@vibecheckai/cli 3.5.0 → 3.5.1

package/mcp-server/tier-auth.js

@@ -1,286 +1,474 @@
 /**
- * MCP Server Tier Authentication
+ * MCP Server Tier Authentication & Authorization
  * 
- * Simple 2-tier model:
- * - FREE ($0): Inspect & Observe
- * - PRO ($69/mo): Fix, Prove & Enforce
+ * Provides tier checking for MCP tools.
+ * Uses @vibecheck/core tier-config.json as source of truth.
  * 
- * PRO includes:
- * - Authority System (verdicts, approvals)
- * - Agent Conductor (multi-agent coordination)
- * - Agent Firewall (enforce mode)
+ * SECURITY: Tier is ALWAYS fetched from /v1/me endpoint.
+ * NEVER parse tier from API key prefix - that's a bypass vulnerability.
  */
 
 import fs from "fs/promises";
 import path from "path";
 import os from "os";
+import { fileURLToPath } from "url";
 
 // ============================================================================
-// TIERS
+// TIER DEFINITIONS - IMPORTED FROM @vibecheck/core (SINGLE SOURCE OF TRUTH)
 // ============================================================================
-export const TIERS = {
-  free: { name: 'FREE', price: 0 },
-  pro: { name: 'PRO', price: 69 },
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+// Load canonical tier config
+let CANONICAL_TIER_CONFIG;
+try {
+  // Try to load from monorepo relative path
+  const configPath = path.resolve(__dirname, "../packages/core/src/tier-config.json");
+  const configData = await fs.readFile(configPath, "utf-8");
+  CANONICAL_TIER_CONFIG = JSON.parse(configData);
+} catch {
+  // Fallback: minimal inline config (should not happen in production)
+  console.warn("[vibecheck-mcp] Could not load canonical tier config, using minimal fallback");
+  CANONICAL_TIER_CONFIG = {
+    TIER_CONFIG: {
+      free: { id: "free", name: "Free", price: 0 },
+      starter: { id: "starter", name: "Starter", price: 29 },
+      pro: { id: "pro", name: "Pro", price: 99 },
+      compliance: { id: "compliance", name: "Compliance", price: 199 },
+      enterprise: { id: "enterprise", name: "Enterprise", price: 499 },
+      unlimited: { id: "unlimited", name: "Unlimited", price: 0 },
+    },
+    TIER_ORDER: ["free", "starter", "pro", "compliance", "enterprise", "unlimited"],
+  };
+}
+
+const TIER_ORDER = CANONICAL_TIER_CONFIG.TIER_ORDER || ['free', 'starter', 'pro', 'compliance', 'enterprise', 'unlimited'];
+
+// MCP-specific rate limits per tier
+const MCP_RATE_LIMITS = {
+  free: 10,
+  starter: 60,
+  pro: -1,
+  compliance: -1,
+  enterprise: -1,
+  unlimited: -1,
 };
 
+// Build TIERS object from canonical config
+export const TIERS = {};
+TIER_ORDER.forEach((tierId, index) => {
+  const config = CANONICAL_TIER_CONFIG.TIER_CONFIG[tierId];
+  TIERS[tierId] = {
+    name: config?.name?.toUpperCase() || tierId.toUpperCase(),
+    price: config?.price || 0,
+    order: index,
+    mcpRateLimit: MCP_RATE_LIMITS[tierId] ?? -1,
+  };
+});
+
 // ============================================================================
-// MCP TOOLS - 15 Core + PRO Features
+// FEATURE -> TIER MAPPING (defines minimum tier for each feature)
+// Must match CLI entitlements and @vibecheck/core
 // ============================================================================
 
-/**
- * FREE TOOLS (7) - Inspect & Observe
- */
-export const FREE_TOOLS = [
-  // Core FREE tools
-  'vibecheck.scan',
-  'vibecheck.ctx',
-  'vibecheck.verify',
-  'vibecheck.report',
-  'vibecheck.status',
-  'vibecheck.doctor',
-  'vibecheck.firewall',           // Observe mode only
-  // Authority (read-only)
-  'authority.list',
-  'authority.classify',
-  // Conductor (status only)
-  'vibecheck_conductor_status',
-];
-
-/**
- * PRO TOOLS (8 Core + Authority + Conductor + Firewall) - Fix, Prove & Enforce
- */
-export const PRO_TOOLS = [
-  // Core PRO tools
-  'vibecheck.ship',
-  'vibecheck.fix',
-  'vibecheck.prove',
-  'vibecheck.gate',
-  'vibecheck.badge',
-  'vibecheck.reality',
-  'vibecheck.ai_test',
-  'vibecheck.share',
+const FEATURE_TIER_MAP = {
+  // FREE features
+  'scan': 'free',
+  'ship': 'free',
+  'ship.static': 'free',
+  'init': 'free',
+  'init.local': 'free',
+  'doctor': 'free',
+  'status': 'free',
+  'ctx': 'free',
+  'guard': 'free',
+  'context': 'free',
+  'fix': 'free',
+  'fix.plan_only': 'free',
+  'reality': 'free',
+  'reality.preview': 'free',
+  'report': 'free',
+  'report.html_md': 'free',
+  'mcp.help_only': 'free',
   
-  // Authority System (full)
-  'authority.approve',
-  'authority.enforce',
+  // STARTER features
+  'init.connect': 'starter',
+  'scan.autofix': 'starter',
+  'gate': 'starter',
+  'pr': 'starter',
+  'badge': 'starter',
+  'ship.full': 'starter',
+  'reality.basic': 'starter',
+  'report.sarif_csv': 'starter',
+  'mcp': 'starter',
+  'mcp.read_only': 'starter',
   
-  // Agent Conductor (full multi-agent coordination)
-  'vibecheck_conductor_register',
-  'vibecheck_conductor_acquire_lock',
-  'vibecheck_conductor_release_lock',
-  'vibecheck_conductor_propose',
-  'vibecheck_conductor_terminate',
+  // PRO features
+  'prove': 'pro',
+  'fix.apply_patches': 'pro',
+  'fix.loop': 'pro',
+  'reality.full': 'pro',
+  'reality.advanced_auth_boundary': 'pro',
+  'replay': 'pro',
+  'share': 'pro',
+  'ai-test': 'pro',
+  'permissions': 'pro',
+  'graph': 'pro',
+  'mcp.full': 'pro',
+  'checkpoint.hallucination': 'pro',
   
-  // Agent Firewall (enforce mode)
-  'vibecheck_agent_firewall_intercept',
-  'vibecheck.firewall.enforce',
-];
-
-export const ALL_TOOLS = [...FREE_TOOLS, ...PRO_TOOLS];
+  // COMPLIANCE features
+  'report.compliance_packs': 'compliance',
+  'scan:compliance': 'compliance',
+};
 
 // ============================================================================
-// TIER CACHE
+// CACHE
 // ============================================================================
-const tierCache = new Map();
-const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
 
-function hashKey(apiKey) {
-  const crypto = require('crypto');
-  return crypto.createHash('sha256').update(apiKey).digest('hex').slice(0, 16);
+let cachedMeResponse = null;
+let cacheExpiry = 0;
+const CACHE_TTL = 300000; // 5 minutes
+
+function getCached() {
+  if (cachedMeResponse && Date.now() < cacheExpiry) {
+    return cachedMeResponse;
+  }
+  cachedMeResponse = null;
+  return null;
+}
+
+function setCache(data) {
+  cachedMeResponse = data;
+  cacheExpiry = Date.now() + CACHE_TTL;
+}
+
+export function clearTierCache() {
+  cachedMeResponse = null;
+  cacheExpiry = 0;
 }
 
 // ============================================================================
-// TIER VALIDATION
+// CONFIG LOADING
 // ============================================================================
 
-export async function getTierFromApiKey(apiKey) {
-  if (!apiKey || typeof apiKey !== 'string' || apiKey.length < 10) {
+async function loadUserConfig() {
+  try {
+    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
+    const configData = await fs.readFile(configPath, 'utf-8');
+    return JSON.parse(configData);
+  } catch {
     return null;
   }
-  
-  const keyHash = hashKey(apiKey);
-  const now = Date.now();
-  
-  // Check cache
-  const cached = tierCache.get(keyHash);
-  if (cached && cached.expiresAt > now) {
-    return cached.tier;
+}
+
+function getApiUrl() {
+  return process.env.VIBECHECK_API_URL || 'https://api.vibecheckai.dev';
+}
+
+// ============================================================================
+// FETCH TIER FROM /v1/me (SERVER-AUTHORITATIVE)
+// ============================================================================
+
+/**
+ * Fetch tier from /v1/me endpoint
+ * 
+ * SECURITY: This is the ONLY way to determine tier.
+ * Never parse tier from API key prefix.
+ */
+async function fetchTierFromServer(apiKey) {
+  // Check cache first
+  const cached = getCached();
+  if (cached) {
+    return cached;
   }
+
+  if (!apiKey) {
+    return { tier: 'free', features: [], authenticated: false };
+  }
+
+  const apiUrl = getApiUrl();
   
-  // Validate with API
   try {
-    const response = await fetch('https://api.vibecheckai.dev/whoami', {
-      headers: { 'Authorization': `Bearer ${apiKey}` },
-      signal: AbortSignal.timeout(10000),
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 5000);
+
+    const response = await fetch(`${apiUrl}/api/v1/me`, {
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-API-Key': apiKey,
+      },
+      signal: controller.signal,
     });
-    
-    if (!response.ok) {
-      return null;
+
+    clearTimeout(timeoutId);
+
+    if (response.ok) {
+      const data = await response.json();
+      if (data.tier && TIER_ORDER.includes(data.tier)) {
+        setCache(data);
+        return data;
+      }
     }
-    
-    const data = await response.json();
-    const plan = data.plan?.toLowerCase() || 'free';
-    
-    // Any paid plan = pro
-    const tier = (plan === 'free') ? 'free' : 'pro';
-    
-    tierCache.set(keyHash, { tier, expiresAt: now + CACHE_TTL });
-    return tier;
-    
-  } catch {
-    // Network error - check stale cache
-    if (cached) return cached.tier;
-    return null;
+  } catch (error) {
+    // Network error - SECURITY: default to free tier
+    console.warn('[vibecheck-mcp] API unavailable, using free tier');
   }
+
+  // Default to free tier on any error
+  return { tier: 'free', features: [], authenticated: false };
 }
 
 // ============================================================================
-// ACCESS CONTROL
+// TIER COMPARISON
 // ============================================================================
 
-export function isPro(tier) {
-  return tier === 'pro';
+function tierMeetsMinimum(current, required) {
+  const currentIndex = TIER_ORDER.indexOf(current);
+  const requiredIndex = TIER_ORDER.indexOf(required);
+  return currentIndex >= requiredIndex;
 }
 
-export function canAccessTool(tier, toolName) {
-  // PRO gets everything
-  if (tier === 'pro') return true;
-  
-  // FREE can access FREE tools
-  return FREE_TOOLS.includes(toolName);
-}
+// ============================================================================
+// PUBLIC API
+// ============================================================================
 
 /**
- * Get firewall mode based on tier
- * - FREE: observe (log only)
- * - PRO: enforce (block violations)
+ * Check if user has access to a specific feature
  */
-export function getFirewallMode(tier) {
-  return tier === 'pro' ? 'enforce' : 'observe';
+export async function checkFeatureAccess(featureName, providedApiKey = null) {
+  const userConfig = await loadUserConfig();
+  const apiKey = providedApiKey || userConfig?.apiKey;
+  
+  // Fetch tier from server
+  const meData = await fetchTierFromServer(apiKey);
+  const currentTier = meData.tier || 'free';
+  const currentTierConfig = TIERS[currentTier] || TIERS.free;
+  
+  // Get required tier for this feature
+  const requiredTier = FEATURE_TIER_MAP[featureName] || 'pro'; // Default to pro for unknown features
+  const requiredTierConfig = TIERS[requiredTier] || TIERS.pro;
+  
+  // Check if current tier meets requirement
+  const hasAccess = tierMeetsMinimum(currentTier, requiredTier);
+  
+  if (!hasAccess) {
+    return {
+      hasAccess: false,
+      tier: currentTier,
+      requiredTier,
+      reason: `${featureName} requires ${requiredTierConfig.name} tier ($${requiredTierConfig.price}/mo) or higher. Current tier: ${currentTierConfig.name}`,
+      upgradeUrl: 'https://vibecheckai.dev/pricing'
+    };
+  }
+  
+  return {
+    hasAccess: true,
+    tier: currentTier,
+    reason: 'Access granted'
+  };
 }
 
 /**
- * Check if user can use full conductor features
+ * Middleware for MCP tool handlers
  */
-export function canUseCondcutor(tier) {
-  return tier === 'pro';
+export function withTierCheck(featureName, handler) {
+  return async (args) => {
+    const access = await checkFeatureAccess(featureName, args?.apiKey);
+    
+    if (!access.hasAccess) {
+      return {
+        content: [{
+          type: "text",
+          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nUpgrade at: ${access.upgradeUrl}`
+        }],
+        isError: true
+      };
+    }
+    
+    args._tier = access.tier;
+    return handler(args);
+  };
 }
 
 /**
- * Check if user can approve authorities
+ * Check if user has access to a specific MCP tool
  */
-export function canApproveAuthority(tier) {
-  return tier === 'pro';
-}
-
-export async function getMcpToolAccess(toolName, apiKey) {
-  if (!apiKey) {
+export async function checkMcpToolAccess(toolName, providedApiKey = null) {
+  const userConfig = await loadUserConfig();
+  const apiKey = providedApiKey || userConfig?.apiKey;
+  
+  // Fetch tier from server
+  const meData = await fetchTierFromServer(apiKey);
+  const currentTier = meData.tier || 'free';
+  
+  // Unlimited and compliance have full access
+  if (currentTier === 'unlimited' || currentTier === 'compliance' || currentTier === 'enterprise') {
     return {
-      hasAccess: FREE_TOOLS.includes(toolName),
-      tier: 'free',
-      reason: FREE_TOOLS.includes(toolName) 
-        ? 'Access granted (free tool)'
-        : 'This tool requires Pro. Set API key with `vibecheck login`.',
+      hasAccess: true,
+      tier: currentTier,
+      reason: 'Full MCP access'
     };
   }
   
-  const tier = await getTierFromApiKey(apiKey);
+  // For now, allow all MCP tools for pro tier
+  // Individual tool gating can be added later if needed
+  if (currentTier === 'pro') {
+    return {
+      hasAccess: true,
+      tier: currentTier,
+      reason: 'Pro MCP access'
+    };
+  }
   
-  if (!tier) {
+  // Starter has limited MCP access (read-only tools)
+  if (currentTier === 'starter') {
+    // Allow read-only tools
+    const readOnlyTools = [
+      'vibecheck.ctx',
+      'vibecheck.scan',
+      'vibecheck.ship',
+      'vibecheck.get_truthpack',
+      'vibecheck.validate_claim',
+      'vibecheck.search_evidence',
+    ];
+    
+    if (readOnlyTools.includes(toolName)) {
+      return {
+        hasAccess: true,
+        tier: currentTier,
+        reason: 'Starter read-only access'
+      };
+    }
+    
     return {
       hasAccess: false,
-      tier: null,
-      reason: 'Invalid API key.',
+      tier: currentTier,
+      requiredTier: 'pro',
+      reason: `${toolName} requires PRO tier ($99/mo). Current: STARTER`,
+      upgradeUrl: 'https://vibecheckai.dev/pricing'
     };
   }
   
-  const hasAccess = canAccessTool(tier, toolName);
+  // Free tier has very limited MCP access
+  const freeTools = [
+    'vibecheck.get_truthpack',
+    'vibecheck.validate_claim',
+    'vibecheck.search_evidence',
+  ];
+  
+  if (freeTools.includes(toolName)) {
+    return {
+      hasAccess: true,
+      tier: 'free',
+      reason: 'Free tier access'
+    };
+  }
   
   return {
-    hasAccess,
-    tier,
-    firewallMode: getFirewallMode(tier),
-    reason: hasAccess
-      ? 'Access granted'
-      : `${toolName} requires Pro ($69/mo). Upgrade at https://vibecheckai.dev/pricing`,
+    hasAccess: false,
+    tier: 'free',
+    requiredTier: 'starter',
+    reason: `${toolName} requires STARTER tier ($29/mo) or higher. Current: FREE`,
+    upgradeUrl: 'https://vibecheckai.dev/pricing'
   };
 }
 
-// ============================================================================
-// MIDDLEWARE
-// ============================================================================
-
-export function withTierCheck(toolName, handler) {
+/**
+ * Middleware for MCP tool handlers with tool-specific checking
+ */
+export function withMcpToolCheck(toolName, handler) {
   return async (args) => {
-    const access = await getMcpToolAccess(toolName, args?.apiKey);
+    const access = await checkMcpToolAccess(toolName, args?.apiKey);
     
     if (!access.hasAccess) {
       return {
         content: [{
           type: "text",
-          text: `This tool requires Pro.\n\n${toolName} is a Pro feature.\n\nUpgrade to Pro ($69/mo) to unlock:\n- Authority System (verdicts & approvals)\n- Agent Conductor (multi-agent coordination)\n- Agent Firewall (enforce mode)\n\nhttps://vibecheckai.dev/pricing`
+          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nUpgrade at: ${access.upgradeUrl}`
         }],
         isError: true
       };
     }
     
     args._tier = access.tier;
-    args._firewallMode = access.firewallMode;
     return handler(args);
   };
 }
 
-// ============================================================================
-// USER INFO
-// ============================================================================
-
-async function loadUserConfig() {
-  try {
-    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
-    const data = await fs.readFile(configPath, 'utf-8');
-    return JSON.parse(data);
-  } catch {
-    return null;
-  }
-}
-
+/**
+ * Get current user info
+ */
 export async function getUserInfo() {
   const config = await loadUserConfig();
-  
   if (!config?.apiKey) {
     return {
       authenticated: false,
       tier: 'free',
-      tools: FREE_TOOLS,
-      firewallMode: 'observe',
+      message: 'Not authenticated. Run: vibecheck auth --key YOUR_API_KEY'
     };
   }
   
-  const tier = await getTierFromApiKey(config.apiKey);
+  const meData = await fetchTierFromServer(config.apiKey);
+  const tier = meData.tier || 'free';
+  const tierConfig = TIERS[tier] || TIERS.free;
   
   return {
-    authenticated: true,
-    tier: tier || 'free',
+    authenticated: meData.authenticated || false,
+    tier,
+    tierName: tierConfig.name,
     email: config.email,
-    tools: tier === 'pro' ? ALL_TOOLS : FREE_TOOLS,
-    firewallMode: getFirewallMode(tier || 'free'),
+    authenticatedAt: config.authenticatedAt,
   };
 }
 
-export async function getAvailableMcpTools(apiKey) {
-  const tier = apiKey ? await getTierFromApiKey(apiKey) : 'free';
+/**
+ * Get list of MCP tools available for current tier
+ */
+export async function getAvailableMcpTools(providedApiKey = null) {
+  const userConfig = await loadUserConfig();
+  const apiKey = providedApiKey || userConfig?.apiKey;
+  
+  const meData = await fetchTierFromServer(apiKey);
+  const currentTier = meData.tier || 'free';
+  
+  // Return tools based on tier
+  if (currentTier === 'unlimited' || currentTier === 'compliance' || currentTier === 'enterprise') {
+    return { tier: currentTier, tools: ['*'], unlimited: true };
+  }
+  
+  if (currentTier === 'pro') {
+    return {
+      tier: currentTier,
+      tools: ['*'], // Pro has full MCP access
+      unlimited: true
+    };
+  }
+  
+  if (currentTier === 'starter') {
+    return {
+      tier: currentTier,
+      tools: [
+        'vibecheck.ctx',
+        'vibecheck.scan',
+        'vibecheck.ship',
+        'vibecheck.get_truthpack',
+        'vibecheck.validate_claim',
+        'vibecheck.search_evidence',
+      ],
+      unlimited: false
+    };
+  }
+  
+  // Free tier
   return {
-    tier: tier || 'free',
-    tools: (tier === 'pro') ? ALL_TOOLS : FREE_TOOLS,
-    firewallMode: getFirewallMode(tier || 'free'),
+    tier: 'free',
+    tools: [
+      'vibecheck.get_truthpack',
+      'vibecheck.validate_claim',
+      'vibecheck.search_evidence',
+    ],
+    unlimited: false
   };
 }
-
-// Legacy exports for backward compatibility
-export async function getFeatureAccessStatus(featureName, apiKey) {
-  return getMcpToolAccess(featureName, apiKey);
-}
-
-export function withMcpToolCheck(toolName, handler) {
-  return withTierCheck(toolName, handler);
-}