guardvibe 3.21.0 → 3.23.0

package/CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.23.0] - 2026-06-19
+
+### Added — MCP/agent unauth endpoint rule + full CORS-credentials coverage from daily intel (448 → 449 rules)
+- **VG1095 — MCP / agent tool-call endpoint without authentication (high).** Flags an HTTP route (`app|router|server|fastify`.`post|all|put|use`) that exposes an MCP `tools/call`, `/mcp`, or agent `run`/`invoke`/`execute` endpoint with no auth token within ~200 chars of the registration. Targets the June-2026 advisory wave: praisonai (unauthenticated HTTP tools/call + AgentOS agent listing/calling), network-ai (empty default secret authorizing every request, CVE-2026-48814/46701), AgenticMail (unauthenticated inbound mail driving a privileged agent session). Skips routes guarded by auth middleware or an in-handler session/token check.
+- **VG1094 extended to full CVE-2026-54290 behavioral coverage.** Now also flags `cors({ origin: '*', credentials: true })` and `cors({ credentials: true })` with no origin key (middleware default reflects), in addition to the existing `origin:true` / reflecting-arrow-function cases. VG973 (wildcard without credentials) narrowed with a negative lookahead so the two are mutually exclusive — no double-firing. Explicit allowlists with credentials are still not flagged.
+- **Already covered (verified against this brief, no action):** axios CVE-2026-44489/44490/44496 (all fixed in 1.16.0 → VG1042∪VG1091 `<1.16.0`), next RSC cluster CVE-2026-44576/44582/44577 (fixed 16.2.5/16.2.6 → VG1047), Hono CVE-2026-54290 version-pin (VG1092), Clerk/Drizzle/js-cookie/postcss/Anthropic-SDK/Vercel-AI-SDK. The brief's execSync command-injection suggestion is already covered by the MCP-handler rule (VG857) + the general command-injection rule.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.22.0] - 2026-06-18
+
+### Added — `slopscan`: AI-hallucinated / slopsquat package detector (38 → 39 tools)
+- **New MCP tool `scan_hallucinated_packages` + CLI `slopscan [path]`** — detects the supply-chain seam commodity SCA misses: package names AI assistants invent (~20% of AI-generated code references non-existent packages) and the slopsquats attackers register for them. Commodity SCA scans known/published packages against vuln DBs; this catches names that don't exist yet, were never installed, or were published yesterday — at code-gen/PR time (shift-left).
+- **Offline tier (deterministic, no network, air-gapped):** `phantom_import` (imported in source but absent from every package.json — a classic LLM tell) + typosquat/deceptive-prefix of popular packages. Import extraction is statement-anchored and strips comments + template-literal bodies, so example imports embedded in docs/codegen strings are never miscounted (verified 0 false positives on GuardVibe's own example-heavy source).
+- **Online tier (opt-in, default on, graceful degrade):** npm-registry truth — `nonexistent` (404 = definitive hallucination), brand-new + low-download (easy-day-js/Mastra slopsquat pattern), deprecated/unmaintained/low-adoption. A total registry outage degrades to the deterministic offline result instead of misreporting every package as nonexistent.
+- **`full_audit` integration:** the offline tier runs as a new `hallucinated-packages` section; the online tier never runs inside the audit, so the deterministic result hash is preserved.
+- **Config:** `.guardviberc` `slopscan: { online?, allow? }` to allowlist intentional unpublished/workspace imports.
+- **Reuse, no new dependency:** built on existing `detectTyposquat`, `packageRoot`, `assessPackageRisk`, and a new discriminated `fetchRegistryStatus` (distinguishes 404 from network failure). 13 new tests (offline phantom/typosquat/determinism, statement-anchored extraction, online-mock 404 + graceful degradation, CLI). Counts bumped 38 → 39 tools across all surfaces.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.21.0] - 2026-06-18
 
 ### Added — 3 rules from daily threat intel: Hono CORS reflection + @hono/node-server bypass (445 → 448 rules / 38 tools)

package/README.md

@@ -15,7 +15,7 @@
 - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
 - **⬅️ NEW: Starts before the first line of code.** Every scanner on earth — including your agent reviewing itself — acts *after* the code exists. [`secure_prompt`](#prompt-level-security-shift-left) acts *before*: it analyzes the coding prompt itself, detects the stack and attack surfaces it implies, and embeds severity-ranked GuardVibe requirements into the prompt your AI executes. The vulnerability is prevented, not caught. Deterministic, zero LLM calls — and if the prompt is already secure, it passes through untouched.
 
-**The security MCP built for vibe coding.** 448 security rules, 38 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
+**The security MCP built for vibe coding.** 449 security rules, 39 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -27,7 +27,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **448 security rules, 38 tools** purpose-built for the stacks AI agents generate
+- **449 security rules, 39 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -65,7 +65,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | CVE version detection | 71 packages, refreshed daily | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 448 (focused, 68 AI-native) | 5000+ (broad) | N/A |
+| Rule count | 449 (focused, 68 AI-native) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -243,7 +243,7 @@ provider should be used (e.g. Clerk, Auth.js/NextAuth, Supabase Auth, custom JWT
 
 Same user intent — but the model now generates auth code with the guardrails stated up front, instead of GuardVibe catching the missing pieces after the fact.
 
-## Tools (38 MCP tools)
+## Tools (39 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -285,10 +285,24 @@ Same user intent — but the model now generates auth code with the guardrails s
 | `remediation_plan` | **Remediation plan** — generates section-by-section fix checklist after audit |
 | `verify_remediation` | **Remediation verification** — compares before/after audit, flags skipped sections |
 | `secure_prompt` | **Prompt-level security (shift left)** — analyze a coding prompt BEFORE code is written; deterministic triage (NO_MOD/LIGHT_MOD/HEAVY_MOD), stack + attack-surface detection, severity-ranked GuardVibe requirements embedded via a rewrite directive |
+| `scan_hallucinated_packages` | **Slopsquat / AI-hallucination detector** — flags phantom imports (imported but in no manifest) and typosquats fully offline + deterministic; opt-in online tier adds npm-registry truth (404 = nonexistent, brand-new low-download = slopsquat pattern). CLI: `npx guardvibe slopscan [path] --offline` |
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (448 rules across 25 modules)
+### Slopsquat / hallucinated-package detection
+
+AI assistants invent package names — ~20% of AI-generated code references packages that don't exist, and attackers register those hallucinated names ("slopsquatting"). Commodity SCA scans *known, published* packages against vuln databases; it can't see a name that doesn't exist yet, was never installed, or was published yesterday. `scan_hallucinated_packages` / `slopscan` targets exactly that seam, at code-gen/PR time:
+
+- **Offline (deterministic, air-gapped):** `phantom_import` (a package imported in source but absent from every `package.json` — a classic LLM tell) and typosquats of popular packages. Statement-anchored + comment/template-aware, so example imports in docs/strings are never miscounted.
+- **Online (opt-in, graceful degrade):** npm-registry truth — `nonexistent` (404), brand-new + low-download (slopsquat-registration pattern), deprecated/unmaintained.
+
+The offline tier is also a `full_audit` section (online never runs inside the audit, keeping the result hash deterministic). Allowlist intentional unpublished/workspace names via `.guardviberc`:
+
+```json
+{ "slopscan": { "online": true, "allow": ["@myorg/internal-pkg"] } }
+```
+
+## Security Rules (449 rules across 25 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|

package/build/cli/slopscan.d.ts

@@ -0,0 +1 @@
+export declare function runSlopscan(args: string[]): Promise<void>;

package/build/cli/slopscan.js

@@ -0,0 +1,39 @@
+/**
+ * CLI: guardvibe slopscan [path]
+ * Detect AI-hallucinated / slopsquatted packages (phantom imports + typosquats + registry truth).
+ */
+import { resolve } from "node:path";
+import { statSync } from "node:fs";
+import { parseArgs } from "./args.js";
+import { scanHallucinatedPackages } from "../tools/scan-hallucinated.js";
+export async function runSlopscan(args) {
+    const { flags, positional } = parseArgs(args);
+    const path = resolve(positional[0] ?? ".");
+    try {
+        const stat = statSync(path);
+        if (!stat.isDirectory()) {
+            console.error(`  [ERR] Not a directory: ${path}`);
+            process.exit(1);
+        }
+    }
+    catch {
+        console.error(`  [ERR] Path not found: ${path}`);
+        process.exit(1);
+    }
+    const format = (flags.format === "json" ? "json" : "markdown");
+    const online = !flags.offline;
+    const output = await scanHallucinatedPackages(path, format, { online });
+    console.log(output);
+    // Exit 1 when suspicious packages are found, so it can gate pre-commit / CI.
+    if (format === "json") {
+        try {
+            const parsed = JSON.parse(output);
+            if ((parsed.findings ?? []).length > 0)
+                process.exit(1);
+        }
+        catch { /* ignore */ }
+    }
+    else if (/^\*\*\d+ suspicious package/m.test(output)) {
+        process.exit(1);
+    }
+}

package/build/cli.js

@@ -34,6 +34,7 @@ function printUsage() {
     npx guardvibe auth-coverage [path]  Auth coverage analysis (Next.js routes)
     npx guardvibe compliance [path]     Compliance report (--framework SOC2|GDPR|...)
     npx guardvibe deep-scan <file>   LLM-powered deep scan (IDOR, business logic, race conditions)
+    npx guardvibe slopscan [path]    Detect AI-hallucinated / slopsquatted packages (--offline = deterministic-only)
     npx guardvibe init <platform>    Setup MCP server configuration
     npx guardvibe hook install       Install pre-commit security hook
     npx guardvibe hook uninstall     Remove pre-commit security hook
@@ -168,6 +169,10 @@ async function main() {
         const { runDeepScan } = await import("./cli/deep-scan.js");
         await runDeepScan(subArgs);
     }
+    else if (command === "slopscan") {
+        const { runSlopscan } = await import("./cli/slopscan.js");
+        await runSlopscan(subArgs);
+    }
     else {
         console.error(`  Unknown command: ${command}`);
         printUsage();

package/build/data/rules/ai-security.js

@@ -97,6 +97,18 @@ export const aiSecurityRules = [
         fixCode: '// Use spawn with argument array (no shell interpretation)\nimport { spawn } from "child_process";\nconst allowed = /^[a-zA-Z0-9._-]+$/;\nif (!allowed.test(args.filename)) throw new Error("Invalid filename");\nconst child = spawn("cat", [args.filename], { shell: false });',
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1", "EUAIACT:Art15"],
     },
+    {
+        id: "VG1095",
+        name: "MCP / Agent Tool-Call Endpoint Without Authentication",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "An HTTP route exposes an MCP tools/call endpoint, an /mcp endpoint, or an agent run/invoke/execute endpoint with no authentication guard near the route registration. Exposing tool execution or agent invocation over HTTP without auth lets any caller run server-side tools/agents — the pattern behind the June-2026 advisory wave for praisonai (unauthenticated HTTP tools/call + AgentOS agent listing/calling), network-ai (empty default secret authorizing every request), and AgenticMail (unauthenticated inbound mail driving a privileged agent session). Heuristic: flags `(app|router|server|fastify).(post|all|put|use)` on a tool-call/mcp/agent-exec path when no auth token (auth/verify/session/getAuth/bearer/apiKey/token/middleware/guard/protect) appears within the next ~200 characters. Add an auth check, or — for the MCP SDK — authenticate at the transport layer before registering tools.",
+        pattern: /\b(?:app|router|server|fastify)\.(?:post|all|put|use)\s*\(\s*[`'"][^`'"]*(?:tools\/call|tool[-_]call|\/mcp\b|agents?\/[\w:./*-]*(?:run|invoke|execute|call)|(?:run|invoke|execute)[-_]?(?:tool|agent))[^`'"]*[`'"](?![\s\S]{0,200}?\b(?:auth|requireAuth|verify|authenticate|middleware|getAuth|getSession|session|currentUser|requireUser|isAuthenticated|bearer|apiKey|token|protect|guard)\b)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Require authentication before exposing tool-call or agent-invocation endpoints. Gate the route with auth middleware or an in-handler session/token check; for MCP over HTTP, authenticate the transport (bearer/API key) before dispatching tools/call.",
+        fixCode: '// Gate the MCP tools/call endpoint with auth middleware\nimport { requireAuth } from "./auth";\n\napp.post("/mcp/tools/call", requireAuth, async (req, res) => {\n  const session = await getSession(req);\n  if (!session) return res.status(401).json({ error: "Unauthorized" });\n  // ... dispatch tool call\n});',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.10", "EUAIACT:Art15"],
+    },
     // ── Katman 2: Excessive Agency Detection ───────────────────────────
     {
         id: "VG858",

