vibecheck-ai 2.0.2 → 5.0.0

package/bin/runners/lib/missions/templates.js

@@ -0,0 +1,317 @@
+// bin/runners/lib/missions/templates.js
+function templateForMissionType(type) {
+  switch (type) {
+    case "REMOVE_OWNER_MODE":
+      return {
+        intent: "Remove any env-based entitlement bypass. Ship must not allow secretless unlocks.",
+        do: [
+          "Delete OWNER_MODE logic or gate it with signed admin token AND non-production check.",
+          "Ensure entitlement checks require real verification (API key / token / server-side).",
+          "Add/adjust tests if present (at minimum remove bypass path)."
+        ],
+        dont: [
+          "Do not replace with another env var.",
+          "Do not add 'temporary' backdoor."
+        ],
+        success: [
+          "Owner mode bypass finding disappears from ship results."
+        ]
+      };
+
+    case "FIX_STRIPE_WEBHOOKS":
+      return {
+        intent: "Make Stripe webhooks real: signature verified + raw body + idempotent event handling.",
+        do: [
+          "Use stripe.webhooks.constructEvent(rawBody, sigHeader, secret).",
+          "Ensure raw body is used (Next pages: bodyParser false; Next app: req.text()/arrayBuffer()).",
+          "Persist processed event.id and short-circuit on replays."
+        ],
+        dont: [
+          "Do not trust parsed JSON body for signature verification.",
+          "Do not mutate billing state without dedupe."
+        ],
+        success: [
+          "Webhook verification + idempotency findings disappear."
+        ]
+      };
+
+    case "ENFORCE_PAID_SURFACE":
+      return {
+        intent: "Move paid gating to the server handler BEFORE doing work.",
+        do: [
+          "Add enforceFeature/enforceLimit (or equivalent) at top of handler.",
+          "Return a structured 402/403 error code used by CLI/UI to upsell.",
+          "Keep logic minimal; don't refactor unrelated code."
+        ],
+        dont: [
+          "Do not rely on client/CLI-only gating.",
+          "Do not introduce new plans/tiers in this step."
+        ],
+        success: [
+          "Paid surface missing enforcement finding disappears."
+        ]
+      };
+
+    case "ADD_SERVER_AUTH":
+      return {
+        intent: "Ensure sensitive endpoints have real server-side auth enforcement.",
+        do: [
+          "Add session/JWT verification in handler or route hook.",
+          "If using Next middleware, ensure matcher covers the sensitive paths (but do not over-widen blindly).",
+          "Return 401/403 on missing/invalid auth."
+        ],
+        dont: [
+          "Do not only hide UI routes.",
+          "Do not add fake auth helpers without evidence."
+        ],
+        success: [
+          "GhostAuth findings disappear."
+        ]
+      };
+
+    case "FIX_MISSING_ROUTE":
+      return {
+        intent: "Make the referenced route real OR stop referencing it.",
+        do: [
+          "If the UI calls /api/x, ensure server route exists and matches method/path.",
+          "If the route should not exist, remove the client reference safely.",
+          "Prefer minimal handler that returns correct status and shape if needed."
+        ],
+        dont: [
+          "Do not invent new API surface unless required by evidence.",
+          "Do not add broad wildcard routes."
+        ],
+        success: [
+          "MissingRoute findings disappear."
+        ]
+      };
+
+    case "FIX_FAKE_SUCCESS":
+      return {
+        intent: "Remove success UI lies: success must be gated on awaited + verified network result.",
+        do: [
+          "Await the network call.",
+          "Gate toast.success / navigation behind res.ok/status checks.",
+          "Surface error toast on failure."
+        ],
+        dont: [
+          "Do not just delete success feedback.",
+          "Do not swallow errors silently."
+        ],
+        success: [
+          "FakeSuccess findings disappear."
+        ]
+      };
+
+    case "FIX_ENV_CONTRACT":
+      return {
+        intent: "Make env reality explicit: used env vars must be declared in .env.example/.env.template.",
+        do: [
+          "Add missing used vars to env template with safe defaults or comments.",
+          "If truly optional, ensure code has explicit fallback and document it."
+        ],
+        dont: [
+          "Do not introduce new env var usage unrelated to the finding."
+        ],
+        success: [
+          "EnvContract findings disappear."
