@vibecheckai/cli 3.0.2 → 3.0.3

package/bin/runners/lib/contracts/auth-contract.js

@@ -1,194 +0,0 @@
-/**
- * Auth Contract Builder
- * Builds auth.json contract from truthpack
- */
-
-"use strict";
-
-/**
- * Build auth contract from truthpack
- */
-function buildAuthContract(truthpack) {
-  const contract = {
-    version: "1.0.0",
-    generatedAt: new Date().toISOString(),
-    protectedPatterns: [],
-    publicPatterns: [],
-    roles: [],
-    evidence: []
-  };
-
-  // Extract protected patterns from Next middleware
-  const nextMiddleware = truthpack?.auth?.nextMiddleware || [];
-  const matcherPatterns = truthpack?.auth?.nextMatcherPatterns || [];
-
-  contract.protectedPatterns = [...new Set(matcherPatterns)];
-
-  // Add evidence from middleware files
-  for (const mw of nextMiddleware) {
-    contract.evidence.push({
-      file: mw.file,
-      type: "next_middleware",
-      signals: mw.signalTypes || []
-    });
-  }
-
-  // Extract Fastify auth info
-  const fastify = truthpack?.auth?.fastify || {};
-  if (fastify.hooks?.length) {
-    for (const hook of fastify.hooks) {
-      contract.evidence.push({
-        file: hook.file,
-        type: "fastify_hook",
-        hookType: hook.hookType,
-        line: hook.line
-      });
-    }
-  }
-
-  // Infer roles from truthpack
-  contract.roles = inferRoles(truthpack);
-
-  // Default public patterns
-  contract.publicPatterns = [
-    "/api/health",
-    "/api/status",
-    "/api/public/*",
-    "/_next/*",
-    "/favicon.ico"
-  ];
-
-  return contract;
-}
-
-/**
- * Infer roles from truthpack
- */
-function inferRoles(truthpack) {
-  const roles = [];
-  const routes = truthpack?.routes?.server || [];
-
-  // Check for admin routes
-  const adminRoutes = routes.filter(r => r.path.includes("/admin"));
-  if (adminRoutes.length > 0) {
-    roles.push({
-      name: "admin",
-      routes: adminRoutes.map(r => r.path),
-      evidence: adminRoutes.flatMap(r => r.evidence || [])
-    });
-  }
-
-  // Check for user routes (default authenticated)
-  const userRoutes = routes.filter(r => 
-    !r.path.includes("/admin") && 
-    !r.path.includes("/public") &&
-    !r.path.includes("/health")
-  );
-  if (userRoutes.length > 0) {
-    roles.push({
-      name: "user",
-      routes: userRoutes.map(r => r.path),
-      evidence: []
-    });
-  }
-
-  return roles;
-}
-
-/**
- * Validate auth coverage
- */
-function validateAuthContract(contract, routes, realityResults) {
-  const violations = [];
-
-  // Check that all non-public routes are protected
-  for (const route of routes) {
-    const isPublic = contract.publicPatterns.some(p => matchesPattern(route.path, p));
-    const isProtected = contract.protectedPatterns.some(p => matchesPattern(route.path, p));
-
-    if (!isPublic && !isProtected) {
-      // Check if route looks sensitive
-      if (looksLikeSensitiveRoute(route.path)) {
-        violations.push({
-          type: "unprotected_sensitive",
-          severity: "WARN",
-          route: route.path,
-          message: `Sensitive route ${route.path} not covered by auth patterns`,
-          evidence: route.evidence || []
-        });
-      }
-    }
-  }
-
-  // Check reality results for auth bypass
-  if (realityResults) {
-    for (const result of realityResults) {
-      if (result.type === "AuthCoverage" && result.severity === "BLOCK") {
-        violations.push({
-          type: "auth_bypass",
-          severity: "BLOCK",
-          route: result.page,
-          message: result.title,
-          evidence: []
-        });
-      }
-    }
-  }
-
-  return violations;
-}
-
-function matchesPattern(path, pattern) {
-  const normPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
-  try {
-    const rx = new RegExp(`^${normPattern}`, "i");
