guardvibe 3.0.9 → 3.0.11

package/build/data/rules/advanced-security.js

@@ -34,7 +34,7 @@ export const advancedSecurityRules = [
         severity: "low",
         owasp: "API4:2023 Unrestricted Resource Consumption",
         description: "API endpoint reads request body without explicit size limit. Note: Next.js/Vercel applies a default 4.5MB limit, so this is informational for those platforms. For custom servers, attackers can send large payloads to exhaust memory.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH)\s*\([^)]*\)\s*\{(?:(?!content-length|maxBodySize|limit|MAX_)[\s\S]){5,}?(?:req\.json|req\.text|req\.body|req\.formData|request\.json|request\.text)\s*\(\s*\)/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH)\s*\([^)]*\)\s*\{(?:(?!content-length|maxBodySize|limit|MAX_|parseBody|checkBodySize|bodyParser|bodyLimit|sizeLimit)[\s\S]){5,}?(?:req\.json|req\.text|req\.body|req\.formData|request\.json|request\.text)\s*\(\s*\)/g,
         languages: ["javascript", "typescript"],
         fix: "Check Content-Length header before parsing body, or use a body parser with size limit.",
         fixCode: '// Check body size before parsing\nexport async function POST(req: Request) {\n  const contentLength = parseInt(req.headers.get("content-length") || "0");\n  if (contentLength > 1024 * 1024) { // 1MB limit\n    return new Response("Payload too large", { status: 413 });\n  }\n  const body = await req.json();\n}',
@@ -188,7 +188,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Security headers are configured but Referrer-Policy is missing. Without it, the full URL (including query parameters with tokens/IDs) is sent to external sites in the Referer header.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{10,}?(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)(?:(?!Referrer-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))(?![\s\S]*Referrer-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add Referrer-Policy: strict-origin-when-cross-origin to your security headers.",
         fixCode: '{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" }',
@@ -201,7 +201,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Security headers are configured but Permissions-Policy is missing. Without it, embedded iframes and scripts can access camera, microphone, geolocation, and other sensitive browser APIs.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{10,}?(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)(?:(?!Permissions-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))(?![\s\S]*Permissions-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add Permissions-Policy header to restrict browser API access.",
         fixCode: '{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" }',
@@ -330,7 +330,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A01:2025 Broken Access Control",
         description: "POST/PUT/PATCH/DELETE route handler performs database mutations without CSRF token verification. Cross-site requests from malicious pages can trick authenticated users into performing unwanted actions.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\s*\([^)]*\)\s*\{(?:(?!csrf|csrfToken|CSRF|x-csrf|verifyCsrf|validateCsrf|anti.?forgery)[\s\S]){10,}?(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.insert\s*\(|\.upsert\s*\()/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\s*\([^)]*\)\s*\{(?:(?!csrf|csrfToken|CSRF|x-csrf|verifyCsrf|validateCsrf|anti.?forgery|requireAdmin|requireAuth|checkAuth|withAuth|protectRoute|authenticate|x-csrf-protection)[\s\S]){10,}?(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.insert\s*\(|\.upsert\s*\()/g,
         languages: ["javascript", "typescript"],
         fix: "Add CSRF token verification to state-changing endpoints.",
         fixCode: '// Verify CSRF token from header\nexport async function POST(req: Request) {\n  const csrfToken = req.headers.get("x-csrf-token");\n  if (!verifyCsrfToken(csrfToken)) {\n    return new Response("CSRF validation failed", { status: 403 });\n  }\n}',

