guardvibe 1.9.0 → 1.9.2

package/build/cli.js

@@ -63,8 +63,54 @@ function setupPlatform(name) {
         });
     }
     console.log(`  [OK] Added MCP server to ${platform.description}`);
+    // For Claude Code: also set up hooks and CLAUDE.md guidance
+    if (name === "claude") {
+        setupClaudeHooksAndGuide();
+    }
     return true;
 }
+function setupClaudeHooksAndGuide() {
+    // Add hook to .claude/settings.json for auto-scan after file edits
+    const claudeSettingsDir = join(process.cwd(), ".claude");
+    if (!existsSync(claudeSettingsDir)) {
+        mkdirSync(claudeSettingsDir, { recursive: true });
+    }
+    const claudeSettingsPath = join(claudeSettingsDir, "settings.json");
+    const existingSettings = readJsonFile(claudeSettingsPath) || {};
+    if (!existingSettings.hooks) {
+        existingSettings.hooks = {};
+    }
+    // Don't overwrite existing hooks
+    if (!existingSettings.hooks.PostToolUse) {
+        existingSettings.hooks.PostToolUse = [
+            {
+                matcher: "Edit|Write",
+                hooks: [
+                    {
+                        type: "command",
+                        command: "echo 'Run guardvibe scan_file on edited files for security check'"
+                    }
+                ]
+            }
+        ];
+    }
+    writeJsonFile(claudeSettingsPath, existingSettings);
+    console.log(`  [OK] Claude Code hooks configured (.claude/settings.json)`);
+    // Add CLAUDE.md guidance if not present
+    const claudeMdPath = join(process.cwd(), "CLAUDE.md");
+    const guardvibeBlock = `\n## GuardVibe Security\n\n- After editing security-sensitive files (API routes, auth, middleware), use the \`scan_file\` MCP tool to check for vulnerabilities\n- Before committing, run \`scan_staged\` to catch issues in staged files\n- Use \`scan_changed_files\` with the base branch to review all changes\n- When you find issues, use \`explain_remediation\` for detailed fix guidance\n`;
+    if (existsSync(claudeMdPath)) {
+        const content = readFileSync(claudeMdPath, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(claudeMdPath, content + guardvibeBlock, "utf-8");
+            console.log(`  [OK] GuardVibe guidance added to CLAUDE.md`);
+        }
+    }
+    else {
+        writeFileSync(claudeMdPath, `# Project Guidelines\n${guardvibeBlock}`, "utf-8");
+        console.log(`  [OK] Created CLAUDE.md with GuardVibe guidance`);
+    }
+}
 // ── Pre-commit hook ──────────────────────────────────────────────────
 const HOOK_SCRIPT = `#!/bin/sh
 # GuardVibe pre-commit security hook

package/build/data/rules/database.js

@@ -111,4 +111,16 @@ export const databaseRules = [
         fixCode: '-- GOOD: view respects RLS\nCREATE VIEW user_orders\n  WITH (security_invoker = true)\n  AS SELECT * FROM orders;\n\n-- BAD: bypasses RLS\n-- CREATE VIEW user_orders AS SELECT * FROM orders;',
         compliance: ["SOC2:CC6.1"],
     },
+    {
+        id: "VG448",
+        name: "Supabase RPC Call May Bypass RLS",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "supabase.rpc() calls execute PostgreSQL functions which may bypass Row Level Security if the function is defined as SECURITY DEFINER or if called with the service role key. Ensure the function uses SECURITY INVOKER or validate permissions manually.",
+        pattern: /supabase\.rpc\s*\(\s*["']\w+["']/g,
+        languages: ["javascript", "typescript"],
+        fix: "Ensure PostgreSQL functions called via rpc() use SECURITY INVOKER, or add explicit permission checks. Never call rpc() with the service role key from client-accessible code.",
+        fixCode: '-- PostgreSQL: use SECURITY INVOKER\nCREATE OR REPLACE FUNCTION get_user_data(user_id uuid)\nRETURNS TABLE (id uuid, name text)\nLANGUAGE sql\nSECURITY INVOKER  -- respects RLS!\nAS $$\n  SELECT id, name FROM users WHERE id = user_id;\n$$;\n\n// TypeScript: call with anon key (not service role)\nconst { data } = await supabase.rpc("get_user_data", { user_id: userId });',
+        compliance: ["SOC2:CC6.1"],
+    },
 ];

package/build/data/rules/nextjs.js

@@ -78,7 +78,7 @@ export const nextjsRules = [
         severity: "high",
         owasp: "A03:2025 Injection",
         description: "Dynamic route parameters (params, searchParams) are used directly in database queries or operations without validation.",
-        pattern: /(?:params|searchParams)\s*[\.\[]\s*["']?\w+["']?\s*[\]\)]?\s*(?:;|\))\s*[\s\S]*?(?:query|execute|findUnique|findFirst|findMany|delete|update|create)\s*\(/g,
+        pattern: /(?:(?:await\s+)?(?:params|searchParams))\s*[\)\.\[]\s*["']?\w+["']?\s*[\]\)]?\s*(?:;|\))\s*[\s\S]*?(?:query|execute|findUnique|findFirst|findMany|delete|update|create)\s*\(/g,
         languages: ["javascript", "typescript"],
         fix: "Always validate and sanitize dynamic route parameters before using them in queries.",
         fixCode: '// Validate params before use\nimport { z } from "zod";\nconst idSchema = z.string().uuid();\n\nexport default async function Page({ params }: { params: { id: string } }) {\n  const id = idSchema.parse((await params).id);\n  const item = await db.item.findUnique({ where: { id } });\n}',
@@ -90,7 +90,7 @@ export const nextjsRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Sensitive data (tokens, secrets, internal IDs) appears to be passed from server to client component as props.",
-        pattern: /(?:secret|token|password|apiKey|privateKey|internalId|ssn|creditCard)\s*=\s*\{[\s\S]*?\}/g,
+        pattern: /(?:(?:^|[^a-zA-Z])(?:secret|token|password|apiKey|api_key|privateKey|private_key|internalId|ssn|creditCard|credit_card))\s*=\s*\{[\s\S]*?\}/g,
         languages: ["javascript", "typescript"],
         fix: "Never pass sensitive data as props to client components. Keep secrets server-side.",
         fixCode: "// Keep sensitive data server-side\nexport default async function Page() {\n  const secret = process.env.API_SECRET;\n  const publicData = await fetchData(secret);\n  return <ClientComponent data={publicData} />;\n}",
@@ -150,7 +150,7 @@ export const nextjsRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Server Action returns a full database query result without field selection. Sensitive fields (passwordHash, internalNotes) get serialized to the client.",
-        pattern: /["']use server["'][\s\S]{0,800}?(?:findUnique|findFirst|findMany)\s*\([^)]*\)\s*;?\s*\n\s*return/g,
+        pattern: /["']use server["'][\s\S]{0,800}?(?:return\s+\w+\.)?(?:findUnique|findFirst|findMany)\s*\((?:(?!select\s*:)[\s\S])*?\)/g,
         languages: ["javascript", "typescript"],
         fix: "Always use select to return only needed fields from Server Actions.",
         fixCode: '"use server";\nexport async function getUser(id: string) {\n  return prisma.user.findUnique({\n    where: { id },\n    select: { id: true, name: true, email: true },\n  });\n}',

package/build/tools/check-code.js

@@ -37,6 +37,40 @@ function isInComment(lines, lineNumber) {
         trimmed.startsWith("<!--") ||
         trimmed.startsWith("/*"));
 }
+/**
+ * Check if a match is inside a multi-line string literal (template literal,
+ * fixCode/description property, or string concatenation).
+ * This prevents rule definition files, docs, and test fixtures from triggering
+ * false positives when they contain code examples as string values.
+ */
+function isInsideStringLiteral(lines, lineNumber, code, matchIndex) {
+    const line = lines[lineNumber - 1];
+    if (!line)
+        return false;
+    const trimmed = line.trimStart();
+    // Line is part of a template literal or multi-line string
+    // Check if we're between backticks by counting unescaped backticks before this point
+    const before = code.substring(0, matchIndex);
+    const backtickCount = (before.match(/(?<!\\)`/g) || []).length;
+    if (backtickCount % 2 === 1)
+        return true; // inside template literal
+    // Line is a string property value (fixCode, description, fix, exploit, audit, fixCode)
+    // Look backwards to find if this line is inside a property assignment string
+    for (let i = lineNumber - 1; i >= Math.max(0, lineNumber - 20); i--) {
+        const prev = lines[i]?.trimStart() || "";
+        // Property assignment with string value that likely spans lines
+        if (/^(?:fixCode|fix|description|exploit|audit|fixCode)\s*[:=]/.test(prev))
+            return true;
+        if (/^(?:fixCode|fix|description|exploit|audit)\s*:\s*$/.test(prev))
+            return true;
+        // Hit a rule boundary (id: "VG...) — stop looking
+        if (/^\s*id\s*:\s*["']VG/.test(prev))
+            break;
+        if (/^\s*\{/.test(prev) && i < lineNumber - 2)
+            break;
+    }
+    return false;
+}
 /**
  * Check if a match on a given line is inside a string value used as a
  * human-readable message (UI label, error text) rather than an actual secret.
@@ -101,8 +135,9 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         if (rule.id.startsWith("VG54") && filePath && /(?:migrations?|seeds?|fixtures)\//i.test(filePath))
             continue;
         // Skip server-only import rule (VG964) for files that are inherently server-only:
-        // Route Handlers (app/api/), middleware, instrumentation, next.config
-        if (rule.id === "VG964" && filePath && /(?:\/api\/|middleware\.|instrumentation\.|next\.config\.)/.test(filePath))
+        // Route Handlers (app/api/), middleware, instrumentation, next.config,
+        // lib/, utils/, tools/, server/, scripts/, CLI files, config files
+        if (rule.id === "VG964" && filePath && /(?:\/api\/|middleware\.|instrumentation\.|next\.config\.|\/lib\/|\/utils\/|\/tools\/|\/server\/|\/scripts\/|\/src\/(?!app\/|pages\/|components\/)|\bcli\b|\.config\.)/.test(filePath))
             continue;
         // Skip React Native/mobile-only rules (VG70x) in web projects:
         // only apply when framework is react-native/expo or path suggests mobile
@@ -145,6 +180,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (isInComment(lines, lineNumber))
                     continue;
             }
+            // Skip matches inside string literals (fixCode, description, template strings)
+            // This prevents rule definition files and docs from triggering false positives
+            if (!rule.id.startsWith("VG9")) {
+                if (isInsideStringLiteral(lines, lineNumber, code, match.index))
+                    continue;
+            }
             // Skip hardcoded-credential rules when the value is a human-readable sentence
             if (rule.id === "VG001" || rule.id === "VG062") {
                 if (isHumanReadableString(lines, lineNumber))
@@ -218,6 +259,23 @@ function isDuplicatePair(a, b) {
         return true;
     if (a.rule.name.includes("Unsafe innerHTML") && b.rule.name.includes("XSS via innerHTML"))
         return true;
+    // Both are auth/unprotected route rules — VG420+VG952+VG002 duplicate case
+    const authPatterns = ["Unprotected Route", "Without Authentication", "Missing authentication"];
+    const aIsAuth = authPatterns.some(p => a.rule.name.includes(p));
+    const bIsAuth = authPatterns.some(p => b.rule.name.includes(p));
+    if (aIsAuth && bIsAuth)
+        return true;
+    // Both are CORS wildcard rules — VG040+VG403+VG973 duplicate case
+    const aIsCors = a.rule.name.includes("CORS") && a.rule.name.includes("ildcard");
+    const bIsCors = b.rule.name.includes("CORS") && b.rule.name.includes("ildcard");
+    if (aIsCors && bIsCors)
+        return true;
+    // Both are admin role check rules — VG426+VG957 duplicate case
+    const adminPatterns = ["Admin", "Role Check", "Role Verification"];
+    const aIsAdmin = adminPatterns.some(p => a.rule.name.includes(p));
+    const bIsAdmin = adminPatterns.some(p => b.rule.name.includes(p));
+    if (aIsAdmin && bIsAdmin)
+        return true;
     return false;
 }
 /** Check if rule A is more specific than rule B (framework rules > core rules). */

package/build/utils/config.js

@@ -1,5 +1,5 @@
 import { readFileSync } from "fs";
-import { join, resolve } from "path";
+import { join, resolve, dirname } from "path";
 const DEFAULT_CONFIG = {
     rules: { disable: [], severity: {} },
     scan: { exclude: [], maxFileSize: 500 * 1024 },
@@ -14,13 +14,38 @@ function cloneDefaultConfig() {
         plugins: [...DEFAULT_CONFIG.plugins],
     };
 }
+/**
+ * Find .guardviberc by walking up from dir to filesystem root.
+ * Returns the path if found, null otherwise.
+ */
+function findConfigFile(startDir) {
+    let current = startDir;
+    const root = resolve("/");
+    while (true) {
+        const candidate = join(current, ".guardviberc");
+        try {
+            readFileSync(candidate, "utf-8"); // will throw if not found
+            return candidate;
+        }
+        catch { }
+        const parent = dirname(current);
+        if (parent === current || current === root)
+            break;
+        current = parent;
+    }
+    return null;
+}
 export function loadConfig(dir) {
     const configDir = resolve(dir || process.cwd());
     const cached = configCache.get(configDir);
     if (cached)
         return cached;
-    const configPath = join(configDir, ".guardviberc");
+    const configPath = findConfigFile(configDir);
     let resolvedConfig = cloneDefaultConfig();
+    if (!configPath) {
+        configCache.set(configDir, resolvedConfig);
+        return resolvedConfig;
+    }
     try {
         const content = readFileSync(configPath, "utf-8");
         const parsed = JSON.parse(content);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {