@vibecheckai/cli 3.2.6 → 3.4.0

package/mcp-server/truth-firewall-tools.js

@@ -570,8 +570,47 @@ export function enforceClaimResult(result, policy = "strict") {
   return { allowed: true, confidence: derived };
 }
 
+// =============================================================================
+// CLAIM VALIDATION WITH RACE CONDITION PROTECTION
+// 
+// SECURITY FIX: Previous implementation had a TOCTOU race condition:
+// 1. Thread A: hasRecentClaimValidation() returns true
+// 2. Thread B: invalidates the claim (file change, etc.)
+// 3. Thread A: proceeds with stale claim → invalid state
+// 
+// New implementation uses atomic check-and-consume pattern with per-project locks.
+// =============================================================================
+
+/**
+ * Per-project validation locks to prevent concurrent operations
+ * from using the same validation state.
+ */
+const validationLocks = new Map(); // Map<projectPath, { locked: boolean, queue: Promise }>
+
+/**
+ * Acquire a validation lock for a project (serializes validation checks).
+ */
+function acquireValidationLock(projectPath) {
+  let lockState = validationLocks.get(projectPath);
+  if (!lockState) {
+    lockState = { locked: false, queue: Promise.resolve() };
+    validationLocks.set(projectPath, lockState);
+  }
+  
+  const acquirePromise = lockState.queue.then(() => {
+    lockState.locked = true;
+    return () => {
+      lockState.locked = false;
+    };
+  });
+  
+  lockState.queue = acquirePromise.catch(() => {});
+  return acquirePromise;
+}
+
 /**
- * Claim validation freshness per policy TTL.
+ * Check claim validation freshness (basic check, no lock).
+ * Use checkAndConsumeClaimValidation for atomic operations.
  */
 export function hasRecentClaimValidation(projectPath, policy = "strict") {
   const last = state.lastValidationByProject.get(projectPath);
@@ -580,6 +619,56 @@ export function hasRecentClaimValidation(projectPath, policy = "strict") {
   return Date.now() - last <= ttl;
 }
 
+/**
+ * Atomic check-and-consume claim validation.
+ * 
+ * SECURITY: Use this for operations that depend on claim validation.
+ * It ensures no other operation can use the same validation state concurrently.
+ * 
+ * @param {string} projectPath - Project path
+ * @param {string} policy - Policy name (strict/balanced/permissive)
+ * @param {string} operationId - Unique ID for this operation (for audit)
+ * @returns {Promise<{ valid: boolean, consumedAt?: number, reason?: string }>}
+ */
+export async function checkAndConsumeClaimValidation(projectPath, policy = "strict", operationId = null) {
+  const release = await acquireValidationLock(projectPath);
+  
+  try {
+    const last = state.lastValidationByProject.get(projectPath);
+    const now = Date.now();
+    
+    if (typeof last !== "number") {
+      return { 
+        valid: false, 
+        reason: "No claim validation found for this project" 
+      };
+    }
+    
+    const ttl = getPolicyConfig(policy).validationTTL;
+    const age = now - last;
+    
+    if (age > ttl) {
+      return { 
+        valid: false, 
+        reason: `Claim validation expired (age: ${Math.round(age / 1000)}s, TTL: ${Math.round(ttl / 1000)}s)` 
+      };
+    }
+    
+    // Mark this validation as consumed by updating the timestamp
+    // This prevents replay/reuse of the same validation
+    state.lastValidationByProject.set(projectPath, now);
+    
+    return { 
+      valid: true, 
+      consumedAt: now,
+      operationId,
+    };
+    
+  } finally {
+    release();
+  }
+}
+
 // =============================================================================
 // FINGERPRINT + WRAPPER
 // =============================================================================
@@ -1069,22 +1158,63 @@ async function proposePatch(projectPath, args) {
   return patch;
 }
 
