guardvibe 3.0.9 → 3.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/tools/full-audit.js +117 -0
- package/package.json +1 -1
|
@@ -291,12 +291,107 @@ export async function runFullAudit(path, options) {
|
|
|
291
291
|
actionItems,
|
|
292
292
|
};
|
|
293
293
|
}
|
|
294
|
+
function buildInlineRemediationPlan(result) {
|
|
295
|
+
const sectionConfig = {
|
|
296
|
+
secrets: {
|
|
297
|
+
priority: 1,
|
|
298
|
+
tool: "scan_secrets",
|
|
299
|
+
actions: [
|
|
300
|
+
"Call scan_secrets with format: json to list all secrets with file locations",
|
|
301
|
+
"For EACH secret: move to environment variable, add file to .gitignore",
|
|
302
|
+
"Rotate any API keys/tokens that were committed — they are compromised",
|
|
303
|
+
"Call scan_secrets_history to check git history for previously committed secrets",
|
|
304
|
+
"Re-run scan_secrets to confirm 0 secrets remain",
|
|
305
|
+
],
|
|
306
|
+
},
|
|
307
|
+
code: {
|
|
308
|
+
priority: 2,
|
|
309
|
+
tool: "scan_directory",
|
|
310
|
+
actions: [
|
|
311
|
+
"Call scan_directory with format: json to get full finding list with fix suggestions",
|
|
312
|
+
"Fix ALL critical and high severity findings using fix_code for each file",
|
|
313
|
+
"Call verify_fix after each fix to confirm the vulnerability is resolved",
|
|
314
|
+
"Re-run scan_directory to confirm findings are resolved",
|
|
315
|
+
],
|
|
316
|
+
},
|
|
317
|
+
dependencies: {
|
|
318
|
+
priority: 3,
|
|
319
|
+
tool: "scan_dependencies",
|
|
320
|
+
actions: [
|
|
321
|
+
"Call scan_dependencies with format: json to list vulnerable packages with CVE details",
|
|
322
|
+
"Run npm audit fix or npm update <package> for each vulnerable dependency",
|
|
323
|
+
"If a package is abandoned, find an alternative with check_package_health",
|
|
324
|
+
"Re-run scan_dependencies to confirm 0 CVEs remain",
|
|
325
|
+
],
|
|
326
|
+
},
|
|
327
|
+
config: {
|
|
328
|
+
priority: 4,
|
|
329
|
+
tool: "audit_config",
|
|
330
|
+
actions: [
|
|
331
|
+
"Call audit_config with format: json to list all config issues",
|
|
332
|
+
"Call explain_remediation for each finding to get specific fix guidance",
|
|
333
|
+
"Apply fixes to next.config, middleware, .env, vercel.json, etc.",
|
|
334
|
+
"Re-run audit_config to confirm config issues are resolved",
|
|
335
|
+
],
|
|
336
|
+
},
|
|
337
|
+
taint: {
|
|
338
|
+
priority: 5,
|
|
339
|
+
tool: "analyze_cross_file_dataflow",
|
|
340
|
+
actions: [
|
|
341
|
+
"Call analyze_cross_file_dataflow to trace tainted data flows from source to sink",
|
|
342
|
+
"Add input validation (zod/joi) at each source, or output encoding at each sink",
|
|
343
|
+
"Re-run analyze_cross_file_dataflow to confirm tainted flows are resolved",
|
|
344
|
+
],
|
|
345
|
+
},
|
|
346
|
+
"auth-coverage": {
|
|
347
|
+
priority: 6,
|
|
348
|
+
tool: "auth_coverage",
|
|
349
|
+
actions: [
|
|
350
|
+
"Call auth_coverage with format: json to list all unprotected routes",
|
|
351
|
+
"Add auth guard (Clerk/NextAuth/Supabase) to each unprotected route",
|
|
352
|
+
"If a route is intentionally public, document it in .guardviberc authExceptions",
|
|
353
|
+
"Re-run auth_coverage to confirm all routes are protected or documented",
|
|
354
|
+
],
|
|
355
|
+
},
|
|
356
|
+
};
|
|
357
|
+
const steps = [];
|
|
358
|
+
for (const section of result.sections) {
|
|
359
|
+
if (section.findings === 0)
|
|
360
|
+
continue;
|
|
361
|
+
const config = sectionConfig[section.name];
|
|
362
|
+
if (!config)
|
|
363
|
+
continue;
|
|
364
|
+
steps.push({
|
|
365
|
+
section: section.name,
|
|
366
|
+
priority: config.priority,
|
|
367
|
+
findings: section.findings,
|
|
368
|
+
critical: section.critical,
|
|
369
|
+
high: section.high,
|
|
370
|
+
tool: config.tool,
|
|
371
|
+
actions: config.actions,
|
|
372
|
+
});
|
|
373
|
+
}
|
|
374
|
+
steps.sort((a, b) => a.priority - b.priority);
|
|
375
|
+
return steps;
|
|
376
|
+
}
|
|
294
377
|
// --- Formatter ---
|
|
295
378
|
/**
|
|
296
379
|
* Format audit result as markdown, JSON, or terminal-friendly output.
