@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/lib/missions/plan.js

@@ -0,0 +1,69 @@
+// bin/runners/lib/missions/plan.js
+function scoreFinding(f) {
+  if (f.severity === "BLOCK") return 100;
+  if (f.severity === "WARN") return 50;
+  return 0;
+}
+
+function missionFromFinding(f) {
+  const typeByCategory = {
+    Security: "REMOVE_OWNER_MODE",
+    Billing: "FIX_STRIPE_WEBHOOKS",
+    Entitlements: "ENFORCE_PAID_SURFACE",
+    GhostAuth: "ADD_SERVER_AUTH",
+    MissingRoute: "FIX_MISSING_ROUTE",
+    EnvContract: "FIX_ENV_CONTRACT",
+    FakeSuccess: "FIX_FAKE_SUCCESS",
+    DeadUI: "FIX_DEAD_UI",
+    AuthCoverage: "ADD_SERVER_AUTH"
+  };
+
+  return {
+    id: `M_${f.id}`,
+    type: typeByCategory[f.category] || "GENERIC_FIX",
+    title: f.title,
+    severity: f.severity,
+    category: f.category,
+    successCriteria: [
+      `Finding ${f.id} no longer appears in ship results` 
+    ],
+    targetFindingIds: [f.id]
+  };
+}
+
+function planMissions(findings, { maxMissions = 12, blocksOnlyFirst = true } = {}) {
+  const sorted = [...findings].sort((a,b) => scoreFinding(b) - scoreFinding(a));
+
+  // Cost control: if there are BLOCKs, only plan for BLOCKs first
+  const hasBlocks = sorted.some(f => f.severity === "BLOCK");
+  const scoped = (blocksOnlyFirst && hasBlocks)
+    ? sorted.filter(f => f.severity === "BLOCK")
+    : sorted;
+
+  const seen = new Set();
+  const filtered = [];
+  for (const f of scoped) {
+    const k = `${f.category}:${f.title}`;
+    if (f.severity === "WARN" && seen.has(k)) continue;
+    seen.add(k);
+    filtered.push(f);
+  }
+
+  const missions = filtered.slice(0, maxMissions).map(missionFromFinding);
+
+  const priority = {
+    REMOVE_OWNER_MODE: 1,
+    FIX_STRIPE_WEBHOOKS: 2,
+    ENFORCE_PAID_SURFACE: 3,
+    ADD_SERVER_AUTH: 4,
+    FIX_MISSING_ROUTE: 5,
+    FIX_FAKE_SUCCESS: 6,
+    FIX_ENV_CONTRACT: 7,
+    GENERIC_FIX: 99
+  };
+
+  missions.sort((a,b) => (priority[a.type] || 50) - (priority[b.type] || 50));
+  return missions;
+}
+
+module.exports = { planMissions };

