vibecheck-ai 2.0.2 → 5.0.0

package/bin/runners/runScan.js

@@ -0,0 +1,688 @@
+/**
+ * runScan.js — Ultimate Scanner v5.0 Runner
+ *
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * Inline scanner with 3 core engines (credentials, fake-features, security).
+ * When dist/scanner/ is compiled, upgrades to full 8-engine mode automatically.
+ *
+ * Architecture:
+ *   Files → Classify → [Engines in parallel] → Deduplicate → Score → Report
+ * ═══════════════════════════════════════════════════════════════════════════════
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+const crypto = require("crypto");
+const { withErrorHandling } = require("./lib/error-handler");
+const { parseGlobalFlags } = require("./lib/global-flags");
+const { EXIT } = require("./lib/exit-codes");
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// LAZY-LOAD: Try compiled 8-engine scanner first
+// ═══════════════════════════════════════════════════════════════════════════════
+
+let _scanner = null;
+function getScanner() {
+  if (_scanner) return _scanner;
+  try {
+    _scanner = require("../../dist/scanner/index.js");
+    return _scanner;
+  } catch {
+    return null;
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// TERMINAL STYLING (zero deps)
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const SUPPORTS_COLOR = process.stdout.isTTY && !process.env.NO_COLOR;
+const c = SUPPORTS_COLOR
+  ? {
+      reset: "\x1b[0m", bold: "\x1b[1m", dim: "\x1b[2m",
+      red: "\x1b[31m", green: "\x1b[32m", yellow: "\x1b[33m",
+      blue: "\x1b[34m", magenta: "\x1b[35m", cyan: "\x1b[36m",
+      white: "\x1b[37m", gray: "\x1b[90m",
+    }
+  : Object.fromEntries(
+      ["reset","bold","dim","red","green","yellow","blue","magenta","cyan","white","gray"].map(k => [k, ""])
+    );
+
+const SEV_ICON = { critical: `${c.red}●${c.reset}`, high: `${c.yellow}●${c.reset}`, medium: `${c.cyan}●${c.reset}`, low: `${c.dim}●${c.reset}` };
+const SEV_LABEL = { critical: `${c.red}CRITICAL${c.reset}`, high: `${c.yellow}HIGH${c.reset}`, medium: `${c.cyan}MEDIUM${c.reset}`, low: `${c.dim}LOW${c.reset}` };
+const SEV_ORDER = { critical: 4, high: 3, medium: 2, low: 1 };
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// ARGS PARSER
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function parseArgs(args) {
+  const { flags: globalFlags, cleanArgs } = parseGlobalFlags(args);
+  const opts = {
+    path: globalFlags.path || process.cwd(),
+    format: "pretty", severity: "low", engines: null, includeTests: false,
+    parallel: true, fix: false, dryRun: false, category: null,
+    help: globalFlags.help || false, json: globalFlags.json || false,
+    quiet: globalFlags.quiet || false, ci: globalFlags.ci || false,
+    verbose: globalFlags.verbose || false, sarif: false, failOn: null,
+    output: globalFlags.output || null,
+  };
+  for (let i = 0; i < cleanArgs.length; i++) {
+    const a = cleanArgs[i], n = cleanArgs[i + 1];
+    switch (a) {
+      case "--format": opts.format = n || "pretty"; i++; break;
+      case "--severity": opts.severity = n || "low"; i++; break;
+      case "--engines": opts.engines = n ? n.split(",") : null; i++; break;
+      case "--include-tests": opts.includeTests = true; break;
+      case "--parallel": opts.parallel = true; break;
+      case "--no-parallel": opts.parallel = false; break;
+      case "--fix": case "--auto-fix": opts.fix = true; break;
+      case "--dry-run": opts.dryRun = true; break;
+      case "--category": opts.category = n; i++; break;
+      case "--sarif": opts.sarif = true; opts.format = "sarif"; break;
+      case "--fail-on": opts.failOn = n; i++; break;
+      case "--output": opts.output = n; i++; break;
+      case "--json": opts.json = true; opts.format = "json"; break;
+      case "--quiet": case "-q": opts.quiet = true; break;
+      case "--verbose": opts.verbose = true; break;
+      case "--help": case "-h": opts.help = true; break;
+      default: if (!a.startsWith("-") && !opts.category) opts.category = a; break;
+    }
+  }
+  return opts;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// HELP
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function printHelp() {
+  console.log(`
+  ${c.bold}${c.cyan}vibecheck scan${c.reset} — The most accurate AI code scanner
+
+  ${c.bold}Usage:${c.reset}
+    vibecheck scan [subcommand] [options]
+
+  ${c.bold}Subcommands:${c.reset}
+    ${c.cyan}secrets${c.reset}        Scan for leaked credentials & API keys
+    ${c.cyan}vulns${c.reset}          Scan for dependency vulnerabilities
+    ${c.cyan}routes${c.reset}         Scan for dead/orphan routes
+    ${c.cyan}env${c.reset}            Scan for ghost environment variables
+    ${c.cyan}auth${c.reset}           Scan for auth drift & unprotected endpoints
+
+  ${c.bold}Options:${c.reset}
+    --path <dir>         Project path (default: .)
+    --format <fmt>       Output: pretty, json, sarif (default: pretty)
+    --severity <level>   Min severity: low, medium, high, critical
+    --engines <list>     Comma-separated engine names
+    --include-tests      Include test files
+    --fix                Auto-fix fixable findings
+    --dry-run            Preview fixes without applying
+    --sarif              SARIF output for GitHub
+    --fail-on <level>    Exit non-zero if findings >= level (CI mode)
+    --output <dir>       Report output directory
+    --quiet              Minimal output
+    --help               Show this help
+
+  ${c.bold}Engines:${c.reset}
+    credentials, security, fake-features, hallucinations,
+    dead-ui, code-quality, import-graph, runtime-verify
+
+  ${c.bold}Examples:${c.reset}
+    vibecheck scan
+    vibecheck scan secrets
+    vibecheck scan --sarif --fail-on high
+    vibecheck scan --fix --dry-run
+`);
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// PATH CLASSIFIER
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const CODE_EXTS = new Set([
+  ".ts",".tsx",".js",".jsx",".mjs",".cjs",".vue",".svelte",
+  ".py",".rb",".go",".rs",".java",".kt",".cs",".php",".swift",
+]);
+
+function isCodeFile(fp) { return CODE_EXTS.has(path.extname(fp).toLowerCase()); }
+
+function classifyPath(rel) {
+  const r = rel.replace(/\\/g, "/");
+  if (/node_modules\/|vendor\/|\.yarn\/|\.pnpm\//.test(r)) return { category: "third_party", excludeByDefault: true, isCriticalPath: false };
+  if (/\/dist\/|\/build\/|\/.next\/|\/.nuxt\/|\.min\.(js|css)$/.test(r)) return { category: "build_output", excludeByDefault: true, isCriticalPath: false };
+  if (/\.d\.ts$|\/generated\/|\.gen\.(ts|js)$|\.lock$/.test(r)) return { category: "generated", excludeByDefault: true, isCriticalPath: false };
+  if (/\.(test|spec)\.(ts|tsx|js|jsx)$|__tests__|__mocks__|\.stories\./.test(r)) return { category: "test", excludeByDefault: false, isCriticalPath: false };
+  if (/\.(md|mdx|rst|txt)$|\/docs\//.test(r)) return { category: "documentation", excludeByDefault: true, isCriticalPath: false };
+  const isCrit = /\/api\/|\/auth\/|\/payment\/|\/billing\/|\/admin\/|middleware/i.test(r);
+  return { category: "user_code", excludeByDefault: false, isCriticalPath: isCrit };
+}
+
+function escalateSev(sev, isCrit) {
+  if (!isCrit) return sev;
+  if (sev === "low") return "medium";
+  if (sev === "medium") return "high";
+  return sev;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// FILE LOADER
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const DEFAULT_EXCLUDE = ["node_modules",".git","dist","build",".next",".nuxt","coverage","__pycache__",".venv",".output"];
+
+function loadFiles(root, opts) {
+  const files = new Map();
+  const exclude = DEFAULT_EXCLUDE;
+  const maxSize = 512 * 1024;
+
+  function walk(dir) {
+    let entries;
+    try { entries = fs.readdirSync(dir); } catch { return; }
+    for (const entry of entries) {
+      const full = path.join(dir, entry);
+      if (exclude.includes(entry) || entry.startsWith(".")) {
+        try { if (fs.statSync(full).isDirectory()) continue; } catch { continue; }
+      }
+      let stat;
+      try { stat = fs.statSync(full); } catch { continue; }
+      if (stat.isDirectory()) { walk(full); continue; }
+      if (!isCodeFile(full)) continue;
+      if (stat.size > maxSize) continue;
+      const rel = path.relative(root, full).replace(/\\/g, "/");
+      const cl = classifyPath(rel);
+      if (cl.excludeByDefault && cl.category !== "test") continue;
+      if (cl.category === "test" && !opts.includeTests) continue;
+      try {
+        const content = fs.readFileSync(full, "utf-8");
+        files.set(rel, {
+          path: rel, absolutePath: full, content, lines: content.split("\n"),
+          ext: path.extname(full).toLowerCase(),
+          hash: crypto.createHash("md5").update(content).digest("hex"),
+          classification: cl,
+        });
+      } catch { /* skip unreadable */ }
+    }
+  }
+  walk(root);
+  return files;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// ENGINE: CREDENTIALS (20 patterns)
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const CRED_PATTERNS = [
+  { n: "stripe-live-secret", id: "CRED001", re: /['"`](sk_live_[a-zA-Z0-9]{20,})['"`]/, sev: "critical", msg: "Stripe live secret key hardcoded", fix: "Use process.env.STRIPE_SECRET_KEY", conf: 99, test: true, cwe: "CWE-798" },
+  { n: "stripe-live-pub", id: "CRED001", re: /['"`](pk_live_[a-zA-Z0-9]{20,})['"`]/, sev: "high", msg: "Stripe live publishable key hardcoded", fix: "Use process.env.NEXT_PUBLIC_STRIPE_KEY", conf: 95, test: false },
+  { n: "aws-access", id: "CRED001", re: /['"`](AKIA[0-9A-Z]{16})['"`]/, sev: "critical", msg: "AWS Access Key ID hardcoded", fix: "Use AWS SDK credential chain", conf: 99, test: true, cwe: "CWE-798" },
+  { n: "aws-secret", id: "CRED001", re: /aws_secret_access_key\s*[:=]\s*['"`]([^'"`]{20,})['"`]/i, sev: "critical", msg: "AWS Secret Access Key hardcoded", fix: "Use AWS_SECRET_ACCESS_KEY env var", conf: 98, test: true, cwe: "CWE-798" },
+  { n: "openai", id: "CRED001", re: /['"`](sk-[a-zA-Z0-9]{32,})['"`]/, sev: "critical", msg: "OpenAI API key hardcoded", fix: "Use process.env.OPENAI_API_KEY", conf: 92, test: true },
+  { n: "anthropic", id: "CRED001", re: /['"`](sk-ant-[a-zA-Z0-9-]{20,})['"`]/, sev: "critical", msg: "Anthropic API key hardcoded", fix: "Use process.env.ANTHROPIC_API_KEY", conf: 98, test: true },
+  { n: "github-pat", id: "CRED001", re: /['"`](ghp_[a-zA-Z0-9]{36,})['"`]/, sev: "critical", msg: "GitHub personal access token hardcoded", fix: "Use process.env.GITHUB_TOKEN", conf: 99, test: true },
+  { n: "github-oauth", id: "CRED001", re: /['"`](gho_[a-zA-Z0-9]{36,})['"`]/, sev: "critical", msg: "GitHub OAuth token hardcoded", fix: "Use process.env.GITHUB_OAUTH_TOKEN", conf: 99, test: true },
+  { n: "google-api", id: "CRED001", re: /['"`](AIza[0-9A-Za-z_-]{35})['"`]/, sev: "high", msg: "Google API key hardcoded", fix: "Use process.env.GOOGLE_API_KEY", conf: 95, test: false },
+  { n: "jwt-secret", id: "CRED003", re: /(?:jwt[_-]?secret|JWT_SECRET)\s*[:=]\s*['"`]([^'"`]{8,})['"`]/i, sev: "critical", msg: "JWT signing secret hardcoded", fix: "Use process.env.JWT_SECRET", conf: 90, test: false, cwe: "CWE-798" },
+  { n: "password", id: "CRED002", re: /(?:password|passwd|pwd)\s*[:=]\s*['"`]([^'"`]{4,})['"`]/i, sev: "high", msg: "Hardcoded password detected", fix: "Use env variable or secrets manager", conf: 75, test: false, cwe: "CWE-798" },
+  { n: "generic-secret", id: "CRED002", re: /(?:secret|api[_-]?key|auth[_-]?token)\s*[:=]\s*['"`]([^'"`]{8,})['"`]/i, sev: "high", msg: "Hardcoded secret/token detected", fix: "Use environment variable", conf: 70, test: false },
+  { n: "private-key", id: "CRED004", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, sev: "critical", msg: "Private key embedded in source code", fix: "Store key in file, reference via env var", conf: 99, test: true, cwe: "CWE-321" },
+  { n: "conn-string", id: "CRED005", re: /['"`](?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\/\/[^'"`\s]{10,}['"`]/i, sev: "critical", msg: "Database connection string with credentials", fix: "Use DATABASE_URL env var", conf: 92, test: false, cwe: "CWE-798" },
+  { n: "slack", id: "CRED001", re: /['"`](xox[bpoas]-[0-9a-zA-Z-]{10,})['"`]/, sev: "critical", msg: "Slack token hardcoded", fix: "Use process.env.SLACK_TOKEN", conf: 97, test: true },
+  { n: "sendgrid", id: "CRED001", re: /['"`](SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})['"`]/, sev: "critical", msg: "SendGrid API key hardcoded", fix: "Use process.env.SENDGRID_API_KEY", conf: 99, test: true },
+  { n: "npm-token", id: "CRED001", re: /['"`](npm_[a-zA-Z0-9]{36,})['"`]/, sev: "critical", msg: "npm auth token hardcoded", fix: "Use .npmrc with env var interpolation", conf: 98, test: true },
+];
+
+function scanCredentials(files) {
+  const findings = [];
+  for (const [, file] of files) {
+    const isTest = file.classification.category === "test";
+    const isExample = /\.(example|sample|template)\b/.test(file.path);
+    const isCrit = file.classification.isCriticalPath;
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      if (trimmed.startsWith("//") && !trimmed.includes("=")) continue;
+      if (trimmed.startsWith("*")) continue;
+      for (const p of CRED_PATTERNS) {
+        if (isTest && !p.test) continue;
+        if (isExample) continue;
+        const m = line.match(p.re);
+        if (!m) continue;
+        if (p.n === "password") {
+          if (/type\s|interface\s|placeholder|example/i.test(line)) continue;
+          if (!m[1] || m[1].length < 6) continue;
+        }
+        if (p.n === "generic-secret") {
+          if (!m[1] || /^[a-z_]+$/i.test(m[1])) continue;
+          if (/placeholder|example|your[_-]/i.test(m[1])) continue;
+        }
+        findings.push({
+          id: `${p.id}-${file.path}-${i+1}`, ruleId: p.id, engine: "credentials",
+          category: "credentials", severity: escalateSev(p.sev, isCrit),
+          confidence: p.conf >= 90 ? "certain" : p.conf >= 70 ? "likely" : "possible",
+          confidenceScore: p.conf, file: file.path, line: i+1, column: m.index,
+          code: trimmed, message: p.msg, why: "Hardcoded credentials can be extracted from source, builds, or version history.", fix: p.fix,
+          autoFixable: false, tags: ["secrets","credentials"], cwe: p.cwe, verified: false,
+        });
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// ENGINE: FAKE FEATURES (6 pattern groups)
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const PLACEHOLDER_RE = [
+  /[=:]\s*['"]?placeholder['"]?(?:\s*[,;}\]]|$)/i, /\bstub(?:bed|bing)?\s*(?:function|method|implementation)/i,
+  /\bdummy[-_]?(?:data|value|user|id|token|response)\b/i, /\bfake[-_]?(?:data|response|user|api|endpoint)\b/i,
+  /\bTODO\b.*(?:implement|fix|complete|replace|remove)/i, /\bWIP\b(?:\s*[-:]\s|\s+)/i,
+  /\bcoming\s+soon\b/i, /\bCHANGE[-_]?ME\b/i, /\bREPLACE[-_]?ME\b/i,
+];
+const FAKE_SUCCESS_RE = [
+  /^\s*return\s+true\s*;?\s*$/i, /return\s*{\s*success:\s*true\s*}/i,
+  /return\s*{\s*status:\s*["']ok["']\s*}/i, /\/\/\s*(?:fake|mock|stub)\s*success/i,
+];
+const SILENT_FAIL_RE = [
+  /catch\s*\(\s*(?:_|e|err|error)?\s*\)\s*{\s*}/, /catch\s*\([^)]*\)\s*{\s*return(?:\s+(?:undefined|null))?\s*;?\s*}/,
+  /catch\s*\([^)]*\)\s*{\s*\/\/[^\n]*\s*}/, /catch\s*\([^)]*\)\s*{\s*console\.log\([^)]+\)\s*;?\s*}/,
+];
+const AUTH_BYPASS_RE = [
+  /(?:if|&&|\|\|)\s*\(\s*(?:true|1)\s*\)\s*.*(?:admin|auth)/i, /\b(?:skip|disable|bypass)Auth(?:entication)?\s*[=:]\s*true\b/i,
+  /\b(?:const|let|var)\s+isAdmin\s*=\s*true\b/i, /\/\/\s*(?:bypass|skip|disable)\s*auth/i,
+  /permissions?\s*[=:]\s*\[\s*['"]?\*['"]?\s*\]/i, /(?:isAuth|isAdmin|hasPermission|canAccess)\s*[=:]\s*\(\)\s*=>\s*true/i,
+];
+const DANGER_DEFAULT_RE = [
+  /process\.env\.(?:\w*(?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)\w*)\s*\|\|\s*["'][^'"]{0,50}["']/i,
+  /(?:api[_-]?key|secret|token|password)\s*[=:]\s*["'](?:CHANGEME|REPLACE_ME|YOUR_[A-Z_]+|xxx+|TODO)["']/i,
+];
+const EMPTY_FN_RE = [
+  /async\s+(?:function\s+\w+|(?:const|let)\s+\w+\s*=\s*async)\s*\([^)]*\)\s*(?::\s*\w+[<>\[\]]*\s*)?\s*{\s*}/,
+  /function\s+\w+\s*\([^)]*\)\s*{\s*return\s*;?\s*}/, /=>\s*{\s*}\s*[;,)]/,
+];
+
+const FAKE_RULES = {
+  FAKE001: { desc: "Empty/stub function — no implementation", why: "Functions with no body silently do nothing. Users think the feature works.", fix: "Implement the function body or throw NotImplementedError.", tags: ["stub","empty"], auto: false },
+  FAKE002: { desc: "Fake success return — always returns true/ok", why: "Functions that always return success bypass real logic. Login that always succeeds = no auth.", fix: "Implement actual validation before returning success.", tags: ["fake-success"], auto: false },
+  FAKE003: { desc: "Silent error swallowing — empty catch block", why: "Empty catch blocks hide failures. Users see no error but nothing actually works.", fix: "Log the error, rethrow, or handle it meaningfully.", tags: ["silent-failure"], auto: true },
+  FAKE004: { desc: "Placeholder/TODO marker in production code", why: "Placeholder values indicate unfinished work that may be deployed.", fix: "Complete the implementation or remove the placeholder.", tags: ["placeholder","todo"], auto: false },
+  FAKE005: { desc: "Auth bypass — hardcoded admin or skipped auth", why: "Authentication bypasses let anyone access protected resources.", fix: "Remove hardcoded bypasses. Implement proper auth checks.", tags: ["auth-bypass","security"], auto: false },
+  FAKE006: { desc: "Dangerous default — secret env var with insecure fallback", why: "If the env var is missing, the app runs with an insecure default value.", fix: "Throw on missing required secrets. Never provide insecure defaults.", tags: ["dangerous-default"], auto: false },
+};
+
+function scanFakeFeatures(files, opts) {
+  const findings = [];
+  for (const [, file] of files) {
+    if (file.classification.category === "test" && !opts.includeTests) continue;
+    if (file.classification.category === "documentation") continue;
+    const isCrit = file.classification.isCriticalPath;
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i], trimmed = line.trim();
+      const isComment = /^\s*(?:\/\/|\/\*|\*|#)/.test(trimmed);
+
+      // Placeholders (including TODO comments)
+      if (!isComment || /\b(?:TODO|FIXME|WIP)\b/i.test(trimmed)) {
+        if (!/\.(md|mdx|rst|txt)$/.test(file.path) && !file.path.includes("/docs/")) {
+          for (const re of PLACEHOLDER_RE) {
+            if (re.test(line)) { findings.push(makeFake("FAKE004", file, i, trimmed, "medium", 65, isCrit)); break; }
+          }
+        }
+      }
+      if (isComment) continue;
+
+      // Fake success
+      for (const re of FAKE_SUCCESS_RE) {
