@vibecheckai/cli 3.2.6 → 3.4.0

package/mcp-server/tier-auth.js

@@ -1,475 +1,286 @@
 /**
- * MCP Server Tier Authentication & Authorization
+ * MCP Server Tier Authentication
  * 
- * UNIFIED AUTHORITY SYSTEM for MCP tools.
+ * Simple 2-tier model:
+ * - FREE ($0): Inspect & Observe
+ * - PRO ($69/mo): Fix, Prove & Enforce
  * 
- * Authority Rules:
- * - FREE: May see problems, never resolve certainty. Read-only context tools.
- * - STARTER: May fix, but not prove. Read tools + advisory actions.
- * - PRO: May enforce reality. Full MCP access with proof generation.
- * - ENTERPRISE: All features + compliance tools.
- * 
- * Verdict authority is paid. Evidence beats explanations.
+ * PRO includes:
+ * - Authority System (verdicts, approvals)
+ * - Agent Conductor (multi-agent coordination)
+ * - Agent Firewall (enforce mode)
  */
 
 import fs from "fs/promises";
 import path from "path";
 import os from "os";
 
-// ═══════════════════════════════════════════════════════════════════════════════
-// TIER DEFINITIONS - UNIFIED AUTHORITY SYSTEM
-// Synchronized with packages/core/src/tier-config.ts
-// 
-// Authority Rules:
-// - FREE: May see problems, never resolve certainty
-// - STARTER: May fix, but not prove (Advisory verdicts only)
-// - PRO: May enforce reality (Full verdict authority)
-// ═══════════════════════════════════════════════════════════════════════════════
+// ============================================================================
+// TIERS
+// ============================================================================
 export const TIERS = {
-  free: {
-    name: 'FREE',
-    price: 0,
-    order: 0,
-    // Verdict authority
-    verdictAuthority: 'NONE',
-    canIssueVerdicts: false,
-    canEnforceCI: false,
-    canGenerateProof: false,
-    // Limits
-    limits: { 
-      scans: -1,  // Unlimited scans
-      realityMaxPages: 5, 
-      realityMaxClicks: 20, 
-      mcpRateLimit: 10,
-    },
-    // MCP tools allowed on FREE (read-only context only)
-    mcpTools: [
-      'vibecheck.get_truthpack',
-      'vibecheck.compile_context',
-      'vibecheck.search_evidence',
-    ],
-  },
-  starter: {
-    name: 'STARTER',
-    price: 39,
-    order: 1,
-    // Verdict authority - ADVISORY (verdicts not enforced)
-    verdictAuthority: 'ADVISORY',
-    canIssueVerdicts: true,  // SHIP, WARN only
-    canEnforceCI: false,     // Cannot block builds
-    canGenerateProof: false, // Cannot generate proof
-    // Limits
-    limits: { 
-      scans: -1,           // Unlimited scans
-      realityMaxPages: -1, // Unlimited browser testing
-      realityMaxClicks: -1,
-      mcpRateLimit: 60,
-    },
-    // MCP tools allowed on STARTER (read + advisory actions)
-    mcpTools: [
-      'vibecheck.ctx',
-      'vibecheck.scan',
-      'vibecheck.ship',      // Advisory verdicts only
-      'vibecheck.get_truthpack',
-      'vibecheck.validate_claim',
-      'vibecheck.compile_context',
-      'vibecheck.search_evidence',
-      'vibecheck.find_counterexamples',
-      'vibecheck.check_invariants',
-      'vibecheck.fix',       // Plan mode only
-    ],
-  },
-  pro: {
-    name: 'PRO',
-    price: 99,
-    order: 2,
-    // Verdict authority - ENFORCED (verdicts block CI/PRs)
-    verdictAuthority: 'ENFORCED',
-    canIssueVerdicts: true,  // SHIP, WARN, BLOCK
-    canEnforceCI: true,      // Can block builds
-    canGenerateProof: true,  // Can generate cryptographic proof
-    // Limits
-    limits: { 
-      scans: -1,
-      realityMaxPages: -1,
-      realityMaxClicks: -1,
-      mcpRateLimit: -1,  // Unlimited
-    },
-    // MCP tools - FULL ACCESS
-    mcpTools: ['*'],  // All tools unlocked
-  },
-  enterprise: {
-    name: 'ENTERPRISE',
-    price: 0, // Custom pricing
-    order: 3,
-    // Verdict authority - ENFORCED + Compliance
-    verdictAuthority: 'ENFORCED',
-    canIssueVerdicts: true,
-    canEnforceCI: true,
-    canGenerateProof: true,
-    // Limits
-    limits: { 
-      scans: -1,
-      realityMaxPages: -1,
-      realityMaxClicks: -1,
-      mcpRateLimit: -1,
-    },
-    // MCP tools - FULL ACCESS + Compliance
-    mcpTools: ['*'],
-  }
+  free: { name: 'FREE', price: 0 },
+  pro: { name: 'PRO', price: 69 },
 };
 
-// ═══════════════════════════════════════════════════════════════════════════════
-// MCP TOOL → TIER MAPPING (Unified Authority System)
-// Aligned with packages/core/src/features.ts
-// ═══════════════════════════════════════════════════════════════════════════════
-export const MCP_TOOL_TIERS = {
-  // FREE - Read-only context tools ONLY
-  // Free users may see problems, never resolve certainty
-  'vibecheck.get_truthpack': 'free',
-  'vibecheck.compile_context': 'free',
-  'vibecheck.search_evidence': 'free',
-  
-  // STARTER - Advisory verdict authority
-  // Starter users may fix, but not prove
-  'vibecheck.ctx': 'starter',
-  'vibecheck.scan': 'starter',
-  'vibecheck.ship': 'starter',          // SHIP/WARN (advisory, not enforced)
-  'vibecheck.fix': 'starter',           // Plan mode only (no apply)
-  'vibecheck.validate_claim': 'starter',
-  'vibecheck.find_counterexamples': 'starter',
-  'vibecheck.check_invariants': 'starter',
-  'vibecheck.gate': 'starter',          // Advisory gates
-  'vibecheck.badge': 'starter',         // Unverified badges
-  
-  // PRO - Full verdict authority & enforcement
-  // Pro users may enforce reality
-  'vibecheck.prove': 'pro',             // Cryptographic proof generation
-  'vibecheck.fix.apply': 'pro',         // Apply fixes
-  'vibecheck.fix.verify': 'pro',        // Verify fixes with proof
-  'vibecheck.reality': 'pro',           // Full browser testing
-  'vibecheck.reality.prove': 'pro',     // Prove runtime behavior
-  'vibecheck.enforce': 'pro',           // Enforce verdicts in CI
-  'vibecheck.ai_test': 'pro',           // AI agent testing
-  'vibecheck.autopilot': 'pro',         // Autonomous protection
-  'vibecheck.report': 'pro',            // Advanced reporting
-  'vibecheck.allowlist': 'pro',         // Manage allowlists
-  'vibecheck.status': 'pro',            // Advanced status
-};
+// ============================================================================
+// MCP TOOLS - 15 Core + PRO Features
+// ============================================================================
 
 /**
- * Load user configuration from ~/.vibecheck/credentials.json
+ * FREE TOOLS (7) - Inspect & Observe
  */
-async function loadUserConfig() {
-  try {
-    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
-    const configData = await fs.readFile(configPath, 'utf-8');
-    return JSON.parse(configData);
-  } catch (error) {
-    return null;
-  }
-}
+export const FREE_TOOLS = [
+  // Core FREE tools
+  'vibecheck.scan',
+  'vibecheck.ctx',
+  'vibecheck.verify',
+  'vibecheck.report',
+  'vibecheck.status',
+  'vibecheck.doctor',
+  'vibecheck.firewall',           // Observe mode only
+  // Authority (read-only)
+  'authority.list',
+  'authority.classify',
+  // Conductor (status only)
+  'vibecheck_conductor_status',
+];
 
 /**
- * Determine tier from API key
- * Matches CLI entitlements-v2.js logic
+ * PRO TOOLS (8 Core + Authority + Conductor + Firewall) - Fix, Prove & Enforce
  */
-async function getTierFromApiKey(apiKey) {
-  if (!apiKey) return null; // No API key = no access
+export const PRO_TOOLS = [
+  // Core PRO tools
+  'vibecheck.ship',
+  'vibecheck.fix',
+  'vibecheck.prove',
+  'vibecheck.gate',
+  'vibecheck.badge',
+  'vibecheck.reality',
+  'vibecheck.ai_test',
+  'vibecheck.share',
   
-  // Check API key prefix patterns (matches CLI)
-  if (apiKey.startsWith('gr_starter_')) return 'starter';
-  if (apiKey.startsWith('gr_pro_')) return 'pro';
-  if (apiKey.startsWith('gr_enterprise_') || apiKey.startsWith('gr_ent_')) return 'enterprise';
-  if (apiKey.startsWith('gr_free_')) return 'free';
+  // Authority System (full)
+  'authority.approve',
+  'authority.enforce',
   
