guardvibe 1.5.0 → 1.6.1

package/README.md

@@ -1,6 +1,6 @@
 # GuardVibe
 
-**The security MCP built for vibe coding.** 239 security rules covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 243 security rules covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-compatible coding agent.
 
@@ -8,7 +8,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-com
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **239 security rules** purpose-built for the stacks AI agents generate
+- **243 security rules** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -34,7 +34,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | CVE version detection | 21 packages | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 239 (focused) | 5000+ (broad) | N/A |
+| Rule count | 243 (focused) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -146,7 +146,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (239 rules across 23 modules)
+## Security Rules (243 rules across 23 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|

package/build/cli.d.ts

@@ -1,3 +1,2 @@
 #!/usr/bin/env node
 export {};
-//# sourceMappingURL=cli.d.ts.map

package/build/cli.js

@@ -422,4 +422,3 @@ async function main() {
         process.exit(1);
     }
 }
-//# sourceMappingURL=cli.js.map

package/build/data/compliance-metadata.d.ts

@@ -21,4 +21,3 @@ export declare function enrichRulesWithCompliance<T extends {
     audit?: string;
 }>(rules: T[]): T[];
 export {};
-//# sourceMappingURL=compliance-metadata.d.ts.map

package/build/data/compliance-metadata.js

@@ -271,4 +271,3 @@ export function enrichRulesWithCompliance(rules) {
     }
     return rules;
 }
-//# sourceMappingURL=compliance-metadata.js.map

package/build/data/framework-guides.d.ts

@@ -5,4 +5,3 @@ export interface SecurityGuide {
     content: string;
 }
 export declare const frameworkGuides: SecurityGuide[];
-//# sourceMappingURL=framework-guides.d.ts.map

package/build/data/framework-guides.js

@@ -786,4 +786,3 @@ throw new TRPCError({
 `,
     },
 ];
-//# sourceMappingURL=framework-guides.js.map

package/build/data/rules/ai-security.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const aiSecurityRules: SecurityRule[];
-//# sourceMappingURL=ai-security.d.ts.map

package/build/data/rules/ai-security.js

@@ -172,4 +172,3 @@ export const aiSecurityRules = [
         compliance: ["SOC2:CC7.1"],
     },
 ];
-//# sourceMappingURL=ai-security.js.map

package/build/data/rules/api-security.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const apiSecurityRules: SecurityRule[];
-//# sourceMappingURL=api-security.d.ts.map

package/build/data/rules/api-security.js

@@ -129,4 +129,3 @@ export const apiSecurityRules = [
         compliance: ["SOC2:CC7.2"],
     },
 ];
-//# sourceMappingURL=api-security.js.map

package/build/data/rules/auth.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const authRules: SecurityRule[];
-//# sourceMappingURL=auth.d.ts.map

package/build/data/rules/auth.js

@@ -170,6 +170,7 @@ export const authRules = [
         pattern: /(?:signInWithPassword|signUp)[\s\S]{0,200}?(?:searchParams|query|req\.query|params)[\s\S]{0,100}?password/gi,
         languages: ["javascript", "typescript"],
         fix: "Always send passwords via POST request body, never in URL parameters.",
+        fixCode: '// Send password in request body, not URL:\nconst { data } = await supabase.auth.signInWithPassword({\n  email,\n  password, // from form body, not URL params\n});',
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req8"],
     },
     {
@@ -197,4 +198,3 @@ export const authRules = [
         compliance: ["SOC2:CC6.6"],
     },
 ];
-//# sourceMappingURL=auth.js.map

package/build/data/rules/cicd.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const cicdRules: SecurityRule[];
-//# sourceMappingURL=cicd.d.ts.map

package/build/data/rules/cicd.js

@@ -44,4 +44,3 @@ export const cicdRules = [
         fixCode: "# Use least-privilege permissions\npermissions:\n  contents: read\n  pull-requests: write",
     },
 ];
-//# sourceMappingURL=cicd.js.map

package/build/data/rules/core.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const coreRules: SecurityRule[];
-//# sourceMappingURL=core.d.ts.map

package/build/data/rules/core.js

@@ -299,4 +299,3 @@ export const coreRules = [
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
 ];
-//# sourceMappingURL=core.js.map

package/build/data/rules/cve-versions.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const cveVersionRules: SecurityRule[];
-//# sourceMappingURL=cve-versions.d.ts.map

package/build/data/rules/cve-versions.js

@@ -242,4 +242,3 @@ export const cveVersionRules = [
         compliance: ["SOC2:CC6.1"],
     },
 ];
-//# sourceMappingURL=cve-versions.js.map

package/build/data/rules/database.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const databaseRules: SecurityRule[];
-//# sourceMappingURL=database.d.ts.map

package/build/data/rules/database.js

@@ -100,4 +100,3 @@ export const databaseRules = [
         compliance: ["SOC2:CC6.1"],
     },
 ];
-//# sourceMappingURL=database.js.map

package/build/data/rules/deployment.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const deploymentRules: SecurityRule[];
-//# sourceMappingURL=deployment.d.ts.map

package/build/data/rules/deployment.js

@@ -195,4 +195,3 @@ export const deploymentRules = [
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1"],
     },
 ];
-//# sourceMappingURL=deployment.js.map

package/build/data/rules/dockerfile.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const dockerfileRules: SecurityRule[];
-//# sourceMappingURL=dockerfile.d.ts.map

package/build/data/rules/dockerfile.js

@@ -55,4 +55,3 @@ export const dockerfileRules = [
         fixCode: "# Use COPY for local files\nCOPY ./src /app/src\n# Only use ADD for remote files or tar extraction\n# ADD https://example.com/file.tar.gz /app/",
     },
 ];
-//# sourceMappingURL=dockerfile.js.map

package/build/data/rules/firebase.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const firebaseRules: SecurityRule[];
-//# sourceMappingURL=firebase.d.ts.map

package/build/data/rules/firebase.js

@@ -68,6 +68,7 @@ export const firebaseRules = [
         pattern: /NEXT_PUBLIC_\w*(?:FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN|FIREBASE_PRIVATE|FIREBASE_SECRET)\w*\s*=/gi,
         languages: ["javascript", "typescript", "shell"],
         fix: "Remove NEXT_PUBLIC_ prefix from Firebase admin/service account credentials. These must be server-side only.",
+        fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_FIREBASE_SERVICE_ACCOUNT=...\n\n# CORRECT — server-side only\nFIREBASE_SERVICE_ACCOUNT=...\n# Use in API routes: admin.initializeApp({ credential: cert(JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT!)) })",
         compliance: ["SOC2:CC6.1"],
     },
     {
@@ -83,4 +84,3 @@ export const firebaseRules = [
         compliance: ["SOC2:CC6.1"],
     },
 ];
-//# sourceMappingURL=firebase.js.map

package/build/data/rules/go.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const goRules: SecurityRule[];
-//# sourceMappingURL=go.d.ts.map

package/build/data/rules/go.js

@@ -67,4 +67,3 @@ export const goRules = [
         fixCode: "// Specify allowed origins\nw.Header().Set(\"Access-Control-Allow-Origin\", \"https://myapp.com\")",
     },
 ];
-//# sourceMappingURL=go.js.map

package/build/data/rules/index.d.ts

@@ -1,4 +1,3 @@
 export type { SecurityRule } from "./types.js";
 export declare const owaspRules: import("./types.js").SecurityRule[];
 export declare const builtinRules: import("./types.js").SecurityRule[];
-//# sourceMappingURL=index.d.ts.map

package/build/data/rules/index.js

@@ -47,4 +47,3 @@ export const owaspRules = enrichRulesWithCompliance([
 ]);
 // Alias for clarity — these are the built-in rules without plugins
 export const builtinRules = owaspRules;
-//# sourceMappingURL=index.js.map

package/build/data/rules/modern-stack.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const modernStackRules: SecurityRule[];
-//# sourceMappingURL=modern-stack.d.ts.map

package/build/data/rules/modern-stack.js

@@ -411,4 +411,3 @@ export const modernStackRules = [
         compliance: ["SOC2:CC6.6"],
     },
 ];
-//# sourceMappingURL=modern-stack.js.map

package/build/data/rules/nextjs.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const nextjsRules: SecurityRule[];
-//# sourceMappingURL=nextjs.d.ts.map

package/build/data/rules/nextjs.js

@@ -157,4 +157,3 @@ export const nextjsRules = [
         compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
     },
 ];
-//# sourceMappingURL=nextjs.js.map

package/build/data/rules/other-services.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const otherServiceRules: SecurityRule[];
-//# sourceMappingURL=other-services.d.ts.map

package/build/data/rules/other-services.js

@@ -60,4 +60,3 @@ export const otherServiceRules = [
         compliance: ["SOC2:CC6.1"],
     },
 ];
-//# sourceMappingURL=other-services.js.map

package/build/data/rules/payments.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const paymentRules: SecurityRule[];
-//# sourceMappingURL=payments.d.ts.map

