guardvibe 3.24.0 → 3.26.0

package/CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.26.0] - 2026-06-25
+
+### Improved — AST engine: inter-procedural & nested ownership for BOLA/IDOR (no rule/tool count change: 450 rules / 39 tools)
+- **VG950 (find-by-id BOLA) precision via the AST engine.** The ownership guard now also recognizes two real-world authorization shapes the same-function analysis structurally could not see: (1) an ownership field nested inside a relation filter (`members: { some: { userId } }`, `teams.some.team.members.some.userId`), and (2) an **inter-procedural** check — an authorization helper the function calls *before* the query, passing both a session value and the same id (`isAdminForUser(ctx.user.id, targetId)` → throw, then `findUnique({ where: { id: targetId } })`). The same inter-procedural guard now also applies to VG951 (delete/update BOLA).
+- **Soundness preserved:** only a session/auth-derived ownership value counts — a request-controlled value (`req.body.UserId`) is attacker-chosen and keeps firing. Deterministic (bundled TypeScript parser, no resolution of the scanned project's copy).
+- Corpus delta: 3 confirmed false positives removed, zero true positives lost, zero drift on other rules. 8 new tests.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.25.0] - 2026-06-24
+
+### Fixed — QA hardening pass (no rule/tool count change: 450 rules / 39 tools)
+- **Pre-commit gate now actually blocks.** `scan --staged` (the command the installed pre-commit hook runs) was falling through to a whole-directory scan that always exited 0, so the hook never blocked an insecure commit. It now runs a staged scan and defaults to `--fail-on critical`. The slopsquat/typosquat detector no longer false-flags declared, popular packages (e.g. `cors`, `chai`, `sinon`) or first-party source dirs as hallucinated, and `--format` now errors on an unsupported (command, format) combo instead of silently emitting markdown (so `check --format sarif` produces real SARIF).
+- **Robustness & accuracy:** `diff` / changed-files scans auto-detect the base branch (origin/HEAD → main → master → HEAD~1 → HEAD) instead of assuming `main`, with a clear "not a git repository" vs "ref not found" distinction; `check_dependencies` gained `format: json`; `secure_this` returns clean rule IDs; the edit hook no longer depends on `jq`; `guardvibe-scan --help`/`--version` and a non-zero exit on an unknown `explain <rule>` now work.
+- **Docs:** corrected the CVE-rule count, the per-category rule table (now sums to the real total), and the dependency description; added consistency guards so those counts cannot silently drift again. +20 regression tests.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.24.0] - 2026-06-23
 
 ### Added — 1 rule from daily intel: Clerk 4.x auth() IDOR version-pin (449 → 450 rules)

package/README.md

@@ -9,7 +9,7 @@
 > **Security infrastructure your AI can't be.**
 > No matter how good your coding agent gets, it can't know the CVE published after its training cutoff, it can't deterministically guarantee the same check every run, it can't hold your whole repo in context, and it can't objectively review its own code. GuardVibe does all four — the deterministic, post-cutoff-current, whole-repo, author-independent verification layer for AI-written code.
 
-- **🗓️ Knows what your AI doesn't.** CVE rules refreshed **daily** from GHSA / OSV.dev / CISA KEV — GuardVibe flags vulnerable dependencies published *after* your model's training cutoff. (71 CVE rules, `npm run intel` daily triage.)
+- **🗓️ Knows what your AI doesn't.** CVE rules refreshed **daily** from GHSA / OSV.dev / CISA KEV — GuardVibe flags vulnerable dependencies published *after* your model's training cutoff. (77 CVE rules, `npm run intel` daily triage.)
 - **🎯 Deterministic, not probabilistic.** Same code = same result, every run (content-hashed). Your AI guesses; GuardVibe doesn't.
 - **🗺️ Sees the whole repo.** Cross-file taint + auth-coverage across every route — catches the unprotected endpoint your agent's narrow context missed.
 - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
@@ -31,7 +31,7 @@ Most security tools are built for enterprise security teams. GuardVibe is built
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
-- **CVE version intelligence** — detects 71 known vulnerable package versions in package.json, refreshed every day from GHSA / OSV.dev / CISA KEV
+- **CVE version intelligence** — detects 77 known vulnerable package versions in package.json, refreshed every day from GHSA / OSV.dev / CISA KEV
 - **AI agent & MCP security** — detects MCP server vulnerabilities, tool-description prompt injection (OWASP MCP Top 10), model-controlled sandbox-disable flags, excessive AI permissions, indirect prompt injection
 - **Auto-fix suggestions** — `fix_code` tool returns concrete patches and structured edits the AI agent can apply mechanically. Coverage: hardcoded credentials → env-var migration; public-prefix LLM keys (`NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_/REACT_APP_`) → prefix removal; CORS wildcards → env allowlist; `dangerouslyAllowBrowser` flags → drop; sandbox bypass flags (`unsafe`/`noSandbox`/`allowEval`) → drop; agent loops → add `maxSteps`; raw-HTML React props → `<ReactMarkdown>`; missing auth checks → insert auth guard; SQL injection → parameterized queries; missing rate limiters / CSRF / security headers → snippet templates.
 - **Pre-commit hook** — block insecure code before it reaches your repo
@@ -62,7 +62,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | AI/LLM security (prompt injection, MCP, tool abuse) | 68 rules | Experimental/None | None |
 | AI host security (CVE-2025-59536, CVE-2026-21852) | `guardvibe doctor` | Not supported | Not supported |
 | Auto-fix suggestions for AI agents | `fix_code` tool | CLI autofix | Not supported |
-| CVE version detection | 71 packages, refreshed daily | Extensive | Extensive |
+| CVE version detection | 77 packages, refreshed daily | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
 | Rule count | 450 (focused, 68 AI-native) | 5000+ (broad) | N/A |
@@ -190,7 +190,7 @@ React Native, Expo — AsyncStorage secrets, deep link token exposure, hardcoded
 ### Firebase
 Firestore security rules, Firebase Admin SDK exposure, storage rules, custom token validation
 
-### CVE Version Intelligence (71 CVEs, refreshed daily)
+### CVE Version Intelligence (77 CVEs, refreshed daily)
 **Frameworks:** Next.js (CVE-2024-34351, CVE-2024-46982, CVE-2025-29927, CVE-2026-23869, CVE-2026-44573 / 44574 / 44575 / 44578 / 44579 / 45109 May 2026 cluster), React + react-server-dom-* (CVE-2025-55182, CVE-2026-23870), Express, Hono pre-4.12.18 cluster, @vitejs/plugin-rsc, Strapi content-type-builder (CVE-2026-22599)
 **Auth:** Clerk middleware bypass (GHSA-vqx2), Clerk `has()` org/billing/reverification bypass (GHSA-w24r), Clerk `clerkFrontendApiProxy` SSRF (CVE-2026-34076), NextAuth.js (2 CVEs), jsonwebtoken
 **ORMs / SQL:** Drizzle SQL identifier injection (CVE-2026-39356) + Drizzle `sql.raw` interpolation (VG1073), MikroORM SQL injection (CVE-2026-44680), Prisma raw-query call-form, Kysely JSON-path traversal (CVE-2026-44635)
@@ -306,30 +306,30 @@ The offline tier is also a `full_audit` section (online never runs inside the au
 
 | Category | Rules | Coverage |
 |----------|-------|----------|
-| Core OWASP | 38 | SQL injection, XSS, CSRF, command injection, CORS, SSRF, hardcoded secrets |
-| Next.js App Router | 17 | Server Actions, secret exposure, auth bypass, CSP, redirects |
-| Auth (Clerk / Auth.js / Supabase Auth) | 16 | Middleware, secret keys, session storage, role checks, SSR cookies |
-| Database (Supabase / Prisma / Drizzle) | 12 | Raw queries, client exposure, service role leaks, NoSQL injection, Drizzle identifier injection (CVE-2026-39356) |
-| OWASP API Security | 10 | BOLA/IDOR, mass assignment, pagination, rate limiting, error leaks |
-| Modern Stack | 40 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK, React Server Action validation (React2Shell) |
+| Core OWASP | 39 | SQL injection, XSS, CSRF, command injection, CORS, SSRF, hardcoded secrets |
+| Next.js App Router | 18 | Server Actions, secret exposure, auth bypass, CSP, redirects |
+| Auth (Clerk / Auth.js / Supabase Auth) | 17 | Middleware, secret keys, session storage, role checks, SSR cookies |
+| Database (Supabase / Prisma / Drizzle) | 13 | Raw queries, client exposure, service role leaks, NoSQL injection, Drizzle identifier injection (CVE-2026-39356) |
+| OWASP API Security | 11 | BOLA/IDOR, mass assignment, pagination, rate limiting, error leaks |
+| Modern Stack | 47 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK, React Server Action validation (React2Shell) |
 | Deployment Config | 21 | Vercel, Next.js config, Docker Compose, Fly, Render, Netlify, Cloudflare, K8s secrets |
 | Payments (Stripe / Polar / Lemon) | 9 | Webhook signatures, key exposure, price manipulation |
 | Services (Resend / Upstash / Pinecone / PostHog) | 11 | API key leaks, PII tracking, email injection |
-| Web Security | 15 | Webhooks, CSP, .env safety, AI key exposure, cookie handling |
+| Web Security | 20 | Webhooks, CSP, .env safety, AI key exposure, cookie handling |
 | React Native / Expo | 10 | AsyncStorage secrets, deep links, ATS, hardcoded URLs |
 | Firebase | 7 | Firestore rules, admin SDK, storage, custom tokens |
-| AI / LLM Security | 16 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
-| **AI Host Security** | **10** | **CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit** |
-| **AI Tool Runtime** | **4** | **MCP tool output sanitization, obfuscated descriptions, safety bypass** |
-| CVE Version Intelligence | 31 | Known vulnerable versions in package.json — incl. Vite dev-server cmd injection (CVE-2024-52011), React Router 7 cluster (CVE-2026-33245/42211/42342), DOMPurify XSS (CVE-2026-47423), Better Auth bypass (CVE-2026-45337), Axios supply-chain backdoor |
+| AI / LLM Security | 33 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
+| **AI Host Security** | **14** | **CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit** |
+| **AI Tool Runtime** | **14** | **MCP tool output sanitization, obfuscated descriptions, safety bypass** |
+| CVE Version Intelligence | 75 | Known vulnerable versions in package.json — incl. Vite dev-server cmd injection (CVE-2024-52011), React Router 7 cluster (CVE-2026-33245/42211/42342), DOMPurify XSS (CVE-2026-47423), Better Auth bypass (CVE-2026-45337), Axios supply-chain backdoor |
 | Shell / Bash | 5 | Pipe to bash, chmod 777, rm -rf, sudo password |
 | SQL | 4 | DROP/DELETE without WHERE, stacked queries, GRANT ALL |
-| Supply Chain | 16 | Malicious install scripts, lockfile integrity, dependency confusion, typosquat detection |
+| Supply Chain | 19 | Malicious install scripts, lockfile integrity, dependency confusion, typosquat detection |
 | Go | 6 | SQL injection, command injection, template escaping |
 | Dockerfile | 7 | Root user, secrets in ENV, untagged images, non-root user |
-| CI/CD (GitHub Actions) | 7 | Secrets interpolation, unpinned actions, write-all permissions |
+| CI/CD (GitHub Actions) | 8 | Secrets interpolation, unpinned actions, write-all permissions |
 | Terraform | 6 | Public S3, open security groups, IAM wildcards |
-| Advanced Security | 21 | ReDoS, CRLF injection, race conditions, XXE, brute force, audit logging |
+| Advanced Security | 31 | ReDoS, CRLF injection, race conditions, XXE, brute force, audit logging |
 | Other Services | 5 | AWS, GCP, MongoDB, Convex, Sentry, Twilio |
 
 ## CLI Commands
@@ -376,12 +376,16 @@ npx guardvibe ci github              # Generate GitHub Actions workflow
 npx guardvibe-scan                   # Scan staged files (for pre-commit)
 npx guardvibe-scan --format sarif --output results.sarif  # CI mode
 
-# Options (all scan commands)
-#   --format markdown|json|sarif|buddy|agent
+# Options (scan commands)
+#   --format <type>     scan / diff: markdown|json|sarif
+#                       check:       markdown|json|sarif|buddy|agent
 #       agent = guardvibe.agent.v1 — per finding: { id, severity, confidence, exactEdit, manualFix, verify }
 #       so an AI agent can apply the exact edit and run the verify step to prove the fix
+#       (an unsupported format errors rather than silently falling back to markdown)
 #   --output <file>     Write results to file
-#   --fail-on <level>   Exit 1 on findings: critical|high|medium|low|none
+#   --fail-on <level>   critical|high|medium|low|none — exit 1 when a finding at/above this level exists
+#       check, audit, and the pre-commit gate (guardvibe-scan / scan --staged) gate on
+#       critical by DEFAULT; scan and diff are reports (exit 0) unless --fail-on is passed
 #   --full              Bypass response-size caps (50 JSON / 30 markdown / 200-file taint)
 ```
 
@@ -630,7 +634,7 @@ GuardVibe takes supply chain security seriously:
 - **Branch protection** — force push disabled on main, admin enforcement enabled
 - **Tag protection** — version tags (`v*`) cannot be deleted or force-pushed
 - **Minimal CI permissions** — GitHub Actions workflows use `permissions: contents: read` only
-- **Minimal, fully-audited runtime dependencies** — only the MCP SDK, Zod, and the TypeScript compiler (used for AST-based dataflow analysis). All three are widely-audited, zero-sub-dependency packages — no native bindings, no obscure transitive deps
+- **Minimal, fully-audited runtime dependencies** — only three direct dependencies: the MCP SDK, Zod, and the TypeScript compiler (used for AST-based dataflow analysis). Zod and TypeScript are zero-sub-dependency, pure-JS packages. The MCP SDK pulls a small set of widely-used, audited transitive packages (e.g. `express`, `cors`, `ajv`) for its optional HTTP transport — GuardVibe itself runs over stdio. No native bindings anywhere in the tree, and all code analysis runs 100% locally and offline
 
 To report a vulnerability, please email info@goklab.com or open a GitHub issue.
