npm - @vibecheckai/cli - Versions diffs - 3.1.6 → 3.2.0 - Mend

@vibecheckai/cli 3.1.6 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/README.md +27 -32
package/bin/registry.js +208 -343
package/bin/runners/context/generators/mcp.js +18 -0
package/bin/runners/context/index.js +72 -4
package/bin/runners/context/proof-context.js +293 -1
package/bin/runners/context/security-scanner.js +311 -73
package/bin/runners/lib/analyzers.js +607 -20
package/bin/runners/lib/detectors-v2.js +172 -15
package/bin/runners/lib/entitlements-v2.js +48 -1
package/bin/runners/lib/evidence-pack.js +678 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/missions/plan.js +231 -41
package/bin/runners/lib/missions/templates.js +125 -0
package/bin/runners/lib/scan-output.js +492 -253
package/bin/runners/lib/ship-output.js +901 -641
package/bin/runners/runCheckpoint.js +44 -3
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +2 -3
package/bin/runners/runDoctor.js +11 -4
package/bin/runners/runFix.js +51 -341
package/bin/runners/runInit.js +37 -20
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +608 -29
package/bin/runners/runProve.js +210 -25
package/bin/runners/runReality.js +861 -107
package/bin/runners/runScan.js +238 -4
package/bin/runners/runShip.js +19 -3
package/bin/runners/runWatch.js +25 -5
package/bin/vibecheck.js +35 -47
package/mcp-server/consolidated-tools.js +408 -42
package/mcp-server/index.js +152 -15
package/mcp-server/package.json +1 -1
package/mcp-server/proof-tools.js +571 -0
package/mcp-server/tier-auth.js +22 -19
package/mcp-server/tools-v3.js +744 -0
package/mcp-server/truth-firewall-tools.js +190 -4
package/package.json +3 -1
package/bin/runners/runBadge.js +0 -916
package/bin/runners/runContracts.js +0 -105
package/bin/runners/runCtx.js +0 -680
package/bin/runners/runCtxDiff.js +0 -301
package/bin/runners/runCtxGuard.js +0 -176
package/bin/runners/runCtxSync.js +0 -116
package/bin/runners/runExport.js +0 -93
package/bin/runners/runGraph.js +0 -454
package/bin/runners/runInstall.js +0 -273
package/bin/runners/runLabs.js +0 -341
package/bin/runners/runLaunch.js +0 -181
package/bin/runners/runPR.js +0 -255
package/bin/runners/runPermissions.js +0 -310
package/bin/runners/runPreflight.js +0 -580
package/bin/runners/runReplay.js +0 -499
package/bin/runners/runSecurity.js +0 -92
package/bin/runners/runShare.js +0 -212
package/bin/runners/runStatus.js +0 -102
package/bin/runners/runVerify.js +0 -272

package/bin/runners/runPreflight.js DELETED Viewed

@@ -1,580 +0,0 @@
-/**
- * Preflight Validation Command
- *
- * Validates environment, migrations, storage, and security
- * before deployment. Fails fast on critical issues.
