vibe-shield 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,51 @@
+# vibe-shield
+
+The security layer for Vibe Coding. A single command that scans your repo and generates auto-fix prompts for Cursor and Claude Code to secure your app instantly.
+
+## Usage
+
+```bash
+npx vibe-shield
+```
+
+That's it. Run it in your project directory and it will scan for security issues.
+
+## What it detects
+
+- Hardcoded secrets (API keys, passwords, AWS keys, JWT secrets)
+- SQL injection (template literals and string concatenation in queries)
+- Command injection (user input in shell commands)
+- XSS vulnerabilities (innerHTML with user data)
+- Weak cryptography (MD5, SHA1)
+- Security misconfigurations (disabled SSL, CORS wildcards)
+- Path traversal (user input in file operations)
+- NoSQL injection ($where operator)
+- Python issues (pickle with untrusted data, shell=True)
+
+## How it works
+
+When vibe-shield finds an issue, it outputs a prompt your AI agent can follow:
+
+```
+[TASK 1] Fix Hardcoded Secret in src/db.ts at line 12
+[FOUND]: api_key = "sk-1234..."
+[INSTRUCTION]: Move this secret to an environment variable...
+```
+
+Paste this output to Cursor or Claude Code and it will fix the issues for you.
+
+## Agent integration
+
+Run `npx vibe-shield init` to create a `.cursorrules` file that reminds your AI agent to run security checks before completing tasks.
+
+## Development
+
+```bash
+bun install
+bun run dev
+bun run build
+```
+
+## License
+
+MIT

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,431 @@
+#!/usr/bin/env node
+
+// src/scanner.ts
+import { readFileSync, readdirSync, statSync } from "fs";
+import { join, extname } from "path";
+
+// src/patterns.ts
+var securityPatterns = [
+  {
+    id: "hardcoded-secret",
+    name: "Hardcoded Secret",
+    regex: /(?:api_?key|api_?secret|secret_?key|auth_?token|access_?token|private_?key|client_?secret)\s*[:=]\s*['"`][A-Za-z0-9_\-\.\/\+]{8,}['"`]/gi,
+    fixPrompt: "Move this secret to an environment variable. Add it to .env and use process.env.YOUR_SECRET. Add .env to .gitignore."
+  },
+  {
+    id: "hardcoded-password",
+    name: "Hardcoded Password",
+    regex: /(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`\s]{4,}['"`]/gi,
+    fixPrompt: "Move this password to an environment variable. Never commit passwords to version control."
+  },
+  {
+    id: "aws-key",
+    name: "AWS Access Key",
+    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/g,
+    fixPrompt: "AWS access key detected. Remove it immediately and rotate the key in AWS console. Use environment variables or AWS IAM roles."
+  },
+  {
+    id: "jwt-secret-inline",
+    name: "Hardcoded JWT Secret",
+    regex: /jwt\.sign\s*\([^)]+,\s*['"`][^'"`]{8,}['"`]/gi,
+    fixPrompt: "Move JWT secret to an environment variable. Hardcoded secrets get committed to version control."
+  },
+  {
+    id: "sql-injection-template",
+    name: "SQL Injection",
+    regex: /(?:query|execute)\s*\(\s*`(?:SELECT|INSERT|UPDATE|DELETE|DROP)[^`]*\$\{/gi,
+    fixPrompt: "Use parameterized queries instead of template literals. Example: query('SELECT * FROM users WHERE id = ?', [userId])"
+  },
+  {
+    id: "sql-injection-concat",
+    name: "SQL Injection",
+    regex: /(?:query|execute)\s*\(\s*['"](?:SELECT|INSERT|UPDATE|DELETE)[^'"]*['"]\s*\+/gi,
+    fixPrompt: "Never concatenate variables into SQL strings. Use parameterized queries with placeholders."
+  },
+  {
+    id: "command-injection",
+    name: "Command Injection",
+    regex: /(?:exec|execSync)\s*\(\s*`[^`]*\$\{/g,
+    fixPrompt: "Avoid template literals in shell commands. Use spawn() with an array of arguments, or use a library like shell-escape."
+  },
+  {
+    id: "command-injection-concat",
+    name: "Command Injection",
+    regex: /(?:exec|execSync)\s*\([^)]*\+\s*(?:req\.|user|input|param|query|body)/gi,
+    fixPrompt: "User input in shell commands allows arbitrary command execution. Use spawn() with argument arrays."
+  },
+  {
+    id: "eval-usage",
+    name: "Dangerous eval()",
+    regex: /[=:]\s*eval\s*\(\s*(?:req\.|user|input|param|query|body|data)/gi,
+    fixPrompt: "eval() with user input allows arbitrary code execution. Use JSON.parse() for JSON, or refactor to avoid eval entirely."
+  },
+  {
+    id: "new-function",
+    name: "Dangerous Function Constructor",
+    regex: /new\s+Function\s*\([^)]*(?:req\.|user|input|param|query|body)/gi,
+    fixPrompt: "new Function() with user input is as dangerous as eval(). Refactor to avoid dynamic code generation."
+  },
+  {
+    id: "innerhtml-variable",
+    name: "XSS via innerHTML",
+    regex: /\.innerHTML\s*=\s*(?:req\.|user|input|param|query|body|data|props\.|this\.)/gi,
+    fixPrompt: "Setting innerHTML with user data enables XSS attacks. Use textContent or sanitize with DOMPurify."
+  },
+  {
+    id: "react-dangerous-html",
+    name: "React XSS Risk",
+    regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?:props\.|this\.|data|user|input)/gi,
+    fixPrompt: "dangerouslySetInnerHTML with user data enables XSS. Sanitize HTML with DOMPurify first."
+  },
+  {
+    id: "weak-hash-md5",
+    name: "Weak Hash (MD5)",
+    regex: /createHash\s*\(\s*['"`]md5['"`]\s*\)/g,
+    fixPrompt: "MD5 is broken. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+  },
+  {
+    id: "weak-hash-sha1",
+    name: "Weak Hash (SHA1)",
+    regex: /createHash\s*\(\s*['"`]sha1['"`]\s*\)/g,
+    fixPrompt: "SHA1 is deprecated for security. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+  },
+  {
+    id: "ssl-disabled",
+    name: "SSL Verification Disabled",
+    regex: /rejectUnauthorized\s*:\s*false/g,
+    fixPrompt: "Disabling SSL verification allows man-in-the-middle attacks. Remove this or set to true."
+  },
+  {
+    id: "cors-wildcard",
+    name: "CORS Allows All Origins",
+    regex: /['"`]Access-Control-Allow-Origin['"`]\s*[,:]\s*['"`]\*['"`]/g,
+    fixPrompt: "CORS wildcard (*) allows any website to make requests. Specify allowed origins explicitly."
+  },
+  {
+    id: "path-traversal",
+    name: "Path Traversal Risk",
+    regex: /(?:readFile|writeFile|readFileSync|writeFileSync)\s*\(\s*(?:req\.|user|input|param|query|body)/gi,
+    fixPrompt: "User input in file paths allows reading/writing arbitrary files. Validate paths with path.resolve() and check they're within allowed directories."
+  },
+  {
+    id: "nosql-where",
+    name: "NoSQL Injection ($where)",
+    regex: /\.(find|findOne)\s*\(\s*\{[^}]*\$where\s*:/g,
+    fixPrompt: "$where executes JavaScript and enables NoSQL injection. Use standard MongoDB query operators."
+  },
+  {
+    id: "pickle-load",
+    name: "Insecure Pickle (Python)",
+    regex: /pickle\.loads?\s*\(\s*(?:request|user|input|data|file)/gi,
+    fixPrompt: "pickle.load with untrusted data allows arbitrary code execution. Use JSON for untrusted data."
+  },
+  {
+    id: "python-shell",
+    name: "Shell Injection (Python)",
+    regex: /subprocess\.\w+\s*\([^)]*shell\s*=\s*True[^)]*(?:request|user|input|param)/gi,
+    fixPrompt: "shell=True with user input enables command injection. Pass command as a list without shell=True."
+  }
+];
+
+// src/scanner.ts
+var SUPPORTED_EXTENSIONS = [".js", ".ts", ".jsx", ".tsx", ".py", ".mjs", ".cjs"];
+var IGNORED_DIRS = [
+  "node_modules",
+  ".git",
+  ".next",
+  "dist",
+  "build",
+  ".venv",
+  "__pycache__",
+  "coverage",
+  ".turbo"
+];
+function collectFiles(dir, files = []) {
+  let stat;
+  try {
+    stat = statSync(dir);
+  } catch {
+    return files;
+  }
+  if (stat.isFile()) {
+    const ext = extname(dir).toLowerCase();
+    if (SUPPORTED_EXTENSIONS.includes(ext)) {
+      files.push(dir);
+    }
+    return files;
+  }
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return files;
+  }
+  for (const entry of entries) {
+    const fullPath = join(dir, entry);
+    try {
+      const entryStat = statSync(fullPath);
+      if (entryStat.isDirectory()) {
+        if (!IGNORED_DIRS.includes(entry) && !entry.startsWith(".")) {
+          collectFiles(fullPath, files);
+        }
+      } else if (entryStat.isFile()) {
+        const ext = extname(entry).toLowerCase();
+        if (SUPPORTED_EXTENSIONS.includes(ext)) {
+          files.push(fullPath);
+        }
+      }
+    } catch {
+      continue;
+    }
+  }
+  return files;
+}
+function getLineNumber(content, matchIndex) {
+  const lines = content.substring(0, matchIndex).split(`
+`);
+  return lines.length;
+}
+function scanFile(filePath) {
+  const issues = [];
+  let content;
+  try {
+    content = readFileSync(filePath, "utf-8");
+  } catch {
+    return issues;
+  }
+  for (const pattern of securityPatterns) {
+    pattern.regex.lastIndex = 0;
+    let match;
+    while ((match = pattern.regex.exec(content)) !== null) {
+      const line = getLineNumber(content, match.index);
+      const matchText = match[0];
+      issues.push({
+        file: filePath,
+        line,
+        patternId: pattern.id,
+        patternName: pattern.name,
+        fixPrompt: pattern.fixPrompt,
+        match: matchText.length > 60 ? matchText.substring(0, 60) + "..." : matchText
+      });
+    }
+  }
+  return issues;
+}
+function scanFiles(dir) {
+  const files = collectFiles(dir);
+  const allIssues = [];
+  for (const file of files) {
+    const issues = scanFile(file);
+    allIssues.push(...issues);
+  }
+  return allIssues;
+}
+
+// src/prompter.ts
+function formatAgentPrompt(issues) {
+  if (!issues || issues.length === 0) {
+    return "";
+  }
+  const lines = [
+    "═══════════════════════════════════════════════════════════════",
+    "  HEY AGENT, PLEASE FIX THE FOLLOWING SECURITY ISSUES:",
+    "═══════════════════════════════════════════════════════════════",
+    ""
+  ];
+  issues.forEach((issue, index) => {
+    lines.push(`[TASK ${index + 1}] Fix ${issue.patternName} in ${issue.file} at line ${issue.line}`);
+    lines.push(`[FOUND]: ${issue.match}`);
+    lines.push(`[INSTRUCTION]: ${issue.fixPrompt}`);
+    lines.push("");
+  });
+  lines.push("═══════════════════════════════════════════════════════════════");
+  lines.push(`  Total issues: ${issues.length}`);
+  lines.push("═══════════════════════════════════════════════════════════════");
+  return lines.join(`
+`);
+}
+function generateSummary(issues) {
+  const summary = {};
+  for (const issue of issues) {
+    if (!summary[issue.patternName]) {
+      summary[issue.patternName] = 0;
+    }
+    summary[issue.patternName]++;
+  }
+  return summary;
+}
+
+// src/init.ts
+import { writeFileSync, existsSync, readFileSync as readFileSync2 } from "fs";
+import { join as join2 } from "path";
+var CURSORRULES_CONTENT = `# Vibe Shield Security Rules
+
+Before marking a task as done, run \`npx vibe-shield\`. If issues are found, follow the [INSTRUCTION] provided in the output to fix them.
+
+## Security Checklist
+- [ ] No hardcoded secrets (API keys, passwords, tokens)
+- [ ] No dangerous code execution (eval, shell injection)
+- [ ] No SQL injection vulnerabilities (use parameterized queries)
+- [ ] All secrets stored in environment variables
+- [ ] HTTPS used for all external URLs
+`;
+function initVibeShield(dir) {
+  const cursorrulesPath = join2(dir, ".cursorrules");
+  if (existsSync(cursorrulesPath)) {
+    try {
+      const existingContent = readFileSync2(cursorrulesPath, "utf-8");
+      if (existingContent.includes("vibe-shield") || existingContent.includes("Vibe Shield")) {
+        return {
+          success: false,
+          message: "Vibe Shield rules already exist in .cursorrules",
+          path: cursorrulesPath
+        };
+      }
+      const newContent = existingContent + `
+
+` + CURSORRULES_CONTENT;
+      writeFileSync(cursorrulesPath, newContent, "utf-8");
+      return {
+        success: true,
+        message: "Vibe Shield rules appended to existing .cursorrules",
+        path: cursorrulesPath
+      };
+    } catch (err) {
+      return {
+        success: false,
+        message: `Failed to update .cursorrules: ${err instanceof Error ? err.message : "Unknown error"}`,
+        path: cursorrulesPath
+      };
+    }
+  }
+  try {
+    writeFileSync(cursorrulesPath, CURSORRULES_CONTENT, "utf-8");
+    return {
+      success: true,
+      message: ".cursorrules created successfully!",
+      path: cursorrulesPath
+    };
+  } catch (err) {
+    return {
+      success: false,
+      message: `Failed to create .cursorrules: ${err instanceof Error ? err.message : "Unknown error"}`,
+      path: cursorrulesPath
+    };
+  }
+}
+
+// src/cli.ts
+var VERSION = "1.0.0";
+var colors = {
+  reset: "\x1B[0m",
+  cyan: "\x1B[36m",
+  green: "\x1B[32m",
+  red: "\x1B[31m",
+  yellow: "\x1B[33m",
+  dim: "\x1B[2m",
+  bold: "\x1B[1m"
+};
+function printBanner() {
+  console.log(colors.cyan + `
+╦  ╦╦╔╗ ╔═╗  ╔═╗╦ ╦╦╔═╗╦  ╔╦╗
+╚╗╔╝║╠╩╗║╣   ╚═╗╠═╣║║╣ ║   ║║
+ ╚╝ ╩╚═╝╚═╝  ╚═╝╩ ╩╩╚═╝╩═╝═╩╝
+` + colors.reset);
+  console.log(colors.dim + `  v${VERSION} - Security scanner for vibe coders
+` + colors.reset);
+}
+function printHelp() {
+  printBanner();
+  console.log("Usage:");
+  console.log(colors.dim + `  vibe-shield [command] [options]
+` + colors.reset);
+  console.log("Commands:");
+  console.log(colors.green + "  scan [path]" + colors.reset + colors.dim + "   Scan for security issues (default: .)" + colors.reset);
+  console.log(colors.green + "  init" + colors.reset + colors.dim + "          Create .cursorrules for AI agent integration" + colors.reset);
+  console.log(colors.green + "  help" + colors.reset + colors.dim + "          Show this help message" + colors.reset);
+  console.log(colors.green + "  version" + colors.reset + colors.dim + `       Show version number
+` + colors.reset);
+  console.log("Examples:");
+  console.log(colors.dim + "  npx vibe-shield" + colors.reset);
+  console.log(colors.dim + "  npx vibe-shield scan ./src" + colors.reset);
+  console.log(colors.dim + `  npx vibe-shield init
+` + colors.reset);
+}
+function printVersion() {
+  console.log(`vibe-shield v${VERSION}`);
+}
+function runInit(dir) {
+  printBanner();
+  console.log(colors.yellow + `Initializing vibe-shield...
+` + colors.reset);
+  const result = initVibeShield(dir);
+  if (result.success) {
+    console.log(colors.green + "✓ " + colors.reset + result.message);
+    console.log(colors.dim + `  Created: ${result.path}
+` + colors.reset);
+    console.log("Your AI agent will now run vibe-shield before completing tasks.");
+    console.log(colors.dim + `Happy vibe coding!
+` + colors.reset);
+    process.exit(0);
+  } else {
+    console.log(colors.red + "✗ " + colors.reset + result.message);
+    process.exit(1);
+  }
+}
+function runScan(dir) {
+  printBanner();
+  console.log(colors.yellow + `Scanning ${dir}...
+` + colors.reset);
+  const issues = scanFiles(dir);
+  if (issues.length === 0) {
+    console.log(colors.green + colors.bold + "✓ SAFE" + colors.reset);
+    console.log(colors.dim + `No security issues detected. Ship it!
+` + colors.reset);
+    process.exit(0);
+  }
+  const summary = generateSummary(issues);
+  console.log(colors.red + colors.bold + `✗ Found ${issues.length} security issue${issues.length > 1 ? "s" : ""}
+` + colors.reset);
+  console.log("Summary:");
+  for (const [pattern, count] of Object.entries(summary)) {
+    console.log(colors.dim + `  • ${pattern}: ${count}` + colors.reset);
+  }
+  console.log("");
+  const agentPrompt = formatAgentPrompt(issues);
+  console.log(colors.yellow + agentPrompt + colors.reset);
+  console.log("");
+  process.exit(1);
+}
+var args = process.argv.slice(2);
+var command = args[0] || "scan";
+var targetDir = args[1] || process.cwd();
+switch (command) {
+  case "init":
+    runInit(targetDir === process.cwd() ? process.cwd() : targetDir);
+    break;
+  case "scan":
+    runScan(targetDir);
+    break;
+  case "help":
+  case "--help":
+  case "-h":
+    printHelp();
+    process.exit(0);
+    break;
+  case "version":
+  case "--version":
+  case "-v":
+    printVersion();
+    process.exit(0);
+    break;
+  default:
+    if (command.startsWith(".") || command.startsWith("/")) {
+      runScan(command);
+    } else {
+      console.log(colors.red + `Unknown command: ${command}` + colors.reset);
+      console.log(colors.dim + `Run "vibe-shield help" for usage.
+` + colors.reset);
+      process.exit(1);
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export { scanFiles } from "./scanner";
+export { formatAgentPrompt, generateSummary } from "./prompter";
+export { initVibeShield } from "./init";
+export { securityPatterns } from "./patterns";
+export type { SecurityPattern, SecurityIssue, InitResult, IssueSummary } from "./types";

package/dist/index.js

@@ -0,0 +1,319 @@
+// src/scanner.ts
+import { readFileSync, readdirSync, statSync } from "fs";
+import { join, extname } from "path";
+
+// src/patterns.ts
+var securityPatterns = [
+  {
+    id: "hardcoded-secret",
+    name: "Hardcoded Secret",
+    regex: /(?:api_?key|api_?secret|secret_?key|auth_?token|access_?token|private_?key|client_?secret)\s*[:=]\s*['"`][A-Za-z0-9_\-\.\/\+]{8,}['"`]/gi,
+    fixPrompt: "Move this secret to an environment variable. Add it to .env and use process.env.YOUR_SECRET. Add .env to .gitignore."
+  },
+  {
+    id: "hardcoded-password",
+    name: "Hardcoded Password",
+    regex: /(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`\s]{4,}['"`]/gi,
+    fixPrompt: "Move this password to an environment variable. Never commit passwords to version control."
+  },
+  {
+    id: "aws-key",
+    name: "AWS Access Key",
+    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/g,
+    fixPrompt: "AWS access key detected. Remove it immediately and rotate the key in AWS console. Use environment variables or AWS IAM roles."
+  },
+  {
+    id: "jwt-secret-inline",
+    name: "Hardcoded JWT Secret",
+    regex: /jwt\.sign\s*\([^)]+,\s*['"`][^'"`]{8,}['"`]/gi,
+    fixPrompt: "Move JWT secret to an environment variable. Hardcoded secrets get committed to version control."
+  },
+  {
+    id: "sql-injection-template",
+    name: "SQL Injection",
+    regex: /(?:query|execute)\s*\(\s*`(?:SELECT|INSERT|UPDATE|DELETE|DROP)[^`]*\$\{/gi,
+    fixPrompt: "Use parameterized queries instead of template literals. Example: query('SELECT * FROM users WHERE id = ?', [userId])"
+  },
+  {
+    id: "sql-injection-concat",
+    name: "SQL Injection",
+    regex: /(?:query|execute)\s*\(\s*['"](?:SELECT|INSERT|UPDATE|DELETE)[^'"]*['"]\s*\+/gi,
+    fixPrompt: "Never concatenate variables into SQL strings. Use parameterized queries with placeholders."
+  },
+  {
+    id: "command-injection",
+    name: "Command Injection",
+    regex: /(?:exec|execSync)\s*\(\s*`[^`]*\$\{/g,
+    fixPrompt: "Avoid template literals in shell commands. Use spawn() with an array of arguments, or use a library like shell-escape."
