guardvibe 3.18.0 → 3.19.0

package/CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.19.0] - 2026-06-10
+
+### Added — secure_prompt: prompt-level security, shift left (442 rules / 37 → 38 tools)
+- **New MCP tool `secure_prompt`** — analyzes a raw coding prompt BEFORE any code is written and returns a structured enhancement directive (`guardvibe.secure_prompt.v1`) the host LLM uses to rewrite the prompt with GuardVibe security requirements embedded. Fully deterministic: no LLM calls, no network, no API keys — same prompt = same directive.
+- **Triage-first, "do no harm":** verdict `NO_MOD` (prompt already specific and security-aware, or touches no security surface → host proceeds with the ORIGINAL prompt unchanged), `LIGHT_MOD` (clear intent, missing security constraints → inject requirements only), `HEAVY_MOD` (vague AND security-relevant → requirements + up to 3 clarifying questions, never invented answers). Scoring heuristics (concrete nouns, security vocabulary, length/imperative specificity, sensitive surfaces) with thresholds in an exported `TRIAGE_CONFIG` constant.
+- **Stack + attack-surface detection** from keyword/alias maps (Next.js, Supabase, Clerk, Stripe, Prisma, Express, Hono, Drizzle, Firebase, MongoDB, tRPC, FastAPI, Django...; auth, payments, file upload, user input, database/SQL, secrets, external APIs, deserialization, redirects), including surfaces implied by detected technologies. Optional `context` input merges client-known stack info. Token matching is boundary-checked `indexOf` — no dynamic RegExp (keeps the self-audit and ReDoS meta-test clean).
+- **Rule matching over the existing 442-rule set** by name/description keywords for the detected stack + surfaces, severity-ranked (critical → info), near-duplicate guidance deduped, capped at the top 8; each requirement carries `[rule-id]`, title, severity, and the rule's fix phrased as an instruction. CVE version-pin rules excluded (they gate package pins, not prompts).
+- Directive output: verdict + one-line reason, intent summary stated as a HARD CONSTRAINT, numbered security requirements, ambiguities (HEAVY_MOD only), explicit rewrite directive ("Do NOT add features the user did not request. Do NOT change the user's intent."), and the original prompt echoed verbatim (fence-safe even when the prompt contains code blocks).
+- New module `src/tools/secure-prompt.ts`; 24 tests in `tests/tools/secure-prompt.test.ts` (NO_MOD short-circuit, LIGHT vs HEAVY classification, 7-framework stack detection, rule cap + severity ordering, empty/garbage input, determinism). README gains a "Prompt-Level Security (Shift Left)" section with a before/after example. Zero new runtime dependencies.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.18.0] - 2026-06-09
 
 ### Added — FAZ 3 part c: AST BOLA mutation-guard detection for VG951 (442 rules / 37 tools)

package/README.md

@@ -14,7 +14,7 @@
 - **🗺️ Sees the whole repo.** Cross-file taint + auth-coverage across every route — catches the unprotected endpoint your agent's narrow context missed.
 - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
 
-**The security MCP built for vibe coding.** 442 security rules, 37 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 442 security rules, 38 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -26,7 +26,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **442 security rules, 37 tools** purpose-built for the stacks AI agents generate
+- **442 security rules, 38 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -212,7 +212,37 @@ Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (E
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `--ignore-scripts` hardening (VG1070), typosquat detection, `node-ipc` protestware versions (VG1069), Miasma `@redhat-cloud-services` namespace compromise IOC (VG1074, RHSB-2026-006), Session messenger exfil endpoint IOC (VG1075, `filev2.getsession.org`), `@tanstack/*` Mini Shai-Hulud mass-malware versions (May 2026), `@wdio/browserstack-service` command injection via git branch names (CVE-2026-25244), lockfile poisoning patterns
 
-## Tools (37 MCP tools)
+## Prompt-Level Security (Shift Left)
+
+Most vulnerabilities in AI-generated code are born in the prompt: "add login to my app" says nothing about password hashing, session handling, or rate limiting — so the model picks defaults, and the defaults are where the CVEs live. `secure_prompt` moves the security gate to **before code generation**: it analyzes the raw prompt, detects the stack and attack surfaces it implies, matches them against GuardVibe's rule set, and returns a directive the host LLM uses to rewrite the prompt with security requirements embedded.
+
+This is not a prompt beautifier. It is deterministic (no LLM, no network), it never restructures intent, and its first job is **do no harm**: a prompt that is already specific and security-aware gets verdict `NO_MOD` and passes through untouched.
