npm - @vibecheckai/cli - Versions diffs - 3.5.1 → 3.5.2 - Mend

@vibecheckai/cli 3.5.1 → 3.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (272) hide show

package/bin/registry.js +406 -154
package/bin/runners/context/analyzer.js +52 -1
package/bin/runners/context/generators/mcp.js +15 -13
package/bin/runners/context/git-context.js +3 -1
package/bin/runners/context/proof-context.js +248 -1
package/bin/runners/context/team-conventions.js +33 -7
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +304 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +86 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +162 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +189 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +321 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/analysis-core.js +220 -182
package/bin/runners/lib/analyzers.js +2145 -224
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/cli-output.js +242 -210
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detectors-v2.js +547 -785
package/bin/runners/lib/doctor/modules/security.js +3 -1
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/entitlements-v2.js +152 -446
package/bin/runners/lib/error-handler.js +60 -12
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +7 -1
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/global-flags.js +37 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/route-detection.js +137 -68
package/bin/runners/lib/route-truth.js +1167 -322
package/bin/runners/lib/scan-output.js +504 -463
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/validator.js +27 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +328 -31
package/bin/runners/lib/terminal-ui.js +234 -731
package/bin/runners/lib/truth.js +1332 -308
package/bin/runners/lib/unified-cli-output.js +604 -0
package/bin/runners/lib/unified-output.js +163 -155
package/bin/runners/lib/upsell.js +104 -204
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +166 -101
package/bin/runners/runApprove.js +1200 -0
package/bin/runners/runAuth.js +373 -95
package/bin/runners/runCheckpoint.js +59 -21
package/bin/runners/runClassify.js +926 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +136 -24
package/bin/runners/runDoctor.js +115 -67
package/bin/runners/runEvidencePack.js +239 -96
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +6 -5
package/bin/runners/runGuard.js +212 -118
package/bin/runners/runInit.js +66 -21
package/bin/runners/runLabs.js +204 -121
package/bin/runners/runMcp.js +131 -60
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +43 -20
package/bin/runners/runProof.zip +0 -0
package/bin/runners/runProve.js +15 -5
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +14 -0
package/bin/runners/runReport.js +36 -4
package/bin/runners/runScan.js +689 -91
package/bin/runners/runShip.js +96 -40
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +21 -4
package/bin/runners/runWatch.js +118 -54
package/bin/scan.js +6 -1
package/bin/vibecheck.js +297 -52
package/mcp-server/HARDENING_SUMMARY.md +299 -0
package/mcp-server/agent-firewall-interceptor.js +500 -0
package/mcp-server/authority-tools.js +569 -0
package/mcp-server/conductor/conflict-resolver.js +588 -0
package/mcp-server/conductor/execution-planner.js +544 -0
package/mcp-server/conductor/index.js +377 -0
package/mcp-server/conductor/lock-manager.js +615 -0
package/mcp-server/conductor/request-queue.js +550 -0
package/mcp-server/conductor/session-manager.js +500 -0
package/mcp-server/conductor/tools.js +510 -0
package/mcp-server/deprecation-middleware.js +282 -0
package/mcp-server/handlers/index.ts +15 -0
package/mcp-server/handlers/tool-handler.ts +474 -591
package/mcp-server/index.js +1748 -1099
package/mcp-server/lib/api-client.cjs +13 -0
package/mcp-server/lib/cache-wrapper.cjs +383 -0
package/mcp-server/lib/error-envelope.js +138 -0
package/mcp-server/lib/executor.ts +428 -721
package/mcp-server/lib/index.ts +19 -0
package/mcp-server/lib/logger.cjs +30 -0
package/mcp-server/lib/rate-limiter.js +166 -0
package/mcp-server/lib/sandbox.test.ts +519 -0
package/mcp-server/lib/sandbox.ts +342 -284
package/mcp-server/lib/types.ts +267 -0
package/mcp-server/logger.js +173 -0
package/mcp-server/package.json +11 -27
package/mcp-server/premium-tools.js +2 -2
package/mcp-server/registry/tool-registry.js +794 -0
package/mcp-server/registry/tools.json +507 -378
package/mcp-server/registry.test.ts +334 -0
package/mcp-server/tests/tier-gating.test.js +297 -0
package/mcp-server/tier-auth.js +492 -347
package/mcp-server/tools-v3.js +950 -0
package/mcp-server/truth-context.js +131 -90
package/mcp-server/truth-firewall-tools.js +1612 -1001
package/mcp-server/tsconfig.json +8 -5
package/mcp-server/vibecheck-2.0-tools.js +14 -1
package/mcp-server/vibecheck-mcp-server-3.2.0.tgz +0 -0
package/mcp-server/vibecheck-tools.js +2 -2
package/package.json +4 -3
package/bin/runners/runInstall.js +0 -281
package/mcp-server/ARCHITECTURE.md +0 -339
package/mcp-server/__tests__/cache.test.ts +0 -313
package/mcp-server/__tests__/executor.test.ts +0 -239
package/mcp-server/__tests__/fixtures/exclusion-test/.cache/webpack/cache.pack +0 -1
package/mcp-server/__tests__/fixtures/exclusion-test/.next/server/chunk.js +0 -3
package/mcp-server/__tests__/fixtures/exclusion-test/.turbo/cache.json +0 -3
package/mcp-server/__tests__/fixtures/exclusion-test/.venv/lib/env.py +0 -3
package/mcp-server/__tests__/fixtures/exclusion-test/dist/bundle.js +0 -3
package/mcp-server/__tests__/fixtures/exclusion-test/package.json +0 -5
package/mcp-server/__tests__/fixtures/exclusion-test/src/app.ts +0 -5
package/mcp-server/__tests__/fixtures/exclusion-test/venv/lib/config.py +0 -4
package/mcp-server/__tests__/ids.test.ts +0 -345
package/mcp-server/__tests__/integration/tools.test.ts +0 -410
package/mcp-server/__tests__/registry.test.ts +0 -365
package/mcp-server/__tests__/sandbox.test.ts +0 -323
package/mcp-server/__tests__/schemas.test.ts +0 -372
package/mcp-server/benchmarks/run-benchmarks.ts +0 -304
package/mcp-server/examples/doctor.request.json +0 -14
package/mcp-server/examples/doctor.response.json +0 -53
package/mcp-server/examples/error.response.json +0 -15
package/mcp-server/examples/scan.request.json +0 -14
package/mcp-server/examples/scan.response.json +0 -108
package/mcp-server/index-v3.ts +0 -293
package/mcp-server/index.old.js +0 -4137
package/mcp-server/lib/cache.ts +0 -341
package/mcp-server/lib/errors.ts +0 -346
package/mcp-server/lib/ids.ts +0 -238
package/mcp-server/lib/logger.ts +0 -368
package/mcp-server/lib/metrics.ts +0 -365
package/mcp-server/lib/validator.ts +0 -229
package/mcp-server/package-lock.json +0 -165
package/mcp-server/schemas/error-envelope.schema.json +0 -125
package/mcp-server/schemas/finding.schema.json +0 -167
package/mcp-server/schemas/report-artifact.schema.json +0 -88
package/mcp-server/schemas/run-request.schema.json +0 -75
package/mcp-server/schemas/verdict.schema.json +0 -168
package/mcp-server/tier-auth.d.ts +0 -71
package/mcp-server/vitest.config.ts +0 -16

