guardvibe 1.8.0 → 1.8.2

package/README.md

@@ -1,5 +1,10 @@
 # GuardVibe
 
+[![npm version](https://img.shields.io/npm/v/guardvibe)](https://www.npmjs.com/package/guardvibe)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![Node.js CI](https://github.com/goklab/guardvibe/actions/workflows/ci.yml/badge.svg)](https://github.com/goklab/guardvibe/actions/workflows/ci.yml)
+[![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
+
 **The security MCP built for vibe coding.** 277 security rules covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-compatible coding agent.
@@ -430,7 +435,7 @@ GuardVibe takes supply chain security seriously:
 - **Minimal CI permissions** — GitHub Actions workflows use `permissions: contents: read` only
 - **Zero runtime dependencies** — only MCP SDK and Zod (both widely audited)
 
-To report a vulnerability, please email security@goklab.com or open a GitHub issue.
+To report a vulnerability, please email info@goklab.com or open a GitHub issue.
 
 ## License
 

package/build/cli.js

@@ -362,10 +362,23 @@ async function main() {
         console.log(pkg.version);
         process.exit(0);
     }
-    if (args.length === 0 || args[0] === "--help" || args[0] === "-h") {
+    if (args[0] === "--help" || args[0] === "-h") {
         printUsage();
         process.exit(0);
     }
+    // No args: if stdin is a pipe, start MCP server; if TTY, show help
+    if (args.length === 0) {
+        if (process.stdin.isTTY) {
+            printUsage();
+            process.exit(0);
+        }
+        else {
+            // Started by MCP client (Claude Code, Cursor, etc.) — launch MCP server
+            const { startMcpServer } = await import("./index.js");
+            await startMcpServer();
+            return;
+        }
+    }
     const command = args[0];
     if (command === "init") {
         const platform = args[1]?.toLowerCase();

package/build/data/rules/modern-stack.js

@@ -38,7 +38,7 @@ export const modernStackRules = [
         severity: "high",
         owasp: "A04:2023 Unrestricted Resource Consumption",
         description: "File upload handler does not validate file type (MIME type or extension). Attackers can upload executable files, scripts, or malicious content.",
-        pattern: /(?:formData\.get|req\.file|upload|multer|busboy|formidable|Files?\s*\[)[\s\S]{0,500}?(?:writeFile|putObject|upload|save|createBucket|put\s*\()(?:(?!mime|type|extension|contentType|allowedTypes|accept|fileFilter|allowedMimeTypes)[\s\S]){0,200}/gi,
+        pattern: /(?:formData\.get\s*\(|req\.file\b|multer\s*\(|busboy|formidable\s*\(|Files?\s*\[)[\s\S]{0,500}?(?:writeFile|putObject|\.upload\s*\(|\.save\s*\(|createBucket|\.put\s*\()(?:(?!mime|type|extension|contentType|allowedTypes|accept|fileFilter|allowedMimeTypes)[\s\S]){0,200}/gi,
         languages: ["javascript", "typescript"],
         fix: "Always validate file types against an allowlist before storing. Check both MIME type and extension.",
         fixCode: '// Validate file type before upload\nconst ALLOWED_TYPES = ["image/jpeg", "image/png", "image/webp"];\nconst file = formData.get("file") as File;\nif (!ALLOWED_TYPES.includes(file.type)) {\n  return new Response("Invalid file type", { status: 400 });\n}\nif (file.size > 5 * 1024 * 1024) {\n  return new Response("File too large", { status: 400 });\n}',
@@ -50,7 +50,7 @@ export const modernStackRules = [
         severity: "medium",
         owasp: "A04:2023 Unrestricted Resource Consumption",
         description: "File upload handler does not enforce a file size limit. Attackers can upload extremely large files to exhaust storage or memory.",
-        pattern: /(?:formData\.get|req\.file|upload)[\s\S]{0,300}?(?:writeFile|putObject|upload|save|put\s*\()(?:(?!size|limit|max|MB|GB|bytes|fileSizeLimit)[\s\S]){0,200}/gi,
+        pattern: /(?:formData\.get\s*\(|req\.file\b|multer\s*\()[\s\S]{0,300}?(?:writeFile|putObject|\.upload\s*\(|\.save\s*\(|\.put\s*\()(?:(?!size|limit|max|MB|GB|bytes|fileSizeLimit)[\s\S]){0,200}/gi,
         languages: ["javascript", "typescript"],
         fix: "Enforce a file size limit before processing uploads. Typical limits: 5MB for images, 50MB for documents.",
         fixCode: '// Check file size before upload\nconst MAX_SIZE = 5 * 1024 * 1024; // 5MB\nconst file = formData.get("file") as File;\nif (file.size > MAX_SIZE) {\n  return new Response("File too large (max 5MB)", { status: 400 });\n}',

package/build/index.d.ts

@@ -1,2 +1,2 @@
 #!/usr/bin/env node
-export {};
+export declare function startMcpServer(): Promise<void>;

package/build/index.js

@@ -288,6 +288,9 @@ server.tool("explain_remediation", "Deep explanation of a security finding: why
     const results = explainRemediation(rule_id, code, format, rules);
     return { content: [{ type: "text", text: results }] };
 });
+export async function startMcpServer() {
+    return main();
+}
 async function main() {
     // Load plugins
     const config = loadConfig(process.cwd());
@@ -319,7 +322,11 @@ async function main() {
     await server.connect(transport);
     console.error("GuardVibe Security MCP server running on stdio");
 }
-main().catch((error) => {
-    console.error("Fatal error:", error);
-    process.exit(1);
-});
+// Only auto-start when run directly (not imported by cli.ts)
+const isDirectRun = process.argv[1]?.replace(/\.js$/, "").endsWith("index");
+if (isDirectRun) {
+    main().catch((error) => {
+        console.error("Fatal error:", error);
+        process.exit(1);
+    });
+}

package/build/tools/export-sarif.js

@@ -1,3 +1,4 @@
+import { createRequire } from "module";
 import { readFileSync, statSync } from "fs";
 import { extname, basename, resolve } from "path";
 import { analyzeCode } from "./check-code.js";
@@ -5,6 +6,8 @@ import { owaspRules } from "../data/rules/index.js";
 import { loadConfig } from "../utils/config.js";
 import { EXTENSION_MAP, DEFAULT_EXCLUDES } from "../utils/constants.js";
 import { walkDirectory } from "../utils/walk-directory.js";
+const _require = createRequire(import.meta.url);
+const _pkg = _require("../../package.json");
 function severityToLevel(severity) {
     if (severity === "critical" || severity === "high")
         return "error";
@@ -72,7 +75,7 @@ export function exportSarif(path, rules) {
                 tool: {
                     driver: {
                         name: "GuardVibe",
-                        version: "0.10.0",
+                        version: _pkg.version,
                         informationUri: "https://guardvibe.dev",
                         rules: sarifRules,
                     },

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "guardvibe",
-  "version": "1.8.0",
+  "version": "1.8.2",
   "description": "Security MCP for vibe coding. 277 rules, 22 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
-    "guardvibe": "build/index.js",
+    "guardvibe": "build/cli.js",
     "guardvibe-init": "build/cli.js",
     "guardvibe-scan": "build/cli.js"
   },
@@ -79,7 +79,7 @@
   ],
   "author": "GokLab",
   "license": "Apache-2.0",
-  "homepage": "https://github.com/goklab/guardvibe",
+  "homepage": "https://guardvibe.dev",
   "repository": {
     "type": "git",
     "url": "https://github.com/goklab/guardvibe.git"