guardvibe 1.1.1 → 1.3.3

package/LICENSE

@@ -1,21 +1,191 @@
-MIT License
-
-Copyright (c) 2026 GokLab
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 GokLab
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -1,6 +1,6 @@
 # GuardVibe
 
-**The security MCP built for vibe coding.** 191 security rules covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 239 security rules covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-compatible coding agent.
 
@@ -8,17 +8,38 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-com
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **191 security rules** purpose-built for the stacks AI agents generate
+- **239 security rules** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
-- **CVE version intelligence** — detects known vulnerable package versions in package.json
+- **CVE version intelligence** — detects 21 known vulnerable package versions in package.json
 - **AI agent security** — detects MCP server vulnerabilities, excessive AI permissions, indirect prompt injection
+- **Auto-fix suggestions** — `fix_code` tool returns concrete patches the AI agent can apply
 - **Pre-commit hook** — block insecure code before it reaches your repo
 - **CI/CD ready** — GitHub Actions workflow with SARIF upload to Security tab
 - **Agent-friendly output** — JSON format for AI agents, Markdown for humans, SARIF for CI/CD
 - **Plugin system** — extend with community or premium rule packs
 
+## How GuardVibe Compares
+
+GuardVibe is purpose-built for the AI coding workflow. Traditional tools are excellent for enterprise CI/CD pipelines — GuardVibe fills a different gap.
+
+| Capability | GuardVibe | Traditional SAST | Dependency Scanners |
+|-----------|-----------|-----------------|-------------------|
+| Runs inside AI agents (MCP) | Native | Not supported | Not supported |
+| Zero config setup | `npx guardvibe` | Account + config required | Built-in (limited) |
+| Vibecoding stack rules (Next.js, Supabase, Clerk, tRPC, Hono) | 100+ dedicated | Generic patterns | Not applicable |
+| AI/LLM security (prompt injection, MCP, tool abuse) | 17 rules | Experimental/None | None |
+| Auto-fix suggestions for AI agents | `fix_code` tool | CLI autofix | Not supported |
+| CVE version detection | 21 packages | Extensive | Extensive |
+| Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
+| SARIF CI/CD export | Yes | Yes | Limited |
+| Rule count | 239 (focused) | 5000+ (broad) | N/A |
+
+**When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
+
+**When to use traditional tools:** You need deep AST analysis, enterprise dashboards, org-wide policy enforcement, or coverage across hundreds of languages.
+
 ## Quick Start
 
 ### MCP setup (recommended)
@@ -59,22 +80,28 @@ npx guardvibe ci github      # Generates .github/workflows/guardvibe.yml
 ## What GuardVibe Scans
 
 ### Application Code
-Next.js App Router, Server Actions, Server Components, React, Express, FastAPI, Go
+Next.js App Router, Server Actions, Server Components, React, Express, Hono, tRPC, GraphQL, FastAPI, Go
 
-### Authentication
-Clerk, Auth.js (NextAuth), Supabase Auth — middleware checks, secret exposure, session handling, SSR cookie auth, admin method protection, email confirmation, callback code exchange
+### Authentication & Authorization
+Clerk, Auth.js (NextAuth), Supabase Auth, OAuth/OIDC (state parameter, PKCE) — middleware checks, secret exposure, session handling, SSR cookie auth, admin method protection
 
-### Database
-Supabase (RLS, anon vs service role), Prisma (raw query injection), Drizzle (SQL injection)
+### Database & ORM
+Supabase (RLS, anon vs service role), Prisma (raw query injection, CVEs), Drizzle (SQL injection), Turso/LibSQL (client exposure, SQL injection), Convex (auth bypass, internal function exposure)
 
 ### Payments
-Stripe (webhook signatures, secret keys, client-side pricing), Polar.sh, LemonSqueezy
+Stripe (webhook signatures, replay protection, secret keys), Polar.sh, LemonSqueezy
 
 ### Third-Party Services
-Resend (email injection), Upstash Redis, Pinecone, PostHog, Google Analytics (PII tracking)
+Resend (email HTML injection), Upstash Redis, Pinecone, PostHog, Google Analytics (PII tracking), Uploadthing (auth, file type/size)
+
+### AI / LLM Security
+Prompt injection detection, LLM output sinks, system prompt leaks, MCP server SSRF/path traversal/command injection, `dangerouslyAllowBrowser`, missing `maxTokens`, AI API key client exposure, indirect prompt injection via external data
 
-### AI Security
-Prompt injection detection, LLM output sinks (eval, SQL, exec), system prompt leaks, MCP server SSRF/path traversal/command injection, excessive AI agent permissions, indirect prompt injection via external data
+### OWASP API Security
+BOLA/IDOR (Broken Object Level Authorization), mass assignment (spread request body, Object.assign), missing pagination, rate limiting, admin endpoint authorization, verbose error leaks
+
+### Modern Stack
+Zod `.passthrough()` mass assignment, `z.any()` bypass, file upload validation, `server-only` import guard, webhook replay protection, CSP headers, `unsafe-inline`/`unsafe-eval` detection, cron endpoint auth
 
 ### Mobile
 React Native, Expo — AsyncStorage secrets, deep link token exposure, hardcoded API URLs, ATS configuration
@@ -82,8 +109,8 @@ React Native, Expo — AsyncStorage secrets, deep link token exposure, hardcoded
 ### Firebase
 Firestore security rules, Firebase Admin SDK exposure, storage rules, custom token validation
 
-### CVE Version Intelligence
-Detects known vulnerable versions in package.json: Next.js (CVE-2024-34351, CVE-2024-46982, CVE-2025-29927), React, Express, Axios, jsonwebtoken, lodash, node-fetch, tar, xml2js, crypto-js
+### CVE Version Intelligence (21 CVEs)
+Next.js (3 CVEs), React, Express, Axios, jsonwebtoken, lodash, node-fetch, tar, xml2js, crypto-js, Prisma (2 CVEs), next-auth (2 CVEs), sharp, ws, undici (2 CVEs)
 
 ### Deployment & Config
 Vercel (vercel.json, cron secrets, headers), Next.js config, Docker, Docker Compose, Fly.io, Render, Netlify, Cloudflare
@@ -92,10 +119,7 @@ Vercel (vercel.json, cron secrets, headers), Next.js config, Docker, Docker Comp
 Dockerfile security, GitHub Actions CI/CD, Terraform (S3, IAM, RDS, security groups)
 
 ### Secrets & Environment
-API keys (AWS, GitHub, Stripe, OpenAI, Resend), .env management, .gitignore coverage, high-entropy detection, NEXT_PUBLIC exposure
-
-### Webhooks & Web Security
-Signature verification, open redirects, robots.txt exposure, source maps, meta tag injection, CSP headers
+API keys (AWS, GitHub, Stripe, OpenAI, Resend, Turso), .env management, .gitignore coverage, high-entropy detection, NEXT_PUBLIC exposure
 
 ### Compliance
 SOC2, PCI-DSS, HIPAA control mapping with compliance reports
@@ -103,7 +127,7 @@ SOC2, PCI-DSS, HIPAA control mapping with compliance reports
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (11 MCP tools)
+## Tools (12 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -118,17 +142,20 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `compliance_report` | SOC2 / PCI-DSS / HIPAA compliance mapping |
 | `export_sarif` | SARIF v2.1.0 export for CI/CD integration |
 | `get_security_docs` | Security best practices and guides |
+| `fix_code` | **Auto-fix suggestions** with concrete patches for AI agents |
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (191 rules across 21 modules)
+## Security Rules (239 rules across 23 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|
-| Core OWASP | 25 | SQL injection, XSS, CSRF, command injection, eval, CORS, SSRF, hardcoded secrets |
-| Next.js App Router | 13 | Server Actions, secret exposure, auth bypass, redirects, innerHTML |
-| Auth (Clerk / Auth.js / Supabase Auth) | 16 | Middleware, secret keys, session storage, role checks, SSR cookies, admin protection |
+| Core OWASP | 19 | SQL injection, XSS, CSRF, command injection, CORS, SSRF, hardcoded secrets |
+| Next.js App Router | 13 | Server Actions, secret exposure, auth bypass, CSP, redirects |
+| Auth (Clerk / Auth.js / Supabase Auth) | 16 | Middleware, secret keys, session storage, role checks, SSR cookies |
 | Database (Supabase / Prisma / Drizzle) | 8 | Raw queries, client exposure, service role leaks |
+| OWASP API Security | 10 | BOLA/IDOR, mass assignment, pagination, rate limiting, error leaks |
+| Modern Stack | 30 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK |
 | Deployment Config | 16 | Vercel, Next.js config, Docker Compose, Fly, Render, Netlify |
 | Payments (Stripe / Polar / Lemon) | 9 | Webhook signatures, key exposure, price manipulation |
 | Services (Resend / Upstash / Pinecone / PostHog) | 11 | API key leaks, PII tracking, email injection |
@@ -136,7 +163,7 @@ All scanning tools support `format: "json"` for machine-readable output.
 | React Native / Expo | 10 | AsyncStorage secrets, deep links, ATS, hardcoded URLs |
 | Firebase | 7 | Firestore rules, admin SDK, storage, custom tokens |
 | AI / LLM Security | 14 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
-| CVE Version Intelligence | 12 | Known vulnerable versions in package.json |
+| CVE Version Intelligence | 20 | Known vulnerable versions in package.json (21 CVEs) |
 | Shell / Bash | 5 | Pipe to bash, chmod 777, rm -rf, sudo password |
 | SQL | 4 | DROP/DELETE without WHERE, stacked queries, GRANT ALL |
 | Supply Chain | 2 | Malicious install scripts, unpinned actions |
@@ -167,24 +194,30 @@ npm install guardvibe-rules-awesome
 
 Plugins matching `guardvibe-rules-*`, `@guardvibe/rules-*`, or `@guardvibe-pro/rules-*` are discovered automatically.
 
-**Create a plugin:**
+### Writing a Plugin
+
+A plugin is an npm package that exports a `GuardVibePlugin` object:
 
 ```typescript
+// index.ts
 import type { GuardVibePlugin } from "guardvibe/plugins";
 
 const plugin: GuardVibePlugin = {
   name: "my-rules",
   version: "1.0.0",
+  description: "My custom security rules",
   rules: [
     {
       id: "CUSTOM001",
       name: "My Custom Rule",
-      severity: "high",
+      severity: "high",       // "critical" | "high" | "medium" | "low" | "info"
       owasp: "A01:2025 Broken Access Control",
-      description: "Description of what this detects",
-      pattern: /vulnerable_pattern/g,
-      languages: ["javascript", "typescript"],
-      fix: "How to fix it",
+      description: "What this rule detects and why it's dangerous",
+      pattern: /vulnerable_pattern_here/g,   // RegExp with global flag
+      languages: ["javascript", "typescript"], // which file types to scan
+      fix: "How to fix the vulnerability",
+      fixCode: "// Copy-paste secure code example",
+      compliance: ["SOC2:CC6.1"],  // optional compliance mapping
     },
   ],
 };
@@ -192,6 +225,39 @@ const plugin: GuardVibePlugin = {
 export default plugin;
 ```
 
+### Plugin Rule Schema
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `id` | string | Yes | Unique rule ID (e.g., "CUSTOM001") |
+| `name` | string | Yes | Human-readable rule name |
+| `severity` | string | Yes | `critical`, `high`, `medium`, `low`, or `info` |
+| `owasp` | string | Yes | OWASP category mapping |
+| `description` | string | Yes | What the rule detects |
+| `pattern` | RegExp | Yes | Regex pattern to match vulnerable code (use `/g` flag) |
+| `languages` | string[] | Yes | File types to scan |
+| `fix` | string | Yes | How to fix the issue |
+| `fixCode` | string | No | Copy-paste secure code example |
+| `compliance` | string[] | No | SOC2/PCI-DSS/HIPAA control IDs |
+
+### Loading Plugins
+
+Plugins are loaded from three sources:
+
+1. **Auto-discovery:** Any installed npm package matching `guardvibe-rules-*` or `@guardvibe/rules-*`
+2. **Config-specified:** Packages listed in `.guardviberc` `plugins` array
+3. **Local paths:** Relative paths in `.guardviberc` `plugins` array
+
+```json
+// .guardviberc
+{
+  "plugins": [
+    "guardvibe-rules-awesome",
+    "./my-local-rules"
+  ]
+}
+```
+
 ## Configuration
 
 Create a `.guardviberc` file in your project root:
@@ -242,9 +308,22 @@ AI agent fixes issues before they reach production
 Tested on a real 644-file Next.js + Supabase project:
 
 - Scan time: **502ms**
-- False positive rate: **near zero** (validated against production codebase)
+- False positive rate: **near zero** (comment/string filtering, human-readable text detection)
 - Detection rate: **100%** on known vulnerability patterns
 
+## Security
+
+GuardVibe takes supply chain security seriously:
+
+- **npm provenance** — every published version is cryptographically signed via Sigstore, linking the package to this exact GitHub repo and commit. Verify with `npm audit signatures`
+- **2FA enabled** — npm account protected with two-factor authentication
+- **Branch protection** — force push disabled on main, admin enforcement enabled
+- **Tag protection** — version tags (`v*`) cannot be deleted or force-pushed
+- **Minimal CI permissions** — GitHub Actions workflows use `permissions: contents: read` only
+- **Zero runtime dependencies** — only MCP SDK and Zod (both widely audited)
+
+To report a vulnerability, please email security@goklab.com or open a GitHub issue.
+
 ## License
 
-MIT — open source and free to use. Built by [GokLab](https://github.com/goklab).
+Apache 2.0 — open source, patent-safe, enterprise-ready. Built by [GokLab](https://github.com/goklab).

package/build/data/rules/api-security.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const apiSecurityRules: SecurityRule[];
+//# sourceMappingURL=api-security.d.ts.map

package/build/data/rules/api-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAI/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EAkK1C,CAAC"}

package/build/data/rules/api-security.js

@@ -0,0 +1,131 @@
+// OWASP API Security Top 10 rules
+// See: https://owasp.org/API-Security/
+export const apiSecurityRules = [
+    // API1:2023 — Broken Object Level Authorization (BOLA)
+    {
+        id: "VG950",
+        name: "BOLA: Direct Object Reference Without Ownership Check",
+        severity: "high",
+        owasp: "API1:2023 Broken Object Level Authorization",
+        description: "API endpoint accesses a resource by user-supplied ID without verifying that the authenticated user owns or has access to that resource. This is the #1 API vulnerability (BOLA/IDOR).",
+        pattern: /(?:findUnique|findFirst|findById|findOne|getOne)\s*\(\s*\{?\s*(?:where\s*:\s*\{)?\s*(?:id|_id)\s*:\s*(?:req\.(?:params|query|body)|params\.|args\.|input\.)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Always include an ownership check: add the authenticated user's ID to the query filter (e.g., { where: { id, userId } }).",
+        fixCode: '// Always scope queries to the authenticated user\nconst { userId } = await auth();\nconst item = await prisma.item.findFirst({\n  where: { id: params.id, userId }, // ownership check!\n});\nif (!item) return new Response("Not Found", { status: 404 });',
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG951",
+        name: "BOLA: Delete/Update Without Ownership Verification",
+        severity: "critical",
+        owasp: "API1:2023 Broken Object Level Authorization",
+        description: "Delete or update operation uses user-supplied ID without verifying resource ownership. Any authenticated user can modify or delete other users' resources.",
+        pattern: /(?:delete|update|destroy|remove)\s*\(\s*\{?\s*(?:where\s*:\s*\{)?\s*(?:id|_id)\s*:\s*(?:req\.(?:params|query|body)|params\.|args\.|input\.)(?:(?!userId|user_id|ownerId|owner_id|createdBy|created_by)[\s\S]){0,200}?\}/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Include the authenticated user's ID in the where clause to prevent unauthorized modifications.",
+        fixCode: '// Scope mutations to the authenticated user\nconst { userId } = await auth();\nawait prisma.post.delete({\n  where: { id: params.id, userId }, // ownership!\n});',
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10", "HIPAA:§164.312(a)"],
+    },
+    // API2:2023 — Broken Authentication
+    {
+        id: "VG952",
+        name: "API Route Without Authentication",
+        severity: "high",
+        owasp: "API2:2023 Broken Authentication",
+        description: "Next.js Route Handler that performs data operations without any authentication check. API routes are publicly accessible by default.",
+        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|verifyToken|checkAuth|clerkClient|getToken|session|protect)[\s\S]){10,}?(?:prisma|db|supabase|query|fetch|sql)\.\w+/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add authentication at the start of every Route Handler that reads or writes data.",
+        fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  // ... data access\n}',
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
+    },
+    // API3:2023 — Broken Object Property Level Authorization (Mass Assignment)
+    {
+        id: "VG953",
+        name: "Mass Assignment: Spreading Request Body into Database",
+        severity: "high",
+        owasp: "API3:2023 Broken Object Property Level Authorization",
+        description: "Request body is spread directly into a database create/update operation. Attackers can inject extra fields (like role, isAdmin, price) that the API didn't intend to accept.",
+        pattern: /(?:create|update|upsert|insert)\s*\(\s*\{[\s\S]{0,100}?(?:\.\.\.(?:req\.body|body|input|data|args)|(?:data|values)\s*:\s*(?:req\.body|body|input))\s*\}/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Explicitly pick allowed fields instead of spreading the entire request body. Use a validation schema (zod) to define exactly which fields are accepted.",
+        fixCode: '// BAD: mass assignment\nawait prisma.user.update({ where: { id }, data: { ...req.body } });\n\n// GOOD: explicit fields\nconst { name, email } = schema.parse(req.body);\nawait prisma.user.update({ where: { id }, data: { name, email } });',
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG954",
+        name: "Mass Assignment: Object.assign from User Input",
+        severity: "high",
+        owasp: "API3:2023 Broken Object Property Level Authorization",
+        description: "Object.assign or spread is used to merge user input directly into a model/entity object, allowing attackers to overwrite internal fields.",
+        pattern: /Object\.assign\s*\(\s*(?:user|item|record|entity|model|doc|document)\s*,\s*(?:req\.body|body|input|args|data)\s*\)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Pick specific allowed fields from user input before merging into model objects.",
+        fixCode: '// BAD: Object.assign(user, req.body);\n\n// GOOD: explicit pick\nconst { name, bio } = schema.parse(req.body);\nObject.assign(user, { name, bio });',
+        compliance: ["SOC2:CC6.6"],
+    },
+    // API4:2023 — Unrestricted Resource Consumption
+    {
+        id: "VG955",
+        name: "Missing Pagination on List Endpoint",
+        severity: "medium",
+        owasp: "API4:2023 Unrestricted Resource Consumption",
+        description: "Database query returns all records without pagination (no limit/take/top). An attacker can request the entire table, causing DoS or exposing excessive data.",
+        pattern: /(?:findMany|find|select|from)\s*\((?:(?!limit|take|top|pageSize|per_?page|first|last|\.limit|LIMIT)[\s\S]){5,}?\)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Always add pagination: use take/limit with a maximum value. Never return unbounded result sets.",
+        fixCode: '// Add pagination\nconst items = await prisma.item.findMany({\n  take: Math.min(Number(searchParams.get("limit")) || 20, 100),\n  skip: Number(searchParams.get("offset")) || 0,\n});',
+        compliance: ["SOC2:CC7.1"],
+    },
+    {
+        id: "VG956",
+        name: "Missing Rate Limiting on API Route",
+        severity: "medium",
+        owasp: "API4:2023 Unrestricted Resource Consumption",
+        description: "Next.js API route handler performs expensive operations (database writes, external API calls, email sending) without any rate limiting. Attackers can abuse this to exhaust resources.",
+        pattern: /export\s+(?:async\s+)?function\s+POST\s*\([^)]*\)\s*\{(?:(?!rateLimit|rateLimiter|limiter|throttle|upstash|Ratelimit)[\s\S]){10,}?(?:\.create\s*\(|\.insert\s*\(|\.send\s*\(|resend\.|sendgrid\.|fetch\s*\(\s*['"]https)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add rate limiting to POST endpoints that create resources or call external services. Use @upstash/ratelimit or similar.",
+        fixCode: 'import { Ratelimit } from "@upstash/ratelimit";\nimport { Redis } from "@upstash/redis";\n\nconst ratelimit = new Ratelimit({\n  redis: Redis.fromEnv(),\n  limiter: Ratelimit.slidingWindow(10, "60 s"),\n});\n\nexport async function POST(req: Request) {\n  const { success } = await ratelimit.limit(userId);\n  if (!success) return new Response("Too Many Requests", { status: 429 });\n}',
+        compliance: ["SOC2:CC7.1"],
+    },
+    // API5:2023 — Broken Function Level Authorization
+    {
+        id: "VG957",
+        name: "Admin Endpoint Without Role Verification",
+        severity: "high",
+        owasp: "API5:2023 Broken Function Level Authorization",
+        description: "Endpoint in /admin or /api/admin path performs operations without verifying admin role or permissions. Any authenticated user could access admin functionality.",
+        pattern: /(?:\/api\/admin|\/admin)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!role|isAdmin|orgRole|permission|requireAdmin|checkRole|adminOnly|org:admin)[\s\S]){10,}?(?:prisma|db|supabase|sql)\.\w+/g,
+        languages: ["javascript", "typescript"],
+        fix: "Always verify admin role/permissions in admin endpoints.",
+        fixCode: 'const { userId, orgRole } = await auth();\nif (orgRole !== "org:admin") {\n  return new Response("Forbidden", { status: 403 });\n}',
+        compliance: ["SOC2:CC6.6", "HIPAA:§164.312(d)"],
+    },
+    // API6:2023 — Unrestricted Access to Sensitive Business Flows
+    {
+        id: "VG958",
+        name: "Sensitive Business Operation Without Confirmation",
+        severity: "medium",
+        owasp: "API6:2023 Unrestricted Access to Sensitive Business Flows",
+        description: "Destructive or irreversible operations (delete account, transfer money, cancel subscription) executed without a confirmation step or re-authentication.",
+        pattern: /(?:deleteAccount|deleteUser|cancelSubscription|transferFunds|refund|terminat)\w*\s*(?:=\s*async|\([\s\S]*?\)\s*(?:=>|{))(?:(?!confirm|verify|reauthenticate|twoFactor|2fa|otp|challenge)[\s\S]){10,}?(?:delete|destroy|remove|cancel)\s*\(/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Add a confirmation step or re-authentication before destructive operations.",
+        compliance: ["SOC2:CC6.6"],
+    },
+    // API8:2023 — Security Misconfiguration
+    {
+        id: "VG959",
+        name: "Verbose Error Response Leaks Internal Details",
+        severity: "medium",
+        owasp: "API8:2023 Security Misconfiguration",
+        description: "Catch block sends the raw error message or stack trace in the API response. This leaks internal implementation details to attackers.",
+        pattern: /catch\s*\(\s*(?:err|error|e)\s*\)\s*\{[\s\S]{0,200}?(?:res\.(?:json|send|status)|Response\.json|NextResponse\.json)\s*\([\s\S]{0,100}?(?:err|error|e)\.(?:message|stack|toString)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Return generic error messages to the client. Log detailed errors server-side only.",
+        fixCode: 'catch (error) {\n  console.error("Internal error:", error); // log server-side\n  return Response.json(\n    { error: "Something went wrong" }, // generic to client\n    { status: 500 }\n  );\n}',
+        compliance: ["SOC2:CC7.2"],
+    },
+];
+//# sourceMappingURL=api-security.js.map

package/build/data/rules/api-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-security.js","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAEA,kCAAkC;AAClC,uCAAuC;AACvC,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,uDAAuD;IACvD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,uLAAuL;QACzL,OAAO,EACL,+JAA+J;QACjK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2HAA2H;QAChI,OAAO,EACL,8PAA8P;QAChQ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oDAAoD;QAC1D,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,4JAA4J;QAC9J,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,OAAO,EACL,oKAAoK;QACtK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IAED,oCAAoC;IACpC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,sQAAsQ;QACxQ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mFAAmF;QACxF,OAAO,EACL,kNAAkN;QACpN,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,2EAA2E;IAC3E;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,8KAA8K;QAChL,OAAO,EACL,2JAA2J;QAC7J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yJAAyJ;QAC9J,OAAO,EACL,gPAAgP;QAClP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,2IAA2I;QAC7I,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,sJAAsJ;QACxJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gDAAgD;IAChD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,8JAA8J;QAChK,OAAO,EACL,qHAAqH;QACvH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,wLAAwL;QAC1L,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yHAAyH;QAC9H,OAAO,EACL,mYAAmY;QACrY,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,kDAAkD;IAClD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+CAA+C;QACtD,WAAW,EACT,iKAAiK;QACnK,OAAO,EACL,+OAA+O;QACjP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oIAAoI;QACtI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,8DAA8D;IAC9D;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2DAA2D;QAClE,WAAW,EACT,yJAAyJ;QAC3J,OAAO,EACL,8OAA8O;QAChP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,qLAAqL;QACvL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oMAAoM;QACtM,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}

package/build/data/rules/auth.js

@@ -190,7 +190,7 @@ export const authRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Next.js project uses Supabase Auth but middleware.ts/proxy.ts does not refresh the Supabase session. Without this, sessions expire and users get unexpectedly logged out.",
-        pattern: /(?:middleware|proxy)\.(?:ts|js)[\s\S]*?export\s+(?:async\s+)?function\s+middleware[\s\S]*?(?![\s\S]*?(?:supabase|createServerClient|updateSession))/g,
+        pattern: /export\s+(?:async\s+)?function\s+middleware\s*\([^)]*\)\s*\{(?:(?!supabase|createServerClient|updateSession)[\s\S]){50,}(?:\n\}|$)/g,
         languages: ["javascript", "typescript"],
         fix: "Add Supabase session refresh to your middleware.",
         fixCode: '// middleware.ts\nimport { createServerClient } from "@supabase/ssr";\nimport { NextResponse, type NextRequest } from "next/server";\n\nexport async function middleware(request: NextRequest) {\n  const response = NextResponse.next();\n  const supabase = createServerClient(url, anonKey, {\n    cookies: { /* cookie handlers */ }\n  });\n  await supabase.auth.getUser(); // refreshes session\n  return response;\n}',