guardvibe 2.8.0 → 2.9.0

package/README.md

@@ -6,7 +6,7 @@
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 [![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
 
-**The security MCP built for vibe coding.** 334 security rules, 29 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 334 security rules, 31 tools covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -14,7 +14,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **334 security rules, 29 tools** purpose-built for the stacks AI agents generate
+- **334 security rules, 31 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -183,7 +183,7 @@ SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act (EUAIACT) control mapping with c
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (29 MCP tools)
+## Tools (31 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -216,6 +216,8 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `guardvibe_doctor` | **Host security audit** — CVE-2025-59536, CVE-2026-21852, MCP config, env scanner |
 | `audit_mcp_config` | Audit MCP server configurations for hook injection, file:// abuse, sensitive paths |
 | `scan_host_config` | Scan shell profiles, .env files for base URL hijack and credential sniffing |
+| `verify_fix` | Verify a security fix was applied correctly — returns fixed/still_vulnerable/new_issues |
+| `security_workflow` | Get recommended tool workflow for your current task (writing, pre-commit, PR review, etc.) |
 
 All scanning tools support `format: "json"` for machine-readable output.
 

package/build/index.js

@@ -38,10 +38,12 @@ import { auditMcpConfig } from "./tools/audit-mcp-config.js";
 import { scanHostConfig } from "./tools/scan-host-config.js";
 import { doctor } from "./tools/doctor.js";
 import { formatHostFindings, redactSecrets } from "./server/types.js";
+import { verifyFix } from "./tools/verify-fix.js";
+import { fixCode as fixCodeTool } from "./tools/fix-code.js";
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
-    description: "Security MCP for vibe coding. 334 security rules and 29 tools covering OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, and host environment hardening. Scans code, dependencies, secrets, configs, and git history. Generates compliance reports (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act). Runs 100% locally with zero configuration.",
+    description: "Security MCP for vibe coding. 334 security rules and 31 tools covering OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, and host environment hardening. Scans code, dependencies, secrets, configs, and git history. Generates compliance reports (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act). Runs 100% locally with zero configuration.",
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
@@ -432,6 +434,20 @@ server.tool("scan_file", "Scan a single file from disk for security vulnerabilit
     const cwd = dirname(resolved);
     recordScan(cwd, { toolName: "scan_file", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
     const summary = getSummaryLine(cwd, findings.length, format);
+    // Append suggested fixes in JSON mode for agent auto-apply
+    if (format === "json" && findings.length > 0) {
+        const fixResult = fixCodeTool(content, language, undefined, resolved, "json", rules);
+        const fixes = JSON.parse(fixResult);
+        const parsed = JSON.parse(result);
+        parsed.suggested_fixes = (fixes.fixes || []).map((f) => ({
+            ruleId: f.ruleId,
+            line: f.line,
+            edit: f.edit,
+            confidence: f.confidence,
+            effort: f.effort,
+        })).filter((f) => f.edit);
+        return { content: [{ type: "text", text: JSON.stringify(parsed) + summary }] };
+    }
     return { content: [{ type: "text", text: result + summary }] };
 });
 // Tool 24: Scan changed files only — for incremental CI/CD and PR workflows
@@ -555,6 +571,95 @@ server.tool("guardvibe_doctor", "Comprehensive AI host security audit. Scans MCP
     const result = doctor(projectPath, scope, format);
     return { content: [{ type: "text", text: result }] };
 });
+// Tool 29: Verify a specific fix was applied correctly
+server.tool("verify_fix", "Verify that a specific security fix was applied correctly. Re-scans the updated code and checks if the target vulnerability (by rule ID) is resolved. Returns 'fixed', 'still_vulnerable', or 'new_issues' status with details.", {
+    code: z.string().describe("Updated code after applying the fix"),
+    language: z.string().describe("Programming language"),
+    ruleId: z.string().describe("Rule ID to verify (e.g. VG402)"),
+    filePath: z.string().optional().describe("File path for context-aware analysis"),
+}, async ({ code, language, ruleId, filePath }) => {
+    const rules = getRules();
+    const result = verifyFix(code, language, ruleId, filePath, rules);
+    return { content: [{ type: "text", text: JSON.stringify(result) }] };
+});
+// Tool 30: Security workflow guide for AI agents
+server.tool("security_workflow", "Get the recommended GuardVibe security workflow for your current task. Returns which tools to call, in what order, and with what parameters. Use this when you're unsure which GuardVibe tool to use.", {
