guardvibe 3.22.0 → 3.23.0

package/CHANGELOG.md CHANGED
@@ -5,6 +5,15 @@ All notable changes to GuardVibe are documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [3.23.0] - 2026-06-19
9
+
10
+ ### Added — MCP/agent unauth endpoint rule + full CORS-credentials coverage from daily intel (448 → 449 rules)
11
+ - **VG1095 — MCP / agent tool-call endpoint without authentication (high).** Flags an HTTP route (`app|router|server|fastify`.`post|all|put|use`) that exposes an MCP `tools/call`, `/mcp`, or agent `run`/`invoke`/`execute` endpoint with no auth token within ~200 chars of the registration. Targets the June-2026 advisory wave: praisonai (unauthenticated HTTP tools/call + AgentOS agent listing/calling), network-ai (empty default secret authorizing every request, CVE-2026-48814/46701), AgenticMail (unauthenticated inbound mail driving a privileged agent session). Skips routes guarded by auth middleware or an in-handler session/token check.
12
+ - **VG1094 extended to full CVE-2026-54290 behavioral coverage.** Now also flags `cors({ origin: '*', credentials: true })` and `cors({ credentials: true })` with no origin key (middleware default reflects), in addition to the existing `origin:true` / reflecting-arrow-function cases. VG973 (wildcard without credentials) narrowed with a negative lookahead so the two are mutually exclusive — no double-firing. Explicit allowlists with credentials are still not flagged.
13
+ - **Already covered (verified against this brief, no action):** axios CVE-2026-44489/44490/44496 (all fixed in 1.16.0 → VG1042∪VG1091 `<1.16.0`), next RSC cluster CVE-2026-44576/44582/44577 (fixed 16.2.5/16.2.6 → VG1047), Hono CVE-2026-54290 version-pin (VG1092), Clerk/Drizzle/js-cookie/postcss/Anthropic-SDK/Vercel-AI-SDK. The brief's execSync command-injection suggestion is already covered by the MCP-handler rule (VG857) + the general command-injection rule.
14
+
15
+ Gate green (build / lint / test / self-audit PASS / A / 0).
16
+
8
17
  ## [3.22.0] - 2026-06-18
9
18
 
10
19
  ### Added — `slopscan`: AI-hallucinated / slopsquat package detector (38 → 39 tools)
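Review bot: the VG1095 bullet says routes "guarded by auth middleware" are skipped, but the rule only recognises a guard that appears within ~200 characters after the route path, so an app that mounts `app.use(requireAuth)` globally earlier in the file, or applies auth on a parent router, will still get a finding. Suggest stating that as a known false-positive class in this entry (for example: "auth applied globally or on a parent router is not detected; add an inline guard or suppress the finding") so users know how to triage it rather than assuming the detector saw their middleware.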
package/README.md CHANGED
@@ -15,7 +15,7 @@
15
15
  - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
16
16
  - **⬅️ NEW: Starts before the first line of code.** Every scanner on earth — including your agent reviewing itself — acts *after* the code exists. [`secure_prompt`](#prompt-level-security-shift-left) acts *before*: it analyzes the coding prompt itself, detects the stack and attack surfaces it implies, and embeds severity-ranked GuardVibe requirements into the prompt your AI executes. The vulnerability is prevented, not caught. Deterministic, zero LLM calls — and if the prompt is already secure, it passes through untouched.
17
17
 
18
- **The security MCP built for vibe coding.** 448 security rules, 39 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
18
+ **The security MCP built for vibe coding.** 449 security rules, 39 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
19
19
 
20
20
  Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
21
21
 
@@ -27,7 +27,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
27
27
 
28
28
  Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
29
29
 
30
- - **448 security rules, 39 tools** purpose-built for the stacks AI agents generate
30
+ - **449 security rules, 39 tools** purpose-built for the stacks AI agents generate
31
31
  - **Zero setup friction** — `npx guardvibe` and you're scanning
32
32
  - **No account required** — runs 100% locally, no API keys, no cloud
33
33
  - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -65,7 +65,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
65
65
  | CVE version detection | 71 packages, refreshed daily | Extensive | Extensive |
66
66
  | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
67
67
  | SARIF CI/CD export | Yes | Yes | Limited |
68
- | Rule count | 448 (focused, 68 AI-native) | 5000+ (broad) | N/A |
68
+ | Rule count | 449 (focused, 68 AI-native) | 5000+ (broad) | N/A |
69
69
 
70
70
  **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
71
71
 
@@ -302,7 +302,7 @@ The offline tier is also a `full_audit` section (online never runs inside the au
302
302
  { "slopscan": { "online": true, "allow": ["@myorg/internal-pkg"] } }
303
303
  ```
304
304
 
305
- ## Security Rules (448 rules across 25 modules)
305
+ ## Security Rules (449 rules across 25 modules)
306
306
 
307
307
  | Category | Rules | Coverage |
308
308
  |----------|-------|----------|
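Review bot: the heading total becomes 449, but no row of the Category / Rules / Coverage table that follows changes anywhere in this diff. Whichever module row counts the AI-native rules should also go up by one, otherwise the per-category rows no longer sum to the heading; worth a quick check that the table and the "25 modules" figure still reconcile.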
@@ -97,6 +97,18 @@ export const aiSecurityRules = [
97
97
  fixCode: '// Use spawn with argument array (no shell interpretation)\nimport { spawn } from "child_process";\nconst allowed = /^[a-zA-Z0-9._-]+$/;\nif (!allowed.test(args.filename)) throw new Error("Invalid filename");\nconst child = spawn("cat", [args.filename], { shell: false });',
98
98
  compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1", "EUAIACT:Art15"],
99
99
  },
100
+ {
101
+ id: "VG1095",
102
+ name: "MCP / Agent Tool-Call Endpoint Without Authentication",
103
+ severity: "high",
104
+ owasp: "A01:2025 Broken Access Control",
105
+ description: "An HTTP route exposes an MCP tools/call endpoint, an /mcp endpoint, or an agent run/invoke/execute endpoint with no authentication guard near the route registration. Exposing tool execution or agent invocation over HTTP without auth lets any caller run server-side tools/agents — the pattern behind the June-2026 advisory wave for praisonai (unauthenticated HTTP tools/call + AgentOS agent listing/calling), network-ai (empty default secret authorizing every request), and AgenticMail (unauthenticated inbound mail driving a privileged agent session). Heuristic: flags `(app|router|server|fastify).(post|all|put|use)` on a tool-call/mcp/agent-exec path when no auth token (auth/verify/session/getAuth/bearer/apiKey/token/middleware/guard/protect) appears within the next ~200 characters. Add an auth check, or — for the MCP SDK — authenticate at the transport layer before registering tools.",
106
+ pattern: /\b(?:app|router|server|fastify)\.(?:post|all|put|use)\s*\(\s*[`'"][^`'"]*(?:tools\/call|tool[-_]call|\/mcp\b|agents?\/[\w:./*-]*(?:run|invoke|execute|call)|(?:run|invoke|execute)[-_]?(?:tool|agent))[^`'"]*[`'"](?![\s\S]{0,200}?\b(?:auth|requireAuth|verify|authenticate|middleware|getAuth|getSession|session|currentUser|requireUser|isAuthenticated|bearer|apiKey|token|protect|guard)\b)/gi,
107
+ languages: ["javascript", "typescript"],
108
+ fix: "Require authentication before exposing tool-call or agent-invocation endpoints. Gate the route with auth middleware or an in-handler session/token check; for MCP over HTTP, authenticate the transport (bearer/API key) before dispatching tools/call.",
109
+ fixCode: '// Gate the MCP tools/call endpoint with auth middleware\nimport { requireAuth } from "./auth";\n\napp.post("/mcp/tools/call", requireAuth, async (req, res) => {\n const session = await getSession(req);\n if (!session) return res.status(401).json({ error: "Unauthorized" });\n // ... dispatch tool call\n});',
110
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.10", "EUAIACT:Art15"],
111
+ },
100
112
  // ── Katman 2: Excessive Agency Detection ───────────────────────────
101
113
  {
102
114
  id: "VG858",
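Review bot: the `fixCode` for VG1095 calls `getSession(req)` but only imports `requireAuth` from "./auth", so the suggested fix does not compile as shown; either import `getSession` alongside `requireAuth` or drop the in-handler check and rely on the middleware alone. Separately, the suppression lookahead wraps every keyword in `\b…\b`, which does not match camelCase compounds: `app.use("/mcp", authMiddleware, mcpRouter)` is flagged because neither `\bauth\b` nor `\bmiddleware\b` matches inside `authMiddleware`, and the same applies to names like `verifyBearer` or `requireAuthToken`. Consider relaxing the trailing boundary (e.g. `(?=[A-Z_\b])`) or matching the keywords as prefixes. In the other direction, `\btoken\b` is broad for a tool-call handler: a comment mentioning a token budget, or a tool argument named `token` forwarded to a downstream API, silently suppresses the finding even though no request is authenticated.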
@@ -214,8 +214,8 @@ export const modernStackRules = [
214
214
  name: "Hono CORS Wildcard",
215
215
  severity: "high",
216
216
  owasp: "A05:2025 Security Misconfiguration",
217
- description: "Hono app uses cors() with wildcard origin, allowing any website to make requests to your API.",
218
- pattern: /cors\s*\(\s*\{[\s\S]{0,200}?origin\s*:\s*['"]\*['"]/g,
217
+ description: "Hono app uses cors() with wildcard origin, allowing any website to make requests to your API. (When combined with credentials:true this is the account-takeover-grade CVE-2026-54290 case — flagged separately by VG1094.)",
218
+ pattern: /cors\s*\(\s*\{(?![\s\S]{0,400}?credentials\s*:\s*true)[\s\S]{0,200}?origin\s*:\s*['"]\*['"]/g,
219
219
  languages: ["javascript", "typescript"],
220
220
  fix: "Set specific allowed origins in Hono CORS configuration.",
221
221
  fixCode: 'import { cors } from "hono/cors";\n\napp.use("/*", cors({\n origin: ["https://myapp.com", "https://staging.myapp.com"],\n}));',
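Review bot: the new negative lookahead `(?![\s\S]{0,400}?credentials\s*:\s*true)` is not bounded by the closing brace of the `cors({ … })` options object, so a `credentials: true` that belongs to a different object within the next 400 characters (a second `cors()` call, a fetch options literal) suppresses VG973 for this wildcard call; because VG1094 uses the same unbounded window as a positive lookahead, that case is then reported as the CVE-grade VG1094 instead. Bounding both windows to the current object (e.g. `[^}]{0,400}?` rather than `[\s\S]{0,400}?`) keeps the mutual-exclusion claim in the changelog accurate.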
@@ -226,10 +226,10 @@ export const modernStackRules = [
226
226
  name: "CORS Origin Reflection With Credentials (CVE-2026-54290)",
227
227
  severity: "high",
228
228
  owasp: "A05:2025 Security Misconfiguration",
229
- description: "cors() is configured with credentials:true AND an origin that reflects the callereither origin:true or an arrow function that returns its origin argument unchanged (origin: (o) => o). This combination echoes any request's Origin back together with Access-Control-Allow-Credentials:true, so any website can make authenticated cross-origin requests on the victim's behalf (account-takeover-grade CSRF). This is the exact misconfiguration that made Hono CVE-2026-54290 exploitable, and it is dangerous on any CORS middleware (Hono, Express). The wildcard literal origin:'*' form is covered separately by VG973; this rule targets the reflected-origin forms that VG973 cannot see.",
230
- pattern: /cors\s*\(\s*\{(?=[\s\S]{0,400}?credentials\s*:\s*true)[\s\S]{0,400}?origin\s*:\s*(?:true\b|\(\s*(\w+)\s*\)\s*=>\s*\1\b)/g,
229
+ description: "cors() is configured with credentials:true together with a reflected or wildcard originorigin:'*', origin:true, an arrow function that returns its origin argument unchanged (origin: (o) => o), OR no origin key at all (the middleware default reflects/wildcards). Any of these echoes an arbitrary request Origin back with Access-Control-Allow-Credentials:true, so any website can make authenticated cross-origin requests on the victim's behalf (account-takeover-grade CSRF). This is exactly the misconfiguration that made Hono CVE-2026-54290 exploitable, and it is dangerous on any CORS middleware (Hono, Express). An explicit origin allowlist (origin: ['https://app.example.com']) with credentials:true is NOT flagged. VG973 covers the wildcard-without-credentials case.",
230
+ pattern: /cors\s*\(\s*\{(?=[\s\S]{0,400}?credentials\s*:\s*true)(?:[\s\S]{0,400}?origin\s*:\s*(?:['"]\*['"]|true\b|\(\s*(\w+)\s*\)\s*=>\s*\1\b)|(?![\s\S]{0,400}?\borigin\s*:)[\s\S]{0,200}?credentials\s*:\s*true)/g,
231
231
  languages: ["javascript", "typescript"],
232
- fix: "Never combine credentials:true with a reflected origin. Pass an explicit allowlist of trusted origins, or validate the incoming origin against an allowlist before returning it.",
232
+ fix: "Never combine credentials:true with a reflected/wildcard origin or an omitted origin. Pass an explicit allowlist of trusted origins, or validate the incoming origin against an allowlist before returning it.",
233
233
  fixCode: 'import { cors } from "hono/cors";\n\nconst ALLOWED = new Set(["https://myapp.com", "https://app.myapp.com"]);\napp.use("/api/*", cors({\n origin: (origin) => (ALLOWED.has(origin) ? origin : null),\n credentials: true,\n}));',
234
234
  compliance: ["SOC2:CC6.1", "SOC2:CC6.6", "PCI-DSS:Req6.2"],
235
235
  },
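Review bot: the reflected-origin branch `\(\s*(\w+)\s*\)\s*=>\s*\1\b` requires parentheses around the parameter, so `origin: o => o` (valid and common in generated code) is missed, as is the block form `(o) => { return o; }`; making the parentheses optional (`\(?\s*(\w+)\s*\)?\s*=>\s*\1\b`) closes the first gap. The "no origin key" branch has the mirror-image problem of the VG973 change: `(?![\s\S]{0,400}?\borigin\s*:)` can see an `origin:` key in a later, unrelated object and wrongly suppress an omitted-origin call, so the same brace-bounded window applies here. Finally, the description text reads "wildcard originorigin:'*'" (and the removed line read "callereither"): if that is the actual source string rather than an artifact of the diff rendering, the separator between the two words was lost and should be restored.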
package/package.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "3.22.0",
3
+ "version": "3.23.0",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
- "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 448 rules, 39 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 76 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
5
+ "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 449 rules, 39 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 76 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
6
6
  "type": "module",
7
7
  "bin": {
8
8
  "guardvibe": "build/cli.js",
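Review bot: the description still says "68 AI-native rules" while this release adds VG1095 to `aiSecurityRules`; bump it to 69 if that array is the counted set (the README's "68 AI-native" cell has the same issue). Since the sentence already names headline AI-native rules (VG1068, VG1063, VG1075), the 3.23.0 headline rule, VG1095 (unauthenticated MCP/agent tool-call endpoint), is the natural addition to that list rather than only bumping the total.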