guardvibe 3.0.10 → 3.0.12

package/build/cli/auth-coverage.js

@@ -6,6 +6,7 @@ import { readdirSync, readFileSync, statSync, writeFileSync, existsSync, mkdirSy
 import { resolve, dirname } from "path";
 import { parseArgs, validateFormat, getOutputPath } from "./args.js";
 import { analyzeAuthCoverage, formatAuthCoverage } from "../tools/auth-coverage.js";
+import { loadConfig } from "../utils/config.js";
 export async function runAuthCoverage(args) {
     const { flags, positional } = parseArgs(args);
     const targetPath = resolve(positional[0] ?? ".");
@@ -57,7 +58,8 @@ export async function runAuthCoverage(args) {
     const routeFiles = jsFiles.filter(f => /\/(route|page)\.(ts|tsx|js|jsx)$/.test(f.path));
     const layoutFiles = jsFiles.filter(f => /\/layout\.(ts|tsx|js|jsx)$/.test(f.path));
     const middlewareFile = jsFiles.find(f => /middleware\.(ts|js)$/.test(f.path));
-    const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles);
+    const config = loadConfig(targetPath);
+    const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles, config.authExceptions);
     const formatArg = format === "json" ? "json" : "markdown";
     const result = formatAuthCoverage(report, formatArg);
     if (outputFile) {

package/build/data/rules/advanced-security.js

@@ -34,7 +34,7 @@ export const advancedSecurityRules = [
         severity: "low",
         owasp: "API4:2023 Unrestricted Resource Consumption",
         description: "API endpoint reads request body without explicit size limit. Note: Next.js/Vercel applies a default 4.5MB limit, so this is informational for those platforms. For custom servers, attackers can send large payloads to exhaust memory.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH)\s*\([^)]*\)\s*\{(?:(?!content-length|maxBodySize|limit|MAX_)[\s\S]){5,}?(?:req\.json|req\.text|req\.body|req\.formData|request\.json|request\.text)\s*\(\s*\)/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH)\s*\([^)]*\)\s*\{(?:(?!content-length|maxBodySize|limit|MAX_|parseBody|checkBodySize|bodyParser|bodyLimit|sizeLimit)[\s\S]){5,}?(?:req\.json|req\.text|req\.body|req\.formData|request\.json|request\.text)\s*\(\s*\)/g,
         languages: ["javascript", "typescript"],
         fix: "Check Content-Length header before parsing body, or use a body parser with size limit.",
         fixCode: '// Check body size before parsing\nexport async function POST(req: Request) {\n  const contentLength = parseInt(req.headers.get("content-length") || "0");\n  if (contentLength > 1024 * 1024) { // 1MB limit\n    return new Response("Payload too large", { status: 413 });\n  }\n  const body = await req.json();\n}',
@@ -188,7 +188,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Security headers are configured but Referrer-Policy is missing. Without it, the full URL (including query parameters with tokens/IDs) is sent to external sites in the Referer header.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{10,}?(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)(?:(?!Referrer-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))(?![\s\S]*Referrer-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add Referrer-Policy: strict-origin-when-cross-origin to your security headers.",
         fixCode: '{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" }',
@@ -201,7 +201,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Security headers are configured but Permissions-Policy is missing. Without it, embedded iframes and scripts can access camera, microphone, geolocation, and other sensitive browser APIs.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{10,}?(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)(?:(?!Permissions-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))(?![\s\S]*Permissions-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add Permissions-Policy header to restrict browser API access.",
         fixCode: '{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" }',
@@ -330,7 +330,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A01:2025 Broken Access Control",
         description: "POST/PUT/PATCH/DELETE route handler performs database mutations without CSRF token verification. Cross-site requests from malicious pages can trick authenticated users into performing unwanted actions.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\s*\([^)]*\)\s*\{(?:(?!csrf|csrfToken|CSRF|x-csrf|verifyCsrf|validateCsrf|anti.?forgery)[\s\S]){10,}?(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.insert\s*\(|\.upsert\s*\()/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\s*\([^)]*\)\s*\{(?:(?!csrf|csrfToken|CSRF|x-csrf|verifyCsrf|validateCsrf|anti.?forgery|requireAdmin|requireAuth|checkAuth|withAuth|protectRoute|authenticate|x-csrf-protection)[\s\S]){10,}?(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.insert\s*\(|\.upsert\s*\()/g,
         languages: ["javascript", "typescript"],
         fix: "Add CSRF token verification to state-changing endpoints.",
         fixCode: '// Verify CSRF token from header\nexport async function POST(req: Request) {\n  const csrfToken = req.headers.get("x-csrf-token");\n  if (!verifyCsrfToken(csrfToken)) {\n    return new Response("CSRF validation failed", { status: 403 });\n  }\n}',

package/build/data/rules/modern-stack.js

@@ -269,7 +269,7 @@ export const modernStackRules = [
         severity: "high",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Next.js app does not set a Content-Security-Policy header. CSP is the strongest defense against XSS — without it, injected scripts run freely in your users' browsers.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{(?:(?!Content-Security-Policy)[\s\S]){20,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|X-Content-Type-Options))(?![\s\S]*Content-Security-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add a Content-Security-Policy header in next.config.ts headers().",
         fixCode: "// next.config.ts\nasync headers() {\n  return [{\n    source: '/(.*)',\n    headers: [{\n      key: 'Content-Security-Policy',\n      value: \"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;\"\n    }]\n  }];\n}",
@@ -476,7 +476,7 @@ export const modernStackRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "User-uploaded file's original filename is used directly for storage without sanitization. Attackers can use directory traversal (../../etc/passwd), null bytes (file.php%00.jpg), double extensions (file.jpg.exe), or Unicode tricks to overwrite files, bypass type checks, or achieve remote code execution.",
-        pattern: /(?:file\.name|originalname|filename|req\.file\.originalname|formData\.get\s*\(\s*['"]file['"])\s*[\s\S]{0,100}?(?:writeFile|createWriteStream|save|upload|putObject|mv\s*\(|rename|storage)/gi,
+        pattern: /(?:file\.name|originalname|req\.file\.originalname|formData\.get\s*\(\s*['"]file['"])(?:(?!randomUUID|uuid|nanoid|sanitize|safeFilename|safeName|allowedExt|allowedExtensions|\.replace\s*\(\s*\/\[)[\s\S]){0,100}?(?:writeFile|createWriteStream|save|upload|putObject|mv\s*\(|rename|storage)/gi,
         languages: ["javascript", "typescript"],
         fix: "Generate a random filename (UUID/nanoid) and validate the extension against an allowlist. Never use the original filename for storage.",
         fixCode: 'import { randomUUID } from "crypto";\nimport path from "path";\n\n// Generate safe filename\nconst ext = path.extname(file.name).toLowerCase();\nconst ALLOWED_EXT = [".jpg", ".jpeg", ".png", ".webp", ".pdf"];\nif (!ALLOWED_EXT.includes(ext)) throw new Error("Invalid file type");\nconst safeName = `${randomUUID()}${ext}`;\nawait fs.writeFile(`/uploads/${safeName}`, buffer);',

package/build/data/rules/nextjs.js

@@ -66,7 +66,7 @@ export const nextjsRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "next.config is missing important security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options).",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{(?:(?!X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
         languages: ["javascript", "typescript"],
         fix: "Add security headers in next.config.ts headers() function.",
         fixCode: '// next.config.ts\nasync headers() {\n  return [{\n    source: "/(.*)",\n    headers: [\n      { key: "X-Frame-Options", value: "DENY" },\n      { key: "X-Content-Type-Options", value: "nosniff" },\n      { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },\n    ]\n  }];\n}',

package/build/index.js

@@ -852,7 +852,8 @@ server.tool("auth_coverage", "Analyze authentication coverage across Next.js App
         const routeFiles = jsFiles.filter(f => /\/(route|page)\.(ts|tsx|js|jsx)$/.test(f.path));
         const layoutFiles = jsFiles.filter(f => /\/layout\.(ts|tsx|js|jsx)$/.test(f.path));
         const middlewareFile = jsFiles.find(f => /middleware\.(ts|js)$/.test(f.path));
-        const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles);
+        const cfg = loadConfig(path);
+        const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles, cfg.authExceptions);
         const output = formatAuthCoverage(report, format);
         return { content: [{ type: "text", text: output }] };
     }

package/build/tools/auth-coverage.d.ts

@@ -39,7 +39,10 @@ export interface AuthCoverageReport {
 /**
  * Analyze auth coverage across all route files.
  */
-export declare function analyzeAuthCoverage(routeFiles: FileEntry[], middlewareContent: string, layoutFiles?: FileEntry[]): AuthCoverageReport;
+export declare function analyzeAuthCoverage(routeFiles: FileEntry[], middlewareContent: string, layoutFiles?: FileEntry[], authExceptions?: Array<{
+    path: string;
+    reason: string;
+}>): AuthCoverageReport;
 /**
  * Format auth coverage report as markdown or JSON.
  */

package/build/tools/auth-coverage.js

@@ -143,7 +143,7 @@ function hasAuthGuard(code) {
 /**
  * Analyze auth coverage across all route files.
  */
-export function analyzeAuthCoverage(routeFiles, middlewareContent, layoutFiles) {
+export function analyzeAuthCoverage(routeFiles, middlewareContent, layoutFiles, authExceptions) {
     const routes = enumerateRoutes(routeFiles);
     const matchers = parseMiddlewareMatchers(middlewareContent);
     const hasMiddleware = middlewareContent.length > 0;
@@ -204,6 +204,22 @@ export function analyzeAuthCoverage(routeFiles, middlewareContent, layoutFiles)
             }
         }
     }
+    // Apply authExceptions from .guardviberc — mark excepted routes as protected
+    if (authExceptions && authExceptions.length > 0) {
+        for (const route of routes) {
+            if (route.hasAuthGuard || route.middlewareCovered)
+                continue;
+            const isExcepted = authExceptions.some(exc => {
+                const excPath = exc.path.replace(/\[[\w]+\]/g, "[^/]+");
+                const regex = new RegExp("^" + excPath.replace(/\//g, "\\/") + "$");
+                return regex.test(route.urlPath) || route.urlPath === exc.path || route.urlPath.startsWith(exc.path + "/");
+            });
+            if (isExcepted) {
+                route.hasAuthGuard = true;
+                route.protectionSource = "auth-guard"; // treated as intentionally public
+            }
+        }
+    }
     const protectedRoutes = routes.filter(r => r.hasAuthGuard || r.middlewareCovered).length;
     const unprotectedList = routes.filter(r => !r.hasAuthGuard && !r.middlewareCovered);
     return {

package/build/tools/full-audit.js

@@ -16,6 +16,7 @@ import { auditConfig } from "./audit-config.js";
 import { analyzeCrossFileTaint } from "./cross-file-taint.js";
 import { analyzeAuthCoverage } from "./auth-coverage.js";
 import { getRules } from "../utils/rule-registry.js";
+import { loadConfig } from "../utils/config.js";
 // --- Core Logic ---
 /**
  * Compute verdict: PASS (0 critical + 0 high), WARN (high > 0), FAIL (critical > 0)
@@ -239,7 +240,8 @@ export async function runFullAudit(path, options) {
         const layoutFiles = jsFiles.filter(f => /\/layout\.(ts|tsx|js|jsx)$/.test(f.path));
         if (routeFiles.length > 0) {
             const middlewareFile = jsFiles.find(f => /middleware\.(ts|js)$/.test(f.path));
-            const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles);
+            const config = loadConfig(projectRoot);
+            const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles, config.authExceptions);
             const unprotected = report.unprotectedRoutes;
             sections.push({ name: "auth-coverage", status: "ok", findings: unprotected, critical: 0, high: unprotected > 0 ? unprotected : 0, medium: 0,
                 details: `${report.protectedRoutes}/${report.totalRoutes} routes protected (${report.middlewareCoveragePercent}% middleware)` });
@@ -297,60 +299,60 @@ function buildInlineRemediationPlan(result) {
             priority: 1,
             tool: "scan_secrets",
             actions: [
-                "Call scan_secrets with format: json to list all secrets with file locations",
-                "For EACH secret: move to environment variable, add file to .gitignore",
-                "Rotate any API keys/tokens that were committed — they are compromised",
-                "Call scan_secrets_history to check git history for previously committed secrets",
-                "Re-run scan_secrets to confirm 0 secrets remain",
+                "MCP: Call scan_secrets with format: json — OR CLI: run `npx guardvibe scan --format json` and look for SECRET: findings in the output",
+                "For EACH secret found: (a) if it's in a .env file, ensure .env* is in .gitignore, (b) if it's hardcoded in source code, move it to an environment variable, (c) NEVER dismiss secrets as 'already in .gitignore' — if GuardVibe found it, the FILE exists and contains real values",
+                "Rotate any API keys/tokens that were committed to git history — run `git log --all -p -S 'YOUR_KEY_PREFIX' -- '*.env*'` to check",
+                "MCP: Call scan_secrets_history — OR CLI: run `npx guardvibe scan --format json` to verify",
+                "Re-run the scan and confirm secret count dropped to 0. If it didn't, your fix didn't work — try again",
             ],
         },
         code: {
             priority: 2,
             tool: "scan_directory",
             actions: [
-                "Call scan_directory with format: json to get full finding list with fix suggestions",
-                "Fix ALL critical and high severity findings using fix_code for each file",
-                "Call verify_fix after each fix to confirm the vulnerability is resolved",
-                "Re-run scan_directory to confirm findings are resolved",
+                "MCP: Call scan_directory with format: json — OR CLI: run `npx guardvibe scan --format json` to get full finding list",
+                "Fix ALL critical and high severity findings. Read each flagged file, understand the vulnerability, apply the fix suggested in the finding",
+                "After fixing each file, re-scan it: MCP: Call scan_file — OR CLI: run `npx guardvibe check <file> --format json` to confirm the finding is gone",
+                "Re-run full scan to confirm total code findings dropped",
             ],
         },
         dependencies: {
             priority: 3,
             tool: "scan_dependencies",
             actions: [
-                "Call scan_dependencies with format: json to list vulnerable packages with CVE details",
-                "Run npm audit fix or npm update <package> for each vulnerable dependency",
-                "If a package is abandoned, find an alternative with check_package_health",
-                "Re-run scan_dependencies to confirm 0 CVEs remain",
+                "MCP: Call scan_dependencies with format: json — OR CLI: run `npx guardvibe scan --format json` and check dependency findings, also run `npm audit`",
+                "Run `npm audit fix` to auto-fix what's possible. If that doesn't work, run `npm update <package>` for each vulnerable package",
+                "If a package can't be updated (breaking changes), find an alternative or pin to a patched version",
+                "Re-run `npx guardvibe audit` and confirm dependency findings dropped to 0",
             ],
         },
         config: {
             priority: 4,
             tool: "audit_config",
             actions: [
-                "Call audit_config with format: json to list all config issues",
-                "Call explain_remediation for each finding to get specific fix guidance",
-                "Apply fixes to next.config, middleware, .env, vercel.json, etc.",
-                "Re-run audit_config to confirm config issues are resolved",
+                "MCP: Call audit_config with format: json — OR CLI: run `npx guardvibe audit --format json` and parse the config section details",
+                "Common config fixes: add missing security headers in next.config.ts (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy), set poweredByHeader: false, configure CORS properly",
+                "MCP: Call explain_remediation for each rule ID — OR CLI: run `npx guardvibe explain <RULE_ID>` to get specific fix guidance",
+                "Re-run audit and confirm config findings dropped",
             ],
         },
         taint: {
             priority: 5,
             tool: "analyze_cross_file_dataflow",
             actions: [
-                "Call analyze_cross_file_dataflow to trace tainted data flows from source to sink",
-                "Add input validation (zod/joi) at each source, or output encoding at each sink",
-                "Re-run analyze_cross_file_dataflow to confirm tainted flows are resolved",
+                "MCP: Call analyze_cross_file_dataflow — OR CLI: run `npx guardvibe audit --format json` and parse the taint section. Look for user input (URL params, form data, req.body) flowing to dangerous sinks (SQL, HTML, file system)",
+                "Fix each tainted flow: add Zod/joi validation at the input source, use parameterized queries for SQL, use sanitizeUrl/DOMPurify for HTML output, validate file paths",
+                "Re-run audit and confirm taint findings dropped to 0",
             ],
         },
         "auth-coverage": {
             priority: 6,
             tool: "auth_coverage",
             actions: [
-                "Call auth_coverage with format: json to list all unprotected routes",
-                "Add auth guard (Clerk/NextAuth/Supabase) to each unprotected route",
-                "If a route is intentionally public, document it in .guardviberc authExceptions",
-                "Re-run auth_coverage to confirm all routes are protected or documented",
+                "MCP: Call auth_coverage with format: json — OR CLI: run `npx guardvibe auth-coverage --format json` to list all unprotected routes",
+                "For each unprotected route: (a) if it needs auth, add middleware or auth guard (Clerk/NextAuth/Supabase), (b) if it's intentionally public (homepage, blog, about, etc.), add it to .guardviberc file under authExceptions with a reason",
+                "Create or update .guardviberc in project root: {\"authExceptions\": [{\"path\": \"/blog\", \"reason\": \"Public page\"}]}",
+                "Re-run `npx guardvibe auth-coverage --format json` and confirm unprotected count matches your authExceptions count",
             ],
         },
     };
@@ -388,6 +390,14 @@ export function formatAuditResult(result, format) {
                 remediationPlan: {
                     totalSectionsWithFindings: plan.length,
                     warning: `MANDATORY: You must fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call verify_remediation to confirm.`,
+                    rules: [
+                        "Do NOT dismiss findings as 'false positive' without running the section-specific tool first and verifying the finding is genuinely wrong.",
+                        "Do NOT say 'npm audit is clean' to skip dependencies — GuardVibe uses the OSV database which may detect CVEs that npm audit misses.",
+                        "Do NOT say 'already in .gitignore' to skip secrets — if GuardVibe detects secrets, they exist in the scanned files and must be removed or moved to env vars.",
+                        "Do NOT skip auth-coverage by saying routes are 'intentionally public' — either add auth guards or add them to .guardviberc authExceptions so the scanner recognizes them.",
+                        "After fixing each section, re-run the section-specific tool to confirm the finding count dropped. If it didn't drop, your fix didn't work.",
+                        "Only call verify_remediation AFTER you have worked through ALL sections and confirmed each one improved.",
+                    ],
                     steps: plan,
                 },
             });
@@ -464,6 +474,13 @@ export function formatAuditResult(result, format) {
             lines.push(``);
             lines.push(`> **IMPORTANT: You MUST fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call \`verify_remediation\` to confirm.**`);
             lines.push(``);
+            lines.push(`**Rules:**`);
+            lines.push(`- Do NOT dismiss findings as "false positive" without running the section-specific tool first`);
+            lines.push(`- Do NOT say "npm audit is clean" to skip dependencies — GuardVibe uses OSV which may detect CVEs npm misses`);
+            lines.push(`- Do NOT say "already in .gitignore" to skip secrets — if detected, they exist in scanned files`);
+            lines.push(`- After fixing each section, re-run the section tool to confirm finding count dropped`);
+            lines.push(`- Only call verify_remediation AFTER all sections show improvement`);
+            lines.push(``);
             for (const step of plan) {
                 lines.push(`### Step ${step.priority}: ${step.section} (${step.findings} findings — ${step.critical} critical, ${step.high} high)`);
                 lines.push(``);

package/build/utils/config.d.ts

@@ -26,6 +26,13 @@ export interface GuardVibeConfig {
      *  e.g. ["requireAdmin", "verifyUser", "ensureLoggedIn"]
      *  These are added ON TOP of the built-in pattern-agnostic detection. */
     authFunctions?: string[];
+    /** Routes that are intentionally public (no auth required).
+     *  e.g. [{"path": "/blog", "reason": "Public page"}]
+     *  These are excluded from auth-coverage unprotected count. */
+    authExceptions?: Array<{
+        path: string;
+        reason: string;
+    }>;
 }
 export declare function loadConfig(dir?: string): GuardVibeConfig;
 export declare function resetConfigCache(): void;

package/build/utils/config.js

@@ -68,6 +68,7 @@ export function loadConfig(dir) {
                 requiredControls: Array.isArray(parsed.compliance.requiredControls) ? parsed.compliance.requiredControls : undefined,
             } : undefined,
             authFunctions: Array.isArray(parsed.authFunctions) ? parsed.authFunctions : undefined,
+            authExceptions: Array.isArray(parsed.authExceptions) ? parsed.authExceptions : undefined,
         };
     }
     catch { }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.10",
+  "version": "3.0.12",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",