@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/route-detection.js

@@ -1018,108 +1018,177 @@ async function resolvePythonClientRefs(repoRoot) {
 // MAIN: RESOLVE ALL ROUTES
 // ============================================================================
 
-async function resolveAllRoutes(repoRoot) {
+// Smart orchestration: only run expensive scanners when signals say they matter.
+// You can force the old behavior by setting:
+//   VIBECHECK_ROUTE_SCAN_MODE=deep
+// or calling resolveAllRoutes(repoRoot, { mode: "deep" }).
+async function resolveAllRoutes(repoRoot, opts = {}) {
+  const mode = (opts.mode || process.env.VIBECHECK_ROUTE_SCAN_MODE || "smart").toLowerCase();
+  const verbose = !!(opts.verbose || process.env.VIBECHECK_VERBOSE_ROUTES);
+  const skipExpress = !!opts.skipExpress; // When true, skip Express (handled by optimized extractor)
+
   const frameworks = await detectFrameworks(repoRoot);
-  
+
   const allRoutes = [];
   const allClientRefs = [];
   const gaps = [];
-  
-  console.log(`  📦 Detected frameworks: ${frameworks.length > 0 ? frameworks.join(", ") : "none detected, scanning all"}`);
-  
-  // Always scan for routes regardless of detected frameworks
-  // JavaScript/TypeScript frameworks
+
+  const fw = new Set(frameworks.map((x) => String(x).toLowerCase()));
+
+  // Lightweight language presence checks (avoid globbing millions of files)
+  const has = {
+    python: exists(path.join(repoRoot, "requirements.txt")) || exists(path.join(repoRoot, "pyproject.toml")),
+    ruby: exists(path.join(repoRoot, "Gemfile")),
+    go: exists(path.join(repoRoot, "go.mod")),
+  };
+
+  // If we don't have explicit deps, do a quick filesystem sniff.
+  // (We intentionally keep this cheap: just check for any matching file.)
+  if (!has.python) {
+    try {
+      const py = await fg(["**/*.py"], { cwd: repoRoot, absolute: true, ignore: ["**/node_modules/**", "**/.venv/**", "**/venv/**", "**/.git/**", "**/dist/**", "**/build/**"] , deep: 4 });
+      has.python = py.length > 0;
+    } catch {}
+  }
+
+  const shouldDeepScan = mode === "deep";
+
+  if (verbose) {
+    const list = frameworks.length ? frameworks.join(", ") : "none";
+    console.log(`  📦 Detected frameworks: ${list} (mode=${mode})`);
+  }
+
+  // JS/TS frameworks
+  const shouldExpress = shouldDeepScan || fw.has("express");
+  const shouldHono = shouldDeepScan || fw.has("hono");
+  const shouldKoa = shouldDeepScan || fw.has("koa");
+  const shouldNest = shouldDeepScan || fw.has("nestjs");
+
+  // Python frameworks
+  const shouldFlask = shouldDeepScan || fw.has("flask") || (has.python && fw.size === 0);
+  const shouldFastAPI = shouldDeepScan || fw.has("fastapi") || (has.python && fw.size === 0);
+  const shouldDjango = shouldDeepScan || fw.has("django") || (has.python && fw.size === 0);
+
+  // Go frameworks
+  const shouldGo = shouldDeepScan || fw.has("go") || has.go;
+
+  // OpenAPI/GraphQL are cheap and high-signal, so include when present.
+  const shouldOpenAPI = shouldDeepScan || fw.has("openapi");
+  const shouldGraphQL = shouldDeepScan || fw.has("graphql");
+
+  // If nothing detected and not deep mode, keep JS scanning conservative.
+  // (Truthpack already handles Next/Fastify separately; this is a safety net.)
+  const unknownRepo = fw.size === 0 && !has.python && !has.go && !has.ruby;
+  const safeJsScan = shouldDeepScan || !unknownRepo;
+
   try {
-    const expressRoutes = await resolveExpressRoutes(repoRoot);
-    if (expressRoutes.length > 0) {
-      console.log(`     ✓ Express: ${expressRoutes.length} routes`);
-      allRoutes.push(...expressRoutes);
+    if (safeJsScan && shouldExpress && !skipExpress) {
+      const expressRoutes = await resolveExpressRoutes(repoRoot);
+      if (expressRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ Express: ${expressRoutes.length} routes`);
+        allRoutes.push(...expressRoutes);
+      }
+    } else if (skipExpress && verbose) {
+      console.log(`     ⏭️  Express: skipped (using optimized extractor)`);
     }
   } catch (e) { gaps.push({ kind: "express_scan_error", error: e.message }); }
-  
+
   try {
-    const honoRoutes = await resolveHonoRoutes(repoRoot);
-    if (honoRoutes.length > 0) {
-      console.log(`     ✓ Hono: ${honoRoutes.length} routes`);
-      allRoutes.push(...honoRoutes);
+    if (safeJsScan && shouldHono) {
+      const honoRoutes = await resolveHonoRoutes(repoRoot);
+      if (honoRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ Hono: ${honoRoutes.length} routes`);
+        allRoutes.push(...honoRoutes);
+      }
     }
   } catch (e) { gaps.push({ kind: "hono_scan_error", error: e.message }); }
-  
+
   try {
-    const koaRoutes = await resolveKoaRoutes(repoRoot);
-    if (koaRoutes.length > 0) {
-      console.log(`     ✓ Koa: ${koaRoutes.length} routes`);
-      allRoutes.push(...koaRoutes);
+    if (safeJsScan && shouldKoa) {
+      const koaRoutes = await resolveKoaRoutes(repoRoot);
+      if (koaRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ Koa: ${koaRoutes.length} routes`);
+        allRoutes.push(...koaRoutes);
+      }
     }
   } catch (e) { gaps.push({ kind: "koa_scan_error", error: e.message }); }
-  
-  // Python frameworks
+
+  // NestJS route extraction is expensive and flaky; only run it when clearly present.
+  if (shouldNest) {
+    // (No dedicated resolver today; keep placeholder for future.)
+  }
+
   try {
-    const flaskRoutes = await resolveFlaskRoutes(repoRoot);
-    if (flaskRoutes.length > 0) {
-      console.log(`     ✓ Flask: ${flaskRoutes.length} routes`);
-      allRoutes.push(...flaskRoutes);
+    if (shouldFlask) {
+      const flaskRoutes = await resolveFlaskRoutes(repoRoot);
+      if (flaskRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ Flask: ${flaskRoutes.length} routes`);
+        allRoutes.push(...flaskRoutes);
+      }
     }
   } catch (e) { gaps.push({ kind: "flask_scan_error", error: e.message }); }
-  
+
   try {
-    const fastapiRoutes = await resolveFastAPIRoutes(repoRoot);
-    if (fastapiRoutes.length > 0) {
-      console.log(`     ✓ FastAPI: ${fastapiRoutes.length} routes`);
-      allRoutes.push(...fastapiRoutes);
+    if (shouldFastAPI) {
+      const fastapiRoutes = await resolveFastAPIRoutes(repoRoot);
+      if (fastapiRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ FastAPI: ${fastapiRoutes.length} routes`);
+        allRoutes.push(...fastapiRoutes);
+      }
     }
   } catch (e) { gaps.push({ kind: "fastapi_scan_error", error: e.message }); }
