guardvibe 3.2.0 → 3.3.0

package/CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.3.0] - 2026-06-07
+
+### Added — diff-aware scanning: block what you just wrote, not the backlog (438 rules / 37 tools)
+- **`guardvibe diff [base]` is now diff-aware by default** — it reports only findings on lines the change actually **added**, instead of re-reporting pre-existing debt in every file you touched. This makes the gate actionable: it blocks the issues newly introduced vs the base, the ones an AI agent just wrote.
+- **Transparent, never silent:** the report states the mode and how many pre-existing findings on unchanged lines were hidden (`preExistingHidden` in JSON; a note in markdown). `--all-lines` restores the whole-changed-file view.
+- New module `src/tools/diff-aware.ts` — a pure, git-free unified-diff hunk parser (`addedLinesFromUnifiedDiff`) plus thin `git diff` wrappers (`getAddedLinesForDiff`, `getAddedLinesStaged`) and a `filterToAddedLines` helper. Unit-tested independent of git; works at any `--unified` context level; counts newly-added files as fully added; ignores deletions.
+- No rule or tool changes (438 / 37).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.2.0] - 2026-06-07
 
 ### Added — `secure_this`: close the loop from "warns" to "guarantees the fix landed" (438 rules / 37 tools)

package/README.md

@@ -292,7 +292,8 @@ All scanning tools support `format: "json"` for machine-readable output.
 npx guardvibe scan [path]            # Scan a directory for security issues
 npx guardvibe scan . --format json   # JSON output for automation
 npx guardvibe check <file>           # Scan a single file
-npx guardvibe diff [base]            # Scan only changed files since git ref
+npx guardvibe diff [base]            # Scan changed files — reports only newly-introduced issues
+npx guardvibe diff [base] --all-lines # Include pre-existing findings in changed files too
 
 # Close the loop — scan, apply verified fixes, re-verify
 npx guardvibe secure-this <file>          # Dry run: show the fixes that would land + remaining manual work

package/build/cli/scan.js

@@ -78,9 +78,13 @@ export async function runDiffScan(base, flags) {
     const { execFileSync } = await import("child_process");
     const { analyzeFileSecurity } = await import("../tools/file-security.js");
     const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("../utils/constants.js");
+    const { getAddedLinesForDiff, filterToAddedLines } = await import("../tools/diff-aware.js");
     const format = validateFormat(flags);
     const outputFile = getOutputPath(flags);
     const root = resolve(".");
+    // Diff-aware by default: report only issues on newly-added lines. --all-lines
+    // restores the old whole-changed-file behavior (surfaces pre-existing debt too).
+    const allLines = flags["all-lines"] === true;
     let changedFiles;
     try {
         const output = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACMR", base], { cwd: root, encoding: "utf-8" });
@@ -95,6 +99,7 @@ export async function runDiffScan(base, flags) {
         return;
     }
     const allFindings = [];
+    let preExistingHidden = 0;
     for (const relPath of changedFiles) {
         const fullPath = resolve(root, relPath);
         if (!existsSync(fullPath))
@@ -110,24 +115,34 @@ export async function runDiffScan(base, flags) {
         try {
             const content = readFileSync(fullPath, "utf-8");
             const findings = analyzeFileSecurity(content, language, undefined, fullPath, root);
-            for (const f of findings) {
+            let kept = findings;
+            if (!allLines) {
+                const added = getAddedLinesForDiff(base, relPath, root);
+                kept = filterToAddedLines(findings, added);
+                preExistingHidden += findings.length - kept.length;
+            }
+            for (const f of kept) {
                 allFindings.push({ file: relPath, severity: f.rule.severity, name: f.rule.name, id: f.rule.id, line: f.line, fix: f.rule.fix });
             }
         }
         catch { /* skip */ }
     }
+    const mode = allLines ? "all changed lines" : "newly-introduced lines only";
     let result;
     if (format === "json") {
         const critical = allFindings.filter(f => f.severity === "critical").length;
         const high = allFindings.filter(f => f.severity === "high").length;
         const medium = allFindings.filter(f => f.severity === "medium").length;
         result = JSON.stringify({
-            summary: { total: allFindings.length, critical, high, medium, changedFiles: changedFiles.length, blocked: critical > 0 || high > 0 },
+            summary: { total: allFindings.length, critical, high, medium, changedFiles: changedFiles.length, blocked: critical > 0 || high > 0, diffAware: !allLines, preExistingHidden },
             findings: allFindings,
         });
     }
     else {
-        const lines = [`# GuardVibe Diff Report`, ``, `Base: ${base}`, `Changed files: ${changedFiles.length}`, `Issues: ${allFindings.length}`, ``];
+        const lines = [`# GuardVibe Diff Report`, ``, `Base: ${base}`, `Mode: ${mode}`, `Changed files: ${changedFiles.length}`, `Issues: ${allFindings.length}`, ``];
+        if (!allLines && preExistingHidden > 0) {
+            lines.push(`> ${preExistingHidden} pre-existing finding(s) on unchanged lines hidden — re-run with \`--all-lines\` to see them.`, ``);
+        }
         if (allFindings.length === 0) {
             lines.push(`All changed files passed security checks.`);
         }

package/build/cli.js

@@ -23,7 +23,7 @@ function printUsage() {
 
   Commands:
     npx guardvibe scan [path]        Scan a directory for security issues
-    npx guardvibe diff [base]        Scan only changed files since a git ref
+    npx guardvibe diff [base]        Scan changed files; reports only newly-introduced issues (--all-lines for whole files)
     npx guardvibe check <file>       Scan a single file for security issues
     npx guardvibe doctor [path]      Run host security audit
     npx guardvibe audit [path]       Full security audit with PASS/FAIL verdict
@@ -50,6 +50,7 @@ function printUsage() {
                           critical (default) | high | medium | low | none
     --baseline <file>     Compare against a previous scan JSON for fix tracking
     --save-baseline       Save current scan as baseline (.guardvibe-baseline.json)
+    --all-lines           (diff) Report all findings in changed files, not just newly-added lines
     --version, -V         Print version and exit
     --help, -h            Show this help message
 

package/build/tools/diff-aware.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Parse unified-diff text and return the set of 1-based line numbers that are
+ * ADDED in the new version of the file. Works at any `--unified` context level.
+ */
+export declare function addedLinesFromUnifiedDiff(diff: string): Set<number>;
+/** Keep only findings whose line number is in the added-line set. */
+export declare function filterToAddedLines<T extends {
+    line: number;
+}>(findings: T[], added: Set<number>): T[];
+/** Lines added in `relPath` relative to a git base ref (branch/commit/HEAD~N). */
+export declare function getAddedLinesForDiff(base: string, relPath: string, cwd: string): Set<number>;
+/** Lines added in `relPath` in the staged (index) changes — for pre-commit gating. */
+export declare function getAddedLinesStaged(relPath: string, cwd: string): Set<number>;

package/build/tools/diff-aware.js

@@ -0,0 +1,78 @@
+/**
+ * Diff-aware scanning — surface only the issues that were NEWLY introduced.
+ *
+ * Scanning a changed file whole re-reports pre-existing debt the author didn't
+ * touch, which trains agents (and people) to ignore the output. Diff-aware
+ * filtering keeps only findings that land on lines the current change actually
+ * ADDED, so the gate blocks what you just wrote — not the backlog.
+ *
+ * The hunk parser is pure and git-free (unit-tested); a thin wrapper shells out
+ * to `git diff` to obtain the unified diff for a file.
+ */
+import { execFileSync } from "child_process";
+/**
+ * Parse unified-diff text and return the set of 1-based line numbers that are
+ * ADDED in the new version of the file. Works at any `--unified` context level.
+ */
+export function addedLinesFromUnifiedDiff(diff) {
+    const added = new Set();
+    let newLine = 0;
+    let inHunk = false;
+    for (const raw of diff.split("\n")) {
+        if (raw.startsWith("@@")) {
+            // @@ -oldStart,oldCount +newStart,newCount @@
+            const m = raw.match(/@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+            if (m) {
+                newLine = parseInt(m[1], 10);
+                inHunk = true;
+            }
+            continue;
+        }
+        if (!inHunk || raw === "")
+            continue;
+        if (raw.startsWith("+++") || raw.startsWith("---"))
+            continue;
+        const c = raw[0];
+        if (c === "+") {
+            added.add(newLine);
+            newLine++;
+        }
+        else if (c === "-") {
+            // deletion — present only in the old file, does not advance the new line
+        }
+        else if (c === "\\") {
+            // "" — metadata, ignore
+        }
+        else {
+            // context line (leading space) — advances the new-file line counter
+            newLine++;
+        }
+    }
+    return added;
+}
+/** Keep only findings whose line number is in the added-line set. */
+export function filterToAddedLines(findings, added) {
+    return findings.filter(f => added.has(f.line));
+}
+function gitDiffAddedLines(args, relPath, cwd) {
+    try {
+        const out = execFileSync("git", ["diff", "--no-color", "--unified=0", ...args, "--", relPath], {
+            cwd,
+            encoding: "utf-8",
+            maxBuffer: 32 * 1024 * 1024,
+        });
+        return addedLinesFromUnifiedDiff(out);
+    }
+    catch {
+        // Not a git repo, untracked path, or git unavailable — caller decides fallback.
+        return new Set();
+    }
+}
+/** Lines added in `relPath` relative to a git base ref (branch/commit/HEAD~N). */
+export function getAddedLinesForDiff(base, relPath, cwd) {
+    return gitDiffAddedLines([base], relPath, cwd);
+}
+/** Lines added in `relPath` in the staged (index) changes — for pre-commit gating. */
+export function getAddedLinesStaged(relPath, cwd) {
+    return gitDiffAddedLines(["--cached"], relPath, cwd);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.2.0",
+  "version": "3.3.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 438 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 67 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",