@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/engines/context-detection.js

@@ -1,264 +0,0 @@
-/**
- * Context-Aware Detection Utilities
- * 
- * Provides smarter detection logic to reduce false positives in vibecheck scans.
- * Handles cases like:
- * - Tailwind CSS modifiers (placeholder:text-white/40)
- * - UI button labels (Mock/Live toggles)
- * - Valid example data (Todo App in project lists)
- */
-
-/**
- * Patterns that indicate Tailwind CSS class context
- * These are styling directives, not placeholder content
- */
-const TAILWIND_MODIFIER_PATTERNS = [
-  // Tailwind placeholder: modifier (styles placeholder text in inputs)
-  /\bplaceholder:/,
-  // Other Tailwind state modifiers that might contain keywords
-  /\b(?:hover|focus|active|disabled|checked|invalid|required|empty|default):/,
-  // Tailwind arbitrary value syntax
-  /\[placeholder[:\]]/,
-];
-
-/**
- * Patterns that indicate className or CSS context
- */
-const CSS_CLASS_PATTERNS = [
-  // className="..." or className={...}
-  /className\s*[=:]\s*[{"`']/,
-  // class="..." (HTML)
-  /\bclass\s*=\s*["']/,
-  // Tailwind @apply directive
-  /@apply\s+/,
-  // CSS-in-JS style objects
-  /\bstyle\s*[=:]\s*\{/,
-  // clsx, classnames, cn utilities
-  /\b(?:clsx|classnames|cn)\s*\(/,
-  // twMerge, tailwind-merge
-  /\b(?:twMerge|tailwind-merge)\s*\(/,
-];
-
-/**
- * Patterns for UI labels/buttons that legitimately use "mock", "todo", etc.
- */
-const LEGITIMATE_UI_LABEL_PATTERNS = [
-  // Button onClick handlers with mode labels
-  /onClick\s*=.*['"](?:mock|live|demo|test)["']/i,
-  // Mode change handlers
-  /onModeChange\s*\?\.\s*\(['"](?:mock|live|demo)["']\)/i,
-  // Radio button or toggle values
-  /value\s*[=:]\s*['"](?:mock|live|demo|test)["']/i,
-  // UI state labels
-  /mode\s*===?\s*['"](?:mock|live|demo|test)["']/i,
-  // Tab or button labels in arrays/maps
-  /\[\s*['"](?:mock|live)["']\s*,/i,
-  // Option/select values
-  /option\s*value\s*=\s*['"](?:mock|live|demo)["']/i,
-  // Button children with mode text
-  />\s*(?:Mock|Live|Demo|Test)\s*</i,
-];
-
-/**
- * Patterns for legitimate example/template data
- */
-const LEGITIMATE_EXAMPLE_DATA_PATTERNS = [
-  // Array of project/template names (common in UI)
-  /\[\s*['"](?:Todo\s*App|Landing\s*Page|Dashboard|Blog|Portfolio|E-?commerce)["']/i,
-  // Project name selectors or dropdowns
-  /projectName|templateName|appName|recentProjects/i,
-  // Example/sample data arrays in UI components
-  /examples?\s*[=:]\s*\[/i,
-  /templates?\s*[=:]\s*\[/i,
-  /presets?\s*[=:]\s*\[/i,
-  // Map over example items
-  /\.map\(\s*\(\s*(?:name|item|template)\s*\)/i,
-];
-
-/**
- * Check if a line contains Tailwind CSS placeholder modifier
- */
-function isTailwindPlaceholderModifier(line) {
-  return TAILWIND_MODIFIER_PATTERNS.some(pattern => pattern.test(line));
-}
-
-/**
- * Check if the context is a CSS class definition
- */
-function isCSSClassContext(line, surroundingLines) {
-  // Check the current line
-  if (CSS_CLASS_PATTERNS.some(pattern => pattern.test(line))) {
-    return true;
-  }
-  
-  // Check surrounding lines for context
-  if (surroundingLines && surroundingLines.length > 0) {
-    const contextBlock = surroundingLines.join('\n');
-    return CSS_CLASS_PATTERNS.some(pattern => pattern.test(contextBlock));
-  }
-  
-  return false;
-}
-
-/**
- * Check if "mock" or similar words are used as legitimate UI labels
- */
-function isLegitimateUILabel(line, surroundingLines) {
-  const fullContext = surroundingLines 
-    ? [...surroundingLines, line].join('\n')
-    : line;
-  
-  return LEGITIMATE_UI_LABEL_PATTERNS.some(pattern => pattern.test(fullContext));
-}
-
-/**
- * Check if the content is legitimate example/template data
- */
-function isLegitimateExampleData(line, surroundingLines) {
-  const fullContext = surroundingLines 
-    ? [...surroundingLines, line].join('\n')
-    : line;
-  
-  return LEGITIMATE_EXAMPLE_DATA_PATTERNS.some(pattern => pattern.test(fullContext));
-}
-
-/**
- * Check if the match is in a JSX prop context (not user-visible content)
- */
-function isJSXPropContext(line, matchedPattern) {
-  // Check if the pattern is part of a JSX prop name (not value)
-  const propNamePatterns = [
-    // Prop names that legitimately contain keywords
-    /\b(?:placeholder|mock|test)(?:Id|Key|Ref|Name|Type|Mode|Data)\s*[=:]/i,
-    // Data attributes
-    /data-(?:placeholder|mock|test)\s*=/i,
-    // Aria labels (visible content, but intentional)
-    /aria-(?:label|description)\s*=\s*["'][^"']*(?:placeholder|mock|test)/i,
-  ];
-  
-  return propNamePatterns.some(pattern => pattern.test(line));
-}
-
-/**
- * Main context detection function
- * Analyzes a line and its context to determine if a match is a false positive
- */
-function detectFalsePositive(line, matchedPattern, options = {}) {
-  const { lineIndex, allLines, filePath, patternType } = options;
-  
-  // Get surrounding lines for context (2 before, 2 after)
-  let surroundingLines = [];
-  if (allLines && lineIndex !== undefined) {
-    const start = Math.max(0, lineIndex - 2);
-    const end = Math.min(allLines.length, lineIndex + 3);
-    surroundingLines = allLines.slice(start, end);
-  }
-  
-  // Check for Tailwind CSS placeholder modifier
-  const lowerPattern = (matchedPattern || '').toLowerCase();
-  if (lowerPattern.includes('placeholder') || patternType === 'placeholder') {
-    if (isTailwindPlaceholderModifier(line)) {
-      return {
-        isFalsePositive: true,
-        reason: 'Tailwind CSS placeholder: modifier (styles input placeholder text)',
-        confidence: 0.95,
-      };
-    }
-  }
-  
-  // Check for CSS class context
-  if (isCSSClassContext(line, surroundingLines)) {
-    return {
-      isFalsePositive: true,
-      reason: 'CSS class/className context (styling, not content)',
-      confidence: 0.9,
-    };
-  }
-  
-  // Check for legitimate UI labels (Mock/Live toggles, etc.)
-  if (lowerPattern.includes('mock') || patternType === 'mock') {
-    if (isLegitimateUILabel(line, surroundingLines)) {
-      return {
-        isFalsePositive: true,
-        reason: 'Legitimate UI label (mode toggle, button text)',
-        confidence: 0.85,
-      };
-    }
-  }
-  
-  // Check for legitimate example data ("Todo App", etc.)
-  if (lowerPattern.includes('todo') || patternType === 'todo') {
-    if (isLegitimateExampleData(line, surroundingLines)) {
-      return {
-        isFalsePositive: true,
-        reason: 'Legitimate example/template data in UI',
-        confidence: 0.8,
-      };
-    }
-  }
-  
-  // Check for JSX props that are not content
-  if (isJSXPropContext(line, matchedPattern)) {
-    return {
-      isFalsePositive: true,
-      reason: 'JSX prop context (attribute, not visible content)',
-      confidence: 0.75,
-    };
-  }
-  
-  // Not a false positive
-  return {
-    isFalsePositive: false,
-    confidence: 0.5,
-  };
-}
-
-/**
- * Quick check if a line is likely a false positive
- * Use this for fast pre-filtering before detailed analysis
- */
-function quickFalsePositiveCheck(line) {
-  // Fast check for common false positive patterns
-  const quickPatterns = [
-    /className.*placeholder:/,
-    /class=.*placeholder:/,
-    /placeholder:text-/,
-    /placeholder:opacity-/,
-    /placeholder:italic/,
-    /onModeChange.*['"]mock["']/i,
-    /onClick.*['"]mock["']/i,
-    /value=['"](?:mock|live)["']/i,
-    /\[['"]Todo App["']/i,
-    /\[['"]Mock["'],\s*['"]Live["']\]/i,
-    />\s*Mock\s*</i,
-    />\s*Live\s*</i,
-  ];
-  
-  return quickPatterns.some(pattern => pattern.test(line));
-}
-
-/**
- * Filter findings to remove false positives
- */
-function filterFalsePositives(findings, allLines, options = {}) {
-  return findings.filter(finding => {
-    const lineContent = finding.content || finding.codeSnippet || allLines[finding.line - 1] || '';
-    const result = detectFalsePositive(lineContent, lineContent, {
-      lineIndex: finding.line - 1,
-      allLines,
-      ...options,
-    });
-    return !result.isFalsePositive;
-  });
-}
-
-module.exports = {
-  isTailwindPlaceholderModifier,
-  isCSSClassContext,
-  isLegitimateUILabel,
-  isLegitimateExampleData,
-  isJSXPropContext,
-  detectFalsePositive,
-  quickFalsePositiveCheck,
-  filterFalsePositives,
-};

package/bin/runners/lib/engines/database-patterns-engine.js

@@ -1,429 +0,0 @@
-/**
- * Database Patterns Engine
- * Detects:
- * - N+1 query patterns
- * - Missing transaction boundaries
- * - Unbounded queries (no LIMIT)
- * - Raw SQL injection risks (beyond basic detection)
- * - Missing indexes (suggested)
- * - Connection pool issues
- * - ORM anti-patterns
- * - Missing error handling on DB operations
- */
-
-const { getAST } = require("./ast-cache");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
-
-function snippetForLine(lines, line) {
-  return lines[line - 1] ? lines[line - 1].trim() : "";
-}
-
-/**
- * ORM detection patterns
- */
-const ORM_PATTERNS = {
-  prisma: {
-    import: /from\s+['"]@prisma\/client['"]/,
-    findMany: /\.findMany\s*\(/,
-    findFirst: /\.findFirst\s*\(/,
-    findUnique: /\.findUnique\s*\(/,
-    create: /\.create\s*\(/,
-    update: /\.update\s*\(/,
-    delete: /\.delete\s*\(/,
-    transaction: /\$transaction/,
-    rawQuery: /\$queryRaw|\$executeRaw/,
-  },
-  drizzle: {
-    import: /from\s+['"]drizzle-orm['"]/,
-    select: /\.select\s*\(/,
-    insert: /\.insert\s*\(/,
-    update: /\.update\s*\(/,
-    delete: /\.delete\s*\(/,
-    rawQuery: /sql`|sql\(/,
-  },
-  typeorm: {
-    import: /from\s+['"]typeorm['"]/,
-    find: /\.find\s*\(/,
-    findOne: /\.findOne\s*\(/,
-    save: /\.save\s*\(/,
-    remove: /\.remove\s*\(/,
-    transaction: /\.transaction\s*\(/,
-    rawQuery: /\.query\s*\(/,
-  },
-  sequelize: {
-    import: /from\s+['"]sequelize['"]/,
-    findAll: /\.findAll\s*\(/,
-    findOne: /\.findOne\s*\(/,
-    create: /\.create\s*\(/,
-    update: /\.update\s*\(/,
-    destroy: /\.destroy\s*\(/,
-    transaction: /\.transaction\s*\(/,
-    rawQuery: /\.query\s*\(/,
-  },
-  mongoose: {
-    import: /from\s+['"]mongoose['"]/,
-    find: /\.find\s*\(/,
-    findOne: /\.findOne\s*\(/,
-    findById: /\.findById\s*\(/,
-    save: /\.save\s*\(/,
-    aggregate: /\.aggregate\s*\(/,
-  },
-  knex: {
-    import: /from\s+['"]knex['"]/,
-    select: /\.select\s*\(/,
-    insert: /\.insert\s*\(/,
-    update: /\.update\s*\(/,
-    delete: /\.del\s*\(|\.delete\s*\(/,
-    transaction: /\.transaction\s*\(/,
-    rawQuery: /\.raw\s*\(/,
-  },
-};
-
-/**
- * Detect which ORM is being used
- */
-function detectORM(code) {
-  for (const [name, patterns] of Object.entries(ORM_PATTERNS)) {
-    if (patterns.import.test(code)) {
-      return name;
-    }
-  }
-  return null;
-}
-
-/**
- * Analyze database patterns
- */
-function analyzeDatabasePatterns(code, filePath) {
-  const findings = [];
-  
-  if (shouldExcludeFile(filePath)) return findings;
-  if (isTestContext(code, filePath)) return findings;
-  if (hasIgnoreDirective(code, "database-patterns")) return findings;
-  
-  const ast = getAST(code, filePath);
-  if (!ast) return findings;
-  
-  const lines = code.split("\n");
-  const orm = detectORM(code);
-  
-  // If no ORM detected, skip most checks
-  if (!orm) return findings;
-  
-  // Track queries for N+1 detection
-  const queriesInLoops = [];
-  let inLoop = false;
-  let loopDepth = 0;
-  
-  // Track if we're in a transaction
-  let inTransaction = false;
-  
-  traverse(ast, {
-    // Track loop entry
-    ForStatement: {
-      enter() { inLoop = true; loopDepth++; },
-      exit() { loopDepth--; if (loopDepth === 0) inLoop = false; },
-    },
-    ForInStatement: {
-      enter() { inLoop = true; loopDepth++; },
-      exit() { loopDepth--; if (loopDepth === 0) inLoop = false; },
-    },
-    ForOfStatement: {
-      enter() { inLoop = true; loopDepth++; },
-      exit() { loopDepth--; if (loopDepth === 0) inLoop = false; },
-    },
-    WhileStatement: {
-      enter() { inLoop = true; loopDepth++; },
-      exit() { loopDepth--; if (loopDepth === 0) inLoop = false; },
-    },
-    
-    // Check for map/forEach with DB calls (potential N+1)
-    CallExpression(path) {
-      const node = path.node;
-      const callee = node.callee;
-      const loc = node.loc?.start;
-      if (!loc) return;
-      
-      // Check for array.map/forEach that might contain DB queries
-      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property)) {
-        const methodName = callee.property.name;
-        
-        if (["map", "forEach", "filter", "reduce"].includes(methodName)) {
-          const callback = node.arguments[0];
-          
-          if (callback && (t.isArrowFunctionExpression(callback) || t.isFunctionExpression(callback))) {
-            // Check if callback contains DB operations
-            let hasDBCall = false;
-            let dbCallLoc = null;
-            
-            path.traverse({
-              CallExpression(innerPath) {
-                const innerNode = innerPath.node;
-                const innerCallee = innerNode.callee;
-                
-                // Check for Prisma patterns
-                if (orm === "prisma" && t.isMemberExpression(innerCallee)) {
-                  const prop = innerCallee.property;
-                  if (t.isIdentifier(prop) && 
-                      ["findUnique", "findFirst", "findMany", "create", "update", "delete"].includes(prop.name)) {
-                    hasDBCall = true;
-                    dbCallLoc = innerNode.loc?.start;
-                  }
-                }
-                
-                // Check for await inside the callback (common pattern)
-                if (t.isAwaitExpression(innerPath.parent)) {
-                  // Check if awaiting a DB operation
-                  const awaitedCode = code.substring(innerNode.start, innerNode.end);
-                  const dbPatterns = [
-                    /findUnique|findFirst|findMany|findOne|findById/,
-                    /\.select\(|\.find\(|\.query\(/,
-                  ];
-                  
-                  if (dbPatterns.some(p => p.test(awaitedCode))) {
-                    hasDBCall = true;
-                    dbCallLoc = innerNode.loc?.start;
-                  }
-                }
-              },
-            });
-            
-            if (hasDBCall) {
-              findings.push({
-                type: "n_plus_1_query",
-                severity: "WARN",
-                category: "DatabasePatterns",
-                file: filePath,
-                line: dbCallLoc?.line || loc.line,
-                column: 0,
-                title: "Potential N+1 query pattern",
-                message: `Database query inside ${methodName}() callback. This executes a query for each item.`,
-                codeSnippet: snippetForLine(lines, dbCallLoc?.line || loc.line),
-                confidence: "high",
-                fixHint: orm === "prisma" 
-                  ? "Use include/select to fetch related data in one query, or use Prisma's createMany/updateMany"
-                  : "Batch queries or use eager loading to reduce database roundtrips",
-              });
-            }
-          }
-        }
-      }
-      
-      // Detect DB operations in loops
-      if (inLoop && t.isMemberExpression(callee)) {
-        const prop = callee.property;
-        const ormPatterns = ORM_PATTERNS[orm];
-        
-        if (ormPatterns && t.isIdentifier(prop)) {
-          const isDbOp = Object.entries(ormPatterns)
-            .filter(([key]) => key !== "import" && key !== "transaction" && key !== "rawQuery")
-            .some(([_, pattern]) => pattern.test(`.${prop.name}(`));
-          
-          if (isDbOp) {
-            findings.push({
-              type: "query_in_loop",
-              severity: "WARN",
-              category: "DatabasePatterns",
-              file: filePath,
-              line: loc.line,
-              column: loc.column,
-              title: "Database query inside loop",
-              message: `${prop.name}() called in a loop may cause performance issues.`,
-              codeSnippet: snippetForLine(lines, loc.line),
-              confidence: "high",
-              fixHint: "Batch operations or fetch all data before the loop",
-            });
-          }
-        }
-      }
-      
-      // Check for findMany/findAll without take/limit
-      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property)) {
-        const methodName = callee.property.name;
-        
-        if (["findMany", "findAll", "find"].includes(methodName)) {
-          const args = node.arguments;
-          let hasLimit = false;
-          
-          if (args.length > 0 && t.isObjectExpression(args[0])) {
-            const props = args[0].properties;
-            hasLimit = props.some(p => 
-              t.isObjectProperty(p) && 
-              t.isIdentifier(p.key) &&
-              ["take", "limit", "first", "last"].includes(p.key.name)
-            );
-          }
-          
-          if (!hasLimit) {
-            findings.push({
-              type: "unbounded_query",
-              severity: "INFO",
-              category: "DatabasePatterns",
-              file: filePath,
-              line: loc.line,
-              column: loc.column,
-              title: "Query without limit",
-              message: `${methodName}() without limit may return excessive data.`,
-              codeSnippet: snippetForLine(lines, loc.line),
-              confidence: "low",
-              fixHint: orm === "prisma" 
-                ? "Add { take: 100 } or implement pagination"
-                : "Add a limit parameter or implement pagination",
-            });
-          }
-        }
-      }
-      
-      // Check for missing transaction in multiple writes
-      // (This is a heuristic check)
-      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property)) {
-        const methodName = callee.property.name;
-        const writeMethods = ["create", "update", "delete", "upsert", "insert", "save", "remove", "destroy"];
-        
-        if (writeMethods.includes(methodName) && !inTransaction) {
-          // Check if there are multiple write operations in the same function
-          const fnParent = path.getFunctionParent();
-          if (fnParent) {
-            let writeCount = 0;
-            
-            fnParent.traverse({
-              CallExpression(innerPath) {
-                const innerCallee = innerPath.node.callee;
-                if (t.isMemberExpression(innerCallee) && t.isIdentifier(innerCallee.property)) {
-                  if (writeMethods.includes(innerCallee.property.name)) {
-                    writeCount++;
-                  }
-                }
-              },
-            });
-            
-            if (writeCount >= 2) {
-              // Check if function uses transaction
-              const fnCode = code.substring(fnParent.node.start, fnParent.node.end);
-              const hasTransaction = /\$transaction|\.transaction\s*\(|BEGIN|COMMIT/.test(fnCode);
-              
-              if (!hasTransaction) {
-                findings.push({
-                  type: "missing_transaction",
-                  severity: "INFO",
-                  category: "DatabasePatterns",
-                  file: filePath,
-                  line: loc.line,
-                  column: loc.column,
-                  title: "Multiple writes without transaction",
-                  message: `Function has ${writeCount} write operations without explicit transaction.`,
-                  codeSnippet: snippetForLine(lines, loc.line),
-                  confidence: "low",
-                  fixHint: orm === "prisma"
-                    ? "Wrap in prisma.$transaction([...])"
-                    : "Wrap operations in a transaction for atomicity",
-                });
-              }
-            }
-          }
-        }
-      }
-      
-      // Check for raw queries (SQL injection risk)
-      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property)) {
-        const methodName = callee.property.name;
-        const rawMethods = ["query", "raw", "$queryRaw", "$executeRaw", "queryRaw", "executeRaw"];
-        
-        if (rawMethods.includes(methodName)) {
-          const args = node.arguments;
-          
-          // Check if using template literal (safer) vs string concatenation
-          if (args.length > 0) {
-            const queryArg = args[0];
-            
-            // String concatenation or interpolation is risky
-            if (t.isBinaryExpression(queryArg, { operator: "+" }) ||
-                (t.isTemplateLiteral(queryArg) && queryArg.expressions.length > 0)) {
-              
-              // Check if expressions are parameterized
-              let hasUnsafeInterpolation = false;
-              
-              if (t.isTemplateLiteral(queryArg)) {
-                // Prisma's Prisma.sql`` is safe, but direct string template isn't
-                const parentCallee = path.parentPath?.node?.callee;
-                const isPrismaSql = t.isMemberExpression(parentCallee) && 
-                  t.isIdentifier(parentCallee.object, { name: "Prisma" }) &&
-                  t.isIdentifier(parentCallee.property, { name: "sql" });
-                
-                if (!isPrismaSql) {
-                  hasUnsafeInterpolation = true;
-                }
-              } else {
-                hasUnsafeInterpolation = true;
-              }
-              
-              if (hasUnsafeInterpolation) {
-                findings.push({
-                  type: "raw_query_interpolation",
-                  severity: "WARN",
-                  category: "DatabasePatterns",
-                  file: filePath,
-                  line: loc.line,
-                  column: loc.column,
-                  title: "Dynamic values in raw query",
-                  message: "Raw query with string interpolation may be vulnerable to SQL injection.",
-                  codeSnippet: snippetForLine(lines, loc.line),
-                  confidence: "med",
-                  fixHint: orm === "prisma"
-                    ? "Use Prisma.sql`` tagged template or $queryRaw with Prisma.sql"
-                    : "Use parameterized queries with placeholders ($1, ?, :name)",
-                });
-              }
-            }
-          }
-        }
-      }
-    },
-    
-    // Check for missing error handling on DB operations
-    AwaitExpression(path) {
-      const node = path.node;
-      const argument = node.argument;
-      const loc = node.loc?.start;
-      if (!loc) return;
-      
-      // Check if it's a DB operation
-      if (t.isCallExpression(argument) && t.isMemberExpression(argument.callee)) {
-        const prop = argument.callee.property;
-        const dbMethods = ["findMany", "findFirst", "findUnique", "findOne", "find", "findAll",
-                          "create", "update", "delete", "save", "query", "execute"];
-        
-        if (t.isIdentifier(prop) && dbMethods.includes(prop.name)) {
-          // Check if inside try-catch
-          const tryParent = path.findParent(p => p.isTryStatement());
-          
-          if (!tryParent) {
-            findings.push({
-              type: "db_no_error_handling",
-              severity: "INFO",
-              category: "DatabasePatterns",
-              file: filePath,
-              line: loc.line,
-              column: loc.column,
-              title: "Database operation without error handling",
-              message: `${prop.name}() should be wrapped in try-catch for proper error handling.`,
-              codeSnippet: snippetForLine(lines, loc.line),
-              confidence: "low",
-              fixHint: "Wrap in try-catch to handle potential database errors",
-            });
-          }
-        }
-      }
-    },
-  });
-  
-  return findings;
-}
-
-module.exports = {
-  analyzeDatabasePatterns,
-  detectORM,
-  ORM_PATTERNS,
-};