- */
-"use strict";
-const { execSync } = require("child_process");
-const fs = require("fs");
-const path = require("path");
-const https = require("https");
-const http = require("http");
-const c = {
-  reset: "\x1b[0m",
-  bold: "\x1b[1m",
-  dim: "\x1b[2m",
-  red: "\x1b[31m",
-  green: "\x1b[32m",
-  yellow: "\x1b[33m",
-  blue: "\x1b[34m",
-  cyan: "\x1b[36m",
-};
-const checks = {
-  env: validateEnvironment,
-  secrets: validateSecrets,
-  database: validateDatabase,
-  storage: validateStorage,
-  ssl: validateSSL,
-  webhooks: validateWebhooks,
-  tiers: validateTierEnforcement,
-  services: validateExternalServices,
-  security: validateSecurityConfig
-};
-async function runPreflight(args) {
-  if (args.includes("--help") || args.includes("-h")) {
-    console.log(`
-  ${c.bold}vibecheck preflight${c.reset} - Deployment validation checks
-  ${c.bold}Usage:${c.reset}
-    vibecheck preflight [options]
-  ${c.bold}Options:${c.reset}
-    ${c.cyan}--all${c.reset}              Run all checks
-    ${c.cyan}--env${c.reset}              Validate environment variables
-    ${c.cyan}--secrets${c.reset}          Validate secrets configuration
-    ${c.cyan}--database${c.reset}         Validate database connectivity
-    ${c.cyan}--storage${c.reset}          Validate storage configuration
-    ${c.cyan}--ssl${c.reset}              Validate SSL certificates
-    ${c.cyan}--webhooks${c.reset}        Validate webhook endpoints
-    ${c.cyan}--tiers${c.reset}            Validate tier enforcement
-    ${c.cyan}--services${c.reset}         Validate external services
-    ${c.cyan}--security${c.reset}         Validate security configuration
-    ${c.cyan}--help, -h${c.reset}         Show this help
-  ${c.bold}Examples:${c.reset}
-    vibecheck preflight --all
-    vibecheck preflight --env --secrets --database
-`);
-    return 0;
-  }
-  console.log(`${c.cyan}${c.bold}🚀 Vibecheck Preflight Check${c.reset}\n`);
-  const env = process.env.NODE_ENV || "development";
-  console.log(`${c.dim}Environment: ${env.toUpperCase()}${c.reset}\n`);
-  // Determine which checks to run
-  const checksToRun = args.includes("--all")
-    ? Object.keys(checks)
-    : args.filter(arg => arg.startsWith("--")).map(arg => arg.substring(2)).filter(arg => checks[arg]);
-  if (checksToRun.length === 0) {
-    checksToRun.push(...Object.keys(checks));
-  }
-  console.log(`${c.blue}Running checks:${c.reset} ${checksToRun.join(", ")}\n`);
-  const results = {
-    passed: [],
-    failed: [],
-    warnings: []
-  };
-  // Run each check
-  for (const checkName of checksToRun) {
-    console.log(`${c.yellow}⏳ Running ${checkName} check...${c.reset}`);
-    try {
-      const result = await checks[checkName]();
-      if (result.passed) {
-        console.log(`${c.green}✅ ${checkName}: PASSED${c.reset}`);
-        results.passed.push(checkName);
-        if (result.message) {
-          console.log(`   ${c.dim}${result.message}${c.reset}`);
-        }
-      } else {
-        console.log(`${c.red}❌ ${checkName}: FAILED${c.reset}`);
-        console.log(`   ${result.error}`);
-        results.failed.push({ name: checkName, error: result.error });
-      }
-    } catch (err) {
-      console.log(`${c.red}❌ ${checkName}: ERROR${c.reset}`);
-      console.log(`   ${err.message}`);
-      results.failed.push({ name: checkName, error: err.message });
-    }
-    console.log();
-  }
-  // Summary
-  console.log(`${c.bold}${'═'.repeat(50)}${c.reset}`);
-  console.log(`${c.bold}PREFLIGHT CHECK SUMMARY${c.reset}`);
-  console.log(`${c.bold}${'═'.repeat(50)}${c.reset}`);
-  console.log(`${c.green}✅ Passed: ${results.passed.length}${c.reset}`);
-  console.log(`${c.red}❌ Failed: ${results.failed.length}${c.reset}`);
-  console.log(`${c.yellow}⚠️  Warnings: ${results.warnings.length}${c.reset}\n`);
-  // Fail if any critical checks failed
-  const criticalFailures = results.failed.filter(f =>
-    ["env", "secrets", "database", "webhooks", "tiers"].includes(f.name)
-  );
-  if (criticalFailures.length > 0) {
-    console.log(`${c.red}${c.bold}💥 CRITICAL FAILURES DETECTED${c.reset}`);
-    console.log("Fix the following issues before deploying:\n");
-    for (const failure of criticalFailures) {
-      console.log(`${c.red}• ${failure.name}: ${failure.error}${c.reset}`);
-    }
-    console.log(`\n${c.yellow}Run 'vibecheck preflight --fix' to attempt auto-fixes${c.reset}`);
-    return 2; // BLOCK
-  }
-  if (results.failed.length > 0) {
-    console.log(`${c.yellow}⚠️  Some non-critical checks failed${c.reset}`);
-    console.log("Review and fix if necessary\n");
-    return 1; // WARN
-  }
-  console.log(`${c.green}🎉 All checks passed! Ready to deploy.${c.reset}`);
-  return 0; // SHIP
-}
-async function validateEnvironment() {
-  const { validateEnvironment } = require("../../shared/env-validator");
-  try {
-    const { validated } = validateEnvironment();
-    // Check for production-specific requirements
-    if (process.env.NODE_ENV === "production") {
-      const prodRequired = [
-        "VIBECHECK_ENFORCE_HTTPS",
-        "VIBECHECK_CORS_ORIGIN",
-        "SENTRY_DSN",
-        "VIBECHECK_RATE_LIMIT_STRICT"
-      ];
-      for (const key of prodRequired) {
-        if (!validated[key]) {
-          return { passed: false, error: `Missing production variable: ${key}` };
-        }
-      }
-      // Check that dangerous dev flags are NOT set
-      const forbidden = [
-        "VIBECHECK_SKIP_AUTH",
-        "VIBECHECK_FAKE_BILLING",
-        "VIBECHECK_MOCK_AI"
-      ];
-      for (const key of forbidden) {
-        if (validated[key] === "true") {
-          return { passed: false, error: `Dangerous flag set in production: ${key}` };
-        }
-      }
-    }
-    return { passed: true, message: "All environment variables valid" };
-  } catch (err) {
-    return { passed: false, error: err.message };
-  }
-}
-async function validateSecrets() {
-  const secrets = [
-    "VIBECHECK_JWT_SECRET",
-    "VIBECHECK_REFRESH_SECRET",
-    "VIBECHECK_API_SECRET"
-  ];
-  for (const secret of secrets) {
-    const value = process.env[secret];
-    if (!value) {
-      return { passed: false, error: `Missing secret: ${secret}` };
-    }
-    if (value.length < 32) {
-      return { passed: false, error: `${secret} too short (min 32 chars)` };
-    }
-    // Check for weak patterns
-    if (value === "secret" || value === "password" || value.startsWith("test")) {
-      return { passed: false, error: `${secret} appears to be weak` };
-    }
-  }
-  return { passed: true, message: "All secrets are strong" };
-}
-async function validateDatabase() {
-  const databaseUrl = process.env.DATABASE_URL;
-  if (!databaseUrl) {
-    return { passed: false, error: "DATABASE_URL not set" };
-  }
-  try {
-    // Parse database URL to check SSL
-    const url = new URL(databaseUrl);
-    if (process.env.NODE_ENV === "production" && url.searchParams.get("sslmode") !== "require") {
-      return { passed: false, error: "Database must use SSL in production" };
-    }
-    // Test connectivity
-    const { Client } = require("pg");
-    const client = new Client({ connectionString: databaseUrl });
-    await client.connect();
-    // Check migrations
-    const result = await client.query(`
-      SELECT COUNT(*) as count FROM schema_migrations
-    `);
-    await client.end();
-    const migrationCount = parseInt(result.rows[0].count);
-    if (migrationCount === 0) {
-      return { passed: false, error: "No migrations found - run 'npm run db:migrate'" };
-    }
-    return { passed: true, message: `${migrationCount} migrations applied` };
-  } catch (err) {
-    return { passed: false, error: `Database connection failed: ${err.message}` };
-  }
-}
-async function validateStorage() {
-  const storageType = process.env.STORAGE_TYPE || "local";
-  if (storageType === "s3") {
-    const required = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_S3_BUCKET"];
-    for (const key of required) {
-      if (!process.env[key]) {
-        return { passed: false, error: `Missing S3 config: ${key}` };
-      }
-    }
-    // Test S3 connectivity
-    try {
-      const AWS = require("aws-sdk");
-      const s3 = new AWS.S3({
-        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
-        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
-        region: process.env.AWS_REGION || "us-east-1"
-      });
-      await s3.headBucket({ Bucket: process.env.AWS_S3_BUCKET }).promise();
-      return { passed: true, message: "S3 bucket accessible" };
-    } catch (err) {
-      return { passed: false, error: `S3 access failed: ${err.message}` };
-    }
-  }
-  // For local storage, check directory exists
