@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/reality/request-hashing.js

@@ -1,416 +1,416 @@
-/**
- * Request Body Hashing v2
- * 
- * Hashes request/response bodies for correlation and duplicate detection.
- * Enables catching: duplicate mutations, no-op responses, optimistic UI mismatches.
- */
-
-"use strict";
-
-const crypto = require("crypto");
-
-// =============================================================================
-// CONSTANTS
-// =============================================================================
-
-const MAX_BODY_SIZE = 100 * 1024; // 100KB max for hashing
-const REDACT_KEYS = [
-  "password",
-  "token",
-  "secret",
-  "apiKey",
-  "api_key",
-  "authorization",
-  "auth",
-  "credit_card",
-  "creditCard",
-  "ssn",
-  "social_security",
-];
-
-// =============================================================================
-// BODY HASHING
-// =============================================================================
-
-/**
- * Hash request/response body with redaction
- */
-function hashBody(body, options = {}) {
-  const { redact = true, maxSize = MAX_BODY_SIZE } = options;
-
-  if (!body) {
-    return { hash: null, isEmpty: true, size: 0 };
-  }
-
-  let content;
-  let contentType = "unknown";
-
-  // Handle different body types
-  if (typeof body === "string") {
-    content = body;
-    contentType = detectContentType(body);
-  } else if (Buffer.isBuffer(body)) {
-    content = body.toString("utf8");
-    contentType = "binary";
-  } else if (typeof body === "object") {
-    try {
-      content = JSON.stringify(body);
-      contentType = "json";
-    } catch {
-      content = String(body);
-    }
-  } else {
-    content = String(body);
-  }
-
-  // Size check
-  const size = content.length;
-  if (size > maxSize) {
-    return {
-      hash: null,
-      isEmpty: false,
-      size,
-      truncated: true,
-      contentType,
-    };
-  }
-
-  // Redact sensitive data before hashing
-  let hashContent = content;
-  if (redact && contentType === "json") {
-    try {
-      const parsed = JSON.parse(content);
-      hashContent = JSON.stringify(redactSensitiveData(parsed));
-    } catch {
-      // Keep original if can't parse
-    }
-  }
-
-  // Compute hash
-  const hash = crypto.createHash("sha256").update(hashContent).digest("hex").slice(0, 16);
-
-  return {
-    hash,
-    isEmpty: size === 0 || content === "{}" || content === "null" || content === "[]",
-    size,
-    contentType,
-  };
-}
-
-/**
- * Detect content type from string
- */
-function detectContentType(content) {
-  if (!content) return "empty";
-  
-  const trimmed = content.trim();
-  if (trimmed.startsWith("{") || trimmed.startsWith("[")) return "json";
-  if (trimmed.startsWith("<?xml") || trimmed.startsWith("<")) return "xml";
-  if (trimmed.includes("=") && trimmed.includes("&")) return "form";
-  
-  return "text";
-}
-
-/**
- * Redact sensitive data from object
- */
-function redactSensitiveData(obj, depth = 0) {
-  if (depth > 10) return obj; // Prevent infinite recursion
-  
-  if (Array.isArray(obj)) {
-    return obj.map(item => redactSensitiveData(item, depth + 1));
-  }
-  
-  if (typeof obj === "object" && obj !== null) {
-    const redacted = {};
-    for (const [key, value] of Object.entries(obj)) {
-      const keyLower = key.toLowerCase();
-      const isSensitive = REDACT_KEYS.some(k => keyLower.includes(k.toLowerCase()));
-      
-      if (isSensitive) {
-        redacted[key] = "[REDACTED]";
-      } else if (typeof value === "object" && value !== null) {
-        redacted[key] = redactSensitiveData(value, depth + 1);
-      } else {
-        redacted[key] = value;
-      }
-    }
-    return redacted;
-  }
-  
-  return obj;
-}
-
-// =============================================================================
-// REQUEST RECORD ENHANCEMENT
-// =============================================================================
-
-/**
- * Enhance request record with body hashes
- */
-function enhanceRequestWithHashes(request, options = {}) {
-  const enhanced = { ...request };
-
-  // Hash request body
-  if (request.postData || request.body) {
-    const bodyHash = hashBody(request.postData || request.body, options);
-    enhanced.requestBodyHash = bodyHash.hash;
-    enhanced.requestBodyEmpty = bodyHash.isEmpty;
-    enhanced.requestBodySize = bodyHash.size;
-    enhanced.requestContentType = bodyHash.contentType;
-  }
-
-  // Hash response body if available
-  if (request.responseBody) {
-    const respHash = hashBody(request.responseBody, options);
-    enhanced.responseBodyHash = respHash.hash;
-    enhanced.responseBodyEmpty = respHash.isEmpty;
-    enhanced.responseBodySize = respHash.size;
-  }
-
-  return enhanced;
-}
-
-// =============================================================================
-// DUPLICATE DETECTION
-// =============================================================================
-
-/**
- * Find duplicate mutation requests
- */
-function findDuplicateMutations(requests) {
-  const mutations = requests.filter(r => 
-    ["POST", "PUT", "PATCH", "DELETE"].includes(r.method?.toUpperCase())
-  );
-
-  // Group by method + path + requestBodyHash
-  const groups = new Map();
-  
-  for (const req of mutations) {
-    if (!req.requestBodyHash) continue;
-    
-    const key = `${req.method}:${req.canonicalPath || req.url}:${req.requestBodyHash}`;
-    if (!groups.has(key)) {
-      groups.set(key, []);
-    }
-    groups.set(key, [...groups.get(key), req]);
-  }
-
-  // Find groups with duplicates
-  const duplicates = [];
-  for (const [key, reqs] of groups) {
-    if (reqs.length > 1) {
-      duplicates.push({
-        key,
-        count: reqs.length,
-        requests: reqs,
-        firstTimestamp: reqs[0].timestamp,
-        lastTimestamp: reqs[reqs.length - 1].timestamp,
-        timeDeltaMs: reqs.length > 1 
-          ? new Date(reqs[reqs.length - 1].timestamp) - new Date(reqs[0].timestamp)
-          : 0,
-      });
-    }
-  }
-
-  return duplicates;
-}
-
-/**
- * Find no-op mutations (success response with empty body)
- */
-function findNoOpMutations(requests) {
-  const noOps = [];
-
-  for (const req of requests) {
-    if (!["POST", "PUT", "PATCH"].includes(req.method?.toUpperCase())) continue;
-    
-    const isSuccess = req.status >= 200 && req.status < 300;
-    const isEmptyResponse = req.responseBodyEmpty;
-    
-    if (isSuccess && isEmptyResponse) {
-      noOps.push({
-        request: req,
-        reason: "Mutation succeeded but returned empty response",
-      });
-    }
-  }
-
-  return noOps;
-}
-
-// =============================================================================
-// UI MISMATCH DETECTION
-// =============================================================================
-
-/**
- * Detect optimistic UI that didn't match server response
- * Requires action records with before/after UI state
- */
-function detectOptimisticMismatch(action, request) {
-  const mismatches = [];
-
-  // Check if action had optimistic update
-  if (!action.optimisticUpdate) return mismatches;
-
-  // Check if request succeeded
-  if (!request || request.status < 200 || request.status >= 300) {
-    mismatches.push({
-      type: "optimistic_request_failed",
-      action,
-      request,
-      reason: "Optimistic update shown but request failed",
-    });
-    return mismatches;
-  }
-
-  // Check if response body matches what UI expected
-  if (action.expectedResponseHash && request.responseBodyHash) {
-    if (action.expectedResponseHash !== request.responseBodyHash) {
-      mismatches.push({
-        type: "optimistic_response_mismatch",
-        action,
-        request,
-        expected: action.expectedResponseHash,
-        actual: request.responseBodyHash,
-        reason: "Optimistic UI didn't match server response",
-      });
-    }
-  }
-
-  return mismatches;
-}
-
-/**
- * Analyze all actions and requests for UI mismatches
- */
-function analyzeUIMismatches(actions, requests) {
-  const mismatches = [];
-  const duplicates = findDuplicateMutations(requests);
-  const noOps = findNoOpMutations(requests);
-
-  // Duplicate mutations
-  for (const dup of duplicates) {
-    mismatches.push({
-      type: "duplicate_mutation",
-      severity: dup.timeDeltaMs < 1000 ? "WARN" : "INFO",
-      ...dup,
-      reason: `Same mutation submitted ${dup.count} times`,
-    });
-  }
-
-  // No-op mutations
-  for (const noOp of noOps) {
-    mismatches.push({
-      type: "noop_mutation",
-      severity: "WARN",
-      ...noOp,
-    });
-  }
-
-  // Optimistic mismatches
-  for (const action of actions) {
-    // Find associated request
-    const request = requests.find(r => 
-      r.actionId === action.id ||
-      (r.timestamp >= action.startTime && r.timestamp <= action.endTime)
-    );
-    
-    const actionMismatches = detectOptimisticMismatch(action, request);
-    for (const m of actionMismatches) {
-      mismatches.push({
-        ...m,
-        severity: "BLOCK",
-      });
-    }
-  }
-
-  return mismatches;
-}
-
-// =============================================================================
-// PLAYWRIGHT INTEGRATION
-// =============================================================================
-
-/**
- * Playwright script to capture request/response bodies
- * Inject this to capture bodies during crawling
- */
-const PLAYWRIGHT_BODY_CAPTURE_SCRIPT = `
-// Vibecheck Request Body Capture
-window.__vibecheck_request_bodies = window.__vibecheck_request_bodies || new Map();
-
-// Intercept fetch
-const originalFetch = window.fetch;
-window.fetch = async function(...args) {
-  const [input, init] = args;
-  const url = typeof input === 'string' ? input : input.url;
-  const method = init?.method || 'GET';
-  
-  // Capture request body
-  if (init?.body) {
-    const id = crypto.randomUUID();
-    window.__vibecheck_request_bodies.set(id, {
-      url,
-      method,
-      requestBody: typeof init.body === 'string' ? init.body : JSON.stringify(init.body),
-      timestamp: Date.now(),
-    });
-  }
-  
-  const response = await originalFetch.apply(this, args);
-  return response;
-};
-
-// Intercept XMLHttpRequest
-const originalXhrOpen = XMLHttpRequest.prototype.open;
-const originalXhrSend = XMLHttpRequest.prototype.send;
-
-XMLHttpRequest.prototype.open = function(method, url) {
-  this.__vibecheck_method = method;
-  this.__vibecheck_url = url;
-  return originalXhrOpen.apply(this, arguments);
-};
-
-XMLHttpRequest.prototype.send = function(body) {
-  if (body) {
-    const id = crypto.randomUUID();
-    window.__vibecheck_request_bodies.set(id, {
-      url: this.__vibecheck_url,
-      method: this.__vibecheck_method,
-      requestBody: typeof body === 'string' ? body : JSON.stringify(body),
-      timestamp: Date.now(),
-    });
-  }
-  return originalXhrSend.apply(this, arguments);
-};
-`;
-
-// =============================================================================
-// EXPORTS
-// =============================================================================
-
-module.exports = {
-  // Core hashing
-  hashBody,
-  detectContentType,
-  redactSensitiveData,
-  REDACT_KEYS,
-
-  // Request enhancement
-  enhanceRequestWithHashes,
-
-  // Duplicate detection
-  findDuplicateMutations,
-  findNoOpMutations,
-
-  // UI mismatch detection
-  detectOptimisticMismatch,
-  analyzeUIMismatches,
-
-  // Playwright integration
-  PLAYWRIGHT_BODY_CAPTURE_SCRIPT,
-
-  // Constants
-  MAX_BODY_SIZE,
-};
+/**
+ * Request Body Hashing v2
+ * 
+ * Hashes request/response bodies for correlation and duplicate detection.