package/build/data/rules/modern-stack.js

@@ -214,8 +214,8 @@ export const modernStackRules = [
         name: "Hono CORS Wildcard",
         severity: "high",
         owasp: "A05:2025 Security Misconfiguration",
-        description: "Hono app uses cors() with wildcard origin, allowing any website to make requests to your API.",
-        pattern: /cors\s*\(\s*\{[\s\S]{0,200}?origin\s*:\s*['"]\*['"]/g,
+        description: "Hono app uses cors() with wildcard origin, allowing any website to make requests to your API. (When combined with credentials:true this is the account-takeover-grade CVE-2026-54290 case — flagged separately by VG1094.)",
+        pattern: /cors\s*\(\s*\{(?![\s\S]{0,400}?credentials\s*:\s*true)[\s\S]{0,200}?origin\s*:\s*['"]\*['"]/g,
         languages: ["javascript", "typescript"],
         fix: "Set specific allowed origins in Hono CORS configuration.",
         fixCode: 'import { cors } from "hono/cors";\n\napp.use("/*", cors({\n  origin: ["https://myapp.com", "https://staging.myapp.com"],\n}));',
@@ -226,10 +226,10 @@ export const modernStackRules = [
         name: "CORS Origin Reflection With Credentials (CVE-2026-54290)",
         severity: "high",
         owasp: "A05:2025 Security Misconfiguration",
-        description: "cors() is configured with credentials:true AND an origin that reflects the caller — either origin:true or an arrow function that returns its origin argument unchanged (origin: (o) => o). This combination echoes any request's Origin back together with Access-Control-Allow-Credentials:true, so any website can make authenticated cross-origin requests on the victim's behalf (account-takeover-grade CSRF). This is the exact misconfiguration that made Hono CVE-2026-54290 exploitable, and it is dangerous on any CORS middleware (Hono, Express). The wildcard literal origin:'*' form is covered separately by VG973; this rule targets the reflected-origin forms that VG973 cannot see.",
-        pattern: /cors\s*\(\s*\{(?=[\s\S]{0,400}?credentials\s*:\s*true)[\s\S]{0,400}?origin\s*:\s*(?:true\b|\(\s*(\w+)\s*\)\s*=>\s*\1\b)/g,
+        description: "cors() is configured with credentials:true together with a reflected or wildcard origin — origin:'*', origin:true, an arrow function that returns its origin argument unchanged (origin: (o) => o), OR no origin key at all (the middleware default reflects/wildcards). Any of these echoes an arbitrary request Origin back with Access-Control-Allow-Credentials:true, so any website can make authenticated cross-origin requests on the victim's behalf (account-takeover-grade CSRF). This is exactly the misconfiguration that made Hono CVE-2026-54290 exploitable, and it is dangerous on any CORS middleware (Hono, Express). An explicit origin allowlist (origin: ['https://app.example.com']) with credentials:true is NOT flagged. VG973 covers the wildcard-without-credentials case.",
+        pattern: /cors\s*\(\s*\{(?=[\s\S]{0,400}?credentials\s*:\s*true)(?:[\s\S]{0,400}?origin\s*:\s*(?:['"]\*['"]|true\b|\(\s*(\w+)\s*\)\s*=>\s*\1\b)|(?![\s\S]{0,400}?\borigin\s*:)[\s\S]{0,200}?credentials\s*:\s*true)/g,
         languages: ["javascript", "typescript"],
-        fix: "Never combine credentials:true with a reflected origin. Pass an explicit allowlist of trusted origins, or validate the incoming origin against an allowlist before returning it.",
+        fix: "Never combine credentials:true with a reflected/wildcard origin or an omitted origin. Pass an explicit allowlist of trusted origins, or validate the incoming origin against an allowlist before returning it.",
         fixCode: 'import { cors } from "hono/cors";\n\nconst ALLOWED = new Set(["https://myapp.com", "https://app.myapp.com"]);\napp.use("/api/*", cors({\n  origin: (origin) => (ALLOWED.has(origin) ? origin : null),\n  credentials: true,\n}));',
         compliance: ["SOC2:CC6.1", "SOC2:CC6.6", "PCI-DSS:Req6.2"],
     },

package/build/index.js

@@ -12,6 +12,7 @@ import { getSecurityDocs } from "./tools/get-security-docs.js";
 import { checkDependencies } from "./tools/check-deps.js";
 import { scanDirectory } from "./tools/scan-directory.js";
 import { scanDependencies } from "./tools/scan-dependencies.js";
+import { scanHallucinatedPackages } from "./tools/scan-hallucinated.js";
 import { scanSecrets } from "./tools/scan-secrets.js";
 import { scanStaged } from "./tools/scan-staged.js";
 import { complianceReport } from "./tools/compliance-report.js";
@@ -64,7 +65,7 @@ function mergeStatsIntoOutput(results, summary, format) {
 const server = new McpServer({
     name: "guardvibe",
     version: pkg.version,
-    description: `Security MCP for vibe coding — single source of truth for AI assistants. ${builtinRules.length} security rules and 38 tools. Call secure_prompt with the user's coding prompt BEFORE generating code to embed security requirements up front (shift left). Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.`,
+    description: `Security MCP for vibe coding — single source of truth for AI assistants. ${builtinRules.length} security rules and 39 tools. Call secure_prompt with the user's coding prompt BEFORE generating code to embed security requirements up front (shift left). Use full_audit for a comprehensive PASS/FAIL/WARN verdict with deterministic result hash, coverage %, and unified report across code, secrets, dependencies, config, taint analysis, and auth coverage. IMPORTANT: When full_audit returns FAIL/WARN, call remediation_plan to get a mandatory section-by-section fix checklist covering ALL 6 sections (not just code). After fixing, call verify_remediation to confirm all sections were addressed. Same code = same hash = same results regardless of which AI assistant runs it. Covers OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, host hardening. Maps to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act. Runs 100% locally with zero configuration.`,
 });
 // Tool 1: Analyze code for security vulnerabilities
 server.tool("check_code", "Analyze inline code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Pass code as a string parameter. For scanning files on disk, use scan_file instead. Example: check_code({code: 'app.get(...)', language: 'javascript'})", {
@@ -215,6 +216,29 @@ server.tool("scan_dependencies", "Parse a lockfile or manifest (package.json, pa
     }
     return { content: [{ type: "text", text: results }] };
 });
+// Detect AI-hallucinated / slopsquatted packages (phantom imports + typosquats + registry truth)
+server.tool("scan_hallucinated_packages", "Detect AI-hallucinated and slopsquatted packages in a repo — the supply-chain seam commodity SCA misses. OFFLINE (deterministic): flags phantom imports (a package imported in source but absent from every package.json — a classic LLM hallucination tell) and typosquats of popular packages. ONLINE (opt-in, default on; gracefully degrades offline): adds npm-registry truth — packages that return 404 (definitive hallucination) and brand-new low-download packages (slopsquat-registration pattern). Run on AI-generated code at PR time, before `npm install`. Pass online:false for a fully deterministic, air-gapped scan.", {
+    path: z.string().default(".").describe("Repository root to scan (default current directory)"),
+    online: z.boolean().default(true).describe("Query the npm registry for existence/age/downloads. false = deterministic offline-only (phantom imports + typosquats)."),
+    format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (guardvibe.slopscan.v1 for agents)"),
+}, async ({ path, online, format }) => {
+    try {
+        const results = await scanHallucinatedPackages(path, format, { online });
+        const { resolve: resolvePath } = await import("path");
+        const root = resolvePath(path);
+        try {
+            const parsed = format === "json" ? JSON.parse(results) : null;
+            recordScan(root, { toolName: "scan_hallucinated_packages", filesScanned: 1, findings: (parsed?.findings ?? []).map((f) => ({ severity: f.severity, ruleId: f.ruleId })) });
+        }
+        catch {
+            recordScan(root, { toolName: "scan_hallucinated_packages", filesScanned: 1, findings: [] });
+        }
+        return { content: [{ type: "text", text: results }] };
+    }
+    catch (e) {
+        return { content: [{ type: "text", text: `# GuardVibe Slopsquat Report\n\nError scanning ${path}: ${e.message}\n\nThis may be a network issue reaching the npm registry. Retry with online:false for a deterministic offline scan.` }] };
+    }
+});
 // Tool 7: Scan for leaked secrets, API keys, and credentials
 server.tool("scan_secrets", "Scan files and directories for leaked secrets, API keys, tokens, and credentials. Detects high-entropy strings, known API key patterns (AWS, Stripe, OpenAI, GitHub, Supabase), exposed .env files, and missing .gitignore coverage. Returns findings with exact line numbers and remediation steps.", {
     path: z.string().describe("File or directory path to scan"),

package/build/tools/check-package-health.d.ts

@@ -24,5 +24,20 @@ export interface PackageHealthResult {
     similarTo?: string;
 }
 export declare function assessPackageRisk(name: string, data: RegistryData): PackageHealthResult;
+/**
+ * Discriminated registry fetch. Distinguishes "package truly does not exist (404)"
+ * from "could not reach/parse the registry (network/5xx)" — critical so a network
+ * outage is NOT misreported as every package being nonexistent.
+ *   { ok: true, data }  → resolved (data.exists is true for 200, false for 404)
+ *   { ok: false }       → transport/5xx error — existence is unknown
+ */
+export type RegistryFetch = {
+    ok: true;
+    data: RegistryData;
+} | {
+    ok: false;
+};
+export declare function fetchRegistryStatus(name: string): Promise<RegistryFetch>;
+export declare function fetchRegistryData(name: string): Promise<RegistryData>;
 export declare function checkPackageHealth(packages: string[], format?: "markdown" | "json"): Promise<string>;
 export {};

package/build/tools/check-package-health.js

@@ -68,17 +68,17 @@ export function assessPackageRisk(name, data) {
         similarTo,
     };
 }
-async function fetchRegistryData(name) {
+export async function fetchRegistryStatus(name) {
     try {
         const [metaRes, downloadsRes] = await Promise.all([
             fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}`, { signal: AbortSignal.timeout(5000) }),
             fetch(`https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(name)}`, { signal: AbortSignal.timeout(5000) }),
         ]);
         if (metaRes.status === 404) {
-            return { exists: false, downloads: 0, lastPublish: "", maintainers: 0, deprecated: false };
+            return { ok: true, data: { exists: false, downloads: 0, lastPublish: "", maintainers: 0, deprecated: false } };
         }
         if (!metaRes.ok) {
-            throw new Error(`npm registry error: ${metaRes.status}`);
+            return { ok: false }; // 5xx / rate-limit — cannot determine existence
         }
         const meta = await metaRes.json();
         const latestVersion = meta["dist-tags"]?.latest;
@@ -90,12 +90,16 @@ async function fetchRegistryData(name) {
             const dlData = await downloadsRes.json();
             downloads = dlData.downloads ?? 0;
         }
-        return { exists: true, downloads, lastPublish, maintainers, deprecated };
+        return { ok: true, data: { exists: true, downloads, lastPublish, maintainers, deprecated } };
     }
     catch {
-        return { exists: false, downloads: 0, lastPublish: "", maintainers: 0, deprecated: false };
+        return { ok: false }; // network error — cannot determine existence
     }
 }
+export async function fetchRegistryData(name) {
+    const r = await fetchRegistryStatus(name);
+    return r.ok ? r.data : { exists: false, downloads: 0, lastPublish: "", maintainers: 0, deprecated: false };
+}
 export async function checkPackageHealth(packages, format = "markdown") {
     const results = [];
     for (const name of packages) {

package/build/tools/full-audit.js

@@ -16,6 +16,7 @@ import { scanDependencies } from "./scan-dependencies.js";
 import { auditConfig } from "./audit-config.js";
 import { analyzeCrossFileTaint } from "./cross-file-taint.js";
 import { analyzeAuthCoverage } from "./auth-coverage.js";
+import { detectHallucinatedOffline } from "./scan-hallucinated.js";
 import { getRules } from "../utils/rule-registry.js";
 import { loadConfig } from "../utils/config.js";
 import { isExcludedFilename } from "../utils/constants.js";
@@ -417,6 +418,40 @@ export async function runFullAudit(path, options) {
         }
     }
     catch { /* auth coverage is optional */ }
+    // --- Section 7: Hallucinated / slopsquatted packages (OFFLINE only — keeps result hash deterministic) ---
+    try {
+        const halluc = detectHallucinatedOffline(projectRoot);
+        if (halluc.length > 0) {
+            let hCritical = 0, hHigh = 0, hMedium = 0;
+            const hFindings = halluc.map(f => {
+                if (f.severity === "critical")
+                    hCritical++;
+                else if (f.severity === "high")
+                    hHigh++;
+                else
+                    hMedium++;
+                return {
+                    ruleId: f.ruleId,
+                    severity: f.severity,
+                    file: "package.json",
+                    line: 0,
+                    name: `${f.name}: ${f.signals.join(", ")}${f.similarTo ? ` (did you mean ${f.similarTo}?)` : ""}`,
+                    description: `Possible AI-hallucinated / slopsquatted package. Signals: ${f.signals.join(", ")}.`,
+                    fix: f.fix,
+                };
+            });
+            sections.push({
+                name: "hallucinated-packages", status: "ok",
+                findings: hFindings.length, critical: hCritical, high: hHigh, medium: hMedium,
+                details: `${hFindings.length} suspicious package(s) (offline: phantom imports + typosquats)`,
+                sectionFindings: hFindings,
+            });
+            for (const f of hFindings) {
+                allFindings.push({ ruleId: f.ruleId, severity: f.severity, file: f.file, line: f.line });
+            }
+        }
+    }
+    catch { /* hallucination scan is optional */ }
     // --- Compute totals ---
     const totalCritical = sections.reduce((s, sec) => s + sec.critical, 0);
     const totalHigh = sections.reduce((s, sec) => s + sec.high, 0);
@@ -527,6 +562,15 @@ function buildInlineRemediationPlan(result) {
                 "Verify: `npx guardvibe auth-coverage --format json` — unprotected must be 0",
             ],
         },
+        "hallucinated-packages": {
+            priority: 7,
+            tool: "scan_hallucinated_packages",
+            actions: [
+                "Look at sectionFindings above — each names a phantom-imported or typosquatted package",
+                "For phantom imports: add the real dependency, or remove the import if the AI invented it. For typosquats: switch to the official package name",
+                "Confirm existence/provenance: `npx guardvibe slopscan . --format json` (online), or add intentional names to .guardviberc slopscan.allow",
+            ],
+        },
     };
     const steps = [];
     for (const section of result.sections) {

package/build/tools/scan-hallucinated.d.ts

@@ -0,0 +1,65 @@
+export type HallucinationSignal = "phantom_import" | "typosquat" | "deceptive_prefix" | "nonexistent" | "new_package" | "low_adoption" | "single_maintainer" | "unmaintained" | "deprecated";
+export type Severity = "critical" | "high" | "medium" | "low";
+export interface HallucinationFinding {
+    name: string;
+    ecosystem: "npm";
+    signals: HallucinationSignal[];
+    severity: Severity;
+    similarTo?: string;
+    tier: "offline" | "online";
+    ruleId: string;
+    fix: string;
+}
+export interface HallucinationResult {
+    schema: "guardvibe.slopscan.v1";
+    root: string;
+    declaredCount: number;
+    importedCount: number;
+    deterministic: boolean;
+    networkStatus: "ok" | "unreachable" | "skipped";
+    findings: HallucinationFinding[];
+}
+/**
+ * Blank out comments and template-literal (backtick) bodies, preserving newlines and
+ * single/double-quoted strings. Real ES import specifiers are single/double-quoted in
+ * code context and survive; example imports living inside backtick templates or comments
+ * are removed so they are never counted as real dependencies.
+ */
+export declare function stripCommentsAndTemplates(src: string): string;
+/** Real npm package roots imported via import/require STATEMENTS in a file's source. */
+export declare function extractStatementImports(code: string): Set<string>;
+/** Walk a source tree and collect every package root imported via a real statement. */
+export declare function collectStatementImports(root: string, opts?: {
+    exclude?: string[];
+    maxFiles?: number;
+}): Set<string>;
+export interface DeclaredInfo {
+    /** Every dependency name declared across all package.json files under root. */
+    declared: Set<string>;
+    /** `name` field of every package.json found (workspace-internal / self packages). */
+    selfNames: Set<string>;
+}
+/** Collect declared dependency names + workspace self-names from every package.json under root. */
+export declare function collectDeclaredPackages(root: string, opts?: {
+    exclude?: string[];
+}): DeclaredInfo;
+/**
+ * OFFLINE / deterministic core. Pure — no network, no filesystem. Unit-testable with
+ * injected sets. Flags phantom imports (imported ∉ declared) and typosquats.
+ */
+export declare function detectOffline(imported: Set<string>, declared: Set<string>, opts?: {
+    allow?: string[];
+    selfNames?: Set<string>;
+}): HallucinationFinding[];
+/**
+ * Repo-level orchestrator. Runs the offline tier, then (unless online === false)
+ * enriches with npm-registry truth, gracefully degrading to offline on any network error.
+ */
+export declare function scanHallucinatedPackages(root: string, format?: "markdown" | "json", opts?: {
+    online?: boolean;
+}): Promise<string>;
+/**
+ * OFFLINE-only repo scan, for use inside full_audit (never makes a network call →
+ * keeps the audit result hash deterministic). Returns the deterministic finding list.
+ */
+export declare function detectHallucinatedOffline(root: string): HallucinationFinding[];

