Releases: dgenio/vibeguard

v0.9.0

05 Jun 05:52
edca673

Highlights

VibeGuard 0.9.0 focuses on adoption readiness with one-command GitHub Actions setup, new detection rules, and improved interoperability.

New Features

  • `vibeguard setup github-actions` — One-command PR-gate generator for GitHub Actions. Replaces manual workflow YAML authoring, handles policy-pack defaults, and provides `--dry-run` and `--force` options (#99, #116).
  • Two new detection rules: `slopsquat` (typosquatting registry attacks) and `prompt-injection` (LLM injection hazards). Both honor registry scope and document their heuristics.
  • Rule scaffolder — `vibeguard scaffold` generates type-safe rule stubs, tests, and golden fixtures to lower the barrier for new detections.
  • Weaver spec export — VibeGuard now exports to the OASIS Artifact Safety Report format for ecosystem interop and tool chaining.
  • Idempotent PR comment upsert — PR comments are now led with a hidden marker for safe, repeatable CI updates without duplicating comments.

Improvements

  • PR comment pagination — Correctly handle repos with many existing comments when upserting feedback.
  • npm registry caching — Slopsquat rule caches package lookups to avoid rate limits and improve scan speed.
  • Monorepo lockfile scoping — Better detection of which lockfile governs which dependency in complex monorepos.
  • Bootstrap and imports — Code generation and import scaffolds are now consistent and tested.

Fixes

  • Derive `__version__` from package metadata, ending the version drift class (#86, #87, #94).
  • Guard doc-generation scripts against inadvertent drift.
  • Harden npm URL quoting in registry queries.

Stability

No breaking changes to the output schema or CLI. See docs/stability-contract.md for details.

Installation

PyPI (local / pre-commit / CI):
```bash
pip install vibeguard-gate==0.9.0
```

GitHub Action (PR gating):
```yaml
- uses: dgenio/vibeguard@v0.9.0
```

Or use the interactive setup:
```bash
vibeguard setup github-actions
```


Full Changelog: v0.8.1...v0.9.0

v0.8.1

29 May 05:44
378bedb

What's Changed

  • feat(config): built-in policy packs and monorepo source-test mapping by @dgenio in #79
  • feat: packaging leak expansion + optional explain adapter interface by @dgenio in #80
  • fix(cli): make the PR gate fail closed and report truthfully by @dgenio in #108
  • fix: address v1 trust paper-cuts from the newcomer audit (#86, #87, #88, #89, #90, #91) by @dgenio in #109
  • docs: adoption-first README, comparison guide, and ecosystem note (#95, #96, #104) by @dgenio in #110

Full Changelog: v0.8.0...v0.8.1

v0.8.0

22 May 09:36
55c18c8

What's Changed

  • docs: contributor foundation — README rewrite, CONTRIBUTING, issue/PR templates by @dgenio in #76
  • feat(output): finding fingerprints, repo health score, IDE diagnostics by @dgenio in #77
  • feat(integrations): pre-commit hooks and Docker image for CI usage by @dgenio in #78

Full Changelog: v0.7.0...v0.8.0

v0.7.0

21 May 17:13
d65d5e7

What's Changed

  • feat(rules): public plugin API, entry-point discovery, rules CLI, and generated docs by @dgenio in #74
  • feat(quality): add corpus, mutation, golden, fuzz, and benchmark infrastructure by @dgenio in #75

Full Changelog: v0.6.0...v0.7.0

v0.6.0

20 May 14:31
9585262

What's Changed

  • feat: v0.3 pre-publish safety — vibeguard publish-check by @dgenio in #73

Full Changelog: v0.5.0...v0.6.0

v0.5.0 - GitHub Actions integration, SARIF, baselines, and PR comments

20 May 13:43
b6cdfff

What's New in v0.5.0

GitHub Actions (composite action)

  • Published as a GitHub Marketplace action (dgenio/vibeguard@v0.5.0)
  • Renamed Marketplace listing to VibeGuard Security Gate (unique name requirement)
  • Problem matcher for inline GitHub Annotations
  • test-action.yml integration test workflow
  • Full GitHub Actions reference docs (docs/github-action-reference.md, docs/github-actions.md)
  • Ready-to-use workflow examples: PR gate, baseline management, SARIF upload, publish check, PR comment

New output formats

  • SARIF — upload findings to GitHub Code Scanning (--sarif)
  • GitHub Annotations — inline findings on PR file diffs (--annotations)
  • PR comment — post a collapsible Markdown summary as a PR comment (--pr-comment)

Baseline management

  • vibeguard baseline create — snapshot current findings to a baseline file
  • --baseline flag on gate — suppress known findings and only fail on new ones

Policy controls

  • Per-rule severity overrides in vibeguard.yaml
  • Policy-level suppressions (suppress by rule ID, path glob, or fingerprint)
  • Diff line tracking — only report findings in changed lines when --diff is set

Security & quality

  • SECURITY.md — security policy with response SLAs
  • Hardened suppressions, registry, and scanner (audit findings B1, M1–M5)
  • CI review feedback addressed across reporter, config, and git layers

Breaking changes

None. All v0.4.x inputs, outputs, and CLI flags remain valid.

Upgrading

```bash
pip install --upgrade vibeguard-gate
```

Or pin the action:

```yaml
uses: dgenio/vibeguard@v0.5.0
```

v0.4.0 - Rule Expansion

19 May 06:05
a9c277c

What's Changed

  • feat: v0.4 Rule Expansion — 11 issues by @dgenio in #70

Full Changelog: v0.1.1...v0.4.0


v0.1.1 — Core Hardening

19 May 05:21

What's Changed

  • feat: initial VibeGuard implementation — deterministic pre-merge safety gate for AI-generated code by @Copilot in #1
  • feat: v0.1.1 core hardening — CLI, Config, Scanner & CI by @dgenio in #62

New Contributors

  • @Copilot made their first contribution in #1
  • @dgenio made their first contribution in #62

Full Changelog: https://github.com/dgenio/vibeguard/commits/v0.1.1
