@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/lib/entitlements-v2.js

@@ -0,0 +1,381 @@
+/**
+ * Entitlements v2 - Signed Receipts
+ * 
+ * Proper server-side metering with signed receipts:
+ * 1. Every ship check requests a signed usage receipt from API
+ * 2. Receipt includes: {userId, tier, remainingShipChecks, expiresAt, signature}
+ * 3. CLI caches receipt in .vibecheck/.entitlements.json
+ * 4. Offline grace: 24h using last valid receipt
+ * 
+ * Spec tiers:
+ * - Free: $0, 10 ship checks/month
+ * - Pro: $39/mo, unlimited ship + reality + fix + share
+ * - Team: $99/mo, + PR gating + CI automation
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const crypto = require("crypto");
+
+// Constants
+const FREE_SHIP_CHECKS_PER_MONTH = 10;
+const RECEIPT_GRACE_HOURS = 24;
+const API_BASE_URL = process.env.VIBECHECK_API_URL || "https://api.vibecheckai.dev";
+
+// Public key for receipt verification (would be fetched from API in production)
+const VIBECHECK_PUBLIC_KEY = process.env.VIBECHECK_PUBLIC_KEY || `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Z3VS5JJcds3xfn/ygWb
+rAnr6J6WvLW3YNHQZ8vJqUvBcl3L9S2gKj3wBi3M8N9pYhEj5Y5h5gJq5v5l5n5o
+placeholder-key-for-development
+AQIDAQAB
+-----END PUBLIC KEY-----`;
+
+/**
+ * Get entitlements cache path (project-local)
+ */
+function getEntitlementsCachePath(projectPath) {
+  return path.join(projectPath || process.cwd(), ".vibecheck", ".entitlements.json");
+}
+
+/**
+ * Get global config path (user home)
+ */
+function getGlobalConfigPath() {
+  const home = os.homedir();
+  if (process.platform === "win32") {
+    return path.join(
+      process.env.APPDATA || path.join(home, "AppData", "Roaming"),
+      "vibecheck",
+      "config.json"
+    );
+  }
+  return path.join(home, ".config", "vibecheck", "config.json");
+}
+
+/**
+ * Load cached entitlements receipt
+ */
+function loadCachedReceipt(projectPath) {
+  const cachePath = getEntitlementsCachePath(projectPath);
+  try {
+    if (fs.existsSync(cachePath)) {
+      return JSON.parse(fs.readFileSync(cachePath, "utf8"));
+    }
+  } catch {}
+  return null;
+}
+
+/**
+ * Save entitlements receipt to cache
+ */
+function saveCachedReceipt(projectPath, receipt) {
+  const cachePath = getEntitlementsCachePath(projectPath);
+  const dir = path.dirname(cachePath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  fs.writeFileSync(cachePath, JSON.stringify(receipt, null, 2), { mode: 0o600 });
+}
+
+/**
+ * Verify receipt signature (HMAC-SHA256 for simplicity, RSA in production)
+ */
+function verifyReceiptSignature(receipt) {
+  if (!receipt || !receipt.signature || !receipt.data) {
+    return false;
+  }
+  
+  // In production: use RSA signature verification with public key
+  // For now: use HMAC with a shared secret (server would use same secret)
+  const secret = process.env.VIBECHECK_RECEIPT_SECRET || "vibecheck-receipt-v1";
+  const dataStr = JSON.stringify(receipt.data);
+  const expectedSig = crypto.createHmac("sha256", secret).update(dataStr).digest("hex");
+  
+  return receipt.signature === expectedSig;
+}
+
+/**
+ * Check if receipt is within grace period
+ */
+function isReceiptInGrace(receipt) {
+  if (!receipt || !receipt.data || !receipt.data.issuedAt) {
+    return false;
+  }
+  
+  const issuedAt = new Date(receipt.data.issuedAt).getTime();
+  const graceMs = RECEIPT_GRACE_HOURS * 3600 * 1000;
+  return Date.now() - issuedAt < graceMs;
+}
+
+/**
+ * Get current month key (YYYY-MM)
+ */
+function getCurrentMonthKey() {
+  const now = new Date();
+  return `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, "0")}`;
+}
+
+/**
+ * Request ship usage from server
