guardvibe 3.1.24 → 3.1.26

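--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -5,6 +5,23 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.25] - 2026-05-16
+
+### Added — 2 new rules (422 → 424)
+- **VG1069** node-ipc malicious versions detection (CVE-2022-23812 / peacenotwar). Flags `node-ipc` pins on 9.2.2, 10.1.1–10.1.3, and the entire 11.x line — these versions ship maintainer-authored sabotage payloads (file overwrite on RU/BY-geolocated hosts and propaganda-file drops to `~/Desktop`). Fix advises pinning via `overrides`/`resolutions` to 12.0.0+ and treating any install host as compromised
+- **VG1070** CI npm install/ci without supply-chain hardening flag. Fires on `.github/workflows/*.yml` (or any YAML CI file) that calls `npm ci`, `npm install`, or `npm i` without `--expect-provenance` (npm 10.2+) or `--ignore-scripts`. Mitigates lifecycle-script execution from typosquatted or compromised packages — the same path the 2026 @tanstack Mini Shai-Hulud wave used to reach CI secrets
+
+### Changed
+- Dogfood: GuardVibe's own `.github/workflows/ci.yml` and `publish.yml` now run `npm ci --ignore-scripts` (was plain `npm ci`)
+- CLI `rulesApplied` default 422 → 424 (src/index.ts + src/tools/full-audit.ts)
+- package.json description refreshed: 422 → 424 rules, 60 → 61 CVE rules, mentions VG1070 supply-chain hardening
+
+### Skipped from the 2026-05-16 briefing (already covered)
+- P1 Next.js 15.5.18 / 16.2.6 upgrade → VG1047 (May 2026 cluster) already detects 12.2.0–15.5.17 and 16.0.0–16.2.5
+- P1 @tanstack/* compromised versions → VG1056 already detects the May 2026 Mini Shai-Hulud wave
+- P2 MCP Tool Poisoning kural seti → VG1068 already implements the OWASP MCP Top 10 tool-description prompt-injection markers
+- P3 EU AI Act August 2026 → handled by existing compliance_report module via `EUAIACT:Art14` / `EUAIACT:Art15` mappings; no new rule
+
 ## [3.1.24] - 2026-05-14
 
 ### Changed — docs / metadata refresh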
@@ -128,4 +128,17 @@ export const apiSecurityRules = [
128
128
  fixCode: 'catch (error) {\n console.error("Internal error:", error); // log server-side\n return Response.json(\n { error: "Something went wrong" }, // generic to client\n { status: 500 }\n );\n}',
129
129
  compliance: ["SOC2:CC7.2"],
130
130
  },
131
+ {
132
+ id: "VG1071",
133
+ name: "Axios Proxy Auth Leak Through Redirect (CVE-2026-44486 / CVE-2026-44487)",
134
+ severity: "high",
135
+ owasp: "API8:2023 Security Misconfiguration",
136
+ description: "An axios() call or axios.create() config sets a proxy with auth credentials (or a Proxy-Authorization header) without disabling redirect-following. When axios follows a 3xx redirect, the original Proxy-Authorization header is replayed against the redirect destination — leaking proxy credentials to whatever origin an attacker can redirect to. CVE-2026-44486 (Proxy-Authorization leak to redirect target) and CVE-2026-44487 (header carry-over to origin server) describe the dual leak; either is enough to compromise the proxy account. The rule fires when proxy auth is present and no nearby maxRedirects: 0 mitigation is set; pair the upgrade with a hard-coded maxRedirects: 0 on any request that traverses an authenticated proxy.",
137
+ pattern: /\baxios(?:\.create)?\s*\(\s*\{(?:(?!maxRedirects\s*:\s*0)[\s\S]){0,800}?\bproxy\s*:\s*\{(?:(?!maxRedirects\s*:\s*0)[\s\S]){0,400}?(?:\bauth\s*:|Proxy-Authorization)(?!(?:(?!\}\s*\))[\s\S]){0,1500}?\bmaxRedirects\s*:\s*0\b)/g,
138
+ languages: ["javascript", "typescript"],
139
+ fix: "Upgrade axios to a patched release that strips Proxy-Authorization on redirects. For pre-patch versions, force maxRedirects: 0 on every request that traverses an authenticated proxy, or replace the credentialed proxy with a non-authenticated proxy plus a signed-URL pattern.",
140
+ fixCode: "// BAD — proxy auth + default redirect-following leaks creds\nconst client = axios.create({\n proxy: {\n host: 'proxy.internal',\n port: 8080,\n auth: { username: process.env.PROXY_USER, password: process.env.PROXY_PASS },\n },\n // maxRedirects defaults to 5 — Proxy-Authorization travels with every hop\n});\n\n// GOOD — hard-disable redirects on the authenticated proxy path\nconst client = axios.create({\n proxy: {\n host: 'proxy.internal',\n port: 8080,\n auth: { username: process.env.PROXY_USER, password: process.env.PROXY_PASS },\n },\n maxRedirects: 0,\n});",
141
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1", "ISO27001:A.13.2.1"],
142
+ exploit: "Attacker controls a redirect target the proxied request reaches (open redirect on a partner site, attacker-owned subdomain, or DNS-rebinding). Axios issues the second-hop request and replays the cached Proxy-Authorization header — the attacker captures the proxy username/password from the second hop's logs and uses them to pivot inside the corporate network the proxy fronts.",
143
+ },
131
144
  ];
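Review bot: The second tempered span in `pattern` (the `{0,400}?` run after `proxy\s*:\s*\{`) is not stopped by the proxy object's closing brace, so a credential-free `proxy: { host, port }` followed within 400 characters by a request-level basic-auth `auth: { username, password }` is reported as proxy-credential leakage — a false positive on the ordinary axios basic-auth config. Conversely, the header form the description promises to catch is normally written as `headers: { 'Proxy-Authorization': ... }` with no `proxy:` key at all, and the pattern cannot match that because it requires `proxy\s*:\s*\{` first. Consider stopping the inner span at the first `}` — `(?:(?!maxRedirects\s*:\s*0|\})[\s\S]){0,400}?` — and adding a separate top-level alternative for `Proxy-Authorization` inside `headers`, accepting that a nested object placed before `auth:` inside `proxy` would then be missed. The stacked `(?:(?!…)[\s\S]){0,N}?` constructs under `/g` can also backtrack heavily on a large file with many `axios(` calls; worth a timing check against a real bundle before shipping.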
@@ -83,4 +83,16 @@ export const cicdRules = [
83
83
  fixCode: '# Use pull_request for untrusted code\non:\n pull_request:\n branches: [main]\nsteps:\n - uses: actions/checkout@v4\n - run: npm test # safe: runs YOUR code, not PR code',
84
84
  compliance: ["SOC2:CC7.1"],
85
85
  },
86
+ {
87
+ id: "VG1070",
88
+ name: "CI npm install/ci Without Supply-Chain Hardening Flag (--expect-provenance / --ignore-scripts)",
89
+ severity: "medium",
90
+ owasp: "A08:2025 Software & Data Integrity Failures",
91
+ description: "A CI workflow runs `npm install` or `npm ci` without `--expect-provenance` (npm 10.2+, requires every installed package to ship an SLSA provenance attestation signed against the npm registry) or `--ignore-scripts` (skips lifecycle scripts that typosquats and compromised maintainers use as the execution beachhead). One of the two should be on every CI install step. The 2026 @tanstack mass-malware wave, the 2022 node-ipc protestware, and the long tail of post-install crypto-miners all execute through lifecycle scripts the first time the package lands on a build runner — once that command runs, the runner's secrets are reachable. `--expect-provenance` raises the bar further by refusing unsigned packages entirely; pair it with `--ignore-scripts` for packages whose maintainers have not yet published provenance.",
92
+ pattern: /(?:^|\n)\s*(?:-\s+)?(?:run|cmd|shell):\s*[|>-]?\s*["'`]?[^"'`\n]*\bnpm\s+(?:ci|install|i)\b(?![^\n"'`]*--(?:expect-provenance|ignore-scripts))[^\n"'`]*/gi,
93
+ languages: ["yaml"],
94
+ fix: "Add `--expect-provenance` (recommended for new pipelines) or `--ignore-scripts` (broadest compatibility) to every `npm install` / `npm ci` invocation in CI. `--expect-provenance` will fail the install if any package lacks a signed SLSA attestation — combine with `--ignore-scripts` while upstream packages catch up to provenance. For deployments that must run `postinstall` (e.g. native binary build), narrow the allowlist instead of disabling the flag globally.",
95
+ fixCode: "# BAD — no supply-chain gate\n- run: npm ci\n\n# GOOD — strict\n- run: npm ci --expect-provenance --ignore-scripts\n\n# GOOD — minimal\n- run: npm ci --ignore-scripts",
96
+ compliance: ["SOC2:CC7.1", "SOC2:CC8.1", "PCI-DSS:Req6.2"],
97
+ },
86
98
  ];
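Review bot: `pattern` only inspects the physical line on which `npm ci`/`npm install` appears, so hardening applied elsewhere in the step — `env: NPM_CONFIG_IGNORE_SCRIPTS: true` on the job, or `ignore-scripts=true` in the repository's `.npmrc` — still produces a finding, while a block scalar (`run: |`) whose `npm ci` is not the first line is never examined because the `[^"'`\n]*` runs cannot cross a newline. The first case is a false positive the `fix` text should acknowledge, by pointing at the `.guardviberc` allowlist that VG1075's `fixCode` already references or by letting the negative lookahead also accept `NPM_CONFIG_IGNORE_SCRIPTS` on the same line; the second is a silent miss that `description` could state instead of implying full coverage of any YAML CI file. A one-sentence addition to `description` such as "only the line containing the npm invocation is inspected; config-based hardening (.npmrc, NPM_CONFIG_*) is not recognised" would set expectations correctly.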
@@ -721,4 +721,16 @@ export const cveVersionRules = [
721
721
  fixCode: '// package.json\n"@trpc/server": "^11.8.0" // or "^10.45.3" for v10\n\n// Defence-in-depth — strict schema + frozen prototype\nimport { z } from "zod";\nconst input = z.object({ id: z.string() }).strict(); // rejects __proto__\nObject.freeze(Object.prototype); // run once at bootstrap',
722
722
  compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
723
723
  },
724
+ {
725
+ id: "VG1069",
726
+ name: "node-ipc Malicious Versions — Embedded Sabotage Payload (CVE-2022-23812 / peacenotwar)",
727
+ severity: "critical",
728
+ owasp: "A08:2025 Software & Data Integrity Failures",
729
+ description: "node-ipc versions 9.2.2 (hidden functionality, GHSA-8gr3-2gjw-jj7g), 10.1.1–10.1.3 (embedded malicious code overwriting files on hosts geo-located to RU/BY, CVE-2022-23812, GHSA-97m3-w2cp-4xx6), and the entire 11.x line (peacenotwar dependency that writes propaganda files to the user's Desktop, GHSA-3mpp-xfvh-qh37) ship attacker-authored protestware as the maintainer's intentional payload. The package is still pulled in transitively today by older Salesforce CLI builds and a handful of legacy tooling. Any install that resolves to one of these versions is treated as a confirmed compromise — rotate any secrets reachable from the install host and re-image build agents.",
730
+ pattern: /["']node-ipc["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:9\.2\.2|10\.1\.[1-3]|11\.\d+\.\d+)["']/g,
731
+ languages: ["json"],
732
+ fix: "Pin node-ipc to 12.0.0+ via `overrides` / `resolutions` / `pnpm.overrides` to break transitive resolution onto the compromised 9.2.2 / 10.1.1–10.1.3 / 11.x band. Audit the install host: rotate any developer / CI secrets the install machine could read, re-image build agents, and check `~/Desktop/WITH-LOVE-FROM-AMERICA.txt` and similar paths for the protestware drop. If the dependency is no longer needed, remove it entirely.",
733
+ fixCode: '// package.json\n"overrides": { "node-ipc": "^12.0.0" }\n\n// pnpm-only\n// "pnpm": { "overrides": { "node-ipc": "^12.0.0" } }\n\n// yarn classic / berry\n// "resolutions": { "node-ipc": "^12.0.0" }',
734
+ compliance: ["SOC2:CC7.1", "SOC2:CC8.1", "PCI-DSS:Req6.2"],
735
+ },
724
736
  ];
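Review bot: `pattern` matches only a direct dependency entry whose spec names a bad version literally, yet the description says the package arrives transitively; a package-lock.json entry has the shape `"node_modules/node-ipc": { "version": "10.1.3", … }` and never matches `["']node-ipc["']\s*:\s*["']`, and a range such as `"^9.2.0"` or `"~10.1.0"` that may resolve onto 9.2.2 / 10.1.3 is passed as clean. Adding an alternative for the lockfile shape, e.g. `|"node_modules\/node-ipc"\s*:\s*\{\s*"version"\s*:\s*"(?:9\.2\.2|10\.1\.[1-3]|11\.\d+\.\d+)"`, would cover the transitive case the rule is written for; the resolving-range case is a trade-off between noise and misses and should at least be named in `description` so readers do not assume a clean scan means no exposure.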
@@ -147,4 +147,17 @@ export const databaseRules = [
147
147
  fixCode: 'import { sql } from "drizzle-orm";\n\n// BAD: user input in identifier\nconst col = req.query.sortBy;\ndb.select().from(sql.identifier(col)); // SQL injection!\n\n// GOOD: allowlist valid identifiers\nconst ALLOWED_COLUMNS = ["name", "email", "created_at"] as const;\nconst col = ALLOWED_COLUMNS.find(c => c === req.query.sortBy);\nif (!col) throw new Error("Invalid column");\ndb.select().from(users).orderBy(users[col]);',
148
148
  compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
149
149
  },
150
+ {
151
+ id: "VG1073",
152
+ name: "Drizzle sql.raw / sql.identifier with Interpolation or Concatenation (CVE-2026-39356 follow-on)",
153
+ severity: "critical",
154
+ owasp: "A02:2025 Injection",
155
+ description: "A sql.raw(...) or sql.identifier(...) call receives either a backtick template with ${...} interpolation or a string built with + concatenation. Both bypass Drizzle's parameterizer — the constructed string is fed straight into the executed query, exposing the same identifier-escape gap CVE-2026-39356 patched (drizzle-orm < 0.45.2 / 1.0.0-beta.20). On older builds it is a hard SQL injection; on patched builds sql.raw still has no escape at all. The supported safe shape is the tagged template `sql`... ${value}`` (auto-parameterized) plus a strict allowlist for any identifier the caller must vary. Distinct from VG1011, which catches the variable-name form sql.identifier(req.X) only; this rule covers the template-literal and string-concatenation shapes plus the previously-uncovered sql.raw call.",
156
+ pattern: /\bsql\s*\.\s*(?:raw|identifier)\s*\(\s*(?:`[^`]{0,400}\$\{|[\s\S]{0,200}?(?<![=!<>])\+(?!\+|=))/g,
157
+ languages: ["javascript", "typescript"],
158
+ fix: "Replace sql.raw / sql.identifier interpolation with the tagged-template form sql`... ${value}` (auto-parameterized) for values, and a hardcoded allowlist for any table/column identifier you must vary by request. Upgrade drizzle-orm to 0.45.2+ (stable) or 1.0.0-beta.20+ (beta) to close the escape gap covered by VG1052.",
159
+ fixCode: "// BAD — template-literal interpolation feeds attacker input straight in\nawait db.execute(sql.raw(`SELECT * FROM ${table} WHERE id = ${id}`));\n\n// BAD — string concatenation into sql.raw\nawait db.execute(sql.raw('SELECT * FROM users WHERE name = \\'' + name + '\\''));\n\n// GOOD — tagged template auto-parameterizes the value\nimport { sql } from 'drizzle-orm';\nawait db.execute(sql`SELECT * FROM users WHERE id = ${id}`);\n\n// GOOD — strict allowlist when the identifier really must vary\nconst ALLOWED_TABLES = ['users', 'orders'] as const;\nif (!ALLOWED_TABLES.includes(table as never)) throw new Error('Invalid table');\nawait db.execute(sql`SELECT * FROM ${sql.identifier(table)}`);",
160
+ compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
161
+ exploit: "Attacker controls a request field that becomes the value of `table` or `id`. A payload like `users WHERE 1=1; DROP TABLE users; --` is concatenated into the raw query string; Drizzle hands the whole string to the driver and the driver executes the injected statements with the application's database role.",
162
+ },
150
163
  ];
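Review bot: The second alternative in `pattern`, `[\s\S]{0,200}?(?<![=!<>])\+(?!\+|=)`, is not confined to the argument list: once `sql.raw(` is seen it accepts any `+` within the next 200 characters, including one in the statement after the call (`db.execute(sql.raw('SELECT 1')); const next = offset + 1;`), so a fully literal query is reported as critical injection. Replacing `[\s\S]{0,200}?` with `[^)]{0,200}?` keeps the search inside the call for the common single-level case; an argument that itself contains `)` would then rely on the template-literal alternative. That template-literal alternative also fires when the interpolated part is a build-time constant, which is an accepted regex limitation but worth a sentence in `description` so the `exploit` text is not read as applying to every hit.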
@@ -593,4 +593,17 @@ export const modernStackRules = [
593
593
  fixCode: '// BAD: unvalidated Server Action argument\n"use server";\nexport async function updateUser(data: any) {\n await prisma.user.update({ where: { id: data.id }, data });\n}\n\n// GOOD: validate with zod before any operation\n"use server";\nimport { z } from "zod";\nconst schema = z.object({ id: z.string().uuid(), name: z.string().max(100) });\nexport async function updateUser(raw: unknown) {\n const data = schema.parse(raw);\n await prisma.user.update({ where: { id: data.id }, data: { name: data.name } });\n}',
594
594
  compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.2", "PCI-DSS:Req6.5.1"],
595
595
  },
596
+ {
597
+ id: "VG1072",
598
+ name: "Hono setCookie sameSite/priority From User Input (CVE-2026-47675)",
599
+ severity: "medium",
600
+ owasp: "A02:2025 Injection",
601
+ description: "Hono's setCookie / setSignedCookie helper accepts a config object with sameSite and priority attributes. When user-controlled input (c.req.X, c.get(), req.body, query/params, formData, etc.) flows into one of those attributes, an attacker can break out of the intended enum value and inject extra cookie attributes — flipping Secure or HttpOnly off, downgrading SameSite from Strict to None, or appending a duplicate Set-Cookie segment that overrides the legitimate one. CVE-2026-47675 documents the attribute-injection bypass in the affected hono line; the safe pattern always passes a literal enum value or maps the input through a strict allowlist first. Distinct from VG924, which is the older CRLF-injection CVE-2026-29086 in the cookie value itself.",
602
+ pattern: /\b(?:setCookie|setSignedCookie)\s*\([\s\S]{0,300}?(?:\bsameSite\b|\bpriority\b)\s*:\s*(?:c\.req\.|c\.get\(|req\.|request\.|input\.|params\.|body\.|query\.|searchParams|formData|ctx\.|args\.)/g,
603
+ languages: ["javascript", "typescript"],
604
+ fix: "Never pass user-controlled input to the sameSite or priority cookie attributes. Use a literal enum value ('Strict'/'Lax'/'None' for sameSite, 'Low'/'Medium'/'High' for priority) or map the user input through a strict allowlist first. Also upgrade hono to the patched release.",
605
+ fixCode: "// BAD — user input flows into sameSite attribute\nsetCookie(c, 'session', token, {\n sameSite: c.req.query('site_mode'), // attacker chooses\n httpOnly: true,\n});\n\n// GOOD — literal value, never user input\nsetCookie(c, 'session', token, {\n sameSite: 'Strict',\n httpOnly: true,\n secure: true,\n});\n\n// GOOD — allowlist if you really need to vary\nconst SAFE_SAMESITE = { strict: 'Strict', lax: 'Lax' } as const;\nconst mode = SAFE_SAMESITE[c.req.query('site_mode') as keyof typeof SAFE_SAMESITE] ?? 'Strict';\nsetCookie(c, 'session', token, { sameSite: mode, httpOnly: true });",
606
+ compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.10"],
607
+ exploit: "Attacker submits a query parameter whose value contains cookie-attribute terminators (e.g. `Lax; Secure=false; HttpOnly=false` or `Strict\\r\\nSet-Cookie: tracker=x`). The helper renders the value into the Set-Cookie header verbatim — the browser then either downgrades the cookie's flags or treats the injected segment as a separate Set-Cookie, hijacking the session.",
608
+ },
596
609
  ];
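Review bot: The "GOOD — allowlist" snippet in `fixCode` looks user input up on a plain object, so a query value such as `constructor`, `toString` or `__proto__` resolves to an inherited `Object.prototype` member, is truthy, and survives `?? 'Strict'`; what reaches `sameSite` is then a function or object rather than one of the enum strings, which is the unvalidated-attribute path the rule exists to close. Use an own-property check, e.g. `const raw = c.req.query('site_mode') ?? '';` / `const mode = Object.hasOwn(SAFE_SAMESITE, raw) ? SAFE_SAMESITE[raw as keyof typeof SAFE_SAMESITE] : 'Strict';`, or a `Map`. Separately, `[\s\S]{0,300}?` in `pattern` is not bounded by the call's closing parenthesis, so a `sameSite: req.…` in an unrelated object literal shortly after a `setCookie(...)` call is attributed to that call, and the `exploit` example with `Strict\r\nSet-Cookie: …` describes the CRLF case that `description` assigns to VG924 rather than the attribute-injection bypass this rule covers.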
@@ -204,4 +204,30 @@ export const supplyChainRules = [
204
204
  fixCode: '// package.json — pin to clean versions\n"@tanstack/react-router": "^1.169.9", // or latest non-malicious\n"@tanstack/router-core": "^1.169.9",\n"@tanstack/react-start": "^1.167.72"\n\n// pnpm / yarn / npm overrides to evict transitive copies\n"overrides": {\n "@tanstack/react-router": "^1.169.9",\n "@tanstack/router-core": "^1.169.9"\n}\n\n// Network mitigation while rotating: block *.getsession.org egress',
205
205
  compliance: ["SOC2:CC6.1", "SOC2:CC7.1", "PCI-DSS:Req6.2", "PCI-DSS:Req3.5"],
206
206
  },
207
+ {
208
+ id: "VG1074",
209
+ name: "@redhat-cloud-services/* Miasma Supply-Chain Compromise (RHSB-2026-006)",
210
+ severity: "high",
211
+ owasp: "A03:2025 Software Supply Chain Failures",
212
+ description: "On 2026-06-01 the Miasma campaign published trojanized versions across at least 32 packages in the @redhat-cloud-services npm namespace (combined ~80K weekly downloads). The attacker reused a compromised Red Hat employee GitHub account to push orphan commits, then leveraged the repository's GitHub Actions OIDC trusted-publisher chain to ship malicious packages WITH valid SLSA provenance attestations — provenance alone is no longer a sufficient trust signal here. A preinstall hook fetches a ~4.29 MB obfuscated dropper that downloads the Bun runtime and exfiltrates GitHub / npm / AWS / Azure / GCP credentials, SSH private keys, browser-stored secrets, and crypto-wallet data over the Session/Oxen messenger network (filev2.getsession.org — same exfil family as VG1056 @tanstack). Sources: Wiz blog, Microsoft Security Response Center, Red Hat RHSB-2026-006. Until the namespace publishes a clean, audited replacement series, treat every @redhat-cloud-services/* version reference in a package.json or lockfile as suspect; rotate every credential the install host could reach.",
213
+ pattern: /["']@redhat-cloud-services\/[a-z0-9._-]+["']\s*:\s*["'](?:\^|~|>=?|=)?\s*[^"']{1,80}["']/g,
214
+ languages: ["json"],
215
+ fix: "Remove every @redhat-cloud-services/* dependency until Red Hat publishes a clean replacement series under a new (un-compromised) namespace or numbered re-release. Rotate every credential the install host could reach: AWS access keys, GCP service-account keys, Azure tokens, GitHub PATs, npm tokens, SSH private keys, browser-cached cookies, and any crypto-wallet seed. Wipe and reissue the CI runner if the install ran in CI. Add filev2.getsession.org and *.getsession.org to your egress denylist. Do NOT trust SLSA provenance as sole evidence — the attacker forged provenance via the OIDC trusted-publisher chain.",
216
+ fixCode: '// package.json — remove every @redhat-cloud-services/* entry\n// (currently EVERY version in this namespace is suspect)\n\n// If a transitive copy is pulled in by another dep, evict via overrides:\n"overrides": {\n "@redhat-cloud-services/some-package": "npm:noop@1.0.0"\n}\n\n// Egress controls while rotating credentials:\n// - block *.getsession.org\n// - block bun.sh and github.com/oven-sh/bun/releases on CI runners\n// that have no legitimate Bun runtime usage',
217
+ compliance: ["SOC2:CC6.1", "SOC2:CC7.1", "PCI-DSS:Req6.2", "PCI-DSS:Req3.5"],
218
+ exploit: "Attacker who compromised a Red Hat employee's GitHub credentials pushes an orphan commit that adds a preinstall lifecycle script to one or more @redhat-cloud-services/* packages, then triggers the repository's publish workflow. The workflow uses the OIDC trusted-publisher chain, so npm accepts the malicious tarball with a valid provenance attestation. Any developer or CI runner that runs `npm install` on a project depending on the package — directly or transitively — executes the preinstall script, which downloads the Bun runtime, decodes a credential-stealer payload, harvests environment files and cloud credentials, and exfiltrates them over Session messenger to filev2.getsession.org.",
219
+ },
220
+ {
221
+ id: "VG1075",
222
+ name: "Session Messenger Exfil Endpoint Reference (filev2.getsession.org)",
223
+ severity: "critical",
224
+ owasp: "A03:2025 Software Supply Chain Failures",
225
+ description: "Code, configuration, or dependency references the Session/Oxen messenger file-relay endpoint filev2.getsession.org (or another *.getsession.org host) as a fetch target, base URL, or hardcoded constant. This endpoint is the documented exfiltration channel for two distinct 2026 supply-chain campaigns: @tanstack mass malware (CVE-2026-45321, VG1056) and the Miasma @redhat-cloud-services compromise (RHSB-2026-006, VG1074). A web/server codebase has no legitimate reason to talk to this host; presence is a high-confidence Indicator of Compromise. Audit the host running this code for credential rotation candidates immediately.",
226
+ pattern: /\b(?:[a-z0-9-]+\.)?getsession\.org\b/gi,
227
+ languages: ["javascript", "typescript", "json"],
228
+ fix: "Treat the host running this code as potentially compromised. Block *.getsession.org egress at the firewall, rotate every cloud, npm, GitHub, and SSH credential reachable from the host, wipe and reissue the runner if it is a CI box, and search the lockfile for the upstream package that introduced the reference. Pin away from that package or use overrides to evict it. Search git history for when the reference appeared to estimate the exposure window.",
229
+ fixCode: "// REMOVE — never legitimate in a web/server codebase\n// const exfilUrl = 'https://filev2.getsession.org/file';\n\n// If you genuinely use Session as an end-user feature (not as an exfil channel),\n// move the URL behind a feature flag and document why. Add an explicit allowlist\n// comment so this rule can be suppressed via .guardviberc:\n// { rules: { allow: [{ id: 'VG1075', paths: ['src/features/session-link.ts'] }] } }",
230
+ compliance: ["SOC2:CC6.1", "SOC2:CC7.1", "PCI-DSS:Req6.2"],
231
+ exploit: "Attacker leverages Session's anonymity-by-design file relay (no DNS exposure, encrypted at the network layer, no account binding) to exfiltrate stolen credentials. Any code or dependency that posts to filev2.getsession.org is almost certainly an installed credential stealer staged by a supply-chain compromise — most often a malicious npm preinstall script that has already executed once on this host.",
232
+ },
207
233
  ];
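Review bot: VG1075's `pattern` `\b(?:[a-z0-9-]+\.)?getsession\.org\b` fires on any occurrence of the hostname — comments, an egress-denylist entry in a firewall or proxy config, and this project's own rule text, since VG1056's `fixCode` in this same file ("block *.getsession.org egress") and the new rule's own `fixCode` both contain it — so a critical "high-confidence IoC" finding is raised on the very artefacts the `fix` advice tells users to create. Anchoring on a URL or fetch context, e.g. `/https?:\/\/(?:[a-z0-9-]+\.)?getsession\.org\b/gi`, and stating in `description` that bare denylist mentions are expected and should be allowlisted would make the severity honest; whether GuardVibe scans its own rules directory is not visible from this hunk. In VG1074, the `fixCode` override `"npm:noop@1.0.0"` redirects the dependency to a third-party package the project does not otherwise vet, which re-introduces the trust problem being fixed; a local stub (`file:` spec) or a scoped internal package is a safer eviction target, assuming the override syntax accepts it.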
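--- a/package/build/index.js
+++ b/package/build/index.js
@@ -889,7 +889,7 @@ server.tool("deep_scan", "LLM-powered deep security analysis for vulnerabilities
 return { content: [{ type: "text", text: output }] };
 });
 // Tool 33: Full audit — single source of truth
-server.tool("full_audit", "Single command that runs ALL checks: code scan (422 rules), secret detection, dependency CVEs, config audit, taint analysis, and auth coverage. Returns PASS/FAIL/WARN verdict with deterministic hash. IMPORTANT: If verdict is FAIL or WARN, you MUST call remediation_plan next to get a section-by-section fix checklist — do NOT skip any section. After fixing, call verify_remediation to confirm ALL sections are addressed. Example: full_audit({path: '.'})", {
+server.tool("full_audit", "Single command that runs ALL checks: code scan (429 rules), secret detection, dependency CVEs, config audit, taint analysis, and auth coverage. Returns PASS/FAIL/WARN verdict with deterministic hash. IMPORTANT: If verdict is FAIL or WARN, you MUST call remediation_plan next to get a section-by-section fix checklist — do NOT skip any section. After fixing, call verify_remediation to confirm ALL sections are addressed. Example: full_audit({path: '.'})", {
 path: z.string().default(".").describe("Project root directory"),
 format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
 skipDeps: z.boolean().default(false).describe("Skip dependency vulnerability check"),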
@@ -392,7 +392,7 @@ export async function runFullAudit(path, options) {
392
392
  const totalHigh = sections.reduce((s, sec) => s + sec.high, 0);
393
393
  const totalMedium = sections.reduce((s, sec) => s + sec.medium, 0);
394
394
  const totalFindings = sections.reduce((s, sec) => s + sec.findings, 0);
395
- const rulesApplied = rules.length > 0 ? rules.length : 422;
395
+ const rulesApplied = rules.length > 0 ? rules.length : 429;
396
396
  // Adjust score to reflect ALL sections, not just code
397
397
  // Each critical finding deducts 5 points, high deducts 3, medium deducts 1
398
398
  // Score from code scan is the baseline, other sections reduce it further
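Review bot: `const rulesApplied = rules.length > 0 ? rules.length : 429;` substitutes the full catalogue size whenever no rule was loaded, so a scan that ran zero rules (wrong rules path, failed import) is still reported as having applied 429 rules and the audit looks complete when it was empty; the same literal is duplicated in the `full_audit` tool description in build/index.js above and in package.json, and the CHANGELOG hunk in this release states 424, so the copies already disagree. Prefer reporting the real count and surfacing the empty case explicitly, e.g. `const rulesApplied = rules.length;` followed by `if (rulesApplied === 0) sections.push(/* WARN-level section: no rules were loaded */);` — how `sections` is consumed downstream is outside the hunk, so the exact shape of that entry needs checking against the rest of the function. `runFullAudit` begins before and continues after this hunk.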
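--- a/package/package.json
+++ b/package/package.json
@@ -1,8 +1,8 @@
 {
 "name": "guardvibe",
-"version": "3.1.24",
+"version": "3.1.26",
 "mcpName": "io.github.goklab/guardvibe",
-"description": "Security MCP for vibe coding. 422 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 60 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068) and model-controlled sandbox-disable flag detection (VG1063).",
+"description": "Security MCP for vibe coding. 429 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 63 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
 "type": "module",
 "bin": {
 "guardvibe": "build/cli.js",
@@ -108,7 +108,7 @@
 "zod": "^3.25.0"
 },
 "overrides": {
-"hono": "^4.12.18",
+"hono": "^4.12.21",
 "fast-uri": "^3.1.2",
 "ip-address": "^10.2.0"
 },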