@vibecheckai/cli 3.4.0 → 3.5.1

package/mcp-server/__tests__/registry.test.ts

@@ -0,0 +1,365 @@
+/**
+ * Tool Registry Tests
+ * 
+ * Ensures the registry is valid and consistent.
+ * 
+ * CRITICAL: CI must fail if:
+ * - Tool count exceeds 20 without VIBECHECK_ALLOW_TOOL_GROWTH=1
+ * - A tool is added without CLI mapping (unless helper)
+ */
+
+import { describe, it, expect, beforeAll } from 'vitest';
+import { readFileSync, existsSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+// Maximum allowed tools without explicit override
+const MAX_TOOLS = 20;
+const ALLOW_TOOL_GROWTH = process.env.VIBECHECK_ALLOW_TOOL_GROWTH === '1';
+
+interface Tool {
+  name: string;
+  cli: string | null;
+  tier: string;
+  description: string;
+  category: string;
+  cacheable?: boolean;
+  cacheMaxAge?: number;
+  timeout?: number;
+  inputSchema: Record<string, unknown>;
+  outputSchema?: Record<string, unknown>;
+  tierGated?: Record<string, string>;
+}
+
+interface Registry {
+  version: string;
+  tools: Tool[];
+  aliases: Record<string, string>;
+  deprecated: Array<{ name: string; reason: string; replacement: string | null; removeIn: string }>;
+  categories: Record<string, { description: string; order: number }>;
+  tiers: Record<string, { name: string; order: number; price?: number }>;
+}
+
+describe('Tool Registry', () => {
+  let registry: Registry;
+
+  beforeAll(() => {
+    const registryPath = join(__dirname, '..', 'registry', 'tools.json');
+    registry = JSON.parse(readFileSync(registryPath, 'utf-8'));
+  });
+
+  describe('Registry Structure', () => {
+    it('should have a version', () => {
+      expect(registry.version).toBeDefined();
+      expect(registry.version).toMatch(/^\d+\.\d+\.\d+$/);
+    });
+
+    it('should have tools array', () => {
+      expect(Array.isArray(registry.tools)).toBe(true);
+      expect(registry.tools.length).toBeGreaterThan(0);
+    });
+
+    it('should have aliases object', () => {
+      expect(typeof registry.aliases).toBe('object');
+    });
+
+    it('should have categories', () => {
+      expect(typeof registry.categories).toBe('object');
+      expect(Object.keys(registry.categories).length).toBeGreaterThan(0);
+    });
+
+    it('should have tiers', () => {
+      expect(typeof registry.tiers).toBe('object');
+      expect(registry.tiers.free).toBeDefined();
+      expect(registry.tiers.starter).toBeDefined();
+      expect(registry.tiers.pro).toBeDefined();
+    });
+  });
+
+  describe('Tool Definitions', () => {
+    it('all tools should have required fields', () => {
+      for (const tool of registry.tools) {
+        expect(tool.name).toBeDefined();
+        expect(tool.name).toMatch(/^vibecheck\.[a-z_]+$/);
+        expect(tool.tier).toBeDefined();
+        expect(tool.description).toBeDefined();
+        expect(tool.description.length).toBeGreaterThan(10);
+        expect(tool.category).toBeDefined();
+        expect(tool.inputSchema).toBeDefined();
+        expect(typeof tool.inputSchema).toBe('object');
+      }
+    });
+
+    it('all tools should have valid tiers', () => {
+      const validTiers = Object.keys(registry.tiers);
+      
+      for (const tool of registry.tools) {
+        expect(validTiers).toContain(tool.tier);
+      }
+    });
+
+    it('all tools should have valid categories', () => {
+      const validCategories = Object.keys(registry.categories);
+      
+      for (const tool of registry.tools) {
+        expect(validCategories).toContain(tool.category);
+      }
+    });
+
+    it('tool names should be unique', () => {
+      const names = registry.tools.map(t => t.name);
+      const uniqueNames = new Set(names);
+      expect(names.length).toBe(uniqueNames.size);
+    });
+
+    it('cacheable tools should have cacheMaxAge', () => {
+      for (const tool of registry.tools) {
+        if (tool.cacheable) {
+          expect(tool.cacheMaxAge).toBeDefined();
+          expect(tool.cacheMaxAge).toBeGreaterThan(0);
+        }
+      }
+    });
+
+    it('all tools should have reasonable timeouts', () => {
+      for (const tool of registry.tools) {
+        if (tool.timeout !== undefined) {
+          expect(tool.timeout).toBeGreaterThanOrEqual(1000);
+          expect(tool.timeout).toBeLessThanOrEqual(600000);
+        }
+      }
+    });
+  });
+
+  describe('CLI Mapping', () => {
+    it('CLI-backed tools should have valid cli field', () => {
