guardvibe 3.0.36 → 3.0.38

package/build/tools/check-code.js

@@ -618,10 +618,17 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                     continue;
             }
             // Skip VG106 for non-secret variable names (TokenCount, tokenBalance, hashMap, etc.)
+            // and for comparisons against literals/null/undefined that are emptiness checks,
+            // not timing-sensitive secret equality (e.g. token !== '' or apiKey == null).
             if (rule.id === "VG106") {
                 const varName = match[0].split(/\s*(?:===|!==|==|!=)/)[0].trim();
                 if (/(?:Count|Length|Balance|Map|List|Array|Index|Size|Total|Num|Id|Type|Name|Status|Data|Info|Error|Result|Response|Config|Option|Url|Path|Provider|Model|Limit|Quota|Rate|Max|Min)/i.test(varName))
                     continue;
+                // Look at what comes after the operator. If it's a string literal, null, undefined,
+                // or a number — this is an emptiness/type check, not a secret comparison.
+                const afterOp = code.substring(match.index + match[0].length).trimStart();
+                if (/^(?:''|""|``|null\b|undefined\b|\d|0x|true\b|false\b)/.test(afterOp))
+                    continue;
             }
             // Skip VG1005 (.or() filter injection) when all interpolated variables are
             // server-verified auth IDs (user.id, session.user.id, auth.uid, currentUser.id)
@@ -945,7 +952,7 @@ function formatBuddyOutput(findings, filePath) {
     score -= counts.medium * 3;
     score -= counts.low * 1;
     score = Math.max(0, Math.min(100, score));
-    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
+    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 50 ? "C" : score >= 25 ? "D" : "F";
     const faces = {
         A: "\\[^_^]/",
         B: " [^_^]b",

package/build/tools/scan-directory.js

@@ -119,7 +119,8 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
     // density 0 = 100, uses log scale so medium findings don't dominate
     // density 0.5 ≈ 85 (B), density 2.0 ≈ 60 (C), density 5.0 ≈ 30 (D)
     const score = Math.max(0, Math.min(100, Math.round(100 - Math.min(density, 5) * 20)));
-    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
+    // Grade boundaries match full-audit so the section sub-grade and overall verdict agree.
+    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 50 ? "C" : score >= 25 ? "D" : "F";
     // Baseline comparison
     let baselineDiff = null;
     let previousBaseline = null;

package/build/tools/scan-staged.js

@@ -93,7 +93,7 @@ export function scanStaged(cwd = process.cwd(), format = "markdown", rules) {
     const weightedIssues = totalCritical * 10 + totalHigh * 3 + totalMedium * 1;
     const density = weightedIssues / Math.max(scannedCount, 1);
     const score = Math.max(0, Math.min(100, Math.round(100 - density * 20)));
-    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
+    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 50 ? "C" : score >= 25 ? "D" : "F";
     if (format === "json") {
         return formatFindingsJson(allFindings, { grade, score });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.36",
+  "version": "3.0.38",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 365 rules, 38 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",