@vibecheckai/cli 3.1.8 → 3.2.0

package/bin/runners/lib/detectors-v2.js

@@ -355,6 +355,7 @@ function detectAuthContractDrift(truthpack, authContract) {
 /**
  * D_ENV_USED_BUT_UNDECLARED (WARN→BLOCK if required)
  * Trigger: truthpack envUsage includes FOO but contracts/env.json does not
+ * Enhanced with better required/optional detection
  */
 function detectEnvUsedButUndeclared(truthpack, envContract) {
   const findings = [];
@@ -363,7 +364,28 @@ function detectEnvUsedButUndeclared(truthpack, envContract) {
 
   for (const usage of envUsage) {
     if (!declaredVars.has(usage.name)) {
-      const isRequired = usage.inferredRequiredness === "required" || isLikelyRequired(usage.name);
+      // Check if usage pattern suggests optional
+      const usageCode = usage.locations?.[0]?.snippet || "";
+      const hasOptionalPattern = hasOptionalUsagePattern(usageCode);
+      
+      // Determine if required based on name patterns and usage
+      const isRequired = !hasOptionalPattern && 
+        (usage.inferredRequiredness === "required" || isLikelyRequired(usage.name));
+      
+      // Skip reporting for common optional env vars that are typically not documented
+      const commonOptionalVars = [
+        /^DEBUG$/i,
+        /^LOG_LEVEL$/i,
+        /^NODE_ENV$/i,
+        /^CI$/i,
+        /^VERCEL/i,
+        /^GITHUB_/i,
+        /^NEXT_PUBLIC_VERCEL/i,
+      ];
+      
+      if (commonOptionalVars.some(p => p.test(usage.name))) {
+        continue;
+      }
       
       findings.push(createFindingV2({
         detectorId: "ENV_USED_BUT_UNDECLARED",
@@ -620,44 +642,177 @@ function detectContractsOutOfDate(truthpack, contracts) {
 // Helpers
 // =============================================================================
 
+/**
+ * Enhanced route matching with support for:
+ * - Dynamic segments (:id, [id], [slug], [...slug])
+ * - Optional catch-all routes [[...slug]]
+ * - Query string stripping
+ * - Trailing slash normalization
+ */
 function routeMatches(pattern, actual) {
-  const patternParts = pattern.split("/").filter(Boolean);
-  const actualParts = actual.split("/").filter(Boolean);
+  // Normalize: strip query strings and trailing slashes
+  const normalizedPattern = pattern.split("?")[0].replace(/\/+$/, "") || "/";
+  const normalizedActual = actual.split("?")[0].replace(/\/+$/, "") || "/";
+  
+  const patternParts = normalizedPattern.split("/").filter(Boolean);
+  const actualParts = normalizedActual.split("/").filter(Boolean);
+
+  // Handle catch-all routes: [...slug] or [[...slug]]
+  const hasCatchAll = patternParts.some(p => 
+    p.startsWith("[...") || p.startsWith("[[...")
+  );
+  
+  if (hasCatchAll) {
+    const catchAllIndex = patternParts.findIndex(p => 
+      p.startsWith("[...") || p.startsWith("[[...")
+    );
+    
+    // For catch-all, pattern up to catch-all must match
+    for (let i = 0; i < catchAllIndex; i++) {
+      const p = patternParts[i];
+      if (isDynamicSegment(p)) continue;
+      if (p !== actualParts[i]) return false;
+    }
+    
+    // Catch-all matches any remaining segments (including none for [[...]])
+    const isOptional = patternParts[catchAllIndex].startsWith("[[...");
+    if (!isOptional && actualParts.length <= catchAllIndex) {
+      return false;
+    }
+    
+    return true;
+  }
 
+  // Standard matching: lengths must match
   if (patternParts.length !== actualParts.length) return false;
 
   for (let i = 0; i < patternParts.length; i++) {
     const p = patternParts[i];
-    if (p.startsWith(":") || p.startsWith("[") || p === "*") continue;
+    if (isDynamicSegment(p)) continue;
     if (p !== actualParts[i]) return false;
   }
   return true;
 }
 
