guardvibe 1.7.0 → 1.8.0

package/README.md

@@ -1,6 +1,6 @@
 # GuardVibe
 
-**The security MCP built for vibe coding.** 267 security rules covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 277 security rules covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-compatible coding agent.
 
@@ -8,7 +8,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-com
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **267 security rules** purpose-built for the stacks AI agents generate
+- **277 security rules** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -34,7 +34,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | CVE version detection | 21 packages | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 267 (focused) | 5000+ (broad) | N/A |
+| Rule count | 277 (focused) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -127,7 +127,7 @@ SOC2, PCI-DSS, HIPAA control mapping with compliance reports
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (12 MCP tools)
+## Tools (22 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -143,10 +143,20 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `export_sarif` | SARIF v2.1.0 export for CI/CD integration |
 | `get_security_docs` | Security best practices and guides |
 | `fix_code` | **Auto-fix suggestions** with concrete patches for AI agents |
+| `audit_config` | Audit project configuration files for cross-file security misconfigurations |
+| `generate_policy` | Detect project stack and generate tailored security policies (CSP, CORS, RLS) |
+| `review_pr` | Review PR diff for security issues with severity gating |
+| `scan_secrets_history` | Scan git history for leaked secrets (active and removed) |
+| `policy_check` | Check project against compliance policies defined in .guardviberc |
+| `analyze_dataflow` | Track tainted data flows from user input to dangerous sinks |
+| `check_command` | Analyze shell commands for security risks before execution |
+| `scan_config_change` | Compare config file versions to detect security downgrades |
+| `repo_security_posture` | Assess overall repository security posture and map sensitive areas |
+| `explain_remediation` | Get detailed remediation guidance with exploit scenarios and fix strategies |
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (267 rules across 23 modules)
+## Security Rules (277 rules across 23 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|
@@ -311,6 +321,104 @@ Tested on a real 644-file Next.js + Supabase project:
 - False positive rate: **near zero** (comment/string filtering, human-readable text detection)
 - Detection rate: **100%** on known vulnerability patterns
 
+## Troubleshooting
+
+### MCP connection issues
+
+If your AI agent cannot connect to GuardVibe:
+
+1. **Restart your IDE/agent.** MCP servers are started by the host application. After running `npx guardvibe init`, restart Claude Code, Cursor, or Gemini CLI for the config to take effect.
+2. **Check the config path.** Run `npx guardvibe init claude` again and verify the output shows the correct config file location (`.claude.json` in your project root for Claude Code, `.cursor/mcp.json` for Cursor).
+3. **Verify Node.js version.** GuardVibe requires Node.js >= 18.0.0. Check with `node --version`.
+4. **Check npx cache.** If you upgraded GuardVibe and the old version is cached, run `npx -y guardvibe@latest` to force the latest version.
+
+### Node.js version requirements
+
+GuardVibe requires **Node.js >= 18.0.0**. Earlier versions will fail with syntax errors or missing APIs. Node.js 22 LTS is recommended.
+
+### False positives
+
+If a rule triggers on safe code:
+
+- **Inline suppression:** Add `// guardvibe-ignore VG001` on the same line, or `// guardvibe-ignore-next-line VG001` on the line above. Supports `//`, `#`, and `<!-- -->` comment styles.
+- **Config exclusion:** Add the rule ID to `rules.disable` in `.guardviberc`:
+  ```json
+  { "rules": { "disable": ["VG030"] } }
+  ```
+- **Path exclusion:** Add directories to `scan.exclude` in `.guardviberc`:
+  ```json
+  { "scan": { "exclude": ["fixtures/", "test-data/"] } }
+  ```
+
+### Pre-commit hook issues
+
+- **Hook not running:** Verify the hook file exists at `.git/hooks/pre-commit` and is executable (`chmod +x .git/hooks/pre-commit`).
+- **Hook blocking valid commits:** Use `git commit --no-verify` to skip the hook temporarily, then investigate the findings.
+- **Removing the hook:** Run `npx guardvibe hook uninstall`.
+
+## Security Model
+
+GuardVibe is designed for use on sensitive and proprietary codebases:
+
+- **100% local execution.** All scanning happens on your machine. No code, findings, or metadata are sent to any server.
+- **No accounts, no API keys, no telemetry.** There is no signup, no cloud dashboard, and no usage tracking of any kind.
+- **One optional network call.** The `scan_dependencies` and `check_dependencies` tools query the [OSV API](https://osv.dev/) to check for known CVEs. This is opt-in -- you only call it when you explicitly use those tools. No other tool makes network requests.
+- **Safe for air-gapped environments.** All code analysis rules run entirely offline. Only dependency vulnerability checks require network access.
+
+## Configuration (.guardviberc)
+
+Create a `.guardviberc` JSON file in your project root to customize GuardVibe behavior.
+
+### Full example
+
+```json
+{
+  "rules": {
+    "disable": ["VG030", "VG045"],
+    "severity": {
+      "VG002": "medium",
+      "VG010": "low"
+    }
+  },
+  "scan": {
+    "exclude": ["fixtures/", "coverage/", "dist/", "vendor/"],
+    "maxFileSize": 1048576
+  },
+  "plugins": [
+    "guardvibe-rules-awesome",
+    "./my-local-rules"
+  ],
+  "compliance": {
+    "frameworks": ["SOC2", "HIPAA"],
+    "failOn": "high",
+    "exceptions": [
+      {
+        "ruleId": "VG030",
+        "reason": "Accepted risk per security review 2026-03",
+        "approvedBy": "security-team",
+        "expiresAt": "2026-12-31",
+        "files": ["src/legacy/**"]
+      }
+    ],
+    "requiredControls": ["SOC2:CC6.1"]
+  }
+}
+```
+
+### Configuration fields
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `rules.disable` | `string[]` | `[]` | Rule IDs to skip during scanning |
+| `rules.severity` | `Record<string, string>` | `{}` | Override severity for specific rules |
+| `scan.exclude` | `string[]` | `[]` | Glob patterns for directories/files to skip |
+| `scan.maxFileSize` | `number` | `512000` | Maximum file size in bytes (files larger than this are skipped) |
+| `plugins` | `string[]` | `[]` | npm package names or local paths to load as plugins |
+| `compliance.frameworks` | `string[]` | -- | Compliance frameworks to map against (`SOC2`, `PCI-DSS`, `HIPAA`, `GDPR`, `ISO27001`) |
+| `compliance.failOn` | `string` | `"high"` | Minimum severity that causes compliance failure |
+| `compliance.exceptions` | `PolicyException[]` | `[]` | Approved exceptions with expiration dates |
+| `compliance.requiredControls` | `string[]` | -- | Controls that must pass regardless of exceptions |
+
 ## Security
 
