guardvibe 2.0.3 → 2.1.1

package/build/cli.js

@@ -50,9 +50,8 @@ function setupPlatform(name) {
         }
         if (existing.mcpServers["guardvibe"]) {
             console.log(`  [OK] GuardVibe already configured in ${platform.description}`);
-            // Still ensure CLAUDE.md and .gitignore are set up
-            if (name === "claude")
-                setupClaudeHooksAndGuide();
+            // Still ensure security guidance and .gitignore are set up
+            setupSecurityGuide(name);
             return true;
         }
         existing.mcpServers["guardvibe"] = GUARDVIBE_MCP_CONFIG;
@@ -66,77 +65,117 @@ function setupPlatform(name) {
         });
     }
     console.log(`  [OK] Added MCP server to ${platform.description}`);
-    // For Claude Code: also set up hooks and CLAUDE.md guidance
-    if (name === "claude") {
-        setupClaudeHooksAndGuide();
-    }
+    // Set up platform-specific security guidance + universal security rules
+    setupSecurityGuide(name);
     return true;
 }
-function setupClaudeHooksAndGuide() {
-    // Add hook to .claude/settings.json for auto-scan after file edits
+// ── Universal security rules (shared across all AI platforms) ────────
+const SECURITY_RULES = `## Security Rules (enforced by GuardVibe MCP)
+
+### Mandatory checks
+- AFTER writing any API route, Server Action, or database query: use the guardvibe scan_file MCP tool on the file
+- BEFORE committing: use the guardvibe scan_staged MCP tool
+- When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
+- BEFORE creating a PR: use scan_changed_files to review all changes
+
+### Writing secure code
+- Every API route handler MUST have auth check before DB access
+- Every POST endpoint MUST have input validation (zod/joi schema)
+- Never pass user input to innerHTML, eval, exec, or raw SQL
+- Never pass user-controlled URLs to fetch() without allowlist validation
+- Always use select: in Prisma/Drizzle queries from Server Actions (never return full objects to client)
+- Always validate redirect URLs against trusted domain allowlist
+- Set security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
+- Verify webhook signatures before processing events
+- Use parameterized queries, never string concatenation/template literals for SQL
+
+### When in doubt
+- Use the guardvibe explain_remediation MCP tool with the rule ID for detailed fix guidance
+- Use the guardvibe check_code MCP tool to verify a code snippet is secure before applying
+`;
+function setupSecurityGuide(platformName) {
+    // 1. Platform-specific guidance file
+    if (platformName === "claude")
+        setupClaudeGuide();
+    else if (platformName === "cursor")
+        setupCursorGuide();
+    else if (platformName === "gemini")
+        setupGeminiGuide();
+    // 2. Platform-specific .gitignore entries
+    const gitignoreEntries = {
+        claude: [".claude.json", ".claude/", "CLAUDE.md"],
+        cursor: [".cursor/", ".cursorrules"],
+        gemini: ["GEMINI.md"],
+    };
+    const entries = gitignoreEntries[platformName] || [];
+    if (entries.length > 0)
+        addToGitignore(entries);
+}
+function setupClaudeGuide() {
+    // Claude Code hooks
     const claudeSettingsDir = join(process.cwd(), ".claude");
-    if (!existsSync(claudeSettingsDir)) {
+    if (!existsSync(claudeSettingsDir))
         mkdirSync(claudeSettingsDir, { recursive: true });
-    }
     const claudeSettingsPath = join(claudeSettingsDir, "settings.json");
     const existingSettings = readJsonFile(claudeSettingsPath) || {};
-    if (!existingSettings.hooks) {
+    if (!existingSettings.hooks)
         existingSettings.hooks = {};
-    }
-    // Real security hook: scan edited files automatically after every Edit/Write
-    // Claude Code passes tool_input as JSON on stdin — extract file_path with jq
     if (!existingSettings.hooks.PostToolUse) {
         existingSettings.hooks.PostToolUse = [
             {
                 matcher: "Edit|Write",
-                hooks: [
-                    {
+                hooks: [{
                         type: "command",
                         command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe check --format markdown 2>/dev/null || true"
