guardvibe 2.5.0 → 2.7.4

package/build/tools/audit-mcp-config.js

@@ -0,0 +1,296 @@
+import { readFileSync, existsSync } from "fs";
+import { join, resolve } from "path";
+// Known suspicious patterns in hook commands
+const NETWORK_CMDS = /\b(?:curl|wget|nc|ncat|netcat|fetch|http|telnet)\b/i;
+const SHELL_CHAIN = /(?:\||\$\(|`[^`]+`|;\s*\w|&&\s*\w|>\s*\/)/;
+const FILE_MODIFY = /\b(?:cp|mv|rm|chmod|chown|sed|tee|dd)\b/;
+const EVAL_PIPE = /\|\s*(?:bash|sh|zsh|python|node|eval|exec)\b/;
+const DANGEROUS_PATTERNS = /\b(?:eval|base64|decode|exec\s*\(|os\.system|subprocess)\b/i;
+/**
+ * Scan MCP configuration files for security issues.
+ * Standalone tool + called by doctor.
+ */
+export function auditMcpConfig(projectPath, doctorConfig) {
+    const findings = [];
+    const scannedFiles = [];
+    const skippedFiles = [];
+    const root = resolve(projectPath);
+    const configFiles = [
+        { path: join(root, ".claude.json"), host: "Claude" },
+        { path: join(root, ".claude", "settings.json"), host: "Claude" },
+        { path: join(root, ".cursor", "mcp.json"), host: "Cursor" },
+        { path: join(root, ".vscode", "mcp.json"), host: "VS Code" },
+        { path: join(root, ".vscode", "settings.json"), host: "VS Code" },
+    ];
+    const trustedServers = new Set(doctorConfig?.trustedServers ?? []);
+    const ignorePaths = new Set(doctorConfig?.ignorePaths ?? []);
+    for (const { path: configPath, host } of configFiles) {
+        if (ignorePaths.has(configPath) || ignorePaths.has(configPath.replace(root + "/", ""))) {
+            skippedFiles.push(configPath);
+            continue;
+        }
+        if (!existsSync(configPath)) {
+            skippedFiles.push(configPath);
+            continue;
+        }
+        scannedFiles.push(configPath);
+        let content;
+        try {
+            content = readFileSync(configPath, "utf-8");
+        }
+        catch {
+            skippedFiles.push(configPath);
+            continue;
+        }
+        let parsed;
+        try {
+            parsed = JSON.parse(content);
+        }
+        catch {
+            findings.push({
+                ruleId: "VG-HOST-001",
+                severity: "info",
+                trustState: "unknown",
+                verdict: "observed",
+                confidence: "high",
+                source: "core",
+                file: configPath,
+                description: `${host} config file contains invalid JSON`,
+                remediation: "Fix JSON syntax errors in the configuration file.",
+            });
+            continue;
+        }
+        // Scan hooks (Claude settings.json)
+        if (parsed.hooks && typeof parsed.hooks === "object") {
+            scanHooks(parsed, configPath, findings);
+        }
+        // Scan allowedTools
+        if (Array.isArray(parsed.allowedTools)) {
+            scanAllowedTools(parsed.allowedTools, configPath, findings);
+        }
+        // Scan MCP server entries
+        const servers = parsed.mcpServers ?? parsed.servers;
+        if (servers && typeof servers === "object") {
+            scanMcpServers(servers, configPath, host, trustedServers, findings);
+        }
+    }
+    return { findings, scannedFiles, skippedFiles };
+}
+function scanHooks(settings, file, findings) {
+    if (!settings.hooks)
+        return;
+    for (const [hookName, hooks] of Object.entries(settings.hooks)) {
+        if (!Array.isArray(hooks))
+            continue;
+        for (const hook of hooks) {
+            const cmd = hook.command;
+            if (!cmd)
+                continue;
+            // VG884: Shell metacharacters
+            if (SHELL_CHAIN.test(cmd)) {
+                findings.push({
+                    ruleId: "VG884",
+                    severity: "critical",
+                    trustState: "suspicious",
+                    verdict: "exploitable",
+                    confidence: "high",
+                    source: "core",
+                    file,
+                    description: `${hookName} hook contains shell metacharacters: potential command injection (CVE-2025-59536)`,
+                    remediation: "Remove shell metacharacters (|, ;, &&, $()) from hook commands. Use simple, direct commands.",
+                    patchPreview: `"${hookName}": [{ "command": "<simple-command-without-pipes>" }]`,
