vbguard 0.3.0 → 0.5.1

package/README.md

@@ -1,26 +1,46 @@
-# ⚡ vibeguard
+# vbguard
 
-**Security scanner built for AI-generated code. Catches what traditional scanners miss.**
+**Security scanner for AI-generated code. Catches what Snyk, Semgrep, and GitGuardian miss.**
 
-[![npm version](https://img.shields.io/npm/v/vibeguard.svg)](https://www.npmjs.com/package/vibeguard)
+[![npm version](https://img.shields.io/npm/v/vbguard.svg)](https://www.npmjs.com/package/vbguard)
+[![npm downloads](https://img.shields.io/npm/dm/vbguard.svg)](https://www.npmjs.com/package/vbguard)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
 ---
 
-Vibe coding is fast. But 45% of AI-generated code ships with known vulnerabilities. The Moltbook breach, the pickle exploits, the hardcoded Supabase keys — all caused by patterns that traditional scanners weren't designed to catch.
+Vibe coding is fast. But 45% of AI-generated code ships with known vulnerabilities. The Moltbook breach, the pickle exploits, the hardcoded Supabase keys -- all caused by patterns that traditional scanners weren't designed to catch.
 
-**vibeguard** scans your codebase for the security mistakes that AI coding tools (Cursor, Claude Code, Copilot, Lovable, Bolt, Replit) introduce most often.
+**vbguard** scans your codebase for security mistakes that AI coding tools (Cursor, Claude Code, Copilot, Lovable, Bolt, Replit) introduce most often. It also does things no other scanner can -- like detecting **hallucinated packages** and **broken auth flows**.
 
 ## Quick Start
 
 ```bash
-npx vibeguard .
+npx vbguard .
 ```
 
-That's it. No config, no account, no API key.
+No config. No account. No API key. Runs in milliseconds.
+
+## Get Your Security Score
+
+```bash
+npx vbguard . --score
+```
+
+```
+  vbguard security score:
+
+  ████████████████░░░░ 78/100 -- good
+
+  * 0 critical
+  * 2 high
+  * 3 medium
+  * 1 low
+```
 
 ## What It Catches
 
+### Core Scanners
+
 | Category | Examples | Severity |
 |----------|----------|----------|
 | **Hardcoded Secrets** | API keys, DB connection strings, JWTs, private keys inline in code | Critical |
@@ -33,143 +53,291 @@ That's it. No config, no account, no API key.
 | **Missing .gitignore** | `.env` files not gitignored, secrets about to be committed | Critical |
 | **Docker Misconfigs** | Running as root, copying `.env` into images, exposed DB ports | Medium-High |
 
-## Supported Languages
+### Hallucinated Package Detector (unique to vbguard)
+
+AI tools frequently invent package names that don't exist. If someone registers that name with malicious code, your project is compromised.
 
-- **JavaScript / TypeScript** — Express, Fastify, Next.js, React, Vue, Svelte
-- **Python** — Flask, FastAPI, Django
+- **CRITICAL**: Package doesn't exist on npm/PyPI (hallucinated by AI)
+- **HIGH**: Package created less than 30 days ago (potential typosquat)
+- **HIGH**: Package name within edit distance 1-2 of a popular package (`lodas` vs `lodash`)
+
+```bash
+# Skip online checks for offline environments
+npx vbguard . --offline
+```
+
+### Auth Flow Analyzer (Snyk can't do this)
+
+Snyk and Semgrep **cannot** catch broken auth because it requires understanding application semantics. vbguard detects:
+
+| Pattern | Why It Matters |
+|---------|---------------|
+| JWT with no expiration | Stolen tokens grant permanent access |
+| JWT with weak/hardcoded secret | Anyone can forge valid tokens |
+| User enumeration | Different errors for "user not found" vs "wrong password" reveal valid emails |
+| Tokens in localStorage | Vulnerable to XSS -- use httpOnly cookies |
+| OAuth open redirects | Unvalidated redirect_uri lets attackers steal tokens |
+| Password reset without rate limiting | Enables brute-force of reset tokens |
+| Signup with no email verification | Allows fake account creation |
+| Inverted auth checks | The exact Lovable/Moltbook bug: blocking authenticated users, allowing anonymous |
+| API routes with no auth middleware | Publicly accessible endpoints |
+| Supabase signUp with no email confirmation | Anyone can register with any email |
+
+### Vibe-Code Patterns (unique to AI-generated code)
+
+Patterns that **only** appear in AI-generated code, not human code:
+
+| Pattern | Why It Matters |
+|---------|---------------|
+| Security TODO comments | `TODO: add authentication` -- AI leaves these as placeholders and never comes back |
+| Placeholder data in production | `test@test.com`, `John Doe`, `password123` shipped to prod |
+| Sensitive data in console.log | `console.log(password)`, `console.log(token)` -- debugging leftovers |
+| Commented-out security code | Auth checks, validation, rate limiting disabled during debugging |
+| AI-generated markers | "Created with Cursor", "Copilot suggestion" -- indicates unreviewed code |
+| Error stack trace leaks | `res.status(500).send(err.stack)` exposes internals to attackers |
+| Silent error swallowing | `catch(e) {}` -- security failures silently ignored |
+
+### Framework-Specific Scanners
+
+#### Next.js
+
+| Pattern | Severity |
+|---------|----------|
+| API keys in `"use client"` components | Critical |
+| Missing `middleware.ts` for auth | Medium |
+| Server Actions with no input validation | High |
+| `publicRuntimeConfig` exposing secrets | Critical |
+| API routes with no auth checks | Medium |
+| `NEXT_PUBLIC_` prefix on sensitive env vars | Critical |
+
+#### Supabase
+
+| Pattern | Severity |
+|---------|----------|
+| Service role key in client-side code | Critical |
+| `.from('table').select('*')` with no filter | Medium |
+| Anon key used with no RLS | High |
+| Public storage buckets with no policies | Medium |
+| `SECURITY DEFINER` functions without auth checks | High |
+
+#### Firebase
+
+| Pattern | Severity |
+|---------|----------|
+| Firestore rules with `allow read, write: if true` | Critical |
+| Realtime Database rules with `.read: true` at root | Critical |
+| Storage rules with no auth condition | Critical/High |
+| Firebase Admin SDK in client-side code | Critical |
+| Firebase config with no App Check | Medium |
+
+## Comparison
+
+| Feature | vbguard | Snyk | Semgrep | GitGuardian |
+|---------|---------|------|---------|-------------|
+| Hardcoded secrets | Yes | Partial | Yes | Yes |
+| Hallucinated package detection | **Yes** | No | No | No |
+| Auth flow analysis | **Yes** | No | No | No |
+| AI-code-specific patterns | **Yes** | No | No | No |
+| Next.js-specific rules | **Yes** | No | Partial | No |
+| Supabase security | **Yes** | No | No | No |
+| Firebase security | **Yes** | Partial | Partial | No |
+| Security score | **Yes** | No | No | No |
+| Zero config | **Yes** | No | No | No |
+| Runs offline | **Yes** | No | Yes | No |
+| Free & open source | **Yes** | Partial | Yes | Partial |
+| Speed | < 100ms | Minutes | Seconds | Seconds |
 
 ## Usage
 
 ```bash
 # Scan current directory
-vibeguard .
+npx vbguard .
 
 # Scan a specific project
-vibeguard ./my-app
+npx vbguard ./my-app
 
 # Only show high and critical issues
-vibeguard . --severity=high
+npx vbguard . --severity=high
+
+# Output as JSON
+npx vbguard . --json
+
+# Security score (0-100)
+npx vbguard . --score
+
+# Generate fix suggestions file
+npx vbguard . --fix
 
-# Output as JSON (for CI/CD)
-vibeguard . --json
+# Only scan git-changed files (fast!)
+npx vbguard . --diff
+
+# Watch mode -- re-scans on file changes
+npx vbguard . --watch
+
+# SARIF output for GitHub Code Scanning
+npx vbguard . --ci
+
+# Skip online checks (hallucinated packages)
+npx vbguard . --offline
 
 # Hide fix suggestions
-vibeguard . --no-fix
+npx vbguard . --no-fix
 
 # Ignore specific directories
-vibeguard . --ignore=tests,scripts
+npx vbguard . --ignore=tests,scripts
 ```
 
 ## CI/CD Integration
 
-### GitHub Actions
+### GitHub Actions (SARIF)
+
+vbguard outputs SARIF format, which integrates directly with GitHub's Security tab:
 
 ```yaml
-name: Security Scan
+name: vbguard Security Scan
 on: [push, pull_request]
 
 jobs:
-  vibeguard:
+  security-scan:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
-      - run: npx vibeguard . --severity=high
+      - name: Run vbguard
+        run: npx vbguard@latest . --ci --offline > results.sarif || true
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+        if: always()
 ```
 
-vibeguard exits with code 1 if critical or high severity issues are found, making it easy to block deploys.
+### Simple CI (fail on critical/high)
 
-### Pre-commit Hook
+```yaml
+- run: npx vbguard . --severity=high --offline
+```
+
+vbguard exits with code 1 if critical or high issues are found, blocking the deploy.
+
+## Pre-Commit Hook
+
+### Option 1: Husky
+
+```bash
+npm install --save-dev husky
+npx husky init
+echo "npx vbguard-precommit" > .husky/pre-commit
+```
+
+### Option 2: Manual git hook
 
 ```bash
-# .husky/pre-commit
-npx vibeguard . --severity=high
+cat > .git/hooks/pre-commit << 'EOF'
+#!/bin/sh
+npx vbguard-precommit
+EOF
+chmod +x .git/hooks/pre-commit
 ```
 
+The pre-commit hook:
+- Only scans **staged files** (fast)
+- Blocks commits with **critical or high** issues
+- Shows exactly what was blocked and why
+- Skips online checks for speed
+- Use `git commit --no-verify` to bypass if needed
+
 ## Example Output
 
 ```
-  ⚡ vibeguard v0.1.0
+  vbguard v0.5.0
   Security scanner for AI-generated code
 
   Scanning: /Users/dev/my-vibe-app
 
-  🚨 CRITICAL (3)
+  CRITICAL (3)
 
-    ▸ secret/openai-api-key
+    > secret/openai-api-key
       src/api/chat.ts:5
-      Hardcoded OpenAI API Key detected. AI tools commonly inline
-      credentials — this is a top cause of breaches in vibe-coded apps.
-      💡 Fix: Move to environment variable OPENAI_API_KEY.
-
-    ▸ frontend/stripe-secret-key-in-client
-      src/components/Checkout.tsx:12
-      Stripe Secret Key in Client found in client-side code. This will
-      be visible to anyone who opens browser DevTools.
-      💡 Fix: Stripe secret keys must NEVER be in frontend code.
-
-    ▸ dangerous/pickle-deserialization
-      api/data.py:23
-      pickle.load() allows arbitrary code execution when deserializing
-      untrusted data.
-      💡 Fix: Use json.loads() for data exchange.
-
-  🔴 HIGH (2)
-
-    ▸ defaults/no-rate-limiting
-      src/api/server.ts
-      No rate limiting detected on HTTP server.
-      💡 Fix: Add express-rate-limit.
-
-    ▸ defaults/permissive-cors
-      src/api/server.ts:8
-      CORS is set to allow all origins (*).
-      💡 Fix: Set specific origin: cors({ origin: 'https://yourdomain.com' })
-
-  ─────────────────────────────────────────
+      Hardcoded OpenAI API Key detected.
+      Fix: Move to environment variable OPENAI_API_KEY.
+
+    > auth/jwt-weak-secret
+      src/auth/login.ts:23
+      JWT signed with weak secret "password". Anyone can forge tokens.
+      Fix: Use a strong random secret from process.env.JWT_SECRET.
+
+    > hallucinated/npm-package-not-found
+      package.json
+      Package "react-auth-helper" does not exist on npm.
+      Fix: Remove and search for the correct package name.
+
+  HIGH (2)
+
+    > vibe/security-todo-left-behind
+      src/middleware.ts:12
+      "TODO: add authentication before deploying"
+      Fix: Implement the security feature now.
+
+    > auth/token-in-localstorage
+      src/hooks/useAuth.ts:45
+      Auth token stored in localStorage. Vulnerable to XSS.
+      Fix: Use httpOnly cookies instead.
+
+  -----------------------------------------
   5 issues found: 3 critical, 2 high
   Scanned 24 files in 12ms
 
-  ⚠ Fix critical and high severity issues before deploying!
+  Fix critical and high severity issues before deploying!
 ```
 
