@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/authority/authorities/quality.js

@@ -1,420 +0,0 @@
-/**
- * Quality Authority - Automated code quality review
- * 
- * Checks for:
- * - Code complexity (cyclomatic complexity)
- * - Code smells
- * - Best practices
- * - Documentation coverage
- * - Test coverage indicators
- */
-
-"use strict";
-
-const crypto = require("crypto");
-
-class QualityAuthority {
-  static description = "Code quality review";
-  static automated = true;
-  static tier = "pro";
-  
-  constructor(options = {}) {
-    this.options = options;
-    this.thresholds = {
-      maxFunctionLength: options.maxFunctionLength || 50,
-      maxFileLength: options.maxFileLength || 500,
-      maxComplexity: options.maxComplexity || 10,
-      maxNestedDepth: options.maxNestedDepth || 4,
-      ...options.thresholds,
-    };
-    this.rules = this._initializeRules();
-  }
-  
-  _initializeRules() {
-    return {
-      codeSmells: [
-        {
-          name: "console-log",
-          pattern: /console\.(log|debug|info)\s*\(/,
-          message: "Console statements should be removed in production code",
-          severity: "low",
-        },
-        {
-          name: "todo-fixme",
-          pattern: /\/\/\s*(TODO|FIXME|HACK|XXX|BUG):/i,
-          message: "Unresolved TODO/FIXME comment found",
-          severity: "low",
-        },
-        {
-          name: "magic-number",
-          pattern: /[^a-zA-Z0-9_](?<!0[xX])\d{4,}[^a-zA-Z0-9_]/,
-          message: "Magic number detected - consider using named constants",
-          severity: "low",
-        },
-        {
-          name: "empty-catch",
-          pattern: /catch\s*\([^)]*\)\s*{\s*}/,
-          message: "Empty catch block - errors should be handled or logged",
-          severity: "medium",
-        },
-        {
-          name: "any-type",
-          pattern: /:\s*any\b|as\s+any\b/,
-          message: "TypeScript 'any' type reduces type safety",
-          severity: "low",
-        },
-        {
-          name: "duplicate-string",
-          pattern: /(['"])[^'"]{20,}\1.*\1[^'"]{20,}\1/,
-          message: "Duplicate long string - consider extracting to constant",
-          severity: "low",
-        },
-        {
-          name: "hardcoded-timeout",
-          pattern: /setTimeout\s*\([^,]+,\s*\d{4,}\)/,
-          message: "Hardcoded timeout value - consider using named constant",
-          severity: "low",
-        },
-      ],
-      complexity: [
-        {
-          name: "nested-callbacks",
-          pattern: /\)\s*=>\s*{[\s\S]*?\)\s*=>\s*{[\s\S]*?\)\s*=>\s*{/,
-          message: "Deeply nested callbacks detected - consider async/await or extracting functions",
-          severity: "medium",
-        },
-        {
-          name: "nested-ternary",
-          pattern: /\?[^:]+\?[^:]+:/,
-          message: "Nested ternary operators reduce readability",
-          severity: "low",
-        },
-        {
-          name: "long-parameter-list",
-          pattern: /\([^)]*,\s*[^)]*,\s*[^)]*,\s*[^)]*,\s*[^)]*,/,
-          message: "Function has many parameters - consider using an options object",
-          severity: "low",
-        },
-      ],
-      bestPractices: [
-        {
-          name: "var-usage",
-          pattern: /\bvar\s+\w+/,
-          message: "Use 'const' or 'let' instead of 'var'",
-          severity: "low",
-        },
-        {
-          name: "double-equals",
-          pattern: /[^!=]==[^=]/,
-          message: "Use strict equality (===) instead of loose equality (==)",
-          severity: "low",
-        },
-        {
-          name: "async-no-await",
-          pattern: /async\s+(?:function\s+\w+|\([^)]*\)\s*=>|\w+\s*=>)\s*{[^}]*(?!await)[^}]*}/,
-          message: "Async function without await - consider removing async keyword",
-          severity: "low",
-        },
-        {
-          name: "promise-executor-async",
-          pattern: /new\s+Promise\s*\(\s*async/,
-          message: "Promise executor should not be async",
-          severity: "medium",
-        },
-        {
-          name: "floating-promise",
-          pattern: /^\s*\w+\.(then|catch)\s*\(/m,
-          message: "Floating promise - ensure proper error handling with await or .catch()",
-          severity: "medium",
-        },
-      ],
-      documentation: [
-        {
-          name: "missing-jsdoc-export",
-          pattern: /^export\s+(async\s+)?function\s+\w+\s*\([^)]*\)/m,
-          inverse: true,
-          context: /\/\*\*[\s\S]*?\*\/\s*export/,
-          message: "Exported function missing JSDoc documentation",
-          severity: "low",
-        },
-      ],
-      testing: [
-        {
-          name: "skip-test",
-          pattern: /\.(skip|only)\s*\(/,
-          context: /\.(test|spec)\.(ts|tsx|js|jsx)$/,
-          message: "Test skip/only found - should not be committed",
-          severity: "high",
-        },
-        {
-          name: "empty-test",
-          pattern: /it\s*\([^)]+,\s*\(\s*\)\s*=>\s*{\s*}\s*\)/,
-          context: /\.(test|spec)\.(ts|tsx|js|jsx)$/,
-          message: "Empty test case detected",
-          severity: "medium",
-        },
-      ],
-    };
-  }
-
-  async review(payload) {
-    const { files = [], diff = "", context = {} } = payload;
-    const findings = [];
-    const startTime = Date.now();
-    const metrics = {
-      totalLines: 0,
-      filesOverLength: 0,
-      functionsOverLength: 0,
-      complexFunctions: 0,
-    };
-
-    // Analyze diff content
-    if (diff) {
-      findings.push(...this._analyzeDiff(diff));
-    }
-
-    // Analyze files
-    for (const file of files) {
-      if (file.content) {
-        const fileFindings = this._analyzeFile(file.path || "unknown", file.content);
-        findings.push(...fileFindings);
-        
-        // Collect metrics
-        const lines = file.content.split("\n").length;
-        metrics.totalLines += lines;
-        
-        if (lines > this.thresholds.maxFileLength) {
-          metrics.filesOverLength++;
-          findings.push({
-            type: "quality-metric",
-            rule: "file-length",
-            severity: "medium",
-            message: `File exceeds ${this.thresholds.maxFileLength} lines (${lines} lines)`,
-            file: file.path,
-          });
-        }
-        
-        // Analyze function lengths
-        const functionLengthFindings = this._checkFunctionLengths(file.path, file.content);
-        findings.push(...functionLengthFindings);
-        metrics.functionsOverLength += functionLengthFindings.length;
-      }
-    }
-
-    // Calculate quality score
-    const qualityScore = this._calculateQualityScore(findings, metrics);
-
-    // Determine approval status
-    const hasHigh = findings.some(f => f.severity === "high");
-    const hasMedium = findings.some(f => f.severity === "medium");
-    const lowCount = findings.filter(f => f.severity === "low").length;
-
-    return {
-      approved: !hasHigh && !(hasMedium && lowCount > 10),
-      reason: hasHigh 
-        ? "Quality issues require attention before approval" 
-        : hasMedium
-          ? "Approved with quality warnings"
-          : findings.length > 0 
-            ? "Approved with minor quality suggestions"
-            : "Code quality looks excellent",
-      findings,
-      qualityScore,
-      metrics,
-      signature: this._sign(findings),
-      metadata: {
-        analysisTimeMs: Date.now() - startTime,
-        filesAnalyzed: files.length,
-        totalLines: metrics.totalLines,
-        rulesChecked: this._countRules(),
-      },
-    };
-  }
-
-  _analyzeDiff(diff) {
-    const findings = [];
-    const lines = diff.split("\n");
-    let currentFile = "unknown";
-    let lineNumber = 0;
-
-    for (const line of lines) {
-      if (line.startsWith("+++") || line.startsWith("---")) {
-        const match = line.match(/[ab]\/(.+)/);
-        if (match) currentFile = match[1];
-        continue;
-      }
-
-      if (line.startsWith("@@")) {
-        const match = line.match(/@@ -\d+(?:,\d+)? \+(\d+)/);
-        if (match) lineNumber = parseInt(match[1], 10);
-        continue;
-      }
-
-      if (line.startsWith("+") && !line.startsWith("+++")) {
-        const addedContent = line.slice(1);
-        
-        for (const category of ["codeSmells", "complexity", "bestPractices", "testing"]) {
-          for (const rule of this.rules[category]) {
-            if (this._matchesRule(addedContent, currentFile, rule)) {
-              findings.push({
-                type: "quality-issue",
-                category,
-                rule: rule.name,
-                severity: rule.severity,
-                message: rule.message,
-                file: currentFile,
-                line: lineNumber,
-                evidence: addedContent.trim().slice(0, 80),
-              });
-            }
-          }
-        }
-
-        lineNumber++;
-      } else if (!line.startsWith("-")) {
-        lineNumber++;
-      }
-    }
-
-    return findings;
-  }
-
-  _analyzeFile(filePath, content) {
-    const findings = [];
-    const lines = content.split("\n");
-
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      
-      for (const category of ["codeSmells", "complexity", "bestPractices", "testing"]) {
-        for (const rule of this.rules[category]) {
-          if (this._matchesRule(line, filePath, rule)) {
-            findings.push({
-              type: "quality-issue",
-              category,
-              rule: rule.name,
-              severity: rule.severity,
-              message: rule.message,
-              file: filePath,
-              line: i + 1,
-              evidence: line.trim().slice(0, 80),
-            });
-          }
-        }
-      }
-    }
-
-    return findings;
-  }
-
-  _matchesRule(content, filePath, rule) {
-    if (rule.context) {
-      if (rule.context instanceof RegExp) {
-        if (!rule.context.test(content) && !rule.context.test(filePath)) {
-          return false;
-        }
-      }
-    }
-
-    const matches = rule.pattern.test(content);
-    
-    if (rule.inverse) {
-      return !matches;
-    }
-    
-    return matches;
-  }
-
-  _checkFunctionLengths(filePath, content) {
-    const findings = [];
-    const functionPattern = /(?:function\s+\w+|(?:const|let|var)\s+\w+\s*=\s*(?:async\s+)?(?:function|\([^)]*\)\s*=>))/g;
-    const lines = content.split("\n");
-    
-    let match;
-    while ((match = functionPattern.exec(content)) !== null) {
-      const startIndex = match.index;
-      const startLine = content.slice(0, startIndex).split("\n").length;
-      
-      // Find the matching closing brace
-      let braceCount = 0;
-      let foundOpen = false;
-      let endLine = startLine;
-      
-      for (let i = startLine - 1; i < lines.length; i++) {
-        const line = lines[i];
-        for (const char of line) {
-          if (char === "{") {
-            braceCount++;
-            foundOpen = true;
-          } else if (char === "}") {
-            braceCount--;
-            if (foundOpen && braceCount === 0) {
-              endLine = i + 1;
-              break;
-            }
-          }
-        }
-        if (foundOpen && braceCount === 0) break;
-      }
-      
-      const functionLength = endLine - startLine;
-      if (functionLength > this.thresholds.maxFunctionLength) {
-        findings.push({
-          type: "quality-metric",
-          rule: "function-length",
-          severity: "medium",
-          message: `Function exceeds ${this.thresholds.maxFunctionLength} lines (${functionLength} lines)`,
-          file: filePath,
-          line: startLine,
-        });
-      }
-    }
-
-    return findings;
-  }
-
-  _calculateQualityScore(findings, metrics) {
-    let score = 100;
-    
-    // Deduct points for findings
-    for (const finding of findings) {
-      switch (finding.severity) {
-        case "critical":
-          score -= 20;
-          break;
-        case "high":
-          score -= 10;
-          break;
-        case "medium":
-          score -= 5;
-          break;
-        case "low":
-          score -= 1;
-          break;
-      }
-    }
-    
-    // Bonus for small, focused files
-    if (metrics.filesOverLength === 0 && metrics.totalLines > 0) {
-      score = Math.min(100, score + 5);
-    }
-
-    return Math.max(0, Math.min(100, Math.round(score)));
-  }
-
-  _countRules() {
-    return Object.values(this.rules).reduce((sum, arr) => sum + arr.length, 0);
-  }
-
-  _sign(findings) {
-    const timestamp = Date.now();
-    const hash = crypto
-      .createHash("sha256")
-      .update(JSON.stringify({ findings: findings.length, timestamp }))
-      .digest("hex")
-      .slice(0, 16);
-    return `qual_${timestamp}_${hash}_${findings.length}`;
-  }
-}
-
-module.exports = { QualityAuthority };

package/bin/runners/lib/authority/authorities/security.js

@@ -1,228 +0,0 @@
-/**
- * Security Authority - Automated security review
- * 
- * Checks for:
- * - Hardcoded secrets in code/diffs
- * - Dangerous patterns (eval, innerHTML, etc.)
- * - SQL injection vulnerabilities
- * - Command injection vulnerabilities
- * - Path traversal risks
- */
-
-"use strict";
-
-const crypto = require("crypto");
-
-class SecurityAuthority {
-  static description = "Automated security review";
-  static automated = true;
-  static tier = "pro";
-  
-  constructor(options = {}) {
-    this.options = options;
-    this.patterns = this._initializePatterns();
-  }
-  
-  _initializePatterns() {
-    return {
-      secrets: [
-        { pattern: /password\s*[=:]\s*['"][^'"]{4,}['"]/gi, message: "Potential password detected" },
-        { pattern: /api[_-]?key\s*[=:]\s*['"][^'"]{8,}['"]/gi, message: "Potential API key detected" },
-        { pattern: /secret\s*[=:]\s*['"][^'"]{8,}['"]/gi, message: "Potential secret detected" },
-        { pattern: /token\s*[=:]\s*['"][^'"]{8,}['"]/gi, message: "Potential token detected" },
-        { pattern: /private[_-]?key\s*[=:]\s*['"][^'"]+['"]/gi, message: "Potential private key detected" },
-        { pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/gi, message: "Private key detected" },
-        { pattern: /aws[_-]?(access[_-]?key|secret)[_-]?(id|key)?\s*[=:]\s*['"][^'"]+['"]/gi, message: "AWS credential detected" },
-        { pattern: /ghp_[a-zA-Z0-9]{36}/g, message: "GitHub personal access token detected" },
-        { pattern: /sk-[a-zA-Z0-9]{48}/g, message: "OpenAI API key detected" },
-        { pattern: /stripe[_-]?(secret|key)\s*[=:]\s*['"]sk_[^'"]+['"]/gi, message: "Stripe secret key detected" },
-      ],
-      dangerous: [
-        { pattern: /eval\s*\(/, message: "eval() usage detected", severity: "high" },
-        { pattern: /innerHTML\s*=/, message: "innerHTML assignment detected", severity: "high" },
-        { pattern: /dangerouslySetInnerHTML/, message: "React dangerouslySetInnerHTML detected", severity: "high" },
-        { pattern: /document\.write\s*\(/, message: "document.write usage detected", severity: "medium" },
-        { pattern: /new\s+Function\s*\(/, message: "Function constructor usage detected", severity: "high" },
-        { pattern: /execSync\s*\(\s*[`$]/, message: "Command injection via shell interpolation", severity: "critical" },
-        { pattern: /exec\s*\(\s*[`$]/, message: "Command injection risk", severity: "high" },
-        { pattern: /child_process\.exec\s*\(.*\$\{/, message: "Command injection via template literal", severity: "critical" },
-      ],
-      sqlInjection: [
-        { pattern: /query\s*\(\s*[`$]/, message: "SQL injection via string interpolation", severity: "critical" },
-        { pattern: /execute\s*\(\s*['"].*\+\s*/, message: "SQL injection via concatenation", severity: "critical" },
-        { pattern: /\.raw\s*\(\s*[`$]/, message: "Raw SQL with interpolation", severity: "high" },
-      ],
-      pathTraversal: [
-        { pattern: /path\.join\s*\([^)]*req\./, message: "Path traversal via user input", severity: "high" },
-        { pattern: /fs\.(read|write|unlink|rmdir).*req\.(params|query|body)/, message: "File operation with user input", severity: "high" },
-        { pattern: /\.\.\/|\.\.\\/, message: "Potential path traversal sequence", severity: "medium" },
-      ],
-    };
-  }
-
-  async review(payload) {
-    const { files = [], diff = "", context = {} } = payload;
-    const findings = [];
-    const startTime = Date.now();
-
-    // Analyze diff content
-    if (diff) {
-      findings.push(...this._analyzeDiff(diff));
-    }
-
-    // Analyze files content
-    for (const file of files) {
-      if (file.content) {
-        findings.push(...this._analyzeFile(file.path || "unknown", file.content));
-      }
-    }
-
-    // Check for secrets
-    const secretFindings = this._checkSecrets(diff, files);
-    findings.push(...secretFindings);
-
-    // Determine approval status
-    const hasCritical = findings.some(f => f.severity === "critical");
-    const hasHigh = findings.some(f => f.severity === "high");
-
-    return {
-      approved: !hasCritical,
-      reason: hasCritical 
-        ? "Critical security issues found - changes blocked" 
-        : hasHigh
-          ? "Approved with warnings - review high severity issues"
-          : findings.length > 0 
-            ? "Approved with minor warnings"
-            : "No security issues detected",
-      findings,
-      signature: this._sign(findings),
-      metadata: {
-        analysisTimeMs: Date.now() - startTime,
-        filesAnalyzed: files.length,
-        patternsChecked: this._countPatterns(),
-      },
-    };
-  }
-
-  _analyzeDiff(diff) {
-    const findings = [];
-    const lines = diff.split("\n");
-    let currentFile = "unknown";
-    let lineNumber = 0;
-
-    for (const line of lines) {
-      // Track file context from diff header
-      if (line.startsWith("+++") || line.startsWith("---")) {
-        const match = line.match(/[ab]\/(.+)/);
-        if (match) currentFile = match[1];
-        continue;
-      }
-
-      // Track line numbers
-      if (line.startsWith("@@")) {
-        const match = line.match(/@@ -\d+(?:,\d+)? \+(\d+)/);
-        if (match) lineNumber = parseInt(match[1], 10);
-        continue;
-      }
-
-      // Only check added lines
-      if (line.startsWith("+") && !line.startsWith("+++")) {
-        const addedContent = line.slice(1);
-        
-        // Check dangerous patterns
-        for (const category of ["dangerous", "sqlInjection", "pathTraversal"]) {
-          for (const { pattern, message, severity } of this.patterns[category]) {
-            if (pattern.test(addedContent)) {
-              findings.push({
-                type: `${category}-pattern`,
-                severity: severity || "high",
-                message,
-                file: currentFile,
-                line: lineNumber,
-                evidence: addedContent.trim().slice(0, 100),
-              });
-              // Reset lastIndex for global patterns
-              pattern.lastIndex = 0;
-            }
-          }
-        }
-        lineNumber++;
-      } else if (!line.startsWith("-")) {
-        lineNumber++;
-      }
-    }
-
-    return findings;
-  }
-
-  _analyzeFile(filePath, content) {
-    const findings = [];
-    const lines = content.split("\n");
-
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      
-      for (const category of ["dangerous", "sqlInjection", "pathTraversal"]) {
-        for (const { pattern, message, severity } of this.patterns[category]) {
-          if (pattern.test(line)) {
-            findings.push({
-              type: `${category}-pattern`,
-              severity: severity || "high",
-              message,
-              file: filePath,
-              line: i + 1,
-              evidence: line.trim().slice(0, 100),
-            });
-            pattern.lastIndex = 0;
-          }
-        }
-      }
-    }
-
-    return findings;
-  }
-
-  _checkSecrets(diff, files) {
-    const findings = [];
-    const allContent = diff + files.map(f => f.content || "").join("\n");
-
-    for (const { pattern, message } of this.patterns.secrets) {
-      const matches = allContent.match(pattern);
-      if (matches) {
-        for (const match of matches) {
-          findings.push({
-            type: "secret-in-diff",
-            severity: "critical",
-            message,
-            evidence: this._redactSecret(match),
-          });
-        }
-        pattern.lastIndex = 0;
-      }
-    }
-
-    return findings;
-  }
-
-  _redactSecret(secret) {
-    // Show first 4 and last 2 chars, redact the rest
-    if (secret.length <= 10) return "***REDACTED***";
-    return secret.slice(0, 4) + "***REDACTED***" + secret.slice(-2);
-  }
-
-  _countPatterns() {
-    return Object.values(this.patterns).reduce((sum, arr) => sum + arr.length, 0);
-  }
-
-  _sign(findings) {
-    const timestamp = Date.now();
-    const hash = crypto
-      .createHash("sha256")
-      .update(JSON.stringify({ findings: findings.length, timestamp }))
-      .digest("hex")
-      .slice(0, 16);
-    return `sec_${timestamp}_${hash}_${findings.length}`;
-  }
-}
-
-module.exports = { SecurityAuthority };