@vibecheckai/cli 3.3.0 → 3.5.0

package/bin/runners/lib/mcp-utils.js

@@ -0,0 +1,425 @@
+/**
+ * MCP Utilities
+ * 
+ * Shared utilities for MCP server implementations.
+ * Used by both the stdio (mcp-server/index.js) and HTTP (runMcp.js) implementations.
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+
+// =============================================================================
+// TIER DEFINITIONS (mirrors @vibecheck/core)
+// =============================================================================
+
+const TIERS = {
+  free: {
+    name: 'FREE',
+    price: '$0',
+    rateLimit: { rpm: 10, burst: 20, daily: 100 },
+  },
+  pro: {
+    name: 'PRO', 
+    price: '$69/mo',
+    rateLimit: { rpm: 100, burst: 200, daily: Infinity },
+  },
+};
+
+// =============================================================================
+// TOOL TIER MAPPINGS
+// =============================================================================
+
+const TOOL_TIERS = {
+  // FREE - Inspect & Observe
+  'vibecheck.scan': 'free',
+  'vibecheck.ctx': 'free',
+  'vibecheck.verify': 'free',
+  'vibecheck.report': 'free',
+  'vibecheck.status': 'free',
+  'vibecheck.doctor': 'free',
+  'vibecheck.firewall': 'free',
+  'authority.list': 'free',
+  'authority.classify': 'free',
+  'vibecheck_conductor_status': 'free',
+  
+  // HTTP tools (legacy names)
+  'repo_map': 'free',
+  'routes_list': 'free',
+  'truthpack_get': 'free',
+  'findings_latest': 'free',
+  
+  // PRO - Fix, Prove & Enforce
+  'vibecheck.ship': 'pro',
+  'vibecheck.fix': 'pro',
+  'vibecheck.prove': 'pro',
+  'vibecheck.gate': 'pro',
+  'vibecheck.badge': 'pro',
+  'vibecheck.reality': 'pro',
+  'vibecheck.ai_test': 'pro',
+  'vibecheck.share': 'pro',
+  'authority.approve': 'pro',
+  'vibecheck_conductor_register': 'pro',
+  'vibecheck_conductor_acquire_lock': 'pro',
+  'vibecheck_conductor_release_lock': 'pro',
+  'vibecheck_conductor_propose': 'pro',
+  'vibecheck_conductor_terminate': 'pro',
+  'vibecheck_agent_firewall_intercept': 'pro',
+  
+  // HTTP tools (legacy names)
+  'run_ship': 'pro',
+  'policy_check': 'pro',
+};
+
+/**
+ * Check if tool requires pro tier
+ */
+function requiresPro(toolName) {
+  return TOOL_TIERS[toolName] === 'pro';
+}
+
+/**
+ * Check tier access for a tool
+ */
+function checkTierAccess(toolName, userTier) {
+  const required = TOOL_TIERS[toolName];
+  
+  // Unknown tools default to pro
+  if (!required) {
+    return {
+      allowed: userTier === 'pro',
+      error: userTier !== 'pro' 
+        ? `Unknown tool "${toolName}" requires Pro tier` 
+        : undefined,
+    };
+  }
+  
+  if (required === 'free') {
+    return { allowed: true };
+  }
+  
+  if (userTier === 'pro') {
+    return { allowed: true };
+  }
+  
+  return {
+    allowed: false,
+    error: `${toolName} requires Pro ($69/mo). Upgrade at https://vibecheckai.dev/pricing`,
+  };
+}
+
+// =============================================================================
+// RATE LIMITING
+// =============================================================================
+
+class RateLimiter {
+  constructor() {
+    this.clients = new Map();
+  }
+  
+  check(clientId, tier) {
+    const now = Date.now();
+    const limits = TIERS[tier]?.rateLimit || TIERS.free.rateLimit;
+    
+    if (!this.clients.has(clientId)) {
+      this.clients.set(clientId, {
+        requests: [],
+        dailyCount: 0,
+        dailyReset: this.getNextMidnight(),
+      });
+    }
+    
+    const client = this.clients.get(clientId);
+    
+    // Reset daily counter if needed
+    if (now > client.dailyReset) {
+      client.dailyCount = 0;
+      client.dailyReset = this.getNextMidnight();
+    }
+    
+    // Clean old requests (older than 1 minute)
+    client.requests = client.requests.filter(time => now - time < 60000);
+    
+    // Check RPM limit
+    if (client.requests.length >= limits.rpm) {
+      return {
+        allowed: false,
+        error: 'Rate limit exceeded',
+        resetAt: Math.min(...client.requests) + 60000,
+        remaining: 0,
+      };
+    }
+    
+    // Check daily limit
+    if (limits.daily !== Infinity && client.dailyCount >= limits.daily) {
+      return {
+        allowed: false,
+        error: 'Daily quota exceeded',
+        resetAt: client.dailyReset,
+        remaining: 0,
+      };
+    }
+    
+    // Record request
+    client.requests.push(now);
+    client.dailyCount++;
+    
+    return {
+      allowed: true,
+      remaining: limits.rpm - client.requests.length,
+      dailyRemaining: limits.daily === Infinity 
+        ? Infinity 
+        : limits.daily - client.dailyCount,
+    };
+  }
+  
+  getNextMidnight() {
+    const tomorrow = new Date();
+    tomorrow.setHours(24, 0, 0, 0);
+    return tomorrow.getTime();
+  }
+  
+  cleanup() {
+    const now = Date.now();
+    for (const [clientId, client] of this.clients) {
+      // Remove clients with no recent activity
+      if (client.requests.length === 0 && now > client.dailyReset) {
+        this.clients.delete(clientId);
+      }
+    }
+  }
+}
+
+// =============================================================================
+// AUDIT LOGGING
+// =============================================================================
+
+class AuditLogger {
+  constructor(logPath) {
+    this.logPath = logPath || path.join(process.cwd(), '.vibecheck', 'audit', 'mcp-audit.jsonl');
+    this.ensureDir();
+  }
+  
+  ensureDir() {
+    try {
+      fs.mkdirSync(path.dirname(this.logPath), { recursive: true });
+    } catch {
+      // Ignore
+    }
+  }
+  
+  log(event) {
+    const entry = {
+      timestamp: new Date().toISOString(),
+      ...event,
+    };
+    
+    try {
+      fs.appendFileSync(this.logPath, JSON.stringify(entry) + '\n');
+    } catch (err) {
+      // Silent fail for audit logging
+    }
+  }
+  
+  logToolCall(toolName, tier, success, duration, error) {
+    this.log({
+      type: 'tool_call',
+      tool: toolName,
+      tier,
+      success,
+      duration,
+      error: error?.message,
+    });
+  }
+  
+  logAuth(tier, success, error) {
+    this.log({
+      type: 'auth',
+      tier,
+      success,
+      error: error?.message,
+    });
+  }
+}
+
+// =============================================================================
+// PATH SECURITY
+// =============================================================================
+
+const BLOCKED_PATHS = [
+  '.env',
+  '.env.local',
+  '.env.production',
+  'credentials',
+  'secrets',
+  '.ssh',
+  '.aws',
+  '.npmrc',
+  '.pypirc',
+];
+
+/**
+ * Check if path is safe to access
+ */
+function isPathSafe(requestedPath, projectRoot) {
+  const resolved = path.resolve(projectRoot, requestedPath);
+  
+  // Must be within project root
+  if (!resolved.startsWith(projectRoot)) {
+    return { safe: false, error: 'Path traversal detected' };
+  }
+  
+  // Check blocked paths
+  const relative = path.relative(projectRoot, resolved);
+  for (const blocked of BLOCKED_PATHS) {
+    if (relative.includes(blocked) || relative.startsWith(blocked)) {
+      return { safe: false, error: `Access to ${blocked} is blocked` };
+    }
+  }
+  
+  return { safe: true };
+}
+
+// =============================================================================
+// INPUT VALIDATION
+// =============================================================================
+
+/**
+ * Validate tool arguments against schema
+ */
+function validateArgs(args, schema) {
+  const errors = [];
+  
+  if (!schema || !schema.properties) {
+    return { valid: true, args };
+  }
+  
+  const validated = {};
+  
+  for (const [key, prop] of Object.entries(schema.properties)) {
+    const value = args?.[key];
+    
+    // Check required
+    if (schema.required?.includes(key) && value === undefined) {
+      errors.push(`Missing required argument: ${key}`);
+      continue;
+    }
+    
+    // Use default if not provided
+    if (value === undefined && prop.default !== undefined) {
+      validated[key] = prop.default;
+      continue;
+    }
+    
+    // Skip undefined optional args
+    if (value === undefined) {
+      continue;
+    }
+    
+    // Type check
+    if (prop.type === 'string' && typeof value !== 'string') {
+      errors.push(`${key} must be a string`);
+    } else if (prop.type === 'boolean' && typeof value !== 'boolean') {
+      errors.push(`${key} must be a boolean`);
+    } else if (prop.type === 'number' && typeof value !== 'number') {
+      errors.push(`${key} must be a number`);
+    } else if (prop.type === 'array' && !Array.isArray(value)) {
+      errors.push(`${key} must be an array`);
+    }
+    
+    // Enum check
+    if (prop.enum && !prop.enum.includes(value)) {
+      errors.push(`${key} must be one of: ${prop.enum.join(', ')}`);
+    }
+    
+    validated[key] = value;
+  }
+  
+  return {
+    valid: errors.length === 0,
+    errors,
+    args: validated,
+  };
+}
+
+// =============================================================================
+// SECRET REDACTION
+// =============================================================================
+
+const SECRET_PATTERNS = [
+  /sk[_-][a-zA-Z0-9]{20,}/g,           // Stripe keys
+  /pk[_-][a-zA-Z0-9]{20,}/g,           // Stripe public keys
+  /ghp_[a-zA-Z0-9]{36}/g,              // GitHub tokens
+  /gho_[a-zA-Z0-9]{36}/g,              // GitHub OAuth
+  /xox[baprs]-[a-zA-Z0-9-]{10,}/g,     // Slack tokens
+  /Bearer\s+[a-zA-Z0-9._-]+/gi,        // Bearer tokens
+  /api[_-]?key[_-]?[=:]["']?[a-zA-Z0-9]{16,}/gi,
+  /password[_-]?[=:]["']?[^\s"']+/gi,
+  /secret[_-]?[=:]["']?[^\s"']+/gi,
+];
+
+/**
+ * Redact secrets from output
+ */
+function redactSecrets(text) {
+  if (!text || typeof text !== 'string') return text;
+  
+  let redacted = text;
+  for (const pattern of SECRET_PATTERNS) {
+    redacted = redacted.replace(pattern, '[REDACTED]');
+  }
+  return redacted;
+}
+
+/**
+ * Redact secrets from object (deep)
+ */
+function redactObject(obj) {
+  if (!obj) return obj;
+  if (typeof obj === 'string') return redactSecrets(obj);
+  if (Array.isArray(obj)) return obj.map(redactObject);
+  if (typeof obj !== 'object') return obj;
+  
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    // Always redact certain keys
+    const lowerKey = key.toLowerCase();
+    if (lowerKey.includes('password') || 
+        lowerKey.includes('secret') || 
+        lowerKey.includes('token') ||
+        lowerKey.includes('apikey') ||
+        lowerKey.includes('api_key')) {
+      result[key] = '[REDACTED]';
+    } else {
+      result[key] = redactObject(value);
+    }
+  }
+  return result;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  // Tier management
+  TIERS,
+  TOOL_TIERS,
+  requiresPro,
+  checkTierAccess,
+  
+  // Rate limiting
+  RateLimiter,
+  
+  // Audit logging
+  AuditLogger,
+  
+  // Security
+  isPathSafe,
+  validateArgs,
+  redactSecrets,
+  redactObject,
+  BLOCKED_PATHS,
+  SECRET_PATTERNS,
+};