-  
+
   try {
-    const djangoRoutes = await resolveDjangoRoutes(repoRoot);
-    if (djangoRoutes.length > 0) {
-      console.log(`     ✓ Django: ${djangoRoutes.length} routes`);
-      allRoutes.push(...djangoRoutes);
+    if (shouldDjango) {
+      const djangoRoutes = await resolveDjangoRoutes(repoRoot);
+      if (djangoRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ Django: ${djangoRoutes.length} routes`);
+        allRoutes.push(...djangoRoutes);
+      }
     }
   } catch (e) { gaps.push({ kind: "django_scan_error", error: e.message }); }
-  
-  // Python client refs
+
   try {
-    const pythonRefs = await resolvePythonClientRefs(repoRoot);
-    if (pythonRefs.length > 0) {
-      console.log(`     ✓ Python client refs: ${pythonRefs.length}`);
-      allClientRefs.push(...pythonRefs);
+    if (has.python && (shouldDeepScan || shouldFlask || shouldFastAPI || shouldDjango)) {
+      const pythonRefs = await resolvePythonClientRefs(repoRoot);
+      if (pythonRefs.length > 0) {
+        if (verbose) console.log(`     ✓ Python client refs: ${pythonRefs.length}`);
+        allClientRefs.push(...pythonRefs);
+      }
     }
   } catch (e) { gaps.push({ kind: "python_client_scan_error", error: e.message }); }
-  
-  // OpenAPI/Swagger specs (high accuracy)
+
   try {
-    const openapiRoutes = await resolveOpenAPIRoutes(repoRoot);
-    if (openapiRoutes.length > 0) {
-      console.log(`     ✓ OpenAPI spec: ${openapiRoutes.length} routes`);
-      allRoutes.push(...openapiRoutes);
+    if (shouldOpenAPI) {
+      const openapiRoutes = await resolveOpenAPIRoutes(repoRoot);
+      if (openapiRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ OpenAPI spec: ${openapiRoutes.length} routes`);
+        allRoutes.push(...openapiRoutes);
+      }
     }
   } catch (e) { gaps.push({ kind: "openapi_scan_error", error: e.message }); }
-  
-  // GraphQL endpoints
+
   try {
-    const graphqlRoutes = await resolveGraphQLRoutes(repoRoot);
-    if (graphqlRoutes.length > 0) {
-      console.log(`     ✓ GraphQL: ${graphqlRoutes.length} endpoints`);
-      allRoutes.push(...graphqlRoutes);
+    if (shouldGraphQL) {
+      const graphqlRoutes = await resolveGraphQLRoutes(repoRoot);
+      if (graphqlRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ GraphQL: ${graphqlRoutes.length} endpoints`);
+        allRoutes.push(...graphqlRoutes);
+      }
     }
   } catch (e) { gaps.push({ kind: "graphql_scan_error", error: e.message }); }
-  
-  // Go frameworks (Gin, Echo, Fiber, Chi, Gorilla, stdlib)
+
   try {
-    const goRoutes = await resolveGoRoutes(repoRoot);
-    if (goRoutes.length > 0) {
-      console.log(`     ✓ Go: ${goRoutes.length} routes`);
-      allRoutes.push(...goRoutes);
+    if (shouldGo) {
+      const goRoutes = await resolveGoRoutes(repoRoot);
+      if (goRoutes.length > 0) {
+        if (verbose) console.log(`     ✓ Go: ${goRoutes.length} routes`);
+        allRoutes.push(...goRoutes);
+      }
     }
   } catch (e) { gaps.push({ kind: "go_scan_error", error: e.message }); }
-  
-  return {
-    routes: allRoutes,
-    clientRefs: allClientRefs,
-    gaps,
-    frameworks
-  };
+
+  return { routes: allRoutes, clientRefs: allClientRefs, gaps, frameworks };
 }
 
 module.exports = {

package/bin/runners/lib/scan-output.js

@@ -3,11 +3,13 @@
  * Features:
  * - "SCAN" ASCII Art
  * - Fixed alignment tables
- * - "Redacted" Upsell section for Scan context
+ * - Auto-fix upsell section for Scan context
+ * - Deterministic output ordering
  */
 
 // Use ANSI codes directly (chalk v5 is ESM-only, this is CommonJS)
 const ESC = '\x1b';
+const { sortFindings } = require('./finding-sorter');
 const chalk = {
   reset: `${ESC}[0m`,
   bold: `${ESC}[1m`,
@@ -99,6 +101,11 @@ function formatScanOutput(result, options = {}) {
   let duration = 0;
   let scannedFiles = 0;
   
+  // Sort findings deterministically for stable output
+  if (result.findings && Array.isArray(result.findings)) {
+    result.findings = sortFindings(result.findings);
+  }
+  
   // Helper function to calculate score from findings
   function calculateScoreFromFindings(findings) {
     if (!findings || findings.length === 0) return 100;
@@ -245,17 +252,33 @@ function formatScanOutput(result, options = {}) {
     });
     
     const categoryLabels = {
-      'EnvContract': '🔐 Env',
-      'MissingRoute': '🔗 Routes',
-      'GhostAuth': '🛡️ Auth',
-      'FakeSuccess': '⚠️ Fake',
-      'MockData': '🎭 Mocks',
+      // AI Hallucination Categories (primary)
+      'MissingRoute': '🛤️ Routes',
+      'FakeSuccess': '👻 Fake',
+      'GhostAuth': '🔒 Auth',
+      'EnvContract': '🌍 Env',
+      'EnvGap': '🌍 Env',
+      'DeadUI': '💀 Dead UI',
+      'OwnerModeBypass': '🔐 Bypass',
+      'OptimisticNoRollback': '↩️ Rollback',
+      'SilentCatch': '🔇 Silent',
+      // Billing/Monetization
+      'Billing': '💰 Billing',
+      'StripeWebhook': '💰 Webhook',
+      'PaidSurface': '💰 Paid',
+      'Entitlements': '💳 Entitle',
+      // Security
+      'Security': '🛡️ Security',
       'Secrets': '🔑 Secrets',
+      'SECRET': '🔑 Secrets',
+      // Quality
+      'MockData': '🎭 Mocks',
+      'MOCK': '🎭 Mocks',
       'ConsoleLog': '📝 Logs',
       'TodoFixme': '📋 TODOs',
       'CodeQuality': '✨ Quality',
-      'Security': '⚡ Security',
       'Performance': '⚡ Perf',
+      'ContractDrift': '📜 Drift',
     };
     
     const summaryItems = Object.entries(categoryCounts)
@@ -382,6 +405,25 @@ function formatScanOutput(result, options = {}) {
   lines.push(`${chalk.gray}${BOX.vertical}${chalk.reset}${' '.repeat(WIDTH - 2)}${chalk.gray}${BOX.vertical}${chalk.reset}`);
   lines.push(`${chalk.gray}${BOX.bottomLeft}${BOX.horizontal.repeat(WIDTH - 2)}${BOX.bottomRight}${chalk.reset}`);
 
+  // DASHBOARD LINK (outside frame)
+  const runId = result.runId || result.verdict?.runId;
+  if (runId) {
+    lines.push('');
+    lines.push(`  ${chalk.dim}🔗 Dashboard:${chalk.reset} https://app.vibecheckai.dev/runs/${runId}`);
+  }
+
+  // NEXT BEST ACTION (outside frame)
+  try {
+    const { formatNextActionOneLine, getNextActionForCommand } = require('./next-action');
+    const tier = options.tier || 'free';
+    const verdict = typeof result.verdict === 'object' ? result.verdict.verdict : result.verdict;
+    const nextAction = getNextActionForCommand('scan', { verdict, runId, findings }, tier);
+    lines.push('');
+    lines.push(`  ${formatNextActionOneLine(nextAction)}`);
+  } catch (e) {
+    // Next action module might not be available, skip gracefully
+  }
+
   return lines.join('\n');
 }
 
