@vibecheckai/cli 3.0.4 → 3.0.7

package/bin/runners/lib/reality/request-hashing.js

@@ -0,0 +1,416 @@
+/**
+ * Request Body Hashing v2
+ * 
+ * Hashes request/response bodies for correlation and duplicate detection.
+ * Enables catching: duplicate mutations, no-op responses, optimistic UI mismatches.
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+
+const MAX_BODY_SIZE = 100 * 1024; // 100KB max for hashing
+const REDACT_KEYS = [
+  "password",
+  "token",
+  "secret",
+  "apiKey",
+  "api_key",
+  "authorization",
+  "auth",
+  "credit_card",
+  "creditCard",
+  "ssn",
+  "social_security",
+];
+
+// =============================================================================
+// BODY HASHING
+// =============================================================================
+
+/**
+ * Hash request/response body with redaction
+ */
+function hashBody(body, options = {}) {
+  const { redact = true, maxSize = MAX_BODY_SIZE } = options;
+
+  if (!body) {
+    return { hash: null, isEmpty: true, size: 0 };
+  }
+
+  let content;
+  let contentType = "unknown";
+
+  // Handle different body types
+  if (typeof body === "string") {
+    content = body;
+    contentType = detectContentType(body);
+  } else if (Buffer.isBuffer(body)) {
+    content = body.toString("utf8");
+    contentType = "binary";
+  } else if (typeof body === "object") {
+    try {
+      content = JSON.stringify(body);
+      contentType = "json";
+    } catch {
+      content = String(body);
+    }
+  } else {
+    content = String(body);
+  }
+
+  // Size check
+  const size = content.length;
+  if (size > maxSize) {
+    return {
+      hash: null,
+      isEmpty: false,
+      size,
+      truncated: true,
+      contentType,
+    };
+  }
+
+  // Redact sensitive data before hashing
+  let hashContent = content;
+  if (redact && contentType === "json") {
+    try {
+      const parsed = JSON.parse(content);
+      hashContent = JSON.stringify(redactSensitiveData(parsed));
+    } catch {
+      // Keep original if can't parse
+    }
+  }
+
+  // Compute hash
+  const hash = crypto.createHash("sha256").update(hashContent).digest("hex").slice(0, 16);
+
+  return {
+    hash,
+    isEmpty: size === 0 || content === "{}" || content === "null" || content === "[]",
+    size,
+    contentType,
+  };
+}
+
+/**
+ * Detect content type from string
+ */
+function detectContentType(content) {
+  if (!content) return "empty";
+  
+  const trimmed = content.trim();
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) return "json";
+  if (trimmed.startsWith("<?xml") || trimmed.startsWith("<")) return "xml";
+  if (trimmed.includes("=") && trimmed.includes("&")) return "form";
+  
+  return "text";
+}
+
+/**
+ * Redact sensitive data from object
+ */
+function redactSensitiveData(obj, depth = 0) {
+  if (depth > 10) return obj; // Prevent infinite recursion
+  
+  if (Array.isArray(obj)) {
+    return obj.map(item => redactSensitiveData(item, depth + 1));
+  }
+  
+  if (typeof obj === "object" && obj !== null) {
+    const redacted = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const keyLower = key.toLowerCase();
+      const isSensitive = REDACT_KEYS.some(k => keyLower.includes(k.toLowerCase()));
+      
+      if (isSensitive) {
+        redacted[key] = "[REDACTED]";
+      } else if (typeof value === "object" && value !== null) {
+        redacted[key] = redactSensitiveData(value, depth + 1);
+      } else {
+        redacted[key] = value;
+      }
+    }
+    return redacted;
+  }
+  
+  return obj;
+}
+
+// =============================================================================
+// REQUEST RECORD ENHANCEMENT
+// =============================================================================
+
+/**
+ * Enhance request record with body hashes
+ */
+function enhanceRequestWithHashes(request, options = {}) {
+  const enhanced = { ...request };
+
+  // Hash request body
+  if (request.postData || request.body) {
+    const bodyHash = hashBody(request.postData || request.body, options);
+    enhanced.requestBodyHash = bodyHash.hash;
+    enhanced.requestBodyEmpty = bodyHash.isEmpty;
+    enhanced.requestBodySize = bodyHash.size;
+    enhanced.requestContentType = bodyHash.contentType;
+  }
+
+  // Hash response body if available
+  if (request.responseBody) {
+    const respHash = hashBody(request.responseBody, options);
+    enhanced.responseBodyHash = respHash.hash;
+    enhanced.responseBodyEmpty = respHash.isEmpty;
+    enhanced.responseBodySize = respHash.size;
+  }
+
+  return enhanced;
+}
+
+// =============================================================================
+// DUPLICATE DETECTION
+// =============================================================================
+
+/**
+ * Find duplicate mutation requests
+ */
+function findDuplicateMutations(requests) {
+  const mutations = requests.filter(r => 
+    ["POST", "PUT", "PATCH", "DELETE"].includes(r.method?.toUpperCase())
+  );
+
+  // Group by method + path + requestBodyHash
+  const groups = new Map();
+  
+  for (const req of mutations) {
+    if (!req.requestBodyHash) continue;
+    
+    const key = `${req.method}:${req.canonicalPath || req.url}:${req.requestBodyHash}`;
+    if (!groups.has(key)) {
+      groups.set(key, []);
+    }
+    groups.set(key, [...groups.get(key), req]);
+  }
+
+  // Find groups with duplicates
+  const duplicates = [];
+  for (const [key, reqs] of groups) {
+    if (reqs.length > 1) {
+      duplicates.push({
+        key,
+        count: reqs.length,
+        requests: reqs,
+        firstTimestamp: reqs[0].timestamp,
+        lastTimestamp: reqs[reqs.length - 1].timestamp,
+        timeDeltaMs: reqs.length > 1 
+          ? new Date(reqs[reqs.length - 1].timestamp) - new Date(reqs[0].timestamp)
+          : 0,
+      });
+    }
+  }
+
+  return duplicates;
+}
+
+/**
+ * Find no-op mutations (success response with empty body)
+ */
+function findNoOpMutations(requests) {
+  const noOps = [];
+
+  for (const req of requests) {
+    if (!["POST", "PUT", "PATCH"].includes(req.method?.toUpperCase())) continue;
+    
+    const isSuccess = req.status >= 200 && req.status < 300;
+    const isEmptyResponse = req.responseBodyEmpty;
+    
+    if (isSuccess && isEmptyResponse) {
+      noOps.push({
+        request: req,
+        reason: "Mutation succeeded but returned empty response",
+      });
+    }
+  }
+
+  return noOps;
+}
+
+// =============================================================================
+// UI MISMATCH DETECTION
+// =============================================================================
+
+/**
+ * Detect optimistic UI that didn't match server response
+ * Requires action records with before/after UI state
+ */
+function detectOptimisticMismatch(action, request) {
+  const mismatches = [];
+
+  // Check if action had optimistic update
+  if (!action.optimisticUpdate) return mismatches;
+
+  // Check if request succeeded
+  if (!request || request.status < 200 || request.status >= 300) {
+    mismatches.push({
+      type: "optimistic_request_failed",
+      action,
+      request,
+      reason: "Optimistic update shown but request failed",
+    });
+    return mismatches;
+  }
+
+  // Check if response body matches what UI expected
+  if (action.expectedResponseHash && request.responseBodyHash) {
+    if (action.expectedResponseHash !== request.responseBodyHash) {
+      mismatches.push({
+        type: "optimistic_response_mismatch",