+/**
+ * Check if a route segment is dynamic
+ */
+function isDynamicSegment(segment) {
+  return segment.startsWith(":") ||    // Express-style :id
+         segment.startsWith("[") ||     // Next.js-style [id]
+         segment === "*" ||             // Wildcard
+         segment.startsWith("$");       // Remix-style $id
+}
+
+/**
+ * Enhanced glob pattern matching with proper escaping
+ */
 function matchPattern(pattern, url) {
-  // Convert glob-like pattern to regex
-  const regex = new RegExp(
-    "^" + pattern
-      .replace(/\*/g, ".*")
-      .replace(/\//g, "\\/")
-    + "$"
-  );
-  return regex.test(url) || regex.test(new URL(url, "http://localhost").pathname);
+  try {
+    // Normalize URL: extract pathname
+    let pathname;
+    try {
+      pathname = new URL(url, "http://localhost").pathname;
+    } catch {
+      pathname = url.split("?")[0];
+    }
+    
+    // Escape special regex chars except * and ?
+    const escaped = pattern
+      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+      .replace(/\*\*/g, "{{GLOBSTAR}}")
+      .replace(/\*/g, "[^/]*")
+      .replace(/\?/g, ".")
+      .replace(/{{GLOBSTAR}}/g, ".*");
+    
+    const regex = new RegExp("^" + escaped + "$");
+    return regex.test(url) || regex.test(pathname);
+  } catch {
+    // Fallback to simple comparison
+    return pattern === url;
+  }
 }
 
+/**
+ * Enhanced env var requirement detection
+ * Returns { required: boolean, confidence: 'high' | 'medium' | 'low', reason: string }
+ */
 function isLikelyRequired(name) {
-  const requiredPatterns = [
+  // High-confidence required patterns
+  const highConfidenceRequired = [
     /^DATABASE_URL$/i,
     /^NEXTAUTH_SECRET$/i,
     /^NEXTAUTH_URL$/i,
     /^JWT_SECRET$/i,
+    /^AUTH_SECRET$/i,
+    /^SESSION_SECRET$/i,
+    /^ENCRYPTION_KEY$/i,
     /^STRIPE_SECRET_KEY$/i,
     /^STRIPE_WEBHOOK_SECRET$/i,
-    /SECRET/i,
+    /^OPENAI_API_KEY$/i,
+    /^ANTHROPIC_API_KEY$/i,
+  ];
+  
+  // Medium-confidence required patterns
+  const mediumConfidenceRequired = [
+    /SECRET$/i,
     /TOKEN$/i,
     /API_KEY$/i,
+    /PRIVATE_KEY$/i,
+    /PASSWORD$/i,
+    /CREDENTIALS$/i,
+  ];
+  
+  // Patterns that indicate optional env vars
+  const optionalPatterns = [
+    /^DEBUG/i,
+    /^LOG_/i,
+    /^ENABLE_/i,
+    /^DISABLE_/i,
+    /^FEATURE_/i,
+    /^FLAG_/i,
+    /^ANALYTICS/i,
+    /^TELEMETRY/i,
+    /^SENTRY/i,
+    /^PORT$/i,
+    /^HOST$/i,
+    /^NODE_ENV$/i,
   ];
-  return requiredPatterns.some(p => p.test(name));
+  
+  // Check optional first (overrides required)
+  if (optionalPatterns.some(p => p.test(name))) {
+    return false;
+  }
+  
+  // Check high-confidence required
+  if (highConfidenceRequired.some(p => p.test(name))) {
+    return true;
+  }
+  
+  // Check medium-confidence required
+  if (mediumConfidenceRequired.some(p => p.test(name))) {
+    return true;
+  }
+  
+  return false;
+}
+
+/**
+ * Check if an env var usage suggests it's optional
+ */
+function hasOptionalUsagePattern(code) {
+  const optionalPatterns = [
+    /\|\|\s*['"]?undefined['"]?/,      // || undefined
+    /\?\?\s*['"]?undefined['"]?/,      // ?? undefined
+    /\|\|\s*null/,                      // || null
+    /\?\?\s*null/,                      // ?? null
+    /\|\|\s*false/,                     // || false
+    /\?\?\s*false/,                     // ?? false
+    /if\s*\(\s*process\.env\./,         // Conditional usage
+    /process\.env\.\w+\s*\?\s*\./,      // Optional chaining
+  ];
+  
+  return optionalPatterns.some(p => p.test(code));
 }
 
