@bddiudiu/vibeguard 0.1.0

package/.github/workflows/publish.yml

@@ -0,0 +1,40 @@
+name: Publish to npm
+
+on:
+  release:
+    types: [published]
+    
+permissions:
+  id-token: write
+  contents: read
+  
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+      - run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version
+      - run: npm run build
+      - run: npm test
+
+  publish:
+    needs: build-and-test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org
+          cache: npm
+      - run: npm ci
+      - run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version
+      - run: npm run build
+      - run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.vibeguard.yaml

@@ -0,0 +1,49 @@
+# VibeGuard 默认规则配置
+# 在项目根目录放置 .vibeguard.yaml 可覆盖此默认配置
+
+# AI 模型配置
+model:
+  # 提供商: openai | ollama
+  provider: ollama
+  # OpenAI 及兼容 API 配置 (当 provider=openai 时生效)
+  # 支持任何兼容 OpenAI 协议的第三方服务，只需设置 baseUrl
+  openai:
+    model: gpt-4o-mini
+    # 通过环境变量 OPENAI_API_KEY 设置 API Key (也可直接在此处填写)
+    # apiKey: sk-xxx
+    # 不设置 baseUrl 时默认使用 OpenAI 官方 API
+    # 第三方兼容服务示例:
+    # baseUrl: https://api.deepseek.com       # DeepSeek
+    # baseUrl: https://api.moonshot.cn/v1     # Moonshot / Kimi
+    # baseUrl: https://api.openai-proxy.com   # 任意 OpenAI 兼容代理
+  # Ollama 配置 (当 provider=ollama 时生效)
+  ollama:
+    model: llama3
+    baseUrl: http://localhost:11434
+
+# 扫描配置
+scan:
+  # 最大 diff 字符数，超出部分将被切片处理
+  maxDiffChars: 12000
+  # 是否启用语义幻觉检测
+  hallucinationDetection: true
+  # 是否启用安全扫描
+  securityScan: true
+  # 超时时间 (秒)
+  timeout: 30
+
+# 架构禁令规则 (示例)
+rules:
+  # 禁止使用的库
+  bannedImports:
+    - lodash.get
+    - request
+  # 禁止的模式
+  bannedPatterns:
+    - "eval("
+    - "new Function("
+  # 允许跳过的文件路径 (glob 模式)
+  ignorePaths:
+    - "dist/**"
+    - "node_modules/**"
+    - "*.min.js"

