vibecheck-ai 2.0.1 → 5.0.0

package/bin/runners/lib/doctor/modules/security.js

@@ -0,0 +1,350 @@
+/**
+ * Security Diagnostics Module
+ * 
+ * Checks for exposed secrets, gitignore configuration, and security best practices
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { SEVERITY, CATEGORY, FIX_TYPE } = require('../types');
+
+const MODULE_ID = 'security';
+
+const SECRET_PATTERNS = [
+  { name: 'Stripe Live Key', pattern: /sk_live_[a-zA-Z0-9]{20,}/, critical: true },
+  { name: 'Stripe Test Key', pattern: /sk_test_[a-zA-Z0-9]{20,}/, critical: false },
+  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/, critical: true },
+  { name: 'GitHub Token', pattern: /ghp_[a-zA-Z0-9]{36}/, critical: true },
+  { name: 'GitHub OAuth', pattern: /gho_[a-zA-Z0-9]{36}/, critical: true },
+  { name: 'Private Key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, critical: true },
+  { name: 'Generic API Key', pattern: /api[_-]?key['"]?\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/, critical: false },
+  { name: 'Generic Secret', pattern: /secret['"]?\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/, critical: false },
+  { name: 'Database URL', pattern: /postgres(ql)?:\/\/[^:]+:[^@]+@/, critical: true },
+  { name: 'MongoDB URL', pattern: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@/, critical: true },
+];
+
+const REQUIRED_GITIGNORE = [
+  { pattern: '.env', name: '.env files' },
+  { pattern: 'node_modules', name: 'node_modules' },
+  { pattern: '.vibecheck', name: '.vibecheck output' },
+];
+
+function createDiagnostics(projectPath) {
+  return [
+    {
+      id: `${MODULE_ID}.env_file`,
+      name: '.env File',
+      category: CATEGORY.SECURITY,
+      parallel: true,
+      check: async () => {
+        const envPath = path.join(projectPath, '.env');
+        const envExamplePath = path.join(projectPath, '.env.example');
+        const envLocalPath = path.join(projectPath, '.env.local');
+        
+        const hasEnv = fs.existsSync(envPath);
+        const hasEnvExample = fs.existsSync(envExamplePath);
+        const hasEnvLocal = fs.existsSync(envLocalPath);
+        
+        const metadata = { hasEnv, hasEnvExample, hasEnvLocal };
+        
+        if (!hasEnv && !hasEnvLocal) {
+          return {
+            severity: SEVERITY.INFO,
+            message: 'No .env file found',
+            detail: 'Create .env for local environment variables',
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.FILE_CREATE,
+              description: 'Create .env from example',
+              path: envPath,
+              content: hasEnvExample 
+                ? fs.readFileSync(envExamplePath, 'utf8')
+                : '# Environment variables\n',
+              autoFixable: true,
+            }],
+          };
+        }
+        
+        if (hasEnv && !hasEnvExample) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: '.env exists but no .env.example',
+            detail: 'Create .env.example for team documentation',
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.COMMAND,
+              description: 'Generate .env.example from .env',
+              command: 'vibecheck ctx --env-template',
+              autoFixable: false,
+            }],
+          };
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: hasEnvExample ? '.env + .env.example' : '.env configured',
+          metadata,
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.gitignore`,
+      name: '.gitignore',
+      category: CATEGORY.SECURITY,
+      parallel: true,
+      check: async () => {
+        const gitignorePath = path.join(projectPath, '.gitignore');
+        
+        if (!fs.existsSync(gitignorePath)) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: 'No .gitignore file',
+            detail: 'Secrets and build artifacts may be committed to git',
+            fixes: [{
+              type: FIX_TYPE.FILE_CREATE,
+              description: 'Create .gitignore with common patterns',
+              path: gitignorePath,
+              content: [
+                '# Dependencies',
+                'node_modules/',
+                '',
+                '# Environment',
+                '.env',
+                '.env.local',
+                '.env.*.local',
+                '',
+                '# Build',
+                'dist/',
+                'build/',
+                '.next/',
+                '',
+                '# vibecheck',
+                '.vibecheck/',
+                '',
