@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/permissions/matrix-builder.js

@@ -1,198 +1,198 @@
-/**
- * AuthZ Matrix Builder
- * Builds authorization matrix from auth model and runtime verification
- */
-
-"use strict";
-
-const crypto = require("crypto");
-
-function sha256(text) {
-  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
-}
-
-/**
- * Build AuthZ matrix from auth model
- */
-function buildAuthZMatrix(authModel, runtimeResults = null) {
-  const matrix = {
-    meta: {
-      version: "1.0.0",
-      generatedAt: new Date().toISOString()
-    },
-    roles: authModel.roles.map(r => r.name),
-    routes: [],
-    violations: []
-  };
-
-  for (const route of authModel.routes) {
-    const routeAuthZ = {
-      path: route.path,
-      method: route.method,
-      declared: route.declared,
-      actual: {
-        anon: null,
-        user: null,
-        admin: null
-      }
-    };
-
-    // Merge runtime results if available
-    if (runtimeResults) {
-      const runtimeForRoute = runtimeResults.filter(r => 
-        matchesRoute(route.path, r.path)
-      );
-
-      for (const result of runtimeForRoute) {
-        if (result.role === "anon") {
-          routeAuthZ.actual.anon = {
-            status: result.status,
-            redirected: result.redirected,
-            accessible: result.status >= 200 && result.status < 400 && !result.redirected
-          };
-        } else if (result.role === "user") {
-          routeAuthZ.actual.user = {
-            status: result.status,
-            redirected: result.redirected,
-            accessible: result.status >= 200 && result.status < 400 && !result.redirected
-          };
-        } else if (result.role === "admin") {
-          routeAuthZ.actual.admin = {
-            status: result.status,
-            redirected: result.redirected,
-            accessible: result.status >= 200 && result.status < 400 && !result.redirected
-          };
-        }
-      }
-    }
-
-    matrix.routes.push(routeAuthZ);
-  }
-
-  // Detect violations
-  matrix.violations = detectViolations(matrix);
-
-  return matrix;
-}
-
-/**
- * Detect authorization violations
- */
-function detectViolations(matrix) {
-  const violations = [];
-
-  for (const route of matrix.routes) {
-    // Check: protected route accessible anonymously
-    if (route.declared.protected && route.actual.anon?.accessible) {
-      violations.push({
-        id: `AUTHZ_ANON_${sha256(route.path)}`,
-        severity: "BLOCK",
-        type: "anon_access",
-        route: route.path,
-        method: route.method,
-        expected: "protected (should require auth)",
-        actual: "accessible anonymously",
-        message: `Protected route ${route.path} accessible without authentication`,
-        evidence: []
-      });
-    }
-
-    // Check: role mismatch (admin route accessible by user)
-    if (route.declared.roles?.includes("admin") && 
-        !route.declared.roles?.includes("user") &&
-        route.actual.user?.accessible) {
-      violations.push({
-        id: `AUTHZ_ROLE_${sha256(route.path)}`,
-        severity: "BLOCK",
-        type: "role_mismatch",
-        route: route.path,
-        method: route.method,
-        expected: "admin only",
-        actual: "accessible by user role",
-        message: `Admin route ${route.path} accessible by non-admin users`,
-        evidence: []
-      });
-    }
-
-    // Check: protected route blocked after login (broken auth)
-    if (route.declared.protected && 
-        route.actual.anon?.redirected &&
-        route.actual.user && !route.actual.user.accessible) {
-      violations.push({
-        id: `AUTHZ_BLOCKED_${sha256(route.path)}`,
-        severity: "WARN",
-        type: "blocked_after_auth",
-        route: route.path,
-        method: route.method,
-        expected: "accessible after auth",
-        actual: `blocked (status ${route.actual.user.status})`,
-        message: `Protected route ${route.path} not accessible after authentication`,
-        evidence: []
-      });
-    }
-  }
-
-  return violations;
-}
-
-/**
- * Format matrix for display
- */
-function formatMatrix(matrix) {
-  const lines = [];
-  
-  lines.push("# AuthZ Matrix\n");
-  lines.push(`Generated: ${matrix.meta.generatedAt}`);
-  lines.push(`Roles: ${matrix.roles.join(", ")}\n`);
-
-  // Build table header
-  const header = ["Route", "Method", "Declared", "Anon", "User", "Admin"];
-  lines.push(`| ${header.join(" | ")} |`);
-  lines.push(`| ${header.map(() => "---").join(" | ")} |`);
-
-  for (const route of matrix.routes) {
-    const declared = route.declared.protected ? "🔒" : "🌐";
-    const anon = formatAccess(route.actual.anon);
-    const user = formatAccess(route.actual.user);
-    const admin = formatAccess(route.actual.admin);
-
-    lines.push(`| ${route.path} | ${route.method} | ${declared} | ${anon} | ${user} | ${admin} |`);
-  }
-
-  if (matrix.violations.length > 0) {
-    lines.push("\n## Violations\n");
-    for (const v of matrix.violations) {
-      const icon = v.severity === "BLOCK" ? "🛑" : "⚠️";
-      lines.push(`${icon} **${v.type}**: ${v.message}`);
-    }
-  }
-
-  return lines.join("\n");
-}
-
-function formatAccess(result) {
-  if (!result) return "?";
-  if (result.accessible) return "✅";
-  if (result.redirected) return "↩️";
-  return `❌ ${result.status}`;
-}
-
-function matchesRoute(pattern, actual) {
-  const patternParts = pattern.split("/").filter(Boolean);
-  const actualParts = actual.split("/").filter(Boolean);
-
-  if (patternParts.length !== actualParts.length) return false;
-
-  for (let i = 0; i < patternParts.length; i++) {
-    const p = patternParts[i];
-    if (p.startsWith(":") || p.startsWith("*")) continue;
-    if (p !== actualParts[i]) return false;
-  }
-  return true;
-}
-
-module.exports = {
-  buildAuthZMatrix,
-  detectViolations,
-  formatMatrix
-};
+/**
+ * AuthZ Matrix Builder
+ * Builds authorization matrix from auth model and runtime verification
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+
+function sha256(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
+}
+
+/**
+ * Build AuthZ matrix from auth model
+ */
+function buildAuthZMatrix(authModel, runtimeResults = null) {
+  const matrix = {
+    meta: {
+      version: "1.0.0",
+      generatedAt: new Date().toISOString()
+    },
+    roles: authModel.roles.map(r => r.name),
+    routes: [],
+    violations: []
+  };
+
+  for (const route of authModel.routes) {
+    const routeAuthZ = {
+      path: route.path,
+      method: route.method,
+      declared: route.declared,
+      actual: {
+        anon: null,
+        user: null,
+        admin: null
+      }
+    };
+
+    // Merge runtime results if available
+    if (runtimeResults) {
+      const runtimeForRoute = runtimeResults.filter(r => 
+        matchesRoute(route.path, r.path)
+      );
+
+      for (const result of runtimeForRoute) {
+        if (result.role === "anon") {
+          routeAuthZ.actual.anon = {
+            status: result.status,
+            redirected: result.redirected,
+            accessible: result.status >= 200 && result.status < 400 && !result.redirected
+          };
+        } else if (result.role === "user") {
+          routeAuthZ.actual.user = {
+            status: result.status,
+            redirected: result.redirected,
+            accessible: result.status >= 200 && result.status < 400 && !result.redirected
+          };
+        } else if (result.role === "admin") {
+          routeAuthZ.actual.admin = {
+            status: result.status,
+            redirected: result.redirected,
+            accessible: result.status >= 200 && result.status < 400 && !result.redirected
+          };
+        }
+      }
+    }
+
+    matrix.routes.push(routeAuthZ);
+  }
+
+  // Detect violations
+  matrix.violations = detectViolations(matrix);
+
+  return matrix;
+}
+
+/**
+ * Detect authorization violations
+ */
+function detectViolations(matrix) {
+  const violations = [];
+
+  for (const route of matrix.routes) {
+    // Check: protected route accessible anonymously
+    if (route.declared.protected && route.actual.anon?.accessible) {
+      violations.push({
+        id: `AUTHZ_ANON_${sha256(route.path)}`,
+        severity: "BLOCK",
+        type: "anon_access",
+        route: route.path,
+        method: route.method,
+        expected: "protected (should require auth)",
+        actual: "accessible anonymously",
+        message: `Protected route ${route.path} accessible without authentication`,
+        evidence: []
+      });
+    }
+
+    // Check: role mismatch (admin route accessible by user)
+    if (route.declared.roles?.includes("admin") && 
+        !route.declared.roles?.includes("user") &&
+        route.actual.user?.accessible) {
+      violations.push({
+        id: `AUTHZ_ROLE_${sha256(route.path)}`,
+        severity: "BLOCK",
+        type: "role_mismatch",
+        route: route.path,
+        method: route.method,
+        expected: "admin only",
+        actual: "accessible by user role",
+        message: `Admin route ${route.path} accessible by non-admin users`,
+        evidence: []
+      });
+    }
+
+    // Check: protected route blocked after login (broken auth)
+    if (route.declared.protected && 
+        route.actual.anon?.redirected &&
+        route.actual.user && !route.actual.user.accessible) {
+      violations.push({
+        id: `AUTHZ_BLOCKED_${sha256(route.path)}`,
+        severity: "WARN",
+        type: "blocked_after_auth",
+        route: route.path,
+        method: route.method,
+        expected: "accessible after auth",
+        actual: `blocked (status ${route.actual.user.status})`,
+        message: `Protected route ${route.path} not accessible after authentication`,
+        evidence: []
+      });
+    }
+  }
+
+  return violations;
+}
+
+/**
+ * Format matrix for display
+ */
+function formatMatrix(matrix) {
+  const lines = [];
+  
+  lines.push("# AuthZ Matrix\n");
+  lines.push(`Generated: ${matrix.meta.generatedAt}`);
+  lines.push(`Roles: ${matrix.roles.join(", ")}\n`);
+
+  // Build table header
+  const header = ["Route", "Method", "Declared", "Anon", "User", "Admin"];
+  lines.push(`| ${header.join(" | ")} |`);
+  lines.push(`| ${header.map(() => "---").join(" | ")} |`);
+
+  for (const route of matrix.routes) {
+    const declared = route.declared.protected ? "🔒" : "🌐";
+    const anon = formatAccess(route.actual.anon);
+    const user = formatAccess(route.actual.user);
+    const admin = formatAccess(route.actual.admin);
+
+    lines.push(`| ${route.path} | ${route.method} | ${declared} | ${anon} | ${user} | ${admin} |`);
+  }
+
+  if (matrix.violations.length > 0) {
+    lines.push("\n## Violations\n");
+    for (const v of matrix.violations) {
+      const icon = v.severity === "BLOCK" ? "🛑" : "⚠️";
+      lines.push(`${icon} **${v.type}**: ${v.message}`);
+    }
+  }
+
+  return lines.join("\n");
+}
+
+function formatAccess(result) {
+  if (!result) return "?";
+  if (result.accessible) return "✅";
+  if (result.redirected) return "↩️";
+  return `❌ ${result.status}`;
+}
+
+function matchesRoute(pattern, actual) {
+  const patternParts = pattern.split("/").filter(Boolean);
+  const actualParts = actual.split("/").filter(Boolean);
+
+  if (patternParts.length !== actualParts.length) return false;
+
+  for (let i = 0; i < patternParts.length; i++) {
+    const p = patternParts[i];
+    if (p.startsWith(":") || p.startsWith("*")) continue;
+    if (p !== actualParts[i]) return false;
+  }
+  return true;
+}
+
+module.exports = {
+  buildAuthZMatrix,
+  detectViolations,
+  formatMatrix
+};

package/bin/runners/lib/pkgjson.js

@@ -1,28 +1,28 @@
-// bin/runners/lib/pkgjson.js
-const fs = require("fs");
-const path = require("path");
-
-function readPkg(root) {
-  const p = path.join(root, "package.json");
-  if (!fs.existsSync(p)) throw new Error("package.json not found");
-  return { path: p, json: JSON.parse(fs.readFileSync(p, "utf8")) };
-}
-
-function writePkg(pkgPath, json) {
-  fs.writeFileSync(pkgPath, JSON.stringify(json, null, 2) + "\n", "utf8");
-}
-
-function upsertScripts(pkg, scripts) {
-  pkg.scripts = pkg.scripts || {};
-  const changed = [];
-
-  for (const [k, v] of Object.entries(scripts)) {
-    if (pkg.scripts[k] === v) continue;
-    pkg.scripts[k] = v;
-    changed.push(k);
-  }
-
-  return changed;
-}
-
-module.exports = { readPkg, writePkg, upsertScripts };
+// bin/runners/lib/pkgjson.js
+const fs = require("fs");
+const path = require("path");
+
+function readPkg(root) {
+  const p = path.join(root, "package.json");
+  if (!fs.existsSync(p)) throw new Error("package.json not found");
+  return { path: p, json: JSON.parse(fs.readFileSync(p, "utf8")) };
+}
+
+function writePkg(pkgPath, json) {
+  fs.writeFileSync(pkgPath, JSON.stringify(json, null, 2) + "\n", "utf8");
+}
+
+function upsertScripts(pkg, scripts) {
+  pkg.scripts = pkg.scripts || {};
+  const changed = [];
+
+  for (const [k, v] of Object.entries(scripts)) {
+    if (pkg.scripts[k] === v) continue;
+    pkg.scripts[k] = v;
+    changed.push(k);
+  }
+
+  return changed;
+}
+
+module.exports = { readPkg, writePkg, upsertScripts };