@vibecheckai/cli 3.4.0 → 3.5.1

package/mcp-server/lib/metrics.ts

@@ -0,0 +1,365 @@
+/**
+ * Metrics Collection for MCP Server
+ * 
+ * Provides structured metrics for:
+ * - Tool execution duration
+ * - Error rates by type
+ * - Cache hit rates
+ * - Findings counts by severity
+ * 
+ * Metrics are aggregated in memory and can be flushed to storage.
+ */
+
+import { createHash } from 'crypto';
+
+/**
+ * Metric types
+ */
+export type MetricType = 'counter' | 'gauge' | 'histogram';
+
+/**
+ * Metric entry structure
+ */
+export interface MetricEntry {
+  name: string;
+  type: MetricType;
+  value: number;
+  unit: 'ms' | 'count' | 'bytes' | 'percent' | 'ratio';
+  timestamp: number;
+  tags?: Record<string, string>;
+}
+
+/**
+ * Histogram statistics result type
+ */
+export interface HistogramStats {
+  count: number;
+  min: number;
+  max: number;
+  avg: number;
+  p50: number;
+  p95: number;
+  p99: number;
+}
+
+/**
+ * Histogram buckets for duration metrics
+ */
+const DURATION_BUCKETS_MS = [10, 50, 100, 250, 500, 1000, 2500, 5000, 10000, 30000, 60000];
+
+/**
+ * Metrics aggregator
+ */
+export class MetricsCollector {
+  private counters = new Map<string, number>();
+  private gauges = new Map<string, number>();
+  private histograms = new Map<string, number[]>();
+  private entries: MetricEntry[] = [];
+  private flushInterval?: NodeJS.Timeout;
+  private maxEntries: number;
+
+  constructor(options: { maxEntries?: number; flushIntervalMs?: number } = {}) {
+    this.maxEntries = options.maxEntries ?? 10000;
+    
+    if (options.flushIntervalMs) {
+      this.flushInterval = setInterval(() => {
+        this.trimEntries();
+      }, options.flushIntervalMs);
+    }
+  }
+
+  /**
+   * Increment a counter
+   */
+  incCounter(name: string, value = 1, tags?: Record<string, string>): void {
+    const key = this.makeKey(name, tags);
+    const current = this.counters.get(key) ?? 0;
+    this.counters.set(key, current + value);
+    
+    this.record({
+      name,
+      type: 'counter',
+      value: current + value,
+      unit: 'count',
+      timestamp: Date.now(),
+      tags,
+    });
+  }
+
+  /**
+   * Set a gauge value
+   */
+  setGauge(name: string, value: number, tags?: Record<string, string>): void {
+    const key = this.makeKey(name, tags);
+    this.gauges.set(key, value);
+    
+    this.record({
+      name,
+      type: 'gauge',
+      value,
+      unit: 'count',
+      timestamp: Date.now(),
+      tags,
+    });
+  }
+
+  /**
+   * Record a histogram value (e.g., duration)
+   */
+  recordHistogram(
+    name: string, 
+    value: number, 
+    unit: 'ms' | 'bytes' = 'ms',
+    tags?: Record<string, string>
+  ): void {
+    const key = this.makeKey(name, tags);
+    const values = this.histograms.get(key) ?? [];
+    values.push(value);
+    this.histograms.set(key, values);
+    
+    this.record({
+      name,
+      type: 'histogram',
+      value,
+      unit,
+      timestamp: Date.now(),
+      tags,
+    });
+  }
+
+  /**
+   * Record tool execution metrics
+   */
+  recordToolExecution(
+    tool: string,
+    durationMs: number,
+    success: boolean,
+    cached: boolean
+  ): void {
+    const tags = { tool, status: success ? 'success' : 'error', cached: String(cached) };
+    
+    this.recordHistogram('tool_duration_ms', durationMs, 'ms', tags);
+    this.incCounter('tool_executions_total', 1, tags);
+    
+    if (!success) {
+      this.incCounter('tool_errors_total', 1, { tool });
+    }
+    
+    if (cached) {
+      this.incCounter('cache_hits_total', 1, { tool });
+    } else {
+      this.incCounter('cache_misses_total', 1, { tool });
+    }
+  }
+
+  /**
+   * Record findings by severity
+   */
+  recordFindings(
+    tool: string,
+    findings: { severity?: string }[]
+  ): void {
+    const bySeverity: Record<string, number> = {};
+    
+    for (const finding of findings) {
+      const severity = finding.severity || 'INFO';
+      bySeverity[severity] = (bySeverity[severity] || 0) + 1;
+    }
+    
+    for (const [severity, count] of Object.entries(bySeverity)) {
+      this.incCounter('findings_total', count, { tool, severity });
+    }
+    
+    this.setGauge('findings_current', findings.length, { tool });
+  }
+
+  /**
+   * Get cache hit rate
+   */
+  getCacheHitRate(tool?: string): number {
+    const tags = tool ? { tool } : undefined;
+    const hitsKey = this.makeKey('cache_hits_total', tags);
+    const missesKey = this.makeKey('cache_misses_total', tags);
+    
+    const hits = this.counters.get(hitsKey) ?? 0;
+    const misses = this.counters.get(missesKey) ?? 0;
+    const total = hits + misses;
+    
+    return total > 0 ? hits / total : 0;
+  }
+
+  /**
+   * Get histogram statistics
+   */
+  getHistogramStats(name: string, tags?: Record<string, string>): HistogramStats | null {
+    const key = this.makeKey(name, tags);
+    const values = this.histograms.get(key);
+    
+    if (!values || values.length === 0) return null;
+    
+    const sorted = [...values].sort((a, b) => a - b);
+    const count = sorted.length;
+    
+    return {
+      count,
+      min: sorted[0],
+      max: sorted[count - 1],
+      avg: sorted.reduce((a, b) => a + b, 0) / count,
+      p50: sorted[Math.floor(count * 0.5)],
+      p95: sorted[Math.floor(count * 0.95)],
+      p99: sorted[Math.floor(count * 0.99)],
+    };
+  }
+
+  /**
+   * Get all metrics as summary
+   */
+  getSummary(): {
+    counters: Record<string, number>;
+    gauges: Record<string, number>;
+    histograms: Record<string, HistogramStats | null>;
+    cacheHitRate: number;
+  } {
+    const counters: Record<string, number> = {};
+    const gauges: Record<string, number> = {};
+    const histograms: Record<string, HistogramStats | null> = {};
+    
+    for (const [key, value] of this.counters.entries()) {
+      counters[key] = value;
+    }
+    
+    for (const [key, value] of this.gauges.entries()) {
+      gauges[key] = value;
+    }
+    
+    for (const key of this.histograms.keys()) {
+      histograms[key] = this.getHistogramStats(key);
+    }
+    
+    return {
+      counters,
+      gauges,
+      histograms,
+      cacheHitRate: this.getCacheHitRate(),
+    };
+  }
+
+  /**
+   * Get raw entries (for export)
+   */
+  getEntries(): MetricEntry[] {
+    return [...this.entries];
+  }
+
+  /**
+   * Clear all metrics
+   */
+  clear(): void {
+    this.counters.clear();
+    this.gauges.clear();
+    this.histograms.clear();
+    this.entries = [];
+  }
+
+  /**
+   * Stop the collector
+   */
+  stop(): void {
+    if (this.flushInterval) {
+      clearInterval(this.flushInterval);
+      this.flushInterval = undefined;
+    }
+  }
+
+  /**
+   * Internal: record a metric entry
+   */
+  private record(entry: MetricEntry): void {
+    this.entries.push(entry);
+    this.trimEntries();
+  }
+
+  /**
+   * Internal: trim entries if over limit
+   */
+  private trimEntries(): void {
+    if (this.entries.length > this.maxEntries) {
+      this.entries = this.entries.slice(-this.maxEntries);
+    }
+  }
+
+  /**
+   * Internal: make a unique key from name and tags
+   */
+  private makeKey(name: string, tags?: Record<string, string>): string {
+    if (!tags || Object.keys(tags).length === 0) {
+      return name;
+    }
+    
+    const sortedTags = Object.entries(tags)
+      .sort(([a], [b]) => a.localeCompare(b))
+      .map(([k, v]) => `${k}=${v}`)
+      .join(',');
+    
+    return `${name}{${sortedTags}}`;
+  }
+}
+
+// Singleton instance
+let globalCollector: MetricsCollector | null = null;
+
+/**
+ * Get global metrics collector
+ */
+export function getMetricsCollector(): MetricsCollector {
+  if (!globalCollector) {
+    globalCollector = new MetricsCollector({
+      maxEntries: 10000,
+      flushIntervalMs: 60000, // 1 minute
+    });
+  }
+  return globalCollector;
+}
+
+/**
+ * Initialize global metrics collector
+ */
+export function initMetricsCollector(options?: {
+  maxEntries?: number;
+  flushIntervalMs?: number;
+}): void {
+  if (globalCollector) {
+    globalCollector.stop();
+  }
+  globalCollector = new MetricsCollector(options);
+}
+
+/**
+ * Convenience: record tool execution
+ */
+export function recordToolExecution(
+  tool: string,
+  durationMs: number,
+  success: boolean,
+  cached: boolean
+): void {
+  getMetricsCollector().recordToolExecution(tool, durationMs, success, cached);
+}
+
+/**
+ * Convenience: record findings
+ */
+export function recordFindings(
+  tool: string,
+  findings: { severity?: string }[]
+): void {
+  getMetricsCollector().recordFindings(tool, findings);
+}
+
+export default {
+  MetricsCollector,
+  getMetricsCollector,
+  initMetricsCollector,
+  recordToolExecution,
+  recordFindings,
+};

package/mcp-server/lib/sandbox.ts

@@ -0,0 +1,337 @@
+/**
+ * Path Sandboxing & Security
+ * 
+ * Ensures all file operations stay within allowed workspace.