+      const cliTools = registry.tools.filter(t => t.cli !== null);
+      
+      for (const tool of cliTools) {
+        expect(typeof tool.cli).toBe('string');
+        expect(tool.cli!.length).toBeGreaterThan(0);
+      }
+    });
+
+    it('query tools should have null cli', () => {
+      const queryTools = registry.tools.filter(t => t.category === 'query');
+      
+      for (const tool of queryTools) {
+        expect(tool.cli).toBeNull();
+      }
+    });
+  });
+
+  describe('Aliases', () => {
+    it('all alias targets should exist', () => {
+      const toolNames = new Set(registry.tools.map(t => t.name));
+      
+      for (const [alias, target] of Object.entries(registry.aliases)) {
+        expect(toolNames.has(target)).toBe(true);
+      }
+    });
+
+    it('aliases should not conflict with tool names', () => {
+      const toolNames = new Set(registry.tools.map(t => t.name));
+      
+      for (const alias of Object.keys(registry.aliases)) {
+        expect(toolNames.has(alias)).toBe(false);
+      }
+    });
+  });
+
+  describe('Deprecated Tools', () => {
+    it('deprecated tools should have required fields', () => {
+      for (const dep of registry.deprecated) {
+        expect(dep.name).toBeDefined();
+        expect(dep.reason).toBeDefined();
+        expect(dep.removeIn).toBeDefined();
+        expect(dep.removeIn).toMatch(/^\d+\.\d+\.\d+$/);
+      }
+    });
+
+    it('replacement tools should exist if specified', () => {
+      const toolNames = new Set(registry.tools.map(t => t.name));
+      
+      for (const dep of registry.deprecated) {
+        if (dep.replacement !== null) {
+          expect(toolNames.has(dep.replacement)).toBe(true);
+        }
+      }
+    });
+  });
+
+  describe('Input Schemas', () => {
+    it('all input schemas should be valid JSON Schema', () => {
+      for (const tool of registry.tools) {
+        expect(tool.inputSchema.type).toBe('object');
+        expect(tool.inputSchema.properties).toBeDefined();
+      }
+    });
+
+    it('projectPath should have default value', () => {
+      for (const tool of registry.tools) {
+        const props = tool.inputSchema.properties as Record<string, { default?: string }>;
+        if (props.projectPath) {
+          expect(props.projectPath.default).toBe('.');
+        }
+      }
+    });
+
+    it('required fields should be in properties', () => {
+      for (const tool of registry.tools) {
+        const required = tool.inputSchema.required as string[] | undefined;
+        const props = tool.inputSchema.properties as Record<string, unknown>;
+        
+        if (required) {
+          for (const field of required) {
+            expect(props[field]).toBeDefined();
+          }
+        }
+      }
+    });
+  });
+
+  describe('Tier Gating', () => {
+    it('tierGated options should reference valid tiers', () => {
+      const validTiers = Object.keys(registry.tiers);
+      
+      for (const tool of registry.tools) {
+        if (tool.tierGated) {
+          for (const tier of Object.values(tool.tierGated)) {
+            expect(validTiers).toContain(tier);
+          }
+        }
+      }
+    });
+
+    it('tierGated options should be in input schema', () => {
+      for (const tool of registry.tools) {
+        if (tool.tierGated) {
+          const props = tool.inputSchema.properties as Record<string, unknown>;
+          for (const option of Object.keys(tool.tierGated)) {
+            expect(props[option]).toBeDefined();
+          }
+        }
+      }
+    });
+  });
+
+  describe('Core Tools Present', () => {
+    const coreTools = [
+      'vibecheck.doctor',
+      'vibecheck.init',
+      'vibecheck.scan',
+      'vibecheck.ship',
+      'vibecheck.prove',
+      'vibecheck.reality',
+      'vibecheck.fix',
+      'vibecheck.guard',
+      'vibecheck.ctx',
+      'vibecheck.report',
+      'vibecheck.status',
+    ];
+
+    for (const toolName of coreTools) {
+      it(`should have ${toolName}`, () => {
+        const tool = registry.tools.find(t => t.name === toolName);
+        expect(tool).toBeDefined();
+      });
+    }
+  });
+
+  describe('Category Order', () => {
+    it('categories should have sequential order', () => {
+      const orders = Object.values(registry.categories).map(c => c.order);
+      const sorted = [...orders].sort((a, b) => a - b);
+      
+      for (let i = 0; i < sorted.length; i++) {
+        expect(sorted[i]).toBe(i + 1);
+      }
+    });
+  });
+
+  describe('Tier Order', () => {
+    it('tiers should have sequential order', () => {
+      const tierEntries = Object.entries(registry.tiers).sort((a, b) => a[1].order - b[1].order);
+      
+      expect(tierEntries[0][0]).toBe('free');
+      expect(tierEntries[0][1].order).toBe(0);
+    });
+
+    it('paid tiers should have prices', () => {
+      expect(registry.tiers.starter.price).toBeDefined();
+      expect(registry.tiers.pro.price).toBeDefined();
+      expect(registry.tiers.starter.price).toBeLessThan(registry.tiers.pro.price!);
+    });
+  });
+
+  describe('Tool Count Enforcement', () => {
+    it(`should not exceed ${MAX_TOOLS} tools without override`, () => {
+      const toolCount = registry.tools.length;
+      
+      if (!ALLOW_TOOL_GROWTH) {
+        expect(toolCount).toBeLessThanOrEqual(MAX_TOOLS);
+      }
+      
+      // Always log warning if approaching limit
+      if (toolCount >= MAX_TOOLS - 2) {
+        console.warn(`Warning: Tool count (${toolCount}) is approaching limit (${MAX_TOOLS})`);
+      }
+    });
+
+    it('all CLI-backed tools should have valid CLI mapping', () => {
+      const helperCategories = ['query', 'utility'];
+      
+      for (const tool of registry.tools) {
+        // Helper tools are allowed to have null CLI
+        const isHelper = helperCategories.includes(tool.category) && tool.cli === null;
+        
+        if (!isHelper) {
+          // Non-helper tools must have CLI mapping or be explicitly a helper
+          if (tool.cli === null) {
+            // This is a query/utility helper - allowed
+            expect(tool.description.toLowerCase()).toMatch(/artifact|query|list|get|search/);
+          }
+        }
+      }
+    });
+
+    it('should not add tools without CLI mapping (unless helper)', () => {
+      const toolsWithoutCli = registry.tools.filter(t => t.cli === null);
+      const allowedHelpers = [
+        'vibecheck.get_truthpack',
+        'vibecheck.validate_claim',
+        'vibecheck.search_evidence',
+        'vibecheck.list_reports',
+        'vibecheck.get_last_verdict',
+        'vibecheck.get_finding',
+      ];
+      
+      for (const tool of toolsWithoutCli) {
+        expect(allowedHelpers).toContain(tool.name);
+      }
+    });
+  });
+
+  describe('Deprecation Handling', () => {
+    it('deprecated tools should have valid replacement or null', () => {
+      const toolNames = new Set(registry.tools.map(t => t.name));
+      
+      for (const dep of registry.deprecated) {
+        if (dep.replacement) {
+          expect(toolNames.has(dep.replacement)).toBe(true);
+        }
+      }
+    });
+
+    it('aliases should warn about deprecation', () => {
+      // All aliases should have a target that exists
+      for (const [alias, target] of Object.entries(registry.aliases)) {
+        expect(registry.tools.some(t => t.name === target)).toBe(true);
+      }
+    });
+  });
+});

package/mcp-server/__tests__/sandbox.test.ts

@@ -0,0 +1,323 @@
+/**
+ * Sandbox Security Tests
+ * 
+ * Ensures path sandboxing is secure and prevents:
+ * - Path traversal attacks (../)
+ * - Absolute path escape
+ * - Symlink escape
+ * - Access to sensitive files
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { mkdirSync, writeFileSync, symlinkSync, rmSync, existsSync } from 'fs';
+import { join, resolve } from 'path';
+import { tmpdir } from 'os';
+import { createSandbox, redactPath, redactSensitive } from '../lib/sandbox.js';
+
+describe('Path Sandboxing', () => {
+  let testDir: string;
+  let workspace: string;
+
+  beforeAll(() => {
+    testDir = join(tmpdir(), `vibecheck-sandbox-test-${Date.now()}`);
+    workspace = join(testDir, 'workspace');
+    mkdirSync(workspace, { recursive: true });
+    mkdirSync(join(workspace, 'src'));
+    mkdirSync(join(workspace, 'node_modules', 'pkg'), { recursive: true });
+    mkdirSync(join(workspace, 'venv', 'lib'), { recursive: true });
+    
+    writeFileSync(join(workspace, 'src', 'app.ts'), 'export const app = 1;');
+    writeFileSync(join(workspace, 'node_modules', 'pkg', 'index.js'), 'module.exports = {}');
+    
+    // Create a directory outside workspace for escape tests
+    mkdirSync(join(testDir, 'outside'));
+    writeFileSync(join(testDir, 'outside', 'secret.txt'), 'secret');
+    
+    // Create a symlink pointing outside (if platform supports)
+    try {
+      symlinkSync(join(testDir, 'outside'), join(workspace, 'escape-link'));