-                    }
-                ]
+                    }]
             }
         ];
     }
     writeJsonFile(claudeSettingsPath, existingSettings);
     console.log(`  [OK] Claude Code hooks configured (.claude/settings.json)`);
-    // Add CLAUDE.md guidance if not present
+    // CLAUDE.md
     const claudeMdPath = join(process.cwd(), "CLAUDE.md");
-    const guardvibeBlock = `
-## Security Rules (enforced by GuardVibe MCP)
-
-### Mandatory checks
-- BEFORE writing any API route, Server Action, or database query: call \`scan_file\` on the file after editing
-- BEFORE committing: call \`scan_staged\` to catch issues in staged files
-- When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
-
-### Writing secure code
-- Every API route handler MUST have auth check before DB access
-- Every POST endpoint MUST have input validation (zod/joi schema)
-- Never pass user input to \`innerHTML\`, \`eval\`, \`exec\`, or raw SQL
-- Never pass user-controlled URLs to \`fetch()\` without allowlist validation
-- Always use \`select:\` in Prisma queries from Server Actions (never return full objects)
-- Always validate redirect URLs against trusted domain allowlist
-- Set security headers in next.config.ts (CSP, HSTS, X-Frame-Options)
-
-### When in doubt
-- Use \`explain_remediation\` with the rule ID for detailed fix guidance
-- Use \`scan_changed_files\` with base branch before creating PR
-- Use \`check_code\` to verify a code snippet is secure before applying
-`;
     if (existsSync(claudeMdPath)) {
         const content = readFileSync(claudeMdPath, "utf-8");
         if (!content.includes("GuardVibe")) {
-            writeFileSync(claudeMdPath, content + guardvibeBlock, "utf-8");
-            console.log(`  [OK] GuardVibe guidance added to CLAUDE.md`);
+            writeFileSync(claudeMdPath, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to CLAUDE.md`);
+        }
+    }
+    else {
+        writeFileSync(claudeMdPath, `# Project Guidelines\n\n${SECURITY_RULES}`, "utf-8");
+        console.log(`  [OK] Created CLAUDE.md with security rules`);
+    }
+}
+function setupCursorGuide() {
+    // .cursorrules — Cursor reads this file for AI instructions
+    const cursorrules = join(process.cwd(), ".cursorrules");
+    if (existsSync(cursorrules)) {
+        const content = readFileSync(cursorrules, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(cursorrules, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to .cursorrules`);
+        }
+    }
+    else {
+        writeFileSync(cursorrules, SECURITY_RULES, "utf-8");
+        console.log(`  [OK] Created .cursorrules with security rules`);
+    }
+}
+function setupGeminiGuide() {
+    // GEMINI.md — Gemini CLI reads this for project context
+    const geminiMd = join(process.cwd(), "GEMINI.md");
+    if (existsSync(geminiMd)) {
+        const content = readFileSync(geminiMd, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(geminiMd, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to GEMINI.md`);
         }
     }
     else {
-        writeFileSync(claudeMdPath, `# Project Guidelines\n${guardvibeBlock}`, "utf-8");
-        console.log(`  [OK] Created CLAUDE.md with GuardVibe guidance`);
+        writeFileSync(geminiMd, `# Project Guidelines\n\n${SECURITY_RULES}`, "utf-8");
+        console.log(`  [OK] Created GEMINI.md with security rules`);
     }
-    // Add generated files to .gitignore so they don't get committed
-    addToGitignore([".claude.json", ".claude/", "CLAUDE.md"]);
 }
 function addToGitignore(entries) {
     const gitignorePath = join(process.cwd(), ".gitignore");
@@ -148,7 +187,7 @@ function addToGitignore(entries) {
     const missing = entries.filter(e => !content.split("\n").some(line => line.trim() === e));
     if (missing.length === 0)
         return;
-    const block = `\n# GuardVibe / Claude Code (auto-added by guardvibe init)\n${missing.join("\n")}\n`;
+    const block = `\n# GuardVibe (auto-added by guardvibe init)\n${missing.join("\n")}\n`;
     writeFileSync(gitignorePath, content.trimEnd() + block, "utf-8");
     console.log(`  [OK] Added ${missing.join(", ")} to .gitignore`);
 }
@@ -553,9 +592,9 @@ function printUsage() {
     --help, -h            Show this help message
 
   MCP Platforms:
-    claude    Claude Code (.claude.json in project root)
-    gemini    Gemini CLI (~/.gemini/settings.json)
-    cursor    Cursor (.cursor/mcp.json)
+    claude    Claude Code (.claude.json + CLAUDE.md + hooks)
+    cursor    Cursor (.cursor/mcp.json + .cursorrules)
+    gemini    Gemini CLI (~/.gemini/settings.json + GEMINI.md)
     all       All platforms at once
 
   Supported File Types:

package/build/data/rules/core.js

@@ -387,7 +387,7 @@ export const coreRules = [
         compliance: ["SOC2:CC7.1"],
     },
     {
-        id: "VG111",
+        id: "VG120",
         name: "SSRF via User-Controlled URL",
         severity: "high",
         owasp: "A10:2025 Server-Side Request Forgery",
@@ -399,7 +399,7 @@ export const coreRules = [
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
     {
-        id: "VG112",
+        id: "VG121",
         name: "XSS via insertAdjacentHTML",
         severity: "high",
         owasp: "A02:2025 Injection",
@@ -411,7 +411,7 @@ export const coreRules = [
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
     },
     {
-        id: "VG113",
+        id: "VG122",
         name: "XSS/SSRF via XMLHttpRequest",
         severity: "high",
         owasp: "A02:2025 Injection",
@@ -423,7 +423,7 @@ export const coreRules = [
         compliance: ["SOC2:CC7.1"],
     },
     {
-        id: "VG114",
+        id: "VG123",
         name: "SQL Injection via Template Literal",
         severity: "critical",
         owasp: "A02:2025 Injection",
@@ -434,4 +434,28 @@ export const coreRules = [
         fixCode: '// BAD: template literal SQL\ndb.query(`SELECT * FROM users WHERE id = \'${userId}\'`);\n\n// GOOD: parameterized query\ndb.query("SELECT * FROM users WHERE id = $1", [userId]);\n\n// ALSO SAFE: tagged template literal (Prisma/Drizzle)\nimport { sql } from "drizzle-orm";\ndb.execute(sql`SELECT * FROM users WHERE id = ${userId}`);',
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
+    {
+        id: "VG124",
+        name: "Insecure Random for Security Token",
+        severity: "high",
+        owasp: "A02:2025 Cryptographic Failures",
+        description: "Math.random() is used to generate tokens, IDs, codes, or nonces. Math.random() is not cryptographically secure — its output is predictable, allowing attackers to guess reset tokens, session IDs, verification codes, or API keys.",
+        pattern: /(?:(?:token|secret|key|code|nonce|session|reset|verify|otp|password|auth|invite|magic|csrf)\w*\s*=[\s\S]{0,30}?Math\.random|Math\.random\s*\(\s*\)[\s\S]{0,50}?(?:token|secret|key|code|nonce|session|reset|verify|otp|password|auth|invite|magic|csrf))/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use crypto.randomUUID() or crypto.randomBytes() for security-sensitive random values.",
+        fixCode: '// BAD: predictable\nconst token = Math.random().toString(36);\n\n// GOOD: cryptographically secure\nimport { randomUUID, randomBytes } from "crypto";\nconst token = randomUUID();\nconst resetCode = randomBytes(32).toString("hex");\n// Or in browser:\nconst token = crypto.randomUUID();',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.3"],
+    },
+    {
+        id: "VG125",
+        name: "Session Not Regenerated After Authentication",
+        severity: "high",
+        owasp: "A07:2025 Identification and Authentication Failures",
+        description: "User session is not regenerated after login/authentication. This enables session fixation attacks — an attacker can set a known session ID before the user logs in, then hijack their authenticated session.",
+        pattern: /(?:login|signIn|authenticate|logIn)\s*(?:=\s*async|\([\s\S]*?\)\s*(?:=>|{))[\s\S]{0,500}?(?:req\.session\.\w+\s*=)(?:(?!regenerate|destroy|create|rotate)[\s\S]){0,300}?(?:res\.|return|next\()/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Regenerate the session after successful authentication. In Express: req.session.regenerate(). In Next.js: use a new session token.",
+        fixCode: '// Express: regenerate session after login\napp.post("/login", async (req, res) => {\n  const user = await authenticate(req.body);\n  if (!user) return res.status(401).json({ error: "Invalid credentials" });\n  req.session.regenerate((err) => {\n    req.session.userId = user.id;\n    res.json({ ok: true });\n  });\n});',
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
+    },
 ];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.0.3",
+  "version": "2.1.1",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {