guardvibe 1.9.1 → 1.9.3

package/build/cli.js

@@ -63,8 +63,54 @@ function setupPlatform(name) {
         });
     }
     console.log(`  [OK] Added MCP server to ${platform.description}`);
+    // For Claude Code: also set up hooks and CLAUDE.md guidance
+    if (name === "claude") {
+        setupClaudeHooksAndGuide();
+    }
     return true;
 }
+function setupClaudeHooksAndGuide() {
+    // Add hook to .claude/settings.json for auto-scan after file edits
+    const claudeSettingsDir = join(process.cwd(), ".claude");
+    if (!existsSync(claudeSettingsDir)) {
+        mkdirSync(claudeSettingsDir, { recursive: true });
+    }
+    const claudeSettingsPath = join(claudeSettingsDir, "settings.json");
+    const existingSettings = readJsonFile(claudeSettingsPath) || {};
+    if (!existingSettings.hooks) {
+        existingSettings.hooks = {};
+    }
+    // Don't overwrite existing hooks
+    if (!existingSettings.hooks.PostToolUse) {
+        existingSettings.hooks.PostToolUse = [
+            {
+                matcher: "Edit|Write",
+                hooks: [
+                    {
+                        type: "command",
+                        command: "echo 'Run guardvibe scan_file on edited files for security check'"
+                    }
+                ]
+            }
+        ];
+    }
+    writeJsonFile(claudeSettingsPath, existingSettings);
+    console.log(`  [OK] Claude Code hooks configured (.claude/settings.json)`);
+    // Add CLAUDE.md guidance if not present
+    const claudeMdPath = join(process.cwd(), "CLAUDE.md");
+    const guardvibeBlock = `\n## GuardVibe Security\n\n- After editing security-sensitive files (API routes, auth, middleware), use the \`scan_file\` MCP tool to check for vulnerabilities\n- Before committing, run \`scan_staged\` to catch issues in staged files\n- Use \`scan_changed_files\` with the base branch to review all changes\n- When you find issues, use \`explain_remediation\` for detailed fix guidance\n`;
+    if (existsSync(claudeMdPath)) {
+        const content = readFileSync(claudeMdPath, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(claudeMdPath, content + guardvibeBlock, "utf-8");
+            console.log(`  [OK] GuardVibe guidance added to CLAUDE.md`);
+        }
+    }
+    else {
+        writeFileSync(claudeMdPath, `# Project Guidelines\n${guardvibeBlock}`, "utf-8");
+        console.log(`  [OK] Created CLAUDE.md with GuardVibe guidance`);
+    }
+}
 // ── Pre-commit hook ──────────────────────────────────────────────────
 const HOOK_SCRIPT = `#!/bin/sh
 # GuardVibe pre-commit security hook

package/build/data/rules/database.js

@@ -111,4 +111,16 @@ export const databaseRules = [
         fixCode: '-- GOOD: view respects RLS\nCREATE VIEW user_orders\n  WITH (security_invoker = true)\n  AS SELECT * FROM orders;\n\n-- BAD: bypasses RLS\n-- CREATE VIEW user_orders AS SELECT * FROM orders;',
         compliance: ["SOC2:CC6.1"],
     },
+    {
+        id: "VG448",
+        name: "Supabase RPC Call May Bypass RLS",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "supabase.rpc() calls execute PostgreSQL functions which may bypass Row Level Security if the function is defined as SECURITY DEFINER or if called with the service role key. Ensure the function uses SECURITY INVOKER or validate permissions manually.",
+        pattern: /supabase\.rpc\s*\(\s*["']\w+["']/g,
+        languages: ["javascript", "typescript"],
+        fix: "Ensure PostgreSQL functions called via rpc() use SECURITY INVOKER, or add explicit permission checks. Never call rpc() with the service role key from client-accessible code.",
+        fixCode: '-- PostgreSQL: use SECURITY INVOKER\nCREATE OR REPLACE FUNCTION get_user_data(user_id uuid)\nRETURNS TABLE (id uuid, name text)\nLANGUAGE sql\nSECURITY INVOKER  -- respects RLS!\nAS $$\n  SELECT id, name FROM users WHERE id = user_id;\n$$;\n\n// TypeScript: call with anon key (not service role)\nconst { data } = await supabase.rpc("get_user_data", { user_id: userId });',
+        compliance: ["SOC2:CC6.1"],
+    },
 ];

