guardvibe 2.3.9 → 2.4.2

package/CHANGELOG.md

@@ -0,0 +1,212 @@
+# Changelog
+
+All notable changes to GuardVibe are documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2.4.1] - 2026-04-04
+
+### Added
+- VG910: Hono SSE injection detection via `streamSSE()` (CVE-2026-29085)
+- VG911: Kubernetes Secret hardcoded value detection
+- VG912: MongoDB NoSQL injection via query operators
+
+## [2.4.0] - 2026-04-04
+
+### Added
+- Buddy format (`--format buddy`) — compact ASCII character with mood-based security feedback
+- 5 face expressions based on security grade (A through F)
+- Grade-aware contextual message pool
+
+### Changed
+- Claude Code hook now uses buddy format by default for real-time visual feedback
+
+## [2.3.9] - 2026-04-03
+
+### Added
+- 6 new supply chain rules (VG860-868)
+- Yarn and pnpm lockfile support
+- Advanced typosquat detection
+
+## [2.3.8] - 2026-04-03
+
+### Changed
+- Capitalize extension name to GuardVibe in Gemini CLI gallery
+
+## [2.3.7] - 2026-04-02
+
+### Added
+- Gemini CLI extensions gallery support (gemini-extension.json)
+
+## [2.3.6] - 2026-04-02
+
+### Added
+- Platform-specific setup guides for all 6 IDEs in README
+
+## [2.3.5] - 2026-04-01
+
+### Fixed
+- Correct rule count: 322 → 307 (actual), update all module counts in README
+
+## [2.3.4] - 2026-04-01
+
+### Fixed
+- Suppress false positives in generate-policy template strings
+
+## [2.3.3] - 2026-04-01
+
+### Changed
+- README: add self-scan dogfooding section, update stats to 322 rules / 25 tools
+
+## [2.3.2] - 2026-04-01
+
+### Fixed
+- Fix ReDoS in policy-check glob matching (VG107)
+
+## [2.3.1] - 2026-04-01
+
+### Changed
+- Scan visibility rules: agent always reports GuardVibe results to user
+
+## [1.7.1] - 2026-04-01
+
+### Added
+- 10 new XSS/injection rules covering form actions, file uploads, rich text editors, and template injection
+
+## [1.7.0] - 2026-04-01
+
+### Added
+- 24 new rules from proactive threat research
+- Supply chain attack detection rules
+- CI/CD pipeline security rules
+- Kubernetes misconfiguration detection
+- AI/LLM security rules
+- New CVE version intelligence entries
+
+## [1.6.1] - 2026-04-01
+
+### Added
+- 4 new supply-chain rules for npm publish leak protection
+
+### Security
+- Self-hardening of the publish pipeline to prevent accidental credential leaks
+
+## [1.6.0] - 2026-03-31
+
+### Added
+- Agent-native security layer
+- Command guard for dangerous shell operations
+- Config diff tool for detecting security regressions
+- Repository security posture scoring
+- Deep remediation with expanded fix suggestions
+
+## [1.5.0] - 2026-03-31
+
+### Added
+- PR review security scanning
+- Git history scan for leaked secrets
+- Policy engine with compliance enforcement
+- Taint analysis for data flow tracking
+- 100% fixCode coverage across all rules
+- Expanded patch generation for auto-fix suggestions
+
+## [1.4.0] - 2026-03-31
+
+### Added
+- `check_package_health` tool for typosquat detection, maintenance status, and adoption metrics
+- `exploit` and `audit` fields on SecurityRule for compliance demonstrations
+- fixCode secure code examples added to all 25 rules that were missing them
+
+### Changed
+- Compliance mapping deepened with GDPR and ISO 27001 controls
+- Performance improvements for large project scanning
+
+## [1.3.3] - 2026-03-31
+
+### Fixed
+- Node.js 18 compatibility issue
+
+### Security
+- npm provenance via Sigstore for cryptographic package signing
+- Branch protection enabled (force push disabled on main)
+- Tag protection for version tags (`v*`)
+- Minimal CI permissions (`contents: read` only)
+
+## [1.3.2] - 2026-03-31
+
+### Changed
+- Rebranded project as GuardVibe with new description and metadata
+
+## [0.6.1] - 2026-03-30
+
+### Fixed
+- OSV severity normalization returning incorrect values
+
+### Changed
+- Updated MCP SDK dependency
+
+## [0.6.0] - 2026-03-30
+
+### Added
+- `.guardviberc` configuration file support with rule disable, severity override, and scan exclusions
+- Compliance mapping for SOC2, PCI-DSS, and HIPAA with `compliance_report` tool
+- Terraform IaC security rules (VG300-VG304): S3, IAM, RDS, security groups
+- SARIF v2.1.0 output for CI/CD integration (`export_sarif` tool)
+
+### Fixed
+- `scan_dependencies` severity and summary showing undefined when fetching OSV details
+
+## [0.5.0] - 2026-03-30
+
+### Added
+- `fixCode` field on SecurityRule type with secure code examples for core, Go, Java, PHP, Ruby rules
+- `scan_staged` tool for pre-commit security scanning
+- Dockerfile security rules (VG200-VG204): root user, secrets in ENV, untagged images
+- CI/CD security rules (VG210-VG213): secrets interpolation, unpinned actions, write-all permissions
+- Security guides for Django, NestJS, Hono, Supabase, and tRPC
+- fixCode snippets rendered in security reports
+
+### Changed
+- Renamed project from VibeGuard to GuardVibe across entire codebase
+- Cleaned up all old VibeGuard references and outdated specs
+
+## [0.4.0] - 2026-03-30
+
+### Added
+- `scan_directory` tool for filesystem-native project scanning
+- `scan_dependencies` tool with manifest parsing and OSV batch query
+- `scan_secrets` tool with pattern-based and entropy-based secret detection
+- `guardvibe-ignore` inline comment suppression (supports `//`, `#`, `<!-- -->`)
+- Finding deduplication in analysis pipeline
+
+### Changed
+- `check_project` refactored to use structured findings instead of string parsing
+- Extracted `analyzeCode()` as reusable analysis function
+- Rules split into per-language modules for maintainability
+
+## [0.3.0] - 2026-03-30
+
+### Added
+- Project scanning with `check_project` tool
+- CLI auto-setup (`npx guardvibe init`) for Claude Code, Cursor, Gemini CLI
+- Go security rules (SQL injection, command injection, template escaping)
+- Java security rules
+- PHP security rules
+- Ruby security rules
+- Test infrastructure with tsx and node:test
+- Rule tests for core, Go, Java, PHP, Ruby
+
+## [0.2.0] - 2026-03-30
+
+### Added
+- New security rules for Python
+- Improved Python support
+
+## [0.1.0] - 2026-03-30
+
+### Added
+- Initial release as VibeGuard Security MCP server
+- Core OWASP security rules (SQL injection, XSS, CSRF, command injection)
+- `check_code` tool for code snippet analysis
+- MCP server with stdio transport

package/build/cli.js

@@ -136,7 +136,7 @@ function setupClaudeGuide() {
                 matcher: "Edit|Write",
                 hooks: [{
                         type: "command",
-                        command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe check --format markdown 2>/dev/null || true"
+                        command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe check --format buddy 2>/dev/null || true"
                     }]
             }
         ];
@@ -560,7 +560,8 @@ async function runFileCheck(filePath, flags) {
         process.exit(1);
     }
     const format = flags.format ?? "markdown";
-    const result = checkCode(content, language, undefined, resolved, undefined, format === "json" ? "json" : "markdown");
+    const formatArg = format === "json" ? "json" : format === "buddy" ? "buddy" : "markdown";
+    const result = checkCode(content, language, undefined, resolved, undefined, formatArg);
     const outputFile = flags.output ?? null;
     if (outputFile) {
         writeFileSync(outputFile, result, "utf-8");
@@ -592,7 +593,7 @@ function printUsage() {
     npx guardvibe-scan --format sarif --output results.sarif
 
   Options:
-    --format <type>       Output format: markdown (default), json, sarif
+    --format <type>       Output format: markdown (default), json, sarif, buddy
     --output <file>       Write results to file instead of stdout
     --fail-on <level>     Exit 1 when findings at this level or above exist
                           critical (default) | high | medium | low | none

package/build/data/rules/database.js

@@ -123,4 +123,16 @@ export const databaseRules = [
         fixCode: '-- PostgreSQL: use SECURITY INVOKER\nCREATE OR REPLACE FUNCTION get_user_data(user_id uuid)\nRETURNS TABLE (id uuid, name text)\nLANGUAGE sql\nSECURITY INVOKER  -- respects RLS!\nAS $$\n  SELECT id, name FROM users WHERE id = user_id;\n$$;\n\n// TypeScript: call with anon key (not service role)\nconst { data } = await supabase.rpc("get_user_data", { user_id: userId });',
         compliance: ["SOC2:CC6.1"],
     },
+    {
+        id: "VG912",
+        name: "MongoDB NoSQL Injection via Query Operators",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "MongoDB query operators ($where, $regex, $gt, $ne, $nin) used in database queries may be vulnerable to NoSQL injection if user input is passed directly without validation. Attackers can manipulate query logic to bypass authentication or extract data.",
+        pattern: /\.(find|findOne|updateOne|deleteOne|aggregate)\(\s*\{[^}]*(\$where|\$regex|\$gt|\$ne|\$nin)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Validate and sanitize all user input before using it in MongoDB queries. Use a schema validation library (zod, joi) to ensure query parameters match expected types. Never pass raw request body directly to MongoDB queries.",
+        fixCode: 'import { z } from "zod";\n\n// Validate input before query\nconst schema = z.object({ id: z.string().regex(/^[a-f0-9]{24}$/) });\nconst { id } = schema.parse(req.body);\n\n// Safe query — no raw operators from user input\nconst user = await db.collection("users").findOne({ _id: new ObjectId(id) });',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
 ];

package/build/data/rules/deployment.js

@@ -244,4 +244,16 @@ export const deploymentRules = [
         fixCode: '// Validate URL scheme\nfunction isSafeUrl(url: string): boolean {\n  try {\n    const parsed = new URL(url);\n    return ["https:", "http:"].includes(parsed.protocol);\n  } catch {\n    return false;\n  }\n}\n\n// Usage\n<img src={isSafeUrl(userUrl) ? userUrl : "/placeholder.png"} />',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG911",
+        name: "Kubernetes Secret Hardcoded Value",
+        severity: "critical",
+        owasp: "A07:2025 Identification and Authentication Failures",
+        description: "Kubernetes Secret manifest contains hardcoded base64-encoded values in the data field. These secrets are only base64-encoded (not encrypted) and will be exposed in version control. Use External Secrets, Sealed Secrets, or a secrets manager instead.",
+        pattern: /kind:\s*Secret[\s\S]*?data:[\s\S]*?(?!\s*\{\{)[\w+/=]{8,}/g,
+        languages: ["yaml"],
+        fix: "Never commit Secret manifests with hardcoded values. Use External Secrets Operator, Sealed Secrets, or inject secrets via CI/CD pipeline. Store sensitive values in a secrets manager (Vault, AWS Secrets Manager, etc.).",
+        fixCode: '# Use External Secrets Operator\napiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n  name: my-secret\nspec:\n  refreshInterval: 1h\n  secretStoreRef:\n    name: vault-backend\n    kind: SecretStore\n  target:\n    name: my-secret\n  data:\n    - secretKey: password\n      remoteRef:\n        key: secret/data/myapp\n        property: password',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.3", "HIPAA:§164.312(a)"],
+    },
 ];

package/build/data/rules/modern-stack.js

@@ -482,4 +482,16 @@ export const modernStackRules = [
         fixCode: 'import { randomUUID } from "crypto";\nimport path from "path";\n\n// Generate safe filename\nconst ext = path.extname(file.name).toLowerCase();\nconst ALLOWED_EXT = [".jpg", ".jpeg", ".png", ".webp", ".pdf"];\nif (!ALLOWED_EXT.includes(ext)) throw new Error("Invalid file type");\nconst safeName = `${randomUUID()}${ext}`;\nawait fs.writeFile(`/uploads/${safeName}`, buffer);',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG910",
+        name: "Hono SSE Injection via streamSSE",
+        severity: "medium",
+        owasp: "A02:2025 Injection",
+        description: "Hono's streamSSE() sends Server-Sent Events to clients. If event, id, or retry fields contain unsanitized user input, attackers can inject CR/LF characters to forge SSE messages, hijack event streams, or trigger client-side actions. Related to CVE-2026-29085.",
+        pattern: /streamSSE\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Sanitize all SSE field values by stripping CR/LF characters (\\r, \\n) before passing them to streamSSE. Never use raw user input in event, id, or retry fields.",
+        fixCode: '// Sanitize SSE fields\nfunction sanitizeSSE(value: string): string {\n  return value.replace(/[\\r\\n]/g, "");\n}\n\n// Usage with Hono streamSSE\nreturn streamSSE(c, async (stream) => {\n  await stream.writeSSE({\n    event: sanitizeSSE(eventName),\n    data: sanitizeSSE(data),\n    id: sanitizeSSE(id),\n  });\n});',
+        compliance: ["SOC2:CC7.1"],
+    },
 ];

