@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/runMissionGenerator.js

@@ -0,0 +1,282 @@
+#!/usr/bin/env node
+/**
+ * Mission Generator v1
+ * 
+ * Generates Assist Mission files from ship findings.
+ * Each mission is a Markdown file with YAML frontmatter.
+ * 
+ * Usage:
+ *   generateMissions(findings, projectPath)
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+import yaml from 'js-yaml';
+
+/**
+ * Generate mission files from findings
+ * 
+ * @param {Object[]} findings - Array of findings from vibecheck ship
+ * @param {string} projectPath - Project root path
+ * @returns {Object} Generated missions info
+ */
+export async function generateMissions(findings, projectPath = process.cwd()) {
+  const assistDir = path.join(projectPath, '.vibecheck', 'assist');
+  const missionsDir = path.join(assistDir, 'missions');
+  
+  await fs.mkdir(missionsDir, { recursive: true });
+  
+  // Group findings by category
+  const grouped = groupFindings(findings);
+  
+  // Generate mission files
+  const missions = [];
+  let missionNumber = 1;
+  
+  for (const [category, categoryFindings] of Object.entries(grouped)) {
+    for (const finding of categoryFindings) {
+      const mission = createMission(finding, missionNumber, category);
+      const filename = `${String(missionNumber).padStart(2, '0')}_${slugify(mission.title)}.md`;
+      const filePath = path.join(missionsDir, filename);
+      
+      await fs.writeFile(filePath, formatMission(mission));
+      
+      missions.push({
+        id: mission.missionId,
+        title: mission.title,
+        file: filename,
+        severity: mission.severity,
+        category: mission.category,
+      });
+      
+      missionNumber++;
+    }
+  }
+  
+  // Write plan.json
+  const plan = {
+    generatedAt: new Date().toISOString(),
+    totalMissions: missions.length,
+    byCategory: Object.fromEntries(
+      Object.entries(grouped).map(([cat, items]) => [cat, items.length])
+    ),
+    missions,
+  };
+  
+  await fs.writeFile(
+    path.join(assistDir, 'plan.json'),
+    JSON.stringify(plan, null, 2)
+  );
+  
+  console.log(`\n📋 Generated ${missions.length} missions in ${missionsDir}`);
+  
+  return plan;
+}
+
+/**
+ * Group findings by category
+ */
+function groupFindings(findings) {
+  const groups = {};
+  
+  for (const finding of findings) {
+    const category = finding.category || 'general';
+    if (!groups[category]) groups[category] = [];
+    groups[category].push(finding);
+  }
+  
+  // Sort by severity within each category
+  const severityOrder = { BLOCK: 0, WARN: 1, INFO: 2 };
+  for (const category of Object.keys(groups)) {
+    groups[category].sort((a, b) => 
+      (severityOrder[a.severity] || 3) - (severityOrder[b.severity] || 3)
+    );
+  }
+  
+  return groups;
+}
+
+/**
+ * Create a mission object from a finding
+ */
+function createMission(finding, number, category) {
+  const missionId = `M${String(number).padStart(2, '0')}`;
+  
+  // Determine required claims based on finding type
+  const dependsOnClaims = [];
+  if (finding.type === 'dead_ui' || finding.type === 'route_mismatch') {
+    dependsOnClaims.push({
+      type: 'route_exists',
+      subject: { path: finding.route || finding.expectedRoute },
+    });
+  }
+  if (finding.type === 'auth_gap') {
+    dependsOnClaims.push({
+      type: 'auth_enforced',
+      subject: { path: finding.route },
+    });
+  }
+  
+  // Determine applicable invariants
+  const invariants = [];