+/**
+ * Validate command against strict allowlist.
+ * 
+ * SECURITY FIX: Previous allowlist was too permissive, allowing arbitrary code execution:
+ * - "node -e 'require(\"child_process\").exec(\"rm -rf /\")'" would pass
+ * - "npm exec malicious-package" would pass
+ * - "pnpm dlx evil-tool" would pass
+ * 
+ * New allowlist only permits specific safe subcommands.
+ */
 function commandAllowlisted(cmd) {
-  // Keep this tight. Expand only if you mean it.
-  const allow = [
-    /^vibecheck(\s|$)/,
-    /^pnpm(\s|$)/,
-    /^npm(\s|$)/,
-    /^yarn(\s|$)/,
-    /^node(\s|$)/,
-    /^bun(\s|$)/,
-    /^vitest(\s|$)/,
-    /^jest(\s|$)/,
-    /^tsc(\s|$)/,
-    /^eslint(\s|$)/,
-    /^playwright(\s|$)/,
+  const trimmed = cmd.trim();
+  
+  // Reject commands with shell metacharacters that could enable injection
+  // These are dangerous even in "safe" commands: ; | & $ ` \ ( ) { } < > \n
+  if (/[;|&$`\\(){}<>\n]/.test(trimmed)) {
+    return false;
+  }
+  
+  // Reject commands that use flags commonly used for code execution
+  if (/\s-[eEc]\s|\s--eval\s|\s--exec\s/i.test(trimmed)) {
+    return false;
+  }
+  
+  // Strict allowlist: only specific commands with specific safe subcommands
+  const strictAllow = [
+    // Vibecheck CLI - only specific safe commands
+    /^vibecheck\s+(ship|scan|ctx|lint|status)\b/,
+    /^vibecheck\s+--help\b/,
+    /^vibecheck\s+--version\b/,
+    
+    // Package managers - only test/build/lint (no exec, dlx, or install scripts)
+    /^pnpm\s+(test|build|lint|typecheck|check|run\s+(test|build|lint|typecheck))\b/,
+    /^npm\s+(test|run\s+(test|build|lint|typecheck))\b/,
+    /^yarn\s+(test|build|lint|typecheck|run\s+(test|build|lint|typecheck))\b/,
+    /^bun\s+(test|run\s+(test|build|lint))\b/,
+    
+    // TypeScript compiler - only type checking (no emit)
+    /^tsc\s+(--noEmit|--build)\b/,
+    /^tsc$/,  // Default tsc with no args is safe
+    
+    // Linters - safe read-only operations
+    /^eslint\s+/,  // ESLint with any args (read-only)
+    /^eslint$/,
+    
+    // Test runners - only run tests
+    /^vitest\s*(run|--run)?\b/,
+    /^vitest$/,
+    /^jest\s*(--ci|--coverage|--passWithNoTests)?\b/,
+    /^jest$/,
+    
+    // Playwright - only test mode (no codegen which opens browsers)
+    /^playwright\s+test\b/,
+    /^npx\s+playwright\s+test\b/,
   ];
-  return allow.some((re) => re.test(cmd.trim()));
+  
+  return strictAllow.some((re) => re.test(trimmed));
 }
 
 async function verifyPatch(projectPath, args) {

package/mcp-server/vibecheck-tools.js

@@ -13,7 +13,7 @@
 import path from "path";
 import fs from "fs/promises";
 import { execSync } from "child_process";
-import { withTierCheck, checkFeatureAccess } from "./tier-auth.js";
+import { withTierCheck, getFeatureAccessStatus } from "./tier-auth.js";
 
 // ============================================================================
 // TOOL DEFINITIONS
@@ -292,7 +292,7 @@ export async function handleVibecheckTool(toolName, args) {
 
   const requiredFeature = featureMap[toolName];
   if (requiredFeature) {
-    const access = await checkFeatureAccess(requiredFeature, args?.apiKey);
+    const access = await getFeatureAccessStatus(requiredFeature, args?.apiKey);
     if (!access.hasAccess) {
       return {
         content: [{

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecheckai/cli",
-  "version": "3.2.6",
+  "version": "3.4.0",
   "description": "Vibecheck CLI - Ship with confidence. One verdict: SHIP | WARN | BLOCK.",
   "main": "bin/vibecheck.js",
   "bin": {
@@ -37,7 +37,6 @@
     "js-yaml": "^4.1.0",
     "ora": "^8.0.0",
     "uuid": "^9.0.0",
-    "yaml": "^2.3.0",
     "zod": "^3.23.0"
   },
   "optionalDependencies": {
@@ -77,7 +76,7 @@
     "url": "https://github.com/vibecheck-oss/vibecheck/issues"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.11"
   },
   "publishConfig": {
     "access": "public"