guardvibe 2.4.2 → 2.4.4

package/CHANGELOG.md

@@ -5,6 +5,29 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.4.4] - 2026-04-04
+
+### Added
+- Code coverage reporting with c8 (`npm run test:coverage`)
+- Codecov integration in CI pipeline with coverage badge
+- 89% line coverage across codebase
+
+## [2.4.3] - 2026-04-04
+
+### Added
+- ESLint with typescript-eslint for static analysis (eslint.config.js)
+- `npm run lint` script for code quality checks
+- `npm audit` step in CI/CD pipelines
+- Dependabot configuration for automated dependency updates
+- `.gitattributes` for consistent line endings
+- `main` field in package.json for maximum compatibility
+- `funding` field in package.json
+
+### Changed
+- CI workflow now runs lint and security audit before tests
+- Publish workflow now runs lint and security audit before publish
+- Cleaned up unused imports and variables across codebase
+
 ## [2.4.1] - 2026-04-04
 
 ### Added

package/README.md

@@ -4,6 +4,7 @@
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Node.js CI](https://github.com/goklab/guardvibe/actions/workflows/ci.yml/badge.svg)](https://github.com/goklab/guardvibe/actions/workflows/ci.yml)
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
+[![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
 
 **The security MCP built for vibe coding.** 313 security rules covering the entire AI-generated code journey — from first line to production deployment.
 

package/build/tools/check-code.js

@@ -60,10 +60,10 @@ function isInsideStringLiteral(lines, lineNumber, code, matchIndex) {
     if (/^\s*\+\s*["']/.test(line))
         return true; // + "string continuation"
     // 3. Line contains escaped newlines (\n) suggesting it's inside a string value
-    const quotesBefore = line.substring(0, line.indexOf(trimmed.charAt(0)));
+    const _quotesBefore = line.substring(0, line.indexOf(trimmed.charAt(0)));
     if (/\\n/.test(line) && /["'`].*\\n/.test(line)) {
         // Extra check: is the match portion inside quotes on this line?
-        const matchEnd = matchIndex + 20; // approximate
+        const _matchEnd = matchIndex + 20; // approximate
         const lineStart = code.lastIndexOf("\n", matchIndex) + 1;
         const col = matchIndex - lineStart;
         const beforeCol = line.substring(0, col);

package/build/tools/check-deps.js

@@ -10,7 +10,7 @@ export async function checkDependencies(packages) {
         ``,
     ];
     let totalVulns = 0;
-    let criticalPackages = [];
+    const criticalPackages = [];
     for (const pkg of packages) {
         try {
             const vulns = await queryOsv(pkg.name, pkg.version, pkg.ecosystem);

package/build/tools/review-pr.js

@@ -45,7 +45,7 @@ function detectLanguage(filePath) {
         return "dockerfile";
     return CONFIG_FILE_MAP[basename(filePath)] ?? null;
 }
-function assessConfidence(rule, match) {
+function assessConfidence(rule, _match) {
     // Higher confidence for specific patterns (secrets, hardcoded values)
     if (rule.id.startsWith("VG0") || rule.id.startsWith("VG6"))
         return 0.95; // core + secrets

package/build/tools/scan-secrets-history.js

@@ -29,7 +29,7 @@ function getFileAtCommit(cwd, commitHash, filePath) {
         return null;
     }
 }
-function fileExistsAtHead(cwd, filePath) {
+function _fileExistsAtHead(cwd, filePath) {
     const result = execGit(["cat-file", "-e", `HEAD:${filePath}`], cwd);
     // cat-file -e returns empty on success, error message on failure
     return result === "";

package/build/utils/ignore.js

@@ -9,13 +9,13 @@
 // Supports simple glob matching: * matches any segment, ** matches any depth.
 import { readFileSync } from "fs";
 import { join } from "path";
-let ignoreCache = new Map();
+const ignoreCache = new Map();
 export function loadIgnoreFile(dir) {
     const cached = ignoreCache.get(dir);
     if (cached)
         return cached;
     const ignorePath = join(dir, ".guardvibeignore");
-    let entries = [];
+    const entries = [];
     try {
         const content = readFileSync(ignorePath, "utf-8");
         const lines = content.split("\n");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.4.2",
+  "version": "2.4.4",
   "description": "Security MCP for vibe coding. 313 rules, 25 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
@@ -8,6 +8,7 @@
     "guardvibe-init": "build/cli.js",
     "guardvibe-scan": "build/cli.js"
   },
+  "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "files": [
     "build",
@@ -30,7 +31,9 @@
     "dev": "tsc --watch",
     "start": "node build/index.js",
     "prepare": "npm run build",
-    "test": "node --import tsx --test tests/**/*.test.ts"
+    "lint": "eslint src/",
+    "test": "node --import tsx --test tests/**/*.test.ts",
+    "test:coverage": "c8 --reporter=lcov --reporter=text node --import tsx --test tests/**/*.test.ts"
   },
   "keywords": [
     "mcp",
@@ -87,6 +90,9 @@
     "mass-assignment",
     "auto-fix"
   ],
+  "funding": {
+    "url": "https://github.com/sponsors/goklab"
+  },
   "author": "GokLab",
   "license": "Apache-2.0",
   "homepage": "https://guardvibe.dev",
@@ -103,8 +109,11 @@
   },
   "devDependencies": {
     "@types/node": "^22.0.0",
+    "c8": "^11.0.0",
+    "eslint": "^10.2.0",
     "tsx": "^4.21.0",
-    "typescript": "^5.7.0"
+    "typescript": "^5.7.0",
+    "typescript-eslint": "^8.58.0"
   },
   "engines": {
     "node": ">=18.0.0"