package/build/data/rules/payments.js

@@ -111,4 +111,3 @@ export const paymentRules = [
         compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
     },
 ];
-//# sourceMappingURL=payments.js.map

package/build/data/rules/react-native.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const reactNativeRules: SecurityRule[];
-//# sourceMappingURL=react-native.d.ts.map

package/build/data/rules/react-native.js

@@ -120,4 +120,3 @@ export const reactNativeRules = [
         compliance: ["SOC2:CC6.1"],
     },
 ];
-//# sourceMappingURL=react-native.js.map

package/build/data/rules/services.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const serviceRules: SecurityRule[];
-//# sourceMappingURL=services.d.ts.map

package/build/data/rules/services.js

@@ -137,4 +137,3 @@ export const serviceRules = [
         compliance: ["SOC2:CC6.1"],
     },
 ];
-//# sourceMappingURL=services.js.map

package/build/data/rules/shell.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const shellRules: SecurityRule[];
-//# sourceMappingURL=shell.d.ts.map

package/build/data/rules/shell.js

@@ -60,4 +60,3 @@ export const shellRules = [
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
 ];
-//# sourceMappingURL=shell.js.map

package/build/data/rules/sql.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const sqlRules: SecurityRule[];
-//# sourceMappingURL=sql.d.ts.map

package/build/data/rules/sql.js

@@ -48,4 +48,3 @@ export const sqlRules = [
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
 ];
-//# sourceMappingURL=sql.js.map

package/build/data/rules/supply-chain.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const supplyChainRules: SecurityRule[];
-//# sourceMappingURL=supply-chain.d.ts.map

package/build/data/rules/supply-chain.js

@@ -24,5 +24,52 @@ export const supplyChainRules = [
         fixCode: "- uses: actions/checkout@v4\n  with:\n    persist-credentials: false",
         compliance: ["SOC2:CC6.1"],
     },
+    {
+        id: "VG862",
+        name: "Source Map Publish Risk",
+        severity: "critical",
+        owasp: "A05:2021 Security Misconfiguration",
+        description: 'Source map files (.map) expose original source code when published to npm. Anthropic\'s Claude Code source leak (March 2026) was caused by this exact misconfiguration. If tsconfig enables sourceMap and the package lacks .npmignore exclusions, your entire codebase ships to the registry.',
+        pattern: /"sourceMap"\s*:\s*true/g,
+        languages: ["json"],
+        fix: 'Set "sourceMap": false in tsconfig.json for production builds, or add *.map to .npmignore to prevent source maps from being published.',
+        fixCode: '// tsconfig.json — disable source maps for published packages\n{\n  "compilerOptions": {\n    "sourceMap": false,\n    "declarationMap": false\n  }\n}\n\n// Or add to .npmignore:\n// *.map',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.10"],
+    },
+    {
+        id: "VG863",
+        name: 'package.json Missing "files" Field',
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        description: 'A publishable npm package without a "files" field in package.json publishes the entire project directory — including src/, .env, test fixtures, and internal configs. Always use "files" to whitelist only build output.',
+        pattern: /"version"\s*:\s*"[^"]*"(?![\s\S]*"files"\s*:)(?![\s\S]*"private"\s*:\s*true)/g,
+        languages: ["json"],
+        fix: 'Add a "files" field to package.json listing only the directories and files needed by consumers (e.g., dist/, build/).',
+        fixCode: '// package.json — whitelist published files\n{\n  "name": "my-package",\n  "version": "1.0.0",\n  "files": [\n    "dist",\n    "build",\n    "README.md"\n  ]\n}',
+        compliance: ["SOC2:CC6.1"],
+    },
+    {
+        id: "VG864",
+        name: '"files" Field Includes Source Code',
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        description: 'The "files" field in package.json includes source directories ("src", ".", or "**"). This publishes raw source code to npm, defeating the purpose of the whitelist. Only compiled output should be listed.',
+        pattern: /"files"\s*:\s*\[[^\]]*(?:"src"|"\.\/?"|"\*\*")[^\]]*\]/g,
+        languages: ["json"],
+        fix: 'Remove "src", ".", and "**" from the "files" array. Only include compiled output directories like "dist" or "build".',
+        fixCode: '// BAD — leaks source code\n// "files": ["src", "dist"]\n\n// GOOD — only build output\n{\n  "files": [\n    "dist",\n    "build"\n  ]\n}',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.10"],
+    },
+    {
+        id: "VG865",
+        name: ".npmignore Missing Sensitive File Patterns",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        description: ".npmignore exists but does not exclude common sensitive files (*.map, .env, src/). Without these exclusions, source maps, environment secrets, and raw source code can leak into the published package.",
+        pattern: /^(?![\s\S]*\*\.map)(?![\s\S]*\.env)(?![\s\S]*src\/).+/gm,
+        languages: ["shell"],
+        fix: "Add *.map, .env*, src/, and tests/ to .npmignore to prevent accidental publish of sensitive files.",
+        fixCode: "# .npmignore — exclude sensitive files from npm publish\n*.map\n.env\n.env.*\nsrc/\ntests/\n__tests__/\n*.test.*\n*.spec.*\ntsconfig*.json\n.github/",
+        compliance: ["SOC2:CC6.1"],
+    },
 ];
-//# sourceMappingURL=supply-chain.js.map

package/build/data/rules/terraform.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const terraformRules: SecurityRule[];
-//# sourceMappingURL=terraform.d.ts.map

package/build/data/rules/terraform.js

@@ -60,4 +60,3 @@ export const terraformRules = [
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
     },
 ];
-//# sourceMappingURL=terraform.js.map

package/build/data/rules/types.d.ts

@@ -12,4 +12,3 @@ export interface SecurityRule {
     exploit?: string;
     audit?: string;
 }
-//# sourceMappingURL=types.d.ts.map

package/build/data/rules/types.js

@@ -1,2 +1 @@
 export {};
-//# sourceMappingURL=types.js.map

package/build/data/rules/web-security.d.ts

@@ -1,3 +1,2 @@
 import type { SecurityRule } from "./types.js";
 export declare const webSecurityRules: SecurityRule[];
-//# sourceMappingURL=web-security.d.ts.map

package/build/data/rules/web-security.js

@@ -174,4 +174,3 @@ export const webSecurityRules = [
         compliance: ["SOC2:CC6.1"],
     },
 ];
-//# sourceMappingURL=web-security.js.map

package/build/data/secret-patterns.d.ts

@@ -6,4 +6,3 @@ export interface SecretPattern {
 }
 export declare const secretPatterns: SecretPattern[];
 export declare function calculateEntropy(str: string): number;
-//# sourceMappingURL=secret-patterns.d.ts.map

package/build/data/secret-patterns.js

@@ -84,4 +84,3 @@ export function calculateEntropy(str) {
     }
     return entropy;
 }
-//# sourceMappingURL=secret-patterns.js.map

package/build/index.d.ts

@@ -1,3 +1,2 @@
 #!/usr/bin/env node
 export {};
-//# sourceMappingURL=index.d.ts.map

package/build/index.js

@@ -20,12 +20,16 @@ import { reviewPr } from "./tools/review-pr.js";
 import { scanSecretsHistory } from "./tools/scan-secrets-history.js";
 import { policyCheck } from "./tools/policy-check.js";
 import { analyzeTaint, formatTaintFindings } from "./tools/taint-analysis.js";
+import { checkCommand } from "./tools/check-command.js";
+import { scanConfigChange } from "./tools/scan-config-change.js";
+import { repoSecurityPosture } from "./tools/repo-posture.js";
+import { explainRemediation } from "./tools/explain-remediation.js";
 import { discoverPlugins } from "./plugins/loader.js";
 import { builtinRules } from "./data/rules/index.js";
 import { loadConfig } from "./utils/config.js";
 const server = new McpServer({
     name: "guardvibe",
-    version: "1.5.0",
+    version: "1.6.0",
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
@@ -242,6 +246,44 @@ server.tool("analyze_dataflow", "Track user input (request body, URL params, for
     const results = formatTaintFindings(findings, format);
     return { content: [{ type: "text", text: results }] };
 });
+// Tool 19: Shell Command Risk Analyzer
+server.tool("check_command", "Analyze a shell command for security risks before execution. Returns allow/ask/deny verdict with blast radius, safer alternatives, and context-aware risk assessment. Detects: destructive ops, git history rewrites, secret exposure, data exfiltration, deploy triggers, privilege escalation, database drops.", {
+    command: z.string().describe("Shell command to analyze"),
+    cwd: z.string().default(".").describe("Current working directory"),
+    branch: z.string().optional().describe("Current git branch (for branch-specific risk)"),
+    format: z.enum(["markdown", "json"]).default("json").describe("Output format"),
+}, async ({ command, cwd, branch, format }) => {
+    const results = checkCommand(command, cwd, branch, format);
+    return { content: [{ type: "text", text: results }] };
+});
+// Tool 20: Config Change Security Analyzer
+server.tool("scan_config_change", "Compare before/after versions of a config file to detect security downgrades: CORS relaxation, CSP weakening, HSTS removal, debug mode, cookie flag changes, TLS disabling, new hardcoded secrets, removed security headers.", {
+    before: z.string().describe("Previous config file content"),
+    after: z.string().describe("New config file content"),
+    file_path: z.string().default("config").describe("Config file path for context"),
+    format: z.enum(["markdown", "json"]).default("json").describe("Output format"),
+}, async ({ before, after, file_path, format }) => {
+    const results = scanConfigChange(before, after, file_path, format);
+    return { content: [{ type: "text", text: results }] };
+});
+// Tool 21: Repository Security Posture
+server.tool("repo_security_posture", "Analyze a repository's overall security posture. Maps sensitive areas (auth, payments, PII, admin, API, infrastructure), identifies high-risk workflows, recommends guard mode, and lists priority fixes.", {
+    path: z.string().describe("Repository root path"),
+    format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
+}, async ({ path, format }) => {
+    const results = repoSecurityPosture(path, format);
+    return { content: [{ type: "text", text: results }] };
+});
+// Tool 22: Explain Remediation
+server.tool("explain_remediation", "Deep explanation of a security finding: why it's risky, real-world impact, exploit scenario, minimum fix, secure alternative, breaking risk assessment, and test strategy. Helps agents apply fixes correctly.", {
+    rule_id: z.string().describe("GuardVibe rule ID (e.g. VG001, VG402)"),
+    code: z.string().optional().describe("Affected code snippet for context"),
+    format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
+}, async ({ rule_id, code, format }) => {
+    const rules = globalThis.__guardvibe_rules;
+    const results = explainRemediation(rule_id, code, format, rules);
+    return { content: [{ type: "text", text: results }] };
+});
 async function main() {
     // Load plugins
     const config = loadConfig(process.cwd());
@@ -271,4 +313,3 @@ main().catch((error) => {
     console.error("Fatal error:", error);
     process.exit(1);
 });
-//# sourceMappingURL=index.js.map

package/build/plugins/loader.d.ts

@@ -15,4 +15,3 @@ export interface LoadedPlugins {
 }
 export declare function discoverPlugins(baseDir: string, configPlugins?: string[]): Promise<LoadedPlugins>;
 export {};
-//# sourceMappingURL=loader.d.ts.map

package/build/plugins/loader.js

@@ -148,4 +148,3 @@ export async function discoverPlugins(baseDir, configPlugins = []) {
     }
     return result;
 }
-//# sourceMappingURL=loader.js.map

package/build/plugins/types.d.ts

@@ -14,4 +14,3 @@ export interface GuardVibePlugin {
     rules?: SecurityRule[];
     tools?: GuardVibeTool[];
 }
-//# sourceMappingURL=types.d.ts.map

package/build/plugins/types.js

@@ -1,2 +1 @@
 export {};
-//# sourceMappingURL=types.js.map

package/build/tools/audit-config.d.ts

@@ -8,4 +8,3 @@ export interface ConfigIssue {
     files: string[];
 }
 export declare function auditConfig(path: string, format?: "markdown" | "json"): string;
-//# sourceMappingURL=audit-config.d.ts.map

package/build/tools/audit-config.js

@@ -367,4 +367,3 @@ export function auditConfig(path, format = "markdown") {
     }
     return lines.join("\n");
 }
-//# sourceMappingURL=audit-config.js.map

package/build/tools/check-code.d.ts

@@ -7,4 +7,3 @@ export interface Finding {
 export declare function analyzeCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, rules?: SecurityRule[]): Finding[];
 export declare function formatFindingsJson(findings: Finding[], extra?: Record<string, unknown>): string;
 export declare function checkCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, format?: "markdown" | "json", rules?: SecurityRule[]): string;
-//# sourceMappingURL=check-code.d.ts.map

package/build/tools/check-code.js

@@ -204,4 +204,3 @@ function formatReport(findings, language, framework) {
     }
     return lines.join("\n");
 }
-//# sourceMappingURL=check-code.js.map

package/build/tools/check-command.d.ts

@@ -0,0 +1,12 @@
+export interface CommandVerdict {
+    verdict: "allow" | "ask" | "deny";
+    risk: "critical" | "high" | "medium" | "low" | "none";
+    confidence: number;
+    category: string;
+    reason: string;
+    blastRadius: string;
+    saferAlternative?: string;
+    confirmationText?: string;
+    details: string[];
+}
+export declare function checkCommand(command: string, cwd?: string, branch?: string, format?: "markdown" | "json"): string;