@vibecheckai/cli 3.0.9 → 3.1.0

package/bin/runners/runPreflight.js

@@ -0,0 +1,553 @@
+/**
+ * Preflight Validation Command
+ * 
+ * Validates environment, migrations, storage, and security
+ * before deployment. Fails fast on critical issues.
+ */
+
+"use strict";
+
+const { execSync } = require("child_process");
+const fs = require("fs");
+const path = require("path");
+const https = require("https");
+const http = require("http");
+
+const c = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  dim: "\x1b[2m",
+  red: "\x1b[31m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  blue: "\x1b[34m",
+  cyan: "\x1b[36m",
+};
+
+const checks = {
+  env: validateEnvironment,
+  secrets: validateSecrets,
+  database: validateDatabase,
+  storage: validateStorage,
+  ssl: validateSSL,
+  webhooks: validateWebhooks,
+  tiers: validateTierEnforcement,
+  services: validateExternalServices,
+  security: validateSecurityConfig
+};
+
+async function runPreflight(args) {
+  console.log(`${c.cyan}${c.bold}🚀 Vibecheck Preflight Check${c.reset}\n`);
+  
+  const env = process.env.NODE_ENV || "development";
+  console.log(`${c.dim}Environment: ${env.toUpperCase()}${c.reset}\n`);
+  
+  // Determine which checks to run
+  const checksToRun = args.includes("--all") 
+    ? Object.keys(checks)
+    : args.filter(arg => arg.startsWith("--")).map(arg => arg.substring(2)).filter(arg => checks[arg]);
+  
+  if (checksToRun.length === 0) {
+    checksToRun.push(...Object.keys(checks));
+  }
+  
+  console.log(`${c.blue}Running checks:${c.reset} ${checksToRun.join(", ")}\n`);
+  
+  const results = {
+    passed: [],
+    failed: [],
+    warnings: []
+  };
+  
+  // Run each check
+  for (const checkName of checksToRun) {
+    console.log(`${c.yellow}⏳ Running ${checkName} check...${c.reset}`);
+    
+    try {
+      const result = await checks[checkName]();
+      
+      if (result.passed) {
+        console.log(`${c.green}✅ ${checkName}: PASSED${c.reset}`);
+        results.passed.push(checkName);
+        if (result.message) {
+          console.log(`   ${c.dim}${result.message}${c.reset}`);
+        }
+      } else {
+        console.log(`${c.red}❌ ${checkName}: FAILED${c.reset}`);
+        console.log(`   ${result.error}`);
+        results.failed.push({ name: checkName, error: result.error });
+      }
+    } catch (err) {
+      console.log(`${c.red}❌ ${checkName}: ERROR${c.reset}`);
+      console.log(`   ${err.message}`);
+      results.failed.push({ name: checkName, error: err.message });
+    }
+    
+    console.log();
+  }
+  
+  // Summary
+  console.log(`${c.bold}═`.repeat(50));
+  console.log(`${c.bold}PREFLIGHT CHECK SUMMARY${c.reset}`);
+  console.log(`${c.bold}═`.repeat(50)}`);
+  console.log(`${c.green}✅ Passed: ${results.passed.length}${c.reset}`);
+  console.log(`${c.red}❌ Failed: ${results.failed.length}${c.reset}`);
+  console.log(`${c.yellow}⚠️  Warnings: ${results.warnings.length}${c.reset}\n`);
+  
+  // Fail if any critical checks failed
+  const criticalFailures = results.failed.filter(f => 
+    ["env", "secrets", "database", "webhooks", "tiers"].includes(f.name)
+  );
+  
+  if (criticalFailures.length > 0) {
+    console.log(`${c.red}${c.bold}💥 CRITICAL FAILURES DETECTED${c.reset}`);
+    console.log("Fix the following issues before deploying:\n");
+    
+    for (const failure of criticalFailures) {
+      console.log(`${c.red}• ${failure.name}: ${failure.error}${c.reset}`);
+    }
+    
+    console.log(`\n${c.yellow}Run 'vibecheck preflight --fix' to attempt auto-fixes${c.reset}`);
+    return 2; // BLOCK
+  }
+  
+  if (results.failed.length > 0) {
+    console.log(`${c.yellow}⚠️  Some non-critical checks failed${c.reset}`);
+    console.log("Review and fix if necessary\n");
+    return 1; // WARN
+  }
+  
+  console.log(`${c.green}🎉 All checks passed! Ready to deploy.${c.reset}`);
+  return 0; // SHIP
+}
+
+async function validateEnvironment() {
+  const { validateEnvironment } = require("../../shared/env-validator");
+  
+  try {
+    const { validated } = validateEnvironment();
+    
+    // Check for production-specific requirements
+    if (process.env.NODE_ENV === "production") {
+      const prodRequired = [
+        "VIBECHECK_ENFORCE_HTTPS",
+        "VIBECHECK_CORS_ORIGIN",
+        "SENTRY_DSN",
+        "VIBECHECK_RATE_LIMIT_STRICT"
+      ];
+      
+      for (const key of prodRequired) {
+        if (!validated[key]) {
+          return { passed: false, error: `Missing production variable: ${key}` };
+        }
+      }
+      
+      // Check that dangerous dev flags are NOT set
+      const forbidden = [
+        "VIBECHECK_SKIP_AUTH",
+        "VIBECHECK_FAKE_BILLING",
+        "VIBECHECK_MOCK_AI"
+      ];
+      
+      for (const key of forbidden) {
+        if (validated[key] === "true") {
+          return { passed: false, error: `Dangerous flag set in production: ${key}` };
+        }
+      }
+    }
+    
+    return { passed: true, message: "All environment variables valid" };
+  } catch (err) {
+    return { passed: false, error: err.message };
+  }
+}
+
+async function validateSecrets() {
+  const secrets = [
+    "VIBECHECK_JWT_SECRET",
+    "VIBECHECK_REFRESH_SECRET",
+    "VIBECHECK_API_SECRET"
+  ];
+  
+  for (const secret of secrets) {
+    const value = process.env[secret];
+    
+    if (!value) {
+      return { passed: false, error: `Missing secret: ${secret}` };
+    }
+    
+    if (value.length < 32) {
+      return { passed: false, error: `${secret} too short (min 32 chars)` };
+    }
+    
+    // Check for weak patterns
+    if (value === "secret" || value === "password" || value.startsWith("test")) {
+      return { passed: false, error: `${secret} appears to be weak` };
+    }
+  }
+  
+  return { passed: true, message: "All secrets are strong" };
+}
+
+async function validateDatabase() {
+  const databaseUrl = process.env.DATABASE_URL;
+  
+  if (!databaseUrl) {
+    return { passed: false, error: "DATABASE_URL not set" };
+  }
+  
+  try {
+    // Parse database URL to check SSL
+    const url = new URL(databaseUrl);
+    
+    if (process.env.NODE_ENV === "production" && url.searchParams.get("sslmode") !== "require") {
+      return { passed: false, error: "Database must use SSL in production" };
+    }
+    
+    // Test connectivity
+    const { Client } = require("pg");
+    const client = new Client({ connectionString: databaseUrl });
+    
+    await client.connect();
+    
+    // Check migrations
+    const result = await client.query(`
+      SELECT COUNT(*) as count FROM schema_migrations
+    `);
+    
+    await client.end();
+    
+    const migrationCount = parseInt(result.rows[0].count);
+    if (migrationCount === 0) {
+      return { passed: false, error: "No migrations found - run 'npm run db:migrate'" };
+    }
+    
+    return { passed: true, message: `${migrationCount} migrations applied` };
+  } catch (err) {
+    return { passed: false, error: `Database connection failed: ${err.message}` };
+  }
+}
+
+async function validateStorage() {
+  const storageType = process.env.STORAGE_TYPE || "local";
+  
+  if (storageType === "s3") {
+    const required = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_S3_BUCKET"];
+    
+    for (const key of required) {
+      if (!process.env[key]) {
+        return { passed: false, error: `Missing S3 config: ${key}` };
+      }
+    }
+    
+    // Test S3 connectivity
+    try {
+      const AWS = require("aws-sdk");
+      const s3 = new AWS.S3({
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+        region: process.env.AWS_REGION || "us-east-1"
+      });
+      
+      await s3.headBucket({ Bucket: process.env.AWS_S3_BUCKET }).promise();
+      
+      return { passed: true, message: "S3 bucket accessible" };
+    } catch (err) {
+      return { passed: false, error: `S3 access failed: ${err.message}` };
+    }
+  }
+  
+  // For local storage, check directory exists
+  if (storageType === "local") {
+    const uploadDir = process.env.UPLOAD_DIR || "./uploads";
+    
+    if (!fs.existsSync(uploadDir)) {
+      try {
+        fs.mkdirSync(uploadDir, { recursive: true });
+      } catch (err) {
+        return { passed: false, error: `Cannot create upload directory: ${err.message}` };
+      }
+    }
+    
+    return { passed: true, message: "Local storage ready" };
+  }
+  
+  return { passed: true, message: `${storageType} storage configured` };
