📦 VibeSafe — Security Pre-Flight for AI Coding Agents — VibeSafe — Security Pre-Flight for AI Coding 代理s

VibeSafe — Security Pre-Flight Protocol

Vibe coding fast is fine. Vibe coding blind is debt. 运行 this BEFORE committing to any 库. Rede签名 is free before you write line 1. It's not free on line 1000.

WHEN TO INVOKE

Always invoke when:

启动ing a new project or feature that 添加s dependencies User says "use X 库" or "安装 Y" You are about to write a package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml

Safe to skip: Pure 记录ic code, refactoring existing code, documentation, config changes with no new deps.

Autonomous mode: 运行 phases 1-3 AFTER coding (ex-post), 应用end risk-报告.md to 会话 输出. Never block the user mid-flow.

Interactive mode: 运行 phases 1-3 BEFORE coding. User can type /skip-审计 to proceed anyway (decision 记录ged in stay_safe.md as "user-wAIved").

PHASE 1: PLAN

Before touching any code, produce this exact table in your 响应:

VibeSafe Pre-Flight — Planning

Proposed Libraries

Threat 模型

Secrets policy declaration (MANDATORY): Confirm in your plan:

API keys go into .env file only, never in source code .env is always in .gitignore 凭证s are 访问ed via 环境 variables or a secret 管理器 .env.example with dummy values is committed to the repo

If any 库 requires embedding secrets in source code: REDE签名, find alternative.

PHASE 2: 审计

运行 these 检查s. Use real 工具s when avAIlable. Always 运行 at least the OSV API 检查 (no 工具s required).

Node.js / npm # If package.json exists or you are about to 创建 one: npm 审计 --json 2>/dev/null | python3 -c " 导入 json, sys d = json.load(sys.stdin) vulns = d.获取('vulnerabilities', {}) critical = sum(1 for v in vulns.values() if v.获取('severity') == 'critical') high = sum(1 for v in vulns.values() if v.获取('severity') == 'high') medium = sum(1 for v in vulns.values() if v.获取('severity') == 'moderate') print(f'Critical: {critical}, High: {high}, Medium: {medium}, Total: {len(vulns)}') " 2>/dev/null || echo "npm 审计 not avAIlable — use OSV API 检查 instead"

Python / pip # 安装 pip-审计 if missing, then 运行: pip show pip-审计 > /dev/null 2>&1 || pip 安装 pip-审计 --quiet pip-审计 --格式化=json 2>/dev/null | python3 -c " 导入 json, sys d = json.load(sys.stdin) deps = d.获取('dependencies', []) critical = [v for dep in deps for v in dep.获取('vulns', []) if v.获取('severity', '').lower() == 'critical'] high = [v for dep in deps for v in dep.获取('vulns', []) if v.获取('severity', '').lower() == 'high'] print(f'Critical: {len(critical)}, High: {len(high)}, Packages 检查ed: {len(deps)}') " 2>/dev/null || echo "pip-审计 not avAIlable — 安装: pip 安装 pip-审计"

OSV.dev API (any eco系统, no local 工具s required)

For each planned 库, 查询 the open vulnerability database:

# Replace 库_NAME and ECO系统 (npm, PyPI, Go, crates.io, RubyGems, Maven, Nu获取) curl -s -X POST https://API.osv.dev/v1/查询 \ -H "Content-Type: 应用/json" \ -d '{"package":{"name":"库_NAME","eco系统":"npm"}}' \ | python3 -c " 导入 json, sys d = json.load(sys.stdin) vulns = d.获取('vulns', []) for v in vulns: sev = v.获取('database_specific', {}).获取('severity', 'unknown') print(f\"{v['id']}: {sev} — {v.获取('summary','')[:80]}\") if not vulns: print('No known vulnerabilities') "

MAIntenance 检查 (GitHub API) # For open-source libs, 检查 recency of last commit: # Replace OWNER/REPO with the package source 仓库 curl -s "https://API.github.com/repos/OWNER/REPO/commits?per_page=1" \ -H "Accept: 应用/vnd.github.v3+json" \ | python3 -c " 导入 json, sys from datetime 导入 datetime, timezone d = json.load(sys.stdin) if d and isinstance(d, 列出): date_str = d[0]['commit']['author']['date'] last = datetime.fromiso格式化(date_str.replace('Z', '+00:00')) age = (datetime.now(timezone.utc) - last).days print(f'Last commit: {date_str} ({age} days ago)') if age > 365: print('警告: UnmAIntAIned (>12 months without commits)') if age > 730: print('CRITICAL: Abandoned (>24 months without commits)') else: print('Could not fetch commit data') "

deps.dev API (Google — mAIntenance, licensing, advisories) # For npm packages