@vibecodetown/mcp-server 2.1.0

package/build/security/sandbox.js

@@ -0,0 +1,228 @@
+// adapters/mcp-ts/src/security/sandbox.ts
+// Optional Docker sandbox for production environments
+//
+// Note: This is an optional security layer. The primary security
+// is provided by input validation and path policy.
+import { spawn } from "node:child_process";
+/**
+ * Default sandbox configuration (no sandboxing)
+ */
+export const DEFAULT_SANDBOX_CONFIG = {
+    mode: "none",
+    allowedPaths: [],
+    networkAccess: false,
+    memoryLimitMb: 512,
+    cpuLimit: 1,
+    timeoutMs: 120_000,
+};
+/**
+ * Check if Docker is available on the system
+ */
+export async function isDockerAvailable() {
+    return new Promise((resolve) => {
+        const proc = spawn("docker", ["version"], {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        proc.on("error", () => resolve(false));
+        proc.on("close", (code) => resolve(code === 0));
+    });
+}
+/**
+ * Check if firejail is available on the system
+ */
+export async function isFirejailAvailable() {
+    return new Promise((resolve) => {
+        const proc = spawn("firejail", ["--version"], {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        proc.on("error", () => resolve(false));
+        proc.on("close", (code) => resolve(code === 0));
+    });
+}
+/**
+ * Run command in sandbox environment
+ *
+ * @param cmd - Command to execute
+ * @param args - Command arguments
+ * @param config - Sandbox configuration
+ * @returns Execution result
+ */
+export async function runInSandbox(cmd, args, config = DEFAULT_SANDBOX_CONFIG) {
+    switch (config.mode) {
+        case "docker":
+            return runInDocker(cmd, args, config);
+        case "firejail":
+            return runInFirejail(cmd, args, config);
+        case "none":
+        default:
+            return runDirect(cmd, args, config);
+    }
+}
+/**
+ * Run command directly (no sandboxing)
+ */
+async function runDirect(cmd, args, config) {
+    return new Promise((resolve) => {
+        const proc = spawn(cmd, args, {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        const timeout = setTimeout(() => {
+            try {
+                proc.kill("SIGKILL");
+            }
+            catch { }
+            resolve({ code: 124, stdout, stderr: stderr + "\n[SANDBOX TIMEOUT]" });
+        }, config.timeoutMs);
+        proc.stdout.on("data", (data) => {
+            stdout += data.toString();
+        });
+        proc.stderr.on("data", (data) => {
+            stderr += data.toString();
+        });
+        proc.on("close", (code) => {
+            clearTimeout(timeout);
+            resolve({ code: code ?? 1, stdout, stderr });
+        });
+    });
+}
+/**
+ * Run command in Docker sandbox
+ *
+ * Requirements:
+ * - Docker must be installed and running
+ * - vibecode/sandbox:latest image must exist
+ */
+async function runInDocker(cmd, args, config) {
+    const dockerArgs = [
+        "run",
+        "--rm",
+        // Network isolation
+        "--network",
+        config.networkAccess ? "bridge" : "none",
+        // Resource limits
+        "--memory",
+        `${config.memoryLimitMb}m`,
+        "--cpus",
+        String(config.cpuLimit),
+        // Security options
+        "--security-opt",
+        "no-new-privileges:true",
+        "--cap-drop",
+        "ALL",
+        // Read-only root filesystem
+        "--read-only",
+    ];
+    // Mount allowed paths as read-only volumes
+    for (const allowedPath of config.allowedPaths) {
+        dockerArgs.push("-v", `${allowedPath}:${allowedPath}:ro`);
+    }
+    // Add tmpfs for /tmp if needed
+    dockerArgs.push("--tmpfs", "/tmp:rw,noexec,nosuid,size=100m");
+    // Image and command
+    dockerArgs.push("vibecode/sandbox:latest", cmd, ...args);
+    return new Promise((resolve) => {
+        const proc = spawn("docker", dockerArgs, {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        const timeout = setTimeout(() => {
+            try {
+                // Kill the docker container
+                spawn("docker", ["kill", proc.pid?.toString() ?? ""], {
+                    stdio: "ignore",
+                });
+                proc.kill("SIGKILL");
+            }
+            catch { }
+            resolve({ code: 124, stdout, stderr: stderr + "\n[DOCKER TIMEOUT]" });
+        }, config.timeoutMs);
+        proc.stdout.on("data", (data) => {
+            stdout += data.toString();
+        });
+        proc.stderr.on("data", (data) => {
+            stderr += data.toString();
+        });
+        proc.on("close", (code) => {
+            clearTimeout(timeout);
+            resolve({ code: code ?? 1, stdout, stderr });
+        });
+    });
+}
+/**
+ * Run command in firejail sandbox (Linux only)
+ *
+ * Requirements:
+ * - firejail must be installed
+ */
+async function runInFirejail(cmd, args, config) {
+    const firejailArgs = [
+        // Disable network if not allowed
+        ...(config.networkAccess ? [] : ["--net=none"]),
+        // Resource limits
+        "--rlimit-as=" + config.memoryLimitMb * 1024 * 1024,
+        // Security options
+        "--caps.drop=all",
+        "--nonewprivs",
+        "--seccomp",
+        // No X11
+        "--x11=none",
+        // Read-only paths
+        "--read-only=/",
+    ];
+    // Whitelist allowed paths
+    for (const allowedPath of config.allowedPaths) {
+        firejailArgs.push(`--whitelist=${allowedPath}`);
+    }
+    // Allow /tmp for temporary files
+    firejailArgs.push("--private-tmp");
+    // Command to run
+    firejailArgs.push("--", cmd, ...args);
+    return new Promise((resolve) => {
+        const proc = spawn("firejail", firejailArgs, {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        const timeout = setTimeout(() => {
+            try {
+                proc.kill("SIGKILL");
+            }
+            catch { }
+            resolve({ code: 124, stdout, stderr: stderr + "\n[FIREJAIL TIMEOUT]" });
+        }, config.timeoutMs);
+        proc.stdout.on("data", (data) => {
+            stdout += data.toString();
+        });
+        proc.stderr.on("data", (data) => {
+            stderr += data.toString();
+        });
+        proc.on("close", (code) => {
+            clearTimeout(timeout);
+            resolve({ code: code ?? 1, stdout, stderr });
+        });
+    });
+}
+/**
+ * Create sandbox configuration from environment
+ */
+export function getSandboxConfigFromEnv() {
+    const mode = (process.env.VIBECODE_SANDBOX_MODE ?? "none");
+    const networkAccess = process.env.VIBECODE_SANDBOX_NETWORK === "true";
+    const memoryLimitMb = parseInt(process.env.VIBECODE_SANDBOX_MEMORY ?? "512", 10);
+    const cpuLimit = parseFloat(process.env.VIBECODE_SANDBOX_CPU ?? "1");
+    const timeoutMs = parseInt(process.env.VIBECODE_SANDBOX_TIMEOUT ?? "120000", 10);
+    const allowedPaths = (process.env.VIBECODE_SANDBOX_PATHS ?? "")
+        .split(":")
+        .filter((p) => p.length > 0);
+    return {
+        mode,
+        allowedPaths,
+        networkAccess,
+        memoryLimitMb,
+        cpuLimit,
+        timeoutMs,
+    };
+}

package/build/tools/react_perf/check_patterns.js

@@ -0,0 +1,172 @@
+// adapters/mcp-ts/src/tools/react_perf/check_patterns.ts
+// Main implementation for react_perf.check_patterns
+import * as fs from "fs";
+import * as path from "path";
+import { filterByMinImpact, sortByImpact, countViolationsByImpact, getTopSuggestions } from "./types.js";
+import { getAllRules, getRulesByCategories } from "./rules/index.js";
+// ============================================================
+// File Discovery
+// ============================================================
+const DEFAULT_EXTENSIONS = [".ts", ".tsx", ".js", ".jsx"];
+const IGNORE_DIRS = ["node_modules", ".next", "dist", "build", ".git", "coverage"];
+function shouldIgnoreDir(dirName) {
+    return IGNORE_DIRS.includes(dirName) || dirName.startsWith(".");
+}
+function shouldIncludeFile(filePath) {
+    const ext = path.extname(filePath);
+    return DEFAULT_EXTENSIONS.includes(ext);
+}
+function findFiles(dir, files = []) {
+    if (!fs.existsSync(dir)) {
+        return files;
+    }
+    const stat = fs.statSync(dir);
+    if (stat.isFile()) {
+        if (shouldIncludeFile(dir)) {
+            files.push(dir);
+        }
+        return files;
+    }
+    if (!stat.isDirectory()) {
+        return files;
+    }
+    const entries = fs.readdirSync(dir);
+    for (const entry of entries) {
+        if (shouldIgnoreDir(entry))
+            continue;
+        const fullPath = path.join(dir, entry);
+        const entryStat = fs.statSync(fullPath);
+        if (entryStat.isDirectory()) {
+            findFiles(fullPath, files);
+        }
+        else if (entryStat.isFile() && shouldIncludeFile(fullPath)) {
+            files.push(fullPath);
+        }
+    }
+    return files;
+}
+function findPatternMatches(content, pattern) {
+    const matches = [];
+    const lines = content.split("\n");
+    // Use multiline matching
+    const globalPattern = new RegExp(pattern.source, pattern.flags + (pattern.flags.includes("g") ? "" : "g"));
+    let match;
+    while ((match = globalPattern.exec(content)) !== null) {
+        // Calculate line number from index
+        const beforeMatch = content.substring(0, match.index);
+        const lineNumber = beforeMatch.split("\n").length;
+        const lastNewline = beforeMatch.lastIndexOf("\n");
+        const column = match.index - lastNewline;
+        // Get the line content for snippet
+        const lineText = lines[lineNumber - 1] || "";
+        matches.push({
+            line: lineNumber,
+            column,
+            text: lineText.trim().substring(0, 100) // Truncate long lines
+        });
+        // Prevent infinite loops on zero-length matches
+        if (match[0].length === 0) {
+            globalPattern.lastIndex++;
+        }
+    }
+    return matches;
+}
+function checkAntiPattern(content, antiPattern) {
+    if (!antiPattern)
+        return false;
+    return antiPattern.test(content);
+}
+// ============================================================
+// Main Analysis
+// ============================================================
+function analyzeFile(filePath, rules) {
+    const violations = [];
+    let content;
+    try {
+        content = fs.readFileSync(filePath, "utf-8");
+    }
+    catch {
+        return violations;
+    }
+    for (const rule of rules) {
+        // Check file filter
+        if (rule.fileFilter && !rule.fileFilter.test(filePath)) {
+            continue;
+        }
+        // Check anti-pattern (if file has anti-pattern, skip this rule)
+        if (checkAntiPattern(content, rule.antiPattern)) {
+            continue;
+        }
+        // Find pattern matches
+        const matches = findPatternMatches(content, rule.pattern);
+        for (const match of matches) {
+            violations.push({
+                rule_id: rule.id,
+                category: rule.category,
+                file: filePath,
+                line: match.line,
+                column: match.column,
+                impact: rule.impact,
+                message: rule.message,
+                suggestion: rule.suggestion,
+                code_snippet: match.text
+            });
+        }
+    }
+    return violations;
+}
+// ============================================================
+// Main Entry Point
+// ============================================================
+export async function checkPatterns(input) {
+    const startTime = Date.now();
+    // Determine target paths
+    const targetPaths = input.target_paths || [process.cwd()];
+    // Collect all files to scan
+    const allFiles = [];
+    for (const targetPath of targetPaths) {
+        const resolvedPath = path.resolve(targetPath);
+        const files = findFiles(resolvedPath);
+        allFiles.push(...files);
+    }
+    // Deduplicate files
+    const uniqueFiles = [...new Set(allFiles)];
+    // Get rules to check
+    const rules = input.rules
+        ? getRulesByCategories(input.rules)
+        : getAllRules();
+    // Skip if no rules
+    if (rules.length === 0) {
+        return {
+            status: "OK",
+            total_files_scanned: uniqueFiles.length,
+            total_violations: 0,
+            violations: [],
+            summary: { critical: 0, high: 0, medium: 0, low: 0 },
+            top_suggestions: [],
+            scan_time_ms: Date.now() - startTime
+        };
+    }
+    // Analyze all files
+    let allViolations = [];
+    for (const file of uniqueFiles) {
+        const fileViolations = analyzeFile(file, rules);
+        allViolations.push(...fileViolations);
+    }
+    // Filter by minimum impact
+    const minImpact = input.min_impact || "MEDIUM";
+    allViolations = filterByMinImpact(allViolations, minImpact);
+    // Sort by impact
+    allViolations = sortByImpact(allViolations);
+    // Build output
+    const output = {
+        status: allViolations.length > 0 ? "VIOLATIONS_FOUND" : "OK",
+        total_files_scanned: uniqueFiles.length,
+        total_violations: allViolations.length,
+        violations: allViolations,
+        summary: countViolationsByImpact(allViolations),
+        top_suggestions: getTopSuggestions(allViolations, 3),
+        scan_time_ms: Date.now() - startTime
+    };
+    return output;
+}