+}
+
+async function validateSSL() {
+  if (process.env.NODE_ENV !== "production") {
+    return { passed: true, message: "SSL not required in development" };
+  }
+  
+  const url = process.env.VIBECHECK_PUBLIC_URL || "https://api.vibecheck.ai";
+  
+  try {
+    return new Promise((resolve) => {
+      const req = https.get(url, (res) => {
+        const cert = res.socket.getPeerCertificate();
+        
+        if (!cert) {
+          resolve({ passed: false, error: "No SSL certificate found" });
+          return;
+        }
+        
+        // Check certificate expiry
+        const now = new Date();
+        const expiry = new Date(cert.valid_to);
+        
+        if (expiry < now) {
+          resolve({ passed: false, error: "SSL certificate expired" });
+          return;
+        }
+        
+        // Check expiry within 30 days
+        const thirtyDays = new Date(now.getTime() + 30 * 24 * 60 * 60 * 1000);
+        if (expiry < thirtyDays) {
+          resolve({ 
+            passed: false, 
+            error: `SSL certificate expires soon: ${cert.valid_to}` 
+          });
+          return;
+        }
+        
+        resolve({ 
+          passed: true, 
+          message: `SSL valid until ${cert.valid_to}` 
+        });
+      });
+      
+      req.on("error", (err) => {
+        resolve({ passed: false, error: `SSL check failed: ${err.message}` });
+      });
+      
+      req.setTimeout(5000, () => {
+        req.destroy();
+        resolve({ passed: false, error: "SSL check timeout" });
+      });
+    });
+  } catch (err) {
+    return { passed: false, error: err.message };
+  }
+}
+
+async function validateWebhooks() {
+  const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
+  
+  if (!webhookSecret) {
+    return { passed: false, error: "STRIPE_WEBHOOK_SECRET not set" };
+  }
+  
+  if (!webhookSecret.startsWith("whsec_")) {
+    return { passed: false, error: "Invalid webhook secret format" };
+  }
+  
+  // Test webhook endpoint
+  const testPayload = JSON.stringify({
+    id: `evt_test_${Date.now()}`,
+    type: "test",
+    data: { object: { test: true } }
+  });
+  
+  const timestamp = Math.floor(Date.now() / 1000);
+  const signedPayload = `${timestamp}.${testPayload}`;
+  
+  const crypto = require("crypto");
+  const signature = crypto
+    .createHmac("sha256", webhookSecret)
+    .update(signedPayload)
+    .digest("hex");
+  
+  const stripeSignature = `t=${timestamp},v1=${signature}`;
+  
+  try {
+    const webhookUrl = process.env.VIBECHECK_WEBHOOK_URL || "http://localhost:3000/webhooks/stripe";
+    
+    return new Promise((resolve) => {
+      const postData = testPayload;
+      
+      const req = http.request(webhookUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(postData),
+          "Stripe-Signature": stripeSignature
+        }
+      }, (res) => {
+        let data = "";
+        res.on("data", chunk => data += chunk);
+        res.on("end", () => {
+          if (res.statusCode === 200) {
+            resolve({ passed: true, message: "Webhook signature verification working" });
+          } else {
+            resolve({ passed: false, error: `Webhook returned ${res.statusCode}` });
+          }
+        });
+      });
+      
+      req.on("error", (err) => {
+        resolve({ passed: false, error: `Webhook test failed: ${err.message}` });
+      });
+      
+      req.setTimeout(5000, () => {
+        req.destroy();
+        resolve({ passed: false, error: "Webhook test timeout" });
+      });
+      
+      req.write(postData);
+      req.end();
+    });
+  } catch (err) {
+    return { passed: false, error: err.message };
+  }
+}
+
+async function validateTierEnforcement() {
+  // Check CLI tier enforcement
+  try {
+    const { enforce } = require("../lib/entitlements-v2");
+    
+    // Test free tier
+    const freeResult = await enforce("scan", { silent: true });
+    if (!freeResult.allowed) {
+      return { passed: false, error: "CLI incorrectly blocks free tier features" };
+    }
+    
+    // Test pro tier enforcement
+    const proResult = await enforce("prove", { silent: true });
+    if (proResult.allowed && process.env.NODE_ENV === "production") {
