guardvibe 3.0.30 → 3.0.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/cli/init.js +6 -1
- package/build/tools/check-code.js +9 -0
- package/package.json +1 -1
package/build/cli/init.js
CHANGED
|
@@ -2,12 +2,17 @@
|
|
|
2
2
|
* CLI: guardvibe init <platform>
|
|
3
3
|
* Sets up MCP server configuration for AI coding hosts.
|
|
4
4
|
*/
|
|
5
|
+
import { createRequire } from "module";
|
|
5
6
|
import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
|
|
6
7
|
import { join, dirname } from "path";
|
|
7
8
|
import { homedir } from "os";
|
|
9
|
+
const require = createRequire(import.meta.url);
|
|
10
|
+
const pkg = require("../../package.json");
|
|
11
|
+
// Pin to the version that ran `init` for fast, deterministic startup.
|
|
12
|
+
// Users upgrade by re-running init. Avoids slow npx-cache misses on each session start.
|
|
8
13
|
const GUARDVIBE_MCP_CONFIG = {
|
|
9
14
|
command: "npx",
|
|
10
|
-
args: ["-y",
|
|
15
|
+
args: ["-y", `guardvibe@${pkg.version}`],
|
|
11
16
|
};
|
|
12
17
|
const platforms = {
|
|
13
18
|
claude: {
|
|
@@ -335,6 +335,15 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
335
335
|
const isWebhookRoute = filePath && /webhook/i.test(filePath);
|
|
336
336
|
const isCronRoute = filePath && /(?:cron|scheduled|jobs?)\//i.test(filePath);
|
|
337
337
|
const isAdminRoute = filePath && /\/admin\//i.test(filePath);
|
|
338
|
+
// Skip rate-limit rules when the file installs a global rate limiter via app.use().
|
|
339
|
+
// Covers `app.use(rateLimit({...}))`, `app.use(limiter)`, `app.use('/api', rateLimit({...}))`,
|
|
340
|
+
// and named middleware vars matching limiter naming conventions.
|
|
341
|
+
if (rateLimitRuleIds.has(rule.id)) {
|
|
342
|
+
const hasGlobalRateLimit = /(?:app|router)\.use\s*\(\s*(?:[^,)]*,\s*)?(?:rateLimit|slowDown|expressRateLimit|expressSlowDown|RateLimit|Throttle|throttle)\s*\(/i.test(code) ||
|
|
343
|
+
/(?:app|router)\.use\s*\(\s*(?:[^,)]*,\s*)?\w*(?:[Ll]imiter|[Tt]hrottle|[Rr]ate[Ll]imit|[Ss]low[Dd]own|[Bb]rute)\w*\s*\)/.test(code);
|
|
344
|
+
if (hasGlobalRateLimit)
|
|
345
|
+
continue;
|
|
346
|
+
}
|
|
338
347
|
// Skip auth rules when code has any auth guard pattern (naming-agnostic)
|
|
339
348
|
if (codeHasAuthGuard && authRuleIds.has(rule.id))
|
|
340
349
|
continue;
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.32",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|