@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/api-client.js

@@ -0,0 +1,269 @@
+/**
+ * API Client for Vibecheck Dashboard Integration
+ * 
+ * Handles communication with the web dashboard API for:
+ * - Creating scan records
+ * - Updating scan progress
+ * - Submitting scan results
+ * - Broadcasting real-time updates
+ */
+
+"use strict";
+
+const https = require("https");
+const http = require("http");
+const { logger } = require("./logger");
+
+// Configuration
+const API_BASE_URL = process.env.VIBECHECK_API_URL || "https://api.vibecheckai.dev";
+const API_TIMEOUT = 30000; // 30 seconds
+
+/**
+ * Make HTTP request to API
+ */
+async function makeRequest(path, options = {}) {
+  const url = new URL(path, API_BASE_URL);
+  const isHttps = url.protocol === "https:";
+  const client = isHttps ? https : http;
+
+  const defaultOptions = {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "User-Agent": "vibecheck-cli/3.3.0",
+    },
+    timeout: API_TIMEOUT,
+  };
+
+  const requestOptions = {
+    ...defaultOptions,
+    ...options,
+    hostname: url.hostname,
+    port: url.port || (isHttps ? 443 : 80),
+    path: url.pathname + url.search,
+  };
+
+  // Add Authorization header if API key is available
+  const apiKey = process.env.VIBECHECK_API_KEY || getApiKey();
+  if (apiKey) {
+    requestOptions.headers.Authorization = `Bearer ${apiKey}`;
+  }
+
+  return new Promise((resolve, reject) => {
+    const req = client.request(requestOptions, (res) => {
+      let data = "";
+
+      res.on("data", (chunk) => {
+        data += chunk;
+      });
+
+      res.on("end", () => {
+        try {
+          const jsonData = data ? JSON.parse(data) : {};
+          resolve({
+            ok: res.statusCode >= 200 && res.statusCode < 300,
+            status: res.statusCode,
+            data: jsonData,
+          });
+        } catch (err) {
+          resolve({
+            ok: false,
+            status: res.statusCode,
+            data: { error: "Invalid JSON response" },
+          });
+        }
+      });
+    });
+
+    req.on("error", (err) => {
+      logger.debug(`API request failed: ${err.message}`);
+      resolve({
+        ok: false,
+        error: err.message,
+        data: { error: err.message },
+      });
+    });
+
+    req.on("timeout", () => {
+      req.destroy();
+      resolve({
+        ok: false,
+        error: "Request timeout",
+        data: { error: "Request timeout" },
+      });
+    });
+
+    if (options.body) {
+      req.write(JSON.stringify(options.body));
+    }
+
+    req.end();
+  });
+}
+
+/**
+ * Get API key from environment or config
+ */
+function getApiKey() {
+  // Try various environment variables
+  const envVars = [
+    "VIBECHECK_API_KEY",
+    "VIBECHECK_TOKEN",
+    "API_KEY",
+    "TOKEN",
+  ];
+
+  for (const envVar of envVars) {
+    if (process.env[envVar]) {
+      return process.env[envVar];
+    }
+  }
+
+  // Try to read from config file
+  try {
+    const fs = require("fs");
+    const path = require("path");
+    const os = require("os");
+
+    const configPaths = [
+      path.join(os.homedir(), ".vibecheck", "config.json"),
+      path.join(process.cwd(), ".vibecheckrc.json"),
+      path.join(process.cwd(), "vibecheck.config.json"),
+    ];
+
+    for (const configPath of configPaths) {
+      if (fs.existsSync(configPath)) {
+        const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+        if (config.apiKey || config.token) {
+          return config.apiKey || config.token;
+        }
+      }
+    }
+  } catch (err) {
+    // Ignore config file errors
+  }
+
+  return null;
+}
+
+/**
+ * Create a new scan record
+ */
+async function createScan(options) {
+  const {
+    repositoryId,
+    repositoryUrl,
+    localPath,
+    branch = "main",
+    enableLLM = false,
+  } = options;
+
+  const response = await makeRequest("/api/scans", {
+    body: {
+      repositoryId,
+      repositoryUrl,
+      localPath,
+      branch,
+      enableLLM,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to create scan: ${response.data?.error || response.error}`);
+  }
+
+  return response.data.data;
+}
+
+/**
+ * Update scan progress
+ */
+async function updateScanProgress(scanId, progress, status = null) {
+  const response = await makeRequest(`/api/scans/${scanId}/progress`, {
+    body: {
+      progress,
+      status,
+    },
+  });
+
+  if (!response.ok) {
+    logger.debug(`Failed to update scan progress: ${response.data?.error || response.error}`);
+  }
+
+  return response.data;
+}
+
+/**
+ * Submit scan results
+ */
+async function submitScanResults(scanId, results) {
+  const {
+    verdict,
+    score,
+    findings,
+    filesScanned,
+    linesScanned,
+    durationMs,
+    metadata = {},
+  } = results;
+
+  const response = await makeRequest(`/api/scans/${scanId}/complete`, {
+    body: {
+      verdict,
+      score,
+      findings,
+      filesScanned,
+      linesScanned,
+      durationMs,
+      metadata,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to submit scan results: ${response.data?.error || response.error}`);
+  }
+
+  return response.data;
+}
+
+/**
+ * Report scan error
+ */
+async function reportScanError(scanId, error) {
+  const response = await makeRequest(`/api/scans/${scanId}/error`, {
+    body: {
+      error: error.message || String(error),
+      stack: error.stack,
+    },
+  });
+
+  if (!response.ok) {
+    logger.debug(`Failed to report scan error: ${response.data?.error || response.error}`);
+  }
+
+  return response.data;
+}
+
+/**
+ * Check if API is available
+ */
+async function isApiAvailable() {
+  try {
+    const response = await makeRequest("/api/health", {
+      method: "GET",
+      timeout: 5000,
+    });
+    return response.ok;
+  } catch (err) {
+    return false;
+  }
+}
+
+module.exports = {
+  createScan,
+  updateScanProgress,
+  submitScanResults,
+  reportScanError,
+  isApiAvailable,
+  getApiKey,
+};

package/bin/runners/lib/auth-truth.js

@@ -1,193 +1,193 @@
-// bin/runners/lib/auth-truth.js
-// Auth Truth v1 - Detects auth/protection patterns in Next + Fastify codebases
-const fg = require("fast-glob");
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
-}
-
-function safeRead(fileAbs) {
-  return fs.readFileSync(fileAbs, "utf8");
-}
-
-function evidenceFromLine({ fileAbs, repoRoot, lineNo, reason }) {
-  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-  const lines = safeRead(fileAbs).split(/\r?\n/);
-  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
-  const snippet = lines[idx] || "";
-  return {
-    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-    file: fileRel,
-    lines: `${lineNo}-${lineNo}`,
-    snippetHash: sha256(snippet),
-    reason
-  };
-}
-
-function findLineMatches(code, regex) {
-  const out = [];
-  const lines = code.split(/\r?\n/);
-  for (let i = 0; i < lines.length; i++) {
-    if (regex.test(lines[i])) out.push(i + 1);
-  }
-  return out;
-}
-
-function guessAuthSignalsFromCode(code) {
-  const signals = [];
-
-  const patterns = [
-    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
-    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
-    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
-    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
-    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
-    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
-    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
-    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
-    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
-  ];
-
-  for (const p of patterns) {
-    if (p.rx.test(code)) signals.push(p.key);
-  }
-  return Array.from(new Set(signals));
-}
-
-async function resolveNextMiddleware(repoRoot) {
-  const candidates = await fg(
-    ["middleware.@(ts|js)", "src/middleware.@(ts|js)"],
-    { cwd: repoRoot, absolute: true, onlyFiles: true }
-  );
-
-  const middlewares = [];
-
-  for (const fileAbs of candidates) {
-    const code = safeRead(fileAbs);
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-
-    const matcherLines = findLineMatches(code, /\bmatcher\b/);
-    const redirectLines = findLineMatches(code, /\bNextResponse\.(redirect|rewrite)\b/);
-
-    const evidence = [];
-    for (const ln of matcherLines.slice(0, 5)) {
-      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware matcher config" }));
-    }
-    for (const ln of redirectLines.slice(0, 5)) {
-      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware redirect/rewrite" }));
-    }
-
-    const matcher = [];
-    const matcherBlock = code.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
-    if (matcherBlock && matcherBlock[1]) {
-      const raw = matcherBlock[1];
-      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
-      matcher.push(...strings);
-    }
-
-    middlewares.push({
-      file: fileRel,
-      matcher,
-      signals: guessAuthSignalsFromCode(code),
-      evidence
-    });
-  }
-
-  return middlewares;
-}
-
-async function resolveFastifyAuthSignals(repoRoot, truthpackRoutes) {
-  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
-  const signals = [];
-  const evidence = [];
-
-  for (const fileRel of handlerFiles) {
-    const fileAbs = path.join(repoRoot, fileRel);
-    if (!fs.existsSync(fileAbs)) continue;
-
-    const code = safeRead(fileAbs);
-    const sigs = guessAuthSignalsFromCode(code);
-    if (!sigs.length) continue;
-
-    for (const s of sigs) signals.push({ type: s, file: fileRel });
-
-    const authLinePatterns = [
-      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
-      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
-      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
-      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
-    ];
-
-    const lines = code.split(/\r?\n/);
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      for (const p of authLinePatterns) {
-        if (p.rx.test(line)) {
-          evidence.push({
-            id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-            file: fileRel,
-            lines: `${i + 1}-${i + 1}`,
-            snippetHash: sha256(line),
-            reason: p.reason
-          });
-        }
-      }
-      if (evidence.length > 30) break;
-    }
-  }
-
-  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
-
-  return {
-    signalTypes: uniqueTypes,
-    signals,
-    evidence
-  };
-}
-
-function matcherCoversPath(matcherList, p) {
-  if (!Array.isArray(matcherList) || !matcherList.length) return false;
-  const pathStr = p.startsWith("/") ? p : `/${p}`;
-
-  return matcherList.some(m => {
-    if (!m) return false;
-
-    if (m.includes(":path*")) {
-      const prefix = m.split(":path*")[0].replace(/\/$/, "");
-      return pathStr.startsWith(prefix || "/");
-    }
-    if (m.includes("(.*)")) {
-      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
-      return pathStr.startsWith(prefix || "/");
-    }
-
-    if (m === pathStr) return true;
-    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
-
-    return false;
-  });
-}
-
-async function buildAuthTruth(repoRoot, routesServer) {
-  const middlewares = await resolveNextMiddleware(repoRoot);
-  const matchers = middlewares.flatMap(mw => mw.matcher || []);
-  const fastify = await resolveFastifyAuthSignals(repoRoot, routesServer);
-
-  return {
-    nextMiddleware: middlewares,
-    nextMatcherPatterns: matchers,
-    fastify,
-    helpers: {
-      matcherCoversPath: "runtime-only"
-    }
-  };
-}
-
-module.exports = {
-  buildAuthTruth,
-  matcherCoversPath,
-  guessAuthSignalsFromCode
-};
+// bin/runners/lib/auth-truth.js
+// Auth Truth v1 - Detects auth/protection patterns in Next + Fastify codebases
+const fg = require("fast-glob");
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function safeRead(fileAbs) {
+  return fs.readFileSync(fileAbs, "utf8");
+}
+
+function evidenceFromLine({ fileAbs, repoRoot, lineNo, reason }) {
+  const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+  const lines = safeRead(fileAbs).split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+
+function guessAuthSignalsFromCode(code) {
+  const signals = [];
+
+  const patterns = [
+    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
+    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
+    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
+    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
+    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
+    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
+    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
+    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
+    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
+  ];
+
+  for (const p of patterns) {
+    if (p.rx.test(code)) signals.push(p.key);
+  }
+  return Array.from(new Set(signals));
+}
+
+async function resolveNextMiddleware(repoRoot) {
+  const candidates = await fg(
+    ["middleware.@(ts|js)", "src/middleware.@(ts|js)"],
+    { cwd: repoRoot, absolute: true, onlyFiles: true }
+  );
+
+  const middlewares = [];
+
+  for (const fileAbs of candidates) {
+    const code = safeRead(fileAbs);
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+
+    const matcherLines = findLineMatches(code, /\bmatcher\b/);
+    const redirectLines = findLineMatches(code, /\bNextResponse\.(redirect|rewrite)\b/);
+
+    const evidence = [];
+    for (const ln of matcherLines.slice(0, 5)) {
+      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware matcher config" }));
+    }
+    for (const ln of redirectLines.slice(0, 5)) {
+      evidence.push(evidenceFromLine({ fileAbs, repoRoot, lineNo: ln, reason: "Next middleware redirect/rewrite" }));
+    }
+
+    const matcher = [];
+    const matcherBlock = code.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
+    if (matcherBlock && matcherBlock[1]) {
+      const raw = matcherBlock[1];
+      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
+      matcher.push(...strings);
+    }
+
+    middlewares.push({
+      file: fileRel,
+      matcher,
+      signals: guessAuthSignalsFromCode(code),
+      evidence
+    });
+  }
+
+  return middlewares;
+}
+
+async function resolveFastifyAuthSignals(repoRoot, truthpackRoutes) {
+  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
+  const signals = [];
+  const evidence = [];
+
+  for (const fileRel of handlerFiles) {
+    const fileAbs = path.join(repoRoot, fileRel);
+    if (!fs.existsSync(fileAbs)) continue;
+
+    const code = safeRead(fileAbs);
+    const sigs = guessAuthSignalsFromCode(code);
+    if (!sigs.length) continue;
+
+    for (const s of sigs) signals.push({ type: s, file: fileRel });
+
+    const authLinePatterns = [
+      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
+      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
+      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
+      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
+    ];
+
+    const lines = code.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      for (const p of authLinePatterns) {
+        if (p.rx.test(line)) {
+          evidence.push({
+            id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+            file: fileRel,
+            lines: `${i + 1}-${i + 1}`,
+            snippetHash: sha256(line),
+            reason: p.reason
+          });
+        }
+      }
+      if (evidence.length > 30) break;
+    }
+  }
+
+  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
+
+  return {
+    signalTypes: uniqueTypes,
+    signals,
+    evidence
+  };
+}
+
+function matcherCoversPath(matcherList, p) {
+  if (!Array.isArray(matcherList) || !matcherList.length) return false;
+  const pathStr = p.startsWith("/") ? p : `/${p}`;
+
+  return matcherList.some(m => {
+    if (!m) return false;
+
+    if (m.includes(":path*")) {
+      const prefix = m.split(":path*")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+    if (m.includes("(.*)")) {
+      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+
+    if (m === pathStr) return true;
+    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
+
+    return false;
+  });
+}
+
+async function buildAuthTruth(repoRoot, routesServer) {
+  const middlewares = await resolveNextMiddleware(repoRoot);
+  const matchers = middlewares.flatMap(mw => mw.matcher || []);
+  const fastify = await resolveFastifyAuthSignals(repoRoot, routesServer);
+
+  return {
+    nextMiddleware: middlewares,
+    nextMatcherPatterns: matchers,
+    fastify,
+    helpers: {
+      matcherCoversPath: "runtime-only"
+    }
+  };
+}
+
+module.exports = {
+  buildAuthTruth,
+  matcherCoversPath,
+  guessAuthSignalsFromCode
+};