npm - @vibecheckai/cli - Versions diffs - 2.8.2 → 3.0.0 - Mend

@vibecheckai/cli 2.8.2 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (454) hide show

package/README.md +8 -8
package/bin/_deprecations.js +35 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/guardrail.js +834 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +462 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +151 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +302 -0
package/bin/runners/context/index.js +1042 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +972 -0
package/bin/runners/context/security-scanner.js +303 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +310 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +271 -0
package/bin/runners/lib/analyzers.js +541 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +194 -0
package/bin/runners/lib/contracts/env-contract.js +178 -0
package/bin/runners/lib/contracts/external-contract.js +198 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +192 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +46 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +348 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +381 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +332 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +320 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/init-wizard.js +308 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/plan.js +69 -0
package/bin/runners/lib/missions/templates.js +147 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +447 -0
package/bin/runners/lib/report-html.js +1117 -0
package/bin/runners/lib/report-templates.js +964 -0
package/bin/runners/lib/route-detection.js +1140 -0
package/bin/runners/lib/route-truth.js +477 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/truth.js +667 -0
package/bin/runners/lib/unified-output.js +189 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +2 -0
package/bin/runners/runAudit.js +2 -0
package/bin/runners/runAuth.js +106 -0
package/bin/runners/runAutopilot.js +2 -0
package/bin/runners/runBadge.js +2 -0
package/bin/runners/runCertify.js +2 -0
package/bin/runners/runClaimVerifier.js +483 -0
package/bin/runners/runContext.js +56 -0
package/bin/runners/runContextCompiler.js +385 -0
package/bin/runners/runCtx.js +187 -0
package/bin/runners/runCtxGuard.js +176 -0
package/bin/runners/runCtxSync.js +116 -0
package/bin/runners/runDashboard.js +10 -0
package/bin/runners/runDoctor.js +245 -0
package/bin/runners/runEnhancedShip.js +2 -0
package/bin/runners/runFix.js +735 -0
package/bin/runners/runFixPacks.js +2 -0
package/bin/runners/runGate.js +17 -0
package/bin/runners/runGraph.js +283 -0
package/bin/runners/runInit.js +260 -0
package/bin/runners/runInitGha.js +101 -0
package/bin/runners/runInstall.js +76 -0
package/bin/runners/runInteractive.js +388 -0
package/bin/runners/runLaunch.js +2 -0
package/bin/runners/runMcp.js +19 -0
package/bin/runners/runMdc.js +2 -0
package/bin/runners/runMissionGenerator.js +282 -0
package/bin/runners/runNaturalLanguage.js +3 -0
package/bin/runners/runPR.js +96 -0
package/bin/runners/runPermissions.js +290 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProof.js +2 -0
package/bin/runners/runProve.js +392 -0
package/bin/runners/runReality.js +489 -0
package/bin/runners/runRealitySniff.js +2 -0
package/bin/runners/runReplay.js +469 -0
package/bin/runners/runReport.js +478 -0
package/bin/runners/runScan.js +835 -0
package/bin/runners/runShare.js +34 -0
package/bin/runners/runShip.js +1062 -0
package/bin/runners/runStatus.js +136 -0
package/bin/runners/runTruthpack.js +634 -0
package/bin/runners/runUpgrade.js +2 -0
package/bin/runners/runValidate.js +2 -0
package/bin/runners/runVerifyAgentOutput.js +2 -0
package/bin/runners/runWatch.js +230 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +612 -0
package/bin/vibecheck.js +834 -0
package/package.json +11 -11
package/dist/autopatch/verified-autopatch.d.ts +0 -111
package/dist/autopatch/verified-autopatch.d.ts.map +0 -1
package/dist/autopatch/verified-autopatch.js +0 -503
package/dist/autopatch/verified-autopatch.js.map +0 -1
package/dist/bundles/index.js +0 -8
package/dist/bundles/vibecheck-core.js +0 -25799
package/dist/bundles/vibecheck-security.js +0 -208693
package/dist/bundles/vibecheck-ship.js +0 -2318
package/dist/commands/baseline.d.ts +0 -7
package/dist/commands/baseline.d.ts.map +0 -1
package/dist/commands/baseline.js +0 -79
package/dist/commands/baseline.js.map +0 -1
package/dist/commands/cache.d.ts +0 -13
package/dist/commands/cache.d.ts.map +0 -1
package/dist/commands/cache.js +0 -165
package/dist/commands/cache.js.map +0 -1
package/dist/commands/checkpoint.d.ts +0 -8
package/dist/commands/checkpoint.d.ts.map +0 -1
package/dist/commands/checkpoint.js +0 -35
package/dist/commands/checkpoint.js.map +0 -1
package/dist/commands/doctor.d.ts +0 -17
package/dist/commands/doctor.d.ts.map +0 -1
package/dist/commands/doctor.js +0 -226
package/dist/commands/doctor.js.map +0 -1
package/dist/commands/evidence.d.ts +0 -45
package/dist/commands/evidence.d.ts.map +0 -1
package/dist/commands/evidence.js +0 -197
package/dist/commands/evidence.js.map +0 -1
package/dist/commands/explain.d.ts +0 -8
package/dist/commands/explain.d.ts.map +0 -1
package/dist/commands/explain.js +0 -52
package/dist/commands/explain.js.map +0 -1
package/dist/commands/fix-consolidated.d.ts +0 -19
package/dist/commands/fix-consolidated.d.ts.map +0 -1
package/dist/commands/fix-consolidated.js +0 -165
package/dist/commands/fix-consolidated.js.map +0 -1
package/dist/commands/index.d.ts +0 -8
package/dist/commands/index.d.ts.map +0 -1
package/dist/commands/index.js +0 -15
package/dist/commands/index.js.map +0 -1
package/dist/commands/init.d.ts +0 -8
package/dist/commands/init.d.ts.map +0 -1
package/dist/commands/init.js +0 -125
package/dist/commands/init.js.map +0 -1
package/dist/commands/launcher.d.ts +0 -10
package/dist/commands/launcher.d.ts.map +0 -1
package/dist/commands/launcher.js +0 -174
package/dist/commands/launcher.js.map +0 -1
package/dist/commands/on.d.ts +0 -8
package/dist/commands/on.d.ts.map +0 -1
package/dist/commands/on.js +0 -123
package/dist/commands/on.js.map +0 -1
package/dist/commands/replay.d.ts +0 -8
package/dist/commands/replay.d.ts.map +0 -1
package/dist/commands/replay.js +0 -52
package/dist/commands/replay.js.map +0 -1
package/dist/commands/scan-consolidated.d.ts +0 -61
package/dist/commands/scan-consolidated.d.ts.map +0 -1
package/dist/commands/scan-consolidated.js +0 -243
package/dist/commands/scan-consolidated.js.map +0 -1
package/dist/commands/scan-secrets.d.ts +0 -47
package/dist/commands/scan-secrets.d.ts.map +0 -1
package/dist/commands/scan-secrets.js +0 -225
package/dist/commands/scan-secrets.js.map +0 -1
package/dist/commands/scan-vulnerabilities-enhanced.d.ts +0 -41
package/dist/commands/scan-vulnerabilities-enhanced.d.ts.map +0 -1
package/dist/commands/scan-vulnerabilities-enhanced.js +0 -368
package/dist/commands/scan-vulnerabilities-enhanced.js.map +0 -1
package/dist/commands/scan-vulnerabilities-osv.d.ts +0 -58
package/dist/commands/scan-vulnerabilities-osv.d.ts.map +0 -1
package/dist/commands/scan-vulnerabilities-osv.js +0 -722
package/dist/commands/scan-vulnerabilities-osv.js.map +0 -1
package/dist/commands/scan-vulnerabilities.d.ts +0 -32
package/dist/commands/scan-vulnerabilities.d.ts.map +0 -1
package/dist/commands/scan-vulnerabilities.js +0 -283
package/dist/commands/scan-vulnerabilities.js.map +0 -1
package/dist/commands/secrets-allowlist.d.ts +0 -7
package/dist/commands/secrets-allowlist.d.ts.map +0 -1
package/dist/commands/secrets-allowlist.js +0 -85
package/dist/commands/secrets-allowlist.js.map +0 -1
package/dist/commands/ship-consolidated.d.ts +0 -58
package/dist/commands/ship-consolidated.d.ts.map +0 -1
package/dist/commands/ship-consolidated.js +0 -515
package/dist/commands/ship-consolidated.js.map +0 -1
package/dist/commands/stats.d.ts +0 -8
package/dist/commands/stats.d.ts.map +0 -1
package/dist/commands/stats.js +0 -134
package/dist/commands/stats.js.map +0 -1
package/dist/commands/upgrade.d.ts +0 -8
package/dist/commands/upgrade.d.ts.map +0 -1
package/dist/commands/upgrade.js +0 -30
package/dist/commands/upgrade.js.map +0 -1
package/dist/fix/applicator.d.ts +0 -44
package/dist/fix/applicator.d.ts.map +0 -1
package/dist/fix/applicator.js +0 -144
package/dist/fix/applicator.js.map +0 -1
package/dist/fix/backup.d.ts +0 -38
package/dist/fix/backup.d.ts.map +0 -1
package/dist/fix/backup.js +0 -154
package/dist/fix/backup.js.map +0 -1
package/dist/fix/engine.d.ts +0 -55
package/dist/fix/engine.d.ts.map +0 -1
package/dist/fix/engine.js +0 -285
package/dist/fix/engine.js.map +0 -1
package/dist/fix/index.d.ts +0 -5
package/dist/fix/index.d.ts.map +0 -1
package/dist/fix/index.js +0 -12
package/dist/fix/index.js.map +0 -1
package/dist/fix/interactive.d.ts +0 -22
package/dist/fix/interactive.d.ts.map +0 -1
package/dist/fix/interactive.js +0 -172
package/dist/fix/interactive.js.map +0 -1
package/dist/formatters/index.d.ts +0 -6
package/dist/formatters/index.d.ts.map +0 -1
package/dist/formatters/index.js +0 -11
package/dist/formatters/index.js.map +0 -1
package/dist/formatters/sarif-enhanced.d.ts +0 -78
package/dist/formatters/sarif-enhanced.d.ts.map +0 -1
package/dist/formatters/sarif-enhanced.js +0 -144
package/dist/formatters/sarif-enhanced.js.map +0 -1
package/dist/formatters/sarif-v2.d.ts +0 -121
package/dist/formatters/sarif-v2.d.ts.map +0 -1
package/dist/formatters/sarif-v2.js +0 -356
package/dist/formatters/sarif-v2.js.map +0 -1
package/dist/formatters/sarif.d.ts +0 -72
package/dist/formatters/sarif.d.ts.map +0 -1
package/dist/formatters/sarif.js +0 -146
package/dist/formatters/sarif.js.map +0 -1
package/dist/index.d.ts +0 -61
package/dist/index.d.ts.map +0 -1
package/dist/index.js +0 -4388
package/dist/index.js.map +0 -1
package/dist/init/ci-generator.d.ts +0 -18
package/dist/init/ci-generator.d.ts.map +0 -1
package/dist/init/ci-generator.js +0 -317
package/dist/init/ci-generator.js.map +0 -1
package/dist/init/detect-framework.d.ts +0 -15
package/dist/init/detect-framework.d.ts.map +0 -1
package/dist/init/detect-framework.js +0 -301
package/dist/init/detect-framework.js.map +0 -1
package/dist/init/hooks-installer.d.ts +0 -22
package/dist/init/hooks-installer.d.ts.map +0 -1
package/dist/init/hooks-installer.js +0 -310
package/dist/init/hooks-installer.js.map +0 -1
package/dist/init/index.d.ts +0 -8
package/dist/init/index.d.ts.map +0 -1
package/dist/init/index.js +0 -22
package/dist/init/index.js.map +0 -1
package/dist/init/templates.d.ts +0 -402
package/dist/init/templates.d.ts.map +0 -1
package/dist/init/templates.js +0 -240
package/dist/init/templates.js.map +0 -1
package/dist/mcp/server.d.ts +0 -12
package/dist/mcp/server.d.ts.map +0 -1
package/dist/mcp/server.js +0 -42
package/dist/mcp/server.js.map +0 -1
package/dist/mcp/telemetry.d.ts +0 -40
package/dist/mcp/telemetry.d.ts.map +0 -1
package/dist/mcp/telemetry.js +0 -98
package/dist/mcp/telemetry.js.map +0 -1
package/dist/reality/no-dead-buttons/button-sweep-generator.d.ts +0 -32
package/dist/reality/no-dead-buttons/button-sweep-generator.d.ts.map +0 -1
package/dist/reality/no-dead-buttons/button-sweep-generator.js +0 -236
package/dist/reality/no-dead-buttons/button-sweep-generator.js.map +0 -1
package/dist/reality/no-dead-buttons/index.d.ts +0 -11
package/dist/reality/no-dead-buttons/index.d.ts.map +0 -1
package/dist/reality/no-dead-buttons/index.js +0 -18
package/dist/reality/no-dead-buttons/index.js.map +0 -1
package/dist/reality/no-dead-buttons/static-scanner.d.ts +0 -34
package/dist/reality/no-dead-buttons/static-scanner.d.ts.map +0 -1
package/dist/reality/no-dead-buttons/static-scanner.js +0 -230
package/dist/reality/no-dead-buttons/static-scanner.js.map +0 -1
package/dist/reality/reality-graph.d.ts +0 -192
package/dist/reality/reality-graph.d.ts.map +0 -1
package/dist/reality/reality-graph.js +0 -600
package/dist/reality/reality-graph.js.map +0 -1
package/dist/reality/reality-runner.d.ts +0 -89
package/dist/reality/reality-runner.d.ts.map +0 -1
package/dist/reality/reality-runner.js +0 -540
package/dist/reality/reality-runner.js.map +0 -1
package/dist/reality/receipt-generator.d.ts +0 -152
package/dist/reality/receipt-generator.d.ts.map +0 -1
package/dist/reality/receipt-generator.js +0 -495
package/dist/reality/receipt-generator.js.map +0 -1
package/dist/reality/runtime-tracer.d.ts +0 -75
package/dist/reality/runtime-tracer.d.ts.map +0 -1
package/dist/reality/runtime-tracer.js +0 -109
package/dist/reality/runtime-tracer.js.map +0 -1
package/dist/runtime/auth-utils.d.ts +0 -43
package/dist/runtime/auth-utils.d.ts.map +0 -1
package/dist/runtime/auth-utils.js +0 -130
package/dist/runtime/auth-utils.js.map +0 -1
package/dist/runtime/client.d.ts +0 -74
package/dist/runtime/client.d.ts.map +0 -1
package/dist/runtime/client.js +0 -222
package/dist/runtime/client.js.map +0 -1
package/dist/runtime/creds.d.ts +0 -48
package/dist/runtime/creds.d.ts.map +0 -1
package/dist/runtime/creds.js +0 -245
package/dist/runtime/creds.js.map +0 -1
package/dist/runtime/exit-codes.d.ts +0 -49
package/dist/runtime/exit-codes.d.ts.map +0 -1
package/dist/runtime/exit-codes.js +0 -93
package/dist/runtime/exit-codes.js.map +0 -1
package/dist/runtime/index.d.ts +0 -9
