@vibecheckai/cli 3.5.1 → 3.5.2

package/bin/runners/lib/scan-runner.js

@@ -0,0 +1,135 @@
+/**
+ * Scan Runner - Timeout and Cancellation Support
+ * 
+ * Provides timeout and cancellation capabilities for scan execution.
+ * Prevents runaway scans from hanging indefinitely.
+ */
+
+const EventEmitter = require('events');
+
+/**
+ * @typedef {Object} ScanOptions
+ * @property {number} [timeout] - Timeout in milliseconds (default: 5 minutes)
+ * @property {AbortSignal} [signal] - AbortSignal for cancellation
+ */
+
+/**
+ * @typedef {Object} ScanResult
+ * @property {'completed'|'cancelled'|'failed'} status
+ * @property {Array} findings
+ * @property {string} [error]
+ */
+
+class ScanRunner extends EventEmitter {
+  constructor() {
+    super();
+    this.aborted = false;
+    this.timeoutId = null;
+  }
+  constructor() {
+    super();
+    this.aborted = false;
+    this.timeoutId = null;
+  }
+
+  /**
+   * Run a scan with timeout and cancellation support
+   * @param {string} projectPath - Path to project to scan
+   * @param {ScanOptions} options - Scan options
+   * @returns {Promise<ScanResult>}
+   */
+  async run(projectPath, options = {}) {
+    const timeout = options.timeout || 5 * 60 * 1000; // Default 5 minutes
+    
+    // Set up abort handling
+    if (options.signal) {
+      options.signal.addEventListener('abort', () => {
+        this.abort('Scan aborted via signal');
+      });
+    }
+    
+    // Set up timeout
+    this.timeoutId = setTimeout(() => {
+      this.abort('Scan timed out');
+    }, timeout);
+    
+    try {
+      this.emit('start', { projectPath, timeout });
+      
+      const result = await this.executeAnalyzers(projectPath);
+      
+      if (this.aborted) {
+        return { status: 'cancelled', findings: [] };
+      }
+      
+      return result;
+    } catch (error) {
+      if (this.aborted) {
+        return { status: 'cancelled', findings: [], error: error.message };
+      }
+      return { status: 'failed', findings: [], error: error.message };
+    } finally {
+      if (this.timeoutId) {
+        clearTimeout(this.timeoutId);
+        this.timeoutId = null;
+      }
+    }
+  }
+
+  /**
+   * Abort the current scan
+   * @param {string} reason - Reason for abortion
+   */
+  abort(reason = 'Scan aborted') {
+    this.aborted = true;
+    this.emit('abort', { reason });
+  }
+
+  /**
+   * Execute analyzers with abort checks between each
+   * @private
+   * @param {string} projectPath - Path to project
+   * @returns {Promise<ScanResult>}
+   */
+  async executeAnalyzers(projectPath) {
+    // Import analysis core dynamically to avoid circular dependencies
+    const { runAnalysis } = require('./analysis-core');
+    
+    // Check abort before starting
+    if (this.aborted) {
+      return { status: 'cancelled', findings: [] };
+    }
+    
+    try {
+      // Run analysis with progress tracking
+      this.emit('progress', { phase: 'analysis', status: 'running' });
+      
+      const result = await runAnalysis({
+        repoRoot: projectPath,
+        extended: true,
+        noWrite: false
+      });
+      
+      // Check abort after analysis
+      if (this.aborted) {
+        return { status: 'cancelled', findings: result.findings || [] };
+      }
+      
+      this.emit('progress', { phase: 'analysis', status: 'complete', count: result.findings?.length || 0 });
+      
+      return {
+        status: 'completed',
+        findings: result.findings || [],
+        verdict: result.verdict,
+        report: result.report
+      };
+    } catch (error) {
+      if (this.aborted) {
+        return { status: 'cancelled', findings: [], error: error.message };
+      }
+      throw error;
+    }
+  }
+}
+
+module.exports = { ScanRunner };

package/bin/runners/lib/schemas/ajv-validator.js

@@ -0,0 +1,464 @@
+/**
+ * Schema Validator v3 - Production AJV Implementation
+ * 
+ * Full JSON Schema Draft 2020-12 validation using AJV.
+ * Replaces the minimal validator for production use.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+// Lazy-load AJV to avoid startup cost if not needed
+let ajv = null;
+let ajvFormats = null;
+
+function getAjv() {
+  if (!ajv) {
+    const Ajv = require("ajv");
+    ajvFormats = require("ajv-formats");
+    
+    ajv = new Ajv({
+      strict: true,
+      allErrors: true,
+      verbose: true,
+      validateFormats: true,
+      // Allow unknown keywords for custom extensions
+      strictTypes: true,
+      strictTuples: true,
+      // Cache schemas for performance
+      cache: new Map(),
+    });
+    
+    // Add standard formats (date-time, uri, email, etc.)
+    ajvFormats(ajv);
+    
+    // Add custom formats
+    ajv.addFormat("sha256", /^sha256:[a-f0-9]{64}$/);
+    ajv.addFormat("fingerprint", /^sha256:[a-f0-9]{64}$/);
+    ajv.addFormat("finding-id", /^F_[A-Z0-9_]+$/);
+    ajv.addFormat("evidence-id", /^E_[A-Z0-9]+$/);
+  }
+  
+  return ajv;
+}
+
+// Schema cache
+const schemaCache = new Map();
+const validatorCache = new Map();
+
+// Schema IDs (same as validator.js for compatibility)
+const SCHEMAS = {
+  FINDING: "finding.schema.json",
+  FINDING_V3: "finding-v3.schema.json",
+  SHIP_REPORT: "ship-report.schema.json",
+  REALITY_REPORT: "reality-report.schema.json",
+  TRUTHPACK_V2: "truthpack-v2.schema.json",
+  CONTRACTS: "contracts.schema.json",
+  PROOF_GRAPH: "proof-graph.schema.json",
+  MISSION_PACK: "mission-pack.schema.json",
+  SHARE_PACK: "share-pack.schema.json",
+  VERDICT: "verdict.schema.json",
+  ERROR_ENVELOPE: "error-envelope.schema.json",
+  RUN_REQUEST: "run-request.schema.json",
+  REPORT_ARTIFACT: "report-artifact.schema.json",
+};
+
+// =============================================================================
+// SCHEMA LOADING
+// =============================================================================
+
+/**
+ * Load a schema by ID
+ */
+function loadSchema(schemaId) {
+  if (schemaCache.has(schemaId)) {
+    return schemaCache.get(schemaId);
+  }
+
+  const schemaPath = path.join(__dirname, schemaId);
+  if (!fs.existsSync(schemaPath)) {
+    return null;
+  }
+
+  try {
+    const schema = JSON.parse(fs.readFileSync(schemaPath, "utf8"));
+    schemaCache.set(schemaId, schema);
+    return schema;
+  } catch (e) {
+    console.error(`Failed to load schema ${schemaId}:`, e.message);
+    return null;
+  }
+}
+
+/**
+ * Get compiled validator for schema
+ */
+function getValidator(schemaId) {
+  if (validatorCache.has(schemaId)) {
+    return validatorCache.get(schemaId);
+  }
+  
+  const schema = loadSchema(schemaId);
+  if (!schema) {
+    return null;
+  }
+  
+  try {
+    const ajvInstance = getAjv();
+    
+    // Remove $id to avoid conflicts when compiling multiple schemas
+    const schemaCopy = { ...schema };
+    delete schemaCopy.$id;
+    
+    const validator = ajvInstance.compile(schemaCopy);
+    validatorCache.set(schemaId, validator);
+    return validator;
+  } catch (e) {
+    console.error(`Failed to compile schema ${schemaId}:`, e.message);
+    return null;
+  }
+}
+
+/**
+ * Validate data against schema using AJV
+ */
+function validateAgainstSchema(data, schema, contextPath = "") {
+  if (!schema || data === undefined) {
+    return [];
+  }
+  
+  try {
+    const ajvInstance = getAjv();
+    const schemaCopy = { ...schema };
+    delete schemaCopy.$id;
+    
+    const validate = ajvInstance.compile(schemaCopy);
+    const valid = validate(data);
+    
+    if (valid) {
+      return [];
+    }
+    
+    // Convert AJV errors to our format
+    return (validate.errors || []).map(err => ({
+      path: contextPath + (err.instancePath || ""),
+      message: err.message || "Validation failed",
+      keyword: err.keyword,
+      params: err.params,
+    }));
+  } catch (e) {
+    return [{
+      path: contextPath,
+      message: `Schema compilation error: ${e.message}`,
+      keyword: "compile",
+    }];
+  }
+}
+
+// =============================================================================
+// ARTIFACT VALIDATION
+// =============================================================================
+
+/**
+ * Validate an artifact file against its schema
+ */
+function validateArtifact(filePath, schemaId) {
+  const validator = getValidator(schemaId);
+  
+  if (!validator) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Schema ${schemaId} not found or invalid`, keyword: "schema" }],
+    };
+  }
+
+  let data;
+  try {
+    data = JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch (e) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Failed to read/parse file: ${e.message}`, keyword: "parse" }],
+    };
+  }
+
+  const valid = validator(data);
+  
+  if (valid) {
+    return { valid: true, errors: [], data };
+  }
+  
+  const errors = (validator.errors || []).map(err => ({
+    path: err.instancePath || "",
+    message: err.message || "Validation failed",
+    keyword: err.keyword,
+    params: err.params,
+  }));
+  
+  return { valid: false, errors, data };
+}
+
+/**
+ * Validate data object against schema
+ */
+function validateData(data, schemaId) {
+  const validator = getValidator(schemaId);
+  
+  if (!validator) {
+    return {
+      valid: false,
+      errors: [{ path: "", message: `Schema ${schemaId} not found`, keyword: "schema" }],
+    };
+  }
+  
+  const valid = validator(data);
+  
+  if (valid) {
+    return { valid: true, errors: [] };
+  }
+  
+  const errors = (validator.errors || []).map(err => ({
+    path: err.instancePath || "",
+    message: err.message || "Validation failed",
+    keyword: err.keyword,
+  }));
+  
+  return { valid: false, errors };
+}
+
+/**
+ * Validate and write artifact with schema check
+ */
+function writeValidatedArtifact(filePath, data, schemaId, options = {}) {
+  const { strict = false, warnOnly = true } = options;
+  
+  const result = validateData(data, schemaId);
+  
+  if (!result.valid) {
+    const message = `Artifact ${filePath} has ${result.errors.length} schema violations`;
+    
+    if (strict) {
+      throw new Error(`${message}: ${result.errors.map(e => e.message).join(", ")}`);
+    }
+    
+    if (warnOnly) {
+      console.warn(`Warning: ${message}:`);
+      result.errors.slice(0, 5).forEach(e => 
+        console.warn(`  - ${e.path || "/"}: ${e.message}`)
+      );
+      if (result.errors.length > 5) {
+        console.warn(`  ... and ${result.errors.length - 5} more errors`);
+      }
+    }
+  }
+
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+  
+  return { 
+    written: true, 
+    path: filePath,
+    valid: result.valid,
+    errors: result.errors,
+  };
+}
+
+// =============================================================================
+// FINDING GENERATION (kept for compatibility with validator.js)
+// =============================================================================
+
+/**
+ * Generate stable fingerprint for deduplication
+ */
+function generateFingerprint(parts) {
+  const content = parts.filter(Boolean).join("|");
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+
+/**
+ * Generate finding ID
+ */
+function generateFindingId(detectorId, fingerprint) {
+  return `F_${detectorId}_${fingerprint.slice(0, 8).toUpperCase()}`;
+}
+
+/**
+ * Generate evidence ID
+ */
+function generateEvidenceId(fingerprint) {
+  return `E_${fingerprint.slice(0, 12).toUpperCase()}`;
+}
+
+/**
+ * Create a spec-compliant finding
+ */
+function createFinding(options = {}) {
+  const {
+    detectorId,
+    severity = "WARN",
+    category = "Routes",
+    scope = "client",
+    title,
+    why,
+    confidence = "medium",
+    evidence = [],
+    repro = null,
+    related = [],
+    proofNode = null,
+    missionType = null,
+    file = null,
+    path: routePath = null,
+    method = null,
+  } = options;
+
+  const fingerprint = generateFingerprint([
+    detectorId,
+    file,
+    routePath,
+    method,
+    title,
+  ]);
+
+  const finding = {
+    id: generateFindingId(detectorId, fingerprint),
+    detectorId,
+    fingerprint: `sha256:${fingerprint}`,
+    severity,
+    category,
+    scope,
+    title,
+    why,
+    confidence,
+    evidence: evidence.map((e, i) => ({
+      id: e.id || generateEvidenceId(fingerprint + i),
+      kind: e.kind || "file",
+      ...e,
+    })),
+    repro,
+    related,
+    proofNode,
+    missionType,
+  };
+  
+  // Validate the finding
+  const result = validateData(finding, SCHEMAS.FINDING_V3);
+  if (!result.valid) {
+    console.warn(`Warning: Created finding has schema violations:`, result.errors.slice(0, 3));
+  }
+  
+  return finding;
+}
+
+/**
+ * Create file evidence
+ */
+function createFileEvidence(options = {}) {
+  const { file, lines, snippetHash, reason } = options;
+  const fp = generateFingerprint([file, lines, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "file",
+    file,
+    lines,
+    snippetHash,
+    reason,
+  };
+}
+
+/**
+ * Create runtime evidence
+ */
+function createRuntimeEvidence(options = {}) {
+  const { url, httpStatus, reason, data } = options;
+  const fp = generateFingerprint([url, httpStatus, reason]);
+  
+  return {
+    id: generateEvidenceId(fp),
+    kind: "request",
+    url,
+    httpStatus,
+    reason,
+    data,
+  };
+}
+
+// =============================================================================
+// SEVERITY POLICY (kept for compatibility with validator.js)
+// =============================================================================
+
+const SEVERITY_POLICY = {
+  ROUTE_MISSING: { default: "BLOCK", withRuntimeProof: "BLOCK" },
+  ROUTE_404: { default: "BLOCK" },
+  ROUTE_405: { default: "WARN" },
+  AUTH_BYPASS: { default: "BLOCK" },
+  AUTH_MISSING: { default: "WARN", criticalPath: "BLOCK" },
+  FAKE_SUCCESS: { default: "BLOCK" },
+  SUCCESS_TOAST_NO_CHANGE: { default: "BLOCK" },
+  SUCCESS_BEFORE_REQUEST: { default: "BLOCK" },
+  DEAD_CLICK: { default: "BLOCK" },
+  NO_FEEDBACK: { default: "WARN" },
+  CONTRACT_DRIFT_ROUTE: { default: "WARN", blocking: "BLOCK" },
+  CONTRACT_DRIFT_ENV: { default: "WARN", required: "BLOCK" },
+  CONTRACT_DRIFT_AUTH: { default: "BLOCK" },
+  STRIPE_WEBHOOK_UNVERIFIED: { default: "BLOCK" },
+  PAID_SURFACE_UNENFORCED: { default: "BLOCK" },
+  OWNER_MODE_BYPASS: { default: "BLOCK" },
+  HARDCODED_SECRET: { default: "BLOCK" },
+};
+
+/**
+ * Get severity based on policy
+ */
+function getSeverity(issueType, context = {}) {
+  const policy = SEVERITY_POLICY[issueType];
+  if (!policy) return "WARN";
+
+  if (context.hasRuntimeProof && policy.withRuntimeProof) {
+    return policy.withRuntimeProof;
+  }
+  if (context.isCriticalPath && policy.criticalPath) {
+    return policy.criticalPath;
+  }
+  if (context.isBlocking && policy.blocking) {
+    return policy.blocking;
+  }
+  if (context.isRequired && policy.required) {
+    return policy.required;
+  }
+
+  return policy.default;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  // Schema operations
+  SCHEMAS,
+  loadSchema,
+  getValidator,
+  validateAgainstSchema,
+  validateArtifact,
+  validateData,
+  writeValidatedArtifact,
+  
+  // Finding generation
+  generateFingerprint,
+  generateFindingId,
+  generateEvidenceId,
+  createFinding,
+  createFileEvidence,
+  createRuntimeEvidence,
+  
+  // Severity policy
+  SEVERITY_POLICY,
+  getSeverity,
+  
+  // AJV access for advanced usage
+  getAjv,
+};

package/bin/runners/lib/schemas/error-envelope.schema.json

@@ -0,0 +1,105 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/error-envelope.schema.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "Vibecheck Error Envelope",
+  "description": "Standardized error response wrapper",
+  "type": "object",
+  "required": [
+    "error",
+    "code",
+    "message"
+  ],
+  "properties": {
+    "error": {
+      "type": "boolean",
+      "const": true,
+      "description": "Always true for error responses"
+    },
+    "code": {
+      "type": "string",
+      "enum": [
+        "SCHEMA_INVALID",
+        "TOOL_NOT_FOUND",
+        "TIER_REQUIRED",
+        "AUTH_REQUIRED",
+        "AUTH_INVALID",
+        "RATE_LIMITED",
+        "TIMEOUT",
+        "PROJECT_NOT_FOUND",
+        "CONFIG_INVALID",
+        "INTERNAL_ERROR",
+        "NETWORK_ERROR",
+        "PARSE_ERROR"
+      ],
+      "description": "Machine-readable error code"
+    },
+    "message": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Human-readable error message"
+    },
+    "details": {
+      "type": ["object", "null"],
+      "description": "Additional error details",
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "JSON path to invalid field (for SCHEMA_INVALID)"
+        },
+        "expected": {
+          "type": "string",
+          "description": "Expected value or type"
+        },
+        "received": {
+          "type": "string",
+          "description": "Received value or type"
+        },
+        "schema_errors": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "instancePath": { "type": "string" },
+              "schemaPath": { "type": "string" },
+              "keyword": { "type": "string" },
+              "params": { "type": "object" },
+              "message": { "type": "string" }
+            }
+          },
+          "description": "Detailed AJV validation errors"
+        },
+        "required_tier": {
+          "type": "string",
+          "enum": ["free", "pro", "enterprise"],
+          "description": "Required tier (for TIER_REQUIRED)"
+        },
+        "current_tier": {
+          "type": "string",
+          "enum": ["free", "pro", "enterprise"],
+          "description": "Current user tier"
+        },
+        "retry_after_ms": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Milliseconds to wait before retry (for RATE_LIMITED)"
+        }
+      }
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 timestamp of error occurrence"
+    },
+    "correlation_id": {
+      "type": ["string", "null"],
+      "description": "Correlation ID for tracing"
+    },
+    "help_url": {
+      "type": ["string", "null"],
+      "format": "uri",
+      "description": "URL to documentation for this error"
+    }
+  },
+  "additionalProperties": false
+}