guardvibe 2.1.1 → 2.3.7

package/README.md

@@ -5,15 +5,15 @@
 [![Node.js CI](https://github.com/goklab/guardvibe/actions/workflows/ci.yml/badge.svg)](https://github.com/goklab/guardvibe/actions/workflows/ci.yml)
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 
-**The security MCP built for vibe coding.** 277 security rules covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 307 security rules covering the entire AI-generated code journey — from first line to production deployment.
 
-Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-compatible coding agent.
+Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
 ## Why GuardVibe
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **277 security rules** purpose-built for the stacks AI agents generate
+- **307 security rules** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -39,7 +39,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | CVE version detection | 21 packages | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 277 (focused) | 5000+ (broad) | N/A |
+| Rule count | 307 (focused) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -47,29 +47,56 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 
 ## Quick Start
 
-### MCP setup (recommended)
+### Claude Code
 
 ```bash
-npx guardvibe init claude    # Claude Code
-npx guardvibe init cursor    # Cursor
-npx guardvibe init gemini    # Gemini CLI
-npx guardvibe init all       # All platforms
+npx guardvibe init claude
 ```
 
-### Pre-commit hook
+Creates `.claude.json` MCP config, `.claude/settings.json` auto-scan hooks, and `CLAUDE.md` security rules. Restart Claude Code after setup.
+
+### Cursor
 
 ```bash
-npx guardvibe hook install   # Blocks commits with critical/high findings
-npx guardvibe hook uninstall # Remove hook
+npx guardvibe init cursor
 ```
 
-### CI/CD (GitHub Actions)
+Creates `.cursor/mcp.json` and `.cursorrules` with security rules. Restart Cursor after setup.
+
+### Gemini CLI
 
 ```bash
-npx guardvibe ci github      # Generates .github/workflows/guardvibe.yml
+npx guardvibe init gemini
 ```
 
-### Manual MCP config
+Creates `~/.gemini/settings.json` MCP config and `GEMINI.md` security rules.
+
+### Codex (OpenAI)
+
+```bash
+codex mcp add guardvibe -- npx -y guardvibe
+```
+
+### VS Code (GitHub Copilot)
+
+Create `.vscode/mcp.json` in your project:
+
+```json
+{
+  "servers": {
+    "guardvibe": {
+      "command": "npx",
+      "args": ["-y", "guardvibe"]
+    }
+  }
+}
+```
+
+> **Note:** VS Code uses `"servers"`, not `"mcpServers"`.
+
+### Windsurf
+
+Add to `~/.codeium/windsurf/mcp_config.json`:
 
 ```json
 {
@@ -82,6 +109,25 @@ npx guardvibe ci github      # Generates .github/workflows/guardvibe.yml
 }
 ```
 
+### All platforms at once
+
+```bash
+npx guardvibe init all       # Claude + Cursor + Gemini
+```
+
+### Pre-commit hook
+
+```bash
+npx guardvibe hook install   # Blocks commits with critical/high findings
+npx guardvibe hook uninstall # Remove hook
+```
+
+### CI/CD (GitHub Actions)
+
+```bash
+npx guardvibe ci github      # Generates .github/workflows/guardvibe.yml
+```
+
 ## What GuardVibe Scans
 
 ### Application Code
@@ -132,7 +178,7 @@ SOC2, PCI-DSS, HIPAA control mapping with compliance reports
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (22 MCP tools)
+## Tools (25 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -158,34 +204,38 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `scan_config_change` | Compare config file versions to detect security downgrades |
 | `repo_security_posture` | Assess overall repository security posture and map sensitive areas |
 | `explain_remediation` | Get detailed remediation guidance with exploit scenarios and fix strategies |
+| `scan_file` | Real-time single-file scan — designed for post-edit hooks |
+| `scan_changed_files` | Scan only git-changed files — for PRs and incremental CI |
+| `security_stats` | Cumulative security dashboard — scans, fixes, grade trend over time |
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (277 rules across 23 modules)
+## Security Rules (307 rules across 23 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|
-| Core OWASP | 19 | SQL injection, XSS, CSRF, command injection, CORS, SSRF, hardcoded secrets |
-| Next.js App Router | 13 | Server Actions, secret exposure, auth bypass, CSP, redirects |
+| Core OWASP | 38 | SQL injection, XSS, CSRF, command injection, CORS, SSRF, hardcoded secrets |
+| Next.js App Router | 17 | Server Actions, secret exposure, auth bypass, CSP, redirects |
 | Auth (Clerk / Auth.js / Supabase Auth) | 16 | Middleware, secret keys, session storage, role checks, SSR cookies |
-| Database (Supabase / Prisma / Drizzle) | 8 | Raw queries, client exposure, service role leaks |
+| Database (Supabase / Prisma / Drizzle) | 10 | Raw queries, client exposure, service role leaks |
 | OWASP API Security | 10 | BOLA/IDOR, mass assignment, pagination, rate limiting, error leaks |
-| Modern Stack | 30 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK |
-| Deployment Config | 16 | Vercel, Next.js config, Docker Compose, Fly, Render, Netlify |
+| Modern Stack | 36 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK |
+| Deployment Config | 20 | Vercel, Next.js config, Docker Compose, Fly, Render, Netlify, Cloudflare |
 | Payments (Stripe / Polar / Lemon) | 9 | Webhook signatures, key exposure, price manipulation |
 | Services (Resend / Upstash / Pinecone / PostHog) | 11 | API key leaks, PII tracking, email injection |
-| Web Security | 14 | Webhooks, CSP, .env safety, AI key exposure, Cloudflare |
+| Web Security | 15 | Webhooks, CSP, .env safety, AI key exposure, cookie handling |
 | React Native / Expo | 10 | AsyncStorage secrets, deep links, ATS, hardcoded URLs |
 | Firebase | 7 | Firestore rules, admin SDK, storage, custom tokens |
-| AI / LLM Security | 14 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
-| CVE Version Intelligence | 20 | Known vulnerable versions in package.json (21 CVEs) |
+| AI / LLM Security | 16 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
+| CVE Version Intelligence | 21 | Known vulnerable versions in package.json (21 CVEs) |
 | Shell / Bash | 5 | Pipe to bash, chmod 777, rm -rf, sudo password |
 | SQL | 4 | DROP/DELETE without WHERE, stacked queries, GRANT ALL |
-| Supply Chain | 2 | Malicious install scripts, unpinned actions |
+| Supply Chain | 10 | Malicious install scripts, unpinned actions, typosquat detection |
 | Go | 6 | SQL injection, command injection, template escaping |
-| Dockerfile | 5 | Root user, secrets in ENV, untagged images |
-| CI/CD (GitHub Actions) | 4 | Secrets interpolation, unpinned actions, write-all permissions |
-| Terraform | 5 | Public S3, open security groups, IAM wildcards |
+| Dockerfile | 7 | Root user, secrets in ENV, untagged images, non-root user |
+| CI/CD (GitHub Actions) | 7 | Secrets interpolation, unpinned actions, write-all permissions |
+| Terraform | 6 | Public S3, open security groups, IAM wildcards |
+| Advanced Security | 21 | ReDoS, CRLF injection, race conditions, XXE, brute force, audit logging |
 | Other Services | 5 | AWS, GCP, MongoDB, Convex, Sentry, Twilio |
 
 ## CLI Commands
@@ -304,6 +354,23 @@ app.get("/api/health", (req, res) => res.json({ ok: true }));
 
 Supports `//`, `#`, and `<!-- -->` comment styles.