+        if (re.test(line) && !file.path.includes(".test.") && !file.path.includes(".spec.")) {
+          findings.push(makeFake("FAKE002", file, i, trimmed, "medium", 65, isCrit)); break;
+        }
+      }
+      // Silent failures
+      for (const re of SILENT_FAIL_RE) {
+        if (re.test(line) && !line.toLowerCase().includes("finally")) {
+          findings.push(makeFake("FAKE003", file, i, trimmed, "high", 85, isCrit)); break;
+        }
+      }
+      // Auth bypass
+      for (const re of AUTH_BYPASS_RE) {
+        if (re.test(line) && !file.path.includes(".config.") && !file.path.includes(".env")) {
+          findings.push(makeFake("FAKE005", file, i, trimmed, "critical", 88, isCrit)); break;
+        }
+      }
+      // Dangerous defaults
+      for (const re of DANGER_DEFAULT_RE) {
+        if (re.test(line) && !file.path.includes(".example") && !file.path.includes(".template")) {
+          findings.push(makeFake("FAKE006", file, i, trimmed, "high", 82, isCrit)); break;
+        }
+      }
+      // Empty functions
+      for (const re of EMPTY_FN_RE) {
+        if (re.test(line) && !/noop|passthrough|abstract|interface|override/i.test(line)) {
+          findings.push(makeFake("FAKE001", file, i, trimmed, "high", 75, isCrit)); break;
+        }
+      }
+    }
+  }
+  return findings;
+}
+
+function makeFake(ruleId, file, idx, code, sev, conf, isCrit) {
+  const r = FAKE_RULES[ruleId];
+  return {
+    id: `${ruleId}-${file.path}-${idx+1}`, ruleId, engine: "fake-features",
+    category: "fake-features", severity: escalateSev(sev, isCrit),
+    confidence: conf >= 85 ? "certain" : conf >= 65 ? "likely" : "possible",
+    confidenceScore: conf, file: file.path, line: idx+1, code,
+    message: r.desc, why: r.why, fix: r.fix, autoFixable: r.auto,
+    tags: [...r.tags], verified: false,
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// ENGINE: SECURITY (15 patterns)
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const SEC_PATTERNS = [
+  { n: "sql-inject-tpl", id: "SEC001", re: /(?:query|execute|raw)\s*\(\s*[`'"](?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\s[^`'"]*\$\{/i, sev: "critical", msg: "SQL injection: template literal in query", fix: "Use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [userId])", conf: 92, cwe: "CWE-89" },
+  { n: "sql-inject-concat", id: "SEC001", re: /(?:query|execute|raw)\s*\(\s*['"](?:SELECT|INSERT|UPDATE|DELETE)\s[^'"]*['"]\s*\+/i, sev: "critical", msg: "SQL injection: string concatenation in query", fix: "Use parameterized queries. Never concatenate user input into SQL.", conf: 90, cwe: "CWE-89" },
+  { n: "unfiltered-delete", id: "SEC011", re: /DELETE\s+FROM\s+\w+\s*;?\s*$/im, sev: "critical", msg: "Unfiltered DELETE (no WHERE clause)", fix: "Add WHERE clause. Add confirmation for destructive ops.", conf: 85, cwe: "CWE-89" },
+  { n: "exec-tpl", id: "SEC002", re: /(?:exec|execSync|spawn|spawnSync)\s*\(\s*`[^`]*\$\{/, sev: "critical", msg: "Command injection: template literal in shell command", fix: "Use execFile() with args array", conf: 95, cwe: "CWE-78" },
+  { n: "exec-concat", id: "SEC002", re: /(?:exec|execSync)\s*\(\s*['"][^'"]*['"]\s*\+/, sev: "critical", msg: "Command injection: concatenation in shell command", fix: "Use execFile() with args array", conf: 93, cwe: "CWE-78" },
+  { n: "innerHTML", id: "SEC003", re: /\.innerHTML\s*=/, sev: "high", msg: "innerHTML assignment — potential XSS", fix: "Use textContent for text. Use DOMPurify.sanitize() for HTML.", conf: 75, cwe: "CWE-79" },
+  { n: "dangerouslySet", id: "SEC003", re: /dangerouslySetInnerHTML/, sev: "high", msg: "dangerouslySetInnerHTML — ensure content is sanitized", fix: "Sanitize with DOMPurify before passing.", conf: 70, cwe: "CWE-79" },
+  { n: "document-write", id: "SEC003", re: /document\.write\s*\(/, sev: "high", msg: "document.write() can overwrite page with unescaped content", fix: "Use DOM manipulation methods instead.", conf: 80, cwe: "CWE-79" },
+  { n: "path-traversal", id: "SEC004", re: /(?:path\.join|path\.resolve)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/, sev: "high", msg: "User input in file path — potential path traversal", fix: "Validate/sanitize file paths. Use path.normalize() and check for '..'.", conf: 82, cwe: "CWE-22" },
+  { n: "eval", id: "SEC005", re: /\beval\s*\(/, sev: "critical", msg: "eval() executes arbitrary code", fix: "Replace with JSON.parse(), Function constructor, or safer alternatives.", conf: 88, cwe: "CWE-95" },