-    return rx.test(path);
-  } catch {
-    return false;
-  }
-}
-
-function looksLikeSensitiveRoute(path) {
-  const sensitivePatterns = [
-    /\/api\/users/i,
-    /\/api\/billing/i,
-    /\/api\/payment/i,
-    /\/api\/subscription/i,
-    /\/api\/settings/i,
-    /\/api\/profile/i,
-    /\/api\/account/i,
-    /\/api\/admin/i,
-    /\/api\/webhook/i,
-  ];
-
-  return sensitivePatterns.some(p => p.test(path));
-}
-
-/**
- * Diff two auth contracts
- */
-function diffAuthContracts(before, after) {
-  const diff = {
-    protectedAdded: [],
-    protectedRemoved: [],
-    rolesChanged: []
-  };
-
-  const beforeProtected = new Set(before.protectedPatterns);
-  const afterProtected = new Set(after.protectedPatterns);
-
-  for (const p of afterProtected) {
-    if (!beforeProtected.has(p)) diff.protectedAdded.push(p);
-  }
-  for (const p of beforeProtected) {
-    if (!afterProtected.has(p)) diff.protectedRemoved.push(p);
-  }
-
-  return diff;
-}
-
-module.exports = {
-  buildAuthContract,
-  validateAuthContract,
-  diffAuthContracts
-};

package/bin/runners/lib/contracts/env-contract.js

@@ -1,178 +0,0 @@
-/**
- * Env Contract Builder
- * Builds env.json contract from truthpack
- */
-
-"use strict";
-
-/**
- * Build env contract from truthpack
- */
-function buildEnvContract(truthpack) {
-  const contract = {
-    version: "1.0.0",
-    generatedAt: new Date().toISOString(),
-    vars: []
-  };
-
-  const envVars = truthpack?.env?.vars || [];
-  const declared = new Set(truthpack?.env?.declared || []);
-  const declaredSources = truthpack?.env?.declaredSources || [];
-
-  for (const v of envVars) {
-    const varSpec = {
-      name: v.name,
-      required: inferRequired(v, declared),
-      usedIn: (v.references || []).map(r => r.file).filter(Boolean),
-      declaredIn: declaredSources.filter(s => isDeclaredInSource(v.name, s)),
-      description: inferDescription(v.name),
-      evidence: v.references || []
-    };
-
-    contract.vars.push(varSpec);
-  }
-
-  // Add declared vars that aren't used (might be optional)
-  for (const name of declared) {
-    if (!envVars.find(v => v.name === name)) {
-      contract.vars.push({
-        name,
-        required: false,
-        usedIn: [],
-        declaredIn: declaredSources,
-        description: inferDescription(name),
-        evidence: []
-      });
-    }
-  }
-
-  return contract;
-}
-
-/**
- * Infer if env var is required
- */
-function inferRequired(envVar, declared) {
-  const name = envVar.name;
-  
-  // Common required patterns
-  const requiredPatterns = [
-    /^DATABASE_URL$/i,
-    /^NEXTAUTH_SECRET$/i,
-    /^NEXTAUTH_URL$/i,
-    /^JWT_SECRET$/i,
-    /^API_KEY$/i,
-    /^STRIPE_SECRET_KEY$/i,
-    /^STRIPE_WEBHOOK_SECRET$/i,
-    /^AUTH0_/i,
-    /^CLERK_/i,
-  ];
-
-  for (const pattern of requiredPatterns) {
-    if (pattern.test(name)) return true;
-  }
-
-  // If used but not declared, likely required
-  if (!declared.has(name) && envVar.references?.length > 0) {
-    return true;
-  }
-
-  return false;
-}
-
-function isDeclaredInSource(name, source) {
-  // Simple heuristic - would need to parse files for accurate check
-  return true;
-}
-
-function inferDescription(name) {
-  const descriptions = {
-    DATABASE_URL: "Database connection string",
-    NEXTAUTH_SECRET: "NextAuth.js encryption secret",
-    NEXTAUTH_URL: "NextAuth.js base URL",
-    JWT_SECRET: "JWT signing secret",
-    STRIPE_SECRET_KEY: "Stripe API secret key",
-    STRIPE_PUBLISHABLE_KEY: "Stripe publishable key",
-    STRIPE_WEBHOOK_SECRET: "Stripe webhook signing secret",
-    NODE_ENV: "Node environment (development/production)",
-    PORT: "Server port",
-    HOST: "Server host",
-  };
-
-  return descriptions[name] || undefined;
-}
-
-/**
- * Validate code against env contract
- */
-function validateAgainstEnvContract(contract, usedVars) {
-  const violations = [];
-  const contractVars = new Map(contract.vars.map(v => [v.name, v]));
-
-  for (const used of usedVars) {
-    if (!contractVars.has(used.name)) {
-      violations.push({
-        type: "undeclared_env",
-        severity: "WARN",
-        name: used.name,
-        usedIn: used.references?.map(r => r.file) || [],
-        message: `Env var ${used.name} used but not declared in contract`,
-        evidence: used.references || []
-      });
-    }
-  }
-
-  // Check for required vars that aren't used
-  for (const [name, spec] of contractVars) {
-    if (spec.required && spec.usedIn.length === 0) {
-      violations.push({
-        type: "unused_required",
-        severity: "WARN",
-        name,
-        message: `Required env var ${name} declared but not used`,
-        evidence: []
-      });
-    }
-  }
-
-  return violations;
-}
-
-/**
- * Diff two env contracts
- */
-function diffEnvContracts(before, after) {
-  const diff = {
-    added: [],
-    removed: [],
-    changed: []
-  };
-
-  const beforeMap = new Map(before.vars.map(v => [v.name, v]));
-  const afterMap = new Map(after.vars.map(v => [v.name, v]));
-
-  for (const [name, spec] of afterMap) {
-    if (!beforeMap.has(name)) {
-      diff.added.push(spec);
-    } else {
-      const prev = beforeMap.get(name);
-      if (prev.required !== spec.required) {
-        diff.changed.push({ before: prev, after: spec });
-      }
-    }
-  }
-
-  for (const [name, spec] of beforeMap) {
-    if (!afterMap.has(name)) {
-      diff.removed.push(spec);
-    }
-  }
-
-  return diff;
-}
-
-module.exports = {
-  buildEnvContract,
-  validateAgainstEnvContract,
-  diffEnvContracts
-};

package/bin/runners/lib/contracts/external-contract.js

@@ -1,198 +0,0 @@
-/**
- * External Contract Builder
- * Builds external.json contract from truthpack (Stripe, GitHub, etc.)
- */
-
-"use strict";
-
-/**
- * Build external services contract from truthpack
- */
-function buildExternalContract(truthpack) {
-  const contract = {
-    version: "1.0.0",
-    generatedAt: new Date().toISOString(),
-    services: []
-  };
-
-  // Extract billing/Stripe info
-  const billing = truthpack?.billing || {};
-  if (billing.hasStripe || billing.webhookCandidates?.length) {
-    const stripeService = {
-      name: "stripe",
-      envVars: extractStripeEnvVars(truthpack),
-      usedIn: billing.webhookCandidates?.map(w => w.file) || [],
-      webhooks: billing.webhookCandidates?.map(w => ({
-        path: w.path,
-        verified: w.hasSignatureVerification || false,
-        idempotent: w.hasIdempotency || false
-      })) || [],
-      evidence: billing.webhookCandidates?.flatMap(w => w.evidence || []) || []
-    };
-    contract.services.push(stripeService);
-  }
-
-  // Detect other external services from env vars
-  const envVars = truthpack?.env?.vars || [];
-  
-  // GitHub
-  const githubVars = envVars.filter(v => /github/i.test(v.name));
-  if (githubVars.length) {
-    contract.services.push({
-      name: "github",
-      envVars: githubVars.map(v => v.name),
-      usedIn: githubVars.flatMap(v => v.references?.map(r => r.file) || []),
-      evidence: githubVars.flatMap(v => v.references || [])
-    });
-  }
-
-  // SendGrid
-  const sendgridVars = envVars.filter(v => /sendgrid/i.test(v.name));
-  if (sendgridVars.length) {
-    contract.services.push({
-      name: "sendgrid",
-      envVars: sendgridVars.map(v => v.name),
-      usedIn: sendgridVars.flatMap(v => v.references?.map(r => r.file) || []),
-      evidence: sendgridVars.flatMap(v => v.references || [])
-    });
-  }
-
-  // Twilio
-  const twilioVars = envVars.filter(v => /twilio/i.test(v.name));