+    task: z.enum([
+        "writing_code",
+        "pre_commit",
+        "pr_review",
+        "new_project",
+        "fix_vulnerabilities",
+        "compliance_audit",
+        "dependency_check",
+    ]).describe("What you are currently doing"),
+}, async ({ task }) => {
+    const workflows = {
+        writing_code: {
+            task: "writing_code",
+            description: "Scan code after each significant edit to catch vulnerabilities early.",
+            steps: [
+                { tool: "scan_file", params: { file_path: "<edited_file>", format: "json" }, purpose: "Scan the file you just edited. Returns findings + suggested_fixes with structured edits." },
+                { tool: "verify_fix", params: { code: "<updated_code>", language: "<lang>", ruleId: "<id>" }, purpose: "After applying a fix, verify it resolved the issue.", condition: "if suggested_fixes returned" },
+            ],
+        },
+        pre_commit: {
+            task: "pre_commit",
+            description: "Security gate before committing code.",
+            steps: [
+                { tool: "scan_staged", params: { format: "json" }, purpose: "Scan all staged files for vulnerabilities." },
+                { tool: "fix_code", params: { code: "<vulnerable_code>", language: "<lang>", format: "json" }, purpose: "Get structured fix suggestions with edit instructions.", condition: "if critical/high findings" },
+                { tool: "verify_fix", params: { code: "<fixed_code>", language: "<lang>", ruleId: "<id>" }, purpose: "Verify each fix was applied correctly.", condition: "after applying fixes" },
+                { tool: "scan_staged", params: { format: "json" }, purpose: "Final verification — confirm all issues resolved.", condition: "after all fixes applied" },
+            ],
+        },
+        pr_review: {
+            task: "pr_review",
+            description: "Review a pull request for security issues.",
+            steps: [
+                { tool: "scan_changed_files", params: { path: ".", format: "json" }, purpose: "Scan only git-changed files." },
+                { tool: "review_pr", params: { path: ".", format: "json" }, purpose: "Review PR diff with severity gating." },
+                { tool: "explain_remediation", params: { ruleId: "<id>" }, purpose: "Get detailed fix guidance for critical findings.", condition: "for each critical/high finding" },
+            ],
+        },
+        new_project: {
+            task: "new_project",
+            description: "Set up security for a new project.",
+            steps: [
+                { tool: "scan_directory", params: { path: ".", format: "json" }, purpose: "Full project scan to establish baseline." },
+                { tool: "generate_policy", params: { path: "." }, purpose: "Auto-detect stack and generate security policies (CSP, CORS, RLS)." },
+                { tool: "audit_config", params: { path: "." }, purpose: "Audit config files for security misconfigurations." },
+                { tool: "guardvibe_doctor", params: { scope: "project" }, purpose: "Audit AI host security (hooks, MCP configs, env)." },
+            ],
+        },
+        fix_vulnerabilities: {
+            task: "fix_vulnerabilities",
+            description: "Fix known vulnerabilities in existing code.",
+            steps: [
+                { tool: "fix_code", params: { code: "<code>", language: "<lang>", format: "json" }, purpose: "Get structured fix suggestions with edit instructions and confidence scores." },
+                { tool: "verify_fix", params: { code: "<fixed_code>", language: "<lang>", ruleId: "<id>" }, purpose: "Verify each fix resolved the target vulnerability.", condition: "after applying each fix" },
+                { tool: "scan_file", params: { file_path: "<file>", format: "json" }, purpose: "Final scan to confirm file is clean.", condition: "after all fixes" },
+            ],
+        },
+        compliance_audit: {
+            task: "compliance_audit",
+            description: "Generate compliance reports for regulatory frameworks.",
+            steps: [
+                { tool: "compliance_report", params: { path: ".", framework: "<SOC2|PCI-DSS|HIPAA|GDPR|ISO27001|EUAIACT>", format: "json" }, purpose: "Generate compliance-mapped findings report." },
+                { tool: "explain_remediation", params: { ruleId: "<id>" }, purpose: "Get audit evidence and fix strategies for each finding.", condition: "for each finding" },
+            ],
+        },
+        dependency_check: {
+            task: "dependency_check",
+            description: "Check dependencies for vulnerabilities and supply chain risks.",
+            steps: [
+                { tool: "scan_dependencies", params: { manifest_path: "package.json" }, purpose: "Check all dependencies against OSV database." },
+                { tool: "check_package_health", params: { name: "<pkg>" }, purpose: "Check individual packages for typosquatting and maintenance status.", condition: "for suspicious packages" },
+            ],
+        },
+    };
+    return { content: [{ type: "text", text: JSON.stringify(workflows[task]) }] };
+});
 export async function startMcpServer() {
     return main();
 }

package/build/tools/check-code.d.ts

@@ -3,6 +3,7 @@ export interface Finding {
     rule: SecurityRule;
     match: string;
     line: number;
+    confidence: "high" | "medium" | "low";
 }
 export declare function analyzeCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, rules?: SecurityRule[]): Finding[];
 export declare function formatFindingsJson(findings: Finding[], extra?: Record<string, unknown>): string;

package/build/tools/check-code.js

@@ -175,6 +175,32 @@ function hasRoleCheckPattern(code) {
         return true;
     return false;
 }
+/**
+ * Calculate confidence level for a finding based on file context and match quality.
+ */
+function calculateConfidence(rule, matchText, lineNumber, lines, filePath) {
+    // Test/fixture/example files → low confidence
+    if (filePath && /(?:\/tests?\/|__tests__|\.test\.|\.spec\.|\/fixtures?\/|\/examples?\/|\/mocks?\/)/.test(filePath)) {
+        return "low";
+    }
+    // CVE version rules in package.json → always high
+    if (rule.id.startsWith("VG9") && filePath?.endsWith("package.json")) {
+        return "high";
+    }
+    // Secret detection with known prefixes → high
+    if (["VG001", "VG062"].includes(rule.id)) {
+        if (/(?:sk-live-|sk_live_|ghp_|gho_|github_pat_|AKIA[0-9A-Z]{16}|xoxb-|xoxp-|whsec_|rk_live_)/.test(matchText)) {
+            return "high";
+        }
+        return "medium";
+    }
+    // Match is on a comment-only line → low
+    const line = lines[lineNumber - 1] || "";
+    if (/^\s*(?:\/\/|#|\*|\/\*)/.test(line)) {
+        return "low";
+    }
+    return "medium";
+}
 export function analyzeCode(code, language, framework, filePath, configDir, rules) {
     // Skip files that are security rule definitions (they intentionally contain
     // vulnerable code patterns as regex matchers and fixCode examples)
@@ -302,6 +328,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 rule: effectiveRule,
                 match: match[0].substring(0, 80),
                 line: lineNumber,
+                confidence: calculateConfidence(effectiveRule, match[0], lineNumber, lines, filePath),
             });
         }
     }

package/build/tools/fix-code.d.ts

@@ -1,4 +1,11 @@
 import { type SecurityRule } from "../data/rules/index.js";
+export interface StructuredEdit {
+    startLine: number;
+    endLine: number;
+    oldText: string;
+    newText: string;
+    imports?: string[];
+}
 export interface FixSuggestion {
     ruleId: string;
     ruleName: string;
@@ -9,6 +16,9 @@ export interface FixSuggestion {
     fix: string;
     fixCode?: string;
     patch?: string;
+    edit?: StructuredEdit;
+    confidence: "high" | "medium" | "low";
+    effort: 1 | 2 | 3;
 }
 /**
  * Analyze code and return structured fix suggestions that an AI agent can apply.

package/build/tools/fix-code.js

@@ -34,6 +34,8 @@ function generateFixSuggestions(findings, code) {
         seen.add(key);
         const sourceLine = lines[finding.line - 1] || "";
         const patch = generatePatch(finding, sourceLine);
+        const edit = generateStructuredEdit(finding, sourceLine, lines);
+        const effort = estimateEffort(finding.rule.id);
         suggestions.push({
             ruleId: finding.rule.id,
             ruleName: finding.rule.name,
@@ -44,6 +46,9 @@ function generateFixSuggestions(findings, code) {
             fix: finding.rule.fix,
             fixCode: finding.rule.fixCode,
             patch,
+            edit,
+            confidence: finding.confidence,
+            effort,
         });
     }
     // Sort by severity (critical first)
@@ -206,6 +211,96 @@ function generatePatch(finding, sourceLine) {
     }
     return undefined;
 }
+/**
+ * Generate a structured edit that an AI agent can apply directly.
+ */
+function generateStructuredEdit(finding, sourceLine, _lines) {
+    const { rule, line } = finding;
+    const trimmed = sourceLine.trim();
+    if (!trimmed)
+        return undefined;
+    // --- Hardcoded credentials → env var ---
+    if (["VG001", "VG062", "VG060", "VG506", "VG514", "VG517", "VG603",
+        "VG621", "VG626", "VG651", "VG665", "VG677"].includes(rule.id)) {
+        const m = /(\w+)\s*[:=]\s*['"][^'"]+['"]/.exec(sourceLine);
+        if (m) {
+            const envName = m[1].replace(/([a-z])([A-Z])/g, "$1_$2").toUpperCase();
+            return {
+                startLine: line, endLine: line,
+                oldText: sourceLine,
+                newText: sourceLine.replace(/['"][^'"]+['"]/, `process.env.${envName}`),
+            };
+        }
+    }
+    // --- NEXT_PUBLIC_ exposure → remove prefix ---
+    if (["VG411", "VG604", "VG627", "VG631", "VG655", "VG671", "VG676", "VG755"].includes(rule.id)) {
+        const m = /(NEXT_PUBLIC_)(\w+)/.exec(sourceLine);
+        if (m) {
+            return {
+                startLine: line, endLine: line,
+                oldText: sourceLine, newText: sourceLine.replace(`NEXT_PUBLIC_${m[2]}`, m[2]),
+            };
+        }
+    }
+    // --- innerHTML → textContent ---
+    if (["VG012", "VG042", "VG408"].includes(rule.id) && sourceLine.includes("innerHTML")) {
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine, newText: sourceLine.replace("innerHTML", "textContent"),
+        };
+    }
+    // --- CORS wildcard → env var ---
+    if (["VG040", "VG403", "VG500", "VG510"].includes(rule.id) && /['"]\*['"]/.test(sourceLine)) {
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine, newText: sourceLine.replace(/['"]\*['"]/, "process.env.ALLOWED_ORIGIN"),
+        };
+    }
+    // --- dangerouslyAllowBrowser: true → remove ---
+    if (rule.id === "VG998" && /dangerouslyAllowBrowser\s*:\s*true/.test(sourceLine)) {
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine, newText: sourceLine.replace(/,?\s*dangerouslyAllowBrowser\s*:\s*true\s*,?/, ""),
+        };
+    }
+    // --- Source maps → disable ---
+    if (["VG512", "VG662"].includes(rule.id) && /true/.test(sourceLine)) {
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine, newText: sourceLine.replace(/true/, "false"),
+        };
+    }
+    // --- Missing auth → add auth check before the line ---
+    if (["VG002", "VG402", "VG420", "VG952"].includes(rule.id)) {
+        const indent = sourceLine.match(/^(\s*)/)?.[1] || "  ";
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine,
+            newText: `${indent}const { userId } = await auth();\n${indent}if (!userId) return new Response("Unauthorized", { status: 401 });\n${sourceLine}`,
+            imports: ['import { auth } from "@clerk/nextjs/server"'],
+        };
+    }
+    return undefined;
+}
+/**
+ * Estimate fix effort: 1 = single line, 2 = few lines, 3 = structural change
+ */
+function estimateEffort(ruleId) {
+    const effort1 = new Set([
+        "VG001", "VG062", "VG060", "VG012", "VG042", "VG040", "VG411",
+        "VG506", "VG507", "VG512", "VG514", "VG517", "VG656", "VG662",
+        "VG874", "VG875", "VG978", "VG998",
+    ]);
+    if (effort1.has(ruleId))
+        return 1;
+    const effort3 = new Set([
+        "VG402", "VG404", "VG405", "VG407", "VG432", "VG440", "VG441",
+        "VG859", "VG953", "VG964",
+    ]);
+    if (effort3.has(ruleId))
+        return 3;
+    return 2;
+}
 function formatFixMarkdown(suggestions) {
     const lines = [
         "# GuardVibe Auto-Fix Suggestions",

package/build/tools/verify-fix.d.ts

@@ -0,0 +1,17 @@
+import type { SecurityRule } from "../data/rules/types.js";
+export interface VerifyResult {
+    ruleId: string;
+    status: "fixed" | "still_vulnerable" | "new_issues";
+    details: string;
+    remainingFindings: Array<{
+        id: string;
+        name: string;
+        severity: string;
+        line: number;
+    }>;
+}
+/**
+ * Verify that a specific security fix was applied correctly.
+ * Re-scans the code and checks if the target rule is resolved.
+ */
+export declare function verifyFix(code: string, language: string, ruleId: string, filePath?: string, rules?: SecurityRule[]): VerifyResult;

package/build/tools/verify-fix.js

@@ -0,0 +1,42 @@
+import { analyzeCode } from "./check-code.js";
+/**
+ * Verify that a specific security fix was applied correctly.
+ * Re-scans the code and checks if the target rule is resolved.
+ */
+export function verifyFix(code, language, ruleId, filePath, rules) {
+    const findings = analyzeCode(code, language, undefined, filePath, undefined, rules);
+    const targetStillPresent = findings.filter(f => f.rule.id === ruleId);
+    const otherFindings = findings.filter(f => f.rule.id !== ruleId);
+    if (targetStillPresent.length > 0) {
+        return {
+            ruleId,
+            status: "still_vulnerable",
+            details: `${ruleId} still detected on line(s) ${targetStillPresent.map(f => f.line).join(", ")}. Fix was not applied correctly.`,
+            remainingFindings: targetStillPresent.map(f => ({
+                id: f.rule.id,
+                name: f.rule.name,
+                severity: f.rule.severity,
+                line: f.line,
+            })),
+        };
+    }
+    if (otherFindings.length > 0) {
+        return {
+            ruleId,
+            status: "new_issues",
+            details: `${ruleId} resolved, but ${otherFindings.length} other issue(s) found. Review before proceeding.`,
+            remainingFindings: otherFindings.map(f => ({
+                id: f.rule.id,
+                name: f.rule.name,
+                severity: f.rule.severity,
+                line: f.line,
+            })),
+        };
+    }
+    return {
+        ruleId,
+        status: "fixed",
+        details: `${ruleId} resolved. No remaining security issues.`,
+        remainingFindings: [],
+    };
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "2.8.0",
+  "version": "2.9.0",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security MCP for vibe coding. 334 rules, 29 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
+  "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",