guardvibe 3.0.14 → 3.0.16

package/build/data/rules/nextjs.js

@@ -66,7 +66,7 @@ export const nextjsRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "next.config is missing important security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options).",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{0,20}return\s+\[(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
         languages: ["javascript", "typescript"],
         fix: "Add security headers in next.config.ts headers() function.",
         fixCode: '// next.config.ts\nasync headers() {\n  return [{\n    source: "/(.*)",\n    headers: [\n      { key: "X-Frame-Options", value: "DENY" },\n      { key: "X-Content-Type-Options", value: "nosniff" },\n      { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },\n    ]\n  }];\n}',

package/build/tools/full-audit.d.ts

@@ -21,6 +21,15 @@ export interface FindingRef {
     line: number;
     [key: string]: unknown;
 }
+export interface SectionFinding {
+    ruleId: string;
+    severity: string;
+    file: string;
+    line: number;
+    name?: string;
+    description?: string;
+    fix?: string;
+}
 export interface AuditSection {
     name: string;
     status: "ok" | "error" | "skipped";
@@ -29,6 +38,8 @@ export interface AuditSection {
     high: number;
     medium: number;
     details: string;
+    /** Individual findings for this section — enables AI to see exactly what to fix */
+    sectionFindings?: SectionFinding[];
 }
 export interface AuditResult {
     verdict: AuditVerdict;

package/build/tools/full-audit.js

@@ -141,7 +141,15 @@ export async function runFullAudit(path, options) {
             score = parsed.summary?.score ?? 100;
             const codeGrade = parsed.summary?.grade ?? "A";
             const codeScore = parsed.summary?.score ?? 100;
-            sections.push({ name: "code", status: "ok", ...counts, details: `Code ${codeGrade} (${codeScore}/100)` });
+            const codeSectionFindings = (parsed.findings ?? []).map((f) => ({
+                ruleId: (f.id ?? "unknown"),
+                severity: f.severity,
+                file: (f.file ?? ""),
+                line: (f.line ?? 0),
+                name: f.name,
+                fix: f.fix,
+            }));
+            sections.push({ name: "code", status: "ok", ...counts, details: `Code ${codeGrade} (${codeScore}/100)`, sectionFindings: codeSectionFindings });
             for (const f of parsed.findings ?? []) {
                 allFindings.push({ ruleId: f.id ?? "unknown", severity: f.severity, file: f.file ?? "", line: f.line ?? 0 });
             }
@@ -162,7 +170,16 @@ export async function runFullAudit(path, options) {
             const parsed = safeJsonParse(secretsJson);
             if (parsed) {
                 const counts = parseSectionCounts(parsed);
-                sections.push({ name: "secrets", status: "ok", ...counts, details: counts.findings === 0 ? "No secrets found" : `${counts.findings} secret(s) detected` });
+                const secretFindings = (parsed.findings ?? []).map((f) => ({
+                    ruleId: `SECRET:${(f.provider ?? "unknown")}`,
+                    severity: (f.severity ?? "high"),
+                    file: (f.file ?? ""),
+                    line: (f.line ?? 0),
+                    name: `Secret detected: ${(f.provider ?? "unknown")}`,
+                    description: (f.match ?? f.description ?? ""),
+                    fix: "Move this secret to an environment variable and ensure the file is in .gitignore",
+                }));
+                sections.push({ name: "secrets", status: "ok", ...counts, details: counts.findings === 0 ? "No secrets found" : `${counts.findings} secret(s) detected`, sectionFindings: secretFindings });
                 for (const f of parsed.findings ?? []) {
                     allFindings.push({ ruleId: `SECRET:${f.provider ?? "unknown"}`, severity: f.severity, file: f.file ?? "", line: f.line ?? 0 });
                 }
@@ -182,12 +199,23 @@ export async function runFullAudit(path, options) {
                 if (parsed) {
                     const vuln = parsed.summary?.vulnerable ?? 0;
                     const counts = { findings: vuln, critical: parsed.summary?.critical ?? 0, high: parsed.summary?.high ?? 0, medium: parsed.summary?.medium ?? 0 };
-                    sections.push({ name: "dependencies", status: "ok", ...counts, details: vuln === 0 ? "No known CVEs" : `${vuln} vulnerable package(s)` });
+                    const depFindings = [];
                     for (const pkg of parsed.packages ?? []) {
                         for (const v of pkg.vulnerabilities ?? []) {
-                            allFindings.push({ ruleId: `DEP:${v.id ?? "CVE"}`, severity: v.severity, file: "package.json", line: 0 });
+                            const vuln2 = v;
+                            depFindings.push({
+                                ruleId: `DEP:${(vuln2.id ?? "CVE")}`,
+                                severity: (vuln2.severity ?? "high"),
+                                file: "package.json",
+                                line: 0,
+                                name: `${pkg.name ?? "unknown"}: ${(vuln2.id ?? "CVE")}`,
+                                description: (vuln2.summary ?? vuln2.details ?? ""),
+                                fix: `Run: npm update ${pkg.name ?? ""}`,
+                            });
+                            allFindings.push({ ruleId: `DEP:${vuln2.id ?? "CVE"}`, severity: vuln2.severity, file: "package.json", line: 0 });
                         }
                     }
+                    sections.push({ name: "dependencies", status: "ok", ...counts, details: vuln === 0 ? "No known CVEs" : `${vuln} vulnerable package(s)`, sectionFindings: depFindings });
                 }
             }
             catch {
@@ -204,9 +232,21 @@ export async function runFullAudit(path, options) {
         const parsed = safeJsonParse(configJson);
         if (parsed) {
             const counts = parseSectionCounts(parsed);
-            sections.push({ name: "config", status: "ok", ...counts, details: counts.findings === 0 ? "Config secure" : `${counts.findings} config issue(s)` });
-            for (const f of parsed.findings ?? []) {
-                allFindings.push({ ruleId: f.id ?? f.ruleId ?? "CONFIG", severity: f.severity ?? "medium", file: f.file ?? "", line: f.line ?? 0 });
+            // auditConfig uses "issues" key, not "findings"
+            const rawIssues = parsed.issues ?? parsed.findings ?? [];
+            const configFindings = rawIssues.map((f) => ({
+                ruleId: (f.id ?? f.ruleId ?? "CONFIG"),
+                severity: (f.severity ?? "medium"),
+                file: (Array.isArray(f.files) && f.files.length > 0 ? f.files[0] : (f.file ?? "")),
+                line: (f.line ?? 0),
+                name: (f.title ?? f.name ?? ""),
+                description: (f.description ?? ""),
+                fix: (f.fix ?? ""),
+            }));
+            sections.push({ name: "config", status: "ok", ...counts, details: counts.findings === 0 ? "Config secure" : `${counts.findings} config issue(s)`, sectionFindings: configFindings });
+            for (const f of rawIssues) {
+                const file = Array.isArray(f.files) && f.files.length > 0 ? f.files[0] : (f.file ?? "");
+                allFindings.push({ ruleId: f.id ?? f.ruleId ?? "CONFIG", severity: f.severity ?? "medium", file, line: f.line ?? 0 });
             }
         }
     }
@@ -224,8 +264,31 @@ export async function runFullAudit(path, options) {
             const taintCritical = crossFileFindings.filter(f => f.severity === "critical").length;
             const taintHigh = crossFileFindings.filter(f => f.severity === "high").length;
             const taintMedium = taintTotal - taintCritical - taintHigh;
+            const taintSectionFindings = crossFileFindings.map(f => ({
+                ruleId: `TAINT:${f.sink.type}`,
+                severity: f.severity,
+                file: f.source.file,
+                line: f.source.line,
+                name: `Tainted flow: ${f.source.type} → ${f.sink.type}`,
+                description: `User input from ${f.source.file}:${f.source.line} flows to ${f.sink.type} in ${f.sink.file}:${f.sink.line}`,
+                fix: `Add input validation at ${f.source.file}:${f.source.line} or output encoding at ${f.sink.file}:${f.sink.line}`,
+            }));
+            // Add per-file findings
+            for (const [file, findings] of perFileFindings) {
+                for (const pf of findings) {
+                    taintSectionFindings.push({
+                        ruleId: `TAINT:${pf.sink.type}`,
+                        severity: "medium",
+                        file,
+                        line: pf.source.line,
+                        name: `Tainted flow: ${pf.source.type} → ${pf.sink.type}`,
+                        description: `${pf.source.type} (${pf.source.variable}) at line ${pf.source.line} flows to ${pf.sink.type} at line ${pf.sink.line}`,
+                        fix: `Add validation/sanitization at line ${pf.source.line} before ${pf.sink.type} usage at line ${pf.sink.line}`,
+                    });
+                }
+            }
             sections.push({ name: "taint", status: "ok", findings: taintTotal, critical: taintCritical, high: taintHigh, medium: taintMedium,
-                details: taintTotal === 0 ? "No tainted data flows" : `${taintTotal} tainted flow(s)` });
+                details: taintTotal === 0 ? "No tainted data flows" : `${taintTotal} tainted flow(s)`, sectionFindings: taintSectionFindings });
             for (const f of crossFileFindings) {
                 allFindings.push({ ruleId: `TAINT:${f.sink.type}`, severity: f.severity, file: f.source.file, line: f.source.line });
             }
@@ -244,8 +307,17 @@ export async function runFullAudit(path, options) {
             const config = loadConfig(projectRoot);
             const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles, config.authExceptions);
             const unprotected = report.unprotectedRoutes;
+            const authFindings = report.unprotectedList.map(r => ({
+                ruleId: "AUTH:UNPROTECTED",
+                severity: "high",
+                file: r.filePath,
+                line: 0,
+                name: `Unprotected route: ${r.urlPath} (${r.method})`,
+                description: `Route ${r.urlPath} has no auth guard, middleware protection, or layout-level auth`,
+                fix: `Add auth guard to ${r.filePath}, or add {"path": "${r.urlPath}", "reason": "Public page"} to .guardviberc authExceptions`,
+            }));
             sections.push({ name: "auth-coverage", status: "ok", findings: unprotected, critical: 0, high: unprotected > 0 ? unprotected : 0, medium: 0,
-                details: `${report.protectedRoutes}/${report.totalRoutes} routes protected (${report.middlewareCoveragePercent}% middleware)` });
+                details: `${report.protectedRoutes}/${report.totalRoutes} routes protected (${report.middlewareCoveragePercent}% middleware)`, sectionFindings: authFindings });
         }
     }
     catch { /* auth coverage is optional */ }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.14",
+  "version": "3.0.16",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",