+  if (category === 'DeadUI' || finding.type === 'dead_ui') {
+    invariants.push('INV_NO_FAKE_SUCCESS', 'INV_NO_ROUTE_INVENTION');
+  }
+  if (category === 'Auth' || finding.type === 'auth_gap') {
+    invariants.push('INV_NO_BYPASS_ENTITLEMENTS', 'INV_NO_SILENT_CATCH_AUTH');
+  }
+  if (category === 'Billing') {
+    invariants.push('INV_NO_BYPASS_ENTITLEMENTS');
+  }
+  
+  return {
+    missionId,
+    title: finding.title || `Fix ${category} issue`,
+    severity: finding.severity || 'WARN',
+    category,
+    scopeFiles: finding.files || [],
+    dependsOnClaims,
+    invariants,
+    assumptionBudget: 2,
+    finding,
+  };
+}
+
+/**
+ * Format a mission as Markdown with YAML frontmatter
+ */
+function formatMission(mission) {
+  const frontmatter = {
+    missionId: mission.missionId,
+    title: mission.title,
+    severity: mission.severity,
+    category: mission.category,
+    scopeFiles: mission.scopeFiles,
+    dependsOnClaims: mission.dependsOnClaims,
+    invariants: mission.invariants,
+    assumptionBudget: mission.assumptionBudget,
+  };
+  
+  const finding = mission.finding;
+  
+  const content = `---
+${yaml.dump(frontmatter, { lineWidth: -1 })}---
+
+# Objective
+${finding.description || finding.title || 'Fix the identified issue.'}
+
+# Truth Pack (authoritative)
+Use the provided context slice and do not invent endpoints, env vars, or auth assumptions.
+
+# Evidence Pack (must reference when editing)
+- Finding ${finding.id || mission.missionId}:
+${mission.scopeFiles.map(f => `  - ${f}`).join('\n') || '  - (no specific files identified)'}
+  - Reason: ${finding.reason || finding.description || 'See finding details'}
+
+# Required tool calls (before making claims)
+${generateRequiredToolCalls(mission)}
+
+# Steps
+${generateSteps(mission)}
+
+# Acceptance tests (must pass)
+- vibecheck ship
+- ${findTestCommand(mission)}
+- No new blockers introduced
+
+# Output requirements
+- List changed files
+- Explain each change with evidence refs
+- Provide final ship verdict result
+`;
+
+  return content;
+}
+
+/**
+ * Generate required tool calls for the mission
+ */
+function generateRequiredToolCalls(mission) {
+  const calls = [];
+  let callNum = 1;
+  
+  for (const claim of mission.dependsOnClaims) {
+    calls.push(`${callNum}) validate_claim(${claim.type} ${JSON.stringify(claim.subject)})`);
+    callNum++;
+  }
+  
+  if (calls.length === 0) {
+    calls.push('1) vibecheck.get_truthpack() - Get current truth state');
+  }
+  
+  calls.push(`${callNum}) search_evidence("${mission.category.toLowerCase()}", globs=["src/**","apps/**"])`);
+  
+  return calls.join('\n');
+}
+
+/**
+ * Generate steps for the mission
+ */
+function generateSteps(mission) {
+  const steps = [];
+  const finding = mission.finding;
+  
+  switch (mission.category) {
+    case 'DeadUI':
+      steps.push('1) Identify why the UI action is dead (early return / missing handler / missing await).');
+      steps.push('2) If route mismatch exists, align client call to an existing proven route (do not invent).');
+      steps.push('3) Ensure success UI happens only after response ok.');
+      steps.push('4) Ensure errors surface (no empty catch).');
+      break;
+      
+    case 'Auth':
+      steps.push('1) Verify the auth gap is real by checking middleware/guard configuration.');
+      steps.push('2) Add or fix the auth middleware on the affected route.');
+      steps.push('3) Ensure auth errors are properly handled (no silent failures).');