+    } catch {
+      // Symlinks may not be supported on all platforms
+    }
+  });
+
+  afterAll(() => {
+    if (existsSync(testDir)) {
+      rmSync(testDir, { recursive: true, force: true });
+    }
+  });
+
+  describe('validate()', () => {
+    it('should allow paths within workspace', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate(join(workspace, 'src', 'app.ts'));
+      expect(result.allowed).toBe(true);
+      expect(result.relativePath).toBe(join('src', 'app.ts'));
+    });
+
+    it('should allow relative paths', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate('src/app.ts');
+      expect(result.allowed).toBe(true);
+    });
+
+    it('should block path traversal with ../', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate('../outside/secret.txt');
+      expect(result.allowed).toBe(false);
+      expect(result.reason).toMatch(/traversal|outside/i);
+    });
+
+    it('should block path traversal with multiple ../', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate('src/../../outside/secret.txt');
+      expect(result.allowed).toBe(false);
+    });
+
+    it('should block absolute paths outside workspace', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate(join(testDir, 'outside', 'secret.txt'));
+      expect(result.allowed).toBe(false);
+      expect(result.reason).toMatch(/outside|sandbox/i);
+    });
+
+    it('should block access to /etc/passwd (Unix)', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate('/etc/passwd');
+      expect(result.allowed).toBe(false);
+    });
+
+    it('should block access to C:\\Windows (Windows)', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate('C:\\Windows\\System32\\config');
+      expect(result.allowed).toBe(false);
+    });
+
+    it('should block access to .ssh directory', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate('/home/user/.ssh/id_rsa');
+      expect(result.allowed).toBe(false);
+    });
+
+    it('should block access to .aws directory', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.validate('/home/user/.aws/credentials');
+      expect(result.allowed).toBe(false);
+    });
+
+    it('should handle path depth limit', () => {
+      const sandbox = createSandbox({ workspace, maxDepth: 5 });
+      
+      // Deep path
+      const deepPath = 'a/b/c/d/e/f/g/h/i/j/file.ts';
+      const result = sandbox.validate(deepPath);
+      expect(result.allowed).toBe(false);
+      expect(result.reason).toMatch(/depth/i);
+    });
+  });
+
+  describe('shouldExclude()', () => {
+    it('should exclude node_modules by default', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.shouldExclude('node_modules/pkg/index.js')).toBe(true);
+      expect(sandbox.shouldExclude(join(workspace, 'node_modules', 'pkg', 'index.js'))).toBe(true);
+    });
+
+    it('should exclude venv by default', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.shouldExclude('venv/lib/config.py')).toBe(true);
+      expect(sandbox.shouldExclude('.venv/lib/config.py')).toBe(true);
+    });
+
+    it('should exclude .git by default', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.shouldExclude('.git/config')).toBe(true);
+      expect(sandbox.shouldExclude('.git/objects/abc')).toBe(true);
+    });
+
+    it('should exclude dist/build/out by default', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.shouldExclude('dist/bundle.js')).toBe(true);
+      expect(sandbox.shouldExclude('build/output.js')).toBe(true);
+      expect(sandbox.shouldExclude('out/compiled.js')).toBe(true);
+    });
+
+    it('should exclude .next by default', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.shouldExclude('.next/server/app.js')).toBe(true);
+    });
+
+    it('should exclude coverage by default', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.shouldExclude('coverage/lcov.info')).toBe(true);
+    });
+
+    it('should exclude .cache and .turbo by default', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.shouldExclude('.cache/webpack/chunk.js')).toBe(true);
+      expect(sandbox.shouldExclude('.turbo/cache.json')).toBe(true);
+    });
+
+    it('should NOT exclude src files', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.shouldExclude('src/app.ts')).toBe(false);
+      expect(sandbox.shouldExclude('lib/utils.ts')).toBe(false);
+      expect(sandbox.shouldExclude('app/page.tsx')).toBe(false);
+    });
+
+    it('should apply custom exclusion patterns', () => {
+      const sandbox = createSandbox({ 
+        workspace,
+        excludePatterns: [/custom_exclude\//],
+      });
+      
+      expect(sandbox.shouldExclude('custom_exclude/file.ts')).toBe(true);
+    });
+  });
+
+  describe('requireValid()', () => {
+    it('should return normalized path for valid paths', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const result = sandbox.requireValid('src/app.ts');
+      expect(result).toBe(resolve(workspace, 'src/app.ts'));
+    });
+
+    it('should throw for invalid paths', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(() => sandbox.requireValid('../outside/secret.txt')).toThrow();
+    });
+  });
+
+  describe('exists()', () => {
+    it('should return true for existing files in sandbox', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.exists('src/app.ts')).toBe(true);
+    });
+
+    it('should return false for non-existent files', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.exists('src/nonexistent.ts')).toBe(false);
+    });
+
+    it('should return false for paths outside sandbox', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      // Even if file exists outside, should return false
+      expect(sandbox.exists('../outside/secret.txt')).toBe(false);
+    });
+  });
+
+  describe('path conversion', () => {
+    it('toRelative should convert absolute to relative', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const relative = sandbox.toRelative(join(workspace, 'src', 'app.ts'));
+      expect(relative).toBe(join('src', 'app.ts'));
+    });
+
+    it('toAbsolute should convert relative to absolute', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      const absolute = sandbox.toAbsolute('src/app.ts');
+      expect(absolute).toBe(resolve(workspace, 'src/app.ts'));
+    });
+
+    it('getWorkspace should return workspace root', () => {
+      const sandbox = createSandbox({ workspace });
+      
+      expect(sandbox.getWorkspace()).toBe(resolve(workspace));
+    });
+  });
+});
+
+describe('Path Redaction', () => {
+  it('should redact paths outside workspace', () => {
+    const result = redactPath('/etc/passwd', '/home/user/project');
+    expect(result).toBe('[REDACTED]');
+  });
+
+  it('should return relative path for paths within workspace', () => {
+    const result = redactPath('/home/user/project/src/app.ts', '/home/user/project');
+    expect(result).toBe('src/app.ts');
+  });
+});
+
+describe('Sensitive Data Redaction', () => {
+  it('should redact password fields', () => {
+    const obj = { username: 'admin', password: 'secret123' };
+    const result = redactSensitive(obj);
+    expect(result.username).toBe('admin');
+    expect(result.password).toBe('[REDACTED]');
+  });
+
+  it('should redact apiKey fields', () => {
+    const obj = { name: 'test', apiKey: 'sk-xxx-yyy' };
+    const result = redactSensitive(obj);
+    expect(result.name).toBe('test');
+    expect(result.apiKey).toBe('[REDACTED]');
+  });
+
+  it('should redact nested sensitive fields', () => {
+    const obj = {
+      config: {
+        database: {
+          password: 'dbpass',
+          host: 'localhost',
+        },
+      },
+    };
+    const result = redactSensitive(obj) as { config: { database: { password: string; host: string } } };
+    expect(result.config.database.host).toBe('localhost');
+    expect(result.config.database.password).toBe('[REDACTED]');
+  });
+
+  it('should redact arrays with sensitive objects', () => {
+    const obj = {
+      users: [
+        { name: 'alice', secret: 'alice-secret' },
+        { name: 'bob', secret: 'bob-secret' },
+      ],
+    };
+    const result = redactSensitive(obj) as { users: Array<{ name: string; secret: string }> };
+    expect(result.users[0].name).toBe('alice');
+    expect(result.users[0].secret).toBe('[REDACTED]');
+    expect(result.users[1].secret).toBe('[REDACTED]');
+  });
+
+  it('should handle various sensitive key patterns', () => {
+    const obj = {
+      auth_token: 'token',
+      credential: 'cred',
+      private_key: 'key',
+      session_cookie: 'cookie',
+      safe_value: 'value',
+    };
+    const result = redactSensitive(obj);
+    expect(result.auth_token).toBe('[REDACTED]');
+    expect(result.credential).toBe('[REDACTED]');
+    expect(result.private_key).toBe('[REDACTED]');
+    expect(result.session_cookie).toBe('[REDACTED]');
+    expect(result.safe_value).toBe('value');
+  });
+});