guardvibe 2.9.0 → 2.9.4

package/README.md

@@ -177,8 +177,8 @@ Dockerfile security, GitHub Actions CI/CD, Terraform (S3, IAM, RDS, security gro
 ### Secrets & Environment
 API keys (AWS, GitHub, Stripe, OpenAI, Resend, Turso), .env management, .gitignore coverage, high-entropy detection, NEXT_PUBLIC exposure
 
-### Compliance
-SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act (EUAIACT) control mapping with compliance reports
+### Compliance Control Mapping
+Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (EUAIACT) controls. Identifies which code-level vulnerabilities are relevant to specific compliance requirements. **Not a substitute for professional compliance audits.**
 
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
@@ -195,7 +195,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `scan_secrets` | Detect leaked secrets, API keys, tokens |
 | `check_dependencies` | Check individual packages against OSV |
 | `check_package_health` | Typosquat detection, maintenance status, adoption metrics |
-| `compliance_report` | SOC2 / PCI-DSS / HIPAA / GDPR / ISO27001 / EU AI Act compliance mapping |
+| `compliance_report` | Map security findings to compliance controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act) |
 | `export_sarif` | SARIF v2.1.0 export for CI/CD integration |
 | `get_security_docs` | Security best practices and guides |
 | `fix_code` | **Auto-fix suggestions** with concrete patches for AI agents |

package/build/index.js

@@ -43,7 +43,7 @@ import { fixCode as fixCodeTool } from "./tools/fix-code.js";
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
-    description: "Security MCP for vibe coding. 334 security rules and 31 tools covering OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, and host environment hardening. Scans code, dependencies, secrets, configs, and git history. Generates compliance reports (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act). Runs 100% locally with zero configuration.",
+    description: "Security MCP for vibe coding. 334 security rules and 31 tools covering OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, and host environment hardening. Scans code, dependencies, secrets, configs, and git history. Maps security findings to compliance controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act). Runs 100% locally with zero configuration. Note: GuardVibe is a security scanner, not a compliance auditor — it helps identify code-level issues relevant to compliance frameworks but does not replace professional compliance audits.",
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
@@ -235,7 +235,7 @@ server.tool("scan_staged", "Scan git-staged files for security vulnerabilities b
     return { content: [{ type: "text", text: results + summary }] };
 });
 // Tool 9: Generate compliance-focused security report
-server.tool("compliance_report", "Generate a compliance-focused security report mapped to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, or EUAIACT (EU AI Act) controls. Scans a directory and groups findings by compliance control. Includes exploit scenarios and audit evidence for each finding. Use mode=executive for a C-level summary.", {
+server.tool("compliance_report", "Map security scan findings to compliance framework controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EUAIACT). Scans a directory and groups code-level security issues by the compliance control they relate to. Includes exploit scenarios and remediation evidence for each finding. Use mode=executive for a risk summary. Note: this maps code vulnerabilities to controls — it does not perform a compliance audit or replace professional assessment.", {
     path: z.string().describe("Directory to scan"),
     framework: z.enum(["SOC2", "PCI-DSS", "HIPAA", "GDPR", "ISO27001", "EUAIACT", "all"]).describe("Compliance framework"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
@@ -590,7 +590,7 @@ server.tool("security_workflow", "Get the recommended GuardVibe security workflo
         "pr_review",
         "new_project",
         "fix_vulnerabilities",
-        "compliance_audit",
+        "compliance_mapping",
         "dependency_check",
     ]).describe("What you are currently doing"),
 }, async ({ task }) => {
@@ -642,11 +642,11 @@ server.tool("security_workflow", "Get the recommended GuardVibe security workflo
             ],
         },
         compliance_audit: {
-            task: "compliance_audit",
-            description: "Generate compliance reports for regulatory frameworks.",
+            task: "compliance_mapping",
+            description: "Map security findings to compliance framework controls. This identifies code-level issues relevant to specific controls — it does not replace professional compliance audits.",
             steps: [
-                { tool: "compliance_report", params: { path: ".", framework: "<SOC2|PCI-DSS|HIPAA|GDPR|ISO27001|EUAIACT>", format: "json" }, purpose: "Generate compliance-mapped findings report." },
-                { tool: "explain_remediation", params: { ruleId: "<id>" }, purpose: "Get audit evidence and fix strategies for each finding.", condition: "for each finding" },
+                { tool: "compliance_report", params: { path: ".", framework: "<SOC2|PCI-DSS|HIPAA|GDPR|ISO27001|EUAIACT>", format: "json" }, purpose: "Scan code and map findings to compliance controls." },
+                { tool: "explain_remediation", params: { ruleId: "<id>" }, purpose: "Get remediation guidance and fix strategies for each finding.", condition: "for each finding" },
             ],
         },
         dependency_check: {

package/build/tools/check-code.js

@@ -175,6 +175,37 @@ function hasRoleCheckPattern(code) {
         return true;
     return false;
 }
+/**
+ * Known legitimate npm packages with suspicious-looking prefixes.
+ * These are widely-used packages that trigger VG872/VG873 false positives.
+ */
+const LEGITIMATE_PREFIXED_PACKAGES = new Set([
+    "fast-glob", "fast-deep-equal", "fast-json-stable-stringify", "fast-json-stringify",
+    "fast-xml-parser", "fast-diff", "fast-levenshtein", "fast-redact", "fast-check",
+    "fast-uri", "fast-querystring", "fast-decode-uri-component", "fast-content-type-parse",
+    "safe-array-concat", "safe-stable-stringify", "safe-buffer", "safe-regex",
+    "safe-regex-test", "safe-push-apply",
+    "simple-git", "simple-update-notifier", "simple-swizzle", "simple-concat",
+    "native-promise-only", "native-url",
+    "pure-rand",
+    "clean-css", "clean-stack",
+    "modern-normalize", "modern-ahocorasick",
+    "enhanced-resolve",
+    "better-sqlite3", "better-opn",
+    "super-json",
+    "ultra-runner",
+    "core-js", "core-js-compat", "core-util-is", "core-js-pure",
+    "common-tags", "common-path-prefix",
+    "base-x", "base64-js",
+    "internal-slot", "internal-ip",
+    "shared-utils",
+    "original-url", "original-fs",
+    "secure-json-parse",
+    "native-run",
+]);
+function isLegitimatePackage(name) {
+    return LEGITIMATE_PREFIXED_PACKAGES.has(name);
+}
 /**
  * Calculate confidence level for a finding based on file context and match quality.
  */
@@ -214,6 +245,13 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
     // Pre-analyze: detect auth guards and role checks pattern-agnostically
     let codeHasAuthGuard = hasAuthGuardPattern(code);
     const codeHasRoleCheck = hasRoleCheckPattern(code);
+    // Pre-analyze: detect fix patterns to suppress false positives after remediation
+    const codeHasSanitization = /(?:DOMPurify\.sanitize|sanitize(?:Html|HTML)|xss\s*\(|purify\s*\(|escapeHtml|sanitizeHtml)\s*\(/i.test(code);
+    const codeHasUrlValidation = /(?:(?:validate|verify|check|safe|allowed)(?:Url|URL|Uri|URI)|(?:ALLOWED_(?:HOSTS|URLS|ORIGINS|DOMAINS))|(?:allowlist|whitelist|safelist)[\s\S]{0,50}?(?:includes|has|match))/i.test(code);
+    const codeHasUuidFilename = /(?:randomUUID|nanoid|uuidv4|v4\s*\(\)|crypto\.randomUUID)\s*\(/i.test(code);
+    const codeHasCronVerification = /(?:verify|validate|check)(?:Cron|Secret|Auth|Signature)\s*\(/i.test(code);
+    const isMigrationFile = filePath ? /(?:migrations?|supabase\/migrations|seeds?|fixtures)\//i.test(filePath) : false;
+    const isPeerDeps = /["']peerDependencies["']/i.test(code);
     // Config: check custom auth function names from .guardviberc
     if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
         const customPattern = new RegExp(`(?:${config.authFunctions.join("|")})\\s*\\(`, "i");
@@ -264,9 +302,25 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // Skip npm package rules (VG863/VG864/VG865): only apply to package.json files
         if ((rule.id === "VG863" || rule.id === "VG864" || rule.id === "VG865") && filePath && !filePath.endsWith("package.json"))
             continue;
-        // Skip destructive DDL rules (VG540-VG542) in migration directories
-        if (rule.id.startsWith("VG54") && filePath && /(?:migrations?|seeds?|fixtures)\//i.test(filePath))
+        // Skip destructive DDL rules (VG540-VG542) and view rules (VG439) in migration directories
+        if ((rule.id.startsWith("VG54") || rule.id === "VG439") && isMigrationFile)
+            continue;
+        // Skip innerHTML/XSS rules when DOMPurify or sanitization is present
+        if (codeHasSanitization && ["VG408", "VG012", "VG042"].includes(rule.id))
+            continue;
+        // Skip SSRF rules when URL validation/allowlist pattern is present
+        if (codeHasUrlValidation && ["VG120"].includes(rule.id))
+            continue;
+        // Skip filename rules when UUID-based filename generation is present
+        if (codeHasUuidFilename && rule.id === "VG993")
             continue;
+        // Skip cron secret rules when custom verification function is present
+        if (codeHasCronVerification && ["VG968", "VG503"].includes(rule.id))
+            continue;
+        // Skip CVE version rules in peerDependencies (ranges, not actual versions)
+        if (isPeerDeps && rule.id === "VG903")
+            continue;
+        // VG872/VG873 legitimate package filtering is handled at match level below
         // Skip server-only import rule (VG964) for files that are inherently server-only:
         // Route Handlers (app/api/), middleware, instrumentation, next.config,
         // lib/, utils/, tools/, server/, scripts/, CLI files, config files
@@ -324,6 +378,20 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (isHumanReadableString(lines, lineNumber))
                     continue;
             }
+            // Skip supply chain rules for known legitimate packages
+            if (["VG872", "VG873"].includes(rule.id)) {
+                const pkgMatch = /"([\w@/-]+)"/.exec(match[0]);
+                if (pkgMatch && isLegitimatePackage(pkgMatch[1]))
+                    continue;
+            }
+            // Skip VG903 React version in peerDependencies sections
+            if (rule.id === "VG903") {
+                const beforeText = code.substring(0, match.index);
+                const lastPeer = beforeText.lastIndexOf("peerDependencies");
+                const lastDeps = Math.max(beforeText.lastIndexOf('"dependencies"'), beforeText.lastIndexOf('"devDependencies"'));
+                if (lastPeer > lastDeps)
+                    continue;
+            }
             findings.push({
                 rule: effectiveRule,
                 match: match[0].substring(0, 80),

package/build/tools/check-project.js

@@ -130,37 +130,25 @@ export function checkProject(files, format = "markdown", rules) {
             });
         }
         lines.push(`---`, ``);
-        // Per-file details
+        // Per-file details (truncated to prevent MCP output overflow)
+        const MAX_DETAIL_FINDINGS = 30;
+        let detailCount = 0;
         for (const r of results) {
+            if (detailCount >= MAX_DETAIL_FINDINGS) {
+                const remaining = totalIssues - detailCount;
+                lines.push(``, `> **${remaining} more findings omitted.** Use \`check_code\` or \`scan_file\` on individual files for full details.`, ``);
+                break;
+            }
             const fileIssueCount = r.findings.length;
             lines.push(`## File: ${r.path} (${fileIssueCount} issues)`, ``);
-            // Group findings by rule.id to match check-code formatting
-            const grouped = new Map();
             for (const finding of r.findings) {
-                const existing = grouped.get(finding.rule.id);
-                if (existing) {
-                    existing.push(finding);
-                }
-                else {
-                    grouped.set(finding.rule.id, [finding]);
-                }
-            }
-            const sortedGroups = Array.from(grouped.entries()).sort(([, aFindings], [, bFindings]) => {
-                return (severityOrder[aFindings[0].rule.severity] ?? 99) - (severityOrder[bFindings[0].rule.severity] ?? 99);
-            });
-            for (const [, groupFindings] of sortedGroups) {
-                const first = groupFindings[0];
-                const icon = first.rule.severity.toUpperCase();
-                if (groupFindings.length > 2) {
-                    const lineList = groupFindings.map((f) => `~${f.line}`).join(", ");
-                    lines.push(`## [${icon}] ${first.rule.name} (${first.rule.id})`, ``, `**OWASP:** ${first.rule.owasp}`, `**Occurrences:** ${groupFindings.length} (lines: ${lineList})`, `**Example match:** \`${first.match}\``, ``, first.rule.description, ``, `**Fix:** ${first.rule.fix}`, ...(first.rule.fixCode ? [``, `**Secure code:**`, `\`\`\``, first.rule.fixCode, `\`\`\``] : []), ``, `---`, ``);
-                }
-                else {
-                    for (const finding of groupFindings) {
-                        lines.push(`## [${icon}] ${finding.rule.name} (${finding.rule.id})`, ``, `**OWASP:** ${finding.rule.owasp}`, `**Line:** ~${finding.line}`, `**Match:** \`${finding.match}\``, ``, finding.rule.description, ``, `**Fix:** ${finding.rule.fix}`, ...(finding.rule.fixCode ? [``, `**Secure code:**`, `\`\`\``, finding.rule.fixCode, `\`\`\``] : []), ``, `---`, ``);
-                    }
-                }
+                if (detailCount >= MAX_DETAIL_FINDINGS)
+                    break;
+                const icon = finding.rule.severity.toUpperCase();
+                lines.push(`### [${icon}] ${finding.rule.name} (${finding.rule.id})`, `**Line:** ~${finding.line} | **Match:** \`${finding.match}\``, `**Fix:** ${finding.rule.fix}`, ``);
+                detailCount++;
             }
+            lines.push(`---`, ``);
         }
     }
     else {

package/build/tools/compliance-report.js

@@ -77,16 +77,18 @@ export function complianceReport(path, framework, format = "markdown", rules, mo
     }
     // --- FULL MODE ---
     const lines = [
-        `# GuardVibe Compliance Report`,
+        `# GuardVibe Compliance Control Mapping`,
+        ``,
+        `> This report maps code-level security findings to ${framework} controls. It identifies vulnerabilities relevant to compliance requirements but is not a substitute for professional compliance audits.`,
         ``,
         `Framework: ${framework}`,
         `Directory: ${scanRoot}`,
         `Files scanned: ${filePaths.length}`,
-        `Compliance issues: ${relevant.length}`,
+        `Security issues mapped to controls: ${relevant.length}`,
         ``,
     ];
     if (controlMap.size === 0) {
-        lines.push(`## No Compliance Issues`, ``, `No issues mapped to ${framework} controls were found.`);
+        lines.push(`## No Issues Found`, ``, `No code-level security issues mapped to ${framework} controls were found. This does not constitute a compliance certification.`);
         return lines.join("\n");
     }
     // Sort controls
@@ -97,17 +99,20 @@ export function complianceReport(path, framework, format = "markdown", rules, mo
     }
     lines.push(``);
     lines.push(`---`, ``);
+    const MAX_COMPLIANCE_FINDINGS = 50;
+    let complianceCount = 0;
     for (const [control, items] of sortedControls) {
+        if (complianceCount >= MAX_COMPLIANCE_FINDINGS) {
+            lines.push(``, `> **Additional findings omitted.** Use \`scan_file\` on individual files for full details.`, ``);
+            break;
+        }
         lines.push(`## ${control}`, ``);
         for (const item of items) {
+            if (complianceCount >= MAX_COMPLIANCE_FINDINGS)
+                break;
             const f = item.finding;
             lines.push(`- **[${f.rule.severity.toUpperCase()}]** ${f.rule.name} (${f.rule.id}) in \`${f.filePath}\`:${f.line}`);
-            if (f.rule.exploit) {
-                lines.push(`  - **Exploit scenario:** ${f.rule.exploit}`);
-            }
-            if (f.rule.audit) {
-                lines.push(`  - **Audit evidence:** ${f.rule.audit}`);
-            }
+            complianceCount++;
         }
         lines.push(``);
     }
@@ -120,7 +125,9 @@ function formatExecutiveSummary(framework, scanRoot, filesScanned, relevant, con
     const total = critical + high + medium;
     const riskLevel = critical > 0 ? "HIGH" : high > 0 ? "MEDIUM" : total > 0 ? "LOW" : "MINIMAL";
     const lines = [
-        `# Executive Security Summary`,
+        `# Security Findings — ${framework} Control Mapping`,
+        ``,
+        `> Maps code-level security findings to ${framework} controls. Not a compliance audit or certification.`,
         ``,
         `**Framework:** ${framework} | **Date:** ${new Date().toISOString().split("T")[0]}`,
         `**Directory:** ${scanRoot}`,
@@ -167,7 +174,7 @@ function formatExecutiveSummary(framework, scanRoot, filesScanned, relevant, con
         }
     }
     // Compliance coverage
-    lines.push(`## Compliance Coverage`, ``, `| Control | Status | Issues |`, `|---------|--------|--------|`);
+    lines.push(`## Controls with Findings`, ``, `| Control | Status | Issues |`, `|---------|--------|--------|`);
     const sortedControls = [...controlMap.entries()].sort((a, b) => a[0].localeCompare(b[0]));
     for (const [control, items] of sortedControls) {
         const hasCritical = items.some(i => i.finding.rule.severity === "critical");

package/build/tools/scan-directory.js

@@ -127,8 +127,17 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
             // baseline file unreadable, skip comparison
         }
     }
+    // MCP output size limit — large projects can produce 300K+ characters which
+    // exceeds Claude Code's max allowed tokens for tool results.
+    const MAX_JSON_FINDINGS = 50;
+    const MAX_MD_FINDINGS = 30;
     if (format === "json") {
         const findingsWithFiles = scanResults.flatMap(r => r.findings.map(f => ({ ...f, rule: f.rule, file: r.path })));
+        // Sort by severity: critical first, then high, then medium
+        const severityRank = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+        findingsWithFiles.sort((a, b) => (severityRank[a.rule.severity] ?? 4) - (severityRank[b.rule.severity] ?? 4));
+        const truncated = findingsWithFiles.length > MAX_JSON_FINDINGS;
+        const limitedFindings = findingsWithFiles.slice(0, MAX_JSON_FINDINGS);
         const baseJson = {
             summary: {
                 total: allFindings.length,
@@ -136,12 +145,13 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
                 low: allFindings.filter(f => f.rule.severity === "low").length,
                 blocked: totalCritical > 0 || totalHigh > 0,
                 grade, score,
+                ...(truncated ? { truncated: true, showing: MAX_JSON_FINDINGS, message: `Showing top ${MAX_JSON_FINDINGS} of ${allFindings.length} findings (sorted by severity). Use scan_file on individual files for full details.` } : {}),
             },
             metadata,
-            findings: findingsWithFiles.map(f => ({
+            findings: limitedFindings.map(f => ({
                 id: f.rule.id, name: f.rule.name, severity: f.rule.severity,
                 owasp: f.rule.owasp, line: f.line, match: f.match, file: f.file,
-                fix: f.rule.fix, fixCode: f.rule.fixCode, compliance: f.rule.compliance,
+                fix: f.rule.fix,
             })),
             baseline: findingsToBaseline(scanResults),
         };
@@ -224,11 +234,20 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
             lines.push(`${i + 1}. **[${item.rule.severity.toUpperCase()}] ${item.rule.name}** (${item.rule.id}) — ${item.count} ${item.count === 1 ? "occurrence" : "occurrences"} in ${fileLabel}`, `   ${item.rule.fix}`, ``);
         });
         lines.push(`---`, ``);
+        let findingsPrinted = 0;
         for (const result of scanResults) {
+            if (findingsPrinted >= MAX_MD_FINDINGS) {
+                const remaining = allFindings.length - findingsPrinted;
+                lines.push(``, `> **${remaining} more findings omitted.** Use \`scan_file\` on individual files for full details.`, ``);
+                break;
+            }
             lines.push(`## File: ${result.path} (${result.findings.length} issues)`, ``);
             for (const f of result.findings) {
+                if (findingsPrinted >= MAX_MD_FINDINGS)
+                    break;
                 const icon = f.rule.severity.toUpperCase();
-                lines.push(`### [${icon}] ${f.rule.name} (${f.rule.id})`, `**Line:** ~${f.line} | **Match:** \`${f.match}\``, `${f.rule.description}`, `**Fix:** ${f.rule.fix}`, ...(f.rule.fixCode ? [``, `**Secure code:**`, `\`\`\``, f.rule.fixCode, `\`\`\``] : []), ``);
+                lines.push(`### [${icon}] ${f.rule.name} (${f.rule.id})`, `**Line:** ~${f.line} | **Match:** \`${f.match}\``, `**Fix:** ${f.rule.fix}`, ``);
+                findingsPrinted++;
             }
             lines.push(`---`, ``);
         }
@@ -237,9 +256,35 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
         lines.push(`## No Issues Found`, ``, `All files passed security checks.`);
     }
     if (skippedFiles.length > 0) {
-        lines.push(``, `**Skipped files:**`);
-        for (const s of skippedFiles)
-            lines.push(`- ${s}`);
+        lines.push(``, `**Skipped files:** ${skippedFiles.length}`);
+    }
+    // ── Priority Summary Table (always at the end, visible in terminal) ──
+    if (totalIssues > 0) {
+        const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+        const ruleStats = new Map();
+        for (const r of scanResults) {
+            for (const f of r.findings) {
+                const existing = ruleStats.get(f.rule.id);
+                if (existing) {
+                    existing.files.add(r.path);
+                    existing.count++;
+                }
+                else
+                    ruleStats.set(f.rule.id, { rule: f.rule, files: new Set([r.path]), count: 1 });
+            }
+        }
+        const sorted = Array.from(ruleStats.values())
+            .sort((a, b) => (severityOrder[a.rule.severity] ?? 99) - (severityOrder[b.rule.severity] ?? 99))
+            .slice(0, 10);
+        lines.push(``, `---`, `## Priority Summary`, ``, `| # | Severity | Rule | Issue | Files | Count |`, `|---|----------|------|-------|-------|-------|`);
+        sorted.forEach((item, i) => {
+            const sev = item.rule.severity.toUpperCase();
+            lines.push(`| ${i + 1} | ${sev} | ${item.rule.id} | ${item.rule.name} | ${item.files.size} | ${item.count} |`);
+        });
+        if (ruleStats.size > 10) {
+            lines.push(``, `*+ ${ruleStats.size - 10} more rule types not shown*`);
+        }
+        lines.push(``);
     }
     lines.push(securityBanner({ total: totalIssues, critical: totalCritical, high: totalHigh, medium: totalMedium, score, grade, filesScanned: metadata.filesScanned }));
     return lines.join("\n");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.9.0",
+  "version": "2.9.4",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",