+      return { passed: false, error: "CLI incorrectly allows pro features without auth" };
+    }
+  } catch (err) {
+    return { passed: false, error: `CLI tier check failed: ${err.message}` };
+  }
+  
+  // Check API tier enforcement if server is running
+  const apiUrl = process.env.VIBECHECK_API_URL || "http://localhost:3000";
+  
+  try {
+    // Test without auth
+    const response = await fetch(`${apiUrl}/api/v1/ship`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" }
+    });
+    
+    if (response.status !== 401 && response.status !== 403) {
+      return { passed: false, error: "API not enforcing authentication" };
+    }
+  } catch (err) {
+    // Server might not be running - that's OK for preflight
+    return { passed: true, message: "API not running - skip check" };
+  }
+  
+  return { passed: true, message: "Tier enforcement consistent" };
+}
+
+async function validateExternalServices() {
+  const services = [
+    { name: "License API", url: process.env.VIBECHECK_LICENSE_API },
+    { name: "AI Endpoint", url: process.env.VIBECHECK_AI_ENDPOINT }
+  ];
+  
+  for (const service of services) {
+    if (!service.url) {
+      return { passed: false, error: `${service.name} URL not configured` };
+    }
+    
+    try {
+      const response = await fetch(`${service.url}/health`, {
+        method: "GET",
+        timeout: 5000
+      });
+      
+      if (!response.ok) {
+        return { passed: false, error: `${service.name} unhealthy: ${response.status}` };
+      }
+    } catch (err) {
+      return { passed: false, error: `${service.name} unreachable: ${err.message}` };
+    }
+  }
+  
+  return { passed: true, message: "All external services healthy" };
+}
+
+async function validateSecurityConfig() {
+  const issues = [];
+  
+  // Check for secure headers in production
+  if (process.env.NODE_ENV === "production") {
+    if (!process.env.VIBECHECK_ENFORCE_HTTPS) {
+      issues.push("HTTPS enforcement not enabled");
+    }
+    
+    if (!process.env.VIBECHECK_RATE_LIMIT_STRICT) {
+      issues.push("Strict rate limiting not enabled");
+    }
+    
+    const corsOrigin = process.env.VIBECHECK_CORS_ORIGIN;
+    if (!corsOrigin || corsOrigin.includes("*") || corsOrigin.includes("localhost")) {
+      issues.push("CORS origin not properly restricted");
+    }
+  }
+  
+  // Check for required security headers
+  const requiredHeaders = [
+    "helmet",
+    "cors",
+    "rateLimit"
+  ];
+  
+  // Check if security middleware is configured
+  try {
+    const apiFile = fs.readFileSync("./apps/api/src/app.js", "utf8");
+    
+    for (const header of requiredHeaders) {
+      if (!apiFile.includes(header)) {
+        issues.push(`Security middleware '${header}' not found`);
+      }
+    }
+  } catch (err) {
+    // API file might not exist in this context
+  }
+  
+  if (issues.length > 0) {
+    return { passed: false, error: issues.join("; ") };
+  }
+  
+  return { passed: true, message: "Security configuration valid" };
+}
+
+function printHelp() {
+  console.log(`
+${c.cyan}${c.bold}vibecheck preflight${c.reset} - Deployment validation
+
+${c.bold}USAGE${c.reset}
+  vibecheck preflight [options]
+
+${c.bold}OPTIONS${c.reset}
+  --all              Run all checks
+  --env              Validate environment variables
+  --secrets          Validate secrets strength
+  --database         Validate database connectivity
+  --storage          Validate storage configuration
+  --ssl              Validate SSL certificates
+  --webhooks         Validate webhook signatures
+  --tiers            Validate tier enforcement
+  --services         Validate external services
+  --security         Validate security configuration
+  --fix              Attempt to fix issues (where possible)
+  --help, -h         Show this help
+
+${c.bold}EXAMPLES${c.reset}
+  vibecheck preflight --all           # Run all checks
+  vibecheck preflight --env --secrets # Run specific checks
+  vibecheck preflight                 # Run all checks (default)
+
+${c.bold}EXIT CODES${c.reset}
+  0 = All checks passed
+  1 = Non-critical warnings
+  2 = Critical failures (block deployment)
+`);
+}
+
+module.exports = { runPreflight, printHelp };