@vibecheckai/cli 3.8.0 → 3.9.1

package/bin/runners/lib/engine/auth-extractor.js

@@ -1,211 +1,211 @@
-// bin/runners/lib/engine/auth-extractor.js
-// Optimized auth/middleware extraction using RepoIndex
-
-const path = require("path");
-const fs = require("fs");
-const crypto = require("crypto");
-
-function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
-}
-
-function evidenceFromContent(content, fileRel, lineNo, reason) {
-  if (!content) return null;
-  const lines = content.split(/\r?\n/);
-  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
-  const snippet = lines[idx] || "";
-  return {
-    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-    file: fileRel,
-    lines: `${lineNo}-${lineNo}`,
-    snippetHash: sha256(snippet),
-    reason
-  };
-}
-
-function findLineMatches(code, regex) {
-  const out = [];
-  const lines = code.split(/\r?\n/);
-  for (let i = 0; i < lines.length; i++) {
-    if (regex.test(lines[i])) out.push(i + 1);
-  }
-  return out;
-}
-
-function guessAuthSignalsFromCode(code) {
-  const signals = [];
-
-  const patterns = [
-    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
-    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
-    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
-    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
-    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
-    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
-    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
-    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
-    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
-  ];
-
-  for (const p of patterns) {
-    if (p.rx.test(code)) signals.push(p.key);
-  }
-  return Array.from(new Set(signals));
-}
-
-/**
- * Resolve Next.js middleware using RepoIndex
- * @param {import('./repo-index').RepoIndex} index
- * @returns {Array}
- */
-function extractNextMiddleware(index) {
-  // Find middleware.ts/js files
-  const middlewareFiles = index.files.filter(f =>
-    /^(src\/)?middleware\.(ts|tsx|js|jsx)$/.test(f.rel)
-  );
-
-  const middlewares = [];
-
-  for (const file of middlewareFiles) {
-    const content = index.getContent(file.abs);
-    if (!content) continue;
-
-    const matcherLines = findLineMatches(content, /\bmatcher\b/);
-    const redirectLines = findLineMatches(content, /\bNextResponse\.(redirect|rewrite)\b/);
-
-    const evidence = [];
-    for (const ln of matcherLines.slice(0, 5)) {
-      evidence.push(evidenceFromContent(content, file.rel, ln, "Next middleware matcher config"));
-    }
-    for (const ln of redirectLines.slice(0, 5)) {
-      evidence.push(evidenceFromContent(content, file.rel, ln, "Next middleware redirect/rewrite"));
-    }
-
-    const matcher = [];
-    const matcherBlock = content.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
-    if (matcherBlock && matcherBlock[1]) {
-      const raw = matcherBlock[1];
-      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
-      matcher.push(...strings);
-    }
-
-    middlewares.push({
-      file: file.rel,
-      matcher,
-      signals: guessAuthSignalsFromCode(content),
-      evidence
-    });
-  }
-
-  return middlewares;
-}
-
-/**
- * Resolve Fastify auth signals using RepoIndex
- * @param {import('./repo-index').RepoIndex} index
- * @param {Array} truthpackRoutes - Server routes from truthpack
- * @returns {Object}
- */
-function extractFastifyAuthSignals(index, truthpackRoutes) {
-  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
-  const signals = [];
-  const evidence = [];
-
-  for (const fileRel of handlerFiles) {
-    // Try to get content from index first (fast path)
-    const fileAbs = path.join(index.repoRoot, fileRel);
-    let content = index.getContent(fileAbs);
-    
-    // Fall back to direct read if not in index
-    if (!content) {
-      try {
-        content = fs.readFileSync(fileAbs, "utf8");
-      } catch {
-        continue;
-      }
-    }
-