+        action,
+        request,
+        expected: action.expectedResponseHash,
+        actual: request.responseBodyHash,
+        reason: "Optimistic UI didn't match server response",
+      });
+    }
+  }
+
+  return mismatches;
+}
+
+/**
+ * Analyze all actions and requests for UI mismatches
+ */
+function analyzeUIMismatches(actions, requests) {
+  const mismatches = [];
+  const duplicates = findDuplicateMutations(requests);
+  const noOps = findNoOpMutations(requests);
+
+  // Duplicate mutations
+  for (const dup of duplicates) {
+    mismatches.push({
+      type: "duplicate_mutation",
+      severity: dup.timeDeltaMs < 1000 ? "WARN" : "INFO",
+      ...dup,
+      reason: `Same mutation submitted ${dup.count} times`,
+    });
+  }
+
+  // No-op mutations
+  for (const noOp of noOps) {
+    mismatches.push({
+      type: "noop_mutation",
+      severity: "WARN",
+      ...noOp,
+    });
+  }
+
+  // Optimistic mismatches
+  for (const action of actions) {
+    // Find associated request
+    const request = requests.find(r => 
+      r.actionId === action.id ||
+      (r.timestamp >= action.startTime && r.timestamp <= action.endTime)
+    );
+    
+    const actionMismatches = detectOptimisticMismatch(action, request);
+    for (const m of actionMismatches) {
+      mismatches.push({
+        ...m,
+        severity: "BLOCK",
+      });
+    }
+  }
+
+  return mismatches;
+}
+
+// =============================================================================
+// PLAYWRIGHT INTEGRATION
+// =============================================================================
+
+/**
+ * Playwright script to capture request/response bodies
+ * Inject this to capture bodies during crawling
+ */
+const PLAYWRIGHT_BODY_CAPTURE_SCRIPT = `
+// Vibecheck Request Body Capture
+window.__vibecheck_request_bodies = window.__vibecheck_request_bodies || new Map();
+
+// Intercept fetch
+const originalFetch = window.fetch;
+window.fetch = async function(...args) {
+  const [input, init] = args;
+  const url = typeof input === 'string' ? input : input.url;
+  const method = init?.method || 'GET';
+  
+  // Capture request body
+  if (init?.body) {
+    const id = crypto.randomUUID();
+    window.__vibecheck_request_bodies.set(id, {
+      url,
+      method,
+      requestBody: typeof init.body === 'string' ? init.body : JSON.stringify(init.body),
+      timestamp: Date.now(),
+    });
+  }
+  
+  const response = await originalFetch.apply(this, args);
+  return response;
+};
+
+// Intercept XMLHttpRequest
+const originalXhrOpen = XMLHttpRequest.prototype.open;
+const originalXhrSend = XMLHttpRequest.prototype.send;
+
+XMLHttpRequest.prototype.open = function(method, url) {
+  this.__vibecheck_method = method;
+  this.__vibecheck_url = url;
+  return originalXhrOpen.apply(this, arguments);
+};
+
+XMLHttpRequest.prototype.send = function(body) {
+  if (body) {
+    const id = crypto.randomUUID();
+    window.__vibecheck_request_bodies.set(id, {
+      url: this.__vibecheck_url,
+      method: this.__vibecheck_method,
+      requestBody: typeof body === 'string' ? body : JSON.stringify(body),
+      timestamp: Date.now(),
+    });
+  }
+  return originalXhrSend.apply(this, arguments);
+};
+`;
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  // Core hashing
+  hashBody,
+  detectContentType,
+  redactSensitiveData,
+  REDACT_KEYS,
+
+  // Request enhancement
+  enhanceRequestWithHashes,
+
+  // Duplicate detection
+  findDuplicateMutations,
+  findNoOpMutations,
+
+  // UI mismatch detection
+  detectOptimisticMismatch,
+  analyzeUIMismatches,
+
+  // Playwright integration
+  PLAYWRIGHT_BODY_CAPTURE_SCRIPT,
+
+  // Constants
+  MAX_BODY_SIZE,
+};