+ * Returns signed receipt with updated usage
+ */
+async function requestShipUsage(apiKey, projectPath) {
+  if (!apiKey) {
+    return { error: "No API key" };
+  }
+  
+  try {
+    const res = await fetch(`${API_BASE_URL}/v1/ship/use`, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        projectPath: projectPath ? path.basename(projectPath) : "unknown",
+        timestamp: new Date().toISOString()
+      }),
+      signal: AbortSignal.timeout(10000)
+    });
+    
+    if (!res.ok) {
+      if (res.status === 429) {
+        return { error: "rate_limited", message: "Ship check limit reached" };
+      }
+      if (res.status === 401) {
+        return { error: "unauthorized", message: "Invalid API key" };
+      }
+      return { error: "api_error", message: `API returned ${res.status}` };
+    }
+    
+    const receipt = await res.json();
+    
+    // Validate receipt signature
+    if (!verifyReceiptSignature(receipt)) {
+      console.warn("Warning: Receipt signature invalid, proceeding with caution");
+    }
+    
+    // Cache receipt
+    saveCachedReceipt(projectPath, receipt);
+    
+    return receipt;
+  } catch (error) {
+    // Network error - try to use cached receipt
+    const cached = loadCachedReceipt(projectPath);
+    if (cached && isReceiptInGrace(cached)) {
+      console.log("  (offline mode - using cached entitlements)");
+      return { ...cached, offline: true };
+    }
+    
+    return { error: "network", message: error.message };
+  }
+}
+
+/**
+ * Check if user can run ship (main entitlement check)
+ */
+async function canShip(projectPath, options = {}) {
+  const { apiKey, skipMeter = false } = options;
+  
+  // Demo/owner mode bypass
+  if (process.env.VIBECHECK_DEMO === "1" || process.env.VIBECHECK_OWNER === "1") {
+    return {
+      allowed: true,
+      tier: "enterprise",
+      reason: "Demo/owner mode",
+      remaining: Infinity
+    };
+  }
+  
+  // If no API key, use free tier with local metering
+  if (!apiKey) {
+    return checkFreeTierLocal(projectPath, skipMeter);
+  }
+  
+  // Request usage from server (meters the ship check)
+  if (!skipMeter) {
+    const receipt = await requestShipUsage(apiKey, projectPath);
+    
+    if (receipt.error) {
+      // If network error but within grace, allow
+      if (receipt.offline && receipt.data) {
+        return {
+          allowed: true,
+          tier: receipt.data.tier || "free",
+          reason: "Offline grace period",
+          remaining: receipt.data.remainingShipChecks || 0,
+          offline: true
+        };
+      }
+      
+      // Rate limited
+      if (receipt.error === "rate_limited") {
+        return {
+          allowed: false,
+          tier: "free",
+          reason: "Ship check limit reached for this month",
+          remaining: 0
+        };
+      }
+      
+      // Other errors - fall back to free tier
+      return checkFreeTierLocal(projectPath, skipMeter);
+    }
+    
+    // Valid receipt from server
+    const data = receipt.data || receipt;
+    return {
+      allowed: true,
+      tier: data.tier || "pro",
+      reason: "Authenticated",
+      remaining: data.remainingShipChecks,
+      receipt
+    };
+  }
+  
+  // Skip meter - just check tier
+  const cached = loadCachedReceipt(projectPath);
+  if (cached && cached.data) {
+    return {
+      allowed: true,
+      tier: cached.data.tier || "pro",
+      reason: "Cached entitlements",
+      remaining: cached.data.remainingShipChecks
+    };
+  }
+  
+  return { allowed: true, tier: "pro", reason: "API key provided" };
+}
+
+/**
+ * Check free tier with local metering (fallback)
+ */
+function checkFreeTierLocal(projectPath, skipMeter = false) {
+  const cachePath = getEntitlementsCachePath(projectPath);
+  const currentMonth = getCurrentMonthKey();
+  
+  let usage = { month: currentMonth, shipChecks: 0 };
+  
+  try {
+    const cached = loadCachedReceipt(projectPath);
+    if (cached && cached.freeUsage && cached.freeUsage.month === currentMonth) {
+      usage = cached.freeUsage;
+    }
+  } catch {}
+  
+  const remaining = FREE_SHIP_CHECKS_PER_MONTH - usage.shipChecks;
+  
+  if (remaining <= 0) {
+    return {
+      allowed: false,
+      tier: "free",
+      reason: `Free tier limit reached (${FREE_SHIP_CHECKS_PER_MONTH}/month)`,
+      remaining: 0,
+      upgradeUrl: "https://vibecheckai.dev/pricing"
+    };
+  }
+  
+  // Increment usage if not skipping meter
+  if (!skipMeter) {
+    usage.shipChecks++;
+    try {
+      saveCachedReceipt(projectPath, {
+        freeUsage: usage,
+        data: { tier: "free", remainingShipChecks: remaining - 1 },
+        issuedAt: new Date().toISOString()
+      });
+    } catch {}
+  }
+  
+  return {
+    allowed: true,
+    tier: "free",
+    reason: "Free tier",
+    remaining: remaining - (skipMeter ? 0 : 1)
+  };
+}
+
+/**
+ * Check if user has access to a specific feature
+ */
+async function hasFeatureAccess(feature, projectPath, apiKey) {
+  const entitlement = await canShip(projectPath, { apiKey, skipMeter: true });
+  
+  const featureTiers = {
+    // Free features
+    ship: ["free", "pro", "team", "enterprise"],
+    scan: ["free", "pro", "team", "enterprise"],
+    ctx: ["free", "pro", "team", "enterprise"],
+    install: ["free", "pro", "team", "enterprise"],
+    
+    // Pro features
+    reality: ["pro", "team", "enterprise"],
+    fix_autopilot: ["pro", "team", "enterprise"],
+    share: ["pro", "team", "enterprise"],
+    
+    // Team features
+    pr_gate: ["team", "enterprise"],
+    ci_automation: ["team", "enterprise"]
+  };
+  
+  const allowedTiers = featureTiers[feature] || ["enterprise"];
+  const hasAccess = allowedTiers.includes(entitlement.tier);
+  
+  return {
+    allowed: hasAccess,
+    tier: entitlement.tier,
+    requiredTier: allowedTiers[0],
+    upgradeUrl: hasAccess ? null : "https://vibecheckai.dev/pricing"
+  };
+}
+
+/**
+ * Get usage stats for display
+ */
+function getUsageStats(projectPath) {
+  const cached = loadCachedReceipt(projectPath);
+  const currentMonth = getCurrentMonthKey();
+  
+  if (!cached) {
+    return {
+      tier: "free",
+      shipChecksUsed: 0,
+      shipChecksRemaining: FREE_SHIP_CHECKS_PER_MONTH,
+      month: currentMonth
+    };
+  }
+  
+  if (cached.freeUsage && cached.freeUsage.month === currentMonth) {
+    return {
+      tier: "free",
+      shipChecksUsed: cached.freeUsage.shipChecks,
+      shipChecksRemaining: FREE_SHIP_CHECKS_PER_MONTH - cached.freeUsage.shipChecks,
+      month: currentMonth
+    };
+  }
+  
+  if (cached.data) {
+    return {
+      tier: cached.data.tier || "unknown",
+      shipChecksRemaining: cached.data.remainingShipChecks,
+      month: currentMonth,
+      issuedAt: cached.data.issuedAt
+    };
+  }
+  
+  return { tier: "unknown", month: currentMonth };
+}
+
+module.exports = {
+  canShip,
+  hasFeatureAccess,
+  getUsageStats,
+  loadCachedReceipt,
+  saveCachedReceipt,
+  requestShipUsage,
+  FREE_SHIP_CHECKS_PER_MONTH,
+  RECEIPT_GRACE_HOURS
+};

package/bin/runners/lib/entitlements.js

@@ -0,0 +1,332 @@
+/**
+ * Entitlements System - CLI Wrapper
+ *
+ * ⚠️  AUTO-GENERATED FILE - DO NOT EDIT DIRECTLY
+ *
+ * This file wraps the canonical entitlements implementation from @vibecheck/core.