+
+- **`NO_MOD`** — prompt is already specific and security-aware → proceed with the original prompt unchanged
+- **`LIGHT_MOD`** — intent is clear but security constraints are missing → inject requirements only
+- **`HEAVY_MOD`** — prompt is vague *and* security-relevant → inject requirements + surface clarifying questions (never invent the answers)
+
+**Before** (what the user typed):
+
+```text
+add login to my app
+```
+
+**After** (what the host LLM executes, having applied the `secure_prompt` directive):
+
+```text
+Add login to my app, with these security requirements:
+- [VG001] Use environment variables or a secrets manager — never hardcode credentials.
+- [VG1008] Always verify the caller has admin privileges before allowing role elevation.
+- [VG105] Always specify allowed algorithms explicitly in jwt.verify().
+
+Before implementing, confirm: which framework/stack is this for, and which auth
+provider should be used (e.g. Clerk, Auth.js/NextAuth, Supabase Auth, custom JWT)?
+```
+
+Same user intent — but the model now generates auth code with the guardrails stated up front, instead of GuardVibe catching the missing pieces after the fact.
+
+## Tools (38 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -253,6 +283,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `-
 | `full_audit` | **Single source of truth** — runs ALL checks in one call, returns PASS/FAIL/WARN verdict + score + coverage % + deterministic result hash |
 | `remediation_plan` | **Remediation plan** — generates section-by-section fix checklist after audit |
 | `verify_remediation` | **Remediation verification** — compares before/after audit, flags skipped sections |
+| `secure_prompt` | **Prompt-level security (shift left)** — analyze a coding prompt BEFORE code is written; deterministic triage (NO_MOD/LIGHT_MOD/HEAVY_MOD), stack + attack-surface detection, severity-ranked GuardVibe requirements embedded via a rewrite directive |
 
 All scanning tools support `format: "json"` for machine-readable output.
 

package/build/index.js

@@ -42,6 +42,7 @@ import { formatHostFindings, redactSecrets } from "./server/types.js";
 import { verifyFix } from "./tools/verify-fix.js";
 import { fixCode as fixCodeTool } from "./tools/fix-code.js";
 import { secureThis } from "./tools/secure-this.js";
+import { securePrompt } from "./tools/secure-prompt.js";
 import { buildAgentReport } from "./tools/agent-output.js";
 import { analyzeAuthCoverage, formatAuthCoverage } from "./tools/auth-coverage.js";
 import { buildDeepScanPrompt, parseDeepScanResult, formatDeepScanFindings, callLLM } from "./tools/deep-scan.js";
@@ -63,7 +64,7 @@ function mergeStatsIntoOutput(results, summary, format) {
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
-    description: "Security MCP for vibe coding — single source of truth for AI assistants. 390 security rules and 36 tools. Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.",
+    description: `Security MCP for vibe coding — single source of truth for AI assistants. ${builtinRules.length} security rules and 38 tools. Call secure_prompt with the user's coding prompt BEFORE generating code to embed security requirements up front (shift left). Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.`,
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze inline code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Pass code as a string parameter. For scanning files on disk, use scan_file instead. Example: check_code({code: 'app.get(...)', language: 'javascript'})", {
@@ -1031,6 +1032,15 @@ server.tool("verify_remediation", "Compare before/after audit results to verify
     lines.push("", "---", `**${summary}**`);
     return { content: [{ type: "text", text: lines.join("\n") }] };
 });
+// Tool 38: secure_prompt — shift-left security at the prompt level (enhance BEFORE code is written)
+server.tool("secure_prompt", "Shift-left security at the prompt level: analyze a raw coding prompt BEFORE any code is written and return a structured enhancement directive that embeds GuardVibe security requirements (auth checks, input validation, webhook signature verification, SQL injection prevention, secrets handling) into the prompt you are about to execute. Deterministic — no LLM, no network: triage verdict NO_MOD (prompt already specific and security-aware → proceed with the ORIGINAL prompt unchanged), LIGHT_MOD (inject missing security constraints only), or HEAVY_MOD (also surface clarifying questions — never invent answers to them). Detects stack (Next.js, Supabase, Clerk, Stripe, Prisma, Express, Hono...) and attack surfaces (auth, payments, file upload, user input, SQL, secrets, redirects) from the prompt text, matches them against GuardVibe's rule set, and returns verdict + intent summary + numbered [rule-id] requirements + rewrite directive. Call this with the user's prompt before generating code; prevents vulnerabilities before code generation instead of scanning after. Example: secure_prompt({raw_prompt: 'add login to my app'})", {
