@vibecheckai/cli 3.7.0 → 3.8.0

package/bin/runners/lib/engines/attack-detector.js

@@ -0,0 +1,1192 @@
+/**
+ * Attack Detector Engine - "Convincing Wrongness" Scanner
+ * 
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * Finds code that LOOKS done but DOESN'T WORK.
+ * The most dangerous kind of bug: the invisible one.
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * 
+ * Attack Categories:
+ * 1. DEAD_ROUTE        - Routes that exist but don't work (client/server mismatch)
+ * 2. GHOST_ENV         - Env vars used but never declared
+ * 3. FAKE_SUCCESS      - UI shows success without actual operation
+ * 4. AUTH_DRIFT        - Auth patterns that look secure but aren't
+ * 5. MOCK_LANDMINE     - Mock/TODO code hidden in production paths
+ * 6. SILENT_FAIL       - Errors swallowed without user feedback
+ * 7. OPTIMISTIC_BOMB   - Optimistic UI without rollback
+ * 8. PAID_THEATER      - Paid features that aren't enforced
+ * 
+ * @version 2.0.0
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const fg = require("fast-glob");
+const crypto = require("crypto");
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// CONSTANTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const STANDARD_IGNORE = [
+  "**/node_modules/**",
+  "**/.git/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/.next/**",
+  "**/coverage/**",
+  "**/_archive/**",
+  "**/*.min.js",
+  "**/*.bundle.js",
+];
+
+const TEST_FILE_PATTERNS = [
+  /\.(test|spec|stories|mock)\.(tsx?|jsx?)$/i,
+  /__tests__/,
+  /__mocks__/,
+  /\/test\//,
+  /\/tests\//,
+  /\.test\./,
+  /\.spec\./,
+];
+
+// Critical paths where findings are more severe
+const CRITICAL_PATHS = [
+  "**/api/**",
+  "**/auth/**",
+  "**/payment/**",
+  "**/billing/**",
+  "**/checkout/**",
+  "**/middleware/**",
+  "**/login/**",
+  "**/signup/**",
+  "**/register/**",
+  "**/admin/**",
+  "**/dashboard/**",
+];
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// FINDING SCHEMA
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * @typedef {Object} AttackFinding
+ * @property {string} id - Stable unique ID (e.g., "ATK-001-abc123")
+ * @property {string} type - Attack category
+ * @property {string} severity - "critical" | "high" | "medium" | "low"
+ * @property {number} confidence - 0-100 confidence score
+ * @property {number} blastRadius - 1-10 impact scope
+ * @property {string} title - Human-readable title
+ * @property {string} description - What's wrong
+ * @property {string} file - File path (relative)
+ * @property {number} line - Line number
+ * @property {string} snippet - Code snippet (max 120 chars)
+ * @property {string} whyConvincing - Why it LOOKS correct
+ * @property {string} whyWrong - Why it DOESN'T work
+ * @property {string} howToProve - Steps to verify the bug exists
+ * @property {string} howToFix - Actionable fix instructions
+ * @property {Array<{file: string, line?: number, reason: string}>} evidence - Supporting evidence
+ * @property {boolean} inCriticalPath - Is this in auth/payment/etc
+ * @property {string} attackVector - How this could be exploited
+ */
+
+/**
+ * @typedef {Object} AttackReport
+ * @property {string} version - Report format version
+ * @property {string} timestamp - ISO timestamp
+ * @property {string} projectPath - Scanned project path
+ * @property {string} mode - "fast" | "deep"
+ * @property {AttackFinding[]} findings - All findings
+ * @property {Object} summary - Summary statistics
+ * @property {number} attackScore - 0-100 vulnerability score
+ * @property {Object} manifest - Deterministic manifest for CI
+ */
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// SEVERITY MODEL
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const SEVERITY_WEIGHTS = {
+  critical: 100,
+  high: 40,
+  medium: 15,
+  low: 5,
+};
+
+const BLAST_RADIUS = {
+  // Scope of impact
+  SINGLE_FILE: 1,
+  SINGLE_FEATURE: 3,
+  MODULE: 5,
+  CROSS_MODULE: 7,
+  ENTIRE_APP: 10,
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// UTILITY FUNCTIONS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function stableId(type, context) {
+  const hash = crypto.createHash("sha256")
+    .update(`${type}:${context}`)
+    .digest("hex")
+    .slice(0, 8);
+  return `ATK-${type.slice(0, 3).toUpperCase()}-${hash}`;
+}
+
+function isTestFile(filePath) {
+  return TEST_FILE_PATTERNS.some(pattern => 
+    pattern instanceof RegExp ? pattern.test(filePath) : filePath.includes(pattern)
+  );
+}
+
+function isInCriticalPath(filePath) {
+  const normalized = filePath.replace(/\\/g, "/").toLowerCase();
+  for (const pattern of CRITICAL_PATHS) {
+    const regex = new RegExp(pattern.replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*"));
+    if (regex.test(normalized)) return true;
+  }
+  return false;
+}
+
+function readFileContent(filePath) {
+  try {
+    return fs.readFileSync(filePath, "utf8");
+  } catch {
+    return null;
+  }
+}
+
+function getSnippet(content, line, maxLength = 120) {
+  const lines = content.split("\n");
+  const targetLine = lines[line - 1] || "";
+  return targetLine.trim().slice(0, maxLength);
+}
+
+function getCodeContext(content, line, before = 2, after = 2) {
+  const lines = content.split("\n");
+  const start = Math.max(0, line - 1 - before);
+  const end = Math.min(lines.length, line + after);
+  return lines.slice(start, end).join("\n");
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// ATTACK DETECTORS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * ATTACK 1: Dead Routes - Routes that exist but don't work
+ * Client references a route that doesn't exist on server, or vice versa
+ */
+function detectDeadRoutes(repoRoot, mode = "fast") {
+  const findings = [];
+  
+  // Find API routes (server-side)
+  const apiRoutes = new Map();
+  const apiFiles = fg.sync([
+    "**/app/api/**/route.{ts,tsx,js,jsx}",
+    "**/pages/api/**/*.{ts,tsx,js,jsx}",
+    "**/src/api/**/*.{ts,tsx,js,jsx}",
+    "**/server/routes/**/*.{ts,tsx,js,jsx}",
+  ], { cwd: repoRoot, absolute: true, ignore: STANDARD_IGNORE });
+
+  for (const file of apiFiles) {
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+    
+    // Extract route path from file path
+    let routePath = "";
+    if (relPath.includes("app/api/")) {
+      routePath = "/api/" + relPath.split("app/api/")[1].replace(/\/route\.(ts|tsx|js|jsx)$/, "");
+    } else if (relPath.includes("pages/api/")) {
+      routePath = "/api/" + relPath.split("pages/api/")[1].replace(/\.(ts|tsx|js|jsx)$/, "");
+    }
+    
+    // Check what HTTP methods are exported
+    const methods = [];
+    if (/export\s+(async\s+)?function\s+GET/m.test(content)) methods.push("GET");
+    if (/export\s+(async\s+)?function\s+POST/m.test(content)) methods.push("POST");
+    if (/export\s+(async\s+)?function\s+PUT/m.test(content)) methods.push("PUT");
+    if (/export\s+(async\s+)?function\s+DELETE/m.test(content)) methods.push("DELETE");
+    if (/export\s+(async\s+)?function\s+PATCH/m.test(content)) methods.push("PATCH");
+    
+    // Check for stub implementations
+    const isStub = /throw\s+new\s+Error\s*\(\s*["'`]Not implemented/i.test(content) ||
+                   /\/\/\s*TODO/i.test(content) ||
+                   /return\s+(NextResponse\.)?json\s*\(\s*\{\s*\}\s*\)/.test(content);
+    
+    apiRoutes.set(routePath, { file: relPath, methods, isStub, content });
+  }
+
+  // Find client-side fetch calls
+  const clientFiles = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [...STANDARD_IGNORE, "**/api/**"],
+  });
+
+  for (const file of clientFiles) {
+    if (isTestFile(file)) continue;
+    
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+    
+    // Find fetch calls to /api routes
+    const fetchPattern = /fetch\s*\(\s*["'`]([^"'`]+api[^"'`]*)["'`]/g;
+    let match;
+    
+    while ((match = fetchPattern.exec(content)) !== null) {
+      const fetchUrl = match[1];
+      const line = content.slice(0, match.index).split("\n").length;
+      
+      // Normalize URL
+      let normalizedUrl = fetchUrl.split("?")[0]; // Remove query params
+      normalizedUrl = normalizedUrl.replace(/\$\{[^}]+\}/g, "[param]"); // Replace template literals
+      
+      // Check if route exists
+      if (normalizedUrl.startsWith("/api/") && !apiRoutes.has(normalizedUrl)) {
+        // Check for dynamic routes
+        const dynamicMatches = [...apiRoutes.keys()].filter(r => {
+          const pattern = r.replace(/\[.*?\]/g, "[^/]+");
+          return new RegExp(`^${pattern}$`).test(normalizedUrl);
+        });
+        
+        if (dynamicMatches.length === 0) {
+          findings.push({
+            id: stableId("DEAD_ROUTE", `${relPath}:${line}:${normalizedUrl}`),
+            type: "DEAD_ROUTE",
+            severity: isInCriticalPath(relPath) ? "critical" : "high",
+            confidence: 85,
+            blastRadius: BLAST_RADIUS.SINGLE_FEATURE,
+            title: `Dead API route: ${normalizedUrl}`,
+            description: `Client fetches ${normalizedUrl} but no matching API route exists`,
+            file: relPath,
+            line,
+            snippet: getSnippet(content, line),
+            whyConvincing: "The fetch call looks correct with proper URL formatting",
+            whyWrong: "The server has no handler for this route - requests will 404",
+            howToProve: `curl -X GET http://localhost:3000${normalizedUrl} - expect 404`,
+            howToFix: `Create API route at app/api${normalizedUrl.replace("/api", "")}/route.ts`,
+            evidence: [{ file: relPath, line, reason: "Fetch call to missing route" }],
+            inCriticalPath: isInCriticalPath(relPath),
+            attackVector: "Feature appears to work in UI but silently fails",
+          });
+        }
+      }
+    }
+  }
+
+  // Check for stub routes
+  for (const [routePath, { file, methods, isStub, content }] of apiRoutes) {
+    if (isStub) {
+      const line = content.split("\n").findIndex(l => 
+        /throw\s+new\s+Error\s*\(\s*["'`]Not implemented/i.test(l) ||
+        /\/\/\s*TODO/i.test(l)
+      ) + 1 || 1;
+      
+      findings.push({
+        id: stableId("DEAD_ROUTE", `${file}:stub:${routePath}`),
+        type: "DEAD_ROUTE",
+        severity: isInCriticalPath(file) ? "critical" : "high",
+        confidence: 95,
+        blastRadius: BLAST_RADIUS.SINGLE_FEATURE,
+        title: `Stub API route: ${routePath}`,
+        description: `API route exists but throws "Not implemented" or has TODO`,
+        file,
+        line,
+        snippet: getSnippet(content, line),
+        whyConvincing: "Route file exists with proper Next.js structure",
+        whyWrong: "Handler throws error or is incomplete - will fail at runtime",
+        howToProve: `curl -X ${methods[0] || "GET"} http://localhost:3000${routePath}`,
+        howToFix: "Implement the route handler with actual logic",
+        evidence: [{ file, line, reason: "Stub implementation detected" }],
+        inCriticalPath: isInCriticalPath(file),
+        attackVector: "Feature endpoint returns 500 errors to users",
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * ATTACK 2: Ghost Env - Environment variables used but never declared
+ */
+function detectGhostEnv(repoRoot, mode = "fast") {
+  const findings = [];
+  
+  // Standard Node.js/runtime env vars that don't need to be declared
+  const STANDARD_ENV_VARS = new Set([
+    "NODE_ENV",
+    "CI",
+    "DEBUG",
+    "HOME",
+    "PATH",
+    "USER",
+    "PWD",
+    "SHELL",
+    "TERM",
+    "LANG",
+    "TZ",
+    "TMPDIR",
+    "TEMP",
+    "TMP",
+    "npm_package_version",
+    "npm_package_name",
+  ]);
+  
+  // Find declared env vars
+  const declaredEnvVars = new Set(STANDARD_ENV_VARS);
+  const envFiles = [".env", ".env.local", ".env.example", ".env.template", ".env.development"];
+  
+  for (const envFile of envFiles) {
+    const envPath = path.join(repoRoot, envFile);
+    const content = readFileContent(envPath);
+    if (!content) continue;
+    
+    const varPattern = /^([A-Z][A-Z0-9_]*)=/gm;
+    let match;
+    while ((match = varPattern.exec(content)) !== null) {
+      declaredEnvVars.add(match[1]);
+    }
+  }
+
+  // Find used env vars in code
+  const codeFiles = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE,
+  });
+
+  for (const file of codeFiles) {
+    if (isTestFile(file)) continue;
+    
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+    
+    // Find process.env.VAR_NAME usage
+    const envUsagePattern = /process\.env\.([A-Z][A-Z0-9_]*)/g;
+    let match;
+    
+    while ((match = envUsagePattern.exec(content)) !== null) {
+      const varName = match[1];
+      const line = content.slice(0, match.index).split("\n").length;
+      
+      // Skip if declared
+      if (declaredEnvVars.has(varName)) continue;
+      
+      // Check if there's a fallback
+      const snippet = getSnippet(content, line);
+      const hasFallback = /\|\||\?\?/.test(snippet) || 
+                          new RegExp(`${varName}.*\\|\\||${varName}.*\\?\\?`).test(snippet);
+      
+      // Check if it's conditionally checked
+      const context = getCodeContext(content, line, 3, 0);
+      const isConditional = /if\s*\([^)]*process\.env/.test(context);
+      
+      if (!hasFallback && !isConditional) {
+        findings.push({
+          id: stableId("GHOST_ENV", `${relPath}:${line}:${varName}`),
+          type: "GHOST_ENV",
+          severity: isInCriticalPath(relPath) ? "critical" : "high",
+          confidence: hasFallback ? 60 : 90,
+          blastRadius: isInCriticalPath(relPath) ? BLAST_RADIUS.MODULE : BLAST_RADIUS.SINGLE_FEATURE,
+          title: `Missing env var: ${varName}`,
+          description: `Code uses ${varName} but it's not declared in any .env file`,
+          file: relPath,
+          line,
+          snippet,
+          whyConvincing: "Environment variable access looks standard",
+          whyWrong: `${varName} is undefined - will be 'undefined' or cause runtime crash`,
+          howToProve: `Add console.log(process.env.${varName}) - will be undefined`,
+          howToFix: `Add ${varName}=your_value to .env.local and .env.example`,
+          evidence: [{ file: relPath, line, reason: `Uses undeclared ${varName}` }],
+          inCriticalPath: isInCriticalPath(relPath),
+          attackVector: "Feature silently fails or crashes in production",
+        });
+      }
+    }
+
+    // Check for import.meta.env (Vite)
+    const viteEnvPattern = /import\.meta\.env\.([A-Z][A-Z0-9_]*)/g;
+    while ((match = viteEnvPattern.exec(content)) !== null) {
+      const varName = match[1];
+      const line = content.slice(0, match.index).split("\n").length;
+      
+      if (!declaredEnvVars.has(varName) && !varName.startsWith("VITE_")) {
+        findings.push({
+          id: stableId("GHOST_ENV", `${relPath}:${line}:${varName}:vite`),
+          type: "GHOST_ENV",
+          severity: "high",
+          confidence: 85,
+          blastRadius: BLAST_RADIUS.SINGLE_FEATURE,
+          title: `Missing Vite env var: ${varName}`,
+          description: `Vite env var ${varName} used but not declared`,
+          file: relPath,
+          line,
+          snippet: getSnippet(content, line),
+          whyConvincing: "Vite env pattern looks correct",
+          whyWrong: "Variable will be undefined at build time",
+          howToProve: "Check browser console for undefined value",
+          howToFix: `Add VITE_${varName}=value to .env`,
+          evidence: [{ file: relPath, line, reason: "Undeclared Vite env" }],
+          inCriticalPath: isInCriticalPath(relPath),
+          attackVector: "Client-side feature breaks silently",
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * ATTACK 3: Fake Success - UI shows success without actual operation
+ */
+function detectFakeSuccess(repoRoot, mode = "fast") {
+  const findings = [];
+  
+  const codeFiles = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE,
+  });
+
+  // Patterns that indicate fake success
+  const fakeSuccessPatterns = [
+    // Toast/notification without API call
+    {
+      pattern: /toast\.(success|info)\s*\([^)]+\)\s*;?\s*$/m,
+      name: "Toast success without API",
+      check: (content, match) => {
+        // Check if there's an await/fetch nearby
+        const context = getCodeContext(content, content.slice(0, match.index).split("\n").length, 10, 0);
+        return !/await\s|fetch\(|\.mutate\(|\.post\(|\.put\(/.test(context);
+      }
+    },
+    // Direct success state without API
+    {
+      pattern: /set(Is)?Success\s*\(\s*true\s*\)/,
+      name: "Success state set directly",
+      check: (content, match) => {
+        const context = getCodeContext(content, content.slice(0, match.index).split("\n").length, 10, 0);
+        return !/await\s|fetch\(|\.mutate\(|try\s*\{/.test(context);
+      }
+    },
+    // Alert success without operation
+    {
+      pattern: /alert\s*\(\s*["'`][^"'`]*success[^"'`]*["'`]\s*\)/i,
+      name: "Alert success message",
+      check: (content, match) => {
+        const context = getCodeContext(content, content.slice(0, match.index).split("\n").length, 10, 0);
+        return !/await\s|fetch\(|\.mutate\(/.test(context);
+      }
+    },
+    // onClick handlers that just show success
+    {
+      pattern: /onClick\s*=\s*\{\s*\(\s*\)\s*=>\s*\{?\s*(toast|alert|setSuccess|setIs)/,
+      name: "Click handler shows success immediately",
+      check: () => true, // Always suspicious
+    },
+  ];
+
+  for (const file of codeFiles) {
+    if (isTestFile(file)) continue;
+    
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+
+    for (const { pattern, name, check } of fakeSuccessPatterns) {
+      const regex = new RegExp(pattern, "gm");
+      let match;
+      
+      while ((match = regex.exec(content)) !== null) {
+        if (check && !check(content, match)) continue;
+        
+        const line = content.slice(0, match.index).split("\n").length;
+        
+        findings.push({
+          id: stableId("FAKE_SUCCESS", `${relPath}:${line}:${name}`),
+          type: "FAKE_SUCCESS",
+          severity: isInCriticalPath(relPath) ? "critical" : "medium",
+          confidence: 75,
+          blastRadius: BLAST_RADIUS.SINGLE_FEATURE,
+          title: `Fake success: ${name}`,
+          description: "UI shows success message without performing actual operation",
+          file: relPath,
+          line,
+          snippet: getSnippet(content, line),
+          whyConvincing: "Success feedback looks like normal UX pattern",
+          whyWrong: "No API call, mutation, or database operation - data not saved",
+          howToProve: "Click the button, refresh page - changes are lost",
+          howToFix: "Add actual API call/mutation, show success only after 200 response",
+          evidence: [{ file: relPath, line, reason: name }],
+          inCriticalPath: isInCriticalPath(relPath),
+          attackVector: "User thinks action succeeded but nothing was saved",
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * ATTACK 4: Auth Drift - Auth patterns that look secure but aren't
+ */
+function detectAuthDrift(repoRoot, mode = "fast") {
+  const findings = [];
+  
+  // Find middleware and auth files
+  const authFiles = fg.sync([
+    "**/middleware.{ts,tsx,js,jsx}",
+    "**/auth/**/*.{ts,tsx,js,jsx}",
+    "**/api/**/*.{ts,tsx,js,jsx}",
+  ], { cwd: repoRoot, absolute: true, ignore: STANDARD_IGNORE });
+
+  // Check for auth patterns
+  for (const file of authFiles) {
+    if (isTestFile(file)) continue;
+    
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+
+    // Pattern 1: Auth check with early return bypass
+    const earlyReturnPattern = /if\s*\(\s*!session\s*\)\s*\{[^}]*return\s+.*\}/g;
+    let match;
+    while ((match = earlyReturnPattern.exec(content)) !== null) {
+      // Check if there's a bypass condition before
+      const before = content.slice(Math.max(0, match.index - 200), match.index);
+      if (/if\s*\([^)]*dev|if\s*\([^)]*test|if\s*\([^)]*demo/i.test(before)) {
+        const line = content.slice(0, match.index).split("\n").length;
+        findings.push({
+          id: stableId("AUTH_DRIFT", `${relPath}:${line}:bypass`),
+          type: "AUTH_DRIFT",
+          severity: "critical",
+          confidence: 90,
+          blastRadius: BLAST_RADIUS.ENTIRE_APP,
+          title: "Auth bypass in dev/test mode",
+          description: "Authentication can be bypassed with dev/test flag",
+          file: relPath,
+          line,
+          snippet: getSnippet(content, line),
+          whyConvincing: "Auth check exists and looks proper",
+          whyWrong: "Dev/test bypass may be active in production",
+          howToProve: "Set NODE_ENV=development and access protected route",
+          howToFix: "Remove dev bypasses or ensure env check is strict",
+          evidence: [{ file: relPath, line, reason: "Dev bypass before auth check" }],
+          inCriticalPath: true,
+          attackVector: "Attacker sets dev flag to bypass authentication",
+        });
+      }
+    }
+
+    // Pattern 2: API routes without auth
+    if (relPath.includes("/api/") && !relPath.includes("/auth/") && !relPath.includes("/public/")) {
+      const hasAuthCheck = /getServerSession|auth\(\)|getSession|withAuth|requireAuth|verifyToken|jwtVerify/.test(content);
+      const hasPublicComment = /\/\/\s*public|\/\*\s*public|\*\s*@public/i.test(content);
+      
+      if (!hasAuthCheck && !hasPublicComment) {
+        // Check if it's handling sensitive operations
+        const hasSensitiveOp = /create|update|delete|post|put|patch|prisma\.|db\./i.test(content);
+        
+        if (hasSensitiveOp) {
+          findings.push({
+            id: stableId("AUTH_DRIFT", `${relPath}:noauth`),
+            type: "AUTH_DRIFT",
+            severity: "critical",
+            confidence: 80,
+            blastRadius: BLAST_RADIUS.MODULE,
+            title: "API route without authentication",
+            description: "API route performs sensitive operations without auth check",
+            file: relPath,
+            line: 1,
+            snippet: getSnippet(content, 1),
+            whyConvincing: "Route exists with proper API structure",
+            whyWrong: "Anyone can call this endpoint without being logged in",
+            howToProve: "Call endpoint with curl (no auth header) - should work",
+            howToFix: "Add getServerSession() or auth middleware",
+            evidence: [{ file: relPath, reason: "No auth check found in API route" }],
+            inCriticalPath: true,
+            attackVector: "Unauthorized users can access/modify data",
+          });
+        }
+      }
+    }
+
+    // Pattern 3: Role check that can be spoofed
+    const roleCheckPattern = /user\.role\s*===?\s*["'`]admin["'`]|isAdmin\s*:\s*true/g;
+    while ((match = roleCheckPattern.exec(content)) !== null) {
+      // Check if role comes from client input
+      const context = getCodeContext(content, content.slice(0, match.index).split("\n").length, 20, 5);
+      if (/req\.body\..*role|req\.query\..*role|params\..*role/.test(context)) {
+        const line = content.slice(0, match.index).split("\n").length;
+        findings.push({
+          id: stableId("AUTH_DRIFT", `${relPath}:${line}:role-spoof`),
+          type: "AUTH_DRIFT",
+          severity: "critical",
+          confidence: 85,
+          blastRadius: BLAST_RADIUS.ENTIRE_APP,
+          title: "Role check uses client-provided value",
+          description: "Admin/role check may use value from request body",
+          file: relPath,
+          line,
+          snippet: getSnippet(content, line),
+          whyConvincing: "Role check looks like proper authorization",
+          whyWrong: "Role value comes from client - can be forged",
+          howToProve: "Send request with role=admin in body",
+          howToFix: "Get role from database/session, never from client input",
+          evidence: [{ file: relPath, line, reason: "Role from client input" }],
+          inCriticalPath: true,
+          attackVector: "Any user can elevate to admin by setting role in request",
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * ATTACK 5: Mock Landmine - Mock/TODO code in production paths
+ */
+function detectMockLandmines(repoRoot, mode = "fast") {
+  const findings = [];
+  
+  const codeFiles = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE,
+  });
+
+  const landminePatterns = [
+    // Mock data patterns
+    { pattern: /return\s*(NextResponse\.)?json\s*\(\s*\{[^}]*mock/i, name: "Mock data in API response", severity: "high" },
+    { pattern: /return\s*(NextResponse\.)?json\s*\(\s*\{[^}]*fake/i, name: "Fake data in API response", severity: "high" },
+    { pattern: /return\s*(NextResponse\.)?json\s*\(\s*\[\s*\]?\s*\)/, name: "Empty array/object response", severity: "medium" },
+    { pattern: /Promise\.resolve\s*\(\s*\{[^}]*\}?\s*\)/, name: "Fake async - immediately resolved", severity: "medium" },
+    
+    // Demo credentials
+    { pattern: /["'`]user@example\.com["'`]/i, name: "Demo email hardcoded", severity: "high" },
+    { pattern: /["'`]password123["'`]/i, name: "Demo password hardcoded", severity: "critical" },
+    { pattern: /["'`]sk[-_]test[-_]/i, name: "Test API key in code", severity: "critical" },
+    { pattern: /DEMO_API_KEY|YOUR_API_KEY/i, name: "Placeholder API key", severity: "high" },
+    
+    // TODO landmines
+    { pattern: /\/\/\s*TODO:?\s*(implement|add|fix|finish|complete)/i, name: "TODO - not implemented", severity: "medium" },
+    { pattern: /\/\/\s*FIXME/i, name: "FIXME - known bug", severity: "high" },
+    { pattern: /\/\/\s*HACK/i, name: "HACK - temporary workaround", severity: "medium" },
+    { pattern: /throw\s+new\s+Error\s*\(\s*["'`]Not implemented/i, name: "Throws 'Not implemented'", severity: "high" },
+    
+    // Bypass patterns
+    { pattern: /bypassAuth|skipAuth|noAuth/i, name: "Auth bypass flag", severity: "critical" },
+    { pattern: /demoMode|isDemo|testMode/i, name: "Demo/test mode flag", severity: "high" },
+    { pattern: /if\s*\(\s*true\s*\)\s*\{/, name: "Always-true condition", severity: "medium" },
+    { pattern: /if\s*\(\s*false\s*\)\s*\{/, name: "Dead code (always false)", severity: "low" },
+  ];
+
+  for (const file of codeFiles) {
+    if (isTestFile(file)) continue;
+    
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+
+    for (const { pattern, name, severity } of landminePatterns) {
+      const regex = new RegExp(pattern, "gm");
+      let match;
+      
+      while ((match = regex.exec(content)) !== null) {
+        const line = content.slice(0, match.index).split("\n").length;
+        const actualSeverity = isInCriticalPath(relPath) && severity !== "critical" 
+          ? (severity === "low" ? "medium" : "high") 
+          : severity;
+        
+        findings.push({
+          id: stableId("MOCK_LANDMINE", `${relPath}:${line}:${name}`),
+          type: "MOCK_LANDMINE",
+          severity: actualSeverity,
+          confidence: 90,
+          blastRadius: isInCriticalPath(relPath) ? BLAST_RADIUS.MODULE : BLAST_RADIUS.SINGLE_FEATURE,
+          title: `Mock landmine: ${name}`,
+          description: `Production code contains ${name.toLowerCase()}`,
+          file: relPath,
+          line,
+          snippet: getSnippet(content, line),
+          whyConvincing: "Code exists and may appear to work in dev",
+          whyWrong: "Will fail, return wrong data, or bypass security in production",
+          howToProve: name.includes("TODO") 
+            ? "Use the feature - it won't work"
+            : "Check if mock/fake data appears in production",
+          howToFix: name.includes("TODO")
+            ? "Implement the feature or remove the code"
+            : "Replace mock data with real implementation",
+          evidence: [{ file: relPath, line, reason: name }],
+          inCriticalPath: isInCriticalPath(relPath),
+          attackVector: name.includes("bypass") || name.includes("password")
+            ? "Security bypass in production"
+            : "Feature doesn't work as expected",
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * ATTACK 6: Silent Fail - Errors swallowed without feedback
+ */
+function detectSilentFails(repoRoot, mode = "fast") {
+  const findings = [];
+  
+  const codeFiles = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE,
+  });
+
+  for (const file of codeFiles) {
+    if (isTestFile(file)) continue;
+    
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    // Fast path: skip files without try-catch
+    if (!/\bcatch\s*\(/.test(content)) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+    
+    // Find catch blocks
+    const catchPattern = /catch\s*\(\s*(\w+)?\s*\)\s*\{([^{}]*(?:\{[^{}]*\}[^{}]*)*)\}/g;
+    let match;
+    
+    while ((match = catchPattern.exec(content)) !== null) {
+      const errorVar = match[1] || "error";
+      const catchBody = match[2];
+      const line = content.slice(0, match.index).split("\n").length;
+      
+      // Check if catch body is effectively empty
+      const hasLogging = /console\.(error|warn|log)|logger\.(error|warn)|log\.(error|warn)/i.test(catchBody);
+      const hasRethrow = /throw\s/.test(catchBody);
+      const hasUserFeedback = /toast|notification|alert|setError|showError/i.test(catchBody);
+      const hasReturn = /return\s/.test(catchBody);
+      const hasComment = /\/\/\s*intentional|\/\/\s*ignore|\/\/\s*swallow/i.test(catchBody);
+      
+      // Empty catch (only whitespace/comments)
+      if (catchBody.replace(/\/\/.*|\/\*[\s\S]*?\*\/|\s/g, "").length < 3) {
+        findings.push({
+          id: stableId("SILENT_FAIL", `${relPath}:${line}:empty`),
+          type: "SILENT_FAIL",
+          severity: isInCriticalPath(relPath) ? "critical" : "high",
+          confidence: 95,
+          blastRadius: BLAST_RADIUS.SINGLE_FEATURE,
+          title: "Empty catch block",
+          description: "Catch block is empty - errors are completely swallowed",
+          file: relPath,
+          line,
+          snippet: getSnippet(content, line),
+          whyConvincing: "Error handling structure exists",
+          whyWrong: "Errors disappear - no logging, no feedback, no debugging possible",
+          howToProve: "Trigger an error condition - nothing happens",
+          howToFix: `Add console.error(${errorVar}) or show user-friendly error`,
+          evidence: [{ file: relPath, line, reason: "Empty catch block" }],
+          inCriticalPath: isInCriticalPath(relPath),
+          attackVector: "Failures are invisible - users see broken state with no explanation",
+        });
+      }
+      // Silent catch (no user feedback)
+      else if (!hasLogging && !hasRethrow && !hasUserFeedback && !hasComment) {
+        findings.push({
+          id: stableId("SILENT_FAIL", `${relPath}:${line}:silent`),
+          type: "SILENT_FAIL",
+          severity: isInCriticalPath(relPath) ? "high" : "medium",
+          confidence: 75,
+          blastRadius: BLAST_RADIUS.SINGLE_FEATURE,
+          title: "Silent catch - no error feedback",
+          description: "Catch handles error but doesn't log or show user feedback",
+          file: relPath,
+          line,
+          snippet: getSnippet(content, line),
+          whyConvincing: "Catch block exists with some code",
+          whyWrong: "Users get no feedback when something fails",
+          howToProve: "Trigger error - no message appears",
+          howToFix: "Add toast.error() or console.error() for debugging",
+          evidence: [{ file: relPath, line, reason: "No user feedback in catch" }],
+          inCriticalPath: isInCriticalPath(relPath),
+          attackVector: "User confusion - action failed but no error shown",
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * ATTACK 7: Optimistic Bomb - Optimistic UI without rollback
+ */
+function detectOptimisticBombs(repoRoot, mode = "fast") {
+  const findings = [];
+  
+  const codeFiles = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE,
+  });
+
+  for (const file of codeFiles) {
+    if (isTestFile(file)) continue;
+    
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    // Fast path: skip files without optimistic patterns
+    if (!/setState|set[A-Z]\w*|useOptimistic|optimistic/i.test(content)) continue;
+    if (!/fetch|axios|mutate|useMutation/i.test(content)) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+    
+    // Pattern: state update followed by fetch without try-catch rollback
+    const stateUpdatePattern = /(set[A-Z]\w*|setState)\s*\([^)]+\)/g;
+    let match;
+    
+    while ((match = stateUpdatePattern.exec(content)) !== null) {
+      const line = content.slice(0, match.index).split("\n").length;
+      const afterUpdate = content.slice(match.index, match.index + 500);
+      
+      // Check if there's a fetch/mutation call after
+      if (!/fetch\(|axios\.|\.mutate\(|useMutation/.test(afterUpdate)) continue;
+      
+      // Check for rollback in catch
+      const hasCatch = /catch\s*\([^)]*\)\s*\{/.test(afterUpdate);
+      let hasRollback = false;
+      
+      if (hasCatch) {
+        const catchMatch = afterUpdate.match(/catch\s*\([^)]*\)\s*\{([^{}]*(?:\{[^{}]*\}[^{}]*)*)\}/);
+        if (catchMatch) {
+          hasRollback = /set[A-Z]\w*|setState/.test(catchMatch[1]);
+        }
+      }
+      
+      if (!hasRollback) {
+        findings.push({
+          id: stableId("OPTIMISTIC_BOMB", `${relPath}:${line}`),
+          type: "OPTIMISTIC_BOMB",
+          severity: isInCriticalPath(relPath) ? "high" : "medium",
+          confidence: 70,
+          blastRadius: BLAST_RADIUS.SINGLE_FEATURE,
+          title: "Optimistic update without rollback",
+          description: "State updated before API call, but no rollback on failure",
+          file: relPath,
+          line,
+          snippet: getSnippet(content, line),
+          whyConvincing: "Optimistic UI pattern looks correct",
+          whyWrong: "If API fails, UI shows success but data wasn't saved",
+          howToProve: "Update item, kill network, refresh - changes gone",
+          howToFix: "Store previous state, restore in catch block on error",
+          evidence: [{ file: relPath, line, reason: "No rollback in catch" }],
+          inCriticalPath: isInCriticalPath(relPath),
+          attackVector: "Data loss - users think changes saved but they weren't",
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * ATTACK 8: Paid Theater - Paid features that aren't enforced
+ */
+function detectPaidTheater(repoRoot, mode = "fast") {
+  const findings = [];
+  
+  // Find pricing/tier related files
+  const pricingFiles = fg.sync([
+    "**/pricing/**/*.{ts,tsx,js,jsx}",
+    "**/billing/**/*.{ts,tsx,js,jsx}",
+    "**/subscription/**/*.{ts,tsx,js,jsx}",
+    "**/plans/**/*.{ts,tsx,js,jsx}",
+    "**/*tier*.{ts,tsx,js,jsx}",
+    "**/*plan*.{ts,tsx,js,jsx}",
+  ], { cwd: repoRoot, absolute: true, ignore: STANDARD_IGNORE });
+
+  // Track premium features mentioned
+  const premiumFeatures = new Set();
+  const premiumPatterns = [
+    /["'`](pro|premium|enterprise|paid|unlimited)["'`]/gi,
+    /tier\s*[=!]==?\s*["'`](pro|premium|enterprise|paid)/gi,
+    /isPro|isPremium|isEnterprise|isPaid/gi,
+  ];
+
+  for (const file of pricingFiles) {
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    for (const pattern of premiumPatterns) {
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        premiumFeatures.add(match[0].toLowerCase());
+      }
+    }
+  }
+
+  if (premiumFeatures.size === 0) return findings;
+
+  // Check API routes for enforcement
+  const apiFiles = fg.sync([
+    "**/app/api/**/route.{ts,tsx,js,jsx}",
+    "**/pages/api/**/*.{ts,tsx,js,jsx}",
+  ], { cwd: repoRoot, absolute: true, ignore: STANDARD_IGNORE });
+
+  for (const file of apiFiles) {
+    if (isTestFile(file)) continue;
+    
+    const content = readFileContent(file);
+    if (!content) continue;
+    
+    const relPath = path.relative(repoRoot, file).replace(/\\/g, "/");
+    
+    // Check if route mentions premium but doesn't enforce
+    const mentionsPremium = /pro|premium|enterprise|paid|tier/i.test(content);
+    const hasEnforcement = /checkSubscription|requireTier|isPro|isPremium|subscription\.status|tier\s*[=!]==?/.test(content);
+    const returnsUnauthorized = /401|403|Unauthorized|Forbidden|upgrade/i.test(content);
+    
+    if (mentionsPremium && !hasEnforcement) {
+      findings.push({
+        id: stableId("PAID_THEATER", `${relPath}:no-check`),
+        type: "PAID_THEATER",
+        severity: "high",
+        confidence: 70,
+        blastRadius: BLAST_RADIUS.MODULE,
+        title: "Premium feature without tier check",
+        description: "API route mentions premium/pro but doesn't verify subscription",
+        file: relPath,
+        line: 1,
+        snippet: getSnippet(content, 1),
+        whyConvincing: "Pricing UI shows feature as premium-only",
+        whyWrong: "Anyone can access the API endpoint without paying",
+        howToProve: "Call endpoint with free account - it works",
+        howToFix: "Add tier check: if (!user.isPro) return 403",
+        evidence: [{ file: relPath, reason: "Mentions premium but no enforcement" }],
+        inCriticalPath: true,
+        attackVector: "Revenue loss - free users access paid features",
+      });
+    }
+    
+    if (hasEnforcement && !returnsUnauthorized) {
+      // Has check but might not block
+      const hasBypass = /return\s+true|return\s+next|continue/.test(content.split(/if.*tier|if.*isPro/i)[1] || "");
+      if (hasBypass) {
+        findings.push({
+          id: stableId("PAID_THEATER", `${relPath}:weak-check`),
+          type: "PAID_THEATER",
+          severity: "medium",
+          confidence: 60,
+          blastRadius: BLAST_RADIUS.SINGLE_FEATURE,
+          title: "Weak tier enforcement",
