@vibecheckai/cli 3.0.2 → 3.0.3

package/bin/runners/lib/doctor/modules/security.js

@@ -1,348 +0,0 @@
-/**
- * Security Diagnostics Module
- * 
- * Checks for exposed secrets, gitignore configuration, and security best practices
- */
-
-const fs = require('fs');
-const path = require('path');
-const { SEVERITY, CATEGORY, FIX_TYPE } = require('../types');
-
-const MODULE_ID = 'security';
-
-const SECRET_PATTERNS = [
-  { name: 'Stripe Live Key', pattern: /sk_live_[a-zA-Z0-9]{20,}/, critical: true },
-  { name: 'Stripe Test Key', pattern: /sk_test_[a-zA-Z0-9]{20,}/, critical: false },
-  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/, critical: true },
-  { name: 'GitHub Token', pattern: /ghp_[a-zA-Z0-9]{36}/, critical: true },
-  { name: 'GitHub OAuth', pattern: /gho_[a-zA-Z0-9]{36}/, critical: true },
-  { name: 'Private Key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, critical: true },
-  { name: 'Generic API Key', pattern: /api[_-]?key['"]?\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/, critical: false },
-  { name: 'Generic Secret', pattern: /secret['"]?\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/, critical: false },
-  { name: 'Database URL', pattern: /postgres(ql)?:\/\/[^:]+:[^@]+@/, critical: true },
-  { name: 'MongoDB URL', pattern: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@/, critical: true },
-];
-
-const REQUIRED_GITIGNORE = [
-  { pattern: '.env', name: '.env files' },
-  { pattern: 'node_modules', name: 'node_modules' },
-  { pattern: '.vibecheck', name: '.vibecheck output' },
-];
-
-function createDiagnostics(projectPath) {
-  return [
-    {
-      id: `${MODULE_ID}.env_file`,
-      name: '.env File',
-      category: CATEGORY.SECURITY,
-      parallel: true,
-      check: async () => {
-        const envPath = path.join(projectPath, '.env');
-        const envExamplePath = path.join(projectPath, '.env.example');
-        const envLocalPath = path.join(projectPath, '.env.local');
-        
-        const hasEnv = fs.existsSync(envPath);
-        const hasEnvExample = fs.existsSync(envExamplePath);
-        const hasEnvLocal = fs.existsSync(envLocalPath);
-        
-        const metadata = { hasEnv, hasEnvExample, hasEnvLocal };
-        
-        if (!hasEnv && !hasEnvLocal) {
-          return {
-            severity: SEVERITY.INFO,
-            message: 'No .env file found',
-            detail: 'Create .env for local environment variables',
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.FILE_CREATE,
-              description: 'Create .env from example',
-              path: envPath,
-              content: hasEnvExample 
-                ? fs.readFileSync(envExamplePath, 'utf8')
-                : '# Environment variables\n',
-              autoFixable: true,
-            }],
-          };
-        }
-        
-        if (hasEnv && !hasEnvExample) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: '.env exists but no .env.example',
-            detail: 'Create .env.example for team documentation',
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.COMMAND,
-              description: 'Generate .env.example from .env',
-              command: 'vibecheck ctx --env-template',
-              autoFixable: false,
-            }],
-          };
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: hasEnvExample ? '.env + .env.example' : '.env configured',
-          metadata,
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.gitignore`,
-      name: '.gitignore',
-      category: CATEGORY.SECURITY,
-      parallel: true,
-      check: async () => {
-        const gitignorePath = path.join(projectPath, '.gitignore');
-        
-        if (!fs.existsSync(gitignorePath)) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: 'No .gitignore file',
-            detail: 'Secrets and build artifacts may be committed to git',
-            fixes: [{
-              type: FIX_TYPE.FILE_CREATE,
-              description: 'Create .gitignore with common patterns',
-              path: gitignorePath,
-              content: [
-                '# Dependencies',
-                'node_modules/',
-                '',
-                '# Environment',
-                '.env',
-                '.env.local',
-                '.env.*.local',
-                '',
-                '# Build',
-                'dist/',
-                'build/',
-                '.next/',
-                '',
-                '# vibecheck',
-                '.vibecheck/',
-                '',
-                '# IDE',
-                '.idea/',
-                '.vscode/',
-                '*.swp',
-              ].join('\n'),
-              autoFixable: true,
-            }],
-          };
-        }
-        
-        const content = fs.readFileSync(gitignorePath, 'utf8');
-        const missing = REQUIRED_GITIGNORE.filter(r => !content.includes(r.pattern));
-        
-        const metadata = { 
-          missing: missing.map(m => m.pattern),
-          lines: content.split('\n').length,
-        };
-        
-        if (missing.length > 0) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: `Missing: ${missing.map(m => m.name).join(', ')}`,
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.FILE_EDIT,
-              description: 'Add missing patterns to .gitignore',
-              path: gitignorePath,
-              content: content + '\n\n# Added by vibecheck doctor\n' + 
-                missing.map(m => m.pattern).join('\n') + '\n',
-              autoFixable: true,
-            }],
-          };
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: 'Properly configured',
-          metadata,
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.exposed_secrets`,
-      name: 'Exposed Secrets',
-      category: CATEGORY.SECURITY,
-      parallel: false,
-      check: async () => {
-        const filesToCheck = [
-          'package.json',
-          'src/config.ts',
-          'src/config.js',
-          'config/index.ts',
-          'config/index.js',
-          'next.config.js',
-          'next.config.mjs',
-          '.env.example',
-          'README.md',
-        ];
-        
-        const findings = [];
-        
-        for (const file of filesToCheck) {
-          const filePath = path.join(projectPath, file);
-          if (!fs.existsSync(filePath)) continue;
-          
-          try {
-            const content = fs.readFileSync(filePath, 'utf8');
-            
-            for (const sp of SECRET_PATTERNS) {
-              if (sp.pattern.test(content)) {
-                findings.push({
-                  file,
-                  secret: sp.name,
-                  critical: sp.critical,
-                });
-              }
-            }
-          } catch {
-            // Skip unreadable files
-          }
-        }
-        
-        const metadata = { findings };
-        const criticalFindings = findings.filter(f => f.critical);
-        
-        if (criticalFindings.length > 0) {
-          return {
-            severity: SEVERITY.CRITICAL,
-            message: `${criticalFindings.length} critical secrets exposed`,
-            detail: criticalFindings.map(f => `${f.secret} in ${f.file}`).join(', '),
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.MANUAL,
-              description: 'Move secrets to .env and add to .gitignore',
-              autoFixable: false,
-            }],
-          };
-        }
-        
-        if (findings.length > 0) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: `${findings.length} potential secrets found`,
-            detail: findings.map(f => `${f.secret} in ${f.file}`).join(', '),
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.MANUAL,
-              description: 'Review and move secrets to .env',
-              autoFixable: false,
-            }],
-          };
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: 'No exposed secrets detected',
-          metadata,
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.env_in_git`,
-      name: '.env in Git History',
-      category: CATEGORY.SECURITY,
-      parallel: true,
-      check: async () => {
-        const gitDir = path.join(projectPath, '.git');
-        if (!fs.existsSync(gitDir)) {
-          return {
-            severity: SEVERITY.INFO,
-            message: 'Not a git repository',
-          };
-        }
-        
-        try {
-          const { execSync } = require('child_process');
-          const result = execSync('git log --all --full-history -- .env 2>/dev/null | head -1', {
-            cwd: projectPath,
-            encoding: 'utf8',
-            timeout: 10000,
-          }).trim();
-          
-          if (result) {
-            return {
-              severity: SEVERITY.ERROR,
-              message: '.env found in git history',
-              detail: 'Secrets may be exposed in git commits',
-              fixes: [
-                {
-                  type: FIX_TYPE.LINK,
-                  description: 'Guide: Remove secrets from git history',
-                  url: 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository',
-                },
-                {
-                  type: FIX_TYPE.COMMAND,
-                  description: 'Remove .env from history (dangerous)',
-                  command: 'git filter-branch --force --index-filter "git rm --cached --ignore-unmatch .env" --prune-empty --tag-name-filter cat -- --all',
-                  dangerous: true,
-                  autoFixable: false,
-                },
-              ],
-            };
-          }
-          
-          return {
-            severity: SEVERITY.PASS,
-            message: 'No .env in git history',
-          };
-        } catch {
-          return {
-            severity: SEVERITY.INFO,
-            message: 'Could not check git history',
-          };
-        }
-      },
-    },
-    {
-      id: `${MODULE_ID}.npmrc`,
-      name: '.npmrc Security',
-      category: CATEGORY.SECURITY,
-      parallel: true,
-      check: async () => {
-        const npmrcPath = path.join(projectPath, '.npmrc');
-        
-        if (!fs.existsSync(npmrcPath)) {
-          return {
-            severity: SEVERITY.INFO,
-            message: 'No .npmrc file',
-          };
-        }
-        
-        const content = fs.readFileSync(npmrcPath, 'utf8');
-        const hasToken = content.includes('_authToken') || content.includes('//registry');
-        
-        if (hasToken) {
-          const gitignorePath = path.join(projectPath, '.gitignore');
-          const gitignoreContent = fs.existsSync(gitignorePath) 
-            ? fs.readFileSync(gitignorePath, 'utf8') 
-            : '';
-          
-          if (!gitignoreContent.includes('.npmrc')) {
-            return {
-              severity: SEVERITY.WARNING,
-              message: '.npmrc contains tokens but not in .gitignore',
-              fixes: [{
-                type: FIX_TYPE.FILE_EDIT,
-                description: 'Add .npmrc to .gitignore',
-                path: gitignorePath,
-                content: gitignoreContent + '\n.npmrc\n',
-                autoFixable: true,
-              }],
-            };
-          }
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: hasToken ? 'Contains tokens (gitignored)' : 'No sensitive data',
-        };
-      },
-    },
-  ];
-}
-
-module.exports = { MODULE_ID, createDiagnostics, SECRET_PATTERNS };

package/bin/runners/lib/doctor/modules/system.js

@@ -1,213 +0,0 @@
-/**
- * System Diagnostics Module
- * 
- * Checks OS, memory, disk, CPU, and system resources
- */
-
-const os = require('os');
-const fs = require('fs');
-const path = require('path');
-const { SEVERITY, CATEGORY, FIX_TYPE } = require('../types');
-
-const MODULE_ID = 'system';
-
-function createDiagnostics(projectPath) {
-  return [
-    {
-      id: `${MODULE_ID}.os`,
-      name: 'Operating System',
-      category: CATEGORY.SYSTEM,
-      parallel: true,
-      check: async () => {
-        const platform = os.platform();
-        const release = os.release();
-        const arch = os.arch();
-        
-        const platformNames = {
-          win32: 'Windows',
-          darwin: 'macOS',
-          linux: 'Linux',
-          freebsd: 'FreeBSD',
-        };
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: `${platformNames[platform] || platform} ${release} (${arch})`,
-          metadata: { platform, release, arch },
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.memory`,
-      name: 'System Memory',
-      category: CATEGORY.SYSTEM,
-      parallel: true,
-      check: async () => {
-        const totalBytes = os.totalmem();
-        const freeBytes = os.freemem();
-        const totalGB = (totalBytes / 1024 / 1024 / 1024).toFixed(1);
-        const freeGB = (freeBytes / 1024 / 1024 / 1024).toFixed(1);
-        const usedPercent = Math.round((1 - freeBytes / totalBytes) * 100);
-        
-        const metadata = { totalBytes, freeBytes, totalGB, freeGB, usedPercent };
-        
-        if (freeBytes < 256 * 1024 * 1024) { // < 256MB
-          return {
-            severity: SEVERITY.ERROR,
-            message: `Critically low memory: ${freeGB}GB free`,
-            detail: 'vibecheck may fail or be extremely slow',
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.MANUAL,
-              description: 'Close other applications to free memory',
-              autoFixable: false,
-            }],
-          };
-        }
-        
-        if (freeBytes < 512 * 1024 * 1024) { // < 512MB
-          return {
-            severity: SEVERITY.WARNING,
-            message: `Low memory: ${freeGB}GB free of ${totalGB}GB`,
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.MANUAL,
-              description: 'Close other applications to free memory',
-              autoFixable: false,
-            }],
-          };
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: `${freeGB}GB free of ${totalGB}GB (${usedPercent}% used)`,
-          metadata,
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.cpu`,
-      name: 'CPU Information',
-      category: CATEGORY.SYSTEM,
-      parallel: true,
-      check: async () => {
-        const cpus = os.cpus();
-        const cores = cpus.length;
-        const model = cpus[0]?.model || 'Unknown';
-        const loadAvg = os.loadavg();
-        
-        const metadata = { cores, model, loadAvg };
-        
-        // High load warning (load > cores * 2)
-        if (loadAvg[0] > cores * 2) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: `High CPU load: ${loadAvg[0].toFixed(1)} (${cores} cores)`,
-            detail: 'System is under heavy load',
-            metadata,
-          };
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: `${cores} cores, load: ${loadAvg[0].toFixed(2)}`,
-          metadata,
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.disk_write`,
-      name: 'Disk Write Access',
-      category: CATEGORY.SYSTEM,
-      parallel: false,
-      check: async () => {
-        const testDir = path.join(projectPath, '.vibecheck');
-        const testFile = path.join(testDir, '.doctor-test');
-        
-        try {
-          // Ensure directory exists
-          if (!fs.existsSync(testDir)) {
-            fs.mkdirSync(testDir, { recursive: true });
-          }
-          
-          // Test write
-          fs.writeFileSync(testFile, `test-${Date.now()}`);
-          fs.unlinkSync(testFile);
-          
-          return {
-            severity: SEVERITY.PASS,
-            message: 'Write access OK',
-          };
-        } catch (err) {
-          return {
-            severity: SEVERITY.ERROR,
-            message: 'Cannot write to project directory',
-            detail: err.message,
-            fixes: [
-              {
-                type: FIX_TYPE.COMMAND,
-                description: 'Fix directory permissions',
-                command: process.platform === 'win32' 
-                  ? `icacls "${projectPath}" /grant "%USERNAME%":F /T`
-                  : `chmod -R u+w "${projectPath}"`,
-                dangerous: true,
-                autoFixable: false,
-              },
-            ],
-          };
-        }
-      },
-    },
-    {
-      id: `${MODULE_ID}.temp_dir`,
-      name: 'Temp Directory',
-      category: CATEGORY.SYSTEM,
-      parallel: true,
-      check: async () => {
-        const tmpDir = os.tmpdir();
-        
-        try {
-          const testFile = path.join(tmpDir, `.vibecheck-test-${Date.now()}`);
-          fs.writeFileSync(testFile, 'test');
-          fs.unlinkSync(testFile);
-          
-          return {
-            severity: SEVERITY.PASS,
-            message: `Writable: ${tmpDir}`,
-            metadata: { tmpDir },
-          };
-        } catch (err) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: `Temp directory not writable: ${tmpDir}`,
-            detail: err.message,
-            metadata: { tmpDir },
-          };
-        }
-      },
-    },
-    {
-      id: `${MODULE_ID}.shell`,
-      name: 'Shell Environment',
-      category: CATEGORY.SYSTEM,
-      parallel: true,
-      check: async () => {
-        const shell = process.env.SHELL || process.env.ComSpec || 'unknown';
-        const term = process.env.TERM || process.env.WT_SESSION ? 'modern' : 'basic';
-        const colorSupport = process.stdout.isTTY && (
-          process.env.COLORTERM === 'truecolor' ||
-          process.env.TERM_PROGRAM === 'vscode' ||
-          process.env.WT_SESSION
-        );
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: `${path.basename(shell)} (${colorSupport ? 'color' : 'no-color'})`,
-          metadata: { shell, term, colorSupport },
-        };
-      },
-    },
-  ];
-}
-
-module.exports = { MODULE_ID, createDiagnostics };