guardvibe 2.0.0 → 2.0.2

package/build/cli.js

@@ -83,7 +83,8 @@ function setupClaudeHooksAndGuide() {
     if (!existingSettings.hooks) {
         existingSettings.hooks = {};
     }
-    // Don't overwrite existing hooks
+    // Real security hook: scan edited files automatically after every Edit/Write
+    // This makes GuardVibe an active guardian, not a passive tool
     if (!existingSettings.hooks.PostToolUse) {
         existingSettings.hooks.PostToolUse = [
             {
@@ -91,7 +92,7 @@ function setupClaudeHooksAndGuide() {
                 hooks: [
                     {
                         type: "command",
-                        command: "echo 'Run guardvibe scan_file on edited files for security check'"
+                        command: "npx -y guardvibe check $CLAUDE_FILE_PATH --format markdown 2>/dev/null || true"
                     }
                 ]
             }
@@ -101,7 +102,28 @@ function setupClaudeHooksAndGuide() {
     console.log(`  [OK] Claude Code hooks configured (.claude/settings.json)`);
     // Add CLAUDE.md guidance if not present
     const claudeMdPath = join(process.cwd(), "CLAUDE.md");
-    const guardvibeBlock = `\n## GuardVibe Security\n\n- After editing security-sensitive files (API routes, auth, middleware), use the \`scan_file\` MCP tool to check for vulnerabilities\n- Before committing, run \`scan_staged\` to catch issues in staged files\n- Use \`scan_changed_files\` with the base branch to review all changes\n- When you find issues, use \`explain_remediation\` for detailed fix guidance\n`;
+    const guardvibeBlock = `
+## Security Rules (enforced by GuardVibe MCP)
+
+### Mandatory checks
+- BEFORE writing any API route, Server Action, or database query: call \`scan_file\` on the file after editing
+- BEFORE committing: call \`scan_staged\` to catch issues in staged files
+- When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
+
+### Writing secure code
+- Every API route handler MUST have auth check before DB access
+- Every POST endpoint MUST have input validation (zod/joi schema)
+- Never pass user input to \`innerHTML\`, \`eval\`, \`exec\`, or raw SQL
+- Never pass user-controlled URLs to \`fetch()\` without allowlist validation
+- Always use \`select:\` in Prisma queries from Server Actions (never return full objects)
+- Always validate redirect URLs against trusted domain allowlist
+- Set security headers in next.config.ts (CSP, HSTS, X-Frame-Options)
+
+### When in doubt
+- Use \`explain_remediation\` with the rule ID for detailed fix guidance
+- Use \`scan_changed_files\` with base branch before creating PR
+- Use \`check_code\` to verify a code snippet is secure before applying
+`;
     if (existsSync(claudeMdPath)) {
         const content = readFileSync(claudeMdPath, "utf-8");
         if (!content.includes("GuardVibe")) {

package/build/data/rules/core.js

@@ -392,7 +392,7 @@ export const coreRules = [
         severity: "high",
         owasp: "A10:2025 Server-Side Request Forgery",
         description: "User-controlled input is passed directly to fetch(), axios, or http.request() as the URL. Attackers can make the server request internal services (169.254.169.254 for cloud metadata, localhost admin panels, internal APIs) leading to data exfiltration or remote code execution.",
-        pattern: /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got(?:\.(?:get|post|put|delete|patch))?|request|http\.(?:get|request)|https\.(?:get|request)|urllib\.request\.urlopen)\s*\(\s*(?:url|uri|href|endpoint|target|destination|webhook[Uu]rl|callback[Uu]rl|redirect[Uu]rl|image[Uu]rl|proxy[Uu]rl|api[Uu]rl|base[Uu]rl|link|src|source|remoteUrl|externalUrl|userUrl|inputUrl|requestUrl)\b/gi,
+        pattern: /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got(?:\.(?:get|post|put|delete|patch))?|http\.(?:get|request)|https\.(?:get|request)|urllib\.request\.urlopen)\s*\(\s*(?!["'`]https?:\/\/|["'`]\/|`\$\{process\.env)(?:[a-zA-Z_$]\w*)\s*[,)]/gi,
         languages: ["javascript", "typescript", "python"],
         fix: "Validate URLs against an allowlist of trusted domains. Block private/internal IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x, ::1). Use a URL parser to check the hostname before making the request.",
         fixCode: '// Validate URL before fetching\nconst ALLOWED_HOSTS = ["api.example.com", "cdn.example.com"];\nconst parsed = new URL(userUrl);\nif (!ALLOWED_HOSTS.includes(parsed.hostname)) {\n  throw new Error("Blocked: untrusted host");\n}\n// Also block private IPs\nconst ip = await dns.resolve(parsed.hostname);\nif (isPrivateIP(ip)) throw new Error("Blocked: internal host");\nawait fetch(parsed.href);',

