@vibecheckai/cli 3.5.0 → 3.5.2

package/mcp-server/index.js

@@ -63,7 +63,7 @@ const __dirname = path.dirname(__filename);
 // CENTRALIZED CONFIGURATION
 // ============================================================================
 const CONFIG = {
-  VERSION: "2.2.0",
+  VERSION: "2.1.0",
   BIN_PATH: path.join(__dirname, "..", "bin", "vibecheck.js"),
   OUTPUT_DIR: ".vibecheck",
   ENV_DEFAULTS: { VIBECHECK_SKIP_AUTH: "1" },
@@ -526,11 +526,25 @@ const CONTEXT_ATTRIBUTION = "🧠 Context enhanced by vibecheck";
 // Import Consolidated Tools (15 focused tools - recommended surface)
 import { CONSOLIDATED_TOOLS, handleConsolidatedTool } from "./consolidated-tools.js";
 
-// Import v3 Tools (10 focused tools - STARTER+ only, no free tools)
+// Import v3 Tools (2-tier model: FREE tools for inspect & observe, PRO for fix/prove/enforce)
 import { MCP_TOOLS_V3, handleToolV3, TOOL_TIERS as V3_TOOL_TIERS } from "./tools-v3.js";
 
 // Import tier auth for entitlement checking
-import { getFeatureAccessStatus } from "./tier-auth.js";
+import { getFeatureAccessStatus, getTierFromApiKey } from "./tier-auth.js";
+
+// Import new production modules
+const { 
+  validateToolInput, 
+  validateToolOutput, 
+  getToolTimeout,
+  getToolTier,
+} = require('./registry/tool-registry.js');
+const { 
+  executeWithEnvelope, 
+  createErrorEnvelope,
+  createSuccessEnvelope,
+} = require('./lib/error-envelope.js');
+const { rateLimiter } = require('./lib/rate-limiter.js');
 
 // Import Agent Firewall Interceptor - ENABLED BY DEFAULT
 // The Agent Firewall is the core gatekeeper that validates AI changes against reality
@@ -901,117 +915,29 @@ class VibecheckMCP {
       return '## Error: Invalid summary data\n';
     }
     
-    // Safely extract values with defaults - handle different output structures
-    const score = sanitizeNumber(
-      summary.score?.overall || summary.score || summary.verdict?.score || 0, 
-      0, 100, 0
-    );
-    const grade = sanitizeString(summary.grade || summary.verdict?.grade, 10) || 'N/A';
-    const verdict = summary.verdict?.verdict || summary.verdict || (score >= 80 ? 'SHIP' : score >= 50 ? 'WARN' : 'BLOCK');
-    const canShip = verdict === 'SHIP' || Boolean(summary.canShip);
-    const findings = sanitizeArray(summary.findings || summary.report?.findings || [], 500);
-    
-    // Get severity counts
-    const sevCounts = { critical: 0, high: 0, medium: 0, low: 0 };
-    for (const f of findings) {
-      const sev = (f.severity || 'medium').toLowerCase();
-      if (sev === 'block' || sev === 'critical') sevCounts.critical++;
-      else if (sev === 'high') sevCounts.high++;
-      else if (sev === 'warn' || sev === 'warning' || sev === 'medium') sevCounts.medium++;
-      else sevCounts.low++;
-    }
-    
-    // Build structured output
-    let output = '';
-    
-    // Header with verdict
-    const verdictEmoji = verdict === 'SHIP' ? '✅' : verdict === 'WARN' ? '⚠️' : '🚫';
-    output += `## ${verdictEmoji} VERDICT: ${verdict}\n\n`;
-    output += `**Health Score:** ${score}/100 (${grade})\n\n`;
+    // Safely extract values with defaults
+    const score = sanitizeNumber(summary.score, 0, 100, 0);
+    const grade = sanitizeString(summary.grade, 10) || 'N/A';
+    const canShip = Boolean(summary.canShip);
     
-    // Summary stats
-    output += `### Summary\n`;
-    output += `- **Total Issues:** ${findings.length}\n`;
-    output += `- **Critical:** ${sevCounts.critical}\n`;
-    output += `- **High:** ${sevCounts.high}\n`;
-    output += `- **Medium:** ${sevCounts.medium}\n`;
-    output += `- **Low:** ${sevCounts.low}\n\n`;
-
-    // Category breakdown
+    let output = `## Score: ${score}/100 (${grade})\n\n`;
+    output += `**Verdict:** ${canShip ? "✅ SHIP" : "🚫 NO-SHIP"}\n\n`;
+
     if (summary.counts && typeof summary.counts === 'object') {
-      output += "### Issue Categories\n\n";
-      output += "| Category | Count | Status |\n|----------|-------|--------|\n";
+      output += "### Checks\n\n";
+      output += "| Category | Issues |\n|----------|--------|\n";
       
-      const entries = Object.entries(summary.counts).slice(0, 20);
+      // Limit to 50 categories to prevent output bloat
+      const entries = Object.entries(summary.counts).slice(0, 50);
       for (const [key, count] of entries) {
         const safeKey = sanitizeString(key, 50);
         const safeCount = sanitizeNumber(count, 0, 999999, 0);
         const icon = safeCount === 0 ? "✅" : "⚠️";
-        output += `| ${safeKey} | ${safeCount} | ${icon} |\n`;
+        output += `| ${icon} ${safeKey} | ${safeCount} |\n`;
       }
-      output += '\n';
     }
 
-    // Top findings with details (show up to 15)
-    if (findings.length > 0) {
-      output += "### Top Issues to Fix\n\n";
-      
-      // Sort by severity (critical first)
-      const sortedFindings = findings
-        .sort((a, b) => {
-          const sevOrder = { critical: 0, block: 0, high: 1, warn: 2, warning: 2, medium: 2, low: 3, info: 4 };
-          const aOrder = sevOrder[(a.severity || 'medium').toLowerCase()] || 2;
-          const bOrder = sevOrder[(b.severity || 'medium').toLowerCase()] || 2;
-          return aOrder - bOrder;
-        })
-        .slice(0, 15);
-      
-      for (let i = 0; i < sortedFindings.length; i++) {
-        const f = sortedFindings[i];
-        const sev = sanitizeString(f.severity || 'medium', 20).toUpperCase();
-        const sevEmoji = sev === 'CRITICAL' || sev === 'BLOCK' ? '🔴' : sev === 'HIGH' ? '🟠' : '🟡';
-        const title = sanitizeString(f.title || f.message || f.why || 'Unknown issue', 100);
-        const category = sanitizeString(f.category || f.type || 'Other', 30);
-        const file = sanitizeString(f.file || (f.evidence && f.evidence[0]?.file) || '', 150);
-        const line = f.line || (f.evidence && f.evidence[0]?.lines) || '';
-        
-        output += `**${i + 1}. ${sevEmoji} [${sev}] ${title}**\n`;
-        output += `   - Category: \`${category}\`\n`;
-        if (file) {
-          output += `   - File: \`${file}\`${line ? `:${line}` : ''}\n`;
-        }
-        
-        // Include fix hints if available
-        const fixHint = f.fixHints?.[0] || f.fixHint || f.fix;
-        if (fixHint) {
-          output += `   - **Fix:** ${sanitizeString(fixHint, 200)}\n`;
-        }
-        output += '\n';
-      }
-      
-      if (findings.length > 15) {
-        output += `_...and ${findings.length - 15} more issues. See full report for details._\n\n`;
-      }
-    }
-
-    // Next steps based on verdict
-    output += "### Recommended Actions\n\n";
-    if (verdict === 'SHIP') {
-      output += "- ✅ Code is clean and ready to ship\n";
-      output += "- Consider running `vibecheck ship --badge` to generate a status badge\n";
-    } else if (verdict === 'WARN') {
-      output += "- Review the warnings above before shipping\n";
-      output += "- Run `vibecheck fix --plan` to see fix suggestions\n";
-      output += "- Consider using `vibecheck fix --apply` (PRO) to auto-fix issues\n";
-    } else {
-      output += "- 🚫 Critical issues must be fixed before shipping\n";
-      output += "- Run `vibecheck fix --plan` to see detailed fix suggestions\n";
-      output += "- Address critical issues first, then re-scan\n";
-    }
-    
-    output += `\n📄 **Full Report:** ${CONFIG.OUTPUT_DIR}/report.html\n`;
-    output += `📊 **JSON Results:** ${CONFIG.OUTPUT_DIR}/results/latest.json\n`;
-    
+    output += `\n📄 **Report:** ${CONFIG.OUTPUT_DIR}/report.html\n`;
     return output;
   }
   
@@ -1141,25 +1067,101 @@ class VibecheckMCP {
           });
         }
         
-        // Handle v3 tools (10 consolidated tools, STARTER+ only)
+        // Handle v3 tools (2-tier: FREE/PRO aligned with CLI entitlements)
         if (USE_V3_TOOLS && V3_TOOL_TIERS[toolName]) {
-          // SECURITY FIX: Never trust client-provided tier - validate from API key
-          // Previous: const userTier = sanitizeString(args?.tier, 20) || ...
-          // This allowed privilege escalation via args.tier = "pro"
+          // ================================================================
+          // PRODUCTION HARDENING: Integrated validation, rate limiting, timeout
+          // ================================================================
+          
+          // 1. Get user tier from API key (never trust client-provided tier)
           const { getMcpToolAccess } = await import('./tier-auth.js');
-          const access = await getMcpToolAccess(toolName, apiKey);
+          const access = await getMcpToolAccess(toolName, apiKey, args);
           const userTier = access.tier || 'free';
-          const result = await handleToolV3(toolName, args, { tier: userTier });
           
-          if (result.error) {
-            return this.error(result.error, { tier: result.tier, required: result.required });
+          // 2. Check per-user rate limit
+          const userId = apiKey ? hashKeyForRateLimit(apiKey) : '__anonymous__';
+          const rateCheck = rateLimiter.check(userId, userTier);
+          if (!rateCheck.allowed) {
+            const errorEnvelope = createErrorEnvelope(
+              'RATE_LIMITED',
+              `Rate limit exceeded. Try again in ${rateCheck.retryAfter} seconds`,
+              { retryAfter: rateCheck.retryAfter, limit: rateCheck.limit }
+            );
+            return this.error(errorEnvelope.error.message, {
+              code: errorEnvelope.error.code,
+              retryAfter: rateCheck.retryAfter,
+            });
           }
           
-          // Sanitize and truncate output
-          const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
-          return {
-            content: [{ type: "text", text: outputText }],
-          };
+          // 3. Validate input schema
+          const validation = validateToolInput(toolName, args);
+          if (!validation.valid) {
+            const errorEnvelope = createErrorEnvelope(
+              'VALIDATION_ERROR',
+              'Invalid tool input',
+              { errors: validation.errors }
+            );
+            return this.error(errorEnvelope.error.message, {
+              code: errorEnvelope.error.code,
+              errors: validation.errors,
+            });
+          }
+          
+          // 4. Check tier access (already done above, but ensure it's checked)
+          if (!access.hasAccess) {
+            return this.error(access.error?.message || 'Access denied', {
+              code: access.error?.code || 'TIER_REQUIRED',
+              tier: access.tier,
+              required: access.error?.required,
+            });
+          }
+          
+          // 5. Execute with timeout and cancellation support
+          const timeout = getToolTimeout(toolName);
+          const controller = new AbortController();
+          
+          // Register job for cancellation (if needed)
+          const jobId = `${toolName}-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+          if (typeof global !== 'undefined') {
+            if (!global.activeJobs) global.activeJobs = new Map();
+            global.activeJobs.set(jobId, controller);
+          }
+          
+          try {
+            const result = await executeWithEnvelope(
+              toolName,
+              async (signal) => {
+                return await handleToolV3(toolName, args, { 
+                  tier: userTier,
+                  signal, // Pass abort signal to tool handler
+                });
+              },
+              { timeout }
+            );
+            
+            // Cleanup job registration
+            if (typeof global !== 'undefined' && global.activeJobs) {
+              global.activeJobs.delete(jobId);
+            }
+            
+            // 6. Validate output schema (warn on mismatch, don't fail)
+            const outputValidation = validateToolOutput(toolName, result.data || result);
+            if (!outputValidation.valid) {
+              console.warn(`[MCP] Tool ${toolName} output validation warnings:`, outputValidation.errors);
+            }
+            
+            // 7. Return sanitized output
+            const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
+            return {
+              content: [{ type: "text", text: outputText }],
+            };
+          } catch (error) {
+            // Cleanup on error
+            if (typeof global !== 'undefined' && global.activeJobs) {
+              global.activeJobs.delete(jobId);
+            }
+            throw error;
+          }
         }
         
         // 1. Check tool registry first (local CLI handlers)
@@ -1284,12 +1286,6 @@ class VibecheckMCP {
     // Resources
     this.server.setRequestHandler(ListResourcesRequestSchema, async () => ({
       resources: [
-        {
-          uri: "vibecheck://status",
-          name: "Server Status",
-          description: "Current MCP server health, version, and rate limits",
-          mimeType: "application/json",
-        },
         {
           uri: "vibecheck://config",
           name: "vibecheck Config",
@@ -1338,12 +1334,6 @@ class VibecheckMCP {
           description: "Last prove loop results (ctx → reality → ship → fix)",
           mimeType: "application/json",
         },
-        {
-          uri: "vibecheck://registry",
-          name: "Command Registry",
-          description: "Available commands and their tiers",
-          mimeType: "application/json",
-        },
       ],
     }));
 
@@ -1490,82 +1480,6 @@ class VibecheckMCP {
           return await safeReadResource(provePath, "No prove results. Run vibecheck.prove first.");
         }
 
-        // Server status resource - live health check
-        if (uri === "vibecheck://status") {
-          const rateCheck = checkRateLimit(null);
-          const circuitCheck = checkCircuitBreaker();
-          
-          const status = {
-            server: {
-              version: CONFIG.VERSION,
-              uptime: Math.floor(process.uptime()),
-              transport: 'stdio',
-              nodeVersion: process.version,
-            },
-            health: {
-              status: circuitCheck.allowed ? 'healthy' : 'degraded',
-              circuitBreaker: circuitBreakerState.state,
-              failureCount: circuitBreakerState.failures,
-            },
-            rateLimit: {
-              remaining: rateCheck.remaining,
-              resetIn: rateCheck.resetIn || 0,
-              limit: CONFIG.LIMITS.RATE_LIMIT_MAX_CALLS,
-              window: CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS,
-            },
-            features: {
-              hardening: true,
-              auditLogging: true,
-              secretRedaction: true,
-              pathSecurity: true,
-            },
-            timestamp: new Date().toISOString(),
-          };
-          
-          return {
-            contents: [{ uri, mimeType: "application/json", text: JSON.stringify(status, null, 2) }],
-          };
-        }
-
-        // Registry resource - available commands and tiers
-        if (uri === "vibecheck://registry") {
-          const registry = {
-            version: CONFIG.VERSION,
-            tiers: {
-              free: {
-                name: 'FREE',
-                price: '$0',
-                description: 'Inspect & Observe',
-              },
-              pro: {
-                name: 'PRO',
-                price: '$69/mo',
-                description: 'Fix, Prove & Enforce',
-              },
-            },
-            tools: Object.entries(V3_TOOL_TIERS).map(([name, tier]) => ({
-              name,
-              tier,
-            })),
-            resources: [
-              'vibecheck://status',
-              'vibecheck://config',
-              'vibecheck://summary',
-              'vibecheck://truthpack',
-              'vibecheck://missions',
-              'vibecheck://reality',
-              'vibecheck://findings',
-              'vibecheck://share',
-              'vibecheck://prove',
-              'vibecheck://registry',
-            ],
-          };
-          
-          return {
-            contents: [{ uri, mimeType: "application/json", text: JSON.stringify(registry, null, 2) }],
-          };
-        }
-
         return { 
           contents: [{ 
             uri, 
@@ -1842,16 +1756,24 @@ class VibecheckMCP {
   }
 
   // ============================================================================
-  // GATE
+  // GATE - PRO tier required (CI/CD enforcement)
   // ============================================================================
   async handleGate(projectPath, args) {
-    // Check tier access (STARTER tier required)
-    const access = await getFeatureAccessStatus("gate", args?.apiKey);
+    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
+    const access = await getFeatureAccessStatus("vibecheck.gate", args?.apiKey, args);
     if (!access.hasAccess) {
       return {
         content: [{
           type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nCurrent tier: ${access.tier}\nUpgrade at: ${access.upgradeUrl}`
+          text: JSON.stringify({
+            ok: false,
+            error: access.error || {
+              code: 'NOT_ENTITLED',
+              message: 'Requires PRO',
+              userAction: 'Open billing',
+              retryable: false,
+            },
+          }, null, 2)
         }],
         isError: true
       };
@@ -1881,21 +1803,27 @@ class VibecheckMCP {
   }
 
   // ============================================================================
-  // FIX MISSIONS v1
+  // FIX MISSIONS v1 - PRO tier required (aligned with CLI entitlements-v2.js)
   // ============================================================================
   async handleFix(projectPath, args) {
-    // Check tier access for --apply and --autopilot (PRO tier required)
-    if (args?.apply || args?.autopilot) {
-      const access = await getFeatureAccessStatus("fix.apply_patches", args?.apiKey);
-      if (!access.hasAccess) {
-        return {
-          content: [{
-            type: "text",
-            text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nCurrent tier: ${access.tier}\nUpgrade at: ${access.upgradeUrl}\n\nNote: --prompt-only mode is available for FREE tier.`
-          }],
-          isError: true
-        };
-      }
+    // Check tier access - vibecheck.fix is PRO (all modes: plan, apply, autopilot)
+    const access = await getFeatureAccessStatus("vibecheck.fix", args?.apiKey, args);
+    if (!access.hasAccess) {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            ok: false,
+            error: access.error || {
+              code: 'NOT_ENTITLED',
+              message: 'Requires PRO',
+              userAction: 'Open billing',
+              retryable: false,
+            },
+          }, null, 2)
+        }],
+        isError: true
+      };
     }
 
     const mode = args?.autopilot ? "Autopilot" : 
@@ -2057,16 +1985,24 @@ class VibecheckMCP {
   }
 
   // ============================================================================
-  // PROVE - One Command Reality Proof
+  // PROVE - One Command Reality Proof (PRO tier required)
   // ============================================================================
   async handleProve(projectPath, args) {
-    // Check tier access (PRO tier required)
-    const access = await getFeatureAccessStatus("prove", args?.apiKey);
+    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
+    const access = await getFeatureAccessStatus("vibecheck.prove", args?.apiKey, args);
     if (!access.hasAccess) {
       return {
         content: [{
           type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nCurrent tier: ${access.tier}\nUpgrade at: ${access.upgradeUrl}`
+          text: JSON.stringify({
+            ok: false,
+            error: access.error || {
+              code: 'NOT_ENTITLED',
+              message: 'Requires PRO',
+              userAction: 'Open billing',
+              retryable: false,
+            },
+          }, null, 2)
         }],
         isError: true
       };
@@ -2261,9 +2197,29 @@ class VibecheckMCP {
   }
 
   // ============================================================================
-  // SHIP - Quick health check
+  // SHIP - Verdict engine (PRO tier required - aligned with CLI entitlements-v2.js)
   // ============================================================================
   async handleShip(projectPath, args) {
+    // Check tier access (PRO tier required)
+    const access = await getFeatureAccessStatus("vibecheck.ship", args?.apiKey, args);
+    if (!access.hasAccess) {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            ok: false,
+            error: access.error || {
+              code: 'NOT_ENTITLED',
+              message: 'Requires PRO',
+              userAction: 'Open billing',
+              retryable: false,
+            },
+          }, null, 2)
+        }],
+        isError: true
+      };
+    }
+
     // HARDENING: Validate project path
     const validation = this.validateProjectPath(projectPath);
     if (!validation.valid) {
@@ -2588,16 +2544,24 @@ class VibecheckMCP {
   }
 
   // ============================================================================
-  // AUTOPILOT PLAN - Generate fix plan (PRO tier)
+  // AUTOPILOT PLAN - Generate fix plan (PRO tier required)
   // ============================================================================
   async handleAutopilotPlan(projectPath, args) {
-    // Check tier access (PRO tier required)
-    const access = await getFeatureAccessStatus("fix.apply_patches", args?.apiKey);
+    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
+    const access = await getFeatureAccessStatus("vibecheck.fix", args?.apiKey, args);
     if (!access.hasAccess) {
       return {
         content: [{
           type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nCurrent tier: ${access.tier}\nUpgrade at: ${access.upgradeUrl}`
+          text: JSON.stringify({
+            ok: false,
+            error: access.error || {
+              code: 'NOT_ENTITLED',
+              message: 'Requires PRO',
+              userAction: 'Open billing',
+              retryable: false,
+            },
+          }, null, 2)
         }],
         isError: true
       };
@@ -2675,11 +2639,11 @@ class VibecheckMCP {
   }
 
   // ============================================================================
-  // AUTOPILOT APPLY - Apply fixes (PRO tier)
+  // AUTOPILOT APPLY - Apply fixes (PRO tier required)
   // ============================================================================
   async handleAutopilotApply(projectPath, args) {
-    // Check tier access (PRO tier required)
-    const access = await getFeatureAccessStatus("fix.apply_patches", args?.apiKey);
+    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
+    const access = await getFeatureAccessStatus("vibecheck.fix", args?.apiKey, args);
     if (!access.hasAccess) {
       return {
         content: [{
@@ -2736,16 +2700,24 @@ class VibecheckMCP {
   }
 
   // ============================================================================
-  // BADGE - Generate ship badge
+  // BADGE - Generate ship badge (PRO tier required)
   // ============================================================================
   async handleBadge(projectPath, args) {
-    // Check tier access (STARTER tier required)
-    const access = await getFeatureAccessStatus("badge", args?.apiKey);
+    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
+    const access = await getFeatureAccessStatus("vibecheck.badge", args?.apiKey, args);
     if (!access.hasAccess) {
       return {
         content: [{
           type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nCurrent tier: ${access.tier}\nUpgrade at: ${access.upgradeUrl}`
+          text: JSON.stringify({
+            ok: false,
+            error: access.error || {
+              code: 'NOT_ENTITLED',
+              message: 'Requires PRO',
+              userAction: 'Open billing',
+              retryable: false,
+            },
+          }, null, 2)
         }],
         isError: true
       };