-    const sigs = guessAuthSignalsFromCode(content);
-    if (!sigs.length) continue;
-
-    for (const s of sigs) signals.push({ type: s, file: fileRel });
-
-    const authLinePatterns = [
-      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
-      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
-      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
-      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
-    ];
-
-    const lines = content.split(/\r?\n/);
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      for (const p of authLinePatterns) {
-        if (p.rx.test(line)) {
-          evidence.push(evidenceFromContent(content, fileRel, i + 1, p.reason));
-        }
-      }
-      if (evidence.length > 30) break;
-    }
-  }
-
-  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
-
-  return {
-    signalTypes: uniqueTypes,
-    signals,
-    evidence
-  };
-}
-
-function matcherCoversPath(matcherList, p) {
-  if (!Array.isArray(matcherList) || !matcherList.length) return false;
-  const pathStr = p.startsWith("/") ? p : `/${p}`;
-
-  return matcherList.some(m => {
-    if (!m) return false;
-
-    if (m.includes(":path*")) {
-      const prefix = m.split(":path*")[0].replace(/\/$/, "");
-      return pathStr.startsWith(prefix || "/");
-    }
-    if (m.includes("(.*)")) {
-      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
-      return pathStr.startsWith(prefix || "/");
-    }
-
-    if (m === pathStr) return true;
-    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
-
-    return false;
-  });
-}
-
-/**
- * Build auth truth using RepoIndex (optimized)
- * @param {import('./repo-index').RepoIndex} index
- * @param {Array} serverRoutes
- * @returns {Object}
- */
-function buildAuthTruthV2(index, serverRoutes) {
-  const middlewares = extractNextMiddleware(index);
-  const matchers = middlewares.flatMap(mw => mw.matcher || []);
-  const fastify = extractFastifyAuthSignals(index, serverRoutes);
-
-  return {
-    nextMiddleware: middlewares,
-    nextMatcherPatterns: matchers,
-    fastify,
-    helpers: {
-      matcherCoversPath: "runtime-only"
-    }
-  };
-}
-
-module.exports = {
-  buildAuthTruthV2,
-  extractNextMiddleware,
-  extractFastifyAuthSignals,
-  matcherCoversPath,
-  guessAuthSignalsFromCode,
-};
+// bin/runners/lib/engine/auth-extractor.js
+// Optimized auth/middleware extraction using RepoIndex
+
+const path = require("path");
+const fs = require("fs");
+const crypto = require("crypto");
+
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function evidenceFromContent(content, fileRel, lineNo, reason) {
+  if (!content) return null;
+  const lines = content.split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+
+function guessAuthSignalsFromCode(code) {
+  const signals = [];
+
+  const patterns = [
+    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
+    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
+    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
+    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
+    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
+    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
+    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
+    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
+    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
+  ];
+
+  for (const p of patterns) {
+    if (p.rx.test(code)) signals.push(p.key);
+  }
+  return Array.from(new Set(signals));
+}
+
+/**
+ * Resolve Next.js middleware using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @returns {Array}
+ */
+function extractNextMiddleware(index) {
+  // Find middleware.ts/js files
+  const middlewareFiles = index.files.filter(f =>
+    /^(src\/)?middleware\.(ts|tsx|js|jsx)$/.test(f.rel)
+  );
+
+  const middlewares = [];
+
+  for (const file of middlewareFiles) {
+    const content = index.getContent(file.abs);
+    if (!content) continue;
+
+    const matcherLines = findLineMatches(content, /\bmatcher\b/);
+    const redirectLines = findLineMatches(content, /\bNextResponse\.(redirect|rewrite)\b/);
+
+    const evidence = [];
+    for (const ln of matcherLines.slice(0, 5)) {
+      evidence.push(evidenceFromContent(content, file.rel, ln, "Next middleware matcher config"));
+    }
+    for (const ln of redirectLines.slice(0, 5)) {
+      evidence.push(evidenceFromContent(content, file.rel, ln, "Next middleware redirect/rewrite"));
+    }
+
+    const matcher = [];
+    const matcherBlock = content.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
+    if (matcherBlock && matcherBlock[1]) {
+      const raw = matcherBlock[1];
+      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
+      matcher.push(...strings);
+    }
+
+    middlewares.push({
+      file: file.rel,
+      matcher,
+      signals: guessAuthSignalsFromCode(content),
+      evidence
+    });
+  }
+
+  return middlewares;
+}
+
+/**
+ * Resolve Fastify auth signals using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Array} truthpackRoutes - Server routes from truthpack
+ * @returns {Object}
+ */
+function extractFastifyAuthSignals(index, truthpackRoutes) {
+  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
+  const signals = [];
+  const evidence = [];
+
+  for (const fileRel of handlerFiles) {
+    // Try to get content from index first (fast path)
+    const fileAbs = path.join(index.repoRoot, fileRel);
+    let content = index.getContent(fileAbs);
+    
+    // Fall back to direct read if not in index
+    if (!content) {
+      try {
+        content = fs.readFileSync(fileAbs, "utf8");
+      } catch {
+        continue;
+      }
+    }
+
+    const sigs = guessAuthSignalsFromCode(content);
+    if (!sigs.length) continue;
+
+    for (const s of sigs) signals.push({ type: s, file: fileRel });
+
+    const authLinePatterns = [
+      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
+      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
+      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
+      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
+    ];
+
+    const lines = content.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      for (const p of authLinePatterns) {
+        if (p.rx.test(line)) {
+          evidence.push(evidenceFromContent(content, fileRel, i + 1, p.reason));
+        }
+      }
+      if (evidence.length > 30) break;
+    }
+  }
+
+  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
+
+  return {
+    signalTypes: uniqueTypes,
+    signals,
+    evidence
+  };
+}
+
+function matcherCoversPath(matcherList, p) {
+  if (!Array.isArray(matcherList) || !matcherList.length) return false;
+  const pathStr = p.startsWith("/") ? p : `/${p}`;
+
+  return matcherList.some(m => {
+    if (!m) return false;
+
+    if (m.includes(":path*")) {
+      const prefix = m.split(":path*")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+    if (m.includes("(.*)")) {
+      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+
+    if (m === pathStr) return true;
+    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
+
+    return false;
+  });
+}
+
+/**
+ * Build auth truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Array} serverRoutes
+ * @returns {Object}
+ */
+function buildAuthTruthV2(index, serverRoutes) {
+  const middlewares = extractNextMiddleware(index);
+  const matchers = middlewares.flatMap(mw => mw.matcher || []);
+  const fastify = extractFastifyAuthSignals(index, serverRoutes);
+
+  return {
+    nextMiddleware: middlewares,
+    nextMatcherPatterns: matchers,
+    fastify,
+    helpers: {
+      matcherCoversPath: "runtime-only"
+    }
+  };
+}
+
+module.exports = {
+  buildAuthTruthV2,
+  extractNextMiddleware,
+  extractFastifyAuthSignals,
+  matcherCoversPath,
+  guessAuthSignalsFromCode,
+};

package/bin/runners/lib/engine/billing-extractor.js

@@ -1,112 +1,112 @@
-// bin/runners/lib/engine/billing-extractor.js
-// Optimized billing/Stripe extraction using RepoIndex
-
-const path = require("path");
-const crypto = require("crypto");
-
-function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
-}
-
-function evidenceFromContent(content, fileRel, lineNo, reason) {
-  if (!content) return null;
-  const lines = content.split(/\r?\n/);
-  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
-  const snippet = lines[idx] || "";
-  return {
-    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
-    file: fileRel,
-    lines: `${lineNo}-${lineNo}`,
-    snippetHash: sha256(snippet),
-    reason
-  };
-}
-
-function findLineMatches(code, regex) {
-  const out = [];
-  const lines = code.split(/\r?\n/);
-  for (let i = 0; i < lines.length; i++) {
-    if (regex.test(lines[i])) out.push(i + 1);
-  }
-  return out;
-}
-
-function classifyStripeSignals(code) {
-  return {
-    usesStripeSdk: /\bstripe\b/i.test(code) && /from\s+['"]stripe['"]|require\(['"]stripe['"]\)/.test(code),
-    webhookConstructEvent: /\bconstructEvent(Async)?\b/.test(code) || /\bstripe\.webhooks\.constructEvent\b/.test(code),
-    readsStripeSignatureHeader: /stripe-signature/i.test(code) || /\bStripe-Signature\b/.test(code),
-    rawBodySignal:
-      /\bbodyParser\s*:\s*false\b/.test(code) ||
-      /\breq\.(text|arrayBuffer)\(\)/.test(code) ||
-      /\brawBody\b/.test(code) || /\brequest\.raw\b/.test(code) || /\bcontentTypeParser\b/i.test(code),
-    idempotencySignal:
-      /\bevent\.id\b/.test(code) && /\b(prisma|db|redis|cache|processed|dedupe|idempotent)\b/i.test(code) ||
-      /\bidempotenc(y|e)\b/i.test(code)
-  };
-}
-
-/**
- * Build billing truth using RepoIndex (optimized)
- * @param {import('./repo-index').RepoIndex} index
- * @param {Object} stats
- * @returns {Object}
- */
-function buildBillingTruthV2(index, stats) {
-  // Use token prefilter - only scan files that mention stripe
-  const candidateAbs = index.getByAnyToken(["stripe", "Stripe"]);
-  
-  // Filter to JS/TS files
-  const jsExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
-  const files = candidateAbs.filter(abs => {
-    const ext = path.extname(abs).toLowerCase();
-    return jsExtensions.has(ext);
-  });
-
-  const webhookCandidates = [];
-  const stripeFiles = [];
-
-  for (const fileAbs of files) {
-    const fileRel = index.relPath(fileAbs);
-    const content = index.getContent(fileAbs);
-    if (!content) continue;
-
-    const signals = classifyStripeSignals(content);
-
-    if (signals.usesStripeSdk) stripeFiles.push(fileRel);
-
-    if (signals.webhookConstructEvent || signals.readsStripeSignatureHeader) {
-      const ev = [];
-      const lines1 = findLineMatches(content, /\bconstructEvent(Async)?\b|stripe\.webhooks\.constructEvent/);
-      const lines2 = findLineMatches(content, /stripe-signature|Stripe-Signature/i);
-      const lines3 = findLineMatches(content, /bodyParser\s*:\s*false|req\.(text|arrayBuffer)\(|rawBody|contentTypeParser/i);
-      const lines4 = findLineMatches(content, /event\.id|idempotenc(y|e)|dedupe|processed/i);
-
-      for (const ln of lines1.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Stripe webhook signature constructEvent signal"));
-      for (const ln of lines2.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Stripe-Signature header usage signal"));
-      for (const ln of lines3.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Raw body handling signal (required for Stripe verification)"));
-      for (const ln of lines4.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Idempotency/dedupe signal (event replay protection)"));
-
-      webhookCandidates.push({
-        file: fileRel,
-        signals,
-        evidence: ev
-      });
-    }
-  }
-
-  const hasStripe = stripeFiles.length > 0;
-
-  return {
-    hasStripe,
-    stripeFiles: stripeFiles.slice(0, 200),
-    webhookCandidates,
-    summary: {
-      webhookHandlersFound: webhookCandidates.length,
-      verifiedWebhookHandlers: webhookCandidates.filter(w => w.signals.webhookConstructEvent && w.signals.rawBodySignal).length,
