@vibecheckai/cli 3.1.6 → 3.2.0

package/bin/runners/runPermissions.js

@@ -1,310 +0,0 @@
-/**
- * vibecheck permissions - AuthZ Matrix & IDOR Detection
- * 
- * Verifies authorization is correct, not just present:
- * - Which roles can hit which routes
- * - Which UI actions leak data cross-user (IDOR)
- * - Which admin endpoints are accidentally public
- */
-
-"use strict";
-
-const path = require("path");
-const fs = require("fs");
-const { buildTruthpack, loadTruthpack } = require("./lib/truth");
-const { 
-  extractAuthModel,
-  buildAuthZMatrix,
-  formatMatrix,
-  detectIDORCandidates,
-  buildIDORTestPlan,
-  formatIDORPlan
-} = require("./lib/permissions");
-const { parseGlobalFlags, shouldShowBanner } = require("./lib/global-flags");
-
-// Entitlements enforcement
-const entitlements = require("./lib/entitlements-v2");
-
-const c = {
-  reset: '\x1b[0m',
-  bold: '\x1b[1m',
-  dim: '\x1b[2m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  cyan: '\x1b[36m',
-  red: '\x1b[31m',
-  blue: '\x1b[34m',
-};
-
-function ensureDir(p) {
-  fs.mkdirSync(p, { recursive: true });
-}
-
-async function runPermissions(args) {
-  const opts = parseArgs(args);
-
-  if (opts.help) {
-    printHelp(shouldShowBanner(opts));
-    return 0;
-  }
-
-  // TIER ENFORCEMENT: COMPLETE only
-  const access = await entitlements.enforce("permissions", {
-    projectPath: opts.path || process.cwd(),
-    silent: false,
-  });
-  
-  if (!access.allowed) {
-    console.log(`\n${c.yellow}Tip:${c.reset} The permissions command requires COMPLETE tier for advanced AuthZ analysis.`);
-    return entitlements.EXIT_FEATURE_NOT_ALLOWED;
-  }
-
-  const root = path.resolve(opts.path || process.cwd());
-  const outDir = path.join(root, ".vibecheck", "permissions");
-  ensureDir(outDir);
-
-  console.log(`\n${c.cyan}${c.bold}🔐 vibecheck permissions${c.reset}`);
-
-  // Load or build truthpack
-  let truthpack = loadTruthpack(root);
-  if (!truthpack) {
-    console.log(`${c.dim}Building truthpack...${c.reset}`);
-    truthpack = await buildTruthpack({ repoRoot: root, fastifyEntry: opts.fastifyEntry });
-  }
-
-  // Extract auth model
-  console.log(`${c.dim}Extracting auth model...${c.reset}`);
-  const authModel = await extractAuthModel(root, truthpack);
-
-  // Save auth model
-  fs.writeFileSync(
-    path.join(outDir, "auth-model.json"),
-    JSON.stringify(authModel, null, 2),
-    "utf8"
-  );
-
-  if (opts.learn) {
-    // Learning mode - just extract and display
-    console.log(`\n${c.bold}Auth Model${c.reset}`);
-    console.log(`  Roles: ${authModel.roles.map(r => r.name).join(", ")}`);
-    console.log(`  Protected patterns: ${authModel.protectedPatterns?.length || 0}`);
-    console.log(`  Routes: ${authModel.routes.length}`);
-    console.log(`  RBAC patterns: ${authModel.rbacPatterns.length}`);
-
-    if (authModel.roles.length > 0) {
-      console.log(`\n${c.bold}Detected Roles${c.reset}`);
-      for (const role of authModel.roles) {
-        console.log(`  - ${role.name} (${role.evidence.length} references)`);
-      }
-    }
-
-    console.log(`\n${c.dim}Auth model saved to: .vibecheck/permissions/auth-model.json${c.reset}`);
-    console.log(`${c.dim}Run 'vibecheck permissions --prove' to verify at runtime${c.reset}\n`);
-    return 0;
-  }
-
-  if (opts.prove) {
-    // Runtime verification mode
-    if (!opts.url) {
-      console.log(`${c.red}Error: --prove requires --url${c.reset}`);
-      return 1;
-    }
-
-    console.log(`${c.dim}Running permission verification against ${opts.url}...${c.reset}`);
-
-    // This would run actual browser tests
-    // For now, show what would be tested
-    const matrix = buildAuthZMatrix(authModel, null);
-    
-    console.log(`\n${c.bold}AuthZ Matrix${c.reset}`);
-    console.log(`  Routes to verify: ${matrix.routes.length}`);
-    console.log(`  Roles to test: ${matrix.roles.join(", ")}`);
-
-    // Save matrix
-    fs.writeFileSync(
-      path.join(outDir, "authz-matrix.json"),
-      JSON.stringify(matrix, null, 2),
-      "utf8"
-    );
-
-    fs.writeFileSync(
-      path.join(outDir, "authz-matrix.md"),
-      formatMatrix(matrix),
-      "utf8"
-    );
-
-    const blocks = matrix.violations.filter(v => v.severity === "BLOCK").length;
-    const warns = matrix.violations.filter(v => v.severity === "WARN").length;
-
-    if (matrix.violations.length > 0) {
-      console.log(`\n${c.bold}Violations${c.reset}`);
-      for (const v of matrix.violations.slice(0, 10)) {
-        const icon = v.severity === "BLOCK" ? `${c.red}✗` : `${c.yellow}⚠`;
-        console.log(`  ${icon} ${v.message}${c.reset}`);
-      }
-    } else {
-      console.log(`\n${c.green}✓ No violations detected${c.reset}`);
-    }
-
-    console.log(`\n${c.dim}Matrix saved to: .vibecheck/permissions/authz-matrix.json${c.reset}`);
-    console.log(`\n${c.bold}Verdict:${c.reset} ${blocks ? `${c.red}🛑 BLOCK${c.reset}` : warns ? `${c.yellow}⚠️ WARN${c.reset}` : `${c.green}✅ CLEAN${c.reset}`}`);
-
-    return blocks ? 2 : warns ? 1 : 0;
-  }
-
-  if (opts.matrix) {
-    // Output matrix mode
-    const matrix = buildAuthZMatrix(authModel, null);
-    console.log("\n" + formatMatrix(matrix));
-
-    fs.writeFileSync(
-      path.join(outDir, "authz-matrix.json"),
-      JSON.stringify(matrix, null, 2),
-      "utf8"
-    );
-
-    fs.writeFileSync(
-      path.join(outDir, "authz-matrix.md"),
-      formatMatrix(matrix),
-      "utf8"
-    );
-
-    return 0;
-  }
-
-  if (opts.idor) {
-    // IDOR detection mode
-    console.log(`${c.dim}Detecting IDOR candidates...${c.reset}`);
-    
-    const candidates = detectIDORCandidates(authModel);
-    const plan = buildIDORTestPlan(candidates, { safe: opts.safe });
-
-    console.log(`\n${c.bold}IDOR Candidates${c.reset}`);
-    console.log(`  Detected: ${candidates.length}`);
-
-    if (candidates.length > 0) {
-      for (const c of candidates.slice(0, 10)) {
-        console.log(`  - ${c.resourceType}: ${c.path}`);
-      }
-    }
-
-    // Save plan
-    fs.writeFileSync(
-      path.join(outDir, "idor-plan.json"),
-      JSON.stringify(plan, null, 2),
-      "utf8"
-    );
-
-    fs.writeFileSync(
-      path.join(outDir, "idor-plan.md"),
-      formatIDORPlan(plan),
-      "utf8"
-    );
-
-    console.log(`\n${c.dim}IDOR plan saved to: .vibecheck/permissions/idor-plan.json${c.reset}`);
-
-    if (!opts.safe) {
-      console.log(`\n${c.yellow}⚠️ IDOR tests require --safe flag for first-party testing${c.reset}`);
-    }
-
-    return 0;
-  }
-
-  // Default: show summary
-  console.log(`\n${c.bold}Summary${c.reset}`);
-  console.log(`  Roles: ${authModel.roles.length}`);
-  console.log(`  Routes: ${authModel.routes.length}`);
-  console.log(`  Protected patterns: ${authModel.protectedPatterns?.length || 0}`);
-
-  console.log(`\n${c.bold}Run one of:${c.reset}`);
-  console.log(`  ${c.cyan}vibecheck permissions --learn${c.reset}     Extract auth model from code`);
-  console.log(`  ${c.cyan}vibecheck permissions --prove${c.reset}     Runtime verification`);
-  console.log(`  ${c.cyan}vibecheck permissions --matrix${c.reset}    Output AuthZ matrix`);
-  console.log(`  ${c.cyan}vibecheck permissions --idor${c.reset}      Detect IDOR candidates\n`);
-
-  return 0;
-}
-
-function parseArgs(args) {
-  // Parse global flags first
-  const { flags: globalFlags, cleanArgs } = parseGlobalFlags(args);
-  
-  const opts = {
-    ...globalFlags, // Merge global flags (json, verbose, noBanner, quiet, ci, etc.)