package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js ADDED Viewed

@@ -0,0 +1,217 @@
+/**
+ * Type-Aware Engine (TypeScript focused)
+ * Detects risky TypeScript patterns: any, non-null assertions, ts-ignore, unsafe casts, missing return types on exported APIs.
+ */
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+function isTSFile(filePath) {
+  return filePath.endsWith(".ts") || filePath.endsWith(".tsx");
+}
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+function isExportedFunctionPath(path) {
+  // export function foo() {}
+  if (path.parentPath?.isExportNamedDeclaration?.() || path.parentPath?.isExportDefaultDeclaration?.()) return true;
+  // export const foo = () => {}
+  const exportDecl = path.findParent((p) => p.isExportNamedDeclaration?.());
+  if (exportDecl) return true;
+  return false;
+}
+function analyzeTypeAware(code, filePath) {
+  const findings = [];
+  if (!isTSFile(filePath)) return findings;
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "type-aware")) return findings;
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+  const lines = code.split("\n");
+  // Scan header comments for ts-ignore
+  const comments = ast.comments || [];
+  for (const c of comments) {
+    const v = (c.value || "").trim();
+    if (/^@ts-ignore\b/.test(v) || /^@ts-expect-error\b/.test(v)) {
+      const line = c.loc?.start?.line || 1;
+      findings.push({
+        type: "ts_ignore",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line,
+        column: c.loc?.start?.column || 0,
+        title: "TypeScript ignore directive used",
+        message: `Found ${v.split(/\s+/)[0]} - this bypasses type safety.`,
+        codeSnippet: snippetForLine(lines, line),
+        confidence: "high",
+      });
+    }
+  }
+  // General TS AST checks
+  traverse(ast, {
+    TSAnyKeyword(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+      findings.push({
+        type: "any_type",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Usage of 'any' type",
+        message: "Avoid 'any' where possible. Prefer unknown + narrowing or a specific type.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "high",
+      });
+    },
+    TSNonNullExpression(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+      findings.push({
+        type: "non_null_assertion",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Non-null assertion used (!)",
+        message: "Non-null assertions can hide real null/undefined bugs. Consider proper checks.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "med",
+      });
+    },
+    TSAsExpression(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+      const typeAnn = path.node.typeAnnotation;
+      if (t.isTSAnyKeyword(typeAnn)) {
+        findings.push({
+          type: "unsafe_type_cast",
+          severity: "WARN",
+          category: "TypeSafety",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Unsafe type cast to 'any'",
+          message: "Casting to 'any' disables type checking. Prefer unknown + validation.",
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "high",
+        });
+      }
+    },
+    FunctionDeclaration(path) {
+      if (!path.node.loc) return;
+      if (!isExportedFunctionPath(path)) return;
+      // only flag when return type is missing AND the body has at least one return
+      const hasReturnType = Boolean(path.node.returnType);
+      if (hasReturnType) return;
+      let returnsValue = false;
+      path.traverse({
+        Function(inner) {
+          if (inner !== path) inner.skip();
+        },
+        ReturnStatement(r) {
+          if (r.node.argument) returnsValue = true;
+        },
+      });
+      if (!returnsValue) return;
+      const line = path.node.loc.start.line;
+      findings.push({
+        type: "missing_return_type",
+        severity: "INFO",
+        category: "TypeSafety",
+        file: filePath,
+        line,
+        column: path.node.loc.start.column,
+        title: "Exported function missing explicit return type",
+        message: "Public/ exported APIs should specify return types for stability and clarity.",
+        codeSnippet: snippetForLine(lines, line),
+        confidence: "low",
+      });
+    },
+    ExportNamedDeclaration(path) {
+      // export const foo = () => {}
+      const decl = path.node.declaration;
+      if (!t.isVariableDeclaration(decl)) return;
+      for (const d of decl.declarations) {
+        if (!t.isVariableDeclarator(d)) continue;
+        if (!t.isIdentifier(d.id) || !d.init) continue;
+        if (!t.isArrowFunctionExpression(d.init) && !t.isFunctionExpression(d.init)) continue;
+        const fnNode = d.init;
+        const hasReturnType = Boolean(fnNode.returnType);
+        if (hasReturnType) continue;
+        // Only if it returns a value
+        let returnsValue = false;
+        traverse(
+          t.file(t.program([t.expressionStatement(fnNode)])),
+          {
+            ReturnStatement(r) {
+              if (r.node.argument) returnsValue = true;
+            },
+            Function(inner) {
+              // skip nested
+              inner.skip();
+            },
+          },
+          undefined,
+          undefined,
+          undefined
+        );
+        if (!returnsValue) continue;
+        const loc = fnNode.loc?.start;
+        if (!loc) continue;
+        findings.push({
+          type: "missing_return_type",
+          severity: "INFO",
+          category: "TypeSafety",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Exported function missing explicit return type",
+          message: `Exported '${d.id.name}' should specify a return type.`,
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "low",
+        });
+      }
+    },
+  });
+  return findings;
+}
+module.exports = {
+  analyzeTypeAware,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js ADDED Viewed