 
+## GuardVibe Scans Itself
+
+We run GuardVibe on its own codebase. In v2.3.2, GuardVibe caught a **HIGH severity ReDoS vulnerability** in its own `policy-check.ts` — a regex injection risk that the developer missed during code review.
+
+```
+$ guardvibe scan_directory src/
+  Files scanned: 64
+  Scan duration: 102ms
+  Grade: B (89/100)
+
+  [HIGH] ReDoS via User-Controlled RegExp (VG107)
+    File: src/tools/policy-check.ts:47
+    Fix: escape regex metacharacters before passing to RegExp constructor
+```
+
+The vulnerability was fixed in the same session. This is exactly the workflow GuardVibe enables: catch what humans miss, fix before it ships.
+
 ## How It Works
 
 ```

package/build/cli.js

@@ -78,6 +78,14 @@ const SECURITY_RULES = `## Security Rules (enforced by GuardVibe MCP)
 - When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
 - BEFORE creating a PR: use scan_changed_files to review all changes
 
+### Scan visibility — ALWAYS report GuardVibe results to the user
+- AFTER every scan: ALWAYS tell the user the GuardVibe result, even when clean
+- When issues found: "GuardVibe: [count] issues found ([severity]). Fixing..."
+- When clean: "GuardVibe: scanned [filename] — no issues found."
+- Include the summary stats line from scan output when present
+- NEVER silently consume scan results — the user must see that GuardVibe is protecting their code
+- Periodically (every ~10 scans or at session start): run security_stats tool and share the dashboard with the user
+
 ### Writing secure code
 - Every API route handler MUST have auth check before DB access
 - Every POST endpoint MUST have input validation (zod/joi schema)
@@ -108,6 +116,8 @@ function setupSecurityGuide(platformName) {
         gemini: ["GEMINI.md"],
     };
     const entries = gitignoreEntries[platformName] || [];
+    // Always add .guardvibe/ (stats directory) to .gitignore
+    entries.push(".guardvibe/");
     if (entries.length > 0)
         addToGitignore(entries);
 }

package/build/data/rules/advanced-security.d.ts

@@ -0,0 +1,2 @@
+import type { SecurityRule } from "./types.js";
+export declare const advancedSecurityRules: SecurityRule[];

package/build/data/rules/advanced-security.js

@@ -0,0 +1,274 @@
+// Advanced security rules that catch patterns AI assistants commonly generate
+// These cover gaps in OWASP Top 10, CWE Top 25, and OWASP API Security Top 10
+export const advancedSecurityRules = [
+    // ── HTTP Response Header Injection (CWE-113) ─────────────────────
+    {
+        id: "VG130",
+        name: "HTTP Response Header Injection",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "User input is interpolated into HTTP response headers. Attackers can inject CRLF characters to add arbitrary headers (Set-Cookie, Location) or split the response.",
+        pattern: /(?:setHeader|set|append|headers\.set)\s*\(\s*["'][^"']+["']\s*,\s*(?:`[^`]*\$\{|[^"']*\+\s*(?:req\.|request\.|params\.|query\.|searchParams|input|body|user))/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Never interpolate user input into response headers. Sanitize by removing \\r and \\n characters.",
+        fixCode: '// Sanitize header values\nconst safeValue = userInput.replace(/[\\r\\n]/g, "");\nres.setHeader("Content-Disposition", `attachment; filename="${safeValue}"`);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    // ── CSRF via State-Changing GET (CWE-352) ─────────────────────────
+    {
+        id: "VG131",
+        name: "State-Changing GET Request",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "GET handler performs database mutations (delete, update, create). GET requests should be idempotent and safe. State-changing operations in GET handlers are vulnerable to CSRF via img tags, link prefetching, and browser preloading.",
+        pattern: /export\s+(?:async\s+)?function\s+GET\s*\([^)]*\)\s*\{[\s\S]{0,1000}?(?:\.delete\s*\(|\.update\s*\(|\.create\s*\(|\.destroy\s*\(|\.remove\s*\(|\.insert\s*\(|DELETE\s+FROM|UPDATE\s+|INSERT\s+INTO)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Move state-changing operations to POST/PUT/DELETE handlers. GET should only read data.",
+        fixCode: '// BAD: mutation in GET\nexport async function GET(req: Request) {\n  await db.post.delete({ where: { id } }); // CSRF risk!\n}\n\n// GOOD: use POST/DELETE\nexport async function DELETE(req: Request) {\n  await db.post.delete({ where: { id } });\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    // ── Missing Request Body Size Limit ───────────────────────────────
+    {
+        id: "VG132",
+        name: "Missing Request Body Size Limit",
+        severity: "medium",
+        owasp: "API4:2023 Unrestricted Resource Consumption",
+        description: "API endpoint reads request body without size limit. Attackers can send multi-gigabyte payloads to exhaust server memory and cause denial of service.",
+        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH)\s*\([^)]*\)\s*\{(?:(?!content-length|maxBodySize|limit|MAX_)[\s\S]){5,}?(?:req\.json|req\.text|req\.body|req\.formData|request\.json|request\.text)\s*\(\s*\)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Check Content-Length header before parsing body, or use a body parser with size limit.",
+        fixCode: '// Check body size before parsing\nexport async function POST(req: Request) {\n  const contentLength = parseInt(req.headers.get("content-length") || "0");\n  if (contentLength > 1024 * 1024) { // 1MB limit\n    return new Response("Payload too large", { status: 413 });\n  }\n  const body = await req.json();\n}',
+        compliance: ["SOC2:CC7.1"],
+    },
+    // ── Race Condition in Check-Then-Act ──────────────────────────────
+    {
+        id: "VG133",
+        name: "Race Condition: Check-Then-Act Without Transaction",
+        severity: "high",
+        owasp: "A04:2025 Insecure Design",
+        description: "Code reads a value, checks a condition, then updates based on the check — without a database transaction. Two concurrent requests can both pass the check before either writes, leading to double-spending, overselling, or duplicate operations.",
+        pattern: /(?:findUnique|findFirst|findOne|findById)\s*\([\s\S]{0,200}?\)\s*;?\s*\n[\s\S]{0,300}?if\s*\([\s\S]{0,200}?\)\s*\{[\s\S]{0,500}?(?:\.update\s*\(|\.delete\s*\(|\.decrement|\.increment)(?:(?!\$transaction|\.transaction|BEGIN|SERIALIZABLE|FOR UPDATE|NOWAIT)[\s\S]){0,300}?\}/g,
+        languages: ["javascript", "typescript"],
+        fix: "Wrap check-then-act sequences in a database transaction, or use atomic operations (e.g., UPDATE WHERE balance >= amount).",
+        fixCode: '// BAD: race condition\nconst account = await db.account.findUnique({ where: { id } });\nif (account.balance >= 100) {\n  await db.account.update({ where: { id }, data: { balance: { decrement: 100 } } });\n}\n\n// GOOD: atomic transaction\nawait db.$transaction(async (tx) => {\n  const account = await tx.account.findUnique({ where: { id } });\n  if (account.balance < 100) throw new Error("Insufficient");\n  await tx.account.update({ where: { id }, data: { balance: { decrement: 100 } } });\n});',
+        compliance: ["SOC2:CC7.1"],
+    },
+    // ── WebSocket Without Authentication ──────────────────────────────
+    {
+        id: "VG134",
+        name: "WebSocket Connection Without Authentication",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "WebSocket server accepts connections without verifying authentication. Any client can connect and receive or send data.",
+        pattern: /(?:WebSocketServer|WebSocket\.Server|new\s+Server)\s*\([\s\S]{0,200}?\)[\s\S]{0,300}?\.on\s*\(\s*["']connection["'][\s\S]{0,500}?(?:(?!auth|token|verify|session|cookie|jwt|bearer)[\s\S]){10,}?\.on\s*\(\s*["']message["']/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Verify authentication token in the WebSocket upgrade request or first message.",
+        fixCode: '// Verify auth on connection\nwss.on("connection", (ws, req) => {\n  const token = new URL(req.url!, "http://localhost").searchParams.get("token");\n  if (!verifyToken(token)) { ws.close(1008, "Unauthorized"); return; }\n  ws.on("message", (msg) => { /* handle */ });\n});',
+        compliance: ["SOC2:CC6.6"],
+    },
+    // ── SSE/Streaming Without Authentication ──────────────────────────
+    {
+        id: "VG135",
+        name: "Server-Sent Events Without Authentication",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Server-Sent Events endpoint streams data without authentication check. Anyone can subscribe and receive real-time updates.",
+        pattern: /["']text\/event-stream["'][\s\S]{0,500}?(?:export\s+(?:async\s+)?function\s+GET|new\s+Response\s*\()(?:(?!auth\s*\(|getServerSession|currentUser|verifyToken|session|protect)[\s\S]){5,}/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Add authentication check before establishing SSE connection.",
+        compliance: ["SOC2:CC6.6"],
+    },
+    // ── postMessage Without Origin Check ──────────────────────────────
+    {
+        id: "VG136",
+        name: "postMessage Handler Without Origin Validation",
+        severity: "high",
+        owasp: "A07:2025 Cross-Site Scripting",
+        description: "Window message event handler processes data without checking event.origin. Any page (including malicious iframes) can send messages to this handler.",
+        pattern: /addEventListener\s*\(\s*["']message["']\s*,\s*(?:async\s+)?(?:\([^)]*\)|(?:event|e|evt|msg))\s*(?:=>|{)(?:(?!\.origin|event\.source)[\s\S]){5,}?(?:JSON\.parse|\.data|innerHTML|setState|dispatch|update|execute)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Always check event.origin against trusted origins before processing message data.",
+        fixCode: '// Always validate origin\nwindow.addEventListener("message", (event) => {\n  if (event.origin !== "https://trusted.example.com") return;\n  const data = JSON.parse(event.data);\n  processData(data);\n});',
+        compliance: ["SOC2:CC7.1"],
+    },
+    // ── Debug/Internal Endpoint Exposed ───────────────────────────────
+    {
+        id: "VG137",
+        name: "Debug Endpoint Exposes System Information",
+        severity: "critical",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Route exposes system internals (process.env, process.memoryUsage, os.cpus, debug data) that help attackers map the infrastructure.",
+        pattern: /(?:\/debug|\/internal|\/_internal|\/test|\/dev)\b[\s\S]{0,300}?(?:process\.env|process\.memoryUsage|os\.cpus|os\.hostname|process\.uptime|process\.version)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Remove debug endpoints from production code, or protect them with authentication and restrict to internal networks.",
+        compliance: ["SOC2:CC6.1"],
+    },
+    // ── Plaintext Password Comparison ─────────────────────────────────
+    {
+        id: "VG138",
+        name: "Plaintext Password Comparison",
+        severity: "critical",
+        owasp: "A02:2025 Cryptographic Failures",
+        description: "Password is compared using direct string equality (=== or ==) instead of a hashing function. This means passwords are stored or transmitted in plaintext.",
+        pattern: /(?:password|passwd|pwd)\s*(?:===|!==|==|!=)\s*(?:(?:req|request|body|input|data|form|user)[\.\[]|["'])/gi,
+        languages: ["javascript", "typescript", "python"],
+        fix: "Never compare passwords directly. Use bcrypt.compare() or argon2.verify() to compare against hashed passwords.",
+        fixCode: '// BAD: plaintext comparison\nif (user.password === inputPassword) { ... }\n\n// GOOD: hash comparison\nimport bcrypt from "bcrypt";\nconst valid = await bcrypt.compare(inputPassword, user.passwordHash);\nif (!valid) return new Response("Invalid", { status: 401 });',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req8"],
+    },
+    // ── TLS Certificate Verification Disabled ─────────────────────────
+    {
+        id: "VG139",
+        name: "TLS Certificate Verification Disabled",
+        severity: "critical",
+        owasp: "A02:2025 Cryptographic Failures",
+        description: "TLS certificate verification is disabled, allowing man-in-the-middle attacks. All HTTPS connections become insecure.",
+        pattern: /(?:NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']0["']|rejectUnauthorized\s*:\s*false|verify\s*=\s*False|InsecureSkipVerify\s*:\s*true)/gi,
+        languages: ["javascript", "typescript", "python", "go"],
+        fix: "Never disable TLS verification in production. Fix certificate issues instead.",
+        fixCode: '// BAD: disables all TLS verification\n// process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";\n// const agent = new https.Agent({ rejectUnauthorized: false });\n\n// GOOD: fix the certificate issue\n// - Use valid certificates (Let\'s Encrypt)\n// - Add CA certificate to Node: --use-openssl-ca\n// - For self-signed dev certs: only disable in NODE_ENV=development',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1"],
+    },
+    // ── XXE (XML External Entity) ─────────────────────────────────────
+    {
+        id: "VG140",
+        name: "XML Parsing Without Disabling External Entities",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "XML is parsed without disabling external entity resolution. Attackers can use XXE to read local files, perform SSRF, or cause denial of service.",
+        pattern: /(?:parseStringPromise|parseString|DOMParser|xml2js|xmldom|libxmljs|(?:fast-xml-parser|XMLParser))\s*[\.(](?:(?!processExternalEntities\s*:\s*false|noent\s*:\s*false|resolveExternals\s*:\s*false|entityMode|FORBID_DTD)[\s\S]){5,}?(?:req\.|request\.|body|input|data|text)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Disable external entity processing in your XML parser configuration.",
+        fixCode: '// xml2js: external entities disabled by default (safe)\nimport { parseStringPromise } from "xml2js";\nconst result = await parseStringPromise(xmlInput);\n\n// fast-xml-parser: safe by default\nimport { XMLParser } from "fast-xml-parser";\nconst parser = new XMLParser({ processEntities: false });\nconst result = parser.parse(xmlInput);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    // ── YAML Unsafe Load ──────────────────────────────────────────────
+    {
+        id: "VG141",
+        name: "YAML Parsed with Unsafe Loader",
+        severity: "high",
+        owasp: "A08:2025 Software and Data Integrity Failures",
+        description: "YAML is parsed using an unsafe loader that can execute arbitrary code via !!js/function, !!python/object, or other language-specific tags.",
+        pattern: /yaml\.(?:load|unsafeLoad)\s*\(\s*(?![\s\S]{0,30}?(?:JSON_SCHEMA|FAILSAFE_SCHEMA|CORE_SCHEMA|safeLoad))/gi,
+        languages: ["javascript", "typescript", "python"],
+        fix: "Use yaml.safeLoad() or yaml.load(input, { schema: yaml.JSON_SCHEMA }).",
+        fixCode: '// BAD: allows code execution\n// yaml.load(userInput)\n\n// GOOD: safe schema\nimport yaml from "js-yaml";\nconst config = yaml.load(userInput, { schema: yaml.JSON_SCHEMA });',
+        compliance: ["SOC2:CC7.1"],
+    },
+    // ── Missing Subresource Integrity ─────────────────────────────────
+    {
+        id: "VG142",
+        name: "External Script Without Subresource Integrity",
+        severity: "medium",
+        owasp: "A08:2025 Software and Data Integrity Failures",
+        description: "External script loaded from CDN without integrity attribute. If the CDN is compromised, malicious code executes in your users' browsers.",
+        pattern: /<script\s+[^>]*src\s*=\s*["']https?:\/\/(?:(?!integrity)[\s\S])*?>/gi,
+        languages: ["html", "javascript", "typescript"],
+        fix: "Add integrity and crossorigin attributes to external script tags.",
+        fixCode: '<!-- Add SRI hash -->\n<script\n  src="https://cdn.example.com/lib.js"\n  integrity="sha384-HASH_HERE"\n  crossorigin="anonymous"\n></script>\n\n<!-- Generate hash: openssl dgst -sha384 -binary lib.js | base64 -->',
+        compliance: ["SOC2:CC7.1"],
+    },
+    // ── CSP Missing frame-ancestors ───────────────────────────────────
+    {
+        id: "VG143",
+        name: "CSP Missing frame-ancestors Directive",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Content-Security-Policy is set but lacks frame-ancestors directive. Without it, the page can be embedded in malicious iframes for clickjacking attacks. frame-ancestors supersedes X-Frame-Options.",
+        pattern: /Content-Security-Policy["']\s*[,:]\s*["'][^"']*(?:default-src|script-src)(?:(?!frame-ancestors)[^"'])*["']/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Add frame-ancestors 'self' to your Content-Security-Policy header.",
+        fixCode: '// Add frame-ancestors to CSP\nheaders: [\n  {\n    key: "Content-Security-Policy",\n    value: "default-src \'self\'; frame-ancestors \'self\'; script-src \'self\'"\n  }\n]',
+        compliance: ["SOC2:CC6.1"],
+    },
+    // ── Missing Referrer-Policy ───────────────────────────────────────
+    {
+        id: "VG144",
+        name: "Missing Referrer-Policy Header",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Security headers are configured but Referrer-Policy is missing. Without it, the full URL (including query parameters with tokens/IDs) is sent to external sites in the Referer header.",
+        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{10,}?(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)(?:(?!Referrer-Policy)[\s\S]){10,}?\}/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add Referrer-Policy: strict-origin-when-cross-origin to your security headers.",
+        fixCode: '{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" }',
+        compliance: ["SOC2:CC6.1"],
+    },
+    // ── Missing Permissions-Policy ────────────────────────────────────
+    {
+        id: "VG145",
+        name: "Missing Permissions-Policy Header",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Security headers are configured but Permissions-Policy is missing. Without it, embedded iframes and scripts can access camera, microphone, geolocation, and other sensitive browser APIs.",
+        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{10,}?(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)(?:(?!Permissions-Policy)[\s\S]){10,}?\}/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add Permissions-Policy header to restrict browser API access.",
+        fixCode: '{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" }',
+        compliance: ["SOC2:CC6.1"],
+    },
+    // ── Unquoted .env Value ───────────────────────────────────────────
+    {
+        id: "VG146",
+        name: "Unquoted .env Value with Special Characters",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Environment variable value contains special characters but is not quoted. This can cause parsing errors or shell injection when the .env file is sourced.",
+        pattern: /^[A-Z_]+=(?:[^"'\s]*[@#$&|;`\\(){}[\]!<>^~*?])/gm,
+        languages: ["shell"],
+        fix: "Quote .env values that contain special characters.",
+        fixCode: '# BAD: unquoted special characters\nDATABASE_URL=postgres://user:p@ss@host/db\n\n# GOOD: quoted\nDATABASE_URL="postgres://user:p@ss@host/db"',
+        compliance: ["SOC2:CC6.1"],
+    },
+    // ── Audit Logging Missing for Critical Operations ─────────────────
+    {
+        id: "VG147",
+        name: "Critical Operation Without Audit Logging",
+        severity: "medium",
+        owasp: "A09:2025 Security Logging and Monitoring Failures",
+        description: "Destructive database operation (delete user, change role, update payment) has no audit logging. Without audit trails, security incidents cannot be investigated.",
+        pattern: /(?:deleteUser|deleteAccount|updateRole|changeRole|cancelSubscription|refund|transferFunds|resetPassword|changePassword|deleteOrg|removeUser|banUser|suspendUser|updatePermission)\s*(?:=\s*async|\([\s\S]*?\)\s*(?:=>|{))[\s\S]{0,500}?(?:\.delete\s*\(|\.update\s*\(|\.destroy\s*\()(?:(?!console\.log|logger\.|audit\.|log\.|createAuditLog|logAction|trackEvent|analytics)[\s\S]){0,300}?(?:return|Response)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Add audit logging for all critical operations: who did what, when, and to whom.",
+        fixCode: 'async function deleteUser(targetId: string) {\n  const { userId } = await auth();\n  await db.user.delete({ where: { id: targetId } });\n  // Audit log\n  await db.auditLog.create({\n    data: { action: "DELETE_USER", actorId: userId, targetId, timestamp: new Date() }\n  });\n}',
+        compliance: ["SOC2:CC7.2", "HIPAA:§164.312(b)", "GDPR:Art30"],
+    },
+    // ── Login Without Brute Force Protection ──────────────────────────
+    {
+        id: "VG148",
+        name: "Login Endpoint Without Brute Force Protection",
+        severity: "high",
+        owasp: "A07:2025 Identification and Authentication Failures",
+        description: "Login/authentication endpoint compares passwords without rate limiting or account lockout. Attackers can try unlimited password combinations.",
+        pattern: /(?:signIn|login|authenticate|logIn)\b[\s\S]{0,500}?(?:bcrypt\.compare|argon2\.verify|compare|verify)[\s\S]{0,300}?(?:(?!rateLimit|limiter|throttle|lockout|maxAttempts|failedAttempts|loginAttempts|Ratelimit)[\s\S]){5,}?(?:return|Response|res\.)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Add rate limiting and account lockout to login endpoints.",
+        fixCode: '// Add rate limiting to login\nimport { Ratelimit } from "@upstash/ratelimit";\nconst loginLimiter = new Ratelimit({\n  redis: Redis.fromEnv(),\n  limiter: Ratelimit.slidingWindow(5, "15 m"), // 5 attempts per 15 min\n});\n\nconst { success } = await loginLimiter.limit(email);\nif (!success) return new Response("Too many attempts", { status: 429 });',
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req8"],
+    },
+    // ── Multi-Tenant Data Leak ────────────────────────────────────────
+    {
+        id: "VG149",
+        name: "Multi-Tenant Query Without Tenant Scoping",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Endpoint authenticates a user/org but queries the database without filtering by tenant ID. Returns data from ALL tenants instead of only the authenticated tenant's data.",
+        pattern: /(?:orgId|tenantId|organizationId|org_id|tenant_id)\s*[\s\S]{0,200}?(?:findMany|findAll|getAll|fetchAll)\s*\(\s*(?:\{(?:(?!orgId|tenantId|organizationId|org_id|tenant_id)[\s\S]){5,}?\}|\s*\))/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Always include the tenant/org ID in the WHERE clause of every query.",
+        fixCode: '// BAD: returns all tenants\' data\nconst { orgId } = await auth();\nconst items = await db.item.findMany(); // missing orgId filter!\n\n// GOOD: scoped to tenant\nconst items = await db.item.findMany({ where: { orgId } });',
+        compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
+    },
+    // ── Lockfile in .gitignore ────────────────────────────────────────
+    {
+        id: "VG150",
+        name: "Package Lockfile Excluded from Git",
+        severity: "high",
+        owasp: "A08:2025 Software and Data Integrity Failures",
+        description: "package-lock.json, yarn.lock, or pnpm-lock.yaml is in .gitignore. Without a committed lockfile, builds are non-reproducible and vulnerable to dependency confusion and supply chain attacks.",
+        pattern: /^(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml)\s*$/gm,
+        languages: ["shell"],
+        fix: "Remove the lockfile from .gitignore and commit it to the repository.",
+        compliance: ["SOC2:CC7.1"],
+    },
+];

package/build/data/rules/index.js

@@ -20,6 +20,7 @@ import { supplyChainRules } from "./supply-chain.js";
 import { cveVersionRules } from "./cve-versions.js";
 import { apiSecurityRules } from "./api-security.js";
 import { modernStackRules } from "./modern-stack.js";
+import { advancedSecurityRules } from "./advanced-security.js";
 import { enrichRulesWithCompliance } from "../compliance-metadata.js";
 export const owaspRules = enrichRulesWithCompliance([
     ...coreRules,
@@ -44,6 +45,7 @@ export const owaspRules = enrichRulesWithCompliance([
     ...cveVersionRules,
     ...apiSecurityRules,
     ...modernStackRules,
+    ...advancedSecurityRules,
 ]);
 // Alias for clarity — these are the built-in rules without plugins
 export const builtinRules = owaspRules;

package/build/index.js

@@ -31,6 +31,8 @@ import { discoverPlugins } from "./plugins/loader.js";
 import { builtinRules } from "./data/rules/index.js";
 import { loadConfig } from "./utils/config.js";
 import { setRules, getRules } from "./utils/rule-registry.js";
+import { recordScan, recordFix, recordSecrets, recordDependencyCVEs, recordGrade, getSummaryLine } from "./lib/stats.js";
+import { securityStats } from "./tools/security-stats.js";
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
@@ -49,8 +51,12 @@ server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top
 }, async ({ code, language, framework, format }) => {
     const rules = getRules();
     const results = checkCode(code, language, framework, undefined, undefined, format, rules);
+    const findings = analyzeCode(code, language, framework, undefined, undefined, rules);
+    const cwd = process.cwd();
+    recordScan(cwd, { toolName: "check_code", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
+    const summary = getSummaryLine(cwd, findings.length, format);
     return {
-        content: [{ type: "text", text: results }],
+        content: [{ type: "text", text: results + summary }],
     };
 });
 // Tool 2: Scan entire project for security vulnerabilities
@@ -65,8 +71,25 @@ server.tool("check_project", "Scan multiple files for security vulnerabilities a
 }, async ({ files, format }) => {
     const rules = getRules();
     const results = checkProject(files, format, rules);
+    let findingCount = 0;
+    const cwd = process.cwd();
+    try {
+        const parsed = JSON.parse(results);
+        findingCount = parsed?.summary?.total ?? 0;
+        const grade = parsed?.summary?.grade;
+        const score = parsed?.summary?.score;
+        if (grade && score != null)
+            recordGrade(cwd, grade, score);
+        recordScan(cwd, { toolName: "check_project", filesScanned: files.length, findings: (parsed?.findings ?? []).map((f) => ({ severity: f.severity, ruleId: f.id })) });
+    }
+    catch {
+        const m = /Issues found:\s*(\d+)/.exec(results);
+        findingCount = m ? parseInt(m[1], 10) : 0;
+        recordScan(cwd, { toolName: "check_project", filesScanned: files.length, findings: [] });
+    }
+    const summary = getSummaryLine(cwd, findingCount, format);
     return {
-        content: [{ type: "text", text: results }],
+        content: [{ type: "text", text: results + summary }],
     };
 });
 // Tool 3: Get security documentation and best practices (renumbered from Tool 2)
@@ -117,7 +140,26 @@ server.tool("scan_directory", "Scan an entire project directory for security vul
 }, async ({ path, recursive, exclude, format, baseline }) => {
     const rules = getRules();
     const results = scanDirectory(path, recursive, exclude, format, rules, baseline);
-    return { content: [{ type: "text", text: results }] };
+    // Record stats from scan_directory results
+    let findingCount = 0;
+    const { resolve: resolvePath } = await import("path");
+    const root = resolvePath(path);
+    try {
+        const parsed = JSON.parse(results);
+        findingCount = parsed?.summary?.total ?? 0;
+        const grade = parsed?.summary?.grade;
+        const score = parsed?.summary?.score;
+        if (grade && score != null)
+            recordGrade(root, grade, score);
+        recordScan(root, { toolName: "scan_directory", filesScanned: parsed?.metadata?.filesScanned ?? 0, findings: (parsed?.findings ?? []).map((f) => ({ severity: f.severity, ruleId: f.id })) });
+    }
+    catch {
+        const m = /Issues found:\s*(\d+)/.exec(results);
+        findingCount = m ? parseInt(m[1], 10) : 0;
+        recordScan(root, { toolName: "scan_directory", filesScanned: 0, findings: [] });
+    }
+    const summary = getSummaryLine(root, findingCount, format);
+    return { content: [{ type: "text", text: results + summary }] };
 });
 // Tool 6: Scan manifest/lockfile for dependency vulnerabilities
 server.tool("scan_dependencies", "Parse a lockfile or manifest (package.json, package-lock.json, requirements.txt, go.mod) and check all dependencies for known CVEs via the OSV database. Reads the file directly.", {
@@ -125,6 +167,19 @@ server.tool("scan_dependencies", "Parse a lockfile or manifest (package.json, pa
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ manifest_path, format }) => {
     const results = await scanDependencies(manifest_path, format);
+    // Record dependency CVE stats
+    const { resolve: resolvePath, dirname } = await import("path");
+    const root = dirname(resolvePath(manifest_path));
+    try {
+        const parsed = JSON.parse(results);
+        const cveCount = parsed?.summary?.total ?? 0;
+        if (cveCount > 0)
+            recordDependencyCVEs(root, cveCount);
+        recordScan(root, { toolName: "scan_dependencies", filesScanned: 1, findings: (parsed?.packages ?? []).flatMap((p) => (p.vulnerabilities ?? []).map((v) => ({ severity: v.severity, ruleId: `DEP-${p.name}` }))) });
+    }
+    catch {
+        recordScan(root, { toolName: "scan_dependencies", filesScanned: 1, findings: [] });
+    }
     return { content: [{ type: "text", text: results }] };
 });
 // Tool 7: Scan for leaked secrets, API keys, and credentials
@@ -134,6 +189,20 @@ server.tool("scan_secrets", "Scan files and directories for leaked secrets, API
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ path, recursive, format }) => {
     const results = scanSecrets(path, recursive, format);
+    // Record secret findings
+    let secretCount = 0;
+    try {
+        const parsed = JSON.parse(results);
+        secretCount = parsed?.summary?.total ?? 0;
+    }
+    catch {
+        const m = /Secrets found:\s*(\d+)/.exec(results);
+        secretCount = m ? parseInt(m[1], 10) : 0;
+    }
+    const { resolve: resolvePath } = await import("path");
+    if (secretCount > 0)
+        recordSecrets(resolvePath(path), secretCount);
+    recordScan(resolvePath(path), { toolName: "scan_secrets", filesScanned: 0, findings: [] });
     return { content: [{ type: "text", text: results }] };
 });
 // Tool 8: Scan git-staged files before committing
@@ -141,8 +210,21 @@ server.tool("scan_staged", "Scan git-staged files for security vulnerabilities b
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ format }) => {
     const rules = getRules();
-    const results = scanStaged(process.cwd(), format, rules);
-    return { content: [{ type: "text", text: results }] };
+    const cwd = process.cwd();
+    const results = scanStaged(cwd, format, rules);
+    let findingCount = 0;
+    try {
+        const parsed = JSON.parse(results);
+        findingCount = parsed?.summary?.total ?? 0;
+        recordScan(cwd, { toolName: "scan_staged", filesScanned: parsed?.summary?.stagedFiles ?? 0, findings: (parsed?.findings ?? []).map((f) => ({ severity: f.severity, ruleId: f.id })) });
+    }
+    catch {
+        const m = /Issues found:\s*(\d+)/.exec(results);
+        findingCount = m ? parseInt(m[1], 10) : 0;
+        recordScan(cwd, { toolName: "scan_staged", filesScanned: 0, findings: [] });
+    }
+    const summary = getSummaryLine(cwd, findingCount, format);
+    return { content: [{ type: "text", text: results + summary }] };
 });
 // Tool 9: Generate compliance-focused security report
 server.tool("compliance_report", "Generate a compliance-focused security report mapped to SOC2, PCI-DSS, HIPAA, GDPR, or ISO27001 controls. Scans a directory and groups findings by compliance control. Includes exploit scenarios and audit evidence for each finding. Use mode=executive for a C-level summary.", {
@@ -185,6 +267,14 @@ server.tool("fix_code", "Analyze code for security vulnerabilities and return fi
 }, async ({ code, language, framework, format }) => {
     const rules = getRules();
     const results = fixCode(code, language, framework, undefined, format, rules);
+    // Record fix stats
+    try {
+        const parsed = JSON.parse(results);
+        const fixCount = parsed?.total ?? 0;
+        if (fixCount > 0)
+            recordFix(process.cwd(), fixCount);
+    }
+    catch { /* markdown format — skip */ }
     return {
         content: [{ type: "text", text: results }],
     };
@@ -312,7 +402,11 @@ server.tool("scan_file", "Scan a single file from disk for security vulnerabilit
     }
     const rules = getRules();
     const result = checkCode(content, language, undefined, resolved, dirname(resolved), format, rules);
-    return { content: [{ type: "text", text: result }] };
+    const findings = analyzeCode(content, language, undefined, resolved, dirname(resolved), rules);
+    const cwd = dirname(resolved);
+    recordScan(cwd, { toolName: "scan_file", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
+    const summary = getSummaryLine(cwd, findings.length, format);
+    return { content: [{ type: "text", text: result + summary }] };
 });
 // Tool 24: Scan changed files only — for incremental CI/CD and PR workflows
 server.tool("scan_changed_files", "Scan only files that have changed since a given git ref (branch, commit, or HEAD~N). Ideal for PR checks, pre-push hooks, and incremental CI. Returns findings only for modified/added files.", {
@@ -366,6 +460,9 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
         }
         catch { /* skip unreadable files */ }
     }
+    // Record stats
+    recordScan(root, { toolName: "scan_changed_files", filesScanned: changedFiles.length, findings: allFindings.map(f => ({ severity: f.severity, ruleId: f.id })) });
+    const statsSummary = getSummaryLine(root, allFindings.length, format);
     if (format === "json") {
         const critical = allFindings.filter(f => f.severity === "critical").length;
         const high = allFindings.filter(f => f.severity === "high").length;
@@ -373,7 +470,7 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
         return { content: [{ type: "text", text: JSON.stringify({
                         summary: { total: allFindings.length, critical, high, medium, low: 0, blocked: critical > 0 || high > 0, changedFiles: changedFiles.length },
                         findings: allFindings,
-                    }) }] };
+                    }) + statsSummary }] };
     }
     // Markdown
     const lines = [`# GuardVibe Changed Files Report`, ``, `Base: ${base}`, `Changed files: ${changedFiles.length}`, `Issues found: ${allFindings.length}`, ``];
@@ -387,7 +484,18 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
             lines.push(`- [${f.severity.toUpperCase()}] **${f.name}** (${f.id}) in \`${f.file}\`:${f.line} — ${f.fix}`);
         }
     }
-    return { content: [{ type: "text", text: lines.join("\n") }] };
+    return { content: [{ type: "text", text: lines.join("\n") + statsSummary }] };
+});
+// Tool 25: Security statistics dashboard
+server.tool("security_stats", "Show cumulative security statistics, grade trend, and vulnerability fix progress for this project. Use this to demonstrate the value of GuardVibe security scanning over time. Data is stored locally in .guardvibe/stats.json.", {
+    path: z.string().default(".").describe("Project root path"),
+    period: z.enum(["week", "month", "all"]).default("month").describe("Time period for stats"),
+    format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
+}, async ({ path: projectPath, period, format }) => {
+    const { resolve: resolvePath } = await import("path");
+    const root = resolvePath(projectPath);
+    const results = securityStats(root, period, format);
+    return { content: [{ type: "text", text: results }] };
 });
 export async function startMcpServer() {
     return main();

package/build/lib/stats.d.ts

@@ -0,0 +1,53 @@
+export interface MonthlyStats {
+    scans: number;
+    filesScanned: number;
+    findingsTotal: number;
+    findingsFixed: number;
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+}
+export interface GradeEntry {
+    date: string;
+    grade: string;
+    score: number;
+}
+export interface StatsData {
+    version: number;
+    firstScan: string;
+    lastScan: string;
+    totals: {
+        scans: number;
+        filesScanned: number;
+        findingsTotal: number;
+        findingsFixed: number;
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        autoFixesApplied: number;
+        secretsCaught: number;
+        dependencyCVEs: number;
+    };
+    monthly: Record<string, MonthlyStats>;
+    tools: Record<string, number>;
+    topRules: Record<string, number>;
+    grades: GradeEntry[];
+}
+export declare function loadStats(projectRoot: string): StatsData;
+export interface ScanResult {
+    toolName: string;
+    filesScanned: number;
+    findings: Array<{
+        severity: string;
+        ruleId: string;
+    }>;
+}
+export declare function recordScan(projectRoot: string, result: ScanResult): void;
+export declare function recordFix(projectRoot: string, fixCount: number): void;
+export declare function recordSecrets(projectRoot: string, count: number): void;
+export declare function recordDependencyCVEs(projectRoot: string, count: number): void;
+export declare function recordGrade(projectRoot: string, grade: string, score: number): void;
+export declare function getSummaryLine(projectRoot: string, currentFindings: number, format: "markdown" | "json"): string;
+export declare function generateDashboard(projectRoot: string, period: "week" | "month" | "all", format: "markdown" | "json"): string;

package/build/lib/stats.js

@@ -0,0 +1,276 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { join, resolve } from "path";
+// ─── Helpers ──────────────────────────────────────────────────────
+function emptyStats() {
+    return {
+        version: 1,
+        firstScan: "",
+        lastScan: "",
+        totals: {
+            scans: 0,
+            filesScanned: 0,
+            findingsTotal: 0,
+            findingsFixed: 0,
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            autoFixesApplied: 0,
+            secretsCaught: 0,
+            dependencyCVEs: 0,
+        },
+        monthly: {},
+        tools: {},
+        topRules: {},
+        grades: [],
+    };
+}
+function getMonthKey() {
+    const d = new Date();
+    return `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}`;
+}
+function getTodayKey() {
+    return new Date().toISOString().slice(0, 10);
+}
+function statsDir(projectRoot) {
+    return join(resolve(projectRoot), ".guardvibe");
+}
+function statsPath(projectRoot) {
+    return join(statsDir(projectRoot), "stats.json");
+}
+// ─── Core I/O ─────────────────────────────────────────────────────
+export function loadStats(projectRoot) {
+    try {
+        const p = statsPath(projectRoot);
+        if (!existsSync(p))
+            return emptyStats();
+        const raw = readFileSync(p, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return emptyStats();
+    }
+}
+function saveStats(projectRoot, data) {
+    try {
+        const dir = statsDir(projectRoot);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        writeFileSync(statsPath(projectRoot), JSON.stringify(data, null, 2), "utf-8");
+    }
+    catch {
+        // Stats write failure must never break scans — silently continue
+    }
+}
+function ensureMonth(data, key) {
+    if (!data.monthly[key]) {
+        data.monthly[key] = {
+            scans: 0, filesScanned: 0, findingsTotal: 0, findingsFixed: 0,
+            critical: 0, high: 0, medium: 0, low: 0,
+        };
+    }
+    return data.monthly[key];
+}
+export function recordScan(projectRoot, result) {
+    const data = loadStats(projectRoot);
+    const now = new Date().toISOString();
+    const month = getMonthKey();
+    if (!data.firstScan)
+        data.firstScan = now;
+    data.lastScan = now;
+    // Totals
+    data.totals.scans++;
+    data.totals.filesScanned += result.filesScanned;
+    data.totals.findingsTotal += result.findings.length;
+    // Severity counts
+    for (const f of result.findings) {
+        const sev = f.severity;
+        if (sev in data.totals && typeof data.totals[sev] === "number") {
+            data.totals[sev]++;
+        }
+        // Top rules
+        data.topRules[f.ruleId] = (data.topRules[f.ruleId] || 0) + 1;
+    }
+    // Tool usage
+    data.tools[result.toolName] = (data.tools[result.toolName] || 0) + 1;
+    // Monthly
+    const m = ensureMonth(data, month);
+    m.scans++;
+    m.filesScanned += result.filesScanned;
+    m.findingsTotal += result.findings.length;
+    for (const f of result.findings) {
+        const sev = f.severity;
+        if (sev in m && typeof m[sev] === "number") {
+            m[sev]++;
+        }
+    }
+    saveStats(projectRoot, data);
+}
+export function recordFix(projectRoot, fixCount) {
+    const data = loadStats(projectRoot);
+    const month = getMonthKey();
+    data.totals.findingsFixed += fixCount;
+    data.totals.autoFixesApplied += fixCount;
+    const m = ensureMonth(data, month);
+    m.findingsFixed += fixCount;
+    saveStats(projectRoot, data);
+}
+export function recordSecrets(projectRoot, count) {
+    const data = loadStats(projectRoot);
+    data.totals.secretsCaught += count;
+    saveStats(projectRoot, data);
+}
+export function recordDependencyCVEs(projectRoot, count) {
+    const data = loadStats(projectRoot);
+    data.totals.dependencyCVEs += count;
+    saveStats(projectRoot, data);
+}
+export function recordGrade(projectRoot, grade, score) {
+    const data = loadStats(projectRoot);
+    const today = getTodayKey();
+    // Replace today's entry if exists, otherwise append
+    const idx = data.grades.findIndex((g) => g.date === today);
+    if (idx >= 0) {
+        data.grades[idx] = { date: today, grade, score };
+    }
+    else {
+        data.grades.push({ date: today, grade, score });
+        // Keep last 90 days max
+        if (data.grades.length > 90)
+            data.grades = data.grades.slice(-90);
+    }
+    saveStats(projectRoot, data);
+}
+// ─── Summary Line (appended to scan output) ───────────────────────
+export function getSummaryLine(projectRoot, currentFindings, format) {
+    try {
+        const data = loadStats(projectRoot);
+        const month = getMonthKey();
+        const m = data.monthly[month];
+        const monthlyFixed = m?.findingsFixed ?? 0;
+        const monthlyTotal = m?.findingsTotal ?? 0;
+        // Latest grade
+        const latestGrade = data.grades.length > 0
+            ? data.grades[data.grades.length - 1]
+            : null;
+        // Trend: compare current grade to first grade this month
+        const monthGrades = data.grades.filter((g) => g.date.startsWith(month));
+        let trend = "";
+        if (monthGrades.length >= 2) {
+            const first = monthGrades[0].score;
+            const last = monthGrades[monthGrades.length - 1].score;
+            if (last > first)
+                trend = " (improving)";
+            else if (last < first)
+                trend = " (declining)";
+        }
+        if (format === "json") {
+            return JSON.stringify({
+                guardvibeStats: {
+                    sessionFindings: currentFindings,
+                    monthlyTotal,
+                    monthlyFixed,
+                    allTimeFixed: data.totals.findingsFixed,
+                    currentGrade: latestGrade?.grade ?? null,
+                    trend: trend.replace(/[() ]/g, "") || "stable",
+                },
+            });
+        }
+        // Markdown — single line
+        const parts = [
+            `${currentFindings} issues caught`,
+            monthlyFixed > 0 ? `${monthlyFixed} fixed this month` : null,
+            latestGrade ? `Grade: ${latestGrade.grade}${trend}` : null,
+        ].filter(Boolean);
+        return `\n---\n**GuardVibe** · ${parts.join(" · ")}`;
+    }
+    catch {
+        return "";
+    }
+}
+// ─── Dashboard (security_stats tool) ──────────────────────────────