package/README.md

@@ -0,0 +1,203 @@
+# VibeGuard
+
+**AI 代码生成的"语义安检门"**
+
+> 你是否曾因为信任 AI 而直接合入了带有虚构 API 的代码？
+> 你是否曾在 commit 里意外夹带了测试用的 Secret？
+> **VibeGuard 在你按下 commit 键的一瞬，自动为你守住代码底线。**
+
+## 核心特性
+
+- **拦截幻觉** — 自动识别 AI 编造的函数、虚假 API 和逻辑矛盾
+- **泄漏防护** — 语义识别硬编码的 API Key、Token 和敏感信息
+- **零配置启动** — `npm install -g vibeguard && vibeguard init`
+- **100% 本地隐私** — 完美适配 Ollama，让代码审计不出本地
+
+## 工作原理
+
+```
+git commit → VibeGuard 提取 diff → AI 语义扫描 → 发现风险 → 拦截提交
+```
+
+VibeGuard 不查语法（那是 ESLint 的事），它只查"语义对不对"。它通过 Git Hook 介入你的开发流程，在 `git commit` 时自动扫描暂存区变更，利用 LLM（云端或本地 Ollama）进行语义分析，发现高危幻觉或安全风险时强制拦截 commit。
+
+## 快速开始
+
+### 安装
+
+```bash
+npm install -g vibeguard
+```
+
+### 初始化项目
+
+```bash
+cd your-project
+vibeguard init
+```
+
+这会在你的项目中安装 pre-commit hook，之后每次 `git commit` 都会自动扫描。
+
+### 手动扫描
+
+```bash
+vibeguard scan
+```
+
+### 跳过扫描
+
+```bash
+git commit --no-verify -m "skip vibeguard"
+```
+
+## 配置
+
+在项目根目录创建 `.vibeguard.yaml`：
+
+```yaml
+model:
+  # 选择 AI 提供商: openai | ollama
+  provider: ollama
+
+  ollama:
+    model: llama3
+    baseUrl: http://localhost:11434
+
+  openai:
+    model: gpt-4o-mini
+  # API Key 通过环境变量 OPENAI_API_KEY 设置
+
+scan:
+  maxDiffChars: 12000   # 最大扫描字符数
+  hallucinationDetection: true
+  securityScan: true
+  timeout: 30           # 超时时间(秒)
+
+rules:
+  bannedImports:
+    - lodash.get
+    - request
+  bannedPatterns:
+    - "eval("
+    - "new Function("
+  ignorePaths:
+    - "dist/**"
+    - "*.min.js"
+```
+
+### 使用本地模型 (推荐)
+
+1. 安装 [Ollama](https://ollama.ai)
+2. 拉取模型: `ollama pull llama3`
+3. 在 `.vibeguard.yaml` 中设置 `provider: ollama`
+
+## 检测能力
+
+### 幻觉检测
+
+- 虚假 API 调用（如 `requests.get_with_auto_retry()`）
+- 虚构的库引用（不存在的 npm 包或模块）
+- 逻辑矛盾与类型不匹配
+- 未实现的占位代码
+- 架构禁令违规
+
+### 安全扫描
+
+- 硬编码密钥（API Key、Token、密码）
+- 注入风险（SQL 注入、命令注入、XSS）
+- 不安全的加密算法（MD5、SHA1）
+- 危险函数调用（eval、new Function）
+- 敏感信息泄露
+
+## CLI 命令
+
+| 命令 | 说明 |
+|------|------|
+| `vibeguard scan` | 扫描暂存区变更 |
+| `vibeguard init` | 安装 pre-commit hook |
+| `vibeguard uninstall` | 卸载 pre-commit hook |
+| `vibeguard config` | 显示当前生效配置 |
+| `vibeguard --help` | 查看帮助 |
+
+## 工程架构
+
+```
+vibeguard/
+├── src/
+│   ├── cli.ts            # CLI 入口
+│   ├── core/
+│   │   ├── audit.ts      # 扫描调度器
+│   │   ├── analyzer.ts   # AI 分析与结果解析
+│   │   ├── config.ts     # 配置加载
+│   │   └── git.ts        # Git diff 提取与 Hook 管理
+│   ├── connectors/
+│   │   ├── openai.ts     # OpenAI 适配器
+│   │   └── ollama.ts     # Ollama 适配器
+│   └── rules/
+│       ├── index.ts      # Prompt 构建器
+│       ├── hallucination.ts  # 幻觉检测 Prompt
+│       └── security.ts       # 安全扫描 Prompt
+├── tests/
+├── .vibeguard.yaml       # 默认规则配置
+├── package.json
+└── README.md
+```
+
+## 风险与规避
+
+| 风险 | 规避方案 |
+|------|----------|
+| 语义分析误伤正常代码 | 支持 `--no-verify` 跳过，本地白名单配置 |
+| LLM 调用延迟 | 只扫描 diff 变更行及上下文，非全文件扫描 |
+| 云端 API 成本 | 默认适配 Ollama 本地模型，零成本审计 |
+
+## 开发
+
+```bash
+# 克隆项目
+git clone https://github.com/your-org/vibeguard.git
+cd vibeguard
+
+# 安装依赖
+npm install
+
+# 开发模式 (监听编译)
+npm run dev
+
+# 运行测试
+npm test
+
+# 构建
+npm run build
+```
+
+## 发布
+
+发布通过 GitHub Actions 自动完成，只需两步：
+
+1. 在 GitHub 仓库 Settings → Secrets 中添加 `NPM_TOKEN`（npm Access Token）
+2. 在 GitHub 创建 Release，填写 tag（如 `v0.1.0`）并发布
+
+Actions 会自动完成：构建 → 测试 → 发布到 npm。
+
+```bash
+# 也可以通过 git tag 触发
+git tag v0.1.0
+git push origin v0.1.0
+# 然后在 GitHub 上基于该 tag 创建 Release
+```
+
+## 路线图
+
+- [x] CLI 核心与 Git diff 提取
+- [x] OpenAI API 集成（含第三方兼容 API）
+- [x] Ollama 本地模型支持
+- [x] pre-commit hook 自动安装
+- [x] 终端风险等级可视化
+- [x] 大型 Diff 切片处理
+- [x] NPM 发布（GitHub Actions 自动化）
+- [ ] IDE 插件 (VS Code / Cursor)
+
+## License
+
+MIT

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import chalk from "chalk";
+import { runScan } from "./core/audit.js";
+import { installHook, uninstallHook } from "./core/git.js";
+import { loadConfig } from "./core/config.js";
+const program = new Command();
+program
+    .name("vibeguard")
+    .description("AI 代码生成的语义安检门 — 在 git commit 前拦截幻觉与安全隐患")
+    .version("0.1.0");
+program
+    .command("scan")
+    .description("扫描当前暂存区的变更")
+    .option("--no-verify", "强制扫描，不阻止 commit")
+    .action(async (opts) => {
+    const config = await loadConfig();
+    const result = await runScan(config);
+    if (!result.passed && opts.verify !== false) {
+        console.log(chalk.red.bold("\n🛡️  VibeGuard 拦截了本次提交，请修复上述问题后重试。"));
+        process.exit(1);
+    }
+});
+program
+    .command("init")
+    .description("在当前项目安装 git pre-commit hook")
+    .action(async () => {
+    await installHook();
+    console.log(chalk.green("✅ pre-commit hook 已安装。"));
+    console.log(chalk.dim("   提交时 VibeGuard 将自动扫描变更。使用 --no-verify 可跳过。"));
+});
+program
+    .command("uninstall")
+    .description("卸载 git pre-commit hook")
+    .action(async () => {
+    await uninstallHook();
+    console.log(chalk.yellow("⚠️  pre-commit hook 已卸载。"));
+});
+program
+    .command("config")
+    .description("显示当前生效的配置")
+    .action(async () => {
+    const config = await loadConfig();
+    console.log(JSON.stringify(config, null, 2));
+});
+program.parse();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,yCAAyC,CAAC;KACtD,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,YAAY,CAAC;KACzB,MAAM,CAAC,aAAa,EAAE,iBAAiB,CAAC;KACxC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAErC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QAC5C,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,IAAI,CACZ,sCAAsC,CACvC,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,6BAA6B,CAAC;KAC1C,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,WAAW,EAAE,CAAC;IACpB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAC1D,CAAC;AACJ,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,aAAa,EAAE,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC,CAAC;AACxD,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,WAAW,CAAC;KACxB,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC/C,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/connectors/ollama.d.ts

@@ -0,0 +1,7 @@
+interface OllamaConfig {
+    model: string;
+    baseUrl: string;
+}
+export declare function callOllama(prompt: string, config: OllamaConfig): Promise<string>;
+export {};
+//# sourceMappingURL=ollama.d.ts.map

package/dist/connectors/ollama.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ollama.d.ts","sourceRoot":"","sources":["../../src/connectors/ollama.ts"],"names":[],"mappings":"AAAA,UAAU,YAAY;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,YAAY,GACnB,OAAO,CAAC,MAAM,CAAC,CA6BjB"}

package/dist/connectors/ollama.js

@@ -0,0 +1,26 @@
+export async function callOllama(prompt, config) {
+    const response = await fetch(`${config.baseUrl}/api/chat`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            model: config.model,
+            messages: [
+                {
+                    role: "system",
+                    content: "你是代码审计专家。请严格以 JSON 数组格式返回检测结果，不要包含任何其他文本。如果没有发现问题，返回空数组 []。",
+                },
+                { role: "user", content: prompt },
+            ],
+            stream: false,
+            options: {
+                temperature: 0.1,
+            },
+        }),
+    });
+    if (!response.ok) {
+        throw new Error(`Ollama API error: ${response.status} ${response.statusText}`);
+    }
+    const data = (await response.json());
+    return data.message?.content ?? "[]";
+}
+//# sourceMappingURL=ollama.js.map

package/dist/connectors/ollama.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ollama.js","sourceRoot":"","sources":["../../src/connectors/ollama.ts"],"names":[],"mappings":"AAKA,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAc,EACd,MAAoB;IAEpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,CAAC,OAAO,WAAW,EAAE;QACzD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,QAAQ;oBACd,OAAO,EACL,6DAA6D;iBAChE;gBACD,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE;aAClC;YACD,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,WAAW,EAAE,GAAG;aACjB;SACF,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,qBAAqB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAC9D,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAuC,CAAC;IAC3E,OAAO,IAAI,CAAC,OAAO,EAAE,OAAO,IAAI,IAAI,CAAC;AACvC,CAAC"}

package/dist/connectors/openai.d.ts

@@ -0,0 +1,8 @@
+interface OpenAIConfig {
+    model: string;
+    apiKey?: string;
+    baseUrl?: string;
+}
+export declare function callOpenAI(prompt: string, config: OpenAIConfig): Promise<string>;
+export {};
+//# sourceMappingURL=openai.d.ts.map

package/dist/connectors/openai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../src/connectors/openai.ts"],"names":[],"mappings":"AAEA,UAAU,YAAY;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,YAAY,GACnB,OAAO,CAAC,MAAM,CAAC,CAoBjB"}

package/dist/connectors/openai.js

@@ -0,0 +1,20 @@
+import OpenAI from "openai";
+export async function callOpenAI(prompt, config) {
+    const client = new OpenAI({
+        apiKey: config.apiKey || process.env.OPENAI_API_KEY,
+        baseURL: config.baseUrl,
+    });
+    const response = await client.chat.completions.create({
+        model: config.model,
+        temperature: 0.1,
+        messages: [
+            {
+                role: "system",
+                content: "你是代码审计专家。请严格以 JSON 数组格式返回检测结果，不要包含任何其他文本。如果没有发现问题，返回空数组 []。",
+            },
+            { role: "user", content: prompt },
+        ],
+    });
+    return response.choices[0]?.message?.content ?? "[]";
+}
+//# sourceMappingURL=openai.js.map

package/dist/connectors/openai.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai.js","sourceRoot":"","sources":["../../src/connectors/openai.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAQ5B,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAc,EACd,MAAoB;IAEpB,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC;QACxB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QACnD,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC;QACpD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,WAAW,EAAE,GAAG;QAChB,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,QAAQ;gBACd,OAAO,EACL,6DAA6D;aAChE;YACD,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE;SAClC;KACF,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,IAAI,CAAC;AACvD,CAAC"}

package/dist/core/analyzer.d.ts

@@ -0,0 +1,12 @@
+import { DiffEntry } from "./git.js";
+import { VibeguardConfig } from "./config.js";
+export interface AuditResult {
+    file: string;
+    line?: number;
+    severity: "high" | "medium" | "low";
+    category: string;
+    message: string;
+    suggestion?: string;
+}
+export declare function analyzeWithAI(entry: DiffEntry, config: VibeguardConfig): Promise<AuditResult[]>;
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/core/analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../src/core/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAK9C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAUD,wBAAsB,aAAa,CACjC,KAAK,EAAE,SAAS,EAChB,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,WAAW,EAAE,CAAC,CAYxB"}

package/dist/core/analyzer.js

@@ -0,0 +1,38 @@
+import { callOpenAI } from "../connectors/openai.js";
+import { callOllama } from "../connectors/ollama.js";
+import { buildAuditPrompt } from "../rules/index.js";
+export async function analyzeWithAI(entry, config) {
+    const prompt = buildAuditPrompt(entry.diff, config);
+    const timeout = config.scan.timeout * 1000;
+    const raw = await Promise.race([
+        callAI(prompt, config),
+        new Promise((_, reject) => setTimeout(() => reject(new Error("AI scan timeout")), timeout)),
+    ]);
+    return parseResults(entry.filePath, raw);
+}
+async function callAI(prompt, config) {
+    if (config.model.provider === "ollama") {
+        return callOllama(prompt, config.model.ollama);
+    }
+    return callOpenAI(prompt, config.model.openai);
+}
+function parseResults(filePath, raw) {
+    const jsonMatch = raw.match(/\[[\s\S]*\]/);
+    if (!jsonMatch)
+        return [];
+    try {
+        const items = JSON.parse(jsonMatch[0]);
+        return items.map((item) => ({
+            file: filePath,
+            line: item.line,
+            severity: item.severity,
+            category: item.category,
+            message: item.message,
+            suggestion: item.suggestion,
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+//# sourceMappingURL=analyzer.js.map

package/dist/core/analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../src/core/analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAmBrD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAgB,EAChB,MAAuB;IAEvB,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;IAE3C,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;QAC7B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;QACtB,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,EAAE,OAAO,CAAC,CAChE;KACF,CAAC,CAAC;IAEH,OAAO,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,MAAM,CACnB,MAAc,EACd,MAAuB;IAEvB,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACvC,OAAO,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB,EAAE,GAAW;IACjD,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAC3C,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAE1B,IAAI,CAAC;QACH,MAAM,KAAK,GAAmB,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAC1B,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/core/audit.d.ts

@@ -0,0 +1,9 @@
+import { VibeguardConfig } from "./config.js";
+import { AuditResult } from "./analyzer.js";
+export interface ScanResult {
+    passed: boolean;
+    issues: AuditResult[];
+    scannedFiles: number;
+}
+export declare function runScan(config: VibeguardConfig): Promise<ScanResult>;
+//# sourceMappingURL=audit.d.ts.map

package/dist/core/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/core/audit.ts"],"names":[],"mappings":"AAEA,OAAO,EAAc,eAAe,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAiB,WAAW,EAAE,MAAM,eAAe,CAAC;AAE3D,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,wBAAsB,OAAO,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC,CA2B1E"}

package/dist/core/audit.js

@@ -0,0 +1,52 @@
+import chalk from "chalk";
+import { getCachedDiff } from "./git.js";
+import { analyzeWithAI } from "./analyzer.js";
+export async function runScan(config) {
+    const entries = getCachedDiff(config.rules.ignorePaths);
+    if (entries.length === 0) {
+        console.log(chalk.dim("🛡️  VibeGuard: 暂存区无代码变更，跳过扫描。"));
+        return { passed: true, issues: [], scannedFiles: 0 };
+    }
+    console.log(chalk.cyan(`🛡️  VibeGuard: 发现 ${entries.length} 个变更文件，开始扫描...\n`));
+    const allIssues = [];
+    for (const entry of entries) {
+        const truncated = truncateDiff(entry, config.scan.maxDiffChars);
+        const issues = await analyzeWithAI(truncated, config);
+        allIssues.push(...issues);
+    }
+    printReport(allIssues);
+    return {
+        passed: allIssues.filter((i) => i.severity === "high").length === 0,
+        issues: allIssues,
+        scannedFiles: entries.length,
+    };
+}
+function truncateDiff(entry, maxChars) {
+    if (entry.diff.length <= maxChars)
+        return entry;
+    return {
+        filePath: entry.filePath,
+        diff: entry.diff.slice(0, maxChars) + "\n... (diff truncated)",
+    };
+}
+function printReport(issues) {
+    if (issues.length === 0) {
+        console.log(chalk.green.bold("✅ VibeGuard: 未检测到风险，可以安全提交。"));
+        return;
+    }
+    console.log(chalk.yellow.bold(`\n⚠️  检测到 ${issues.length} 个问题:\n`));
+    for (const issue of issues) {
+        const icon = issue.severity === "high"
+            ? chalk.red.bold("🚨 HIGH")
+            : issue.severity === "medium"
+                ? chalk.yellow("⚠️  MED ")
+                : chalk.blue("ℹ️  LOW ");
+        console.log(`${icon}  ${chalk.bold(issue.file)}:${issue.line ?? "?"}`);
+        console.log(`    ${issue.message}`);
+        if (issue.suggestion) {
+            console.log(chalk.dim(`    💡 建议: ${issue.suggestion}`));
+        }
+        console.log();
+    }
+}
+//# sourceMappingURL=audit.js.map

package/dist/core/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/core/audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,aAAa,EAAa,MAAM,UAAU,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAe,MAAM,eAAe,CAAC;AAQ3D,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,MAAuB;IACnD,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAExD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC,CAAC;QACzD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;IACvD,CAAC;IAED,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,MAAM,kBAAkB,CAAC,CACnE,CAAC;IAEF,MAAM,SAAS,GAAkB,EAAE,CAAC;IAEpC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAChE,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACtD,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;IAC5B,CAAC;IAED,WAAW,CAAC,SAAS,CAAC,CAAC;IAEvB,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC;QACnE,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,OAAO,CAAC,MAAM;KAC7B,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,KAAgB,EAAE,QAAgB;IACtD,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,QAAQ;QAAE,OAAO,KAAK,CAAC;IAChD,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,wBAAwB;KAC/D,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAqB;IACxC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC;QAC7D,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,MAAM,SAAS,CAAC,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GACR,KAAK,CAAC,QAAQ,KAAK,MAAM;YACvB,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YAC3B,CAAC,CAAC,KAAK,CAAC,QAAQ,KAAK,QAAQ;gBAC3B,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC;gBAC1B,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE/B,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC;AACH,CAAC"}

package/dist/core/config.d.ts

@@ -0,0 +1,27 @@
+export interface VibeguardConfig {
+    model: {
+        provider: "openai" | "ollama";
+        openai: {
+            model: string;
+            apiKey?: string;
+            baseUrl?: string;
+        };
+        ollama: {
+            model: string;
+            baseUrl: string;
+        };
+    };
+    scan: {
+        maxDiffChars: number;
+        hallucinationDetection: boolean;
+        securityScan: boolean;
+        timeout: number;
+    };
+    rules: {
+        bannedImports: string[];
+        bannedPatterns: string[];
+        ignorePaths: string[];
+    };
+}
+export declare function loadConfig(): Promise<VibeguardConfig>;
+//# sourceMappingURL=config.d.ts.map

package/dist/core/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE;QACL,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CAAC;QAC9B,MAAM,EAAE;YACN,KAAK,EAAE,MAAM,CAAC;YACd,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,MAAM,EAAE;YACN,KAAK,EAAE,MAAM,CAAC;YACd,OAAO,EAAE,MAAM,CAAC;SACjB,CAAC;KACH,CAAC;IACF,IAAI,EAAE;QACJ,YAAY,EAAE,MAAM,CAAC;QACrB,sBAAsB,EAAE,OAAO,CAAC;QAChC,YAAY,EAAE,OAAO,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,KAAK,EAAE;QACL,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,CAAC;CACH;AA2BD,wBAAsB,UAAU,IAAI,OAAO,CAAC,eAAe,CAAC,CAoB3D"}

package/dist/core/config.js

@@ -0,0 +1,46 @@
+import { readFileSync, existsSync } from "fs";
+import { join } from "path";
+import yaml from "js-yaml";
+const DEFAULT_CONFIG = {
+    model: {
+        provider: "ollama",
+        openai: {
+            model: "gpt-4o-mini",
+            // 默认使用 OpenAI 官方 API，不设置 baseUrl
+        },
+        ollama: {
+            model: "llama3",
+            baseUrl: "http://localhost:11434",
+        },
+    },
+    scan: {
+        maxDiffChars: 12000,
+        hallucinationDetection: true,
+        securityScan: true,
+        timeout: 30,
+    },
+    rules: {
+        bannedImports: [],
+        bannedPatterns: [],
+        ignorePaths: ["dist/**", "node_modules/**"],
+    },
+};
+export async function loadConfig() {
+    const configPath = join(process.cwd(), ".vibeguard.yaml");
+    if (!existsSync(configPath)) {
+        return DEFAULT_CONFIG;
+    }
+    const raw = readFileSync(configPath, "utf-8");
+    const userConfig = yaml.load(raw);
+    return {
+        model: {
+            ...DEFAULT_CONFIG.model,
+            ...userConfig?.model,
+            openai: { ...DEFAULT_CONFIG.model.openai, ...userConfig?.model?.openai },
+            ollama: { ...DEFAULT_CONFIG.model.ollama, ...userConfig?.model?.ollama },
+        },
+        scan: { ...DEFAULT_CONFIG.scan, ...userConfig?.scan },
+        rules: { ...DEFAULT_CONFIG.rules, ...userConfig?.rules },
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/core/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,IAAI,MAAM,SAAS,CAAC;AA4B3B,MAAM,cAAc,GAAoB;IACtC,KAAK,EAAE;QACL,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE;YACN,KAAK,EAAE,aAAa;YACpB,iCAAiC;SAClC;QACD,MAAM,EAAE;YACN,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,wBAAwB;SAClC;KACF;IACD,IAAI,EAAE;QACJ,YAAY,EAAE,KAAK;QACnB,sBAAsB,EAAE,IAAI;QAC5B,YAAY,EAAE,IAAI;QAClB,OAAO,EAAE,EAAE;KACZ;IACD,KAAK,EAAE;QACL,aAAa,EAAE,EAAE;QACjB,cAAc,EAAE,EAAE;QAClB,WAAW,EAAE,CAAC,SAAS,EAAE,iBAAiB,CAAC;KAC5C;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAE1D,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAA6B,CAAC;IAE9D,OAAO;QACL,KAAK,EAAE;YACL,GAAG,cAAc,CAAC,KAAK;YACvB,GAAG,UAAU,EAAE,KAAK;YACpB,MAAM,EAAE,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE;YACxE,MAAM,EAAE,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE;SACzE;QACD,IAAI,EAAE,EAAE,GAAG,cAAc,CAAC,IAAI,EAAE,GAAG,UAAU,EAAE,IAAI,EAAE;QACrD,KAAK,EAAE,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE;KACzD,CAAC;AACJ,CAAC"}