package/dist/runtime/index.d.ts.map +0 -1
package/dist/runtime/index.js +0 -25
package/dist/runtime/index.js.map +0 -1
package/dist/runtime/json-output.d.ts +0 -42
package/dist/runtime/json-output.d.ts.map +0 -1
package/dist/runtime/json-output.js +0 -59
package/dist/runtime/json-output.js.map +0 -1
package/dist/runtime/semver.d.ts +0 -37
package/dist/runtime/semver.d.ts.map +0 -1
package/dist/runtime/semver.js +0 -110
package/dist/runtime/semver.js.map +0 -1
package/dist/scan/dead-ui-detector.d.ts +0 -48
package/dist/scan/dead-ui-detector.d.ts.map +0 -1
package/dist/scan/dead-ui-detector.js +0 -170
package/dist/scan/dead-ui-detector.js.map +0 -1
package/dist/scan/playwright-sweep.d.ts +0 -40
package/dist/scan/playwright-sweep.d.ts.map +0 -1
package/dist/scan/playwright-sweep.js +0 -216
package/dist/scan/playwright-sweep.js.map +0 -1
package/dist/scan/proof-bundle.d.ts +0 -25
package/dist/scan/proof-bundle.d.ts.map +0 -1
package/dist/scan/proof-bundle.js +0 -203
package/dist/scan/proof-bundle.js.map +0 -1
package/dist/scan/proof-graph.d.ts +0 -59
package/dist/scan/proof-graph.d.ts.map +0 -1
package/dist/scan/proof-graph.js +0 -64
package/dist/scan/proof-graph.js.map +0 -1
package/dist/scan/reality-sniff.d.ts +0 -56
package/dist/scan/reality-sniff.d.ts.map +0 -1
package/dist/scan/reality-sniff.js +0 -200
package/dist/scan/reality-sniff.js.map +0 -1
package/dist/scan/structural-verifier.d.ts +0 -20
package/dist/scan/structural-verifier.d.ts.map +0 -1
package/dist/scan/structural-verifier.js +0 -112
package/dist/scan/structural-verifier.js.map +0 -1
package/dist/scan/verification-engine.d.ts +0 -47
package/dist/scan/verification-engine.d.ts.map +0 -1
package/dist/scan/verification-engine.js +0 -141
package/dist/scan/verification-engine.js.map +0 -1
package/dist/scanner/baseline.d.ts +0 -52
package/dist/scanner/baseline.d.ts.map +0 -1
package/dist/scanner/baseline.js +0 -85
package/dist/scanner/baseline.js.map +0 -1
package/dist/scanner/incremental.d.ts +0 -30
package/dist/scanner/incremental.d.ts.map +0 -1
package/dist/scanner/incremental.js +0 -82
package/dist/scanner/incremental.js.map +0 -1
package/dist/scanner/parallel.d.ts +0 -43
package/dist/scanner/parallel.d.ts.map +0 -1
package/dist/scanner/parallel.js +0 -99
package/dist/scanner/parallel.js.map +0 -1
package/dist/standalone.d.ts +0 -1
package/dist/standalone.d.ts.map +0 -1
package/dist/standalone.js +0 -1
package/dist/standalone.js.map +0 -1
package/dist/truth-pack/index.d.ts +0 -102
package/dist/truth-pack/index.d.ts.map +0 -1
package/dist/truth-pack/index.js +0 -694
package/dist/truth-pack/index.js.map +0 -1
package/dist/ui/frame.d.ts +0 -68
package/dist/ui/frame.d.ts.map +0 -1
package/dist/ui/frame.js +0 -165
package/dist/ui/frame.js.map +0 -1
package/dist/ui/index.d.ts +0 -5
package/dist/ui/index.d.ts.map +0 -1
package/dist/ui/index.js +0 -16
package/dist/ui/index.js.map +0 -1
package/dist/ui.d.ts +0 -36
package/dist/ui.d.ts.map +0 -1
package/dist/ui.js +0 -45
package/dist/ui.js.map +0 -1

package/bin/runners/lib/analyzers.js ADDED Viewed

@@ -0,0 +1,541 @@
+// bin/runners/lib/analyzers.js
+const fs = require("fs");
+const path = require("path");
+const fg = require("fast-glob");
+const crypto = require("crypto");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { routeMatches } = require("./claims");
+const { matcherCoversPath } = require("./auth-truth");
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+function parseFile(code) {
+  return parser.parse(code, { sourceType: "unambiguous", plugins: ["typescript", "jsx"] });
+}
+function evidenceFromLoc(fileAbs, repoRoot, loc, reason) {
+  if (!loc) return null;
+  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+  const lines = fs.readFileSync(fileAbs, "utf8").split(/\r?\n/);
+  const start = Math.max(1, loc.start?.line || 1);
+  const end = Math.max(start, loc.end?.line || start);
+  const snippet = lines.slice(start - 1, end).join("\n");
+  return { id: `ev_${crypto.randomBytes(4).toString("hex")}`, file: fileRel, lines: `${start}-${end}`, snippetHash: sha256(snippet), reason };
+}
+function findMissingRoutes(truthpack) {
+  const findings = [];
+  const server = truthpack.routes.server || [];
+  const refs = truthpack.routes.clientRefs || [];
+  const gaps = truthpack.routes.gaps || [];
+  // If we have route detection gaps, be less aggressive with BLOCKs
+  const hasGaps = gaps.length > 0;
