guardvibe 3.0.41 → 3.0.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +3 -3
  2. package/build/index.js +1 -1
  3. package/build/tools/check-code.js +16 -0
  4. package/package.json +2 -2
package/README.md CHANGED
@@ -6,7 +6,7 @@
6
6
  [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
7
7
  [![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
8
8
 
9
- **The security MCP built for vibe coding.** 365 security rules, 38 tools covering the entire AI-generated code journey — from first line to production deployment.
9
+ **The security MCP built for vibe coding.** 365 security rules, 36 tools covering the entire AI-generated code journey — from first line to production deployment.
10
10
 
11
11
  Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
12
12
 
@@ -14,7 +14,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
14
14
 
15
15
  Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
16
16
 
17
- - **365 security rules, 38 tools** purpose-built for the stacks AI agents generate
17
+ - **365 security rules, 36 tools** purpose-built for the stacks AI agents generate
18
18
  - **Zero setup friction** — `npx guardvibe` and you're scanning
19
19
  - **No account required** — runs 100% locally, no API keys, no cloud
20
20
  - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -441,7 +441,7 @@ If your AI agent cannot connect to GuardVibe:
441
441
 
442
442
  1. **Restart your IDE/agent.** MCP servers are started by the host application. After running `npx guardvibe init`, restart Claude Code, Cursor, or Gemini CLI for the config to take effect.
443
443
  2. **Check the config path.** Run `npx guardvibe init claude` again and verify the output shows the correct config file location (`.mcp.json` in your project root for Claude Code, `.cursor/mcp.json` for Cursor).
444
- 3. **Re-run `init` to upgrade.** When upgrading GuardVibe, re-run `npx guardvibe init claude` — `.mcp.json` is pinned to a specific version (e.g. `guardvibe@3.0.33`) at init time for fast deterministic startup. Stale pins won't auto-update.
444
+ 3. **Re-run `init` to upgrade.** When upgrading GuardVibe, re-run `npx guardvibe init claude` — `.mcp.json` is pinned to a specific version (e.g. `guardvibe@3.0.41`) at init time for fast deterministic startup. Stale pins won't auto-update.
445
445
  4. **Verify Node.js version.** GuardVibe requires Node.js >= 18.0.0. Check with `node --version`.
446
446
  5. **Check npx cache.** If you upgraded GuardVibe and the old version is cached, run `npx -y guardvibe@latest` to force the latest version.
447
447
 
package/build/index.js CHANGED
@@ -60,7 +60,7 @@ function mergeStatsIntoOutput(results, summary, format) {
60
60
  const server = new McpServer({
61
61
  name: "guardvibe",
62
62
  version: pkg.version,
63
- description: "Security MCP for vibe coding — single source of truth for AI assistants. 365 security rules and 38 tools. Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.",
63
+ description: "Security MCP for vibe coding — single source of truth for AI assistants. 365 security rules and 36 tools. Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.",
64
64
  });
65
65
  // Tool 1: Analyze code for security vulnerabilities
66
66
  server.tool("check_code", "Analyze inline code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Pass code as a string parameter. For scanning files on disk, use scan_file instead. Example: check_code({code: 'app.get(...)', language: 'javascript'})", {
package/build/tools/check-code.js CHANGED
@@ -652,6 +652,22 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
652
652
  if (/\b(?:id|[a-zA-Z]+Id)\s*[,}]/i.test(matched))
653
653
  continue; // where: { userId } shorthand
654
654
  }
655
+ // Skip VG154 (Supabase race condition) for count-only or list queries — these don't
656
+ // produce a value-checked-then-mutated pattern. count: 'exact', head: true returns no
657
+ // rows; .order/.limit/.range chains are paginated reads, not single-record check-then-act.
658
+ if (rule.id === "VG154") {
659
+ const matched = match[0];
660
+ if (/\bhead\s*:\s*true\b/i.test(matched))
661
+ continue;
662
+ if (/\.(?:order|range|limit)\s*\(/i.test(matched))
663
+ continue;
664
+ }
665
+ // Skip VG155 (CSRF) in Next.js App Router route handlers (app/.../route.{ts,tsx,js,jsx}).
666
+ // App Router protects state-changing requests by default: SameSite=Lax cookies block
667
+ // cross-site cookie attachment, and JSON Content-Type triggers CORS preflight. Bearer-token
668
+ // auth (Clerk, Auth0) is also CSRF-immune since tokens aren't browser-attached automatically.
669
+ if (rule.id === "VG155" && filePath && /\/app\/.+\/route\.(?:ts|tsx|js|jsx)$/i.test(filePath))
670
+ continue;
655
671
  // Skip VG106 for non-secret variable names (TokenCount, tokenBalance, hashMap, etc.)
656
672
  // and for comparisons against literals/null/undefined that are emptiness checks,
657
673
  // not timing-sensitive secret equality (e.g. token !== '' or apiKey == null).
package/package.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "3.0.41",
3
+ "version": "3.0.43",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
- "description": "Security MCP for vibe coding. 365 rules, 38 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
5
+ "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
6
6
  "type": "module",
7
7
  "bin": {
8
8
  "guardvibe": "build/cli.js",