-  if (storageType === "local") {
-    const uploadDir = process.env.UPLOAD_DIR || "./uploads";
-    if (!fs.existsSync(uploadDir)) {
-      try {
-        fs.mkdirSync(uploadDir, { recursive: true });
-      } catch (err) {
-        return { passed: false, error: `Cannot create upload directory: ${err.message}` };
-      }
-    }
-    return { passed: true, message: "Local storage ready" };
-  }
-  return { passed: true, message: `${storageType} storage configured` };
-}
-async function validateSSL() {
-  if (process.env.NODE_ENV !== "production") {
-    return { passed: true, message: "SSL not required in development" };
-  }
-  const url = process.env.VIBECHECK_PUBLIC_URL || "https://api.vibecheck.ai";
-  try {
-    return new Promise((resolve) => {
-      const req = https.get(url, (res) => {
-        const cert = res.socket.getPeerCertificate();
-        if (!cert) {
-          resolve({ passed: false, error: "No SSL certificate found" });
-          return;
-        }
-        // Check certificate expiry
-        const now = new Date();
-        const expiry = new Date(cert.valid_to);
-        if (expiry < now) {
-          resolve({ passed: false, error: "SSL certificate expired" });
-          return;
-        }
-        // Check expiry within 30 days
-        const thirtyDays = new Date(now.getTime() + 30 * 24 * 60 * 60 * 1000);
-        if (expiry < thirtyDays) {
-          resolve({
-            passed: false,
-            error: `SSL certificate expires soon: ${cert.valid_to}`
-          });
-          return;
-        }
-        resolve({
-          passed: true,
-          message: `SSL valid until ${cert.valid_to}`
-        });
-      });
-      req.on("error", (err) => {
-        resolve({ passed: false, error: `SSL check failed: ${err.message}` });
-      });
-      req.setTimeout(5000, () => {
-        req.destroy();
-        resolve({ passed: false, error: "SSL check timeout" });
-      });
-    });
-  } catch (err) {
-    return { passed: false, error: err.message };
-  }
-}
-async function validateWebhooks() {
-  const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
-  if (!webhookSecret) {
-    return { passed: false, error: "STRIPE_WEBHOOK_SECRET not set" };
-  }
-  if (!webhookSecret.startsWith("whsec_")) {
-    return { passed: false, error: "Invalid webhook secret format" };
-  }
-  // Test webhook endpoint
-  const testPayload = JSON.stringify({
-    id: `evt_test_${Date.now()}`,
-    type: "test",
-    data: { object: { test: true } }
-  });
-  const timestamp = Math.floor(Date.now() / 1000);
-  const signedPayload = `${timestamp}.${testPayload}`;
-  const crypto = require("crypto");
-  const signature = crypto
-    .createHmac("sha256", webhookSecret)
-    .update(signedPayload)
-    .digest("hex");
-  const stripeSignature = `t=${timestamp},v1=${signature}`;
-  try {
-    const webhookUrl = process.env.VIBECHECK_WEBHOOK_URL || "http://localhost:3000/webhooks/stripe";
-    return new Promise((resolve) => {
-      const postData = testPayload;
-      const req = http.request(webhookUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "Content-Length": Buffer.byteLength(postData),
-          "Stripe-Signature": stripeSignature
-        }
-      }, (res) => {
-        let data = "";
-        res.on("data", chunk => data += chunk);
-        res.on("end", () => {
-          if (res.statusCode === 200) {
-            resolve({ passed: true, message: "Webhook signature verification working" });
-          } else {
-            resolve({ passed: false, error: `Webhook returned ${res.statusCode}` });
-          }
-        });
-      });
-      req.on("error", (err) => {
-        resolve({ passed: false, error: `Webhook test failed: ${err.message}` });
-      });
-      req.setTimeout(5000, () => {
-        req.destroy();
-        resolve({ passed: false, error: "Webhook test timeout" });
-      });
-      req.write(postData);
-      req.end();
-    });
-  } catch (err) {
-    return { passed: false, error: err.message };
-  }
-}
-async function validateTierEnforcement() {
-  // Check CLI tier enforcement
-  try {
-    const { enforce } = require("../lib/entitlements-v2");
-    // Test free tier
-    const freeResult = await enforce("scan", { silent: true });
-    if (!freeResult.allowed) {
