@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/doctor/modules/security.js

@@ -1,348 +1,348 @@
-/**
- * Security Diagnostics Module
- * 
- * Checks for exposed secrets, gitignore configuration, and security best practices
- */
-
-const fs = require('fs');
-const path = require('path');
-const { SEVERITY, CATEGORY, FIX_TYPE } = require('../types');
-
-const MODULE_ID = 'security';
-
-const SECRET_PATTERNS = [
-  { name: 'Stripe Live Key', pattern: /sk_live_[a-zA-Z0-9]{20,}/, critical: true },
-  { name: 'Stripe Test Key', pattern: /sk_test_[a-zA-Z0-9]{20,}/, critical: false },
-  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/, critical: true },
-  { name: 'GitHub Token', pattern: /ghp_[a-zA-Z0-9]{36}/, critical: true },
-  { name: 'GitHub OAuth', pattern: /gho_[a-zA-Z0-9]{36}/, critical: true },
-  { name: 'Private Key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, critical: true },
-  { name: 'Generic API Key', pattern: /api[_-]?key['"]?\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/, critical: false },
-  { name: 'Generic Secret', pattern: /secret['"]?\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/, critical: false },
-  { name: 'Database URL', pattern: /postgres(ql)?:\/\/[^:]+:[^@]+@/, critical: true },
-  { name: 'MongoDB URL', pattern: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@/, critical: true },
-];
-
-const REQUIRED_GITIGNORE = [
-  { pattern: '.env', name: '.env files' },
-  { pattern: 'node_modules', name: 'node_modules' },
-  { pattern: '.vibecheck', name: '.vibecheck output' },
-];
-
-function createDiagnostics(projectPath) {
-  return [
-    {
-      id: `${MODULE_ID}.env_file`,
-      name: '.env File',
-      category: CATEGORY.SECURITY,
-      parallel: true,
-      check: async () => {
-        const envPath = path.join(projectPath, '.env');
-        const envExamplePath = path.join(projectPath, '.env.example');
-        const envLocalPath = path.join(projectPath, '.env.local');
-        
-        const hasEnv = fs.existsSync(envPath);
-        const hasEnvExample = fs.existsSync(envExamplePath);
-        const hasEnvLocal = fs.existsSync(envLocalPath);
-        
-        const metadata = { hasEnv, hasEnvExample, hasEnvLocal };
-        
-        if (!hasEnv && !hasEnvLocal) {
-          return {
-            severity: SEVERITY.INFO,
-            message: 'No .env file found',
-            detail: 'Create .env for local environment variables',
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.FILE_CREATE,
-              description: 'Create .env from example',
-              path: envPath,
-              content: hasEnvExample 
-                ? fs.readFileSync(envExamplePath, 'utf8')
-                : '# Environment variables\n',
-              autoFixable: true,
-            }],
-          };
-        }
-        
-        if (hasEnv && !hasEnvExample) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: '.env exists but no .env.example',
-            detail: 'Create .env.example for team documentation',
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.COMMAND,
-              description: 'Generate .env.example from .env',
-              command: 'vibecheck ctx --env-template',
-              autoFixable: false,
-            }],
-          };
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: hasEnvExample ? '.env + .env.example' : '.env configured',
-          metadata,
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.gitignore`,
-      name: '.gitignore',
-      category: CATEGORY.SECURITY,
-      parallel: true,
-      check: async () => {
-        const gitignorePath = path.join(projectPath, '.gitignore');
-        
-        if (!fs.existsSync(gitignorePath)) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: 'No .gitignore file',
-            detail: 'Secrets and build artifacts may be committed to git',
-            fixes: [{
-              type: FIX_TYPE.FILE_CREATE,
-              description: 'Create .gitignore with common patterns',
-              path: gitignorePath,
-              content: [
-                '# Dependencies',
-                'node_modules/',
-                '',
-                '# Environment',
-                '.env',
-                '.env.local',
-                '.env.*.local',
-                '',
-                '# Build',
-                'dist/',
-                'build/',
-                '.next/',
-                '',
-                '# vibecheck',
-                '.vibecheck/',
-                '',
-                '# IDE',
-                '.idea/',
