guardvibe 3.0.11 → 3.0.13

package/build/cli/auth-coverage.js

@@ -6,6 +6,7 @@ import { readdirSync, readFileSync, statSync, writeFileSync, existsSync, mkdirSy
 import { resolve, dirname } from "path";
 import { parseArgs, validateFormat, getOutputPath } from "./args.js";
 import { analyzeAuthCoverage, formatAuthCoverage } from "../tools/auth-coverage.js";
+import { loadConfig } from "../utils/config.js";
 export async function runAuthCoverage(args) {
     const { flags, positional } = parseArgs(args);
     const targetPath = resolve(positional[0] ?? ".");
@@ -57,7 +58,8 @@ export async function runAuthCoverage(args) {
     const routeFiles = jsFiles.filter(f => /\/(route|page)\.(ts|tsx|js|jsx)$/.test(f.path));
     const layoutFiles = jsFiles.filter(f => /\/layout\.(ts|tsx|js|jsx)$/.test(f.path));
     const middlewareFile = jsFiles.find(f => /middleware\.(ts|js)$/.test(f.path));
-    const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles);
+    const config = loadConfig(targetPath);
+    const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles, config.authExceptions);
     const formatArg = format === "json" ? "json" : "markdown";
     const result = formatAuthCoverage(report, formatArg);
     if (outputFile) {

package/build/index.js

@@ -852,7 +852,8 @@ server.tool("auth_coverage", "Analyze authentication coverage across Next.js App
         const routeFiles = jsFiles.filter(f => /\/(route|page)\.(ts|tsx|js|jsx)$/.test(f.path));
         const layoutFiles = jsFiles.filter(f => /\/layout\.(ts|tsx|js|jsx)$/.test(f.path));
         const middlewareFile = jsFiles.find(f => /middleware\.(ts|js)$/.test(f.path));
-        const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles);
+        const cfg = loadConfig(path);
+        const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles, cfg.authExceptions);
         const output = formatAuthCoverage(report, format);
         return { content: [{ type: "text", text: output }] };
     }

package/build/tools/auth-coverage.d.ts

@@ -39,7 +39,10 @@ export interface AuthCoverageReport {
 /**
  * Analyze auth coverage across all route files.
  */
-export declare function analyzeAuthCoverage(routeFiles: FileEntry[], middlewareContent: string, layoutFiles?: FileEntry[]): AuthCoverageReport;
+export declare function analyzeAuthCoverage(routeFiles: FileEntry[], middlewareContent: string, layoutFiles?: FileEntry[], authExceptions?: Array<{
+    path: string;
+    reason: string;
+}>): AuthCoverageReport;
 /**
  * Format auth coverage report as markdown or JSON.
  */

package/build/tools/auth-coverage.js

@@ -143,7 +143,7 @@ function hasAuthGuard(code) {
 /**
  * Analyze auth coverage across all route files.
  */
-export function analyzeAuthCoverage(routeFiles, middlewareContent, layoutFiles) {
+export function analyzeAuthCoverage(routeFiles, middlewareContent, layoutFiles, authExceptions) {
     const routes = enumerateRoutes(routeFiles);
     const matchers = parseMiddlewareMatchers(middlewareContent);
     const hasMiddleware = middlewareContent.length > 0;
@@ -204,6 +204,22 @@ export function analyzeAuthCoverage(routeFiles, middlewareContent, layoutFiles)
             }
         }
     }
+    // Apply authExceptions from .guardviberc — mark excepted routes as protected
+    if (authExceptions && authExceptions.length > 0) {
+        for (const route of routes) {
+            if (route.hasAuthGuard || route.middlewareCovered)
+                continue;
+            const isExcepted = authExceptions.some(exc => {
+                const excPath = exc.path.replace(/\[[\w]+\]/g, "[^/]+");
+                const regex = new RegExp("^" + excPath.replace(/\//g, "\\/") + "$");
+                return regex.test(route.urlPath) || route.urlPath === exc.path || route.urlPath.startsWith(exc.path + "/");
+            });
+            if (isExcepted) {
+                route.hasAuthGuard = true;
+                route.protectionSource = "auth-guard"; // treated as intentionally public
+            }
+        }
+    }
     const protectedRoutes = routes.filter(r => r.hasAuthGuard || r.middlewareCovered).length;
     const unprotectedList = routes.filter(r => !r.hasAuthGuard && !r.middlewareCovered);
     return {

package/build/tools/full-audit.js

@@ -16,6 +16,7 @@ import { auditConfig } from "./audit-config.js";
 import { analyzeCrossFileTaint } from "./cross-file-taint.js";
 import { analyzeAuthCoverage } from "./auth-coverage.js";
 import { getRules } from "../utils/rule-registry.js";
+import { loadConfig } from "../utils/config.js";
 // --- Core Logic ---
 /**
  * Compute verdict: PASS (0 critical + 0 high), WARN (high > 0), FAIL (critical > 0)
@@ -138,8 +139,9 @@ export async function runFullAudit(path, options) {
             filesScanned = parsed.metadata?.filesScanned ?? 0;
             filesSkipped = parsed.metadata?.filesSkipped ?? 0;
             score = parsed.summary?.score ?? 100;
-            grade = parsed.summary?.grade ?? "A";
-            sections.push({ name: "code", status: "ok", ...counts, details: `Grade ${grade} (${score}/100)` });
+            const codeGrade = parsed.summary?.grade ?? "A";
+            const codeScore = parsed.summary?.score ?? 100;
+            sections.push({ name: "code", status: "ok", ...counts, details: `Code ${codeGrade} (${codeScore}/100)` });
             for (const f of parsed.findings ?? []) {
                 allFindings.push({ ruleId: f.id ?? "unknown", severity: f.severity, file: f.file ?? "", line: f.line ?? 0 });
             }
@@ -239,7 +241,8 @@ export async function runFullAudit(path, options) {
         const layoutFiles = jsFiles.filter(f => /\/layout\.(ts|tsx|js|jsx)$/.test(f.path));
         if (routeFiles.length > 0) {
             const middlewareFile = jsFiles.find(f => /middleware\.(ts|js)$/.test(f.path));
-            const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles);
+            const config = loadConfig(projectRoot);
+            const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles, config.authExceptions);
             const unprotected = report.unprotectedRoutes;
             sections.push({ name: "auth-coverage", status: "ok", findings: unprotected, critical: 0, high: unprotected > 0 ? unprotected : 0, medium: 0,
                 details: `${report.protectedRoutes}/${report.totalRoutes} routes protected (${report.middlewareCoveragePercent}% middleware)` });
@@ -252,6 +255,15 @@ export async function runFullAudit(path, options) {
     const totalMedium = sections.reduce((s, sec) => s + sec.medium, 0);
     const totalFindings = sections.reduce((s, sec) => s + sec.findings, 0);
     const rulesApplied = rules.length > 0 ? rules.length : 335;
+    // Adjust score to reflect ALL sections, not just code
+    // Each critical finding deducts 5 points, high deducts 3, medium deducts 1
+    // Score from code scan is the baseline, other sections reduce it further
+    const nonCodeCritical = totalCritical - (sections.find(s => s.name === "code")?.critical ?? 0);
+    const nonCodeHigh = totalHigh - (sections.find(s => s.name === "code")?.high ?? 0);
+    const nonCodeMedium = totalMedium - (sections.find(s => s.name === "code")?.medium ?? 0);
+    const deduction = (nonCodeCritical * 5) + (nonCodeHigh * 3) + (nonCodeMedium * 1);
+    score = Math.max(0, score - deduction);
+    grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 50 ? "C" : score >= 25 ? "D" : "F";
     const verdict = computeVerdict(totalCritical, totalHigh, totalMedium);
     const coverage = computeCoverage(filesScanned, filesSkipped, rulesApplied);
     const resultHash = computeResultHash(allFindings);
@@ -297,60 +309,60 @@ function buildInlineRemediationPlan(result) {
             priority: 1,
             tool: "scan_secrets",
             actions: [
-                "Call scan_secrets with format: json to list all secrets with file locations",
-                "For EACH secret: move to environment variable, add file to .gitignore",
-                "Rotate any API keys/tokens that were committed — they are compromised",
-                "Call scan_secrets_history to check git history for previously committed secrets",
-                "Re-run scan_secrets to confirm 0 secrets remain",
+                "MCP: Call scan_secrets with format: json — OR CLI: run `npx guardvibe scan --format json` and look for SECRET: findings in the output",
+                "For EACH secret found: (a) if it's in a .env file, ensure .env* is in .gitignore, (b) if it's hardcoded in source code, move it to an environment variable, (c) NEVER dismiss secrets as 'already in .gitignore' — if GuardVibe found it, the FILE exists and contains real values",
+                "Rotate any API keys/tokens that were committed to git history — run `git log --all -p -S 'YOUR_KEY_PREFIX' -- '*.env*'` to check",
+                "MCP: Call scan_secrets_history — OR CLI: run `npx guardvibe scan --format json` to verify",
+                "Re-run the scan and confirm secret count dropped to 0. If it didn't, your fix didn't work — try again",
             ],
         },
         code: {
             priority: 2,
             tool: "scan_directory",
             actions: [
-                "Call scan_directory with format: json to get full finding list with fix suggestions",
-                "Fix ALL critical and high severity findings using fix_code for each file",
-                "Call verify_fix after each fix to confirm the vulnerability is resolved",
-                "Re-run scan_directory to confirm findings are resolved",
+                "MCP: Call scan_directory with format: json — OR CLI: run `npx guardvibe scan --format json` to get full finding list",
+                "Fix ALL critical and high severity findings. Read each flagged file, understand the vulnerability, apply the fix suggested in the finding",
+                "After fixing each file, re-scan it: MCP: Call scan_file — OR CLI: run `npx guardvibe check <file> --format json` to confirm the finding is gone",
+                "Re-run full scan to confirm total code findings dropped",
             ],
         },
         dependencies: {
             priority: 3,
             tool: "scan_dependencies",
             actions: [
-                "Call scan_dependencies with format: json to list vulnerable packages with CVE details",
-                "Run npm audit fix or npm update <package> for each vulnerable dependency",
-                "If a package is abandoned, find an alternative with check_package_health",
-                "Re-run scan_dependencies to confirm 0 CVEs remain",
+                "MCP: Call scan_dependencies with format: json — OR CLI: run `npx guardvibe scan --format json` and check dependency findings, also run `npm audit`",
+                "Run `npm audit fix` to auto-fix what's possible. If that doesn't work, run `npm update <package>` for each vulnerable package",
+                "If a package can't be updated (breaking changes), find an alternative or pin to a patched version",
+                "Re-run `npx guardvibe audit` and confirm dependency findings dropped to 0",
             ],
         },
         config: {
             priority: 4,
             tool: "audit_config",
             actions: [
-                "Call audit_config with format: json to list all config issues",
-                "Call explain_remediation for each finding to get specific fix guidance",
-                "Apply fixes to next.config, middleware, .env, vercel.json, etc.",
-                "Re-run audit_config to confirm config issues are resolved",
+                "MCP: Call audit_config with format: json — OR CLI: run `npx guardvibe audit --format json` and parse the config section details",
+                "Common config fixes: add missing security headers in next.config.ts (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy), set poweredByHeader: false, configure CORS properly",
+                "MCP: Call explain_remediation for each rule ID — OR CLI: run `npx guardvibe explain <RULE_ID>` to get specific fix guidance",
+                "Re-run audit and confirm config findings dropped",
             ],
         },
         taint: {
             priority: 5,
             tool: "analyze_cross_file_dataflow",
             actions: [
-                "Call analyze_cross_file_dataflow to trace tainted data flows from source to sink",
-                "Add input validation (zod/joi) at each source, or output encoding at each sink",
-                "Re-run analyze_cross_file_dataflow to confirm tainted flows are resolved",
+                "MCP: Call analyze_cross_file_dataflow — OR CLI: run `npx guardvibe audit --format json` and parse the taint section. Look for user input (URL params, form data, req.body) flowing to dangerous sinks (SQL, HTML, file system)",
+                "Fix each tainted flow: add Zod/joi validation at the input source, use parameterized queries for SQL, use sanitizeUrl/DOMPurify for HTML output, validate file paths",
+                "Re-run audit and confirm taint findings dropped to 0",
             ],
         },
         "auth-coverage": {
             priority: 6,
             tool: "auth_coverage",
             actions: [
-                "Call auth_coverage with format: json to list all unprotected routes",
-                "Add auth guard (Clerk/NextAuth/Supabase) to each unprotected route",
-                "If a route is intentionally public, document it in .guardviberc authExceptions",
-                "Re-run auth_coverage to confirm all routes are protected or documented",
+                "MCP: Call auth_coverage with format: json — OR CLI: run `npx guardvibe auth-coverage --format json` to list all unprotected routes",
+                "For each unprotected route: (a) if it needs auth, add middleware or auth guard (Clerk/NextAuth/Supabase), (b) if it's intentionally public (homepage, blog, about, etc.), add it to .guardviberc file under authExceptions with a reason",
+                "Create or update .guardviberc in project root: {\"authExceptions\": [{\"path\": \"/blog\", \"reason\": \"Public page\"}]}",
+                "Re-run `npx guardvibe auth-coverage --format json` and confirm unprotected count matches your authExceptions count",
             ],
         },
     };

package/build/utils/config.d.ts

@@ -26,6 +26,13 @@ export interface GuardVibeConfig {
      *  e.g. ["requireAdmin", "verifyUser", "ensureLoggedIn"]
      *  These are added ON TOP of the built-in pattern-agnostic detection. */
     authFunctions?: string[];
+    /** Routes that are intentionally public (no auth required).
+     *  e.g. [{"path": "/blog", "reason": "Public page"}]
+     *  These are excluded from auth-coverage unprotected count. */
+    authExceptions?: Array<{
+        path: string;
+        reason: string;
+    }>;
 }
 export declare function loadConfig(dir?: string): GuardVibeConfig;
 export declare function resetConfigCache(): void;

package/build/utils/config.js

@@ -68,6 +68,7 @@ export function loadConfig(dir) {
                 requiredControls: Array.isArray(parsed.compliance.requiredControls) ? parsed.compliance.requiredControls : undefined,
             } : undefined,
             authFunctions: Array.isArray(parsed.authFunctions) ? parsed.authFunctions : undefined,
+            authExceptions: Array.isArray(parsed.authExceptions) ? parsed.authExceptions : undefined,
         };
     }
     catch { }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.11",
+  "version": "3.0.13",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",