@vibecheckai/cli 3.0.3 → 3.0.5

package/bin/runners/lib/contracts/auth-contract.js

@@ -0,0 +1,202 @@
+/**
+ * Auth Contract Builder
+ * Builds auth.json contract from truthpack
+ */
+
+"use strict";
+
+/**
+ * Build auth contract from truthpack
+ */
+function buildAuthContract(truthpack) {
+  const contract = {
+    version: "1.0.0",
+    generatedAt: new Date().toISOString(),
+    protectedPatterns: [],
+    publicPatterns: [],
+    roles: [],
+    evidence: []
+  };
+
+  // Extract protected patterns from Next middleware
+  const nextMiddleware = truthpack?.auth?.nextMiddleware || [];
+  const matcherPatterns = truthpack?.auth?.nextMatcherPatterns || [];
+
+  contract.protectedPatterns = [...new Set(matcherPatterns)];
+
+  // Add evidence from middleware files
+  for (const mw of nextMiddleware) {
+    contract.evidence.push({
+      file: mw.file,
+      type: "next_middleware",
+      signals: mw.signalTypes || []
+    });
+  }
+
+  // Extract Fastify auth info
+  const fastify = truthpack?.auth?.fastify || {};
+  if (fastify.hooks?.length) {
+    for (const hook of fastify.hooks) {
+      contract.evidence.push({
+        file: hook.file,
+        type: "fastify_hook",
+        hookType: hook.hookType,
+        line: hook.line
+      });
+    }
+  }
+
+  // Infer roles from truthpack
+  contract.roles = inferRoles(truthpack);
+
+  // Default public patterns
+  contract.publicPatterns = [
+    "/api/health",
+    "/api/status",
+    "/api/public/*",
+    "/_next/*",
+    "/favicon.ico"
+  ];
+
+  // Deterministic output: sort all arrays
+  contract.protectedPatterns.sort();
+  contract.publicPatterns.sort();
+  contract.roles.sort((a, b) => a.name.localeCompare(b.name));
+  for (const role of contract.roles) {
+    if (role.routes) role.routes.sort();
+  }
+
+  return contract;
+}
+
+/**
+ * Infer roles from truthpack
+ */
+function inferRoles(truthpack) {
+  const roles = [];
+  const routes = truthpack?.routes?.server || [];
+
+  // Check for admin routes
+  const adminRoutes = routes.filter(r => r.path.includes("/admin"));
+  if (adminRoutes.length > 0) {
+    roles.push({
+      name: "admin",
+      routes: adminRoutes.map(r => r.path),
+      evidence: adminRoutes.flatMap(r => r.evidence || [])
+    });
+  }
+
+  // Check for user routes (default authenticated)
+  const userRoutes = routes.filter(r => 
+    !r.path.includes("/admin") && 
+    !r.path.includes("/public") &&
+    !r.path.includes("/health")
+  );
+  if (userRoutes.length > 0) {
+    roles.push({
+      name: "user",
+      routes: userRoutes.map(r => r.path),
+      evidence: []
+    });
+  }
+
+  return roles;
+}
+
+/**
+ * Validate auth coverage
+ */
+function validateAuthContract(contract, routes, realityResults) {
+  const violations = [];
+
+  // Check that all non-public routes are protected
+  for (const route of routes) {
+    const isPublic = contract.publicPatterns.some(p => matchesPattern(route.path, p));
+    const isProtected = contract.protectedPatterns.some(p => matchesPattern(route.path, p));
+
+    if (!isPublic && !isProtected) {
+      // Check if route looks sensitive
+      if (looksLikeSensitiveRoute(route.path)) {
+        violations.push({
+          type: "unprotected_sensitive",
+          severity: "WARN",
+          route: route.path,
+          message: `Sensitive route ${route.path} not covered by auth patterns`,
+          evidence: route.evidence || []
+        });
+      }
+    }
+  }
+
+  // Check reality results for auth bypass
+  if (realityResults) {
+    for (const result of realityResults) {
+      if (result.type === "AuthCoverage" && result.severity === "BLOCK") {
+        violations.push({
+          type: "auth_bypass",
+          severity: "BLOCK",
+          route: result.page,
+          message: result.title,
+          evidence: []
+        });
+      }
+    }
+  }
+
+  return violations;
+}
+
+function matchesPattern(path, pattern) {
+  const normPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
