guardvibe 2.2.0 → 2.3.7

package/README.md

@@ -5,15 +5,15 @@
 [![Node.js CI](https://github.com/goklab/guardvibe/actions/workflows/ci.yml/badge.svg)](https://github.com/goklab/guardvibe/actions/workflows/ci.yml)
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 
-**The security MCP built for vibe coding.** 277 security rules covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 307 security rules covering the entire AI-generated code journey — from first line to production deployment.
 
-Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-compatible coding agent.
+Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
 ## Why GuardVibe
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **277 security rules** purpose-built for the stacks AI agents generate
+- **307 security rules** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -39,7 +39,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | CVE version detection | 21 packages | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 277 (focused) | 5000+ (broad) | N/A |
+| Rule count | 307 (focused) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -47,29 +47,56 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 
 ## Quick Start
 
-### MCP setup (recommended)
+### Claude Code
 
 ```bash
-npx guardvibe init claude    # Claude Code
-npx guardvibe init cursor    # Cursor
-npx guardvibe init gemini    # Gemini CLI
-npx guardvibe init all       # All platforms
+npx guardvibe init claude
 ```
 
-### Pre-commit hook
+Creates `.claude.json` MCP config, `.claude/settings.json` auto-scan hooks, and `CLAUDE.md` security rules. Restart Claude Code after setup.
+
+### Cursor
 
 ```bash
-npx guardvibe hook install   # Blocks commits with critical/high findings
-npx guardvibe hook uninstall # Remove hook
+npx guardvibe init cursor
 ```
 
-### CI/CD (GitHub Actions)
+Creates `.cursor/mcp.json` and `.cursorrules` with security rules. Restart Cursor after setup.
+
+### Gemini CLI
 
 ```bash
-npx guardvibe ci github      # Generates .github/workflows/guardvibe.yml
+npx guardvibe init gemini
 ```
 
-### Manual MCP config
+Creates `~/.gemini/settings.json` MCP config and `GEMINI.md` security rules.
+
+### Codex (OpenAI)
+
+```bash
+codex mcp add guardvibe -- npx -y guardvibe
+```
+
+### VS Code (GitHub Copilot)
+
+Create `.vscode/mcp.json` in your project:
+
+```json
+{
+  "servers": {
+    "guardvibe": {
+      "command": "npx",
+      "args": ["-y", "guardvibe"]
+    }
+  }
+}
+```
+
+> **Note:** VS Code uses `"servers"`, not `"mcpServers"`.
+
+### Windsurf
+
+Add to `~/.codeium/windsurf/mcp_config.json`:
 
 ```json
 {
@@ -82,6 +109,25 @@ npx guardvibe ci github      # Generates .github/workflows/guardvibe.yml
 }
 ```
 
+### All platforms at once
+
+```bash
+npx guardvibe init all       # Claude + Cursor + Gemini
+```
+
+### Pre-commit hook
+
+```bash
+npx guardvibe hook install   # Blocks commits with critical/high findings
+npx guardvibe hook uninstall # Remove hook
+```
+
+### CI/CD (GitHub Actions)
+
+```bash
+npx guardvibe ci github      # Generates .github/workflows/guardvibe.yml
+```
+
 ## What GuardVibe Scans
 
 ### Application Code
@@ -132,7 +178,7 @@ SOC2, PCI-DSS, HIPAA control mapping with compliance reports
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (22 MCP tools)
+## Tools (25 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -158,34 +204,38 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `scan_config_change` | Compare config file versions to detect security downgrades |
 | `repo_security_posture` | Assess overall repository security posture and map sensitive areas |
 | `explain_remediation` | Get detailed remediation guidance with exploit scenarios and fix strategies |
+| `scan_file` | Real-time single-file scan — designed for post-edit hooks |
+| `scan_changed_files` | Scan only git-changed files — for PRs and incremental CI |
+| `security_stats` | Cumulative security dashboard — scans, fixes, grade trend over time |
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (277 rules across 23 modules)
+## Security Rules (307 rules across 23 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|
-| Core OWASP | 19 | SQL injection, XSS, CSRF, command injection, CORS, SSRF, hardcoded secrets |
-| Next.js App Router | 13 | Server Actions, secret exposure, auth bypass, CSP, redirects |
+| Core OWASP | 38 | SQL injection, XSS, CSRF, command injection, CORS, SSRF, hardcoded secrets |
+| Next.js App Router | 17 | Server Actions, secret exposure, auth bypass, CSP, redirects |
 | Auth (Clerk / Auth.js / Supabase Auth) | 16 | Middleware, secret keys, session storage, role checks, SSR cookies |
-| Database (Supabase / Prisma / Drizzle) | 8 | Raw queries, client exposure, service role leaks |
+| Database (Supabase / Prisma / Drizzle) | 10 | Raw queries, client exposure, service role leaks |
 | OWASP API Security | 10 | BOLA/IDOR, mass assignment, pagination, rate limiting, error leaks |
-| Modern Stack | 30 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK |
-| Deployment Config | 16 | Vercel, Next.js config, Docker Compose, Fly, Render, Netlify |
+| Modern Stack | 36 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK |
+| Deployment Config | 20 | Vercel, Next.js config, Docker Compose, Fly, Render, Netlify, Cloudflare |
 | Payments (Stripe / Polar / Lemon) | 9 | Webhook signatures, key exposure, price manipulation |
 | Services (Resend / Upstash / Pinecone / PostHog) | 11 | API key leaks, PII tracking, email injection |
-| Web Security | 14 | Webhooks, CSP, .env safety, AI key exposure, Cloudflare |
+| Web Security | 15 | Webhooks, CSP, .env safety, AI key exposure, cookie handling |
 | React Native / Expo | 10 | AsyncStorage secrets, deep links, ATS, hardcoded URLs |
 | Firebase | 7 | Firestore rules, admin SDK, storage, custom tokens |
-| AI / LLM Security | 14 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
-| CVE Version Intelligence | 20 | Known vulnerable versions in package.json (21 CVEs) |
+| AI / LLM Security | 16 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
+| CVE Version Intelligence | 21 | Known vulnerable versions in package.json (21 CVEs) |
 | Shell / Bash | 5 | Pipe to bash, chmod 777, rm -rf, sudo password |
 | SQL | 4 | DROP/DELETE without WHERE, stacked queries, GRANT ALL |
-| Supply Chain | 2 | Malicious install scripts, unpinned actions |
+| Supply Chain | 10 | Malicious install scripts, unpinned actions, typosquat detection |
 | Go | 6 | SQL injection, command injection, template escaping |
-| Dockerfile | 5 | Root user, secrets in ENV, untagged images |
-| CI/CD (GitHub Actions) | 4 | Secrets interpolation, unpinned actions, write-all permissions |
-| Terraform | 5 | Public S3, open security groups, IAM wildcards |
+| Dockerfile | 7 | Root user, secrets in ENV, untagged images, non-root user |
+| CI/CD (GitHub Actions) | 7 | Secrets interpolation, unpinned actions, write-all permissions |
+| Terraform | 6 | Public S3, open security groups, IAM wildcards |
+| Advanced Security | 21 | ReDoS, CRLF injection, race conditions, XXE, brute force, audit logging |
 | Other Services | 5 | AWS, GCP, MongoDB, Convex, Sentry, Twilio |
 
 ## CLI Commands
@@ -304,6 +354,23 @@ app.get("/api/health", (req, res) => res.json({ ok: true }));
 
 Supports `//`, `#`, and `<!-- -->` comment styles.
 
+## GuardVibe Scans Itself
+
+We run GuardVibe on its own codebase. In v2.3.2, GuardVibe caught a **HIGH severity ReDoS vulnerability** in its own `policy-check.ts` — a regex injection risk that the developer missed during code review.
+
+```
+$ guardvibe scan_directory src/
+  Files scanned: 64
+  Scan duration: 102ms
+  Grade: B (89/100)
+
+  [HIGH] ReDoS via User-Controlled RegExp (VG107)
+    File: src/tools/policy-check.ts:47
+    Fix: escape regex metacharacters before passing to RegExp constructor
+```
+
+The vulnerability was fixed in the same session. This is exactly the workflow GuardVibe enables: catch what humans miss, fix before it ships.
+
 ## How It Works
 
 ```

package/build/cli.js

@@ -78,6 +78,14 @@ const SECURITY_RULES = `## Security Rules (enforced by GuardVibe MCP)
 - When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
 - BEFORE creating a PR: use scan_changed_files to review all changes
 
+### Scan visibility — ALWAYS report GuardVibe results to the user
+- AFTER every scan: ALWAYS tell the user the GuardVibe result, even when clean
+- When issues found: "GuardVibe: [count] issues found ([severity]). Fixing..."
+- When clean: "GuardVibe: scanned [filename] — no issues found."
+- Include the summary stats line from scan output when present
+- NEVER silently consume scan results — the user must see that GuardVibe is protecting their code
+- Periodically (every ~10 scans or at session start): run security_stats tool and share the dashboard with the user
+
 ### Writing secure code
 - Every API route handler MUST have auth check before DB access
 - Every POST endpoint MUST have input validation (zod/joi schema)
@@ -108,6 +116,8 @@ function setupSecurityGuide(platformName) {
         gemini: ["GEMINI.md"],
     };
     const entries = gitignoreEntries[platformName] || [];
+    // Always add .guardvibe/ (stats directory) to .gitignore
+    entries.push(".guardvibe/");
     if (entries.length > 0)
         addToGitignore(entries);
 }

package/build/index.js

@@ -31,6 +31,8 @@ import { discoverPlugins } from "./plugins/loader.js";
 import { builtinRules } from "./data/rules/index.js";
 import { loadConfig } from "./utils/config.js";
 import { setRules, getRules } from "./utils/rule-registry.js";
+import { recordScan, recordFix, recordSecrets, recordDependencyCVEs, recordGrade, getSummaryLine } from "./lib/stats.js";
+import { securityStats } from "./tools/security-stats.js";
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
@@ -49,8 +51,12 @@ server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top
 }, async ({ code, language, framework, format }) => {
     const rules = getRules();
     const results = checkCode(code, language, framework, undefined, undefined, format, rules);
+    const findings = analyzeCode(code, language, framework, undefined, undefined, rules);
+    const cwd = process.cwd();
+    recordScan(cwd, { toolName: "check_code", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
+    const summary = getSummaryLine(cwd, findings.length, format);
     return {
-        content: [{ type: "text", text: results }],
+        content: [{ type: "text", text: results + summary }],
     };
 });
 // Tool 2: Scan entire project for security vulnerabilities
@@ -65,8 +71,25 @@ server.tool("check_project", "Scan multiple files for security vulnerabilities a
 }, async ({ files, format }) => {
     const rules = getRules();
     const results = checkProject(files, format, rules);
+    let findingCount = 0;
+    const cwd = process.cwd();
+    try {
+        const parsed = JSON.parse(results);
+        findingCount = parsed?.summary?.total ?? 0;
+        const grade = parsed?.summary?.grade;
+        const score = parsed?.summary?.score;
+        if (grade && score != null)
+            recordGrade(cwd, grade, score);
+        recordScan(cwd, { toolName: "check_project", filesScanned: files.length, findings: (parsed?.findings ?? []).map((f) => ({ severity: f.severity, ruleId: f.id })) });
+    }
+    catch {
+        const m = /Issues found:\s*(\d+)/.exec(results);
+        findingCount = m ? parseInt(m[1], 10) : 0;
+        recordScan(cwd, { toolName: "check_project", filesScanned: files.length, findings: [] });
+    }
+    const summary = getSummaryLine(cwd, findingCount, format);
     return {
-        content: [{ type: "text", text: results }],
+        content: [{ type: "text", text: results + summary }],
     };
 });
 // Tool 3: Get security documentation and best practices (renumbered from Tool 2)
@@ -117,7 +140,26 @@ server.tool("scan_directory", "Scan an entire project directory for security vul
 }, async ({ path, recursive, exclude, format, baseline }) => {
     const rules = getRules();
     const results = scanDirectory(path, recursive, exclude, format, rules, baseline);
-    return { content: [{ type: "text", text: results }] };
+    // Record stats from scan_directory results
+    let findingCount = 0;
+    const { resolve: resolvePath } = await import("path");
+    const root = resolvePath(path);
+    try {
+        const parsed = JSON.parse(results);
+        findingCount = parsed?.summary?.total ?? 0;
+        const grade = parsed?.summary?.grade;
+        const score = parsed?.summary?.score;
+        if (grade && score != null)
+            recordGrade(root, grade, score);
+        recordScan(root, { toolName: "scan_directory", filesScanned: parsed?.metadata?.filesScanned ?? 0, findings: (parsed?.findings ?? []).map((f) => ({ severity: f.severity, ruleId: f.id })) });
+    }
+    catch {
+        const m = /Issues found:\s*(\d+)/.exec(results);
+        findingCount = m ? parseInt(m[1], 10) : 0;
+        recordScan(root, { toolName: "scan_directory", filesScanned: 0, findings: [] });
+    }
+    const summary = getSummaryLine(root, findingCount, format);
+    return { content: [{ type: "text", text: results + summary }] };
 });
 // Tool 6: Scan manifest/lockfile for dependency vulnerabilities
