guardvibe 3.10.0 → 3.11.0

package/CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.11.0] - 2026-06-07
+
+### Changed — S3-1 (cont.): reachability-weighted dependency prioritization (441 rules / 37 tools)
+- The audit's dependency section now **prioritizes** findings: severity first, then **imported (reachable) packages ahead of unused ones** within the same tier — so the agent fixes what its code actually calls into first. Severity is never altered (an unreachable dep can still be exploitable), so no false negatives are introduced.
+- Each dependency `SectionFinding` now carries a structured `reachable` field (agent-consumable), in addition to the existing in-description annotation and the section's "N of M directly imported" count.
+- New exported pure helper `sortDepFindings` (severity-rank + reachable-first), unit-tested. No rule or tool changes (441 / 37). Completes S3-1.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.10.0] - 2026-06-07
 
 ### Added — Season 3 S3-1: autonomous, prioritized threat intel (441 rules / 37 tools)

package/build/tools/full-audit.d.ts

@@ -29,7 +29,16 @@ export interface SectionFinding {
     name?: string;
     description?: string;
     fix?: string;
+    /** Dependency findings: is the vulnerable package actually imported in source? */
+    reachable?: boolean;
 }
+/**
+ * Order dependency findings by severity first, then surface reachable (imported)
+ * packages ahead of unreachable ones within the same tier — so the agent fixes
+ * what its code actually calls into first. Severity is never altered (an
+ * unreachable dep can still be exploitable), so this introduces no false negatives.
+ */
+export declare function sortDepFindings(findings: SectionFinding[]): SectionFinding[];
 export interface AuditSection {
     name: string;
     status: "ok" | "error" | "skipped";

package/build/tools/full-audit.js

@@ -21,6 +21,17 @@ import { loadConfig } from "../utils/config.js";
 import { isExcludedFilename } from "../utils/constants.js";
 const _require = createRequire(import.meta.url);
 const _pkg = _require("../../package.json");
+const DEP_SEV_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+/**
+ * Order dependency findings by severity first, then surface reachable (imported)
+ * packages ahead of unreachable ones within the same tier — so the agent fixes
+ * what its code actually calls into first. Severity is never altered (an
+ * unreachable dep can still be exploitable), so this introduces no false negatives.
+ */
+export function sortDepFindings(findings) {
+    return [...findings].sort((a, b) => (DEP_SEV_RANK[a.severity] ?? 9) - (DEP_SEV_RANK[b.severity] ?? 9) ||
+        (Number(b.reachable === true) - Number(a.reachable === true)));
+}
 // --- Core Logic ---
 /**
  * Compute verdict: PASS (0 critical + 0 high), WARN (high > 0), FAIL (critical > 0)
@@ -285,10 +296,14 @@ export async function runFullAudit(path, options) {
                                 name: `${pkgRec.name ?? "unknown"}: ${(vuln2.id ?? "CVE")}`,
                                 description: `${(vuln2.summary ?? vuln2.details ?? "")}${reachNote}`,
                                 fix: `Run: npm update ${pkgRec.name ?? ""}`,
+                                reachable,
                             });
                             allFindings.push({ ruleId: `DEP:${vuln2.id ?? "CVE"}`, severity: sev, file: "package.json", line: 0 });
                         }
                     }
+                    // Prioritize: severity first, then imported-and-vulnerable ahead of unused.
+                    depFindings.sort((a, b) => (DEP_SEV_RANK[a.severity] ?? 9) - (DEP_SEV_RANK[b.severity] ?? 9) ||
+                        (Number(b.reachable === true) - Number(a.reachable === true)));
                     const counts = { findings: depFindings.length, critical: depCritical, high: depHigh, medium: depMedium };
                     const reachText = typeof reachableVulnerable === "number" && vulnPackages > 0
                         ? ` (${reachableVulnerable} of ${vulnPackages} directly imported in source)`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.10.0",
+  "version": "3.11.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 441 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 70 CVE rules refreshed daily from GHSA/OSV/CISA KEV — React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",