-    path: globalFlags.path || process.cwd(),
-    url: null,
-    learn: false,
-    prove: false,
-    matrix: false,
-    idor: false,
-    safe: false,
-    fastifyEntry: null,
-    help: false,
-  };
-
-  // Parse command-specific args from cleanArgs
-  for (let i = 0; i < cleanArgs.length; i++) {
-    const arg = cleanArgs[i];
-    if (arg === "--learn") opts.learn = true;
-    else if (arg === "--prove") opts.prove = true;
-    else if (arg === "--matrix") opts.matrix = true;
-    else if (arg === "--idor") opts.idor = true;
-    else if (arg === "--safe") opts.safe = true;
-    else if (arg === "--url") opts.url = cleanArgs[++i];
-    else if (arg === "--fastify-entry") opts.fastifyEntry = cleanArgs[++i];
-    else if (arg === "--path" || arg === "-p") opts.path = cleanArgs[++i];
-    else if (arg === "--help" || arg === "-h") opts.help = true;
-  }
-
-  return opts;
-}
-
-function printHelp() {
-  console.log(`
-${c.cyan}${c.bold}🔐 vibecheck permissions${c.reset} - AuthZ Matrix & IDOR Detection
-
-Verify authorization is correct, not just present.
-
-${c.bold}USAGE${c.reset}
-  vibecheck permissions --learn          ${c.dim}# Extract auth model from code${c.reset}
-  vibecheck permissions --prove --url    ${c.dim}# Runtime verification${c.reset}
-  vibecheck permissions --matrix         ${c.dim}# Output full AuthZ matrix${c.reset}
-  vibecheck permissions --idor --safe    ${c.dim}# IDOR detection (first-party)${c.reset}
-
-${c.bold}OPTIONS${c.reset}
-  --learn             Extract auth model from code
-  --prove             Runtime verification of permissions
-  --matrix            Output AuthZ matrix
-  --idor              Detect IDOR candidates
-  --safe              Enable safe mode for IDOR testing (required)
-  --url <url>         Target URL for runtime testing
-  --fastify-entry     Fastify entry file (e.g. src/server.ts)
-  --path, -p          Project path (default: current directory)
-  --help, -h          Show this help
-
-${c.bold}FINDINGS${c.reset}
-  ${c.red}BLOCK${c.reset} Endpoint accessible as anon that should require auth
-  ${c.red}BLOCK${c.reset} User A can access User B's resource (IDOR)
-  ${c.red}BLOCK${c.reset} Role mismatch between UI + server
-  ${c.yellow}WARN${c.reset}  Admin endpoint missing role check (static)
-
-${c.bold}OUTPUT${c.reset}
-  .vibecheck/permissions/
-    auth-model.json     Extracted auth model
-    authz-matrix.json   Full authorization matrix
-    authz-matrix.md     Human-readable matrix
-    idor-plan.json      IDOR test plan
-
-${c.bold}SAFETY${c.reset}
-  IDOR tests only run with --idor --safe flag
-  Only use on local dev/staging with explicit consent
-  Configure test users in .vibecheck/config.json
-
-${c.bold}EXAMPLES${c.reset}
-  vibecheck permissions --learn                            ${c.dim}# Extract model${c.reset}
-  vibecheck permissions --prove --url http://localhost:3000
-  vibecheck permissions --idor --safe                      ${c.dim}# IDOR detection${c.reset}
-`);
-}
-
-module.exports = { runPermissions };