+  try {
+    const rx = new RegExp(`^${normPattern}`, "i");
+    return rx.test(path);
+  } catch {
+    return false;
+  }
+}
+
+function looksLikeSensitiveRoute(path) {
+  const sensitivePatterns = [
+    /\/api\/users/i,
+    /\/api\/billing/i,
+    /\/api\/payment/i,
+    /\/api\/subscription/i,
+    /\/api\/settings/i,
+    /\/api\/profile/i,
+    /\/api\/account/i,
+    /\/api\/admin/i,
+    /\/api\/webhook/i,
+  ];
+
+  return sensitivePatterns.some(p => p.test(path));
+}
+
+/**
+ * Diff two auth contracts
+ */
+function diffAuthContracts(before, after) {
+  const diff = {
+    protectedAdded: [],
+    protectedRemoved: [],
+    rolesChanged: []
+  };
+
+  const beforeProtected = new Set(before.protectedPatterns);
+  const afterProtected = new Set(after.protectedPatterns);
+
+  for (const p of afterProtected) {
+    if (!beforeProtected.has(p)) diff.protectedAdded.push(p);
+  }
+  for (const p of beforeProtected) {
+    if (!afterProtected.has(p)) diff.protectedRemoved.push(p);
+  }
+
+  return diff;
+}
+
+module.exports = {
+  buildAuthContract,
+  validateAuthContract,
+  diffAuthContracts
+};

package/bin/runners/lib/contracts/env-contract.js

@@ -0,0 +1,181 @@
+/**
+ * Env Contract Builder
+ * Builds env.json contract from truthpack
+ */
+
+"use strict";
+
+/**
+ * Build env contract from truthpack
+ */
+function buildEnvContract(truthpack) {
+  const contract = {
+    version: "1.0.0",
+    generatedAt: new Date().toISOString(),
+    vars: []
+  };
+
+  const envVars = truthpack?.env?.vars || [];
+  const declared = new Set(truthpack?.env?.declared || []);
+  const declaredSources = truthpack?.env?.declaredSources || [];
+
+  for (const v of envVars) {
+    const varSpec = {
+      name: v.name,
+      required: inferRequired(v, declared),
+      usedIn: (v.references || []).map(r => r.file).filter(Boolean),
+      declaredIn: declaredSources.filter(s => isDeclaredInSource(v.name, s)),
+      description: inferDescription(v.name),
+      evidence: v.references || []
+    };
+
+    contract.vars.push(varSpec);
+  }
+
+  // Add declared vars that aren't used (might be optional)
+  for (const name of declared) {
+    if (!envVars.find(v => v.name === name)) {
+      contract.vars.push({
+        name,
+        required: false,
+        usedIn: [],
+        declaredIn: declaredSources,
+        description: inferDescription(name),
+        evidence: []
+      });
+    }
+  }
+
+  // Deterministic output: sort vars by name
+  contract.vars.sort((a, b) => a.name.localeCompare(b.name));
+
+  return contract;
+}
+
+/**
+ * Infer if env var is required
+ */
+function inferRequired(envVar, declared) {
+  const name = envVar.name;
+  
+  // Common required patterns
+  const requiredPatterns = [
+    /^DATABASE_URL$/i,
+    /^NEXTAUTH_SECRET$/i,
+    /^NEXTAUTH_URL$/i,
+    /^JWT_SECRET$/i,
+    /^API_KEY$/i,
+    /^STRIPE_SECRET_KEY$/i,
+    /^STRIPE_WEBHOOK_SECRET$/i,
+    /^AUTH0_/i,
+    /^CLERK_/i,
+  ];
+
+  for (const pattern of requiredPatterns) {
+    if (pattern.test(name)) return true;
+  }
+
+  // If used but not declared, likely required
+  if (!declared.has(name) && envVar.references?.length > 0) {
+    return true;
+  }
+
+  return false;
+}
+
+function isDeclaredInSource(name, source) {
+  // Simple heuristic - would need to parse files for accurate check
+  return true;
+}
+
+function inferDescription(name) {
+  const descriptions = {
+    DATABASE_URL: "Database connection string",
+    NEXTAUTH_SECRET: "NextAuth.js encryption secret",
+    NEXTAUTH_URL: "NextAuth.js base URL",
+    JWT_SECRET: "JWT signing secret",
+    STRIPE_SECRET_KEY: "Stripe API secret key",
+    STRIPE_PUBLISHABLE_KEY: "Stripe publishable key",
+    STRIPE_WEBHOOK_SECRET: "Stripe webhook signing secret",
+    NODE_ENV: "Node environment (development/production)",
+    PORT: "Server port",
+    HOST: "Server host",
+  };
+
+  return descriptions[name] || undefined;
+}
+
+/**
+ * Validate code against env contract
