@vibecheckai/cli 3.4.0 → 3.5.1

package/bin/runners/lib/engines/type-aware-engine.js

@@ -1,152 +0,0 @@
-/**
- * Type-Aware Analysis Engine
- * Uses TypeScript type information for more accurate detection
- */
-
-const { getAST } = require("./ast-cache");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-
-/**
- * Analyze type-related issues
- */
-function analyzeTypeAware(code, filePath) {
-  const findings = [];
-  const ast = getAST(code, filePath);
-  if (!ast) return findings;
-
-  const lines = code.split("\n");
-  const isTypeScript = filePath.endsWith(".ts") || filePath.endsWith(".tsx");
-
-  // Type safety issues
-  traverse(ast, {
-    // Any types in TypeScript
-    TSAnyKeyword(path) {
-      if (isTypeScript) {
-        const line = path.node.loc.start.line;
-        findings.push({
-          type: "any_type",
-          severity: "WARN",
-          category: "TypeSafety",
-          file: filePath,
-          line,
-          column: path.node.loc.start.column,
-          title: "Use of 'any' type",
-          message: "Using 'any' type defeats TypeScript's type safety",
-          codeSnippet: lines[line - 1]?.trim(),
-          confidence: "high",
-        });
-      }
-    },
-    
-    // @ts-ignore comments
-    Comment(path) {
-      const comment = path.node;
-      if (comment.type === "CommentLine" || comment.type === "CommentBlock") {
-        const text = comment.value || "";
-        if (/@ts-ignore|@ts-expect-error|@ts-nocheck/.test(text)) {
-          const line = comment.loc.start.line;
-          findings.push({
-            type: "ts_ignore",
-            severity: "WARN",
-            category: "TypeSafety",
-            file: filePath,
-            line,
-            column: comment.loc.start.column,
-            title: "TypeScript error suppression",
-            message: `Using ${text.match(/@ts-\w+/)?.[0]} suppresses type checking - fix the underlying issue`,
-            codeSnippet: lines[line - 1]?.trim(),
-            confidence: "high",
-          });
-        }
-      }
-    },
-    
-    // Unsafe type assertions (as any)
-    TSAsExpression(path) {
-      if (t.isTSAnyKeyword(path.node.typeAnnotation)) {
-        const line = path.node.loc.start.line;
-        findings.push({
-          type: "unsafe_type_assertion",
-          severity: "WARN",
-          category: "TypeSafety",
-          file: filePath,
-          line,
-          column: path.node.loc.start.column,
-          title: "Unsafe type assertion (as any)",
-          message: "Type assertion to 'any' bypasses type checking",
-          codeSnippet: lines[line - 1]?.trim(),
-          confidence: "high",
-        });
-      }
-    },
-    
-    // Non-null assertions (!)
-    TSNonNullExpression(path) {
-      const line = path.node.loc.start.line;
-      findings.push({
-        type: "non_null_assertion",
-        severity: "WARN",
-        category: "TypeSafety",
-        file: filePath,
-        line,
-        column: path.node.loc.start.column,
-        title: "Non-null assertion operator (!)",
-        message: "Non-null assertion can cause runtime errors if value is null/undefined",
-        codeSnippet: lines[line - 1]?.trim(),
-        confidence: "med",
-      });
-    },
-    
-    // Optional chaining without null check
-    OptionalMemberExpression(path) {
-      // Check if result is used without null check
-      const parent = path.parent;
-      if (!t.isIfStatement(parent) && !t.isConditionalExpression(parent)) {
-        const line = path.node.loc.start.line;
-        findings.push({
-          type: "unsafe_optional_chaining",
-          severity: "WARN",
-          category: "TypeSafety",
-          file: filePath,
-          line,
-          column: path.node.loc.start.column,
-          title: "Optional chaining without null check",
-          message: "Optional chaining result should be checked for null/undefined",
-          codeSnippet: lines[line - 1]?.trim(),
-          confidence: "low",
-        });
-      }
-    },
-  });
-
-  // Missing return type annotations
-  if (isTypeScript) {
-    traverse(ast, {
-      FunctionDeclaration(path) {
-        const node = path.node;
-        if (!node.returnType && node.id) {
-          const line = node.loc.start.line;
-          findings.push({
-            type: "missing_return_type",
-            severity: "WARN",
-            category: "TypeSafety",
-            file: filePath,
-            line,
-            column: node.loc.start.column,
-            title: `Missing return type annotation: ${node.id.name}`,
-            message: "Function should have explicit return type annotation",
-            codeSnippet: lines[line - 1]?.trim(),
-            confidence: "med",
-          });
-        }
-      },
-    });
-  }
-
-  return findings;
-}
-
-module.exports = {
-  analyzeTypeAware,
-};