+export function generateDashboard(projectRoot, period, format) {
+    const data = loadStats(projectRoot);
+    if (data.totals.scans === 0) {
+        const empty = "No security scans recorded yet. GuardVibe will track statistics automatically as you scan files.";
+        return format === "json"
+            ? JSON.stringify({ status: "empty", message: empty })
+            : empty;
+    }
+    const month = getMonthKey();
+    const m = data.monthly[month] ?? {
+        scans: 0, filesScanned: 0, findingsTotal: 0, findingsFixed: 0,
+        critical: 0, high: 0, medium: 0, low: 0,
+    };
+    // Top rules — sorted by count
+    const topRules = Object.entries(data.topRules)
+        .sort(([, a], [, b]) => b - a)
+        .slice(0, 5);
+    // Top tools — sorted by count
+    const topTools = Object.entries(data.tools)
+        .sort(([, a], [, b]) => b - a)
+        .slice(0, 5);
+    // Grade trend
+    const recentGrades = data.grades.slice(-7);
+    const gradeStr = recentGrades.map((g) => `${g.grade} (${g.date.slice(5)})`).join(" -> ");
+    // Fix rate
+    const fixRate = data.totals.findingsTotal > 0
+        ? Math.round((data.totals.findingsFixed / data.totals.findingsTotal) * 100)
+        : 0;
+    const monthFixRate = m.findingsTotal > 0
+        ? Math.round((m.findingsFixed / m.findingsTotal) * 100)
+        : 0;
+    if (format === "json") {
+        return JSON.stringify({
+            project: projectRoot,
+            period,
+            currentMonth: m,
+            allTime: data.totals,
+            fixRate: { monthly: monthFixRate, allTime: fixRate },
+            topRules,
+            topTools,
+            gradeHistory: recentGrades,
+            firstScan: data.firstScan,
+            lastScan: data.lastScan,
+        });
+    }
+    // Markdown dashboard
+    const lines = [
+        `# GuardVibe Security Dashboard`,
+        ``,
+        `**Project:** ${projectRoot}`,
+        `**Tracking since:** ${data.firstScan.slice(0, 10)}`,
+        `**Last scan:** ${data.lastScan.slice(0, 10)}`,
+        ``,
+        `## Impact Summary`,
+        `| Metric | This Month | All Time |`,
+        `|--------|-----------|----------|`,
+        `| Scans run | ${m.scans} | ${data.totals.scans} |`,
+        `| Files protected | ${m.filesScanned} | ${data.totals.filesScanned} |`,
+        `| Vulnerabilities caught | ${m.findingsTotal} | ${data.totals.findingsTotal} |`,
+        `| Vulnerabilities fixed | ${m.findingsFixed} | ${data.totals.findingsFixed} |`,
+        `| Fix rate | ${monthFixRate}% | ${fixRate}% |`,
+        `| Secrets intercepted | — | ${data.totals.secretsCaught} |`,
+        `| Dependency CVEs found | — | ${data.totals.dependencyCVEs} |`,
+        ``,
+    ];
+    if (recentGrades.length > 0) {
+        lines.push(`## Security Grade Trend`, gradeStr, ``);
+    }
+    if (topRules.length > 0) {
+        lines.push(`## Top Caught Vulnerabilities`);
+        for (const [ruleId, count] of topRules) {
+            lines.push(`- ${ruleId} — ${count} times`);
+        }
+        lines.push(``);
+    }
+    if (topTools.length > 0) {
+        lines.push(`## Most Used Tools`);
+        for (const [tool, count] of topTools) {
+            lines.push(`- ${tool} — ${count} calls`);
+        }
+        lines.push(``);
+    }
+    lines.push(`---`, `Protected by GuardVibe · guardvibe.dev`);
+    return lines.join("\n");
+}

package/build/tools/generate-policy.js

@@ -284,7 +284,7 @@ function generateRLS(stack) {
     if (stack.database.includes("prisma") || stack.database.includes("drizzle")) {
         suggestions.push({
             table: "N/A (ORM-level)",
-            policy: `// Always filter by authenticated user\nconst items = await prisma.item.findMany({ where: { userId: session.user.id } });`,
+            policy: `// Always filter by authenticated user\nconst items = await prisma.item.findMany({ where: { userId: session.user.id } });`, // guardvibe-ignore VG955
             description: "Without RLS, enforce row-level access in your ORM queries. Always include user ID in WHERE clauses.",
         });
     }
@@ -347,7 +347,8 @@ export function generatePolicy(path, format = "markdown") {
     if (stack.analytics.length > 0)
         lines.push(`- Analytics: ${stack.analytics.join(", ")}`);
     lines.push(``);
-    lines.push(`## Content-Security-Policy`, ``, "```", csp, "```", ``, `### Next.js Configuration`, ``, "```typescript", `// next.config.ts`, `async headers() {`, `  return [{`, `    source: "/(.*)",`, `    headers: [`, `      { key: "Content-Security-Policy", value: \`${csp}\` },`, ...headers.map(h => `      { key: "${h.key}", value: "${h.value}" },`), `    ]`, `  }];`, `}`, "```", ``);
+    lines.push(`## Content-Security-Policy`, ``, "```", csp, "```", ``, `### Next.js Configuration`, ``, "```typescript", `// next.config.ts`, `async headers() {`, // guardvibe-ignore
+    `  return [{`, `    source: "/(.*)",`, `    headers: [`, `      { key: "Content-Security-Policy", value: \`${csp}\` },`, ...headers.map(h => `      { key: "${h.key}", value: "${h.value}" },`), `    ]`, `  }];`, `}`, "```", ``);
     lines.push(`## CORS Policy`, ``, "```typescript", `// Recommended CORS configuration`, `const corsConfig = {`, `  allowedOrigins: ${JSON.stringify(cors.allowedOrigins)},`, `  allowedMethods: ${JSON.stringify(cors.allowedMethods)},`, `  allowedHeaders: ${JSON.stringify(cors.allowedHeaders)},`, `  maxAge: ${cors.maxAge},`, `};`, "```", ``);
     if (rls.length > 0) {
         lines.push(`## Row-Level Security Suggestions`, ``);

package/build/tools/policy-check.js

@@ -18,8 +18,14 @@ function isExcepted(ruleId, filePath, exceptions) {
         if (exc.files && exc.files.length > 0) {
             const matches = exc.files.some(pattern => {
                 if (pattern.includes("*")) {
-                    const regex = new RegExp(pattern.replace(/\*/g, ".*"));
-                    return regex.test(filePath);
+                    // Safe glob-to-regex: escape all regex metacharacters except our converted .*
+                    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+                    try {
+                        return new RegExp(`^${escaped}$`).test(filePath);
+                    }
+                    catch {
+                        return false; // malformed pattern — skip safely
+                    }
                 }
                 return filePath.includes(pattern);
             });

package/build/tools/security-stats.d.ts

@@ -0,0 +1,5 @@
+/**
+ * security_stats MCP tool handler.
+ * Returns cumulative security statistics and grade trend for the project.
+ */
+export declare function securityStats(projectRoot: string, period?: "week" | "month" | "all", format?: "markdown" | "json"): string;

package/build/tools/security-stats.js

@@ -0,0 +1,8 @@
+import { generateDashboard } from "../lib/stats.js";
+/**
+ * security_stats MCP tool handler.
+ * Returns cumulative security statistics and grade trend for the project.
+ */
+export function securityStats(projectRoot, period = "month", format = "markdown") {
+    return generateDashboard(projectRoot, period, format);
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "guardvibe",
-  "version": "2.1.1",
-  "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
+  "version": "2.3.7",
+  "description": "Security MCP for vibe coding. 307 rules, 25 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",