guardvibe 3.9.0 → 3.10.0

package/CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.10.0] - 2026-06-07
+
+### Added — Season 3 S3-1: autonomous, prioritized threat intel (441 rules / 37 tools)
+- **`npm run intel --scaffold`** now drafts a review-ready `cve-versions.ts` rule object **and** a version-range test stub for each uncovered advisory — turning "here's a gap" into "here's a rule + test to review." Drafts are printed only; nothing is auto-committed (the standing rule: never auto-commit untested rules).
+- **CISA KEV prioritization:** the intel gap report cross-references the CISA Known-Exploited-Vulnerabilities catalog and surfaces actively-exploited CVEs first (🔥 marker), so what's being exploited in the wild — past your model's training cutoff — rises to the top. Degrades gracefully if the catalog is unreachable.
+- New tested module `src/lib/cve-scaffold.ts`: `versionRangeRegex(introduced, fixed)` generalizes the hand-rolled 0-FP semver→regex work (single version / patch-range / minor-range / from-zero), and `scaffoldCveRule` emits the rule + test. Exact/`=` pins by default (a caret/tilde that resolves to the fix is left for the reviewer). The intel report (and `--json`) now also carries each gap's package + affected/fixed range + `kev` flag.
+- No rule or tool changes (441 / 37) — this drafts rules; humans + the gate still decide.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.9.0] - 2026-06-07
 
 ### Changed — diff-aware is now the default across every gating surface (441 rules / 37 tools)

package/build/lib/cve-scaffold.d.ts

@@ -0,0 +1,38 @@
+/**
+ * CVE rule scaffolding (Season 3, S3-1).
+ *
+ * Turns a "package X is vulnerable in [introduced, fixed)" advisory into a
+ * review-ready `cve-versions.ts` rule object + a version-range test stub, so the
+ * daily intel pipeline drafts rules instead of just reporting gaps. The output is
+ * a DRAFT for human review + the normal gate/corpus validation — never
+ * auto-committed (the hard-won "never auto-commit untested rules" rule stands).
+ *
+ * 0-FP-leaning by default: the generated pin matcher only accepts exact / `=`
+ * pins (a `^`/`~` range usually resolves to the fixed patch and is left for the
+ * reviewer to add where the range spans minors). Pure + deterministic.
+ */
+/**
+ * Regex fragment matching a semver version string in [introduced, fixed).
+ * Handles the shapes CVE advisories use: single version, a patch range within a
+ * minor, a minor range within a major, and from-zero. Multi-major ranges get a
+ * best-effort pattern (flagged for review by the scaffold).
+ */
+export declare function versionRangeRegex(introduced: string, fixed: string): string;
+export interface AdvisoryInput {
+    ruleId: string;
+    pkg: string;
+    introduced: string;
+    fixed: string;
+    cve?: string;
+    ghsa?: string;
+    severity: string;
+    summary: string;
+}
+/**
+ * Build a review-ready cve-versions.ts rule object + a matching test stub for an
+ * advisory. Returns source strings to paste (after review) — NOT auto-applied.
+ */
+export declare function scaffoldCveRule(a: AdvisoryInput): {
+    rule: string;
+    test: string;
+};