-  // Try to validate with API
+  // Agent Conductor (full multi-agent coordination)
+  'vibecheck_conductor_register',
+  'vibecheck_conductor_acquire_lock',
+  'vibecheck_conductor_release_lock',
+  'vibecheck_conductor_propose',
+  'vibecheck_conductor_terminate',
+  
+  // Agent Firewall (enforce mode)
+  'vibecheck_agent_firewall_intercept',
+  'vibecheck.firewall.enforce',
+];
+
+export const ALL_TOOLS = [...FREE_TOOLS, ...PRO_TOOLS];
+
+// ============================================================================
+// TIER CACHE
+// ============================================================================
+const tierCache = new Map();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+function hashKey(apiKey) {
+  const crypto = require('crypto');
+  return crypto.createHash('sha256').update(apiKey).digest('hex').slice(0, 16);
+}
+
+// ============================================================================
+// TIER VALIDATION
+// ============================================================================
+
+export async function getTierFromApiKey(apiKey) {
+  if (!apiKey || typeof apiKey !== 'string' || apiKey.length < 10) {
+    return null;
+  }
+  
+  const keyHash = hashKey(apiKey);
+  const now = Date.now();
+  
+  // Check cache
+  const cached = tierCache.get(keyHash);
+  if (cached && cached.expiresAt > now) {
+    return cached.tier;
+  }
+  
+  // Validate with API
   try {
     const response = await fetch('https://api.vibecheckai.dev/whoami', {
-      headers: {
-        'Authorization': `Bearer ${apiKey}`,
-        'Content-Type': 'application/json',
-      },
+      headers: { 'Authorization': `Bearer ${apiKey}` },
+      signal: AbortSignal.timeout(10000),
     });
     
     if (!response.ok) {
-      return null; // Invalid API key
+      return null;
     }
     
     const data = await response.json();
+    const plan = data.plan?.toLowerCase() || 'free';
     
-    // Map API response to tier
-    switch (data.plan?.toLowerCase()) {
-      case 'starter':
-        return 'starter';
-      case 'pro':
-        return 'pro';
-      case 'enterprise':
-        return 'enterprise';
-      default:
-        return 'free';
-    }
-  } catch (error) {
-    console.error('API validation failed:', error);
-    return null; // On error, deny access
+    // Any paid plan = pro
+    const tier = (plan === 'free') ? 'free' : 'pro';
+    
+    tierCache.set(keyHash, { tier, expiresAt: now + CACHE_TTL });
+    return tier;
+    
+  } catch {
+    // Network error - check stale cache
+    if (cached) return cached.tier;
+    return null;
   }
-} // default for unknown keys
+}
+
+// ============================================================================
+// ACCESS CONTROL
+// ============================================================================
+
+export function isPro(tier) {
+  return tier === 'pro';
+}
+
+export function canAccessTool(tier, toolName) {
+  // PRO gets everything
+  if (tier === 'pro') return true;
+  
+  // FREE can access FREE tools
+  return FREE_TOOLS.includes(toolName);
+}
 
 /**
- * Check if user has access to a specific feature
- * Matches CLI entitlements-v2.js logic
+ * Get firewall mode based on tier
+ * - FREE: observe (log only)
+ * - PRO: enforce (block violations)
  */
-export async function getFeatureAccessStatus(featureName, providedApiKey = null) {
-  // Try to load user config
-  const userConfig = await loadUserConfig();
-  const apiKey = providedApiKey || userConfig?.apiKey;
-  
-  if (!apiKey) {
-    return {
-      hasAccess: false,
-      tier: null,
-      reason: 'No API key provided. Please set your API key with `vibecheck login`.',
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
-  
-  const currentTier = await getTierFromApiKey(apiKey);
-  
-  if (!currentTier) {
-    return {
-      hasAccess: false,
-      tier: null,
-      reason: 'Invalid API key. Please check your API key or get a new one at https://vibecheckai.dev',
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
-  const currentTierConfig = TIERS[currentTier];
-  
-  // Find which tier has this feature
-  let requiredTier = null;
-  let requiredTierConfig = null;
-  
-  for (const [tierName, tierConfig] of Object.entries(TIERS)) {
-    if (tierConfig.features.includes(featureName)) {
-      requiredTier = tierName;
-      requiredTierConfig = tierConfig;
-      break;
-    }
-  }
-  
-  // If feature not found in any tier, deny access
-  if (!requiredTier) {
-    return {
-      hasAccess: false,
-      tier: currentTier,
-      reason: `${featureName} is not available in any tier`,
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
-  
-  // Check if current tier meets minimum requirement (using order)
-  const hasAccess = currentTierConfig.order >= requiredTierConfig.order;
-  
-  if (!hasAccess) {
-    return {
-      hasAccess: false,
-      tier: currentTier,
-      requiredTier,
-      reason: `${featureName} requires ${requiredTierConfig.name} tier ($${requiredTierConfig.price}/mo) or higher. Current tier: ${currentTierConfig.name}`,
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
-  
-  return {
-    hasAccess: true,
-    tier: currentTier,
-    reason: 'Access granted'
-  };
+export function getFirewallMode(tier) {
+  return tier === 'pro' ? 'enforce' : 'observe';
 }
 
 /**
- * Middleware for MCP tool handlers
+ * Check if user can use full conductor features
  */
-export function withTierCheck(featureName, handler) {
-  return async (args) => {
-    const access = await checkFeatureAccess(featureName, args?.apiKey);
-    
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nUpgrade at: ${access.upgradeUrl}`
-        }],
-        isError: true
-      };
-    }
-    
-    // Add tier info to args for the handler
-    args._tier = access.tier;
-    return handler(args);
-  };
+export function canUseCondcutor(tier) {
+  return tier === 'pro';
 }
 
 /**
- * Check if user has access to a specific MCP tool
- * MCP tools have specific tier requirements separate from CLI features
+ * Check if user can approve authorities
  */
-export async function getMcpToolAccess(toolName, providedApiKey = null) {
-  const userConfig = await loadUserConfig();
-  const apiKey = providedApiKey || userConfig?.apiKey;
-  
+export function canApproveAuthority(tier) {
+  return tier === 'pro';
+}
+
+export async function getMcpToolAccess(toolName, apiKey) {
   if (!apiKey) {
     return {
-      hasAccess: false,
-      tier: null,
-      reason: 'No API key provided. Please set your API key with `vibecheck login`.',
-      upgradeUrl: 'https://vibecheckai.dev'
+      hasAccess: FREE_TOOLS.includes(toolName),
+      tier: 'free',
+      reason: FREE_TOOLS.includes(toolName) 
+        ? 'Access granted (free tool)'
+        : 'This tool requires Pro. Set API key with `vibecheck login`.',
     };
   }
   
-  const currentTier = await getTierFromApiKey(apiKey);
+  const tier = await getTierFromApiKey(apiKey);
   
-  if (!currentTier) {
+  if (!tier) {
     return {
       hasAccess: false,
       tier: null,
-      reason: 'Invalid API key. Please check your API key or get a new one at https://vibecheckai.dev',
-      upgradeUrl: 'https://vibecheckai.dev'
+      reason: 'Invalid API key.',
     };
   }
   
-  const currentTierConfig = TIERS[currentTier];
-  
-  // Check if tool is allowed for current tier
-  const allowedTools = [];
-  
-  // Accumulate tools from current tier and all lower tiers
-  for (const [tierName, tierConfig] of Object.entries(TIERS)) {
-    if (tierConfig.order <= currentTierConfig.order) {
-      if (tierConfig.mcpTools) {
-        if (tierConfig.mcpTools.includes('*')) {
-          // Compliance tier - all tools allowed
-          return {
-            hasAccess: true,
-            tier: currentTier,
-            reason: 'Full MCP access'
-          };
-        }
-        allowedTools.push(...tierConfig.mcpTools);
-      }
-    }
-  }
-  
-  // Check if tool is in allowed list
-  const hasAccess = allowedTools.includes(toolName);
-  
-  if (!hasAccess) {
-    // Find which tier has this tool
-    let requiredTier = null;
-    for (const [tierName, tierConfig] of Object.entries(TIERS)) {
-      if (tierConfig.mcpTools?.includes(toolName) || tierConfig.mcpTools?.includes('*')) {
-        requiredTier = tierName;
-        break;
-      }
-    }
-    
-    const requiredTierConfig = requiredTier ? TIERS[requiredTier] : null;
-    
-    return {
-      hasAccess: false,
-      tier: currentTier,
-      requiredTier,
-      reason: requiredTierConfig 
-        ? `${toolName} requires ${requiredTierConfig.name} tier ($${requiredTierConfig.price}/mo). Current: ${currentTierConfig.name}`
-        : `${toolName} is not available`,
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
+  const hasAccess = canAccessTool(tier, toolName);
   
   return {
-    hasAccess: true,
-    tier: currentTier,
-    reason: 'Access granted'
+    hasAccess,
+    tier,
+    firewallMode: getFirewallMode(tier),
+    reason: hasAccess
+      ? 'Access granted'
+      : `${toolName} requires Pro ($69/mo). Upgrade at https://vibecheckai.dev/pricing`,
   };
 }
 
-/**
- * Middleware for MCP tool handlers with tool-specific checking
- */
-export function withMcpToolCheck(toolName, handler) {
+// ============================================================================
+// MIDDLEWARE
+// ============================================================================
+
+export function withTierCheck(toolName, handler) {
   return async (args) => {
-    const access = await checkMcpToolAccess(toolName, args?.apiKey);
+    const access = await getMcpToolAccess(toolName, args?.apiKey);
     
     if (!access.hasAccess) {
       return {
         content: [{
           type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nUpgrade at: ${access.upgradeUrl}`
+          text: `This tool requires Pro.\n\n${toolName} is a Pro feature.\n\nUpgrade to Pro ($69/mo) to unlock:\n- Authority System (verdicts & approvals)\n- Agent Conductor (multi-agent coordination)\n- Agent Firewall (enforce mode)\n\nhttps://vibecheckai.dev/pricing`
         }],
         isError: true
       };
     }
     
-    // Add tier info to args for the handler
     args._tier = access.tier;
+    args._firewallMode = access.firewallMode;
     return handler(args);
   };
 }
 
-/**
- * Get current user info
- */
+// ============================================================================
+// USER INFO
+// ============================================================================
+
+async function loadUserConfig() {
+  try {
+    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
+    const data = await fs.readFile(configPath, 'utf-8');
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+
 export async function getUserInfo() {
   const config = await loadUserConfig();
-  if (!config) {
+  
+  if (!config?.apiKey) {
     return {
       authenticated: false,
       tier: 'free',
-      message: 'Not authenticated. Run: vibecheck auth --key YOUR_API_KEY'
+      tools: FREE_TOOLS,
+      firewallMode: 'observe',
     };
   }
   
-  const tier = getTierFromApiKey(config.apiKey);
-  const tierConfig = TIERS[tier];
+  const tier = await getTierFromApiKey(config.apiKey);
   
   return {
     authenticated: true,
-    tier,
+    tier: tier || 'free',
     email: config.email,
-    authenticatedAt: config.authenticatedAt,
-    features: tierConfig.features,
-    limits: tierConfig.limits,
-    mcpTools: tierConfig.mcpTools,
+    tools: tier === 'pro' ? ALL_TOOLS : FREE_TOOLS,
+    firewallMode: getFirewallMode(tier || 'free'),
   };
 }
 
-/**
- * Get list of MCP tools available for current tier
- */
-export async function getAvailableMcpTools(providedApiKey = null) {
-  const userConfig = await loadUserConfig();
-  const apiKey = providedApiKey || userConfig?.apiKey;
-  
-  const currentTier = getTierFromApiKey(apiKey);
-  const currentTierConfig = TIERS[currentTier];
-  
-  const allowedTools = new Set();
-  
-  // Accumulate tools from current tier and all lower tiers
-  for (const [tierName, tierConfig] of Object.entries(TIERS)) {
-    if (tierConfig.order <= currentTierConfig.order) {
-      if (tierConfig.mcpTools) {
-        if (tierConfig.mcpTools.includes('*')) {
-          return { tier: currentTier, tools: ['*'], unlimited: true };
-        }
-        tierConfig.mcpTools.forEach(t => allowedTools.add(t));
-      }
-    }
-  }
-  
+export async function getAvailableMcpTools(apiKey) {
+  const tier = apiKey ? await getTierFromApiKey(apiKey) : 'free';
   return {
-    tier: currentTier,
-    tools: Array.from(allowedTools),
-    unlimited: false
+    tier: tier || 'free',
+    tools: (tier === 'pro') ? ALL_TOOLS : FREE_TOOLS,
+    firewallMode: getFirewallMode(tier || 'free'),
   };
 }
+
+// Legacy exports for backward compatibility
+export async function getFeatureAccessStatus(featureName, apiKey) {
+  return getMcpToolAccess(featureName, apiKey);
+}
+
+export function withMcpToolCheck(toolName, handler) {
+  return withTierCheck(toolName, handler);
+}