guardvibe 3.0.15 → 3.0.17

package/build/data/rules/nextjs.js

@@ -66,7 +66,7 @@ export const nextjsRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "next.config is missing important security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options).",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{0,20}return\s+\[(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
         languages: ["javascript", "typescript"],
         fix: "Add security headers in next.config.ts headers() function.",
         fixCode: '// next.config.ts\nasync headers() {\n  return [{\n    source: "/(.*)",\n    headers: [\n      { key: "X-Frame-Options", value: "DENY" },\n      { key: "X-Content-Type-Options", value: "nosniff" },\n      { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },\n    ]\n  }];\n}',

package/build/tools/full-audit.js

@@ -169,8 +169,14 @@ export async function runFullAudit(path, options) {
             const secretsJson = scanSecrets(projectRoot, true, "json");
             const parsed = safeJsonParse(secretsJson);
             if (parsed) {
-                const counts = parseSectionCounts(parsed);
-                const secretFindings = (parsed.findings ?? []).map((f) => ({
+                // Filter out gitignored secrets — they're local dev files, not a security risk
+                const rawFindings = parsed.findings ?? [];
+                const actionableFindings = rawFindings.filter((f) => f.gitStatus !== "ignored");
+                const ignoredCount = rawFindings.length - actionableFindings.length;
+                const actionableCritical = actionableFindings.filter((f) => f.severity === "critical").length;
+                const actionableHigh = actionableFindings.filter((f) => f.severity === "high").length;
+                const actionableMedium = actionableFindings.length - actionableCritical - actionableHigh;
+                const secretFindings = actionableFindings.map((f) => ({
                     ruleId: `SECRET:${(f.provider ?? "unknown")}`,
                     severity: (f.severity ?? "high"),
                     file: (f.file ?? ""),
@@ -179,8 +185,15 @@ export async function runFullAudit(path, options) {
                     description: (f.match ?? f.description ?? ""),
                     fix: "Move this secret to an environment variable and ensure the file is in .gitignore",
                 }));
-                sections.push({ name: "secrets", status: "ok", ...counts, details: counts.findings === 0 ? "No secrets found" : `${counts.findings} secret(s) detected`, sectionFindings: secretFindings });
-                for (const f of parsed.findings ?? []) {
+                const detailText = actionableFindings.length === 0
+                    ? (ignoredCount > 0 ? `${ignoredCount} secret(s) in .gitignore (safe)` : "No secrets found")
+                    : `${actionableFindings.length} secret(s) detected${ignoredCount > 0 ? ` (${ignoredCount} in .gitignore excluded)` : ""}`;
+                sections.push({
+                    name: "secrets", status: "ok",
+                    findings: actionableFindings.length, critical: actionableCritical, high: actionableHigh, medium: actionableMedium,
+                    details: detailText, sectionFindings: secretFindings,
+                });
+                for (const f of actionableFindings) {
                     allFindings.push({ ruleId: `SECRET:${f.provider ?? "unknown"}`, severity: f.severity, file: f.file ?? "", line: f.line ?? 0 });
                 }
             }
@@ -232,18 +245,21 @@ export async function runFullAudit(path, options) {
         const parsed = safeJsonParse(configJson);
         if (parsed) {
             const counts = parseSectionCounts(parsed);
-            const configFindings = (parsed.findings ?? []).map((f) => ({
+            // auditConfig uses "issues" key, not "findings"
+            const rawIssues = parsed.issues ?? parsed.findings ?? [];
+            const configFindings = rawIssues.map((f) => ({
                 ruleId: (f.id ?? f.ruleId ?? "CONFIG"),
                 severity: (f.severity ?? "medium"),
-                file: (f.file ?? ""),
+                file: (Array.isArray(f.files) && f.files.length > 0 ? f.files[0] : (f.file ?? "")),
                 line: (f.line ?? 0),
-                name: (f.name ?? f.description ?? ""),
-                description: (f.description ?? f.details ?? ""),
-                fix: (f.fix ?? f.remediation ?? ""),
+                name: (f.title ?? f.name ?? ""),
+                description: (f.description ?? ""),
+                fix: (f.fix ?? ""),
             }));
             sections.push({ name: "config", status: "ok", ...counts, details: counts.findings === 0 ? "Config secure" : `${counts.findings} config issue(s)`, sectionFindings: configFindings });
-            for (const f of parsed.findings ?? []) {
-                allFindings.push({ ruleId: f.id ?? f.ruleId ?? "CONFIG", severity: f.severity ?? "medium", file: f.file ?? "", line: f.line ?? 0 });
+            for (const f of rawIssues) {
+                const file = Array.isArray(f.files) && f.files.length > 0 ? f.files[0] : (f.file ?? "");
+                allFindings.push({ ruleId: f.id ?? f.ruleId ?? "CONFIG", severity: f.severity ?? "medium", file, line: f.line ?? 0 });
             }
         }
     }
@@ -378,60 +394,54 @@ function buildInlineRemediationPlan(result) {
             priority: 1,
             tool: "scan_secrets",
             actions: [
-                "MCP: Call scan_secrets with format: json — OR CLI: run `npx guardvibe scan --format json` and look for SECRET: findings in the output",
-                "For EACH secret found: (a) if it's in a .env file, ensure .env* is in .gitignore, (b) if it's hardcoded in source code, move it to an environment variable, (c) NEVER dismiss secrets as 'already in .gitignore' — if GuardVibe found it, the FILE exists and contains real values",
-                "Rotate any API keys/tokens that were committed to git history — run `git log --all -p -S 'YOUR_KEY_PREFIX' -- '*.env*'` to check",
-                "MCP: Call scan_secrets_history — OR CLI: run `npx guardvibe scan --format json` to verify",
-                "Re-run the scan and confirm secret count dropped to 0. If it didn't, your fix didn't work — try again",
+                "Look at sectionFindings above — each has file, line, description",
+                "For each: move hardcoded secret to .env, add file to .gitignore",
+                "Verify: run `npx guardvibe audit --format json 2>&1 | head -1` — secrets count must be 0",
             ],
         },
         code: {
             priority: 2,
             tool: "scan_directory",
             actions: [
-                "MCP: Call scan_directory with format: json — OR CLI: run `npx guardvibe scan --format json` to get full finding list",
-                "Fix ALL critical and high severity findings. Read each flagged file, understand the vulnerability, apply the fix suggested in the finding",
-                "After fixing each file, re-scan it: MCP: Call scan_file — OR CLI: run `npx guardvibe check <file> --format json` to confirm the finding is gone",
-                "Re-run full scan to confirm total code findings dropped",
+                "Look at sectionFindings above — each has ruleId, file, line, fix",
+                "Read each file, apply the fix. Run `npx guardvibe explain <RULE_ID>` if unclear",
+                "Verify each file: `npx guardvibe check <file> --format json` — must show 0 findings",
             ],
         },
         dependencies: {
             priority: 3,
             tool: "scan_dependencies",
             actions: [
-                "MCP: Call scan_dependencies with format: json — OR CLI: run `npx guardvibe scan --format json` and check dependency findings, also run `npm audit`",
-                "Run `npm audit fix` to auto-fix what's possible. If that doesn't work, run `npm update <package>` for each vulnerable package",
-                "If a package can't be updated (breaking changes), find an alternative or pin to a patched version",
-                "Re-run `npx guardvibe audit` and confirm dependency findings dropped to 0",
+                "Look at sectionFindings above — each has package name and CVE",
+                "Run `npm update <package>` for each. If already latest, check for alternative package",
+                "Verify: re-run audit — dependencies count must drop",
             ],
         },
         config: {
             priority: 4,
             tool: "audit_config",
             actions: [
-                "MCP: Call audit_config with format: json — OR CLI: run `npx guardvibe audit --format json` and parse the config section details",
-                "Common config fixes: add missing security headers in next.config.ts (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy), set poweredByHeader: false, configure CORS properly",
-                "MCP: Call explain_remediation for each rule ID — OR CLI: run `npx guardvibe explain <RULE_ID>` to get specific fix guidance",
-                "Re-run audit and confirm config findings dropped",
+                "Look at sectionFindings above — each has ruleId, file, title, fix",
+                "Run `npx guardvibe explain <RULE_ID>` for each finding to get exact fix code",
+                "Apply fixes to the listed files. Verify: re-run audit — config count must drop",
             ],
         },
         taint: {
             priority: 5,
             tool: "analyze_cross_file_dataflow",
             actions: [
-                "MCP: Call analyze_cross_file_dataflow — OR CLI: run `npx guardvibe audit --format json` and parse the taint section. Look for user input (URL params, form data, req.body) flowing to dangerous sinks (SQL, HTML, file system)",
-                "Fix each tainted flow: add Zod/joi validation at the input source, use parameterized queries for SQL, use sanitizeUrl/DOMPurify for HTML output, validate file paths",
-                "Re-run audit and confirm taint findings dropped to 0",
+                "Look at sectionFindings above — each shows source file:line → sink file:line",
+                "Add input validation (Zod) at source, or sanitization at sink",
+                "Verify: re-run audit — taint count must be 0",
             ],
         },
         "auth-coverage": {
             priority: 6,
             tool: "auth_coverage",
             actions: [
-                "MCP: Call auth_coverage with format: json — OR CLI: run `npx guardvibe auth-coverage --format json` to list all unprotected routes",
-                "For each unprotected route: (a) if it needs auth, add middleware or auth guard (Clerk/NextAuth/Supabase), (b) if it's intentionally public (homepage, blog, about, etc.), add it to .guardviberc file under authExceptions with a reason",
-                "Create or update .guardviberc in project root: {\"authExceptions\": [{\"path\": \"/blog\", \"reason\": \"Public page\"}]}",
-                "Re-run `npx guardvibe auth-coverage --format json` and confirm unprotected count matches your authExceptions count",
+                "Look at sectionFindings above — each shows unprotected route path and file",
+                "Add auth guard, or add to .guardviberc authExceptions: {\"path\": \"/route\", \"reason\": \"Public\"}",
+                "Verify: `npx guardvibe auth-coverage --format json` — unprotected must be 0",
             ],
         },
     };
@@ -468,14 +478,11 @@ export function formatAuditResult(result, format) {
                 ...result,
                 remediationPlan: {
                     totalSectionsWithFindings: plan.length,
-                    warning: `MANDATORY: You must fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call verify_remediation to confirm.`,
+                    warning: `FIX ALL ${plan.length} SECTIONS. Each section has sectionFindings with exact file, line, and fix. Process every finding. After ALL sections: re-run audit to verify.`,
                     rules: [
-                        "Do NOT dismiss findings as 'false positive' without running the section-specific tool first and verifying the finding is genuinely wrong.",
-                        "Do NOT say 'npm audit is clean' to skip dependencies — GuardVibe uses the OSV database which may detect CVEs that npm audit misses.",
-                        "Do NOT say 'already in .gitignore' to skip secrets — if GuardVibe detects secrets, they exist in the scanned files and must be removed or moved to env vars.",
-                        "Do NOT skip auth-coverage by saying routes are 'intentionally public' — either add auth guards or add them to .guardviberc authExceptions so the scanner recognizes them.",
-                        "After fixing each section, re-run the section-specific tool to confirm the finding count dropped. If it didn't drop, your fix didn't work.",
-                        "Only call verify_remediation AFTER you have worked through ALL sections and confirmed each one improved.",
+                        "NEVER use 'npx guardvibe diff' — use 'npx guardvibe audit --format json 2>&1 | head -1'",
+                        "Fix EVERY finding in sectionFindings — not just one section",
+                        "After fixing, re-run audit and verify finding count dropped",
                     ],
                     steps: plan,
                 },
@@ -551,14 +558,7 @@ export function formatAuditResult(result, format) {
             lines.push(``);
             lines.push(`## Mandatory Remediation Plan`);
             lines.push(``);
-            lines.push(`> **IMPORTANT: You MUST fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call \`verify_remediation\` to confirm.**`);
-            lines.push(``);
-            lines.push(`**Rules:**`);
-            lines.push(`- Do NOT dismiss findings as "false positive" without running the section-specific tool first`);
-            lines.push(`- Do NOT say "npm audit is clean" to skip dependencies — GuardVibe uses OSV which may detect CVEs npm misses`);
-            lines.push(`- Do NOT say "already in .gitignore" to skip secrets — if detected, they exist in scanned files`);
-            lines.push(`- After fixing each section, re-run the section tool to confirm finding count dropped`);
-            lines.push(`- Only call verify_remediation AFTER all sections show improvement`);
+            lines.push(`> **FIX ALL ${plan.length} SECTIONS. Each section's sectionFindings has exact file, line, and fix. Process every finding. Re-run audit after ALL sections to verify.**`);
             lines.push(``);
             for (const step of plan) {
                 lines.push(`### Step ${step.priority}: ${step.section} (${step.findings} findings — ${step.critical} critical, ${step.high} high)`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.15",
+  "version": "3.0.17",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",