package/build/tools/scan-hallucinated.js

@@ -0,0 +1,457 @@
+// guardvibe-ignore — defines import-detection regexes; the `import`/`require`/`from`
+// string literals here are detector patterns, not vulnerable code.
+/**
+ * Slopsquat / AI-hallucinated package detector.
+ *
+ * AI coding assistants invent package names: ~20% of AI-generated code references
+ * packages that do not exist (USENIX 2025), and attackers register those hallucinated
+ * names ("slopsquatting"). Commodity SCA (Snyk/Socket/GHAS) scans KNOWN, PUBLISHED
+ * packages against vuln DBs — it is blind to a name that does not exist yet, was never
+ * installed, or was published yesterday to satisfy a hallucinated import. This tool
+ * targets exactly that seam, at code-generation / PR time (shift-left).
+ *
+ * Two tiers:
+ *   OFFLINE (deterministic, no network) — always runs:
+ *     - phantom_import: imported in source but absent from every manifest (classic LLM tell)
+ *     - typosquat / deceptive_prefix: looks like a popular package (reuses detectTyposquat)
+ *   ONLINE (opt-in, gracefully degrades) — adds npm-registry truth:
+ *     - nonexistent: 404 on the registry (definitive hallucination)
+ *     - new_package: published <30d ago with low downloads (easy-day-js/Mastra pattern)
+ *     - deprecated / unmaintained / low_adoption / single_maintainer
+ *
+ * The offline tier is import-statement-anchored and strips comments + template-literal
+ * bodies, so example imports embedded in docs/codegen strings are NOT mistaken for real
+ * dependencies (verified 0 false positives on GuardVibe's own example-heavy source).
+ */
+import { readdirSync, statSync, readFileSync } from "fs";
+import { join, extname, resolve } from "path";
+import { detectTyposquat } from "../utils/typosquat.js";
+import { packageRoot } from "./reachability.js";
+import { assessPackageRisk, fetchRegistryStatus } from "./check-package-health.js";
+import { loadConfig } from "../utils/config.js";
+const SEV_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
+// Static list (not module.builtinModules) so results don't drift across Node versions.
+const NODE_BUILTINS = new Set([
+    "assert", "async_hooks", "buffer", "child_process", "cluster", "console", "constants",
+    "crypto", "dgram", "diagnostics_channel", "dns", "domain", "events", "fs", "http",
+    "http2", "https", "inspector", "module", "net", "os", "path", "perf_hooks", "process",
+    "punycode", "querystring", "readline", "repl", "stream", "string_decoder", "sys",
+    "timers", "tls", "trace_events", "tty", "url", "util", "v8", "vm", "wasi", "worker_threads", "zlib",
+]);
+const CODE_EXT = new Set([".js", ".jsx", ".mjs", ".cjs", ".ts", ".tsx", ".mts", ".cts"]);
+const SKIP_DIR = new Set([
+    "node_modules", ".git", ".next", "dist", "build", "out", "coverage",
+    ".turbo", "vendor", ".vercel", ".cache", ".svelte-kit", ".output", ".nuxt", ".astro",
+]);
+/**
+ * Blank out comments and template-literal (backtick) bodies, preserving newlines and
+ * single/double-quoted strings. Real ES import specifiers are single/double-quoted in
+ * code context and survive; example imports living inside backtick templates or comments
+ * are removed so they are never counted as real dependencies.
+ */
+export function stripCommentsAndTemplates(src) {
+    let out = "";
+    let i = 0;
+    const n = src.length;
+    // state: 0 code, 1 line comment, 2 block comment, 3 template literal
+    let state = 0;
+    while (i < n) {
+        const c = src[i];
+        const d = src[i + 1];
+        if (state === 0) {
+            if (c === "/" && d === "/") {
+                state = 1;
+                out += "  ";
+                i += 2;
+                continue;
+            }
+            if (c === "/" && d === "*") {
+                state = 2;
+                out += "  ";
+                i += 2;
+                continue;
+            }
+            if (c === "`") {
+                state = 3;
+                out += " ";
+                i++;
+                continue;
+            }
+            if (c === "'" || c === '"') {
+                const q = c;
+                out += c;
+                i++;
+                while (i < n) {
+                    const e = src[i];
+                    if (e === "\\") {
+                        out += e + (src[i + 1] ?? "");
+                        i += 2;
+                        continue;
+                    }
+                    out += e;
+                    i++;
+                    if (e === q || e === "\n")
+                        break;
+                }
+                continue;
+            }
+            out += c;
+            i++;
+            continue;
+        }
+        if (state === 1) {
+            if (c === "\n") {
+                state = 0;
+                out += c;
+            }
+            else
+                out += " ";
+            i++;
+            continue;
+        }
+        if (state === 2) {
+            if (c === "*" && d === "/") {
+                state = 0;
+                out += "  ";
+                i += 2;
+                continue;
+            }
+            out += c === "\n" ? "\n" : " ";
+            i++;
+            continue;
+        }
+        // state === 3 (template literal)
+        if (c === "\\") {
+            out += "  ";
+            i += 2;
+            continue;
+        }
+        if (c === "`") {
+            state = 0;
+            out += " ";
+            i++;
+            continue;
+        }
+        out += c === "\n" ? "\n" : " ";
+        i++;
+        continue;
+    }
+    return out;
+}
+// Statement-anchored (^\s*) import detectors — only real import statements, never
+// substrings inside other expressions. Run on comment/template-stripped code.
+const STMT_FROM = /^\s*(?:import|export)\b[^'";]*?\bfrom\s+['"]([^'"]+)['"]/gm;
+const STMT_BARE = /^\s*import\s+['"]([^'"]+)['"]/gm;
+const STMT_DYN = /^\s*(?:await\s+)?import\s*\(\s*['"]([^'"]+)['"]\s*\)/gm;
+const STMT_REQUIRE = /^\s*(?:(?:const|let|var)\s+[^=\n]+=\s*)?require\s*\(\s*['"]([^'"]+)['"]\s*\)/gm;
+/** Is this specifier a path alias (tsconfig paths) rather than a real package? */
+function isPathAlias(spec) {
+    return spec.startsWith("@/") || spec.startsWith("~");
+}
+/** Real npm package roots imported via import/require STATEMENTS in a file's source. */
+export function extractStatementImports(code) {
+    const stripped = stripCommentsAndTemplates(code);
+    const out = new Set();
+    for (const re of [STMT_FROM, STMT_BARE, STMT_DYN, STMT_REQUIRE]) {
+        re.lastIndex = 0;
+        for (const m of stripped.matchAll(re)) {
+            const spec = m[1];
+            if (isPathAlias(spec))
+                continue;
+            const root = packageRoot(spec);
+            if (root && !NODE_BUILTINS.has(root))
+                out.add(root);
+        }
+    }
+    return out;
+}
+/** Walk a source tree and collect every package root imported via a real statement. */
+export function collectStatementImports(root, opts = {}) {
+    const found = new Set();
+    const skip = new Set([...SKIP_DIR, ...(opts.exclude ?? [])]);
+    const maxFiles = opts.maxFiles ?? 20_000;
+    let count = 0;
+    const walk = (dir) => {
+        if (count >= maxFiles)
+            return;
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const e of entries) {
+            if (count >= maxFiles)
+                return;
+            if (skip.has(e))
+                continue;
+            const p = join(dir, e);
+            let st;
+            try {
+                st = statSync(p);
+            }
+            catch {
+                continue;
+            }
+            if (st.isDirectory()) {
+                walk(p);
+                continue;
+            }
+            if (CODE_EXT.has(extname(e).toLowerCase()) && st.size < 1_000_000) {
+                count++;
+                let code;
+                try {
+                    code = readFileSync(p, "utf-8");
+                }
+                catch {
+                    continue;
+                }
+                for (const pkg of extractStatementImports(code))
+                    found.add(pkg);
+            }
+        }
+    };
+    walk(root);
+    return found;
+}
+/** Collect declared dependency names + workspace self-names from every package.json under root. */
+export function collectDeclaredPackages(root, opts = {}) {
+    const declared = new Set();
+    const selfNames = new Set();
+    const skip = new Set([...SKIP_DIR, ...(opts.exclude ?? [])]);
+    const walk = (dir) => {
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const e of entries) {
+            if (skip.has(e))
+                continue;
+            const p = join(dir, e);
+            let st;
+            try {
+                st = statSync(p);
+            }
+            catch {
+                continue;
+            }
+            if (st.isDirectory()) {
+                walk(p);
+                continue;
+            }
+            if (e === "package.json") {
+                let json;
+                try {
+                    json = JSON.parse(readFileSync(p, "utf-8"));
+                }
+                catch {
+                    continue;
+                }
+                for (const section of ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies", "overrides"]) {
+                    for (const name of Object.keys(json[section] ?? {}))
+                        declared.add(name);
+                }
+                if (typeof json.name === "string" && json.name)
+                    selfNames.add(json.name);
+            }
+        }
+    };
+    walk(root);
+    return { declared, selfNames };
+}
+const SIGNAL_FIX = {
+    phantom_import: "This package is imported in source but is not in any package.json. If the import is real, add the dependency; if the AI invented it, remove the import or replace it with the genuine package.",
+    typosquat: "This name closely resembles a popular package — verify it is the one you intend before installing. Use the official name.",
+    deceptive_prefix: "This name uses a deceptive prefix/suffix of a popular package (a known supply-chain attack shape). Use the official package name.",
+    nonexistent: "This package does NOT exist on the npm registry — almost certainly an AI hallucination. Remove the import or replace it with the real package.",
+    new_package: "This package was published very recently and has low adoption — a slopsquat-registration red flag. Verify the publisher and provenance before installing.",
+    low_adoption: "Very low weekly downloads — confirm this is a legitimate, intended dependency.",
+    single_maintainer: "Single maintainer with low adoption — elevated supply-chain risk; review before depending on it.",
+    unmaintained: "Not published in over 2 years — consider a maintained alternative.",
+    deprecated: "Marked deprecated on npm — migrate to the recommended replacement.",
+};
+function ruleIdFor(signals) {
+    if (signals.includes("deceptive_prefix"))
+        return "VG873";
+    return "VG-SLOP";
+}
+function mergeFinding(map, name, signal, severity, tier, similarTo) {
+    const existing = map.get(name);
+    if (existing) {
+        if (!existing.signals.includes(signal))
+            existing.signals.push(signal);
+        if (SEV_RANK[severity] < SEV_RANK[existing.severity])
+            existing.severity = severity;
+        if (tier === "online")
+            existing.tier = "online";
+        if (similarTo && !existing.similarTo)
+            existing.similarTo = similarTo;
+        existing.ruleId = ruleIdFor(existing.signals);
+        existing.fix = SIGNAL_FIX[existing.signals[0]];
+        return;
+    }
+    map.set(name, { name, ecosystem: "npm", signals: [signal], severity, similarTo, tier, ruleId: ruleIdFor([signal]), fix: SIGNAL_FIX[signal] });
+}
+function sortFindings(findings) {
+    return [...findings].sort((a, b) => (SEV_RANK[a.severity] - SEV_RANK[b.severity]) || a.name.localeCompare(b.name));
+}
+/**
+ * OFFLINE / deterministic core. Pure — no network, no filesystem. Unit-testable with
+ * injected sets. Flags phantom imports (imported ∉ declared) and typosquats.
+ */
+export function detectOffline(imported, declared, opts = {}) {
+    const allow = new Set(opts.allow ?? []);
+    const self = opts.selfNames ?? new Set();
+    const map = new Map();
+    // Candidates are IMPORTED names only — what the code actually uses. Running typosquat
+    // over declared-but-unused devtools (e.g. "c8", "@types/node") produces Levenshtein
+    // false positives, so a declared package is only judged when source imports it.
+    for (const name of imported) {
+        if (allow.has(name) || self.has(name))
+            continue;
+        const typo = detectTyposquat(name);
+        if (typo) {
+            const signal = typo.confidence >= 0.9 && /^(?:plain-|real-|original-|safe-|secure-|true-|actual-|verified-|legit-|official-|clean-|pure-|native-|simple-|fast-|super-|ultra-|better-|enhanced-|improved-|modern-|updated-|new-|my-|the-|a-|node-|js-|ts-)/.test(name.toLowerCase())
+                ? "deceptive_prefix" : "typosquat";
+            mergeFinding(map, name, signal, "critical", "offline", typo.similarTo);
+        }
+        // phantom: imported in source, but not declared anywhere (and not a self/workspace pkg)
+        if (imported.has(name) && !declared.has(name)) {
+            mergeFinding(map, name, "phantom_import", "high", "offline");
+        }
+    }
+    return sortFindings([...map.values()]);
+}
+/** Map an assessPackageRisk flag type to a HallucinationSignal (online tier). */
+const FLAG_TO_SIGNAL = {
+    new_package: "new_package",
+    low_adoption: "low_adoption",
+    single_maintainer: "single_maintainer",
+    unmaintained: "unmaintained",
+    deprecated: "deprecated",
+};
+const FLAG_SEVERITY = {
+    phantom_import: "high", typosquat: "critical", deceptive_prefix: "critical",
+    nonexistent: "critical", new_package: "medium", low_adoption: "medium",
+    single_maintainer: "high", unmaintained: "high", deprecated: "high",
+};
+/**
+ * Repo-level orchestrator. Runs the offline tier, then (unless online === false)
+ * enriches with npm-registry truth, gracefully degrading to offline on any network error.
+ */
+export async function scanHallucinatedPackages(root, format = "markdown", opts = {}) {
+    const projectRoot = resolve(root);
+    const config = loadConfig(projectRoot);
+    const exclude = config.scan.exclude;
+    const allow = config.slopscan?.allow ?? [];
+    const online = opts.online ?? config.slopscan?.online ?? true;
+    const imported = collectStatementImports(projectRoot, { exclude });
+    const { declared, selfNames } = collectDeclaredPackages(projectRoot, { exclude });
+    const offline = detectOffline(imported, declared, { allow, selfNames });
+    let networkStatus = "skipped";
+    let findings = offline;
+    let deterministic = true;
+    if (online) {
+        const map = new Map();
+        for (const f of offline)
+            map.set(f.name, { ...f, signals: [...f.signals] });
+        // Query suspicious offline names + every declared/imported external package so we
+        // also catch declared-but-fake (404) and brand-new slopsquat deps (easy-day-js shape).
+        const allowSet = new Set(allow);
+        const queryNames = [...new Set([
+                ...offline.map(f => f.name),
+                ...declared,
+                ...imported,
+            ])].filter(n => !allowSet.has(n) && !selfNames.has(n)).sort();
+        let anyOk = false;
+        for (const name of queryNames) {
+            const r = await fetchRegistryStatus(name);
+            if (!r.ok)
+                continue; // transport error for THIS name — never false-positive as nonexistent
+            anyOk = true;
+            if (!r.data.exists) {
+                mergeFinding(map, name, "nonexistent", "critical", "online");
+                continue;
+            }
+            const risk = assessPackageRisk(name, r.data);
+            for (const flag of risk.flags) {
+                const signal = FLAG_TO_SIGNAL[flag.type];
+                if (!signal)
+                    continue;
+                mergeFinding(map, name, signal, FLAG_SEVERITY[signal], "online");
+            }
+        }
+        if (!anyOk && queryNames.length > 0) {
+            // Total registry outage — could not determine anything online. Degrade to the
+            // deterministic offline result rather than guessing.
+            networkStatus = "unreachable";
+            findings = offline;
+            deterministic = true;
+        }
+        else {
+            // Composition: a phantom/typosquat name that is ALSO brand-new is critical.
+            for (const f of map.values()) {
+                if (f.signals.includes("new_package") && (f.signals.includes("phantom_import") || f.signals.includes("typosquat") || f.signals.includes("deceptive_prefix"))) {
+                    f.severity = "critical";
+                }
+            }
+            networkStatus = "ok";
+            findings = sortFindings([...map.values()]);
+            deterministic = false;
+        }
+    }
+    const result = {
+        schema: "guardvibe.slopscan.v1",
+        root: projectRoot,
+        declaredCount: declared.size,
+        importedCount: imported.size,
+        deterministic,
+        networkStatus,
+        findings,
+    };
+    if (format === "json")
+        return JSON.stringify(result);
+    return renderMarkdown(result);
+}
+function renderMarkdown(r) {
+    const lines = [
+        "# GuardVibe Slopsquat / Hallucinated Package Report",
+        "",
+        `Root: ${r.root}`,
+        `Imported packages: ${r.importedCount} · Declared: ${r.declaredCount}`,
+        `Mode: ${r.networkStatus === "skipped" ? "offline (deterministic)" : r.networkStatus === "unreachable" ? "online requested but registry unreachable — offline results only" : "offline + online (npm registry)"}`,
+        "",
+        "---",
+        "",
+    ];
+    if (r.findings.length === 0) {
+        lines.push("No hallucinated, phantom, or slopsquatted packages detected.");
+        return lines.join("\n");
+    }
+    lines.push(`**${r.findings.length} suspicious package(s):**`, "");
+    for (const f of r.findings) {
+        lines.push(`## ${f.name} — ${f.severity.toUpperCase()} (${f.tier})`, "");
+        lines.push(`- Signals: ${f.signals.join(", ")}`);
+        if (f.similarTo)
+            lines.push(`- Did you mean **${f.similarTo}**?`);
+        lines.push(`- Fix: ${f.fix}`, "", "---", "");
+    }
+    return lines.join("\n");
+}
+/**
+ * OFFLINE-only repo scan, for use inside full_audit (never makes a network call →
+ * keeps the audit result hash deterministic). Returns the deterministic finding list.
+ */
+export function detectHallucinatedOffline(root) {
+    const projectRoot = resolve(root);
+    const config = loadConfig(projectRoot);
+    const exclude = config.scan.exclude;
+    const allow = config.slopscan?.allow ?? [];
+    const imported = collectStatementImports(projectRoot, { exclude });
+    const { declared, selfNames } = collectDeclaredPackages(projectRoot, { exclude });
+    return detectOffline(imported, declared, { allow, selfNames });
+}

package/build/utils/config.d.ts

@@ -41,6 +41,15 @@ export interface GuardVibeConfig {
     scoring?: {
         densityModel?: "linear" | "exponential";
     };
+    /** Slopsquat / hallucinated-package detector (`slopscan`) settings.
+     *  - online: query the npm registry for existence/age/downloads (default true for the
+     *    standalone tool; full_audit always runs offline-only regardless).
+     *  - allow: package names to treat as intentional (e.g. private/unpublished or
+     *    path-aliased imports) so they are never flagged as phantom imports. */
+    slopscan?: {
+        online?: boolean;
+        allow?: string[];
+    };
 }
 export declare function loadConfig(dir?: string): GuardVibeConfig;
 export declare function resetConfigCache(): void;

package/build/utils/config.js

@@ -72,6 +72,10 @@ export function loadConfig(dir) {
             scoring: parsed.scoring && typeof parsed.scoring === "object" ? {
                 densityModel: parsed.scoring.densityModel === "exponential" ? "exponential" : "linear",
             } : undefined,
+            slopscan: parsed.slopscan && typeof parsed.slopscan === "object" ? {
+                online: typeof parsed.slopscan.online === "boolean" ? parsed.slopscan.online : undefined,
+                allow: Array.isArray(parsed.slopscan.allow) ? parsed.slopscan.allow : undefined,
+            } : undefined,
         };
     }
     catch (err) {

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "3.21.0",
+  "version": "3.23.0",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 448 rules, 38 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 76 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
+  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 449 rules, 39 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 76 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",