+  },
+  {
+    id: "command-injection-concat",
+    name: "Command Injection",
+    regex: /(?:exec|execSync)\s*\([^)]*\+\s*(?:req\.|user|input|param|query|body)/gi,
+    fixPrompt: "User input in shell commands allows arbitrary command execution. Use spawn() with argument arrays."
+  },
+  {
+    id: "eval-usage",
+    name: "Dangerous eval()",
+    regex: /[=:]\s*eval\s*\(\s*(?:req\.|user|input|param|query|body|data)/gi,
+    fixPrompt: "eval() with user input allows arbitrary code execution. Use JSON.parse() for JSON, or refactor to avoid eval entirely."
+  },
+  {
+    id: "new-function",
+    name: "Dangerous Function Constructor",
+    regex: /new\s+Function\s*\([^)]*(?:req\.|user|input|param|query|body)/gi,
+    fixPrompt: "new Function() with user input is as dangerous as eval(). Refactor to avoid dynamic code generation."
+  },
+  {
+    id: "innerhtml-variable",
+    name: "XSS via innerHTML",
+    regex: /\.innerHTML\s*=\s*(?:req\.|user|input|param|query|body|data|props\.|this\.)/gi,
+    fixPrompt: "Setting innerHTML with user data enables XSS attacks. Use textContent or sanitize with DOMPurify."
+  },
+  {
+    id: "react-dangerous-html",
+    name: "React XSS Risk",
+    regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?:props\.|this\.|data|user|input)/gi,
+    fixPrompt: "dangerouslySetInnerHTML with user data enables XSS. Sanitize HTML with DOMPurify first."
+  },
+  {
+    id: "weak-hash-md5",
+    name: "Weak Hash (MD5)",
+    regex: /createHash\s*\(\s*['"`]md5['"`]\s*\)/g,
+    fixPrompt: "MD5 is broken. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+  },
+  {
+    id: "weak-hash-sha1",
+    name: "Weak Hash (SHA1)",
+    regex: /createHash\s*\(\s*['"`]sha1['"`]\s*\)/g,
+    fixPrompt: "SHA1 is deprecated for security. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+  },
+  {
+    id: "ssl-disabled",
+    name: "SSL Verification Disabled",
+    regex: /rejectUnauthorized\s*:\s*false/g,
+    fixPrompt: "Disabling SSL verification allows man-in-the-middle attacks. Remove this or set to true."
+  },
+  {
+    id: "cors-wildcard",
+    name: "CORS Allows All Origins",
+    regex: /['"`]Access-Control-Allow-Origin['"`]\s*[,:]\s*['"`]\*['"`]/g,
+    fixPrompt: "CORS wildcard (*) allows any website to make requests. Specify allowed origins explicitly."
+  },
+  {
+    id: "path-traversal",
+    name: "Path Traversal Risk",
+    regex: /(?:readFile|writeFile|readFileSync|writeFileSync)\s*\(\s*(?:req\.|user|input|param|query|body)/gi,
+    fixPrompt: "User input in file paths allows reading/writing arbitrary files. Validate paths with path.resolve() and check they're within allowed directories."
+  },
+  {
+    id: "nosql-where",
+    name: "NoSQL Injection ($where)",
+    regex: /\.(find|findOne)\s*\(\s*\{[^}]*\$where\s*:/g,
+    fixPrompt: "$where executes JavaScript and enables NoSQL injection. Use standard MongoDB query operators."
+  },
+  {
+    id: "pickle-load",
+    name: "Insecure Pickle (Python)",
+    regex: /pickle\.loads?\s*\(\s*(?:request|user|input|data|file)/gi,
+    fixPrompt: "pickle.load with untrusted data allows arbitrary code execution. Use JSON for untrusted data."
+  },
+  {
+    id: "python-shell",
+    name: "Shell Injection (Python)",
+    regex: /subprocess\.\w+\s*\([^)]*shell\s*=\s*True[^)]*(?:request|user|input|param)/gi,
+    fixPrompt: "shell=True with user input enables command injection. Pass command as a list without shell=True."
+  }
+];
+
+// src/scanner.ts
+var SUPPORTED_EXTENSIONS = [".js", ".ts", ".jsx", ".tsx", ".py", ".mjs", ".cjs"];
+var IGNORED_DIRS = [
+  "node_modules",
+  ".git",
+  ".next",
+  "dist",
+  "build",
+  ".venv",
+  "__pycache__",
+  "coverage",
+  ".turbo"
+];
+function collectFiles(dir, files = []) {
+  let stat;
+  try {
+    stat = statSync(dir);
+  } catch {
+    return files;
+  }
+  if (stat.isFile()) {
+    const ext = extname(dir).toLowerCase();
+    if (SUPPORTED_EXTENSIONS.includes(ext)) {
+      files.push(dir);
+    }
+    return files;
+  }
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return files;
+  }
+  for (const entry of entries) {
+    const fullPath = join(dir, entry);
+    try {
+      const entryStat = statSync(fullPath);
+      if (entryStat.isDirectory()) {
+        if (!IGNORED_DIRS.includes(entry) && !entry.startsWith(".")) {
+          collectFiles(fullPath, files);
+        }
+      } else if (entryStat.isFile()) {
+        const ext = extname(entry).toLowerCase();
+        if (SUPPORTED_EXTENSIONS.includes(ext)) {
+          files.push(fullPath);
+        }
+      }
+    } catch {
+      continue;
+    }
+  }
+  return files;
+}
+function getLineNumber(content, matchIndex) {
+  const lines = content.substring(0, matchIndex).split(`
+`);
+  return lines.length;
+}
+function scanFile(filePath) {
+  const issues = [];
+  let content;
+  try {
+    content = readFileSync(filePath, "utf-8");
+  } catch {
+    return issues;
+  }
+  for (const pattern of securityPatterns) {
+    pattern.regex.lastIndex = 0;
+    let match;
+    while ((match = pattern.regex.exec(content)) !== null) {
+      const line = getLineNumber(content, match.index);
+      const matchText = match[0];
+      issues.push({
+        file: filePath,
+        line,
+        patternId: pattern.id,
+        patternName: pattern.name,
+        fixPrompt: pattern.fixPrompt,
+        match: matchText.length > 60 ? matchText.substring(0, 60) + "..." : matchText
+      });
+    }
+  }
+  return issues;
+}
+function scanFiles(dir) {
+  const files = collectFiles(dir);
+  const allIssues = [];
+  for (const file of files) {
+    const issues = scanFile(file);
+    allIssues.push(...issues);
+  }
+  return allIssues;
+}
+// src/prompter.ts
+function formatAgentPrompt(issues) {
+  if (!issues || issues.length === 0) {
+    return "";
+  }
+  const lines = [
+    "═══════════════════════════════════════════════════════════════",
+    "  HEY AGENT, PLEASE FIX THE FOLLOWING SECURITY ISSUES:",
+    "═══════════════════════════════════════════════════════════════",
+    ""
+  ];
+  issues.forEach((issue, index) => {
+    lines.push(`[TASK ${index + 1}] Fix ${issue.patternName} in ${issue.file} at line ${issue.line}`);
+    lines.push(`[FOUND]: ${issue.match}`);
+    lines.push(`[INSTRUCTION]: ${issue.fixPrompt}`);
+    lines.push("");
+  });
+  lines.push("═══════════════════════════════════════════════════════════════");
+  lines.push(`  Total issues: ${issues.length}`);
+  lines.push("═══════════════════════════════════════════════════════════════");
+  return lines.join(`
+`);
+}
+function generateSummary(issues) {
+  const summary = {};
+  for (const issue of issues) {
+    if (!summary[issue.patternName]) {
+      summary[issue.patternName] = 0;
+    }
+    summary[issue.patternName]++;
+  }
+  return summary;
+}
+// src/init.ts
+import { writeFileSync, existsSync, readFileSync as readFileSync2 } from "fs";
+import { join as join2 } from "path";
+var CURSORRULES_CONTENT = `# Vibe Shield Security Rules
+
+Before marking a task as done, run \`npx vibe-shield\`. If issues are found, follow the [INSTRUCTION] provided in the output to fix them.
