npm - @quantracode/vibecheck - Versions diffs - 0.3.2 → 0.4.0 - Mend

@quantracode/vibecheck 0.3.2 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,17 +1,34 @@
 # @quantracode/vibecheck
-A deterministic, local-only security scanner for modern web applications. Designed to catch common security issues in Next.js, Express, and other Node.js projects with high precision and low false positives.
+The first AI Enforcement Security tool. Proves whether AI-written code actually enforces the security it claims — not just implied, commented, or assumed.
-## Quickstart (No Install)
+## What is AI Enforcement Security?
-Run VibeCheck instantly without installation:
+Traditional security tools scan for vulnerabilities. VibeCheck verifies enforcement reality. That's a fundamentally different job.
+AI-generated code often hallucinates security guarantees. It writes comments claiming protection exists, imports security libraries but doesn't use them, or creates middleware that never gets wired up. VibeCheck detects these patterns and proves what's actually enforced.
+**Key Principles:**
+- **Deterministic** — No LLM calls, results are reproducible
+- **Local-only** — All analysis runs on your machine, code never uploaded
+- **Low false positives** — Precision over recall
+- **Framework-aware** — Built for Next.js, Express patterns
+- **Enforcement-focused** — Proves what's enforced, not just scanned
+## Quick Start
 ```bash
-# Using npx
+# Install globally
+npm install -g @quantracode/vibecheck
+# Or use without installing
 npx @quantracode/vibecheck scan --fail-on off --out vibecheck-scan.json
-# Using pnpm dlx
-pnpm dlx @quantracode/vibecheck scan --fail-on off --out vibecheck-scan.json
+# With auto-fix enabled
+npx @quantracode/vibecheck scan --apply-fixes
+# With custom security rules
+npx @quantracode/vibecheck scan --rules ./my-custom-rules
 ```
 ### Scan Another Folder
@@ -20,14 +37,6 @@ pnpm dlx @quantracode/vibecheck scan --fail-on off --out vibecheck-scan.json
 npx @quantracode/vibecheck scan --target ../my-other-app --out scan.json
 ```
-## Installation
-```bash
-npm install -g @quantracode/vibecheck
-# or
-pnpm add -g @quantracode/vibecheck
-```
 ## Usage
 ```bash
@@ -61,6 +70,18 @@ vibecheck scan --include-tests
 # Generate intent map with coverage metrics
 vibecheck scan --emit-intent-map
+# Auto-fix security issues (with confirmation)
+vibecheck scan --apply-fixes
+# Auto-fix without confirmation prompts
+vibecheck scan --apply-fixes --force
+# Load custom YAML security rules
+vibecheck scan --rules ./my-custom-rules
+# Load a single custom rule file
+vibecheck scan -r my-rule.yaml
 # Explain a scan report
 vibecheck explain ./scan.json
@@ -129,7 +150,9 @@ vibecheck view
 # Browser opens to http://localhost:3000 with results loaded
 ```
-### Command Line Options
+## Command Line Options
+### Scan Options
 | Option | Description | Default |
 |--------|-------------|---------|
@@ -141,7 +164,9 @@ vibecheck view
 | `-e, --exclude <glob>` | Glob pattern to exclude (repeatable) | See below |
 | `--include-tests` | Include test files in scan | `false` |
 | `--emit-intent-map` | Include route map and coverage metrics | `false` |
-| `--changed` | Only scan changed files (not implemented) | `false` |
+| `--apply-fixes` | Apply patches from findings after scan | `false` |
+| `--force` | Skip confirmation when applying patches | `false` |
+| `-r, --rules <path>` | Load custom YAML rules from directory or file | - |
 ### Default Excludes
@@ -156,618 +181,325 @@ The following patterns are excluded by default:
 - `test/`, `tests/`, `fixtures/`, `__mocks__/`, `__fixtures__/`
 - `cypress/`, `e2e/`, `*.stories.*`
-## Scanner Packs
-VibeCheck organizes security rules into modular scanner packs. Each pack focuses on a specific security domain.
-### Auth Pack
-Rules for authentication and authorization issues.
-#### VC-AUTH-001: Unprotected State-Changing API Route
+## Auto-Fix Security Issues
-**Severity:** High / Critical
-**Category:** auth
+VibeCheck can automatically apply security patches from findings:
-Detects Next.js App Router API route handlers (POST, PUT, PATCH, DELETE) that perform database operations without authentication checks.
-**What it looks for:**
-- Route handlers in `app/**/route.ts` files
-- Handlers that use Prisma, Drizzle, or other database operations
-- Missing calls to `getServerSession`, `auth()`, or similar auth checks
-**Example (vulnerable):**
-```typescript
-// app/api/users/route.ts
-export async function POST(request: Request) {
-  const body = await request.json();
-  await prisma.user.create({ data: body }); // No auth check!
-  return Response.json({ success: true });
-}
-```
-**Example (safe):**
-```typescript
-// app/api/users/route.ts
-export async function POST(request: Request) {
-  const session = await getServerSession();
-  if (!session) {
-    return Response.json({ error: "Unauthorized" }, { status: 401 });
-  }
-  const body = await request.json();
-  await prisma.user.create({ data: body });
-  return Response.json({ success: true });
-}
-```
----
-#### VC-MW-001: Middleware Matcher Gap
-**Severity:** High
-**Category:** middleware
-Detects Next.js middleware that doesn't cover API routes, potentially leaving them unprotected.
-**What it looks for:**
-- `middleware.ts` files with `config.matcher` exports
-- Matchers that exclude `/api` routes
-- Projects using next-auth without middleware protection
-**Example (vulnerable):**
-```typescript
-// middleware.ts
-export const config = {
-  matcher: ['/dashboard/:path*'] // Missing /api routes!
-};
-```
+```bash
+# Apply fixes with confirmation prompts for each patch
+vibecheck scan --apply-fixes
-**Example (safe):**
-```typescript
-// middleware.ts
-export const config = {
-  matcher: ['/api/:path*', '/dashboard/:path*']
-};
+# Apply all fixes automatically without prompts (use with caution!)
+vibecheck scan --apply-fixes --force
 ```
----
-### Validation Pack
-Rules for input validation issues.
-#### VC-VAL-001: Validation Defined But Output Ignored
-**Severity:** Medium
-**Category:** validation
-Detects cases where validation libraries (Zod, Yup, Joi) are called but the validated result is not used.
-**What it looks for:**
-- Calls to `.parse()`, `.validate()`, `.parseAsync()`, etc.
-- Result not assigned to a variable
-- Raw `request.body` or `req.body` used after validation
+### How It Works
-**Example (vulnerable):**
-```typescript
-const schema = z.object({ name: z.string() });
-schema.parse(body); // Result ignored!
-await prisma.user.create({ data: body }); // Uses unvalidated body
-```
+1. **Scan completes** - VibeCheck identifies security issues
+2. **Patches available** - Findings with `remediation.patch` field are candidates for auto-fix
+3. **Preview shown** - Each patch is displayed with before/after comparison
+4. **User confirmation** - You approve or reject each patch (unless `--force` is used)
+5. **Applied to files** - Approved patches are written to your source files
-**Example (safe):**
-```typescript
-const schema = z.object({ name: z.string() });
-const validated = schema.parse(body);
-await prisma.user.create({ data: validated });
-```
+### Safety Features
----
+- **Unified diff format**: Only standard git-style diffs are supported for safety
+- **Context validation**: Patches verify that file content matches before applying
+- **Confirmation required**: Interactive approval by default
+- **Detailed errors**: Clear messages if a patch fails to apply
-### Privacy Pack
+### Best Practices
-Rules for data privacy and logging issues.
+1. **Commit first**: Always have a clean git status before applying fixes
+2. **Review changes**: Run `git diff` after applying patches
+3. **Test thoroughly**: Run your test suite to ensure nothing broke
+4. **Use force carefully**: Only use `--force` when you fully trust the patches
-#### VC-PRIV-001: Sensitive Data Logged
+**Example:**
-**Severity:** High
-**Category:** privacy
+```bash
+# 1. Ensure clean working directory
+git status
-Detects logging statements that include sensitive variable names.
