guardvibe 1.8.7 → 1.8.9

package/build/data/rules/api-security.js

@@ -33,7 +33,7 @@ export const apiSecurityRules = [
         severity: "high",
         owasp: "API2:2023 Broken Authentication",
         description: "Next.js Route Handler that performs data operations without any authentication check. API routes are publicly accessible by default.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|verifyToken|checkAuth|clerkClient|getToken|session|protect)[\s\S]){10,}?(?:prisma|db|supabase|query|fetch|sql)\.\w+/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|requireRole|isAuthenticated|verifyToken|checkAuth|clerkClient|getToken|session|protect|withAuth)[\s\S]){10,}?(?:prisma|db|supabase|query|fetch|sql)\.\w+/g,
         languages: ["javascript", "typescript"],
         fix: "Add authentication at the start of every Route Handler that reads or writes data.",
         fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  // ... data access\n}',

package/build/tools/check-code.js

@@ -76,6 +76,9 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // Skip npm package rules (VG863/VG864/VG865): only apply to package.json files
         if ((rule.id === "VG863" || rule.id === "VG864" || rule.id === "VG865") && filePath && !filePath.endsWith("package.json"))
             continue;
+        // Skip destructive DDL rules (VG540-VG542) in migration directories
+        if (rule.id.startsWith("VG54") && filePath && /(?:migrations?|seeds?|fixtures)\//i.test(filePath))
+            continue;
         // Skip server-only import rule (VG964) for files that are inherently server-only:
         // Route Handlers (app/api/), middleware, instrumentation, next.config
         if (rule.id === "VG964" && filePath && /(?:\/api\/|middleware\.|instrumentation\.|next\.config\.)/.test(filePath))

package/build/tools/check-project.js

@@ -42,8 +42,10 @@ function detectLanguage(filePath) {
     const ext = filePath.match(/\.[^.]+$/)?.[0]?.toLowerCase();
     return ext ? extensionMap[ext] ?? null : null;
 }
-function calculateScore(critical, high, medium) {
-    return Math.max(0, Math.min(100, 100 - critical * 25 - high * 10 - medium * 5));
+function calculateScore(critical, high, medium, fileCount = 1) {
+    const weighted = critical * 10 + high * 3 + medium * 1;
+    const density = weighted / Math.max(fileCount, 1);
+    return Math.max(0, Math.min(100, Math.round(100 - density * 20)));
 }
 function scoreToGrade(score) {
     if (score >= 90)
@@ -76,7 +78,7 @@ export function checkProject(files, format = "markdown", rules) {
     const totalHigh = allFindings.filter((f) => f.rule.severity === "high").length;
     const totalMedium = allFindings.filter((f) => f.rule.severity === "medium").length;
     const totalIssues = totalCritical + totalHigh + totalMedium;
-    const score = calculateScore(totalCritical, totalHigh, totalMedium);
+    const score = calculateScore(totalCritical, totalHigh, totalMedium, scannedCount);
     const grade = scoreToGrade(score);
     if (format === "json") {
         return formatFindingsJson(allFindings, { grade, score });

package/build/tools/scan-directory.js

@@ -98,7 +98,13 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
     const totalHigh = allFindings.filter(f => f.rule.severity === "high").length;
     const totalMedium = allFindings.filter(f => f.rule.severity === "medium").length;
     const totalIssues = totalCritical + totalHigh + totalMedium;
-    const score = Math.max(0, Math.min(100, 100 - totalCritical * 25 - totalHigh * 10 - totalMedium * 5));
+    // Score based on weighted issue density (per file), not raw counts.
+    // This makes scoring fair for both small and large projects.
+    const filesScanned = scanResults.length || 1;
+    const weightedIssues = totalCritical * 10 + totalHigh * 3 + totalMedium * 1;
+    const density = weightedIssues / filesScanned;
+    // density 0 = 100, density >= 5 = 0
+    const score = Math.max(0, Math.min(100, Math.round(100 - density * 20)));
     const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
     // Baseline comparison
     let baselineDiff = null;

package/build/tools/scan-staged.js

@@ -89,7 +89,9 @@ export function scanStaged(cwd = process.cwd(), format = "markdown", rules) {
     const totalHigh = allFindings.filter(f => f.rule.severity === "high").length;
     const totalMedium = allFindings.filter(f => f.rule.severity === "medium").length;
     const totalIssues = totalCritical + totalHigh + totalMedium;
-    const score = Math.max(0, Math.min(100, 100 - totalCritical * 25 - totalHigh * 10 - totalMedium * 5));
+    const weightedIssues = totalCritical * 10 + totalHigh * 3 + totalMedium * 1;
+    const density = weightedIssues / Math.max(scannedCount, 1);
+    const score = Math.max(0, Math.min(100, Math.round(100 - density * 20)));
     const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
     if (format === "json") {
         return formatFindingsJson(allFindings, { grade, score });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "1.8.7",
+  "version": "1.8.9",
   "description": "Security MCP for vibe coding. 277 rules, 22 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {