@vibecheckai/cli 3.0.2 → 3.0.3

package/bin/runners/lib/analyzers.js

@@ -1,541 +0,0 @@
-// bin/runners/lib/analyzers.js
-const fs = require("fs");
-const path = require("path");
-const fg = require("fast-glob");
-const crypto = require("crypto");
-const parser = require("@babel/parser");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-const { routeMatches } = require("./claims");
-const { matcherCoversPath } = require("./auth-truth");
-
-function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
-}
-
-function parseFile(code) {
-  return parser.parse(code, { sourceType: "unambiguous", plugins: ["typescript", "jsx"] });
-}
-
-function evidenceFromLoc(fileAbs, repoRoot, loc, reason) {
-  if (!loc) return null;
-  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-  const lines = fs.readFileSync(fileAbs, "utf8").split(/\r?\n/);
-  const start = Math.max(1, loc.start?.line || 1);
-  const end = Math.max(start, loc.end?.line || start);
-  const snippet = lines.slice(start - 1, end).join("\n");
-  return { id: `ev_${crypto.randomBytes(4).toString("hex")}`, file: fileRel, lines: `${start}-${end}`, snippetHash: sha256(snippet), reason };
-}
-
-function findMissingRoutes(truthpack) {
-  const findings = [];
-  const server = truthpack.routes.server || [];
-  const refs = truthpack.routes.clientRefs || [];
-  const gaps = truthpack.routes.gaps || [];
-  
-  // If we have route detection gaps, be less aggressive with BLOCKs
-  const hasGaps = gaps.length > 0;
-  
-  // Build a set of known route path prefixes for smarter matching
-  const knownPrefixes = new Set();
-  for (const r of server) {
-    const parts = r.path.split('/').filter(Boolean);
-    if (parts.length >= 2) {
-      knownPrefixes.add('/' + parts[0] + '/' + parts[1]);
-    }
-    if (parts.length >= 1) {
-      knownPrefixes.add('/' + parts[0]);
-    }
-  }
-
-  for (const ref of refs) {
-    const method = ref.method || "*";
-    const p = ref.path;
-
-    const ok = server.some(r => routeMatches(r, method, p) || routeMatches(r, "*", p));
-    if (ok) continue;
-    
-    // Check if route shares a prefix with known routes (might be undetected sibling)
-    const refParts = p.split('/').filter(Boolean);
-    const refPrefix1 = refParts.length >= 1 ? '/' + refParts[0] : '/';
-    const refPrefix2 = refParts.length >= 2 ? '/' + refParts[0] + '/' + refParts[1] : refPrefix1;
-    const sharesPrefix = knownPrefixes.has(refPrefix1) || knownPrefixes.has(refPrefix2);
-    
-    // Determine severity based on confidence and context
-    // In monorepos with complex routing (plugins, dynamic registration), static analysis has limits
-    // Default to WARN unless we're very confident the route is truly invented
-    let severity = "WARN";
-    
-    // Only BLOCK if:
-    // 1. High confidence client ref
-    // 2. No detection gaps
-    // 3. Doesn't share prefix with any known route
-    // 4. Looks like an invented/hallucinated route (unusual patterns)
-    const looksInvented = /\/(fake|test|mock|dummy|example|foo|bar|baz|xxx|yyy|placeholder)/i.test(p);
-    if (ref.confidence === "high" && !hasGaps && !sharesPrefix && looksInvented) {
-      severity = "BLOCK";
-    }
-    
-    // Always WARN for common internal/utility routes
-    const isInternalRoute = /^\/(health|metrics|ready|live|version|debug|internal|suggestions|security|analyze|websocket|dashboard)/.test(p);
-    if (isInternalRoute) {
-      severity = "WARN";
-    }
-
-    findings.push({
-      id: `F_MISSING_ROUTE_${String(findings.length + 1).padStart(3, "0")}`,
-      severity,
-      category: "MissingRoute",
-      title: `Client references route that does not exist: ${method} ${p}`,
-      why: severity === "BLOCK" 
-        ? "AI frequently invents endpoints. Shipping this = broken flows (404 / silent failure)."
-        : "Route reference found but server route not detected. May be a false positive if route is defined dynamically.",
-      confidence: ref.confidence || "low",
-      evidence: ref.evidence || [],
-      fixHints: [
-        "Update the client call to a real server route (see route map).",
-        "If the route exists but wasn't detected, it may use dynamic registration.",
-        "If truly missing, implement it in your API and re-run ship."
-      ]
-    });
-  }
-
-  // If route scan had gaps, add a WARN so users know why some routes may be unknown
-  if (hasGaps) {
-    findings.push({
-      id: `F_ROUTE_MAP_GAPS_001`,
-      severity: "WARN",
-      category: "RouteMapGaps",
-      title: `Route map incomplete (${gaps.length} unresolved sources)`,
-      why: "Some routes may not be detected due to dynamic registration or unresolved plugins.",
-      confidence: "low",
-      evidence: [],
-      fixHints: [
-        "Routes registered dynamically or via unresolved imports may not be detected.",
-        "Consider using explicit route registration for better static analysis.",
-        "Run with --verbose to see detection gaps."
-      ]
-    });
-  }
-
-  return findings;
-}
-
-// ============================================================================
-// ENV GAPS ANALYZER
-// ============================================================================
-
-function findEnvGaps(truthpack) {
-  const findings = [];
-  const used = truthpack?.env?.vars || [];
-  const declared = new Set(truthpack?.env?.declared || []);
-  const declaredSources = truthpack?.env?.declaredSources || [];
-
-  // 1) USED but not declared in templates/examples => WARN (or BLOCK if required)
-  for (const v of used) {
-    if (declared.has(v.name)) continue;
-
-    const sev = v.required ? "BLOCK" : "WARN";
-    findings.push({
-      id: `F_ENV_UNDECLARED_${v.name}`,
-      severity: sev,
-      category: "EnvContract",
-      title: `Env var used but not declared in env templates: ${v.name}`,
-      why: v.required
-        ? "Required env var is used with no fallback. Vibecoders will ship a broken app if it's not documented."
-        : "Env var appears optional but should still be documented to prevent guesswork.",
-      confidence: "high",
-      evidence: v.references || [],
-      fixHints: [
-        `Add ${v.name}= to .env.example (or .env.template).`,
-        "If it's truly optional, ensure the code has an explicit fallback or guard."
-      ]
-    });
-  }
-
-  // 2) Declared but never used => WARN (hygiene)
-  const usedSet = new Set(used.map(v => v.name));
-  for (const name of declared) {
-    if (usedSet.has(name)) continue;
-
-    findings.push({
-      id: `F_ENV_UNUSED_${name}`,
-      severity: "WARN",
-      category: "EnvContract",
-      title: `Env var declared but never used: ${name}`,
-      why: "Dead config creates confusion and encourages hallucinated wiring.",
-      confidence: "med",
-      evidence: [],
-      fixHints: [
-        "Remove it from templates if it's obsolete, or wire it into code intentionally.",
-        "If used at runtime only (in infra), document that explicitly."
-      ]
-    });
-  }
-
-  // 3) If no template sources exist, warn loudly
-  if (!declaredSources.length && used.length) {
-    findings.push({
-      id: "F_ENV_NO_TEMPLATE",
-      severity: "WARN",
-      category: "EnvContract",
-      title: "No .env.example/.env.template found",
-      why: "Without an env contract file, AI and humans will guess env vars and ship broken setups.",
-      confidence: "high",
-      evidence: [],
-      fixHints: ["Add a .env.example that lists required/optional vars with comments."]
-    });
-  }
-
-  return findings;
-}
-
-// ============================================================================
-// FAKE SUCCESS ANALYZER (INV_NO_FAKE_SUCCESS)
-// ============================================================================
-
-function isToastSuccessCall(node) {
-  return t.isCallExpression(node) &&
-    t.isMemberExpression(node.callee) &&
-    t.isIdentifier(node.callee.object, { name: "toast" }) &&
-    t.isIdentifier(node.callee.property, { name: "success" });
-}
-
-function isRouterPushCall(node) {
-  return t.isCallExpression(node) && (
-    (t.isMemberExpression(node.callee) &&
-      t.isIdentifier(node.callee.property, { name: "push" })) ||
-    (t.isIdentifier(node.callee) && (node.callee.name === "navigate"))
-  );
-}
-
-function isFetchCall(node) {
-  return t.isCallExpression(node) && t.isIdentifier(node.callee, { name: "fetch" });
-}
-
-function isAxiosCall(node) {
-  return t.isCallExpression(node) &&
-    t.isMemberExpression(node.callee) &&
-    t.isIdentifier(node.callee.object, { name: "axios" }) &&
-    t.isIdentifier(node.callee.property) &&
-    ["get","post","put","patch","delete"].includes(node.callee.property.name);
-}
-
-function findFakeSuccess(repoRoot) {
-  const findings = [];
-  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
-  });
-
-  for (const fileAbs of files) {
-    const code = fs.readFileSync(fileAbs, "utf8");
-    let ast;
-    try { ast = parseFile(code); } catch { continue; }
-
-    traverse(ast, {
-      Function(pathFn) {
-        let hasSuccess = false;
-        let successLoc = null;
-        let hasNetwork = false;
-        let hasAwaitNetwork = false;
-        let hasOkCheck = false;
-
-        pathFn.traverse({
-          CallExpression(p) {
-            const n = p.node;
-
-            if (isToastSuccessCall(n) || isRouterPushCall(n)) {
-              hasSuccess = true;
-              successLoc = successLoc || n.loc;
-            }
-
-            if (isFetchCall(n) || isAxiosCall(n)) {
-              hasNetwork = true;
-              if (p.parentPath && p.parentPath.isAwaitExpression()) hasAwaitNetwork = true;
-            }
-          },
-          IfStatement(p) {
-            const test = p.node.test;
-            const text = code.slice(test.start || 0, test.end || 0);
-            if (/\b(ok|status)\b/.test(text) && /(res|response)/.test(text)) {
-              hasOkCheck = true;
-            }
-          }
-        });
-
-        if (!hasSuccess || !hasNetwork) return;
-
-        const severity = hasAwaitNetwork ? (hasOkCheck ? null : "WARN") : "BLOCK";
-        if (!severity) return;
-
-        const ev = evidenceFromLoc(fileAbs, repoRoot, successLoc, "Success UI call in networked flow");
-        findings.push({
-          id: `F_FAKE_SUCCESS_${String(findings.length + 1).padStart(3, "0")}`,
-          severity,
-          category: "FakeSuccess",
-          title: severity === "BLOCK"
-            ? "Success UI triggered without awaiting network call"
-            : "Success UI triggered without verifying network result (res.ok/status)",
-          why: severity === "BLOCK"
-            ? "This ships lies. Users see success even when the request never completed."
-            : "This often ships lies. You're not gating success on a real response.",
-          confidence: "med",
-          evidence: ev ? [ev] : [],
-          fixHints: [
-            "Await the network call (await fetch/await axios...).",
-            "Gate success UI behind res.ok / status checks; surface errors otherwise."
-          ]
-        });
-      }
-    });
-  }
-
-  return findings;
-}
-
-// ============================================================================
-// GHOST AUTH ANALYZER (INV_NO_GHOST_AUTH)
-// ============================================================================
-
-function looksSensitive(pathStr) {
-  const p = String(pathStr || "");
-  return (
-    p.startsWith("/api/admin") ||
-    p.startsWith("/api/billing") ||
-    p.startsWith("/api/stripe") ||
-    p.startsWith("/api/org") ||
-    p.startsWith("/api/team") ||
-    p.startsWith("/api/account") ||
-    p.startsWith("/api/settings") ||
-    p.startsWith("/api/users") ||
-    p.startsWith("/api/user")
-  );
-}
-
-function hasRouteLevelProtection(routeDef) {
-  const hooks = routeDef.hooks || [];
-  if (hooks.includes("preHandler") || hooks.includes("onRequest") || hooks.includes("preValidation")) return true;
-  return false;
-}
-
-function handlerHasAuthSignal(repoRoot, handlerRel) {
-  const abs = path.join(repoRoot, handlerRel);
-  if (!fs.existsSync(abs)) return false;