package/bin/runners/lib/engines/unsafe-regex-engine.js

@@ -1,225 +0,0 @@
-/**
- * Unsafe Regex Detection Engine
- * Uses AST analysis to detect ReDoS (Regular Expression Denial of Service) patterns
- */
-
-const { getAST, parseCode } = require("./ast-cache");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-const { shouldExcludeFile } = require("./file-filter");
-
-/**
- * Extract regex pattern from node
- */
-function extractRegexPattern(node) {
-  if (t.isRegExpLiteral(node)) {
-    return node.pattern;
-  }
-  
-  if (t.isNewExpression(node) && t.isIdentifier(node.callee) && node.callee.name === "RegExp") {
-    const args = node.arguments;
-    if (args.length > 0 && t.isStringLiteral(args[0])) {
-      return args[0].value;
-    }
-  }
-  
-  if (t.isCallExpression(node) && t.isIdentifier(node.callee) && node.callee.name === "RegExp") {
-    const args = node.arguments;
-    if (args.length > 0 && t.isStringLiteral(args[0])) {
-      return args[0].value;
-    }
-  }
-  
-  return null;
-}
-
-/**
- * Check if regex pattern is unsafe (ReDoS risk)
- */
-function isUnsafeRegex(pattern) {
-  if (!pattern || typeof pattern !== "string") return null;
-  
-  const issues = [];
-  
-  // Nested quantifiers: (.*)+, (.+)+, (.*)*, (.+)*
-  if (/\(\.\*\)\+|\(\.\+\)\+|\(\.\*\)\*|\(\.\+\)\*/.test(pattern)) {
-    issues.push({
-      type: "nested_quantifiers",
-      severity: "WARN",
-      message: "Nested quantifiers can cause catastrophic backtracking",
-    });
-  }
-  
-  // Alternation with quantifier: (a|b)+
-  if (/\([^)]+\|[^)]+\)\+/.test(pattern)) {
-    issues.push({
-      type: "alternation_quantifier",
-      severity: "WARN",
-      message: "Alternation with quantifier can cause ReDoS",
-    });
-  }
-  
-  // Repetition of repetition: a+a+, a*a*
-  if (/(\w|\+|\*)\1\+|(\w|\+|\*)\2\*/.test(pattern)) {
-    issues.push({
-      type: "repetition_repetition",
-      severity: "WARN",
-      message: "Repeated repetition can cause exponential backtracking",
-    });
-  }
-  
-  // Complex nested groups with quantifiers
-  if (/\([^)]*\([^)]*\)[^)]*\)[\+\*]/.test(pattern)) {
-    issues.push({
-      type: "nested_groups_quantifier",
-      severity: "WARN",
-      message: "Nested groups with quantifiers can be unsafe",
-    });
-  }
-  
-  return issues.length > 0 ? issues : null;
-}
-
-/**
- * Check if regex is constructed dynamically (concatenation)
- */
-function isDynamicRegex(node, code) {
-  // Check for new RegExp(... + ...)
-  if (t.isNewExpression(node) && t.isIdentifier(node.callee) && node.callee.name === "RegExp") {
-    const args = node.arguments;
-    if (args.length > 0) {
-      // Check if argument contains binary expression (concatenation)
-      if (t.isBinaryExpression(args[0]) && args[0].operator === "+") {
-        return true;
-      }
-      
-      // Check source code for concatenation
-      const source = code.substring(args[0].start || 0, args[0].end || 0);
-      if (source.includes("+")) {
-        return true;
-      }
-    }
-  }
-  
-  return false;
-}
-
-/**
- * Analyze a file for unsafe regex patterns
- */
-function analyzeUnsafeRegex(code, filePath) {
-  const findings = [];
-  
-  // Skip excluded files
-  if (shouldExcludeFile(filePath)) return findings;
-  
-  const ast = getAST(code, filePath);
-  if (!ast) return findings;
-
-  const lines = code.split("\n");
-
-  traverse(ast, {
-    // Check RegExp literals: /pattern/flags
-    RegExpLiteral(path) {
-      const pattern = path.node.pattern;
-      const issues = isUnsafeRegex(pattern);
-      
-      if (issues) {
-        for (const issue of issues) {
-          const line = path.node.loc.start.line;
-          findings.push({
-            type: issue.type,
-            severity: issue.severity,
-            category: "UnsafeRegex",
-            file: filePath,
-            line,
-            column: path.node.loc.start.column,
-            title: issue.message,
-            message: `Unsafe regex pattern detected: ${pattern.substring(0, 50)}`,
-            codeSnippet: lines[line - 1]?.trim(),
-            confidence: "med",
-          });
-        }
-      }
-    },
-
-    // Check RegExp constructor: new RegExp(...)
-    NewExpression(path) {
-      if (t.isIdentifier(path.node.callee) && path.node.callee.name === "RegExp") {
-        // Check for dynamic construction
-        if (isDynamicRegex(path.node, code)) {
-          const line = path.node.loc.start.line;
-          findings.push({
-            type: "dynamic_regex",
-            severity: "WARN",
-            category: "UnsafeRegex",
-            file: filePath,
-            line,
-            column: path.node.loc.start.column,
-            title: "Dynamic regex with concatenation",
-            message: "Regex constructed dynamically with string concatenation - validate input length",
-            codeSnippet: lines[line - 1]?.trim(),
-            confidence: "med",
-          });
-        }
-        
-        // Check pattern if it's a string literal
-        const pattern = extractRegexPattern(path.node);
-        if (pattern) {
-          const issues = isUnsafeRegex(pattern);
-          if (issues) {
-            for (const issue of issues) {
-              const line = path.node.loc.start.line;
-              findings.push({
-                type: issue.type,
-                severity: issue.severity,
-                category: "UnsafeRegex",
-                file: filePath,
-                line,
-                column: path.node.loc.start.column,
-                title: issue.message,
-                message: `Unsafe regex pattern detected: ${pattern.substring(0, 50)}`,
-                codeSnippet: lines[line - 1]?.trim(),
-                confidence: "med",
-              });
-            }
-          }
-        }
-      }
-    },
-
-    // Check RegExp() calls
-    CallExpression(path) {
-      if (t.isIdentifier(path.node.callee) && path.node.callee.name === "RegExp") {
-        const pattern = extractRegexPattern(path.node);
-        if (pattern) {
-          const issues = isUnsafeRegex(pattern);
-          if (issues) {
-            for (const issue of issues) {
-              const line = path.node.loc.start.line;
-              findings.push({
-                type: issue.type,
-                severity: issue.severity,
-                category: "UnsafeRegex",
-                file: filePath,
-                line,
-                column: path.node.loc.start.column,
-                title: issue.message,
-                message: `Unsafe regex pattern detected: ${pattern.substring(0, 50)}`,
-                codeSnippet: lines[line - 1]?.trim(),
-                confidence: "med",
-              });
-            }
-          }
-        }
-      }
-    },
-  });
-
-  return findings;
-}
-
-module.exports = {
-  analyzeUnsafeRegex,
-  parseCode,
-};

package/bin/runners/lib/engines/vibecheck-engines/README.md

@@ -1,53 +0,0 @@
-# Vibecheck Analysis Engines (Drop-in)
-
-This zip contains upgraded, conservative analysis engines designed to reduce false positives and avoid wasting cycles on generated/minified/test code.
-
-## What's inside
-- `lib/file-filter.js` — central file exclusion + test-context detection + ignore directives
-- `lib/ast-cache.js` — bounded AST cache with minified/giant-file guards
-- `lib/parallel-processor.js` — safe bounded concurrency runner with timeouts + progress hooks
-- Engines:
-  - `dead-code-engine.js`
-  - `empty-catch-engine.js`
-  - `code-quality-engine.js`
-  - `console-logs-engine.js`
-  - `deprecated-api-engine.js`
-  - `hardcoded-secrets-engine.js`
-  - `mock-data-engine.js`
-  - `performance-issues-engine.js`
-  - `type-aware-engine.js`
-  - `unsafe-regex-engine.js`
-
-## Ignore directives
-Add near the top of a file to suppress a specific engine:
-
-```js
-// vibecheck-ignore(code-quality)
-// vibecheck-ignore(dead-code)
-// vibecheck-ignore(console-logs)
-```
-
-Or suppress any engine in that file:
-
-```js
-// vibecheck-ignore
-```
-
-## Usage (example)
-
-```js
-const engines = require('./vibecheck-engines');
-
-const code = fs.readFileSync(file, 'utf8');
-
-const findings = [
-  ...engines.analyzeDeadCode(code, file),
-  ...engines.analyzeEmptyCatch(code, file),
-  ...engines.analyzeCodeQuality(code, file),
-  ...engines.analyzeConsoleLogs(code, file),
-];
-```
-
-## Notes
-- These engines intentionally skip tests/fixtures and generated/bundled outputs to keep signal high.
-- `hardcoded-secrets` is conservative, but the "Generic API Key" rule is intentionally low-confidence.

package/bin/runners/lib/engines/vibecheck-engines/index.js

@@ -1,15 +0,0 @@
-module.exports = {
-  ...require('./lib/ast-cache'),
-  fileFilter: require('./lib/file-filter'),
-  parallelProcessor: require('./lib/parallel-processor'),
-  analyzeDeadCode: require('./lib/dead-code-engine').analyzeDeadCode,
-  analyzeEmptyCatch: require('./lib/empty-catch-engine').analyzeEmptyCatch,
-  analyzeCodeQuality: require('./lib/code-quality-engine').analyzeCodeQuality,
-  analyzeConsoleLogs: require('./lib/console-logs-engine').analyzeConsoleLogs,
-  analyzeDeprecatedApi: require('./lib/deprecated-api-engine').analyzeDeprecatedApi,
-  analyzeHardcodedSecrets: require('./lib/hardcoded-secrets-engine').analyzeHardcodedSecrets,
-  analyzeMockData: require('./lib/mock-data-engine').analyzeMockData,
-  analyzePerformanceIssues: require('./lib/performance-issues-engine').analyzePerformanceIssues,
-  analyzeTypeAware: require('./lib/type-aware-engine').analyzeTypeAware,
-  analyzeUnsafeRegex: require('./lib/unsafe-regex-engine').analyzeUnsafeRegex,
-};