+ */
+function validateAgainstEnvContract(contract, usedVars) {
+  const violations = [];
+  const contractVars = new Map(contract.vars.map(v => [v.name, v]));
+
+  for (const used of usedVars) {
+    if (!contractVars.has(used.name)) {
+      violations.push({
+        type: "undeclared_env",
+        severity: "WARN",
+        name: used.name,
+        usedIn: used.references?.map(r => r.file) || [],
+        message: `Env var ${used.name} used but not declared in contract`,
+        evidence: used.references || []
+      });
+    }
+  }
+
+  // Check for required vars that aren't used
+  for (const [name, spec] of contractVars) {
+    if (spec.required && spec.usedIn.length === 0) {
+      violations.push({
+        type: "unused_required",
+        severity: "WARN",
+        name,
+        message: `Required env var ${name} declared but not used`,
+        evidence: []
+      });
+    }
+  }
+
+  return violations;
+}
+
+/**
+ * Diff two env contracts
+ */
+function diffEnvContracts(before, after) {
+  const diff = {
+    added: [],
+    removed: [],
+    changed: []
+  };
+
+  const beforeMap = new Map(before.vars.map(v => [v.name, v]));
+  const afterMap = new Map(after.vars.map(v => [v.name, v]));
+
+  for (const [name, spec] of afterMap) {
+    if (!beforeMap.has(name)) {
+      diff.added.push(spec);
+    } else {
+      const prev = beforeMap.get(name);
+      if (prev.required !== spec.required) {
+        diff.changed.push({ before: prev, after: spec });
+      }
+    }
+  }
+
+  for (const [name, spec] of beforeMap) {
+    if (!afterMap.has(name)) {
+      diff.removed.push(spec);
+    }
+  }
+
+  return diff;
+}
+
+module.exports = {
+  buildEnvContract,
+  validateAgainstEnvContract,
+  diffEnvContracts
+};

package/bin/runners/lib/contracts/external-contract.js

@@ -0,0 +1,206 @@
+/**
+ * External Contract Builder
+ * Builds external.json contract from truthpack (Stripe, GitHub, etc.)
+ */
+
+"use strict";
+
+/**
+ * Build external services contract from truthpack
+ */
+function buildExternalContract(truthpack) {
+  const contract = {
+    version: "1.0.0",
+    generatedAt: new Date().toISOString(),
+    services: []
+  };
+
+  // Extract billing/Stripe info
+  const billing = truthpack?.billing || {};
+  if (billing.hasStripe || billing.webhookCandidates?.length) {
+    const stripeService = {
+      name: "stripe",
+      envVars: extractStripeEnvVars(truthpack),
+      usedIn: billing.webhookCandidates?.map(w => w.file) || [],
+      webhooks: billing.webhookCandidates?.map(w => ({
+        path: w.path,
+        verified: w.hasSignatureVerification || false,
+        idempotent: w.hasIdempotency || false
+      })) || [],
+      evidence: billing.webhookCandidates?.flatMap(w => w.evidence || []) || []
+    };
+    contract.services.push(stripeService);
+  }
+
+  // Detect other external services from env vars
+  const envVars = truthpack?.env?.vars || [];
+  
+  // GitHub
+  const githubVars = envVars.filter(v => /github/i.test(v.name));
+  if (githubVars.length) {
+    contract.services.push({
+      name: "github",
+      envVars: githubVars.map(v => v.name),
+      usedIn: githubVars.flatMap(v => v.references?.map(r => r.file) || []),
+      evidence: githubVars.flatMap(v => v.references || [])
+    });
+  }
+
+  // SendGrid
+  const sendgridVars = envVars.filter(v => /sendgrid/i.test(v.name));
+  if (sendgridVars.length) {
+    contract.services.push({
+      name: "sendgrid",
+      envVars: sendgridVars.map(v => v.name),
+      usedIn: sendgridVars.flatMap(v => v.references?.map(r => r.file) || []),
+      evidence: sendgridVars.flatMap(v => v.references || [])
+    });
+  }
+
+  // Twilio
+  const twilioVars = envVars.filter(v => /twilio/i.test(v.name));
+  if (twilioVars.length) {
+    contract.services.push({
+      name: "twilio",
+      envVars: twilioVars.map(v => v.name),
+      usedIn: twilioVars.flatMap(v => v.references?.map(r => r.file) || []),