+ * Prevents path traversal and access to sensitive files.
+ */
+
+import { resolve, normalize, relative, isAbsolute } from 'path';
+import { existsSync, statSync } from 'fs';
+import { Errors } from './errors.js';
+
+/**
+ * Sensitive paths that should never be accessed
+ */
+const SENSITIVE_PATTERNS = [
+  /^\/etc\//,
+  /^\/root\//,
+  /^\/home\/[^/]+\/\.ssh\//,
+  /^\/home\/[^/]+\/\.gnupg\//,
+  /^\/home\/[^/]+\/\.aws\//,
+  /^\/home\/[^/]+\/\.config\//,
+  /^C:\\Windows\\/i,
+  /^C:\\Users\\[^\\]+\\\.ssh\\/i,
+  /^C:\\Users\\[^\\]+\\\.aws\\/i,
+  /^C:\\Users\\[^\\]+\\AppData\\/i,
+  /\.env$/,
+  /\.env\.\w+$/,
+  /credentials\.json$/,
+  /secrets\.json$/,
+  /\.pem$/,
+  /\.key$/,
+  /id_rsa/,
+  /id_ed25519/,
+];
+
+/**
+ * Paths that should be excluded from scanning (but not blocked)
+ * 
+ * CRITICAL: Default exclusions enforced at MCP layer even if CLI forgets.
+ * These are the canonical exclusions matching the architecture spec.
+ */
+const EXCLUDE_PATTERNS = [
+  // Package managers
+  /node_modules\//,
+  /node_modules\\/,
+  /\.npm\//,
+  /\.yarn\//,
+  /\.pnpm-store\//,
+  
+  // Python environments
+  /venv\//,
+  /venv\\/,
+  /\.venv\//,
+  /\.venv\\/,
+  /env\//,
+  /\.env\//,
+  /__pycache__\//,
+  /\.pytest_cache\//,
+  /\.mypy_cache\//,
+  
+  // Version control
+  /\.git\//,
+  /\.git\\/,
+  /\.svn\//,
+  /\.hg\//,
+  
+  // Build outputs
+  /dist\//,
+  /dist\\/,
+  /build\//,
+  /build\\/,
+  /out\//,
+  /out\\/,
+  /\.next\//,
+  /\.next\\/,
+  /\.nuxt\//,
+  /\.output\//,
+  
+  // Cache directories
+  /\.cache\//,
+  /\.cache\\/,
+  /\.turbo\//,
+  /\.turbo\\/,
+  /\.parcel-cache\//,
+  /\.webpack\//,
+  
+  // Coverage
+  /coverage\//,
+  /coverage\\/,
+  /\.nyc_output\//,
+  
+  // Vendor directories
+  /vendor\//,
+  /\.bundle\//,
+  /bower_components\//,
+  
+  // IDE/Editor
+  /\.idea\//,
+  /\.vscode\//,
+  /\.vs\//,
+  
+  // Temp files
+  /\.tmp\//,
+  /\.temp\//,
+  /tmp\//,
+];
+
+/**
+ * Sandbox configuration
+ */
+export interface SandboxConfig {
+  workspace: string;
+  allowSymlinks?: boolean;
+  maxDepth?: number;
+  excludePatterns?: RegExp[];
+}
+
+/**
+ * Sandbox result
+ */
+export interface SandboxResult {
+  allowed: boolean;
+  path: string;
+  relativePath: string;
+  reason?: string;
+}
+
+/**
+ * Create a sandbox validator for a workspace
+ */
+export function createSandbox(config: SandboxConfig) {
+  const workspace = resolve(normalize(config.workspace));
+  const maxDepth = config.maxDepth ?? 20;
+  const excludePatterns = [...EXCLUDE_PATTERNS, ...(config.excludePatterns ?? [])];
+
+  return {
+    /**
+     * Validate a path is within the sandbox
+     */
+    validate(inputPath: string): SandboxResult {
+      // Normalize the input path
+      const normalizedInput = normalize(inputPath);
+      
+      // Resolve to absolute
+      const absolutePath = isAbsolute(normalizedInput) 
+        ? normalizedInput 
+        : resolve(workspace, normalizedInput);
+
+      // Re-normalize after resolution
+      const normalized = normalize(absolutePath);
+
+      // Get relative path
+      const relativePath = relative(workspace, normalized);
+
+      // Check for path traversal (relative path should not start with ..)
