npm - guardvibe - Versions diffs - 3.1.0 → 3.1.2 - Mend

guardvibe 3.1.0 → 3.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +8 -1
package/build/cli/init.js +30 -3
package/build/cli.js +4 -0
package/build/index.js +3 -0
package/build/utils/update-check.d.ts +27 -0
package/build/utils/update-check.js +125 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -64,7 +64,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 npx guardvibe init claude
 ```
-Creates `.claude.json` MCP config, `.claude/settings.json` auto-scan hooks, and `CLAUDE.md` security rules. Restart Claude Code after setup.
+Creates `.mcp.json` MCP config (pinned to current version), `.claude/settings.json` auto-scan hooks, and `CLAUDE.md` security rules. Restart Claude Code after setup.
 ### Cursor
@@ -286,6 +286,13 @@ npx guardvibe doctor --scope host    # + shell profiles, global MCP configs
 npx guardvibe doctor --scope full    # + home dir configs
 npx guardvibe doctor --format json   # JSON output
+# LLM-powered deep scan (IDOR, business logic, race conditions, auth bypass)
+npx guardvibe deep-scan <file>                  # Default: Haiku 4.5, all focus areas
+npx guardvibe deep-scan <file> --focus idor     # Narrow to IDOR
+npx guardvibe deep-scan <file> --model sonnet   # Deeper analysis (more expensive)
+npx guardvibe deep-scan <file> --max-bytes 5000 # Truncate input for cost control
+# Requires ANTHROPIC_API_KEY or OPENAI_API_KEY env var
 # Setup
 npx guardvibe init <platform>       # Setup MCP server (claude, cursor, gemini, all)
 npx guardvibe hook install           # Install pre-commit hook

package/build/cli/init.js CHANGED Viewed

@@ -14,6 +14,18 @@ const GUARDVIBE_MCP_CONFIG = {
     command: "npx",
     args: ["-y", `guardvibe@${pkg.version}`],
 };
+/** Extract a pinned version from an existing MCP server config (`{ args: ["-y", "guardvibe@X.Y.Z"] }`). */
+function extractPinnedVersion(config) {
+    const args = config?.args;
+    if (!Array.isArray(args))
+        return null;
+    for (const arg of args) {
+        if (typeof arg === "string" && arg.startsWith("guardvibe@")) {
+            return arg.slice("guardvibe@".length);
+        }
+    }
+    return null;
+}
 const platforms = {
     claude: {
         path: join(process.cwd(), ".mcp.json"),
@@ -177,12 +189,27 @@ function setupPlatform(name) {
         if (!existing.mcpServers) {
             existing.mcpServers = {};
         }
-        if (existing.mcpServers["guardvibe"]) {
-            console.log(`  [OK] GuardVibe already configured in ${platform.description}`);
+        const servers = existing.mcpServers;
+        if (servers["guardvibe"]) {
+            const existingPin = extractPinnedVersion(servers["guardvibe"]);
+            if (existingPin && existingPin !== pkg.version) {
+                servers["guardvibe"] = GUARDVIBE_MCP_CONFIG;
+                writeJsonFile(platform.path, existing);
+                console.log(`  [OK] Upgraded GuardVibe pin in ${platform.description} (${existingPin} → ${pkg.version})`);
+            }
+            else if (!existingPin) {
+                // Existing config has no pin (legacy unpinned form) — overwrite to pin.
+                servers["guardvibe"] = GUARDVIBE_MCP_CONFIG;
+                writeJsonFile(platform.path, existing);
+                console.log(`  [OK] Pinned GuardVibe in ${platform.description} (was unpinned → ${pkg.version})`);
+            }
+            else {
+                console.log(`  [OK] GuardVibe already up-to-date in ${platform.description} (v${pkg.version})`);
+            }
             setupSecurityGuide(name);
             return true;
         }
-        existing.mcpServers["guardvibe"] = GUARDVIBE_MCP_CONFIG;
+        servers["guardvibe"] = GUARDVIBE_MCP_CONFIG;
         writeJsonFile(platform.path, existing);
     }
     else {

package/build/cli.js CHANGED Viewed

@@ -1,7 +1,11 @@
 #!/usr/bin/env node
 import { createRequire } from "module";
+import { checkForUpdate } from "./utils/update-check.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
+// Fire-and-forget update notification (writes to stderr if newer version exists).
+// Skipped when GUARDVIBE_NO_UPDATE_CHECK=1, NO_UPDATE_NOTIFIER=1, or CI=true.
+checkForUpdate(pkg.version);
 // ── Scan entry point detection ──────────────────────────────────────
 const SCAN_SCRIPT_DETECTED = process.argv[1]?.endsWith("guardvibe-scan") ||
     process.argv[1]?.endsWith("guardvibe-scan.js");

package/build/index.js CHANGED Viewed

@@ -998,6 +998,9 @@ export async function startMcpServer() {
     return main();
 }
 async function main() {
+    // Fire-and-forget npm update check (writes a banner to stderr if newer version exists).
+    const { checkForUpdate } = await import("./utils/update-check.js");
+    checkForUpdate(pkg.version);
     // Load plugins
     const config = loadConfig(process.cwd());
     const plugins = await discoverPlugins(process.cwd(), config.plugins);

package/build/utils/update-check.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * Non-blocking npm update notification.
+ *
+ * On startup of the CLI or MCP server, fires an async GET against
+ * https://registry.npmjs.org/guardvibe/latest. Result is cached for 24h
+ * in ~/.cache/guardvibe/version-check.json so we never hit npm twice in
+ * a day from one machine. If a newer version is available, a 5-line
+ * banner is written to stderr — never stdout, so the MCP JSON-RPC stream
+ * is untouched.
+ *
+ * Disable with GUARDVIBE_NO_UPDATE_CHECK=1, NO_UPDATE_NOTIFIER=1,
+ * or CI=true (CI runners don't need version banners).
+ */
+/**
+ * Compare two semver strings. Returns true if `latest` is strictly newer.
+ * Handles plain MAJOR.MINOR.PATCH (no pre-release / build metadata).
+ */
+export declare function isNewer(latest: string, current: string): boolean;
+/**
+ * Fire-and-forget version check. Never throws, never blocks.
+ *
+ * Behavior:
+ *   - If env var disables it → no-op.
+ *   - If cache is fresh (< 24h) and indicates newer version → announce immediately.
+ *   - If cache is stale → fire async fetch, update cache, announce if newer.
+ */
+export declare function checkForUpdate(currentVersion: string): void;

package/build/utils/update-check.js ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * Non-blocking npm update notification.
+ *
+ * On startup of the CLI or MCP server, fires an async GET against
+ * https://registry.npmjs.org/guardvibe/latest. Result is cached for 24h
+ * in ~/.cache/guardvibe/version-check.json so we never hit npm twice in
+ * a day from one machine. If a newer version is available, a 5-line
+ * banner is written to stderr — never stdout, so the MCP JSON-RPC stream
+ * is untouched.
+ *
+ * Disable with GUARDVIBE_NO_UPDATE_CHECK=1, NO_UPDATE_NOTIFIER=1,
+ * or CI=true (CI runners don't need version banners).
+ */
+import { readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { homedir, tmpdir } from "node:os";
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24h
+const NPM_URL = "https://registry.npmjs.org/guardvibe/latest";
+const FETCH_TIMEOUT_MS = 2000;
+function cachePath() {
+    const home = process.env.HOME ?? homedir();
+    const baseDir = home && home.length > 0 ? join(home, ".cache", "guardvibe") : join(tmpdir(), "guardvibe");
+    return join(baseDir, "version-check.json");
+}
+function readCache() {
+    try {
+        const raw = readFileSync(cachePath(), "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+function writeCache(data) {
+    try {
+        const path = cachePath();
+        mkdirSync(dirname(path), { recursive: true });
+        writeFileSync(path, JSON.stringify(data));
+    }
+    catch {
+        // Cache write failure is non-fatal; silently swallow.
+    }
+}
+/**
+ * Compare two semver strings. Returns true if `latest` is strictly newer.
+ * Handles plain MAJOR.MINOR.PATCH (no pre-release / build metadata).
+ */
+export function isNewer(latest, current) {
+    const parse = (v) => v.split(".").map(n => parseInt(n, 10));
+    const la = parse(latest);
+    const ca = parse(current);
+    for (let i = 0; i < 3; i++) {
+        const l = la[i] ?? 0;
+        const c = ca[i] ?? 0;
+        if (l !== c)
+            return l > c;
+    }
+    return false;
+}
+async function fetchLatest() {
+    try {
+        const ctrl = new AbortController();
+        const timer = setTimeout(() => ctrl.abort(), FETCH_TIMEOUT_MS);
+        // guardvibe-ignore VG120 — NPM_URL is a hardcoded module-level constant, not user input
+        const res = await fetch(NPM_URL, { signal: ctrl.signal });
+        clearTimeout(timer);
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        return typeof data.version === "string" ? data.version : null;
+    }
+    catch {
+        return null;
+    }
+}
+function announceUpdate(latest, current) {
+    const lines = [
+        "",
+        "  ┌──────────────────────────────────────────────────────────┐",
+        `  │  GuardVibe ${current} → ${latest} available`,
+        "  │  Upgrade: re-run `npx guardvibe init <host>` to pin the new",
+        "  │           version into your .mcp.json (or `npx guardvibe@latest`)",
+        "  │  Silence: set GUARDVIBE_NO_UPDATE_CHECK=1",
+        "  └──────────────────────────────────────────────────────────┘",
+        "",
+    ];
+    process.stderr.write(lines.join("\n"));
+}
+function isDisabled() {
+    return (process.env.GUARDVIBE_NO_UPDATE_CHECK === "1" ||
+        process.env.NO_UPDATE_NOTIFIER === "1" ||
+        process.env.CI === "true" ||
+        process.env.CI === "1");
+}
+/**
+ * Fire-and-forget version check. Never throws, never blocks.
+ *
+ * Behavior:
+ *   - If env var disables it → no-op.
+ *   - If cache is fresh (< 24h) and indicates newer version → announce immediately.
+ *   - If cache is stale → fire async fetch, update cache, announce if newer.
+ */
+export function checkForUpdate(currentVersion) {
+    if (isDisabled())
+        return;
+    const cache = readCache();
+    const now = Date.now();
+    if (cache && cache.latest && now - cache.checkedAt < CACHE_TTL_MS) {
+        if (isNewer(cache.latest, currentVersion)) {
+            announceUpdate(cache.latest, currentVersion);
+        }
+        return;
+    }
+    // Cache missing or stale — refresh in background, don't await.
+    fetchLatest()
+        .then(latest => {
+        writeCache({ checkedAt: now, latest });
+        if (latest && isNewer(latest, currentVersion)) {
+            announceUpdate(latest, currentVersion);
+        }
+    })
+        .catch(() => {
+        // Non-fatal.
+    });
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",