@vibecheckai/cli 3.2.2 → 3.2.4

package/bin/runners/lib/engines/type-aware-engine.js

@@ -0,0 +1,152 @@
+/**
+ * Type-Aware Analysis Engine
+ * Uses TypeScript type information for more accurate detection
+ */
+
+const { getAST } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+
+/**
+ * Analyze type-related issues
+ */
+function analyzeTypeAware(code, filePath) {
+  const findings = [];
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+  const isTypeScript = filePath.endsWith(".ts") || filePath.endsWith(".tsx");
+
+  // Type safety issues
+  traverse(ast, {
+    // Any types in TypeScript
+    TSAnyKeyword(path) {
+      if (isTypeScript) {
+        const line = path.node.loc.start.line;
+        findings.push({
+          type: "any_type",
+          severity: "WARN",
+          category: "TypeSafety",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: "Use of 'any' type",
+          message: "Using 'any' type defeats TypeScript's type safety",
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "high",
+        });
+      }
+    },
+    
+    // @ts-ignore comments
+    Comment(path) {
+      const comment = path.node;
+      if (comment.type === "CommentLine" || comment.type === "CommentBlock") {
+        const text = comment.value || "";
+        if (/@ts-ignore|@ts-expect-error|@ts-nocheck/.test(text)) {
+          const line = comment.loc.start.line;
+          findings.push({
+            type: "ts_ignore",
+            severity: "WARN",
+            category: "TypeSafety",
+            file: filePath,
+            line,
+            column: comment.loc.start.column,
+            title: "TypeScript error suppression",
+            message: `Using ${text.match(/@ts-\w+/)?.[0]} suppresses type checking - fix the underlying issue`,
+            codeSnippet: lines[line - 1]?.trim(),
+            confidence: "high",
+          });
+        }
+      }
+    },
+    
+    // Unsafe type assertions (as any)
+    TSAsExpression(path) {
+      if (t.isTSAnyKeyword(path.node.typeAnnotation)) {
+        const line = path.node.loc.start.line;
+        findings.push({
+          type: "unsafe_type_assertion",
+          severity: "WARN",
+          category: "TypeSafety",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: "Unsafe type assertion (as any)",
+          message: "Type assertion to 'any' bypasses type checking",
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "high",
+        });
+      }
+    },
+    
+    // Non-null assertions (!)
+    TSNonNullExpression(path) {
+      const line = path.node.loc.start.line;
+      findings.push({
+        type: "non_null_assertion",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line,
+        column: path.node.loc.start.column,
+        title: "Non-null assertion operator (!)",
+        message: "Non-null assertion can cause runtime errors if value is null/undefined",
+        codeSnippet: lines[line - 1]?.trim(),
+        confidence: "med",
+      });
+    },
+    
+    // Optional chaining without null check
+    OptionalMemberExpression(path) {
+      // Check if result is used without null check
+      const parent = path.parent;
+      if (!t.isIfStatement(parent) && !t.isConditionalExpression(parent)) {
+        const line = path.node.loc.start.line;
+        findings.push({
+          type: "unsafe_optional_chaining",
+          severity: "WARN",
+          category: "TypeSafety",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: "Optional chaining without null check",
+          message: "Optional chaining result should be checked for null/undefined",
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "low",
+        });
+      }
+    },
+  });
+
+  // Missing return type annotations
+  if (isTypeScript) {
+    traverse(ast, {
+      FunctionDeclaration(path) {
+        const node = path.node;
+        if (!node.returnType && node.id) {
+          const line = node.loc.start.line;
+          findings.push({
+            type: "missing_return_type",
+            severity: "WARN",
+            category: "TypeSafety",
+            file: filePath,
+            line,
+            column: node.loc.start.column,
+            title: `Missing return type annotation: ${node.id.name}`,
+            message: "Function should have explicit return type annotation",
+            codeSnippet: lines[line - 1]?.trim(),
+            confidence: "med",
+          });
+        }
+      },
+    });
+  }
+
+  return findings;
+}
+
+module.exports = {
+  analyzeTypeAware,
+};

package/bin/runners/lib/engines/unsafe-regex-engine.js

@@ -0,0 +1,225 @@
+/**
+ * Unsafe Regex Detection Engine
+ * Uses AST analysis to detect ReDoS (Regular Expression Denial of Service) patterns
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile } = require("./file-filter");
+
+/**
+ * Extract regex pattern from node
+ */
+function extractRegexPattern(node) {
+  if (t.isRegExpLiteral(node)) {
+    return node.pattern;
+  }
+  
+  if (t.isNewExpression(node) && t.isIdentifier(node.callee) && node.callee.name === "RegExp") {
+    const args = node.arguments;
+    if (args.length > 0 && t.isStringLiteral(args[0])) {
+      return args[0].value;
+    }
+  }
+  
+  if (t.isCallExpression(node) && t.isIdentifier(node.callee) && node.callee.name === "RegExp") {
+    const args = node.arguments;
+    if (args.length > 0 && t.isStringLiteral(args[0])) {
+      return args[0].value;
+    }
+  }
+  
+  return null;
+}
+
+/**
+ * Check if regex pattern is unsafe (ReDoS risk)
+ */
+function isUnsafeRegex(pattern) {
+  if (!pattern || typeof pattern !== "string") return null;
+  
+  const issues = [];
+  
+  // Nested quantifiers: (.*)+, (.+)+, (.*)*, (.+)*
+  if (/\(\.\*\)\+|\(\.\+\)\+|\(\.\*\)\*|\(\.\+\)\*/.test(pattern)) {
+    issues.push({
+      type: "nested_quantifiers",
+      severity: "WARN",
+      message: "Nested quantifiers can cause catastrophic backtracking",
+    });
+  }
+  
+  // Alternation with quantifier: (a|b)+
+  if (/\([^)]+\|[^)]+\)\+/.test(pattern)) {
+    issues.push({
+      type: "alternation_quantifier",
+      severity: "WARN",
+      message: "Alternation with quantifier can cause ReDoS",
+    });
+  }
+  
+  // Repetition of repetition: a+a+, a*a*
+  if (/(\w|\+|\*)\1\+|(\w|\+|\*)\2\*/.test(pattern)) {
+    issues.push({
+      type: "repetition_repetition",
+      severity: "WARN",
+      message: "Repeated repetition can cause exponential backtracking",
+    });
+  }
+  
+  // Complex nested groups with quantifiers
+  if (/\([^)]*\([^)]*\)[^)]*\)[\+\*]/.test(pattern)) {
+    issues.push({
+      type: "nested_groups_quantifier",
+      severity: "WARN",
+      message: "Nested groups with quantifiers can be unsafe",
+    });
+  }
+  
+  return issues.length > 0 ? issues : null;
+}
+
+/**
+ * Check if regex is constructed dynamically (concatenation)
+ */
+function isDynamicRegex(node, code) {
+  // Check for new RegExp(... + ...)
+  if (t.isNewExpression(node) && t.isIdentifier(node.callee) && node.callee.name === "RegExp") {
+    const args = node.arguments;
+    if (args.length > 0) {
+      // Check if argument contains binary expression (concatenation)
+      if (t.isBinaryExpression(args[0]) && args[0].operator === "+") {
+        return true;
+      }
+      
+      // Check source code for concatenation
+      const source = code.substring(args[0].start || 0, args[0].end || 0);
+      if (source.includes("+")) {
+        return true;
+      }
+    }
+  }
+  
+  return false;
+}
+
+/**
+ * Analyze a file for unsafe regex patterns
+ */
+function analyzeUnsafeRegex(code, filePath) {
+  const findings = [];
+  
+  // Skip excluded files
+  if (shouldExcludeFile(filePath)) return findings;
+  
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  traverse(ast, {
+    // Check RegExp literals: /pattern/flags
+    RegExpLiteral(path) {
+      const pattern = path.node.pattern;
+      const issues = isUnsafeRegex(pattern);
+      
+      if (issues) {
+        for (const issue of issues) {
+          const line = path.node.loc.start.line;
+          findings.push({
+            type: issue.type,
+            severity: issue.severity,
+            category: "UnsafeRegex",
+            file: filePath,
+            line,
+            column: path.node.loc.start.column,
+            title: issue.message,
+            message: `Unsafe regex pattern detected: ${pattern.substring(0, 50)}`,
+            codeSnippet: lines[line - 1]?.trim(),
+            confidence: "med",
+          });
+        }
+      }
+    },
+
+    // Check RegExp constructor: new RegExp(...)
+    NewExpression(path) {
+      if (t.isIdentifier(path.node.callee) && path.node.callee.name === "RegExp") {
+        // Check for dynamic construction
+        if (isDynamicRegex(path.node, code)) {
+          const line = path.node.loc.start.line;
+          findings.push({
+            type: "dynamic_regex",
+            severity: "WARN",
+            category: "UnsafeRegex",
+            file: filePath,
+            line,
+            column: path.node.loc.start.column,
+            title: "Dynamic regex with concatenation",
+            message: "Regex constructed dynamically with string concatenation - validate input length",
+            codeSnippet: lines[line - 1]?.trim(),
+            confidence: "med",
+          });
+        }
+        
+        // Check pattern if it's a string literal
+        const pattern = extractRegexPattern(path.node);
+        if (pattern) {
+          const issues = isUnsafeRegex(pattern);
+          if (issues) {
+            for (const issue of issues) {
+              const line = path.node.loc.start.line;
+              findings.push({
+                type: issue.type,
+                severity: issue.severity,
+                category: "UnsafeRegex",
+                file: filePath,
+                line,
+                column: path.node.loc.start.column,
+                title: issue.message,
+                message: `Unsafe regex pattern detected: ${pattern.substring(0, 50)}`,
+                codeSnippet: lines[line - 1]?.trim(),
+                confidence: "med",
+              });
+            }
+          }
+        }
+      }
+    },
+
+    // Check RegExp() calls
+    CallExpression(path) {
+      if (t.isIdentifier(path.node.callee) && path.node.callee.name === "RegExp") {
+        const pattern = extractRegexPattern(path.node);
+        if (pattern) {
+          const issues = isUnsafeRegex(pattern);
+          if (issues) {
+            for (const issue of issues) {
+              const line = path.node.loc.start.line;
+              findings.push({
+                type: issue.type,
+                severity: issue.severity,
+                category: "UnsafeRegex",
+                file: filePath,
+                line,
+                column: path.node.loc.start.column,
+                title: issue.message,
+                message: `Unsafe regex pattern detected: ${pattern.substring(0, 50)}`,
+                codeSnippet: lines[line - 1]?.trim(),
+                confidence: "med",
+              });
+            }
+          }
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeUnsafeRegex,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/README.md

@@ -0,0 +1,53 @@
+# Vibecheck Analysis Engines (Drop-in)
+
+This zip contains upgraded, conservative analysis engines designed to reduce false positives and avoid wasting cycles on generated/minified/test code.
+
+## What's inside
+- `lib/file-filter.js` — central file exclusion + test-context detection + ignore directives
+- `lib/ast-cache.js` — bounded AST cache with minified/giant-file guards
+- `lib/parallel-processor.js` — safe bounded concurrency runner with timeouts + progress hooks
+- Engines:
+  - `dead-code-engine.js`
+  - `empty-catch-engine.js`
+  - `code-quality-engine.js`
+  - `console-logs-engine.js`
+  - `deprecated-api-engine.js`
+  - `hardcoded-secrets-engine.js`
+  - `mock-data-engine.js`
+  - `performance-issues-engine.js`
+  - `type-aware-engine.js`
+  - `unsafe-regex-engine.js`
+
+## Ignore directives
+Add near the top of a file to suppress a specific engine:
+
+```js
+// vibecheck-ignore(code-quality)
+// vibecheck-ignore(dead-code)
+// vibecheck-ignore(console-logs)
+```
+
+Or suppress any engine in that file:
+
+```js
+// vibecheck-ignore
+```
+
+## Usage (example)
+
+```js
+const engines = require('./vibecheck-engines');
+
+const code = fs.readFileSync(file, 'utf8');
+
+const findings = [
+  ...engines.analyzeDeadCode(code, file),
+  ...engines.analyzeEmptyCatch(code, file),
+  ...engines.analyzeCodeQuality(code, file),
+  ...engines.analyzeConsoleLogs(code, file),
+];
+```
+
+## Notes
+- These engines intentionally skip tests/fixtures and generated/bundled outputs to keep signal high.
+- `hardcoded-secrets` is conservative, but the "Generic API Key" rule is intentionally low-confidence.

package/bin/runners/lib/engines/vibecheck-engines/index.js

@@ -0,0 +1,15 @@
+module.exports = {
+  ...require('./lib/ast-cache'),
+  fileFilter: require('./lib/file-filter'),
+  parallelProcessor: require('./lib/parallel-processor'),
+  analyzeDeadCode: require('./lib/dead-code-engine').analyzeDeadCode,
+  analyzeEmptyCatch: require('./lib/empty-catch-engine').analyzeEmptyCatch,
+  analyzeCodeQuality: require('./lib/code-quality-engine').analyzeCodeQuality,
+  analyzeConsoleLogs: require('./lib/console-logs-engine').analyzeConsoleLogs,
+  analyzeDeprecatedApi: require('./lib/deprecated-api-engine').analyzeDeprecatedApi,
+  analyzeHardcodedSecrets: require('./lib/hardcoded-secrets-engine').analyzeHardcodedSecrets,
+  analyzeMockData: require('./lib/mock-data-engine').analyzeMockData,
+  analyzePerformanceIssues: require('./lib/performance-issues-engine').analyzePerformanceIssues,
+  analyzeTypeAware: require('./lib/type-aware-engine').analyzeTypeAware,
+  analyzeUnsafeRegex: require('./lib/unsafe-regex-engine').analyzeUnsafeRegex,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js

@@ -0,0 +1,164 @@
+/**
+ * AST Cache
+ * Shared AST parsing cache for analysis engines.
+ *
+ * Goals:
+ * - Parse each source file once (per content hash)
+ * - Avoid re-parsing unchanged files across multiple engines
+ * - Keep cache bounded (entries + total bytes) to prevent memory blowups
+ * - Refuse to parse obviously minified/giant files (should be excluded anyway)
+ */
+
+const crypto = require("crypto");
+const parser = require("@babel/parser");
+
+// Map preserves insertion order. We'll use it as a simple LRU:
+// on get -> delete+set to move entry to end
+const _AST_CACHE = new Map(); // key -> { ast, hash, bytes, lines, ts }
+let _TOTAL_BYTES = 0;
+
+const LIMITS = {
+  maxEntries: 6000,
+  maxTotalBytes: 200 * 1024 * 1024, // 200MB across cached source sizes
+  maxFileBytes: 1_200_000, // 1.2MB per file (bigger files likely generated)
+  maxLines: 25_000,
+};
+
+function sha1(text) {
+  return crypto.createHash("sha1").update(text).digest("hex");
+}
+
+function countNewlines(text) {
+  let n = 1;
+  for (let i = 0; i < text.length; i++) if (text.charCodeAt(i) === 10) n++;
+  return n;
+}
+
+/**
+ * Heuristic: identify minified/bundled files (super long lines, few newlines).
+ */
+function isProbablyMinified(code) {
+  if (!code || typeof code !== "string") return false;
+  const bytes = Buffer.byteLength(code, "utf8");
+  if (bytes < 40_000) return false; // small files aren't our concern
+
+  const lines = countNewlines(code);
+  const avgLine = bytes / Math.max(1, lines);
+  if (avgLine > 600) return true;
+
+  // Count semicolons as a crude "density" marker
+  const sample = code.slice(0, Math.min(80_000, code.length));
+  const semi = (sample.match(/;/g) || []).length;
+  const braces = (sample.match(/[{}]/g) || []).length;
+  const density = (semi + braces) / Math.max(1, sample.length);
+
+  return density > 0.035 && lines < 80;
+}
+
+/**
+ * Parse code into a Babel AST.
+ * Returns null if code is too big/minified or parsing fails.
+ */
+function parseCode(code, filePath = "<unknown>") {
+  if (!code || typeof code !== "string") return null;
+
+  const bytes = Buffer.byteLength(code, "utf8");
+  if (bytes > LIMITS.maxFileBytes) return null;
+
+  const lines = countNewlines(code);
+  if (lines > LIMITS.maxLines) return null;
+
+  if (isProbablyMinified(code)) return null;
+
+  try {
+    // include TypeScript + JSX support; \"unambiguous\" handles CJS/ESM
+    return parser.parse(code, {
+      sourceType: "unambiguous",
+      plugins: [
+        "typescript",
+        "jsx",
+        "decorators-legacy",
+        "classProperties",
+        "classPrivateProperties",
+        "classPrivateMethods",
+        "dynamicImport",
+        "optionalChaining",
+        "nullishCoalescingOperator",
+        "objectRestSpread",
+        "topLevelAwait",
+      ],
+      errorRecovery: true,
+      ranges: false,
+      tokens: false,
+      attachComment: true,
+    });
+  } catch {
+    return null;
+  }
+}
+
+function _evictIfNeeded() {
+  while (_AST_CACHE.size > LIMITS.maxEntries || _TOTAL_BYTES > LIMITS.maxTotalBytes) {
+    const firstKey = _AST_CACHE.keys().next().value;
+    if (!firstKey) break;
+    const entry = _AST_CACHE.get(firstKey);
+    _AST_CACHE.delete(firstKey);
+    _TOTAL_BYTES -= entry?.bytes || 0;
+  }
+}
+
+function getAST(code, filePath = "<unknown>") {
+  // Caller should already filter, but keep extra guards here.
+  const bytes = Buffer.byteLength(code || "", "utf8");
+  if (!code || bytes > LIMITS.maxFileBytes) return null;
+  if (isProbablyMinified(code)) return null;
+
+  const key = String(filePath || "<unknown>");
+  const hash = sha1(code);
+
+  const existing = _AST_CACHE.get(key);
+  if (existing && existing.hash === hash && existing.ast) {
+    // LRU touch
+    _AST_CACHE.delete(key);
+    _AST_CACHE.set(key, existing);
+    return existing.ast;
+  }
+
+  const ast = parseCode(code, key);
+  if (!ast) return null;
+
+  const entry = {
+    ast,
+    hash,
+    bytes,
+    lines: countNewlines(code),
+    ts: Date.now(),
+  };
+
+  if (existing) _TOTAL_BYTES -= existing.bytes || 0;
+  _AST_CACHE.set(key, entry);
+  _TOTAL_BYTES += bytes;
+
+  _evictIfNeeded();
+  return ast;
+}
+
+function clearASTCache() {
+  _AST_CACHE.clear();
+  _TOTAL_BYTES = 0;
+}
+
+function getASTCacheStats() {
+  return {
+    entries: _AST_CACHE.size,
+    totalBytes: _TOTAL_BYTES,
+    limits: { ...LIMITS },
+  };
+}
+
+module.exports = {
+  getAST,
+  parseCode,
+  clearASTCache,
+  getASTCacheStats,
+};