+      steps.push('4) Test both authenticated and unauthenticated access.');
+      break;
+      
+    case 'Billing':
+      steps.push('1) Verify the billing gate is missing or bypassable.');
+      steps.push('2) Add server-side tier/entitlement check.');
+      steps.push('3) Ensure client-side checks match server-side enforcement.');
+      steps.push('4) Remove any bypass flags or dev-only overrides.');
+      break;
+      
+    case 'Security':
+      steps.push('1) Identify the security vulnerability.');
+      steps.push('2) Apply the appropriate fix without breaking functionality.');
+      steps.push('3) Add validation/sanitization as needed.');
+      steps.push('4) Verify the fix does not introduce new vulnerabilities.');
+      break;
+      
+    default:
+      steps.push('1) Analyze the finding to understand the root cause.');
+      steps.push('2) Identify the minimal change needed to fix the issue.');
+      steps.push('3) Implement the fix with proper error handling.');
+      steps.push('4) Verify the fix resolves the finding.');
+  }
+  
+  return steps.join('\n');
+}
+
+/**
+ * Find the appropriate test command
+ */
+function findTestCommand(mission) {
+  // This would ideally come from the truth pack's project.scripts
+  return 'pnpm test OR npm test (if present)';
+}
+
+/**
+ * Convert title to slug
+ */
+function slugify(text) {
+  return text
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '_')
+    .replace(/^_+|_+$/g, '')
+    .slice(0, 40);
+}
+
+export default { generateMissions };

package/bin/runners/runNaturalLanguage.js

@@ -0,0 +1,3 @@
+function isNaturalLanguageCommand(s) { return false; }
+async function runNaturalLanguage(s) { return 1; }
+module.exports = { runNaturalLanguage, isNaturalLanguageCommand };

package/bin/runners/runPR.js

@@ -0,0 +1,96 @@
+// bin/runners/runPR.js
+const fs = require("fs");
+const path = require("path");
+const { shipCore } = require("./runShip");
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function severityCounts(findings) {
+  const c = { BLOCK: 0, WARN: 0, INFO: 0 };
+  for (const f of findings || []) {
+    if (f.severity === "BLOCK") c.BLOCK++;
+    else if (f.severity === "WARN") c.WARN++;
+    else c.INFO++;
+  }
+  return c;
+}
+
+function toEmojiVerdict(v) {
+  if (v === "SHIP") return "✅ SHIP";
+  if (v === "WARN") return "⚠️ WARN";
+  return "🛑 BLOCK";
+}
+
+function buildPrMarkdown({ report, maxFindings = 12 } = {}) {
+  const verdict = report?.meta?.verdict || "unknown";
+  const findings = report?.findings || [];
+  const counts = severityCounts(findings);
+
+  const top = findings
+    .filter(f => f.severity === "BLOCK" || f.severity === "WARN")
+    .slice(0, maxFindings);
+
+  const lines = [];
+  lines.push(`## vibecheck — ${toEmojiVerdict(verdict)}`);
+  lines.push(``);
+  lines.push(`**Reality summary:** BLOCK=${counts.BLOCK} • WARN=${counts.WARN}`);
+  lines.push(``);
+
+  if (!top.length) {
+    lines.push(`✅ No blockers. Ship it.`);
+    return lines.join("\n");
+  }
+
+  lines.push(`### Top findings`);
+  for (const f of top) {
+    lines.push(`- **${f.severity}** \`${f.id}\` — ${f.title}`);
+    const ev = (f.evidence || [])[0];
+    if (ev?.file) {
+      lines.push(`  - Evidence: \`${ev.file}:${ev.lines}\` (${ev.reason})`);
+      if (ev.snippetHash) lines.push(`  - SnipHash: \`${ev.snippetHash}\``);
+    }
+    const hint = (f.fixHints || [])[0];
+    if (hint) lines.push(`  - Fix: ${hint}`);
+  }
+
+  if (findings.length > top.length) {
+    lines.push(``);
+    lines.push(`_…and ${findings.length - top.length} more finding(s). See \`.vibecheck/last_ship.json\` for full details._`);
+  }
+
+  return lines.join("\n");
+}
+
+function exitCodeForVerdict(verdict, { failOnWarn = false } = {}) {
+  if (verdict === "SHIP") return 0;
+  if (verdict === "WARN") return failOnWarn ? 1 : 0;
+  return 2; // BLOCK
+}
+
+async function runPR({
+  repoRoot,
+  fastifyEntry,
+  out,
+  failOnWarn = false,
+  maxFindings = 12
+} = {}) {
+  const root = repoRoot || process.cwd();
+
+  const { report, verdict } = await shipCore({ repoRoot: root, fastifyEntry, noWrite: false });
+
+  const md = buildPrMarkdown({ report, maxFindings });
+
+  if (out) {
+    const outAbs = path.isAbsolute(out) ? out : path.join(root, out);
+    ensureDir(path.dirname(outAbs));
+    fs.writeFileSync(outAbs, md, "utf8");
+  }
+
+  console.log(md);
+
+  process.exitCode = exitCodeForVerdict(verdict, { failOnWarn });
+}
+
+module.exports = { runPR };

package/bin/runners/runPermissions.js

@@ -0,0 +1,290 @@
+/**
+ * vibecheck permissions - AuthZ Matrix & IDOR Detection
+ * 
+ * Verifies authorization is correct, not just present:
+ * - Which roles can hit which routes
+ * - Which UI actions leak data cross-user (IDOR)
+ * - Which admin endpoints are accidentally public
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+const { buildTruthpack, loadTruthpack } = require("./lib/truth");
+const { 
+  extractAuthModel,
+  buildAuthZMatrix,
+  formatMatrix,
+  detectIDORCandidates,
+  buildIDORTestPlan,
+  formatIDORPlan
+} = require("./lib/permissions");
+
+const c = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  cyan: '\x1b[36m',
+  red: '\x1b[31m',
+  blue: '\x1b[34m',
+};
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+async function runPermissions(args) {
+  const opts = parseArgs(args);
+
+  if (opts.help) {
+    printHelp();
+    return 0;
+  }
+
+  const root = path.resolve(opts.path || process.cwd());
+  const outDir = path.join(root, ".vibecheck", "permissions");
+  ensureDir(outDir);
+
+  console.log(`\n${c.cyan}${c.bold}🔐 vibecheck permissions${c.reset}`);
+
+  // Load or build truthpack
+  let truthpack = loadTruthpack(root);
+  if (!truthpack) {
+    console.log(`${c.dim}Building truthpack...${c.reset}`);
+    truthpack = await buildTruthpack({ repoRoot: root, fastifyEntry: opts.fastifyEntry });
+  }
+
+  // Extract auth model
+  console.log(`${c.dim}Extracting auth model...${c.reset}`);
+  const authModel = await extractAuthModel(root, truthpack);
+
+  // Save auth model
+  fs.writeFileSync(
+    path.join(outDir, "auth-model.json"),
+    JSON.stringify(authModel, null, 2),
+    "utf8"
+  );
+
+  if (opts.learn) {
+    // Learning mode - just extract and display
+    console.log(`\n${c.bold}Auth Model${c.reset}`);
+    console.log(`  Roles: ${authModel.roles.map(r => r.name).join(", ")}`);
+    console.log(`  Protected patterns: ${authModel.protectedPatterns?.length || 0}`);
+    console.log(`  Routes: ${authModel.routes.length}`);
+    console.log(`  RBAC patterns: ${authModel.rbacPatterns.length}`);
+
+    if (authModel.roles.length > 0) {
+      console.log(`\n${c.bold}Detected Roles${c.reset}`);
+      for (const role of authModel.roles) {
+        console.log(`  - ${role.name} (${role.evidence.length} references)`);
+      }
+    }
+
+    console.log(`\n${c.dim}Auth model saved to: .vibecheck/permissions/auth-model.json${c.reset}`);
