guardvibe 3.0.3 → 3.0.6

package/build/cli/check-cmd.d.ts

@@ -0,0 +1 @@
+export declare function runCheckCmd(args: string[]): Promise<void>;

package/build/cli/check-cmd.js

@@ -0,0 +1,17 @@
+/**
+ * CLI: guardvibe check-cmd "<command>"
+ * Check if a shell command is safe to execute.
+ */
+import { parseArgs } from "./args.js";
+import { checkCommand } from "../tools/check-command.js";
+export async function runCheckCmd(args) {
+    const { flags, positional } = parseArgs(args);
+    const command = positional.join(" ");
+    if (!command) {
+        console.error('  [ERR] Please specify a command: npx guardvibe check-cmd "rm -rf /"');
+        process.exit(1);
+    }
+    const format = (flags.format === "json" ? "json" : "markdown");
+    const result = checkCommand(command, process.cwd(), undefined, format);
+    console.log(result);
+}

package/build/cli/explain.d.ts

@@ -0,0 +1 @@
+export declare function runExplain(args: string[]): Promise<void>;

package/build/cli/explain.js

@@ -0,0 +1,17 @@
+/**
+ * CLI: guardvibe explain <ruleId>
+ * Get detailed remediation guidance for a security rule.
+ */
+import { parseArgs } from "./args.js";
+import { explainRemediation } from "../tools/explain-remediation.js";
+export async function runExplain(args) {
+    const { flags, positional } = parseArgs(args);
+    const ruleId = positional[0];
+    if (!ruleId) {
+        console.error("  [ERR] Please specify a rule ID: npx guardvibe explain VG154");
+        process.exit(1);
+    }
+    const format = (flags.format === "json" ? "json" : "markdown");
+    const result = explainRemediation(ruleId, undefined, format);
+    console.log(result);
+}

package/build/cli/fix.d.ts

@@ -0,0 +1 @@
+export declare function runFix(args: string[]): Promise<void>;

package/build/cli/fix.js

@@ -0,0 +1,35 @@
+/**
+ * CLI: guardvibe fix <file>
+ * Get security fix suggestions for a file.
+ */
+import { readFileSync } from "fs";
+import { resolve, extname } from "path";
+import { parseArgs } from "./args.js";
+import { fixCode } from "../tools/fix-code.js";
+import { EXTENSION_MAP } from "../utils/constants.js";
+export async function runFix(args) {
+    const { flags, positional } = parseArgs(args);
+    const filePath = positional[0];
+    if (!filePath) {
+        console.error("  [ERR] Please specify a file: npx guardvibe fix src/app/api/route.ts");
+        process.exit(1);
+    }
+    const resolved = resolve(filePath);
+    let content;
+    try {
+        content = readFileSync(resolved, "utf-8");
+    }
+    catch {
+        console.error(`  [ERR] Could not read file: ${resolved}`);
+        process.exit(1);
+    }
+    const ext = extname(resolved).toLowerCase();
+    const language = EXTENSION_MAP[ext];
+    if (!language) {
+        console.error(`  [ERR] Unsupported file type: ${ext}`);
+        process.exit(1);
+    }
+    const format = (flags.format === "json" ? "json" : "markdown");
+    const result = fixCode(content, language, undefined, resolved, format);
+    console.log(result);
+}

package/build/cli.js

@@ -23,6 +23,9 @@ function printUsage() {
     npx guardvibe check <file>       Scan a single file for security issues
     npx guardvibe doctor [path]      Run host security audit
     npx guardvibe audit [path]       Full security audit with PASS/FAIL verdict
+    npx guardvibe explain <ruleId>   Get detailed remediation guidance for a rule
+    npx guardvibe fix <file>         Get security fix suggestions for a file
+    npx guardvibe check-cmd "<cmd>"  Check if a shell command is safe to execute
     npx guardvibe init <platform>    Setup MCP server configuration
     npx guardvibe hook install       Install pre-commit security hook
     npx guardvibe hook uninstall     Remove pre-commit security hook
@@ -127,6 +130,18 @@ async function main() {
         const { runAudit } = await import("./cli/audit.js");
         await runAudit(subArgs);
     }
+    else if (command === "explain") {
+        const { runExplain } = await import("./cli/explain.js");
+        await runExplain(subArgs);
+    }
+    else if (command === "fix") {
+        const { runFix } = await import("./cli/fix.js");
+        await runFix(subArgs);
+    }
+    else if (command === "check-cmd") {
+        const { runCheckCmd } = await import("./cli/check-cmd.js");
+        await runCheckCmd(subArgs);
+    }
     else {
         console.error(`  Unknown command: ${command}`);
         printUsage();

package/build/index.js

@@ -43,13 +43,25 @@ import { fixCode as fixCodeTool } from "./tools/fix-code.js";
 import { analyzeAuthCoverage, formatAuthCoverage } from "./tools/auth-coverage.js";
 import { buildDeepScanPrompt, parseDeepScanResult, formatDeepScanFindings, callLLM } from "./tools/deep-scan.js";
 import { runFullAudit, formatAuditResult } from "./tools/full-audit.js";
+// Helper: merge stats summary into JSON output instead of concatenating two JSON objects
+function mergeStatsIntoOutput(results, summary, format) {
+    if (format === "json" && summary) {
+        try {
+            const parsed = JSON.parse(results);
+            const stats = JSON.parse(summary);
+            return JSON.stringify({ ...parsed, _meta: stats.guardvibeStats ?? stats });
+        }
+        catch { /* fall through */ }
+    }
+    return results + summary;
+}
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
     description: "Security MCP for vibe coding — single source of truth for AI assistants. 334 security rules and 34 tools. Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.",
 });
 // Tool 1: Analyze code for security vulnerabilities
-server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
+server.tool("check_code", "Analyze inline code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Pass code as a string parameter. For scanning files on disk, use scan_file instead. Example: check_code({code: 'app.get(...)', language: 'javascript'})", {
     code: z.string().describe("The code snippet to analyze"),
     language: z
         .enum(["javascript", "typescript", "python", "go", "dockerfile", "html", "sql", "shell", "yaml", "terraform", "firestore"])
@@ -67,7 +79,7 @@ server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top
     recordScan(cwd, { toolName: "check_code", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
     const summary = getSummaryLine(cwd, findings.length, format);
     return {
-        content: [{ type: "text", text: results + summary }],
+        content: [{ type: "text", text: mergeStatsIntoOutput(results, summary, format) }],
     };
 });
 // Tool 2: Scan entire project for security vulnerabilities
@@ -100,7 +112,7 @@ server.tool("check_project", "Scan multiple files for security vulnerabilities a
     }
     const summary = getSummaryLine(cwd, findingCount, format);
     return {
-        content: [{ type: "text", text: results + summary }],
+        content: [{ type: "text", text: mergeStatsIntoOutput(results, summary, format) }],
     };
 });
 // Tool 3: Get security documentation and best practices (renumbered from Tool 2)
@@ -146,7 +158,7 @@ server.tool("check_dependencies", "Check npm, PyPI, or Go packages for known sec
     }
 });
 // Tool 5: Scan directory for security vulnerabilities (filesystem-native)
-server.tool("scan_directory", "Scan an entire project directory for security vulnerabilities. Reads files directly from the filesystem — no need to pass file contents. Returns a security score (A-F) and detailed findings. Includes scan metadata (ID, timestamp, duration, file hashes) for audit trails. Use baseline to compare with a previous scan.", {
+server.tool("scan_directory", "Scan all files in a directory on disk for security vulnerabilities. Pass a directory path — reads files from filesystem. Returns security score (A-F) and findings. Results may be truncated for large projects — check fileRanking in JSON output for top files. Example: scan_directory({path: './src'})", {
     path: z.string().describe("Directory path to scan (e.g. './src', '.')"),
     recursive: z.boolean().optional().default(true).describe("Scan subdirectories"),
     exclude: z.array(z.string()).optional().default([]).describe("Additional directories to exclude"),
@@ -174,7 +186,7 @@ server.tool("scan_directory", "Scan an entire project directory for security vul
         recordScan(root, { toolName: "scan_directory", filesScanned: 0, findings: [] });
     }
     const summary = getSummaryLine(root, findingCount, format);
-    return { content: [{ type: "text", text: results + summary }] };
+    return { content: [{ type: "text", text: mergeStatsIntoOutput(results, summary, format) }] };
 });
 // Tool 6: Scan manifest/lockfile for dependency vulnerabilities
 server.tool("scan_dependencies", "Parse a lockfile or manifest (package.json, package-lock.json, requirements.txt, go.mod) and check all dependencies for known CVEs via the OSV database. Reads the file directly. Use this after installing dependencies, during CI, or when auditing existing projects for vulnerable packages.", {
@@ -239,10 +251,10 @@ server.tool("scan_staged", "Scan git-staged files for security vulnerabilities b
         recordScan(cwd, { toolName: "scan_staged", filesScanned: 0, findings: [] });
     }
     const summary = getSummaryLine(cwd, findingCount, format);
-    return { content: [{ type: "text", text: results + summary }] };
+    return { content: [{ type: "text", text: mergeStatsIntoOutput(results, summary, format) }] };
 });
 // Tool 9: Generate compliance-focused security report
-server.tool("compliance_report", "Map security scan findings to compliance framework controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EUAIACT). Scans a directory and groups code-level security issues by the compliance control they relate to. Includes exploit scenarios and remediation evidence for each finding. Use mode=executive for a risk summary. Note: this maps code vulnerabilities to controls — it does not perform a compliance audit or replace professional assessment.", {
+server.tool("compliance_report", "Map security findings to compliance controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EUAIACT). Scans a directory and groups issues by control. Output includes a summary section at the top; for large projects, findings are truncated to top 50. Use mode=executive for C-level summary. Example: compliance_report({path: '.', framework: 'SOC2'})", {
     path: z.string().describe("Directory to scan"),
     framework: z.enum(["SOC2", "PCI-DSS", "HIPAA", "GDPR", "ISO27001", "EUAIACT", "all"]).describe("Compliance framework"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
@@ -275,7 +287,7 @@ server.tool("check_package_health", "Check npm packages for typosquat risk, main
     }
 });
 // Tool 12: Auto-fix security vulnerabilities
-server.tool("fix_code", "Analyze code for security vulnerabilities and return fix suggestions with concrete patches. The AI agent can apply these patches to automatically fix issues. Returns structured fix data including before/after code, severity, and line numbers.", {
+server.tool("fix_code", "Pass vulnerable code as a string and get fix suggestions with before/after patches. Returns structured edit instructions (line numbers, severity, confidence). Use verify_fix afterwards to confirm the fix resolved the issue. Example: fix_code({code: '...', language: 'typescript'})", {
     code: z.string().describe("The code snippet to analyze and fix"),
     language: z
         .enum(["javascript", "typescript", "python", "go", "dockerfile", "html", "sql", "shell", "yaml", "terraform", "firestore"])
@@ -301,7 +313,7 @@ server.tool("fix_code", "Analyze code for security vulnerabilities and return fi
     };
 });
 // Tool 13: Cross-file configuration security audit
-server.tool("audit_config", "Audit project configuration files (next.config, middleware/proxy, .env, vercel.json) together for cross-file security issues. Detects gaps that single-file scanning misses: missing security headers, unprotected routes, exposed secrets, middleware/route mismatches.", {
+server.tool("audit_config", "Audit application config files (next.config, middleware, .env, vercel.json) for cross-file security gaps: missing headers, unprotected routes, exposed secrets. NOT the same as guardvibe_doctor which checks AI host security (MCP configs, hooks). Example: audit_config({path: '.'})", {
     path: z.string().describe("Project root directory to audit"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
 }, async ({ path, format }) => {
@@ -362,16 +374,66 @@ server.tool("analyze_dataflow", "Track user input (request body, URL params, for
     return { content: [{ type: "text", text: results }] };
 });
 // Tool 18b: Cross-File Taint/Dataflow Analysis
-server.tool("analyze_cross_file_dataflow", "Track user input flowing across module boundaries — detects injection vulnerabilities that span multiple files. Resolves imports/exports, builds a module graph, and follows tainted data from HTTP handlers through helper functions to dangerous sinks (SQL, eval, redirect, file ops). Pass all related files for best results.", {
+server.tool("analyze_cross_file_dataflow", "Track user input flowing across module boundaries — detects injection vulnerabilities spanning multiple files. Pass files array with file contents. For single-file analysis, use analyze_dataflow instead. Example: analyze_cross_file_dataflow({files: [{path: 'src/api.ts', content: '...'}, {path: 'src/db.ts', content: '...'}]})", {
+    path: z.string().optional().describe("Project directory path. When provided, auto-discovers all JS/TS files — no need to pass file contents manually."),
     files: z
         .array(z.object({
         path: z.string().describe("Relative file path (e.g. src/lib/db.ts)"),
         content: z.string().describe("File source code"),
     }))
-        .describe("List of files to analyze: [{path, content}]"),
+        .default([])
+        .describe("List of files to analyze (ignored when path is provided)"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
-}, async ({ files, format }) => {
-    const { crossFileFindings, perFileFindings } = analyzeCrossFileTaint(files);
+}, async ({ path, files, format }) => {
+    let analysisFiles = files;
+    if (path) {
+        const { readdirSync, readFileSync, statSync } = await import("fs");
+        const { resolve: resolvePath } = await import("path");
+        const jsFiles = [];
+        const skip = new Set(["node_modules", ".git", ".next", "build", "dist", ".turbo", "coverage"]);
+        function walk(d) {
+            if (jsFiles.length >= 500)
+                return;
+            let entries;
+            try {
+                entries = readdirSync(d);
+            }
+            catch {
+                return;
+            }
+            for (const entry of entries) {
+                if (jsFiles.length >= 500)
+                    return;
+                if (skip.has(entry))
+                    continue;
+                const full = resolvePath(d, entry);
+                let stat;
+                try {
+                    stat = statSync(full);
+                }
+                catch {
+                    continue;
+                }
+                if (stat.isDirectory()) {
+                    walk(full);
+                    continue;
+                }
+                if (!/\.(ts|tsx|js|jsx)$/.test(entry))
+                    continue;
+                if (stat.size > 100_000)
+                    continue;
+                try {
+                    const content = readFileSync(full, "utf-8");
+                    const relPath = full.replace(resolvePath(path) + "/", "");
+                    jsFiles.push({ path: relPath, content });
+                }
+                catch { /* skip unreadable */ }
+            }
+        }
+        walk(resolvePath(path));
+        analysisFiles = jsFiles;
+    }
+    const { crossFileFindings, perFileFindings } = analyzeCrossFileTaint(analysisFiles);
     const total = crossFileFindings.length + Array.from(perFileFindings.values()).reduce((sum, f) => sum + f.length, 0);
     if (total === 0) {
         if (format === "json")
@@ -410,7 +472,7 @@ server.tool("repo_security_posture", "Analyze a repository's overall security po
     return { content: [{ type: "text", text: results }] };
 });
 // Tool 22: Explain Remediation
-server.tool("explain_remediation", "Deep explanation of a security finding: why it's risky, real-world impact, exploit scenario, minimum fix, secure alternative, breaking risk assessment, and test strategy. Helps agents apply fixes correctly.", {
+server.tool("explain_remediation", "Pass a GuardVibe rule ID (e.g. VG154) to get a detailed explanation: risk assessment, exploit scenario, minimum fix, secure alternative, and test strategy. Optionally pass the affected code snippet for context-aware guidance. Example: explain_remediation({rule_id: 'VG402'})", {
     rule_id: z.string().describe("GuardVibe rule ID (e.g. VG001, VG402)"),
     code: z.string().optional().describe("Affected code snippet for context"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
@@ -420,7 +482,7 @@ server.tool("explain_remediation", "Deep explanation of a security finding: why
     return { content: [{ type: "text", text: results }] };
 });
 // Tool 23: Quick file scan — designed for real-time integration
-server.tool("scan_file", "Scan a single file from disk for security vulnerabilities. Returns only findings (no boilerplate). Designed for real-time use: call this after editing a file to catch security issues immediately. Lightweight and fast — reads the file, detects language, and returns findings in JSON.", {
+server.tool("scan_file", "Scan a single file on disk by path for security vulnerabilities. Pass a file path — the tool reads the file itself. For inline code snippets, use check_code instead. Example: scan_file({file_path: 'src/api/route.ts'})", {
     file_path: z.string().describe("Absolute or relative path to the file to scan"),
     format: z.enum(["markdown", "json"]).default("json").describe("Output format"),
 }, async ({ file_path, format }) => {
@@ -459,9 +521,9 @@ server.tool("scan_file", "Scan a single file from disk for security vulnerabilit
             confidence: f.confidence,
             effort: f.effort,
         })).filter((f) => f.edit);
-        return { content: [{ type: "text", text: JSON.stringify(parsed) + summary }] };
+        return { content: [{ type: "text", text: mergeStatsIntoOutput(JSON.stringify(parsed), summary, format) }] };
     }
-    return { content: [{ type: "text", text: result + summary }] };
+    return { content: [{ type: "text", text: mergeStatsIntoOutput(result, summary, format) }] };
 });
 // Tool 24: Scan changed files only — for incremental CI/CD and PR workflows
 server.tool("scan_changed_files", "Scan only files that have changed since a given git ref (branch, commit, or HEAD~N). Ideal for PR checks, pre-push hooks, and incremental CI. Returns findings only for modified/added files.", {
@@ -522,10 +584,10 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
         const critical = allFindings.filter(f => f.severity === "critical").length;
         const high = allFindings.filter(f => f.severity === "high").length;
         const medium = allFindings.filter(f => f.severity === "medium").length;
-        return { content: [{ type: "text", text: JSON.stringify({
+        return { content: [{ type: "text", text: mergeStatsIntoOutput(JSON.stringify({
                         summary: { total: allFindings.length, critical, high, medium, low: 0, blocked: critical > 0 || high > 0, changedFiles: changedFiles.length },
                         findings: allFindings,
-                    }) + statsSummary }] };
+                    }), statsSummary, format) }] };
     }
     // Markdown
     const lines = [`# GuardVibe Changed Files Report`, ``, `Base: ${base}`, `Changed files: ${changedFiles.length}`, `Issues found: ${allFindings.length}`, ``];
@@ -539,7 +601,7 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
             lines.push(`- [${f.severity.toUpperCase()}] **${f.name}** (${f.id}) in \`${f.file}\`:${f.line} — ${f.fix}`);
         }
     }
-    return { content: [{ type: "text", text: lines.join("\n") + statsSummary }] };
+    return { content: [{ type: "text", text: mergeStatsIntoOutput(lines.join("\n"), statsSummary, format) }] };
 });
 // Tool 25: Security statistics dashboard
 server.tool("security_stats", "Show cumulative security statistics, grade trend, and vulnerability fix progress for this project. Use this to demonstrate the value of GuardVibe security scanning over time. Data is stored locally in .guardvibe/stats.json.", {
@@ -576,7 +638,7 @@ server.tool("scan_host_config", "Scan host environment for AI security issues: A
     return { content: [{ type: "text", text: redactSecrets(output) }] };
 });
 // Tool 28: Unified host hardening scanner (doctor)
-server.tool("guardvibe_doctor", "Comprehensive AI host security audit. Scans MCP configurations, hooks, environment variables, shell profiles, and permissions for known attack vectors (CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, tool result injection, supply chain attacks). Reports trust state, verdict, and confidence for each finding. Supports allowlists via .guardviberc. Use scope=project (default) for project-only scan, scope=host to include shell profiles and global configs.", {
+server.tool("guardvibe_doctor", "Check AI host security: MCP configurations, hooks, base URL hijacking, environment variable exposure. NOT the same as audit_config which checks application config files (next.config, .env, headers). Use scope=project (default) for project-only, scope=host to include shell profiles and global AI configs. Example: guardvibe_doctor({scope: 'project'})", {
     path: z.string().default(".").describe("Project root directory"),
     scope: z.enum(["project", "host", "full"]).default("project").describe("Scan scope: project (default, .claude.json + .cursor/ + .vscode/ + .env), host (+ shell profiles + global MCP configs), full (+ home dir configs)"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable)"),
@@ -596,7 +658,7 @@ server.tool("verify_fix", "Verify that a specific security fix was applied corre
     return { content: [{ type: "text", text: JSON.stringify(result) }] };
 });
 // Tool 30: Security workflow guide for AI agents
-server.tool("security_workflow", "Get the recommended GuardVibe security workflow for your current task. Returns which tools to call, in what order, and with what parameters. Use this when you're unsure which GuardVibe tool to use.", {
+server.tool("security_workflow", "Get the recommended GuardVibe tool sequence for your current task. Returns which tools to call, in what order, and with what parameters. Use this when unsure which tool to use. Example: security_workflow({task: 'pre_commit'})", {
     task: z.enum([
         "writing_code",
         "pre_commit",
@@ -609,7 +671,7 @@ server.tool("security_workflow", "Get the recommended GuardVibe security workflo
         "publish_package",
         "security_audit",
         "incident_response",
-    ]).describe("What you are currently doing"),
+    ]).describe("Current task: writing_code (after edits), pre_commit (before commit), pr_review (reviewing PR), new_project (initial setup), fix_vulnerabilities (fixing known issues), compliance_mapping (audit against framework), dependency_check (check deps), merge_to_main (pre-merge gate), publish_package (pre-publish checks), security_audit (comprehensive audit), incident_response (post-breach investigation)"),
 }, async ({ task }) => {
     const workflows = {
         writing_code: {
@@ -715,14 +777,67 @@ server.tool("security_workflow", "Get the recommended GuardVibe security workflo
     return { content: [{ type: "text", text: JSON.stringify(workflows[task]) }] };
 });
 // Tool 31: Auth coverage map
-server.tool("auth_coverage", "Analyze authentication coverage across all Next.js App Router routes. Enumerates API routes and pages, parses middleware matchers, detects auth guards (Clerk, NextAuth, Supabase, custom), and reports which routes are protected vs unprotected. Use this to find gaps in your auth layer.", {
+server.tool("auth_coverage", "Analyze authentication coverage across Next.js App Router routes. Detects auth guards (Clerk, NextAuth, Supabase, custom) and reports protected vs unprotected routes. Pass files array with route file contents and middleware content. Example: auth_coverage({files: [{path: 'app/api/users/route.ts', content: '...'}], middleware: '...'})", {
+    path: z.string().optional().describe("Project directory path. When provided, auto-discovers all route, page, layout, and middleware files — no need to pass file contents manually."),
     files: z.array(z.object({
         path: z.string().describe("File path relative to project root (e.g. app/api/users/route.ts)"),
         content: z.string().describe("File source code"),
-    })).describe("Route and page files from app/ directory"),
-    middleware: z.string().default("").describe("Content of middleware.ts file (empty if none)"),
+    })).default([]).describe("Route and page files from app/ directory (ignored when path is provided)"),
+    middleware: z.string().default("").describe("Content of middleware.ts file (ignored when path is provided)"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
-}, async ({ files, middleware, format }) => {
+}, async ({ path, files, middleware, format }) => {
+    if (path) {
+        const { readdirSync, readFileSync, statSync } = await import("fs");
+        const { resolve: resolvePath } = await import("path");
+        const jsFiles = [];
+        const skip = new Set(["node_modules", ".git", ".next", "build", "dist", ".turbo", "coverage"]);
+        function walk(d) {
+            if (jsFiles.length >= 500)
+                return;
+            let entries;
+            try {
+                entries = readdirSync(d);
+            }
+            catch {
+                return;
+            }
+            for (const entry of entries) {
+                if (jsFiles.length >= 500)
+                    return;
+                if (skip.has(entry))
+                    continue;
+                const full = resolvePath(d, entry);
+                let stat;
+                try {
+                    stat = statSync(full);
+                }
+                catch {
+                    continue;
+                }
+                if (stat.isDirectory()) {
+                    walk(full);
+                    continue;
+                }
+                if (!/\.(ts|tsx|js|jsx)$/.test(entry))
+                    continue;
+                if (stat.size > 100_000)
+                    continue;
+                try {
+                    const content = readFileSync(full, "utf-8");
+                    const relPath = full.replace(resolvePath(path) + "/", "");
+                    jsFiles.push({ path: relPath, content });
+                }
+                catch { /* skip unreadable */ }
+            }
+        }
+        walk(resolvePath(path));
+        const routeFiles = jsFiles.filter(f => /\/(route|page)\.(ts|tsx|js|jsx)$/.test(f.path));
+        const layoutFiles = jsFiles.filter(f => /\/layout\.(ts|tsx|js|jsx)$/.test(f.path));
+        const middlewareFile = jsFiles.find(f => /middleware\.(ts|js)$/.test(f.path));
+        const report = analyzeAuthCoverage(routeFiles, middlewareFile?.content ?? "", layoutFiles);
+        const output = formatAuthCoverage(report, format);
+        return { content: [{ type: "text", text: output }] };
+    }
     const report = analyzeAuthCoverage(files, middleware);
     const output = formatAuthCoverage(report, format);
     return { content: [{ type: "text", text: output }] };
@@ -750,7 +865,7 @@ server.tool("deep_scan", "LLM-powered deep security analysis for vulnerabilities
     return { content: [{ type: "text", text: output }] };
 });
 // Tool 33: Full audit — single source of truth
-server.tool("full_audit", "Single source of truth security audit. Runs ALL security checks in one call: code scan (334 rules), secret detection, dependency CVE check, config audit, cross-file taint analysis, and auth coverage mapping. Returns a deterministic PASS/FAIL/WARN verdict, unified score, coverage %, and a result hash (same code = same hash, always). Use this instead of running individual tools when you need a comprehensive security assessment. Trust the verdict — do not add speculative security concerns beyond what this tool reports.", {
+server.tool("full_audit", "Single command that runs ALL checks: code scan (334 rules), secret detection, dependency CVEs, config audit, taint analysis, and auth coverage. Returns PASS/FAIL/WARN verdict with deterministic hash. Use this for comprehensive security assessment — no need to call individual tools separately. Example: full_audit({path: '.'})", {
     path: z.string().default(".").describe("Project root directory"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
     skipDeps: z.boolean().default(false).describe("Skip dependency vulnerability check"),

package/build/tools/auth-coverage.js

@@ -79,10 +79,12 @@ export function enumerateRoutes(files) {
  * Returns array of matcher patterns.
  */
 export function parseMiddlewareMatchers(content) {
-    const stringMatch = /matcher\s*:\s*"([^"]+)"/.exec(content);
+    // Normalize literal escape sequences that AI assistants may pass
+    const normalized = content.replace(/\\n/g, "\n").replace(/\\t/g, "\t");
+    const stringMatch = /matcher\s*:\s*"([^"]+)"/.exec(normalized);
     if (stringMatch)
         return [stringMatch[1]];
-    const arrayMatch = /matcher\s*:\s*\[([^\]]+)\]/.exec(content);
+    const arrayMatch = /matcher\s*:\s*\[([^\]]+)\]/.exec(normalized);
     if (arrayMatch) {
         return arrayMatch[1]
             .split(",")

package/build/tools/compliance-report.js

@@ -63,12 +63,37 @@ export function complianceReport(path, framework, format = "markdown", rules, mo
         const critical = relevant.filter(f => f.rule.severity === "critical").length;
         const high = relevant.filter(f => f.rule.severity === "high").length;
         const medium = relevant.filter(f => f.rule.severity === "medium").length;
+        // Count controls that have zero findings as "passed"
+        const totalControls = controlMap.size;
+        const failedControls = totalControls; // all mapped controls have findings
+        const passedControls = 0; // controls without findings are not in the map
+        const complianceScore = totalControls === 0 ? 100 : Math.round((passedControls / totalControls) * 100);
+        // Flatten all findings, sort by severity, limit to top 50
+        const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+        const allFindingsFlat = relevant
+            .map(f => ({
+            id: f.rule.id, name: f.rule.name, severity: f.rule.severity,
+            file: f.filePath, line: f.line,
+            exploit: f.rule.exploit, audit: f.rule.audit,
+        }))
+            .sort((a, b) => (severityOrder[a.severity] ?? 4) - (severityOrder[b.severity] ?? 4));
+        const MAX_JSON_FINDINGS = 50;
+        const truncated = allFindingsFlat.length > MAX_JSON_FINDINGS;
+        const topFindings = allFindingsFlat.slice(0, MAX_JSON_FINDINGS);
         return JSON.stringify({
             summary: {
-                framework, total: relevant.length, controls: controlMap.size,
-                critical, high, medium, mode,
+                framework,
+                totalControls,
+                passedControls,
+                failedControls,
+                totalFindings: relevant.length,
+                critical, high, medium,
+                complianceScore,
+                mode,
             },
             controls,
+            findings: topFindings,
+            ...(truncated ? { truncation: { shown: MAX_JSON_FINDINGS, total: allFindingsFlat.length, note: "Sorted by severity. Use scan_file on individual files for full details." } } : {}),
         });
     }
     // --- EXECUTIVE SUMMARY MODE ---

package/build/tools/scan-dependencies.js

@@ -73,7 +73,13 @@ export async function scanDependencies(manifestPath, format = "markdown") {
             }
         }
         return JSON.stringify({
-            summary: { total: packages.length, vulnerable: criticalPackages.length, ...sevCounts },
+            summary: {
+                total: packages.length,
+                vulnerable: criticalPackages.length,
+                vulnerablePackages: criticalPackages.length,
+                totalAdvisories: totalVulns,
+                ...sevCounts,
+            },
             packages: pkgResults,
         });
     }

package/build/tools/scan-directory.js

@@ -95,6 +95,15 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
         filesSkipped: skippedFiles.length,
         fileHashes,
     };
+    // File ranking — always included in JSON, even when truncated
+    const fileRankingMap = new Map();
+    for (const r of scanResults) {
+        fileRankingMap.set(r.path, r.findings.length);
+    }
+    const fileRanking = Array.from(fileRankingMap.entries())
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, 10)
+        .map(([file, count]) => ({ file, findingCount: count }));
     // Scoring
     const allFindings = scanResults.flatMap(r => r.findings);
     const totalCritical = allFindings.filter(f => f.rule.severity === "critical").length;
@@ -155,6 +164,7 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
                 },
             },
             metadata,
+            fileRanking,
             findings: limitedFindings.map(f => ({
                 id: f.rule.id, name: f.rule.name, severity: f.rule.severity,
                 owasp: f.rule.owasp, line: f.line, match: f.match, file: f.file,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.3",
+  "version": "3.0.6",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 334 rules, 34 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",