package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js

@@ -1,164 +0,0 @@
-/**
- * AST Cache
- * Shared AST parsing cache for analysis engines.
- *
- * Goals:
- * - Parse each source file once (per content hash)
- * - Avoid re-parsing unchanged files across multiple engines
- * - Keep cache bounded (entries + total bytes) to prevent memory blowups
- * - Refuse to parse obviously minified/giant files (should be excluded anyway)
- */
-
-const crypto = require("crypto");
-const parser = require("@babel/parser");
-
-// Map preserves insertion order. We'll use it as a simple LRU:
-// on get -> delete+set to move entry to end
-const _AST_CACHE = new Map(); // key -> { ast, hash, bytes, lines, ts }
-let _TOTAL_BYTES = 0;
-
-const LIMITS = {
-  maxEntries: 6000,
-  maxTotalBytes: 200 * 1024 * 1024, // 200MB across cached source sizes
-  maxFileBytes: 1_200_000, // 1.2MB per file (bigger files likely generated)
-  maxLines: 25_000,
-};
-
-function sha1(text) {
-  return crypto.createHash("sha1").update(text).digest("hex");
-}
-
-function countNewlines(text) {
-  let n = 1;
-  for (let i = 0; i < text.length; i++) if (text.charCodeAt(i) === 10) n++;
-  return n;
-}
-
-/**
- * Heuristic: identify minified/bundled files (super long lines, few newlines).
- */
-function isProbablyMinified(code) {
-  if (!code || typeof code !== "string") return false;
-  const bytes = Buffer.byteLength(code, "utf8");
-  if (bytes < 40_000) return false; // small files aren't our concern
-
-  const lines = countNewlines(code);
-  const avgLine = bytes / Math.max(1, lines);
-  if (avgLine > 600) return true;
-
-  // Count semicolons as a crude "density" marker
-  const sample = code.slice(0, Math.min(80_000, code.length));
-  const semi = (sample.match(/;/g) || []).length;
-  const braces = (sample.match(/[{}]/g) || []).length;
-  const density = (semi + braces) / Math.max(1, sample.length);
-
-  return density > 0.035 && lines < 80;
-}
-
-/**
- * Parse code into a Babel AST.
- * Returns null if code is too big/minified or parsing fails.
- */
-function parseCode(code, filePath = "<unknown>") {
-  if (!code || typeof code !== "string") return null;
-
-  const bytes = Buffer.byteLength(code, "utf8");
-  if (bytes > LIMITS.maxFileBytes) return null;
-
-  const lines = countNewlines(code);
-  if (lines > LIMITS.maxLines) return null;
-
-  if (isProbablyMinified(code)) return null;
-
-  try {
-    // include TypeScript + JSX support; \"unambiguous\" handles CJS/ESM
-    return parser.parse(code, {
-      sourceType: "unambiguous",
-      plugins: [
-        "typescript",
-        "jsx",
-        "decorators-legacy",
-        "classProperties",
-        "classPrivateProperties",
-        "classPrivateMethods",
-        "dynamicImport",
-        "optionalChaining",
-        "nullishCoalescingOperator",
-        "objectRestSpread",
-        "topLevelAwait",
-      ],
-      errorRecovery: true,
-      ranges: false,
-      tokens: false,
-      attachComment: true,
-    });
-  } catch {
-    return null;
-  }
-}
-
-function _evictIfNeeded() {
-  while (_AST_CACHE.size > LIMITS.maxEntries || _TOTAL_BYTES > LIMITS.maxTotalBytes) {
-    const firstKey = _AST_CACHE.keys().next().value;
-    if (!firstKey) break;
-    const entry = _AST_CACHE.get(firstKey);
-    _AST_CACHE.delete(firstKey);
-    _TOTAL_BYTES -= entry?.bytes || 0;
-  }
-}
-
-function getAST(code, filePath = "<unknown>") {
-  // Caller should already filter, but keep extra guards here.
-  const bytes = Buffer.byteLength(code || "", "utf8");
-  if (!code || bytes > LIMITS.maxFileBytes) return null;
-  if (isProbablyMinified(code)) return null;
-
-  const key = String(filePath || "<unknown>");
-  const hash = sha1(code);
-
-  const existing = _AST_CACHE.get(key);
-  if (existing && existing.hash === hash && existing.ast) {
-    // LRU touch
-    _AST_CACHE.delete(key);
-    _AST_CACHE.set(key, existing);
-    return existing.ast;
-  }
-
-  const ast = parseCode(code, key);
-  if (!ast) return null;
-
-  const entry = {
-    ast,
-    hash,
-    bytes,
-    lines: countNewlines(code),
-    ts: Date.now(),
-  };
-
-  if (existing) _TOTAL_BYTES -= existing.bytes || 0;
-  _AST_CACHE.set(key, entry);
-  _TOTAL_BYTES += bytes;
-
-  _evictIfNeeded();
-  return ast;
-}
-
-function clearASTCache() {
-  _AST_CACHE.clear();
-  _TOTAL_BYTES = 0;
-}
-
-function getASTCacheStats() {
-  return {
-    entries: _AST_CACHE.size,
-    totalBytes: _TOTAL_BYTES,
-    limits: { ...LIMITS },
-  };
-}
-
-module.exports = {
-  getAST,
-  parseCode,
-  clearASTCache,
-  getASTCacheStats,
-};