 

package/build/cli/args.d.ts

@@ -2,7 +2,7 @@
  * CLI argument parsing utilities
  */
 export declare function getStringFlag(flags: Record<string, string | true>, key: string): string | null;
-export declare function validateFormat(flags: Record<string, string | true>): string;
+export declare function validateFormat(flags: Record<string, string | true>, supported?: string[]): string;
 export declare function getOutputPath(flags: Record<string, string | true>): string | null;
 export declare function parseArgs(args: string[]): {
     flags: Record<string, string | true>;

package/build/cli/args.js

@@ -8,10 +8,17 @@ export function getStringFlag(flags, key) {
         return null;
     return val;
 }
-export function validateFormat(flags) {
+export function validateFormat(flags, supported) {
     const format = getStringFlag(flags, "format") ?? "markdown";
     if (!VALID_FORMATS.has(format)) {
-        console.error(`  [ERR] Invalid format "${format}". Use: markdown, json, sarif, or buddy`);
+        console.error(`  [ERR] Invalid format "${format}". Use: markdown, json, sarif, buddy, or agent`);
+        process.exit(1);
+    }
+    // Command-aware: a format may be globally valid but unsupported by THIS command.
+    // Error explicitly rather than silently degrading to markdown (which produced
+    // wrong output, e.g. `check --format sarif` writing markdown to a .sarif file).
+    if (supported && !supported.includes(format)) {
+        console.error(`  [ERR] Format "${format}" is not supported by this command. Supported: ${supported.join(", ")}.`);
         process.exit(1);
     }
     return format;

package/build/cli/explain.js

@@ -14,4 +14,15 @@ export async function runExplain(args) {
     const format = (flags.format === "json" ? "json" : "markdown");
     const result = explainRemediation(ruleId, undefined, format);
     console.log(result);
+    // Unknown rule id is an error, not a successful lookup — exit 1 so scripts can tell.
+    const notFound = format === "json"
+        ? (() => { try {
+            return Boolean(JSON.parse(result).error);
+        }
+        catch {
+            return false;
+        } })()
+        : /^Rule .* not found\.?$/.test(result.trim());
+    if (notFound)
+        process.exit(1);
 }

package/build/cli/init.js

@@ -99,7 +99,11 @@ function addToGitignore(entries) {
     const missing = entries.filter(e => !content.split("\n").some(line => line.trim() === e));
     if (missing.length === 0)
         return;
-    const block = `\n# GuardVibe (auto-added by guardvibe init)\n${missing.join("\n")}\n`;
+    // Only write the header comment once — `init all` runs this per platform, so a
+    // repeated header would otherwise stack up (3×) in the same .gitignore.
+    const header = "# GuardVibe (auto-added by guardvibe init)";
+    const hasHeader = content.split("\n").some(line => line.trim() === header);
+    const block = hasHeader ? `\n${missing.join("\n")}\n` : `\n${header}\n${missing.join("\n")}\n`;
     writeFileSync(gitignorePath, content.trimEnd() + block, "utf-8");
     console.log(`  [OK] Added ${missing.join(", ")} to .gitignore`);
 }
@@ -111,7 +115,10 @@ function setupClaudeGuide() {
     const existingSettings = readJsonFile(claudeSettingsPath) || {};
     if (!existingSettings.hooks)
         existingSettings.hooks = {};
-    const hookCommand = `jq -r '.tool_input.file_path' | xargs npx -y guardvibe@${pkg.version} check --format buddy 2>/dev/null || true`;
+    // Extract the edited file path with node (always present — no `jq` dependency, which
+    // when absent made the hook a silent no-op) and pass it as an argv (no shell injection
+    // via filename). Errors are swallowed so a post-edit scan never blocks editing.
+    const hookCommand = `node -e "const fs=require('fs');let s='';try{s=fs.readFileSync(0,'utf8')}catch(e){}try{const p=(JSON.parse(s).tool_input||{}).file_path;if(p)require('child_process').execFileSync('npx',['-y','guardvibe@${pkg.version}','check',p,'--format','buddy'],{stdio:'inherit'})}catch(e){}" 2>/dev/null || true`;
     if (!existingSettings.hooks.PostToolUse) {
         existingSettings.hooks.PostToolUse = [
             {
@@ -126,7 +133,7 @@ function setupClaudeGuide() {
         // and in lock-step with the pinned MCP server.
         for (const entry of existingSettings.hooks.PostToolUse) {
             for (const h of entry?.hooks ?? []) {
-                if (typeof h.command === "string" && /npx\s+-y\s+guardvibe@[^\s]+\s+check/.test(h.command)) {
+                if (typeof h.command === "string" && /guardvibe@[^\s'"]+/.test(h.command) && /\bcheck\b/.test(h.command)) {
                     h.command = hookCommand;
                 }
             }

package/build/cli/scan.d.ts

@@ -2,9 +2,17 @@
  * CLI: guardvibe scan [path], guardvibe diff [base], guardvibe check <file>
  * Also: guardvibe-scan (pre-commit hook / CI entry point)
  */
+/**
+ * Pre-commit / staged-files scan. Used by the `guardvibe-scan` bin AND by
+ * `guardvibe scan --staged` (the generated pre-commit hook calls the latter). This is a
+ * GATE: it defaults to `--fail-on critical` so a non-zero exit actually blocks the commit
+ * — previously `scan --staged` fell through to a whole-directory scan that exited 0,
+ * so the hook never blocked anything.
+ */
+export declare function runStagedScan(flags: Record<string, string | true>): Promise<void>;
 export declare function runScan(): Promise<void>;
 export declare function runDirectoryScan(targetPath: string, flags: Record<string, string | true>): Promise<void>;
-export declare function runDiffScan(base: string, flags: Record<string, string | true>): Promise<void>;
+export declare function runDiffScan(requestedBase: string | undefined, flags: Record<string, string | true>): Promise<void>;
 export declare function runFileCheck(filePath: string, flags: Record<string, string | true>): Promise<void>;
 export declare function handleScanCommand(args: string[]): Promise<void>;
 export declare function handleDiffCommand(args: string[]): Promise<void>;

package/build/cli/scan.js

@@ -14,10 +14,15 @@ function safeWriteOutput(outputFile, result) {
     writeFileSync(outputFile, result, "utf-8");
     console.log(`  [OK] Results written to ${outputFile}`);
 }
-export async function runScan() {
-    const args = process.argv.slice(2);
-    const { flags } = parseArgs(args);
-    const format = validateFormat(flags);
+/**
+ * Pre-commit / staged-files scan. Used by the `guardvibe-scan` bin AND by
+ * `guardvibe scan --staged` (the generated pre-commit hook calls the latter). This is a
+ * GATE: it defaults to `--fail-on critical` so a non-zero exit actually blocks the commit
+ * — previously `scan --staged` fell through to a whole-directory scan that exited 0,
+ * so the hook never blocked anything.
+ */
+export async function runStagedScan(flags) {
+    const format = validateFormat(flags, ["markdown", "json", "sarif"]);
     const outputFile = getOutputPath(flags);
     let result;
     if (format === "sarif") {
@@ -34,15 +39,20 @@ export async function runScan() {
     else {
         console.log(result);
     }
-    if (format !== "sarif" && flags["fail-on"]) {
+    // Default to gating on critical — this path is a commit/CI gate, not a report.
+    if (format !== "sarif") {
         const failOn = getStringFlag(flags, "fail-on") ?? "critical";
         if (shouldFail(result, failOn))
             process.exit(1);
     }
 }
+export async function runScan() {
+    const { flags } = parseArgs(process.argv.slice(2));
+    await runStagedScan(flags);
+}
 export async function runDirectoryScan(targetPath, flags) {
     const { scanDirectory } = await import("../tools/scan-directory.js");
-    const format = validateFormat(flags);
+    const format = validateFormat(flags, ["markdown", "json", "sarif"]);
     const outputFile = getOutputPath(flags);
     const baselinePath = getStringFlag(flags, "baseline");
     const saveBaseline = flags["save-baseline"] === true || typeof flags["save-baseline"] === "string";
@@ -68,20 +78,30 @@ export async function runDirectoryScan(targetPath, flags) {
             : join(scanPath, ".guardvibe-baseline.json");
         safeWriteOutput(baselineFile, result);
     }
+    // `scan <dir>` is a report; it gates only when --fail-on is explicitly requested
+    // (the pre-commit gate is `scan --staged`, which gates by default).
     if (format !== "sarif" && flags["fail-on"]) {
         const failOn = getStringFlag(flags, "fail-on") ?? "critical";
         if (shouldFail(result, failOn))
             process.exit(1);
     }
 }
-export async function runDiffScan(base, flags) {
+export async function runDiffScan(requestedBase, flags) {
     const { execFileSync } = await import("child_process");
     const { analyzeFileSecurity } = await import("../tools/file-security.js");
     const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("../utils/constants.js");
-    const { getAddedLinesForDiff, filterToAddedLines } = await import("../tools/diff-aware.js");
-    const format = validateFormat(flags);
+    const { getAddedLinesForDiff, filterToAddedLines, resolveGitBase } = await import("../tools/diff-aware.js");
+    const format = validateFormat(flags, ["markdown", "json"]);
     const outputFile = getOutputPath(flags);
     const root = resolve(".");
+    // Resolve a usable base: honor an explicit ref (error if it's a typo), otherwise
+    // auto-detect (origin/HEAD → main → master → HEAD~1 → HEAD) instead of assuming `main`.
+    const resolved = resolveGitBase(root, requestedBase, { strict: requestedBase !== undefined });
+    if (!resolved.ok) {
+        console.error(`  [ERR] ${resolved.error}`);
+        process.exit(1);
+    }
+    const base = resolved.base;
     // Diff-aware by default: report only issues on newly-added lines. --all-lines
     // restores the old whole-changed-file behavior (surfaces pre-existing debt too).
     const allLines = flags["all-lines"] === true;
@@ -91,7 +111,7 @@ export async function runDiffScan(base, flags) {
         changedFiles = output.trim().split("\n").filter(Boolean);
     }
     catch {
-        console.error("  [ERR] Failed to get git diff. Ensure you're in a git repository.");
+        console.error(`  [ERR] git diff against "${base}" failed.`);
         process.exit(1);
     }
     if (changedFiles.length === 0) {
@@ -205,10 +225,16 @@ export async function runFileCheck(filePath, flags) {
         console.error(`  [ERR] Unsupported file type: ${ext}`);
         process.exit(1);
     }
-    const format = validateFormat(flags);
+    const format = validateFormat(flags, ["markdown", "json", "sarif", "buddy", "agent"]);
     const findings = analyzeFileSecurity(content, language, undefined, resolved, undefined);
     let result;
-    if (format === "agent") {
+    if (format === "sarif") {
+        // SARIF for a single file (CI upload of one path) — was previously a silent
+        // markdown fallback, which corrupted `--output results.sarif`.
+        const { exportSarif } = await import("../tools/export-sarif.js");
+        result = exportSarif(resolved);
+    }
+    else if (format === "agent") {
         // Agent-native contract: finding + exact-edit + confidence + verify step.
         const { buildAgentReport } = await import("../tools/agent-output.js");
         result = JSON.stringify(buildAgentReport(findings, content, language, resolved));
@@ -231,6 +257,12 @@ export async function runFileCheck(filePath, flags) {
 }
 export async function handleScanCommand(args) {
     const { flags, positional } = parseArgs(args);
+    // `scan --staged` is the pre-commit gate (the installed hook calls it). It must run
+    // the staged-files scan, not silently fall through to a whole-directory scan.
+    if (flags["staged"]) {
+        await runStagedScan(flags);
+        return;
+    }
     const targetPath = positional[0] ?? ".";
     if (targetPath !== "." && existsSync(targetPath) && !statSync(targetPath).isDirectory()) {
         console.log(`  [INFO] "${targetPath}" is a file. Running: guardvibe check ${targetPath}\n`);
@@ -242,8 +274,7 @@ export async function handleScanCommand(args) {
 }
 export async function handleDiffCommand(args) {
     const { flags, positional } = parseArgs(args);
-    const base = positional[0] ?? "main";
-    await runDiffScan(base, flags);
+    await runDiffScan(positional[0], flags);
 }
 export async function handleCheckCommand(args) {
     const { flags, positional } = parseArgs(args);

package/build/cli.js

@@ -10,8 +10,17 @@ checkForUpdate(pkg.version);
 const SCAN_SCRIPT_DETECTED = process.argv[1]?.endsWith("guardvibe-scan") ||
     process.argv[1]?.endsWith("guardvibe-scan.js");
 if (SCAN_SCRIPT_DETECTED) {
-    const { runScan } = await import("./cli/scan.js");
-    await runScan();
+    const scanArgs = process.argv.slice(2);
+    if (scanArgs.includes("--version") || scanArgs.includes("-V")) {
+        console.log(pkg.version);
+    }
+    else if (scanArgs.includes("--help") || scanArgs.includes("-h")) {
+        printUsage();
+    }
+    else {
+        const { runScan } = await import("./cli/scan.js");
+        await runScan();
+    }
 }
 else {
     await main();

package/build/index.js

@@ -154,9 +154,10 @@ server.tool("check_dependencies", "Check npm, PyPI, or Go packages for known sec
         }
         return val;
     }, z.array(packageSchema)).describe("List of packages to check: [{name, version, ecosystem}]"),
-}, async ({ packages }) => {
+    format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
+}, async ({ packages, format }) => {
     try {
-        const results = await checkDependencies(packages);
+        const results = await checkDependencies(packages, format);
         return { content: [{ type: "text", text: results }] };
     }
     catch (err) {
@@ -592,15 +593,22 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
     const { readFileSync, existsSync } = await import("fs");
     const { resolve, extname, basename } = await import("path");
     const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("./utils/constants.js");
-    const { getAddedLinesForDiff, filterToAddedLines } = await import("./tools/diff-aware.js");
+    const { getAddedLinesForDiff, filterToAddedLines, resolveGitBase } = await import("./tools/diff-aware.js");
     const root = resolve(repoPath);
+    // Resolve the base: fall back from the default ref (origin/HEAD → main → master →
+    // HEAD~1 → HEAD) so single-commit / master-named repos work; precise error otherwise.
+    const resolution = resolveGitBase(root, base, { strict: false });
+    if (!resolution.ok) {
+        return { content: [{ type: "text", text: format === "json" ? JSON.stringify({ error: resolution.error }) : `Error: ${resolution.error}` }] };
+    }
+    const effectiveBase = resolution.base;
     let changedFiles;
     try {
-        const output = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACMR", base], { cwd: root, encoding: "utf-8" });
+        const output = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACMR", effectiveBase], { cwd: root, encoding: "utf-8" });
         changedFiles = output.trim().split("\n").filter(Boolean);
     }
     catch {
-        return { content: [{ type: "text", text: format === "json" ? JSON.stringify({ error: "Failed to get git diff" }) : "Error: Failed to get git diff. Ensure you're in a git repository." }] };
+        return { content: [{ type: "text", text: format === "json" ? JSON.stringify({ error: `git diff against ${effectiveBase} failed` }) : `Error: git diff against ${effectiveBase} failed.` }] };
     }
     if (changedFiles.length === 0) {
         const empty = format === "json"
@@ -627,7 +635,7 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
             const content = readFileSync(fullPath, "utf-8");
             let findings = analyzeFileSecurity(content, language, undefined, fullPath, root, rules);
             if (diff_aware) {
-                const added = getAddedLinesForDiff(base, relPath, root);
+                const added = getAddedLinesForDiff(effectiveBase, relPath, root);
                 const kept = filterToAddedLines(findings, added);
                 preExistingHidden += findings.length - kept.length;
                 findings = kept;

package/build/tools/ast-engine.js

@@ -150,6 +150,96 @@ const OWNERSHIP_FIELDS = new Set([
 // A comparison of a fetched resource's ownership field, on a line that also references a session/user.
 const OWNERSHIP_COMPARE = /\.\s*(?:userId|ownerId|authorId|createdById|teamId|workspaceId|orgId|organizationId|tenantId|memberId|accountId|projectId)\b\s*(?:===|!==|==|!=)/i;
 const SESSION_REF = /\b(?:session|ctx|auth|currentUser|viewer|member|account|workspace|team|org|self|me|user)\b/i;
+// A value text that is directly request/route-controlled is attacker-chosen, so an
+// ownership field scoped to it (`UserId: req.body.UserId`, `workspaceId: params.x`)
+// is NOT a real guard — the request can name any owner. Only session/auth-derived
+// values count. (Mirrors the existing top-level `params|searchParams` exclusion,
+// extended to req/request so juice-shop's `req.body.UserId` scoping keeps firing.)
+const REQUEST_CONTROLLED = /\b(?:req|request|params|searchParams)\b/;
+/**
+ * Recursively scan a `where` object literal for an ownership field (at any nesting
+ * depth, e.g. `members: { some: { userId: ... } }`) whose value is session-derived
+ * (not request-controlled). The line/regex engine and the prior top-level-only scan
+ * miss ownership nested inside relation filters.
+ */
+function whereHasNestedOwnership(ts, sf, obj) {
+    for (const prop of obj.properties) {
+        const nm = prop.name && ts.isIdentifier(prop.name) ? prop.name.text : undefined;
+        if (ts.isPropertyAssignment(prop)) {
+            if (nm && OWNERSHIP_FIELDS.has(nm)) {
+                const valText = prop.initializer.getText(sf);
+                if (!REQUEST_CONTROLLED.test(valText))
+                    return true;
+            }
+            if (ts.isObjectLiteralExpression(prop.initializer) && whereHasNestedOwnership(ts, sf, prop.initializer))
+                return true;
+        }
+        else if (ts.isShorthandPropertyAssignment(prop) && nm && OWNERSHIP_FIELDS.has(nm)) {
+            // `where: { userId }` — the bound variable carries the ownership scope.
+            return true;
+        }
+    }
+    return false;
+}
+// An authz/ownership-check helper: an action verb + an authz noun (isAdminForUser,
+// assertOwnership, checkAccess, requirePermission, ensureMemberRole…) or a bare
+// authorize/authorise. Names like formatId/getUserById deliberately do NOT match.
+const AUTHZ_HELPER = /^(?:authoris|authoriz)e|^(?:is|assert|ensure|require|check|verify|can|has|validate|guard|protect|enforce)[A-Za-z]*(?:owner|admin|member|access|permission|auth|allowed|belongs|role)/i;
+/** The text of the `where.id` value (or the call's first-arg id) the call is keyed by. */
+function findKeyedIdText(ts, sf, call) {
+    const arg0 = call.arguments[0];
+    if (arg0 && ts.isObjectLiteralExpression(arg0)) {
+        const whereProp = arg0.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "where");
+        const whereObj = whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)
+            ? whereProp.initializer : arg0;
+        const idProp = whereObj.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "id");
+        if (idProp && ts.isPropertyAssignment(idProp))
+            return idProp.initializer.getText(sf);
+    }
+    return undefined;
+}
+/**
+ * Inter-procedural ownership guard: the enclosing function calls an authz-named
+ * helper BEFORE the find/mutation, passing both a session value and the same id the
+ * query is keyed by (`isAdminForUser(ctx.user.id, input.forUserId)` → throw, then
+ * `findUnique({ where: { id: input.forUserId } })`). This is the case VG950/VG951's
+ * same-function analysis structurally can't see. Conservative on every axis (authz
+ * name + session ref + exact id-sharing + textually-before) so an unrelated guard
+ * can't hide a real BOLA.
+ */
+function hasInterProceduralOwnershipGuard(ts, sf, target) {
+    const idText = findKeyedIdText(ts, sf, target);
+    // Require a specific id expression (a member access or a sufficiently long name);
+    // a bare `id` is too generic to match a helper argument soundly.
+    if (!idText || (!idText.includes(".") && idText.length < 5))
+        return false;
+    let fn = target;
+    while (fn && !(ts.isFunctionDeclaration(fn) || ts.isFunctionExpression(fn) || ts.isArrowFunction(fn) || ts.isMethodDeclaration(fn))) {
+        fn = fn.parent;
+    }
+    if (!fn)
+        return false;
+    const targetStart = target.getStart(sf);
+    let guarded = false;
+    const visit = (node) => {
+        if (guarded)
+            return;
+        if (ts.isCallExpression(node) && node !== target && node.getStart(sf) < targetStart) {
+            const callee = node.expression;
+            const method = ts.isPropertyAccessExpression(callee) ? callee.name.text
+                : ts.isIdentifier(callee) ? callee.text : undefined;
+            if (method && AUTHZ_HELPER.test(method)) {
+                const argsText = node.arguments.map(a => a.getText(sf)).join(", ");
+                if (SESSION_REF.test(argsText) && argsText.includes(idText))
+                    guarded = true;
+            }
+        }
+        if (!guarded)
+            ts.forEachChild(node, visit);
+    };
+    visit(fn);
+    return guarded;
+}
 /** The first CallExpression near `line` whose last-identifier method is in `methods`. */
 function callNearLine(ts, sf, line, methods) {
     let target;
@@ -212,23 +302,22 @@ export function bolaOwnershipGuarded(code, filePath, line) {
     const target = callNearLine(ts, sf, line, FIND_METHODS);
     if (!target)
         return false;
-    // (1) ownership field in the WHERE clause with a non-param value.
+    // (1) ownership field in the WHERE clause with a non-param value — now scanned
+    // recursively so ownership nested inside a relation filter (`members.some.userId`)
+    // counts too, with a session-derived (not request-controlled) value.
     const arg0 = target.arguments[0];
     if (arg0 && ts.isObjectLiteralExpression(arg0)) {
         const whereProp = arg0.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "where");
-        if (whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)) {
-            for (const prop of whereProp.initializer.properties) {
-                const nm = prop.name && ts.isIdentifier(prop.name) ? prop.name.text : undefined;
-                if (nm && OWNERSHIP_FIELDS.has(nm)) {
-                    const valText = ts.isPropertyAssignment(prop) ? prop.initializer.getText(sf) : nm;
-                    if (!/\b(?:params|searchParams)\b/.test(valText))
-                        return true;
-                }
-            }
+        if (whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)
+            && whereHasNestedOwnership(ts, sf, whereProp.initializer)) {
+            return true;
         }
     }
     // (2) post-fetch ownership comparison against a session/user value, in the same function.
-    return hasPostFetchOwnershipGuard(ts, sf, target);
+    if (hasPostFetchOwnershipGuard(ts, sf, target))
+        return true;
+    // (3) inter-procedural: an authz helper checks session + this id before the find.
+    return hasInterProceduralOwnershipGuard(ts, sf, target);
 }
 /**
  * BOLA ownership-guard detection for VG951 (delete/update). The rule's regex
@@ -253,7 +342,11 @@ export function bolaMutationGuarded(code, filePath, line) {
     const target = callNearLine(ts, sf, line, MUTATION_METHODS);
     if (!target)
         return false;
-    return hasPostFetchOwnershipGuard(ts, sf, target);
+    // Same-function post-fetch comparison, OR an inter-procedural authz helper that
+    // checked session + this id before the mutation (the helper-guard blind spot).
+    if (hasPostFetchOwnershipGuard(ts, sf, target))
+        return true;
+    return hasInterProceduralOwnershipGuard(ts, sf, target);
 }
 const ITER_METHODS = new Set(["map", "forEach", "some", "every", "filter", "find", "findIndex", "reduce", "flatMap"]);
 /** First `const NAME = <initializer>` for NAME anywhere in the file (file-scope-ish). */

package/build/tools/check-code.js

@@ -1535,9 +1535,12 @@ function isDuplicatePair(a, b) {
     const bIsAuth = authPatterns.some(p => b.rule.name.includes(p));
     if (aIsAuth && bIsAuth)
         return true;
-    // Both are CORS wildcard rules — VG040+VG403+VG973 duplicate case
-    const aIsCors = a.rule.name.includes("CORS") && a.rule.name.includes("ildcard");
-    const bIsCors = b.rule.name.includes("CORS") && b.rule.name.includes("ildcard");
+    // Both are CORS misconfiguration rules on the SAME line — same CORS construct, so the
+    // generic VG040 ("CORS wildcard") is redundant next to a more specific one like VG1094
+    // ("CORS Origin Reflection With Credentials", CVE-2026-54290) or VG973 (Hono). Keep the
+    // most specific (isMoreSpecific); a line with only one CORS finding is untouched (0-FN).
+    const aIsCors = a.rule.name.includes("CORS");
+    const bIsCors = b.rule.name.includes("CORS");
     if (aIsCors && bIsCors)
         return true;
     // Both are admin role check rules — VG426+VG957 duplicate case

package/build/tools/check-deps.d.ts

@@ -3,5 +3,5 @@ interface PackageInput {
     version: string;
     ecosystem: string;
 }
-export declare function checkDependencies(packages: PackageInput[]): Promise<string>;
+export declare function checkDependencies(packages: PackageInput[], format?: "markdown" | "json"): Promise<string>;
 export {};

package/build/tools/check-deps.js

@@ -1,5 +1,28 @@
 import { queryOsv, formatVulnerability } from "../utils/osv-client.js";
-export async function checkDependencies(packages) {
+export async function checkDependencies(packages, format = "markdown") {
+    // JSON output for agents (parity with scan_dependencies, which already supports it).
+    if (format === "json") {
+        const pkgResults = [];
+        let total = 0;
+        for (const pkg of packages) {
+            try {
+                const vulns = await queryOsv(pkg.name, pkg.version, pkg.ecosystem);
+                total += vulns.length;
+                pkgResults.push({ name: pkg.name, version: pkg.version, ecosystem: pkg.ecosystem, vulnerabilities: vulns });
+            }
+            catch (error) {
+                pkgResults.push({ name: pkg.name, version: pkg.version, ecosystem: pkg.ecosystem, vulnerabilities: [], error: error instanceof Error ? error.message : "Unknown error" });
+            }
+        }
+        return JSON.stringify({
+            schema: "guardvibe.check-dependencies.v1",
+            database: "OSV",
+            packagesChecked: packages.length,
+            totalVulnerabilities: total,
+            vulnerablePackages: pkgResults.filter(p => p.vulnerabilities.length > 0).length,
+            packages: pkgResults,
+        });
+    }
     const results = [
         `# GuardVibe Dependency Security Report`,
         ``,

package/build/tools/diff-aware.d.ts

@@ -11,3 +11,21 @@ export declare function filterToAddedLines<T extends {
 export declare function getAddedLinesForDiff(base: string, relPath: string, cwd: string): Set<number>;
 /** Lines added in `relPath` in the staged (index) changes — for pre-commit gating. */
 export declare function getAddedLinesStaged(relPath: string, cwd: string): Set<number>;
+export interface BaseResolution {
+    ok: boolean;
+    base?: string;
+    error?: string;
+}
+/**
+ * Resolve a usable diff base. Distinguishes "not a git repository" from "that ref does
+ * not exist here" (the old code conflated both as "Ensure you're in a git repository"),
+ * and — when no base is explicitly requested — auto-detects instead of hard-coding `main`
+ * (which fails on `master`-named or freshly-initialized repos). Fallback order:
+ * origin/HEAD → main → master → HEAD~1 → HEAD (uncommitted changes).
+ *
+ * @param strict when a base IS requested but missing, error instead of falling back
+ *   (used by the CLI so a typo'd ref is reported, not silently swapped).
+ */
+export declare function resolveGitBase(cwd: string, requested?: string, opts?: {
+    strict?: boolean;
+}): BaseResolution;

package/build/tools/diff-aware.js

@@ -76,3 +76,39 @@ export function getAddedLinesForDiff(base, relPath, cwd) {
 export function getAddedLinesStaged(relPath, cwd) {
     return gitDiffAddedLines(["--cached"], relPath, cwd);
 }
+function gitTry(cwd, args) {
+    try {
+        return execFileSync("git", args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Resolve a usable diff base. Distinguishes "not a git repository" from "that ref does
+ * not exist here" (the old code conflated both as "Ensure you're in a git repository"),
+ * and — when no base is explicitly requested — auto-detects instead of hard-coding `main`
+ * (which fails on `master`-named or freshly-initialized repos). Fallback order:
+ * origin/HEAD → main → master → HEAD~1 → HEAD (uncommitted changes).
+ *
+ * @param strict when a base IS requested but missing, error instead of falling back
+ *   (used by the CLI so a typo'd ref is reported, not silently swapped).
+ */
+export function resolveGitBase(cwd, requested, opts = {}) {
+    if (gitTry(cwd, ["rev-parse", "--is-inside-work-tree"]) !== "true") {
+        return { ok: false, error: "Not a git repository. Run `git init`, or pass a path inside a repo." };
+    }
+    const refExists = (ref) => gitTry(cwd, ["rev-parse", "--verify", "--quiet", `${ref}^{commit}`]) !== null;
+    if (requested) {
+        if (refExists(requested))
+            return { ok: true, base: requested };
+        if (opts.strict)
+            return { ok: false, error: `Base ref "${requested}" not found in this repository.` };
+    }
+    const originHead = gitTry(cwd, ["symbolic-ref", "--quiet", "--short", "refs/remotes/origin/HEAD"]);
+    for (const cand of [originHead, "main", "master", "HEAD~1", "HEAD"]) {
+        if (cand && refExists(cand))
+            return { ok: true, base: cand };
+    }
+    return { ok: false, error: "No base ref available — repository has no commits yet." };
+}

package/build/tools/export-sarif.js

@@ -20,7 +20,16 @@ export function exportSarif(path, rules) {
     const config = loadConfig(scanRoot);
     const excludes = new Set([...DEFAULT_EXCLUDES, ...config.scan.exclude]);
     const filePaths = [];
-    walkDirectory(scanRoot, true, excludes, filePaths);
+    // Accept a single file (for `check <file> --format sarif`) or a directory.
+    let isFile = false;
+    try {
+        isFile = statSync(scanRoot).isFile();
+    }
+    catch { /* treat as dir */ }
+    if (isFile)
+        filePaths.push(scanRoot);
+    else
+        walkDirectory(scanRoot, true, excludes, filePaths);
     const allResults = [];
     for (const filePath of filePaths) {
         try {

package/build/tools/scan-hallucinated.d.ts

@@ -26,6 +26,14 @@ export interface HallucinationResult {
  * are removed so they are never counted as real dependencies.
  */
 export declare function stripCommentsAndTemplates(src: string): string;
+/**
+ * Names that resolve to LOCAL first-party modules via tsconfig/jsconfig `baseUrl` or
+ * `paths` — e.g. `import x from "models/user"` under `baseUrl: "."`. These are source
+ * directories, NOT npm packages, so they must never be flagged phantom/typosquat
+ * (juice-shop's `models`/`data`/`lib` are the canonical false-positive case).
+ * Deterministic: reads the config + lists the baseUrl dir under root only; no network.
+ */
+export declare function baseUrlLocalNames(root: string): Set<string>;
 /** Real npm package roots imported via import/require STATEMENTS in a file's source. */
 export declare function extractStatementImports(code: string): Set<string>;
 /** Walk a source tree and collect every package root imported via a real statement. */

package/build/tools/scan-hallucinated.js

@@ -148,6 +148,102 @@ const STMT_REQUIRE = /^\s*(?:(?:const|let|var)\s+[^=\n]+=\s*)?require\s*\(\s*['"
 function isPathAlias(spec) {
     return spec.startsWith("@/") || spec.startsWith("~");
 }
+/** Strip // and block comments + trailing commas so a JSONC tsconfig can be JSON.parsed. */
+function parseJsonc(text) {
+    const noBlock = text.replace(/\/\*[\s\S]*?\*\//g, "");
+    const noLine = noBlock.replace(/(^|[^:"'])\/\/[^\n]*/g, "$1");
+    const noTrailingCommas = noLine.replace(/,(\s*[}\]])/g, "$1");
+    return JSON.parse(noTrailingCommas);
+}
+/**
+ * Names that resolve to LOCAL first-party modules via tsconfig/jsconfig `baseUrl` or
+ * `paths` — e.g. `import x from "models/user"` under `baseUrl: "."`. These are source
+ * directories, NOT npm packages, so they must never be flagged phantom/typosquat
+ * (juice-shop's `models`/`data`/`lib` are the canonical false-positive case).
+ * Deterministic: reads the config + lists the baseUrl dir under root only; no network.
+ */
+export function baseUrlLocalNames(root) {
+    const names = new Set();
+    const skip = new Set(SKIP_DIR);
+    // List a directory's child dirs + bare source-file names as resolvable local roots.
+    const addLocalFrom = (baseDir) => {
+        let entries;
+        try {
+            entries = readdirSync(baseDir);
+        }
+        catch {
+            return;
+        }
+        for (const e of entries) {
+            if (skip.has(e))
+                continue;
+            let st;
+            try {
+                st = statSync(join(baseDir, e));
+            }
+            catch {
+                continue;
+            }
+            if (st.isDirectory())
+                names.add(e);
+            else {
+                const ext = extname(e).toLowerCase();
+                if (CODE_EXT.has(ext))
+                    names.add(e.slice(0, -ext.length));
+            }
+        }
+    };
+    // Walk the tree; every dir containing a tsconfig/jsconfig is a project root whose
+    // source dirs are addressable as project/baseUrl-relative bare imports (e.g. Angular's
+    // `import ... from 'src/app/...'`, or `models/user` under `baseUrl: "."`). This handles
+    // monorepos (a nested frontend/ with its own config). Deterministic + offline.
+    const walk = (dir) => {
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        const hasConfig = entries.includes("tsconfig.json") || entries.includes("jsconfig.json");
+        if (hasConfig) {
+            for (const cfgFile of ["tsconfig.json", "jsconfig.json"]) {
+                if (!entries.includes(cfgFile))
+                    continue;
+                let cfg;
+                try {
+                    cfg = parseJsonc(readFileSync(join(dir, cfgFile), "utf-8"));
+                }
+                catch {
+                    cfg = null;
+                }
+                const co = cfg?.compilerOptions ?? {};
+                for (const key of Object.keys(co.paths ?? {})) {
+                    const seg = key.replace(/\/\*?$/, "").split("/")[0];
+                    if (seg)
+                        names.add(seg);
+                }
+                addLocalFrom(typeof co.baseUrl === "string" ? resolve(dir, co.baseUrl) : dir);
+            }
+        }
+        for (const e of entries) {
+            if (skip.has(e))
+                continue;
+            const p = join(dir, e);
+            let st;
+            try {
+                st = statSync(p);
+            }
+            catch {
+                continue;
+            }
+            if (st.isDirectory())
+                walk(p);
+        }
+    };
+    walk(root);
+    return names;
+}
 /** Real npm package roots imported via import/require STATEMENTS in a file's source. */
 export function extractStatementImports(code) {
     const stripped = stripCommentsAndTemplates(code);
@@ -170,6 +266,8 @@ export function collectStatementImports(root, opts = {}) {
     const found = new Set();
     const skip = new Set([...SKIP_DIR, ...(opts.exclude ?? [])]);
     const maxFiles = opts.maxFiles ?? 20_000;
+    // Local first-party module names (tsconfig baseUrl/paths) — never treated as packages.
+    const localModules = baseUrlLocalNames(root);
     let count = 0;
     const walk = (dir) => {
         if (count >= maxFiles)
@@ -208,7 +306,8 @@ export function collectStatementImports(root, opts = {}) {
                     continue;
                 }
                 for (const pkg of extractStatementImports(code))
-                    found.add(pkg);
+                    if (!localModules.has(pkg))
+                        found.add(pkg);
             }
         }
     };
@@ -299,6 +398,22 @@ function mergeFinding(map, name, signal, severity, tier, similarTo) {
 function sortFindings(findings) {
     return [...findings].sort((a, b) => (SEV_RANK[a.severity] - SEV_RANK[b.severity]) || a.name.localeCompare(b.name));
 }
+/** Bare (scope-stripped) package name, for length-based precision gating. */
+function bareName(name) {
+    return name.startsWith("@") ? name.split("/").pop() ?? name : name;
+}
+/**
+ * High-precision gate for the deterministic typosquat tier. Structural squats
+ * (deceptive prefix/suffix/separator) are kept at any length; a bare Levenshtein match
+ * is kept only when the name is long enough (≥5) that the collision is unlikely to be
+ * coincidental — short names like `jws`/`cdk` sit within edit-distance of `jest`/`sdk`
+ * by chance, which is the residual false-positive source after the declared-name gate.
+ */
+function isPreciseTyposquat(name, typo) {
+    if (typo.method === "levenshtein")
+        return bareName(name).length >= 5;
+    return true;
+}
 /**
  * OFFLINE / deterministic core. Pure — no network, no filesystem. Unit-testable with
  * injected sets. Flags phantom imports (imported ∉ declared) and typosquats.
@@ -313,16 +428,22 @@ export function detectOffline(imported, declared, opts = {}) {
     for (const name of imported) {
         if (allow.has(name) || self.has(name))
             continue;
+        // The deterministic tier is gated on UNDECLARED (phantom) names only. A declared
+        // dependency is an intentional install — its existence/legitimacy is the ONLINE
+        // tier's job (404 / brand-new). Flagging a declared package as a typosquat offline,
+        // purely on edit-distance, is the dominant false-positive source: real, popular
+        // packages like `cors`/`chai`/`sinon`/`pug` sit within Levenshtein distance of
+        // unrelated popular names. (0-FP discipline > catching a declared typo offline.)
+        const isPhantom = !declared.has(name);
+        if (!isPhantom)
+            continue;
         const typo = detectTyposquat(name);
-        if (typo) {
-            const signal = typo.confidence >= 0.9 && /^(?:plain-|real-|original-|safe-|secure-|true-|actual-|verified-|legit-|official-|clean-|pure-|native-|simple-|fast-|super-|ultra-|better-|enhanced-|improved-|modern-|updated-|new-|my-|the-|a-|node-|js-|ts-)/.test(name.toLowerCase())
-                ? "deceptive_prefix" : "typosquat";
+        if (typo && isPreciseTyposquat(name, typo)) {
+            const signal = typo.method === "prefix" || typo.method === "suffix" ? "deceptive_prefix" : "typosquat";
             mergeFinding(map, name, signal, "critical", "offline", typo.similarTo);
         }
         // phantom: imported in source, but not declared anywhere (and not a self/workspace pkg)
-        if (imported.has(name) && !declared.has(name)) {
-            mergeFinding(map, name, "phantom_import", "high", "offline");
-        }
+        mergeFinding(map, name, "phantom_import", "high", "offline");
     }
     return sortFindings([...map.values()]);
 }

package/build/utils/typosquat.d.ts

@@ -3,6 +3,8 @@ export declare function levenshtein(a: string, b: string): number;
 interface TyposquatResult {
     similarTo: string;
     confidence: number;
+    /** How the match was made — lets callers apply method-specific precision gates. */
+    method?: "prefix" | "suffix" | "separator" | "levenshtein";
 }
 export declare function detectTyposquat(name: string): TyposquatResult | null;
 export {};

package/build/utils/typosquat.js

@@ -95,13 +95,13 @@ function detectPrefixSuffixSquat(name) {
         if (lower.startsWith(prefix)) {
             const stripped = lower.slice(prefix.length);
             if (POPULAR_PACKAGES.includes(stripped)) {
-                return { similarTo: stripped, confidence: 0.95 };
+                return { similarTo: stripped, confidence: 0.95, method: "prefix" };
             }
             // Also check Levenshtein against stripped name
             for (const popular of POPULAR_PACKAGES) {
                 const popularBare = popular.startsWith("@") ? popular.split("/").pop() ?? popular : popular;
                 if (Math.abs(stripped.length - popularBare.length) <= 1 && levenshtein(stripped, popularBare) === 1) {
-                    return { similarTo: popular, confidence: 0.85 };
+                    return { similarTo: popular, confidence: 0.85, method: "prefix" };
                 }
             }
         }
@@ -110,7 +110,7 @@ function detectPrefixSuffixSquat(name) {
         if (lower.endsWith(suffix)) {
             const stripped = lower.slice(0, -suffix.length);
             if (POPULAR_PACKAGES.includes(stripped)) {
-                return { similarTo: stripped, confidence: 0.9 };
+                return { similarTo: stripped, confidence: 0.9, method: "suffix" };
             }
         }
     }
@@ -125,12 +125,12 @@ function detectSeparatorSquat(name) {
     // Replace underscores and dots with hyphens, then check
     const normalized = lower.replace(/[_.]/g, "-");
     if (normalized !== lower && POPULAR_PACKAGES.includes(normalized)) {
-        return { similarTo: normalized, confidence: 0.9 };
+        return { similarTo: normalized, confidence: 0.9, method: "separator" };
     }
     // Reverse: replace hyphens with underscores/dots
     const withUnderscore = lower.replace(/-/g, "_");
     if (withUnderscore !== lower && POPULAR_PACKAGES.includes(withUnderscore)) {
-        return { similarTo: withUnderscore, confidence: 0.9 };
+        return { similarTo: withUnderscore, confidence: 0.9, method: "separator" };
     }
     return null;
 }
@@ -167,5 +167,5 @@ export function detectTyposquat(name) {
         return null;
     // Confidence: distance 1 = 0.9, distance 2 = 0.7
     const confidence = bestDistance === 1 ? 0.9 : 0.7;
-    return { similarTo: bestMatch, confidence };
+    return { similarTo: bestMatch, confidence, method: "levenshtein" };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.24.0",
+  "version": "3.26.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 450 rules, 39 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 77 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",