vibecheck-ai 2.0.1 → 5.0.0

package/bin/runners/lib/pkgjson.js

@@ -0,0 +1,28 @@
+// bin/runners/lib/pkgjson.js
+const fs = require("fs");
+const path = require("path");
+
+function readPkg(root) {
+  const p = path.join(root, "package.json");
+  if (!fs.existsSync(p)) throw new Error("package.json not found");
+  return { path: p, json: JSON.parse(fs.readFileSync(p, "utf8")) };
+}
+
+function writePkg(pkgPath, json) {
+  fs.writeFileSync(pkgPath, JSON.stringify(json, null, 2) + "\n", "utf8");
+}
+
+function upsertScripts(pkg, scripts) {
+  pkg.scripts = pkg.scripts || {};
+  const changed = [];
+
+  for (const [k, v] of Object.entries(scripts)) {
+    if (pkg.scripts[k] === v) continue;
+    pkg.scripts[k] = v;
+    changed.push(k);
+  }
+
+  return changed;
+}
+
+module.exports = { readPkg, writePkg, upsertScripts };

package/bin/runners/lib/policy.js

@@ -0,0 +1,295 @@
+/**
+ * Policy Presets v2
+ * 
+ * Pre-configured policy settings so users don't have to bikeshed.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+// =============================================================================
+// POLICY PRESETS
+// =============================================================================
+
+const POLICY_PRESETS = {
+  /**
+   * DEV: Warn-heavy, low thresholds
+   * For local development - informative but not blocking
+   */
+  dev: {
+    name: "dev",
+    description: "Development mode - warn-heavy, informative",
+    failOnWarn: false,
+    coverage: {
+      minActionCoverage: 0,
+      minRouteCoverage: 0,
+      requireAuthCoverage: false,
+    },
+    fastify: {
+      requireRuntimeDump: false,
+      allowStaticOnlyRoutes: true,
+    },
+    auth: {
+      requireVerifyAuth: false,
+      strictProtectedPatterns: false,
+    },
+    findings: {
+      // Downgrade some blockers to warnings in dev
+      downgradeToWarn: [
+        "D_ROUTE_MISSING",     // Missing routes less critical in dev
+        "D_CONTRACT_DRIFT",    // Drift expected during dev
+      ],
+    },
+    output: {
+      generateHTML: true,
+      verboseConsole: true,
+    },
+  },
+
+  /**
+   * CI: Strict enough to block bad PRs
+   * Default for CI pipelines
+   */
+  ci: {
+    name: "ci",
+    description: "CI mode - strict, blocks on real issues",
+    failOnWarn: false,
+    coverage: {
+      minActionCoverage: 0,       // Don't require coverage yet
+      minRouteCoverage: 0,
+      requireAuthCoverage: false,
+    },
+    fastify: {
+      requireRuntimeDump: false,   // Optional but recommended
+      allowStaticOnlyRoutes: true,
+    },
+    auth: {
+      requireVerifyAuth: false,    // Only if auth patterns exist
+      strictProtectedPatterns: true,
+    },
+    findings: {
+      downgradeToWarn: [],
+    },
+    output: {
+      generateHTML: true,
+      verboseConsole: false,
+    },
+  },
+
+  /**
+   * RELEASE: Production-ready checks
+   * Strictest mode for release gates
+   */
+  release: {
+    name: "release",
+    description: "Release mode - requires coverage if patterns exist",
+    failOnWarn: true,
+    coverage: {
+      minActionCoverage: 50,      // At least 50% of UI actions verified
+      minRouteCoverage: 80,       // At least 80% of routes covered
+      requireAuthCoverage: true,  // If auth patterns exist, verify them
+      minAuthCoverage: 80,
+    },
+    fastify: {
+      requireRuntimeDump: true,    // Must run runtime dump for Fastify
+      allowStaticOnlyRoutes: false,
+    },
+    auth: {
+      requireVerifyAuth: true,     // Must verify auth if patterns exist
+      strictProtectedPatterns: true,
+    },
+    findings: {
+      downgradeToWarn: [],
+      upgradeToBlock: [
+        "D_FAKE_SUCCESS",          // Fake success is blocking in release
+        "D_DEAD_CLICK",            // Dead clicks are blocking in release
+      ],
+    },
+    output: {
+      generateHTML: true,
+      verboseConsole: false,
+    },
+  },
+};
+
+// =============================================================================
+// POLICY RESOLUTION
+// =============================================================================
+
+/**
+ * Load policy from file or preset
+ */
+function loadPolicy(options = {}) {