+    raw_prompt: z.string().describe("The user's original coding prompt, verbatim"),
+    context: z.string().optional().describe("Known stack/framework context if the client has it (e.g. 'Next.js app router, Supabase, Stripe')"),
+}, async ({ raw_prompt, context }) => {
+    const rules = getRules();
+    const result = securePrompt(raw_prompt, { context, rules });
+    return { content: [{ type: "text", text: result.markdown }] };
+});
 export async function startMcpServer() {
     return main();
 }

package/build/tools/secure-prompt.d.ts

@@ -0,0 +1,65 @@
+import type { SecurityRule } from "../data/rules/types.js";
+export type SecurePromptVerdict = "NO_MOD" | "LIGHT_MOD" | "HEAVY_MOD";
+export interface SecurePromptRequirement {
+    ruleId: string;
+    title: string;
+    requirement: string;
+    severity: SecurityRule["severity"];
+}
+export interface SecurePromptResult {
+    verdict: SecurePromptVerdict;
+    reason: string;
+    intentSummary: string;
+    detectedStack: string[];
+    detectedSurfaces: string[];
+    securityRequirements: SecurePromptRequirement[];
+    ambiguities: string[];
+    originalPrompt: string;
+    /** The single markdown directive block returned to the host LLM. */
+    markdown: string;
+}
+/** Triage thresholds — tune here, never inline. */
+export declare const TRIAGE_CONFIG: {
+    /** Distinct security terms at/above this → prompt counts as security-aware. */
+    readonly securityAwareTerms: 3;
+    /** Specificity score at/above this → prompt counts as specific (not vague). */
+    readonly specificityThreshold: 4;
+    /** Prompts shorter than this many words are vague regardless of other signals. */
+    readonly minWords: 6;
+    /** Matched rules surfaced as requirements are capped at this many. */
+    readonly maxRequirements: 8;
+    /** Clarifying questions (HEAVY_MOD only) are capped at this many. */
+    readonly maxAmbiguities: 3;
+};
+/**
+ * A lowercased haystack searched in two forms: raw (so hyphenated tokens like
+ * "next-auth" match) and hyphen/underscore-normalized (so user phrasings like
+ * "sign-in"/"RLS-enabled"/"log_in" match space-joined tokens like "sign in").
+ */
+interface Haystack {
+    raw: string;
+    norm: string;
+}
+/** True if the token appears (word-boundary) in either form of the haystack. */
+export declare function includesToken(haystack: Haystack | string, token: string): boolean;
+/** Detect technologies named in the prompt (and optional client-provided context). */
+export declare function detectPromptStack(rawPrompt: string, context?: string): string[];
+/**
+ * Detect security-sensitive attack surfaces implied by the prompt. Surfaces describe
+ * what the user is BUILDING, so they are derived from the prompt text only — the
+ * optional `context` (which names the stack, not the task) deliberately does not
+ * manufacture surfaces, preserving the NO_MOD "do no harm" path for non-security
+ * prompts even when a host always attaches project context.
+ */
+export declare function detectPromptSurfaces(rawPrompt: string, context?: string): string[];
+/** Rank rules against the detected stack + surfaces; severity first, cap at maxRequirements. */
+export declare function matchRulesForPrompt(stack: string[], surfaces: string[], rules: SecurityRule[]): SecurePromptRequirement[];
+/**
+ * Analyze a raw coding prompt BEFORE code generation and return a structured
+ * enhancement directive. Fully deterministic: same prompt = same directive.
+ */
+export declare function securePrompt(rawPrompt: string, opts?: {
+    context?: string;
+    rules?: SecurityRule[];
+}): SecurePromptResult;
+export {};

package/build/tools/secure-prompt.js

@@ -0,0 +1,434 @@
+// secure_prompt — shift-left security at the prompt level.
+// Deterministic pipeline (no LLM calls, no network, no filesystem): triage the raw
+// prompt ("do no harm" first), detect stack + attack surfaces from keyword/alias maps,
+// match the existing GuardVibe rule set, and emit a markdown enhancement directive
+// (guardvibe.secure_prompt.v1) that the HOST LLM uses to rewrite the prompt with
+// security requirements embedded — BEFORE any code is written.
+//
+// Keyword matching deliberately avoids dynamic RegExp construction (boundary-checked
+// indexOf instead) so the scanner's own dynamic-regex and ReDoS audits stay clean.
+import { builtinRules } from "../data/rules/index.js";
+/** Triage thresholds — tune here, never inline. */
+export const TRIAGE_CONFIG = {
+    /** Distinct security terms at/above this → prompt counts as security-aware. */
+    securityAwareTerms: 3,
+    /** Specificity score at/above this → prompt counts as specific (not vague). */
+    specificityThreshold: 4,
+    /** Prompts shorter than this many words are vague regardless of other signals. */
+    minWords: 6,
+    /** Matched rules surfaced as requirements are capped at this many. */
+    maxRequirements: 8,
+    /** Clarifying questions (HEAVY_MOD only) are capped at this many. */
+    maxAmbiguities: 3,
+};
+const TECHS = [
+    { id: "nextjs", label: "Next.js", tokens: ["next.js", "nextjs", "next js", "app router", "server action", "server actions", "server component", "server components", "route handler"], ruleKeywords: ["next.js", "nextjs", "server action", "app router", "route handler", "next_public"], impliedSurfaces: [] },
+    { id: "react", label: "React", tokens: ["react", "jsx", "tsx"], ruleKeywords: ["react", "dangerouslysetinnerhtml"], impliedSurfaces: [] },
+    { id: "express", label: "Express", tokens: ["express", "expressjs"], ruleKeywords: ["express"], impliedSurfaces: [] },
+    { id: "hono", label: "Hono", tokens: ["hono"], ruleKeywords: ["hono"], impliedSurfaces: [] },
+    { id: "supabase", label: "Supabase", tokens: ["supabase", "row level security", "rls"], ruleKeywords: ["supabase", "row level security"], impliedSurfaces: ["database"] },
+    { id: "clerk", label: "Clerk", tokens: ["clerk"], ruleKeywords: ["clerk"], impliedSurfaces: ["auth"] },
+    { id: "nextauth", label: "Auth.js / NextAuth", tokens: ["next-auth", "nextauth", "auth.js", "authjs"], ruleKeywords: ["next-auth", "nextauth", "auth.js"], impliedSurfaces: ["auth"] },
+    { id: "stripe", label: "Stripe", tokens: ["stripe"], ruleKeywords: ["stripe"], impliedSurfaces: ["payments"] },
+    { id: "lemonsqueezy", label: "LemonSqueezy", tokens: ["lemonsqueezy", "lemon squeezy"], ruleKeywords: ["lemonsqueezy"], impliedSurfaces: ["payments"] },
+    { id: "prisma", label: "Prisma", tokens: ["prisma"], ruleKeywords: ["prisma"], impliedSurfaces: ["database"] },
+    { id: "drizzle", label: "Drizzle", tokens: ["drizzle"], ruleKeywords: ["drizzle"], impliedSurfaces: ["database"] },
+    { id: "mongodb", label: "MongoDB / Mongoose", tokens: ["mongodb", "mongoose", "mongo"], ruleKeywords: ["mongo", "nosql"], impliedSurfaces: ["database"] },
+    { id: "postgres", label: "PostgreSQL", tokens: ["postgres", "postgresql"], ruleKeywords: ["postgres", "sql"], impliedSurfaces: ["database"] },
+    { id: "firebase", label: "Firebase", tokens: ["firebase", "firestore"], ruleKeywords: ["firebase", "firestore"], impliedSurfaces: ["database"] },
+    { id: "trpc", label: "tRPC", tokens: ["trpc"], ruleKeywords: ["trpc", "procedure"], impliedSurfaces: [] },
+    { id: "fastapi", label: "FastAPI", tokens: ["fastapi"], ruleKeywords: ["fastapi"], impliedSurfaces: [] },
+    { id: "django", label: "Django", tokens: ["django"], ruleKeywords: ["django"], impliedSurfaces: [] },
+];
+const SURFACES = [
+    {
+        id: "auth", label: "authentication / access control",
+        tokens: ["auth", "authentication", "authorization", "login", "log in", "signin", "sign in", "signup", "sign up", "logout", "password", "session", "sessions", "jwt", "oauth", "sso", "2fa", "mfa", "role", "roles", "permission", "permissions", "admin", "account", "user management"],
+        ruleKeywords: ["auth", "session", "login", "access control", "unauthorized", "credential", "jwt", "bola", "idor"],
+        question: "Which auth provider or mechanism should be used (e.g. Clerk, Auth.js/NextAuth, Supabase Auth, custom JWT sessions)?",
+        answeredByTechs: ["clerk", "nextauth", "supabase", "firebase"],
+    },
+    {
+        id: "payments", label: "payments / billing",
+        tokens: ["payment", "payments", "checkout", "billing", "subscription", "subscriptions", "invoice", "refund", "pricing", "pay"],
+        ruleKeywords: ["stripe", "payment", "webhook", "checkout", "billing", "price"],
+        question: "Which payment provider is used, and which webhook events must be handled?",
+        answeredByTechs: ["stripe", "lemonsqueezy"],
+    },
+    {
+        id: "file-upload", label: "file upload",
+        tokens: ["upload", "uploads", "file upload", "avatar", "attachment", "attachments", "multipart", "image upload"],
+        ruleKeywords: ["upload", "file type", "multipart", "path traversal", "content-type"],
+        question: "What file types and maximum size should uploads accept, and where are files stored?",
+    },
+    {
+        id: "user-input", label: "user input handling",
+        tokens: ["form", "forms", "input", "inputs", "comment", "comments", "search", "user input", "query param", "query params", "request body", "post endpoint", "api endpoint", "endpoint", "contact form", "profile"],
+        ruleKeywords: ["validation", "sanitiz", "xss", "injection", "innerhtml", "user input"],
+    },
+    {
+        id: "database", label: "database / SQL",
+        tokens: ["sql", "database", "db", "query", "queries", "mysql", "sqlite", "orm", "table", "schema", "migration"],
