cortexhq
v1.0.2
CortexHQ: Security & Guardrails for AI Code
🛡️ CORTEX
Intent-Aware Security for AI-Generated Code
The first security engine designed specifically for "vibe coding"
Quick Start • Detection Engine • CLI Commands • Benchmarks
🎯 The Problem
AI coding assistants (Cursor, Copilot, Claude) generate code that works but isn't secure:
| Issue | What Happens | CORTEX Detection |
|-------|--------------|------------------|
| Client-side auth | if (password === 'admin') in React | ✅ Invariant violation |
| RLS bypass | using (true) in Supabase policies | ✅ Policy misconfiguration |
| Hallucinated packages | npm install react-native-encrypt-fast | ✅ Slopsquatting detection |
| Missing rate limits | Public /api/signup with no protection | ✅ Absence-of-control |
| SQL injection | Template literals in queries | ✅ Taint analysis |
Traditional SAST misses these because the code is "correct" — it just violates security intent.
✅ The Solution
CORTEX is an Intent-Aware Security Engine with 6 detection layers:
┌─────────────────────────────────────────────────────────────┐
│ CORTEX DETECTION ENGINE │
├─────────────────────────────────────────────────────────────┤
│ Layer 1: Semgrep Patterns (SQLi, XSS, secrets) │
│ Layer 1.5: Dependency Intelligence (CVEs, hallucinations) │
│ Layer 2: Taint Analysis (source → sink tracking) │
│ Layer 3: Policy Semantics (RLS, Firebase, CORS) │
│ Layer 3.5: Invariant Analysis (client-side auth) │
│ Layer 4: Absence Detection (missing rate limits) │
├─────────────────────────────────────────────────────────────┤
│ Layer 5: Confidence Scoring + Explainable Findings │
└─────────────────────────────────────────────────────────────┘
🚀 Quick Start
# Install
npm install -g cortex-ai
# Run a security scan
cortex detect scan ./src
# Check dependencies for hallucinations
cortex detect deps
# Run benchmarks
cortex benchmark run
Example Output
🔬 CORTEX Intent-Aware Detection Engine v2.0
📊 SECURITY SCAN SUMMARY
═══════════════════════════════════════
🔴 Critical: 2
🟠 High: 3
🟡 Medium: 1
🔵 Low: 0
────────────────────────────────────────
Total: 6 findings
┌──────────────────────────────────────────────────────────────────┐
│ 🔴 CRITICAL: Client-Side Authentication │
│ │
│ File: src/components/Login.tsx:15 │
│ Confidence: 92% │
│ │
│ CODE: │
│ > if (password === 'admin123') { setLoggedIn(true); } │
│ │
│ WHY THIS IS DANGEROUS: │
│ • Authentication check performed in browser context │
│ • Client-side checks can be bypassed via DevTools │
│ │
│ INVARIANT VIOLATED: │
│ "Authentication decisions must occur server-side" │
│ │
│ FIX: │
│ Move authentication to server-side with HttpOnly cookies │
└──────────────────────────────────────────────────────────────────┘
🔬 Detection Engine
Detection Classes
| Class | What It Detects | Examples |
|-------|-----------------|----------|
| exploit | Active vulnerabilities | SQL injection, XSS, command injection |
| invariant | Security intent violations | Client-side auth, trust boundaries |
| policy | Misconfigured policies | RLS using(true), CORS wildcards |
| supply-chain | Dependency risks | CVEs, hallucinated packages |
| absence | Missing security controls | No rate limiting, no CAPTCHA |
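The fix named in the Client-Side Authentication finding above ("Move authentication to server-side with HttpOnly cookies"), shown as an added example; it is not CORTEX's code or part of the original README. The in-memory user store, the session map and the function names `verifyPassword`, `handleLogin` and `currentUser` are assumptions made for illustration.

```javascript
// Flagged pattern (runs in the browser, so the secret and the decision are both exposed):
//   if (password === 'admin123') { setLoggedIn(true); }
// Server-side replacement below; the browser only ever holds an opaque session id.
const crypto = require('node:crypto');

// Constructed user store; a real application reads salt and hash from its database.
const salt = crypto.randomBytes(16);
const users = new Map([
  ['alice', { salt, hash: crypto.scryptSync('correct horse battery', salt, 32) }],
]);
// Decoy record so a lookup for an unknown user costs the same as for a known one.
const decoy = { salt: crypto.randomBytes(16), hash: crypto.randomBytes(32) };
const sessions = new Map(); // session id -> username, held on the server only

// Compare the submitted password with the stored scrypt hash in constant time.
function verifyPassword(username, password) {
  if (typeof password !== 'string') return false;
  const user = users.get(username) ?? decoy;
  const candidate = crypto.scryptSync(password, user.salt, 32);
  return crypto.timingSafeEqual(candidate, user.hash) && users.has(username);
}

// Body of a POST /login handler: the authentication decision is made here, not in React.
function handleLogin({ username, password }) {
  if (!verifyPassword(username, password)) {
    return { status: 401, headers: {}, body: 'invalid credentials' };
  }
  const sid = crypto.randomBytes(32).toString('hex');
  sessions.set(sid, username);
  // HttpOnly hides the cookie from page scripts; Secure restricts it to HTTPS.
  return {
    status: 204,
    headers: { 'Set-Cookie': `sid=${sid}; HttpOnly; Secure; SameSite=Strict; Path=/` },
    body: '',
  };
}

// Protected routes derive identity from the cookie; client-set flags are ignored.
function currentUser(cookieHeader = '') {
  const match = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader);
  return match ? sessions.get(match[1]) ?? null : null;
}
```

A state flag such as `loggedIn` can still drive the UI, but every protected API route calls `currentUser` and rejects the request when it returns `null`.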
55+ Security Rules
| Category | Count | Examples |
|----------|-------|----------|
| Injection | 10 | SQL, NoSQL, command, path traversal |
| XSS | 6 | innerHTML, dangerouslySetInnerHTML |
| Secrets | 8 | API keys, tokens, hardcoded passwords |
| Auth/Authz | 8 | Client-side auth, IDOR, missing auth |
| Policy | 6 | RLS, Firebase, CORS, S3 buckets |
| Supply Chain | 6 | CVEs, hallucinations, deprecated |
| Abuse Control | 7 | Missing rate limits, no CAPTCHA |
| Crypto | 4 | Weak hashing, insecure storage |
💻 CLI Commands
Detection Engine
cortex detect scan [path] # Full security scan
cortex detect deps # Dependency intelligence
cortex detect invariants <f> # Check invariant violations
cortex detect policies <f> # Check policy misconfigurations
cortex detect summary # Show detection capabilities
Benchmarking
cortex benchmark run # Run all benchmarks
cortex benchmark run --update-baseline # Update baseline
cortex benchmark list # List benchmark categories
Feedback (Confidence Calibration)
cortex feedback accept <id> # Mark as true positive
cortex feedback dismiss <id> # Mark as false positive
cortex feedback stats # View precision per rule
Scope Management
cortex scope init # Create scope.yaml
cortex scope show # Display current scope
cortex scope check <path> # Check if file allowed
Other Commands
cortex version # Show version
cortex security rules # List all security rules
cortex patterns detect # Auto-detect framework
cortex learn progress # Learning mode progress
🧪 Benchmarks
CORTEX includes a benchmark harness with ground truth:
benchmarks/
├── sql-injection/ # SQL injection samples
├── xss/ # Cross-site scripting
├── client-auth-bypass/ # Client-side auth issues
├── rls-misconfig/ # RLS policy problems
├── firebase-public/ # Public storage buckets
├── slopsquatting/ # Hallucinated packages
├── race-condition/ # Race condition patterns
├── unprotected-endpoint/ # Missing abuse controls
└── expected-findings.json # 26 ground truth findings
Regression Protection: If a previously passing test regresses, CI fails.
🔧 Configuration
# .cortex/scope.yaml
task: "Add user authentication"
allow:
  - src/auth/**
  - src/components/Login.tsx
block:
  - .env*
  - src/core/**
limits:
  files: 10
  lines: 500
📚 Documentation
- Detection Engine Guide - Layers, capabilities, limitations
- Vibe Coding Security - Security checklist
- Core Architecture - System design
- Integration Guide - CI/IDE setup