+ * Enables catching: duplicate mutations, no-op responses, optimistic UI mismatches.
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+
+const MAX_BODY_SIZE = 100 * 1024; // 100KB max for hashing
+const REDACT_KEYS = [
+  "password",
+  "token",
+  "secret",
+  "apiKey",
+  "api_key",
+  "authorization",
+  "auth",
+  "credit_card",
+  "creditCard",
+  "ssn",
+  "social_security",
+];
+
+// =============================================================================
+// BODY HASHING
+// =============================================================================
+
+/**
+ * Hash request/response body with redaction
+ */
+function hashBody(body, options = {}) {
+  const { redact = true, maxSize = MAX_BODY_SIZE } = options;
+
+  if (!body) {
+    return { hash: null, isEmpty: true, size: 0 };
+  }
+
+  let content;
+  let contentType = "unknown";
+
+  // Handle different body types
+  if (typeof body === "string") {
+    content = body;
+    contentType = detectContentType(body);
+  } else if (Buffer.isBuffer(body)) {
+    content = body.toString("utf8");
+    contentType = "binary";
+  } else if (typeof body === "object") {
+    try {
+      content = JSON.stringify(body);
+      contentType = "json";
+    } catch {
+      content = String(body);
+    }
+  } else {
+    content = String(body);
+  }
+
+  // Size check
+  const size = content.length;
+  if (size > maxSize) {
+    return {
+      hash: null,
+      isEmpty: false,
+      size,
+      truncated: true,
+      contentType,
+    };
+  }
+
+  // Redact sensitive data before hashing
+  let hashContent = content;
+  if (redact && contentType === "json") {
+    try {
+      const parsed = JSON.parse(content);
+      hashContent = JSON.stringify(redactSensitiveData(parsed));
+    } catch {
+      // Keep original if can't parse
+    }
+  }
+
+  // Compute hash
+  const hash = crypto.createHash("sha256").update(hashContent).digest("hex").slice(0, 16);
+
+  return {
+    hash,
+    isEmpty: size === 0 || content === "{}" || content === "null" || content === "[]",
+    size,
+    contentType,
+  };
+}
+
+/**
+ * Detect content type from string
+ */
+function detectContentType(content) {
+  if (!content) return "empty";
+  
+  const trimmed = content.trim();
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) return "json";
+  if (trimmed.startsWith("<?xml") || trimmed.startsWith("<")) return "xml";
+  if (trimmed.includes("=") && trimmed.includes("&")) return "form";
+  
+  return "text";
+}
+
+/**
+ * Redact sensitive data from object
+ */
+function redactSensitiveData(obj, depth = 0) {
+  if (depth > 10) return obj; // Prevent infinite recursion
+  
+  if (Array.isArray(obj)) {
+    return obj.map(item => redactSensitiveData(item, depth + 1));
+  }
+  
+  if (typeof obj === "object" && obj !== null) {
+    const redacted = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const keyLower = key.toLowerCase();
+      const isSensitive = REDACT_KEYS.some(k => keyLower.includes(k.toLowerCase()));
+      
+      if (isSensitive) {
+        redacted[key] = "[REDACTED]";
+      } else if (typeof value === "object" && value !== null) {
+        redacted[key] = redactSensitiveData(value, depth + 1);
+      } else {
+        redacted[key] = value;
+      }
+    }
+    return redacted;
+  }
+  
+  return obj;
+}
+
+// =============================================================================
+// REQUEST RECORD ENHANCEMENT
+// =============================================================================
+
+/**
+ * Enhance request record with body hashes
+ */
+function enhanceRequestWithHashes(request, options = {}) {
