guardvibe 1.7.1 → 1.8.0

package/README.md

@@ -127,7 +127,7 @@ SOC2, PCI-DSS, HIPAA control mapping with compliance reports
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (12 MCP tools)
+## Tools (22 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -143,6 +143,16 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `export_sarif` | SARIF v2.1.0 export for CI/CD integration |
 | `get_security_docs` | Security best practices and guides |
 | `fix_code` | **Auto-fix suggestions** with concrete patches for AI agents |
+| `audit_config` | Audit project configuration files for cross-file security misconfigurations |
+| `generate_policy` | Detect project stack and generate tailored security policies (CSP, CORS, RLS) |
+| `review_pr` | Review PR diff for security issues with severity gating |
+| `scan_secrets_history` | Scan git history for leaked secrets (active and removed) |
+| `policy_check` | Check project against compliance policies defined in .guardviberc |
+| `analyze_dataflow` | Track tainted data flows from user input to dangerous sinks |
+| `check_command` | Analyze shell commands for security risks before execution |
+| `scan_config_change` | Compare config file versions to detect security downgrades |
+| `repo_security_posture` | Assess overall repository security posture and map sensitive areas |
+| `explain_remediation` | Get detailed remediation guidance with exploit scenarios and fix strategies |
 
 All scanning tools support `format: "json"` for machine-readable output.
 
@@ -311,6 +321,104 @@ Tested on a real 644-file Next.js + Supabase project:
 - False positive rate: **near zero** (comment/string filtering, human-readable text detection)
 - Detection rate: **100%** on known vulnerability patterns
 
+## Troubleshooting
+
+### MCP connection issues
+
+If your AI agent cannot connect to GuardVibe:
+
+1. **Restart your IDE/agent.** MCP servers are started by the host application. After running `npx guardvibe init`, restart Claude Code, Cursor, or Gemini CLI for the config to take effect.
+2. **Check the config path.** Run `npx guardvibe init claude` again and verify the output shows the correct config file location (`.claude.json` in your project root for Claude Code, `.cursor/mcp.json` for Cursor).
+3. **Verify Node.js version.** GuardVibe requires Node.js >= 18.0.0. Check with `node --version`.
+4. **Check npx cache.** If you upgraded GuardVibe and the old version is cached, run `npx -y guardvibe@latest` to force the latest version.
+
+### Node.js version requirements
+
+GuardVibe requires **Node.js >= 18.0.0**. Earlier versions will fail with syntax errors or missing APIs. Node.js 22 LTS is recommended.
+
+### False positives
+
+If a rule triggers on safe code:
+
+- **Inline suppression:** Add `// guardvibe-ignore VG001` on the same line, or `// guardvibe-ignore-next-line VG001` on the line above. Supports `//`, `#`, and `<!-- -->` comment styles.
+- **Config exclusion:** Add the rule ID to `rules.disable` in `.guardviberc`:
+  ```json
+  { "rules": { "disable": ["VG030"] } }
+  ```
+- **Path exclusion:** Add directories to `scan.exclude` in `.guardviberc`:
+  ```json
+  { "scan": { "exclude": ["fixtures/", "test-data/"] } }
+  ```
+
+### Pre-commit hook issues
+
+- **Hook not running:** Verify the hook file exists at `.git/hooks/pre-commit` and is executable (`chmod +x .git/hooks/pre-commit`).
+- **Hook blocking valid commits:** Use `git commit --no-verify` to skip the hook temporarily, then investigate the findings.
+- **Removing the hook:** Run `npx guardvibe hook uninstall`.
+
+## Security Model
+
+GuardVibe is designed for use on sensitive and proprietary codebases:
+
+- **100% local execution.** All scanning happens on your machine. No code, findings, or metadata are sent to any server.
+- **No accounts, no API keys, no telemetry.** There is no signup, no cloud dashboard, and no usage tracking of any kind.
+- **One optional network call.** The `scan_dependencies` and `check_dependencies` tools query the [OSV API](https://osv.dev/) to check for known CVEs. This is opt-in -- you only call it when you explicitly use those tools. No other tool makes network requests.
+- **Safe for air-gapped environments.** All code analysis rules run entirely offline. Only dependency vulnerability checks require network access.
+
+## Configuration (.guardviberc)
+
+Create a `.guardviberc` JSON file in your project root to customize GuardVibe behavior.
+
+### Full example
+
+```json
+{
+  "rules": {
+    "disable": ["VG030", "VG045"],
+    "severity": {
+      "VG002": "medium",
+      "VG010": "low"
+    }
+  },
+  "scan": {
+    "exclude": ["fixtures/", "coverage/", "dist/", "vendor/"],
+    "maxFileSize": 1048576
+  },
+  "plugins": [
+    "guardvibe-rules-awesome",
+    "./my-local-rules"
+  ],
+  "compliance": {
+    "frameworks": ["SOC2", "HIPAA"],
+    "failOn": "high",
+    "exceptions": [
+      {
+        "ruleId": "VG030",
+        "reason": "Accepted risk per security review 2026-03",
+        "approvedBy": "security-team",
+        "expiresAt": "2026-12-31",
+        "files": ["src/legacy/**"]
+      }
+    ],
+    "requiredControls": ["SOC2:CC6.1"]
+  }
+}
+```
+
+### Configuration fields
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `rules.disable` | `string[]` | `[]` | Rule IDs to skip during scanning |
+| `rules.severity` | `Record<string, string>` | `{}` | Override severity for specific rules |
+| `scan.exclude` | `string[]` | `[]` | Glob patterns for directories/files to skip |
+| `scan.maxFileSize` | `number` | `512000` | Maximum file size in bytes (files larger than this are skipped) |
+| `plugins` | `string[]` | `[]` | npm package names or local paths to load as plugins |
+| `compliance.frameworks` | `string[]` | -- | Compliance frameworks to map against (`SOC2`, `PCI-DSS`, `HIPAA`, `GDPR`, `ISO27001`) |
+| `compliance.failOn` | `string` | `"high"` | Minimum severity that causes compliance failure |
+| `compliance.exceptions` | `PolicyException[]` | `[]` | Approved exceptions with expiration dates |
+| `compliance.requiredControls` | `string[]` | -- | Controls that must pass regardless of exceptions |
+
 ## Security
 
 GuardVibe takes supply chain security seriously:

package/build/cli.js

@@ -1,7 +1,10 @@
 #!/usr/bin/env node
+import { createRequire } from "module";
 import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, unlinkSync } from "fs";
 import { join, dirname } from "path";
 import { homedir } from "os";
+const require = createRequire(import.meta.url);
+const pkg = require("../package.json");
 const GUARDVIBE_MCP_CONFIG = {
     command: "npx",
     args: ["-y", "guardvibe"],
@@ -314,23 +317,33 @@ function printUsage() {
     console.log(`
   GuardVibe Security - CLI
 
-  Usage:
+  Commands:
     npx guardvibe scan [path]        Scan a directory for security issues
-    npx guardvibe check <file>       Scan a single file
-    npx guardvibe init <platform>    Setup MCP server
-    npx guardvibe hook install       Install pre-commit hook
-    npx guardvibe hook uninstall     Remove pre-commit hook
+    npx guardvibe check <file>       Scan a single file for security issues
+    npx guardvibe init <platform>    Setup MCP server configuration
+    npx guardvibe hook install       Install pre-commit security hook
+    npx guardvibe hook uninstall     Remove pre-commit security hook
     npx guardvibe ci github          Generate GitHub Actions workflow
 
+  Scan CLI (used by pre-commit hook and CI):
+    npx guardvibe-scan               Scan git-staged files
+    npx guardvibe-scan --format sarif --output results.sarif
+
   Options:
     --format <type>   Output format: markdown (default), json, sarif
     --output <file>   Write results to file instead of stdout
+    --version, -V     Print version and exit
+    --help, -h        Show this help message
 
   MCP Platforms:
-    claude    Claude Code (.claude.json)
+    claude    Claude Code (.claude.json in project root)
     gemini    Gemini CLI (~/.gemini/settings.json)
     cursor    Cursor (.cursor/mcp.json)
-    all       All platforms
+    all       All platforms at once
+
+  Supported File Types:
+    .js .jsx .mjs .cjs .ts .tsx .mts .cts .py .go .html .sql
+    .sh .bash .yml .yaml .tf .toml .json Dockerfile
 
   Examples:
     npx guardvibe scan .
@@ -345,6 +358,10 @@ function printUsage() {
 }
 async function main() {
     const args = process.argv.slice(2);
+    if (args.includes("--version") || args.includes("-V")) {
+        console.log(pkg.version);
+        process.exit(0);
+    }
     if (args.length === 0 || args[0] === "--help" || args[0] === "-h") {
         printUsage();
         process.exit(0);

package/build/data/rules/cicd.js

@@ -9,6 +9,7 @@ export const cicdRules = [
         languages: ["yaml"],
         fix: "Pass secrets as environment variables instead of interpolating in run steps.",
         fixCode: "# Pass secrets via env, not interpolation\nsteps:\n  - run: echo \"deploying\"\n    env:\n      MY_SECRET: ${{ secrets.MY_SECRET }}",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
     },
     {
         id: "VG211",
@@ -20,6 +21,7 @@ export const cicdRules = [
         languages: ["yaml"],
         fix: "Use pull_request trigger instead, or avoid checking out PR code with pull_request_target.",
         fixCode: "# Use pull_request instead of pull_request_target\non:\n  pull_request:\n    branches: [main]",
+        compliance: ["SOC2:CC6.1", "SOC2:CC6.6"],
     },
     {
         id: "VG212",
@@ -31,6 +33,7 @@ export const cicdRules = [
         languages: ["yaml"],
         fix: "Pin actions to a specific commit SHA or version tag.",
         fixCode: "# Pin to specific version or SHA\nuses: actions/checkout@v4\n# Or pin to commit SHA:\n# uses: actions/checkout@abc123def456",
+        compliance: ["SOC2:CC7.1"],
     },
     {
         id: "VG213",
@@ -42,6 +45,7 @@ export const cicdRules = [
         languages: ["yaml"],
         fix: "Specify minimum required permissions for each job.",
         fixCode: "# Use least-privilege permissions\npermissions:\n  contents: read\n  pull-requests: write",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req8"],
     },
     {
         id: "VG214",

package/build/data/rules/core.js

@@ -132,6 +132,7 @@ export const coreRules = [
         languages: ["json"],
         fix: "Pin dependencies to specific versions or use caret ranges (^1.2.3). Run npm audit regularly.",
         fixCode: "// Pin to specific version\n\"lodash\": \"^4.17.21\"\n// Run: npm audit to check for vulnerabilities",
+        compliance: ["SOC2:CC7.1"],
     },
     {
         id: "VG030",
@@ -143,6 +144,7 @@ export const coreRules = [
         languages: ["javascript", "typescript", "python", "go"],
         fix: "Add rate limiting middleware. Express: npm install express-rate-limit. FastAPI: use slowapi. Apply stricter limits on auth endpoints (e.g. 5 requests/minute).",
         fixCode: "// Express rate limiting\nimport rateLimit from 'express-rate-limit';\napp.use('/api/', rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));",
+        compliance: ["SOC2:CC7.1"],
     },
     {
         id: "VG040",
@@ -166,6 +168,7 @@ export const coreRules = [
         languages: ["javascript", "typescript", "python"],
         fix: "Disable debug mode in production. Never expose stack traces to users.",
         fixCode: "// Use environment-based config\nconst DEBUG = process.env.NODE_ENV !== 'production';",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG042",
@@ -177,6 +180,7 @@ export const coreRules = [
         languages: ["javascript", "typescript"],
         fix: "Use helmet middleware: npm install helmet, then app.use(helmet()).",
         fixCode: "// Add helmet for security headers\nimport helmet from 'helmet';\napp.use(helmet());",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG060",
@@ -205,7 +209,7 @@ export const coreRules = [
     {
         id: "VG062",
         name: "Hardcoded secret in variable",
-        severity: "high",
+        severity: "critical",
         owasp: "A07:2025 Auth Failures",
         description: "Variable named secret, password, or apiKey assigned a string literal. Secrets should come from environment variables or a secrets manager, never hardcoded in source.",
         pattern: /(?:(?:const|let|var|export)\s+)?(?:secret|password|passwd|apiKey|api_key|privateKey|private_key|signingKey|signing_key|encryptionKey|encryption_key|masterKey|master_key|dbPassword|db_password)\s*(?::\s*string\s*)?=\s*["'][^"']{8,}["']/gi,

package/build/data/rules/deployment.js

@@ -47,6 +47,7 @@ export const deploymentRules = [
         languages: ["vercel-config", "json"],
         fix: "Set maxDuration to the minimum required. Default 300s is sufficient for most use cases.",
         fixCode: '// Set reasonable maxDuration\nexport const maxDuration = 60; // seconds — adjust to actual need',
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG506",
@@ -83,6 +84,7 @@ export const deploymentRules = [
         languages: ["nextjs-config", "javascript", "typescript"],
         fix: "Set poweredByHeader to false in next.config.ts.",
         fixCode: "// next.config.ts\nconst config = {\n  poweredByHeader: false,\n};",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG510",

