guardvibe 2.0.1 → 2.0.2
- package/build/cli.js +25 -3
- package/package.json +1 -1
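--- a/package/build/cli.js
+++ b/package/build/cli.js
@@ -83,7 +83,8 @@ function setupClaudeHooksAndGuide() {
 if (!existingSettings.hooks) {
 existingSettings.hooks = {};
 }
-//
+// Real security hook: scan edited files automatically after every Edit/Write
+// This makes GuardVibe an active guardian, not a passive tool
 if (!existingSettings.hooks.PostToolUse) {
 existingSettings.hooks.PostToolUse = [
 {
@@ -91,7 +92,7 @@ function setupClaudeHooksAndGuide() {
 hooks: [
 {
 type: "command",
-command: "
+command: "npx -y guardvibe check $CLAUDE_FILE_PATH --format markdown 2>/dev/null || true"
 }
 ]
 }
@@ -101,7 +102,28 @@ function setupClaudeHooksAndGuide() {
 console.log(` [OK] Claude Code hooks configured (.claude/settings.json)`);
 // Add CLAUDE.md guidance if not present
 const claudeMdPath = join(process.cwd(), "CLAUDE.md");
-const guardvibeBlock =
+const guardvibeBlock = `
+## Security Rules (enforced by GuardVibe MCP)
+
+### Mandatory checks
+- BEFORE writing any API route, Server Action, or database query: call \`scan_file\` on the file after editing
+- BEFORE committing: call \`scan_staged\` to catch issues in staged files
+- When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
+
+### Writing secure code
+- Every API route handler MUST have auth check before DB access
+- Every POST endpoint MUST have input validation (zod/joi schema)
+- Never pass user input to \`innerHTML\`, \`eval\`, \`exec\`, or raw SQL
+- Never pass user-controlled URLs to \`fetch()\` without allowlist validation
+- Always use \`select:\` in Prisma queries from Server Actions (never return full objects)
+- Always validate redirect URLs against trusted domain allowlist
+- Set security headers in next.config.ts (CSP, HSTS, X-Frame-Options)
+
+### When in doubt
+- Use \`explain_remediation\` with the rule ID for detailed fix guidance
+- Use \`scan_changed_files\` with base branch before creating PR
+- Use \`check_code\` to verify a code snippet is secure before applying
+`;
 if (existsSync(claudeMdPath)) {
 const content = readFileSync(claudeMdPath, "utf-8");
 if (!content.includes("GuardVibe")) {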
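--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "guardvibe",
-"version": "2.0.
+"version": "2.0.2",
 "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
 "type": "module",
 "bin": {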