+                '# IDE',
+                '.idea/',
+                '.vscode/',
+                '*.swp',
+              ].join('\n'),
+              autoFixable: true,
+            }],
+          };
+        }
+        
+        const content = fs.readFileSync(gitignorePath, 'utf8');
+        const missing = REQUIRED_GITIGNORE.filter(r => !content.includes(r.pattern));
+        
+        const metadata = { 
+          missing: missing.map(m => m.pattern),
+          lines: content.split('\n').length,
+        };
+        
+        if (missing.length > 0) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: `Missing: ${missing.map(m => m.name).join(', ')}`,
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.FILE_EDIT,
+              description: 'Add missing patterns to .gitignore',
+              path: gitignorePath,
+              content: content + '\n\n# Added by vibecheck doctor\n' + 
+                missing.map(m => m.pattern).join('\n') + '\n',
+              autoFixable: true,
+            }],
+          };
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: 'Properly configured',
+          metadata,
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.exposed_secrets`,
+      name: 'Exposed Secrets',
+      category: CATEGORY.SECURITY,
+      parallel: false,
+      check: async () => {
+        const filesToCheck = [
+          'package.json',
+          'src/config.ts',
+          'src/config.js',
+          'config/index.ts',
+          'config/index.js',
+          'next.config.js',
+          'next.config.mjs',
+          '.env.example',
+          'README.md',
+        ];
+        
+        const findings = [];
+        
+        for (const file of filesToCheck) {
+          const filePath = path.join(projectPath, file);
+          if (!fs.existsSync(filePath)) continue;
+          
+          try {
+            const content = fs.readFileSync(filePath, 'utf8');
+            
+            for (const sp of SECRET_PATTERNS) {
+              if (sp.pattern.test(content)) {
+                findings.push({
+                  file,
+                  secret: sp.name,
+                  critical: sp.critical,
+                });
+              }
+            }
+          } catch {
+            // Skip unreadable files
+          }
+        }
+        
+        const metadata = { findings };
+        const criticalFindings = findings.filter(f => f.critical);
+        
+        if (criticalFindings.length > 0) {
+          return {
+            severity: SEVERITY.CRITICAL,
+            message: `${criticalFindings.length} critical secrets exposed`,
+            detail: criticalFindings.map(f => `${f.secret} in ${f.file}`).join(', '),
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.MANUAL,
+              description: 'Move secrets to .env and add to .gitignore',
+              autoFixable: false,
+            }],
+          };
+        }
+        
+        if (findings.length > 0) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: `${findings.length} potential secrets found`,
+            detail: findings.map(f => `${f.secret} in ${f.file}`).join(', '),
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.MANUAL,
+              description: 'Review and move secrets to .env',
+              autoFixable: false,
+            }],
+          };
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: 'No exposed secrets detected',
+          metadata,
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.env_in_git`,
+      name: '.env in Git History',
+      category: CATEGORY.SECURITY,
+      parallel: true,
+      check: async () => {
+        const gitDir = path.join(projectPath, '.git');
+        if (!fs.existsSync(gitDir)) {
+          return {
+            severity: SEVERITY.INFO,
+            message: 'Not a git repository',
+          };
+        }
+        
+        try {
+          const { execSync } = require('child_process');
+          // Windows-compatible: use -n 1 instead of piping to head
+          const result = execSync('git log --all --full-history -n 1 -- .env', {
+            cwd: projectPath,
+            encoding: 'utf8',
+            timeout: 10000,
+            stdio: ['pipe', 'pipe', 'pipe'], // Suppress stderr on all platforms
+          }).trim();
+          
+          if (result) {
+            return {
+              severity: SEVERITY.ERROR,
+              message: '.env found in git history',
+              detail: 'Secrets may be exposed in git commits',
