TEKIMAX
diff --git a/‎CHANGELOG.md‎
Lines changed: 53 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 5 additions & 3 deletions b/‎README.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎commands/dep-audit.md‎
Lines changed: 91 additions & 0 deletions b/‎commands/dep-audit.md‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎config/tekimax-security-config.template.yml‎
Lines changed: 39 additions & 8 deletions b/‎config/tekimax-security-config.template.yml‎
Lines changed: 39 additions & 8 deletions
diff --git a/‎docs-site/content/docs/commands.mdx‎
Lines changed: 5 additions & 4 deletions b/‎docs-site/content/docs/commands.mdx‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎docs-site/content/docs/customization.mdx‎
Lines changed: 23 additions & 11 deletions b/‎docs-site/content/docs/customization.mdx‎
Lines changed: 23 additions & 11 deletions
@@ -3,6 +3,59 @@
 All notable changes to `tekimax-security` will be documented here.
 Format: [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) · SemVer.
 
+## [0.3.1] — 2026-04-16
+
+### Added
+
+- **Gate G — Dependency CVEs.** New `scripts/bash/dep-audit.sh` and
+  `speckit.tekimax-security.dep-audit` command. Resolution order:
+  `osv-scanner` (polyglot, preferred) → `pnpm audit` → `npm audit`
+  → `yarn npm audit`. Skips cleanly when no scanner is available.
+  Threshold configurable via `dep_audit.fail_on`
+  (`low` | `moderate` | `high` | `critical`, default `high`).
+  Opt-out via `dep_audit.enabled: false`. Gate G runs automatically
+  as part of `gate-check` and logs to
+  `.tekimax-security/dep-audit-log.jsonl`.
+- **Polyglot file coverage.** Gate F and the audit now scan Go,
+  Rust, Ruby, Java, Kotlin, Swift, PHP, shell, YAML, JSON, TOML,
+  Terraform, and Markdown by default — secrets and inline prompts
+  commonly live outside TS/Py. Defaults live in
+  `lib/defaults.sh:DEFAULT_INCLUDE_EXTS`.
+- **`audit.include_globs` and `audit.exclude_paths` config keys**
+  to extend the polyglot scan without replacing defaults.
+- **`audit.direct_sdk_patterns` config key.** Extend the default
+  SDK list (`@google/genai`, `@anthropic-ai/sdk`, `openai`,
+  `cohere-ai`, `@mistralai/mistralai`,
+  `@aws-sdk/client-bedrock-runtime`, `replicate`, `together-ai`)
+  with any provider your stack adopts.
+- **`--staged-only` flag** on `audit.sh` and `gate-check.sh`.
+  Scans only files in the git index. Pre-commit-hook-friendly: a
+  typical change touches <5 files, not the whole tree.
+- **`--json` flag** on `audit.sh`, `gate-check.sh`, and
+  `dep-audit.sh`. Emits machine-readable findings alongside (or in
+  place of) the human table so CI jobs and dashboards don't have
+  to re-parse the log file.
+- **`build_exclude_regex` and `scan_staged_files`** helpers in
+  `lib/defaults.sh` to support polyglot and staged-file scans.
+- **Three regression tests:**
+  `anchored-allowlist-rejects-prefix-bypass.sh`,
+  `polyglot-go-secret.sh`, `env-in-subdirectory.sh`. Suite is 18/18.
+
+### Changed
+
+- **Gateway allowlist uses anchored matching.**
+  `_is_gateway_allowed` in `lib/defaults.sh` now matches only at
+  the exact path, as a directory prefix with a '/' boundary, or
+  with a file-extension append. An entry `src/ai/gateway` no
+  longer silently matches `src/ai/gateway-bypass.ts`. Teams that
+  relied on the substring match must list full file paths or the
+  containing directory.
+- **`.env` detection is recursive.** `apps/*/.env`,
+  `packages/*/.env.local`, and similar nested env files are now
+  detected; previously only the repo root was checked.
+  `.env.example`, `.env.sample`, and `.env.template` remain
+  allowed.
+
 ## [0.3.0] — 2026-04-16
 
 ### Added
 
@@ -20,7 +20,7 @@
 
 [![Spec Kit Extension](https://img.shields.io/badge/spec--kit-extension-7c3aed)](https://github.com/github/spec-kit)
 [![License](https://img.shields.io/badge/license-Apache--2.0-blue)](LICENSE)
-[![Version](https://img.shields.io/badge/version-0.3.0-green)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-0.3.1-green)](CHANGELOG.md)
 [![Status](https://img.shields.io/badge/status-alpha-orange)]()
 [![Docs](https://img.shields.io/badge/docs-speckit.tekimax.com-7c3aed)](https://speckit.tekimax.com)
 [![Ask AI](https://img.shields.io/badge/ask%20AI-chat-10b981)](https://speckit.tekimax.com/chat)
@@ -62,6 +62,7 @@ follows automatically via Spec Kit hooks.
 | `/speckit.tekimax-security.gate-check` | `before_implement` | Blocks implementation until all security sections pass |
 | `/speckit.tekimax-security.audit` | `after_implement` | Inline prompts, committed secrets, direct SDK imports, guardrail drift |
 | `/speckit.tekimax-security.red-team` | `before_analyze` | Adversarial testing — prompt injection, jailbreak, extraction, auth bypass |
+| `/speckit.tekimax-security.dep-audit` | part of `gate-check` | Dependency CVEs (Gate G) via osv-scanner / pnpm / npm / yarn |
 | `/speckit.tekimax-security.install-rules` | manual | Installs a `DEVELOPMENT-RULES.md` into your project — commit hygiene, file structure, DRY, naming, inline docs, unit test rules |
 
 ---
@@ -137,7 +138,7 @@ agent (Claude Code, Copilot, Gemini CLI). The typical flow:
 
 ---
 
-## The Six Security Gates
+## The Seven Security Gates
 
 | Gate | Phase | Enforces |
 |---|---|---|
@@ -146,7 +147,8 @@ agent (Claude Code, Copilot, Gemini CLI). The typical flow:
 | **C — Model Governance** | DESIGN | Version pinning, eval baselines, rollback plan |
 | **D — Guardrails** | SPECIFY/DESIGN | Input/output filters, numeric rate limits, numeric cost ceilings |
 | **E — Red Team** | VERIFY | Adversarial scenarios, no succeeded High/Critical attacks |
-| **F — Inline Content Scan** | IMPLEMENT | No inline prompts, no secrets, no `.env` committed |
+| **F — Inline Content Scan** | IMPLEMENT | No inline prompts, no secrets, no `.env` committed — **polyglot** (TS/JS/Py/Go/Rs/Java/Kt/Swift/Rb/Sh/YAML/TF/Toml/MD), recursive `.env` detection |
+| **G — Dependency CVEs** | IMPLEMENT | `osv-scanner` (preferred) or `pnpm` / `npm` / `yarn audit`, threshold-gated |
 
 Each gate produces an append-only JSONL entry in
 `.tekimax-security/gate-log.jsonl` for compliance audit trails.
 
@@ -0,0 +1,91 @@
+---
+description: "Scan project dependencies for known CVEs via osv-scanner / pnpm / npm / yarn (Gate G)"
+scripts:
+  sh: ../../scripts/bash/dep-audit.sh
+---
+
+# Dependency CVE Scan (Gate G)
+
+Scan the project's locked dependencies for known vulnerabilities
+published to the OSV database or the relevant package manager's
+advisory feed.
+
+## User Input
+
+$ARGUMENTS
+
+## Context
+
+Spec Kit writes application code; it never touches `package.json`,
+`Cargo.toml`, `go.mod`, or any other manifest. Vulnerable
+dependencies therefore slip past every other gate in this
+extension. Gate G closes that loop by scanning the committed
+lockfile and failing when findings meet or exceed the configured
+severity threshold.
+
+## Steps
+
+1. **Run the dependency audit**:
+
+   ```bash
+   bash {SCRIPT}
+   ```
+
+   Add `--json` for machine-readable output (CI, dashboards):
+
+   ```bash
+   bash {SCRIPT} --json
+   ```
+
+2. **Scanner resolution** (first available wins):
+
+   - `osv-scanner` on `PATH` — preferred. Polyglot (npm, pypi,
+     cargo, go, maven, gem), no account needed, queries OSV.dev.
+   - `pnpm audit` — if `pnpm-lock.yaml` is present.
+   - `npm audit` — if `package-lock.json` is present.
+   - `yarn npm audit` — if `yarn.lock` is present (Yarn 2+).
+   - None available → skip with a clear message (exit 0).
+
+3. **Severity threshold** — read from
+   `tekimax-security-config.yml`:
+
+   ```yaml
+   dep_audit:
+     enabled: true
+     fail_on: high    # low | moderate | high | critical
+   ```
+
+   `fail_on: high` blocks on any high or critical finding. Set
+   `enabled: false` to skip Gate G entirely (useful for repos with
+   no runtime dependencies).
+
+4. **Report** — human table by default:
+
+   ```
+   ┌─────────────────────────────────────────────────┐
+   │ Dependency CVE Scan (Gate G)                    │
+   ├─────────────────────────────────────────────────┤
+   │ tool: osv-scanner                               │
+   │ threshold: high                                 │
+   │ critical=0  high=2  moderate=5  low=1           │
+   └─────────────────────────────────────────────────┘
+   VERDICT: BLOCK (total=8)
+   ```
+
+5. **Log** the verdict to
+   `.tekimax-security/dep-audit-log.jsonl` (append-only).
+
+## Rules
+
+- Never print the actual SBOM or full advisory payload in the
+  console — only counts and verdict. Use `--json` when a machine
+  consumer needs detail.
+- Gate G does **not** auto-fix. Remediation is a separate
+  workflow (bump the direct dep, run `pnpm update`, etc.).
+- `osv-scanner` is strictly preferred. Install it once per machine
+  and every repo benefits:
+
+  ```bash
+  brew install osv-scanner      # macOS
+  go install github.com/google/osv-scanner/cmd/osv-scanner@v1
+  ```
@@ -20,6 +20,10 @@ stack:
   storage: <your-storage>
 
 audit:
+  # User entries extend the built-in defaults from lib/defaults.sh.
+  # The defaults are polyglot — TS/JS/Py/Go/Rs/Ruby/Java/Kt/Swift/
+  # PHP/Sh/YAML/JSON/Toml/TF/MD — so most teams only add
+  # project-specific markers here.
   inline_prompt_patterns:
     - "you\\s+are\\s+a"
     - "as\\s+an\\s+ai"
@@ -35,16 +39,43 @@ audit:
     - "ghp_[0-9a-zA-Z]{36}"
     - "AKIA[0-9A-Z]{16}"
     - "AIza[0-9A-Za-z-_]{35}"
-  file_scope:
-    - "src/**/*.ts"
-    - "src/**/*.tsx"
-    - "src/**/*.js"
-    - "src/**/*.jsx"
-    - "src/**/*.py"
+
+  # Extra file extensions to scan beyond the polyglot defaults.
+  # Format: glob patterns matching filenames (not paths).
+  include_globs:
+    - "*.vue"
+    - "*.svelte"
+
+  # Path fragments skipped during recursive scans. Extends the
+  # default exclude list (node_modules, .git, dist, build, target,
+  # .next, out, .venv, venv, coverage, etc.).
+  exclude_paths:
+    - "fixtures/"
+    - "examples/"
+
+  # Direct-SDK import detection. Extends the built-in list
+  # (@google/genai, @anthropic-ai/sdk, openai, cohere-ai,
+  # @mistralai/mistralai, @aws-sdk/client-bedrock-runtime, replicate,
+  # together-ai). Add packages specific to your stack.
+  direct_sdk_patterns:
+    - "fireworks-ai"
+    - "@groq/groq-sdk"
+
   allowlist:
-    # Files allowed to import model SDKs directly (gateway internals only)
+    # Files allowed to import model SDKs directly (gateway internals
+    # only). Anchored match — `src/ai/gateway-bypass.ts` will NOT
+    # inherit an `src/ai/gateway` entry. Use a directory entry or
+    # list the full file path.
     stack_direct_sdk:
-      - "src/ai/gateway.ts"
+      - "src/ai/gateway"
+      - "workers/ai"
+
+# Gate G — Dependency CVE scan. Uses osv-scanner when available
+# (polyglot, no account, no network auth), else pnpm / npm / yarn
+# audit against the project's lockfile.
+dep_audit:
+  enabled: true             # set to false to skip Gate G entirely
+  fail_on: high             # low | moderate | high | critical
 
 red_team:
   staging_url: "${SPECKIT_TEKIMAX_SECURITY_STAGING_URL}"
 
@@ -1,9 +1,9 @@
 ---
 title: Commands
-description: The eight slash commands speckit-security adds to Spec Kit.
+description: The nine slash commands speckit-security adds to Spec Kit.
 ---
 
-`speckit-security` adds **eight slash commands** to whichever AI agent
+`speckit-security` adds **nine slash commands** to whichever AI agent
 you're using. Every command is an agent-neutral Markdown file under
 `commands/` in the extension repo, Spec Kit translates each one into
 the active agent's native format on install.
@@ -14,8 +14,9 @@ the active agent's native format on install.
 | `threat-model` | Generate a STRIDE threat model for the active spec |
 | `model-governance` | Pin model version, define eval baselines, write rollback plan |
 | `guardrails` | Generate versioned system prompt + guardrail YAML for AI features |
-| `gate-check` | Run all six gates against the active spec, emit verdict |
-| `audit` | Post-implementation scan, inline prompts, secrets, direct SDKs |
+| `gate-check` | Run all seven gates against the active spec, emit verdict |
+| `audit` | Post-implementation scan — inline prompts, secrets, direct SDKs (polyglot) |
+| `dep-audit` | Dependency CVE scan (Gate G) via osv-scanner / pnpm / npm / yarn |
 | `red-team` | Generate adversarial scenarios; `--run` hits staging automatically |
 | `install-rules` | Install dev rules into docs, constitution, and agent context file |
 
 
@@ -6,26 +6,38 @@ description: Config file, template overrides, hook toggling, allowlists, and env
 `speckit-security` is designed to be vendor-agnostic. You can adapt
 it to your team's conventions, tools, and policies without forking
 the repo. This page walks through every supported customization
-point in v0.2.5.
+point in v0.3.1.
 
 <Callout type="info">
   **What the scripts actually read from the config:**
 
   - ✅ `red_team.staging_url`
-  - ✅ `red_team.max_rps` (new in v0.2.5)
-  - ✅ `audit.secret_patterns` (extends built-ins; new in v0.2.5)
-  - ✅ `audit.inline_prompt_patterns` (extends built-ins; new in v0.2.5)
-  - ✅ `audit.allowlist.stack_direct_sdk` (extends built-ins; new in v0.2.5)
+  - ✅ `red_team.max_rps`
+  - ✅ `red_team.never_run_against`
+  - ✅ `audit.secret_patterns` (extends built-ins)
+  - ✅ `audit.inline_prompt_patterns` (extends built-ins)
+  - ✅ `audit.allowlist.stack_direct_sdk` (extends built-ins, **anchored** in v0.3.1)
+  - ✅ `audit.include_globs` (extends polyglot defaults — **new in v0.3.1**)
+  - ✅ `audit.exclude_paths` (extends the default exclude list — **new in v0.3.1**)
+  - ✅ `audit.direct_sdk_patterns` (extends built-ins — **new in v0.3.1**)
+  - ✅ `dep_audit.enabled`, `dep_audit.fail_on` (Gate G — **new in v0.3.1**)
   - ⏳ `required_sections` — still hardcoded (Gate A/B header text)
-  - ⏳ `audit.file_scope` — still hardcoded
-  - ⏳ `red_team.never_run_against` — hardcoded on purpose (defense in depth)
   - 🛈 `enforcement`, `stack.*` — informational, read by humans
     and by Spec Kit's hook runtime (not the individual scripts)
 
-  User-supplied patterns and allowlist entries are **additive**:
-  they extend the built-in defaults rather than replacing them. A
-  missing config file means full built-in coverage, so adoption is
-  safe by default.
+  User-supplied patterns, paths, and allowlist entries are
+  **additive**: they extend the built-in defaults rather than
+  replacing them. A missing config file means full built-in
+  coverage, so adoption is safe by default.
+</Callout>
+
+<Callout type="warn">
+  **v0.3.1 allowlist is anchored.** `src/ai/gateway` now matches
+  the exact path, a directory prefix with a `/` boundary, or a
+  file-extension append — it does **not** silently allowlist
+  `src/ai/gateway-bypass.ts`. If your project relied on the
+  looser substring match, list full file paths or use directory
+  entries like `workers/ai`.
 </Callout>
 
 <Callout type="info">