+          description: "Tier check exists but may not properly block access",
+          file: relPath,
+          line: 1,
+          snippet: getSnippet(content, 1),
+          whyConvincing: "Tier check code exists",
+          whyWrong: "Check may be bypassed or not return 403",
+          howToProve: "Test with wrong tier - may still work",
+          howToFix: "Ensure check returns 403 for unauthorized tiers",
+          evidence: [{ file: relPath, reason: "Tier check may not block" }],
+          inCriticalPath: true,
+          attackVector: "Free users might still access paid features",
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// DEEP MODE DETECTORS (Cross-file analysis)
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Deep analysis: Cross-file route integrity check
+ */
+function deepRouteAnalysis(repoRoot) {
+  // More expensive: actually trace imports and exports
+  // TODO: Implement full cross-file analysis
+  return [];
+}
+
+/**
+ * Deep analysis: Auth flow tracing
+ */
+function deepAuthAnalysis(repoRoot) {
+  // Trace auth from middleware through to API routes
+  // TODO: Implement full auth flow analysis
+  return [];
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// MAIN DETECTOR CLASS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+class AttackDetector {
+  constructor(repoRoot, options = {}) {
+    this.repoRoot = repoRoot;
+    this.mode = options.mode || "fast";
+    this.exclude = options.exclude || [];
+    this.findings = [];
+  }
+
+  async scan() {
+    const startTime = Date.now();
+    this.findings = [];
+
+    // Fast mode detectors (cheap, single-file analysis)
+    const fastDetectors = [
+      detectDeadRoutes,
+      detectGhostEnv,
+      detectFakeSuccess,
+      detectAuthDrift,
+      detectMockLandmines,
+      detectSilentFails,
+      detectOptimisticBombs,
+      detectPaidTheater,
+    ];
+
+    for (const detector of fastDetectors) {
+      try {
+        const results = detector(this.repoRoot, this.mode);
+        this.findings.push(...results);
+      } catch (err) {
+        // Log but continue
+        if (process.env.DEBUG) {
+          console.error(`Detector error: ${err.message}`);
+        }
+      }
+    }
+
+    // Deep mode detectors (expensive, cross-file analysis)
+    if (this.mode === "deep") {
+      const deepDetectors = [
+        deepRouteAnalysis,
+        deepAuthAnalysis,
+      ];
+
+      for (const detector of deepDetectors) {
+        try {
+          const results = detector(this.repoRoot);
+          this.findings.push(...results);
+        } catch (err) {
+          if (process.env.DEBUG) {
+            console.error(`Deep detector error: ${err.message}`);
+          }
+        }
+      }
+    }
+
+    // Sort by severity and confidence
+    this.findings.sort((a, b) => {
+      const sevOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+      if (sevOrder[a.severity] !== sevOrder[b.severity]) {
+        return sevOrder[a.severity] - sevOrder[b.severity];
+      }
+      return b.confidence - a.confidence;
+    });
+
+    // Deduplicate by ID
+    const seen = new Set();
+    this.findings = this.findings.filter(f => {
+      if (seen.has(f.id)) return false;
+      seen.add(f.id);
+      return true;
+    });
+
+    return this.generateReport(Date.now() - startTime);
+  }
+
+  generateReport(elapsedMs) {
+    const summary = {
+      total: this.findings.length,
+      critical: this.findings.filter(f => f.severity === "critical").length,
+      high: this.findings.filter(f => f.severity === "high").length,
+      medium: this.findings.filter(f => f.severity === "medium").length,
+      low: this.findings.filter(f => f.severity === "low").length,
+      byType: {},
+      inCriticalPaths: this.findings.filter(f => f.inCriticalPath).length,
+    };
+
+    for (const f of this.findings) {
+      summary.byType[f.type] = (summary.byType[f.type] || 0) + 1;
+    }
+
+    // Calculate attack score (0-100)
+    let attackScore = 0;
+    for (const f of this.findings) {
+      const weight = SEVERITY_WEIGHTS[f.severity] || 5;
+      const confidenceMultiplier = f.confidence / 100;
+      const criticalPathMultiplier = f.inCriticalPath ? 1.5 : 1;
+      attackScore += weight * confidenceMultiplier * criticalPathMultiplier;
+    }
+    attackScore = Math.min(100, Math.round(attackScore));
+
+    // Generate deterministic manifest
+    const manifest = {
+      hash: crypto.createHash("sha256")
+        .update(this.findings.map(f => f.id).sort().join(":"))
+        .digest("hex"),
+      findingCount: this.findings.length,
+      criticalCount: summary.critical,
+      highCount: summary.high,
+      attackScore,
+      findingIds: this.findings.map(f => f.id).sort(),
+    };
+
+    return {
+      version: "2.0.0",
+      timestamp: new Date().toISOString(),
+      projectPath: this.repoRoot,
+      mode: this.mode,
+      elapsedMs,
+      findings: this.findings,
+      summary,
+      attackScore,
+      manifest,
+    };
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+module.exports = {
+  AttackDetector,
+  // Individual detectors for testing
+  detectDeadRoutes,
+  detectGhostEnv,
+  detectFakeSuccess,
+  detectAuthDrift,
+  detectMockLandmines,
+  detectSilentFails,
+  detectOptimisticBombs,
+  detectPaidTheater,
+  // Constants
+  SEVERITY_WEIGHTS,
+  BLAST_RADIUS,
+  CRITICAL_PATHS,
+};