+  const { 
+    preset = "ci", 
+    policyFile = null,
+    repoRoot = process.cwd(),
+    overrides = {},
+  } = options;
+
+  let policy;
+
+  // Try loading from file first
+  if (policyFile) {
+    const policyPath = path.isAbsolute(policyFile) 
+      ? policyFile 
+      : path.join(repoRoot, policyFile);
+    
+    if (fs.existsSync(policyPath)) {
+      try {
+        policy = JSON.parse(fs.readFileSync(policyPath, "utf8"));
+      } catch (e) {
+        console.warn(`Warning: Could not parse policy file ${policyPath}: ${e.message}`);
+      }
+    }
+  }
+
+  // Try loading from .vibecheck/policy.json
+  if (!policy) {
+    const defaultPolicyPath = path.join(repoRoot, ".vibecheck", "policy.json");
+    if (fs.existsSync(defaultPolicyPath)) {
+      try {
+        policy = JSON.parse(fs.readFileSync(defaultPolicyPath, "utf8"));
+      } catch (e) {
+        // Ignore parse errors for default file
+      }
+    }
+  }
+
+  // Fall back to preset
+  if (!policy) {
+    policy = POLICY_PRESETS[preset] || POLICY_PRESETS.ci;
+  }
+
+  // Apply overrides
+  return mergePolicy(policy, overrides);
+}
+
+/**
+ * Deep merge policy with overrides
+ */
+function mergePolicy(base, overrides) {
+  const merged = JSON.parse(JSON.stringify(base));
+
+  for (const [key, value] of Object.entries(overrides)) {
+    if (value === undefined) continue;
+    
+    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+      merged[key] = mergePolicy(merged[key] || {}, value);
+    } else {
+      merged[key] = value;
+    }
+  }
+
+  return merged;
+}
+
+/**
+ * Get effective thresholds from policy
+ */
+function getThresholdsFromPolicy(policy) {
+  return {
+    minActionCoverage: policy.coverage?.minActionCoverage ?? 0,
+    minRouteCoverage: policy.coverage?.minRouteCoverage ?? 0,
+    requireAuthCoverage: policy.coverage?.requireAuthCoverage ?? false,
+    minAuthCoverage: policy.coverage?.minAuthCoverage ?? 80,
+  };
+}
+
+/**
+ * Apply policy to findings (downgrades/upgrades)
+ */
+function applyPolicyToFindings(findings, policy) {
+  const downgrade = new Set(policy.findings?.downgradeToWarn || []);
+  const upgrade = new Set(policy.findings?.upgradeToBlock || []);
+
+  return findings.map(finding => {
+    if (downgrade.has(finding.detectorId) && finding.severity === "BLOCK") {
+      return {
+        ...finding,
+        severity: "WARN",
+        originalSeverity: "BLOCK",
+        policyDowngraded: true,
+      };
+    }
+    
+    if (upgrade.has(finding.detectorId) && finding.severity === "WARN") {
+      return {
+        ...finding,
+        severity: "BLOCK",
+        originalSeverity: "WARN",
+        policyUpgraded: true,
+      };
+    }
+    
+    return finding;
+  });
+}
+
+/**
+ * Check if auth verification is required based on policy and truthpack
+ */
+function requiresAuthVerification(policy, truthpack) {
+  if (!policy.auth?.requireVerifyAuth) return false;
+  
+  // Only require if auth patterns exist
+  const hasAuthPatterns = truthpack?.auth?.protectedPatterns?.length > 0;
+  return hasAuthPatterns;
+}
+
+/**
+ * Check if Fastify runtime dump is required
+ */
+function requiresFastifyRuntimeDump(policy, truthpack) {
+  if (!policy.fastify?.requireRuntimeDump) return false;
+  
+  // Only require if Fastify is detected
+  const hasFastify = truthpack?.stack?.fastify?.present;
+  return hasFastify;
+}
+
+/**
+ * Write policy file
+ */
+function writePolicyFile(repoRoot, policy) {
+  const dir = path.join(repoRoot, ".vibecheck");
+  fs.mkdirSync(dir, { recursive: true });
+
+  const policyPath = path.join(dir, "policy.json");
+  fs.writeFileSync(policyPath, JSON.stringify(policy, null, 2));
+
+  return policyPath;
+}
+
+/**
+ * Get preset names
+ */
+function getPresetNames() {
+  return Object.keys(POLICY_PRESETS);
+}
+
+/**
+ * Get preset by name
+ */
+function getPreset(name) {
+  return POLICY_PRESETS[name] || null;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  POLICY_PRESETS,
+  loadPolicy,
+  mergePolicy,
+  getThresholdsFromPolicy,
+  applyPolicyToFindings,
+  requiresAuthVerification,
+  requiresFastifyRuntimeDump,
+  writePolicyFile,
+  getPresetNames,
+  getPreset,
+};

package/bin/runners/lib/polish/accessibility.js

@@ -0,0 +1,62 @@
+/**
+ * Accessibility Polish Engine
+ *
+ * Checks: A11y testing, skip links, focus management.
+ */
+
+const path = require("path");
+const { pathExists, findFile, readFileSafe } = require("./utils");
+
+module.exports = async function accessibilityEngine(projectPath) {
+  const issues = [];
+  const packageJson = await readFileSafe(path.join(projectPath, "package.json"));
+
+  // A11y testing
+  const hasA11yTesting =
+    packageJson && /axe-core|@axe-core|jest-axe|cypress-axe|pa11y/i.test(packageJson);
+  if (!hasA11yTesting) {
+    issues.push({
+      id: "missing-a11y-testing",
+      category: "Accessibility",
+      severity: "medium",
+      title: "No Accessibility Testing",
+      description: "No accessibility testing library found.",
+      suggestion: "Add jest-axe, cypress-axe, or pa11y for automated a11y testing.",
+      autoFixable: false,
+    });
+  }
+
+  // Skip link
+  const hasSkipLink = await findFile(projectPath, /skip-link|skiplink|SkipNav/i);
+  if (!hasSkipLink) {
+    issues.push({
+      id: "missing-skip-link",
+      category: "Accessibility",
+      severity: "medium",
+      title: "Missing Skip Link",
+      description: "No skip-to-content link found. Keyboard users can't skip navigation.",
+      suggestion: "Add a skip-to-main-content link at the top of your pages.",
+      autoFixable: true,
+    });
+  }
+
+  // Focus outline removal
+  const globalCss =
+    (await readFileSafe(path.join(projectPath, "src", "styles", "globals.css"))) ||
+    (await readFileSafe(path.join(projectPath, "app", "globals.css"))) ||
+    (await readFileSafe(path.join(projectPath, "styles", "globals.css")));
+
+  if (globalCss && /outline:\s*none|outline:\s*0/i.test(globalCss) && !/focus-visible/i.test(globalCss)) {
+    issues.push({
+      id: "focus-removed",
+      category: "Accessibility",
+      severity: "high",
+      title: "Focus Outline Removed",
+      description: "Focus outlines are removed without alternative. Keyboard users can't see focus.",
+      suggestion: "Use :focus-visible instead of removing outlines entirely.",
+      autoFixable: false,
+    });
+  }
+
+  return issues;
+};

package/bin/runners/lib/polish/analyzer.js

@@ -0,0 +1,93 @@
+/**
+ * Polish Analyzer (Orchestrator)
+ *
+ * Runs selected engines, aggregates issues, computes score,
+ * and generates actionable recommendations.
+ */
+
+const { c } = require("./styles");
+const { engines, categories } = require("./index");
+
+/**
+ * Severity weights for score calculation.
+ */
+const SEVERITY_WEIGHT = {
+  critical: 10,
+  high: 5,
+  medium: 2,
+  low: 1,
+};
+
+/**
+ * Run all (or selected) engines against a project path.
+ *
+ * @param {string} projectPath - Absolute path to the project root
+ * @param {Object} options
+ * @param {string} [options.category] - Run only this category (lowercase)
+ * @returns {Object} Full analysis report
+ */
+async function analyzeProject(projectPath, options = {}) {
+  const allIssues = [];
+  const selectedCategories = options.category
+    ? [options.category.toLowerCase()]
+    : categories;
+
+  for (const category of selectedCategories) {
+    const engine = engines[category];
+    if (!engine) continue;
+
+    try {
+      const issues = await engine(projectPath);
+      allIssues.push(...issues);
+    } catch (error) {
+      console.error(`${c.red}Error in ${category} engine:${c.reset}`, error.message);
+    }
+  }
+
+  // Score
+  let score = 100;
+  for (const issue of allIssues) {
+    score -= SEVERITY_WEIGHT[issue.severity] || 0;
+  }
+  score = Math.max(0, Math.min(100, score));
+
+  // Counts
+  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+  for (const issue of allIssues) {
+    counts[issue.severity] = (counts[issue.severity] || 0) + 1;
+  }
+
+  const autoFixable = allIssues.filter((i) => i.autoFixable).length;
+
+  // Recommendations
+  const recommendations = [];
+  if (counts.critical > 0) {
+    recommendations.push(
+      `Fix ${counts.critical} critical issue(s) immediately - these affect security or functionality.`
+    );
+  }
+  if (counts.high > 0) {
+    recommendations.push(
+      `Address ${counts.high} high-priority issue(s) - these impact user experience or production readiness.`
+    );
+  }
+  if (autoFixable > 0) {
+    recommendations.push(
+      `${autoFixable} issue(s) can be auto-fixed. Run 'vibecheck polish --fix' to apply fixes.`
+    );
+  }
+  if (recommendations.length === 0) {
+    recommendations.push("Your project looks polished! Great job! 🎉");
+  }
+
+  return {
+    projectPath,
+    totalIssues: allIssues.length,
+    ...counts,
+    issues: allIssues,
+    score,
+    recommendations,
+  };
+}
+
+module.exports = { analyzeProject };

package/bin/runners/lib/polish/backend.js

@@ -0,0 +1,87 @@
+/**
+ * Backend Polish Engine
+ *
+ * Checks: Health endpoints, input validation, rate limiting, error handling.
+ */
+
+const path = require("path");
+const { pathExists, findFile, readFileSafe } = require("./utils");
+
+module.exports = async function backendEngine(projectPath) {
+  const issues = [];
+  const apiPath = path.join(projectPath, "src", "server");
+  const apiAltPath = path.join(projectPath, "api");
+  const pagesApiPath = path.join(projectPath, "pages", "api");
+  const appApiPath = path.join(projectPath, "app", "api");
+
+  const hasApi =
+    (await pathExists(apiPath)) ||
+    (await pathExists(apiAltPath)) ||
+    (await pathExists(pagesApiPath)) ||
+    (await pathExists(appApiPath));
+
+  if (!hasApi) return issues;
+
+  const packageJson = await readFileSafe(path.join(projectPath, "package.json"));
+
+  // Health endpoint
+  const hasHealth = await findFile(projectPath, /health|healthcheck|status/i);
+  if (!hasHealth) {
+    issues.push({
+      id: "missing-health-endpoint",
+      category: "Backend",
+      severity: "high",
+      title: "Missing Health Endpoint",
+      description: "No health check endpoint found. Load balancers and monitoring can't verify service status.",
+      suggestion: "Add a /health or /api/health endpoint that returns service status.",
+      autoFixable: true,
+    });
+  }
+
+  // Validation library
+  if (packageJson) {
+    const hasValidation = /zod|yup|joi|class-validator|ajv/i.test(packageJson);
+    if (!hasValidation) {
+      issues.push({
+        id: "missing-validation",
+        category: "Backend",
+        severity: "high",
+        title: "Missing Input Validation",
+        description: "No validation library found. API inputs may not be properly validated.",
+        suggestion: "Add zod, yup, joi, or similar for input validation.",
+        autoFixable: false,
+      });
+    }
+  }
+
+  // Rate limiting
+  const hasRateLimiting =
+    packageJson && /rate-limit|ratelimit|express-rate-limit|@upstash\/ratelimit/i.test(packageJson);
+  if (!hasRateLimiting) {
+    issues.push({
+      id: "missing-rate-limiting",
+      category: "Backend",
+      severity: "high",
+      title: "Missing Rate Limiting",
+      description: "No rate limiting found. API is vulnerable to abuse and DDoS.",
+      suggestion: "Add rate limiting middleware to protect your API.",
+      autoFixable: false,
+    });
+  }
+
+  // Global error handler
+  const hasErrorMiddleware = await findFile(projectPath, /errorHandler|error-handler|errorMiddleware/i);
+  if (!hasErrorMiddleware) {
+    issues.push({
+      id: "missing-error-handler",
+      category: "Backend",
+      severity: "medium",
+      title: "Missing Global Error Handler",
+      description: "No global error handler found. Unhandled errors may leak stack traces.",
+      suggestion: "Add a global error handler middleware that catches and formats errors.",
+      autoFixable: true,
+    });
+  }
+
+  return issues;
+};