 GuardVibe takes supply chain security seriously:

package/build/cli.js

@@ -1,7 +1,10 @@
 #!/usr/bin/env node
+import { createRequire } from "module";
 import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, unlinkSync } from "fs";
 import { join, dirname } from "path";
 import { homedir } from "os";
+const require = createRequire(import.meta.url);
+const pkg = require("../package.json");
 const GUARDVIBE_MCP_CONFIG = {
     command: "npx",
     args: ["-y", "guardvibe"],
@@ -314,23 +317,33 @@ function printUsage() {
     console.log(`
   GuardVibe Security - CLI
 
-  Usage:
+  Commands:
     npx guardvibe scan [path]        Scan a directory for security issues
-    npx guardvibe check <file>       Scan a single file
-    npx guardvibe init <platform>    Setup MCP server
-    npx guardvibe hook install       Install pre-commit hook
-    npx guardvibe hook uninstall     Remove pre-commit hook
+    npx guardvibe check <file>       Scan a single file for security issues
+    npx guardvibe init <platform>    Setup MCP server configuration
+    npx guardvibe hook install       Install pre-commit security hook
+    npx guardvibe hook uninstall     Remove pre-commit security hook
     npx guardvibe ci github          Generate GitHub Actions workflow
 
+  Scan CLI (used by pre-commit hook and CI):
+    npx guardvibe-scan               Scan git-staged files
+    npx guardvibe-scan --format sarif --output results.sarif
+
   Options:
     --format <type>   Output format: markdown (default), json, sarif
     --output <file>   Write results to file instead of stdout
+    --version, -V     Print version and exit
+    --help, -h        Show this help message
 
   MCP Platforms:
-    claude    Claude Code (.claude.json)
+    claude    Claude Code (.claude.json in project root)
     gemini    Gemini CLI (~/.gemini/settings.json)
     cursor    Cursor (.cursor/mcp.json)
-    all       All platforms
+    all       All platforms at once
+
+  Supported File Types:
+    .js .jsx .mjs .cjs .ts .tsx .mts .cts .py .go .html .sql
+    .sh .bash .yml .yaml .tf .toml .json Dockerfile
 
   Examples:
     npx guardvibe scan .
@@ -345,6 +358,10 @@ function printUsage() {
 }
 async function main() {
     const args = process.argv.slice(2);
+    if (args.includes("--version") || args.includes("-V")) {
+        console.log(pkg.version);
+        process.exit(0);
+    }
     if (args.length === 0 || args[0] === "--help" || args[0] === "-h") {
         printUsage();
         process.exit(0);

package/build/data/rules/cicd.js

@@ -9,6 +9,7 @@ export const cicdRules = [
         languages: ["yaml"],
         fix: "Pass secrets as environment variables instead of interpolating in run steps.",
         fixCode: "# Pass secrets via env, not interpolation\nsteps:\n  - run: echo \"deploying\"\n    env:\n      MY_SECRET: ${{ secrets.MY_SECRET }}",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
     },
     {
         id: "VG211",
@@ -20,6 +21,7 @@ export const cicdRules = [
         languages: ["yaml"],
         fix: "Use pull_request trigger instead, or avoid checking out PR code with pull_request_target.",
         fixCode: "# Use pull_request instead of pull_request_target\non:\n  pull_request:\n    branches: [main]",
+        compliance: ["SOC2:CC6.1", "SOC2:CC6.6"],
     },
     {
         id: "VG212",
@@ -31,6 +33,7 @@ export const cicdRules = [
         languages: ["yaml"],
         fix: "Pin actions to a specific commit SHA or version tag.",
         fixCode: "# Pin to specific version or SHA\nuses: actions/checkout@v4\n# Or pin to commit SHA:\n# uses: actions/checkout@abc123def456",
+        compliance: ["SOC2:CC7.1"],
     },
     {
         id: "VG213",
@@ -42,6 +45,7 @@ export const cicdRules = [
         languages: ["yaml"],
         fix: "Specify minimum required permissions for each job.",
         fixCode: "# Use least-privilege permissions\npermissions:\n  contents: read\n  pull-requests: write",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req8"],
     },
     {
         id: "VG214",

package/build/data/rules/core.js

@@ -132,6 +132,7 @@ export const coreRules = [
         languages: ["json"],
         fix: "Pin dependencies to specific versions or use caret ranges (^1.2.3). Run npm audit regularly.",
         fixCode: "// Pin to specific version\n\"lodash\": \"^4.17.21\"\n// Run: npm audit to check for vulnerabilities",
+        compliance: ["SOC2:CC7.1"],
     },
     {
         id: "VG030",
@@ -143,6 +144,7 @@ export const coreRules = [
         languages: ["javascript", "typescript", "python", "go"],
         fix: "Add rate limiting middleware. Express: npm install express-rate-limit. FastAPI: use slowapi. Apply stricter limits on auth endpoints (e.g. 5 requests/minute).",
         fixCode: "// Express rate limiting\nimport rateLimit from 'express-rate-limit';\napp.use('/api/', rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));",
+        compliance: ["SOC2:CC7.1"],
     },
     {
         id: "VG040",
@@ -166,6 +168,7 @@ export const coreRules = [
         languages: ["javascript", "typescript", "python"],
         fix: "Disable debug mode in production. Never expose stack traces to users.",
         fixCode: "// Use environment-based config\nconst DEBUG = process.env.NODE_ENV !== 'production';",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG042",
@@ -177,6 +180,7 @@ export const coreRules = [
         languages: ["javascript", "typescript"],
         fix: "Use helmet middleware: npm install helmet, then app.use(helmet()).",
         fixCode: "// Add helmet for security headers\nimport helmet from 'helmet';\napp.use(helmet());",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG060",
@@ -205,7 +209,7 @@ export const coreRules = [
     {
         id: "VG062",
         name: "Hardcoded secret in variable",
-        severity: "high",
+        severity: "critical",
         owasp: "A07:2025 Auth Failures",
         description: "Variable named secret, password, or apiKey assigned a string literal. Secrets should come from environment variables or a secrets manager, never hardcoded in source.",
         pattern: /(?:(?:const|let|var|export)\s+)?(?:secret|password|passwd|apiKey|api_key|privateKey|private_key|signingKey|signing_key|encryptionKey|encryption_key|masterKey|master_key|dbPassword|db_password)\s*(?::\s*string\s*)?=\s*["'][^"']{8,}["']/gi,
@@ -346,4 +350,40 @@ export const coreRules = [
         fixCode: '// BAD: user controls the regex\nconst re = new RegExp(req.query.search);\n\n// GOOD: escape regex special chars\nfunction escapeRegex(s: string) {\n  return s.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&");\n}\nconst re = new RegExp(escapeRegex(req.query.search));\n\n// BETTER: use string methods\nconst results = items.filter(i => i.name.includes(query));',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG108",
+        name: "Vue v-html Directive with User Data",
+        severity: "high",
+        owasp: "A07:2025 Cross-Site Scripting",
+        description: "Vue's v-html directive renders raw HTML without sanitization, equivalent to innerHTML. If user-controlled data is bound via v-html, attackers can inject arbitrary scripts for stored or reflected XSS.",
+        pattern: /v-html\s*=\s*["'](?!['"])\w/gi,
+        languages: ["html", "javascript", "typescript"],
+        fix: "Avoid v-html with user data. Use text interpolation {{ }} or sanitize with DOMPurify before rendering.",
+        fixCode: '<!-- BAD: raw HTML rendering -->\n<!-- <div v-html="userComment"></div> -->\n\n<!-- GOOD: text interpolation (auto-escaped) -->\n<div>{{ userComment }}</div>\n\n<!-- If HTML needed: sanitize first -->\n<div v-html="DOMPurify.sanitize(userComment)"></div>',
+        compliance: ["SOC2:CC7.1"],
+    },
+    {
+        id: "VG109",
+        name: "Angular innerHTML Binding with User Data",
+        severity: "high",
+        owasp: "A07:2025 Cross-Site Scripting",
+        description: "Angular's [innerHTML] property binding renders HTML content. While Angular's built-in sanitizer strips scripts, it can be bypassed with bypassSecurityTrustHtml() or via CSS/SVG-based XSS vectors.",
+        pattern: /(?:\[innerHTML\]\s*=\s*["']\w|bypassSecurityTrustHtml\s*\()/gi,
+        languages: ["html", "typescript"],
+        fix: "Avoid [innerHTML] with user data. If unavoidable, never use bypassSecurityTrustHtml() on user input.",
+        fixCode: '<!-- BAD: bypass Angular sanitizer -->\n<!-- <div [innerHTML]="trustedHtml"></div> -->\n<!-- this.trustedHtml = this.sanitizer.bypassSecurityTrustHtml(userInput); -->\n\n<!-- GOOD: let Angular sanitize automatically -->\n<div [innerText]="userInput"></div>\n<!-- Or use Angular pipe with DOMPurify -->',
+        compliance: ["SOC2:CC7.1"],
+    },
+    {
+        id: "VG116",
+        name: "HTML Event Handler Injection via User Input",
+        severity: "high",
+        owasp: "A07:2025 Cross-Site Scripting",
+        description: "User input is interpolated into HTML attributes that accept JavaScript (onclick, onerror, onload, onmouseover, onfocus). Even without script tags, event handlers execute arbitrary JavaScript when the element is interacted with or loads.",
+        pattern: /(?:on(?:click|error|load|mouseover|focus|blur|submit|change|input|keyup|keydown))\s*=\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+\s*(?:user|input|query|param|req\.|data\.))/gi,
+        languages: ["javascript", "typescript", "html"],
+        fix: "Never interpolate user input into HTML event handler attributes. Use addEventListener with sanitized data instead.",
+        fixCode: '// BAD: user input in event handler\n// `<img onerror="${userInput}">`\n\n// GOOD: use addEventListener\nconst img = document.createElement("img");\nimg.addEventListener("error", () => handleError(sanitizedInput));',
+        compliance: ["SOC2:CC7.1"],
+    },
 ];

package/build/data/rules/deployment.js

@@ -47,6 +47,7 @@ export const deploymentRules = [
         languages: ["vercel-config", "json"],
         fix: "Set maxDuration to the minimum required. Default 300s is sufficient for most use cases.",
         fixCode: '// Set reasonable maxDuration\nexport const maxDuration = 60; // seconds — adjust to actual need',
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG506",
@@ -83,6 +84,7 @@ export const deploymentRules = [
         languages: ["nextjs-config", "javascript", "typescript"],
         fix: "Set poweredByHeader to false in next.config.ts.",
         fixCode: "// next.config.ts\nconst config = {\n  poweredByHeader: false,\n};",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG510",
@@ -230,4 +232,16 @@ export const deploymentRules = [
         fixCode: '# BAD: breaks container isolation\n# hostNetwork: true\n# hostPID: true\n\n# GOOD: use pod networking\nspec:\n  hostNetwork: false\n  hostPID: false\n  hostIPC: false\n  containers:\n    - name: app\n      securityContext:\n        runAsNonRoot: true',
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.10"],
     },
+    {
+        id: "VG524",
+        name: "Data URL or Blob URL in User-Controlled src/href",
+        severity: "high",
+        owasp: "A07:2025 Cross-Site Scripting",
+        description: "User-controlled input is used in src or href attributes without blocking data: and blob: URL schemes. data:text/html URLs can embed full HTML pages with scripts, and javascript: URLs execute code — bypassing same-origin restrictions.",
+        pattern: /(?:src|href|action|poster|srcDoc)\s*=\s*\{[\s\S]{0,100}?(?:user|input|param|query|data|url|link|content)[\s\S]{0,100}?(?:(?!(?:startsWith|protocol|scheme|allowlist|whitelist|URL\()[\s\S]{0,50}?))\}/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Validate URL scheme against an allowlist (https: only). Block data:, blob:, and javascript: URLs from user input.",
+        fixCode: '// Validate URL scheme\nfunction isSafeUrl(url: string): boolean {\n  try {\n    const parsed = new URL(url);\n    return ["https:", "http:"].includes(parsed.protocol);\n  } catch {\n    return false;\n  }\n}\n\n// Usage\n<img src={isSafeUrl(userUrl) ? userUrl : "/placeholder.png"} />',
+        compliance: ["SOC2:CC7.1"],
+    },
 ];

package/build/data/rules/dockerfile.js

@@ -9,6 +9,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Add a USER instruction after installing dependencies: USER node (or appropriate non-root user).",
         fixCode: "FROM node:20-alpine\nRUN addgroup -S app && adduser -S app -G app\n# ... install dependencies ...\nUSER app\nCMD [\"node\", \"server.js\"]",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG201",
@@ -20,6 +21,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Copy only dependency files first (package.json, requirements.txt), then install, then copy source.",
         fixCode: "# Copy dependency files first\nCOPY package.json package-lock.json ./\nRUN npm ci --production\n# Then copy source\nCOPY . .",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG202",
@@ -31,6 +33,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Pin to a specific version tag: FROM node:20-alpine instead of FROM node:latest.",
         fixCode: "# Pin to specific version\nFROM node:20-alpine\n# Not: FROM node:latest\n# Not: FROM node",
+        compliance: ["SOC2:CC7.1"],
     },
     {
         id: "VG203",
@@ -42,6 +45,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Use runtime environment variables or Docker secrets instead of baking secrets into the image.",
         fixCode: "# Don't bake secrets in image\n# Instead, pass at runtime:\n# docker run -e SECRET_KEY=xxx myapp\n# Or use Docker secrets / .env file",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
     },
     {
         id: "VG204",
@@ -53,6 +57,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Use COPY instead of ADD for local files. Only use ADD for URLs or tar extraction.",
         fixCode: "# Use COPY for local files\nCOPY ./src /app/src\n# Only use ADD for remote files or tar extraction\n# ADD https://example.com/file.tar.gz /app/",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG205",

package/build/data/rules/go.js

@@ -10,6 +10,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Use parameterized queries: db.Query('SELECT * FROM users WHERE id = $1', id). Never use fmt.Sprintf for SQL.",
         fixCode: "// Use parameterized queries\nrows, err := db.Query(\"SELECT * FROM users WHERE id = $1\", id)",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
     {
         id: "VG111",
@@ -21,6 +22,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Validate and sanitize all input before passing to exec.Command. Use an allowlist of permitted commands.",
         fixCode: "// Validate input, use allowlist\ncmd := exec.Command(\"ls\", \"-la\", safeDir)",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
     {
         id: "VG112",
@@ -32,6 +34,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Avoid template.HTML() with user input. Use html/template which auto-escapes by default.",
         fixCode: "// Use html/template which auto-escapes\n// Avoid template.HTML() with user input\ntmpl.Execute(w, data) // auto-escaped",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
     },
     {
         id: "VG113",
@@ -43,6 +46,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Wrap handlers with authentication middleware: http.Handle('/api/', authMiddleware(handler)).",
         fixCode: "// Wrap with auth middleware\nhttp.Handle(\"/api/\", authMiddleware(apiHandler))",
+        compliance: ["SOC2:CC6.1", "SOC2:CC6.6"],
     },
     {
         id: "VG114",
@@ -54,6 +58,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Use crypto/sha256 or golang.org/x/crypto/bcrypt for password hashing.",
         fixCode: "// Use bcrypt for passwords\nimport \"golang.org/x/crypto/bcrypt\"\nhash, _ := bcrypt.GenerateFromPassword([]byte(password), 12)",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1"],
     },
     {
         id: "VG115",
@@ -65,5 +70,6 @@ export const goRules = [
         languages: ["go"],
         fix: "Set specific allowed origins instead of wildcard '*'.",
         fixCode: "// Specify allowed origins\nw.Header().Set(\"Access-Control-Allow-Origin\", \"https://myapp.com\")",
+        compliance: ["SOC2:CC6.1"],
     },
 ];

package/build/data/rules/modern-stack.js

@@ -434,4 +434,52 @@ export const modernStackRules = [
         fixCode: '// Express: trust only your reverse proxy\napp.set("trust proxy", 1); // trust first proxy\n\n// Rate limiter: use req.ip (respects trust proxy)\nimport rateLimit from "express-rate-limit";\nconst limiter = rateLimit({\n  keyGenerator: (req) => req.ip, // uses trusted proxy chain\n  max: 100,\n  windowMs: 15 * 60 * 1000,\n});',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG990",
+        name: "SVG File Upload Without Content Sanitization",
+        severity: "critical",
+        owasp: "A07:2025 Cross-Site Scripting",
+        description: "File upload accepts SVG files but does not scan or sanitize SVG content. SVG files can contain embedded <script> tags, event handlers (onload, onclick), and external resource references that execute JavaScript when the SVG is rendered in a browser.",
+        pattern: /(?:(?:allowedMimeTypes|accept|mimeTypes|fileTypes|allowedTypes|contentType)\s*[:=]\s*(?:\[[\s\S]*?|['"`])[\s\S]{0,100}?(?:svg|image\/svg|\.svg))/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Either reject SVG uploads entirely or sanitize SVG content by stripping script tags, event handlers, and external references. Use a library like DOMPurify with SVG profile.",
+        fixCode: '// Option 1: Reject SVGs\nconst ALLOWED_TYPES = ["image/png", "image/jpeg", "image/webp"]; // no SVG\n\n// Option 2: Sanitize SVG content\nimport DOMPurify from "dompurify";\nconst cleanSvg = DOMPurify.sanitize(svgContent, {\n  USE_PROFILES: { svg: true, svgFilters: true },\n  FORBID_TAGS: ["script", "foreignObject"],\n  FORBID_ATTR: ["onclick", "onerror", "onload"],\n});',
+        compliance: ["SOC2:CC7.1"],
+    },
+    {
+        id: "VG991",
+        name: "Markdown Rendered as HTML Without Sanitization",
+        severity: "high",
+        owasp: "A07:2025 Cross-Site Scripting",
+        description: "Markdown library output (marked, showdown, markdown-it, remark) is rendered as HTML without sanitization. Most markdown parsers allow raw HTML by default — user-submitted markdown like `<img onerror=alert(1)>` passes through as executable HTML.",
+        pattern: /(?:marked|showdown|markdownIt|markdown-it|unified|remark|rehype)[\s\S]{0,300}?(?:innerHTML|dangerouslySetInnerHTML|v-html|\[innerHTML\]|\.html\s*\(|res\.send)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Sanitize markdown HTML output with DOMPurify before rendering, or configure the parser to disable raw HTML.",
+        fixCode: '// BAD: unsanitized markdown\n// element.innerHTML = marked.parse(userMarkdown);\n\n// GOOD: sanitize after parsing\nimport DOMPurify from "dompurify";\nimport { marked } from "marked";\nconst html = DOMPurify.sanitize(marked.parse(userMarkdown));\n\n// Or disable HTML in parser\nmarked.setOptions({ sanitize: true });\n// markdown-it: const md = markdownIt({ html: false });',
+        compliance: ["SOC2:CC7.1"],
+    },
+    {
+        id: "VG992",
+        name: "Rich Text Editor Output Without Sanitization",
+        severity: "high",
+        owasp: "A07:2025 Cross-Site Scripting",
+        description: "WYSIWYG/rich text editor content (TipTap, Draft.js, Slate, Quill, CKEditor, TinyMCE) is rendered via innerHTML or dangerouslySetInnerHTML without sanitization. Editor output is user-controlled HTML that can contain XSS payloads — especially if the editor allows source code editing or paste from external sources.",
+        pattern: /(?:editor\.getHTML|getContent|convertToHTML|stateToHTML|serialize|draftToHtml|renderToString)[\s\S]{0,300}?(?:innerHTML|dangerouslySetInnerHTML|v-html|\[innerHTML\])/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Always sanitize rich text editor output with DOMPurify before rendering, even if the editor has its own sanitization.",
+        fixCode: '// BAD: direct editor output rendering\n// <div dangerouslySetInnerHTML={{ __html: editor.getHTML() }} />\n\n// GOOD: sanitize editor output\nimport DOMPurify from "dompurify";\nconst cleanHtml = DOMPurify.sanitize(editor.getHTML(), {\n  ALLOWED_TAGS: ["p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "h1", "h2", "h3"],\n  ALLOWED_ATTR: ["href", "target", "rel"],\n});\n<div dangerouslySetInnerHTML={{ __html: cleanHtml }} />',
+        compliance: ["SOC2:CC7.1"],
+    },
+    {
+        id: "VG993",
+        name: "Upload Filename Used Without Sanitization",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "User-uploaded file's original filename is used directly for storage without sanitization. Attackers can use directory traversal (../../etc/passwd), null bytes (file.php%00.jpg), double extensions (file.jpg.exe), or Unicode tricks to overwrite files, bypass type checks, or achieve remote code execution.",
+        pattern: /(?:file\.name|originalname|filename|req\.file\.originalname|formData\.get\s*\(\s*['"]file['"])\s*[\s\S]{0,100}?(?:writeFile|createWriteStream|save|upload|putObject|mv\s*\(|rename|storage)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Generate a random filename (UUID/nanoid) and validate the extension against an allowlist. Never use the original filename for storage.",
+        fixCode: 'import { randomUUID } from "crypto";\nimport path from "path";\n\n// Generate safe filename\nconst ext = path.extname(file.name).toLowerCase();\nconst ALLOWED_EXT = [".jpg", ".jpeg", ".png", ".webp", ".pdf"];\nif (!ALLOWED_EXT.includes(ext)) throw new Error("Invalid file type");\nconst safeName = `${randomUUID()}${ext}`;\nawait fs.writeFile(`/uploads/${safeName}`, buffer);',
+        compliance: ["SOC2:CC7.1"],
+    },
 ];

package/build/data/rules/nextjs.js

@@ -168,4 +168,16 @@ export const nextjsRules = [
         fixCode: '// next.config.ts\nexport default {\n  serverActions: {\n    allowedOrigins: ["myapp.com", "*.myapp.com"],\n  },\n};',
         compliance: ["SOC2:CC6.6"],
     },
+    {
+        id: "VG414",
+        name: "Server-Side Template Injection (SSTI)",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "User input is rendered using an unescaped template directive (EJS <%- %>, Handlebars {{{ }}}, Pug != operator, Nunjucks | safe filter). These directives bypass HTML escaping, allowing attackers to inject arbitrary HTML and JavaScript that executes server-side or client-side.",
+        pattern: /(?:<%-\s*\w|(?:\{\{\{)\s*\w|!=\s*\w[\s\S]{0,50}?(?:user|input|query|body|param|req\.|data\.)|\|\s*safe\s*(?:\}\}|\%\}))/gi,
+        languages: ["javascript", "typescript", "html"],
+        fix: "Always use escaped template directives: EJS <%= %>, Handlebars {{ }}, Pug =. Only use unescaped rendering for trusted, developer-controlled content.",
+        fixCode: '<!-- EJS: use escaped output -->\n<p><%= userInput %></p>   <!-- SAFE: HTML-escaped -->\n<!-- NOT: <%- userInput %>  DANGEROUS: raw HTML -->\n\n<!-- Handlebars: use double braces -->\n<p>{{userInput}}</p>      <!-- SAFE: escaped -->\n<!-- NOT: {{{userInput}}}   DANGEROUS: raw HTML -->\n\n<!-- Pug: use = not != -->\np= userInput              //- SAFE: escaped\n//- NOT: p!= userInput    DANGEROUS: raw HTML',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
 ];

package/build/data/rules/web-security.js

@@ -173,4 +173,16 @@ export const webSecurityRules = [
         fixCode: "// Reads from OPENAI_API_KEY env automatically\nconst openai = new OpenAI();",
         compliance: ["SOC2:CC6.1"],
     },
+    {
+        id: "VG678",
+        name: "Missing X-Content-Type-Options Header",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        description: "Response serving user-uploaded files does not set X-Content-Type-Options: nosniff. Browsers may MIME-sniff the content and execute uploaded files as HTML/JavaScript, enabling stored XSS via file uploads.",
+        pattern: /(?:createReadStream|sendFile|send\s*\(|pipe\s*\(|res\.download|res\.sendFile|getSignedUrl|getPublicUrl)[\s\S]{0,500}?(?:(?!X-Content-Type-Options|nosniff)[\s\S]){10,}?(?:res\.end|\.pipe|return|response)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Set X-Content-Type-Options: nosniff on all responses serving user-uploaded content.",
+        fixCode: '// Set nosniff header for uploaded file responses\nres.setHeader("X-Content-Type-Options", "nosniff");\nres.setHeader("Content-Disposition", "attachment"); // force download for unknown types\nres.sendFile(filePath);',
+        compliance: ["SOC2:CC6.1"],
+    },
 ];

package/build/index.js

@@ -1,8 +1,11 @@
 #!/usr/bin/env node
+import { createRequire } from "module";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { checkCode } from "./tools/check-code.js";
+const require = createRequire(import.meta.url);
+const pkg = require("../package.json");
 import { checkProject } from "./tools/check-project.js";
 import { getSecurityDocs } from "./tools/get-security-docs.js";
 import { checkDependencies } from "./tools/check-deps.js";
@@ -27,9 +30,10 @@ import { explainRemediation } from "./tools/explain-remediation.js";
 import { discoverPlugins } from "./plugins/loader.js";
 import { builtinRules } from "./data/rules/index.js";
 import { loadConfig } from "./utils/config.js";
+import { setRules, getRules } from "./utils/rule-registry.js";
 const server = new McpServer({
     name: "guardvibe",
-    version: "1.6.0",
+    version: pkg.version,
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
@@ -43,7 +47,7 @@ server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top
         .describe("Framework context (e.g. express, nextjs, fastapi, react, django)"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ code, language, framework, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = checkCode(code, language, framework, undefined, undefined, format, rules);
     return {
         content: [{ type: "text", text: results }],
@@ -59,7 +63,7 @@ server.tool("check_project", "Scan multiple files for security vulnerabilities a
         .describe("List of files to scan: [{path, content}]"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ files, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = checkProject(files, format, rules);
     return {
         content: [{ type: "text", text: results }],
@@ -111,7 +115,7 @@ server.tool("scan_directory", "Scan an entire project directory for security vul
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
     baseline: z.string().optional().describe("Path to a previous scan JSON output file for baseline comparison (new/fixed/unchanged findings)"),
 }, async ({ path, recursive, exclude, format, baseline }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = scanDirectory(path, recursive, exclude, format, rules, baseline);
     return { content: [{ type: "text", text: results }] };
 });
@@ -136,7 +140,7 @@ server.tool("scan_secrets", "Scan files and directories for leaked secrets, API
 server.tool("scan_staged", "Scan git-staged files for security vulnerabilities before committing. Run this before every commit to catch issues early. No input needed — automatically reads staged files.", {
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = scanStaged(process.cwd(), format, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -147,7 +151,7 @@ server.tool("compliance_report", "Generate a compliance-focused security report
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
     mode: z.enum(["full", "executive"]).default("full").describe("Report mode: full (detailed) or executive (C-level summary)"),
 }, async ({ path, framework, format, mode }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = complianceReport(path, framework, format, rules, mode);
     return { content: [{ type: "text", text: results }] };
 });
@@ -155,7 +159,7 @@ server.tool("compliance_report", "Generate a compliance-focused security report
 server.tool("export_sarif", "Scan a directory and export results in SARIF v2.1.0 format for CI/CD integration (GitHub, GitLab, Azure DevOps). Returns JSON string.", {
     path: z.string().describe("Directory to scan"),
 }, async ({ path }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = exportSarif(path, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -179,7 +183,7 @@ server.tool("fix_code", "Analyze code for security vulnerabilities and return fi
         .describe("Framework context (e.g. express, nextjs, fastapi, react, django)"),
     format: z.enum(["markdown", "json"]).default("json").describe("Output format: json (for agent auto-fix) or markdown (human review)"),
 }, async ({ code, language, framework, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = fixCode(code, language, framework, undefined, format, rules);
     return {
         content: [{ type: "text", text: results }],
@@ -209,7 +213,7 @@ server.tool("review_pr", "Review a pull request for security issues. Scans only
     diff_only: z.boolean().default(true).describe("Only report findings in changed lines (true) or all findings in changed files (false)"),
     fail_on: z.enum(["critical", "high", "medium", "low", "none"]).default("high").describe("Block PR if findings at this severity or above exist"),
 }, async ({ path, base, format, diff_only, fail_on }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = reviewPr(path, base, format, diff_only, fail_on, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -227,7 +231,7 @@ server.tool("policy_check", "Check project against compliance policies defined i
     path: z.string().describe("Project root directory"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
 }, async ({ path, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = policyCheck(path, format, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -280,7 +284,7 @@ server.tool("explain_remediation", "Deep explanation of a security finding: why
     code: z.string().optional().describe("Affected code snippet for context"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
 }, async ({ rule_id, code, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = explainRemediation(rule_id, code, format, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -299,12 +303,18 @@ async function main() {
     // Register plugin tools
     for (const tool of plugins.tools) {
         server.tool(tool.name, tool.description, tool.schema, async (input) => {
-            const result = await tool.handler(input);
-            return { content: [{ type: "text", text: result }] };
+            try {
+                const result = await tool.handler(input);
+                return { content: [{ type: "text", text: result }] };
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                return { content: [{ type: "text", text: `Plugin error (${tool.name}): ${msg}` }] };
+            }
         });
     }
     // Store merged rules for tool handlers
-    globalThis.__guardvibe_rules = allRules;
+    setRules(allRules);
     const transport = new StdioServerTransport();
     await server.connect(transport);
     console.error("GuardVibe Security MCP server running on stdio");

package/build/tools/compliance-report.js

@@ -1,59 +1,15 @@
-import { readdirSync, readFileSync, statSync } from "fs";
-import { join, extname, basename, resolve } from "path";
+import { readFileSync, statSync } from "fs";
+import { extname, basename, resolve } from "path";
 import { analyzeCode } from "./check-code.js";
 import { loadConfig } from "../utils/config.js";
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml", ".tf": "terraform",
-    ".toml": "toml", ".json": "json",
-};
-const CONFIG_FILE_MAP = {
-    "vercel.json": "vercel-config",
-    "next.config.js": "nextjs-config",
-    "next.config.mjs": "nextjs-config",
-    "next.config.ts": "nextjs-config",
-    "docker-compose.yml": "docker-compose",
-    "docker-compose.yaml": "docker-compose",
-    "fly.toml": "fly-config",
-    "render.yaml": "render-config",
-    "netlify.toml": "netlify-config",
-};
-const DEFAULT_EXCLUDES = new Set([
-    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
-    ".next", ".nuxt", "coverage", ".turbo",
-]);
-function walkDir(dir, excludes, results) {
-    let entries;
-    try {
-        entries = readdirSync(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
-    for (const entry of entries) {
-        if (excludes.has(entry.name))
-            continue;
-        const fullPath = join(dir, entry.name);
-        if (entry.isDirectory()) {
-            walkDir(fullPath, excludes, results);
-        }
-        else if (entry.isFile()) {
-            const ext = extname(entry.name).toLowerCase();
-            if (EXTENSION_MAP[ext] || entry.name.startsWith("Dockerfile") || CONFIG_FILE_MAP[entry.name]) {
-                results.push(fullPath);
-            }
-        }
-    }
-}
+import { EXTENSION_MAP, CONFIG_FILE_MAP, DEFAULT_EXCLUDES } from "../utils/constants.js";
+import { walkDirectory } from "../utils/walk-directory.js";
 export function complianceReport(path, framework, format = "markdown", rules, mode = "full") {
     const scanRoot = resolve(path);
     const config = loadConfig(scanRoot);
     const excludes = new Set([...DEFAULT_EXCLUDES, ...config.scan.exclude]);
     const filePaths = [];
-    walkDir(scanRoot, excludes, filePaths);
+    walkDirectory(scanRoot, true, excludes, filePaths);
     // Scan all files
     const allFindings = [];
     for (const filePath of filePaths) {

