npm - guardvibe - Versions diffs - 2.0.3 → 2.1.0 - Mend

guardvibe 2.0.3 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/build/cli.js +91 -52
package/package.json +1 -1

package/build/cli.js CHANGED Viewed

@@ -50,9 +50,8 @@ function setupPlatform(name) {
         }
         if (existing.mcpServers["guardvibe"]) {
             console.log(`  [OK] GuardVibe already configured in ${platform.description}`);
-            // Still ensure CLAUDE.md and .gitignore are set up
-            if (name === "claude")
-                setupClaudeHooksAndGuide();
+            // Still ensure security guidance and .gitignore are set up
+            setupSecurityGuide(name);
             return true;
         }
         existing.mcpServers["guardvibe"] = GUARDVIBE_MCP_CONFIG;
@@ -66,77 +65,117 @@ function setupPlatform(name) {
         });
     }
     console.log(`  [OK] Added MCP server to ${platform.description}`);
-    // For Claude Code: also set up hooks and CLAUDE.md guidance
-    if (name === "claude") {
-        setupClaudeHooksAndGuide();
-    }
+    // Set up platform-specific security guidance + universal security rules
+    setupSecurityGuide(name);
     return true;
 }
-function setupClaudeHooksAndGuide() {
-    // Add hook to .claude/settings.json for auto-scan after file edits
+// ── Universal security rules (shared across all AI platforms) ────────
+const SECURITY_RULES = `## Security Rules (enforced by GuardVibe MCP)
+### Mandatory checks
+- AFTER writing any API route, Server Action, or database query: use the guardvibe scan_file MCP tool on the file
+- BEFORE committing: use the guardvibe scan_staged MCP tool
+- When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
+- BEFORE creating a PR: use scan_changed_files to review all changes
+### Writing secure code
+- Every API route handler MUST have auth check before DB access
+- Every POST endpoint MUST have input validation (zod/joi schema)
+- Never pass user input to innerHTML, eval, exec, or raw SQL
+- Never pass user-controlled URLs to fetch() without allowlist validation
+- Always use select: in Prisma/Drizzle queries from Server Actions (never return full objects to client)
+- Always validate redirect URLs against trusted domain allowlist
+- Set security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
+- Verify webhook signatures before processing events
+- Use parameterized queries, never string concatenation/template literals for SQL
+### When in doubt
+- Use the guardvibe explain_remediation MCP tool with the rule ID for detailed fix guidance
+- Use the guardvibe check_code MCP tool to verify a code snippet is secure before applying
+`;
+function setupSecurityGuide(platformName) {
+    // 1. Platform-specific guidance file
+    if (platformName === "claude")
+        setupClaudeGuide();
+    else if (platformName === "cursor")
+        setupCursorGuide();
+    else if (platformName === "gemini")
+        setupGeminiGuide();
+    // 2. Platform-specific .gitignore entries
+    const gitignoreEntries = {
+        claude: [".claude.json", ".claude/", "CLAUDE.md"],
+        cursor: [".cursor/", ".cursorrules"],
+        gemini: ["GEMINI.md"],
+    };
+    const entries = gitignoreEntries[platformName] || [];
+    if (entries.length > 0)
+        addToGitignore(entries);
+}
+function setupClaudeGuide() {
+    // Claude Code hooks
     const claudeSettingsDir = join(process.cwd(), ".claude");
-    if (!existsSync(claudeSettingsDir)) {
+    if (!existsSync(claudeSettingsDir))
         mkdirSync(claudeSettingsDir, { recursive: true });
-    }
     const claudeSettingsPath = join(claudeSettingsDir, "settings.json");
     const existingSettings = readJsonFile(claudeSettingsPath) || {};
-    if (!existingSettings.hooks) {
+    if (!existingSettings.hooks)
         existingSettings.hooks = {};
-    }
-    // Real security hook: scan edited files automatically after every Edit/Write
-    // Claude Code passes tool_input as JSON on stdin — extract file_path with jq
     if (!existingSettings.hooks.PostToolUse) {
         existingSettings.hooks.PostToolUse = [
             {
                 matcher: "Edit|Write",
-                hooks: [
-                    {
+                hooks: [{
                         type: "command",
                         command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe check --format markdown 2>/dev/null || true"
-                    }
-                ]
+                    }]
             }
         ];
     }
     writeJsonFile(claudeSettingsPath, existingSettings);
