@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/permissions/auth-model.js

@@ -1,213 +1,213 @@
-/**
- * Auth Model Extractor
- * Extracts authorization model from code and contracts
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const fg = require("fast-glob");
-const parser = require("@babel/parser");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-
-/**
- * Extract auth model from codebase
- */
-async function extractAuthModel(repoRoot, truthpack) {
-  const model = {
-    version: "1.0.0",
-    generatedAt: new Date().toISOString(),
-    roles: [],
-    routes: [],
-    rbacPatterns: [],
-    evidence: []
-  };
-
-  // Extract from truthpack
-  if (truthpack?.auth) {
-    model.protectedPatterns = truthpack.auth.nextMatcherPatterns || [];
-    
-    // Add middleware evidence
-    for (const mw of truthpack.auth.nextMiddleware || []) {
-      model.evidence.push({
-        type: "next_middleware",
-        file: mw.file,
-        signals: mw.signalTypes || []
-      });
-    }
-  }
-
-  // Extract role patterns from code
-  const rolePatterns = await extractRolePatterns(repoRoot);
-  model.rbacPatterns = rolePatterns;
-
-  // Infer roles from patterns
-  model.roles = inferRoles(rolePatterns, truthpack);
-
-  // Build route auth map
-  model.routes = buildRouteAuthMap(truthpack, model.roles);
-
-  return model;
-}
-
-/**
- * Extract RBAC patterns from code
- */
-async function extractRolePatterns(repoRoot) {
-  const patterns = [];
-
-  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
-  });
-
-  for (const fileAbs of files) {
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-    const code = fs.readFileSync(fileAbs, "utf8");
-
-    // Look for role-related patterns
-    const roleMatches = [
-      // role === 'admin'
-      /role\s*===?\s*['"](\w+)['"]/gi,
-      // isAdmin, isUser
-      /\b(is(?:Admin|User|Manager|Owner|Moderator))\b/gi,
-      // hasRole('admin')
-      /hasRole\s*\(\s*['"](\w+)['"]\s*\)/gi,
-      // checkPermission('edit')
-      /check(?:Permission|Auth)\s*\(\s*['"](\w+)['"]\s*\)/gi,
-      // [role: 'admin']
-      /role:\s*['"](\w+)['"]/gi
-    ];
-
-    for (const pattern of roleMatches) {
-      let match;
-      while ((match = pattern.exec(code)) !== null) {
-        patterns.push({
-          type: "role_check",
-          file: fileRel,
-          role: match[1],
-          line: code.substring(0, match.index).split("\n").length
-        });
-      }
-    }
-  }
-
-  return patterns;
-}
-
-/**
- * Infer roles from patterns
- */
-function inferRoles(patterns, truthpack) {
-  const roleNames = new Set();
-
-  // Common roles
-  roleNames.add("user");
-  roleNames.add("admin");
-
-  // From patterns
-  for (const p of patterns) {
-    if (p.role) {
-      roleNames.add(p.role.toLowerCase());
-    }
-    // Extract from isAdmin -> admin
-    if (p.role?.startsWith("is")) {
-      roleNames.add(p.role.substring(2).toLowerCase());
-    }
-  }
-
-  // Build role objects
-  const roles = [];
-  for (const name of roleNames) {
-    const role = {
-      name,
-      routes: [],
-      evidence: patterns.filter(p => 
-        p.role?.toLowerCase() === name || 
-        p.role?.toLowerCase() === `is${name}`
-      )
-    };
-    roles.push(role);
-  }
-
-  return roles;
-}
-
-/**
- * Build route auth map
- */
-function buildRouteAuthMap(truthpack, roles) {
-  const routes = [];
-  const serverRoutes = truthpack?.routes?.server || [];
-  const protectedPatterns = truthpack?.auth?.nextMatcherPatterns || [];
-
-  for (const route of serverRoutes) {
-    const isProtected = protectedPatterns.some(p => matchesPattern(route.path, p));
-    
-    const routeAuth = {
-      path: route.path,
-      method: route.method,
-      handler: route.handler,
-      declared: {
-        protected: isProtected,
-        roles: inferRouteRoles(route, roles),
-        public: !isProtected && isPublicRoute(route.path)
-      },
-      actual: null // Filled by runtime verification
-    };
-
-    routes.push(routeAuth);
-  }
-
-  return routes;
-}
-
-/**
- * Infer which roles can access a route
- */
-function inferRouteRoles(route, roles) {
-  const routeRoles = [];
-
-  // Admin routes
-  if (route.path.includes("/admin")) {
-    routeRoles.push("admin");
-  }
-
-  // User routes (most authenticated routes)
-  if (!route.path.includes("/admin") && !route.path.includes("/public")) {
-    routeRoles.push("user");
-  }
-
-  return routeRoles;
-}
-
-function isPublicRoute(path) {
-  const publicPatterns = [
-    /^\/api\/health/i,
-    /^\/api\/status/i,
-    /^\/api\/public\//i,
-    /^\/_next\//i,
-    /^\/favicon/i
-  ];
-  return publicPatterns.some(p => p.test(path));
-}
-
-function matchesPattern(path, pattern) {
-  const normPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
-  try {
-    const rx = new RegExp(`^${normPattern}`, "i");
-    return rx.test(path);
-  } catch {
-    return false;
-  }
-}
-
