                    });
-                }
-            }
-        });
-    }
-    // Recurse into this module's imports if still needed
-    if ((!result.authProven && needAuth) || (!result.validationProven && needValidation)) {
-        const nestedImports = getLocalImports(sourceFile, ctx.repoRoot, relPath);
-        for (const nested of nestedImports) {
-            const nestedResult = traceImportedModule(ctx, nested, depth + 1, needAuth && !result.authProven, needValidation && !result.validationProven);
-            if (nestedResult.authProven) {
-                result.authProven = true;
-                result.steps.push(...nestedResult.steps);
-            }
-            if (nestedResult.validationProven) {
-                result.validationProven = true;
-                result.steps.push(...nestedResult.steps);
-            }
-        }
-    }
-    return result;
-}
-/**
- * Truncate a code snippet to max length
- */
-function truncateSnippet(text, maxLength) {
-    // Remove excessive whitespace
-    const cleaned = text.replace(/\s+/g, " ").trim();
-    if (cleaned.length <= maxLength) {
-        return cleaned;
-    }
-    return cleaned.slice(0, maxLength - 3) + "...";
-}
-/**
- * Calculate coverage metrics from routes and proof traces
- */
-export function calculateCoverage(routes, proofTraces, middlewareMap) {
-    const stateChangingMethods = ["POST", "PUT", "PATCH", "DELETE"];
-    const stateChangingRoutes = routes.filter((r) => stateChangingMethods.includes(r.method));
-    // Auth coverage: state-changing routes with auth proven
-    const authCoveredCount = stateChangingRoutes.filter((r) => {
-        const trace = proofTraces.get(r.routeId);
-        return trace?.authProven || trace?.middlewareCovered;
-    }).length;
-    const authCoverage = stateChangingRoutes.length > 0
-        ? authCoveredCount / stateChangingRoutes.length
-        : 1;
-    // Validation coverage: POST/PUT/PATCH routes with validation proven
-    const bodyRoutes = routes.filter((r) => ["POST", "PUT", "PATCH"].includes(r.method));
-    const validationCoveredCount = bodyRoutes.filter((r) => {
-        const trace = proofTraces.get(r.routeId);
-        return trace?.validationProven;
-    }).length;
-    const validationCoverage = bodyRoutes.length > 0 ? validationCoveredCount / bodyRoutes.length : 1;
-    // Middleware coverage: all routes covered by middleware
-    const allMatchers = middlewareMap.flatMap((m) => m.matchers);
-    const middlewareCoveredCount = routes.filter((r) => isRouteCoveredByMiddleware(r.path, allMatchers)).length;
-    const middlewareCoverage = routes.length > 0 ? middlewareCoveredCount / routes.length : 1;
-    return {
-        authCoverage: Math.round(authCoverage * 100) / 100,
-        validationCoverage: Math.round(validationCoverage * 100) / 100,
-        middlewareCoverage: Math.round(middlewareCoverage * 100) / 100,
-    };
-}
-/**
- * Build all proof traces for a scan context
- */
-export function buildAllProofTraces(ctx, routes) {
-    const traces = new Map();
-    for (const route of routes) {
-        const trace = buildProofTrace(ctx, route);
-        traces.set(route.routeId, trace);
-    }
-    return traces;
-}

package/dist/phase3/scanners/auth-by-ui-server-gap.d.ts DELETED Viewed

@@ -1,15 +0,0 @@
-/**
- * VC-AUTH-010: Auth-by-UI with Server Gap
- *
- * Detects patterns where authentication appears to be enforced only
- * on the client side (via useSession, conditionally rendering UI, etc.)
- * but the corresponding API routes lack server-side auth checks.
- *
- * Severity: Critical
- * Category: auth
- * Confidence: 0.85
- */
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../../scanners/types.js";
-export declare function scanAuthByUiServerGap(ctx: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=auth-by-ui-server-gap.d.ts.map

package/dist/phase3/scanners/auth-by-ui-server-gap.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"auth-by-ui-server-gap.d.ts","sourceRoot":"","sources":["../../../src/phase3/scanners/auth-by-ui-server-gap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,KAAK,EAAE,WAAW,EAAa,MAAM,yBAAyB,CAAC;AAgDtE,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,WAAW,GACf,OAAO,CAAC,OAAO,EAAE,CAAC,CAmGpB"}