+                });
+            }
+            // VG890: Network requests
+            if (NETWORK_CMDS.test(cmd)) {
+                findings.push({
+                    ruleId: "VG890",
+                    severity: "critical",
+                    trustState: "suspicious",
+                    verdict: "exploitable",
+                    confidence: "high",
+                    source: "core",
+                    file,
+                    description: `${hookName} hook executes network requests — potential data exfiltration`,
+                    remediation: "Remove network request commands (curl, wget, nc) from hooks. Hooks should only perform local operations.",
+                });
+            }
+            // VG891: Pipe to interpreter
+            if (EVAL_PIPE.test(cmd)) {
+                findings.push({
+                    ruleId: "VG891",
+                    severity: "high",
+                    trustState: "suspicious",
+                    verdict: "risky",
+                    confidence: "high",
+                    source: "core",
+                    file,
+                    description: `${hookName} hook pipes output to interpreter (bash/python/node) — code execution risk`,
+                    remediation: "Remove pipe chains to interpreters. Process output in a dedicated script if needed.",
+                });
+            }
+            // VG895: PostToolUse file modifications
+            if (hookName === "PostToolUse" && FILE_MODIFY.test(cmd)) {
+                findings.push({
+                    ruleId: "VG895",
+                    severity: "high",
+                    trustState: "suspicious",
+                    verdict: "risky",
+                    confidence: "high",
+                    source: "core",
+                    file,
+                    description: `PostToolUse hook modifies files silently — potential backdoor or code tampering`,
+                    remediation: "Remove file-modifying commands from PostToolUse hooks. Hooks should only observe and report.",
+                });
+            }
+            // Generic dangerous patterns
+            if (DANGEROUS_PATTERNS.test(cmd) && !NETWORK_CMDS.test(cmd)) {
+                findings.push({
+                    ruleId: "VG884",
+                    severity: "high",
+                    trustState: "suspicious",
+                    verdict: "risky",
+                    confidence: "medium",
+                    source: "core",
+                    file,
+                    description: `${hookName} hook contains dangerous pattern (eval/base64/exec) — potential code execution`,
+                    remediation: "Remove eval, base64 decode, and exec patterns from hook commands.",
+                });
+            }
+        }
+    }
+}
+function scanAllowedTools(tools, file, findings) {
+    for (const tool of tools) {
+        if (tool === "*") {
+            findings.push({
+                ruleId: "VG885",
+                severity: "medium",
+                trustState: "unknown",
+                verdict: "risky",
+                confidence: "high",
+                source: "core",
+                file,
+                description: 'allowedTools contains wildcard "*" — all tools are accessible without restriction',
+                remediation: "Replace wildcard tool access with explicit tool names that the MCP server actually needs.",
+                patchPreview: '"allowedTools": ["read_file", "list_directory"]',
+            });
+        }
+        else if (/\*/.test(tool) && tool !== "*") {
+            // Broad wildcards like mcp__*, edit*, etc.
+            const prefix = tool.replace(/\*/g, "");
+            if (prefix.length < 10) {
+                findings.push({
+                    ruleId: "VG893",
+                    severity: "medium",
+                    trustState: "unknown",
+                    verdict: "risky",
+                    confidence: "medium",
+                    source: "core",
+                    file,
+                    description: `allowedTools contains broad wildcard "${tool}" — grants more access than intended`,
+                    remediation: "Replace broad wildcards with specific tool names. Use exact match patterns.",
+                });
+            }
+        }
+    }
+}
+function scanMcpServers(servers, file, host, trustedServers, findings) {
+    for (const [name, server] of Object.entries(servers)) {
+        // Skip trusted servers
+        if (isTrusted(name, trustedServers))
+            continue;
+        // VG892: file:// references
+        const url = server.url ?? "";
+        if (/^file:\/\//i.test(url)) {
+            findings.push({
+                ruleId: "VG892",
+                severity: "high",
+                trustState: "suspicious",
+                verdict: "risky",
+                confidence: "high",
+                source: "core",
+                file,
+                description: `MCP server "${name}" uses file:// URL — potential local file access`,
+                remediation: "Use npm packages or HTTPS URLs for MCP servers. Avoid file:// references.",
+            });
+        }
+        // Non-HTTPS URL
+        if (url && /^http:\/\//i.test(url)) {
+            findings.push({
+                ruleId: "VG892",
+                severity: "medium",
+                trustState: "unknown",
+                verdict: "risky",
+                confidence: "medium",
+                source: "core",
+                file,
+                description: `MCP server "${name}" uses HTTP (not HTTPS) — traffic is unencrypted`,
+                remediation: "Use HTTPS for MCP server connections to prevent traffic interception.",
+            });
+        }
+        // Check command for suspicious patterns
+        const cmd = server.command ?? "";
+        const argsStr = (server.args ?? []).join(" ");
+        const fullCmd = `${cmd} ${argsStr}`;
+        if (NETWORK_CMDS.test(fullCmd) && SHELL_CHAIN.test(fullCmd)) {
+            findings.push({
+                ruleId: "VG890",
+                severity: "high",
+                trustState: "suspicious",
+                verdict: "risky",
+                confidence: "medium",
+                source: "core",
+                file,
+                description: `MCP server "${name}" command contains network requests with shell chaining`,
+                remediation: "Review the MCP server command for suspicious network activity.",
+            });
+        }
+        // Check for env overrides in server config
+        if (server.env) {
+            for (const [key, val] of Object.entries(server.env)) {
+                if (/ANTHROPIC_BASE_URL/i.test(key) && !/api\.anthropic\.com/.test(val)) {
+                    findings.push({
+                        ruleId: "VG882",
+                        severity: "high",
+                        trustState: "suspicious",
+                        verdict: "risky",
+                        confidence: "medium",
+                        source: "core",
+                        file,
+                        description: `MCP server "${name}" overrides ANTHROPIC_BASE_URL — API traffic redirection`,
+                        remediation: "Remove ANTHROPIC_BASE_URL override or add the URL to trustedBaseUrls in .guardviberc.",
+                    });
+                }
+            }
+        }
+        // VG894: Sensitive path access
+        const sensitivePaths = /(?:\.ssh|\.gnupg|\.aws|\.kube|\/etc(?:\/|\b)|\.config\/gcloud)/i;
+        if (sensitivePaths.test(fullCmd) || sensitivePaths.test(JSON.stringify(server))) {
+            findings.push({
+                ruleId: "VG894",
+                severity: "high",
+                trustState: "suspicious",
+                verdict: "risky",
+                confidence: "high",
+                source: "core",
+                file,
+                description: `MCP server "${name}" references security-sensitive paths (.ssh, .aws, .gnupg, /etc)`,
+                remediation: "Remove security-sensitive paths from MCP server configuration. Limit access to project directories.",
+            });
+        }
+    }
+}
+function isTrusted(name, trustedServers) {
+    if (trustedServers.has(name))
+        return true;
+    // Check glob patterns like @anthropic/*
+    for (const pattern of trustedServers) {
+        if (pattern.endsWith("/*")) {
+            const prefix = pattern.slice(0, -2);
+            if (name.startsWith(prefix))
+                return true;
+        }
+    }
+    return false;
+}