+  { n: "cors-star", id: "SEC006", re: /(?:Access-Control-Allow-Origin|cors)\s*[=:]\s*['"`]\s*\*\s*['"`]/, sev: "high", msg: "CORS wildcard allows any origin", fix: "Restrict to specific trusted origins.", conf: 85, cwe: "CWE-942" },
+  { n: "no-https", id: "SEC007", re: /http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)[\w.-]+\.\w+/, sev: "medium", msg: "Non-HTTPS URL in production code", fix: "Use HTTPS for all external endpoints.", conf: 60 },
+  { n: "disable-ssl", id: "SEC007", re: /rejectUnauthorized\s*:\s*false/, sev: "critical", msg: "TLS verification disabled — MITM attack risk", fix: "Enable TLS verification. Fix certificates instead of disabling.", conf: 95, cwe: "CWE-295" },
+  { n: "debug-true", id: "SEC008", re: /(?:debug|DEBUG)\s*[:=]\s*true\b/, sev: "medium", msg: "Debug mode enabled — may leak sensitive info", fix: "Use env-based debug flag. Disable in production.", conf: 55 },
+  { n: "no-rate-limit", id: "SEC010", re: /\/\/\s*(?:TODO|FIXME).*rate.?limit/i, sev: "high", msg: "Missing rate limiting (noted in TODO)", fix: "Implement rate limiting for public endpoints.", conf: 80, cwe: "CWE-770" },
+];
+
+function scanSecurity(files, opts) {
+  const findings = [];
+  for (const [, file] of files) {
+    if (file.classification.category === "test" && !opts.includeTests) continue;
+    if (file.classification.category === "documentation") continue;
+    const isCrit = file.classification.isCriticalPath;
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i], trimmed = line.trim();
+      if (/^\s*(?:\/\/|\/\*|\*)/.test(trimmed) && !/TODO|FIXME/i.test(trimmed)) continue;
+      for (const p of SEC_PATTERNS) {
+        if (!p.re.test(line)) continue;
+        findings.push({
+          id: `${p.id}-${file.path}-${i+1}`, ruleId: p.id, engine: "security",
+          category: "security", severity: escalateSev(p.sev, isCrit),
+          confidence: p.conf >= 85 ? "certain" : p.conf >= 65 ? "likely" : "possible",
+          confidenceScore: p.conf, file: file.path, line: i+1, code: trimmed,
+          message: p.msg, why: "Security vulnerabilities can be exploited to compromise your application.", fix: p.fix,
+          autoFixable: false, tags: ["security"], cwe: p.cwe, verified: false,
+        });
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// DEDUPLICATION
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function dedup(findings) {
+  const groups = new Map();
+  for (const f of findings) {
+    const key = `${f.file}:${f.line}`;
+    if (!groups.has(key)) groups.set(key, []);
+    groups.get(key).push(f);
+  }
+  const out = [];
+  let suppressed = 0;
+  for (const [, group] of groups) {
+    if (group.length === 1) { out.push(group[0]); continue; }
+    const subs = new Map();
+    for (const f of group) {
+      if (!subs.has(f.category)) subs.set(f.category, []);
+      subs.get(f.category).push(f);
+    }
+    for (const [, sub] of subs) {
+      if (sub.length === 1) { out.push(sub[0]); continue; }
+      sub.sort((a, b) => (b.confidenceScore - a.confidenceScore) || ((SEV_ORDER[b.severity]||0) - (SEV_ORDER[a.severity]||0)));
+      const best = { ...sub[0] };
+      const engines = new Set(sub.map(f => f.engine));
+      if (engines.size >= 2) {
+        best.verified = true;
+        best.confidenceScore = Math.min(99, best.confidenceScore + 5);
+      }
+      out.push(best);
+      suppressed += sub.length - 1;
+    }
+  }
+  out.sort((a, b) => ((SEV_ORDER[b.severity]||0) - (SEV_ORDER[a.severity]||0)) || (b.confidenceScore - a.confidenceScore));
+  return { findings: out, suppressed };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// HEALTH SCORE
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function healthScore(findings) {
+  let score = 100;
+  for (const f of findings) {
+    switch (f.severity) { case "critical": score -= 15; break; case "high": score -= 8; break; case "medium": score -= 3; break; case "low": score -= 1; break; }
+    if (f.category === "hallucinations") score -= 3;
+    if (f.ruleId === "FAKE005") score -= 5;
+  }
+  return Math.max(0, Math.min(100, score));
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// INLINE SCAN (lite mode — 3 engines, no build required)
+// ═══════════════════════════════════════════════════════════════════════════════
+
+async function inlineScan(projectPath, opts) {
+  const startTime = Date.now();
+  const scanId = `scan-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
+
+  const files = loadFiles(projectPath, opts);
+  const engineResults = [];
+  let allFindings = [];
+
+  // Map category to engine filter
+  const catMap = {
+    secrets: ["credentials"], credentials: ["credentials"],
+    security: ["security"], auth: ["fake-features", "security"],
+    "fake-features": ["fake-features"], env: ["fake-features"],
+    routes: ["fake-features"], vulns: [],
+  };
+  const allowedEngines = opts.category && catMap[opts.category] ? catMap[opts.category] : null;
+
+  const engines = [
+    { name: "credentials", fn: () => scanCredentials(files) },
+    { name: "fake-features", fn: () => scanFakeFeatures(files, opts) },
+    { name: "security", fn: () => scanSecurity(files, opts) },
+  ];
+
+  for (const eng of engines) {
+    if (allowedEngines && !allowedEngines.includes(eng.name)) continue;
+    if (opts.engines && !opts.engines.includes(eng.name)) continue;
+    const t = Date.now();
+    try {
+      const f = await eng.fn();
+      engineResults.push({ engine: eng.name, findings: f.length, durationMs: Date.now() - t, success: true });
+      allFindings.push(...f);
+    } catch (e) {
+      engineResults.push({ engine: eng.name, findings: 0, durationMs: Date.now() - t, success: false, error: e.message });
+    }
+  }
+
+  const { findings: deduplicated, suppressed } = dedup(allFindings);
+
+  // Severity filter
+  const minSev = SEV_ORDER[opts.severity] || 1;
+  const filtered = deduplicated.filter(f => (SEV_ORDER[f.severity] || 0) >= minSev);
+
+  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
+  const byCategory = {}, byEngine = {};
+  for (const f of filtered) {
+    bySeverity[f.severity]++;
+    byCategory[f.category] = (byCategory[f.category] || 0) + 1;
+    byEngine[f.engine] = (byEngine[f.engine] || 0) + 1;
+  }
+  const dur = Date.now() - startTime;
+  const timings = {};
+  for (const r of engineResults) timings[r.engine] = r.durationMs;
+
+  return {
+    scanId, timestamp: new Date().toISOString(), findings: filtered,
+    summary: { totalFiles: files.size, filesScanned: files.size, totalFindings: filtered.length, bySeverity, byCategory, byEngine, autoFixable: filtered.filter(f => f.autoFixable).length, suppressedDuplicates: suppressed },
+    healthScore: healthScore(filtered), engineResults,
+    metrics: { durationMs: dur, filesPerSecond: files.size > 0 ? Math.round((files.size / dur) * 1000) : 0, engineTimings: timings },
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// PRETTY REPORT
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function getHealthBar(score) {
+  const filled = Math.round(score / 5), empty = 20 - filled;
+  const bar = "\u2588".repeat(filled) + "\u2591".repeat(empty);
+  return score >= 80 ? `${c.green}${bar}${c.reset}` : score >= 50 ? `${c.yellow}${bar}${c.reset}` : `${c.red}${bar}${c.reset}`;
+}
+
+function printReport(report, mode) {
+  const { summary, findings, healthScore: hs, metrics, engineResults } = report;
+  console.log("");
+  console.log(`${c.magenta}${c.bold}  VIBECHECK SCAN${c.reset} ${c.dim}${mode}${c.reset}`);
+  console.log(`${c.dim}  ${engineResults.length} engines \u00b7 ${summary.totalFiles} files \u00b7 ${metrics.durationMs}ms${c.reset}`);
+  console.log("");
+  const sc = hs >= 80 ? c.green : hs >= 50 ? c.yellow : c.red;
+  console.log(`  ${c.bold}Health Score:${c.reset} ${getHealthBar(hs)} ${sc}${hs}%${c.reset}`);
+  console.log("");
+  console.log(`  ${c.bold}Files scanned:${c.reset} ${summary.filesScanned}`);
+  console.log(`  ${c.bold}Total findings:${c.reset} ${summary.totalFindings}${summary.suppressedDuplicates > 0 ? `${c.dim} (${summary.suppressedDuplicates} dupes suppressed)${c.reset}` : ""}`);
+  console.log(`  ${c.bold}Auto-fixable:${c.reset} ${summary.autoFixable}`);
+  console.log("");
+  if (summary.bySeverity.critical > 0) console.log(`  ${SEV_ICON.critical} ${c.red}${summary.bySeverity.critical} critical${c.reset}`);
+  if (summary.bySeverity.high > 0) console.log(`  ${SEV_ICON.high} ${c.yellow}${summary.bySeverity.high} high${c.reset}`);
+  if (summary.bySeverity.medium > 0) console.log(`  ${SEV_ICON.medium} ${c.cyan}${summary.bySeverity.medium} medium${c.reset}`);
+  if (summary.bySeverity.low > 0) console.log(`  ${SEV_ICON.low} ${c.dim}${summary.bySeverity.low} low${c.reset}`);
+  console.log("");
+  console.log(`${c.dim}  \u2500\u2500\u2500 Engine Performance \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500${c.reset}`);
+  for (const er of engineResults) {
+    const st = er.success ? `${c.green}\u2713${c.reset}` : `${c.red}\u2717${c.reset}`;
+    const fc = er.findings > 0 ? `${c.yellow} ${er.findings} findings${c.reset}` : `${c.dim} 0 findings${c.reset}`;
+    console.log(`  ${st} ${er.engine.padEnd(16)}${String(er.durationMs).padStart(5)}ms${fc}`);
+  }
+  console.log(`  ${c.dim}  Total: ${metrics.durationMs}ms (${metrics.filesPerSecond} files/sec)${c.reset}`);
+  console.log("");
+  if (findings.length > 0) {
+    console.log(`${c.bold}  \u2500\u2500\u2500 Findings \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500${c.reset}`);
+    console.log("");
+    const byFile = new Map();
+    for (const f of findings) { if (!byFile.has(f.file)) byFile.set(f.file, []); byFile.get(f.file).push(f); }
+    for (const [file, ff] of byFile) {
+      console.log(`  ${c.bold}${c.white}${file}${c.reset}`);
+      for (const f of ff) {
+        console.log(`    ${SEV_ICON[f.severity]||"\u25cf"} ${SEV_LABEL[f.severity]||f.severity} ${c.dim}[${f.ruleId}]${c.reset} ${f.message} ${c.dim}:${f.line}${c.reset}`);
+        console.log(`      ${c.dim}\u2192${c.reset} ${f.fix}`);
+        if (f.verified) console.log(`      ${c.green}\u2713 Verified by multiple engines${c.reset}`);
+      }
+      console.log("");
+    }
+  } else {
+    console.log(`${c.green}  \u2713 No issues found. Ship it!${c.reset}`);
+    console.log("");
+  }
+  const verdict = hs >= 80 ? `${c.green}${c.bold}SHIP \u2713${c.reset}` : hs >= 50 ? `${c.yellow}${c.bold}WARN \u26a0${c.reset}` : `${c.red}${c.bold}BLOCK \u2717${c.reset}`;
+  console.log(`  ${c.bold}Verdict:${c.reset} ${verdict}`);
+  if (mode && mode.includes("lite")) {
+    console.log(`\n  ${c.dim}Lite mode (3 engines). Run 'pnpm build' to unlock all 8 engines (160+ patterns).${c.reset}`);
+  }
+  console.log("");
+}
+
+function toSarif(report) {
+  return {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [{ tool: { driver: { name: "VibeCheck Ultimate Scanner", version: "5.0.0", informationUri: "https://vibecheckai.dev",
+      rules: report.findings.map(f => ({ id: f.ruleId, shortDescription: { text: f.message }, help: { text: f.fix } })) } },
+      results: report.findings.map(f => ({ ruleId: f.ruleId, level: (f.severity === "critical" || f.severity === "high") ? "error" : "warning",
+        message: { text: f.message }, locations: [{ physicalLocation: { artifactLocation: { uri: f.file }, region: { startLine: f.line } } }] })) }],
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// MAIN RUNNER
+// ═══════════════════════════════════════════════════════════════════════════════
+
+async function runScan(args, context = {}) {
+  const opts = parseArgs(args);
+  if (opts.help) { printHelp(); return 0; }
+  const projectPath = path.resolve(opts.path);
+
+  // Try compiled 8-engine scanner first
+  const scanner = getScanner();
+  let report;
+  let mode;
+
+  if (scanner) {
+    mode = "8 engines \u00b7 160+ patterns";
+    if (!opts.quiet && !opts.json && !opts.sarif) console.log(`${c.dim}  Scanning ${projectPath}...${c.reset}`);
+    const scanOpts = {
+      projectRoot: projectPath, severityThreshold: opts.severity,
+      engines: opts.engines || undefined, includeTests: opts.includeTests,
+      parallel: opts.parallel,
+      onProgress: (opts.quiet || opts.json || opts.sarif) ? undefined : (p) => {
+        if (p.phase === "loading") process.stdout.write(`${c.dim}\r  Loading files...${c.reset}`);
+        if (p.phase === "scanning") process.stdout.write(`${c.dim}\r  Running engines...${c.reset}`);
+        if (p.phase === "complete") process.stdout.write("\r" + " ".repeat(40) + "\r");
+      },
+    };
+    report = await scanner.scan(scanOpts);
+  } else {
+    mode = "3 engines \u00b7 52 patterns (lite)";
+    if (!opts.quiet && !opts.json && !opts.sarif) console.log(`${c.dim}  Scanning ${projectPath}...${c.reset}`);
+    report = await inlineScan(projectPath, opts);
+  }
+
+  // Output
+  if (opts.format === "json" || opts.json) {
+    console.log(JSON.stringify(report, null, 2));
+  } else if (opts.format === "sarif" || opts.sarif) {
+    console.log(JSON.stringify(toSarif(report), null, 2));
+  } else {
+    printReport(report, mode);
+  }
+
+  // Save to output dir
+  if (opts.output) {
+    const outDir = path.resolve(opts.output);
+    if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });
+    fs.writeFileSync(path.join(outDir, "scan-report.json"), JSON.stringify(report, null, 2));
+    if (!opts.quiet) console.log(`${c.dim}  Report saved to ${outDir}/scan-report.json${c.reset}`);
+  }
+
+  // Exit code
+  if (opts.failOn) {
+    const threshold = SEV_ORDER[opts.failOn] || 0;
+    for (const f of report.findings) { if ((SEV_ORDER[f.severity] || 0) >= threshold) return EXIT.FINDINGS || 1; }
+  }
+  if (report.summary.bySeverity.critical > 0) return 2;
+  if (report.summary.bySeverity.high > 0) return 1;
+  return 0;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+module.exports = {
+  runScan: withErrorHandling(runScan, "Scan failed"),
+};