-## Why Not Just Use Snyk / Semgrep / SonarQube?
-
-Those tools are great for traditional code. But they weren't designed for AI-generated code patterns:
-
-- **Snyk** focuses on dependency vulnerabilities, not hardcoded secrets or missing middleware
-- **Semgrep** requires writing custom rules — vibeguard ships with AI-specific patterns out of the box
-- **SonarQube** is enterprise-heavy and takes hours to configure
+## Supported Languages
 
-vibeguard is opinionated, zero-config, and runs in milliseconds. It's built specifically for the patterns that Cursor, Claude Code, Copilot, Lovable, and Bolt introduce.
+- **JavaScript / TypeScript** -- Express, Fastify, Next.js, React, Vue, Svelte
+- **Python** -- Flask, FastAPI, Django
 
 ## How It Works
 
-vibeguard uses pattern matching (regex + structural analysis) against a curated ruleset of AI-specific vulnerability patterns. No AI, no API calls, no data leaves your machine. It runs entirely locally.
+vbguard uses pattern matching (regex + structural analysis) against a curated ruleset of AI-specific vulnerability patterns. No AI, no API calls (except optional package registry checks), no data leaves your machine.
 
-The ruleset is based on real-world breaches and academic research:
-- The Moltbook breach (Supabase misconfiguration)
+The ruleset is based on real-world breaches and research:
+- The Moltbook breach (Supabase misconfiguration + inverted auth)
 - Tenzai's 2025 study (69 vulnerabilities across 5 AI coding tools)
 - Escape.tech's scan of 5,600 vibe-coded apps
 - Georgia Tech's Vibe Security Radar (tracking AI-generated CVEs)
 
-## Contributing
-
-Contributions welcome. If you've found a vulnerability pattern that AI tools commonly introduce, open a PR to add it to the scanner.
+## Project Structure
 
 ```
 src/scanners/
-  secrets.js           # Hardcoded API keys, tokens, connection strings
-  dangerous-defaults.js # Missing auth, rate limiting, CORS, headers
-  dangerous-functions.js # eval, pickle, SQL injection, XSS
-  exposed-frontend.js   # Server secrets in client-side code
-  permissive-configs.js  # Supabase, Firebase, Docker misconfigs
-  dependencies.js       # Compromised/deprecated packages
-  gitignore.js          # Missing .gitignore entries
+  secrets.js              # Hardcoded API keys, tokens, connection strings
+  dangerous-defaults.js   # Missing auth, rate limiting, CORS, headers
+  dangerous-functions.js  # eval, pickle, SQL injection, XSS
+  exposed-frontend.js     # Server secrets in client-side code
+  permissive-configs.js   # Docker misconfigs
+  dependencies.js         # Compromised/deprecated packages
+  gitignore.js            # Missing .gitignore entries
+  hallucinated-packages.js # AI-hallucinated npm/PyPI packages
+  auth-flow.js            # Broken auth patterns
+  vibe-patterns.js        # AI-code-specific antipatterns
+  nextjs.js               # Next.js framework rules
+  supabase.js             # Supabase security rules
+  firebase.js             # Firebase security rules
 ```
 
+## Contributing
+
+Contributions welcome! If you've found a vulnerability pattern that AI tools commonly introduce, open a PR to add it.
+
+1. Add your pattern to the relevant scanner in `src/scanners/`
+2. Add a test case in `test/test.js`
+3. Run `npm test` to verify
+4. Open a PR with a description of the real-world scenario this catches
+
 ## License
 
 MIT

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "vbguard",
-  "version": "0.3.0",
+  "version": "0.5.1",
   "description": "Security scanner for AI-generated code. Catches what traditional scanners miss.",
   "main": "src/index.js",
   "bin": {
-    "vbguard": "./src/run.cmd"
+    "vbguard": "src/bin.js",
+    "vbguard-precommit": "src/precommit.js"
   },
   "scripts": {
     "start": "node src/cli.js",
@@ -32,4 +33,4 @@
     "README.md",
     "LICENSE"
   ]
-}
+}

package/src/bin.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require('./cli.js');

package/src/cli.js

@@ -1,6 +1,7 @@
+const fs = require('fs');
 const path = require('path');
 const { scanDirectory } = require('./index');
-const { formatReport } = require('./reporter');
+const { formatReport, formatSarif, formatScore, formatFixes } = require('./reporter');
 
 const args = process.argv.slice(2);
 
@@ -15,17 +16,33 @@ const HELP = `
     --severity=X    Minimum severity (low, medium, high, critical)
     --no-fix        Hide fix suggestions
     --ignore=X      Comma-separated patterns to ignore
+    --offline       Skip online checks (hallucinated package detection)
+    --fix           Generate .vbguard-fixes.md with suggested code changes
+    --diff          Only scan files changed since last git commit
+    --watch         Watch for file changes and re-scan automatically
+    --ci            Output results in SARIF format (for GitHub Code Scanning)
+    --score         Output a security score (0-100) for the project
     -h, --help      Show this help
     -v, --version   Show version
 `;
 
 function parseArgs(args) {
-  const opts = { dir: '.', json: false, severity: 'low', showFix: true, ignore: [] };
+  const opts = {
+    dir: '.', json: false, severity: 'low', showFix: true,
+    ignore: [], offline: false, fix: false, diff: false,
+    watch: false, ci: false, score: false,
+  };
   for (const arg of args) {
     if (arg === '-h' || arg === '--help') { console.log(HELP); process.exit(0); }
-    if (arg === '-v' || arg === '--version') { console.log('0.1.0'); process.exit(0); }
+    if (arg === '-v' || arg === '--version') { console.log('0.5.1'); process.exit(0); }
     if (arg === '--json') opts.json = true;
     else if (arg === '--no-fix') opts.showFix = false;
+    else if (arg === '--offline') opts.offline = true;
+    else if (arg === '--fix') opts.fix = true;
+    else if (arg === '--diff') opts.diff = true;
+    else if (arg === '--watch') opts.watch = true;
+    else if (arg === '--ci') opts.ci = true;
+    else if (arg === '--score') opts.score = true;
     else if (arg.startsWith('--severity=')) opts.severity = arg.split('=')[1];
     else if (arg.startsWith('--ignore=')) opts.ignore = arg.split('=')[1].split(',');
     else if (!arg.startsWith('-')) opts.dir = arg;
@@ -33,24 +50,86 @@ function parseArgs(args) {
   return opts;
 }
 