+ * The source of truth is packages/core/src/entitlements.ts
+ *
+ * To modify entitlements logic, edit packages/core/src/entitlements.ts
+ * then run `pnpm build` in packages/core.
+ *
+ * This wrapper exists to:
+ * 1. Provide CommonJS exports for CLI runners
+ * 2. Add CLI-specific functionality (server-usage integration)
+ * 3. Maintain backward compatibility with existing CLI code
+ */
+
+"use strict";
+
+// Import from compiled @vibecheck/core
+let coreEntitlements;
+try {
+  coreEntitlements = require("@vibecheck/core");
+} catch (e) {
+  // Fallback for development: try direct path
+  try {
+    coreEntitlements = require("../../../packages/dist-core/index.js");
+  } catch (e2) {
+    console.error(
+      "[entitlements] Failed to load @vibecheck/core. Run `pnpm build` in packages/core first.",
+    );
+    // Provide minimal fallback
+    coreEntitlements = {
+      TIER_CONFIG: {},
+      SEAT_PRICING: {},
+      entitlements: {
+        getCurrentTier: async () => "free",
+        checkFeature: async () => ({ allowed: true }),
+        checkLimit: async () => ({ allowed: true }),
+        enforceFeature: async () => {},
+        enforceLimit: async () => {},
+        trackUsage: async () => {},
+        getUsageSummary: async () => "Usage summary unavailable",
+        getTierConfig: () => ({}),
+        checkSeatLimit: () => ({ allowed: true, effectiveSeats: 1 }),
+      },
+      calculateEffectiveSeats: () => 1,
+      canAddMember: () => ({ allowed: true }),
+      formatSeatInfo: () => "1 seat",
+      validateSeatReduction: () => ({ safe: true }),
+    };
+  }
+}
+
+// Import server-usage for CLI-specific server-authoritative enforcement
+const { serverUsage } = require("./server-usage");
+
+// Re-export everything from core
+const {
+  TIER_CONFIG,
+  SEAT_PRICING,
+  entitlements,
+  calculateEffectiveSeats,
+  canAddMember,
+  formatSeatInfo,
+  validateSeatReduction,
+  isValidTier,
+  getTierConfig,
+  getMinimumTierForFeature,
+} = coreEntitlements;
+
+// ============================================================================
+// CLI-SPECIFIC WRAPPER
+// ============================================================================
+
+/**
+ * CLI Entitlements Manager
+ * Wraps core entitlements with CLI-specific server-authoritative checks
+ */
+class CLIEntitlementsManager {
+  constructor(coreManager) {
+    this._core = coreManager;
+  }
+
+  async getCurrentTier() {
+    return this._core.getCurrentTier();
+  }
+
+  async checkFeature(feature) {
+    return this._core.checkFeature(feature);
+  }
+
+  /**
+   * Check usage limits - SERVER-AUTHORITATIVE for CLI
+   */
+  async checkLimit(limitType) {
+    // Map old limit types to new action types
+    const actionMap = {
+      scans: "scan",
+      realityRuns: "reality",
+      aiAgentRuns: "agent",
+    };
+    const actionType = actionMap[limitType] || limitType;
+
+    // Use server-authoritative check
+    try {
+      const result = await serverUsage.checkUsage(actionType);
+
+      if (result.allowed) {
+        return {
+          allowed: true,
+          usage: result.current,
+          limit: result.limit === -1 ? Infinity : result.limit,
+          source: result.source,
+        };
+      }
+
+      const tier = await this.getCurrentTier();
+      return {
+        allowed: false,
