guardvibe 3.0.49 → 3.0.51

package/README.md

@@ -278,6 +278,7 @@ npx guardvibe diff [base]            # Scan only changed files since git ref
 npx guardvibe audit [path]           # Full audit with PASS/FAIL verdict + hash
 npx guardvibe audit . --format json  # JSON output for CI pipelines
 npx guardvibe audit --skip-deps      # Skip dependency CVE check
+npx guardvibe audit --full           # Disable MCP-output truncation (full finding set)
 
 # Host security audit
 npx guardvibe doctor                 # Host hardening audit (project scope)
@@ -299,6 +300,7 @@ npx guardvibe-scan --format sarif --output results.sarif  # CI mode
 #   --format markdown|json|sarif|buddy
 #   --output <file>     Write results to file
 #   --fail-on <level>   Exit 1 on findings: critical|high|medium|low|none
+#   --full              Bypass response-size caps (50 JSON / 30 markdown / 200-file taint)
 ```
 
 ## Plugin System
@@ -514,6 +516,9 @@ Create a `.guardviberc` JSON file in your project root to customize GuardVibe be
       }
     ],
     "requiredControls": ["SOC2:CC6.1"]
+  },
+  "scoring": {
+    "densityModel": "exponential"
   }
 }
 ```
@@ -531,6 +536,7 @@ Create a `.guardviberc` JSON file in your project root to customize GuardVibe be
 | `compliance.failOn` | `string` | `"high"` | Minimum severity that causes compliance failure |
 | `compliance.exceptions` | `PolicyException[]` | `[]` | Approved exceptions with expiration dates |
 | `compliance.requiredControls` | `string[]` | -- | Controls that must pass regardless of exceptions |
+| `scoring.densityModel` | `"linear" \| "exponential"` | `"linear"` | Score decay curve. `linear` matches pre-v3.0.50 (cliff at density 5). `exponential` keeps resolution past density 5 — smoother decay for large repos. Severity caps (1+ critical → max C/60, 1+ high → max B/75) apply under both. |
 
 ## Security
 

package/build/tools/check-project.js

@@ -1,4 +1,6 @@
 import { analyzeCode, formatFindingsJson } from "./check-code.js";
+import { calculateScore, scoreToGrade } from "../utils/scoring.js";
+import { loadConfig } from "../utils/config.js";
 const extensionMap = {
     ".js": "javascript",
     ".jsx": "javascript",
@@ -42,29 +44,6 @@ function detectLanguage(filePath) {
     const ext = filePath.match(/\.[^.]+$/)?.[0]?.toLowerCase();
     return ext ? extensionMap[ext] ?? null : null;
 }
-function calculateScore(critical, high, medium, fileCount = 1) {
-    // Calibrated: medium issues are informational (0.5 weight), high issues are real (5x), critical are severe (15x)
-    const weighted = critical * 15 + high * 5 + medium * 0.5;
-    const density = weighted / Math.max(fileCount, 1);
-    let score = Math.max(0, Math.min(100, Math.round(100 - Math.min(density, 5) * 20)));
-    // Severity caps: CRITICAL findings can never get A/B, HIGH can never get A
-    if (critical > 0)
-        score = Math.min(score, 60); // cap at C
-    if (high > 0)
-        score = Math.min(score, 75); // cap at B
-    return score;
-}
-function scoreToGrade(score) {
-    if (score >= 90)
-        return "A";
-    if (score >= 75)
-        return "B";
-    if (score >= 60)
-        return "C";
-    if (score >= 40)
-        return "D";
-    return "F";
-}
 export function checkProject(files, format = "markdown", rules) {
     const results = [];
     const skippedFiles = [];
@@ -85,7 +64,10 @@ export function checkProject(files, format = "markdown", rules) {
     const totalHigh = allFindings.filter((f) => f.rule.severity === "high").length;
     const totalMedium = allFindings.filter((f) => f.rule.severity === "medium").length;
     const totalIssues = totalCritical + totalHigh + totalMedium;
-    const score = calculateScore(totalCritical, totalHigh, totalMedium, scannedCount);
+    const config = loadConfig();
+    const score = calculateScore(totalCritical, totalHigh, totalMedium, scannedCount, {
+        densityModel: config.scoring?.densityModel,
+    });
     const grade = scoreToGrade(score);
     if (format === "json") {
         return formatFindingsJson(allFindings, { grade, score });

package/build/tools/scan-directory.js

@@ -7,6 +7,7 @@ import { loadConfig } from "../utils/config.js";
 import { DEFAULT_EXCLUDES, EXTENSION_MAP, CONFIG_FILE_MAP } from "../utils/constants.js";
 import { walkDirectory } from "../utils/walk-directory.js";
 import { securityBanner } from "../utils/banner.js";
+import { calculateScore, scoreToGrade } from "../utils/scoring.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../../package.json");
 // GuardVibe version — used in scan metadata
@@ -110,17 +111,11 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
     const totalHigh = allFindings.filter(f => f.rule.severity === "high").length;
     const totalMedium = allFindings.filter(f => f.rule.severity === "medium").length;
     const totalIssues = totalCritical + totalHigh + totalMedium;
-    // Density-based scoring calibrated against real Next.js projects.
-    // A clean Next.js project with ~200 medium findings in ~800 files should score ~B.
-    // Critical issues have the most impact; medium issues are informational.
     const filesScanned = metadata.filesScanned || 1;
-    const weightedIssues = totalCritical * 15 + totalHigh * 5 + totalMedium * 0.5;
-    const density = weightedIssues / filesScanned;
-    // density 0 = 100, uses log scale so medium findings don't dominate
-    // density 0.5 ≈ 85 (B), density 2.0 ≈ 60 (C), density 5.0 ≈ 30 (D)
-    const score = Math.max(0, Math.min(100, Math.round(100 - Math.min(density, 5) * 20)));
-    // Grade boundaries match full-audit so the section sub-grade and overall verdict agree.
-    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 50 ? "C" : score >= 25 ? "D" : "F";
+    const score = calculateScore(totalCritical, totalHigh, totalMedium, filesScanned, {
+        densityModel: config.scoring?.densityModel,
+    });
+    const grade = scoreToGrade(score);
     // Baseline comparison
     let baselineDiff = null;
     let previousBaseline = null;

package/build/utils/config.d.ts

@@ -33,6 +33,14 @@ export interface GuardVibeConfig {
         path: string;
         reason: string;
     }>;
+    /** Score calculation tweaks. Default density model is "linear" (matches
+     *  pre-v3.0.50 behavior). Set to "exponential" for smoother decay past
+     *  density 5 — projects with many medium findings will see slightly higher
+     *  scores under exponential, projects with concentrated criticals will see
+     *  lower. CI gates set on absolute score should keep the default. */
+    scoring?: {
+        densityModel?: "linear" | "exponential";
+    };
 }
 export declare function loadConfig(dir?: string): GuardVibeConfig;
 export declare function resetConfigCache(): void;

package/build/utils/config.js

@@ -69,6 +69,9 @@ export function loadConfig(dir) {
             } : undefined,
             authFunctions: Array.isArray(parsed.authFunctions) ? parsed.authFunctions : undefined,
             authExceptions: Array.isArray(parsed.authExceptions) ? parsed.authExceptions : undefined,
+            scoring: parsed.scoring && typeof parsed.scoring === "object" ? {
+                densityModel: parsed.scoring.densityModel === "exponential" ? "exponential" : "linear",
+            } : undefined,
         };
     }
     catch { }

package/build/utils/scoring.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Single source of truth for security score / grade calculation.
+ *
+ * Goals:
+ *   1. Same finding counts produce the same score across scan-directory,
+ *      check-project, full-audit, and CLI output.
+ *   2. Severity caps so a critical finding cannot ever look like a clean run
+ *      (1+ critical → max C/60, 1+ high → max B/75).
+ *   3. Optional exponential density decay (`scoring.densityModel: "exponential"`
+ *      in .guardviberc) for projects that want resolution past density 5
+ *      instead of the linear cliff.
+ *
+ * Default density formula stays linear so existing CI thresholds don't shift.
+ */
+export type DensityModel = "linear" | "exponential";
+export interface ScoreOptions {
+    /** Density curve. "linear" (default) is `100 - min(density, 5) * 20`.
+     *  "exponential" is `100 * exp(-density / 3)` — smoother, no cliff. */
+    densityModel?: DensityModel;
+}
+/** Severity caps applied AFTER the density-derived score. */
+export declare const CRITICAL_SCORE_CAP = 60;
+export declare const HIGH_SCORE_CAP = 75;
+export declare function calculateScore(critical: number, high: number, medium: number, fileCount?: number, options?: ScoreOptions): number;
+export declare function scoreToGrade(score: number): string;

package/build/utils/scoring.js

@@ -0,0 +1,52 @@
+/**
+ * Single source of truth for security score / grade calculation.
+ *
+ * Goals:
+ *   1. Same finding counts produce the same score across scan-directory,
+ *      check-project, full-audit, and CLI output.
+ *   2. Severity caps so a critical finding cannot ever look like a clean run
+ *      (1+ critical → max C/60, 1+ high → max B/75).
+ *   3. Optional exponential density decay (`scoring.densityModel: "exponential"`
+ *      in .guardviberc) for projects that want resolution past density 5
+ *      instead of the linear cliff.
+ *
+ * Default density formula stays linear so existing CI thresholds don't shift.
+ */
+/** Severity caps applied AFTER the density-derived score. */
+export const CRITICAL_SCORE_CAP = 60; // 1+ critical → cannot exceed C
+export const HIGH_SCORE_CAP = 75; // 1+ high → cannot exceed B
+/** Severity weights for density. Calibrated against real Next.js projects:
+ *  a clean Next.js app with ~200 medium findings in ~800 files lands near B. */
+const WEIGHT_CRITICAL = 15;
+const WEIGHT_HIGH = 5;
+const WEIGHT_MEDIUM = 0.5;
+/** Exponential decay constant — density = 3 produces ~37 (D). */
+const EXPONENTIAL_K = 3;
+export function calculateScore(critical, high, medium, fileCount = 1, options) {
+    const weighted = critical * WEIGHT_CRITICAL + high * WEIGHT_HIGH + medium * WEIGHT_MEDIUM;
+    const density = weighted / Math.max(fileCount, 1);
+    let score;
+    if (options?.densityModel === "exponential") {
+        score = Math.round(100 * Math.exp(-density / EXPONENTIAL_K));
+    }
+    else {
+        score = Math.round(100 - Math.min(density, 5) * 20);
+    }
+    score = Math.max(0, Math.min(100, score));
+    if (critical > 0)
+        score = Math.min(score, CRITICAL_SCORE_CAP);
+    if (high > 0)
+        score = Math.min(score, HIGH_SCORE_CAP);
+    return score;
+}
+export function scoreToGrade(score) {
+    if (score >= 90)
+        return "A";
+    if (score >= 75)
+        return "B";
+    if (score >= 50)
+        return "C";
+    if (score >= 25)
+        return "D";
+    return "F";
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.49",
+  "version": "3.0.51",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",