+# 2. Run scan with auto-fix
+vibecheck scan --apply-fixes
-**What it looks for:**
-- `console.log`, `console.info`, `console.debug`, `logger.info`, etc.
-- Variables containing: password, secret, token, apiKey, creditCard, ssn, etc.
+# 3. Review what changed
+git diff
-**Example (vulnerable):**
-```typescript
-console.log("User login:", { email, password }); // Logs password!
-```
+# 4. Test the changes
+npm test
-**Example (safe):**
-```typescript
-console.log("User login:", { email, timestamp: Date.now() });
+# 5. Commit if everything looks good
+git add .
+git commit -m "fix: apply VibeCheck security patches"
 ```
----
-### Config Pack
-Rules for configuration and secrets management issues.
-#### VC-CONFIG-001: Undocumented Environment Variable
-**Severity:** Low
-**Category:** config
+## Custom Security Rules
-Detects `process.env.VAR` references that aren't documented in `.env.example`.
+Extend VibeCheck with your own YAML-based security rules - no TypeScript required!
----
-#### VC-CONFIG-002: Insecure Default Secret Fallback
-**Severity:** Critical
-**Category:** secrets
-Detects hardcoded fallback values for security-critical environment variables.
-**What it looks for:**
-- `process.env.VAR || "fallback"` patterns
-- Variables named: SECRET, KEY, TOKEN, PASSWORD, etc.
-- Hardcoded string fallbacks
-**Example (vulnerable):**
-```typescript
-const jwtSecret = process.env.JWT_SECRET || "development-secret";
-```
+```bash
+# Load custom rules from a directory
+vibecheck scan --rules ./my-custom-rules
-**Example (safe):**
-```typescript
-const jwtSecret = process.env.JWT_SECRET;
-if (!jwtSecret) throw new Error("JWT_SECRET is required");
+# Load a single rule file
+vibecheck scan -r my-security-rule.yaml
 ```
----
+### Example Custom Rule
-### Network Pack
+```yaml
+id: CUSTOM-AUTH-001
+severity: high
+category: auth
+title: "Missing authentication on POST endpoint"
+description: |
+  POST endpoints should have authentication checks to prevent
+  unauthorized access to state-changing operations.
-Rules for network security issues.
+files:
+  file_type: [ts, tsx]
+  include: ["**/api/**/*.ts"]
+  exclude: ["**/*.test.*"]
-#### VC-NET-001: SSRF-Prone Fetch
+match:
+  contains: "export async function POST"
+  not_contains: "getServerSession"
+  case_sensitive: false
-**Severity:** High
-**Category:** network
+context:
+  in_function: [POST]
+  file_not_contains: ["test", "mock"]
-Detects fetch/axios calls where the URL is derived from user input without validation.
+recommended_fix: |
+  Add authentication to your POST handler:
-**What it looks for:**
-- `fetch()` or `axios.get()` calls
-- URL constructed from request parameters, query strings, or body
-- No URL validation or allowlist checks
+  ```typescript
+  import { getServerSession } from "next-auth";
-**Example (vulnerable):**
-```typescript
-export async function GET(request: Request) {
-  const { searchParams } = new URL(request.url);
-  const url = searchParams.get("url");
-  const response = await fetch(url); // SSRF risk!
-  return Response.json(await response.json());
-}
-```
-**Example (safe):**
-```typescript
-const ALLOWED_HOSTS = ["api.example.com", "cdn.example.com"];
-export async function GET(request: Request) {
-  const { searchParams } = new URL(request.url);
-  const url = searchParams.get("url");
-  const parsed = new URL(url);
-  if (!ALLOWED_HOSTS.includes(parsed.hostname)) {
-    return Response.json({ error: "Invalid host" }, { status: 400 });
+  export async function POST(request: Request) {
+    const session = await getServerSession(authOptions);
+    if (!session) {
+      return new Response("Unauthorized", { status: 401 });
+    }
+    // ... rest of handler
   }
-  const response = await fetch(url);
-  return Response.json(await response.json());
-}
-```
----
-### Hallucinations Pack
-Rules for detecting security libraries that are imported but not properly used.
-#### VC-HALL-001: Security Library Imported But Not Used
-**Severity:** Medium
-**Category:** middleware
-Detects security libraries (helmet, cors, csurf, etc.) that are imported but the import is never used.
+  ```
-**What it looks for:**
-- Imports from security packages: helmet, cors, csurf, express-rate-limit, hpp, etc.
-- Import identifier not referenced after the import statement
+links:
+  owasp: https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/
+  cwe: https://cwe.mitre.org/data/definitions/306.html
-**Example (vulnerable):**
-```typescript
-import helmet from "helmet"; // Imported but never used!
-import cors from "cors";
-const app = express();
-app.use(cors());
-// Missing: app.use(helmet());
+metadata:
+  author: "Your Name"
+  tags: ["authentication", "api-security"]
+  created: "2025-01-07"
 ```
----
-#### VC-HALL-002: NextAuth Imported But Not Enforced
-**Severity:** High
-**Category:** auth
-Detects next-auth imported but `getServerSession` never called, suggesting auth is configured but not enforced.
-**What it looks for:**
-- Imports from `next-auth` or `next-auth/next`
-- No calls to `getServerSession` anywhere in the file
----
+### Rule Structure
-## Phase 2 Rules
+**Required Fields:**
+- `id`: Unique identifier (format: `XXX-XXX-000`)
+- `severity`: `critical`, `high`, `medium`, `low`, or `info`
+- `category`: Security category (auth, validation, secrets, etc.)
+- `title`: Short description
+- `description`: Detailed explanation
+- `match`: What to look for (see Match Conditions below)
+- `recommended_fix`: How to fix the issue
-### Network Pack (Extended)
+**Optional Fields:**
+- `files`: File filters (type, include/exclude patterns, directories)
+- `context`: Advanced conditions (imports, function types, file content)
+- `patch`: Unified diff for auto-fixing
+- `links`: Reference URLs (OWASP, CWE, docs)
+- `metadata`: Author, tags, version, dates
+- `enabled`: Whether the rule is active (default: true)
-#### VC-NET-002: Open Redirect
+### Match Conditions
-**Severity:** High
-**Category:** network
-Detects server-side redirects where user-controlled input determines the destination.
-**Two-signal requirement:** Must identify user-controlled source AND redirect call uses that value.
-**Example (vulnerable):**
-```typescript
-export async function GET(request: Request) {
-  const { searchParams } = new URL(request.url);
-  const next = searchParams.get("next");
-  return NextResponse.redirect(next!); // Open redirect!
-}
+**String Match:**
+```yaml
+match:
+  contains: "eval("
+  case_sensitive: true
 ```
----
-#### VC-NET-003: Over-permissive CORS with Credentials
-**Severity:** High
-**Category:** network
-Detects CORS configurations that combine `origin: "*"` with `credentials: true`.
-**Example (vulnerable):**
-```typescript
-cors({ origin: "*", credentials: true }) // Dangerous combination!
+**Negative Match (should NOT contain):**
+```yaml
+match:
+  not_contains: "getServerSession"  # Flag files without auth
 ```
----
-#### VC-NET-004: Missing Request Timeout
-**Severity:** Low
-**Category:** network
-Detects fetch/axios calls without timeout in API route handlers.
-**Example (vulnerable):**
-```typescript
-const response = await fetch("https://external-api.com/data"); // No timeout!
+**Regular Expression:**
+```yaml
+match:
+  regex: "password\\s*=\\s*['\"][^'\"]+['\"]"
+  case_sensitive: false
 ```
----
-### Middleware Pack
-#### VC-RATE-001: Missing Rate Limiting
-**Severity:** Medium
-**Category:** middleware
-**Confidence:** 0.65
-Detects unauthenticated state-changing endpoints without rate limiting.
-**What it looks for:**
-- POST/PUT/PATCH/DELETE handlers without auth checks
-- Handlers with database writes or sensitive operations
-- No rate limiting signals in handler or middleware
----
-### Validation Pack (Extended)
-#### VC-VAL-002: Client-Side Only Validation
-**Severity:** Medium
-**Category:** validation
-Detects validation in frontend components but missing in API routes.
----
-### Privacy Pack (Extended)
-#### VC-PRIV-002: Over-broad API Response
-**Severity:** Medium/High
-**Category:** privacy
-Detects Prisma queries returning full models without `select` restrictions.
-**Example (vulnerable):**
-```typescript
-const users = await prisma.user.findMany(); // Returns password hash!
-return Response.json(users);
+**Combined Conditions:**
+```yaml
+match:
+  contains: "export async function POST"
+  not_contains: "await auth()"
+  regex: "prisma\\.(create|update|delete)"
 ```
-**Example (safe):**
-```typescript
-const users = await prisma.user.findMany({
-  select: { id: true, name: true, email: true }
-});
-return Response.json(users);
-```
----
-#### VC-PRIV-003: Debug Flags in Production
-**Severity:** Medium
-**Category:** config
-Detects `debug: true` or `dev: true` in config files without NODE_ENV guards.
----
-### Crypto Pack
-#### VC-CRYPTO-001: Math.random for Tokens
-**Severity:** High
-**Category:** crypto
-Detects Math.random used to generate tokens, keys, or session IDs.
+### File Filters
-**Example (vulnerable):**
-```typescript
-const token = Math.random().toString(36).substring(2); // Predictable!
+```yaml
+files:
+  file_type: [ts, tsx, js, jsx]
+  include: ["**/api/**/*.ts", "**/routes/**/*.ts"]
+  exclude: ["**/*.test.*", "**/*.spec.*"]
+  directories: ["/api/", "/routes/"]
 ```
-**Example (safe):**
-```typescript
-const token = crypto.randomBytes(32).toString('hex');
-```
+Available file types: `ts`, `tsx`, `js`, `jsx`, `json`, `env`, `yaml`, `yml`, `md`, `config`, `any`
----
+### Context Conditions
-#### VC-CRYPTO-002: JWT Decode Without Verify
+```yaml
+context:
+  # Only flag if file imports these packages
+  requires_import: ["next-auth", "@prisma/client"]
-**Severity:** Critical
-**Category:** crypto
+  # Don't flag if file imports these
+  excludes_import: ["vitest", "@testing-library"]
-Detects jwt.decode() used without jwt.verify() in the same file.
+  # File must contain all of these
+  file_contains: ["database", "user"]
-**Example (vulnerable):**
-```typescript
-const payload = jwt.decode(token); // Signature not verified!
-```
+  # File must NOT contain any of these
+  file_not_contains: ["test", "mock"]
-**Example (safe):**
-```typescript
-const payload = jwt.verify(token, secret); // Signature verified
+  # Only match in specific handler types
+  in_function: [POST, PUT, DELETE, route_handler]
 ```
----
+### Multiple Rules in One File
-#### VC-CRYPTO-003: Weak Password Hashing
+```yaml
+schema_version: "1.0"
-**Severity:** High
-**Category:** crypto
+rules:
+  - id: CUSTOM-001
+    severity: high
+    category: auth
+    title: "First rule"
+    # ... rule config
-Detects MD5/SHA1 for passwords or bcrypt with saltRounds < 10.
-**Example (vulnerable):**
-```typescript
-crypto.createHash('md5').update(password).digest('hex'); // Weak!
-bcrypt.hash(password, 5); // Too few rounds!
+  - id: CUSTOM-002
+    severity: medium
+    category: validation
+    title: "Second rule"
+    # ... rule config
 ```
----
+### Complete Guide
-### Uploads Pack
+See [examples/CUSTOM_RULES_GUIDE.md](./examples/CUSTOM_RULES_GUIDE.md) for:
+- Full rule specification
+- Advanced examples (SQL injection, hardcoded secrets, etc.)
+- Best practices and troubleshooting
+- Community contribution guidelines
-#### VC-UP-001: File Upload Without Constraints
+### Example Rules
-**Severity:** High
-**Category:** uploads
+Check out [examples/custom-rules/](./examples/custom-rules/) for production-ready examples:
+- `hardcoded-secret.yaml` - Detect secrets in .env files
+- `missing-rate-limit.yaml` - Find API routes without rate limiting
+- `console-log-production.yaml` - Flag console.log in production code
+- `collection-example.yaml` - Multiple rules in one file
-Detects file uploads without size or type validation.
+## Scanner Categories
-**Example (vulnerable):**
-```typescript
-const file = formData.get('file') as File;
-// No size or type check before processing
-```
+VibeCheck includes 30+ enforcement verification scanners across these categories:
----
+### Auth & Authorization
-#### VC-UP-002: Upload to Public Path
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-AUTH-001 | Unprotected State-Changing API Route | High/Critical |
+| VC-MW-001 | Middleware Matcher Gap | High |
+| VC-AUTH-010 | Auth-by-UI with Server Gap | Critical |
-**Severity:** High
-**Category:** uploads
+### Input Validation
-Detects uploaded files written to public directories.
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-VAL-001 | Validation Defined But Output Ignored | Medium |
+| VC-VAL-002 | Client-Side Only Validation | Medium |
-**Example (vulnerable):**
-```typescript
-fs.writeFileSync(`public/uploads/${filename}`, buffer); // Publicly accessible!
-```
+### Network Security
----
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-NET-001 | SSRF-Prone Fetch | High |
+| VC-NET-002 | Open Redirect | High |
+| VC-NET-003 | Over-permissive CORS with Credentials | High |
+| VC-NET-004 | Missing Request Timeout | Low |
-## Phase 3: Hallucination Detection Engine
+### Secrets & Config
-Advanced cross-file analysis for detecting security intent vs implementation gaps.
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-CONFIG-001 | Undocumented Environment Variable | Low |
+| VC-CONFIG-002 | Insecure Default Secret Fallback | Critical |
+| VC-PRIV-003 | Debug Flags in Production | Medium |
-### Intent Command
+### Privacy & Data
-Generate a security intent map baseline for your codebase:
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-PRIV-001 | Sensitive Data Logged | High |
+| VC-PRIV-002 | Over-broad API Response | Medium/High |
-```bash
-# Generate intent map
-vibecheck intent ./my-project --out intent-map.json
+### Cryptography
-# Include intent map in scan output
-vibecheck scan ./my-project --emit-intent-map
-```
-### Hallucinations Pack (Phase 3)
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-CRYPTO-001 | Math.random for Tokens | High |
+| VC-CRYPTO-002 | JWT Decode Without Verify | Critical |
+| VC-CRYPTO-003 | Weak Password Hashing | High |
-#### VC-HALL-010: Comment Claims Protection But Unproven
+### File Uploads
-**Severity:** Medium
-**Category:** hallucinations
-**Confidence:** 0.75
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-UP-001 | File Upload Without Constraints | High |
+| VC-UP-002 | Upload to Public Path | High |
-Detects comments that claim security protection but the implementation doesn't prove it.
+### Middleware
-**Example (vulnerable):**
-```typescript
-// This route is protected by authentication middleware
-export async function POST(request: Request) {
-  // No auth check here, and middleware doesn't cover /api routes
-  await prisma.user.create({ data: body });
-}
-```
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-RATE-001 | Missing Rate Limiting | Medium |
----
+### AI Hallucinations
-#### VC-HALL-011: Middleware Assumed But Not Matching
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-HALL-001 | Security Library Imported But Not Used | Medium |
+| VC-HALL-010 | Comment Claims Protection But Unproven | Medium |
+| VC-HALL-011 | Middleware Assumed But Not Matching | High |
+| VC-HALL-012 | Validation Claimed But Missing/Ignored | Medium |
-**Severity:** High
-**Category:** hallucinations
-**Confidence:** 0.70
+### Supply Chain
-Detects routes that expect middleware protection but are not covered by matcher patterns.
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-SC-001 | Unpinned Dependencies | Medium |
+| VC-SC-002 | Suspicious Postinstall Scripts | High |
+| VC-SC-003 | Deprecated Packages | Low |
-**Example (vulnerable):**
-```typescript
-// middleware.ts
-export const config = {
-  matcher: ['/dashboard/:path*'], // Missing /api routes!
-};
+### Abuse & Compute
-// app/api/users/route.ts
-// Auth handled by middleware (but middleware doesn't cover this!)
-export async function DELETE(request: Request) {
-  await prisma.user.delete({ where: { id } });
-}
-```
----
-#### VC-HALL-012: Validation Claimed But Missing/Ignored
-**Severity:** Medium
-**Category:** hallucinations
-**Confidence:** 0.80
-Detects validation that is claimed but not properly implemented or used.
-**Example (vulnerable):**
-```typescript
-const schema = z.object({ name: z.string() });
-schema.parse(body); // Result ignored!
-await prisma.user.create({ data: body }); // Uses raw body
-```
----
-#### VC-AUTH-010: Auth-by-UI with Server Gap
-**Severity:** Critical
-**Category:** auth
-**Confidence:** 0.85
-Detects client-side auth checks without corresponding server-side protection.
-**Example (vulnerable):**
-```tsx
-// Client component
-const { session } = useSession();
-if (session) {
-  // Only render if logged in
-  await fetch('/api/users', { method: 'DELETE' }); // Server has no auth!
-}
-```
----
-### Coverage Metrics
-With `--emit-intent-map`, the scan artifact includes coverage metrics:
-- **authCoverage**: Percentage of state-changing routes with proven auth
-- **validationCoverage**: Percentage of routes with request bodies that have validation
-- **middlewareCoverage**: Percentage of routes covered by middleware matchers
-### Intent Map Structure
-```json
-{
-  "routeMap": [
-    {
-      "routeId": "abc123",
-      "method": "POST",
-      "path": "/api/users",
-      "file": "app/api/users/route.ts",
-      "startLine": 10,
-      "endLine": 25
-    }
-  ],
-  "middlewareMap": [
-    {
-      "file": "middleware.ts",
-      "matchers": ["/api/:path*"],
-      "protectsApi": true,
-      "startLine": 15
-    }
-  ],
-  "intentMap": [
-    {
-      "intentId": "def456",
-      "type": "AUTH_ENFORCED",
-      "scope": "route",
-      "source": "comment",
-      "textEvidence": "// Protected by auth"
-    }
-  ],
-  "proofTraces": {
-    "abc123": {
-      "routeId": "abc123",
-      "authProven": true,
-      "validationProven": false,
-      "middlewareCovered": true,
-      "steps": [...]
-    }
-  },
-  "coverage": {
-    "authCoverage": 0.85,
-    "validationCoverage": 0.60,
-    "middlewareCoverage": 1.0
-  }
-}
-```
----
+| Rule ID | Title | Severity |
+|---------|-------|----------|
+| VC-ABUSE-001 | Unbounded AI API Calls | High |
+| VC-ABUSE-002 | Missing Cost Controls | Medium |
 ## Output Formats
@@ -779,11 +511,11 @@ The default format, defined by `@vibecheck/schema`:
 ```json
 {
-  "artifactVersion": "0.1",
+  "artifactVersion": "0.3",
   "generatedAt": "2024-01-15T10:30:00.000Z",
   "tool": {
     "name": "vibecheck",
-    "version": "1.0.0"
+    "version": "0.3.2"
   },
   "summary": {
     "totalFindings": 2,
@@ -824,21 +556,79 @@ The default format, defined by `@vibecheck/schema`:
 ### SARIF Format
-[SARIF (Static Analysis Results Interchange Format)](https://sarifweb.azurewebsites.net/) is an OASIS standard for static analysis tools. Use `--format sarif` to generate SARIF 2.1.0 output, compatible with:
+SARIF (Static Analysis Results Interchange Format) is an OASIS standard for static analysis tools. Use `--format sarif` to generate SARIF 2.1.0 output, compatible with:
-- **GitHub Code Scanning** - Upload via `github/codeql-action/upload-sarif`
-- **Azure DevOps** - Native SARIF support in security reports
-- **VS Code** - SARIF Viewer extension
-- **Other tools** - Any SARIF 2.1.0 compatible viewer
+- **GitHub Code Scanning** — Upload via `github/codeql-action/upload-sarif`
+- **Azure DevOps** — Native SARIF support in security reports
+- **VS Code** — SARIF Viewer extension
+- **Other tools** — Any SARIF 2.1.0 compatible viewer
 ```bash
 # Generate SARIF for GitHub Code Scanning
 vibecheck scan --format sarif --out results.sarif
+```
+## CI/CD Integration
+### GitHub Actions Example
+```yaml
+name: Security Scan
+on: [push, pull_request]
+jobs:
+  vibecheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Run VibeCheck
+        run: npx @quantracode/vibecheck scan --format sarif --out results.sarif --fail-on high
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: results.sarif
+```
-# Upload to GitHub (in CI workflow)
-- uses: github/codeql-action/upload-sarif@v2
-  with:
-    sarif_file: results.sarif
+### Policy Evaluation
+Compare scans against baselines for regression detection:
+```bash
+# Evaluate against startup profile
+vibecheck evaluate \
+  --artifact vibecheck-scan.json \
+  --profile startup \
+  --out policy-report.json
+# Compare against baseline (regression detection)
+vibecheck evaluate \
+  --artifact vibecheck-scan.json \
+  --baseline main-branch-scan.json \
+  --profile enterprise
+```
+Available profiles: `startup`, `growth`, `enterprise`
+## Intent Map & Coverage Metrics
+With `--emit-intent-map`, the scan artifact includes coverage metrics:
+- **authCoverage**: Percentage of state-changing routes with proven auth
+- **validationCoverage**: Percentage of routes with request bodies that have validation
+- **middlewareCoverage**: Percentage of routes covered by middleware matchers
+```bash
+# Generate intent map
+vibecheck scan ./my-project --emit-intent-map --out scan.json
 ```
 ## Architecture
@@ -847,57 +637,27 @@ vibecheck scan --format sarif --out results.sarif
 packages/cli/src/
 ├── commands/
 │   ├── scan.ts         # Main scan orchestrator
+│   ├── evaluate.ts     # Policy evaluation
 │   └── explain.ts      # Report viewer
 ├── scanners/
 │   ├── types.ts        # ScanContext, types
 │   ├── helpers/
 │   │   ├── ast-helpers.ts      # ts-morph utilities
 │   │   └── context-builder.ts  # ScanContext factory
-│   ├── auth/
-│   │   ├── unprotected-api-route.ts  # VC-AUTH-001
-│   │   └── middleware-gap.ts         # VC-MW-001
-│   ├── validation/
-│   │   └── ignored-validation.ts     # VC-VAL-001
-│   ├── privacy/
-│   │   └── sensitive-logging.ts      # VC-PRIV-001
-│   ├── config/
-│   │   ├── undocumented-env.ts       # VC-CONFIG-001
-│   │   └── insecure-defaults.ts      # VC-CONFIG-002
-│   ├── network/
-│   │   └── ssrf-prone-fetch.ts       # VC-NET-001
-│   └── hallucinations/
-│       └── unused-security-imports.ts # VC-HALL-001, VC-HALL-002
+│   ├── auth/           # Auth & authorization scanners
+│   ├── validation/     # Input validation scanners
+│   ├── privacy/        # Privacy & data scanners
+│   ├── config/         # Config & secrets scanners
+│   ├── network/        # Network security scanners
+│   ├── crypto/         # Cryptography scanners
+│   ├── uploads/        # File upload scanners
+│   ├── middleware/     # Middleware scanners
+│   ├── hallucinations/ # AI hallucination scanners
+│   ├── supply-chain/   # Supply chain scanners
+│   └── abuse/          # Abuse & compute scanners
 └── index.ts
 ```
-## Design Principles
-1. **Deterministic** - No LLM calls, results are reproducible
-2. **Local-only** - All analysis runs on your machine
-3. **Low false positives** - Precision over recall
-4. **Framework-aware** - Built for Next.js, Express patterns
-5. **Schema-compliant** - Output conforms to `@vibecheck/schema`
-## Adding New Scanners
-Each scanner must:
-1. Accept a `ScanContext` with repo info and AST helpers
-2. Return `Finding[]` conforming to the schema
-3. Generate deterministic fingerprints for deduplication
-4. Include clear evidence with file locations
-```typescript
-import { type ScanContext } from "../types.js";
-import { type Finding } from "@vibecheck/schema";
-export async function scanMyRule(ctx: ScanContext): Promise<Finding[]> {
-  const findings: Finding[] = [];
-  // ... detection logic
-  return findings;
-}
-```
 ## License
 MIT