package/build/tools/check-code.d.ts

@@ -6,4 +6,4 @@ export interface Finding {
 }
 export declare function analyzeCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, rules?: SecurityRule[]): Finding[];
 export declare function formatFindingsJson(findings: Finding[], extra?: Record<string, unknown>): string;
-export declare function checkCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, format?: "markdown" | "json", rules?: SecurityRule[]): string;
+export declare function checkCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, format?: "markdown" | "json" | "buddy", rules?: SecurityRule[]): string;

package/build/tools/check-code.js

@@ -1,3 +1,4 @@
+import { basename } from "path";
 import { owaspRules } from "../data/rules/index.js";
 import { loadConfig } from "../utils/config.js";
 import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
@@ -421,6 +422,9 @@ export function checkCode(code, language, framework, filePath, configDir, format
     if (format === "json") {
         return formatFindingsJson(findings);
     }
+    if (format === "buddy") {
+        return formatBuddyOutput(findings, filePath);
+    }
     if (findings.length === 0) {
         return formatCleanReport(language, framework);
     }
@@ -547,3 +551,49 @@ function formatReport(findings, language, framework) {
     }
     return lines.join("\n");
 }
+// ─── Buddy Format ────────────────────────────────────────────────
+function severityWeight(s) {
+    return s === "critical" ? 4 : s === "high" ? 3 : s === "medium" ? 2 : 1;
+}
+function formatBuddyOutput(findings, filePath) {
+    const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+    for (const f of findings) {
+        const sev = f.rule.severity;
+        if (sev in counts)
+            counts[sev]++;
+    }
+    let score = 100;
+    score -= counts.critical * 15;
+    score -= counts.high * 8;
+    score -= counts.medium * 3;
+    score -= counts.low * 1;
+    score = Math.max(0, Math.min(100, score));
+    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
+    const faces = {
+        A: "\\[^_^]/",
+        B: " [^_^]b",
+        C: " [o_o] ",
+        D: " [>_<] ",
+        F: " [X_X]!",
+    };
+    const face = faces[grade] || faces.C;
+    const messages = {
+        A: ["All clear, captain!", "Fort Knox level!", "Zero issues. Nice!", "Secure & clean!"],
+        B: ["Looking good!", "Almost perfect!", "Solid work!", "Just minor things."],
+        C: ["Some issues here...", "Needs attention.", "Review recommended."],
+        D: ["Multiple issues!", "Fix these ASAP.", "Getting risky..."],
+        F: ["Red alert!", "Critical issues!", "Stop and fix now!", "Danger zone!"],
+    };
+    const pool = messages[grade] || messages.C;
+    const msg = pool[Math.floor(Math.random() * pool.length)];
+    if (findings.length === 0) {
+        return `🛡️ ${face} GuardVibe: ${grade} [${score}] ✓ ${msg}`;
+    }
+    const sorted = [...findings].sort((a, b) => severityWeight(b.rule.severity) - severityWeight(a.rule.severity));
+    const top = sorted[0];
+    const fileName = filePath ? basename(filePath) : "unknown";
+    const severityIcon = counts.critical > 0 ? "🚨" : counts.high > 0 ? "⚠" : "⚡";
+    const total = counts.critical + counts.high + counts.medium + counts.low;
+    const detail = `${total} issue${total > 1 ? "s" : ""} — ${top.rule.name} (${fileName}:${top.line})`;
+    return `🛡️ ${face} GuardVibe: ${grade} [${score}] ${severityIcon} ${detail} — ${msg}`;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.3.9",
+  "version": "2.4.2",
   "description": "Security MCP for vibe coding. 313 rules, 25 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
@@ -8,12 +8,22 @@
     "guardvibe-init": "build/cli.js",
     "guardvibe-scan": "build/cli.js"
   },
+  "types": "./build/index.d.ts",
   "files": [
-    "build"
+    "build",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
   ],
   "exports": {
-    ".": "./build/index.js",
-    "./plugins": "./build/plugins/types.js"
+    ".": {
+      "types": "./build/index.d.ts",
+      "default": "./build/index.js"
+    },
+    "./plugins": {
+      "types": "./build/plugins/types.d.ts",
+      "default": "./build/plugins/types.js"
+    }
   },
   "scripts": {
     "build": "tsc",