+        ]
+      };
+
+    case "FIX_DEAD_UI":
+      return {
+        intent: "Make UI actions real: clicks must trigger real handler + real success criteria.",
+        do: [
+          "If click calls /api/*: ensure route exists server-side and returns success only on real ok.",
+          "If click should navigate: ensure href/router push is correct and target route exists.",
+          "If click should open modal: ensure state toggles and modal renders.",
+          "If action is disabled: remove click affordance or add aria-disabled + disabled styling consistently."
+        ],
+        dont: [
+          "Do not silence by removing UI without replacing the feature.",
+          "Do not show success toast before awaiting and verifying."
+        ],
+        success: ["Dead UI findings disappear from ship (after running reality again)."]
+      };
+
+    case "SYNC_CONTRACTS":
+      return {
+        intent: "Update contracts to match current code reality. Drift causes AI hallucinations.",
+        do: [
+          "Run 'vibecheck ctx sync' to regenerate contracts from truthpack.",
+          "Review the diff to ensure changes are intentional.",
+          "Commit updated contracts alongside code changes."
+        ],
+        dont: [
+          "Do not manually edit contract JSON files.",
+          "Do not ignore drift - it will cause AI to generate broken code."
+        ],
+        success: ["Contract drift findings disappear from ship."]
+      };
+
+    case "FIX_ROUTE_DRIFT":
+      return {
+        intent: "Align route contract with actual server routes.",
+        do: [
+          "If route was intentionally added: run 'vibecheck ctx sync'.",
+          "If route was accidentally removed: restore it or update client refs.",
+          "If client refs fake route: fix the client to use real routes."
+        ],
+        dont: [
+          "Do not invent routes to match client refs.",
+          "Do not remove routes without updating all client references."
+        ],
+        success: ["Route drift findings disappear."]
+      };
+
+    case "FIX_AUTH_DRIFT":
+      return {
+        intent: "Align auth contract with actual middleware patterns.",
+        do: [
+          "If auth pattern was intentionally changed: run 'vibecheck ctx sync'.",
+          "If auth was accidentally removed: RESTORE IT IMMEDIATELY (security risk).",
+          "Verify all sensitive routes are still protected."
+        ],
+        dont: [
+          "Do not remove auth patterns without security review.",
+          "Do not ignore auth drift - it may indicate a security regression."
+        ],
+        success: ["Auth drift findings disappear."]
+      };
+
+    // ═══════════════════════════════════════════════════════════════════════════════
+    // ENHANCED MISSION TYPES - World-class detection and fixing
+    // ═══════════════════════════════════════════════════════════════════════════════
+
+    case "FIX_EMPTY_CATCH":
+      return {
+        intent: "Add proper error handling to empty catch blocks. Silent failures hide bugs and security issues.",
+        do: [
+          "Add error logging: console.error('Context:', err) or use structured logger.",
+          "Re-throw the error OR return a meaningful error response to caller.",
+          "If intentionally ignoring, add explicit comment explaining WHY (e.g., // Expected: optional feature).",
+          "Consider adding error tracking (Sentry, etc.) for production visibility."
+        ],
+        dont: [
+          "Do not just add a comment without actual handling.",
+          "Do not swallow errors in auth, payment, or data mutation paths.",
+          "Do not use console.log for errors (use console.error)."
+        ],
+        success: ["Empty catch findings disappear and errors become visible."]
+      };
+
+    case "FIX_TEST_KEYS":
+      return {
+        intent: "Replace test/demo API keys with environment variable references. Test keys in production = security breach.",
+        do: [
+          "Replace sk_test_*, pk_test_*, api_key_test with process.env.STRIPE_SECRET_KEY etc.",
+          "Add the env var to .env.example with a placeholder comment.",
+          "Ensure the code fails fast if env var is missing (no silent fallback to test key).",
+          "Add runtime validation: if (!process.env.STRIPE_SECRET_KEY) throw new Error('Missing STRIPE_SECRET_KEY')."
+        ],
+        dont: [
+          "Do not leave test keys as fallback defaults.",
+          "Do not commit .env files with real keys.",
+          "Do not use generic names like API_KEY - be specific (STRIPE_SECRET_KEY, SENDGRID_API_KEY)."
+        ],
+        success: ["Test key findings disappear and production uses real credentials."]
+      };
+
+    case "FIX_MOCK_DOMAINS":
+      return {
+        intent: "Replace hardcoded mock/localhost URLs with configurable endpoints. Mock domains in production = broken features.",
+        do: [
+          "Replace localhost:*, jsonplaceholder.typicode.com, mockapi.io with process.env.API_BASE_URL.",
+          "Add the env var to .env.example: API_BASE_URL=https://api.yourproduct.com",
+          "Add URL validation at startup to catch misconfiguration early.",
+          "For development, use .env.local with localhost values."
+        ],
+        dont: [
+          "Do not use localhost as a fallback default.",
+          "Do not hardcode staging URLs - use env vars for all environments.",
+          "Do not mix mock and real endpoints in the same codebase without clear separation."
+        ],
+        success: ["Mock domain findings disappear and API calls hit real backends."]
+      };
+
+    case "FIX_PLACEHOLDER_DATA":
+      return {
+        intent: "Replace lorem ipsum and placeholder data with real data fetching or meaningful defaults.",
+        do: [
+          "Replace 'Lorem ipsum', 'John Doe', 'user@example.com' with actual data bindings.",
+          "If data comes from API: ensure proper loading states and error handling.",
+          "If truly static: use real, contextually appropriate content.",
+          "For avatars/images: use real assets or proper placeholder services with fallbacks."
+        ],
+        dont: [
+          "Do not show placeholder data to real users.",
+          "Do not use obviously fake data (123-456-7890, test@test.com) in production UI.",
+          "Do not remove placeholder without adding real data source."
+        ],
+        success: ["Placeholder data findings disappear and UI shows real content."]
+      };
+
+    case "FIX_HARDCODED_SECRETS":
+      return {
+        intent: "Move hardcoded secrets to environment variables. Secrets in code = compromised on first commit.",
+        do: [
+          "Extract secret to environment variable with descriptive name.",
+          "Add to .env.example with CHANGEME or empty placeholder.",
+          "Add .env to .gitignore if not already present.",
+          "Add startup validation to fail fast on missing secrets.",
+          "Consider using a secrets manager (Vault, AWS Secrets Manager) for production."
+        ],
+        dont: [
+          "Do not leave secrets in code comments.",
+          "Do not use generic names (SECRET, PASSWORD) - be specific.",
+          "Do not commit the actual secret value anywhere.",
+          "Do not use base64 encoding as 'encryption' - it's not."
+        ],
+        success: ["Hardcoded secret findings disappear and secrets are externalized."]
+      };
+
+    case "FIX_SIMULATED_BILLING":
+      return {
+        intent: "Replace simulated billing responses with real payment processor integration.",
+        do: [
+          "Connect to real Stripe/payment processor in production mode.",
+          "Ensure webhook handlers verify signatures and process real events.",
+          "Add proper error handling for payment failures.",
+          "Implement idempotency to prevent double charges."
+        ],
+        dont: [
+          "Do not show 'Payment successful' without real charge.",
+          "Do not skip signature verification in production.",
+          "Do not trust client-side payment confirmations."
+        ],
+        success: ["Simulated billing findings disappear and payments are real."]
+      };
+
+    case "FIX_SILENT_FALLBACK":
+      return {
+        intent: "Make failures visible instead of silently returning success. Silent fallbacks hide broken features.",
+        do: [
+          "Remove catch blocks that return { success: true } or empty data.",
+          "Surface errors to the UI with appropriate messaging.",
+          "Log errors with context for debugging.",
+          "Consider graceful degradation that's VISIBLE (e.g., 'Feature temporarily unavailable')."
+        ],
+        dont: [
+          "Do not return success: true when operation failed.",
+          "Do not show success toast/UI when API returned error.",
+          "Do not hide errors from users entirely - they need to know something went wrong."
+        ],
+        success: ["Silent fallback findings disappear and failures become visible."]
+      };
+
+    default:
+      return {
+        intent: "Fix the specific finding with smallest correct patch.",
+        do: ["Keep it minimal, evidence-based, and verifiable."],
+        dont: ["Do not refactor unrelated code."],
+        success: ["Target finding disappears."]
+      };
+  }
+}
+
+module.exports = { templateForMissionType };