@vibecheckai/cli 3.2.2 → 3.2.4

package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js

@@ -0,0 +1,217 @@
+/**
+ * Type-Aware Engine (TypeScript focused)
+ * Detects risky TypeScript patterns: any, non-null assertions, ts-ignore, unsafe casts, missing return types on exported APIs.
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+function isTSFile(filePath) {
+  return filePath.endsWith(".ts") || filePath.endsWith(".tsx");
+}
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+function isExportedFunctionPath(path) {
+  // export function foo() {}
+  if (path.parentPath?.isExportNamedDeclaration?.() || path.parentPath?.isExportDefaultDeclaration?.()) return true;
+
+  // export const foo = () => {}
+  const exportDecl = path.findParent((p) => p.isExportNamedDeclaration?.());
+  if (exportDecl) return true;
+
+  return false;
+}
+
+function analyzeTypeAware(code, filePath) {
+  const findings = [];
+
+  if (!isTSFile(filePath)) return findings;
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "type-aware")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  // Scan header comments for ts-ignore
+  const comments = ast.comments || [];
+  for (const c of comments) {
+    const v = (c.value || "").trim();
+    if (/^@ts-ignore\b/.test(v) || /^@ts-expect-error\b/.test(v)) {
+      const line = c.loc?.start?.line || 1;
+      findings.push({
+        type: "ts_ignore",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line,
+        column: c.loc?.start?.column || 0,
+        title: "TypeScript ignore directive used",
+        message: `Found ${v.split(/\s+/)[0]} - this bypasses type safety.`,
+        codeSnippet: snippetForLine(lines, line),
+        confidence: "high",
+      });
+    }
+  }
+
+  // General TS AST checks
+  traverse(ast, {
+    TSAnyKeyword(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      findings.push({
+        type: "any_type",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Usage of 'any' type",
+        message: "Avoid 'any' where possible. Prefer unknown + narrowing or a specific type.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "high",
+      });
+    },
+
+    TSNonNullExpression(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      findings.push({
+        type: "non_null_assertion",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Non-null assertion used (!)",
+        message: "Non-null assertions can hide real null/undefined bugs. Consider proper checks.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "med",
+      });
+    },
+
+    TSAsExpression(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      const typeAnn = path.node.typeAnnotation;
+      if (t.isTSAnyKeyword(typeAnn)) {
+        findings.push({
+          type: "unsafe_type_cast",
+          severity: "WARN",
+          category: "TypeSafety",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Unsafe type cast to 'any'",
+          message: "Casting to 'any' disables type checking. Prefer unknown + validation.",
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "high",
+        });
+      }
+    },
+
+    FunctionDeclaration(path) {
+      if (!path.node.loc) return;
+      if (!isExportedFunctionPath(path)) return;
+
+      // only flag when return type is missing AND the body has at least one return
+      const hasReturnType = Boolean(path.node.returnType);
+      if (hasReturnType) return;
+
+      let returnsValue = false;
+      path.traverse({
+        Function(inner) {
+          if (inner !== path) inner.skip();
+        },
+        ReturnStatement(r) {
+          if (r.node.argument) returnsValue = true;
+        },
+      });
+
+      if (!returnsValue) return;
+
+      const line = path.node.loc.start.line;
+      findings.push({
+        type: "missing_return_type",
+        severity: "INFO",
+        category: "TypeSafety",
+        file: filePath,
+        line,
+        column: path.node.loc.start.column,
+        title: "Exported function missing explicit return type",
+        message: "Public/ exported APIs should specify return types for stability and clarity.",
+        codeSnippet: snippetForLine(lines, line),
+        confidence: "low",
+      });
+    },
+
+    ExportNamedDeclaration(path) {
+      // export const foo = () => {}
+      const decl = path.node.declaration;
+      if (!t.isVariableDeclaration(decl)) return;
+
+      for (const d of decl.declarations) {
+        if (!t.isVariableDeclarator(d)) continue;
+        if (!t.isIdentifier(d.id) || !d.init) continue;
+        if (!t.isArrowFunctionExpression(d.init) && !t.isFunctionExpression(d.init)) continue;
+
+        const fnNode = d.init;
+        const hasReturnType = Boolean(fnNode.returnType);
+        if (hasReturnType) continue;
+
+        // Only if it returns a value
+        let returnsValue = false;
+        traverse(
+          t.file(t.program([t.expressionStatement(fnNode)])),
+          {
+            ReturnStatement(r) {
+              if (r.node.argument) returnsValue = true;
+            },
+            Function(inner) {
+              // skip nested
+              inner.skip();
+            },
+          },
+          undefined,
+          undefined,
+          undefined
+        );
+
+        if (!returnsValue) continue;
+
+        const loc = fnNode.loc?.start;
+        if (!loc) continue;
+
+        findings.push({
+          type: "missing_return_type",
+          severity: "INFO",
+          category: "TypeSafety",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Exported function missing explicit return type",
+          message: `Exported '${d.id.name}' should specify a return type.`,
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "low",
+        });
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeTypeAware,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js

@@ -0,0 +1,78 @@
+/**
+ * Unsafe Regex Engine
+ * Detects potentially catastrophic backtracking patterns.
+ *
+ * This is heuristic-based. It aims to flag the riskiest regexes:
+ * - Nested quantifiers like (.+)+, (.*)*, (a|aa)+, ([\s\S]*)+
+ * - Ambiguous repetitions inside groups: (a|a?)+ etc
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+function isRiskyPattern(pattern) {
+  if (!pattern || typeof pattern !== "string") return false;
+
+  // Nested quantifiers: (.*)+, (.+)+, (.*)*, (.+)*
+  if (/\((?:[^()\\]|\\.)*([+*])\)\s*[+*]/.test(pattern)) return true;
+
+  // Very broad character classes repeated aggressively
+  if (/\[(?:\\s\\S|\\S\\s|\\w\\W|\\W\\w|\\d\\D|\\D\\d)\]\s*[+*]\s*[+*]/.test(pattern)) return true;
+
+  // Alternation inside repetition: (a|aa)+ or (.*|.+)+
+  if (/\((?:[^()\\]|\\.)*\|(?:[^()\\]|\\.)*\)\s*[+*]/.test(pattern)) return true;
+
+  // Repetition of ambiguous wildcard with backreferences (commonly risky)
+  if (/(\.\*|\.\+).*\1/.test(pattern)) return true;
+
+  return false;
+}
+
+function analyzeUnsafeRegex(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "unsafe-regex")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  traverse(ast, {
+    RegExpLiteral(path) {
+      const pattern = path.node.pattern;
+      if (!isRiskyPattern(pattern)) return;
+
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      findings.push({
+        type: "unsafe_regex",
+        severity: "WARN",
+        category: "Security",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Potential ReDoS risk in regex",
+        message: `Regex pattern "${pattern}" may cause catastrophic backtracking.`,
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "med",
+      });
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeUnsafeRegex,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "vibecheck-analysis-engines",
+  "version": "0.1.0",
+  "private": true,
+  "description": "Hardened analysis engines for Vibecheck-style static scanning.",
+  "main": "index.js",
+  "type": "commonjs",
+  "dependencies": {
+    "@babel/parser": "^7.26.0",
+    "@babel/traverse": "^7.26.0",
+    "@babel/types": "^7.26.0"
+  }
+}