@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/validators/dep-audit.js

@@ -1,245 +0,0 @@
-/**
- * Dependency Auditor - Ship-only check
- * Checks for known vulnerabilities in dependencies
- */
-
-"use strict";
-
-const path = require("path");
-const fs = require("fs");
-const { execSync } = require("child_process");
-
-/**
- * Audit dependencies for known vulnerabilities
- * Uses npm audit / pnpm audit under the hood
- */
-async function auditDependencies(projectPath) {
-  const findings = [];
-  const startTime = Date.now();
-  
-  try {
-    // Detect package manager
-    const packageManager = detectPackageManager(projectPath);
-    
-    // Check for package.json
-    const packageJsonPath = path.join(projectPath, "package.json");
-    if (!fs.existsSync(packageJsonPath)) {
-      return {
-        findings,
-        duration: Date.now() - startTime,
-        type: "dep-audit",
-      };
-    }
-    
-    // Check for lockfile
-    const hasLockfile = checkLockfile(projectPath, packageManager);
-    if (!hasLockfile) {
-      findings.push({
-        id: "DEP_NO_LOCKFILE",
-        category: "DependencyAudit",
-        severity: "WARN",
-        title: "No lockfile found",
-        message: "Project has no package-lock.json, pnpm-lock.yaml, or yarn.lock. Dependencies are not pinned.",
-        confidence: "high",
-        type: "no_lockfile",
-      });
-    }
-    
-    // Run audit command
-    const auditResult = await runAudit(projectPath, packageManager);
-    
-    // Parse audit results
-    if (auditResult.vulnerabilities) {
-      const vulnCounts = {
-        critical: 0,
-        high: 0,
-        moderate: 0,
-        low: 0,
-      };
-      
-      for (const [name, vuln] of Object.entries(auditResult.vulnerabilities)) {
-        const severity = vuln.severity || "moderate";
-        vulnCounts[severity] = (vulnCounts[severity] || 0) + 1;
-        
-        // Only report critical and high
-        if (severity === "critical" || severity === "high") {
-          findings.push({
-            id: `DEP_VULN_${hashString(name)}`,
-            category: "DependencyAudit",
-            severity: severity === "critical" ? "BLOCK" : "WARN",
-            title: `Vulnerable dependency: ${name}`,
-            message: `${severity.toUpperCase()} severity vulnerability in ${name}${vuln.via ? ` via ${Array.isArray(vuln.via) ? vuln.via[0] : vuln.via}` : ""}`,
-            confidence: "high",
-            type: "vulnerability",
-            details: {
-              package: name,
-              severity,
-              fixAvailable: vuln.fixAvailable || false,
-            },
-          });
-        }
-      }
-      
-      // Summary finding
-      if (vulnCounts.critical > 0 || vulnCounts.high > 0) {
-        findings.push({
-          id: "DEP_VULN_SUMMARY",
-          category: "DependencyAudit",
-          severity: vulnCounts.critical > 0 ? "BLOCK" : "WARN",
-          title: "Dependency vulnerabilities found",
-          message: `${vulnCounts.critical} critical, ${vulnCounts.high} high, ${vulnCounts.moderate} moderate, ${vulnCounts.low} low severity vulnerabilities`,
-          confidence: "high",
-          type: "summary",
-        });
-      }
-    }
-    
-    // Check for outdated dependencies (major versions behind)
-    const outdatedFindings = await checkOutdatedDependencies(projectPath, packageManager);
-    findings.push(...outdatedFindings);
-    
-  } catch (error) {
-    // Audit command failed - this is common if node_modules doesn't exist
-    if (!error.message.includes("ENOENT")) {
-      findings.push({
-        id: "DEP_AUDIT_ERROR",
-        category: "DependencyAudit",
-        severity: "INFO",
-        title: "Dependency audit incomplete",
-        message: `Could not run dependency audit: ${error.message}`,
-        confidence: "low",
-        type: "audit_error",
-      });
-    }
-  }
-  
-  return {
-    findings,
-    duration: Date.now() - startTime,
-    type: "dep-audit",
-  };
-}
-
-function detectPackageManager(projectPath) {
-  if (fs.existsSync(path.join(projectPath, "pnpm-lock.yaml"))) return "pnpm";
