guardvibe 3.0.48 → 3.0.50

package/build/cli/audit.js

@@ -16,11 +16,12 @@ export async function runAudit(args) {
     const failOn = getStringFlag(flags, "fail-on") ?? "critical";
     const skipDeps = flags["skip-deps"] === true;
     const skipSecrets = flags["skip-secrets"] === true;
+    const full = flags["full"] === true;
     setRules(builtinRules);
     // Terminal format by default when outputting to TTY, unless --format is specified
     const isTerminal = !outputFile && process.stdout.isTTY && !flags["format"];
     const format = isTerminal ? "terminal" : rawFormat;
-    const result = await runFullAudit(targetPath, { skipDeps, skipSecrets });
+    const result = await runFullAudit(targetPath, { skipDeps, skipSecrets, full });
     const output = formatAuditResult(result, format);
     // For shouldFail, always use JSON-parseable format
     const failCheckOutput = formatAuditResult(result, "json");

package/build/cli/scan.js

@@ -46,6 +46,7 @@ export async function runDirectoryScan(targetPath, flags) {
     const outputFile = getOutputPath(flags);
     const baselinePath = getStringFlag(flags, "baseline");
     const saveBaseline = flags["save-baseline"] === true || typeof flags["save-baseline"] === "string";
+    const full = flags["full"] === true;
     const scanPath = resolve(targetPath);
     let result;
     if (format === "sarif") {
@@ -53,7 +54,7 @@ export async function runDirectoryScan(targetPath, flags) {
         result = exportSarif(scanPath);
     }
     else {
-        result = scanDirectory(scanPath, true, [], format === "json" ? "json" : "markdown", undefined, baselinePath ?? undefined);
+        result = scanDirectory(scanPath, true, [], format === "json" ? "json" : "markdown", undefined, baselinePath ?? undefined, full);
     }
     if (outputFile) {
         safeWriteOutput(outputFile, result);

package/build/tools/check-project.js

@@ -1,4 +1,6 @@
 import { analyzeCode, formatFindingsJson } from "./check-code.js";
+import { calculateScore, scoreToGrade } from "../utils/scoring.js";
+import { loadConfig } from "../utils/config.js";
 const extensionMap = {
     ".js": "javascript",
     ".jsx": "javascript",
@@ -42,29 +44,6 @@ function detectLanguage(filePath) {
     const ext = filePath.match(/\.[^.]+$/)?.[0]?.toLowerCase();
     return ext ? extensionMap[ext] ?? null : null;
 }
-function calculateScore(critical, high, medium, fileCount = 1) {
-    // Calibrated: medium issues are informational (0.5 weight), high issues are real (5x), critical are severe (15x)
-    const weighted = critical * 15 + high * 5 + medium * 0.5;
-    const density = weighted / Math.max(fileCount, 1);
-    let score = Math.max(0, Math.min(100, Math.round(100 - Math.min(density, 5) * 20)));
-    // Severity caps: CRITICAL findings can never get A/B, HIGH can never get A
-    if (critical > 0)
-        score = Math.min(score, 60); // cap at C
-    if (high > 0)
-        score = Math.min(score, 75); // cap at B
-    return score;
-}
-function scoreToGrade(score) {
-    if (score >= 90)
-        return "A";
-    if (score >= 75)
-        return "B";
-    if (score >= 60)
-        return "C";
-    if (score >= 40)
-        return "D";
-    return "F";
-}
 export function checkProject(files, format = "markdown", rules) {
     const results = [];
     const skippedFiles = [];
@@ -85,7 +64,10 @@ export function checkProject(files, format = "markdown", rules) {
     const totalHigh = allFindings.filter((f) => f.rule.severity === "high").length;
     const totalMedium = allFindings.filter((f) => f.rule.severity === "medium").length;
     const totalIssues = totalCritical + totalHigh + totalMedium;
-    const score = calculateScore(totalCritical, totalHigh, totalMedium, scannedCount);
+    const config = loadConfig();
+    const score = calculateScore(totalCritical, totalHigh, totalMedium, scannedCount, {
+        densityModel: config.scoring?.densityModel,
+    });
     const grade = scoreToGrade(score);
     if (format === "json") {
         return formatFindingsJson(allFindings, { grade, score });