-  if (twilioVars.length) {
-    contract.services.push({
-      name: "twilio",
-      envVars: twilioVars.map(v => v.name),
-      usedIn: twilioVars.flatMap(v => v.references?.map(r => r.file) || []),
-      evidence: twilioVars.flatMap(v => v.references || [])
-    });
-  }
-
-  // AWS
-  const awsVars = envVars.filter(v => /^aws/i.test(v.name));
-  if (awsVars.length) {
-    contract.services.push({
-      name: "aws",
-      envVars: awsVars.map(v => v.name),
-      usedIn: awsVars.flatMap(v => v.references?.map(r => r.file) || []),
-      evidence: awsVars.flatMap(v => v.references || [])
-    });
-  }
-
-  // Supabase
-  const supabaseVars = envVars.filter(v => /supabase/i.test(v.name));
-  if (supabaseVars.length) {
-    contract.services.push({
-      name: "supabase",
-      envVars: supabaseVars.map(v => v.name),
-      usedIn: supabaseVars.flatMap(v => v.references?.map(r => r.file) || []),
-      evidence: supabaseVars.flatMap(v => v.references || [])
-    });
-  }
-
-  return contract;
-}
-
-function extractStripeEnvVars(truthpack) {
-  const envVars = truthpack?.env?.vars || [];
-  return envVars
-    .filter(v => /stripe/i.test(v.name))
-    .map(v => v.name);
-}
-
-/**
- * Validate external services contract
- */
-function validateExternalContract(contract) {
-  const violations = [];
-
-  for (const service of contract.services) {
-    // Check Stripe webhook verification
-    if (service.name === "stripe") {
-      for (const webhook of service.webhooks || []) {
-        if (!webhook.verified) {
-          violations.push({
-            type: "unverified_webhook",
-            severity: "BLOCK",
-            service: "stripe",
-            path: webhook.path,
-            message: `Stripe webhook at ${webhook.path} missing signature verification`,
-            evidence: []
-          });
-        }
-        if (!webhook.idempotent) {
-          violations.push({
-            type: "non_idempotent_webhook",
-            severity: "WARN",
-            service: "stripe",
-            path: webhook.path,
-            message: `Stripe webhook at ${webhook.path} may not be idempotent`,
-            evidence: []
-          });
-        }
-      }
-    }
-
-    // Check for missing required env vars
-    const requiredVars = getRequiredVarsForService(service.name);
-    for (const required of requiredVars) {
-      if (!service.envVars.includes(required)) {
-        violations.push({
-          type: "missing_env",
-          severity: "WARN",
-          service: service.name,
-          envVar: required,
-          message: `Service ${service.name} typically requires ${required}`,
-          evidence: []
-        });
-      }
-    }
-  }
-
-  return violations;
-}
-
-function getRequiredVarsForService(name) {
-  const requirements = {
-    stripe: ["STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"],
-    github: ["GITHUB_TOKEN"],
-    sendgrid: ["SENDGRID_API_KEY"],
-    twilio: ["TWILIO_ACCOUNT_SID", "TWILIO_AUTH_TOKEN"],
-    supabase: ["SUPABASE_URL", "SUPABASE_ANON_KEY"]
-  };
-  return requirements[name] || [];
-}
-
-/**
- * Diff two external contracts
- */
-function diffExternalContracts(before, after) {
-  const diff = {
-    added: [],
-    removed: [],
-    changed: []
-  };
-
-  const beforeMap = new Map(before.services.map(s => [s.name, s]));
-  const afterMap = new Map(after.services.map(s => [s.name, s]));
-
-  for (const [name, service] of afterMap) {
-    if (!beforeMap.has(name)) {
-      diff.added.push(service);
-    }
-  }
-
-  for (const [name, service] of beforeMap) {
-    if (!afterMap.has(name)) {
-      diff.removed.push(service);
-    }
-  }
-
-  return diff;
-}
-
-module.exports = {
-  buildExternalContract,
-  validateExternalContract,
-  diffExternalContracts
-};