@@ -461,36 +503,56 @@ function printError(error, context = '') {
  * Format SARIF output (placeholder - full implementation in report-engine.js)
  */
 function formatSARIF(findings, options = {}) {
-  // Basic SARIF structure - full implementation should be in report-engine.js
-  return JSON.stringify({
+  const path = require('path');
+  // Sort findings deterministically for stable output
+  const sortedFindings = sortFindings(findings || []);
+  
+  const projectPath = options.projectPath || process.cwd();
+  
+  // Valid SARIF 2.1.0 structure
+  const sarif = {
     version: "2.1.0",
-    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema.json",
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
     runs: [{
       tool: {
         driver: {
           name: "vibecheck",
-          version: options.version || "1.0.0"
+          version: options.version || "1.0.0",
+          informationUri: "https://vibecheckai.dev"
         }
       },
-      results: findings.map((f, i) => ({
-        ruleId: f.ruleId || f.category || `rule-${i}`,
-        message: {
-          text: f.message || f.title || ""
-        },
-        level: f.severity === 'critical' ? 'error' : f.severity === 'warning' ? 'warning' : 'note',
-        locations: f.file ? [{
-          physicalLocation: {
-            artifactLocation: {
-              uri: f.file
-            },
-            region: f.line ? {
-              startLine: f.line
-            } : undefined
-          }
-        }] : []
-      }))
+      results: sortedFindings.map((f, i) => {
+        const filePath = f.file || f.path;
+        const relativePath = filePath && projectPath 
+          ? path.relative(projectPath, filePath).replace(/\\/g, '/')
+          : filePath || 'unknown';
+        
+        return {
+          ruleId: f.ruleId || f.id || f.category || f.type || `rule-${i}`,
+          message: {
+            text: f.message || f.title || f.description || "Issue detected"
+          },
+          level: f.severity === 'critical' || f.severity === 'BLOCK' ? 'error' : 
+                 f.severity === 'warning' || f.severity === 'WARN' ? 'warning' : 'note',
+          locations: filePath ? [{
+            physicalLocation: {
+              artifactLocation: {
+                uri: relativePath
+              },
+              region: f.line ? {
+                startLine: f.line,
+                startColumn: f.column || 1,
+                endLine: f.endLine || f.line,
+                endColumn: f.endColumn || f.column || 1
+              } : undefined
+            }
+          }] : []
+        };
+      })
     }]
-  }, null, 2);
+  };
+  
+  return JSON.stringify(sarif, null, 2);
 }
 
 // Placeholder functions for compatibility
@@ -510,52 +572,8 @@ function renderLayers(layers) {
   return ''; // Implement if needed
 }
 
-// ═══════════════════════════════════════════════════════════════════════════════
-// ENHANCED OUTPUT (with charts and Pro upselling)
-// ═══════════════════════════════════════════════════════════════════════════════
-
-let enhancedOutput;
-try {
-  enhancedOutput = require('./scan-output-enhanced');
-} catch (e) {
-  enhancedOutput = null;
-}
-
-/**
- * Format scan output with enhanced visuals (charts, upsell)
- * Falls back to standard output if enhanced module not available
- */
-function formatScanOutputEnhanced(result, options = {}) {
-  if (enhancedOutput && !options.legacy) {
-    enhancedOutput.renderEnhancedScanOutput(result, options);
-    return ''; // Output is printed directly
-  }
-  return formatScanOutput(result, options);
-}
-
-/**
- * Get Pro upsell prompt for current context
- */
-function getProUpsellPrompt(context, data = {}) {
-  if (enhancedOutput) {
-    return enhancedOutput.getProPrompt(context, data);
-  }
-  return null;
-}
-
-/**
- * Render inline Pro upsell
- */
-function renderProUpsell(context, data = {}) {
-  if (enhancedOutput) {
-    return enhancedOutput.renderInlineProPrompt(context, data);
-  }
-  return '';
-}
-
 module.exports = { 
   formatScanOutput,
-  formatScanOutputEnhanced,
   calculateScore,
   getExitCode,
   printError,
@@ -565,7 +583,4 @@ module.exports = {
   renderBreakdown,
   renderBlockers,
   renderLayers,
-  // Pro upsell
-  getProUpsellPrompt,
-  renderProUpsell,
 };

