npm - @vibecheckai/cli - Versions diffs - 3.2.6 → 3.3.0 - Mend

@vibecheckai/cli 3.2.6 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/bin/registry.js +192 -5
package/bin/runners/lib/agent-firewall/change-packet/builder.js +280 -6
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +312 -4
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +113 -1
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +133 -6
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +321 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/analyzers.js +81 -18
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/cli-output.js +7 -1
package/bin/runners/lib/error-handler.js +16 -9
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/global-flags.js +37 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/unified-cli-output.js +604 -0
package/bin/runners/lib/upsell.js +148 -0
package/bin/runners/runApprove.js +1200 -0
package/bin/runners/runAuth.js +324 -95
package/bin/runners/runCheckpoint.js +39 -21
package/bin/runners/runClassify.js +859 -0
package/bin/runners/runContext.js +136 -24
package/bin/runners/runDoctor.js +108 -68
package/bin/runners/runFix.js +6 -5
package/bin/runners/runGuard.js +212 -118
package/bin/runners/runInit.js +3 -2
package/bin/runners/runMcp.js +130 -52
package/bin/runners/runPolish.js +43 -20
package/bin/runners/runProve.js +1 -2
package/bin/runners/runReport.js +3 -2
package/bin/runners/runScan.js +63 -44
package/bin/runners/runShip.js +3 -4
package/bin/runners/runValidate.js +19 -2
package/bin/runners/runWatch.js +104 -53
package/bin/vibecheck.js +106 -19
package/mcp-server/HARDENING_SUMMARY.md +299 -0
package/mcp-server/agent-firewall-interceptor.js +367 -31
package/mcp-server/authority-tools.js +569 -0
package/mcp-server/conductor/conflict-resolver.js +588 -0
package/mcp-server/conductor/execution-planner.js +544 -0
package/mcp-server/conductor/index.js +377 -0
package/mcp-server/conductor/lock-manager.js +615 -0
package/mcp-server/conductor/request-queue.js +550 -0
package/mcp-server/conductor/session-manager.js +500 -0
package/mcp-server/conductor/tools.js +510 -0
package/mcp-server/index.js +1149 -243
package/mcp-server/lib/{api-client.js → api-client.cjs} +40 -4
package/mcp-server/lib/logger.cjs +30 -0
package/mcp-server/logger.js +173 -0
package/mcp-server/package.json +2 -2
package/mcp-server/premium-tools.js +2 -2
package/mcp-server/tier-auth.js +245 -35
package/mcp-server/truth-firewall-tools.js +145 -15
package/mcp-server/vibecheck-tools.js +2 -2
package/package.json +2 -3
package/mcp-server/index.old.js +0 -4137
package/mcp-server/package-lock.json +0 -165

package/mcp-server/lib/{api-client.js → api-client.cjs} RENAMED Viewed

@@ -12,7 +12,7 @@
 const https = require("https");
 const http = require("http");
-const { logger } = require("./logger");
+const { logger } = require("./logger.cjs");
 // Configuration
 const API_BASE_URL = process.env.VIBECHECK_API_URL || "https://api.vibecheckai.dev";
@@ -146,6 +146,36 @@ function getApiKey() {
   return null;
 }
+// =============================================================================
+// SECURITY: Input Validation
+// =============================================================================
+/**
+ * Validate scanId format to prevent path injection.
+ *
+ * SECURITY FIX: scanId is interpolated into URLs like `/api/scans/${scanId}/progress`.
+ * Without validation, an attacker could inject path segments:
+ *   scanId = "../../admin/delete"
+ *   → URL becomes "/api/scans/../../admin/delete/progress"
+ *
+ * @param {string} scanId - The scan ID to validate
+ * @returns {string} - The validated scanId
+ * @throws {Error} - If scanId is invalid
+ */
+function validateScanId(scanId) {
+  if (!scanId || typeof scanId !== 'string') {
+    throw new Error('scanId is required and must be a string');
+  }
+  // Only allow alphanumeric, hyphens, underscores (no dots, slashes, etc.)
+  // Max length 64 to prevent abuse
+  if (!/^[a-zA-Z0-9_-]{1,64}$/.test(scanId)) {
+    throw new Error('Invalid scanId format - must be alphanumeric with hyphens/underscores only, max 64 chars');
+  }
+  return scanId;
+}
 /**
  * Create a new scan record
  */
@@ -179,7 +209,9 @@ async function createScan(options) {
  * Update scan progress
  */
 async function updateScanProgress(scanId, progress, status = null) {
-  const response = await makeRequest(`/api/scans/${scanId}/progress`, {
+  const validatedId = validateScanId(scanId);
+  const response = await makeRequest(`/api/scans/${validatedId}/progress`, {
     body: {
       progress,
       status,
@@ -197,6 +229,8 @@ async function updateScanProgress(scanId, progress, status = null) {
  * Submit scan results
  */
 async function submitScanResults(scanId, results) {
+  const validatedId = validateScanId(scanId);
   const {
     verdict,
     score,
@@ -207,7 +241,7 @@ async function submitScanResults(scanId, results) {
     metadata = {},
   } = results;
-  const response = await makeRequest(`/api/scans/${scanId}/complete`, {
+  const response = await makeRequest(`/api/scans/${validatedId}/complete`, {
     body: {
       verdict,
       score,
@@ -230,7 +264,9 @@ async function submitScanResults(scanId, results) {
  * Report scan error
  */
 async function reportScanError(scanId, error) {
-  const response = await makeRequest(`/api/scans/${scanId}/error`, {
+  const validatedId = validateScanId(scanId);
+  const response = await makeRequest(`/api/scans/${validatedId}/error`, {
     body: {
       error: error.message || String(error),
       stack: error.stack,

package/mcp-server/lib/logger.cjs ADDED Viewed

@@ -0,0 +1,30 @@
+/**
+ * Simple logger for MCP server
+ * Outputs to stderr to avoid interfering with MCP stdio protocol
+ */
+"use strict";
+const DEBUG = process.env.VIBECHECK_DEBUG === "true" || process.env.DEBUG === "true";
+const logger = {
+  debug(...args) {
+    if (DEBUG) {
+      console.error("[DEBUG]", ...args);
+    }
+  },
+  info(...args) {
+    console.error("[INFO]", ...args);
+  },
+  warn(...args) {
+    console.error("[WARN]", ...args);
+  },
+  error(...args) {
+    console.error("[ERROR]", ...args);
+  },
+};
+module.exports = { logger };

package/mcp-server/logger.js ADDED Viewed

@@ -0,0 +1,173 @@
+/**
+ * VibeCheck MCP Server Logger
+ *
+ * Centralized logging utility for all MCP server modules.
+ * Avoids console.log/warn/error in production code.
+ */
+"use strict";
+/**
+ * Log levels
+ */
+export const LOG_LEVELS = {
+  DEBUG: 0,
+  INFO: 1,
+  WARN: 2,
+  ERROR: 3,
+  SILENT: 4,
+};
+/**
+ * Current log level (can be set via environment)
+ */
+let currentLevel = LOG_LEVELS.INFO;
+// Set from environment
+if (process.env.VIBECHECK_LOG_LEVEL) {
+  const envLevel = process.env.VIBECHECK_LOG_LEVEL.toUpperCase();
+  if (LOG_LEVELS[envLevel] !== undefined) {
+    currentLevel = LOG_LEVELS[envLevel];
+  }
+}
+/**
+ * Log buffer for testing/inspection
+ */
+const logBuffer = [];
+const MAX_BUFFER_SIZE = 1000;
+/**
+ * Format a log message
+ * @param {string} level - Log level
+ * @param {string} module - Module name
+ * @param {string} message - Log message
+ * @returns {string} Formatted message
+ */
+function formatMessage(level, module, message) {
+  const timestamp = new Date().toISOString();
+  return `[${timestamp}] [${level}] [${module}] ${message}`;
+}
+/**
+ * Write a log entry
+ * @param {number} level - Log level number
+ * @param {string} levelName - Level name
+ * @param {string} module - Module name
+ * @param {string} message - Message
+ * @param {Error} [error] - Optional error object
+ */
+function writeLog(level, levelName, module, message, error = null) {
+  if (level < currentLevel) return;
+  const formatted = formatMessage(levelName, module, message);
+  // Add to buffer
+  logBuffer.push({
+    timestamp: new Date(),
+    level: levelName,
+    module,
+    message,
+    error: error ? { message: error.message, stack: error.stack } : null,
+  });
+  // Trim buffer
+  if (logBuffer.length > MAX_BUFFER_SIZE) {
+    logBuffer.shift();
+  }
+  // Write to stderr (MCP servers should write logs to stderr, stdout is for JSON-RPC)
+  if (level >= LOG_LEVELS.WARN) {
+    process.stderr.write(formatted + '\n');
+  } else if (process.env.VIBECHECK_DEBUG || currentLevel === LOG_LEVELS.DEBUG) {
+    process.stderr.write(formatted + '\n');
+  }
+}
+/**
+ * Create a logger for a specific module
+ * @param {string} moduleName - Module name
+ * @returns {Object} Logger instance
+ */
+export function createLogger(moduleName) {
+  return {
+    debug: (message) => writeLog(LOG_LEVELS.DEBUG, 'DEBUG', moduleName, message),
+    info: (message) => writeLog(LOG_LEVELS.INFO, 'INFO', moduleName, message),
+    warn: (message, error = null) => writeLog(LOG_LEVELS.WARN, 'WARN', moduleName, message, error),
+    error: (message, error = null) => writeLog(LOG_LEVELS.ERROR, 'ERROR', moduleName, message, error),
+  };
+}
+/**
+ * Set the global log level
+ * @param {string|number} level - Level name or number
+ */
+export function setLogLevel(level) {
+  if (typeof level === 'string') {
+    const upperLevel = level.toUpperCase();
+    if (LOG_LEVELS[upperLevel] !== undefined) {
+      currentLevel = LOG_LEVELS[upperLevel];
+    }
+  } else if (typeof level === 'number') {
+    currentLevel = level;
+  }
+}
+/**
+ * Get current log level
+ * @returns {number} Current level
+ */
+export function getLogLevel() {
+  return currentLevel;
+}
+/**
+ * Get recent log entries
+ * @param {number} count - Number of entries
+ * @returns {Object[]} Log entries
+ */
+export function getRecentLogs(count = 100) {
+  return logBuffer.slice(-count);
+}
+/**
+ * Clear log buffer
+ */
+export function clearLogs() {
+  logBuffer.length = 0;
+}
+/**
+ * Get error message safely from any error type
+ * @param {unknown} error - Error object
+ * @returns {string} Error message
+ */
+export function getErrorMessage(error) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === 'string') {
+    return error;
+  }
+  if (error && typeof error === 'object' && 'message' in error) {
+    return String(error.message);
+  }
+  return String(error);
+}
+// Pre-created loggers for common modules
+export const conductorLogger = createLogger('Conductor');
+export const lawbookLogger = createLogger('Lawbook');
+export const timeMachineLogger = createLogger('TimeMachine');
+export const clearanceLogger = createLogger('Clearance');
+export const firewallLogger = createLogger('Firewall');
+export default {
+  createLogger,
+  setLogLevel,
+  getLogLevel,
+  getRecentLogs,
+  clearLogs,
+  getErrorMessage,
+  LOG_LEVELS,
+};

package/mcp-server/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vibecheck-mcp-server",
-  "version": "3.2.6",
+  "version": "3.3.0",
   "description": "Professional MCP server for vibecheck - Intelligent development environment vibechecks",
   "type": "module",
   "main": "index.js",
@@ -24,7 +24,7 @@
     "@modelcontextprotocol/sdk": "^1.0.0"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.11"
   },
   "author": "vibecheck",
   "license": "MIT",

package/mcp-server/premium-tools.js CHANGED Viewed

@@ -16,7 +16,7 @@
 import fs from 'fs/promises';
 import path from 'path';
 import { execSync, spawn } from 'child_process';
-import { checkFeatureAccess } from "./tier-auth.js";
+import { getFeatureAccessStatus } from "./tier-auth.js";
 // State management (in-memory for MCP session, persisted to disk)
 class MCPState {
@@ -434,7 +434,7 @@ export async function handlePremiumTool(name, args, logger) {
   const requiredFeature = featureMap[name];
   if (requiredFeature) {
-    const access = await checkFeatureAccess(requiredFeature, args?.apiKey);
+    const access = await getFeatureAccessStatus(requiredFeature, args?.apiKey);
     if (!access.hasAccess) {
       return {
         content: [{