npm - guardvibe - Versions diffs - 3.12.0 → 3.13.0 - Mend

guardvibe 3.12.0 → 3.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,15 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.13.0] - 2026-06-07
+### Added — Season 3 S3-3: PR-native, author-independent review (441 rules / 37 tools)
+- **`guardvibe ci github --pr`** generates a `.github/workflows/guardvibe-pr-review.yml` that, on every pull request, runs a **diff-aware** scan (only the issues the PR newly introduced) and posts them as **inline review comments** on the exact file + line — the moat made visible where AI-written code lands: whole-repo aware, independent of the author, in the loop.
+- Uses `actions/github-script` to create the PR review (no extra runtime dependency), with `pull-requests: write` and a graceful fallback to a summary comment if inline review can't be posted. Pinned + auto-upgraded like the existing scan workflow.
+- Completes Season 3 (S3-1 autonomous/prioritized intel, S3-2 proof-carrying fixes, S3-3 PR-native review). New exported `buildGithubPrReviewWorkflow`; 6 tests. No rule or tool changes (441 / 37).
+Gate green (build / lint / test / self-audit PASS / A / 0).
 ## [3.12.0] - 2026-06-07
 ### Added — Season 3 S3-2: proof-carrying fixes (441 rules / 37 tools)

package/README.md CHANGED Viewed

@@ -150,7 +150,8 @@ npx guardvibe hook uninstall # Remove hook
 ### CI/CD (GitHub Actions)
 ```bash
-npx guardvibe ci github      # Generates .github/workflows/guardvibe.yml
+npx guardvibe ci github          # Generates .github/workflows/guardvibe.yml (SARIF scan)
+npx guardvibe ci github --pr     # + a diff-aware PR review workflow that posts inline comments
 ```
 ## What GuardVibe Scans

package/build/cli/ci.d.ts CHANGED Viewed

@@ -2,4 +2,11 @@
  * CLI: guardvibe ci <provider>
  * Generates CI/CD workflow configurations.
  */
+/**
+ * PR-native, author-independent review workflow: on each PR, run a DIFF-AWARE scan
+ * (only issues newly introduced by the PR) and post them as inline review comments
+ * via actions/github-script — no extra runtime dependency. The moat made visible
+ * exactly where AI-written code lands.
+ */
+export declare function buildGithubPrReviewWorkflow(version: string): string;
 export declare function runCi(args: string[]): void;

package/build/cli/ci.js CHANGED Viewed

@@ -45,6 +45,78 @@ jobs:
           category: guardvibe
 `;
 }
+/**
+ * PR-native, author-independent review workflow: on each PR, run a DIFF-AWARE scan
+ * (only issues newly introduced by the PR) and post them as inline review comments
+ * via actions/github-script — no extra runtime dependency. The moat made visible
+ * exactly where AI-written code lands.
+ */
+export function buildGithubPrReviewWorkflow(version) {
+    return `name: GuardVibe PR Review
+# Pinned to guardvibe@${version}. Re-run \`npx guardvibe ci github --pr\` to upgrade.
+# Diff-aware: comments only on issues this PR newly introduced (not pre-existing debt).
+on:
+  pull_request:
+    branches: [main, master]
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  guardvibe-pr-review:
+    name: GuardVibe PR Review
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+      - name: GuardVibe diff-aware scan (newly-introduced issues only)
+        run: |
+          git fetch --no-tags --depth=1 origin "\${{ github.base_ref }}"
+          npx -y guardvibe@${version} diff "origin/\${{ github.base_ref }}" --format json --output gv-diff.json || true
+      - name: Post findings as PR review comments
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            let data;
+            try { data = JSON.parse(fs.readFileSync('gv-diff.json', 'utf8')); } catch (e) { return; }
+            const findings = (data.findings || []).filter(f => f.line > 0);
+            if (!findings.length) return;
+            const comments = findings.map(f => ({
+              path: f.file,
+              line: f.line,
+              body: '**GuardVibe ' + String(f.severity).toUpperCase() + ': ' + f.name + '** (' + f.id + ')\\n\\n' + (f.fix || '')
+            }));
+            const summary = 'GuardVibe found ' + findings.length + ' newly-introduced issue(s) in this PR.';
+            try {
+              await github.rest.pulls.createReview({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number,
+                event: 'COMMENT',
+                body: summary,
+                comments
+              });
+            } catch (e) {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: summary + ' (inline review unavailable: ' + e.message + ')'
+              });
+            }
+`;
+}
 /** Extract a pinned guardvibe version from a generated workflow YAML, or "latest"/null for legacy/unrecognized forms. */
 function extractPinnedVersionFromWorkflow(content) {
     const pinned = content.match(/guardvibe@(\d+\.\d+\.\d+(?:-[\w.]+)?)/);
@@ -85,14 +157,43 @@ function generateGitHubActions() {
     console.log(`  [OK] Created .github/workflows/guardvibe.yml (pinned to v${pkg.version}).`);
     console.log("  [OK] SARIF results will appear in GitHub Security tab.");
 }
+function generateGitHubPrReview() {
+    const workflowDir = join(process.cwd(), ".github", "workflows");
+    if (!existsSync(workflowDir))
+        mkdirSync(workflowDir, { recursive: true });
+    const workflowPath = join(workflowDir, "guardvibe-pr-review.yml");
+    const fresh = buildGithubPrReviewWorkflow(pkg.version);
+    if (existsSync(workflowPath)) {
+        const existingPin = extractPinnedVersionFromWorkflow(readFileSync(workflowPath, "utf-8"));
+        if (existingPin === pkg.version) {
+            console.log(`  [OK] .github/workflows/guardvibe-pr-review.yml already up-to-date (pinned to v${pkg.version}).`);
+            return;
+        }
+        if (existingPin) {
+            writeFileSync(workflowPath, fresh, "utf-8");
+            console.log(`  [OK] Updated .github/workflows/guardvibe-pr-review.yml (${existingPin} → ${pkg.version}).`);
+            return;
+        }
+        console.log("  [OK] .github/workflows/guardvibe-pr-review.yml exists with custom contents — leaving as-is.");
+        return;
+    }
+    writeFileSync(workflowPath, fresh, "utf-8");
+    console.log(`  [OK] Created .github/workflows/guardvibe-pr-review.yml (pinned to v${pkg.version}).`);
+    console.log("  [OK] PRs will get inline, diff-aware GuardVibe review comments.");
+}
 export function runCi(args) {
     const provider = args[0]?.toLowerCase();
+    const wantPr = args.includes("--pr");
     console.log(`\n  GuardVibe CI/CD Setup\n`);
     if (provider === "github") {
         generateGitHubActions();
+        if (wantPr)
+            generateGitHubPrReview();
+        else
+            console.log("  [tip] Add --pr to also generate a diff-aware PR review workflow (inline comments).");
     }
     else {
-        console.error("  [ERR] Unknown CI provider. Usage: npx guardvibe ci github");
+        console.error("  [ERR] Unknown CI provider. Usage: npx guardvibe ci github [--pr]");
         process.exit(1);
     }
     console.log();

package/build/cli.js CHANGED Viewed

@@ -37,7 +37,7 @@ function printUsage() {
     npx guardvibe init <platform>    Setup MCP server configuration
     npx guardvibe hook install       Install pre-commit security hook
     npx guardvibe hook uninstall     Remove pre-commit security hook
-    npx guardvibe ci github          Generate GitHub Actions workflow
+    npx guardvibe ci github [--pr]   Generate GitHub Actions workflow (--pr: diff-aware PR review with inline comments)
   Scan CLI (used by pre-commit hook and CI):
     npx guardvibe-scan               Scan git-staged files

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.12.0",
+  "version": "3.13.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 441 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 70 CVE rules refreshed daily from GHSA/OSV/CISA KEV — React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",