     console.log(`  [OK] Claude Code hooks configured (.claude/settings.json)`);
-    // Add CLAUDE.md guidance if not present
+    // CLAUDE.md
     const claudeMdPath = join(process.cwd(), "CLAUDE.md");
-    const guardvibeBlock = `
-## Security Rules (enforced by GuardVibe MCP)
-### Mandatory checks
-- BEFORE writing any API route, Server Action, or database query: call \`scan_file\` on the file after editing
-- BEFORE committing: call \`scan_staged\` to catch issues in staged files
-- When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
-### Writing secure code
-- Every API route handler MUST have auth check before DB access
-- Every POST endpoint MUST have input validation (zod/joi schema)
-- Never pass user input to \`innerHTML\`, \`eval\`, \`exec\`, or raw SQL
-- Never pass user-controlled URLs to \`fetch()\` without allowlist validation
-- Always use \`select:\` in Prisma queries from Server Actions (never return full objects)
-- Always validate redirect URLs against trusted domain allowlist
-- Set security headers in next.config.ts (CSP, HSTS, X-Frame-Options)
-### When in doubt
-- Use \`explain_remediation\` with the rule ID for detailed fix guidance
-- Use \`scan_changed_files\` with base branch before creating PR
-- Use \`check_code\` to verify a code snippet is secure before applying
-`;
     if (existsSync(claudeMdPath)) {
         const content = readFileSync(claudeMdPath, "utf-8");
         if (!content.includes("GuardVibe")) {
-            writeFileSync(claudeMdPath, content + guardvibeBlock, "utf-8");
-            console.log(`  [OK] GuardVibe guidance added to CLAUDE.md`);
+            writeFileSync(claudeMdPath, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to CLAUDE.md`);
+        }
+    }
+    else {
+        writeFileSync(claudeMdPath, `# Project Guidelines\n\n${SECURITY_RULES}`, "utf-8");
+        console.log(`  [OK] Created CLAUDE.md with security rules`);
+    }
+}
+function setupCursorGuide() {
+    // .cursorrules — Cursor reads this file for AI instructions
+    const cursorrules = join(process.cwd(), ".cursorrules");
+    if (existsSync(cursorrules)) {
+        const content = readFileSync(cursorrules, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(cursorrules, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to .cursorrules`);
+        }
+    }
+    else {
+        writeFileSync(cursorrules, SECURITY_RULES, "utf-8");
+        console.log(`  [OK] Created .cursorrules with security rules`);
+    }
+}
+function setupGeminiGuide() {
+    // GEMINI.md — Gemini CLI reads this for project context
+    const geminiMd = join(process.cwd(), "GEMINI.md");
+    if (existsSync(geminiMd)) {
+        const content = readFileSync(geminiMd, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(geminiMd, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to GEMINI.md`);
         }
     }
     else {
-        writeFileSync(claudeMdPath, `# Project Guidelines\n${guardvibeBlock}`, "utf-8");
-        console.log(`  [OK] Created CLAUDE.md with GuardVibe guidance`);
+        writeFileSync(geminiMd, `# Project Guidelines\n\n${SECURITY_RULES}`, "utf-8");
+        console.log(`  [OK] Created GEMINI.md with security rules`);
     }
-    // Add generated files to .gitignore so they don't get committed
-    addToGitignore([".claude.json", ".claude/", "CLAUDE.md"]);
 }
 function addToGitignore(entries) {
     const gitignorePath = join(process.cwd(), ".gitignore");
@@ -148,7 +187,7 @@ function addToGitignore(entries) {
     const missing = entries.filter(e => !content.split("\n").some(line => line.trim() === e));
     if (missing.length === 0)
         return;
-    const block = `\n# GuardVibe / Claude Code (auto-added by guardvibe init)\n${missing.join("\n")}\n`;
+    const block = `\n# GuardVibe (auto-added by guardvibe init)\n${missing.join("\n")}\n`;
     writeFileSync(gitignorePath, content.trimEnd() + block, "utf-8");
     console.log(`  [OK] Added ${missing.join(", ")} to .gitignore`);
 }
@@ -553,9 +592,9 @@ function printUsage() {
     --help, -h            Show this help message
   MCP Platforms:
-    claude    Claude Code (.claude.json in project root)
-    gemini    Gemini CLI (~/.gemini/settings.json)
-    cursor    Cursor (.cursor/mcp.json)
+    claude    Claude Code (.claude.json + CLAUDE.md + hooks)
+    cursor    Cursor (.cursor/mcp.json + .cursorrules)
+    gemini    Gemini CLI (~/.gemini/settings.json + GEMINI.md)
     all       All platforms at once
   Supported File Types:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.0.3",
+  "version": "2.1.0",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {