@quantracode/vibecheck 0.4.0 → 0.4.1

package/dist/index.d.ts

@@ -1,4 +1,4 @@
 #!/usr/bin/env node
-declare const CLI_VERSION = "0.4.0";
+declare const CLI_VERSION = "0.4.1";
 
 export { CLI_VERSION };

package/dist/index.js

@@ -659,7 +659,7 @@ function validateArtifact(json) {
 }
 
 // src/constants.ts
-var CLI_VERSION = "0.4.0";
+var CLI_VERSION = "0.4.1";
 
 // src/utils/file-utils.ts
 import fs from "fs";
@@ -2333,6 +2333,61 @@ async function buildScanContext(repoRoot, options = {}) {
   };
 }
 
+// src/scanners/helpers/patch-generator.ts
+import { readFileSync as readFileSync4 } from "fs";
+function generateFunctionStartPatch(repoRoot, relPath, functionStartLine, codeToInsert, contextLines = 3) {
+  try {
+    const absPath = resolvePath(repoRoot, relPath);
+    const content = readFileSync4(absPath, "utf-8");
+    const lines = content.split("\n");
+    let bodyStartLine = functionStartLine;
+    for (let i = functionStartLine - 1; i < lines.length; i++) {
+      if (lines[i].includes("{")) {
+        bodyStartLine = i + 1;
+        break;
+      }
+    }
+    const contextBefore = lines.slice(
+      Math.max(0, bodyStartLine - contextLines),
+      bodyStartLine
+    );
+    const contextAfter = lines.slice(
+      bodyStartLine,
+      Math.min(lines.length, bodyStartLine + contextLines)
+    );
+    const firstLineAfterBrace = lines[bodyStartLine];
+    const indentation = firstLineAfterBrace?.match(/^(\s*)/)?.[1] || "  ";
+    const insertLines = codeToInsert.split("\n").map((line) => {
+      if (line.trim() === "") return "";
+      return indentation + line;
+    });
+    const oldStartLine = bodyStartLine - contextBefore.length + 1;
+    const oldLineCount = contextBefore.length + contextAfter.length;
+    const newLineCount = oldLineCount + insertLines.length;
+    const diffLines = [];
+    diffLines.push(`--- a/${relPath.replace(/\\/g, "/")}`);
+    diffLines.push(`+++ b/${relPath.replace(/\\/g, "/")}`);
+    diffLines.push(
+      `@@ -${oldStartLine},${oldLineCount} +${oldStartLine},${newLineCount} @@`
+    );
+    for (const line of contextBefore) {
+      diffLines.push(" " + line);
+    }
+    for (const line of insertLines) {
+      diffLines.push("+" + line);
+    }
+    if (contextAfter.length > 0 && contextAfter[0].trim() !== "") {
+      diffLines.push("+");
+    }
+    for (const line of contextAfter) {
+      diffLines.push(" " + line);
+    }
+    return diffLines.join("\n");
+  } catch (error) {
+    return "";
+  }
+}
+
 // src/scanners/auth/unprotected-api-route.ts
 var RULE_ID = "VC-AUTH-001";
 var STATE_CHANGING_METHODS = ["POST", "PUT", "PATCH", "DELETE"];
@@ -2396,6 +2451,19 @@ async function scanUnprotectedApiRoutes(context) {
         route: routePath
       });
       const sinkOperations = sinks.map((s) => `${s.kind}.${s.operation}`).join(", ");
+      const authCheckCode = `const session = await getServerSession(authOptions);
+if (!session) {
+  return new Response(JSON.stringify({ error: "Unauthorized" }), {
+    status: 401,
+    headers: { "Content-Type": "application/json" }
+  });
+}`;
+      const patch = generateFunctionStartPatch(
+        repoRoot,
+        relPath,
+        handler.startLine,
+        authCheckCode
+      );
       findings.push({
         id: generateFindingId({
           ruleId: RULE_ID,
@@ -2411,14 +2479,8 @@ async function scanUnprotectedApiRoutes(context) {
         evidence,
         remediation: {
           recommendedFix: `Add authentication to the ${handler.method} handler. Check for a valid session using getServerSession(), auth(), or similar before performing database operations.`,
-          patch: `// Add at the start of your handler:
-const session = await getServerSession(authOptions);
-if (!session) {
-  return new Response(JSON.stringify({ error: "Unauthorized" }), {
-    status: 401,
-    headers: { "Content-Type": "application/json" }
-  });
-}`
+          patch: patch || void 0
+          // Only include patch if generation succeeded
         },
         links: {
           owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
@@ -2521,19 +2583,8 @@ async function scanMiddlewareGap(context) {
         description: `This Next.js project uses next-auth but has no middleware.ts file. API routes (${fileIndex.apiRouteFiles.length} found) may lack server-side authentication enforcement. While next-auth provides session management, middleware is recommended for edge-level protection.`,
         evidence,
         remediation: {
-          recommendedFix: "Create a middleware.ts file that checks authentication for protected routes. See: https://next-auth.js.org/configuration/nextjs#middleware",
-          patch: `// middleware.ts
-import { withAuth } from "next-auth/middleware";
-
-export default withAuth({
-  callbacks: {
-    authorized: ({ token }) => !!token,
-  },
-});
-
-export const config = {
-  matcher: ["/api/:path*", "/dashboard/:path*"],
-};`
+          recommendedFix: "Create a middleware.ts file that checks authentication for protected routes. Use next-auth's withAuth helper with a matcher config for /api/:path* and other protected routes. See: https://next-auth.js.org/configuration/nextjs#middleware"
+          // No patch for file creation - apply-patches only handles modifications to existing files
         },
         links: {
           owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
@@ -2595,6 +2646,7 @@ export const config = {
       evidence,
       remediation: {
         recommendedFix: `Update the middleware matcher to include API routes. Example: matcher: ['/((?!_next/static|_next/image|favicon.ico).*)', '/api/:path*']`
+        // No patch for middleware matcher updates - requires understanding the full matcher pattern and what should be included/excluded
       },
       links: {
         owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
@@ -2656,14 +2708,8 @@ async function scanIgnoredValidation(context) {
             category: "validation",
             evidence,
             remediation: {
-              recommendedFix: `Assign the validation result to a variable and use the validated data instead of the raw input.`,
-              patch: usage.library === "zod" ? `// Instead of:
-schema.parse(data);
-
-// Do:
-const validatedData = schema.parse(data);
-// Use validatedData for all subsequent operations` : `// Assign and use the validated result
-const validatedData = await schema.validate(data);`
+              recommendedFix: `Assign the validation result to a variable and use the validated data instead of the raw input. For Zod: const validatedData = schema.parse(data). For Yup/Joi: const validatedData = await schema.validate(data). Then use validatedData for all operations.`
+              // No patch for validation fixes - requires knowing actual variable names and how to replace raw body usage
             },
             links: {
               cwe: "https://cwe.mitre.org/data/definitions/20.html"
@@ -2787,35 +2833,8 @@ async function scanClientSideOnlyValidation(context) {
         category: "validation",
         evidence,
         remediation: {
-          recommendedFix: `Add server-side validation using the same schema. Consider sharing schemas between frontend and backend.`,
-          patch: `// Share your Zod schema between frontend and backend:
-// lib/schemas/user.ts
-import { z } from "zod";
-
-export const createUserSchema = z.object({
-  name: z.string().min(1),
-  email: z.string().email(),
-});
-
-// In your API route:
-import { createUserSchema } from "@/lib/schemas/user";
-
-export async function POST(request: Request) {
-  const body = await request.json();
-
-  // Server-side validation
-  const result = createUserSchema.safeParse(body);
-  if (!result.success) {
-    return Response.json(
-      { error: result.error.flatten() },
-      { status: 400 }
-    );
-  }
-
-  // Use validated data
-  const { name, email } = result.data;
-  // ...
-}`
+          recommendedFix: `Add server-side validation using the same schema. Consider sharing schemas between frontend and backend. Example with Zod: const result = schema.safeParse(body); if (!result.success) return Response.json({ error: result.error }, { status: 400 }); then use result.data for validated values.`
+          // No patch for validation addition - requires knowing the validation schema structure and which fields to validate
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/20.html",
@@ -2885,12 +2904,8 @@ async function scanSensitiveLogging(context) {
         category: "privacy",
         evidence,
         remediation: {
-          recommendedFix: `Remove sensitive data from log statements. Only log non-sensitive identifiers like user IDs, timestamps, or action types.`,
-          patch: `// Instead of:
-console.log("Login:", { email, password });
-
-// Do:
-console.log("Login attempt:", { email, timestamp: Date.now() });`
+          recommendedFix: `Remove sensitive data from log statements. Only log non-sensitive identifiers like user IDs, timestamps, or action types. Never log passwords, tokens, auth headers, secrets, or API keys.`
+          // No patch for sensitive logging - requires understanding which data is needed for debugging vs which should be redacted
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/532.html",
@@ -2967,20 +2982,8 @@ async function scanOverBroadResponse(context) {
           category: "privacy",
           evidence,
           remediation: {
-            recommendedFix: `Use Prisma's \`select\` clause to explicitly choose which fields to return. Never expose password hashes, tokens, or other sensitive data in API responses.`,
-            patch: `// Instead of:
-const users = await prisma.${query.model.toLowerCase()}.${query.operation}();
-
-// Use select to return only needed fields:
-const users = await prisma.${query.model.toLowerCase()}.${query.operation}({
-  select: {
-    id: true,
-    name: true,
-    email: true,
-    createdAt: true,
-    // Explicitly omit: password, passwordHash, tokens, etc.
-  },
-});`
+            recommendedFix: `Use Prisma's \`select\` clause to explicitly choose which fields to return. Never expose password hashes, tokens, or other sensitive data in API responses. Example: prisma.user.findMany({ select: { id: true, name: true, email: true } }) - only include fields the API consumer needs.`
+            // No patch for over-broad responses - requires understanding which fields are needed by the API consumer
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/359.html",
@@ -3078,17 +3081,8 @@ async function scanDebugFlags(context) {
         category: "config",
         evidence,
         remediation: {
-          recommendedFix: `Ensure debug flags are only enabled in development. Use environment variables or NODE_ENV checks.`,
-          patch: `// Guard debug flags with environment check:
-const isDev = process.env.NODE_ENV === 'development';
-
-module.exports = {
-  // Only enable in development
-  ...(isDev && { debug: true }),
-
-  // Or use environment variable:
-  debug: process.env.DEBUG === 'true',
-};`
+          recommendedFix: `Ensure debug flags are only enabled in development. Use environment variables or NODE_ENV checks. Example: ...(process.env.NODE_ENV === 'development' && { debug: true }) or debug: process.env.DEBUG === 'true'.`
+          // No patch for debug flag fixes - requires understanding config structure and which flags to guard
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/489.html",
@@ -3338,30 +3332,8 @@ async function scanSsrfProneFetch(context) {
           category: "network",
           evidence,
           remediation: {
-            recommendedFix: `Validate and sanitize the URL before use. Use an allowlist of permitted domains or URL patterns. Never allow requests to internal networks, localhost, or cloud metadata endpoints.`,
-            patch: `// Validate URL before fetching
-const url = new URL(userProvidedUrl);
-
-// Check against allowlist
-const allowedHosts = ["api.example.com", "cdn.example.com"];
-if (!allowedHosts.includes(url.hostname)) {
-  throw new Error("URL not allowed");
-}
-
-// Block internal addresses
-const blockedPatterns = [
-  /^localhost$/i,
-  /^127\\.\\d+\\.\\d+\\.\\d+$/,
-  /^10\\.\\d+\\.\\d+\\.\\d+$/,
-  /^172\\.(1[6-9]|2[0-9]|3[0-1])\\.\\d+\\.\\d+$/,
-  /^192\\.168\\.\\d+\\.\\d+$/,
-  /^169\\.254\\.169\\.254$/, // AWS metadata
-];
-if (blockedPatterns.some(p => p.test(url.hostname))) {
-  throw new Error("URL not allowed");
-}
-
-const response = await fetch(url.toString());`
+            recommendedFix: `Validate and sanitize the URL before use. Use an allowlist of permitted domains or URL patterns. Block requests to internal networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x), localhost (127.x.x.x), and cloud metadata endpoints (169.254.169.254). Parse with new URL() and validate url.hostname.`
+            // No patch for SSRF validation - requires defining application-specific allowlist of permitted domains
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/918.html",
@@ -3420,22 +3392,8 @@ async function scanOpenRedirect(context) {
           category: "network",
           evidence,
           remediation: {
-            recommendedFix: `Validate the redirect URL against an allowlist of permitted paths or domains. Never redirect to arbitrary user-provided URLs without validation.`,
-            patch: `// Validate redirect URL before use
-const allowedPaths = ['/dashboard', '/profile', '/settings'];
-const redirectUrl = searchParams.get('next') || '/';
-
-// Option 1: Only allow relative paths
-if (!redirectUrl.startsWith('/') || redirectUrl.startsWith('//')) {
-  return NextResponse.redirect(new URL('/', request.url));
-}
-
-// Option 2: Allowlist check
-if (!allowedPaths.some(path => redirectUrl.startsWith(path))) {
-  return NextResponse.redirect(new URL('/', request.url));
-}
-
-return NextResponse.redirect(new URL(redirectUrl, request.url));`
+            recommendedFix: `Validate the redirect URL against an allowlist of permitted paths or domains. Never redirect to arbitrary user-provided URLs without validation. Options: (1) Only allow relative paths: check !url.startsWith('/') || url.startsWith('//'), (2) Use allowlist: check allowedPaths.some(path => url.startsWith(path)).`
+            // No patch for redirect validation - requires defining application-specific allowlist of permitted paths/domains
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/601.html",
@@ -3493,26 +3451,8 @@ async function scanCorsMisconfiguration(context) {
         category: "network",
         evidence,
         remediation: {
-          recommendedFix: `When using credentials, you must specify explicit allowed origins instead of "*". Use an allowlist of trusted domains.`,
-          patch: `// Instead of:
-// cors({ origin: "*", credentials: true })
-
-// Use an allowlist:
-const allowedOrigins = [
-  'https://app.example.com',
-  'https://admin.example.com',
-];
-
-app.use(cors({
-  origin: (origin, callback) => {
-    if (!origin || allowedOrigins.includes(origin)) {
-      callback(null, true);
-    } else {
-      callback(new Error('Not allowed by CORS'));
-    }
-  },
-  credentials: true,
-}));`
+          recommendedFix: `When using credentials, you must specify explicit allowed origins instead of "*". Use an allowlist of trusted domains. Example: cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error('Not allowed')); }, credentials: true })`
+          // No patch for CORS fixes - requires defining application-specific allowlist of trusted origins
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/942.html",
@@ -3569,28 +3509,8 @@ async function scanMissingTimeout(context) {
           category: "network",
           evidence,
           remediation: {
-            recommendedFix: `Add a timeout to prevent indefinite hangs. For fetch, use AbortController; for axios, use the timeout option.`,
-            patch: `// For fetch, use AbortController:
-const controller = new AbortController();
-const timeoutId = setTimeout(() => controller.abort(), 5000);
-
-try {
-  const response = await fetch(url, {
-    signal: controller.signal,
-  });
-  clearTimeout(timeoutId);
-  return response;
-} catch (error) {
-  if (error.name === 'AbortError') {
-    throw new Error('Request timed out');
-  }
-  throw error;
-}
-
-// For axios:
-const response = await axios.get(url, {
-  timeout: 5000,
-});`
+            recommendedFix: `Add a timeout to prevent indefinite hangs. For fetch, use AbortController with setTimeout(() => controller.abort(), 5000) and handle AbortError. For axios, add timeout: 5000 to options. Choose timeout duration based on expected response times.`
+            // No patch for timeout fixes - implementation varies by method (fetch vs axios) and requires choosing appropriate timeout duration
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/400.html"
@@ -3860,19 +3780,8 @@ async function scanNextAuthNotEnforced(context) {
