@vibecheckai/cli 3.0.2 → 3.0.3

package/bin/runners/lib/audit-bridge.js

@@ -1,391 +0,0 @@
-/**
- * Audit Bridge - CLI Integration
- * 
- * Provides a CommonJS wrapper for the audit trail functionality.
- * Used by CLI runners to emit audit events.
- */
-
-"use strict";
-
-const path = require("path");
-const fs = require("fs");
-const crypto = require("crypto");
-
-// Configuration
-const AUDIT_DIR = ".vibecheck/audit";
-const AUDIT_FILE = "audit.log.jsonl";
-const GENESIS_HASH = "0".repeat(64);
-
-// Tier from environment or default
-function getCurrentTier() {
-  return process.env.VIBECHECK_TIER || "free";
-}
-
-// Get current actor from environment
-function getCurrentActor() {
-  const userId = process.env.VIBECHECK_USER_ID || process.env.USER || process.env.USERNAME || "anonymous";
-  const userName = process.env.VIBECHECK_USER_NAME || process.env.USERNAME;
-  const userEmail = process.env.VIBECHECK_USER_EMAIL;
-  
-  // Detect CI environment
-  if (process.env.CI || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI) {
-    return {
-      id: process.env.GITHUB_ACTOR || process.env.GITLAB_USER_LOGIN || "ci-system",
-      type: "ci",
-      name: process.env.GITHUB_ACTOR || process.env.GITLAB_USER_NAME,
-    };
-  }
-  
-  return {
-    id: userId,
-    type: "user",
-    name: userName,
-    email: userEmail,
-  };
-}
-
-// Redaction patterns for sensitive data
-const REDACTION_PATTERNS = [
-  /(?:api[_-]?key|apikey|token|secret|password|pwd|auth)[=:]\s*['"]?([a-zA-Z0-9_\-]{16,})['"]?/gi,
-  /eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g,
-  /(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}/g,
-  /(?:sk_live_|sk_test_|pk_live_|pk_test_)[a-zA-Z0-9]+/g,
-];
-
-function redactSensitive(input) {
-  if (typeof input !== "string") return input;
-  let result = input;
-  for (const pattern of REDACTION_PATTERNS) {
-    result = result.replace(pattern, "[REDACTED]");
-  }
-  return result;
-}
-
-function redactMetadata(metadata, tier) {
-  if (!metadata) return undefined;
-  
-  // Compliance+ gets full metadata (still redact secrets)
-  if (["compliance", "enterprise", "unlimited"].includes(tier)) {
-    return redactObject(metadata);
-  }
-  
-  // Pro gets limited metadata
-  if (tier === "pro") {
-    return {
-      command: metadata.command,
-      score: metadata.score,
-      grade: metadata.grade,
-      issueCount: metadata.issueCount,
-      fixCount: metadata.fixCount,
-      durationMs: metadata.durationMs,
-      errorCode: metadata.errorCode,
-    };
-  }
-  
-  // Free/Starter get minimal
-  return {
-    score: metadata.score,
-    grade: metadata.grade,
-  };
-}
-
-function redactObject(obj) {
-  if (!obj || typeof obj !== "object") return obj;
-  const result = {};
-  for (const [key, value] of Object.entries(obj)) {
-    if (typeof value === "string") {
-      result[key] = redactSensitive(value);
-    } else if (Array.isArray(value)) {
-      result[key] = value.map((v) => (typeof v === "string" ? redactSensitive(v) : v));
-    } else if (typeof value === "object" && value !== null) {
-      result[key] = redactObject(value);
-    } else {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-
-// Compute SHA-256 hash
-function computeHash(event) {
-  const payload = JSON.stringify({
-    id: event.id,
-    timestamp: event.timestamp,
-    actor: event.actor,
-    surface: event.surface,
-    action: event.action,
-    category: event.category,
-    target: event.target,
-    tier: event.tier,
-    result: event.result,
-    metadata: event.metadata,
-    prevHash: event.prevHash,
-    version: event.version,
-  });
-  return crypto.createHash("sha256").update(payload).digest("hex");
-}
-
-// Get audit file path
-function getAuditFilePath(basePath = process.cwd()) {
-  return path.join(basePath, AUDIT_DIR, AUDIT_FILE);
-}
-
-// Ensure audit directory exists
-function ensureAuditDir(basePath = process.cwd()) {
-  const dir = path.join(basePath, AUDIT_DIR);
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
-  }
-}
-
-// Get last hash from audit log
-function getLastHash(basePath = process.cwd()) {
-  const filePath = getAuditFilePath(basePath);
-  if (!fs.existsSync(filePath)) {
-    return GENESIS_HASH;
-  }
-  
-  const content = fs.readFileSync(filePath, "utf8");
-  const lines = content.split("\n").filter((line) => line.trim());
-  if (lines.length === 0) {
-    return GENESIS_HASH;
-  }
-  
-  try {
-    const lastEvent = JSON.parse(lines[lines.length - 1]);
-    return lastEvent.hash || GENESIS_HASH;
-  } catch {
-    return GENESIS_HASH;
-  }
-}
-
-// Create audit event
-function createEvent(input, prevHash) {
-  const tier = getCurrentTier();
-  const id = crypto.randomUUID();
-  const timestamp = new Date().toISOString();
-  
-  const eventWithoutHash = {
-    id,
-    timestamp,
-    actor: input.actor || getCurrentActor(),
-    surface: input.surface,
-    action: input.action,
-    category: input.category,
-    target: input.target,
-    tier,
-    result: input.result,
-    metadata: redactMetadata(input.metadata, tier),
-    prevHash,
-    version: 1,
-  };
-  
-  const hash = computeHash(eventWithoutHash);
-  
-  return {
-    ...eventWithoutHash,
-    hash,
-  };
-}
-
-// Emit audit event
-function emit(input, basePath = process.cwd()) {
-  try {
-    ensureAuditDir(basePath);
-    const prevHash = getLastHash(basePath);
-    const event = createEvent(input, prevHash);
-    
-    const filePath = getAuditFilePath(basePath);
-    fs.appendFileSync(filePath, JSON.stringify(event) + "\n", "utf8");
-    
-    return event;
-  } catch (err) {
-    // Silently fail - audit should not break main functionality
-    if (process.env.VIBECHECK_DEBUG) {
-      console.error("[audit] Failed to emit event:", err.message);
-    }
-    return null;
-  }
-}
-
-// Pre-defined actions
-const AuditActions = {
-  SCAN_START: "scan.start",
-  SCAN_COMPLETE: "scan.complete",
-  SCAN_ERROR: "scan.error",
-  SHIP_CHECK: "ship.check",
-  SHIP_APPROVE: "ship.approve",
-  SHIP_REJECT: "ship.reject",
-  REALITY_START: "reality.start",
-  REALITY_COMPLETE: "reality.complete",
-  REALITY_ERROR: "reality.error",
-  AUTOPILOT_ENABLE: "autopilot.enable",
-  AUTOPILOT_DISABLE: "autopilot.disable",
-  AUTOPILOT_RUN: "autopilot.run",
-  AUTOPILOT_REPORT: "autopilot.report",
-  FIX_PLAN: "fix.plan",
-  FIX_APPLY: "fix.apply",
-  FIX_REVERT: "fix.revert",
-  GATE_CHECK: "gate.check",
-  GATE_PASS: "gate.pass",
-  GATE_FAIL: "gate.fail",
-  AUTH_LOGIN: "auth.login",
-  AUTH_LOGOUT: "auth.logout",
-  TOOL_INVOKE: "tool.invoke",
-  TOOL_COMPLETE: "tool.complete",
-  TOOL_ERROR: "tool.error",
-};
-
-// Convenience emitters
-function emitScanStart(projectPath, args) {
-  return emit({
-    surface: "cli",
-    action: AuditActions.SCAN_START,
-    category: "scan",
-    target: { type: "project", path: projectPath },
-    result: "success",
-    metadata: { command: "scan", args, projectPath },
-  });
-}
-
-function emitScanComplete(projectPath, result, metadata) {
-  return emit({
-    surface: "cli",
-    action: AuditActions.SCAN_COMPLETE,
-    category: "scan",
-    target: { type: "project", path: projectPath },
-    result,
-    metadata: { command: "scan", projectPath, ...metadata },
-  });
-}
-
-function emitShipCheck(projectPath, result, metadata) {
-  return emit({
-    surface: "cli",
-    action: AuditActions.SHIP_CHECK,
-    category: "ship",
-    target: { type: "project", path: projectPath },
-    result,
-    metadata: { command: "ship", projectPath, ...metadata },
-  });
-}
-
-function emitRealityStart(url, flows) {
-  return emit({
-    surface: "cli",
-    action: AuditActions.REALITY_START,
-    category: "reality",
-    target: { type: "url", path: url },
-    result: "success",
-    metadata: { command: "reality", url, flows },
-  });
-}
-
-function emitRealityComplete(url, result, metadata) {
-  return emit({
-    surface: "cli",
-    action: AuditActions.REALITY_COMPLETE,
-    category: "reality",
-    target: { type: "url", path: url },
-    result,
-    metadata: { command: "reality", ...metadata },
-  });
-}
-
-function emitAutopilotAction(action, projectPath, result, metadata) {
-  const actionMap = {
-    enable: AuditActions.AUTOPILOT_ENABLE,
-    disable: AuditActions.AUTOPILOT_DISABLE,
-    run: AuditActions.AUTOPILOT_RUN,
-    report: AuditActions.AUTOPILOT_REPORT,
-  };
-  
-  return emit({
-    surface: "cli",
-    action: actionMap[action] || action,
-    category: "autopilot",
-    target: { type: "project", path: projectPath },
-    result,
-    metadata: { command: "autopilot", projectPath, ...metadata },
-  });
-}
-
-function emitFixPlan(projectPath, result, metadata) {
-  return emit({
-    surface: "cli",
-    action: AuditActions.FIX_PLAN,
-    category: "fix",
-    target: { type: "project", path: projectPath },
-    result,
-    metadata: { command: "fix", projectPath, ...metadata },
-  });
-}
-
-function emitFixApply(projectPath, result, metadata) {
-  return emit({
-    surface: "cli",
-    action: AuditActions.FIX_APPLY,
-    category: "fix",
-    target: { type: "project", path: projectPath },
-    result,
-    metadata: { command: "fix", projectPath, ...metadata },
-  });
-}
-
-function emitGateCheck(projectPath, passed, metadata) {
-  return emit({
-    surface: "cli",
-    action: passed ? AuditActions.GATE_PASS : AuditActions.GATE_FAIL,
-    category: "gate",
-    target: { type: "project", path: projectPath },
-    result: passed ? "success" : "failure",
-    metadata: { command: "gate", projectPath, ...metadata },
-  });
-}
-
-function emitToolInvoke(surface, toolName, args, result, metadata) {
-  return emit({
-    surface,
-    action: AuditActions.TOOL_INVOKE,
-    category: "tool",
-    target: { type: "tool", name: toolName },
-    result,
-    metadata: { command: toolName, args, ...metadata },
-  });
-}
-
-function emitAuth(action, result, metadata) {
-  const actionMap = {
-    login: AuditActions.AUTH_LOGIN,
-    logout: AuditActions.AUTH_LOGOUT,
-  };
-  
-  return emit({
-    surface: "cli",
-    action: actionMap[action] || action,
-    category: "auth",
-    target: { type: "auth" },
-    result,
-    metadata,
-  });
-}
-
-// Export the audit bridge
-module.exports = {
-  emit,
-  AuditActions,
-  emitScanStart,
-  emitScanComplete,
-  emitShipCheck,
-  emitRealityStart,
-  emitRealityComplete,
-  emitAutopilotAction,
-  emitFixPlan,
-  emitFixApply,
-  emitGateCheck,
-  emitToolInvoke,
-  emitAuth,
-  getCurrentTier,
-  getCurrentActor,
-  getAuditFilePath,
-};

package/bin/runners/lib/auth-truth.js

@@ -1,193 +0,0 @@
-// bin/runners/lib/auth-truth.js
-// Auth Truth v1 - Detects auth/protection patterns in Next + Fastify codebases
-const fg = require("fast-glob");
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
-}
-
-function safeRead(fileAbs) {
-  return fs.readFileSync(fileAbs, "utf8");
-}
-
-function evidenceFromLine({ fileAbs, repoRoot, lineNo, reason }) {
-  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-  const lines = safeRead(fileAbs).split(/\r?\n/);
-  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
-  const snippet = lines[idx] || "";
-  return {
-    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-    file: fileRel,
-    lines: `${lineNo}-${lineNo}`,
-    snippetHash: sha256(snippet),
-    reason
-  };
-}
-
-function findLineMatches(code, regex) {
-  const out = [];
-  const lines = code.split(/\r?\n/);
-  for (let i = 0; i < lines.length; i++) {
-    if (regex.test(lines[i])) out.push(i + 1);
-  }
-  return out;
-}
-
-function guessAuthSignalsFromCode(code) {
-  const signals = [];
-
-  const patterns = [
-    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
-    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
-    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
-    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
-    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
-    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
-    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
-    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
-    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
-  ];
-
-  for (const p of patterns) {
-    if (p.rx.test(code)) signals.push(p.key);
-  }
-  return Array.from(new Set(signals));
-}
-
-async function resolveNextMiddleware(repoRoot) {
-  const candidates = await fg(
-    ["middleware.@(ts|js)", "src/middleware.@(ts|js)"],
-    { cwd: repoRoot, absolute: true, onlyFiles: true }
-  );
-
-  const middlewares = [];
-
-  for (const fileAbs of candidates) {
-    const code = safeRead(fileAbs);
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-
-    const matcherLines = findLineMatches(code, /\bmatcher\b/);
-    const redirectLines = findLineMatches(code, /\bNextResponse\.(redirect|rewrite)\b/);
-
-    const evidence = [];
-    for (const ln of matcherLines.slice(0, 5)) {
-      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware matcher config" }));
-    }
-    for (const ln of redirectLines.slice(0, 5)) {
-      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware redirect/rewrite" }));
-    }
-
-    const matcher = [];
-    const matcherBlock = code.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
-    if (matcherBlock && matcherBlock[1]) {
-      const raw = matcherBlock[1];
-      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
-      matcher.push(...strings);
-    }
-
-    middlewares.push({
-      file: fileRel,
-      matcher,
-      signals: guessAuthSignalsFromCode(code),
-      evidence
-    });
-  }
-
-  return middlewares;
-}
-
-async function resolveFastifyAuthSignals(repoRoot, truthpackRoutes) {
-  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
-  const signals = [];
-  const evidence = [];
-
-  for (const fileRel of handlerFiles) {
-    const fileAbs = path.join(repoRoot, fileRel);
-    if (!fs.existsSync(fileAbs)) continue;
-
-    const code = safeRead(fileAbs);
-    const sigs = guessAuthSignalsFromCode(code);
-    if (!sigs.length) continue;
-
-    for (const s of sigs) signals.push({ type: s, file: fileRel });
-
-    const authLinePatterns = [
-      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
-      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
-      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
-      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
-    ];
-
-    const lines = code.split(/\r?\n/);
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      for (const p of authLinePatterns) {
-        if (p.rx.test(line)) {
-          evidence.push({
-            id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-            file: fileRel,
-            lines: `${i + 1}-${i + 1}`,
-            snippetHash: sha256(line),
-            reason: p.reason
-          });
-        }
-      }
-      if (evidence.length > 30) break;
-    }
-  }
-
-  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
-
-  return {
-    signalTypes: uniqueTypes,
-    signals,
-    evidence
-  };
-}
-
-function matcherCoversPath(matcherList, p) {
-  if (!Array.isArray(matcherList) || !matcherList.length) return false;
-  const pathStr = p.startsWith("/") ? p : `/${p}`;
-
-  return matcherList.some(m => {
-    if (!m) return false;
-
-    if (m.includes(":path*")) {
-      const prefix = m.split(":path*")[0].replace(/\/$/, "");
-      return pathStr.startsWith(prefix || "/");
-    }
-    if (m.includes("(.*)")) {
-      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
-      return pathStr.startsWith(prefix || "/");
-    }
-
-    if (m === pathStr) return true;
-    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
-
-    return false;
-  });
-}
-
-async function buildAuthTruth(repoRoot, routesServer) {
-  const middlewares = await resolveNextMiddleware(repoRoot);
-  const matchers = middlewares.flatMap(mw => mw.matcher || []);
-  const fastify = await resolveFastifyAuthSignals(repoRoot, routesServer);
-
-  return {
-    nextMiddleware: middlewares,
-    nextMatcherPatterns: matchers,
-    fastify,
-    helpers: {
-      matcherCoversPath: "runtime-only"
-    }
-  };
-}
-
-module.exports = {
-  buildAuthTruth,
-  matcherCoversPath,
-  guessAuthSignalsFromCode
-};