@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/firewall/content-validator.js

@@ -1,519 +0,0 @@
-/**
- * Content Validator
- * 
- * Validates file content against:
- * - Hallucination patterns (fake APIs, placeholder data)
- * - Hardcoded secrets and credentials
- * - Dangerous code patterns
- * - AI-generated placeholder text
- */
-
-"use strict";
-
-/**
- * ContentValidator class for validating file content
- */
-class ContentValidator {
-  /**
-   * Create a content validator
-   * @param {object} config - Firewall configuration
-   */
-  constructor(config) {
-    this.config = config;
-    
-    // Extract content configuration
-    const content = config.content || {};
-    this.hallucinationPatterns = content.hallucinations || [];
-    this.forbiddenPatterns = content.forbidden || [];
-    
-    // Build compiled patterns
-    this.compiledHallucinations = this.compilePatterns(this.hallucinationPatterns);
-    this.compiledForbidden = this.compilePatterns(this.forbiddenPatterns);
-    
-    // Additional built-in patterns
-    this.builtInPatterns = this.getBuiltInPatterns();
-  }
-  
-  /**
-   * Compile pattern configurations to regex
-   * @param {Array} patterns - Pattern configurations
-   * @returns {Array} Compiled patterns
-   */
-  compilePatterns(patterns) {
-    return patterns.map(p => {
-      if (typeof p === "string") {
-        return {
-          pattern: new RegExp(p, "gi"),
-          name: p,
-          severity: "warn",
-        };
-      }
-      return {
-        pattern: new RegExp(p.pattern, "gi"),
-        name: p.name || p.pattern,
-        severity: p.severity || "warn",
-        message: p.message,
-      };
-    });
-  }
-  
-  /**
-   * Get built-in hallucination/dangerous patterns
-   * @returns {Array} Built-in patterns
-   */
-  getBuiltInPatterns() {
-    return [
-      // Fake API patterns
-      {
-        pattern: /fetch\s*\(\s*['"]https?:\/\/example\.com/gi,
-        name: "fake-api-fetch",
-        severity: "high",
-        message: "Fetching from example.com - likely a hallucination",
-      },
-      {
-        pattern: /api\.example\.com/gi,
-        name: "fake-api-domain",
-        severity: "high",
-        message: "Reference to api.example.com - likely a hallucination",
-      },
-      {
-        pattern: /https?:\/\/jsonplaceholder\.typicode\.com/gi,
-        name: "placeholder-api",
-        severity: "warn",
-        message: "Using JSONPlaceholder API - replace with real API before production",
-      },
-      {
-        pattern: /https?:\/\/reqres\.in/gi,
-        name: "fake-rest-api",
-        severity: "warn",
-        message: "Using Reqres fake API - replace with real API before production",
-      },
-      
-      // Fake API keys
-      {
-        pattern: /sk-[a-zA-Z0-9]{20,}/g,
-        name: "fake-openai-key",
-        severity: "high",
-        message: "Possible fake or exposed OpenAI API key",
-      },
-      {
-        pattern: /AKIA[0-9A-Z]{16}/g,
-        name: "aws-access-key",
-        severity: "critical",
-        message: "AWS access key detected - never commit credentials",
-      },
-      {
-        pattern: /ghp_[a-zA-Z0-9]{36}/g,
-        name: "github-token",
-        severity: "critical",
-        message: "GitHub personal access token detected",
-      },
-      {
-        pattern: /ghu_[a-zA-Z0-9]{36}/g,
-        name: "github-user-token",
-        severity: "critical",
-        message: "GitHub user-to-server token detected",
-      },
-      {
-        pattern: /xox[baprs]-[a-zA-Z0-9-]+/g,
-        name: "slack-token",
-        severity: "critical",
-        message: "Slack token detected",
-      },
-      
-      // Placeholder patterns
-      {
-        pattern: /\bTODO\s*:\s*implement/gi,
-        name: "todo-implement",
-        severity: "warn",
-        message: "TODO: implement - incomplete implementation",
-      },
-      {
-        pattern: /\bFIXME\b/gi,
-        name: "fixme-comment",
-        severity: "warn",
-        message: "FIXME comment found - needs attention",
-      },
-      {
-        pattern: /placeholder.*data/gi,
-        name: "placeholder-data",
-        severity: "warn",
-        message: "Placeholder data detected",
-      },
-      {
-        pattern: /fake.*response/gi,
-        name: "fake-response",
-        severity: "warn",
-        message: "Fake response detected",
-      },
-      {
-        pattern: /mock.*api/gi,
-        name: "mock-api",
-        severity: "warn",
-        message: "Mock API detected - replace before production",
-      },
-      
-      // AI placeholder values
-      {
-        pattern: /your-api-key-here/gi,
-        name: "placeholder-api-key",
-        severity: "high",
-        message: "Placeholder API key found",
-      },
-      {
-        pattern: /YOUR_[A-Z_]+_KEY/g,
-        name: "placeholder-env-var",
-        severity: "warn",
-        message: "Placeholder environment variable found",
-      },
-      {
-        pattern: /<your-[a-z-]+>/gi,
-        name: "template-placeholder",
-        severity: "warn",
-        message: "Template placeholder found",
-      },
-      {
-        pattern: /\[insert.*here\]/gi,
-        name: "insert-placeholder",
-        severity: "warn",
-        message: "Insert placeholder found",
-      },
-      {
-        pattern: /xxx+/gi,
-        name: "xxx-placeholder",
-        severity: "warn",
-        message: "XXX placeholder pattern found",
-      },
-      
-      // Hardcoded credentials
-      {
-        pattern: /password\s*[=:]\s*['"][^'"]{3,}['"]/gi,
-        name: "hardcoded-password",
-        severity: "critical",
-        message: "Hardcoded password detected",
-      },
-      {
-        pattern: /secret\s*[=:]\s*['"][^'"]{3,}['"]/gi,
-        name: "hardcoded-secret",
-        severity: "critical",
-        message: "Hardcoded secret detected",
-      },
-      {
-        pattern: /api[_-]?key\s*[=:]\s*['"][^'"]{8,}['"]/gi,
-        name: "hardcoded-api-key",
-        severity: "critical",
-        message: "Hardcoded API key detected",
-      },
-      
-      // Common test/default credentials
-      {
-        pattern: /password.*['"](?:test|demo|admin|123|password)['"]/gi,
-        name: "test-password",
-        severity: "high",
-        message: "Test/default password detected",
-      },
-      {
-        pattern: /admin.*admin/gi,
-        name: "default-admin",
-        severity: "high",
-        message: "Default admin credentials pattern detected",
-      },
-      
-      // Dangerous code patterns
-      {
-        pattern: /eval\s*\(/g,
-        name: "eval-usage",
-        severity: "high",
-        message: "eval() usage detected - security risk",
-      },
-      {
-        pattern: /new\s+Function\s*\(/g,
-        name: "function-constructor",
-        severity: "high",
-        message: "Function constructor usage - similar to eval",
-      },
-      {
-        pattern: /document\.write\s*\(/g,
-        name: "document-write",
-        severity: "warn",
-        message: "document.write() is deprecated and potentially dangerous",
-      },
-      {
-        pattern: /innerHTML\s*=/g,
-        name: "innerHTML-assignment",
-        severity: "warn",
-        message: "innerHTML assignment - potential XSS risk",
-      },
-      {
-        pattern: /dangerouslySetInnerHTML/g,
-        name: "dangerous-html",
-        severity: "warn",
-        message: "dangerouslySetInnerHTML - ensure content is sanitized",
-      },
-      {
-        pattern: /exec\s*\(\s*['"].*\$\{/g,
-        name: "command-injection",
-        severity: "critical",
-        message: "Potential command injection - user input in exec",
-      },
-      {
-        pattern: /child_process.*exec\s*\(/g,
-        name: "child-exec",
-        severity: "warn",
-        message: "child_process.exec - ensure input is sanitized",
-      },
-    ];
-  }
-  
-  /**
-   * Validate file content
-   * @param {object} params - Validation parameters
-   * @param {string} params.content - File content to validate
-   * @param {string} params.path - File path (for context)
-   * @returns {object} Validation result
-   */
-  validate({ content, path }) {
-    // Skip if no content provided
-    if (!content) {
-      return { valid: true };
-    }
-    
-    const violations = [];
-    
-    // Check user-configured hallucination patterns
-    for (const { pattern, name, severity, message } of this.compiledHallucinations) {
-      const matches = content.match(pattern);
-      if (matches) {
-        violations.push({
-          rule: "hallucination-detected",
-          type: name,
-          severity: severity || "warn",
-          message: message || `Content contains hallucination pattern: ${name}`,
-          matches: matches.slice(0, 5), // Limit matches shown
-          matchCount: matches.length,
-        });
-      }
-    }
-    
-    // Check user-configured forbidden patterns
-    for (const { pattern, name, severity, message } of this.compiledForbidden) {
-      const matches = content.match(pattern);
-      if (matches) {
-        violations.push({
-          rule: "forbidden-pattern",
-          type: name,
-          severity: severity || "critical",