+  // Build a set of known route path prefixes for smarter matching
+  const knownPrefixes = new Set();
+  for (const r of server) {
+    const parts = r.path.split('/').filter(Boolean);
+    if (parts.length >= 2) {
+      knownPrefixes.add('/' + parts[0] + '/' + parts[1]);
+    }
+    if (parts.length >= 1) {
+      knownPrefixes.add('/' + parts[0]);
+    }
+  }
+  for (const ref of refs) {
+    const method = ref.method || "*";
+    const p = ref.path;
+    const ok = server.some(r => routeMatches(r, method, p) || routeMatches(r, "*", p));
+    if (ok) continue;
+    // Check if route shares a prefix with known routes (might be undetected sibling)
+    const refParts = p.split('/').filter(Boolean);
+    const refPrefix1 = refParts.length >= 1 ? '/' + refParts[0] : '/';
+    const refPrefix2 = refParts.length >= 2 ? '/' + refParts[0] + '/' + refParts[1] : refPrefix1;
+    const sharesPrefix = knownPrefixes.has(refPrefix1) || knownPrefixes.has(refPrefix2);
+    // Determine severity based on confidence and context
+    // In monorepos with complex routing (plugins, dynamic registration), static analysis has limits
+    // Default to WARN unless we're very confident the route is truly invented
+    let severity = "WARN";
+    // Only BLOCK if:
+    // 1. High confidence client ref
+    // 2. No detection gaps
+    // 3. Doesn't share prefix with any known route
+    // 4. Looks like an invented/hallucinated route (unusual patterns)
+    const looksInvented = /\/(fake|test|mock|dummy|example|foo|bar|baz|xxx|yyy|placeholder)/i.test(p);
+    if (ref.confidence === "high" && !hasGaps && !sharesPrefix && looksInvented) {
+      severity = "BLOCK";
+    }
+    // Always WARN for common internal/utility routes
+    const isInternalRoute = /^\/(health|metrics|ready|live|version|debug|internal|suggestions|security|analyze|websocket|dashboard)/.test(p);
+    if (isInternalRoute) {
+      severity = "WARN";
+    }
+    findings.push({
+      id: `F_MISSING_ROUTE_${String(findings.length + 1).padStart(3, "0")}`,
+      severity,
+      category: "MissingRoute",
+      title: `Client references route that does not exist: ${method} ${p}`,
+      why: severity === "BLOCK"
+        ? "AI frequently invents endpoints. Shipping this = broken flows (404 / silent failure)."
+        : "Route reference found but server route not detected. May be a false positive if route is defined dynamically.",
+      confidence: ref.confidence || "low",
+      evidence: ref.evidence || [],
+      fixHints: [
+        "Update the client call to a real server route (see route map).",
+        "If the route exists but wasn't detected, it may use dynamic registration.",
+        "If truly missing, implement it in your API and re-run ship."
+      ]
+    });
+  }
+  // If route scan had gaps, add a WARN so users know why some routes may be unknown
+  if (hasGaps) {
+    findings.push({
+      id: `F_ROUTE_MAP_GAPS_001`,
+      severity: "WARN",
+      category: "RouteMapGaps",
+      title: `Route map incomplete (${gaps.length} unresolved sources)`,
+      why: "Some routes may not be detected due to dynamic registration or unresolved plugins.",
+      confidence: "low",
+      evidence: [],
+      fixHints: [
+        "Routes registered dynamically or via unresolved imports may not be detected.",
+        "Consider using explicit route registration for better static analysis.",
+        "Run with --verbose to see detection gaps."
+      ]
+    });
+  }
+  return findings;
+}
+// ============================================================================
+// ENV GAPS ANALYZER
+// ============================================================================
+function findEnvGaps(truthpack) {
+  const findings = [];
+  const used = truthpack?.env?.vars || [];
+  const declared = new Set(truthpack?.env?.declared || []);
+  const declaredSources = truthpack?.env?.declaredSources || [];
+  // 1) USED but not declared in templates/examples => WARN (or BLOCK if required)
+  for (const v of used) {
+    if (declared.has(v.name)) continue;
+    const sev = v.required ? "BLOCK" : "WARN";
+    findings.push({
+      id: `F_ENV_UNDECLARED_${v.name}`,
+      severity: sev,
+      category: "EnvContract",
+      title: `Env var used but not declared in env templates: ${v.name}`,
+      why: v.required
+        ? "Required env var is used with no fallback. Vibecoders will ship a broken app if it's not documented."
+        : "Env var appears optional but should still be documented to prevent guesswork.",
+      confidence: "high",
+      evidence: v.references || [],
+      fixHints: [
+        `Add ${v.name}= to .env.example (or .env.template).`,
+        "If it's truly optional, ensure the code has an explicit fallback or guard."
+      ]
+    });
+  }
+  // 2) Declared but never used => WARN (hygiene)
+  const usedSet = new Set(used.map(v => v.name));
+  for (const name of declared) {
+    if (usedSet.has(name)) continue;
+    findings.push({
+      id: `F_ENV_UNUSED_${name}`,
+      severity: "WARN",
+      category: "EnvContract",
+      title: `Env var declared but never used: ${name}`,
+      why: "Dead config creates confusion and encourages hallucinated wiring.",
+      confidence: "med",
+      evidence: [],
+      fixHints: [
+        "Remove it from templates if it's obsolete, or wire it into code intentionally.",
+        "If used at runtime only (in infra), document that explicitly."
+      ]
+    });
+  }
+  // 3) If no template sources exist, warn loudly
+  if (!declaredSources.length && used.length) {
+    findings.push({
+      id: "F_ENV_NO_TEMPLATE",
+      severity: "WARN",
+      category: "EnvContract",
+      title: "No .env.example/.env.template found",
+      why: "Without an env contract file, AI and humans will guess env vars and ship broken setups.",
+      confidence: "high",
+      evidence: [],
+      fixHints: ["Add a .env.example that lists required/optional vars with comments."]
+    });
+  }
+  return findings;
+}
+// ============================================================================
+// FAKE SUCCESS ANALYZER (INV_NO_FAKE_SUCCESS)
+// ============================================================================
+function isToastSuccessCall(node) {
+  return t.isCallExpression(node) &&
+    t.isMemberExpression(node.callee) &&
+    t.isIdentifier(node.callee.object, { name: "toast" }) &&
+    t.isIdentifier(node.callee.property, { name: "success" });
+}
+function isRouterPushCall(node) {
+  return t.isCallExpression(node) && (
+    (t.isMemberExpression(node.callee) &&
+      t.isIdentifier(node.callee.property, { name: "push" })) ||
+    (t.isIdentifier(node.callee) && (node.callee.name === "navigate"))
+  );
+}
+function isFetchCall(node) {
+  return t.isCallExpression(node) && t.isIdentifier(node.callee, { name: "fetch" });
+}
+function isAxiosCall(node) {
+  return t.isCallExpression(node) &&
+    t.isMemberExpression(node.callee) &&
+    t.isIdentifier(node.callee.object, { name: "axios" }) &&
+    t.isIdentifier(node.callee.property) &&
+    ["get","post","put","patch","delete"].includes(node.callee.property.name);
+}
+function findFakeSuccess(repoRoot) {
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+  });
+  for (const fileAbs of files) {
+    const code = fs.readFileSync(fileAbs, "utf8");
+    let ast;
+    try { ast = parseFile(code); } catch { continue; }
+    traverse(ast, {
+      Function(pathFn) {
+        let hasSuccess = false;
+        let successLoc = null;
+        let hasNetwork = false;
+        let hasAwaitNetwork = false;
+        let hasOkCheck = false;
+        pathFn.traverse({
+          CallExpression(p) {
+            const n = p.node;
+            if (isToastSuccessCall(n) || isRouterPushCall(n)) {
+              hasSuccess = true;
+              successLoc = successLoc || n.loc;
+            }
+            if (isFetchCall(n) || isAxiosCall(n)) {
+              hasNetwork = true;
+              if (p.parentPath && p.parentPath.isAwaitExpression()) hasAwaitNetwork = true;
+            }
+          },
+          IfStatement(p) {
+            const test = p.node.test;
+            const text = code.slice(test.start || 0, test.end || 0);
+            if (/\b(ok|status)\b/.test(text) && /(res|response)/.test(text)) {
+              hasOkCheck = true;
+            }
+          }
+        });
+        if (!hasSuccess || !hasNetwork) return;
+        const severity = hasAwaitNetwork ? (hasOkCheck ? null : "WARN") : "BLOCK";
+        if (!severity) return;
+        const ev = evidenceFromLoc(fileAbs, repoRoot, successLoc, "Success UI call in networked flow");
+        findings.push({
+          id: `F_FAKE_SUCCESS_${String(findings.length + 1).padStart(3, "0")}`,
+          severity,
+          category: "FakeSuccess",
+          title: severity === "BLOCK"
+            ? "Success UI triggered without awaiting network call"
+            : "Success UI triggered without verifying network result (res.ok/status)",
+          why: severity === "BLOCK"
+            ? "This ships lies. Users see success even when the request never completed."
+            : "This often ships lies. You're not gating success on a real response.",
+          confidence: "med",
+          evidence: ev ? [ev] : [],
+          fixHints: [
+            "Await the network call (await fetch/await axios...).",
+            "Gate success UI behind res.ok / status checks; surface errors otherwise."
+          ]
+        });
+      }
+    });
+  }
+  return findings;
+}
+// ============================================================================
+// GHOST AUTH ANALYZER (INV_NO_GHOST_AUTH)
+// ============================================================================
+function looksSensitive(pathStr) {
+  const p = String(pathStr || "");
+  return (
+    p.startsWith("/api/admin") ||
+    p.startsWith("/api/billing") ||
+    p.startsWith("/api/stripe") ||
+    p.startsWith("/api/org") ||
+    p.startsWith("/api/team") ||
+    p.startsWith("/api/account") ||
+    p.startsWith("/api/settings") ||
+    p.startsWith("/api/users") ||
+    p.startsWith("/api/user")
+  );
+}
+function hasRouteLevelProtection(routeDef) {
+  const hooks = routeDef.hooks || [];
+  if (hooks.includes("preHandler") || hooks.includes("onRequest") || hooks.includes("preValidation")) return true;
+  return false;
+}
+function handlerHasAuthSignal(repoRoot, handlerRel) {
+  const abs = path.join(repoRoot, handlerRel);
+  if (!fs.existsSync(abs)) return false;
+  const code = fs.readFileSync(abs, "utf8");
+  return (
+    /\bgetServerSession\b|\bauth\(\)\b|\bclerk\b|@clerk\/nextjs|\bcreateRouteHandlerClient\b|@supabase/i.test(code) ||
+    /\b(jwtVerify|authorization|bearer|verifyToken|verifyJWT)\b/i.test(code) ||
+    /\b(isAdmin|adminOnly|permissions|rbac)\b/i.test(code)
+  );
+}
+function isProtectedByNextMiddleware(truthpack, routePath) {
+  const patterns = truthpack?.auth?.nextMatcherPatterns || [];
+  return matcherCoversPath(patterns, routePath);
+}
+function findGhostAuth(truthpack, repoRoot) {
+  const findings = [];
+  const server = truthpack?.routes?.server || [];
+  for (const r of server) {
+    if (!looksSensitive(r.path)) continue;
+    const middlewareProtected = isProtectedByNextMiddleware(truthpack, r.path);
+    const routeHooksProtected = hasRouteLevelProtection(r);
+    const handlerProtected = r.handler ? handlerHasAuthSignal(repoRoot, r.handler) : false;
+    const protectedSomehow = middlewareProtected || routeHooksProtected || handlerProtected;
+    if (!protectedSomehow) {
+      findings.push({
+        id: `F_GHOST_AUTH_${r.method}_${r.path}`.replace(/[^A-Z0-9_\/:*-]/gi, "_"),
+        severity: "BLOCK",
+        category: "GhostAuth",
+        title: `Sensitive endpoint appears unprotected: ${r.method} ${r.path}`,
+        why: "This is how apps get owned. UI gating doesn't matter. If the server doesn't enforce auth, it's public.",
+        confidence: "med",
+        evidence: (r.evidence || []).slice(0, 2),
+        fixHints: [
+          "Add server-side auth verification in the handler (session/jwt).",
+          "Or protect the path via Next middleware matcher (and verify it actually applies).",
+          "If Fastify: add preHandler/onRequest auth hook and ensure it's registered for this route."
+        ]
+      });
+    }
+  }
+  // If there IS middleware but it doesn't cover obvious sensitive prefixes, warn
+  const patterns = truthpack?.auth?.nextMatcherPatterns || [];
+  if (patterns.length) {
+    const coversApi = patterns.some(p => String(p).includes("/api"));
+    if (!coversApi) {
+      findings.push({
+        id: "F_MIDDLEWARE_NOT_COVERING_API",
+        severity: "WARN",
+        category: "GhostAuth",
+        title: "Next middleware exists but does not appear to cover /api routes",
+        why: "People assume middleware protects APIs. Often it doesn't. Verify matcher patterns.",
+        confidence: "high",
+        evidence: (truthpack?.auth?.nextMiddleware?.[0]?.evidence || []).slice(0, 3),
+        fixHints: ["Add /api/:path* to middleware matcher if your design expects API auth protection."]
+      });
+    }
+  }
+  return findings;
+}
+// ============================================================================
+// STRIPE WEBHOOK VIOLATIONS (INV_WEBHOOK_VERIFIED + INV_WEBHOOK_IDEMPOTENT)
+// ============================================================================
+function findStripeWebhookViolations(truthpack) {
+  const findings = [];
+  const billing = truthpack?.billing;
+  if (!billing?.hasStripe) return findings;
+  const candidates = billing.webhookCandidates || [];
+  if (!candidates.length) {
+    findings.push({
+      id: "F_STRIPE_NO_WEBHOOK_HANDLER",
+      severity: "WARN",
+      category: "Billing",
+      title: "Stripe appears used but no webhook handler candidate detected",
+      why: "If you bill with Stripe, webhooks are usually required. Missing webhooks often means subscription state desync.",
+      confidence: "med",
+      evidence: [],
+      fixHints: ["Add a Stripe webhook handler with signature verification and idempotency."]