       category: "auth",
       evidence,
       remediation: {
-        recommendedFix: "Add authentication middleware or explicit auth checks to API routes. See https://next-auth.js.org/configuration/nextjs",
-        patch: `// middleware.ts
-import { withAuth } from "next-auth/middleware";
-
-export default withAuth({
-  callbacks: {
-    authorized: ({ token }) => !!token,
-  },
-});
-
-export const config = {
-  matcher: ["/api/:path*"],
-};`
+        recommendedFix: "Add authentication middleware or explicit auth checks to API routes. Create middleware.ts using next-auth's withAuth helper with matcher for /api/:path*. See https://next-auth.js.org/configuration/nextjs"
+        // No patch for file creation - apply-patches only handles modifications to existing files
       },
       links: {
         owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
@@ -3964,33 +3873,8 @@ async function scanMissingRateLimit(context) {
         category: "middleware",
         evidence,
         remediation: {
-          recommendedFix: `Add rate limiting to protect against abuse. Consider using @upstash/ratelimit for serverless, or express-rate-limit for Express apps.`,
-          patch: `// Using @upstash/ratelimit with Vercel KV:
-import { Ratelimit } from "@upstash/ratelimit";
-import { kv } from "@vercel/kv";
-
-const ratelimit = new Ratelimit({
-  redis: kv,
-  limiter: Ratelimit.slidingWindow(10, "60 s"), // 10 requests per minute
-});
-
-export async function POST(request: Request) {
-  const ip = request.headers.get("x-forwarded-for") ?? "127.0.0.1";
-  const { success, limit, reset, remaining } = await ratelimit.limit(ip);
-
-  if (!success) {
-    return new Response("Too Many Requests", {
-      status: 429,
-      headers: {
-        "X-RateLimit-Limit": limit.toString(),
-        "X-RateLimit-Remaining": remaining.toString(),
-        "X-RateLimit-Reset": reset.toString(),
-      },
-    });
-  }
-
-  // ... rest of handler
-}`
+          recommendedFix: `Add rate limiting to protect against abuse. For serverless: use @upstash/ratelimit with Ratelimit.slidingWindow(10, "60 s") and check success before proceeding. For Express: use express-rate-limit middleware. Limit by IP address or user ID.`
+          // No patch for rate limiting - implementation varies by infrastructure (serverless vs traditional) and requires setup (Redis connection, identifier strategy)
         },
         links: {
           owasp: "https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html",
@@ -4052,21 +3936,8 @@ async function scanMathRandomTokens(context) {
         category: "crypto",
         evidence,
         remediation: {
-          recommendedFix: `Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values.`,
-          patch: `import { randomBytes, randomUUID } from 'crypto';
-
-// For tokens/keys (hex string):
-const token = randomBytes(32).toString('hex');
-
-// For session IDs (URL-safe base64):
-const sessionId = randomBytes(24).toString('base64url');
-
-// For UUIDs:
-const id = randomUUID();
-
-// For numbers in a range (e.g., 6-digit code):
-const code = randomBytes(4).readUInt32BE() % 1000000;
-const resetCode = code.toString().padStart(6, '0');`
+          recommendedFix: `Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values. For tokens/keys: randomBytes(32).toString('hex'). For session IDs: randomBytes(24).toString('base64url'). For UUIDs: randomUUID(). For numeric codes: randomBytes(4).readUInt32BE() % range.`
+          // No patch for crypto random fixes - the correct replacement depends on the specific use case
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/338.html",
@@ -4121,26 +3992,8 @@ async function scanJwtDecodeUnverified(context) {
         category: "crypto",
         evidence,
         remediation: {
-          recommendedFix: `Use jwt.verify() instead of jwt.decode() to ensure the token signature is valid.`,
-          patch: `import jwt from 'jsonwebtoken';
-
-// WRONG - doesn't verify signature:
-// const payload = jwt.decode(token);
-
-// CORRECT - verifies signature:
-try {
-  const payload = jwt.verify(token, process.env.JWT_SECRET);
-  // Token is valid, payload can be trusted
-} catch (error) {
-  // Token is invalid or expired
-  throw new Error('Invalid token');
-}
-
-// If you need to read claims before verification (e.g., to get kid for key lookup):
-const header = jwt.decode(token, { complete: true })?.header;
-const kid = header?.kid;
-// ... look up the correct key ...
-const payload = jwt.verify(token, key); // MUST verify before trusting`
+          recommendedFix: `Use jwt.verify() instead of jwt.decode() to ensure the token signature is valid. Example: jwt.verify(token, process.env.JWT_SECRET) with proper error handling. If you need to read claims before verification (e.g., to get kid for key lookup), decode the header first, look up the correct key, then verify with that key.`
+          // No patch for JWT fixes - requires knowing secret location and error handling context
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/347.html",
@@ -4181,30 +4034,19 @@ async function scanWeakHashing(context) {
       });
       let title;
       let description;
-      let patch;
+      let recommendedFix;
       if (usage.algorithm.startsWith("bcrypt")) {
         title = "Bcrypt with insufficient salt rounds";
         description = `Bcrypt is configured with low salt rounds (${usage.algorithm}). The cost factor should be at least 10 (ideally 12+) to provide adequate protection against brute-force attacks. Lower values make password cracking significantly faster.`;
-        patch = `import bcrypt from 'bcrypt';
-
-// Use at least 10 salt rounds (12 recommended):
-const SALT_ROUNDS = 12;
-
-const hashedPassword = await bcrypt.hash(password, SALT_ROUNDS);`;
+        recommendedFix = "Increase bcrypt salt rounds to at least 10 (12 recommended): await bcrypt.hash(password, 12)";
       } else if (usage.algorithm === "md5" || usage.algorithm === "sha1") {
         title = `Weak hash algorithm (${usage.algorithm.toUpperCase()}) ${usage.isPasswordContext ? "for password" : "detected"}`;
         description = `${usage.algorithm.toUpperCase()} is cryptographically broken and should not be used for security purposes${usage.isPasswordContext ? ", especially for passwords" : ""}. MD5 can be brute-forced or attacked with rainbow tables in seconds. SHA1 has known collision vulnerabilities.`;
-        patch = `// For passwords, use bcrypt or argon2:
-import bcrypt from 'bcrypt';
-const hashedPassword = await bcrypt.hash(password, 12);
-
-// For non-password hashing (integrity checks, etc.):
-import { createHash } from 'crypto';
-const hash = createHash('sha256').update(data).digest('hex');`;
+        recommendedFix = usage.isPasswordContext ? "For passwords, use bcrypt: await bcrypt.hash(password, 12)" : "For non-password hashing, use SHA-256: createHash('sha256').update(data).digest('hex')";
       } else {
         title = `Weak cryptographic configuration: ${usage.algorithm}`;
         description = `The cryptographic configuration "${usage.algorithm}" is considered weak and should be updated to current standards.`;
-        patch = `// Use modern, secure algorithms and configurations`;
+        recommendedFix = "Use modern, secure algorithms and configurations";
       }
       findings.push({
         id: generateFindingId({
@@ -4221,8 +4063,8 @@ const hash = createHash('sha256').update(data).digest('hex');`;
         category: "crypto",
         evidence,
         remediation: {
-          recommendedFix: usage.isPasswordContext ? "Use bcrypt with at least 10 salt rounds, or argon2id for new applications." : "Use SHA-256 or stronger for integrity checks. For passwords, use bcrypt or argon2.",
-          patch
+          recommendedFix
+          // No patch for crypto changes - too context-dependent
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/328.html",
@@ -4289,36 +4131,8 @@ async function scanMissingUploadConstraints(context) {
           category: "uploads",
           evidence,
           remediation: {
-            recommendedFix: `Add both size limits and file type validation to your upload handler.`,
-            patch: upload.uploadMethod === "multer" ? `// For multer, add limits and fileFilter:
-const upload = multer({
-  limits: {
-    fileSize: 5 * 1024 * 1024, // 5MB limit
-    files: 1, // Single file
-  },
-  fileFilter: (req, file, cb) => {
-    const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
-    if (allowedTypes.includes(file.mimetype)) {
-      cb(null, true);
-    } else {
-      cb(new Error('Invalid file type'));
-    }
-  },
-});` : `// For Next.js formData, validate the file:
-const formData = await request.formData();
-const file = formData.get('file') as File;
-
-// Check file size
-const MAX_SIZE = 5 * 1024 * 1024; // 5MB
-if (file.size > MAX_SIZE) {
-  return Response.json({ error: 'File too large' }, { status: 400 });
-}
-
-// Check file type
-const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
-if (!allowedTypes.includes(file.type)) {
-  return Response.json({ error: 'Invalid file type' }, { status: 400 });
-}`
+            recommendedFix: `Add both size limits and file type validation to your upload handler. For multer: add limits.fileSize and fileFilter callback. For Next.js formData: check file.size and file.type. Define allowed MIME types based on your use case (images, documents, etc.) and appropriate size limits.`
+            // No patch for upload constraints - requires knowing appropriate size limits and allowed file types for the specific use case
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/434.html",
@@ -4375,29 +4189,8 @@ async function scanPublicUploadPath(context) {
         category: "uploads",
         evidence,
         remediation: {
-          recommendedFix: `Store uploads outside the public directory and serve them through a controlled API endpoint. Always sanitize and generate safe filenames.`,
-          patch: `// DON'T: Write directly to public folder
-// fs.writeFile(path.join('public', filename), buffer);
-
-// DO: Store outside public with generated names
-import { randomUUID } from 'crypto';
-import path from 'path';
-
-// Generate safe filename
-const ext = path.extname(originalFilename).toLowerCase();
-const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'];
-if (!allowedExtensions.includes(ext)) {
-  throw new Error('Invalid file extension');
-}
-
-const safeFilename = \`\${randomUUID()}\${ext}\`;
-const uploadPath = path.join(process.cwd(), 'uploads', safeFilename);
-
-// Write to non-public directory
-await fs.writeFile(uploadPath, buffer);
-
-// Serve through API route:
-// GET /api/files/[id] -> Stream file from uploads directory`
+          recommendedFix: `Store uploads outside the public directory and serve them through a controlled API endpoint. Always sanitize and generate safe filenames using randomUUID() + validated extension. Store in a non-public directory (e.g., uploads/) and serve through an API route that handles authorization and content-type headers.`
+          // No patch for upload path fixes - requires restructuring file handling, creating API routes, and implementing authorization logic
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/434.html",
@@ -4755,59 +4548,25 @@ function generateDescription(match, missing, costMultiplier, routePath) {
   return `This endpoint (${routePath}) performs ${categoryDescriptions[match.category]}. Without proper controls, attackers can abuse this endpoint causing significant financial damage or service degradation. Estimated cost amplification: ${costMultiplier}x per request. Missing enforcement: ${missingText}.`;
 }
 function generateRemediation(category, missing) {
-  const patches = [];
+  const recommendations = [];
   if (missing.includes("auth")) {
-    patches.push(`// Add authentication
-const session = await getServerSession(authOptions);
-if (!session) {
-  return Response.json({ error: "Unauthorized" }, { status: 401 });
-}`);
+    recommendations.push("authentication (e.g., getServerSession with 401 for unauthorized)");
   }
   if (missing.includes("rate_limit")) {
-    patches.push(`// Add rate limiting
-import { Ratelimit } from "@upstash/ratelimit";
-const ratelimit = new Ratelimit({
-  redis: kv,
-  limiter: Ratelimit.slidingWindow(10, "60 s"),
-});
-const { success } = await ratelimit.limit(userId);
-if (!success) {
-  return Response.json({ error: "Rate limit exceeded" }, { status: 429 });
-}`);
+    recommendations.push("rate limiting (e.g., @upstash/ratelimit with sliding window)");
   }
   if (missing.includes("request_size_limit")) {
-    patches.push(`// Add request size limit
-const body = await request.json();
-const size = JSON.stringify(body).length;
-if (size > 100 * 1024) { // 100KB limit
-  return Response.json({ error: "Request too large" }, { status: 413 });
-}`);
+    recommendations.push("request size limits (check JSON.stringify(body).length, reject if > threshold)");
   }
   if (missing.includes("timeout")) {
-    patches.push(`// Add timeout
-const controller = new AbortController();
-const timeout = setTimeout(() => controller.abort(), 30000); // 30s timeout
-try {
-  const result = await expensiveOperation({ signal: controller.signal });
-} finally {
-  clearTimeout(timeout);
-}`);
+    recommendations.push("timeout enforcement (use AbortController with setTimeout)");
   }
   if (missing.includes("input_validation")) {
-    patches.push(`// Add input validation
-import { z } from "zod";
-const schema = z.object({
-  prompt: z.string().max(4000),
-  model: z.enum(["gpt-4", "gpt-3.5-turbo"]),
-});
-const { success, data } = schema.safeParse(body);
-if (!success) {
-  return Response.json({ error: "Invalid input" }, { status: 400 });
-}`);
+    recommendations.push("input validation (use Zod/Yup to validate and limit input size)");
   }
   return {
-    recommendedFix: `Add the following enforcement controls to protect against compute abuse: ${missing.map((m) => m.replace(/_/g, " ")).join(", ")}.`,
-    patch: patches.join("\n\n")
+    recommendedFix: `Add the following enforcement controls to protect against compute abuse: ${recommendations.join("; ")}.`
+    // No patch for compute abuse fixes - each requires different implementation based on the specific operation and infrastructure
   };
 }
 
@@ -11812,7 +11571,7 @@ import { resolve as resolve2, join as join4 } from "path";
 
 // src/utils/static-server.ts
 import { createServer } from "http";
-import { existsSync as existsSync2, readFileSync as readFileSync4, statSync as statSync2, readdirSync as readdirSync2 } from "fs";
+import { existsSync as existsSync2, readFileSync as readFileSync5, statSync as statSync2, readdirSync as readdirSync2 } from "fs";
 import { join as join2, extname as extname3 } from "path";
 var MIME_TYPES = {
   ".html": "text/html; charset=utf-8",
@@ -11908,7 +11667,7 @@ function handleRequest(staticDir, req, res) {
     return;
   }
   try {
-    const content = readFileSync4(filePath);
+    const content = readFileSync5(filePath);
     const contentType = getMimeType(filePath);
     res.writeHead(200, {
       "Content-Type": contentType,
@@ -11930,7 +11689,7 @@ async function startStaticServer(options) {
       if (urlPath === "/__vibecheck__/artifact" || urlPath === "/__vibecheck__/artifact.json") {
         if (artifactPath && existsSync2(artifactPath)) {
           try {
-            const content = readFileSync4(artifactPath);
+            const content = readFileSync5(artifactPath);
             res.writeHead(200, {
               "Content-Type": "application/json",
               "Content-Length": content.length,
@@ -12010,7 +11769,7 @@ function isPortAvailable(port) {
 }
 
 // src/utils/viewer-cache.ts
-import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync3, readFileSync as readFileSync5, rmSync } from "fs";
+import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync3, readFileSync as readFileSync6, rmSync } from "fs";
 import { join as join3 } from "path";
 import { homedir } from "os";
 import { execSync as execSync2 } from "child_process";
@@ -12025,7 +11784,7 @@ function getInstalledVersion() {
     return null;
   }
   try {
-    return readFileSync5(VERSION_FILE, "utf-8").trim();
+    return readFileSync6(VERSION_FILE, "utf-8").trim();
   } catch {
     return null;
   }
@@ -12303,7 +12062,7 @@ Workflow:
 }
 
 // src/commands/license.ts
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, existsSync as existsSync5, mkdirSync as mkdirSync2, unlinkSync } from "fs";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync4, existsSync as existsSync5, mkdirSync as mkdirSync2, unlinkSync } from "fs";
 import { homedir as homedir2 } from "os";
 import { join as join5 } from "path";
 import chalk from "chalk";
@@ -12531,7 +12290,7 @@ function ensureConfigDir() {
 function getStoredLicenseKey() {
   try {
     if (existsSync5(LICENSE_FILE)) {
-      return readFileSync6(LICENSE_FILE, "utf-8").trim();
+      return readFileSync7(LICENSE_FILE, "utf-8").trim();
     }
   } catch {
   }
@@ -12727,7 +12486,7 @@ async function createLicenseAction(options) {
       console.error(chalk.red(`Error: Key file not found: ${options.key}`));
       process.exit(1);
     }
-    privateKey = readFileSync6(options.key, "utf-8").trim();
+    privateKey = readFileSync7(options.key, "utf-8").trim();
   } else if (process.env[options.keyEnv]) {
     privateKey = process.env[options.keyEnv];
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@quantracode/vibecheck",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "Security scanner for modern web applications",
   "type": "module",
   "main": "./dist/index.js",
@@ -58,8 +58,8 @@
     "@types/tar": "^6.1.13",
     "tsup": "^8.5.1",
     "vitest": "^2.1.8",
-    "@vibecheck/policy": "0.0.1",
     "@vibecheck/license": "0.0.1",
+    "@vibecheck/policy": "0.0.1",
     "@vibecheck/schema": "0.0.1"
   },
   "scripts": {