package/build/lib/cve-scaffold.js

@@ -0,0 +1,110 @@
+// guardvibe-ignore — builds CVE-rule regex *strings* from semver ranges; the
+// `["']`/`\s*` fragments here are detector-pattern templates, not vulnerable code.
+/**
+ * CVE rule scaffolding (Season 3, S3-1).
+ *
+ * Turns a "package X is vulnerable in [introduced, fixed)" advisory into a
+ * review-ready `cve-versions.ts` rule object + a version-range test stub, so the
+ * daily intel pipeline drafts rules instead of just reporting gaps. The output is
+ * a DRAFT for human review + the normal gate/corpus validation — never
+ * auto-committed (the hard-won "never auto-commit untested rules" rule stands).
+ *
+ * 0-FP-leaning by default: the generated pin matcher only accepts exact / `=`
+ * pins (a `^`/`~` range usually resolves to the fixed patch and is left for the
+ * reviewer to add where the range spans minors). Pure + deterministic.
+ */
+function parseVer(v) {
+    if (!v || v === "0")
+        return [0, 0, 0];
+    const m = v.match(/^(\d+)(?:\.(\d+))?(?:\.(\d+))?/);
+    if (!m)
+        return [0, 0, 0];
+    return [Number(m[1] || 0), Number(m[2] || 0), Number(m[3] || 0)];
+}
+/** Regex fragment matching integers in [min, max] (enumerated for the small ranges CVEs use). */
+function numRange(min, max) {
+    if (max < min)
+        return "(?!)"; // never matches (empty range)
+    if (min === max)
+        return String(min);
+    if (max - min <= 40) {
+        const alts = [];
+        for (let n = min; n <= max; n++)
+            alts.push(String(n));
+        return "(?:" + alts.join("|") + ")";
+    }
+    return "\\d+"; // unexpected for a CVE range — fall back to any
+}
+/**
+ * Regex fragment matching a semver version string in [introduced, fixed).
+ * Handles the shapes CVE advisories use: single version, a patch range within a
+ * minor, a minor range within a major, and from-zero. Multi-major ranges get a
+ * best-effort pattern (flagged for review by the scaffold).
+ */
+export function versionRangeRegex(introduced, fixed) {
+    const [iM, im, ip] = parseVer(introduced);
+    const [fM, fm, fp] = parseVer(fixed);
+    const alts = [];
+    if (iM === fM) {
+        if (im === fm) {
+            // Same minor: patches ip .. fp-1
+            alts.push(`${iM}\\.${im}\\.${numRange(ip, fp - 1)}`);
+        }
+        else {
+            if (ip === 0) {
+                // Introduced minor starts at .0 → folds into the full-minor sweep im..fm-1
+                alts.push(`${iM}\\.${numRange(im, fm - 1)}\\.\\d+`);
+            }
+            else {
+                // ip > 0: approximate the introduced minor as full (reviewer tightens)
+                alts.push(`${iM}\\.${im}\\.\\d+`);
+                if (fm - 1 >= im + 1)
+                    alts.push(`${iM}\\.${numRange(im + 1, fm - 1)}\\.\\d+`);
+            }
+            if (fp > 0)
+                alts.push(`${iM}\\.${fm}\\.${numRange(0, fp - 1)}`);
+        }
+    }
+    else {
+        // Multi-major (rare): majors iM..fM-1 in full, then the start of the fixed major.
+        alts.push(`${numRange(iM, fM - 1)}\\.\\d+\\.\\d+`);
+        if (fm > 0)
+            alts.push(`${fM}\\.${numRange(0, fm - 1)}\\.\\d+`);
+        if (fp > 0)
+            alts.push(`${fM}\\.${fm}\\.${numRange(0, fp - 1)}`);
+    }
+    const parts = alts.filter(Boolean);
+    return parts.length === 1 ? parts[0] : "(?:" + parts.join("|") + ")";
+}
+/** Escape a package name for use inside a regex literal. */
+function escapePkg(pkg) {
+    return pkg.replace(/[.*+?^${}()|[\]\\/]/g, "\\$&");
+}
+/**
+ * Build a review-ready cve-versions.ts rule object + a matching test stub for an
+ * advisory. Returns source strings to paste (after review) — NOT auto-applied.
+ */
+export function scaffoldCveRule(a) {
+    const frag = versionRangeRegex(a.introduced, a.fixed);
+    const ids = [a.cve, a.ghsa].filter(Boolean).join(" / ");
+    const pattern = `/["']${escapePkg(a.pkg)}["']\\s*:\\s*["']=?${frag}["']/g`;
+    const safeSummary = a.summary.replace(/"/g, "'").replace(/\s+/g, " ").trim();
+    const rule = `  {
+    id: "${a.ruleId}",
+    name: "${a.pkg} vulnerability${ids ? ` (${ids})` : ""}",
+    severity: "${a.severity}",
+    owasp: "A06:2025 Vulnerable and Outdated Components",
+    description:
+      "${safeSummary} Affected: ${a.pkg} ${a.introduced}–<${a.fixed}; fixed in ${a.fixed}. REVIEW: confirm the affected range, and add ~/^ prefixes only where they don't resolve to the fix, before merging.",
+    pattern:
+      ${pattern},
+    languages: ["json"],
+    fix: "Upgrade ${a.pkg} to ${a.fixed}+: npm install ${a.pkg}@latest.",
+    compliance: ["SOC2:CC7.1"],
+  },`;
+    const test = `  describe("${a.ruleId} - ${a.pkg} (${ids})", () => {
+    it("detects affected ${a.pkg}", () => testRule("${a.ruleId}", '"${a.pkg}": "${a.introduced}"', true));
+    it("ignores fixed ${a.pkg}", () => testRule("${a.ruleId}", '"${a.pkg}": "${a.fixed}"', false));
+  });`;
+    return { rule, test };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.9.0",
+  "version": "3.10.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 441 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 70 CVE rules refreshed daily from GHSA/OSV/CISA KEV — React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",