npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

vibe-armor

v0.1.1

Published

Harden AI coding agents (Claude Code, Cursor, Codex CLI, Windsurf, Gemini CLI) against secret leaks and dangerous actions in 30 seconds.

Downloads

265

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

tejasrathi_tejasrathi_

Keywords

aisecurityclaude-codecursorcodexwindsurfgeminiguardrailssecrets

Readme

vibe-armor

Harden AI coding agents against secret leaks and dangerous actions in 30 seconds. One command, sensible defaults, no GUI.

npx vibe-armor init

That's the install. It detects every supported AI CLI on your machine (Claude Code, Cursor, Codex CLI, Windsurf, Gemini CLI) and configures each one with its own native security mechanisms. No runtime interceptor, no daemon, no telemetry.

What it protects against

  • Credential file reads: .env, ~/.ssh/, ~/.aws/, ~/.gcp/, ~/.azure/, ~/.kube/config, ~/.npmrc, ~/.netrc, ~/.pgpass, macOS Keychain — agents can't read these even if a prompt-injection tries to convince them.
  • Destructive shell commands: rm -rf /, curl … | sh, mkfs.*, reverse shells, dd to a raw disk, fork bombs.
  • Prompt-injected secrets: when you paste an AWS key, Anthropic key, OpenAI key, GitHub PAT, Stripe live key, or PEM private key into a prompt, vibe-armor refuses to forward it to the model.
  • Secrets reaching git: a gitleaks pre-commit hook stops real credential content from landing in commits, regardless of filename.

Quick verify

npx vibe-armor test    # runs the rule engine + hook probes
npx vibe-armor audit   # diffs your config against the canonical guardrails

What it bundles

| Layer | Files written | Notes | |---|---|---| | Claude Code | ~/.claude/settings.json (permissions.deny + permissions.allow), two PreToolUse / UserPromptSubmit hook scripts in ~/.claude/hooks/ | Idempotent; backs up your previous settings.json before mutation | | Cursor | .cursorignore, .cursorrules in cwd | Both use a managed vibe-armor:start … :end block — your own content is preserved | | Codex CLI | AGENTS.md in cwd, ~/.codex/config.toml (sandbox_mode = "workspace-write", approval_policy = "on-request") | Conservative defaults, not so strict that the agent can't work | | Windsurf | .windsurfrules in cwd | Same managed-block pattern | | Gemini CLI | GEMINI.md in cwd | Prose-level rules; Gemini lacks a path-deny schema, so the git pre-commit hook is the hard backstop | | Git layer | .gitignore (managed block), .pre-commit-config.yaml (gitleaks hook) | Activate the hook with pip install pre-commit && pre-commit install |

The attacks this stops

The patterns vibe-armor encodes are not theoretical. Recent incidents:

  • Moltbook (Jan 2026) — vibe-coded launch leaked 1.5M API tokens within three days because .env files were sitting next to source the agent freely read.
  • Lovable security crisis (2026) — 48 days of cross-project credential exposure. Same root cause: agent context windows pulling in files no one realized were sensitive.
  • SANDWORM_MODE / McpInject (Feb 2026) — 19 malicious npm packages installed rogue MCP servers that exfiltrated SSH keys, AWS credentials, npm tokens, and .env files. Standard MCP install flow gave them a read of every credential file on disk.
  • GitGuardian 2025 report — 28.6M secrets leaked on GitHub; AI-assisted commits leak secrets at 2× the human rate; 24,008 unique secrets found in MCP config files alone.

The fixes (Claude Code's PreToolUse hooks, permissions.deny, .cursorignore, gitleaks, etc.) already exist. Vibe coders just don't discover them until after they've leaked something. vibe-armor is the canonical "secure your AI coding agent in one command" answer.

How it works

vibe-armor is a configuration aggregator. It does not intercept syscalls, sandbox processes, or run in the background. It simply writes the right config into each platform's native security mechanism:

  • Claude Code → permissions.deny / permissions.allow arrays + PreToolUse + UserPromptSubmit hook scripts.
  • Cursor / Windsurf / Gemini → ignore-files + system-prompt rule preambles.
  • Codex CLI → sandbox_mode + approval_policy in config.toml plus an AGENTS.md rule block.
  • Git → .gitignore block + gitleaks pre-commit hook.

Because the enforcement happens inside each platform, vibe-armor disappears after init — there's no daemon and no runtime overhead. If you uninstall vibe-armor tomorrow, your protections stay until you remove them yourself.

Design philosophy: low false positives

A security tool that blocks too broadly is worse than one that blocks too little. Developers will disable it on day two and lose protection from the actual leaks.

So vibe-armor deliberately does not blanket-block:

  • *.pem, *.p12, *.pfx, *.key — these appear constantly in legit dev TLS certs and JWT signing keys.
  • credentials.json, secrets.json, service-account*.json — common in tutorials, k8s manifests, and Firebase examples.

Real secrets in those files are caught by content-based scanning instead:

  • The secret-scan UserPromptSubmit hook flags real credentials by content (PEM headers, AKIA…, sk-ant-…, ghp_…, etc.).
  • The gitleaks pre-commit hook stops actual secret content from reaching git.

That gives low-false-positive ergonomics with stronger real security than naive filename blocking.

The path-blocks vibe-armor does impose are unambiguous: .env, id_rsa, ~/.ssh/, ~/.aws/, etc. — places where a legitimate read by an AI agent never makes sense.

Customization

All rules live in TypeScript:

Edit and re-run vibe-armor init to push your changes into every platform.

For a one-off override, edit the platform config directly. vibe-armor is idempotent and only mutates entries it owns (everything inside vibe-armor:start … :end markers, plus the permissions.deny / permissions.allow entries it added). Your additions stay.

Uninstall / undo

vibe-armor's mutations are localized and reversible:

  • Claude Code: restore from ~/.claude/settings.json.vibe-armor-backup-<timestamp> (vibe-armor writes one before mutating). Or manually remove the entries we added — search for vibe-armor-danger-bash.sh and vibe-armor-secret-scan.sh references in settings.json. Delete ~/.claude/hooks/vibe-armor-*.
  • Everything else: delete the block between <!-- vibe-armor:start --> / <!-- vibe-armor:end --> (or the equivalent # vibe-armor:start markers in .gitignore and config.toml).

There is no vibe-armor uninstall subcommand in v1; the explicit reversal is intentional so you see exactly what's coming out.

Credit

The deny-rule patterns are derived from dwarvesf/claude-guardrails; vibe-armor is the cross-platform npm distribution of those patterns. Secret regexes follow the public gitleaks ruleset. The data behind the attack writeups comes from the GitGuardian State of Secrets 2025 report and public incident postmortems.

Roadmap

  • MCP server allowlist (block unknown MCP servers from auto-installing)
  • OS-level sandbox handoff for platforms that support it
  • Plugin marketplace listing for Claude Code

License

MIT