-          message: message || `Content contains forbidden pattern: ${name}`,
-          matches: matches.slice(0, 5),
-          matchCount: matches.length,
-        });
-      }
-    }
-    
-    // Check built-in patterns
-    for (const { pattern, name, severity, message } of this.builtInPatterns) {
-      // Reset regex lastIndex for global patterns
-      pattern.lastIndex = 0;
-      const matches = content.match(pattern);
-      if (matches) {
-        violations.push({
-          rule: this.getRuleType(name),
-          type: name,
-          severity,
-          message,
-          matches: matches.slice(0, 5),
-          matchCount: matches.length,
-          line: this.findLineNumber(content, matches[0]),
-        });
-      }
-    }
-    
-    // Determine overall validity based on severity
-    const hasCritical = violations.some(v => v.severity === "critical");
-    const hasHigh = violations.some(v => v.severity === "high");
-    
-    if (hasCritical || hasHigh) {
-      // Find the most severe violation
-      const mostSevere = violations.find(v => v.severity === "critical") 
-        || violations.find(v => v.severity === "high")
-        || violations[0];
-      
-      return {
-        valid: false,
-        rule: mostSevere.rule,
-        severity: mostSevere.severity,
-        message: mostSevere.message,
-        violations,
-        details: {
-          path,
-          totalViolations: violations.length,
-          criticalCount: violations.filter(v => v.severity === "critical").length,
-          highCount: violations.filter(v => v.severity === "high").length,
-          warnCount: violations.filter(v => v.severity === "warn").length,
-        },
-      };
-    }
-    
-    // Return warnings but don't fail validation
-    if (violations.length > 0) {
-      return {
-        valid: true,
-        hasWarnings: true,
-        warnings: violations,
-        details: {
-          path,
-          totalWarnings: violations.length,
-        },
-      };
-    }
-    
-    return { valid: true };
-  }
-  
-  /**
-   * Get rule type from pattern name
-   * @param {string} name - Pattern name
-   * @returns {string} Rule type
-   */
-  getRuleType(name) {
-    if (name.includes("api") || name.includes("placeholder") || name.includes("fake") || name.includes("mock")) {
-      return "hallucination-detected";
-    }
-    if (name.includes("key") || name.includes("password") || name.includes("secret") || name.includes("token")) {
-      return "credential-detected";
-    }
-    if (name.includes("eval") || name.includes("exec") || name.includes("injection") || name.includes("html")) {
-      return "dangerous-code";
-    }
-    return "content-violation";
-  }
-  
-  /**
-   * Find line number of a match in content
-   * @param {string} content - Full content
-   * @param {string} match - Match to find
-   * @returns {number} Line number (1-indexed)
-   */
-  findLineNumber(content, match) {
-    const index = content.indexOf(match);
-    if (index === -1) return -1;
-    
-    const beforeMatch = content.substring(0, index);
-    return (beforeMatch.match(/\n/g) || []).length + 1;
-  }
-  
-  /**
-   * Analyze content for risk assessment
-   * @param {string} content - Content to analyze
-   * @returns {object} Risk assessment
-   */
-  analyzeRisk(content) {
-    const result = this.validate({ content });
-    
-    const riskScore = this.calculateRiskScore(result);
-    
-    return {
-      riskLevel: riskScore > 70 ? "high" : riskScore > 40 ? "medium" : riskScore > 10 ? "low" : "none",
-      riskScore,
-      violations: result.violations || [],
-      warnings: result.warnings || [],
-      summary: this.generateSummary(result),
-    };
-  }
-  
-  /**
-   * Calculate risk score from validation result
-   * @param {object} result - Validation result
-   * @returns {number} Risk score 0-100
-   */
-  calculateRiskScore(result) {
-    let score = 0;
-    
-    const violations = result.violations || [];
-    const warnings = result.warnings || [];
-    
-    for (const v of violations) {
-      if (v.severity === "critical") score += 30;
-      else if (v.severity === "high") score += 20;
-      else if (v.severity === "warn") score += 5;
-    }
-    
-    for (const w of warnings) {
-      if (w.severity === "warn") score += 3;
-    }
-    
-    return Math.min(100, score);
-  }
-  
-  /**
-   * Generate human-readable summary
-   * @param {object} result - Validation result
-   * @returns {string} Summary text
-   */
-  generateSummary(result) {
-    if (result.valid && !result.hasWarnings) {
-      return "Content passed all validation checks";
-    }
-    
-    const parts = [];
-    const violations = result.violations || [];
-    const warnings = result.warnings || [];
-    
-    if (violations.length > 0) {
-      parts.push(`${violations.length} violation(s) found`);
-    }
-    if (warnings.length > 0) {
-      parts.push(`${warnings.length} warning(s)`);
-    }
-    
-    return parts.join(", ");
-  }
-  
-  /**
-   * Check if content contains specific pattern type
-   * @param {string} content - Content to check
-   * @param {string} patternType - Pattern type to check
-   * @returns {boolean} True if pattern found
-   */
-  hasPattern(content, patternType) {
-    const patterns = this.builtInPatterns.filter(p => p.name.includes(patternType));
-    
-    for (const { pattern } of patterns) {
-      pattern.lastIndex = 0;
-      if (pattern.test(content)) {
-        return true;
-      }
-    }
-    
-    return false;
-  }
-  
-  /**
-   * Get all detected patterns in content
-   * @param {string} content - Content to scan
-   * @returns {Array} Array of detected patterns
-   */
-  getDetectedPatterns(content) {
-    const detected = [];
-    
-    for (const { pattern, name, severity, message } of this.builtInPatterns) {
-      pattern.lastIndex = 0;
-      const matches = content.match(pattern);
-      if (matches) {
-        detected.push({
-          name,
-          severity,
-          message,
-          matchCount: matches.length,
-          samples: matches.slice(0, 3),
-        });
-      }
-    }
-    
-    return detected;
-  }
-}
-
-module.exports = {
-  ContentValidator,
-};

package/bin/runners/lib/firewall/index.js

@@ -1,101 +0,0 @@
-/**
- * Agent Firewall - Main Entry Point
- * 
- * Exports all firewall components:
- * - Configuration loader
- * - Path validator
- * - Command validator
- * - Content validator
- */
-
-"use strict";
-
-const { loadFirewallConfig, getDefaultConfig, saveFirewallConfig, initFirewallConfig, DEFAULT_CONFIG } = require("./config");
-const { PathValidator } = require("./path-validator");
-const { CommandValidator } = require("./command-validator");
-const { ContentValidator } = require("./content-validator");
-
-/**
- * Create a complete firewall instance with all validators
- * @param {string} configPath - Path to configuration file
- * @returns {object} Firewall instance with all validators
- */
-function createFirewall(configPath) {
-  const config = loadFirewallConfig(configPath);
-  
-  return {
-    config,
-    pathValidator: new PathValidator(config),
-    commandValidator: new CommandValidator(config),
-    contentValidator: new ContentValidator(config),
-    
-    /**
-     * Validate an action
-     * @param {object} params - Validation parameters
-     * @returns {object} Combined validation result
-     */
-    validate(params) {
-      const { action, path, content, command } = params;
-      const violations = [];
-      
-      // Validate path
-      if (path && (action === "write" || action === "delete")) {
-        const pathResult = this.pathValidator.validate({ action, path });
-        if (!pathResult.valid) {
-          violations.push(pathResult);
-        }
-      }
-      
-      // Validate command
-      if (command && action === "execute") {
-        const cmdResult = this.commandValidator.validate({ command });
-        if (!cmdResult.valid) {
-          violations.push(cmdResult);
-        }
-      }
-      
-      // Validate content
-      if (content && action === "write") {
-        const contentResult = this.contentValidator.validate({ content, path });
-        if (!contentResult.valid) {
-          violations.push(contentResult);
-        }
-        // Include warnings
-        if (contentResult.hasWarnings) {
-          violations.push({
-            valid: true,
-            isWarning: true,
-            warnings: contentResult.warnings,
-          });
-        }
-      }
-      
-      const hasViolation = violations.some(v => !v.valid && !v.isWarning);
-      const hasWarnings = violations.some(v => v.isWarning || v.hasWarnings);
-      
-      return {
-        allowed: !hasViolation,
-        violations: violations.filter(v => !v.valid && !v.isWarning),
-        warnings: violations.filter(v => v.isWarning || v.hasWarnings),
-        mode: config.mode,
-      };
-    },
-  };
-}
-
-module.exports = {
-  // Configuration
-  loadFirewallConfig,
-  getDefaultConfig,
-  saveFirewallConfig,
-  initFirewallConfig,
-  DEFAULT_CONFIG,
-  
-  // Validators
-  PathValidator,
-  CommandValidator,
-  ContentValidator,
-  
-  // Factory
-  createFirewall,
-};