guardvibe 3.0.10 → 3.0.11

package/build/data/rules/advanced-security.js

@@ -34,7 +34,7 @@ export const advancedSecurityRules = [
         severity: "low",
         owasp: "API4:2023 Unrestricted Resource Consumption",
         description: "API endpoint reads request body without explicit size limit. Note: Next.js/Vercel applies a default 4.5MB limit, so this is informational for those platforms. For custom servers, attackers can send large payloads to exhaust memory.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH)\s*\([^)]*\)\s*\{(?:(?!content-length|maxBodySize|limit|MAX_)[\s\S]){5,}?(?:req\.json|req\.text|req\.body|req\.formData|request\.json|request\.text)\s*\(\s*\)/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH)\s*\([^)]*\)\s*\{(?:(?!content-length|maxBodySize|limit|MAX_|parseBody|checkBodySize|bodyParser|bodyLimit|sizeLimit)[\s\S]){5,}?(?:req\.json|req\.text|req\.body|req\.formData|request\.json|request\.text)\s*\(\s*\)/g,
         languages: ["javascript", "typescript"],
         fix: "Check Content-Length header before parsing body, or use a body parser with size limit.",
         fixCode: '// Check body size before parsing\nexport async function POST(req: Request) {\n  const contentLength = parseInt(req.headers.get("content-length") || "0");\n  if (contentLength > 1024 * 1024) { // 1MB limit\n    return new Response("Payload too large", { status: 413 });\n  }\n  const body = await req.json();\n}',
@@ -188,7 +188,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Security headers are configured but Referrer-Policy is missing. Without it, the full URL (including query parameters with tokens/IDs) is sent to external sites in the Referer header.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{10,}?(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)(?:(?!Referrer-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))(?![\s\S]*Referrer-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add Referrer-Policy: strict-origin-when-cross-origin to your security headers.",
         fixCode: '{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" }',
@@ -201,7 +201,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Security headers are configured but Permissions-Policy is missing. Without it, embedded iframes and scripts can access camera, microphone, geolocation, and other sensitive browser APIs.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{10,}?(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)(?:(?!Permissions-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))(?![\s\S]*Permissions-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add Permissions-Policy header to restrict browser API access.",
         fixCode: '{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" }',
@@ -330,7 +330,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A01:2025 Broken Access Control",
         description: "POST/PUT/PATCH/DELETE route handler performs database mutations without CSRF token verification. Cross-site requests from malicious pages can trick authenticated users into performing unwanted actions.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\s*\([^)]*\)\s*\{(?:(?!csrf|csrfToken|CSRF|x-csrf|verifyCsrf|validateCsrf|anti.?forgery)[\s\S]){10,}?(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.insert\s*\(|\.upsert\s*\()/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\s*\([^)]*\)\s*\{(?:(?!csrf|csrfToken|CSRF|x-csrf|verifyCsrf|validateCsrf|anti.?forgery|requireAdmin|requireAuth|checkAuth|withAuth|protectRoute|authenticate|x-csrf-protection)[\s\S]){10,}?(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.insert\s*\(|\.upsert\s*\()/g,
         languages: ["javascript", "typescript"],
         fix: "Add CSRF token verification to state-changing endpoints.",
         fixCode: '// Verify CSRF token from header\nexport async function POST(req: Request) {\n  const csrfToken = req.headers.get("x-csrf-token");\n  if (!verifyCsrfToken(csrfToken)) {\n    return new Response("CSRF validation failed", { status: 403 });\n  }\n}',

package/build/data/rules/modern-stack.js

@@ -269,7 +269,7 @@ export const modernStackRules = [
         severity: "high",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Next.js app does not set a Content-Security-Policy header. CSP is the strongest defense against XSS — without it, injected scripts run freely in your users' browsers.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{(?:(?!Content-Security-Policy)[\s\S]){20,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|X-Content-Type-Options))(?![\s\S]*Content-Security-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add a Content-Security-Policy header in next.config.ts headers().",
         fixCode: "// next.config.ts\nasync headers() {\n  return [{\n    source: '/(.*)',\n    headers: [{\n      key: 'Content-Security-Policy',\n      value: \"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;\"\n    }]\n  }];\n}",
@@ -476,7 +476,7 @@ export const modernStackRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "User-uploaded file's original filename is used directly for storage without sanitization. Attackers can use directory traversal (../../etc/passwd), null bytes (file.php%00.jpg), double extensions (file.jpg.exe), or Unicode tricks to overwrite files, bypass type checks, or achieve remote code execution.",
-        pattern: /(?:file\.name|originalname|filename|req\.file\.originalname|formData\.get\s*\(\s*['"]file['"])\s*[\s\S]{0,100}?(?:writeFile|createWriteStream|save|upload|putObject|mv\s*\(|rename|storage)/gi,
+        pattern: /(?:file\.name|originalname|req\.file\.originalname|formData\.get\s*\(\s*['"]file['"])(?:(?!randomUUID|uuid|nanoid|sanitize|safeFilename|safeName|allowedExt|allowedExtensions|\.replace\s*\(\s*\/\[)[\s\S]){0,100}?(?:writeFile|createWriteStream|save|upload|putObject|mv\s*\(|rename|storage)/gi,
         languages: ["javascript", "typescript"],
         fix: "Generate a random filename (UUID/nanoid) and validate the extension against an allowlist. Never use the original filename for storage.",
         fixCode: 'import { randomUUID } from "crypto";\nimport path from "path";\n\n// Generate safe filename\nconst ext = path.extname(file.name).toLowerCase();\nconst ALLOWED_EXT = [".jpg", ".jpeg", ".png", ".webp", ".pdf"];\nif (!ALLOWED_EXT.includes(ext)) throw new Error("Invalid file type");\nconst safeName = `${randomUUID()}${ext}`;\nawait fs.writeFile(`/uploads/${safeName}`, buffer);',

package/build/data/rules/nextjs.js

@@ -66,7 +66,7 @@ export const nextjsRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "next.config is missing important security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options).",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{(?:(?!X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
         languages: ["javascript", "typescript"],
         fix: "Add security headers in next.config.ts headers() function.",
         fixCode: '// next.config.ts\nasync headers() {\n  return [{\n    source: "/(.*)",\n    headers: [\n      { key: "X-Frame-Options", value: "DENY" },\n      { key: "X-Content-Type-Options", value: "nosniff" },\n      { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },\n    ]\n  }];\n}',

package/build/tools/full-audit.js

@@ -388,6 +388,14 @@ export function formatAuditResult(result, format) {
                 remediationPlan: {
                     totalSectionsWithFindings: plan.length,
                     warning: `MANDATORY: You must fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call verify_remediation to confirm.`,
+                    rules: [
+                        "Do NOT dismiss findings as 'false positive' without running the section-specific tool first and verifying the finding is genuinely wrong.",
+                        "Do NOT say 'npm audit is clean' to skip dependencies — GuardVibe uses the OSV database which may detect CVEs that npm audit misses.",
+                        "Do NOT say 'already in .gitignore' to skip secrets — if GuardVibe detects secrets, they exist in the scanned files and must be removed or moved to env vars.",
+                        "Do NOT skip auth-coverage by saying routes are 'intentionally public' — either add auth guards or add them to .guardviberc authExceptions so the scanner recognizes them.",
+                        "After fixing each section, re-run the section-specific tool to confirm the finding count dropped. If it didn't drop, your fix didn't work.",
+                        "Only call verify_remediation AFTER you have worked through ALL sections and confirmed each one improved.",
+                    ],
                     steps: plan,
                 },
             });
@@ -464,6 +472,13 @@ export function formatAuditResult(result, format) {
             lines.push(``);
             lines.push(`> **IMPORTANT: You MUST fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call \`verify_remediation\` to confirm.**`);
             lines.push(``);
+            lines.push(`**Rules:**`);
+            lines.push(`- Do NOT dismiss findings as "false positive" without running the section-specific tool first`);
+            lines.push(`- Do NOT say "npm audit is clean" to skip dependencies — GuardVibe uses OSV which may detect CVEs npm misses`);
+            lines.push(`- Do NOT say "already in .gitignore" to skip secrets — if detected, they exist in scanned files`);
+            lines.push(`- After fixing each section, re-run the section tool to confirm finding count dropped`);
+            lines.push(`- Only call verify_remediation AFTER all sections show improvement`);
+            lines.push(``);
             for (const step of plan) {
                 lines.push(`### Step ${step.priority}: ${step.section} (${step.findings} findings — ${step.critical} critical, ${step.high} high)`);
                 lines.push(``);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.10",
+  "version": "3.0.11",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",