@vibecheckai/cli 3.3.0 → 3.5.0

package/bin/runners/lib/validators/dep-audit.js

@@ -0,0 +1,245 @@
+/**
+ * Dependency Auditor - Ship-only check
+ * Checks for known vulnerabilities in dependencies
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+const { execSync } = require("child_process");
+
+/**
+ * Audit dependencies for known vulnerabilities
+ * Uses npm audit / pnpm audit under the hood
+ */
+async function auditDependencies(projectPath) {
+  const findings = [];
+  const startTime = Date.now();
+  
+  try {
+    // Detect package manager
+    const packageManager = detectPackageManager(projectPath);
+    
+    // Check for package.json
+    const packageJsonPath = path.join(projectPath, "package.json");
+    if (!fs.existsSync(packageJsonPath)) {
+      return {
+        findings,
+        duration: Date.now() - startTime,
+        type: "dep-audit",
+      };
+    }
+    
+    // Check for lockfile
+    const hasLockfile = checkLockfile(projectPath, packageManager);
+    if (!hasLockfile) {
+      findings.push({
+        id: "DEP_NO_LOCKFILE",
+        category: "DependencyAudit",
+        severity: "WARN",
+        title: "No lockfile found",
+        message: "Project has no package-lock.json, pnpm-lock.yaml, or yarn.lock. Dependencies are not pinned.",
+        confidence: "high",
+        type: "no_lockfile",
+      });
+    }
+    
+    // Run audit command
+    const auditResult = await runAudit(projectPath, packageManager);
+    
+    // Parse audit results
+    if (auditResult.vulnerabilities) {
+      const vulnCounts = {
+        critical: 0,
+        high: 0,
+        moderate: 0,
+        low: 0,
+      };
+      
+      for (const [name, vuln] of Object.entries(auditResult.vulnerabilities)) {
+        const severity = vuln.severity || "moderate";
+        vulnCounts[severity] = (vulnCounts[severity] || 0) + 1;
+        
+        // Only report critical and high
+        if (severity === "critical" || severity === "high") {
+          findings.push({
+            id: `DEP_VULN_${hashString(name)}`,
+            category: "DependencyAudit",
+            severity: severity === "critical" ? "BLOCK" : "WARN",
+            title: `Vulnerable dependency: ${name}`,
+            message: `${severity.toUpperCase()} severity vulnerability in ${name}${vuln.via ? ` via ${Array.isArray(vuln.via) ? vuln.via[0] : vuln.via}` : ""}`,
+            confidence: "high",
+            type: "vulnerability",
+            details: {
+              package: name,
+              severity,
+              fixAvailable: vuln.fixAvailable || false,
+            },
+          });
+        }
+      }
+      
+      // Summary finding
+      if (vulnCounts.critical > 0 || vulnCounts.high > 0) {
+        findings.push({
+          id: "DEP_VULN_SUMMARY",
+          category: "DependencyAudit",
+          severity: vulnCounts.critical > 0 ? "BLOCK" : "WARN",
+          title: "Dependency vulnerabilities found",
+          message: `${vulnCounts.critical} critical, ${vulnCounts.high} high, ${vulnCounts.moderate} moderate, ${vulnCounts.low} low severity vulnerabilities`,
+          confidence: "high",
+          type: "summary",
+        });
+      }
+    }
+    
+    // Check for outdated dependencies (major versions behind)
+    const outdatedFindings = await checkOutdatedDependencies(projectPath, packageManager);
+    findings.push(...outdatedFindings);
+    
+  } catch (error) {
+    // Audit command failed - this is common if node_modules doesn't exist
+    if (!error.message.includes("ENOENT")) {
+      findings.push({
+        id: "DEP_AUDIT_ERROR",
+        category: "DependencyAudit",
+        severity: "INFO",
+        title: "Dependency audit incomplete",
+        message: `Could not run dependency audit: ${error.message}`,
+        confidence: "low",
+        type: "audit_error",
+      });
+    }
+  }
+  
+  return {
+    findings,
+    duration: Date.now() - startTime,
+    type: "dep-audit",
+  };
+}
+
+function detectPackageManager(projectPath) {
+  if (fs.existsSync(path.join(projectPath, "pnpm-lock.yaml"))) return "pnpm";
+  if (fs.existsSync(path.join(projectPath, "yarn.lock"))) return "yarn";
+  if (fs.existsSync(path.join(projectPath, "bun.lockb"))) return "bun";
+  return "npm";
+}
+
+function checkLockfile(projectPath, packageManager) {
+  const lockfiles = {
+    npm: "package-lock.json",
+    pnpm: "pnpm-lock.yaml",
+    yarn: "yarn.lock",
+    bun: "bun.lockb",
+  };
+  return fs.existsSync(path.join(projectPath, lockfiles[packageManager]));
+}
+
+async function runAudit(projectPath, packageManager) {
+  try {
+    let command;
+    switch (packageManager) {
+      case "pnpm":
+        command = "pnpm audit --json";
+        break;
+      case "yarn":
+        command = "yarn audit --json";
+        break;
+      default:
+        command = "npm audit --json";
+    }
+    
+    const result = execSync(command, {
+      cwd: projectPath,
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: 60000, // 60 second timeout
+    });
+    
+    return JSON.parse(result);
+  } catch (error) {
+    // npm audit exits with non-zero when vulnerabilities found
+    if (error.stdout) {
+      try {
+        return JSON.parse(error.stdout);
+      } catch {
+        return { vulnerabilities: {} };
+      }
+    }
+    return { vulnerabilities: {} };
+  }
+}
+
+async function checkOutdatedDependencies(projectPath, packageManager) {
+  const findings = [];
+  
+  try {
+    let command;
+    switch (packageManager) {
+      case "pnpm":
+        command = "pnpm outdated --json";
+        break;
+      case "yarn":
+        command = "yarn outdated --json";
+        break;
+      default:
+        command = "npm outdated --json";
+    }
+    
+    const result = execSync(command, {
+      cwd: projectPath,
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: 60000,
+    });
+    
+    const outdated = JSON.parse(result || "{}");
+    
+    // Count packages that are multiple major versions behind
+    let majorOutdated = 0;
+    for (const [name, info] of Object.entries(outdated)) {
+      const current = info.current || "0.0.0";
+      const latest = info.latest || "0.0.0";
+      
+      const currentMajor = parseInt(current.split(".")[0], 10) || 0;
+      const latestMajor = parseInt(latest.split(".")[0], 10) || 0;
+      
+      if (latestMajor - currentMajor >= 2) {
+        majorOutdated++;
+      }
+    }
+    
+    if (majorOutdated > 5) {
+      findings.push({
+        id: "DEP_MAJOR_OUTDATED",
+        category: "DependencyAudit",
+        severity: "WARN",
+        title: "Many dependencies are significantly outdated",
+        message: `${majorOutdated} dependencies are 2+ major versions behind. Consider updating.`,
+        confidence: "medium",
+        type: "outdated",
+      });
+    }
+    
+  } catch {
+    // Outdated check failed - ignore
+  }
+  
+  return findings;
+}
+
+function hashString(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = ((hash << 5) - hash) + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(36).substring(0, 8);
+}
+
+module.exports = {
+  auditDependencies,
+};

package/bin/runners/lib/validators/env-validator.js

@@ -0,0 +1,319 @@
+/**
+ * Environment Validator - Ship-only check
+ * Validates environment variable configuration
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+const fg = require("fast-glob");
+
+/**
+ * Validate environment variable configuration
+ * Checks:
+ * - All used env vars are documented in .env.example
+ * - No secrets in .env files that should be in .gitignore
+ * - Required env vars have validation
+ * - Env var naming conventions
+ */
+async function validateEnv(projectPath) {
+  const findings = [];
+  const startTime = Date.now();
+  
+  try {
+    // Find .env files
+    const envFiles = fg.sync([".env*", "**/.env*"], {
+      cwd: projectPath,
+      absolute: true,
+      ignore: ["**/node_modules/**"],
+      dot: true,
+    });
+    
+    // Parse env template (.env.example, .env.template)
+    const templateVars = await parseEnvTemplate(projectPath);
+    
+    // Parse actual env files
+    const actualEnvVars = new Map();
+    const envFileContents = new Map();
+    