-  if (fs.existsSync(path.join(projectPath, "yarn.lock"))) return "yarn";
-  if (fs.existsSync(path.join(projectPath, "bun.lockb"))) return "bun";
-  return "npm";
-}
-
-function checkLockfile(projectPath, packageManager) {
-  const lockfiles = {
-    npm: "package-lock.json",
-    pnpm: "pnpm-lock.yaml",
-    yarn: "yarn.lock",
-    bun: "bun.lockb",
-  };
-  return fs.existsSync(path.join(projectPath, lockfiles[packageManager]));
-}
-
-async function runAudit(projectPath, packageManager) {
-  try {
-    let command;
-    switch (packageManager) {
-      case "pnpm":
-        command = "pnpm audit --json";
-        break;
-      case "yarn":
-        command = "yarn audit --json";
-        break;
-      default:
-        command = "npm audit --json";
-    }
-    
-    const result = execSync(command, {
-      cwd: projectPath,
-      encoding: "utf8",
-      stdio: ["pipe", "pipe", "pipe"],
-      timeout: 60000, // 60 second timeout
-    });
-    
-    return JSON.parse(result);
-  } catch (error) {
-    // npm audit exits with non-zero when vulnerabilities found
-    if (error.stdout) {
-      try {
-        return JSON.parse(error.stdout);
-      } catch {
-        return { vulnerabilities: {} };
-      }
-    }
-    return { vulnerabilities: {} };
-  }
-}
-
-async function checkOutdatedDependencies(projectPath, packageManager) {
-  const findings = [];
-  
-  try {
-    let command;
-    switch (packageManager) {
-      case "pnpm":
-        command = "pnpm outdated --json";
-        break;
-      case "yarn":
-        command = "yarn outdated --json";
-        break;
-      default:
-        command = "npm outdated --json";
-    }
-    
-    const result = execSync(command, {
-      cwd: projectPath,
-      encoding: "utf8",
-      stdio: ["pipe", "pipe", "pipe"],
-      timeout: 60000,
-    });
-    
-    const outdated = JSON.parse(result || "{}");
-    
-    // Count packages that are multiple major versions behind
-    let majorOutdated = 0;
-    for (const [name, info] of Object.entries(outdated)) {
-      const current = info.current || "0.0.0";
-      const latest = info.latest || "0.0.0";
-      
-      const currentMajor = parseInt(current.split(".")[0], 10) || 0;
-      const latestMajor = parseInt(latest.split(".")[0], 10) || 0;
-      
-      if (latestMajor - currentMajor >= 2) {
-        majorOutdated++;
-      }
-    }
-    
-    if (majorOutdated > 5) {
-      findings.push({
-        id: "DEP_MAJOR_OUTDATED",
-        category: "DependencyAudit",
-        severity: "WARN",
-        title: "Many dependencies are significantly outdated",
-        message: `${majorOutdated} dependencies are 2+ major versions behind. Consider updating.`,
-        confidence: "medium",
-        type: "outdated",
-      });
-    }
-    
-  } catch {
-    // Outdated check failed - ignore
-  }
-  
-  return findings;
-}
-
-function hashString(str) {
-  let hash = 0;
-  for (let i = 0; i < str.length; i++) {
-    const char = str.charCodeAt(i);
-    hash = ((hash << 5) - hash) + char;
-    hash = hash & hash;
-  }
-  return Math.abs(hash).toString(36).substring(0, 8);
-}
-
-module.exports = {
-  auditDependencies,
-};

package/bin/runners/lib/validators/env-validator.js

@@ -1,319 +0,0 @@
-/**
- * Environment Validator - Ship-only check
- * Validates environment variable configuration
- */
-
-"use strict";
-
-const path = require("path");
-const fs = require("fs");
-const fg = require("fast-glob");
-
-/**
- * Validate environment variable configuration
- * Checks:
- * - All used env vars are documented in .env.example
- * - No secrets in .env files that should be in .gitignore
- * - Required env vars have validation
- * - Env var naming conventions
- */
-async function validateEnv(projectPath) {
-  const findings = [];
-  const startTime = Date.now();
-  
-  try {
-    // Find .env files
-    const envFiles = fg.sync([".env*", "**/.env*"], {
-      cwd: projectPath,
-      absolute: true,
-      ignore: ["**/node_modules/**"],
-      dot: true,
-    });
-    
-    // Parse env template (.env.example, .env.template)
-    const templateVars = await parseEnvTemplate(projectPath);
-    
-    // Parse actual env files
-    const actualEnvVars = new Map();
-    const envFileContents = new Map();
-    
-    for (const envFile of envFiles) {
-      const relativePath = path.relative(projectPath, envFile).replace(/\\/g, "/");
-      const content = fs.readFileSync(envFile, "utf8");
-      envFileContents.set(relativePath, content);
-      
-      const vars = parseEnvFile(content);
-      for (const [key, value] of Object.entries(vars)) {
-        if (!actualEnvVars.has(key)) {
-          actualEnvVars.set(key, { files: [], value });
-        }
-        actualEnvVars.get(key).files.push(relativePath);
-      }
-    }
-    
-    // Find env var usage in code
-    const usedEnvVars = await findEnvVarUsage(projectPath);
-    
-    // Check for missing documentation
-    for (const [varName, usage] of usedEnvVars.entries()) {
-      if (!templateVars.has(varName) && !isSystemEnvVar(varName)) {
-        findings.push({
-          id: `ENV_UNDOCUMENTED_${hashString(varName)}`,
-          category: "EnvValidation",
-          severity: "WARN",
-          title: `Environment variable not documented: ${varName}`,
-          message: `${varName} is used in code but not in .env.example`,
-          file: usage.files[0],
-          line: usage.line,
-          confidence: "medium",
-          type: "undocumented_env",
-        });
-      }
-    }
-    
-    // Check for secrets in committed env files
-    for (const [filePath, content] of envFileContents.entries()) {
-      // Skip .env.example, .env.template, .env.local (usually gitignored)
-      if (filePath.includes("example") || filePath.includes("template")) continue;
-      
-      const potentialSecrets = findPotentialSecrets(content);
-      
-      for (const secret of potentialSecrets) {
-        findings.push({
-          id: `ENV_SECRET_${hashString(secret.key + filePath)}`,
-          category: "EnvValidation",
-          severity: "BLOCK",
-          title: `Potential secret in env file: ${secret.key}`,
-          message: `${filePath} contains what looks like a secret value for ${secret.key}. Ensure this file is gitignored.`,
-          file: filePath,
-          confidence: "high",
-          type: "potential_secret",
-        });
-      }
-    }
-    
-    // Check .gitignore for env files
-    const gitignorePath = path.join(projectPath, ".gitignore");
-    if (fs.existsSync(gitignorePath)) {
-      const gitignore = fs.readFileSync(gitignorePath, "utf8");
-      const envFilesIgnored = gitignore.includes(".env") || gitignore.includes("*.env");
-      
-      if (!envFilesIgnored) {
-        findings.push({
-          id: "ENV_NOT_GITIGNORED",
-          category: "EnvValidation",
-          severity: "WARN",
-          title: ".env files may not be gitignored",
-          message: "Add .env* to .gitignore to prevent committing secrets",
-          file: ".gitignore",
-          confidence: "medium",
-          type: "gitignore_missing",
-        });
-      }
-    }
-    
-    // Check for .env.example
-    const hasEnvExample = templateVars.size > 0;
-    if (!hasEnvExample && usedEnvVars.size > 5) {
-      findings.push({
-        id: "ENV_NO_EXAMPLE",
-        category: "EnvValidation",
-        severity: "WARN",
-        title: "No .env.example file",
-        message: "Create a .env.example to document required environment variables",
-        confidence: "high",
-        type: "no_example",
-      });
-    }
-    
-    // Check naming conventions
-    for (const varName of usedEnvVars.keys()) {
-      if (isSystemEnvVar(varName)) continue;
-      
-      // Check for lowercase (should be SCREAMING_SNAKE_CASE)
-      if (varName !== varName.toUpperCase() && !varName.startsWith("npm_")) {
-        findings.push({
-          id: `ENV_NAMING_${hashString(varName)}`,
-          category: "EnvValidation",
-          severity: "INFO",
-          title: `Environment variable naming: ${varName}`,
-          message: `Convention is SCREAMING_SNAKE_CASE. Consider renaming to ${varName.toUpperCase()}`,
-          confidence: "low",
-          type: "naming_convention",
-        });
-      }
-    }
-    
-  } catch (error) {
-    findings.push({
-      id: "ENV_VALIDATION_ERROR",
-      category: "EnvValidation",
-      severity: "INFO",
-      title: "Environment validation incomplete",
-      message: `Could not complete env validation: ${error.message}`,
-      confidence: "low",
-      type: "validation_error",
-    });
-  }
-  
-  return {
-    findings,
-    duration: Date.now() - startTime,
-    type: "env-validator",
-  };
-}
-
-async function parseEnvTemplate(projectPath) {
-  const templateVars = new Map();
-  
-  const templateFiles = [".env.example", ".env.template", ".env.sample"];
-  
-  for (const filename of templateFiles) {
-    const filePath = path.join(projectPath, filename);
-    if (fs.existsSync(filePath)) {
-      const content = fs.readFileSync(filePath, "utf8");
-      const vars = parseEnvFile(content);
-      for (const [key, value] of Object.entries(vars)) {
-        templateVars.set(key, { value, file: filename });
-      }
-    }
-  }
-  
-  return templateVars;
-}
-
-function parseEnvFile(content) {
-  const vars = {};
-  const lines = content.split("\n");
-  
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    
-    const match = trimmed.match(/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/);
-    if (match) {
-      vars[match[1]] = match[2].replace(/^["']|["']$/g, "");
-    }
-  }
-  
-  return vars;
-}
-
-async function findEnvVarUsage(projectPath) {
-  const usedVars = new Map();
-  
-  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
-    cwd: projectPath,
-    absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.test.*",
-      "**/*.spec.*",
-    ],
-  });
-  
-  for (const file of files) {
-    try {
-      const content = fs.readFileSync(file, "utf8");
-      const relativePath = path.relative(projectPath, file).replace(/\\/g, "/");
-      
-      // process.env.VAR_NAME
-      const processEnvMatches = content.matchAll(/process\.env\.([A-Z_][A-Z0-9_]*)/g);
-      for (const match of processEnvMatches) {
-        const varName = match[1];
-        const line = content.substring(0, match.index).split("\n").length;
-        
-        if (!usedVars.has(varName)) {
-          usedVars.set(varName, { files: [], line });
-        }
-        usedVars.get(varName).files.push(relativePath);
-      }
-      
-      // import.meta.env.VAR_NAME (Vite)
-      const importMetaMatches = content.matchAll(/import\.meta\.env\.([A-Z_][A-Z0-9_]*)/g);
-      for (const match of importMetaMatches) {
-        const varName = match[1];
-        const line = content.substring(0, match.index).split("\n").length;
-        
-        if (!usedVars.has(varName)) {
-          usedVars.set(varName, { files: [], line });
-        }
-        usedVars.get(varName).files.push(relativePath);
-      }
-    } catch {
-      // Skip files that can't be read
-    }
-  }
-  
-  return usedVars;
-}
-
-function isSystemEnvVar(name) {
-  const systemVars = [
-    "NODE_ENV", "PORT", "HOST", "PATH", "HOME", "USER", "SHELL",
-    "PWD", "LANG", "TZ", "TERM", "CI", "DEBUG", "VERBOSE",
-    "npm_package_version", "npm_package_name",
-  ];
-  return systemVars.includes(name) || name.startsWith("npm_") || name.startsWith("NODE_");
-}
-
-function findPotentialSecrets(content) {
-  const secrets = [];
-  const lines = content.split("\n");
-  
-  const secretPatterns = [
-    /^(.*(?:SECRET|KEY|TOKEN|PASSWORD|PRIVATE|CREDENTIAL|AUTH).*?)=(.+)$/i,
-    /^(.*API_KEY.*)=(.+)$/i,
-    /^(.*ACCESS_TOKEN.*)=(.+)$/i,
-    /^(.*DATABASE_URL.*)=(.+)$/i,
-    /^(.*STRIPE_.*)=(.+)$/i,
-    /^(.*AWS_.*)=(.+)$/i,
-    /^(.*GOOGLE_.*)=(.+)$/i,
-    /^(.*GITHUB_.*)=(.+)$/i,
-  ];
-  
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    
-    for (const pattern of secretPatterns) {
-      const match = trimmed.match(pattern);
-      if (match) {
-        const value = match[2].replace(/^["']|["']$/g, "");
-        // Skip placeholder values
-        if (!isPlaceholderValue(value)) {
-          secrets.push({ key: match[1], hasValue: true });
-          break;
-        }
-      }
-    }
-  }
-  
-  return secrets;
-}
-
-function isPlaceholderValue(value) {
-  const placeholders = [
-    "", "your-", "xxx", "TODO", "CHANGEME", "placeholder",
