guardvibe 3.0.32 → 3.0.34

package/README.md

@@ -6,7 +6,7 @@
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 [![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
 
-**The security MCP built for vibe coding.** 365 security rules, 36 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 365 security rules, 38 tools covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -14,7 +14,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **365 security rules, 36 tools** purpose-built for the stacks AI agents generate
+- **365 security rules, 38 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -440,9 +440,10 @@ Tested on real AI-built projects (837 files, Next.js + Supabase + Clerk):
 If your AI agent cannot connect to GuardVibe:
 
 1. **Restart your IDE/agent.** MCP servers are started by the host application. After running `npx guardvibe init`, restart Claude Code, Cursor, or Gemini CLI for the config to take effect.
-2. **Check the config path.** Run `npx guardvibe init claude` again and verify the output shows the correct config file location (`.claude.json` in your project root for Claude Code, `.cursor/mcp.json` for Cursor).
-3. **Verify Node.js version.** GuardVibe requires Node.js >= 18.0.0. Check with `node --version`.
-4. **Check npx cache.** If you upgraded GuardVibe and the old version is cached, run `npx -y guardvibe@latest` to force the latest version.
+2. **Check the config path.** Run `npx guardvibe init claude` again and verify the output shows the correct config file location (`.mcp.json` in your project root for Claude Code, `.cursor/mcp.json` for Cursor).
+3. **Re-run `init` to upgrade.** When upgrading GuardVibe, re-run `npx guardvibe init claude` — `.mcp.json` is pinned to a specific version (e.g. `guardvibe@3.0.33`) at init time for fast deterministic startup. Stale pins won't auto-update.
+4. **Verify Node.js version.** GuardVibe requires Node.js >= 18.0.0. Check with `node --version`.
+5. **Check npx cache.** If you upgraded GuardVibe and the old version is cached, run `npx -y guardvibe@latest` to force the latest version.
 
 ### Node.js version requirements
 

package/build/data/compliance-metadata.js

@@ -127,7 +127,7 @@ export const complianceMetadata = {
         exploit: "Server Action returns full database objects including sensitive fields (passwordHash, internalNotes). Client receives all data in the response.",
         audit: "Review Server Action return values. Verify select/pick is used to return only necessary fields.",
     },
-    // === AUTH RULES (VG420-VG430) ===
+    // === AUTH RULES (VG420-VG449) ===
     VG420: {
         gdpr: ["GDPR:Art32(1)(b)", "GDPR:Art32(1)(d)"],
         iso27001: ["ISO27001:A.5.15", "ISO27001:A.8.5"],

package/build/data/rules/auth.js

@@ -113,7 +113,7 @@ export const authRules = [
         compliance: ["SOC2:CC6.1"],
     },
     {
-        id: "VG430",
+        id: "VG449",
         name: "Clerk SSRF via clerkFrontendApiProxy",
         severity: "critical",
         owasp: "A10:2025 Server-Side Request Forgery",

package/build/data/rules/dockerfile.js

@@ -29,7 +29,7 @@ export const dockerfileRules = [
         severity: "medium",
         owasp: "A03:2025 Software Supply Chain Failures",
         description: "Using :latest tag or no tag makes builds non-reproducible and vulnerable to supply chain attacks.",
-        pattern: /FROM\s+\S+(?::latest\s|(?!:)\s)/gi,
+        pattern: /^FROM\s+[^\s:@]+(?::latest)?(?=\s)/gim,
         languages: ["dockerfile"],
         fix: "Pin to a specific version tag: FROM node:20-alpine instead of FROM node:latest.",
         fixCode: "# Pin to specific version\nFROM node:20-alpine\n# Not: FROM node:latest\n# Not: FROM node",

package/build/data/rules/web-security.js

@@ -179,7 +179,7 @@ export const webSecurityRules = [
         severity: "high",
         owasp: "A05:2021 Security Misconfiguration",
         description: "Response serving user-uploaded files does not set X-Content-Type-Options: nosniff. Browsers may MIME-sniff the content and execute uploaded files as HTML/JavaScript, enabling stored XSS via file uploads.",
-        pattern: /(?:createReadStream|sendFile|send\s*\(|pipe\s*\(|res\.download|res\.sendFile|getSignedUrl|getPublicUrl)[\s\S]{0,500}?(?:(?!X-Content-Type-Options|nosniff)[\s\S]){10,}?(?:res\.end|\.pipe|return|response)/gi,
+        pattern: /(?:res\.sendFile|res\.download|createReadStream|getSignedUrl|getPublicUrl|\.pipe\s*\(\s*res)[\s\S]{0,500}?(?:(?!X-Content-Type-Options|nosniff)[\s\S]){10,}?(?:res\.end|\.pipe|return|response)/gi,
         languages: ["javascript", "typescript"],
         fix: "Set X-Content-Type-Options: nosniff on all responses serving user-uploaded content.",
         fixCode: '// Set nosniff header for uploaded file responses\nres.setHeader("X-Content-Type-Options", "nosniff");\nres.setHeader("Content-Disposition", "attachment"); // force download for unknown types\nres.sendFile(filePath);',

package/build/index.js

@@ -60,7 +60,7 @@ function mergeStatsIntoOutput(results, summary, format) {
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
-    description: "Security MCP for vibe coding — single source of truth for AI assistants. 365 security rules and 36 tools. Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.",
+    description: "Security MCP for vibe coding — single source of truth for AI assistants. 365 security rules and 38 tools. Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.",
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze inline code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Pass code as a string parameter. For scanning files on disk, use scan_file instead. Example: check_code({code: 'app.get(...)', language: 'javascript'})", {

package/build/tools/check-code.js

@@ -606,7 +606,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 const hasPublishingFields = /"(?:bin|exports|module|types|typings)"\s*:/i.test(code);
                 const mainPointsToBuild = /"main"\s*:\s*"(?:dist|build|lib|out)\//i.test(code);
                 const runtimeNames = "node|nodemon|tsx|ts-node|next|nest|vite|remix|astro";
-                const startsAsApp = new RegExp('"start"\\s*:\\s*"(?:' + runtimeNames + ')\\b', "i").test(code);
+                // Allow leading env-var assignments: NODE_OPTIONS=..., NODE_ENV=production, PORT=3000, etc.
+                const startsAsApp = new RegExp('"start"\\s*:\\s*"(?:[A-Z_][A-Z0-9_]*=\\S+\\s+)*(?:' + runtimeNames + ')\\b', "i").test(code);
                 if (!hasPublishingFields && !mainPointsToBuild && startsAsApp)
                     continue;
             }
@@ -744,6 +745,12 @@ function isDuplicatePair(a, b) {
     const bIsAdmin = adminPatterns.some(p => b.rule.name.includes(p));
     if (aIsAdmin && bIsAdmin)
         return true;
+    // Both are open-redirect rules — VG101 (core) + VG409 (nextjs) duplicate case
+    const redirectPatterns = ["Unvalidated redirect", "Open Redirect"];
+    const aIsRedirect = redirectPatterns.some(p => a.rule.name.includes(p));
+    const bIsRedirect = redirectPatterns.some(p => b.rule.name.includes(p));
+    if (aIsRedirect && bIsRedirect)
+        return true;
     return false;
 }
 /** Check if rule A is more specific than rule B (framework rules > core rules). */

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "3.0.32",
+  "version": "3.0.34",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
+  "description": "Security MCP for vibe coding. 365 rules, 38 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",