-      return { passed: false, error: "CLI incorrectly blocks free tier features" };
-    }
-    // Test pro tier enforcement
-    const proResult = await enforce("prove", { silent: true });
-    if (proResult.allowed && process.env.NODE_ENV === "production") {
-      return { passed: false, error: "CLI incorrectly allows pro features without auth" };
-    }
-  } catch (err) {
-    return { passed: false, error: `CLI tier check failed: ${err.message}` };
-  }
-  // Check API tier enforcement if server is running
-  const apiUrl = process.env.VIBECHECK_API_URL || "http://localhost:3000";
-  try {
-    // Test without auth
-    const response = await fetch(`${apiUrl}/api/v1/ship`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" }
-    });
-    if (response.status !== 401 && response.status !== 403) {
-      return { passed: false, error: "API not enforcing authentication" };
-    }
-  } catch (err) {
-    // Server might not be running - that's OK for preflight
-    return { passed: true, message: "API not running - skip check" };
-  }
-  return { passed: true, message: "Tier enforcement consistent" };
-}
-async function validateExternalServices() {
-  const services = [
-    { name: "License API", url: process.env.VIBECHECK_LICENSE_API },
-    { name: "AI Endpoint", url: process.env.VIBECHECK_AI_ENDPOINT }
-  ];
-  for (const service of services) {
-    if (!service.url) {
-      return { passed: false, error: `${service.name} URL not configured` };
-    }
-    try {
-      const response = await fetch(`${service.url}/health`, {
-        method: "GET",
-        timeout: 5000
-      });
-      if (!response.ok) {
-        return { passed: false, error: `${service.name} unhealthy: ${response.status}` };
-      }
-    } catch (err) {
-      return { passed: false, error: `${service.name} unreachable: ${err.message}` };
-    }
-  }
-  return { passed: true, message: "All external services healthy" };
-}
-async function validateSecurityConfig() {
-  const issues = [];
-  // Check for secure headers in production
-  if (process.env.NODE_ENV === "production") {
-    if (!process.env.VIBECHECK_ENFORCE_HTTPS) {
-      issues.push("HTTPS enforcement not enabled");
-    }
-    if (!process.env.VIBECHECK_RATE_LIMIT_STRICT) {
-      issues.push("Strict rate limiting not enabled");
-    }
-    const corsOrigin = process.env.VIBECHECK_CORS_ORIGIN;
-    if (!corsOrigin || corsOrigin.includes("*") || corsOrigin.includes("localhost")) {
-      issues.push("CORS origin not properly restricted");
-    }
-  }
-  // Check for required security headers
-  const requiredHeaders = [
-    "helmet",
-    "cors",
-    "rateLimit"
-  ];
-  // Check if security middleware is configured
-  try {
-    const apiFile = fs.readFileSync("./apps/api/src/app.js", "utf8");
-    for (const header of requiredHeaders) {
-      if (!apiFile.includes(header)) {
-        issues.push(`Security middleware '${header}' not found`);
-      }
-    }
-  } catch (err) {
-    // API file might not exist in this context
-  }
-  if (issues.length > 0) {
-    return { passed: false, error: issues.join("; ") };
-  }
-  return { passed: true, message: "Security configuration valid" };
-}
-function printHelp() {
-  console.log(`
-${c.cyan}${c.bold}vibecheck preflight${c.reset} - Deployment validation
-${c.bold}USAGE${c.reset}
-  vibecheck preflight [options]
-${c.bold}OPTIONS${c.reset}
-  --all              Run all checks
-  --env              Validate environment variables
-  --secrets          Validate secrets strength
-  --database         Validate database connectivity
-  --storage          Validate storage configuration
-  --ssl              Validate SSL certificates
-  --webhooks         Validate webhook signatures
-  --tiers            Validate tier enforcement
-  --services         Validate external services
-  --security         Validate security configuration
-  --fix              Attempt to fix issues (where possible)
-  --help, -h         Show this help
-${c.bold}EXAMPLES${c.reset}
-  vibecheck preflight --all           # Run all checks
-  vibecheck preflight --env --secrets # Run specific checks
-  vibecheck preflight                 # Run all checks (default)
-${c.bold}EXIT CODES${c.reset}
-  0 = All checks passed
-  1 = Non-critical warnings
-  2 = Critical failures (block deployment)
-`);
-}
-module.exports = { runPreflight, printHelp };