@vibecheckai/cli 3.2.6 → 3.4.0

package/bin/runners/lib/analyzers.js

@@ -13,6 +13,44 @@ const t = require("@babel/types");
 const { routeMatches } = require("./claims");
 const { matcherCoversPath } = require("./auth-truth");
 
+/* ============================================================================
+ * STANDARD IGNORE PATTERNS
+ * Used by all analyzers to exclude non-production code
+ * ========================================================================== */
+const STANDARD_IGNORE_PATTERNS = [
+  // Core excludes
+  "**/node_modules/**",
+  "**/.next/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/*.d.ts",
+  "**/*.d.ts.map",
+  // Test files
+  "**/__tests__/**",
+  "**/tests/**",
+  "**/*.test.ts",
+  "**/*.test.tsx",
+  "**/*.test.js",
+  "**/*.spec.ts",
+  "**/*.spec.tsx",
+  "**/*.spec.js",
+  "**/fixtures/**",
+  // Internal tooling
+  "**/mcp-server/**",
+  "**/bin/**",
+  "**/packages/cli/**",
+  // Examples and templates
+  "**/examples/**",
+  "**/templates/**",
+  "**/docs/**",
+  // Cache and generated
+  "**/.guardrail/**",
+  "**/.cursor/**",
+  "**/.vibecheck/**",
+  "**/coverage/**",
+  "**/_archive/**",
+];
+
 /* ============================================================================
  * WORLD-CLASS INFRA HELPERS
  * - file caching (speed + consistent evidence)
@@ -177,19 +215,69 @@ function pathLooksLikeAsset(p) {
 }
 
 function isInternalUtilityRoute(p) {
-  return !!rxTest(/^\/(health|metrics|ready|live|version|debug|internal|security|websocket|ws|admin|dashboard|_|\.)/i, p);
+  // Common internal/utility routes that should NOT be flagged as missing
+  // These are typically framework-specific, monitoring, or debugging endpoints
+  const internalPatterns = [
+    // Health/monitoring
+    /^\/(health|healthz|healthcheck|ready|readyz|live|livez|liveness|readiness|metrics|status|ping|version)/i,
+    // Internal/debug
+    /^\/(debug|internal|_internal|__internal|security|\.well-known)/i,
+    // WebSockets
+    /^\/(websocket|ws|socket\.io|sockjs)/i,
+    // Admin/dashboard
+    /^\/(admin|dashboard|_admin|__admin)/i,
+    // Next.js internals
+    /^\/_next\//i,
+    // Vite/dev tools
+    /^\/@vite|^\/@fs|^\/__vite/i,
+    // GraphQL
+    /^\/(graphql|graphiql|playground)/i,
+    // Swagger/API docs
+    /^\/(swagger|api-docs|openapi|docs|redoc)/i,
+    // Auth callbacks
+    /^\/(auth|oauth|callback|login|logout|signin|signout)\/?(callback|redirect)?$/i,
+    // Common framework routes
+    /^\/(favicon\.ico|robots\.txt|sitemap\.xml|manifest\.json)$/i,
+    // Vercel/serverless
+    /^\/api\/_/i,
+    // Hidden paths
+    /^\/[._]/i,
+  ];
+  return internalPatterns.some(rx => rxTest(rx, p));
 }
 
 function looksInventedRoute(p) {
-  // Stuff AI loves to hallucinate - but NOT legitimate test endpoints like /test-email
-  // Only flag truly fake/placeholder routes, not common test/debug endpoints
-  if (rxTest(/^\/(fake|dummy|foo|bar|baz|xxx|yyy|placeholder|asdf|qwerty|lorem|ipsum)\b/i, p)) return true;
-  // Random hashes in path
-  if (rxTest(/\/[a-f0-9]{32,}\b/i, p)) return true;
-  // Obvious "ai generated" patterns
-  if (rxTest(/^\/(generated|auto[-_]?gen)\b/i, p)) return true;
-  // Obvious placeholder test data patterns (not legitimate /test-* endpoints)
-  if (rxTest(/\/(test123|abc123|demo123|sample123)\b/i, p)) return true;
+  // Stuff AI loves to hallucinate - but be VERY precise to avoid false positives
+  // Only flag patterns that are CLEARLY fake/placeholder
+  
+  // Require routes to start with these patterns (not just contain them)
+  // This avoids flagging legitimate routes like /users/foo-bar-123
+  const clearlyFakeStarts = [
+    /^\/(fake|dummy|placeholder|asdf|qwerty|lorem|ipsum)\b/i,
+    /^\/(foo|bar|baz|xxx|yyy)$/i, // Only if it's the ENTIRE route segment
+  ];
+  
+  for (const rx of clearlyFakeStarts) {
+    if (rxTest(rx, p)) return true;
+  }
+  
+  // Obvious "ai generated" patterns - must be at route start
+  if (rxTest(/^\/(generated|auto[-_]?gen|ai[-_]?gen)\b/i, p)) return true;
+  
+  // Obvious placeholder test data patterns (test123, abc123, demo123)
+  // Only if the ENTIRE segment is clearly placeholder
+  if (rxTest(/\/(test123|abc123|demo123|sample123|example123)$/i, p)) return true;
+  
+  // Very long hex strings in route (32+ chars) that aren't IDs
+  // Skip if it looks like a valid UUID pattern or session token
+  const segments = p.split('/').filter(Boolean);
+  for (const seg of segments) {
+    // Long hex that's NOT a UUID format and NOT a reasonable ID length
+    if (/^[a-f0-9]{40,}$/i.test(seg) && !/^[a-f0-9]{8}-/.test(seg)) {
+      return true;
+    }
+  }
+  
   return false;
 }
 
@@ -445,7 +533,9 @@ function findMissingRoutes(truthpack) {
       .sort((a, b) => b.score - a.score)
       .slice(0, 3);
 
-    return scored.filter((x) => x.score >= 0.35).map((x) => ({
+    // Raise threshold to 0.50 to only show genuinely similar routes
+    // This reduces "did you mean" noise for unrelated routes
+    return scored.filter((x) => x.score >= 0.50).map((x) => ({
       method: x.r._method,
       path: x.r._pathNorm,
       score: Number(x.score.toFixed(2)),
@@ -553,28 +643,39 @@ function findMissingRoutes(truthpack) {
 
     const invented = looksInventedRoute(pNorm);
     const internal = isInternalUtilityRoute(pNorm);
+    
+    // Skip internal utility routes entirely - they're almost never real issues
+    if (internal) continue;
 
     // Similarity suggestions
     const suggestions = closestSuggestions(method, pNorm);
 
-    // Confidence + severity gating
+    // Confidence + severity gating - CONSERVATIVE by default to reduce noise
     let confidence = "low";
     let severity = "WARN";
 
-    if (invented && !internal) {
+    if (invented) {
+      // Only BLOCK truly invented routes - and require high confidence
       severity = "BLOCK";
       confidence = "high";
-    } else if (routeMapQuality === "strong" && !isLikelyMonorepo && !internal) {
-      // Only escalate if route map quality is strong and it doesn't look like a monorepo
+    } else if (routeMapQuality === "strong" && !isLikelyMonorepo) {
+      // Even with strong route map, be conservative
       const best = suggestions[0]?.score ?? 0;
-      // If there's no close suggestion, it's more likely actually missing
-      if (best < 0.40) {
-        severity = "WARN"; // keep WARN by default; you can flip to BLOCK if you want
+      if (best < 0.30) {
+        // No close matches - more likely to be a real issue, but still WARN
         confidence = "med";
+        severity = "WARN";
+      } else if (best >= 0.70) {
+        // Very close match exists - probably a typo, keep as low-priority WARN
+        confidence = "low";
+        severity = "WARN";
       } else {
+        // Moderate similarity - unclear
         confidence = "low";
+        severity = "WARN";
       }
     } else {
+      // Weak route map or monorepo - don't trust findings, always WARN with low confidence
       confidence = "low";
       severity = "WARN";
     }
@@ -851,7 +952,7 @@ function findFakeSuccess(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1142,7 +1243,7 @@ function findOwnerModeBypass(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   const patterns = [
@@ -1187,17 +1288,7 @@ function findMockData(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-      "**/test/**",
-      "**/__tests__/**",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1248,13 +1339,7 @@ function findTodoFixme(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1321,13 +1406,7 @@ function findConsoleLogs(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1373,16 +1452,7 @@ function findHardcodedSecrets(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx,json}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/package*.json",
-      "**/*.test.*",
-      "**/tests/**",
-      "**/*.d.ts",
-    ],
+    ignore: [...STANDARD_IGNORE_PATTERNS, "**/package*.json"],
   });
 
   for (const fileAbs of files) {
@@ -1439,13 +1509,7 @@ function findDeadCode(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1491,13 +1555,7 @@ function findDeprecatedApis(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1543,13 +1601,7 @@ function findEmptyCatch(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1595,13 +1647,7 @@ function findUnsafeRegex(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1649,13 +1695,7 @@ function findSecurityVulnerabilities(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1699,13 +1739,7 @@ function findPerformanceIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1750,13 +1784,7 @@ function findCodeQualityIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1802,16 +1830,7 @@ function findCrossFileIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   const engineFindings = analyzeCrossFile(files, repoRoot);
@@ -1846,13 +1865,7 @@ function findTypeSafetyIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1896,16 +1909,7 @@ function findAccessibilityIssues(repoRoot) {
   const files = fg.sync(["**/*.{tsx,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1949,16 +1953,7 @@ function findAPIConsistencyIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {