guardvibe 3.18.0 → 3.20.0

package/CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.20.0] - 2026-06-14
+
+### Added — 3 fresh CVE version-pin rules from daily threat intel (442 → 445 rules / 38 tools)
+- **VG1089 — js-cookie `assign()` prototype hijack → cookie-attribute injection (CVE-2026-46625 / GHSA-qjx8-664m-686j, high).** js-cookie < 3.0.7 enumerates `Object.prototype` keys through the internal `assign()` helper, so a pollution gadget can inject `domain=`/`path=`/`secure=`/`samesite=`/`expires=` attributes into written cookies. Fixed in 3.0.7. 0-FP semver: only exact/`=` pins in the 3.0.x line are flagged (a caret/tilde there resolves to the fixed 3.0.7); 0.x–2.x majors are flagged with any range.
+- **VG1090 — PostCSS XSS via unescaped `</style>` in stringify output (CVE-2026-41305 / GHSA-qx2v-qp2m-jg93, medium).** postcss < 8.5.10 does not escape `</style>` when serializing a CSS AST; an app that re-emits user CSS into an inline `<style>` block can be broken out of for stored/reflected XSS. Fixed in 8.5.10. 0-FP semver: caret on the 8.x line resolves to the fix, so only exact/`=` pins (plus tilde within 8.0–8.4) on 8.x are flagged; 1.x–7.x majors flagged with any range.
+- **VG1091 — Axios HTTP-adapter proxy prototype-pollution gadget (CVE-2026-44494 / GHSA-35jp-ww65-95wh, high).** axios < 1.16.0 reads `config.proxy` in the Node HTTP adapter without an own-property check; a `Object.prototype.proxy` gadget routes every request through an attacker-controlled proxy (MITM / credential theft). Fixed in 1.16.0. **Distinct from VG1042 (pre-1.15.2 cluster):** a project that pinned 1.15.2 on VG1042's advice is still exposed, so this rule flags exactly the residual 1.15.2–1.15.x window (caret resolves to the fixed 1.16.0 → not flagged), with no double-firing against VG1042.
+- 26 new pattern tests in `tests/rules/cve-versions.test.ts` (detect affected pins, ignore patched + caret-resolves-to-fixed + adjacent-rule overlap). CVE version-pin rule count 71 → 74. All three sourced from the daily GHSA/OSV/CISA-KEV intel brief and verified against the upstream advisories; everything else in that brief (Clerk ×3, Drizzle, Next/RSC cluster, React RCE, Anthropic SDK memory tool, Vercel AI SDK filetype, MCP path traversal, Miasma) was already covered. Zero new runtime dependencies.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.19.0] - 2026-06-10
+
+### Added — secure_prompt: prompt-level security, shift left (442 rules / 37 → 38 tools)
+- **New MCP tool `secure_prompt`** — analyzes a raw coding prompt BEFORE any code is written and returns a structured enhancement directive (`guardvibe.secure_prompt.v1`) the host LLM uses to rewrite the prompt with GuardVibe security requirements embedded. Fully deterministic: no LLM calls, no network, no API keys — same prompt = same directive.
+- **Triage-first, "do no harm":** verdict `NO_MOD` (prompt already specific and security-aware, or touches no security surface → host proceeds with the ORIGINAL prompt unchanged), `LIGHT_MOD` (clear intent, missing security constraints → inject requirements only), `HEAVY_MOD` (vague AND security-relevant → requirements + up to 3 clarifying questions, never invented answers). Scoring heuristics (concrete nouns, security vocabulary, length/imperative specificity, sensitive surfaces) with thresholds in an exported `TRIAGE_CONFIG` constant.
+- **Stack + attack-surface detection** from keyword/alias maps (Next.js, Supabase, Clerk, Stripe, Prisma, Express, Hono, Drizzle, Firebase, MongoDB, tRPC, FastAPI, Django...; auth, payments, file upload, user input, database/SQL, secrets, external APIs, deserialization, redirects), including surfaces implied by detected technologies. Optional `context` input merges client-known stack info. Token matching is boundary-checked `indexOf` — no dynamic RegExp (keeps the self-audit and ReDoS meta-test clean).
+- **Rule matching over the existing 442-rule set** by name/description keywords for the detected stack + surfaces, severity-ranked (critical → info), near-duplicate guidance deduped, capped at the top 8; each requirement carries `[rule-id]`, title, severity, and the rule's fix phrased as an instruction. CVE version-pin rules excluded (they gate package pins, not prompts).
+- Directive output: verdict + one-line reason, intent summary stated as a HARD CONSTRAINT, numbered security requirements, ambiguities (HEAVY_MOD only), explicit rewrite directive ("Do NOT add features the user did not request. Do NOT change the user's intent."), and the original prompt echoed verbatim (fence-safe even when the prompt contains code blocks).
+- New module `src/tools/secure-prompt.ts`; 24 tests in `tests/tools/secure-prompt.test.ts` (NO_MOD short-circuit, LIGHT vs HEAVY classification, 7-framework stack detection, rule cap + severity ordering, empty/garbage input, determinism). README gains a "Prompt-Level Security (Shift Left)" section with a before/after example. Zero new runtime dependencies.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.18.0] - 2026-06-09
 
 ### Added — FAZ 3 part c: AST BOLA mutation-guard detection for VG951 (442 rules / 37 tools)

package/README.md

@@ -13,20 +13,21 @@
 - **🎯 Deterministic, not probabilistic.** Same code = same result, every run (content-hashed). Your AI guesses; GuardVibe doesn't.
 - **🗺️ Sees the whole repo.** Cross-file taint + auth-coverage across every route — catches the unprotected endpoint your agent's narrow context missed.
 - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
+- **⬅️ NEW: Starts before the first line of code.** Every scanner on earth — including your agent reviewing itself — acts *after* the code exists. [`secure_prompt`](#prompt-level-security-shift-left) acts *before*: it analyzes the coding prompt itself, detects the stack and attack surfaces it implies, and embeds severity-ranked GuardVibe requirements into the prompt your AI executes. The vulnerability is prevented, not caught. Deterministic, zero LLM calls — and if the prompt is already secure, it passes through untouched.
 
-**The security MCP built for vibe coding.** 442 security rules, 37 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 445 security rules, 38 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
 ## Why a tool, when your AI is so good?
 
-"More rules" was never the moat — a strong model already knows most security rules by heart. What it *can't* do is be deterministic, know the CVE published after its training cutoff, hold your whole repo in context, or objectively review the code it just wrote. Those four gaps are structural; they don't close as models improve. GuardVibe is the layer that fills them — running *while* your AI codes, not in a separate audit later.
+"More rules" was never the moat — a strong model already knows most security rules by heart. What it *can't* do is be deterministic, know the CVE published after its training cutoff, hold your whole repo in context, or objectively review the code it just wrote. Those four gaps are structural; they don't close as models improve. GuardVibe is the layer that fills them — running *while* your AI codes, not in a separate audit later. And since v3.19, it runs *before* your AI codes too: `secure_prompt` rewrites the task itself so the security requirements are in the prompt, not in the post-mortem.
 
 ## Why GuardVibe
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **442 security rules, 37 tools** purpose-built for the stacks AI agents generate
+- **445 security rules, 38 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -64,7 +65,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | CVE version detection | 71 packages, refreshed daily | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 442 (focused, 68 AI-native) | 5000+ (broad) | N/A |
+| Rule count | 445 (focused, 68 AI-native) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -212,7 +213,37 @@ Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (E
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `--ignore-scripts` hardening (VG1070), typosquat detection, `node-ipc` protestware versions (VG1069), Miasma `@redhat-cloud-services` namespace compromise IOC (VG1074, RHSB-2026-006), Session messenger exfil endpoint IOC (VG1075, `filev2.getsession.org`), `@tanstack/*` Mini Shai-Hulud mass-malware versions (May 2026), `@wdio/browserstack-service` command injection via git branch names (CVE-2026-25244), lockfile poisoning patterns
 
-## Tools (37 MCP tools)
+## Prompt-Level Security (Shift Left)
+
+Most vulnerabilities in AI-generated code are born in the prompt: "add login to my app" says nothing about password hashing, session handling, or rate limiting — so the model picks defaults, and the defaults are where the CVEs live. `secure_prompt` moves the security gate to **before code generation**: it analyzes the raw prompt, detects the stack and attack surfaces it implies, matches them against GuardVibe's rule set, and returns a directive the host LLM uses to rewrite the prompt with security requirements embedded.
+
+This is not a prompt beautifier. It is deterministic (no LLM, no network), it never restructures intent, and its first job is **do no harm**: a prompt that is already specific and security-aware gets verdict `NO_MOD` and passes through untouched.
+
+- **`NO_MOD`** — prompt is already specific and security-aware → proceed with the original prompt unchanged
+- **`LIGHT_MOD`** — intent is clear but security constraints are missing → inject requirements only
+- **`HEAVY_MOD`** — prompt is vague *and* security-relevant → inject requirements + surface clarifying questions (never invent the answers)
+
+**Before** (what the user typed):
+
+```text
+add login to my app
+```
+
+**After** (what the host LLM executes, having applied the `secure_prompt` directive):
+
+```text
+Add login to my app, with these security requirements:
+- [VG001] Use environment variables or a secrets manager — never hardcode credentials.
+- [VG1008] Always verify the caller has admin privileges before allowing role elevation.
+- [VG105] Always specify allowed algorithms explicitly in jwt.verify().
+
+Before implementing, confirm: which framework/stack is this for, and which auth
+provider should be used (e.g. Clerk, Auth.js/NextAuth, Supabase Auth, custom JWT)?
+```
+
+Same user intent — but the model now generates auth code with the guardrails stated up front, instead of GuardVibe catching the missing pieces after the fact.
+
+## Tools (38 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -253,10 +284,11 @@ Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `-
 | `full_audit` | **Single source of truth** — runs ALL checks in one call, returns PASS/FAIL/WARN verdict + score + coverage % + deterministic result hash |
 | `remediation_plan` | **Remediation plan** — generates section-by-section fix checklist after audit |
 | `verify_remediation` | **Remediation verification** — compares before/after audit, flags skipped sections |
+| `secure_prompt` | **Prompt-level security (shift left)** — analyze a coding prompt BEFORE code is written; deterministic triage (NO_MOD/LIGHT_MOD/HEAVY_MOD), stack + attack-surface detection, severity-ranked GuardVibe requirements embedded via a rewrite directive |
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (442 rules across 25 modules)
+## Security Rules (445 rules across 25 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|

package/build/data/rules/cve-versions.js

@@ -829,4 +829,40 @@ export const cveVersionRules = [
         fixCode: '// package.json\n"vite": "^5.4.9"  // or ^6',
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
+    {
+        id: "VG1089",
+        name: "js-cookie assign() Prototype Hijack — Cookie Attribute Injection (CVE-2026-46625 / GHSA-qjx8-664m-686j)",
+        severity: "high",
+        owasp: "A03:2025 Injection",
+        description: "js-cookie versions before 3.0.7 are vulnerable to a per-instance prototype hijack in the internal assign() helper. assign() copies properties with a for…in loop plus plain assignment, so any key planted on Object.prototype is enumerated and copied into the merged attributes object. When set() later serialises that object, attacker-polluted keys land in the Set-Cookie string as attribute pairs — letting an attacker force domain=, path=, secure=, samesite=, or expires= on cookies the application writes (cookie scoping abuse / fixation). Fixed in 3.0.7. Only exact (or =) pins in the 3.0.x line are flagged — a caret/tilde range there resolves to the fixed 3.0.7; older 0.x–2.x majors are flagged with any range since they never reach the fix.",
+        pattern: /["']js-cookie["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*[0-2]\.\d+\.\d+|=?\s*3\.0\.[0-6])["']/g,
+        languages: ["json"],
+        fix: "Upgrade js-cookie to 3.0.7 or later: npm install js-cookie@latest. As defence-in-depth, freeze Object.prototype at bootstrap (Object.freeze(Object.prototype)) and never spread untrusted objects into cookie-attribute options.",
+        fixCode: '// package.json\n"js-cookie": "^3.0.7"  // or latest\n\n// Defence-in-depth — block prototype writes at startup\nObject.freeze(Object.prototype);',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.2"],
+    },
+    {
+        id: "VG1090",
+        name: "PostCSS XSS via Unescaped </style> in Stringify Output (CVE-2026-41305 / GHSA-qx2v-qp2m-jg93)",
+        severity: "medium",
+        owasp: "A03:2025 Injection",
+        description: "postcss versions before 8.5.10 do not escape a </style> sequence when stringifying a CSS AST back to text. An app that parses user-submitted CSS and re-emits it into an inline <style> block lets an attacker close the style element early with </style> and inject arbitrary markup/script — a stored or reflected XSS. Fixed in 8.5.10. Caret ranges on the 8.x line resolve to the fixed 8.5.10, so only exact/= pins (and tilde within 8.0–8.4) on the 8.x line are flagged; 1.x–7.x majors are flagged with any range since they never reach the fix.",
+        pattern: /["']postcss["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*[1-7]\.\d+\.\d+|~?\s*8\.[0-4]\.\d+|=?\s*8\.5\.[0-9](?![0-9]))["']/g,
+        languages: ["json"],
+        fix: "Upgrade postcss to 8.5.10 or later: npm install postcss@latest. If you embed processed CSS in an inline <style> tag, also HTML-escape </style> (or serve the CSS from an external stylesheet) as defence-in-depth.",
+        fixCode: '// package.json\n"postcss": "^8.5.10"  // or latest',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.7"],
+    },
+    {
+        id: "VG1091",
+        name: "Axios HTTP-Adapter Proxy Prototype-Pollution Gadget (CVE-2026-44494 / GHSA-35jp-ww65-95wh)",
+        severity: "high",
+        owasp: "A10:2025 SSRF",
+        description: "axios versions before 1.16.0 read config.proxy in the Node HTTP adapter without an own-property check. Because `proxy` is not set in axios defaults, a prototype-pollution gadget elsewhere in the process (Object.prototype.proxy = {...}) is picked up on every request, routing traffic through an attacker-controlled proxy — full MITM, credential theft, and response tampering. Fixed in 1.16.0 (own-property checks for proxy/socketPath/transport). Distinct from VG1042 (the pre-1.15.2 cluster): a project that took VG1042's advice and pinned 1.15.2–1.15.x is STILL exposed to this gadget, so this rule flags exactly that residual window (1.15.2 through 1.15.x). Caret ranges resolve to the fixed 1.16.0 and are not flagged.",
+        pattern: /["']axios["']\s*:\s*["'](?:~|=)?\s*1\.15\.(?:[2-9]|[1-9]\d)["']/g,
+        languages: ["json"],
+        fix: "Upgrade axios to 1.16.0 or later: npm install axios@latest. As defence-in-depth, freeze Object.prototype at startup so a pollution gadget cannot inject a proxy: Object.freeze(Object.prototype).",
+        fixCode: '// package.json\n"axios": "^1.16.0"  // or latest\n\n// Defence-in-depth — block prototype writes at bootstrap\nObject.freeze(Object.prototype);',
+        compliance: ["SOC2:CC6.1", "SOC2:CC7.1", "PCI-DSS:Req6.2"],
+    },
 ];

package/build/index.js

@@ -42,6 +42,7 @@ import { formatHostFindings, redactSecrets } from "./server/types.js";
 import { verifyFix } from "./tools/verify-fix.js";
 import { fixCode as fixCodeTool } from "./tools/fix-code.js";
 import { secureThis } from "./tools/secure-this.js";
+import { securePrompt } from "./tools/secure-prompt.js";
 import { buildAgentReport } from "./tools/agent-output.js";
 import { analyzeAuthCoverage, formatAuthCoverage } from "./tools/auth-coverage.js";
 import { buildDeepScanPrompt, parseDeepScanResult, formatDeepScanFindings, callLLM } from "./tools/deep-scan.js";
@@ -63,7 +64,7 @@ function mergeStatsIntoOutput(results, summary, format) {
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
-    description: "Security MCP for vibe coding — single source of truth for AI assistants. 390 security rules and 36 tools. Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.",
+    description: `Security MCP for vibe coding — single source of truth for AI assistants. ${builtinRules.length} security rules and 38 tools. Call secure_prompt with the user's coding prompt BEFORE generating code to embed security requirements up front (shift left). Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.`,
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze inline code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Pass code as a string parameter. For scanning files on disk, use scan_file instead. Example: check_code({code: 'app.get(...)', language: 'javascript'})", {
@@ -1031,6 +1032,15 @@ server.tool("verify_remediation", "Compare before/after audit results to verify
     lines.push("", "---", `**${summary}**`);
     return { content: [{ type: "text", text: lines.join("\n") }] };
 });
+// Tool 38: secure_prompt — shift-left security at the prompt level (enhance BEFORE code is written)
+server.tool("secure_prompt", "Shift-left security at the prompt level: analyze a raw coding prompt BEFORE any code is written and return a structured enhancement directive that embeds GuardVibe security requirements (auth checks, input validation, webhook signature verification, SQL injection prevention, secrets handling) into the prompt you are about to execute. Deterministic — no LLM, no network: triage verdict NO_MOD (prompt already specific and security-aware → proceed with the ORIGINAL prompt unchanged), LIGHT_MOD (inject missing security constraints only), or HEAVY_MOD (also surface clarifying questions — never invent answers to them). Detects stack (Next.js, Supabase, Clerk, Stripe, Prisma, Express, Hono...) and attack surfaces (auth, payments, file upload, user input, SQL, secrets, redirects) from the prompt text, matches them against GuardVibe's rule set, and returns verdict + intent summary + numbered [rule-id] requirements + rewrite directive. Call this with the user's prompt before generating code; prevents vulnerabilities before code generation instead of scanning after. Example: secure_prompt({raw_prompt: 'add login to my app'})", {
+    raw_prompt: z.string().describe("The user's original coding prompt, verbatim"),
+    context: z.string().optional().describe("Known stack/framework context if the client has it (e.g. 'Next.js app router, Supabase, Stripe')"),
+}, async ({ raw_prompt, context }) => {
+    const rules = getRules();
+    const result = securePrompt(raw_prompt, { context, rules });
+    return { content: [{ type: "text", text: result.markdown }] };
+});
 export async function startMcpServer() {
     return main();
 }