+      if (relativePath.startsWith('..') || relativePath.startsWith('/..')) {
+        return {
+          allowed: false,
+          path: normalized,
+          relativePath,
+          reason: 'Path traversal detected',
+        };
+      }
+
+      // Check depth
+      const depth = relativePath.split(/[/\\]/).filter(Boolean).length;
+      if (depth > maxDepth) {
+        return {
+          allowed: false,
+          path: normalized,
+          relativePath,
+          reason: `Path depth exceeds maximum (${maxDepth})`,
+        };
+      }
+
+      // Check sensitive patterns
+      for (const pattern of SENSITIVE_PATTERNS) {
+        if (pattern.test(normalized) || pattern.test(relativePath)) {
+          return {
+            allowed: false,
+            path: normalized,
+            relativePath,
+            reason: 'Sensitive file access not allowed',
+          };
+        }
+      }
+
+      // Check if path is within workspace
+      if (!normalized.startsWith(workspace)) {
+        return {
+          allowed: false,
+          path: normalized,
+          relativePath,
+          reason: 'Path outside workspace',
+        };
+      }
+
+      return {
+        allowed: true,
+        path: normalized,
+        relativePath,
+      };
+    },
+
+    /**
+     * Check if path should be excluded from scanning
+     */
+    shouldExclude(inputPath: string): boolean {
+      const normalized = normalize(inputPath);
+      const relativePath = relative(workspace, normalized);
+
+      for (const pattern of excludePatterns) {
+        if (pattern.test(relativePath) || pattern.test(normalized)) {
+          return true;
+        }
+      }
+
+      return false;
+    },
+
+    /**
+     * Validate and return path or throw
+     */
+    requireValid(inputPath: string): string {
+      const result = this.validate(inputPath);
+      
+      if (!result.allowed) {
+        throw Errors.pathOutsideSandbox(inputPath, workspace);
+      }
+
+      return result.path;
+    },
+
+    /**
+     * Check if path exists within sandbox
+     */
+    exists(inputPath: string): boolean {
+      const result = this.validate(inputPath);
+      if (!result.allowed) return false;
+      return existsSync(result.path);
+    },
+
+    /**
+     * Get workspace root
+     */
+    getWorkspace(): string {
+      return workspace;
+    },
+
+    /**
+     * Convert absolute path to relative
+     */
+    toRelative(absolutePath: string): string {
+      return relative(workspace, absolutePath);
+    },
+
+    /**
+     * Convert relative path to absolute
+     */
+    toAbsolute(relativePath: string): string {
+      return resolve(workspace, relativePath);
+    },
+  };
+}
+
+/**
+ * Default sandbox for current working directory
+ */
+let defaultSandbox: ReturnType<typeof createSandbox> | null = null;
+
+export function getDefaultSandbox(): ReturnType<typeof createSandbox> {
+  if (!defaultSandbox) {
+    defaultSandbox = createSandbox({ workspace: process.cwd() });
+  }
+  return defaultSandbox;
+}
+
+export function setDefaultSandbox(workspace: string): void {
+  defaultSandbox = createSandbox({ workspace });
+}
+
+/**
+ * Redact sensitive information from paths in output
+ */
+export function redactPath(path: string, workspace: string): string {
+  // Convert to relative path
+  const relativePath = relative(workspace, path);
+  
+  // If it's outside workspace, redact completely
+  if (relativePath.startsWith('..')) {
+    return '[REDACTED]';
+  }
+
+  return relativePath;
+}
+
+/**
+ * Redact sensitive values from objects
+ */
+export function redactSensitive(obj: Record<string, unknown>): Record<string, unknown> {
+  const sensitiveKeys = [
+    'password', 'secret', 'token', 'apiKey', 'api_key', 'auth',
+    'credential', 'private', 'key', 'cert', 'cookie', 'session',
+  ];
+
+  const result: Record<string, unknown> = {};
+
+  for (const [key, value] of Object.entries(obj)) {
+    const lowerKey = key.toLowerCase();
+    
+    if (sensitiveKeys.some(s => lowerKey.includes(s))) {
+      result[key] = '[REDACTED]';
+    } else if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+      result[key] = redactSensitive(value as Record<string, unknown>);
+    } else if (Array.isArray(value)) {
+      result[key] = value.map(item => 
+        typeof item === 'object' && item !== null 
+          ? redactSensitive(item as Record<string, unknown>)
+          : item
+      );
+    } else {
+      result[key] = value;
+    }
+  }
+
+  return result;
+}
+
+export default {
+  createSandbox,
+  getDefaultSandbox,
+  setDefaultSandbox,
+  redactPath,
+  redactSensitive,
+  SENSITIVE_PATTERNS,
+  EXCLUDE_PATTERNS,
+};