package/bin/runners/lib/scan-runner.js

@@ -0,0 +1,135 @@
+/**
+ * Scan Runner - Timeout and Cancellation Support
+ * 
+ * Provides timeout and cancellation capabilities for scan execution.
+ * Prevents runaway scans from hanging indefinitely.
+ */
+
+const EventEmitter = require('events');
+
+/**
+ * @typedef {Object} ScanOptions
+ * @property {number} [timeout] - Timeout in milliseconds (default: 5 minutes)
+ * @property {AbortSignal} [signal] - AbortSignal for cancellation
+ */
+
+/**
+ * @typedef {Object} ScanResult
+ * @property {'completed'|'cancelled'|'failed'} status
+ * @property {Array} findings
+ * @property {string} [error]
+ */
+
+class ScanRunner extends EventEmitter {
+  constructor() {
+    super();
+    this.aborted = false;
+    this.timeoutId = null;
+  }
+  constructor() {
+    super();
+    this.aborted = false;
+    this.timeoutId = null;
+  }
+
+  /**
+   * Run a scan with timeout and cancellation support
+   * @param {string} projectPath - Path to project to scan
+   * @param {ScanOptions} options - Scan options
+   * @returns {Promise<ScanResult>}
+   */
+  async run(projectPath, options = {}) {
+    const timeout = options.timeout || 5 * 60 * 1000; // Default 5 minutes
+    
+    // Set up abort handling
+    if (options.signal) {
+      options.signal.addEventListener('abort', () => {
+        this.abort('Scan aborted via signal');
+      });
+    }
+    
+    // Set up timeout
+    this.timeoutId = setTimeout(() => {
+      this.abort('Scan timed out');
+    }, timeout);
+    
+    try {
+      this.emit('start', { projectPath, timeout });
+      
+      const result = await this.executeAnalyzers(projectPath);
+      
+      if (this.aborted) {
+        return { status: 'cancelled', findings: [] };
+      }
+      
+      return result;
+    } catch (error) {
+      if (this.aborted) {
+        return { status: 'cancelled', findings: [], error: error.message };
+      }
+      return { status: 'failed', findings: [], error: error.message };
+    } finally {
+      if (this.timeoutId) {
+        clearTimeout(this.timeoutId);
+        this.timeoutId = null;
+      }
+    }
+  }
+
+  /**
+   * Abort the current scan
+   * @param {string} reason - Reason for abortion
+   */
+  abort(reason = 'Scan aborted') {
+    this.aborted = true;
+    this.emit('abort', { reason });
+  }
+
+  /**
+   * Execute analyzers with abort checks between each
+   * @private
+   * @param {string} projectPath - Path to project
+   * @returns {Promise<ScanResult>}
+   */
+  async executeAnalyzers(projectPath) {
+    // Import analysis core dynamically to avoid circular dependencies
+    const { runAnalysis } = require('./analysis-core');
+    
+    // Check abort before starting
+    if (this.aborted) {
+      return { status: 'cancelled', findings: [] };
+    }
+    
+    try {
+      // Run analysis with progress tracking
+      this.emit('progress', { phase: 'analysis', status: 'running' });
+      
+      const result = await runAnalysis({
+        repoRoot: projectPath,
+        extended: true,
+        noWrite: false
+      });
+      
+      // Check abort after analysis
+      if (this.aborted) {
+        return { status: 'cancelled', findings: result.findings || [] };
+      }
+      
+      this.emit('progress', { phase: 'analysis', status: 'complete', count: result.findings?.length || 0 });
+      
+      return {
+        status: 'completed',
+        findings: result.findings || [],
+        verdict: result.verdict,
+        report: result.report
+      };
+    } catch (error) {
+      if (this.aborted) {
+        return { status: 'cancelled', findings: [], error: error.message };
+      }
+      throw error;
+    }
+  }
+}
+
+module.exports = { ScanRunner };