Metadata-Version: 2.4
Name: vibecheck-security
Version: 0.1.0
Summary: Security auditor for AI-generated (vibecoded) apps — auth, sessions, tokens, secrets
Author: Scot Gardner
License: MIT
Project-URL: Homepage, https://github.com/gardnerscot/vibecheck
Project-URL: Repository, https://github.com/gardnerscot/vibecheck
Project-URL: Issues, https://github.com/gardnerscot/vibecheck/issues
Keywords: security,static-analysis,auth,vibecoding,scanner
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: rich>=13.7.0
Requires-Dist: typer>=0.12.0
Requires-Dist: fastapi>=0.110.0
Requires-Dist: uvicorn[standard]>=0.27.0
Requires-Dist: python-multipart>=0.0.9
Requires-Dist: jinja2>=3.1.0
Requires-Dist: httpx>=0.27.0
Requires-Dist: pyyaml>=6.0
Provides-Extra: dev
Requires-Dist: pytest>=8.0; extra == "dev"
Requires-Dist: ruff>=0.3.0; extra == "dev"
Requires-Dist: build>=1.0; extra == "dev"
Requires-Dist: twine>=5.0; extra == "dev"
Dynamic: license-file

# 🛡️ VibeCheck Security Auditor

**Auth-focused security scanner for AI-generated ("vibecoded") apps.**

Every "I built an app with Claude in 20 minutes" post is a future customer who shipped a gaping security hole. VibeCheck is the fire extinguisher.

```bash
vibecheck scan ./my-app
```

![score](https://img.shields.io/badge/focus-auth%20%7C%20sessions%20%7C%20tokens%20%7C%20secrets-a78bfa)
![python](https://img.shields.io/badge/python-3.10%2B-blue)

## Why this exists

LLMs generate sketchy auth by default:

| Vibecode classic | What breaks |
|------------------|-------------|
| `SECRET_KEY = "secret"` | Session/JWT forgery |
| `jwt.decode(..., verify=False)` | Identity spoofing |
| `password == user.password` | Credential dump on breach |
| `localStorage.setItem("token", …)` | XSS → full account takeover |
| `Access-Control-Allow-Origin: *` | Cross-site API abuse |
| `SKIP_2FA = True` | MFA theater |
| Hardcoded `sk-…` / `sk_live_…` | Instant key theft from GitHub |

Non-technical founders don't know what they don't know. Point at the exposed keys, take the check.

## Quick start

### Install (packaged)

```bash
# From a built wheel / sdist (local)
pip install dist/vibecheck_security-*.whl

# From git (tagged beta)
pip install "git+https://github.com/gardnerscot/vibecheck.git@v0.1.0"

# From GitHub release wheel
# pip install https://github.com/gardnerscot/vibecheck/releases/download/v0.1.0/vibecheck_security-0.1.0-py3-none-any.whl

# From PyPI (when published)
# pip install vibecheck-security
```

### Develop from source

```bash
cd vibecheck
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

# Scan the intentional dumpster fire
vibecheck scan fixtures/vulnerable_app

# JSON + Markdown reports
vibecheck scan fixtures/vulnerable_app -j reports/out.json -m reports/out.md

# CI gate: fail if score < 70 or any critical/high
vibecheck scan ./src --fail-under 70 --fail-on high

# List rules
vibecheck rules

# Web UI
vibecheck serve
# → http://127.0.0.1:8742
```

### Optional local LLM enrichment (M-series friendly)

```bash
# Ollama running with a code model
ollama pull qwen2.5-coder:7b

vibecheck scan ./my-app --llm --llm-model qwen2.5-coder:7b
```

Static rules always run. LLM review is additive on auth-related files only.

## What it scans

**Rule packs** (30+ heuristics):

- **secrets** — API keys, AWS, Stripe, PEM keys, weak `SECRET_KEY`
- **authentication** — plaintext passwords, MD5, auth bypass, SQLi in login, default admin
- **session** — cookie flags, localStorage tokens, fixation hints
- **tokens** — JWT verify off, alg none, predictable reset tokens, tokens in URLs
- **mfa_2fa** — hardcoded TOTP, static OTP, bypass flags
- **cors_csrf** — `*`, origin reflection, CSRF disabled
- **cryptography** — TLS verify off, HTTP auth URLs, weak RNG, debug mode

Each finding includes severity, CWE (when mapped), confidence, and a concrete fix.

## Score

Starts at **100**. Weighted deductions by severity × confidence:

| Severity | Weight |
|----------|--------|
| critical | 25 |
| high | 15 |
| medium | 8 |
| low | 3 |

Grade bands: A ≥90 · B ≥80 · C ≥70 · D ≥55 · F &lt;55.

## Project layout

```
vibecheck/
  vibecheck/          # core library + CLI
    rules/            # heuristic packs
    scanner.py
    llm.py            # optional Ollama
    report.py
  web/                # FastAPI UI
  fixtures/           # vulnerable + clean demos
  tests/
```

## Monetization (product sketch)

| Tier | Price | What |
|------|-------|------|
| CLI free | $0 | Local static scan |
| Single scan | $9.99 | Upload + hosted report |
| Pro | subscription | Monitoring, PR checks, history |

MVP ships freemium-ready: local CLI free forever; web upload is the paid surface later (Stripe not wired yet).

## Packaging & release

| Channel | Who it's for | Command |
|---------|--------------|---------|
| **Editable (dev)** | You, day to day | `pip install -e ".[dev]"` |
| **Wheel / sdist** | Friends, CI, TestPyPI | `make build` → `dist/` |
| **PyPI** | Public `pip install` | `make publish-test` then `make publish` |
| **Docker** | Hosted UI / demos | `make docker && make docker-run` |
| **Git** | Early adopters | `pip install git+https://…` |

```bash
# Build installable artifacts
make build
# → dist/vibecheck_security-0.1.0-py3-none-any.whl
# → dist/vibecheck_security-0.1.0.tar.gz

# Smoke-test the wheel in a clean venv
python3 -m venv /tmp/vc-test && source /tmp/vc-test/bin/activate
pip install dist/vibecheck_security-*.whl
vibecheck scan /path/to/app
vibecheck serve

# Publish (needs PyPI token in ~/.pypirc or TWINE_USERNAME/PASSWORD)
make publish-test   # TestPyPI first
make publish        # real PyPI
```

**Naming:** PyPI distribution is `vibecheck-security`; the import and CLI stay `vibecheck` / `vibecheck`.

**What's in the wheel:** library + CLI + web templates/static. Fixtures stay in the repo only (demo data, not shipped).

### Docker

```bash
docker build -t vibecheck .
docker run --rm -p 8742:8742 vibecheck
# Scan a mounted project:
docker run --rm -v "$PWD:/scan:ro" vibecheck scan /scan
```

### Later (non-Python founders)

- **Standalone binary:** `pyinstaller` / `uv tool` once CLI is stable  
- **Homebrew:** formula wrapping the wheel  
- **GitHub Action:** `vibecheck scan . --fail-on high` in CI  

## Development

```bash
pip install -e ".[dev]"
pytest -q
make scan    # self-scan + fixture dumpster fire
make build
```

## Disclaimer

VibeCheck is a **static heuristic scanner**, not a pentest or compliance certification. Findings are leads. Always verify before you panic — or before you invoice.

## License

MIT
