guardvibe 2.9.5 → 2.9.7

package/build/index.js

@@ -133,10 +133,14 @@ server.tool("check_dependencies", "Check npm, PyPI, or Go packages for known sec
         return val;
     }, z.array(packageSchema)).describe("List of packages to check: [{name, version, ecosystem}]"),
 }, async ({ packages }) => {
-    const results = await checkDependencies(packages);
-    return {
-        content: [{ type: "text", text: results }],
-    };
+    try {
+        const results = await checkDependencies(packages);
+        return { content: [{ type: "text", text: results }] };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { content: [{ type: "text", text: `⚠️ Dependency check failed: ${msg}\n\nThis may be a network issue reaching the OSV database. Try again or check your internet connection.` }] };
+    }
 });
 // Tool 5: Scan directory for security vulnerabilities (filesystem-native)
 server.tool("scan_directory", "Scan an entire project directory for security vulnerabilities. Reads files directly from the filesystem — no need to pass file contents. Returns a security score (A-F) and detailed findings. Includes scan metadata (ID, timestamp, duration, file hashes) for audit trails. Use baseline to compare with a previous scan.", {
@@ -170,7 +174,7 @@ server.tool("scan_directory", "Scan an entire project directory for security vul
     return { content: [{ type: "text", text: results + summary }] };
 });
 // Tool 6: Scan manifest/lockfile for dependency vulnerabilities
-server.tool("scan_dependencies", "Parse a lockfile or manifest (package.json, package-lock.json, requirements.txt, go.mod) and check all dependencies for known CVEs via the OSV database. Reads the file directly.", {
+server.tool("scan_dependencies", "Parse a lockfile or manifest (package.json, package-lock.json, requirements.txt, go.mod) and check all dependencies for known CVEs via the OSV database. Reads the file directly. Use this after installing dependencies, during CI, or when auditing existing projects for vulnerable packages.", {
     manifest_path: z.string().describe("Path to manifest file (e.g. 'package.json', 'requirements.txt', 'go.mod')"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ manifest_path, format }) => {
@@ -258,8 +262,14 @@ server.tool("check_package_health", "Check npm packages for typosquat risk, main
     packages: z.array(z.string()).describe("List of package names to check (e.g. ['lodash', 'expres', 'react-qeury'])"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ packages, format }) => {
-    const results = await checkPackageHealth(packages, format);
-    return { content: [{ type: "text", text: results }] };
+    try {
+        const results = await checkPackageHealth(packages, format);
+        return { content: [{ type: "text", text: results }] };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { content: [{ type: "text", text: `⚠️ Package health check failed: ${msg}\n\nThis may be a network issue reaching the npm registry. Try again or check your internet connection.` }] };
+    }
 });
 // Tool 12: Auto-fix security vulnerabilities
 server.tool("fix_code", "Analyze code for security vulnerabilities and return fix suggestions with concrete patches. The AI agent can apply these patches to automatically fix issues. Returns structured fix data including before/after code, severity, and line numbers.", {
@@ -325,7 +335,7 @@ server.tool("scan_secrets_history", "Scan git history for leaked secrets. Finds
     return { content: [{ type: "text", text: results }] };
 });
 // Tool 17: Compliance Policy Check
-server.tool("policy_check", "Check project against compliance policies defined in .guardviberc. Validates custom framework requirements, severity thresholds, required controls, and risk exceptions. Returns pass/fail status with detailed findings per control.", {
+server.tool("policy_check", "Check project against compliance policies defined in .guardviberc. Use this in CI/CD pipelines to enforce security gates, or before releases to verify compliance requirements are met. Validates custom framework requirements, severity thresholds, required controls, and risk exceptions. Returns pass/fail status with detailed findings per control.", {
     path: z.string().describe("Project root directory"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
 }, async ({ path, format }) => {

package/build/tools/check-code.js

@@ -173,6 +173,13 @@ function hasRoleCheckPattern(code) {
     // Destructured role check: const { role } = ...; if (role !== "admin")
     if (/\brole\b[\s\S]{0,100}?(?:!==|===)\s*["']/i.test(code))
         return true;
+    // Import + call of admin/role guard function (requireAdmin, requireRole, checkAdmin, etc.)
+    if (/import\s+.*(?:requireAdmin|requireRole|checkAdmin|isAdmin|verifyAdmin|assertAdmin)\b/i.test(code) &&
+        /(?:requireAdmin|requireRole|checkAdmin|isAdmin|verifyAdmin|assertAdmin)\s*\(/i.test(code))
+        return true;
+    // await requireAdmin() with error check pattern (naming-agnostic admin guard)
+    if (/await\s+(?:\w+\.)*\w*(?:Admin|admin)\w*\s*\([^)]*\)\s*;?\s*\n\s*if\s*\(/i.test(code))
+        return true;
     return false;
 }
 /**
@@ -202,6 +209,9 @@ const LEGITIMATE_PREFIXED_PACKAGES = new Set([
     "original-url", "original-fs",
     "secure-json-parse",
     "native-run",
+    "fast-sha256", "fast-text-encoding",
+    "svix",
+    "cheerio",
 ]);
 function isLegitimatePackage(name) {
     return LEGITIMATE_PREFIXED_PACKAGES.has(name);
@@ -258,6 +268,10 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
     const codeHasRedirectValidation = /(?:sanitize|validate|verify|check|safe|allowed)(?:Redirect|RedirectUrl|CallbackUrl)\s*\(/i.test(code) ||
         /import\s+.*(?:sanitizeRedirect|validateRedirect|safeRedirect)/i.test(code);
     const isMigrationFile = filePath ? /(?:migrations?|supabase\/migrations|seeds?|fixtures)\//i.test(filePath) : false;
+    const isSqlSchemaFile = filePath ? /(?:schema|migration|seed|ddl|init).*\.sql$/i.test(filePath) : false;
+    const isReactNative = /(?:react-native|from\s+['"]react-native['"]|from\s+['"]expo|import\s+.*\bexpo\b)/i.test(code);
+    const codeHasTimingSafeEqual = /(?:timingSafeEqual|timing.?safe|constant.?time)/i.test(code);
+    const codeHasFilenameSanitization = /(?:\.replace\s*\(\s*\/\[?\^?[a-z0-9\\-_\]]*\]?\/?[gi]*\s*,|sanitize(?:File|Name|Path)|safeName|cleanName)/i.test(code);
     const isPeerDeps = /["']peerDependencies["']/i.test(code);
     // Config: check custom auth function names from .guardviberc
     if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
@@ -291,6 +305,10 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // Skip auth rules when code has any auth guard pattern (naming-agnostic)
         if (codeHasAuthGuard && authRuleIds.has(rule.id))
             continue;
+        // Skip auth rules for intentionally public endpoints
+        // /api/public/*, health checks, config endpoints, recache/warmup
+        if (authRuleIds.has(rule.id) && filePath && /(?:\/api\/public\/|\/health|\/config|\/recache|\/warmup|\/ping|\/status)/i.test(filePath))
+            continue;
         // Skip admin role rules when code has any role/permission check
         if (codeHasRoleCheck && adminRoleRuleIds.has(rule.id))
             continue;
@@ -312,33 +330,131 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // Skip destructive DDL rules (VG540-VG542) and view rules (VG439) in migration directories
         if ((rule.id.startsWith("VG54") || rule.id === "VG439") && isMigrationFile)
             continue;
+        // Skip SQL injection rules in schema/migration .sql files (DDL, not user input)
+        if (rule.id === "VG543" && (isMigrationFile || isSqlSchemaFile))
+            continue;
+        // Skip web-only rules in React Native/mobile context
+        // VG427 (getSession) is correct in mobile; VG678/VG977/VG978 are HTTP-only concerns
+        if (isReactNative && ["VG427", "VG678", "VG977", "VG978", "VG964"].includes(rule.id))
+            continue;
         // Skip innerHTML/XSS rules when DOMPurify or sanitization is present
-        if (codeHasSanitization && ["VG408", "VG012", "VG042"].includes(rule.id))
+        if (codeHasSanitization && ["VG408", "VG012", "VG042", "VG852"].includes(rule.id))
             continue;
+        // Skip innerHTML rules for static content patterns (JSON-LD structured data, theme scripts)
+        // These use hardcoded app-defined data, not user input
+        if (["VG408", "VG012", "VG042", "VG852"].includes(rule.id)) {
+            const hasStaticContent = /(?:JSON\.stringify|themeScript|structuredData|jsonLd|schema|gtag|analytics)/i.test(code);
+            const hasUserContent = /(?:userInput|userData|postContent|messageBody|commentHtml)/i.test(code);
+            if (hasStaticContent && !hasUserContent)
+                continue;
+        }
         // Skip SSRF rules when URL validation/allowlist pattern is present
-        if (codeHasUrlValidation && ["VG120"].includes(rule.id))
+        if (codeHasUrlValidation && rule.id === "VG120")
+            continue;
+        // Skip SSRF for fetch() calls that only use relative URLs or known-safe patterns
+        // (internal API calls like /api/..., Supabase signed URLs)
+        if (rule.id === "VG120") {
+            const fetchCalls = code.match(/fetch\s*\(\s*(?:["'`]|url|signedUrl)/gi) || [];
+            const hasUserUrl = /fetch\s*\(\s*(?:(?:req|request|params|query|body|input|data)\s*[\[.]|new\s+URL\s*\(\s*(?:req|request))/i.test(code);
+            const onlyInternalFetches = !hasUserUrl &&
+                !/fetch\s*\(\s*["'`]https?:\/\//i.test(code) ||
+                /fetch\s*\(\s*(?:["'`]\/api\/|signedUrl|presignedUrl|uploadUrl)/i.test(code);
+            if (fetchCalls.length > 0 && onlyInternalFetches)
+                continue;
+        }
+        // Skip filename rules when UUID-based filename generation OR filename sanitization is present
+        if ((codeHasUuidFilename || codeHasFilenameSanitization) && rule.id === "VG993")
             continue;
-        // Skip filename rules when UUID-based filename generation is present
-        if (codeHasUuidFilename && rule.id === "VG993")
+        // Skip timing-unsafe comparison rule when timingSafeEqual is already used in the file
+        if (codeHasTimingSafeEqual && rule.id === "VG106")
             continue;
+        // Downgrade VG106 for non-secret variable names (TokenCount, tokenLength, etc.)
+        // These contain "token" but aren't actual secret comparisons
+        if (rule.id === "VG106") {
+            // Will be checked at match level below
+        }
         // Skip cron secret rules when custom verification function is present
         if (codeHasCronVerification && ["VG968", "VG503"].includes(rule.id))
             continue;
         // Skip open redirect rules when redirect URL validation is present
         if (codeHasRedirectValidation && ["VG425", "VG409", "VG660"].includes(rule.id))
             continue;
-        // Skip VG131 (state-changing GET) when only read operations are present
-        if (rule.id === "VG131") {
-            // If code only has read operations (findMany, findFirst, count, aggregate, select)
-            // and no actual mutations, skip this rule
-            const hasMutation = /(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.destroy\s*\(|\.remove\s*\(|\.insert\s*\(|DELETE\s+FROM|UPDATE\s+\w|INSERT\s+INTO)/i.test(code);
-            const onlyInComments = !hasMutation;
-            if (onlyInComments)
+        // Skip VG105 JWT alg:none when code uses HMAC/custom token verification (not JWT library)
+        if (rule.id === "VG105") {
+            const usesJwtLib = /(?:jsonwebtoken|jose|jwt\.verify|jwt\.sign|jwt\.decode)\b/i.test(code);
+            const usesHmac = /(?:createHmac|hmac|crypto\.subtle\.sign|crypto\.sign)/i.test(code);
+            const importsCustomTokenLib = /import\s+.*(?:verifyToken|validateToken|checkToken|decodeToken)\b.*from\s+["'].*(?:token|auth|hmac)/i.test(code);
+            if (!usesJwtLib && (usesHmac || importsCustomTokenLib))
                 continue;
         }
+        // Skip VG989 (X-Forwarded-For rate limit bypass) when project uses Next.js/Vercel
+        // Vercel sets X-Forwarded-For from its edge network — it's trustworthy in that context
+        if (rule.id === "VG989" && filePath && /(?:\/app\/|\/pages\/|next)/i.test(filePath))
+            continue;
+        // Skip VG678 (Missing X-Content-Type-Options) when not actually serving files:
+        // - Client components can't set HTTP response headers
+        // - Supabase getPublicUrl/getSignedUrl just generate URL strings
+        // - Email sending (Resend, nodemailer) doesn't serve files
+        // - React Native components are not HTTP endpoints
+        if (rule.id === "VG678") {
+            const isClientComponent = /^['"]use client['"]/.test(code.trimStart()) ||
+                (filePath && /Client\.\w+$/.test(filePath));
+            if (isClientComponent)
+                continue;
+            if (isReactNative)
+                continue;
+            const isEmailFile = /(?:resend|nodemailer|sendEmail|sendMail|email\.send)/i.test(code);
+            if (isEmailFile)
+                continue;
+            const hasOnlyUrlGeneration = /(?:getPublicUrl|getSignedUrl)\s*\(/i.test(code) &&
+                !/(?:createReadStream|sendFile|res\.download|\.pipe\s*\()/i.test(code);
+            if (hasOnlyUrlGeneration)
+                continue;
+        }
+        // Skip VG131 (state-changing GET) when the GET function body has no mutations.
+        // Must check per-GET-function, not the whole file — files with GET+POST would false-positive.
+        if (rule.id === "VG131") {
+            const getMatch = /export\s+(?:async\s+)?function\s+GET\s*\([^)]*\)\s*\{/.exec(code);
+            if (getMatch) {
+                const getStart = getMatch.index + getMatch[0].length;
+                let depth = 1, pos = getStart;
+                while (depth > 0 && pos < code.length) {
+                    if (code[pos] === "{")
+                        depth++;
+                    else if (code[pos] === "}")
+                        depth--;
+                    pos++;
+                }
+                const getBody = code.substring(getStart, pos);
+                const hasMutationInGet = /(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.destroy\s*\(|\.remove\s*\(|\.insert\s*\(|\.upsert\s*\(|DELETE\s+FROM|UPDATE\s+\w|INSERT\s+INTO)/i.test(getBody);
+                if (!hasMutationInGet)
+                    continue;
+            }
+        }
         // Skip CVE version rules in peerDependencies (ranges, not actual versions)
         if (isPeerDeps && rule.id === "VG903")
             continue;
+        // Skip VG140 (XXE) when file doesn't actually parse XML — just has XML-related imports
+        if (rule.id === "VG140") {
+            const hasXmlParsing = /(?:parseString|parseXml|xml2js|DOMParser|XMLParser)\s*\(/i.test(code);
+            if (!hasXmlParsing)
+                continue;
+        }
+        // Skip VG020 (wildcard dependency version) in lock files — engine constraints
+        // like "node": ">=6" are not dependency versions
+        if (rule.id === "VG020" && filePath && /(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml|npm-shrinkwrap\.json)$/.test(filePath))
+            continue;
+        // Skip VG430 (Supabase anon key on server) when file properly separates client/server
+        // Pattern: file exports both a client (anon key) and server (service_role) function
+        if (rule.id === "VG430") {
+            const hasServiceRole = /(?:SUPABASE_SERVICE_ROLE|service_role|serviceRole)/i.test(code);
+            const hasClientServer = /(?:createClient|createServerClient|createBrowserClient)/i.test(code) && hasServiceRole;
+            if (hasClientServer)
+                continue;
+        }
+        // Skip VG448 (Supabase RPC bypass RLS) when using service_role key (server-side)
+        if (rule.id === "VG448" && /(?:SUPABASE_SERVICE_ROLE|service_role|createServerSupabaseClient|createServerClient)/i.test(code))
+            continue;
         // VG872/VG873 legitimate package filtering is handled at match level below
         // Skip server-only import rule (VG964) for files that are inherently server-only:
         // Route Handlers (app/api/), middleware, instrumentation, next.config,
@@ -403,6 +519,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (pkgMatch && isLegitimatePackage(pkgMatch[1]))
                     continue;
             }
+            // Skip VG106 for non-secret variable names (TokenCount, tokenBalance, hashMap, etc.)
+            if (rule.id === "VG106") {
+                const varName = match[0].split(/\s*(?:===|!==|==|!=)/)[0].trim();
+                if (/(?:Count|Length|Balance|Map|List|Array|Index|Size|Total|Num|Id|Type|Name|Status|Data|Info|Error|Result|Response|Config|Option|Url|Path|Provider|Model|Limit|Quota|Rate|Max|Min)/i.test(varName))
+                    continue;
+            }
             // Skip VG903 React version in peerDependencies sections
             if (rule.id === "VG903") {
                 const beforeText = code.substring(0, match.index);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.9.5",
+  "version": "2.9.7",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",