+    for (const envFile of envFiles) {
+      const relativePath = path.relative(projectPath, envFile).replace(/\\/g, "/");
+      const content = fs.readFileSync(envFile, "utf8");
+      envFileContents.set(relativePath, content);
+      
+      const vars = parseEnvFile(content);
+      for (const [key, value] of Object.entries(vars)) {
+        if (!actualEnvVars.has(key)) {
+          actualEnvVars.set(key, { files: [], value });
+        }
+        actualEnvVars.get(key).files.push(relativePath);
+      }
+    }
+    
+    // Find env var usage in code
+    const usedEnvVars = await findEnvVarUsage(projectPath);
+    
+    // Check for missing documentation
+    for (const [varName, usage] of usedEnvVars.entries()) {
+      if (!templateVars.has(varName) && !isSystemEnvVar(varName)) {
+        findings.push({
+          id: `ENV_UNDOCUMENTED_${hashString(varName)}`,
+          category: "EnvValidation",
+          severity: "WARN",
+          title: `Environment variable not documented: ${varName}`,
+          message: `${varName} is used in code but not in .env.example`,
+          file: usage.files[0],
+          line: usage.line,
+          confidence: "medium",
+          type: "undocumented_env",
+        });
+      }
+    }
+    
+    // Check for secrets in committed env files
+    for (const [filePath, content] of envFileContents.entries()) {
+      // Skip .env.example, .env.template, .env.local (usually gitignored)
+      if (filePath.includes("example") || filePath.includes("template")) continue;
+      
+      const potentialSecrets = findPotentialSecrets(content);
+      
+      for (const secret of potentialSecrets) {
+        findings.push({
+          id: `ENV_SECRET_${hashString(secret.key + filePath)}`,
+          category: "EnvValidation",
+          severity: "BLOCK",
+          title: `Potential secret in env file: ${secret.key}`,
+          message: `${filePath} contains what looks like a secret value for ${secret.key}. Ensure this file is gitignored.`,
+          file: filePath,
+          confidence: "high",
+          type: "potential_secret",
+        });
+      }
+    }
+    
+    // Check .gitignore for env files
+    const gitignorePath = path.join(projectPath, ".gitignore");
+    if (fs.existsSync(gitignorePath)) {
+      const gitignore = fs.readFileSync(gitignorePath, "utf8");
+      const envFilesIgnored = gitignore.includes(".env") || gitignore.includes("*.env");
+      
+      if (!envFilesIgnored) {
+        findings.push({
+          id: "ENV_NOT_GITIGNORED",
+          category: "EnvValidation",
+          severity: "WARN",
+          title: ".env files may not be gitignored",
+          message: "Add .env* to .gitignore to prevent committing secrets",
+          file: ".gitignore",
+          confidence: "medium",
+          type: "gitignore_missing",
+        });
+      }
+    }
+    
+    // Check for .env.example
+    const hasEnvExample = templateVars.size > 0;
+    if (!hasEnvExample && usedEnvVars.size > 5) {
+      findings.push({
+        id: "ENV_NO_EXAMPLE",
+        category: "EnvValidation",
+        severity: "WARN",
+        title: "No .env.example file",
+        message: "Create a .env.example to document required environment variables",
+        confidence: "high",
+        type: "no_example",
+      });
+    }
+    
+    // Check naming conventions
+    for (const varName of usedEnvVars.keys()) {
+      if (isSystemEnvVar(varName)) continue;
+      
+      // Check for lowercase (should be SCREAMING_SNAKE_CASE)
+      if (varName !== varName.toUpperCase() && !varName.startsWith("npm_")) {
+        findings.push({
+          id: `ENV_NAMING_${hashString(varName)}`,
+          category: "EnvValidation",
+          severity: "INFO",
+          title: `Environment variable naming: ${varName}`,
+          message: `Convention is SCREAMING_SNAKE_CASE. Consider renaming to ${varName.toUpperCase()}`,
+          confidence: "low",
+          type: "naming_convention",
+        });
+      }
+    }
+    
+  } catch (error) {
+    findings.push({
+      id: "ENV_VALIDATION_ERROR",
+      category: "EnvValidation",
+      severity: "INFO",
+      title: "Environment validation incomplete",
+      message: `Could not complete env validation: ${error.message}`,
+      confidence: "low",
+      type: "validation_error",
+    });
+  }
+  
+  return {
+    findings,
+    duration: Date.now() - startTime,
+    type: "env-validator",
+  };
+}
+
+async function parseEnvTemplate(projectPath) {
+  const templateVars = new Map();
+  
+  const templateFiles = [".env.example", ".env.template", ".env.sample"];
+  
+  for (const filename of templateFiles) {
+    const filePath = path.join(projectPath, filename);
+    if (fs.existsSync(filePath)) {
+      const content = fs.readFileSync(filePath, "utf8");
+      const vars = parseEnvFile(content);
+      for (const [key, value] of Object.entries(vars)) {
+        templateVars.set(key, { value, file: filename });
+      }
+    }
+  }
+  
+  return templateVars;
+}
+
+function parseEnvFile(content) {
+  const vars = {};
+  const lines = content.split("\n");
+  
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    
+    const match = trimmed.match(/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/);
+    if (match) {
+      vars[match[1]] = match[2].replace(/^["']|["']$/g, "");
+    }
+  }
+  
+  return vars;
+}
+
+async function findEnvVarUsage(projectPath) {
+  const usedVars = new Map();
+  
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: projectPath,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.test.*",
+      "**/*.spec.*",
+    ],
+  });
+  
+  for (const file of files) {
+    try {
+      const content = fs.readFileSync(file, "utf8");
+      const relativePath = path.relative(projectPath, file).replace(/\\/g, "/");
+      
+      // process.env.VAR_NAME
+      const processEnvMatches = content.matchAll(/process\.env\.([A-Z_][A-Z0-9_]*)/g);
+      for (const match of processEnvMatches) {
+        const varName = match[1];
+        const line = content.substring(0, match.index).split("\n").length;
+        
+        if (!usedVars.has(varName)) {
+          usedVars.set(varName, { files: [], line });
+        }
+        usedVars.get(varName).files.push(relativePath);
+      }
+      
+      // import.meta.env.VAR_NAME (Vite)
+      const importMetaMatches = content.matchAll(/import\.meta\.env\.([A-Z_][A-Z0-9_]*)/g);
+      for (const match of importMetaMatches) {
+        const varName = match[1];
+        const line = content.substring(0, match.index).split("\n").length;
+        
+        if (!usedVars.has(varName)) {
+          usedVars.set(varName, { files: [], line });
+        }
+        usedVars.get(varName).files.push(relativePath);
+      }
+    } catch {
+      // Skip files that can't be read
+    }
+  }
+  
+  return usedVars;
+}
+
+function isSystemEnvVar(name) {
+  const systemVars = [
+    "NODE_ENV", "PORT", "HOST", "PATH", "HOME", "USER", "SHELL",
+    "PWD", "LANG", "TZ", "TERM", "CI", "DEBUG", "VERBOSE",
+    "npm_package_version", "npm_package_name",
+  ];
+  return systemVars.includes(name) || name.startsWith("npm_") || name.startsWith("NODE_");
+}
+
+function findPotentialSecrets(content) {
+  const secrets = [];
+  const lines = content.split("\n");
+  
+  const secretPatterns = [
+    /^(.*(?:SECRET|KEY|TOKEN|PASSWORD|PRIVATE|CREDENTIAL|AUTH).*?)=(.+)$/i,
+    /^(.*API_KEY.*)=(.+)$/i,
+    /^(.*ACCESS_TOKEN.*)=(.+)$/i,
+    /^(.*DATABASE_URL.*)=(.+)$/i,
+    /^(.*STRIPE_.*)=(.+)$/i,
+    /^(.*AWS_.*)=(.+)$/i,
+    /^(.*GOOGLE_.*)=(.+)$/i,
+    /^(.*GITHUB_.*)=(.+)$/i,
+  ];
+  
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    
+    for (const pattern of secretPatterns) {
+      const match = trimmed.match(pattern);
+      if (match) {
+        const value = match[2].replace(/^["']|["']$/g, "");
+        // Skip placeholder values
+        if (!isPlaceholderValue(value)) {
+          secrets.push({ key: match[1], hasValue: true });
+          break;
+        }
+      }
+    }
+  }
+  
+  return secrets;
+}
+
+function isPlaceholderValue(value) {
+  const placeholders = [
+    "", "your-", "xxx", "TODO", "CHANGEME", "placeholder",
+    "<", ">", "...", "example", "test", "dev", "local",
+  ];
+  
+  const lowerValue = value.toLowerCase();
+  return placeholders.some(p => lowerValue.includes(p)) || value.length < 8;
+}
+
+function hashString(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = ((hash << 5) - hash) + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(36).substring(0, 8);
+}
+
+module.exports = {
+  validateEnv,
+};

package/bin/runners/lib/validators/index.js

@@ -0,0 +1,120 @@
+/**
+ * Ship-only Validators
+ * These validators only run during `vibecheck ship` (PRO feature)
+ */
+
+"use strict";
+
+const { validateRoutes } = require("./route-validator");
+const { validateContracts } = require("./contract-validator");
+const { auditDependencies } = require("./dep-audit");
+const { checkLicenses } = require("./license-checker");
+const { validateEnv } = require("./env-validator");
+const { detectDeadExports } = require("./dead-export-detector");
+
+/**
+ * Run all ship-only validators
+ * @param {string} projectPath - Path to project root
+ * @param {Object} options - Validator options
+ * @returns {Promise<{findings: Array, stats: Object}>}
+ */
+async function runShipValidators(projectPath, options = {}) {
+  const { onProgress = null, parallel = true } = options;
+  
+  const startTime = Date.now();
+  const results = [];
+  
+  const validators = [
+    { name: "Route Integrity", fn: validateRoutes },
+    { name: "Contract Validation", fn: validateContracts },
+    { name: "Dependency Audit", fn: auditDependencies },
+    { name: "License Compliance", fn: checkLicenses },
+    { name: "Environment Validation", fn: validateEnv },
+    { name: "Dead Export Detection", fn: detectDeadExports },
+  ];
+  
+  if (parallel) {
+    // Run validators in parallel
+    const promises = validators.map(async ({ name, fn }) => {
+      try {
+        if (onProgress) onProgress(name, "running");
+        const result = await fn(projectPath);
+        if (onProgress) onProgress(name, "complete");
+        return { name, ...result };
+      } catch (error) {
+        if (onProgress) onProgress(name, "error");
+        return {
+          name,
+          findings: [{
+            id: `VALIDATOR_ERROR_${name.replace(/\s/g, "_")}`,
+            category: "ValidatorError",
+            severity: "INFO",
+            title: `${name} validator failed`,
+            message: error.message,
+            confidence: "low",
+            type: "validator_error",
+          }],
+          duration: 0,
+        };
+      }
+    });
+    
+    results.push(...await Promise.all(promises));
+  } else {
+    // Run validators sequentially
+    for (const { name, fn } of validators) {
+      try {
+        if (onProgress) onProgress(name, "running");
+        const result = await fn(projectPath);
+        if (onProgress) onProgress(name, "complete");
+        results.push({ name, ...result });
+      } catch (error) {
+        if (onProgress) onProgress(name, "error");
+        results.push({
+          name,
+          findings: [{
+            id: `VALIDATOR_ERROR_${name.replace(/\s/g, "_")}`,
+            category: "ValidatorError",
+            severity: "INFO",
+            title: `${name} validator failed`,
+            message: error.message,
+            confidence: "low",
+            type: "validator_error",
+          }],
+          duration: 0,
+        });
+      }
+    }
+  }
+  
+  // Aggregate findings
+  const allFindings = [];
+  const stats = {
+    validatorsRun: results.length,
+    findingsPerValidator: {},
+    totalDuration: Date.now() - startTime,
+  };
+  
+  for (const result of results) {
+    stats.findingsPerValidator[result.name] = result.findings.length;
+    allFindings.push(...result.findings.map(f => ({
+      ...f,
+      validator: result.name,
+    })));
+  }
+  
+  return { findings: allFindings, stats };
+}
+
+module.exports = {
+  // Main orchestrator
+  runShipValidators,
+  
+  // Individual validators
+  validateRoutes,
+  validateContracts,
+  auditDependencies,
+  checkLicenses,
+  validateEnv,
+  detectDeadExports,
+};