+        ruleKeywords: ["sql", "injection", "query", "orm", "database", "mass assignment"],
+        question: "Which database/ORM is used (e.g. Prisma, Drizzle, Supabase, raw Postgres)?",
+        answeredByTechs: ["prisma", "drizzle", "supabase", "postgres", "mongodb", "firebase"],
+    },
+    {
+        id: "secrets", label: "secrets / credentials",
+        tokens: ["secret", "secrets", "api key", "api keys", "apikey", "token", "tokens", "credential", "credentials", ".env", "env var", "env vars", "environment variable", "environment variables", "private key"],
+        ruleKeywords: ["secret", "credential", "api key", "hardcoded", "env"],
+    },
+    {
+        id: "external-api", label: "external API calls",
+        tokens: ["external api", "third-party", "third party", "fetch", "webhook", "webhooks", "http request", "api call", "api calls", "integration", "proxy", "scrape", "scraper"],
+        ruleKeywords: ["ssrf", "request forgery", "external", "url"],
+    },
+    {
+        id: "deserialization", label: "deserialization / dynamic evaluation",
+        tokens: ["deserialize", "deserialization", "unserialize", "pickle", "yaml.load", "eval", "serialize"],
+        ruleKeywords: ["deserial", "eval", "prototype pollution", "unserialize"],
+    },
+    {
+        id: "redirect", label: "redirects / callbacks",
+        tokens: ["redirect", "redirects", "callback url", "return url", "returnto", "return to", "callback"],
+        ruleKeywords: ["redirect", "callback"],
+    },
+];
+// Explicit security-engineering vocabulary, grouped by CONCEPT. countSecurityTerms
+// counts each group at most once, so synonyms/sub-phrases ("validation" +
+// "input validation" + "schema validation") of a single concept never triple-count.
+const SECURITY_TERM_GROUPS = [
+    ["auth", "authn", "authentication", "authorization", "access control", "ownership check"],
+    ["validate", "validates", "validation", "input validation", "schema validation", "zod"],
+    ["sanitize", "sanitizes", "sanitization", "escape", "escaping"],
+    ["rate limit", "rate-limit", "rate limiting", "rate-limiting", "throttle"],
+    ["csrf"],
+    ["xss"],
+    ["sql injection", "injection", "parameterized", "prepared statement"],
+    ["webhook signature", "signature verification", "verify the signature", "constructevent", "hmac", "timingsafeequal", "timing-safe"],
+    ["secret manager", "secrets manager", "env var", "environment variable"],
+    ["encrypt", "encryption", "hash", "hashed", "hashing", "bcrypt", "argon2", "scrypt"],
+    ["jwt verification", "verify jwt"],
+    ["rls", "row level security", "least privilege"],
+    ["csp", "hsts", "x-frame-options", "security header", "security headers", "helmet"],
+    ["cors"],
+    ["2fa", "mfa"],
+    ["owasp", "idor", "bola", "ssrf"],
+    ["allowlist", "whitelist", "denylist"],
+];
+/** Markers of an underspecified ask — each hit lowers the specificity score. */
+const VAGUE_MARKERS = [
+    "somehow", "something", "stuff", "make it work", "or whatever", "etc", "some kind of",
+    "quick and dirty", "simple app", "basic app", "a thing",
+];
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+/** Languages whose rules express things a code-writing prompt can actually satisfy. */
+const CODE_LANGUAGES = ["javascript", "typescript", "python", "go"];
+function isWordChar(ch) {
+    if (ch === "")
+        return false;
+    return /[a-z0-9_-]/.test(ch);
+}
+/** Word-boundary token search without dynamic RegExp (token is matched case-insensitively). */
+function includesTokenIn(haystackLower, token) {
+    const needle = token.toLowerCase();
+    let idx = haystackLower.indexOf(needle);
+    while (idx !== -1) {
+        const before = idx === 0 ? "" : haystackLower[idx - 1];
+        const afterIdx = idx + needle.length;
+        const after = afterIdx >= haystackLower.length ? "" : haystackLower[afterIdx];
+        if (!isWordChar(before) && !isWordChar(after))
+            return true;
+        idx = haystackLower.indexOf(needle, idx + 1);
+    }
+    return false;
+}
+function makeHaystack(text) {
+    const raw = text.toLowerCase();
+    return { raw, norm: raw.replace(/[-_]+/g, " ") };
+}
+/** True if the token appears (word-boundary) in either form of the haystack. */
+export function includesToken(haystack, token) {
+    const h = typeof haystack === "string" ? makeHaystack(haystack) : haystack;
+    return includesTokenIn(h.raw, token) || includesTokenIn(h.norm, token);
+}
+/** Detect technologies named in the prompt (and optional client-provided context). */
+export function detectPromptStack(rawPrompt, context) {
+    const h = makeHaystack(`${rawPrompt}\n${context ?? ""}`);
+    return TECHS.filter((t) => t.tokens.some((tok) => includesToken(h, tok))).map((t) => t.id);
+}
+/**
+ * Detect security-sensitive attack surfaces implied by the prompt. Surfaces describe
+ * what the user is BUILDING, so they are derived from the prompt text only — the
+ * optional `context` (which names the stack, not the task) deliberately does not
+ * manufacture surfaces, preserving the NO_MOD "do no harm" path for non-security
+ * prompts even when a host always attaches project context.
+ */
+export function detectPromptSurfaces(rawPrompt, context) {
+    void context;
+    const h = makeHaystack(rawPrompt);
+    const direct = SURFACES.filter((s) => s.tokens.some((tok) => includesToken(h, tok))).map((s) => s.id);
+    const implied = TECHS.filter((t) => t.tokens.some((tok) => includesToken(h, tok))).flatMap((t) => t.impliedSurfaces);
+    return [...new Set([...direct, ...implied])];
+}
+/** Count DISTINCT security concepts present (each term group counts at most once). */
+function countSecurityTerms(textLower) {
+    const h = makeHaystack(textLower);
+    let count = 0;
+    for (const group of SECURITY_TERM_GROUPS) {
+        if (group.some((term) => includesToken(h, term)))
+            count++;
+    }
+    return count;
+}
+function specificityScore(rawPrompt, stackCount) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    const words = collapsed.length === 0 ? [] : collapsed.split(" ");
+    const lower = collapsed.toLowerCase();
+    let score = Math.min(4, stackCount * 2);
+    // Concrete nouns: file paths / extensions and code identifiers.
+    let pathTokens = 0;
+    let codeTokens = 0;
+    for (const w of words) {
+        const cleaned = w.replace(/[,;:!?)]+$/, "");
+        if (cleaned.includes("/") && cleaned.length > 3)
+            pathTokens++;
+        else if (/\.[a-z]{2,4}$/i.test(cleaned))
+            pathTokens++;
+        else if (/[a-z][A-Z]/.test(cleaned) || cleaned.includes("(") || cleaned.includes("`"))
+            codeTokens++;
+    }
+    score += Math.min(2, pathTokens) + Math.min(2, codeTokens);
+    // Length tiers reward elaborated asks.
+    if (words.length >= 25)
+        score += 2;
+    else if (words.length >= 12)
+        score += 1;
+    // Vagueness markers subtract.
+    let vagueHits = 0;
+    for (const marker of VAGUE_MARKERS) {
+        if (includesToken(lower, marker))
+            vagueHits++;
+    }
+    score -= Math.min(2, vagueHits) * 2;
+    return score;
+}
+function triage(rawPrompt, stack, surfaces) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    if (collapsed.length === 0) {
+        return { verdict: "NO_MOD", reason: "Empty prompt — nothing to analyze; proceed as-is.", securityTermCount: 0 };
+    }
+    const lower = collapsed.toLowerCase();
+    const securityTermCount = countSecurityTerms(lower);
+    const securityRelevant = surfaces.length > 0 || securityTermCount > 0;
+    if (!securityRelevant) {
+        return { verdict: "NO_MOD", reason: "No security-sensitive surface detected — injecting security requirements would be noise; proceed as-is.", securityTermCount };
+    }
+    const wordCount = collapsed.split(" ").length;
+    const specific = wordCount >= TRIAGE_CONFIG.minWords
+        && specificityScore(rawPrompt, stack.length) >= TRIAGE_CONFIG.specificityThreshold;
+    const securityAware = securityTermCount >= TRIAGE_CONFIG.securityAwareTerms;
+    if (specific && securityAware) {
+        return {
+            verdict: "NO_MOD",
+            reason: `Prompt is already specific and security-aware (${securityTermCount} security terms, concrete stack/detail) — modification would risk altering intent.`,
+            securityTermCount,
+        };
+    }
+    if (specific) {
+        return {
+            verdict: "LIGHT_MOD",
+            reason: "Intent is clear and specific but explicit security constraints are missing — inject requirements only, do not restructure.",
+            securityTermCount,
+        };
+    }
+    return {
+        verdict: "HEAVY_MOD",
+        reason: "Prompt is vague/underspecified and touches security-sensitive surfaces — inject requirements and surface clarifying questions.",
+        securityTermCount,
+    };
+}
+/** Rank rules against the detected stack + surfaces; severity first, cap at maxRequirements. */
+export function matchRulesForPrompt(stack, surfaces, rules) {
+    const techDefs = TECHS.filter((t) => stack.includes(t.id));
+    const surfaceDefs = SURFACES.filter((s) => surfaces.includes(s.id));
+    if (techDefs.length === 0 && surfaceDefs.length === 0)
+        return [];
+    const scored = [];
+    for (const rule of rules) {
+        // Only code-level rules become prompt-level requirements. This drops version-pin
+        // advisories and config/manifest rules (languages json/yaml only — you can't
+        // satisfy "upgrade package X" by writing code) while keeping behavioral js/ts/
+        // python/go rules even when they cite a CVE in their name (e.g. Drizzle sql.raw
+        // injection, Axios redirect leak, Hono SSE injection).