package/bin/runners/lib/missions/templates.js

@@ -0,0 +1,147 @@
+// bin/runners/lib/missions/templates.js
+function templateForMissionType(type) {
+  switch (type) {
+    case "REMOVE_OWNER_MODE":
+      return {
+        intent: "Remove any env-based entitlement bypass. Ship must not allow secretless unlocks.",
+        do: [
+          "Delete OWNER_MODE logic or gate it with signed admin token AND non-production check.",
+          "Ensure entitlement checks require real verification (API key / token / server-side).",
+          "Add/adjust tests if present (at minimum remove bypass path)."
+        ],
+        dont: [
+          "Do not replace with another env var.",
+          "Do not add 'temporary' backdoor."
+        ],
+        success: [
+          "Owner mode bypass finding disappears from ship results."
+        ]
+      };
+
+    case "FIX_STRIPE_WEBHOOKS":
+      return {
+        intent: "Make Stripe webhooks real: signature verified + raw body + idempotent event handling.",
+        do: [
+          "Use stripe.webhooks.constructEvent(rawBody, sigHeader, secret).",
+          "Ensure raw body is used (Next pages: bodyParser false; Next app: req.text()/arrayBuffer()).",
+          "Persist processed event.id and short-circuit on replays."
+        ],
+        dont: [
+          "Do not trust parsed JSON body for signature verification.",
+          "Do not mutate billing state without dedupe."
+        ],
+        success: [
+          "Webhook verification + idempotency findings disappear."
+        ]
+      };
+
+    case "ENFORCE_PAID_SURFACE":
+      return {
+        intent: "Move paid gating to the server handler BEFORE doing work.",
+        do: [
+          "Add enforceFeature/enforceLimit (or equivalent) at top of handler.",
+          "Return a structured 402/403 error code used by CLI/UI to upsell.",
+          "Keep logic minimal; don't refactor unrelated code."
+        ],
+        dont: [
+          "Do not rely on client/CLI-only gating.",
+          "Do not introduce new plans/tiers in this step."
+        ],
+        success: [
+          "Paid surface missing enforcement finding disappears."
+        ]
+      };
+
+    case "ADD_SERVER_AUTH":
+      return {
+        intent: "Ensure sensitive endpoints have real server-side auth enforcement.",
+        do: [
+          "Add session/JWT verification in handler or route hook.",
+          "If using Next middleware, ensure matcher covers the sensitive paths (but do not over-widen blindly).",
+          "Return 401/403 on missing/invalid auth."
+        ],
+        dont: [
+          "Do not only hide UI routes.",
+          "Do not add fake auth helpers without evidence."
+        ],
+        success: [
+          "GhostAuth findings disappear."
+        ]
+      };
+
+    case "FIX_MISSING_ROUTE":
+      return {
+        intent: "Make the referenced route real OR stop referencing it.",
+        do: [
+          "If the UI calls /api/x, ensure server route exists and matches method/path.",
+          "If the route should not exist, remove the client reference safely.",
+          "Prefer minimal handler that returns correct status and shape if needed."
+        ],
+        dont: [
+          "Do not invent new API surface unless required by evidence.",
+          "Do not add broad wildcard routes."
+        ],
+        success: [
+          "MissingRoute findings disappear."
+        ]
+      };
+
+    case "FIX_FAKE_SUCCESS":
+      return {
+        intent: "Remove success UI lies: success must be gated on awaited + verified network result.",
+        do: [
+          "Await the network call.",
+          "Gate toast.success / navigation behind res.ok/status checks.",
+          "Surface error toast on failure."
+        ],
+        dont: [
+          "Do not just delete success feedback.",
+          "Do not swallow errors silently."
+        ],
+        success: [
+          "FakeSuccess findings disappear."
+        ]
+      };
+
+    case "FIX_ENV_CONTRACT":
+      return {
+        intent: "Make env reality explicit: used env vars must be declared in .env.example/.env.template.",
+        do: [
+          "Add missing used vars to env template with safe defaults or comments.",
+          "If truly optional, ensure code has explicit fallback and document it."
+        ],
+        dont: [
+          "Do not introduce new env var usage unrelated to the finding."
+        ],
+        success: [
+          "EnvContract findings disappear."
+        ]
+      };
+
+    case "FIX_DEAD_UI":
+      return {
+        intent: "Make UI actions real: clicks must trigger real handler + real success criteria.",
+        do: [
+          "If click calls /api/*: ensure route exists server-side and returns success only on real ok.",
+          "If click should navigate: ensure href/router push is correct and target route exists.",
+          "If click should open modal: ensure state toggles and modal renders.",
+          "If action is disabled: remove click affordance or add aria-disabled + disabled styling consistently."
+        ],
+        dont: [
+          "Do not silence by removing UI without replacing the feature.",
+          "Do not show success toast before awaiting and verifying."
+        ],
+        success: ["Dead UI findings disappear from ship (after running reality again)."]
+      };
+
+    default:
+      return {
+        intent: "Fix the specific finding with smallest correct patch.",
+        do: ["Keep it minimal, evidence-based, and verifiable."],
+        dont: ["Do not refactor unrelated code."],
+        success: ["Target finding disappears."]
+      };
+  }
+}
+
+module.exports = { templateForMissionType };

