Metadata-Version: 2.4
Name: aina-vibeguard
Version: 1.9.2
Summary: AI-powered Python security scanner — 13 vuln types, AINA L3 causal chains, 100% recall
Project-URL: Homepage, https://vibeguard.dev
Project-URL: Repository, https://github.com/shanyshany3528/aina-vibeguard
Project-URL: Issues, https://github.com/shanyshany3528/aina-vibeguard/issues
Author-email: AINA Sovereign <shanyshany3528@gmail.com>
License: MIT
Keywords: linter,python,sast,security,static-analysis,vulnerability
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.9
Description-Content-Type: text/markdown

# 🛡️ aina-vibeguard

**AI-powered Python security scanner** — 13 vulnerability types, AINA L3 causal chain analysis, 100% recall on 30 golden cases.

[![PyPI version](https://badge.fury.io/py/aina-vibeguard.svg)](https://pypi.org/project/aina-vibeguard/)
[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

---

## What it detects

| # | Vulnerability | Free | Pro | Premium |
|---|---------------|:----:|:---:|:-------:|
| 1 | SQL Injection | ✅ | ✅ | ✅ |
| 2 | Command Injection | ✅ | ✅ | ✅ |
| 3 | Hardcoded Secrets | ✅ | ✅ | ✅ |
| 4 | Path Traversal | ✅ | ✅ | ✅ |
| 5 | SSRF | ✅ | ✅ | ✅ |
| 6 | XSS | ✅ | ✅ | ✅ |
| 7 | Insecure Deserialization | ✅ | ✅ | ✅ |
| 8 | Weak Crypto (MD5/SHA1) | ✅ | ✅ | ✅ |
| 9 | Open Redirect | ✅ | ✅ | ✅ |
| 10 | Template Injection | ✅ | ✅ | ✅ |
| 11 | **Cross-function Taint (5-hop)** | ❌ | ❌ | ✅ |
| 12 | **IDOR / CSRF / Mass Assignment** | ❌ | ❌ | ✅ |
| 13 | **Sensitive Data Leak** | ❌ | ❌ | ✅ |

**30/30 golden test recall (100%)** · **AINA L3 causal chains** trace attack paths from source to sink.

---

## Install

```bash
pip install aina-vibeguard
```

Zero dependencies. Pure Python 3.9+.

---

## Quick start

```bash
# 1. Set your API key (get one at vibeguard.dev)
aina-vibeguard config --key vg_pro_YOUR_KEY

# 2. Scan a file
aina-vibeguard scan myapp/views.py

# 3. Full output with L3 causal chains
aina-vibeguard scan myapp/views.py --verbose

# 4. [Premium] Scan entire project
aina-vibeguard scan-project ./myproject
```

**No API key?** Use a free key with 50 scans/day:
```bash
aina-vibeguard config --key vg_free_demo0001
```

---

## Example output

```
💎 [PRO]  views.py
  🔴 BLOCKED  blocks=2  warns=1
  scan_id: 8f3a1b2c-...
  hash: A3F9C2B1D4E5F6A7...  ✅

  ──────────────────────────────────────────────────
  KIND                   SEVERITY  LINE  DETAIL
  ──────────────────────────────────────────────────
  🔴 SQL_INJECTION       BLOCK     42    f-string in execute()
  🔴 COMMAND_INJECTION   BLOCK     87    subprocess with shell=True + user input
  🟡 HARDCODED_SECRET    WARN      15    API_KEY = "sk-..."

  🧠 AINA L3 Causal Chains (2):
    • user_input → string_concat → execute() → database_read
    • user_input → shell_interpolation → subprocess.run → OS_command
```

---

## Tier comparison

| Feature | Free | Pro ($19/mo) | Premium ($49/mo) |
|---------|:----:|:------------:|:----------------:|
| Scans per day | 50 | 500 | Unlimited |
| Max file size | 100 KB | 500 KB | 1 MB (ZIP) |
| 10 base vuln types | ✅ | ✅ | ✅ |
| Full issue details | ❌ | ✅ | ✅ |
| AINA L3 causal chains | ❌ | ✅ | ✅ |
| Senior code analysis | ❌ | ✅ | ✅ |
| Scan history (90 days) | ❌ | ✅ | ✅ |
| PDF certificate | ❌ | ✅ | ✅ |
| Cross-function taint | ❌ | ❌ | ✅ |
| IDOR / CSRF detection | ❌ | ❌ | ✅ |
| Sensitive data leak | ❌ | ❌ | ✅ |
| Project ZIP scan | ❌ | ❌ | ✅ |

🎫 **Early Bird:** First 100 Pro / 50 Premium slots at launch price.
→ `aina-vibeguard slots` to check availability.

---

## Hash proof

Every Pro/Premium scan returns a tamper-proof hash you can verify client-side:

```python
import hashlib, json

# Values as printed in the scan output (shown truncated here, as above)
scan_id     = "8f3a1b2c-..."
blocks      = 2
block_types = {"SQL_INJECTION": 1, "COMMAND_INJECTION": 1}

# scan_id | total blocks | per-type counts as JSON with sorted keys
payload = f"{scan_id}|{blocks}|{json.dumps(block_types, sort_keys=True)}"
# SHA-256, first 32 hex digits, upper-cased
result_hash = hashlib.sha256(payload.encode()).hexdigest()[:32].upper()
# → A3F9C2B1D4E5F6A7...
```
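As an added example (not code from the package itself), the recomputation above wrapped into a verification routine, with constructed sample values standing in for a real `scan_id` and counts; `compute_result_hash`, `verify_scan` and `counts_consistent` are names chosen here. Because every input to the hash is printed in the scan output, recomputing it checks that the displayed counts are the ones hashed for that `scan_id`; whether the hash was produced by the VibeGuard server is something the recomputation alone cannot establish.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample values (hypothetical scan; not a real scan_id, and the
# hash is derived from them rather than copied from any real scan output).
SAMPLE_SCAN_ID = "00000000-0000-4000-8000-000000000001"
SAMPLE_BLOCKS = 2
SAMPLE_BLOCK_TYPES = {"SQL_INJECTION": 1, "COMMAND_INJECTION": 1}


def compute_result_hash(scan_id: str, blocks: int, block_types: Dict[str, int]) -> str:
    """Recompute the hash exactly as described above: SHA-256 over
    'scan_id|blocks|<JSON with sorted keys>', first 32 hex digits, upper-cased."""
    payload = f"{scan_id}|{blocks}|{json.dumps(block_types, sort_keys=True)}"
    return hashlib.sha256(payload.encode()).hexdigest()[:32].upper()


def counts_consistent(blocks: int, block_types: Dict[str, int]) -> bool:
    """Structural check that needs no hash: per-type counts must be
    non-negative and sum to the reported block total."""
    values = list(block_types.values())
    return blocks >= 0 and all(v >= 0 for v in values) and sum(values) == blocks


def verify_scan(reported_hash: str, scan_id: str, blocks: int,
                block_types: Dict[str, int]) -> bool:
    """Compare the hash printed in the scan output with a local recomputation.

    True means the displayed counts are the ones the hash was computed over
    for this scan_id. Whitespace and case are normalised first, since the
    CLI prints the hash upper-cased; compare_digest is the usual habit for
    comparing any digest string."""
    if not counts_consistent(blocks, block_types):
        return False
    expected = compute_result_hash(scan_id, blocks, block_types)
    return hmac.compare_digest(expected, reported_hash.strip().upper())


if __name__ == "__main__":
    h = compute_result_hash(SAMPLE_SCAN_ID, SAMPLE_BLOCKS, SAMPLE_BLOCK_TYPES)
    print("hash:", h)
    print("verified:", verify_scan(h, SAMPLE_SCAN_ID, SAMPLE_BLOCKS, SAMPLE_BLOCK_TYPES))
```

Feeding `verify_scan` the three values shown in the output table (scan_id, total blocks, and the per-type counts from the KIND column) is enough; the key order of `block_types` does not matter because the JSON is serialised with sorted keys.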

---

## CI/CD integration

```yaml
# .github/workflows/security.yml
name: security
on: [push, pull_request]

jobs:
  vibeguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: VibeGuard scan
        run: |
          pip install aina-vibeguard
          aina-vibeguard scan src/app.py
        env:
          # Keep the key in repository secrets, never in the workflow file
          VIBEGUARD_API_KEY: ${{ secrets.VIBEGUARD_API_KEY }}
```

Exit code `1` if any BLOCK-severity issues are found — fails the pipeline automatically.

---

## False positive feedback

```bash
aina-vibeguard feedback <scan_id> SQL_INJECTION --note "Parameterized query, safe"
```

Feedback is stored in the AINA L3 causal database and reduces future false positives.

---

## Commands

| Command | Description |
|---------|-------------|
| `config --key KEY` | Save API key locally |
| `scan FILE` | Scan a Python file |
| `scan-project DIR` | [Premium] Scan project directory |
| `status` | API status + tier info |
| `slots` | Early bird slot availability |
| `history` | Recent scan history |
| `feedback SCAN_ID KIND` | Report false positive |
| `docs` | Export learned patterns |

---

## How it works

VibeGuard is a **cloud-native SAST** (Static Application Security Testing) tool. Your code is sent to the VibeGuard API which runs:

1. **Structural analysis** — AST-based pattern matching for 13 vulnerability types
2. **AINA L3 causal chains** — Knowledge graph traversal traces taint from source to sink
3. **Senior code analysis** — GOD_OBJECT, N+1 queries, DEEP_NESTING detection
4. **[Premium] Inter-procedural taint** — 5-hop cross-function data flow

The API runs on Railway with a PostgreSQL-backed key store and a self-improving causal database.
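As an added illustration of steps 1 and 2 (not the VibeGuard implementation, whose analysis runs server-side), a small stand-alone AST scanner that flags three of the base patterns from the output table above and, for each sink, reports which function parameters reach it as a source → sink chain. The sample module, `Finding`, `scan_source` and `exit_code` are all constructed for this example; the sink list and secret-name heuristics are deliberately minimal.

```python
import ast
from dataclasses import dataclass
from typing import List, Set

# Constructed sample module (hypothetical, not real application code): one
# instance of each pattern plus a parameterized query that must NOT be flagged.
SAMPLE_SOURCE = '''
import sqlite3, subprocess

API_KEY = "sk-example-not-a-real-key"

def lookup(conn, user_input):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{user_input}'")
    return cur.fetchall()

def run_tool(user_input):
    return subprocess.run("tool " + user_input, shell=True)

def safe_lookup(conn, user_input):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user_input,))
    return cur.fetchall()
'''

# Identifier fragments that mark a module-level string assignment as a secret.
SECRET_NAMES = ("API_KEY", "SECRET", "PASSWORD", "TOKEN")


@dataclass
class Finding:
    kind: str
    severity: str   # BLOCK or WARN, mirroring the output table above
    line: int
    detail: str     # source → sink chain, or a short description


def _call_name(call: ast.Call) -> str:
    """Dotted callee name, e.g. 'cur.execute' or 'subprocess.run'."""
    parts = []
    func = call.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _names_in(expr: ast.AST) -> Set[str]:
    """All bare identifiers referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(expr) if isinstance(n, ast.Name)}


def _shell_true(call: ast.Call) -> bool:
    """True when the call carries a literal shell=True keyword."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_source(source: str) -> List[Finding]:
    """AST walk that reports sinks fed by dynamic data, with the function
    parameters that reach each sink recorded as a short source → sink chain."""
    tree = ast.parse(source)
    findings: List[Finding] = []

    # Module-level string literals assigned to secret-looking names.
    for node in tree.body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(s in target.id.upper() for s in SECRET_NAMES):
                    findings.append(Finding("HARDCODED_SECRET", "WARN", node.lineno,
                                            f'{target.id} = "{node.value.value[:3]}..."'))

    # Per function: which parameters flow (intra-procedurally) into each sink call.
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        params = {a.arg for a in fn.args.args}
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call) or not node.args:
                continue
            name = _call_name(node)
            arg0 = node.args[0]
            sources = sorted(_names_in(arg0) & params)
            # SQL injection: query built by f-string or concatenation at the execute() sink.
            if name.endswith(".execute") and isinstance(arg0, (ast.JoinedStr, ast.BinOp)):
                findings.append(Finding("SQL_INJECTION", "BLOCK", node.lineno,
                                        " → ".join(sources + ["string_build", name])))
            # Command injection: subprocess with shell=True and a non-literal command string.
            elif name.startswith("subprocess.") and _shell_true(node) \
                    and not isinstance(arg0, ast.Constant):
                findings.append(Finding("COMMAND_INJECTION", "BLOCK", node.lineno,
                                        " → ".join(sources + ["shell_interpolation", name])))
    return sorted(findings, key=lambda f: f.line)


def exit_code(findings: List[Finding]) -> int:
    """Same contract as the CI section: non-zero when any BLOCK finding exists."""
    return 1 if any(f.severity == "BLOCK" for f in findings) else 0


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f.kind:<20} {f.severity:<6} {f.line:<4} {f.detail}")
```

The parameterized `safe_lookup` passes a string constant to `execute()` and so produces no finding, which is the distinction a `feedback` report for a false positive would otherwise have to correct. Chains here stop at function boundaries; following a parameter through callers into another function's sink is the cross-function taint the Premium tier describes.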

---

## Privacy

- Code snippets are processed server-side for analysis and **not stored permanently**
- Scan metadata (hash, block counts) is stored 90 days for Pro/Premium history
- No training on your code

---

## Get a key

1. **Free** — `vg_free_demo0001` (public demo, 50 scans/day shared)
2. **Pro / Premium** — [vibeguard.dev/pricing](https://vibeguard.dev/pricing)

---

## License

MIT © 2026 AINA Sovereign