-  const code = fs.readFileSync(abs, "utf8");
-
-  return (
-    /\bgetServerSession\b|\bauth\(\)\b|\bclerk\b|@clerk\/nextjs|\bcreateRouteHandlerClient\b|@supabase/i.test(code) ||
-    /\b(jwtVerify|authorization|bearer|verifyToken|verifyJWT)\b/i.test(code) ||
-    /\b(isAdmin|adminOnly|permissions|rbac)\b/i.test(code)
-  );
-}
-
-function isProtectedByNextMiddleware(truthpack, routePath) {
-  const patterns = truthpack?.auth?.nextMatcherPatterns || [];
-  return matcherCoversPath(patterns, routePath);
-}
-
-function findGhostAuth(truthpack, repoRoot) {
-  const findings = [];
-  const server = truthpack?.routes?.server || [];
-
-  for (const r of server) {
-    if (!looksSensitive(r.path)) continue;
-
-    const middlewareProtected = isProtectedByNextMiddleware(truthpack, r.path);
-    const routeHooksProtected = hasRouteLevelProtection(r);
-    const handlerProtected = r.handler ? handlerHasAuthSignal(repoRoot, r.handler) : false;
-
-    const protectedSomehow = middlewareProtected || routeHooksProtected || handlerProtected;
-
-    if (!protectedSomehow) {
-      findings.push({
-        id: `F_GHOST_AUTH_${r.method}_${r.path}`.replace(/[^A-Z0-9_\/:*-]/gi, "_"),
-        severity: "BLOCK",
-        category: "GhostAuth",
-        title: `Sensitive endpoint appears unprotected: ${r.method} ${r.path}`,
-        why: "This is how apps get owned. UI gating doesn't matter. If the server doesn't enforce auth, it's public.",
-        confidence: "med",
-        evidence: (r.evidence || []).slice(0, 2),
-        fixHints: [
-          "Add server-side auth verification in the handler (session/jwt).",
-          "Or protect the path via Next middleware matcher (and verify it actually applies).",
-          "If Fastify: add preHandler/onRequest auth hook and ensure it's registered for this route."
-        ]
-      });
-    }
-  }
-
-  // If there IS middleware but it doesn't cover obvious sensitive prefixes, warn
-  const patterns = truthpack?.auth?.nextMatcherPatterns || [];
-  if (patterns.length) {
-    const coversApi = patterns.some(p => String(p).includes("/api"));
-    if (!coversApi) {
-      findings.push({
-        id: "F_MIDDLEWARE_NOT_COVERING_API",
-        severity: "WARN",
-        category: "GhostAuth",
-        title: "Next middleware exists but does not appear to cover /api routes",
-        why: "People assume middleware protects APIs. Often it doesn't. Verify matcher patterns.",
-        confidence: "high",
-        evidence: (truthpack?.auth?.nextMiddleware?.[0]?.evidence || []).slice(0, 3),
-        fixHints: ["Add /api/:path* to middleware matcher if your design expects API auth protection."]
-      });
-    }
-  }
-
-  return findings;
-}
-
-// ============================================================================
-// STRIPE WEBHOOK VIOLATIONS (INV_WEBHOOK_VERIFIED + INV_WEBHOOK_IDEMPOTENT)
-// ============================================================================
-
-function findStripeWebhookViolations(truthpack) {
-  const findings = [];
-  const billing = truthpack?.billing;
-
-  if (!billing?.hasStripe) return findings;
-
-  const candidates = billing.webhookCandidates || [];
-
-  if (!candidates.length) {
-    findings.push({
-      id: "F_STRIPE_NO_WEBHOOK_HANDLER",
-      severity: "WARN",
-      category: "Billing",
-      title: "Stripe appears used but no webhook handler candidate detected",
-      why: "If you bill with Stripe, webhooks are usually required. Missing webhooks often means subscription state desync.",
-      confidence: "med",
-      evidence: [],
-      fixHints: ["Add a Stripe webhook handler with signature verification and idempotency."]
-    });
-    return findings;
-  }
-
-  for (const w of candidates) {
-    const verified = w.signals.webhookConstructEvent && w.signals.rawBodySignal && w.signals.readsStripeSignatureHeader;
-    const idempotent = !!w.signals.idempotencySignal;
-
-    if (!verified) {
-      findings.push({
-        id: `F_STRIPE_WEBHOOK_NOT_VERIFIED_${w.file.replace(/[^a-z0-9]/gi, "_")}`,
-        severity: "BLOCK",
-        category: "Billing",
-        title: `Stripe webhook handler not clearly signature-verified: ${w.file}`,
-        why: "Unverified webhooks = spoofable billing state. That's catastrophic.",
-        confidence: "high",
-        evidence: (w.evidence || []).slice(0, 4),
-        fixHints: [
-          "Use stripe.webhooks.constructEvent(rawBody, sigHeader, STRIPE_WEBHOOK_SECRET).",
-          "Ensure raw body is used (disable bodyParser in pages router; in app router read req.text()/arrayBuffer).",
-          "Reject if signature missing/invalid."
-        ]
-      });
-    }
-
-    if (!idempotent) {
-      findings.push({
-        id: `F_STRIPE_WEBHOOK_NOT_IDEMPOTENT_${w.file.replace(/[^a-z0-9]/gi, "_")}`,
-        severity: "BLOCK",
-        category: "Billing",
-        title: `Stripe webhook handler not clearly idempotent: ${w.file}`,
-        why: "Stripe retries webhooks. Without dedupe, you'll double-grant access, double-send emails, or double-write state.",
-        confidence: "med",
-        evidence: (w.evidence || []).slice(0, 4),
-        fixHints: [
-          "Persist event.id as processed (DB/Redis). If seen, return 200 immediately.",
-          "Wrap state mutation in a transaction keyed by event.id."
-        ]
-      });
-    }
-  }
-
-  return findings;
-}
-
-// ============================================================================
-// PAID SURFACE NOT ENFORCED (INV_PAID_FEATURE_ENFORCED_SERVER_SIDE)
-// ============================================================================
-
-function findPaidSurfaceNotEnforced(truthpack) {
-  const findings = [];
-  const enforcement = truthpack?.enforcement;
-
-  const checks = enforcement?.checks || [];
-  for (const c of checks) {
-    if (c.enforced) continue;
-
-    findings.push({
-      id: `F_PAID_SURFACE_NOT_ENFORCED_${c.method}_${c.path}`.replace(/[^a-z0-9]/gi, "_"),
-      severity: "BLOCK",
-      category: "Entitlements",
-      title: `Paid surface appears un-enforced server-side: ${c.method} ${c.path}`,
-      why: "If enforcement is only in the CLI/UI, users can call the endpoint directly. That's a free enterprise bypass.",
-      confidence: "med",
-      evidence: [],
-      fixHints: [
-        "Add enforceFeature/enforceLimit in the server handler BEFORE doing work.",
-        "Return 402/403 with a structured error code.",
-        "Make the CLI treat that code as an upgrade prompt."
-      ]
-    });
-  }
-  return findings;
-}
-
-// ============================================================================
-// OWNER MODE BYPASS (INV_NO_OWNER_MODE_BYPASS)
-// ============================================================================
-
-function findOwnerModeBypass(repoRoot) {
-  const findings = [];
-  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
-  });
-
-  const patterns = [
-    /OWNER_MODE/i,
-    /GUARDRAIL_OWNER_MODE/i,
-    /VIBECHECK_OWNER_MODE/i,
-    /process\.env\.[A-Z0-9_]*OWNER[A-Z0-9_]*/i
-  ];
-
-  for (const fileAbs of files) {
-    const code = fs.readFileSync(fileAbs, "utf8");
-    const hit = patterns.some(rx => rx.test(code));
-    if (!hit) continue;
-
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-
-    findings.push({
-      id: `F_OWNER_MODE_BYPASS_${fileRel.replace(/[^a-z0-9]/gi, "_")}`,
-      severity: "BLOCK",
-      category: "Security",
-      title: `Owner mode / env bypass signal detected: ${fileRel}`,
-      why: "This is a production backdoor unless it's cryptographically gated. It cannot ship.",
-      confidence: "high",
-      evidence: [],
-      fixHints: [
-        "Delete owner mode bypass. If you need dev override, require a signed admin token + non-prod environment.",
-        "Add a test that asserts no OWNER_MODE env var grants entitlements."
-      ]
-    });
-  }
-
-  return findings;
-}
-
-module.exports = {
-  findMissingRoutes,
-  findEnvGaps,
-  findFakeSuccess,
-  findGhostAuth,
-  findStripeWebhookViolations,
-  findPaidSurfaceNotEnforced,
-  findOwnerModeBypass
-};