+        if (!rule.languages.some((l) => CODE_LANGUAGES.includes(l)))
+            continue;
+        const text = `${rule.name} ${rule.description}`.toLowerCase();
+        let score = 0;
+        for (const t of techDefs) {
+            if (t.ruleKeywords.some((k) => text.includes(k)))
+                score += 2;
+        }
+        for (const s of surfaceDefs) {
+            if (s.ruleKeywords.some((k) => text.includes(k)))
+                score += 1;
+        }
+        if (score > 0)
+            scored.push({ rule, score });
+    }
+    scored.sort((a, b) => (SEVERITY_ORDER[a.rule.severity] ?? 99) - (SEVERITY_ORDER[b.rule.severity] ?? 99)
+        || b.score - a.score
+        || a.rule.id.localeCompare(b.rule.id));
+    // Dedupe near-identical guidance (e.g. three "use parameterized queries" rules)
+    // so the capped list spends its slots on diverse requirements.
+    const seen = new Set();
+    const requirements = [];
+    for (const { rule } of scored) {
+        if (requirements.length >= TRIAGE_CONFIG.maxRequirements)
+            break;
+        const requirement = firstSentence(rule.fix);
+        // Key on the instruction itself, ignoring an attached code example (": db.query(...)").
+        const key = requirement.split(":")[0].toLowerCase().replace(/[^a-z0-9 ]/g, "").replace(/ +/g, " ").trim();
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        requirements.push({ ruleId: rule.id, title: rule.name, requirement, severity: rule.severity });
+    }
+    return requirements;
+}
+/** Common abbreviations whose trailing "." is not a sentence boundary. */
+const ABBREVIATIONS = ["e.g", "i.e", "etc", "vs", "cf", "approx", "no", "fig", "al"];
+function firstSentence(text) {
+    const collapsed = text.replace(/\s+/g, " ").trim();
+    // Find the first real sentence boundary, skipping ellipses ("...") and abbreviations
+    // ("e.g. ", "etc. ") so an example mid-fix doesn't truncate the actionable instruction.
+    let idx = collapsed.indexOf(". ");
+    while (idx > 0) {
+        const isEllipsis = collapsed[idx - 1] === ".";
+        const before = collapsed.slice(0, idx).toLowerCase();
+        const isAbbrev = ABBREVIATIONS.some((a) => before.endsWith(a) && !isWordChar(before[before.length - a.length - 1] ?? ""));
+        if (!isEllipsis && !isAbbrev)
+            break;
+        idx = collapsed.indexOf(". ", idx + 1);
+    }
+    if (idx === -1)
+        return collapsed;
+    const sentence = collapsed.slice(0, idx + 1);
+    // Never cut inside an unclosed inline code span.
