guardvibe 2.0.1 → 2.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/build/cli.js +25 -3
  2. package/package.json +1 -1
package/build/cli.js CHANGED
@@ -83,7 +83,8 @@ function setupClaudeHooksAndGuide() {
83
83
  if (!existingSettings.hooks) {
84
84
  existingSettings.hooks = {};
85
85
  }
86
- // Don't overwrite existing hooks
86
+ // Real security hook: scan edited files automatically after every Edit/Write
87
+ // Claude Code passes tool_input as JSON on stdin — extract file_path with jq
87
88
  if (!existingSettings.hooks.PostToolUse) {
88
89
  existingSettings.hooks.PostToolUse = [
89
90
  {
@@ -91,7 +92,7 @@ function setupClaudeHooksAndGuide() {
91
92
  hooks: [
92
93
  {
93
94
  type: "command",
94
- command: "echo 'Run guardvibe scan_file on edited files for security check'"
95
+ command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe check --format markdown 2>/dev/null || true"
95
96
  }
96
97
  ]
97
98
  }
@@ -101,7 +102,28 @@ function setupClaudeHooksAndGuide() {
101
102
  console.log(` [OK] Claude Code hooks configured (.claude/settings.json)`);
102
103
  // Add CLAUDE.md guidance if not present
103
104
  const claudeMdPath = join(process.cwd(), "CLAUDE.md");
104
- const guardvibeBlock = `\n## GuardVibe Security\n\n- After editing security-sensitive files (API routes, auth, middleware), use the \`scan_file\` MCP tool to check for vulnerabilities\n- Before committing, run \`scan_staged\` to catch issues in staged files\n- Use \`scan_changed_files\` with the base branch to review all changes\n- When you find issues, use \`explain_remediation\` for detailed fix guidance\n`;
105
+ const guardvibeBlock = `
106
+ ## Security Rules (enforced by GuardVibe MCP)
107
+
108
+ ### Mandatory checks
109
+ - BEFORE writing any API route, Server Action, or database query: call \`scan_file\` on the file after editing
110
+ - BEFORE committing: call \`scan_staged\` to catch issues in staged files
111
+ - When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
112
+
113
+ ### Writing secure code
114
+ - Every API route handler MUST have auth check before DB access
115
+ - Every POST endpoint MUST have input validation (zod/joi schema)
116
+ - Never pass user input to \`innerHTML\`, \`eval\`, \`exec\`, or raw SQL
117
+ - Never pass user-controlled URLs to \`fetch()\` without allowlist validation
118
+ - Always use \`select:\` in Prisma queries from Server Actions (never return full objects)
119
+ - Always validate redirect URLs against trusted domain allowlist
120
+ - Set security headers in next.config.ts (CSP, HSTS, X-Frame-Options)
121
+
122
+ ### When in doubt
123
+ - Use \`explain_remediation\` with the rule ID for detailed fix guidance
124
+ - Use \`scan_changed_files\` with base branch before creating PR
125
+ - Use \`check_code\` to verify a code snippet is secure before applying
126
+ `;
105
127
  if (existsSync(claudeMdPath)) {
106
128
  const content = readFileSync(claudeMdPath, "utf-8");
107
129
  if (!content.includes("GuardVibe")) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "2.0.1",
3
+ "version": "2.0.3",
4
4
  "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
5
5
  "type": "module",
6
6
  "bin": {