package/build/tools/full-audit.d.ts

@@ -89,6 +89,7 @@ export declare function computeResultHash(findings: FindingRef[]): string;
 export declare function runFullAudit(path: string, options?: {
     skipDeps?: boolean;
     skipSecrets?: boolean;
+    full?: boolean;
 }): Promise<AuditResult>;
 /**
  * Format audit result as markdown, JSON, or terminal-friendly output.

package/build/tools/full-audit.js

@@ -72,6 +72,7 @@ function collectJsFiles(dir, maxFiles = 200) {
         "node_modules", ".git", ".next", "build", "dist", ".turbo", "coverage",
         ...config.scan.exclude,
     ]);
+    // `maxFiles = Infinity` is the contract for full mode (CLI --full flag): scan everything.
     function walk(d) {
         if (files.length >= maxFiles)
             return;
@@ -124,19 +125,20 @@ export async function runFullAudit(path, options) {
     const rules = getRules();
     const allFindings = [];
     const sections = [];
+    const full = options?.full === true;
     let filesScanned = 0;
     let filesSkipped = 0;
     let score = 100;
     let grade = "A";
-    // Truncation tracking
+    // Truncation tracking — `full` mode (CLI --full flag) bypasses caps for local debugging.
     let scanTruncated = false;
     let scanTotalFindings = 0;
-    let scanMaxFindings = 50; // MAX_JSON_FINDINGS from scan-directory
+    let scanMaxFindings = full ? Number.POSITIVE_INFINITY : 50;
     let taintFilesProcessed = 0;
-    const taintFileCap = 200;
+    const taintFileCap = full ? Number.POSITIVE_INFINITY : 200;
     // --- Section 1: Code scan ---
     try {
-        const codeJson = scanDirectory(projectRoot, true, [], "json", rules.length > 0 ? rules : undefined);
+        const codeJson = scanDirectory(projectRoot, true, [], "json", rules.length > 0 ? rules : undefined, undefined, full);
         const parsed = safeJsonParse(codeJson);
         if (parsed) {
             const counts = parseSectionCounts(parsed);
@@ -296,7 +298,7 @@ export async function runFullAudit(path, options) {
     }
     // --- Section 5: Taint analysis ---
     try {
-        const jsFiles = collectJsFiles(projectRoot);
+        const jsFiles = collectJsFiles(projectRoot, taintFileCap);
         taintFilesProcessed = jsFiles.length;
         if (jsFiles.length > 0) {
             const { crossFileFindings, perFileFindings } = analyzeCrossFileTaint(jsFiles);
@@ -340,7 +342,7 @@ export async function runFullAudit(path, options) {
     }
     // --- Section 6: Auth coverage ---
     try {
-        const jsFiles = collectJsFiles(projectRoot);
+        const jsFiles = collectJsFiles(projectRoot, taintFileCap);
         const routeFiles = jsFiles.filter(f => /\/(route|page)\.(ts|tsx|js|jsx)$/.test(f.path));
         const layoutFiles = jsFiles.filter(f => /\/layout\.(ts|tsx|js|jsx)$/.test(f.path));
         if (routeFiles.length > 0) {

package/build/tools/scan-directory.d.ts

@@ -1,2 +1,2 @@
 import type { SecurityRule } from "../data/rules/types.js";
-export declare function scanDirectory(path: string, recursive?: boolean, exclude?: string[], format?: "markdown" | "json", rules?: SecurityRule[], baselinePath?: string): string;
+export declare function scanDirectory(path: string, recursive?: boolean, exclude?: string[], format?: "markdown" | "json", rules?: SecurityRule[], baselinePath?: string, full?: boolean): string;

package/build/tools/scan-directory.js

@@ -7,6 +7,7 @@ import { loadConfig } from "../utils/config.js";
 import { DEFAULT_EXCLUDES, EXTENSION_MAP, CONFIG_FILE_MAP } from "../utils/constants.js";
 import { walkDirectory } from "../utils/walk-directory.js";
 import { securityBanner } from "../utils/banner.js";
+import { calculateScore, scoreToGrade } from "../utils/scoring.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../../package.json");
 // GuardVibe version — used in scan metadata
@@ -41,7 +42,7 @@ function computeBaselineDiff(current, previous) {
         unchanged: current.filter(e => prevSet.has(currKey(e))),
     };
 }
-export function scanDirectory(path, recursive = true, exclude = [], format = "markdown", rules, baselinePath) {
+export function scanDirectory(path, recursive = true, exclude = [], format = "markdown", rules, baselinePath, full = false) {
     const startTime = performance.now();
     const scanId = randomUUID();
     const scanRoot = resolve(path);
@@ -110,17 +111,11 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
     const totalHigh = allFindings.filter(f => f.rule.severity === "high").length;
     const totalMedium = allFindings.filter(f => f.rule.severity === "medium").length;
     const totalIssues = totalCritical + totalHigh + totalMedium;
-    // Density-based scoring calibrated against real Next.js projects.
-    // A clean Next.js project with ~200 medium findings in ~800 files should score ~B.
-    // Critical issues have the most impact; medium issues are informational.
     const filesScanned = metadata.filesScanned || 1;
-    const weightedIssues = totalCritical * 15 + totalHigh * 5 + totalMedium * 0.5;
-    const density = weightedIssues / filesScanned;
-    // density 0 = 100, uses log scale so medium findings don't dominate
-    // density 0.5 ≈ 85 (B), density 2.0 ≈ 60 (C), density 5.0 ≈ 30 (D)
-    const score = Math.max(0, Math.min(100, Math.round(100 - Math.min(density, 5) * 20)));
-    // Grade boundaries match full-audit so the section sub-grade and overall verdict agree.
-    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 50 ? "C" : score >= 25 ? "D" : "F";
+    const score = calculateScore(totalCritical, totalHigh, totalMedium, filesScanned, {
+        densityModel: config.scoring?.densityModel,
+    });
+    const grade = scoreToGrade(score);
     // Baseline comparison
     let baselineDiff = null;
     let previousBaseline = null;
@@ -141,8 +136,10 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
     }
     // MCP output size limit — large projects can produce 300K+ characters which
     // exceeds Claude Code's max allowed tokens for tool results.
-    const MAX_JSON_FINDINGS = 50;
-    const MAX_MD_FINDINGS = 30;
+    // `full=true` (CLI --full flag) bypasses these caps for local debugging where
+    // size budget doesn't apply.
+    const MAX_JSON_FINDINGS = full ? Number.POSITIVE_INFINITY : 50;
+    const MAX_MD_FINDINGS = full ? Number.POSITIVE_INFINITY : 30;
     if (format === "json") {
         const findingsWithFiles = scanResults.flatMap(r => r.findings.map(f => ({ ...f, rule: f.rule, file: r.path })));
         // Sort by severity: critical first, then high, then medium

package/build/utils/config.d.ts

@@ -33,6 +33,14 @@ export interface GuardVibeConfig {
         path: string;
         reason: string;
     }>;
+    /** Score calculation tweaks. Default density model is "linear" (matches
+     *  pre-v3.0.50 behavior). Set to "exponential" for smoother decay past
+     *  density 5 — projects with many medium findings will see slightly higher
+     *  scores under exponential, projects with concentrated criticals will see
+     *  lower. CI gates set on absolute score should keep the default. */
+    scoring?: {
+        densityModel?: "linear" | "exponential";
+    };
 }
 export declare function loadConfig(dir?: string): GuardVibeConfig;
 export declare function resetConfigCache(): void;