+    console.log(`${c.dim}Run 'vibecheck permissions --prove' to verify at runtime${c.reset}\n`);
+    return 0;
+  }
+
+  if (opts.prove) {
+    // Runtime verification mode
+    if (!opts.url) {
+      console.log(`${c.red}Error: --prove requires --url${c.reset}`);
+      return 1;
+    }
+
+    console.log(`${c.dim}Running permission verification against ${opts.url}...${c.reset}`);
+
+    // This would run actual browser tests
+    // For now, show what would be tested
+    const matrix = buildAuthZMatrix(authModel, null);
+    
+    console.log(`\n${c.bold}AuthZ Matrix${c.reset}`);
+    console.log(`  Routes to verify: ${matrix.routes.length}`);
+    console.log(`  Roles to test: ${matrix.roles.join(", ")}`);
+
+    // Save matrix
+    fs.writeFileSync(
+      path.join(outDir, "authz-matrix.json"),
+      JSON.stringify(matrix, null, 2),
+      "utf8"
+    );
+
+    fs.writeFileSync(
+      path.join(outDir, "authz-matrix.md"),
+      formatMatrix(matrix),
+      "utf8"
+    );
+
+    const blocks = matrix.violations.filter(v => v.severity === "BLOCK").length;
+    const warns = matrix.violations.filter(v => v.severity === "WARN").length;
+
+    if (matrix.violations.length > 0) {
+      console.log(`\n${c.bold}Violations${c.reset}`);
+      for (const v of matrix.violations.slice(0, 10)) {
+        const icon = v.severity === "BLOCK" ? `${c.red}✗` : `${c.yellow}⚠`;
+        console.log(`  ${icon} ${v.message}${c.reset}`);
+      }
+    } else {
+      console.log(`\n${c.green}✓ No violations detected${c.reset}`);
+    }
+
+    console.log(`\n${c.dim}Matrix saved to: .vibecheck/permissions/authz-matrix.json${c.reset}`);
+    console.log(`\n${c.bold}Verdict:${c.reset} ${blocks ? `${c.red}🛑 BLOCK${c.reset}` : warns ? `${c.yellow}⚠️ WARN${c.reset}` : `${c.green}✅ CLEAN${c.reset}`}`);
+
+    return blocks ? 2 : warns ? 1 : 0;
+  }
+
+  if (opts.matrix) {
+    // Output matrix mode
+    const matrix = buildAuthZMatrix(authModel, null);
+    console.log("\n" + formatMatrix(matrix));
+
+    fs.writeFileSync(
+      path.join(outDir, "authz-matrix.json"),
+      JSON.stringify(matrix, null, 2),
+      "utf8"
+    );
+
+    fs.writeFileSync(
+      path.join(outDir, "authz-matrix.md"),
+      formatMatrix(matrix),
+      "utf8"
+    );
+
+    return 0;
+  }
+
+  if (opts.idor) {
+    // IDOR detection mode
+    console.log(`${c.dim}Detecting IDOR candidates...${c.reset}`);
+    
+    const candidates = detectIDORCandidates(authModel);
+    const plan = buildIDORTestPlan(candidates, { safe: opts.safe });
+
+    console.log(`\n${c.bold}IDOR Candidates${c.reset}`);
+    console.log(`  Detected: ${candidates.length}`);
+
+    if (candidates.length > 0) {
+      for (const c of candidates.slice(0, 10)) {
+        console.log(`  - ${c.resourceType}: ${c.path}`);
+      }
+    }
+
+    // Save plan
+    fs.writeFileSync(
+      path.join(outDir, "idor-plan.json"),
+      JSON.stringify(plan, null, 2),
+      "utf8"
+    );
+
+    fs.writeFileSync(
+      path.join(outDir, "idor-plan.md"),
+      formatIDORPlan(plan),
+      "utf8"
+    );
+
+    console.log(`\n${c.dim}IDOR plan saved to: .vibecheck/permissions/idor-plan.json${c.reset}`);
+
+    if (!opts.safe) {
+      console.log(`\n${c.yellow}⚠️ IDOR tests require --safe flag for first-party testing${c.reset}`);
+    }
+
+    return 0;
+  }
+
+  // Default: show summary
+  console.log(`\n${c.bold}Summary${c.reset}`);
+  console.log(`  Roles: ${authModel.roles.length}`);
+  console.log(`  Routes: ${authModel.routes.length}`);
+  console.log(`  Protected patterns: ${authModel.protectedPatterns?.length || 0}`);
+
+  console.log(`\n${c.bold}Run one of:${c.reset}`);
+  console.log(`  ${c.cyan}vibecheck permissions --learn${c.reset}     Extract auth model from code`);
+  console.log(`  ${c.cyan}vibecheck permissions --prove${c.reset}     Runtime verification`);
+  console.log(`  ${c.cyan}vibecheck permissions --matrix${c.reset}    Output AuthZ matrix`);
+  console.log(`  ${c.cyan}vibecheck permissions --idor${c.reset}      Detect IDOR candidates\n`);
+
+  return 0;
+}
+
+function parseArgs(args) {
+  const opts = {
+    path: process.cwd(),
+    url: null,
+    learn: false,
+    prove: false,
+    matrix: false,
+    idor: false,
+    safe: false,
+    fastifyEntry: null,
+    help: false,
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--learn") opts.learn = true;
+    else if (arg === "--prove") opts.prove = true;
+    else if (arg === "--matrix") opts.matrix = true;
+    else if (arg === "--idor") opts.idor = true;
+    else if (arg === "--safe") opts.safe = true;
+    else if (arg === "--url") opts.url = args[++i];
+    else if (arg === "--fastify-entry") opts.fastifyEntry = args[++i];
+    else if (arg === "--path" || arg === "-p") opts.path = args[++i];
+    else if (arg === "--help" || arg === "-h") opts.help = true;
+  }
+
+  return opts;
+}
+
+function printHelp() {
+  console.log(`
+${c.cyan}${c.bold}🔐 vibecheck permissions${c.reset} - AuthZ Matrix & IDOR Detection
+
+Verify authorization is correct, not just present.
+
+${c.bold}USAGE${c.reset}
+  vibecheck permissions --learn          ${c.dim}# Extract auth model from code${c.reset}
+  vibecheck permissions --prove --url    ${c.dim}# Runtime verification${c.reset}
+  vibecheck permissions --matrix         ${c.dim}# Output full AuthZ matrix${c.reset}
+  vibecheck permissions --idor --safe    ${c.dim}# IDOR detection (first-party)${c.reset}
+
+${c.bold}OPTIONS${c.reset}
+  --learn             Extract auth model from code
+  --prove             Runtime verification of permissions
+  --matrix            Output AuthZ matrix
+  --idor              Detect IDOR candidates
+  --safe              Enable safe mode for IDOR testing (required)
+  --url <url>         Target URL for runtime testing
+  --fastify-entry     Fastify entry file (e.g. src/server.ts)
+  --path, -p          Project path (default: current directory)
+  --help, -h          Show this help
+
+${c.bold}FINDINGS${c.reset}
+  ${c.red}BLOCK${c.reset} Endpoint accessible as anon that should require auth
+  ${c.red}BLOCK${c.reset} User A can access User B's resource (IDOR)
+  ${c.red}BLOCK${c.reset} Role mismatch between UI + server
+  ${c.yellow}WARN${c.reset}  Admin endpoint missing role check (static)
+
+${c.bold}OUTPUT${c.reset}
+  .vibecheck/permissions/
+    auth-model.json     Extracted auth model
+    authz-matrix.json   Full authorization matrix
+    authz-matrix.md     Human-readable matrix
+    idor-plan.json      IDOR test plan
+
+${c.bold}SAFETY${c.reset}
+  IDOR tests only run with --idor --safe flag
+  Only use on local dev/staging with explicit consent
+  Configure test users in .vibecheck/config.json
+
+${c.bold}EXAMPLES${c.reset}
+  vibecheck permissions --learn                            ${c.dim}# Extract model${c.reset}
+  vibecheck permissions --prove --url http://localhost:3000
+  vibecheck permissions --idor --safe                      ${c.dim}# IDOR detection${c.reset}
+`);
+}
+
+module.exports = { runPermissions };