-module.exports = {
-  extractAuthModel,
-  extractRolePatterns,
-  inferRoles,
-  buildRouteAuthMap
-};
+/**
+ * Auth Model Extractor
+ * Extracts authorization model from code and contracts
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const fg = require("fast-glob");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+
+/**
+ * Extract auth model from codebase
+ */
+async function extractAuthModel(repoRoot, truthpack) {
+  const model = {
+    version: "1.0.0",
+    generatedAt: new Date().toISOString(),
+    roles: [],
+    routes: [],
+    rbacPatterns: [],
+    evidence: []
+  };
+
+  // Extract from truthpack
+  if (truthpack?.auth) {
+    model.protectedPatterns = truthpack.auth.nextMatcherPatterns || [];
+    
+    // Add middleware evidence
+    for (const mw of truthpack.auth.nextMiddleware || []) {
+      model.evidence.push({
+        type: "next_middleware",
+        file: mw.file,
+        signals: mw.signalTypes || []
+      });
+    }
+  }
+
+  // Extract role patterns from code
+  const rolePatterns = await extractRolePatterns(repoRoot);
+  model.rbacPatterns = rolePatterns;
+
+  // Infer roles from patterns
+  model.roles = inferRoles(rolePatterns, truthpack);
+
+  // Build route auth map
+  model.routes = buildRouteAuthMap(truthpack, model.roles);
+
+  return model;
+}
+
+/**
+ * Extract RBAC patterns from code
+ */
+async function extractRolePatterns(repoRoot) {
+  const patterns = [];
+
+  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+  });
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = fs.readFileSync(fileAbs, "utf8");
+
+    // Look for role-related patterns
+    const roleMatches = [
+      // role === 'admin'
+      /role\s*===?\s*['"](\w+)['"]/gi,
+      // isAdmin, isUser
+      /\b(is(?:Admin|User|Manager|Owner|Moderator))\b/gi,
+      // hasRole('admin')
+      /hasRole\s*\(\s*['"](\w+)['"]\s*\)/gi,
+      // checkPermission('edit')
+      /check(?:Permission|Auth)\s*\(\s*['"](\w+)['"]\s*\)/gi,
+      // [role: 'admin']
+      /role:\s*['"](\w+)['"]/gi
+    ];
+
+    for (const pattern of roleMatches) {
+      let match;
+      while ((match = pattern.exec(code)) !== null) {
+        patterns.push({
+          type: "role_check",
+          file: fileRel,
+          role: match[1],
+          line: code.substring(0, match.index).split("\n").length
+        });
+      }
+    }
+  }
+
+  return patterns;
+}
+
+/**
+ * Infer roles from patterns
+ */
+function inferRoles(patterns, truthpack) {
+  const roleNames = new Set();
+
+  // Common roles
+  roleNames.add("user");
+  roleNames.add("admin");
+
+  // From patterns
+  for (const p of patterns) {
+    if (p.role) {
+      roleNames.add(p.role.toLowerCase());
+    }
+    // Extract from isAdmin -> admin
+    if (p.role?.startsWith("is")) {
+      roleNames.add(p.role.substring(2).toLowerCase());
+    }
+  }
+
+  // Build role objects
+  const roles = [];
+  for (const name of roleNames) {
+    const role = {
+      name,
+      routes: [],
+      evidence: patterns.filter(p => 
+        p.role?.toLowerCase() === name || 
+        p.role?.toLowerCase() === `is${name}`
+      )
+    };
+    roles.push(role);
+  }
+
+  return roles;
+}
+
+/**
+ * Build route auth map
+ */
+function buildRouteAuthMap(truthpack, roles) {
+  const routes = [];
+  const serverRoutes = truthpack?.routes?.server || [];
+  const protectedPatterns = truthpack?.auth?.nextMatcherPatterns || [];
+
+  for (const route of serverRoutes) {
+    const isProtected = protectedPatterns.some(p => matchesPattern(route.path, p));
+    
+    const routeAuth = {
+      path: route.path,
+      method: route.method,
+      handler: route.handler,
+      declared: {
+        protected: isProtected,
+        roles: inferRouteRoles(route, roles),
+        public: !isProtected && isPublicRoute(route.path)
+      },
+      actual: null // Filled by runtime verification
+    };
+
+    routes.push(routeAuth);
+  }
+
+  return routes;
+}
+
+/**
+ * Infer which roles can access a route
+ */
+function inferRouteRoles(route, roles) {
+  const routeRoles = [];
+
+  // Admin routes
+  if (route.path.includes("/admin")) {
+    routeRoles.push("admin");
+  }
+
+  // User routes (most authenticated routes)
+  if (!route.path.includes("/admin") && !route.path.includes("/public")) {
+    routeRoles.push("user");
+  }
+
+  return routeRoles;
+}
+
+function isPublicRoute(path) {
+  const publicPatterns = [
+    /^\/api\/health/i,
+    /^\/api\/status/i,
+    /^\/api\/public\//i,
+    /^\/_next\//i,
+    /^\/favicon/i
+  ];
+  return publicPatterns.some(p => p.test(path));
+}
+
+function matchesPattern(path, pattern) {
+  const normPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
+  try {
+    const rx = new RegExp(`^${normPattern}`, "i");
+    return rx.test(path);
+  } catch {
+    return false;
+  }
+}
+
+module.exports = {
+  extractAuthModel,
+  extractRolePatterns,
+  inferRoles,
+  buildRouteAuthMap
+};