package/bin/runners/lib/patch.js

@@ -0,0 +1,40 @@
+// bin/runners/lib/patch.js
+const fs = require("fs");
+const path = require("path");
+const { spawnSync } = require("child_process");
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function writeTempPatch(repoRoot, diffText) {
+  const dir = path.join(repoRoot, ".vibecheck", "tmp");
+  ensureDir(dir);
+  const p = path.join(dir, `patch_${Date.now()}.diff`);
+  fs.writeFileSync(p, diffText, "utf8");
+  return p;
+}
+
+function applyPatchWithGit(repoRoot, patchPath) {
+  const r = spawnSync("git", ["apply", "--reject", "--whitespace=fix", patchPath], {
+    cwd: repoRoot,
+    stdio: "pipe",
+    encoding: "utf8"
+  });
+
+  return { ok: r.status === 0, stdout: r.stdout, stderr: r.stderr, code: r.status };
+}
+
+function applyUnifiedDiff(repoRoot, diffText) {
+  const patchPath = writeTempPatch(repoRoot, diffText);
+
+  const check = spawnSync("git", ["--version"], { stdio: "ignore" });
+  if (check.status !== 0) {
+    return { ok: false, error: "git not found; cannot apply unified diff safely" };
+  }
+
+  const res = applyPatchWithGit(repoRoot, patchPath);
+  return res.ok ? { ok: true } : { ok: false, error: res.stderr || "git apply failed", details: res };
+}
+
+module.exports = { applyUnifiedDiff };

package/bin/runners/lib/permissions/auth-model.js

@@ -0,0 +1,213 @@
+/**
+ * Auth Model Extractor
+ * Extracts authorization model from code and contracts
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const fg = require("fast-glob");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+
+/**
+ * Extract auth model from codebase
+ */
+async function extractAuthModel(repoRoot, truthpack) {
+  const model = {
+    version: "1.0.0",
+    generatedAt: new Date().toISOString(),
+    roles: [],
+    routes: [],
+    rbacPatterns: [],
+    evidence: []
+  };
+
+  // Extract from truthpack
+  if (truthpack?.auth) {
+    model.protectedPatterns = truthpack.auth.nextMatcherPatterns || [];
+    
+    // Add middleware evidence
+    for (const mw of truthpack.auth.nextMiddleware || []) {
+      model.evidence.push({
+        type: "next_middleware",
+        file: mw.file,
+        signals: mw.signalTypes || []
+      });
+    }
+  }
+
+  // Extract role patterns from code
+  const rolePatterns = await extractRolePatterns(repoRoot);
+  model.rbacPatterns = rolePatterns;
+
+  // Infer roles from patterns
+  model.roles = inferRoles(rolePatterns, truthpack);
+
+  // Build route auth map
+  model.routes = buildRouteAuthMap(truthpack, model.roles);
+
+  return model;
+}
+
+/**
+ * Extract RBAC patterns from code
+ */
+async function extractRolePatterns(repoRoot) {
+  const patterns = [];
+
+  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+  });
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = fs.readFileSync(fileAbs, "utf8");
+
+    // Look for role-related patterns
+    const roleMatches = [
+      // role === 'admin'
+      /role\s*===?\s*['"](\w+)['"]/gi,
+      // isAdmin, isUser
+      /\b(is(?:Admin|User|Manager|Owner|Moderator))\b/gi,
+      // hasRole('admin')
+      /hasRole\s*\(\s*['"](\w+)['"]\s*\)/gi,
+      // checkPermission('edit')
+      /check(?:Permission|Auth)\s*\(\s*['"](\w+)['"]\s*\)/gi,
+      // [role: 'admin']
+      /role:\s*['"](\w+)['"]/gi
+    ];
+
+    for (const pattern of roleMatches) {
+      let match;
+      while ((match = pattern.exec(code)) !== null) {
+        patterns.push({
+          type: "role_check",
+          file: fileRel,
+          role: match[1],
+          line: code.substring(0, match.index).split("\n").length
+        });
+      }
+    }
+  }
+
+  return patterns;
+}
+
+/**
+ * Infer roles from patterns
+ */
+function inferRoles(patterns, truthpack) {
+  const roleNames = new Set();
+
+  // Common roles
+  roleNames.add("user");
+  roleNames.add("admin");
+
+  // From patterns
+  for (const p of patterns) {
+    if (p.role) {
+      roleNames.add(p.role.toLowerCase());
+    }
+    // Extract from isAdmin -> admin
+    if (p.role?.startsWith("is")) {
+      roleNames.add(p.role.substring(2).toLowerCase());
+    }
+  }
+
+  // Build role objects
+  const roles = [];
+  for (const name of roleNames) {
+    const role = {
+      name,
+      routes: [],
+      evidence: patterns.filter(p => 
+        p.role?.toLowerCase() === name || 
+        p.role?.toLowerCase() === `is${name}`
+      )
+    };
+    roles.push(role);
+  }
+
+  return roles;
+}
+
+/**
+ * Build route auth map
+ */
+function buildRouteAuthMap(truthpack, roles) {
+  const routes = [];
+  const serverRoutes = truthpack?.routes?.server || [];
+  const protectedPatterns = truthpack?.auth?.nextMatcherPatterns || [];
+
+  for (const route of serverRoutes) {
+    const isProtected = protectedPatterns.some(p => matchesPattern(route.path, p));
+    
+    const routeAuth = {
+      path: route.path,
+      method: route.method,
+      handler: route.handler,
+      declared: {
+        protected: isProtected,
+        roles: inferRouteRoles(route, roles),
+        public: !isProtected && isPublicRoute(route.path)
+      },
+      actual: null // Filled by runtime verification
+    };
+
+    routes.push(routeAuth);
+  }
+
+  return routes;
+}
+
+/**
+ * Infer which roles can access a route
+ */
+function inferRouteRoles(route, roles) {
+  const routeRoles = [];
+
+  // Admin routes
+  if (route.path.includes("/admin")) {
+    routeRoles.push("admin");
+  }
+
+  // User routes (most authenticated routes)
+  if (!route.path.includes("/admin") && !route.path.includes("/public")) {
+    routeRoles.push("user");
+  }
+
+  return routeRoles;
+}
+
+function isPublicRoute(path) {
+  const publicPatterns = [
+    /^\/api\/health/i,
+    /^\/api\/status/i,
+    /^\/api\/public\//i,
+    /^\/_next\//i,
+    /^\/favicon/i
+  ];
+  return publicPatterns.some(p => p.test(path));
+}
+
+function matchesPattern(path, pattern) {
+  const normPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
+  try {
+    const rx = new RegExp(`^${normPattern}`, "i");
+    return rx.test(path);
+  } catch {
+    return false;
+  }
+}
+
+module.exports = {
+  extractAuthModel,
+  extractRolePatterns,
+  inferRoles,
+  buildRouteAuthMap
+};

package/bin/runners/lib/permissions/idor-prover.js

@@ -0,0 +1,205 @@
+/**
+ * IDOR Prover
+ * Detects Insecure Direct Object Reference vulnerabilities
+ * Tests if User A can access User B's resources
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+
+function sha256(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
+}
+
+/**
+ * Detect potential IDOR routes from auth model
+ */
+function detectIDORCandidates(authModel) {
+  const candidates = [];
+
+  for (const route of authModel.routes) {
+    // Look for patterns like /users/:id, /invoices/:id, /orders/:id
+    const idorPatterns = [
+      /\/users\/:[^/]+/i,
+      /\/accounts\/:[^/]+/i,
+      /\/profiles\/:[^/]+/i,
+      /\/invoices\/:[^/]+/i,
+      /\/orders\/:[^/]+/i,
+      /\/documents\/:[^/]+/i,
+      /\/files\/:[^/]+/i,
+      /\/projects\/:[^/]+/i,
+      /\/teams\/:[^/]+/i,
+      /\/organizations\/:[^/]+/i
+    ];
+
+    for (const pattern of idorPatterns) {
+      if (pattern.test(route.path)) {
+        candidates.push({
+          path: route.path,
+          method: route.method,
+          handler: route.handler,
+          paramName: extractParamName(route.path),
+          resourceType: extractResourceType(route.path)
+        });
+        break;
+      }
+    }
+  }
+
+  return candidates;
+}
+
+function extractParamName(path) {
+  const match = path.match(/:([^/]+)/);
+  return match ? match[1] : "id";
+}
+
+function extractResourceType(path) {
+  const parts = path.split("/").filter(Boolean);
+  for (let i = 0; i < parts.length; i++) {
+    if (parts[i].startsWith(":") && i > 0) {
+      return parts[i - 1];
+    }
+  }
+  return "resource";
+}
+
+/**
+ * Build IDOR test plan
+ */
+function buildIDORTestPlan(candidates, options = {}) {
+  const plan = {
+    version: "1.0.0",
+    generatedAt: new Date().toISOString(),
+    tests: [],
+    safeMode: options.safe !== false
+  };
+
+  for (const candidate of candidates) {
+    const test = {
+      id: `idor_${sha256(candidate.path)}`,
+      route: candidate.path,
+      method: candidate.method,
+      resourceType: candidate.resourceType,
+      paramName: candidate.paramName,
+      steps: [
+        {
+          description: `Login as User A`,
+          action: "auth",
+          role: "user_a"
+        },
+        {
+          description: `Access own resource: ${candidate.path.replace(`:${candidate.paramName}`, 'USER_A_ID')}`,
+          action: "request",
+          path: candidate.path,
+          param: "USER_A_ID",
+          expectStatus: [200, 201]
+        },
+        {
+          description: `Attempt to access User B's resource: ${candidate.path.replace(`:${candidate.paramName}`, 'USER_B_ID')}`,
+          action: "request", 
+          path: candidate.path,
+          param: "USER_B_ID",
+          expectStatus: [403, 404]
+        }
+      ],
+      violation: {
+        condition: "step[2].status === 200",
+        severity: "BLOCK",
+        type: "idor",
+        message: `User A can access User B's ${candidate.resourceType}`
+      }
+    };
+
+    plan.tests.push(test);
+  }
+
+  return plan;
+}
+
+/**
+ * Execute IDOR test (requires browser context)
+ */
+async function executeIDORTest(page, test, users) {
+  const result = {
+    testId: test.id,
+    route: test.route,
+    passed: true,
+    steps: [],
+    violation: null
+  };
+
+  // This is a placeholder - actual implementation requires:
+  // 1. Two test user accounts
+  // 2. Known resource IDs for each user
+  // 3. Ability to switch between sessions
+
+  if (!users?.userA || !users?.userB) {
+    result.skipped = true;
+    result.reason = "IDOR tests require two configured test users";
+    return result;
+  }
+
+  // Step 1: Login as User A
+  // Step 2: Access own resource - should succeed
+  // Step 3: Access User B's resource - should fail
+
+  // For now, return a template result
+  result.steps = test.steps.map((step, i) => ({
+    ...step,
+    executed: false,
+    reason: "IDOR testing requires explicit --idor --safe flag and user configuration"
+  }));
+
+  return result;
+}
+
+/**
+ * Format IDOR test plan for display
+ */
+function formatIDORPlan(plan) {
+  const lines = [];
+
+  lines.push("# IDOR Test Plan\n");
+  lines.push(`Generated: ${plan.generatedAt}`);
+  lines.push(`Safe Mode: ${plan.safeMode ? "Yes" : "No"}`);
+  lines.push(`Tests: ${plan.tests.length}\n`);
+
+  if (plan.tests.length === 0) {
+    lines.push("No IDOR candidates detected.\n");
+    return lines.join("\n");
+  }
+
+  lines.push("## Candidates\n");
+
+  for (const test of plan.tests) {
+    lines.push(`### ${test.resourceType}: ${test.route}`);
+    lines.push(`Method: ${test.method}`);
+    lines.push(`Parameter: ${test.paramName}\n`);
+
+    lines.push("**Test Steps:**");
+    for (const step of test.steps) {
+      lines.push(`1. ${step.description}`);
+    }
+
+    lines.push("\n**Violation Condition:**");
+    lines.push(`If ${test.violation.condition}: ${test.violation.message}\n`);
+  }
+
+  lines.push("---\n");
+  lines.push("⚠️ **Safety Notice**");
+  lines.push("IDOR tests modify data access patterns. Only run on:");
+  lines.push("- Local development environments");
+  lines.push("- Staging with explicit consent");
+  lines.push("- With dedicated test accounts\n");
+
+  return lines.join("\n");
+}
+
+module.exports = {
+  detectIDORCandidates,
+  buildIDORTestPlan,
+  executeIDORTest,
+  formatIDORPlan
+};