+              fixes: [
+                {
+                  type: FIX_TYPE.LINK,
+                  description: 'Guide: Remove secrets from git history',
+                  url: 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository',
+                },
+                {
+                  type: FIX_TYPE.COMMAND,
+                  description: 'Remove .env from history (dangerous)',
+                  command: 'git filter-branch --force --index-filter "git rm --cached --ignore-unmatch .env" --prune-empty --tag-name-filter cat -- --all',
+                  dangerous: true,
+                  autoFixable: false,
+                },
+              ],
+            };
+          }
+          
+          return {
+            severity: SEVERITY.PASS,
+            message: 'No .env in git history',
+          };
+        } catch {
+          return {
+            severity: SEVERITY.INFO,
+            message: 'Could not check git history',
+          };
+        }
+      },
+    },
+    {
+      id: `${MODULE_ID}.npmrc`,
+      name: '.npmrc Security',
+      category: CATEGORY.SECURITY,
+      parallel: true,
+      check: async () => {
+        const npmrcPath = path.join(projectPath, '.npmrc');
+        
+        if (!fs.existsSync(npmrcPath)) {
+          return {
+            severity: SEVERITY.INFO,
+            message: 'No .npmrc file',
+          };
+        }
+        
+        const content = fs.readFileSync(npmrcPath, 'utf8');
+        const hasToken = content.includes('_authToken') || content.includes('//registry');
+        
+        if (hasToken) {
+          const gitignorePath = path.join(projectPath, '.gitignore');
+          const gitignoreContent = fs.existsSync(gitignorePath) 
+            ? fs.readFileSync(gitignorePath, 'utf8') 
+            : '';
+          
+          if (!gitignoreContent.includes('.npmrc')) {
+            return {
+              severity: SEVERITY.WARNING,
+              message: '.npmrc contains tokens but not in .gitignore',
+              fixes: [{
+                type: FIX_TYPE.FILE_EDIT,
+                description: 'Add .npmrc to .gitignore',
+                path: gitignorePath,
+                content: gitignoreContent + '\n.npmrc\n',
+                autoFixable: true,
+              }],
+            };
+          }
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: hasToken ? 'Contains tokens (gitignored)' : 'No sensitive data',
+        };
+      },
+    },
+  ];
+}
+
+module.exports = { MODULE_ID, createDiagnostics, SECRET_PATTERNS };

package/bin/runners/lib/doctor/modules/system.js

@@ -0,0 +1,213 @@
+/**
+ * System Diagnostics Module
+ * 
+ * Checks OS, memory, disk, CPU, and system resources
+ */
+
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const { SEVERITY, CATEGORY, FIX_TYPE } = require('../types');
+
+const MODULE_ID = 'system';
+
+function createDiagnostics(projectPath) {
+  return [
+    {
+      id: `${MODULE_ID}.os`,
+      name: 'Operating System',
+      category: CATEGORY.SYSTEM,
+      parallel: true,
+      check: async () => {
+        const platform = os.platform();
+        const release = os.release();
+        const arch = os.arch();
+        
+        const platformNames = {
+          win32: 'Windows',
+          darwin: 'macOS',
+          linux: 'Linux',
+          freebsd: 'FreeBSD',
+        };
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: `${platformNames[platform] || platform} ${release} (${arch})`,
+          metadata: { platform, release, arch },
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.memory`,
+      name: 'System Memory',
+      category: CATEGORY.SYSTEM,
+      parallel: true,
+      check: async () => {
+        const totalBytes = os.totalmem();
+        const freeBytes = os.freemem();
+        const totalGB = (totalBytes / 1024 / 1024 / 1024).toFixed(1);
+        const freeGB = (freeBytes / 1024 / 1024 / 1024).toFixed(1);
+        const usedPercent = Math.round((1 - freeBytes / totalBytes) * 100);
+        
+        const metadata = { totalBytes, freeBytes, totalGB, freeGB, usedPercent };
+        
+        if (freeBytes < 256 * 1024 * 1024) { // < 256MB
+          return {
+            severity: SEVERITY.ERROR,
+            message: `Critically low memory: ${freeGB}GB free`,
+            detail: 'vibecheck may fail or be extremely slow',
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.MANUAL,
+              description: 'Close other applications to free memory',
