@quantracode/vibecheck 0.0.1

package/dist/__tests__/cli.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cli.test.d.ts.map

package/dist/__tests__/cli.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/cli.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/cli.test.js

@@ -0,0 +1,243 @@
+import { describe, it, expect } from "vitest";
+import { executeScan } from "../commands/scan.js";
+import { executeExplain } from "../commands/explain.js";
+import { ScanArtifactSchema } from "@vibecheck/schema";
+import path from "node:path";
+import fs from "node:fs";
+import os from "node:os";
+describe("scan command", () => {
+    it("produces valid artifact", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const outputPath = path.join(tmpDir, "output", "scan.json");
+        // Create a simple test file
+        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const url = process.env.DATABASE_URL;`);
+        try {
+            const options = {
+                out: outputPath,
+                format: "json",
+                failOn: "critical", // Don't fail on high so we can test output
+                changed: false,
+            };
+            // Capture console output
+            const originalLog = console.log;
+            const logs = [];
+            console.log = (...args) => logs.push(args.join(" "));
+            await executeScan(tmpDir, options);
+            console.log = originalLog;
+            // Read and validate output
+            const content = fs.readFileSync(outputPath, "utf-8");
+            const artifact = JSON.parse(content);
+            const result = ScanArtifactSchema.safeParse(artifact);
+            expect(result.success).toBe(true);
+            if (result.success) {
+                expect(result.data.artifactVersion).toBe("0.1");
+                expect(result.data.tool.name).toBe("vibecheck");
+                expect(result.data.findings.length).toBeGreaterThan(0);
+            }
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("includes repo info when available", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const outputPath = path.join(tmpDir, "scan.json");
+        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const x = 1;`);
+        try {
+            const options = {
+                out: outputPath,
+                format: "json",
+                repoName: "test-repo",
+                failOn: "critical",
+                changed: false,
+            };
+            const originalLog = console.log;
+            console.log = () => { };
+            await executeScan(tmpDir, options);
+            console.log = originalLog;
+            const artifact = JSON.parse(fs.readFileSync(outputPath, "utf-8"));
+            expect(artifact.repo.name).toBe("test-repo");
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("includes metrics in output", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const outputPath = path.join(tmpDir, "scan.json");
+        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const x = 1;`);
+        try {
+            const options = {
+                out: outputPath,
+                format: "json",
+                failOn: "critical",
+                changed: false,
+            };
+            const originalLog = console.log;
+            console.log = () => { };
+            await executeScan(tmpDir, options);
+            console.log = originalLog;
+            const artifact = JSON.parse(fs.readFileSync(outputPath, "utf-8"));
+            expect(artifact.metrics).toBeDefined();
+            expect(artifact.metrics.filesScanned).toBe(1);
+            expect(artifact.metrics.scanDurationMs).toBeGreaterThanOrEqual(0);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("exits with non-zero when findings exceed threshold", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const outputPath = path.join(tmpDir, "scan.json");
+        // Create file with high severity finding
+        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const key = process.env.API_SECRET_KEY;`);
+        try {
+            const options = {
+                out: outputPath,
+                format: "json",
+                failOn: "high",
+                changed: false,
+            };
+            const originalLog = console.log;
+            console.log = () => { };
+            const exitCode = await executeScan(tmpDir, options);
+            console.log = originalLog;
+            expect(exitCode).toBe(1);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+});
+describe("explain command", () => {
+    it("reads and displays artifact", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const artifactPath = path.join(tmpDir, "scan.json");
+        const artifact = {
+            artifactVersion: "0.1",
+            generatedAt: new Date().toISOString(),
+            tool: { name: "vibecheck", version: "0.0.1" },
+            summary: {
+                totalFindings: 1,
+                bySeverity: { critical: 0, high: 1, medium: 0, low: 0, info: 0 },
+                byCategory: {
+                    auth: 1,
+                    validation: 0,
+                    middleware: 0,
+                    secrets: 0,
+                    injection: 0,
+                    privacy: 0,
+                    config: 0,
+                    other: 0,
+                },
+            },
+            findings: [
+                {
+                    id: "test-001",
+                    severity: "high",
+                    confidence: 0.9,
+                    category: "auth",
+                    ruleId: "VC-AUTH-001",
+                    title: "Test finding",
+                    description: "Test description",
+                    evidence: [
+                        { file: "test.ts", startLine: 1, endLine: 1, label: "Test label" },
+                    ],
+                    remediation: { recommendedFix: "Fix it" },
+                    fingerprint: "abc123",
+                },
+            ],
+        };
+        fs.writeFileSync(artifactPath, JSON.stringify(artifact));
+        try {
+            const originalLog = console.log;
+            const logs = [];
+            console.log = (...args) => logs.push(args.join(" "));
+            const exitCode = await executeExplain(artifactPath, { limit: 5 });
+            console.log = originalLog;
+            expect(exitCode).toBe(0);
+            expect(logs.some((l) => l.includes("VIBECHECK SCAN REPORT"))).toBe(true);
+            expect(logs.some((l) => l.includes("Test finding"))).toBe(true);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("returns error for invalid artifact", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const artifactPath = path.join(tmpDir, "invalid.json");
+        fs.writeFileSync(artifactPath, JSON.stringify({ invalid: true }));
+        try {
+            const originalLog = console.log;
+            const originalError = console.error;
+            console.log = () => { };
+            console.error = () => { };
+            const exitCode = await executeExplain(artifactPath, { limit: 5 });
+            console.log = originalLog;
+            console.error = originalError;
+            expect(exitCode).toBe(1);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+});
+describe("artifact output shape", () => {
+    it("has correct structure", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const outputPath = path.join(tmpDir, "scan.json");
+        fs.writeFileSync(path.join(tmpDir, "app.ts"), `import { z } from "zod";
+// unused
+`);
+        try {
+            const options = {
+                out: outputPath,
+                format: "json",
+                failOn: "critical",
+                changed: false,
+            };
+            const originalLog = console.log;
+            console.log = () => { };
+            await executeScan(tmpDir, options);
+            console.log = originalLog;
+            const artifact = JSON.parse(fs.readFileSync(outputPath, "utf-8"));
+            // Check top-level structure
+            expect(artifact).toHaveProperty("artifactVersion", "0.1");
+            expect(artifact).toHaveProperty("generatedAt");
+            expect(artifact).toHaveProperty("tool");
+            expect(artifact).toHaveProperty("summary");
+            expect(artifact).toHaveProperty("findings");
+            // Check tool info
+            expect(artifact.tool).toHaveProperty("name", "vibecheck");
+            expect(artifact.tool).toHaveProperty("version");
+            // Check summary structure
+            expect(artifact.summary).toHaveProperty("totalFindings");
+            expect(artifact.summary).toHaveProperty("bySeverity");
+            expect(artifact.summary).toHaveProperty("byCategory");
+            // Check finding structure (if any)
+            if (artifact.findings.length > 0) {
+                const finding = artifact.findings[0];
+                expect(finding).toHaveProperty("id");
+                expect(finding).toHaveProperty("severity");
+                expect(finding).toHaveProperty("confidence");
+                expect(finding).toHaveProperty("category");
+                expect(finding).toHaveProperty("ruleId");
+                expect(finding).toHaveProperty("title");
+                expect(finding).toHaveProperty("description");
+                expect(finding).toHaveProperty("evidence");
+                expect(finding).toHaveProperty("remediation");
+                expect(finding).toHaveProperty("fingerprint");
+                // Check ruleId format
+                expect(finding.ruleId).toMatch(/^VC-[A-Z]+-\d{3}$/);
+                // Check evidence structure
+                expect(finding.evidence[0]).toHaveProperty("file");
+                expect(finding.evidence[0]).toHaveProperty("startLine");
+                expect(finding.evidence[0]).toHaveProperty("endLine");
+                expect(finding.evidence[0]).toHaveProperty("label");
+            }
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+});

package/dist/__tests__/fixtures/safe-app/app/api/users/route.js

@@ -0,0 +1,36 @@
+import { prisma } from "@/lib/prisma";
+import { getServerSession } from "next-auth";
+import { z } from "zod";
+const userSchema = z.object({
+    name: z.string(),
+    email: z.string().email(),
+});
+// Safe: Has auth check
+export async function POST(request) {
+    const session = await getServerSession();
+    if (!session) {
+        return Response.json({ error: "Unauthorized" }, { status: 401 });
+    }
+    const body = await request.json();
+    // Safe: Validation result is used
+    const validatedData = userSchema.parse(body);
+    const user = await prisma.user.create({
+        data: validatedData,
+    });
+    // Safe: Not logging sensitive data
+    console.log("Created user:", { id: user.id, timestamp: Date.now() });
+    return Response.json(user);
+}
+// Safe: Has auth check
+export async function DELETE(request) {
+    const session = await getServerSession();
+    if (!session) {
+        return Response.json({ error: "Unauthorized" }, { status: 401 });
+    }
+    const { searchParams } = new URL(request.url);
+    const id = searchParams.get("id");
+    await prisma.user.delete({
+        where: { id },
+    });
+    return Response.json({ success: true });
+}

package/dist/__tests__/fixtures/vulnerable-app/app/api/users/route.js

@@ -0,0 +1,28 @@
+import { prisma } from "@/lib/prisma";
+import { z } from "zod";
+const userSchema = z.object({
+    name: z.string(),
+    email: z.string().email(),
+});
+// VC-AUTH-001: No auth check before database write
+export async function POST(request) {
+    const body = await request.json();
+    // VC-VAL-001: Validation called but result ignored
+    userSchema.parse(body);
+    // Using raw body instead of validated data
+    const user = await prisma.user.create({
+        data: body,
+    });
+    // VC-PRIV-001: Logging sensitive data
+    console.log("Created user:", { email: body.email, password: body.password });
+    return Response.json(user);
+}
+// VC-AUTH-001: Critical - delete without auth
+export async function DELETE(request) {
+    const { searchParams } = new URL(request.url);
+    const id = searchParams.get("id");
+    await prisma.user.delete({
+        where: { id },
+    });
+    return Response.json({ success: true });
+}

package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts

@@ -0,0 +1,4 @@
+export declare const JWT_SECRET: string;
+export declare const SESSION_SECRET: string;
+export declare const API_URL: string;
+//# sourceMappingURL=config.d.ts.map

package/dist/__tests__/fixtures/vulnerable-app/lib/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../../../src/__tests__/fixtures/vulnerable-app/lib/config.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,UAAU,QAA6C,CAAC;AAGrE,eAAO,MAAM,cAAc,QAA8C,CAAC;AAG1E,eAAO,MAAM,OAAO,QAAiD,CAAC"}

package/dist/__tests__/fixtures/vulnerable-app/lib/config.js

@@ -0,0 +1,6 @@
+// VC-CONFIG-002: Insecure default for critical secret
+export const JWT_SECRET = process.env.JWT_SECRET || "dev-secret-123";
+// VC-CONFIG-002: Another insecure default
+export const SESSION_SECRET = process.env.SESSION_SECRET ?? "session-dev";
+// Safe - not a secret
+export const API_URL = process.env.API_URL || "http://localhost:3000";

package/dist/__tests__/scanners/env-config.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=env-config.test.d.ts.map

package/dist/__tests__/scanners/env-config.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-config.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/scanners/env-config.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/scanners/env-config.test.js

@@ -0,0 +1,142 @@
+import { describe, it, expect } from "vitest";
+import { parseEnvExample, findEnvUsages, scanEnvConfig, } from "../../scanners/env-config.js";
+import path from "node:path";
+import fs from "node:fs";
+import os from "node:os";
+describe("parseEnvExample", () => {
+    it("parses simple env file", () => {
+        const content = `
+DATABASE_URL=
+API_KEY=your-key-here
+SECRET_TOKEN=
+`;
+        const vars = parseEnvExample(content);
+        expect(vars.has("DATABASE_URL")).toBe(true);
+        expect(vars.has("API_KEY")).toBe(true);
+        expect(vars.has("SECRET_TOKEN")).toBe(true);
+    });
+    it("ignores comments", () => {
+        const content = `
+# This is a comment
+DATABASE_URL=
+# API_KEY=should-be-ignored
+`;
+        const vars = parseEnvExample(content);
+        expect(vars.has("DATABASE_URL")).toBe(true);
+        expect(vars.has("API_KEY")).toBe(false);
+    });
+    it("handles empty lines", () => {
+        const content = `
+
+DATABASE_URL=
+
+API_KEY=
+
+`;
+        const vars = parseEnvExample(content);
+        expect(vars.size).toBe(2);
+    });
+    it("handles vars without values", () => {
+        const content = `DATABASE_URL`;
+        const vars = parseEnvExample(content);
+        expect(vars.has("DATABASE_URL")).toBe(true);
+    });
+});
+describe("findEnvUsages", () => {
+    it("finds process.env.VAR usage", () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const filePath = path.join(tmpDir, "test.ts");
+        fs.writeFileSync(filePath, `
+const url = process.env.DATABASE_URL;
+const key = process.env.API_KEY;
+`);
+        try {
+            const usages = findEnvUsages(["test.ts"], tmpDir);
+            expect(usages).toHaveLength(2);
+            expect(usages[0].name).toBe("DATABASE_URL");
+            expect(usages[1].name).toBe("API_KEY");
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("finds bracket notation usage", () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const filePath = path.join(tmpDir, "test.ts");
+        fs.writeFileSync(filePath, `const url = process.env["DATABASE_URL"];`);
+        try {
+            const usages = findEnvUsages(["test.ts"], tmpDir);
+            expect(usages).toHaveLength(1);
+            expect(usages[0].name).toBe("DATABASE_URL");
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("returns correct line numbers", () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const filePath = path.join(tmpDir, "test.ts");
+        fs.writeFileSync(filePath, `// line 1
+// line 2
+const x = process.env.MY_VAR; // line 3
+`);
+        try {
+            const usages = findEnvUsages(["test.ts"], tmpDir);
+            expect(usages[0].line).toBe(3);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+});
+describe("scanEnvConfig", () => {
+    it("creates findings for undocumented env vars", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        const filePath = path.join(tmpDir, "app.ts");
+        fs.writeFileSync(filePath, `const url = process.env.DATABASE_URL;`);
+        try {
+            const context = {
+                targetDir: tmpDir,
+                sourceFiles: ["app.ts"],
+            };
+            const findings = await scanEnvConfig(context);
+            expect(findings).toHaveLength(1);
+            expect(findings[0].ruleId).toBe("VC-CONFIG-001");
+            expect(findings[0].title).toContain("DATABASE_URL");
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("does not create findings for documented vars", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const url = process.env.DATABASE_URL;`);
+        fs.writeFileSync(path.join(tmpDir, ".env.example"), "DATABASE_URL=");
+        try {
+            const context = {
+                targetDir: tmpDir,
+                sourceFiles: ["app.ts"],
+            };
+            const findings = await scanEnvConfig(context);
+            expect(findings).toHaveLength(0);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("marks SECRET-like vars as high severity", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        fs.writeFileSync(path.join(tmpDir, "app.ts"), `const key = process.env.API_SECRET_KEY;`);
+        try {
+            const context = {
+                targetDir: tmpDir,
+                sourceFiles: ["app.ts"],
+            };
+            const findings = await scanEnvConfig(context);
+            expect(findings[0].severity).toBe("high");
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+});

package/dist/__tests__/scanners/nextjs-middleware.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=nextjs-middleware.test.d.ts.map

package/dist/__tests__/scanners/nextjs-middleware.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs-middleware.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/scanners/nextjs-middleware.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/scanners/nextjs-middleware.test.js

@@ -0,0 +1,193 @@
+import { describe, it, expect } from "vitest";
+import { parseMatcherConfig, matcherCoversApi, scanNextjsMiddleware, } from "../../scanners/nextjs-middleware.js";
+import path from "node:path";
+import fs from "node:fs";
+import os from "node:os";
+describe("parseMatcherConfig", () => {
+    it("parses single string matcher", () => {
+        const content = `
+export const config = {
+  matcher: '/dashboard/:path*'
+};
+`;
+        const matchers = parseMatcherConfig(content);
+        expect(matchers).toEqual(["/dashboard/:path*"]);
+    });
+    it("parses array matcher", () => {
+        const content = `
+export const config = {
+  matcher: ['/dashboard/:path*', '/admin/:path*']
+};
+`;
+        const matchers = parseMatcherConfig(content);
+        expect(matchers).toEqual(["/dashboard/:path*", "/admin/:path*"]);
+    });
+    it("returns null when no config export", () => {
+        const content = `
+export function middleware(request) {
+  return NextResponse.next();
+}
+`;
+        const matchers = parseMatcherConfig(content);
+        expect(matchers).toBeNull();
+    });
+    it("parses complex negation pattern", () => {
+        const content = `
+export const config = {
+  matcher: '/((?!_next/static|_next/image|favicon.ico).*)'
+};
+`;
+        const matchers = parseMatcherConfig(content);
+        expect(matchers).toEqual(["/((?!_next/static|_next/image|favicon.ico).*)"]);
+    });
+});
+describe("matcherCoversApi", () => {
+    it("returns true for direct /api match", () => {
+        expect(matcherCoversApi(["/api"])).toBe(true);
+        expect(matcherCoversApi(["/api/:path*"])).toBe(true);
+    });
+    it("returns true for patterns starting with /api", () => {
+        expect(matcherCoversApi(["/api/users/:path*"])).toBe(true);
+    });
+    it("returns true for catch-all patterns", () => {
+        expect(matcherCoversApi(["/:path*"])).toBe(true);
+    });
+    it("returns true for negation patterns not excluding api", () => {
+        expect(matcherCoversApi(["/((?!_next/static|_next/image|favicon.ico).*)"])).toBe(true);
+    });
+    it("returns false for dashboard-only patterns", () => {
+        expect(matcherCoversApi(["/dashboard/:path*"])).toBe(false);
+    });
+    it("returns false for unrelated patterns", () => {
+        expect(matcherCoversApi(["/admin", "/profile"])).toBe(false);
+    });
+});
+describe("scanNextjsMiddleware", () => {
+    function createNextProject(tmpDir, options = {}) {
+        // Create package.json
+        const pkg = {
+            name: "test-app",
+            dependencies: {
+                next: "14.0.0",
+                ...(options.hasNextAuth && { "next-auth": "4.0.0" }),
+            },
+        };
+        fs.writeFileSync(path.join(tmpDir, "package.json"), JSON.stringify(pkg));
+        // Create middleware if specified
+        if (options.hasMiddleware && options.middlewareContent) {
+            fs.writeFileSync(path.join(tmpDir, "middleware.ts"), options.middlewareContent);
+        }
+        // Create API routes if specified
+        if (options.hasApiRoutes) {
+            const apiDir = path.join(tmpDir, "app", "api", "users");
+            fs.mkdirSync(apiDir, { recursive: true });
+            fs.writeFileSync(path.join(apiDir, "route.ts"), `export async function GET() { return Response.json({}); }`);
+        }
+    }
+    it("returns no findings for non-Next.js project", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        try {
+            fs.writeFileSync(path.join(tmpDir, "package.json"), JSON.stringify({ name: "test" }));
+            const context = {
+                targetDir: tmpDir,
+                sourceFiles: [],
+            };
+            const findings = await scanNextjsMiddleware(context);
+            expect(findings).toHaveLength(0);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("returns no findings when no API routes exist", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        try {
+            createNextProject(tmpDir, { hasApiRoutes: false });
+            const context = {
+                targetDir: tmpDir,
+                sourceFiles: [],
+            };
+            const findings = await scanNextjsMiddleware(context);
+            expect(findings).toHaveLength(0);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("finds missing middleware with next-auth", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        try {
+            createNextProject(tmpDir, {
+                hasNextAuth: true,
+                hasApiRoutes: true,
+            });
+            const context = {
+                targetDir: tmpDir,
+                sourceFiles: [],
+            };
+            const findings = await scanNextjsMiddleware(context);
+            expect(findings).toHaveLength(1);
+            expect(findings[0].ruleId).toBe("VC-AUTH-INFO-001");
+            expect(findings[0].severity).toBe("medium");
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("finds middleware not covering API routes", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        try {
+            createNextProject(tmpDir, {
+                hasMiddleware: true,
+                middlewareContent: `
+export function middleware(request) {
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: '/dashboard/:path*'
+};
+`,
+                hasApiRoutes: true,
+            });
+            const context = {
+                targetDir: tmpDir,
+                sourceFiles: [],
+            };
+            const findings = await scanNextjsMiddleware(context);
+            expect(findings).toHaveLength(1);
+            expect(findings[0].ruleId).toBe("VC-MW-001");
+            expect(findings[0].severity).toBe("high");
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+    it("returns no findings when middleware covers API", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "vibecheck-test-"));
+        try {
+            createNextProject(tmpDir, {
+                hasMiddleware: true,
+                middlewareContent: `
+export function middleware(request) {
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ['/dashboard/:path*', '/api/:path*']
+};
+`,
+                hasApiRoutes: true,
+            });
+            const context = {
+                targetDir: tmpDir,
+                sourceFiles: [],
+            };
+            const findings = await scanNextjsMiddleware(context);
+            expect(findings).toHaveLength(0);
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true });
+        }
+    });
+});