-      idempotentWebhookHandlers: webhookCandidates.filter(w => w.signals.idempotencySignal).length
-    }
-  };
-}
-
-module.exports = { buildBillingTruthV2 };
+// bin/runners/lib/engine/billing-extractor.js
+// Optimized billing/Stripe extraction using RepoIndex
+
+const path = require("path");
+const crypto = require("crypto");
+
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+
+function evidenceFromContent(content, fileRel, lineNo, reason) {
+  if (!content) return null;
+  const lines = content.split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+
+function classifyStripeSignals(code) {
+  return {
+    usesStripeSdk: /\bstripe\b/i.test(code) && /from\s+['"]stripe['"]|require\(['"]stripe['"]\)/.test(code),
+    webhookConstructEvent: /\bconstructEvent(Async)?\b/.test(code) || /\bstripe\.webhooks\.constructEvent\b/.test(code),
+    readsStripeSignatureHeader: /stripe-signature/i.test(code) || /\bStripe-Signature\b/.test(code),
+    rawBodySignal:
+      /\bbodyParser\s*:\s*false\b/.test(code) ||
+      /\breq\.(text|arrayBuffer)\(\)/.test(code) ||
+      /\brawBody\b/.test(code) || /\brequest\.raw\b/.test(code) || /\bcontentTypeParser\b/i.test(code),
+    idempotencySignal:
+      /\bevent\.id\b/.test(code) && /\b(prisma|db|redis|cache|processed|dedupe|idempotent)\b/i.test(code) ||
+      /\bidempotenc(y|e)\b/i.test(code)
+  };
+}
+
+/**
+ * Build billing truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Object} stats
+ * @returns {Object}
+ */
+function buildBillingTruthV2(index, stats) {
+  // Use token prefilter - only scan files that mention stripe
+  const candidateAbs = index.getByAnyToken(["stripe", "Stripe"]);
+  
+  // Filter to JS/TS files
+  const jsExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
+  const files = candidateAbs.filter(abs => {
+    const ext = path.extname(abs).toLowerCase();
+    return jsExtensions.has(ext);
+  });
+
+  const webhookCandidates = [];
+  const stripeFiles = [];
+
+  for (const fileAbs of files) {
+    const fileRel = index.relPath(fileAbs);
+    const content = index.getContent(fileAbs);
+    if (!content) continue;
+
+    const signals = classifyStripeSignals(content);
+
+    if (signals.usesStripeSdk) stripeFiles.push(fileRel);
+
+    if (signals.webhookConstructEvent || signals.readsStripeSignatureHeader) {
+      const ev = [];
+      const lines1 = findLineMatches(content, /\bconstructEvent(Async)?\b|stripe\.webhooks\.constructEvent/);
+      const lines2 = findLineMatches(content, /stripe-signature|Stripe-Signature/i);
+      const lines3 = findLineMatches(content, /bodyParser\s*:\s*false|req\.(text|arrayBuffer)\(|rawBody|contentTypeParser/i);
+      const lines4 = findLineMatches(content, /event\.id|idempotenc(y|e)|dedupe|processed/i);
+
+      for (const ln of lines1.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Stripe webhook signature constructEvent signal"));
+      for (const ln of lines2.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Stripe-Signature header usage signal"));
+      for (const ln of lines3.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Raw body handling signal (required for Stripe verification)"));
+      for (const ln of lines4.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Idempotency/dedupe signal (event replay protection)"));
+
+      webhookCandidates.push({
+        file: fileRel,
+        signals,
+        evidence: ev
+      });
+    }
+  }
+
+  const hasStripe = stripeFiles.length > 0;
+
+  return {
+    hasStripe,
+    stripeFiles: stripeFiles.slice(0, 200),
+    webhookCandidates,
+    summary: {
+      webhookHandlersFound: webhookCandidates.length,
+      verifiedWebhookHandlers: webhookCandidates.filter(w => w.signals.webhookConstructEvent && w.signals.rawBodySignal).length,
+      idempotentWebhookHandlers: webhookCandidates.filter(w => w.signals.idempotencySignal).length
+    }
+  };
+}
+
+module.exports = { buildBillingTruthV2 };