guardvibe 3.0.0 → 3.0.1

package/README.md

@@ -6,7 +6,7 @@
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 [![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
 
-**The security MCP built for vibe coding.** 334 security rules, 31 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 334 security rules, 32 tools covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -14,7 +14,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **334 security rules, 31 tools** purpose-built for the stacks AI agents generate
+- **334 security rules, 32 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -38,10 +38,10 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | AI/LLM security (prompt injection, MCP, tool abuse) | 30 rules | Experimental/None | None |
 | AI host security (CVE-2025-59536, CVE-2026-21852) | `guardvibe doctor` | Not supported | Not supported |
 | Auto-fix suggestions for AI agents | `fix_code` tool | CLI autofix | Not supported |
-| CVE version detection | 21 packages | Extensive | Extensive |
+| CVE version detection | 23 packages | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 330 (focused) | 5000+ (broad) | N/A |
+| Rule count | 334 (focused) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -150,7 +150,7 @@ Resend (email HTML injection), Upstash Redis, Pinecone, PostHog, Google Analytic
 ### AI / LLM Security
 Prompt injection detection, LLM output sinks, system prompt leaks, MCP server SSRF/path traversal/command injection, `dangerouslyAllowBrowser`, missing `maxTokens`, AI API key client exposure, indirect prompt injection via external data
 
-### AI Host Security (NEW in v2.6.0+)
+### AI Host Security
 `guardvibe doctor` — unified host hardening scanner detecting CVE-2025-59536 (hook injection via `.claude/settings.json`), CVE-2026-21852 (API key exfiltration via `ANTHROPIC_BASE_URL` override), MCP config audit, environment scanner, permission analysis. Supports Claude, Cursor, VS Code, Gemini, Windsurf. Host-specific remediation with platform-tailored fix steps.
 
 ### OWASP API Security
@@ -183,7 +183,7 @@ Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (E
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (31 MCP tools)
+## Tools (32 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -389,20 +389,7 @@ Supports `//`, `#`, and `<!-- -->` comment styles.
 
 ## GuardVibe Scans Itself
 
-We run GuardVibe on its own codebase. In v2.3.2, GuardVibe caught a **HIGH severity ReDoS vulnerability** in its own `policy-check.ts` — a regex injection risk that the developer missed during code review.
-
-```
-$ guardvibe scan_directory src/
-  Files scanned: 64
-  Scan duration: 102ms
-  Grade: B (89/100)
-
-  [HIGH] ReDoS via User-Controlled RegExp (VG107)
-    File: src/tools/policy-check.ts:47
-    Fix: escape regex metacharacters before passing to RegExp constructor
-```
-
-The vulnerability was fixed in the same session. This is exactly the workflow GuardVibe enables: catch what humans miss, fix before it ships.
+We run GuardVibe on its own codebase as a pre-commit hook. Every commit is scanned before it reaches the repository — the same workflow GuardVibe enables for your projects.
 
 ## How It Works
 
@@ -420,11 +407,12 @@ AI agent fixes issues before they reach production
 
 ## Performance
 
-Tested on a real 644-file Next.js + Supabase project:
+Tested on real AI-built projects (837 files, Next.js + Supabase + Clerk):
 
-- Scan time: **502ms**
-- False positive rate: **near zero** (comment/string filtering, human-readable text detection)
+- Scan time: **~1.2s** (837 files)
+- False positive rate: **near zero** — context-aware detection (React Native, Supabase client/server, static innerHTML, git-aware secrets)
 - Detection rate: **100%** on known vulnerability patterns
+- Security score: **A (99/100)** on production projects
 
 ## Troubleshooting
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",