+    const backticks = sentence.split("`").length - 1;
+    return backticks % 2 === 0 ? sentence : collapsed;
+}
+function buildAmbiguities(stack, surfaces) {
+    const questions = [];
+    if (stack.length === 0) {
+        questions.push("Which framework/stack is this for (e.g. Next.js, Express, Hono)? Only generic security rules could be matched without it.");
+    }
+    for (const surface of SURFACES) {
+        if (!surfaces.includes(surface.id) || !surface.question)
+            continue;
+        const answered = surface.answeredByTechs?.some((t) => stack.includes(t)) ?? false;
+        if (!answered)
+            questions.push(surface.question);
+    }
+    if (questions.length === 0) {
+        questions.push("The request is broad — which routes/files are in scope, and what does a successful result look like?");
+    }
+    return questions.slice(0, TRIAGE_CONFIG.maxAmbiguities);
+}
+function buildIntentSummary(rawPrompt) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    const clipped = collapsed.length > 220 ? `${collapsed.slice(0, 217)}...` : collapsed;
+    return `The user wants to: ${clipped}`;
+}
+/** Pick a code fence longer than any backtick run in the prompt so it embeds verbatim. */
+function fenceFor(text) {
+    let longest = 0;
+    let run = 0;
+    for (const ch of text) {
+        run = ch === "`" ? run + 1 : 0;
+        if (run > longest)
+            longest = run;
+    }
+    return "`".repeat(Math.max(3, longest + 1));
+}
+const REWRITE_DIRECTIVE = "Rewrite the user's prompt incorporating the security requirements above. " +
+    "Do NOT add features the user did not request. Do NOT change the user's intent. " +
+    "If verdict is NO_MOD, use the original prompt as-is.";
+const NO_MOD_DIRECTIVE = "Verdict is NO_MOD: use the ORIGINAL prompt below as-is. " +
+    "Do NOT rewrite, augment, or reinterpret it. " +
+    "Do NOT add features the user did not request. Do NOT change the user's intent.";
+function surfaceLabel(id) {
+    return SURFACES.find((s) => s.id === id)?.label ?? id;
+}
+function techLabel(id) {
+    return TECHS.find((t) => t.id === id)?.label ?? id;
+}
+function buildMarkdown(result) {
+    const fence = fenceFor(result.originalPrompt);
+    const lines = [
+        "## GuardVibe secure_prompt directive (guardvibe.secure_prompt.v1)",
+        "",
+        `- **verdict:** ${result.verdict}`,
+        `- **reason:** ${result.reason}`,
+    ];
+    if (result.verdict === "NO_MOD") {
+        lines.push("", "### rewrite_directive", NO_MOD_DIRECTIVE, "", "### original_prompt", fence + "text", result.originalPrompt, fence);
+        return lines.join("\n");
+    }
+    lines.push("", "### intent_summary (HARD CONSTRAINT — preserve this intent exactly)", `${result.intentSummary}`, "The rewritten prompt MUST preserve this intent exactly: no added features, no scope changes.");
+    if (result.detectedStack.length > 0 || result.detectedSurfaces.length > 0) {
+        lines.push("", "### detected_context");
+        if (result.detectedStack.length > 0) {
+            lines.push(`- **stack:** ${result.detectedStack.map(techLabel).join(", ")}`);
+        }
+        if (result.detectedSurfaces.length > 0) {
+            lines.push(`- **attack surfaces:** ${result.detectedSurfaces.map(surfaceLabel).join(", ")}`);
+        }
+    }
+    lines.push("", "### security_requirements");
+    if (result.securityRequirements.length === 0) {
+        lines.push("_No specific GuardVibe rules matched the detected stack/surfaces — apply standard input validation and authentication practices._");
+    }
+    else {
+        result.securityRequirements.forEach((req, i) => {
+            lines.push(`${i + 1}. [${req.ruleId}] (${req.severity}) ${req.title} — ${req.requirement}`);
+        });
+    }
+    if (result.verdict === "HEAVY_MOD" && result.ambiguities.length > 0) {
+        lines.push("", "### ambiguities (ask the user — do NOT invent answers)");
+        result.ambiguities.forEach((q, i) => lines.push(`${i + 1}. ${q}`));
+    }
+    lines.push("", "### rewrite_directive", REWRITE_DIRECTIVE, "", "### original_prompt", fence + "text", result.originalPrompt, fence);
+    return lines.join("\n");
+}
+/**
+ * Analyze a raw coding prompt BEFORE code generation and return a structured
+ * enhancement directive. Fully deterministic: same prompt = same directive.
+ */
+export function securePrompt(rawPrompt, opts) {
+    const effectiveRules = opts?.rules && opts.rules.length > 0 ? opts.rules : builtinRules;
+    // Full known stack (prompt + context) — informs display and answers "which provider"
+    // clarifying questions. promptStack (prompt only) drives triage and rule selection so
+    // that always-attached project context can never escalate a non-security prompt or
+    // manufacture off-topic requirements (the "do no harm" guarantee).
+    const detectedStack = detectPromptStack(rawPrompt, opts?.context);
+    const promptStack = detectPromptStack(rawPrompt);
+    const detectedSurfaces = detectPromptSurfaces(rawPrompt);
+    const { verdict, reason } = triage(rawPrompt, promptStack, detectedSurfaces);
+    // NO_MOD short-circuits: original prompt untouched, no requirements computed.
+    const securityRequirements = verdict === "NO_MOD"
+        ? []
+        : matchRulesForPrompt(promptStack, detectedSurfaces, effectiveRules);
+    const ambiguities = verdict === "HEAVY_MOD" ? buildAmbiguities(detectedStack, detectedSurfaces) : [];
+    const base = {
+        verdict,
+        reason,
+        intentSummary: buildIntentSummary(rawPrompt),
+        detectedStack,
+        detectedSurfaces,
+        securityRequirements,
+        ambiguities,
+        originalPrompt: rawPrompt,
+    };
+    return { ...base, markdown: buildMarkdown(base) };
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "3.18.0",
+  "version": "3.19.0",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
+  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 38 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",