+              autoFixable: false,
+            }],
+          };
+        }
+        
+        if (freeBytes < 512 * 1024 * 1024) { // < 512MB
+          return {
+            severity: SEVERITY.WARNING,
+            message: `Low memory: ${freeGB}GB free of ${totalGB}GB`,
+            metadata,
+            fixes: [{
+              type: FIX_TYPE.MANUAL,
+              description: 'Close other applications to free memory',
+              autoFixable: false,
+            }],
+          };
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: `${freeGB}GB free of ${totalGB}GB (${usedPercent}% used)`,
+          metadata,
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.cpu`,
+      name: 'CPU Information',
+      category: CATEGORY.SYSTEM,
+      parallel: true,
+      check: async () => {
+        const cpus = os.cpus();
+        const cores = cpus.length;
+        const model = cpus[0]?.model || 'Unknown';
+        const loadAvg = os.loadavg();
+        
+        const metadata = { cores, model, loadAvg };
+        
+        // High load warning (load > cores * 2)
+        if (loadAvg[0] > cores * 2) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: `High CPU load: ${loadAvg[0].toFixed(1)} (${cores} cores)`,
+            detail: 'System is under heavy load',
+            metadata,
+          };
+        }
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: `${cores} cores, load: ${loadAvg[0].toFixed(2)}`,
+          metadata,
+        };
+      },
+    },
+    {
+      id: `${MODULE_ID}.disk_write`,
+      name: 'Disk Write Access',
+      category: CATEGORY.SYSTEM,
+      parallel: false,
+      check: async () => {
+        const testDir = path.join(projectPath, '.vibecheck');
+        const testFile = path.join(testDir, '.doctor-test');
+        
+        try {
+          // Ensure directory exists
+          if (!fs.existsSync(testDir)) {
+            fs.mkdirSync(testDir, { recursive: true });
+          }
+          
+          // Test write
+          fs.writeFileSync(testFile, `test-${Date.now()}`);
+          fs.unlinkSync(testFile);
+          
+          return {
+            severity: SEVERITY.PASS,
+            message: 'Write access OK',
+          };
+        } catch (err) {
+          return {
+            severity: SEVERITY.ERROR,
+            message: 'Cannot write to project directory',
+            detail: err.message,
+            fixes: [
+              {
+                type: FIX_TYPE.COMMAND,
+                description: 'Fix directory permissions',
+                command: process.platform === 'win32' 
+                  ? `icacls "${projectPath}" /grant "%USERNAME%":F /T`
+                  : `chmod -R u+w "${projectPath}"`,
+                dangerous: true,
+                autoFixable: false,
+              },
+            ],
+          };
+        }
+      },
+    },
+    {
+      id: `${MODULE_ID}.temp_dir`,
+      name: 'Temp Directory',
+      category: CATEGORY.SYSTEM,
+      parallel: true,
+      check: async () => {
+        const tmpDir = os.tmpdir();
+        
+        try {
+          const testFile = path.join(tmpDir, `.vibecheck-test-${Date.now()}`);
+          fs.writeFileSync(testFile, 'test');
+          fs.unlinkSync(testFile);
+          
+          return {
+            severity: SEVERITY.PASS,
+            message: `Writable: ${tmpDir}`,
+            metadata: { tmpDir },
+          };
+        } catch (err) {
+          return {
+            severity: SEVERITY.WARNING,
+            message: `Temp directory not writable: ${tmpDir}`,
+            detail: err.message,
+            metadata: { tmpDir },
+          };
+        }
+      },
+    },
+    {
+      id: `${MODULE_ID}.shell`,
+      name: 'Shell Environment',
+      category: CATEGORY.SYSTEM,
+      parallel: true,
+      check: async () => {
+        const shell = process.env.SHELL || process.env.ComSpec || 'unknown';
+        const term = process.env.TERM || process.env.WT_SESSION ? 'modern' : 'basic';
+        const colorSupport = process.stdout.isTTY && (
+          process.env.COLORTERM === 'truecolor' ||
+          process.env.TERM_PROGRAM === 'vscode' ||
+          process.env.WT_SESSION
+        );
+        
+        return {
+          severity: SEVERITY.PASS,
+          message: `${path.basename(shell)} (${colorSupport ? 'color' : 'no-color'})`,
+          metadata: { shell, term, colorSupport },
+        };
+      },
+    },
+  ];
+}
+
+module.exports = { MODULE_ID, createDiagnostics };