+    });
+    return findings;
+  }
+  for (const w of candidates) {
+    const verified = w.signals.webhookConstructEvent && w.signals.rawBodySignal && w.signals.readsStripeSignatureHeader;
+    const idempotent = !!w.signals.idempotencySignal;
+    if (!verified) {
+      findings.push({
+        id: `F_STRIPE_WEBHOOK_NOT_VERIFIED_${w.file.replace(/[^a-z0-9]/gi, "_")}`,
+        severity: "BLOCK",
+        category: "Billing",
+        title: `Stripe webhook handler not clearly signature-verified: ${w.file}`,
+        why: "Unverified webhooks = spoofable billing state. That's catastrophic.",
+        confidence: "high",
+        evidence: (w.evidence || []).slice(0, 4),
+        fixHints: [
+          "Use stripe.webhooks.constructEvent(rawBody, sigHeader, STRIPE_WEBHOOK_SECRET).",
+          "Ensure raw body is used (disable bodyParser in pages router; in app router read req.text()/arrayBuffer).",
+          "Reject if signature missing/invalid."
+        ]
+      });
+    }
+    if (!idempotent) {
+      findings.push({
+        id: `F_STRIPE_WEBHOOK_NOT_IDEMPOTENT_${w.file.replace(/[^a-z0-9]/gi, "_")}`,
+        severity: "BLOCK",
+        category: "Billing",
+        title: `Stripe webhook handler not clearly idempotent: ${w.file}`,
+        why: "Stripe retries webhooks. Without dedupe, you'll double-grant access, double-send emails, or double-write state.",
+        confidence: "med",
+        evidence: (w.evidence || []).slice(0, 4),
+        fixHints: [
+          "Persist event.id as processed (DB/Redis). If seen, return 200 immediately.",
+          "Wrap state mutation in a transaction keyed by event.id."
+        ]
+      });
+    }
+  }
+  return findings;
+}
+// ============================================================================
+// PAID SURFACE NOT ENFORCED (INV_PAID_FEATURE_ENFORCED_SERVER_SIDE)
+// ============================================================================
+function findPaidSurfaceNotEnforced(truthpack) {
+  const findings = [];
+  const enforcement = truthpack?.enforcement;
+  const checks = enforcement?.checks || [];
+  for (const c of checks) {
+    if (c.enforced) continue;
+    findings.push({
+      id: `F_PAID_SURFACE_NOT_ENFORCED_${c.method}_${c.path}`.replace(/[^a-z0-9]/gi, "_"),
+      severity: "BLOCK",
+      category: "Entitlements",
+      title: `Paid surface appears un-enforced server-side: ${c.method} ${c.path}`,
+      why: "If enforcement is only in the CLI/UI, users can call the endpoint directly. That's a free enterprise bypass.",
+      confidence: "med",
+      evidence: [],
+      fixHints: [
+        "Add enforceFeature/enforceLimit in the server handler BEFORE doing work.",
+        "Return 402/403 with a structured error code.",
+        "Make the CLI treat that code as an upgrade prompt."
+      ]
+    });
+  }
+  return findings;
+}
+// ============================================================================
+// OWNER MODE BYPASS (INV_NO_OWNER_MODE_BYPASS)
+// ============================================================================
+function findOwnerModeBypass(repoRoot) {
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+  });
+  const patterns = [
+    /OWNER_MODE/i,
+    /GUARDRAIL_OWNER_MODE/i,
+    /VIBECHECK_OWNER_MODE/i,
+    /process\.env\.[A-Z0-9_]*OWNER[A-Z0-9_]*/i
+  ];
+  for (const fileAbs of files) {
+    const code = fs.readFileSync(fileAbs, "utf8");
+    const hit = patterns.some(rx => rx.test(code));
+    if (!hit) continue;
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    findings.push({
+      id: `F_OWNER_MODE_BYPASS_${fileRel.replace(/[^a-z0-9]/gi, "_")}`,
+      severity: "BLOCK",
+      category: "Security",
+      title: `Owner mode / env bypass signal detected: ${fileRel}`,
+      why: "This is a production backdoor unless it's cryptographically gated. It cannot ship.",
+      confidence: "high",
+      evidence: [],
+      fixHints: [
+        "Delete owner mode bypass. If you need dev override, require a signed admin token + non-prod environment.",
+        "Add a test that asserts no OWNER_MODE env var grants entitlements."
+      ]
+    });
+  }
+  return findings;
+}
+module.exports = {
+  findMissingRoutes,
+  findEnvGaps,
+  findFakeSuccess,
+  findGhostAuth,
+  findStripeWebhookViolations,
+  findPaidSurfaceNotEnforced,
+  findOwnerModeBypass
+};