@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/default-config.js

@@ -0,0 +1,127 @@
+/**
+ * Default Configuration for Vibecheck Scans
+ * 
+ * Provides default exclusions and limits for all scan operations.
+ * Cross-platform compatible (Windows, macOS, Linux).
+ */
+
+"use strict";
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// DEFAULT EXCLUSIONS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const DEFAULT_EXCLUSIONS = [
+  // Dependencies
+  'node_modules',
+  'vendor',
+  '.venv',
+  'venv',
+  '__pycache__',
+  '.pip',
+  
+  // Build outputs
+  'dist',
+  'build',
+  '.next',
+  'out',
+  '.turbo',
+  'coverage',
+  
+  // Version control
+  '.git',
+  '.svn',
+  '.hg',
+  
+  // IDE
+  '.idea',
+  '.vscode',
+  '.cursor',
+  
+  // Vibecheck artifacts
+  '.vibecheck',
+  '.guardrail',
+  
+  // Logs and temp
+  'logs',
+  '*.log',
+  'tmp',
+  'temp',
+];
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// FILE SIZE LIMITS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const MAX_FILE_SIZE_BYTES = 1024 * 1024; // 1MB
+const MAX_FILES_TO_SCAN = 10000;
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// HELPER FUNCTIONS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Check if a file path should be excluded based on default patterns.
+ * Handles Windows path separators correctly.
+ * 
+ * @param {string} filePath - File path to check (can be absolute or relative)
+ * @param {string[]} [additionalExclusions] - Additional exclusion patterns
+ * @returns {boolean} True if file should be excluded
+ */
+function shouldExclude(filePath, additionalExclusions = []) {
+  const allExclusions = [...DEFAULT_EXCLUSIONS, ...additionalExclusions];
+  
+  // Normalize path separators (Windows uses \, Unix uses /)
+  const normalized = filePath.replace(/\\/g, '/');
+  
+  // Split path into segments
+  const segments = normalized.split('/');
+  
+  for (const pattern of allExclusions) {
+    // Handle glob patterns (e.g., *.log)
+    if (pattern.includes('*')) {
+      const regex = new RegExp(pattern.replace(/\*/g, '.*').replace(/\./g, '\\.'));
+      if (regex.test(normalized) || segments.some(seg => regex.test(seg))) {
+        return true;
+      }
+    } else {
+      // Exact match or directory match
+      if (segments.includes(pattern) || 
+          normalized.includes(`/${pattern}/`) || 
+          normalized.startsWith(`${pattern}/`) ||
+          normalized.endsWith(`/${pattern}`)) {
+        return true;
+      }
+    }
+  }
+  
+  return false;
+}
+
+/**
+ * Check if a file exceeds size limits
+ * 
+ * @param {number} fileSizeBytes - File size in bytes
+ * @returns {boolean} True if file exceeds limit
+ */
+function exceedsSizeLimit(fileSizeBytes) {
+  return fileSizeBytes > MAX_FILE_SIZE_BYTES;
+}
+
+/**
+ * Get default exclusion patterns
+ * 
+ * @returns {string[]} Array of exclusion patterns
+ */
+function getDefaultExclusions() {
+  return [...DEFAULT_EXCLUSIONS];
+}
+
+module.exports = {
+  DEFAULT_EXCLUSIONS,
+  MAX_FILE_SIZE_BYTES,
+  MAX_FILES_TO_SCAN,
+  shouldExclude,
+  exceedsSizeLimit,
+  getDefaultExclusions,
+};

package/bin/runners/lib/doctor/modules/security.js

@@ -257,10 +257,12 @@ function createDiagnostics(projectPath) {
         
         try {
           const { execSync } = require('child_process');
-          const result = execSync('git log --all --full-history -- .env 2>/dev/null | head -1', {
+          // Windows-compatible: use -n 1 instead of piping to head
+          const result = execSync('git log --all --full-history -n 1 -- .env', {
             cwd: projectPath,
             encoding: 'utf8',
             timeout: 10000,
+            stdio: ['pipe', 'pipe', 'pipe'], // Suppress stderr on all platforms
           }).trim();
           
           if (result) {

package/bin/runners/lib/engine/ast-cache.js

@@ -0,0 +1,210 @@
+// bin/runners/lib/engine/ast-cache.js
+// Shared AST cache with content-hash keying
+
+const parser = require("@babel/parser");
+const crypto = require("crypto");
+
+/**
+ * Compute SHA256 hash
+ * @param {string} content
+ * @returns {string}
+ */
+function sha256(content) {
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+
+/**
+ * Default Babel parser options for maximum compatibility
+ */
+const DEFAULT_PARSER_OPTIONS = {
+  sourceType: "unambiguous",
+  errorRecovery: true,
+  allowImportExportEverywhere: true,
+  plugins: [
+    "typescript",
+    "jsx",
+    "dynamicImport",
+    "importMeta",
+    "topLevelAwait",
+    "classProperties",
+    "classPrivateProperties",
+    "classPrivateMethods",
+    "optionalChaining",
+    "nullishCoalescingOperator",
+    "decorators-legacy",
+  ],
+};
+
+/**
+ * ASTCache - Content-hash keyed AST cache
+ * 
+ * Usage:
+ *   const cache = new ASTCache();
+ *   const ast = cache.parse(content, filePath);
+ *   
+ *   // Later, same content will return cached AST
+ *   const ast2 = cache.parse(content, filePath); // cache hit
+ */
+class ASTCache {
+  /**
+   * @param {Object} [options]
+   * @param {number} [options.maxEntries] - Max cache entries (default: 5000)
+   * @param {Object} [options.parserOptions] - Babel parser options override
+   */
+  constructor(options = {}) {
+    this.maxEntries = options.maxEntries || 5000;
+    this.parserOptions = { ...DEFAULT_PARSER_OPTIONS, ...options.parserOptions };
+
+    /** @type {Map<string, { ast: any, accessCount: number }>} hash -> { ast, accessCount } */
+    this._cache = new Map();
+
+    this.stats = {
+      hits: 0,
+      misses: 0,
+      parseErrors: 0,
+      evictions: 0,
+    };
+  }
+
+  /**
+   * Parse code and cache the AST
+   * @param {string} content - Source code
+   * @param {string} [filePath] - Optional file path for error messages
+   * @returns {{ ast: any, error: Error|null }}
+   */
+  parse(content, filePath) {
+    const hash = sha256(content);
+
+    // Check cache
+    if (this._cache.has(hash)) {
+      const entry = this._cache.get(hash);
+      entry.accessCount++;
+      this.stats.hits++;
+      return { ast: entry.ast, error: null };
+    }
+
+    this.stats.misses++;
+
+    // Parse
+    let ast = null;
+    let error = null;
+
+    try {
+      ast = parser.parse(content, {
+        ...this.parserOptions,
+        sourceFilename: filePath || undefined,
+      });
+    } catch (e) {
+      error = e;
+      this.stats.parseErrors++;
+    }
+
+    // Cache if successful
+    if (ast) {
+      this._cacheEntry(hash, ast);
+    }
+
+    return { ast, error };
+  }
+
+  /**
+   * Get cached AST by content hash
+   * @param {string} hash - Content hash
+   * @returns {any|null}
+   */
+  getByHash(hash) {
+    const entry = this._cache.get(hash);
+    if (entry) {
+      entry.accessCount++;
+      this.stats.hits++;
+      return entry.ast;
+    }
+    return null;
+  }
+
+  /**
+   * Check if AST is cached
+   * @param {string} content
+   * @returns {boolean}
+   */
+  has(content) {
+    return this._cache.has(sha256(content));
+  }
+
+  /**
+   * Cache an entry with LRU eviction
+   * @param {string} hash
+   * @param {any} ast
+   */
+  _cacheEntry(hash, ast) {
+    // Evict if at capacity
+    if (this._cache.size >= this.maxEntries) {
+      this._evictLRU();
+    }
+
+    this._cache.set(hash, { ast, accessCount: 1 });
+  }
+
+  /**
+   * Evict least recently used entries
+   */
+  _evictLRU() {
+    // Find entry with lowest access count
+    let minKey = null;
+    let minCount = Infinity;
+
+    for (const [key, entry] of this._cache) {
+      if (entry.accessCount < minCount) {
+        minCount = entry.accessCount;
+        minKey = key;
+      }
+    }
+
+    if (minKey) {
+      this._cache.delete(minKey);
+      this.stats.evictions++;
+    }
+  }
+
+  /**
+   * Clear the cache
+   */
+  clear() {
+    this._cache.clear();
+  }
+
+  /**
+   * Get cache size
+   * @returns {number}
+   */
+  get size() {
+    return this._cache.size;
+  }
+
+  /**
+   * Get cache stats summary
+   * @returns {Object}
+   */
+  getSummary() {
+    const total = this.stats.hits + this.stats.misses;
+    const hitRate = total > 0 ? (this.stats.hits / total * 100).toFixed(1) : 0;
+
+    return {
+      ...this.stats,
+      size: this._cache.size,
+      hitRate: `${hitRate}%`,
+    };
+  }
+}
+
+/**
+ * Global shared AST cache instance
+ * Use this for cross-adapter/analyzer caching
+ */
+const globalASTCache = new ASTCache();
+
+module.exports = {
+  ASTCache,
+  globalASTCache,
+  DEFAULT_PARSER_OPTIONS,
+};

package/bin/runners/lib/engine/auth-extractor.js

@@ -0,0 +1,211 @@
+// bin/runners/lib/engine/auth-extractor.js
+// Optimized auth/middleware extraction using RepoIndex
+
+const path = require("path");
+const fs = require("fs");
+const crypto = require("crypto");
+
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function evidenceFromContent(content, fileRel, lineNo, reason) {
+  if (!content) return null;
+  const lines = content.split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+
+function guessAuthSignalsFromCode(code) {
+  const signals = [];
+
+  const patterns = [
+    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
+    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
+    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
+    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
+    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
+    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
+    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
+    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
+    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
+  ];
+
+  for (const p of patterns) {
+    if (p.rx.test(code)) signals.push(p.key);
+  }
+  return Array.from(new Set(signals));
+}
+
+/**
+ * Resolve Next.js middleware using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @returns {Array}
+ */
+function extractNextMiddleware(index) {
+  // Find middleware.ts/js files
+  const middlewareFiles = index.files.filter(f =>
+    /^(src\/)?middleware\.(ts|tsx|js|jsx)$/.test(f.rel)
+  );
+
+  const middlewares = [];
+
+  for (const file of middlewareFiles) {
+    const content = index.getContent(file.abs);
+    if (!content) continue;
+
+    const matcherLines = findLineMatches(content, /\bmatcher\b/);
+    const redirectLines = findLineMatches(content, /\bNextResponse\.(redirect|rewrite)\b/);
+
+    const evidence = [];
+    for (const ln of matcherLines.slice(0, 5)) {
+      evidence.push(evidenceFromContent(content, file.rel, ln, "Next middleware matcher config"));
+    }
+    for (const ln of redirectLines.slice(0, 5)) {
+      evidence.push(evidenceFromContent(content, file.rel, ln, "Next middleware redirect/rewrite"));
+    }
+
+    const matcher = [];
+    const matcherBlock = content.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
+    if (matcherBlock && matcherBlock[1]) {
+      const raw = matcherBlock[1];
+      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
+      matcher.push(...strings);
+    }
+
+    middlewares.push({
+      file: file.rel,
+      matcher,
+      signals: guessAuthSignalsFromCode(content),
+      evidence
+    });
+  }
+
+  return middlewares;
+}
+
+/**
+ * Resolve Fastify auth signals using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Array} truthpackRoutes - Server routes from truthpack
+ * @returns {Object}
+ */
+function extractFastifyAuthSignals(index, truthpackRoutes) {
+  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
+  const signals = [];
+  const evidence = [];
+
+  for (const fileRel of handlerFiles) {
+    // Try to get content from index first (fast path)
+    const fileAbs = path.join(index.repoRoot, fileRel);
+    let content = index.getContent(fileAbs);
+    
+    // Fall back to direct read if not in index
+    if (!content) {
+      try {
+        content = fs.readFileSync(fileAbs, "utf8");
+      } catch {
+        continue;
+      }
+    }
+
+    const sigs = guessAuthSignalsFromCode(content);
+    if (!sigs.length) continue;
+
+    for (const s of sigs) signals.push({ type: s, file: fileRel });
+
+    const authLinePatterns = [
+      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
+      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
+      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
+      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
+    ];
+
+    const lines = content.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      for (const p of authLinePatterns) {
+        if (p.rx.test(line)) {
+          evidence.push(evidenceFromContent(content, fileRel, i + 1, p.reason));
+        }
+      }
+      if (evidence.length > 30) break;
+    }
+  }
+
+  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
+
+  return {
+    signalTypes: uniqueTypes,
+    signals,
+    evidence
+  };
+}
+
+function matcherCoversPath(matcherList, p) {
+  if (!Array.isArray(matcherList) || !matcherList.length) return false;
+  const pathStr = p.startsWith("/") ? p : `/${p}`;
+
+  return matcherList.some(m => {
+    if (!m) return false;
+
+    if (m.includes(":path*")) {
+      const prefix = m.split(":path*")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+    if (m.includes("(.*)")) {
+      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+
+    if (m === pathStr) return true;
+    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
+
+    return false;
+  });
+}
+
+/**
+ * Build auth truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Array} serverRoutes
+ * @returns {Object}
+ */
+function buildAuthTruthV2(index, serverRoutes) {
+  const middlewares = extractNextMiddleware(index);
+  const matchers = middlewares.flatMap(mw => mw.matcher || []);
+  const fastify = extractFastifyAuthSignals(index, serverRoutes);
+
+  return {
+    nextMiddleware: middlewares,
+    nextMatcherPatterns: matchers,
+    fastify,
+    helpers: {
+      matcherCoversPath: "runtime-only"
+    }
+  };
+}
+
+module.exports = {
+  buildAuthTruthV2,
+  extractNextMiddleware,
+  extractFastifyAuthSignals,
+  matcherCoversPath,
+  guessAuthSignalsFromCode,
+};

package/bin/runners/lib/engine/billing-extractor.js

@@ -0,0 +1,112 @@
+// bin/runners/lib/engine/billing-extractor.js
+// Optimized billing/Stripe extraction using RepoIndex
+
+const path = require("path");
+const crypto = require("crypto");
+
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function evidenceFromContent(content, fileRel, lineNo, reason) {
+  if (!content) return null;
+  const lines = content.split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+
+function classifyStripeSignals(code) {
+  return {
+    usesStripeSdk: /\bstripe\b/i.test(code) && /from\s+['"]stripe['"]|require\(['"]stripe['"]\)/.test(code),
+    webhookConstructEvent: /\bconstructEvent(Async)?\b/.test(code) || /\bstripe\.webhooks\.constructEvent\b/.test(code),
+    readsStripeSignatureHeader: /stripe-signature/i.test(code) || /\bStripe-Signature\b/.test(code),
+    rawBodySignal:
+      /\bbodyParser\s*:\s*false\b/.test(code) ||
+      /\breq\.(text|arrayBuffer)\(\)/.test(code) ||
+      /\brawBody\b/.test(code) || /\brequest\.raw\b/.test(code) || /\bcontentTypeParser\b/i.test(code),
+    idempotencySignal:
+      /\bevent\.id\b/.test(code) && /\b(prisma|db|redis|cache|processed|dedupe|idempotent)\b/i.test(code) ||
+      /\bidempotenc(y|e)\b/i.test(code)
+  };
+}
+
+/**
+ * Build billing truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Object} stats
+ * @returns {Object}
+ */
+function buildBillingTruthV2(index, stats) {
+  // Use token prefilter - only scan files that mention stripe
+  const candidateAbs = index.getByAnyToken(["stripe", "Stripe"]);
+  
+  // Filter to JS/TS files
+  const jsExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
+  const files = candidateAbs.filter(abs => {
+    const ext = path.extname(abs).toLowerCase();
+    return jsExtensions.has(ext);
+  });
+
+  const webhookCandidates = [];
+  const stripeFiles = [];
+
+  for (const fileAbs of files) {
+    const fileRel = index.relPath(fileAbs);
+    const content = index.getContent(fileAbs);
+    if (!content) continue;
+
+    const signals = classifyStripeSignals(content);
+
+    if (signals.usesStripeSdk) stripeFiles.push(fileRel);
+
+    if (signals.webhookConstructEvent || signals.readsStripeSignatureHeader) {
+      const ev = [];
+      const lines1 = findLineMatches(content, /\bconstructEvent(Async)?\b|stripe\.webhooks\.constructEvent/);
+      const lines2 = findLineMatches(content, /stripe-signature|Stripe-Signature/i);
+      const lines3 = findLineMatches(content, /bodyParser\s*:\s*false|req\.(text|arrayBuffer)\(|rawBody|contentTypeParser/i);
+      const lines4 = findLineMatches(content, /event\.id|idempotenc(y|e)|dedupe|processed/i);
+
+      for (const ln of lines1.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Stripe webhook signature constructEvent signal"));
+      for (const ln of lines2.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Stripe-Signature header usage signal"));
+      for (const ln of lines3.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Raw body handling signal (required for Stripe verification)"));
+      for (const ln of lines4.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Idempotency/dedupe signal (event replay protection)"));
+
+      webhookCandidates.push({
+        file: fileRel,
+        signals,
+        evidence: ev
+      });
+    }
+  }
+
+  const hasStripe = stripeFiles.length > 0;
+
+  return {
+    hasStripe,
+    stripeFiles: stripeFiles.slice(0, 200),
+    webhookCandidates,
+    summary: {
+      webhookHandlersFound: webhookCandidates.length,
+      verifiedWebhookHandlers: webhookCandidates.filter(w => w.signals.webhookConstructEvent && w.signals.rawBodySignal).length,
+      idempotentWebhookHandlers: webhookCandidates.filter(w => w.signals.idempotencySignal).length
+    }
+  };
+}
+
+module.exports = { buildBillingTruthV2 };