package/bin/runners/lib/polish/configuration.js

@@ -0,0 +1,83 @@
+/**
+ * Configuration Polish Engine
+ *
+ * Checks: TypeScript strict, ESLint, Prettier, EditorConfig.
+ */
+
+const path = require("path");
+const { pathExists, readFileSafe } = require("./utils");
+
+module.exports = async function configurationEngine(projectPath) {
+  const issues = [];
+
+  // TypeScript strict mode
+  const tsConfig = await readFileSafe(path.join(projectPath, "tsconfig.json"));
+  if (tsConfig) {
+    try {
+      const parsed = JSON.parse(tsConfig);
+      if (!parsed.compilerOptions?.strict) {
+        issues.push({
+          id: "ts-not-strict",
+          category: "Configuration",
+          severity: "medium",
+          title: "TypeScript Strict Mode Disabled",
+          description: "TypeScript strict mode is not enabled. Type safety is reduced.",
+          suggestion: 'Enable "strict": true in tsconfig.json for better type safety.',
+          autoFixable: true,
+        });
+      }
+    } catch {
+      // Malformed tsconfig - skip
+    }
+  }
+
+  // ESLint
+  const hasEslint =
+    (await pathExists(path.join(projectPath, ".eslintrc.json"))) ||
+    (await pathExists(path.join(projectPath, ".eslintrc.js"))) ||
+    (await pathExists(path.join(projectPath, "eslint.config.js")));
+  if (!hasEslint) {
+    issues.push({
+      id: "missing-eslint",
+      category: "Configuration",
+      severity: "medium",
+      title: "Missing ESLint Configuration",
+      description: "No ESLint config found. Code quality may not be enforced.",
+      suggestion: "Add ESLint configuration for code quality enforcement.",
+      autoFixable: true,
+    });
+  }
+
+  // Prettier
+  const hasPrettier =
+    (await pathExists(path.join(projectPath, ".prettierrc"))) ||
+    (await pathExists(path.join(projectPath, ".prettierrc.json"))) ||
+    (await pathExists(path.join(projectPath, "prettier.config.js")));
+  if (!hasPrettier) {
+    issues.push({
+      id: "missing-prettier",
+      category: "Configuration",
+      severity: "low",
+      title: "Missing Prettier Configuration",
+      description: "No Prettier config found. Code formatting may be inconsistent.",
+      suggestion: "Add Prettier configuration for consistent code formatting.",
+      autoFixable: true,
+    });
+  }
+
+  // EditorConfig
+  const hasEditorConfig = await pathExists(path.join(projectPath, ".editorconfig"));
+  if (!hasEditorConfig) {
+    issues.push({
+      id: "missing-editorconfig",
+      category: "Configuration",
+      severity: "low",
+      title: "Missing .editorconfig",
+      description: "No .editorconfig found. Different editors may format differently.",
+      suggestion: "Add .editorconfig for consistent editor settings across team.",
+      autoFixable: true,
+    });
+  }
+
+  return issues;
+};