package/build/utils/config.js

@@ -69,6 +69,9 @@ export function loadConfig(dir) {
             } : undefined,
             authFunctions: Array.isArray(parsed.authFunctions) ? parsed.authFunctions : undefined,
             authExceptions: Array.isArray(parsed.authExceptions) ? parsed.authExceptions : undefined,
+            scoring: parsed.scoring && typeof parsed.scoring === "object" ? {
+                densityModel: parsed.scoring.densityModel === "exponential" ? "exponential" : "linear",
+            } : undefined,
         };
     }
     catch { }

package/build/utils/scoring.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Single source of truth for security score / grade calculation.
+ *
+ * Goals:
+ *   1. Same finding counts produce the same score across scan-directory,
+ *      check-project, full-audit, and CLI output.
+ *   2. Severity caps so a critical finding cannot ever look like a clean run
+ *      (1+ critical → max C/60, 1+ high → max B/75).
+ *   3. Optional exponential density decay (`scoring.densityModel: "exponential"`
+ *      in .guardviberc) for projects that want resolution past density 5
+ *      instead of the linear cliff.
+ *
+ * Default density formula stays linear so existing CI thresholds don't shift.
+ */
+export type DensityModel = "linear" | "exponential";
+export interface ScoreOptions {
+    /** Density curve. "linear" (default) is `100 - min(density, 5) * 20`.
+     *  "exponential" is `100 * exp(-density / 3)` — smoother, no cliff. */
+    densityModel?: DensityModel;
+}
+/** Severity caps applied AFTER the density-derived score. */
+export declare const CRITICAL_SCORE_CAP = 60;
+export declare const HIGH_SCORE_CAP = 75;
+export declare function calculateScore(critical: number, high: number, medium: number, fileCount?: number, options?: ScoreOptions): number;
+export declare function scoreToGrade(score: number): string;

package/build/utils/scoring.js

@@ -0,0 +1,52 @@
+/**
+ * Single source of truth for security score / grade calculation.
+ *
+ * Goals:
+ *   1. Same finding counts produce the same score across scan-directory,
+ *      check-project, full-audit, and CLI output.
+ *   2. Severity caps so a critical finding cannot ever look like a clean run
+ *      (1+ critical → max C/60, 1+ high → max B/75).
+ *   3. Optional exponential density decay (`scoring.densityModel: "exponential"`
+ *      in .guardviberc) for projects that want resolution past density 5
+ *      instead of the linear cliff.
+ *
+ * Default density formula stays linear so existing CI thresholds don't shift.
+ */
+/** Severity caps applied AFTER the density-derived score. */
+export const CRITICAL_SCORE_CAP = 60; // 1+ critical → cannot exceed C
+export const HIGH_SCORE_CAP = 75; // 1+ high → cannot exceed B
+/** Severity weights for density. Calibrated against real Next.js projects:
+ *  a clean Next.js app with ~200 medium findings in ~800 files lands near B. */
+const WEIGHT_CRITICAL = 15;
+const WEIGHT_HIGH = 5;
+const WEIGHT_MEDIUM = 0.5;
+/** Exponential decay constant — density = 3 produces ~37 (D). */
+const EXPONENTIAL_K = 3;
+export function calculateScore(critical, high, medium, fileCount = 1, options) {
+    const weighted = critical * WEIGHT_CRITICAL + high * WEIGHT_HIGH + medium * WEIGHT_MEDIUM;
+    const density = weighted / Math.max(fileCount, 1);
+    let score;
+    if (options?.densityModel === "exponential") {
+        score = Math.round(100 * Math.exp(-density / EXPONENTIAL_K));
+    }
+    else {
+        score = Math.round(100 - Math.min(density, 5) * 20);
+    }
+    score = Math.max(0, Math.min(100, score));
+    if (critical > 0)
+        score = Math.min(score, CRITICAL_SCORE_CAP);
+    if (high > 0)
+        score = Math.min(score, HIGH_SCORE_CAP);
+    return score;
+}
+export function scoreToGrade(score) {
+    if (score >= 90)
+        return "A";
+    if (score >= 75)
+        return "B";
+    if (score >= 50)
+        return "C";
+    if (score >= 25)
+        return "D";
+    return "F";
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.48",
+  "version": "3.0.50",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",