+        reason:
+          result.reason ||
+          `Monthly ${limitType} limit reached (${result.current}/${result.limit})`,
+        usage: result.current,
+        limit: result.limit,
+        upgradePrompt: this._core.formatLimitUpgradePrompt(
+          tier,
+          limitType,
+          result.current,
+          result.limit,
+        ),
+        source: result.source,
+      };
+    } catch (error) {
+      // Fallback to core check if server is unreachable
+      return this._core.checkLimit(limitType);
+    }
+  }
+
+  /**
+   * Track usage - SERVER-AUTHORITATIVE for CLI
+   */
+  async trackUsage(type, count = 1) {
+    // Map old types to new action types
+    const actionMap = {
+      scans: "scan",
+      realityRuns: "reality",
+      aiAgentRuns: "agent",
+      gateRuns: "gate",
+      fixRuns: "fix",
+    };
+    const actionType = actionMap[type] || type;
+
+    // Record on server (authoritative)
+    try {
+      const result = await serverUsage.recordUsage(actionType, count);
+      // Also update local via core
+      await this._core.trackUsage(type, count);
+      return result;
+    } catch (error) {
+      // Still update local, mark as unsynced
+      await this._core.trackUsage(type, count);
+      return { success: false, error: error.message, queued: true };
+    }
+  }
+
+  async enforceFeature(feature) {
+    return this._core.enforceFeature(feature);
+  }
+
+  /**
+   * Enforce usage limits - SERVER-AUTHORITATIVE for CLI
+   */
+  async enforceLimit(limitType) {
+    // Check if sync is required first
+    const needsSync = await serverUsage.requiresSync();
+    if (needsSync) {
+      const syncResult = await serverUsage.syncOfflineUsage();
+      if (syncResult.error) {
+        // Allow offline mode by default - CLI should work without internet
+        console.warn(
+          "\x1b[33mWarning: Could not connect to vibecheck API, using offline mode\x1b[0m\n",
+        );
+        return { allowed: true, source: "offline" };
+      }
+    }
+
+    const check = await this.checkLimit(limitType);
+    if (!check.allowed) {
+      const error = new Error(check.reason);
+      error.code = "LIMIT_EXCEEDED";
+      error.upgradePrompt = check.upgradePrompt;
+      error.usage = check.usage;
+      error.limit = check.limit;
+      throw error;
+    }
+
+    return check;
+  }
+
+  async getUsageSummary() {
+    // Try to get server-authoritative summary
+    try {
+      const serverSummary = await serverUsage.getUsageSummary();
+
+      if (serverSummary.success !== false && serverSummary.usage) {
+        const tier = serverSummary.tier || (await this.getCurrentTier());
+        const config = TIER_CONFIG[tier];
+        const limits = serverSummary.limits || config.limits;
+
+        const formatLimit = (current, limit) => {
+          if (limit === -1) return `${current} (unlimited)`;
+          const pct = Math.round((current / limit) * 100);
+          const bar = this.progressBar(pct);
+          return `${current}/${limit} ${bar} ${pct}%`;
+        };
+
+        const lines = [
+          "",
+          `\x1b[1m📊 Usage Summary\x1b[0m (\x1b[36m${config.name}\x1b[0m tier - $${config.price}/mo)`,
+          "\x1b[90m" + "─".repeat(50) + "\x1b[0m",
+          `Scans:        ${formatLimit(serverSummary.usage.scan || 0, limits.scans || limits.scansPerMonth)}`,
+          `Reality Runs: ${formatLimit(serverSummary.usage.reality || 0, limits.reality || limits.realityRunsPerMonth)}`,
+          `AI Agent:     ${formatLimit(serverSummary.usage.agent || 0, limits.agent || limits.aiAgentRunsPerMonth)}`,
+          `Team Seats:   ${formatSeatInfo(tier)}`,
+          "\x1b[90m" + "─".repeat(50) + "\x1b[0m",
+        ];
+
+        if (serverSummary.period) {
+          lines.push(
+            `Period: ${serverSummary.period.start.split("T")[0]} to ${serverSummary.period.end.split("T")[0]}`,
+          );
+        }
+
+        if (serverSummary.pendingOffline > 0) {
+          lines.push(
+            `\x1b[33m⚠ ${serverSummary.pendingOffline} action(s) pending sync\x1b[0m`,
+          );
+        }
+
+        lines.push(
+          `\x1b[90mSource: ${serverSummary.source || "server"}\x1b[0m`,
+        );
+        lines.push("");
+
+        return lines.join("\n");
+      }
+    } catch {
+      // Fall through to core summary
+    }
+
+    return this._core.getUsageSummary();
+  }
+
+  getTierConfig(tier) {
+    return this._core.getTierConfig(tier);
+  }
+
+  getAllTiers() {
+    return this._core.getAllTiers();
+  }
+
+  // Seat management
+  checkSeatLimit(tier, currentMemberCount, purchasedExtraSeats) {
+    return this._core.checkSeatLimit(
+      tier,
+      currentMemberCount,
+      purchasedExtraSeats,
+    );
+  }
+
+  getOrganizationSeats(tier, purchasedExtraSeats, currentMembers) {
+    return this._core.getOrganizationSeats(
+      tier,
+      purchasedExtraSeats,
+      currentMembers,
+    );
+  }
+
+  progressBar(percent) {
+    const filled = Math.min(10, Math.round(percent / 10));
+    const empty = 10 - filled;
+    return `[${"█".repeat(filled)}${"░".repeat(empty)}]`;
+  }
+}
+
+// Create CLI-specific wrapper
+const cliEntitlements = new CLIEntitlementsManager(entitlements);
+
+// ============================================================================
+// EXPORTS
+// ============================================================================
+
+module.exports = {
+  // Main entitlements instance (CLI wrapper)
+  entitlements: cliEntitlements,
+
+  // Tier configuration
+  TIER_CONFIG,
+  SEAT_PRICING,
+
+  // Convenience functions
+  checkFeature: (feature) => cliEntitlements.checkFeature(feature),
+  checkLimit: (limitType) => cliEntitlements.checkLimit(limitType),
+  enforceFeature: (feature) => cliEntitlements.enforceFeature(feature),
+  enforceLimit: (limitType) => cliEntitlements.enforceLimit(limitType),
+  trackUsage: (type, count) => cliEntitlements.trackUsage(type, count),
+  getCurrentTier: () => cliEntitlements.getCurrentTier(),
+  getUsageSummary: () => cliEntitlements.getUsageSummary(),
+  getTierConfig: (tier) => cliEntitlements.getTierConfig(tier),
+
+  // Seat management
+  checkSeatLimit: (tier, currentMemberCount, purchasedExtraSeats) =>
+    cliEntitlements.checkSeatLimit(
+      tier,
+      currentMemberCount,
+      purchasedExtraSeats,
+    ),
+  calculateEffectiveSeats,
+  canAddMember,
+  formatSeatInfo,
+  validateSeatReduction,
+
+  // Tier helpers
+  isValidTier,
+  getMinimumTierForFeature,
+
+  // Server-authoritative usage enforcement
+  serverUsage,
+  syncOfflineUsage: () => serverUsage.syncOfflineUsage(),
+  requiresSync: () => serverUsage.requiresSync(),
+};