guardvibe 3.17.0 → 3.19.0

package/CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.19.0] - 2026-06-10
+
+### Added — secure_prompt: prompt-level security, shift left (442 rules / 37 → 38 tools)
+- **New MCP tool `secure_prompt`** — analyzes a raw coding prompt BEFORE any code is written and returns a structured enhancement directive (`guardvibe.secure_prompt.v1`) the host LLM uses to rewrite the prompt with GuardVibe security requirements embedded. Fully deterministic: no LLM calls, no network, no API keys — same prompt = same directive.
+- **Triage-first, "do no harm":** verdict `NO_MOD` (prompt already specific and security-aware, or touches no security surface → host proceeds with the ORIGINAL prompt unchanged), `LIGHT_MOD` (clear intent, missing security constraints → inject requirements only), `HEAVY_MOD` (vague AND security-relevant → requirements + up to 3 clarifying questions, never invented answers). Scoring heuristics (concrete nouns, security vocabulary, length/imperative specificity, sensitive surfaces) with thresholds in an exported `TRIAGE_CONFIG` constant.
+- **Stack + attack-surface detection** from keyword/alias maps (Next.js, Supabase, Clerk, Stripe, Prisma, Express, Hono, Drizzle, Firebase, MongoDB, tRPC, FastAPI, Django...; auth, payments, file upload, user input, database/SQL, secrets, external APIs, deserialization, redirects), including surfaces implied by detected technologies. Optional `context` input merges client-known stack info. Token matching is boundary-checked `indexOf` — no dynamic RegExp (keeps the self-audit and ReDoS meta-test clean).
+- **Rule matching over the existing 442-rule set** by name/description keywords for the detected stack + surfaces, severity-ranked (critical → info), near-duplicate guidance deduped, capped at the top 8; each requirement carries `[rule-id]`, title, severity, and the rule's fix phrased as an instruction. CVE version-pin rules excluded (they gate package pins, not prompts).
+- Directive output: verdict + one-line reason, intent summary stated as a HARD CONSTRAINT, numbered security requirements, ambiguities (HEAVY_MOD only), explicit rewrite directive ("Do NOT add features the user did not request. Do NOT change the user's intent."), and the original prompt echoed verbatim (fence-safe even when the prompt contains code blocks).
+- New module `src/tools/secure-prompt.ts`; 24 tests in `tests/tools/secure-prompt.test.ts` (NO_MOD short-circuit, LIGHT vs HEAVY classification, 7-framework stack detection, rule cap + severity ordering, empty/garbage input, determinism). README gains a "Prompt-Level Security (Shift Left)" section with a before/after example. Zero new runtime dependencies.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.18.0] - 2026-06-09
+
+### Added — FAZ 3 part c: AST BOLA mutation-guard detection for VG951 (442 rules / 37 tools)
+- **VG951 (BOLA — delete/update without ownership) is now AST-aware for the `find → compare → mutate` pattern.** The rule's regex already excludes an ownership field inside the mutation's WHERE clause; its only blind spot was a bare-id mutation preceded by a separate ownership check. `bolaMutationGuarded` (AST) suppresses VG951 when the enclosing function performs a **post-fetch ownership comparison** of the fetched resource against the session (e.g. `const s = await prisma.schedule.findUnique({ where: { id } }); if (s?.userId !== user.id) throw; await prisma.schedule.delete({ where: { id } })`). Anything without that comparison keeps firing.
+- Reuses the part-1/2 AST engine — factored a shared `callNearLine` anchor finder and `hasPostFetchOwnershipGuard` (the case-2 ownership-comparison check) out of `bolaOwnershipGuarded`, then anchored it on the mutation call instead of the find call.
+- **Validated (clean stash diff): VG951 11 → 9; both removed are genuinely ownership-guarded** — cal `delete.handler` (`findUnique select userId → if (scheduleToDelete?.userId !== user.id) throw UNAUTHORIZED → delete`) and cal `ScheduleService.update` (`findUnique → if (userSchedule?.userId !== user.id) require team edit-permission else throw → update`). **0 true positives lost, 0 false positives added, 0 other-rule drift.** 5 new mutation-guard tests (10 BOLA tests total).
+- No rule or tool changes (442 / 37). FAZ 3 part c.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.17.0] - 2026-06-09
 
 ### Added — FAZ 3 part 3: AST constant-origin detection for VG126 (442 rules / 37 tools)

package/README.md

@@ -14,7 +14,7 @@
 - **🗺️ Sees the whole repo.** Cross-file taint + auth-coverage across every route — catches the unprotected endpoint your agent's narrow context missed.
 - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
 
-**The security MCP built for vibe coding.** 442 security rules, 37 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 442 security rules, 38 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -26,7 +26,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **442 security rules, 37 tools** purpose-built for the stacks AI agents generate
+- **442 security rules, 38 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -212,7 +212,37 @@ Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (E
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `--ignore-scripts` hardening (VG1070), typosquat detection, `node-ipc` protestware versions (VG1069), Miasma `@redhat-cloud-services` namespace compromise IOC (VG1074, RHSB-2026-006), Session messenger exfil endpoint IOC (VG1075, `filev2.getsession.org`), `@tanstack/*` Mini Shai-Hulud mass-malware versions (May 2026), `@wdio/browserstack-service` command injection via git branch names (CVE-2026-25244), lockfile poisoning patterns
 
-## Tools (37 MCP tools)
+## Prompt-Level Security (Shift Left)
+
+Most vulnerabilities in AI-generated code are born in the prompt: "add login to my app" says nothing about password hashing, session handling, or rate limiting — so the model picks defaults, and the defaults are where the CVEs live. `secure_prompt` moves the security gate to **before code generation**: it analyzes the raw prompt, detects the stack and attack surfaces it implies, matches them against GuardVibe's rule set, and returns a directive the host LLM uses to rewrite the prompt with security requirements embedded.
+
+This is not a prompt beautifier. It is deterministic (no LLM, no network), it never restructures intent, and its first job is **do no harm**: a prompt that is already specific and security-aware gets verdict `NO_MOD` and passes through untouched.
+
+- **`NO_MOD`** — prompt is already specific and security-aware → proceed with the original prompt unchanged
+- **`LIGHT_MOD`** — intent is clear but security constraints are missing → inject requirements only
+- **`HEAVY_MOD`** — prompt is vague *and* security-relevant → inject requirements + surface clarifying questions (never invent the answers)
+
+**Before** (what the user typed):
+
+```text
+add login to my app
+```
+
+**After** (what the host LLM executes, having applied the `secure_prompt` directive):
+
+```text
+Add login to my app, with these security requirements:
+- [VG001] Use environment variables or a secrets manager — never hardcode credentials.
+- [VG1008] Always verify the caller has admin privileges before allowing role elevation.
+- [VG105] Always specify allowed algorithms explicitly in jwt.verify().
+
+Before implementing, confirm: which framework/stack is this for, and which auth
+provider should be used (e.g. Clerk, Auth.js/NextAuth, Supabase Auth, custom JWT)?
+```
+
+Same user intent — but the model now generates auth code with the guardrails stated up front, instead of GuardVibe catching the missing pieces after the fact.
+
+## Tools (38 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -253,6 +283,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `-
 | `full_audit` | **Single source of truth** — runs ALL checks in one call, returns PASS/FAIL/WARN verdict + score + coverage % + deterministic result hash |
 | `remediation_plan` | **Remediation plan** — generates section-by-section fix checklist after audit |
 | `verify_remediation` | **Remediation verification** — compares before/after audit, flags skipped sections |
+| `secure_prompt` | **Prompt-level security (shift left)** — analyze a coding prompt BEFORE code is written; deterministic triage (NO_MOD/LIGHT_MOD/HEAVY_MOD), stack + attack-surface detection, severity-ranked GuardVibe requirements embedded via a rewrite directive |
 
 All scanning tools support `format: "json"` for machine-readable output.
 

package/build/index.js

@@ -42,6 +42,7 @@ import { formatHostFindings, redactSecrets } from "./server/types.js";
 import { verifyFix } from "./tools/verify-fix.js";
 import { fixCode as fixCodeTool } from "./tools/fix-code.js";
 import { secureThis } from "./tools/secure-this.js";
+import { securePrompt } from "./tools/secure-prompt.js";
 import { buildAgentReport } from "./tools/agent-output.js";
 import { analyzeAuthCoverage, formatAuthCoverage } from "./tools/auth-coverage.js";
 import { buildDeepScanPrompt, parseDeepScanResult, formatDeepScanFindings, callLLM } from "./tools/deep-scan.js";
@@ -63,7 +64,7 @@ function mergeStatsIntoOutput(results, summary, format) {
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
-    description: "Security MCP for vibe coding — single source of truth for AI assistants. 390 security rules and 36 tools. Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.",
+    description: `Security MCP for vibe coding — single source of truth for AI assistants. ${builtinRules.length} security rules and 38 tools. Call secure_prompt with the user's coding prompt BEFORE generating code to embed security requirements up front (shift left). Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.`,
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze inline code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Pass code as a string parameter. For scanning files on disk, use scan_file instead. Example: check_code({code: 'app.get(...)', language: 'javascript'})", {
@@ -1031,6 +1032,15 @@ server.tool("verify_remediation", "Compare before/after audit results to verify
     lines.push("", "---", `**${summary}**`);
     return { content: [{ type: "text", text: lines.join("\n") }] };
 });
+// Tool 38: secure_prompt — shift-left security at the prompt level (enhance BEFORE code is written)
+server.tool("secure_prompt", "Shift-left security at the prompt level: analyze a raw coding prompt BEFORE any code is written and return a structured enhancement directive that embeds GuardVibe security requirements (auth checks, input validation, webhook signature verification, SQL injection prevention, secrets handling) into the prompt you are about to execute. Deterministic — no LLM, no network: triage verdict NO_MOD (prompt already specific and security-aware → proceed with the ORIGINAL prompt unchanged), LIGHT_MOD (inject missing security constraints only), or HEAVY_MOD (also surface clarifying questions — never invent answers to them). Detects stack (Next.js, Supabase, Clerk, Stripe, Prisma, Express, Hono...) and attack surfaces (auth, payments, file upload, user input, SQL, secrets, redirects) from the prompt text, matches them against GuardVibe's rule set, and returns verdict + intent summary + numbered [rule-id] requirements + rewrite directive. Call this with the user's prompt before generating code; prevents vulnerabilities before code generation instead of scanning after. Example: secure_prompt({raw_prompt: 'add login to my app'})", {
+    raw_prompt: z.string().describe("The user's original coding prompt, verbatim"),
+    context: z.string().optional().describe("Known stack/framework context if the client has it (e.g. 'Next.js app router, Supabase, Stripe')"),
+}, async ({ raw_prompt, context }) => {
+    const rules = getRules();
+    const result = securePrompt(raw_prompt, { context, rules });
+    return { content: [{ type: "text", text: result.markdown }] };
+});
 export async function startMcpServer() {
     return main();
 }

package/build/tools/ast-engine.d.ts

@@ -16,6 +16,16 @@ export declare function paramReachesSink(code: string, filePath?: string): boole
  * firing — for a BOLA rule we prefer a false positive over hiding a real one.
  */
 export declare function bolaOwnershipGuarded(code: string, filePath: string | undefined, line: number): boolean;
+/**
+ * BOLA ownership-guard detection for VG951 (delete/update). The rule's regex
+ * already suppresses an ownership field inside the mutation's WHERE clause (via a
+ * negative lookahead), so the only blind spot is the find → compare → mutate
+ * pattern: the mutation's where-clause is a bare id, but the enclosing function
+ * fetched the resource and compared its ownership field against the session first.
+ * Returns true (→ suppress) only when that post-fetch comparison is present;
+ * false on uncertainty so a genuinely unguarded mutation keeps firing.
+ */
+export declare function bolaMutationGuarded(code: string, filePath: string | undefined, line: number): boolean;
 /**
  * True when the argument to a `new RegExp(...)` at `line` is PROVABLY a constant
  * (a string literal, a variable assigned from a string literal, or the callback

package/build/tools/ast-engine.js

@@ -137,6 +137,10 @@ export function paramReachesSink(code, filePath) {
     return sinkArgs.some(args => refsTaint(args, tainted));
 }
 const FIND_METHODS = new Set(["findUnique", "findFirst", "findById", "findOne", "getOne"]);
+// Mutation sinks for VG951 (delete/update BOLA) — the last identifier of the callee.
+const MUTATION_METHODS = new Set([
+    "delete", "update", "destroy", "remove", "deleteMany", "updateMany", "deleteOne", "updateOne",
+]);
 const OWNERSHIP_FIELDS = new Set([
     "userId", "user_id", "ownerId", "owner_id", "authorId", "author_id", "createdById", "createdBy", "created_by",
     "accountId", "account_id", "tenantId", "tenant_id", "orgId", "org_id", "organizationId",
@@ -146,6 +150,44 @@ const OWNERSHIP_FIELDS = new Set([
 // A comparison of a fetched resource's ownership field, on a line that also references a session/user.
 const OWNERSHIP_COMPARE = /\.\s*(?:userId|ownerId|authorId|createdById|teamId|workspaceId|orgId|organizationId|tenantId|memberId|accountId|projectId)\b\s*(?:===|!==|==|!=)/i;
 const SESSION_REF = /\b(?:session|ctx|auth|currentUser|viewer|member|account|workspace|team|org|self|me|user)\b/i;
+/** The first CallExpression near `line` whose last-identifier method is in `methods`. */
+function callNearLine(ts, sf, line, methods) {
+    let target;
+    const visit = (node) => {
+        if (!target && ts.isCallExpression(node)) {
+            const callee = node.expression;
+            const method = ts.isPropertyAccessExpression(callee) ? callee.name.text
+                : ts.isIdentifier(callee) ? callee.text : undefined;
+            if (method && methods.has(method)) {
+                const startLine = sf.getLineAndCharacterOfPosition(node.getStart(sf)).line + 1;
+                if (Math.abs(startLine - line) <= 1)
+                    target = node;
+            }
+        }
+        if (!target)
+            ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    return target;
+}
+/**
+ * True when the function enclosing `node` performs a post-fetch ownership
+ * comparison — an ownership field (`fetched.userId`) compared against a
+ * session/user value on the same line (`!== ctx.user.id`). Same-function only
+ * (no inter-procedural tracing), matching the line/regex engine's precision.
+ */
+function hasPostFetchOwnershipGuard(ts, sf, node) {
+    let fn = node;
+    while (fn && !(ts.isFunctionDeclaration(fn) || ts.isFunctionExpression(fn) || ts.isArrowFunction(fn) || ts.isMethodDeclaration(fn))) {
+        fn = fn.parent;
+    }
+    const body = fn ? fn.getText(sf) : sf.getText();
+    for (const ln of body.split("\n")) {
+        if (OWNERSHIP_COMPARE.test(ln) && SESSION_REF.test(ln))
+            return true;
+    }
+    return false;
+}
 /**
  * BOLA ownership-guard detection for VG950 (find-by-user-id). Returns true (the
  * query is ownership-guarded → suppress the finding) when EITHER:
@@ -167,22 +209,7 @@ export function bolaOwnershipGuarded(code, filePath, line) {
     catch {
         return false;
     }
-    let target;
-    const visit = (node) => {
-        if (!target && ts.isCallExpression(node)) {
-            const callee = node.expression;
-            const method = ts.isPropertyAccessExpression(callee) ? callee.name.text
-                : ts.isIdentifier(callee) ? callee.text : undefined;
-            if (method && FIND_METHODS.has(method)) {
-                const startLine = sf.getLineAndCharacterOfPosition(node.getStart(sf)).line + 1;
-                if (Math.abs(startLine - line) <= 1)
-                    target = node;
-            }
-        }
-        if (!target)
-            ts.forEachChild(node, visit);
-    };
-    visit(sf);
+    const target = callNearLine(ts, sf, line, FIND_METHODS);
     if (!target)
         return false;
     // (1) ownership field in the WHERE clause with a non-param value.
@@ -201,16 +228,32 @@ export function bolaOwnershipGuarded(code, filePath, line) {
         }
     }
     // (2) post-fetch ownership comparison against a session/user value, in the same function.
-    let fn = target;
-    while (fn && !(ts.isFunctionDeclaration(fn) || ts.isFunctionExpression(fn) || ts.isArrowFunction(fn) || ts.isMethodDeclaration(fn))) {
-        fn = fn.parent;
+    return hasPostFetchOwnershipGuard(ts, sf, target);
+}
+/**
+ * BOLA ownership-guard detection for VG951 (delete/update). The rule's regex
+ * already suppresses an ownership field inside the mutation's WHERE clause (via a
+ * negative lookahead), so the only blind spot is the find → compare → mutate
+ * pattern: the mutation's where-clause is a bare id, but the enclosing function
+ * fetched the resource and compared its ownership field against the session first.
+ * Returns true (→ suppress) only when that post-fetch comparison is present;
+ * false on uncertainty so a genuinely unguarded mutation keeps firing.
+ */
+export function bolaMutationGuarded(code, filePath, line) {
+    const ts = getTs();
+    if (!ts)
+        return false;
+    let sf;
+    try {
+        sf = ts.createSourceFile(filePath ?? "file.ts", code, ts.ScriptTarget.Latest, true, scriptKindFor(ts, filePath));
     }
-    const body = fn ? fn.getText(sf) : code;
-    for (const ln of body.split("\n")) {
-        if (OWNERSHIP_COMPARE.test(ln) && SESSION_REF.test(ln))
-            return true;
+    catch {
+        return false;
     }
-    return false;
+    const target = callNearLine(ts, sf, line, MUTATION_METHODS);
+    if (!target)
+        return false;
+    return hasPostFetchOwnershipGuard(ts, sf, target);
 }
 const ITER_METHODS = new Set(["map", "forEach", "some", "every", "filter", "find", "findIndex", "reduce", "flatMap"]);
 /** First `const NAME = <initializer>` for NAME anywhere in the file (file-scope-ish). */

package/build/tools/check-code.js

@@ -4,7 +4,7 @@ import { loadConfig } from "../utils/config.js";
 import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
 import { securityBanner } from "../utils/banner.js";
 import { looksMinified } from "../utils/constants.js";
-import { paramReachesSink, bolaOwnershipGuarded, regexpArgIsConstant } from "./ast-engine.js";
+import { paramReachesSink, bolaOwnershipGuarded, bolaMutationGuarded, regexpArgIsConstant } from "./ast-engine.js";
 /** CVE version-pin rule IDs are VG900-VG931 (and only these). Other VG9xx IDs
  * (VG983 Turso, VG990 SVG, VG998 OpenAI browser flag, etc.) are regular code-pattern
  * rules and should NOT be exempted from comment / string-literal skip logic. */
@@ -886,6 +886,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             // `userId` that only appears in `select`, and sees a separate comparison statement.
             if (rule.id === "VG950" && filePath && bolaOwnershipGuarded(code, filePath, lineNumber))
                 continue;
+            // VG951 (BOLA delete/update): the regex already suppresses an ownership field
+            // inside the mutation's WHERE clause, so its only blind spot is the
+            // find → compare → mutate pattern — a bare-id mutation preceded by a post-fetch
+            // ownership comparison against the session. Suppress only when AST proves it.
+            if (rule.id === "VG951" && filePath && bolaMutationGuarded(code, filePath, lineNumber))
+                continue;
             // VG126 (Dynamic RegExp from User Input): the regex matches `new RegExp(anyVar)`,
             // but the var is often a provable constant — a string literal or the callback
             // param iterating a const string array (the classic bot-UA / referrer-list pattern).

package/build/tools/secure-prompt.d.ts

@@ -0,0 +1,65 @@
+import type { SecurityRule } from "../data/rules/types.js";
+export type SecurePromptVerdict = "NO_MOD" | "LIGHT_MOD" | "HEAVY_MOD";
+export interface SecurePromptRequirement {
+    ruleId: string;
+    title: string;
+    requirement: string;
+    severity: SecurityRule["severity"];
+}
+export interface SecurePromptResult {
+    verdict: SecurePromptVerdict;
+    reason: string;
+    intentSummary: string;
+    detectedStack: string[];
+    detectedSurfaces: string[];
+    securityRequirements: SecurePromptRequirement[];
+    ambiguities: string[];
+    originalPrompt: string;
+    /** The single markdown directive block returned to the host LLM. */
+    markdown: string;
+}
+/** Triage thresholds — tune here, never inline. */
+export declare const TRIAGE_CONFIG: {
+    /** Distinct security terms at/above this → prompt counts as security-aware. */
+    readonly securityAwareTerms: 3;
+    /** Specificity score at/above this → prompt counts as specific (not vague). */
+    readonly specificityThreshold: 4;
+    /** Prompts shorter than this many words are vague regardless of other signals. */
+    readonly minWords: 6;
+    /** Matched rules surfaced as requirements are capped at this many. */
+    readonly maxRequirements: 8;
+    /** Clarifying questions (HEAVY_MOD only) are capped at this many. */
+    readonly maxAmbiguities: 3;
+};
+/**
+ * A lowercased haystack searched in two forms: raw (so hyphenated tokens like
+ * "next-auth" match) and hyphen/underscore-normalized (so user phrasings like
+ * "sign-in"/"RLS-enabled"/"log_in" match space-joined tokens like "sign in").
+ */
+interface Haystack {
+    raw: string;
+    norm: string;
+}
+/** True if the token appears (word-boundary) in either form of the haystack. */
+export declare function includesToken(haystack: Haystack | string, token: string): boolean;
+/** Detect technologies named in the prompt (and optional client-provided context). */
+export declare function detectPromptStack(rawPrompt: string, context?: string): string[];
+/**
+ * Detect security-sensitive attack surfaces implied by the prompt. Surfaces describe
+ * what the user is BUILDING, so they are derived from the prompt text only — the
+ * optional `context` (which names the stack, not the task) deliberately does not
+ * manufacture surfaces, preserving the NO_MOD "do no harm" path for non-security
+ * prompts even when a host always attaches project context.
+ */
+export declare function detectPromptSurfaces(rawPrompt: string, context?: string): string[];
+/** Rank rules against the detected stack + surfaces; severity first, cap at maxRequirements. */
+export declare function matchRulesForPrompt(stack: string[], surfaces: string[], rules: SecurityRule[]): SecurePromptRequirement[];
+/**
+ * Analyze a raw coding prompt BEFORE code generation and return a structured
+ * enhancement directive. Fully deterministic: same prompt = same directive.
+ */
+export declare function securePrompt(rawPrompt: string, opts?: {
+    context?: string;
+    rules?: SecurityRule[];
+}): SecurePromptResult;
+export {};

package/build/tools/secure-prompt.js

@@ -0,0 +1,434 @@
+// secure_prompt — shift-left security at the prompt level.
+// Deterministic pipeline (no LLM calls, no network, no filesystem): triage the raw
+// prompt ("do no harm" first), detect stack + attack surfaces from keyword/alias maps,
+// match the existing GuardVibe rule set, and emit a markdown enhancement directive
+// (guardvibe.secure_prompt.v1) that the HOST LLM uses to rewrite the prompt with
+// security requirements embedded — BEFORE any code is written.
+//
+// Keyword matching deliberately avoids dynamic RegExp construction (boundary-checked
+// indexOf instead) so the scanner's own dynamic-regex and ReDoS audits stay clean.
+import { builtinRules } from "../data/rules/index.js";
+/** Triage thresholds — tune here, never inline. */
+export const TRIAGE_CONFIG = {
+    /** Distinct security terms at/above this → prompt counts as security-aware. */
+    securityAwareTerms: 3,
+    /** Specificity score at/above this → prompt counts as specific (not vague). */
+    specificityThreshold: 4,
+    /** Prompts shorter than this many words are vague regardless of other signals. */
+    minWords: 6,
+    /** Matched rules surfaced as requirements are capped at this many. */
+    maxRequirements: 8,
+    /** Clarifying questions (HEAVY_MOD only) are capped at this many. */
+    maxAmbiguities: 3,
+};
+const TECHS = [
+    { id: "nextjs", label: "Next.js", tokens: ["next.js", "nextjs", "next js", "app router", "server action", "server actions", "server component", "server components", "route handler"], ruleKeywords: ["next.js", "nextjs", "server action", "app router", "route handler", "next_public"], impliedSurfaces: [] },
+    { id: "react", label: "React", tokens: ["react", "jsx", "tsx"], ruleKeywords: ["react", "dangerouslysetinnerhtml"], impliedSurfaces: [] },
+    { id: "express", label: "Express", tokens: ["express", "expressjs"], ruleKeywords: ["express"], impliedSurfaces: [] },
+    { id: "hono", label: "Hono", tokens: ["hono"], ruleKeywords: ["hono"], impliedSurfaces: [] },
+    { id: "supabase", label: "Supabase", tokens: ["supabase", "row level security", "rls"], ruleKeywords: ["supabase", "row level security"], impliedSurfaces: ["database"] },
+    { id: "clerk", label: "Clerk", tokens: ["clerk"], ruleKeywords: ["clerk"], impliedSurfaces: ["auth"] },
+    { id: "nextauth", label: "Auth.js / NextAuth", tokens: ["next-auth", "nextauth", "auth.js", "authjs"], ruleKeywords: ["next-auth", "nextauth", "auth.js"], impliedSurfaces: ["auth"] },
+    { id: "stripe", label: "Stripe", tokens: ["stripe"], ruleKeywords: ["stripe"], impliedSurfaces: ["payments"] },
+    { id: "lemonsqueezy", label: "LemonSqueezy", tokens: ["lemonsqueezy", "lemon squeezy"], ruleKeywords: ["lemonsqueezy"], impliedSurfaces: ["payments"] },
+    { id: "prisma", label: "Prisma", tokens: ["prisma"], ruleKeywords: ["prisma"], impliedSurfaces: ["database"] },
+    { id: "drizzle", label: "Drizzle", tokens: ["drizzle"], ruleKeywords: ["drizzle"], impliedSurfaces: ["database"] },
+    { id: "mongodb", label: "MongoDB / Mongoose", tokens: ["mongodb", "mongoose", "mongo"], ruleKeywords: ["mongo", "nosql"], impliedSurfaces: ["database"] },
+    { id: "postgres", label: "PostgreSQL", tokens: ["postgres", "postgresql"], ruleKeywords: ["postgres", "sql"], impliedSurfaces: ["database"] },
+    { id: "firebase", label: "Firebase", tokens: ["firebase", "firestore"], ruleKeywords: ["firebase", "firestore"], impliedSurfaces: ["database"] },
+    { id: "trpc", label: "tRPC", tokens: ["trpc"], ruleKeywords: ["trpc", "procedure"], impliedSurfaces: [] },
+    { id: "fastapi", label: "FastAPI", tokens: ["fastapi"], ruleKeywords: ["fastapi"], impliedSurfaces: [] },
+    { id: "django", label: "Django", tokens: ["django"], ruleKeywords: ["django"], impliedSurfaces: [] },
+];
+const SURFACES = [
+    {
+        id: "auth", label: "authentication / access control",
+        tokens: ["auth", "authentication", "authorization", "login", "log in", "signin", "sign in", "signup", "sign up", "logout", "password", "session", "sessions", "jwt", "oauth", "sso", "2fa", "mfa", "role", "roles", "permission", "permissions", "admin", "account", "user management"],
+        ruleKeywords: ["auth", "session", "login", "access control", "unauthorized", "credential", "jwt", "bola", "idor"],
+        question: "Which auth provider or mechanism should be used (e.g. Clerk, Auth.js/NextAuth, Supabase Auth, custom JWT sessions)?",
+        answeredByTechs: ["clerk", "nextauth", "supabase", "firebase"],
+    },
+    {
+        id: "payments", label: "payments / billing",
+        tokens: ["payment", "payments", "checkout", "billing", "subscription", "subscriptions", "invoice", "refund", "pricing", "pay"],
+        ruleKeywords: ["stripe", "payment", "webhook", "checkout", "billing", "price"],
+        question: "Which payment provider is used, and which webhook events must be handled?",
+        answeredByTechs: ["stripe", "lemonsqueezy"],
+    },
+    {
+        id: "file-upload", label: "file upload",
+        tokens: ["upload", "uploads", "file upload", "avatar", "attachment", "attachments", "multipart", "image upload"],
+        ruleKeywords: ["upload", "file type", "multipart", "path traversal", "content-type"],
+        question: "What file types and maximum size should uploads accept, and where are files stored?",
+    },
+    {
+        id: "user-input", label: "user input handling",
+        tokens: ["form", "forms", "input", "inputs", "comment", "comments", "search", "user input", "query param", "query params", "request body", "post endpoint", "api endpoint", "endpoint", "contact form", "profile"],
+        ruleKeywords: ["validation", "sanitiz", "xss", "injection", "innerhtml", "user input"],
+    },
+    {
+        id: "database", label: "database / SQL",
+        tokens: ["sql", "database", "db", "query", "queries", "mysql", "sqlite", "orm", "table", "schema", "migration"],
+        ruleKeywords: ["sql", "injection", "query", "orm", "database", "mass assignment"],
+        question: "Which database/ORM is used (e.g. Prisma, Drizzle, Supabase, raw Postgres)?",
+        answeredByTechs: ["prisma", "drizzle", "supabase", "postgres", "mongodb", "firebase"],
+    },
+    {
+        id: "secrets", label: "secrets / credentials",
+        tokens: ["secret", "secrets", "api key", "api keys", "apikey", "token", "tokens", "credential", "credentials", ".env", "env var", "env vars", "environment variable", "environment variables", "private key"],
+        ruleKeywords: ["secret", "credential", "api key", "hardcoded", "env"],
+    },
+    {
+        id: "external-api", label: "external API calls",
+        tokens: ["external api", "third-party", "third party", "fetch", "webhook", "webhooks", "http request", "api call", "api calls", "integration", "proxy", "scrape", "scraper"],
+        ruleKeywords: ["ssrf", "request forgery", "external", "url"],
+    },
+    {
+        id: "deserialization", label: "deserialization / dynamic evaluation",
+        tokens: ["deserialize", "deserialization", "unserialize", "pickle", "yaml.load", "eval", "serialize"],
+        ruleKeywords: ["deserial", "eval", "prototype pollution", "unserialize"],
+    },
+    {
+        id: "redirect", label: "redirects / callbacks",
+        tokens: ["redirect", "redirects", "callback url", "return url", "returnto", "return to", "callback"],
+        ruleKeywords: ["redirect", "callback"],
+    },
+];
+// Explicit security-engineering vocabulary, grouped by CONCEPT. countSecurityTerms
+// counts each group at most once, so synonyms/sub-phrases ("validation" +
+// "input validation" + "schema validation") of a single concept never triple-count.
+const SECURITY_TERM_GROUPS = [
+    ["auth", "authn", "authentication", "authorization", "access control", "ownership check"],
+    ["validate", "validates", "validation", "input validation", "schema validation", "zod"],
+    ["sanitize", "sanitizes", "sanitization", "escape", "escaping"],
+    ["rate limit", "rate-limit", "rate limiting", "rate-limiting", "throttle"],
+    ["csrf"],
+    ["xss"],
+    ["sql injection", "injection", "parameterized", "prepared statement"],
+    ["webhook signature", "signature verification", "verify the signature", "constructevent", "hmac", "timingsafeequal", "timing-safe"],
+    ["secret manager", "secrets manager", "env var", "environment variable"],
+    ["encrypt", "encryption", "hash", "hashed", "hashing", "bcrypt", "argon2", "scrypt"],
+    ["jwt verification", "verify jwt"],
+    ["rls", "row level security", "least privilege"],
+    ["csp", "hsts", "x-frame-options", "security header", "security headers", "helmet"],
+    ["cors"],
+    ["2fa", "mfa"],
+    ["owasp", "idor", "bola", "ssrf"],
+    ["allowlist", "whitelist", "denylist"],
+];
+/** Markers of an underspecified ask — each hit lowers the specificity score. */
+const VAGUE_MARKERS = [
+    "somehow", "something", "stuff", "make it work", "or whatever", "etc", "some kind of",
+    "quick and dirty", "simple app", "basic app", "a thing",
+];
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+/** Languages whose rules express things a code-writing prompt can actually satisfy. */
+const CODE_LANGUAGES = ["javascript", "typescript", "python", "go"];
+function isWordChar(ch) {
+    if (ch === "")
+        return false;
+    return /[a-z0-9_-]/.test(ch);
+}
+/** Word-boundary token search without dynamic RegExp (token is matched case-insensitively). */
+function includesTokenIn(haystackLower, token) {
+    const needle = token.toLowerCase();
+    let idx = haystackLower.indexOf(needle);
+    while (idx !== -1) {
+        const before = idx === 0 ? "" : haystackLower[idx - 1];
+        const afterIdx = idx + needle.length;
+        const after = afterIdx >= haystackLower.length ? "" : haystackLower[afterIdx];
+        if (!isWordChar(before) && !isWordChar(after))
+            return true;
+        idx = haystackLower.indexOf(needle, idx + 1);
+    }
+    return false;
+}
+function makeHaystack(text) {
+    const raw = text.toLowerCase();
+    return { raw, norm: raw.replace(/[-_]+/g, " ") };
+}
+/** True if the token appears (word-boundary) in either form of the haystack. */
+export function includesToken(haystack, token) {
+    const h = typeof haystack === "string" ? makeHaystack(haystack) : haystack;
+    return includesTokenIn(h.raw, token) || includesTokenIn(h.norm, token);
+}
+/** Detect technologies named in the prompt (and optional client-provided context). */
+export function detectPromptStack(rawPrompt, context) {
+    const h = makeHaystack(`${rawPrompt}\n${context ?? ""}`);
+    return TECHS.filter((t) => t.tokens.some((tok) => includesToken(h, tok))).map((t) => t.id);
+}
+/**
+ * Detect security-sensitive attack surfaces implied by the prompt. Surfaces describe
+ * what the user is BUILDING, so they are derived from the prompt text only — the
+ * optional `context` (which names the stack, not the task) deliberately does not
+ * manufacture surfaces, preserving the NO_MOD "do no harm" path for non-security
+ * prompts even when a host always attaches project context.
+ */
+export function detectPromptSurfaces(rawPrompt, context) {
+    void context;
+    const h = makeHaystack(rawPrompt);
+    const direct = SURFACES.filter((s) => s.tokens.some((tok) => includesToken(h, tok))).map((s) => s.id);
+    const implied = TECHS.filter((t) => t.tokens.some((tok) => includesToken(h, tok))).flatMap((t) => t.impliedSurfaces);
+    return [...new Set([...direct, ...implied])];
+}
+/** Count DISTINCT security concepts present (each term group counts at most once). */
+function countSecurityTerms(textLower) {
+    const h = makeHaystack(textLower);
+    let count = 0;
+    for (const group of SECURITY_TERM_GROUPS) {
+        if (group.some((term) => includesToken(h, term)))
+            count++;
+    }
+    return count;
+}
+function specificityScore(rawPrompt, stackCount) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    const words = collapsed.length === 0 ? [] : collapsed.split(" ");
+    const lower = collapsed.toLowerCase();
+    let score = Math.min(4, stackCount * 2);
+    // Concrete nouns: file paths / extensions and code identifiers.
+    let pathTokens = 0;
+    let codeTokens = 0;
+    for (const w of words) {
+        const cleaned = w.replace(/[,;:!?)]+$/, "");
+        if (cleaned.includes("/") && cleaned.length > 3)
+            pathTokens++;
+        else if (/\.[a-z]{2,4}$/i.test(cleaned))
+            pathTokens++;
+        else if (/[a-z][A-Z]/.test(cleaned) || cleaned.includes("(") || cleaned.includes("`"))
+            codeTokens++;
+    }
+    score += Math.min(2, pathTokens) + Math.min(2, codeTokens);
+    // Length tiers reward elaborated asks.
+    if (words.length >= 25)
+        score += 2;
+    else if (words.length >= 12)
+        score += 1;
+    // Vagueness markers subtract.
+    let vagueHits = 0;
+    for (const marker of VAGUE_MARKERS) {
+        if (includesToken(lower, marker))
+            vagueHits++;
+    }
+    score -= Math.min(2, vagueHits) * 2;
+    return score;
+}
+function triage(rawPrompt, stack, surfaces) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    if (collapsed.length === 0) {
+        return { verdict: "NO_MOD", reason: "Empty prompt — nothing to analyze; proceed as-is.", securityTermCount: 0 };
+    }
+    const lower = collapsed.toLowerCase();
+    const securityTermCount = countSecurityTerms(lower);
+    const securityRelevant = surfaces.length > 0 || securityTermCount > 0;
+    if (!securityRelevant) {
+        return { verdict: "NO_MOD", reason: "No security-sensitive surface detected — injecting security requirements would be noise; proceed as-is.", securityTermCount };
+    }
+    const wordCount = collapsed.split(" ").length;
+    const specific = wordCount >= TRIAGE_CONFIG.minWords
+        && specificityScore(rawPrompt, stack.length) >= TRIAGE_CONFIG.specificityThreshold;
+    const securityAware = securityTermCount >= TRIAGE_CONFIG.securityAwareTerms;
+    if (specific && securityAware) {
+        return {
+            verdict: "NO_MOD",
+            reason: `Prompt is already specific and security-aware (${securityTermCount} security terms, concrete stack/detail) — modification would risk altering intent.`,
+            securityTermCount,
+        };
+    }
+    if (specific) {
+        return {
+            verdict: "LIGHT_MOD",
+            reason: "Intent is clear and specific but explicit security constraints are missing — inject requirements only, do not restructure.",
+            securityTermCount,
+        };
+    }
+    return {
+        verdict: "HEAVY_MOD",
+        reason: "Prompt is vague/underspecified and touches security-sensitive surfaces — inject requirements and surface clarifying questions.",
+        securityTermCount,
+    };
+}
+/** Rank rules against the detected stack + surfaces; severity first, cap at maxRequirements. */
+export function matchRulesForPrompt(stack, surfaces, rules) {
+    const techDefs = TECHS.filter((t) => stack.includes(t.id));
+    const surfaceDefs = SURFACES.filter((s) => surfaces.includes(s.id));
+    if (techDefs.length === 0 && surfaceDefs.length === 0)
+        return [];
+    const scored = [];
+    for (const rule of rules) {
+        // Only code-level rules become prompt-level requirements. This drops version-pin
+        // advisories and config/manifest rules (languages json/yaml only — you can't
+        // satisfy "upgrade package X" by writing code) while keeping behavioral js/ts/
+        // python/go rules even when they cite a CVE in their name (e.g. Drizzle sql.raw
+        // injection, Axios redirect leak, Hono SSE injection).
+        if (!rule.languages.some((l) => CODE_LANGUAGES.includes(l)))
+            continue;
+        const text = `${rule.name} ${rule.description}`.toLowerCase();
+        let score = 0;
+        for (const t of techDefs) {
+            if (t.ruleKeywords.some((k) => text.includes(k)))
+                score += 2;
+        }
+        for (const s of surfaceDefs) {
+            if (s.ruleKeywords.some((k) => text.includes(k)))
+                score += 1;
+        }
+        if (score > 0)
+            scored.push({ rule, score });
+    }
+    scored.sort((a, b) => (SEVERITY_ORDER[a.rule.severity] ?? 99) - (SEVERITY_ORDER[b.rule.severity] ?? 99)
+        || b.score - a.score
+        || a.rule.id.localeCompare(b.rule.id));
+    // Dedupe near-identical guidance (e.g. three "use parameterized queries" rules)
+    // so the capped list spends its slots on diverse requirements.
+    const seen = new Set();
+    const requirements = [];
+    for (const { rule } of scored) {
+        if (requirements.length >= TRIAGE_CONFIG.maxRequirements)
+            break;
+        const requirement = firstSentence(rule.fix);
+        // Key on the instruction itself, ignoring an attached code example (": db.query(...)").
+        const key = requirement.split(":")[0].toLowerCase().replace(/[^a-z0-9 ]/g, "").replace(/ +/g, " ").trim();
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        requirements.push({ ruleId: rule.id, title: rule.name, requirement, severity: rule.severity });
+    }
+    return requirements;
+}
+/** Common abbreviations whose trailing "." is not a sentence boundary. */
+const ABBREVIATIONS = ["e.g", "i.e", "etc", "vs", "cf", "approx", "no", "fig", "al"];
+function firstSentence(text) {
+    const collapsed = text.replace(/\s+/g, " ").trim();
+    // Find the first real sentence boundary, skipping ellipses ("...") and abbreviations
+    // ("e.g. ", "etc. ") so an example mid-fix doesn't truncate the actionable instruction.
+    let idx = collapsed.indexOf(". ");
+    while (idx > 0) {
+        const isEllipsis = collapsed[idx - 1] === ".";
+        const before = collapsed.slice(0, idx).toLowerCase();
+        const isAbbrev = ABBREVIATIONS.some((a) => before.endsWith(a) && !isWordChar(before[before.length - a.length - 1] ?? ""));
+        if (!isEllipsis && !isAbbrev)
+            break;
+        idx = collapsed.indexOf(". ", idx + 1);
+    }
+    if (idx === -1)
+        return collapsed;
+    const sentence = collapsed.slice(0, idx + 1);
+    // Never cut inside an unclosed inline code span.
+    const backticks = sentence.split("`").length - 1;
+    return backticks % 2 === 0 ? sentence : collapsed;
+}
+function buildAmbiguities(stack, surfaces) {
+    const questions = [];
+    if (stack.length === 0) {
+        questions.push("Which framework/stack is this for (e.g. Next.js, Express, Hono)? Only generic security rules could be matched without it.");
+    }
+    for (const surface of SURFACES) {
+        if (!surfaces.includes(surface.id) || !surface.question)
+            continue;
+        const answered = surface.answeredByTechs?.some((t) => stack.includes(t)) ?? false;
+        if (!answered)
+            questions.push(surface.question);
+    }
+    if (questions.length === 0) {
+        questions.push("The request is broad — which routes/files are in scope, and what does a successful result look like?");
+    }
+    return questions.slice(0, TRIAGE_CONFIG.maxAmbiguities);
+}
+function buildIntentSummary(rawPrompt) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    const clipped = collapsed.length > 220 ? `${collapsed.slice(0, 217)}...` : collapsed;
+    return `The user wants to: ${clipped}`;
+}
+/** Pick a code fence longer than any backtick run in the prompt so it embeds verbatim. */
+function fenceFor(text) {
+    let longest = 0;
+    let run = 0;
+    for (const ch of text) {
+        run = ch === "`" ? run + 1 : 0;
+        if (run > longest)
+            longest = run;
+    }
+    return "`".repeat(Math.max(3, longest + 1));
+}
+const REWRITE_DIRECTIVE = "Rewrite the user's prompt incorporating the security requirements above. " +
+    "Do NOT add features the user did not request. Do NOT change the user's intent. " +
+    "If verdict is NO_MOD, use the original prompt as-is.";
+const NO_MOD_DIRECTIVE = "Verdict is NO_MOD: use the ORIGINAL prompt below as-is. " +
+    "Do NOT rewrite, augment, or reinterpret it. " +
+    "Do NOT add features the user did not request. Do NOT change the user's intent.";
+function surfaceLabel(id) {
+    return SURFACES.find((s) => s.id === id)?.label ?? id;
+}
+function techLabel(id) {
+    return TECHS.find((t) => t.id === id)?.label ?? id;
+}
+function buildMarkdown(result) {
+    const fence = fenceFor(result.originalPrompt);
+    const lines = [
+        "## GuardVibe secure_prompt directive (guardvibe.secure_prompt.v1)",
+        "",
+        `- **verdict:** ${result.verdict}`,
+        `- **reason:** ${result.reason}`,
+    ];
+    if (result.verdict === "NO_MOD") {
+        lines.push("", "### rewrite_directive", NO_MOD_DIRECTIVE, "", "### original_prompt", fence + "text", result.originalPrompt, fence);
+        return lines.join("\n");
+    }
+    lines.push("", "### intent_summary (HARD CONSTRAINT — preserve this intent exactly)", `${result.intentSummary}`, "The rewritten prompt MUST preserve this intent exactly: no added features, no scope changes.");
+    if (result.detectedStack.length > 0 || result.detectedSurfaces.length > 0) {
+        lines.push("", "### detected_context");
+        if (result.detectedStack.length > 0) {
+            lines.push(`- **stack:** ${result.detectedStack.map(techLabel).join(", ")}`);
+        }
+        if (result.detectedSurfaces.length > 0) {
+            lines.push(`- **attack surfaces:** ${result.detectedSurfaces.map(surfaceLabel).join(", ")}`);
+        }
+    }
+    lines.push("", "### security_requirements");
+    if (result.securityRequirements.length === 0) {
+        lines.push("_No specific GuardVibe rules matched the detected stack/surfaces — apply standard input validation and authentication practices._");
+    }
+    else {
+        result.securityRequirements.forEach((req, i) => {
+            lines.push(`${i + 1}. [${req.ruleId}] (${req.severity}) ${req.title} — ${req.requirement}`);
+        });
+    }
+    if (result.verdict === "HEAVY_MOD" && result.ambiguities.length > 0) {
+        lines.push("", "### ambiguities (ask the user — do NOT invent answers)");
+        result.ambiguities.forEach((q, i) => lines.push(`${i + 1}. ${q}`));
+    }
+    lines.push("", "### rewrite_directive", REWRITE_DIRECTIVE, "", "### original_prompt", fence + "text", result.originalPrompt, fence);
+    return lines.join("\n");
+}
+/**
+ * Analyze a raw coding prompt BEFORE code generation and return a structured
+ * enhancement directive. Fully deterministic: same prompt = same directive.
+ */
+export function securePrompt(rawPrompt, opts) {
+    const effectiveRules = opts?.rules && opts.rules.length > 0 ? opts.rules : builtinRules;
+    // Full known stack (prompt + context) — informs display and answers "which provider"
+    // clarifying questions. promptStack (prompt only) drives triage and rule selection so
+    // that always-attached project context can never escalate a non-security prompt or
+    // manufacture off-topic requirements (the "do no harm" guarantee).
+    const detectedStack = detectPromptStack(rawPrompt, opts?.context);
+    const promptStack = detectPromptStack(rawPrompt);
+    const detectedSurfaces = detectPromptSurfaces(rawPrompt);
+    const { verdict, reason } = triage(rawPrompt, promptStack, detectedSurfaces);
+    // NO_MOD short-circuits: original prompt untouched, no requirements computed.
+    const securityRequirements = verdict === "NO_MOD"
+        ? []
+        : matchRulesForPrompt(promptStack, detectedSurfaces, effectiveRules);
+    const ambiguities = verdict === "HEAVY_MOD" ? buildAmbiguities(detectedStack, detectedSurfaces) : [];
+    const base = {
+        verdict,
+        reason,
+        intentSummary: buildIntentSummary(rawPrompt),
+        detectedStack,
+        detectedSurfaces,
+        securityRequirements,
+        ambiguities,
+        originalPrompt: rawPrompt,
+    };
+    return { ...base, markdown: buildMarkdown(base) };
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "3.17.0",
+  "version": "3.19.0",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
+  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 38 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",