package/build/data/rules/dockerfile.js

@@ -9,6 +9,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Add a USER instruction after installing dependencies: USER node (or appropriate non-root user).",
         fixCode: "FROM node:20-alpine\nRUN addgroup -S app && adduser -S app -G app\n# ... install dependencies ...\nUSER app\nCMD [\"node\", \"server.js\"]",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG201",
@@ -20,6 +21,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Copy only dependency files first (package.json, requirements.txt), then install, then copy source.",
         fixCode: "# Copy dependency files first\nCOPY package.json package-lock.json ./\nRUN npm ci --production\n# Then copy source\nCOPY . .",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG202",
@@ -31,6 +33,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Pin to a specific version tag: FROM node:20-alpine instead of FROM node:latest.",
         fixCode: "# Pin to specific version\nFROM node:20-alpine\n# Not: FROM node:latest\n# Not: FROM node",
+        compliance: ["SOC2:CC7.1"],
     },
     {
         id: "VG203",
@@ -42,6 +45,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Use runtime environment variables or Docker secrets instead of baking secrets into the image.",
         fixCode: "# Don't bake secrets in image\n# Instead, pass at runtime:\n# docker run -e SECRET_KEY=xxx myapp\n# Or use Docker secrets / .env file",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
     },
     {
         id: "VG204",
@@ -53,6 +57,7 @@ export const dockerfileRules = [
         languages: ["dockerfile"],
         fix: "Use COPY instead of ADD for local files. Only use ADD for URLs or tar extraction.",
         fixCode: "# Use COPY for local files\nCOPY ./src /app/src\n# Only use ADD for remote files or tar extraction\n# ADD https://example.com/file.tar.gz /app/",
+        compliance: ["SOC2:CC6.1"],
     },
     {
         id: "VG205",

package/build/data/rules/go.js

@@ -10,6 +10,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Use parameterized queries: db.Query('SELECT * FROM users WHERE id = $1', id). Never use fmt.Sprintf for SQL.",
         fixCode: "// Use parameterized queries\nrows, err := db.Query(\"SELECT * FROM users WHERE id = $1\", id)",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
     {
         id: "VG111",
@@ -21,6 +22,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Validate and sanitize all input before passing to exec.Command. Use an allowlist of permitted commands.",
         fixCode: "// Validate input, use allowlist\ncmd := exec.Command(\"ls\", \"-la\", safeDir)",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
     {
         id: "VG112",
@@ -32,6 +34,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Avoid template.HTML() with user input. Use html/template which auto-escapes by default.",
         fixCode: "// Use html/template which auto-escapes\n// Avoid template.HTML() with user input\ntmpl.Execute(w, data) // auto-escaped",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
     },
     {
         id: "VG113",
@@ -43,6 +46,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Wrap handlers with authentication middleware: http.Handle('/api/', authMiddleware(handler)).",
         fixCode: "// Wrap with auth middleware\nhttp.Handle(\"/api/\", authMiddleware(apiHandler))",
+        compliance: ["SOC2:CC6.1", "SOC2:CC6.6"],
     },
     {
         id: "VG114",
@@ -54,6 +58,7 @@ export const goRules = [
         languages: ["go"],
         fix: "Use crypto/sha256 or golang.org/x/crypto/bcrypt for password hashing.",
         fixCode: "// Use bcrypt for passwords\nimport \"golang.org/x/crypto/bcrypt\"\nhash, _ := bcrypt.GenerateFromPassword([]byte(password), 12)",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1"],
     },
     {
         id: "VG115",
@@ -65,5 +70,6 @@ export const goRules = [
         languages: ["go"],
         fix: "Set specific allowed origins instead of wildcard '*'.",
         fixCode: "// Specify allowed origins\nw.Header().Set(\"Access-Control-Allow-Origin\", \"https://myapp.com\")",
+        compliance: ["SOC2:CC6.1"],
     },
 ];

package/build/index.js

@@ -1,8 +1,11 @@
 #!/usr/bin/env node
+import { createRequire } from "module";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { checkCode } from "./tools/check-code.js";
+const require = createRequire(import.meta.url);
+const pkg = require("../package.json");
 import { checkProject } from "./tools/check-project.js";
 import { getSecurityDocs } from "./tools/get-security-docs.js";
 import { checkDependencies } from "./tools/check-deps.js";
@@ -27,9 +30,10 @@ import { explainRemediation } from "./tools/explain-remediation.js";
 import { discoverPlugins } from "./plugins/loader.js";
 import { builtinRules } from "./data/rules/index.js";
 import { loadConfig } from "./utils/config.js";
+import { setRules, getRules } from "./utils/rule-registry.js";
 const server = new McpServer({
     name: "guardvibe",
-    version: "1.6.0",
+    version: pkg.version,
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
@@ -43,7 +47,7 @@ server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top
         .describe("Framework context (e.g. express, nextjs, fastapi, react, django)"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ code, language, framework, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = checkCode(code, language, framework, undefined, undefined, format, rules);
     return {
         content: [{ type: "text", text: results }],
@@ -59,7 +63,7 @@ server.tool("check_project", "Scan multiple files for security vulnerabilities a
         .describe("List of files to scan: [{path, content}]"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ files, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = checkProject(files, format, rules);
     return {
         content: [{ type: "text", text: results }],
@@ -111,7 +115,7 @@ server.tool("scan_directory", "Scan an entire project directory for security vul
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
     baseline: z.string().optional().describe("Path to a previous scan JSON output file for baseline comparison (new/fixed/unchanged findings)"),
 }, async ({ path, recursive, exclude, format, baseline }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = scanDirectory(path, recursive, exclude, format, rules, baseline);
     return { content: [{ type: "text", text: results }] };
 });
@@ -136,7 +140,7 @@ server.tool("scan_secrets", "Scan files and directories for leaked secrets, API
 server.tool("scan_staged", "Scan git-staged files for security vulnerabilities before committing. Run this before every commit to catch issues early. No input needed — automatically reads staged files.", {
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = scanStaged(process.cwd(), format, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -147,7 +151,7 @@ server.tool("compliance_report", "Generate a compliance-focused security report
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
     mode: z.enum(["full", "executive"]).default("full").describe("Report mode: full (detailed) or executive (C-level summary)"),
 }, async ({ path, framework, format, mode }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = complianceReport(path, framework, format, rules, mode);
     return { content: [{ type: "text", text: results }] };
 });
@@ -155,7 +159,7 @@ server.tool("compliance_report", "Generate a compliance-focused security report
 server.tool("export_sarif", "Scan a directory and export results in SARIF v2.1.0 format for CI/CD integration (GitHub, GitLab, Azure DevOps). Returns JSON string.", {
     path: z.string().describe("Directory to scan"),
 }, async ({ path }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = exportSarif(path, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -179,7 +183,7 @@ server.tool("fix_code", "Analyze code for security vulnerabilities and return fi
         .describe("Framework context (e.g. express, nextjs, fastapi, react, django)"),
     format: z.enum(["markdown", "json"]).default("json").describe("Output format: json (for agent auto-fix) or markdown (human review)"),
 }, async ({ code, language, framework, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = fixCode(code, language, framework, undefined, format, rules);
     return {
         content: [{ type: "text", text: results }],
@@ -209,7 +213,7 @@ server.tool("review_pr", "Review a pull request for security issues. Scans only
     diff_only: z.boolean().default(true).describe("Only report findings in changed lines (true) or all findings in changed files (false)"),
     fail_on: z.enum(["critical", "high", "medium", "low", "none"]).default("high").describe("Block PR if findings at this severity or above exist"),
 }, async ({ path, base, format, diff_only, fail_on }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = reviewPr(path, base, format, diff_only, fail_on, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -227,7 +231,7 @@ server.tool("policy_check", "Check project against compliance policies defined i
     path: z.string().describe("Project root directory"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
 }, async ({ path, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = policyCheck(path, format, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -280,7 +284,7 @@ server.tool("explain_remediation", "Deep explanation of a security finding: why
     code: z.string().optional().describe("Affected code snippet for context"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
 }, async ({ rule_id, code, format }) => {
-    const rules = globalThis.__guardvibe_rules;
+    const rules = getRules();
     const results = explainRemediation(rule_id, code, format, rules);
     return { content: [{ type: "text", text: results }] };
 });
@@ -299,12 +303,18 @@ async function main() {
     // Register plugin tools
     for (const tool of plugins.tools) {
         server.tool(tool.name, tool.description, tool.schema, async (input) => {
-            const result = await tool.handler(input);
-            return { content: [{ type: "text", text: result }] };
+            try {
+                const result = await tool.handler(input);
+                return { content: [{ type: "text", text: result }] };
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                return { content: [{ type: "text", text: `Plugin error (${tool.name}): ${msg}` }] };
+            }
         });
     }
     // Store merged rules for tool handlers
-    globalThis.__guardvibe_rules = allRules;
+    setRules(allRules);
     const transport = new StdioServerTransport();
     await server.connect(transport);
     console.error("GuardVibe Security MCP server running on stdio");

package/build/tools/compliance-report.js

@@ -1,59 +1,15 @@
-import { readdirSync, readFileSync, statSync } from "fs";
-import { join, extname, basename, resolve } from "path";
+import { readFileSync, statSync } from "fs";
+import { extname, basename, resolve } from "path";
 import { analyzeCode } from "./check-code.js";
 import { loadConfig } from "../utils/config.js";
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml", ".tf": "terraform",
-    ".toml": "toml", ".json": "json",
-};
-const CONFIG_FILE_MAP = {
-    "vercel.json": "vercel-config",
-    "next.config.js": "nextjs-config",
-    "next.config.mjs": "nextjs-config",
-    "next.config.ts": "nextjs-config",
-    "docker-compose.yml": "docker-compose",
-    "docker-compose.yaml": "docker-compose",
-    "fly.toml": "fly-config",
-    "render.yaml": "render-config",
-    "netlify.toml": "netlify-config",
-};
-const DEFAULT_EXCLUDES = new Set([
-    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
-    ".next", ".nuxt", "coverage", ".turbo",
-]);
-function walkDir(dir, excludes, results) {
-    let entries;
-    try {
-        entries = readdirSync(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
-    for (const entry of entries) {
-        if (excludes.has(entry.name))
-            continue;
-        const fullPath = join(dir, entry.name);
-        if (entry.isDirectory()) {
-            walkDir(fullPath, excludes, results);
-        }
-        else if (entry.isFile()) {
-            const ext = extname(entry.name).toLowerCase();
-            if (EXTENSION_MAP[ext] || entry.name.startsWith("Dockerfile") || CONFIG_FILE_MAP[entry.name]) {
-                results.push(fullPath);
-            }
-        }
-    }
-}
+import { EXTENSION_MAP, CONFIG_FILE_MAP, DEFAULT_EXCLUDES } from "../utils/constants.js";
+import { walkDirectory } from "../utils/walk-directory.js";
 export function complianceReport(path, framework, format = "markdown", rules, mode = "full") {
     const scanRoot = resolve(path);
     const config = loadConfig(scanRoot);
     const excludes = new Set([...DEFAULT_EXCLUDES, ...config.scan.exclude]);
     const filePaths = [];
-    walkDir(scanRoot, excludes, filePaths);
+    walkDirectory(scanRoot, true, excludes, filePaths);
     // Scan all files
     const allFindings = [];
     for (const filePath of filePaths) {

package/build/tools/export-sarif.js

@@ -1,42 +1,10 @@
-import { readdirSync, readFileSync, statSync } from "fs";
-import { join, extname, basename, resolve } from "path";
+import { readFileSync, statSync } from "fs";
+import { extname, basename, resolve } from "path";
 import { analyzeCode } from "./check-code.js";
 import { owaspRules } from "../data/rules/index.js";
 import { loadConfig } from "../utils/config.js";
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml", ".tf": "terraform", ".json": "json",
-};
-const DEFAULT_EXCLUDES = new Set([
-    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
-    ".next", ".nuxt", "coverage", ".turbo",
-]);
-function walkDir(dir, excludes, results) {
-    let entries;
-    try {
-        entries = readdirSync(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
-    for (const entry of entries) {
-        if (excludes.has(entry.name))
-            continue;
-        const fullPath = join(dir, entry.name);
-        if (entry.isDirectory()) {
-            walkDir(fullPath, excludes, results);
-        }
-        else if (entry.isFile()) {
-            const ext = extname(entry.name).toLowerCase();
-            if (EXTENSION_MAP[ext] || entry.name.startsWith("Dockerfile")) {
-                results.push(fullPath);
-            }
-        }
-    }
-}
+import { EXTENSION_MAP, DEFAULT_EXCLUDES } from "../utils/constants.js";
+import { walkDirectory } from "../utils/walk-directory.js";
 function severityToLevel(severity) {
     if (severity === "critical" || severity === "high")
         return "error";
@@ -49,7 +17,7 @@ export function exportSarif(path, rules) {
     const config = loadConfig(scanRoot);
     const excludes = new Set([...DEFAULT_EXCLUDES, ...config.scan.exclude]);
     const filePaths = [];
-    walkDir(scanRoot, excludes, filePaths);
+    walkDirectory(scanRoot, true, excludes, filePaths);
     const allResults = [];
     for (const filePath of filePaths) {
         try {

package/build/tools/policy-check.js

@@ -1,46 +1,9 @@
-import { readdirSync, readFileSync, statSync } from "fs";
-import { join, extname, basename, resolve } from "path";
+import { readFileSync, statSync } from "fs";
+import { extname, basename, resolve } from "path";
 import { analyzeCode } from "./check-code.js";
 import { loadConfig } from "../utils/config.js";
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml", ".tf": "terraform",
-    ".toml": "toml", ".json": "json",
-};
-const CONFIG_FILE_MAP = {
-    "vercel.json": "vercel-config",
-    "next.config.js": "nextjs-config", "next.config.mjs": "nextjs-config", "next.config.ts": "nextjs-config",
-    "docker-compose.yml": "docker-compose", "docker-compose.yaml": "docker-compose",
-};
-const DEFAULT_EXCLUDES = new Set([
-    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
-    ".next", ".nuxt", "coverage", ".turbo",
-]);
-function walkDir(dir, excludes, results) {
-    let entries;
-    try {
-        entries = readdirSync(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
-    for (const entry of entries) {
-        if (excludes.has(entry.name))
-            continue;
-        const fullPath = join(dir, entry.name);
-        if (entry.isDirectory())
-            walkDir(fullPath, excludes, results);
-        else if (entry.isFile()) {
-            const ext = extname(entry.name).toLowerCase();
-            if (EXTENSION_MAP[ext] || entry.name.startsWith("Dockerfile") || CONFIG_FILE_MAP[entry.name]) {
-                results.push(fullPath);
-            }
-        }
-    }
-}
+import { EXTENSION_MAP, CONFIG_FILE_MAP, DEFAULT_EXCLUDES } from "../utils/constants.js";
+import { walkDirectory } from "../utils/walk-directory.js";
 function isExcepted(ruleId, filePath, exceptions) {
     for (const exc of exceptions) {
         if (exc.ruleId !== ruleId && exc.ruleId !== "*")
@@ -87,7 +50,7 @@ export function policyCheck(path, format = "markdown", rules) {
     }
     const excludes = new Set([...DEFAULT_EXCLUDES, ...config.scan.exclude]);
     const filePaths = [];
-    walkDir(scanRoot, excludes, filePaths);
+    walkDirectory(scanRoot, true, excludes, filePaths);
     const policyFindings = [];
     const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
     const failLevel = severityOrder[policy.failOn] ?? 1;

package/build/tools/review-pr.js

@@ -1,19 +1,7 @@
 import { execFileSync } from "child_process";
 import { extname, basename } from "path";
 import { analyzeCode } from "./check-code.js";
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml", ".tf": "terraform",
-    ".toml": "toml", ".json": "json",
-};
-const CONFIG_FILE_MAP = {
-    "vercel.json": "vercel-config",
-    "next.config.js": "nextjs-config", "next.config.mjs": "nextjs-config", "next.config.ts": "nextjs-config",
-    "docker-compose.yml": "docker-compose", "docker-compose.yaml": "docker-compose",
-};
+import { EXTENSION_MAP, CONFIG_FILE_MAP } from "../utils/constants.js";
 function execGit(args, cwd) {
     try {
         return execFileSync("git", args, { cwd, encoding: "utf-8", timeout: 15000 });

package/build/tools/scan-directory.js

@@ -1,64 +1,15 @@
-import { readdirSync, readFileSync, statSync } from "fs";
-import { join, extname, basename, resolve } from "path";
+import { createRequire } from "module";
+import { readFileSync, statSync } from "fs";
+import { extname, basename, resolve } from "path";
 import { createHash, randomUUID } from "crypto";
 import { analyzeCode } from "./check-code.js";
 import { loadConfig } from "../utils/config.js";
-const DEFAULT_EXCLUDES = new Set([
-    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
-    ".next", ".nuxt", ".svelte-kit", "target", "bin", "obj",
-    "coverage", ".turbo", ".venv", "venv",
-]);
-const EXTENSION_MAP = {
-    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
-    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
-    ".py": "python", ".go": "go", ".html": "html",
-    ".sql": "sql", ".sh": "shell", ".bash": "shell",
-    ".yml": "yaml", ".yaml": "yaml",
-    ".tf": "terraform",
-    ".toml": "toml", ".json": "json",
-};
-const CONFIG_FILE_MAP = {
-    "vercel.json": "vercel-config",
-    "next.config.js": "nextjs-config",
-    "next.config.mjs": "nextjs-config",
-    "next.config.ts": "nextjs-config",
-    "docker-compose.yml": "docker-compose",
-    "docker-compose.yaml": "docker-compose",
-    "fly.toml": "fly-config",
-    "render.yaml": "render-config",
-    "netlify.toml": "netlify-config",
-};
+import { DEFAULT_EXCLUDES, EXTENSION_MAP, CONFIG_FILE_MAP } from "../utils/constants.js";
+import { walkDirectory } from "../utils/walk-directory.js";
+const require = createRequire(import.meta.url);
+const pkg = require("../../package.json");
 // GuardVibe version — used in scan metadata
-const GUARDVIBE_VERSION = "1.4.0";
-function walkDirectory(dir, recursive, excludes, results) {
-    let entries;
-    try {
-        entries = readdirSync(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
-    for (const entry of entries) {
-        if (excludes.has(entry.name))
-            continue;
-        const fullPath = join(dir, entry.name);
-        if (entry.isDirectory() && recursive) {
-            walkDirectory(fullPath, recursive, excludes, results);
-        }
-        else if (entry.isFile()) {
-            const ext = extname(entry.name).toLowerCase();
-            if (EXTENSION_MAP[ext]) {
-                results.push(fullPath);
-            }
-            if (entry.name.startsWith("Dockerfile") || entry.name.endsWith(".dockerfile")) {
-                results.push(fullPath);
-            }
-            if (CONFIG_FILE_MAP[entry.name] && !results.includes(fullPath)) {
-                results.push(fullPath);
-            }
-        }
-    }
-}
+const GUARDVIBE_VERSION = pkg.version;
 function hashContent(content) {
     return createHash("sha256").update(content).digest("hex").substring(0, 16);
 }

package/build/utils/constants.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Shared constants used across GuardVibe tools.
+ * Single source of truth — all tool modules import from here.
+ */
+/** Maps file extensions to language identifiers for security analysis. */
+export declare const EXTENSION_MAP: Record<string, string>;
+/** Maps well-known config filenames to their language/type identifier. */
+export declare const CONFIG_FILE_MAP: Record<string, string>;
+/** Directory names excluded from filesystem scans by default. */
+export declare const DEFAULT_EXCLUDES: Set<string>;

package/build/utils/constants.js

@@ -0,0 +1,32 @@
+/**
+ * Shared constants used across GuardVibe tools.
+ * Single source of truth — all tool modules import from here.
+ */
+/** Maps file extensions to language identifiers for security analysis. */
+export const EXTENSION_MAP = {
+    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
+    ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
+    ".py": "python", ".go": "go", ".html": "html",
+    ".sql": "sql", ".sh": "shell", ".bash": "shell",
+    ".yml": "yaml", ".yaml": "yaml",
+    ".tf": "terraform",
+    ".toml": "toml", ".json": "json",
+};
+/** Maps well-known config filenames to their language/type identifier. */
+export const CONFIG_FILE_MAP = {
+    "vercel.json": "vercel-config",
+    "next.config.js": "nextjs-config",
+    "next.config.mjs": "nextjs-config",
+    "next.config.ts": "nextjs-config",
+    "docker-compose.yml": "docker-compose",
+    "docker-compose.yaml": "docker-compose",
+    "fly.toml": "fly-config",
+    "render.yaml": "render-config",
+    "netlify.toml": "netlify-config",
+};
+/** Directory names excluded from filesystem scans by default. */
+export const DEFAULT_EXCLUDES = new Set([
+    "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
+    ".next", ".nuxt", ".svelte-kit", "target", "bin", "obj",
+    "coverage", ".turbo", ".venv", "venv",
+]);

package/build/utils/rule-registry.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "../data/rules/types.js";
+export declare function setRules(rules: SecurityRule[]): void;
+export declare function getRules(): SecurityRule[];

package/build/utils/rule-registry.js

@@ -0,0 +1,7 @@
+let registeredRules = [];
+export function setRules(rules) {
+    registeredRules = rules;
+}
+export function getRules() {
+    return registeredRules;
+}

package/build/utils/walk-directory.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Shared recursive directory walker used by scan-directory, export-sarif,
+ * compliance-report, policy-check, and generate-policy tools.
+ */
+/**
+ * Recursively walk a directory, collecting file paths that match
+ * known source extensions, Dockerfiles, or config file names.
+ *
+ * @param dir       - Directory to walk
+ * @param recursive - Whether to descend into subdirectories
+ * @param excludes  - Set of directory names to skip
+ * @param results   - Accumulator array (mutated in place)
+ */
+export declare function walkDirectory(dir: string, recursive: boolean, excludes: Set<string>, results: string[]): void;

package/build/utils/walk-directory.js

@@ -0,0 +1,46 @@
+/**
+ * Shared recursive directory walker used by scan-directory, export-sarif,
+ * compliance-report, policy-check, and generate-policy tools.
+ */
+import { readdirSync } from "fs";
+import { join, extname } from "path";
+import { EXTENSION_MAP, CONFIG_FILE_MAP } from "./constants.js";
+/**
+ * Recursively walk a directory, collecting file paths that match
+ * known source extensions, Dockerfiles, or config file names.
+ *
+ * @param dir       - Directory to walk
+ * @param recursive - Whether to descend into subdirectories
+ * @param excludes  - Set of directory names to skip
+ * @param results   - Accumulator array (mutated in place)
+ */
+export function walkDirectory(dir, recursive, excludes, results) {
+    let entries;
+    try {
+        entries = readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        if (excludes.has(entry.name))
+            continue;
+        const fullPath = join(dir, entry.name);
+        if (entry.isDirectory() && recursive) {
+            walkDirectory(fullPath, recursive, excludes, results);
+        }
+        else if (entry.isFile()) {
+            const ext = extname(entry.name).toLowerCase();
+            if (EXTENSION_MAP[ext]) {
+                results.push(fullPath);
+            }
+            if (entry.name.startsWith("Dockerfile") || entry.name.endsWith(".dockerfile")) {
+                if (!results.includes(fullPath))
+                    results.push(fullPath);
+            }
+            if (CONFIG_FILE_MAP[entry.name] && !results.includes(fullPath)) {
+                results.push(fullPath);
+            }
+        }
+    }
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "guardvibe",
-  "version": "1.7.1",
-  "description": "Security MCP for vibe coding. 277 rules, 14 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
+  "version": "1.8.0",
+  "description": "Security MCP for vibe coding. 277 rules, 22 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
     "guardvibe": "build/index.js",