@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/context/security-scanner.js

@@ -0,0 +1,303 @@
+/**
+ * Security Scanner Module
+ * Scans context for secrets, vulnerabilities, and sensitive data
+ */
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+/**
+ * Secret patterns to detect
+ */
+const SECRET_PATTERNS = [
+  // API Keys
+  { pattern: /AIza[0-9A-Za-z_-]{35}/, type: "Google API Key" },
+  { pattern: /AKIA[0-9A-Z]{16}/, type: "AWS Access Key" },
+  { pattern: /xoxb-[0-9]{10}-[0-9]{10}/, type: "Slack Bot Token" },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/, type: "GitHub Personal Token" },
+  { pattern: /sk_live_[0-9a-zA-Z]{24}/, type: "Stripe Live Key" },
+  { pattern: /pk_live_[0-9a-zA-Z]{24}/, type: "Stripe Publishable Key" },
+  
+  // Generic patterns
+  { pattern: /['"]?API[_-]?KEY['"]?\s*[:=]\s*['"][^'"]{8,}['"]/, type: "API Key" },
+  { pattern: /['"]?SECRET[_-]?KEY['"]?\s*[:=]\s*['"][^'"]{8,}['"]/, type: "Secret Key" },
+  { pattern: /['"]?PASSWORD['"]?\s*[:=]\s*['"][^'"]{6,}['"]/, type: "Password" },
+  { pattern: /['"]?TOKEN['"]?\s*[:=]\s*['"][^'"]{8,}['"]/, type: "Token" },
+  { pattern: /['"]?PRIVATE[_-]?KEY['"]?\s*[:=]\s*['"][^'"]{16,}['"]/, type: "Private Key" },
+  
+  // Database URLs
+  { pattern: /mongodb:\/\/[^:]+:[^@]+@/, type: "MongoDB URL" },
+  { pattern: /postgres:\/\/[^:]+:[^@]+@/, type: "PostgreSQL URL" },
+  { pattern: /mysql:\/\/[^:]+:[^@]+@/, type: "MySQL URL" },
+  
+  // JWT tokens
+  { pattern: /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/, type: "JWT Token" },
+];
+
+/**
+ * Vulnerability patterns
+ */
+const VULNERABILITY_PATTERNS = [
+  // SQL Injection
+  { pattern: /query\s*\(\s*['"]\s*\+.*\+\s*['"]/, type: "SQL Injection", severity: "high" },
+  { pattern: /execute\s*\(\s*['"]\s*\+/, type: "SQL Injection", severity: "high" },
+  
+  // XSS
+  { pattern: /dangerouslySetInnerHTML/, type: "XSS Risk", severity: "high" },
+  { pattern: /innerHTML\s*=/, type: "XSS Risk", severity: "medium" },
+  { pattern: /document\.write\s*\(/, type: "XSS Risk", severity: "high" },
+  
+  // Path Traversal
+  { pattern: /\.\.\/\.\./, type: "Path Traversal", severity: "medium" },
+  { pattern: /readFile\s*\(\s*.*\+/, type: "Path Traversal", severity: "high" },
+  
+  // Insecure Crypto
+  { pattern: /md5\s*\(/, type: "Weak Hash", severity: "medium" },
+  { pattern: /sha1\s*\(/, type: "Weak Hash", severity: "medium" },
+  
+  // Hardcoded credentials
+  { pattern: /admin\s*:\s*['"]admin['"]/, type: "Hardcoded Credentials", severity: "high" },
+  { pattern: /root\s*:\s*['"][^'"]{4,}['"]/, type: "Hardcoded Credentials", severity: "high" },
+  
+  // Debug code
+  { pattern: /console\.log\s*\(\s*password/, type: "Password in Log", severity: "high" },
+  { pattern: /console\.log\s*\(\s*token/, type: "Token in Log", severity: "high" },
+];
+
+/**
+ * Find files recursively
+ */
+function findFiles(dir, extensions, maxDepth = 5, currentDepth = 0) {
+  if (currentDepth >= maxDepth || !fs.existsSync(dir)) return [];
+  
+  const files = [];
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory() && !entry.name.startsWith(".") && entry.name !== "node_modules") {
+        files.push(...findFiles(fullPath, extensions, maxDepth, currentDepth + 1));
+      } else if (entry.isFile() && extensions.some(ext => entry.name.endsWith(ext))) {
+        files.push(fullPath);
+      }
+    }
+  } catch {}
+  return files;
+}
+
+/**
+ * Scan file for secrets
+ */
+function scanForSecrets(content, filePath) {
+  const secrets = [];
+  const lines = content.split("\n");
+  
+  for (const pattern of SECRET_PATTERNS) {
+    const matches = content.matchAll(new RegExp(pattern.pattern.source, 'g'));
+    for (const match of matches) {
+      const lineNum = content.substring(0, match.index).split("\n").length;
+      const line = lines[lineNum - 1];
+      
+      secrets.push({
+        type: pattern.type,
+        file: path.relative(process.cwd(), filePath).replace(/\\/g, "/"),
+        line: lineNum,
+        content: line.trim(),
+        severity: "critical",
+      });
+    }
+  }
+  
+  return secrets;
+}
+
+/**
+ * Scan file for vulnerabilities
+ */
+function scanForVulnerabilities(content, filePath) {
+  const vulnerabilities = [];
+  const lines = content.split("\n");
+  
+  for (const pattern of VULNERABILITY_PATTERNS) {
+    const matches = content.matchAll(new RegExp(pattern.pattern.source, 'g'));
+    for (const match of matches) {
+      const lineNum = content.substring(0, match.index).split("\n").length;
+      const line = lines[lineNum - 1];
+      
+      vulnerabilities.push({
+        type: pattern.type,
+        file: path.relative(process.cwd(), filePath).replace(/\\/g, "/"),
+        line: lineNum,
+        content: line.trim(),
+        severity: pattern.severity || "medium",
+        recommendation: getRecommendation(pattern.type),
+      });
+    }
+  }
+  
+  return vulnerabilities;
+}
+
+/**
+ * Get recommendation for vulnerability type
+ */
+function getRecommendation(type) {
+  const recommendations = {
+    "SQL Injection": "Use parameterized queries or prepared statements",
+    "XSS Risk": "Sanitize user input and use textContent instead of innerHTML",
+    "Path Traversal": "Validate and sanitize file paths, use path.join()",
+    "Weak Hash": "Use stronger hashing algorithms like bcrypt or Argon2",
+    "Hardcoded Credentials": "Use environment variables for credentials",
+    "Password in Log": "Remove sensitive data from logs",
+    "Token in Log": "Remove sensitive data from logs",
+  };
+  
+  return recommendations[type] || "Review and fix the security issue";
+}
+
+/**
+ * Scan project for security issues
+ */
+function scanProject(projectPath) {
+  const files = findFiles(projectPath, [".ts", ".tsx", ".js", ".jsx", ".json", ".env*", ".yml", ".yaml"], 5);
+  
+  const results = {
+    secrets: [],
+    vulnerabilities: [],
+    stats: {
+      totalFiles: files.length,
+      filesWithSecrets: 0,
+      filesWithVulnerabilities: 0,
+      criticalIssues: 0,
+      highIssues: 0,
+      mediumIssues: 0,
+    },
+    scanned: new Date().toISOString(),
+  };
+  
+  for (const file of files) {
+    try {
+      const content = fs.readFileSync(file, "utf-8");
+      const relativePath = path.relative(projectPath, file).replace(/\\/g, "/");
+      
+      // Skip certain files
+      if (relativePath.includes("node_modules") || 
+          relativePath.includes(".git") ||
+          relativePath.includes("dist/") ||
+          relativePath.includes("build/")) {
+        continue;
+      }
+      
+      const secrets = scanForSecrets(content, file);
+      const vulnerabilities = scanForVulnerabilities(content, file);
+      
+      if (secrets.length > 0) {
+        results.secrets.push(...secrets);
+        results.stats.filesWithSecrets++;
+      }
+      
+      if (vulnerabilities.length > 0) {
+        results.vulnerabilities.push(...vulnerabilities);
+        results.stats.filesWithVulnerabilities++;
+      }
+      
+      // Count severity
+      for (const issue of [...secrets, ...vulnerabilities]) {
+        switch (issue.severity) {
+          case "critical":
+            results.stats.criticalIssues++;
+            break;
+          case "high":
+            results.stats.highIssues++;
+            break;
+          case "medium":
+            results.stats.mediumIssues++;
+            break;
+        }
+      }
+    } catch {}
+  }
+  
+  return results;
+}
+
+/**
+ * Generate security report
+ */
+function generateSecurityReport(results) {
+  let report = `# Security Scan Report\n\n`;
+  report += `Scanned: ${new Date(results.scanned).toLocaleString()}\n`;
+  report += `Total Files: ${results.stats.totalFiles}\n\n`;
+  
+  // Summary
+  report += `## Summary\n\n`;
+  report += `- Files with Secrets: ${results.stats.filesWithSecrets}\n`;
+  report += `- Files with Vulnerabilities: ${results.stats.filesWithVulnerabilities}\n`;
+  report += `- Critical Issues: ${results.stats.criticalIssues}\n`;
+  report += `- High Issues: ${results.stats.highIssues}\n`;
+  report += `- Medium Issues: ${results.stats.mediumIssues}\n\n`;
+  
+  // Secrets
+  if (results.secrets.length > 0) {
+    report += `## 🔑 Secrets Found (${results.secrets.length})\n\n`;
+    for (const secret of results.secrets) {
+      report += `### ${secret.type} - ${secret.file}:${secret.line}\n`;
+      report += `\`\`\`\n${secret.content}\n\`\`\`\n\n`;
+    }
+  }
+  
+  // Vulnerabilities
+  if (results.vulnerabilities.length > 0) {
+    report += `## 🚨 Vulnerabilities Found (${results.vulnerabilities.length})\n\n`;
+    for (const vuln of results.vulnerabilities) {
+      const icon = vuln.severity === "critical" ? "🔴" : 
+                   vuln.severity === "high" ? "🟠" : "🟡";
+      report += `### ${icon} ${vuln.type} - ${vuln.file}:${vuln.line}\n`;
+      report += `**Severity:** ${vuln.severity}\n`;
+      report += `**Recommendation:** ${vuln.recommendation}\n\n`;
+      report += `\`\`\`\n${vuln.content}\n\`\`\`\n\n`;
+    }
+  }
+  
+  if (results.secrets.length === 0 && results.vulnerabilities.length === 0) {
+    report += `## ✅ No Security Issues Found\n\n`;
+    report += `Great job! No secrets or obvious vulnerabilities were detected.\n`;
+  }
+  
+  return report;
+}
+
+/**
+ * Filter content for safe AI consumption
+ */
+function filterForAI(content) {
+  let filtered = content;
+  
+  // Remove detected secrets
+  for (const pattern of SECRET_PATTERNS) {
+    filtered = filtered.replace(pattern.pattern, "[REDACTED_SECRET]");
+  }
+  
+  // Remove sensitive lines
+  const lines = filtered.split("\n");
+  const safeLines = lines.filter(line => {
+    const lower = line.toLowerCase();
+    return !lower.includes("password") &&
+           !lower.includes("secret") &&
+           !lower.includes("private_key") &&
+           !lower.includes("api_key") &&
+           !line.includes("console.log") &&
+           !line.includes("debugger");
+  });
+  
+  return safeLines.join("\n");
+}
+
+module.exports = {
+  scanProject,
+  generateSecurityReport,
+  filterForAI,
+  SECRET_PATTERNS,
+  VULNERABILITY_PATTERNS,
+};

package/bin/runners/context/semantic-search.js

@@ -0,0 +1,350 @@
+/**
+ * Semantic Code Search Module
+ * Embeds code chunks for natural language queries
+ */
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+/**
+ * Simple TF-IDF vectorizer for semantic search
+ * In production, would use OpenAI embeddings or similar
+ */
+class SimpleVectorizer {
+  constructor() {
+    this.vocabulary = new Map();
+    this.idf = new Map();
+    this.documents = [];
+  }
+  
+  /**
+   * Tokenize text into words
+   */
+  tokenize(text) {
+    return text
+      .toLowerCase()
+      .replace(/[^\w\s]/g, " ")
+      .split(/\s+/)
+      .filter(word => word.length > 2);
+  }
+  
+  /**
+   * Build vocabulary from documents
+   */
+  fit(documents) {
+    this.documents = documents;
+    const docCount = documents.length;
+    const docFreq = new Map();
+    
+    // Count document frequency for each term
+    for (const doc of documents) {
+      const tokens = new Set(this.tokenize(doc));
+      for (const token of tokens) {
+        docFreq.set(token, (docFreq.get(token) || 0) + 1);
+      }
+    }
+    
+    // Calculate IDF
+    for (const [term, freq] of docFreq) {
+      this.idf.set(term, Math.log(docCount / freq));
+      this.vocabulary.set(term, this.vocabulary.size);
+    }
+  }
+  
+  /**
+   * Transform document to TF-IDF vector
+   */
+  transform(text) {
+    const tokens = this.tokenize(text);
+    const tf = new Map();
+    
+    // Count term frequency
+    for (const token of tokens) {
+      tf.set(token, (tf.get(token) || 0) + 1);
+    }
+    
+    // Create vector
+    const vector = new Array(this.vocabulary.size).fill(0);
+    for (const [term, count] of tf) {
+      if (this.vocabulary.has(term)) {
+        const idx = this.vocabulary.get(term);
+        vector[idx] = (count / tokens.length) * this.idf.get(term);
+      }
+    }
+    
+    return vector;
+  }
+  
+  /**
+   * Calculate cosine similarity between vectors
+   */
+  cosineSimilarity(vec1, vec2) {
+    let dotProduct = 0;
+    let norm1 = 0;
+    let norm2 = 0;
+    
+    for (let i = 0; i < vec1.length; i++) {
+      dotProduct += vec1[i] * vec2[i];
+      norm1 += vec1[i] * vec1[i];
+      norm2 += vec2[i] * vec2[i];
+    }
+    
+    return dotProduct / (Math.sqrt(norm1) * Math.sqrt(norm2));
+  }
+}
+
+/**
+ * Find files recursively
+ */
+function findFiles(dir, extensions, maxDepth = 5, currentDepth = 0) {
+  if (currentDepth >= maxDepth || !fs.existsSync(dir)) return [];
+  
+  const files = [];
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory() && !entry.name.startsWith(".") && entry.name !== "node_modules") {
+        files.push(...findFiles(fullPath, extensions, maxDepth, currentDepth + 1));
+      } else if (entry.isFile() && extensions.some(ext => entry.name.endsWith(ext))) {
+        files.push(fullPath);
+      }
+    }
+  } catch {}
+  return files;
+}
+
+/**
+ * Extract code chunks with context
+ */
+function extractCodeChunks(filePath, maxSize = 1000) {
+  const chunks = [];
+  try {
+    const content = fs.readFileSync(filePath, "utf-8");
+    const lines = content.split("\n");
+    
+    // Extract functions, classes, and important blocks
+    let currentChunk = [];
+    let startLine = 0;
+    let inFunction = false;
+    let inClass = false;
+    let braceCount = 0;
+    
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      currentChunk.push(line);
+      
+      // Detect function/class start
+      if (line.match(/^(function|class|export\s+(function|class)|const\s+\w+\s*=|async\s+function)/)) {
+        startLine = i;
+        inFunction = true;
+        braceCount = (line.match(/{/g) || []).length - (line.match(/}/g) || []).length;
+      }
+      
+      // Track braces for function boundaries
+      if (inFunction) {
+        braceCount += (line.match(/{/g) || []).length - (line.match(/}/g) || []).length;
+        
+        if (braceCount <= 0 || line.trim().endsWith("}") || line.trim().endsWith("});")) {
+          // End of function
+          const chunkText = currentChunk.join("\n");
+          if (chunkText.length < maxSize) {
+            chunks.push({
+              text: chunkText,
+              file: path.relative(process.cwd(), filePath).replace(/\\/g, "/"),
+              startLine: startLine + 1,
+              endLine: i + 1,
+              type: "function",
+            });
+          }
+          currentChunk = [];
+          inFunction = false;
+          braceCount = 0;
+        }
+      }
+      
+      // Split large chunks
+      if (currentChunk.length > 50) {
+        const chunkText = currentChunk.join("\n");
+        if (chunkText.length < maxSize) {
+          chunks.push({
+            text: chunkText,
+            file: path.relative(process.cwd(), filePath).replace(/\\/g, "/"),
+            startLine: startLine + 1,
+            endLine: i + 1,
+            type: "block",
+          });
+        }
+        currentChunk = [];
+        startLine = i + 1;
+      }
+    }
+    
+    // Add remaining chunk if significant
+    if (currentChunk.length > 5) {
+      const chunkText = currentChunk.join("\n");
+      if (chunkText.length < maxSize) {
+        chunks.push({
+          text: chunkText,
+          file: path.relative(process.cwd(), filePath).replace(/\\/g, "/"),
+          startLine: startLine + 1,
+          endLine: lines.length,
+          type: "block",
+        });
+      }
+    }
+  } catch {}
+  
+  return chunks;
+}
+
+/**
+ * Build semantic search index
+ */
+function buildSearchIndex(projectPath) {
+  const files = findFiles(projectPath, [".ts", ".tsx", ".js", ".jsx"], 5);
+  const chunks = [];
+  
+  // Extract code chunks
+  for (const file of files) {
+    const fileChunks = extractCodeChunks(file);
+    chunks.push(...fileChunks);
+  }
+  
+  // Create vectorizer and fit
+  const vectorizer = new SimpleVectorizer();
+  const documents = chunks.map(c => c.text);
+  vectorizer.fit(documents);
+  
+  // Create embeddings
+  const embeddings = chunks.map((chunk, idx) => ({
+    ...chunk,
+    vector: vectorizer.transform(chunk.text),
+    id: crypto.createHash("md5").update(chunk.text).digest("hex").slice(0, 8),
+  }));
+  
+  return {
+    vectorizer,
+    embeddings,
+    totalChunks: chunks.length,
+    totalFiles: files.length,
+  };
+}
+
+/**
+ * Search code semantically
+ */
+function semanticSearch(index, query, limit = 10) {
+  const queryVector = index.vectorizer.transform(query);
+  const results = [];
+  
+  for (const embedding of index.embeddings) {
+    const similarity = index.vectorizer.cosineSimilarity(queryVector, embedding.vector);
+    if (similarity > 0.1) { // Threshold
+      results.push({
+        ...embedding,
+        similarity,
+      });
+    }
+  }
+  
+  return results
+    .sort((a, b) => b.similarity - a.similarity)
+    .slice(0, limit);
+}
+
+/**
+ * Save search index
+ */
+function saveSearchIndex(projectPath, index) {
+  const vibecheckDir = path.join(projectPath, ".vibecheck");
+  if (!fs.existsSync(vibecheckDir)) {
+    fs.mkdirSync(vibecheckDir, { recursive: true });
+  }
+  
+  const indexData = {
+    version: "1.0.0",
+    created: new Date().toISOString(),
+    totalChunks: index.totalChunks,
+    totalFiles: index.totalFiles,
+    vocabulary: Array.from(index.vectorizer.vocabulary.keys()),
+    idf: Object.fromEntries(index.vectorizer.idf),
+    embeddings: index.embeddings.map(e => ({
+      id: e.id,
+      file: e.file,
+      startLine: e.startLine,
+      endLine: e.endLine,
+      type: e.type,
+      vector: e.vector,
+    })),
+  };
+  
+  fs.writeFileSync(
+    path.join(vibecheckDir, "semantic-index.json"),
+    JSON.stringify(indexData, null, 2)
+  );
+}
+
+/**
+ * Load search index
+ */
+function loadSearchIndex(projectPath) {
+  const indexPath = path.join(projectPath, ".vibecheck", "semantic-index.json");
+  
+  if (!fs.existsSync(indexPath)) {
+    return null;
+  }
+  
+  try {
+    const data = JSON.parse(fs.readFileSync(indexPath, "utf-8"));
+    
+    // Reconstruct vectorizer
+    const vectorizer = new SimpleVectorizer();
+    data.vocabulary.forEach((term, idx) => {
+      vectorizer.vocabulary.set(term, idx);
+    });
+    vectorizer.idf = new Map(Object.entries(data.idf));
+    
+    return {
+      vectorizer,
+      embeddings: data.embeddings,
+      totalChunks: data.totalChunks,
+      totalFiles: data.totalFiles,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Generate semantic search report
+ */
+function generateSearchReport(results, query) {
+  let report = `# Semantic Search Results\n\n`;
+  report += `Query: "${query}"\n`;
+  report += `Found: ${results.length} results\n\n`;
+  
+  for (const result of results) {
+    report += `## ${result.file}:${result.startLine}-${result.endLine}\n`;
+    report += `**Similarity:** ${(result.similarity * 100).toFixed(1)}%\n`;
+    report += `**Type:** ${result.type}\n\n`;
+    report += `\`\`\`${path.extname(result.file).slice(1)}\n`;
+    report += result.text.split("\n").slice(0, 10).join("\n");
+    if (result.text.split("\n").length > 10) {
+      report += "\n...";
+    }
+    report += "\n\`\`\`\n\n";
+  }
+  
+  return report;
+}
+
+module.exports = {
+  buildSearchIndex,
+  semanticSearch,
+  saveSearchIndex,
+  loadSearchIndex,
+  generateSearchReport,
+  SimpleVectorizer,
+};