package/build/tools/secure-prompt.d.ts

@@ -0,0 +1,65 @@
+import type { SecurityRule } from "../data/rules/types.js";
+export type SecurePromptVerdict = "NO_MOD" | "LIGHT_MOD" | "HEAVY_MOD";
+export interface SecurePromptRequirement {
+    ruleId: string;
+    title: string;
+    requirement: string;
+    severity: SecurityRule["severity"];
+}
+export interface SecurePromptResult {
+    verdict: SecurePromptVerdict;
+    reason: string;
+    intentSummary: string;
+    detectedStack: string[];
+    detectedSurfaces: string[];
+    securityRequirements: SecurePromptRequirement[];
+    ambiguities: string[];
+    originalPrompt: string;
+    /** The single markdown directive block returned to the host LLM. */
+    markdown: string;
+}
+/** Triage thresholds — tune here, never inline. */
+export declare const TRIAGE_CONFIG: {
+    /** Distinct security terms at/above this → prompt counts as security-aware. */
+    readonly securityAwareTerms: 3;
+    /** Specificity score at/above this → prompt counts as specific (not vague). */
+    readonly specificityThreshold: 4;
+    /** Prompts shorter than this many words are vague regardless of other signals. */
+    readonly minWords: 6;
+    /** Matched rules surfaced as requirements are capped at this many. */
+    readonly maxRequirements: 8;
+    /** Clarifying questions (HEAVY_MOD only) are capped at this many. */
+    readonly maxAmbiguities: 3;
+};
+/**
+ * A lowercased haystack searched in two forms: raw (so hyphenated tokens like
+ * "next-auth" match) and hyphen/underscore-normalized (so user phrasings like
+ * "sign-in"/"RLS-enabled"/"log_in" match space-joined tokens like "sign in").
+ */
+interface Haystack {
+    raw: string;
+    norm: string;
+}
+/** True if the token appears (word-boundary) in either form of the haystack. */
+export declare function includesToken(haystack: Haystack | string, token: string): boolean;
+/** Detect technologies named in the prompt (and optional client-provided context). */
+export declare function detectPromptStack(rawPrompt: string, context?: string): string[];
+/**
+ * Detect security-sensitive attack surfaces implied by the prompt. Surfaces describe
+ * what the user is BUILDING, so they are derived from the prompt text only — the
+ * optional `context` (which names the stack, not the task) deliberately does not
+ * manufacture surfaces, preserving the NO_MOD "do no harm" path for non-security
+ * prompts even when a host always attaches project context.
+ */
+export declare function detectPromptSurfaces(rawPrompt: string, context?: string): string[];
+/** Rank rules against the detected stack + surfaces; severity first, cap at maxRequirements. */
+export declare function matchRulesForPrompt(stack: string[], surfaces: string[], rules: SecurityRule[]): SecurePromptRequirement[];
+/**
+ * Analyze a raw coding prompt BEFORE code generation and return a structured
+ * enhancement directive. Fully deterministic: same prompt = same directive.
+ */
+export declare function securePrompt(rawPrompt: string, opts?: {
+    context?: string;
+    rules?: SecurityRule[];
+}): SecurePromptResult;
+export {};

package/build/tools/secure-prompt.js

@@ -0,0 +1,434 @@
+// secure_prompt — shift-left security at the prompt level.
+// Deterministic pipeline (no LLM calls, no network, no filesystem): triage the raw
+// prompt ("do no harm" first), detect stack + attack surfaces from keyword/alias maps,
+// match the existing GuardVibe rule set, and emit a markdown enhancement directive
+// (guardvibe.secure_prompt.v1) that the HOST LLM uses to rewrite the prompt with
+// security requirements embedded — BEFORE any code is written.
+//
+// Keyword matching deliberately avoids dynamic RegExp construction (boundary-checked
+// indexOf instead) so the scanner's own dynamic-regex and ReDoS audits stay clean.
+import { builtinRules } from "../data/rules/index.js";
+/** Triage thresholds — tune here, never inline. */
+export const TRIAGE_CONFIG = {
+    /** Distinct security terms at/above this → prompt counts as security-aware. */
+    securityAwareTerms: 3,
+    /** Specificity score at/above this → prompt counts as specific (not vague). */
+    specificityThreshold: 4,
+    /** Prompts shorter than this many words are vague regardless of other signals. */
+    minWords: 6,
+    /** Matched rules surfaced as requirements are capped at this many. */
+    maxRequirements: 8,
+    /** Clarifying questions (HEAVY_MOD only) are capped at this many. */
+    maxAmbiguities: 3,
+};
+const TECHS = [
+    { id: "nextjs", label: "Next.js", tokens: ["next.js", "nextjs", "next js", "app router", "server action", "server actions", "server component", "server components", "route handler"], ruleKeywords: ["next.js", "nextjs", "server action", "app router", "route handler", "next_public"], impliedSurfaces: [] },
+    { id: "react", label: "React", tokens: ["react", "jsx", "tsx"], ruleKeywords: ["react", "dangerouslysetinnerhtml"], impliedSurfaces: [] },
+    { id: "express", label: "Express", tokens: ["express", "expressjs"], ruleKeywords: ["express"], impliedSurfaces: [] },
+    { id: "hono", label: "Hono", tokens: ["hono"], ruleKeywords: ["hono"], impliedSurfaces: [] },
+    { id: "supabase", label: "Supabase", tokens: ["supabase", "row level security", "rls"], ruleKeywords: ["supabase", "row level security"], impliedSurfaces: ["database"] },
+    { id: "clerk", label: "Clerk", tokens: ["clerk"], ruleKeywords: ["clerk"], impliedSurfaces: ["auth"] },
+    { id: "nextauth", label: "Auth.js / NextAuth", tokens: ["next-auth", "nextauth", "auth.js", "authjs"], ruleKeywords: ["next-auth", "nextauth", "auth.js"], impliedSurfaces: ["auth"] },
+    { id: "stripe", label: "Stripe", tokens: ["stripe"], ruleKeywords: ["stripe"], impliedSurfaces: ["payments"] },
+    { id: "lemonsqueezy", label: "LemonSqueezy", tokens: ["lemonsqueezy", "lemon squeezy"], ruleKeywords: ["lemonsqueezy"], impliedSurfaces: ["payments"] },
+    { id: "prisma", label: "Prisma", tokens: ["prisma"], ruleKeywords: ["prisma"], impliedSurfaces: ["database"] },
+    { id: "drizzle", label: "Drizzle", tokens: ["drizzle"], ruleKeywords: ["drizzle"], impliedSurfaces: ["database"] },
+    { id: "mongodb", label: "MongoDB / Mongoose", tokens: ["mongodb", "mongoose", "mongo"], ruleKeywords: ["mongo", "nosql"], impliedSurfaces: ["database"] },
+    { id: "postgres", label: "PostgreSQL", tokens: ["postgres", "postgresql"], ruleKeywords: ["postgres", "sql"], impliedSurfaces: ["database"] },
+    { id: "firebase", label: "Firebase", tokens: ["firebase", "firestore"], ruleKeywords: ["firebase", "firestore"], impliedSurfaces: ["database"] },
+    { id: "trpc", label: "tRPC", tokens: ["trpc"], ruleKeywords: ["trpc", "procedure"], impliedSurfaces: [] },
+    { id: "fastapi", label: "FastAPI", tokens: ["fastapi"], ruleKeywords: ["fastapi"], impliedSurfaces: [] },
+    { id: "django", label: "Django", tokens: ["django"], ruleKeywords: ["django"], impliedSurfaces: [] },
+];
+const SURFACES = [
+    {
+        id: "auth", label: "authentication / access control",
+        tokens: ["auth", "authentication", "authorization", "login", "log in", "signin", "sign in", "signup", "sign up", "logout", "password", "session", "sessions", "jwt", "oauth", "sso", "2fa", "mfa", "role", "roles", "permission", "permissions", "admin", "account", "user management"],
+        ruleKeywords: ["auth", "session", "login", "access control", "unauthorized", "credential", "jwt", "bola", "idor"],
+        question: "Which auth provider or mechanism should be used (e.g. Clerk, Auth.js/NextAuth, Supabase Auth, custom JWT sessions)?",
+        answeredByTechs: ["clerk", "nextauth", "supabase", "firebase"],
+    },
+    {
+        id: "payments", label: "payments / billing",
+        tokens: ["payment", "payments", "checkout", "billing", "subscription", "subscriptions", "invoice", "refund", "pricing", "pay"],
+        ruleKeywords: ["stripe", "payment", "webhook", "checkout", "billing", "price"],
+        question: "Which payment provider is used, and which webhook events must be handled?",
+        answeredByTechs: ["stripe", "lemonsqueezy"],
+    },
+    {
+        id: "file-upload", label: "file upload",
+        tokens: ["upload", "uploads", "file upload", "avatar", "attachment", "attachments", "multipart", "image upload"],
+        ruleKeywords: ["upload", "file type", "multipart", "path traversal", "content-type"],
+        question: "What file types and maximum size should uploads accept, and where are files stored?",
+    },
+    {
+        id: "user-input", label: "user input handling",
+        tokens: ["form", "forms", "input", "inputs", "comment", "comments", "search", "user input", "query param", "query params", "request body", "post endpoint", "api endpoint", "endpoint", "contact form", "profile"],
+        ruleKeywords: ["validation", "sanitiz", "xss", "injection", "innerhtml", "user input"],
+    },
+    {
+        id: "database", label: "database / SQL",
+        tokens: ["sql", "database", "db", "query", "queries", "mysql", "sqlite", "orm", "table", "schema", "migration"],
+        ruleKeywords: ["sql", "injection", "query", "orm", "database", "mass assignment"],
+        question: "Which database/ORM is used (e.g. Prisma, Drizzle, Supabase, raw Postgres)?",
+        answeredByTechs: ["prisma", "drizzle", "supabase", "postgres", "mongodb", "firebase"],
+    },
+    {
+        id: "secrets", label: "secrets / credentials",
+        tokens: ["secret", "secrets", "api key", "api keys", "apikey", "token", "tokens", "credential", "credentials", ".env", "env var", "env vars", "environment variable", "environment variables", "private key"],
+        ruleKeywords: ["secret", "credential", "api key", "hardcoded", "env"],
+    },
+    {
+        id: "external-api", label: "external API calls",
+        tokens: ["external api", "third-party", "third party", "fetch", "webhook", "webhooks", "http request", "api call", "api calls", "integration", "proxy", "scrape", "scraper"],
+        ruleKeywords: ["ssrf", "request forgery", "external", "url"],
+    },
+    {
+        id: "deserialization", label: "deserialization / dynamic evaluation",
+        tokens: ["deserialize", "deserialization", "unserialize", "pickle", "yaml.load", "eval", "serialize"],
+        ruleKeywords: ["deserial", "eval", "prototype pollution", "unserialize"],
+    },
+    {
+        id: "redirect", label: "redirects / callbacks",
+        tokens: ["redirect", "redirects", "callback url", "return url", "returnto", "return to", "callback"],
+        ruleKeywords: ["redirect", "callback"],
+    },
+];
+// Explicit security-engineering vocabulary, grouped by CONCEPT. countSecurityTerms
+// counts each group at most once, so synonyms/sub-phrases ("validation" +
+// "input validation" + "schema validation") of a single concept never triple-count.
+const SECURITY_TERM_GROUPS = [
+    ["auth", "authn", "authentication", "authorization", "access control", "ownership check"],
+    ["validate", "validates", "validation", "input validation", "schema validation", "zod"],
+    ["sanitize", "sanitizes", "sanitization", "escape", "escaping"],
+    ["rate limit", "rate-limit", "rate limiting", "rate-limiting", "throttle"],
+    ["csrf"],
+    ["xss"],
+    ["sql injection", "injection", "parameterized", "prepared statement"],
+    ["webhook signature", "signature verification", "verify the signature", "constructevent", "hmac", "timingsafeequal", "timing-safe"],
+    ["secret manager", "secrets manager", "env var", "environment variable"],
+    ["encrypt", "encryption", "hash", "hashed", "hashing", "bcrypt", "argon2", "scrypt"],
+    ["jwt verification", "verify jwt"],
+    ["rls", "row level security", "least privilege"],
+    ["csp", "hsts", "x-frame-options", "security header", "security headers", "helmet"],
+    ["cors"],
+    ["2fa", "mfa"],
+    ["owasp", "idor", "bola", "ssrf"],
+    ["allowlist", "whitelist", "denylist"],
+];
+/** Markers of an underspecified ask — each hit lowers the specificity score. */
+const VAGUE_MARKERS = [
+    "somehow", "something", "stuff", "make it work", "or whatever", "etc", "some kind of",
+    "quick and dirty", "simple app", "basic app", "a thing",
+];
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+/** Languages whose rules express things a code-writing prompt can actually satisfy. */
+const CODE_LANGUAGES = ["javascript", "typescript", "python", "go"];
+function isWordChar(ch) {
+    if (ch === "")
+        return false;
+    return /[a-z0-9_-]/.test(ch);
+}
+/** Word-boundary token search without dynamic RegExp (token is matched case-insensitively). */
+function includesTokenIn(haystackLower, token) {
+    const needle = token.toLowerCase();
+    let idx = haystackLower.indexOf(needle);
+    while (idx !== -1) {
+        const before = idx === 0 ? "" : haystackLower[idx - 1];
+        const afterIdx = idx + needle.length;
+        const after = afterIdx >= haystackLower.length ? "" : haystackLower[afterIdx];
+        if (!isWordChar(before) && !isWordChar(after))
+            return true;
+        idx = haystackLower.indexOf(needle, idx + 1);
+    }
+    return false;
+}
+function makeHaystack(text) {
+    const raw = text.toLowerCase();
+    return { raw, norm: raw.replace(/[-_]+/g, " ") };
+}
+/** True if the token appears (word-boundary) in either form of the haystack. */
+export function includesToken(haystack, token) {
+    const h = typeof haystack === "string" ? makeHaystack(haystack) : haystack;
+    return includesTokenIn(h.raw, token) || includesTokenIn(h.norm, token);
+}
+/** Detect technologies named in the prompt (and optional client-provided context). */
+export function detectPromptStack(rawPrompt, context) {
+    const h = makeHaystack(`${rawPrompt}\n${context ?? ""}`);
+    return TECHS.filter((t) => t.tokens.some((tok) => includesToken(h, tok))).map((t) => t.id);
+}
+/**
+ * Detect security-sensitive attack surfaces implied by the prompt. Surfaces describe
+ * what the user is BUILDING, so they are derived from the prompt text only — the
+ * optional `context` (which names the stack, not the task) deliberately does not
+ * manufacture surfaces, preserving the NO_MOD "do no harm" path for non-security
+ * prompts even when a host always attaches project context.
+ */
+export function detectPromptSurfaces(rawPrompt, context) {
+    void context;
+    const h = makeHaystack(rawPrompt);
+    const direct = SURFACES.filter((s) => s.tokens.some((tok) => includesToken(h, tok))).map((s) => s.id);
+    const implied = TECHS.filter((t) => t.tokens.some((tok) => includesToken(h, tok))).flatMap((t) => t.impliedSurfaces);
+    return [...new Set([...direct, ...implied])];
+}
+/** Count DISTINCT security concepts present (each term group counts at most once). */
+function countSecurityTerms(textLower) {
+    const h = makeHaystack(textLower);
+    let count = 0;
+    for (const group of SECURITY_TERM_GROUPS) {
+        if (group.some((term) => includesToken(h, term)))
+            count++;
+    }
+    return count;
+}
+function specificityScore(rawPrompt, stackCount) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    const words = collapsed.length === 0 ? [] : collapsed.split(" ");
+    const lower = collapsed.toLowerCase();
+    let score = Math.min(4, stackCount * 2);
+    // Concrete nouns: file paths / extensions and code identifiers.
+    let pathTokens = 0;
+    let codeTokens = 0;
+    for (const w of words) {
+        const cleaned = w.replace(/[,;:!?)]+$/, "");
+        if (cleaned.includes("/") && cleaned.length > 3)
+            pathTokens++;
+        else if (/\.[a-z]{2,4}$/i.test(cleaned))
+            pathTokens++;
+        else if (/[a-z][A-Z]/.test(cleaned) || cleaned.includes("(") || cleaned.includes("`"))
+            codeTokens++;
+    }
+    score += Math.min(2, pathTokens) + Math.min(2, codeTokens);
+    // Length tiers reward elaborated asks.
+    if (words.length >= 25)
+        score += 2;
+    else if (words.length >= 12)
+        score += 1;
+    // Vagueness markers subtract.
+    let vagueHits = 0;
+    for (const marker of VAGUE_MARKERS) {
+        if (includesToken(lower, marker))
+            vagueHits++;
+    }
+    score -= Math.min(2, vagueHits) * 2;
+    return score;
+}
+function triage(rawPrompt, stack, surfaces) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    if (collapsed.length === 0) {
+        return { verdict: "NO_MOD", reason: "Empty prompt — nothing to analyze; proceed as-is.", securityTermCount: 0 };
+    }
+    const lower = collapsed.toLowerCase();
+    const securityTermCount = countSecurityTerms(lower);
+    const securityRelevant = surfaces.length > 0 || securityTermCount > 0;
+    if (!securityRelevant) {
+        return { verdict: "NO_MOD", reason: "No security-sensitive surface detected — injecting security requirements would be noise; proceed as-is.", securityTermCount };
+    }
+    const wordCount = collapsed.split(" ").length;
+    const specific = wordCount >= TRIAGE_CONFIG.minWords
+        && specificityScore(rawPrompt, stack.length) >= TRIAGE_CONFIG.specificityThreshold;
+    const securityAware = securityTermCount >= TRIAGE_CONFIG.securityAwareTerms;
+    if (specific && securityAware) {
+        return {
+            verdict: "NO_MOD",
+            reason: `Prompt is already specific and security-aware (${securityTermCount} security terms, concrete stack/detail) — modification would risk altering intent.`,
+            securityTermCount,
+        };
+    }
+    if (specific) {
+        return {
+            verdict: "LIGHT_MOD",
+            reason: "Intent is clear and specific but explicit security constraints are missing — inject requirements only, do not restructure.",
+            securityTermCount,
+        };
+    }
+    return {
+        verdict: "HEAVY_MOD",
+        reason: "Prompt is vague/underspecified and touches security-sensitive surfaces — inject requirements and surface clarifying questions.",
+        securityTermCount,
+    };
+}
+/** Rank rules against the detected stack + surfaces; severity first, cap at maxRequirements. */
+export function matchRulesForPrompt(stack, surfaces, rules) {
+    const techDefs = TECHS.filter((t) => stack.includes(t.id));
+    const surfaceDefs = SURFACES.filter((s) => surfaces.includes(s.id));
+    if (techDefs.length === 0 && surfaceDefs.length === 0)
+        return [];
+    const scored = [];
+    for (const rule of rules) {
+        // Only code-level rules become prompt-level requirements. This drops version-pin
+        // advisories and config/manifest rules (languages json/yaml only — you can't
+        // satisfy "upgrade package X" by writing code) while keeping behavioral js/ts/
+        // python/go rules even when they cite a CVE in their name (e.g. Drizzle sql.raw
+        // injection, Axios redirect leak, Hono SSE injection).
+        if (!rule.languages.some((l) => CODE_LANGUAGES.includes(l)))
+            continue;
+        const text = `${rule.name} ${rule.description}`.toLowerCase();
+        let score = 0;
+        for (const t of techDefs) {
+            if (t.ruleKeywords.some((k) => text.includes(k)))
+                score += 2;
+        }
+        for (const s of surfaceDefs) {
+            if (s.ruleKeywords.some((k) => text.includes(k)))
+                score += 1;
+        }
+        if (score > 0)
+            scored.push({ rule, score });
+    }
+    scored.sort((a, b) => (SEVERITY_ORDER[a.rule.severity] ?? 99) - (SEVERITY_ORDER[b.rule.severity] ?? 99)
+        || b.score - a.score
+        || a.rule.id.localeCompare(b.rule.id));
+    // Dedupe near-identical guidance (e.g. three "use parameterized queries" rules)
+    // so the capped list spends its slots on diverse requirements.
+    const seen = new Set();
+    const requirements = [];
+    for (const { rule } of scored) {
+        if (requirements.length >= TRIAGE_CONFIG.maxRequirements)
+            break;
+        const requirement = firstSentence(rule.fix);
+        // Key on the instruction itself, ignoring an attached code example (": db.query(...)").
+        const key = requirement.split(":")[0].toLowerCase().replace(/[^a-z0-9 ]/g, "").replace(/ +/g, " ").trim();
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        requirements.push({ ruleId: rule.id, title: rule.name, requirement, severity: rule.severity });
+    }
+    return requirements;
+}
+/** Common abbreviations whose trailing "." is not a sentence boundary. */
+const ABBREVIATIONS = ["e.g", "i.e", "etc", "vs", "cf", "approx", "no", "fig", "al"];
+function firstSentence(text) {
+    const collapsed = text.replace(/\s+/g, " ").trim();
+    // Find the first real sentence boundary, skipping ellipses ("...") and abbreviations
+    // ("e.g. ", "etc. ") so an example mid-fix doesn't truncate the actionable instruction.
+    let idx = collapsed.indexOf(". ");
+    while (idx > 0) {
+        const isEllipsis = collapsed[idx - 1] === ".";
+        const before = collapsed.slice(0, idx).toLowerCase();
+        const isAbbrev = ABBREVIATIONS.some((a) => before.endsWith(a) && !isWordChar(before[before.length - a.length - 1] ?? ""));
+        if (!isEllipsis && !isAbbrev)
+            break;
+        idx = collapsed.indexOf(". ", idx + 1);
+    }
+    if (idx === -1)
+        return collapsed;
+    const sentence = collapsed.slice(0, idx + 1);
+    // Never cut inside an unclosed inline code span.
+    const backticks = sentence.split("`").length - 1;
+    return backticks % 2 === 0 ? sentence : collapsed;
+}
+function buildAmbiguities(stack, surfaces) {
+    const questions = [];
+    if (stack.length === 0) {
+        questions.push("Which framework/stack is this for (e.g. Next.js, Express, Hono)? Only generic security rules could be matched without it.");
+    }
+    for (const surface of SURFACES) {
+        if (!surfaces.includes(surface.id) || !surface.question)
+            continue;
+        const answered = surface.answeredByTechs?.some((t) => stack.includes(t)) ?? false;
+        if (!answered)
+            questions.push(surface.question);
+    }
+    if (questions.length === 0) {
+        questions.push("The request is broad — which routes/files are in scope, and what does a successful result look like?");
+    }
+    return questions.slice(0, TRIAGE_CONFIG.maxAmbiguities);
+}
+function buildIntentSummary(rawPrompt) {
+    const collapsed = rawPrompt.replace(/\s+/g, " ").trim();
+    const clipped = collapsed.length > 220 ? `${collapsed.slice(0, 217)}...` : collapsed;
+    return `The user wants to: ${clipped}`;
+}
+/** Pick a code fence longer than any backtick run in the prompt so it embeds verbatim. */
+function fenceFor(text) {
+    let longest = 0;
+    let run = 0;
+    for (const ch of text) {
+        run = ch === "`" ? run + 1 : 0;
+        if (run > longest)
+            longest = run;
+    }
+    return "`".repeat(Math.max(3, longest + 1));
+}
+const REWRITE_DIRECTIVE = "Rewrite the user's prompt incorporating the security requirements above. " +
+    "Do NOT add features the user did not request. Do NOT change the user's intent. " +
+    "If verdict is NO_MOD, use the original prompt as-is.";
+const NO_MOD_DIRECTIVE = "Verdict is NO_MOD: use the ORIGINAL prompt below as-is. " +
+    "Do NOT rewrite, augment, or reinterpret it. " +
+    "Do NOT add features the user did not request. Do NOT change the user's intent.";
+function surfaceLabel(id) {
+    return SURFACES.find((s) => s.id === id)?.label ?? id;
+}
+function techLabel(id) {
+    return TECHS.find((t) => t.id === id)?.label ?? id;
+}
+function buildMarkdown(result) {
+    const fence = fenceFor(result.originalPrompt);
+    const lines = [
+        "## GuardVibe secure_prompt directive (guardvibe.secure_prompt.v1)",
+        "",
+        `- **verdict:** ${result.verdict}`,
+        `- **reason:** ${result.reason}`,
+    ];
+    if (result.verdict === "NO_MOD") {
+        lines.push("", "### rewrite_directive", NO_MOD_DIRECTIVE, "", "### original_prompt", fence + "text", result.originalPrompt, fence);
+        return lines.join("\n");
+    }
+    lines.push("", "### intent_summary (HARD CONSTRAINT — preserve this intent exactly)", `${result.intentSummary}`, "The rewritten prompt MUST preserve this intent exactly: no added features, no scope changes.");
+    if (result.detectedStack.length > 0 || result.detectedSurfaces.length > 0) {
+        lines.push("", "### detected_context");
+        if (result.detectedStack.length > 0) {
+            lines.push(`- **stack:** ${result.detectedStack.map(techLabel).join(", ")}`);
+        }
+        if (result.detectedSurfaces.length > 0) {
+            lines.push(`- **attack surfaces:** ${result.detectedSurfaces.map(surfaceLabel).join(", ")}`);
+        }
+    }
+    lines.push("", "### security_requirements");
+    if (result.securityRequirements.length === 0) {
+        lines.push("_No specific GuardVibe rules matched the detected stack/surfaces — apply standard input validation and authentication practices._");
+    }
+    else {
+        result.securityRequirements.forEach((req, i) => {
+            lines.push(`${i + 1}. [${req.ruleId}] (${req.severity}) ${req.title} — ${req.requirement}`);
+        });
+    }
+    if (result.verdict === "HEAVY_MOD" && result.ambiguities.length > 0) {
+        lines.push("", "### ambiguities (ask the user — do NOT invent answers)");
+        result.ambiguities.forEach((q, i) => lines.push(`${i + 1}. ${q}`));
+    }
+    lines.push("", "### rewrite_directive", REWRITE_DIRECTIVE, "", "### original_prompt", fence + "text", result.originalPrompt, fence);
+    return lines.join("\n");
+}
+/**
+ * Analyze a raw coding prompt BEFORE code generation and return a structured
+ * enhancement directive. Fully deterministic: same prompt = same directive.
+ */
+export function securePrompt(rawPrompt, opts) {
+    const effectiveRules = opts?.rules && opts.rules.length > 0 ? opts.rules : builtinRules;
+    // Full known stack (prompt + context) — informs display and answers "which provider"
+    // clarifying questions. promptStack (prompt only) drives triage and rule selection so
+    // that always-attached project context can never escalate a non-security prompt or
+    // manufacture off-topic requirements (the "do no harm" guarantee).
+    const detectedStack = detectPromptStack(rawPrompt, opts?.context);
+    const promptStack = detectPromptStack(rawPrompt);
+    const detectedSurfaces = detectPromptSurfaces(rawPrompt);
+    const { verdict, reason } = triage(rawPrompt, promptStack, detectedSurfaces);
+    // NO_MOD short-circuits: original prompt untouched, no requirements computed.
+    const securityRequirements = verdict === "NO_MOD"
+        ? []
+        : matchRulesForPrompt(promptStack, detectedSurfaces, effectiveRules);
+    const ambiguities = verdict === "HEAVY_MOD" ? buildAmbiguities(detectedStack, detectedSurfaces) : [];
+    const base = {
+        verdict,
+        reason,
+        intentSummary: buildIntentSummary(rawPrompt),
+        detectedStack,
+        detectedSurfaces,
+        securityRequirements,
+        ambiguities,
+        originalPrompt: rawPrompt,
+    };
+    return { ...base, markdown: buildMarkdown(base) };
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "3.18.0",
+  "version": "3.20.0",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
+  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 445 rules, 38 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 74 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",
@@ -119,7 +119,7 @@
     "@types/node": "^25.5.2",
     "c8": "^11.0.0",
     "eslint": "^10.2.0",
-    "tsx": "^4.21.0",
+    "tsx": "^4.22.4",
     "typescript-eslint": "^8.58.0"
   },
   "engines": {