 server.tool("scan_dependencies", "Parse a lockfile or manifest (package.json, package-lock.json, requirements.txt, go.mod) and check all dependencies for known CVEs via the OSV database. Reads the file directly.", {
@@ -125,6 +167,19 @@ server.tool("scan_dependencies", "Parse a lockfile or manifest (package.json, pa
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ manifest_path, format }) => {
     const results = await scanDependencies(manifest_path, format);
+    // Record dependency CVE stats
+    const { resolve: resolvePath, dirname } = await import("path");
+    const root = dirname(resolvePath(manifest_path));
+    try {
+        const parsed = JSON.parse(results);
+        const cveCount = parsed?.summary?.total ?? 0;
+        if (cveCount > 0)
+            recordDependencyCVEs(root, cveCount);
+        recordScan(root, { toolName: "scan_dependencies", filesScanned: 1, findings: (parsed?.packages ?? []).flatMap((p) => (p.vulnerabilities ?? []).map((v) => ({ severity: v.severity, ruleId: `DEP-${p.name}` }))) });
+    }
+    catch {
+        recordScan(root, { toolName: "scan_dependencies", filesScanned: 1, findings: [] });
+    }
     return { content: [{ type: "text", text: results }] };
 });
 // Tool 7: Scan for leaked secrets, API keys, and credentials
@@ -134,6 +189,20 @@ server.tool("scan_secrets", "Scan files and directories for leaked secrets, API
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ path, recursive, format }) => {
     const results = scanSecrets(path, recursive, format);
+    // Record secret findings
+    let secretCount = 0;
+    try {
+        const parsed = JSON.parse(results);
+        secretCount = parsed?.summary?.total ?? 0;
+    }
+    catch {
+        const m = /Secrets found:\s*(\d+)/.exec(results);
+        secretCount = m ? parseInt(m[1], 10) : 0;
+    }
+    const { resolve: resolvePath } = await import("path");
+    if (secretCount > 0)
+        recordSecrets(resolvePath(path), secretCount);
+    recordScan(resolvePath(path), { toolName: "scan_secrets", filesScanned: 0, findings: [] });
     return { content: [{ type: "text", text: results }] };
 });
 // Tool 8: Scan git-staged files before committing
@@ -141,8 +210,21 @@ server.tool("scan_staged", "Scan git-staged files for security vulnerabilities b
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ format }) => {
     const rules = getRules();
-    const results = scanStaged(process.cwd(), format, rules);
-    return { content: [{ type: "text", text: results }] };
+    const cwd = process.cwd();
+    const results = scanStaged(cwd, format, rules);
+    let findingCount = 0;
+    try {
+        const parsed = JSON.parse(results);
+        findingCount = parsed?.summary?.total ?? 0;
+        recordScan(cwd, { toolName: "scan_staged", filesScanned: parsed?.summary?.stagedFiles ?? 0, findings: (parsed?.findings ?? []).map((f) => ({ severity: f.severity, ruleId: f.id })) });
+    }
+    catch {
+        const m = /Issues found:\s*(\d+)/.exec(results);
+        findingCount = m ? parseInt(m[1], 10) : 0;
+        recordScan(cwd, { toolName: "scan_staged", filesScanned: 0, findings: [] });
+    }
+    const summary = getSummaryLine(cwd, findingCount, format);
+    return { content: [{ type: "text", text: results + summary }] };
 });
 // Tool 9: Generate compliance-focused security report
 server.tool("compliance_report", "Generate a compliance-focused security report mapped to SOC2, PCI-DSS, HIPAA, GDPR, or ISO27001 controls. Scans a directory and groups findings by compliance control. Includes exploit scenarios and audit evidence for each finding. Use mode=executive for a C-level summary.", {
@@ -185,6 +267,14 @@ server.tool("fix_code", "Analyze code for security vulnerabilities and return fi
 }, async ({ code, language, framework, format }) => {
     const rules = getRules();
     const results = fixCode(code, language, framework, undefined, format, rules);
+    // Record fix stats
+    try {
+        const parsed = JSON.parse(results);
+        const fixCount = parsed?.total ?? 0;
+        if (fixCount > 0)
+            recordFix(process.cwd(), fixCount);
+    }
+    catch { /* markdown format — skip */ }
     return {
         content: [{ type: "text", text: results }],
     };
@@ -312,7 +402,11 @@ server.tool("scan_file", "Scan a single file from disk for security vulnerabilit
     }
     const rules = getRules();
     const result = checkCode(content, language, undefined, resolved, dirname(resolved), format, rules);
-    return { content: [{ type: "text", text: result }] };
+    const findings = analyzeCode(content, language, undefined, resolved, dirname(resolved), rules);
+    const cwd = dirname(resolved);
+    recordScan(cwd, { toolName: "scan_file", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
+    const summary = getSummaryLine(cwd, findings.length, format);
+    return { content: [{ type: "text", text: result + summary }] };
 });
 // Tool 24: Scan changed files only — for incremental CI/CD and PR workflows
 server.tool("scan_changed_files", "Scan only files that have changed since a given git ref (branch, commit, or HEAD~N). Ideal for PR checks, pre-push hooks, and incremental CI. Returns findings only for modified/added files.", {
@@ -366,6 +460,9 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
         }
         catch { /* skip unreadable files */ }
     }
+    // Record stats
+    recordScan(root, { toolName: "scan_changed_files", filesScanned: changedFiles.length, findings: allFindings.map(f => ({ severity: f.severity, ruleId: f.id })) });
+    const statsSummary = getSummaryLine(root, allFindings.length, format);
     if (format === "json") {
         const critical = allFindings.filter(f => f.severity === "critical").length;
         const high = allFindings.filter(f => f.severity === "high").length;
@@ -373,7 +470,7 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
         return { content: [{ type: "text", text: JSON.stringify({
                         summary: { total: allFindings.length, critical, high, medium, low: 0, blocked: critical > 0 || high > 0, changedFiles: changedFiles.length },
                         findings: allFindings,
-                    }) }] };
+                    }) + statsSummary }] };
     }
     // Markdown
     const lines = [`# GuardVibe Changed Files Report`, ``, `Base: ${base}`, `Changed files: ${changedFiles.length}`, `Issues found: ${allFindings.length}`, ``];
@@ -387,7 +484,18 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
             lines.push(`- [${f.severity.toUpperCase()}] **${f.name}** (${f.id}) in \`${f.file}\`:${f.line} — ${f.fix}`);
         }
     }
-    return { content: [{ type: "text", text: lines.join("\n") }] };
+    return { content: [{ type: "text", text: lines.join("\n") + statsSummary }] };
+});
+// Tool 25: Security statistics dashboard
+server.tool("security_stats", "Show cumulative security statistics, grade trend, and vulnerability fix progress for this project. Use this to demonstrate the value of GuardVibe security scanning over time. Data is stored locally in .guardvibe/stats.json.", {
+    path: z.string().default(".").describe("Project root path"),
+    period: z.enum(["week", "month", "all"]).default("month").describe("Time period for stats"),
+    format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
+}, async ({ path: projectPath, period, format }) => {
+    const { resolve: resolvePath } = await import("path");
+    const root = resolvePath(projectPath);
+    const results = securityStats(root, period, format);
+    return { content: [{ type: "text", text: results }] };
 });
 export async function startMcpServer() {
     return main();

package/build/lib/stats.d.ts

@@ -0,0 +1,53 @@
+export interface MonthlyStats {
+    scans: number;
+    filesScanned: number;
+    findingsTotal: number;
+    findingsFixed: number;
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+}
+export interface GradeEntry {
+    date: string;
+    grade: string;
+    score: number;
+}
+export interface StatsData {
+    version: number;
+    firstScan: string;
+    lastScan: string;
+    totals: {
+        scans: number;
+        filesScanned: number;
+        findingsTotal: number;
+        findingsFixed: number;
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        autoFixesApplied: number;
+        secretsCaught: number;
+        dependencyCVEs: number;
+    };
+    monthly: Record<string, MonthlyStats>;
+    tools: Record<string, number>;
+    topRules: Record<string, number>;
+    grades: GradeEntry[];
+}
+export declare function loadStats(projectRoot: string): StatsData;
+export interface ScanResult {
+    toolName: string;
+    filesScanned: number;
+    findings: Array<{
+        severity: string;
+        ruleId: string;
+    }>;
+}
+export declare function recordScan(projectRoot: string, result: ScanResult): void;
+export declare function recordFix(projectRoot: string, fixCount: number): void;
+export declare function recordSecrets(projectRoot: string, count: number): void;
+export declare function recordDependencyCVEs(projectRoot: string, count: number): void;
+export declare function recordGrade(projectRoot: string, grade: string, score: number): void;
+export declare function getSummaryLine(projectRoot: string, currentFindings: number, format: "markdown" | "json"): string;
+export declare function generateDashboard(projectRoot: string, period: "week" | "month" | "all", format: "markdown" | "json"): string;

package/build/lib/stats.js

@@ -0,0 +1,276 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { join, resolve } from "path";
+// ─── Helpers ──────────────────────────────────────────────────────
+function emptyStats() {
+    return {
+        version: 1,
+        firstScan: "",
+        lastScan: "",
+        totals: {
+            scans: 0,
+            filesScanned: 0,
+            findingsTotal: 0,
+            findingsFixed: 0,
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            autoFixesApplied: 0,
+            secretsCaught: 0,
+            dependencyCVEs: 0,
+        },
+        monthly: {},
+        tools: {},
+        topRules: {},
+        grades: [],
+    };
+}
+function getMonthKey() {
+    const d = new Date();
+    return `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}`;
+}
+function getTodayKey() {
+    return new Date().toISOString().slice(0, 10);
+}
+function statsDir(projectRoot) {
+    return join(resolve(projectRoot), ".guardvibe");
+}
+function statsPath(projectRoot) {
+    return join(statsDir(projectRoot), "stats.json");
+}
+// ─── Core I/O ─────────────────────────────────────────────────────
+export function loadStats(projectRoot) {
+    try {
+        const p = statsPath(projectRoot);
+        if (!existsSync(p))
+            return emptyStats();
+        const raw = readFileSync(p, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return emptyStats();
+    }
+}
+function saveStats(projectRoot, data) {
+    try {
+        const dir = statsDir(projectRoot);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        writeFileSync(statsPath(projectRoot), JSON.stringify(data, null, 2), "utf-8");
+    }
+    catch {
+        // Stats write failure must never break scans — silently continue
+    }
+}
+function ensureMonth(data, key) {
+    if (!data.monthly[key]) {
+        data.monthly[key] = {
+            scans: 0, filesScanned: 0, findingsTotal: 0, findingsFixed: 0,
+            critical: 0, high: 0, medium: 0, low: 0,
+        };
+    }
+    return data.monthly[key];
+}
+export function recordScan(projectRoot, result) {
+    const data = loadStats(projectRoot);
+    const now = new Date().toISOString();
+    const month = getMonthKey();
+    if (!data.firstScan)
+        data.firstScan = now;
+    data.lastScan = now;
+    // Totals
+    data.totals.scans++;
+    data.totals.filesScanned += result.filesScanned;
+    data.totals.findingsTotal += result.findings.length;
+    // Severity counts
+    for (const f of result.findings) {
+        const sev = f.severity;
+        if (sev in data.totals && typeof data.totals[sev] === "number") {
+            data.totals[sev]++;
+        }
+        // Top rules
+        data.topRules[f.ruleId] = (data.topRules[f.ruleId] || 0) + 1;
+    }
+    // Tool usage
+    data.tools[result.toolName] = (data.tools[result.toolName] || 0) + 1;
+    // Monthly
+    const m = ensureMonth(data, month);
+    m.scans++;
+    m.filesScanned += result.filesScanned;
+    m.findingsTotal += result.findings.length;
+    for (const f of result.findings) {
+        const sev = f.severity;
+        if (sev in m && typeof m[sev] === "number") {
+            m[sev]++;
+        }
+    }
+    saveStats(projectRoot, data);
+}
+export function recordFix(projectRoot, fixCount) {
+    const data = loadStats(projectRoot);
+    const month = getMonthKey();
+    data.totals.findingsFixed += fixCount;
+    data.totals.autoFixesApplied += fixCount;
+    const m = ensureMonth(data, month);
+    m.findingsFixed += fixCount;
+    saveStats(projectRoot, data);
+}
+export function recordSecrets(projectRoot, count) {
+    const data = loadStats(projectRoot);
+    data.totals.secretsCaught += count;
+    saveStats(projectRoot, data);
+}
+export function recordDependencyCVEs(projectRoot, count) {
+    const data = loadStats(projectRoot);
+    data.totals.dependencyCVEs += count;
+    saveStats(projectRoot, data);
+}
+export function recordGrade(projectRoot, grade, score) {
+    const data = loadStats(projectRoot);
+    const today = getTodayKey();
+    // Replace today's entry if exists, otherwise append
+    const idx = data.grades.findIndex((g) => g.date === today);
+    if (idx >= 0) {
+        data.grades[idx] = { date: today, grade, score };
+    }
+    else {
+        data.grades.push({ date: today, grade, score });
+        // Keep last 90 days max
+        if (data.grades.length > 90)
+            data.grades = data.grades.slice(-90);
+    }
+    saveStats(projectRoot, data);
+}
+// ─── Summary Line (appended to scan output) ───────────────────────
+export function getSummaryLine(projectRoot, currentFindings, format) {
+    try {
+        const data = loadStats(projectRoot);
+        const month = getMonthKey();
+        const m = data.monthly[month];
+        const monthlyFixed = m?.findingsFixed ?? 0;
+        const monthlyTotal = m?.findingsTotal ?? 0;
+        // Latest grade
+        const latestGrade = data.grades.length > 0
+            ? data.grades[data.grades.length - 1]
+            : null;
+        // Trend: compare current grade to first grade this month
+        const monthGrades = data.grades.filter((g) => g.date.startsWith(month));
+        let trend = "";
+        if (monthGrades.length >= 2) {
+            const first = monthGrades[0].score;
+            const last = monthGrades[monthGrades.length - 1].score;
+            if (last > first)
+                trend = " (improving)";
+            else if (last < first)
+                trend = " (declining)";
+        }
+        if (format === "json") {
+            return JSON.stringify({
+                guardvibeStats: {
+                    sessionFindings: currentFindings,
+                    monthlyTotal,
+                    monthlyFixed,
+                    allTimeFixed: data.totals.findingsFixed,
+                    currentGrade: latestGrade?.grade ?? null,
+                    trend: trend.replace(/[() ]/g, "") || "stable",
+                },
+            });
+        }
+        // Markdown — single line
+        const parts = [
+            `${currentFindings} issues caught`,
+            monthlyFixed > 0 ? `${monthlyFixed} fixed this month` : null,
+            latestGrade ? `Grade: ${latestGrade.grade}${trend}` : null,
+        ].filter(Boolean);
+        return `\n---\n**GuardVibe** · ${parts.join(" · ")}`;
+    }
+    catch {
+        return "";
+    }
+}
+// ─── Dashboard (security_stats tool) ──────────────────────────────
+export function generateDashboard(projectRoot, period, format) {
+    const data = loadStats(projectRoot);
+    if (data.totals.scans === 0) {
+        const empty = "No security scans recorded yet. GuardVibe will track statistics automatically as you scan files.";
+        return format === "json"
+            ? JSON.stringify({ status: "empty", message: empty })
+            : empty;
+    }
+    const month = getMonthKey();
+    const m = data.monthly[month] ?? {
+        scans: 0, filesScanned: 0, findingsTotal: 0, findingsFixed: 0,
+        critical: 0, high: 0, medium: 0, low: 0,
+    };
+    // Top rules — sorted by count
+    const topRules = Object.entries(data.topRules)
+        .sort(([, a], [, b]) => b - a)
+        .slice(0, 5);
+    // Top tools — sorted by count
+    const topTools = Object.entries(data.tools)
+        .sort(([, a], [, b]) => b - a)
+        .slice(0, 5);
+    // Grade trend
+    const recentGrades = data.grades.slice(-7);
+    const gradeStr = recentGrades.map((g) => `${g.grade} (${g.date.slice(5)})`).join(" -> ");
+    // Fix rate
+    const fixRate = data.totals.findingsTotal > 0
+        ? Math.round((data.totals.findingsFixed / data.totals.findingsTotal) * 100)
+        : 0;
+    const monthFixRate = m.findingsTotal > 0
+        ? Math.round((m.findingsFixed / m.findingsTotal) * 100)
+        : 0;
+    if (format === "json") {
+        return JSON.stringify({
+            project: projectRoot,
+            period,
+            currentMonth: m,
+            allTime: data.totals,
+            fixRate: { monthly: monthFixRate, allTime: fixRate },
+            topRules,
+            topTools,
+            gradeHistory: recentGrades,
+            firstScan: data.firstScan,
+            lastScan: data.lastScan,
+        });
+    }
+    // Markdown dashboard
+    const lines = [
+        `# GuardVibe Security Dashboard`,
+        ``,
+        `**Project:** ${projectRoot}`,
+        `**Tracking since:** ${data.firstScan.slice(0, 10)}`,
+        `**Last scan:** ${data.lastScan.slice(0, 10)}`,
+        ``,
+        `## Impact Summary`,
+        `| Metric | This Month | All Time |`,
+        `|--------|-----------|----------|`,
+        `| Scans run | ${m.scans} | ${data.totals.scans} |`,
+        `| Files protected | ${m.filesScanned} | ${data.totals.filesScanned} |`,
+        `| Vulnerabilities caught | ${m.findingsTotal} | ${data.totals.findingsTotal} |`,
+        `| Vulnerabilities fixed | ${m.findingsFixed} | ${data.totals.findingsFixed} |`,
+        `| Fix rate | ${monthFixRate}% | ${fixRate}% |`,
+        `| Secrets intercepted | — | ${data.totals.secretsCaught} |`,
+        `| Dependency CVEs found | — | ${data.totals.dependencyCVEs} |`,
+        ``,
+    ];
+    if (recentGrades.length > 0) {
