@vibecheckai/cli 3.2.4 → 3.2.6

package/mcp-server/lib/api-client.js

@@ -0,0 +1,269 @@
+/**
+ * API Client for Vibecheck Dashboard Integration
+ * 
+ * Handles communication with the web dashboard API for:
+ * - Creating scan records
+ * - Updating scan progress
+ * - Submitting scan results
+ * - Broadcasting real-time updates
+ */
+
+"use strict";
+
+const https = require("https");
+const http = require("http");
+const { logger } = require("./logger");
+
+// Configuration
+const API_BASE_URL = process.env.VIBECHECK_API_URL || "https://api.vibecheckai.dev";
+const API_TIMEOUT = 30000; // 30 seconds
+
+/**
+ * Make HTTP request to API
+ */
+async function makeRequest(path, options = {}) {
+  const url = new URL(path, API_BASE_URL);
+  const isHttps = url.protocol === "https:";
+  const client = isHttps ? https : http;
+
+  const defaultOptions = {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "User-Agent": "vibecheck-cli/3.3.0",
+    },
+    timeout: API_TIMEOUT,
+  };
+
+  const requestOptions = {
+    ...defaultOptions,
+    ...options,
+    hostname: url.hostname,
+    port: url.port || (isHttps ? 443 : 80),
+    path: url.pathname + url.search,
+  };
+
+  // Add Authorization header if API key is available
+  const apiKey = process.env.VIBECHECK_API_KEY || getApiKey();
+  if (apiKey) {
+    requestOptions.headers.Authorization = `Bearer ${apiKey}`;
+  }
+
+  return new Promise((resolve, reject) => {
+    const req = client.request(requestOptions, (res) => {
+      let data = "";
+
+      res.on("data", (chunk) => {
+        data += chunk;
+      });
+
+      res.on("end", () => {
+        try {
+          const jsonData = data ? JSON.parse(data) : {};
+          resolve({
+            ok: res.statusCode >= 200 && res.statusCode < 300,
+            status: res.statusCode,
+            data: jsonData,
+          });
+        } catch (err) {
+          resolve({
+            ok: false,
+            status: res.statusCode,
+            data: { error: "Invalid JSON response" },
+          });
+        }
+      });
+    });
+
+    req.on("error", (err) => {
+      logger.debug(`API request failed: ${err.message}`);
+      resolve({
+        ok: false,
+        error: err.message,
+        data: { error: err.message },
+      });
+    });
+
+    req.on("timeout", () => {
+      req.destroy();
+      resolve({
+        ok: false,
+        error: "Request timeout",
+        data: { error: "Request timeout" },
+      });
+    });
+
+    if (options.body) {
+      req.write(JSON.stringify(options.body));
+    }
+
+    req.end();
+  });
+}
+
+/**
+ * Get API key from environment or config
+ */
+function getApiKey() {
+  // Try various environment variables
+  const envVars = [
+    "VIBECHECK_API_KEY",
+    "VIBECHECK_TOKEN",
+    "API_KEY",
+    "TOKEN",
+  ];
+
+  for (const envVar of envVars) {
+    if (process.env[envVar]) {
+      return process.env[envVar];
+    }
+  }
+
+  // Try to read from config file
+  try {
+    const fs = require("fs");
+    const path = require("path");
+    const os = require("os");
+
+    const configPaths = [
+      path.join(os.homedir(), ".vibecheck", "config.json"),
+      path.join(process.cwd(), ".vibecheckrc.json"),
+      path.join(process.cwd(), "vibecheck.config.json"),
+    ];
+
+    for (const configPath of configPaths) {
+      if (fs.existsSync(configPath)) {
+        const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+        if (config.apiKey || config.token) {
+          return config.apiKey || config.token;
+        }
+      }
+    }
+  } catch (err) {
+    // Ignore config file errors
+  }
+
+  return null;
+}
+
+/**
+ * Create a new scan record
+ */
+async function createScan(options) {
+  const {
+    repositoryId,
+    repositoryUrl,
+    localPath,
+    branch = "main",
+    enableLLM = false,
+  } = options;
+
+  const response = await makeRequest("/api/scans", {
+    body: {
+      repositoryId,
+      repositoryUrl,
+      localPath,
+      branch,
+      enableLLM,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to create scan: ${response.data?.error || response.error}`);
+  }
+
+  return response.data.data;
+}
+
+/**
+ * Update scan progress
+ */
+async function updateScanProgress(scanId, progress, status = null) {
+  const response = await makeRequest(`/api/scans/${scanId}/progress`, {
+    body: {
+      progress,
+      status,
+    },
+  });
+
+  if (!response.ok) {
+    logger.debug(`Failed to update scan progress: ${response.data?.error || response.error}`);
+  }
+
+  return response.data;
+}
+
+/**
+ * Submit scan results
+ */
+async function submitScanResults(scanId, results) {
+  const {
+    verdict,
+    score,
+    findings,
+    filesScanned,
+    linesScanned,
+    durationMs,
+    metadata = {},
+  } = results;
+
+  const response = await makeRequest(`/api/scans/${scanId}/complete`, {
+    body: {
+      verdict,
+      score,
+      findings,
+      filesScanned,
+      linesScanned,
+      durationMs,
+      metadata,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to submit scan results: ${response.data?.error || response.error}`);
+  }
+
+  return response.data;
+}
+
+/**
+ * Report scan error
+ */
+async function reportScanError(scanId, error) {
+  const response = await makeRequest(`/api/scans/${scanId}/error`, {
+    body: {
+      error: error.message || String(error),
+      stack: error.stack,
+    },
+  });
+
+  if (!response.ok) {
+    logger.debug(`Failed to report scan error: ${response.data?.error || response.error}`);
+  }
+
+  return response.data;
+}
+
+/**
+ * Check if API is available
+ */
+async function isApiAvailable() {
+  try {
+    const response = await makeRequest("/api/health", {
+      method: "GET",
+      timeout: 5000,
+    });
+    return response.ok;
+  } catch (err) {
+    return false;
+  }
+}
+
+module.exports = {
+  createScan,
+  updateScanProgress,
+  submitScanResults,
+  reportScanError,
+  isApiAvailable,
+  getApiKey,
+};

package/mcp-server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibecheck-mcp-server",
-  "version": "3.1.8",
+  "version": "3.2.6",
   "description": "Professional MCP server for vibecheck - Intelligent development environment vibechecks",
   "type": "module",
   "main": "index.js",

package/mcp-server/tier-auth.js

@@ -1,157 +1,162 @@
 /**
  * MCP Server Tier Authentication & Authorization
  * 
- * Provides tier checking for MCP tools based on API keys
+ * UNIFIED AUTHORITY SYSTEM for MCP tools.
+ * 
+ * Authority Rules:
+ * - FREE: May see problems, never resolve certainty. Read-only context tools.
+ * - STARTER: May fix, but not prove. Read tools + advisory actions.
+ * - PRO: May enforce reality. Full MCP access with proof generation.
+ * - ENTERPRISE: All features + compliance tools.
+ * 
+ * Verdict authority is paid. Evidence beats explanations.
  */
 
 import fs from "fs/promises";
 import path from "path";
 import os from "os";
 
-// Tier definitions - MUST MATCH CLI entitlements-v2.js
+// ═══════════════════════════════════════════════════════════════════════════════
+// TIER DEFINITIONS - UNIFIED AUTHORITY SYSTEM
+// Synchronized with packages/core/src/tier-config.ts
+// 
+// Authority Rules:
+// - FREE: May see problems, never resolve certainty
+// - STARTER: May fix, but not prove (Advisory verdicts only)
+// - PRO: May enforce reality (Full verdict authority)
+// ═══════════════════════════════════════════════════════════════════════════════
 export const TIERS = {
   free: {
     name: 'FREE',
     price: 0,
     order: 0,
-    features: [
-      // Core commands
-      'scan', 'ship', 'ship.static',
-      // Setup
-      'init', 'init.local', 'doctor', 'status', 'install', 'preflight', 'watch', 'watch.local',
-      // AI Truth
-      'ctx', 'guard', 'context', 'mdc', 'contracts',
-      // Quality
-      'verify', 'quality', 'polish', 'checkpoint', 'checkpoint.basic',
-      // Fix (plan only)
-      'fix', 'fix.plan_only',
-      // Reality (preview)
-      'reality', 'reality.preview',
-      // MCP (help only)
-      'mcp.help_only',
-      // Report (html/md only)
-      'report', 'report.html_md',
-    ],
+    // Verdict authority
+    verdictAuthority: 'NONE',
+    canIssueVerdicts: false,
+    canEnforceCI: false,
+    canGenerateProof: false,
+    // Limits
     limits: { 
-      scans: 50, 
-      shipChecks: 20, 
+      scans: -1,  // Unlimited scans
       realityMaxPages: 5, 
       realityMaxClicks: 20, 
-      fixApplyPatches: false,
-      mcpRateLimit: 10, // requests per minute
+      mcpRateLimit: 10,
     },
-    // MCP tools allowed on FREE
+    // MCP tools allowed on FREE (read-only context only)
     mcpTools: [
       'vibecheck.get_truthpack',
-      'vibecheck.validate_claim',
       'vibecheck.compile_context',
       'vibecheck.search_evidence',
     ],
   },
   starter: {
     name: 'STARTER',
-    price: 39, // Updated pricing
+    price: 39,
     order: 1,
-    features: [
-      // All FREE features plus...
-      // Init connect
-      'init.connect',
-      // Scan autofix
-      'scan.autofix',
-      // CI/CD
-      'gate', 'pr', 'badge', 'launch', 'dashboard_sync',
-      // Watch PR
-      'watch.pr',
-      // Report formats
-      'report.sarif_csv',
-      // Reality basic
-      'reality.basic',
-      // MCP read-only
-      'mcp', 'mcp.read_only',
-      // Ship full
-      'ship.full',
-    ],
+    // Verdict authority - ADVISORY (verdicts not enforced)
+    verdictAuthority: 'ADVISORY',
+    canIssueVerdicts: true,  // SHIP, WARN only
+    canEnforceCI: false,     // Cannot block builds
+    canGenerateProof: false, // Cannot generate proof
+    // Limits
     limits: { 
-      scans: -1, 
-      shipChecks: -1, 
-      realityMaxPages: 50, 
-      realityMaxClicks: 200, 
-      fixApplyPatches: false,
-      mcpRateLimit: 60, // requests per minute
+      scans: -1,           // Unlimited scans
+      realityMaxPages: -1, // Unlimited browser testing
+      realityMaxClicks: -1,
+      mcpRateLimit: 60,
     },
-    // MCP tools allowed on STARTER (curated)
+    // MCP tools allowed on STARTER (read + advisory actions)
     mcpTools: [
       'vibecheck.ctx',
       'vibecheck.scan',
-      'vibecheck.ship',
+      'vibecheck.ship',      // Advisory verdicts only
       'vibecheck.get_truthpack',
       'vibecheck.validate_claim',
       'vibecheck.compile_context',
       'vibecheck.search_evidence',
       'vibecheck.find_counterexamples',
       'vibecheck.check_invariants',
+      'vibecheck.fix',       // Plan mode only
     ],
   },
   pro: {
     name: 'PRO',
     price: 99,
     order: 2,
-    features: [
-      // All STARTER features plus...
-      // Prove
-      'prove',
-      // Fix apply
-      'fix.apply_patches', 'fix.loop',
-      // Checkpoint advanced
-      'checkpoint.hallucination',
-      // Reality advanced
-      'reality.full', 'reality.advanced_auth_boundary',
-      // Premium
-      'replay', 'share', 'ai-test', 'permissions', 'graph',
-      // MCP full
-      'mcp.full',
-    ],
+    // Verdict authority - ENFORCED (verdicts block CI/PRs)
+    verdictAuthority: 'ENFORCED',
+    canIssueVerdicts: true,  // SHIP, WARN, BLOCK
+    canEnforceCI: true,      // Can block builds
+    canGenerateProof: true,  // Can generate cryptographic proof
+    // Limits
     limits: { 
-      scans: -1, 
-      shipChecks: -1, 
-      realityMaxPages: -1, 
-      realityMaxClicks: -1, 
-      fixApplyPatches: true,
-      mcpRateLimit: -1, // unlimited
+      scans: -1,
+      realityMaxPages: -1,
+      realityMaxClicks: -1,
+      mcpRateLimit: -1,  // Unlimited
     },
-    // MCP tools allowed on PRO (curated)
-    mcpTools: [
-      'vibecheck.ctx',
-      'vibecheck.scan',
-      'vibecheck.ship',
-      'vibecheck.get_truthpack',
-      'vibecheck.validate_claim',
-      'vibecheck.compile_context',
-      'vibecheck.search_evidence',
-      'vibecheck.find_counterexamples',
-      'vibecheck.check_invariants',
-    ],
+    // MCP tools - FULL ACCESS
+    mcpTools: ['*'],  // All tools unlocked
   },
-  compliance: {
-    name: 'COMPLIANCE',
-    price: 0, // Enterprise/on-prem
+  enterprise: {
+    name: 'ENTERPRISE',
+    price: 0, // Custom pricing
     order: 3,
-    features: [
-      // All PRO features plus...
-      'report.compliance_packs',
-    ],
+    // Verdict authority - ENFORCED + Compliance
+    verdictAuthority: 'ENFORCED',
+    canIssueVerdicts: true,
+    canEnforceCI: true,
+    canGenerateProof: true,
+    // Limits
     limits: { 
-      scans: -1, 
-      shipChecks: -1, 
-      realityMaxPages: -1, 
-      realityMaxClicks: -1, 
-      fixApplyPatches: true,
+      scans: -1,
+      realityMaxPages: -1,
+      realityMaxClicks: -1,
       mcpRateLimit: -1,
     },
-    mcpTools: ['*'], // All tools
+    // MCP tools - FULL ACCESS + Compliance
+    mcpTools: ['*'],
   }
 };
 
+// ═══════════════════════════════════════════════════════════════════════════════
+// MCP TOOL → TIER MAPPING (Unified Authority System)
+// Aligned with packages/core/src/features.ts
+// ═══════════════════════════════════════════════════════════════════════════════
+export const MCP_TOOL_TIERS = {
+  // FREE - Read-only context tools ONLY
+  // Free users may see problems, never resolve certainty
+  'vibecheck.get_truthpack': 'free',
+  'vibecheck.compile_context': 'free',
+  'vibecheck.search_evidence': 'free',
+  
+  // STARTER - Advisory verdict authority
+  // Starter users may fix, but not prove
+  'vibecheck.ctx': 'starter',
+  'vibecheck.scan': 'starter',
+  'vibecheck.ship': 'starter',          // SHIP/WARN (advisory, not enforced)
+  'vibecheck.fix': 'starter',           // Plan mode only (no apply)
+  'vibecheck.validate_claim': 'starter',
+  'vibecheck.find_counterexamples': 'starter',
+  'vibecheck.check_invariants': 'starter',
+  'vibecheck.gate': 'starter',          // Advisory gates
+  'vibecheck.badge': 'starter',         // Unverified badges
+  
+  // PRO - Full verdict authority & enforcement
+  // Pro users may enforce reality
+  'vibecheck.prove': 'pro',             // Cryptographic proof generation
+  'vibecheck.fix.apply': 'pro',         // Apply fixes
+  'vibecheck.fix.verify': 'pro',        // Verify fixes with proof
+  'vibecheck.reality': 'pro',           // Full browser testing
+  'vibecheck.reality.prove': 'pro',     // Prove runtime behavior
+  'vibecheck.enforce': 'pro',           // Enforce verdicts in CI
+  'vibecheck.ai_test': 'pro',           // AI agent testing
+  'vibecheck.autopilot': 'pro',         // Autonomous protection
+  'vibecheck.report': 'pro',            // Advanced reporting
+  'vibecheck.allowlist': 'pro',         // Manage allowlists
+  'vibecheck.status': 'pro',            // Advanced status
+};
+
 /**
  * Load user configuration from ~/.vibecheck/credentials.json
  */
@@ -169,25 +174,52 @@ async function loadUserConfig() {
  * Determine tier from API key
  * Matches CLI entitlements-v2.js logic
  */
-function getTierFromApiKey(apiKey) {
-  if (!apiKey) return 'free';
+async function getTierFromApiKey(apiKey) {
+  if (!apiKey) return null; // No API key = no access
   
   // Check API key prefix patterns (matches CLI)
   if (apiKey.startsWith('gr_starter_')) return 'starter';
   if (apiKey.startsWith('gr_pro_')) return 'pro';
-  if (apiKey.startsWith('gr_compliance_') || apiKey.startsWith('gr_ent_')) return 'compliance';
+  if (apiKey.startsWith('gr_enterprise_') || apiKey.startsWith('gr_ent_')) return 'enterprise';
   if (apiKey.startsWith('gr_free_')) return 'free';
   
-  // Try to fetch from API (same as CLI)
-  // For now, default to free - API lookup would happen in production
-  return 'free'; // default for unknown keys
-}
+  // Try to validate with API
+  try {
+    const response = await fetch('https://api.vibecheckai.dev/whoami', {
+      headers: {
+        'Authorization': `Bearer ${apiKey}`,
+        'Content-Type': 'application/json',
+      },
+    });
+    
+    if (!response.ok) {
+      return null; // Invalid API key
+    }
+    
+    const data = await response.json();
+    
+    // Map API response to tier
+    switch (data.plan?.toLowerCase()) {
+      case 'starter':
+        return 'starter';
+      case 'pro':
+        return 'pro';
+      case 'enterprise':
+        return 'enterprise';
+      default:
+        return 'free';
+    }
+  } catch (error) {
+    console.error('API validation failed:', error);
+    return null; // On error, deny access
+  }
+} // default for unknown keys
 
 /**
  * Check if user has access to a specific feature
  * Matches CLI entitlements-v2.js logic
  */
-export async function checkFeatureAccess(featureName, providedApiKey = null) {
+export async function getFeatureAccessStatus(featureName, providedApiKey = null) {
   // Try to load user config
   const userConfig = await loadUserConfig();
   const apiKey = providedApiKey || userConfig?.apiKey;
@@ -195,13 +227,22 @@ export async function checkFeatureAccess(featureName, providedApiKey = null) {
   if (!apiKey) {
     return {
       hasAccess: false,
-      tier: 'free',
-      reason: 'No API key provided. Run: vibecheck auth --key YOUR_API_KEY',
+      tier: null,
+      reason: 'No API key provided. Please set your API key with `vibecheck login`.',
       upgradeUrl: 'https://vibecheckai.dev'
     };
   }
   
-  const currentTier = getTierFromApiKey(apiKey);
+  const currentTier = await getTierFromApiKey(apiKey);
+  
+  if (!currentTier) {
+    return {
+      hasAccess: false,
+      tier: null,
+      reason: 'Invalid API key. Please check your API key or get a new one at https://vibecheckai.dev',
+      upgradeUrl: 'https://vibecheckai.dev'
+    };
+  }
   const currentTierConfig = TIERS[currentTier];
   
   // Find which tier has this feature
@@ -273,11 +314,30 @@ export function withTierCheck(featureName, handler) {
  * Check if user has access to a specific MCP tool
  * MCP tools have specific tier requirements separate from CLI features
  */
-export async function checkMcpToolAccess(toolName, providedApiKey = null) {
+export async function getMcpToolAccess(toolName, providedApiKey = null) {
   const userConfig = await loadUserConfig();
   const apiKey = providedApiKey || userConfig?.apiKey;
   
-  const currentTier = getTierFromApiKey(apiKey);
+  if (!apiKey) {
+    return {
+      hasAccess: false,
+      tier: null,
+      reason: 'No API key provided. Please set your API key with `vibecheck login`.',
+      upgradeUrl: 'https://vibecheckai.dev'
+    };
+  }
+  
+  const currentTier = await getTierFromApiKey(apiKey);
+  
+  if (!currentTier) {
+    return {
+      hasAccess: false,
+      tier: null,
+      reason: 'Invalid API key. Please check your API key or get a new one at https://vibecheckai.dev',
+      upgradeUrl: 'https://vibecheckai.dev'
+    };
+  }
+  
   const currentTierConfig = TIERS[currentTier];
   
   // Check if tool is allowed for current tier