+
+## Security Checklist
+- [ ] No hardcoded secrets (API keys, passwords, tokens)
+- [ ] No dangerous code execution (eval, shell injection)
+- [ ] No SQL injection vulnerabilities (use parameterized queries)
+- [ ] All secrets stored in environment variables
+- [ ] HTTPS used for all external URLs
+`;
+function initVibeShield(dir) {
+  const cursorrulesPath = join2(dir, ".cursorrules");
+  if (existsSync(cursorrulesPath)) {
+    try {
+      const existingContent = readFileSync2(cursorrulesPath, "utf-8");
+      if (existingContent.includes("vibe-shield") || existingContent.includes("Vibe Shield")) {
+        return {
+          success: false,
+          message: "Vibe Shield rules already exist in .cursorrules",
+          path: cursorrulesPath
+        };
+      }
+      const newContent = existingContent + `
+
+` + CURSORRULES_CONTENT;
+      writeFileSync(cursorrulesPath, newContent, "utf-8");
+      return {
+        success: true,
+        message: "Vibe Shield rules appended to existing .cursorrules",
+        path: cursorrulesPath
+      };
+    } catch (err) {
+      return {
+        success: false,
+        message: `Failed to update .cursorrules: ${err instanceof Error ? err.message : "Unknown error"}`,
+        path: cursorrulesPath
+      };
+    }
+  }
+  try {
+    writeFileSync(cursorrulesPath, CURSORRULES_CONTENT, "utf-8");
+    return {
+      success: true,
+      message: ".cursorrules created successfully!",
+      path: cursorrulesPath
+    };
+  } catch (err) {
+    return {
+      success: false,
+      message: `Failed to create .cursorrules: ${err instanceof Error ? err.message : "Unknown error"}`,
+      path: cursorrulesPath
+    };
+  }
+}
+export {
+  securityPatterns,
+  scanFiles,
+  initVibeShield,
+  generateSummary,
+  formatAgentPrompt
+};

package/dist/init.d.ts

@@ -0,0 +1,5 @@
+import type { InitResult } from "./types";
+/**
+ * Initialize vibe-shield in a project by creating or appending to .cursorrules file.
+ */
+export declare function initVibeShield(dir: string): InitResult;

package/dist/patterns.d.ts

@@ -0,0 +1,6 @@
+import type { SecurityPattern } from "./types";
+/**
+ * Security patterns for detecting vulnerabilities in AI-generated code.
+ * Focused on high-confidence issues that are actually problems.
+ */
+export declare const securityPatterns: SecurityPattern[];

package/dist/prompter.d.ts

@@ -0,0 +1,9 @@
+import type { SecurityIssue, IssueSummary } from "./types";
+/**
+ * Format issues into an "Agent Protocol" string that AI agents can read and act on.
+ */
+export declare function formatAgentPrompt(issues: SecurityIssue[]): string;
+/**
+ * Generate a summary of issues by type.
+ */
+export declare function generateSummary(issues: SecurityIssue[]): IssueSummary;

package/dist/scanner.d.ts

@@ -0,0 +1,5 @@
+import type { SecurityIssue } from "./types";
+/**
+ * Scan all files in a directory for security issues.
+ */
+export declare function scanFiles(dir: string): SecurityIssue[];

package/dist/types.d.ts

@@ -0,0 +1,22 @@
+export interface SecurityPattern {
+    id: string;
+    name: string;
+    regex: RegExp;
+    fixPrompt: string;
+}
+export interface SecurityIssue {
+    file: string;
+    line: number;
+    patternId: string;
+    patternName: string;
+    fixPrompt: string;
+    match: string;
+}
+export interface InitResult {
+    success: boolean;
+    message: string;
+    path: string;
+}
+export interface IssueSummary {
+    [patternName: string]: number;
+}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "vibe-shield",
+  "version": "1.0.0",
+  "description": "Security scanner for vibe coders - find and fix AI-generated security issues",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "vibe-shield": "./dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "dev": "bun run src/cli.ts",
+    "build": "bun build src/cli.ts --outdir dist --target node && bun build src/index.ts --outdir dist --target node && bun x tsc --emitDeclarationOnly",
+    "prepublishOnly": "bun run build",
+    "typecheck": "tsc --noEmit",
+    "test": "bun test"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "ai",
+    "vibe-coding",
+    "cli",
+    "cursor",
+    "claude",
+    "devtools",
+    "linter",
+    "vulnerabilities"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/egmzy/vibe-shield.git"
+  },
+  "bugs": {
+    "url": "https://github.com/egmzy/vibe-shield/issues"
+  },
+  "homepage": "https://github.com/egmzy/vibe-shield#readme",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "@types/node": "^20.10.0",
+    "typescript": "^5.3.0"
+  }
+}