package/bin/runners/lib/missions/plan.js

@@ -69,6 +69,7 @@ const CATEGORY_TO_MISSION_TYPE = {
   GhostAuth: "ADD_SERVER_AUTH",
   AuthCoverage: "ADD_SERVER_AUTH",
   AuthDrift: "FIX_AUTH_DRIFT",
+  SecurityVulnerabilities: "FIX_SECURITY_VULN",
   
   // Billing & Payments
   Billing: "FIX_STRIPE_WEBHOOKS",
@@ -77,9 +78,12 @@ const CATEGORY_TO_MISSION_TYPE = {
   // Routes & APIs
   MissingRoute: "FIX_MISSING_ROUTE",
   RouteDrift: "FIX_ROUTE_DRIFT",
+  APIConsistency: "FIX_API_CONSISTENCY",
   
   // Environment & Config
   EnvContract: "FIX_ENV_CONTRACT",
+  EnvVariable: "FIX_ENV_VALIDATION",
+  EnvSetup: "FIX_ENV_SETUP",
   
   // Reality/Runtime issues
   FakeSuccess: "FIX_FAKE_SUCCESS",
@@ -93,6 +97,26 @@ const CATEGORY_TO_MISSION_TYPE = {
   TestKeys: "FIX_TEST_KEYS",
   HardcodedSecrets: "FIX_HARDCODED_SECRETS",
   SilentFallback: "FIX_SILENT_FALLBACK",
+  CodeQuality: "FIX_CODE_QUALITY",
+  
+  // React Patterns (V5)
+  ReactPatterns: "FIX_REACT_PATTERN",
+  
+  // Database Patterns (V5)
+  DatabasePatterns: "FIX_DATABASE_PATTERN",
+  
+  // Async Patterns (V5)
+  AsyncPatterns: "FIX_ASYNC_PATTERN",
+  
+  // Error Handling (V5)
+  ErrorHandling: "FIX_ERROR_HANDLING",
+  
+  // Performance (V5)
+  Performance: "FIX_PERFORMANCE",
+  BundleSize: "FIX_BUNDLE_SIZE",
+  
+  // Accessibility
+  Accessibility: "FIX_ACCESSIBILITY",
 };
 
 /**
@@ -104,6 +128,7 @@ const MISSION_PRIORITY = {
   REMOVE_OWNER_MODE: 1,
   FIX_HARDCODED_SECRETS: 2,
   FIX_AUTH_DRIFT: 3,
+  FIX_SECURITY_VULN: 4,
   
   // P1: Security & billing (fix before shipping)
   FIX_STRIPE_WEBHOOKS: 10,
@@ -116,17 +141,32 @@ const MISSION_PRIORITY = {
   FIX_PLACEHOLDER_DATA: 21,
   FIX_FAKE_SUCCESS: 22,
   
-  // P3: Code quality (fix when possible)
+  // P3: Code quality & patterns (fix when possible)
   FIX_MISSING_ROUTE: 30,
   FIX_ROUTE_DRIFT: 31,
   FIX_ENV_CONTRACT: 32,
-  FIX_EMPTY_CATCH: 33,
-  FIX_SILENT_FALLBACK: 34,
+  FIX_ENV_VALIDATION: 33,
+  FIX_ENV_SETUP: 34,
+  FIX_EMPTY_CATCH: 35,
+  FIX_SILENT_FALLBACK: 36,
+  FIX_ERROR_HANDLING: 37,
+  FIX_API_CONSISTENCY: 38,
+  
+  // P4: React & Framework patterns
+  FIX_REACT_PATTERN: 40,
+  FIX_ASYNC_PATTERN: 41,
+  FIX_DATABASE_PATTERN: 42,
+  FIX_CODE_QUALITY: 43,
+  
+  // P5: Performance & optimization
+  FIX_PERFORMANCE: 50,
+  FIX_BUNDLE_SIZE: 51,
   
-  // P4: UI issues (fix before polish)
-  FIX_DEAD_UI: 40,
+  // P6: UI & accessibility
+  FIX_DEAD_UI: 60,
+  FIX_ACCESSIBILITY: 61,
   
-  // P5: Generic (lowest priority)
+  // P7: Generic (lowest priority)
   GENERIC_FIX: 99,
 };