package/build/data/rules/nextjs.js

@@ -78,7 +78,7 @@ export const nextjsRules = [
         severity: "high",
         owasp: "A03:2025 Injection",
         description: "Dynamic route parameters (params, searchParams) are used directly in database queries or operations without validation.",
-        pattern: /(?:params|searchParams)\s*[\.\[]\s*["']?\w+["']?\s*[\]\)]?\s*(?:;|\))\s*[\s\S]*?(?:query|execute|findUnique|findFirst|findMany|delete|update|create)\s*\(/g,
+        pattern: /(?:(?:await\s+)?(?:params|searchParams))\s*[\)\.\[]\s*["']?\w+["']?\s*[\]\)]?\s*(?:;|\))\s*[\s\S]*?(?:query|execute|findUnique|findFirst|findMany|delete|update|create)\s*\(/g,
         languages: ["javascript", "typescript"],
         fix: "Always validate and sanitize dynamic route parameters before using them in queries.",
         fixCode: '// Validate params before use\nimport { z } from "zod";\nconst idSchema = z.string().uuid();\n\nexport default async function Page({ params }: { params: { id: string } }) {\n  const id = idSchema.parse((await params).id);\n  const item = await db.item.findUnique({ where: { id } });\n}',
@@ -90,7 +90,7 @@ export const nextjsRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Sensitive data (tokens, secrets, internal IDs) appears to be passed from server to client component as props.",
-        pattern: /(?:secret|token|password|apiKey|privateKey|internalId|ssn|creditCard)\s*=\s*\{[\s\S]*?\}/g,
+        pattern: /(?:(?:^|[^a-zA-Z])(?:secret|token|password|apiKey|api_key|privateKey|private_key|internalId|ssn|creditCard|credit_card))\s*=\s*\{[\s\S]*?\}/g,
         languages: ["javascript", "typescript"],
         fix: "Never pass sensitive data as props to client components. Keep secrets server-side.",
         fixCode: "// Keep sensitive data server-side\nexport default async function Page() {\n  const secret = process.env.API_SECRET;\n  const publicData = await fetchData(secret);\n  return <ClientComponent data={publicData} />;\n}",
@@ -150,7 +150,7 @@ export const nextjsRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Server Action returns a full database query result without field selection. Sensitive fields (passwordHash, internalNotes) get serialized to the client.",
-        pattern: /["']use server["'][\s\S]{0,800}?(?:findUnique|findFirst|findMany)\s*\([^)]*\)\s*;?\s*\n\s*return/g,
+        pattern: /["']use server["'][\s\S]{0,800}?(?:return\s+\w+\.)?(?:findUnique|findFirst|findMany)\s*\((?:(?!select\s*:)[\s\S])*?\)/g,
         languages: ["javascript", "typescript"],
         fix: "Always use select to return only needed fields from Server Actions.",
         fixCode: '"use server";\nexport async function getUser(id: string) {\n  return prisma.user.findUnique({\n    where: { id },\n    select: { id: true, name: true, email: true },\n  });\n}',
@@ -180,4 +180,28 @@ export const nextjsRules = [
         fixCode: '<!-- EJS: use escaped output -->\n<p><%= userInput %></p>   <!-- SAFE: HTML-escaped -->\n<!-- NOT: <%- userInput %>  DANGEROUS: raw HTML -->\n\n<!-- Handlebars: use double braces -->\n<p>{{userInput}}</p>      <!-- SAFE: escaped -->\n<!-- NOT: {{{userInput}}}   DANGEROUS: raw HTML -->\n\n<!-- Pug: use = not != -->\np= userInput              //- SAFE: escaped\n//- NOT: p!= userInput    DANGEROUS: raw HTML',
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
+    {
+        id: "VG415",
+        name: "Cached Function Exposes User-Specific Data",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "A function marked with 'use cache' accesses user-specific data (auth, session, cookies, headers) but caches the result. Cached data is shared across all users, leaking one user's data to others.",
+        pattern: /["']use cache["'][\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|cookies\s*\(|headers\s*\()/g,
+        languages: ["javascript", "typescript"],
+        fix: "Do not access user-specific data inside cached functions. Pass user-independent parameters only, or use cacheTag with user-specific tags.",
+        fixCode: '// BAD: caches user-specific data\n"use cache";\nasync function getData() {\n  const { userId } = await auth(); // WRONG in cached fn!\n  return db.items.findMany({ where: { userId } });\n}\n\n// GOOD: cache only shared data\n"use cache";\nasync function getPublicPosts() {\n  return db.posts.findMany({ where: { published: true } });\n}',
+        compliance: ["SOC2:CC6.1"],
+    },
+    {
+        id: "VG416",
+        name: "Cached Function Without Revalidation Strategy",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "A function marked with 'use cache' does not specify a cacheLife or cacheTag for revalidation. Without explicit revalidation, stale data may be served indefinitely, including outdated security-sensitive information.",
+        pattern: /["']use cache["'](?:(?!cacheLife|cacheTag|unstable_cache)[\s\S]){10,}?(?:return|export)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add cacheLife() or cacheTag() inside cached functions to control revalidation.",
+        fixCode: '"use cache";\nimport { cacheLife, cacheTag } from "next/cache";\n\nasync function getCachedData() {\n  cacheLife("hours");\n  cacheTag("data-feed");\n  return db.posts.findMany();\n}\n\n// Revalidate when data changes:\nimport { revalidateTag } from "next/cache";\nrevalidateTag("data-feed");',
+        compliance: ["SOC2:CC7.1"],
+    },
 ];

package/build/tools/check-code.js

@@ -37,6 +37,55 @@ function isInComment(lines, lineNumber) {
         trimmed.startsWith("<!--") ||
         trimmed.startsWith("/*"));
 }
+/**
+ * Check if a match is inside a multi-line string literal (template literal,
+ * fixCode/description property, or string concatenation).
+ * This prevents rule definition files, docs, and test fixtures from triggering
+ * false positives when they contain code examples as string values.
+ */
+function isInsideStringLiteral(lines, lineNumber, code, matchIndex) {
+    const line = lines[lineNumber - 1];
+    if (!line)
+        return false;
+    // 1. Template literal: count unescaped backticks before this point
+    const before = code.substring(0, matchIndex);
+    const backtickCount = (before.match(/(?<!\\)`/g) || []).length;
+    if (backtickCount % 2 === 1)
+        return true;
+    // 2. The match line itself is a string continuation (starts with quote + or ends with +quote)
+    const trimmed = line.trimStart();
+    if (/^["']/.test(trimmed) && /\+\s*$/.test(line))
+        return true; // "string" +
+    if (/^\s*\+\s*["']/.test(line))
+        return true; // + "string continuation"
+    // 3. Line contains escaped newlines (\n) suggesting it's inside a string value
+    const quotesBefore = line.substring(0, line.indexOf(trimmed.charAt(0)));
+    if (/\\n/.test(line) && /["'`].*\\n/.test(line)) {
+        // Extra check: is the match portion inside quotes on this line?
+        const matchEnd = matchIndex + 20; // approximate
+        const lineStart = code.lastIndexOf("\n", matchIndex) + 1;
+        const col = matchIndex - lineStart;
+        const beforeCol = line.substring(0, col);
+        const singleQuotes = (beforeCol.match(/(?<!\\)'/g) || []).length;
+        const doubleQuotes = (beforeCol.match(/(?<!\\)"/g) || []).length;
+        if (singleQuotes % 2 === 1 || doubleQuotes % 2 === 1)
+            return true;
+    }
+    // 4. Look backwards for property assignment context (fixCode, description, etc.)
+    for (let i = lineNumber - 1; i >= Math.max(0, lineNumber - 20); i--) {
+        const prev = lines[i]?.trimStart() || "";
+        if (/^(?:fixCode|fix|description|exploit|audit)\s*[:=]/.test(prev))
+            return true;
+        if (/^(?:fixCode|fix|description|exploit|audit)\s*:\s*$/.test(prev))
+            return true;
+        // Hit a rule boundary — stop looking
+        if (/^\s*id\s*:\s*["']VG/.test(prev))
+            break;
+        if (/^\s*\{/.test(prev) && i < lineNumber - 2)
+            break;
+    }
+    return false;
+}
 /**
  * Check if a match on a given line is inside a string value used as a
  * human-readable message (UI label, error text) rather than an actual secret.
@@ -56,7 +105,32 @@ function isHumanReadableString(lines, lineNumber) {
         return true;
     return false;
 }
+/**
+ * Detect if a file is a security rule definition file.
+ * These files intentionally contain vulnerable code patterns
+ * as regex matchers and fixCode examples — scanning them is meaningless.
+ */
+function isRuleDefinitionFile(code, filePath) {
+    // Path-based: known rule definition directories
+    if (filePath && /(?:\/rules\/|\/data\/rules\/)/.test(filePath)) {
+        // Confirm it actually exports SecurityRule objects
+        if (/SecurityRule\s*\[\]/.test(code) && /id:\s*["']VG\d+["']/.test(code)) {
+            return true;
+        }
+    }
+    // Content-based: file defines multiple VG rules with pattern: regex
+    if (/id:\s*["']VG\d+["']/g.test(code) && /pattern:\s*\//.test(code)) {
+        const ruleCount = (code.match(/id:\s*["']VG\d+["']/g) || []).length;
+        if (ruleCount >= 3)
+            return true; // 3+ rule definitions = rule file
+    }
+    return false;
+}
 export function analyzeCode(code, language, framework, filePath, configDir, rules) {
+    // Skip files that are security rule definitions (they intentionally contain
+    // vulnerable code patterns as regex matchers and fixCode examples)
+    if (isRuleDefinitionFile(code, filePath))
+        return [];
     const config = loadConfig(configDir);
     const ignoreEntries = loadIgnoreFile(configDir || process.cwd());
     const findings = [];
@@ -101,8 +175,9 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         if (rule.id.startsWith("VG54") && filePath && /(?:migrations?|seeds?|fixtures)\//i.test(filePath))
             continue;
         // Skip server-only import rule (VG964) for files that are inherently server-only:
-        // Route Handlers (app/api/), middleware, instrumentation, next.config
-        if (rule.id === "VG964" && filePath && /(?:\/api\/|middleware\.|instrumentation\.|next\.config\.)/.test(filePath))
+        // Route Handlers (app/api/), middleware, instrumentation, next.config,
+        // lib/, utils/, tools/, server/, scripts/, CLI files, config files
+        if (rule.id === "VG964" && filePath && /(?:\/api\/|middleware\.|instrumentation\.|next\.config\.|\/lib\/|\/utils\/|\/tools\/|\/server\/|\/scripts\/|\/src\/(?!app\/|pages\/|components\/)|\bcli\b|\.config\.)/.test(filePath))
             continue;
         // Skip React Native/mobile-only rules (VG70x) in web projects:
         // only apply when framework is react-native/expo or path suggests mobile
@@ -145,6 +220,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (isInComment(lines, lineNumber))
                     continue;
             }
+            // Skip matches inside string literals (fixCode, description, template strings)
+            // This prevents rule definition files and docs from triggering false positives
+            if (!rule.id.startsWith("VG9")) {
+                if (isInsideStringLiteral(lines, lineNumber, code, match.index))
+                    continue;
+            }
             // Skip hardcoded-credential rules when the value is a human-readable sentence
             if (rule.id === "VG001" || rule.id === "VG062") {
                 if (isHumanReadableString(lines, lineNumber))

package/build/utils/config.js

@@ -1,5 +1,5 @@
 import { readFileSync } from "fs";
-import { join, resolve } from "path";
+import { join, resolve, dirname } from "path";
 const DEFAULT_CONFIG = {
     rules: { disable: [], severity: {} },
     scan: { exclude: [], maxFileSize: 500 * 1024 },
@@ -14,13 +14,38 @@ function cloneDefaultConfig() {
         plugins: [...DEFAULT_CONFIG.plugins],
     };
 }
+/**
+ * Find .guardviberc by walking up from dir to filesystem root.
+ * Returns the path if found, null otherwise.
+ */
+function findConfigFile(startDir) {
+    let current = startDir;
+    const root = resolve("/");
+    while (true) {
+        const candidate = join(current, ".guardviberc");
+        try {
+            readFileSync(candidate, "utf-8"); // will throw if not found
+            return candidate;
+        }
+        catch { }
+        const parent = dirname(current);
+        if (parent === current || current === root)
+            break;
+        current = parent;
+    }
+    return null;
+}
 export function loadConfig(dir) {
     const configDir = resolve(dir || process.cwd());
     const cached = configCache.get(configDir);
     if (cached)
         return cached;
-    const configPath = join(configDir, ".guardviberc");
+    const configPath = findConfigFile(configDir);
     let resolvedConfig = cloneDefaultConfig();
+    if (!configPath) {
+        configCache.set(configDir, resolvedConfig);
+        return resolvedConfig;
+    }
     try {
         const content = readFileSync(configPath, "utf-8");
         const parsed = JSON.parse(content);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "1.9.1",
+  "version": "1.9.3",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {