@vibecheckai/cli 3.2.2 → 3.2.4

package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js

@@ -0,0 +1,139 @@
+/**
+ * Hardcoded Secrets Engine
+ * Detects API keys, tokens, passwords, and private keys in code.
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+// Enhanced patterns with more comprehensive detection
+const SECRET_PATTERNS = [
+  { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/ },
+  { name: "AWS Secret Key", pattern: /[0-9a-zA-Z/+]{40}/ },
+  { name: "GitHub Token", pattern: /ghp_[0-9a-zA-Z]{36}/ },
+  { name: "GitLab Token", pattern: /glpat-[0-9a-zA-Z\-_]{20,}/ },
+  { name: "Slack Token", pattern: /xox[baprs]-[0-9a-zA-Z]{10,48}/ },
+  { name: "Stripe Key", pattern: /sk_(live|test)_[0-9a-zA-Z]{24,}/ },
+  { name: "Generic API Key", pattern: /[a-zA-Z0-9]{32,}/ },
+  { name: "JWT Token", pattern: /eyJ[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+/ },
+  { name: "Private Key", pattern: /-----BEGIN (RSA |EC )?PRIVATE KEY-----/ },
+  { name: "Database URL", pattern: /(mongodb|postgresql|mysql):\/\/[^\\s]+/ },
+  { name: "Password", pattern: /(password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]/i },
+  { name: "Bearer Token", pattern: /Bearer\s+[a-zA-Z0-9\-_\.]+/i },
+  { name: "OAuth Token", pattern: /ya29\.[0-9A-Za-z\-_]+/ },
+  { name: "Twilio Key", pattern: /SK[0-9a-fA-F]{32}/ },
+];
+
+function getContext(code, start, length = 80) {
+  const contextStart = Math.max(0, start - length / 2);
+  const contextEnd = Math.min(code.length, start + length / 2);
+  return code.slice(contextStart, contextEnd).replace(/\n/g, " ").trim();
+}
+
+function isLikelyFalsePositive(value) {
+  // Exclude obvious placeholders
+  const placeholders = [
+    "YOUR_API_KEY",
+    "API_KEY_HERE",
+    "REPLACE_ME",
+    "CHANGE_ME",
+    "INSERT_KEY",
+    "TODO",
+    "EXAMPLE",
+    "SAMPLE",
+    "TEST",
+    "DUMMY",
+  ];
+  const upper = String(value).toUpperCase();
+  return placeholders.some((p) => upper.includes(p));
+}
+
+function analyzeHardcodedSecrets(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "hardcoded-secrets")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  // Check string literals for secrets
+  traverse(ast, {
+    StringLiteral(path) {
+      const value = path.node.value;
+      if (!value || value.length < 12) return;
+      if (isLikelyFalsePositive(value)) return;
+
+      for (const secretPattern of SECRET_PATTERNS) {
+        const match = value.match(secretPattern.pattern);
+        if (!match) continue;
+
+        const loc = path.node.loc?.start;
+        if (!loc) continue;
+
+        const line = loc.line;
+        const context = getContext(code, path.node.start || 0);
+
+        findings.push({
+          type: "hardcoded_secret",
+          severity: "BLOCK",
+          category: "Security",
+          file: filePath,
+          line,
+          column: loc.column,
+          title: `Hardcoded ${secretPattern.name} detected`,
+          message: `Found potential ${secretPattern.name} in string literal. Move to environment variables or secret manager.`,
+          codeSnippet: lines[line - 1]?.trim(),
+          evidence: context,
+          confidence: secretPattern.name === "Generic API Key" ? "low" : "high",
+        });
+      }
+    },
+
+    TemplateLiteral(path) {
+      // Template literals may contain secrets in raw strings (rare), but catch if a quasi looks like a token.
+      for (const quasi of path.node.quasis || []) {
+        const value = quasi.value?.cooked || "";
+        if (!value || value.length < 12) continue;
+        if (isLikelyFalsePositive(value)) continue;
+
+        for (const secretPattern of SECRET_PATTERNS) {
+          const match = value.match(secretPattern.pattern);
+          if (!match) continue;
+
+          const loc = quasi.loc?.start || path.node.loc?.start;
+          if (!loc) continue;
+
+          const line = loc.line;
+          const context = getContext(code, quasi.start || path.node.start || 0);
+
+          findings.push({
+            type: "hardcoded_secret",
+            severity: "BLOCK",
+            category: "Security",
+            file: filePath,
+            line,
+            column: loc.column,
+            title: `Hardcoded ${secretPattern.name} detected`,
+            message: `Found potential ${secretPattern.name} in template literal. Move to environment variables or secret manager.`,
+            codeSnippet: lines[line - 1]?.trim(),
+            evidence: context,
+            confidence: secretPattern.name === "Generic API Key" ? "low" : "high",
+          });
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeHardcodedSecrets,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js

@@ -0,0 +1,140 @@
+/**
+ * Mock Data Engine
+ * Detects mock, fake, or placeholder data in production code.
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+// Enhanced mock data patterns
+const MOCK_PATTERNS = [
+  { pattern: /mock/i, type: "mock_reference", message: "Mock reference found" },
+  { pattern: /fake/i, type: "fake_data", message: "Fake data reference found" },
+  { pattern: /dummy/i, type: "dummy_data", message: "Dummy data reference found" },
+  { pattern: /test.*data/i, type: "test_data", message: "Test data reference found" },
+  { pattern: /lorem ipsum/i, type: "lorem_ipsum", message: "Lorem ipsum placeholder found" },
+  { pattern: /todo|fixme/i, type: "todo_fixme", message: "TODO/FIXME found in code" },
+  { pattern: /placeholder/i, type: "placeholder", message: "Placeholder reference found" },
+  { pattern: /example/i, type: "example_data", message: "Example reference found" },
+  { pattern: /sample/i, type: "sample_data", message: "Sample data reference found" },
+  { pattern: /hardcode/i, type: "hardcoded", message: "Hardcoded data reference found" },
+];
+
+// Common mock data values
+const MOCK_VALUES = [
+  "test",
+  "demo",
+  "example",
+  "sample",
+  "placeholder",
+  "lorem",
+  "ipsum",
+  "foo",
+  "bar",
+  "baz",
+  "mock",
+  "fake",
+  "dummy",
+  "12345",
+  "password",
+  "admin",
+  "user",
+];
+
+function analyzeMockData(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "mock-data")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  // Check string literals for mock data
+  traverse(ast, {
+    StringLiteral(path) {
+      const value = path.node.value;
+      if (!value || value.length < 2) return;
+
+      // Check for common mock values (case-insensitive)
+      const lower = value.toLowerCase();
+      if (MOCK_VALUES.includes(lower)) {
+        const loc = path.node.loc?.start;
+        if (!loc) return;
+
+        findings.push({
+          type: "mock_value",
+          severity: "INFO",
+          category: "CodeQuality",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Potential mock value in string literal",
+          message: `String literal "${value}" looks like mock/placeholder data.`,
+          codeSnippet: lines[loc.line - 1]?.trim(),
+          confidence: "low",
+        });
+      }
+
+      // Check for mock patterns
+      for (const mockPattern of MOCK_PATTERNS) {
+        if (mockPattern.pattern.test(value)) {
+          const loc = path.node.loc?.start;
+          if (!loc) continue;
+
+          findings.push({
+            type: mockPattern.type,
+            severity: mockPattern.type === "todo_fixme" ? "WARN" : "INFO",
+            category: "CodeQuality",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: mockPattern.message,
+            message: `Found "${mockPattern.pattern}" in string literal: "${value}"`,
+            codeSnippet: lines[loc.line - 1]?.trim(),
+            confidence: "low",
+          });
+        }
+      }
+    },
+
+    Identifier(path) {
+      const name = path.node.name;
+      if (!name) return;
+
+      // Check for mock patterns in variable names (avoid huge noise: only longer names)
+      if (name.length < 5) return;
+
+      for (const mockPattern of MOCK_PATTERNS) {
+        if (mockPattern.pattern.test(name)) {
+          const loc = path.node.loc?.start;
+          if (!loc) continue;
+
+          findings.push({
+            type: mockPattern.type,
+            severity: mockPattern.type === "todo_fixme" ? "WARN" : "INFO",
+            category: "CodeQuality",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: `Mock-like identifier: ${name}`,
+            message: `Identifier name suggests mock/placeholder data: "${name}"`,
+            codeSnippet: lines[loc.line - 1]?.trim(),
+            confidence: "low",
+          });
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeMockData,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js

@@ -0,0 +1,164 @@
+/**
+ * Parallel Processor
+ * Utility to process a list of files concurrently with bounded parallelism.
+ *
+ * NOTE: The caller provides `processor(filePath)` which may return any value.
+ * We collect both results and errors without crashing the whole run.
+ */
+
+const os = require("os");
+
+/**
+ * Run a promise with an optional timeout.
+ */
+async function withTimeout(promise, timeoutMs, label = "operation") {
+  if (!timeoutMs || timeoutMs <= 0) return promise;
+
+  let timer = null;
+  const timeout = new Promise((_, reject) => {
+    timer = setTimeout(() => {
+      const err = new Error(`${label} timed out after ${timeoutMs}ms`);
+      err.code = "ETIMEDOUT";
+      reject(err);
+    }, timeoutMs);
+  });
+
+  try {
+    return await Promise.race([promise, timeout]);
+  } finally {
+    if (timer) clearTimeout(timer);
+  }
+}
+
+/**
+ * Process files in parallel with bounded concurrency.
+ *
+ * @param {string[]} files
+ * @param {(filePath: string) => Promise<any>} processor
+ * @param {object} options
+ * @returns {Promise<{results: Array<{file: string, result: any}>, errors: Array<{file: string, error: Error}>, stats: object}>}
+ */
+async function processFilesInParallel(files, processor, options = {}) {
+  const concurrency =
+    Number.isFinite(options.concurrency) && options.concurrency > 0
+      ? Math.floor(options.concurrency)
+      : Math.max(1, Math.min(os.cpus().length, 8));
+
+  const timeoutMs = Number.isFinite(options.timeoutMs) ? options.timeoutMs : 0;
+  const stopOnError = Boolean(options.stopOnError);
+  const onProgress = typeof options.onProgress === "function" ? options.onProgress : null;
+  const signal = options.signal;
+
+  const results = [];
+  const errors = [];
+
+  let cursor = 0;
+  let completed = 0;
+  const startedAt = Date.now();
+
+  function reportProgress(file, kind) {
+    if (!onProgress) return;
+    try {
+      onProgress({
+        kind,
+        file,
+        completed,
+        total: files.length,
+        errors: errors.length,
+        elapsedMs: Date.now() - startedAt,
+      });
+    } catch {
+      // ignore progress handler failures
+    }
+  }
+
+  async function runFile(filePath) {
+    if (signal?.aborted) {
+      const err = new Error("Aborted");
+      err.code = "ABORTED";
+      throw err;
+    }
+
+    const label = `process(${filePath})`;
+    const result = await withTimeout(Promise.resolve().then(() => processor(filePath)), timeoutMs, label);
+    return result;
+  }
+
+  async function worker(workerId) {
+    // eslint-disable-next-line no-constant-condition
+    while (true) {
+      if (signal?.aborted) break;
+      if (stopOnError && errors.length) break;
+
+      const i = cursor++;
+      if (i >= files.length) break;
+
+      const filePath = files[i];
+      reportProgress(filePath, "start");
+
+      try {
+        const result = await runFile(filePath);
+        results.push({ file: filePath, result });
+      } catch (error) {
+        errors.push({ file: filePath, error });
+        reportProgress(filePath, "error");
+      } finally {
+        completed++;
+        reportProgress(filePath, "done");
+      }
+    }
+  }
+
+  const workers = Array.from({ length: Math.min(concurrency, files.length) }, (_, i) => worker(i));
+  await Promise.all(workers);
+
+  return {
+    results,
+    errors,
+    stats: {
+      totalFiles: files.length,
+      processed: completed,
+      results: results.length,
+      errors: errors.length,
+      concurrency,
+      timeoutMs,
+      elapsedMs: Date.now() - startedAt,
+      aborted: Boolean(signal?.aborted),
+    },
+  };
+}
+
+/**
+ * Process in sequential batches (useful when you want deterministic ordering).
+ *
+ * @param {string[]} files
+ * @param {(filePath: string) => Promise<any>} processor
+ * @param {number} batchSize
+ */
+async function processFilesInBatches(files, processor, batchSize = 10) {
+  const results = [];
+  const errors = [];
+  const size = Math.max(1, Number(batchSize) || 10);
+
+  for (let i = 0; i < files.length; i += size) {
+    const batch = files.slice(i, i + size);
+    const batchResults = await Promise.allSettled(batch.map((f) => Promise.resolve().then(() => processor(f))));
+
+    for (let j = 0; j < batchResults.length; j++) {
+      const file = batch[j];
+      const r = batchResults[j];
+      if (r.status === "fulfilled") {
+        results.push({ file, result: r.value });
+      } else {
+        errors.push({ file, error: r.reason });
+      }
+    }
+  }
+
+  return { results, errors };
+}
+
+module.exports = {
+  processFilesInParallel,
+  processFilesInBatches,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js

@@ -0,0 +1,234 @@
+/**
+ * Performance Issues Engine
+ * Detects potential performance problems:
+ * - Nested loops
+ * - Potential memory leaks (event listeners without cleanup)
+ * - Expensive operations in render-like contexts (heuristic)
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+function isLoopStatement(node) {
+  return (
+    t.isForStatement(node) ||
+    t.isForInStatement(node) ||
+    t.isForOfStatement(node) ||
+    t.isWhileStatement(node) ||
+    t.isDoWhileStatement(node)
+  );
+}
+
+function getEventName(callNode) {
+  const arg0 = callNode.arguments?.[0];
+  if (t.isStringLiteral(arg0)) return arg0.value;
+  if (t.isIdentifier(arg0)) return arg0.name;
+  return null;
+}
+
+function calleePropertyName(callNode) {
+  const callee = callNode.callee;
+  if (t.isMemberExpression(callee) && t.isIdentifier(callee.property) && !callee.computed) return callee.property.name;
+  if (t.isIdentifier(callee)) return callee.name;
+  return null;
+}
+
+function hasMatchingRemoveEventListener(fnPath, eventName) {
+  let found = false;
+
+  fnPath.traverse({
+    Function(inner) {
+      if (inner !== fnPath) inner.skip();
+    },
+    CallExpression(p) {
+      const name = calleePropertyName(p.node);
+      if (name !== "removeEventListener") return;
+      const ev = getEventName(p.node);
+      if (!eventName || !ev) {
+        // no event info: still counts as cleanup
+        found = true;
+        return;
+      }
+      if (ev === eventName) found = true;
+    },
+  });
+
+  return found;
+}
+
+function isLikelyRenderContext(path) {
+  // Heuristic: inside a function named render, or a React component (PascalCase) returning JSX
+  const fn = path.getFunctionParent();
+  if (!fn) return false;
+
+  const node = fn.node;
+  let name = null;
+
+  if (t.isFunctionDeclaration(node) && node.id?.name) name = node.id.name;
+  if ((t.isFunctionExpression(node) || t.isArrowFunctionExpression(node)) && t.isVariableDeclarator(fn.parent) && t.isIdentifier(fn.parent.id)) {
+    name = fn.parent.id.name;
+  }
+
+  if (name === "render") return true;
+  if (name && /^[A-Z]/.test(name)) return true; // component-ish
+
+  // If function returns JSX somewhere
+  let returnsJSX = false;
+  fn.traverse({
+    Function(inner) {
+      if (inner !== fn) inner.skip();
+    },
+    ReturnStatement(r) {
+      if (t.isJSXElement(r.node.argument) || t.isJSXFragment(r.node.argument)) returnsJSX = true;
+    },
+  });
+
+  return returnsJSX;
+}
+
+function analyzePerformanceIssues(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "performance")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  traverse(ast, {
+    // Nested loops - only flag 3+ levels deep
+    enter(path) {
+      if (!isLoopStatement(path.node)) return;
+
+      // Count nesting depth
+      let depth = 0;
+      let current = path;
+      while (current) {
+        if (isLoopStatement(current.node)) {
+          depth++;
+        }
+        current = current.parentPath;
+      }
+
+      // Only flag if 3 or more levels deep
+      if (depth < 3) return;
+
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      findings.push({
+        type: "nested_loop",
+        severity: "WARN",
+        category: "Performance",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: `Deeply nested loop (${depth} levels)`,
+        message: "Deeply nested loops can be expensive. Consider optimizing or using better data structures.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "med",
+      });
+      path.skip(); // avoid multiple nested loop reports in same subtree
+    },
+
+    // Event listeners without cleanup - only flag in component-like contexts
+    CallExpression(path) {
+      const callee = path.node.callee;
+      if (!t.isMemberExpression(callee)) return;
+      if (callee.computed) return;
+      if (!t.isIdentifier(callee.property, { name: "addEventListener" })) return;
+
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      // Skip if not in a component-like context (React, Vue, etc.)
+      const fn = path.getFunctionParent();
+      if (!fn) return;
+
+      // Only flag in component-like functions or useEffect-like hooks
+      const fnName = fn.node.id?.name || (fn.parent?.id?.name);
+      const isComponent = fnName && /^[A-Z]/.test(fnName);
+      const isEffectHook = fnName && /useEffect|useLayoutEffect|componentDidMount|componentWillUnmount/i.test(fnName);
+      
+      if (!isComponent && !isEffectHook) return;
+
+      const evName = getEventName(path.node);
+      const hasCleanup = hasMatchingRemoveEventListener(fn, evName);
+
+      if (hasCleanup) return;
+
+      findings.push({
+        type: "potential_memory_leak",
+        severity: "WARN",
+        category: "Performance",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Event listener without cleanup",
+        message: "addEventListener() found without a matching removeEventListener() in the same function scope.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "low",
+      });
+    },
+
+    // Expensive operations in render-like contexts
+    CallExpression(path) {
+      const callee = path.node.callee;
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      if (!isLikelyRenderContext(path)) return;
+
+      // JSON.parse / stringify in render
+      if (t.isMemberExpression(callee) && t.isIdentifier(callee.object, { name: "JSON" }) && t.isIdentifier(callee.property)) {
+        const m = callee.property.name;
+        if (m === "parse" || m === "stringify") {
+          findings.push({
+            type: "expensive_render_op",
+            severity: "INFO",
+            category: "Performance",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: `JSON.${m} in render context`,
+            message: "Consider moving JSON parsing/serialization out of render to avoid repeated work.",
+            codeSnippet: snippetForLine(lines, loc.line),
+            confidence: "low",
+          });
+        }
+      }
+
+      // Array.sort in render (mutates + expensive)
+      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property, { name: "sort" })) {
+        findings.push({
+          type: "expensive_render_op",
+          severity: "INFO",
+          category: "Performance",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Array.sort in render context",
+          message: "Sorting during render can be expensive and mutates arrays. Consider sorting in memoized/selectors.",
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "low",
+        });
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzePerformanceIssues,
+  parseCode,
+};