package/build/tools/export-sarif.js

@@ -1,42 +1,10 @@
-import { readdirSync, readFileSync, statSync } from "fs";
-import { join, extname, basename, resolve } from "path";
+import { readFileSync, statSync } from "fs";
+import { extname, basename, resolve } from "path";
 import { analyzeCode } from "./check-code.js";
 import { owaspRules } from "../data/rules/index.js";
 import { loadConfig } from "../utils/config.js";
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml", ".tf": "terraform", ".json": "json",
-};
-const DEFAULT_EXCLUDES = new Set([
-    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
-    ".next", ".nuxt", "coverage", ".turbo",
-]);
-function walkDir(dir, excludes, results) {
-    let entries;
-    try {
-        entries = readdirSync(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
-    for (const entry of entries) {
-        if (excludes.has(entry.name))
-            continue;
-        const fullPath = join(dir, entry.name);
-        if (entry.isDirectory()) {
-            walkDir(fullPath, excludes, results);
-        }
-        else if (entry.isFile()) {
-            const ext = extname(entry.name).toLowerCase();
-            if (EXTENSION_MAP[ext] || entry.name.startsWith("Dockerfile")) {
-                results.push(fullPath);
-            }
-        }
-    }
-}
+import { EXTENSION_MAP, DEFAULT_EXCLUDES } from "../utils/constants.js";
+import { walkDirectory } from "../utils/walk-directory.js";
 function severityToLevel(severity) {
     if (severity === "critical" || severity === "high")
         return "error";
@@ -49,7 +17,7 @@ export function exportSarif(path, rules) {
     const config = loadConfig(scanRoot);
     const excludes = new Set([...DEFAULT_EXCLUDES, ...config.scan.exclude]);
     const filePaths = [];
-    walkDir(scanRoot, excludes, filePaths);
+    walkDirectory(scanRoot, true, excludes, filePaths);
     const allResults = [];
     for (const filePath of filePaths) {
         try {

package/build/tools/policy-check.js

@@ -1,46 +1,9 @@
-import { readdirSync, readFileSync, statSync } from "fs";
-import { join, extname, basename, resolve } from "path";
+import { readFileSync, statSync } from "fs";
+import { extname, basename, resolve } from "path";
 import { analyzeCode } from "./check-code.js";
 import { loadConfig } from "../utils/config.js";
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml", ".tf": "terraform",
-    ".toml": "toml", ".json": "json",
-};
-const CONFIG_FILE_MAP = {
-    "vercel.json": "vercel-config",
-    "next.config.js": "nextjs-config", "next.config.mjs": "nextjs-config", "next.config.ts": "nextjs-config",
-    "docker-compose.yml": "docker-compose", "docker-compose.yaml": "docker-compose",
-};
-const DEFAULT_EXCLUDES = new Set([
-    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
-    ".next", ".nuxt", "coverage", ".turbo",
-]);
-function walkDir(dir, excludes, results) {
-    let entries;
-    try {
-        entries = readdirSync(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
-    for (const entry of entries) {
-        if (excludes.has(entry.name))
-            continue;
-        const fullPath = join(dir, entry.name);
-        if (entry.isDirectory())
-            walkDir(fullPath, excludes, results);
-        else if (entry.isFile()) {
-            const ext = extname(entry.name).toLowerCase();
-            if (EXTENSION_MAP[ext] || entry.name.startsWith("Dockerfile") || CONFIG_FILE_MAP[entry.name]) {
-                results.push(fullPath);
-            }
-        }
-    }
-}
+import { EXTENSION_MAP, CONFIG_FILE_MAP, DEFAULT_EXCLUDES } from "../utils/constants.js";
+import { walkDirectory } from "../utils/walk-directory.js";
 function isExcepted(ruleId, filePath, exceptions) {
     for (const exc of exceptions) {
         if (exc.ruleId !== ruleId && exc.ruleId !== "*")
@@ -87,7 +50,7 @@ export function policyCheck(path, format = "markdown", rules) {
     }
     const excludes = new Set([...DEFAULT_EXCLUDES, ...config.scan.exclude]);
     const filePaths = [];
-    walkDir(scanRoot, excludes, filePaths);
+    walkDirectory(scanRoot, true, excludes, filePaths);
     const policyFindings = [];
     const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
     const failLevel = severityOrder[policy.failOn] ?? 1;

package/build/tools/review-pr.js

@@ -1,19 +1,7 @@
 import { execFileSync } from "child_process";
 import { extname, basename } from "path";
 import { analyzeCode } from "./check-code.js";
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml", ".tf": "terraform",
-    ".toml": "toml", ".json": "json",
-};
-const CONFIG_FILE_MAP = {
-    "vercel.json": "vercel-config",
-    "next.config.js": "nextjs-config", "next.config.mjs": "nextjs-config", "next.config.ts": "nextjs-config",
-    "docker-compose.yml": "docker-compose", "docker-compose.yaml": "docker-compose",
-};
+import { EXTENSION_MAP, CONFIG_FILE_MAP } from "../utils/constants.js";
 function execGit(args, cwd) {
     try {
         return execFileSync("git", args, { cwd, encoding: "utf-8", timeout: 15000 });

package/build/tools/scan-directory.js

@@ -1,64 +1,15 @@
-import { readdirSync, readFileSync, statSync } from "fs";
-import { join, extname, basename, resolve } from "path";
+import { createRequire } from "module";
+import { readFileSync, statSync } from "fs";
+import { extname, basename, resolve } from "path";
 import { createHash, randomUUID } from "crypto";
 import { analyzeCode } from "./check-code.js";
 import { loadConfig } from "../utils/config.js";
-const DEFAULT_EXCLUDES = new Set([
-    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
-    ".next", ".nuxt", ".svelte-kit", "target", "bin", "obj",
-    "coverage", ".turbo", ".venv", "venv",
-]);
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml",
-    ".tf": "terraform",
-    ".toml": "toml", ".json": "json",
-};
-const CONFIG_FILE_MAP = {
-    "vercel.json": "vercel-config",
-    "next.config.js": "nextjs-config",
-    "next.config.mjs": "nextjs-config",
-    "next.config.ts": "nextjs-config",
-    "docker-compose.yml": "docker-compose",
-    "docker-compose.yaml": "docker-compose",
-    "fly.toml": "fly-config",
-    "render.yaml": "render-config",
-    "netlify.toml": "netlify-config",
-};
+import { DEFAULT_EXCLUDES, EXTENSION_MAP, CONFIG_FILE_MAP } from "../utils/constants.js";
+import { walkDirectory } from "../utils/walk-directory.js";
+const require = createRequire(import.meta.url);
+const pkg = require("../../package.json");
 // GuardVibe version — used in scan metadata
-const GUARDVIBE_VERSION = "1.4.0";
-function walkDirectory(dir, recursive, excludes, results) {
-    let entries;
-    try {
-        entries = readdirSync(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
-    for (const entry of entries) {
-        if (excludes.has(entry.name))
-            continue;
-        const fullPath = join(dir, entry.name);
-        if (entry.isDirectory() && recursive) {
-            walkDirectory(fullPath, recursive, excludes, results);
-        }
-        else if (entry.isFile()) {
-            const ext = extname(entry.name).toLowerCase();
-            if (EXTENSION_MAP[ext]) {
-                results.push(fullPath);
-            }
-            if (entry.name.startsWith("Dockerfile") || entry.name.endsWith(".dockerfile")) {
-                results.push(fullPath);
-            }
-            if (CONFIG_FILE_MAP[entry.name] && !results.includes(fullPath)) {
-                results.push(fullPath);
-            }
-        }
-    }
-}
+const GUARDVIBE_VERSION = pkg.version;
 function hashContent(content) {
     return createHash("sha256").update(content).digest("hex").substring(0, 16);
 }

package/build/utils/constants.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Shared constants used across GuardVibe tools.
+ * Single source of truth — all tool modules import from here.
+ */
+/** Maps file extensions to language identifiers for security analysis. */
+export declare const EXTENSION_MAP: Record<string, string>;
+/** Maps well-known config filenames to their language/type identifier. */
+export declare const CONFIG_FILE_MAP: Record<string, string>;
+/** Directory names excluded from filesystem scans by default. */
+export declare const DEFAULT_EXCLUDES: Set<string>;

package/build/utils/constants.js

@@ -0,0 +1,32 @@
+/**
+ * Shared constants used across GuardVibe tools.
+ * Single source of truth — all tool modules import from here.
+ */
+/** Maps file extensions to language identifiers for security analysis. */
+export const EXTENSION_MAP = {
+    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
+    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
+    ".py": "python", ".go": "go", ".html": "html",
+    ".sql": "sql", ".sh": "shell", ".bash": "shell",
+    ".yml": "yaml", ".yaml": "yaml",
+    ".tf": "terraform",
+    ".toml": "toml", ".json": "json",
+};
+/** Maps well-known config filenames to their language/type identifier. */
+export const CONFIG_FILE_MAP = {
+    "vercel.json": "vercel-config",
+    "next.config.js": "nextjs-config",
+    "next.config.mjs": "nextjs-config",
+    "next.config.ts": "nextjs-config",
+    "docker-compose.yml": "docker-compose",
+    "docker-compose.yaml": "docker-compose",
+    "fly.toml": "fly-config",
+    "render.yaml": "render-config",
+    "netlify.toml": "netlify-config",
+};
+/** Directory names excluded from filesystem scans by default. */
+export const DEFAULT_EXCLUDES = new Set([
+    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
+    ".next", ".nuxt", ".svelte-kit", "target", "bin", "obj",
+    "coverage", ".turbo", ".venv", "venv",
+]);

package/build/utils/rule-registry.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "../data/rules/types.js";
+export declare function setRules(rules: SecurityRule[]): void;
+export declare function getRules(): SecurityRule[];

package/build/utils/rule-registry.js

@@ -0,0 +1,7 @@
+let registeredRules = [];
+export function setRules(rules) {
+    registeredRules = rules;
+}
+export function getRules() {
+    return registeredRules;
+}

package/build/utils/walk-directory.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Shared recursive directory walker used by scan-directory, export-sarif,
+ * compliance-report, policy-check, and generate-policy tools.
+ */
+/**
+ * Recursively walk a directory, collecting file paths that match
+ * known source extensions, Dockerfiles, or config file names.
+ *
+ * @param dir       - Directory to walk
+ * @param recursive - Whether to descend into subdirectories
+ * @param excludes  - Set of directory names to skip
+ * @param results   - Accumulator array (mutated in place)
+ */
+export declare function walkDirectory(dir: string, recursive: boolean, excludes: Set<string>, results: string[]): void;

package/build/utils/walk-directory.js

@@ -0,0 +1,46 @@
+/**
+ * Shared recursive directory walker used by scan-directory, export-sarif,
+ * compliance-report, policy-check, and generate-policy tools.
+ */
+import { readdirSync } from "fs";
+import { join, extname } from "path";
+import { EXTENSION_MAP, CONFIG_FILE_MAP } from "./constants.js";
+/**
+ * Recursively walk a directory, collecting file paths that match
+ * known source extensions, Dockerfiles, or config file names.
+ *
+ * @param dir       - Directory to walk
+ * @param recursive - Whether to descend into subdirectories
+ * @param excludes  - Set of directory names to skip
+ * @param results   - Accumulator array (mutated in place)
+ */
+export function walkDirectory(dir, recursive, excludes, results) {
+    let entries;
+    try {
+        entries = readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        if (excludes.has(entry.name))
+            continue;
+        const fullPath = join(dir, entry.name);
+        if (entry.isDirectory() && recursive) {
+            walkDirectory(fullPath, recursive, excludes, results);
+        }
+        else if (entry.isFile()) {
+            const ext = extname(entry.name).toLowerCase();
+            if (EXTENSION_MAP[ext]) {
+                results.push(fullPath);
+            }
+            if (entry.name.startsWith("Dockerfile") || entry.name.endsWith(".dockerfile")) {
+                if (!results.includes(fullPath))
+                    results.push(fullPath);
+            }
+            if (CONFIG_FILE_MAP[entry.name] && !results.includes(fullPath)) {
+                results.push(fullPath);
+            }
+        }
+    }
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "guardvibe",
-  "version": "1.7.0",
-  "description": "Security MCP for vibe coding. 267 rules, 14 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
+  "version": "1.8.0",
+  "description": "Security MCP for vibe coding. 277 rules, 22 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
     "guardvibe": "build/index.js",