guardvibe 3.7.0 → 3.8.0

package/CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.8.0] - 2026-06-07
+
+### Fixed — auth-coverage no longer crashes on (and now understands) Clerk/Next.js middleware (441 rules / 37 tools)
+- **Crash fix:** the Next.js/Clerk catch-all `config.matcher` contains `]` inside character classes (e.g. `[^?]`), which truncated the old matcher parser and then made `matcherToRegex` throw "Unterminated character class" — so `auth_coverage` errored out on essentially every Clerk app. The matcher array is now parsed string-aware (brackets/commas/escapes inside a pattern are preserved) and matcher-to-regex never throws (it tries path-style and regex-style forms, skipping any it can't compile).
+- **Precision:** when the middleware uses Clerk's `createRouteMatcher([...])`, those patterns are used as the precise protected-route set (a sensitive route outside the list is correctly still reported unprotected) instead of the broad `config.matcher` run-scope.
+- **Fewer false negatives:** a recognizably non-auth middleware (next-intl / i18n / analytics) with a catch-all matcher no longer marks routes as protected. Default remains lenient for everything else, so custom auth middleware still counts.
+- New exported `parseProtectedRouteMatchers`; verified on the corpus (5 real middleware files, 0 crashes). No rule or tool changes (441 / 37).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.7.0] - 2026-06-07
 
 ### Added — 3 fresh CVE rules from daily intel (438 → 441 rules / 37 tools)

package/build/tools/auth-coverage.d.ts

@@ -18,11 +18,14 @@ export interface FileEntry {
  * Enumerate all routes from a set of app directory files.
  */
 export declare function enumerateRoutes(files: FileEntry[]): RouteInfo[];
+export declare function parseMiddlewareMatchers(content: string): string[];
 /**
- * Parse Next.js middleware config.matcher from middleware file content.
- * Returns array of matcher patterns.
+ * Clerk-style protect lists: `createRouteMatcher([...])`. When present these are the
+ * precise routes the middleware enforces auth on — more accurate than config.matcher
+ * (which only says where the middleware *runs*), so a sensitive route outside the
+ * protect list is correctly still reported as unprotected.
  */
-export declare function parseMiddlewareMatchers(content: string): string[];
+export declare function parseProtectedRouteMatchers(content: string): string[];
 /**
  * Check if a route URL path matches any of the middleware matchers.
  * Empty matchers = middleware covers all routes.

package/build/tools/auth-coverage.js

@@ -82,35 +82,108 @@ export function enumerateRoutes(files) {
  * Parse Next.js middleware config.matcher from middleware file content.
  * Returns array of matcher patterns.
  */
+function stripComments(content) {
+    return content
+        .replace(/\\n/g, "\n").replace(/\\t/g, "\t")
+        .replace(/\/\*[\s\S]*?\*\//g, "")
+        .replace(/\/\/.*$/gm, "");
+}
+/** Inner text of the array starting at `[` at `openIdx`, scanning string-aware so
+ *  a `]` inside a string literal (e.g. the catch-all `[^?]`) doesn't end it early. */
+function bracketInner(s, openIdx) {
+    let depth = 0;
+    for (let i = openIdx; i < s.length; i++) {
+        const ch = s[i];
+        if (ch === '"' || ch === "'" || ch === "`") {
+            const q = ch;
+            i++;
+            while (i < s.length && s[i] !== q) {
+                if (s[i] === "\\")
+                    i++;
+                i++;
+            }
+        }
+        else if (ch === "[") {
+            depth++;
+        }
+        else if (ch === "]") {
+            depth--;
+            if (depth === 0)
+                return s.slice(openIdx + 1, i);
+        }
+    }
+    return null;
+}
+/** A matcher written in JS source escapes regex backslashes (`\\.`); collapse one
+ *  level so the extracted pattern is a usable regex (`\.`). */
+function unescapeMatcher(s) {
+    return s.replace(/\\\\/g, "\\");
+}
+/** Every quoted string literal inside a region (handles `]`, `,`, escapes within). */
+function extractStringLiterals(region) {
+    const out = [];
+    const re = /(["'`])((?:\\.|(?!\1)[\s\S])*?)\1/g;
+    let m;
+    while ((m = re.exec(region)) !== null)
+        out.push(unescapeMatcher(m[2]));
+    return out;
+}
 export function parseMiddlewareMatchers(content) {
-    // Normalize literal escape sequences that AI assistants may pass
-    let normalized = content.replace(/\\n/g, "\n").replace(/\\t/g, "\t");
-    // Strip block + line comments before pulling the matcher array. Real-world
-    // middleware files carry JSDoc-style notes inline (dub's matcher block has
-    // four bullet points); split-on-comma was swallowing those bullets into the
-    // matcher list, breaking every downstream regex test.
-    normalized = normalized.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
-    const stringMatch = /matcher\s*:\s*"([^"]+)"/.exec(normalized);
-    if (stringMatch)
-        return [stringMatch[1]];
-    const arrayMatch = /matcher\s*:\s*\[([^\]]+)\]/.exec(normalized);
-    if (arrayMatch) {
-        return arrayMatch[1]
-            .split(",")
-            .map(s => s.trim().replace(/^["']|["']$/g, ""))
-            .filter(Boolean);
+    const normalized = stripComments(content);
+    // Array form: matcher: [ ... ] — bound the array string-aware so a catch-all
+    // pattern containing `]`/`,` (e.g. Clerk's `[^?]`) isn't truncated.
+    const arrM = /matcher\s*:\s*\[/.exec(normalized);
+    if (arrM) {
+        const openIdx = normalized.indexOf("[", arrM.index);
+        const inner = bracketInner(normalized, openIdx);
+        if (inner !== null) {
+            const lits = extractStringLiterals(inner);
+            if (lits.length)
+                return lits;
+        }
     }
+    // String form: matcher: "..."
+    const strM = /matcher\s*:\s*(["'`])((?:\\.|(?!\1).)*)\1/.exec(normalized);
+    if (strM)
+        return [unescapeMatcher(strM[2])];
     return [];
 }
 /**
- * Convert a Next.js matcher pattern to a regex.
- * Handles :path* and :param patterns.
+ * Clerk-style protect lists: `createRouteMatcher([...])`. When present these are the
+ * precise routes the middleware enforces auth on — more accurate than config.matcher
+ * (which only says where the middleware *runs*), so a sensitive route outside the
+ * protect list is correctly still reported as unprotected.
+ */
+export function parseProtectedRouteMatchers(content) {
+    const normalized = stripComments(content);
+    const out = [];
+    const callRe = /createRouteMatcher\s*\(\s*\[/g;
+    let m;
+    while ((m = callRe.exec(normalized)) !== null) {
+        const openIdx = normalized.indexOf("[", m.index);
+        const inner = bracketInner(normalized, openIdx);
+        if (inner !== null)
+            out.push(...extractStringLiterals(inner));
+    }
+    return out;
+}
+/**
+ * Convert a Next.js matcher to a regex. Path-style matchers (`/x/:id`, `/y/:path*`)
+ * get token conversion; regex-style matchers (Clerk catch-all, `(.*)`, char classes)
+ * are used raw. Tries the likely form first, falls back to the other, and NEVER throws
+ * on a malformed pattern (returns null, which callers skip).
  */
 function matcherToRegex(pattern) {
-    const regexStr = pattern
-        .replace(/\/:[\w]+\*/g, "(?:/.*)?")
-        .replace(/:[\w]+/g, "[^/]+");
-    return new RegExp("^" + regexStr + "$");
+    const pathConvert = (p) => p.replace(/\/:[\w]+\*/g, "(?:/.*)?").replace(/:[\w]+/g, "[^/]+");
+    const looksRegex = /[(|]|\.\*|\\[dwsDWS]|\[\^?/.test(pattern);
+    const candidates = looksRegex ? [pattern, pathConvert(pattern)] : [pathConvert(pattern), pattern];
+    for (const c of candidates) {
+        try {
+            return new RegExp("^" + c + "$");
+        }
+        catch { /* try next form */ }
+    }
+    return null;
 }
 /**
  * Check if a route URL path matches any of the middleware matchers.
@@ -121,7 +194,7 @@ export function routeMatchesMatcher(urlPath, matchers) {
         return true;
     for (const pattern of matchers) {
         const regex = matcherToRegex(pattern);
-        if (regex.test(urlPath))
+        if (regex && regex.test(urlPath))
             return true;
     }
     return false;
@@ -154,8 +227,19 @@ function hasAuthGuard(code) {
  */
 export function analyzeAuthCoverage(routeFiles, middlewareContent, layoutFiles, authExceptions) {
     const routes = enumerateRoutes(routeFiles);
-    const matchers = parseMiddlewareMatchers(middlewareContent);
     const hasMiddleware = middlewareContent.length > 0;
+    // Default-lenient: a middleware with a matcher counts as protection — EXCEPT when it
+    // is recognizably a non-auth middleware (i18n / analytics) with no auth signal, which
+    // must not mark routes protected (that would hide genuinely unprotected routes).
+    const hasAuthSignal = hasAuthGuard(middlewareContent) ||
+        /\b(?:clerkMiddleware|authMiddleware|withAuth|createRouteMatcher|NextAuth|auth0|betterAuth|supabaseMiddleware|updateSession|createServerClient|getToken)\b/.test(middlewareContent) ||
+        /auth\s*\.\s*protect\s*\(/.test(middlewareContent);
+    const isNonAuthMiddleware = /\b(?:next-intl|createI18nMiddleware|next-international|paraglide|@vercel\/analytics|posthog)\b/.test(middlewareContent)
+        || /from\s+["']next-intl\/middleware["']/.test(middlewareContent);
+    const middlewareCountsAsAuth = hasMiddleware && (hasAuthSignal || !isNonAuthMiddleware);
+    // Prefer the precise Clerk protect list; fall back to where the (auth) middleware runs.
+    const protectMatchers = parseProtectedRouteMatchers(middlewareContent);
+    const coverageMatchers = protectMatchers.length ? protectMatchers : parseMiddlewareMatchers(middlewareContent);
     // Map file content by path for auth detection
     const contentByPath = new Map();
     for (const f of routeFiles)
@@ -167,9 +251,9 @@ export function analyzeAuthCoverage(routeFiles, middlewareContent, layoutFiles,
         route.hasAuthGuard = hasAuthGuard(content);
         if (route.hasAuthGuard)
             route.protectionSource = "auth-guard";
-        // Middleware coverage
-        if (hasMiddleware) {
-            route.middlewareCovered = routeMatchesMatcher(route.urlPath, matchers);
+        // Middleware coverage (skipped for recognizably non-auth middleware)
+        if (middlewareCountsAsAuth) {
+            route.middlewareCovered = routeMatchesMatcher(route.urlPath, coverageMatchers);
             if (route.middlewareCovered) {
                 middlewareCoveredCount++;
                 if (route.protectionSource === "none")

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.7.0",
+  "version": "3.8.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 441 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 70 CVE rules refreshed daily from GHSA/OSV/CISA KEV — React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",