@@ -0,0 +1,78 @@
+/**
+ * Unsafe Regex Engine
+ * Detects potentially catastrophic backtracking patterns.
+ *
+ * This is heuristic-based. It aims to flag the riskiest regexes:
+ * - Nested quantifiers like (.+)+, (.*)*, (a|aa)+, ([\s\S]*)+
+ * - Ambiguous repetitions inside groups: (a|a?)+ etc
+ */
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+function isRiskyPattern(pattern) {
+  if (!pattern || typeof pattern !== "string") return false;
+  // Nested quantifiers: (.*)+, (.+)+, (.*)*, (.+)*
+  if (/\((?:[^()\\]|\\.)*([+*])\)\s*[+*]/.test(pattern)) return true;
+  // Very broad character classes repeated aggressively
+  if (/\[(?:\\s\\S|\\S\\s|\\w\\W|\\W\\w|\\d\\D|\\D\\d)\]\s*[+*]\s*[+*]/.test(pattern)) return true;
+  // Alternation inside repetition: (a|aa)+ or (.*|.+)+
+  if (/\((?:[^()\\]|\\.)*\|(?:[^()\\]|\\.)*\)\s*[+*]/.test(pattern)) return true;
+  // Repetition of ambiguous wildcard with backreferences (commonly risky)
+  if (/(\.\*|\.\+).*\1/.test(pattern)) return true;
+  return false;
+}
+function analyzeUnsafeRegex(code, filePath) {
+  const findings = [];
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "unsafe-regex")) return findings;
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+  const lines = code.split("\n");
+  traverse(ast, {
+    RegExpLiteral(path) {
+      const pattern = path.node.pattern;
+      if (!isRiskyPattern(pattern)) return;
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+      findings.push({
+        type: "unsafe_regex",
+        severity: "WARN",
+        category: "Security",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Potential ReDoS risk in regex",
+        message: `Regex pattern "${pattern}" may cause catastrophic backtracking.`,
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "med",
+      });
+    },
+  });
+  return findings;
+}
+module.exports = {
+  analyzeUnsafeRegex,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/package.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "name": "vibecheck-analysis-engines",
+  "version": "0.1.0",
+  "private": true,
+  "description": "Hardened analysis engines for Vibecheck-style static scanning.",
+  "main": "index.js",
+  "type": "commonjs",
+  "dependencies": {
+    "@babel/parser": "^7.26.0",
+    "@babel/traverse": "^7.26.0",
+    "@babel/types": "^7.26.0"
+  }
+}