 // =============================================================================
@@ -700,4 +855,6 @@ module.exports = {
   routeMatches,
   matchPattern,
   isLikelyRequired,
+  isDynamicSegment,
+  hasOptionalUsagePattern,
 };

package/bin/runners/lib/entitlements-v2.js

@@ -141,6 +141,50 @@ const ENTITLEMENTS = {
   // ─────────────────────────────────────────────────────────────────────────────
   "security": { minTier: "pro" },
   
+  // ─────────────────────────────────────────────────────────────────────────────
+  // AI FEATURES - Token/Cost Controls
+  // ─────────────────────────────────────────────────────────────────────────────
+  "ai": { minTier: "starter", downgrade: "ai.none" },
+  "ai.none": { minTier: "free", caps: { free: "No AI features - upgrade for AI" } },
+  "ai.starter": { 
+    minTier: "starter", 
+    caps: { 
+      starter: {
+        model: "gpt-3.5-turbo",           // Cheaper model for Starter
+        maxCallsPerMonth: 10,              // 10 AI calls/month
+        maxInputTokensPerRequest: 2000,    // ~$0.002 max input cost
+        maxOutputTokensPerRequest: 1000,   // ~$0.002 max output cost
+        maxCostPerMonth: 0.50,             // $0.50 max AI spend/month
+      }
+    } 
+  },
+  "ai.pro": { 
+    minTier: "pro", 
+    caps: { 
+      pro: {
+        model: "gpt-4-turbo-preview",     // Premium model for Pro
+        alternateModel: "claude-3-5-sonnet-20241022", // Fallback
+        maxCallsPerMonth: 50,              // 50 AI calls/month
+        maxInputTokensPerRequest: 4000,    // ~$0.04 max input cost
+        maxOutputTokensPerRequest: 2000,   // ~$0.06 max output cost
+        maxCostPerMonth: 5.00,             // $5.00 max AI spend/month
+      }
+    } 
+  },
+  "ai.compliance": { 
+    minTier: "compliance", 
+    caps: { 
+      compliance: {
+        model: "gpt-4-turbo-preview",
+        alternateModel: "claude-3-5-sonnet-20241022",
+        maxCallsPerMonth: 500,             // 500 AI calls/month
+        maxInputTokensPerRequest: 8000,
+        maxOutputTokensPerRequest: 4000,
+        maxCostPerMonth: 50.00,            // $50 max AI spend/month
+      }
+    } 
+  },
+  
   // ─────────────────────────────────────────────────────────────────────────────
   // PRO ONLY
   // ─────────────────────────────────────────────────────────────────────────────
@@ -155,7 +199,10 @@ const ENTITLEMENTS = {
   // ─────────────────────────────────────────────────────────────────────────────
   "gate": { minTier: "starter" },
   "pr": { minTier: "starter" },
-  "badge": { minTier: "starter" },
+  "badge": { minTier: "starter", downgrade: "badge.basic" },
+  "badge.basic": { minTier: "starter" },           // Basic badge (STARTER)
+  "badge.verified": { minTier: "pro" },            // Verified badge with seal (PRO)
+  "fix_hints": { minTier: "starter" },             // Fix hints/missions in output
   "launch": { minTier: "starter" },
   "dashboard_sync": { minTier: "starter" },