+      evidence: twilioVars.flatMap(v => v.references || [])
+    });
+  }
+
+  // AWS
+  const awsVars = envVars.filter(v => /^aws/i.test(v.name));
+  if (awsVars.length) {
+    contract.services.push({
+      name: "aws",
+      envVars: awsVars.map(v => v.name),
+      usedIn: awsVars.flatMap(v => v.references?.map(r => r.file) || []),
+      evidence: awsVars.flatMap(v => v.references || [])
+    });
+  }
+
+  // Supabase
+  const supabaseVars = envVars.filter(v => /supabase/i.test(v.name));
+  if (supabaseVars.length) {
+    contract.services.push({
+      name: "supabase",
+      envVars: supabaseVars.map(v => v.name).sort(),
+      usedIn: [...new Set(supabaseVars.flatMap(v => v.references?.map(r => r.file) || []))].sort(),
+      evidence: supabaseVars.flatMap(v => v.references || [])
+    });
+  }
+
+  // Deterministic output: sort services by name, and their internal arrays
+  contract.services.sort((a, b) => a.name.localeCompare(b.name));
+  for (const svc of contract.services) {
+    if (svc.envVars) svc.envVars.sort();
+    if (svc.usedIn) svc.usedIn = [...new Set(svc.usedIn)].sort();
+    if (svc.webhooks) svc.webhooks.sort((a, b) => a.path.localeCompare(b.path));
+  }
+
+  return contract;
+}
+
+function extractStripeEnvVars(truthpack) {
+  const envVars = truthpack?.env?.vars || [];
+  return envVars
+    .filter(v => /stripe/i.test(v.name))
+    .map(v => v.name);
+}
+
+/**
+ * Validate external services contract
+ */
+function validateExternalContract(contract) {
+  const violations = [];
+
+  for (const service of contract.services) {
+    // Check Stripe webhook verification
+    if (service.name === "stripe") {
+      for (const webhook of service.webhooks || []) {
+        if (!webhook.verified) {
+          violations.push({
+            type: "unverified_webhook",
+            severity: "BLOCK",
+            service: "stripe",
+            path: webhook.path,
+            message: `Stripe webhook at ${webhook.path} missing signature verification`,
+            evidence: []
+          });
+        }
+        if (!webhook.idempotent) {
+          violations.push({
+            type: "non_idempotent_webhook",
+            severity: "WARN",
+            service: "stripe",
+            path: webhook.path,
+            message: `Stripe webhook at ${webhook.path} may not be idempotent`,
+            evidence: []
+          });
+        }
+      }
+    }
+
+    // Check for missing required env vars
+    const requiredVars = getRequiredVarsForService(service.name);
+    for (const required of requiredVars) {
+      if (!service.envVars.includes(required)) {
+        violations.push({
+          type: "missing_env",
+          severity: "WARN",
+          service: service.name,
+          envVar: required,
+          message: `Service ${service.name} typically requires ${required}`,
+          evidence: []
+        });
+      }
+    }
+  }
+
+  return violations;
+}
+
+function getRequiredVarsForService(name) {
+  const requirements = {
+    stripe: ["STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"],
+    github: ["GITHUB_TOKEN"],
+    sendgrid: ["SENDGRID_API_KEY"],
+    twilio: ["TWILIO_ACCOUNT_SID", "TWILIO_AUTH_TOKEN"],
+    supabase: ["SUPABASE_URL", "SUPABASE_ANON_KEY"]
+  };
+  return requirements[name] || [];
+}
+
+/**
+ * Diff two external contracts
+ */
+function diffExternalContracts(before, after) {
+  const diff = {
+    added: [],
+    removed: [],
+    changed: []
+  };
+
+  const beforeMap = new Map(before.services.map(s => [s.name, s]));
+  const afterMap = new Map(after.services.map(s => [s.name, s]));
+
+  for (const [name, service] of afterMap) {
+    if (!beforeMap.has(name)) {
+      diff.added.push(service);
+    }
+  }
+
+  for (const [name, service] of beforeMap) {
+    if (!afterMap.has(name)) {
+      diff.removed.push(service);
+    }
+  }
+
+  return diff;
+}
+
+module.exports = {
+  buildExternalContract,
+  validateExternalContract,
+  diffExternalContracts
+};