+  const enhanced = { ...request };
+
+  // Hash request body
+  if (request.postData || request.body) {
+    const bodyHash = hashBody(request.postData || request.body, options);
+    enhanced.requestBodyHash = bodyHash.hash;
+    enhanced.requestBodyEmpty = bodyHash.isEmpty;
+    enhanced.requestBodySize = bodyHash.size;
+    enhanced.requestContentType = bodyHash.contentType;
+  }
+
+  // Hash response body if available
+  if (request.responseBody) {
+    const respHash = hashBody(request.responseBody, options);
+    enhanced.responseBodyHash = respHash.hash;
+    enhanced.responseBodyEmpty = respHash.isEmpty;
+    enhanced.responseBodySize = respHash.size;
+  }
+
+  return enhanced;
+}
+
+// =============================================================================
+// DUPLICATE DETECTION
+// =============================================================================
+
+/**
+ * Find duplicate mutation requests
+ */
+function findDuplicateMutations(requests) {
+  const mutations = requests.filter(r => 
+    ["POST", "PUT", "PATCH", "DELETE"].includes(r.method?.toUpperCase())
+  );
+
+  // Group by method + path + requestBodyHash
+  const groups = new Map();
+  
+  for (const req of mutations) {
+    if (!req.requestBodyHash) continue;
+    
+    const key = `${req.method}:${req.canonicalPath || req.url}:${req.requestBodyHash}`;
+    if (!groups.has(key)) {
+      groups.set(key, []);
+    }
+    groups.set(key, [...groups.get(key), req]);
+  }
+
+  // Find groups with duplicates
+  const duplicates = [];
+  for (const [key, reqs] of groups) {
+    if (reqs.length > 1) {
+      duplicates.push({
+        key,
+        count: reqs.length,
+        requests: reqs,
+        firstTimestamp: reqs[0].timestamp,
+        lastTimestamp: reqs[reqs.length - 1].timestamp,
+        timeDeltaMs: reqs.length > 1 
+          ? new Date(reqs[reqs.length - 1].timestamp) - new Date(reqs[0].timestamp)
+          : 0,
+      });
+    }
+  }
+
+  return duplicates;
+}
+
+/**
+ * Find no-op mutations (success response with empty body)
+ */
+function findNoOpMutations(requests) {
+  const noOps = [];
+
+  for (const req of requests) {
+    if (!["POST", "PUT", "PATCH"].includes(req.method?.toUpperCase())) continue;
+    
+    const isSuccess = req.status >= 200 && req.status < 300;
+    const isEmptyResponse = req.responseBodyEmpty;
+    
+    if (isSuccess && isEmptyResponse) {
+      noOps.push({
+        request: req,
+        reason: "Mutation succeeded but returned empty response",
+      });
+    }
+  }
+
+  return noOps;
+}
+
+// =============================================================================
+// UI MISMATCH DETECTION
+// =============================================================================
+
+/**
+ * Detect optimistic UI that didn't match server response
+ * Requires action records with before/after UI state
+ */
+function detectOptimisticMismatch(action, request) {
+  const mismatches = [];
+
+  // Check if action had optimistic update
+  if (!action.optimisticUpdate) return mismatches;
+
+  // Check if request succeeded
+  if (!request || request.status < 200 || request.status >= 300) {
+    mismatches.push({
+      type: "optimistic_request_failed",
+      action,
+      request,
+      reason: "Optimistic update shown but request failed",
+    });
+    return mismatches;
+  }
+
+  // Check if response body matches what UI expected
+  if (action.expectedResponseHash && request.responseBodyHash) {
+    if (action.expectedResponseHash !== request.responseBodyHash) {
+      mismatches.push({
+        type: "optimistic_response_mismatch",
+        action,
+        request,