package/build/tools/check-code.js

@@ -126,6 +126,53 @@ function isRuleDefinitionFile(code, filePath) {
     }
     return false;
 }
+/**
+ * Detect if code contains an auth guard pattern — regardless of function name.
+ * Matches patterns like:
+ *   const { userId } = await someFunction(); if (!userId) return/throw;
+ *   const { error } = await someFunction(); if (error) return error;
+ *   const session = await someFunction(); if (!session) throw/return;
+ *   await someFunction(); // + early return pattern
+ *
+ * This is naming-agnostic: works for requireAdmin, verifyAuth, checkPermission,
+ * ensureLoggedIn, or any custom auth wrapper.
+ */
+function hasAuthGuardPattern(code) {
+    // Pattern 1: destructured result checked with early return/throw
+    // e.g., const { userId } = await xxx(); if (!userId) return;
+    // e.g., const { error } = await xxx(); if (error) return error;
+    if (/(?:const|let)\s+\{[^}]*\}\s*=\s*await\s+\w+\s*\([^)]*\)\s*;?\s*\n\s*if\s*\(\s*!?\w+/.test(code)) {
+        if (/if\s*\([^)]*\)\s*(?:return|throw)\b/.test(code))
+            return true;
+    }
+    // Pattern 2: result assigned then checked
+    // e.g., const session = await xxx(); if (!session) return;
+    if (/(?:const|let)\s+\w+\s*=\s*await\s+\w+\s*\([^)]*\)\s*;?\s*\n\s*if\s*\(\s*!\w+/.test(code)) {
+        return true;
+    }
+    // Pattern 3: function called with await that contains auth-like keywords in name
+    // Broad catch: any function name containing auth/session/permission/guard/verify/protect
+    if (/await\s+(?:\w+\.)*\w*(?:auth|Auth|session|Session|permission|Permission|guard|Guard|verify|Verify|protect|Protect|check|Check|ensure|Ensure|require|Require|assert|Assert|authorize|Authorize)\w*\s*\(/i.test(code)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Detect if code has a role/permission check — regardless of function name.
+ * Matches: role === "admin", permission check, role-based condition.
+ */
+function hasRoleCheckPattern(code) {
+    // Direct role/permission comparison
+    if (/(?:role|permission|isAdmin|access|level)\s*(?:===|!==|==|!=)\s*["']/i.test(code))
+        return true;
+    // Function call with role/permission-like args
+    if (/(?:check|require|verify|ensure|assert|has|can)\w*\s*\(\s*["'](?:admin|manager|editor|owner|moderator|superadmin)/i.test(code))
+        return true;
+    // Destructured role check: const { role } = ...; if (role !== "admin")
+    if (/\brole\b[\s\S]{0,100}?(?:!==|===)\s*["']/i.test(code))
+        return true;
+    return false;
+}
 export function analyzeCode(code, language, framework, filePath, configDir, rules) {
     // Skip files that are security rule definitions (they intentionally contain
     // vulnerable code patterns as regex matchers and fixCode examples)
@@ -136,6 +183,15 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
     const findings = [];
     const lines = code.split("\n");
     const suppressions = parseSuppressionsFromCode(lines);
+    // Pre-analyze: detect auth guards and role checks pattern-agnostically
+    let codeHasAuthGuard = hasAuthGuardPattern(code);
+    const codeHasRoleCheck = hasRoleCheckPattern(code);
+    // Config: check custom auth function names from .guardviberc
+    if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
+        const customPattern = new RegExp(`(?:${config.authFunctions.join("|")})\\s*\\(`, "i");
+        if (customPattern.test(code))
+            codeHasAuthGuard = true;
+    }
     const effectiveRules = rules ?? owaspRules;
     for (const rule of effectiveRules) {
         if (!rule.languages.includes(language))
@@ -152,25 +208,30 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             continue;
         if (rule.id.startsWith("VG21") && !filePath && language !== "yaml")
             continue;
-        // Context-aware: skip auth rules for webhook routes that have signature verification
+        // ── Context-aware rule skipping (pattern-agnostic) ──────────────
+        const authRuleIds = new Set(["VG420", "VG952", "VG002", "VG402"]);
+        const adminRoleRuleIds = new Set(["VG426", "VG957"]);
+        const rateLimitRuleIds = new Set(["VG956", "VG030"]);
         const isWebhookRoute = filePath && /webhook/i.test(filePath);
+        const isCronRoute = filePath && /(?:cron|scheduled|jobs?)\//i.test(filePath);
+        const isAdminRoute = filePath && /\/admin\//i.test(filePath);
+        // Skip auth rules when code has any auth guard pattern (naming-agnostic)
+        if (codeHasAuthGuard && authRuleIds.has(rule.id))
+            continue;
+        // Skip admin role rules when code has any role/permission check
+        if (codeHasRoleCheck && adminRoleRuleIds.has(rule.id))
+            continue;
+        // Skip auth rules for webhook routes with signature verification
         const hasSignatureVerification = isWebhookRoute && /(?:verify|signature|hmac|constructEvent|svix|webhookSecret|createHmac|X-Signature|stripe-signature)/i.test(code);
-        const authRuleIds = new Set(["VG420", "VG952", "VG002"]);
         if (hasSignatureVerification && authRuleIds.has(rule.id))
             continue;
-        // Context-aware: skip rate limiting rules for cron/scheduled routes
-        const isCronRoute = filePath && /(?:cron|scheduled|jobs?)\//i.test(filePath);
-        const rateLimitRuleIds = new Set(["VG956", "VG030"]);
+        // Skip rate limiting for cron and webhook routes
         if (isCronRoute && rateLimitRuleIds.has(rule.id))
             continue;
-        // Context-aware: skip rate limiting rules for webhook routes
-        // Webhooks are called by external services, not users — rate limiting is irrelevant
         if (isWebhookRoute && rateLimitRuleIds.has(rule.id))
             continue;
-        // Context-aware: skip rate limiting rules for admin routes that have admin auth
-        const isAdminRoute = filePath && /\/admin\//i.test(filePath);
-        const hasAdminAuth = isAdminRoute && /(?:requireAdmin|adminOnly|orgRole|org:admin|isAdmin|checkRole|requireRole|verifyAuth|checkPermission|assertAuth|ensureAuth|authorize)/i.test(code);
-        if (hasAdminAuth && rateLimitRuleIds.has(rule.id))
+        // Skip rate limiting for admin routes with auth guard
+        if (isAdminRoute && codeHasAuthGuard && rateLimitRuleIds.has(rule.id))
             continue;
         // Skip npm package rules (VG863/VG864/VG865): only apply to package.json files
         if ((rule.id === "VG863" || rule.id === "VG864" || rule.id === "VG865") && filePath && !filePath.endsWith("package.json"))
@@ -199,7 +260,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             : rule;
         // Context-aware severity: downgrade rate limiting/pagination issues in admin routes
         // Admin routes behind requireAdmin have lower brute-force risk
-        if (isAdminRoute && hasAdminAuth) {
+        if (isAdminRoute && codeHasAuthGuard) {
             const downgradeInAdmin = new Set(["VG955"]); // pagination in admin is less critical
             if (downgradeInAdmin.has(rule.id) && effectiveRule.severity === "medium") {
                 effectiveRule = { ...effectiveRule, severity: "low" };

package/build/utils/config.d.ts

@@ -22,6 +22,10 @@ export interface GuardVibeConfig {
     };
     plugins: string[];
     compliance?: CompliancePolicy;
+    /** Custom auth function names that GuardVibe should recognize as auth guards.
+     *  e.g. ["requireAdmin", "verifyUser", "ensureLoggedIn"]
+     *  These are added ON TOP of the built-in pattern-agnostic detection. */
+    authFunctions?: string[];
 }
 export declare function loadConfig(dir?: string): GuardVibeConfig;
 export declare function resetConfigCache(): void;

package/build/utils/config.js

@@ -67,6 +67,7 @@ export function loadConfig(dir) {
                 exceptions: Array.isArray(parsed.compliance.exceptions) ? parsed.compliance.exceptions : [],
                 requiredControls: Array.isArray(parsed.compliance.requiredControls) ? parsed.compliance.requiredControls : undefined,
             } : undefined,
+            authFunctions: Array.isArray(parsed.authFunctions) ? parsed.authFunctions : undefined,
         };
     }
     catch { }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {