@vibecheckai/cli 3.0.3 → 3.0.4

package/bin/runners/lib/auth.js

@@ -0,0 +1,215 @@
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+// Config paths
+function getConfigPath() {
+  const home = os.homedir();
+  if (process.platform === "win32") {
+    return path.join(
+      process.env.APPDATA || path.join(home, "AppData", "Roaming"),
+      "vibecheck",
+      "config.json",
+    );
+  }
+  return path.join(home, ".config", "vibecheck", "config.json");
+}
+
+function ensureConfigDir(configPath) {
+  const dir = path.dirname(configPath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+}
+
+// 1. Get API Key
+function getApiKey() {
+  // 1. Env var (CI/Production)
+  if (process.env.VIBECHECK_API_KEY) {
+    return { key: process.env.VIBECHECK_API_KEY, source: "env" };
+  }
+
+  // 2. User config
+  try {
+    const configPath = getConfigPath();
+    if (fs.existsSync(configPath)) {
+      const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+      if (config.apiKey) {
+        return { key: config.apiKey, source: "user" };
+      }
+    }
+  } catch (err) {
+    // ignore config errors
+  }
+
+  return { key: null, source: null };
+}
+
+// 2. Save API Key
+function saveApiKey(apiKey) {
+  const configPath = getConfigPath();
+  ensureConfigDir(configPath);
+
+  let config = {};
+  try {
+    if (fs.existsSync(configPath)) {
+      config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+    }
+  } catch (err) {
+    // ignore, start fresh
+  }
+
+  config.apiKey = apiKey;
+  // Also save a basic user structure if needed, but for now just key
+
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2), {
+    mode: 0o600,
+  });
+}
+
+// 3. Delete API Key
+function deleteApiKey() {
+  const configPath = getConfigPath();
+  try {
+    if (fs.existsSync(configPath)) {
+      const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+      delete config.apiKey;
+      fs.writeFileSync(configPath, JSON.stringify(config, null, 2), {
+        mode: 0o600,
+      });
+    }
+  } catch (err) {
+    // ignore
+  }
+}
+
+// 4. Get Entitlements (Mocked for now, but ready for API)
+// In real world: fetch from GET /v1/auth/whoami
+async function getEntitlements(apiKey) {
+  if (!apiKey) return null;
+
+  // Check cache first
+  const configPath = getConfigPath();
+  const cachePath = path.join(
+    path.dirname(configPath),
+    "entitlements-cache.json",
+  );
+
+  try {
+    if (fs.existsSync(cachePath)) {
+      const cache = JSON.parse(fs.readFileSync(cachePath, "utf8"));
+      // Check if same key and fresh (10 mins)
+      if (
+        cache.keyHash === Buffer.from(apiKey).toString("base64") &&
+        Date.now() - cache.timestamp < 10 * 60 * 1000
+      ) {
+        return cache.data;
+      }
+    }
+  } catch (err) {
+    // ignore cache errors
+  }
+
+  // Simulate API delay
+  // await new Promise(r => setTimeout(r, 100));
+
+  // Call the real API endpoint
+  let res;
+  try {
+    // Try production API first, then fallback to localhost for development
+    const apiUrl =
+      process.env.VIBECHECK_API_URL || "https://api.vibecheckai.dev";
+    const urls = [apiUrl, "http://localhost:3000"];
+
+    for (const url of urls) {
+      try {
+        res = await fetch(`${url}/v1/auth/whoami`, {
+          headers: {
+            Authorization: `Bearer ${apiKey}`,
+          },
+          signal: AbortSignal.timeout(5000), // 5 second timeout
+        });
+        if (res.ok) break;
+      } catch (e) {
+        // Try next URL
+        continue;
+      }
+    }
+
+    if (!res || !res.ok) {
+      throw new Error("API unavailable");
+    }
+  } catch (error) {
+    // SECURITY: Do not fallback to mock entitlements
+    // If API is unavailable, fail gracefully with clear error message
+    throw new Error(
+      "Cannot connect to vibecheck API. API connection required for this feature. " +
+      "Please check your network connection and ensure VIBECHECK_API_URL is set correctly."
+    );
+  }
+
+  if (!res.ok) {
+    throw new Error(`API returned ${res.status}: ${res.statusText}`);
+  }
+
+  const result = await res.json();
+
+  // Write to cache
+  try {
+    ensureConfigDir(cachePath);
+    fs.writeFileSync(
+      cachePath,
+      JSON.stringify(
+        {
+          keyHash: Buffer.from(apiKey).toString("base64"),
+          timestamp: Date.now(),
+          data: result,
+        },
+        null,
+        2,
+      ),
+    );
+  } catch (err) {
+    // ignore cache write errors
+  }
+
+  return result;
+}
+
+// 5. Check Entitlement
+async function checkEntitlement(requiredScope) {
+  const { key } = getApiKey();
+  if (!key) {
+    return {
+      allowed: false,
+      reason:
+        'No API key found. Run "vibecheck login" or set VIBECHECK_API_KEY.',
+    };
+  }
+
+  const entitlements = await getEntitlements(key);
+  if (!entitlements) {
+    return { allowed: false, reason: "Invalid API key." };
+  }
+
+  if (
+    entitlements.scopes.includes(requiredScope) ||
+    entitlements.scopes.includes("*")
+  ) {
+    return { allowed: true, plan: entitlements.plan };
+  }
+
+  return {
+    allowed: false,
+    reason: `Plan '${entitlements.plan}' does not support this feature. Required scope: ${requiredScope}`,
+  };
+}
+
+module.exports = {
+  getApiKey,
+  saveApiKey,
+  deleteApiKey,
+  getEntitlements,
+  checkEntitlement,
+  getConfigPath,
+};

package/bin/runners/lib/backup.js

@@ -0,0 +1,62 @@
+// bin/runners/lib/backup.js
+const fs = require("fs");
+const path = require("path");
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function backupFiles(repoRoot, fileRelPaths, backupRoot) {
+  ensureDir(backupRoot);
+
+  const saved = [];
+  for (const rel of fileRelPaths) {
+    const abs = path.join(repoRoot, rel);
+    if (!fs.existsSync(abs)) {
+      saved.push({ rel, existed: false });
+      continue;
+    }
+
+    const dest = path.join(backupRoot, rel);
+    ensureDir(path.dirname(dest));
+    fs.copyFileSync(abs, dest);
+    saved.push({ rel, existed: true });
+  }
+
+  fs.writeFileSync(
+    path.join(backupRoot, "_manifest.json"),
+    JSON.stringify({ saved }, null, 2),
+    "utf8"
+  );
+
+  return saved;
+}
+
+function restoreBackup(repoRoot, backupRoot) {
+  const manifestPath = path.join(backupRoot, "_manifest.json");
+  if (!fs.existsSync(manifestPath)) {
+    return { ok: false, error: "backup manifest missing" };
+  }
+
+  const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+  const saved = manifest.saved || [];
+
+  for (const s of saved) {
+    const abs = path.join(repoRoot, s.rel);
+    const bak = path.join(backupRoot, s.rel);
+
+    if (!s.existed) {
+      if (fs.existsSync(abs)) fs.rmSync(abs, { force: true });
+      continue;
+    }
+
+    if (fs.existsSync(bak)) {
+      ensureDir(path.dirname(abs));
+      fs.copyFileSync(bak, abs);
+    }
+  }
+
+  return { ok: true };
+}
+
+module.exports = { backupFiles, restoreBackup };

package/bin/runners/lib/billing.js

@@ -0,0 +1,107 @@
+// bin/runners/lib/billing.js
+const fg = require("fast-glob");
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function safeRead(fileAbs) {
+  return fs.readFileSync(fileAbs, "utf8");
+}
+
+function evidenceFromLine({ fileAbs, repoRoot, lineNo, reason }) {
+  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+  const lines = safeRead(fileAbs).split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+
+function classifyStripeSignals(code) {
+  const signals = {
+    usesStripeSdk: /\bstripe\b/i.test(code) && /from\s+['"]stripe['"]|require\(['"]stripe['"]\)/.test(code),
+    webhookConstructEvent: /\bconstructEvent(Async)?\b/.test(code) || /\bstripe\.webhooks\.constructEvent\b/.test(code),
+    readsStripeSignatureHeader: /stripe-signature/i.test(code) || /\bStripe-Signature\b/.test(code),
+    rawBodySignal:
+      /\bbodyParser\s*:\s*false\b/.test(code) ||
+      /\breq\.(text|arrayBuffer)\(\)/.test(code) ||
+      /\brawBody\b/.test(code) || /\brequest\.raw\b/.test(code) || /\bcontentTypeParser\b/i.test(code),
+    idempotencySignal:
+      /\bevent\.id\b/.test(code) && /\b(prisma|db|redis|cache|processed|dedupe|idempotent)\b/i.test(code) ||
+      /\bidempotenc(y|e)\b/i.test(code)
+  };
+
+  return signals;
+}
+
+async function buildBillingTruth(repoRoot) {
+  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+  });
+
+  const webhookCandidates = [];
+  const stripeFiles = [];
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = safeRead(fileAbs);
+
+    const signals = classifyStripeSignals(code);
+
+    if (signals.usesStripeSdk) stripeFiles.push(fileRel);
+
+    if (signals.webhookConstructEvent || signals.readsStripeSignatureHeader) {
+      const ev = [];
+      const lines1 = findLineMatches(code, /\bconstructEvent(Async)?\b|stripe\.webhooks\.constructEvent/);
+      const lines2 = findLineMatches(code, /stripe-signature|Stripe-Signature/i);
+      const lines3 = findLineMatches(code, /bodyParser\s*:\s*false|req\.(text|arrayBuffer)\(|rawBody|contentTypeParser/i);
+      const lines4 = findLineMatches(code, /event\.id|idempotenc(y|e)|dedupe|processed/i);
+
+      for (const ln of lines1.slice(0, 3)) ev.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Stripe webhook signature constructEvent signal" }));
+      for (const ln of lines2.slice(0, 3)) ev.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Stripe-Signature header usage signal" }));
+      for (const ln of lines3.slice(0, 3)) ev.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Raw body handling signal (required for Stripe verification)" }));
+      for (const ln of lines4.slice(0, 3)) ev.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Idempotency/dedupe signal (event replay protection)" }));
+
+      webhookCandidates.push({
+        file: fileRel,
+        signals,
+        evidence: ev
+      });
+    }
+  }
+
+  const hasStripe = stripeFiles.length > 0;
+
+  return {
+    hasStripe,
+    stripeFiles: stripeFiles.slice(0, 200),
+    webhookCandidates,
+    summary: {
+      webhookHandlersFound: webhookCandidates.length,
+      verifiedWebhookHandlers: webhookCandidates.filter(w => w.signals.webhookConstructEvent && w.signals.rawBodySignal).length,
+      idempotentWebhookHandlers: webhookCandidates.filter(w => w.signals.idempotencySignal).length
+    }
+  };
+}
+
+module.exports = { buildBillingTruth };

package/bin/runners/lib/claims.js

@@ -0,0 +1,118 @@
+// bin/runners/lib/claims.js
+const { canonicalizeMethod, canonicalizePath } = require("./truth");
+
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+function compileRoutePattern(routePath) {
+  const parts = routePath.split("/").filter(Boolean);
+  const reParts = parts.map(seg => {
+    if (seg.startsWith(":")) return "([^/]+)";
+    if (seg.startsWith("*")) {
+      const optional = seg.endsWith("?");
+      return optional ? "(.*)?" : "(.*)";
+    }
+    return escapeRegex(seg);
+  });
+  return new RegExp("^/" + reParts.join("/") + "$");
+}
+
+function routeMatches(routeDef, method, path) {
+  const m = method === "*" ? "*" : method;
+  const rm = routeDef.method;
+
+  const methodOk = (rm === "*" || m === "*" || rm === m);
+  if (!methodOk) return false;
+
+  if (routeDef.path === path) return true;
+  return compileRoutePattern(routeDef.path).test(path);
+}
+
+function validateClaimRouteExists(truthpack, claim) {
+  const method = canonicalizeMethod(claim?.subject?.method || "*");
+  const path = canonicalizePath(claim?.subject?.path || "/");
+
+  const server = truthpack?.routes?.server || [];
+  const matches = server.filter(r => routeMatches(r, method, path));
+
+  if (matches.length) {
+    // pick best confidence
+    const score = c => (c === "high" ? 3 : c === "med" ? 2 : 1);
+    matches.sort((a,b) => score(b.confidence) - score(a.confidence));
+    const best = matches[0];
+
+    return {
+      id: claim.id,
+      result: "true",
+      confidence: best.confidence,
+      evidence: best.evidence || [],
+      assumptions: [],
+      gaps: [],
+      nextSteps: []
+    };
+  }
+
+  const gaps = truthpack?.routes?.gaps || [];
+  const hasGaps = gaps.length > 0;
+
+  return {
+    id: claim.id,
+    result: hasGaps ? "unknown" : "false",
+    confidence: hasGaps ? "low" : "high",
+    evidence: [],
+    assumptions: hasGaps ? ["Fastify plugin resolution incomplete"] : [],
+    gaps,
+    nextSteps: hasGaps ? ["Resolve Fastify plugin imports (relative) or add optional runtime route dump mode later"] : []
+  };
+}
+
+function validateClaimEnvVarUsed(truthpack, claim) {
+  const name = String(claim?.subject?.name || "").trim();
+  const vars = truthpack?.env?.vars || [];
+  const hit = vars.find(v => v.name === name);
+
+  if (hit) {
+    return {
+      id: claim.id,
+      result: "true",
+      confidence: hit.references?.length ? "high" : "med",
+      evidence: hit.references || [],
+      assumptions: [],
+      gaps: [],
+      nextSteps: []
+    };
+  }
+  return {
+    id: claim.id,
+    result: "false",
+    confidence: "high",
+    evidence: [],
+    assumptions: [],
+    gaps: [],
+    nextSteps: []
+  };
+}
+
+function validateClaimEnvVarDeclared(truthpack, claim) {
+  const name = String(claim?.subject?.name || "").trim();
+  const declared = truthpack?.env?.declared || [];
+  const ok = declared.includes(name);
+
+  return {
+    id: claim.id,
+    result: ok ? "true" : "false",
+    confidence: "high",
+    evidence: [],
+    assumptions: [],
+    gaps: [],
+    nextSteps: ok ? [] : ["Add to .env.example/.env.template so the project contract is real"]
+  };
+}
+
+module.exports = {
+  routeMatches,
+  validateClaimRouteExists,
+  validateClaimEnvVarUsed,
+  validateClaimEnvVarDeclared
+};