+        expected: action.expectedResponseHash,
+        actual: request.responseBodyHash,
+        reason: "Optimistic UI didn't match server response",
+      });
+    }
+  }
+
+  return mismatches;
+}
+
+/**
+ * Analyze all actions and requests for UI mismatches
+ */
+function analyzeUIMismatches(actions, requests) {
+  const mismatches = [];
+  const duplicates = findDuplicateMutations(requests);
+  const noOps = findNoOpMutations(requests);
+
+  // Duplicate mutations
+  for (const dup of duplicates) {
+    mismatches.push({
+      type: "duplicate_mutation",
+      severity: dup.timeDeltaMs < 1000 ? "WARN" : "INFO",
+      ...dup,
+      reason: `Same mutation submitted ${dup.count} times`,
+    });
+  }
+
+  // No-op mutations
+  for (const noOp of noOps) {
+    mismatches.push({
+      type: "noop_mutation",
+      severity: "WARN",
+      ...noOp,
+    });
+  }
+
+  // Optimistic mismatches
+  for (const action of actions) {
+    // Find associated request
+    const request = requests.find(r => 
+      r.actionId === action.id ||
+      (r.timestamp >= action.startTime && r.timestamp <= action.endTime)
+    );
+    
+    const actionMismatches = detectOptimisticMismatch(action, request);
+    for (const m of actionMismatches) {
+      mismatches.push({
+        ...m,
+        severity: "BLOCK",
+      });
+    }
+  }
+
+  return mismatches;
+}
+
+// =============================================================================
+// PLAYWRIGHT INTEGRATION
+// =============================================================================
+
+/**
+ * Playwright script to capture request/response bodies
+ * Inject this to capture bodies during crawling
+ */
+const PLAYWRIGHT_BODY_CAPTURE_SCRIPT = `
+// Vibecheck Request Body Capture
+window.__vibecheck_request_bodies = window.__vibecheck_request_bodies || new Map();
+
+// Intercept fetch
+const originalFetch = window.fetch;
+window.fetch = async function(...args) {
+  const [input, init] = args;
+  const url = typeof input === 'string' ? input : input.url;
+  const method = init?.method || 'GET';
+  
+  // Capture request body
+  if (init?.body) {
+    const id = crypto.randomUUID();
+    window.__vibecheck_request_bodies.set(id, {
+      url,
+      method,
+      requestBody: typeof init.body === 'string' ? init.body : JSON.stringify(init.body),
+      timestamp: Date.now(),
+    });
+  }
+  
+  const response = await originalFetch.apply(this, args);
+  return response;
+};
+
+// Intercept XMLHttpRequest
+const originalXhrOpen = XMLHttpRequest.prototype.open;
+const originalXhrSend = XMLHttpRequest.prototype.send;
+
+XMLHttpRequest.prototype.open = function(method, url) {
+  this.__vibecheck_method = method;
+  this.__vibecheck_url = url;
+  return originalXhrOpen.apply(this, arguments);
+};
+
+XMLHttpRequest.prototype.send = function(body) {
+  if (body) {
+    const id = crypto.randomUUID();
+    window.__vibecheck_request_bodies.set(id, {
+      url: this.__vibecheck_url,
+      method: this.__vibecheck_method,
+      requestBody: typeof body === 'string' ? body : JSON.stringify(body),
+      timestamp: Date.now(),
+    });
+  }
+  return originalXhrSend.apply(this, arguments);
+};
+`;
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  // Core hashing
+  hashBody,
+  detectContentType,
+  redactSensitiveData,
+  REDACT_KEYS,
+
+  // Request enhancement
+  enhanceRequestWithHashes,
+
+  // Duplicate detection
+  findDuplicateMutations,
+  findNoOpMutations,
+
+  // UI mismatch detection
+  detectOptimisticMismatch,
+  analyzeUIMismatches,
+
+  // Playwright integration
+  PLAYWRIGHT_BODY_CAPTURE_SCRIPT,
+
+  // Constants
+  MAX_BODY_SIZE,
+};