+        lines.push(`## Security Grade Trend`, gradeStr, ``);
+    }
+    if (topRules.length > 0) {
+        lines.push(`## Top Caught Vulnerabilities`);
+        for (const [ruleId, count] of topRules) {
+            lines.push(`- ${ruleId} — ${count} times`);
+        }
+        lines.push(``);
+    }
+    if (topTools.length > 0) {
+        lines.push(`## Most Used Tools`);
+        for (const [tool, count] of topTools) {
+            lines.push(`- ${tool} — ${count} calls`);
+        }
+        lines.push(``);
+    }
+    lines.push(`---`, `Protected by GuardVibe · guardvibe.dev`);
+    return lines.join("\n");
+}

package/build/tools/generate-policy.js

@@ -284,7 +284,7 @@ function generateRLS(stack) {
     if (stack.database.includes("prisma") || stack.database.includes("drizzle")) {
         suggestions.push({
             table: "N/A (ORM-level)",
-            policy: `// Always filter by authenticated user\nconst items = await prisma.item.findMany({ where: { userId: session.user.id } });`,
+            policy: `// Always filter by authenticated user\nconst items = await prisma.item.findMany({ where: { userId: session.user.id } });`, // guardvibe-ignore VG955
             description: "Without RLS, enforce row-level access in your ORM queries. Always include user ID in WHERE clauses.",
         });
     }
@@ -347,7 +347,8 @@ export function generatePolicy(path, format = "markdown") {
     if (stack.analytics.length > 0)
         lines.push(`- Analytics: ${stack.analytics.join(", ")}`);
     lines.push(``);
-    lines.push(`## Content-Security-Policy`, ``, "```", csp, "```", ``, `### Next.js Configuration`, ``, "```typescript", `// next.config.ts`, `async headers() {`, `  return [{`, `    source: "/(.*)",`, `    headers: [`, `      { key: "Content-Security-Policy", value: \`${csp}\` },`, ...headers.map(h => `      { key: "${h.key}", value: "${h.value}" },`), `    ]`, `  }];`, `}`, "```", ``);
+    lines.push(`## Content-Security-Policy`, ``, "```", csp, "```", ``, `### Next.js Configuration`, ``, "```typescript", `// next.config.ts`, `async headers() {`, // guardvibe-ignore
+    `  return [{`, `    source: "/(.*)",`, `    headers: [`, `      { key: "Content-Security-Policy", value: \`${csp}\` },`, ...headers.map(h => `      { key: "${h.key}", value: "${h.value}" },`), `    ]`, `  }];`, `}`, "```", ``);
     lines.push(`## CORS Policy`, ``, "```typescript", `// Recommended CORS configuration`, `const corsConfig = {`, `  allowedOrigins: ${JSON.stringify(cors.allowedOrigins)},`, `  allowedMethods: ${JSON.stringify(cors.allowedMethods)},`, `  allowedHeaders: ${JSON.stringify(cors.allowedHeaders)},`, `  maxAge: ${cors.maxAge},`, `};`, "```", ``);
     if (rls.length > 0) {
         lines.push(`## Row-Level Security Suggestions`, ``);

package/build/tools/policy-check.js

@@ -18,8 +18,14 @@ function isExcepted(ruleId, filePath, exceptions) {
         if (exc.files && exc.files.length > 0) {
             const matches = exc.files.some(pattern => {
                 if (pattern.includes("*")) {
-                    const regex = new RegExp(pattern.replace(/\*/g, ".*"));
-                    return regex.test(filePath);
+                    // Safe glob-to-regex: escape all regex metacharacters except our converted .*
+                    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+                    try {
+                        return new RegExp(`^${escaped}$`).test(filePath);
+                    }
+                    catch {
+                        return false; // malformed pattern — skip safely
+                    }
                 }
                 return filePath.includes(pattern);
             });

package/build/tools/security-stats.d.ts

@@ -0,0 +1,5 @@
+/**
+ * security_stats MCP tool handler.
+ * Returns cumulative security statistics and grade trend for the project.
+ */
+export declare function securityStats(projectRoot: string, period?: "week" | "month" | "all", format?: "markdown" | "json"): string;

package/build/tools/security-stats.js

@@ -0,0 +1,8 @@
+import { generateDashboard } from "../lib/stats.js";
+/**
+ * security_stats MCP tool handler.
+ * Returns cumulative security statistics and grade trend for the project.
+ */
+export function securityStats(projectRoot, period = "month", format = "markdown") {
+    return generateDashboard(projectRoot, period, format);
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "guardvibe",
-  "version": "2.2.0",
-  "description": "Security MCP for vibe coding. 307 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
+  "version": "2.3.7",
+  "description": "Security MCP for vibe coding. 307 rules, 25 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",