package/build/data/rules/modern-stack.js

@@ -269,7 +269,7 @@ export const modernStackRules = [
         severity: "high",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Next.js app does not set a Content-Security-Policy header. CSP is the strongest defense against XSS — without it, injected scripts run freely in your users' browsers.",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{(?:(?!Content-Security-Policy)[\s\S]){20,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?=[\s\S]*(?:X-Frame-Options|Strict-Transport-Security|X-Content-Type-Options))(?![\s\S]*Content-Security-Policy)/g,
         languages: ["javascript", "typescript"],
         fix: "Add a Content-Security-Policy header in next.config.ts headers().",
         fixCode: "// next.config.ts\nasync headers() {\n  return [{\n    source: '/(.*)',\n    headers: [{\n      key: 'Content-Security-Policy',\n      value: \"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;\"\n    }]\n  }];\n}",
@@ -476,7 +476,7 @@ export const modernStackRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "User-uploaded file's original filename is used directly for storage without sanitization. Attackers can use directory traversal (../../etc/passwd), null bytes (file.php%00.jpg), double extensions (file.jpg.exe), or Unicode tricks to overwrite files, bypass type checks, or achieve remote code execution.",
-        pattern: /(?:file\.name|originalname|filename|req\.file\.originalname|formData\.get\s*\(\s*['"]file['"])\s*[\s\S]{0,100}?(?:writeFile|createWriteStream|save|upload|putObject|mv\s*\(|rename|storage)/gi,
+        pattern: /(?:file\.name|originalname|req\.file\.originalname|formData\.get\s*\(\s*['"]file['"])(?:(?!randomUUID|uuid|nanoid|sanitize|safeFilename|safeName|allowedExt|allowedExtensions|\.replace\s*\(\s*\/\[)[\s\S]){0,100}?(?:writeFile|createWriteStream|save|upload|putObject|mv\s*\(|rename|storage)/gi,
         languages: ["javascript", "typescript"],
         fix: "Generate a random filename (UUID/nanoid) and validate the extension against an allowlist. Never use the original filename for storage.",
         fixCode: 'import { randomUUID } from "crypto";\nimport path from "path";\n\n// Generate safe filename\nconst ext = path.extname(file.name).toLowerCase();\nconst ALLOWED_EXT = [".jpg", ".jpeg", ".png", ".webp", ".pdf"];\nif (!ALLOWED_EXT.includes(ext)) throw new Error("Invalid file type");\nconst safeName = `${randomUUID()}${ext}`;\nawait fs.writeFile(`/uploads/${safeName}`, buffer);',

package/build/data/rules/nextjs.js

@@ -66,7 +66,7 @@ export const nextjsRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "next.config is missing important security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options).",
-        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{(?:(?!X-Frame-Options|Strict-Transport-Security|Content-Security-Policy)[\s\S]){10,}?\}/g,
+        pattern: /(?:async\s+)?headers\s*\(\s*\)(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
         languages: ["javascript", "typescript"],
         fix: "Add security headers in next.config.ts headers() function.",
         fixCode: '// next.config.ts\nasync headers() {\n  return [{\n    source: "/(.*)",\n    headers: [\n      { key: "X-Frame-Options", value: "DENY" },\n      { key: "X-Content-Type-Options", value: "nosniff" },\n      { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },\n    ]\n  }];\n}',

package/build/tools/full-audit.js

@@ -291,12 +291,115 @@ export async function runFullAudit(path, options) {
         actionItems,
     };
 }
+function buildInlineRemediationPlan(result) {
+    const sectionConfig = {
+        secrets: {
+            priority: 1,
+            tool: "scan_secrets",
+            actions: [
+                "Call scan_secrets with format: json to list all secrets with file locations",
+                "For EACH secret: move to environment variable, add file to .gitignore",
+                "Rotate any API keys/tokens that were committed — they are compromised",
+                "Call scan_secrets_history to check git history for previously committed secrets",
+                "Re-run scan_secrets to confirm 0 secrets remain",
+            ],
+        },
+        code: {
+            priority: 2,
+            tool: "scan_directory",
+            actions: [
+                "Call scan_directory with format: json to get full finding list with fix suggestions",
+                "Fix ALL critical and high severity findings using fix_code for each file",
+                "Call verify_fix after each fix to confirm the vulnerability is resolved",
+                "Re-run scan_directory to confirm findings are resolved",
+            ],
+        },
+        dependencies: {
+            priority: 3,
+            tool: "scan_dependencies",
+            actions: [
+                "Call scan_dependencies with format: json to list vulnerable packages with CVE details",
+                "Run npm audit fix or npm update <package> for each vulnerable dependency",
+                "If a package is abandoned, find an alternative with check_package_health",
+                "Re-run scan_dependencies to confirm 0 CVEs remain",
+            ],
+        },
+        config: {
+            priority: 4,
+            tool: "audit_config",
+            actions: [
+                "Call audit_config with format: json to list all config issues",
+                "Call explain_remediation for each finding to get specific fix guidance",
+                "Apply fixes to next.config, middleware, .env, vercel.json, etc.",
+                "Re-run audit_config to confirm config issues are resolved",
+            ],
+        },
+        taint: {
+            priority: 5,
+            tool: "analyze_cross_file_dataflow",
+            actions: [
+                "Call analyze_cross_file_dataflow to trace tainted data flows from source to sink",
+                "Add input validation (zod/joi) at each source, or output encoding at each sink",
+                "Re-run analyze_cross_file_dataflow to confirm tainted flows are resolved",
+            ],
+        },
+        "auth-coverage": {
+            priority: 6,
+            tool: "auth_coverage",
+            actions: [
+                "Call auth_coverage with format: json to list all unprotected routes",
+                "Add auth guard (Clerk/NextAuth/Supabase) to each unprotected route",
+                "If a route is intentionally public, document it in .guardviberc authExceptions",
+                "Re-run auth_coverage to confirm all routes are protected or documented",
+            ],
+        },
+    };
+    const steps = [];
+    for (const section of result.sections) {
+        if (section.findings === 0)
+            continue;
+        const config = sectionConfig[section.name];
+        if (!config)
+            continue;
+        steps.push({
+            section: section.name,
+            priority: config.priority,
+            findings: section.findings,
+            critical: section.critical,
+            high: section.high,
+            tool: config.tool,
+            actions: config.actions,
+        });
+    }
+    steps.sort((a, b) => a.priority - b.priority);
+    return steps;
+}
 // --- Formatter ---
 /**
  * Format audit result as markdown, JSON, or terminal-friendly output.
  */
 export function formatAuditResult(result, format) {
     if (format === "json") {
+        // Embed remediation plan directly in JSON when verdict is not PASS
+        if (result.verdict !== "PASS") {
+            const plan = buildInlineRemediationPlan(result);
+            return JSON.stringify({
+                ...result,
+                remediationPlan: {
+                    totalSectionsWithFindings: plan.length,
+                    warning: `MANDATORY: You must fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call verify_remediation to confirm.`,
+                    rules: [
+                        "Do NOT dismiss findings as 'false positive' without running the section-specific tool first and verifying the finding is genuinely wrong.",
+                        "Do NOT say 'npm audit is clean' to skip dependencies — GuardVibe uses the OSV database which may detect CVEs that npm audit misses.",
+                        "Do NOT say 'already in .gitignore' to skip secrets — if GuardVibe detects secrets, they exist in the scanned files and must be removed or moved to env vars.",
+                        "Do NOT skip auth-coverage by saying routes are 'intentionally public' — either add auth guards or add them to .guardviberc authExceptions so the scanner recognizes them.",
+                        "After fixing each section, re-run the section-specific tool to confirm the finding count dropped. If it didn't drop, your fix didn't work.",
+                        "Only call verify_remediation AFTER you have worked through ALL sections and confirmed each one improved.",
+                    ],
+                    steps: plan,
+                },
+            });
+        }
         return JSON.stringify(result);
     }
     if (format === "terminal") {
@@ -360,6 +463,35 @@ export function formatAuditResult(result, format) {
             lines.push(`- ${item}`);
         }
     }
+    // Embed remediation plan when verdict is not PASS
+    if (result.verdict !== "PASS") {
+        const plan = buildInlineRemediationPlan(result);
+        if (plan.length > 0) {
+            lines.push(``);
+            lines.push(`## Mandatory Remediation Plan`);
+            lines.push(``);
+            lines.push(`> **IMPORTANT: You MUST fix ALL ${plan.length} sections below. Do NOT fix only the code section and skip the rest. Work through each section in priority order. After completing ALL sections, call \`verify_remediation\` to confirm.**`);
+            lines.push(``);
+            lines.push(`**Rules:**`);
+            lines.push(`- Do NOT dismiss findings as "false positive" without running the section-specific tool first`);
+            lines.push(`- Do NOT say "npm audit is clean" to skip dependencies — GuardVibe uses OSV which may detect CVEs npm misses`);
+            lines.push(`- Do NOT say "already in .gitignore" to skip secrets — if detected, they exist in scanned files`);
+            lines.push(`- After fixing each section, re-run the section tool to confirm finding count dropped`);
+            lines.push(`- Only call verify_remediation AFTER all sections show improvement`);
+            lines.push(``);
+            for (const step of plan) {
+                lines.push(`### Step ${step.priority}: ${step.section} (${step.findings} findings — ${step.critical} critical, ${step.high} high)`);
+                lines.push(``);
+                for (let i = 0; i < step.actions.length; i++) {
+                    lines.push(`${i + 1}. ${step.actions[i]}`);
+                }
+                lines.push(``);
+            }
+            lines.push(`### Final verification`);
+            lines.push(``);
+            lines.push(`After completing ALL steps above, call \`verify_remediation\` to confirm every section was addressed. Do NOT declare remediation complete until verify_remediation returns "complete".`);
+        }
+    }
     lines.push(``);
     lines.push(`---`);
     lines.push(`Timestamp: ${result.timestamp}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.9",
+  "version": "3.0.11",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",