-    "<", ">", "...", "example", "test", "dev", "local",
-  ];
-  
-  const lowerValue = value.toLowerCase();
-  return placeholders.some(p => lowerValue.includes(p)) || value.length < 8;
-}
-
-function hashString(str) {
-  let hash = 0;
-  for (let i = 0; i < str.length; i++) {
-    const char = str.charCodeAt(i);
-    hash = ((hash << 5) - hash) + char;
-    hash = hash & hash;
-  }
-  return Math.abs(hash).toString(36).substring(0, 8);
-}
-
-module.exports = {
-  validateEnv,
-};

package/bin/runners/lib/validators/index.js

@@ -1,120 +0,0 @@
-/**
- * Ship-only Validators
- * These validators only run during `vibecheck ship` (PRO feature)
- */
-
-"use strict";
-
-const { validateRoutes } = require("./route-validator");
-const { validateContracts } = require("./contract-validator");
-const { auditDependencies } = require("./dep-audit");
-const { checkLicenses } = require("./license-checker");
-const { validateEnv } = require("./env-validator");
-const { detectDeadExports } = require("./dead-export-detector");
-
-/**
- * Run all ship-only validators
- * @param {string} projectPath - Path to project root
- * @param {Object} options - Validator options
- * @returns {Promise<{findings: Array, stats: Object}>}
- */
-async function runShipValidators(projectPath, options = {}) {
-  const { onProgress = null, parallel = true } = options;
-  
-  const startTime = Date.now();
-  const results = [];
-  
-  const validators = [
-    { name: "Route Integrity", fn: validateRoutes },
-    { name: "Contract Validation", fn: validateContracts },
-    { name: "Dependency Audit", fn: auditDependencies },
-    { name: "License Compliance", fn: checkLicenses },
-    { name: "Environment Validation", fn: validateEnv },
-    { name: "Dead Export Detection", fn: detectDeadExports },
-  ];
-  
-  if (parallel) {
-    // Run validators in parallel
-    const promises = validators.map(async ({ name, fn }) => {
-      try {
-        if (onProgress) onProgress(name, "running");
-        const result = await fn(projectPath);
-        if (onProgress) onProgress(name, "complete");
-        return { name, ...result };
-      } catch (error) {
-        if (onProgress) onProgress(name, "error");
-        return {
-          name,
-          findings: [{
-            id: `VALIDATOR_ERROR_${name.replace(/\s/g, "_")}`,
-            category: "ValidatorError",
-            severity: "INFO",
-            title: `${name} validator failed`,
-            message: error.message,
-            confidence: "low",
-            type: "validator_error",
-          }],
-          duration: 0,
-        };
-      }
-    });
-    
-    results.push(...await Promise.all(promises));
-  } else {
-    // Run validators sequentially
-    for (const { name, fn } of validators) {
-      try {
-        if (onProgress) onProgress(name, "running");
-        const result = await fn(projectPath);
-        if (onProgress) onProgress(name, "complete");
-        results.push({ name, ...result });
-      } catch (error) {
-        if (onProgress) onProgress(name, "error");
-        results.push({
-          name,
-          findings: [{
-            id: `VALIDATOR_ERROR_${name.replace(/\s/g, "_")}`,
-            category: "ValidatorError",
-            severity: "INFO",
-            title: `${name} validator failed`,
-            message: error.message,
-            confidence: "low",
-            type: "validator_error",
-          }],
-          duration: 0,
-        });
-      }
-    }
-  }
-  
-  // Aggregate findings
-  const allFindings = [];
-  const stats = {
-    validatorsRun: results.length,
-    findingsPerValidator: {},
-    totalDuration: Date.now() - startTime,
-  };
-  
-  for (const result of results) {
-    stats.findingsPerValidator[result.name] = result.findings.length;
-    allFindings.push(...result.findings.map(f => ({
-      ...f,
-      validator: result.name,
-    })));
-  }
-  
-  return { findings: allFindings, stats };
-}
-
-module.exports = {
-  // Main orchestrator
-  runShipValidators,
-  
-  // Individual validators
-  validateRoutes,
-  validateContracts,
-  auditDependencies,
-  checkLicenses,
-  validateEnv,
-  detectDeadExports,
-};