guardvibe 2.8.0 → 2.9.1

package/README.md

@@ -6,7 +6,7 @@
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 [![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
 
-**The security MCP built for vibe coding.** 334 security rules, 29 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 334 security rules, 31 tools covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -14,7 +14,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **334 security rules, 29 tools** purpose-built for the stacks AI agents generate
+- **334 security rules, 31 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -177,13 +177,13 @@ Dockerfile security, GitHub Actions CI/CD, Terraform (S3, IAM, RDS, security gro
 ### Secrets & Environment
 API keys (AWS, GitHub, Stripe, OpenAI, Resend, Turso), .env management, .gitignore coverage, high-entropy detection, NEXT_PUBLIC exposure
 
-### Compliance
-SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act (EUAIACT) control mapping with compliance reports
+### Compliance Control Mapping
+Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (EUAIACT) controls. Identifies which code-level vulnerabilities are relevant to specific compliance requirements. **Not a substitute for professional compliance audits.**
 
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (29 MCP tools)
+## Tools (31 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -195,7 +195,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `scan_secrets` | Detect leaked secrets, API keys, tokens |
 | `check_dependencies` | Check individual packages against OSV |
 | `check_package_health` | Typosquat detection, maintenance status, adoption metrics |
-| `compliance_report` | SOC2 / PCI-DSS / HIPAA / GDPR / ISO27001 / EU AI Act compliance mapping |
+| `compliance_report` | Map security findings to compliance controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act) |
 | `export_sarif` | SARIF v2.1.0 export for CI/CD integration |
 | `get_security_docs` | Security best practices and guides |
 | `fix_code` | **Auto-fix suggestions** with concrete patches for AI agents |
@@ -216,6 +216,8 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `guardvibe_doctor` | **Host security audit** — CVE-2025-59536, CVE-2026-21852, MCP config, env scanner |
 | `audit_mcp_config` | Audit MCP server configurations for hook injection, file:// abuse, sensitive paths |
 | `scan_host_config` | Scan shell profiles, .env files for base URL hijack and credential sniffing |
+| `verify_fix` | Verify a security fix was applied correctly — returns fixed/still_vulnerable/new_issues |
+| `security_workflow` | Get recommended tool workflow for your current task (writing, pre-commit, PR review, etc.) |
 
 All scanning tools support `format: "json"` for machine-readable output.
 

package/build/index.js

@@ -38,10 +38,12 @@ import { auditMcpConfig } from "./tools/audit-mcp-config.js";
 import { scanHostConfig } from "./tools/scan-host-config.js";
 import { doctor } from "./tools/doctor.js";
 import { formatHostFindings, redactSecrets } from "./server/types.js";
+import { verifyFix } from "./tools/verify-fix.js";
+import { fixCode as fixCodeTool } from "./tools/fix-code.js";
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
-    description: "Security MCP for vibe coding. 334 security rules and 29 tools covering OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, and host environment hardening. Scans code, dependencies, secrets, configs, and git history. Generates compliance reports (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act). Runs 100% locally with zero configuration.",
+    description: "Security MCP for vibe coding. 334 security rules and 31 tools covering OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, and host environment hardening. Scans code, dependencies, secrets, configs, and git history. Maps security findings to compliance controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act). Runs 100% locally with zero configuration. Note: GuardVibe is a security scanner, not a compliance auditor — it helps identify code-level issues relevant to compliance frameworks but does not replace professional compliance audits.",
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
@@ -233,7 +235,7 @@ server.tool("scan_staged", "Scan git-staged files for security vulnerabilities b
     return { content: [{ type: "text", text: results + summary }] };
 });
 // Tool 9: Generate compliance-focused security report
-server.tool("compliance_report", "Generate a compliance-focused security report mapped to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, or EUAIACT (EU AI Act) controls. Scans a directory and groups findings by compliance control. Includes exploit scenarios and audit evidence for each finding. Use mode=executive for a C-level summary.", {
+server.tool("compliance_report", "Map security scan findings to compliance framework controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EUAIACT). Scans a directory and groups code-level security issues by the compliance control they relate to. Includes exploit scenarios and remediation evidence for each finding. Use mode=executive for a risk summary. Note: this maps code vulnerabilities to controls — it does not perform a compliance audit or replace professional assessment.", {
     path: z.string().describe("Directory to scan"),
     framework: z.enum(["SOC2", "PCI-DSS", "HIPAA", "GDPR", "ISO27001", "EUAIACT", "all"]).describe("Compliance framework"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
@@ -432,6 +434,20 @@ server.tool("scan_file", "Scan a single file from disk for security vulnerabilit
     const cwd = dirname(resolved);
     recordScan(cwd, { toolName: "scan_file", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
     const summary = getSummaryLine(cwd, findings.length, format);
+    // Append suggested fixes in JSON mode for agent auto-apply
+    if (format === "json" && findings.length > 0) {
+        const fixResult = fixCodeTool(content, language, undefined, resolved, "json", rules);
+        const fixes = JSON.parse(fixResult);
+        const parsed = JSON.parse(result);
+        parsed.suggested_fixes = (fixes.fixes || []).map((f) => ({
+            ruleId: f.ruleId,
+            line: f.line,
+            edit: f.edit,
+            confidence: f.confidence,
+            effort: f.effort,
+        })).filter((f) => f.edit);
+        return { content: [{ type: "text", text: JSON.stringify(parsed) + summary }] };
+    }
     return { content: [{ type: "text", text: result + summary }] };
 });
 // Tool 24: Scan changed files only — for incremental CI/CD and PR workflows
@@ -555,6 +571,95 @@ server.tool("guardvibe_doctor", "Comprehensive AI host security audit. Scans MCP
     const result = doctor(projectPath, scope, format);
     return { content: [{ type: "text", text: result }] };
 });
+// Tool 29: Verify a specific fix was applied correctly
+server.tool("verify_fix", "Verify that a specific security fix was applied correctly. Re-scans the updated code and checks if the target vulnerability (by rule ID) is resolved. Returns 'fixed', 'still_vulnerable', or 'new_issues' status with details.", {
+    code: z.string().describe("Updated code after applying the fix"),
+    language: z.string().describe("Programming language"),
+    ruleId: z.string().describe("Rule ID to verify (e.g. VG402)"),
+    filePath: z.string().optional().describe("File path for context-aware analysis"),
+}, async ({ code, language, ruleId, filePath }) => {
+    const rules = getRules();
+    const result = verifyFix(code, language, ruleId, filePath, rules);
+    return { content: [{ type: "text", text: JSON.stringify(result) }] };
+});
+// Tool 30: Security workflow guide for AI agents
+server.tool("security_workflow", "Get the recommended GuardVibe security workflow for your current task. Returns which tools to call, in what order, and with what parameters. Use this when you're unsure which GuardVibe tool to use.", {
+    task: z.enum([
+        "writing_code",
+        "pre_commit",
+        "pr_review",
+        "new_project",
+        "fix_vulnerabilities",
+        "compliance_mapping",
+        "dependency_check",
+    ]).describe("What you are currently doing"),
+}, async ({ task }) => {
+    const workflows = {
+        writing_code: {
+            task: "writing_code",
+            description: "Scan code after each significant edit to catch vulnerabilities early.",
+            steps: [
+                { tool: "scan_file", params: { file_path: "<edited_file>", format: "json" }, purpose: "Scan the file you just edited. Returns findings + suggested_fixes with structured edits." },
+                { tool: "verify_fix", params: { code: "<updated_code>", language: "<lang>", ruleId: "<id>" }, purpose: "After applying a fix, verify it resolved the issue.", condition: "if suggested_fixes returned" },
+            ],
+        },
+        pre_commit: {
+            task: "pre_commit",
+            description: "Security gate before committing code.",
+            steps: [
+                { tool: "scan_staged", params: { format: "json" }, purpose: "Scan all staged files for vulnerabilities." },
+                { tool: "fix_code", params: { code: "<vulnerable_code>", language: "<lang>", format: "json" }, purpose: "Get structured fix suggestions with edit instructions.", condition: "if critical/high findings" },
+                { tool: "verify_fix", params: { code: "<fixed_code>", language: "<lang>", ruleId: "<id>" }, purpose: "Verify each fix was applied correctly.", condition: "after applying fixes" },
+                { tool: "scan_staged", params: { format: "json" }, purpose: "Final verification — confirm all issues resolved.", condition: "after all fixes applied" },
+            ],
+        },
+        pr_review: {
+            task: "pr_review",
+            description: "Review a pull request for security issues.",
+            steps: [
+                { tool: "scan_changed_files", params: { path: ".", format: "json" }, purpose: "Scan only git-changed files." },
+                { tool: "review_pr", params: { path: ".", format: "json" }, purpose: "Review PR diff with severity gating." },
+                { tool: "explain_remediation", params: { ruleId: "<id>" }, purpose: "Get detailed fix guidance for critical findings.", condition: "for each critical/high finding" },
+            ],
+        },
+        new_project: {
+            task: "new_project",
+            description: "Set up security for a new project.",
+            steps: [
+                { tool: "scan_directory", params: { path: ".", format: "json" }, purpose: "Full project scan to establish baseline." },
+                { tool: "generate_policy", params: { path: "." }, purpose: "Auto-detect stack and generate security policies (CSP, CORS, RLS)." },
+                { tool: "audit_config", params: { path: "." }, purpose: "Audit config files for security misconfigurations." },
+                { tool: "guardvibe_doctor", params: { scope: "project" }, purpose: "Audit AI host security (hooks, MCP configs, env)." },
+            ],
+        },
+        fix_vulnerabilities: {
+            task: "fix_vulnerabilities",
+            description: "Fix known vulnerabilities in existing code.",
+            steps: [
+                { tool: "fix_code", params: { code: "<code>", language: "<lang>", format: "json" }, purpose: "Get structured fix suggestions with edit instructions and confidence scores." },
+                { tool: "verify_fix", params: { code: "<fixed_code>", language: "<lang>", ruleId: "<id>" }, purpose: "Verify each fix resolved the target vulnerability.", condition: "after applying each fix" },
+                { tool: "scan_file", params: { file_path: "<file>", format: "json" }, purpose: "Final scan to confirm file is clean.", condition: "after all fixes" },
+            ],
+        },
+        compliance_audit: {
+            task: "compliance_mapping",
+            description: "Map security findings to compliance framework controls. This identifies code-level issues relevant to specific controls — it does not replace professional compliance audits.",
+            steps: [
+                { tool: "compliance_report", params: { path: ".", framework: "<SOC2|PCI-DSS|HIPAA|GDPR|ISO27001|EUAIACT>", format: "json" }, purpose: "Scan code and map findings to compliance controls." },
+                { tool: "explain_remediation", params: { ruleId: "<id>" }, purpose: "Get remediation guidance and fix strategies for each finding.", condition: "for each finding" },
+            ],
+        },
+        dependency_check: {
+            task: "dependency_check",
+            description: "Check dependencies for vulnerabilities and supply chain risks.",
+            steps: [
+                { tool: "scan_dependencies", params: { manifest_path: "package.json" }, purpose: "Check all dependencies against OSV database." },
+                { tool: "check_package_health", params: { name: "<pkg>" }, purpose: "Check individual packages for typosquatting and maintenance status.", condition: "for suspicious packages" },
+            ],
+        },
+    };
+    return { content: [{ type: "text", text: JSON.stringify(workflows[task]) }] };
+});
 export async function startMcpServer() {
     return main();
 }

package/build/tools/check-code.d.ts

@@ -3,6 +3,7 @@ export interface Finding {
     rule: SecurityRule;
     match: string;
     line: number;
+    confidence: "high" | "medium" | "low";
 }
 export declare function analyzeCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, rules?: SecurityRule[]): Finding[];
 export declare function formatFindingsJson(findings: Finding[], extra?: Record<string, unknown>): string;

package/build/tools/check-code.js

@@ -175,6 +175,32 @@ function hasRoleCheckPattern(code) {
         return true;
     return false;
 }
+/**
+ * Calculate confidence level for a finding based on file context and match quality.
+ */
+function calculateConfidence(rule, matchText, lineNumber, lines, filePath) {
+    // Test/fixture/example files → low confidence
+    if (filePath && /(?:\/tests?\/|__tests__|\.test\.|\.spec\.|\/fixtures?\/|\/examples?\/|\/mocks?\/)/.test(filePath)) {
+        return "low";
+    }
+    // CVE version rules in package.json → always high
+    if (rule.id.startsWith("VG9") && filePath?.endsWith("package.json")) {
+        return "high";
+    }
+    // Secret detection with known prefixes → high
+    if (["VG001", "VG062"].includes(rule.id)) {
+        if (/(?:sk-live-|sk_live_|ghp_|gho_|github_pat_|AKIA[0-9A-Z]{16}|xoxb-|xoxp-|whsec_|rk_live_)/.test(matchText)) {
+            return "high";
+        }
+        return "medium";
+    }
+    // Match is on a comment-only line → low
+    const line = lines[lineNumber - 1] || "";
+    if (/^\s*(?:\/\/|#|\*|\/\*)/.test(line)) {
+        return "low";
+    }
+    return "medium";
+}
 export function analyzeCode(code, language, framework, filePath, configDir, rules) {
     // Skip files that are security rule definitions (they intentionally contain
     // vulnerable code patterns as regex matchers and fixCode examples)
@@ -302,6 +328,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 rule: effectiveRule,
                 match: match[0].substring(0, 80),
                 line: lineNumber,
+                confidence: calculateConfidence(effectiveRule, match[0], lineNumber, lines, filePath),
             });
         }
     }

package/build/tools/compliance-report.js

@@ -77,16 +77,18 @@ export function complianceReport(path, framework, format = "markdown", rules, mo
     }
     // --- FULL MODE ---
     const lines = [
-        `# GuardVibe Compliance Report`,
+        `# GuardVibe Compliance Control Mapping`,
+        ``,
+        `> This report maps code-level security findings to ${framework} controls. It identifies vulnerabilities relevant to compliance requirements but is not a substitute for professional compliance audits.`,
         ``,
         `Framework: ${framework}`,
         `Directory: ${scanRoot}`,
         `Files scanned: ${filePaths.length}`,
-        `Compliance issues: ${relevant.length}`,
+        `Security issues mapped to controls: ${relevant.length}`,
         ``,
     ];
     if (controlMap.size === 0) {
-        lines.push(`## No Compliance Issues`, ``, `No issues mapped to ${framework} controls were found.`);
+        lines.push(`## No Issues Found`, ``, `No code-level security issues mapped to ${framework} controls were found. This does not constitute a compliance certification.`);
         return lines.join("\n");
     }
     // Sort controls
@@ -120,7 +122,9 @@ function formatExecutiveSummary(framework, scanRoot, filesScanned, relevant, con
     const total = critical + high + medium;
     const riskLevel = critical > 0 ? "HIGH" : high > 0 ? "MEDIUM" : total > 0 ? "LOW" : "MINIMAL";
     const lines = [
-        `# Executive Security Summary`,
+        `# Security Findings — ${framework} Control Mapping`,
+        ``,
+        `> Maps code-level security findings to ${framework} controls. Not a compliance audit or certification.`,
         ``,
         `**Framework:** ${framework} | **Date:** ${new Date().toISOString().split("T")[0]}`,
         `**Directory:** ${scanRoot}`,
@@ -167,7 +171,7 @@ function formatExecutiveSummary(framework, scanRoot, filesScanned, relevant, con
         }
     }
     // Compliance coverage
-    lines.push(`## Compliance Coverage`, ``, `| Control | Status | Issues |`, `|---------|--------|--------|`);
+    lines.push(`## Controls with Findings`, ``, `| Control | Status | Issues |`, `|---------|--------|--------|`);
     const sortedControls = [...controlMap.entries()].sort((a, b) => a[0].localeCompare(b[0]));
     for (const [control, items] of sortedControls) {
         const hasCritical = items.some(i => i.finding.rule.severity === "critical");

package/build/tools/fix-code.d.ts

@@ -1,4 +1,11 @@
 import { type SecurityRule } from "../data/rules/index.js";
+export interface StructuredEdit {
+    startLine: number;
+    endLine: number;
+    oldText: string;
+    newText: string;
+    imports?: string[];
+}
 export interface FixSuggestion {
     ruleId: string;
     ruleName: string;
@@ -9,6 +16,9 @@ export interface FixSuggestion {
     fix: string;
     fixCode?: string;
     patch?: string;
+    edit?: StructuredEdit;
+    confidence: "high" | "medium" | "low";
+    effort: 1 | 2 | 3;
 }
 /**
  * Analyze code and return structured fix suggestions that an AI agent can apply.

package/build/tools/fix-code.js

@@ -34,6 +34,8 @@ function generateFixSuggestions(findings, code) {
         seen.add(key);
         const sourceLine = lines[finding.line - 1] || "";
         const patch = generatePatch(finding, sourceLine);
+        const edit = generateStructuredEdit(finding, sourceLine, lines);
+        const effort = estimateEffort(finding.rule.id);
         suggestions.push({
             ruleId: finding.rule.id,
             ruleName: finding.rule.name,
@@ -44,6 +46,9 @@ function generateFixSuggestions(findings, code) {
             fix: finding.rule.fix,
             fixCode: finding.rule.fixCode,
             patch,
+            edit,
+            confidence: finding.confidence,
+            effort,
         });
     }
     // Sort by severity (critical first)
@@ -206,6 +211,96 @@ function generatePatch(finding, sourceLine) {
     }
     return undefined;
 }
+/**
+ * Generate a structured edit that an AI agent can apply directly.
+ */
+function generateStructuredEdit(finding, sourceLine, _lines) {
+    const { rule, line } = finding;
+    const trimmed = sourceLine.trim();
+    if (!trimmed)
+        return undefined;
+    // --- Hardcoded credentials → env var ---
+    if (["VG001", "VG062", "VG060", "VG506", "VG514", "VG517", "VG603",
+        "VG621", "VG626", "VG651", "VG665", "VG677"].includes(rule.id)) {
+        const m = /(\w+)\s*[:=]\s*['"][^'"]+['"]/.exec(sourceLine);
+        if (m) {
+            const envName = m[1].replace(/([a-z])([A-Z])/g, "$1_$2").toUpperCase();
+            return {
+                startLine: line, endLine: line,
+                oldText: sourceLine,
+                newText: sourceLine.replace(/['"][^'"]+['"]/, `process.env.${envName}`),
+            };
+        }
+    }
+    // --- NEXT_PUBLIC_ exposure → remove prefix ---
+    if (["VG411", "VG604", "VG627", "VG631", "VG655", "VG671", "VG676", "VG755"].includes(rule.id)) {
+        const m = /(NEXT_PUBLIC_)(\w+)/.exec(sourceLine);
+        if (m) {
+            return {
+                startLine: line, endLine: line,
+                oldText: sourceLine, newText: sourceLine.replace(`NEXT_PUBLIC_${m[2]}`, m[2]),
+            };
+        }
+    }
+    // --- innerHTML → textContent ---
+    if (["VG012", "VG042", "VG408"].includes(rule.id) && sourceLine.includes("innerHTML")) {
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine, newText: sourceLine.replace("innerHTML", "textContent"),
+        };
+    }
+    // --- CORS wildcard → env var ---
+    if (["VG040", "VG403", "VG500", "VG510"].includes(rule.id) && /['"]\*['"]/.test(sourceLine)) {
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine, newText: sourceLine.replace(/['"]\*['"]/, "process.env.ALLOWED_ORIGIN"),
+        };
+    }
+    // --- dangerouslyAllowBrowser: true → remove ---
+    if (rule.id === "VG998" && /dangerouslyAllowBrowser\s*:\s*true/.test(sourceLine)) {
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine, newText: sourceLine.replace(/,?\s*dangerouslyAllowBrowser\s*:\s*true\s*,?/, ""),
+        };
+    }
+    // --- Source maps → disable ---
+    if (["VG512", "VG662"].includes(rule.id) && /true/.test(sourceLine)) {
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine, newText: sourceLine.replace(/true/, "false"),
+        };
+    }
+    // --- Missing auth → add auth check before the line ---
+    if (["VG002", "VG402", "VG420", "VG952"].includes(rule.id)) {
+        const indent = sourceLine.match(/^(\s*)/)?.[1] || "  ";
+        return {
+            startLine: line, endLine: line,
+            oldText: sourceLine,
+            newText: `${indent}const { userId } = await auth();\n${indent}if (!userId) return new Response("Unauthorized", { status: 401 });\n${sourceLine}`,
+            imports: ['import { auth } from "@clerk/nextjs/server"'],
+        };
+    }
+    return undefined;
+}
+/**
+ * Estimate fix effort: 1 = single line, 2 = few lines, 3 = structural change
+ */
+function estimateEffort(ruleId) {
+    const effort1 = new Set([
+        "VG001", "VG062", "VG060", "VG012", "VG042", "VG040", "VG411",
+        "VG506", "VG507", "VG512", "VG514", "VG517", "VG656", "VG662",
+        "VG874", "VG875", "VG978", "VG998",
+    ]);
+    if (effort1.has(ruleId))
+        return 1;
+    const effort3 = new Set([
+        "VG402", "VG404", "VG405", "VG407", "VG432", "VG440", "VG441",
+        "VG859", "VG953", "VG964",
+    ]);
+    if (effort3.has(ruleId))
+        return 3;
+    return 2;
+}
 function formatFixMarkdown(suggestions) {
     const lines = [
         "# GuardVibe Auto-Fix Suggestions",

package/build/tools/verify-fix.d.ts

@@ -0,0 +1,17 @@
+import type { SecurityRule } from "../data/rules/types.js";
+export interface VerifyResult {
+    ruleId: string;
+    status: "fixed" | "still_vulnerable" | "new_issues";
+    details: string;
+    remainingFindings: Array<{
+        id: string;
+        name: string;
+        severity: string;
+        line: number;
+    }>;
+}
+/**
+ * Verify that a specific security fix was applied correctly.
+ * Re-scans the code and checks if the target rule is resolved.
+ */
+export declare function verifyFix(code: string, language: string, ruleId: string, filePath?: string, rules?: SecurityRule[]): VerifyResult;

package/build/tools/verify-fix.js

@@ -0,0 +1,42 @@
+import { analyzeCode } from "./check-code.js";
+/**
+ * Verify that a specific security fix was applied correctly.
+ * Re-scans the code and checks if the target rule is resolved.
+ */
+export function verifyFix(code, language, ruleId, filePath, rules) {
+    const findings = analyzeCode(code, language, undefined, filePath, undefined, rules);
+    const targetStillPresent = findings.filter(f => f.rule.id === ruleId);
+    const otherFindings = findings.filter(f => f.rule.id !== ruleId);
+    if (targetStillPresent.length > 0) {
+        return {
+            ruleId,
+            status: "still_vulnerable",
+            details: `${ruleId} still detected on line(s) ${targetStillPresent.map(f => f.line).join(", ")}. Fix was not applied correctly.`,
+            remainingFindings: targetStillPresent.map(f => ({
+                id: f.rule.id,
+                name: f.rule.name,
+                severity: f.rule.severity,
+                line: f.line,
+            })),
+        };
+    }
+    if (otherFindings.length > 0) {
+        return {
+            ruleId,
+            status: "new_issues",
+            details: `${ruleId} resolved, but ${otherFindings.length} other issue(s) found. Review before proceeding.`,
+            remainingFindings: otherFindings.map(f => ({
+                id: f.rule.id,
+                name: f.rule.name,
+                severity: f.rule.severity,
+                line: f.line,
+            })),
+        };
+    }
+    return {
+        ruleId,
+        status: "fixed",
+        details: `${ruleId} resolved. No remaining security issues.`,
+        remainingFindings: [],
+    };
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "2.8.0",
+  "version": "2.9.1",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security MCP for vibe coding. 334 rules, 29 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
+  "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",