-                '.vscode/',
-                '*.swp',
-              ].join('\n'),
-              autoFixable: true,
-            }],
-          };
-        }
-        
-        const content = fs.readFileSync(gitignorePath, 'utf8');
-        const missing = REQUIRED_GITIGNORE.filter(r => !content.includes(r.pattern));
-        
-        const metadata = { 
-          missing: missing.map(m => m.pattern),
-          lines: content.split('\n').length,
-        };
-        
-        if (missing.length > 0) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: `Missing: ${missing.map(m => m.name).join(', ')}`,
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.FILE_EDIT,
-              description: 'Add missing patterns to .gitignore',
-              path: gitignorePath,
-              content: content + '\n\n# Added by vibecheck doctor\n' + 
-                missing.map(m => m.pattern).join('\n') + '\n',
-              autoFixable: true,
-            }],
-          };
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: 'Properly configured',
-          metadata,
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.exposed_secrets`,
-      name: 'Exposed Secrets',
-      category: CATEGORY.SECURITY,
-      parallel: false,
-      check: async () => {
-        const filesToCheck = [
-          'package.json',
-          'src/config.ts',
-          'src/config.js',
-          'config/index.ts',
-          'config/index.js',
-          'next.config.js',
-          'next.config.mjs',
-          '.env.example',
-          'README.md',
-        ];
-        
-        const findings = [];
-        
-        for (const file of filesToCheck) {
-          const filePath = path.join(projectPath, file);
-          if (!fs.existsSync(filePath)) continue;
-          
-          try {
-            const content = fs.readFileSync(filePath, 'utf8');
-            
-            for (const sp of SECRET_PATTERNS) {
-              if (sp.pattern.test(content)) {
-                findings.push({
-                  file,
-                  secret: sp.name,
-                  critical: sp.critical,
-                });
-              }
-            }
-          } catch {
-            // Skip unreadable files
-          }
-        }
-        
-        const metadata = { findings };
-        const criticalFindings = findings.filter(f => f.critical);
-        
-        if (criticalFindings.length > 0) {
-          return {
-            severity: SEVERITY.CRITICAL,
-            message: `${criticalFindings.length} critical secrets exposed`,
-            detail: criticalFindings.map(f => `${f.secret} in ${f.file}`).join(', '),
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.MANUAL,
-              description: 'Move secrets to .env and add to .gitignore',
-              autoFixable: false,
-            }],
-          };
-        }
-        
-        if (findings.length > 0) {
-          return {
-            severity: SEVERITY.WARNING,
-            message: `${findings.length} potential secrets found`,
-            detail: findings.map(f => `${f.secret} in ${f.file}`).join(', '),
-            metadata,
-            fixes: [{
-              type: FIX_TYPE.MANUAL,
-              description: 'Review and move secrets to .env',
-              autoFixable: false,
-            }],
-          };
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: 'No exposed secrets detected',
-          metadata,
-        };
-      },
-    },
-    {
-      id: `${MODULE_ID}.env_in_git`,
-      name: '.env in Git History',
-      category: CATEGORY.SECURITY,
-      parallel: true,
-      check: async () => {
-        const gitDir = path.join(projectPath, '.git');
-        if (!fs.existsSync(gitDir)) {
-          return {
-            severity: SEVERITY.INFO,
-            message: 'Not a git repository',
-          };
-        }
-        
-        try {
-          const { execSync } = require('child_process');
-          const result = execSync('git log --all --full-history -- .env 2>/dev/null | head -1', {
-            cwd: projectPath,
-            encoding: 'utf8',
-            timeout: 10000,
-          }).trim();
-          
-          if (result) {
-            return {
-              severity: SEVERITY.ERROR,
-              message: '.env found in git history',
-              detail: 'Secrets may be exposed in git commits',
-              fixes: [
-                {
-                  type: FIX_TYPE.LINK,
-                  description: 'Guide: Remove secrets from git history',
-                  url: 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository',
-                },
-                {
-                  type: FIX_TYPE.COMMAND,
-                  description: 'Remove .env from history (dangerous)',
-                  command: 'git filter-branch --force --index-filter "git rm --cached --ignore-unmatch .env" --prune-empty --tag-name-filter cat -- --all',
-                  dangerous: true,
-                  autoFixable: false,
-                },
-              ],
-            };
-          }
-          
-          return {
-            severity: SEVERITY.PASS,
-            message: 'No .env in git history',
-          };
-        } catch {
-          return {
-            severity: SEVERITY.INFO,
-            message: 'Could not check git history',
-          };
-        }
-      },
-    },
-    {
-      id: `${MODULE_ID}.npmrc`,
-      name: '.npmrc Security',
-      category: CATEGORY.SECURITY,
-      parallel: true,
-      check: async () => {
-        const npmrcPath = path.join(projectPath, '.npmrc');
-        
-        if (!fs.existsSync(npmrcPath)) {
-          return {
-            severity: SEVERITY.INFO,
-            message: 'No .npmrc file',
-          };
-        }
-        
-        const content = fs.readFileSync(npmrcPath, 'utf8');
-        const hasToken = content.includes('_authToken') || content.includes('//registry');
-        
-        if (hasToken) {
-          const gitignorePath = path.join(projectPath, '.gitignore');
-          const gitignoreContent = fs.existsSync(gitignorePath) 
-            ? fs.readFileSync(gitignorePath, 'utf8') 
-            : '';
-          
-          if (!gitignoreContent.includes('.npmrc')) {
-            return {
-              severity: SEVERITY.WARNING,
-              message: '.npmrc contains tokens but not in .gitignore',
-              fixes: [{
-                type: FIX_TYPE.FILE_EDIT,
-                description: 'Add .npmrc to .gitignore',
-                path: gitignorePath,
-                content: gitignoreContent + '\n.npmrc\n',
-                autoFixable: true,
-              }],
-            };
-          }
-        }
-        
-        return {
-          severity: SEVERITY.PASS,
-          message: hasToken ? 'Contains tokens (gitignored)' : 'No sensitive data',
-        };
-      },
-    },
-  ];
-}
-
-module.exports = { MODULE_ID, createDiagnostics, SECRET_PATTERNS };
+/**
+ * Security Diagnostics Module
+ * 
+ * Checks for exposed secrets, gitignore configuration, and security best practices
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { SEVERITY, CATEGORY, FIX_TYPE } = require('../types');
+
+const MODULE_ID = 'security';
+
+const SECRET_PATTERNS = [
+  { name: 'Stripe Live Key', pattern: /sk_live_[a-zA-Z0-9]{20,}/, critical: true },
+  { name: 'Stripe Test Key', pattern: /sk_test_[a-zA-Z0-9]{20,}/, critical: false },
+  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/, critical: true },
+  { name: 'GitHub Token', pattern: /ghp_[a-zA-Z0-9]{36}/, critical: true },
+  { name: 'GitHub OAuth', pattern: /gho_[a-zA-Z0-9]{36}/, critical: true },
+  { name: 'Private Key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, critical: true },
+  { name: 'Generic API Key', pattern: /api[_-]?key['"]?\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/, critical: false },
+  { name: 'Generic Secret', pattern: /secret['"]?\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/, critical: false },
+  { name: 'Database URL', pattern: /postgres(ql)?:\/\/[^:]+:[^@]+@/, critical: true },
+  { name: 'MongoDB URL', pattern: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@/, critical: true },
+];
+
+const REQUIRED_GITIGNORE = [
+  { pattern: '.env', name: '.env files' },
+  { pattern: 'node_modules', name: 'node_modules' },
+  { pattern: '.vibecheck', name: '.vibecheck output' },
+];
+
+function createDiagnostics(projectPath) {
+  return [
+    {
+      id: `${MODULE_ID}.env_file`,
+      name: '.env File',
+      category: CATEGORY.SECURITY,
+      parallel: true,
+      check: async () => {
+        const envPath = path.join(projectPath, '.env');
+        const envExamplePath = path.join(projectPath, '.env.example');
+        const envLocalPath = path.join(projectPath, '.env.local');
+        
+        const hasEnv = fs.existsSync(envPath);
+        const hasEnvExample = fs.existsSync(envExamplePath);
+        const hasEnvLocal = fs.existsSync(envLocalPath);
+        
+        const metadata = { hasEnv, hasEnvExample, hasEnvLocal };
+        
+        if (!hasEnv && !hasEnvLocal) {
+          return {
+            severity: SEVERITY.INFO,
+            message: 'No .env file found',
+            detail: 'Create .env for local environment variables',
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.FILE_CREATE,
+              description: 'Create .env from example',
+              path: envPath,
+              content: hasEnvExample 
+                ? fs.readFileSync(envExamplePath, 'utf8')
+                : '# Environment variables\n',
+              autoFixable: true,
+            }],
+          };
+        }
+        
+        if (hasEnv && !hasEnvExample) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: '.env exists but no .env.example',
+            detail: 'Create .env.example for team documentation',
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.COMMAND,
+              description: 'Generate .env.example from .env',
+              command: 'vibecheck ctx --env-template',
+              autoFixable: false,
+            }],
+          };
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: hasEnvExample ? '.env + .env.example' : '.env configured',
+          metadata,
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.gitignore`,
+      name: '.gitignore',
+      category: CATEGORY.SECURITY,
+      parallel: true,
+      check: async () => {
+        const gitignorePath = path.join(projectPath, '.gitignore');
+        
+        if (!fs.existsSync(gitignorePath)) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: 'No .gitignore file',
+            detail: 'Secrets and build artifacts may be committed to git',
+            fixes: [{
+              type: FIX_TYPE.FILE_CREATE,
+              description: 'Create .gitignore with common patterns',
+              path: gitignorePath,
+              content: [
+                '# Dependencies',
+                'node_modules/',
+                '',
+                '# Environment',
+                '.env',
+                '.env.local',
+                '.env.*.local',
+                '',
+                '# Build',
+                'dist/',
+                'build/',
+                '.next/',
+                '',
+                '# vibecheck',
+                '.vibecheck/',
+                '',
+                '# IDE',
+                '.idea/',
+                '.vscode/',
+                '*.swp',
+              ].join('\n'),
+              autoFixable: true,
+            }],
+          };
+        }
+        
+        const content = fs.readFileSync(gitignorePath, 'utf8');
+        const missing = REQUIRED_GITIGNORE.filter(r => !content.includes(r.pattern));
+        
+        const metadata = { 
+          missing: missing.map(m => m.pattern),
+          lines: content.split('\n').length,
+        };
+        
+        if (missing.length > 0) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: `Missing: ${missing.map(m => m.name).join(', ')}`,
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.FILE_EDIT,
+              description: 'Add missing patterns to .gitignore',
+              path: gitignorePath,
+              content: content + '\n\n# Added by vibecheck doctor\n' + 
+                missing.map(m => m.pattern).join('\n') + '\n',
+              autoFixable: true,
+            }],
+          };
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: 'Properly configured',
+          metadata,
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.exposed_secrets`,
+      name: 'Exposed Secrets',
+      category: CATEGORY.SECURITY,
+      parallel: false,
+      check: async () => {
+        const filesToCheck = [
+          'package.json',
+          'src/config.ts',
+          'src/config.js',
+          'config/index.ts',
+          'config/index.js',
+          'next.config.js',
+          'next.config.mjs',
+          '.env.example',
+          'README.md',
+        ];
+        
+        const findings = [];
+        
+        for (const file of filesToCheck) {
+          const filePath = path.join(projectPath, file);
+          if (!fs.existsSync(filePath)) continue;
+          
+          try {
+            const content = fs.readFileSync(filePath, 'utf8');
+            
+            for (const sp of SECRET_PATTERNS) {
+              if (sp.pattern.test(content)) {
+                findings.push({
+                  file,
+                  secret: sp.name,
+                  critical: sp.critical,
+                });
+              }
+            }
+          } catch {
+            // Skip unreadable files
+          }
+        }
+        
+        const metadata = { findings };
+        const criticalFindings = findings.filter(f => f.critical);
+        
+        if (criticalFindings.length > 0) {
+          return {
+            severity: SEVERITY.CRITICAL,
+            message: `${criticalFindings.length} critical secrets exposed`,
+            detail: criticalFindings.map(f => `${f.secret} in ${f.file}`).join(', '),
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.MANUAL,
+              description: 'Move secrets to .env and add to .gitignore',
+              autoFixable: false,
+            }],
+          };
+        }
+        
+        if (findings.length > 0) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: `${findings.length} potential secrets found`,
+            detail: findings.map(f => `${f.secret} in ${f.file}`).join(', '),
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.MANUAL,
+              description: 'Review and move secrets to .env',
+              autoFixable: false,
+            }],
+          };
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: 'No exposed secrets detected',
+          metadata,
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.env_in_git`,
+      name: '.env in Git History',
+      category: CATEGORY.SECURITY,
+      parallel: true,
+      check: async () => {
+        const gitDir = path.join(projectPath, '.git');
+        if (!fs.existsSync(gitDir)) {
+          return {
+            severity: SEVERITY.INFO,
+            message: 'Not a git repository',
+          };
+        }
+        
+        try {
+          const { execSync } = require('child_process');
+          const result = execSync('git log --all --full-history -- .env 2>/dev/null | head -1', {
+            cwd: projectPath,
+            encoding: 'utf8',
+            timeout: 10000,
+          }).trim();
+          
+          if (result) {
+            return {
+              severity: SEVERITY.ERROR,
+              message: '.env found in git history',
+              detail: 'Secrets may be exposed in git commits',
+              fixes: [
+                {
+                  type: FIX_TYPE.LINK,
+                  description: 'Guide: Remove secrets from git history',
+                  url: 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository',
+                },
+                {
+                  type: FIX_TYPE.COMMAND,
+                  description: 'Remove .env from history (dangerous)',
+                  command: 'git filter-branch --force --index-filter "git rm --cached --ignore-unmatch .env" --prune-empty --tag-name-filter cat -- --all',
+                  dangerous: true,
+                  autoFixable: false,
+                },
+              ],
+            };
+          }
+          
+          return {
+            severity: SEVERITY.PASS,
+            message: 'No .env in git history',
+          };
+        } catch {
+          return {
+            severity: SEVERITY.INFO,
+            message: 'Could not check git history',
+          };
+        }
+      },
+    },
+    {
+      id: `${MODULE_ID}.npmrc`,
+      name: '.npmrc Security',
+      category: CATEGORY.SECURITY,
+      parallel: true,
+      check: async () => {
+        const npmrcPath = path.join(projectPath, '.npmrc');
+        
+        if (!fs.existsSync(npmrcPath)) {
+          return {
+            severity: SEVERITY.INFO,
+            message: 'No .npmrc file',
+          };
+        }
+        
+        const content = fs.readFileSync(npmrcPath, 'utf8');
+        const hasToken = content.includes('_authToken') || content.includes('//registry');
+        
+        if (hasToken) {
+          const gitignorePath = path.join(projectPath, '.gitignore');
+          const gitignoreContent = fs.existsSync(gitignorePath) 
+            ? fs.readFileSync(gitignorePath, 'utf8') 
+            : '';
+          
+          if (!gitignoreContent.includes('.npmrc')) {
+            return {
+              severity: SEVERITY.WARNING,
+              message: '.npmrc contains tokens but not in .gitignore',
+              fixes: [{
+                type: FIX_TYPE.FILE_EDIT,
+                description: 'Add .npmrc to .gitignore',
+                path: gitignorePath,
+                content: gitignoreContent + '\n.npmrc\n',
+                autoFixable: true,
+              }],
+            };
+          }
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: hasToken ? 'Contains tokens (gitignored)' : 'No sensitive data',
+        };
+      },
+    },
+  ];
+}
+
+module.exports = { MODULE_ID, createDiagnostics, SECRET_PATTERNS };