+async function runScan(opts) {
+  const targetDir = path.resolve(opts.dir);
+
+  const results = await scanDirectory(targetDir, opts);
+
+  if (opts.ci) {
+    console.log(JSON.stringify(formatSarif(results, targetDir), null, 2));
+  } else if (opts.score) {
+    formatScore(results);
+  } else if (opts.json) {
+    console.log(JSON.stringify(results, null, 2));
+  } else {
+    formatReport(results, opts);
+  }
+
+  if (opts.fix) {
+    const fixContent = formatFixes(results, targetDir);
+    const fixPath = path.join(targetDir, '.vbguard-fixes.md');
+    fs.writeFileSync(fixPath, fixContent);
+    console.log(`  \x1b[32m📝 Fix suggestions written to .vbguard-fixes.md\x1b[0m\n`);
+  }
+
+  return results;
+}
+
 async function main() {
   const opts = parseArgs(args);
   const targetDir = path.resolve(opts.dir);
 
+  if (opts.watch) {
+    // Watch mode
+    console.log('');
+    console.log('  \x1b[1m\x1b[35m⚡ vbguard\x1b[0m \x1b[2mv0.5.1 — watch mode\x1b[0m');
+    console.log(`  \x1b[2mWatching:\x1b[0m ${targetDir}`);
+    console.log('');
+
+    let debounceTimer = null;
+    const doScan = async () => {
+      try {
+        process.stdout.write('\x1b[2J\x1b[H'); // Clear terminal
+        console.log('');
+        console.log('  \x1b[1m\x1b[35m⚡ vbguard\x1b[0m \x1b[2mv0.5.1 — watch mode\x1b[0m');
+        console.log(`  \x1b[2mWatching:\x1b[0m ${targetDir}`);
+        console.log('');
+        await runScan(opts);
+        console.log('  \x1b[2mWatching for changes...\x1b[0m\n');
+      } catch (err) {
+        console.error(`\x1b[31m  Error: ${err.message}\x1b[0m`);
+      }
+    };
+
+    await doScan();
+    console.log('  \x1b[2mWatching for changes...\x1b[0m\n');
+
+    const IGNORE = new Set(['node_modules', '.git', '.next', 'dist', 'build', '.cache']);
+    fs.watch(targetDir, { recursive: true }, (eventType, filename) => {
+      if (!filename) return;
+      const parts = filename.split(path.sep);
+      if (parts.some(p => IGNORE.has(p))) return;
+      if (debounceTimer) clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(doScan, 500);
+    });
+
+    return; // Keep process alive
+  }
+
+  // Normal scan
   console.log('');
-  console.log('  \x1b[1m\x1b[35m\u26a1 vbguard\x1b[0m \x1b[2mv0.1.0\x1b[0m');
+  console.log('  \x1b[1m\x1b[35m⚡ vbguard\x1b[0m \x1b[2mv0.5.1\x1b[0m');
   console.log('  \x1b[2mSecurity scanner for AI-generated code\x1b[0m');
   console.log('');
-  console.log(`  \x1b[2mScanning:\x1b[0m ${targetDir}`);
+  if (opts.diff) {
+    console.log(`  \x1b[2mScanning changed files in:\x1b[0m ${targetDir}`);
+  } else {
+    console.log(`  \x1b[2mScanning:\x1b[0m ${targetDir}`);
+  }
   console.log('');
 
   try {
-    const results = await scanDirectory(targetDir, opts);
-    if (opts.json) {
-      console.log(JSON.stringify(results, null, 2));
-    } else {
-      formatReport(results, opts);
-    }
+    const results = await runScan(opts);
     const hasCritical = results.findings.some(f => f.severity === 'critical' || f.severity === 'high');
     process.exit(hasCritical ? 1 : 0);
   } catch (err) {
@@ -59,4 +138,4 @@ async function main() {
   }
 }
 
-main();
+main();

package/src/index.js

@@ -1,5 +1,6 @@
 const fs = require('fs');
 const path = require('path');
+const { execSync } = require('child_process');
 
 const { scanSecrets } = require('./scanners/secrets');
 const { scanDangerousDefaults } = require('./scanners/dangerous-defaults');
@@ -8,6 +9,12 @@ const { scanMissingGitignore } = require('./scanners/gitignore');
 const { scanDangerousFunctions } = require('./scanners/dangerous-functions');
 const { scanPermissiveConfigs } = require('./scanners/permissive-configs');
 const { scanDependencies } = require('./scanners/dependencies');
+const { scanHallucinatedPackages } = require('./scanners/hallucinated-packages');
+const { scanAuthFlow } = require('./scanners/auth-flow');
+const { scanVibePatterns } = require('./scanners/vibe-patterns');
+const { scanNextjs, scanNextjsProject } = require('./scanners/nextjs');
+const { scanSupabase } = require('./scanners/supabase');
+const { scanFirebase } = require('./scanners/firebase');
 
 const IGNORE_DIRS = new Set([
   'node_modules', '.git', '.next', '__pycache__', '.venv', 'venv',
@@ -68,6 +75,28 @@ function walkDir(dir, ignore = []) {
   return files;
 }
 
+function getChangedFiles(dir) {
+  try {
+    // Get both staged and unstaged changed files
+    const staged = execSync('git diff --cached --name-only', { cwd: dir, encoding: 'utf-8' }).trim();
+    const unstaged = execSync('git diff --name-only', { cwd: dir, encoding: 'utf-8' }).trim();
+    const untracked = execSync('git ls-files --others --exclude-standard', { cwd: dir, encoding: 'utf-8' }).trim();
+    const all = [staged, unstaged, untracked].filter(Boolean).join('\n');
+    return [...new Set(all.split('\n').filter(Boolean))].map(f => path.resolve(dir, f));
+  } catch {
+    return null; // Not a git repo
+  }
+}
+
+function getStagedFiles(dir) {
+  try {
+    const staged = execSync('git diff --cached --name-only', { cwd: dir, encoding: 'utf-8' }).trim();
+    return staged ? staged.split('\n').map(f => path.resolve(dir, f)) : [];
+  } catch {
+    return [];
+  }
+}
+
 async function scanDirectory(dir, opts = {}) {
   const startTime = Date.now();
 
@@ -75,7 +104,19 @@ async function scanDirectory(dir, opts = {}) {
     throw new Error(`Directory not found: ${dir}`);
   }
 
-  const files = walkDir(dir, opts.ignore || []);
+  let files;
+  if (opts.diff) {
+    const changed = getChangedFiles(dir);
+    if (changed === null) {
+      throw new Error('--diff requires a git repository');
+    }
+    files = changed.filter(f => shouldScanFile(f));
+  } else if (opts.staged) {
+    const staged = getStagedFiles(dir);
+    files = staged.filter(f => shouldScanFile(f));
+  } else {
+    files = walkDir(dir, opts.ignore || []);
+  }
   const findings = [];
   let filesScanned = 0;
 
@@ -103,11 +144,22 @@ async function scanDirectory(dir, opts = {}) {
     findings.push(...scanExposedFrontend(ctx));
     findings.push(...scanDangerousFunctions(ctx));
     findings.push(...scanPermissiveConfigs(ctx));
+    findings.push(...scanAuthFlow(ctx));
+    findings.push(...scanVibePatterns(ctx));
+    findings.push(...scanNextjs(ctx, dir));
+    findings.push(...scanSupabase(ctx));
+    findings.push(...scanFirebase(ctx));
   }
 
   // Project-level scanners
   findings.push(...scanMissingGitignore(dir));
   findings.push(...(await scanDependencies(dir)));
+  findings.push(...scanNextjsProject(dir));
+
+  // Online scanners (can be skipped with --offline)
+  if (!opts.offline) {
+    findings.push(...(await scanHallucinatedPackages(dir, opts)));
+  }
 
   // Filter by severity
   const severityOrder = { critical: 4, high: 3, medium: 2, low: 1 };