@vibecheckai/cli 3.2.2 → 3.2.4

package/bin/runners/lib/auth-truth.js

@@ -1,193 +1,193 @@
-// bin/runners/lib/auth-truth.js
-// Auth Truth v1 - Detects auth/protection patterns in Next + Fastify codebases
-const fg = require("fast-glob");
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
-}
-
-function safeRead(fileAbs) {
-  return fs.readFileSync(fileAbs, "utf8");
-}
-
-function evidenceFromLine({ fileAbs, repoRoot, lineNo, reason }) {
-  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-  const lines = safeRead(fileAbs).split(/\r?\n/);
-  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
-  const snippet = lines[idx] || "";
-  return {
-    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-    file: fileRel,
-    lines: `${lineNo}-${lineNo}`,
-    snippetHash: sha256(snippet),
-    reason
-  };
-}
-
-function findLineMatches(code, regex) {
-  const out = [];
-  const lines = code.split(/\r?\n/);
-  for (let i = 0; i < lines.length; i++) {
-    if (regex.test(lines[i])) out.push(i + 1);
-  }
-  return out;
-}
-
-function guessAuthSignalsFromCode(code) {
-  const signals = [];
-
-  const patterns = [
-    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
-    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
-    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
-    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
-    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
-    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
-    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
-    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
-    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
-  ];
-
-  for (const p of patterns) {
-    if (p.rx.test(code)) signals.push(p.key);
-  }
-  return Array.from(new Set(signals));
-}
-
-async function resolveNextMiddleware(repoRoot) {
-  const candidates = await fg(
-    ["middleware.@(ts|js)", "src/middleware.@(ts|js)"],
-    { cwd: repoRoot, absolute: true, onlyFiles: true }
-  );
-
-  const middlewares = [];
-
-  for (const fileAbs of candidates) {
-    const code = safeRead(fileAbs);
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-
-    const matcherLines = findLineMatches(code, /\bmatcher\b/);
-    const redirectLines = findLineMatches(code, /\bNextResponse\.(redirect|rewrite)\b/);
-
-    const evidence = [];
-    for (const ln of matcherLines.slice(0, 5)) {
-      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware matcher config" }));
-    }
-    for (const ln of redirectLines.slice(0, 5)) {
-      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware redirect/rewrite" }));
-    }
-
-    const matcher = [];
-    const matcherBlock = code.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
-    if (matcherBlock && matcherBlock[1]) {
-      const raw = matcherBlock[1];
-      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
-      matcher.push(...strings);
-    }
-
-    middlewares.push({
-      file: fileRel,
-      matcher,
-      signals: guessAuthSignalsFromCode(code),
-      evidence
-    });
-  }
-
-  return middlewares;
-}
-
-async function resolveFastifyAuthSignals(repoRoot, truthpackRoutes) {
-  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
-  const signals = [];
-  const evidence = [];
-
-  for (const fileRel of handlerFiles) {
-    const fileAbs = path.join(repoRoot, fileRel);
-    if (!fs.existsSync(fileAbs)) continue;
-
-    const code = safeRead(fileAbs);
-    const sigs = guessAuthSignalsFromCode(code);
-    if (!sigs.length) continue;
-
-    for (const s of sigs) signals.push({ type: s, file: fileRel });
-
-    const authLinePatterns = [
-      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
-      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
-      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
-      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
-    ];
-
-    const lines = code.split(/\r?\n/);
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      for (const p of authLinePatterns) {
-        if (p.rx.test(line)) {
-          evidence.push({
-            id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-            file: fileRel,
-            lines: `${i + 1}-${i + 1}`,
-            snippetHash: sha256(line),
-            reason: p.reason
-          });
-        }
-      }
-      if (evidence.length > 30) break;
-    }
-  }
-
-  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
-
-  return {
-    signalTypes: uniqueTypes,
-    signals,
-    evidence
-  };
-}
-
-function matcherCoversPath(matcherList, p) {
-  if (!Array.isArray(matcherList) || !matcherList.length) return false;
-  const pathStr = p.startsWith("/") ? p : `/${p}`;
-
-  return matcherList.some(m => {
-    if (!m) return false;
-
-    if (m.includes(":path*")) {
-      const prefix = m.split(":path*")[0].replace(/\/$/, "");
-      return pathStr.startsWith(prefix || "/");
-    }
-    if (m.includes("(.*)")) {
-      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
-      return pathStr.startsWith(prefix || "/");
-    }
-
-    if (m === pathStr) return true;
-    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
-
-    return false;
-  });
-}
-
-async function buildAuthTruth(repoRoot, routesServer) {
-  const middlewares = await resolveNextMiddleware(repoRoot);
-  const matchers = middlewares.flatMap(mw => mw.matcher || []);
-  const fastify = await resolveFastifyAuthSignals(repoRoot, routesServer);
-
-  return {
-    nextMiddleware: middlewares,
-    nextMatcherPatterns: matchers,
-    fastify,
-    helpers: {
-      matcherCoversPath: "runtime-only"
-    }
-  };
-}
-
-module.exports = {
-  buildAuthTruth,
-  matcherCoversPath,
-  guessAuthSignalsFromCode
-};
+// bin/runners/lib/auth-truth.js
+// Auth Truth v1 - Detects auth/protection patterns in Next + Fastify codebases
+const fg = require("fast-glob");
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function safeRead(fileAbs) {
+  return fs.readFileSync(fileAbs, "utf8");
+}
+
+function evidenceFromLine({ fileAbs, repoRoot, lineNo, reason }) {
+  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+  const lines = safeRead(fileAbs).split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+
+function guessAuthSignalsFromCode(code) {
+  const signals = [];
+
+  const patterns = [
+    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
+    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
+    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
+    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
+    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
+    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
+    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
+    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
+    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
+  ];
+
+  for (const p of patterns) {
+    if (p.rx.test(code)) signals.push(p.key);
+  }
+  return Array.from(new Set(signals));
+}
+
+async function resolveNextMiddleware(repoRoot) {
+  const candidates = await fg(
+    ["middleware.@(ts|js)", "src/middleware.@(ts|js)"],
+    { cwd: repoRoot, absolute: true, onlyFiles: true }
+  );
+
+  const middlewares = [];
+
+  for (const fileAbs of candidates) {
+    const code = safeRead(fileAbs);
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+
+    const matcherLines = findLineMatches(code, /\bmatcher\b/);
+    const redirectLines = findLineMatches(code, /\bNextResponse\.(redirect|rewrite)\b/);
+
+    const evidence = [];
+    for (const ln of matcherLines.slice(0, 5)) {
+      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware matcher config" }));
+    }
+    for (const ln of redirectLines.slice(0, 5)) {
+      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware redirect/rewrite" }));
+    }
+
+    const matcher = [];
+    const matcherBlock = code.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
+    if (matcherBlock && matcherBlock[1]) {
+      const raw = matcherBlock[1];
+      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
+      matcher.push(...strings);
+    }
+
+    middlewares.push({
+      file: fileRel,
+      matcher,
+      signals: guessAuthSignalsFromCode(code),
+      evidence
+    });
+  }
+
+  return middlewares;
+}
+
+async function resolveFastifyAuthSignals(repoRoot, truthpackRoutes) {
+  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
+  const signals = [];
+  const evidence = [];
+
+  for (const fileRel of handlerFiles) {
+    const fileAbs = path.join(repoRoot, fileRel);
+    if (!fs.existsSync(fileAbs)) continue;
+
+    const code = safeRead(fileAbs);
+    const sigs = guessAuthSignalsFromCode(code);
+    if (!sigs.length) continue;
+
+    for (const s of sigs) signals.push({ type: s, file: fileRel });
+
+    const authLinePatterns = [
+      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
+      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
+      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
+      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
+    ];
+
+    const lines = code.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      for (const p of authLinePatterns) {
+        if (p.rx.test(line)) {
+          evidence.push({
+            id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+            file: fileRel,
+            lines: `${i + 1}-${i + 1}`,
+            snippetHash: sha256(line),
+            reason: p.reason
+          });
+        }
+      }
+      if (evidence.length > 30) break;
+    }
+  }
+
+  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
+
+  return {
+    signalTypes: uniqueTypes,
+    signals,
+    evidence
+  };
+}
+
+function matcherCoversPath(matcherList, p) {
+  if (!Array.isArray(matcherList) || !matcherList.length) return false;
+  const pathStr = p.startsWith("/") ? p : `/${p}`;
+
+  return matcherList.some(m => {
+    if (!m) return false;
+
+    if (m.includes(":path*")) {
+      const prefix = m.split(":path*")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+    if (m.includes("(.*)")) {
+      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+
+    if (m === pathStr) return true;
+    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
+
+    return false;
+  });
+}
+
+async function buildAuthTruth(repoRoot, routesServer) {
+  const middlewares = await resolveNextMiddleware(repoRoot);
+  const matchers = middlewares.flatMap(mw => mw.matcher || []);
+  const fastify = await resolveFastifyAuthSignals(repoRoot, routesServer);
+
+  return {
+    nextMiddleware: middlewares,
+    nextMatcherPatterns: matchers,
+    fastify,
+    helpers: {
+      matcherCoversPath: "runtime-only"
+    }
+  };
+}
+
+module.exports = {
+  buildAuthTruth,
+  matcherCoversPath,
+  guessAuthSignalsFromCode
+};

package/bin/runners/lib/backup.js

@@ -1,62 +1,62 @@
-// bin/runners/lib/backup.js
-const fs = require("fs");
-const path = require("path");
-
-function ensureDir(p) {
-  fs.mkdirSync(p, { recursive: true });
-}
-
-function backupFiles(repoRoot, fileRelPaths, backupRoot) {
-  ensureDir(backupRoot);
-
-  const saved = [];
-  for (const rel of fileRelPaths) {
-    const abs = path.join(repoRoot, rel);
-    if (!fs.existsSync(abs)) {
-      saved.push({ rel, existed: false });
-      continue;
-    }
-
-    const dest = path.join(backupRoot, rel);
-    ensureDir(path.dirname(dest));
-    fs.copyFileSync(abs, dest);
-    saved.push({ rel, existed: true });
-  }
-
-  fs.writeFileSync(
-    path.join(backupRoot, "_manifest.json"),
-    JSON.stringify({ saved }, null, 2),
-    "utf8"
-  );
-
-  return saved;
-}
-
-function restoreBackup(repoRoot, backupRoot) {
-  const manifestPath = path.join(backupRoot, "_manifest.json");
-  if (!fs.existsSync(manifestPath)) {
-    return { ok: false, error: "backup manifest missing" };
-  }
-
-  const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
-  const saved = manifest.saved || [];
-
-  for (const s of saved) {
-    const abs = path.join(repoRoot, s.rel);
-    const bak = path.join(backupRoot, s.rel);
-
-    if (!s.existed) {
-      if (fs.existsSync(abs)) fs.rmSync(abs, { force: true });
-      continue;
-    }
-
-    if (fs.existsSync(bak)) {
-      ensureDir(path.dirname(abs));
-      fs.copyFileSync(bak, abs);
-    }
-  }
-
-  return { ok: true };
-}
-
-module.exports = { backupFiles, restoreBackup };
+// bin/runners/lib/backup.js
+const fs = require("fs");
+const path = require("path");
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function backupFiles(repoRoot, fileRelPaths, backupRoot) {
+  ensureDir(backupRoot);
+
+  const saved = [];
+  for (const rel of fileRelPaths) {
+    const abs = path.join(repoRoot, rel);
+    if (!fs.existsSync(abs)) {
+      saved.push({ rel, existed: false });
+      continue;
+    }
+
+    const dest = path.join(backupRoot, rel);
+    ensureDir(path.dirname(dest));
+    fs.copyFileSync(abs, dest);
+    saved.push({ rel, existed: true });
+  }
+
+  fs.writeFileSync(
+    path.join(backupRoot, "_manifest.json"),
+    JSON.stringify({ saved }, null, 2),
+    "utf8"
+  );
+
+  return saved;
+}
+
+function restoreBackup(repoRoot, backupRoot) {
+  const manifestPath = path.join(backupRoot, "_manifest.json");
+  if (!fs.existsSync(manifestPath)) {
+    return { ok: false, error: "backup manifest missing" };
+  }
+
+  const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+  const saved = manifest.saved || [];
+
+  for (const s of saved) {
+    const abs = path.join(repoRoot, s.rel);
+    const bak = path.join(backupRoot, s.rel);
+
+    if (!s.existed) {
+      if (fs.existsSync(abs)) fs.rmSync(abs, { force: true });
+      continue;
+    }
+
+    if (fs.existsSync(bak)) {
+      ensureDir(path.dirname(abs));
+      fs.copyFileSync(bak, abs);
+    }
+  }
+
+  return { ok: true };
+}
+
+module.exports = { backupFiles, restoreBackup };