package/build/tools/check-code.js

@@ -2,6 +2,7 @@ import { basename } from "path";
 import { owaspRules } from "../data/rules/index.js";
 import { loadConfig } from "../utils/config.js";
 import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
+import { securityBanner } from "../utils/banner.js";
 function parseSuppressionsFromCode(lines) {
     const suppressions = [];
     const pattern = /(?:\/\/|#|<!--)\s*guardvibe-ignore(?:-next-line)?\s*(VG\d+)?\s*(?:-->)?/i;
@@ -441,6 +442,7 @@ function formatCleanReport(language, framework) {
         ``,
         `Tips for ${language}${ctx}:`,
         ...tips.map(t => `- ${t}`),
+        securityBanner({ total: 0, critical: 0, high: 0, medium: 0 }),
     ].join("\n");
 }
 function getLanguageTips(language, framework) {
@@ -549,6 +551,7 @@ function formatReport(findings, language, framework) {
             }
         }
     }
+    lines.push(securityBanner({ total: allFindings.length, critical: criticalCount, high: highCount, medium: mediumCount }));
     return lines.join("\n");
 }
 // ─── Buddy Format ────────────────────────────────────────────────

package/build/tools/doctor.d.ts

@@ -0,0 +1,14 @@
+import type { DoctorScope } from "../server/types.js";
+/**
+ * guardvibe_doctor — Unified host hardening scanner
+ *
+ * Orchestrates multiple analyzers to provide a comprehensive
+ * security assessment of AI coding host configuration.
+ *
+ * Analyzers:
+ * 1. MCP Config (audit_mcp_config) — hooks, servers, tool access
+ * 2. Host Environment (scan_host_config) — base URL hijack, env sniffing
+ * 3. Permissions (inline) — allowedTools wildcards, sensitive paths
+ * 4. File Transport (inline) — file:// references, path traversal
+ */
+export declare function doctor(projectPath: string, scope?: DoctorScope, format?: "markdown" | "json"): string;

package/build/tools/doctor.js

@@ -0,0 +1,123 @@
+import { readFileSync, existsSync } from "fs";
+import { join, resolve } from "path";
+import { formatHostFindings, redactSecrets } from "../server/types.js";
+import { auditMcpConfig } from "./audit-mcp-config.js";
+import { scanHostConfig } from "./scan-host-config.js";
+import { enrichAllRemediations } from "../cli/remediation.js";
+/**
+ * guardvibe_doctor — Unified host hardening scanner
+ *
+ * Orchestrates multiple analyzers to provide a comprehensive
+ * security assessment of AI coding host configuration.
+ *
+ * Analyzers:
+ * 1. MCP Config (audit_mcp_config) — hooks, servers, tool access
+ * 2. Host Environment (scan_host_config) — base URL hijack, env sniffing
+ * 3. Permissions (inline) — allowedTools wildcards, sensitive paths
+ * 4. File Transport (inline) — file:// references, path traversal
+ */
+export function doctor(projectPath, scope = "project", format = "markdown") {
+    const root = resolve(projectPath);
+    const doctorConfig = loadDoctorConfig(root);
+    const allFindings = [];
+    const allScanned = [];
+    const allSkipped = [];
+    // ── Analyzer 1: MCP Config ──────────────────────────────────────
+    const mcpResult = auditMcpConfig(root, doctorConfig);
+    allFindings.push(...mcpResult.findings);
+    allScanned.push(...mcpResult.scannedFiles);
+    allSkipped.push(...mcpResult.skippedFiles);
+    // ── Analyzer 2: Host Environment ────────────────────────────────
+    const hostResult = scanHostConfig(root, scope, doctorConfig);
+    allFindings.push(...hostResult.findings);
+    allScanned.push(...hostResult.scannedFiles);
+    allSkipped.push(...hostResult.skippedFiles);
+    // ── Analyzer 3: Permissions (inline scan) ───────────────────────
+    scanPermissions(root, doctorConfig, allFindings, allScanned, allSkipped);
+    // ── Host-Specific Remediation Enrichment ─────────────────────────
+    enrichAllRemediations(allFindings);
+    // ── Output ──────────────────────────────────────────────────────
+    const title = `GuardVibe Doctor — Host Security Audit (scope: ${scope})`;
+    const output = formatHostFindings(allFindings, allScanned, allSkipped, format, title);
+    return redactSecrets(output);
+}
+/**
+ * Load doctor-specific config from .guardviberc
+ */
+function loadDoctorConfig(root) {
+    const configPath = findConfigFileUp(root, ".guardviberc");
+    if (!configPath)
+        return {};
+    try {
+        const content = readFileSync(configPath, "utf-8");
+        const parsed = JSON.parse(content);
+        return parsed.doctor ?? {};
+    }
+    catch {
+        return {};
+    }
+}
+function findConfigFileUp(startDir, filename) {
+    let current = startDir;
+    const fsRoot = resolve("/");
+    while (true) {
+        const candidate = join(current, filename);
+        if (existsSync(candidate))
+            return candidate;
+        const parent = resolve(current, "..");
+        if (parent === current || current === fsRoot)
+            break;
+        current = parent;
+    }
+    return null;
+}
+/**
+ * Inline permissions analyzer — checks for overly permissive
+ * configurations that don't fit in other analyzers.
+ */
+function scanPermissions(root, _doctorConfig, findings, scannedFiles, _skippedFiles) {
+    // Check .claude.json for permissive patterns
+    const claudeJson = join(root, ".claude.json");
+    if (existsSync(claudeJson)) {
+        if (!scannedFiles.includes(claudeJson))
+            scannedFiles.push(claudeJson);
+        try {
+            const content = readFileSync(claudeJson, "utf-8");
+            const parsed = JSON.parse(content);
+            // Check for allowedTools with dangerous patterns
+            if (Array.isArray(parsed.permissions?.allow)) {
+                for (const perm of parsed.permissions.allow) {
+                    if (typeof perm === "string" && /^(?:Bash|Edit|Write)\(.*\*.*\)$/i.test(perm)) {
+                        findings.push({
+                            ruleId: "VG893",
+                            severity: "medium",
+                            trustState: "unknown",
+                            verdict: "risky",
+                            confidence: "medium",
+                            source: "core",
+                            file: claudeJson,
+                            description: `Broad permission pattern "${perm}" — may grant unintended access`,
+                            remediation: "Replace broad wildcard permissions with specific, scoped patterns.",
+                        });
+                    }
+                }
+            }
+            // Check for deny list being empty when allow list is broad
+            if (Array.isArray(parsed.permissions?.allow) && parsed.permissions.allow.length > 10
+                && (!parsed.permissions?.deny || parsed.permissions.deny.length === 0)) {
+                findings.push({
+                    ruleId: "VG885",
+                    severity: "low",
+                    trustState: "unknown",
+                    verdict: "observed",
+                    confidence: "low",
+                    source: "core",
+                    file: claudeJson,
+                    description: "Large allow list with no deny list — consider adding explicit denials for sensitive operations",
+                    remediation: "Add a deny list to explicitly block dangerous operations (e.g., rm -rf, git push --force).",
+                });
+            }
+        }
+        catch { /* invalid JSON already caught by MCP config scanner */ }
+    }
+}

package/build/tools/scan-directory.js

@@ -6,6 +6,7 @@ import { analyzeCode } from "./check-code.js";
 import { loadConfig } from "../utils/config.js";
 import { DEFAULT_EXCLUDES, EXTENSION_MAP, CONFIG_FILE_MAP } from "../utils/constants.js";
 import { walkDirectory } from "../utils/walk-directory.js";
+import { securityBanner } from "../utils/banner.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../../package.json");
 // GuardVibe version — used in scan metadata
@@ -240,5 +241,6 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
         for (const s of skippedFiles)
             lines.push(`- ${s}`);
     }
+    lines.push(securityBanner({ total: totalIssues, critical: totalCritical, high: totalHigh, medium: totalMedium, score, grade, filesScanned: metadata.filesScanned }));
     return lines.join("\n");
 }

package/build/tools/scan-host-config.d.ts

@@ -0,0 +1,10 @@
+import type { HostFinding, DoctorConfig, DoctorScope } from "../server/types.js";
+/**
+ * Scan host environment configuration for security issues.
+ * Checks .env files, shell profiles, and environment variables.
+ */
+export declare function scanHostConfig(projectPath: string, scope?: DoctorScope, doctorConfig?: DoctorConfig): {
+    findings: HostFinding[];
+    scannedFiles: string[];
+    skippedFiles: string[];
+};

package/build/tools/scan-host-config.js

@@ -0,0 +1,181 @@
+import { readFileSync, existsSync } from "fs";
+import { join, resolve } from "path";
+import { homedir } from "os";
+// Known legitimate base URLs
+const ANTHROPIC_HOSTS = ["api.anthropic.com"];
+const OPENAI_HOSTS = ["api.openai.com"];
+const BASE_URL_PATTERN = /(?:ANTHROPIC_BASE_URL|OPENAI_BASE_URL|ANTHROPIC_API_BASE|OPENAI_API_BASE)\s*=\s*['"]?(https?:\/\/[^\s'"#]+)/gi;
+const API_KEY_EXPORT = /export\s+(?:ANTHROPIC_API_KEY|OPENAI_API_KEY|ANTHROPIC_KEY|OPENAI_KEY)\s*=\s*['"]?([^\s'"]+)/gi;
+const ENV_SNIFF = /(?:echo|cat|printenv|env\s|set\s)[\s|]*(?:\$(?:ANTHROPIC|OPENAI|CLAUDE|API)_\w+|\$\{(?:ANTHROPIC|OPENAI|CLAUDE|API)_\w+\})/gi;
+/**
+ * Scan host environment configuration for security issues.
+ * Checks .env files, shell profiles, and environment variables.
+ */
+export function scanHostConfig(projectPath, scope = "project", doctorConfig) {
+    const findings = [];
+    const scannedFiles = [];
+    const skippedFiles = [];
+    const root = resolve(projectPath);
+    const home = homedir();
+    const trustedBaseUrls = new Set(doctorConfig?.trustedBaseUrls ?? []);
+    const ignorePaths = new Set(doctorConfig?.ignorePaths ?? []);
+    // Project-scope .env files
+    const envFiles = [
+        join(root, ".env"),
+        join(root, ".env.local"),
+        join(root, ".env.production"),
+        join(root, ".env.development"),
+    ];
+    for (const envFile of envFiles) {
+        const relPath = envFile.replace(root + "/", "");
+        if (ignorePaths.has(relPath) || ignorePaths.has(envFile)) {
+            skippedFiles.push(envFile);
+            continue;
+        }
+        scanEnvFile(envFile, findings, scannedFiles, skippedFiles, trustedBaseUrls);
+    }
+    // Host-scope: shell profiles
+    if (scope === "host" || scope === "full") {
+        const shellProfiles = [
+            join(home, ".bashrc"),
+            join(home, ".zshrc"),
+            join(home, ".profile"),
+            join(home, ".bash_profile"),
+            join(home, ".zprofile"),
+        ];
+        for (const profile of shellProfiles) {
+            scanShellProfile(profile, findings, scannedFiles, skippedFiles, trustedBaseUrls);
+        }
+    }
+    // Host-scope: global AI host configs
+    if (scope === "host" || scope === "full") {
+        const globalConfigs = [
+            { path: join(home, ".gemini", "settings.json"), host: "Gemini" },
+            { path: join(home, ".codeium", "windsurf", "mcp_config.json"), host: "Windsurf" },
+        ];
+        for (const { path: configPath } of globalConfigs) {
+            if (!existsSync(configPath)) {
+                skippedFiles.push(configPath);
+                continue;
+            }
+            scannedFiles.push(configPath);
+            try {
+                const content = readFileSync(configPath, "utf-8");
+                scanContentForBaseUrls(content, configPath, findings, trustedBaseUrls);
+            }
+            catch {
+                skippedFiles.push(configPath);
+            }
+        }
+    }
+    return { findings, scannedFiles, skippedFiles };
+}
+function scanEnvFile(filePath, findings, scannedFiles, skippedFiles, trustedBaseUrls) {
+    if (!existsSync(filePath)) {
+        skippedFiles.push(filePath);
+        return;
+    }
+    scannedFiles.push(filePath);
+    let content;
+    try {
+        content = readFileSync(filePath, "utf-8");
+    }
+    catch {
+        skippedFiles.push(filePath);
+        return;
+    }
+    scanContentForBaseUrls(content, filePath, findings, trustedBaseUrls);
+}
+function scanShellProfile(filePath, findings, scannedFiles, skippedFiles, trustedBaseUrls) {
+    if (!existsSync(filePath)) {
+        skippedFiles.push(filePath);
+        return;
+    }
+    scannedFiles.push(filePath);
+    let content;
+    try {
+        content = readFileSync(filePath, "utf-8");
+    }
+    catch {
+        skippedFiles.push(filePath);
+        return;
+    }
+    // Check for base URL overrides
+    scanContentForBaseUrls(content, filePath, findings, trustedBaseUrls);
+    // Check for env variable sniffing patterns
+    ENV_SNIFF.lastIndex = 0;
+    let match;
+    while ((match = ENV_SNIFF.exec(content)) !== null) {
+        const lineNum = content.slice(0, match.index).split("\n").length;
+        findings.push({
+            ruleId: "VG882",
+            severity: "medium",
+            trustState: "suspicious",
+            verdict: "risky",
+            confidence: "low",
+            source: "core",
+            file: filePath,
+            line: lineNum,
+            description: "Shell profile reads/outputs AI API environment variables — potential credential sniffing",
+            remediation: "Review why shell profile accesses AI API keys. Remove if not intentional.",
+        });
+    }
+    // Check for API key exports (hardcoded in profile)
+    API_KEY_EXPORT.lastIndex = 0;
+    while ((match = API_KEY_EXPORT.exec(content)) !== null) {
+        const lineNum = content.slice(0, match.index).split("\n").length;
+        findings.push({
+            ruleId: "VG882",
+            severity: "high",
+            trustState: "suspicious",
+            verdict: "risky",
+            confidence: "high",
+            source: "core",
+            file: filePath,
+            line: lineNum,
+            description: "API key exported in shell profile — key is visible in process environment and shell history",
+            remediation: "Move API keys to a secure secrets manager or .env file (not tracked by git). Remove from shell profile.",
+        });
+    }
+}
+function scanContentForBaseUrls(content, file, findings, trustedBaseUrls) {
+    BASE_URL_PATTERN.lastIndex = 0;
+    let match;
+    while ((match = BASE_URL_PATTERN.exec(content)) !== null) {
+        const url = match[1];
+        const lineNum = content.slice(0, match.index).split("\n").length;
+        // Check if trusted
+        if (trustedBaseUrls.has(url)) {
+            continue;
+        }
+        // Determine which provider
+        const envVar = match[0].split("=")[0].trim();
+        const isAnthropic = /ANTHROPIC/i.test(envVar);
+        const isOpenai = /OPENAI/i.test(envVar);
+        let hostname;
+        try {
+            hostname = new URL(url).hostname;
+        }
+        catch {
+            hostname = url;
+        }
+        const legitimateHosts = isAnthropic ? ANTHROPIC_HOSTS : isOpenai ? OPENAI_HOSTS : [];
+        const isLegitimate = legitimateHosts.some(h => hostname === h || hostname.endsWith(`.${h}`));
+        if (isLegitimate)
+            continue;
+        const isLocalhost = /^(?:localhost|127\.0\.0\.1|0\.0\.0\.0|::1)/.test(hostname);
+        findings.push({
+            ruleId: isAnthropic ? "VG882" : "VG883",
+            severity: isLocalhost ? "medium" : "high",
+            trustState: isLocalhost ? "unknown" : "suspicious",
+            verdict: isLocalhost ? "observed" : "risky",
+            confidence: isLocalhost ? "medium" : "medium",
+            source: "core",
+            file,
+            line: lineNum,
+            description: `${envVar} set to non-official domain (${hostname}) — API traffic redirection${isAnthropic ? " (CVE-2026-21852)" : ""}`,
+            remediation: `Remove the ${envVar} override, or add "${url}" to trustedBaseUrls in .guardviberc if it's a legitimate corporate proxy.`,
+            patchPreview: `# .guardviberc\n{ "doctor": { "trustedBaseUrls": ["${url}"] } }`,
+        });
+    }
+}