|
|
297
380
|
*/
|
|
298
381
|
export function formatAuditResult(result, format) {
|
|
299
382
|
if (format === "json") {
|
|
383
|
+
// Embed remediation plan directly in JSON when verdict is not PASS
|
|
384
|
+
if (result.verdict !== "PASS") {
|
|
385
|
+
const plan = buildInlineRemediationPlan(result);
|
|
386
|
+
return JSON.stringify({
|
|
387
|
+
...result,
|
|
388
|
+
remediationPlan: {
|
|
389
|
+
totalSectionsWithFindings: plan.length,
|
|
390
|
+
warning: `MANDATORY: You must fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call verify_remediation to confirm.`,
|
|
391
|
+
steps: plan,
|
|
392
|
+
},
|
|
393
|
+
});
|
|
394
|
+
}
|
|
300
395
|
return JSON.stringify(result);
|
|
301
396
|
}
|
|
302
397
|
if (format === "terminal") {
|
|
@@ -360,6 +455,28 @@ export function formatAuditResult(result, format) {
|
|
|
360
455
|
lines.push(`- ${item}`);
|
|
361
456
|
}
|
|
362
457
|
}
|
|
458
|
+
// Embed remediation plan when verdict is not PASS
|
|
459
|
+
if (result.verdict !== "PASS") {
|
|
460
|
+
const plan = buildInlineRemediationPlan(result);
|
|
461
|
+
if (plan.length > 0) {
|
|
462
|
+
lines.push(``);
|
|
463
|
+
lines.push(`## Mandatory Remediation Plan`);
|
|
464
|
+
lines.push(``);
|
|
465
|
+
lines.push(`> **IMPORTANT: You MUST fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call \`verify_remediation\` to confirm.**`);
|
|
466
|
+
lines.push(``);
|
|
467
|
+
for (const step of plan) {
|
|
468
|
+
lines.push(`### Step ${step.priority}: ${step.section} (${step.findings} findings — ${step.critical} critical, ${step.high} high)`);
|
|
469
|
+
lines.push(``);
|
|
470
|
+
for (let i = 0; i < step.actions.length; i++) {
|
|
471
|
+
lines.push(`${i + 1}. ${step.actions[i]}`);
|
|
472
|
+
}
|
|
473
|
+
lines.push(``);
|
|
474
|
+
}
|
|
475
|
+
lines.push(`### Final verification`);
|
|
476
|
+
lines.push(``);
|
|
477
|
+
lines.push(`After completing ALL steps above, call \`verify_remediation\` to confirm every section was addressed. Do NOT declare remediation complete until verify_remediation returns "complete".`);
|
|
478
|
+
}
|
|
479
|
+
}
|
|
363
480
|
lines.push(``);
|
|
364
481
|
lines.push(`---`);
|
|
365
482
|
lines.push(`Timestamp: ${result.timestamp}`);
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.10",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|